diff --git a/README.md b/README.md index febe1e9e..e6f13c68 100644 --- a/README.md +++ b/README.md @@ -20,7 +20,7 @@ On GitHub, we have two repositories (selinux-policy and selinux-policy-contrib ) origin/rawhide $ cd selinux-policy-contrib - $ git remote -v + $ git remote -v origin git@github.com:fedora-selinux/selinux-policy-contrib.git (fetch) $ git branch -r @@ -38,13 +38,13 @@ Package sources in dist-git are generally composed from a _selinux-policy and _s ## Build process 1. clone [fedora-selinux/selinux-policy](https://github.com/fedora-selinux/selinux-policy) repository - + $ cd ~/devel/github $ git clone git@github.com:fedora-selinux/selinux-policy.git $ cd selinux-policy 2. clone [fedora-selinux/selinux-policy-contrib](https://github.com/fedora-selinux/selinux-policy-contrib) repository - + $ cd ~/devel/github $ git clone git@github.com:fedora-selinux/selinux-policy-contrib.git $ cd selinux-policy-contrib @@ -54,7 +54,7 @@ Package sources in dist-git are generally composed from a _selinux-policy and _s 4. clone **selinux-policy** dist-git repository $ cd ~/devel/dist-git - $ fedpkg clone selinux-policy + $ fedpkg clone selinux-policy $ cd selinux-policy 4. Download the latest snaphots from selinux-policy and selinux-policy-contrib github repositories @@ -63,6 +63,5 @@ Package sources in dist-git are generally composed from a _selinux-policy and _s 5. add changes to the dist-git repository, bump release, create a changelog entry, commit and push 6. build the package - - $ fedpkg build + $ fedpkg build diff --git a/selinux-policy.spec b/selinux-policy.spec index 1a575fc9..0610d2c9 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -79,12 +79,12 @@ Requires: selinux-policy-any = %{version}-%{release} Provides: selinux-policy-base = %{version}-%{release} Suggests: selinux-policy-targeted -%description +%description SELinux core policy package. Originally based off of reference policy, the policy has been adjusted to provide support for Fedora. -%files +%files %{!?_licensedir:%global license %%doc} %license COPYING %dir %{_datadir}/selinux @@ -399,7 +399,7 @@ end %build -%prep +%prep %setup -n %{name}-contrib-%{commit1} -q -b 29 tar -xf %{SOURCE35} contrib_path=`pwd` @@ -525,13 +525,13 @@ echo " SELINUX=enforcing # SELINUXTYPE= can take one of these three values: # targeted - Targeted processes are protected, -# minimum - Modification of targeted policy. Only selected processes are protected. +# minimum - Modification of targeted policy. Only selected processes are protected. # mls - Multi Level Security protection. SELINUXTYPE=targeted " > %{_sysconfdir}/selinux/config - ln -sf ../selinux/config %{_sysconfdir}/sysconfig/selinux + ln -sf ../selinux/config %{_sysconfdir}/sysconfig/selinux %{_sbindir}/restorecon %{_sysconfdir}/selinux/config 2> /dev/null || : else . %{_sysconfdir}/selinux/config @@ -630,7 +630,7 @@ exit 0 %files targeted -f %{buildroot}%{_datadir}/selinux/targeted/nonbasemodules.lst %config(noreplace) %{_sysconfdir}/selinux/targeted/contexts/users/unconfined_u -%config(noreplace) %{_sysconfdir}/selinux/targeted/contexts/users/sysadm_u +%config(noreplace) %{_sysconfdir}/selinux/targeted/contexts/users/sysadm_u %fileList targeted %verify(not md5 size mtime) %{_sharedstatedir}/selinux/targeted/active/modules/100/permissivedomains %endif @@ -733,12 +733,12 @@ exit 0 %files minimum -f %{buildroot}%{_datadir}/selinux/minimum/nonbasemodules.lst %config(noreplace) %{_sysconfdir}/selinux/minimum/contexts/users/unconfined_u -%config(noreplace) %{_sysconfdir}/selinux/minimum/contexts/users/sysadm_u +%config(noreplace) %{_sysconfdir}/selinux/minimum/contexts/users/sysadm_u %fileList minimum %endif %if %{BUILD_MLS} -%package mls +%package mls Summary: SELinux MLS policy Provides: selinux-policy-base = %{version}-%{release} Obsoletes: selinux-policy-mls-sources < 2 @@ -750,16 +750,16 @@ Requires: selinux-policy = %{version}-%{release} Conflicts: seedit Conflicts: container-selinux <= 1.9.0-9 -%description mls +%description mls SELinux MLS (Multi Level Security) policy package. %pretrans mls -p %backupConfigLua -%pre mls +%pre mls %preInstall mls -%post mls +%post mls %checkConfigConsistency mls %postInstall $1 mls exit 0 @@ -2620,7 +2620,7 @@ Resolves: rhbz#1683365 * Tue May 22 2018 Lukas Vrabec - 3.14.2-19 -- Increase dependency versions of policycoreutils and checkpolicy packages +- Increase dependency versions of policycoreutils and checkpolicy packages * Mon May 21 2018 Lukas Vrabec - 3.14.2-18 - Disable secure mode environment cleansing for dirsrv_t @@ -4883,7 +4883,7 @@ Resolves: rhbz#1314372 - Fix neverallow assertion for sys_module capability for openvswitch. - kernel_load_module() needs to be called out of boolean for svirt_lxc_net_t. - Fix neverallow assertion for sys_module capability. -- Add more attributes for sandbox domains to avoid neverallow assertion issues. +- Add more attributes for sandbox domains to avoid neverallow assertion issues. - Add neverallow asserition fixes related to storage. - Allow exec pidof under hypervkvp domain. Allow hypervkvp daemon create connection to the system DBUS - Allow openhpid_t to read system state. @@ -5171,7 +5171,7 @@ Resolves: rhbz#1314372 * Tue Jun 09 2015 Miroslav Grepl 3.13.1-128 - Add ipsec_rw_inherited_pipes() interface. -- Allow ibus-x11 running as xdm_t to connect uder session buses. We already allow to connect to userdomains over unix_stream_socket. +- Allow ibus-x11 running as xdm_t to connect uder session buses. We already allow to connect to userdomains over unix_stream_socket. - Label /usr/libexec/Xorg.wrap as xserver_exec_t. - Allow systemd-networkd to bind dhcpc ports if DHCP=yes in *.network conf file. - Add fixes for selinux userspace moving the policy store to /var/lib/selinux. @@ -5179,13 +5179,13 @@ Resolves: rhbz#1314372 - Label all gluster hooks in /var/lib/gluster as bin_t. They are not created on the fly. - Access required to run with unconfine.pp disabled - Fix selinux_search_fs() interface. -- Update selinux_search_fs(domain) rule to have ability to search /etc/selinuc/ to check if /etc/selinux/config exists. +- Update selinux_search_fs(domain) rule to have ability to search /etc/selinuc/ to check if /etc/selinux/config exists. - Add seutil_search_config() interface. - Make ssh-keygen as nsswitch domain to access SSSD. - Label ctdb events scripts as bin_t. - Add support for /usr/sbin/lvmpolld. - Allow gvfsd-fuse running as xdm_t to use /run/user/42/gvfs as mountpoint. -- Add support for ~/.local/share/networkmanagement/certificates and update filename transitions rules. +- Add support for ~/.local/share/networkmanagement/certificates and update filename transitions rules. - Allow login_pgm domains to access kernel keyring for nsswitch domains. - Allow hypervkvp to read /dev/urandom and read addition states/config files. - Add cgdcbxd policy. @@ -5200,26 +5200,26 @@ Resolves: rhbz#1314372 - Allow fowner capability for sssd because of selinux_child handling. - Allow pki-tomcat relabel pki_tomcat_etc_rw_t. - Allow cluster domain to dbus chat with systemd-logind. -- Allow tmpreaper_t to manage ntp log content +- Allow tmpreaper_t to manage ntp log content - Allow openvswitch_t to communicate with sssd. - Allow isnsd_t to communicate with sssd. - Allow rwho_t to communicate with sssd. - Allow pkcs_slotd_t to communicate with sssd. -- Add httpd_var_lib_t label for roundcubemail +- Add httpd_var_lib_t label for roundcubemail - Allow puppetagent_t to transfer firewalld messages over dbus. - Allow glusterd to have mknod capability. It creates a special file using mknod in a brick. - Update rules related to glusterd_brick_t. - Allow glusterd to execute lvm tools in the lvm_t target domain. - Allow glusterd to execute xfs_growfs in the target domain. - Allow sysctl to have running under hypervkvp_t domain. -- Allow smartdnotify to use user terminals. -- Allow pcp domains to create root.socket in /var/lip/pcp directroy. +- Allow smartdnotify to use user terminals. +- Allow pcp domains to create root.socket in /var/lip/pcp directroy. - Allow NM to execute dnssec-trigger-script in dnssec_trigger_t domain. -- Allow rpcbind to create rpcbind.xdr as a temporary file. -- Allow dnssec-trigger connections to the system DBUS. It uses libnm-glib Python bindings. -- Allow hostapd net_admin capability. hostapd needs to able to set an interface flag. +- Allow rpcbind to create rpcbind.xdr as a temporary file. +- Allow dnssec-trigger connections to the system DBUS. It uses libnm-glib Python bindings. +- Allow hostapd net_admin capability. hostapd needs to able to set an interface flag. - rsync server can be setup to send mail -- Make "ostree admin upgrade -r" command which suppose to upgrade the system and reboot working again. +- Make "ostree admin upgrade -r" command which suppose to upgrade the system and reboot working again. - Remove ctdbd_manage_var_files() interface which is not used and is declared for the wrong type. - Fix samba_load_libgfapi decl in samba.te. - Fix typo in nagios_run_sudo() boolean. @@ -5255,19 +5255,19 @@ Resolves: rhbz#1314372 - Allow gluster rpm scripletto create glusterd socket with correct labeling. This is a workaround until we get fix in glusterd. - Add glusterd_filetrans_named_pid() interface. - Allow antivirus_t to read system state info. -- Dontaudit use console for chrome-sandbox. -- Add support for ~/.local/share/libvirt/images and for ~/.local/share/libvirt/boot. -- Clamd needs to have fsetid capability. -- Allow cinder-backup to dbus chat with systemd-logind. +- Dontaudit use console for chrome-sandbox. +- Add support for ~/.local/share/libvirt/images and for ~/.local/share/libvirt/boot. +- Clamd needs to have fsetid capability. +- Allow cinder-backup to dbus chat with systemd-logind. - Update httpd_use_openstack boolean to allow httpd to bind commplex_main_port and read keystone log files. - Allow gssd to access kernel keyring for login_pgm domains. - Add more fixes related to timemaster+ntp+ptp4l. - Allow docker sandbox domains to search all mountpoiunts - update winbind_t rules to allow IPC for winbind. - Add rpm_exec_t labeling for /usr/bin/dnf-automatic,/usr/bin/dnf-2 and /usr/bin/dnf-3. -- Allow inet_gethost called by couchdb to access /proc/net/unix. -- Allow eu-unstrip running under abrt_t to access /var/lib/pcp/pmdas/linux/pmda_linux.so -- Label /usr/bin/yum-deprecated as rpm_exec_t. +- Allow inet_gethost called by couchdb to access /proc/net/unix. +- Allow eu-unstrip running under abrt_t to access /var/lib/pcp/pmdas/linux/pmda_linux.so +- Label /usr/bin/yum-deprecated as rpm_exec_t. * Tue May 05 2015 Lukas Vrabec 3.13.1-127 - Add missing typealiases in apache_content_template() for script domain/executable. @@ -5897,9 +5897,9 @@ Resolves: rhbz#1314372 - Allow mdadm to connect to own socket created by mdadm running as kernel_t. - Fix pkcs, Remove pkcs_lock_filetrans and Add files_search_locks - Allow bacula manage bacula_log_t dirs -- Allow pkcs_slotd_t read /etc/passwd, Label /var/lock/opencryptoki as pkcs_slotd_lock_t +- Allow pkcs_slotd_t read /etc/passwd, Label /var/lock/opencryptoki as pkcs_slotd_lock_t - Fix mistakes keystone and quantum -- Label neutron var run dir +- Label neutron var run dir - Label keystone var run dir - Fix bad labeling for /usr/s?bin/(oo|rhc)-restorer-wrapper.sh in openshift.fc. - Dontaudit attempts to access check cert dirs/files for sssd. @@ -5910,13 +5910,13 @@ Resolves: rhbz#1314372 - Label also /var/run/glusterd.socket file as gluster_var_run_t - Fix policy for pkcsslotd from opencryptoki - Update cockpik policy from cockpit usptream. -- Allow certmonger to exec ldconfig to make ipa-server-install working. -- Added support for Naemon policy +- Allow certmonger to exec ldconfig to make ipa-server-install working. +- Added support for Naemon policy - Allow keepalived manage snmp files - Add setpgid process to mip6d - remove duplicate rule -- Allow postfix_smtpd to stream connect to antivirus -- Dontaudit list /tmp for icecast +- Allow postfix_smtpd to stream connect to antivirus +- Dontaudit list /tmp for icecast - Allow zabbix domains to access /proc//net/dev. * Wed Jul 23 2014 Lukas Vrabec 3.13.1-67 @@ -5938,7 +5938,7 @@ Resolves: rhbz#1314372 * Fri Jul 18 2014 Lukas Vrabec 3.13.1-65 - Allow sysadm to dbus chat with systemd - Add logging_dontaudit_search_audit_logs() -- Add new files_read_all_mountpoint_symlinks() +- Add new files_read_all_mountpoint_symlinks() - Fix labeling path from /var/run/systemd/initctl/fifo to /var/run/initctl/fifo. - Allow ndc to read random and urandom device (#1110397) - Allow zabbix to read system network state @@ -7176,7 +7176,7 @@ type in docker.te - Add new attribute to discover confined_admins - Fix labeling for /etc/strongswan/ipsec.d - systemd_logind seems to pass fd to anyone who dbus communicates with it -- Dontaudit leaked write descriptor to dmesg +- Dontaudit leaked write descriptor to dmesg * Mon Oct 14 2013 Miroslav Grepl 3.12.1-89 - Fix gnome_read_generic_data_home_files() @@ -7295,7 +7295,7 @@ type in docker.te - Match upstream labeling * Wed Sep 25 2013 Miroslav Grepl 3.12.1-83 -- Do not build sanbox pkg on MLS +- Do not build sanbox pkg on MLS * Wed Sep 25 2013 Miroslav Grepl 3.12.1-82 - wine_tmp is no longer needed @@ -7451,7 +7451,7 @@ type in docker.te - Add selinux-policy-sandbox pkg * Tue Aug 27 2013 Miroslav Grepl 3.12.1-73 -0 +0 - Allow rhsmcertd to read init state - Allow fsetid for pkcsslotd - Fix labeling for /usr/lib/systemd/system/pkcsslotd.service @@ -7742,17 +7742,17 @@ type in docker.te - fix selinuxuser_use_ssh_chroot boolean * Fri Jun 28 2013 Miroslav Grepl 3.12.1-58 -- Shrink the size of policy by moving to attributes, also add dridomain so that mozilla_plugin can follow selinuxuse_dri boolean. -- Allow bootloader to manage generic log files -- Allow ftp to bind to port 989 -- Fix label of new gear directory -- Add support for new directory /var/lib/openshift/gears/ -- Add openshift_manage_lib_dirs() -- allow virtd domains to manage setrans_var_run_t -- Allow useradd to manage all openshift content -- Add support so that mozilla_plugin_t can use dri devices -- Allow chronyd to change the scheduler -- Allow apmd to shut downthe system +- Shrink the size of policy by moving to attributes, also add dridomain so that mozilla_plugin can follow selinuxuse_dri boolean. +- Allow bootloader to manage generic log files +- Allow ftp to bind to port 989 +- Fix label of new gear directory +- Add support for new directory /var/lib/openshift/gears/ +- Add openshift_manage_lib_dirs() +- allow virtd domains to manage setrans_var_run_t +- Allow useradd to manage all openshift content +- Add support so that mozilla_plugin_t can use dri devices +- Allow chronyd to change the scheduler +- Allow apmd to shut downthe system - Devicekit_disk_t needs to manage /etc/fstab * Wed Jun 26 2013 Miroslav Grepl 3.12.1-57 @@ -8143,7 +8143,7 @@ type in docker.te - label shared libraries in /opt/google/chrome as testrel_shlib_t * Thu Apr 18 2013 Miroslav Grepl 3.12.1-34 -- Allow certmonger to dbus communicate with realmd +- Allow certmonger to dbus communicate with realmd - Make realmd working * Thu Apr 18 2013 Miroslav Grepl 3.12.1-33 @@ -8162,7 +8162,7 @@ type in docker.te - Allow sandbox domains to use inherted terminals - Allow pscd to use devices labeled svirt_image_t in order to use cat cards. - Add label for new alsa pid -- Alsa now uses a pid file and needs to setsched +- Alsa now uses a pid file and needs to setsched - Fix oracleasmfs_t definition - Add support for sshd_unit_file_t - Add oracleasmfs_t @@ -8719,7 +8719,7 @@ type in docker.te - Allow certwatch to read meminfo - Fix nscd_dontaudit_write_sock_file() interfac - Fix gnome_filetrans_home_content() to include also "fontconfig" dir as cache_home_t -- llow mozilla_plugin_t to create HOMEDIR/.fontconfig with the proper labeling +- llow mozilla_plugin_t to create HOMEDIR/.fontconfig with the proper labeling * Fri Jan 11 2013 Miroslav Grepl 3.12.1-3 - Allow gnomeclock to talk to puppet over dbus @@ -8878,7 +8878,7 @@ type in docker.te - Allow firewalld to dbus chat with devicekit_power - Allow tuned to call lsblk - Allow tor to read /proc/sys/kernel/random/uuid -- Add tor_can_network_relay boolean +- Add tor_can_network_relay boolean * Wed Dec 5 2012 Miroslav Grepl 3.11.1-60 - Add openshift_initrc_signal() interface @@ -8983,7 +8983,7 @@ type in docker.te - Fix filetrans interface definitions - Dontaudit xdm_t to getattr on BOINC lib files - Add systemd_reload_all_services() interface -- Dontaudit write access on /var/lib/net-snmp/mib_indexes +- Dontaudit write access on /var/lib/net-snmp/mib_indexes - Only stop mcsuntrustedproc from relableing files - Allow accountsd to dbus chat with gdm - Allow realmd to getattr on all fs @@ -9148,7 +9148,7 @@ type in docker.te - Clean up for tunable+optional statements - Add labeling for /usr/sbin/mkhomedir_helper - Allow antivirus domain to managa amavis spool files -- Allow rpcbind_t to read passwd +- Allow rpcbind_t to read passwd - Allow pyzor running as spamc to manage amavis spool @@ -9295,7 +9295,7 @@ type in docker.te - Stop using attributes form netlabel_peer and syslog, auth_use_nsswitch setsup netlabel_peer - Move netlable_peer check out of booleans - Remove call to recvfrom_netlabel for kerberos call -- Remove use of attributes when calling syslog call +- Remove use of attributes when calling syslog call - Move -miscfiles_read_localization to domain.te to save hundreds of allow rules - Allow all domains to read locale files. This eliminates around 1500 allow rules- Cleanup nis_use_ypbind_uncond interface - Allow rndc to block suspend @@ -9375,7 +9375,7 @@ type in docker.te * Fri Aug 31 2012 Dan Walsh 3.11.1-15 - Separate sandbox policy into sandbox and sandboxX, and disable sandbox by default on fresh installs -- Allow domains that can read etc_t to read etc_runtime_t +- Allow domains that can read etc_t to read etc_runtime_t - Allow all domains to use inherited tmpfiles * Wed Aug 29 2012 Miroslav Grepl 3.11.1-14 @@ -9418,7 +9418,7 @@ type in docker.te - Allow xserver to communicate with secure_firmware - Allow fsadm tools (fsck) to read /run/mount contnet - Allow sysadm types to read /dev/kmsg -- +- * Thu Aug 16 2012 Dan Walsh 3.11.1-9 - Allow postfix, sssd, rpcd to block_suspend @@ -9775,7 +9775,7 @@ type in docker.te - Allow l2tpd_t to read system state - Allow tuned to run ls /dev - Allow sudo domains to read usr_t files -- Add label to machine-id +- Add label to machine-id - Fix corecmd_read_bin_symlinks cut and paste error * Wed May 16 2012 Miroslav Grepl 3.10.0-125 @@ -10094,7 +10094,7 @@ type in docker.te * Fri Mar 9 2012 Miroslav Grepl 3.10.0-98 - Add policy for nove-cert - Add labeling for nova-openstack systemd unit files -- Add policy for keystoke +- Add policy for keystoke * Thu Mar 8 2012 Miroslav Grepl 3.10.0-97 - Fix man pages fro domains @@ -10266,7 +10266,7 @@ type in docker.te - Add support for selinux_avcstat munin plugin - Treat hearbeat with corosync policy - Allow corosync to read and write to qpidd shared mem -- mozilla_plugin is trying to run pulseaudio +- mozilla_plugin is trying to run pulseaudio - Fixes for new sshd patch for running priv sep domains as the users context - Turn off dontaudit rules when turning on allow_ypbind - udev now reads /etc/modules.d directory @@ -10322,7 +10322,7 @@ type in docker.te - Add ubac_constrained rules for chrome_sandbox - Need interface to allow domains to use tmpfs_t files created by the kernel, used by libra - Allow postgresql to be executed by the caller -- Standardize interfaces of daemons +- Standardize interfaces of daemons - Add new labeling for mm-handler - Allow all matahari domains to read network state and etc_runtime_t files @@ -10439,7 +10439,7 @@ type in docker.te * Fri Nov 11 2011 Dan Walsh 3.10.0-57 - Pulseaudio changes -- Merge patches +- Merge patches * Thu Nov 10 2011 Dan Walsh 3.10.0-56 - Merge patches back into git repository. @@ -10484,7 +10484,7 @@ type in docker.te - Check in fixed for Chrome nacl support * Thu Oct 27 2011 Miroslav Grepl 3.10.0-51 -- Begin removing qemu_t domain, we really no longer need this domain. +- Begin removing qemu_t domain, we really no longer need this domain. - systemd_passwd needs dac_overide to communicate with users TTY's - Allow svirt_lxc domains to send kill signals within their container @@ -10492,7 +10492,7 @@ type in docker.te - Remove qemu.pp again without causing a crash * Wed Oct 26 2011 Dan Walsh 3.10.0-50.1 -- Remove qemu.pp, everything should use svirt_t or stay in its current domain +- Remove qemu.pp, everything should use svirt_t or stay in its current domain * Wed Oct 26 2011 Miroslav Grepl 3.10.0-50 - Allow policykit to talk to the systemd via dbus @@ -10572,7 +10572,7 @@ type in docker.te - Don't check md5 size or mtime on certain config files * Tue Oct 11 2011 Dan Walsh 3.10.0-39.1 -- Remove allow_ptrace and replace it with deny_ptrace, which will remove all +- Remove allow_ptrace and replace it with deny_ptrace, which will remove all ptrace from the system - Remove 2000 dontaudit rules between confined domains on transition and replace with single @@ -10799,7 +10799,7 @@ dontaudit domain domain:process { noatsecure siginh rlimitinh } ; * Wed Aug 10 2011 Miroslav Grepl 3.10.0-17 - livecd fixes -- spec file fixes +- spec file fixes * Thu Aug 4 2011 Miroslav Grepl 3.10.0-16 - fetchmail can use kerberos @@ -10876,7 +10876,7 @@ dontaudit domain domain:process { noatsecure siginh rlimitinh } ; - Allow asterisk to read /dev/random if it uses TLS - Allow colord to read ini files which are labeled as bin_t - Allow dirsrvadmin sys_resource and setrlimit to use ulimit -- Systemd needs to be able to create sock_files for every label in /var/run directory, cupsd being the first. +- Systemd needs to be able to create sock_files for every label in /var/run directory, cupsd being the first. - Also lists /var and /var/spool directories - Add openl2tpd to l2tpd policy - qpidd is reading the sysfs file @@ -10917,7 +10917,7 @@ dontaudit domain domain:process { noatsecure siginh rlimitinh } ; * Wed Jun 8 2011 Miroslav Grepl 3.9.16-27 - Fixes for zabbix - init script needs to be able to manage sanlock_var_run_... -- Allow sandlock and wdmd to create /var/run directories... +- Allow sandlock and wdmd to create /var/run directories... - mixclip.so has been compiled correctly - Fix passenger policy module name @@ -11014,17 +11014,17 @@ dontaudit domain domain:process { noatsecure siginh rlimitinh } ; - Virt_admin should be allowed to manage images and processes * Fri Apr 15 2011 Miroslav Grepl 3.9.16-15 -- xdm_t needs getsession for switch user -- Every app that used to exec init is now execing systemdctl -- Allow squid to manage krb5_host_rcache_t files +- xdm_t needs getsession for switch user +- Every app that used to exec init is now execing systemdctl +- Allow squid to manage krb5_host_rcache_t files - Allow foghorn to connect to agentx port - Fixes for colord policy * Mon Apr 11 2011 Miroslav Grepl 3.9.16-14 - Add Dan's patch to remove 64 bit variants -- Allow colord to use unix_dgram_socket -- Allow apps that search pids to read /var/run if it is a lnk_file -- iscsid_t creates its own directory -- Allow init to list var_lock_t dir +- Allow colord to use unix_dgram_socket +- Allow apps that search pids to read /var/run if it is a lnk_file +- iscsid_t creates its own directory +- Allow init to list var_lock_t dir - apm needs to verify user accounts auth_use_nsswitch - Add labeling for systemd unit files - Allow gnomeclok to enable ntpd service using systemctl - systemd_systemctl_t domain was added @@ -11074,7 +11074,7 @@ dontaudit domain domain:process { noatsecure siginh rlimitinh } ; * Wed Mar 23 2011 Miroslav Grepl 3.9.16-6 - Remove some unconfined domains - Remove permissive domains -- Add policy-term.patch from Dan +- Add policy-term.patch from Dan * Thu Mar 17 2011 Miroslav Grepl 3.9.16-5 - Fix multiple specification for boot.log @@ -11212,7 +11212,7 @@ assembled or disassembled. * Thu Jan 27 2011 Miroslav Grepl 3.9.13-6 - Fix xserver_dontaudit_read_xdm_pid - Change oracle_port_t to oracledb_port_t to prevent conflict with satellite -- Allow dovecot_deliver_t to read/write postfix_master_t:fifo_file. +- Allow dovecot_deliver_t to read/write postfix_master_t:fifo_file. * These fifo_file is passed from postfix_master_t to postfix_local_t to dovecot_deliver_t - Allow readahead to manage readahead pid dirs - Allow readahead to read all mcs levels @@ -11305,7 +11305,7 @@ assembled or disassembled. - fix name of plymouth log file - teamviewer is a wine app - allow dmesg to read system state -- Stop labeling files under /var/lib/mock so restorecon will not go into this +- Stop labeling files under /var/lib/mock so restorecon will not go into this - nsplugin needs to read network state for google talk * Thu Dec 23 2010 Dan Walsh 3.9.12-3 @@ -11528,7 +11528,7 @@ assembled or disassembled. - Fix label on /var/log/wicd.log - Transition to initrc_t from init when executing bin_t - Add audit_access permissions to file -- Make removable_t a device_node +- Make removable_t a device_node - Fix label on /lib/systemd/* * Fri Oct 22 2010 Dan Walsh 3.9.7-6 @@ -11604,8 +11604,8 @@ assembled or disassembled. - Add /etc/localtime as locale file context * Thu Sep 30 2010 Dan Walsh 3.9.5-9 -- Turn off default transition to mozilla_plugin and telepathy domains from unconfined user -- Turn off iptables from unconfined user +- Turn off default transition to mozilla_plugin and telepathy domains from unconfined user +- Turn off iptables from unconfined user - Allow sudo to send signals to any domains the user could have transitioned to. - Passwd in single user mode needs to talk to console_device_t - Mozilla_plugin_t needs to connect to web ports, needs to write to video device, and read alsa_home_t alsa setsup pulseaudio @@ -11687,7 +11687,7 @@ Bz #637339 Allow iptables to read shorewall tmp files Change chfn and passwd to use auth_use_pam so they can send dbus messages to fpr intd -label vlc as an execmem_exec_t +label vlc as an execmem_exec_t Lots of fixes for mozilla_plugin to run google vidio chat Allow telepath_msn to execute ldconfig and its own tmp files Fix labels on hugepages @@ -11766,7 +11766,7 @@ Add boolean to allow icecast to connect to any port * Wed Aug 4 2010 Dan Walsh 3.8.8-10 - Allow pcscd to read sysfs -- systemd fixes +- systemd fixes - Fix wine_mmap_zero_ignore boolean * Tue Aug 3 2010 Dan Walsh 3.8.8-9 @@ -11967,7 +11967,7 @@ Resolves: #585963 - Allow rlogind_t to search /root for .rhosts Resolves: #582760 - Fix path for cached_var_t -- Fix prelink paths /var/lib/prelink +- Fix prelink paths /var/lib/prelink - Allow confined users to direct_dri - Allow mls lvm/cryptosetup to work @@ -12025,7 +12025,7 @@ Resolves: #582145 - Fixes for labels during install from livecd * Thu Apr 1 2010 Dan Walsh 3.7.17-4 -- Fix /cgroup file context +- Fix /cgroup file context - Fix broken afs use of unlabled_t - Allow getty to use the console for s390 @@ -12164,7 +12164,7 @@ Resolves: #582145 - Merge with upstream * Thu Feb 11 2010 Dan Walsh 3.7.8-11 -- Allow sandbox to work with MLS +- Allow sandbox to work with MLS * Tue Feb 9 2010 Dan Walsh 3.7.8-9 - Make Chrome work with staff user @@ -12188,7 +12188,7 @@ Resolves: #582145 * Mon Jan 25 2010 Dan Walsh 3.7.8-3 - Allow abrt_helper to getattr on all filesystems -- Add label for /opt/real/RealPlayer/plugins/oggfformat\.so +- Add label for /opt/real/RealPlayer/plugins/oggfformat\.so * Thu Jan 21 2010 Dan Walsh 3.7.8-2 - Add gstreamer_home_t for ~/.gstreamer @@ -12304,7 +12304,7 @@ Resolves: #582145 - Fix request_module line to module_request * Fri Sep 18 2009 Dan Walsh 3.6.32-3 -- Fix sandbox policy to allow it to run under firefox. +- Fix sandbox policy to allow it to run under firefox. - Dont audit leaks. * Thu Sep 17 2009 Dan Walsh 3.6.32-2 @@ -12342,7 +12342,7 @@ Resolves: #582145 - Allow xserver to use netlink_kobject_uevent_socket * Thu Sep 3 2009 Dan Walsh 3.6.30-3 -- Fixes for sandbox +- Fixes for sandbox * Mon Aug 31 2009 Dan Walsh 3.6.30-2 - Dontaudit setroubleshootfix looking at /root directory @@ -12390,7 +12390,7 @@ Resolves: #582145 - Add policycoreutils-python to pre install * Thu Aug 13 2009 Dan Walsh 3.6.26-11 -- Make all unconfined_domains permissive so we can see what AVC's happen +- Make all unconfined_domains permissive so we can see what AVC's happen * Mon Aug 10 2009 Dan Walsh 3.6.26-10 - Add pt_chown policy @@ -12509,7 +12509,7 @@ Resolves: #582145 - Allow setroubleshoot to run mlocate * Mon Jun 8 2009 Dan Walsh 3.6.14-1 -- Update to upstream +- Update to upstream * Tue Jun 2 2009 Dan Walsh 3.6.13-3 - Add fish as a shell @@ -12749,7 +12749,7 @@ Resolves: #582145 - Add git web policy * Mon Feb 9 2009 Dan Walsh 3.6.5-1 -- Add setrans contains from upstream +- Add setrans contains from upstream * Mon Feb 9 2009 Dan Walsh 3.6.4-6 - Do transitions outside of the booleans @@ -12767,7 +12767,7 @@ Resolves: #582145 - More fixes for devicekit * Tue Feb 3 2009 Dan Walsh 3.6.4-1 -- Upgrade to latest upstream +- Upgrade to latest upstream * Mon Feb 2 2009 Dan Walsh 3.6.3-13 - Add boolean to disallow unconfined_t login @@ -12782,7 +12782,7 @@ Resolves: #582145 - Fixes for wicd daemon * Mon Jan 26 2009 Dan Walsh 3.6.3-9 -- More mls/rpm fixes +- More mls/rpm fixes * Fri Jan 23 2009 Dan Walsh 3.6.3-8 - Add policy to make dbus/nm-applet work @@ -12845,7 +12845,7 @@ Resolves: #582145 * Thu Dec 4 2008 Dan Walsh 3.6.1-7 - Allow iptables to talk to terminals - Fixes for policy kit -- lots of fixes for booting. +- lots of fixes for booting. * Wed Dec 3 2008 Dan Walsh 3.6.1-4 - Cleanup policy @@ -12861,7 +12861,7 @@ Resolves: #582145 * Wed Nov 5 2008 Dan Walsh 3.5.13-17 - Allow lvm to dbus chat with hal -- Allow rlogind to read nfs_t +- Allow rlogind to read nfs_t * Wed Nov 5 2008 Dan Walsh 3.5.13-16 - Fix cyphesis file context @@ -12884,7 +12884,7 @@ Resolves: #582145 - Add certmaster policy * Wed Oct 29 2008 Dan Walsh 3.5.13-11 -- Fix confined users +- Fix confined users - Allow xguest to read/write xguest_dbusd_t * Mon Oct 27 2008 Dan Walsh 3.5.13-9 @@ -12912,7 +12912,7 @@ Resolves: #582145 - Fix dovecot access * Fri Oct 17 2008 Dan Walsh 3.5.13-1 -- Policy cleanup +- Policy cleanup * Thu Oct 16 2008 Dan Walsh 3.5.12-3 - Remove Multiple spec @@ -12929,7 +12929,7 @@ Resolves: #582145 - Update to upstream policy * Mon Oct 6 2008 Dan Walsh 3.5.10-3 -- Fixes for confined xwindows and xdm_t +- Fixes for confined xwindows and xdm_t * Fri Oct 3 2008 Dan Walsh 3.5.10-2 - Allow confined users and xdm to exec wm @@ -12940,7 +12940,7 @@ Resolves: #582145 - Allow domains to search other domains keys, coverup kernel bug * Wed Oct 1 2008 Dan Walsh 3.5.9-4 -- Fix labeling for oracle +- Fix labeling for oracle * Wed Oct 1 2008 Dan Walsh 3.5.9-3 - Allow nsplugin to comminicate with xdm_tmp_t sock_file @@ -13003,7 +13003,7 @@ Resolves: #582145 - Update to upstream * Thu Aug 7 2008 Dan Walsh 3.5.3-1 -- Update to upstream +- Update to upstream * Sat Aug 2 2008 Dan Walsh 3.5.2-2 - Allow system-config-selinux to work with policykit @@ -13075,7 +13075,7 @@ Resolves: #582145 - Add /var/lib/selinux context * Wed Jun 11 2008 Dan Walsh 3.4.2-1 -- Update to upstream +- Update to upstream * Wed Jun 4 2008 Dan Walsh 3.4.1-5 - Add livecd policy @@ -13152,7 +13152,7 @@ Resolves: #582145 - dontaudit setfiles reading links - allow semanage sys_resource - add allow_httpd_mod_auth_ntlm_winbind boolean -- Allow privhome apps including dovecot read on nfs and cifs home +- Allow privhome apps including dovecot read on nfs and cifs home dirs if the boolean is set * Tue Apr 1 2008 Dan Walsh 3.3.1-27 @@ -13177,14 +13177,14 @@ dirs if the boolean is set * Tue Mar 18 2008 Dan Walsh 3.3.1-22 - Allow stunnel to transition to inetd children domains -- Make unconfined_dbusd_t an unconfined domain +- Make unconfined_dbusd_t an unconfined domain * Mon Mar 17 2008 Dan Walsh 3.3.1-21 - Fixes for qemu/virtd * Fri Mar 14 2008 Dan Walsh 3.3.1-20 - Fix bug in mozilla policy to allow xguest transition -- This will fix the +- This will fix the libsemanage.dbase_llist_query: could not find record value libsemanage.dbase_llist_query: could not query record value (No such file or @@ -13211,7 +13211,7 @@ directory) - Allow syslog to connect to mysql - Allow lvm to manage its own fifo_files - Allow bugzilla to use ldap -- More mls fixes +- More mls fixes * Tue Mar 11 2008 Bill Nottingham 3.3.1-14 - fixes for init policy (#436988) @@ -13243,7 +13243,7 @@ directory) * Tue Feb 26 2008 Dan Walsh 3.3.1-5 - Allow nsplugin_config execstack/execmem - Allow nsplugin_t to read alsa config -- Change apache to use user content +- Change apache to use user content * Tue Feb 26 2008 Dan Walsh 3.3.1-4 - Add cyphesis policy @@ -13454,7 +13454,7 @@ directory) - Fix xguest to be able to connect to sound port * Fri Oct 19 2007 Dan Walsh 3.0.8-28 -- Fixes for hald_mac +- Fixes for hald_mac - Treat unconfined_home_dir_t as a home dir - dontaudit rhgb writes to fonts and root @@ -13526,7 +13526,7 @@ directory) * Fri Sep 21 2007 Dan Walsh 3.0.8-8 - Allow also to search var_lib -- New context for dbus launcher +- New context for dbus launcher * Fri Sep 21 2007 Dan Walsh 3.0.8-7 - Allow cupsd_config_t to read/write usb_device_t @@ -13569,7 +13569,7 @@ directory) - Allow wine to run in system role * Thu Sep 6 2007 Dan Walsh 3.0.7-5 -- Fix java labeling +- Fix java labeling * Thu Sep 6 2007 Dan Walsh 3.0.7-4 - Define user_home_type as home_type @@ -13611,7 +13611,7 @@ directory) - Fix Makefile for building policy modules * Fri Aug 10 2007 Dan Walsh 3.0.5-5 -- Fix dhcpc startup of service +- Fix dhcpc startup of service * Fri Aug 10 2007 Dan Walsh 3.0.5-4 - Fix dbus chat to not happen for xguest and guest users @@ -13688,7 +13688,7 @@ directory) - Allow prelink to read kernel sysctls * Mon Jul 2 2007 Dan Walsh 3.0.1-5 -- Default to user_u:system_r:unconfined_t +- Default to user_u:system_r:unconfined_t * Sun Jul 1 2007 Dan Walsh 3.0.1-4 - fix squid @@ -13705,7 +13705,7 @@ directory) - Remove ifdef strict policy from upstream * Fri May 18 2007 Dan Walsh 2.6.5-3 -- Remove ifdef strict to allow user_u to login +- Remove ifdef strict to allow user_u to login * Fri May 18 2007 Dan Walsh 2.6.5-2 - Fix for amands @@ -13721,7 +13721,7 @@ directory) * Wed May 16 2007 Dan Walsh 2.6.4-5 - More fixes for alsactl - Transition from hal and modutils -- Fixes for suspend resume. +- Fixes for suspend resume. - insmod domtrans to alsactl - insmod writes to hal log @@ -13897,7 +13897,7 @@ Resolves: #227237 * Sun Feb 4 2007 Dan Walsh 2.5.2-5 - Fix ssh_agent to be marked as an executable -- Allow Hal to rw sound device +- Allow Hal to rw sound device * Thu Feb 1 2007 Dan Walsh 2.5.2-4 - Fix spamassisin so crond can update spam files @@ -13919,7 +13919,7 @@ Resolves: #227237 - Continue fixing, additional user domains * Wed Jan 10 2007 Dan Walsh 2.5.1-4 -- Begin adding user confinement to targeted policy +- Begin adding user confinement to targeted policy * Wed Jan 10 2007 Dan Walsh 2.5.1-2 - Fixes for prelink, ktalkd, netlabel @@ -13966,7 +13966,7 @@ Resolves: #220080 Resolves: #219999 * Thu Dec 14 2006 Dan Walsh 2.4.6-14 -- Allow cron to polyinstatiate +- Allow cron to polyinstatiate - Fix creation of boot flags Resolves: #207433 @@ -14020,7 +14020,7 @@ Resolves: #216184 Resolves: #212957 * Tue Nov 28 2006 Dan Walsh 2.4.6-1 -- Dontaudit appending hal_var_lib files +- Dontaudit appending hal_var_lib files Resolves: #217452 Resolves: #217571 Resolves: #217611 @@ -14068,7 +14068,7 @@ Resolves: #217725 - Allow xen to search automount * Thu Nov 9 2006 Dan Walsh 2.4.3-7 -- Fix spec of jre files +- Fix spec of jre files * Wed Nov 8 2006 Dan Walsh 2.4.3-6 - Fix unconfined access to shadow file @@ -14129,7 +14129,7 @@ Resolves: #217725 - Update xen to read nfs files * Mon Oct 23 2006 Dan Walsh 2.4-4 -- Allow noxattrfs to associate with other noxattrfs +- Allow noxattrfs to associate with other noxattrfs * Mon Oct 23 2006 Dan Walsh 2.4-3 - Allow hal to use power_device_t @@ -14222,10 +14222,10 @@ Resolves: #217725 - Update with upstream * Mon Sep 25 2006 Dan Walsh 2.3.15-2 -- mls fixes +- mls fixes * Fri Sep 22 2006 Dan Walsh 2.3.15-1 -- Update from upstream +- Update from upstream * Fri Sep 22 2006 Dan Walsh 2.3.14-8 - More fixes for mls @@ -14262,7 +14262,7 @@ Resolves: #217725 * Thu Sep 7 2006 Dan Walsh 2.3.13-3 - Fix location of xel log files -- Fix handling of sysadm_r -> rpm_exec_t +- Fix handling of sysadm_r -> rpm_exec_t * Thu Sep 7 2006 Dan Walsh 2.3.13-2 - Fixes for autofs, lp @@ -14320,7 +14320,7 @@ Resolves: #217725 - More java fixes * Fri Aug 11 2006 Dan Walsh 2.3.6-4 -- Change allow_execstack to default to on, for RHEL5 Beta. +- Change allow_execstack to default to on, for RHEL5 Beta. This is required because of a Java compiler problem. Hope to turn off for next beta @@ -14347,7 +14347,7 @@ Resolves: #217725 * Wed Aug 2 2006 Dan Walsh 2.3.3-18 - yet more xen rules - + * Tue Aug 1 2006 Dan Walsh 2.3.3-17 - more xen rules @@ -14367,7 +14367,7 @@ Resolves: #217725 - fixes for setroubleshoot * Wed Jul 26 2006 Dan Walsh 2.3.3-11 -- Added Paul Howarth patch to only load policy packages shipped +- Added Paul Howarth patch to only load policy packages shipped with this package - Allow pidof from initrc to ptrace higher level domains - Allow firstboot to communicate with hal via dbus @@ -14763,7 +14763,7 @@ Resolves: #217725 - Fix semoudle polcy * Thu Feb 16 2006 Dan Walsh 2.2.16-1 -- Update to upstream +- Update to upstream - fix sysconfig/selinux link * Wed Feb 15 2006 Dan Walsh 2.2.15-4 @@ -14826,7 +14826,7 @@ Resolves: #217725 - Put back in changes for pup/zen * Tue Jan 24 2006 Dan Walsh 2.2.5-1 -- Many changes for MLS +- Many changes for MLS - Turn on strict policy * Mon Jan 23 2006 Dan Walsh 2.2.4-1 @@ -14876,7 +14876,7 @@ Resolves: #217725 * Mon Jan 9 2006 Dan Walsh 2.1.8-1 - Update to upstream -- Apply +- Apply * Fri Jan 6 2006 Dan Walsh 2.1.7-4 - Add wine and fix hal problems @@ -14947,7 +14947,7 @@ Resolves: #217725 - Fixes to start kernel in s0-s15:c0.c255 * Wed Dec 14 2005 Dan Walsh 2.1.6-3 -- Add java unconfined/execmem policy +- Add java unconfined/execmem policy * Wed Dec 14 2005 Dan Walsh 2.1.6-2 - Add file context for /var/cvs @@ -14976,7 +14976,7 @@ Resolves: #217725 - Allow unconfined_t to execmod texrel_shlib_t * Sat Dec 10 2005 Dan Walsh 2.1.2-1 -- Update to upstream +- Update to upstream - Turn off allow_execmem and allow_execmod booleans - Add tcpd and automount policies @@ -15024,7 +15024,7 @@ Update from upstream - Fixes for dovecot and saslauthd * Wed Nov 23 2005 Dan Walsh 2.0.5-4 -- Cleanup pegasus and named +- Cleanup pegasus and named - Fix spec file - Fix up passwd changing applications