Commit Graph

6089 Commits

Author SHA1 Message Date
Zdenek Pytela
d1c7bc688f * Tue Jul 07 2020 Zdenek Pytela <zpytela@redhat.com> - 3.14.6-18
- Allow oddjob_t process noatsecure permission for ipa_helper_t
- Allow keepalived manage its private type runtime directories
- Update irqbalance runtime directory file context
- Allow irqbalance file transition for pid sock_files and directories
- Allow systemd_private_tmp(dirsrv_tmp_t) instead of dirsrv_t
- Allow virtlogd_t manage virt lib files
- Allow systemd set efivarfs files attributes
- Support systemctl --user in machinectl
- Allow chkpwd_t read and write systemd-machined devpts character nodes
- Allow init_t write to inherited systemd-logind sessions pipes
2020-07-07 16:11:16 +02:00
Zdenek Pytela
c04fecfb03 * Fri Jun 26 2020 Zdenek Pytela <zpytela@redhat.com> - 3.14.6-17
- Allow pdns server to read system state
- Allow irqbalance nnp_transition
- Fix description tag for the sssd_connect_all_unreserved_ports tunable
- Allow journalctl process set its resource limits
- Add sssd_access_kernel_keys tunable to conditionally access kernel keys
- Make keepalived work with network namespaces
- Create sssd_connect_all_unreserved_ports boolean
- Allow hypervkvpd to request kernel to load a module
- Allow systemd_private_tmp(dirsrv_tmp_t)
- Allow microcode_ctl get attributes of sysfs directories
- Remove duplicate files_dontaudit_list_tmp(radiusd_t) line
- Allow radiusd connect to gssproxy over unix domain stream socket
- Add fwupd_cache_t file context for '/var/cache/fwupd(/.*)?'
- Allow qemu read and write /dev/mapper/control
- Allow tlp_t can_exec() tlp_exec_t
- Dontaudit vpnc_t setting its process scheduling
- Remove files_mmap_usr_files() call for particular domains
- Allow dirsrv_t list cgroup directories
- Crete the kerberos_write_kadmind_tmp_files() interface
- Allow realmd_t dbus chat with accountsd_t
- Label systemd-growfs and systemd-makefs       as fsadm_exec_t
- Allow staff_u and user_u setattr generic usb devices
- Allow sysadm_t dbus chat with accountsd
- Modify kernel_rw_key() not to include append permission
- Add kernel_rw_key() interface to access to kernel keyrings
- Modify systemd_delete_private_tmp() to use delete_*_pattern macros
- Allow systemd-modules to load kernel modules
- Add cachefiles_dev_t as a typealias to cachefiles_device_t
- Allow libkrb5 lib read client keytabs
- Allow domain mmap usr_t files
- Remove files_mmap_usr_files() call for systemd domains
- Allow sshd write to kadmind temporary files
- Do not audit staff_t and user_t attempts to manage boot_t entries
- Add files_dontaudit_manage_boot_dirs() interface
- Allow systemd-tty-ask-password-agent read efivarfs files
2020-06-26 16:15:46 +02:00
Adam Williamson
154654f526 Bump and build for scriptlet fix 2020-06-25 17:13:28 -07:00
Adam Williamson
69200e5a7d scriptlets: always existence-check /etc/selinux/config
This does not work as expected with `/bin/sh` if the file does
not exist:

. %{_sysconfdir}/selinux/config &> /dev/null || true;

when run with `/bin/sh` (as opposed to `/bin/bash`) it exits 1
if the file does not exist. It exits 0 if the file exists but
there is an error parsing it. When run with `/bin/bash` it exits
0 in both cases as expected, but RPM scriptlets are run with sh.

To avoid this problem, we must always explicitly do an existence
check on the file before attempting to source it.

Signed-off-by: Adam Williamson <awilliam@redhat.com>
2020-06-25 17:10:29 -07:00
Zdenek Pytela
5cdd516855 * Thu Jun 04 2020 Zdenek Pytela <zpytela@redhat.com> - 3.14.6-15
- Add fetchmail_uidl_cache_t type for /var/mail/.fetchmail.pid
- Support multiple ways of tlp invocation
- Allow qemu-kvm read and write /dev/mapper/control
- Introduce logrotate_use_cifs boolean
- Allow ptp4l_t sys_admin capability to run bpf programs
- Allow to getattr files on an nsfs filesystem
- httpd: Allow NoNewPriv transition from systemd
- Allow rhsmd read process state of all domains and kernel threads
- Allow rhsmd mmap /etc/passwd
- Allow systemd-logind manage efivarfs files
- Allow initrc_t tlp_filetrans_named_content()
- Allow systemd_resolved_t to read efivarfs
- Allow systemd_modules_load_t to read efivarfs
- Introduce systemd_read_efivarfs_type attribute
- Allow named transition for /run/tlp from a user shell
- Allow ipsec_mgmt_t mmap ipsec_conf_file_t files
- Add file context for /sys/kernel/tracing
2020-06-04 13:00:42 +02:00
Zdenek Pytela
1111964e2a * Tue May 19 2020 Zdenek Pytela <zpytela@redhat.com> - 3.14.6-14
- Allow chronyc_t domain to use nsswitch
- Allow nscd_socket_use() for domains in nscd_use() unconditionally
- Add allow rules for lttng-sessiond domain
- Label dirsrv systemd unit files and add dirsrv_systemctl()
- Allow gluster geo-replication in rsync mode
- Allow nagios_plugin_domain execute programs in bin directories
- Allow sys_admin capability for domain labeled systemd_bootchart_t
- Split the arping path regexp to 2 lines to prevent from relabeling
- Allow tcpdump sniffing offloaded (RDMA) traffic
- Revert "Change arping path regexp to work around fixfiles incorrect handling"
- Change arping path regexp to work around fixfiles incorrect handling
- Allow read efivarfs_t files by domains executing systemctl file
2020-05-19 17:52:53 +02:00
Zdenek Pytela
6a3fec4b74 * Wed Apr 29 2020 Zdenek Pytela <zpytela@redhat.com> - 3.14.6-13
- Update networkmanager_read_pid_files() to allow also list_dir_perms
- Update policy for NetworkManager_ssh_t
- Allow glusterd synchronize between master and slave
- Allow spamc_t domain to read network state
- Allow strongswan use tun/tap devices and keys
- Allow systemd_userdbd_t domain logging to journal
2020-04-29 11:21:16 +02:00
Vit Mojzis
53368f319b Disable ipa_custodia before policy update
Ipa_custodia was merged into ipa policy module. To avoid conflicts
the module needs to be disabled before policy update.

Fixes:
   Running scriptlet: selinux-policy-targeted-3.14.5-35.fc32.noarch
   Re-declaration of type ipa_custodia_t
   Failed to create node
   Bad type declaration at /var/lib/selinux/targeted/tmp/modules/100/ipa_custodia/cil:1
   /usr/sbin/semodule:  Failed!
2020-04-27 09:24:03 +02:00
Zdenek Pytela
b7b2c03ca7 * Tue Apr 16 2020 Zdenek Pytela <zpytela@redhat.com> - 3.14.6-12
- Allow rngd create netlink_kobject_uevent_socket and read udev runtime files
- Allow ssh-keygen create file in /var/lib/glusterd
- Update ctdbd_manage_lib_files() to also allow mmap ctdbd_var_lib_t files
- Merge ipa and ipa_custodia modules
- Allow NetworkManager_ssh_t to execute_no_trans for binary ssh_exec_t
- Introduce daemons_dontaudit_scheduling boolean
- Modify path for arping in netutils.fc to match both bin and sbin
- Change file context for /var/run/pam_ssh to match file transition
- Add file context entry and file transition for /var/run/pam_timestamp
2020-04-14 16:43:04 +02:00
Zdenek Pytela
9006b430b3 * Tue Mar 31 2020 Zdenek Pytela <zpytela@redhat.com> - 3.14.6-11
- Allow NetworkManager manage dhcpd unit files
- Update ninfod policy to add nnp transition from systemd to ninfod
- Remove container interface calling by named_filetrans_domain.
2020-03-31 09:52:00 +02:00
Zdenek Pytela
08e09fd9c1 * Wed Mar 25 2020 Zdenek Pytela <zpytela@redhat.com> - 3.14.6-10
- Allow openfortivpn exec shell
- Remove label session_dbusd_tmp_t for /run/user/USERID/systemd
- Add ibacm_t ipc_lock capability
- Allow ipsec_t connectto ipsec_mgmt_t
- Remove ipa_custodia
- Allow systemd-journald to read user_tmp_t symlinks
2020-03-25 18:09:22 +01:00
Zdenek Pytela
099d40eeb8 * Wed Mar 18 2020 Zdenek Pytela <zpytela@redhat.com> - 3.14.6-9
- Allow zabbix_t manage and filetrans temporary socket files
- Makefile: fix tmp/%.mod.fc target
2020-03-18 13:55:22 +01:00
Zdenek Pytela
e3700463c8 * Fri Mar 13 2020 Zdenek Pytela <zpytela@redhat.com> - 3.14.6-8
- Allow NetworkManager read its unit files and manage services
- Add init_daemon_domain() for geoclue_t
- Allow to use nnp_transition in pulseaudio_role
- Allow pdns_t domain to map files in /usr.
- Label all NetworkManager fortisslvpn plugins as openfortivpn_exec_t
- Allow login_pgm create and bind on netlink_selinux_socket
2020-03-13 09:22:23 +01:00
Ondrej Mosnacek
7579dcf465 Extend use of %common_params
Commit f76a9deccc ("Consolidate make parameters") replaced most
occurences of common make params with a single %common_params macro
call, but it omitted two places. Extend the %common_params usage to
these as well.

Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
2020-03-11 14:15:18 +01:00
Ondrej Mosnacek
feca8df9ee Drop unused seusers file
Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
2020-03-11 14:15:18 +01:00
Zdenek Pytela
30da7f7067 * Mon Mar 09 2020 Zdenek Pytela <zpytela@redhat.com> - 3.14.6-7
- Allow sssd read systemd-resolved runtime directory
- Allow sssd read NetworkManager's runtime directory
- Mark nm-cloud-setup systemd units as NetworkManager_unit_file_t
- Allow system_mail_t to signull pcscd_t
- Create interface pcscd_signull
- Allow auditd poweroff or switch to single mode
2020-03-09 17:07:28 +01:00
Lukas Vrabec
eacc15421e
* Fri Feb 28 2020 Lukas Vrabec <lvrabec@redhat.com> - 3.14.6-6
- Allow postfix stream connect to cyrus through runtime socket
- Dontaudit daemons to set and get scheduling policy/parameters
2020-02-28 17:13:35 +01:00
Lukas Vrabec
6f3f722f7d
* Sat Feb 22 2020 Lukas Vrabec <lvrabec@redhat.com> - 3.14.6-5
- Allow certmonger_t domain to read pkcs_slotd lock files
- Allow httpd_t domain to mmap own var_lib_t files BZ(1804853)
- Allow ipda_custodia_t to create udp_socket and added permission nlmsg_read for netlink_route_sockets
- Make file context more variable for /usr/bin/fusermount and /bin/fusermount
- Allow local_login_t domain to getattr cgroup filesystem
- Allow systemd_logind_t domain to manage user_tmp_t char and block devices
2020-02-22 17:02:13 +01:00
Lukas Vrabec
e0ee9a1a66
* Tue Feb 18 2020 Lukas Vrabec <lvrabec@redhat.com> - 3.14.6-4
- Update virt_read_qemu_pid_files inteface
- Allow systemd_logind_t domain to getattr cgroup filesystem
- Allow systemd_logind_t domain to manage user_tmp_t char and block devices
- Allow nsswitch_domain attribute to stream connect to systemd process
2020-02-18 18:04:28 +01:00
Lukas Vrabec
48b6fc450f
Update changelog to descending chronological order 2020-02-16 13:08:28 +01:00
Lukas Vrabec
fc739f4200
* Sun Feb 16 2020 Lukas Vrabec <lvrabec@redhat.com> - 3.14.6-3
- Allow systemd labeled as init_t to manage systemd_userdbd_runtime_t symlinks
- Allow systemd_userdbd_t domain to read efivarfs files
2020-02-16 13:00:31 +01:00
Lukas Vrabec
8c624edf84
* Sat Feb 15 2020 Lukas Vrabec <lvrabec@redhat.com> - 3.14.6-2
- Allow vhostmd communication with hosted virtual machines
- Add and update virt interfaces
- Update radiusd policy
- Allow systemd_private_tmp(named_tmp_t)
- Allow bacula dac_override capability
- Allow systemd_networkd_t to read efivarfs
- Add support for systemd-userdbd
- Allow systemd system services read efivarfs files
2020-02-16 00:25:43 +01:00
Lukas Vrabec
0270e1e28d
* Sun Feb 16 2020 Lukas Vrabec <lvrabec@redhat.com> - 3.14.6-1
- Bump version to 3.14.6 because fedora 32 was branched
2020-02-16 00:22:07 +01:00
Zdenek Pytela
916c9099f2 * Fri Feb 07 2020 Zdenek Pytela <zpytela@redhat.com> - 3.14.5-24
- Allow ptp4l_t create and use packet_socket sockets
- Allow ipa_custodia_t create and use netlink_route_socket sockets.
- Allow networkmanager_t transition to setfiles_t
- Create init_create_dirs boolean to allow init create directories
2020-02-07 17:22:36 +01:00
Ondrej Mosnacek
2a989ab68e spec: Use RPM path macros more consistently
Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
2020-02-07 12:37:11 +01:00
Zdenek Pytela
4ee1dfc5d7 * Fri Jan 31 2020 Zdenek Pytela <zpytela@redhat.com> - 3.14.5-23
- Allow thumb_t connect to system_dbusd_t BZ(1795044)
- Allow saslauthd_t filetrans variable files for /tmp directory
- Added apache create log dirs macro
- Tiny documentation fix
- Allow openfortivpn_t to manage net_conf_t files.
- Introduce boolean openfortivpn_can_network_connect.
- Dontaudit domain chronyd_t to list in user home dirs.
- Allow init_t to create apache log dirs.
- Add file transition for /dev/nvidia-uvm BZ(1770588)
- Allow syslog_t to read efivarfs_t files
- Add ioctl to term_dontaudit_use_ptmx macro
- Update xserver_rw_session macro
2020-01-31 10:53:24 +01:00
Fedora Release Engineering
6f927019b9 - Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
Signed-off-by: Fedora Release Engineering <releng@fedoraproject.org>
2020-01-30 23:12:11 +00:00
Zdenek Pytela
07e568bc06 * Fri Jan 24 2020 Zdenek Pytela <zpytela@redhat.com> - 3.14.5-21
- Dontaudit timedatex_t read file_contexts_t and validate security contexts
- Make stratisd_t domain unconfined for now.
- stratisd_t policy updates.
- Label /var/spool/plymouth/boot.log as plymouthd_var_log_t
- Label /stratis as stratisd_data_t
- Allow opafm_t to create and use netlink rdma sockets.
- Allow stratisd_t domain to read/write fixed disk devices and removable devices.
- Added macro for stratisd to chat over dbus
- Add dac_override capability to stratisd_t domain
- Allow init_t set the nice level of all domains BZ(1778088)
- Allow userdomain to chat with stratisd over dbus.
2020-01-24 17:07:51 +01:00
Vit Mojzis
ee6e28e884 Fix %post script failures in selinux-policy-*
Since /etc/selinux/config is created in a %post script and execution
order of post scripts cannot be ensured in this case, all commands in
post have to be able to work without /etc/selinux/config.

Also standalone execution of selinuxenabled in relabel macro would cause
%post of all selinux-policy-* packages to fail in case selinux was
disabled.

Fixes:
   https://bugzilla.redhat.com/show_bug.cgi?id=1723940
2020-01-13 19:07:10 +00:00
Lukas Vrabec
0f62f5946f
* Mon Jan 13 2020 Lukas Vrabec <lvrabec@redhat.com> - 3.14.5-20
- Fix typo in anaconda SELinux module
- Allow rtkit_t domain  to control scheduling for your install_t processes
- Boolean: rngd_t to use executable memory
- Allow rngd_t domain to use nsswitch BZ(1787661)
- Allow exim to execute bin_t without domain trans
- Allow create udp sockets for abrt_upload_watch_t domains
- Drop label zebra_t for frr binaries
- Allow NetworkManager_t domain to get status of samba services
- Update milter policy to allow use sendmail
- Modify file context for .local directory to match exactly BZ(1637401)
- Allow init_t domain to create own socket files in /tmp
- Allow ipsec_mgmt_t domain to mmap ipsec_conf_file_t files
- Create files_create_non_security_dirs() interface
2020-01-13 10:09:50 +01:00
Ondrej Mosnacek
e4f8091964 Remove all the "factory reset" stuff
From reading BZ1290659 [1] it sounds like the ostree issue was resolved
by using /etc/selinux as the store root instead of /var/lib/selinux so I
believe the /usr/share/selinux redundant files are no longer needed.
Also remove all other leftovers of the factory reset thing...

[1] https://bugzilla.redhat.com/show_bug.cgi?id=1290659

Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
2020-01-07 15:45:12 +01:00
Zdenek Pytela
a9b321b3cc * Fri Dec 20 2019 Zdenek Pytela <zpytela@redhat.com> - 3.14.5-19
- Allow init_t nnp domain transition to kmod_t
- Allow userdomain dbus chat with systemd_resolved_t
- Allow init_t read and setattr on /var/lib/fprintd
- Allow sysadm_t dbus chat with colord_t
- Allow confined users run fwupdmgr
- Allow confined users run machinectl
- Allow systemd labeled as init_t domain to create dirs labeled as var_t
- Allow systemd labeled as init_t do read/write tpm_device_t chr files BZ(1778079)
- Add new file context rabbitmq_conf_t.
- Allow journalctl read init state BZ(1731753)
- Add fprintd_read_var_lib_dir and fprintd_setattr_var_lib_dir interfaces
- Allow pulseaudio create .config and dgram sendto to unpriv_userdomain
- Change type in transition for /var/cache/{dnf,yum} directory
- Allow cockpit_ws_t read efivarfs_t BZ(1777085)
- Allow abrt_dump_oops_t domain to create udp sockets BZ(1778030)
- Allow named_t domain to mmap named_zone_t files BZ(1647493)
- Make boinc_var_lib_t label system mountdir attribute
- Allow stratis_t domain to request load modules
- Update fail2ban policy
- Allow spamd_update_t access antivirus_unit_file_t BZ(1774092)
- Allow uuidd_t Domain trasition from sytemd into confined domain with NoNewPrivileges Systemd Security feature.
- Allow rdisc_t Domain trasition from sytemd into confined domain with NoNewPrivileges Systemd Security feature.
2019-12-20 17:01:21 +01:00
Ondrej Mosnacek
f76a9deccc Consolidate make parameters
Make code more readable by putting common make parameters under a common
macro. Also fix the sandbox.pp command-line, which was copy-pasted out
of context...

Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
2019-12-04 11:48:03 +00:00
Ondrej Mosnacek
9fd145765a Remove unused file
This copy of the Makefile is not used anywhere, remove it.

Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
2019-12-03 13:42:31 +01:00
Lukas Vrabec
d4e9a2fe96
Add missing sources 2019-11-28 23:01:47 +01:00
Lukas Vrabec
6ed257bb1a
- Allow systemd to read all proc 2019-11-28 22:55:17 +01:00
Lukas Vrabec
188eac8e79
* Thu Nov 28 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.5-18
- Introduce new type pdns_var_lib_t
- Allow zebra_t domain to read files labled as nsfs_t.
- Allow systemd to setattr on all device_nodes
- Allow systemd to mounton and list all proc types
2019-11-28 22:19:38 +01:00
Lukas Vrabec
f32fe38207
* Wed Nov 27 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.5-17
- Fix nonexisting types in rtas_errd_rw_lock interface
- Allow snmpd_t domain to trace processes in user namespace
- Allow timedatex_t domain to read relatime clock and adjtime_t files
- Allow zebra_t domain to execute zebra binaries
- Label /usr/lib/NetworkManager/dispatcher as NetworkManager_initrc_exec_t
- Allow ksmtuned_t domain to trace processes in user namespace
- Allow systemd to read symlinks in /var/lib
- Update dev_mounton_all_device_nodes() interface
- Add the miscfiles_map_generic_certs macro to the sysnet_dns_name_resolve macro.
- Allow systemd_domain to map files in /usr.
- Allow strongswan start using swanctl method BZ(1773381)
- Dontaudit systemd_tmpfiles_t getattr of all file types BZ(1772976)
2019-11-27 20:26:39 +01:00
Zdenek Pytela
6f1a9fb9a4 * Thu Nov 21 2019 Zdenek Pytela <zpytela@redhat.com> - 3.14.5-16
- Allow timedatex_t domain dbus chat with both confined and unconfined users
- Allow timedatex_t domain dbus chat with unconfined users
- Allow NetworkManager_t manage dhcpc_state_t BZ(1770698)
- Make unconfined domains part of domain_named_attribute
- Label tcp ports 24816,24817 as pulp_port_t
- Remove duplicate entries for initrc_t in init.te
2019-11-21 16:26:28 +01:00
Lukas Vrabec
7694691838
* Thu Nov 14 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.5-15
- Increase SELinux userspace version which should be required.
2019-11-14 09:45:51 +01:00
Lukas Vrabec
67a56dfdce
* Wed Nov 13 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.5-14
- Increase version of kernel compiled binary policy to 32 because of new SELinux userspace v3.0
2019-11-13 22:41:00 +01:00
Lukas Vrabec
d1df004bac
* Wed Nov 13 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.5-13
- Fix typo bugs in rtas_errd_read_lock() interface
- cockpit: Drop cockpit-cert-session
- Allow timedatex_t domain to systemctl chronyd domains
- Allow ipa_helper_t to read kr5_keytab_t files
- cockpit: Allow cockpit-session to read cockpit-tls state directory
- Allow stratisd_t domain to read nvme and fixed disk devices
- Update lldpad_t policy module
- Dontaudit tmpreaper_t getting attributes from sysctl_type files
- cockpit: Support https instance factory
- Added macro for timedatex to chat over dbus.
- Fix typo in dev_filetrans_all_named_dev()
- Update files_manage_etc_runtime_files() interface to allow manage also dirs
- Fix typo in cachefiles device
- Dontaudit sys_admin capability for auditd_t domains
- Allow x_userdomain to read adjtime_t files
- Allow users using template userdom_unpriv_user_template() to run bpf tool
- Allow x_userdomain to dbus_chat with timedatex.
2019-11-13 15:45:37 +01:00
Lukas Vrabec
72c4289c25
Update rpm.macros file fomr the upstream repo
Remove git from BuildRequires in %selinux_requires
In %selinux_requires macro, as part of BuildRequires is also git
package. It looks like some leftover and this commit removes it.

Upstream repo: https://github.com/fedora-selinux/selinux-policy-macros
2019-11-05 17:50:20 +01:00
Petr Šplíchal
58a31e207a
Remove explicit requires from tests.yml
Requires are now handled by Standard Test Roles based on the
individual test metadata so there is no need to list them here.
2019-11-04 14:01:50 +01:00
Lukas Vrabec
5e3b0e1f2a
Update selinux-policy macros from upstream repo
Upstream repo: https://github.com/fedora-selinux/selinux-policy-macros

Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1723940
2019-11-03 15:00:33 +01:00
Lukas Vrabec
4faaca1916
* Sun Nov 03 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.5-12
- Label /var/cache/nginx as httpd_cache_t
- Allow abrt_upload_watch_t domain to send dgram msgs to kernel processes and stream connect to journald
- Created dnsmasq_use_ipset boolean
- Allow capability dac_override in logwatch_mail_t domain
- Allow automount_t domain to execute ping in own SELinux domain (ping_t)
- Allow tmpreaper_t domain to getattr files labeled as mtrr_device_t
- Allow collectd_t domain to create netlink_generic_socket sockets
- Allow rhsmcertd_t domain to read/write rtas_errd_var_lock_t files
- Allow tmpwatch process labeled as tmpreaper_t domain to execute fuser command.
- Label /etc/postfix/chroot-update as postfix_exec_t
- Update tmpreaper_t policy due to fuser command
- Allow kdump_t domain to create netlink_route and udp sockets
- Allow stratisd to connect to dbus
- Allow fail2ban_t domain to create netlink netfilter sockets.
- Allow dovecot get filesystem quotas
- Allow networkmanager_t domain to execute chronyd binary in chronyd_t domain. BZ(1765689)
- Allow systemd-tmpfiles processes to set rlimit information
- Allow cephfs to use xattrs for storing contexts
- Update files_filetrans_named_content() interface to allow caller domain to create /oldroot /.profile with correct label etc_runtime_t
2019-11-03 12:59:34 +01:00
Lukas Vrabec
0c284fe6fc
Update the macros based on changes from upstream repo
Ref: b2f1034f76

Resolves: #16
2019-11-01 17:25:21 +01:00
Jonathan Lebon
3597bdb094 Add /var/usrlocal equivalency rule
In OSTree-based systems, `/usr/local` is a symlink to `/var/usrlocal`.
But we still want the right labels for these files.

Ref: https://github.com/coreos/rpm-ostree/issues/1936
2019-10-31 16:50:38 -04:00
Lukas Vrabec
d7e7544fe0
* Fri Oct 25 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.5-11
- Allow confined users to run newaliases
- Add interface mysql_dontaudit_rw_db()
- Label /var/lib/xfsdump/inventory as amanda_var_lib_t
- Allow tmpreaper_t domain to read all domains state
- Make httpd_var_lib_t label system mountdir attribute
- Update cockpit policy
- Update timedatex policy to add macros, more detail below
- Allow nagios_script_t domain list files labled sysfs_t.
- Allow jetty_t domain search and read cgroup_t files.
- Donaudit ifconfig_t domain to read/write mysqld_db_t files
- Dontaudit domains read/write leaked pipes
2019-10-25 11:09:31 +02:00
Lukas Vrabec
9fb60ef78a
Add equivalence to /var/named/chroot/ /var
Resolves: rhbz#1525641
2019-10-25 10:16:01 +02:00