Commit Graph

2220 Commits

Author SHA1 Message Date
Zdenek Pytela
8263376e4d * Tue Dec 06 2022 Zdenek Pytela <zpytela@redhat.com> - 38.2-1
- Don't make kernel_t an unconfined domain
- Don't allow kernel_t to execute bin_t/usr_t binaries without a transition
- Allow kernel_t to execute systemctl to do a poweroff/reboot
- Grant basic permissions to the domain created by systemd_systemctl_domain()
- Allow kernel_t to request module loading
- Allow kernel_t to do compute_create
- Allow kernel_t to manage perf events
- Grant almost all capabilities to kernel_t
- Allow kernel_t to fully manage all devices
- Revert "In domain_transition_pattern there is no permission allowing caller domain to execu_no_trans on entrypoint, this patch fixing this issue"
- Allow pulseaudio to write to session_dbusd tmp socket files
- Allow systemd and unconfined_domain_type create user_namespace
- Add the user_namespace security class
- Reuse tmpfs_t also for the ramfs filesystem
- Label udf tools with fsadm_exec_t
- Allow networkmanager_dispatcher_plugin work with nscd
- Watch_sb all file type directories.
- Allow spamc read hardware state information files
- Allow sysadm read ipmi devices
- Allow insights client communicate with cupsd, mysqld, openvswitch, redis
- Allow insights client read raw memory devices
- Allow the spamd_update_t domain get generic filesystem attributes
- Dontaudit systemd-gpt-generator the sys_admin capability
- Allow ipsec_t only read tpm devices
- Allow cups-pdf connect to the system log service
- Allow postfix/smtpd read kerberos key table
- Allow syslogd read network sysctls
- Allow cdcc mmap dcc-client-map files
- Add watch and watch_sb dosfs interface
2022-12-06 19:21:23 +01:00
Petr Lautrbach
4f5786b58d Migrate License tag to SPDX
https://fedoraproject.org/wiki/Changes/SPDX_Licenses_Phase_1
2022-11-24 10:22:34 +00:00
Zdenek Pytela
17a6cf70e4 * Mon Nov 21 2022 Zdenek Pytela <zpytela@redhat.com> - 38.1-1
- Revert "Allow sysadm_t read raw memory devices"
- Allow systemd-socket-proxyd get attributes of cgroup filesystems
- Allow rpc.gssd read network sysctls
- Allow winbind-rpcd get attributes of device and pty filesystems
- Allow insights-client domain transition on semanage execution
- Allow insights-client create gluster log dir with a transition
- Allow insights-client manage generic locks
- Allow insights-client unix_read all domain semaphores
- Add domain_unix_read_all_semaphores() interface
- Allow winbind-rpcd use the terminal multiplexor
- Allow mrtg send mails
- Allow systemd-hostnamed dbus chat with init scripts
- Allow sssd dbus chat with system cronjobs
- Add interface to watch all filesystems
- Add watch_sb interfaces
- Add watch interfaces
- Allow dhcpd bpf capability to run bpf programs
- Allow netutils and traceroute bpf capability to run bpf programs
- Allow pkcs_slotd_t bpf capability to run bpf programs
- Allow xdm bpf capability to run bpf programs
- Allow pcscd bpf capability to run bpf programs
- Allow lldpad bpf capability to run bpf programs
- Allow keepalived bpf capability to run bpf programs
- Allow ipsec bpf capability to run bpf programs
- Allow fprintd bpf capability to run bpf programs
- Allow systemd-socket-proxyd get filesystems attributes
- Allow dirsrv_snmp_t to manage dirsrv_config_t & dirsrv_var_run_t files
2022-11-21 17:04:56 +01:00
Zdenek Pytela
5448967b7c * Mon Oct 31 2022 Zdenek Pytela <zpytela@redhat.com> - 37.14-1
- Allow rotatelogs read httpd_log_t symlinks
- Add winbind-rpcd to samba_enable_home_dirs boolean
- Allow system cronjobs dbus chat with setroubleshoot
- Allow setroubleshootd read device sysctls
- Allow virt_domain read device sysctls
- Allow rhcd compute selinux access vector
- Allow insights-client manage samba var dirs
- Label ports 10161-10162 tcp/udp with snmp
- Allow aide to connect to systemd_machined with a unix socket.
- Allow samba-dcerpcd use NSCD services over a unix stream socket
- Allow vlock search the contents of the /dev/pts directory
- Allow insights-client send null signal to rpm and system cronjob
- Label port 15354/tcp and 15354/udp with opendnssec
- Allow ftpd map ftpd_var_run files
- Allow targetclid to manage tmp files
- Allow insights-client connect to postgresql with a unix socket
- Allow insights-client domtrans on unix_chkpwd execution
- Add file context entries for insights-client and rhc
- Allow pulseaudio create gnome content (~/.config)
- Allow login_userdomain dbus chat with rhsmcertd
- Allow sbd the sys_ptrace capability
- Allow ptp4l_t name_bind ptp_event_port_t
2022-10-31 17:59:49 +01:00
Zdenek Pytela
c9f58f0676 * Mon Oct 03 2022 Zdenek Pytela <zpytela@redhat.com> - 37.13-1
- Remove the ipa module
- Allow sss daemons read/write unnamed pipes of cloud-init
- Allow postfix_mailqueue create and use unix dgram sockets
- Allow xdm watch user home directories
- Allow nm-dispatcher ddclient plugin load a kernel module
- Stop ignoring standalone interface files
- Drop cockpit module
- Allow init map its private tmp files
- Allow xenstored change its hard resource limits
- Allow system_mail-t read network sysctls
- Add bgpd sys_chroot capability
2022-10-03 23:24:01 +02:00
Zdenek Pytela
dde90d74a7 * Thu Sep 22 2022 Zdenek Pytela <zpytela@redhat.com> - 37.12-1
- nut-upsd: kernel_read_system_state, fs_getattr_cgroup
- Add numad the ipc_owner capability
- Allow gst-plugin-scanner read virtual memory sysctls
- Allow init read/write inherited user fifo files
- Update dnssec-trigger policy: setsched, module_request
- added policy for systemd-socket-proxyd
- Add the new 'cmd' permission to the 'io_uring' class
- Allow winbind-rpcd read and write its key ring
- Label /run/NetworkManager/no-stub-resolv.conf net_conf_t
- blueman-mechanism can read ~/.local/lib/python*/site-packages directory
- pidof executed by abrt can readlink /proc/*/exe
- Fix typo in comment
- Do not run restorecon /etc/NetworkManager/dispatcher.d in mls and minimum
2022-09-22 22:59:43 +02:00
Zdenek Pytela
0f27d97ff5 Do not run restorecon /etc/NetworkManager/dispatcher.d in mls and minimum 2022-09-21 21:30:53 +02:00
Zdenek Pytela
d02146ba68 * Wed Sep 14 2022 Zdenek Pytela <zpytela@redhat.com> - 37.11-1
- Allow tor get filesystem attributes
- Allow utempter append to login_userdomain stream
- Allow login_userdomain accept a stream connection to XDM
- Allow login_userdomain write to boltd named pipes
- Allow staff_u and user_u users write to bolt pipe
- Allow login_userdomain watch various directories
- Update rhcd policy for executing additional commands 5
- Update rhcd policy for executing additional commands 4
- Allow rhcd create rpm hawkey logs with correct label
- Allow systemd-gpt-auto-generator to check for empty dirs
- Update rhcd policy for executing additional commands 3
- Allow journalctl read rhcd fifo files
- Update insights-client policy for additional commands execution 5
- Allow init remount all file_type filesystems
- Confine insights-client systemd unit
- Update insights-client policy for additional commands execution 4
- Allow pcp pmcd search tracefs and acct_data dirs
- Allow httpd read network sysctls
- Dontaudit domain map permission on directories
- Revert "Allow X userdomains to mmap user_fonts_cache_t dirs"
- Revert "Allow xdm_t domain to mmap /var/lib/gdm/.cache/fontconfig BZ(1725509)"
- Update insights-client policy for additional commands execution 3
- Allow systemd permissions needed for sandboxed services
- Add rhcd module
- Make dependency on rpm-plugin-selinux unordered
2022-09-14 09:14:08 +02:00
Petr Lautrbach
2a4b303a6b Make dependency on rpm-plugin-selinux unordered
And break the dependency loop with rpm-plugin-selinux

From rpm documentation:

    * meta (since rpm >= 4.16)

    Denotes a “meta” dependency, which must not affect transaction
    ordering. Typical use-cases would be meta-packages and sub-package
    cross-dependencies  whose purpose is just to ensure the sub-packages
    stay on common version.

Related: https://bugzilla.redhat.com/show_bug.cgi?id=1851266
2022-09-07 10:38:06 +02:00
Zdenek Pytela
9a58e62d76 * Fri Sep 02 2022 Zdenek Pytela <zpytela@redhat.com> - 37.10-1
- Allow ipsec_t read/write tpm devices
- Allow rhcd execute all executables
- Update rhcd policy for executing additional commands 2
- Update insights-client policy for additional commands execution 2
- Allow sysadm_t read raw memory devices
- Allow chronyd send and receive chronyd/ntp client packets
- Allow ssh client read kerberos homedir config files
- Label /var/log/rhc-worker-playbook with rhcd_var_log_t
- Update insights-client policy (auditctl, gpg, journal)
- Allow system_cronjob_t domtrans to rpm_script_t
- Allow smbd_t process noatsecure permission for winbind_rpcd_t
- Update tor_bind_all_unreserved_ports interface
- Allow chronyd bind UDP sockets to ptp_event ports.
- Allow unconfined and sysadm users transition for /root/.gnupg
- Add gpg_filetrans_admin_home_content() interface
- Update rhcd policy for executing additional commands
- Update insights-client policy for additional commands execution
- Add userdom_view_all_users_keys() interface
- Allow gpg read and write generic pty type
- Allow chronyc read and write generic pty type
- Allow system_dbusd ioctl kernel with a unix stream sockets
- Allow samba-bgqd to read a printer list
- Allow stalld get and set scheduling policy of all domains.
- Allow unconfined_t transition to targetclid_home_t
2022-09-02 14:10:03 +02:00
Zdenek Pytela
5ac843b27b * Thu Aug 11 2022 Zdenek Pytela <zpytela@redhat.com> - 37.9-1
- Allow nm-dispatcher custom plugin dbus chat with nm
- Allow nm-dispatcher sendmail plugin get status of systemd services
- Allow xdm read the kernel key ring
- Allow login_userdomain check status of mount units
- Allow postfix/smtp and postfix/virtual read kerberos key table
- Allow services execute systemd-notify
- Do not allow login_userdomain use sd_notify()
- Allow launch-xenstored read filesystem sysctls
- Allow systemd-modules-load write to /dev/kmsg and send a message to syslogd
- Allow openvswitch fsetid capability
- Allow openvswitch use its private tmpfs files and dirs
- Allow openvswitch search tracefs dirs
- Allow pmdalinux read files on an nfsd filesystem
- Allow winbind-rpcd write to winbind pid files
- Allow networkmanager to signal unconfined process
- Allow systemd_hostnamed label /run/systemd/* as hostnamed_etc_t
- Allow samba-bgqd get a printer list
- fix(init.fc): Fix section description
- Allow fedora-third-party read the passwords file
- Remove permissive domain for rhcd_t
- Allow pmie read network state information and network sysctls
- Revert "Dontaudit domain the fowner capability"
- Allow sysadm_t to run bpftool on the userdomain attribute
- Add the userdom_prog_run_bpf_userdomain() interface
- Allow insights-client rpm named file transitions
- Add /var/tmp/insights-archive to insights_client_filetrans_named_content
2022-08-11 21:24:24 +02:00
Zdenek Pytela
1ccfff1aa1 * Mon Aug 01 2022 Zdenek Pytela <zpytela@redhat.com> - 37.8-1
- Allow sa-update to get init status and start systemd files
- Use insights_client_filetrans_named_content
- Make default file context match with named transitions
- Allow nm-dispatcher tlp plugin send system log messages
- Allow nm-dispatcher tlp plugin create and use unix_dgram_socket
- Add permissions to manage lnk_files into gnome_manage_home_config
- Allow rhsmcertd to read insights config files
- Label /etc/insights-client/machine-id
- fix(devices.fc): Replace single quote in comment to solve parsing issues
- Make NetworkManager_dispatcher_custom_t an unconfined domain
2022-08-01 11:07:08 +02:00
Fedora Release Engineering
666bf02b7f Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild
Signed-off-by: Fedora Release Engineering <releng@fedoraproject.org>
2022-07-23 08:21:08 +00:00
Zdenek Pytela
7ffa63b0f9 * Thu Jul 14 2022 Zdenek Pytela <zpytela@redhat.com> - 37.7-1
- Update winbind_rpcd_t
- Allow some domains use sd_notify()
- Revert "Allow rabbitmq to use systemd notify"
- fix(sedoctool.py): Fix syntax warning: "is not" with a literal
- Allow nm-dispatcher console plugin manage etc files
- Allow networkmanager_dispatcher_plugin list NetworkManager_etc_t dirs
- Allow nm-dispatcher console plugin setfscreate
- Support using systemd-update-helper in rpm scriptlets
- Allow nm-dispatcher winbind plugin read samba config files
- Allow domain use userfaultfd over all domains
- Allow cups-lpd read network sysctls
2022-07-14 21:38:38 +02:00
Zdenek Pytela
730af95045 * Wed Jun 29 2022 Zdenek Pytela <zpytela@redhat.com> - 37.6-1
- Allow stalld set scheduling policy of kernel threads
- Allow targetclid read /var/target files
- Allow targetclid read generic SSL certificates (fixed)
- Allow firewalld read the contents of the sysfs filesystem
- Fix file context pattern for /var/target
- Use insights_client_etc_t in insights_search_config()
- Allow nm-dispatcher ddclient plugin handle systemd services
- Allow nm-dispatcher winbind plugin run smbcontrol
- Allow nm-dispatcher custom plugin create and use unix dgram socket
- Update samba-dcerpcd policy for kerberos usage 2
- Allow keepalived read the contents of the sysfs filesystem
- Allow amandad read network sysctls
- Allow cups-lpd read network sysctls
- Allow kpropd read network sysctls
- Update insights_client_filetrans_named_content()
- Allow rabbitmq to use systemd notify
- Label /var/target with targetd_var_t
- Allow targetclid read generic SSL certificates
- Update rhcd policy
- Allow rhcd search insights configuration directories
- Add the kernel_read_proc_files() interface
- Require policycoreutils >= 3.4-1
- Add a script for enclosing interfaces in ifndef statements
- Disable rpm verification on interface_info
2022-06-29 21:00:49 +02:00
Zdenek Pytela
e0b2bb6894 Require policycoreutils >= 3.4-1
New policycoreutils increased the policydb max version.
2022-06-29 20:48:12 +02:00
Vit Mojzis
193d303b3b Disable rpm verification on interface_info
interface_info is generated by sepolgen-ifgen in %post. Therefore it
should not be verified as part of the package.

Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
2022-06-29 18:00:11 +00:00
Zdenek Pytela
53d2cbdc84 * Wed Jun 22 2022 Zdenek Pytela <zpytela@redhat.com> - 37.5-1
- Allow transition to insights_client named content
- Add the insights_client_filetrans_named_content() interface
- Update policy for insights-client to run additional commands 3
- Allow dhclient manage pid files used by chronyd
- Allow stalld get scheduling policy of kernel threads
- Allow samba-dcerpcd work with sssd
- Allow dlm_controld send a null signal to a cluster daemon
- Allow ksmctl create hardware state information files
- Allow winbind_rpcd_t connect to self over a unix_stream_socket
- Update samba-dcerpcd policy for kerberos usage
- Allow insights-client execute its private memfd: objects
- Update policy for insights-client to run additional commands 2
- Use insights_client_tmp_t instead of insights_client_var_tmp_t
- Change space indentation to tab in insights-client
- Use socket permissions sets in insights-client
- Update policy for insights-client to run additional commands
- Change rpm_setattr_db_files() to use a pattern
- Allow init_t to rw insights_client unnamed pipe
- Add rpm setattr db files macro
- Fix insights client
- Update kernel_read_unix_sysctls() for sysctl_net_unix_t handling
- Allow rabbitmq to access its private memfd: objects
- Update policy for samba-dcerpcd
- Allow stalld setsched and sys_nice
2022-06-22 20:23:04 +02:00
Zdenek Pytela
7104f739ec Run restorecon for nm-dispatcher directory only if it exists
Unconditional execution can make the rpm scriptlet failing:

Running scriptlet: selinux-policy-targeted-36.9-1.fc36.noarch             4/4
/usr/sbin/restorecon: SELinux: Could not get canonical path for /etc/NetworkManager/dispatcher.d restorecon: No such file or directory.
warning: %posttrans(selinux-policy-targeted-36.9-1.fc36.noarch) scriptlet failed, exit status 255

Resolves: rhbz#2082547
2022-06-22 20:23:04 +02:00
Zdenek Pytela
75ed729ffd * Tue Jun 07 2022 Zdenek Pytela <zpytela@redhat.com> - 37.4-1
- Allow auditd_t noatsecure for a transition to audisp_remote_t
- Allow ctdbd nlmsg_read on netlink_tcpdiag_socket
- Allow pcp_domain execute its private memfd: objects
- Add support for samba-dcerpcd
- Add policy for wireguard
- Confine targetcli
- Allow systemd work with install_t unix stream sockets
- Allow iscsid the sys_ptrace userns capability
- Allow xdm connect to unconfined_service_t over a unix stream socket
2022-06-07 22:33:10 +02:00
Zdenek Pytela
f69f4a323f * Fri May 27 2022 Zdenek Pytela <zpytela@redhat.com> - 37.3-1
- Allow nm-dispatcher custom plugin execute systemctl
- Allow nm-dispatcher custom plugin dbus chat with nm
- Allow nm-dispatcher custom plugin create and use udp socket
- Allow nm-dispatcher custom plugin create and use netlink_route_socket
- Use create_netlink_socket_perms in netlink_route_socket class permissions
- Add support for nm-dispatcher sendmail scripts
- Allow sslh net_admin capability
- Allow insights-client manage gpg admin home content
- Add the gpg_manage_admin_home_content() interface
- Allow rhsmcertd create generic log files
- Update logging_create_generic_logs() to use create_files_pattern()
- Label /var/cache/insights with insights_client_cache_t
- Allow insights-client search gconf homedir
- Allow insights-client create and use unix_dgram_socket
- Allow blueman execute its private memfd: files
- Move the chown call into make-srpm.sh
2022-05-27 21:08:08 +02:00
Zdenek Pytela
fccb378e9b * Fri May 06 2022 Zdenek Pytela <zpytela@redhat.com> - 37.2-1
- Use the networkmanager_dispatcher_plugin attribute in allow rules
- Make a custom nm-dispatcher plugin transition
- Label port 4784/tcp and 4784/udp with bfd_multi
- Allow systemd watch and watch_reads user ptys
- Allow sblim-gatherd the kill capability
- Label more vdsm utils with virtd_exec_t
- Add ksm service to ksmtuned
- Add rhcd policy
- Dontaudit guest attempts to dbus chat with systemd domains
- Dontaudit guest attempts to dbus chat with system bus types
- Use a named transition in systemd_hwdb_manage_config()
- Add default fc specifications for patterns in /opt
- Add the files_create_etc_files() interface
- Allow nm-dispatcher console plugin create and write files in /etc
- Allow nm-dispatcher console plugin transition to the setfiles domain
- Allow more nm-dispatcher plugins append to init stream sockets
- Allow nm-dispatcher tlp plugin dbus chat with nm
- Reorder networkmanager_dispatcher_plugin_template() calls
- Allow svirt connectto virtlogd
- Allow blueman map its private memfd: files
- Allow sysadm user execute init scripts with a transition
- Allow sblim-sfcbd connect to sblim-reposd stream
- Allow keepalived_unconfined_script_t dbus chat with init
- Run restorecon with "-i" not to report errors
2022-05-18 20:30:58 +02:00
Zdenek Pytela
59a2a4bfc4 Run restorecon with "-i" not to report errors
The %posttrans scriptlet contains explicit call to restorecon
to restore context of files/directories which are not handled
properly on updates. When a file or directory does not exist,
an error is reported:

/usr/sbin/restorecon: lstat(/etc/NetworkManager/dispatcher.d) failed: No such file or directory
warning: %posttrans(selinux-policy-targeted-36.8-1.fc36.noarch) scriptlet failed, exit status 255

Error in POSTTRANS scriptlet in rpm package selinux-policy-targeted

With the "-i" switch, restorecon does not report an error.

Resolves: rhbz#2082547
2022-05-06 14:33:26 +02:00
Zdenek Pytela
0e9b088744 * Mon May 02 2022 Zdenek Pytela <zpytela@redhat.com> - 37.1-1
- Fix users for SELinux userspace 3.4
- Label /var/run/machine-id as machineid_t
- Add stalld to modules.conf
- Use files_tmpfs_file() for rhsmcertd_tmpfs_t
- Allow blueman read/write its private memfd: objects
- Allow insights-client read rhnsd config files
- Allow insights-client create_socket_perms for tcp/udp sockets
2022-05-02 17:50:25 +02:00
Zdenek Pytela
af1a501769 * Tue Apr 26 2022 Zdenek Pytela <zpytela@redhat.com> - 36.8-1
- Allow nm-dispatcher chronyc plugin append to init stream sockets
- Allow tmpreaper the sys_ptrace userns capability
- Label /usr/libexec/vdsm/supervdsmd and vdsmd with virtd_exec_t
- Allow nm-dispatcher tlp plugin read/write the wireless device
- Allow nm-dispatcher tlp plugin append to init socket
- Allow nm-dispatcher tlp plugin be client of a system bus
- Allow nm-dispatcher list its configuration directory
- Ecryptfs-private support
- Allow colord map /var/lib directories
- Allow ntlm_auth read the network state information
- Allow insights-client search rhnsd configuration directory
2022-04-26 11:56:41 +02:00
Zdenek Pytela
23fa4eb394 * Thu Apr 21 2022 Zdenek Pytela <zpytela@redhat.com> - 36.7-3
- Add support for nm-dispatcher tlp-rdw scripts
- Update github actions to satisfy git 2.36 stricter rules
- New policy for stalld
- Allow colord read generic files in /var/lib
- Allow xdm mounton user temporary socket files
- Allow systemd-gpt-auto-generator create and use netlink_kobject_uevent_socket
- Allow sssd domtrans to pkcs_slotd_t
- Allow keepalived setsched and sys_nice
- Allow xdm map generic files in /var/lib
- Allow xdm read generic symbolic links in /var/lib
- Allow pppd create a file in the locks directory
- Add file map permission to lpd_manage_spool() interface
- Allow system dbus daemon watch generic directories in /var/lib
- Allow pcscd the sys_ptrace userns capability
- Add the corecmd_watch_bin_dirs() interface
2022-04-21 09:24:57 +02:00
Zdenek Pytela
489937c6c2 Relabel explicitly some dirs in %posttrans scriptlets 2022-04-21 09:18:57 +02:00
Zdenek Pytela
8e34354093 Add stalld module to modules-targeted-contrib.conf 2022-04-21 09:10:30 +02:00
Zdenek Pytela
f3ea959687 * Mon Apr 04 2022 Zdenek Pytela <zpytela@redhat.com> - 36.6-1
- Add support for systemd-network-generator
- Add the io_uring class
- Allow nm-dispatcher dhclient plugin append to init stream sockets
- Relax the naming pattern for systemd private shared libraries
- Allow nm-dispatcher iscsid plugin append to init socket
- Add the init_append_stream_sockets() interface
- Allow nm-dispatcher dnssec-trigger script to execute pidof
- Add support for nm-dispatcher dnssec-trigger scripts
- Allow chronyd talk with unconfined user over unix domain dgram socket
- Allow fenced read kerberos key tables
- Add support for nm-dispatcher ddclient scripts
- Add systemd_getattr_generic_unit_files() interface
- Allow fprintd read and write hardware state information
- Allow exim watch generic certificate directories
- Remove duplicate fc entries for corosync and corosync-notifyd
- Label corosync-cfgtool with cluster_exec_t
- Allow qemu-kvm create and use netlink rdma sockets
- Allow logrotate a domain transition to cluster administrative domain
2022-04-04 14:10:25 +02:00
Zdenek Pytela
46273b67bf * Fri Mar 18 2022 Zdenek Pytela <zpytela@redhat.com> - 36.5-1
- Add support for nm-dispatcher console helper scripts
- Allow nm-dispatcher plugins read its directory and sysfs
- Do not let system_cronjob_t create redhat-access-insights.log with var_log_t
- devices: Add a comment about cardmgr_dev_t
- Add basic policy for BinderFS
- Label /var/run/ecblp0 pipe with cupsd_var_run_t
- Allow rpmdb create directory in /usr/lib/sysimage
- Allow rngd drop privileges via setuid/setgid/setcap
- Allow init watch and watch_reads user ttys
- Allow systemd-logind dbus chat with sosreport
- Allow chronyd send a message to sosreport over datagram socket
- Remove unnecessary /etc file transitions for insights-client
- Label all content in /var/lib/insights with insights_client_var_lib_t
- Update insights-client policy
2022-03-18 18:48:45 +01:00
Zdenek Pytela
e42de71056 Add insights_client module to modules-targeted-contrib.conf 2022-02-23 18:43:55 +01:00
Zdenek Pytela
20d8d119db * Wed Feb 23 2022 Zdenek Pytela <zpytela@redhat.com> - 36.4-1
- Update NetworkManager-dispatcher cloud and chronyc policy
- Update insights-client: fc pattern, motd, writing to etc
- Allow systemd-sysctl read the security state information
- Allow init create and mounton to support PrivateDevices
- Allow sosreport dbus chat abrt systemd timedatex
2022-02-23 14:55:24 +01:00
Zdenek Pytela
a3ac25c352 Update specfile to use new policycoreutils
These changes were applied:
- Update specfile to buildrequire policycoreutils-devel >= 3.3-4
- Add the new modules_checksum file to %files
2022-02-22 20:47:51 +01:00
Zdenek Pytela
b1087928cf * Thu Feb 17 2022 Zdenek Pytela <zpytela@redhat.com> - 36.3-1
- Update NetworkManager-dispatcher policy to use scripts
- Allow init mounton kernel messages device
- Revert "Make dbus-broker service working on s390x arch"
- Remove permissive domain for insights_client_t
- Allow userdomain read symlinks in /var/lib
- Allow iptables list cgroup directories
- Dontaudit mdadm list dirsrv tmpfs dirs
- Dontaudit dirsrv search filesystem sysctl directories
- Allow chage domtrans to sssd
- Allow postfix_domain read dovecot certificates
- Allow systemd-networkd create and use netlink netfilter socket
- Allow nm-dispatcher read nm-dispatcher-script symlinks
- filesystem.te: add genfscon rule for ntfs3 filesystem
- Allow rhsmcertd get attributes of cgroup filesystems
- Allow sandbox_web_client_t watch various dirs
- Exclude container.if from policy devel files
- Run restorecon on /usr/lib/sysimage/rpm instead of /var/lib/rpm
2022-02-17 23:37:33 +01:00
Zdenek Pytela
652ddc6c42 * Fri Feb 11 2022 Zdenek Pytela <zpytela@redhat.com> - 36.2-1
- Allow sysadm_passwd_t to relabel passwd and group files
- Allow confined sysadmin to use tool vipw
- Allow login_userdomain map /var/lib/directories
- Allow login_userdomain watch library and fonts dirs
- Allow login_userdomain watch system configuration dirs
- Allow login_userdomain read systemd runtime files
- Allow ctdb create cluster logs
- Allow alsa bind mixer controls to led triggers
- New policy for insight-client
- Add mctp_socket security class and access vectors
- Fix koji repo URL pattern
- Update chronyd_pid_filetrans() to allow create dirs
- Update NetworkManager-dispatcher policy
- Allow unconfined to run virtd bpf
- Allow nm-privhelper setsched permission and send system logs
- Add the map permission to common_anon_inode_perm permission set
- Rename userfaultfd_anon_inode_perms to common_inode_perms
- Allow confined users to use kinit,klist and etc.
- Allow rhsmcertd create rpm hawkey logs with correct label
2022-02-11 12:26:34 +01:00
Zdenek Pytela
a2b5a0667a * Thu Feb 03 2022 Zdenek Pytela <zpytela@redhat.com> - 36.1-1
- Label exFAT utilities at /usr/sbin
- policy/modules/contrib: Support /usr/lib/sysimage/rpm as the rpmdb path
- Enable genfs_seclabel_symlinks policy capability
- Sync policy/policy_capabilities with refpolicy
- refpolicy: drop unused socket security classes
- Label new utility of NetworkManager nm-priv-helper
- Label NetworkManager-dispatcher service with separate context
- Allow sanlock get attributes of filesystems with extended attributes
- Associate stratisd_data_t with device filesystem
- Allow init read stratis data symlinks
2022-02-03 22:57:19 +01:00
Zdenek Pytela
7774d24565 * Tue Feb 01 2022 Zdenek Pytela <zpytela@redhat.com> - 35.13-1
- Allow systemd services watch dbusd pid directory and its parents
- Allow ModemManager connect to the unconfined user domain
- Label /dev/wwan.+ with modem_manager_t
- Allow alsactl set group Process ID of a process
- Allow domtrans to sssd_t and role access to sssd
- Creating interface sssd_run_sssd()
- Label utilities for exFAT filesystems with fsadm_exec_t
- Label /dev/nvme-fabrics with fixed_disk_device_t
- Allow init delete generic tmp named pipes
- Allow timedatex dbus chat with xdm
2022-02-01 16:42:40 +01:00
Zdenek Pytela
742db0fd66 * Wed Jan 26 2022 Zdenek Pytela <zpytela@redhat.com> - 35.12-1
- Fix badly indented used interfaces
- Allow domain transition to sssd_t
- Dontaudit sfcbd sys_ptrace cap_userns
- Label /var/lib/plocate with locate_var_lib_t
- Allow hostapd talk with unconfined user over unix domain dgram socket
- Allow NetworkManager talk with unconfined user over unix domain dgram socket
- Allow system_mail_t read inherited apache system content rw files
- Add apache_read_inherited_sys_content_rw_files() interface
- Allow rhsm-service execute its private memfd: objects
- Allow dirsrv read configfs files and directories
- Label /run/stratisd with stratisd_var_run_t
- Allow tumblerd write to session_dbusd tmp socket files
2022-01-26 19:28:39 +01:00
Zdenek Pytela
500380aef3 * Wed Jan 19 2022 Zdenek Pytela <zpytela@redhat.com> - 35.11-1
- Revert "Label /etc/cockpit/ws-certs.d with cert_t"
- Allow login_userdomain write to session_dbusd tmp socket files
- Label /var/run/user/%{USERID}/dbus with session_dbusd_tmp_t
2022-01-19 17:23:31 +01:00
Zdenek Pytela
cb08ccec64 Force a rebuild of policy unconditionally
Currently, the policy is rebuilt only when /etc/selinux/POLICY/.rebuild
exists which can make problems with independent policy modules.
2022-01-19 13:25:07 +01:00
Zdenek Pytela
b8cfdb1921 * Mon Jan 17 2022 Zdenek Pytela <zpytela@redhat.com> - 35.10-1
- Allow login_userdomain watch systemd-machined PID directories
- Allow login_userdomain watch systemd-logind PID directories
- Allow login_userdomain watch accountsd lib directories
- Allow login_userdomain watch localization directories
- Allow login_userdomain watch various files and dirs
- Allow login_userdomain watch generic directories in /tmp
- Allow rhsm-service read/write its private memfd: objects
- Allow radiusd connect to the radacct port
- Allow systemd-io-bridge ioctl rpm_script_t
- Allow systemd-coredump userns capabilities and root mounton
- Allow systemd-coredump read and write usermodehelper state
- Allow login_userdomain create session_dbusd tmp socket files
- Allow gkeyringd_domain write to session_dbusd tmp socket files
- Allow systemd-logind delete session_dbusd tmp socket files
- Allow gdm-x-session write to session dbus tmp sock files
- Label /etc/cockpit/ws-certs.d with cert_t
- Allow kpropd get attributes of cgroup filesystems
- Allow administrative users the bpf capability
- Allow sysadm_t start and stop transient services
- Connect triggerin to pcre2 instead of pcre
2022-01-17 18:17:56 +01:00
Petr Lautrbach
b15718470a Connect triggerin to pcre2 instead of pcre
Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=2013624
2022-01-17 08:09:32 +00:00
Zdenek Pytela
b3c7810107 * Wed Jan 12 2022 Zdenek Pytela <zpytela@redhat.com> - 35.9-1
- Allow sshd read filesystem sysctl files
- Revert "Allow sshd read sysctl files"
- Allow tlp read its systemd unit
- Allow gssproxy access to various system files.
- Allow gssproxy read, write, and map ica tmpfs files
- Allow gssproxy read and write z90crypt device
- Allow sssd_kcm read and write z90crypt device
- Allow smbcontrol read the network state information
- Allow virt_domain map vhost devices
- Allow fcoemon request the kernel to load a module
- Allow sshd read sysctl files
- Ensure that `/run/systemd/*` are properly labeled
- Allow admin userdomains use socketpair()
- Change /run/user/[0-9]+ to /run/user/%{USERID} for proper labeling
- Allow lldpd connect to snmpd with a unix domain stream socket
- Dontaudit pkcsslotd sys_admin capability
2022-01-12 17:57:27 +01:00
Zdenek Pytela
d0828ed3ca * Thu Dec 23 2021 Zdenek Pytela <zpytela@redhat.com> - 35.8-1
- Allow haproxy get attributes of filesystems with extended attributes
- Allow haproxy get attributes of cgroup filesystems
- Allow sysadm execute sysadmctl in sysadm_t domain using sudo
- Allow userdomains use pam_ssh_agent_auth for passwordless sudo
- Allow sudodomains execute passwd in the passwd domain
- Allow braille printing in selinux
- Allow sandbox_xserver_t map sandbox_file_t
- Label /dev/ngXnY and /dev/nvme-subsysX with fixed_disk_device_t
- Add hwtracing_device_t type for hardware-level tracing and debugging
- Label port 9528/tcp with openqa_liveview
- Label /var/lib/shorewall6-lite with shorewall_var_lib_t
- Document Security Flask model in the policy
2021-12-23 18:01:36 +01:00
Zdenek Pytela
4bbbba4fda * Fri Dec 10 2021 Zdenek Pytela <zpytela@redhat.com> - 35.7-1
- Allow systemd read unlabeled symbolic links
- Label abrt-action-generate-backtrace with abrt_handle_event_exec_t
- Allow dnsmasq watch /etc/dnsmasq.d directories
- Allow rhsmcertd get attributes of tmpfs_t filesystems
- Allow lldpd use an snmp subagent over a tcp socket
- Allow xdm watch generic directories in /var/lib
- Allow login_userdomain open/read/map system journal
- Allow sysadm_t connect to cluster domains over a unix stream socket
- Allow sysadm_t read/write pkcs shared memory segments
- Allow sysadm_t connect to sanlock over a unix stream socket
- Allow sysadm_t dbus chat with sssd
- Allow sysadm_t set attributes on character device nodes
- Allow sysadm_t read and write watchdog devices
- Allow smbcontrol use additional socket types
- Allow cloud-init dbus chat with systemd-logind
- Allow svnserve send mail from the system
- Update userdom_exec_user_tmp_files() with an entrypoint rule
- Allow sudodomain send a null signal to sshd processes
2021-12-10 18:04:24 +01:00
Zdenek Pytela
16445dca46 * Fri Nov 19 2021 Zdenek Pytela <zpytela@redhat.com> - 35.6-1
- Allow PID 1 and dbus-broker IPC with a systemd user session
- Allow rpmdb read generic SSL certificates
- Allow rpmdb read admin home config files
- Report warning on duplicate definition of interface
- Allow redis get attributes of filesystems with extended attributes
- Allow sysadm_t dbus chat with realmd_t
- Make cupsd_lpd_t a daemon
- Allow tlp dbus-chat with NetworkManager
- filesystem: add fs_use_trans for ramfs
- Allow systemd-logind destroy unconfined user's IPC objects
2021-11-19 18:02:51 +01:00
Zdenek Pytela
bc5db683cf * Thu Nov 04 2021 Zdenek Pytela <zpytela@redhat.com> - 35.5-1
- Support sanlock VG automated recovery on storage access loss 2/2
- Support sanlock VG automated recovery on storage access loss 1/2
- Revert "Support sanlock VG automated recovery on storage access loss"
- Allow tlp get service units status
- Allow fedora-third-party manage 3rd party repos
- Allow xdm_t nnp_transition to login_userdomain
- Add the auth_read_passwd_file() interface
- Allow redis-sentinel execute a notification script
- Allow fetchmail search cgroup directories
- Allow lvm_t to read/write devicekit disk semaphores
- Allow devicekit_disk_t to use /dev/mapper/control
- Allow devicekit_disk_t to get IPC info from the kernel
- Allow devicekit_disk_t to read systemd-logind pid files
- Allow devicekit_disk_t to mount filesystems on mnt_t directories
- Allow devicekit_disk_t to manage mount_var_run_t files
- Allow rasdaemon sys_admin capability to verify the CAP_SYS_ADMIN of the soft_offline_page function implemented in the kernel
- Use $releasever in koji repo to reduce rawhide hardcoding
- authlogin: add fcontext for tcb
- Add erofs as a SELinux capable file system
- Allow systemd execute user bin files
- Support sanlock VG automated recovery on storage access loss
- Support new PING_CHECK health checker in keepalived
2021-11-04 18:57:21 +01:00
Zdenek Pytela
510d46d44a * Mon Oct 18 2021 Zdenek Pytela <zpytela@redhat.com> - 35.2-1
- Allow fedora-third-party execute "flatpak remote-add"
- Add files_manage_var_lib_files() interface
- Add write permisson to userfaultfd_anon_inode_perms
- Allow proper function sosreport via iotop
- Allow proper function sosreport in sysadmin role
- Allow fedora-third-party to connect to the system log service
- Allow fedora-third-party dbus chat with policykit
- Allow chrony-wait service start with DynamicUser=yes
- Allow management of lnk_files if similar access to regular files
- Allow unconfined_t transition to mozilla_plugin_t with NoNewPrivileges
- Allow systemd-resolved watch /run/systemd
- Allow fedora-third-party create and use unix_dgram_socket
- Removing pkcs_tmpfs_filetrans interface and edit pkcs policy files
- Allow login_userdomain named filetrans to pkcs_slotd_tmpfs_t domain
2021-10-18 14:30:50 +02:00
Zdenek Pytela
a38b01faa8 * Thu Oct 07 2021 Zdenek Pytela <zpytela@redhat.com> - 35.1-1
- Add fedoratp module
- Allow xdm_t domain transition to fedoratp_t
- Allow ModemManager create and use netlink route socket
- Add default file context for /run/gssproxy.default.sock
- Allow xdm_t watch fonts directories
- Allow xdm_t watch generic directories in /lib
- Allow xdm_t watch generic pid directories
2021-10-07 18:06:06 +02:00
Zdenek Pytela
792d74b90a * Thu Sep 23 2021 Zdenek Pytela <zpytela@redhat.com> - 34.21-1
- Add bluetooth-related permissions into a tunable block
- Allow gnome at-spi processes create and use stream sockets
- Allow usbmuxd get attributes of tmpfs_t filesystems
- Allow fprintd install a sleep delay inhibitor
- Allow collectd get attributes of infiniband devices
- Allow collectd create and user netlink rdma socket
- Allow collectd map packet_socket
- Allow snort create and use blootooth socket
- Allow systemd watch and watch_reads console devices
- Allow snort create and use generic netlink socket
- Allow NetworkManager dbus chat with fwupd
- Allow unconfined domains read/write domain perf_events
- Allow scripts to enter LUKS password
- Update mount_manage_pid_files() to use manage_files_pattern
- Support hitless reloads feature in haproxy
- Allow haproxy list the sysfs directories content
- Allow gnome at-spi processes get attributes of tmpfs filesystems
- Allow unbound connectto unix_stream_socket
- Allow rhsmcertd_t dbus chat with anaconda install_t
2021-09-23 18:47:59 +02:00
Zdenek Pytela
dead9d45da * Thu Sep 16 2021 Zdenek Pytela <zpytela@redhat.com> - 34.20-1
- cleanup unused codes
- Fix typo in the gnome_exec_atspi() interface summary
- Allow xdm execute gnome-atspi services
- Allow gnome at-spi processes execute dbus-daemon in caller domain
- Allow xdm watch dbus configuration
- Allow xdm execute dbus-daemon in the caller domain
- Revert "Allow xdm_t transition to system_dbusd_t"
- Allow at-spi-bus-launcher read and map xdm pid files
- Allow dhcpcd set its resource limits
- Allow systemd-sleep get removable devices attributes
- Allow usbmuxd get attributes of fs_t filesystems
2021-09-16 14:32:28 +02:00
Zdenek Pytela
28ce29abe9 * Thu Sep 09 2021 Zdenek Pytela <zpytela@redhat.com> - 34.19-1
- Update the dhcp client local policy
- Allow firewalld load kernel modules
- Allow postfix_domain to sendto unix dgram sockets.
- Allow systemd watch unallocated ttys
2021-09-09 21:36:07 +02:00
Zdenek Pytela
9bff620494 * Tue Sep 07 2021 Zdenek Pytela <zpytela@redhat.com> - 34.18-1
- Allow ModemManager create a qipcrtr socket
- Allow ModemManager request to load a kernel module
- Label /usr/sbin/virtproxyd as virtd_exec_t
- Allow communication between at-spi and gdm processes
- Update ica_filetrans_named_content() with create_file_perms
- Fix the gnome_atspi_domtrans() interface summary
2021-09-07 14:29:54 +02:00
Zdenek Pytela
9365468edb * Fri Aug 27 2021 Zdenek Pytela <zpytela@redhat.com> - 34.17-5
- Add ica module to modules-targeted-contrib.conf
2021-08-27 13:46:07 +02:00
Zdenek Pytela
40faa1b7db * Fri Aug 27 2021 Zdenek Pytela <zpytela@redhat.com> - 34.17-4
- Add trailing \ to the relabel() block which is needed even in a comment
2021-08-27 12:32:23 +02:00
Zdenek Pytela
6c25b6293b * Fri Aug 27 2021 Zdenek Pytela <zpytela@redhat.com> - 34.17-3
- Add ica module to modules-targeted.conf
2021-08-27 11:50:45 +02:00
Zdenek Pytela
600126801d * Fri Aug 27 2021 Zdenek Pytela <zpytela@redhat.com> - 34.17-2
- Relabel /var/lib/rpm explicitly
- Revert "Relabel /dev/dma_heap explicitly"
2021-08-27 11:47:37 +02:00
Zdenek Pytela
95a4bac6d3 Revert "* Tue Jun 22 2021 Zdenek Pytela <zpytela@redhat.com> - 34.12-2"
This reverts commit 8417543050
which added explicit /dev/dma_heap relabeling temporarily to the specfile.
2021-08-27 11:43:37 +02:00
Zdenek Pytela
c53bdced40 * Fri Aug 27 2021 Zdenek Pytela <zpytela@redhat.com> - 3.14.3-79
- Introduce xdm_manage_bootloader booelan
Resolves: rhbz#1994096
- Rename samba_exec() to samba_exec_net()
Resolves: rhbz#1855215
- Allow sssd to set samba setting
Resolves: rhbz#1855215
- Allow dirsrv read slapd tmpfs files
Resolves: rhbz#1843238
- Allow rhsmcertd to create cache file in /var/cache/cloud-what
Resolves: rhbz#1994718
2021-08-27 11:39:38 +02:00
Zdenek Pytela
757d64d9d6 * Thu Aug 12 2021 Zdenek Pytela <zpytela@redhat.com> - 34.16-1
- Allow systemd-timesyncd watch system dbus pid socket files
- Allow firewalld drop capabilities
- Allow rhsmcertd execute gpg
- Allow lldpad send to kdump over a unix dgram socket
- Allow systemd-gpt-auto-generator read udev pid files
- Set default file context for /sys/firmware/efi/efivars
- Allow tcpdump run as a systemd service
- Allow nmap create and use netlink generic socket
- Allow nscd watch system db files in /var/db
- Allow cockpit_ws_t get attributes of fs_t filesystems
- Allow sysadm acces to kernel module resources
- Allow sysadm to read/write scsi files and manage shadow
- Allow sysadm access to files_unconfined and bind rpc ports
- Allow sysadm read and view kernel keyrings
- Allow journal mmap and read var lib files
- Allow tuned to read rhsmcertd config files
- Allow bootloader to read tuned etc files
- Label /usr/bin/qemu-storage-daemon with virtd_exec_t
2021-08-12 18:39:36 +02:00
Zdenek Pytela
58dbb0353c * Fri Aug 06 2021 Zdenek Pytela <zpytela@redhat.com> - 34.15-1
- Disable seccomp on CI containers
- Allow systemd-machined stop generic service units
- Allow virtlogd_t read process state of user domains
- Add "/" at the beginning of dev/shm/var\.lib\.opencryptoki.* regexp
- Label /dev/crypto/nx-gzip with accelerator_device_t
- Update the policy for systemd-journal-upload
- Allow unconfined domains to bpf all other domains
- Confine rhsm service and rhsm-facts service as rhsmcertd_t
- Allow fcoemon talk with unconfined user over unix domain datagram socket
- Allow abrt_domain read and write z90crypt device
- Allow mdadm read iscsi pid files
- Change dev_getattr_infiniband_dev() to use getattr_chr_files_pattern()
- Label /usr/lib/pcs/pcs_snmp_agent with cluster_exec_t
- Allow hostapd bind UDP sockets to the dhcpd port
- Unconfined domains should not be confined
2021-08-06 19:30:54 +02:00
Fedora Release Engineering
418902d2f4 - Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild
Signed-off-by: Fedora Release Engineering <releng@fedoraproject.org>
2021-07-23 17:20:44 +00:00
Zdenek Pytela
fe7971a7a7 * Wed Jul 14 2021 Zdenek Pytela <zpytela@redhat.com> - 34.14-1
- Revert "update libs_filetrans_named_content() to have support for /usr/lib/debug directory"
- Remove references to init_watch_path_type attribute
- Remove all redundant watch permissions for systemd
- Allow systemd watch non_security_file_type dirs, files, lnk_files
- Removed adding to attribute unpriv_userdomain from userdom_unpriv_type template
- Allow bacula get attributes of cgroup filesystems
- Allow systemd-journal-upload watch logs and journal
- Create a policy for systemd-journal-upload
- Allow tcpdump and nmap get attributes of infiniband_device_t
- Allow arpwatch get attributes of infiniband_device_t devices
- Label /dev/wmi/dell-smbios as acpi_device_t
2021-07-14 14:59:11 +02:00
Zdenek Pytela
4f56cd3eb8 * Thu Jul 01 2021 Zdenek Pytela <zpytela@redhat.com> - 34.13-1
- Allow radius map its library files
- Allow nftables read NetworkManager unnamed pipes
- Allow logrotate rotate container log files
2021-07-01 16:39:23 +02:00
Zdenek Pytela
8417543050 * Tue Jun 22 2021 Zdenek Pytela <zpytela@redhat.com> - 34.12-2
- Add a systemd service to check that SELinux is disabled properly
- specfile: Add unowned dir to the macro
- Relabel /dev/dma_heap explicitly
2021-06-22 11:50:15 +02:00
Ondrej Mosnacek
fd69433906 Add a systemd service to check that SELinux is disabled properly
As an additional sanity check to support the removal of runtime
disabling of SELinux [1], add a simple oneshot service to the
selinux-policy package that will print a warning to system journal when
it detects on boot that the system has been booted with SELINUX=disabled
in /etc/selinux/config, but without selinux=0 on the kernel command
line.

Note that as per [2], in order for the service to be enabled by default,
it needs to be added to the Fedora presets.

[1] https://fedoraproject.org/wiki/Changes/Remove_Support_For_SELinux_Runtime_Disable
[2] https://docs.fedoraproject.org/en-US/packaging-guidelines/DefaultServices/#_how_to_enable_a_service_by_default

Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
2021-06-22 09:38:56 +00:00
Michael Scherer
a563172755 Add unowned dir to the macro 2021-06-22 09:32:58 +00:00
Zdenek Pytela
ed2eb34288 * Mon Jun 21 2021 Zdenek Pytela <zpytela@redhat.com> - 34.12-1
- Label /dev/dma_heap/* char devices with dma_device_t
- Revert "Label /dev/dma_heap/* char devices with dma_device_t"
- Revert "Label /dev/dma_heap with dma_device_dir_t"
- Revert "Associate dma_device_dir_t with device filesystem"
- Add the lockdown integrity permission to dev_map_userio_dev()
- Allow systemd-modules-load read/write tracefs files
- Allow sssd watch /run/systemd
- Label /usr/bin/arping plain file with netutils_exec_t
- Label /run/fsck with fsadm_var_run_t
- Label /usr/bin/Xwayland with xserver_exec_t
- Allow systemd-timesyncd watch dbus runtime dir
- Allow asterisk watch localization files
- Allow iscsid read all process stat
- iptables.fc: Add missing legacy-restore and legacy-save entries
- Label /run/libvirt/common with virt_common_var_run_t
- Label /.k5identity file allow read of this file to rpc.gssd
- Make usbmuxd_t a daemon
2021-06-21 15:07:20 +02:00
Zdenek Pytela
ef6e27e6c9 * Wed Jun 09 2021 Zdenek Pytela <zpytela@redhat.com> - 34.11-1
- Allow sanlock get attributes of cgroup filesystems
- Associate dma_device_dir_t with device filesystem
- Set default file context for /var/run/systemd instead of /run/systemd
- Allow nmap create and use rdma socket
- Allow pkcs-slotd create and use netlink_kobject_uevent_socket
2021-06-09 16:42:40 +02:00
Zdenek Pytela
a4fcadc086 * Sun Jun 06 2021 Zdenek Pytela <zpytela@redhat.com> - 34.10-1
- Allow using opencryptoki for ipsec
- Allow using opencryptoki for certmonger
- Label var.lib.opencryptoki.* files and create pkcs_tmpfs_filetrans()
- Label /dev/dma_heap with dma_device_dir_t
- Allow syslogd watch non security dirs conditionally
- Introduce logging_syslogd_list_non_security_dirs tunable
- Remove openhpi module
- Allow udev to watch fixed disk devices
- Allow httpd_sys_script_t read, write, and map hugetlbfs files
- Allow apcupsd get attributes of cgroup filesystems
2021-06-06 23:32:21 +02:00
Zdenek Pytela
6b0b962be0 * Thu May 27 2021 Zdenek Pytela <zpytela@redhat.com> - 34.9-1
- Add kerberos object filetrans for nsswitchdomain
- Allow fail2ban watch various log files
- Add logging_watch_audit_log_files() and logging_watch_audit_log_dirs()
- Remove further modules recently removed from refpolicy
- Remove modules not shipped and not present in refpolicy
- Revert "Add permission open to files_read_inherited_tmp_files() interface"
- Revert "Allow pcp_pmlogger_t to use setrlimit BZ(1708951)"
- Revert "Dontaudit logrotate to setrlimit itself. rhbz#1309604"
- Revert "Allow cockpit_ws_t domain to set limits BZ(1701703)"
- Dontaudit setrlimit for domains that exec systemctl
- Allow kdump_t net_admin capability
- Allow nsswitch_domain read init pid lnk_files
- Label /dev/trng with random_device_t
- Label /run/systemd/default-hostname with hostname_etc_t
- Add default file context specification for dnf log files
- Label /dev/zram[0-9]+ block device files with fixed_disk_device_t
- Label /dev/udmabuf character device with dma_device_t
- Label /dev/dma_heap/* char devices with dma_device_t
- Label /dev/acpi_thermal_rel char device with acpi_device_t
2021-05-27 22:08:10 +02:00
Zdenek Pytela
cd4a089134 Remove temporary explicit /dev/nvme* relabeling 2021-05-20 15:16:05 +02:00
Zdenek Pytela
80410eaf30 * Thu May 20 2021 Zdenek Pytela <zpytela@redhat.com> - 34.8-1
- Allow local_login_t nnp_transition to login_userdomain
- Allow asterisk watch localization symlinks
- Allow NetworkManager_t to watch /etc
- Label /var/lib/kdump with kdump_var_lib_t
- Allow amanda get attributes of cgroup filesystems
- Allow sysadm_t nnp_domtrans to systemd_tmpfiles_t
- Allow install_t nnp_domtrans to setfiles_mac_t
- Allow fcoemon create sysfs files
2021-05-20 15:09:34 +02:00
Zdenek Pytela
30f8c042ae * Thu May 13 2021 Zdenek Pytela <zpytela@redhat.com> - 34.7-1
- Allow tgtd read and write infiniband devices
- Add a comment on virt_sandbox booleans with empty content
- Deprecate duplicate dev_write_generic_sock_files() interface
- Allow vnstatd_t map vnstatd_var_lib_t files
- Allow privoxy execmem
- Allow pmdakvm read information from the debug filesystem
- Add lockdown integrity into kernel_read_debugfs() and kernel_manage_debugfs()
- Add permissions to delete lnk_files into gnome_delete_home_config()
- Remove rules for inotifyfs
- Remove rules for anon_inodefs
- Allow systemd nnp_transition to login_userdomain
- Allow unconfined_t write other processes perf_event records
- Allow sysadm_t dbus chat with tuned
- Allow tuned write profile files with file transition
- Allow tuned manage perf_events
- Make domains use kernel_write_perf_event() and kernel_manage_perf_event()
2021-05-13 18:42:35 +02:00
Zdenek Pytela
4fecc6469f * Fri May 07 2021 Zdenek Pytela <zpytela@redhat.com> - 34.6-1
- Make domains use kernel_write_perf_event() and kernel_manage_perf_event()
- Add kernel_write_perf_event() and kernel_manage_perf_event()
- Allow syslogd_t watch root and var directories
- Allow unconfined_t read other processes perf_event records
- Allow login_userdomain read and map /var/lib/systemd files
- Allow NetworkManager watch its config dir
- Allow NetworkManager read and write z90crypt device
- Allow tgtd create and use rdma socket
- Allow aide connect to init with a unix socket
2021-05-07 18:08:57 +02:00
Zdenek Pytela
b900d641f6 * Tue May 04 2021 Zdenek Pytela <zpytela@redhat.com> - 34.5-1
- Grant execmem to varnishlog_t
- We no longer need signull for varnishlog_t
- Add map permission to varnishd_read_lib_files
- Allow systemd-sleep tlp_filetrans_named_content()
- Allow systemd-sleep execute generic programs
- Allow systemd-sleep execute shell
- Allow to sendmail read/write kerberos host rcache files
- Allow freshclam get attributes of cgroup filesystems
- Fix context of /run/systemd/timesync
- Allow udev create /run/gdm with proper type
- Allow chronyc socket file transition in user temp directory
- Allow virtlogd_t to create virt_var_lockd_t dir
- Allow pluto IKEv2 / ESP over TCP
2021-05-04 20:27:30 +02:00
Zdenek Pytela
2b76eb3833 * Tue Apr 27 2021 Zdenek Pytela <zpytela@redhat.com> - 34.4-1
- Allow domain create anonymous inodes
- Add anon_inode class to the policy
- Allow systemd-coredump getattr nsfs files and net_admin capability
- Allow systemd-sleep transition to sysstat_t
- Allow systemd-sleep transition to tlp_t
- Allow systemd-sleep transition to unconfined_service_t on bin_t executables
- Allow systemd-timedated watch runtime dir and its parent
- Allow system dbusd read /var/lib symlinks
- Allow unconfined_service_t confidentiality and integrity lockdown
- Label /var/lib/brltty with brltty_var_lib_t
- Allow domain and unconfined_domain_type watch /proc/PID dirs
- Additional permission for confined users loging into graphic session
- Make for screen fsetid/setuid/setgid permission conditional
- Allow for confined users acces to wtmp and run utempter
2021-04-27 19:55:59 +02:00
Zdenek Pytela
ab4d6094ae * Fri Apr 09 2021 Zdenek Pytela <zpytela@redhat.com> - 34.3-1
- Label /etc/redis as redis_conf_t
- Add brltty new permissions required by new upstream version
- Allow cups-lpd read its private runtime socket files
- Dontaudit daemon open and read init_t file
- Add file context specification for /var/tmp/tmp-inst
- Allow brltty create and use bluetooth_socket
- Allow usbmuxd get attributes of cgroup filesystems

* Tue Apr 06 2021 Zdenek Pytela <zpytela@redhat.com> - 34.2-1
- Allow usbmuxd get attributes of cgroup filesystems
- Allow accounts-daemon get attributes of cgroup filesystems
- Allow pool-geoclue get attributes of cgroup filesystems
- allow systemd-sleep to set timer for suspend-then-hibernate
- Allow aide connect to systemd-userdbd with a unix socket
- Add new interfaces with watch_mount and watch_with_perm permissions
- Add file context specification for /usr/libexec/realmd
- Allow /tmp file transition for dbus-daemon also for sock_file
- Allow login_userdomain create cgroup files
- Allow plymouthd_t exec generic program in bin directories

* Thu Apr 01 2021 Zdenek Pytela <zpytela@redhat.com> - 34.1-1
- Change the package versioning

* Thu Apr 01 2021 Zdenek Pytela <zpytela@redhat.com> - 3.14.8-10
- Allow plymouthd_t exec generic program in bin directories
- Allow dhcpc_t domain transition to chronyc_t
- Allow login_userdomain bind xmsg port
- Allow ibacm the net_raw and sys_rawio capabilities
- Allow nsswitch_domain read cgroup files
- Allow systemd-sleep create hardware state information files

* Mon Mar 29 2021 Zdenek Pytela <zpytela@redhat.com> - 3.14.8-9
- Add watch_with_perm_dirs_pattern file pattern
2021-04-09 22:45:41 +02:00
Zdenek Pytela
6ff3284cb2 * Fri Mar 26 2021 Zdenek Pytela <zpytela@redhat.com> - 3.14.8-8
- Allow arpwatch_t create netlink generic socket
- Allow postgrey read network state
- Add watch_mount_dirs_pattern file pattern
- Allow bluetooth_t dbus chat with fwupd_t
- Allow xdm_t watch accountsd lib directories
- Add additional interfaces for watching /boot
- Allow sssd_t get attributes of tmpfs filesystems
- Allow local_login_t get attributes of tmpfs filesystems
- Dontaudit domain the fowner capability
- Extend fs_manage_nfsd_fs() to allow managing dirs as well
- Allow spice-vdagentd watch systemd-logind session dirs
2021-03-26 16:10:54 +01:00
Zdenek Pytela
7e06a74914 * Fri Mar 19 2021 Zdenek Pytela <zpytela@redhat.com> - 3.14.8-7
- Allow xdm_t watch systemd-logind session dirs
- Allow xdm_t transition to system_dbusd_t
- Allow confined users login into graphic session
- Allow login_userdomain watch systemd login session dirs
- install_t: Allow NoNewPriv transition from systemd
- Remove setuid/setgid capabilities from mysqld_t
- Add context for new mariadbd executable files
- Allow netutils_t create netlink generic socket
- Allow systemd the audit_control capability conditionally
2021-03-19 21:52:07 +01:00
Zdenek Pytela
77437ed12d * Thu Mar 11 2021 Zdenek Pytela <zpytela@redhat.com> - 3.14.8-6
- Allow polkit-agent-helper-1 read logind sessions files
- Allow polkit-agent-helper read init state
- Allow login_userdomain watch generic device dirs
- Allow login_userdomain listen on bluetooth sockets
- Allow user_t and staff_t bind netlink_generic_socket
- Allow login_userdomain write inaccessible nodes
- Allow transition from xdm domain to unconfined_t domain.
- Add 'make validate' step to CI
- Disallow user_t run su/sudo and staff_t run su
- Fix typo in rsyncd.conf in rsync.if
- Add an alias for nvme_device_t
- Allow systemd watch and watch_reads unallocated ttys
2021-03-11 22:25:45 +01:00
Zdenek Pytela
dd41f17526 * Wed Mar 03 2021 Zdenek Pytela <zpytela@redhat.com> - 3.14.8-5
- Allow apmd watch generic device directories
- Allow kdump load a new kernel
- Add confidentiality lockdown permission to kernel_read_core_if()
- Allow keepalived read nsfs files
- Allow local_login_t get attributes of filesystems with ext attributes
- Allow keepalived read/write its private memfd: objects
- Add missing declaration in rpm_named_filetrans()
- Change param description in cron interfaces to userdomain_prefix
2021-03-03 11:24:58 +01:00
Zdenek Pytela
c7794d90ee Relabel /dev/nvme* explicitly
In the 9613e80506e7ffa37e9b150f2a3f8641dd7c26ea selinux-policy commit,
the type of nvme device files has changed from nvme_device_t to
fixed_disk_device_t.

This cannot currently be resolved in specfile selinux macros as fixfiles
excludes /dev entries. For files in /dev with changed context, restorecon
needs to be run explicitly to restore the context.

This is a temporary workaround till April 2021 when the updated policy
can be considered spread enough.
2021-03-01 11:50:07 +01:00
Zdenek Pytela
2faa5c2293 * Wed Feb 24 2021 Zdenek Pytela <zpytela@redhat.com> - 3.14.8-4
- iptables.fc: Add missing legacy entries
- iptables.fc: Remove some duplicate entries
- iptables.fc: Remove duplicate file context entries
- Allow libvirtd to create generic netlink sockets
- Allow libvirtd the fsetid capability
- Allow libvirtd to read /run/utmp
- Dontaudit sys_ptrace capability when calling systemctl
- Allow udisksd to read /dev/random
- Allow udisksd to watch files under /run/mount
- Allow udisksd to watch /etc
- Allow crond to watch user_cron_spool_t directories
- Allow accountsd watch xdm config directories
- Label /etc/avahi with avahi_conf_t
- Allow sssd get cgroup filesystems attributes and search cgroup dirs
- Allow systemd-hostnamed read udev runtime data
- Remove dev_getattr_sysfs_fs() interface calls for particular domains
- Allow domain stat the /sys filesystem
- Dontaudit NetworkManager write to initrc_tmp_t pipes
- policykit.te: Clean up watch rule for policykit_auth_t
- Revert further unnecessary watch rules
- Revert "Allow getty watch its private runtime files"
- Allow systemd watch generic /var directories
- Allow init watch network config files and lnk_files
- Allow systemd-sleep get attributes of fixed disk device nodes
- Complete initial policy for systemd-coredump
- Label SDC(scini) Dell Driver
- Allow upowerd to send syslog messages
- Remove the disk write permissions from tlp_t
- Label NVMe devices as fixed_disk_device_t
- Allow rhsmcertd bind tcp sockets to a generic node
- Allow systemd-importd manage machines.lock file
2021-02-24 10:14:28 +01:00
Zdenek Pytela
aa1f535cb2 * Tue Feb 16 2021 Zdenek Pytela <zpytela@redhat.com> - 3.14.8-3
- Allow unconfined integrity lockdown permission
- Relocate confidentiality lockdown rule from unconfined_domain_type to unconfined
- Allow systemd-machined manage systemd-userdbd runtime sockets
- Enable systemd-sysctl domtrans for udev
- Introduce kernel_load_unsigned_module interface and use it for couple domains
- Allow gpg watch user gpg secrets dirs
- Build also the container module in CI
- Remove duplicate code from kernel.te
- Allow restorecond to watch all non-auth directories
- Allow restorecond to watch its config file
2021-02-16 22:47:33 +01:00
Zdenek Pytela
15dc304d75 * Mon Feb 15 2021 Zdenek Pytela <zpytela@redhat.com> - 3.14.8-2
- Allow userdomain watch various filesystem objects
- Allow systemd-logind and systemd-sleep integrity lockdown permission
- Allow unconfined_t and kprop_t to create krb5_0.rcache2 with the right context
- Allow pulseaudio watch devices and systemd-logind session dirs
- Allow abrt-dump-journal-* watch generic log dirs and /run/log/journal dir
- Remove duplicate files_mounton_etc(init_t) call
- Add watch permissions to manage_* object permissions sets
- Allow journalctl watch generic log dirs and /run/log/journal dir
- Label /etc/resolv.conf as net_conf_t even when it's a symlink
- Allow SSSD to watch /var/run/NetworkManager
- Allow dnsmasq_t to watch /etc
- Remove unnecessary lines from the new watch interfaces
- Fix docstring for init_watch_dir()
- Allow xdm watch its private lib dirs, /etc, /usr
2021-02-15 20:38:28 +01:00
Zdenek Pytela
d558c4f1c7 * Thu Feb 11 2021 Zdenek Pytela <zpytela@redhat.com> - 3.14.8-1
- Bump version as Fedora 34 has been branched off rawhide
- Allow xdm watch its private lib dirs, /etc, /usr
- Allow systemd-importd create /run/systemd/machines.lock file
- Allow rhsmcertd_t read kpatch lib files
- Add integrity lockdown permission into dev_read_raw_memory()
- Add confidentiality lockdown permission into fs_rw_tracefs_files()
- Allow gpsd read and write ptp4l_t shared memory.
- Allow colord watch its private lib files and /usr
- Allow init watch_reads mount PID files
- Allow IPsec and Certmonger to use opencryptoki services
2021-02-11 22:08:31 +01:00
Zdenek Pytela
c7e90bc196 * Sun Feb 07 2021 Zdenek Pytela <zpytela@redhat.com> - 3.14.7-18
- Allow lockdown confidentiality for domains using perf_event
- define lockdown class and access
- Add perfmon capability for all domains using perf_event
- Allow ptp4l_t bpf capability to run bpf programs
- Revert "Allow ptp4l_t sys_admin capability to run bpf programs"
- access_vectors: Add new capabilities to cap2
- Allow systemd and systemd-resolved watch dbus pid objects
- Add new watch interfaces in the base and userdomain policy
- Add watch permissions for contrib packages
- Allow xdm watch /usr directories
- Allow getty watch its private runtime files
- Add watch permissions for nscd and sssd
- Add watch permissions for firewalld and NetworkManager
- Add watch permissions for syslogd
- Add watch permissions for systemd services
- Allow restorecond watch /etc dirs
- Add watch permissions for user domain types
- Add watch permissions for init
- Add basic watch interfaces for systemd
- Add basic watch interfaces to the base module
- Add additional watch object permissions sets and patterns
- Allow init_t to watch localization symlinks
- Allow init_t to watch mount directories
- Allow init_t to watch cgroup files
- Add basic watch patterns
- Add new watch* permissions
2021-02-08 21:24:07 +01:00
Zdenek Pytela
c2d5ebb406 * Fri Feb 05 2021 Zdenek Pytela <zpytela@redhat.com> - 3.14.7-17
- Update .copr/make-srpm.sh to use rawhide as DISTGIT_BRANCH
- Dontaudit setsched for rndc
- Allow systemd-logind destroy entries in message queue
- Add userdom_destroy_unpriv_user_msgq() interface
- ci: Install build dependencies from koji
- Dontaudit vhostmd to write in /var/lib/rpm/ dir and allow signull rpm
- Add new cmadmin port for bfdd dameon
- virtiofs supports Xattrs and SELinux
- Allow domain write to systemd-resolved PID socket files
- Label /var/run/pcsd-ruby.socket       socket with cluster_var_run_t type
- Allow rhsmcertd_t domain transition to kpatch_t
- Revert "Add kpatch_exec() interface"
- Revert "Allow rhsmcertd execute kpatch"
- Allow openvswitch create and use xfrm netlink sockets
- Allow openvswitch_t perf_event write permission
- Add kpatch_exec() interface
- Allow rhsmcertd execute kpatch
- Adds rule to allow glusterd to access RDMA socket
- radius: Lexical sort of service-specific corenet rules by service name
- VQP: Include IANA-assigned TCP/1589
- radius: Allow binding to the VQP port (VMPS)
- radius: Allow binding to the BDF Control and Echo ports
- radius: Allow binding to the DHCP client port
- radius: Allow net_raw; allow binding to the DHCP server ports
- Add rsync_sys_admin tunable to allow rsync sys_admin capability
- Allow staff_u run pam_console_apply
- Allow openvswitch_t perf_event open permission
- Allow sysadm read and write /dev/rfkill
- Allow certmonger fsetid capability
- Allow domain read usermodehelper state information
2021-02-05 12:51:30 +01:00
Fedora Release Engineering
b0dd6c6ef6 - Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
Signed-off-by: Fedora Release Engineering <releng@fedoraproject.org>
2021-01-27 20:11:38 +00:00
Petr Lautrbach
f38b38e51e Rebuild with SELinux userspace 3.2-rc1 release 2021-01-22 10:34:08 +01:00
Zdenek Pytela
ce671c04d8 Update specfile to not verify md5/size/mtime for active store files
The rpm-verify command reports changes for packaged files in the active
store (/var/lib/selinux) which are changed on the selinux-policy-*
packages updates. In order to pass the rpm verification process, the
specfile option %verify(not md5 size mtime) for each of the affected
files will prevent from reporting a failure in any of the rpm-verify
subtests:
- S file Size differs
- 5 digest (formerly MD5 sum) differs
- T mTime differs
2021-01-15 19:49:38 +01:00
Zdenek Pytela
d76e0b4040 * Fri Jan 8 18:41:06 CET 2021 Zdenek Pytela <zpytela@redhat.com> - 3.14.7-14
- Allow domain read usermodehelper state information
- Remove all kernel_read_usermodehelper_state() interface calls
- .copr: improve timestamp format
- Allow wireshark create and use rdma socket
- Allow domain stat /proc filesystem
- Remove all kernel_getattr_proc() interface calls
- Revert "Allow passwd to get attributes in proc_t"
- Revert "Allow dovecot_auth_t stat /proc filesystem"
- Revert "Allow sssd, unix_chkpwd, groupadd stat /proc filesystem"
- Allow sssd read /run/systemd directory
- Label /dev/vhost-vdpa-[0-9]+ as vhost_device_t
2021-01-08 18:44:14 +01:00
Zdenek Pytela
d5b79a1cb7 * Thu Dec 17 20:07:23 CET 2020 Zdenek Pytela <zpytela@redhat.com> - 3.14.7-13
- Label /dev/isst_interface as cpu_device_t
- Dontaudit firewalld dac_override capability
- Allow ipsec set the context of a SPD entry to the default context
- Build binary RPMs in CI
- Add SRPM build scripts for COPR
2020-12-17 20:11:46 +01:00
Ondrej Mosnacek
533a2f186e Remove useless mkdir command from minimum build
The directory will be created automatically by the install commands, so
no need to create it manually.

Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
2020-12-15 21:29:57 +00:00
Ondrej Mosnacek
ecfabbb8f3 Remove useless rm command from minimum build
There is no file actually created at that location during build, so the
command can be safely removed. Verified by removing the '-f' and
observing the build fail (file does not exist).

Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
2020-12-15 21:29:57 +00:00
Ondrej Mosnacek
167b0505ce Remove unnecessary steps from targeted policy build
We can install the permissivedomains.cil module directly, no need to
copy it to %{buildroot} first.

Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
2020-12-15 21:29:57 +00:00
Zdenek Pytela
fa72125856 * Tue Dec 15 16:24:44 CET 2020 Zdenek Pytela <zpytela@redhat.com> - 3.14.7-12
- Allow dovecot_auth_t stat /proc filesystem
- Allow sysadm_u user and unconfined_domain_type manage perf_events
- Allow pcp-pmcd manage perf_events
- Add manage_perf_event_perms object permissions set
- Add perf_event access vectors.
- Allow sssd, unix_chkpwd, groupadd stat /proc filesystem
- Allow stub-resolv.conf to be a symlink
- sysnetwork.if: avoid directly referencing systemd_resolved_var_run_t
- Create the systemd_dbus_chat_resolved() compatibility interface
- Allow nsswitch-domain write to systemd-resolved PID socket files
- Add systemd_resolved_write_pid_sock_files() interface
- Add default file context for "/var/run/chrony-dhcp(/.*)?"
- Allow timedatex dbus chat with cron system domain
- Add cron_dbus_chat_system_job() interface
- Allow systemd-logind manage init's pid files
2020-12-15 16:31:51 +01:00
Petr Lautrbach
0f3b08d5d1 Add make to BuildRequires
See https://fedoraproject.org/wiki/Changes/Remove_make_from_BuildRoot
2020-12-14 12:15:28 +01:00
Zdenek Pytela
8d02847dad * Wed Dec 9 15:39:03 CET 2020 Zdenek Pytela <zpytela@redhat.com> - 3.14.7-11
- Allow systemd-logind manage init's pid files
- Allow tcsd the setgid capability
- Allow systemd-resolved manage its private runtime symlinks
- Update systemd_resolved_read_pid() to also read symlinks
- Update systemd-sleep policy
- Add groupadd_t fowner capability
- Migrate to GitHub Actions
- Update README.md to reflect the state after contrib and base merge
- Add README.md announcing merging of selinux-policy and selinux-policy-contrib
- Adapt .travis.yml to contrib merge
- Merge contrib into the main repo
- Prepare to merge contrib repo
- Move stuff around to match the main repo
2020-12-09 15:42:48 +01:00