Zdenek Pytela
38bdf8abba
* Mon Jan 10 2022 Zdenek Pytela <zpytela@redhat.com> - 34.1.21-1
...
- Remove the lockdown class from the policy
Resolves: rhbz#2017848
- Revert "define lockdown class and access"
Resolves: rhbz#2017848
- Allow gssproxy access to various system files.
Resolves: rhbz#2026974
- Allow gssproxy read, write, and map ica tmpfs files
Resolves: rhbz#2026974
- Allow gssproxy read and write z90crypt device
Resolves: rhbz#2026974
- Allow sssd_kcm read and write z90crypt device
Resolves: rhbz#2026974
- Allow abrt_domain read and write z90crypt device
Resolves: rhbz#2026974
- Allow NetworkManager read and write z90crypt device
Resolves: rhbz#2026974
- Allow smbcontrol read the network state information
Resolves: rhbz#2038157
- Allow virt_domain map vhost devices
Resolves: rhbz#2035702
- Allow fcoemon request the kernel to load a module
Resolves: rhbz#2034463
- Allow lldpd connect to snmpd with a unix domain stream socket
Resolves: rhbz#2033315
- Allow ModemManager create a qipcrtr socket
Resolves: rhbz#2036582
- Allow ModemManager request to load a kernel module
Resolves: rhbz#2036582
- Allow sshd read sysctl files
Resolves: rhbz#2036585
2022-01-10 21:09:15 +01:00
Zdenek Pytela
6bc3bd6ac4
* Wed Dec 15 2021 Zdenek Pytela <zpytela@redhat.com> - 34.1.20-1
...
- Allow dnsmasq watch /etc/dnsmasq.d directories
Resolves: rhbz#2029866
- Label /usr/lib/pcs/pcs_snmp_agent with cluster_exec_t
Resolves: rhbz#2029316
- Allow lldpd use an snmp subagent over a tcp socket
Resolves: rhbz#2028561
- Allow smbcontrol use additional socket types
Resolves: rhbz#2027751
- Add write permission to userfaultfd_anon_inode_perms
Resolves: rhbz#2027660
- Allow xdm_t watch generic directories in /lib
Resolves: rhbz#1960010
- Allow xdm_t watch fonts directories
Resolves: rhbz#1960010
- Label /dev/ngXnY and /dev/nvme-subsysX with fixed_disk_device_t
Resolves: rhbz#2027994
- Add hwtracing_device_t type for hardware-level tracing and debugging
Resolves: rhbz#2029392
- Change dev_getattr_infiniband_dev() to use getattr_chr_files_pattern()
Resolves: rhbz#2028791
- Allow arpwatch get attributes of infiniband_device_t devices
Resolves: rhbz#2028791
- Allow tcpdump and nmap get attributes of infiniband_device_t
Resolves: rhbz#2028791
2021-12-15 17:27:25 +01:00
Zdenek Pytela
470eea63e8
* Mon Nov 29 2021 Zdenek Pytela <zpytela@redhat.com> - 34.1.19-1
...
- Allow redis get attributes of filesystems with extended attributes
Resolves: rhbz#2014611
- Allow dirsrv read slapd tmpfs files
Resolves: rhbz#2015928
- Revert "Label /dev/shm/dirsrv/ with dirsrv_tmpfs_t label"
Resolves: rhbz#2015928
- Allow login_userdomain open/read/map system journal
Resolves: rhbz#2017838
- Allow login_userdomain read and map /var/lib/systemd files
Resolves: rhbz#2017838
- Allow nftables read NetworkManager unnamed pipes
Resolves: rhbz#2023456
- Allow xdm watch generic directories in /var/lib
Resolves: rhbz#1960010
- Allow xdm_t watch generic pid directories
Resolves: rhbz#1960010
2021-11-29 15:31:44 +01:00
Zdenek Pytela
89586f9eb1
* Mon Nov 01 2021 Zdenek Pytela <zpytela@redhat.com> - 34.1.18-1
...
- Allow fetchmail search cgroup directories
Resolves: rhbz#2015118
- Add the auth_read_passwd_file() interface
Resolves: rhbz#2014611
- Allow redis-sentinel execute a notification script
Resolves: rhbz#2014611
- Support new PING_CHECK health checker in keepalived
Resolves: rhbz#2014423
2021-11-01 11:51:58 +01:00
Zdenek Pytela
16d5820b15
* Thu Oct 14 2021 Zdenek Pytela <zpytela@redhat.com> - 34.1.17-1
...
- Label /usr/sbin/virtproxyd as virtd_exec_t
Resolves: rhbz#2002143
- Allow at-spi-bus-launcher read and map xdm pid files
Resolves: rhbz#2011772
- Remove references to init_watch_path_type attribute
Resolves: rhbz#2007960
- Remove all redundant watch permissions for systemd
Resolves: rhbz#2007960
- Allow systemd watch non_security_file_type dirs, files, lnk_files
Resolves: rhbz#2007960
- Allow systemd-resolved watch /run/systemd
Resolves: rhbz#1992461
- Allow sssd watch /run/systemd
Resolves: rhbz#1992461
2021-10-14 09:46:11 +02:00
Zdenek Pytela
5ad9abab43
* Thu Sep 23 2021 Zdenek Pytela <zpytela@redhat.com> - 34.1.16-1
...
- Allow fprintd install a sleep delay inhibitor
Resolves: rhbz#1999537
- Update mount_manage_pid_files() to use manage_files_pattern
Resolves: rhbz#1999997
- Allow gnome at-spi processes create and use stream sockets
Resolves: rhbz#2004885
- Allow haproxy list the sysfs directories content
Resolves: rhbz#1986823
- Allow virtlogd_t read process state of user domains
Resolves: rhbz#1994592
- Support hitless reloads feature in haproxy
Resolves: rhbz#1997182
- Allow firewalld load kernel modules
Resolves: rhbz#1999152
- Allow communication between at-spi and gdm processes
Resolves: rhbz#2003037
2021-09-24 09:21:09 +02:00
Zdenek Pytela
c024fd84d4
Remove "ipa = module" from modules-targeted-contrib.conf
...
Resolves: rhbz#2006039
2021-09-23 21:19:26 +02:00
Zdenek Pytela
ddedf0d0b5
* Mon Aug 30 2021 Zdenek Pytela <zpytela@redhat.com> - 34.1.15-1
...
- Update ica_filetrans_named_content() with create_file_perms
Resolves: rhbz#1976180
- Allow various domains work with ICA crypto accelerator
Resolves: rhbz#1976180
- Add ica module
Resolves: rhbz#1976180
- Revert "Support using ICA crypto accelerator on s390x arch"
Resolves: rhbz#1976180
- Fix the gnome_atspi_domtrans() interface summary
Resolves: rhbz#1972655
- Add support for at-spi
Resolves: rhbz#1972655
- Add permissions for system dbus processes
Resolves: rhbz#1972655
- Allow /tmp file transition for dbus-daemon also for sock_file
Resolves: rhbz#1972655
2021-08-30 16:13:54 +02:00
Zdenek Pytela
b42446e02d
* Wed Aug 25 2021 Zdenek Pytela <zpytela@redhat.com> - 34.1.14-1
...
- Support using ICA crypto accelerator on s390x arch
Resolves: rhbz#1976180
- Allow systemd delete /run/systemd/default-hostname
Resolves: rhbz#1978507
- Label /usr/bin/Xwayland with xserver_exec_t
Resolves: rhbz#1993151
- Label /usr/libexec/gdm-runtime-config with xdm_exec_t
Resolves: rhbz#1993151
- Allow tcpdump read system state information in /proc
Resolves: rhbz#1972577
- Allow firewalld drop capabilities
Resolves: rhbz#1989641
2021-08-25 18:48:38 +02:00
Zdenek Pytela
cf60736fb6
* Thu Aug 12 2021 Zdenek Pytela <zpytela@redhat.com> - 34.1.13-1
...
- Add "/" at the beginning of dev/shm/var\.lib\.opencryptoki.* regexp
Resolves: rhbz#1977915
- Set default file context for /sys/firmware/efi/efivars
Resolves: rhbz#1972372
- Allow tcpdump run as a systemd service
Resolves: rhbz#1972577
- Allow nmap create and use netlink generic socket
Resolves: rhbz#1985212
- Allow nscd watch system db files in /var/db
Resolves: rhbz#1989416
- Allow systemd-gpt-auto-generator read udev pid files
Resolves: rhbz#1992638
2021-08-12 16:15:32 +02:00
Zdenek Pytela
991febef9c
* Tue Aug 10 2021 Zdenek Pytela <zpytela@redhat.com> - 34.1.12-1
...
- Revert "update libs_filetrans_named_content() to have support for /usr/lib/debug directory"
Resolves: rhbz#1990813
- Label /dev/crypto/nx-gzip with accelerator_device_t
Resolves: rhbz#1973953
- Label /usr/bin/qemu-storage-daemon with virtd_exec_t
Resolves: rhbz#1977245
- Allow systemd-machined stop generic service units
Resolves: rhbz#1979522
- Label /.k5identity file allow read of this file to rpc.gssd
Resolves: rhbz#1980610
2021-08-10 16:28:03 +02:00
Mohan Boddu
57b195c83b
Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
...
Related: rhbz#1991688
Signed-off-by: Mohan Boddu <mboddu@redhat.com>
2021-08-10 00:49:40 +00:00
Zdenek Pytela
4548b66f2e
* Thu Jul 29 2021 Zdenek Pytela <zpytela@redhat.com> - 34.1.11-1
...
- Allow hostapd bind UDP sockets to the dhcpd port
Resolves: rhbz#1979968
- Allow mdadm read iscsi pid files
Resolves: rhbz#1976073
- Unconfined domains should not be confined
Resolves: rhbz#1977986
- Allow NetworkManager_t to watch /etc
Resolves: rhbz#1980000
- Allow using opencryptoki for ipsec
Resolves: rhbz#1977915
2021-07-29 17:11:36 +02:00
Zdenek Pytela
c0ea3a13a7
* Wed Jul 14 2021 Zdenek Pytela <zpytela@redhat.com> - 34.1.10-1
...
- Allow bacula get attributes of cgroup filesystems
Resolves: rhbz#1976917
- Label /dev/wmi/dell-smbios as acpi_device_t
Resolves: rhbz#1972382
- Add the lockdown integrity permission to dev_map_userio_dev()
Resolves: rhbz#1966758
- Allow virtlogd_t to create virt_var_lockd_t dir
Resolves: rhbz#1974875
2021-07-14 16:11:07 +02:00
Zdenek Pytela
86f64b8b19
gating.yaml: add missing '}'
2021-07-07 10:46:03 +02:00
Zdenek Pytela
52a5aa8d34
Add gating.yaml to enable functional gating tests
2021-06-30 12:07:25 +02:00
Zdenek Pytela
37bcc175cd
* Tue Jun 22 2021 Zdenek Pytela <zpytela@redhat.com> - 34.1.9-1
...
- Allow systemd-coredump getattr nsfs files and net_admin capability
Resolves: rhbz#1965372
- Label /run/libvirt/common with virt_common_var_run_t
Resolves: rhbz#1969209
- Label /usr/bin/arping plain file with netutils_exec_t
Resolves: rhbz#1952515
- Make usbmuxd_t a daemon
Resolves: rhbz#1965411
- Allow usbmuxd get attributes of cgroup filesystems
Resolves: rhbz#1965411
- Label /dev/dma_heap/* char devices with dma_device_t
- Revert "Label /dev/dma_heap/* char devices with dma_device_t"
- Revert "Label /dev/dma_heap with dma_device_dir_t"
- Revert "Associate dma_device_dir_t with device filesystem"
Resolves: rhbz#1967818
- Label /var/lib/kdump with kdump_var_lib_t
Resolves: rhbz#1965989
- Allow systemd-timedated watch runtime dir and its parent
Resolves: rhbz#1970865
- Label /run/fsck with fsadm_var_run_t
Resolves: rhbz#1970911
2021-06-22 14:41:30 +02:00
Zdenek Pytela
042fffd52c
* Thu Jun 10 2021 Zdenek Pytela <zpytela@redhat.com> - 34.1.8-1
...
- Associate dma_device_dir_t with device filesystem
Resolves: rhbz#1954116
- Add default file context specification for dnf log files
Resolves: rhbz#1955223
- Allow using opencryptoki for certmonger
Resolves: rhbz#1961756
- Label var.lib.opencryptoki.* files and create pkcs_tmpfs_filetrans()
Resolves: rhbz#1961756
- Allow httpd_sys_script_t read, write, and map hugetlbfs files
Resolves: rhbz#1964890
- Dontaudit daemon open and read init_t file
Resolves: rhbz#1965412
- Allow sanlock get attributes of cgroup filesystems
Resolves: rhbz#1965217
2021-06-10 23:07:44 +02:00
Zdenek Pytela
5d2a514c72
* Tue Jun 08 2021 Zdenek Pytela <zpytela@redhat.com> - 34.1.7-1
...
- Set default file context for /var/run/systemd instead of /run/systemd
Resolves: rhbz#1966492
2021-06-08 19:26:12 +02:00
Zdenek Pytela
a0031a1fc3
* Mon Jun 07 2021 Zdenek Pytela <zpytela@redhat.com> - 34.1.6-1
...
- Label /dev/dma_heap with dma_device_dir_t
Resolves: rhbz#1954116
- Allow pkcs-slotd create and use netlink_kobject_uevent_socket
Resolves: rhbz#1963252
- Label /run/systemd/default-hostname with hostname_etc_t
Resolves: rhbz#1966492
2021-06-07 16:34:34 +02:00
Zdenek Pytela
14a2757535
* Thu May 27 2021 Zdenek Pytela <zpytela@redhat.com> - 34.1.5-1
...
- Label /dev/trng with random_device_t
Resolves: rhbz#1962260
- Label /dev/zram[0-9]+ block device files with fixed_disk_device_t
Resolves: rhbz#1954116
- Label /dev/udmabuf character device with dma_device_t
Resolves: rhbz#1954116
- Label /dev/dma_heap/* char devices with dma_device_t
Resolves: rhbz#1954116
- Label /dev/acpi_thermal_rel char device with acpi_device_t
Resolves: rhbz#1954116
- Allow fcoemon create sysfs files
Resolves: rhbz#1952292
2021-05-27 14:57:41 +02:00
Zdenek Pytela
61280fbdd0
* Wed May 12 2021 Zdenek Pytela <zpytela@redhat.com> - 34.1.4-1
...
- Allow sysadm_t dbus chat with tuned
Resolves: rhbz#1953643
- Allow tuned write profile files with file transition
Resolves: rhbz#1953643
- Allow tuned manage perf_events
Resolves: rhbz#1953643
- Make domains use kernel_write_perf_event() and kernel_manage_perf_event()
Resolves: rhbz#1953643
- Add kernel_write_perf_event() and kernel_manage_perf_event()
Resolves: rhbz#1953643
- Allow syslogd_t watch root and var directories
Resolves: rhbz#1957792
- Allow tgtd create and use rdma socket
Resolves: rhbz#1955559
- Allow aide connect to init with a unix socket
Resolves: rhbz#1926343
2021-05-12 15:45:13 +02:00
Zdenek Pytela
997ca10921
* Wed Apr 28 2021 Zdenek Pytela <zpytela@redhat.com> - 34.1.3-1
...
- Allow domain create anonymous inodes
Resolves: rhbz#1954145
- Add anon_inode class to the policy
Resolves: rhbz#1954145
- Allow pluto IKEv2 / ESP over TCP
Resolves: rhbz#1951471
- Add brltty new permissions required by new upstream version
Resolves: rhbz#1947842
- Label /var/lib/brltty with brltty_var_lib_t
Resolves: rhbz#1947842
- Allow login_userdomain create cgroup files
Resolves: rhbz#1951114
- Allow aide connect to systemd-userdbd with a unix socket
Resolves: rhbz#1926343
- Allow cups-lpd read its private runtime socket files
Resolves: rhbz#1947397
- Label /etc/redis as redis_conf_t
Resolves: rhbz#1947874
- Add file context specification for /usr/libexec/realmd
Resolves: rhbz#1946495
2021-04-28 15:25:09 +02:00
Zdenek Pytela
d48e2527dc
* Thu Apr 22 2021 Zdenek Pytela <zpytela@redhat.com> - 34.1.2-1
...
- Further update make-rhat-patches.sh for RHEL 9.0 beta
- Add file context specification for /var/tmp/tmp-inst
Resolves: rhbz#1924656
2021-04-22 13:47:13 +02:00
Zdenek Pytela
40e9a7fb1f
* Wed Apr 21 2021 Zdenek Pytela <zpytela@redhat.com> - 34.1.1-1
...
- Update selinux-policy.spec and make-rhat-patches.sh for RHEL 9.0 beta
- Allow unconfined_service_t confidentiality and integrity lockdown
Resolves: rhbz#1950267
2021-04-21 21:27:35 +02:00
Mohan Boddu
b8bce4d7d2
- Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937
...
Signed-off-by: Mohan Boddu <mboddu@redhat.com>
2021-04-16 05:35:15 +00:00
DistroBaker
0c7d2cb554
Merged update from upstream sources
...
This is an automated DistroBaker update from upstream sources.
If you do not know what this is about or would like to opt out,
contact the OSCI team.
Source: https://src.fedoraproject.org/rpms/selinux-policy.git#b599883a670d1bbd3ee0d8a4386b917f0ba3781d
2021-04-04 19:30:25 +00:00
DistroBaker
e671ae4028
Merged update from upstream sources
...
This is an automated DistroBaker update from upstream sources.
If you do not know what this is about or would like to opt out,
contact the OSCI team.
Source: https://src.fedoraproject.org/rpms/selinux-policy.git#9e9c1b67b363a55618c218f648491cd9c4830e8d
2021-03-31 18:45:22 +00:00
DistroBaker
ba2607aba9
Merged update from upstream sources
...
This is an automated DistroBaker update from upstream sources.
If you do not know what this is about or would like to opt out,
contact the OSCI team.
Source: https://src.fedoraproject.org/rpms/selinux-policy.git#2b6e9bd08f688cf6ad39a2dbad7531164a22fff5
2021-03-28 20:10:28 +00:00
DistroBaker
d69f76993a
Merged update from upstream sources
...
This is an automated DistroBaker update from upstream sources.
If you do not know what this is about or would like to opt out,
contact the OSCI team.
Source: https://src.fedoraproject.org/rpms/selinux-policy.git#8c7a9eaa8cb01c7fbadd4104c2e1cafb819f0a89
2021-03-15 19:41:15 +00:00
DistroBaker
4508ded93f
Merged update from upstream sources
...
This is an automated DistroBaker update from upstream sources.
If you do not know what this is about or would like to opt out,
contact the OSCI team.
Source: https://src.fedoraproject.org/rpms/selinux-policy.git#7d544924d94f99f4e8c9ee3c995d131c8c6be206
2021-02-20 17:32:55 +00:00
DistroBaker
7d8a7d8d32
Merged update from upstream sources
...
This is an automated DistroBaker update from upstream sources.
If you do not know what this is about or would like to opt out,
contact the OSCI team.
Source: https://src.fedoraproject.org/rpms/selinux-policy.git#912df6d5ff592ea23f7d034ac8eede8c24c6b985
2021-02-17 12:42:58 +01:00
DistroBaker
0d835ab10a
Merged update from upstream sources
...
This is an automated DistroBaker update from upstream sources.
If you do not know what this is about or would like to opt out,
contact the OSCI team.
Source: https://src.fedoraproject.org/rpms/selinux-policy.git#912df6d5ff592ea23f7d034ac8eede8c24c6b985
2021-02-17 08:17:18 +00:00
DistroBaker
f521412d05
Merged update from upstream sources
...
This is an automated DistroBaker update from upstream sources.
If you do not know what this is about or would like to opt out,
contact the OSCI team.
Source: https://src.fedoraproject.org/rpms/selinux-policy.git#ad33d7979e1d6eb8cb76a1176222778f981b4c4e
2021-02-13 00:52:48 +00:00
DistroBaker
ece0d0b7b5
Merged update from upstream sources
...
This is an automated DistroBaker update from upstream sources.
If you do not know what this is about or would like to opt out,
contact the OSCI team.
Source: https://src.fedoraproject.org/rpms/selinux-policy.git#942c59859e64bf268aaf0f161f26fe50d188dc4b
2021-02-12 06:32:55 +00:00
DistroBaker
eea0ee325a
Merged update from upstream sources
...
This is an automated DistroBaker update from upstream sources.
If you do not know what this is about or would like to opt out,
contact the OSCI team.
Source: https://src.fedoraproject.org/rpms/selinux-policy.git#c7e90bc1966a5ae10e5353dcd8f6ce95b89a4074
2021-02-09 04:48:56 +00:00
DistroBaker
8e575c9c13
Merged update from upstream sources
...
This is an automated DistroBaker update from upstream sources.
If you do not know what this is about or would like to opt out,
contact the OSCI team.
Source: https://src.fedoraproject.org/rpms/selinux-policy.git#c2d5ebb406c8c797f8649613eea182f482be67fe
2021-02-05 19:32:49 +00:00
DistroBaker
ed75dbd813
Merged update from upstream sources
...
This is an automated DistroBaker update from upstream sources.
If you do not know what this is about or would like to opt out,
contact the OSCI team.
Source: https://src.fedoraproject.org/rpms/selinux-policy.git#f38b38e51ef448ce19c0a0407ad298d3efab23b9
2021-01-22 10:21:40 +00:00
DistroBaker
0397c4c5ec
Merged update from upstream sources
...
This is an automated DistroBaker update from upstream sources.
If you do not know what this is about or would like to opt out,
contact the OSCI team.
Source: https://src.fedoraproject.org/rpms/selinux-policy.git#d76e0b4040478d5497587132b1c5aba5af644aed
2021-01-09 09:21:37 +00:00
DistroBaker
a2fc5fba64
Merged update from upstream sources
...
This is an automated DistroBaker update from upstream sources.
If you do not know what this is about or would like to opt out,
contact the OSCI team.
Source: https://src.fedoraproject.org/rpms/selinux-policy.git#d5b79a1cb725b8d95cc6140a4eb965fea7374ece
2020-12-17 21:38:57 +00:00
DistroBaker
7cee52182d
Merged update from upstream sources
...
This is an automated DistroBaker update from upstream sources.
If you do not know what this is about or would like to opt out,
contact the OSCI team.
Source: https://src.fedoraproject.org/rpms/selinux-policy.git#fa72125856bf3148d227f294213f8a446fe75cd0
2020-12-17 03:03:39 +00:00
DistroBaker
14735eb5eb
Merged update from upstream sources
...
This is an automated DistroBaker update from upstream sources.
If you do not know what this is about or would like to opt out,
contact the OSCI team.
Source: https://src.fedoraproject.org/rpms/selinux-policy.git#e94a380d324949b0fc1f903c7b11c1e44e5fe442
2020-12-01 19:27:05 +00:00
DistroBaker
cafbcb567e
Merged update from upstream sources
...
This is an automated DistroBaker update from upstream sources.
If you do not know what this is about or would like to opt out,
contact the OSCI team.
Source: https://src.fedoraproject.org/rpms/selinux-policy.git#595a6449f5abcc3114363c116e7553287deaebee
2020-11-25 16:25:36 +00:00
Troy Dawson
2fc3743e24
RHEL 9.0.0 Alpha bootstrap
...
The content of this branch was automatically imported from Fedora ELN
with the following as its source:
https://src.fedoraproject.org/rpms/selinux-policy#05fb517c90ca63c44475836508d3946a4eb6c232
2020-11-16 14:01:44 -08:00
DistroBaker
c0c357c156
Merged update from upstream sources
...
This is an automated DistroBaker update from upstream sources.
If you do not know what this is about or would like to opt out,
contact the OSCI team.
Source: https://src.fedoraproject.org/rpms/selinux-policy.git#e88945f82ad9e3f5a742fcaf10fe1fa36603c4c2
2020-11-06 00:43:32 +00:00
DistroBaker
478f57b9e8
Merged update from upstream sources
...
This is an automated DistroBaker update from upstream sources.
If you do not know what this is about or would like to opt out,
contact the OSCI team.
Source: https://src.fedoraproject.org/rpms/selinux-policy.git#4da7d1152a950e9266b347d74ef778c0e899c8dc
2020-10-27 22:21:32 +01:00
Troy Dawson
7975d49f67
RHEL 9.0.0 Alpha bootstrap
...
The content of this branch was automatically imported from Fedora ELN
with the following as its source:
https://src.fedoraproject.org/rpms/selinux-policy#fe20768333d6dfa8183364a04e3c4327c8185427
2020-10-15 09:28:03 -07:00
Release Configuration Management
cc2b4860c9
New branch setup
2020-10-09 04:31:37 +00:00