Ipa_custodia was merged into ipa policy module. To avoid conflicts
the module needs to be disabled before policy update.
Fixes:
Running scriptlet: selinux-policy-targeted-3.14.5-35.fc32.noarch
Re-declaration of type ipa_custodia_t
Failed to create node
Bad type declaration at /var/lib/selinux/targeted/tmp/modules/100/ipa_custodia/cil:1
/usr/sbin/semodule: Failed!
- Allow rngd create netlink_kobject_uevent_socket and read udev runtime files
- Allow ssh-keygen create file in /var/lib/glusterd
- Update ctdbd_manage_lib_files() to also allow mmap ctdbd_var_lib_t files
- Merge ipa and ipa_custodia modules
- Allow NetworkManager_ssh_t to execute_no_trans for binary ssh_exec_t
- Introduce daemons_dontaudit_scheduling boolean
- Modify path for arping in netutils.fc to match both bin and sbin
- Change file context for /var/run/pam_ssh to match file transition
- Add file context entry and file transition for /var/run/pam_timestamp
- Allow NetworkManager read its unit files and manage services
- Add init_daemon_domain() for geoclue_t
- Allow to use nnp_transition in pulseaudio_role
- Allow pdns_t domain to map files in /usr.
- Label all NetworkManager fortisslvpn plugins as openfortivpn_exec_t
- Allow login_pgm create and bind on netlink_selinux_socket
Commit f76a9deccc ("Consolidate make parameters") replaced most
occurences of common make params with a single %common_params macro
call, but it omitted two places. Extend the %common_params usage to
these as well.
Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
- Allow certmonger_t domain to read pkcs_slotd lock files
- Allow httpd_t domain to mmap own var_lib_t files BZ(1804853)
- Allow ipda_custodia_t to create udp_socket and added permission nlmsg_read for netlink_route_sockets
- Make file context more variable for /usr/bin/fusermount and /bin/fusermount
- Allow local_login_t domain to getattr cgroup filesystem
- Allow systemd_logind_t domain to manage user_tmp_t char and block devices
- Dontaudit timedatex_t read file_contexts_t and validate security contexts
- Make stratisd_t domain unconfined for now.
- stratisd_t policy updates.
- Label /var/spool/plymouth/boot.log as plymouthd_var_log_t
- Label /stratis as stratisd_data_t
- Allow opafm_t to create and use netlink rdma sockets.
- Allow stratisd_t domain to read/write fixed disk devices and removable devices.
- Added macro for stratisd to chat over dbus
- Add dac_override capability to stratisd_t domain
- Allow init_t set the nice level of all domains BZ(1778088)
- Allow userdomain to chat with stratisd over dbus.
Since /etc/selinux/config is created in a %post script and execution
order of post scripts cannot be ensured in this case, all commands in
post have to be able to work without /etc/selinux/config.
Also standalone execution of selinuxenabled in relabel macro would cause
%post of all selinux-policy-* packages to fail in case selinux was
disabled.
Fixes:
https://bugzilla.redhat.com/show_bug.cgi?id=1723940
- Fix typo in anaconda SELinux module
- Allow rtkit_t domain to control scheduling for your install_t processes
- Boolean: rngd_t to use executable memory
- Allow rngd_t domain to use nsswitch BZ(1787661)
- Allow exim to execute bin_t without domain trans
- Allow create udp sockets for abrt_upload_watch_t domains
- Drop label zebra_t for frr binaries
- Allow NetworkManager_t domain to get status of samba services
- Update milter policy to allow use sendmail
- Modify file context for .local directory to match exactly BZ(1637401)
- Allow init_t domain to create own socket files in /tmp
- Allow ipsec_mgmt_t domain to mmap ipsec_conf_file_t files
- Create files_create_non_security_dirs() interface
From reading BZ1290659 [1] it sounds like the ostree issue was resolved
by using /etc/selinux as the store root instead of /var/lib/selinux so I
believe the /usr/share/selinux redundant files are no longer needed.
Also remove all other leftovers of the factory reset thing...
[1] https://bugzilla.redhat.com/show_bug.cgi?id=1290659
Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
Make code more readable by putting common make parameters under a common
macro. Also fix the sandbox.pp command-line, which was copy-pasted out
of context...
Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
- Introduce new type pdns_var_lib_t
- Allow zebra_t domain to read files labled as nsfs_t.
- Allow systemd to setattr on all device_nodes
- Allow systemd to mounton and list all proc types
- Fix nonexisting types in rtas_errd_rw_lock interface
- Allow snmpd_t domain to trace processes in user namespace
- Allow timedatex_t domain to read relatime clock and adjtime_t files
- Allow zebra_t domain to execute zebra binaries
- Label /usr/lib/NetworkManager/dispatcher as NetworkManager_initrc_exec_t
- Allow ksmtuned_t domain to trace processes in user namespace
- Allow systemd to read symlinks in /var/lib
- Update dev_mounton_all_device_nodes() interface
- Add the miscfiles_map_generic_certs macro to the sysnet_dns_name_resolve macro.
- Allow systemd_domain to map files in /usr.
- Allow strongswan start using swanctl method BZ(1773381)
- Dontaudit systemd_tmpfiles_t getattr of all file types BZ(1772976)
- Allow timedatex_t domain dbus chat with both confined and unconfined users
- Allow timedatex_t domain dbus chat with unconfined users
- Allow NetworkManager_t manage dhcpc_state_t BZ(1770698)
- Make unconfined domains part of domain_named_attribute
- Label tcp ports 24816,24817 as pulp_port_t
- Remove duplicate entries for initrc_t in init.te
- Fix typo bugs in rtas_errd_read_lock() interface
- cockpit: Drop cockpit-cert-session
- Allow timedatex_t domain to systemctl chronyd domains
- Allow ipa_helper_t to read kr5_keytab_t files
- cockpit: Allow cockpit-session to read cockpit-tls state directory
- Allow stratisd_t domain to read nvme and fixed disk devices
- Update lldpad_t policy module
- Dontaudit tmpreaper_t getting attributes from sysctl_type files
- cockpit: Support https instance factory
- Added macro for timedatex to chat over dbus.
- Fix typo in dev_filetrans_all_named_dev()
- Update files_manage_etc_runtime_files() interface to allow manage also dirs
- Fix typo in cachefiles device
- Dontaudit sys_admin capability for auditd_t domains
- Allow x_userdomain to read adjtime_t files
- Allow users using template userdom_unpriv_user_template() to run bpf tool
- Allow x_userdomain to dbus_chat with timedatex.
Remove git from BuildRequires in %selinux_requires
In %selinux_requires macro, as part of BuildRequires is also git
package. It looks like some leftover and this commit removes it.
Upstream repo: https://github.com/fedora-selinux/selinux-policy-macros
- Label /var/cache/nginx as httpd_cache_t
- Allow abrt_upload_watch_t domain to send dgram msgs to kernel processes and stream connect to journald
- Created dnsmasq_use_ipset boolean
- Allow capability dac_override in logwatch_mail_t domain
- Allow automount_t domain to execute ping in own SELinux domain (ping_t)
- Allow tmpreaper_t domain to getattr files labeled as mtrr_device_t
- Allow collectd_t domain to create netlink_generic_socket sockets
- Allow rhsmcertd_t domain to read/write rtas_errd_var_lock_t files
- Allow tmpwatch process labeled as tmpreaper_t domain to execute fuser command.
- Label /etc/postfix/chroot-update as postfix_exec_t
- Update tmpreaper_t policy due to fuser command
- Allow kdump_t domain to create netlink_route and udp sockets
- Allow stratisd to connect to dbus
- Allow fail2ban_t domain to create netlink netfilter sockets.
- Allow dovecot get filesystem quotas
- Allow networkmanager_t domain to execute chronyd binary in chronyd_t domain. BZ(1765689)
- Allow systemd-tmpfiles processes to set rlimit information
- Allow cephfs to use xattrs for storing contexts
- Update files_filetrans_named_content() interface to allow caller domain to create /oldroot /.profile with correct label etc_runtime_t
- Allow nagios_script_t domain list files labled sysfs_t.
- Allow jetty_t domain search and read cgroup_t files.
- Allow Gluster mount client to mount files_type
- Dontaudit and disallow sys_admin capability for keepalived_t domain
- Update numad policy to allow signull, kill, nice and trace processes
- Allow ipmievd_t to RW watchdog devices
- Allow ldconfig_t domain to manage initrc_tmp_t link files Allow netutils_t domain to write to initrc_tmp_t fifo files
- Allow user domains to manage user session services
- Allow staff and user users to get status of user systemd session
- Update sudo_role_template() to allow caller domain to read syslog pid files
macro-exapnder is part of selinux-policy-devel rpm package, but the tool
was installed with wrong permissions set so it was not possible to
execute this tool. This commit fixes the issue.
- Revert "nova.fc: fix duplicated slash"
- Introduce new bolean httpd_use_opencryptoki
- Add new interface apache_read_state()
- Allow setroubleshoot_fixit_t to read random_device_t
- Label /etc/named direcotory as named_conf_t BZ(1759495)
- nova.fc: fix duplicated slash
- Allow dkim to execute sendmail
- Update virt_read_content interface to allow caller domain mmap virt_content_t block devices and files
- Update aide_t domain to allow this tool to analyze also /dev filesystem
- Update interface modutils_read_module_deps to allow caller domain also mmap modules_dep_t files BZ(1758634)
- Allow avahi_t to send msg to xdm_t
- Allow systemd_logind to read dosfs files & dirs Allow systemd-logind - a system service that manages user logins, to read files and list dirs on a DOS filesystem
- Update dev_manage_sysfs() to support managing also lnk files BZ(1759019)
- Allow systemd_logind_t domain to read blk_files in domain removable_device_t
- Add new interface udev_getattr_rules_chr_files()
- Update aide_t domain to allow this tool to analyze also /dev filesystem
- Allow bitlbee_t domain map files in /usr
- Allow stratisd to getattr of fixed disk device nodes
- Add net_broadcast capability to openvswitch_t domain BZ(1716044)
- Allow exim_t to read mysqld conf files if exim_can_connect_db is enabled. BZ(1756973)
- Allow cobblerd_t domain search apache configuration dirs
- Dontaudit NetworkManager_t domain to write to kdump temp pipies BZ(1750428)
- Label /var/log/collectd.log as collectd_log_t
- Allow boltd_t domain to manage sysfs files and dirs BZ(1754360)
- Add fowner capability to the pcp_pmlogger_t domain BZ(1754767)
- networkmanager: allow NetworkManager_t to create bluetooth_socket
- Fix ipa_custodia_stream_connect interface
- Add new interface udev_getattr_rules_chr_files()
- Make dbus-broker service working on s390x arch
- Add new interface dev_mounton_all_device_nodes()
- Add new interface dev_create_all_files()
- Allow systemd(init_t) to load kernel modules
- Allow ldconfig_t domain to manage initrc_tmp_t objects
- Add new interface init_write_initrc_tmp_pipes()
- Add new interface init_manage_script_tmp_files()
- Allow xdm_t setpcap capability in user namespace BZ(1756790)
- Allow x_userdomain to mmap generic SSL certificates
- Allow xdm_t domain to user netlink_route sockets BZ(1756791)
- Update files_create_var_lib_dirs() interface to allow caller domain also set attributes of var_lib_t directory BZ(1754245)
- Allow sudo userdomain to run rpm related commands
- Add sys_admin capability for ipsec_t domain
- Allow systemd_modules_load_t domain to read systemd pid files
- Add new interface init_read_pid_files()
- Allow systemd labeled as init_t domain to manage faillog_t objects
- Add file context ipsec_var_run_t for /var/run/charon\.dck to ipsec.fc
- Make ipa_custodia policy active