Commit Graph

1896 Commits

Author SHA1 Message Date
Lukas Vrabec
4c61782def * Fri Apr 08 2016 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-182
- rename several contrib modules according to their filenames
- Add interface gnome_filetrans_cert_home_content()
- By default container domains should not be allowed to create devices
- Allow unconfined_t to create ~/.local/share/networkmanagement/certificates/ as home_cert_t instead of data_home_t.
- Allow systemd_resolved_t to read /etc/passwd file. Allow systemd_resolved_t to write to kmsg_device_t when 'systemd.log_target=kmsg' option is used
- Allow systemd gpt generator to read removable devices. BZ(1323458)
- Allow systemd_gpt_generator_t sys_rawio capability. This access is needed to allow systemd gpt generator various device commands. BZ(1323454)
2016-04-08 14:11:58 +02:00
Lukas Vrabec
c1300100ed * Fri Apr 01 2016 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-181
- Label /usr/libexec/rpm-ostreed as rpm_exec_t. BZ(1309075)
- /bin/mailx is labeled sendmail_exec_t, and enters the sendmail_t domain on execution.  If /usr/sbin/sendmail does not have its own domain to transition to, and is not one of several products whose behavior is allowed by the sendmail_t policy, execution will fail. In this case we need to label /bin/mailx as bin_t. BZ(1323224)
- Label all run tgtd files, not just socket files.
- Allow prosody to stream connect to sasl. This will allow using cyrus authentication in prosody.
- Allow prosody to listen on port 5000 for mod_proxy65. BZ(1322815)
- Allow targetd to read/write to /dev/mapper/control device. BZ(1241415)
- Label /etc/selinux/(minimum|mls|targeted)/active/ as semanage_store_t.
- Allow systemd_resolved to read systemd_networkd run files. BZ(1322921)
- New cgroup2 file system in Rawhide
2016-04-01 18:15:00 +02:00
Lukas Vrabec
fac3fc97fa * Wed Mar 30 2016 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-180
- Allow dovecot_auth_t domain to manage also dovecot_var_run_t fifo files. BZ(1320415)
- Allow colord to read /etc/udev/hwdb.bin. rhzb#1316514
- sandboxX.te: Allow sandbox domain to have entrypoint access only for executables and mountpoints.
- Allow sandbox domain to have entrypoint access only for executables and mountpoints.
- Allow bitlee to create bitlee_var_t dirs.
- Allow CIM provider to read sssd public files.
- Fix some broken interfaces in distro policy.
- Allow power button to shutdown the laptop.
- Allow lsm plugins to create named fixed disks. rhbz#1238066
- Allow hyperv domains to rw hyperv devices. rhbz#1241636
- Label /var/www/html(/.*)?/wp_backups(/.*)? as httpd_sys_rw_content_t.
- Create conman_unconfined_script_t type for conman script stored in /use/share/conman/exec/
- Allow rsync_export_all_ro boolean to read also non_auth_dirs/files/symlinks.
- Allow pmdaapache labeled as pcp_pmcd_t access to port 80 for apache diagnostics
- Label nagios scripts as httpd_sys_script_exec_t.
- Allow nsd_t to bind on nsf_control tcp port. Allow nsd_crond_t to read nsd pid.
- Fix couple of cosmetic thing in new virtlogd_t policy. rhbz #1311576
- Merge pull request #104 from berrange/rawhide-contrib-virtlogd
- Label /var/run/ecblp0 as cupsd_var_run_t due to this fifo_file is used by epson drivers. rhbz#1310336
- Dontaudit logrotate to setrlimit itself. rhbz#1309604
- Add filename transition that /etc/princap will be created with cupsd_rw_etc_t label in cups_filetrans_named_content() interface.
- Allow pcp_pmie and pcp_pmlogger to read all domains state.
- Allow systemd-gpt-generator to create and manage systemd gpt generator unit files. BZ(1319446)
- Merge pull request #115 from rhatdan/nvidea
- Label all nvidia binaries as xserver_exec_t
- Add new systemd_hwdb_read_config() interface. rhbz#1316514
- Add back corecmd_read_all_executables() interface.
- Call files_type() instead of file_type() for unlabeled_t.
- Add files_entrypoint_all_mountpoint() interface.
- Make unlabeled only as a file_type type. It is a type for fallback if there is an issue with labeling.
- Add corecmd_entrypoint_all_executables() interface.
- Create hyperv* devices and create rw interfaces for this devices. rhbz#1309361
- Add neverallow assertion for unlabeled_t to increase policy security.
- Allow systemd-rfkill to create /var/lib/systemd/rfkill dir. rhbz#1319499
- Label 8952 tcp port as nsd_control.
- Allow to log out to gdm after screen was resized in session via vdagent. Resolves: rhbz#1249020
2016-03-30 12:56:26 +02:00
Lukas Vrabec
610d03d3bf Fix spec file by adding also 'Requires' where it is needed, not just 'Requires(pre)'. rhbz#1319119 2016-03-22 11:58:58 +01:00
Lukas Vrabec
2f93136bc2 There's no need to repeat files for all subsets again and again when
there's %fileList macro available.
2016-03-16 23:25:45 +01:00
Lukas Vrabec
3f0021e9f3 * Wed Mar 16 2016 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-179
- Add filename transition that /etc/princap will be created with cupsd_rw_etc_t label in cups_filetrans_named_content() interface.
- Revert "Add filename transition that /etc/princap will be created with cupsd_rw_etc_t label in cups_filetrans_named_content."
- Add filename transition that /etc/princap will be created with cupsd_rw_etc_t label in cups_filetrans_named_content.
- Allow pcp_pmie and pcp_pmlogger to read all domains state.
- Make fwupd domain unconfined. We need to discuss solution related to using gpg. rhbz#1316717
- Merge pull request #108 from rhatdan/rkt
- Merge pull request #109 from rhatdan/virt_sandbox
- Add new interface to define virt_sandbox_network domains
- Label /etc/redis-sentinel.conf as redis_conf_t. Allow redis_t write to redis_conf_t. Allow redis_t to connect on redis tcp port.
- Fix typo in drbd policy
- Remove declaration of empty booleans in virt policy.
- Add new drbd file type: drbd_var_run_t. Allow drbd_t to manage drbd_var_run_t files/dirs.
- Label /etc/ctdb/events.d/* as ctdb_exec_t. Allow ctdbd_t to setattr on ctdbd_exec_t files.
- Additional rules to make rkt work in enforcing mode
- Allow to log out to gdm after screen was resized in session via vdagent. Resolves: rhbz#1249020
- Allow ipsec to use pam. rhbz#1317988
- Allow systemd-gpt-generator to read fixed_disk_device_t. rhbz#1314968
- Allow setrans daemon to read /proc/meminfo.
- Merge pull request #107 from rhatdan/rkt-base
- Allow systemd_notify_t to write to kmsg_device_t when 'systemd.log_target=kmsg' option is used.
- Remove bin_t label for /etc/ctdb/events.d/. We need to label this scripts as ctdb_exec_t.
2016-03-16 13:59:24 +01:00
Lukas Vrabec
cdb2ae4578 * Thu Mar 10 2016 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-178
- Label tcp port 5355 as llmnr (Link-Local Multicast Name Resolution)
- Add support for systemd-resolved.
2016-03-10 12:50:06 +01:00
Lukas Vrabec
d14d3706d7 * Tue Mar 08 2016 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-177
- Allow spice-vdagent to getattr on tmpfs_t filesystems Resolves: rhbz#1276251
- Allow sending dbus msgs between firewalld and system_cronjob domains.
- Allow zabbix-agentd to connect to following tcp sockets. One of zabbix-agentd functions is get service status of ftp,http,innd,pop,smtp protocols. rhbz#1315354
- Allow snapperd mounton permissions for snapperd_data_t. BZ(#1314972)
- Add support for systemd-gpt-auto-generator. rhbz#1314968
- Add interface dev_read_nvme() to allow reading Non-Volatile Memory Host Controller devices.
- Add support for systemd-hwdb daemon. rhbz#1306243
2016-03-08 16:08:03 +01:00
Lukas Vrabec
9fc76d9ab8 * Thu Mar 03 2016 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-176
- Add new boolean tmpreaper_use_cifs() to allow tmpreaper to run on local directories being shared with Samba.
- Merge pull request #105 from rhatdan/NO_NEW_PRIV
- Fix new rkt policy
- Remove some redundant rules.
- Fix cosmetic issues in interface file.
- Merge pull request #100 from rhatdan/rawhide-contrib
- Add interface fs_setattr_cifs_dirs().
- Merge pull request #106 from rhatdan/NO_NEW_PRIV_BASE
- Fixed to make SELinux work with docker and prctl(NO_NEW_PRIVS)
- Build file_contexts.bin file_context.local.bin file_context.homedir.bin during build phase.
  This fixes an issue in Fedora live images when selinux-policy-targeted is not installed but just unpackaged: since there are no .bin files,
  file_contexts is parsed in selabel_open().
  Resolves: rhbz#1314372
2016-03-03 16:00:03 +01:00
Lukas Vrabec
dd88f3a1a7 Build file_contexts.bin file_context.local.bin file_context.homedir.bin during build phase. This fixes an issue in Fedora live images when selinux-policy-targeted is not installed but just unpackaged: since there are no .bin files, file_contexts is parsed in selabel_open(). Resolves: rhbz#1314372 2016-03-03 15:57:30 +01:00
Lukas Vrabec
a99d75d418 This change was originally introduced to fix contexts of files in
~/.config when there were no filename transition rules in SELinux
policy. These lines could be removed. rhbz#1313464
2016-03-01 17:22:44 +01:00
Lukas Vrabec
ca25751cfd * Fri Feb 26 2016 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-175
- Fix new rkt policy (Remove some redundant rules, Fix cosmetic issues in interface file)
- Add policy for rkt services
2016-02-26 17:44:00 +01:00
Lukas Vrabec
e98b0994a7 * Fri Feb 26 2016 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-174
- Revert "Allow systemd-logind to create .#nologinXXXXXX labeled as systemd_logind_var_run_t in /var/run/systemd/ rhbz#1285019"
- Allow systemd-logind to create .#nologinXXXXXX labeled as systemd_logind_var_run_t in /var/run/ rhbz#1285019
2016-02-26 14:55:26 +01:00
Lukas Vrabec
7ac3a50aaf * Fri Feb 26 2016 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-173
- Allow amanda to manipulate the tape changer to load the necessary tapes. rhbz#1311759
- Allow keepalived to create netlink generic sockets. rhbz#1311756
- Allow modemmanager to read /etc/passwd file.
- Label all files named /var/run/.*nologin.* as systemd_logind_var_run_t.
- Add filename transition to interface systemd_filetrans_named_content() that domain will create rfkill dir labeled as systemd_rfkill_var_lib_t instead of init_var_lib_t. rhbz #1290255
- Allow systemd-logind to create .#nologinXXXXXX labeled as systemd_logind_var_run_t in /var/run/systemd/ rhbz#1285019
- Allow systemd_networkd_t to write kmsg, when kernel was started with following params: systemd.debug systemd.log_level=debug systemd.log_target=kmsg rhbz#1311444
- Allow ipsec to read home certs, when connecting to VPN. rhbz#1301319
2016-02-26 13:34:18 +01:00
Lukas Vrabec
352a55a547 * Thu Feb 25 2016 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-172
- Fix macro name from snmp_manage_snmp_var_lib_files to snmp_manage_var_lib_files in cupsd policy.
- Allow hplip driver to write to its MIB index files stored in the /var/lib/net-snmp/mib_indexes. Resolves: rhbz#1291033
- Allow collectd setgid capability Resolves:#1310896
- Allow adcli running as sssd_t to write krb5.keytab file.
- Allow abrt-hook-ccpp to getattr on all executables. BZ(1284304)
- Allow kexec to read kernel module files in /usr/lib/modules.
- Add httpd_log_t for /var/log/graphite-web rhbz#1306981
- Remove redundant rules and fix _admin interface.
- Add SELinux policy for LTTng 2.x central tracing registry session daemon.
- Allow create mongodb unix dgram sockets. rhbz#1306819
- Support for InnoDB Tablespace Encryption.
- Dontaudit leaked file descriptors from firewalld
- Add port for rkt services
- Add support for the default lttng-sessiond port - tcp/5345.  This port is used by LTTng 2.x central tracing registry session daemon.
2016-02-25 13:20:35 +01:00
Lukas Vrabec
5d7b1f6d2e Fixes related to new SELinux userspace. Add new files from userspace: /var/lib/selinux/targeted|mls|minimum/active/seusers, /var/lib/selinux/targeted|mls|minimum/active/file_contexts, /var/lib/selinux/targeted|mls|minimum/active/policy.kern 2016-02-25 12:02:25 +01:00
Lukas Vrabec
d6823d337b * Thu Feb 11 2016 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-171
- Allow setroubleshoot_fixit_t to use temporary files
2016-02-11 14:22:13 +01:00
Lukas Vrabec
ead49a5633 * Wed Feb 10 2016 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-170
- Allow abrt_dump_oops_t to getattr filesystem nsfs files. rhbz#1300334
- Allow ulogd_t to create netlink_netfilter sockets. rhbz#1305426
- Create new type fwupd_cert_t. Label /etc/pki/(fwupd|fwupd-metadata) dirs as fwupd_cert_t. Allow fwupd_t domain to read fwupd_cert_t files|lnk_files. rhbz#1303533
- Add interface to dontaudit leaked files from firewalld
- fwupd needs to dbus chat with policykit
- Allow fwupd domain transition to gpg domain. Fwupd signing firmware updates by gpg. rhbz#1303531
- Allow abrt_dump_oops_t to check permissions for a /usr/bin/Xorg. rhbz#1284967
- Allow prelink_cron_system_t domain set resource limits. BZ(1190364)
- Allow pppd_t domain to create sockfiles in /var/run labeled as pppd_var_run_t label. BZ(1302666)
- Fix wrong name for openqa_websockets tcp port.
- Allow running sshd-keygen on second boot if first boot fails for some reason and content is not synced on the disk. These changes reflect this commit in sshd: http://pkgs.fedoraproject.org/cgit/rpms/openssh.git/commit/?id=af94f46861844cbd6ba4162115039bebcc8f78ba rhbz#1299106
- Add interface ssh_getattr_server_keys() interface. rhbz#1299106
- Added label openqa for tcp port (9526). Added label openqa-websockets for tcp port (9527). rhbz#1277312
- Add interface fs_getattr_nsfs_files()
- Add interface xserver_exec().
- Revert "Allow all domains some process flags." BZ(1190364)
2016-02-10 13:11:01 +01:00
Lukas Vrabec
edb36e0557 * Wed Feb 03 2016 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-169
- Allow openvswitch domain capability sys_rawio.
- Revert "Allow NetworkManager create dhcpc pid files. BZ(1229755)"
- Allow openvswitch to manage hugetlfs files and dirs.
- Allow NetworkManager create dhcpc pid files. BZ(1229755)
- Allow apcupsd to read kernel network state. BZ(1282003)
- Label /sys/kernel/debug/tracing filesystem
- Add fs_manage_hugetlbfs_files() interface.
- Add sysnet_filetrans_dhcpc_pid() interface.
2016-02-03 10:57:06 +01:00
Lukas Vrabec
4c488a69fa * Wed Jan 20 2016 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-168
- Label virtlogd binary as virtd_exec_t. BZ(1291940)
- Allow iptables to read nsfs files. BZ(1296826)
2016-01-20 15:56:50 +01:00
Lukas Vrabec
6d3ee17c0b * Mon Jan 18 2016 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-167
- Add fwupd policy for daemon to allow session software to update device firmware
- Label /usr/libexec/ipa/oddjob/org.freeipa.server.conncheck as ipa_helper_exec_t. BZ(1289930)
- Allow systemd services to use PrivateNetwork feature
- Add a type and genfscon for nsfs.
- Fix SELinux context for rsyslog unit file. BZ(1284173)
2016-01-18 17:03:17 +01:00
Lukas Vrabec
5d165e36c4 * Wed Jan 13 2016 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-166
- Allow logrotate to systemctl rsyslog service. BZ(1284173)
- Allow condor_master_t domain capability chown. BZ(1297048)
- Allow chronyd to be dbus bus client. BZ(1297129)
- Allow openvswitch read/write hugetlb filesystem.
- Revert "Allow openvswitch read/write hugetlb filesystem."
- Allow smbcontrol domain to send sigchld to ctdbd domain.
- Allow openvswitch read/write hugetlb filesystem.
- Merge branch 'rawhide-contrib' of github.com:fedora-selinux/selinux-policy into rawhide-contrib
- Label /var/log/ipareplica-conncheck.log file as ipa_log_t. Allow ipa_helper_t domain to manage logs labeled as ipa_log_t. Allow ipa_helper_t to connect on http and kerberos_passwd ports. BZ(1289930)
- Allow keepalived to connect to 3306/tcp port - mysqld_port_t.
- Merge remote-tracking branch 'refs/remotes/origin/rawhide-contrib' into rawhide-contrib
- Merge remote-tracking branch 'refs/remotes/origin/rawhide-contrib' into rawhide-contrib
- Merge pull request #86 from rhatdan/rawhide-contrib
- Label some new nsd binaries as nsd_exec_t. Allow nsd domain net_admin cap. Create label nsd_tmp_t for nsd tmp files/dirs. BZ(1293146)
- Added interface logging_systemctl_syslogd
- Label rsyslog unit file
- Added policy for systemd-coredump service. Added domain transition from kernel_t to systemd_coredump_t. Allow syslogd_t domain to read/write tmpfs systemd-coredump files. Make new domain unconfined for now.
2016-01-13 16:26:02 +01:00
Lukas Vrabec
936bb7a648 * Wed Jan 06 2016 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-165
- Allow sddm-helper running as xdm_t to create .wayland-errors with correct labeling. BZ(#1291085)
- Revert "Allow arping running as netutils_t sys_module capability for removing tap devices."
- Allow arping running as netutils_t sys_module capability for removing tap devices.
- Add userdom_connectto_stream() interface.
- Allow systemd-logind to read /run/utmp. BZ(#1278662)
2016-01-06 12:19:09 +01:00
Lukas Vrabec
f1750fb373 * Tue Dec 15 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-164
- Allow firewalld to create firewalld_var_run_t directory. BZ(1291243)
- Add interface firewalld_read_pid_files()
- Allow iptables to read firewalld pid files. BZ(1291243)
- Allow the user cronjobs to run in their userdomain
- Label sddm binaries stored in /etc/sddm/ as bin_t. BZ(1288111)
- Merge pull request #81 from rhatdan/rawhide-base
- New access needed by systemd domains
2015-12-15 18:23:46 +01:00
Lukas Vrabec
ad3add7345 Add missing noreplace flag to file: %{_sysconfdir}/selinux/%1/contexts/files/file_contexts.local
This should keep local modifications of the policy after an update/downgrade of the
selinux-policy package.

Thanks plautrba@redhat.com
2015-12-15 16:09:20 +01:00
Lukas Vrabec
5c898c0814 * Wed Dec 09 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-163
- Allow whack executed by sysadm SELinux user to access /var/run/pluto/pluto.ctl. It fixes "ipsec auto --status" executed by sysadm_t.
- Add ipsec_read_pid() interface
2015-12-09 14:42:39 +01:00
Miroslav Grepl
2b449e6e35 - Label /usr/sbin/lvmlockd binary file as lvm_exec_t. BZ(1287739)
- Adding support for dbus communication between systemd-networkd and systemd-hostnamed. BZ(1279182)
- Update init policy to have userdom_noatsecure_login_userdomain() and userdom_sigchld_login_userdomain() called for init_t.
- init_t domain should be running without unconfined_domain attribute.
- Add a new SELinux policy for /usr/lib/systemd/systemd-rfkill.
- Update userdom_transition_login_userdomain() to have "sigchld" and "noatsecure" permissions.
- systemd needs to access /dev/rfkill on early boot.
- Allow dspam to read /etc/passwd
2015-12-07 09:19:29 +01:00
Lukas Vrabec
71a663b812 * Mon Nov 30 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-161
- Set default value as true in boolean mozilla_plugin_can_network_connect. BZ(1286177)
2015-11-30 12:48:01 +01:00
Lukas Vrabec
78826f0b99 * Tue Nov 24 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-160
- Allow apcupsd sending mails about battery state. BZ(1274018)
- Allow pcp_pmcd_t domain transition to lvm_t. BZ(1277779)
- Merge pull request #68 from rhatdan/rawhide-contrib
- Allow antivirus_t to bind to all unreserved ports. Clamd binds to random unassigned port (by default in range 1024-2048). #1248785
- Allow systemd-networkd to bind dhcpd ports if DHCP=yes in *.network conf file. BZ(#1280092)
- systemd-tmpfiles performs operations on System V IPC objects which requires sys_admin capability. BZ(#1279269)
2015-11-24 15:49:54 +01:00
Miroslav Grepl
2fc3e7cbba /usr/sbin/semanage has been moved to policycoreutils-python-utils package, which needs to be required in the Post section for the selinux-policy-minimum package. 2015-11-20 15:51:27 +01:00
Miroslav Grepl
0e84535c7a - Allow antivirus_t to bind to all unreserved ports. Clamd binds to random unassigned port (by default in range 1024-2048)
- Allow abrt-hook-ccpp to change SELinux user identity for created objects.
- Allow abrt-hook-ccpp to get attributes of all processes because of core_pattern.
- Allow setuid/setgid capabilities for abrt-hook-ccpp.
- Add default labeling for /etc/Pegasus/cimserver_current.conf. It is a correct patch instead of the current /etc/Pegasus/pegasus_current.conf.
- Allow fenced node dbus msg when using foghorn with configured foghorn, snmpd, and snmptrapd.
- cockpit has grown content in /var/run directory
- Add support for /dev/mptctl device used to check RAID status.
- Allow systemd-hostnamed to communicate with dhcp via dbus.
- systemd-logind removes all IPC objects owned by a user on logout. This covers also SysV memory. This change allows destroying unprivileged user SysV shared memory segments.
- Add userdom_destroy_unpriv_user_shared_mem() interface.
- Label /var/run/systemd/shutdown directory as systemd_logind_var_run_t to allow systemd-logind to access it if shutdown is invoked.
- Access needed by systemd-machine to manage docker containers
- Allow systemd-logind to read /run/utmp when shutdown is invoked.
2015-11-20 10:09:52 +01:00
Miroslav Grepl
982e483908 We need to copy *.local policy files to keep local customizations also after upgrades between old and new module store location. BZ(#1279621). 2015-11-12 16:01:20 +01:00
Miroslav Grepl
db55b65949 - Merge pull request #48 from lkundrak/contrib-openfortivpn
- unbound wants to use ephemeral ports as a default configuration. Allow to use also udp sockets.
2015-11-10 10:24:32 +01:00
Miroslav Grepl
02b374489f - The ABRT coredump handler has code to emulate default core file creation. The handler runs in a separate process with abrt_dump_oops_t SELinux process type. abrt-hook-ccpp also saves the core dump file in the very same way as the kernel does, and a user can specify CWD location for a coredump. abrt-hook-ccpp has been made an SELinux-aware app to create these coredumps with correct labeling, and with this commit the policy rules have been updated to allow access to all non-security files on a system.
- Since /dev/log is a symlink, we need to allow relabelto also symlink. This commit update logging_relabel_devlog_dev() interface to allow it.
- systemd-user has pam_selinux support and needs to be able to compute user security context if init_t is not an unconfined domain.
2015-11-09 15:04:44 +01:00
Lukas Vrabec
0a89ba84bd We want conflicts with docker-selinux not docker package. 2015-10-27 16:14:11 +01:00
Lukas Vrabec
66791f96f6 * Tue Oct 27 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-156
- Allow fail2ban-client to execute ldconfig. #1268715
- Add interface virt_sandbox_domain()
- Use mmap_file_perms instead of exec_file_perms in setroubleshoot policy to shave off the execute_no_trans permission. Based on a github communication with Dominick Grift.
- Call userdom_dontaudit_user_getattr_tmp_sockets() instead of usedom_dontaudit_user_getattr_tmp_sockets().
- Rename usedom_dontaudit_user_getattr_tmp_sockets() to userdom_dontaudit_user_getattr_tmp_sockets().
- Remove auth_login_pgm_domain(init_t) which has been added by accident.
- init_t needs to be able to change SELinux identity because it is used as login_pgm domain because of systemd-user and PAM. It allows security_compute_user() to return a list of possible contexts, and then a correct default label is returned by "selinux.get_default_context(sel_user,fromcon)" defined in the policy user config files.
- Add interface auth_use_nsswitch() to systemd_domain_template.
- Revert "auth_use_nsswitch can be used with attribute systemd_domain."
- auth_use_nsswitch can be used with attribute systemd_domain.
- ipsec: fix strongSwan charon-nm
- docker is communicating with systemd-machined
- Add missing systemd_dbus_chat_machined, needed by docker
2015-10-27 14:23:44 +01:00
Lukas Vrabec
0f46e07ae6 Add conflict with docker lower than or equal to docker-1.9.0-9 2015-10-27 14:14:33 +01:00
Lukas Vrabec
5d2c760e35 * Tue Oct 20 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-155
- Build including docker selinux interfaces.
2015-10-20 16:28:15 +02:00
Lukas Vrabec
fadb0d2542 docker policy files support 2015-10-20 16:26:28 +02:00
Lukas Vrabec
0bdc2482e7 * Tue Oct 20 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-154
- Allow winbindd to send signull to kernel. BZ(#1269193)
- Merge branch 'rawhide-contrib-chrony' into rawhide-contrib
- Fixes for chrony version 2.2 BZ(#1259636)
  * Allow chrony chown capability
  * Allow sendto dgram_sockets to itself and to unconfined_t domains.
- Merge branch 'rawhide-contrib-chrony' into rawhide-contrib
- Add boolean allowing mysqld to connect to http port. #1262125
- Merge pull request #52 from 1dot75cm/rawhide-base
- Allow systemd_hostnamed to read xenfs_t files. BZ(#1233877)
- Fix attribute in corenetwork.if.in
2015-10-20 15:11:36 +02:00
Lukas Vrabec
2bd687c904 * Tue Oct 13 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-153
- Allow abrt_t to read sysctl_net_t files. BZ(#1194280)
- Merge branch 'rawhide-contrib' of github.com:fedora-selinux/selinux-policy into rawhide-contrib
- Add abrt_stub interface.
- Add support for new mock location - /usr/libexec/mock/mock. BZ(#1270972)
- Allow usbmuxd to access /run/udev/data/+usb:*. BZ(#1269633)
- Allow qemu-bridge-helper to read /dev/random and /dev/urandom. BZ(#1267217)
- Allow sssd_t to manage samba var files/dirs for SSSD's GPO support, which is enabled against an Active Directory domain. BZ(#1225200).
- Add samba_manage_var_dirs() interface.
- Allow pcp_pmlogger to exec bin_t BZ(#1258698)
- Allow spamd to read system network state. BZ(1260234)
- Allow fcoemon to create netlink scsitransport sockets BZ(#1260882)
- Allow networkmanager to create networkmanager_var_lib_t files. BZ(1270201)
- Allow systemd-networkd to read XEN state for Xen hypervisor. BZ(#1269916)
- Add fs_read_xenfs_files() interface.
- Allow systemd_machined_t to send dbus msgs to all users and read/write /dev/ptmx to make 'machinectl shell' working correctly.
- Allow systemd running as init_t to override the default context for key creation. BZ(#1267850)
2015-10-13 18:34:04 +02:00
Lukas Vrabec
a6a2539c66 * Thu Oct 08 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-152
- Allow pcp_pmlogger to read system state. BZ(1258699)
- Allow cupsd to connect on socket. BZ(1258089)
- Allow named to bind on ephemeral ports. BZ(#1259766)
- Allow iscsid create netlink iscsid sockets.
- We need to allow connecting to xserver for all sandbox_x domains because we have one type for all sandbox processes.
- Allow NetworkManager_t and policykit_t read access to systemd-machined pid files. #1255305
- Add missing labeling for /usr/libexec/abrt-hook-ccpp as a part of #1245477 and #1242467 bugs.
- Allow search dirs in sysfs types in kernel_read_security_state.
- Fix kernel_read_security_state interface that source domain of this interface can search sysctl_fs_t dirs.
2015-10-08 15:52:24 +02:00
Lukas Vrabec
0927e3f742 * Fri Oct 02 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-151
- Update modules_filetrans_named_content() to make sure we don't get modules_dep labeling by filename transitions.
- Remove /usr/lib/modules/[^/]+/modules\..+ labeling
- Add modutils_read_module_deps_files() which is called from files_read_kernel_modules() for module deps which are still labeled as modules_dep_t.
- Remove modules_dep_t labeling for kernel module deps. depmod is a symlink to kmod which is labeled as insmod_exec_t which handles modules_object_t and there is no transition to modules_dep_t. Also some of these module deps are placed by cpio during install/update of kernel package.
2015-10-02 19:11:32 +02:00
Lukas Vrabec
61514837cc * Fri Oct 02 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-150
- Allow acpid to attempt to connect to the Linux kernel via generic netlink socket.
- Clean up pkcs11proxyd policy.
- We need to require sandbox_web_type attribute in sandbox_x_domain_template().
- Revert "depmod is a symlink to insmod so it runs as insmod_t. It causes that dep kernel modules files are not created with the correct labeling modules_dep_t. This fix adds filenametrans rules for insmod_t."
- depmod is a symlink to insmod so it runs as insmod_t. It causes that dep kernel modules files are not created with the correct labeling modules_dep_t. This fix adds filenametrans rules for insmod_t.
- Update files_read_kernel_modules() to contain modutils_read_module_deps() calling because module deps labeling has been updated and it allows to avoid regressions.
- Update modules_filetrans_named_content() interface to cover more modules.* files.
- New policy for systemd-machined. #1255305
- In Rawhide/F24, we added pam_selinux.so support for systemd-users to have user sessions running under correct SELinux labeling. It also supports another new feature with systemd+dbus and we have sessions dbuses running with the correct labeling - unconfined_dbus_t for example.
- Allow systemd-logind read access to efivarfs - Linux Kernel configuration options for UEFI systems (UEFI Runtime Variables). #1244973, #1267207 (partial solution)
- Merge pull request #42 from vmojzis/rawhide-base
- Add interface to allow reading files in efivarfs - contains Linux Kernel configuration options for UEFI systems (UEFI Runtime Variables)
2015-10-02 13:49:11 +02:00
Lukas Vrabec
b03747cd87 * Tue Sep 29 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-149
- Add few rules related to new policy for pkcs11proxyd
- Added new policy for pkcs11proxyd daemon
- We need to require sandbox_web_type attribute in sandbox_x_domain_template().
- Dontaudit abrt_t to rw lvm_lock_t dir.
- Allow abrt_d domain to write to kernel msg device.
- Add interface lvm_dontaudit_rw_lock_dir()
- Merge pull request #35 from lkundrak/lr-libreswan
2015-09-29 18:17:13 +02:00
Lukas Vrabec
ec0c1bc01e * Tue Sep 22 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-148
- Update config.tgz to reflect changes in default context for SELinux users related to pam_selinux.so which is now used in systemd-users.
- Added support for permissive domains
- Allow rpcbind_t domain to change file owner and group
- rpm-ostree has a daemon mode now and need to speak to polkit/logind for authorization. BZ(#1264988)
- Allow dnssec-trigger to send generic signal to Network-Manager. BZ(#1242578)
- Allow smbcontrol to create a socket in /var/samba, which it uses for communication with smbd, nmbd and winbind.
- Revert "Add apache_read_pid_files() interface"
- Allow dirsrv-admin read httpd pid files.
- Add apache_read_pid_files() interface
- Add label for dirsrv-admin unit file.
- Allow qpid daemon to connect on amqp tcp port.
- Allow dirsrvadmin-script to read /etc/passwd file. Allow dirsrvadmin-script to exec systemctl.
- Add labels for afs binaries: dafileserver, davolserver, salvageserver, dasalvager
- Add lsmd_plugin_t sys_admin capability, Allow lsmd_plugin_t getattr from sysfs filesystem.
- Allow rhsmcertd_t send signull to unconfined_service_t domains.
- Revert "Allow pcp to read docker lib files."
- Label /usr/libexec/dbus-1/dbus-daemon-launch-helper  as dbusd_exec_t to have systemd dbus services running in the correct domain instead of unconfined_service_t if unconfined.pp module is enabled. BZ(#1262993)
- Allow pcp to read docker lib files.
- Revert "init_t needs to be login_pgm domain because of systemd-users + pam_selinux.so"
- Add login_userdomain attribute also for unconfined_t.
- Add userdom_login_userdomain() interface.
- Label /etc/ipa/nssdb dir as cert_t
- init_t needs to be login_pgm domain because of systemd-users + pam_selinux.so
- Add interface unconfined_server_signull() to allow domains send signull to unconfined_service_t
- Call userdom_transition_login_userdomain() instead of userdom_transition() in init.te related to pam_selinux.so+systemd-users.
- Add userdom_transition_login_userdomain() interface
- Allow user domains with login_userdomain to have entrypoint access on init_exec. It is needed by pam_selinux.so call in systemd-users. BZ(#1263350)
- Add init_entrypoint_exec() interface.
- Allow init_t to have transition allow rule for userdomain if pam_selinux.so is used in /etc/pam.d/systemd-user. It ensures that systemd user sessions will run with correct userdomain types instead of init_t. BZ(#1263350)
2015-09-22 18:00:08 +02:00
Lukas Vrabec
7c8404da3f Added support for permissive domains 2015-09-22 14:28:30 +02:00
Lukas Vrabec
2818673721 * Mon Sep 14 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-147
- named wants to access /proc/sys/net/ipv4/ip_local_port_range to get ephemeral range. BZ(#1260272)
- Allow user screen domains to list directories in HOMEDIR with user_home_t labeling.
- Dontaudit fenced search gnome config
- Allow teamd running as NetworkManager_t to access netlink_generic_socket to allow multiple network interfaces to be teamed together. BZ(#1259180)
- Fix for watchdog_unconfined_exec_read_lnk_files, Add also dir search perms in watchdog_unconfined_exec_t.
- Sanlock policy update. #1255307 - New sub-domain for sanlk-reset daemon
- Fix labeling for fence_scsi_check script
- Allow openhpid to read system state. Allow openhpid to connect to tcp http port.
- Allow openhpid to read snmp var lib files.
- Allow openvswitch_t domains read kernel dependencies due to openvswitch run modprobe
- Fix regexp in chronyd.fc file
- systemd-logind needs to be able to act with /usr/lib/systemd/system/poweroff.target to allow shutdown system. BZ(#1260175)
- Allow systemd-udevd to access netlink_route_socket to change names for network interfaces without unconfined.pp module. It affects also MLS.
- Allow unconfined_t domains to create /var/run/xtables.lock with iptables_var_run_t
- Remove bin_t label for /usr/share/cluster/fence_scsi_check\.pl
2015-09-14 09:29:16 +02:00
Lukas Vrabec
73a6a99de0 Add files homedir_template and users_extra to selinux-policy-* packages. 2015-09-09 10:23:56 +02:00
Lukas Vrabec
f1ab24fa93 * Tue Sep 01 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-146
- Allow passenger to getattr filesystem xattr
- Revert "Allow pegasus_openlmi_storage_t create mdadm.conf.anacbak file in /etc."
- Label mdadm.conf.anackbak as mdadm_conf_t file.
- Allow dnssec-trigger to relabel net_conf_t files. BZ(1251765)
- Allow dnssec-trigger to exec pidof. BZ(#1256737)
- Allow blueman to create own tmp files in /tmp. (#1234647)
- Add new audit_read access vector in capability2 class
- Add "binder" security class and access vectors
- Update netlink socket classes.
- Allow getty to read network state. BZ(#1255177)
- Remove labeling for /var/db/.*\.db as etc_t to label db files as system_db_t.
2015-09-01 18:25:49 +02:00
Lukas Vrabec
0d70340b72 * Sun Aug 30 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-145
- Allow watchdog execute fenced python script.
- Added interface watchdog_unconfined_exec_read_lnk_files()
- Allow pmweb daemon to exec shell. BZ(1256127)
- Allow pmweb daemon to read system state. BZ(#1256128)
- Add file transition that certmonger can create /run/ipa/renewal.lock with label ipa_var_run_t.
- Revert "Revert default_range change in targeted policy"
- Allow dhcpc_t domain transition to chronyd_t
2015-08-30 23:03:47 +02:00
Lukas Vrabec
96de5661d2 * Mon Aug 24 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-144
- Allow pmlogger to create pmlogger.primary.socket link file. BZ(1254080)
- Allow NetworkManager send sigkill to dnssec-trigger. BZ(1251764)
- Add interface dnssec_trigger_sigkill
- Allow smsd use usb ttys. BZ(#1250536)
- Fix postfix_spool_maildrop_t,postfix_spool_flush_t contexts in postfix.fc file.
- Revert default_range change in targeted policy
- Allow systemd-sysctl cap. sys_ptrace. BZ(1253926)
2015-08-24 11:25:02 +02:00
Miroslav Grepl
f5f6812fa4 - Add ipmievd policy created by vmojzis@redhat.com
- Call kernel_load_module(vmware_host_t) to satisfy neverallow assertion for sys_module in MLS where unconfined is disabled.
- Allow NetworkManager to write audit log messages
- Add new policy for ipmievd (ipmitool).
- mirrormanager needs to be application domain and cron_system_entry needs to be called in optional block.
- Allow sandbox domain to be also /dev/mem writer
- Fix neverallow assertion for sys_module capability for openvswitch.
- kernel_load_module() needs to be called out of boolean for svirt_lxc_net_t.
- Fix neverallow assertion for sys_module capability.
- Add more attributes for sandbox domains to avoid neverallow assertion issues.
- Add neverallow assertion fixes related to storage.
- Allow exec pidof under hypervkvp domain. Allow hypervkvp daemon create connection to the system DBUS
- Allow openhpid_t to read system state.
- Add temporary fixes for sandbox related to #1103622. It allows to run everything under one sandbox type.
- Added labels for files provided by rh-nginx18 collection
- Dontaudit block_suspend capability for ipa_helper_t, this is kernel bug. Allow ipa_helper_t capability net_admin. Allow ipa_helper_t to list /tmp. Allow ipa_helper_t to read rpm db.
- Allow rhsmcertd exec rhsmcertd_var_run_t files and rhsmcertd_tmp_t files. These rules are in hide_broken_symptoms until we find better solution.
- Update files_manage_all_files to contain auth_reader_shadow and auth_writer_shadow to satisfy neverallow assertions.
- Update files_relabel_all_files() interface to contain auth_relabelto_shadow() interface to satisfy neverallow assertion.
- seunshare domains needs to have set_curr_context attribute to resolve neverallow assertion issues.
- Add dev_raw_memory_writer() interface
- Add auth_reader_shadow() and auth_writer_shadow() interfaces
- Add dev_raw_memory_reader() interface.
- Add storage_rw_inherited_scsi_generic() interface.
- Update files_relabel_non_auth_files() to contain seutil_relabelto_bin_policy() to make neverallow assertion working.
- Update kernel_read_all_proc() interface to contain can_dump_kernel and can_receive_kernel_messages attributes to fix neverallow violated issue for proc_kcore_t and proc_kmsg_t.
- Update storage_rw_inherited_fixed_disk_dev() interface to use proper attributes to fix neverallow violated issues caused by neverallow check during build process.
2015-08-21 10:11:52 +02:00
Miroslav Grepl
4d097300f6 We should be able to do builds with neverallow check with new 2.4 userspace and fix the latest policy fixes. 2015-08-20 18:17:21 +02:00
Lukas Vrabec
1ba0a986f6 * Tue Aug 18 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-142
- Allow samba_net_t to manage samba_var_t sock files.
- Allow httpd daemon to manage httpd_var_lib_t lnk_files.
- Allow collectd stream connect to pdns.(BZ #1191044)
- Add interface pdns_stream_connect()
- Merge branch 'rawhide-contrib' of github.com:fedora-selinux/selinux-policy into rawhide-contrib
- Allow chronyd exec systemctl
- Merge pull request #30 from vmojzis/rawhide-contrib
- Hsqldb policy upgrade -Allow sock_file management
- Add interface chronyd_signal. Allow timemaster_t send generic signals to chronyd_t.
- Hsqldb policy upgrade.  -Disallow hsqldb_tmp_t link_file management
- Hsqldb policy upgrade:  -Remove tmp link_file transition  -Add policy summary  -Remove redundant parameter for "hsqldb_admin" interface
- Label /var/run/chrony-helper dir as chronyd_var_run_t.
- Allow lldpad_t to getattr tmpfs_t. Label /dev/shm/lldpad.* as lldpad_tmpfs_t
- Fix label on /var/tmp/kiprop_0
- Add mountpoint dontaudit access check in rhsmcertd policy.
- Allow pcp_domain to manage pcp_var_lib_t lnk_files.
- Allow chronyd to execute mkdir command.
- Allow chronyd_t to read dhcpc state.
- Label /usr/libexec/chrony-helper as chronyd_exec_t
- Allow openhpid liboa_soap plugin to read resolv.conf file.
- Allow openhpid liboa_soap plugin to read generic certs.
- Allow openhpid use libwatchdog plugin. (Allow openhpid_t rw watchdog device)
- Allow logrotate to reload services.
- Allow apcupsd_t to read /sys/devices
- Allow kpropd to connect to kprop tcp port.
- Allow systemd_networkd to send logs to syslog.
- Added interface fs_dontaudit_write_configfs_dirs
- Allow audisp client to read system state.
- Label /var/run/xtables.lock as iptables_var_run_t.
- Add labels for /dev/memory_bandwith and /dev/vhci. Thanks ssekidde
- Add interface to read/write watchdog device.
- Add transition rule for iptables_var_lib_t
2015-08-18 10:39:06 +02:00
Lukas Vrabec
28b73b2eef * Mon Aug 10 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-141
- Allow chronyd to execute mkdir command.
- Allow chronyd_t to read dhcpc state.
- Label /usr/libexec/chrony-helper as chronyd_exec_t
- Allow openhpid liboa_soap plugin to read resolv.conf file.
- Allow openhpid liboa_soap plugin to read generic certs.
- Allow openhpid use libwatchdog plugin. (Allow openhpid_t rw watchdog device)
- Allow logrotate to reload services.
- Allow apcupsd_t to read /sys/devices
- Allow kpropd to connect to kprop tcp port.
- Allow lsmd also setuid capability. Some commands need to be executed under root privs. Other commands are executed under unprivileged user.
- Allow snapperd to pass data (one way only) via pipe negotiated over dbus.
- Add snapper_read_inherited_pipe() interface.
- Add missing ";" in kerberos.te
- Add support for /var/lib/kdcproxy and label it as krb5kdc_var_lib_t. It needs to be accessible by useradd_t.
- Add support for /etc/sanlock which is writable by sanlock daemon.
- Allow mdadm to access /dev/random and add support to create own files/dirs as mdadm_tmpfs_t.
- Add labels for /dev/memory_bandwith and /dev/vhci. Thanks ssekidde
- Add interface to read/write watchdog device.
- Add transition rule for iptables_var_lib_t
- Allow useradd add homedir located in /var/lib/kdcproxy in ipa-server RPM scriptlet.
- Revert "Allow grubby to manage and create /run/blkid with correct labeling"
- Allow grubby to manage and create /run/blkid with correct labeling
- Add fstools_filetrans_named_content_fsadm() and call it for named_filetrans_domain domains. We need to be sure that /run/blkid is created with correct labeling.
- arping running as netutils_t needs to access /etc/ld.so.cache in MLS.
- Allow sysadm to execute systemd-sysctl in the sysadm_t domain. It is needed for ifup command in MLS mode.
- Add systemd_exec_sysctl() and systemd_domtrans_sysctl() interfaces.
- Allow udev, lvm and fsadm to access systemd-cat in /var/tmp/dracut if 'dracut -fv' is executed in MLS.
- Allow admin SELinux users to communicate with kernel_t. It is needed to access /run/systemd/journal/stdout if 'dracut -vf' is executed. We allow it for other SELinux users.
- depmod runs as insmod_t and it needs to manage user tmp files which was allowed for depmod_t. It is needed by dracut command for SELinux restrictive policy (confined users, MLS).
2015-08-10 18:38:57 +02:00
Miroslav Grepl
d8af5a753a - firewalld needs to relabel own config files. BZ(#1250537)
- Allow rhsmcertd to send signull to unconfined_service
- Allow lsm_plugin_t to rw raw_fixed_disk.
- Allow lsm_plugin_t to read sysfs, read hwdata, rw to scsi_generic_device
- Allow openhpid to use libsnmp_bc plugin (allow read snmp lib files).
2015-08-05 16:03:40 +02:00
Lukas Vrabec
f35d9026d6 * Tue Aug 04 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-139
- Add header for sslh.if file
- Fix sslh_admin() interface
- Clean up sslh.if
- Fix typo in pdns.if
- Allow qpid to create lnk_files in qpid_var_lib_t.
- Allow httpd_suexec_t to read and write Apache stream sockets
- Merge pull request #21 from hogarthj/rawhide-contrib
- Allow virt_qemu_ga_t domtrans to passwd_t.
- use read and manage files_patterns and the description for the admin interface
- Merge pull request #17 from rubenk/pdns-policy
- Allow redis to read kernel parameters.
- Label /etc/rt dir as httpd_sys_rw_content_t BZ(#1185500)
- Allow hostapd to manage sock file in /var/run/hostapd. Add fsetid cap. for hostapd. Add net_raw cap. for hostapd. BZ(#1237343)
- Allow bumblebee to send kill signal to xserver
- glusterd call pcs utility which calls find for cib.* files and runs pstree under glusterd. Dontaudit access to security files and update gluster boolean to reflect these changes.
- Allow drbd to get attributes from filesystems.
- Allow drbd to read configuration options used when loading modules.
- fix the description for the write config files, add systemd administration support and fix a missing gen_require in the admin interface
- Added Booleans: pcp_read_generic_logs.
- Allow pcp_pmcd daemon to read postfix config files. Allow pcp_pmcd daemon to search postfix spool dirs.
- Allow glusterd to communicate with cluster domains over stream socket.
- fix copy paste error with writing the admin interface
- fix up the regex in sslh.fc, add sslh_admin() interface
- adding selinux policy files for sslh
- Remove duplicate sftpd_write_ssh_home boolean rule.
- Revert "Allow smbd_t and nmbd_t to manage winbind_var_run_t files/sockets/dirs."
- gnome_dontaudit_search_config() needs to be a part of optional_policy in pegasus.te
- Allow glusterd to manage nfsd and rpcd services.
- Add kdbus.pp policy to allow access /sys/fs/kdbus. It needs to go with own module because this is workaround for now to avoid SELinux in enforcing mode.
- kdbusfs should not be accessible for now by default for shipped policies. It should be moved to kdbus.pp
- kdbusfs should not be accessible for now.
- Add support for /sys/fs/kdbus and allow login_pgm domain to access it.
- Allow sysadm to administrate ldap environment and allow to bind ldap port to allow to setup an LDAP server (389ds).
- Label /usr/sbin/chpasswd as passwd_exec_t.
- Allow audisp_remote_t to read/write user domain pty.
- Allow audisp_remote_t to start power unit files domain to allow halt system.
2015-08-04 01:19:35 +02:00
Lukas Vrabec
c6320132cb Remove old trigger selinux-policy-targeted-3.12.1-75 for relabeling home. 2015-08-04 00:27:26 +02:00
Lukas Vrabec
ceff8ba54e Fix for Replace generating man/html pages with pages from actual build. This is due to broken userspace with python3 in F23/Rawhide. Please Revert when userspace will be fixed. 2015-08-04 00:25:37 +02:00
Lukas Vrabec
ae80a5c1a5 Replace generating man/html pages with pages from actual build. This is due to broken userspace with python3 in F23/Rawhide. Please Revert when userspace will be fixed. 2015-08-03 17:10:54 +02:00
Lukas Vrabec
d6fa2521fb Move man pages from selinux-policy-devel to selinux-policy-doc 2015-07-24 11:27:15 +02:00
Lukas Vrabec
e5e6b1ee54 * Mon Jul 20 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-138
- Add fixes for selinux-policy packages to reflect the latest changes related to policy module store migration.
- Prepare selinux-policy package for SELinux store migration
- gnome_dontaudit_search_config() needs to be a part of optional_policy in pegasus.te
- Allow glusterd to manage nfsd and rpcd services.
- Allow smbd_t and nmbd_t to manage winbind_var_run_t files/sockets/dirs.
- Add samba_manage_winbind_pid() interface
- Allow networkmanager to communicate via dbus with systemd_hostnamed.
- Allow stream connect logrotate to prosody.
- Add prosody_stream_connect() interface.
- httpd should be able to send signal/signull to httpd_suexec_t, instead of httpd_suexec_exec_t.
- Allow prosody to create own tmp files/dirs.
- Allow keepalived request kernel load module
- kadmind should not read generic files in /usr
- Allow kadmind_t access to /etc/krb5.keytab
- Add more fixes to kerberos.te
- Add labeling for /var/tmp/kadmin_0 and /var/tmp/kiprop_0
- Add lsmd_t to nsswitch_domain.
- Allow pegasus_openlmi_storage_t create mdadm.conf.anacbak file in /etc.
- Add fixes to pegasus_openlmi_domain
- Allow Glance Scrubber to connect to commplex_main port
- Allow RabbitMQ to connect to amqp port
- Allow isnsd read access on the file /proc/net/unix
- Allow qpidd access to /proc/<pid>/net/psched
- Allow openshift_initrc_t to communicate with firewalld over dbus.
- Allow ctdbd_t send signull to samba_unconfined_net_t.
- Add samba_signull_unconfined_net()
- Add samba_signull_winbind()
- Revert "Add interfaces winbind_signull(), samba_unconfined_net_signull()."
- Fix ctdb policy
- Label /var/db/ as system_db_t.
2015-07-20 18:37:28 +02:00
Miroslav Grepl
57b06e2ca9 Add fixes for selinux-policy packages to reflect the latest changes related to policy module store migration. 2015-07-16 09:10:21 +02:00
Petr Lautrbach
a345bb5a25 Prepare selinux-policy package for SELinux store migration 2015-07-15 14:26:46 +02:00
Lukas Vrabec
04f749c8f0 * Wed Jul 15 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-137
- inn daemon should create innd_log_t objects in var_log_t instead of innd_var_run_t
- Fix rule definitions for httpd_can_sendmail boolean. We need to distinguish between base and contrib.
2015-07-15 11:45:00 +02:00
Lukas Vrabec
ee724ad113 * Tue Jul 14 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-136
- Add samba_unconfined_script_exec_t to samba_admin header.
- Add jabberd_lock_t label to jabberd_admin header.
- Add rpm_var_run_t label to rpm_admin header.
- Make all interfaces related to openshift_cache_t as deprecated.
- Remove non-existent nfsd_ro_t label.
- Label /usr/afs/ as afs_files_t. Allow afs_bosserver_t create afs_config_t and afs_dbdir_t dirs under afs_files_t. Allow afs_bosserver_t read kerberos config
- Fix *_admin interfaces where body is not consistent with header.
- Allow networkmanager read rfcomm port.
- Fix nova_domain_template interface, Fix typo bugs in nova policy
- Create nova sublabels.
- Merge all nova_* labels under one nova_t.
- Add cobbler_var_lib_t to "/var/lib/tftpboot/boot(/.*)?"
- Allow dnssec_trigger_t relabelfrom dnssec_trigger_var_run_t files.
- Fix label openstack-nova-metadata-api binary file
- Allow nova_t to bind on geneve tcp port, and all udp ports
- Label swift-container-reconciler binary as swift_t.
- Allow glusterd to execute showmount in the showmount domain.
- Allow NetworkManager_t send signull to dnssec_trigger_t.
- Add support for openstack-nova-* packages.
- Allow audisp-remote searching devpts.
- Label 6080 tcp port as geneve
2015-07-14 18:10:21 +02:00
Lukas Vrabec
f53ebea7af * Thu Jul 09 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-135
- Update mta_filetrans_named_content() interface to cover more db files.
- Revert "Remove ftpd_use_passive_mode boolean. It does not make sense due to ephemeral port handling."
- Allow pcp domains to connect to own process using unix_stream_socket.
- Typo in abrt.te
- Allow abrt-upload-watch service to dbus chat with ABRT daemon and fsetid capability to allow run reporter-upload correctly.
- Add nagios_domtrans_unconfined_plugins() interface.
- Add nagios_domtrans_unconfined_plugins() interface.
- Add new boolean - httpd_run_ipa to allow httpd process to run IPA helper and dbus chat with oddjob.
- Add support for oddjob based helper in FreeIPA. BZ(1238165)
- Allow dnssec_trigger_t create dnssec_trigger_tmp_t files in /var/tmp/ BZ(1240840)
- Allow ctdb_t sending signull to smbd_t, for checking if smbd process exists. BZ(1224879)
- Fix cron_system_cronjob_use_shares boolean to call fs interfaces which contain only entrypoint permission.
- Add cron_system_cronjob_use_shares boolean to allow system cronjob to be executed from shares - NFS, CIFS, FUSE. It requires "entrypoint" permissions on nfs_t, cifs_t and fusefs_t SELinux types.
- nrpe needs kill capability to make gluster monitored nodes working.
- Revert "Dontaudit ctbd_t sending signull to smbd_t."
- Fix interface corenet_tcp_connect_postgresql_port_port(prosody_t)
- Allow prosody connect to postgresql port.
- Fix logging_syslogd_run_nagios_plugins calling in logging.te
- Add logging_syslogd_run_nagios_plugins boolean for rsyslog to allow transition to nagios unconfined plugins.
- Add support for oddjob based helper in FreeIPA. BZ(1238165)
- Add new interfaces
- Add fs_fusefs_entry_type() interface.
2015-07-09 10:31:45 +02:00
Lukas Vrabec
d04212cd26 * Thu Jul 02 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-134
- Allow ctdb_t sending signull to smbd_t, for checking if smbd process exists. BZ(1224879)
- Fix cron_system_cronjob_use_shares boolean to call fs interfaces which contain only entrypoint permission.
- Add cron_system_cronjob_use_shares boolean to allow system cronjob to be executed from shares - NFS, CIFS, FUSE. It requires "entrypoint" permissions on nfs_t, cifs_t and fusefs_t SELinux types.
- Merge remote-tracking branch 'refs/remotes/origin/rawhide-contrib' into rawhide-contrib
- nrpe needs kill capability to make gluster monitored nodes working.
- Fix interface corenet_tcp_connect_postgresql_port_port(prosody_t)
- Allow prosody connect to postgresql port.
- Add new interfaces
- Add fs_fusefs_entry_type() interface.
2015-07-02 17:37:26 +02:00
Lukas Vrabec
1428c0c5e6 * Tue Jun 30 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-133
- Cleanup permissive domains.
2015-06-30 13:53:46 +02:00
Lukas Vrabec
20e7f0e6a4 * Mon Jun 29 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-132
- Rename xodbc-connect port to xodbc_connect
- Dontaudit apache to manage snmpd_var_lib_t files/dirs. BZ(1189214)
- Add interface snmp_dontaudit_manage_snmp_var_lib_files().
- Allow ovsdb-server to connect on xodbc-connect and ovsdb tcp ports. BZ(1179809)
- Dontaudit mozilla_plugin_t cap. sys_ptrace. BZ(1202043)
- Allow iscsid write to fifo file kdumpctl_tmp_t. Appears when kdump generates the initramfs during the kernel boot. BZ(1181476)
- Dontaudit chrome to read passwd file. BZ(1204307)
- Allow firewalld exec ldconfig. BZ(1232748)
- Allow dnssec_trigger_t read networkmanager conf files. BZ(1231798)
- Allow in networkmanager_read_conf() also read NetworkManager_etc_rw_t files. BZ(1231798)
- Allow NetworkManager write to sysfs. BZ(1234086)
- Fix bogus line in logrotate.fc.
- Add dontaudit interface for kdumpctl_tmp_t
- Rename xodbc-connect port to xodbc_connect
- Label tcp port 6632 as xodbc-connect port. BZ (1179809)
- Label tcp port 6640 as ovsdb port. BZ (1179809)
2015-06-29 18:07:03 +02:00
Lukas Vrabec
7100c57b1f * Tue Jun 23 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-131
- Allow NetworkManager write to sysfs. BZ(1234086)
- Fix bogus line in logrotate.fc.
- Add dontaudit interface for kdumpctl_tmp_t
- Use userdom_rw_user_tmp_files() instead of userdom_rw_user_tmpfs_files() in gluster.te
- Add postgresql support for systemd unit files.
- Fix missing bracket
- Pull request by ssekidde. https://github.com/fedora-selinux/selinux-policy/pull/18
- Fixed obsoleted userdom_delete_user_tmpfs_files() interface
2015-06-23 18:07:14 +02:00
Miroslav Grepl
66628cef58 - Allow glusterd to interact with gluster tools running in a user domain
- rpm_transition_script() is called from rpm_run. Update cloud-init rules.
- Call rpm_transition_script() from rpm_run() interface.
- Allow radvd has setuid and it requires dac_override. BZ(1224403)
- Add glusterd_manage_lib_files() interface.
- Allow samba_t net_admin capability to make CIFS mount working.
- S30samba-start gluster hooks wants to search audit logs. Dontaudit it.
- Reflect logrotate change which moves /var/lib/logrotate.status to /var/lib/logrotate/logrotate.status. BZ(1228531)
- ntop reads /var/lib/ntop/macPrefix.db and it needs dac_override. It has setuid/setgid. BZ(1058822)
- Allow cloud-init to run rpm scriptlets to install packages. BZ(1227484)
- Allow nagios to generate charts.
- Allow glusterd to send generic signals to systemd_passwd_agent processes.
- Allow glusterd to run init scripts.
- Allow glusterd to execute /usr/sbin/xfs_db in glusterd_t domain.
- Calling cron_system_entry() in pcp_domain_template needs to be a part of optional_policy block.
- Allow samba-net to access /var/lib/ctdbd dirs/files.
- Allow glusterd to send a signal to smbd.
- Make ctdbd as home manager to access also FUSE.
- Allow glusterd to use geo-replication gluster tool.
- Allow glusterd to execute ssh-keygen.
- Allow glusterd to interact with cluster services.
- Add rhcs_dbus_chat_cluster()
- systemd-logind accesses /dev/shm. BZ(1230443)
- Label gluster python hooks also as bin_t.
- Allow sshd to execute gnome-keyring if there is configured pam_gnome_keyring.so.
- Allow gnome-keyring executed by passwd to access /run/user/UID/keyring to change a password.
2015-06-18 19:28:19 +02:00
Miroslav Grepl
8f46225b71 - We need to restore contexts on /etc/passwd*,/etc/group*,/etc/*shadow* during install phase to get proper labeling for these files until selinux-policy pkgs are installed. BZ(1228489) 2015-06-09 16:44:44 +02:00
Miroslav Grepl
19cd06ec8a We need to restore contexts on /etc/passwd*,/etc/group*,/etc/*shadow* during install phase to get proper labeling for these files until selinux-policy pkgs are installed. BZ(1228489) 2015-06-09 16:43:17 +02:00
Miroslav Grepl
5bcffd3a3a See Changelog for all changes. 2015-06-09 12:38:09 +02:00
Miroslav Grepl
26e9debdb7 Update selinux-policy.spec to show how to create policy patches from https://github.com/fedora-selinux/selinux-policy 2015-05-22 09:45:52 +02:00
Petr Lautrbach
9cef10b755 Minor spec file fixes:
- corrected day in changelog entry from Apr 30 2015
- merged two %description's for base package into one

Fixes:
warning: line 330: second Description
warning: bogus date in %changelog: Mon Apr 30 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-126
2015-05-19 10:41:20 +02:00
Lukas Vrabec
6a726d4793 * Tue May 05 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-127
- Add missing typealiases in apache_content_template() for script domain/executable.
- Don't use deprecated userdom_manage_tmpfs_role() interface calling and use userdom_manage_tmp_role() instead.
- Add support for new cobbler dir locations:
- Add support for iprdbg logging files in /var/log.
- Add relabel_user_home_dirs for use by docker_t
2015-05-05 15:54:12 +02:00
Lukas Vrabec
229bf3d017 * Mon Apr 30 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-126
- allow httpd_t to read nagios lib_var_lib_t to allow rrdtool generate graphs which will be shown by httpd.
- Add nagios_read_lib() interface.
- Additional fix for mongod_unit_file_t in mongodb.te.
- Fix decl of mongod_unit_file to mongod_unit_file_t.
- Fix mongodb unit file declaration.
- Update virt_read_pid_files() interface to allow read also symlinks with virt_var_run_t type.
- Fix labeling for /usr/libexec/mysqld_safe-scl-helper.
- Add support for mysqld_safe-scl-helper which is needed for RHSCL daemons.
- Allow sys_ptrace cap for sblim-gatherd caused by ps.
- Add support for /usr/libexec/mongodb-scl-helper RHSCL helper script.
- Add support for mongod/mongos systemd unit files.
- Allow dnssec-trigger to send sigchld to networkmanager
- add interface networkmanager_sigchld
- Add dnssec-trigger unit file Label dnssec-trigger script in libexec
- Remove duplicate  specification for /etc/localtime.
- Add default labeling for /etc/localtime symlink.
2015-04-30 20:10:17 +02:00
Lukas Vrabec
c4df3c09b1 Fix bad date 2015-04-20 14:49:53 +02:00
Lukas Vrabec
0bfe8f4452 * Mon Apr 20 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-125
- Define ipa_var_run_t type
- Allow certmonger to manage renewal.lock. BZ(1213256)
- Add ipa_manage_pid_files interface.
- Add rules for netlink_socket in iotop.
- Allow iotop netlink socket.
- cloudinit and rhsmcertd need to communicate with dbus
- Allow apcupsd to use USBttys. BZ(1210960)
- Allow sge_execd_t to manage tmp sge lnk files. BZ(1211574)
- Remove dac_override capability for setroubleshoot. We now have it running as setroubleshoot user.
- Allow syslogd_t to manage devlog_t lnk files. BZ(1210968)
2015-04-20 14:45:47 +02:00
Lukas Vrabec
28cc160db1 * Wed Apr 15 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-124
- Add more restriction on entrypoint for unconfined domains.
2015-04-15 17:14:18 +02:00
Lukas Vrabec
578b67080c * Wed Apr 14 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-123
- Allow abrtd to list home config. BZ(1199658)
- Dontaudit dnssec_trigger_t to read /tmp. BZ(1210250)
- Allow abrt_dump_oops_t to IPC_LOCK. BZ(1205481)
- Allow mock_t to use ptmx. BZ(1181333)
- Allow dnssec_trigger_t to stream connect to networkmanager.
- Allow dnssec_trigger_t to create resolv files labeled as net_conf_t
- Fix labeling for keystone CGI scripts.
2015-04-14 01:13:22 +02:00
Lukas Vrabec
b9a1c72d29 * Tue Apr 07 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-122
- Label /usr/libexec/mongodb-scl-helper as mongod_initrc_exec_t. BZ(1202013)
- Add mongodb port to httpd_can_network_connect_db interface. BZ(1209180)
- Allow mongod to work with configured SSSD.
- Add collectd net_raw capability. BZ(1194169)
- Merge postfix spool types(maildrop,flush) to one postfix_spool_t
- Allow dhcpd kill capability.
- Make rwhod as nsswitch domain.
- Add support for new fence agent fence_mpath which is executed by fence_node.
- Fix cloudform policy.(m4 is case sensitive)
- Allow networkmanager and cloud_init_t to dbus chat
- Allow lsmd plugin to run with configured SSSD.
- Allow bacula access to tape devices.
- Allow sblim domain to read sysctls..
- Allow timemaster send a signal to ntpd.
- Allow mysqld_t to use pam. It is needed by MariaDB if auth_pam.so auth plugin is used.
- two 'l' is enough.
- Add labeling for systemd-time*.service unit files and allow systemd-timedated to access these unit files.
- Allow polkit to dbus chat with xserver. (1207478)
- Add lvm_stream_connect() interface.
- Set label of /sys/kernel/debug
2015-04-07 16:26:56 +02:00
Lukas Vrabec
5852f33770 * Mon Mar 30 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-121
- Allow kmscon to read system state. BZ (1206871)
- Label ~/.abrt/ as abrt_etc_t. BZ(1199658)
- Allow xdm_t to read colord_var_lib_t files. BZ(1201985)
2015-03-30 20:13:54 +02:00
Lukas Vrabec
734dd8ae6f * Mon Mar 23 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-120
- Allow mysqld_t to use pam. BZ(1196104)
- Added label mysqld_etc_t for /etc/my.cnf.d/ dir. BZ(1203989)
- Allow fetchmail to read mail_spool_t. BZ(1200552)
- Dontaudit blueman_t write to all mountpoints. BZ(1198272)
- Allow all domains some process flags.
- Merge branch 'rawhide-base' of github.com:selinux-policy/selinux-policy into rawhide-base
- Turn on overlayfs labeling for testing, we need this backported to F22 and Rawhide. Eventually will need this in RHEL
2015-03-23 16:13:45 +01:00
Lukas Vrabec
f9d97717a8 * Wed Mar 18 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-119
- build without docker
2015-03-18 17:03:21 +01:00
Lukas Vrabec
e2a064a427 * Mon Mar 16 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-118
- docker watches for content in the /etc directory
- Merge branch 'rawhide-contrib' of github.com:selinux-policy/selinux-policy into rawhide-contrib
- Fix abrt_filetrans_named_content() to create /var/tmp/abrt with the correct abrt_var_cache_t labeling.
- Allow docker to communicate with openvswitch
- Merge branch 'rawhide-contrib' of github.com:selinux-policy/selinux-policy into rawhide-contrib
- Allow docker to relabelfrom/to sockets and docker_log_t
- Allow journald to set loginuid. BZ(1190498)
- Add cap. sys_admin for passwd_t. BZ(1185191)
- Allow abrt-hook-ccpp running as kernel_t to allow create /var/tmp/abrt with correct labeling.
2015-03-16 18:04:20 +01:00
Lukas Vrabec
ed576d59f8 * Fri Mar 09 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-117
- Allow spamc read spamd_etc_t files. BZ(1199339).
- Allow collectd to write to snmpd_var_lib_t dirs. BZ(1199278)
- Allow abrt_watch_log_t read passwd file. BZ(1197396)
- Allow abrt_watch_log_t to nsswitch_domain. BZ(1199659)
- Allow cups to read colord_var_lib_t files. BZ(1199765)
2015-03-09 13:16:20 +01:00
Lukas Vrabec
b61b8da21f * Fri Mar 06 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-116
- Turn on rolekit in F23
2015-03-06 17:17:25 +01:00
Lukas Vrabec
f6c1168684 * Thu Mar 05 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-115
- Allow glusterd_t exec glusterd_var_lib_t files. BZ(1198406)
- Add gluster_exec_lib interface.
- Allow l2tpd to manage NetworkManager pid files
- Allow firewalld_t relabelfrom firewalld_rw_etc_t. BZ(1195327)
- Allow cyrus bind tcp berknet port. BZ(1198347)
- Add nsswitch domain for more services.
- Allow abrt_dump_oops_t read /etc/passwd file. BZ(1197190)
- Remove ftpd_use_passive_mode boolean. It does not make sense due to ephemeral port handling.
- Make munin yum plugin as unconfined by default.
- Allow bitlbee connections to the system DBUS.
- Allow system apache scripts to send log messages.
- Allow denyhosts execute iptables. BZ(1197371)
- Allow brltty rw event device. BZ(1190349)
- Allow cupsd config to execute ldconfig. BZ(1196608)
- xdm_t now needs to manage user ttys
- Allow ping_t read urand. BZ(1181831)
- Add support for tcp/2005 port.
- Allow setfiles domain to access files with admin_home_t. semanage -i /root/testfile.
- In F23 we are running xserver as the user, need this to allow confined users to use X
2015-03-05 20:22:19 +01:00
Lukas Vrabec
2ee001bdc9 * Mon Feb 25 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-114
- Fix source filepath for moving html files.
2015-02-25 17:13:43 +01:00
Lukas Vrabec
6acb58cea3 Fix source filepath for moving html files. 2015-02-24 17:51:12 +01:00
Lukas Vrabec
946068cde6 * Mon Feb 23 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-113
- Xserver needs to be transitioned to from confined users
- Added logging_syslogd_pid_filetrans
- xdm_t now talks to hostnamed
- Label new strongswan binary swanctl and new unit file strongswan-swanctl.service. BZ(1193102)
- Additional fix for labeling /dev/log correctly.
- cups chats with network manager
- Allow parent domains to read/write fifo files in mozilla plugin
- Allow spc_t to transition to svirt domains
- Cleanup spc_t
- docker needs more control over spc_t
- pcp domains are executed out of cron
2015-02-23 16:11:23 +01:00
Lukas Vrabec
83d645c1b0 * Mon Feb 16 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-112
- Allow audisp to connect to system DBUS for service.
- Label /dev/log correctly.
- Add interface init_read_var_lib_files().
- Allow abrt_dump_oops_t read /var/lib/systemd/, Allow abrt_dump_oops_t cap. chown,fsetid,fowner, BZ(1187017)
2015-02-16 20:23:47 +01:00
Lukas Vrabec
e793323380 * Tue Feb 10 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-111
- Label /usr/libexec/postgresql-ctl as postgresql_exec_t. BZ(1191004)
- Remove automatically running filetrans_named_content from sysnet_manage_config
- Allow syslogd/journal to read netlink audit socket
- Allow brltty ioctl on usb_device_t. BZ(1190349)
- Make sure NetworkManager configures resolv.conf correctly
2015-02-10 22:46:05 +01:00
Lukas Vrabec
ae5733a49e * Thu Feb 05 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-110
- Allow cockpit_session_t to create tmp files
- apmd needs sys_resource when shutting down the machine
- Fix path label to resolv.conf under NetworkManager
2015-02-05 12:12:00 +01:00
Lukas Vrabec
1fd39e9da1 * Wed Feb 04 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-109
- Allow search all pid dirs when managing net_conf_t files.
2015-02-04 17:02:02 +01:00
Lukas Vrabec
203031a6db * Wed Feb 04 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-108
- Fix labels, improve sysnet_manage_config interface.
- Label /var/run/NetworkManager/resolv.conf.tmp as net_conf_t.
- Dontaudit network connections related to thumb_t. BZ(1187981)
- Remove sysnet_filetrans_named_content from fail2ban
2015-02-04 13:06:40 +01:00
Lukas Vrabec
1808b757f1 * Thu Feb 02 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-107
- Fix labels on new location of resolv.conf
- syslog is not writing to the audit socket
- seunshare is doing getattr on unix_stream_sockets leaked into it
- Allow sshd_t to manage gssd keyring
- Allow apps that create net_conf_t content to create .resolv.conf.NetworkManager
- Postgresql listens on port 9898 when running PCP (pgpool Control Port)
- Allow svirt sandbox domains to read /proc/mtrr
- Allow polipo_daemon connect to all ephemeral ports. BZ(1187723)
- Allow dovecot domains to use sys_resource
- Allow sshd_t to manage gssd keyring
- gpg_pinentry_t needs more access in f22
2015-02-02 11:59:21 +01:00
Lukas Vrabec
a849531c0e * Thu Jan 29 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-106
- Allow docker to attach to the sandbox and user domains tun devices
- Allow pingd to read /dev/urandom. BZ(1181831)
- Allow virtd to list all mountpoints
- Allow sblim-sfcb to search images
- pkcsslotd_lock_t should be an alias for pkcs_slotd_lock_t.
- Call correct macro in virt_read_content().
- Dontaudit couchdb search in gconf_home_t. BZ(1177717)
- Allow docker_t to change its rlimit
- Allow neutron to read rpm DB.
- Allow radius to connect/bind radsec ports
- Allow pm-suspend running as virt_qemu_ga to read /var/log/pm-suspend.log.
- Add devicekit_read_log_files().
- Allow virt_qemu_ga to dbus chat with rpm.
- Allow netutils chown capability to make tcpdump working with -w.
- Label /ostree/deploy/rhel-atomic-host/deploy directory as system_conf_t.
- journald now reads the netlink audit socket
- Add auditing support for ipsec.

* Thu Jan 29 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-105
- Bump release
2015-01-29 17:35:42 +01:00
Lukas Vrabec
72c96b37c5 * Thu Jan 15 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-104
- remove duplicate filename transition rules.
- Call proper interface in sosreport.te.
- Allow fetchmail to manage its keyring
- Allow mail munin to create udp_sockets
- Allow couchdb to sendto kernel unix domain sockets
2015-01-15 14:22:27 +01:00
Miroslav Grepl
525ad6557a Make build working 2015-01-12 14:12:54 +01:00
Dan Walsh
f1ed4e46ca Add /etc/selinux/targeted/contexts/openssh_contexts 2015-01-03 08:44:45 -05:00
Lukas Vrabec
6eb7265b01 * Mon Dec 15 2014 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-101
- Allow logrotate to read hawkey.log in /var/cache/dnf/ BZ(1163438)
- Allow virt_qemu_ga_t to execute kmod.
- Add missing files_dontaudit_list_security_dirs() for smbd_t in samba_export_all_ro boolean
- Add additional MLS attribute for oddjob_mkhomedir to create homedirs.
- Add support for /usr/share/vdsm/daemonAdapter.
- Docker has a new config/key file it writes to /etc/docker
- Allow bacula to connect also to postgresql.
2014-12-15 07:43:28 -05:00
Lukas Vrabec
e4ea4614c7 * Thu Dec 11 2014 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-100
- Allow admin SELinux users mounting / as private within a new mount namespace as root in MLS.
- Fix miscfiles_manage_generic_cert_files() to allow manage link files
- Allow pegasus_openlmi_storage_t use nsswitch. BZ(1172258)
- Add support for /var/run/gluster.
- Allow openvpn manage systemd_passwd_var_run_t files. BZ(1170085)
2014-12-11 10:20:57 -05:00
Lukas Vrabec
1c8cf318c6 * Fri Dec 02 2014 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-99
- Add files_dontaudit_list_security_dirs() interface.
- Added seutil_dontaudit_access_check_semanage_module_store interface.
- Allow docker to create /root/.docker
- Allow rlogind to use also rlogin ports
- dontaudit list security dirs for samba domain
- Dontaudit couchdb to list /var
2014-12-02 13:05:01 +01:00
Lukas Vrabec
cf94d6be19 * Fri Nov 29 2014 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-98
- Update to have all _systemctl() interface also init_reload_services()
- Dontaudit access check on SELinux module store for sssd.
- Label /var/lib/rpmrebuilddb/ as rpm_var_lib_t. BZ (1167946)
2014-11-29 00:18:57 +01:00
Lukas Vrabec
b5270954f2 Fix date bug 2014-11-28 15:30:56 +01:00
Lukas Vrabec
e4d7a4020d * Fri Nov 27 2014 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-97
- Allow reading of symlinks in /etc/puppet
- Added TAGS to gitignore
- I guess there can be content under /var/lib/lockdown #1167502
- Allow rhev-agentd to read /dev/.udev/db to make deploying hosted engine via iSCSI working.
- Allow keystone to send a generic signal to own process.
- Allow radius to bind tcp/1812 radius port.
- Dontaudit list user_tmp files for system_mail_t
- label virt-who as virtd_exec_t
- Allow rhsmcertd to send a null signal to virt-who running as virtd_t
- Add virt_signull() interface
- Add missing alias for _content_rw_t
- Allow .snapshots to be created in other directories, on all mountpoints
- Allow spamd to access razor-agent.log
- Add fixes for sfcb from libvirt-cim TestOnly bug. (#1152104)
- Allow .snapshots to be created in other directories, on all mountpoints
- Label tcp port 5280 as ejabberd port. BZ(1059930)
- Make /usr/bin/vncserver running as unconfined_service_t
- Label /etc/docker/certs.d as cert_t
- Allow all systemd domains to search file systems
2014-11-28 15:28:22 +01:00
Lukas Vrabec
48f969d319 * Thu Nov 20 2014 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-96
- Allow NetworkManager stream connect on openvpn. BZ(1165110)
2014-11-20 11:38:07 +01:00
Lukas Vrabec
feb8dbd59b * Wed Nov 19 2014 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-95
- Allow networkmanager manage also openvpn sock pid files.
2014-11-19 19:46:38 +01:00
Lukas Vrabec
c88e657c3d * Wed Nov 19 2014 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-94
- Allow openvpn to create uuid connections in /var/run/NetworkManager with NM labeling.
- Allow sendmail to create dead.letter. BZ(1165443)
- Allow selinux_child running as sssd access check on /etc/selinux/targeted/modules/active.
- Allow access checks on setfiles/load_policy/semanage_lock for selinux_child running as sssd_t.
- Label sock file charon.vici as ipsec_var_run_t. BZ(1165065)
- Add additional interfaces for load_policy/setfiles/read_lock related to access checks.
2014-11-19 16:33:35 +01:00
Lukas Vrabec
24d43eb10d * Fri Nov 14 2014 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-93
- Allow bumblebee to use nsswitch. BZ(1155339)
- Allow openvpn to stream connect to networkmanager. BZ(1164182)
- Allow smbd to create HOMEDIRS is pam_oddjob_mkhomedir in MLS.
- Allow cpuplug rw virtual memory sysctl. BZ (1077831)
- Docker needs to write to sysfs, needs back port to F20,F21, RHEL7
2014-11-14 16:06:50 +01:00
Lukas Vrabec
b6161d4177 * Mon Nov 10 2014 Lukas Vrabec <lvrabec@redhat.com> 3.12.1-92
- Add kdump_rw_inherited_kdumpctl_tmp_pipes()
- Added fixes related to linuxptp. BZ (1149693)
- Label keystone cgi files as keystone_cgi_script_exec_t. BZ(1138424)
- Dontaudit policykit_auth_t to access to user home dirs. BZ (1157256)
- Fix seutil_dontaudit_access_check_load_policy()
- Add dontaudit interfaces for audit_access in seutil
- Label /etc/strongimcv as ipsec_conf_file_t.
2014-11-10 18:19:50 +01:00
Lukas Vrabec
062b36f481 * Fri Nov 07 2014 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-91
- Added interface userdom_dontaudit_manage_user_home_dirs
- Fix unconfined_server_dbus_chat() interface.
- Add unconfined_server_dbus_chat() interface.
- Allow login domains to create kernel keyring with different level.
- Dontaudit policykit_auth_t to write to user home dirs. BZ (1157256)
- Make tuned as unconfined domain.
- Added support for linuxptp policy. BZ(1149693)
- make zoneminder as dbus client by default.
- Allow bluetooth read/write uhid devices. BZ (1161169)
- Add fixes for hypervkvp daemon
- Allow guest to connect to libvirt using unix_stream_socket.
- Allow all bus client domains to dbus chat with unconfined_service_t.
- Allow inetd service without own policy to run in inetd_child_t which is unconfined domain.
- Make opensm as nsswitch domain to make it working with sssd.
- Allow brctl to read meminfo.
- Allow winbind-helper to execute ntlm_auth in the caller domain.
- Make plymouthd as nsswitch domain to make it working with sssd.
- Make drbd as nsswitch domain to make it working with sssd.
- Make conman as nsswitch domain to make ipmitool.exp running as conman_t working.
- Add support for /var/lib/sntp directory.
2014-11-07 22:58:35 +01:00
Lukas Vrabec
ba65f59092 Fixed mistakes in build. 2014-11-03 16:31:25 +01:00
Lukas Vrabec
a38ffbf425 * Mon Nov 03 2014 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-90
- Add support for /dev/nvme controller device nodes created by nvme driver.
- Add 15672 as amqp_port_t
- Allow wine domains to read user homedir content
- Add fixes to allow docker to create more content in tmpfs, and dontaudit reading /proc
- Allow winbind to read usermodehelper
- Allow telepathy domains to execute shells and bin_t
- Allow gpgdomains to create netlink_kobject_uevent_sockets
- Allow abrt to read software raid state. BZ (1157770)
- Fix rhcs_signull_haproxy() interface.
- Add support for keepalived unconfined scripts and allow keepalived to read all domain state and kill capability.
- Allow snapperd to dbus chat with system cron jobs.
- Allow nslcd to read /dev/urandom.
- Allow dovecot to create user's home directory when they log into IMAP.
- Label also logrotate.status.tmp as logrotate_var_lib_t. BZ(1158835)
2014-11-03 15:03:44 +01:00
Lukas Vrabec
4dfcf7b0d0 Fix wrong url link to upstream. 2014-11-03 14:34:24 +01:00
Lukas Vrabec
af3cfa7b5c * Wed Oct 29 2014 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-89
- Allow keystone_cgi_script_t to bind on commplex_main_port. BZ (#1138424)
- Allow freeipmi_bmc_watchdog rw_sem_perms to freeipmi_ipmiseld
- Allow rabbitmq to read nfs state data. BZ(1122412)
- Allow named to read /var/tmp/DNS_25 labeled as krb5_host_rcache_t.
- Add rolekit policy
- Allow rolekit domtrans to sssd_t.
- Add kerberos_tmp_filetrans_kadmin() interface.
- rolekit should be noaudit.
- Add rolekit_manage_keys().
- Need to label rpmnew file correctly
- Allow modemmanager to connectto itself
2014-10-29 11:24:42 +01:00
Lukas Vrabec
317f5a18dc * Tue Oct 21 2014 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-88
- Allow couchdb read sysctl_fs_t files. BZ(1154327)
- Allow osad to connect to jabber client port. BZ (1154242)
- Allow mon_statd to send syslog msgs. BZ (1077821)
- Allow apcupsd to get attributes of filesystems with xattrs
2014-10-21 15:45:35 +02:00
Miroslav Grepl
650be6afbf - Allow systemd-networkd to be running as dhcp client.
- Label /usr/bin/cockpit-bridge as shell_exec_t.
- Add label for /var/run/systemd/resolve/resolv.conf.
- Allow listen and accept on tcp socket for init_t in MLS. Previously it was for xinetd_t.
- Allow systemd-networkd to be running as dhcp client.
- Label /usr/bin/cockpit-bridge as shell_exec_t.
- Add label for /var/run/systemd/resolve/resolv.conf.
- Allow listen and accept on tcp socket for init_t in MLS. Previously it was for xinetd_t.
2014-10-17 10:12:44 +02:00
Lukas Vrabec
8db354a9b7 * Tue Oct 14 2014 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-86
- Dontaudit aicuu to search home config dir. BZ (#1104076)
- couchdb is using erlang so it needs execmem privs
- Allow sanlock to send a signal to virtd_t.
- Allow mongodb to 'accept' accesses on the tcp_socket port.
- Make sosreport as unconfined domain.
- Allow nova-console to connect to mem_cache port.
- Allow mandb to getattr on file systems
- Allow read antivirus domain all kernel sysctls.
- Allow lsmd_plugin to read passwd file. BZ(1093733)
- Label /usr/share/corosync/corosync as cluster_exec_t.
- Allow sensord to getattr on sysfs.
- automount policy is non-base module so it needs to be called in optional block.
- Add auth_use_nsswitch for portreserve to make it working with sssd.
- Fix samba_export_all_ro/samba_export_all_rw booleans to dontaudit search/read security files.
- Allow openvpn to execute systemd-passwd-agent in systemd_passwd_agent_t to make openvpn working with systemd.
- Allow openvpn to access /sys/fs/cgroup dir.
- Allow nova-scheduler to read certs
- Add support for /var/lib/swift directory.
- Allow neutron connections to system dbus.
- Allow mongodb to manage own log files.
- Allow opensm_t to read/write /dev/infiniband/umad1.
- Added policy for mon_statd and mon_procd services. BZ (1077821)
- kernel_read_system_state needs to be called with type. Moved it to antivirus.if.
- Allow dnssec_trigger_t to execute unbound-control in own domain.
- Allow all RHCS services to read system state.
- Added monitor device
- Add interfaces for /dev/infiniband
- Add infiniband_device_t for /dev/infiniband instead of fixed_disk_device_t type.
- Add files_dontaudit_search_security_files()
- Add selinuxuser_udp_server boolean
- Allow syslogd_t to create /var/log/cron with correct labeling
- Add support for /etc/.updated and /var/.updated
- Allow iptables read fail2ban logs. BZ (1147709)
- Allow ldconfig to read proc//net/sockstat.
2014-10-14 11:51:56 +02:00
Lukas Vrabec
cf89798586 * Mon Oct 06 2014 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-85
- Allow nova domains to getattr on all filesystems.
- Allow zebra for user/group look-ups.
- Allow lsmd to search own plugins.
- Allow sssd to read selinux config to add SELinux user mapping.
- Allow swift to connect to all ephemeral ports by default.
- Allow NetworkManager to create Bluetooth SDP sockets
- Allow keepalived manage snmp var lib sock files. BZ(1102228)
- Added policy for brltty. BZ(1083162)
- Allow rhsmcertd manage rpm db. BZ(#1134173)
- Allow rhsmcertd send signull to setroubleshoot. BZ (#1134173)
- Label /usr/libexec/rhsmd as rhsmcertd_exec_t
- Fix broken interfaces
- Added sendmail_domtrans_unconfined interface
- Added support for cpuplug. BZ (#1077831)
- Fix bug in drbd policy, BZ (#1134883)
- Make keystone_cgi_script_t domain. BZ (#1138424)
- fix dev_getattr_generic_usb_dev interface
- Label 4101 tcp port as brlp port
- Allow libreswan to connect to VPN via NM-libreswan.
- Add userdom_manage_user_tmpfs_files interface
2014-10-06 16:53:41 +02:00
Lukas Vrabec
245c83ebf9 * Tue Sep 30 2014 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-84
- Allow all domains to read fonts
- Allow rabbitmq_t read rabbitmq_var_lib_t lnk files. BZ (#1147028)
- Allow pki-tomcat to change SELinux object identity.
- Allow radius to connect to apache ports to do OCSP check
- Allow git cgi scripts to create content in /tmp
- Allow cockpit-session to do GSSAPI logins.
2014-09-30 09:38:06 +02:00
Lukas Vrabec
3430335564 * Mon Sep 22 2014 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-83
- Make sure /run/systemd/generator and system is labeled correctly on creation.
- Additional access required by usbmuxd
- Allow sensord read in /proc BZ(#1143799)
2014-09-22 15:16:17 +02:00
Miroslav Grepl
0399c8ba54 - Allow du running in logwatch_t read hwdata.
- Allow sys_admin capability for antivirus domains.
- Use nagios_var_lib_t instead of nagios_lib_t in nagios.fc.
- Add support for pnp4nagios.
- Add missing labeling for /var/lib/cockpit.
- Label resolv.conf as docker_share_t under docker so we can read within a container
- Remove labeling for rabbitmqctl
- setfscreate in pki.te is not capability class.
- Allow virt domains to use virtd tap FDs until we get proper handling in libvirtd.
- Allow wine domains to create cache dirs.
- Allow newaliases to systemd inhibit pipes.
- Add fixes for pki-tomcat scriptlet handling.
- Allow user domains to manage all gnome home content
- Allow locate to look at files/directories without labels, and chr_file and blk_file on non dev file systems
- Allow usbmuxd chown capabilities
2014-09-18 15:22:06 +02:00
Lukas Vrabec
6021c02dec * Thu Sep 11 2014 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-81
- Label /usr/lib/erlang/erts.*/bin files as bin_t
- Added changes related to rabbitmq daemon.
- Fix labeling in couchdb policy
- Allow rabbitmq bind on epmd port
- Clean up rabbitmq policy
- fix domtrans_rabbitmq interface
- Added rabbitmq_beam_t and rabbitmq_epmd_t alias
- Allow couchdb to getattr
- Allow couchdb write to couchdb_conf files
- Allow couchdb to create dgram_sockets
- Added support for ejabberd
2014-09-11 17:53:40 +02:00
Lukas Vrabec
ae5a648040 * Wed Sep 10 2014 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-80
- Back port workaround for #1134389 from F20. It needs to be removed from rawhide once we ship F21.
- Since docker will now label volumes we can tighten the security of docker
2014-09-10 15:47:04 +02:00
Lukas Vrabec
6c07cc84bd * Wed Sep 10 2014 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-79
- Re-arrange openshift_net_read_t rules.
- Kernel is reporting random block_suspends, we should dontaudit these until the kernel is fixed in Rawhide
- Allow jockey_t to use tmpfs files
- Allow pppd to create sock_files in /var/run
- Allow geoclue to stream connect to smart card service
- Allow docker to read all of /proc
- Allow passenger to read/write apache stream socket.
- Dontaudit read init state for svirt_t.
- Label /usr/sbin/unbound-control as named_exec_t (#1130510)
- Add support for /var/lib/cockpit directory.
- Add support for ~/.speech-dispatcher.
- Allow nmbd to read /proc/sys/kernel/core_pattern.
- Allow wine domains to create wine_home symlinks.
- Allow policykit_auth_t access check and read usr config files.
- Dontaudit access check on home_root_t for policykit-auth.
- hv_vss_daemon wants to list /boot
- update gpg_agent_env_file boolean to allow manage user tmp files for gpg-agent
- Fix label for /usr/bin/courier/bin/sendmail
- Allow munin services plugins to execute fail2ban-client in fail2ban_client_t domain.
- Allow unconfined_r to access unconfined_service_t.
- Add label for ~/.local/share/fonts
- Add init_dontaudit_read_state() interface.
- Add systemd_networkd_var_run_t labeling for /var/run/systemd/netif and allow systemd-networkd to manage it.
- Allow udev_t mounton udev_var_run_t dirs #(1128618)
- Add files_dontaudit_access_check_home_dir() interface.
2014-09-10 10:55:03 +02:00
Lukas Vrabec
6823c75b4e Fix release number 2014-09-02 20:28:48 +02:00
Lukas Vrabec
9532ecd407 * Tue Sep 02 2014 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-78
- Allow unconfined_service_t to dbus chat with all dbus domains
- Assign rabbitmq port.  BZ#1135523
- Add new interface to allow creation of file with lib_t type
- Allow init to read all config files
- We want to remove openshift_t domains ability to look at /proc/net
- I guess lockdown is a file not a directory
- Label /var/bacula/ as bacula_store_t
- Allow rhsmcertd to send signull to sosreport.
- Allow sending of snmp trap messages by radiusd.
- remove redundant rule from nova.te.
- Add auth_use_nsswitch() for ctdbd.
- call nova_vncproxy_t instead of vncproxy.
- Allow nova-vncproxy to use varnishd port.
- Fix rhnsd_manage_config() to allow manage also symlinks.
- Allow bacula to create dirs/files in /tmp
- Allow nova-api to use nsswitch.
- Clean up nut policy. Allow nut domains to create temp files. Add nut_domain_template() template interface.
- Allow usbmuxd connect to itself by stream socket. (#1135945)
- I see no reason why unconfined_t should transition to crontab_t, this looks like old cruft
- Allow nswrapper_32_64.nppdf.so to be created with the proper label
- Assign rabbitmq port.  BZ#1135523
- Dontaudit leaks of file descriptors from domains that transition to  thumb_t
- Fixes for usbmuxd, addition of /var/lib/lockdown, and allow it to use urand, dontaudit sys_resource
- Allow unconfined_service_t to dbus chat with all dbus domains
- Allow avahi_t communicate with pcp_pmproxy_t over dbus.(better way)
2014-09-02 20:27:29 +02:00
Lukas Vrabec
c463599b36 * Thu Aug 28 2014 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-77
- Allow aide to read random number generator
- Allow pppd to connect to http port. (#1128947)
- sssd needs to be able write krb5.conf.
- Label initial-setup as install_exec_t.
- Allow domains that are allowed to mounton proc to mount on files as well as dirs
2014-08-28 15:33:54 +02:00
Lukas Vrabec
45b429ef46 * Tue Aug 26 2014 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-76
- Label ~/tmp and ~/.tmp directories in user tmp dirs as user_tmp_t
- Add a port definition for shellinaboxd
- Fix labeling for HOME_DIR/tmp and HOME_DIR/.tmp directories
- Allow thumb_t to read/write video devices
- fail2ban 0.9 reads the journal by default.
- Allow sandbox net domains to bind to rawip socket
2014-08-26 17:39:34 +02:00
Lukas Vrabec
f9cc8e052f * Fri Aug 22 2014 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-75
- Allow haproxy to read /dev/random and /dev/urandom.
- Allow mdadm to send signull to kernel_t which is process type of mdadm on early boot.
- geoclue needs to connect to http and http_cache ports
- Allow passenger to use unix_stream_sockets leaked into it, from httpd
- Add SELinux policy for highly-available key value store for shared configuration.
- drbd executes modinfo.
- Add glance_api_can_network boolean since glance-api uses huge range port.
- Fix glance_api_can_network() definition.
- Allow smoltclient to connect on http_cache port. (#982199)
- Allow userdomains to stream connect to pcscd for smart cards
- Allow programs to use pam to search through user_tmp_t dirs (/tmp/.X11-unix)
- Added MLS fixes to support labeled socket activation which is going to be done by systemd
- Add kernel_signull() interface.
- sulogin_t executes plymouth commands
- lvm needs to be able to accept connections on stream generic sockets
2014-08-22 16:05:38 +02:00
Kevin Fenzi
5f1085b7ba Rebuild for rpm bug 1131960 2014-08-21 11:49:05 -06:00
Lukas Vrabec
9229b61067 * Mon Aug 18 2014 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-73
- Allow systemd_logind_t to list tmpfs directories
- Allow lvm_t to create undefined sockets
- Allow passwd_t to read/write stream sockets
- Allow docker lots more access.
- Fix label for ports
- Add support for arptables-{restore,save} and also labeling for /usr/lib/systemd/system/arptables.service.
- Label tcp port 4194 as kubernetes port.
- Additional access required for passenger_t
- sandbox domains should be allowed to use libraries which require execmod
- Allow qpid to read passwd files BZ (#1130086)
- Remove cockpit port, it is now going to use websm port
- Add getattr to the list of access to dontaudit on unix_stream_sockets
- Allow sendmail to append dead.letter located in var/spool/nagios/dead.letter.
2014-08-18 17:43:18 +02:00
Lukas Vrabec
3399c51143 * Tue Aug 12 2014 Lukas Vrabec <lvrabec@redhat.com> 3.12.1-72
- docker needs to be able to look at everything in /dev
- Allow all processes to send themselves signals
- Allow sysadm_t to create netlink_tcpdiag socket
- sysadm_t should be allowed to communicate with networkmanager
- These are required for bluejeans to work on an unconfined.pp disabled machine
- docker needs setfcap
- Allow svirt domains to manage chr files and blk files for mknod commands
- Allow fail2ban to read audit logs
- Allow cachefilesd_t to send itself signals
- Allow smokeping cgi script to send syslog messages
- Allow svirt sandbox domains to relabel content
- Since apache content can be placed anywhere, we should just allow apache to search through any directory
- These are required for bluejeans to work on an unconfined.pp disabled machine
2014-08-12 13:41:36 +02:00
Miroslav Grepl
0bd1c473cc * Mon Aug 4 2014 Miroslav Grepl <mgrepl@redhat.com> 3.13.1-71
- shell_exec_t should not be in cockpit.fc
2014-08-04 15:44:24 +02:00
Miroslav Grepl
c950f2dee8 - Add additional fixes for abrt-dump-journal-oops which is now labeled as abrt_dump_oops_exec_t.
- Allow denyhosts to enable synchronization which needs to connect to tcp/9911 port.
- Allow nacl_helper_boo running in chrome_sandbox_t to send SIGCHLD to chrome_sandbox_nacl_t.
- Dontaudit write access on generic cert files. We don't audit also access check.
- Add support for arptables.
- Add labels and filenametrans rules for ostree repo directories which needs to be writable by subscription-manager.
2014-08-04 09:21:15 +02:00
Tom Callaway
4abfbc52c1 fix license handling 2014-08-04 01:11:48 -04:00
Miroslav Grepl
540429c2f1 - Add new mozilla_plugin_bind_unreserved_ports boolean to allow mozilla plugin to use tcp/udp unreserved ports. There is a lot of plugins which binds ports without SELinux port type. We want to allow user
- Allow smokeping cgi scripts to accept connection on httpd stream socket.
- docker does a getattr on all file systems
- Label all abort-dump programs
- Allow alsa to create lock file to see if it fixes.
- Add support for zabbix external scripts for which zabbix_script_t domain has been created. This domain is unconfined by default and user needs to run "semodule -d unconfined" to make system running with
- Add interface for journalctl_exec
- Add labels also for glusterd sockets.
- Change virt.te to match default docker capabilities
- Add additional booleans for turning on mknod or all caps.
- Also add interface to allow users to write policy that matches docker defaults
- for capabilities.
- Label dhcpd6 unit file.
- Add support also for dhcp IPv6 services.
- Added support for dhcrelay service
- Additional access for bluejeans
- docker needs more access, need back port to RHEL7
- Allow mdadm to connect to own socket created by mdadm running as kernel_t.
- Fix pkcs, Remove pkcs_lock_filetrans and Add files_search_locks
- Allow bacula manage bacula_log_t dirs
- Allow pkcs_slotd_t read /etc/passwd, Label /var/lock/opencryptoki as pkcs_slotd_lock_t
- Fix mistakes keystone and quantum
- Label neutron var run dir
- Label keystone var run dir
- Fix bad labeling for /usr/s?bin/(oo|rhc)-restorer-wrapper.sh in openshift.fc.
- Dontaudit attempts to access check cert dirs/files for sssd.
- Allow sensord to send a signal.
- Allow certmonger to stream connect to dirsrv to make ipa-server-install working.
- Label zabbix_var_lib_t directories
- Label conmans pid file as conman_var_run_t
- Label also /var/run/glusterd.socket file as gluster_var_run_t
- Fix policy for pkcsslotd from opencryptoki
- Update cockpit policy from cockpit upstream.
- Allow certmonger to exec ldconfig to make ipa-server-install working.
- Added support for Naemon policy
- Allow keepalived manage snmp files
- Add setpgid process to mip6d
- remove duplicate rule
- Allow postfix_smtpd to stream connect to antivirus
- Dontaudit list /tmp for icecast
- Allow zabbix domains to access /proc//net/dev.

Conflicts:
	selinux-policy.spec
2014-07-31 20:54:49 +02:00
Lukas Vrabec
0a90ee743a * Thu Jul 24 2014 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-67
- Allow zabbix domains to access /proc//net/dev.
- Dontaudit list /tmp for icecast (#894387)
- Allow postfix_smtpd to stream connect to antivirus (#1105889)
- Add setpgid process to mip6d
- Allow keepalived manage snmp files(#1053450)
- Added support for Naemon policy (#1120789).
- Allow certmonger to exec ldconfig to make ipa-server-install working. (#1122110)
- Update cockpit policy from cockpit upstream.
2014-07-24 16:12:42 +02:00
Miroslav Grepl
6683373910 - Revert labeling back to /var/run/systemd/initctl/fifo
- geoclue dbus chats with modemmanager
- Bluejeans wants to connect to port 5000
- geoclue dbus chats with modemmanager
2014-07-21 09:07:57 +02:00
Lukas Vrabec
ee1386c00c * Fri Jul 18 2014 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-65
- Allow sysadm to dbus chat with systemd
- Add logging_dontaudit_search_audit_logs()
- Add new files_read_all_mountpoint_symlinks()
- Fix labeling path from /var/run/systemd/initctl/fifo to /var/run/initctl/fifo.
- Allow ndc to read random and urandom device (#1110397)
- Allow zabbix to read system network state
- Allow fprintd to execute usr_t/bin_t
- Allow mailserver_domain domains to append dead.letter labeled as mail_home_t
- Add glance_use_execmem boolean to have glance configured to use Ceph/rbd
- Dontaudit search audit logs for fail2ban
- Allow mailserver_domain domains to create mail home content with right labeling
- Dontaudit svirt_sandbox_domain doing access checks on /proc
- Fix files_pid_filetrans() calling in nut.te to reflect allow rules.
- Use nut_domain attribute for files_pid_filetrans() for nut domains.
- Allow sandbox domains read all mountpoint symlinks to make symlinked homedirs
- Fix nut domains only have type transition on dirs in /run/nut directory.
- Allow net_admin/net_raw capabilities for haproxy_t. haproxy uses setsockopt()
- Clean up osad policy. Remove additional interfaces/rules
2014-07-18 11:47:02 +02:00
Lukas Vrabec
3e33a0a354 * Mon Jul 14 2014 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-64
- Allow systemd domains to check lvm status
- Allow getty to execute plymouth. #1112870
- Allow sshd to send signal to chkpwd_t
- initctl fifo file has been renamed
- Set proper labeling on /var/run/sddm
- Fix labeling for cloud-init logs
- Allow kexec to read kallsyms
- Add rhcs_stream_connect_haproxy interface, Allow neutron stream connect to rhcs
- Add fsetid caps for mandb. #1116165
- Allow all nut domains to read /dev/(u)?random.
- Allow deltacloudd_t to read network state BZ #1116940
- Add support for KVM virtual machines to use NUMA pre-placement
- Allow utilize winbind for authentication to AD
- Allow chrome sandbox to use udp_sockets leaked in by its parent
- Allow gfs_controld_t to getattr on all file systems
- Allow logrotate to manage virt_cache
- varnishd needs to have fsetid capability
- Allow dovecot domains to send signal perms to themselves
- Allow apache to manage pid sock files
- Allow nut_upsmon_t to create sock_file in /run dir
- Add capability sys_ptrace to stapserver
- Mysql can execute scripts when run in a cluster to see if someone is listening on a socket, basically runs lsof
- Added support for vdsm
2014-07-14 22:33:38 +02:00
Miroslav Grepl
682896c0a1 - If I can create a socket I need to be able to set the attributes
- Add tcp/8775 port as neutron port
- Add additional ports for swift ports
- Added changes to fedora from bug bz#1082183
- Add support for tcp/6200 port
- Allow collectd getattr access to configfs_t dir Fixes Bug 1115040
- Update neutron_manage_lib_files() interface
- Allow glustered to connect to ephemeral ports
- Allow apache to search ipa lib files by default
- Allow neutron to domtrans to haproxy
- Add rhcs_domtrans_haproxy()
- Add support for openstack-glance-* unit files
- Add initial support for /usr/bin/glance-scrubber
- Allow swift to connect to keystone and memcache ports.
- Fix labeling for /usr/lib/systemd/system/openstack-cinder-backup
- Add policies for openstack-cinder
- Add support for /usr/bin/nova-conductor
- Add neutron_can_network boolean
- Allow neutron to connect to neutron port
- Allow glance domain to use syslog
- Add support for /usr/bin/swift-object-expirer and label it as swift_exec_t
2014-07-04 18:51:18 +02:00
Miroslav Grepl
24862fd309 - Allow swift to use tcp/6200 swift port
- Allow swift to search apache configs
- Remove duplicate .fc entry for Grilo plugin bookmarks
- Remove duplicate .fc entry for telepathy-gabble
- Additional allow rules for docker sandbox processes
- Allow keepalived connect to agentx port
- Allow neutron-ns-metadata to connect to own unix stream socket
- Add support for tcp/6200 port
- Remove ability for confined users to run xinit
- New tool for managing wireless /usr/sbin/iw
2014-06-25 10:50:56 +02:00
Miroslav Grepl
e00cf0abb1 Fix spec file issues 2014-06-23 08:17:40 +02:00
Miroslav Grepl
9c9e4dd1a4 permissivedomains.pp should not be in MLS 2014-06-23 07:39:51 +02:00
Miroslav Grepl
211fb9932a * Fri Jun 20 2014 Miroslav Grepl<mgrepl@redhat.com> 3.13.1-61
- Add back MLS policy
2014-06-20 16:27:18 +02:00
Miroslav Grepl
c04c318879 * Thu Jun 19 2014 Miroslav Grepl<mgrepl@redhat.com> 3.13.1-60
- Implement new spec file handling for *.pp modules which allows us to move a policy module out of the policy
2014-06-19 16:53:27 +02:00
Miroslav Grepl
c629d27ef4 Merge user_tmp patches to base patches 2014-06-17 09:30:08 +02:00
Miroslav Grepl
1c0c710fe4 * Tue Jun 17 2014 Miroslav Grepl<mgrepl@redhat.com> 3.13.+- Allow system_bus_types to use stream_sockets inherited
- Allow system_bus_types to use stream_sockets inherited
- Allow journalctl to call getpw
- New access needed by dbus to talk to kernel stream
- Label sm-notifypid files correctly
- contrib: Add KMSCon policy module
2014-06-17 07:24:58 +02:00
Miroslav Grepl
a629498afd - Add mozilla_plugin_use_bluejeans boolean
- Add additional interfaces needed by mozilla_plugin_use_bluejeans boolean
2014-06-11 20:13:51 +02:00
Miroslav Grepl
686a38099f - Allow staff_t to communicate and run docker
- Fix *_ecryptfs_home_dirs booleans
- Allow ldconfig_t to read/write inherited user tmp pipes
- Allow storaged to dbus chat with lvm_t
- Add support for storaged and storaged-lvm-helper. Labeled it as lvm_exec_t.
- Use proper calling in ssh.te for userdom_home_manager attribute
- Use userdom_home_manager_type() also for ssh_keygen_t
- Allow locate to list directories without labels
- Allow bitlbee to use tcp/7778 port
- /etc/cron.daily/logrotate to execute fail2ban-client.
- Allow keepalived to connect to SNMP port. Support to do SNMP stuff
- Allow staff_t to communicate and run docker
- Dontaudit search mgrepl/.local for cobblerd_t
- Allow neutron to execute kmod in insmod_t
- Allow neutron to execute udevadm in udev_t
- Allow also fowner cap for varnishd
- Allow keepalived to execute bin_t/shell_exec_t
- rhsmcertd seems to need these accesses.  We need this backported to RHEL7 and perhaps RHEL6 policy
- Add cups_execmem boolean
- Allow gear to manage gear service
- New requires for gear to use systemctl and init var_run_t
- Allow cups to execute its rw_etc_t files, for brothers printers
- Add fixes to make munin and munin-cgi working. Allow munin-cgit to create files/dirs in /tmp, list munin co
- Allow swift to execute bin_t
- Allow swift to bind http_cache
2014-06-09 09:05:58 +02:00
Dennis Gilmore
07a8be1e18 - Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild 2014-06-08 01:07:47 -05:00
Miroslav Grepl
0ddb744a37 - Add decl for cockpit port
- Allow sysadm_t to read all kernel proc
- Allow logrotate to execute all executables
- Allow lircd_t to use tty_device_t for use with mythtv
- Make sure all zabbix files and directories in /var/log have the correct label
- Allow bitlbee to create directories and files in /var/log with the correct label
- Label /var/log/horizon as an apache log
- Add squid directory in /var/run
- Add transition rules to allow rabbitmq to create log files and var_lib files with the correct label
- Wrongly labeled avahi_var_lib_t as a pid file
- Fix labels on rabbitmq_var_run_t on file/dir creation
- Allow neutron to create sock files
- Allow postfix domains to getattr on all file systems
- Label swift-proxy-server as swift_exec_t
- Tighten SELinux capabilities to match docker capabilities
- Add fixes for squid which is configured to run with more than one worker.
- Allow cockpit to bind to its port
2014-05-27 10:30:27 +02:00
Miroslav Grepl
cccaf8f646 - geard seems to do a lot of relabeling
- Allow system_mail_t to append to munin_var_lib_t
- Allow mozilla_plugin to read alsa_rw_ content
- Allow asterisk to connect to the apache ports
- Dontaudit attempts to read fixed disk
- Dontaudit search gconf_home_t
- Allow rsync to create swift_server.lock with swift.log labeling
- Add labeling for swift lock files
- Use swift_virt_lock in swift.te
- Allow openwsman to getattr on sblim_sfcbd executable
- Fix sblim_stream_connect_sfcb() to contain also sblim_tmp_t
- Allow openwsman_t to read/write sblim-sfcb shared mem
- Allow openwsman to stream connect to sblim-sfcbd
- Allow openwsman to create tmpfs files/dirs
- dontaudit access to rpm db if rpm_exec for swift_t and sblim_sfcb
- Allow sblim_sfcbd to execute shell
- Allow swift to create lock file
- Allow openwsman to use tcp/80
- Allow neutron to create also dirs in /tmp
- Allow seunshare domains to getattr on all executables
- Allow ssh-keygen to create temporary files/dirs needed by OpenSt
- Allow named_filetrans_domain to create /run/netns
- Allow ifconfig to create /run/netns
2014-05-20 07:59:07 +02:00
Miroslav Grepl
7768984e85 Bump version 2014-05-13 14:44:23 +02:00
Miroslav Grepl
dfbb9aca62 * Tue May 13 2014 Miroslav Grepl<mgrepl@redhat.com> 3.13.1-
- Add missing dyntransition for sandbox_x_domain
2014-05-13 14:42:28 +02:00
Miroslav Grepl
dbf4ab85b0 - Added iotop policy. Thanks William Brown
- Allow spamc to read .pyzor located in /var/spool/spampd
- Allow spamc to create home content with correct labeling
- Allow logwatch_mail_t to create dead.letter with correct labeling
- Add labeling for min-cloud-agent
- Allow geoclue to read unix in proc.
- Add support for /usr/local/Brother labeling. We removed /usr/local equiv.
- add support for min-cloud-agent
- Allow ulogd to request the kernel to load a module
- remove unconfined_domain for openwsman_t
- Add openwsman_tmp_t rules
- Allow openwsman to execute chkpwd and make this domain as unconfined for F20.
- Allow nova-scheduler to read passwd file
- Allow neutron execute arping in neutron_t
- Dontaudit logrotate executing systemctl command attempting to net_admin
- Allow mozilla plugins to use /dev/sr0
- svirt sandbox domains to read gear content in /run. Allow gear_t to manage openshift file
- Any app that executes systemctl will attempt a net_admin
- Fix path to mmap_min_addr
2014-05-13 08:13:43 +02:00
Miroslav Grepl
6fbf46087c - More rules for gears and openshift 2014-05-07 21:48:58 +02:00
Miroslav Grepl
4c682c4ccf * Wed May 7 2014 Miroslav Grepl<mgrepl@redhat.com> 3.13.1-51
- Add gear fixes from dwalsh
2014-05-07 15:30:41 +02:00
Miroslav Grepl
9d0057f462 - selinux_unconfined_type should not be able to set booleans if the securemode is set
- Update sandbox_transition() to call sandbox_dyntrasition(). #885288.
2014-05-06 18:39:47 +02:00
Miroslav Grepl
4e5d63b465 - Fix labeling for /root/\.yubico
- userdom_search_admin_dir() calling needs to be optional in kernel.te
- Dontaudit leaked xserver_misc_device_t into plugins
- Allow all domains to search through all base_file_types, this should be back ported to RHEL7 policy
- Need to allow sssd_t to manage kernel keyrings in login programs since they don't get labeled with user domains
- Bootloader wants to look at init state
- Add MCS/MLS Constraints to kernel keyring, also add MCS Constraints to ipc, sem.msgq, shm
- init reads kdump etc files
- Add support for tcp/9697
- Fix labeling for /var/run/user/<UID>/gvfs
- Add support for us_cli ports
- fix sysnet_use_ldap
- Allow mysql to execute ifconfig if Red Hat OpenStack
- Allow stap-server to get attr on all fs
- Fix mail_pool_t to mail_spool_t
- Dontaudit leaked xserver_misc_device_t into plugins
- Need to allow sssd_t to manage kernel keyrings in login programs since they don't get labeled with user domains
- Add new labeling for /var/spool/smtpd
- Allow httpd_t to kill passenger
- Allow apache cgi scripts to use inherited httpd_t unix_stream_sockets
- Allow nova-scheduler to read passwd/utmp files
- Additional rules required by openstack,  needs backport to F20 and RHEL7
- Additional access required by docker
- Allow motion to use tcp/8082 port
2014-05-05 19:15:58 +02:00
Miroslav Grepl
3f5abd2216 - Fix virt_use_samba boolean
- Looks like all domains that use dbus libraries are now reading /dev/uran
- Add glance_use_fusefs() boolean
- Allow tgtd to read /proc/net/psched
- Additional access required for gear management of openshift directories
- Allow sys_ptrace for mock-build
- Fix mock_read_lib_files() interface
- Allow mock-build to write all inherited ttys and ptys
- Allow spamd to create razor home dirs with correct labeling
- Clean up sysnet_use_ldap()
- systemd calling needs to be optional
- Allow init_t to setattr/relabelfrom dhcp state files
2014-04-25 09:09:15 +02:00
Miroslav Grepl
bf38d6fee2 - mongod should not be a part of cloudforms.pp
- Fix labeling in snapper.fc
- Allow docker to read unconfined_t process state
- geoclue dbus chats with NetworkManager
- Add cockpit policy
- Add interface to allow tools to check the processes state of bind/named
- Allow mysqld to use the tram port for Galera/MariaDB
2014-04-23 11:47:29 +02:00
Miroslav Grepl
7ca2b30721 - Allow init_t to setattr/relabelfrom dhcp state files
- Allow dmesg to read hwdata and memory dev
- Allow strongswan to create ipsec.secrets with correct labeling in /etc/strongswan
- Dontaudit antivirus domains read access on all security files by default
- Add missing alias for old amavis_etc_t type
- Additional fixes for  instack overcloud
- Allow block_suspend cap for haproxy
- Allow OpenStack to read mysqld_db links and connect to MySQL
- Remove dup filename rules in gnome.te
- Allow sys_chroot cap for httpd_t and setattr on httpd_log_t
- Add labeling for /lib/systemd/system/thttpd.service
- Allow iscsid to handle own unit files
- Add iscsi_systemctl()
- Allow mongod also create sock_file with correct labeling in /run
- Allow aiccu stream connect to pcscd
- Allow rabbitmq_beam to connect to httpd port
- Allow httpd to send signull to apache script domains and don't audit leaks
- Fix labeling in drbd.fc
- Allow sssd to connect to the smbd port for handing logins using active directory, needs back
- Allow all freeipmi domains to read/write ipmi devices
- Allow rabbitmq_epmd to manage rabbit_var_log_t files
- Allow sblim_sfcbd to use also pegasus-https port
- Allow chronyd to read /sys/class/hwmon/hwmon1/device/temp2_input
- Add httpd_run_preupgrade boolean
- Add interfaces to access preupgrade_data_t
- Add preupgrade policy
- Add labeling for puppet helper scripts
2014-04-18 14:31:10 +02:00
Miroslav Grepl
1aabaf6c8d * Tue Apr 8 2014 Miroslav Grepl<mgrepl@redhat.com> 3.13.1-45
Rename puppet_t to puppetagent_
2014-04-08 11:35:12 +02:00
Miroslav Grepl
3f1341d528 - Change hsperfdata_root to have as user_tmp_t
- Allow rsyslog low-level network access
- Fix use_nfs_home_dirs/use_samba_home_dirs for xdm_t to allow append .xsession-errors by li
- Allow conman to resolve DNS and use user ptys
- update pegasus_openlmi_admin_t policy
- nslcd wants chown capability
- Dontaudit exec insmod in boinc policy
2014-04-08 07:25:43 +02:00
Miroslav Grepl
c14474eca6 - Add labels for /var/named/chroot_sdb/dev devices
- Add support for strongimcv
- Add additional fixes for yubikeys based on william@firstyear.id.au
- Allow init_t run /sbin/augenrules
- Remove dup decl for dev_unmount_sysfs_fs
- Allow unpriv SELinux user to use sandbox
- Fix ntp_filetrans_named_content for sntp-kod file
- Add httpd_dbus_sssd boolean
- Dontaudit exec insmod in boinc policy
- Add dbus_filetrans_named_content_system()
- We want to label only /usr/bin/start-puppet-master to avoid puppet agent running in puppet_t
- varnishd wants chown capability
- update ntp_filetrans_named_content() interface
- Add additional fixes for neutron_t. #1083335
- Dontaudit sandbox_t getattr on proc_kcore_t
- Allow pki_tomcat_t to read ipa lib files
2014-04-04 10:51:29 +02:00
Miroslav Grepl
33665e5aa5 * Tue Apr 1 2014 Miroslav Grepl<mgrepl@redhat.com> 3.13.1-42
- Merge user_tmp_t and user_tmpfs_t together to have only user_tmp_t
2014-04-01 12:33:30 +02:00
Miroslav Grepl
f8f75f94a2 - Turn on gear_port_t
- Add gear policy and remove permissive domains.
- Add labels for ostree
- Add SELinux awareness for NM
- Label /usr/sbin/pwhistory_helper as updpwd_exec_t
2014-03-27 20:39:58 +01:00
Miroslav Grepl
1f53e62396 - update storage_filetrans_all_named_dev for sg* devices
- Allow auditctl_t to getattr on all removable devices
- Allow nsswitch_domains to stream connect to nmbd
- Allow rasdaemon to rw /dev/cpu//msr
- fix /var/log/pki file spec
- make bacula_t as auth_nsswitch domain
- Allow certmonger to manage ipa lib files
- Add support for /var/lib/ipa
2014-03-26 10:51:19 +01:00
Miroslav Grepl
8ad9144b00 - Manage_service_perms should include enable and disable, need backport to RHEL7
- Allow also unpriv user to run vmtools
- Allow secadm to read /dev/urandom and meminfo
- Add userdom_tmp_role for secadm_t
- Allow postgresql to read network state
- Add a new file context for /var/named/chroot/run directory
- Add booleans to allow docker processes to use nfs and samba
- Dontaudit net_admin for /usr/lib/jvm/java-1.7.0-openjdk-1.7.0.51-2.4.5.1.el7.x86_64/jre-abrt/b
- Allow puppet stream connect to mysql
- Fixed some rules related to puppet policy
- Allow vmware-user-sui to use user ttys
- Allow talk 2 users logged via console too
- Additional avcs for docker when running tests
- allow anaconda to dbus chat with systemd-localed
- clean up rhcs.te
- remove dup rules from haproxy.te
- Add fixes for haproxy based on bperkins@redhat.com
- Allow cmirrord to make dmsetup working
- Allow NM to execute arping
- Allow users to send messages through talk
- update rtas_errd policy
- Add support for /var/spool/rhsm/debug
- Make virt_sandbox_use_audit as True by default
- Allow svirt_sandbox_domains to ptrace themselves
- Allow snmpd to getattr on removable and fixed disks
- Allow docker containers to manage /var/lib/docker content
2014-03-25 09:50:55 +01:00
Miroslav Grepl
443a36eeca Remove smstools.pp to make upgrade working 2014-03-20 14:46:43 +01:00
Miroslav Grepl
38dae99c57 Create base.lst which contains list of base policy modules 2014-03-18 18:35:19 +01:00
Miroslav Grepl
8e18cc2081 - Label sddm as xdm_exec_t to make KDE working again
- Allow postgresql to read network state
- Allow java running as pki_tomcat to read network sysctls
- Fix cgroup.te to allow cgred to read cgconfig_etc_t
- Allow beam.smp to use ephemeral ports
- Allow winbind to use the nis to authenticate passwords
2014-03-17 17:29:57 +01:00
Miroslav Grepl
6337678e76 - Allow collectd to talk to libvirt
- Allow chrome_sandbox to use leaked unix_stream_sockets
- Dontaudit leaks of sockets into chrome_sandbox_t
- If you create a cups directory in /var/cache then it should be labeled cups_rw_etc_t
- Run vmtools as unconfined domains
- Allow snort to manage its log files
- Allow systemd_cronjob_t to be entered via bin_t
- Allow procman to list doveconf_etc_t
- allow keyring daemon to create content in tmpfs directories
- Add proper labelling for icedtea-web
- vpnc is creating content in networkmanager var run directory
- unconfined_service should be allowed to transition to rpm_script_t
- Allow couchdb to listen on port 6984
- Dontaudit attempts by unpriv user domain to write to /run/mount directory, caused by running mount command
- Allow systemd-logind to setup user tmpfs directories
- Add additional fixes for systemd_networkd_t
- Allow systemd-logind to manage user_tmpfs_t
- Allow systemd-logind to mount /run/user/1000 to get gdm working
2014-03-17 08:59:51 +01:00
Miroslav Grepl
3f9fe17186 - Add additional fixes for systemd_networkd_t
- Allow systemd-logind to manage user_tmpfs_t
- Allow systemd-logind to mount /run/user/1000 to get gdm working
- Dontaudit attempts to setsched on the kernel_t threads
- Allow munin mail plugins to read network sysctl
- Fix git_system_enable_homedirs boolean
- Make cimtest script 03_defineVS.py of ComputerSystem group working
- Make  abrt-java-connector working
- Allow net_admin cap for fence_virtd running as fenced_t
- Allow vmtools_helper_t to execute bin_t
- Add support for /usr/share/joomla
2014-03-14 11:01:06 +01:00
Miroslav Grepl
0575d649c8 - sshd to read network sysctls
- Allow vmtools_helper_t to execute bin_t
- Add support for /usr/share/joomla
- /var/lib/containers should be labeled as openshift content for now
- Allow docker domains to talk to the login programs, to allow a process to login into the container
2014-03-13 13:29:54 +01:00
Miroslav Grepl
648f9057dc bump release 2014-03-12 21:45:04 +01:00
Miroslav Grepl
695bbc81ea * Wed Mar 12 2014 Miroslav Grepl<mgrepl@redhat.com> 3.13.1-34
- Add install_t for anaconda
2014-03-12 20:45:39 +01:00
Miroslav Grepl
ab84f40064 - Allow init_t to stream connect to ipsec
- Add /usr/lib/systemd/systemd-networkd policy
- Add sysnet_manage_config_dirs()
- Add support for /var/run/systemd/network and labeled it as net_conf_t
- Allow unpriv SELinux users to dbus chat with firewalld
- Add lvm_write_metadata()
- Label /etc/yum.reposd dir as system_conf_t. Should be safe because system_conf_t is base_ro_file_type
- Add support for /dev/vmcp and /dev/sclp
- Add docker_connect_any boolean
- Fix zabbix policy
- Allow zabbix to send system log msgs
- Allow pegasus_openlmi_storage_t to write lvm metadata
- Updated pcp_bind_all_unreserved_ports
- Allow numad to write scan_sleep_millisecs
- Turn on entropyd_use_audio boolean by default
- Allow cgred to read /etc/cgconfig.conf because it contains templates used together with rules from /etc/cgrules.conf.
- Allow lscpu running as rhsmcertd_t to read /proc/sysinfo
2014-03-12 11:14:14 +01:00
Miroslav Grepl
24a25f20cc - Allow numad to write scan_sleep_millisecs
- Turn on entropyd_use_audio boolean by default
- Allow cgred to read /etc/cgconfig.conf because it contains templates used togeth
- Allow lscpu running as rhsmcertd_t to read /proc/sysinfo
- Allow numad to write scan_sleep_millisecs
- Turn on entropyd_use_audio boolean by default
- Allow cgred to read /etc/cgconfig.conf because it contains templates used togeth
- Allow lscpu running as rhsmcertd_t to read /proc/sysinfo
- Fix label on irclogs in the homedir
2014-03-10 11:51:20 +01:00
Miroslav Grepl
2d6801ddad - Modify xdm_write_home to allow create files/links in /root with xdm_home_t
- Add more fixes for https://fedoraproject.org/wiki/Changes/XorgWithoutRootRights
- Add xserver_dbus_chat() interface
- Add sysnet_filetrans_named_content_ifconfig() interface
- Change userdom_use_user_inherited_ttys to userdom_use_user_ttys for systemd-tty-
- Turn on cron_userdomain_transition by default for now. Until we get a fix for #1
- Allow lscpu running as rhsmcertd_t to read sysinfo
- Allow virt domains to read network state
- Added pcp rules
- Allow ctdbd to connect own ports
- Fix samba_export_all_rw boolean to cover also non security dirs
- Allow swift to exec rpm in swift_t and allow to create tmp files/dirs
- Allow neutron to create /run/netns with correct labeling
- Allow to run ip cmd in neutron_t domain
- Allow rpm_script_t to dbus chat also with systemd-located
- Fix ipa_stream_connect_otpd()
2014-03-07 16:53:11 +01:00
Miroslav Grepl
08fe2e457e - Allow block_suspend cap2 for systemd-logind and rw dri device
- Add labeling for /usr/libexec/nm-libreswan-service
- Allow locallogin to rw xdm key to make Virtual Terminal login providing
- Add xserver_rw_xdm_keys()
- Allow rpm_script_t to dbus chat also with systemd-located
- Fix ipa_stream_connect_otpd()
- update lpd_manage_spool() interface
- Allow krb5kdc to stream connect to ipa-otpd
- Add ipa_stream_connect_otpd() interface
- Allow vpnc to unlink NM pids
- Add networkmanager_delete_pid_files()
- Allow munin plugins to access unconfined plugins
- update abrt_filetrans_named_content to cover /var/spool/debug
- Label /var/spool/debug as abrt_var_cache_t
- Allow rhsmcertd to connect to squid port
- Make docker_transition_unconfined as optional boolean
- Allow certmonger to list home dirs
2014-03-04 10:17:06 +01:00
Miroslav Grepl
18bb7ec6a3 * Fri Feb 28 2014 Miroslav Grepl<mgrepl@redhat.com> 3.13.1-29
- Make docker as permissive domain
2014-02-28 12:34:15 +01:00
Dan Walsh
96f7ac46ed Remove vbetool we no longer ship this 2014-02-27 16:00:58 -05:00
Miroslav Grepl
439063013f - Allow bumblebeed to send signal to insmod
- Dontaudit attempts by crond_t net_admin caused by journald
- Allow the docker daemon to mounton tty_device_t
- Add additional snapper fixes to allow relabel file_t
- Allow setattr for all mountpoints
- Allow snapperd to write all dirs
- Add support for /etc/sysconfig/snapper
- Allow mozilla_plugin to getsession
- Add labeling for thttpd
- Allow sosreport to execute grub2-probe
- Allow NM to manage hostname config file
- Allow systemd_timedated_t to dbus chat with rpm_script_t
- Allow lsmd plugins to connect to http/ssh/http_cache ports by default
- Add lsmd_plugin_connect_any boolea
- Add support for ipset
- Add support for /dev/sclp_line0
- Add modutils_signal_insmod()
- Add files_relabelto_all_mountpoints() interface
- Allow the docker daemon to mounton tty_device_t
- Allow all systemd domains to read /proc/1
- Login programs talking to journald are attempting to net_admin, add dontaudit
- init is not gettar on processes as shutdown time
- Add systemd_hostnamed_manage_config() interface
- Make unconfined_service_t valid in enforcing
- Remove transition for temp dirs created by init_t
- gdm-simple-slave uses setsockopt
- Add lvm_read_metadata()
2014-02-27 12:34:10 +01:00
Miroslav Grepl
3e0039f065 - Make unconfined_service_t valid in enforcing
- Remove transition for temp dirs created by init_t
- gdm-simple-slave uses setsockopt
- Treat usermodehelper_t as a sysctl_type
- xdm communicates with geo
- Add lvm_read_metadata()
- Allow rabbitmq_beam to connect to jabber_interserver_port
- Allow logwatch_mail_t to transition to qmail_inject and queue
- Added new rules to pcp policy
- Allow vmtools_helper_t to change role to system_r
- Allow NM to dbus chat with vmtools
2014-02-24 20:13:11 +01:00
Miroslav Grepl
74ec503d1c - Add labeling for /usr/sbin/amavi
- Colin asked for this program to be treated as cloud-init
- Allow ftp services to manage xferlog_t
- Fix vmtools policy to allow user roles to access vmtools_helper_t
- Allow block_suspend cap2 for ipa-otpd
- Allow certmonger to search home content
- Allow pkcsslotd to read users state
- Allow exim to use pam stack to check passwords
- Add labeling for /usr/sbin/amavi
- Colin asked for this program to be treated as cloud-init
- Allow ftp services to manage xferlog_t
- Fix vmtools policy to allow user roles to access vmtools_helper_t
- Allow block_suspend cap2 for ipa-otpd
- Allow certmonger to search home content
- Allow pkcsslotd to read users state
- Allow exim to use pam stack to check passwor
2014-02-21 17:01:54 +01:00
Miroslav Grepl
60668f6a35 * Tue Feb 18 2014 Miroslav Grepl<mgrepl@redhat.com> 3.13.1-25
- Add lvm_read_metadata()
- Allow auditadm to search /var/log/audit dir
- Add lvm_read_metadata() interface
- Allow confined users to run vmtools helpers
- Fix userdom_common_user_template()
- Generic systemd unit scripts do write check on /
- Allow init_t to create init_tmp_t in /tmp. This is for temporary content created by generic unit files
- Add additional fixes needed for init_t and setup script running in generic unit files
- Allow general users to create packet_sockets
- added connlcli port
- Add init_manage_transient_unit() interface
- Allow init_t (generic unit files) to manage rpc state date as we had it for initrc_t
- Fix userdomain.te to require passwd class
- devicekit_power sends out a signal to all processes on the message bus when power is going down
- Dontaudit random domains listing /proc and hitting system_map_t
- Dontaudit leaks of var_t into ifconfig_t
- Allow domains that transition to ssh_t to manipulate its keyring
- Define oracleasm_t as a device node
- Change to handle /root as a symbolic link for os-tree
- Allow sysadm_t to create packet_socket, also move some rules to attributes
- Add label for openvswitch port
- Remove general transition for files/dirs created in /etc/mail which got etc_aliases_t label.
- Allow postfix_local to read .forward in pcp lib files
- Allow pegasus_openlmi_storage_t to read lvm metadata
- Add additional fixes for pegasus_openlmi_storage_t
- Allow bumblebee to manage debugfs
- Make bumblebee as unconfined domain
- Allow snmp to read etc_aliases_t
- Allow lscpu running in pegasus_openlmi_storage_t to read /dev/mem
- Allow pegasus_openlmi_storage_t to read /proc/1/environ
- Dontaudit read gconf files for cupsd_config_t
- make vmtools as unconfined domain
- Add vmtools_helper_t for helper scripts. Allow vmtools shutdown a host and run ifconfig.
- Allow collectd_t to use a mysql database
- Allow ipa-otpd to perform DNS name resolution
- Added new policy for keepalived
- Allow openlmi-service provider to manage transient units and allow stream connect to sssd
- Add additional fixes new pcsc-lite+polkit support
- Add labeling for /run/krb5kdc
- Change w3c_validator_tmp_t to httpd_w3c_validator_tmp_t in F20
- Allow pcscd to read users proc info
- Dontaudit smbd_t sending out random signals
- Add boolean to allow openshift domains to use nfs
- Allow w3c_validator to create content in /tmp
- zabbix_agent uses nsswitch
- Allow procmail and dovecot to work together to deliver mail
- Allow spamd to execute files in homedir if boolean turned on
- Allow openvswitch to listen on port 6634
- Add net_admin capability in collectd policy
- Fixed snapperd policy
- Fixed bugs for pcp policy
- Allow dbus_system_domains to be started by init
- Fixed some interfaces
- Add kerberos_keytab_domain attribute
- Fix snapperd_conf_t def
2014-02-18 18:05:44 +01:00
Dan Walsh
0474cb579e Add nsplugin.pp and qemu.pp as two additional policies that we no longer ship 2014-02-18 10:19:40 -05:00
Miroslav Grepl
3dc79f55af Fix selinux config file 2014-02-18 14:19:57 +01:00
Dan Walsh
fdaea44147 Make sure selinux-policy owns the rpmconfigdir and macros.d so it does not build a require for rpm 2014-02-14 14:51:42 -05:00
Miroslav Grepl
7a727702c0 - Dontaudit random domains listing /proc and hitting system_map_t
- devicekit_power sends out a signal to all processes on the message bus when power is going down
- Modify xdm_write_home to allow create also links as xdm_home_t if the boolean is on true
- systemd_tmpfiles_t needs to _setcheckreqprot
- Add unconfined_server to be run by init_t when it executes files labeled bin_t, or usr_t, allow all domains to communicate with it
- Fixed snapperd policy
- Fixed broken interfaces
- Should use rw_socket_perms rather than sock_file on a unix_stream_socket
- Fixed bugs for pcp policy
- pcscd seems to be using policy kit and looking at domains proc data that transition to it
- Allow dbus_system_domains to be started by init
- Fixed some interfaces
- Adopt corenet rules for unbound-anchor to rpm_script_t
- Allow runuser to send audit messages.
- Allow postfix-local to search .forward in munin lib dirs
- Allow udisks to connect to D-Bus
- Allow spamd to connect to spamd port
- Fix syntax error in snapper.te
- Dontaudit osad to search gconf home files
- Allow rhsmcertd to manage /etc/sysconf/rhn director
- Fix pcp labeling to accept /usr/bin for all daemon binaries
- Fix mcelog_read_log() interface
- Allow iscsid to manage iscsi lib files
- Allow snapper domtrans to lvm_t. Add support for /etc/snapper and allow snapperd to manage it.
- Allow ABRT to read puppet certs
- Allow virtd_lxc_t to specify the label of a socket
- New version of docker requires more access
2014-02-14 13:09:05 +01:00
Miroslav Grepl
05a36cdcd0 - Adopt corenet rules for unbound-anchor to rpm_script_t
- Allow runuser to send audit messages.
- Allow postfix-local to search .forward in munin lib dirs
- Allow udisks to connect to D-Bus
- Allow spamd to connect to spamd port
- Fix syntax error in snapper.te
- Dontaudit osad to search gconf home files
- Allow rhsmcertd to manage /etc/sysconf/rhn director
- Fix pcp labeling to accept /usr/bin for all daemon binaries
- Fix mcelog_read_log() interface
- Allow iscsid to manage iscsi lib files
- Allow snapper domtrans to lvm_t. Add support for /etc/snapper and allow snapperd to manage it.
- Make tuned_t as unconfined domain for RHEL7.0
- Allow ABRT to read puppet certs
- Add sys_time capability for virt-ga
- Allow qemu-ga to domtrans to hwclock_t
- Allow additional access for virt_qemu_ga_t processes to read system clock and send audit messages
- Fix some AVCs in pcp policy
- Add to bacula capability setgid and setuid and allow to bind to bacula ports
- Changed label from rhnsd_rw_conf_t to rhnsd_conf_t
- Add access rhnsd and osad to /etc/sysconfig/rhn
- drbdadm executes drbdmeta
- Fixes needed for docker
- Allow epmd to manage /var/log/rabbitmq/startup_err file
- Allow beam.smp connect to amqp port
- Modify xdm_write_home to allow create also links as xdm_home_t if the boolean is on true
- Allow init_t to manage pluto.ctl because of init_t instead of initrc_t
- Allow systemd_tmpfiles_t to manage all non security files on the system
- Added labels for bacula ports
- Fix label on /dev/vfio/vfio
- Add kernel_mounton_messages() interface
- init wants to manage lock files for iscsi
2014-02-11 20:28:28 +01:00
Miroslav Grepl
6383860028 - Fix /dev/vfio/vfio labeling 2014-02-05 15:57:57 +01:00
Miroslav Grepl
fc059db54d - Add kernel_mounton_messages() interface
- init wants to manage lock files for iscsi
- Add support for dey_sapi port
- Fixes needed for docker
- Allow epmd to manage /var/log/rabbitmq/startup_err file
- Allow beam.smp connect to amqp port
- drbdadm executes drbdmeta
- Added osad policy
- Allow postfix to deliver to procmail
- Allow vmtools to execute /usr/bin/lsb_release
- Allow geoclue to read /etc/passwd
- Allow docker to write system net ctrls
- Add support for rhnsd unit file
- Add dbus_chat_session_bus() interface
- Add dbus_stream_connect_session_bus() interface
- Fix pcp.te
- Fix logrotate_use_nfs boolean
- Add lot of pcp fixes found in RHEL7
- fix labeling for pmie for pcp pkg
- Change thumb_t to be allowed to chat/connect with session bus type
- Add logrotate_use_nfs boolean
- Allow setroubleshootd to read rpc sysctl
2014-02-05 08:52:08 +01:00
Miroslav Grepl
a853036f79 - Allow passwd_t to use ipc_lock, so that it can change the password in gnome-keyring
- Allow geoclue to create temporary files/dirs in /tmp
- Add httpd_dontaudit_search_dirs boolean
- Add support for winbind.service
- Allow also fail2ban-client to read apache logs
- Allow vmtools to getattr on all fs
2014-01-30 13:26:17 +01:00
Miroslav Grepl
2b1129da49 - Add net_admin also for systemd_passwd_agent_t
- Allow Associate usermodehelper_t to sysfs filesystem
- Allow gdm to create /var/gdm with correct labeling
- Allow domains to append rkhunter lib files. #1057982
- Allow systemd_tmpfiles_t net_admin to communicate with journald
- update libs_filetrans_named_content() to have support for /usr/lib/debug directory
- Adding a new service script to enable setcheckreqprot
- Add interface to getattr on an isid_type for any type of file
- Allow initrc_t domtrans to authconfig if unconfined is enabled
- Add labeling for snapper.log
- Allow tumbler to execute dbusd-daemon in thumb_t
- Add dbus_exec_dbusd()
- Add snapperd_data_t type
- Add additional fixes for snapperd
- Fix bad calling in samba.te
- Allow smbd to create tmpfs
- Allow rhsmcertd-worker send signull to rpm process
- Allow net_admin capability and send system log msgs
- Allow lldpad send dgram to NM
- Add networkmanager_dgram_send()
- rkhunter_var_lib_t is correct type
- Allow openlmi-storage to read removable devices
- Allow system cron jobs to manage rkhunter lib files
- Add rkhunter_manage_lib_files()
- Fix ftpd_use_fusefs boolean to allow manage also symlinks
- Allow smbcontrol block_suspend cap2
- Allow slpd to read network and system state info
- Allow NM domtrans to iscsid_t if iscsiadm is executed
- Allow slapd to send a signal itself
- Allow sslget running as pki_ra_t to contact port 8443, the secure port of the CA.
- Fix plymouthd_create_log() interface
- Add rkhunter policy with files type definition for /var/lib/rkhunter until it is fixed in rkhunter package
- Allow postfix and cyrus-imapd to work out of box
- Remove logwatch_can_sendmail which is no longer used
- Allow fcoemon to talk with unpriv user domain using unix_stream_socket
- snapperd is D-Bus service
- Allow OpenLMI PowerManagement to call 'systemctl --force reboot'
2014-01-28 22:06:09 +01:00
Dan Walsh
98a685257a Fix the day of the week 2014-01-28 15:59:39 -05:00
Miroslav Grepl
f8d85476fd - Add haproxy_connect_any boolean
- Allow haproxy also to use http cache port by default
- Fix /usr/lib/firefox/plugin-container decl
- Allow haproxy to work as simple HTTP proxy. HAProxy For TCP And HTTP Based Applications
- Label also /usr/libexec/WebKitPluginProcess as mozilla_plugin_exec_t
- Fix type in docker.te
- Fix bs_filetrans_named_content() to have support for /usr/lib/debug directory
- Adding a new service script to enable setcheckreqprot
- Add interface to getattr on an isid_type for any type of file
- Allow initrc_t domtrans to authconfig if unconfined is enabled
type in docker.te
- Add mozilla_plugin_exec_t labeling for /usr/lib/firefox/plugin-container
2014-01-24 17:52:42 +01:00
Miroslav Grepl
254b1593d0 - init calling needs to be optional in domain.te
- Allow docker and mount on devpts chr_file
- Allow docker to transition to unconfined_t if boolean set
- Label also /usr/libexec/WebKitPluginProcess as mozilla_plugin_exec_t
- Fix type in docker.te
- Add mozilla_plugin_exec_t labeling for /usr/lib/firefox/plugin-contai
- Allow docker to use the network and build images
- Allow docker to read selinux files for labeling, and mount on devpts
- Allow domains that transition to svirt_sandbox to send it signals
- Allow docker to transition to unconfined_t if boolean set
2014-01-23 11:03:30 +01:00
Miroslav Grepl
f4d3efd317 Remove conflict for pki-selinux 2014-01-22 13:15:32 +01:00
Miroslav Grepl
d7f0c3cf54 - New access needed to allow docker + lxc +SELinux to work together
- Allow apache to write to the owncloud data directory in /var/www/html...
- Cleanup sandbox X AVC's
- Allow consolekit to create log dir
- Add support for icinga CGI scripts
- Add support for icinga
- Allow kdumpctl_t to create kdump lock file
- Allow kdump to create lnk lock file
- Allow ABRT write core_pattern
- Allow ABRT to read core_pattern
- Add policy for Geoclue. Geoclue is a D-Bus service that provides location information
- Allow nscd_t block_suspend capability
- Allow unconfined domain types to manage own transient unit file
- Allow systemd domains to handle transient init unit files
- No longer need the rpm_script_roles line since rpm_transition_script now does this for us
- Add/fix interfaces for usermodehelper_t
- Add interfaces to handle transient
- Fixes for new usermodehelper and proc_security_t types
2014-01-22 13:00:17 +01:00
Miroslav Grepl
3a0ebd8398 - Add cron unconfined role support for unconfined SELinux user
- Call kernel_rw_usermodehelper_state() in init.te
- Call corenet_udp_bind_all_ports() in milter.te
- Allow fence_virtd to connect to zented port
- Fix header for mirrormanager_admin()
- Allow dkim-milter to bind udp ports
- Allow milter domains to send signull itself
- Allow block_suspend for yum running as mock_t
- Allow beam.smp to manage couchdb files
- Add couchdb_manage_files()
- Add labeling for /var/log/php_errors.log
- Allow bumblebee to stream connect to xserver
- Allow bumblebee to send a signal to xserver
- gnome-thumbnail to stream connect to bumblebee
- Fix calling usermodehelper to use _state in interface name
- Allow xkbcomp running as bumblebee_t to execute bin_t
- Allow logrotate to read squid.conf
- Additional rules to get docker and lxc to play well with SELinux
- Call kernel_read_usermodhelper/kernel_rw_usermodhelper
- Make rpm_transition_script accept a role
- Added new policy for pcp
- Allow bumblebee to connect to xserver port
- Allow pegasus_openlmi_storage_t to read hwdata
2014-01-20 11:41:09 +01:00
Miroslav Grepl
5dcd635c58 index.html and style.css should be in /usr/share/selinux/devel/htm 2014-01-20 11:24:03 +01:00
Miroslav Grepl
368fb803a8 See spec file 2014-01-17 16:40:25 +01:00
Miroslav Grepl
5bd1f1afd6 * Mon Jan 13 2014 Miroslav Grepl<mgrepl@redhat.com> 3.13.1-13
- Remove file_t from the system and realias it with unlabeled_
2014-01-13 12:25:57 +01:00
Miroslav Grepl
9b85087129 - Add gluster fixes
- Remove ability to transition to unconfined_t from confined domains
- Additional allow rules to get libvirt-lxc containers working with docker
2014-01-09 15:11:05 +01:00
Miroslav Grepl
9d88e18305 - Allow mozilla plugin to chat with policykit, needed for spice
- Allow gssproxy to change user and gid, as well as read user keyrings
- Allow sandbox apps to attempt to set and get capabilities
- Label upgrades directory under /var/www as httpd_sys_rw_content_t, add other filetrans rules to label content correctly
- allow modemmanager to read /dev/urand
- Allow polipo to connect to http_cache_ports
- Allow cron jobs to manage apache var lib content
- Allow yppassword to manage the passwd_file_t
- Allow showall_t to send itself signals
- Allow cobbler to restart dhcpc, dnsmasq and bind services
- Allow rsync_t to manage all non auth files
- Allow certmonger to manage home cert files
- Allow user_mail_domains to write certain files to the /root and ~/ directories
- Allow apcupsd_t to status and start the power unit file
- Allow cgrulesengd to create content in cgroups directories
- Add new access for mythtv
- Allow irc_t to execute shell and bin_t files
- Allow smbd_t to signull cluster
- Allow sssd to read systemd_login_var_run_t
- Allow gluster daemon to create fifo files in glusterd_brick_t and sock_file in glusterd_var_lib_t
- Add label for /var/spool/cron.aquota.user
- Allow sandbox_x domains to use work with the mozilla plugin semaphore
- Added new policy for speech-dispatcher
- Added dontaudit rule for insmod_exec_t  in rasdaemon policy
- Updated rasdaemon policy
- Allow virt_domains to read cert files
- Allow system_mail_t to transition to postfix_postdrop_t
- Clean up mirrormanager policy
- Allow subscription-manager running as sosreport_t to manage rhsmcertd
- Remove ability to do mount/sys_admin by default in virt_sandbox domains
- New rules required to run docker images within libvirt
- Fixed bumblebee_admin() and mip6d_admin()
- Add log support for sensord
- Add label for ~/.cvsignore
- Change mirrormanager to be run by cron
- Add mirrormanager policy
- Additional fixes for docker.te
- Allow cobblerd to read/write undionly.kpxe located in /var/lib/tftpboot
- Add tftp_write_rw_content/tftp_read_rw_content interfaces
- Allow amanda to do backups over UDP
2014-01-06 07:31:14 +01:00
Miroslav Grepl
804870d8a3 policy-rawhide-contrib-apache-content.patch is no longer needed. Merged to policy-rawhide-contrib.patch. 2014-01-06 06:56:06 +01:00
Dan Walsh
70c60d82d0 Fix usage of semanage import line 2014-01-02 14:17:35 -05:00
Miroslav Grepl
c9394c3ea7 Add selinux/minimum/contexts/users/sysadm_u also for minimum policy 2013-12-16 12:05:05 +01:00
Miroslav Grepl
74b303ea26 Fix spec file 2013-12-13 15:10:55 +01:00
Miroslav Grepl
2397102af8 - Allow freeipmi_ipmidetectd_t to use freeipmi port
- Update freeipmi_domain_template()
- Allow journalctl running as ABRT to read /run/log/journal
- Allow NM to read dispatcher.d directory
- Update freeipmi policy
- Type transitions with a filename not allowed inside conditionals
- Allow tor to bind to hplip port
- Make new type to texlive files in homedir
- Allow zabbix_agent to transition to dmidecode
- Add rules for docker
- Allow sosreport to send signull to unconfined_t
- Add virt_noatsecure and virt_rlimitinh interfaces
- Fix labeling in thumb.fc to add support for /usr/lib64/tumbler-1/tumblerddd support for freeipm
- Add sysadm_u_default_contexts
- Add logging_read_syslog_pid()
- Fix userdom_manage_home_texlive() interface
- Make new type to texlive files in homedir
- Add filename transitions for /run and /lock links
- Allow virtd to inherit rlimit information
2013-12-12 17:23:54 +01:00
Miroslav Grepl
4b8334da4c - DRM master and input event devices are used by the TakeDevice API
- Clean up bumblebee policy
- Update pegasus_openlmi_storage_t policy
- opensm policy clean up
- openwsman policy clean up
- ninfod policy clean up
- Allow conman to connect to freeipmi services and clean up conman policy
- Allow conmand just bind on 7890 port
- Add freeipmi_stream_connect() interface
- Allow logwatch read madm.conf to support RAID setup
- Add raid_read_conf_files() interface
- Allow up2date running as rpm_t create up2date log file with rpm_log_t labeling
- add rpm_named_filetrans_log_files() interface
- Added policy for conmand
- Allow dkim-milter to create files/dirs in /tmp
- update freeipmi policy
- Add policy for freeipmi services
- Added rdisc_admin and rdisc_systemctl interfaces
- Fix aliases in pegasus.te
- Allow chrome sandbox to read generic cache files in homedir
- Dontaudit mandb searching all mountpoints
- Make sure wine domains create .wine with the correct label
- Add proper aliases for pegasus_openlmi_services_exec_t and pegasus_openlmi_services_t
- Allow winbind the kill capability
- DRM master and input event devices are used by the TakeDevice API
- add dev_rw_inherited_dri() and dev_rw_inherited_input_dev()
- Added support for default conman port
- Add interfaces for ipmi devices
- Make sure wine domains create .wine with the correct label
- Allow manage dirs in kernel_manage_debugfs interface.
- Allow systemctl running in ipsec_mgmt_t to access /usr/lib/systemd/system/ipsec.service
- Label /usr/lib/systemd/system/ipsec.service as ipsec_mgmt_unit_file_t
- Fix userdom_confined_admin_template()
- Add back exec_content boolean for secadm, logadm, auditadm
- Fix files_filetrans_system_db_named_files() interface
- Allow sulogin to getattr on /proc/kcore
- Add filename transition also for servicelog.db-journal
- Add files_dontaudit_access_check_root()
- Add lvm_dontaudit_access_check_lock() interface
2013-12-09 08:16:07 +01:00
Miroslav Grepl
676f0e4eb9 - Add back fixes for gnome_role_template()
- Label /usr/sbin/htcacheclean as httpd_exec_t
- Add missing alias for pegasus_openlmi_service_exec_t
- Added support for rdisc unit file
- Added new policy for ninfod
- Added new policy for openwsman
- Add antivirus_db_t labeling for /var/lib/clamav-unofficial-sigs
- Allow runuser running as logrotate connections to system DBUS
- Add connectto perm for NM unix stream socket
- Allow watchdog to be executed from cron
- Allow cloud_init to transition to rpm_script_t
- Allow lsmd_plugin_t send system log messages
- Label /var/log/up2date as rpm_log_t and allow sosreport to manage rpm log/pid/cache files which is a part of ABRT polic
- Added new capabilities for mip6d policy
- Label bcache devices as fixed_disk_device_t
- Allow systemctl running in ipsec_mgmt_t to access /usr/lib/systemd/system/ipsec.service
- label /usr/lib/systemd/system/ipsec.service as ipsec_mgmt_unit_file_t
2013-12-03 22:01:54 +01:00
Miroslav Grepl
d61adff49b - Add lsmd_plugin_t for lsm plugins
- Allow dovecot-deliver to search mountpoints
- Add labeling for /etc/mdadm.conf
- Allow openlmi admin providers to dbus chat with init_t
- Allow sblim domain to read /dev/urandom and /dev/random
- Add back exec_content boolean for secadm, logadm, auditadm
- Allow sulogin to getattr on /proc/kcore
2013-11-26 18:41:01 +01:00
Miroslav Grepl
c9b9ed2c4d - Add filename transition also for servicelog.db-journal
- Add files_dontaudit_access_check_root()
- Add lvm_dontaudit_access_check_lock() interface
- Allow mount to manage mount_var_run_t files/dirs
- Allow updpwd_t to ignore mls levels for writing shadow_t at a lower level
- Make sure boot.log is created with the correct label
- call logging_relabel_all_log_dirs() in systemd.te
- Allow systemd_tmpfiles to relabel log directories
- Allow staff_t to run frequency command
- Allow staff_t to read xserver_log file
- This reverts commit c0f9f125291f189271cbbca033f87131dab1e22f.
- Label hsperfdata_root as tmp_t
- Add plymouthd_create_log()
- Dontaudit leaks from openshift domains into mail domains, needs back port to RHEL6
- Allow sssd to request the kernel loads modules
- Allow gpg_agent to use ssh-add
- Allow gpg_agent to use ssh-add
- Dontaudit access check on /root for mysqld_safe_t
- Add glusterd_brick_t files type
- Allow ctdb to getattr on all filesystems
- Allow abrt to stream connect to syslog
- Allow dnsmasq to list dnsmasq.d directory
- Watchdog opens the raw socket
- Allow watchdog to read network state info
- Dontaudit access check on lvm lock dir
- Allow sosreport to send signull to setroubleshootd
- Add setroubleshoot_signull() interface
- Fix ldap_read_certs() interface
- Allow sosreport all signal perms
- Allow sosreport to run systemctl
- Allow sosreport to dbus chat with rpm
- Allow zabbix_agentd to read all domain state
- Allow sblim_sfcbd_t to read from /dev/random and /dev/urandom
- Allow smoltclient to execute ldconfig
- Allow sosreport to request the kernel to load a module
- Clean up rtas.if
- Clean up docker.if
- drop /var/lib/glpi/files labeling in cron.fc
- Added new policy for rasdaemon
2013-11-26 11:42:42 +01:00
Miroslav Grepl
3abf0519c2 * Mon Nov 18 2013 Miroslav Grepl<mgrepl@redhat.com> 3.13.1-5
- Add back /dev/shm labeling
2013-11-18 16:59:45 +01:00
Miroslav Grepl
d20212ac4f * Mon Nov 18 2013 Miroslav Grepl<mgrepl@redhat.com> 3.13.1-4
- Fix gnome_role_template() interface
2013-11-18 15:25:06 +01:00
Miroslav Grepl
4fc70e284d - Add policy-rawhide-contrib-apache-content.patch to re-write apache_content_template() by dwalsh 2013-11-14 22:05:22 +01:00
Dan Walsh
164fa392ee Fix config.tgz to include lxc_contexts and systemd_contexts 2013-11-14 11:05:22 -05:00
Miroslav Grepl
269ef098f1 * Wed Nov 13 2013 Miroslav Grepl <mgrepl@redhat.com> 3.13.1-1
- Update to upstream
2013-11-13 16:05:06 +01:00
Miroslav Grepl
0f9b0de389 Upload new upstream sources 2013-11-13 15:27:57 +01:00
Miroslav Grepl
73ec2c3819 - Fix passenger_stream_connect interface
- setroubleshoot_fixit wants to read network state
- Allow procmail_t to connect to dovecot stream sockets
- Allow cimprovagt service providers to read network states
- Add labeling for /var/run/mariadb
- pwauth uses lastlog() to update system's lastlog
- Allow account provider to read login records
- Add support for texlive2013
- More fixes for user config files to make crond_t running in userdomain
- Add back disable/reload/enable permissions for system class
- Fix manage_service_perms macro
- Allow passwd_t to connect to gnome keyring to change password
- Update mls config files to have cronjobs in the user domains
- Remove access checks that systemd does not actually do
2013-11-12 12:26:06 +01:00
Miroslav Grepl
90f92647e0 * Fri Nov 8 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-99
- Add support for yubikey in homedir
- Add support for upd/3052 port
- Allow apcupsd to use PowerChute Network Shutdown
- Allow lsmd to execute various lsmplugins
- Add labeling also for /etc/watchdog\.d, where watchdog scripts are also located
- Update gluster_export_all_rw boolean to allow relabel all base file types
- Allow x86_energy_perf tool to modify the MSR
- Fix /var/lib/dspam/data labeling
2013-11-08 21:39:31 +01:00
Miroslav Grepl
c872e59953 - Add files_relabel_base_file_types() interface
- Allow netlabel-config to read passwd
- update gluster_export_all_rw boolean to allow relabel all base file types caused by lsetxattr()
- Allow x86_energy_perf tool to modify the MSR
- Fix /var/lib/dspam/data labeling
- Allow pegasus to domtrans to mount_t
- Add labeling for unconfined scripts in /usr/libexec/watchdog/scripts
- Add support for unconfined watchdog scripts
- Allow watchdog to manage own log files
2013-11-06 23:12:50 +01:00
Miroslav Grepl
c5e7e5bb30 - Add label only for redhat.repo instead of /etc/yum.repos.d. But probably we will need to switch for the directory.
- Label /etc/yum.repos.d as system_conf_t
- Use sysnet_filetrans_named_content in udev.te instead of generic transition for net_conf_t
- Allow dac_override for sysadm_screen_t
- Allow init_t to read ipsec_conf_t as we had it for initrc_t. Needed by ipsec unit file.
- Allow netlabel-config to read meminfo
- Add interface to allow docker to mounton file_t
- Add new interface to exec unlabeled files
- Allow lvm to use docker semaphores
- Setup transitions for .xsessions-errors.old
- Change labels of files in /var/lib/*/.ssh to transition properly
- Allow staff_t and user_t to look at logs using journalctl
- pluto wants to manage own log file
- Allow pluto running as ipsec_t to create pluto.log
- Fix alias decl in corenetwork.te.in
- Add support for fuse.glusterfs
- Allow dmidecode to read/write /run/lock/subsys/rhsmcertd
- Allow rhsmcertd to manage redhat.repo which is now labeled as system.conf. Allow rhsmcertd to manage all log files.
- Additional access for docker
- Added more rules to sblim policy
- Fix kdumpgui_run_bootloader boolean
- Allow dspam to connect to lmtp port
- Included sfcbd service into sblim policy
- rhsmcertd wants to manage /etc/pki/consumer dir
- Add kdumpgui_run_bootloader boolean
- Add support for /var/cache/watchdog
- Remove virt_domain attribute for virt_qemu_ga_unconfined_t
- Fixes for handling libvirt containers
- Dontaudit attempts by mysql_safe to write content into /
- Dontaudit attempts by system_mail to modify network config
- Allow dspam to bind to lmtp ports
- Add new policy to allow staff_t and user_t to look at logs using journalctl
- Allow apache cgi scripts to list sysfs
- Dontaudit attempts to write/delete user_tmp_t files
2013-11-06 09:11:46 +01:00
Miroslav Grepl
6bf18ad4aa Fix spec file 2013-11-01 19:29:49 +01:00
Miroslav Grepl
18a1acac8d * Fri Oct 1 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-96
- Add missing permission checks for nscd
2013-11-01 19:24:30 +01:00
Dan Walsh
d11521e32b Do remove regardless. Update config.tgz with new labels for virt. 2013-11-01 12:09:39 -04:00
Miroslav Grepl
cd5d972925 scratch build 2013-10-30 20:24:38 +01:00
Miroslav Grepl
d4e55c7b7a Fix spec file to use systemd_context instead of sytemd_context 2013-10-28 12:03:32 +01:00
Miroslav Grepl
bf4990489d - Allow sysadm_t to read login information
- Allow systemd_tmpfiles to setattr on var_log_t directories
- Update Makefile to include systemd_contexts
- Add systemd_contexts
- Add fs_exec_hugetlbfs_files() interface
- Add daemons_enable_cluster_mode boolean
- Fix rsync_filetrans_named_content()
- Add rhcs_read_cluster_pid_files() interface
- Update rhcs.if with additional interfaces from RHEL6
- Fix rhcs_domain_template() to not create run dirs with cluster_var_run_t
- Allow glusterd_t to mounton glusterd_tmp_t
- Allow glusterd to unmount all filesystems
- Allow xenstored to read virt config
- Add label for swift_server.lock and make add filetrans_named_content to make sure content gets created with the correct lab
- Allow mozilla_plugin_t to mmap hugepages as an executable
2013-10-28 10:06:40 +01:00
Miroslav Grepl
4f67cf89e1 Add fix to place sytemd_contexts 2013-10-25 12:59:16 +02:00
Miroslav Grepl
bb6a1f3c7f * Thu Oct 24 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-93
- Add back userdom_security_admin_template() interface and use it for sysadm_t if sysadm_secadm.pp
2013-10-24 11:31:47 +02:00
Miroslav Grepl
2d3bd44103 - Allow sshd_t to read openshift content, needs backport to RHEL6.5
- Label /usr/lib64/sasl2/libsasldb.so.3.0.0 as textrel_shlib_t
- Make sure kdump lock is created with correct label if kdumpctl is executed
- gnome interface calls should always be made within an optional_block
- Allow syslogd_t to connect to the syslog_tls port
- Add labeling for /var/run/charon.ctl socket
- Add kdump_filetrans_named_content()
- Allow setpgid for fenced_t
- Allow setpgid and r/w cluster tmpfs for fenced_t
- gnome calls should always be within optional blocks
- wicd.pid should be labeled as networkmanager_var_run_t
- Allow sys_resource for lldpad
2013-10-22 12:08:40 +02:00
Miroslav Grepl
71bb644a3b Add rtas policy 2013-10-17 14:57:23 +02:00
Miroslav Grepl
37ab076306 - Allow mailserver_domains to manage and transition to mailman data
- Dontaudit attempts by mozilla plugin to relabel content, caused by using mv
- Allow mailserver_domains to manage and transition to mailman data
- Allow svirt_domains to read sysctl_net_t
- Allow thumb_t to use tmpfs inherited from the user
- Allow mozilla_plugin to bind to the vnc port if running with spice
- Add new attribute to discover confined_admins and assign confined admin to
- Fix zabbix to handle attributes in interfaces
- Fix zabbix to read system states for all zabbix domains
- Fix piranha_domain_template()
- Allow ctdbd to create udp_socket. Allow nmbd to access ctdbd var files.
- Allow lldpad sys_resource cap due to #986870
- Allow dovecot-auth to read nologin
- Allow openlmi-networking to read /proc/net/dev
- Allow smsd_t to execute scripts created on the fly labeled as smsd_spool_t
- Add zabbix_domain attribute for zabbix domains to treat them together
- Add labels for zabbix-proxy-* (#1018221)
- Update openlmi-storage policy to reflect #1015067
- Back port piranha tmpfs fixes from RHEL6
- Update httpd_can_sendmail boolean to allow read/write postfix spool maildro
- Add postfix_rw_spool_maildrop_files interface
- Call new userdom_admin_user_template() also for sysadm_secadm.pp
- Fix typo in userdom_admin_user_template()
- Allow SELinux users to create coolkeypk11sE-Gate in /var/cache/coolkey
- Add new attribute to discover confined_admins
- Fix labeling for /etc/strongswan/ipsec.d
- systemd_logind seems to pass fd to anyone who dbus communicates with it
- Dontaudit leaked write descriptor to dmesg
2013-10-17 08:30:35 +02:00
Miroslav Grepl
99c451355a - Fix gnome_read_generic_data_home_files()
- allow openshift_cgroup_t to read/write inherited openshift file types
- Remove httpd_cobbler_content * from cobbler_admin interface
- Allow svirt sandbox domains to setattr on chr_file and blk_file svirt_sandbox_file_t, so sshd
- Allow httpd_t to read also git sys content symlinks
- Allow init_t to read gnome home data
- Dontaudit setroubleshoot_fixit_t execmem, since it does not seem to really need it.
- Allow virsh to execute systemctl
- Fix for nagios_services plugins
- add type definition for ctdbd_var_t
- Add support for /var/ctdb. Allow ctdb block_suspend and read /etc/passwd file
- Allow net_admin/netlink_socket all hyperv_domain domains
- Add labeling for zarafa-search.log and zarafa-search.pid
- Fix hypervkvp.te
- Fix nscd_shm_use()
- Add initial policy for /usr/sbin/hypervvssd in hypervkvp policy which should be renamed to hy
- Add hypervkvp_unit_file_t type
- Fix logging policy
- Allow syslog to bind to tls ports
- Update labeling for /dev/cdc-wdm
- Allow to su_domain to read init states
- Allow init_t to read gnome home data
- Make sure if systemd_logind creates nologin file with the correct label
- Clean up ipsec.te
2013-10-14 08:46:37 +02:00
Dan Walsh
973ebb8068 Need to create the policy.kern symbolic link in the shipping policy.
This patch needs to be pushed into RHEL7.  It fixes a blocker bug.
2013-10-11 16:07:22 -04:00
Miroslav Grepl
ce98dfd270 - Add auth_exec_chkpwd interface
- Fix port definition for ctdb ports
- Allow systemd domains to read /dev/urand
- Dontaudit attempts for mozilla_plugin to append to /dev/random
- Add label for /var/run/charon.*
- Add labeling for /usr/lib/systemd/system/lvm2.*dd policy for motion servi
- Fix for nagios_services plugins
- Fix some bugs in zoneminder policy
- add type definition for ctdbd_var_t
- Add support for /var/ctdb. Allow ctdb block_suspend and read /etc/passwd
- Allow net_admin/netlink_socket all hyperv_domain domains
- Add labeling for zarafa-search.log and zarafa-search.pid
- glusterd binds to random unreserved ports
- Additional allow rules found by testing glusterfs
- apcupsd needs to send a message to all users on the system so needs to lo
- Fix the label on ~/.juniper_networks
- Dontaudit attempts for mozilla_plugin to append to /dev/random
- Allow polipo_daemon to connect to flash ports
- Allow gssproxy_t to create replay caches
- Fix nscd_shm_use()
- Add initial policy for /usr/sbin/hypervvssd in hypervkvp policy which sho
- Add hypervkvp_unit_file_t type
2013-10-08 23:19:39 +02:00
Miroslav Grepl
17233e7dc0 - init reload from systemd_localed_t
- Allow domains that communicate with systemd_logind_sessions to use systemd_logind_t fd
- Allow systemd_localed_t to ask systemd to reload the locale.
- Add systemd_runtime_unit_file_t type for unit files that systemd creates in memory
- Allow readahead to read /dev/urand
- Fix lots of avcs about tuned
- Any file names xenstored in /var/log should be treated as xenstored_var_log_t
- Allow tuned to interact with hugepages
- Allow condor domains to list etc rw dirs
2013-10-04 20:24:18 +02:00
Miroslav Grepl
7a5c555024 Fix spec file 2013-10-04 00:25:11 +02:00