Commit Graph

6091 Commits

Author SHA1 Message Date
Zdenek Pytela
c7794d90ee Relabel /dev/nvme* explicitly
In the 9613e80506e7ffa37e9b150f2a3f8641dd7c26ea selinux-policy commit,
the type of nvme device files has changed from nvme_device_t to
fixed_disk_device_t.

This cannot currently be resolved in specfile selinux macros as fixfiles
excludes /dev entries. For files in /dev with changed context, restorecon
needs to be run explicitly to restore the context.

This is a temporary workaround till April 2021 when the updated policy
can be considered spread enough.
2021-03-01 11:50:07 +01:00
Zdenek Pytela
2faa5c2293 * Wed Feb 24 2021 Zdenek Pytela <zpytela@redhat.com> - 3.14.8-4
- iptables.fc: Add missing legacy entries
- iptables.fc: Remove some duplicate entries
- iptables.fc: Remove duplicate file context entries
- Allow libvirtd to create generic netlink sockets
- Allow libvirtd the fsetid capability
- Allow libvirtd to read /run/utmp
- Dontaudit sys_ptrace capability when calling systemctl
- Allow udisksd to read /dev/random
- Allow udisksd to watch files under /run/mount
- Allow udisksd to watch /etc
- Allow crond to watch user_cron_spool_t directories
- Allow accountsd watch xdm config directories
- Label /etc/avahi with avahi_conf_t
- Allow sssd get cgroup filesystems attributes and search cgroup dirs
- Allow systemd-hostnamed read udev runtime data
- Remove dev_getattr_sysfs_fs() interface calls for particular domains
- Allow domain stat the /sys filesystem
- Dontaudit NetworkManager write to initrc_tmp_t pipes
- policykit.te: Clean up watch rule for policykit_auth_t
- Revert further unnecessary watch rules
- Revert "Allow getty watch its private runtime files"
- Allow systemd watch generic /var directories
- Allow init watch network config files and lnk_files
- Allow systemd-sleep get attributes of fixed disk device nodes
- Complete initial policy for systemd-coredump
- Label SDC(scini) Dell Driver
- Allow upowerd to send syslog messages
- Remove the disk write permissions from tlp_t
- Label NVMe devices as fixed_disk_device_t
- Allow rhsmcertd bind tcp sockets to a generic node
- Allow systemd-importd manage machines.lock file
2021-02-24 10:14:28 +01:00
Zdenek Pytela
aa1f535cb2 * Tue Feb 16 2021 Zdenek Pytela <zpytela@redhat.com> - 3.14.8-3
- Allow unconfined integrity lockdown permission
- Relocate confidentiality lockdown rule from unconfined_domain_type to unconfined
- Allow systemd-machined manage systemd-userdbd runtime sockets
- Enable systemd-sysctl domtrans for udev
- Introduce kernel_load_unsigned_module interface and use it for couple domains
- Allow gpg watch user gpg secrets dirs
- Build also the container module in CI
- Remove duplicate code from kernel.te
- Allow restorecond to watch all non-auth directories
- Allow restorecond to watch its config file
2021-02-16 22:47:33 +01:00
Zdenek Pytela
15dc304d75 * Mon Feb 15 2021 Zdenek Pytela <zpytela@redhat.com> - 3.14.8-2
- Allow userdomain watch various filesystem objects
- Allow systemd-logind and systemd-sleep integrity lockdown permission
- Allow unconfined_t and kprop_t to create krb5_0.rcache2 with the right context
- Allow pulseaudio watch devices and systemd-logind session dirs
- Allow abrt-dump-journal-* watch generic log dirs and /run/log/journal dir
- Remove duplicate files_mounton_etc(init_t) call
- Add watch permissions to manage_* object permissions sets
- Allow journalctl watch generic log dirs and /run/log/journal dir
- Label /etc/resolv.conf as net_conf_t even when it's a symlink
- Allow SSSD to watch /var/run/NetworkManager
- Allow dnsmasq_t to watch /etc
- Remove unnecessary lines from the new watch interfaces
- Fix docstring for init_watch_dir()
- Allow xdm watch its private lib dirs, /etc, /usr
2021-02-15 20:38:28 +01:00
Zdenek Pytela
d558c4f1c7 * Thu Feb 11 2021 Zdenek Pytela <zpytela@redhat.com> - 3.14.8-1
- Bump version as Fedora 34 has been branched off rawhide
- Allow xdm watch its private lib dirs, /etc, /usr
- Allow systemd-importd create /run/systemd/machines.lock file
- Allow rhsmcertd_t read kpatch lib files
- Add integrity lockdown permission into dev_read_raw_memory()
- Add confidentiality lockdown permission into fs_rw_tracefs_files()
- Allow gpsd read and write ptp4l_t shared memory.
- Allow colord watch its private lib files and /usr
- Allow init watch_reads mount PID files
- Allow IPsec and Certmonger to use opencryptoki services
2021-02-11 22:08:31 +01:00
Zdenek Pytela
c7e90bc196 * Sun Feb 07 2021 Zdenek Pytela <zpytela@redhat.com> - 3.14.7-18
- Allow lockdown confidentiality for domains using perf_event
- define lockdown class and access
- Add perfmon capability for all domains using perf_event
- Allow ptp4l_t bpf capability to run bpf programs
- Revert "Allow ptp4l_t sys_admin capability to run bpf programs"
- access_vectors: Add new capabilities to cap2
- Allow systemd and systemd-resolved watch dbus pid objects
- Add new watch interfaces in the base and userdomain policy
- Add watch permissions for contrib packages
- Allow xdm watch /usr directories
- Allow getty watch its private runtime files
- Add watch permissions for nscd and sssd
- Add watch permissions for firewalld and NetworkManager
- Add watch permissions for syslogd
- Add watch permissions for systemd services
- Allow restorecond watch /etc dirs
- Add watch permissions for user domain types
- Add watch permissions for init
- Add basic watch interfaces for systemd
- Add basic watch interfaces to the base module
- Add additional watch object permissions sets and patterns
- Allow init_t to watch localization symlinks
- Allow init_t to watch mount directories
- Allow init_t to watch cgroup files
- Add basic watch patterns
- Add new watch* permissions
2021-02-08 21:24:07 +01:00
Zdenek Pytela
c2d5ebb406 * Fri Feb 05 2021 Zdenek Pytela <zpytela@redhat.com> - 3.14.7-17
- Update .copr/make-srpm.sh to use rawhide as DISTGIT_BRANCH
- Dontaudit setsched for rndc
- Allow systemd-logind destroy entries in message queue
- Add userdom_destroy_unpriv_user_msgq() interface
- ci: Install build dependencies from koji
- Dontaudit vhostmd to write in /var/lib/rpm/ dir and allow signull rpm
- Add new cmadmin port for bfdd dameon
- virtiofs supports Xattrs and SELinux
- Allow domain write to systemd-resolved PID socket files
- Label /var/run/pcsd-ruby.socket       socket with cluster_var_run_t type
- Allow rhsmcertd_t domain transition to kpatch_t
- Revert "Add kpatch_exec() interface"
- Revert "Allow rhsmcertd execute kpatch"
- Allow openvswitch create and use xfrm netlink sockets
- Allow openvswitch_t perf_event write permission
- Add kpatch_exec() interface
- Allow rhsmcertd execute kpatch
- Adds rule to allow glusterd to access RDMA socket
- radius: Lexical sort of service-specific corenet rules by service name
- VQP: Include IANA-assigned TCP/1589
- radius: Allow binding to the VQP port (VMPS)
- radius: Allow binding to the BDF Control and Echo ports
- radius: Allow binding to the DHCP client port
- radius: Allow net_raw; allow binding to the DHCP server ports
- Add rsync_sys_admin tunable to allow rsync sys_admin capability
- Allow staff_u run pam_console_apply
- Allow openvswitch_t perf_event open permission
- Allow sysadm read and write /dev/rfkill
- Allow certmonger fsetid capability
- Allow domain read usermodehelper state information
2021-02-05 12:51:30 +01:00
Zdenek Pytela
557675f09a Use the rawhide branch instead of master
In the src.fedoraproject.org/rpms/selinux-policy packages repository,
the default branch name has changed to "rawhide", with a symref (link)
of "main". The make-rhat-patches.sh file was updated to use "rawhide"
in the DISTGIT_BRANCH variable instead of "master".
2021-02-04 17:12:07 +01:00
Fedora Release Engineering
b0dd6c6ef6 - Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
Signed-off-by: Fedora Release Engineering <releng@fedoraproject.org>
2021-01-27 20:11:38 +00:00
Petr Lautrbach
f38b38e51e Rebuild with SELinux userspace 3.2-rc1 release 2021-01-22 10:34:08 +01:00
Zdenek Pytela
4f8342e8c3 Add /var/mnt equivalency to /mnt
On Fedora Silverblue, /mnt is a symlink to /var/mnt.
2021-01-22 10:32:59 +01:00
Zdenek Pytela
ce671c04d8 Update specfile to not verify md5/size/mtime for active store files
The rpm-verify command reports changes for packaged files in the active
store (/var/lib/selinux) which are changed on the selinux-policy-*
packages updates. In order to pass the rpm verification process, the
specfile option %verify(not md5 size mtime) for each of the affected
files will prevent from reporting a failure in any of the rpm-verify
subtests:
- S file Size differs
- 5 digest (formerly MD5 sum) differs
- T mTime differs
2021-01-15 19:49:38 +01:00
Zdenek Pytela
d76e0b4040 * Fri Jan 8 18:41:06 CET 2021 Zdenek Pytela <zpytela@redhat.com> - 3.14.7-14
- Allow domain read usermodehelper state information
- Remove all kernel_read_usermodehelper_state() interface calls
- .copr: improve timestamp format
- Allow wireshark create and use rdma socket
- Allow domain stat /proc filesystem
- Remove all kernel_getattr_proc() interface calls
- Revert "Allow passwd to get attributes in proc_t"
- Revert "Allow dovecot_auth_t stat /proc filesystem"
- Revert "Allow sssd, unix_chkpwd, groupadd stat /proc filesystem"
- Allow sssd read /run/systemd directory
- Label /dev/vhost-vdpa-[0-9]+ as vhost_device_t
2021-01-08 18:44:14 +01:00
Zdenek Pytela
d5b79a1cb7 * Thu Dec 17 20:07:23 CET 2020 Zdenek Pytela <zpytela@redhat.com> - 3.14.7-13
- Label /dev/isst_interface as cpu_device_t
- Dontaudit firewalld dac_override capability
- Allow ipsec set the context of a SPD entry to the default context
- Build binary RPMs in CI
- Add SRPM build scripts for COPR
2020-12-17 20:11:46 +01:00
Ondrej Mosnacek
533a2f186e Remove useless mkdir command from minimum build
The directory will be created automatically by the install commands, so
no need to create it manually.

Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
2020-12-15 21:29:57 +00:00
Ondrej Mosnacek
ecfabbb8f3 Remove useless rm command from minimum build
There is no file actually created at that location during build, so the
command can be safely removed. Verified by removing the '-f' and
observing the build fail (file does not exist).

Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
2020-12-15 21:29:57 +00:00
Ondrej Mosnacek
167b0505ce Remove unnecessary steps from targeted policy build
We can install the permissivedomains.cil module directly, no need to
copy it to %{buildroot} first.

Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
2020-12-15 21:29:57 +00:00
Zdenek Pytela
fa72125856 * Tue Dec 15 16:24:44 CET 2020 Zdenek Pytela <zpytela@redhat.com> - 3.14.7-12
- Allow dovecot_auth_t stat /proc filesystem
- Allow sysadm_u user and unconfined_domain_type manage perf_events
- Allow pcp-pmcd manage perf_events
- Add manage_perf_event_perms object permissions set
- Add perf_event access vectors.
- Allow sssd, unix_chkpwd, groupadd stat /proc filesystem
- Allow stub-resolv.conf to be a symlink
- sysnetwork.if: avoid directly referencing systemd_resolved_var_run_t
- Create the systemd_dbus_chat_resolved() compatibility interface
- Allow nsswitch-domain write to systemd-resolved PID socket files
- Add systemd_resolved_write_pid_sock_files() interface
- Add default file context for "/var/run/chrony-dhcp(/.*)?"
- Allow timedatex dbus chat with cron system domain
- Add cron_dbus_chat_system_job() interface
- Allow systemd-logind manage init's pid files
2020-12-15 16:31:51 +01:00
Petr Lautrbach
0f3b08d5d1 Add make to BuildRequires
See https://fedoraproject.org/wiki/Changes/Remove_make_from_BuildRoot
2020-12-14 12:15:28 +01:00
Zdenek Pytela
8d02847dad * Wed Dec 9 15:39:03 CET 2020 Zdenek Pytela <zpytela@redhat.com> - 3.14.7-11
- Allow systemd-logind manage init's pid files
- Allow tcsd the setgid capability
- Allow systemd-resolved manage its private runtime symlinks
- Update systemd_resolved_read_pid() to also read symlinks
- Update systemd-sleep policy
- Add groupadd_t fowner capability
- Migrate to GitHub Actions
- Update README.md to reflect the state after contrib and base merge
- Add README.md announcing merging of selinux-policy and selinux-policy-contrib
- Adapt .travis.yml to contrib merge
- Merge contrib into the main repo
- Prepare to merge contrib repo
- Move stuff around to match the main repo
2020-12-09 15:42:48 +01:00
Ondrej Mosnacek
58fb34f371 Fix typos and grammar in README
Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
2020-12-02 09:41:43 +01:00
Zdenek Pytela
e94a380d32 * Thu Nov 26 2020 Zdenek Pytela <zpytela@redhat.com> - 3.14.7-10
- Allow Xephyr connect to 6000/tcp port and open user ptys
- Allow kexec manage generic tmp files
- Update targetd nfs & lvm
- Add interface rpc_manage_exports
- Merge selinux-policy and selinux-policy-contrib repos
2020-11-26 19:32:31 +01:00
Ondrej Mosnacek
54876665ae Adapt specfile, make-rhat-patches, and README to contrib merge
The "rawhide" branch of selinux-policy and selinux-policy-contrib is
about to be merged together. Update dist-git for this, so that the next
build can be performed with the new repo structure.

Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
2020-11-26 18:32:41 +01:00
Ondrej Mosnacek
aebc05fc19 Reword and clean up the README
Fix grammar, reword misleading statements, add some missing information,
and fix fromatting.

Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
2020-11-25 19:27:11 +01:00
Zdenek Pytela
595a6449f5 * Tue Nov 24 2020 Zdenek Pytela <zpytela@redhat.com> - 3.14.7-9
- Allow varnish map its private tmp files
- Allow dovecot bind to smtp ports
- Change fetchmail temporary files path to /var/spool/mail
- Allow cups_pdf_t domain to communicate with unix_dgram_socket
- Set file context for symlinks in /etc/httpd to etc_t
- Allow rpmdb rw access to inherited console, ttys, and ptys
- Allow dnsmasq read public files
- Announce merging of selinux-policy and selinux-policy-contrib
- Label /etc/resolv.conf as net_conf_t only if it is a plain file
- Fix range for unreserved ports
- Add files_search_non_security_dirs() interface
- Introduce logging_syslogd_append_public_content tunable
- Add miscfiles_append_public_files() interface
2020-11-24 19:47:48 +01:00
Zdenek Pytela
05fb517c90 * Fri Nov 13 2020 Zdenek Pytela <zpytela@redhat.com> - 3.14.7-8
- Set correct default file context for /usr/libexec/pcp/lib/*
- Introduce rpmdb_t type
- Allow slapd manage files/dirs in ldap certificates directory
- Revert "Allow certmonger add new entries in a generic certificates directory"
- Allow certmonger add new entries in a generic certificates directory
- Allow slapd add new entries in ldap certificates directory
- Remove retired PCP pmwebd and pmmgr daemons (since 5.0)
- Let keepalived bind a raw socket
- Add default file context for /usr/libexec/pcp/lib/*
- squid: Allow net_raw capability when squid_use_tproxy is enabled
- systemd: allow networkd to check namespaces
- Add ability to read init_var_run_t where fs_read_efivarfs_files is allowed
- Allow resolved to created varlink sockets and the domain to talk to it
- selinux: tweak selinux_get_enforce_mode() to allow status page to be used
- systemd: allow all systemd services to check selinux status
- Set default file context for /var/lib/ipsec/nss
- Allow user domains transition to rpmdb_t
- Revert "Add miscfiles_add_entry_generic_cert_dirs() interface"
- Revert "Add miscfiles_create_generic_cert_dirs() interface"
- Update miscfiles_manage_all_certs() to include managing directories
- Add miscfiles_create_generic_cert_dirs() interface
- Add miscfiles_add_entry_generic_cert_dirs() interface
- Revert "Label /var/run/zincati/public/motd.d/* as motd_var_run_t"
2020-11-13 10:13:13 +01:00
Petr Lautrbach
e88945f82a selinux-policy-3.14.7-7
- Rebuild with latest libsepol
- Bump policy version to 33
2020-11-03 17:46:00 +01:00
Ondrej Mosnacek
4adda006ba Clean up .gitignore
Replace individual entries for each snapshot with a common pattern rule
and remove obsolete entries.

Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
2020-11-03 12:25:19 +01:00
Zdenek Pytela
4da7d1152a * Thu Oct 22 2020 Zdenek Pytela <zpytela@redhat.com> - 3.14.7-6
- rpc.fc: Include /etc/exports.d dir & files
- Create chronyd_pid_filetrans() interface
- Change invalid type redisd_t to redis_t in redis_stream_connect()
- Revert "Removed adding to attribute unpriv_userdomain from userdom_unpriv_type template"
- Allow init dbus chat with kernel
- Allow initrc_t create /run/chronyd-dhcp directory with a transition
- Drop gcc from dependencies in Travis CI
- fc_sort.py: Use "==" for comparing integers.
- re-implement fc_sort in python
- Remove invalid file context line
- Drop git from dependencies in Travis CI
2020-10-22 18:12:31 +02:00
Zdenek Pytela
a231488911 Drop the "BuildRequires: gcc" line selinux-policy.spec 2020-10-22 15:29:50 +02:00
Zdenek Pytela
4e04fae030 Replace "Provides: selinux-policy-base" with "Provides: selinux-policy-any"
This commit puts back changes in selinux-policy.spec brought by the
"Ensure targeted policy is installed by default" commit, inadvertently
reverted as a result of resolving a merge conflict.
2020-10-22 15:22:59 +02:00
Vit Mojzis
fe20768333 Remove trailing whitespaces 2020-10-12 10:49:45 +02:00
Zdenek Pytela
e99b0bae28 Change the package summary and description
Change summary and description for the package and all subpackages
to match the current status and to provide more information.
2020-10-12 09:04:28 +02:00
Ondrej Mosnacek
b867d53c38 README is written in markdown - change extension to .md
Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
2020-10-12 06:50:36 +00:00
Ondrej Mosnacek
4d9a7e555f Ensure targeted policy is installed by default
When installing [a package requiring] selinux-policy/-base/
rpm-plugin-selinux, selinux-policy-minimum is always chosen (based on
alphabetical order). This is not desirable and we'd like -targeted to be
picked as the default choice.

Since selinux-policy and selinux-policy-base are glued together because
of rpm-plugins-selinux, just have selinu-policy provide
selinux-policy-base, use a new metapackage selinux-policy-any to
represent "any of -targeted, -mls, or -minimum", and have selinux-policy
require -any.

Then adding "Suggests: selinux-policy-targeted" to selinux-policy has
the effect that -targeted is picked by default when any of
selinux-policy/-base/rpm-plugin-selinux is installed via "dnf install"
on a clean system.

This patch combines the ideas of Petr Lautrbach, Vit Mojzis, and myself.

Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
2020-10-12 06:45:19 +00:00
Ondrej Mosnacek
e042be0581 make-rhat-patches: Use shallow clone
The selinux-policy repos are quite big - use --depth=1 to fetch only the
latest commit of the requested branch, to save network traffic and time.

A possible downside of this is that one can no longer pass a commit ID
via REPO_SELINUX_POLICY_*BRANCH, but that's unlikely to be useful in
practice.

Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
2020-10-12 06:38:28 +00:00
Ondrej Mosnacek
d9d5631b8d make-rhat-patches: Use default tmp directory
It's better to use the standard /tmp, since it commonly has tmpfs
mounted over it, which avoids unnecessary disk I/O. Let's make our SSDs
slightly happier :)

Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
2020-10-12 06:38:28 +00:00
Zdenek Pytela
5772505d0d * Tue Oct 06 2020 Zdenek Pytela <zpytela@redhat.com> - 3.14.7-5
- Remove empty line from rshd.fc
- Allow systemd-logind read swap files
- Add fstools_read_swap_files() interface
- Allow dyntransition from sshd_t to unconfined_t
- Removed adding to attribute unpriv_userdomain from userdom_unpriv_type template
2020-10-06 15:41:07 +02:00
Zdenek Pytela
5a32f59808 * Fri Sep 25 2020 Zdenek Pytela <zpytela@redhat.com> - 3.14.7-4
- Allow chronyd_t to accept and make NTS-KE connections
- Allow domain write to an automount unnamed pipe
- Label /var/run/zincati/public/motd.d/* as motd_var_run_t
- Allow login programs to (only) read MOTD files and symlinks
- Relabel /usr/sbin/charon-systemd as ipsec_exec_t
- Confine systemd-sleep service
- Add fstools_rw_swap_files() interface
- Label 4460/tcp port as ntske_port_t
- Add lvm_dbus_send_msg(), lvm_rw_var_run() interfaces
2020-09-25 19:12:03 +02:00
Ondrej Mosnacek
4cdd6f8332 Update /etc/selinux/config for removal of runtime SELinux disable
This is in preparation for the following Fedora Change:
https://fedoraproject.org/wiki/Changes/Remove_Support_For_SELinux_Runtime_Disable

Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
2020-09-24 14:31:12 +00:00
Zdenek Pytela
4b8bcba2a7 * Mon Sep 21 2020 Zdenek Pytela <zpytela@redhat.com> - 3.14.7-3
- Check out the right -contrib branch in Travis
2020-09-21 13:54:33 +02:00
Zdenek Pytela
2cf6b0aa1d * Fri Sep 18 2020 Zdenek Pytela <zpytela@redhat.com> - 3.14.7-2
- Allow openvswitch fowner capability and create netlink sockets
- Allow additional permissions for gnome-initial-setup
- Add to map non_security_files to the userdom_admin_user_template template
- kernel/filesystem: Add exfat support (no extended attributes)
2020-09-18 16:00:35 +02:00
Zdenek Pytela
129e6fcdd4 * Tue Sep 08 2020 Zdenek Pytela <zpytela@redhat.com> - 3.14.7-1
- Bump version as Fedora 33 has been branched
- Allow php-fpm write access to /var/run/redis/redis.sock
- Allow journalctl to read and write to inherited user domain tty
- Update rkt policy to allow rkt_t domain to read sysfs filesystem
- Allow arpwatch create and use rdma socket
- Allow plymouth sys_chroot capability
- Allow gnome-initial-setup execute in a xdm sandbox
- Add new devices and filesystem interfaces
2020-09-09 15:22:20 +02:00
Zdenek Pytela
491bb86202 * Mon Aug 24 2020 Zdenek Pytela <zpytela@redhat.com> - 3.14.6-25
- Allow certmonger fowner capability
- The nfsdcld service is now confined by SELinux
- Change transitions for ~/.config/Yubico
- Allow all users to connect to systemd-userdbd with a unix socket
- Add file context for ~/.config/Yubico
- Allow syslogd_t domain to read/write tmpfs systemd-bootchart files
- Allow login_pgm attribute to get attributes in proc_t
- Allow passwd to get attributes in proc_t
- Revert "Allow passwd to get attributes in proc_t"
- Revert "Allow login_pgm attribute to get attributes in proc_t"
- Allow login_pgm attribute to get attributes in proc_t
- Allow passwd to get attributes in proc_t
- Allow traceroute_t and ping_t to bind generic nodes.
- Create macro corenet_icmp_bind_generic_node()
- Allow unconfined_t to node_bind icmp_sockets in node_t domain
2020-08-27 08:58:40 +02:00
Petr Lautrbach
74e5e49dca test-reboot.yml: test.log is mandatory, improve results format
According to
https://docs.fedoraproject.org/en-US/ci/standard-test-interface/#_invocation
every test must provide *test.log*.

Improve *results.yml* format.

Drop *avc.err.log* and log everything AVC denial related to *avc.log*
2020-08-27 07:49:02 +02:00
Petr Lautrbach
8c3ddf27e9 Add a basic sanity reboot test collecting AVCs
In order to minimize possible damage on composes we need to be sure that a
system can boot and it doesn't generate any AVC denial.

This test reboots a machine and collects AVC, USER_AVC and SELINUX_ERR audit
messages into avc.log file which is propagated as test artifact.
2020-08-25 12:25:34 +02:00
Zdenek Pytela
8bda530858 * Thu Aug 13 2020 Zdenek Pytela <zpytela@redhat.com> - 3.14.6-24
- Add ipa_helper_noatsecure() interface unconditionally
- Conditionally allow nagios_plugin_domain dbus chat with init
- Revert "Update allow rules set for nrpe_t domain"
- Add ipa_helper_noatsecure() interface to ipa.if
- Label /usr/libexec/qemu-pr-helper with virtd_exec_t
- Allow kadmind manage kerberos host rcache
- Allow nsswitch_domain to connect to systemd-machined using a unix socket
- Define named file transition for sshd on /tmp/krb5_0.rcache2
- Allow systemd-machined create userdbd runtime sock files
- Disable kdbus module before updating
2020-08-13 20:12:50 +02:00
Zdenek Pytela
01e3f0a70d * Mon Aug 03 2020 Zdenek Pytela <zpytela@redhat.com> - 3.14.6-23
- Revert "Add support for /sys/fs/kdbus and allow login_pgm domain to access it."
- Revert "Add interface to allow types to associate with cgroup filesystems"
- Revert "kdbusfs should not be accessible for now."
- Revert "kdbusfs should not be accessible for now by default for shipped policies. It should be moved to kdbus.pp"
- Revert "Add kdbus.pp policy to allow access /sys/fs/kdbus. It needs to go with own module because this is workaround for now to avoid SELinux in enforcing mode."
- Remove the legacy kdbus module
- Remove "kdbus = module" from modules-targeted-base.conf
2020-08-03 13:25:54 +02:00
Zdenek Pytela
8394f612f0 * Thu Jul 30 2020 Zdenek Pytela <zpytela@redhat.com> - 3.14.6-22
- Allow virtlockd only getattr and lock block devices
- Allow qemu-ga read all non security file types conditionally
- Allow virtlockd manage VMs posix file locks
- Allow smbd get attributes of device files labeled samba_share_t
- Label /tmp/krb5_0.rcache2 with krb5_host_rcache_t
- Add a new httpd_can_manage_courier_spool boolean
- Create interface courier_manage_spool_sockets() in courier policy to allow to search dir and allow manage sock files
- Revert "Allow qemu-kvm read and write /dev/mapper/control"
- Revert "Allow qemu read and write /dev/mapper/control"
- Revert "Dontaudit and disallow sys_admin capability for keepalived_t domain"
- Dontaudit pcscd_t setting its process scheduling
- Dontaudit thumb_t setting its process scheduling
- Allow munin domain transition with NoNewPrivileges
- Add dev_lock_all_blk_files() interface
- Allow auditd manage kerberos host rcache files
- Allow systemd-logind dbus chat with fwupd
2020-07-30 18:50:17 +02:00
Fedora Release Engineering
d77690be67 - Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
Signed-off-by: Fedora Release Engineering <releng@fedoraproject.org>
2020-07-29 10:31:23 +00:00