- Update dbusd policy and netowrkmanager to allow confined users to connect to vpn over NetworkManager
- Fix all interfaces which cannot by compiled because of typos
- Allow X userdomains to mmap user_fonts_cache_t dirs
- Label /var/kerberos/krb5 as krb5_keytab_t
- Allow glusterd_t domain to setpgid
- Allow lsmd_t domain to execute /usr/bin/debuginfo-install
- Allow sbd_t domain to manage cgroup dirs
- Allow opafm_t domain to modify scheduling information of another process.
- Allow wireshark_t domain to create netlink netfilter sockets
- Allow gpg_agent_t domain to use nsswitch
- Allow httpd script types to mmap httpd rw content
- Allow dkim_milter_t domain to execute shell BZ(17116937)
- Allow sbd_t domain to use nsswitch
- Allow rhsmcertd_t domain to send signull to all domains
- Allow snort_t domain to create netlink netfilter sockets BZ(1723184)
- Dontaudit blueman to read state of all domains on system BZ(1722696)
- Allow boltd_t domain to use ps and get state of all domains on system. BZ(1723217)
- Allow rtkit_daemon_t to uise sys_ptrace usernamespace capability BZ(1723308)
- Replace "-" by "_" in types names
- Change condor_domain declaration in condor_systemctl
- Allow firewalld_t domain to read iptables_var_run_t files BZ(1722405)
- Allow auditd_t domain to send signals to audisp_remote_t domain
- Allow systemd labeled as init_t domain to read/write faillog_t. BZ(1723132)
- Allow systemd_tmpfiles_t domain to relabel from usermodehelper_t files
- Add interface kernel_relabelfrom_usermodehelper()
- Dontaudit unpriv_userdomain to manage boot_t files
- Allow xdm_t domain to mmap /var/lib/gdm/.cache/fontconfig BZ(1725509)
- Allow systemd to execute bootloader grub2-set-bootflag BZ(1722531)
- Allow associate efivarfs_t on sysfs_t
- Allow pcp_pmcd_t domain to domtrans to mdadm_t domain BZ(1714800)
- Allow spamd_update_t to exec itsef
- Fix broken logwatch SELinux module
- Allow logwatch_mail_t to manage logwatch cache files/dirs
- Update wireshark_t domain to use several sockets
- Allow sysctl_rpc_t and sysctl_irq_t to be stored on fs_t
- Fix bind_read_cache() interface to allow only read perms to caller domains
- [speech-dispatcher.if] m4 macro names can not have - in them
- Grant varnishlog_t access to varnishd_etc_t
- Allow nrpe_t domain to read process state of systemd_logind_t
- Allow mongod_t domain to connect on https port BZ(1711922)
- Allow chronyc_t domain to create own tmpfiles and allow communicate send data over unix dgram sockets
- Dontaudit spamd_update_t domain to read all domains states BZ(1711799)
- Allow pcp_pmie_t domain to use sys_ptrace usernamespace cap BZ(1705871)
- Allow userdomains to send data over dgram sockets to userdomains dbus services BZ(1710119)
- Revert "Allow userdomains to send data over dgram sockets to userdomains dbus services BZ(1710119)"
- Make boinc_var_lib_t mountpoint BZ(1711682)
- Allow wireshark_t domain to create fifo temp files
- All NetworkManager_ssh_t rules have to be in same optional block with ssh_basic_client_template(), fixing this bug in NetworkManager policy
- Allow dbus chat between NetworkManager_t and NetworkManager_ssh_t domains. BZ(1677484)
- Fix typo in gpg SELinux module
- Update gpg policy to make ti working with confined users
- Add domain transition that systemd labeled as init_t can execute spamd_update_exec_t binary to run newly created process as spamd_update_t
- Remove allow rule for virt_qemu_ga_t to write/append user_tmp_t files
- Label /var/run/user/*/dbus-1 as session_dbusd_tmp_t
- Add dac_override capability to namespace_init_t domain
- Label /usr/sbin/corosync-qdevice as cluster_exec_t
- Allow NetworkManager_ssh_t domain to open communication channel with system dbus. BZ(1677484)
- Label /usr/libexec/dnf-utils as debuginfo_exec_t
- Alow nrpe_t to send signull to sssd domain when nagios_run_sudo boolean is turned on
- Allow nrpe_t domain to be dbus cliennt
- Add interface sssd_signull()
- Build in parallel on Travis
- Fix parallel build of the policy
- Revert "Make able deply overcloud via neutron_t to label nsfs as fs_t"
- Add interface systemd_logind_read_state()
- Fix find commands in Makefiles
- Allow systemd-timesyncd to read network state BZ(1694272)
- Update userdomains to allow confined users to create gpg keys
- Allow associate all filesystem_types with fs_t
- Dontaudit syslogd_t using kill in unamespaces BZ(1711122)
- Allow init_t to manage session_dbusd_tmp_t dirs
- Allow systemd_gpt_generator_t to read/write to clearance
- Allow su_domain_type to getattr to /dev/gpmctl
- Update userdom_login_user_template() template to make working systemd user session for guest and xguest SELinux users
- Fix typo in gpg SELinux module
- Update gpg policy to make ti working with confined users
- Add domain transition that systemd labeled as init_t can execute spamd_update_exec_t binary to run newly created process as spamd_update_t
- Remove allow rule for virt_qemu_ga_t to write/append user_tmp_t files
- Label /var/run/user/*/dbus-1 as session_dbusd_tmp_t
- Add dac_override capability to namespace_init_t domain
- Label /usr/sbin/corosync-qdevice as cluster_exec_t
- Allow NetworkManager_ssh_t domain to open communication channel with system dbus. BZ(1677484)
- Label /usr/libexec/dnf-utils as debuginfo_exec_t
- Alow nrpe_t to send signull to sssd domain when nagios_run_sudo boolean is turned on
- Allow nrpe_t domain to be dbus cliennt
- Add interface sssd_signull()
- Label /usr/bin/tshark as wireshark_exec_t
- Update userdomains to allow confined users to create gpg keys
- Allow associate all filesystem_types with fs_t
- Dontaudit syslogd_t using kill in unamespaces BZ(1711122)
- Allow init_t to manage session_dbusd_tmp_t dirs
- Allow systemd_gpt_generator_t to read/write to clearance
- Allow su_domain_type to getattr to /dev/gpmctl
- Update userdom_login_user_template() template to make working systemd user session for guest and xguest SELinux users
- Alow nrpe_t to send signull to sssd domain when nagios_run_sudo boolean is turned on
- Allow nrpe_t domain to be dbus cliennt
- Add interface sssd_signull()
- Label /usr/bin/tshark as wireshark_exec_t
- Fix typo in dbus_role_template()
- Allow userdomains to send data over dgram sockets to userdomains dbus services BZ(1710119)
- Allow userdomains dbus domain to execute dbus broker. BZ(1710113)
- Allow dovedot_deliver_t setuid/setgid capabilities BZ(1709572)
- Allow virt domains to access xserver devices BZ(1705685)
- Allow aide to be executed by systemd with correct (aide_t) domain BZ(1648512)
- Dontaudit svirt_tcg_t domain to read process state of libvirt BZ(1594598)
- Allow pcp_pmie_t domain to use fsetid capability BZ(1708082)
- Allow pcp_pmlogger_t to use setrlimit BZ(1708951)
- Allow gpsd_t domain to read udev db BZ(1709025)
- Add sys_ptrace capaiblity for namespace_init_t domain
- Allow systemd to execute sa-update in spamd_update_t domain BZ(1705331)
- Allow rhsmcertd_t domain to read rpm cache files
- Label /efi same as /boot/efi boot_t BZ(1571962)
- Allow transition from udev_t to tlp_t BZ(1705246)
- Remove initrc_exec_t for /usr/sbin/apachectl file
- Allow iscsid_t domain to mmap modules_dep_t files
- Allow ngaios to use chown capability
- Dontaudit gpg_domain to create netlink_audit sockets
- Remove role transition in rpm_run() interface to allow sysadm_r jump to rpm_t type. BZ(1704251)
- Allow dirsrv_t domain to execute own tmp files BZ(1703111)
- Update fs_rw_cephfs_files() interface to allow also caller domain to read/write cephpfs_t lnk files
- Update domain_can_mmap_files() boolean to allow also mmap lnk files
- Improve userdom interfaces to drop guest_u SELinux user to use nsswitch
- Introduce deny_bluetooth boolean
- Allow greylist_milter_t to read network system state BZ(1702672)
- Allow freeipmi domains to mmap freeipmi_var_cache_t files
- Allow rhsmcertd_t and rpm_t domains to chat over dbus
- Allow thumb_t domain to delete cache_home_t files BZ(1701643)
- Update gnome_role_template() to allow _gkeyringd_t domains to chat with systemd_logind over dbus
- Add new interface boltd_dbus_chat()
- Allow fwupd_t and modemmanager_t domains to communicate over dbus BZ(1701791)
- Allow keepalived_t domain to create and use netlink_connector sockets BZ(1701750)
- Allow cockpit_ws_t domain to set limits BZ(1701703)
- Update Nagios policy when sudo is used
- Deamon rhsmcertd is able to install certs for docker again
- Introduce deny_bluetooth boolean
- Don't allow a container to connect to random services
- Remove file context /usr/share/spamassassin/sa-update\.cron -> bin_t to label sa-update.cron as spamd_update_exec_t.
- Allow systemd_logind_t and systemd_resolved_t domains to chat over dbus
- Allow unconfined_t to use bpf tools
- Allow x_userdomains to communicate with boltd daemon over dbus
- Allow mongod_t domain to lsearch in cgroups BZ(1698743)
- Allow rngd communication with pcscd BZ(1679217)
- Create cockpit_tmpfs_t and allow cockpit ws and session to use it BZ(1698405)
- Fix broken networkmanager interface for allowing manage lib files for dnsmasq_t.
- Update logging_send_audit_msgs(sudodomain() to control TTY auditing for netlink socket for audit service
After all reverted commit looks good, just targeted store have to be
specified when permissivedomains SELinux module is loaded.
This reverts commit f1ed716369.
- Allow boltd_t domain to write to sysfs_t dirs BZ(1689287)
- Allow fail2ban execute journalctl BZ(1689034)
- Update sudodomains to make working confined users run sudo/su
- Introduce new boolean unconfined_dyntrans_all.
- Allow iptables_t domain to read NetworkManager state BZ(1690881)
Make sure the config is consistent with what packages are (being)
installed in the system.
This should ensure that the package corresponding to SELINUXTYPE
in the config is always present in the system, or selinux is DISABLED
(both before policy_load is called and after any RPM transaction involving
selinux-policy-* package). Targeted mode is used when possible.
Resolves: rhbz#1641631
Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
- Update xen SELinux module
- Improve labeling for PCP plugins
- Allow varnishd_t domain to read sysfs_t files
- Update vmtools policy
- Allow virt_qemu_ga_t domain to read udev_var_run_t files
- Update nagios_run_sudo boolean with few allow rules related to accessing sssd
- Update file context for modutils rhbz#1689975
- Label /dev/xen/hypercall and /dev/xen/xenbus_backend as xen_device_t Resolves: rhbz#1679293
- Grant permissions for onloadfs files of all classes.
- Allow all domains to send dbus msgs to vmtools_unconfined_t processes
- Label /dev/pkey as crypt_device_t
- Allow sudodomains to write to systemd_logind_sessions_t pipes.
- Label /usr/lib64/libcuda.so.XX.XX library as textrel_shlib_t.
When the policy is built with save-previous=true (see semanage.conf) the
previous version of store is saved in /var/lib/selinux/TYPE/previous directory.
This directory needs to be erased after build as it has no function for
packages.
Fixes:
Checking for unpackaged file(s): /usr/lib/rpm/check-files /home/plautrba/rpmbuild/BUILDROOT/selinux-policy-3.14.4-4.fc31.x86_64
error: Installed (but unpackaged) file(s) found:
/var/lib/selinux/targeted/previous/commit_num
/var/lib/selinux/targeted/previous/file_contexts
/var/lib/selinux/targeted/previous/file_contexts.homedirs
...
- Update vmtools policy
- Allow virt_qemu_ga_t domain to read udev_var_run_t files
- Update nagios_run_sudo boolean with few allow rules related to accessing sssd
- Update travis CI to install selinux-policy dependencies without checking for gpg check
- Allow journalctl_t domain to mmap syslogd_var_run_t files
- Allow smokeping process to mmap own var lib files and allow set process group. Resolves: rhbz#1661046
- Allow sbd_t domain to bypass permission checks for sending signals
- Allow sbd_t domain read/write all sysctls
- Allow kpatch_t domain to communicate with policykit_t domsin over dbus
- Allow boltd_t to stream connect to sytem dbus
- Allow zabbix_t domain to create sockets labeled as zabbix_var_run_t BZ(1683820)
- Allow all domains to send dbus msgs to vmtools_unconfined_t processes
- Label /dev/pkey as crypt_device_t
- Allow sudodomains to write to systemd_logind_sessions_t pipes.
- Label /usr/lib64/libcuda.so.XX.XX library as textrel_shlib_t.
- Allow ifconfig_t domain to read /dev/random BZ(1687516)
- Fix interface modutils_run_kmod() where was used old interface modutils_domtrans_insmod instead of new one modutils_domtrans_kmod() Resolves: rhbz#1686660
- Update travis CI to install selinux-policy dependencies without checking for gpg check
- Label /usr/sbin/nodm as xdm_exec_t same as other display managers
- Update userdom_admin_user_template() and init_prog_run_bpf() interfaces to make working bpftool for confined admin
- Label /usr/sbin/e2mmpstatus as fsadm_exec_t Resolves: rhbz#1684221
- Update unconfined_dbus_send() interface to allow both direction communication over dbus with unconfined process.
- Allow openvpn_t domain to set capability BZ(1680276)
- Update redis_enable_notify() boolean to fix sending e-mail by redis when this boolean is turned on
- Allow chronyd_t domain to send data over dgram socket
- Add rolekit_dgram_send() interface
- Fix bug in userdom_restricted_xwindows_user_template() template to disallow all user domains to access admin_home_t - kernel/files.fc: Label /var/run/motd.d(./*)? and /var/run/motd as pam_var_run_t
Make sure the config is consistent with what packages are (being)
installed in the system.
This should ensure that the package corresponding to SELINUXTYPE
in the config is always present in the system, or selinux is DISABLED
(both before policy_load is called and after any RPM transaction involving
selinux-policy-* package). Targeted mode is used when possible.
Resolves: rhbz#1641631
Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
- Allow dovecot_t domain to connect to mysql db
- Add dac_override capability for sbd_t SELinux domain
- Add dac_override capability for spamd_update_t domain
- Allow nnp transition for domains fsadm_t, lvm_t and mount_t - Add fs_manage_fusefs_named_pipes interface
- Allow glusterd_t to write to automount unnamed pipe Resolves: rhbz#1674243
- Allow ddclient_t to setcap Resolves: rhbz#1674298
- Add dac_override capability to vpnc_t domain
- Add dac_override capability to spamd_t domain
- Allow ibacm_t domain to read system state and label all ibacm sockets and symlinks as ibacm_var_run_t in /var/run
- Allow read network state of system for processes labeled as ibacm_t
- Allow ibacm_t domain to send dgram sockets to kernel processes
- Allow dovecot_t to connect to MySQL UNIX socket
- Fix CI for use on forks
- Fix typo bug in sensord policy
- Update ibacm_t policy after testing lastest version of this component
- Allow sensord_t domain to mmap own log files
- Allow virt_doamin to read/write dev device
- Add dac_override capability for ipa_helper_t
- Update policy with multiple allow rules to make working installing VM in MLS policy
- Allow syslogd_t domain to send null signal to all domains on system Resolves: rhbz#1673847 - Merge branch 'rawhide' of github.com:fedora-selinux/selinux-policy into rawhide - Allow systemd-logind daemon to remove shared memory during logout Resolves: rhbz#1674172 - Always label /home symlinks as home_root_t - Update mount_read_pid_files macro to allow also list mount_var_run_t dirs - Fix typo bug in userdomain SELinux policy - Merge branch 'rawhide' of github.com:fedora-selinux/selinux-policy into rawhide - Allow user domains to stop systemd user sessions during logout process - Fix CI for use on forks - Label /dev/sev char device as sev_device_t - Add s_manage_fusefs_named_sockets interface - Allow systemd-journald to receive messages including a memfd
- Allow sensord_t domain to use nsswitch and execute shell
- Allow opafm_t domain to execute lib_t files
- Allow opafm_t domain to manage kdump_crash_t files and dirs
- Allow virt domains to read/write cephfs filesystems
- Allow virtual machine to write to fixed_disk_device_t
- Update kdump_manage_crash() interface to allow also manage dirs by caller domain Resolves: rhbz#1491585
- Allow svnserve_t domain to create in /tmp svn_0 file labeled as krb5_host_rcache_t
- Allow vhostmd_t read libvirt configuration files
- Update dbus_role_template interface to allow userdomains to accept data from userdomain dbus domains
- Add miscfiles_filetrans_named_content_letsencrypt() to optional_block - Allow unconfined domains to create letsencrypt directory in /var/lib labeled as cert_t - Allow staff_t user to systemctl iptables units. - Allow systemd to read selinux logind config - obj_perm_sets.spt: Add xdp_socket to socket_class_set. - Add xdp_socket security class and access vectors - Allow transition from init_t domain to user_t domain during ssh login with confined user user_u
- Add new xdp_socket class
- Update dbus_role_template interface to allow userdomains to accept data from userdomain dbus domains
- Allow boltd_t domain to read cache_home_t files BZ(1669911)
- Allow winbind_t domain to check for existence of processes labeled as systemd_hostnamed_t BZ(1669912)
- Allow gpg_agent_t to create own tmpfs dirs and sockets
- Allow openvpn_t domain to manage vpnc pidfiles BZ(1667572)
- Add multiple interfaces for vpnc interface file
- Label /var/run/fcgiwrap dir as httpd_var_run_t BZ(1655702)
- In MongoDB 3.4.16, 3.6.6, 4.0.0 and later, mongod reads netstat info from proc and stores it in its diagnostic system (FTDC). See: https://jira.mongodb.org/browse/SERVER-31400 This means that we need to adjust the policy so that the mongod process is allowed to open and read /proc/net/netstat, which typically has symlinks (e.g. /proc/net/snmp).
- Allow gssd_t domain to manage kernel keyrings of every domain.
- Revert "Allow gssd_t domain to read/write kernel keyrings of every domain."
- Allow plymouthd_t search efivarfs directory BZ(1664143)
- Allow sensord_t to execute own binary files
- Allow pcp_pmlogger_t domain to getattr all filesystem BZ(1662432)
- Allow virtd_lxc_t domains use BPF BZ(1662613)
- Allow openvpn_t domain to read systemd state BZ(1661065)
- Dontaudit ptrace all domains for blueman_t BZ(1653671)
- Used correct renamed interface for imapd_t domain
- Change label of /usr/libexec/lm_sensors/sensord-service-wrapper from lsmd_exec_t to sensord_exec_t BZ(1662922)
- Allow hddtemp_t domain to read nvme block devices BZ(1663579)
- Add dac_override capability to spamd_t domain BZ(1645667)
- Allow pcp_pmlogger_t to mount tracefs_t filesystem BZ(1662983)
- Allow pcp_pmlogger_t domain to read al sysctls BZ(1662441)
- Specify recipients that will be notified about build CI results.
- Allow saslauthd_t domain to mmap own pid files BZ(1653024)
- Add dac_override capability for snapperd_t domain BZ(1619356)
- Make kpatch_t domain application domain to allow users to execute kpatch in kpatch_t domain.
- Add ipc_owner capability to pcp_pmcd_t domain BZ(1655282)
- Update pulseaudio_stream_connect() to allow caller domain create stream sockets to cumminicate with pulseaudio
- Allow pcp_pmlogger_t domain to send signals to rpm_script_t BZ(1651030)
- Add new interface: rpm_script_signal()
- Allow init_t domain to mmap init_var_lib_t files and dontaudit leaked fd. BZ(1651008)
- Make workin: systemd-run --system --pty bash BZ(1647162)
- Allow ipsec_t domain dbus chat with systemd_resolved_t BZ(1662443)
- Allow staff_t to rw binfmt_misc_fs_t files BZ(1658975)
- Specify recipients that will be notified about build CI results.
- Label /usr/lib/systemd/user as systemd_unit_file_t BZ(1652814)
- Allow sysadm_t,staff_t and unconfined_t domain to execute kpatch as kpatch_t domain
- Add rules to allow systemd to mounton systemd_timedated_var_lib_t.
- Allow x_userdomains to stream connect to pulseaudio BZ(1658286)
- Remove all ganesha bits from gluster and rpc policy
- Label /usr/share/spamassassin/sa-update.cron as spamd_update_exec_t
- Add dac_override capability to ssad_t domains
- Allow pesign_t domain to read gnome home configs
- Label /usr/libexec/lm_sensors/sensord-service-wrapper as lsmd_exec_t
- Allow rngd_t domains read kernel state
- Allow certmonger_t domains to read bind cache
- Allow ypbind_t domain to stream connect to sssd
- Allow rngd_t domain to setsched
- Allow sanlock_t domain to read/write sysfs_t files
- Add dac_override capability to postfix_local_t domain
- Allow ypbind_t to search sssd_var_lib_t dirs
- Allow virt_qemu_ga_t domain to write to user_tmp_t files
- Allow systemd_logind_t to dbus chat with virt_qemu_ga_t
- Update sssd_manage_lib_files() interface to allow also mmap sssd_var_lib_t files
- Add new interface sssd_signal()
- Update xserver_filetrans_home_content() and xserver_filetrans_admin_home_content() unterfaces to allow caller domain to create .vnc dir in users homedir labeled as xdm_home_t
- Update logging_filetrans_named_content() to allow caller domains of this interface to create /var/log/journal/remote directory labeled as var_log_t
- Add sys_resource capability to the systemd_passwd_agent_t domain
- Allow ipsec_t domains to read bind cache
- kernel/files.fc: Label /run/motd as etc_t
- Allow systemd to stream connect to userdomain processes
- Label /var/lib/private/systemd/ as init_var_lib_t
- Allow initrc_t domain to create new socket labeled as init_T
- Allow audisp_remote_t domain remote logging client to read local audit events from relevant socket.
- Add tracefs_t type to mountpoint attribute
- Allow useradd_t and groupadd_t domains to send signals to sssd_t
- Allow systemd_logind_t domain to remove directories labeled as tmpfs_t BZ(1648636)
- Allow useradd_t and groupadd_t domains to access sssd files because of the new feature in shadow-utils
- Update pesign policy to allow pesign_t domain to read bind cache files/dirs
- Add dac_override capability to mdadm_t domain
- Create ibacm_tmpfs_t type for the ibacm policy
- Dontaudit capability sys_admin for dhcpd_t domain
- Makes rhsmcertd_t domain an exception to the constraint preventing changing the user identity in object contexts.
- Allow abrt_t domain to mmap generic tmp_t files
- Label /usr/sbin/wpa_cli as wpa_cli_exec_t
- Allow sandbox_xserver_t domain write to user_tmp_t files
- Allow certutil running as ipsec_mgmt_t domain to mmap ipsec_mgmt pid files Dontaudit ipsec_mgmt_t domain to write to the all mountpoints
- Add interface files_map_generic_tmp_files()
- Add dac_override capability to the syslogd_t domain
- Create systemd_timedated_var_run_t label
- Update systemd_timedated_t domain to allow create own pid files/access init_var_lib_t files and read dbus files BZ(1646202)
- Add init_read_var_lib_lnk_files and init_read_var_lib_sock_files interfaces
- Dontaudit thumb_t domain to setattr on lib_t dirs BZ(1643672)
- Dontaudit cupsd_t domain to setattr lib_t dirs BZ(1636766)
- Add dac_override capability to postgrey_t domain BZ(1638954)
- Allow thumb_t domain to execute own tmpfs files BZ(1643698)
- Allow xdm_t domain to manage dosfs_t files BZ(1645770)
- Label systemd-timesyncd binary as systemd_timedated_exec_t to make it run in systemd_timedated_t domain BZ(1640801)
- Improve fs_manage_ecryptfs_files to allow caller domain also mmap ecryptfs_t files BZ(1630675)
- Label systemd-user-runtime-dir binary as systemd_logind_exec_t BZ(1644313)
- Add nnp transition rule for vnstatd_t domain using NoNewPrivileges systemd feature BZ(1643063)
- Allow l2tpd_t domain to mmap /etc/passwd file BZ(1638948)
- Add dac_override capability to ftpd_t domain
- Allow gpg_t to create own tmpfs dirs and sockets
- Allow rhsmcertd_t domain to relabel cert_t files
- Add SELinux policy for kpatch
- Allow nova_t domain to use pam
- sysstat: grant sysstat_t the search_dir_perms set
- Label systemd-user-runtime-dir binary as systemd_logind_exec_t BZ(1644313)
- Allow systemd_logind_t to read fixed dist device BZ(1645631)
- Allow systemd_logind_t domain to read nvme devices BZ(1645567)
- Allow systemd_rfkill_t domain to comunicate via dgram sockets with syslogd BZ(1638981)
- kernel/files.fc: Label /run/motd.d(/.*)? as etc_t
- Allow ipsec_mgmt_t process to send signals other than SIGKILL, SIGSTOP, or SIGCHLD to the ipsec_t domains BZ(1638949)
- Allow X display manager to check status and reload services which are part of x_domain attribute
- Add interface miscfiles_relabel_generic_cert()
- Make kpatch policy active
- Fix userdom_write_user_tmp_dirs() to allow caller domain also read/write user_tmp_t dirs
- Dontaudit sys_admin capability for netutils_t domain
- Label tcp and udp ports 2611 as qpasa_agent_port_t
- Allow caller domains using cron_*_role to have entrypoint permission on system_cron_spool_t files BZ(1625645)
- Add interface cron_system_spool_entrypoint()
- Bolt added d-bus API for force-powering the thunderbolt controller, so system-dbusd needs acces to boltd pipes BZ(1637676)
- Add interfaces for boltd SELinux module
- Add dac_override capability to modemmanager_t domain BZ(1636608)
- Allow systemd to mount boltd_var_run_t dirs BZ(1636823)
- Label correctly /var/named/chroot*/dev/unrandom in bind chroot.
- Allow boltd_t to be activated by init socket activation
- Allow virt_domain to read/write to virtd_t unix_stream socket because of new version of libvirt 4.4. BZ(1635803)
- Update SELinux policy for libreswan based on the latest rebase 3.26
- Fix typo in init_named_socket_activation interface
- Allow dictd_t domain to mmap dictd_var_lib_t files BZ(1634650)
- Fix typo in boltd.te policy
- Allow fail2ban_t domain to mmap journal
- Add kill capability to named_t domain
- Allow neutron domain to read/write /var/run/utmp
- Create boltd_var_run_t type for boltd pid files
- Allow tomcat_domain to read /dev/random
- Allow neutron_t domain to use pam
- Add the port used by nsca (Nagios Service Check Acceptor)
- Allow certmonger to manage cockpit_var_run_t pid files
- Allow cockpit_ws_t domain to manage cockpit services
- Allow dirsrvadmin_script_t domain to list httpd_tmp_t dirs
- Add interface apache_read_tmp_dirs()
- Fix typo in cockpit interfaces we have cockpit_var_run_t files not cockpit_var_pid_t
- Add interface apcupsd_read_power_files()
- Allow systemd labeled as init_t to execute logrotate in logrotate_t domain
- Allow dac_override capability to amanda_t domain
- Allow geoclue_t domain to get attributes of fs_t filesystems
- Update selinux policy for rhnsd_t domain based on changes in spacewalk-2.8-client
- Allow cockpit_t domain to read systemd state
- Allow abrt_t domain to write to usr_t files
- Allow cockpit to create motd file in /var/run/cockpit
- Label /usr/sbin/pcsd as cluster_exec_t
- Allow pesign_t domain to getattr all fs
- Allow tomcat servers to manage usr_t files
- Dontaudit tomcat serves to append to /dev/random device
- Allow dirsrvadmin_script_t domain to read httpd tmp files
- Allow sbd_t domain to getattr of all char files in /dev and read sysfs_t files and dirs
- Fix path where are sources for CI
- Revert "Allow firewalld_t domain to read random device"
- Add travis CI for selinux-policy-contrib repo
- Allow postfix domains to mmap system db files
- Allow geoclue_t domain to execute own tmp files
- Update ibacm_read_pid_files interface to allow also reading link files
- Allow zebra_t domain to create packet_sockets
- Allow opafm_t domain to list sysfs
- Label /usr/libexec/cyrus-imapd/cyrus-master as cyris_exec_t
- Allow tomcat Tomcat to delete a temporary file used when compiling class files for JSPs.
- Allow chronyd_t domain to read virt_var_lib_t files
- Allow systemd to read apcupsd power files
- Revert "Allow polydomain to create /tmp-inst labeled as tmp_t"
- Allow polydomain to create /tmp-inst labeled as tmp_t
- Allow polydomain to create /tmp-inst labeled as tmp_t
- Allow systemd_resolved_t domain to bind on udp howl port
- Add new boolean use_virtualbox Resolves: rhbz#1510478
- Allow sshd_t domain to read cockpit pid files
- Allow syslogd_t domain to manage cert_t files
- Fix path where are sources for CI
- Add travis.yml to to create CI for selinux-policy sources
- Allow getattr as part of files_mounton_kernel_symbol_table.
- Fix typo "aduit" -> "audit"
- Revert "Add new interface dev_map_userio()"
- Add new interface dev_map_userio()
- Allow systemd to read ibacm pid files
- Allow tomcat services create link file in /tmp
- Label /etc/shorewall6 as shorewall_etc_t
- Allow winbind_t domain kill in user namespaces
- Allow firewalld_t domain to read random device
- Allow abrt_t domain to do execmem
- Allow geoclue_t domain to execute own var_lib_t files
- Allow openfortivpn_t domain to read system network state
- Allow dnsmasq_t domain to read networkmanager lib files
- sssd: Allow to limit capabilities using libcap
- sssd: Remove unnecessary capability
- sssd: Do not audit usage of lib nss_systemd.so
- Fix bug in nsd.fc, /var/run/nsd.ctl is socket file not file
- Add correct namespace_init_exec_t context to /etc/security/namespace.d/*
- Update nscd_socket_use to allow caller domain to mmap nscd_var_run_t files
- Allow exim_t domain to mmap bin files
- Allow mysqld_t domain to executed with nnp transition
- Allow svirt_t domain to mmap svirt_image_t block files
- Add caps dac_read_search and dav_override to pesign_t domain
- Allow iscsid_t domain to mmap userio chr files
- Add read interfaces for mysqld_log_t that was added in commit df832bf
- Allow boltd_t to dbus chat with xdm_t
- Conntrackd need to load kernel module to work
- Allow mysqld sys_nice capability
- Update boltd policy based on SELinux denials from rhbz#1607974
- Allow systemd to create symlinks in for /var/lib
- Add comment to show that template call also allows changing shells
- Document userdom_change_password_template() behaviour
- update files_mounton_kernel_symbol_table() interface to allow caller domain also mounton system_map_t file
- Fix typo in logging SELinux module
- Allow usertype to mmap user_tmp_type files
- In domain_transition_pattern there is no permission allowing caller domain to execu_no_trans on entrypoint, this patch fixing this issue
- Revert "Add execute_no_trans permission to mmap_exec_file_perms pattern"
- Add boolean: domain_can_mmap_files.
- Allow ipsec_t domian to mmap own tmp files
- Add .gitignore file
- Add execute_no_trans permission to mmap_exec_file_perms pattern
- Allow sudodomain to search caller domain proc info
- Allow audisp_remote_t domain to read auditd_etc_t
- netlabel: Remove unnecessary sssd nsswitch related macros
- Allow to use sss module in auth_use_nsswitch
- Limit communication with init_t over dbus
- Add actual modules.conf to the git repo
- Add few interfaces to optional block
- Allow sysadm_t and staff_t domain to manage systemd unit files
- Add interface dev_map_userio_dev()
- Fix issue with aliases in apache interface file
- Add same context for symlink as binary
- Allow boltd_t to send logs to journal
- Allow colord_use_nfs to allow colord also mmap nfs_t files
- Allow mysqld_safe_t do execute itself
- Allow smbd_t domain to chat via dbus with avahi daemon
- cupsd_t domain will create /etc/cupsd/ppd as cupsd_etc_rw_t
- Update screen_role_template to allow caller domain to have screen_exec_t as entrypoint do new domain
- Add alias httpd__script_t to _script_t to make sepolicy generate working
- Allow gpg_t domain to mmap gpg_agent_tmp_t files
- label /var/lib/pgsql/data/log as postgresql_log_t
- Allow sysadm_t domain to accept socket
- Allow systemd to manage passwd_file_t
- Allow sshd_t domain to mmap user_tmp_t files
- Allow kprop_t domain to read network state
- Add support boltd policy
- Allow kpropd domain to exec itself
- Allow pdns_t to bind on tcp transproxy port
- Add support for opafm service
- Allow hsqldb_t domain to read cgroup files
- Allow rngd_t domain to read generic certs
- Allow innd_t domain to mmap own var_lib_t files
- Update screen_role_temaplate interface
- Allow chronyd_t domain to mmap own tmpfs files
- Allow sblim_sfcbd_t domain to mmap own tmpfs files
- Allow systemd to mounont boltd lib dirs
- Allow sysadm_t domain to create rawip sockets
- Allow sysadm_t domain to listen on socket
- Update sudo_role_template() to allow caller domain also setattr generic ptys
- Update logging_manage_all_logs() interface to allow caller domain map all logfiles
- Allow aide to mmap all files
- Revert "Allow firewalld to create rawip sockets"
- Revert "Allow firewalld_t do read iptables_var_run_t files"
- Allow svirt_tcg_t domain to read system state of virtd_t domains
- Update rhcs contexts to reflects the latest fenced changes
- Allow httpd_t domain to rw user_tmp_t files
- Fix typo in openct policy
- Allow winbind_t domian to connect to all ephemeral ports
- Allow firewalld_t do read iptables_var_run_t files
- Allow abrt_t domain to mmap data_home files
- Allow glusterd_t domain to mmap user_tmp_t files
- Allow mongodb_t domain to mmap own var_lib_t files
- Allow firewalld to read kernel usermodehelper state
- Allow modemmanager_t to read sssd public files
- Allow openct_t domain to mmap own var_run_t files
- Allow nnp transition for devicekit daemons
- Allow firewalld to create rawip sockets
- Allow firewalld to getattr proc filesystem
- Dontaudit sys_admin capability for pcscd_t domain
- Revert "Allow pcsd_t domain sys_admin capability"
- Allow fetchmail_t domain to stream connect to sssd
- Allow pcsd_t domain sys_admin capability
- Allow cupsd_t to create cupsd_etc_t dirs
- Allow varnishlog_t domain to list varnishd_var_lib_t dirs
- Allow mongodb_t domain to read system network state BZ(1599230)
- Allow tgtd_t domain to create dirs in /var/run labeled as tgtd_var_run_t BZ(1492377)
- Allow iscsid_t domain to mmap sysfs_t files
- Allow httpd_t domain to mmap own cache files
- Add sys_resource capability to nslcd_t domain
- Fixed typo in logging_audisp_domain interface
- Add interface files_mmap_all_files()
- Add interface iptables_read_var_run()
- Allow systemd to mounton init_var_run_t files
- Update policy rules for auditd_t based on changes in audit version 3
- Allow systemd_tmpfiles_t do mmap system db files
- Merge branch 'rawhide' of github.com:fedora-selinux/selinux-policy into rawhide
- Improve domain_transition_pattern to allow mmap entrypoint bin file.
- Don't setup unlabeled_t as an entry_type
- Allow unconfined_service_t to transition to container_runtime_t
- Merge pull request #60 from vmojzis/rawhide
- Allow tangd_t domain stream connect to sssd
- Allow oddjob_t domain to chat with systemd via dbus
- Allow freeipmi domains to mmap sysfs files
- Fix typo in logwatch interface file
- Allow spamd_t to manage logwatch_cache_t files/dirs
- Allow dnsmasw_t domain to create own tmp files and manage mnt files
- Allow fail2ban_client_t to inherit rlimit information from parent process
- Allow nscd_t to read kernel sysctls
- Label /var/log/conman.d as conman_log_t
- Add dac_override capability to tor_t domain
- Allow certmonger_t to readwrite to user_tmp_t dirs
- Allow abrt_upload_watch_t domain to read general certs
- Allow chornyd_t read phc2sys_t shared memory
- Add several allow rules for pesign policy:
- Add setgid and setuid capabilities to mysqlfd_safe_t domain
- Add tomcat_can_network_connect_db boolean
- Update virt_use_sanlock() boolean to read sanlock state
- Add sanlock_read_state() interface
- Allow zoneminder_t to getattr of fs_t
- Allow rhsmcertd_t domain to send signull to postgresql_t domain
- Add log file type to collectd and allow corresponding access
- Allow policykit_t domain to dbus chat with dhcpc_t
- Allow traceroute_t domain to exec bin_t binaries
- Allow systemd_passwd_agent_t domain to list sysfs Allow systemd_passwd_agent_t domain to dac_override
- Add new interface dev_map_sysfs()
- Allow sshd_keygen_t to execute plymouthd
- Allow systemd_networkd_t create and relabel tun sockets
- Add new interface postgresql_signull()
- /usr/libexec/bluetooth/obexd should have only obexd_exec_t instead of bluetoothd_exec_t type
- Allow ntop_t domain to create/map various sockets/files.
- Enable the dictd to communicate via D-bus.
- Allow inetd_child process to chat via dbus with abrt
- Allow zabbix_agent_t domain to connect to redis_port_t
- Allow rhsmcertd_t domain to read xenfs_t files
- Allow zabbix_agent_t to run zabbix scripts
- Fix openvswith SELinux module
- Fix wrong path in tlp context file BZ(1586329)
- Update brltty SELinux module
- Allow rabbitmq_t domain to create own tmp files/dirs
- Allow policykit_t mmap policykit_auth_exec_t files
- Allow ipmievd_t domain to read general certs
- Add sys_ptrace capability to pcp_pmie_t domain
- Allow squid domain to exec ldconfig
- Update gpg SELinux policy module
- Allow mailman_domain to read system network state
- Allow openvswitch_t domain to read neutron state and read/write fixed disk devices
- Allow antivirus_domain to read all domain system state
- Allow targetd_t domain to red gconf_home_t files/dirs
- Label /usr/libexec/bluetooth/obexd as obexd_exec_t
- Add interface nagios_unconfined_signull()
- Fix typos in zabbix.te file
- Add missing requires
- Allow tomcat domain sends email
- Fix typo in sge policy
- Merge pull request #214 from wrabcak/fb-dhcpc
- Allow dhcpc_t creating own socket files inside /var/run/ Allow dhcpc_t creating netlink_kobject_uevent_socket, netlink_generic_socket, rawip_socket BZ(1585971)
- Allow confined users get AFS tokens
- Allow sysadm_t domain to chat via dbus
- Associate sysctl_kernel_t type with filesystem attribute
- Allow syslogd_t domain to send signull to nagios_unconfined_plugin_t
- Fix typo in netutils.te file
- Add dac_override to exim policy BZ(1574303)
- Fix typo in conntrackd.fc file
- Allow sssd_t to kill sssd_selinux_manager_t
- Allow httpd_sys_script_t to connect to mongodb_port_t if boolean httpd_can_network_connect_db is turned on
- Allow chronyc_t to redirect ourput to /var/lib /var/log and /tmp
- Allow policykit_auth_t to read udev db files BZ(1574419)
- Allow varnishd_t do be dbus client BZ(1582251)
- Allow cyrus_t domain to mmap own pid files BZ(1582183)
- Allow user_mail_t domain to mmap etc_aliases_t files
- Allow gkeyringd domains to run ssh agents
- Allow gpg_pinentry_t domain read ssh state
- Allow sysadm_u use xdm
- Allow xdm_t domain to listen ofor unix dgram sockets BZ(1581495)
- Add interface ssh_read_state()
- Fix typo in sysnetwork.if file
- Allow tangd_t domain to create tcp sockets and add new interface tangd_read_db_files
- Allow mailman_mail_t domain to search for apache configs
- Allow mailman_cgi_t domain to ioctl an httpd with a unix domain stream sockets.
- Improve procmail_domtrans() to allow mmaping procmail_exec_t
- Allow ptrace arbitrary processes
- Allow jabberd_router_t domain read kerberos keytabs BZ(1573945)
- Allow certmonger to geattr of filesystems BZ(1578755)
- Update dev_map_xserver_misc interface to allo mmaping char devices instead of files
- Allow noatsecure permission for all domain transitions from systemd.
- Allow systemd to read tangd db files
- Fix typo in ssh.if file
- Allow xdm_t domain to mmap xserver_misc_device_t files
- Allow xdm_t domain to execute systemd-coredump binary
- Add bridge_socket, dccp_socket, ib_socket and mpls_socket to socket_class_set
- Improve modutils_domtrans_insmod() interface to mmap insmod_exec_t binaries
- Improve iptables_domtrans() interface to allow mmaping iptables_exec_t binary
- Improve auth_domtrans_login_programinterface to allow also mmap login_exec_t binaries
- Improve auth_domtrans_chk_passwd() interface to allow also mmaping chkpwd_exec_t binaries.
- Allow mmap dhcpc_exec_t binaries in sysnet_domtrans_dhcpc interface
- Improve running xorg with proper SELinux domain even if systemd security feature NoNewPrivileges is used
- Add dac_override capability to mailman_mail_t domain
- Add dac_override capability to radvd_t domain
- Update openvswitch policy
- Add dac_override capability to oddjob_homedir_t domain
- Allow slapd_t domain to mmap slapd_var_run_t files
- Rename tang policy to tangd
- Allow virtd_t domain to relabel virt_var_lib_t files
- Allow logrotate_t domain to stop services via systemd
- Add tang policy
- Allow mozilla_plugin_t to create mozilla.pdf file in user homedir with label mozilla_home_t
- Allow snapperd_t daemon to create unlabeled dirs.
- Make httpd_var_run_t mountpoint
- Allow hsqldb_t domain to mmap own temp files
- We have inconsistency in cgi templates with upstream, we use _content_t, but refpolicy use httpd__content_t. Created aliasses to make it consistence
- Allow Openvswitch adding netdev bridge ovs 2.7.2.10 FDP
- Add new Boolean tomcat_use_execmem
- Allow nfsd_t domain to read/write sysctl fs files
- Allow conman to read system state
- Allow brltty_t domain to be dbusd system client
- Allow zebra_t domain to bind on babel udp port
- Allow freeipmi domain to read sysfs_t files
- Allow targetd_t domain mmap lvm config files
- Allow abrt_t domain to manage kdump crash files
- Add capability dac_override to antivirus domain
- Allow svirt_t domain mmap svirt_image_t files BZ(1514538)
- Allow ftpd_t domain to chat with systemd
- Allow systemd init named socket activation for uuidd policy
- Allow networkmanager domain to write to ecryptfs_t files BZ(1566706)
- Allow l2tpd domain to stream connect to sssd BZ(1568160)
- Dontaudit abrt_t to write to lib_t dirs BZ(1566784)
- Allow NetworkManager_ssh_t domain transition to insmod_t BZ(1567630)
- Allow certwatch to manage cert files BZ(1561418)
- Merge pull request #53 from tmzullinger/rawhide
- Merge pull request #52 from thetra0/rawhide
- Allow abrt_dump_oops_t domain to mmap all non security files BZ(1565748)
- Allow gpg_t domain mmap cert_t files Allow gpg_t mmap gpg_agent_t files
- Allow NetworkManager_ssh_t domain use generic ptys. BZ(1565851)
- Allow pppd_t domain read/write l2tpd pppox sockets BZ(1566096)
- Allow xguest user use bluetooth sockets if xguest_use_bluetooth boolean is turned on.
- Allow pppd_t domain creating pppox sockets BZ(1566271)
- Allow abrt to map var_lib_t files
- Allow chronyc to read system state BZ(1565217)
- Allow keepalived_t domain to chat with systemd via dbus
- Allow git to mmap git_(sys|user)_content_t files BZ(1518027)
- Allow netutils_t domain to create bluetooth sockets
- Allow traceroute to bind on generic sctp node
- Allow traceroute to search network sysctls
- Allow systemd to use virtio console
- Label /dev/op_panel and /dev/opal-prd as opal_device_t
- refpolicy: Update for kernel sctp support
- Allow smbd_t send to nmbd_t via dgram sockets BZ(1563791)
- Allow antivirus domain to be client for system dbus BZ(1562457)
- Dontaudit requesting tlp_t domain kernel modules, its a kernel bug BZ(1562383)
- Add new boolean: colord_use_nfs() BZ(1562818)
- Allow pcp_pmcd_t domain to check access to mdadm BZ(1560317)
- Allow colord_t to mmap gconf_home_t files
- Add new boolean redis_enable_notify()
- Label /var/log/shibboleth-www(/.*) as httpd_sys_rw_content_t
- Add new label for vmtools scripts and label it as vmtools_unconfined_t stored in /etc/vmware-tools/
- Remove labeling for /etc/vmware-tools to bin_t it should be vmtools_unconfined_exec_t
- Add new boolean redis_enable_notify()
- Label /var/log/shibboleth-www(/.*) as httpd_sys_rw_content_t
- Add new label for vmtools scripts and label it as vmtools_unconfined_t stored in /etc/vmware-tools/
- Allow svnserve_t domain to manage kerberos rcache and read krb5 keytab
- Add dac_override and dac_read_search capability to hypervvssd_t domain
- Label /usr/lib/systemd/systemd-fence_sanlockd as fenced_exec_t
- Allow samba to create /tmp/host_0 as krb5_host_rcache_t
- Add dac_override capability to fsdaemon_t BZ(1564143)
- Allow abrt_t domain to map dos files BZ(1564193)
- Add dac_override capability to automount_t domain
- Allow keepalived_t domain to connect to system dbus bus
- Allow nfsd_t to read nvme block devices BZ(1562554)
- Allow lircd_t domain to execute bin_t files BZ(1562835)
- Allow l2tpd_t domain to read sssd public files BZ(1563355)
- Allow logrotate_t domain to do dac_override BZ(1539327)
- Remove labeling for /etc/vmware-tools to bin_t it should be vmtools_unconfined_exec_t
- Add capability sys_resource to systemd_sysctl_t domain
- Label all /dev/rbd* devices as fixed_disk_device_t
- Allow xdm_t domain to mmap xserver_log_t files BZ(1564469)
- Allow local_login_t domain to rread udev db
- Allow systemd_gpt_generator_t to read /dev/random device
- add definition of bpf class and systemd perms
- Allow accountsd_t domain to dac override BZ(1561304)
- Allow cockpit_ws_t domain to read system state BZ(1561053)
- Allow postfix_map_t domain to use inherited user ptys BZ(1561295)
- Allow abrt_dump_oops_t domain dac override BZ(1561467)
- Allow l2tpd_t domain to run stream connect for sssd_t BZ(1561755)
- Allow crontab domains to do dac override
- Allow snapperd_t domain to unmount fs_t filesystems
- Allow pcp processes to read fixed_disk devices BZ(1560816)
- Allow unconfined and confined users to use dccp sockets
- Allow systemd to manage bpf dirs/files
- Allow traceroute_t to create dccp_sockets
- Improve bluetooth_stream_socket interface to allow caller domain also send bluetooth sockets
- Allow tcpd_t bind on sshd_port_t if ssh_use_tcpd() is enabled
- Allow semanage_t domain mmap usr_t files
- Add new boolean: ssh_use_tcpd()
- Update screen_role_template() to allow also creating sockets in HOMEDIR/screen/
- Allow newrole_t dacoverride capability
- Allow traceroute_t domain to mmap packet sockets
- Allow netutils_t domain to mmap usmmon device
- Allow netutils_t domain to use mmap on packet_sockets
- Allow traceroute to create icmp packets
- Allos sysadm_t domain to create tipc sockets
- Allow confined users to use new socket classes for bluetooth, alg and tcpdiag sockets
- Allow rpcd_t domain dac override
- Allow rpm domain to mmap rpm_var_lib_t files
- Allow arpwatch domain to create bluetooth sockets
- Allow secadm_t domain to mmap audit config and log files
- Update init_abstract_socket_activation() to allow also creating tcp sockets
- getty_t should be ranged in MLS. Then also local_login_t runs as ranged domain.
- Add SELinux support for systemd-importd
- Create new type bpf_t and label /sys/fs/bpf with this type
