rpms
/
selinux-policy
7
0
Fork 0
Code Issues Pull Requests Releases Activity
6,145 Commits 8 Branches 89 Tags 36 MiB
Commit Graph

518 Commits

Author SHA1 Message Date
Lukas Vrabec c3cce98fea
* Thu Feb 14 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.3-22 
- Allow dovecot_t domain to connect to mysql db
- Add dac_override capability for sbd_t SELinux domain
- Add dac_override capability for  spamd_update_t domain
- Allow nnp transition for domains fsadm_t, lvm_t and mount_t - Add fs_manage_fusefs_named_pipes interface
 2019-02-14 17:52:26 +01:00
Lukas Vrabec 37bb67856f
* Tue Feb 12 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.3-21 
- Allow glusterd_t to write to automount unnamed pipe Resolves: rhbz#1674243
- Allow ddclient_t to setcap Resolves: rhbz#1674298
- Add dac_override capability to vpnc_t domain
- Add dac_override capability to spamd_t domain
- Allow ibacm_t domain to read system state and label all ibacm sockets and symlinks as ibacm_var_run_t in /var/run
- Allow read network state of system for processes labeled as ibacm_t
- Allow ibacm_t domain to send dgram sockets to kernel processes
- Allow dovecot_t to connect to MySQL UNIX socket
- Fix CI for use on forks
- Fix typo bug in sensord policy
- Update ibacm_t policy after testing lastest version of this component
- Allow sensord_t domain to mmap own log files
- Allow virt_doamin to read/write dev device
- Add dac_override capability for ipa_helper_t
- Update policy with multiple allow rules to make working installing VM in MLS policy
- Allow syslogd_t domain to send null signal to all domains on system Resolves: rhbz#1673847 - Merge branch 'rawhide' of github.com:fedora-selinux/selinux-policy into rawhide - Allow systemd-logind daemon to remove shared memory during logout Resolves: rhbz#1674172 - Always label /home symlinks as home_root_t - Update mount_read_pid_files macro to allow also list mount_var_run_t dirs - Fix typo bug in userdomain SELinux policy - Merge branch 'rawhide' of github.com:fedora-selinux/selinux-policy into rawhide - Allow user domains to stop systemd user sessions during logout process - Fix CI for use on forks - Label /dev/sev char device as sev_device_t - Add s_manage_fusefs_named_sockets interface - Allow systemd-journald to receive messages including a memfd
 2019-02-12 17:05:35 +01:00
Lukas Vrabec 6fe0e8a6a7
* Sat Feb 02 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.3-20 
- Allow sensord_t domain to use nsswitch and execute shell
- Allow opafm_t domain to execute lib_t files
- Allow opafm_t domain to manage kdump_crash_t files and dirs
- Allow virt domains to read/write cephfs filesystems
- Allow virtual machine to write to fixed_disk_device_t
- Update kdump_manage_crash() interface to allow also manage dirs by caller domain Resolves: rhbz#1491585
- Allow svnserve_t domain to create in /tmp svn_0 file labeled as krb5_host_rcache_t
- Allow vhostmd_t read libvirt configuration files
- Update dbus_role_template interface to allow userdomains to accept data from userdomain dbus domains
- Add miscfiles_filetrans_named_content_letsencrypt() to optional_block - Allow unconfined domains to create letsencrypt directory in /var/lib labeled as cert_t - Allow staff_t user to systemctl iptables units. - Allow systemd to read selinux logind config - obj_perm_sets.spt: Add xdp_socket to socket_class_set. - Add xdp_socket security class and access vectors - Allow transition from init_t domain to user_t domain during ssh login with confined user user_u
 2019-02-02 13:41:12 +01:00
Lukas Vrabec 5664a30563
Add missing sources 2019-01-29 16:58:50 +01:00
Lukas Vrabec ee38f3e105
* Tue Jan 29 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.3-19 
- Add new xdp_socket class
- Update dbus_role_template interface to allow userdomains to accept data from userdomain dbus domains
- Allow boltd_t domain to read cache_home_t files BZ(1669911)
- Allow winbind_t domain to check for existence of processes labeled as systemd_hostnamed_t BZ(1669912)
- Allow gpg_agent_t to create own tmpfs dirs and sockets
- Allow openvpn_t domain to manage vpnc pidfiles BZ(1667572)
- Add multiple interfaces for vpnc interface file
- Label /var/run/fcgiwrap dir as httpd_var_run_t BZ(1655702)
- In MongoDB 3.4.16, 3.6.6, 4.0.0 and later, mongod reads netstat info from proc and stores it in its diagnostic system (FTDC). See: https://jira.mongodb.org/browse/SERVER-31400 This means that we need to adjust the policy so that the mongod process is allowed to open and read /proc/net/netstat, which typically has symlinks (e.g. /proc/net/snmp).
- Allow gssd_t domain to manage kernel keyrings of every domain.
- Revert "Allow gssd_t domain to read/write kernel keyrings of every domain."
- Allow plymouthd_t search efivarfs directory BZ(1664143)
 2019-01-29 16:51:11 +01:00
Lukas Vrabec 1d650f7cbb
* Tue Jan 15 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.3-18 
- Allow plymouthd_t search efivarfs directory BZ(1664143)
- Allow arpwatch send e-mail notifications BZ(1657327)
- Allow tangd_t domain to bind on tcp ports labeled as tangd_port_t
- Allow gssd_t domain to read/write kernel keyrings of every domain.
- Allow systemd_timedated_t domain nnp_transition BZ(1666222)
- Add the fs_search_efivarfs_dir interface
- Create tangd_port_t with default label tcp/7406
- Add interface domain_rw_all_domains_keyrings()
- Some of the selinux-policy macros doesn't work in chroots/initial installs. BZ(1665643)
 2019-01-15 18:29:10 +01:00
Lukas Vrabec f1dd2fa0f0
* Fri Jan 11 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.3-17 
- Allow staff_t domain to read read_binfmt_misc filesystem
- Add interface fs_read_binfmt_misc()
- Revert "Allow staff_t to rw binfmt_misc_fs_t files BZ(1658975)"
 2019-01-11 16:07:53 +01:00
Lukas Vrabec 78bc214808
* Fri Jan 11 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.3-16 
- Allow sensord_t to execute own binary files
- Allow pcp_pmlogger_t domain to getattr all filesystem BZ(1662432)
- Allow virtd_lxc_t domains use BPF BZ(1662613)
- Allow openvpn_t domain to read systemd state BZ(1661065)
- Dontaudit ptrace all domains for blueman_t BZ(1653671)
- Used correct renamed interface for imapd_t domain
- Change label of /usr/libexec/lm_sensors/sensord-service-wrapper from lsmd_exec_t to sensord_exec_t BZ(1662922)
- Allow hddtemp_t domain to read nvme block devices BZ(1663579)
- Add dac_override capability to spamd_t domain BZ(1645667)
- Allow pcp_pmlogger_t to mount tracefs_t filesystem BZ(1662983)
- Allow pcp_pmlogger_t domain to read al sysctls BZ(1662441)
- Specify recipients that will be notified about build CI results.
- Allow saslauthd_t domain to mmap own pid files BZ(1653024)
- Add dac_override capability for snapperd_t domain BZ(1619356)
- Make kpatch_t domain application domain to allow users to execute kpatch in kpatch_t domain.
- Add ipc_owner capability to pcp_pmcd_t domain BZ(1655282)
- Update pulseaudio_stream_connect() to allow caller domain create stream sockets to cumminicate with pulseaudio
- Allow pcp_pmlogger_t domain to send signals to rpm_script_t BZ(1651030)
- Add new interface: rpm_script_signal()
- Allow init_t domain to mmap init_var_lib_t files and dontaudit leaked fd. BZ(1651008)
- Make workin: systemd-run --system --pty bash BZ(1647162)
- Allow ipsec_t domain dbus chat with systemd_resolved_t BZ(1662443)
- Allow staff_t to rw binfmt_misc_fs_t files BZ(1658975)
- Specify recipients that will be notified about build CI results.
- Label /usr/lib/systemd/user as systemd_unit_file_t BZ(1652814)
- Allow sysadm_t,staff_t and unconfined_t domain to execute kpatch as kpatch_t domain
- Add rules to allow systemd to mounton systemd_timedated_var_lib_t.
- Allow x_userdomains to stream connect to pulseaudio BZ(1658286)
 2019-01-11 12:46:15 +01:00
Lukas Vrabec 22bdc94c2b
* Fri Dec 06 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.14.3-14 
- Remove all ganesha bits from gluster and rpc policy
- Label /usr/share/spamassassin/sa-update.cron as spamd_update_exec_t
- Add dac_override capability to ssad_t domains
- Allow pesign_t domain to read gnome home configs
- Label /usr/libexec/lm_sensors/sensord-service-wrapper as lsmd_exec_t
- Allow rngd_t domains read kernel state
- Allow certmonger_t domains to read bind cache
- Allow ypbind_t domain to stream connect to sssd
- Allow rngd_t domain to setsched
- Allow sanlock_t domain to read/write sysfs_t files
- Add dac_override capability to postfix_local_t domain
- Allow ypbind_t to search sssd_var_lib_t dirs
- Allow virt_qemu_ga_t domain to write to user_tmp_t files
- Allow systemd_logind_t to dbus chat with virt_qemu_ga_t
- Update sssd_manage_lib_files() interface to allow also mmap sssd_var_lib_t files
- Add new interface sssd_signal()
- Update xserver_filetrans_home_content() and xserver_filetrans_admin_home_content() unterfaces to allow caller domain to create .vnc dir in users homedir labeled as xdm_home_t
- Update logging_filetrans_named_content() to allow caller domains of this interface to create /var/log/journal/remote directory labeled as var_log_t
- Add sys_resource capability to the systemd_passwd_agent_t domain
- Allow ipsec_t domains to read bind cache
- kernel/files.fc: Label /run/motd as etc_t
- Allow systemd to stream connect to userdomain processes
- Label /var/lib/private/systemd/ as init_var_lib_t
- Allow initrc_t domain to create new socket labeled as init_T
- Allow audisp_remote_t domain remote logging client to read local audit events from relevant socket.
- Add tracefs_t type to mountpoint attribute
- Allow useradd_t and groupadd_t domains to send signals to sssd_t
- Allow systemd_logind_t domain to remove directories labeled as tmpfs_t BZ(1648636)
- Allow useradd_t and groupadd_t domains to access sssd files because of the new feature in shadow-utils
 2018-12-06 16:43:04 +01:00
Lukas Vrabec 70c776a7bc
* Wed Nov 07 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.14.3-13 
- Update pesign policy to allow pesign_t domain to read bind cache files/dirs
- Add dac_override capability to mdadm_t domain
- Create ibacm_tmpfs_t type for the ibacm policy
- Dontaudit capability sys_admin for dhcpd_t domain
- Makes rhsmcertd_t domain an exception to the constraint preventing changing the user identity in object contexts.
- Allow abrt_t domain to mmap generic tmp_t files
- Label /usr/sbin/wpa_cli as wpa_cli_exec_t
- Allow sandbox_xserver_t domain write to user_tmp_t files
- Allow certutil running as ipsec_mgmt_t domain to mmap ipsec_mgmt pid files Dontaudit ipsec_mgmt_t domain to write to the all mountpoints
- Add interface files_map_generic_tmp_files()
- Add dac_override capability to the syslogd_t domain
- Create systemd_timedated_var_run_t label
- Update systemd_timedated_t domain to allow create own pid files/access init_var_lib_t files and read dbus files BZ(1646202)
- Add init_read_var_lib_lnk_files and init_read_var_lib_sock_files interfaces
 2018-11-07 23:34:46 +01:00
Lukas Vrabec e4f858261b
* Sun Nov 04 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.14.3-12 
- Dontaudit thumb_t domain to setattr on lib_t dirs BZ(1643672)
- Dontaudit cupsd_t domain to setattr lib_t dirs BZ(1636766)
- Add dac_override capability to postgrey_t domain BZ(1638954)
- Allow thumb_t domain to execute own tmpfs files BZ(1643698)
- Allow xdm_t domain to manage dosfs_t files BZ(1645770)
- Label systemd-timesyncd binary as systemd_timedated_exec_t to make it run in systemd_timedated_t domain BZ(1640801)
- Improve fs_manage_ecryptfs_files to allow caller domain also mmap ecryptfs_t files BZ(1630675)
- Label systemd-user-runtime-dir binary as systemd_logind_exec_t BZ(1644313)
 2018-11-04 19:53:51 +01:00
Lukas Vrabec 38e2f9cae4
Add missing sources from github 2018-11-04 02:05:17 +01:00
Lukas Vrabec 9fcbb6398f
* Sun Nov 04 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.14.3-11 
- Add nnp transition rule for vnstatd_t domain using NoNewPrivileges systemd feature BZ(1643063)
- Allow l2tpd_t domain to mmap /etc/passwd file BZ(1638948)
- Add dac_override capability to ftpd_t domain
- Allow gpg_t to create own tmpfs dirs and sockets
- Allow rhsmcertd_t domain to relabel cert_t files
- Add SELinux policy for kpatch
- Allow nova_t domain to use pam
- sysstat: grant sysstat_t the search_dir_perms set
- Label systemd-user-runtime-dir binary as systemd_logind_exec_t BZ(1644313)
- Allow systemd_logind_t to read fixed dist device BZ(1645631)
- Allow systemd_logind_t domain to read nvme devices BZ(1645567)
- Allow systemd_rfkill_t domain to comunicate via dgram sockets with syslogd BZ(1638981)
- kernel/files.fc: Label /run/motd.d(/.*)? as etc_t
- Allow ipsec_mgmt_t process to send signals other than SIGKILL, SIGSTOP, or SIGCHLD to the ipsec_t domains BZ(1638949)
- Allow X display manager to check status and reload services which are part of x_domain attribute
- Add interface miscfiles_relabel_generic_cert()
- Make kpatch policy active
- Fix userdom_write_user_tmp_dirs() to allow caller domain also read/write user_tmp_t dirs
- Dontaudit sys_admin capability for netutils_t domain
- Label tcp and udp ports 2611 as qpasa_agent_port_t
 2018-11-04 01:55:34 +01:00
Lukas Vrabec b602e5bcc1
* Tue Oct 16 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.14.3-10 
- Allow boltd_t domain to dbus chat with fwupd_t domain BZ(1633786)
 2018-10-16 00:18:59 +02:00
Lukas Vrabec 9b1e4d53d1
* Mon Oct 15 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.14.3-9 
- Allow caller domains using cron_*_role to have entrypoint permission on system_cron_spool_t files BZ(1625645)
- Add interface cron_system_spool_entrypoint()
- Bolt added d-bus API for force-powering the thunderbolt controller, so system-dbusd needs acces to boltd pipes BZ(1637676)
- Add interfaces for boltd SELinux module
- Add dac_override capability to modemmanager_t domain BZ(1636608)
- Allow systemd to mount boltd_var_run_t dirs BZ(1636823)
- Label correctly /var/named/chroot*/dev/unrandom in bind chroot.
 2018-10-15 17:44:05 +02:00
Lukas Vrabec 4b05ad26d8
* Sat Oct 13 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.14.3-8 
- ejabberd SELinux module removed, it's shipped by ejabberd-selinux package
 2018-10-13 22:39:48 +02:00
Lukas Vrabec c889572bdc
* Tue Oct 09 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.14.3-6 
- Allow boltd_t to be activated by init socket activation
- Allow virt_domain to read/write to virtd_t unix_stream socket because of new version of libvirt 4.4. BZ(1635803)
- Update SELinux policy for libreswan based on the latest rebase 3.26
- Fix typo in init_named_socket_activation interface
 2018-10-09 17:49:28 +02:00
Lukas Vrabec ef7c751093
* Thu Oct 04 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.14.3-5 
- Allow dictd_t domain to mmap dictd_var_lib_t files BZ(1634650)
- Fix typo in boltd.te policy
- Allow fail2ban_t domain to mmap journal
- Add kill capability to named_t domain
- Allow neutron domain to read/write /var/run/utmp
- Create boltd_var_run_t type for boltd pid files
- Allow tomcat_domain to read /dev/random
- Allow neutron_t domain to use pam
- Add the port used by nsca (Nagios Service Check Acceptor)
 2018-10-04 16:27:59 +02:00
Lukas Vrabec 7e236649a1
* Mon Sep 24 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.14.3-4 
- Update sources to include SELinux policy for containers
 2018-09-24 17:11:01 +02:00
Lukas Vrabec 5d5eb8e7fc
* Thu Sep 20 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.14.3-3 
- Allow certmonger to manage cockpit_var_run_t pid files
- Allow cockpit_ws_t domain to manage cockpit services
- Allow dirsrvadmin_script_t domain to list httpd_tmp_t dirs
- Add interface apache_read_tmp_dirs()
- Fix typo in cockpit interfaces we have cockpit_var_run_t files not cockpit_var_pid_t
- Add interface apcupsd_read_power_files()
- Allow systemd labeled as init_t to execute logrotate in logrotate_t domain
- Allow dac_override capability to amanda_t domain
- Allow geoclue_t domain to get attributes of fs_t filesystems
- Update selinux policy for rhnsd_t domain based on changes in spacewalk-2.8-client
- Allow cockpit_t domain to read systemd state
- Allow abrt_t domain to write to usr_t files
- Allow cockpit to create motd file in /var/run/cockpit
- Label /usr/sbin/pcsd as cluster_exec_t
- Allow pesign_t domain to getattr all fs
- Allow tomcat servers to manage usr_t files
- Dontaudit tomcat serves to append to /dev/random device
- Allow dirsrvadmin_script_t domain to read httpd tmp files
- Allow sbd_t domain to getattr of all char files in /dev and read sysfs_t files and dirs
- Fix path where are sources for CI
- Revert "Allow firewalld_t domain to read random device"
- Add travis CI for selinux-policy-contrib repo
- Allow postfix domains to mmap system db files
- Allow geoclue_t domain to execute own tmp files
- Update ibacm_read_pid_files interface to allow also reading link files
- Allow zebra_t domain to create packet_sockets
- Allow opafm_t domain to list sysfs
- Label /usr/libexec/cyrus-imapd/cyrus-master as cyris_exec_t
- Allow tomcat Tomcat to delete a temporary file used when compiling class files for JSPs.
- Allow chronyd_t domain to read virt_var_lib_t files
- Allow systemd to read apcupsd power files
- Revert "Allow polydomain to create /tmp-inst labeled as tmp_t"
- Allow polydomain to create /tmp-inst labeled as tmp_t
- Allow polydomain to create /tmp-inst labeled as tmp_t
- Allow systemd_resolved_t domain to bind on udp howl port
- Add new boolean use_virtualbox Resolves: rhbz#1510478
- Allow sshd_t domain to read cockpit pid files
- Allow syslogd_t domain to manage cert_t files
- Fix path where are sources for CI
- Add travis.yml to to create CI for selinux-policy sources
- Allow getattr as part of files_mounton_kernel_symbol_table.
- Fix typo "aduit" -> "audit"
- Revert "Add new interface dev_map_userio()"
- Add new interface dev_map_userio()
- Allow systemd to read ibacm pid files
 2018-09-20 08:54:04 +02:00
Lukas Vrabec 833e3136e5
* Thu Sep 06 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.14.3-2 
- Allow tomcat services create link file in /tmp
- Label /etc/shorewall6 as shorewall_etc_t
- Allow winbind_t domain kill in user namespaces
- Allow firewalld_t domain to read random device
- Allow abrt_t domain to do execmem
- Allow geoclue_t domain to execute own var_lib_t files
- Allow openfortivpn_t domain to read system network state
- Allow dnsmasq_t domain to read networkmanager lib files
- sssd: Allow to limit capabilities using libcap
- sssd: Remove unnecessary capability
- sssd: Do not audit usage of lib nss_systemd.so
- Fix bug in nsd.fc, /var/run/nsd.ctl is socket file not file
- Add correct namespace_init_exec_t context to /etc/security/namespace.d/*
- Update nscd_socket_use to allow caller domain to mmap nscd_var_run_t files
- Allow exim_t domain to mmap bin files
- Allow mysqld_t domain to executed with nnp transition
- Allow svirt_t domain to mmap svirt_image_t block files
- Add caps dac_read_search and dav_override to pesign_t domain
- Allow iscsid_t domain to mmap userio chr files
- Add read interfaces for mysqld_log_t that was added in commit df832bf
- Allow boltd_t to dbus chat with xdm_t
- Conntrackd need to load kernel module to work
- Allow mysqld sys_nice capability
- Update boltd policy based on SELinux denials from rhbz#1607974
- Allow systemd to create symlinks in for /var/lib
- Add comment to show that template call also allows changing shells
- Document userdom_change_password_template() behaviour
- update files_mounton_kernel_symbol_table() interface to allow caller domain also mounton system_map_t file
- Fix typo in logging SELinux module
- Allow usertype to mmap user_tmp_type files
- In domain_transition_pattern there is no permission allowing caller domain to execu_no_trans on entrypoint, this patch fixing this issue
- Revert "Add execute_no_trans permission to mmap_exec_file_perms pattern"
- Add boolean: domain_can_mmap_files.
- Allow ipsec_t domian to mmap own tmp files
- Add .gitignore file
- Add execute_no_trans permission to mmap_exec_file_perms pattern
- Allow sudodomain to search caller domain proc info
- Allow audisp_remote_t domain to read auditd_etc_t
- netlabel: Remove unnecessary sssd nsswitch related macros
- Allow to use sss module in auth_use_nsswitch
- Limit communication with init_t over dbus
- Add actual modules.conf to the git repo
- Add few interfaces to optional block
- Allow sysadm_t and staff_t domain to manage systemd unit files
- Add interface dev_map_userio_dev()
 2018-09-06 22:33:33 +02:00
Lukas Vrabec 046756d71a
* Tue Aug 28 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.14.3-1 
- Allow ovs-vswitchd labeled as openvswitch_t domain communicate with qemu-kvm via UNIX stream socket
- Add interface devicekit_mounton_var_lib()
- Allow httpd_t domain to mmap tmp files
- Allow tcsd_t domain to have dac_override capability
- Allow cupsd_t to rename cupsd_etc_t files
- Allow iptables_t domain to create rawip sockets
- Allow amanda_t domain to mmap own tmpfs files
- Allow fcoemon_t domain to write to sysfs_t dirs
- Allow dovecot_auth_t domain to have dac_override capability
- Allow geoclue_t domain to mmap own tmp files
- Allow chronyc_t domain to read network state
- Allow apcupsd_t domain to execute itself
- Allow modemmanager_t domain to stream connect to sssd
- Allow chonyc_t domain to rw userdomain pipes
- Update dirsrvadmin_script_t policy to allow read httpd_tmp_t symlinks
- Update dirsrv_read_share() interface to allow caller domain to mmap dirsrv_share_t files
- Allow nagios_script_t domain to mmap nagios_spool_t files
- Allow geoclue_t domain to mmap geoclue_var_lib_t files
- Allow geoclue_t domain to map generic certs
- Update munin_manage_var_lib_files to allow manage also dirs
- Allow nsd_t domain to create new socket file in /var/run/nsd.ctl
- Fix typo in virt SELinux policy module
- Allow virtd_t domain to create netlink_socket
- Allow rpm_t domain to write to audit
- Allow nagios_script_t domain to mmap nagios_etc_t files
- Update nscd_socket_use() to allow caller domain to stream connect to nscd_t
- Allow kdumpctl_t domain to getattr fixed disk device in mls
- Fix typo in stapserver policy
- Dontaudit abrt_t domain to write to usr_t dirs
- Revert "Allow rpcbind to bind on all unreserved udp ports"
- Allow rpcbind to bind on all unreserved udp ports
- Allow virtlogd to execute itself
- Allow stapserver several actions: - execute own tmp files - mmap stapserver_var_lib_t files - create stapserver_tmpfs_t files
- Allow ypxfr_t domain to stream connect to rpcbind and allos search sssd libs
- Allos systemd to socket activate ibacm service
- Allow dirsrv_t domain to mmap user_t files
- Allow kdumpctl_t domain to manage kdumpctl_tmp_t fifo files
- Allow kdumpctl to write to files on all levels
- Allow httpd_t domain to mmap httpd_config_t files
- Allow sanlock_t domain to connectto to unix_stream_socket
- Revert "Add same context for symlink as binary"
- Allow mysql execute rsync
- Update nfsd_t policy because of ganesha features
- Allow conman to getattr devpts_t
- Allow tomcat_domain to connect to smtp ports
- Allow tomcat_t domain to mmap tomcat_var_lib_t files
- Allow nagios_t domain to mmap nagios_log_t files
- Allow kpropd_t domain to mmap krb5kdc_principal_t files
- Allow kdumpctl_t domain to read fixed disk storage
 2018-08-29 00:10:24 +02:00
Lukas Vrabec 354ea12800
* Fri Aug 10 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.14.2-32 
- Fix issue with aliases in apache interface file
- Add same context for symlink as binary
- Allow boltd_t to send logs to journal
- Allow colord_use_nfs to allow colord also mmap nfs_t files
- Allow mysqld_safe_t do execute itself
- Allow smbd_t domain to chat via dbus with avahi daemon
- cupsd_t domain will create /etc/cupsd/ppd as cupsd_etc_rw_t
- Update screen_role_template to allow caller domain to have screen_exec_t as entrypoint do new domain
- Add alias httpd__script_t to _script_t to make sepolicy generate working
- Allow gpg_t domain to mmap gpg_agent_tmp_t files
- label /var/lib/pgsql/data/log as postgresql_log_t
- Allow sysadm_t domain to accept socket
- Allow systemd to manage passwd_file_t
- Allow sshd_t domain to mmap user_tmp_t files
 2018-08-10 17:26:19 +02:00
Lukas Vrabec bb7c753263
* Tue Aug 07 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.14.2-31 
- Allow kprop_t domain to read network state
- Add support boltd policy
- Allow kpropd domain to exec itself
- Allow pdns_t to bind on tcp transproxy port
- Add support for opafm service
- Allow hsqldb_t domain to read cgroup files
- Allow rngd_t domain to read generic certs
- Allow innd_t domain to mmap own var_lib_t files
- Update screen_role_temaplate interface
- Allow chronyd_t domain to mmap own tmpfs files
- Allow sblim_sfcbd_t domain to mmap own tmpfs files
- Allow systemd to mounont boltd lib dirs
- Allow sysadm_t domain to create rawip sockets
- Allow sysadm_t domain to listen on socket
- Update sudo_role_template() to allow caller domain also setattr generic ptys
- Update logging_manage_all_logs() interface to allow caller domain map all logfiles
 2018-08-07 15:54:42 +02:00
Lukas Vrabec da3bd2ceb6
* Sun Jul 29 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.14.2-30 
- Allow sblim_sfcbd_t domain to mmap own tmpfs files
- Allow nfsd_t domain to read krb5 keytab files
- Allow nfsd_t domain to manage fadm pid files
- Allow virt_domain to create icmp sockets BZ(1609142)
- Dontaudit oracleasm_t domain to request sys_admin capability
- Update logging_manage_all_logs() interface to allow caller domain map all logfiles
 2018-07-29 17:17:33 +02:00
Lukas Vrabec 539110c25c
* Wed Jul 25 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.14.2-29 
- Allow aide to mmap all files
- Revert "Allow firewalld to create rawip sockets"
- Revert "Allow firewalld_t do read iptables_var_run_t files"
- Allow svirt_tcg_t domain to read system state of virtd_t domains
- Update rhcs contexts to reflects the latest fenced changes
- Allow httpd_t domain to rw user_tmp_t files
- Fix typo in openct policy
- Allow winbind_t domian to connect to all ephemeral ports
- Allow firewalld_t do read iptables_var_run_t files
- Allow abrt_t domain to mmap data_home files
- Allow glusterd_t domain to mmap user_tmp_t files
- Allow mongodb_t domain to mmap own var_lib_t files
- Allow firewalld to read kernel usermodehelper state
- Allow modemmanager_t to read sssd public files
- Allow openct_t domain to mmap own var_run_t files
- Allow nnp transition for devicekit daemons
- Allow firewalld to create rawip sockets
- Allow firewalld to getattr proc filesystem
- Dontaudit sys_admin capability for pcscd_t domain
- Revert "Allow pcsd_t domain sys_admin capability"
- Allow fetchmail_t domain to stream connect to sssd
- Allow pcsd_t domain sys_admin capability
- Allow cupsd_t to create cupsd_etc_t dirs
- Allow varnishlog_t domain to list varnishd_var_lib_t dirs
- Allow mongodb_t domain to read system network state BZ(1599230)
- Allow tgtd_t domain to create dirs in /var/run labeled as tgtd_var_run_t BZ(1492377)
- Allow iscsid_t domain to mmap sysfs_t files
- Allow httpd_t domain to mmap own cache files
- Add sys_resource capability to nslcd_t domain
- Fixed typo in logging_audisp_domain interface
- Add interface files_mmap_all_files()
- Add interface iptables_read_var_run()
- Allow systemd to mounton init_var_run_t files
- Update policy rules for auditd_t based on changes in audit version 3
- Allow systemd_tmpfiles_t do mmap system db files
- Merge branch 'rawhide' of github.com:fedora-selinux/selinux-policy into rawhide
- Improve domain_transition_pattern to allow mmap entrypoint bin file.
- Don't setup unlabeled_t as an entry_type
- Allow unconfined_service_t to transition to container_runtime_t
 2018-07-25 23:42:34 +02:00
Lukas Vrabec 35bcefb9e1
* Wed Jul 18 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.14.2-28 
- Allow cupsd_t domain to mmap cupsd_etc_t files
- Allow kadmind_t domain to mmap krb5kdc_principal_t
- Allow virtlogd_t domain to read virt_etc_t link files
- Allow dirsrv_t domain to read crack db
- Dontaudit pegasus_t to require sys_admin capability
- Allow mysqld_t domain to exec mysqld_exec_t binary files
- Allow abrt_t odmain to read rhsmcertd lib files
- Allow winbind_t domain to request kernel module loads
- Allow tomcat_domain to read cgroup_t files
- Allow varnishlog_t domain to mmap varnishd_var_lib_t files
- Allow innd_t domain to mmap news_spool_t files
- Label HOME_DIR/mozilla.pdf file as mozilla_home_t instead of user_home_t
- Allow fenced_t domain to reboot
- Allow amanda_t domain to read network system state
- Allow abrt_t domain to read rhsmcertd logs
- Fix typo in radius policy
- Update zoneminder policy to reflect latest features in zoneminder BZ(1592555)
- Label /usr/bin/esmtp-wrapper as sendmail_exec_t
- Update raid_access_check_mdadm() interface to dontaudit caller domain to mmap mdadm_exec_t binary files
- Dontaudit thumb to read mmap_min_addr
- Allow chronyd_t to send to system_cronjob_t via unix dgram socket BZ(1494904)
- Allow mpd_t domain to mmap mpd_tmpfs_t files BZ(1585443)
- Allow collectd_t domain to use ecryptfs files BZ(1592640)
- Dontaudit mmap home type files for abrt_t domain
- Allow fprintd_t domain creating own tmp files BZ(1590686)
- Allow collectd_t domain to bind on bacula_port_t BZ(1590830)
- Allow fail2ban_t domain to getpgid BZ(1591421)
- Allow nagios_script_t domain to mmap nagios_log_t files BZ(1593808)
- Allow pcp_pmcd_t domain to use sys_ptrace usernamespace cap
- Allow sssd_selinux_manager_t to read/write to systemd sockets BZ(1595458)
- Allow virt_qemu_ga_t domain to read network state BZ(1592145)
- Allow radiusd_t domain to mmap radius_etc_rw_t files
- Allow git_script_t domain to read and mmap gitosis_var_lib_t files BZ(1591729)
- Add dac_read_search capability to thumb_t domain
- Add dac_override capability to cups_pdf_t domain BZ(1594271)
- Add net_admin capability to connntrackd_t domain BZ(1594221)
- Allow gssproxy_t domain to domtrans into gssd_t domain BZ(1575234)
- Fix interface init_dbus_chat in oddjob SELinux policy BZ(1590476)
- Allow motion_t to mmap video devices BZ(1590446)
- Add dac_override capability to mpd_t domain BZ(1585358)
- Allow fsdaemon_t domain to write to mta home files BZ(1588212)
- Allow virtlogd_t domain to chat via dbus with systemd_logind BZ(1589337)
- Allow sssd_t domain to write to general cert files BZ(1589339)
- Allow l2tpd_t domain to sends signull to ipsec domains BZ(1589483)
- Allow cockpit_session_t to read kernel network state BZ(1596941)
- Allow devicekit_power_t start with nnp systemd security feature with proper SELinux Domain transition BZ(1593817)
- Update rhcs_rw_cluster_tmpfs() interface to allow caller domain to mmap cluster_tmpfs_t files
- Allow chronyc_t domain to use nscd shm
- Label /var/lib/tomcats dir as tomcat_var_lib_t
 2018-07-18 17:37:07 +02:00
Lukas Vrabec 985fc6104c
* Wed Jun 27 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.14.2-26 
- Allow psad domain to setrlimit. Allow psad domain to stream connect to dbus Allow psad domain to exec journalctl_exec_t binary
- Update cups_filetrans_named_content() to allow caller domain create ppd directory with cupsd_etc_rw_t label
- Allow abrt_t domain to write to rhsmcertd pid files
- Allow pegasus_t domain to eexec lvm binaries and allow read/write access to lvm control
- Add vhostmd_t domain to read/write to svirt images
- Update kdump_manage_kdumpctl_tmp_files() interface to allow caller domain also mmap kdumpctl_tmp_t files
- Allow sssd_t and slpad_t domains to mmap generic certs
- Allow chronyc_t domain use inherited user ttys
- Allow stapserver_t domain to mmap own tmp files
- Update nscd_dontaudit_write_sock_file() to dontaudit also stream connect to nscd_t domain
- Merge pull request #60 from vmojzis/rawhide
- Allow tangd_t domain stream connect to sssd
- Allow oddjob_t domain to chat with systemd via dbus
- Allow freeipmi domains to mmap sysfs files
- Fix typo in logwatch interface file
- Allow sysadm_t and staff_t domains to use sudo io logging
- Allow sysadm_t domain create sctp sockets
- Allow traceroute_t domain to exec bin_t binaries
- Allow systemd_passwd_agent_t domain to list sysfs Allow systemd_passwd_agent_t domain to dac_override
- Add new interface dev_map_sysfs()
 2018-06-27 10:25:55 +02:00
Lukas Vrabec f4debe939a
* Thu Jun 14 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.14.2-25 
- Merge pull request #60 from vmojzis/rawhide
- Allow tangd_t domain stream connect to sssd
- Allow oddjob_t domain to chat with systemd via dbus
- Allow freeipmi domains to mmap sysfs files
- Fix typo in logwatch interface file
- Allow spamd_t to manage logwatch_cache_t files/dirs
- Allow dnsmasw_t domain to create own tmp files and manage mnt files
- Allow fail2ban_client_t to inherit rlimit information from parent process
- Allow nscd_t to read kernel sysctls
- Label /var/log/conman.d as conman_log_t
- Add dac_override capability to tor_t domain
- Allow certmonger_t to readwrite to user_tmp_t dirs
- Allow abrt_upload_watch_t domain to read general certs
- Allow chornyd_t read phc2sys_t shared memory
- Add several allow rules for pesign policy:
- Add setgid and setuid capabilities to mysqlfd_safe_t domain
- Add tomcat_can_network_connect_db boolean
- Update virt_use_sanlock() boolean to read sanlock state
- Add sanlock_read_state() interface
- Allow zoneminder_t to getattr of fs_t
- Allow rhsmcertd_t domain to send signull to postgresql_t domain
- Add log file type to collectd and allow corresponding access
- Allow policykit_t domain to dbus chat with dhcpc_t
- Allow traceroute_t domain to exec bin_t binaries
- Allow systemd_passwd_agent_t domain to list sysfs Allow systemd_passwd_agent_t domain to dac_override
- Add new interface dev_map_sysfs()
- Allow sshd_keygen_t to execute plymouthd
- Allow systemd_networkd_t create and relabel tun sockets
- Add new interface postgresql_signull()
 2018-06-14 15:31:59 +02:00
Lukas Vrabec 1d35f9ea76
* Tue Jun 12 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.14.2-24 
- /usr/libexec/bluetooth/obexd should have only obexd_exec_t instead of bluetoothd_exec_t type
- Allow ntop_t domain to create/map various sockets/files.
- Enable the dictd to communicate via D-bus.
- Allow inetd_child process to chat via dbus with abrt
- Allow zabbix_agent_t domain to connect to redis_port_t
- Allow rhsmcertd_t domain to read xenfs_t files
- Allow zabbix_agent_t to run zabbix scripts
- Fix openvswith SELinux module
- Fix wrong path in tlp context file BZ(1586329)
- Update brltty SELinux module
- Allow rabbitmq_t domain to create own tmp files/dirs
- Allow policykit_t mmap policykit_auth_exec_t files
- Allow ipmievd_t domain to read general certs
- Add sys_ptrace capability to pcp_pmie_t domain
- Allow squid domain to exec ldconfig
- Update gpg SELinux policy module
- Allow mailman_domain to read system network state
- Allow openvswitch_t domain to read neutron state and read/write fixed disk devices
- Allow antivirus_domain to read all domain system state
- Allow targetd_t domain to red gconf_home_t files/dirs
- Label /usr/libexec/bluetooth/obexd as obexd_exec_t
- Add interface nagios_unconfined_signull()
- Fix typos in zabbix.te file
- Add missing requires
- Allow tomcat domain sends email
- Fix typo in sge policy
- Merge pull request #214 from wrabcak/fb-dhcpc
- Allow dhcpc_t creating own socket files inside /var/run/ Allow dhcpc_t creating netlink_kobject_uevent_socket, netlink_generic_socket, rawip_socket BZ(1585971)
- Allow confined users get AFS tokens
- Allow sysadm_t domain to chat via dbus
- Associate sysctl_kernel_t type with filesystem attribute
- Allow syslogd_t domain to send signull to nagios_unconfined_plugin_t
- Fix typo in netutils.te file
 2018-06-12 14:22:02 +02:00
Lukas Vrabec 4cca30aa93
* Wed Jun 06 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.14.2-23 
- Add dac_override capability to sendmail_t domian
 2018-06-06 13:16:15 +02:00
Lukas Vrabec 318acc9510
* Wed Jun 06 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.14.2-22 
- Fix typo in authconfig policy
- Update ctdb domain to support gNFS setup
- Allow authconfig_t dbus chat with policykit
- Allow lircd_t domain to read system state
- Revert "Allow fsdaemon_t do send emails BZ(1582701)"
- Typo in uuidd policy
- Allow tangd_t domain read certs
- Allow vpnc_t domain to read configfs_t files/dirs BZ(1583107)
- Allow vpnc_t domain to read generic certs BZ(1583100)
- Label /var/lib/phpMyAdmin directory as httpd_sys_rw_content_t BZ(1584811)
- Allow NetworkManager_ssh_t domain to be system dbud client
- Allow virt_qemu_ga_t read utmp
- Add capability dac_override to system_mail_t domain
- Update uuidd policy to reflect last changes from base branch
- Add cap dac_override to procmail_t domain
- Allow sendmail to mmap etc_aliases_t files BZ(1578569)
- Add new interface dbus_read_pid_sock_files()
- Allow mpd_t domain read config_home files if mpd_enable_homedirs boolean will be enabled
- Allow fsdaemon_t do send emails BZ(1582701)
- Allow firewalld_t domain to request kernel module BZ(1573501)
- Allow chronyd_t domain to send send msg via dgram socket BZ(1584757)
- Add sys_admin capability to fprint_t SELinux domain
- Allow cyrus_t domain to create own files under /var/run BZ(1582885)
- Allow cachefiles_kernel_t domain to have capability dac_override
- Update policy for ypserv_t domain
- Allow zebra_t domain to bind on tcp/udp ports labeled as qpasa_agent_port_t
- Allow cyrus to have dac_override capability
- Dontaudit action when abrt-hook-ccpp is writing to nscd sockets
- Fix homedir polyinstantion under mls
- Fixed typo in init.if file
- Allow systemd to remove generic tmpt files BZ(1583144)
- Update init_named_socket_activation() interface to also allow systemd create objects in /var/run with proper label during socket activation
- Allow systemd-networkd and systemd-resolved services read system-dbusd socket BZ(1579075)
- Fix typo in authlogin SELinux security module
- Allod nsswitch_domain attribute to be system dbusd client BZ(1584632)
- Allow audisp_t domain to mmap audisp_exec_t binary
- Update ssh_domtrans_keygen interface to allow mmap ssh_keygen_exec_t binary file
- Label tcp/udp ports 2612 as qpasa_agetn_port_t
 2018-06-06 10:25:52 +02:00
Lukas Vrabec 58acce3c84
* Sat May 26 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.14.2-21 
- Add dac_override to exim policy BZ(1574303)
- Fix typo in conntrackd.fc file
- Allow sssd_t to kill sssd_selinux_manager_t
- Allow httpd_sys_script_t to connect to mongodb_port_t if boolean httpd_can_network_connect_db  is turned on
- Allow chronyc_t to redirect ourput to /var/lib /var/log and /tmp
- Allow policykit_auth_t to read udev db files BZ(1574419)
- Allow varnishd_t do be dbus client BZ(1582251)
- Allow cyrus_t domain to mmap own pid files BZ(1582183)
- Allow user_mail_t domain to mmap etc_aliases_t files
- Allow gkeyringd domains to run ssh agents
- Allow gpg_pinentry_t domain read ssh state
- Allow sysadm_u use xdm
- Allow xdm_t domain to listen ofor unix dgram sockets BZ(1581495)
- Add interface ssh_read_state()
- Fix typo in sysnetwork.if file
 2018-05-26 00:25:28 +02:00
Lukas Vrabec 9364159b18
* Thu May 24 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.14.2-20 
- Allow tangd_t domain to create tcp sockets and add new interface tangd_read_db_files
- Allow mailman_mail_t domain to search for apache configs
- Allow mailman_cgi_t domain to ioctl an httpd with a unix domain stream sockets.
- Improve procmail_domtrans() to allow mmaping procmail_exec_t
- Allow ptrace arbitrary processes
- Allow jabberd_router_t domain read kerberos keytabs BZ(1573945)
- Allow certmonger to geattr of filesystems BZ(1578755)
- Update dev_map_xserver_misc interface to allo mmaping char devices instead of files
- Allow noatsecure permission for all domain transitions from systemd.
- Allow systemd to read tangd db files
- Fix typo in ssh.if file
- Allow xdm_t domain to mmap xserver_misc_device_t files
- Allow xdm_t domain to execute systemd-coredump binary
- Add bridge_socket, dccp_socket, ib_socket and mpls_socket to socket_class_set
- Improve modutils_domtrans_insmod() interface to mmap insmod_exec_t binaries
- Improve iptables_domtrans() interface to allow mmaping iptables_exec_t binary
- Improve auth_domtrans_login_programinterface to allow also mmap login_exec_t binaries
- Improve auth_domtrans_chk_passwd() interface to allow also mmaping chkpwd_exec_t binaries.
- Allow mmap dhcpc_exec_t binaries in sysnet_domtrans_dhcpc interface
- Improve running xorg with proper SELinux domain even if systemd security feature NoNewPrivileges is used
 2018-05-24 16:07:11 +02:00
Lukas Vrabec e881d79dbc
* Mon May 21 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.14.2-18 
- Disable secure mode environment cleansing for dirsrv_t
- Allow udev execute /usr/libexec/gdm-disable-wayland in xdm_t domain which allows create /run/gdm/custom.conf with proper xdm_var_run_t label.
 2018-05-21 22:23:41 +02:00
Lukas Vrabec 844794a0f4
* Mon May 21 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.14.2-17 
- Add dac_override capability to remote_login_t domain
- Allow chrome_sandbox_t to mmap tmp files
- Update ulogd SELinux security policy
- Allow rhsmcertd_t domain send signull to apache processes
- Allow systemd socket activation for modemmanager
- Allow geoclue to dbus chat with systemd
- Fix file contexts on conntrackd policy
- Temporary fix for varnish and apache adding capability for DAC_OVERRIDE
- Allow lsmd_plugin_t domain to getattr lsm_t unix stream sockets
- Add label for  /usr/sbin/pacemaker-remoted to have cluster_exec_t
- Allow nscd_t domain to be system dbusd client
- Allow abrt_t domain to read sysctl
- Add dac_read_search capability for tangd
- Allow systemd socket activation for rshd domain
- Add label for /usr/libexec/cyrus-imapd/master as cyrus_exec_t to have proper SELinux domain transition from init_t to cyrus_t
- Allow kdump_t domain to map /boot files
- Allow conntrackd_t domain to send msgs to syslog
- Label /usr/sbin/nhrpd and /usr/sbin/pimd binaries as zebra_exec_t
- Allow swnserve_t domain to stream connect to sasl domain
- Allow smbcontrol_t to create dirs with samba_var_t label
- Remove execstack,execmem and execheap from domains setroubleshootd_t, locate_t and podsleuth_t to increase security. BZ(1579760)
- Allow tangd to read public sssd files BZ(1509054)
- Allow geoclue start with nnp systemd security feature with proper SELinux Domain transition BZ(1575212)
- Allow ctdb_t domain modify ctdb_exec_t files
- Allow firewalld_t domain to create netlink_netfilter sockets
- Allow radiusd_t domain to read network sysctls
- Allow pegasus_t domain to mount tracefs_t filesystem
- Allow create systemd to mount pid files
- Add files_map_boot_files() interface
- Remove execstack,execmem and execheap from domain fsadm_t to increase security. BZ(1579760)
- Fix typo xserver SELinux module
- Allow systemd to mmap files with var_log_t label
- Allow x_userdomains read/write to xserver session
 2018-05-21 01:48:14 +02:00
Lukas Vrabec 4d2de689d5
Fix typo bug in xserver SELinux module 2018-04-30 17:41:45 +02:00
Lukas Vrabec a4ad07747e
* Mon Apr 30 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.14.2-16 
- Allow systemd to mmap files with var_log_t label
- Allow x_userdomains read/write to xserver session
 2018-04-30 16:30:28 +02:00
Lukas Vrabec 560c1cf401
* Sat Apr 28 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.14.2-15 
- Allow unconfined_domain_type to create libs filetrans named content BZ(1513806)
 2018-04-28 19:43:37 +02:00
Lukas Vrabec 19c9a7d734
* Fri Apr 27 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.14.2-14 
- Add dac_override capability to mailman_mail_t domain
- Add dac_override capability to radvd_t domain
- Update openvswitch policy
- Add dac_override capability to oddjob_homedir_t domain
- Allow slapd_t domain to mmap slapd_var_run_t files
- Rename tang policy to tangd
- Allow virtd_t domain to relabel virt_var_lib_t files
- Allow logrotate_t domain to stop services via systemd
- Add tang policy
- Allow mozilla_plugin_t to create mozilla.pdf file in user homedir with label mozilla_home_t
- Allow snapperd_t daemon to create unlabeled dirs.
- Make httpd_var_run_t mountpoint
- Allow hsqldb_t domain to mmap own temp files
- We have inconsistency in cgi templates with upstream, we use _content_t, but refpolicy use httpd__content_t. Created aliasses to make it consistence
- Allow Openvswitch adding netdev bridge ovs 2.7.2.10 FDP
- Add new Boolean tomcat_use_execmem
- Allow nfsd_t domain to read/write sysctl fs files
- Allow conman to read system state
- Allow brltty_t domain to be dbusd system client
- Allow zebra_t domain to bind on babel udp port
- Allow freeipmi domain to read sysfs_t files
- Allow targetd_t domain mmap lvm config files
- Allow abrt_t domain to manage kdump crash files
- Add capability dac_override to antivirus domain
- Allow svirt_t domain mmap svirt_image_t files BZ(1514538)
- Allow ftpd_t domain to chat with systemd
- Allow systemd init named socket activation for uuidd policy
- Allow networkmanager domain to write to ecryptfs_t files BZ(1566706)
- Allow l2tpd domain to stream connect to sssd BZ(1568160)
- Dontaudit abrt_t to write to lib_t dirs BZ(1566784)
- Allow NetworkManager_ssh_t domain transition to insmod_t BZ(1567630)
- Allow certwatch to manage cert files BZ(1561418)
- Merge pull request #53 from tmzullinger/rawhide
- Merge pull request #52 from thetra0/rawhide
- Allow abrt_dump_oops_t domain to mmap all non security files BZ(1565748)
- Allow gpg_t domain mmap cert_t files Allow gpg_t mmap gpg_agent_t files
- Allow NetworkManager_ssh_t domain use generic ptys. BZ(1565851)
- Allow pppd_t domain read/write l2tpd pppox sockets BZ(1566096)
- Allow xguest user use bluetooth sockets if xguest_use_bluetooth boolean is turned on.
- Allow pppd_t domain creating pppox sockets BZ(1566271)
- Allow abrt to map var_lib_t files
- Allow chronyc to read system state BZ(1565217)
- Allow keepalived_t domain to chat with systemd via dbus
- Allow git to mmap git_(sys|user)_content_t files BZ(1518027)
- Allow netutils_t domain to create bluetooth sockets
- Allow traceroute to bind on generic sctp node
- Allow traceroute to search network sysctls
- Allow systemd to use virtio console
- Label /dev/op_panel and /dev/opal-prd as opal_device_t
 2018-04-27 11:50:21 +02:00
Lukas Vrabec 39a94e09cd
* Thu Apr 12 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.14.2-13 
- refpolicy: Update for kernel sctp support
- Allow smbd_t send to nmbd_t via dgram sockets BZ(1563791)
- Allow antivirus domain to be client for system dbus BZ(1562457)
- Dontaudit requesting tlp_t domain kernel modules, its a kernel bug BZ(1562383)
- Add new boolean: colord_use_nfs() BZ(1562818)
- Allow pcp_pmcd_t domain to check access to mdadm BZ(1560317)
- Allow colord_t to mmap gconf_home_t files
- Add new boolean redis_enable_notify()
- Label  /var/log/shibboleth-www(/.*) as httpd_sys_rw_content_t
- Add new label for vmtools scripts and label it as vmtools_unconfined_t stored in /etc/vmware-tools/
- Remove labeling for /etc/vmware-tools to bin_t it should be vmtools_unconfined_exec_t
 2018-04-12 12:51:18 +02:00
Lukas Vrabec 1778514e56
* Sat Apr 07 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.14.2-12 
- Add new boolean redis_enable_notify()
- Label  /var/log/shibboleth-www(/.*) as httpd_sys_rw_content_t
- Add new label for vmtools scripts and label it as vmtools_unconfined_t stored in /etc/vmware-tools/
- Allow svnserve_t domain to manage kerberos rcache and read krb5 keytab
- Add dac_override and dac_read_search capability to hypervvssd_t domain
- Label /usr/lib/systemd/systemd-fence_sanlockd as fenced_exec_t
- Allow samba to create /tmp/host_0 as krb5_host_rcache_t
- Add dac_override capability to fsdaemon_t BZ(1564143)
- Allow abrt_t domain to map dos files BZ(1564193)
- Add dac_override capability to automount_t domain
- Allow keepalived_t domain to connect to system dbus bus
- Allow nfsd_t to read nvme block devices BZ(1562554)
- Allow lircd_t domain to execute bin_t files BZ(1562835)
- Allow l2tpd_t domain to read sssd public files BZ(1563355)
- Allow logrotate_t domain to do dac_override BZ(1539327)
- Remove labeling for /etc/vmware-tools to bin_t it should be vmtools_unconfined_exec_t
- Add capability sys_resource to systemd_sysctl_t domain
- Label all /dev/rbd* devices as fixed_disk_device_t
- Allow xdm_t domain to mmap xserver_log_t files BZ(1564469)
- Allow local_login_t domain to rread udev db
- Allow systemd_gpt_generator_t to read /dev/random device
- add definition of bpf class and systemd perms
 2018-04-07 20:34:23 +02:00
Lukas Vrabec 9762a51f7b
* Thu Mar 29 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.14.2-11 
- Allow accountsd_t domain to dac override BZ(1561304)
- Allow cockpit_ws_t domain to read system state BZ(1561053)
- Allow postfix_map_t domain to use inherited user ptys BZ(1561295)
- Allow abrt_dump_oops_t domain dac override BZ(1561467)
- Allow l2tpd_t domain to run stream connect for sssd_t BZ(1561755)
- Allow crontab domains to do dac override
- Allow snapperd_t domain to unmount fs_t filesystems
- Allow pcp processes to read fixed_disk devices BZ(1560816)
- Allow unconfined and confined users to use dccp sockets
- Allow systemd to manage bpf dirs/files
- Allow traceroute_t to create dccp_sockets
 2018-03-29 19:27:36 +02:00
Lukas Vrabec 0dae2c353f
* Sun Mar 25 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.14.2-9 
- Allow smbcontrol_t to mmap samba_var_t files and allow winbind create sockets BZ(1559795)
- Allow nagios to exec itself and mmap nagios spool files BZ(1559683)
- Allow nagios to mmap nagios config files BZ(1559683)
- Fixing Ganesha module
- Fix typo in NetworkManager module
- Fix bug in gssproxy SELinux module
- Allow abrt_t domain to mmap container_file_t files BZ(1525573)
- Allow networkmanager to be run ssh client BZ(1558441)
- Allow pcp domains to do dc override BZ(1557913)
- Dontaudit pcp_pmie_t to reaquest lost kernel module
- Allow pcp_pmcd_t to manage unpriv userdomains semaphores BZ(1554955)
- Allow httpd_t to read httpd_log_t dirs BZ(1554912)
- Allow fail2ban_t to read system network state BZ(1557752)
- Allow dac override capability to mandb_t domain BZ(1529399)
- Allow collectd_t domain to mmap collectd_var_lib_t files BZ(1556681)
- Dontaudit bug in kernel 4.16 when domains requesting loading kernel modules BZ(1555369)
- Add Domain transition from gssproxy_t to httpd_t domains BZ(1548439)
- Allow httpd_t to mmap user_home_type files if boolean httpd_read_user_content is enabled BZ(1555359)
- Allow snapperd to relabel snapperd_data_t
- Improve bluetooth_stream_socket interface to allow caller domain also send bluetooth sockets
- Allow tcpd_t bind on sshd_port_t if ssh_use_tcpd() is enabled
- Allow insmod_t to load modules BZ(1544189)
- Allow systemd_rfkill_t domain sys_admin capability BZ(1557595)
- Allow systemd_networkd_t to read/write tun tap devices
- Add shell_exec_t file as domain entry for init_t
- Label also /run/systemd/resolved/ as systemd_resolved_var_run_t BZ(1556862)
- Dontaudit kernel 4.16 bug when lot of domains requesting load kernel module BZ(1557347)
- Improve userdom_mmap_user_home_content_files
- Allow systemd_logind_t domain to setattributes on fixed disk devices BZ(1555414)
- Dontaudit kernel 4.16 bug when lot of domains requesting load kernel module
- Allow semanage_t domain mmap usr_t files
- Add new boolean: ssh_use_tcpd()
 2018-03-25 01:02:58 +01:00
Lukas Vrabec 597a71b217
* Wed Mar 21 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.14.2-8 
- Improve bluetooth_stream_socket interface to allow caller domain also send bluetooth sockets
- Allow tcpd_t bind on sshd_port_t if ssh_use_tcpd() is enabled
- Allow semanage_t domain mmap usr_t files
- Add new boolean: ssh_use_tcpd()
 2018-03-21 19:15:49 +01:00
Lukas Vrabec 1199c87fda
Update also sources 2018-03-20 12:21:39 +01:00
Lukas Vrabec 8597119053
* Thu Mar 15 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.14.2-6 
- Allow rpcd_t domain dac override
- Allow rpm domain to mmap rpm_var_lib_t files
- Allow arpwatch domain to create bluetooth sockets
- Allow secadm_t domain to mmap audit config and log files
- Update init_abstract_socket_activation() to allow also creating tcp sockets
- getty_t should be ranged in MLS. Then also local_login_t runs as ranged domain.
- Add SELinux support for systemd-importd
- Create new type bpf_t and label /sys/fs/bpf with this type
 2018-03-15 20:41:40 +01:00
Lukas Vrabec 529a517a7a
* Mon Mar 12 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.14.2-5 
- Allow bluetooth_t domain to create alg_socket BZ(1554410)
- Allow tor_t domain to execute bin_t files BZ(1496274)
- Allow iscsid_t domain to mmap kernel modules BZ(1553759)
- Update minidlna SELinux policy BZ(1554087)
- Allow motion_t domain to read sysfs_t files BZ(1554142)
- Allow snapperd_t domain to getattr on all files,dirs,sockets,pipes BZ(1551738)
- Allow l2tp_t domain to read ipsec config files BZ(1545348)
- Allow colord_t to mmap home user files BZ(1551033)
- Dontaudit httpd_t creating kobject uevent sockets BZ(1552536)
- Allow ipmievd_t to mmap kernel modules BZ(1552535)
- Allow boinc_t domain to read cgroup files BZ(1468381)
- Backport allow rules from refpolicy upstream repo
- Allow gpg_t domain to bind on all unereserved udp ports
- Allow systemd to create systemd_rfkill_var_lib_t dirs BZ(1502164)
- Allow netlabel_mgmt_t domain to read sssd public files, stream connect to sssd_t BZ(1483655)
- Allow xdm_t domain to sys_ptrace BZ(1554150)
- Allow application_domain_type also mmap inherited user temp files BZ(1552765)
- Update ipsec_read_config() interface
- Fix broken sysadm SELinux module
- Allow ipsec_t to search for bind cache BZ(1542746)
- Allow staff_t to send sigkill to mount_t domain BZ(1544272)
- Label /run/systemd/resolve/stub-resolv.conf as net_conf_t BZ(1471545)
- Label ip6tables.init as iptables_exec_t BZ(1551463)
- Allow hostname_t to use usb ttys BZ(1542903)
- Add fsetid capability to updpwd_t domain BZ(1543375)
- Allow systemd machined send signal to all domains BZ(1372644)
- Dontaudit create netlink selinux sockets for unpriv SELinux users BZ(1547876)
- Allow sysadm_t to create netlink generic sockets BZ(1547874)
- Allow passwd_t domain chroot
- Dontaudit confined unpriviliged users setuid capability
 2018-03-12 17:20:32 +01:00
Lukas Vrabec 870fdbbf14
* Tue Mar 06 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.14.2-4 
- Allow l2tpd_t domain to create pppox sockets
- Update dbus_system_bus_client() so calling domain could read also system_dbusd_var_lib_t link files BZ(1544251)
- Add interface abrt_map_cache()
- Update gnome_manage_home_config() to allow also map permission BZ(1544270)
- Allow oddjob_mkhomedir_t domain to be dbus system client BZ(1551770)
- Dontaudit kernel bug when several services requesting load kernel module
- Allow traceroute and unconfined domains creating sctp sockets
- Add interface corenet_sctp_bind_generic_node()
- Allow ping_t domain to create icmp sockets
- Allow staff_t to mmap abrt_var_cache_t BZ(1544273)
- Fix typo bug in dev_map_framebuffer() interface BZ(1551842)
- Dontaudit kernel bug when several services requesting load kernel module
 2018-03-06 16:16:43 +01:00
Lukas Vrabec 47ee5f4780
Add forgotten sources file 2018-03-05 16:27:57 +01:00
Lukas Vrabec 5a5985a439 * Thu Feb 22 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.14.2-2 
- refpolicy: Define extended_socket_class policy capability and socket classes
- Make bluetooth_var_lib_t as mountpoint BZ(1547416)
- Allow systemd to request load kernel module BZ(1547227)
- Allow ipsec_t domain to read l2tpd pid files
- Allow sysadm to read/write trace filesystem BZ(1547875)
- Allow syslogd_t to mmap systemd coredump tmpfs files BZ(1547761)
 2018-02-22 15:13:02 +01:00
Lukas Vrabec 3256f1cc3b * Tue Feb 20 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.14.1-9 
- Fix broken cups Security Module
- Allow dnsmasq_t domain dbus chat with unconfined users. BZ(1532079)
- Allow geoclue to connect to tcp nmea port BZ(1362118)
- Allow pcp_pmcd_t to read mock lib files BZ(1536152)
- Allow abrt_t domain to mmap passwd file BZ(1540666)
- Allow gpsd_t domain to get session id of another process BZ(1540584)
- Allow httpd_t domain to mmap httpd_tmpfs_t files BZ(1540405)
- Allow cluster_t dbus chat with systemd BZ(1540163)
- Add interface raid_stream_connect()
- Allow nscd_t to mmap nscd_var_run_t files BZ(1536689)
- Allow dovecot_delivery_t to mmap mail_home_rw_t files BZ(1531911)
- Make cups_pdf_t domain system dbusd client BZ(1532043)
- Allow logrotate to read auditd_log_t files BZ(1525017)
- Improve snapperd SELinux policy BZ(1514272)
- Allow virt_domain to read virt_image_t files BZ(1312572)
- Allow openvswitch_t stream connect svirt_t
- Update dbus_dontaudit_stream_connect_system_dbusd() interface
- Allow openvswitch domain to manage svirt_tmp_t sock files
- Allow named_filetrans_domain domains to create .heim_org.h5l.kcm-socket sock_file with label sssd_var_run_t BZ(1538210)
- Merge pull request #50 from dodys/pkcs
- Label tcp and udp ports 10110 as nmea_port_t BZ(1362118)
- Allow systemd to access rfkill lib dirs BZ(1539733)
- Allow systemd to mamange raid var_run_t sockfiles and files BZ(1379044)
- Allow vxfs filesystem to use SELinux labels
- Allow systemd to setattr on systemd_rfkill_var_lib_t dirs BZ(1512231)
- Allow few services to dbus chat with snapperd BZ(1514272)
- Allow systemd to relabel system unit symlink to systemd_unit_file_t. BZ(1535180)
- Fix logging as staff_u into Fedora 27
- Fix broken systemd_tmpfiles_run() interface
 2018-02-20 09:25:14 +01:00
Lukas Vrabec b22b1d1da0 * Thu Feb 08 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.14.1-7 
- Label /usr/sbin/ldap-agent as dirsrv_snmp_exec_t
- Allow certmonger_t domain to access /etc/pki/pki-tomcat BZ(1542600)
- Allow keepalived_t domain getattr proc filesystem
- Allow init_t to create UNIX sockets for unconfined services (BZ1543049)
- Allow ipsec_mgmt_t execute ifconfig_exec_t binaries Allow ipsec_mgmt_t nnp domain transition to ifconfig_t
- Allow ipsec_t nnp transistions to domains ipsec_mgmt_t and ifconfig_t
 2018-02-08 14:38:23 +01:00
Lukas Vrabec 00dcc13b60 * Tue Feb 06 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.14.1-6 
- Allow openvswitch_t domain to read cpuid, write to sysfs files and creating openvswitch_tmp_t sockets
- Add new interface ppp_filetrans_named_content()
- Allow keepalived_t read sysctl_net_t files
- Allow puppetmaster_t domtran to puppetagent_t
- Allow kdump_t domain to read kernel ring buffer
- Allow boinc_t to mmap boinc tmpfs files BZ(1540816)
- Merge pull request #47 from masatake/keepalived-signal
- Allow keepalived_t create and write a file under /tmp
- Allow ipsec_t domain to exec ifconfig_exec_t binaries.
- Allow unconfined_domain_typ to create pppd_lock_t directory in /var/lock
- Allow updpwd_t domain to create files in /etc with shadow_t label
 2018-02-06 09:58:08 +01:00
Lukas Vrabec 4b0a66cafc * Tue Jan 30 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.14.1-5 
- Allow opendnssec daemon to execute ods-signer BZ(1537971)
 2018-01-30 17:04:16 +01:00
Lukas Vrabec e9c4389283 * Tue Jan 30 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.14.1-4 
- rpm: Label /usr/share/rpm usr_t (ostree/Atomic systems)
- Update dbus_role_template() BZ(1536218)
- Allow lldpad_t domain to mmap own tmpfs files BZ(1534119)
- Allow blueman_t dbus chat with policykit_t BZ(1470501)
- Expand virt_read_lib_files() interface to allow list dirs with label virt_var_lib_t BZ(1507110)
- Allow postfix_master_t and postfix_local_t to connect to system dbus. BZ(1530275)
- Allow system_munin_plugin_t domain to read sssd public files and allow stream connect to ssd daemon BZ(1528471)
- Allow rkt_t domain to bind on rkt_port_t tcp BZ(1534636)
- Allow jetty_t domain to mmap own temp files BZ(1534628)
- Allow sslh_t domain to read sssd public files and stream connect to sssd. BZ(1534624)
- Consistently label usr_t for kernel/initrd in /usr
- kernel/files.fc: Label /usr/lib/sysimage as usr_t
- Allow iptables sysctl load list support with SELinux enforced
- Label HOME_DIR/.config/systemd/user/* user unit files as systemd_unit_file_t BZ(1531864)
 2018-01-30 12:57:41 +01:00
Lukas Vrabec e7bae02f22 * Fri Jan 19 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.14.1-3 
- Merge pull request #45 from jlebon/pr/rot-sd-dbus-rawhide
- Allow virt_domains to acces infiniband pkeys.
- Allow systemd to relabelfrom tmpfs_t link files in /var/run/systemd/units/ BZ(1535180)
- Label /usr/libexec/ipsec/addconn as ipsec_exec_t to run this script as ipsec_t instead of init_t
- Allow audisp_remote_t domain write to files on all levels
 2018-01-19 12:48:25 +01:00
Lukas Vrabec de6ed4b466 Added missing container-selinux.tgz sources 2018-01-15 17:47:53 +01:00
Lukas Vrabec 72b2cda3a5 * Mon Jan 15 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.14.1-2 
- Allow aide to mmap usr_t files BZ(1534182)
- Allow ypserv_t domain to connect to tcp ports BZ(1534245)
- Allow vmtools_t domain creating vmware_log_t files
- Allow openvswitch_t domain to acces infiniband devices
- Allow dirsrv_t domain to create tmp link files
- Allow pcp_pmie_t domain to exec itself. BZ(153326)
- Update openvswitch SELinux module
- Allow virtd_t to create also sock_files with label virt_var_run_t
- Allow chronyc_t domain to manage chronyd_keys_t files.
- Allow logwatch to exec journal binaries BZ(1403463)
- Allow sysadm_t and staff_t roles to manage user systemd services BZ(1531864)
- Update logging_read_all_logs to allow mmap all logfiles BZ(1403463)
- Add Label systemd_unit_file_t for /var/run/systemd/units/
 2018-01-15 17:33:37 +01:00
Lukas Vrabec 22c9764fc4 Update new sources to reflect changes related to python3 dependency 2018-01-08 18:44:57 +01:00
Lukas Vrabec 51dc83b2d4 Commit removes big SELinux policy patches against tresys refpolicy. 
We're quite diverted from upstream policy. This change will use tarballs
from github projects:
https://github.com/fedora-selinux/selinux-policy
https://github.com/fedora-selinux/selinux-policy-contrib
 2018-01-08 18:28:27 +01:00
Dan Walsh 164fa392ee Fix config.tgz to include lxc_contexts and systemd_contexts 2013-11-14 11:05:22 -05:00
Miroslav Grepl 0f9b0de389 Upload new upstream sources 2013-11-13 15:27:57 +01:00
Miroslav Grepl e4104d9fc0 Upload updated config.tgz 2013-11-12 12:22:03 +01:00
Miroslav Grepl e5e41801b0 Upload new upstream sources 2013-01-08 11:50:45 +01:00
Miroslav Grepl a270091f19 Make rawhide == f18 2012-12-17 17:21:00 +01:00
Miroslav Grepl 46a9c6067c * Thu Aug 2 2012 Miroslav Grepl <mgrepl@redhat.com> 3.11.1-0 
- Update to upstream
 2012-08-02 07:43:02 +02:00
Miroslav Grepl d68342900a fix sources 2012-06-07 13:40:47 +02:00
Miroslav Grepl e392eca2af Upload new sources 2012-06-06 16:09:49 +02:00
Miroslav Grepl 3f8c0984d4 Upload the right source file 2011-06-27 18:20:35 +02:00
Miroslav Grepl ade486af72 Update to upstream 2011-06-27 18:02:16 +02:00
Miroslav Grepl 6726024e43 Update to upstream 2011-03-08 18:28:56 +00:00
Miroslav Grepl 7288282fd4 - Update to upstream 2011-02-16 18:45:08 +00:00
Dan Walsh 812781becc - Update to ref policy 
- cgred needs chown capability
- Add /dev/crash crash_dev_t
 2011-02-08 17:50:40 -05:00
Miroslav Grepl 86b1f12f92 - Update to upstream 2011-01-17 18:42:12 +00:00
Miroslav Grepl d6c5f3679b Update to upstream 2010-12-20 17:43:48 +00:00
Miroslav Grepl 0ba6b243f7 - Update to upstream 
- Fix version of policy in spec file
 2010-12-15 11:03:25 +00:00
Miroslav Grepl 05f913e88b - Update to upstream 
- Cleanup for sandbox
- Add attribute to be able to select sandbox types
 2010-11-25 12:21:34 +00:00
Dan Walsh f4eab7417d Remove bad tar ball from src 2010-11-16 10:59:45 -05:00
Miroslav Grepl 582d2c5d2c - Update to upstream 
- Dontaudit leaked sockets from userdomains to user domains
- Fixes for mcelog to handle scripts
- Apply patch from Ruben Kerkhof
- Allow syslog to search spool dirs
 2010-11-16 09:46:19 +01:00
Dan Walsh 3e0b7834a6 - Update to upstream 
- Add vlock policy
 2010-11-05 14:22:36 -04:00
Dan Walsh 06262c1566 - Update to upstream 
- Add vlock policy
 2010-11-05 12:40:07 -04:00
Dan Walsh 7a208696f9 - Dontaudit sandbox sending sigkill to all user domains 
- Add policy for rssh_chroot_helper
- Add missing flask definitions
- Allow udev to relabelto removable_t
- Fix label on /var/log/wicd.log
- Transition to initrc_t from init when executing bin_t
- Add audit_access permissions to file
- Make removable_t a device_node
- Fix label on /lib/systemd/*
 2010-10-28 15:55:48 -04:00
Dan Walsh 5a152bc135 - Update to upstream 2010-10-12 16:47:46 -04:00
Dan Walsh 6f934680a8 - Allow smbd to use sys_admin 
- Remove duplicate file context for tcfmgr
- Update to upstream
 2010-10-07 14:55:49 -04:00
Dan Walsh a24e6a6700 - Update to upstream 2010-09-16 07:59:03 -04:00
Dan Walsh a0e8efd42c - Update to upstream 2010-09-13 16:17:15 -04:00
Dan Walsh 64d84cf8ec Allow iptables to read shorewall tmp files 
Change chfn and passwd to use auth_use_pam so they can send dbus messages to fpr
intd
label vlc as an execmem_exec_t
Lots of fixes for mozilla_plugin to run google vidio chat
Allow telepath_msn to execute ldconfig and its own tmp files
Fix labels on hugepages
Allow mdadm to read files on /dev
Remove permissive domains and change back to unconfined
Allow freshclam to execute shell and bin_t
Allow devicekit_power to transition to dhcpc
Add boolean to allow icecast to connect to any port
 2010-09-08 14:17:07 -04:00
Dan Walsh 482c9f3ad9 - Merge upstream fix of mmap_zero 
- Allow mount to write files in debugfs_t
- Allow corosync to communicate with clvmd via tmpfs
- Allow certmaster to read usr_t files
- Allow dbus system services to search cgroup_t
- Define rlogind_t as a login pgm
 2010-09-02 13:43:28 -04:00
Dan Walsh a7a2367a59 - Merge with upstream 2010-08-30 17:34:52 -04:00
Dan Walsh 6578cf7413 - More access needed for devicekit 
- Add dbadm policy
 2010-08-30 11:58:36 -04:00
Dan Walsh ba77266a14 - Merge with upstream 2010-08-26 20:35:53 -04:00
Daniel J Walsh 7f5d8f30d0 - Update boinc policy 
- Fix sysstat policy to allow sys_admin
- Change failsafe_context to unconfined_r:unconfined_t:s0
 2010-07-27 17:28:04 +00:00
Daniel J Walsh d66bec6356 - Update to latest policy 2010-07-20 17:48:36 +00:00
Daniel J Walsh 0f2ae00c61 - Update to upstream 2010-07-15 13:11:25 +00:00
Daniel J Walsh 6c42218d9d -Update to upstream 2010-06-28 17:19:34 +00:00
Daniel J Walsh fa98e0ec52 -Update to upstream 2010-06-21 14:31:26 +00:00
Daniel J Walsh 5f371acada -Update to upstream 2010-06-18 20:14:28 +00:00
Daniel J Walsh b39ccca147 - Update to upstream 2010-06-08 21:23:21 +00:00
Daniel J Walsh 632048ceb1 - Update to upstream 
- Allow prelink script to signal itself
- Cobbler fixes
 2010-06-07 21:15:35 +00:00
Daniel J Walsh bc4089cfaa - Update to upstream 2010-05-26 21:15:42 +00:00
Daniel J Walsh a72c31df34 - Update to upstream 2010-03-18 15:47:35 +00:00
Daniel J Walsh add957370e - Merge with upstream 2010-02-16 22:10:14 +00:00
Daniel J Walsh a62c6405cc - Lots of fixes found in F12 2010-02-02 16:41:03 +00:00
Daniel J Walsh faec5c2a14 - Update to upstream 2010-01-18 22:40:25 +00:00
Daniel J Walsh fc05ac0660 - Move users file to selection by spec file. 
- Allow vncserver to run as unconfined_u:unconfined_r:unconfined_t
 2010-01-11 22:06:55 +00:00
Daniel J Walsh 468fe0b647 - Update to upstream 2010-01-08 22:03:53 +00:00
Daniel J Walsh b2ccd1a9c8 Update packages 2009-12-18 21:09:01 +00:00
Daniel J Walsh 9eef358da0 - Update to upstream release 2009-12-10 19:20:14 +00:00
Daniel J Walsh f2a1dcd3d4 - Add asterisk policy back in 
- Update to upstream release 2.20091117
 2009-11-25 20:19:12 +00:00
Daniel J Walsh ee88b050c5 - Add asterisk policy back in 2009-11-20 16:55:54 +00:00
Daniel J Walsh 55acbfd715 - Update to upstream release 2.20091117 2009-11-18 22:22:56 +00:00
Daniel J Walsh 5e44eb8657 - Update to upstream 2009-11-14 05:18:01 +00:00
Daniel J Walsh 69290fd9df - Update to upstream 
- Dontaudit nsplugin search /root
- Dontaudit nsplugin sys_nice
 2009-09-16 17:50:32 +00:00
Daniel J Walsh ab8f807545 - More fixes 2009-09-09 21:08:02 +00:00
Daniel J Walsh 65c3f9a0a8 - Update to upsteam 2009-08-31 21:27:50 +00:00
Daniel J Walsh faf9cbbc4b - Update to upstream 2009-08-28 20:55:16 +00:00
Daniel J Walsh 40243d944f - Allow cupsd_config_t to be started by dbus 
- Add smoltclient policy
 2009-08-18 22:43:34 +00:00
Daniel J Walsh 9c270225e5 - Add policycoreutils-python to pre install 2009-08-18 12:34:26 +00:00
Daniel J Walsh 43fb726b4b - More fixes from upstream 2009-07-30 21:38:54 +00:00
Daniel J Walsh c6e2224c70 - Fix polkit label 
- Remove hidebrokensymptoms for nss_ldap fix
- Add modemmanager policy
- Lots of merges from upstream
- Begin removing textrel_shlib_t labels, from fixed libraries
 2009-07-30 04:31:53 +00:00
Daniel J Walsh 3750561a72 - Update to upstream 2009-07-28 19:08:17 +00:00
Daniel J Walsh df7055d5b3 - Update to upstream 2009-07-23 21:47:41 +00:00
Daniel J Walsh 2360ff9f3f - Update to upstream 2009-07-15 19:12:04 +00:00
Daniel J Walsh d9676a6ada - Update to upstream 2009-07-06 21:16:26 +00:00
Daniel J Walsh 7b16d569d8 - Update to upstream 
- Fix nlscd_stream_connect
 2009-06-26 20:13:04 +00:00
Daniel J Walsh a9f0953822 - Update to upstream 
add sssd
 2009-06-22 22:27:58 +00:00
Daniel J Walsh 8866315d40 - Update to upstream 
cleanup
Fri Jun 19 2009 Dan Walsh <dwalsh@redhat.com> 3.6.17-1
- Update to upstream
- Additional mail ports
- Add virt_use_usb boolean for svirt
 2009-06-20 13:59:00 +00:00
Daniel J Walsh 6071093529 - Update to upstream 
- Additional mail ports
- Add virt_use_usb boolean for svirt
 2009-06-19 11:41:44 +00:00
Daniel J Walsh d54def1c6f - New version for upstream 2009-06-15 17:59:49 +00:00
Daniel J Walsh d3ae977ab7 - New version for upstream 2009-06-12 18:59:09 +00:00
Daniel J Walsh f3d2889157 - Update to upstream 2009-06-09 02:15:29 +00:00
Daniel J Walsh ef7416c2b8 - Upgrade to upstream 2009-05-22 14:37:43 +00:00
Daniel J Walsh 2e917624ad - Upgrade to latest upstream 
- Allow devicekit_disk sys_rawio
 2009-04-08 11:58:59 +00:00
Daniel J Walsh 0e78af1c39 - Dontaudit binds to ports < 1024 for named 
- Upgrade to latest upstream
 2009-04-06 19:27:19 +00:00
Daniel J Walsh 9ca87fc9d8 - Fixes to allow svirt read iso files in homedir 2009-03-24 19:45:02 +00:00
Daniel J Walsh 5dce3c12f7 - Add xenner and wine fixes from mgrepl 2009-03-20 18:42:38 +00:00
Daniel J Walsh b12011f2ab - Upgrade to latest upstream 2009-03-12 15:48:51 +00:00
Daniel J Walsh a67a1c12aa - Upgrade to latest patches 2009-03-05 21:05:47 +00:00
Daniel J Walsh 8c3a31a48a - Update to Latest upstream 2009-03-03 20:10:30 +00:00
Daniel J Walsh 2eec438a0b - Re-add corenet_in_generic_if(unlabeled_t) 2009-02-16 22:54:22 +00:00
Daniel J Walsh bd0db4f147 - Add setrans contains from upstream 2009-02-09 22:07:20 +00:00
Daniel J Walsh c957c38343 - Upgrade to latest upstream 2009-02-04 04:02:17 +00:00
Daniel J Walsh 1d72fb031f - Update to upstream 2009-01-19 17:35:43 +00:00
Daniel J Walsh 292c49cacc - Update to upstream 2009-01-05 22:55:20 +00:00
Daniel J Walsh b3f084a8c7 - Update to upstream 2009-01-05 22:35:32 +00:00
Daniel J Walsh fce9b71022 - Fix labeling on /var/spool/rsyslog 2008-11-25 21:08:25 +00:00
Daniel J Walsh 02d888c766 - Fix labeling on /var/spool/rsyslog 2008-11-25 19:18:01 +00:00
Daniel J Walsh 49f48f4a99 - Policy cleanup 2008-10-17 22:03:34 +00:00
Daniel J Walsh 4125702a20 - Update to upstream 2008-10-14 23:50:08 +00:00
Daniel J Walsh b6cc6a84e9 - Update to upstream 2008-10-11 23:57:43 +00:00
Daniel J Walsh e0b9b8d38f - Update to upstream policy 2008-10-09 10:48:56 +00:00
Daniel J Walsh f1a8278899 - Allow NetworkManager to transition to avahi and iptables 
- Allow domains to search other domains keys, coverup kernel bug
 2008-10-03 15:49:44 +00:00
Daniel J Walsh d611f1191a - Upgrade to upstream 2008-09-26 12:38:56 +00:00
Daniel J Walsh 59571abd0d - Merge upstream changes 
- Add Xavier Toth patches
 2008-09-16 13:57:15 +00:00
Daniel J Walsh 8a482d67b3 - Merge upstream changes 
- Add Xavier Toth patches
 2008-09-12 20:36:21 +00:00
Daniel J Walsh aca77a6f2d - Remove gamin policy 2008-09-08 21:01:42 +00:00
Daniel J Walsh 0a219fe07b - Update to upstream 
- New handling of init scripts
 2008-09-03 20:16:35 +00:00
Daniel J Walsh 7638e78556 - Allow ifconfig_t to read dhcpc_state_t 2008-08-26 14:46:43 +00:00
Daniel J Walsh 1a0f642074 - Update to upstream 2008-08-11 21:19:25 +00:00
Daniel J Walsh b5d09d1532 - Update to upstream 2008-08-07 20:05:57 +00:00
Daniel J Walsh 0f1bd620e5 - Allow system-config-selinux to work with policykit 2008-08-07 12:22:07 +00:00
Daniel J Walsh feefeee019 - Fix xguest -> xguest_mozilla_t -> xguest_openiffice_t 2008-07-17 19:53:32 +00:00
Daniel J Walsh af0f735167 - Update to upstream 2008-06-12 14:50:00 +00:00
Daniel J Walsh 9ed55bda90 - Merge Upstream 2008-05-30 20:27:06 +00:00
Daniel J Walsh 7fd4585229 - Merge Upstream 2008-05-23 20:05:34 +00:00
Daniel J Walsh 4b7f030014 Update for rawhide 2008-05-19 13:02:56 +00:00
Daniel J Walsh c43b447f6f Update for rawhide 2008-05-19 13:01:59 +00:00
Daniel J Walsh f75033d612 - Update to upstream fixes 2008-02-26 13:45:23 +00:00
Daniel J Walsh 5ca2ff99b6 - Add xace support 2008-02-22 20:32:52 +00:00
Daniel J Walsh 541ba8edec - Fixes from yum-cron 
- Update to latest upstream
 2008-02-20 18:52:50 +00:00
Daniel J Walsh eb3e9fbc68 - Merge with upstream 2008-02-18 21:31:18 +00:00
Daniel J Walsh 57ac1cab83 - Update to upstream 2008-02-06 21:47:42 +00:00
Daniel J Walsh b19d470cd4 - Update to upstream 
- Add libvirt policy
- add qemu policy
 2008-02-02 06:30:04 +00:00
Daniel J Walsh 2587107071 - Fix definiton of admin_home_t 2007-12-19 18:00:58 +00:00
Daniel J Walsh f14d51e840 - Update to upstream 2007-12-13 21:40:00 +00:00
Daniel J Walsh 7dfe3eb3ef - Add polkit policy 
- Symplify userdom context, remove automatic per_role changes
 2007-12-11 06:08:33 +00:00
Daniel J Walsh 02654b8fb4 - Update to upstream 
- Allow httpd_sys_script_t to search users homedirs
 2007-12-05 03:19:13 +00:00
Daniel J Walsh 9186dc57d9 - Remove user based home directory separation 2007-11-30 22:33:18 +00:00
Daniel J Walsh 6e70d63f52 - Remove user based home directory separation 2007-11-30 22:08:19 +00:00
Daniel J Walsh 965b62cceb - Merge with upstream 
- Allow xsever to read hwdata_t
- Allow login programs to setkeycreate
 2007-11-27 04:11:10 +00:00
Daniel J Walsh 7330e86b90 - Update to upstream 2007-11-10 14:14:41 +00:00
Daniel J Walsh fa0d1c8884 - Update to upstream 2007-10-23 23:13:09 +00:00
Daniel J Walsh bf76748359 - Allow cron to search nfs and samba homedirs 2007-09-18 15:09:11 +00:00
Daniel J Walsh e8b5993e52 - Update an readd modules 2007-08-27 21:43:05 +00:00
Daniel J Walsh 77a22067be - Add setransd for mls policy 2007-08-22 14:46:21 +00:00
Daniel J Walsh f9778219aa - Update from upstream 2007-08-03 19:53:44 +00:00
Daniel J Walsh 2fac1d6655 - Update with latest changes from upstream 2007-07-26 17:54:24 +00:00
Daniel J Walsh 297dd1a900 - Allow execution of gconf 2007-07-19 14:45:16 +00:00
Daniel J Walsh af677794a8 - Default to user_u:system_r:unconfined_t 2007-07-03 19:20:47 +00:00
Daniel J Walsh 269acb5ee8 - Remove ifdef strict policy from upstream 2007-06-26 12:09:30 +00:00
Daniel J Walsh 56187c2f8a - Remove ifdef strict policy from upstream 2007-05-31 18:40:35 +00:00
Daniel J Walsh 346d2dccfd 2007-05-21 18:54:40 +00:00
Daniel J Walsh 8cd496f1d6 - Update to latest from upstream 2007-05-14 18:10:58 +00:00
Daniel J Walsh daa6abe9e1 - Update to latest from upstream 2007-05-04 17:30:10 +00:00
Daniel J Walsh 8a3cefc9a6 - Update to latest from upstream 2007-05-04 17:14:04 +00:00
Daniel J Walsh a615d5b893 - Update to latest from upstream 2007-05-02 02:53:14 +00:00
Daniel J Walsh 8fea836859 - Update to latest from upstream 2007-05-01 20:53:29 +00:00
Daniel J Walsh 8396b2dbd2 - Upstream bumped the version 2007-04-23 17:00:48 +00:00
Daniel J Walsh a3b1a2c522 - Update to upstream 2007-04-11 20:55:28 +00:00
Daniel J Walsh e441a1b48b - Update to upstream 2007-04-11 20:23:53 +00:00
Daniel J Walsh 8e5289e20b - Update to upstream 2007-04-02 19:53:16 +00:00
Daniel J Walsh ce7f30a258 - Update to upstream 2007-04-02 15:17:45 +00:00
Daniel J Walsh 145e8d73ba - Allow samba to run groupadd 2007-03-23 17:31:13 +00:00
Daniel J Walsh d3aabaedb4 2007-03-20 15:01:28 +00:00
Daniel J Walsh 2a9b648b37 - More of my patches from upstream 2007-03-11 05:19:36 +00:00
Daniel J Walsh 1fed4c745c - Update to latest from upstream 
- Add fail2ban policy
 2007-03-01 21:57:47 +00:00
Daniel J Walsh 5ad70cf38c - Update to remove security_t:filesystem getattr problems 2007-02-28 21:23:19 +00:00
Daniel J Walsh b2ca43f5ca 2007-02-26 22:15:47 +00:00
Daniel J Walsh fd5c324a94 2007-02-26 16:09:11 +00:00
Daniel J Walsh af8af9caee 2007-02-26 15:06:22 +00:00
Daniel J Walsh b7da3b9e3e - Add sepolgen support 
- Add bugzilla policy
 2007-02-20 17:35:59 +00:00
Daniel J Walsh df0bef9ac0 - 2007-02-12 16:27:42 +00:00
Daniel J Walsh e45f5d36d0 - Add ability to generate webadm_t policy 
- Lots of new interfaces for httpd
- Allow sshd to login as unconfined_t
 2007-01-25 19:07:00 +00:00
Daniel J Walsh 352de5d2ec - Begin adding user confinement to targeted policy 2007-01-22 18:15:16 +00:00
Daniel J Walsh cc1462b7d0 - Dontaudit appending hal_var_lib files Resolves: #217452 Resolves: #217571 
Resolves: #217611 Resolves: #217640 Resolves: #217725
 2006-11-29 20:11:02 +00:00
Daniel J Walsh 9e4aeac9dd - Move to upstream version which accepted my patches 2006-11-17 19:21:40 +00:00
Daniel J Walsh 73ea8c2e4d - Update to upstream 2006-11-15 15:22:30 +00:00
Daniel J Walsh d7e0f9fa0d - Merge with upstream 2006-11-06 21:15:57 +00:00
Daniel J Walsh 6672fcfbdd - Allow mount.nfs to work 2006-10-27 19:16:43 +00:00
Daniel J Walsh 3d011ff2e8 Mon Oct 23 2006 Dan Walsh <dwalsh@redhat.com> 2.4-4 
- Allow noxattrfs to associate with other noxattrfs
 2006-10-23 20:54:50 +00:00
Daniel J Walsh e2eecb7a01 - Refupdate from upstream 2006-10-19 15:52:02 +00:00
Daniel J Walsh da08298372 - Update to upstream 2006-10-17 18:43:08 +00:00
Daniel J Walsh f21d67baff - Patch for labeled networking 2006-10-03 18:47:06 +00:00
Daniel J Walsh 8fff699602 - Update to upstream 2006-09-29 19:19:18 +00:00
Daniel J Walsh a76cf8a10b - Update with upstream 2006-09-26 14:59:58 +00:00
Daniel J Walsh 85bd855811 - Update from upstream 2006-09-22 20:41:12 +00:00
Daniel J Walsh 3f1bb62fc8 - Upgrade to upstream 2006-09-15 18:28:09 +00:00
Daniel J Walsh 937c1cc4df - Update from upstream 2006-09-06 18:29:35 +00:00
Daniel J Walsh efb08979c0 - Update to upstream 2006-09-05 12:03:37 +00:00
Daniel J Walsh 928af41d8b - Update to upstream 2006-09-01 19:45:39 +00:00
Daniel J Walsh 06027c9ac0 - Upgrade to upstream 2006-08-30 20:59:51 +00:00
Daniel J Walsh a5dcfa874f - Update to upstream 2006-08-23 20:42:38 +00:00
Daniel J Walsh 3559b5314e - Fixes for stunnel and postgresql 
- Update from upstream
 2006-08-20 15:11:37 +00:00
Daniel J Walsh 256cfc628c - Update from upstream 
- More java fixes
 2006-08-12 11:54:51 +00:00
Daniel J Walsh 8da541a5e6 - Quiet down anaconda audit messages 2006-08-08 20:40:36 +00:00
Daniel J Walsh 932c79f792 - Fix setroubleshootd 2006-08-08 00:26:46 +00:00
Daniel J Walsh 26202062d0 - Update to the latest from upstream 2006-08-04 22:58:10 +00:00
Daniel J Walsh c62a78555a - Remove spamassassin_can_network boolean 2006-07-17 17:14:27 +00:00
Daniel J Walsh 8bee3a4a58 - Update to upstream 2006-07-09 09:51:33 +00:00
Daniel J Walsh 4a291ab8b9 - Update to upstream 
- Add new class for kernel key ring
 2006-06-22 19:16:49 +00:00
Daniel J Walsh 55d3b8c480 - Update to upstream 2006-06-22 01:15:06 +00:00
Daniel J Walsh 8df543a44d - Update to upstream 2006-06-21 14:01:45 +00:00
Daniel J Walsh 358335b9db - Update from Upstream 2006-06-14 15:48:59 +00:00
Daniel J Walsh 2616c66ff4 - Update to upstream 2006-06-13 18:26:00 +00:00
Daniel J Walsh 3004d53f75 - Update from upstream 2006-06-09 03:03:22 +00:00
Daniel J Walsh 43fe713171 - Update to upstream 2006-05-28 10:56:26 +00:00
Daniel J Walsh e5e5095da5 - Upgrade to upstream 2006-05-20 12:01:14 +00:00
Daniel J Walsh 75d0fe4f47 - allow hal to read boot_t files 
- Upgrade to upstream
 2006-05-18 16:07:35 +00:00
Daniel J Walsh f4d170770a - Update from upstream 2006-05-17 01:40:53 +00:00