Commit Graph

529 Commits

Author SHA1 Message Date
Zdenek Pytela
80410eaf30 * Thu May 20 2021 Zdenek Pytela <zpytela@redhat.com> - 34.8-1
- Allow local_login_t nnp_transition to login_userdomain
- Allow asterisk watch localization symlinks
- Allow NetworkManager_t to watch /etc
- Label /var/lib/kdump with kdump_var_lib_t
- Allow amanda get attributes of cgroup filesystems
- Allow sysadm_t nnp_domtrans to systemd_tmpfiles_t
- Allow install_t nnp_domtrans to setfiles_mac_t
- Allow fcoemon create sysfs files
2021-05-20 15:09:34 +02:00
Zdenek Pytela
30f8c042ae * Thu May 13 2021 Zdenek Pytela <zpytela@redhat.com> - 34.7-1
- Allow tgtd read and write infiniband devices
- Add a comment on virt_sandbox booleans with empty content
- Deprecate duplicate dev_write_generic_sock_files() interface
- Allow vnstatd_t map vnstatd_var_lib_t files
- Allow privoxy execmem
- Allow pmdakvm read information from the debug filesystem
- Add lockdown integrity into kernel_read_debugfs() and kernel_manage_debugfs()
- Add permissions to delete lnk_files into gnome_delete_home_config()
- Remove rules for inotifyfs
- Remove rules for anon_inodefs
- Allow systemd nnp_transition to login_userdomain
- Allow unconfined_t write other processes perf_event records
- Allow sysadm_t dbus chat with tuned
- Allow tuned write profile files with file transition
- Allow tuned manage perf_events
- Make domains use kernel_write_perf_event() and kernel_manage_perf_event()
2021-05-13 18:42:35 +02:00
Zdenek Pytela
4fecc6469f * Fri May 07 2021 Zdenek Pytela <zpytela@redhat.com> - 34.6-1
- Make domains use kernel_write_perf_event() and kernel_manage_perf_event()
- Add kernel_write_perf_event() and kernel_manage_perf_event()
- Allow syslogd_t watch root and var directories
- Allow unconfined_t read other processes perf_event records
- Allow login_userdomain read and map /var/lib/systemd files
- Allow NetworkManager watch its config dir
- Allow NetworkManager read and write z90crypt device
- Allow tgtd create and use rdma socket
- Allow aide connect to init with a unix socket
2021-05-07 18:08:57 +02:00
Zdenek Pytela
b900d641f6 * Tue May 04 2021 Zdenek Pytela <zpytela@redhat.com> - 34.5-1
- Grant execmem to varnishlog_t
- We no longer need signull for varnishlog_t
- Add map permission to varnishd_read_lib_files
- Allow systemd-sleep tlp_filetrans_named_content()
- Allow systemd-sleep execute generic programs
- Allow systemd-sleep execute shell
- Allow to sendmail read/write kerberos host rcache files
- Allow freshclam get attributes of cgroup filesystems
- Fix context of /run/systemd/timesync
- Allow udev create /run/gdm with proper type
- Allow chronyc socket file transition in user temp directory
- Allow virtlogd_t to create virt_var_lockd_t dir
- Allow pluto IKEv2 / ESP over TCP
2021-05-04 20:27:30 +02:00
Zdenek Pytela
2b76eb3833 * Tue Apr 27 2021 Zdenek Pytela <zpytela@redhat.com> - 34.4-1
- Allow domain create anonymous inodes
- Add anon_inode class to the policy
- Allow systemd-coredump getattr nsfs files and net_admin capability
- Allow systemd-sleep transition to sysstat_t
- Allow systemd-sleep transition to tlp_t
- Allow systemd-sleep transition to unconfined_service_t on bin_t executables
- Allow systemd-timedated watch runtime dir and its parent
- Allow system dbusd read /var/lib symlinks
- Allow unconfined_service_t confidentiality and integrity lockdown
- Label /var/lib/brltty with brltty_var_lib_t
- Allow domain and unconfined_domain_type watch /proc/PID dirs
- Additional permission for confined users loging into graphic session
- Make for screen fsetid/setuid/setgid permission conditional
- Allow for confined users acces to wtmp and run utempter
2021-04-27 19:55:59 +02:00
Zdenek Pytela
ab4d6094ae * Fri Apr 09 2021 Zdenek Pytela <zpytela@redhat.com> - 34.3-1
- Label /etc/redis as redis_conf_t
- Add brltty new permissions required by new upstream version
- Allow cups-lpd read its private runtime socket files
- Dontaudit daemon open and read init_t file
- Add file context specification for /var/tmp/tmp-inst
- Allow brltty create and use bluetooth_socket
- Allow usbmuxd get attributes of cgroup filesystems

* Tue Apr 06 2021 Zdenek Pytela <zpytela@redhat.com> - 34.2-1
- Allow usbmuxd get attributes of cgroup filesystems
- Allow accounts-daemon get attributes of cgroup filesystems
- Allow pool-geoclue get attributes of cgroup filesystems
- allow systemd-sleep to set timer for suspend-then-hibernate
- Allow aide connect to systemd-userdbd with a unix socket
- Add new interfaces with watch_mount and watch_with_perm permissions
- Add file context specification for /usr/libexec/realmd
- Allow /tmp file transition for dbus-daemon also for sock_file
- Allow login_userdomain create cgroup files
- Allow plymouthd_t exec generic program in bin directories

* Thu Apr 01 2021 Zdenek Pytela <zpytela@redhat.com> - 34.1-1
- Change the package versioning

* Thu Apr 01 2021 Zdenek Pytela <zpytela@redhat.com> - 3.14.8-10
- Allow plymouthd_t exec generic program in bin directories
- Allow dhcpc_t domain transition to chronyc_t
- Allow login_userdomain bind xmsg port
- Allow ibacm the net_raw and sys_rawio capabilities
- Allow nsswitch_domain read cgroup files
- Allow systemd-sleep create hardware state information files

* Mon Mar 29 2021 Zdenek Pytela <zpytela@redhat.com> - 3.14.8-9
- Add watch_with_perm_dirs_pattern file pattern
2021-04-09 22:45:41 +02:00
Zdenek Pytela
6ff3284cb2 * Fri Mar 26 2021 Zdenek Pytela <zpytela@redhat.com> - 3.14.8-8
- Allow arpwatch_t create netlink generic socket
- Allow postgrey read network state
- Add watch_mount_dirs_pattern file pattern
- Allow bluetooth_t dbus chat with fwupd_t
- Allow xdm_t watch accountsd lib directories
- Add additional interfaces for watching /boot
- Allow sssd_t get attributes of tmpfs filesystems
- Allow local_login_t get attributes of tmpfs filesystems
- Dontaudit domain the fowner capability
- Extend fs_manage_nfsd_fs() to allow managing dirs as well
- Allow spice-vdagentd watch systemd-logind session dirs
2021-03-26 16:10:54 +01:00
Zdenek Pytela
7e06a74914 * Fri Mar 19 2021 Zdenek Pytela <zpytela@redhat.com> - 3.14.8-7
- Allow xdm_t watch systemd-logind session dirs
- Allow xdm_t transition to system_dbusd_t
- Allow confined users login into graphic session
- Allow login_userdomain watch systemd login session dirs
- install_t: Allow NoNewPriv transition from systemd
- Remove setuid/setgid capabilities from mysqld_t
- Add context for new mariadbd executable files
- Allow netutils_t create netlink generic socket
- Allow systemd the audit_control capability conditionally
2021-03-19 21:52:07 +01:00
Zdenek Pytela
77437ed12d * Thu Mar 11 2021 Zdenek Pytela <zpytela@redhat.com> - 3.14.8-6
- Allow polkit-agent-helper-1 read logind sessions files
- Allow polkit-agent-helper read init state
- Allow login_userdomain watch generic device dirs
- Allow login_userdomain listen on bluetooth sockets
- Allow user_t and staff_t bind netlink_generic_socket
- Allow login_userdomain write inaccessible nodes
- Allow transition from xdm domain to unconfined_t domain.
- Add 'make validate' step to CI
- Disallow user_t run su/sudo and staff_t run su
- Fix typo in rsyncd.conf in rsync.if
- Add an alias for nvme_device_t
- Allow systemd watch and watch_reads unallocated ttys
2021-03-11 22:25:45 +01:00
Zdenek Pytela
dd41f17526 * Wed Mar 03 2021 Zdenek Pytela <zpytela@redhat.com> - 3.14.8-5
- Allow apmd watch generic device directories
- Allow kdump load a new kernel
- Add confidentiality lockdown permission to kernel_read_core_if()
- Allow keepalived read nsfs files
- Allow local_login_t get attributes of filesystems with ext attributes
- Allow keepalived read/write its private memfd: objects
- Add missing declaration in rpm_named_filetrans()
- Change param description in cron interfaces to userdomain_prefix
2021-03-03 11:24:58 +01:00
Zdenek Pytela
2faa5c2293 * Wed Feb 24 2021 Zdenek Pytela <zpytela@redhat.com> - 3.14.8-4
- iptables.fc: Add missing legacy entries
- iptables.fc: Remove some duplicate entries
- iptables.fc: Remove duplicate file context entries
- Allow libvirtd to create generic netlink sockets
- Allow libvirtd the fsetid capability
- Allow libvirtd to read /run/utmp
- Dontaudit sys_ptrace capability when calling systemctl
- Allow udisksd to read /dev/random
- Allow udisksd to watch files under /run/mount
- Allow udisksd to watch /etc
- Allow crond to watch user_cron_spool_t directories
- Allow accountsd watch xdm config directories
- Label /etc/avahi with avahi_conf_t
- Allow sssd get cgroup filesystems attributes and search cgroup dirs
- Allow systemd-hostnamed read udev runtime data
- Remove dev_getattr_sysfs_fs() interface calls for particular domains
- Allow domain stat the /sys filesystem
- Dontaudit NetworkManager write to initrc_tmp_t pipes
- policykit.te: Clean up watch rule for policykit_auth_t
- Revert further unnecessary watch rules
- Revert "Allow getty watch its private runtime files"
- Allow systemd watch generic /var directories
- Allow init watch network config files and lnk_files
- Allow systemd-sleep get attributes of fixed disk device nodes
- Complete initial policy for systemd-coredump
- Label SDC(scini) Dell Driver
- Allow upowerd to send syslog messages
- Remove the disk write permissions from tlp_t
- Label NVMe devices as fixed_disk_device_t
- Allow rhsmcertd bind tcp sockets to a generic node
- Allow systemd-importd manage machines.lock file
2021-02-24 10:14:28 +01:00
Zdenek Pytela
aa1f535cb2 * Tue Feb 16 2021 Zdenek Pytela <zpytela@redhat.com> - 3.14.8-3
- Allow unconfined integrity lockdown permission
- Relocate confidentiality lockdown rule from unconfined_domain_type to unconfined
- Allow systemd-machined manage systemd-userdbd runtime sockets
- Enable systemd-sysctl domtrans for udev
- Introduce kernel_load_unsigned_module interface and use it for couple domains
- Allow gpg watch user gpg secrets dirs
- Build also the container module in CI
- Remove duplicate code from kernel.te
- Allow restorecond to watch all non-auth directories
- Allow restorecond to watch its config file
2021-02-16 22:47:33 +01:00
Zdenek Pytela
15dc304d75 * Mon Feb 15 2021 Zdenek Pytela <zpytela@redhat.com> - 3.14.8-2
- Allow userdomain watch various filesystem objects
- Allow systemd-logind and systemd-sleep integrity lockdown permission
- Allow unconfined_t and kprop_t to create krb5_0.rcache2 with the right context
- Allow pulseaudio watch devices and systemd-logind session dirs
- Allow abrt-dump-journal-* watch generic log dirs and /run/log/journal dir
- Remove duplicate files_mounton_etc(init_t) call
- Add watch permissions to manage_* object permissions sets
- Allow journalctl watch generic log dirs and /run/log/journal dir
- Label /etc/resolv.conf as net_conf_t even when it's a symlink
- Allow SSSD to watch /var/run/NetworkManager
- Allow dnsmasq_t to watch /etc
- Remove unnecessary lines from the new watch interfaces
- Fix docstring for init_watch_dir()
- Allow xdm watch its private lib dirs, /etc, /usr
2021-02-15 20:38:28 +01:00
Zdenek Pytela
d558c4f1c7 * Thu Feb 11 2021 Zdenek Pytela <zpytela@redhat.com> - 3.14.8-1
- Bump version as Fedora 34 has been branched off rawhide
- Allow xdm watch its private lib dirs, /etc, /usr
- Allow systemd-importd create /run/systemd/machines.lock file
- Allow rhsmcertd_t read kpatch lib files
- Add integrity lockdown permission into dev_read_raw_memory()
- Add confidentiality lockdown permission into fs_rw_tracefs_files()
- Allow gpsd read and write ptp4l_t shared memory.
- Allow colord watch its private lib files and /usr
- Allow init watch_reads mount PID files
- Allow IPsec and Certmonger to use opencryptoki services
2021-02-11 22:08:31 +01:00
Zdenek Pytela
c7e90bc196 * Sun Feb 07 2021 Zdenek Pytela <zpytela@redhat.com> - 3.14.7-18
- Allow lockdown confidentiality for domains using perf_event
- define lockdown class and access
- Add perfmon capability for all domains using perf_event
- Allow ptp4l_t bpf capability to run bpf programs
- Revert "Allow ptp4l_t sys_admin capability to run bpf programs"
- access_vectors: Add new capabilities to cap2
- Allow systemd and systemd-resolved watch dbus pid objects
- Add new watch interfaces in the base and userdomain policy
- Add watch permissions for contrib packages
- Allow xdm watch /usr directories
- Allow getty watch its private runtime files
- Add watch permissions for nscd and sssd
- Add watch permissions for firewalld and NetworkManager
- Add watch permissions for syslogd
- Add watch permissions for systemd services
- Allow restorecond watch /etc dirs
- Add watch permissions for user domain types
- Add watch permissions for init
- Add basic watch interfaces for systemd
- Add basic watch interfaces to the base module
- Add additional watch object permissions sets and patterns
- Allow init_t to watch localization symlinks
- Allow init_t to watch mount directories
- Allow init_t to watch cgroup files
- Add basic watch patterns
- Add new watch* permissions
2021-02-08 21:24:07 +01:00
Zdenek Pytela
c2d5ebb406 * Fri Feb 05 2021 Zdenek Pytela <zpytela@redhat.com> - 3.14.7-17
- Update .copr/make-srpm.sh to use rawhide as DISTGIT_BRANCH
- Dontaudit setsched for rndc
- Allow systemd-logind destroy entries in message queue
- Add userdom_destroy_unpriv_user_msgq() interface
- ci: Install build dependencies from koji
- Dontaudit vhostmd to write in /var/lib/rpm/ dir and allow signull rpm
- Add new cmadmin port for bfdd dameon
- virtiofs supports Xattrs and SELinux
- Allow domain write to systemd-resolved PID socket files
- Label /var/run/pcsd-ruby.socket       socket with cluster_var_run_t type
- Allow rhsmcertd_t domain transition to kpatch_t
- Revert "Add kpatch_exec() interface"
- Revert "Allow rhsmcertd execute kpatch"
- Allow openvswitch create and use xfrm netlink sockets
- Allow openvswitch_t perf_event write permission
- Add kpatch_exec() interface
- Allow rhsmcertd execute kpatch
- Adds rule to allow glusterd to access RDMA socket
- radius: Lexical sort of service-specific corenet rules by service name
- VQP: Include IANA-assigned TCP/1589
- radius: Allow binding to the VQP port (VMPS)
- radius: Allow binding to the BDF Control and Echo ports
- radius: Allow binding to the DHCP client port
- radius: Allow net_raw; allow binding to the DHCP server ports
- Add rsync_sys_admin tunable to allow rsync sys_admin capability
- Allow staff_u run pam_console_apply
- Allow openvswitch_t perf_event open permission
- Allow sysadm read and write /dev/rfkill
- Allow certmonger fsetid capability
- Allow domain read usermodehelper state information
2021-02-05 12:51:30 +01:00
Zdenek Pytela
d76e0b4040 * Fri Jan 8 18:41:06 CET 2021 Zdenek Pytela <zpytela@redhat.com> - 3.14.7-14
- Allow domain read usermodehelper state information
- Remove all kernel_read_usermodehelper_state() interface calls
- .copr: improve timestamp format
- Allow wireshark create and use rdma socket
- Allow domain stat /proc filesystem
- Remove all kernel_getattr_proc() interface calls
- Revert "Allow passwd to get attributes in proc_t"
- Revert "Allow dovecot_auth_t stat /proc filesystem"
- Revert "Allow sssd, unix_chkpwd, groupadd stat /proc filesystem"
- Allow sssd read /run/systemd directory
- Label /dev/vhost-vdpa-[0-9]+ as vhost_device_t
2021-01-08 18:44:14 +01:00
Zdenek Pytela
d5b79a1cb7 * Thu Dec 17 20:07:23 CET 2020 Zdenek Pytela <zpytela@redhat.com> - 3.14.7-13
- Label /dev/isst_interface as cpu_device_t
- Dontaudit firewalld dac_override capability
- Allow ipsec set the context of a SPD entry to the default context
- Build binary RPMs in CI
- Add SRPM build scripts for COPR
2020-12-17 20:11:46 +01:00
Zdenek Pytela
fa72125856 * Tue Dec 15 16:24:44 CET 2020 Zdenek Pytela <zpytela@redhat.com> - 3.14.7-12
- Allow dovecot_auth_t stat /proc filesystem
- Allow sysadm_u user and unconfined_domain_type manage perf_events
- Allow pcp-pmcd manage perf_events
- Add manage_perf_event_perms object permissions set
- Add perf_event access vectors.
- Allow sssd, unix_chkpwd, groupadd stat /proc filesystem
- Allow stub-resolv.conf to be a symlink
- sysnetwork.if: avoid directly referencing systemd_resolved_var_run_t
- Create the systemd_dbus_chat_resolved() compatibility interface
- Allow nsswitch-domain write to systemd-resolved PID socket files
- Add systemd_resolved_write_pid_sock_files() interface
- Add default file context for "/var/run/chrony-dhcp(/.*)?"
- Allow timedatex dbus chat with cron system domain
- Add cron_dbus_chat_system_job() interface
- Allow systemd-logind manage init's pid files
2020-12-15 16:31:51 +01:00
Zdenek Pytela
8d02847dad * Wed Dec 9 15:39:03 CET 2020 Zdenek Pytela <zpytela@redhat.com> - 3.14.7-11
- Allow systemd-logind manage init's pid files
- Allow tcsd the setgid capability
- Allow systemd-resolved manage its private runtime symlinks
- Update systemd_resolved_read_pid() to also read symlinks
- Update systemd-sleep policy
- Add groupadd_t fowner capability
- Migrate to GitHub Actions
- Update README.md to reflect the state after contrib and base merge
- Add README.md announcing merging of selinux-policy and selinux-policy-contrib
- Adapt .travis.yml to contrib merge
- Merge contrib into the main repo
- Prepare to merge contrib repo
- Move stuff around to match the main repo
2020-12-09 15:42:48 +01:00
Zdenek Pytela
e94a380d32 * Thu Nov 26 2020 Zdenek Pytela <zpytela@redhat.com> - 3.14.7-10
- Allow Xephyr connect to 6000/tcp port and open user ptys
- Allow kexec manage generic tmp files
- Update targetd nfs & lvm
- Add interface rpc_manage_exports
- Merge selinux-policy and selinux-policy-contrib repos
2020-11-26 19:32:31 +01:00
Zdenek Pytela
595a6449f5 * Tue Nov 24 2020 Zdenek Pytela <zpytela@redhat.com> - 3.14.7-9
- Allow varnish map its private tmp files
- Allow dovecot bind to smtp ports
- Change fetchmail temporary files path to /var/spool/mail
- Allow cups_pdf_t domain to communicate with unix_dgram_socket
- Set file context for symlinks in /etc/httpd to etc_t
- Allow rpmdb rw access to inherited console, ttys, and ptys
- Allow dnsmasq read public files
- Announce merging of selinux-policy and selinux-policy-contrib
- Label /etc/resolv.conf as net_conf_t only if it is a plain file
- Fix range for unreserved ports
- Add files_search_non_security_dirs() interface
- Introduce logging_syslogd_append_public_content tunable
- Add miscfiles_append_public_files() interface
2020-11-24 19:47:48 +01:00
Zdenek Pytela
05fb517c90 * Fri Nov 13 2020 Zdenek Pytela <zpytela@redhat.com> - 3.14.7-8
- Set correct default file context for /usr/libexec/pcp/lib/*
- Introduce rpmdb_t type
- Allow slapd manage files/dirs in ldap certificates directory
- Revert "Allow certmonger add new entries in a generic certificates directory"
- Allow certmonger add new entries in a generic certificates directory
- Allow slapd add new entries in ldap certificates directory
- Remove retired PCP pmwebd and pmmgr daemons (since 5.0)
- Let keepalived bind a raw socket
- Add default file context for /usr/libexec/pcp/lib/*
- squid: Allow net_raw capability when squid_use_tproxy is enabled
- systemd: allow networkd to check namespaces
- Add ability to read init_var_run_t where fs_read_efivarfs_files is allowed
- Allow resolved to created varlink sockets and the domain to talk to it
- selinux: tweak selinux_get_enforce_mode() to allow status page to be used
- systemd: allow all systemd services to check selinux status
- Set default file context for /var/lib/ipsec/nss
- Allow user domains transition to rpmdb_t
- Revert "Add miscfiles_add_entry_generic_cert_dirs() interface"
- Revert "Add miscfiles_create_generic_cert_dirs() interface"
- Update miscfiles_manage_all_certs() to include managing directories
- Add miscfiles_create_generic_cert_dirs() interface
- Add miscfiles_add_entry_generic_cert_dirs() interface
- Revert "Label /var/run/zincati/public/motd.d/* as motd_var_run_t"
2020-11-13 10:13:13 +01:00
Zdenek Pytela
4da7d1152a * Thu Oct 22 2020 Zdenek Pytela <zpytela@redhat.com> - 3.14.7-6
- rpc.fc: Include /etc/exports.d dir & files
- Create chronyd_pid_filetrans() interface
- Change invalid type redisd_t to redis_t in redis_stream_connect()
- Revert "Removed adding to attribute unpriv_userdomain from userdom_unpriv_type template"
- Allow init dbus chat with kernel
- Allow initrc_t create /run/chronyd-dhcp directory with a transition
- Drop gcc from dependencies in Travis CI
- fc_sort.py: Use "==" for comparing integers.
- re-implement fc_sort in python
- Remove invalid file context line
- Drop git from dependencies in Travis CI
2020-10-22 18:12:31 +02:00
Zdenek Pytela
5772505d0d * Tue Oct 06 2020 Zdenek Pytela <zpytela@redhat.com> - 3.14.7-5
- Remove empty line from rshd.fc
- Allow systemd-logind read swap files
- Add fstools_read_swap_files() interface
- Allow dyntransition from sshd_t to unconfined_t
- Removed adding to attribute unpriv_userdomain from userdom_unpriv_type template
2020-10-06 15:41:07 +02:00
Zdenek Pytela
5a32f59808 * Fri Sep 25 2020 Zdenek Pytela <zpytela@redhat.com> - 3.14.7-4
- Allow chronyd_t to accept and make NTS-KE connections
- Allow domain write to an automount unnamed pipe
- Label /var/run/zincati/public/motd.d/* as motd_var_run_t
- Allow login programs to (only) read MOTD files and symlinks
- Relabel /usr/sbin/charon-systemd as ipsec_exec_t
- Confine systemd-sleep service
- Add fstools_rw_swap_files() interface
- Label 4460/tcp port as ntske_port_t
- Add lvm_dbus_send_msg(), lvm_rw_var_run() interfaces
2020-09-25 19:12:03 +02:00
Zdenek Pytela
4b8bcba2a7 * Mon Sep 21 2020 Zdenek Pytela <zpytela@redhat.com> - 3.14.7-3
- Check out the right -contrib branch in Travis
2020-09-21 13:54:33 +02:00
Zdenek Pytela
2cf6b0aa1d * Fri Sep 18 2020 Zdenek Pytela <zpytela@redhat.com> - 3.14.7-2
- Allow openvswitch fowner capability and create netlink sockets
- Allow additional permissions for gnome-initial-setup
- Add to map non_security_files to the userdom_admin_user_template template
- kernel/filesystem: Add exfat support (no extended attributes)
2020-09-18 16:00:35 +02:00
Zdenek Pytela
129e6fcdd4 * Tue Sep 08 2020 Zdenek Pytela <zpytela@redhat.com> - 3.14.7-1
- Bump version as Fedora 33 has been branched
- Allow php-fpm write access to /var/run/redis/redis.sock
- Allow journalctl to read and write to inherited user domain tty
- Update rkt policy to allow rkt_t domain to read sysfs filesystem
- Allow arpwatch create and use rdma socket
- Allow plymouth sys_chroot capability
- Allow gnome-initial-setup execute in a xdm sandbox
- Add new devices and filesystem interfaces
2020-09-09 15:22:20 +02:00
Zdenek Pytela
491bb86202 * Mon Aug 24 2020 Zdenek Pytela <zpytela@redhat.com> - 3.14.6-25
- Allow certmonger fowner capability
- The nfsdcld service is now confined by SELinux
- Change transitions for ~/.config/Yubico
- Allow all users to connect to systemd-userdbd with a unix socket
- Add file context for ~/.config/Yubico
- Allow syslogd_t domain to read/write tmpfs systemd-bootchart files
- Allow login_pgm attribute to get attributes in proc_t
- Allow passwd to get attributes in proc_t
- Revert "Allow passwd to get attributes in proc_t"
- Revert "Allow login_pgm attribute to get attributes in proc_t"
- Allow login_pgm attribute to get attributes in proc_t
- Allow passwd to get attributes in proc_t
- Allow traceroute_t and ping_t to bind generic nodes.
- Create macro corenet_icmp_bind_generic_node()
- Allow unconfined_t to node_bind icmp_sockets in node_t domain
2020-08-27 08:58:40 +02:00
Zdenek Pytela
8bda530858 * Thu Aug 13 2020 Zdenek Pytela <zpytela@redhat.com> - 3.14.6-24
- Add ipa_helper_noatsecure() interface unconditionally
- Conditionally allow nagios_plugin_domain dbus chat with init
- Revert "Update allow rules set for nrpe_t domain"
- Add ipa_helper_noatsecure() interface to ipa.if
- Label /usr/libexec/qemu-pr-helper with virtd_exec_t
- Allow kadmind manage kerberos host rcache
- Allow nsswitch_domain to connect to systemd-machined using a unix socket
- Define named file transition for sshd on /tmp/krb5_0.rcache2
- Allow systemd-machined create userdbd runtime sock files
- Disable kdbus module before updating
2020-08-13 20:12:50 +02:00
Zdenek Pytela
01e3f0a70d * Mon Aug 03 2020 Zdenek Pytela <zpytela@redhat.com> - 3.14.6-23
- Revert "Add support for /sys/fs/kdbus and allow login_pgm domain to access it."
- Revert "Add interface to allow types to associate with cgroup filesystems"
- Revert "kdbusfs should not be accessible for now."
- Revert "kdbusfs should not be accessible for now by default for shipped policies. It should be moved to kdbus.pp"
- Revert "Add kdbus.pp policy to allow access /sys/fs/kdbus. It needs to go with own module because this is workaround for now to avoid SELinux in enforcing mode."
- Remove the legacy kdbus module
- Remove "kdbus = module" from modules-targeted-base.conf
2020-08-03 13:25:54 +02:00
Zdenek Pytela
8394f612f0 * Thu Jul 30 2020 Zdenek Pytela <zpytela@redhat.com> - 3.14.6-22
- Allow virtlockd only getattr and lock block devices
- Allow qemu-ga read all non security file types conditionally
- Allow virtlockd manage VMs posix file locks
- Allow smbd get attributes of device files labeled samba_share_t
- Label /tmp/krb5_0.rcache2 with krb5_host_rcache_t
- Add a new httpd_can_manage_courier_spool boolean
- Create interface courier_manage_spool_sockets() in courier policy to allow to search dir and allow manage sock files
- Revert "Allow qemu-kvm read and write /dev/mapper/control"
- Revert "Allow qemu read and write /dev/mapper/control"
- Revert "Dontaudit and disallow sys_admin capability for keepalived_t domain"
- Dontaudit pcscd_t setting its process scheduling
- Dontaudit thumb_t setting its process scheduling
- Allow munin domain transition with NoNewPrivileges
- Add dev_lock_all_blk_files() interface
- Allow auditd manage kerberos host rcache files
- Allow systemd-logind dbus chat with fwupd
2020-07-30 18:50:17 +02:00
Lukas Vrabec
0b0aa798b9
* Mon Jul 13 2020 Lukas Vrabec <lvrabec@redhat.com> - 3.14.6-20
- Align gen_tunable() syntax with sepolgen
2020-07-13 17:47:32 +02:00
Zdenek Pytela
33a29656c0 * Fri Jul 10 2020 Zdenek Pytela <zpytela@redhat.com> - 3.14.6-19
- Additional support for keepalived running in a namespace
- Remove systemd_dbus_chat_resolved(pcp_pmie_t)
- virt: remove the libvirt qmf rules
- Allow certmonger manage dirsrv services
- Run ipa_helper_noatsecure(oddjob_t) only if the interface exists
- Allow domain dbus chat with systemd-resolved
- Define file context for /var/run/netns directory only
- Revert "Add support for fuse.glusterfs"
2020-07-10 17:18:49 +02:00
Zdenek Pytela
d1c7bc688f * Tue Jul 07 2020 Zdenek Pytela <zpytela@redhat.com> - 3.14.6-18
- Allow oddjob_t process noatsecure permission for ipa_helper_t
- Allow keepalived manage its private type runtime directories
- Update irqbalance runtime directory file context
- Allow irqbalance file transition for pid sock_files and directories
- Allow systemd_private_tmp(dirsrv_tmp_t) instead of dirsrv_t
- Allow virtlogd_t manage virt lib files
- Allow systemd set efivarfs files attributes
- Support systemctl --user in machinectl
- Allow chkpwd_t read and write systemd-machined devpts character nodes
- Allow init_t write to inherited systemd-logind sessions pipes
2020-07-07 16:11:16 +02:00
Zdenek Pytela
c04fecfb03 * Fri Jun 26 2020 Zdenek Pytela <zpytela@redhat.com> - 3.14.6-17
- Allow pdns server to read system state
- Allow irqbalance nnp_transition
- Fix description tag for the sssd_connect_all_unreserved_ports tunable
- Allow journalctl process set its resource limits
- Add sssd_access_kernel_keys tunable to conditionally access kernel keys
- Make keepalived work with network namespaces
- Create sssd_connect_all_unreserved_ports boolean
- Allow hypervkvpd to request kernel to load a module
- Allow systemd_private_tmp(dirsrv_tmp_t)
- Allow microcode_ctl get attributes of sysfs directories
- Remove duplicate files_dontaudit_list_tmp(radiusd_t) line
- Allow radiusd connect to gssproxy over unix domain stream socket
- Add fwupd_cache_t file context for '/var/cache/fwupd(/.*)?'
- Allow qemu read and write /dev/mapper/control
- Allow tlp_t can_exec() tlp_exec_t
- Dontaudit vpnc_t setting its process scheduling
- Remove files_mmap_usr_files() call for particular domains
- Allow dirsrv_t list cgroup directories
- Crete the kerberos_write_kadmind_tmp_files() interface
- Allow realmd_t dbus chat with accountsd_t
- Label systemd-growfs and systemd-makefs       as fsadm_exec_t
- Allow staff_u and user_u setattr generic usb devices
- Allow sysadm_t dbus chat with accountsd
- Modify kernel_rw_key() not to include append permission
- Add kernel_rw_key() interface to access to kernel keyrings
- Modify systemd_delete_private_tmp() to use delete_*_pattern macros
- Allow systemd-modules to load kernel modules
- Add cachefiles_dev_t as a typealias to cachefiles_device_t
- Allow libkrb5 lib read client keytabs
- Allow domain mmap usr_t files
- Remove files_mmap_usr_files() call for systemd domains
- Allow sshd write to kadmind temporary files
- Do not audit staff_t and user_t attempts to manage boot_t entries
- Add files_dontaudit_manage_boot_dirs() interface
- Allow systemd-tty-ask-password-agent read efivarfs files
2020-06-26 16:15:46 +02:00
Zdenek Pytela
5cdd516855 * Thu Jun 04 2020 Zdenek Pytela <zpytela@redhat.com> - 3.14.6-15
- Add fetchmail_uidl_cache_t type for /var/mail/.fetchmail.pid
- Support multiple ways of tlp invocation
- Allow qemu-kvm read and write /dev/mapper/control
- Introduce logrotate_use_cifs boolean
- Allow ptp4l_t sys_admin capability to run bpf programs
- Allow to getattr files on an nsfs filesystem
- httpd: Allow NoNewPriv transition from systemd
- Allow rhsmd read process state of all domains and kernel threads
- Allow rhsmd mmap /etc/passwd
- Allow systemd-logind manage efivarfs files
- Allow initrc_t tlp_filetrans_named_content()
- Allow systemd_resolved_t to read efivarfs
- Allow systemd_modules_load_t to read efivarfs
- Introduce systemd_read_efivarfs_type attribute
- Allow named transition for /run/tlp from a user shell
- Allow ipsec_mgmt_t mmap ipsec_conf_file_t files
- Add file context for /sys/kernel/tracing
2020-06-04 13:00:42 +02:00
Zdenek Pytela
1111964e2a * Tue May 19 2020 Zdenek Pytela <zpytela@redhat.com> - 3.14.6-14
- Allow chronyc_t domain to use nsswitch
- Allow nscd_socket_use() for domains in nscd_use() unconditionally
- Add allow rules for lttng-sessiond domain
- Label dirsrv systemd unit files and add dirsrv_systemctl()
- Allow gluster geo-replication in rsync mode
- Allow nagios_plugin_domain execute programs in bin directories
- Allow sys_admin capability for domain labeled systemd_bootchart_t
- Split the arping path regexp to 2 lines to prevent from relabeling
- Allow tcpdump sniffing offloaded (RDMA) traffic
- Revert "Change arping path regexp to work around fixfiles incorrect handling"
- Change arping path regexp to work around fixfiles incorrect handling
- Allow read efivarfs_t files by domains executing systemctl file
2020-05-19 17:52:53 +02:00
Zdenek Pytela
6a3fec4b74 * Wed Apr 29 2020 Zdenek Pytela <zpytela@redhat.com> - 3.14.6-13
- Update networkmanager_read_pid_files() to allow also list_dir_perms
- Update policy for NetworkManager_ssh_t
- Allow glusterd synchronize between master and slave
- Allow spamc_t domain to read network state
- Allow strongswan use tun/tap devices and keys
- Allow systemd_userdbd_t domain logging to journal
2020-04-29 11:21:16 +02:00
Zdenek Pytela
b7b2c03ca7 * Tue Apr 16 2020 Zdenek Pytela <zpytela@redhat.com> - 3.14.6-12
- Allow rngd create netlink_kobject_uevent_socket and read udev runtime files
- Allow ssh-keygen create file in /var/lib/glusterd
- Update ctdbd_manage_lib_files() to also allow mmap ctdbd_var_lib_t files
- Merge ipa and ipa_custodia modules
- Allow NetworkManager_ssh_t to execute_no_trans for binary ssh_exec_t
- Introduce daemons_dontaudit_scheduling boolean
- Modify path for arping in netutils.fc to match both bin and sbin
- Change file context for /var/run/pam_ssh to match file transition
- Add file context entry and file transition for /var/run/pam_timestamp
2020-04-14 16:43:04 +02:00
Zdenek Pytela
9006b430b3 * Tue Mar 31 2020 Zdenek Pytela <zpytela@redhat.com> - 3.14.6-11
- Allow NetworkManager manage dhcpd unit files
- Update ninfod policy to add nnp transition from systemd to ninfod
- Remove container interface calling by named_filetrans_domain.
2020-03-31 09:52:00 +02:00
Zdenek Pytela
08e09fd9c1 * Wed Mar 25 2020 Zdenek Pytela <zpytela@redhat.com> - 3.14.6-10
- Allow openfortivpn exec shell
- Remove label session_dbusd_tmp_t for /run/user/USERID/systemd
- Add ibacm_t ipc_lock capability
- Allow ipsec_t connectto ipsec_mgmt_t
- Remove ipa_custodia
- Allow systemd-journald to read user_tmp_t symlinks
2020-03-25 18:09:22 +01:00
Zdenek Pytela
099d40eeb8 * Wed Mar 18 2020 Zdenek Pytela <zpytela@redhat.com> - 3.14.6-9
- Allow zabbix_t manage and filetrans temporary socket files
- Makefile: fix tmp/%.mod.fc target
2020-03-18 13:55:22 +01:00
Zdenek Pytela
e3700463c8 * Fri Mar 13 2020 Zdenek Pytela <zpytela@redhat.com> - 3.14.6-8
- Allow NetworkManager read its unit files and manage services
- Add init_daemon_domain() for geoclue_t
- Allow to use nnp_transition in pulseaudio_role
- Allow pdns_t domain to map files in /usr.
- Label all NetworkManager fortisslvpn plugins as openfortivpn_exec_t
- Allow login_pgm create and bind on netlink_selinux_socket
2020-03-13 09:22:23 +01:00
Zdenek Pytela
30da7f7067 * Mon Mar 09 2020 Zdenek Pytela <zpytela@redhat.com> - 3.14.6-7
- Allow sssd read systemd-resolved runtime directory
- Allow sssd read NetworkManager's runtime directory
- Mark nm-cloud-setup systemd units as NetworkManager_unit_file_t
- Allow system_mail_t to signull pcscd_t
- Create interface pcscd_signull
- Allow auditd poweroff or switch to single mode
2020-03-09 17:07:28 +01:00
Lukas Vrabec
eacc15421e
* Fri Feb 28 2020 Lukas Vrabec <lvrabec@redhat.com> - 3.14.6-6
- Allow postfix stream connect to cyrus through runtime socket
- Dontaudit daemons to set and get scheduling policy/parameters
2020-02-28 17:13:35 +01:00
Lukas Vrabec
6f3f722f7d
* Sat Feb 22 2020 Lukas Vrabec <lvrabec@redhat.com> - 3.14.6-5
- Allow certmonger_t domain to read pkcs_slotd lock files
- Allow httpd_t domain to mmap own var_lib_t files BZ(1804853)
- Allow ipda_custodia_t to create udp_socket and added permission nlmsg_read for netlink_route_sockets
- Make file context more variable for /usr/bin/fusermount and /bin/fusermount
- Allow local_login_t domain to getattr cgroup filesystem
- Allow systemd_logind_t domain to manage user_tmp_t char and block devices
2020-02-22 17:02:13 +01:00
Lukas Vrabec
e0ee9a1a66
* Tue Feb 18 2020 Lukas Vrabec <lvrabec@redhat.com> - 3.14.6-4
- Update virt_read_qemu_pid_files inteface
- Allow systemd_logind_t domain to getattr cgroup filesystem
- Allow systemd_logind_t domain to manage user_tmp_t char and block devices
- Allow nsswitch_domain attribute to stream connect to systemd process
2020-02-18 18:04:28 +01:00
Lukas Vrabec
fc739f4200
* Sun Feb 16 2020 Lukas Vrabec <lvrabec@redhat.com> - 3.14.6-3
- Allow systemd labeled as init_t to manage systemd_userdbd_runtime_t symlinks
- Allow systemd_userdbd_t domain to read efivarfs files
2020-02-16 13:00:31 +01:00
Lukas Vrabec
8c624edf84
* Sat Feb 15 2020 Lukas Vrabec <lvrabec@redhat.com> - 3.14.6-2
- Allow vhostmd communication with hosted virtual machines
- Add and update virt interfaces
- Update radiusd policy
- Allow systemd_private_tmp(named_tmp_t)
- Allow bacula dac_override capability
- Allow systemd_networkd_t to read efivarfs
- Add support for systemd-userdbd
- Allow systemd system services read efivarfs files
2020-02-16 00:25:43 +01:00
Zdenek Pytela
916c9099f2 * Fri Feb 07 2020 Zdenek Pytela <zpytela@redhat.com> - 3.14.5-24
- Allow ptp4l_t create and use packet_socket sockets
- Allow ipa_custodia_t create and use netlink_route_socket sockets.
- Allow networkmanager_t transition to setfiles_t
- Create init_create_dirs boolean to allow init create directories
2020-02-07 17:22:36 +01:00
Zdenek Pytela
4ee1dfc5d7 * Fri Jan 31 2020 Zdenek Pytela <zpytela@redhat.com> - 3.14.5-23
- Allow thumb_t connect to system_dbusd_t BZ(1795044)
- Allow saslauthd_t filetrans variable files for /tmp directory
- Added apache create log dirs macro
- Tiny documentation fix
- Allow openfortivpn_t to manage net_conf_t files.
- Introduce boolean openfortivpn_can_network_connect.
- Dontaudit domain chronyd_t to list in user home dirs.
- Allow init_t to create apache log dirs.
- Add file transition for /dev/nvidia-uvm BZ(1770588)
- Allow syslog_t to read efivarfs_t files
- Add ioctl to term_dontaudit_use_ptmx macro
- Update xserver_rw_session macro
2020-01-31 10:53:24 +01:00
Zdenek Pytela
07e568bc06 * Fri Jan 24 2020 Zdenek Pytela <zpytela@redhat.com> - 3.14.5-21
- Dontaudit timedatex_t read file_contexts_t and validate security contexts
- Make stratisd_t domain unconfined for now.
- stratisd_t policy updates.
- Label /var/spool/plymouth/boot.log as plymouthd_var_log_t
- Label /stratis as stratisd_data_t
- Allow opafm_t to create and use netlink rdma sockets.
- Allow stratisd_t domain to read/write fixed disk devices and removable devices.
- Added macro for stratisd to chat over dbus
- Add dac_override capability to stratisd_t domain
- Allow init_t set the nice level of all domains BZ(1778088)
- Allow userdomain to chat with stratisd over dbus.
2020-01-24 17:07:51 +01:00
Lukas Vrabec
0f62f5946f
* Mon Jan 13 2020 Lukas Vrabec <lvrabec@redhat.com> - 3.14.5-20
- Fix typo in anaconda SELinux module
- Allow rtkit_t domain  to control scheduling for your install_t processes
- Boolean: rngd_t to use executable memory
- Allow rngd_t domain to use nsswitch BZ(1787661)
- Allow exim to execute bin_t without domain trans
- Allow create udp sockets for abrt_upload_watch_t domains
- Drop label zebra_t for frr binaries
- Allow NetworkManager_t domain to get status of samba services
- Update milter policy to allow use sendmail
- Modify file context for .local directory to match exactly BZ(1637401)
- Allow init_t domain to create own socket files in /tmp
- Allow ipsec_mgmt_t domain to mmap ipsec_conf_file_t files
- Create files_create_non_security_dirs() interface
2020-01-13 10:09:50 +01:00
Zdenek Pytela
a9b321b3cc * Fri Dec 20 2019 Zdenek Pytela <zpytela@redhat.com> - 3.14.5-19
- Allow init_t nnp domain transition to kmod_t
- Allow userdomain dbus chat with systemd_resolved_t
- Allow init_t read and setattr on /var/lib/fprintd
- Allow sysadm_t dbus chat with colord_t
- Allow confined users run fwupdmgr
- Allow confined users run machinectl
- Allow systemd labeled as init_t domain to create dirs labeled as var_t
- Allow systemd labeled as init_t do read/write tpm_device_t chr files BZ(1778079)
- Add new file context rabbitmq_conf_t.
- Allow journalctl read init state BZ(1731753)
- Add fprintd_read_var_lib_dir and fprintd_setattr_var_lib_dir interfaces
- Allow pulseaudio create .config and dgram sendto to unpriv_userdomain
- Change type in transition for /var/cache/{dnf,yum} directory
- Allow cockpit_ws_t read efivarfs_t BZ(1777085)
- Allow abrt_dump_oops_t domain to create udp sockets BZ(1778030)
- Allow named_t domain to mmap named_zone_t files BZ(1647493)
- Make boinc_var_lib_t label system mountdir attribute
- Allow stratis_t domain to request load modules
- Update fail2ban policy
- Allow spamd_update_t access antivirus_unit_file_t BZ(1774092)
- Allow uuidd_t Domain trasition from sytemd into confined domain with NoNewPrivileges Systemd Security feature.
- Allow rdisc_t Domain trasition from sytemd into confined domain with NoNewPrivileges Systemd Security feature.
2019-12-20 17:01:21 +01:00
Lukas Vrabec
d4e9a2fe96
Add missing sources 2019-11-28 23:01:47 +01:00
Lukas Vrabec
6ed257bb1a
- Allow systemd to read all proc 2019-11-28 22:55:17 +01:00
Lukas Vrabec
188eac8e79
* Thu Nov 28 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.5-18
- Introduce new type pdns_var_lib_t
- Allow zebra_t domain to read files labled as nsfs_t.
- Allow systemd to setattr on all device_nodes
- Allow systemd to mounton and list all proc types
2019-11-28 22:19:38 +01:00
Lukas Vrabec
f32fe38207
* Wed Nov 27 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.5-17
- Fix nonexisting types in rtas_errd_rw_lock interface
- Allow snmpd_t domain to trace processes in user namespace
- Allow timedatex_t domain to read relatime clock and adjtime_t files
- Allow zebra_t domain to execute zebra binaries
- Label /usr/lib/NetworkManager/dispatcher as NetworkManager_initrc_exec_t
- Allow ksmtuned_t domain to trace processes in user namespace
- Allow systemd to read symlinks in /var/lib
- Update dev_mounton_all_device_nodes() interface
- Add the miscfiles_map_generic_certs macro to the sysnet_dns_name_resolve macro.
- Allow systemd_domain to map files in /usr.
- Allow strongswan start using swanctl method BZ(1773381)
- Dontaudit systemd_tmpfiles_t getattr of all file types BZ(1772976)
2019-11-27 20:26:39 +01:00
Zdenek Pytela
6f1a9fb9a4 * Thu Nov 21 2019 Zdenek Pytela <zpytela@redhat.com> - 3.14.5-16
- Allow timedatex_t domain dbus chat with both confined and unconfined users
- Allow timedatex_t domain dbus chat with unconfined users
- Allow NetworkManager_t manage dhcpc_state_t BZ(1770698)
- Make unconfined domains part of domain_named_attribute
- Label tcp ports 24816,24817 as pulp_port_t
- Remove duplicate entries for initrc_t in init.te
2019-11-21 16:26:28 +01:00
Lukas Vrabec
d1df004bac
* Wed Nov 13 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.5-13
- Fix typo bugs in rtas_errd_read_lock() interface
- cockpit: Drop cockpit-cert-session
- Allow timedatex_t domain to systemctl chronyd domains
- Allow ipa_helper_t to read kr5_keytab_t files
- cockpit: Allow cockpit-session to read cockpit-tls state directory
- Allow stratisd_t domain to read nvme and fixed disk devices
- Update lldpad_t policy module
- Dontaudit tmpreaper_t getting attributes from sysctl_type files
- cockpit: Support https instance factory
- Added macro for timedatex to chat over dbus.
- Fix typo in dev_filetrans_all_named_dev()
- Update files_manage_etc_runtime_files() interface to allow manage also dirs
- Fix typo in cachefiles device
- Dontaudit sys_admin capability for auditd_t domains
- Allow x_userdomain to read adjtime_t files
- Allow users using template userdom_unpriv_user_template() to run bpf tool
- Allow x_userdomain to dbus_chat with timedatex.
2019-11-13 15:45:37 +01:00
Lukas Vrabec
4faaca1916
* Sun Nov 03 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.5-12
- Label /var/cache/nginx as httpd_cache_t
- Allow abrt_upload_watch_t domain to send dgram msgs to kernel processes and stream connect to journald
- Created dnsmasq_use_ipset boolean
- Allow capability dac_override in logwatch_mail_t domain
- Allow automount_t domain to execute ping in own SELinux domain (ping_t)
- Allow tmpreaper_t domain to getattr files labeled as mtrr_device_t
- Allow collectd_t domain to create netlink_generic_socket sockets
- Allow rhsmcertd_t domain to read/write rtas_errd_var_lock_t files
- Allow tmpwatch process labeled as tmpreaper_t domain to execute fuser command.
- Label /etc/postfix/chroot-update as postfix_exec_t
- Update tmpreaper_t policy due to fuser command
- Allow kdump_t domain to create netlink_route and udp sockets
- Allow stratisd to connect to dbus
- Allow fail2ban_t domain to create netlink netfilter sockets.
- Allow dovecot get filesystem quotas
- Allow networkmanager_t domain to execute chronyd binary in chronyd_t domain. BZ(1765689)
- Allow systemd-tmpfiles processes to set rlimit information
- Allow cephfs to use xattrs for storing contexts
- Update files_filetrans_named_content() interface to allow caller domain to create /oldroot /.profile with correct label etc_runtime_t
2019-11-03 12:59:34 +01:00
Lukas Vrabec
d7e7544fe0
* Fri Oct 25 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.5-11
- Allow confined users to run newaliases
- Add interface mysql_dontaudit_rw_db()
- Label /var/lib/xfsdump/inventory as amanda_var_lib_t
- Allow tmpreaper_t domain to read all domains state
- Make httpd_var_lib_t label system mountdir attribute
- Update cockpit policy
- Update timedatex policy to add macros, more detail below
- Allow nagios_script_t domain list files labled sysfs_t.
- Allow jetty_t domain search and read cgroup_t files.
- Donaudit ifconfig_t domain to read/write mysqld_db_t files
- Dontaudit domains read/write leaked pipes
2019-10-25 11:09:31 +02:00
Lukas Vrabec
03b04ae77e
- Update timedatex policy to add macros, more detail below
- Allow nagios_script_t domain list files labled sysfs_t.
- Allow jetty_t domain search and read cgroup_t files.
- Allow Gluster mount client to mount files_type
- Dontaudit and disallow sys_admin capability for keepalived_t domain
- Update numad policy to allow signull, kill, nice and trace processes
- Allow ipmievd_t to RW watchdog devices
- Allow ldconfig_t domain to manage initrc_tmp_t link files Allow netutils_t domain to write to initrc_tmp_t fifo files
- Allow user domains to manage user session services
- Allow staff and user users to get status of user systemd session
- Update sudo_role_template() to allow caller domain to read syslog pid files
2019-10-22 15:43:26 +02:00
Lukas Vrabec
840e53f65a
* Fri Oct 11 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.5-9
- Allow networkmanager_t domain domain transition to chronyc_t domain BZ(1760226)
2019-10-11 15:22:02 +02:00
Lukas Vrabec
39164cea20
* Wed Oct 09 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.5-8
- Update apache and pkcs policies to make active opencryptoki rules
- Allow ipa_ods_exporter_t domain to read krb5_keytab files BZ(1759884)
2019-10-09 20:44:47 +02:00
Lukas Vrabec
b4683c29a5
* Wed Oct 09 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.5-7
- Revert "nova.fc: fix duplicated slash"
- Introduce new bolean httpd_use_opencryptoki
- Add new interface apache_read_state()
- Allow setroubleshoot_fixit_t to read random_device_t
- Label /etc/named direcotory as named_conf_t BZ(1759495)
- nova.fc: fix duplicated slash
- Allow dkim to execute sendmail
- Update virt_read_content interface to allow caller domain mmap virt_content_t block devices and files
- Update aide_t domain to allow this tool to analyze also /dev filesystem
- Update interface modutils_read_module_deps to allow caller domain also mmap modules_dep_t files BZ(1758634)
- Allow avahi_t to send msg to xdm_t
- Allow systemd_logind to read dosfs files & dirs Allow systemd-logind - a system service that manages user logins, to read files and list dirs on a DOS filesystem
- Update dev_manage_sysfs() to support managing also lnk files BZ(1759019)
- Allow systemd_logind_t domain to read blk_files in domain removable_device_t
- Add new interface udev_getattr_rules_chr_files()
2019-10-09 13:13:38 +02:00
Lukas Vrabec
e84c9b118f
* Fri Oct 04 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.5-6
- Update aide_t domain to allow this tool to analyze also /dev filesystem
- Allow bitlbee_t domain map files in /usr
- Allow stratisd to getattr of fixed disk device nodes
- Add net_broadcast capability to openvswitch_t domain BZ(1716044)
- Allow exim_t to read mysqld conf files if exim_can_connect_db is enabled. BZ(1756973)
- Allow cobblerd_t domain search apache configuration dirs
- Dontaudit NetworkManager_t domain to write to kdump temp pipies BZ(1750428)
- Label /var/log/collectd.log as collectd_log_t
- Allow boltd_t domain to manage sysfs files and dirs BZ(1754360)
- Add fowner capability to the pcp_pmlogger_t domain BZ(1754767)
- networkmanager: allow NetworkManager_t to create bluetooth_socket
- Fix ipa_custodia_stream_connect interface
- Add new interface udev_getattr_rules_chr_files()
- Make dbus-broker service working on s390x arch
- Add new interface dev_mounton_all_device_nodes()
- Add new interface dev_create_all_files()
- Allow systemd(init_t) to load kernel modules
- Allow ldconfig_t domain to manage initrc_tmp_t objects
- Add new interface init_write_initrc_tmp_pipes()
- Add new interface init_manage_script_tmp_files()
- Allow xdm_t setpcap capability in user namespace BZ(1756790)
- Allow x_userdomain to mmap generic SSL certificates
- Allow xdm_t domain to user netlink_route sockets BZ(1756791)
- Update files_create_var_lib_dirs() interface to allow caller domain also set attributes of var_lib_t directory BZ(1754245)
- Allow sudo userdomain to run rpm related commands
- Add sys_admin capability for ipsec_t domain
- Allow systemd_modules_load_t domain to read systemd pid files
- Add new interface init_read_pid_files()
- Allow systemd labeled as init_t domain to manage faillog_t objects
- Add file context ipsec_var_run_t for /var/run/charon\.dck to ipsec.fc
- Make ipa_custodia policy active
2019-10-04 14:03:09 +02:00
Lukas Vrabec
a21f7739e6
Update fixed sources from github 2019-09-20 23:31:28 +02:00
Lukas Vrabec
c3cb5b2032
* Fri Sep 20 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.5-5
- Fix ipa_custodia_stream_connect interface
- Allow systemd_modules_load_t domain to read systemd pid files
- Add new interface init_read_pid_files()
- Allow systemd labeled as init_t domain to manage faillog_t objects
- Add file context ipsec_var_run_t for /var/run/charon\.dck to ipsec.fc
2019-09-20 23:17:36 +02:00
Lukas Vrabec
361693e74b
* Fri Sep 20 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.5-4
- Run ipa-custodia as ipa_custodia_t
- Update webalizer_t SELinux policy
- Dontaudit thumb_t domain to getattr of nsfs_t files BZ(1753598)
- Allow rhsmcertd_t domain to read rtas_errd lock files
- Add new interface rtas_errd_read_lock()
- Update allow rules set for nrpe_t domain
- Update timedatex SELinux policy to to sychronizate time with GNOME and add new macro chronyd_service_status to chronyd.if
- Allow avahi_t to send msg to lpr_t
- Label /dev/shm/dirsrv/ with dirsrv_tmpfs_t label
- Allow dlm_controld_t domain to read random device
- Label libvirt drivers as virtd_exec_t
- Add sys_ptrace capability to pcp_pmlogger_t domain BZ(1751816)
- Allow gssproxy_t domain read state of all processes on system
- Add new macro systemd_timedated_status to systemd.if to get timedated service status
- Introduce xdm_manage_bootloader booelan
- Revert "Unconfined domains, need to create content with the correct labels"
- Allow xdm_t domain to read sssd pid files BZ(1753240)
- Move open, audit_access, and execmod to common file perms
2019-09-20 15:00:31 +02:00
Lukas Vrabec
f1d354de29
* Fri Sep 13 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.5-3
- Add sys_ptrace capability to pcp_pmlogger_t domain BZ(1751816)
- Allow gssproxy_t domain read state of all processes on system
- Fix typo in cachefilesd module
- Allow cachefilesd_t domain to read/write cachefiles_device_t devices
- Remove setting label for /dev/cachefilesd char device from cachefilesd policy. This should be added in base policy
- Add sys_admin capability for keepalived_t labeled processes
- Allow user_mail_domain attribute to manage files labeled as etc_aliases_t.
- Create new type ipmievd_helper_t domain for loading kernel modules.
- Run stratisd service as stratisd_t
- Fix abrt_upload_watch_t in abrt policy
- Update keepalived policy
- Update cron_role, cron_admin_role and cron_unconfined_role to avoid *_t_t types
- Revert "Create admin_crontab_t and admin_crontab_tmp_t types"
- Revert "Update cron_role() template to accept third parameter with SELinux domain prefix"
- Allow amanda_t to manage its var lib files and read random_device_t
- Create admin_crontab_t and admin_crontab_tmp_t types
- Add setgid and setuid capabilities to keepalived_t domain
- Update cron_role() template to accept third parameter with SELinux domain prefix
- Allow psad_t domain to create tcp diag sockets BZ(1750324)
- Allow systemd to mount fwupd_cache_t BZ(1750288)
- Allow chronyc_t domain to append to all non_security files
- Update zebra SELinux policy to make it work also with frr service
- Allow rtkit_daemon_t domain set process nice value in user namespaces BZ(1750024)
- Dontaudit rhsmcertd_t to write to dirs labeled as lib_t BZ(1556763)
- Label /var/run/mysql as mysqld_var_run_t
- Allow chronyd_t domain to manage and create chronyd_tmp_t dirs,files,sock_file objects.
- Update timedatex policy to manage localization
- Allow sandbox_web_type domains to sys_ptrace and sys_chroot in user namespaces
- Update gnome_dontaudit_read_config
- Allow devicekit_var_lib_t dirs to be created by systemd during service startup. BZ(1748997)
- Allow systemd labeled as init_t domain to remount rootfs filesystem
- Add interface files_remount_rootfs()
- Dontaudit sys_admin capability for iptables_t SELinux domain
- Label /dev/cachefilesd as cachefiles_device_t
- Make stratisd policy active
- Allow userdomains to dbus chat with policykit daemon
- Update userdomains to pass correct parametes based on updates from cron_*_role interfaces
- New interface files_append_non_security_files()
- Label 2618/tcp and 2618/udp as priority_e_com_port_t
- Label 2616/tcp and 2616/udp as appswitch_emp_port_t
- Label 2615/tcp and 2615/udp as firepower_port_t
- Label 2610/tcp and 2610/udp as versa_tek_port_t
- Label 2613/tcp and 2613/udp as smntubootstrap_port_t
- Label 3784/tcp and 3784/udp as bfd_control_port_t
- Remove rule allowing all processes to stream connect to unconfined domains
2019-09-13 17:04:11 +02:00
Lukas Vrabec
d2110e0b7c
* Wed Sep 04 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.5-2
- Allow zabbix_t domain to manage zabbix_var_lib_t sock files and connect to unix_stream_socket
- Dontaudit sandbox web types to setattr lib_t dirs
- Dontaudit system_mail_t domains to check for existence other applications on system BZ(1747369)
- Allow haproxy_t domain to read network state of system
- Allow processes labeled as keepalived_t domain to get process group
- Introduce dbusd_unit_file_type
- Allow pesign_t domain to read/write named cache files.
- Label /var/log/hawkey.log as rpm_log_t and update rpm named filetrans interfaces.
- Allow httpd_t domain to read/write named_cache_t files
- Add new interface bind_rw_cache()
- Allow cupsd_t domain to create directory with name ppd in dirs labeled as cupsd_etc_t with label cupsd_rw_etc_t.
- Update cpucontrol_t SELinux policy
- Allow pcp_pmcd_t domain to bind on udp port labeled as statsd_port_t
- Run lldpd service as lldpad_t.
- Allow spamd_update_t domain to create unix dgram sockets.
- Update dbus role template for confined users to allow login into x session
- Label /usr/libexec/microcode_ctl/reload_microcode as cpucontrol_exec_t
- Fix typo in networkmanager_append_log() interface
- Update collectd policy to allow daemon create /var/log/collectd with collectd_log_t label
- Allow login user type to use systemd user session
- Allow xdm_t domain to start dbusd services.
- Introduce new type xdm_unit_file_t
- Remove allowing all domain to communicate over pipes with all domain under rpm_transition_domain attribute
- Allow systemd labeled as init_t to remove sockets with tmp_t label BZ(1745632)
- Allow ipsec_t domain to read/write named cache files
- Allow sysadm_t to create hawkey log file with rpm_log_t SELinux label
- Allow domains systemd_networkd_t and systemd_logind_t to chat over dbus
- Label udp 8125 port as statsd_port_t
2019-09-04 18:09:39 +02:00
Lukas Vrabec
7bacb4d438
* Tue Aug 13 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.4-31
- Update timedatex policy BZ(1734197)
2019-08-13 19:06:46 +02:00
Lukas Vrabec
bee0c094a4
* Tue Aug 13 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.4-30
- cockpit: Allow cockpit-session to read cockpit-tls state
- Allow zebrat_t domain to read state of NetworkManager_t processes BZ(1739983)
- Allow named_t domain to read/write samba_var_t files BZ(1738794)
- Dontaudit abrt_t domain to read root_t files
- Allow ipa_dnskey_t domain to read kerberos keytab
- Allow mongod_t domain to read cgroup_t files BZ(1739357)
- Update ibacm_t policy
- Allow systemd to relabel all files on system.
- Revert "Add new boolean systemd_can_relabel"
- Allow xdm_t domain to read kernel sysctl BZ(1740385)
- Add sys_admin capability for xdm_t in user namespace. BZ(1740386)
- Allow dbus communications with resolved for DNS lookups
- Add new boolean systemd_can_relabel
- Allow auditd_t domain to create auditd_tmp_t temporary files and dirs in /tmp or /var/tmp
- Label '/var/usrlocal/(.*/)?sbin(/.*)?' as bin_t
- Update systemd_dontaudit_read_unit_files() interface to dontaudit alos listing dirs
- Run lvmdbusd service as lvm_t
2019-08-13 17:59:35 +02:00
Lukas Vrabec
6e1369286b
* Wed Aug 07 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.4-29
- Allow dlm_controld_t domain setgid capability
- Fix SELinux modules not installing in chroots.
Resolves: rhbz#1665643
2019-08-07 17:38:17 +02:00
Lukas Vrabec
e89a7ef306
* Tue Aug 06 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.4-28
- Allow systemd to create and bindmount dirs. BZ(1734831)
2019-08-06 10:48:46 +02:00
Lukas Vrabec
2442d10f50
* Mon Aug 05 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.4-27
- Allow tlp domain run tlp in trace mode BZ(1737106)
- Make timedatex_t domain system dbus bus client BZ(1737239)
- Allow cgdcbxd_t domain to list cgroup dirs
- Allow systemd to create and bindmount dirs. BZ(1734831)
2019-08-05 18:25:34 +02:00
Lukas Vrabec
0775289b10
* Tue Jul 30 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.4-26
- New policy for rrdcached
- Allow dhcpd_t domain to read network sysctls.
- Allow nut services to communicate with unconfined domains
- Allow virt_domain to Support ecryptfs home dirs.
- Allow domain transition lsmd_t to sensord_t
- Allow httpd_t to signull mailman_cgi_t process
- Make rrdcached policy active
- Label /etc/sysconfig/ip6?tables\.save as system_conf_t Resolves: rhbz#1733542
- Allow machinectl to run pull-tar BZ(1724247)
2019-07-30 10:51:50 +02:00
Lukas Vrabec
c8c754cba3
* Fri Jul 26 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.4-25
- Allow spamd_update_t domain to read network state of system BZ(1733172)
- Allow dlm_controld_t domain to transition to the lvm_t
- Allow sandbox_web_client_t domain to do sys_chroot in user namespace
- Allow virtlockd process read virtlockd.conf file
- Add more permissions for session dbus types to make working dbus broker with systemd user sessions
- Allow sssd_t domain to read gnome config and named cache files
- Allow brltty to request to load kernel module
- Add svnserve_tmp_t label forl svnserve temp files to system private tmp
- Allow sssd_t domain to read kernel net sysctls BZ(1732185)
- Run timedatex service as timedatex_t
- Allow mysqld_t domain to domtrans to ifconfig_t domain when executing ifconfig tool
- Allow cyrus work with PrivateTmp
- Make cgdcbxd_t domain working with SELinux enforcing.
- Make working wireshark execute byt confined users staff_t and sysadm_t
- Dontaudit virt_domain to manage ~/.cache dirs BZ(1730963)
- Allow svnserve_t domain to read system state
- allow named_t to map named_cache_t files
- Label user cron spool file with user_cron_spool_t
- Update gnome_role_template() template to allow sysadm_t confined user to login to xsession
- Allow lograte_t domain to manage collect_rw_content files and dirs
- Add interface collectd_manage_rw_content()
- Allow ifconfig_t domain to manage vmware logs
- Remove system_r role from staff_u user.
- Make new timedatex policy module active
- Add systemd_private_tmp_type attribute
- Allow systemd to load kernel modules during boot process.
- Allow sysadm_t and staff_t domains to read wireshark shared memory
- Label /usr/libexec/utempter/utempter  as utemper_exec_t
- Allow ipsec_t domain to read/write  l2tpd pipe BZ(1731197)
- Allow sysadm_t domain to create netlink selinux sockets
- Make cgdcbxd active in Fedora upstream sources
2019-07-26 10:28:53 +02:00
Lukas Vrabec
9fad02a45b
* Wed Jul 17 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.4-24
- Label user cron spool file with user_cron_spool_t
- Update gnome_role_template() template to allow sysadm_t confined user to login to xsession
- Allow lograte_t domain to manage collect_rw_content files and dirs
- Add interface collectd_manage_rw_content()
- Allow systemd_hostnamed_t domain to dbus chat with sosreport_t domain
- Update  tomcat_can_network_connect_db boolean to allow tomcat domains also connect to redis ports
- Allow mysqld_t domain to manage cluster pid files
- Relabel  /usr/sbin/virtlockd from virt_exec_t to virtlogd_exec_t.
- Allow ptp4l_t domain to write to pmc socket which is created by pmc command line tool
- Allow dkim-milter to send e-mails BZ(1716937)
- Update spamassasin policy to make working /usr/share/spamassassin/sa-update.cron script BZ(1711799)
- Update svnserve_t policy to make working svnserve hooks
- Allow varnishlog_t domain to check for presence of varnishd_t domains
- Update sandboxX policy to make working firefox inside SELinux sandbox
- Remove allow rule from svirt_transition_svirt_sandbox interface to don't allow containers to connect to random services
- Allow httpd_t domain to read /var/lib/softhsm/tokens to allow httpd daemon to use pkcs#11 devices
- Allow gssd_t domain to list tmpfs_t dirs
- Allow mdadm_t domain to read tmpfs_t files
- Allow sbd_t domain to check presence of processes labeled as cluster_t
- Dontaudit httpd_sys_script_t to read systemd unit files
- Allow blkmapd_t domain to read nvme devices
- Update cpucontrol_t domain to make working microcode service
- Allow domain transition from logwatch_t do postfix_postqueue_t
- Allow chronyc_t domain to create and write to non_security files in case when sysadmin is redirecting output to file e.g: 'chronyc -n tracking > /var/lib/test'
- Allow httpd_sys_script_t domain to mmap httpcontent
- Allow sbd_t to manage cgroups_t files
- Update wireshark policy to make working tshar labeled as wireshark_t
- Update virt_use_nfs boolean to allow svirt_t domain to mmap nfs_t files
- Allow sysadm_t domain to create netlink selinux sockets
- Make cgdcbxd active in Fedora upstream sources
- Allow sysadm_t domain to dbus chat with rtkit daemon
- Allow x_userdomains to nnp domain transition to thumb_t domain
- Allow unconfined_domain_type to setattr own process lnk files.
- Add interface files_write_generic_pid_sockets()
- Dontaudit writing to user home dirs by gnome-keyring-daemon
- Allow staff and admin domains to setpcap in user namespace
- Allow staff and sysadm to use lockdev
- Allow staff and sysadm users to run iotop.
- Dontaudit traceroute_t domain require sys_admin capability
- Dontaudit dbus chat between kernel_t and init_t
- Allow systemd labeled as init_t to create mountpoints without any specific label as default_t
2019-07-17 17:58:49 +02:00
Lukas Vrabec
9a1d06b5aa
* Wed Jul 10 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.4-23
- Update dbusd policy and netowrkmanager to allow confined users to connect to vpn over NetworkManager
- Fix all interfaces which cannot by compiled because of typos
- Allow X userdomains to mmap user_fonts_cache_t dirs
2019-07-10 10:16:00 +02:00
Lukas Vrabec
f57a61daab
* Mon Jul 08 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.4-22
- Label /var/kerberos/krb5 as krb5_keytab_t
- Allow glusterd_t domain to setpgid
- Allow lsmd_t domain to execute /usr/bin/debuginfo-install
- Allow sbd_t domain to manage cgroup dirs
- Allow opafm_t domain to modify scheduling information of another process.
- Allow wireshark_t domain to create netlink netfilter sockets
- Allow gpg_agent_t domain to use nsswitch
- Allow httpd script types to mmap httpd rw content
- Allow dkim_milter_t domain to execute shell BZ(17116937)
- Allow sbd_t domain to use nsswitch
- Allow rhsmcertd_t domain to send signull to all domains
- Allow snort_t domain to create netlink netfilter sockets BZ(1723184)
- Dontaudit blueman to read state of all domains on system BZ(1722696)
- Allow boltd_t domain to use ps and get state of all domains on system. BZ(1723217)
- Allow rtkit_daemon_t to uise sys_ptrace usernamespace capability BZ(1723308)
- Replace "-" by "_" in types names
- Change condor_domain declaration in condor_systemctl
- Allow firewalld_t domain to read iptables_var_run_t files BZ(1722405)
- Allow auditd_t domain to send signals to audisp_remote_t domain
- Allow systemd labeled as init_t domain to read/write faillog_t. BZ(1723132)
- Allow systemd_tmpfiles_t domain to relabel from usermodehelper_t files
- Add interface kernel_relabelfrom_usermodehelper()
- Dontaudit unpriv_userdomain to manage boot_t files
- Allow xdm_t domain to mmap /var/lib/gdm/.cache/fontconfig BZ(1725509)
- Allow systemd to execute bootloader grub2-set-bootflag BZ(1722531)
- Allow associate efivarfs_t on sysfs_t
2019-07-08 10:00:11 +02:00
Lukas Vrabec
0c72b2ee98
Add new sources 2019-06-18 09:30:20 +02:00
Lukas Vrabec
4d8c6240ed
* Tue Jun 18 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.4-21
- Add vnstatd_var_lib_t to mountpoint attribute BZ(1648864)
- cockpit: Support split-out TLS proxy
- Allow dkim_milter_t to use shell BZ(1716937)
- Create explicit fc rule for mailman executable BZ(1666004)
- Update interface networkmanager_manage_pid_files() to allow manage also dirs
- Allow dhcpd_t domain to mmap dnssec_t files BZ(1718701)
- Add new interface bind_map_dnssec_keys()
- Update virt_use_nfs() boolean to allow virt_t to mmap nfs_t files
- Allow redis_t domain to read public sssd files
- Allow fetchmail_t to connect to dovecot stream sockets BZ(1715569)
- Allow confined users to login via cockpit
- Allow nfsd_t domain to do chroot becasue of new version of nfsd
- Add gpg_agent_roles to system_r roles
- Allow qpidd_t domain to getattr all fs_t filesystem and mmap usr_t files
- Allow rhsmcertd_t domain to manage rpm cache
- Allow sbd_t domain to read tmpfs_t symlinks
- Allow ctdb_t domain to manage samba_var_t files/links/sockets and dirs
- Allow kadmind_t domain to read home config data
- Allow sbd_t domain to readwrite cgroups
- Allow NetworkManager_t domain to read nsfs_t files BZ(1715597)
- Label /var/log/pacemaker/pacemaker as cluster_var_log_t
- Allow certmonger_t domain to manage named cache files/dirs
- Allow pcp_pmcd_t domain to domtrans to mdadm_t domain BZ(1714800)
- Allow crack_t domain read /et/passwd files
- Label fontconfig cache and config files and directories BZ(1659905)
- Allow dhcpc_t domain to manage network manager pid files
- Label /usr/sbin/nft as iptables_exec_t
- Allow userdomain attribute to manage cockpit_ws_t stream sockets
- Allow ssh_agent_type to read/write cockpit_session_t unnamed pipes
- Add interface ssh_agent_signal()
2019-06-18 09:29:06 +02:00
Lukas Vrabec
191f6b36c3
* Thu May 30 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.4-20
- Allow pcp_pmcd_t domain to domtrans to mdadm_t domain BZ(1714800)
- Allow spamd_update_t to exec itsef
- Fix broken logwatch SELinux module
- Allow logwatch_mail_t to manage logwatch cache files/dirs
- Update wireshark_t domain to use several sockets
- Allow sysctl_rpc_t and sysctl_irq_t to be stored on fs_t
2019-05-30 11:43:45 +02:00
Lukas Vrabec
46a2445aaf
* Mon May 27 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.4-19
- Fix bind_read_cache() interface to allow only read perms to caller domains
- [speech-dispatcher.if] m4 macro names can not have - in them
- Grant varnishlog_t access to varnishd_etc_t
- Allow nrpe_t domain to read process state of systemd_logind_t
- Allow mongod_t domain to connect on https port BZ(1711922)
- Allow chronyc_t domain to create own tmpfiles and allow communicate send data over unix dgram sockets
- Dontaudit spamd_update_t domain to read all domains states BZ(1711799)
- Allow pcp_pmie_t domain to use sys_ptrace usernamespace cap BZ(1705871)
- Allow userdomains to send data over dgram sockets to userdomains dbus services BZ(1710119)
- Revert "Allow userdomains to send data over dgram sockets to userdomains dbus services BZ(1710119)"
- Make boinc_var_lib_t mountpoint BZ(1711682)
- Allow wireshark_t domain to create fifo temp files
- All NetworkManager_ssh_t rules have to be in same optional block with ssh_basic_client_template(), fixing this bug in NetworkManager policy
- Allow dbus chat between NetworkManager_t and NetworkManager_ssh_t domains. BZ(1677484)
- Fix typo in gpg SELinux module
- Update gpg policy to make ti working with confined users
- Add domain transition that systemd labeled as init_t can execute spamd_update_exec_t binary to run newly created process as spamd_update_t
- Remove allow rule for virt_qemu_ga_t to write/append user_tmp_t files
- Label /var/run/user/*/dbus-1 as session_dbusd_tmp_t
- Add dac_override capability to namespace_init_t domain
- Label /usr/sbin/corosync-qdevice as cluster_exec_t
- Allow NetworkManager_ssh_t domain to open communication channel with system dbus. BZ(1677484)
- Label /usr/libexec/dnf-utils as debuginfo_exec_t
- Alow nrpe_t to send signull to sssd domain when nagios_run_sudo boolean is turned on
- Allow nrpe_t domain to be dbus cliennt
- Add interface sssd_signull()
- Build in parallel on Travis
- Fix parallel build of the policy
- Revert "Make able deply overcloud via neutron_t to label nsfs as fs_t"
- Add interface systemd_logind_read_state()
- Fix find commands in Makefiles
- Allow systemd-timesyncd to read network state BZ(1694272)
- Update userdomains to allow confined users to create gpg keys
- Allow associate all filesystem_types with fs_t
- Dontaudit syslogd_t using kill in unamespaces BZ(1711122)
- Allow init_t to manage session_dbusd_tmp_t dirs
- Allow systemd_gpt_generator_t to read/write to clearance
- Allow su_domain_type to getattr to /dev/gpmctl
- Update userdom_login_user_template() template to make working systemd user session for guest and xguest SELinux users
2019-05-27 16:47:47 +02:00
Lukas Vrabec
4ce765ae0a
* Fri May 17 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.4-18
- Fix typo in gpg SELinux module
- Update gpg policy to make ti working with confined users
- Add domain transition that systemd labeled as init_t can execute spamd_update_exec_t binary to run newly created process as spamd_update_t
- Remove allow rule for virt_qemu_ga_t to write/append user_tmp_t files
- Label /var/run/user/*/dbus-1 as session_dbusd_tmp_t
- Add dac_override capability to namespace_init_t domain
- Label /usr/sbin/corosync-qdevice as cluster_exec_t
- Allow NetworkManager_ssh_t domain to open communication channel with system dbus. BZ(1677484)
- Label /usr/libexec/dnf-utils as debuginfo_exec_t
- Alow nrpe_t to send signull to sssd domain when nagios_run_sudo boolean is turned on
- Allow nrpe_t domain to be dbus cliennt
- Add interface sssd_signull()
- Label /usr/bin/tshark as wireshark_exec_t
- Update userdomains to allow confined users to create gpg keys
- Allow associate all filesystem_types with fs_t
- Dontaudit syslogd_t using kill in unamespaces BZ(1711122)
- Allow init_t to manage session_dbusd_tmp_t dirs
- Allow systemd_gpt_generator_t to read/write to clearance
- Allow su_domain_type to getattr to /dev/gpmctl
- Update userdom_login_user_template() template to make working systemd user session for guest and xguest SELinux users
2019-05-18 01:04:36 +02:00
Lukas Vrabec
fb7eb895aa
* Fri May 17 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.4-17
- Alow nrpe_t to send signull to sssd domain when nagios_run_sudo boolean is turned on
- Allow nrpe_t domain to be dbus cliennt
- Add interface sssd_signull()
- Label /usr/bin/tshark as wireshark_exec_t
- Fix typo in dbus_role_template()
- Allow userdomains to send data over dgram sockets to userdomains dbus services BZ(1710119)
- Allow userdomains dbus domain to execute dbus broker. BZ(1710113)
- Allow dovedot_deliver_t setuid/setgid capabilities BZ(1709572)
- Allow virt domains to access xserver devices BZ(1705685)
- Allow aide to be executed by systemd with correct (aide_t) domain BZ(1648512)
- Dontaudit svirt_tcg_t domain to read process state of libvirt BZ(1594598)
- Allow pcp_pmie_t domain to use fsetid capability BZ(1708082)
- Allow pcp_pmlogger_t to use setrlimit BZ(1708951)
- Allow gpsd_t domain to read udev db BZ(1709025)
- Add sys_ptrace capaiblity for  namespace_init_t domain
- Allow systemd to execute sa-update in spamd_update_t domain BZ(1705331)
- Allow rhsmcertd_t domain to read rpm cache files
- Label /efi same as /boot/efi boot_t BZ(1571962)
- Allow transition from udev_t to tlp_t BZ(1705246)
- Remove initrc_exec_t for /usr/sbin/apachectl file
2019-05-17 18:12:55 +02:00
Lukas Vrabec
1938d6c60c
Update broken sources 2019-05-04 17:45:09 +02:00
Lukas Vrabec
2a04dcf5c8
* Fri May 03 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.4-16
- Add fcontext for apachectl util to fix missing output when executed "httpd -t" from this script.
2019-05-04 00:00:01 +02:00
Lukas Vrabec
a0e74cb580
* Thu May 02 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.4-15
- Allow iscsid_t domain to mmap modules_dep_t files
- Allow ngaios to use chown capability
- Dontaudit gpg_domain to create netlink_audit sockets
- Remove role transition in rpm_run() interface to allow sysadm_r jump to rpm_t type. BZ(1704251)
- Allow dirsrv_t domain to execute own tmp files BZ(1703111)
- Update fs_rw_cephfs_files() interface to allow also caller domain to read/write cephpfs_t lnk files
- Update domain_can_mmap_files() boolean to allow also mmap lnk files
- Improve userdom interfaces to drop guest_u SELinux user to use nsswitch
2019-05-02 15:46:11 +02:00
Lukas Vrabec
2c13568192
* Fri Apr 26 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.4-14
- Allow transition from cockpit_session to unpriv user domains
2019-04-26 16:46:34 +02:00
Lukas Vrabec
ca2231a93a
Add missing sources 2019-04-25 17:55:05 +02:00
Lukas Vrabec
2675489867
* Thu Apr 25 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.4-13
- Introduce deny_bluetooth boolean
- Allow greylist_milter_t to read network system state BZ(1702672)
- Allow freeipmi domains to mmap freeipmi_var_cache_t files
- Allow rhsmcertd_t and rpm_t domains to chat over dbus
- Allow thumb_t domain to delete cache_home_t files BZ(1701643)
- Update gnome_role_template() to allow _gkeyringd_t domains to chat with systemd_logind over dbus
- Add new interface boltd_dbus_chat()
- Allow fwupd_t and modemmanager_t domains to communicate over dbus BZ(1701791)
- Allow keepalived_t domain to create and use netlink_connector sockets BZ(1701750)
- Allow cockpit_ws_t domain to set limits BZ(1701703)
- Update Nagios policy when sudo is used
- Deamon rhsmcertd is able to install certs for docker again
- Introduce deny_bluetooth boolean
- Don't allow a container to connect to random services
- Remove file context /usr/share/spamassassin/sa-update\.cron -> bin_t to label sa-update.cron as spamd_update_exec_t.
- Allow systemd_logind_t and systemd_resolved_t domains to chat over dbus
- Allow unconfined_t to use bpf tools
- Allow x_userdomains to communicate with boltd daemon over dbus
2019-04-25 17:29:03 +02:00
Lukas Vrabec
a64329452e
* Fri Apr 19 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.4-12
- Fix typo in cups SELinux policy
- Allow iscsid_t to read modules deps BZ(1700245)
- Allow cups_pdf_t domain to create cupsd_log_t dirs in /var/log BZ(1700442)
- Allow httpd_rotatelogs_t to execute generic binaries
- Update system_dbus policy because of dbus-broker-20-2
- Allow httpd_t doman to read/write /dev/zero device  BZ(1700758)
- Allow tlp_t domain to read module deps files BZ(1699459)
- Add file context for /usr/lib/dotnet/dotnet
- Update dev_rw_zero() interface by adding map permission
- Allow bounded transition for executing init scripts
2019-04-19 22:39:06 +02:00
Lukas Vrabec
05bc3ebd5c
* Fri Apr 12 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.4-11
- Allow mongod_t domain to lsearch in cgroups BZ(1698743)
- Allow rngd communication with pcscd BZ(1679217)
- Create cockpit_tmpfs_t and allow cockpit ws and session to use it BZ(1698405)
- Fix broken networkmanager interface for allowing manage lib files for dnsmasq_t.
- Update logging_send_audit_msgs(sudodomain() to control TTY auditing for netlink socket for audit service
2019-04-12 23:24:21 +02:00
Lukas Vrabec
cba3e984f6
* Tue Apr 09 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.4-10
- Allow systemd_modules_load to read modules_dep_t files
- Allow systemd labeled as init_t to setattr on unallocated ttys BZ(1697667)
2019-04-09 10:57:19 +02:00
Lukas Vrabec
2809c70adb
* Mon Apr 08 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.4-9
- Merge #18 `Add check for config file consistency`
- Allow tlp_t domain also write to nvme_devices block devices BZ(1696943)
- Fix typo in rhsmcertd SELinux module
- Allow dnsmasq_t domain to manage NetworkManager_var_lib_t files
- Allow rhsmcertd_t domain to read yum.log file labeled as rpm_log_t
- Allow unconfined users to use vsock unlabeled sockets
- Add interface kernel_rw_unlabeled_vsock_socket()
- Allow unconfined users to use smc unlabeled sockets
- Add interface kernel_rw_unlabeled_smc_socket
- Allow systemd_resolved_t domain to read system network state BZ(1697039)
- Allow systemd to mounton kernel sysctls BZ(1696201)
- Add interface kernel_mounton_kernel_sysctl() BZ(1696201)
- Allow systemd to mounton several systemd direstory to increase security of systemd Resolves: rhbz#1696201
2019-04-08 15:54:57 +02:00
Lukas Vrabec
29b329cf28
Update missing sources 2019-04-05 19:30:47 +02:00
Lukas Vrabec
47a2243adc
* Fri Apr 05 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.4-8
- Allow systemd to mounton several systemd direstory to increase security of systemd
Resolves: rhbz#1696201
2019-04-05 16:26:48 +02:00
Lukas Vrabec
fe3eb5975b
Fix some conflicting filename transition rules in the policy sources 2019-04-04 11:02:58 +02:00
Lukas Vrabec
c4065f7c94
* Wed Apr 03 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.4-7
- Allow fontconfig file transition for xguest_u user
- Add gnome_filetrans_fontconfig_home_content interface
- Add permissions needed by systemd's machinectl shell/login
- Update SELinux policy for xen services
- Add dac_override capability for kdumpctl_t process domain
- Allow chronyd_t domain to exec shell
- Fix varnisncsa typo
- Allow init start freenx-server BZ(1678025)
- Create logrotate_use_fusefs boolean
- Add tcpd_wrapped_domain for telnetd BZ(1676940)
- Allow tcpd bind to services ports BZ(1676940)
- Update mysql_filetrans_named_content() to allow cluster to create mysql dirs in /var/run with proper label mysqld_var_run_t
- Make shell_exec_t type as entrypoint for vmtools_unconfined_t.
- Merge branch 'rawhide' of github.com:fedora-selinux/selinux-policy-contrib into rawhide
- Allow virtlogd_t domain to create virt_etc_rw_t files in virt_etc_t
- Allow esmtp access .esmtprc BZ(1691149)
- Merge branch 'rawhide' of github.com:fedora-selinux/selinux-policy-contrib into rawhide
- Allow tlp_t domain to read nvme block devices BZ(1692154)
- Add support for smart card authentication in cockpit BZ(1690444)
- Add permissions needed by systemd's machinectl shell/login
- Allow kmod_t domain to mmap modules_dep_t files.
- Allow systemd_machined_t dac_override capability BZ(1670787)
- Update modutils_read_module_deps_files() interface to also allow mmap module_deps_t files
- Allow unconfined_domain_type to use bpf tools BZ(1694115)
- Revert "Allow unconfined_domain_type to use bpf tools BZ(1694115)"
- Merge branch 'rawhide' of github.com:fedora-selinux/selinux-policy into rawhide
- Allow unconfined_domain_type to use bpf tools BZ(1694115)
- Allow init_t read mnt_t symlinks BZ(1637070)
- Update dev_filetrans_all_named_dev() interface
- Allow xdm_t domain to execmod temp files BZ(1686675)
- Revert "Allow xdm_t domain to create own tmp files BZ(1686675)"
- Allow getty_t, local_login_t, chkpwd_t and passwd_t to use usbttys. BZ(1691582)
- Allow confined users labeled as staff_t to run iptables.
- Merge branch 'rawhide' of github.com:fedora-selinux/selinux-policy into rawhide
- Allow xdm_t domain to create own tmp files BZ(1686675)
- Add miscfiles_dontaudit_map_generic_certs interface.
2019-04-03 14:33:40 +02:00
Lukas Vrabec
bccf0f816c
* Sat Mar 23 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.4-6
- Allow boltd_t domain to write to sysfs_t dirs BZ(1689287)
- Allow fail2ban execute journalctl BZ(1689034)
- Update sudodomains to make working confined users run sudo/su
- Introduce new boolean unconfined_dyntrans_all.
- Allow iptables_t domain to read NetworkManager state BZ(1690881)
2019-03-23 15:32:56 +01:00
Lukas Vrabec
7dd08a5cde
* Tue Mar 19 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.4-5
- Update xen SELinux module
- Improve labeling for PCP plugins
- Allow varnishd_t domain to read sysfs_t files
- Update vmtools policy
- Allow virt_qemu_ga_t domain to read udev_var_run_t files
- Update nagios_run_sudo boolean with few allow rules related to accessing sssd
- Update file context for modutils rhbz#1689975
- Label /dev/xen/hypercall and /dev/xen/xenbus_backend as xen_device_t Resolves: rhbz#1679293
- Grant permissions for onloadfs files of all classes.
- Allow all domains to send dbus msgs to vmtools_unconfined_t processes
- Label /dev/pkey as crypt_device_t
- Allow sudodomains to write to systemd_logind_sessions_t pipes.
- Label /usr/lib64/libcuda.so.XX.XX library as textrel_shlib_t.
2019-03-19 11:32:41 +01:00
Lukas Vrabec
a8da133b94
* Wed Mar 12 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.4-4
- Update vmtools policy
- Allow virt_qemu_ga_t domain to read udev_var_run_t files
- Update nagios_run_sudo boolean with few allow rules related to accessing sssd
- Update travis CI to install selinux-policy dependencies without checking for gpg check
- Allow journalctl_t domain to mmap syslogd_var_run_t files
- Allow smokeping process to mmap own var lib files and allow set process group. Resolves: rhbz#1661046
- Allow sbd_t domain to bypass permission checks for sending signals
- Allow sbd_t domain read/write all sysctls
- Allow kpatch_t domain to communicate with policykit_t domsin over dbus
- Allow boltd_t to stream connect to sytem dbus
- Allow zabbix_t domain to create sockets labeled as zabbix_var_run_t BZ(1683820)
- Allow all domains to send dbus msgs to vmtools_unconfined_t processes
- Label /dev/pkey as crypt_device_t
- Allow sudodomains to write to systemd_logind_sessions_t pipes.
- Label /usr/lib64/libcuda.so.XX.XX library as textrel_shlib_t.
- Allow ifconfig_t domain to read /dev/random BZ(1687516)
- Fix interface modutils_run_kmod() where was used old interface modutils_domtrans_insmod instead of new one modutils_domtrans_kmod() Resolves: rhbz#1686660
- Update travis CI to install selinux-policy dependencies without checking for gpg check
- Label /usr/sbin/nodm as xdm_exec_t same as other display managers
- Update userdom_admin_user_template() and init_prog_run_bpf() interfaces to make working bpftool for confined admin
- Label /usr/sbin/e2mmpstatus as fsadm_exec_t Resolves: rhbz#1684221
- Update unconfined_dbus_send() interface to allow both direction communication over dbus with unconfined process.
2019-03-12 18:42:45 +01:00
Lukas Vrabec
43393ba497
* Wed Feb 27 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.4-3
- Reverting https://src.fedoraproject.org/rpms/selinux-policy/pull-request/15 because "%pretrans" cannot use shell scripts.
Resolves: rhbz#1683365
2019-02-27 10:18:03 +01:00
Lukas Vrabec
c2043acf2b
* Tue Feb 26 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.4-2
- Merge insmod_t, depmod_t and update_modules_t do kmod_t
2019-02-26 11:07:59 +01:00
Lukas Vrabec
8be35be283
* Mon Feb 25 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.4-1
- Allow openvpn_t domain to set capability BZ(1680276)
- Update redis_enable_notify() boolean to fix sending e-mail by redis when this boolean is turned on
- Allow chronyd_t domain to send data over dgram socket
- Add rolekit_dgram_send() interface
- Fix bug in userdom_restricted_xwindows_user_template() template to disallow all user domains to access admin_home_t - kernel/files.fc: Label /var/run/motd.d(./*)? and /var/run/motd as pam_var_run_t
2019-02-25 23:17:05 +01:00
Lukas Vrabec
3f88fcf054
Add missing sources 2019-02-14 17:54:25 +01:00
Lukas Vrabec
c3cce98fea
* Thu Feb 14 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.3-22
- Allow dovecot_t domain to connect to mysql db
- Add dac_override capability for sbd_t SELinux domain
- Add dac_override capability for  spamd_update_t domain
- Allow nnp transition for domains fsadm_t, lvm_t and mount_t - Add fs_manage_fusefs_named_pipes interface
2019-02-14 17:52:26 +01:00
Lukas Vrabec
37bb67856f
* Tue Feb 12 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.3-21
- Allow glusterd_t to write to automount unnamed pipe Resolves: rhbz#1674243
- Allow ddclient_t to setcap Resolves: rhbz#1674298
- Add dac_override capability to vpnc_t domain
- Add dac_override capability to spamd_t domain
- Allow ibacm_t domain to read system state and label all ibacm sockets and symlinks as ibacm_var_run_t in /var/run
- Allow read network state of system for processes labeled as ibacm_t
- Allow ibacm_t domain to send dgram sockets to kernel processes
- Allow dovecot_t to connect to MySQL UNIX socket
- Fix CI for use on forks
- Fix typo bug in sensord policy
- Update ibacm_t policy after testing lastest version of this component
- Allow sensord_t domain to mmap own log files
- Allow virt_doamin to read/write dev device
- Add dac_override capability for ipa_helper_t
- Update policy with multiple allow rules to make working installing VM in MLS policy
- Allow syslogd_t domain to send null signal to all domains on system Resolves: rhbz#1673847 - Merge branch 'rawhide' of github.com:fedora-selinux/selinux-policy into rawhide - Allow systemd-logind daemon to remove shared memory during logout Resolves: rhbz#1674172 - Always label /home symlinks as home_root_t - Update mount_read_pid_files macro to allow also list mount_var_run_t dirs - Fix typo bug in userdomain SELinux policy - Merge branch 'rawhide' of github.com:fedora-selinux/selinux-policy into rawhide - Allow user domains to stop systemd user sessions during logout process - Fix CI for use on forks - Label /dev/sev char device as sev_device_t - Add s_manage_fusefs_named_sockets interface - Allow systemd-journald to receive messages including a memfd
2019-02-12 17:05:35 +01:00
Lukas Vrabec
6fe0e8a6a7
* Sat Feb 02 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.3-20
- Allow sensord_t domain to use nsswitch and execute shell
- Allow opafm_t domain to execute lib_t files
- Allow opafm_t domain to manage kdump_crash_t files and dirs
- Allow virt domains to read/write cephfs filesystems
- Allow virtual machine to write to fixed_disk_device_t
- Update kdump_manage_crash() interface to allow also manage dirs by caller domain Resolves: rhbz#1491585
- Allow svnserve_t domain to create in /tmp svn_0 file labeled as krb5_host_rcache_t
- Allow vhostmd_t read libvirt configuration files
- Update dbus_role_template interface to allow userdomains to accept data from userdomain dbus domains
- Add miscfiles_filetrans_named_content_letsencrypt() to optional_block - Allow unconfined domains to create letsencrypt directory in /var/lib labeled as cert_t - Allow staff_t user to systemctl iptables units. - Allow systemd to read selinux logind config - obj_perm_sets.spt: Add xdp_socket to socket_class_set. - Add xdp_socket security class and access vectors - Allow transition from init_t domain to user_t domain during ssh login with confined user user_u
2019-02-02 13:41:12 +01:00
Lukas Vrabec
5664a30563
Add missing sources 2019-01-29 16:58:50 +01:00
Lukas Vrabec
ee38f3e105
* Tue Jan 29 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.3-19
- Add new xdp_socket class
- Update dbus_role_template interface to allow userdomains to accept data from userdomain dbus domains
- Allow boltd_t domain to read cache_home_t files BZ(1669911)
- Allow winbind_t domain to check for existence of processes labeled as systemd_hostnamed_t BZ(1669912)
- Allow gpg_agent_t to create own tmpfs dirs and sockets
- Allow openvpn_t domain to manage vpnc pidfiles BZ(1667572)
- Add multiple interfaces for vpnc interface file
- Label /var/run/fcgiwrap dir as httpd_var_run_t BZ(1655702)
- In MongoDB 3.4.16, 3.6.6, 4.0.0 and later, mongod reads netstat info from proc and stores it in its diagnostic system (FTDC). See: https://jira.mongodb.org/browse/SERVER-31400 This means that we need to adjust the policy so that the mongod process is allowed to open and read /proc/net/netstat, which typically has symlinks (e.g. /proc/net/snmp).
- Allow gssd_t domain to manage kernel keyrings of every domain.
- Revert "Allow gssd_t domain to read/write kernel keyrings of every domain."
- Allow plymouthd_t search efivarfs directory BZ(1664143)
2019-01-29 16:51:11 +01:00
Lukas Vrabec
1d650f7cbb
* Tue Jan 15 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.3-18
- Allow plymouthd_t search efivarfs directory BZ(1664143)
- Allow arpwatch send e-mail notifications BZ(1657327)
- Allow tangd_t domain to bind on tcp ports labeled as tangd_port_t
- Allow gssd_t domain to read/write kernel keyrings of every domain.
- Allow systemd_timedated_t domain nnp_transition BZ(1666222)
- Add the fs_search_efivarfs_dir interface
- Create tangd_port_t with default label tcp/7406
- Add interface domain_rw_all_domains_keyrings()
- Some of the selinux-policy macros doesn't work in chroots/initial installs. BZ(1665643)
2019-01-15 18:29:10 +01:00
Lukas Vrabec
f1dd2fa0f0
* Fri Jan 11 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.3-17
- Allow staff_t domain to read read_binfmt_misc filesystem
- Add interface fs_read_binfmt_misc()
- Revert "Allow staff_t to rw binfmt_misc_fs_t files BZ(1658975)"
2019-01-11 16:07:53 +01:00
Lukas Vrabec
78bc214808
* Fri Jan 11 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.3-16
- Allow sensord_t to execute own binary files
- Allow pcp_pmlogger_t domain to getattr all filesystem BZ(1662432)
- Allow virtd_lxc_t domains use BPF BZ(1662613)
- Allow openvpn_t domain to read systemd state BZ(1661065)
- Dontaudit ptrace all domains for blueman_t BZ(1653671)
- Used correct renamed interface for imapd_t domain
- Change label of /usr/libexec/lm_sensors/sensord-service-wrapper from lsmd_exec_t to sensord_exec_t BZ(1662922)
- Allow hddtemp_t domain to read nvme block devices BZ(1663579)
- Add dac_override capability to spamd_t domain BZ(1645667)
- Allow pcp_pmlogger_t to mount tracefs_t filesystem BZ(1662983)
- Allow pcp_pmlogger_t domain to read al sysctls BZ(1662441)
- Specify recipients that will be notified about build CI results.
- Allow saslauthd_t domain to mmap own pid files BZ(1653024)
- Add dac_override capability for snapperd_t domain BZ(1619356)
- Make kpatch_t domain application domain to allow users to execute kpatch in kpatch_t domain.
- Add ipc_owner capability to pcp_pmcd_t domain BZ(1655282)
- Update pulseaudio_stream_connect() to allow caller domain create stream sockets to cumminicate with pulseaudio
- Allow pcp_pmlogger_t domain to send signals to rpm_script_t BZ(1651030)
- Add new interface: rpm_script_signal()
- Allow init_t domain to mmap init_var_lib_t files and dontaudit leaked fd. BZ(1651008)
- Make workin: systemd-run --system --pty bash BZ(1647162)
- Allow ipsec_t domain dbus chat with systemd_resolved_t BZ(1662443)
- Allow staff_t to rw binfmt_misc_fs_t files BZ(1658975)
- Specify recipients that will be notified about build CI results.
- Label /usr/lib/systemd/user as systemd_unit_file_t BZ(1652814)
- Allow sysadm_t,staff_t and unconfined_t domain to execute kpatch as kpatch_t domain
- Add rules to allow systemd to mounton systemd_timedated_var_lib_t.
- Allow x_userdomains to stream connect to pulseaudio BZ(1658286)
2019-01-11 12:46:15 +01:00
Lukas Vrabec
22bdc94c2b
* Fri Dec 06 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.14.3-14
- Remove all ganesha bits from gluster and rpc policy
- Label /usr/share/spamassassin/sa-update.cron as spamd_update_exec_t
- Add dac_override capability to ssad_t domains
- Allow pesign_t domain to read gnome home configs
- Label /usr/libexec/lm_sensors/sensord-service-wrapper as lsmd_exec_t
- Allow rngd_t domains read kernel state
- Allow certmonger_t domains to read bind cache
- Allow ypbind_t domain to stream connect to sssd
- Allow rngd_t domain to setsched
- Allow sanlock_t domain to read/write sysfs_t files
- Add dac_override capability to postfix_local_t domain
- Allow ypbind_t to search sssd_var_lib_t dirs
- Allow virt_qemu_ga_t domain to write to user_tmp_t files
- Allow systemd_logind_t to dbus chat with virt_qemu_ga_t
- Update sssd_manage_lib_files() interface to allow also mmap sssd_var_lib_t files
- Add new interface sssd_signal()
- Update xserver_filetrans_home_content() and xserver_filetrans_admin_home_content() unterfaces to allow caller domain to create .vnc dir in users homedir labeled as xdm_home_t
- Update logging_filetrans_named_content() to allow caller domains of this interface to create /var/log/journal/remote directory labeled as var_log_t
- Add sys_resource capability to the systemd_passwd_agent_t domain
- Allow ipsec_t domains to read bind cache
- kernel/files.fc: Label /run/motd as etc_t
- Allow systemd to stream connect to userdomain processes
- Label /var/lib/private/systemd/ as init_var_lib_t
- Allow initrc_t domain to create new socket labeled as init_T
- Allow audisp_remote_t domain remote logging client to read local audit events from relevant socket.
- Add tracefs_t type to mountpoint attribute
- Allow useradd_t and groupadd_t domains to send signals to sssd_t
- Allow systemd_logind_t domain to remove directories labeled as tmpfs_t BZ(1648636)
- Allow useradd_t and groupadd_t domains to access sssd files because of the new feature in shadow-utils
2018-12-06 16:43:04 +01:00
Lukas Vrabec
70c776a7bc
* Wed Nov 07 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.14.3-13
- Update pesign policy to allow pesign_t domain to read bind cache files/dirs
- Add dac_override capability to mdadm_t domain
- Create ibacm_tmpfs_t type for the ibacm policy
- Dontaudit capability sys_admin for dhcpd_t domain
- Makes rhsmcertd_t domain an exception to the constraint preventing changing the user identity in object contexts.
- Allow abrt_t domain to mmap generic tmp_t files
- Label /usr/sbin/wpa_cli as wpa_cli_exec_t
- Allow sandbox_xserver_t domain write to user_tmp_t files
- Allow certutil running as ipsec_mgmt_t domain to mmap ipsec_mgmt pid files Dontaudit ipsec_mgmt_t domain to write to the all mountpoints
- Add interface files_map_generic_tmp_files()
- Add dac_override capability to the syslogd_t domain
- Create systemd_timedated_var_run_t label
- Update systemd_timedated_t domain to allow create own pid files/access init_var_lib_t files and read dbus files BZ(1646202)
- Add init_read_var_lib_lnk_files and init_read_var_lib_sock_files interfaces
2018-11-07 23:34:46 +01:00
Lukas Vrabec
e4f858261b
* Sun Nov 04 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.14.3-12
- Dontaudit thumb_t domain to setattr on lib_t dirs BZ(1643672)
- Dontaudit cupsd_t domain to setattr lib_t dirs BZ(1636766)
- Add dac_override capability to postgrey_t domain BZ(1638954)
- Allow thumb_t domain to execute own tmpfs files BZ(1643698)
- Allow xdm_t domain to manage dosfs_t files BZ(1645770)
- Label systemd-timesyncd binary as systemd_timedated_exec_t to make it run in systemd_timedated_t domain BZ(1640801)
- Improve fs_manage_ecryptfs_files to allow caller domain also mmap ecryptfs_t files BZ(1630675)
- Label systemd-user-runtime-dir binary as systemd_logind_exec_t BZ(1644313)
2018-11-04 19:53:51 +01:00
Lukas Vrabec
38e2f9cae4
Add missing sources from github 2018-11-04 02:05:17 +01:00
Lukas Vrabec
9fcbb6398f
* Sun Nov 04 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.14.3-11
- Add nnp transition rule for vnstatd_t domain using NoNewPrivileges systemd feature BZ(1643063)
- Allow l2tpd_t domain to mmap /etc/passwd file BZ(1638948)
- Add dac_override capability to ftpd_t domain
- Allow gpg_t to create own tmpfs dirs and sockets
- Allow rhsmcertd_t domain to relabel cert_t files
- Add SELinux policy for kpatch
- Allow nova_t domain to use pam
- sysstat: grant sysstat_t the search_dir_perms set
- Label systemd-user-runtime-dir binary as systemd_logind_exec_t BZ(1644313)
- Allow systemd_logind_t to read fixed dist device BZ(1645631)
- Allow systemd_logind_t domain to read nvme devices BZ(1645567)
- Allow systemd_rfkill_t domain to comunicate via dgram sockets with syslogd BZ(1638981)
- kernel/files.fc: Label /run/motd.d(/.*)? as etc_t
- Allow ipsec_mgmt_t process to send signals other than SIGKILL, SIGSTOP, or SIGCHLD to the ipsec_t domains BZ(1638949)
- Allow X display manager to check status and reload services which are part of x_domain attribute
- Add interface miscfiles_relabel_generic_cert()
- Make kpatch policy active
- Fix userdom_write_user_tmp_dirs() to allow caller domain also read/write user_tmp_t dirs
- Dontaudit sys_admin capability for netutils_t domain
- Label tcp and udp ports 2611 as qpasa_agent_port_t
2018-11-04 01:55:34 +01:00
Lukas Vrabec
b602e5bcc1
* Tue Oct 16 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.14.3-10
- Allow boltd_t domain to dbus chat with fwupd_t domain BZ(1633786)
2018-10-16 00:18:59 +02:00
Lukas Vrabec
9b1e4d53d1
* Mon Oct 15 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.14.3-9
- Allow caller domains using cron_*_role to have entrypoint permission on system_cron_spool_t files BZ(1625645)
- Add interface cron_system_spool_entrypoint()
- Bolt added d-bus API for force-powering the thunderbolt controller, so system-dbusd needs acces to boltd pipes BZ(1637676)
- Add interfaces for boltd SELinux module
- Add dac_override capability to modemmanager_t domain BZ(1636608)
- Allow systemd to mount boltd_var_run_t dirs BZ(1636823)
- Label correctly /var/named/chroot*/dev/unrandom in bind chroot.
2018-10-15 17:44:05 +02:00
Lukas Vrabec
4b05ad26d8
* Sat Oct 13 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.14.3-8
- ejabberd SELinux module removed, it's shipped by ejabberd-selinux package
2018-10-13 22:39:48 +02:00
Lukas Vrabec
c889572bdc
* Tue Oct 09 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.14.3-6
- Allow boltd_t to be activated by init socket activation
- Allow virt_domain to read/write to virtd_t unix_stream socket because of new version of libvirt 4.4. BZ(1635803)
- Update SELinux policy for libreswan based on the latest rebase 3.26
- Fix typo in init_named_socket_activation interface
2018-10-09 17:49:28 +02:00
Lukas Vrabec
ef7c751093
* Thu Oct 04 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.14.3-5
- Allow dictd_t domain to mmap dictd_var_lib_t files BZ(1634650)
- Fix typo in boltd.te policy
- Allow fail2ban_t domain to mmap journal
- Add kill capability to named_t domain
- Allow neutron domain to read/write /var/run/utmp
- Create boltd_var_run_t type for boltd pid files
- Allow tomcat_domain to read /dev/random
- Allow neutron_t domain to use pam
- Add the port used by nsca (Nagios Service Check Acceptor)
2018-10-04 16:27:59 +02:00
Lukas Vrabec
7e236649a1
* Mon Sep 24 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.14.3-4
- Update sources to include SELinux policy for containers
2018-09-24 17:11:01 +02:00
Lukas Vrabec
5d5eb8e7fc
* Thu Sep 20 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.14.3-3
- Allow certmonger to manage cockpit_var_run_t pid files
- Allow cockpit_ws_t domain to manage cockpit services
- Allow dirsrvadmin_script_t domain to list httpd_tmp_t dirs
- Add interface apache_read_tmp_dirs()
- Fix typo in cockpit interfaces we have cockpit_var_run_t files not cockpit_var_pid_t
- Add interface apcupsd_read_power_files()
- Allow systemd labeled as init_t to execute logrotate in logrotate_t domain
- Allow dac_override capability to amanda_t domain
- Allow geoclue_t domain to get attributes of fs_t filesystems
- Update selinux policy for rhnsd_t domain based on changes in spacewalk-2.8-client
- Allow cockpit_t domain to read systemd state
- Allow abrt_t domain to write to usr_t files
- Allow cockpit to create motd file in /var/run/cockpit
- Label /usr/sbin/pcsd as cluster_exec_t
- Allow pesign_t domain to getattr all fs
- Allow tomcat servers to manage usr_t files
- Dontaudit tomcat serves to append to /dev/random device
- Allow dirsrvadmin_script_t domain to read httpd tmp files
- Allow sbd_t domain to getattr of all char files in /dev and read sysfs_t files and dirs
- Fix path where are sources for CI
- Revert "Allow firewalld_t domain to read random device"
- Add travis CI for selinux-policy-contrib repo
- Allow postfix domains to mmap system db files
- Allow geoclue_t domain to execute own tmp files
- Update ibacm_read_pid_files interface to allow also reading link files
- Allow zebra_t domain to create packet_sockets
- Allow opafm_t domain to list sysfs
- Label /usr/libexec/cyrus-imapd/cyrus-master as cyris_exec_t
- Allow tomcat Tomcat to delete a temporary file used when compiling class files for JSPs.
- Allow chronyd_t domain to read virt_var_lib_t files
- Allow systemd to read apcupsd power files
- Revert "Allow polydomain to create /tmp-inst labeled as tmp_t"
- Allow polydomain to create /tmp-inst labeled as tmp_t
- Allow polydomain to create /tmp-inst labeled as tmp_t
- Allow systemd_resolved_t domain to bind on udp howl port
- Add new boolean use_virtualbox Resolves: rhbz#1510478
- Allow sshd_t domain to read cockpit pid files
- Allow syslogd_t domain to manage cert_t files
- Fix path where are sources for CI
- Add travis.yml to to create CI for selinux-policy sources
- Allow getattr as part of files_mounton_kernel_symbol_table.
- Fix typo "aduit" -> "audit"
- Revert "Add new interface dev_map_userio()"
- Add new interface dev_map_userio()
- Allow systemd to read ibacm pid files
2018-09-20 08:54:04 +02:00
Lukas Vrabec
833e3136e5
* Thu Sep 06 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.14.3-2
- Allow tomcat services create link file in /tmp
- Label /etc/shorewall6 as shorewall_etc_t
- Allow winbind_t domain kill in user namespaces
- Allow firewalld_t domain to read random device
- Allow abrt_t domain to do execmem
- Allow geoclue_t domain to execute own var_lib_t files
- Allow openfortivpn_t domain to read system network state
- Allow dnsmasq_t domain to read networkmanager lib files
- sssd: Allow to limit capabilities using libcap
- sssd: Remove unnecessary capability
- sssd: Do not audit usage of lib nss_systemd.so
- Fix bug in nsd.fc, /var/run/nsd.ctl is socket file not file
- Add correct namespace_init_exec_t context to /etc/security/namespace.d/*
- Update nscd_socket_use to allow caller domain to mmap nscd_var_run_t files
- Allow exim_t domain to mmap bin files
- Allow mysqld_t domain to executed with nnp transition
- Allow svirt_t domain to mmap svirt_image_t block files
- Add caps dac_read_search and dav_override to pesign_t domain
- Allow iscsid_t domain to mmap userio chr files
- Add read interfaces for mysqld_log_t that was added in commit df832bf
- Allow boltd_t to dbus chat with xdm_t
- Conntrackd need to load kernel module to work
- Allow mysqld sys_nice capability
- Update boltd policy based on SELinux denials from rhbz#1607974
- Allow systemd to create symlinks in for /var/lib
- Add comment to show that template call also allows changing shells
- Document userdom_change_password_template() behaviour
- update files_mounton_kernel_symbol_table() interface to allow caller domain also mounton system_map_t file
- Fix typo in logging SELinux module
- Allow usertype to mmap user_tmp_type files
- In domain_transition_pattern there is no permission allowing caller domain to execu_no_trans on entrypoint, this patch fixing this issue
- Revert "Add execute_no_trans permission to mmap_exec_file_perms pattern"
- Add boolean: domain_can_mmap_files.
- Allow ipsec_t domian to mmap own tmp files
- Add .gitignore file
- Add execute_no_trans permission to mmap_exec_file_perms pattern
- Allow sudodomain to search caller domain proc info
- Allow audisp_remote_t domain to read auditd_etc_t
- netlabel: Remove unnecessary sssd nsswitch related macros
- Allow to use sss module in auth_use_nsswitch
- Limit communication with init_t over dbus
- Add actual modules.conf to the git repo
- Add few interfaces to optional block
- Allow sysadm_t and staff_t domain to manage systemd unit files
- Add interface dev_map_userio_dev()
2018-09-06 22:33:33 +02:00
Lukas Vrabec
046756d71a
* Tue Aug 28 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.14.3-1
- Allow ovs-vswitchd labeled as openvswitch_t domain communicate with qemu-kvm via UNIX stream socket
- Add interface devicekit_mounton_var_lib()
- Allow httpd_t domain to mmap tmp files
- Allow tcsd_t domain to have dac_override capability
- Allow cupsd_t to rename cupsd_etc_t files
- Allow iptables_t domain to create rawip sockets
- Allow amanda_t domain to mmap own tmpfs files
- Allow fcoemon_t domain to write to sysfs_t dirs
- Allow dovecot_auth_t domain to have dac_override capability
- Allow geoclue_t domain to mmap own tmp files
- Allow chronyc_t domain to read network state
- Allow apcupsd_t domain to execute itself
- Allow modemmanager_t domain to stream connect to sssd
- Allow chonyc_t domain to rw userdomain pipes
- Update dirsrvadmin_script_t policy to allow read httpd_tmp_t symlinks
- Update dirsrv_read_share() interface to allow caller domain to mmap dirsrv_share_t files
- Allow nagios_script_t domain to mmap nagios_spool_t files
- Allow geoclue_t domain to mmap geoclue_var_lib_t files
- Allow geoclue_t domain to map generic certs
- Update munin_manage_var_lib_files to allow manage also dirs
- Allow nsd_t domain to create new socket file in /var/run/nsd.ctl
- Fix typo in virt SELinux policy module
- Allow virtd_t domain to create netlink_socket
- Allow rpm_t domain to write to audit
- Allow nagios_script_t domain to mmap nagios_etc_t files
- Update nscd_socket_use() to allow caller domain to stream connect to nscd_t
- Allow kdumpctl_t domain to getattr fixed disk device in mls
- Fix typo in stapserver policy
- Dontaudit abrt_t domain to write to usr_t dirs
- Revert "Allow rpcbind to bind on all unreserved udp ports"
- Allow rpcbind to bind on all unreserved udp ports
- Allow virtlogd to execute itself
- Allow stapserver several actions: - execute own tmp files - mmap stapserver_var_lib_t files - create stapserver_tmpfs_t files
- Allow ypxfr_t domain to stream connect to rpcbind and allos search sssd libs
- Allos systemd to socket activate ibacm service
- Allow dirsrv_t domain to mmap user_t files
- Allow kdumpctl_t domain to manage kdumpctl_tmp_t fifo files
- Allow kdumpctl to write to files on all levels
- Allow httpd_t domain to mmap httpd_config_t files
- Allow sanlock_t domain to connectto to unix_stream_socket
- Revert "Add same context for symlink as binary"
- Allow mysql execute rsync
- Update nfsd_t policy because of ganesha features
- Allow conman to getattr devpts_t
- Allow tomcat_domain to connect to smtp ports
- Allow tomcat_t domain to mmap tomcat_var_lib_t files
- Allow nagios_t domain to mmap nagios_log_t files
- Allow kpropd_t domain to mmap krb5kdc_principal_t files
- Allow kdumpctl_t domain to read fixed disk storage
2018-08-29 00:10:24 +02:00
Lukas Vrabec
354ea12800
* Fri Aug 10 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.14.2-32
- Fix issue with aliases in apache interface file
- Add same context for symlink as binary
- Allow boltd_t to send logs to journal
- Allow colord_use_nfs to allow colord also mmap nfs_t files
- Allow mysqld_safe_t do execute itself
- Allow smbd_t domain to chat via dbus with avahi daemon
- cupsd_t domain will create /etc/cupsd/ppd as cupsd_etc_rw_t
- Update screen_role_template to allow caller domain to have screen_exec_t as entrypoint do new domain
- Add alias httpd__script_t to _script_t to make sepolicy generate working
- Allow gpg_t domain to mmap gpg_agent_tmp_t files
- label /var/lib/pgsql/data/log as postgresql_log_t
- Allow sysadm_t domain to accept socket
- Allow systemd to manage passwd_file_t
- Allow sshd_t domain to mmap user_tmp_t files
2018-08-10 17:26:19 +02:00
Lukas Vrabec
bb7c753263
* Tue Aug 07 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.14.2-31
- Allow kprop_t domain to read network state
- Add support boltd policy
- Allow kpropd domain to exec itself
- Allow pdns_t to bind on tcp transproxy port
- Add support for opafm service
- Allow hsqldb_t domain to read cgroup files
- Allow rngd_t domain to read generic certs
- Allow innd_t domain to mmap own var_lib_t files
- Update screen_role_temaplate interface
- Allow chronyd_t domain to mmap own tmpfs files
- Allow sblim_sfcbd_t domain to mmap own tmpfs files
- Allow systemd to mounont boltd lib dirs
- Allow sysadm_t domain to create rawip sockets
- Allow sysadm_t domain to listen on socket
- Update sudo_role_template() to allow caller domain also setattr generic ptys
- Update logging_manage_all_logs() interface to allow caller domain map all logfiles
2018-08-07 15:54:42 +02:00
Lukas Vrabec
da3bd2ceb6
* Sun Jul 29 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.14.2-30
- Allow sblim_sfcbd_t domain to mmap own tmpfs files
- Allow nfsd_t domain to read krb5 keytab files
- Allow nfsd_t domain to manage fadm pid files
- Allow virt_domain to create icmp sockets BZ(1609142)
- Dontaudit oracleasm_t domain to request sys_admin capability
- Update logging_manage_all_logs() interface to allow caller domain map all logfiles
2018-07-29 17:17:33 +02:00
Lukas Vrabec
539110c25c
* Wed Jul 25 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.14.2-29
- Allow aide to mmap all files
- Revert "Allow firewalld to create rawip sockets"
- Revert "Allow firewalld_t do read iptables_var_run_t files"
- Allow svirt_tcg_t domain to read system state of virtd_t domains
- Update rhcs contexts to reflects the latest fenced changes
- Allow httpd_t domain to rw user_tmp_t files
- Fix typo in openct policy
- Allow winbind_t domian to connect to all ephemeral ports
- Allow firewalld_t do read iptables_var_run_t files
- Allow abrt_t domain to mmap data_home files
- Allow glusterd_t domain to mmap user_tmp_t files
- Allow mongodb_t domain to mmap own var_lib_t files
- Allow firewalld to read kernel usermodehelper state
- Allow modemmanager_t to read sssd public files
- Allow openct_t domain to mmap own var_run_t files
- Allow nnp transition for devicekit daemons
- Allow firewalld to create rawip sockets
- Allow firewalld to getattr proc filesystem
- Dontaudit sys_admin capability for pcscd_t domain
- Revert "Allow pcsd_t domain sys_admin capability"
- Allow fetchmail_t domain to stream connect to sssd
- Allow pcsd_t domain sys_admin capability
- Allow cupsd_t to create cupsd_etc_t dirs
- Allow varnishlog_t domain to list varnishd_var_lib_t dirs
- Allow mongodb_t domain to read system network state BZ(1599230)
- Allow tgtd_t domain to create dirs in /var/run labeled as tgtd_var_run_t BZ(1492377)
- Allow iscsid_t domain to mmap sysfs_t files
- Allow httpd_t domain to mmap own cache files
- Add sys_resource capability to nslcd_t domain
- Fixed typo in logging_audisp_domain interface
- Add interface files_mmap_all_files()
- Add interface iptables_read_var_run()
- Allow systemd to mounton init_var_run_t files
- Update policy rules for auditd_t based on changes in audit version 3
- Allow systemd_tmpfiles_t do mmap system db files
- Merge branch 'rawhide' of github.com:fedora-selinux/selinux-policy into rawhide
- Improve domain_transition_pattern to allow mmap entrypoint bin file.
- Don't setup unlabeled_t as an entry_type
- Allow unconfined_service_t to transition to container_runtime_t
2018-07-25 23:42:34 +02:00
Lukas Vrabec
35bcefb9e1
* Wed Jul 18 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.14.2-28
- Allow cupsd_t domain to mmap cupsd_etc_t files
- Allow kadmind_t domain to mmap krb5kdc_principal_t
- Allow virtlogd_t domain to read virt_etc_t link files
- Allow dirsrv_t domain to read crack db
- Dontaudit pegasus_t to require sys_admin capability
- Allow mysqld_t domain to exec mysqld_exec_t binary files
- Allow abrt_t odmain to read rhsmcertd lib files
- Allow winbind_t domain to request kernel module loads
- Allow tomcat_domain to read cgroup_t files
- Allow varnishlog_t domain to mmap varnishd_var_lib_t files
- Allow innd_t domain to mmap news_spool_t files
- Label HOME_DIR/mozilla.pdf file as mozilla_home_t instead of user_home_t
- Allow fenced_t domain to reboot
- Allow amanda_t domain to read network system state
- Allow abrt_t domain to read rhsmcertd logs
- Fix typo in radius policy
- Update zoneminder policy to reflect latest features in zoneminder BZ(1592555)
- Label /usr/bin/esmtp-wrapper as sendmail_exec_t
- Update raid_access_check_mdadm() interface to dontaudit caller domain to mmap mdadm_exec_t binary files
- Dontaudit thumb to read mmap_min_addr
- Allow chronyd_t to send to system_cronjob_t via unix dgram socket BZ(1494904)
- Allow mpd_t domain to mmap mpd_tmpfs_t files BZ(1585443)
- Allow collectd_t domain to use ecryptfs files BZ(1592640)
- Dontaudit mmap home type files for abrt_t domain
- Allow fprintd_t domain creating own tmp files BZ(1590686)
- Allow collectd_t domain to bind on bacula_port_t BZ(1590830)
- Allow fail2ban_t domain to getpgid BZ(1591421)
- Allow nagios_script_t domain to mmap nagios_log_t files BZ(1593808)
- Allow pcp_pmcd_t domain to use sys_ptrace usernamespace cap
- Allow sssd_selinux_manager_t to read/write to systemd sockets BZ(1595458)
- Allow virt_qemu_ga_t domain to read network state BZ(1592145)
- Allow radiusd_t domain to mmap radius_etc_rw_t files
- Allow git_script_t domain to read and mmap gitosis_var_lib_t files BZ(1591729)
- Add dac_read_search capability to thumb_t domain
- Add dac_override capability to cups_pdf_t domain BZ(1594271)
- Add net_admin capability to connntrackd_t domain BZ(1594221)
- Allow gssproxy_t domain to domtrans into gssd_t domain BZ(1575234)
- Fix interface init_dbus_chat in oddjob SELinux policy BZ(1590476)
- Allow motion_t to mmap video devices BZ(1590446)
- Add dac_override capability to mpd_t domain BZ(1585358)
- Allow fsdaemon_t domain to write to mta home files BZ(1588212)
- Allow virtlogd_t domain to chat via dbus with systemd_logind BZ(1589337)
- Allow sssd_t domain to write to general cert files BZ(1589339)
- Allow l2tpd_t domain to sends signull to ipsec domains BZ(1589483)
- Allow cockpit_session_t to read kernel network state BZ(1596941)
- Allow devicekit_power_t start with nnp systemd security feature with proper SELinux Domain transition BZ(1593817)
- Update rhcs_rw_cluster_tmpfs() interface to allow caller domain to mmap cluster_tmpfs_t files
- Allow chronyc_t domain to use nscd shm
- Label /var/lib/tomcats dir as tomcat_var_lib_t
2018-07-18 17:37:07 +02:00
Lukas Vrabec
985fc6104c
* Wed Jun 27 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.14.2-26
- Allow psad domain to setrlimit. Allow psad domain to stream connect to dbus Allow psad domain to exec journalctl_exec_t binary
- Update cups_filetrans_named_content() to allow caller domain create ppd directory with cupsd_etc_rw_t label
- Allow abrt_t domain to write to rhsmcertd pid files
- Allow pegasus_t domain to eexec lvm binaries and allow read/write access to lvm control
- Add vhostmd_t domain to read/write to svirt images
- Update kdump_manage_kdumpctl_tmp_files() interface to allow caller domain also mmap kdumpctl_tmp_t files
- Allow sssd_t and slpad_t domains to mmap generic certs
- Allow chronyc_t domain use inherited user ttys
- Allow stapserver_t domain to mmap own tmp files
- Update nscd_dontaudit_write_sock_file() to dontaudit also stream connect to nscd_t domain
- Merge pull request #60 from vmojzis/rawhide
- Allow tangd_t domain stream connect to sssd
- Allow oddjob_t domain to chat with systemd via dbus
- Allow freeipmi domains to mmap sysfs files
- Fix typo in logwatch interface file
- Allow sysadm_t and staff_t domains to use sudo io logging
- Allow sysadm_t domain create sctp sockets
- Allow traceroute_t domain to exec bin_t binaries
- Allow systemd_passwd_agent_t domain to list sysfs Allow systemd_passwd_agent_t domain to dac_override
- Add new interface dev_map_sysfs()
2018-06-27 10:25:55 +02:00
Lukas Vrabec
f4debe939a
* Thu Jun 14 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.14.2-25
- Merge pull request #60 from vmojzis/rawhide
- Allow tangd_t domain stream connect to sssd
- Allow oddjob_t domain to chat with systemd via dbus
- Allow freeipmi domains to mmap sysfs files
- Fix typo in logwatch interface file
- Allow spamd_t to manage logwatch_cache_t files/dirs
- Allow dnsmasw_t domain to create own tmp files and manage mnt files
- Allow fail2ban_client_t to inherit rlimit information from parent process
- Allow nscd_t to read kernel sysctls
- Label /var/log/conman.d as conman_log_t
- Add dac_override capability to tor_t domain
- Allow certmonger_t to readwrite to user_tmp_t dirs
- Allow abrt_upload_watch_t domain to read general certs
- Allow chornyd_t read phc2sys_t shared memory
- Add several allow rules for pesign policy:
- Add setgid and setuid capabilities to mysqlfd_safe_t domain
- Add tomcat_can_network_connect_db boolean
- Update virt_use_sanlock() boolean to read sanlock state
- Add sanlock_read_state() interface
- Allow zoneminder_t to getattr of fs_t
- Allow rhsmcertd_t domain to send signull to postgresql_t domain
- Add log file type to collectd and allow corresponding access
- Allow policykit_t domain to dbus chat with dhcpc_t
- Allow traceroute_t domain to exec bin_t binaries
- Allow systemd_passwd_agent_t domain to list sysfs Allow systemd_passwd_agent_t domain to dac_override
- Add new interface dev_map_sysfs()
- Allow sshd_keygen_t to execute plymouthd
- Allow systemd_networkd_t create and relabel tun sockets
- Add new interface postgresql_signull()
2018-06-14 15:31:59 +02:00
Lukas Vrabec
1d35f9ea76
* Tue Jun 12 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.14.2-24
- /usr/libexec/bluetooth/obexd should have only obexd_exec_t instead of bluetoothd_exec_t type
- Allow ntop_t domain to create/map various sockets/files.
- Enable the dictd to communicate via D-bus.
- Allow inetd_child process to chat via dbus with abrt
- Allow zabbix_agent_t domain to connect to redis_port_t
- Allow rhsmcertd_t domain to read xenfs_t files
- Allow zabbix_agent_t to run zabbix scripts
- Fix openvswith SELinux module
- Fix wrong path in tlp context file BZ(1586329)
- Update brltty SELinux module
- Allow rabbitmq_t domain to create own tmp files/dirs
- Allow policykit_t mmap policykit_auth_exec_t files
- Allow ipmievd_t domain to read general certs
- Add sys_ptrace capability to pcp_pmie_t domain
- Allow squid domain to exec ldconfig
- Update gpg SELinux policy module
- Allow mailman_domain to read system network state
- Allow openvswitch_t domain to read neutron state and read/write fixed disk devices
- Allow antivirus_domain to read all domain system state
- Allow targetd_t domain to red gconf_home_t files/dirs
- Label /usr/libexec/bluetooth/obexd as obexd_exec_t
- Add interface nagios_unconfined_signull()
- Fix typos in zabbix.te file
- Add missing requires
- Allow tomcat domain sends email
- Fix typo in sge policy
- Merge pull request #214 from wrabcak/fb-dhcpc
- Allow dhcpc_t creating own socket files inside /var/run/ Allow dhcpc_t creating netlink_kobject_uevent_socket, netlink_generic_socket, rawip_socket BZ(1585971)
- Allow confined users get AFS tokens
- Allow sysadm_t domain to chat via dbus
- Associate sysctl_kernel_t type with filesystem attribute
- Allow syslogd_t domain to send signull to nagios_unconfined_plugin_t
- Fix typo in netutils.te file
2018-06-12 14:22:02 +02:00
Lukas Vrabec
4cca30aa93
* Wed Jun 06 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.14.2-23
- Add dac_override capability to sendmail_t domian
2018-06-06 13:16:15 +02:00
Lukas Vrabec
318acc9510
* Wed Jun 06 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.14.2-22
- Fix typo in authconfig policy
- Update ctdb domain to support gNFS setup
- Allow authconfig_t dbus chat with policykit
- Allow lircd_t domain to read system state
- Revert "Allow fsdaemon_t do send emails BZ(1582701)"
- Typo in uuidd policy
- Allow tangd_t domain read certs
- Allow vpnc_t domain to read configfs_t files/dirs BZ(1583107)
- Allow vpnc_t domain to read generic certs BZ(1583100)
- Label /var/lib/phpMyAdmin directory as httpd_sys_rw_content_t BZ(1584811)
- Allow NetworkManager_ssh_t domain to be system dbud client
- Allow virt_qemu_ga_t read utmp
- Add capability dac_override to system_mail_t domain
- Update uuidd policy to reflect last changes from base branch
- Add cap dac_override to procmail_t domain
- Allow sendmail to mmap etc_aliases_t files BZ(1578569)
- Add new interface dbus_read_pid_sock_files()
- Allow mpd_t domain read config_home files if mpd_enable_homedirs boolean will be enabled
- Allow fsdaemon_t do send emails BZ(1582701)
- Allow firewalld_t domain to request kernel module BZ(1573501)
- Allow chronyd_t domain to send send msg via dgram socket BZ(1584757)
- Add sys_admin capability to fprint_t SELinux domain
- Allow cyrus_t domain to create own files under /var/run BZ(1582885)
- Allow cachefiles_kernel_t domain to have capability dac_override
- Update policy for ypserv_t domain
- Allow zebra_t domain to bind on tcp/udp ports labeled as qpasa_agent_port_t
- Allow cyrus to have dac_override capability
- Dontaudit action when abrt-hook-ccpp is writing to nscd sockets
- Fix homedir polyinstantion under mls
- Fixed typo in init.if file
- Allow systemd to remove generic tmpt files BZ(1583144)
- Update init_named_socket_activation() interface to also allow systemd create objects in /var/run with proper label during socket activation
- Allow systemd-networkd and systemd-resolved services read system-dbusd socket BZ(1579075)
- Fix typo in authlogin SELinux security module
- Allod nsswitch_domain attribute to be system dbusd client BZ(1584632)
- Allow audisp_t domain to mmap audisp_exec_t binary
- Update ssh_domtrans_keygen interface to allow mmap ssh_keygen_exec_t binary file
- Label tcp/udp ports 2612 as qpasa_agetn_port_t
2018-06-06 10:25:52 +02:00
Lukas Vrabec
58acce3c84
* Sat May 26 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.14.2-21
- Add dac_override to exim policy BZ(1574303)
- Fix typo in conntrackd.fc file
- Allow sssd_t to kill sssd_selinux_manager_t
- Allow httpd_sys_script_t to connect to mongodb_port_t if boolean httpd_can_network_connect_db  is turned on
- Allow chronyc_t to redirect ourput to /var/lib /var/log and /tmp
- Allow policykit_auth_t to read udev db files BZ(1574419)
- Allow varnishd_t do be dbus client BZ(1582251)
- Allow cyrus_t domain to mmap own pid files BZ(1582183)
- Allow user_mail_t domain to mmap etc_aliases_t files
- Allow gkeyringd domains to run ssh agents
- Allow gpg_pinentry_t domain read ssh state
- Allow sysadm_u use xdm
- Allow xdm_t domain to listen ofor unix dgram sockets BZ(1581495)
- Add interface ssh_read_state()
- Fix typo in sysnetwork.if file
2018-05-26 00:25:28 +02:00
Lukas Vrabec
9364159b18
* Thu May 24 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.14.2-20
- Allow tangd_t domain to create tcp sockets and add new interface tangd_read_db_files
- Allow mailman_mail_t domain to search for apache configs
- Allow mailman_cgi_t domain to ioctl an httpd with a unix domain stream sockets.
- Improve procmail_domtrans() to allow mmaping procmail_exec_t
- Allow ptrace arbitrary processes
- Allow jabberd_router_t domain read kerberos keytabs BZ(1573945)
- Allow certmonger to geattr of filesystems BZ(1578755)
- Update dev_map_xserver_misc interface to allo mmaping char devices instead of files
- Allow noatsecure permission for all domain transitions from systemd.
- Allow systemd to read tangd db files
- Fix typo in ssh.if file
- Allow xdm_t domain to mmap xserver_misc_device_t files
- Allow xdm_t domain to execute systemd-coredump binary
- Add bridge_socket, dccp_socket, ib_socket and mpls_socket to socket_class_set
- Improve modutils_domtrans_insmod() interface to mmap insmod_exec_t binaries
- Improve iptables_domtrans() interface to allow mmaping iptables_exec_t binary
- Improve auth_domtrans_login_programinterface to allow also mmap login_exec_t binaries
- Improve auth_domtrans_chk_passwd() interface to allow also mmaping chkpwd_exec_t binaries.
- Allow mmap dhcpc_exec_t binaries in sysnet_domtrans_dhcpc interface
- Improve running xorg with proper SELinux domain even if systemd security feature NoNewPrivileges is used
2018-05-24 16:07:11 +02:00
Lukas Vrabec
e881d79dbc
* Mon May 21 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.14.2-18
- Disable secure mode environment cleansing for dirsrv_t
- Allow udev execute /usr/libexec/gdm-disable-wayland in xdm_t domain which allows create /run/gdm/custom.conf with proper xdm_var_run_t label.
2018-05-21 22:23:41 +02:00
Lukas Vrabec
844794a0f4
* Mon May 21 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.14.2-17
- Add dac_override capability to remote_login_t domain
- Allow chrome_sandbox_t to mmap tmp files
- Update ulogd SELinux security policy
- Allow rhsmcertd_t domain send signull to apache processes
- Allow systemd socket activation for modemmanager
- Allow geoclue to dbus chat with systemd
- Fix file contexts on conntrackd policy
- Temporary fix for varnish and apache adding capability for DAC_OVERRIDE
- Allow lsmd_plugin_t domain to getattr lsm_t unix stream sockets
- Add label for  /usr/sbin/pacemaker-remoted to have cluster_exec_t
- Allow nscd_t domain to be system dbusd client
- Allow abrt_t domain to read sysctl
- Add dac_read_search capability for tangd
- Allow systemd socket activation for rshd domain
- Add label for /usr/libexec/cyrus-imapd/master as cyrus_exec_t to have proper SELinux domain transition from init_t to cyrus_t
- Allow kdump_t domain to map /boot files
- Allow conntrackd_t domain to send msgs to syslog
- Label /usr/sbin/nhrpd and /usr/sbin/pimd binaries as zebra_exec_t
- Allow swnserve_t domain to stream connect to sasl domain
- Allow smbcontrol_t to create dirs with samba_var_t label
- Remove execstack,execmem and execheap from domains setroubleshootd_t, locate_t and podsleuth_t to increase security. BZ(1579760)
- Allow tangd to read public sssd files BZ(1509054)
- Allow geoclue start with nnp systemd security feature with proper SELinux Domain transition BZ(1575212)
- Allow ctdb_t domain modify ctdb_exec_t files
- Allow firewalld_t domain to create netlink_netfilter sockets
- Allow radiusd_t domain to read network sysctls
- Allow pegasus_t domain to mount tracefs_t filesystem
- Allow create systemd to mount pid files
- Add files_map_boot_files() interface
- Remove execstack,execmem and execheap from domain fsadm_t to increase security. BZ(1579760)
- Fix typo xserver SELinux module
- Allow systemd to mmap files with var_log_t label
- Allow x_userdomains read/write to xserver session
2018-05-21 01:48:14 +02:00
Lukas Vrabec
4d2de689d5
Fix typo bug in xserver SELinux module 2018-04-30 17:41:45 +02:00
Lukas Vrabec
a4ad07747e
* Mon Apr 30 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.14.2-16
- Allow systemd to mmap files with var_log_t label
- Allow x_userdomains read/write to xserver session
2018-04-30 16:30:28 +02:00
Lukas Vrabec
560c1cf401
* Sat Apr 28 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.14.2-15
- Allow unconfined_domain_type to create libs filetrans named content BZ(1513806)
2018-04-28 19:43:37 +02:00