Commit Graph

6155 Commits

Author SHA1 Message Date
Zdenek Pytela
33df875935 Add the qatlib module 2023-06-27 15:28:13 +02:00
Zdenek Pytela
1726cd56f8 Add the fdo module 2023-06-27 15:27:59 +02:00
Zdenek Pytela
fcf01bf48f Add the bootupd module 2023-06-27 15:27:42 +02:00
Zdenek Pytela
ca2263f358 * Sun Jun 25 2023 Zdenek Pytela <zpytela@redhat.com> - 38.18-1
- Add support for kafs-dns requested by keyutils
- Allow insights-client execmem
- Add support for chronyd-restricted
- Add init_explicit_domain() interface
- Allow fsadm_t to get attributes of cgroup filesystems
- Add list_dir_perms to kerberos_read_keytab
- Label /var/run/tmpfiles.d/static-nodes.conf with kmod_var_run_t
- Allow sendmail manage its runtime files
- Allow keyutils_dns_resolver_exec_t be an entrypoint
- Allow collectd_t read network state symlinks
- Revert "Allow collectd_t read proc_net link files"
- Allow nfsd_t to list exports_t dirs
- Allow cupsd dbus chat with xdm
- Allow haproxy read hardware state information
- Add the kafs module
2023-06-25 13:44:12 +02:00
Zdenek Pytela
d71412e8ad Add the kafs module 2023-06-23 17:09:10 +02:00
Zdenek Pytela
38fd9a9006 * Thu Jun 15 2023 Zdenek Pytela <zpytela@redhat.com> - 38.17-1
- Label /dev/userfaultfd with userfaultfd_t
- Allow blueman send general signals to unprivileged user domains
- Allow dkim-milter domain transition to sendmail
- Label /usr/sbin/cifs.idmap with cifs_helper_exec_t
- Allow cifs-helper read sssd kerberos configuration files
- Allow rpm_t sys_admin capability
- Allow dovecot_deliver_t create/map dovecot_spool_t dir/file
- Allow collectd_t read proc_net link files
- Allow insights-client getsession process permission
- Allow insights-client work with pipe and socket tmp files
- Allow insights-client map generic log files
- Update cyrus_stream_connect() to use sockets in /run
- Allow keyutils-dns-resolver read/view kernel key ring
- Label /var/log/kdump.log with kdump_log_t
2023-06-15 11:13:58 +02:00
Zdenek Pytela
995ad0daac Exclude container-selinux manpage from selinux-policy-doc
The container_selinux.8 manpage is a part of the upstream
container-selinux package and it should rather be a part
of container-selinux.

Resolves: rhbz#2209120
2023-06-12 17:15:47 +02:00
Zdenek Pytela
37f102411a * Fri Jun 09 2023 Zdenek Pytela <zpytela@redhat.com> - 38.16-1
- Add support for the systemd-pstore service
- Allow kdumpctl_t to execmem
- Update sendmail policy module for opensmtpd
- Allow nagios-mail-plugin exec postfix master
- Allow subscription-manager execute ip
- Allow ssh client connect with a user dbus instance
- Add support for ksshaskpass
- Allow rhsmcertd file transition in /run also for socket files
- Allow keyutils_dns_resolver_t execute keyutils_dns_resolver_exec_t
- Allow plymouthd read/write X server miscellaneous devices
- Allow systemd-sleep read udev pid files
- Allow exim read network sysctls
- Allow sendmail request load module
- Allow named map its conf files
- Allow squid map its cache files
- Allow NetworkManager_dispatcher_dhclient_t to execute shells without a domain transition
2023-06-09 22:29:46 +02:00
Zdenek Pytela
70fa3a1489 * Tue May 30 2023 Zdenek Pytela <zpytela@redhat.com> - 38.15-1
- Update policy for systemd-sleep
- Remove permissive domain for rshim_t
- Remove permissive domain for mptcpd_t
- Allow systemd-bootchartd the sys_ptrace userns capability
- Allow sysadm_t read nsfs files
- Allow sysadm_t run kernel bpf programs
- Update ssh_role_template for ssh-agent
- Update ssh_role_template to allow read/write unallocated ttys
- Add the booth module to modules.conf
- Allow firewalld rw ica_tmpfs_t files
2023-05-30 12:00:03 +02:00
Zdenek Pytela
c7eb7f478f Add booth module 2023-05-26 22:05:40 +02:00
Zdenek Pytela
f148635ab0 * Fri May 26 2023 Zdenek Pytela <zpytela@redhat.com> - 38.14-1
- Remove permissive domain for cifs_helper_t
- Update the cifs-helper policy
- Replace cifsutils_helper_domtrans() with keyutils_request_domtrans_to()
- Update pkcsslotd policy for sandboxing
- Allow abrt_t read kernel persistent storage files
- Dontaudit targetd search httpd config dirs
- Allow init_t nnp domain transition to policykit_t
- Allow rpcd_lsad setcap and use generic ptys
- Allow samba-dcerpcd connect to systemd_machined over a unix socket
- Allow wireguard to rw network sysctls
- Add policy for boothd
- Allow kernel to manage its own BPF objects
- Label /usr/lib/systemd/system/proftpd.* & vsftpd.* with ftpd_unit_file_t
2023-05-26 13:00:58 +02:00
Zdenek Pytela
dfde7d3e7a * Mon May 22 2023 Zdenek Pytela <zpytela@redhat.com> - 38.13-1
- Add initial policy for cifs-helper
- Label key.dns_resolver with keyutils_dns_resolver_exec_t
- Allow unconfined_service_t to create .gnupg labeled as gpg_secret_t
- Allow some systemd services write to cgroup files
- Allow NetworkManager_dispatcher_dhclient_t to read the DHCP configuration files
- Allow systemd resolved to bind to arbitrary nodes
- Allow plymouthd_t bpf capability to run bpf programs
- Allow cupsd to create samba_var_t files
- Allow rhsmcert request the kernel to load a module
- Allow virsh name_connect virt_port_t
- Allow certmonger manage cluster library files
- Allow plymouthd read init process state
- Add chromium_sandbox_t setcap capability
- Allow snmpd read raw disk data
- Allow samba-rpcd work with passwords
- Allow unconfined service inherit signal state from init
- Allow cloud-init manage gpg admin home content
- Allow cluster_t dbus chat with various services
- Allow nfsidmapd work with systemd-userdbd and sssd
- Allow unconfined_domain_type use IORING_OP_URING_CMD on all device nodes
- Allow plymouthd map dri and framebuffer devices
- Allow rpmdb_migrate execute rpmdb
- Allow logrotate dbus chat with systemd-hostnamed
- Allow icecast connect to kernel using a unix stream socket
- Allow lldpad connect to systemd-userdbd over a unix socket
- Allow journalctl open user domain ptys and ttys
- Allow keepalived to manage its tmp files
- Allow ftpd read network sysctls
- Label /run/bgpd with zebra_var_run_t
- Allow gssproxy read network sysctls
- Add the cifsutils module
2023-05-22 09:00:23 +02:00
Zdenek Pytela
9619eb8fb1 * Tue Apr 25 2023 Zdenek Pytela <zpytela@redhat.com> - 38.12-1
- Allow telnetd read network sysctls
- Allow munin system plugin read generic SSL certificates
- Allow munin system plugin create and use netlink generic socket
- Allow login_userdomain create user namespaces
- Allow request-key to send syslog messages
- Allow request-key to read/view any key
- Add fs_delete_pstore_files() interface
- Allow insights-client work with teamdctl
- Allow insights-client read unconfined service semaphores
- Allow insights-client get quotas of all filesystems
- Add fs_read_pstore_files() interface
- Allow generic kernel helper to read inherited kernel pipes
2023-04-25 22:13:11 +02:00
Zdenek Pytela
10fd8395c1 * Fri Apr 14 2023 Zdenek Pytela <zpytela@redhat.com> - 38.11-1
- Allow dovecot-deliver write to the main process runtime fifo files
- Allow dmidecode write to cloud-init tmp files
- Allow chronyd send a message to cloud-init over a datagram socket
- Allow cloud-init domain transition to insights-client domain
- Allow mongodb read filesystem sysctls
- Allow mongodb read network sysctls
- Allow accounts-daemon read generic systemd unit lnk files
- Allow blueman watch generic device dirs
- Allow nm-dispatcher tlp plugin create tlp dirs
- Allow systemd-coredump mounton /usr
- Allow rabbitmq to read network sysctls
2023-04-14 13:48:00 +02:00
Zdenek Pytela
1c3d527d43 * Tue Apr 04 2023 Zdenek Pytela <zpytela@redhat.com> - 38.10-1
- Allow certmonger dbus chat with the cron system domain
- Allow geoclue read network sysctls
- Allow geoclue watch the /etc directory
- Allow logwatch_mail_t read network sysctls
- Allow insights-client read all sysctls
- Allow passt manage qemu pid sock files
2023-04-04 21:35:41 +02:00
Zdenek Pytela
737e197bb4 * Fri Mar 24 2023 Zdenek Pytela <zpytela@redhat.com> - 38.9-1
- Allow sssd read accountsd fifo files
- Add support for the passt_t domain
- Allow virtd_t and svirt_t work with passt
- Add new interfaces in the virt module
- Add passt interfaces defined conditionally
- Allow tshark the setsched capability
- Allow poweroff create connections to system dbus
- Allow wg load kernel modules, search debugfs dir
- Boolean: allow qemu-ga manage ssh home directory
- Label smtpd with sendmail_exec_t
- Label msmtp and msmtpd with sendmail_exec_t
- Allow dovecot to map files in /var/spool/dovecot
2023-03-24 20:05:51 +01:00
Zdenek Pytela
4a6ce4bf1f * Fri Mar 03 2023 Zdenek Pytela <zpytela@redhat.com> - 38.8-1
- Confine gnome-initial-setup
- Allow qemu-guest-agent create and use vsock socket
- Allow login_pgm setcap permission
- Allow chronyc read network sysctls
- Enhancement of the /usr/sbin/request-key helper policy
- Fix opencryptoki file names in /dev/shm
- Allow system_cronjob_t transition to rpm_script_t
- Revert "Allow system_cronjob_t domtrans to rpm_script_t"
- Add tunable to allow squid bind snmp port
- Allow staff_t getattr init pid chr & blk files and read krb5
- Allow firewalld to rw z90crypt device
- Allow httpd work with tokens in /dev/shm
- Allow svirt to map svirt_image_t char files
- Allow sysadm_t run initrc_t script and sysadm_r role access
- Allow insights-client manage fsadm pid files
2023-03-03 17:49:15 +01:00
Zdenek Pytela
0d20c35838 * Wed Feb 08 2023 Zdenek Pytela <zpytela@redhat.com> - 38.7-1
- Allowing snapper to create snapshots of /home/ subvolume/partition
- Add boolean qemu-ga to run unconfined script
- Label systemd-journald feature LogNamespace
- Add none file context for polyinstantiated tmp dirs
- Allow certmonger read the contents of the sysfs filesystem
- Add journalctl the sys_resource capability
- Allow nm-dispatcher plugins read generic files in /proc
- Add initial policy for the /usr/sbin/request-key helper
- Additional support for rpmdb_migrate
- Add the keyutils module
2023-02-08 21:31:38 +01:00
Zdenek Pytela
232d13e7df * Mon Jan 30 2023 Zdenek Pytela <zpytela@redhat.com> - 38.6-1
- Boolean: allow qemu-ga read ssh home directory
- Allow kernel_t to read/write all sockets
- Allow kernel_t to UNIX-stream connect to all domains
- Allow systemd-resolved send a datagram to journald
- Allow kernel_t to manage and have "execute" access to all files
- Fix the files_manage_all_files() interface
- Allow rshim bpf cap2 and read sssd public files
- Allow insights-client work with su and lpstat
- Allow insights-client tcp connect to all ports
- Allow nm-cloud-setup dispatcher plugin restart nm services
- Allow unconfined user filetransition for sudo log files
- Allow modemmanager create hardware state information files
- Allow ModemManager all permissions for netlink route socket
- Allow wg to send msg to kernel, write to syslog and dbus connections
- Allow hostname_t to read network sysctls.
- Dontaudit ftpd the execmem permission
- Allow svirt request the kernel to load a module
- Allow icecast rename its log files
- Allow upsd to send signal to itself
- Allow wireguard to create udp sockets and read net_conf
- Use %autosetup instead of %setup
- Pass -p 1 to %autosetup
2023-01-30 17:30:57 +01:00
Ondrej Mosnáček
66b983ca0d
Pass -p 1 to %autosetup
This means that the first component of the path is stripped when
applying patches. This is needed so that patches created by git can be
applied.

Signed-off-by: Ondrej Mosnáček <omosnacek@gmail.com>
2023-01-24 14:26:04 +01:00
Ondrej Mosnáček
a5f1fa9914
Use %autosetup instead of %setup
This makes it easier to modify the spec to apply a patch for testing.

The -q option is dropped, as it's the default for %autosetup:
https://rpm-software-management.github.io/rpm/manual/autosetup.html#autosetup-options

Signed-off-by: Ondrej Mosnáček <omosnacek@gmail.com>
2023-01-23 10:49:19 +01:00
Fedora Release Engineering
c11eb88514 Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild
Signed-off-by: Fedora Release Engineering <releng@fedoraproject.org>
2023-01-21 02:58:55 +00:00
Zdenek Pytela
13e15d410c * Fri Jan 13 2023 Zdenek Pytela <zpytela@redhat.com> - 38.5-1
- Allow insights client work with gluster and pcp
- Add insights additional capabilities
- Add interfaces in domain, files, and unconfined modules
- Label fwupdoffline and fwupd-detect-cet with fwupd_exec_t
- Allow sudodomain use sudo.log as a logfile
- Allow pdns server map its library files and bind to unreserved ports
- Allow sysadm_t read/write ipmi devices
- Allow prosody manage its runtime socket files
- Allow kernel threads manage kernel keys
- Allow systemd-userdbd the sys_resource capability
- Allow systemd-journal list cgroup directories
- Allow apcupsd dbus chat with systemd-logind
- Allow nut_domain manage also files and sock_files in /var/run
- Allow winbind-rpcd make a TCP connection to the ldap port
- Label /usr/lib/rpm/rpmdb_migrate with rpmdb_exec_t
- Allow tlp read generic SSL certificates
- Allow systemd-resolved watch tmpfs directories
- Revert "Allow systemd-resolved watch tmpfs directories"
2023-01-13 18:43:38 +01:00
Zdenek Pytela
328d37031b * Mon Dec 19 2022 Zdenek Pytela <zpytela@redhat.com> - 38.4-1
- Allow NetworkManager and wpa_supplicant the bpf capability
- Allow systemd-rfkill the bpf capability
- Allow winbind-rpcd manage samba_share_t files and dirs
- Label /var/lib/httpd/md(/.*)? with httpd_sys_rw_content_t
- Allow gpsd the sys_ptrace userns capability
- Introduce gpsd_tmp_t for sockfiles managed by gpsd_t
- Allow load_policy_t write to unallocated ttys
- Allow ndc read hardware state information
- Allow system mail service read inherited certmonger runtime files
- Add lpr_roles  to system_r roles
- Revert "Allow insights-client run lpr and allow the proper role"
- Allow stalld to read /sys/kernel/security/lockdown file
- Allow keepalived to set resource limits
- Add policy for mptcpd
- Add policy for rshim
- Allow admin users to create user namespaces
- Allow journalctl relabel with var_log_t and syslogd_var_run_t files
- Do not run restorecon /etc/NetworkManager/dispatcher.d in targeted
- Trim changelog so that it starts at F35 time
- Add mptcpd and rshim modules
2022-12-19 16:56:42 +01:00
Zdenek Pytela
be364fec7b Do not run restorecon /etc/NetworkManager/dispatcher.d in targeted
Resolves: rhbz#2093594
2022-12-19 16:37:33 +01:00
Zdenek Pytela
f8cec3d7f5 Trim changelog so that it starts at F35 time
The changelog contains entries from 16 years ago, making the content
unwieldy. With this commit, changelog starts at the time when
F35 package version in rawhide branched off F34.
2022-12-16 12:19:36 +01:00
Zdenek Pytela
6a5242edba Add mptcpd and rshim modules 2022-12-15 11:31:44 +01:00
Zdenek Pytela
5e55a1623d * Wed Dec 14 2022 Zdenek Pytela <zpytela@redhat.com> - 38.3-1
- Allow insights-client dbus chat with various services
- Allow insights-client tcp connect to various ports
- Allow insights-client run lpr and allow the proper role
- Allow insights-client work with pcp and manage user config files
- Allow redis get user names
- Allow kernel threads to use fds from all domains
- Allow systemd-modules-load load kernel modules
- Allow login_userdomain watch systemd-passwd pid dirs
- Allow insights-client dbus chat with abrt
- Grant kernel_t certain permissions in the system class
- Allow systemd-resolved watch tmpfs directories
- Allow systemd-timedated watch init runtime dir
- Make `bootc` be `install_exec_t`
- Allow systemd-coredump create user_namespace
- Allow syslog the setpcap capability
- donaudit virtlogd and dnsmasq execmem
2022-12-14 17:21:00 +01:00
Zdenek Pytela
8263376e4d * Tue Dec 06 2022 Zdenek Pytela <zpytela@redhat.com> - 38.2-1
- Don't make kernel_t an unconfined domain
- Don't allow kernel_t to execute bin_t/usr_t binaries without a transition
- Allow kernel_t to execute systemctl to do a poweroff/reboot
- Grant basic permissions to the domain created by systemd_systemctl_domain()
- Allow kernel_t to request module loading
- Allow kernel_t to do compute_create
- Allow kernel_t to manage perf events
- Grant almost all capabilities to kernel_t
- Allow kernel_t to fully manage all devices
- Revert "In domain_transition_pattern there is no permission allowing caller domain to execu_no_trans on entrypoint, this patch fixing this issue"
- Allow pulseaudio to write to session_dbusd tmp socket files
- Allow systemd and unconfined_domain_type create user_namespace
- Add the user_namespace security class
- Reuse tmpfs_t also for the ramfs filesystem
- Label udf tools with fsadm_exec_t
- Allow networkmanager_dispatcher_plugin work with nscd
- Watch_sb all file type directories.
- Allow spamc read hardware state information files
- Allow sysadm read ipmi devices
- Allow insights client communicate with cupsd, mysqld, openvswitch, redis
- Allow insights client read raw memory devices
- Allow the spamd_update_t domain get generic filesystem attributes
- Dontaudit systemd-gpt-generator the sys_admin capability
- Allow ipsec_t only read tpm devices
- Allow cups-pdf connect to the system log service
- Allow postfix/smtpd read kerberos key table
- Allow syslogd read network sysctls
- Allow cdcc mmap dcc-client-map files
- Add watch and watch_sb dosfs interface
2022-12-06 19:21:23 +01:00
Petr Lautrbach
4f5786b58d Migrate License tag to SPDX
https://fedoraproject.org/wiki/Changes/SPDX_Licenses_Phase_1
2022-11-24 10:22:34 +00:00
Zdenek Pytela
17a6cf70e4 * Mon Nov 21 2022 Zdenek Pytela <zpytela@redhat.com> - 38.1-1
- Revert "Allow sysadm_t read raw memory devices"
- Allow systemd-socket-proxyd get attributes of cgroup filesystems
- Allow rpc.gssd read network sysctls
- Allow winbind-rpcd get attributes of device and pty filesystems
- Allow insights-client domain transition on semanage execution
- Allow insights-client create gluster log dir with a transition
- Allow insights-client manage generic locks
- Allow insights-client unix_read all domain semaphores
- Add domain_unix_read_all_semaphores() interface
- Allow winbind-rpcd use the terminal multiplexor
- Allow mrtg send mails
- Allow systemd-hostnamed dbus chat with init scripts
- Allow sssd dbus chat with system cronjobs
- Add interface to watch all filesystems
- Add watch_sb interfaces
- Add watch interfaces
- Allow dhcpd bpf capability to run bpf programs
- Allow netutils and traceroute bpf capability to run bpf programs
- Allow pkcs_slotd_t bpf capability to run bpf programs
- Allow xdm bpf capability to run bpf programs
- Allow pcscd bpf capability to run bpf programs
- Allow lldpad bpf capability to run bpf programs
- Allow keepalived bpf capability to run bpf programs
- Allow ipsec bpf capability to run bpf programs
- Allow fprintd bpf capability to run bpf programs
- Allow systemd-socket-proxyd get filesystems attributes
- Allow dirsrv_snmp_t to manage dirsrv_config_t & dirsrv_var_run_t files
2022-11-21 17:04:56 +01:00
Zdenek Pytela
5448967b7c * Mon Oct 31 2022 Zdenek Pytela <zpytela@redhat.com> - 37.14-1
- Allow rotatelogs read httpd_log_t symlinks
- Add winbind-rpcd to samba_enable_home_dirs boolean
- Allow system cronjobs dbus chat with setroubleshoot
- Allow setroubleshootd read device sysctls
- Allow virt_domain read device sysctls
- Allow rhcd compute selinux access vector
- Allow insights-client manage samba var dirs
- Label ports 10161-10162 tcp/udp with snmp
- Allow aide to connect to systemd_machined with a unix socket.
- Allow samba-dcerpcd use NSCD services over a unix stream socket
- Allow vlock search the contents of the /dev/pts directory
- Allow insights-client send null signal to rpm and system cronjob
- Label port 15354/tcp and 15354/udp with opendnssec
- Allow ftpd map ftpd_var_run files
- Allow targetclid to manage tmp files
- Allow insights-client connect to postgresql with a unix socket
- Allow insights-client domtrans on unix_chkpwd execution
- Add file context entries for insights-client and rhc
- Allow pulseaudio create gnome content (~/.config)
- Allow login_userdomain dbus chat with rhsmcertd
- Allow sbd the sys_ptrace capability
- Allow ptp4l_t name_bind ptp_event_port_t
2022-10-31 17:59:49 +01:00
Zdenek Pytela
c9f58f0676 * Mon Oct 03 2022 Zdenek Pytela <zpytela@redhat.com> - 37.13-1
- Remove the ipa module
- Allow sss daemons read/write unnamed pipes of cloud-init
- Allow postfix_mailqueue create and use unix dgram sockets
- Allow xdm watch user home directories
- Allow nm-dispatcher ddclient plugin load a kernel module
- Stop ignoring standalone interface files
- Drop cockpit module
- Allow init map its private tmp files
- Allow xenstored change its hard resource limits
- Allow system_mail-t read network sysctls
- Add bgpd sys_chroot capability
2022-10-03 23:24:01 +02:00
Zdenek Pytela
bee780fc8d Remove "ipa = module" from modules-targeted-contrib.conf 2022-10-03 18:02:43 +02:00
Zdenek Pytela
faefd4829c Remove "cockpit = module" from modules-targeted-contrib.conf 2022-09-30 15:08:32 +02:00
Zdenek Pytela
dde90d74a7 * Thu Sep 22 2022 Zdenek Pytela <zpytela@redhat.com> - 37.12-1
- nut-upsd: kernel_read_system_state, fs_getattr_cgroup
- Add numad the ipc_owner capability
- Allow gst-plugin-scanner read virtual memory sysctls
- Allow init read/write inherited user fifo files
- Update dnssec-trigger policy: setsched, module_request
- added policy for systemd-socket-proxyd
- Add the new 'cmd' permission to the 'io_uring' class
- Allow winbind-rpcd read and write its key ring
- Label /run/NetworkManager/no-stub-resolv.conf net_conf_t
- blueman-mechanism can read ~/.local/lib/python*/site-packages directory
- pidof executed by abrt can readlink /proc/*/exe
- Fix typo in comment
- Do not run restorecon /etc/NetworkManager/dispatcher.d in mls and minimum
2022-09-22 22:59:43 +02:00
Zdenek Pytela
0f27d97ff5 Do not run restorecon /etc/NetworkManager/dispatcher.d in mls and minimum 2022-09-21 21:30:53 +02:00
Zdenek Pytela
d02146ba68 * Wed Sep 14 2022 Zdenek Pytela <zpytela@redhat.com> - 37.11-1
- Allow tor get filesystem attributes
- Allow utempter append to login_userdomain stream
- Allow login_userdomain accept a stream connection to XDM
- Allow login_userdomain write to boltd named pipes
- Allow staff_u and user_u users write to bolt pipe
- Allow login_userdomain watch various directories
- Update rhcd policy for executing additional commands 5
- Update rhcd policy for executing additional commands 4
- Allow rhcd create rpm hawkey logs with correct label
- Allow systemd-gpt-auto-generator to check for empty dirs
- Update rhcd policy for executing additional commands 3
- Allow journalctl read rhcd fifo files
- Update insights-client policy for additional commands execution 5
- Allow init remount all file_type filesystems
- Confine insights-client systemd unit
- Update insights-client policy for additional commands execution 4
- Allow pcp pmcd search tracefs and acct_data dirs
- Allow httpd read network sysctls
- Dontaudit domain map permission on directories
- Revert "Allow X userdomains to mmap user_fonts_cache_t dirs"
- Revert "Allow xdm_t domain to mmap /var/lib/gdm/.cache/fontconfig BZ(1725509)"
- Update insights-client policy for additional commands execution 3
- Allow systemd permissions needed for sandboxed services
- Add rhcd module
- Make dependency on rpm-plugin-selinux unordered
2022-09-14 09:14:08 +02:00
Petr Lautrbach
2a4b303a6b Make dependency on rpm-plugin-selinux unordered
And break the dependency loop with rpm-plugin-selinux

From rpm documentation:

    * meta (since rpm >= 4.16)

    Denotes a “meta” dependency, which must not affect transaction
    ordering. Typical use-cases would be meta-packages and sub-package
    cross-dependencies  whose purpose is just to ensure the sub-packages
    stay on common version.

Related: https://bugzilla.redhat.com/show_bug.cgi?id=1851266
2022-09-07 10:38:06 +02:00
Zdenek Pytela
9a58e62d76 * Fri Sep 02 2022 Zdenek Pytela <zpytela@redhat.com> - 37.10-1
- Allow ipsec_t read/write tpm devices
- Allow rhcd execute all executables
- Update rhcd policy for executing additional commands 2
- Update insights-client policy for additional commands execution 2
- Allow sysadm_t read raw memory devices
- Allow chronyd send and receive chronyd/ntp client packets
- Allow ssh client read kerberos homedir config files
- Label /var/log/rhc-worker-playbook with rhcd_var_log_t
- Update insights-client policy (auditctl, gpg, journal)
- Allow system_cronjob_t domtrans to rpm_script_t
- Allow smbd_t process noatsecure permission for winbind_rpcd_t
- Update tor_bind_all_unreserved_ports interface
- Allow chronyd bind UDP sockets to ptp_event ports.
- Allow unconfined and sysadm users transition for /root/.gnupg
- Add gpg_filetrans_admin_home_content() interface
- Update rhcd policy for executing additional commands
- Update insights-client policy for additional commands execution
- Add userdom_view_all_users_keys() interface
- Allow gpg read and write generic pty type
- Allow chronyc read and write generic pty type
- Allow system_dbusd ioctl kernel with a unix stream sockets
- Allow samba-bgqd to read a printer list
- Allow stalld get and set scheduling policy of all domains.
- Allow unconfined_t transition to targetclid_home_t
2022-09-02 14:10:03 +02:00
Zdenek Pytela
5ac843b27b * Thu Aug 11 2022 Zdenek Pytela <zpytela@redhat.com> - 37.9-1
- Allow nm-dispatcher custom plugin dbus chat with nm
- Allow nm-dispatcher sendmail plugin get status of systemd services
- Allow xdm read the kernel key ring
- Allow login_userdomain check status of mount units
- Allow postfix/smtp and postfix/virtual read kerberos key table
- Allow services execute systemd-notify
- Do not allow login_userdomain use sd_notify()
- Allow launch-xenstored read filesystem sysctls
- Allow systemd-modules-load write to /dev/kmsg and send a message to syslogd
- Allow openvswitch fsetid capability
- Allow openvswitch use its private tmpfs files and dirs
- Allow openvswitch search tracefs dirs
- Allow pmdalinux read files on an nfsd filesystem
- Allow winbind-rpcd write to winbind pid files
- Allow networkmanager to signal unconfined process
- Allow systemd_hostnamed label /run/systemd/* as hostnamed_etc_t
- Allow samba-bgqd get a printer list
- fix(init.fc): Fix section description
- Allow fedora-third-party read the passwords file
- Remove permissive domain for rhcd_t
- Allow pmie read network state information and network sysctls
- Revert "Dontaudit domain the fowner capability"
- Allow sysadm_t to run bpftool on the userdomain attribute
- Add the userdom_prog_run_bpf_userdomain() interface
- Allow insights-client rpm named file transitions
- Add /var/tmp/insights-archive to insights_client_filetrans_named_content
2022-08-11 21:24:24 +02:00
Zdenek Pytela
1ccfff1aa1 * Mon Aug 01 2022 Zdenek Pytela <zpytela@redhat.com> - 37.8-1
- Allow sa-update to get init status and start systemd files
- Use insights_client_filetrans_named_content
- Make default file context match with named transitions
- Allow nm-dispatcher tlp plugin send system log messages
- Allow nm-dispatcher tlp plugin create and use unix_dgram_socket
- Add permissions to manage lnk_files into gnome_manage_home_config
- Allow rhsmcertd to read insights config files
- Label /etc/insights-client/machine-id
- fix(devices.fc): Replace single quote in comment to solve parsing issues
- Make NetworkManager_dispatcher_custom_t an unconfined domain
2022-08-01 11:07:08 +02:00
Fedora Release Engineering
666bf02b7f Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild
Signed-off-by: Fedora Release Engineering <releng@fedoraproject.org>
2022-07-23 08:21:08 +00:00
Zdenek Pytela
7ffa63b0f9 * Thu Jul 14 2022 Zdenek Pytela <zpytela@redhat.com> - 37.7-1
- Update winbind_rpcd_t
- Allow some domains use sd_notify()
- Revert "Allow rabbitmq to use systemd notify"
- fix(sedoctool.py): Fix syntax warning: "is not" with a literal
- Allow nm-dispatcher console plugin manage etc files
- Allow networkmanager_dispatcher_plugin list NetworkManager_etc_t dirs
- Allow nm-dispatcher console plugin setfscreate
- Support using systemd-update-helper in rpm scriptlets
- Allow nm-dispatcher winbind plugin read samba config files
- Allow domain use userfaultfd over all domains
- Allow cups-lpd read network sysctls
2022-07-14 21:38:38 +02:00
Zdenek Pytela
730af95045 * Wed Jun 29 2022 Zdenek Pytela <zpytela@redhat.com> - 37.6-1
- Allow stalld set scheduling policy of kernel threads
- Allow targetclid read /var/target files
- Allow targetclid read generic SSL certificates (fixed)
- Allow firewalld read the contents of the sysfs filesystem
- Fix file context pattern for /var/target
- Use insights_client_etc_t in insights_search_config()
- Allow nm-dispatcher ddclient plugin handle systemd services
- Allow nm-dispatcher winbind plugin run smbcontrol
- Allow nm-dispatcher custom plugin create and use unix dgram socket
- Update samba-dcerpcd policy for kerberos usage 2
- Allow keepalived read the contents of the sysfs filesystem
- Allow amandad read network sysctls
- Allow cups-lpd read network sysctls
- Allow kpropd read network sysctls
- Update insights_client_filetrans_named_content()
- Allow rabbitmq to use systemd notify
- Label /var/target with targetd_var_t
- Allow targetclid read generic SSL certificates
- Update rhcd policy
- Allow rhcd search insights configuration directories
- Add the kernel_read_proc_files() interface
- Require policycoreutils >= 3.4-1
- Add a script for enclosing interfaces in ifndef statements
- Disable rpm verification on interface_info
2022-06-29 21:00:49 +02:00
Zdenek Pytela
e0b2bb6894 Require policycoreutils >= 3.4-1
New policycoreutils increased the policydb max version.
2022-06-29 20:48:12 +02:00
Vit Mojzis
5eda2e5e49 Add a script for enclosing interfaces in ifndef statements
Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
2022-06-29 18:34:21 +00:00
Vit Mojzis
193d303b3b Disable rpm verification on interface_info
interface_info is generated by sepolgen-ifgen in %post. Therefore it
should not be verified as part of the package.

Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
2022-06-29 18:00:11 +00:00
Zdenek Pytela
53d2cbdc84 * Wed Jun 22 2022 Zdenek Pytela <zpytela@redhat.com> - 37.5-1
- Allow transition to insights_client named content
- Add the insights_client_filetrans_named_content() interface
- Update policy for insights-client to run additional commands 3
- Allow dhclient manage pid files used by chronyd
- Allow stalld get scheduling policy of kernel threads
- Allow samba-dcerpcd work with sssd
- Allow dlm_controld send a null signal to a cluster daemon
- Allow ksmctl create hardware state information files
- Allow winbind_rpcd_t connect to self over a unix_stream_socket
- Update samba-dcerpcd policy for kerberos usage
- Allow insights-client execute its private memfd: objects
- Update policy for insights-client to run additional commands 2
- Use insights_client_tmp_t instead of insights_client_var_tmp_t
- Change space indentation to tab in insights-client
- Use socket permissions sets in insights-client
- Update policy for insights-client to run additional commands
- Change rpm_setattr_db_files() to use a pattern
- Allow init_t to rw insights_client unnamed pipe
- Add rpm setattr db files macro
- Fix insights client
- Update kernel_read_unix_sysctls() for sysctl_net_unix_t handling
- Allow rabbitmq to access its private memfd: objects
- Update policy for samba-dcerpcd
- Allow stalld setsched and sys_nice
2022-06-22 20:23:04 +02:00
Zdenek Pytela
7104f739ec Run restorecon for nm-dispatcher directory only if it exists
Unconditional execution can make the rpm scriptlet failing:

Running scriptlet: selinux-policy-targeted-36.9-1.fc36.noarch             4/4
/usr/sbin/restorecon: SELinux: Could not get canonical path for /etc/NetworkManager/dispatcher.d restorecon: No such file or directory.
warning: %posttrans(selinux-policy-targeted-36.9-1.fc36.noarch) scriptlet failed, exit status 255

Resolves: rhbz#2082547
2022-06-22 20:23:04 +02:00