- Allow systemd-timesyncd watch system dbus pid socket files
- Allow firewalld drop capabilities
- Allow rhsmcertd execute gpg
- Allow lldpad send to kdump over a unix dgram socket
- Allow systemd-gpt-auto-generator read udev pid files
- Set default file context for /sys/firmware/efi/efivars
- Allow tcpdump run as a systemd service
- Allow nmap create and use netlink generic socket
- Allow nscd watch system db files in /var/db
- Allow cockpit_ws_t get attributes of fs_t filesystems
- Allow sysadm acces to kernel module resources
- Allow sysadm to read/write scsi files and manage shadow
- Allow sysadm access to files_unconfined and bind rpc ports
- Allow sysadm read and view kernel keyrings
- Allow journal mmap and read var lib files
- Allow tuned to read rhsmcertd config files
- Allow bootloader to read tuned etc files
- Label /usr/bin/qemu-storage-daemon with virtd_exec_t
- Disable seccomp on CI containers
- Allow systemd-machined stop generic service units
- Allow virtlogd_t read process state of user domains
- Add "/" at the beginning of dev/shm/var\.lib\.opencryptoki.* regexp
- Label /dev/crypto/nx-gzip with accelerator_device_t
- Update the policy for systemd-journal-upload
- Allow unconfined domains to bpf all other domains
- Confine rhsm service and rhsm-facts service as rhsmcertd_t
- Allow fcoemon talk with unconfined user over unix domain datagram socket
- Allow abrt_domain read and write z90crypt device
- Allow mdadm read iscsi pid files
- Change dev_getattr_infiniband_dev() to use getattr_chr_files_pattern()
- Label /usr/lib/pcs/pcs_snmp_agent with cluster_exec_t
- Allow hostapd bind UDP sockets to the dhcpd port
- Unconfined domains should not be confined
- Revert "update libs_filetrans_named_content() to have support for /usr/lib/debug directory"
- Remove references to init_watch_path_type attribute
- Remove all redundant watch permissions for systemd
- Allow systemd watch non_security_file_type dirs, files, lnk_files
- Removed adding to attribute unpriv_userdomain from userdom_unpriv_type template
- Allow bacula get attributes of cgroup filesystems
- Allow systemd-journal-upload watch logs and journal
- Create a policy for systemd-journal-upload
- Allow tcpdump and nmap get attributes of infiniband_device_t
- Allow arpwatch get attributes of infiniband_device_t devices
- Label /dev/wmi/dell-smbios as acpi_device_t
- Allow sanlock get attributes of cgroup filesystems
- Associate dma_device_dir_t with device filesystem
- Set default file context for /var/run/systemd instead of /run/systemd
- Allow nmap create and use rdma socket
- Allow pkcs-slotd create and use netlink_kobject_uevent_socket
- Make domains use kernel_write_perf_event() and kernel_manage_perf_event()
- Add kernel_write_perf_event() and kernel_manage_perf_event()
- Allow syslogd_t watch root and var directories
- Allow unconfined_t read other processes perf_event records
- Allow login_userdomain read and map /var/lib/systemd files
- Allow NetworkManager watch its config dir
- Allow NetworkManager read and write z90crypt device
- Allow tgtd create and use rdma socket
- Allow aide connect to init with a unix socket
- Grant execmem to varnishlog_t
- We no longer need signull for varnishlog_t
- Add map permission to varnishd_read_lib_files
- Allow systemd-sleep tlp_filetrans_named_content()
- Allow systemd-sleep execute generic programs
- Allow systemd-sleep execute shell
- Allow to sendmail read/write kerberos host rcache files
- Allow freshclam get attributes of cgroup filesystems
- Fix context of /run/systemd/timesync
- Allow udev create /run/gdm with proper type
- Allow chronyc socket file transition in user temp directory
- Allow virtlogd_t to create virt_var_lockd_t dir
- Allow pluto IKEv2 / ESP over TCP
- Allow domain create anonymous inodes
- Add anon_inode class to the policy
- Allow systemd-coredump getattr nsfs files and net_admin capability
- Allow systemd-sleep transition to sysstat_t
- Allow systemd-sleep transition to tlp_t
- Allow systemd-sleep transition to unconfined_service_t on bin_t executables
- Allow systemd-timedated watch runtime dir and its parent
- Allow system dbusd read /var/lib symlinks
- Allow unconfined_service_t confidentiality and integrity lockdown
- Label /var/lib/brltty with brltty_var_lib_t
- Allow domain and unconfined_domain_type watch /proc/PID dirs
- Additional permission for confined users loging into graphic session
- Make for screen fsetid/setuid/setgid permission conditional
- Allow for confined users acces to wtmp and run utempter
- Allow polkit-agent-helper-1 read logind sessions files
- Allow polkit-agent-helper read init state
- Allow login_userdomain watch generic device dirs
- Allow login_userdomain listen on bluetooth sockets
- Allow user_t and staff_t bind netlink_generic_socket
- Allow login_userdomain write inaccessible nodes
- Allow transition from xdm domain to unconfined_t domain.
- Add 'make validate' step to CI
- Disallow user_t run su/sudo and staff_t run su
- Fix typo in rsyncd.conf in rsync.if
- Add an alias for nvme_device_t
- Allow systemd watch and watch_reads unallocated ttys
In the 9613e80506e7ffa37e9b150f2a3f8641dd7c26ea selinux-policy commit,
the type of nvme device files has changed from nvme_device_t to
fixed_disk_device_t.
This cannot currently be resolved in specfile selinux macros as fixfiles
excludes /dev entries. For files in /dev with changed context, restorecon
needs to be run explicitly to restore the context.
This is a temporary workaround till April 2021 when the updated policy
can be considered spread enough.
- Allow unconfined integrity lockdown permission
- Relocate confidentiality lockdown rule from unconfined_domain_type to unconfined
- Allow systemd-machined manage systemd-userdbd runtime sockets
- Enable systemd-sysctl domtrans for udev
- Introduce kernel_load_unsigned_module interface and use it for couple domains
- Allow gpg watch user gpg secrets dirs
- Build also the container module in CI
- Remove duplicate code from kernel.te
- Allow restorecond to watch all non-auth directories
- Allow restorecond to watch its config file
- Allow userdomain watch various filesystem objects
- Allow systemd-logind and systemd-sleep integrity lockdown permission
- Allow unconfined_t and kprop_t to create krb5_0.rcache2 with the right context
- Allow pulseaudio watch devices and systemd-logind session dirs
- Allow abrt-dump-journal-* watch generic log dirs and /run/log/journal dir
- Remove duplicate files_mounton_etc(init_t) call
- Add watch permissions to manage_* object permissions sets
- Allow journalctl watch generic log dirs and /run/log/journal dir
- Label /etc/resolv.conf as net_conf_t even when it's a symlink
- Allow SSSD to watch /var/run/NetworkManager
- Allow dnsmasq_t to watch /etc
- Remove unnecessary lines from the new watch interfaces
- Fix docstring for init_watch_dir()
- Allow xdm watch its private lib dirs, /etc, /usr
- Allow lockdown confidentiality for domains using perf_event
- define lockdown class and access
- Add perfmon capability for all domains using perf_event
- Allow ptp4l_t bpf capability to run bpf programs
- Revert "Allow ptp4l_t sys_admin capability to run bpf programs"
- access_vectors: Add new capabilities to cap2
- Allow systemd and systemd-resolved watch dbus pid objects
- Add new watch interfaces in the base and userdomain policy
- Add watch permissions for contrib packages
- Allow xdm watch /usr directories
- Allow getty watch its private runtime files
- Add watch permissions for nscd and sssd
- Add watch permissions for firewalld and NetworkManager
- Add watch permissions for syslogd
- Add watch permissions for systemd services
- Allow restorecond watch /etc dirs
- Add watch permissions for user domain types
- Add watch permissions for init
- Add basic watch interfaces for systemd
- Add basic watch interfaces to the base module
- Add additional watch object permissions sets and patterns
- Allow init_t to watch localization symlinks
- Allow init_t to watch mount directories
- Allow init_t to watch cgroup files
- Add basic watch patterns
- Add new watch* permissions
- Update .copr/make-srpm.sh to use rawhide as DISTGIT_BRANCH
- Dontaudit setsched for rndc
- Allow systemd-logind destroy entries in message queue
- Add userdom_destroy_unpriv_user_msgq() interface
- ci: Install build dependencies from koji
- Dontaudit vhostmd to write in /var/lib/rpm/ dir and allow signull rpm
- Add new cmadmin port for bfdd dameon
- virtiofs supports Xattrs and SELinux
- Allow domain write to systemd-resolved PID socket files
- Label /var/run/pcsd-ruby.socket socket with cluster_var_run_t type
- Allow rhsmcertd_t domain transition to kpatch_t
- Revert "Add kpatch_exec() interface"
- Revert "Allow rhsmcertd execute kpatch"
- Allow openvswitch create and use xfrm netlink sockets
- Allow openvswitch_t perf_event write permission
- Add kpatch_exec() interface
- Allow rhsmcertd execute kpatch
- Adds rule to allow glusterd to access RDMA socket
- radius: Lexical sort of service-specific corenet rules by service name
- VQP: Include IANA-assigned TCP/1589
- radius: Allow binding to the VQP port (VMPS)
- radius: Allow binding to the BDF Control and Echo ports
- radius: Allow binding to the DHCP client port
- radius: Allow net_raw; allow binding to the DHCP server ports
- Add rsync_sys_admin tunable to allow rsync sys_admin capability
- Allow staff_u run pam_console_apply
- Allow openvswitch_t perf_event open permission
- Allow sysadm read and write /dev/rfkill
- Allow certmonger fsetid capability
- Allow domain read usermodehelper state information
In the src.fedoraproject.org/rpms/selinux-policy packages repository,
the default branch name has changed to "rawhide", with a symref (link)
of "main". The make-rhat-patches.sh file was updated to use "rawhide"
in the DISTGIT_BRANCH variable instead of "master".
The rpm-verify command reports changes for packaged files in the active
store (/var/lib/selinux) which are changed on the selinux-policy-*
packages updates. In order to pass the rpm verification process, the
specfile option %verify(not md5 size mtime) for each of the affected
files will prevent from reporting a failure in any of the rpm-verify
subtests:
- S file Size differs
- 5 digest (formerly MD5 sum) differs
- T mTime differs
- Label /dev/isst_interface as cpu_device_t
- Dontaudit firewalld dac_override capability
- Allow ipsec set the context of a SPD entry to the default context
- Build binary RPMs in CI
- Add SRPM build scripts for COPR
The directory will be created automatically by the install commands, so
no need to create it manually.
Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
There is no file actually created at that location during build, so the
command can be safely removed. Verified by removing the '-f' and
observing the build fail (file does not exist).
Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
We can install the permissivedomains.cil module directly, no need to
copy it to %{buildroot} first.
Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
- Allow systemd-logind manage init's pid files
- Allow tcsd the setgid capability
- Allow systemd-resolved manage its private runtime symlinks
- Update systemd_resolved_read_pid() to also read symlinks
- Update systemd-sleep policy
- Add groupadd_t fowner capability
- Migrate to GitHub Actions
- Update README.md to reflect the state after contrib and base merge
- Add README.md announcing merging of selinux-policy and selinux-policy-contrib
- Adapt .travis.yml to contrib merge
- Merge contrib into the main repo
- Prepare to merge contrib repo
- Move stuff around to match the main repo
The "rawhide" branch of selinux-policy and selinux-policy-contrib is
about to be merged together. Update dist-git for this, so that the next
build can be performed with the new repo structure.
Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
- Allow varnish map its private tmp files
- Allow dovecot bind to smtp ports
- Change fetchmail temporary files path to /var/spool/mail
- Allow cups_pdf_t domain to communicate with unix_dgram_socket
- Set file context for symlinks in /etc/httpd to etc_t
- Allow rpmdb rw access to inherited console, ttys, and ptys
- Allow dnsmasq read public files
- Announce merging of selinux-policy and selinux-policy-contrib
- Label /etc/resolv.conf as net_conf_t only if it is a plain file
- Fix range for unreserved ports
- Add files_search_non_security_dirs() interface
- Introduce logging_syslogd_append_public_content tunable
- Add miscfiles_append_public_files() interface