In the 9613e80506e7ffa37e9b150f2a3f8641dd7c26ea selinux-policy commit,
the type of nvme device files has changed from nvme_device_t to
fixed_disk_device_t.
This cannot currently be resolved in specfile selinux macros as fixfiles
excludes /dev entries. For files in /dev with changed context, restorecon
needs to be run explicitly to restore the context.
This is a temporary workaround till April 2021 when the updated policy
can be considered spread enough.
- Allow unconfined integrity lockdown permission
- Relocate confidentiality lockdown rule from unconfined_domain_type to unconfined
- Allow systemd-machined manage systemd-userdbd runtime sockets
- Enable systemd-sysctl domtrans for udev
- Introduce kernel_load_unsigned_module interface and use it for couple domains
- Allow gpg watch user gpg secrets dirs
- Build also the container module in CI
- Remove duplicate code from kernel.te
- Allow restorecond to watch all non-auth directories
- Allow restorecond to watch its config file
- Allow userdomain watch various filesystem objects
- Allow systemd-logind and systemd-sleep integrity lockdown permission
- Allow unconfined_t and kprop_t to create krb5_0.rcache2 with the right context
- Allow pulseaudio watch devices and systemd-logind session dirs
- Allow abrt-dump-journal-* watch generic log dirs and /run/log/journal dir
- Remove duplicate files_mounton_etc(init_t) call
- Add watch permissions to manage_* object permissions sets
- Allow journalctl watch generic log dirs and /run/log/journal dir
- Label /etc/resolv.conf as net_conf_t even when it's a symlink
- Allow SSSD to watch /var/run/NetworkManager
- Allow dnsmasq_t to watch /etc
- Remove unnecessary lines from the new watch interfaces
- Fix docstring for init_watch_dir()
- Allow xdm watch its private lib dirs, /etc, /usr
- Allow lockdown confidentiality for domains using perf_event
- define lockdown class and access
- Add perfmon capability for all domains using perf_event
- Allow ptp4l_t bpf capability to run bpf programs
- Revert "Allow ptp4l_t sys_admin capability to run bpf programs"
- access_vectors: Add new capabilities to cap2
- Allow systemd and systemd-resolved watch dbus pid objects
- Add new watch interfaces in the base and userdomain policy
- Add watch permissions for contrib packages
- Allow xdm watch /usr directories
- Allow getty watch its private runtime files
- Add watch permissions for nscd and sssd
- Add watch permissions for firewalld and NetworkManager
- Add watch permissions for syslogd
- Add watch permissions for systemd services
- Allow restorecond watch /etc dirs
- Add watch permissions for user domain types
- Add watch permissions for init
- Add basic watch interfaces for systemd
- Add basic watch interfaces to the base module
- Add additional watch object permissions sets and patterns
- Allow init_t to watch localization symlinks
- Allow init_t to watch mount directories
- Allow init_t to watch cgroup files
- Add basic watch patterns
- Add new watch* permissions
- Update .copr/make-srpm.sh to use rawhide as DISTGIT_BRANCH
- Dontaudit setsched for rndc
- Allow systemd-logind destroy entries in message queue
- Add userdom_destroy_unpriv_user_msgq() interface
- ci: Install build dependencies from koji
- Dontaudit vhostmd to write in /var/lib/rpm/ dir and allow signull rpm
- Add new cmadmin port for bfdd dameon
- virtiofs supports Xattrs and SELinux
- Allow domain write to systemd-resolved PID socket files
- Label /var/run/pcsd-ruby.socket socket with cluster_var_run_t type
- Allow rhsmcertd_t domain transition to kpatch_t
- Revert "Add kpatch_exec() interface"
- Revert "Allow rhsmcertd execute kpatch"
- Allow openvswitch create and use xfrm netlink sockets
- Allow openvswitch_t perf_event write permission
- Add kpatch_exec() interface
- Allow rhsmcertd execute kpatch
- Adds rule to allow glusterd to access RDMA socket
- radius: Lexical sort of service-specific corenet rules by service name
- VQP: Include IANA-assigned TCP/1589
- radius: Allow binding to the VQP port (VMPS)
- radius: Allow binding to the BDF Control and Echo ports
- radius: Allow binding to the DHCP client port
- radius: Allow net_raw; allow binding to the DHCP server ports
- Add rsync_sys_admin tunable to allow rsync sys_admin capability
- Allow staff_u run pam_console_apply
- Allow openvswitch_t perf_event open permission
- Allow sysadm read and write /dev/rfkill
- Allow certmonger fsetid capability
- Allow domain read usermodehelper state information
In the src.fedoraproject.org/rpms/selinux-policy packages repository,
the default branch name has changed to "rawhide", with a symref (link)
of "main". The make-rhat-patches.sh file was updated to use "rawhide"
in the DISTGIT_BRANCH variable instead of "master".
The rpm-verify command reports changes for packaged files in the active
store (/var/lib/selinux) which are changed on the selinux-policy-*
packages updates. In order to pass the rpm verification process, the
specfile option %verify(not md5 size mtime) for each of the affected
files will prevent from reporting a failure in any of the rpm-verify
subtests:
- S file Size differs
- 5 digest (formerly MD5 sum) differs
- T mTime differs
- Label /dev/isst_interface as cpu_device_t
- Dontaudit firewalld dac_override capability
- Allow ipsec set the context of a SPD entry to the default context
- Build binary RPMs in CI
- Add SRPM build scripts for COPR
The directory will be created automatically by the install commands, so
no need to create it manually.
Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
There is no file actually created at that location during build, so the
command can be safely removed. Verified by removing the '-f' and
observing the build fail (file does not exist).
Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
We can install the permissivedomains.cil module directly, no need to
copy it to %{buildroot} first.
Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
- Allow systemd-logind manage init's pid files
- Allow tcsd the setgid capability
- Allow systemd-resolved manage its private runtime symlinks
- Update systemd_resolved_read_pid() to also read symlinks
- Update systemd-sleep policy
- Add groupadd_t fowner capability
- Migrate to GitHub Actions
- Update README.md to reflect the state after contrib and base merge
- Add README.md announcing merging of selinux-policy and selinux-policy-contrib
- Adapt .travis.yml to contrib merge
- Merge contrib into the main repo
- Prepare to merge contrib repo
- Move stuff around to match the main repo
The "rawhide" branch of selinux-policy and selinux-policy-contrib is
about to be merged together. Update dist-git for this, so that the next
build can be performed with the new repo structure.
Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
- Allow varnish map its private tmp files
- Allow dovecot bind to smtp ports
- Change fetchmail temporary files path to /var/spool/mail
- Allow cups_pdf_t domain to communicate with unix_dgram_socket
- Set file context for symlinks in /etc/httpd to etc_t
- Allow rpmdb rw access to inherited console, ttys, and ptys
- Allow dnsmasq read public files
- Announce merging of selinux-policy and selinux-policy-contrib
- Label /etc/resolv.conf as net_conf_t only if it is a plain file
- Fix range for unreserved ports
- Add files_search_non_security_dirs() interface
- Introduce logging_syslogd_append_public_content tunable
- Add miscfiles_append_public_files() interface
- Set correct default file context for /usr/libexec/pcp/lib/*
- Introduce rpmdb_t type
- Allow slapd manage files/dirs in ldap certificates directory
- Revert "Allow certmonger add new entries in a generic certificates directory"
- Allow certmonger add new entries in a generic certificates directory
- Allow slapd add new entries in ldap certificates directory
- Remove retired PCP pmwebd and pmmgr daemons (since 5.0)
- Let keepalived bind a raw socket
- Add default file context for /usr/libexec/pcp/lib/*
- squid: Allow net_raw capability when squid_use_tproxy is enabled
- systemd: allow networkd to check namespaces
- Add ability to read init_var_run_t where fs_read_efivarfs_files is allowed
- Allow resolved to created varlink sockets and the domain to talk to it
- selinux: tweak selinux_get_enforce_mode() to allow status page to be used
- systemd: allow all systemd services to check selinux status
- Set default file context for /var/lib/ipsec/nss
- Allow user domains transition to rpmdb_t
- Revert "Add miscfiles_add_entry_generic_cert_dirs() interface"
- Revert "Add miscfiles_create_generic_cert_dirs() interface"
- Update miscfiles_manage_all_certs() to include managing directories
- Add miscfiles_create_generic_cert_dirs() interface
- Add miscfiles_add_entry_generic_cert_dirs() interface
- Revert "Label /var/run/zincati/public/motd.d/* as motd_var_run_t"
Replace individual entries for each snapshot with a common pattern rule
and remove obsolete entries.
Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
- rpc.fc: Include /etc/exports.d dir & files
- Create chronyd_pid_filetrans() interface
- Change invalid type redisd_t to redis_t in redis_stream_connect()
- Revert "Removed adding to attribute unpriv_userdomain from userdom_unpriv_type template"
- Allow init dbus chat with kernel
- Allow initrc_t create /run/chronyd-dhcp directory with a transition
- Drop gcc from dependencies in Travis CI
- fc_sort.py: Use "==" for comparing integers.
- re-implement fc_sort in python
- Remove invalid file context line
- Drop git from dependencies in Travis CI
This commit puts back changes in selinux-policy.spec brought by the
"Ensure targeted policy is installed by default" commit, inadvertently
reverted as a result of resolving a merge conflict.
When installing [a package requiring] selinux-policy/-base/
rpm-plugin-selinux, selinux-policy-minimum is always chosen (based on
alphabetical order). This is not desirable and we'd like -targeted to be
picked as the default choice.
Since selinux-policy and selinux-policy-base are glued together because
of rpm-plugins-selinux, just have selinu-policy provide
selinux-policy-base, use a new metapackage selinux-policy-any to
represent "any of -targeted, -mls, or -minimum", and have selinux-policy
require -any.
Then adding "Suggests: selinux-policy-targeted" to selinux-policy has
the effect that -targeted is picked by default when any of
selinux-policy/-base/rpm-plugin-selinux is installed via "dnf install"
on a clean system.
This patch combines the ideas of Petr Lautrbach, Vit Mojzis, and myself.
Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
The selinux-policy repos are quite big - use --depth=1 to fetch only the
latest commit of the requested branch, to save network traffic and time.
A possible downside of this is that one can no longer pass a commit ID
via REPO_SELINUX_POLICY_*BRANCH, but that's unlikely to be useful in
practice.
Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
It's better to use the standard /tmp, since it commonly has tmpfs
mounted over it, which avoids unnecessary disk I/O. Let's make our SSDs
slightly happier :)
Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
- Allow chronyd_t to accept and make NTS-KE connections
- Allow domain write to an automount unnamed pipe
- Label /var/run/zincati/public/motd.d/* as motd_var_run_t
- Allow login programs to (only) read MOTD files and symlinks
- Relabel /usr/sbin/charon-systemd as ipsec_exec_t
- Confine systemd-sleep service
- Add fstools_rw_swap_files() interface
- Label 4460/tcp port as ntske_port_t
- Add lvm_dbus_send_msg(), lvm_rw_var_run() interfaces
- Allow openvswitch fowner capability and create netlink sockets
- Allow additional permissions for gnome-initial-setup
- Add to map non_security_files to the userdom_admin_user_template template
- kernel/filesystem: Add exfat support (no extended attributes)
- Bump version as Fedora 33 has been branched
- Allow php-fpm write access to /var/run/redis/redis.sock
- Allow journalctl to read and write to inherited user domain tty
- Update rkt policy to allow rkt_t domain to read sysfs filesystem
- Allow arpwatch create and use rdma socket
- Allow plymouth sys_chroot capability
- Allow gnome-initial-setup execute in a xdm sandbox
- Add new devices and filesystem interfaces
- Allow certmonger fowner capability
- The nfsdcld service is now confined by SELinux
- Change transitions for ~/.config/Yubico
- Allow all users to connect to systemd-userdbd with a unix socket
- Add file context for ~/.config/Yubico
- Allow syslogd_t domain to read/write tmpfs systemd-bootchart files
- Allow login_pgm attribute to get attributes in proc_t
- Allow passwd to get attributes in proc_t
- Revert "Allow passwd to get attributes in proc_t"
- Revert "Allow login_pgm attribute to get attributes in proc_t"
- Allow login_pgm attribute to get attributes in proc_t
- Allow passwd to get attributes in proc_t
- Allow traceroute_t and ping_t to bind generic nodes.
- Create macro corenet_icmp_bind_generic_node()
- Allow unconfined_t to node_bind icmp_sockets in node_t domain
In order to minimize possible damage on composes we need to be sure that a
system can boot and it doesn't generate any AVC denial.
This test reboots a machine and collects AVC, USER_AVC and SELINUX_ERR audit
messages into avc.log file which is propagated as test artifact.
- Revert "Add support for /sys/fs/kdbus and allow login_pgm domain to access it."
- Revert "Add interface to allow types to associate with cgroup filesystems"
- Revert "kdbusfs should not be accessible for now."
- Revert "kdbusfs should not be accessible for now by default for shipped policies. It should be moved to kdbus.pp"
- Revert "Add kdbus.pp policy to allow access /sys/fs/kdbus. It needs to go with own module because this is workaround for now to avoid SELinux in enforcing mode."
- Remove the legacy kdbus module
- Remove "kdbus = module" from modules-targeted-base.conf