Commit Graph

1659 Commits

Author SHA1 Message Date
Lukas Vrabec
5d2c760e35 * Tue Oct 20 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-155
- Build including docker selinux interfaces.
2015-10-20 16:28:15 +02:00
Lukas Vrabec
fadb0d2542 docker policy files support 2015-10-20 16:26:28 +02:00
Lukas Vrabec
0bdc2482e7 * Tue Oct 20 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-154
- Allow winbindd to send signull to kernel. BZ(#1269193)
- Merge branch 'rawhide-contrib-chrony' into rawhide-contrib
- Fixes for chrony version 2.2 BZ(#1259636)
  * Allow chrony chown capability
  * Allow sendto dgram_sockets to itself and to unconfined_t domains.
- Merge branch 'rawhide-contrib-chrony' into rawhide-contrib
- Add boolean allowing mysqld to connect to http port. #1262125
- Merge pull request #52 from 1dot75cm/rawhide-base
- Allow systemd_hostnamed to read xenfs_t files. BZ(#1233877)
- Fix attribute in corenetwork.if.in
2015-10-20 15:11:36 +02:00
Lukas Vrabec
2bd687c904 * Tue Oct 13 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-153
- Allow abrt_t to read sysctl_net_t files. BZ(#1194280)
- Merge branch 'rawhide-contrib' of github.com:fedora-selinux/selinux-policy into rawhide-contrib
- Add abrt_stub interface.
- Add support for new mock location - /usr/libexec/mock/mock. BZ(#1270972)
- Allow usbmuxd to access /run/udev/data/+usb:*. BZ(#1269633)
- Allow qemu-bridge-helper to read /dev/random and /dev/urandom. BZ(#1267217)
- Allow sssd_t to manage samba var files/dirs to SSSD's GPO support which is enabled against an Active Directory domain. BZ(#1225200).
- Add samba_manage_var_dirs() interface.
- Allow pcp_pmlogger to exec bin_t BZ(#1258698)
- Allow spamd to read system network state. BZ(1260234)
- Allow fcoemon to create netlink scsitransport sockets BZ(#1260882)
- Allow networkmanager to create networkmanager_var_lib_t files. BZ(1270201)
- Allow systemd-networkd to read XEN state for Xen hypervisor. BZ(#1269916)
- Add fs_read_xenfs_files() interface.
- Allow systemd_machined_t to send dbus msgs to all users and read/write /dev/ptmx to make 'machinectl shell' working correctly.
- Allow systemd running as init_t to override the default context for key creation. BZ(#1267850)
2015-10-13 18:34:04 +02:00
Lukas Vrabec
a6a2539c66 * Thu Oct 08 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-152
- Allow pcp_pmlogger to read system state. BZ(1258699)
- Allow cupsd to connect on socket. BZ(1258089)
- Allow named to bind on ephemeral ports. BZ(#1259766)
- Allow iscsid create netlink iscsid sockets.
- We need allow connect to xserver for all sandbox_x domain because we have one type for all sandbox processes.
- Allow NetworkManager_t and policykit_t read access to systemd-machined pid files. #1255305
- Add missing labeling for /usr/libexec/abrt-hook-ccpp as a part of #1245477 and #1242467 bugs.
- Allow search dirs in sysfs types in kernel_read_security_state.
- Fix kernel_read_security_state interface that source domain of this interface can search sysctl_fs_t dirs.
2015-10-08 15:52:24 +02:00
Lukas Vrabec
0927e3f742 * Fri Oct 02 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-151
- Update modules_filetrans_named_content() to make sure we don't get modules_dep labeling by filename transitions.
- Remove /usr/lib/modules/[^/]+/modules\..+ labeling
- Add modutils_read_module_deps_files() which is called from files_read_kernel_modules() for module deps which are still labeled as modules_dep_t.
- Remove modules_dep_t labeling for kernel module deps. depmod is a symlink to kmod which is labeled as insmod_exec_t which handles modules_object_t and there is no transition to modules_dep_t. Also some of these module deps are placed by cpio during install/update of kernel package.
2015-10-02 19:11:32 +02:00
Lukas Vrabec
61514837cc * Fri Oct 02 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-150
- Allow acpid to attempt to connect to the Linux kernel via generic netlink socket.
- Clean up pkcs11proxyd policy.
- We need to require sandbox_web_type attribute in sandbox_x_domain_template().
- Revert "depmod is a symlink to insmod so it runs as insmod_t. It causes that dep kernel modules files are not created with the correct labeling modules_dep_t. This fix adds filenamtrans rules for insmod_t."
- depmod is a symlink to insmod so it runs as insmod_t. It causes that dep kernel modules files are not created with the correct labeling modules_dep_t. This fix adds filenamtrans rules for insmod_t.
- Update files_read_kernel_modules() to contain modutils_read_module_deps() calling because module deps labeling has been updated and it allows to avoid regressions.
- Update modules_filetrans_named_content() interface to cover more modules.* files.
- New policy for systemd-machined. #1255305
- In Rawhide/F24, we added pam_selinux.so support for systemd-users to have user sessions running under correct SELinux labeling. It also supports another new feature with systemd+dbus and we have sessions dbuses running with the correct labeling - unconfined_dbus_t for example.
- Allow systemd-logind read access to efivarfs - Linux Kernel configuration options for UEFI systems (UEFI Runtime Variables). #1244973, #1267207 (partial solution)
- Merge pull request #42 from vmojzis/rawhide-base
- Add interface to allow reading files in efivarfs - contains Linux Kernel configuration options for UEFI systems (UEFI Runtime Variables)
2015-10-02 13:49:11 +02:00
Lukas Vrabec
b03747cd87 * Tue Sep 29 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-149
- Add few rules related to new policy for pkcs11proxyd
- Added new policy for pkcs11proxyd daemon
- We need to require sandbox_web_type attribute in sandbox_x_domain_template().
- Dontaudit abrt_t to rw lvm_lock_t dir.
- Allow abrt_d domain to write to kernel msg device.
- Add interface lvm_dontaudit_rw_lock_dir()
- Merge pull request #35 from lkundrak/lr-libreswan
2015-09-29 18:17:13 +02:00
Lukas Vrabec
ec0c1bc01e * Tue Sep 22 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-148
- Update config.tgz to reflect changes in default context for SELinux users related to pam_selinux.so which is now used in systemd-users.
- Added support for permissive domains
- Allow rpcbind_t domain to change file owner and group
- rpm-ostree has a daemon mode now and need to speak to polkit/logind for authorization. BZ(#1264988)
- Allow dnssec-trigger to send generic signal to Network-Manager. BZ(#1242578)
- Allow smbcontrol to create a socket in /var/samba which uses for a communication with smbd, nmbd and winbind.
- Revert "Add apache_read_pid_files() interface"
- Allow dirsrv-admin read httpd pid files.
- Add apache_read_pid_files() interface
- Add label for dirsrv-admin unit file.
- Allow qpid daemon to connect on amqp tcp port.
- Allow dirsrvadmin-script read /etc/passwd file Allow dirsrvadmin-script exec systemctl
- Add labels for afs binaries: dafileserver, davolserver, salvageserver, dasalvager
- Add lsmd_plugin_t sys_admin capability, Allow lsmd_plugin_t getattr from sysfs filesystem.
- Allow rhsmcertd_t send signull to unconfined_service_t domains.
- Revert "Allow pcp to read docker lib files."
- Label /usr/libexec/dbus-1/dbus-daemon-launch-helper  as dbusd_exec_t to have systemd dbus services running in the correct domain instead of unconfined_service_t if unconfined.pp module is enabled. BZ(#1262993)
- Allow pcp to read docker lib files.
- Revert "init_t needs to be login_pgm domain because of systemd-users + pam_selinux.so"
- Add login_userdomain attribute also for unconfined_t.
- Add userdom_login_userdomain() interface.
- Label /etc/ipa/nssdb dir as cert_t
- init_t needs to be login_pgm domain because of systemd-users + pam_selinux.so
- Add interface unconfined_server_signull() to allow domains send signull to unconfined_service_t
- Call userdom_transition_login_userdomain() instead of userdom_transition() in init.te related to pam_selinux.so+systemd-users.
- Add userdom_transition_login_userdomain() interface
- Allow user domains with login_userdomain to have entrypoint access on init_exec. It is needed by pam_selinux.so call in systemd-users. BZ(#1263350)
- Add init_entrypoint_exec() interface.
- Allow init_t to have transition allow rule for userdomain if pam_selinux.so is used in /etc/pam.d/systemd-user. It ensures that systemd user sessions will run with correct userdomain types instead of init_t. BZ(#1263350)
2015-09-22 18:00:08 +02:00
Lukas Vrabec
7c8404da3f Added support for permissive domains 2015-09-22 14:28:30 +02:00
Lukas Vrabec
2818673721 * Mon Sep 14 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-147
- named wants to access /proc/sys/net/ipv4/ip_local_port_range to get ehphemeral range. BZ(#1260272)
- Allow user screen domains to list directorires in HOMEDIR wit user_home_t labeling.
- Dontaudit fenced search gnome config
- Allow teamd running as NetworkManager_t to access netlink_generic_socket to allow multiple network interfaces to be teamed together. BZ(#1259180)
- Fix for watchdog_unconfined_exec_read_lnk_files, Add also dir search perms in watchdog_unconfined_exec_t.
- Sanlock policy update. #1255307   - New sub-domain for sanlk-reset daemon
- Fix labeling for fence_scsi_check script
- Allow openhpid to read system state Aloow openhpid to connect to tcp http port.
- Allow openhpid to read snmp var lib files.
- Allow openvswitch_t domains read kernel dependencies due to openvswitch run modprobe
- Fix regexp in chronyd.fc file
- systemd-logind needs to be able to act with /usr/lib/systemd/system/poweroff.target to allow shutdown system. BZ(#1260175)
- Allow systemd-udevd to access netlink_route_socket to change names for network interfaces without unconfined.pp module. It affects also MLS.
- Allow unconfined_t domains to create /var/run/xtables.lock with iptables_var_run_t
- Remove bin_t label for /usr/share/cluster/fence_scsi_check\.pl
2015-09-14 09:29:16 +02:00
Lukas Vrabec
73a6a99de0 Add files homedir_template and users_extra to selinux-policy-* packages. 2015-09-09 10:23:56 +02:00
Lukas Vrabec
f1ab24fa93 * Tue Sep 01 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-146
- Allow passenger to getattr filesystem xattr
- Revert "Allow pegasus_openlmi_storage_t create mdadm.conf.anacbak file in /etc."
- Label mdadm.conf.anackbak as mdadm_conf_t file.
- Allow dnssec-ttrigger to relabel net_conf_t files. BZ(1251765)
- Allow dnssec-trigger to exec pidof. BZ(#1256737)
- Allow blueman to create own tmp files in /tmp. (#1234647)
- Add new audit_read access vector in capability2 class
- Add "binder" security class and access vectors
- Update netlink socket classes.
- Allow getty to read network state. BZ(#1255177)
- Remove labeling for /var/db/.*\.db as etc_t to label db files as system_db_t.
2015-09-01 18:25:49 +02:00
Lukas Vrabec
0d70340b72 * Sun Aug 30 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-145
- Allow watchdog execute fenced python script.
- Added inferface watchdog_unconfined_exec_read_lnk_files()
- Allow pmweb daemon to exec shell. BZ(1256127)
- Allow pmweb daemon to read system state. BZ(#1256128)
- Add file transition that cermonger can create /run/ipa/renewal.lock with label ipa_var_run_t.
- Revert "Revert default_range change in targeted policy"
- Allow dhcpc_t domain transition to chronyd_t
2015-08-30 23:03:47 +02:00
Lukas Vrabec
96de5661d2 * Mon Aug 24 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-144
- Allow pmlogger to create pmlogger.primary.socket link file. BZ(1254080)
- Allow NetworkManager send sigkill to dnssec-trigger. BZ(1251764)
- Add interface dnssec_trigger_sigkill
- Allow smsd use usb ttys. BZ(#1250536)
- Fix postfix_spool_maildrop_t,postfix_spool_flush_t contexts in postfix.fc file.
- Revert default_range change in targeted policy
- Allow systemd-sysctl cap. sys_ptrace  BZ(1253926)
2015-08-24 11:25:02 +02:00
Miroslav Grepl
f5f6812fa4 - Add ipmievd policy creaed by vmojzis@redhat.com
- Call kernel_load_module(vmware_host_t) to satisfy neverallow assertion for sys_moudle in MLS where unconfined is disabled.
- Allow NetworkManager to write audit log messages
- Add new policy for ipmievd (ipmitool).
- mirrormanager needs to be application domain and cron_system_entry needs to be called in optional block.
- Allow sandbox domain to be also /dev/mem writer
- Fix neverallow assertion for sys_module capability for openvswitch.
- kernel_load_module() needs to be called out of boolean for svirt_lxc_net_t.
- Fix neverallow assertion for sys_module capability.
- Add more attributes for sandbox domains to avoid neverallow assertion issues.
- Add neverallow asserition fixes related to storage.
- Allow exec pidof under hypervkvp domain. Allow hypervkvp daemon create connection to the system DBUS
- Allow openhpid_t to read system state.
- Add temporary fixes for sandbox related to #1103622. It allows to run everything under one sandbox type.
- Added labels for files provided by rh-nginx18 collection
- Dontaudit block_suspend capability for ipa_helper_t, this is kernel bug. Allow ipa_helper_t capability net_admin. Allow ipa_helper_t to list /tmp. Allow ipa_helper_t to read rpm db.
- Allow rhsmcertd exec rhsmcertd_var_run_t files and rhsmcerd_tmp_t files. This rules are in hide_broken_sympthons until we find better solution.
- Update files_manage_all_files to contain auth_reader_shadow and auth_writer_shadow tosatisfy neverallow assertions.
- Update files_relabel_all_files() interface to contain auth_relabelto_shadow() interface to satisfy neverallow assertion.
- seunshare domains needs to have set_curr_context attribute to resolve neverallow assertion issues.
- Add dev_raw_memory_writer() interface
- Add auth_reader_shadow() and auth_writer_shadow() interfaces
- Add dev_raw_memory_reader() interface.
- Add storage_rw_inherited_scsi_generic() interface.
- Update files_relabel_non_auth_files() to contain seutil_relabelto_bin_policy() to make neverallow assertion working.
- Update kernel_read_all_proc() interface to contain can_dump_kernel and can_receive_kernel_messages attributes  to fix neverallow violated issue for proc_kcore_t and proc_kmsg_t.
- Update storage_rw_inherited_fixed_disk_dev() interface to use proper attributes to fix neverallow violated issues caused by neverallow check during build process.
2015-08-21 10:11:52 +02:00
Miroslav Grepl
4d097300f6 We should be able to do builds with neverallow check with new 2.4 userspace and fix the latest policy fixes. 2015-08-20 18:17:21 +02:00
Lukas Vrabec
1ba0a986f6 * Tue Aug 18 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-142
- Allow samba_net_t to manage samba_var_t sock files.
- Allow httpd daemon to manage httpd_var_lib_t lnk_files.
- Allow collectd stream connect to pdns.(BZ #1191044)
- Add interface pdns_stream_connect()
- Merge branch 'rawhide-contrib' of github.com:fedora-selinux/selinux-policy into rawhide-contrib
- Allow chronyd exec systemctl
- Merge pull request #30 from vmojzis/rawhide-contrib
- Hsqldb policy upgrade -Allow sock_file management
- Add inteface chronyd_signal Allow timemaster_t send generic signals to chronyd_t.
- Hsqldb policy upgrade.  -Disallow hsqldb_tmp_t link_file management
- Hsqldb policy upgrade:  -Remove tmp link_file transition  -Add policy summary  -Remove redundant parameter for "hsqldb_admin" interface
- Label /var/run/chrony-helper dir as chronyd_var_run_t.
- Allow lldpad_t to getattr tmpfs_t. Label /dev/shm/lldpad.* as lldapd_tmpfs_t
- Fix label on /var/tmp/kiprop_0
- Add mountpoint dontaudit access check in rhsmcertd policy.
- Allow pcp_domain to manage pcp_var_lib_t lnk_files.
- Allow chronyd to execute mkdir command.
- Allow chronyd_t to read dhcpc state.
- Label /usr/libexec/chrony-helper as chronyd_exec_t
- Allow openhpid liboa_soap plugin to read resolv.conf file.
- Allow openhpid liboa_soap plugin to read generic certs.
- Allow openhpid use libwatchdog plugin. (Allow openhpid_t rw watchdog device)
- Allow logrotate to reload services.
- Allow apcupsd_t to read /sys/devices
- Allow kpropd to connect to kropd tcp port.
- Allow systemd_networkd to send logs to syslog.
- Added interface fs_dontaudit_write_configfs_dirs
- Allow audisp client to read system state.
- Label /var/run/xtables.lock as iptables_var_run_t.
-  Add labels for /dev/memory_bandwith and /dev/vhci. Thanks ssekidde
- Add interface to read/write watchdog device.
- Add transition rule for iptables_var_lib_t
2015-08-18 10:39:06 +02:00
Lukas Vrabec
28b73b2eef * Mon Aug 10 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-141
- Allow chronyd to execute mkdir command.
- Allow chronyd_t to read dhcpc state.
- Label /usr/libexec/chrony-helper as chronyd_exec_t
- Allow openhpid liboa_soap plugin to read resolv.conf file.
- Allow openhpid liboa_soap plugin to read generic certs.
- Allow openhpid use libwatchdog plugin. (Allow openhpid_t rw watchdog device)
- Allow logrotate to reload services.
- Allow apcupsd_t to read /sys/devices
- Allow kpropd to connect to kropd tcp port.
- Allow lsmd also setuid capability. Some commands need to executed under root privs. Other commands are executed under unprivileged user.
- Allow snapperd to pass data (one way only) via pipe negotiated over dbus.
- Add snapper_read_inherited_pipe() interface.
- Add missing ";" in kerberos.te
- Add support for /var/lib/kdcproxy and label it as krb5kdc_var_lib_t. It needs to be accessible by useradd_t.
- Add support for /etc/sanlock which is writable by sanlock daemon.
- Allow mdadm to access /dev/random and add support to create own files/dirs as mdadm_tmpfs_t.
-  Add labels for /dev/memory_bandwith and /dev/vhci. Thanks ssekidde
- Add interface to read/write watchdog device.
- Add transition rule for iptables_var_lib_t
- Allow useradd add homedir located in /var/lib/kdcproxy in ipa-server RPM scriplet.
- Revert "Allow grubby to manage and create /run/blkid with correct labeling"
- Allow grubby to manage and create /run/blkid with correct labeling
- Add fstools_filetrans_named_content_fsadm() and call it for named_filetrans_domain domains. We need to be sure that /run/blkid is created with correct labeling.
- arping running as netutils_t needs to access /etc/ld.so.cache in MLS.
- Allow sysadm to execute systemd-sysctl in the sysadm_t domain. It is needed for ifup command in MLS mode.
- Add systemd_exec_sysctl() and systemd_domtrans_sysctl() interfaces.
- Allow udev, lvm and fsadm to access systemd-cat in /var/tmp/dracut if 'dracut -fv' is executed in MLS.
- Allow admin SELinu users to communicate with kernel_t. It is needed to access /run/systemd/journal/stdout if 'dracut -vf' is executed. We allow it for other SELinux users.
- depmod runs as insmod_t and it needs to manage user tmp files which was allowed for depmod_t. It is needed by dracut command for SELinux restrictive policy (confined users, MLS).
2015-08-10 18:38:57 +02:00
Miroslav Grepl
d8af5a753a - firewalld needs to relabel own config files. BZ(#1250537)
- Allow rhsmcertd to send signull to unconfined_service
- Allow lsm_plugin_t to rw raw_fixed_disk.
- Allow lsm_plugin_t to read sysfs, read hwdata, rw to scsi_generic_device
- Allow openhpid to use libsnmp_bc plugin (allow read snmp lib files).
2015-08-05 16:03:40 +02:00
Lukas Vrabec
f35d9026d6 * Tue Aug 04 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-139
- Add header for sslh.if file
- Fix sslh_admin() interface
- Clean up sslh.if
- Fix typo in pdns.if
- Allow qpid to create lnk_files in qpid_var_lib_t.
- Allow httpd_suexec_t to read and write Apache stream sockets
- Merge pull request #21 from hogarthj/rawhide-contrib
- Allow virt_qemu_ga_t domtrans to passwd_t.
- use read and manage files_patterns and the description for the admin interface
- Merge pull request #17 from rubenk/pdns-policy
- Allow redis to read kernel parameters.
- Label /etc/rt dir as httpd_sys_rw_content_t BZ(#1185500)
- Allow hostapd to manage sock file in /va/run/hostapd Add fsetid cap. for hostapd Add net_raw cap. for hostpad BZ(#1237343)
- Allow bumblebee to seng kill signal to xserver
- glusterd call pcs utility which calls find for cib.* files and runs pstree under glusterd. Dontaudit access to security files and update gluster boolean to reflect these changes.
- Allow drbd to get attributes from filesystems.
- Allow drbd to read configuration options used when loading modules.
- fix the description for the write config files, add systemd administration support and fix a missing gen_require in the admin interface
- Added Booleans: pcp_read_generic_logs.
- Allow pcp_pmcd daemon to read postfix config files. Allow pcp_pmcd daemon to search postfix spool dirs.
- Allow glusterd to communicate with cluster domains over stream socket.
- fix copy paste error with writing the admin interface
- fix up the regex in sslh.fc, add sslh_admin() interface
- adding selinux policy files for sslh
- Remove diplicate sftpd_write_ssh_home boolean rule.
- Revert "Allow smbd_t and nmbd_t to manage winbind_var_run_t files/socktes/dirs."
- gnome_dontaudit_search_config() needs to be a part of optinal_policy in pegasus.te
- Allow glusterd to manage nfsd and rpcd services.
- Add kdbus.pp policy to allow access /sys/fs/kdbus. It needs to go with own module because this is workaround for now to avoid SELinux in enforcing mode.
- kdbusfs should not be accessible for now by default for shipped policies. It should be moved to kdbus.pp
- kdbusfs should not be accessible for now.
- Add support for /sys/fs/kdbus and allow login_pgm domain to access it.
- Allow sysadm to administrate ldap environment and allow to bind ldap port to allow to setup an LDAP server (389ds).
- Label /usr/sbin/chpasswd as passwd_exec_t.
- Allow audisp_remote_t to read/write user domain pty.
- Allow audisp_remote_t to start power unit files domain to allow halt system.
2015-08-04 01:19:35 +02:00
Lukas Vrabec
c6320132cb Remove old trigger selinux-policy-targeted-3.12.1-75 for relabeling home. 2015-08-04 00:27:26 +02:00
Lukas Vrabec
ceff8ba54e Fix for Replace generating man/html pages with pages from actual build. This is due to broken userspace with python3 in F23/Rawhide. Please Revert when userspace will be fixed. 2015-08-04 00:25:37 +02:00
Lukas Vrabec
ae80a5c1a5 Replace generating man/html pages with pages from actual build. This is due to broken userspace with python3 in F23/Rawhide. Please Revert when userspace will be fixed. 2015-08-03 17:10:54 +02:00
Lukas Vrabec
d6fa2521fb Move man pages from selinux-policy-devel to selinux-policy-doc 2015-07-24 11:27:15 +02:00
Lukas Vrabec
e5e6b1ee54 * Mon Jul 20 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-138
- Add fixes for selinux-policy packages to reflect the latest changes related to policy module store migration.
- Prepare selinux-policy package for SELinux store migration
- gnome_dontaudit_search_config() needs to be a part of optinal_policy in pegasus.te
- Allow glusterd to manage nfsd and rpcd services.
- Allow smbd_t and nmbd_t to manage winbind_var_run_t files/socktes/dirs.
- Add samba_manage_winbind_pid() interface
- Allow networkmanager to  communicate via dbus with systemd_hostanmed.
- Allow stream connect logrotate to prosody.
- Add prosody_stream_connect() interface.
-  httpd should be able to send signal/signull to httpd_suexec_t, instead of httpd_suexec_exec_t.
- Allow prosody to create own tmp files/dirs.
- Allow keepalived request kernel load module
- kadmind should not read generic files in /usr
- Allow kadmind_t access to /etc/krb5.keytab
- Add more fixes to kerberos.te
- Add labeling for /var/tmp/kadmin_0 and /var/tmp/kiprop_0
- Add lsmd_t to nsswitch_domain.
- Allow pegasus_openlmi_storage_t create mdadm.conf.anacbak file in /etc.
- Add fixes to pegasus_openlmi_domain
- Allow Glance Scrubber to connect to commplex_main port
- Allow RabbitMQ to connect to amqp port
- Allow isnsd read access on the file /proc/net/unix
- Allow qpidd access to /proc/<pid>/net/psched
- Allow openshift_initrc_t to communicate with firewalld over dbus.
- Allow ctdbd_t send signull to samba_unconfined_net_t.
- Add samba_signull_unconfined_net()
- Add samba_signull_winbind()
- Revert "Add interfaces winbind_signull(), samba_unconfined_net_signull()."
- Fix ctdb policy
- Label /var/db/ as system_db_t.
2015-07-20 18:37:28 +02:00
Miroslav Grepl
57b06e2ca9 Add fixes for selinux-policy packages to reflect the latest changes related to policy module store migration. 2015-07-16 09:10:21 +02:00
Petr Lautrbach
a345bb5a25 Prepare selinux-policy package for SELinux store migration 2015-07-15 14:26:46 +02:00
Lukas Vrabec
04f749c8f0 * Wed Jul 15 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-137
- inn daemon should create innd_log_t objects in var_log_t instead of innd_var_run_t
- Fix rule definitions for httpd_can_sendmail boolean. We need to distinguish between base and contrib.
2015-07-15 11:45:00 +02:00
Lukas Vrabec
ee724ad113 * Tue Jul 14 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-136
- Add samba_unconfined_script_exec_t to samba_admin header.
- Add jabberd_lock_t label to jabberd_admin header.
- Add rpm_var_run_t label to rpm_admin header.
- Make all interfaces related to openshift_cache_t as deprecated.
- Remove non exits nfsd_ro_t label.
- Label /usr/afs/ as afs_files_t Allow afs_bosserver_t create afs_config_t and afs_dbdir_t dirs under afs_files_t Allow afs_bosserver_t read kerberos config
- Fix *_admin intefaces where body is not consistent with header.
- Allow networkmanager read rfcomm port.
- Fix nova_domain_template interface, Fix typo bugs in nova policy
- Create nova sublabels.
- Merge all nova_* labels under one nova_t.
- Add cobbler_var_lib_t to "/var/lib/tftpboot/boot(/.*)?"
- Allow dnssec_trigger_t relabelfrom dnssec_trigger_var_run_t files.
- Fix label openstack-nova-metadata-api binary file
- Allow nova_t to bind on geneve tcp port, and all udp ports
- Label swift-container-reconciler binary as swift_t.
- Allow glusterd to execute showmount in the showmount domain.
- Allow NetworkManager_t send signull to dnssec_trigger_t.
- Add support for openstack-nova-* packages.
- Allow audisp-remote searching devpts.
- Label 6080 tcp port as geneve
2015-07-14 18:10:21 +02:00
Lukas Vrabec
f53ebea7af * Thu Jul 09 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-135
- Update mta_filetrans_named_content() interface to cover more db files.
- Revert "Remove ftpd_use_passive_mode boolean. It does not make sense due to ephemeral port handling."
- Allow pcp domains to connect to own process using unix_stream_socket.
- Typo in abrt.te
- Allow  abrt-upload-watch service to dbus chat with ABRT daemon and fsetid capability to allow run reporter-upload correctly.
- Add nagios_domtrans_unconfined_plugins() interface.
- Add nagios_domtrans_unconfined_plugins() interface.
- Add new boolean - httpd_run_ipa to allow httpd process to run IPA helper and dbus chat with oddjob.
- Add support for oddjob based helper in FreeIPA. BZ(1238165)
- Allow dnssec_trigger_t create dnssec_trigger_tmp_t files in /var/tmp/ BZ(1240840)
- Allow ctdb_t sending signull to smbd_t, for checking if smbd process exists. BZ(1224879)
- Fix cron_system_cronjob_use_shares boolean to call fs interfaces which contain only entrypoint permission.
- Add cron_system_cronjob_use_shares boolean to allow system cronjob to be executed from shares - NFS, CIFS, FUSE. It requires "entrypoint" permissios on nfs_t, cifs_t and fusefs_t SELinux types.
- nrpe needs kill capability to make gluster moniterd nodes working.
- Revert "Dontaudit ctbd_t sending signull to smbd_t."
- Fix interface corenet_tcp_connect_postgresql_port_port(prosody_t)
- Allow prosody connect to postgresql port.
- Fix logging_syslogd_run_nagios_plugins calling in logging.te
- Add logging_syslogd_run_nagios_plugins boolean for rsyslog to allow transition to nagios unconfined plugins.
- Add support for oddjob based helper in FreeIPA. BZ(1238165)
- Add new interfaces
- Add fs_fusefs_entry_type() interface.
2015-07-09 10:31:45 +02:00
Lukas Vrabec
d04212cd26 * Thu Jul 02 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-134
- Allow ctdb_t sending signull to smbd_t, for checking if smbd process exists. BZ(1224879)
- Fix cron_system_cronjob_use_shares boolean to call fs interfaces which contain only entrypoint permission.
- Add cron_system_cronjob_use_shares boolean to allow system cronjob to be executed from shares - NFS, CIFS, FUSE. It requires "entrypoint" permissios on nfs_t, cifs_t and fusefs_t SELinux types.
- Merge remote-tracking branch 'refs/remotes/origin/rawhide-contrib' into rawhide-contrib
- nrpe needs kill capability to make gluster moniterd nodes working.
- Fix interface corenet_tcp_connect_postgresql_port_port(prosody_t)
- Allow prosody connect to postgresql port.
- Add new interfaces
- Add fs_fusefs_entry_type() interface.
2015-07-02 17:37:26 +02:00
Lukas Vrabec
1428c0c5e6 * Tue Jun 30 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-133
- Cleanup permissive domains.
2015-06-30 13:53:46 +02:00
Lukas Vrabec
20e7f0e6a4 * Mon Jun 29 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-132
- Rename xodbc-connect port to xodbc_connect
- Dontaudit apache to manage snmpd_var_lib_t files/dirs. BZ(1189214)
- Add interface snmp_dontaudit_manage_snmp_var_lib_files().
- Allow ovsdb-server to connect on xodbc-connect and ovsdb tcp ports. BZ(1179809)
- Dontaudit mozilla_plugin_t cap. sys_ptrace. BZ(1202043)
- Allow iscsid write to fifo file kdumpctl_tmp_t. Appears when kdump generates the initramfs during the kernel boot. BZ(1181476)
- Dontaudit chrome to read passwd file. BZ(1204307)
- Allow firewalld exec ldconfig. BZ(1232748)
- Allow dnssec_trigger_t read networkmanager conf files. BZ(1231798)
- Allow in networkmanager_read_conf() also read NetworkManager_etc_rw_t files. BZ(1231798)
- Allow NetworkManager write to sysfs. BZ(1234086)
- Fix bogus line in logrotate.fc.
- Add dontaudit interface for kdumpctl_tmp_t
- Rename xodbc-connect port to xodbc_connect
- Label tcp port 6632 as xodbc-connect port. BZ (1179809)
- Label tcp port 6640 as ovsdb port. BZ (1179809)
2015-06-29 18:07:03 +02:00
Lukas Vrabec
7100c57b1f * Tue Jun 23 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-131
- Allow NetworkManager write to sysfs. BZ(1234086)
- Fix bogus line in logrotate.fc.
- Add dontaudit interface for kdumpctl_tmp_t
- Use userdom_rw_user_tmp_files() instead of userdom_rw_user_tmpfs_files() in gluster.te
- Add postgresql support for systemd unit files.
- Fix missing bracket
- Pull request by ssekidde. https://github.com/fedora-selinux/selinux-policy/pull/18
- Fixed obsoleted userdom_delete_user_tmpfs_files() inteface
2015-06-23 18:07:14 +02:00
Miroslav Grepl
66628cef58 - Allow glusterd to interact with gluster tools running in a user domain
- rpm_transition_script() is called from rpm_run. Update cloud-init rules.
- Call rpm_transition_script() from rpm_run() interface.
- Allow radvd has setuid and it requires dac_override. BZ(1224403)
- Add glusterd_manage_lib_files() interface.
- Allow samba_t net_admin capability to make CIFS mount working.
- S30samba-start gluster hooks wants to search audit logs. Dontaudit it.
- Reflect logrotate change which moves /var/lib/logrotate.status to /var/lib/logrotate/logrotate.status. BZ(1228531)
- ntop reads /var/lib/ntop/macPrefix.db and it needs dac_override. It has setuid/setgid. BZ(1058822)
- Allow cloud-init to run rpm scriptlets to install packages. BZ(1227484)
- Allow nagios to generate charts.
- Allow glusterd to send generic signals to systemd_passwd_agent processes.
- Allow glusterd to run init scripts.
- Allow glusterd to execute /usr/sbin/xfs_dbin glusterd_t domain.
- Calling cron_system_entry() in pcp_domain_template needs to be a part of optional_policy block.
- Allow samba-net to access /var/lib/ctdbd dirs/files.
- Allow glusterd to send a signal to smbd.
- Make ctdbd as home manager to access also FUSE.
- Allow glusterd to use geo-replication gluster tool.
- Allow glusterd to execute ssh-keygen.
- Allow glusterd to interact with cluster services.
- Add rhcs_dbus_chat_cluster()
- systemd-logind accesses /dev/shm. BZ(1230443)
- Label gluster python hooks also as bin_t.
- Allow sshd to execute gnome-keyring if there is configured pam_gnome_keyring.so.
- Allow gnome-keyring executed by passwd to access /run/user/UID/keyring to change a password.
2015-06-18 19:28:19 +02:00
Miroslav Grepl
8f46225b71 - We need to restore contexts on /etc/passwd*,/etc/group*,/etc/*shadow* during install phase to get proper labeling for these files until selinux-policy pkgs are installed. BZ(1228489) 2015-06-09 16:44:44 +02:00
Miroslav Grepl
19cd06ec8a We need to restore contexts on /etc/passwd*,/etc/group*,/etc/*shadow* during install phase to get proper labeling for these files until selinux-policy pkgs are installed. BZ(1228489) 2015-06-09 16:43:17 +02:00
Miroslav Grepl
5bcffd3a3a See Changelog for all changes. 2015-06-09 12:38:09 +02:00
Miroslav Grepl
26e9debdb7 Update selinux-policy.spec to show how to create policy patches from https://github.com/fedora-selinux/selinux-policy 2015-05-22 09:45:52 +02:00
Petr Lautrbach
9cef10b755 Minor spec file fixes:
- corrected day in changelog entry from Apr 30 2015
- merged two %description's for base package into one

Fixes:
warning: line 330: second Description
warning: bogus date in %changelog: Mon Apr 30 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-126
2015-05-19 10:41:20 +02:00
Lukas Vrabec
6a726d4793 * Tue May 05 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-127
- Add missing typealiases in apache_content_template() for script domain/executable.
- Don't use deprecated userdom_manage_tmpfs_role() interface calliing and use userdom_manage_tmp_role() instead.
- Add support for new cobbler dir locations:
- Add support for iprdbg logging files in /var/log.
- Add relabel_user_home_dirs for use by docker_t
2015-05-05 15:54:12 +02:00
Lukas Vrabec
229bf3d017 * Mon Apr 30 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-126
- allow httpd_t to read nagios lib_var_lib_t to allow rddtool generate graphs which will be shown by httpd .
- Add nagios_read_lib() interface.
- Additional fix for mongod_unit_file_t in mongodb.te.
- Fix decl of mongod_unit_file to mongod_unit_file_t.
- Fix mongodb unit file declaration.
- Update virt_read_pid_files() interface to allow read also symlinks with virt_var_run_t type.
- Fix labeling for /usr/libexec/mysqld_safe-scl-helper.
- Add support for mysqld_safe-scl-helper which is needed for RHSCL daemons.
- Allow sys_ptrace cap for sblim-gatherd caused by ps.
- Add support for /usr/libexec/mongodb-scl-helper RHSCL helper script.
- Add support for mongod/mongos systemd unit files.
- Allow dnssec-trigger to send sigchld to networkmanager
- add interface networkmanager_sigchld
- Add dnssec-trigger unit file Label dnssec-trigger script in libexec
- Remove duplicate  specification for /etc/localtime.
- Add default labeling for /etc/localtime symlink.
2015-04-30 20:10:17 +02:00
Lukas Vrabec
c4df3c09b1 Fix bad date 2015-04-20 14:49:53 +02:00
Lukas Vrabec
0bfe8f4452 * Mon Apr 20 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-125
- Define ipa_var_run_t type
- Allow certmonger to manage renewal.lock. BZ(1213256)
- Add ipa_manage_pid_files interface.
- Add rules for netlink_socket in iotop.
- Allow iotop netlink socket.
- cloudinit and rhsmcertd need to communicate with dbus
- Allow apcupsd to use USBttys. BZ(1210960)
- Allow sge_execd_t to mamange tmp sge lnk files.BZ(1211574)
- Remove dac_override capability for setroubleshoot. We now have it running as setroubleshoot user.
- Allow syslogd_t to manage devlog_t lnk files. BZ(1210968)
2015-04-20 14:45:47 +02:00
Lukas Vrabec
28cc160db1 * Wed Apr 15 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-124
- Add more restriction on entrypoint for unconfined domains.
2015-04-15 17:14:18 +02:00
Lukas Vrabec
578b67080c * Wed Apr 14 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-123
- Allow abrtd to list home config. BZ(1199658)
- Dontaudit dnssec_trigger_t to read /tmp. BZ(1210250)
- Allow abrt_dump_oops_t to IPC_LOCK. BZ(1205481)
- Allow mock_t to use ptmx. BZ(1181333)
- Allow dnssec_trigger_t to stream connect to networkmanager.
- Allow dnssec_trigger_t to create resolv files labeled as net_conf_t
- Fix labeling for keystone CGI scripts.
2015-04-14 01:13:22 +02:00
Lukas Vrabec
b9a1c72d29 * Tue Apr 07 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-122
- Label /usr/libexec/mongodb-scl-helper as mongod_initrc_exec_t. BZ(1202013)
- Add mongodb port to httpd_can_network_connect_db interface. BZ(1209180)
- Allow mongod to work with configured SSSD.
- Add collectd net_raw capability. BZ(1194169)
- Merge postfix spool types(maildrop,flush) to one postfix_spool_t
- Allow dhcpd kill capability.
- Make rwhod as nsswitch domain.
- Add support for new fence agent fence_mpath which is executed by fence_node.
- Fix cloudform policy.(m4 is case sensitive)
- Allow networkmanager and cloud_init_t to dbus chat
- Allow lsmd plugin to run with configured SSSD.
- Allow bacula access to tape devices.
- Allow sblim domain to read sysctls..
- Allow timemaster send a signal to ntpd.
- Allow mysqld_t to use pam.It is needed by MariDB if auth_apm.so auth plugin is used.
- two 'l' is enough.
- Add labeling for systemd-time*.service unit files and allow systemd-timedated to access these unit files.
- Allow polkit to dbus chat with xserver. (1207478)
- Add lvm_stream_connect() interface.
- Set label of /sys/kernel/debug
2015-04-07 16:26:56 +02:00
Lukas Vrabec
5852f33770 * Mon Mar 30 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-121
- Allow kmscon to read system state. BZ (1206871)
- Label ~/.abrt/ as abrt_etc_t. BZ(1199658)
- Allow xdm_t to read colord_var_lib_t files. BZ(1201985)
2015-03-30 20:13:54 +02:00
Lukas Vrabec
734dd8ae6f * Mon Mar 23 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-120
- Allow mysqld_t to use pam. BZ(1196104)
- Added label mysqld_etc_t for /etc/my.cnf.d/ dir. BZ(1203989)
- Allow fetchmail to read mail_spool_t. BZ(1200552)
- Dontaudit blueman_t write to all mountpoints. BZ(1198272)
- Allow all domains some process flags.
- Merge branch 'rawhide-base' of github.com:selinux-policy/selinux-policy into rawhide-base
- Turn on overlayfs labeling for testin, we need this backported to F22 and Rawhide.  Eventually will need this in RHEL
2015-03-23 16:13:45 +01:00