- Improve bluetooth_stream_socket interface to allow caller domain also send bluetooth sockets
- Allow tcpd_t bind on sshd_port_t if ssh_use_tcpd() is enabled
- Allow semanage_t domain mmap usr_t files
- Add new boolean: ssh_use_tcpd()
- Update screen_role_template() to allow also creating sockets in HOMEDIR/screen/
- Allow newrole_t dacoverride capability
- Allow traceroute_t domain to mmap packet sockets
- Allow netutils_t domain to mmap usmmon device
- Allow netutils_t domain to use mmap on packet_sockets
- Allow traceroute to create icmp packets
- Allos sysadm_t domain to create tipc sockets
- Allow confined users to use new socket classes for bluetooth, alg and tcpdiag sockets
- Allow rpcd_t domain dac override
- Allow rpm domain to mmap rpm_var_lib_t files
- Allow arpwatch domain to create bluetooth sockets
- Allow secadm_t domain to mmap audit config and log files
- Update init_abstract_socket_activation() to allow also creating tcp sockets
- getty_t should be ranged in MLS. Then also local_login_t runs as ranged domain.
- Add SELinux support for systemd-importd
- Create new type bpf_t and label /sys/fs/bpf with this type
None of currently supported distributions need that.
Last one was EL5 which is EOL for a while.
Signed-off-by: Igor Gnatenko <ignatenkobrain@fedoraproject.org>
None of currently supported distributions need that.
It was needed last for EL5 which is EOL now
Signed-off-by: Igor Gnatenko <ignatenkobrain@fedoraproject.org>
- rpm: Label /usr/share/rpm usr_t (ostree/Atomic systems)
- Update dbus_role_template() BZ(1536218)
- Allow lldpad_t domain to mmap own tmpfs files BZ(1534119)
- Allow blueman_t dbus chat with policykit_t BZ(1470501)
- Expand virt_read_lib_files() interface to allow list dirs with label virt_var_lib_t BZ(1507110)
- Allow postfix_master_t and postfix_local_t to connect to system dbus. BZ(1530275)
- Allow system_munin_plugin_t domain to read sssd public files and allow stream connect to ssd daemon BZ(1528471)
- Allow rkt_t domain to bind on rkt_port_t tcp BZ(1534636)
- Allow jetty_t domain to mmap own temp files BZ(1534628)
- Allow sslh_t domain to read sssd public files and stream connect to sssd. BZ(1534624)
- Consistently label usr_t for kernel/initrd in /usr
- kernel/files.fc: Label /usr/lib/sysimage as usr_t
- Allow iptables sysctl load list support with SELinux enforced
- Label HOME_DIR/.config/systemd/user/* user unit files as systemd_unit_file_t BZ(1531864)
- Merge pull request #45 from jlebon/pr/rot-sd-dbus-rawhide
- Allow virt_domains to acces infiniband pkeys.
- Allow systemd to relabelfrom tmpfs_t link files in /var/run/systemd/units/ BZ(1535180)
- Label /usr/libexec/ipsec/addconn as ipsec_exec_t to run this script as ipsec_t instead of init_t
- Allow audisp_remote_t domain write to files on all levels
- auth_use_nsswitch() interface cannot be used for attributes fixing munin policy
- Allow git_script_t to mmap git_user_content_t files BZ(1530937)
- Allow certmonger domain to create temp files BZ(1530795)
- Improve interface mock_read_lib_files() to include also symlinks. BZ(1530563)
- Allow fsdaemon_t to read nvme devices BZ(1530018)
- Dontaudit fsdaemon_t to write to admin homedir. BZ(153030)
- Update munin plugin policy BZ(1528471)
- Allow sendmail_t domain to be system dbusd client BZ(1478735)
- Allow amanda_t domain to getattr on tmpfs filesystem BZ(1527645)
- Allow named file transition to create rpmrebuilddb dir with proper SELinux context BZ(1461313)
- Dontaudit httpd_passwd_t domain to read state of systemd BZ(1522672)
- Allow thumb_t to mmap non security files BZ(1517393)
- Allow smbd_t to mmap files with label samba_share_t BZ(1530453)
- Fix broken sysnet_filetrans_named_content() interface
- Allow init_t to create tcp sockets for unconfined services BZ(1366968)
- Allow xdm_t to getattr on xserver_t process files BZ(1506116)
- Allow domains which can create resolv.conf file also create it in systemd_resolved_var_run_t dir BZ(1530297)
- Allow X userdomains to send dgram msgs to xserver_t BZ(1515967)
- Add interface files_map_non_security_files()
- Allow crond_t to read pcp lib files BZ(1525420)
- Allow mozilla plugin domain to mmap user_home_t files BZ(1452783)
- Allow certwatch_t to mmap generic certs. BZ(1527173)
- Allow dspam_t to manage dspam_rw_conent_t objects. BZ(1290876)
- Add interface userdom_map_user_home_files()
- Sytemd introduced new feature when journald(syslogd_t) is trying to read symlinks to unit files in /run/systemd/units. This commit label /run/systemd/units/* as systemd_unit_file_t and allow syslogd_t to read this content. BZ(1527202)
- Allow xdm_t dbus chat with modemmanager_t BZ(1526722)
- All domains accessing home_cert_t objects should also mmap it. BZ(1519810)
This directory is already owned by rpm. I couldn't find a specific
section in the packaging guidelines, but it seems to me we shouldn't do
this. There's no good reason for it and it can lead to confusion.
Quickly scanning over all Fedora spec files that install RPM macros, I
couldn't find any other package that owns `%{_rpmconfigdir}`.
Fixes:
File policy/modules/contrib is not a regular file -- refusing to patch
1 out of 1 hunk ignored -- saving rejects to file policy/modules/contrib.rej
- Allow pcp_pmlogger to send logs to journal BZ(1512367)
- Merge pull request #40 from lslebodn/kcm_kerberos
- Allow services to use kerberos KCM BZ(1512128)
- Allow system_mail_t domain to be system_dbus_client BZ(1512476)
- Allow aide domain to stream connect to sssd_t BZ(1512500)
- Allow squid_t domain to mmap files with label squid_tmpfs_t BZ(1498809)
- Allow nsd_t domain to mmap files with labels nsd_tmp_t and nsd_zone_t BZ(1511269)
- Include cupsd_config_t domain into cups_execmem boolean. BZ(1417584)
- Allow samba_net_t domain to mmap samba_var_t files BZ(1512227)
- Allow lircd_t domain to execute shell BZ(1512787)
- Allow thumb_t domain to setattr on cache_home_t dirs BZ(1487814)
- Allow redis to creating tmp files with own label BZ(1513518)
- Create new interface thumb_nnp_domtrans allowing domaintransition with NoNewPrivs. This interface added to thumb_run() BZ(1509502)
- Allow httpd_t to mmap httpd_tmp_t files BZ(1502303)
- Add map permission to samba_rw_var_files interface. BZ(1513908)
- Allow cluster_t domain creating bundles directory with label var_log_t instead of cluster_var_log_t
- Add dac_read_search and dac_override capabilities to ganesha
- Allow ldap_t domain to manage also slapd_tmp_t lnk files
- Allow snapperd_t domain to relabeling from snapperd_data_t BZ(1510584)
- Add dac_override capability to dhcpd_t doamin BZ(1510030)
- Allow snapperd_t to remove old snaps BZ(1510862)
- Allow chkpwd_t domain to mmap system_db_t files and be dbus system client BZ(1513704)
- Allow xdm_t send signull to all xserver unconfined types BZ(1499390)
- Allow fs associate for sysctl_vm_t BZ(1447301)
- Label /etc/init.d/vboxdrv as bin_t to run virtualbox as unconfined_service_t BZ(1451479)
- Allow xdm_t domain to read usermodehelper_t state BZ(1412609)
- Allow dhcpc_t domain to stream connect to userdomain domains BZ(1511948)
- Allow systemd to mmap kernel modules BZ(1513399)
- Allow userdomains to mmap fifo_files BZ(1512242)
- Merge pull request #205 from rhatdan/labels
- Add map permission to init_domtrans() interface BZ(1513832)
- Allow xdm_t domain to mmap and execute files in xdm_var_run_t BZ(1513883)
- Unconfined domains, need to create content with the correct labels
- Container runtimes are running iptables within a different user namespace
- Add interface files_rmdir_all_dirs()
- Allow jabber domains to connect to postgresql ports
- Dontaudit slapd_t to block suspend system
- Allow spamc_t to stream connect to cyrys.
- Allow passenger to connect to mysqld_port_t
- Allow ipmievd to use nsswitch
- Allow chronyc_t domain to use user_ptys
- Label all files /var/log/opensm.* as opensm_log_t because opensm creating new log files with name opensm-subnet.lst
- Fix typo bug in tlp module
- Allow userdomain gkeyringd domain to create stream socket with userdomain
- Merge pull request #37 from milosmalik/rawhide
- Allow mozilla_plugin_t domain to dbus chat with devicekit
- Dontaudit leaked logwatch pipes
- Label /usr/bin/VGAuthService as vmtools_exec_t to confine this daemon.
- Allow httpd_t domain to execute hugetlbfs_t files BZ(1444546)
- Allow chronyd daemon to execute chronyc. BZ(1507478)
- Allow pdns to read network system state BZ(1507244)
- Allow gssproxy to read network system state Resolves: rhbz#1507191
- Allow nfsd_t domain to read configfs_t files/dirs
- Allow tgtd_t domain to read generic certs
- Allow ptp4l to send msgs via dgram socket to unprivileged user domains
- Allow dirsrv_snmp_t to use inherited user ptys and read system state
- Allow glusterd_t domain to create own tmpfs dirs/files
- Allow keepalived stream connect to snmp
- Allow zabbix_t domain to change its resource limits
- Add new boolean nagios_use_nfs
- Allow system_mail_t to search network sysctls
- Hide all allow rules with ptrace inside deny_ptrace boolean
- Allow nagios_script_t to read nagios_spool_t files
- Allow sbd_t to create own sbd_tmpfs_t dirs/files
- Allow firewalld and networkmanager to chat with hypervkvp via dbus
- Allow dmidecode to read rhsmcert_log_t files
- Allow mail system to connect mariadb sockets.
- Allow nmbd_t domain to mmap files labeled as samba_var_t. BZ(1505877)
- Make user account setup in gnome-initial-setup working in Workstation Live system. BZ(1499170)
- Allow iptables_t to run setfiles to restore context on system
- Updatre unconfined_dontaudit_read_state() interface to dontaudit also acess to files. BZ(1503466)
- Label /usr/libexec/bluetooth/obexd as bluetoothd_exec_t to run process as bluetooth_t
- Allow chronyd_t do request kernel module and block_suspend capability
- Allow system_cronjob_t to create /var/lib/letsencrypt dir with right label
- Allow slapd_t domain to mmap files labeled as slpad_db_t BZ(1505414)
- Allow dnssec_trigger_t domain to execute binaries with dnssec_trigeer_exec_t BZ(1487912)
- Allow l2tpd_t domain to send SIGKILL to ipsec_mgmt_t domains BZ(1505220)
- Allow thumb_t creating thumb_home_t files in user_home_dir_t direcotry BZ(1474110)
- Allow httpd_t also read httpd_user_content_type dirs when httpd_enable_homedirs is enables
- Allow svnserve to use kerberos
- Allow conman to use ptmx. Add conman_use_nfs boolean
- Allow nnp transition for amavis and tmpreaper SELinux domains
- Allow chronyd_t to mmap chronyc_exec_t binary files
- Add dac_read_search capability to openvswitch_t domain
- Allow svnserve to manage own svnserve_log_t files/dirs
- Allow keepalived_t to search network sysctls
- Allow puppetagent_t domain dbus chat with rhsmcertd_t domain
- Add kill capability to openvswitch_t domain
- Label also compressed logs in /var/log for different services
- Allow inetd_child_t and system_cronjob_t to run chronyc.
- Allow chrony to create netlink route sockets
- Add SELinux support for chronyc
- Add support for running certbot(letsencrypt) in crontab
- Allow nnp trasintion for unconfined_service_t
- Allow unpriv user domains and unconfined_service_t to use chronyc
- Drop *.lst files from file list
- Ship file_contexts.homedirs in store
- Allow proper transition when systems starting pdns to pdns_t domain. BZ(1305522)
- Allow haproxy daemon to reexec itself. BZ(1447800)
- Allow conmand to use usb ttys.
- Allow systemd_machined to read mock lib files. BZ(1504493)
- Allow systemd_resolved_t to dbusd chat with NetworkManager_t BZ(1505081)
Recent libsemanage-2.7-4.fc28 keeps copy of file_contexts.homedirs in
policy store in order to support listing homedirs file contexts in
semanage fcontext -l