Commit Graph

5754 Commits

Author SHA1 Message Date
Lukas Vrabec
4c488a69fa * Wed Jan 20 2016 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-168
- Label virtlogd binary as virtd_exec_t. BZ(1291940)
- Allow iptables to read nsfs files. BZ(1296826)
2016-01-20 15:56:50 +01:00
Lukas Vrabec
6d3ee17c0b * Mon Jan 18 2016 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-167
- Add fwupd policy for daemon to allow session software to update device firmware
- Label /usr/libexec/ipa/oddjob/org.freeipa.server.conncheck as ipa_helper_exec_t. BZ(1289930)
- Allow systemd services to use PrivateNetwork feature
- Add a type and genfscon for nsfs.
- Fix SELinux context for rsyslog unit file. BZ(1284173)
2016-01-18 17:03:17 +01:00
Lukas Vrabec
3852fc17ea Add fwupd domain to permissivedomains 2016-01-18 14:53:09 +01:00
Lukas Vrabec
0cb9270926 Add fwupd module to modules-targeted-contrib.conf file. 2016-01-18 14:50:53 +01:00
Lukas Vrabec
7fe5489869 Fix typo troubles. 2016-01-13 17:18:32 +01:00
Lukas Vrabec
5d165e36c4 * Wed Jan 13 2016 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-166
- Allow logrotate to systemctl rsyslog service. BZ(1284173)
- Allow condor_master_t domain capability chown. BZ(1297048)
- Allow chronyd to be dbus bus client. BZ(1297129)
- Allow openvswitch read/write hugetlb filesystem.
- Revert "Allow openvswitch read/write hugetlb filesystem."
- Allow smbcontrol domain to send sigchld to ctdbd domain.
- Allow openvswitch read/write hugetlb filesystem.
- Merge branch 'rawhide-contrib' of github.com:fedora-selinux/selinux-policy into rawhide-contrib
- Label /var/log/ipareplica-conncheck.log file as ipa_log_t Allow ipa_helper_t domain to manage logs labeledas ipa_log_t Allow ipa_helper_t to connect on http and kerberos_passwd ports. BZ(1289930)
- Allow keepalived to connect to 3306/tcp port - mysqld_port_t.
- Merge remote-tracking branch 'refs/remotes/origin/rawhide-contrib' into rawhide-contrib
- Merge remote-tracking branch 'refs/remotes/origin/rawhide-contrib' into rawhide-contrib
- Merge pull request #86 from rhatdan/rawhide-contrib
- Label some new nsd binaries as nsd_exec_t Allow nsd domain net_admin cap. Create label nsd_tmp_t for nsd tmp files/dirs BZ (1293146)
- Added interface logging_systemctl_syslogd
- Label rsyslog unit file
- Added policy for systemd-coredump service. Added domain transition from kernel_t to systemd_coredump_t. Allow syslogd_t domain to read/write tmpfs systemd-coredump files. Make new domain uconfined for now.
2016-01-13 16:26:02 +01:00
Lukas Vrabec
936bb7a648 * Wed Jan 06 2016 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-165
- Allow sddm-helper running as xdm_t to create .wayland-errors with correct labeling. BZ(#1291085)
- Revert "Allow arping running as netutils_t sys_module capability for removing tap devices."
- Allow arping running as netutils_t sys_module capability for removing tap devices.
- Add userdom_connectto_stream() interface.
- Allow systemd-logind to read /run/utmp. BZ(#1278662)
- Allow sddm-helper running as xdm_t to create .wayland-errors with correct labeling. BZ(#1291085)
- Revert "Allow arping running as netutils_t sys_module capability for removing tap devices."
- Allow arping running as netutils_t sys_module capability for removing tap devices.
- Add userdom_connectto_stream() interface.
- Allow systemd-logind to read /run/utmp. BZ(#1278662)
2016-01-06 12:19:09 +01:00
Lukas Vrabec
f1750fb373 * Tue Dec 15 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-164
- Allow firewalld to create firewalld_var_run_t directory. BZ(1291243)
- Add interface firewalld_read_pid_files()
- Allow iptables to read firewalld pid files. BZ(1291243)
- Allow the user cronjobs to run in their userdomain
- Label ssdm binaries storedin /etc/sddm/ as bin_t. BZ(1288111)
- Merge pull request #81 from rhatdan/rawhide-base
- New access needed by systemd domains
2015-12-15 18:23:46 +01:00
Lukas Vrabec
ad3add7345 Add missing noreplace flag to file: %{_sysconfdir}/selinux/%1/contexts/files/file_contexts.local
This should keep local modification of policy after update/downgrade
selinux-policy package.

Thanks plautrba@redhat.com
2015-12-15 16:09:20 +01:00
Lukas Vrabec
5c898c0814 * Wed Dec 09 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-163
- Allow whack executed by sysadm SELinux user to access /var/run/pluto/pluto.ctl. It fixes "ipsec auto --status" executed by sysadm_t.
- Add ipsec_read_pid() interface
2015-12-09 14:42:39 +01:00
Miroslav Grepl
2b449e6e35 - Label /usr/sbin/lvmlockd binary file as lvm_exec_t. BZ(1287739)
- Adding support for dbus communication between systemd-networkd and systemd-hostnamed. BZ(1279182)
- Update init policy to have userdom_noatsecure_login_userdomain() and userdom_sigchld_login_userdomain() called for init_t.
- init_t domain should be running without unconfined_domain attribute.
- Add a new SELinux policy for /usr/lib/systemd/systemd-rfkill.
- Update userdom_transition_login_userdomain() to have "sigchld" and "noatsecure" permissions.
- systemd needs to access /dev/rfkill on early boot.
- Allow dspam to read /etc/passwd
2015-12-07 09:19:29 +01:00
Lukas Vrabec
71a663b812 * Mon Nov 30 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-161
- Set default value as true in boolean mozilla_plugin_can_network_connect. BZ(1286177)
2015-11-30 12:48:01 +01:00
Lukas Vrabec
e5fd601a61 Set default value as true in boolean mozilla_plugin_can_network_connect. 2015-11-27 16:21:05 +01:00
Lukas Vrabec
78826f0b99 * Tue Nov 24 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-160
- Allow apcupsd sending mails about battery state. BZ(1274018)
- Allow pcp_pmcd_t domain transition to lvm_t. BZ(1277779)
- Merge pull request #68 from rhatdan/rawhide-contrib
- Allow antivirus_t to bind to all unreserved ports. Clamd binds to random unassigned port (by default in range 1024-2048). #1248785
-  Allow systemd-networkd to bind dhcpd ports if DHCP=yes in *.network conf file. BZ(#1280092)
- systemd-tmpfiles performs operations on System V IPC objects which requires sys_admin capability. BZ(#1279269)
2015-11-24 15:49:54 +01:00
Miroslav Grepl
2fc3e7cbba /usr/sbim/semanage has been moved to policycoreutils-python-utils package which needs to be require in Post section for selinux-policy-minumum package. 2015-11-20 15:51:27 +01:00
Miroslav Grepl
0e84535c7a - Allow antivirus_t to bind to all unreserved ports. Clamd binds to random unassigned port (by default in range 1024-2048)
- Allow abrt-hook-ccpp to change SELinux user identity for created objects.
- Allow abrt-hook-ccpp to get attributes of all processes because of core_pattern.
- Allow setuid/setgid capabilities for abrt-hook-ccpp.
- Add default labeling for /etc/Pegasus/cimserver_current.conf. It is a correct patch instead of the current /etc/Pegasus/pegasus_current.conf.
- Allow fenced node dbus msg when using foghorn witch configured foghorn, snmpd, and snmptrapd.
- cockpit has grown content in /var/run directory
- Add support for /dev/mptctl device used to check RAID status.
- Allow systemd-hostnamed to communicate with dhcp via dbus.
- systemd-logind remove all IPC objects owned by a user on a logout. This covers also SysV memory. This change allows to destroy unpriviledged user SysV shared memory segments.
- Add userdom_destroy_unpriv_user_shared_mem() interface.
- Label /var/run/systemd/shutdown directory as systemd_logind_var_run_t to allow systemd-logind to access it if shutdown is invoked.
- Access needed by systemd-machine to manage docker containers
- Allow systemd-logind to read /run/utmp when shutdown is invoked.
2015-11-20 10:09:52 +01:00
Miroslav Grepl
982e483908 We need to cop *.local policy files to keep local customizations also after upgrades between old and new module store location. BZ(#1279621). 2015-11-12 16:01:20 +01:00
Miroslav Grepl
db55b65949 - Merge pull request #48 from lkundrak/contrib-openfortivpn
- unbound wants to use ephemeral ports as a default configuration. Allow to use also udp sockets.
2015-11-10 10:24:32 +01:00
Miroslav Grepl
5c3fd596c9 Add support for openfortivpn 2015-11-10 08:18:14 +01:00
Miroslav Grepl
02b374489f - The ABRT coredump handler has code to emulate default core file creation The handler runs in a separate process with abrt_dump_oops_t SELinux process type. abrt-hook-ccpp also saves the core dump file in the very same way as kernel does and a user can specify CWD location for a coredump. abrt-hook-ccpp has been made as a SELinux aware apps to create this coredumps with correct labeling and with this commit the policy rules have been updated to allow access all non security files on a system.
- Since /dev/log is a symlink, we need to allow relabelto also symlink. This commit update logging_relabel_devlog_dev() interface to allow it.
- systemd-user has pam_selinux support and needs to able to compute user security context if init_t is not unconfined domain.
2015-11-09 15:04:44 +01:00
Lukas Vrabec
0a89ba84bd We want conflicts with docker-selinux not docker package. 2015-10-27 16:14:11 +01:00
Lukas Vrabec
66791f96f6 * Tue Oct 27 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-156
- Allow fail2ban-client to execute ldconfig. #1268715
- Add interface virt_sandbox_domain()
- Use mmap_file_perms instead of exec_file_perms in setroubleshoot policy to shave off the execute_no_trans permission. Based on a github communication with Dominick Grift.
-all userdom_dontaudit_user_getattr_tmp_sockets instead() of usedom_dontaudit_user_getattr_tmp_sockets().
- Rename usedom_dontaudit_user_getattr_tmp_sockets() to userdom_dontaudit_user_getattr_tmp_sockets().
- Remove auth_login_pgm_domain(init_t) which has been added by accident.
- init_t needs to able to change SELinux identity because it is used as login_pgm domain because of systemd-user and PAM. It allows security_compute_user() returns a list of possible context and then a correct default label is returned by "selinux.get_default_context(sel_user,fromcon)" defined in the policy user config files.
- Add interface auth_use_nsswitch() to systemd_domain_template.
- Revert "auth_use_nsswitch can be used with attribute systemd_domain."
- auth_use_nsswitch can be used with attribute systemd_domain.
- ipsec: fix stringSwan charon-nm
- docker is communicating with systemd-machined
- Add missing systemd_dbus_chat_machined, needed by docker
2015-10-27 14:23:44 +01:00
Lukas Vrabec
0f46e07ae6 Add conflict with docker lower or eq as docker-1.9.0-9 2015-10-27 14:14:33 +01:00
Miroslav Grepl
856e20097e Update make-rhat-patches.sh to avoid git-checkout for patches creation. 2015-10-23 11:06:11 +02:00
Lukas Vrabec
03d22f204f Add smart script to create the latest selinux-policy patches from github and also download the latest docker policy from github 2015-10-22 16:39:15 +02:00
Lukas Vrabec
0bd6f9778c Add actual docker policy from docker-selinux repo. 2015-10-20 16:50:46 +02:00
Lukas Vrabec
5d2c760e35 * Tue Oct 20 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-155
- Build including docker selinux interfaces.
2015-10-20 16:28:15 +02:00
Lukas Vrabec
fadb0d2542 docker policy files support 2015-10-20 16:26:28 +02:00
Lukas Vrabec
0bdc2482e7 * Tue Oct 20 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-154
- Allow winbindd to send signull to kernel. BZ(#1269193)
- Merge branch 'rawhide-contrib-chrony' into rawhide-contrib
- Fixes for chrony version 2.2 BZ(#1259636)
  * Allow chrony chown capability
  * Allow sendto dgram_sockets to itself and to unconfined_t domains.
- Merge branch 'rawhide-contrib-chrony' into rawhide-contrib
- Add boolean allowing mysqld to connect to http port. #1262125
- Merge pull request #52 from 1dot75cm/rawhide-base
- Allow systemd_hostnamed to read xenfs_t files. BZ(#1233877)
- Fix attribute in corenetwork.if.in
2015-10-20 15:11:36 +02:00
Lukas Vrabec
8c4eb92cbb Added also pkcs11proxyd domains to permissivedomains. 2015-10-15 13:42:05 +02:00
Vit Mojzis
263716cfef Set recently created domains as permissive for testing period. Enable new ipmievd domain. #1241453 2015-10-15 13:40:32 +02:00
Lukas Vrabec
2bd687c904 * Tue Oct 13 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-153
- Allow abrt_t to read sysctl_net_t files. BZ(#1194280)
- Merge branch 'rawhide-contrib' of github.com:fedora-selinux/selinux-policy into rawhide-contrib
- Add abrt_stub interface.
- Add support for new mock location - /usr/libexec/mock/mock. BZ(#1270972)
- Allow usbmuxd to access /run/udev/data/+usb:*. BZ(#1269633)
- Allow qemu-bridge-helper to read /dev/random and /dev/urandom. BZ(#1267217)
- Allow sssd_t to manage samba var files/dirs to SSSD's GPO support which is enabled against an Active Directory domain. BZ(#1225200).
- Add samba_manage_var_dirs() interface.
- Allow pcp_pmlogger to exec bin_t BZ(#1258698)
- Allow spamd to read system network state. BZ(1260234)
- Allow fcoemon to create netlink scsitransport sockets BZ(#1260882)
- Allow networkmanager to create networkmanager_var_lib_t files. BZ(1270201)
- Allow systemd-networkd to read XEN state for Xen hypervisor. BZ(#1269916)
- Add fs_read_xenfs_files() interface.
- Allow systemd_machined_t to send dbus msgs to all users and read/write /dev/ptmx to make 'machinectl shell' working correctly.
- Allow systemd running as init_t to override the default context for key creation. BZ(#1267850)
2015-10-13 18:34:04 +02:00
Lukas Vrabec
a6a2539c66 * Thu Oct 08 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-152
- Allow pcp_pmlogger to read system state. BZ(1258699)
- Allow cupsd to connect on socket. BZ(1258089)
- Allow named to bind on ephemeral ports. BZ(#1259766)
- Allow iscsid create netlink iscsid sockets.
- We need allow connect to xserver for all sandbox_x domain because we have one type for all sandbox processes.
- Allow NetworkManager_t and policykit_t read access to systemd-machined pid files. #1255305
- Add missing labeling for /usr/libexec/abrt-hook-ccpp as a part of #1245477 and #1242467 bugs.
- Allow search dirs in sysfs types in kernel_read_security_state.
- Fix kernel_read_security_state interface that source domain of this interface can search sysctl_fs_t dirs.
2015-10-08 15:52:24 +02:00
Lukas Vrabec
0927e3f742 * Fri Oct 02 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-151
- Update modules_filetrans_named_content() to make sure we don't get modules_dep labeling by filename transitions.
- Remove /usr/lib/modules/[^/]+/modules\..+ labeling
- Add modutils_read_module_deps_files() which is called from files_read_kernel_modules() for module deps which are still labeled as modules_dep_t.
- Remove modules_dep_t labeling for kernel module deps. depmod is a symlink to kmod which is labeled as insmod_exec_t which handles modules_object_t and there is no transition to modules_dep_t. Also some of these module deps are placed by cpio during install/update of kernel package.
2015-10-02 19:11:32 +02:00
Lukas Vrabec
61514837cc * Fri Oct 02 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-150
- Allow acpid to attempt to connect to the Linux kernel via generic netlink socket.
- Clean up pkcs11proxyd policy.
- We need to require sandbox_web_type attribute in sandbox_x_domain_template().
- Revert "depmod is a symlink to insmod so it runs as insmod_t. It causes that dep kernel modules files are not created with the correct labeling modules_dep_t. This fix adds filenamtrans rules for insmod_t."
- depmod is a symlink to insmod so it runs as insmod_t. It causes that dep kernel modules files are not created with the correct labeling modules_dep_t. This fix adds filenamtrans rules for insmod_t.
- Update files_read_kernel_modules() to contain modutils_read_module_deps() calling because module deps labeling has been updated and it allows to avoid regressions.
- Update modules_filetrans_named_content() interface to cover more modules.* files.
- New policy for systemd-machined. #1255305
- In Rawhide/F24, we added pam_selinux.so support for systemd-users to have user sessions running under correct SELinux labeling. It also supports another new feature with systemd+dbus and we have sessions dbuses running with the correct labeling - unconfined_dbus_t for example.
- Allow systemd-logind read access to efivarfs - Linux Kernel configuration options for UEFI systems (UEFI Runtime Variables). #1244973, #1267207 (partial solution)
- Merge pull request #42 from vmojzis/rawhide-base
- Add interface to allow reading files in efivarfs - contains Linux Kernel configuration options for UEFI systems (UEFI Runtime Variables)
2015-10-02 13:49:11 +02:00
Lukas Vrabec
b03747cd87 * Tue Sep 29 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-149
- Add few rules related to new policy for pkcs11proxyd
- Added new policy for pkcs11proxyd daemon
- We need to require sandbox_web_type attribute in sandbox_x_domain_template().
- Dontaudit abrt_t to rw lvm_lock_t dir.
- Allow abrt_d domain to write to kernel msg device.
- Add interface lvm_dontaudit_rw_lock_dir()
- Merge pull request #35 from lkundrak/lr-libreswan
2015-09-29 18:17:13 +02:00
Lukas Vrabec
23d80687e0 Make pkcs11proxyd policy active 2015-09-29 18:16:18 +02:00
Lukas Vrabec
ec0c1bc01e * Tue Sep 22 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-148
- Update config.tgz to reflect changes in default context for SELinux users related to pam_selinux.so which is now used in systemd-users.
- Added support for permissive domains
- Allow rpcbind_t domain to change file owner and group
- rpm-ostree has a daemon mode now and need to speak to polkit/logind for authorization. BZ(#1264988)
- Allow dnssec-trigger to send generic signal to Network-Manager. BZ(#1242578)
- Allow smbcontrol to create a socket in /var/samba which uses for a communication with smbd, nmbd and winbind.
- Revert "Add apache_read_pid_files() interface"
- Allow dirsrv-admin read httpd pid files.
- Add apache_read_pid_files() interface
- Add label for dirsrv-admin unit file.
- Allow qpid daemon to connect on amqp tcp port.
- Allow dirsrvadmin-script read /etc/passwd file Allow dirsrvadmin-script exec systemctl
- Add labels for afs binaries: dafileserver, davolserver, salvageserver, dasalvager
- Add lsmd_plugin_t sys_admin capability, Allow lsmd_plugin_t getattr from sysfs filesystem.
- Allow rhsmcertd_t send signull to unconfined_service_t domains.
- Revert "Allow pcp to read docker lib files."
- Label /usr/libexec/dbus-1/dbus-daemon-launch-helper  as dbusd_exec_t to have systemd dbus services running in the correct domain instead of unconfined_service_t if unconfined.pp module is enabled. BZ(#1262993)
- Allow pcp to read docker lib files.
- Revert "init_t needs to be login_pgm domain because of systemd-users + pam_selinux.so"
- Add login_userdomain attribute also for unconfined_t.
- Add userdom_login_userdomain() interface.
- Label /etc/ipa/nssdb dir as cert_t
- init_t needs to be login_pgm domain because of systemd-users + pam_selinux.so
- Add interface unconfined_server_signull() to allow domains send signull to unconfined_service_t
- Call userdom_transition_login_userdomain() instead of userdom_transition() in init.te related to pam_selinux.so+systemd-users.
- Add userdom_transition_login_userdomain() interface
- Allow user domains with login_userdomain to have entrypoint access on init_exec. It is needed by pam_selinux.so call in systemd-users. BZ(#1263350)
- Add init_entrypoint_exec() interface.
- Allow init_t to have transition allow rule for userdomain if pam_selinux.so is used in /etc/pam.d/systemd-user. It ensures that systemd user sessions will run with correct userdomain types instead of init_t. BZ(#1263350)
2015-09-22 18:00:08 +02:00
Lukas Vrabec
7c8404da3f Added support for permissive domains 2015-09-22 14:28:30 +02:00
Miroslav Grepl
7eb3be8dd0 Update config.tgz to reflect changes in default context for SELinux users related to pam_selinux.so which is now used in systemd-users. 2015-09-17 08:34:47 +02:00
Lukas Vrabec
2818673721 * Mon Sep 14 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-147
- named wants to access /proc/sys/net/ipv4/ip_local_port_range to get ehphemeral range. BZ(#1260272)
- Allow user screen domains to list directorires in HOMEDIR wit user_home_t labeling.
- Dontaudit fenced search gnome config
- Allow teamd running as NetworkManager_t to access netlink_generic_socket to allow multiple network interfaces to be teamed together. BZ(#1259180)
- Fix for watchdog_unconfined_exec_read_lnk_files, Add also dir search perms in watchdog_unconfined_exec_t.
- Sanlock policy update. #1255307   - New sub-domain for sanlk-reset daemon
- Fix labeling for fence_scsi_check script
- Allow openhpid to read system state Aloow openhpid to connect to tcp http port.
- Allow openhpid to read snmp var lib files.
- Allow openvswitch_t domains read kernel dependencies due to openvswitch run modprobe
- Fix regexp in chronyd.fc file
- systemd-logind needs to be able to act with /usr/lib/systemd/system/poweroff.target to allow shutdown system. BZ(#1260175)
- Allow systemd-udevd to access netlink_route_socket to change names for network interfaces without unconfined.pp module. It affects also MLS.
- Allow unconfined_t domains to create /var/run/xtables.lock with iptables_var_run_t
- Remove bin_t label for /usr/share/cluster/fence_scsi_check\.pl
2015-09-14 09:29:16 +02:00
Lukas Vrabec
73a6a99de0 Add files homedir_template and users_extra to selinux-policy-* packages. 2015-09-09 10:23:56 +02:00
Lukas Vrabec
f1ab24fa93 * Tue Sep 01 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-146
- Allow passenger to getattr filesystem xattr
- Revert "Allow pegasus_openlmi_storage_t create mdadm.conf.anacbak file in /etc."
- Label mdadm.conf.anackbak as mdadm_conf_t file.
- Allow dnssec-ttrigger to relabel net_conf_t files. BZ(1251765)
- Allow dnssec-trigger to exec pidof. BZ(#1256737)
- Allow blueman to create own tmp files in /tmp. (#1234647)
- Add new audit_read access vector in capability2 class
- Add "binder" security class and access vectors
- Update netlink socket classes.
- Allow getty to read network state. BZ(#1255177)
- Remove labeling for /var/db/.*\.db as etc_t to label db files as system_db_t.
2015-09-01 18:25:49 +02:00
Lukas Vrabec
0d70340b72 * Sun Aug 30 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-145
- Allow watchdog execute fenced python script.
- Added inferface watchdog_unconfined_exec_read_lnk_files()
- Allow pmweb daemon to exec shell. BZ(1256127)
- Allow pmweb daemon to read system state. BZ(#1256128)
- Add file transition that cermonger can create /run/ipa/renewal.lock with label ipa_var_run_t.
- Revert "Revert default_range change in targeted policy"
- Allow dhcpc_t domain transition to chronyd_t
2015-08-30 23:03:47 +02:00
Lukas Vrabec
96de5661d2 * Mon Aug 24 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-144
- Allow pmlogger to create pmlogger.primary.socket link file. BZ(1254080)
- Allow NetworkManager send sigkill to dnssec-trigger. BZ(1251764)
- Add interface dnssec_trigger_sigkill
- Allow smsd use usb ttys. BZ(#1250536)
- Fix postfix_spool_maildrop_t,postfix_spool_flush_t contexts in postfix.fc file.
- Revert default_range change in targeted policy
- Allow systemd-sysctl cap. sys_ptrace  BZ(1253926)
2015-08-24 11:25:02 +02:00
Miroslav Grepl
f5f6812fa4 - Add ipmievd policy creaed by vmojzis@redhat.com
- Call kernel_load_module(vmware_host_t) to satisfy neverallow assertion for sys_moudle in MLS where unconfined is disabled.
- Allow NetworkManager to write audit log messages
- Add new policy for ipmievd (ipmitool).
- mirrormanager needs to be application domain and cron_system_entry needs to be called in optional block.
- Allow sandbox domain to be also /dev/mem writer
- Fix neverallow assertion for sys_module capability for openvswitch.
- kernel_load_module() needs to be called out of boolean for svirt_lxc_net_t.
- Fix neverallow assertion for sys_module capability.
- Add more attributes for sandbox domains to avoid neverallow assertion issues.
- Add neverallow asserition fixes related to storage.
- Allow exec pidof under hypervkvp domain. Allow hypervkvp daemon create connection to the system DBUS
- Allow openhpid_t to read system state.
- Add temporary fixes for sandbox related to #1103622. It allows to run everything under one sandbox type.
- Added labels for files provided by rh-nginx18 collection
- Dontaudit block_suspend capability for ipa_helper_t, this is kernel bug. Allow ipa_helper_t capability net_admin. Allow ipa_helper_t to list /tmp. Allow ipa_helper_t to read rpm db.
- Allow rhsmcertd exec rhsmcertd_var_run_t files and rhsmcerd_tmp_t files. This rules are in hide_broken_sympthons until we find better solution.
- Update files_manage_all_files to contain auth_reader_shadow and auth_writer_shadow tosatisfy neverallow assertions.
- Update files_relabel_all_files() interface to contain auth_relabelto_shadow() interface to satisfy neverallow assertion.
- seunshare domains needs to have set_curr_context attribute to resolve neverallow assertion issues.
- Add dev_raw_memory_writer() interface
- Add auth_reader_shadow() and auth_writer_shadow() interfaces
- Add dev_raw_memory_reader() interface.
- Add storage_rw_inherited_scsi_generic() interface.
- Update files_relabel_non_auth_files() to contain seutil_relabelto_bin_policy() to make neverallow assertion working.
- Update kernel_read_all_proc() interface to contain can_dump_kernel and can_receive_kernel_messages attributes  to fix neverallow violated issue for proc_kcore_t and proc_kmsg_t.
- Update storage_rw_inherited_fixed_disk_dev() interface to use proper attributes to fix neverallow violated issues caused by neverallow check during build process.
2015-08-21 10:11:52 +02:00
Miroslav Grepl
4d097300f6 We should be able to do builds with neverallow check with new 2.4 userspace and fix the latest policy fixes. 2015-08-20 18:17:21 +02:00
Vit Mojzis
53aa42deae Activate new blkmapd policy. 2015-08-20 12:37:22 +02:00
Lukas Vrabec
1ba0a986f6 * Tue Aug 18 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-142
- Allow samba_net_t to manage samba_var_t sock files.
- Allow httpd daemon to manage httpd_var_lib_t lnk_files.
- Allow collectd stream connect to pdns.(BZ #1191044)
- Add interface pdns_stream_connect()
- Merge branch 'rawhide-contrib' of github.com:fedora-selinux/selinux-policy into rawhide-contrib
- Allow chronyd exec systemctl
- Merge pull request #30 from vmojzis/rawhide-contrib
- Hsqldb policy upgrade -Allow sock_file management
- Add inteface chronyd_signal Allow timemaster_t send generic signals to chronyd_t.
- Hsqldb policy upgrade.  -Disallow hsqldb_tmp_t link_file management
- Hsqldb policy upgrade:  -Remove tmp link_file transition  -Add policy summary  -Remove redundant parameter for "hsqldb_admin" interface
- Label /var/run/chrony-helper dir as chronyd_var_run_t.
- Allow lldpad_t to getattr tmpfs_t. Label /dev/shm/lldpad.* as lldapd_tmpfs_t
- Fix label on /var/tmp/kiprop_0
- Add mountpoint dontaudit access check in rhsmcertd policy.
- Allow pcp_domain to manage pcp_var_lib_t lnk_files.
- Allow chronyd to execute mkdir command.
- Allow chronyd_t to read dhcpc state.
- Label /usr/libexec/chrony-helper as chronyd_exec_t
- Allow openhpid liboa_soap plugin to read resolv.conf file.
- Allow openhpid liboa_soap plugin to read generic certs.
- Allow openhpid use libwatchdog plugin. (Allow openhpid_t rw watchdog device)
- Allow logrotate to reload services.
- Allow apcupsd_t to read /sys/devices
- Allow kpropd to connect to kropd tcp port.
- Allow systemd_networkd to send logs to syslog.
- Added interface fs_dontaudit_write_configfs_dirs
- Allow audisp client to read system state.
- Label /var/run/xtables.lock as iptables_var_run_t.
-  Add labels for /dev/memory_bandwith and /dev/vhci. Thanks ssekidde
- Add interface to read/write watchdog device.
- Add transition rule for iptables_var_lib_t
2015-08-18 10:39:06 +02:00
Vit Mojzis
c4a368df4f Activate new hsqldb policy. 2015-08-17 15:05:14 +02:00