- auth_use_nsswitch() interface cannot be used for attributes fixing munin policy
- Allow git_script_t to mmap git_user_content_t files BZ(1530937)
- Allow certmonger domain to create temp files BZ(1530795)
- Improve interface mock_read_lib_files() to include also symlinks. BZ(1530563)
- Allow fsdaemon_t to read nvme devices BZ(1530018)
- Dontaudit fsdaemon_t to write to admin homedir. BZ(153030)
- Update munin plugin policy BZ(1528471)
- Allow sendmail_t domain to be system dbusd client BZ(1478735)
- Allow amanda_t domain to getattr on tmpfs filesystem BZ(1527645)
- Allow named file transition to create rpmrebuilddb dir with proper SELinux context BZ(1461313)
- Dontaudit httpd_passwd_t domain to read state of systemd BZ(1522672)
- Allow thumb_t to mmap non security files BZ(1517393)
- Allow smbd_t to mmap files with label samba_share_t BZ(1530453)
- Fix broken sysnet_filetrans_named_content() interface
- Allow init_t to create tcp sockets for unconfined services BZ(1366968)
- Allow xdm_t to getattr on xserver_t process files BZ(1506116)
- Allow domains which can create resolv.conf file also create it in systemd_resolved_var_run_t dir BZ(1530297)
- Allow X userdomains to send dgram msgs to xserver_t BZ(1515967)
- Add interface files_map_non_security_files()
- Allow crond_t to read pcp lib files BZ(1525420)
- Allow mozilla plugin domain to mmap user_home_t files BZ(1452783)
- Allow certwatch_t to mmap generic certs. BZ(1527173)
- Allow dspam_t to manage dspam_rw_conent_t objects. BZ(1290876)
- Add interface userdom_map_user_home_files()
- Sytemd introduced new feature when journald(syslogd_t) is trying to read symlinks to unit files in /run/systemd/units. This commit label /run/systemd/units/* as systemd_unit_file_t and allow syslogd_t to read this content. BZ(1527202)
- Allow xdm_t dbus chat with modemmanager_t BZ(1526722)
- All domains accessing home_cert_t objects should also mmap it. BZ(1519810)
This directory is already owned by rpm. I couldn't find a specific
section in the packaging guidelines, but it seems to me we shouldn't do
this. There's no good reason for it and it can lead to confusion.
Quickly scanning over all Fedora spec files that install RPM macros, I
couldn't find any other package that owns `%{_rpmconfigdir}`.
- Allow pcp_pmlogger to send logs to journal BZ(1512367)
- Merge pull request #40 from lslebodn/kcm_kerberos
- Allow services to use kerberos KCM BZ(1512128)
- Allow system_mail_t domain to be system_dbus_client BZ(1512476)
- Allow aide domain to stream connect to sssd_t BZ(1512500)
- Allow squid_t domain to mmap files with label squid_tmpfs_t BZ(1498809)
- Allow nsd_t domain to mmap files with labels nsd_tmp_t and nsd_zone_t BZ(1511269)
- Include cupsd_config_t domain into cups_execmem boolean. BZ(1417584)
- Allow samba_net_t domain to mmap samba_var_t files BZ(1512227)
- Allow lircd_t domain to execute shell BZ(1512787)
- Allow thumb_t domain to setattr on cache_home_t dirs BZ(1487814)
- Allow redis to creating tmp files with own label BZ(1513518)
- Create new interface thumb_nnp_domtrans allowing domaintransition with NoNewPrivs. This interface added to thumb_run() BZ(1509502)
- Allow httpd_t to mmap httpd_tmp_t files BZ(1502303)
- Add map permission to samba_rw_var_files interface. BZ(1513908)
- Allow cluster_t domain creating bundles directory with label var_log_t instead of cluster_var_log_t
- Add dac_read_search and dac_override capabilities to ganesha
- Allow ldap_t domain to manage also slapd_tmp_t lnk files
- Allow snapperd_t domain to relabeling from snapperd_data_t BZ(1510584)
- Add dac_override capability to dhcpd_t doamin BZ(1510030)
- Allow snapperd_t to remove old snaps BZ(1510862)
- Allow chkpwd_t domain to mmap system_db_t files and be dbus system client BZ(1513704)
- Allow xdm_t send signull to all xserver unconfined types BZ(1499390)
- Allow fs associate for sysctl_vm_t BZ(1447301)
- Label /etc/init.d/vboxdrv as bin_t to run virtualbox as unconfined_service_t BZ(1451479)
- Allow xdm_t domain to read usermodehelper_t state BZ(1412609)
- Allow dhcpc_t domain to stream connect to userdomain domains BZ(1511948)
- Allow systemd to mmap kernel modules BZ(1513399)
- Allow userdomains to mmap fifo_files BZ(1512242)
- Merge pull request #205 from rhatdan/labels
- Add map permission to init_domtrans() interface BZ(1513832)
- Allow xdm_t domain to mmap and execute files in xdm_var_run_t BZ(1513883)
- Unconfined domains, need to create content with the correct labels
- Container runtimes are running iptables within a different user namespace
- Add interface files_rmdir_all_dirs()
- Allow jabber domains to connect to postgresql ports
- Dontaudit slapd_t to block suspend system
- Allow spamc_t to stream connect to cyrys.
- Allow passenger to connect to mysqld_port_t
- Allow ipmievd to use nsswitch
- Allow chronyc_t domain to use user_ptys
- Label all files /var/log/opensm.* as opensm_log_t because opensm creating new log files with name opensm-subnet.lst
- Fix typo bug in tlp module
- Allow userdomain gkeyringd domain to create stream socket with userdomain
- Merge pull request #37 from milosmalik/rawhide
- Allow mozilla_plugin_t domain to dbus chat with devicekit
- Dontaudit leaked logwatch pipes
- Label /usr/bin/VGAuthService as vmtools_exec_t to confine this daemon.
- Allow httpd_t domain to execute hugetlbfs_t files BZ(1444546)
- Allow chronyd daemon to execute chronyc. BZ(1507478)
- Allow pdns to read network system state BZ(1507244)
- Allow gssproxy to read network system state Resolves: rhbz#1507191
- Allow nfsd_t domain to read configfs_t files/dirs
- Allow tgtd_t domain to read generic certs
- Allow ptp4l to send msgs via dgram socket to unprivileged user domains
- Allow dirsrv_snmp_t to use inherited user ptys and read system state
- Allow glusterd_t domain to create own tmpfs dirs/files
- Allow keepalived stream connect to snmp
- Allow zabbix_t domain to change its resource limits
- Add new boolean nagios_use_nfs
- Allow system_mail_t to search network sysctls
- Hide all allow rules with ptrace inside deny_ptrace boolean
- Allow nagios_script_t to read nagios_spool_t files
- Allow sbd_t to create own sbd_tmpfs_t dirs/files
- Allow firewalld and networkmanager to chat with hypervkvp via dbus
- Allow dmidecode to read rhsmcert_log_t files
- Allow mail system to connect mariadb sockets.
- Allow nmbd_t domain to mmap files labeled as samba_var_t. BZ(1505877)
- Make user account setup in gnome-initial-setup working in Workstation Live system. BZ(1499170)
- Allow iptables_t to run setfiles to restore context on system
- Updatre unconfined_dontaudit_read_state() interface to dontaudit also acess to files. BZ(1503466)
- Label /usr/libexec/bluetooth/obexd as bluetoothd_exec_t to run process as bluetooth_t
- Allow chronyd_t do request kernel module and block_suspend capability
- Allow system_cronjob_t to create /var/lib/letsencrypt dir with right label
- Allow slapd_t domain to mmap files labeled as slpad_db_t BZ(1505414)
- Allow dnssec_trigger_t domain to execute binaries with dnssec_trigeer_exec_t BZ(1487912)
- Allow l2tpd_t domain to send SIGKILL to ipsec_mgmt_t domains BZ(1505220)
- Allow thumb_t creating thumb_home_t files in user_home_dir_t direcotry BZ(1474110)
- Allow httpd_t also read httpd_user_content_type dirs when httpd_enable_homedirs is enables
- Allow svnserve to use kerberos
- Allow conman to use ptmx. Add conman_use_nfs boolean
- Allow nnp transition for amavis and tmpreaper SELinux domains
- Allow chronyd_t to mmap chronyc_exec_t binary files
- Add dac_read_search capability to openvswitch_t domain
- Allow svnserve to manage own svnserve_log_t files/dirs
- Allow keepalived_t to search network sysctls
- Allow puppetagent_t domain dbus chat with rhsmcertd_t domain
- Add kill capability to openvswitch_t domain
- Label also compressed logs in /var/log for different services
- Allow inetd_child_t and system_cronjob_t to run chronyc.
- Allow chrony to create netlink route sockets
- Add SELinux support for chronyc
- Add support for running certbot(letsencrypt) in crontab
- Allow nnp trasintion for unconfined_service_t
- Allow unpriv user domains and unconfined_service_t to use chronyc
- Drop *.lst files from file list
- Ship file_contexts.homedirs in store
- Allow proper transition when systems starting pdns to pdns_t domain. BZ(1305522)
- Allow haproxy daemon to reexec itself. BZ(1447800)
- Allow conmand to use usb ttys.
- Allow systemd_machined to read mock lib files. BZ(1504493)
- Allow systemd_resolved_t to dbusd chat with NetworkManager_t BZ(1505081)
Recent libsemanage-2.7-4.fc28 keeps copy of file_contexts.homedirs in
policy store in order to support listing homedirs file contexts in
semanage fcontext -l
- Fix typo in virt file contexts file
- allow ipa_dnskey_t to read /proc/net/unix file
- Allow openvswitch to run setfiles in setfiles_t domain.
- Allow openvswitch_t domain to read process data of neutron_t domains
- Fix typo in ipa_cert_filetrans_named_content() interface
- Fix typo bug in summary of xguest SELinux module
- Allow virtual machine with svirt_t label to stream connect to openvswitch.
- Label qemu-pr-helper script as virt_exec_t so this script won't run as unconfined_service_t
- Allow cloud-init to create content in /var/run/cloud-init
- Dontaudit VM to read gnome-boxes process data BZ(1415975)
- Allow winbind_t domain mmap samba_var_t files
- Allow cupsd_t to execute ld_so_cache_t BZ(1478602)
- Update dev_rw_xserver_misc() interface to allo source domains to mmap xserver devices BZ(1334035)
- Add dac_override capability to groupadd_t domain BZ(1497091)
- Allow unconfined_service_t to start containers
When selinux-policy is uninstalled, SELinux is changed to permissive and
/etc/selinux/config is updated to disable SELinux. But it doesn't apply
when selinux-policy-{targeted,mls,minimum} are uninstalled.
With this change when one of the policy subpackages is uninstalled
and the current policy type is same as the uninstalled policy, SELinux
is switched to permissive and disabled in config file as well.
Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1498569
https://fedoraproject.org/wiki/SELinux_Policy_Modules_Packaging_Draft#Build_Dependencies
The /usr/share/selinux/devel/policyhelp requirement was necessary to
extract the version number of the selinux-policy package being built
against, which is used to enforce a minimum version requirement on
selinux-policy when the built package is installed. The policyhelp file
itself can be found in either the selinux-policy, selinux-policy-devel,
or selinux-policy-doc package (depending on OS release), which is why we
cannot simply use a package name unless we are prepared to sacrifice
spec file portability. From Fedora 20 onwards, this method is no longer
necessary, so if your packaging is not targeting any releases prior to
Fedora 20 or EPEL-5/6, the /usr/share/selinux/devel/policyhelp
requirement is not needed.
Resolves: rhbz#1498429
- Allow cupsd_t to execute ld_so_cache_t BZ(1478602)
- Allow firewalld_t domain to change object identity because of relabeling after using firewall-cmd BZ(1469806)
- Allow postfix_cleanup_t domain to stream connect to all milter sockets BZ(1436026)
- Allow nsswitch_domain to read virt_var_lib_t files, because of libvirt NSS plugin. BZ(1487531)
- Add unix_stream_socket recvfrom perm for init_t domain BZ(1496318)
- Allow systemd to maange sysfs BZ(1471361)
See <https://pagure.io/atomic-wg/issue/341> - basically for libostree
(and hence rpm-ostree, and Fedora Editions that use it like Fedora Atomic Host),
the Anaconda `selinux --enforcing` verb will end up rewriting
`/etc/selinux/config` to the same value it had before.
But because of the trailing space character, this generates
a difference, and means the config file appears locally modified,
and hence deployed systems won't receive updates.
I think Anaconda should also be fixed to avoid touching the file *at all*
if it wouldn't result in a change, but let's remove the trailing space
here too, as it's better to fix in two places.
- Allow passwd_t domain mmap /etc/shadow and /etc/passwd
- Allow pulseaudio_t domain to map user tmp files
- Allow mozilla plugin to mmap mozilla tmpfs files
- Add new bunch of map rules
- Merge pull request #25 from NetworkManager/nm-ovs
- Make working webadm_t userdomain
- Allow redis domain to execute shell scripts.
- Allow system_cronjob_t to create redhat-access-insights.log with var_log_t
- Add couple capabilities to keepalived domain and allow get attributes of all domains
- Allow dmidecode read rhsmcertd lock files
- Add new interface rhsmcertd_rw_lock_files()
- Add new bunch of map rules
- Merge pull request #199 from mscherer/add_conntrackd
- Add support labeling for vmci and vsock device
- Add userdom_dontaudit_manage_admin_files() interface
- Add rules fixing installing ipa-server-install with SELinux in Enforcing. BZ(1488404)
- Fix denials during ipa-server-install process on F27+
- Allow httpd_t to mmap cert_t
- Add few rules to make tlp_t domain working in enforcing mode
- Allow cloud_init_t to dbus chat with systemd_timedated_t
- Allow logrotate_t to write to kmsg
- Add capability kill to rhsmcertd_t
- Allow winbind to manage smbd_tmp_t files
- Allow groupadd_t domain to dbus chat with systemd.BZ(1488404)
- Add interface miscfiles_map_generic_certs()
- Allow dirsrv_t domain use mmap on files labeled as dirsrv_var_run_t BZ(1483170)
- Allow just map permission insead of using mmap_file_pattern because mmap_files_pattern allows also executing objects.
- Label /var/run/agetty.reload as getty_var_run_t
- Add missing filecontext for sln binary
- Allow systemd to read/write to event_device_t BZ(1471401)
- Allow osad make executable an anonymous mapping or private file mapping that is writable BZ(1425524)
- After fix in kernel where LSM hooks for dac_override and dac_search_read capability was swaped we need to fix it also in policy
- refpolicy: Define and allow map permission
- init: Add NoNewPerms support for systemd.
- Add nnp_nosuid_transition policycap and related class/perm definitions.
- Allow rpcbind_t to execute systemd_tmpfiles_exec_t binary files.
- Merge branch 'rawhide' of github.com:wrabcak/selinux-policy-contrib into rawhide
- Allow qemu to authenticate SPICE connections with SASL GSSAPI when SSSD is in use
- Fix dbus_dontaudit_stream_connect_system_dbusd() interface to require TYPE rather than ATTRIBUTE for systemd_dbusd_t.
- Allow httpd_t to read realmd_var_lib_t files
- Allow unconfined_t user all user namespace capabilties.
- Add interface systemd_tmpfiles_exec()
- Add interface libs_dontaudit_setattr_lib_files()
- Dontaudit xdm_t domain to setattr on lib_t dirs
- Allow sysadm_r role to jump into dirsrv_t
- Dontaudit net_admin capability for domains postfix_master_t and postfix_qmgr_t
- Add interface pki_manage_common_files()
- Allow rngd domain read sysfs_t
- Allow tomcat_t domain to manage pki_common_t files and dirs
- Merge pull request #3 from rhatdan/devicekit
- Merge pull request #12 from lslebodn/sssd_sockets_fc
- Allow certmonger reads httpd_config_t files
- Allow keepalived_t domain creating netlink_netfilter_socket.
- Use stricter fc rules for sssd sockets in /var/run
- Allow tomcat domain read rpm_var_lib_t files Allow tomcat domain exec rpm_exec_t files Allow tomcat domain name connect on oracle_port_t Allow tomcat domain read cobbler_var_lib_t files.
- Allow sssd_t domain creating sock files labeled as sssd_var_run_t in /var/run/
- Allow svirt_t to read raw fixed_disk_device_t to make working blockcommit
- ejabberd small fixes
- Update targetd policy to accommodate changes in the service
- Allow tomcat_domain connect to * postgresql_port_t * amqp_port_t Allow tomcat_domain read network sysctls
- Allow virt_domain to read raw fixed_disk_device_t to make working blockcommit
- Dontaudit net_admin capability for useradd_t domain
- Allow systemd_localed_t and systemd_timedated_t create files in /etc with label locate_t BZ(1443723)
- Make able deply overcloud via neutron_t to label nsfs as fs_t
- Add fs_manage_configfs_lnk_files() interface
- Allow svirt_t to read raw fixed_disk_device_t to make working blockcommit
- ejabberd small fixes
- Update targetd policy to accommodate changes in the service
- Allow tomcat_domain connect to * postgresql_port_t * amqp_port_t Allow tomcat_domain read network sysctls
- Allow virt_domain to read raw fixed_disk_device_t to make working blockcommit
- Allow glusterd_t domain start ganesha service
- Made few cosmetic changes in sssd SELinux module
- Merge pull request #11 from lslebodn/sssd_kcm
- Update virt_rw_stream_sockets_svirt() interface to allow confined users set socket options.
- Allow keepalived_t domain read usermodehelper_t
- Allow radius domain stream connec to postgresql
- Merge pull request #8 from bowlofeggs/142-rawhide
- Add fs_manage_configfs_lnk_files() interface
libsemanage was updated [1] to use {policy,seusers,users_extra}.linked files
to cache the linked policy prior to merging local changes. We don't need
to ship these files, however the files should be owned by selinux-policy
packages on a filesystem.
[1] 8702a865e0
Each time this package is updated, it remove the sandbox module, thus
making the sandbox command not working until someone reenable it.
The main cause is likely the non intuitive ordering of RPM post install
script, as %preun is run after %post. See the details on
https://fedoraproject.org/wiki/Packaging:Scriptlets
- Allow tlp_t domain to ioctl removable devices BZ(1436830)
- Allow tlp_t domain domtrans into mount_t BZ(1442571)
- Allow lircd_t to read/write to sysfs BZ(1442443)
- Fix policy to reflect all changes in new IPA release
- Allow virtlogd_t to creating tmp files with virt_tmp_t labels.
- Allow sbd_t to read/write fixed disk devices
- Add sys_ptrace capability to radiusd_t domain
- Allow cockpit_session_t domain connects to ssh tcp ports.
- Update tomcat policy to make working ipa install process
- Allow pcp_pmcd_t net_admin capability. Allow pcp_pmcd_t read net sysctls Allow system_cronjob_t create /var/run/pcp with pcp_var_run_t
- Fix all AVC denials during pkispawn of CA Resolves: rhbz#1436383
- Update pki interfaces and tomcat module
- Allow sendmail to search network sysctls
- Add interface gssd_noatsecure()
- Add interface gssproxy_noatsecure()
- Allow chronyd_t net_admin capability to allow support HW timestamping.
- Update tomcat policy.
- Allow certmonger to start haproxy service
- Fix init Module
- Make groupadd_t domain as system bus client BZ(1416963)
- Make useradd_t domain as system bus client BZ(1442572)
- Allow xdm_t to gettattr /dev/loop-control device BZ(1385090)
- Dontaudit gdm-session-worker to view key unknown. BZ(1433191)
- Allow init noatsecure for gssd and gssproxy
- Allow staff user to read fwupd_cache_t files
- Remove typo bugs
- Remove /proc <<none>> from fedora policy, it's no longer necessary
- Merge pull request #4 from lslebodn/sssd_socket_activated
- Remove /proc <<none>> from fedora policy, it's no longer necessary
- Allow iptables get list of kernel modules
- Allow unconfined_domain_type to enable/disable transient unit
- Add interfaces init_enable_transient_unit() and init_disable_transient_unit
- Revert "Allow sshd setcap capability. This is needed due to latest changes in sshd"
- Label sysroot dir under ostree as root_t
- Make fwupd_var_lib_t type mountpoint. BZ(1429341)
- Remove tomcat_t domain from unconfined domains
- Create new boolean: sanlock_enable_home_dirs()
- Allow mdadm_t domain to read/write nvme_device_t
- Remove httpd_user_*_content_t domains from user_home_type attribute. This tighten httpd policy and acces to user data will be more strinct, and also fix mutual influente between httpd_enable_homedirs and httpd_read_user_content
- Add interface dev_rw_nvme
- Label all files containing hostname substring in /etc/ created by systemd_hostnamed_t as hostname_etc_t. BZ(1433555)
- Merge pull request #187 from rhatdan/container-selinux
- Allow rhsmcertd domain signull kernel.
- Allow container-selinux to handle all policy for container processes
- Fix label for nagios plugins in nagios file conxtext file
- su using libselinux and creating netlink_selinux socket is needed to allow libselinux initialization. Resolves: rhbz#1146987
- Add SELinux support for systemd-initctl daemon
- Add SELinux support for systemd-bootchart
- su using libselinux and creating netlink_selinux socket is needed to allow libselinux initialization. Resolves: rhbz#1146987
- Add module_load permission to can_load_kernmodule
- Add module_load permission to class system
- Add the validate_trans access vector to the security class
- Restore connecto permssions for init_t
- After the latest changes in nfsd. We should allow nfsd_t to read raw fixed disk. For more info see: BZ(1403017)
- Tighten security on containe types
- Make working cracklib_password_check for MariaDB service
- Label 20514 tcp/udp ports as syslogd_port_t Label 10514 tcp/udp portas as syslog_tls_port_t BZ(1410505)
- Allow pptp_t to read /dev/random BZ(1404248)
- Allow glusterd_t send signals to userdomain. Label new glusterd binaries as glusterd_exec_t
- Allow systemd to stop glusterd_t domains.
- Merge branch 'rawhide-base' of github.com:fedora-selinux/selinux-policy into rawhide-base
- Label /usr/sbin/sln as ldconfig_exec_t BZ(1378323)
- Revert "Allow an domain that has an entrypoint from a type to be allowed to execute the entrypoint without a transition, I can see no case where this is a bad thing, and elminiates a whole class of AVCs."
- Fix some boolean descriptions.
- Add fwupd_dbus_chat() interface
- Allow tgtd_t domain wake_alarm
- Merge pull request #172 from vinzent/allow_puppetagent_timedated
- Dontaudit logrotate_t to getattr nsfs_t BZ(1399081)
- Allow systemd_machined_t to start unit files labeled as init_var_run_t
- Add init_manage_config_transient_files() interface
- In Atomic /usr/local is a soft symlink to /var/usrlocal, so the default policy to apply bin_t on /usr/...bin doesn't work and binaries dumped here get mislabeled as var_t.
- Allow systemd to raise rlimit to all domains.BZ(1365435)
- Add interface domain_setrlimit_all_domains() interface
- Allow staff_t user to chat with fwupd_t domain via dbus
- Update logging_create_devlog_dev() interface to allow calling domain create also sock_file dev-log. BZ(1393774)
- Allow systemd-networkd to read network state BZ(1400016)
- Allow systemd-resolved bind to dns port. BZ(1400023)
- Allow systemd create /dev/log in own mount-namespace. BZ(1383867)
- Add interface fs_dontaudit_getattr_nsfs_files()
- Label /usr/lib/systemd/resolv.conf as lib_t to allow all domains read this file. BZ(1398853)
- Allow abrt_dump_oops_t to drop capabilities. bz(1391040)
- Add named_t domain net_raw capability bz(1389240)
- Allow geoclue to read system info. bz(1389320)
- Make openfortivpn_t as init_deamon_domain. bz(1159899)
- Allow nfsd domain to create nfsd_unit_file_t files. bz(1382487)
- Merge branch 'rawhide-contrib' of github.com:fedora-selinux/selinux-policy into rawhide-contrib
- Add interace lldpad_relabel_tmpfs
- Merge pull request #155 from rhatdan/sandbox_nfs
- Add pscsd_t wake_alarm capability2
- Allow sandbox domains to mount fuse file systems
- Add boolean to allow sandbox domains to mount nfs
- Allow hypervvssd_t to read all dirs.
- Allow isnsd_t to connect to isns_port_t
- Merge branch 'rawhide-contrib' of github.com:fedora-selinux/selinux-policy into rawhide-contrib
- Allow GlusterFS with RDMA transport to be started correctly. It requires ipc_lock capability together with rw permission on rdma_cm device.
- Make tor_var_lib_t and tor_var_log_t as mountpoints.
- Allow systemd-rfkill to write to /proc/kmsg bz(1388669)
- Allow init_t to relabel /dev/shm/lldpad.state
- Merge pull request #168 from rhatdan/docker
- Label tcp 51954 as isns_port_t
- Lots of new domains like OCID and RKT are user container processes
- Disable container_runtime_typebounds() due to typebounds issues which can not be resolved during build.
- Disable unconfined_typebounds in sandbox.te due to entrypoint check which exceed for sandbox domains unconfined_t domain.
- Disable unconfined_typebounds due to entrypoint check which exceed for sandbox domains unconfined_t domain.
- Merge pull request #167 from rhatdan/container
- Add transition rules for sandbox domains
- container_typebounds() should be part of sandbox domain template
- Fix broken container_* interfaces
- unconfined_typebounds() should be part of sandbox domain template
- Fixed unrecognized characters at sandboxX module
- unconfined_typebounds() should be part of sandbox domain template
- svirt_file_type is atribute no type.
- Merge pull request #166 from rhatdan/container
- Allow users to transition from unconfined_t to container types
- Add dbus_stream_connect_system_dbusd() interface.
- Merge pull request #152 from rhatdan/network_filetrans
- Fix typo in filesystem module
- Allow nss_plugin to resolve host names via the systemd-resolved. BZ(1383473)
There's no unified practice how to install SELinux modules from packages
and how to relabel a filesystem after the change. This update provides
several new macros which should help maintainers with the process.
%selinux_relabel_pre [-s <policytype>]
- backups the current file_contexts for later use with fixfiles
%selinux_relabel_post [-s <policytype>]
- relabels a filesystem based on changes in file_contexts using fixfiles
%selinux_modules_install [-s <policytype>] module [module]...
%selinux_modules_uninstall [-s <policytype>] module [module]...
- install and uninstall modules to the priority 200
- Allow attach usb device to virtual machine BZ(1276873)
- Dontaudit mozilla_plugin to sys_ptrace
- Allow nut_upsdrvctl_t domain to read udev db BZ(1375636)
- Fix typo
- Allow geoclue to send msgs to syslog. BZ(1371818)
- Allow abrt to read rpm_tmp_t dirs
- Add interface rpm_read_tmp_files()
- Remove labels for somr docker sandbox files for now. This needs to be reverted after fixes in docker-selinux
- Update oracleasm SELinux module that can manage oracleasmfs_t blk files. Add dac_override cap to oracleasm_t domain.
- Add few rules to pcp SELinux module to make ti able to start pcp_pmlogger service
- Revert "label /var/lib/kubelet as svirt_sandbox_file_t"
- Remove file context for /var/lib/kubelet. This filecontext is part of docker now
- Add oracleasm_conf_t type and allow oracleasm_t to create /dev/oracleasm
- Label /usr/share/pcp/lib/pmie as pmie_exec_t and /usr/share/pcp/lib/pmlogger as pmlogger_exec_t
- Allow mdadm_t to getattr all device nodes
- Dontaudit gkeyringd_domain to connect to system_dbusd_t
- Add interface dbus_dontaudit_stream_connect_system_dbusd()
- Allow guest-set-user-passwd to set users password.
- Allow domains using kerberos to read also kerberos config dirs
- Allow add new interface to new namespace BZ(1375124)
- Allow systemd to relalbel files stored in /run/systemd/inaccessible/
- Add interface fs_getattr_tmpfs_blk_file()
- Dontaudit domain to create any file in /proc. This is kernel bug.
- Improve regexp for power_unit_file_t files. To catch just systemd power unit files.
- Add new interface fs_getattr_oracleasmfs_fs()
- Add interface fs_manage_oracleasm()
- Label /dev/kfd as hsa_device_t
- Update seutil_manage_file_contexts() interface that caller domain can also manage file_context_t dirs
With rpm-ostree, /var/ directory doesn't contain any file, just
directories. It means that SELinux policy can't be managed or rebuilt
and users have to use only the default policy.
This update adds /usr/share/selinux/POLICYTYPE/default directory and
selinux-factory-reset service.
/var/lib/selinux/POLICYTYPE/active
selinux-reset-policy
- Label /var/lib/docker/vfs as svirt_sandbox_file_t in virt SELinux module
- Label /usr/bin/pappet as puppetagent_exec_t
- Allow amanda to create dir in /var/lib/ with amanda_var_lib_t label
- Allow run sulogin_t in range mls_systemlow-mls_systemhigh.
- udisk2 module is part of devicekit module now
- Fix file context for /etc/pki/pki-tomcat/ca/
- new interface oddjob_mkhomedir_entrypoint()
- Allow mdadm to get attributes from all devices.
- Label /etc/puppetlabs as puppet_etc_t.
- quota: allow init to run quota tools
- Add new domain ipa_ods_exporter_t BZ(1366640)
- Create new interface opendnssec_stream_connect()
- Allow VirtualBox to manage udev rules.
- Allow systemd_resolved to send dbus msgs to userdomains
- Make entrypoint oddjob_mkhomedir_exec_t for unconfined_t
- Label all files in /dev/oracleasmfs/ as oracleasmfs_t
- Add new domain ipa_ods_exporter_t BZ(1366640)
- Create new interface opendnssec_stream_connect()
- Allow systemd-machined to communicate to lxc container using dbus
- Dontaudit accountsd domain creating dirs in /root
- Add new policy for Disk Manager called udisks2
- Dontaudit firewalld wants write to /root
- Label /etc/pki/pki-tomcat/ca/ as pki_tomcat_cert_t
- Allow certmonger to manage all systemd unit files
- Allow ipa_helper_t stream connect to dirsrv_t domain
- Update oracleasm SELinux module
- label /var/lib/kubelet as svirt_sandbox_file_t
- Allow systemd to create blk and chr files with correct label in /var/run/systemd/inaccessible BZ(1367280)
- Label /usr/libexec/gsd-backlight-helper as xserver_exec_t. This allows also confined users to manage screen brightness
- Add new userdom_dontaudit_manage_admin_dir() interface
- Label /dev/oracleasmfs as oracleasmfs_t. Add few interfaces related to oracleasmfs_t type
- Add few interfaces to cloudform.if file
- Label /var/run/corosync-qnetd and /var/run/corosync-qdevice as cluster_var_run_t. Note: corosync policy is now par of rhcs module
- Allow krb5kdc_t to read krb4kdc_conf_t dirs.
- Update networkmanager_filetrans_named_content() interface to allow source domain to create also temad dir in /var/run.
- Make confined users working again
- Fix hypervkvp module
- Allow ipmievd domain to create lock files in /var/lock/subsys/
- Update policy for ipmievd daemon. Contain: Allowing reading sysfs, passwd,kernel modules Execuring bin_t,insmod_t
- A new version of cloud-init that supports the effort to provision RHEL Atomic on Microsoft Azure requires some a new rules that allows dhclient/dhclient hooks to call cloud-init.
- Allow systemd to stop systemd-machined daemon. This allows stop virtual machines.
- Label /usr/libexec/iptables/iptables.init as iptables_exec_t Allow iptables creating lock file in /var/lock/subsys/
- Fix lsm SELinux module
- Dontaudit firewalld to create dirs in /root/ BZ(1340611)
- Label /run/corosync-qdevice and /run/corosync-qnetd as corosync_var_run_t
- Allow fprintd and cluster domains to cummunicate via dbus BZ(1355774)
- Allow cupsd_config_t domain to read cupsd_var_run_t sock_file. BZ(1361299)
- Add sys_admin capability to sbd domain
- Allow vdagent to comunnicate with systemd-logind via dbus
- Allow lsmd_plugin_t domain to create fixed_disk device.
- Allow opendnssec domain to create and manage own tmp dirs/files
- Allow opendnssec domain to read system state
- Allow systemd_logind stop system init_t
- Add interface init_stop()
- Add interface userdom_dontaudit_create_admin_dir()
- Label /var/run/storaged as lvm_var_run_t.
- Allow unconfineduser to run ipa_helper_t.
- Allow cups_config_t domain also mange sock_files. BZ(1361299)
- Add wake_alarm capability to fprintd domain BZ(1362430)
- Allow firewalld_t to relabel net_conf_t files. BZ(1365178)
- Allow nut_upsmon_t domain to chat with logind vie dbus about scheduleing a shutdown when UPS battery is low. BZ(1361802)
- Allow virtual machines to use dri devices. This allows use openCL GPU calculations. BZ(1337333)
- Allow crond and cronjob domains to creating mail_home_rw_t objects in admin_home_t BZ(1366173)
- Dontaudit mock to write to generic certs.
- Add labeling for corosync-qdevice and corosync-qnetd daemons, to run as cluster_t
- Revert "Label corosync-qnetd and corosync-qdevice as corosync_t domain"
- Merge pull request #144 from rhatdan/modemmanager
- Allow modemmanager to write to systemd inhibit pipes
- Label corosync-qnetd and corosync-qdevice as corosync_t domain
- Allow ipa_helper to read network state
- Label oddjob_reqiest as oddjob_exec_t
- Add interface oddjob_run()
- Allow modemmanager chat with systemd_logind via dbus
- Allow NetworkManager chat with puppetagent via dbus
- Allow NetworkManager chat with kdumpctl via dbus
- Allow sbd send msgs to syslog Allow sbd create dgram sockets. Allow sbd to communicate with kernel via dgram socket Allow sbd r/w kernel sysctls.
- Allow ipmievd_t domain to re-create ipmi devices Label /usr/libexec/openipmi-helper as ipmievd_exec_t
- Allow rasdaemon to use tracefs filesystem
- Fix typo bug in dirsrv policy
- Some logrotate scripts run su and then su runs unix_chkpwd. Allow logrotate_t domain to check passwd.
- Add ipc_lock capability to sssd domain. Allow sssd connect to http_cache_t
- Allow dirsrv to read dirsrv_share_t content
- Allow virtlogd_t to append svirt_image_t files.
- Allow hypervkvp domain to read hugetlbfs dir/files.
- Allow mdadm daemon to read nvme_device_t blk files
- Allow systemd_resolved to connect on system bus. BZ(1366334)
- Allow systemd to create netlink_route_socket and communicate with systemd_networkd BZ(1306344)
- Allow systemd-modules-load to load kernel modules in early boot. BZ(1322625)
- label tcp/udp port 853 as dns_port_t. BZ(1365609)
- Merge pull request #145 from rhatdan/init
- systemd is doing a gettattr on blk and chr devices in /run
- Allow selinuxusers and unconfineduser to run oddjob_request
- Allow sshd server to acces to Crypto Express 4 (CEX4) devices.
- Fix typo in device interfaces
- Add interfaces for managing ipmi devices
- Add interfaces to allow mounting/umounting tracefs filesystem
- Add interfaces to allow rw tracefs filesystem
- Merge branch 'rawhide-base' of github.com:fedora-selinux/selinux-policy into rawhide-base
- Merge pull request #138 from rhatdan/userns
- Allow iptables to creating netlink generic sockets.
- Fix filecontext for systemd shared lib.
- collectd: update policy for 5.5
- Allow puppet_t transtition to shorewall_t
- Grant certmonger "chown" capability
- Boinc updates from Russell Coker.
- Allow sshd setcap capability. This is needed due to latest changes in sshd.
- Revert "Allow sshd setcap capability. This is needed due to latest changes in sshd"
- Revert "Fix typo in ssh policy"
- Get attributes of generic ptys, from Russell Coker.
- Dontaudit mock_build_t can list all ptys.
- Allow ftpd_t to mamange userhome data without any boolean.
- Add logrotate permissions for creating netlink selinux sockets.
- Add new MLS attribute to allow relabeling objects higher than system low. This exception is needed for package managers when processing sensitive data.
- Label all VBox libraries stored in /var/lib/VBoxGuestAdditions/lib/ as textrel_shlib_t BZ(1356654)
- Allow systemd gpt generator to run fstools BZ(1353585)
- Label /usr/lib/systemd/libsystemd-shared-231.so as lib_t. BZ(1360716)
- Allow gnome-keyring also manage user_tmp_t sockets.
- Allow systemd to mounton /etc filesystem. BZ(1341753)
- Allow lsmd_plugin_t to exec ldconfig.
- Allow vnstatd domain to read /sys/class/net/ files
- Remove duplicate allow rules in spamassassin SELinux module
- Allow spamc_t and spamd_t domains create .spamassassin file in user homedirs
- Allow ipa_dnskey domain to search cache dirs
- Allow dogtag-ipa-ca-renew-agent-submit labeled as certmonger_t to create /var/log/ipa/renew.log file
- Allow ipa-dnskey read system state.
- Allow sshd setcap capability. This is needed due to latest changes in sshd Resolves: rhbz#1356245
- Add interface to write to nsfs inodes
- Allow init_t domain to read rpm db. This is needed due dnf-upgrade process failing. BZ(1349721)
- Allow systemd_modules_load_t to read /etc/modprobe.d/lockd.conf
- sysadmin should be allowed to use docker.
- Allow hypervkvp domain to run restorecon.
- Allow firewalld to manage net_conf_t files
- Remove double graphite-web context declaration
- Fix typo in rhsmcertd SELinux policy
- Allow logrotate read logs inside containers.
- Allow sssd to getattr on fs_t
- Allow opendnssec domain to manage bind chace files
- Allow systemd to get status of systemd-logind daemon
- Label more ndctl devices not just ndctl0
- Allow lttng tools to block suspending
- Allow creation of vpnaas in openstack
- remove rules with compromised_kernel permission
- Allow dnssec-trigger to chat with NetworkManager over DBUS BZ(1350100)
- Allow virtual machines to rw infiniband devices. Resolves: rhbz#1210263
- Update makefile to support snapperd_contexts file
- Remove compromize_kernel permission Remove unused mac_admin permission Add undefined system permission
- Remove duplicate declaration of class service
- Fix typo in access_vectors file
- Merge branch 'rawhide-base-modules-load' into rawhide-base
- Add new policy for systemd-modules-load
- Add systemd access vectors.
- Revert "Revert "Revert "Missed this version of exec_all"""
- Revert "Revert "Missed this version of exec_all""
- Revert "Missed this version of exec_all"
- Revert "Revert "Fix name of capability2 secure_firmware->compromise_kernel"" BZ(1351624) This reverts commit 3e0e7e70de481589440f3f79cccff08d6e62f644.
- Revert "Fix name of capability2 secure_firmware->compromise_kernel" BZ(1351624) This reverts commit 7a0348a2d167a72c8ab8974a1b0fc33407f72c48.
- Revert "Allow xserver to compromise_kernel access"BZ(1351624)
- Revert "Allow anyone who can load a kernel module to compromise_kernel"BZ(1351624)
- Revert "add ptrace_child access to process" (BZ1351624)
- Add user namespace capability object classes.
- Allow udev to manage systemd-hwdb files
- Add interface systemd_hwdb_manage_config()
- Fix paths to infiniband devices. This allows use more then two infiniband interfaces.
- corecmd: Remove fcontext for /etc/sysconfig/libvirtd
- iptables: add fcontext for nftables
- Fix typo in brltty policy
- Add new SELinux module sbd
- Allow pcp dmcache metrics collection
- Allow pkcs_slotd_t to create dir in /var/lock Add label pkcs_slotd_log_t
- Allow openvpn to create sock files labeled as openvpn_var_run_t
- Allow hypervkvp daemon to getattr on all filesystem types.
- Allow firewalld to create net_conf_t files
- Allow mock to use lvm
- Allow mirromanager creating log files in /tmp
- Allow vmtools_t to transition to rpm_script domain
- Allow nsd daemon to manage nsd_conf_t dirs and files
- Allow cluster to create dirs in /var/run labeled as cluster_var_run_t
- Allow sssd read also sssd_conf_t dirs
- Allow opensm daemon to rw infiniband_mgmt_device_t
- Allow krb5kdc_t to communicate with sssd
- Allow prosody to bind on prosody ports
- Add dac_override caps for fail2ban-client Resolves: rhbz#1316678
- dontaudit read access for svirt_t on the file /var/db/nscd/group Resolves: rhbz#1301637
- Allow inetd child process to communicate via dbus with systemd-logind Resolves: rhbz#1333726
- Add label for brltty log file Resolves: rhbz#1328818
- Allow snort_t to communicate with sssd Resolves: rhbz#1284908
- Add interface lttng_sessiond_tmpfs_t()
- Dontaudit su_role_template interface to getattr /proc/kcore Dontaudit su_role_template interface to getattr /dev/initctl
- Add interface lvm_getattr_exec_files()
- Make label for new infiniband_mgmt deivices
- Add prosody ports Resolves: rhbz#1304664
- Label /var/lib/softhsm as named_cache_t. Allow named_t to manage named_cache_t dirs.
- Allow glusterd daemon to get systemd status
- Merge branch 'rawhide-contrib' of github.com:fedora-selinux/selinux-policy into rawhide-contrib
- Merge pull request #135 from rhatdan/rawip_socket
- Allow logrotate dbus-chat with system_logind daemon
- Allow pcp_pmlogger to read kernel network state Allow pcp_pmcd to read cron pid files
- Add interface cron_read_pid_files()
- Allow pcp_pmlogger to create unix dgram sockets
- Add interface dirsrv_run()
- Remove non-existing jabberd_spool_t() interface and add new jabbertd_var_spool_t.
- Remove non-existing interface salk_resetd_systemctl() and replace it with sanlock_systemctl_sanlk_resetd()
- Create label for openhpid log files.
- Container processes need to be able to listen on rawip sockets
- Label /var/lib/ganglia as httpd_var_lib_t
- Allow firewalld_t to create entries in net_conf_t dirs.
- Allow journalctl to read syslogd_var_run_t files. This allows to staff_t and sysadm_t to read journals
- Label /etc/dhcp/scripts dir as bin_t
- Allow sysadm_role to run journalctl_t domain. This allows sysadm user to read journals.
- Allow firewalld_t to create entries in net_conf_t dirs.
- Allow journalctl to read syslogd_var_run_t files. This allows to staff_t and sysadm_t to read journals
- Allow rhsmcertd connect to port tcp 9090
- Label for /bin/mail(x) was removed but /usr/bin/mail(x) not. This path is also needed to remove.
- Label /usr/libexec/mimedefang-wrapper as spamd_exec_t.
- Add new boolean spamd_update_can_network.
- Add proper label for /var/log/proftpd.log
- Allow rhsmcertd connect to tcp netport_port_t
- Fix SELinux context for /usr/share/mirrormanager/server/mirrormanager to Label all binaries under dir as mirrormanager_exec_t.
- Allow prosody to bind to fac_restore tcp port.
- Fix SELinux context for usr/share/mirrormanager/server/mirrormanager
- Allow ninfod to read raw packets
- Fix broken hostapd policy
- Allow hostapd to create netlink_generic sockets. BZ(1343683)
- Merge pull request #133 from vinzent/allow_puppet_transition_to_shorewall
- Allow pegasus get attributes from qemu binary files.
- Allow tuned to use policykit. This change is required by cockpit.
- Allow conman_t to read dir with conman_unconfined_script_t binary files.
- Allow pegasus to read /proc/sysinfo.
- Allow puppet_t transtition to shorewall_t
- Allow conman to kill conman_unconfined_script.
- Allow sysadm_role to run journalctl_t domain. This allows sysadm user to read journals.
- Merge remote-tracking branch 'refs/remotes/origin/rawhide-base' into rawhide-base
- Allow systemd to execute all init daemon executables.
- Add init_exec_notrans_direct_init_entry() interface.
- Label tcp ports:16379, 26379 as redis_port_t
- Allow systemd to relabel /var and /var/lib directories during boot.
- Add files_relabel_var_dirs() and files_relabel_var_dirs() interfaces.
- Add files_relabelto_var_lib_dirs() interface.
- Label tcp and udp port 5582 as fac_restore_port_t
- Allow sysadm_t user to run postgresql-setup.
- Allow sysadm_t user to dbus chat with oddjob_t. This allows confined admin run oddjob mkhomedirfor script.
- Allow systemd-resolved to connect to llmnr tcp port. BZ(1344849)
- Allow passwd_t also manage user_tmp_t dirs, this change is needed by gnome-keyringd
- Allow conman to kill conman_unconfined_script.
- Make conman_unconfined_script_t as init_system_domain.
- Allow init dbus chat with apmd.
- Patch /var/lib/rpm is symlink to /usr/share/rpm on Atomic, due to this change we need to label also /usr/share/rpm as rpm_var_lib_t.
- Dontaudit xguest_gkeyringd_t stream connect to system_dbusd_t
- Allow collectd_t to stream connect to postgresql.
- Allow mysqld_safe to inherit rlimit information from mysqld
- Allow ip netns to mounton root fs and unmount proc_t fs.
- Allow sysadm_t to run newaliases command.
- Allow svirt_sandbox_domains to r/w onload sockets
- Add filetrans rule that NetworkManager_t can create net_conf_t files in /etc.
- Add interface sysnet_filetrans_named_net_conf()
- Rawhide fails to boot, systemd-logind needs to config transient config files
- User Namespace is requires create on process domains
- Allow boinc to use dri devices. This allows use Boinc for a openCL GPU calculations. BZ(1340886)
- Add nrpe_dontaudit_write_pipes()
- Merge pull request #129 from rhatdan/onload
- Add support for onloadfs
- Merge pull request #127 from rhatdan/device-node
- Additional access required for unconfined domains
- Dontaudit ping attempts to write to nrpe unnamed pipes
- Allow ifconfig_t to mounton also ifconfig_var_run_t dirs, not just files. Needed for: #ip netns add foo BZ(1340952)
- Directory Server (389-ds-base) has been updated to use systemd-ask-password. In order to function correctly we need the following added to dirsrv.te
- Update opendnssec_manage_config() interface to allow caller domain also manage opendnssec_conf_t dirs
- Allow gssproxy to get attributes on all filesystem object types. BZ(1333778)
- Allow ipa_dnskey_t search httpd config files.
- Dontaudit certmonger to write to etc_runtime_t
- Update opendnssec_read_conf() interface to allow caller domain also read opendnssec_conf_t dirs.
- Add interface ipa_delete_tmp()
- Allow systemd_hostanmed_t to read /proc/sysinfo labeled as sysctl_t.
- Allow systemd to remove ipa temp files during uinstalling ipa. BZ(1333106)
- Label /usr/share/ovirt-guest-agent/ovirt-guest-agent.py as rhev_agentd_exec_t
- Allow dnssec_trigger_t to create lnk_file labeled as dnssec_trigger_var_run_t. BZ(1335954)
- Allow ganesha-ha.sh script running under unconfined_t domain communicate with glusterd_t domains via dbus.
- Allow ganesha daemon labeled as glusterd_t create /var/lib/nfs/ganesha dir labeled as var_lib_nfs_t.
- Merge pull request #122 from NetworkManager/th/nm-dnsmasq-dbus
- Merge pull request #125 from rhatdan/typebounds
- Typebounds user domains
- Allow systemd_resolved_t to check if ipv6 is disabled.
- systemd added a new directory for unit files /run/systemd/transient. It should be labelled system_u:object_r:systemd_unit_file_t:s0, the same as /run/systemd/system, PID 1 will write units there. Resolves: #120
- Label /dev/xen/privcmd as xen_device_t. BZ(1334115)
- Label /var/log/ganesha.log as gluster_log_t Allow glusterd_t domain to create glusterd_log_t files. Label /var/run/ganesha.pid as gluster_var_run_t.
- Allow zabbix to connect to postgresql port
- Label /usr/libexec/openssh/sshd-keygen as sshd_keygen_exec_t. BZ(1335149)
- Allow systemd to read efivarfs. Resolve: #121
- Revert temporary fix: Replace generating man/html pages with pages from actual build. This is due to broken userspace with python3 in F23/Rawhide. Please Revert when userspace will be fixed
- Label tcp port 8181 as intermapper_port_t.
- Label /usr/libexec/storaged/storaged as lvm_exec_t to run storaged daemon in lvm_t SELinux domain. BZ(1333588)
- Label tcp/udp port 2024 as xinuexpansion4_port_t
- Label tcp port 7002 as afs_pt_port_t Label tcp/udp port 2023 as xinuexpansion3_port_t
- Allow snapperd sys_admin capability Allow snapperd to set scheduler. BZ(1323732)
- Label named-pkcs11 binary as named_exec_t. BZ(1331316)
- Revert "Add new permissions stop/start to class system. rhbz#1324453"
- Fix typo in module compilation message
- Allow runnig php7 in fpm mode. From selinux-policy side, we need to allow httpd to read/write hugetlbfs.
- Allow openvswitch daemons to run under openvswitch Linux user instead of root. This change needs allow set capabilities: chwon, setgid, setuid, setpcap. BZ(1330895)
- Allow KDM to get status about power services. This change allow kdm to be able do shutdown BZ(1330970)
- Add mls support for some db classes
- Remove ftpd_home_dir() boolean from distro policy. Reason is that we cannot make this working due to m4 macro language limits.
- Create new apache content template for files stored in user homedir. This change is needed to make working booleans: - httpd_enable_homedirs - httpd_read_user_content Resolves: rhbz#1330448
- Label /usr/lib/snapper/systemd-helper as snapperd_exec_t. rhbz#1323732
- Make virt_use_pcscd boolean off by default.
- Create boolean to allow virtual machine use smartcards. rhbz#1029297
- Allow snapperd to relabel btrfs snapshot subvolume to snapperd_data_t. rhbz#1323754
- Allow mongod log to syslog.
- Allow nsd daemon to create log file in /var/log as nsd_log_t
- unlabeled_t can not be an entrypoint.
- Modify interface den_read_nvme() to allow also read nvme_device_t block files. rhbz#1327909
- Add new permissions stop/start to class system. rhbz#1324453
- Allow modemmanager to talk to logind
- Dontaudit tor daemon needs net_admin capability. rhbz#1311788
- Allow GDM write to event devices. This rule is needed for GDM, because other display managers runs the X server as root, GDM instead runs the X server as the unprivileged user, within the user session. rhbz#1232042
- Xorg now writes content in users homedir.
- rename several contrib modules according to their filenames
- Add interface gnome_filetrans_cert_home_content()
- By default container domains should not be allowed to create devices
- Allow unconfined_t to create ~/.local/share/networkmanagement/certificates/ as home_cert_t instead of data_home_t.
- Allow systemd_resolved_t to read /etc/passwd file. Allow systemd_resolved_t to write to kmsg_device_t when 'systemd.log_target=kmsg' option is used
- Allow systemd gpt generator to read removable devices. BZ(1323458)
- Allow systemd_gpt_generator_t sys_rawio capability. This access is needed to allow systemd gpt generator various device commands BZ(1323454)
- Label /usr/libexec/rpm-ostreed as rpm_exec_t. BZ(1309075)
- /bin/mailx is labeled sendmail_exec_t, and enters the sendmail_t domain on execution. If /usr/sbin/sendmail does not have its own domain to transition to, and is not one of several products whose behavior is allowed by the sendmail_t policy, execution will fail. In this case we need to label /bin/mailx as bin_t. BZ(1323224)
- Label all run tgtd files, not just socket files.
- Allow prosody to stream connect to sasl. This will allow using cyrus authentication in prosody.
- Allow prosody to listen on port 5000 for mod_proxy65. BZ(1322815)
- Allow targetd to read/write to /dev/mapper/control device. BZ(1241415)
- Label /etc/selinux/(minimum|mls|targeted)/active/ as semanage_store_t.
- Allow systemd_resolved to read systemd_networkd run files. BZ(1322921)
- New cgroup2 file system in Rawhide
- Allow dovecot_auth_t domain to manage also dovecot_var_run_t fifo files. BZ(1320415)
- Allow colord to read /etc/udev/hwdb.bin. rhzb#1316514
- sandboxX.te: Allow sandbox domain to have entrypoint access only for executables and mountpoints.
- Allow sandbox domain to have entrypoint access only for executables and mountpoints.
- Allow bitlee to create bitlee_var_t dirs.
- Allow CIM provider to read sssd public files.
- Fix some broken interfaces in distro policy.
- Allow power button to shutdown the laptop.
- Allow lsm plugins to create named fixed disks. rhbz#1238066
- Allow hyperv domains to rw hyperv devices. rhbz#1241636
- Label /var/www/html(/.*)?/wp_backups(/.*)? as httpd_sys_rw_content_t.
- Create conman_unconfined_script_t type for conman script stored in /use/share/conman/exec/
- Allow rsync_export_all_ro boolean to read also non_auth_dirs/files/symlinks.
- Allow pmdaapache labeled as pcp_pmcd_t access to port 80 for apache diagnostics
- Label nagios scripts as httpd_sys_script_exec_t.
- Allow nsd_t to bind on nsf_control tcp port. Allow nsd_crond_t to read nsd pid.
- Fix couple of cosmetic thing in new virtlogd_t policy. rhbz #1311576
- Merge pull request #104 from berrange/rawhide-contrib-virtlogd
- Label /var/run/ecblp0 as cupsd_var_run_t due to this fifo_file is used by epson drivers. rhbz#1310336
- Dontaudit logrotate to setrlimit itself. rhbz#1309604
- Add filename transition that /etc/princap will be created with cupsd_rw_etc_t label in cups_filetrans_named_content() interface.
- Allow pcp_pmie and pcp_pmlogger to read all domains state.
- Allow systemd-gpt-generator to create and manage systemd gpt generator unit files. BZ(1319446)
- Merge pull request #115 from rhatdan/nvidea
- Label all nvidia binaries as xserver_exec_t
- Add new systemd_hwdb_read_config() interface. rhbz#1316514
- Add back corecmd_read_all_executables() interface.
- Call files_type() instead of file_type() for unlabeled_t.
- Add files_entrypoint_all_mountpoint() interface.
- Make unlabeled only as a file_type type. It is a type for fallback if there is an issue with labeling.
- Add corecmd_entrypoint_all_executables() interface.
- Create hyperv* devices and create rw interfaces for this devices. rhbz#1309361
- Add neverallow assertion for unlabaled_t to increase policy security.
- Allow systemd-rfkill to create /var/lib/systemd/rfkill dir. rhbz#1319499
- Label 8952 tcp port as nsd_control.
- Allow to log out to gdm after screen was resized in session via vdagent. Resolves: rhbz#1249020
- Add filename transition that /etc/princap will be created with cupsd_rw_etc_t label in cups_filetrans_named_content() interface.
- Revert "Add filename transition that /etc/princap will be created with cupsd_rw_etc_t label in cups_filetrans_named_content."
- Add filename transition that /etc/princap will be created with cupsd_rw_etc_t label in cups_filetrans_named_content.
- Allow pcp_pmie and pcp_pmlogger to read all domains state.
- Make fwupd domain unconfined. We need to discuss solution related to using gpg. rhbz#1316717
- Merge pull request #108 from rhatdan/rkt
- Merge pull request #109 from rhatdan/virt_sandbox
- Add new interface to define virt_sandbox_network domains
- Label /etc/redis-sentinel.conf as redis_conf_t. Allow redis_t write to redis_conf_t. Allow redis_t to connect on redis tcp port.
- Fix typo in drbd policy
- Remove declaration of empty booleans in virt policy.
- Add new drbd file type: drbd_var_run_t. Allow drbd_t to manage drbd_var_run_t files/dirs.
- Label /etc/ctdb/events.d/* as ctdb_exec_t. Allow ctdbd_t to setattr on ctdbd_exec_t files.
- Additional rules to make rkt work in enforcing mode
- Allow to log out to gdm after screen was resized in session via vdagent. Resolves: rhbz#1249020
- Allow ipsec to use pam. rhbz#1317988
- Allow systemd-gpt-generator to read fixed_disk_device_t. rhbz#1314968
- Allow setrans daemon to read /proc/meminfo.
- Merge pull request #107 from rhatdan/rkt-base
- Allow systemd_notify_t to write to kmsg_device_t when 'systemd.log_target=kmsg' option is used.
- Remove bin_t label for /etc/ctdb/events.d/. We need to label this scripts as ctdb_exec_t.
- Allow spice-vdagent to getattr on tmpfs_t filesystems Resolves: rhbz#1276251
- Allow sending dbus msgs between firewalld and system_cronjob domains.
- Allow zabbix-agentd to connect to following tcp sockets. One of zabbix-agentd functions is get service status of ftp,http,innd,pop,smtp protocols. rhbz#1315354
- Allow snapperd mounton permissions for snapperd_data_t. BZ(#1314972)
- Add support for systemd-gpt-auto-generator. rhbz#1314968
- Add interface dev_read_nvme() to allow reading Non-Volatile Memory Host Controller devices.
- Add support for systemd-hwdb daemon. rhbz#1306243
- Add new boolean tmpreaper_use_cifs() to allow tmpreaper to run on local directories being shared with Samba.
- Merge pull request #105 from rhatdan/NO_NEW_PRIV
- Fix new rkt policy
- Remove some redundant rules.
- Fix cosmetic issues in interface file.
- Merge pull request #100 from rhatdan/rawhide-contrib
- Add interface fs_setattr_cifs_dirs().
- Merge pull request #106 from rhatdan/NO_NEW_PRIV_BASE
- Fixed to make SELinux work with docker and prctl(NO_NEW_PRIVS)
-Build file_contexts.bin file_context.local.bin file_context.homedir.bin during build phase.
This fix issue in Fedora live images when selinux-policy-targeted is not installed but just unpackaged, since there's no .bin files,
file_contexts is parsed in selabel_open().
Resolves: rhbz#1314372
- Revert "Allow systemd-logind to create .#nologinXXXXXX labeled as systemd_logind_var_run_t in /var/run/systemd/ rhbz#1285019"
- Allow systemd-logind to create .#nologinXXXXXX labeled as systemd_logind_var_run_t in /var/run/ rhbz#1285019
- Allow amanda to manipulate the tape changer to load the necessary tapes. rhbz#1311759
- Allow keepalived to create netlink generic sockets. rhbz#1311756
- Allow modemmanager to read /etc/passwd file.
- Label all files named /var/run/.*nologin.* as systemd_logind_var_run_t.
- Add filename transition to interface systemd_filetrans_named_content() that domain will create rfkill dir labeled as systemd_rfkill_var_lib_t instead of init_var_lib_t. rhbz #1290255
- Allow systemd-logind to create .#nologinXXXXXX labeled as systemd_logind_var_run_t in /var/run/systemd/ rhbz#1285019
- Allow systemd_networkd_t to write kmsg, when kernel was started with following params: systemd.debug systemd.log_level=debug systemd.log_target=kmsg rhbz#1311444
- Allow ipsec to read home certs, when connecting to VPN. rhbz#1301319
- Fix macro name from snmp_manage_snmp_var_lib_files to snmp_manage_var_lib_files in cupsd policy.
- Allow hplip driver to write to its MIB index files stored in the /var/lib/net-snmp/mib_indexes. Resolves: rhbz#1291033
- Allow collectd setgid capability Resolves:#1310896
- Allow adcli running as sssd_t to write krb5.keytab file.
- Allow abrt-hook-ccpp to getattr on all executables. BZ(1284304)
- Allow kexec to read kernel module files in /usr/lib/modules.
- Add httpd_log_t for /var/log/graphite-web rhbz#1306981
- Remove redudant rules and fix _admin interface.
- Add SELinux policy for LTTng 2.x central tracing registry session daemon.
- Allow create mongodb unix dgram sockets. rhbz#1306819
- Support for InnoDB Tablespace Encryption.
- Dontaudit leaded file descriptors from firewalld
- Add port for rkt services
- Add support for the default lttng-sessiond port - tcp/5345. This port is used by LTTng 2.x central tracing registry session daemon.
- Allow abrt_dump_oops_t to getattr filesystem nsfs files. rhbz#1300334
- Allow ulogd_t to create netlink_netfilter sockets. rhbz#1305426
- Create new type fwupd_cert_t Label /etc/pki/(fwupd|fwupd-metadata) dirs as fwupd_cert_t Allow fwupd_t domain to read fwupd_cert_t files|lnk_files rhbz#1303533
- Add interface to dontaudit leaked files from firewalld
- fwupd needs to dbus chat with policykit
- Allow fwupd domain transition to gpg domain. Fwupd signing firmware updates by gpg. rhbz#1303531
- Allow abrt_dump_oops_t to check permissions for a /usr/bin/Xorg. rhbz#1284967
- Allow prelink_cron_system_t domain set resource limits. BZ(1190364)
- Allow pppd_t domain to create sockfiles in /var/run labeled as pppd_var_run_t label. BZ(1302666)
- Fix wrong name for openqa_websockets tcp port.
- Allow run sshd-keygen on second boot if first boot fails after some reason and content is not syncedon the disk. These changes are reflecting this commit in sshd. http://pkgs.fedoraproject.org/cgit/rpms/openssh.git/commit/?id=af94f46861844cbd6ba4162115039bebcc8f78ba rhbz#1299106
- Add interface ssh_getattr_server_keys() interface. rhbz#1299106
- Added Label openqa for tcp port (9526) Added Label openqa-websockets for tcp port (9527) rhbz#1277312
- Add interface fs_getattr_nsfs_files()
- Add interface xserver_exec().
- Revert "Allow all domains some process flags."BZ(1190364)
- Add fwupd policy for daemon to allow session software to update device firmware
- Label /usr/libexec/ipa/oddjob/org.freeipa.server.conncheck as ipa_helper_exec_t. BZ(1289930)
- Allow systemd services to use PrivateNetwork feature
- Add a type and genfscon for nsfs.
- Fix SELinux context for rsyslog unit file. BZ(1284173)
- Allow sddm-helper running as xdm_t to create .wayland-errors with correct labeling. BZ(#1291085)
- Revert "Allow arping running as netutils_t sys_module capability for removing tap devices."
- Allow arping running as netutils_t sys_module capability for removing tap devices.
- Add userdom_connectto_stream() interface.
- Allow systemd-logind to read /run/utmp. BZ(#1278662)
- Allow sddm-helper running as xdm_t to create .wayland-errors with correct labeling. BZ(#1291085)
- Revert "Allow arping running as netutils_t sys_module capability for removing tap devices."
- Allow arping running as netutils_t sys_module capability for removing tap devices.
- Add userdom_connectto_stream() interface.
- Allow systemd-logind to read /run/utmp. BZ(#1278662)
- Allow firewalld to create firewalld_var_run_t directory. BZ(1291243)
- Add interface firewalld_read_pid_files()
- Allow iptables to read firewalld pid files. BZ(1291243)
- Allow the user cronjobs to run in their userdomain
- Label ssdm binaries storedin /etc/sddm/ as bin_t. BZ(1288111)
- Merge pull request #81 from rhatdan/rawhide-base
- New access needed by systemd domains
- Allow whack executed by sysadm SELinux user to access /var/run/pluto/pluto.ctl. It fixes "ipsec auto --status" executed by sysadm_t.
- Add ipsec_read_pid() interface
- Adding support for dbus communication between systemd-networkd and systemd-hostnamed. BZ(1279182)
- Update init policy to have userdom_noatsecure_login_userdomain() and userdom_sigchld_login_userdomain() called for init_t.
- init_t domain should be running without unconfined_domain attribute.
- Add a new SELinux policy for /usr/lib/systemd/systemd-rfkill.
- Update userdom_transition_login_userdomain() to have "sigchld" and "noatsecure" permissions.
- systemd needs to access /dev/rfkill on early boot.
- Allow dspam to read /etc/passwd
- Allow apcupsd sending mails about battery state. BZ(1274018)
- Allow pcp_pmcd_t domain transition to lvm_t. BZ(1277779)
- Merge pull request #68 from rhatdan/rawhide-contrib
- Allow antivirus_t to bind to all unreserved ports. Clamd binds to random unassigned port (by default in range 1024-2048). #1248785
- Allow systemd-networkd to bind dhcpd ports if DHCP=yes in *.network conf file. BZ(#1280092)
- systemd-tmpfiles performs operations on System V IPC objects which requires sys_admin capability. BZ(#1279269)
- Allow abrt-hook-ccpp to change SELinux user identity for created objects.
- Allow abrt-hook-ccpp to get attributes of all processes because of core_pattern.
- Allow setuid/setgid capabilities for abrt-hook-ccpp.
- Add default labeling for /etc/Pegasus/cimserver_current.conf. It is a correct patch instead of the current /etc/Pegasus/pegasus_current.conf.
- Allow fenced node dbus msg when using foghorn witch configured foghorn, snmpd, and snmptrapd.
- cockpit has grown content in /var/run directory
- Add support for /dev/mptctl device used to check RAID status.
- Allow systemd-hostnamed to communicate with dhcp via dbus.
- systemd-logind remove all IPC objects owned by a user on a logout. This covers also SysV memory. This change allows to destroy unpriviledged user SysV shared memory segments.
- Add userdom_destroy_unpriv_user_shared_mem() interface.
- Label /var/run/systemd/shutdown directory as systemd_logind_var_run_t to allow systemd-logind to access it if shutdown is invoked.
- Access needed by systemd-machine to manage docker containers
- Allow systemd-logind to read /run/utmp when shutdown is invoked.
- Since /dev/log is a symlink, we need to allow relabelto also symlink. This commit update logging_relabel_devlog_dev() interface to allow it.
- systemd-user has pam_selinux support and needs to able to compute user security context if init_t is not unconfined domain.
- Allow fail2ban-client to execute ldconfig. #1268715
- Add interface virt_sandbox_domain()
- Use mmap_file_perms instead of exec_file_perms in setroubleshoot policy to shave off the execute_no_trans permission. Based on a github communication with Dominick Grift.
-all userdom_dontaudit_user_getattr_tmp_sockets instead() of usedom_dontaudit_user_getattr_tmp_sockets().
- Rename usedom_dontaudit_user_getattr_tmp_sockets() to userdom_dontaudit_user_getattr_tmp_sockets().
- Remove auth_login_pgm_domain(init_t) which has been added by accident.
- init_t needs to able to change SELinux identity because it is used as login_pgm domain because of systemd-user and PAM. It allows security_compute_user() returns a list of possible context and then a correct default label is returned by "selinux.get_default_context(sel_user,fromcon)" defined in the policy user config files.
- Add interface auth_use_nsswitch() to systemd_domain_template.
- Revert "auth_use_nsswitch can be used with attribute systemd_domain."
- auth_use_nsswitch can be used with attribute systemd_domain.
- ipsec: fix stringSwan charon-nm
- docker is communicating with systemd-machined
- Add missing systemd_dbus_chat_machined, needed by docker
- Allow abrt_t to read sysctl_net_t files. BZ(#1194280)
- Merge branch 'rawhide-contrib' of github.com:fedora-selinux/selinux-policy into rawhide-contrib
- Add abrt_stub interface.
- Add support for new mock location - /usr/libexec/mock/mock. BZ(#1270972)
- Allow usbmuxd to access /run/udev/data/+usb:*. BZ(#1269633)
- Allow qemu-bridge-helper to read /dev/random and /dev/urandom. BZ(#1267217)
- Allow sssd_t to manage samba var files/dirs to SSSD's GPO support which is enabled against an Active Directory domain. BZ(#1225200).
- Add samba_manage_var_dirs() interface.
- Allow pcp_pmlogger to exec bin_t BZ(#1258698)
- Allow spamd to read system network state. BZ(1260234)
- Allow fcoemon to create netlink scsitransport sockets BZ(#1260882)
- Allow networkmanager to create networkmanager_var_lib_t files. BZ(1270201)
- Allow systemd-networkd to read XEN state for Xen hypervisor. BZ(#1269916)
- Add fs_read_xenfs_files() interface.
- Allow systemd_machined_t to send dbus msgs to all users and read/write /dev/ptmx to make 'machinectl shell' working correctly.
- Allow systemd running as init_t to override the default context for key creation. BZ(#1267850)
- Allow pcp_pmlogger to read system state. BZ(1258699)
- Allow cupsd to connect on socket. BZ(1258089)
- Allow named to bind on ephemeral ports. BZ(#1259766)
- Allow iscsid create netlink iscsid sockets.
- We need allow connect to xserver for all sandbox_x domain because we have one type for all sandbox processes.
- Allow NetworkManager_t and policykit_t read access to systemd-machined pid files. #1255305
- Add missing labeling for /usr/libexec/abrt-hook-ccpp as a part of #1245477 and #1242467 bugs.
- Allow search dirs in sysfs types in kernel_read_security_state.
- Fix kernel_read_security_state interface that source domain of this interface can search sysctl_fs_t dirs.
- Update modules_filetrans_named_content() to make sure we don't get modules_dep labeling by filename transitions.
- Remove /usr/lib/modules/[^/]+/modules\..+ labeling
- Add modutils_read_module_deps_files() which is called from files_read_kernel_modules() for module deps which are still labeled as modules_dep_t.
- Remove modules_dep_t labeling for kernel module deps. depmod is a symlink to kmod which is labeled as insmod_exec_t which handles modules_object_t and there is no transition to modules_dep_t. Also some of these module deps are placed by cpio during install/update of kernel package.
- Allow acpid to attempt to connect to the Linux kernel via generic netlink socket.
- Clean up pkcs11proxyd policy.
- We need to require sandbox_web_type attribute in sandbox_x_domain_template().
- Revert "depmod is a symlink to insmod so it runs as insmod_t. It causes that dep kernel modules files are not created with the correct labeling modules_dep_t. This fix adds filenamtrans rules for insmod_t."
- depmod is a symlink to insmod so it runs as insmod_t. It causes that dep kernel modules files are not created with the correct labeling modules_dep_t. This fix adds filenamtrans rules for insmod_t.
- Update files_read_kernel_modules() to contain modutils_read_module_deps() calling because module deps labeling has been updated and it allows to avoid regressions.
- Update modules_filetrans_named_content() interface to cover more modules.* files.
- New policy for systemd-machined. #1255305
- In Rawhide/F24, we added pam_selinux.so support for systemd-users to have user sessions running under correct SELinux labeling. It also supports another new feature with systemd+dbus and we have sessions dbuses running with the correct labeling - unconfined_dbus_t for example.
- Allow systemd-logind read access to efivarfs - Linux Kernel configuration options for UEFI systems (UEFI Runtime Variables). #1244973, #1267207 (partial solution)
- Merge pull request #42 from vmojzis/rawhide-base
- Add interface to allow reading files in efivarfs - contains Linux Kernel configuration options for UEFI systems (UEFI Runtime Variables)
- Add few rules related to new policy for pkcs11proxyd
- Added new policy for pkcs11proxyd daemon
- We need to require sandbox_web_type attribute in sandbox_x_domain_template().
- Dontaudit abrt_t to rw lvm_lock_t dir.
- Allow abrt_d domain to write to kernel msg device.
- Add interface lvm_dontaudit_rw_lock_dir()
- Merge pull request #35 from lkundrak/lr-libreswan
- Update config.tgz to reflect changes in default context for SELinux users related to pam_selinux.so which is now used in systemd-users.
- Added support for permissive domains
- Allow rpcbind_t domain to change file owner and group
- rpm-ostree has a daemon mode now and need to speak to polkit/logind for authorization. BZ(#1264988)
- Allow dnssec-trigger to send generic signal to Network-Manager. BZ(#1242578)
- Allow smbcontrol to create a socket in /var/samba which uses for a communication with smbd, nmbd and winbind.
- Revert "Add apache_read_pid_files() interface"
- Allow dirsrv-admin read httpd pid files.
- Add apache_read_pid_files() interface
- Add label for dirsrv-admin unit file.
- Allow qpid daemon to connect on amqp tcp port.
- Allow dirsrvadmin-script read /etc/passwd file Allow dirsrvadmin-script exec systemctl
- Add labels for afs binaries: dafileserver, davolserver, salvageserver, dasalvager
- Add lsmd_plugin_t sys_admin capability, Allow lsmd_plugin_t getattr from sysfs filesystem.
- Allow rhsmcertd_t send signull to unconfined_service_t domains.
- Revert "Allow pcp to read docker lib files."
- Label /usr/libexec/dbus-1/dbus-daemon-launch-helper as dbusd_exec_t to have systemd dbus services running in the correct domain instead of unconfined_service_t if unconfined.pp module is enabled. BZ(#1262993)
- Allow pcp to read docker lib files.
- Revert "init_t needs to be login_pgm domain because of systemd-users + pam_selinux.so"
- Add login_userdomain attribute also for unconfined_t.
- Add userdom_login_userdomain() interface.
- Label /etc/ipa/nssdb dir as cert_t
- init_t needs to be login_pgm domain because of systemd-users + pam_selinux.so
- Add interface unconfined_server_signull() to allow domains send signull to unconfined_service_t
- Call userdom_transition_login_userdomain() instead of userdom_transition() in init.te related to pam_selinux.so+systemd-users.
- Add userdom_transition_login_userdomain() interface
- Allow user domains with login_userdomain to have entrypoint access on init_exec. It is needed by pam_selinux.so call in systemd-users. BZ(#1263350)
- Add init_entrypoint_exec() interface.
- Allow init_t to have transition allow rule for userdomain if pam_selinux.so is used in /etc/pam.d/systemd-user. It ensures that systemd user sessions will run with correct userdomain types instead of init_t. BZ(#1263350)
- named wants to access /proc/sys/net/ipv4/ip_local_port_range to get ehphemeral range. BZ(#1260272)
- Allow user screen domains to list directorires in HOMEDIR wit user_home_t labeling.
- Dontaudit fenced search gnome config
- Allow teamd running as NetworkManager_t to access netlink_generic_socket to allow multiple network interfaces to be teamed together. BZ(#1259180)
- Fix for watchdog_unconfined_exec_read_lnk_files, Add also dir search perms in watchdog_unconfined_exec_t.
- Sanlock policy update. #1255307 - New sub-domain for sanlk-reset daemon
- Fix labeling for fence_scsi_check script
- Allow openhpid to read system state Aloow openhpid to connect to tcp http port.
- Allow openhpid to read snmp var lib files.
- Allow openvswitch_t domains read kernel dependencies due to openvswitch run modprobe
- Fix regexp in chronyd.fc file
- systemd-logind needs to be able to act with /usr/lib/systemd/system/poweroff.target to allow shutdown system. BZ(#1260175)
- Allow systemd-udevd to access netlink_route_socket to change names for network interfaces without unconfined.pp module. It affects also MLS.
- Allow unconfined_t domains to create /var/run/xtables.lock with iptables_var_run_t
- Remove bin_t label for /usr/share/cluster/fence_scsi_check\.pl
- Allow passenger to getattr filesystem xattr
- Revert "Allow pegasus_openlmi_storage_t create mdadm.conf.anacbak file in /etc."
- Label mdadm.conf.anackbak as mdadm_conf_t file.
- Allow dnssec-ttrigger to relabel net_conf_t files. BZ(1251765)
- Allow dnssec-trigger to exec pidof. BZ(#1256737)
- Allow blueman to create own tmp files in /tmp. (#1234647)
- Add new audit_read access vector in capability2 class
- Add "binder" security class and access vectors
- Update netlink socket classes.
- Allow getty to read network state. BZ(#1255177)
- Remove labeling for /var/db/.*\.db as etc_t to label db files as system_db_t.
- Call kernel_load_module(vmware_host_t) to satisfy neverallow assertion for sys_moudle in MLS where unconfined is disabled.
- Allow NetworkManager to write audit log messages
- Add new policy for ipmievd (ipmitool).
- mirrormanager needs to be application domain and cron_system_entry needs to be called in optional block.
- Allow sandbox domain to be also /dev/mem writer
- Fix neverallow assertion for sys_module capability for openvswitch.
- kernel_load_module() needs to be called out of boolean for svirt_lxc_net_t.
- Fix neverallow assertion for sys_module capability.
- Add more attributes for sandbox domains to avoid neverallow assertion issues.
- Add neverallow asserition fixes related to storage.
- Allow exec pidof under hypervkvp domain. Allow hypervkvp daemon create connection to the system DBUS
- Allow openhpid_t to read system state.
- Add temporary fixes for sandbox related to #1103622. It allows to run everything under one sandbox type.
- Added labels for files provided by rh-nginx18 collection
- Dontaudit block_suspend capability for ipa_helper_t, this is kernel bug. Allow ipa_helper_t capability net_admin. Allow ipa_helper_t to list /tmp. Allow ipa_helper_t to read rpm db.
- Allow rhsmcertd exec rhsmcertd_var_run_t files and rhsmcerd_tmp_t files. This rules are in hide_broken_sympthons until we find better solution.
- Update files_manage_all_files to contain auth_reader_shadow and auth_writer_shadow tosatisfy neverallow assertions.
- Update files_relabel_all_files() interface to contain auth_relabelto_shadow() interface to satisfy neverallow assertion.
- seunshare domains needs to have set_curr_context attribute to resolve neverallow assertion issues.
- Add dev_raw_memory_writer() interface
- Add auth_reader_shadow() and auth_writer_shadow() interfaces
- Add dev_raw_memory_reader() interface.
- Add storage_rw_inherited_scsi_generic() interface.
- Update files_relabel_non_auth_files() to contain seutil_relabelto_bin_policy() to make neverallow assertion working.
- Update kernel_read_all_proc() interface to contain can_dump_kernel and can_receive_kernel_messages attributes to fix neverallow violated issue for proc_kcore_t and proc_kmsg_t.
- Update storage_rw_inherited_fixed_disk_dev() interface to use proper attributes to fix neverallow violated issues caused by neverallow check during build process.
- Allow chronyd to execute mkdir command.
- Allow chronyd_t to read dhcpc state.
- Label /usr/libexec/chrony-helper as chronyd_exec_t
- Allow openhpid liboa_soap plugin to read resolv.conf file.
- Allow openhpid liboa_soap plugin to read generic certs.
- Allow openhpid use libwatchdog plugin. (Allow openhpid_t rw watchdog device)
- Allow logrotate to reload services.
- Allow apcupsd_t to read /sys/devices
- Allow kpropd to connect to kropd tcp port.
- Allow lsmd also setuid capability. Some commands need to executed under root privs. Other commands are executed under unprivileged user.
- Allow snapperd to pass data (one way only) via pipe negotiated over dbus.
- Add snapper_read_inherited_pipe() interface.
- Add missing ";" in kerberos.te
- Add support for /var/lib/kdcproxy and label it as krb5kdc_var_lib_t. It needs to be accessible by useradd_t.
- Add support for /etc/sanlock which is writable by sanlock daemon.
- Allow mdadm to access /dev/random and add support to create own files/dirs as mdadm_tmpfs_t.
- Add labels for /dev/memory_bandwith and /dev/vhci. Thanks ssekidde
- Add interface to read/write watchdog device.
- Add transition rule for iptables_var_lib_t
- Allow useradd add homedir located in /var/lib/kdcproxy in ipa-server RPM scriplet.
- Revert "Allow grubby to manage and create /run/blkid with correct labeling"
- Allow grubby to manage and create /run/blkid with correct labeling
- Add fstools_filetrans_named_content_fsadm() and call it for named_filetrans_domain domains. We need to be sure that /run/blkid is created with correct labeling.
- arping running as netutils_t needs to access /etc/ld.so.cache in MLS.
- Allow sysadm to execute systemd-sysctl in the sysadm_t domain. It is needed for ifup command in MLS mode.
- Add systemd_exec_sysctl() and systemd_domtrans_sysctl() interfaces.
- Allow udev, lvm and fsadm to access systemd-cat in /var/tmp/dracut if 'dracut -fv' is executed in MLS.
- Allow admin SELinu users to communicate with kernel_t. It is needed to access /run/systemd/journal/stdout if 'dracut -vf' is executed. We allow it for other SELinux users.
- depmod runs as insmod_t and it needs to manage user tmp files which was allowed for depmod_t. It is needed by dracut command for SELinux restrictive policy (confined users, MLS).
- Add header for sslh.if file
- Fix sslh_admin() interface
- Clean up sslh.if
- Fix typo in pdns.if
- Allow qpid to create lnk_files in qpid_var_lib_t.
- Allow httpd_suexec_t to read and write Apache stream sockets
- Merge pull request #21 from hogarthj/rawhide-contrib
- Allow virt_qemu_ga_t domtrans to passwd_t.
- use read and manage files_patterns and the description for the admin interface
- Merge pull request #17 from rubenk/pdns-policy
- Allow redis to read kernel parameters.
- Label /etc/rt dir as httpd_sys_rw_content_t BZ(#1185500)
- Allow hostapd to manage sock file in /va/run/hostapd Add fsetid cap. for hostapd Add net_raw cap. for hostpad BZ(#1237343)
- Allow bumblebee to seng kill signal to xserver
- glusterd call pcs utility which calls find for cib.* files and runs pstree under glusterd. Dontaudit access to security files and update gluster boolean to reflect these changes.
- Allow drbd to get attributes from filesystems.
- Allow drbd to read configuration options used when loading modules.
- fix the description for the write config files, add systemd administration support and fix a missing gen_require in the admin interface
- Added Booleans: pcp_read_generic_logs.
- Allow pcp_pmcd daemon to read postfix config files. Allow pcp_pmcd daemon to search postfix spool dirs.
- Allow glusterd to communicate with cluster domains over stream socket.
- fix copy paste error with writing the admin interface
- fix up the regex in sslh.fc, add sslh_admin() interface
- adding selinux policy files for sslh
- Remove diplicate sftpd_write_ssh_home boolean rule.
- Revert "Allow smbd_t and nmbd_t to manage winbind_var_run_t files/socktes/dirs."
- gnome_dontaudit_search_config() needs to be a part of optinal_policy in pegasus.te
- Allow glusterd to manage nfsd and rpcd services.
- Add kdbus.pp policy to allow access /sys/fs/kdbus. It needs to go with own module because this is workaround for now to avoid SELinux in enforcing mode.
- kdbusfs should not be accessible for now by default for shipped policies. It should be moved to kdbus.pp
- kdbusfs should not be accessible for now.
- Add support for /sys/fs/kdbus and allow login_pgm domain to access it.
- Allow sysadm to administrate ldap environment and allow to bind ldap port to allow to setup an LDAP server (389ds).
- Label /usr/sbin/chpasswd as passwd_exec_t.
- Allow audisp_remote_t to read/write user domain pty.
- Allow audisp_remote_t to start power unit files domain to allow halt system.
- Add fixes for selinux-policy packages to reflect the latest changes related to policy module store migration.
- Prepare selinux-policy package for SELinux store migration
- gnome_dontaudit_search_config() needs to be a part of optinal_policy in pegasus.te
- Allow glusterd to manage nfsd and rpcd services.
- Allow smbd_t and nmbd_t to manage winbind_var_run_t files/socktes/dirs.
- Add samba_manage_winbind_pid() interface
- Allow networkmanager to communicate via dbus with systemd_hostanmed.
- Allow stream connect logrotate to prosody.
- Add prosody_stream_connect() interface.
- httpd should be able to send signal/signull to httpd_suexec_t, instead of httpd_suexec_exec_t.
- Allow prosody to create own tmp files/dirs.
- Allow keepalived request kernel load module
- kadmind should not read generic files in /usr
- Allow kadmind_t access to /etc/krb5.keytab
- Add more fixes to kerberos.te
- Add labeling for /var/tmp/kadmin_0 and /var/tmp/kiprop_0
- Add lsmd_t to nsswitch_domain.
- Allow pegasus_openlmi_storage_t create mdadm.conf.anacbak file in /etc.
- Add fixes to pegasus_openlmi_domain
- Allow Glance Scrubber to connect to commplex_main port
- Allow RabbitMQ to connect to amqp port
- Allow isnsd read access on the file /proc/net/unix
- Allow qpidd access to /proc/<pid>/net/psched
- Allow openshift_initrc_t to communicate with firewalld over dbus.
- Allow ctdbd_t send signull to samba_unconfined_net_t.
- Add samba_signull_unconfined_net()
- Add samba_signull_winbind()
- Revert "Add interfaces winbind_signull(), samba_unconfined_net_signull()."
- Fix ctdb policy
- Label /var/db/ as system_db_t.
- inn daemon should create innd_log_t objects in var_log_t instead of innd_var_run_t
- Fix rule definitions for httpd_can_sendmail boolean. We need to distinguish between base and contrib.
- Add samba_unconfined_script_exec_t to samba_admin header.
- Add jabberd_lock_t label to jabberd_admin header.
- Add rpm_var_run_t label to rpm_admin header.
- Make all interfaces related to openshift_cache_t as deprecated.
- Remove non exits nfsd_ro_t label.
- Label /usr/afs/ as afs_files_t Allow afs_bosserver_t create afs_config_t and afs_dbdir_t dirs under afs_files_t Allow afs_bosserver_t read kerberos config
- Fix *_admin intefaces where body is not consistent with header.
- Allow networkmanager read rfcomm port.
- Fix nova_domain_template interface, Fix typo bugs in nova policy
- Create nova sublabels.
- Merge all nova_* labels under one nova_t.
- Add cobbler_var_lib_t to "/var/lib/tftpboot/boot(/.*)?"
- Allow dnssec_trigger_t relabelfrom dnssec_trigger_var_run_t files.
- Fix label openstack-nova-metadata-api binary file
- Allow nova_t to bind on geneve tcp port, and all udp ports
- Label swift-container-reconciler binary as swift_t.
- Allow glusterd to execute showmount in the showmount domain.
- Allow NetworkManager_t send signull to dnssec_trigger_t.
- Add support for openstack-nova-* packages.
- Allow audisp-remote searching devpts.
- Label 6080 tcp port as geneve
- Update mta_filetrans_named_content() interface to cover more db files.
- Revert "Remove ftpd_use_passive_mode boolean. It does not make sense due to ephemeral port handling."
- Allow pcp domains to connect to own process using unix_stream_socket.
- Typo in abrt.te
- Allow abrt-upload-watch service to dbus chat with ABRT daemon and fsetid capability to allow run reporter-upload correctly.
- Add nagios_domtrans_unconfined_plugins() interface.
- Add nagios_domtrans_unconfined_plugins() interface.
- Add new boolean - httpd_run_ipa to allow httpd process to run IPA helper and dbus chat with oddjob.
- Add support for oddjob based helper in FreeIPA. BZ(1238165)
- Allow dnssec_trigger_t create dnssec_trigger_tmp_t files in /var/tmp/ BZ(1240840)
- Allow ctdb_t sending signull to smbd_t, for checking if smbd process exists. BZ(1224879)
- Fix cron_system_cronjob_use_shares boolean to call fs interfaces which contain only entrypoint permission.
- Add cron_system_cronjob_use_shares boolean to allow system cronjob to be executed from shares - NFS, CIFS, FUSE. It requires "entrypoint" permissios on nfs_t, cifs_t and fusefs_t SELinux types.
- nrpe needs kill capability to make gluster moniterd nodes working.
- Revert "Dontaudit ctbd_t sending signull to smbd_t."
- Fix interface corenet_tcp_connect_postgresql_port_port(prosody_t)
- Allow prosody connect to postgresql port.
- Fix logging_syslogd_run_nagios_plugins calling in logging.te
- Add logging_syslogd_run_nagios_plugins boolean for rsyslog to allow transition to nagios unconfined plugins.
- Add support for oddjob based helper in FreeIPA. BZ(1238165)
- Add new interfaces
- Add fs_fusefs_entry_type() interface.
- Allow ctdb_t sending signull to smbd_t, for checking if smbd process exists. BZ(1224879)
- Fix cron_system_cronjob_use_shares boolean to call fs interfaces which contain only entrypoint permission.
- Add cron_system_cronjob_use_shares boolean to allow system cronjob to be executed from shares - NFS, CIFS, FUSE. It requires "entrypoint" permissios on nfs_t, cifs_t and fusefs_t SELinux types.
- Merge remote-tracking branch 'refs/remotes/origin/rawhide-contrib' into rawhide-contrib
- nrpe needs kill capability to make gluster moniterd nodes working.
- Fix interface corenet_tcp_connect_postgresql_port_port(prosody_t)
- Allow prosody connect to postgresql port.
- Add new interfaces
- Add fs_fusefs_entry_type() interface.
- Allow NetworkManager write to sysfs. BZ(1234086)
- Fix bogus line in logrotate.fc.
- Add dontaudit interface for kdumpctl_tmp_t
- Use userdom_rw_user_tmp_files() instead of userdom_rw_user_tmpfs_files() in gluster.te
- Add postgresql support for systemd unit files.
- Fix missing bracket
- Pull request by ssekidde. https://github.com/fedora-selinux/selinux-policy/pull/18
- Fixed obsoleted userdom_delete_user_tmpfs_files() inteface
- rpm_transition_script() is called from rpm_run. Update cloud-init rules.
- Call rpm_transition_script() from rpm_run() interface.
- Allow radvd has setuid and it requires dac_override. BZ(1224403)
- Add glusterd_manage_lib_files() interface.
- Allow samba_t net_admin capability to make CIFS mount working.
- S30samba-start gluster hooks wants to search audit logs. Dontaudit it.
- Reflect logrotate change which moves /var/lib/logrotate.status to /var/lib/logrotate/logrotate.status. BZ(1228531)
- ntop reads /var/lib/ntop/macPrefix.db and it needs dac_override. It has setuid/setgid. BZ(1058822)
- Allow cloud-init to run rpm scriptlets to install packages. BZ(1227484)
- Allow nagios to generate charts.
- Allow glusterd to send generic signals to systemd_passwd_agent processes.
- Allow glusterd to run init scripts.
- Allow glusterd to execute /usr/sbin/xfs_dbin glusterd_t domain.
- Calling cron_system_entry() in pcp_domain_template needs to be a part of optional_policy block.
- Allow samba-net to access /var/lib/ctdbd dirs/files.
- Allow glusterd to send a signal to smbd.
- Make ctdbd as home manager to access also FUSE.
- Allow glusterd to use geo-replication gluster tool.
- Allow glusterd to execute ssh-keygen.
- Allow glusterd to interact with cluster services.
- Add rhcs_dbus_chat_cluster()
- systemd-logind accesses /dev/shm. BZ(1230443)
- Label gluster python hooks also as bin_t.
- Allow sshd to execute gnome-keyring if there is configured pam_gnome_keyring.so.
- Allow gnome-keyring executed by passwd to access /run/user/UID/keyring to change a password.
- corrected day in changelog entry from Apr 30 2015
- merged two %description's for base package into one
Fixes:
warning: line 330: second Description
warning: bogus date in %changelog: Mon Apr 30 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-126