- Add new boolean tmpreaper_use_cifs() to allow tmpreaper to run on local directories being shared with Samba.
- Merge pull request #105 from rhatdan/NO_NEW_PRIV
- Fix new rkt policy
- Remove some redundant rules.
- Fix cosmetic issues in interface file.
- Merge pull request #100 from rhatdan/rawhide-contrib
- Add interface fs_setattr_cifs_dirs().
- Merge pull request #106 from rhatdan/NO_NEW_PRIV_BASE
- Fixed to make SELinux work with docker and prctl(NO_NEW_PRIVS)
-Build file_contexts.bin file_context.local.bin file_context.homedir.bin during build phase.
This fix issue in Fedora live images when selinux-policy-targeted is not installed but just unpackaged, since there's no .bin files,
file_contexts is parsed in selabel_open().
Resolves: rhbz#1314372
- Revert "Allow systemd-logind to create .#nologinXXXXXX labeled as systemd_logind_var_run_t in /var/run/systemd/ rhbz#1285019"
- Allow systemd-logind to create .#nologinXXXXXX labeled as systemd_logind_var_run_t in /var/run/ rhbz#1285019
- Allow amanda to manipulate the tape changer to load the necessary tapes. rhbz#1311759
- Allow keepalived to create netlink generic sockets. rhbz#1311756
- Allow modemmanager to read /etc/passwd file.
- Label all files named /var/run/.*nologin.* as systemd_logind_var_run_t.
- Add filename transition to interface systemd_filetrans_named_content() that domain will create rfkill dir labeled as systemd_rfkill_var_lib_t instead of init_var_lib_t. rhbz #1290255
- Allow systemd-logind to create .#nologinXXXXXX labeled as systemd_logind_var_run_t in /var/run/systemd/ rhbz#1285019
- Allow systemd_networkd_t to write kmsg, when kernel was started with following params: systemd.debug systemd.log_level=debug systemd.log_target=kmsg rhbz#1311444
- Allow ipsec to read home certs, when connecting to VPN. rhbz#1301319
- Fix macro name from snmp_manage_snmp_var_lib_files to snmp_manage_var_lib_files in cupsd policy.
- Allow hplip driver to write to its MIB index files stored in the /var/lib/net-snmp/mib_indexes. Resolves: rhbz#1291033
- Allow collectd setgid capability Resolves:#1310896
- Allow adcli running as sssd_t to write krb5.keytab file.
- Allow abrt-hook-ccpp to getattr on all executables. BZ(1284304)
- Allow kexec to read kernel module files in /usr/lib/modules.
- Add httpd_log_t for /var/log/graphite-web rhbz#1306981
- Remove redudant rules and fix _admin interface.
- Add SELinux policy for LTTng 2.x central tracing registry session daemon.
- Allow create mongodb unix dgram sockets. rhbz#1306819
- Support for InnoDB Tablespace Encryption.
- Dontaudit leaded file descriptors from firewalld
- Add port for rkt services
- Add support for the default lttng-sessiond port - tcp/5345. This port is used by LTTng 2.x central tracing registry session daemon.
- Allow abrt_dump_oops_t to getattr filesystem nsfs files. rhbz#1300334
- Allow ulogd_t to create netlink_netfilter sockets. rhbz#1305426
- Create new type fwupd_cert_t Label /etc/pki/(fwupd|fwupd-metadata) dirs as fwupd_cert_t Allow fwupd_t domain to read fwupd_cert_t files|lnk_files rhbz#1303533
- Add interface to dontaudit leaked files from firewalld
- fwupd needs to dbus chat with policykit
- Allow fwupd domain transition to gpg domain. Fwupd signing firmware updates by gpg. rhbz#1303531
- Allow abrt_dump_oops_t to check permissions for a /usr/bin/Xorg. rhbz#1284967
- Allow prelink_cron_system_t domain set resource limits. BZ(1190364)
- Allow pppd_t domain to create sockfiles in /var/run labeled as pppd_var_run_t label. BZ(1302666)
- Fix wrong name for openqa_websockets tcp port.
- Allow run sshd-keygen on second boot if first boot fails after some reason and content is not syncedon the disk. These changes are reflecting this commit in sshd. http://pkgs.fedoraproject.org/cgit/rpms/openssh.git/commit/?id=af94f46861844cbd6ba4162115039bebcc8f78ba rhbz#1299106
- Add interface ssh_getattr_server_keys() interface. rhbz#1299106
- Added Label openqa for tcp port (9526) Added Label openqa-websockets for tcp port (9527) rhbz#1277312
- Add interface fs_getattr_nsfs_files()
- Add interface xserver_exec().
- Revert "Allow all domains some process flags."BZ(1190364)
- Add fwupd policy for daemon to allow session software to update device firmware
- Label /usr/libexec/ipa/oddjob/org.freeipa.server.conncheck as ipa_helper_exec_t. BZ(1289930)
- Allow systemd services to use PrivateNetwork feature
- Add a type and genfscon for nsfs.
- Fix SELinux context for rsyslog unit file. BZ(1284173)
- Allow sddm-helper running as xdm_t to create .wayland-errors with correct labeling. BZ(#1291085)
- Revert "Allow arping running as netutils_t sys_module capability for removing tap devices."
- Allow arping running as netutils_t sys_module capability for removing tap devices.
- Add userdom_connectto_stream() interface.
- Allow systemd-logind to read /run/utmp. BZ(#1278662)
- Allow sddm-helper running as xdm_t to create .wayland-errors with correct labeling. BZ(#1291085)
- Revert "Allow arping running as netutils_t sys_module capability for removing tap devices."
- Allow arping running as netutils_t sys_module capability for removing tap devices.
- Add userdom_connectto_stream() interface.
- Allow systemd-logind to read /run/utmp. BZ(#1278662)
- Allow firewalld to create firewalld_var_run_t directory. BZ(1291243)
- Add interface firewalld_read_pid_files()
- Allow iptables to read firewalld pid files. BZ(1291243)
- Allow the user cronjobs to run in their userdomain
- Label ssdm binaries storedin /etc/sddm/ as bin_t. BZ(1288111)
- Merge pull request #81 from rhatdan/rawhide-base
- New access needed by systemd domains
- Allow whack executed by sysadm SELinux user to access /var/run/pluto/pluto.ctl. It fixes "ipsec auto --status" executed by sysadm_t.
- Add ipsec_read_pid() interface
- Adding support for dbus communication between systemd-networkd and systemd-hostnamed. BZ(1279182)
- Update init policy to have userdom_noatsecure_login_userdomain() and userdom_sigchld_login_userdomain() called for init_t.
- init_t domain should be running without unconfined_domain attribute.
- Add a new SELinux policy for /usr/lib/systemd/systemd-rfkill.
- Update userdom_transition_login_userdomain() to have "sigchld" and "noatsecure" permissions.
- systemd needs to access /dev/rfkill on early boot.
- Allow dspam to read /etc/passwd
- Allow apcupsd sending mails about battery state. BZ(1274018)
- Allow pcp_pmcd_t domain transition to lvm_t. BZ(1277779)
- Merge pull request #68 from rhatdan/rawhide-contrib
- Allow antivirus_t to bind to all unreserved ports. Clamd binds to random unassigned port (by default in range 1024-2048). #1248785
- Allow systemd-networkd to bind dhcpd ports if DHCP=yes in *.network conf file. BZ(#1280092)
- systemd-tmpfiles performs operations on System V IPC objects which requires sys_admin capability. BZ(#1279269)
- Allow abrt-hook-ccpp to change SELinux user identity for created objects.
- Allow abrt-hook-ccpp to get attributes of all processes because of core_pattern.
- Allow setuid/setgid capabilities for abrt-hook-ccpp.
- Add default labeling for /etc/Pegasus/cimserver_current.conf. It is a correct patch instead of the current /etc/Pegasus/pegasus_current.conf.
- Allow fenced node dbus msg when using foghorn witch configured foghorn, snmpd, and snmptrapd.
- cockpit has grown content in /var/run directory
- Add support for /dev/mptctl device used to check RAID status.
- Allow systemd-hostnamed to communicate with dhcp via dbus.
- systemd-logind remove all IPC objects owned by a user on a logout. This covers also SysV memory. This change allows to destroy unpriviledged user SysV shared memory segments.
- Add userdom_destroy_unpriv_user_shared_mem() interface.
- Label /var/run/systemd/shutdown directory as systemd_logind_var_run_t to allow systemd-logind to access it if shutdown is invoked.
- Access needed by systemd-machine to manage docker containers
- Allow systemd-logind to read /run/utmp when shutdown is invoked.
- Since /dev/log is a symlink, we need to allow relabelto also symlink. This commit update logging_relabel_devlog_dev() interface to allow it.
- systemd-user has pam_selinux support and needs to able to compute user security context if init_t is not unconfined domain.
- Allow fail2ban-client to execute ldconfig. #1268715
- Add interface virt_sandbox_domain()
- Use mmap_file_perms instead of exec_file_perms in setroubleshoot policy to shave off the execute_no_trans permission. Based on a github communication with Dominick Grift.
-all userdom_dontaudit_user_getattr_tmp_sockets instead() of usedom_dontaudit_user_getattr_tmp_sockets().
- Rename usedom_dontaudit_user_getattr_tmp_sockets() to userdom_dontaudit_user_getattr_tmp_sockets().
- Remove auth_login_pgm_domain(init_t) which has been added by accident.
- init_t needs to able to change SELinux identity because it is used as login_pgm domain because of systemd-user and PAM. It allows security_compute_user() returns a list of possible context and then a correct default label is returned by "selinux.get_default_context(sel_user,fromcon)" defined in the policy user config files.
- Add interface auth_use_nsswitch() to systemd_domain_template.
- Revert "auth_use_nsswitch can be used with attribute systemd_domain."
- auth_use_nsswitch can be used with attribute systemd_domain.
- ipsec: fix stringSwan charon-nm
- docker is communicating with systemd-machined
- Add missing systemd_dbus_chat_machined, needed by docker
- Allow abrt_t to read sysctl_net_t files. BZ(#1194280)
- Merge branch 'rawhide-contrib' of github.com:fedora-selinux/selinux-policy into rawhide-contrib
- Add abrt_stub interface.
- Add support for new mock location - /usr/libexec/mock/mock. BZ(#1270972)
- Allow usbmuxd to access /run/udev/data/+usb:*. BZ(#1269633)
- Allow qemu-bridge-helper to read /dev/random and /dev/urandom. BZ(#1267217)
- Allow sssd_t to manage samba var files/dirs to SSSD's GPO support which is enabled against an Active Directory domain. BZ(#1225200).
- Add samba_manage_var_dirs() interface.
- Allow pcp_pmlogger to exec bin_t BZ(#1258698)
- Allow spamd to read system network state. BZ(1260234)
- Allow fcoemon to create netlink scsitransport sockets BZ(#1260882)
- Allow networkmanager to create networkmanager_var_lib_t files. BZ(1270201)
- Allow systemd-networkd to read XEN state for Xen hypervisor. BZ(#1269916)
- Add fs_read_xenfs_files() interface.
- Allow systemd_machined_t to send dbus msgs to all users and read/write /dev/ptmx to make 'machinectl shell' working correctly.
- Allow systemd running as init_t to override the default context for key creation. BZ(#1267850)
Lukas Vrabec
Miroslav Grepl
Vit Mojzis