Commit Graph

47 Commits

Author SHA1 Message Date
Zdenek Pytela 0853e85626 * Fri Mar 08 2024 Zdenek Pytela <zpytela@redhat.com> - 3.14.3-139
- Allow wdmd read hardware state information
Resolves: RHEL-27507
2024-03-08 19:07:27 +01:00
Zdenek Pytela fe855b4c90 * Fri Mar 08 2024 Zdenek Pytela <zpytela@redhat.com> - 3.14.3-138
- Allow wdmd list the contents of the sysfs directories
Resolves: RHEL-27507
- Allow linuxptp configure phc2sys and chronyd over a unix domain socket
Resolves: RHEL-27394
2024-03-08 10:25:36 +01:00
Zdenek Pytela 66e607f19e * Thu Feb 22 2024 Zdenek Pytela <zpytela@redhat.com> - 3.14.3-137
- Differentiate between staff and sysadm when executing crontab with sudo
Resolves: RHEL-1388
- Allow su domains write login records
Resolves: RHEL-2606
- Revert "Allow su domains write login records"
Resolves: RHEL-2606
- Add crontab_admin_domtrans interface
Resolves: RHEL-1388
- Allow gpg manage rpm cache
Resolves: RHEL-11249
2024-02-22 17:27:43 +01:00
Zdenek Pytela 72be2b6d57 * Thu Feb 15 2024 Zdenek Pytela <zpytela@redhat.com> - 3.14.3-136
- Transition from sudodomains to crontab_t when executing crontab_exec_t
Resolves: RHEL-1388
- Fix label of pseudoterminals created from sudodomain
Resolves: RHEL-1388
- Allow login_userdomain to manage session_dbusd_tmp_t dirs/files
Resolves: RHEL-22500
- Label /dev/ngXnY and /dev/nvme-subsysX with nvme_device_t
Resolves: RHEL-23442
- Allow admin user read/write on fixed_disk_device_t
Resolves: RHEL-23434
- Only allow confined user domains to login locally without unconfined_login
Resolves: RHEL-1628
- Add userdom_spec_domtrans_confined_admin_users interface
Resolves: RHEL-1628
- Only allow admindomain to execute shell via ssh with ssh_sysadm_login
Resolves: RHEL-1628
- Add userdom_spec_domtrans_admin_users interface
Resolves: RHEL-1628
- Move ssh dyntrans to unconfined inside unconfined_login tunable policy
Resolves: RHEL-1628
- Allow utempter_t use ptmx
Resolves: RHEL-25002
- Dontaudit subscription manager setfscreate and read file contexts
Resolves: RHEL-21639
- Don't audit crontab_domain write attempts to user home
Resolves: RHEL-1388
- Add crontab_domtrans interface
Resolves: RHEL-1388
- Add dbus_manage_session_tmp_files interface
Resolves: RHEL-22500
- Allow httpd read network sysctls
Resolves: RHEL-22748
- Allow keepalived_unconfined_script_t dbus chat with init
Resolves: RHEL-22843
2024-02-15 18:25:24 +01:00
Zdenek Pytela 8ab4e101e9 Limit %selinux_requires to version, not release
The %selinux_requires variable is used in packages with their own
selinux policy modules (DSP adopters) as a dependency set to the
selinux-policy package version which was installed at the time of
building the DSP module.

Using "%{version}-%{release}" in the variable can result in a state
where an updated package with a selinux policy module is available,
but selinux-policy is not, e.g. when the other package was released
earlier in an ASYNC update.

This commit cuts the release part out from the %selinux_requires
variable, leaving only version there.
2024-02-14 16:13:03 +01:00
Zdenek Pytela d620ca1705 * Fri Jan 26 2024 Zdenek Pytela <zpytela@redhat.com> - 3.14.3-135
- Label /tmp/libdnf.* with user_tmp_t
Resolves: RHEL-11249
- Allow su domains write login records
Resolves: RHEL-2606
- Allow gpg read rpm cache
Resolves: RHEL-11249
- Allow unix dgram sendto between exim processes
Resolves: RHEL-21903
- Allow hypervkvp_t write access to NetworkManager_etc_rw_t
Resolves: RHEL-17687
- Add interface for write-only access to NetworkManager rw conf
Resolves: RHEL-17687
- Allow conntrackd_t to use sys_admin capability
Resolves: RHEL-22276
2024-01-26 17:47:29 +01:00
Zdenek Pytela a99bd017ea * Fri Jan 12 2024 Zdenek Pytela <zpytela@redhat.com> - 3.14.3-134
- Allow syslog to run unconfined scripts conditionally
Resolves: RHEL-10087
- Allow syslogd_t nnp_transition to syslogd_unconfined_script_t
Resolves: RHEL-10087
- Allow collectd connect to statsd port
Resolves: RHEL-19482
- Allow collectd_t read network state symlinks
Resolves: RHEL-19482
- Allow collectd_t domain to create netlink_generic_socket sockets
Resolves: RHEL-19482
- Allow opafm search nfs directories
Resolves: RHEL-19426
- Allow mdadm list stratisd data directories
Resolves: RHEL-21374
2024-01-12 16:52:31 +01:00
Zdenek Pytela bbcf1324a4 * Wed Dec 13 2023 Zdenek Pytela <zpytela@redhat.com> - 3.14.3-133
- Label /dev/acpi_thermal_rel char device with acpi_device_t
Resolves: RHEL-18027
- Allow sysadm execute traceroute in sysadm_t domain using sudo
Resolves: RHEL-9947
- Allow sysadm execute tcpdump in sysadm_t domain using sudo
Resolves: RHEL-15398
- Add support for syslogd unconfined scripts
Resolves: RHEL-10087
- Label /dev/wmi/dell-smbios as acpi_device_t
Resolves: RHEL-18027
- Make named_zone_t and named_var_run_t a part of the mountpoint attribute
Resolves: RHEL-1954
- Dontaudit rhsmcertd write memory device
Resolves: RHEL-17721
2023-12-13 17:45:32 +01:00
Zdenek Pytela 83b950022b * Tue Nov 28 2023 Zdenek Pytela <zpytela@redhat.com> - 3.14.3-132
- Allow sudodomain read var auth files
Resolves: RHEL-16567
- Update cifs interfaces to include fs_search_auto_mountpoints()
Resolves: RHEL-14072
- Allow systemd-localed create Xserver config dirs
Resolves: RHEL-16715
- Label /var/run/auditd.state as auditd_var_run_t
Resolves: RHEL-14376
- Allow auditd read all domains process state
Resolves: RHEL-14471
- Allow sudo userdomain to run rpm related commands
Resolves: RHEL-1679
- Remove insights_client_watch_lib_dirs() interface
Resolves: RHEL-16185
2023-11-28 16:32:42 +00:00
Milos Malik 5db7d069a4 fix the sequence of script commands
A missing ';' character causes an error when the script lines get
concatenated and executed on a RHEL-8 machine.
2023-11-09 07:00:01 +01:00
Zdenek Pytela e756dec2b1 * Wed Nov 08 2023 Zdenek Pytela <zpytela@redhat.com> - 3.14.3-131
- Additional permissions for ip-vrf
Resolves: RHEL-9981
- Allow ip an explicit domain transition to other domains
Resolves: RHEL-9981
- Allow winbind_rpcd_t processes access when samba_export_all_* is on
Resolves: RHEL-5845
- Allow system_mail_t manage exim spool files and dirs
Resolves: RHEL-14186
2023-11-08 12:13:14 +01:00
Milos Malik 95f948b470 improve the Tier1 test plan
To avoid known failures, do not run the tests which have the
failinfedora tag.
To make more tests work, enable the EPEL repository too.
2023-11-03 20:58:29 +01:00
Lukas Vrabec 1826d51b0d * Wed Oct 04 2023 Lukas Vrabec <lvrabec@redhat.com> - 3.14.3-130
- Label msmtp and msmtpd with sendmail_exec_t
Resolves: RHEL-1678
- Set default file context of HOME_DIR/tmp/.* to <<none>>
Resolves: RHEL-1099
- Improve default file context(None) of /var/lib/authselect/backups
Resolves: RHEL-3539
2023-10-04 13:20:31 +02:00
Lukas Vrabec 728deb0464 * Fri Sep 29 2023 Lukas Vrabec <lvrabec@redhat.com> - 3.14.3-129
- Set default file context of /var/lib/authselect/backups to <<none>>
Resolves: RHEL-3539
- Add file context specification for /usr/libexec/realmd
Resolves: RHEL-2147
- Add numad the ipc_owner capability
Resolves: RHEL-2415
2023-09-29 20:44:20 +02:00
Zdenek Pytela d3c8942890 * Fri Aug 25 2023 Zdenek Pytela <zpytela@redhat.com> - 3.14.3-128
- Allow ssh_agent_type manage generic cache home files
Resolves: rhbz#2177704
- Add chromium_sandbox_t setcap capability
Resolves: rhbz#2221573
2023-08-25 14:02:35 +02:00
Zdenek Pytela ef4e39e85f * Thu Aug 17 2023 Zdenek Pytela <zpytela@redhat.com> - 3.14.3-127
- Allow cloud_init create dhclient var files and init_t manage net_conf_t 3
Resolves: rhbz#2229726
2023-08-17 13:47:08 +02:00
Zdenek Pytela 29d572116d * Fri Aug 11 2023 Zdenek Pytela <zpytela@redhat.com> - 3.14.3-126
- Allow cloud_init create dhclient var files and init_t manage net_conf_t 1/2
Resolves: rhbz#2229726
- Label /usr/libexec/openssh/ssh-pkcs11-helper with ssh_agent_exec_t
Resolves: rhbz#2177704
- Allow cloud_init create dhclient var files and init_t manage net_conf_t 2/2
Resolves: rhbz#2229726
- Make insights_client_t an unconfined domain
Resolves: rhbz#2225527
- Allow insights-client create all rpm logs with a correct label
Resolves: rhbz#2229559
- Allow insights-client manage generic logs
Resolves: rhbz#2229559
2023-08-11 20:39:42 +02:00
Zdenek Pytela 1b1eb8edb4 * Fri Aug 04 2023 Zdenek Pytela <zpytela@redhat.com> - 3.14.3-125
- Allow user_u and staff_u get attributes of non-security dirs
Resolves: rhbz#2216151
- Allow unconfined user filetrans chrome_sandbox_home_t 1/2
Resolves: rhbz#2221573
- Allow unconfined user filetrans chrome_sandbox_home_t 2/2
Resolves: rhbz#2221573
- Allow insights-client execmem
Resolves: rhbz#2225233
- Allow svnserve execute postdrop with a transition
Resolves: rhbz#2004843
- Do not make postfix_postdrop_t type an MTA executable file
Resolves: rhbz#2004843
- Allow samba-dcerpc service manage samba tmp files
Resolves: rhbz#2210771
- Update samba-dcerpc policy for printing
Resolves: rhbz#2210771
2023-08-04 16:16:26 +02:00
Zdenek Pytela edd3ad31f7 * Thu Jul 20 2023 Zdenek Pytela <zpytela@redhat.com> - 3.14.3-124
- Add the files_getattr_non_auth_dirs() interface
Resolves: rhbz#2076937
- Update policy for the sblim-sfcb service
Resolves: rhbz#2076937
- Dontaudit sfcbd sys_ptrace cap_userns
Resolves: rhbz#2076937
- Label /usr/sbin/sos with sosreport_exec_t
Resolves: rhbz#2167731
- Allow sa-update manage spamc home files
Resolves: rhbz#2222200
- Allow sa-update connect to systemlog services
Resolves: rhbz#2222200
- Label /usr/lib/systemd/system/mimedefang.service with antivirus_unit_file_t
Resolves: rhbz#2222200
2023-07-20 17:52:48 +02:00
Zdenek Pytela 01e007e93d Exclude container-selinux manpage from selinux-policy-doc
The container_selinux.8 manpage is a part of the upstream
container-selinux package and it should rather be a part
of container-selinux.

Resolves: rhbz#2218362
2023-06-29 12:38:57 +02:00
Zdenek Pytela 23e1dd29b9 * Thu Jun 29 2023 Zdenek Pytela <zpytela@redhat.com> - 3.14.3-123
- Label only /usr/sbin/ripd and ripngd with zebra_exec_t
Resolves: rhbz#2213606
- Allow httpd tcp connect to redis port conditionally
Resolves: rhbz#2213965
- Exclude container-selinux manpage from selinux-policy-doc
Resolves: rhbz#2218362
2023-06-29 12:37:59 +02:00
Nikola Knazekova 289f477398 * Thu Jun 15 2023 Nikola Knazekova <nknazeko@redhat.com> - 3.14.3-122
- Update cyrus_stream_connect() to use sockets in /run
Resolves: rhbz#2165752
- Allow insights-client map generic log files
Resolves: rhbz#2214572
- Allow insights-client work with pipe and socket tmp files
Resolves: rhbz#2207819
- Allow insights-client getsession process permission
Resolves: rhbz#2207819
- Allow keepalived to manage its tmp files
Resolves: rhbz#2179335
2023-06-15 22:06:42 +02:00
Zdenek Pytela 534ee173e7 * Thu May 25 2023 Zdenek Pytela <zpytela@redhat.com> - 3.14.3-121
- Update pkcsslotd policy for sandboxing 2/2
Resolves: rhbz#2208162
- Update pkcsslotd policy for sandboxing 1/2
Resolves: rhbz#2208162
- Allow abrt_t read kernel persistent storage files
Resolves: rhbz#2207914
- Add allow rules for lttng-sessiond domain
Resolves: rhbz#2203509
- Allow rpcd_lsad setcap and use generic ptys
Resolves: rhbz#2107106
- Allow samba-dcerpcd connect to systemd_machined over a unix socket
Resolves: rhbz#2107106
- Dontaudit targetd search httpd config dirs
Resolves: rhbz#2203720
2023-05-25 21:29:12 +02:00
Zdenek Pytela fc4cf3fb79 * Thu May 11 2023 Zdenek Pytela <zpytela@redhat.com> - 3.14.3-120
- Allow unconfined service inherit signal state from init
Resolves: rhbz#2177254
- Allow systemd-pstore delete kernel persistent storage files
Resolves: rhbz#2181558
- Add fs_delete_pstore_files() interface
Resolves: rhbz#2181558
- Allow certmonger manage cluster library files
Resolves: rhbz#2177836
- Allow samba-rpcd work with passwords
Resolves: rhbz#2107106
- Allow snmpd read raw disk data
Resolves: rhbz#2160000
- Allow cluster_t dbus chat with various services
Resolves: rhbz#2196524
2023-05-11 19:40:42 +02:00
Zdenek Pytela b48de44518 * Fri Apr 21 2023 Zdenek Pytela <zpytela@redhat.com> - 3.14.3-119
- Add unconfined_server_read_semaphores() interface
Resolves: rhbz#2183351
- Allow systemd-pstore read kernel persistent storage files
Resolves: rhbz#2181558
- Add fs_read_pstore_files() interface
Resolves: rhbz#2181558
- Allow insights-client work with teamdctl
Resolves: rhbz#2185158
- Allow insights-client read unconfined service semaphores
Resolves: rhbz#2183351
- Allow insights-client get quotas of all filesystems
Resolves: rhbz#2183351
2023-04-21 17:08:40 +02:00
Zdenek Pytela 009a32345a * Thu Apr 13 2023 Zdenek Pytela <zpytela@redhat.com> - 3.14.3-118
- Allow login_pgm setcap permission
Resolves: rhbz#2172541
- Label /run/fsck with fsadm_var_run_t
Resolves: rhbz#2184348
- Add boolean qemu-ga to run unconfined script
Resolves: rhbz#2028762
- Allow dovecot-deliver write to the main process runtime fifo files
Resolves: rhbz#2170495
- Allow certmonger dbus chat with the cron system domain
Resolves: rhbz#2173289
- Allow insights-client read all sysctls
Resolves: rhbz#2177607
2023-04-14 09:54:39 +02:00
Zdenek Pytela c38b24eb7c Synchronize the repo content with the previous state
After the automated creation of the c8s branch, not all files tracked
previously in dist-git were added to the repository. This commit adds
all required files and also makes necessary changes.

Related: rhbz#2093355
2023-04-13 21:02:31 +02:00
Troy Dawson 79f7948acd Bring gating.yaml over from Brew dist-git
Signed-off-by: Troy Dawson <tdawson@redhat.com>
2023-03-10 11:25:41 -08:00
James Antill 9db2d9539c Import rpm: c8s 2023-02-27 15:25:04 -05:00
CentOS Sources 7d8f8c5a54 Auto sync2gitlab import of selinux-policy-3.14.3-117.el8.src.rpm 2023-02-18 02:11:46 +00:00
CentOS Sources 88f724ac2c Auto sync2gitlab import of selinux-policy-3.14.3-115.el8.src.rpm 2023-01-28 08:08:34 +00:00
CentOS Sources 3db2fd1ef3 Auto sync2gitlab import of selinux-policy-3.14.3-114.el8.src.rpm 2023-01-14 10:10:16 +00:00
CentOS Sources 738125b00d Auto sync2gitlab import of selinux-policy-3.14.3-113.el8.src.rpm 2022-12-19 16:09:18 +00:00
CentOS Sources f7adb29799 Auto sync2gitlab import of selinux-policy-3.14.3-112.el8.src.rpm 2022-12-04 06:09:15 +00:00
CentOS Sources e408680df8 Auto sync2gitlab import of selinux-policy-3.14.3-111.el8.src.rpm 2022-11-22 18:09:09 +00:00
CentOS Sources bac7993408 Auto sync2gitlab import of selinux-policy-3.14.3-110.el8.src.rpm 2022-10-26 10:09:34 +00:00
CentOS Sources f244f04ef7 Auto sync2gitlab import of selinux-policy-3.14.3-109.el8.src.rpm 2022-10-15 20:11:40 +00:00
CentOS Sources 28b22b85f1 Auto sync2gitlab import of selinux-policy-3.14.3-108.el8.src.rpm 2022-09-09 12:09:46 +00:00
CentOS Sources 28da52cae8 Auto sync2gitlab import of selinux-policy-3.14.3-107.el8.src.rpm 2022-08-27 14:20:01 +00:00
CentOS Sources 020b5dcec8 Auto sync2gitlab import of selinux-policy-3.14.3-106.el8.src.rpm 2022-08-16 02:10:51 +00:00
CentOS Sources 6ef9bd966b Auto sync2gitlab import of selinux-policy-3.14.3-105.el8.src.rpm 2022-08-02 22:11:21 +00:00
CentOS Sources 66163acd0f Auto sync2gitlab import of selinux-policy-3.14.3-104.el8.src.rpm 2022-07-02 00:14:29 +00:00
CentOS Sources 09418e83d2 Auto sync2gitlab import of selinux-policy-3.14.3-100.el8.src.rpm 2022-06-11 10:09:54 +00:00
James Antill 291ee391b8 Auto sync2gitlab import of selinux-policy-3.14.3-99.el8.src.rpm 2022-06-07 00:01:12 -04:00
James Antill bbc61bc528 Auto sync2gitlab import of selinux-policy-3.14.3-98.el8.src.rpm 2022-05-31 15:00:30 -04:00
James Antill 70d901a9e4 Auto sync2gitlab import of selinux-policy-3.14.3-95.el8.src.rpm 2022-05-26 14:23:57 -04:00
James Antill d550681291 Initial c8s branch. 2022-05-26 14:23:53 -04:00