Commit Graph

5665 Commits

Author SHA1 Message Date
Dan Walsh
662016aa11 We need to setcheckreqprot to 0 for security purposes 2015-04-16 14:00:38 -04:00
Lukas Vrabec
28cc160db1 * Wed Apr 15 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-124
- Add more restriction on entrypoint for unconfined domains.
2015-04-15 17:14:18 +02:00
Lukas Vrabec
578b67080c * Wed Apr 14 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-123
- Allow abrtd to list home config. BZ(1199658)
- Dontaudit dnssec_trigger_t to read /tmp. BZ(1210250)
- Allow abrt_dump_oops_t to IPC_LOCK. BZ(1205481)
- Allow mock_t to use ptmx. BZ(1181333)
- Allow dnssec_trigger_t to stream connect to networkmanager.
- Allow dnssec_trigger_t to create resolv files labeled as net_conf_t
- Fix labeling for keystone CGI scripts.
2015-04-14 01:13:22 +02:00
Lukas Vrabec
b9a1c72d29 * Tue Apr 07 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-122
- Label /usr/libexec/mongodb-scl-helper as mongod_initrc_exec_t. BZ(1202013)
- Add mongodb port to httpd_can_network_connect_db interface. BZ(1209180)
- Allow mongod to work with configured SSSD.
- Add collectd net_raw capability. BZ(1194169)
- Merge postfix spool types(maildrop,flush) to one postfix_spool_t
- Allow dhcpd kill capability.
- Make rwhod as nsswitch domain.
- Add support for new fence agent fence_mpath which is executed by fence_node.
- Fix cloudform policy.(m4 is case sensitive)
- Allow networkmanager and cloud_init_t to dbus chat
- Allow lsmd plugin to run with configured SSSD.
- Allow bacula access to tape devices.
- Allow sblim domain to read sysctls..
- Allow timemaster send a signal to ntpd.
- Allow mysqld_t to use pam.It is needed by MariDB if auth_apm.so auth plugin is used.
- two 'l' is enough.
- Add labeling for systemd-time*.service unit files and allow systemd-timedated to access these unit files.
- Allow polkit to dbus chat with xserver. (1207478)
- Add lvm_stream_connect() interface.
- Set label of /sys/kernel/debug
2015-04-07 16:26:56 +02:00
Lukas Vrabec
5852f33770 * Mon Mar 30 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-121
- Allow kmscon to read system state. BZ (1206871)
- Label ~/.abrt/ as abrt_etc_t. BZ(1199658)
- Allow xdm_t to read colord_var_lib_t files. BZ(1201985)
2015-03-30 20:13:54 +02:00
Lukas Vrabec
734dd8ae6f * Mon Mar 23 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-120
- Allow mysqld_t to use pam. BZ(1196104)
- Added label mysqld_etc_t for /etc/my.cnf.d/ dir. BZ(1203989)
- Allow fetchmail to read mail_spool_t. BZ(1200552)
- Dontaudit blueman_t write to all mountpoints. BZ(1198272)
- Allow all domains some process flags.
- Merge branch 'rawhide-base' of github.com:selinux-policy/selinux-policy into rawhide-base
- Turn on overlayfs labeling for testin, we need this backported to F22 and Rawhide.  Eventually will need this in RHEL
2015-03-23 16:13:45 +01:00
Lukas Vrabec
60d4b2cec9 Fixed issues related to removing docker policy files 2015-03-19 17:57:47 +01:00
Lukas Vrabec
f9d97717a8 * Wed Mar 18 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-119
- build without docker
2015-03-18 17:03:21 +01:00
Lukas Vrabec
e2a064a427 * Mon Mar 16 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-118
- docker watches for content in the /etc directory
- Merge branch 'rawhide-contrib' of github.com:selinux-policy/selinux-policy into rawhide-contrib
- Fix abrt_filetrans_named_content() to create /var/tmp/abrt with the correct abrt_var_cache_t labeling.
- Allow docker to communicate with openvswitch
- Merge branch 'rawhide-contrib' of github.com:selinux-policy/selinux-policy into rawhide-contrib
- Allow docker to relablefrom/to sockets and docker_log_t
- Allow journald to set loginuid. BZ(1190498)
- Add cap. sys_admin for passwd_t. BZ(1185191)
- Allow abrt-hook-ccpp running as kernel_t to allow create /var/tmp/abrt with correct labeling.
2015-03-16 18:04:20 +01:00
Lukas Vrabec
ed576d59f8 * Fri Mar 09 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-117
- Allow spamc read spamd_etc_t files. BZ(1199339).
- Allow collectd to write to smnpd_var_lib_t dirs. BZ(1199278)
- Allow abrt_watch_log_t read passwd file. BZ(1197396)
- Allow abrt_watch_log_t to nsswitch_domain. BZ(1199659)
- Allow cups to read colord_var_lib_t files. BZ(1199765)
2015-03-09 13:16:20 +01:00
Lukas Vrabec
b61b8da21f * Fri Mar 06 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-116
- Turn on rolekit in F23
2015-03-06 17:17:25 +01:00
Miroslav Grepl
b97a0c7a41 Turn on rolekit in F22 2015-03-06 17:11:00 +01:00
Lukas Vrabec
f6c1168684 * Thu Mar 05 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-115
- Allow glusterd_t exec glusterd_var_lib_t files. BZ(1198406)
- Add gluster_exec_lib interface.
- Allow l2tpd to manage NetworkManager pid files
- Allow firewalld_t relabelfrom firewalld_rw_etc_t. BZ(1195327)
- Allow cyrus bind tcp berknet port. BZ(1198347)
- Add nsswitch domain for more serviecs.
- Allow abrt_dump_oops_t read /etc/passwd file. BZ(1197190)
- Remove ftpd_use_passive_mode boolean. It does not make sense due to ephemeral port handling.
- Make munin yum plugin as unconfined by default.
- Allow bitlbee connections to the system DBUS.
- Allow system apache scripts to send log messages.
- Allow denyhosts execute iptables. BZ(1197371)
- Allow brltty rw event device. BZ(1190349)
- Allow cupsd config to execute ldconfig. BZ(1196608)
- xdm_t now needs to manage user ttys
- Allow ping_t read urand. BZ(1181831)
- Add support for tcp/2005 port.
- Allow setfiles domain to access files with admin_home_t. semanage -i /root/testfile.
- In F23 we are running xserver as the user, need this to allow confined users to us X
2015-03-05 20:22:19 +01:00
Lukas Vrabec
2ee001bdc9 * Mon Feb 25 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-114
- Fix source filepath for moving html files.
2015-02-25 17:13:43 +01:00
Lukas Vrabec
6acb58cea3 Fix source filepath for moving html files. 2015-02-24 17:51:12 +01:00
Lukas Vrabec
946068cde6 * Mon Feb 23 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-113
- Xserver needs to be transitioned to from confined users
- Added logging_syslogd_pid_filetrans
- xdm_t now talks to hostnamed
- Label new strongswan binary swanctl and new unit file strongswan-swanctl.service. BZ(1193102)
- Additional fix for labeleling /dev/log correctly.
- cups chats with network manager
- Allow parent domains to read/write fifo files in mozilla plugin
- Allow spc_t to transition to svirt domains
- Cleanup spc_t
- docker needs more control over spc_t
- pcp domains are executed out of cron
2015-02-23 16:11:23 +01:00
Lukas Vrabec
83d645c1b0 * Mon Feb 16 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-112
- Allow audisp to connect to system DBUS for service.
- Label /dev/log correctly.
- Add interface init_read_var_lib_files().
- Allow abrt_dump_oops_t read /var/lib/systemd/, Allow abrt_dump_oops_t cap. chown,fsetid,fowner, BZ(1187017)
2015-02-16 20:23:47 +01:00
Lukas Vrabec
e793323380 * Tue Feb 10 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-111
- Label /usr/libexec/postgresql-ctl as postgresql_exec_t. BZ(1191004)
- Remove automatcically running filetrans_named_content form sysnet_manage_config
- Allow syslogd/journal to read netlink audit socket
- Allow brltty ioctl on usb_device_t. BZ(1190349)
- Make sure NetworkManager configures resolv.conf correctly
2015-02-10 22:46:05 +01:00
Lukas Vrabec
ae5733a49e * Thu Feb 05 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-110
- Allow cockpit_session_t to create tmp files
- apmd needs sys_resource when shutting down the machine
- Fix path label to resolv.conf under NetworkManager
2015-02-05 12:12:00 +01:00
Lukas Vrabec
1fd39e9da1 * Wed Feb 04 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-109
- Allow search all pid dirs when managing net_conf_t files.
2015-02-04 17:02:02 +01:00
Lukas Vrabec
203031a6db * Wed Feb 04 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-108
- Fix labels, improve sysnet_manage_config interface.
- Label /var/run/NetworkManager/resolv.conf.tmp as net_conf_t.
- Dontaudit network connections related to thumb_t. BZ(1187981)
- Remove sysnet_filetrans_named_content from fail2ban
2015-02-04 13:06:40 +01:00
Lukas Vrabec
1808b757f1 * Thu Feb 02 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-107
- Fix labels on new location of resolv.conf
- syslog is not writing to the audit socket
- seunshare is doing getattr on unix_stream_sockets leaked into it
- Allow sshd_t to manage gssd keyring
- Allow apps that create net_conf_t content to create .resolv.conf.NetworkManager
- Posgresql listens on port 9898 when running PCP (pgpool Control Port)
- Allow svirt sandbox domains to read /proc/mtrr
- Allow polipo_deamon connect to all ephemeral ports. BZ(1187723)
- Allow dovecot domains to use sys_resouce
- Allow sshd_t to manage gssd keyring
- gpg_pinentry_t needs more access in f22
2015-02-02 11:59:21 +01:00
Lukas Vrabec
a849531c0e * Thu Jan 29 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-106
- Allow docker to attach to the sandbox and user domains tun devices
- Allow pingd to read /dev/urandom. BZ(1181831)
- Allow virtd to list all mountpoints
- Allow sblim-sfcb to search images
- pkcsslotd_lock_t should be an alias for pkcs_slotd_lock_t.
- Call correct macro in virt_read_content().
- Dontaudit couchdb search in gconf_home_t. BZ(1177717)
- Allow docker_t to changes it rlimit
- Allow neutron to read rpm DB.
- Allow radius to connect/bind radsec ports
- Allow pm-suspend running as virt_qemu_ga to read
  /var/log/pm-suspend.log.
- Add devicekit_read_log_files().
- Allow  virt_qemu_ga to dbus chat with rpm.
- Allow netutils chown capability to make tcpdump working with -w.
- Label /ostree/deploy/rhel-atomic-host/deploy directory as
system_conf_t.
- journald now reads the netlink audit socket
- Add auditing support for ipsec.

* Thu Jan 29 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-105
- Bump release
2015-01-29 17:35:42 +01:00
Lukas Vrabec
72c96b37c5 * Thu Jan 15 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-104
- remove duplicate filename transition rules.
- Call proper interface in sosreport.te.
- Allow fetchmail to manage its keyring
- Allow mail munin to create udp_sockets
- Allow couchdb to sendto kernel unix domain sockets
2015-01-15 14:22:27 +01:00
Miroslav Grepl
525ad6557a Make build working 2015-01-12 14:12:54 +01:00
Dan Walsh
800a85e70f Add new policy for hostapd 2015-01-03 09:32:33 -05:00
Dan Walsh
f1ed4e46ca Add /etc/selinux/targeted/contexts/openssh_contexts 2015-01-03 08:44:45 -05:00
Lukas Vrabec
6eb7265b01 * Mon Dec 15 2014 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-101
- Allow logrotate to read hawkey.log in /var/cache/dnf/ BZ(1163438)
- Allow virt_qemu_ga_t to execute kmod.
- Add missing files_dontaudit_list_security_dirs() for smbd_t in samba_export_all_ro boolean
- Add additionnal MLS attribute for oddjob_mkhomedir to create homedirs.
- Add support for /usr/share/vdsm/daemonAdapter.
- Docker has a new config/key file it writes to /etc/docker
- Allow bacula to connect also to postgresql.
2014-12-15 07:43:28 -05:00
Lukas Vrabec
00145df27f Added typo fix 2014-12-11 10:54:52 -05:00
Lukas Vrabec
e4ea4614c7 * Thu Dec 11 2014 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-100
- Allow admin SELinux users mounting / as private within a new mount namespace as root in MLS.
- Fix miscfiles_manage_generic_cert_files() to allow manage link files
- Allow pegasus_openlmi_storage_t use nsswitch. BZ(1172258)
- Add support for /var/run/gluster.
- Allow openvpn manage systemd_passwd_var_run_t files. BZ(1170085)
2014-12-11 10:20:57 -05:00
Lukas Vrabec
1c8cf318c6 * Fri Dec 02 2014 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-99
- Add files_dontaudit_list_security_dirs() interface.
- Added seutil_dontaudit_access_check_semanage_module_store interface.
- Allow docker to create /root/.docker
- Allow rlogind to use also rlogin ports
- dontaudit list security dirs for samba domain
- Dontaudit couchdb to list /var
2014-12-02 13:05:01 +01:00
Lukas Vrabec
1929f5bfe8 Added seutil_dontaudit_access_check_semanage_module_store interface. 2014-11-29 04:38:17 +01:00
Lukas Vrabec
cf94d6be19 * Fri Nov 29 2014 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-98
- Update to have all _systemctl() interface also init_reload_services()
- Dontaudit access check on SELinux module store for sssd.
- Label /var/lib/rpmrebuilddb/ as rpm_var_lib_t. BZ (1167946)
2014-11-29 00:18:57 +01:00
Lukas Vrabec
b5270954f2 Fix date bug 2014-11-28 15:30:56 +01:00
Lukas Vrabec
e4d7a4020d * Fri Nov 27 2014 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-97
- Allow reading of symlinks in /etc/puppet
- Added TAGS to gitignore
- I guess there can be content under /var/lib/lockdown #1167502
- Allow rhev-agentd to read /dev/.udev/db to make deploying hosted engine via iSCSI working.
- Allow keystone to send a generic signal to own process.
- Allow radius to bind tcp/1812 radius port.
- Dontaudit list user_tmp files for system_mail_t
- label virt-who as virtd_exec_t
- Allow rhsmcertd to send a null signal to virt-who running as virtd_t
- Add virt_signull() interface
- Add missing alias for _content_rw_t
- Allow .snapshots to be created in other directories, on all mountpoints
- Allow spamd to access razor-agent.log
- Add fixes for sfcb from libvirt-cim TestOnly bug. (#1152104)
- Allow .snapshots to be created in other directories, on all mountpoints
- Label tcp port 5280 as ejabberd port. BZ(1059930)
- Make /usr/bin/vncserver running as unconfined_service_t
- Label /etc/docker/certs.d as cert_t
- Allow all systemd domains to search file systems
2014-11-28 15:28:22 +01:00
Lukas Vrabec
48f969d319 * Thu Nov 20 2014 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-96
- Allow NetworkManager stream connect on openvpn. BZ(1165110)
2014-11-20 11:38:07 +01:00
Lukas Vrabec
feb8dbd59b * Wed Nov 19 2014 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-95
- Allow networkmanager manage also openvpn sock pid files.
2014-11-19 19:46:38 +01:00
Lukas Vrabec
c88e657c3d * Wed Nov 19 2014 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-94
- Allow openvpn to create uuid connections in /var/run/NetworkManager with NM labeling.
- Allow sendmail to create dead.letter. BZ(1165443)
- Allow selinux_child running as sssd access check on /etc/selinux/targeted/modules/active.
- Allow access checks on setfiles/load_policy/semanage_lock for selinux_child running as sssd_t.
- Label sock file charon.vici as ipsec_var_run_t. BZ(1165065)
- Add additional interfaces for load_policy/setfiles/read_lock related to access checks.
2014-11-19 16:33:35 +01:00
Lukas Vrabec
24d43eb10d * Fri Nov 14 2014 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-93
- Allow bumblebee to use nsswitch. BZ(1155339)
- Allow openvpn to stream connect to networkmanager. BZ(1164182)
- Allow smbd to create HOMEDIRS is pam_oddjob_mkhomedir in MLS.
- Allow cpuplug rw virtual memory sysctl. BZ (1077831)
- Docker needs to write to sysfs, needs back port to F20,F21, RHEL7
2014-11-14 16:06:50 +01:00
Lukas Vrabec
b6161d4177 * Mon Nov 10 2014 Lukas Vrabec <lvrabec@redhat.com> 3.12.1-92
- Add kdump_rw_inherited_kdumpctl_tmp_pipes()
- Added fixes related to linuxptp. BZ (1149693)
- Label keystone cgi files as keystone_cgi_script_exec_t. BZ(1138424
- Dontaudit policykit_auth_t to access to user home dirs. BZ (1157256)
- Fix seutil_dontaudit_access_check_load_policy()
- Add dontaudit interfaces for audit_access in seutil
- Label /etc/strongimcv as ipsec_conf_file_t.
2014-11-10 18:19:50 +01:00
Lukas Vrabec
062b36f481 * Fri Nov 07 2014 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-91
- Added interface userdom_dontaudit_manage_user_home_dirs
- Fix unconfined_server_dbus_chat() interface.
- Add unconfined_server_dbus_chat() inteface.
- Allow login domains to create kernel keyring with different level.
- Dontaudit policykit_auth_t to write to user home dirs. BZ (1157256)
- Make tuned as unconfined domain.
- Added support for linuxptp policy. BZ(1149693)
- make zoneminder as dbus client by default.
- Allow bluetooth read/write uhid devices. BZ (1161169)
- Add fixes for hypervkvp daemon
- Allow guest to connect to libvirt using unix_stream_socket.
- Allow all bus client domains to dbus chat with unconfined_service_t.
- Allow inetd service without own policy to run in inetd_child_t which is unconfined domain.
- Make opensm as nsswitch domain to make it working with sssd.
- Allow brctl to read meminfo.
- Allow winbind-helper to execute ntlm_auth in the caller domain.
- Make plymouthd as nsswitch domain to make it working with sssd.
- Make drbd as nsswitch domain to make it working with sssd.
- Make conman as nsswitch domain to make ipmitool.exp runing as conman_t working.
- Add support for /var/lib/sntp directory.
2014-11-07 22:58:35 +01:00
Lukas Vrabec
bfb6adef8b Added support for linuxptp policy. 2014-11-07 19:12:59 +01:00
Lukas Vrabec
ba65f59092 Fixed mistakes in build. 2014-11-03 16:31:25 +01:00
Lukas Vrabec
a38ffbf425 * Mon Nov 03 2014 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-90
- Add support for /dev/nvme controllerdevice nodes created by nvme driver.
- Add 15672 as amqp_port_t
- Allow wine domains to read user homedir content
- Add fixes to allow docker to create more content in tmpfs ,and donaudit reading /proc
- Allow winbind to read usermodehelper
- Allow telepathy domains to execute shells and bin_t
- Allow gpgdomains to create netlink_kobject_uevent_sockets
- Allow abrt to read software raid state. BZ (1157770)
- Fix rhcs_signull_haproxy() interface.
-  Add suppor for keepalived unconfined scripts and allow keepalived to read all domain state and kill capability.
- Allow snapperd to dbus chat with system cron jobs.
- Allow nslcd to read /dev/urandom.
- Allow dovecot to create user's home directory when they log into IMAP.
- Label also logrotate.status.tmp as logrotate_var_lib_t. BZ(1158835)
2014-11-03 15:03:44 +01:00
Lukas Vrabec
4dfcf7b0d0 Fix wrong url link to upstream. 2014-11-03 14:34:24 +01:00
Lukas Vrabec
af3cfa7b5c * Wed Oct 29 2014 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-89
- Allow keystone_cgi_script_t to bind on commplex_main_port. BZ (#1138424)
- Allow freeipmi_bmc_watchdog rw_sem_perms to freeipmi_ipmiseld
- Allow rabbitmq to read nfs state data. BZ(1122412)
- Allow named to read /var/tmp/DNS_25 labeled as krb5_host_rcache_t.
- Add rolekit policy
- ALlow rolekit domtrans to sssd_t.
- Add kerberos_tmp_filetrans_kadmin() interface.
- rolekit should be noaudit.
- Add rolekit_manage_keys().
- Need to label rpmnew file correctly
- Allow modemmanger to connectto itself
2014-10-29 11:24:42 +01:00
Lukas Vrabec
317f5a18dc * Tue Oct 21 2014 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-88
- Allow couchdb read sysctl_fs_t files. BZ(1154327)
- Allow osad to connect to jabber client port. BZ (1154242)
- Allow mon_statd to send syslog msgs. BZ (1077821
- Allow apcupsd to get attributes of filesystems with xattrs
2014-10-21 15:45:35 +02:00
Lukas Vrabec
df39310b9d Removed redundant patches 2014-10-21 15:14:37 +02:00
Lukas Vrabec
d681f58aea Add cinder to modules-targeted-contrib 2014-10-21 14:53:28 +02:00
Miroslav Grepl
650be6afbf - Allow systemd-networkd to be running as dhcp client.
- Label /usr/bin/cockpit-bridge as shell_exec_t.
- Add label for /var/run/systemd/resolve/resolv.conf.
- ALlow listen and accept on tcp socket for init_t in MLS. Previously it was for xinetd_t.
- Allow systemd-networkd to be running as dhcp client.
- Label /usr/bin/cockpit-bridge as shell_exec_t.
- Add label for /var/run/systemd/resolve/resolv.conf.
- ALlow listen and accept on tcp socket for init_t in MLS. Previously it was for xinetd_t.
2014-10-17 10:12:44 +02:00