Commit Graph

5820 Commits

Author SHA1 Message Date
Lukas Vrabec
b040fbf78d Fix make-rhat-patches.sh script to download right version of docker policy. 2016-03-02 17:43:18 +01:00
Lukas Vrabec
a99d75d418 This change was originally introduced to fix contexts of files in
~/.config when there were no filename transition rules in SELinux
policy. These lines could be  removed. rhbz#1313464
2016-03-01 17:22:44 +01:00
Lukas Vrabec
20c9cf85eb Make rkt policy permissive in F24+ 2016-02-26 18:22:22 +01:00
Lukas Vrabec
cf1dbe818b Revert "Make rkt policy permissive in F24+"
This reverts commit 039bb26fd5.
2016-02-26 18:22:01 +01:00
Lukas Vrabec
ca25751cfd * Fri Feb 26 2016 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-175
- Fix new rkt policy (Remove some redundant rules, Fix cosmetic issues in interface file)
- Add policy for rkt services
2016-02-26 17:44:00 +01:00
Lukas Vrabec
039bb26fd5 Make rkt policy permissive in F24+ 2016-02-26 17:35:24 +01:00
Lukas Vrabec
b07cbca68f Make rkt policy active. 2016-02-26 17:34:45 +01:00
Lukas Vrabec
e98b0994a7 * Fri Feb 26 2016 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-174
- Revert "Allow systemd-logind to create .#nologinXXXXXX labeled as systemd_logind_var_run_t in /var/run/systemd/ rhbz#1285019"
- Allow systemd-logind to create .#nologinXXXXXX labeled as systemd_logind_var_run_t in /var/run/ rhbz#1285019
2016-02-26 14:55:26 +01:00
Lukas Vrabec
7ac3a50aaf * Fri Feb 26 2016 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-173
- Allow amanda to manipulate the tape changer to load the necessary tapes. rhbz#1311759
- Allow keepalived to create netlink generic sockets. rhbz#1311756
- Allow modemmanager to read /etc/passwd file.
- Label all files named /var/run/.*nologin.* as systemd_logind_var_run_t.
- Add filename transition to interface systemd_filetrans_named_content() that domain will create rfkill dir labeled as systemd_rfkill_var_lib_t instead of init_var_lib_t. rhbz #1290255
- Allow systemd-logind to create .#nologinXXXXXX labeled as systemd_logind_var_run_t in /var/run/systemd/ rhbz#1285019
- Allow systemd_networkd_t to write kmsg, when kernel was started with following params: systemd.debug systemd.log_level=debug systemd.log_target=kmsg rhbz#1311444
- Allow ipsec to read home certs, when connecting to VPN. rhbz#1301319
2016-02-26 13:34:18 +01:00
Lukas Vrabec
352a55a547 * Thu Feb 25 2016 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-172
- Fix macro name from snmp_manage_snmp_var_lib_files to snmp_manage_var_lib_files in cupsd policy.
- Allow hplip driver to write to its MIB index files stored in the /var/lib/net-snmp/mib_indexes. Resolves: rhbz#1291033
- Allow collectd setgid capability Resolves:#1310896
- Allow adcli running as sssd_t to write krb5.keytab file.
- Allow abrt-hook-ccpp to getattr on all executables. BZ(1284304)
- Allow kexec to read kernel module files in /usr/lib/modules.
- Add httpd_log_t for /var/log/graphite-web rhbz#1306981
- Remove redudant rules and fix _admin interface.
- Add SELinux policy for LTTng 2.x central tracing registry session daemon.
- Allow create mongodb unix dgram sockets. rhbz#1306819
- Support for InnoDB Tablespace Encryption.
- Dontaudit leaded file descriptors from firewalld
- Add port for rkt services
- Add support for the default lttng-sessiond port - tcp/5345.  This port is used by LTTng 2.x central tracing registry session daemon.
2016-02-25 13:20:35 +01:00
Lukas Vrabec
5d7b1f6d2e Fixes related to new SELinux userspace Add new files from userspace: /var/lib/selinux/targeted|mls|minimum/active/seusers /var/lib/selinux/targeted|mls|minimum/active/file_contexts /var/lib/selinux/targeted|mls|minimum/active/policy.kern 2016-02-25 12:02:25 +01:00
Lukas Vrabec
93a03bbf67 Make lttng-tools SELinux module active 2016-02-15 21:34:40 +01:00
Lukas Vrabec
b984541904 Make lttng_sessiond_t as permissive domain while is this policy just in rawhide 2016-02-15 21:32:35 +01:00
Lukas Vrabec
d6823d337b * Thu Feb 11 2016 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-171
- Allow setroubleshoot_fixit_t to use temporary files
2016-02-11 14:22:13 +01:00
Lukas Vrabec
ead49a5633 * Wed Feb 10 2016 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-170
- Allow abrt_dump_oops_t to getattr filesystem nsfs files. rhbz#1300334
- Allow ulogd_t to create netlink_netfilter sockets. rhbz#1305426
- Create new type fwupd_cert_t Label /etc/pki/(fwupd|fwupd-metadata) dirs as fwupd_cert_t Allow fwupd_t domain to read fwupd_cert_t files|lnk_files rhbz#1303533
- Add interface to dontaudit leaked files from firewalld
- fwupd needs to dbus chat with policykit
- Allow fwupd domain transition to gpg domain. Fwupd signing firmware updates by gpg. rhbz#1303531
- Allow abrt_dump_oops_t to check permissions for a /usr/bin/Xorg. rhbz#1284967
- Allow prelink_cron_system_t domain set resource limits. BZ(1190364)
- Allow pppd_t domain to create sockfiles in /var/run labeled as pppd_var_run_t label. BZ(1302666)
- Fix wrong name for openqa_websockets tcp port.
- Allow run sshd-keygen on second boot if first boot fails after some reason and content is not syncedon the disk. These changes are reflecting this commit in sshd. http://pkgs.fedoraproject.org/cgit/rpms/openssh.git/commit/?id=af94f46861844cbd6ba4162115039bebcc8f78ba rhbz#1299106
- Add interface ssh_getattr_server_keys() interface. rhbz#1299106
- Added Label openqa for tcp port (9526) Added Label openqa-websockets for tcp port (9527) rhbz#1277312
- Add interface fs_getattr_nsfs_files()
- Add interface xserver_exec().
- Revert "Allow all domains some process flags."BZ(1190364)
2016-02-10 13:11:01 +01:00
Lukas Vrabec
edb36e0557 * Wed Feb 03 2016 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-169
- Allow openvswitch domain capability sys_rawio.
- Revert "Allow NetworkManager create dhcpc pid files. BZ(1229755)"
- Allow openvswitch to manage hugetlfs files and dirs.
- Allow NetworkManager create dhcpc pid files. BZ(1229755)
- Allow apcupsd to read kernel network state. BZ(1282003)
- Label /sys/kernel/debug/tracing filesystem
- Add fs_manage_hugetlbfs_files() interface.
- Add sysnet_filetrans_dhcpc_pid() interface.
2016-02-03 10:57:06 +01:00
Lukas Vrabec
4c488a69fa * Wed Jan 20 2016 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-168
- Label virtlogd binary as virtd_exec_t. BZ(1291940)
- Allow iptables to read nsfs files. BZ(1296826)
2016-01-20 15:56:50 +01:00
Lukas Vrabec
6d3ee17c0b * Mon Jan 18 2016 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-167
- Add fwupd policy for daemon to allow session software to update device firmware
- Label /usr/libexec/ipa/oddjob/org.freeipa.server.conncheck as ipa_helper_exec_t. BZ(1289930)
- Allow systemd services to use PrivateNetwork feature
- Add a type and genfscon for nsfs.
- Fix SELinux context for rsyslog unit file. BZ(1284173)
2016-01-18 17:03:17 +01:00
Lukas Vrabec
3852fc17ea Add fwupd domain to permissivedomains 2016-01-18 14:53:09 +01:00
Lukas Vrabec
0cb9270926 Add fwupd module to modules-targeted-contrib.conf file. 2016-01-18 14:50:53 +01:00
Lukas Vrabec
7fe5489869 Fix typo troubles. 2016-01-13 17:18:32 +01:00
Lukas Vrabec
5d165e36c4 * Wed Jan 13 2016 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-166
- Allow logrotate to systemctl rsyslog service. BZ(1284173)
- Allow condor_master_t domain capability chown. BZ(1297048)
- Allow chronyd to be dbus bus client. BZ(1297129)
- Allow openvswitch read/write hugetlb filesystem.
- Revert "Allow openvswitch read/write hugetlb filesystem."
- Allow smbcontrol domain to send sigchld to ctdbd domain.
- Allow openvswitch read/write hugetlb filesystem.
- Merge branch 'rawhide-contrib' of github.com:fedora-selinux/selinux-policy into rawhide-contrib
- Label /var/log/ipareplica-conncheck.log file as ipa_log_t Allow ipa_helper_t domain to manage logs labeledas ipa_log_t Allow ipa_helper_t to connect on http and kerberos_passwd ports. BZ(1289930)
- Allow keepalived to connect to 3306/tcp port - mysqld_port_t.
- Merge remote-tracking branch 'refs/remotes/origin/rawhide-contrib' into rawhide-contrib
- Merge remote-tracking branch 'refs/remotes/origin/rawhide-contrib' into rawhide-contrib
- Merge pull request #86 from rhatdan/rawhide-contrib
- Label some new nsd binaries as nsd_exec_t Allow nsd domain net_admin cap. Create label nsd_tmp_t for nsd tmp files/dirs BZ (1293146)
- Added interface logging_systemctl_syslogd
- Label rsyslog unit file
- Added policy for systemd-coredump service. Added domain transition from kernel_t to systemd_coredump_t. Allow syslogd_t domain to read/write tmpfs systemd-coredump files. Make new domain uconfined for now.
2016-01-13 16:26:02 +01:00
Lukas Vrabec
936bb7a648 * Wed Jan 06 2016 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-165
- Allow sddm-helper running as xdm_t to create .wayland-errors with correct labeling. BZ(#1291085)
- Revert "Allow arping running as netutils_t sys_module capability for removing tap devices."
- Allow arping running as netutils_t sys_module capability for removing tap devices.
- Add userdom_connectto_stream() interface.
- Allow systemd-logind to read /run/utmp. BZ(#1278662)
- Allow sddm-helper running as xdm_t to create .wayland-errors with correct labeling. BZ(#1291085)
- Revert "Allow arping running as netutils_t sys_module capability for removing tap devices."
- Allow arping running as netutils_t sys_module capability for removing tap devices.
- Add userdom_connectto_stream() interface.
- Allow systemd-logind to read /run/utmp. BZ(#1278662)
2016-01-06 12:19:09 +01:00
Lukas Vrabec
f1750fb373 * Tue Dec 15 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-164
- Allow firewalld to create firewalld_var_run_t directory. BZ(1291243)
- Add interface firewalld_read_pid_files()
- Allow iptables to read firewalld pid files. BZ(1291243)
- Allow the user cronjobs to run in their userdomain
- Label ssdm binaries storedin /etc/sddm/ as bin_t. BZ(1288111)
- Merge pull request #81 from rhatdan/rawhide-base
- New access needed by systemd domains
2015-12-15 18:23:46 +01:00
Lukas Vrabec
ad3add7345 Add missing noreplace flag to file: %{_sysconfdir}/selinux/%1/contexts/files/file_contexts.local
This should keep local modification of policy after update/downgrade
selinux-policy package.

Thanks plautrba@redhat.com
2015-12-15 16:09:20 +01:00
Lukas Vrabec
5c898c0814 * Wed Dec 09 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-163
- Allow whack executed by sysadm SELinux user to access /var/run/pluto/pluto.ctl. It fixes "ipsec auto --status" executed by sysadm_t.
- Add ipsec_read_pid() interface
2015-12-09 14:42:39 +01:00
Miroslav Grepl
2b449e6e35 - Label /usr/sbin/lvmlockd binary file as lvm_exec_t. BZ(1287739)
- Adding support for dbus communication between systemd-networkd and systemd-hostnamed. BZ(1279182)
- Update init policy to have userdom_noatsecure_login_userdomain() and userdom_sigchld_login_userdomain() called for init_t.
- init_t domain should be running without unconfined_domain attribute.
- Add a new SELinux policy for /usr/lib/systemd/systemd-rfkill.
- Update userdom_transition_login_userdomain() to have "sigchld" and "noatsecure" permissions.
- systemd needs to access /dev/rfkill on early boot.
- Allow dspam to read /etc/passwd
2015-12-07 09:19:29 +01:00
Lukas Vrabec
71a663b812 * Mon Nov 30 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-161
- Set default value as true in boolean mozilla_plugin_can_network_connect. BZ(1286177)
2015-11-30 12:48:01 +01:00
Lukas Vrabec
e5fd601a61 Set default value as true in boolean mozilla_plugin_can_network_connect. 2015-11-27 16:21:05 +01:00
Lukas Vrabec
78826f0b99 * Tue Nov 24 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-160
- Allow apcupsd sending mails about battery state. BZ(1274018)
- Allow pcp_pmcd_t domain transition to lvm_t. BZ(1277779)
- Merge pull request #68 from rhatdan/rawhide-contrib
- Allow antivirus_t to bind to all unreserved ports. Clamd binds to random unassigned port (by default in range 1024-2048). #1248785
-  Allow systemd-networkd to bind dhcpd ports if DHCP=yes in *.network conf file. BZ(#1280092)
- systemd-tmpfiles performs operations on System V IPC objects which requires sys_admin capability. BZ(#1279269)
2015-11-24 15:49:54 +01:00
Miroslav Grepl
2fc3e7cbba /usr/sbim/semanage has been moved to policycoreutils-python-utils package which needs to be require in Post section for selinux-policy-minumum package. 2015-11-20 15:51:27 +01:00
Miroslav Grepl
0e84535c7a - Allow antivirus_t to bind to all unreserved ports. Clamd binds to random unassigned port (by default in range 1024-2048)
- Allow abrt-hook-ccpp to change SELinux user identity for created objects.
- Allow abrt-hook-ccpp to get attributes of all processes because of core_pattern.
- Allow setuid/setgid capabilities for abrt-hook-ccpp.
- Add default labeling for /etc/Pegasus/cimserver_current.conf. It is a correct patch instead of the current /etc/Pegasus/pegasus_current.conf.
- Allow fenced node dbus msg when using foghorn witch configured foghorn, snmpd, and snmptrapd.
- cockpit has grown content in /var/run directory
- Add support for /dev/mptctl device used to check RAID status.
- Allow systemd-hostnamed to communicate with dhcp via dbus.
- systemd-logind remove all IPC objects owned by a user on a logout. This covers also SysV memory. This change allows to destroy unpriviledged user SysV shared memory segments.
- Add userdom_destroy_unpriv_user_shared_mem() interface.
- Label /var/run/systemd/shutdown directory as systemd_logind_var_run_t to allow systemd-logind to access it if shutdown is invoked.
- Access needed by systemd-machine to manage docker containers
- Allow systemd-logind to read /run/utmp when shutdown is invoked.
2015-11-20 10:09:52 +01:00
Miroslav Grepl
982e483908 We need to cop *.local policy files to keep local customizations also after upgrades between old and new module store location. BZ(#1279621). 2015-11-12 16:01:20 +01:00
Miroslav Grepl
db55b65949 - Merge pull request #48 from lkundrak/contrib-openfortivpn
- unbound wants to use ephemeral ports as a default configuration. Allow to use also udp sockets.
2015-11-10 10:24:32 +01:00
Miroslav Grepl
5c3fd596c9 Add support for openfortivpn 2015-11-10 08:18:14 +01:00
Miroslav Grepl
02b374489f - The ABRT coredump handler has code to emulate default core file creation The handler runs in a separate process with abrt_dump_oops_t SELinux process type. abrt-hook-ccpp also saves the core dump file in the very same way as kernel does and a user can specify CWD location for a coredump. abrt-hook-ccpp has been made as a SELinux aware apps to create this coredumps with correct labeling and with this commit the policy rules have been updated to allow access all non security files on a system.
- Since /dev/log is a symlink, we need to allow relabelto also symlink. This commit update logging_relabel_devlog_dev() interface to allow it.
- systemd-user has pam_selinux support and needs to able to compute user security context if init_t is not unconfined domain.
2015-11-09 15:04:44 +01:00
Lukas Vrabec
0a89ba84bd We want conflicts with docker-selinux not docker package. 2015-10-27 16:14:11 +01:00
Lukas Vrabec
66791f96f6 * Tue Oct 27 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-156
- Allow fail2ban-client to execute ldconfig. #1268715
- Add interface virt_sandbox_domain()
- Use mmap_file_perms instead of exec_file_perms in setroubleshoot policy to shave off the execute_no_trans permission. Based on a github communication with Dominick Grift.
-all userdom_dontaudit_user_getattr_tmp_sockets instead() of usedom_dontaudit_user_getattr_tmp_sockets().
- Rename usedom_dontaudit_user_getattr_tmp_sockets() to userdom_dontaudit_user_getattr_tmp_sockets().
- Remove auth_login_pgm_domain(init_t) which has been added by accident.
- init_t needs to able to change SELinux identity because it is used as login_pgm domain because of systemd-user and PAM. It allows security_compute_user() returns a list of possible context and then a correct default label is returned by "selinux.get_default_context(sel_user,fromcon)" defined in the policy user config files.
- Add interface auth_use_nsswitch() to systemd_domain_template.
- Revert "auth_use_nsswitch can be used with attribute systemd_domain."
- auth_use_nsswitch can be used with attribute systemd_domain.
- ipsec: fix stringSwan charon-nm
- docker is communicating with systemd-machined
- Add missing systemd_dbus_chat_machined, needed by docker
2015-10-27 14:23:44 +01:00
Lukas Vrabec
0f46e07ae6 Add conflict with docker lower or eq as docker-1.9.0-9 2015-10-27 14:14:33 +01:00
Miroslav Grepl
856e20097e Update make-rhat-patches.sh to avoid git-checkout for patches creation. 2015-10-23 11:06:11 +02:00
Lukas Vrabec
03d22f204f Add smart script to create the latest selinux-policy patches from github and also download the latest docker policy from github 2015-10-22 16:39:15 +02:00
Lukas Vrabec
0bd6f9778c Add actual docker policy from docker-selinux repo. 2015-10-20 16:50:46 +02:00
Lukas Vrabec
5d2c760e35 * Tue Oct 20 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-155
- Build including docker selinux interfaces.
2015-10-20 16:28:15 +02:00
Lukas Vrabec
fadb0d2542 docker policy files support 2015-10-20 16:26:28 +02:00
Lukas Vrabec
0bdc2482e7 * Tue Oct 20 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-154
- Allow winbindd to send signull to kernel. BZ(#1269193)
- Merge branch 'rawhide-contrib-chrony' into rawhide-contrib
- Fixes for chrony version 2.2 BZ(#1259636)
  * Allow chrony chown capability
  * Allow sendto dgram_sockets to itself and to unconfined_t domains.
- Merge branch 'rawhide-contrib-chrony' into rawhide-contrib
- Add boolean allowing mysqld to connect to http port. #1262125
- Merge pull request #52 from 1dot75cm/rawhide-base
- Allow systemd_hostnamed to read xenfs_t files. BZ(#1233877)
- Fix attribute in corenetwork.if.in
2015-10-20 15:11:36 +02:00
Lukas Vrabec
8c4eb92cbb Added also pkcs11proxyd domains to permissivedomains. 2015-10-15 13:42:05 +02:00
Vit Mojzis
263716cfef Set recently created domains as permissive for testing period. Enable new ipmievd domain. #1241453 2015-10-15 13:40:32 +02:00
Lukas Vrabec
2bd687c904 * Tue Oct 13 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-153
- Allow abrt_t to read sysctl_net_t files. BZ(#1194280)
- Merge branch 'rawhide-contrib' of github.com:fedora-selinux/selinux-policy into rawhide-contrib
- Add abrt_stub interface.
- Add support for new mock location - /usr/libexec/mock/mock. BZ(#1270972)
- Allow usbmuxd to access /run/udev/data/+usb:*. BZ(#1269633)
- Allow qemu-bridge-helper to read /dev/random and /dev/urandom. BZ(#1267217)
- Allow sssd_t to manage samba var files/dirs to SSSD's GPO support which is enabled against an Active Directory domain. BZ(#1225200).
- Add samba_manage_var_dirs() interface.
- Allow pcp_pmlogger to exec bin_t BZ(#1258698)
- Allow spamd to read system network state. BZ(1260234)
- Allow fcoemon to create netlink scsitransport sockets BZ(#1260882)
- Allow networkmanager to create networkmanager_var_lib_t files. BZ(1270201)
- Allow systemd-networkd to read XEN state for Xen hypervisor. BZ(#1269916)
- Add fs_read_xenfs_files() interface.
- Allow systemd_machined_t to send dbus msgs to all users and read/write /dev/ptmx to make 'machinectl shell' working correctly.
- Allow systemd running as init_t to override the default context for key creation. BZ(#1267850)
2015-10-13 18:34:04 +02:00
Lukas Vrabec
a6a2539c66 * Thu Oct 08 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-152
- Allow pcp_pmlogger to read system state. BZ(1258699)
- Allow cupsd to connect on socket. BZ(1258089)
- Allow named to bind on ephemeral ports. BZ(#1259766)
- Allow iscsid create netlink iscsid sockets.
- We need allow connect to xserver for all sandbox_x domain because we have one type for all sandbox processes.
- Allow NetworkManager_t and policykit_t read access to systemd-machined pid files. #1255305
- Add missing labeling for /usr/libexec/abrt-hook-ccpp as a part of #1245477 and #1242467 bugs.
- Allow search dirs in sysfs types in kernel_read_security_state.
- Fix kernel_read_security_state interface that source domain of this interface can search sysctl_fs_t dirs.
2015-10-08 15:52:24 +02:00
Lukas Vrabec
0927e3f742 * Fri Oct 02 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-151
- Update modules_filetrans_named_content() to make sure we don't get modules_dep labeling by filename transitions.
- Remove /usr/lib/modules/[^/]+/modules\..+ labeling
- Add modutils_read_module_deps_files() which is called from files_read_kernel_modules() for module deps which are still labeled as modules_dep_t.
- Remove modules_dep_t labeling for kernel module deps. depmod is a symlink to kmod which is labeled as insmod_exec_t which handles modules_object_t and there is no transition to modules_dep_t. Also some of these module deps are placed by cpio during install/update of kernel package.
2015-10-02 19:11:32 +02:00