Commit Graph

6014 Commits

Author SHA1 Message Date
Zdenek Pytela
757d64d9d6 * Thu Aug 12 2021 Zdenek Pytela <zpytela@redhat.com> - 34.16-1
- Allow systemd-timesyncd watch system dbus pid socket files
- Allow firewalld drop capabilities
- Allow rhsmcertd execute gpg
- Allow lldpad send to kdump over a unix dgram socket
- Allow systemd-gpt-auto-generator read udev pid files
- Set default file context for /sys/firmware/efi/efivars
- Allow tcpdump run as a systemd service
- Allow nmap create and use netlink generic socket
- Allow nscd watch system db files in /var/db
- Allow cockpit_ws_t get attributes of fs_t filesystems
- Allow sysadm acces to kernel module resources
- Allow sysadm to read/write scsi files and manage shadow
- Allow sysadm access to files_unconfined and bind rpc ports
- Allow sysadm read and view kernel keyrings
- Allow journal mmap and read var lib files
- Allow tuned to read rhsmcertd config files
- Allow bootloader to read tuned etc files
- Label /usr/bin/qemu-storage-daemon with virtd_exec_t
2021-08-12 18:39:36 +02:00
Zdenek Pytela
58dbb0353c * Fri Aug 06 2021 Zdenek Pytela <zpytela@redhat.com> - 34.15-1
- Disable seccomp on CI containers
- Allow systemd-machined stop generic service units
- Allow virtlogd_t read process state of user domains
- Add "/" at the beginning of dev/shm/var\.lib\.opencryptoki.* regexp
- Label /dev/crypto/nx-gzip with accelerator_device_t
- Update the policy for systemd-journal-upload
- Allow unconfined domains to bpf all other domains
- Confine rhsm service and rhsm-facts service as rhsmcertd_t
- Allow fcoemon talk with unconfined user over unix domain datagram socket
- Allow abrt_domain read and write z90crypt device
- Allow mdadm read iscsi pid files
- Change dev_getattr_infiniband_dev() to use getattr_chr_files_pattern()
- Label /usr/lib/pcs/pcs_snmp_agent with cluster_exec_t
- Allow hostapd bind UDP sockets to the dhcpd port
- Unconfined domains should not be confined
2021-08-06 19:30:54 +02:00
Fedora Release Engineering
418902d2f4 - Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild
Signed-off-by: Fedora Release Engineering <releng@fedoraproject.org>
2021-07-23 17:20:44 +00:00
Zdenek Pytela
fe7971a7a7 * Wed Jul 14 2021 Zdenek Pytela <zpytela@redhat.com> - 34.14-1
- Revert "update libs_filetrans_named_content() to have support for /usr/lib/debug directory"
- Remove references to init_watch_path_type attribute
- Remove all redundant watch permissions for systemd
- Allow systemd watch non_security_file_type dirs, files, lnk_files
- Removed adding to attribute unpriv_userdomain from userdom_unpriv_type template
- Allow bacula get attributes of cgroup filesystems
- Allow systemd-journal-upload watch logs and journal
- Create a policy for systemd-journal-upload
- Allow tcpdump and nmap get attributes of infiniband_device_t
- Allow arpwatch get attributes of infiniband_device_t devices
- Label /dev/wmi/dell-smbios as acpi_device_t
2021-07-14 14:59:11 +02:00
Zdenek Pytela
4f56cd3eb8 * Thu Jul 01 2021 Zdenek Pytela <zpytela@redhat.com> - 34.13-1
- Allow radius map its library files
- Allow nftables read NetworkManager unnamed pipes
- Allow logrotate rotate container log files
2021-07-01 16:39:23 +02:00
Zdenek Pytela
8417543050 * Tue Jun 22 2021 Zdenek Pytela <zpytela@redhat.com> - 34.12-2
- Add a systemd service to check that SELinux is disabled properly
- specfile: Add unowned dir to the macro
- Relabel /dev/dma_heap explicitly
2021-06-22 11:50:15 +02:00
Ondrej Mosnacek
fd69433906 Add a systemd service to check that SELinux is disabled properly
As an additional sanity check to support the removal of runtime
disabling of SELinux [1], add a simple oneshot service to the
selinux-policy package that will print a warning to system journal when
it detects on boot that the system has been booted with SELINUX=disabled
in /etc/selinux/config, but without selinux=0 on the kernel command
line.

Note that as per [2], in order for the service to be enabled by default,
it needs to be added to the Fedora presets.

[1] https://fedoraproject.org/wiki/Changes/Remove_Support_For_SELinux_Runtime_Disable
[2] https://docs.fedoraproject.org/en-US/packaging-guidelines/DefaultServices/#_how_to_enable_a_service_by_default

Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
2021-06-22 09:38:56 +00:00
Michael Scherer
a563172755 Add unowned dir to the macro 2021-06-22 09:32:58 +00:00
Zdenek Pytela
ed2eb34288 * Mon Jun 21 2021 Zdenek Pytela <zpytela@redhat.com> - 34.12-1
- Label /dev/dma_heap/* char devices with dma_device_t
- Revert "Label /dev/dma_heap/* char devices with dma_device_t"
- Revert "Label /dev/dma_heap with dma_device_dir_t"
- Revert "Associate dma_device_dir_t with device filesystem"
- Add the lockdown integrity permission to dev_map_userio_dev()
- Allow systemd-modules-load read/write tracefs files
- Allow sssd watch /run/systemd
- Label /usr/bin/arping plain file with netutils_exec_t
- Label /run/fsck with fsadm_var_run_t
- Label /usr/bin/Xwayland with xserver_exec_t
- Allow systemd-timesyncd watch dbus runtime dir
- Allow asterisk watch localization files
- Allow iscsid read all process stat
- iptables.fc: Add missing legacy-restore and legacy-save entries
- Label /run/libvirt/common with virt_common_var_run_t
- Label /.k5identity file allow read of this file to rpc.gssd
- Make usbmuxd_t a daemon
2021-06-21 15:07:20 +02:00
Zdenek Pytela
ef6e27e6c9 * Wed Jun 09 2021 Zdenek Pytela <zpytela@redhat.com> - 34.11-1
- Allow sanlock get attributes of cgroup filesystems
- Associate dma_device_dir_t with device filesystem
- Set default file context for /var/run/systemd instead of /run/systemd
- Allow nmap create and use rdma socket
- Allow pkcs-slotd create and use netlink_kobject_uevent_socket
2021-06-09 16:42:40 +02:00
Zdenek Pytela
a4fcadc086 * Sun Jun 06 2021 Zdenek Pytela <zpytela@redhat.com> - 34.10-1
- Allow using opencryptoki for ipsec
- Allow using opencryptoki for certmonger
- Label var.lib.opencryptoki.* files and create pkcs_tmpfs_filetrans()
- Label /dev/dma_heap with dma_device_dir_t
- Allow syslogd watch non security dirs conditionally
- Introduce logging_syslogd_list_non_security_dirs tunable
- Remove openhpi module
- Allow udev to watch fixed disk devices
- Allow httpd_sys_script_t read, write, and map hugetlbfs files
- Allow apcupsd get attributes of cgroup filesystems
2021-06-06 23:32:21 +02:00
Zdenek Pytela
6b0b962be0 * Thu May 27 2021 Zdenek Pytela <zpytela@redhat.com> - 34.9-1
- Add kerberos object filetrans for nsswitchdomain
- Allow fail2ban watch various log files
- Add logging_watch_audit_log_files() and logging_watch_audit_log_dirs()
- Remove further modules recently removed from refpolicy
- Remove modules not shipped and not present in refpolicy
- Revert "Add permission open to files_read_inherited_tmp_files() interface"
- Revert "Allow pcp_pmlogger_t to use setrlimit BZ(1708951)"
- Revert "Dontaudit logrotate to setrlimit itself. rhbz#1309604"
- Revert "Allow cockpit_ws_t domain to set limits BZ(1701703)"
- Dontaudit setrlimit for domains that exec systemctl
- Allow kdump_t net_admin capability
- Allow nsswitch_domain read init pid lnk_files
- Label /dev/trng with random_device_t
- Label /run/systemd/default-hostname with hostname_etc_t
- Add default file context specification for dnf log files
- Label /dev/zram[0-9]+ block device files with fixed_disk_device_t
- Label /dev/udmabuf character device with dma_device_t
- Label /dev/dma_heap/* char devices with dma_device_t
- Label /dev/acpi_thermal_rel char device with acpi_device_t
2021-05-27 22:08:10 +02:00
Zdenek Pytela
cd4a089134 Remove temporary explicit /dev/nvme* relabeling 2021-05-20 15:16:05 +02:00
Zdenek Pytela
80410eaf30 * Thu May 20 2021 Zdenek Pytela <zpytela@redhat.com> - 34.8-1
- Allow local_login_t nnp_transition to login_userdomain
- Allow asterisk watch localization symlinks
- Allow NetworkManager_t to watch /etc
- Label /var/lib/kdump with kdump_var_lib_t
- Allow amanda get attributes of cgroup filesystems
- Allow sysadm_t nnp_domtrans to systemd_tmpfiles_t
- Allow install_t nnp_domtrans to setfiles_mac_t
- Allow fcoemon create sysfs files
2021-05-20 15:09:34 +02:00
Zdenek Pytela
30f8c042ae * Thu May 13 2021 Zdenek Pytela <zpytela@redhat.com> - 34.7-1
- Allow tgtd read and write infiniband devices
- Add a comment on virt_sandbox booleans with empty content
- Deprecate duplicate dev_write_generic_sock_files() interface
- Allow vnstatd_t map vnstatd_var_lib_t files
- Allow privoxy execmem
- Allow pmdakvm read information from the debug filesystem
- Add lockdown integrity into kernel_read_debugfs() and kernel_manage_debugfs()
- Add permissions to delete lnk_files into gnome_delete_home_config()
- Remove rules for inotifyfs
- Remove rules for anon_inodefs
- Allow systemd nnp_transition to login_userdomain
- Allow unconfined_t write other processes perf_event records
- Allow sysadm_t dbus chat with tuned
- Allow tuned write profile files with file transition
- Allow tuned manage perf_events
- Make domains use kernel_write_perf_event() and kernel_manage_perf_event()
2021-05-13 18:42:35 +02:00
Zdenek Pytela
4fecc6469f * Fri May 07 2021 Zdenek Pytela <zpytela@redhat.com> - 34.6-1
- Make domains use kernel_write_perf_event() and kernel_manage_perf_event()
- Add kernel_write_perf_event() and kernel_manage_perf_event()
- Allow syslogd_t watch root and var directories
- Allow unconfined_t read other processes perf_event records
- Allow login_userdomain read and map /var/lib/systemd files
- Allow NetworkManager watch its config dir
- Allow NetworkManager read and write z90crypt device
- Allow tgtd create and use rdma socket
- Allow aide connect to init with a unix socket
2021-05-07 18:08:57 +02:00
Zdenek Pytela
b900d641f6 * Tue May 04 2021 Zdenek Pytela <zpytela@redhat.com> - 34.5-1
- Grant execmem to varnishlog_t
- We no longer need signull for varnishlog_t
- Add map permission to varnishd_read_lib_files
- Allow systemd-sleep tlp_filetrans_named_content()
- Allow systemd-sleep execute generic programs
- Allow systemd-sleep execute shell
- Allow to sendmail read/write kerberos host rcache files
- Allow freshclam get attributes of cgroup filesystems
- Fix context of /run/systemd/timesync
- Allow udev create /run/gdm with proper type
- Allow chronyc socket file transition in user temp directory
- Allow virtlogd_t to create virt_var_lockd_t dir
- Allow pluto IKEv2 / ESP over TCP
2021-05-04 20:27:30 +02:00
Zdenek Pytela
2b76eb3833 * Tue Apr 27 2021 Zdenek Pytela <zpytela@redhat.com> - 34.4-1
- Allow domain create anonymous inodes
- Add anon_inode class to the policy
- Allow systemd-coredump getattr nsfs files and net_admin capability
- Allow systemd-sleep transition to sysstat_t
- Allow systemd-sleep transition to tlp_t
- Allow systemd-sleep transition to unconfined_service_t on bin_t executables
- Allow systemd-timedated watch runtime dir and its parent
- Allow system dbusd read /var/lib symlinks
- Allow unconfined_service_t confidentiality and integrity lockdown
- Label /var/lib/brltty with brltty_var_lib_t
- Allow domain and unconfined_domain_type watch /proc/PID dirs
- Additional permission for confined users loging into graphic session
- Make for screen fsetid/setuid/setgid permission conditional
- Allow for confined users acces to wtmp and run utempter
2021-04-27 19:55:59 +02:00
Zdenek Pytela
ab4d6094ae * Fri Apr 09 2021 Zdenek Pytela <zpytela@redhat.com> - 34.3-1
- Label /etc/redis as redis_conf_t
- Add brltty new permissions required by new upstream version
- Allow cups-lpd read its private runtime socket files
- Dontaudit daemon open and read init_t file
- Add file context specification for /var/tmp/tmp-inst
- Allow brltty create and use bluetooth_socket
- Allow usbmuxd get attributes of cgroup filesystems

* Tue Apr 06 2021 Zdenek Pytela <zpytela@redhat.com> - 34.2-1
- Allow usbmuxd get attributes of cgroup filesystems
- Allow accounts-daemon get attributes of cgroup filesystems
- Allow pool-geoclue get attributes of cgroup filesystems
- allow systemd-sleep to set timer for suspend-then-hibernate
- Allow aide connect to systemd-userdbd with a unix socket
- Add new interfaces with watch_mount and watch_with_perm permissions
- Add file context specification for /usr/libexec/realmd
- Allow /tmp file transition for dbus-daemon also for sock_file
- Allow login_userdomain create cgroup files
- Allow plymouthd_t exec generic program in bin directories

* Thu Apr 01 2021 Zdenek Pytela <zpytela@redhat.com> - 34.1-1
- Change the package versioning

* Thu Apr 01 2021 Zdenek Pytela <zpytela@redhat.com> - 3.14.8-10
- Allow plymouthd_t exec generic program in bin directories
- Allow dhcpc_t domain transition to chronyc_t
- Allow login_userdomain bind xmsg port
- Allow ibacm the net_raw and sys_rawio capabilities
- Allow nsswitch_domain read cgroup files
- Allow systemd-sleep create hardware state information files

* Mon Mar 29 2021 Zdenek Pytela <zpytela@redhat.com> - 3.14.8-9
- Add watch_with_perm_dirs_pattern file pattern
2021-04-09 22:45:41 +02:00
Zdenek Pytela
6ff3284cb2 * Fri Mar 26 2021 Zdenek Pytela <zpytela@redhat.com> - 3.14.8-8
- Allow arpwatch_t create netlink generic socket
- Allow postgrey read network state
- Add watch_mount_dirs_pattern file pattern
- Allow bluetooth_t dbus chat with fwupd_t
- Allow xdm_t watch accountsd lib directories
- Add additional interfaces for watching /boot
- Allow sssd_t get attributes of tmpfs filesystems
- Allow local_login_t get attributes of tmpfs filesystems
- Dontaudit domain the fowner capability
- Extend fs_manage_nfsd_fs() to allow managing dirs as well
- Allow spice-vdagentd watch systemd-logind session dirs
2021-03-26 16:10:54 +01:00
Zdenek Pytela
7e06a74914 * Fri Mar 19 2021 Zdenek Pytela <zpytela@redhat.com> - 3.14.8-7
- Allow xdm_t watch systemd-logind session dirs
- Allow xdm_t transition to system_dbusd_t
- Allow confined users login into graphic session
- Allow login_userdomain watch systemd login session dirs
- install_t: Allow NoNewPriv transition from systemd
- Remove setuid/setgid capabilities from mysqld_t
- Add context for new mariadbd executable files
- Allow netutils_t create netlink generic socket
- Allow systemd the audit_control capability conditionally
2021-03-19 21:52:07 +01:00
Zdenek Pytela
77437ed12d * Thu Mar 11 2021 Zdenek Pytela <zpytela@redhat.com> - 3.14.8-6
- Allow polkit-agent-helper-1 read logind sessions files
- Allow polkit-agent-helper read init state
- Allow login_userdomain watch generic device dirs
- Allow login_userdomain listen on bluetooth sockets
- Allow user_t and staff_t bind netlink_generic_socket
- Allow login_userdomain write inaccessible nodes
- Allow transition from xdm domain to unconfined_t domain.
- Add 'make validate' step to CI
- Disallow user_t run su/sudo and staff_t run su
- Fix typo in rsyncd.conf in rsync.if
- Add an alias for nvme_device_t
- Allow systemd watch and watch_reads unallocated ttys
2021-03-11 22:25:45 +01:00
Zdenek Pytela
dd41f17526 * Wed Mar 03 2021 Zdenek Pytela <zpytela@redhat.com> - 3.14.8-5
- Allow apmd watch generic device directories
- Allow kdump load a new kernel
- Add confidentiality lockdown permission to kernel_read_core_if()
- Allow keepalived read nsfs files
- Allow local_login_t get attributes of filesystems with ext attributes
- Allow keepalived read/write its private memfd: objects
- Add missing declaration in rpm_named_filetrans()
- Change param description in cron interfaces to userdomain_prefix
2021-03-03 11:24:58 +01:00
Zdenek Pytela
c7794d90ee Relabel /dev/nvme* explicitly
In the 9613e80506e7ffa37e9b150f2a3f8641dd7c26ea selinux-policy commit,
the type of nvme device files has changed from nvme_device_t to
fixed_disk_device_t.

This cannot currently be resolved in specfile selinux macros as fixfiles
excludes /dev entries. For files in /dev with changed context, restorecon
needs to be run explicitly to restore the context.

This is a temporary workaround till April 2021 when the updated policy
can be considered spread enough.
2021-03-01 11:50:07 +01:00
Zdenek Pytela
2faa5c2293 * Wed Feb 24 2021 Zdenek Pytela <zpytela@redhat.com> - 3.14.8-4
- iptables.fc: Add missing legacy entries
- iptables.fc: Remove some duplicate entries
- iptables.fc: Remove duplicate file context entries
- Allow libvirtd to create generic netlink sockets
- Allow libvirtd the fsetid capability
- Allow libvirtd to read /run/utmp
- Dontaudit sys_ptrace capability when calling systemctl
- Allow udisksd to read /dev/random
- Allow udisksd to watch files under /run/mount
- Allow udisksd to watch /etc
- Allow crond to watch user_cron_spool_t directories
- Allow accountsd watch xdm config directories
- Label /etc/avahi with avahi_conf_t
- Allow sssd get cgroup filesystems attributes and search cgroup dirs
- Allow systemd-hostnamed read udev runtime data
- Remove dev_getattr_sysfs_fs() interface calls for particular domains
- Allow domain stat the /sys filesystem
- Dontaudit NetworkManager write to initrc_tmp_t pipes
- policykit.te: Clean up watch rule for policykit_auth_t
- Revert further unnecessary watch rules
- Revert "Allow getty watch its private runtime files"
- Allow systemd watch generic /var directories
- Allow init watch network config files and lnk_files
- Allow systemd-sleep get attributes of fixed disk device nodes
- Complete initial policy for systemd-coredump
- Label SDC(scini) Dell Driver
- Allow upowerd to send syslog messages
- Remove the disk write permissions from tlp_t
- Label NVMe devices as fixed_disk_device_t
- Allow rhsmcertd bind tcp sockets to a generic node
- Allow systemd-importd manage machines.lock file
2021-02-24 10:14:28 +01:00
Zdenek Pytela
aa1f535cb2 * Tue Feb 16 2021 Zdenek Pytela <zpytela@redhat.com> - 3.14.8-3
- Allow unconfined integrity lockdown permission
- Relocate confidentiality lockdown rule from unconfined_domain_type to unconfined
- Allow systemd-machined manage systemd-userdbd runtime sockets
- Enable systemd-sysctl domtrans for udev
- Introduce kernel_load_unsigned_module interface and use it for couple domains
- Allow gpg watch user gpg secrets dirs
- Build also the container module in CI
- Remove duplicate code from kernel.te
- Allow restorecond to watch all non-auth directories
- Allow restorecond to watch its config file
2021-02-16 22:47:33 +01:00
Zdenek Pytela
15dc304d75 * Mon Feb 15 2021 Zdenek Pytela <zpytela@redhat.com> - 3.14.8-2
- Allow userdomain watch various filesystem objects
- Allow systemd-logind and systemd-sleep integrity lockdown permission
- Allow unconfined_t and kprop_t to create krb5_0.rcache2 with the right context
- Allow pulseaudio watch devices and systemd-logind session dirs
- Allow abrt-dump-journal-* watch generic log dirs and /run/log/journal dir
- Remove duplicate files_mounton_etc(init_t) call
- Add watch permissions to manage_* object permissions sets
- Allow journalctl watch generic log dirs and /run/log/journal dir
- Label /etc/resolv.conf as net_conf_t even when it's a symlink
- Allow SSSD to watch /var/run/NetworkManager
- Allow dnsmasq_t to watch /etc
- Remove unnecessary lines from the new watch interfaces
- Fix docstring for init_watch_dir()
- Allow xdm watch its private lib dirs, /etc, /usr
2021-02-15 20:38:28 +01:00
Zdenek Pytela
d558c4f1c7 * Thu Feb 11 2021 Zdenek Pytela <zpytela@redhat.com> - 3.14.8-1
- Bump version as Fedora 34 has been branched off rawhide
- Allow xdm watch its private lib dirs, /etc, /usr
- Allow systemd-importd create /run/systemd/machines.lock file
- Allow rhsmcertd_t read kpatch lib files
- Add integrity lockdown permission into dev_read_raw_memory()
- Add confidentiality lockdown permission into fs_rw_tracefs_files()
- Allow gpsd read and write ptp4l_t shared memory.
- Allow colord watch its private lib files and /usr
- Allow init watch_reads mount PID files
- Allow IPsec and Certmonger to use opencryptoki services
2021-02-11 22:08:31 +01:00
Zdenek Pytela
c7e90bc196 * Sun Feb 07 2021 Zdenek Pytela <zpytela@redhat.com> - 3.14.7-18
- Allow lockdown confidentiality for domains using perf_event
- define lockdown class and access
- Add perfmon capability for all domains using perf_event
- Allow ptp4l_t bpf capability to run bpf programs
- Revert "Allow ptp4l_t sys_admin capability to run bpf programs"
- access_vectors: Add new capabilities to cap2
- Allow systemd and systemd-resolved watch dbus pid objects
- Add new watch interfaces in the base and userdomain policy
- Add watch permissions for contrib packages
- Allow xdm watch /usr directories
- Allow getty watch its private runtime files
- Add watch permissions for nscd and sssd
- Add watch permissions for firewalld and NetworkManager
- Add watch permissions for syslogd
- Add watch permissions for systemd services
- Allow restorecond watch /etc dirs
- Add watch permissions for user domain types
- Add watch permissions for init
- Add basic watch interfaces for systemd
- Add basic watch interfaces to the base module
- Add additional watch object permissions sets and patterns
- Allow init_t to watch localization symlinks
- Allow init_t to watch mount directories
- Allow init_t to watch cgroup files
- Add basic watch patterns
- Add new watch* permissions
2021-02-08 21:24:07 +01:00
Zdenek Pytela
c2d5ebb406 * Fri Feb 05 2021 Zdenek Pytela <zpytela@redhat.com> - 3.14.7-17
- Update .copr/make-srpm.sh to use rawhide as DISTGIT_BRANCH
- Dontaudit setsched for rndc
- Allow systemd-logind destroy entries in message queue
- Add userdom_destroy_unpriv_user_msgq() interface
- ci: Install build dependencies from koji
- Dontaudit vhostmd to write in /var/lib/rpm/ dir and allow signull rpm
- Add new cmadmin port for bfdd dameon
- virtiofs supports Xattrs and SELinux
- Allow domain write to systemd-resolved PID socket files
- Label /var/run/pcsd-ruby.socket       socket with cluster_var_run_t type
- Allow rhsmcertd_t domain transition to kpatch_t
- Revert "Add kpatch_exec() interface"
- Revert "Allow rhsmcertd execute kpatch"
- Allow openvswitch create and use xfrm netlink sockets
- Allow openvswitch_t perf_event write permission
- Add kpatch_exec() interface
- Allow rhsmcertd execute kpatch
- Adds rule to allow glusterd to access RDMA socket
- radius: Lexical sort of service-specific corenet rules by service name
- VQP: Include IANA-assigned TCP/1589
- radius: Allow binding to the VQP port (VMPS)
- radius: Allow binding to the BDF Control and Echo ports
- radius: Allow binding to the DHCP client port
- radius: Allow net_raw; allow binding to the DHCP server ports
- Add rsync_sys_admin tunable to allow rsync sys_admin capability
- Allow staff_u run pam_console_apply
- Allow openvswitch_t perf_event open permission
- Allow sysadm read and write /dev/rfkill
- Allow certmonger fsetid capability
- Allow domain read usermodehelper state information
2021-02-05 12:51:30 +01:00
Zdenek Pytela
557675f09a Use the rawhide branch instead of master
In the src.fedoraproject.org/rpms/selinux-policy packages repository,
the default branch name has changed to "rawhide", with a symref (link)
of "main". The make-rhat-patches.sh file was updated to use "rawhide"
in the DISTGIT_BRANCH variable instead of "master".
2021-02-04 17:12:07 +01:00
Fedora Release Engineering
b0dd6c6ef6 - Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
Signed-off-by: Fedora Release Engineering <releng@fedoraproject.org>
2021-01-27 20:11:38 +00:00
Petr Lautrbach
f38b38e51e Rebuild with SELinux userspace 3.2-rc1 release 2021-01-22 10:34:08 +01:00
Zdenek Pytela
4f8342e8c3 Add /var/mnt equivalency to /mnt
On Fedora Silverblue, /mnt is a symlink to /var/mnt.
2021-01-22 10:32:59 +01:00
Zdenek Pytela
ce671c04d8 Update specfile to not verify md5/size/mtime for active store files
The rpm-verify command reports changes for packaged files in the active
store (/var/lib/selinux) which are changed on the selinux-policy-*
packages updates. In order to pass the rpm verification process, the
specfile option %verify(not md5 size mtime) for each of the affected
files will prevent from reporting a failure in any of the rpm-verify
subtests:
- S file Size differs
- 5 digest (formerly MD5 sum) differs
- T mTime differs
2021-01-15 19:49:38 +01:00
Zdenek Pytela
d76e0b4040 * Fri Jan 8 18:41:06 CET 2021 Zdenek Pytela <zpytela@redhat.com> - 3.14.7-14
- Allow domain read usermodehelper state information
- Remove all kernel_read_usermodehelper_state() interface calls
- .copr: improve timestamp format
- Allow wireshark create and use rdma socket
- Allow domain stat /proc filesystem
- Remove all kernel_getattr_proc() interface calls
- Revert "Allow passwd to get attributes in proc_t"
- Revert "Allow dovecot_auth_t stat /proc filesystem"
- Revert "Allow sssd, unix_chkpwd, groupadd stat /proc filesystem"
- Allow sssd read /run/systemd directory
- Label /dev/vhost-vdpa-[0-9]+ as vhost_device_t
2021-01-08 18:44:14 +01:00
Zdenek Pytela
d5b79a1cb7 * Thu Dec 17 20:07:23 CET 2020 Zdenek Pytela <zpytela@redhat.com> - 3.14.7-13
- Label /dev/isst_interface as cpu_device_t
- Dontaudit firewalld dac_override capability
- Allow ipsec set the context of a SPD entry to the default context
- Build binary RPMs in CI
- Add SRPM build scripts for COPR
2020-12-17 20:11:46 +01:00
Ondrej Mosnacek
533a2f186e Remove useless mkdir command from minimum build
The directory will be created automatically by the install commands, so
no need to create it manually.

Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
2020-12-15 21:29:57 +00:00
Ondrej Mosnacek
ecfabbb8f3 Remove useless rm command from minimum build
There is no file actually created at that location during build, so the
command can be safely removed. Verified by removing the '-f' and
observing the build fail (file does not exist).

Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
2020-12-15 21:29:57 +00:00
Ondrej Mosnacek
167b0505ce Remove unnecessary steps from targeted policy build
We can install the permissivedomains.cil module directly, no need to
copy it to %{buildroot} first.

Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
2020-12-15 21:29:57 +00:00
Zdenek Pytela
fa72125856 * Tue Dec 15 16:24:44 CET 2020 Zdenek Pytela <zpytela@redhat.com> - 3.14.7-12
- Allow dovecot_auth_t stat /proc filesystem
- Allow sysadm_u user and unconfined_domain_type manage perf_events
- Allow pcp-pmcd manage perf_events
- Add manage_perf_event_perms object permissions set
- Add perf_event access vectors.
- Allow sssd, unix_chkpwd, groupadd stat /proc filesystem
- Allow stub-resolv.conf to be a symlink
- sysnetwork.if: avoid directly referencing systemd_resolved_var_run_t
- Create the systemd_dbus_chat_resolved() compatibility interface
- Allow nsswitch-domain write to systemd-resolved PID socket files
- Add systemd_resolved_write_pid_sock_files() interface
- Add default file context for "/var/run/chrony-dhcp(/.*)?"
- Allow timedatex dbus chat with cron system domain
- Add cron_dbus_chat_system_job() interface
- Allow systemd-logind manage init's pid files
2020-12-15 16:31:51 +01:00
Petr Lautrbach
0f3b08d5d1 Add make to BuildRequires
See https://fedoraproject.org/wiki/Changes/Remove_make_from_BuildRoot
2020-12-14 12:15:28 +01:00
Zdenek Pytela
8d02847dad * Wed Dec 9 15:39:03 CET 2020 Zdenek Pytela <zpytela@redhat.com> - 3.14.7-11
- Allow systemd-logind manage init's pid files
- Allow tcsd the setgid capability
- Allow systemd-resolved manage its private runtime symlinks
- Update systemd_resolved_read_pid() to also read symlinks
- Update systemd-sleep policy
- Add groupadd_t fowner capability
- Migrate to GitHub Actions
- Update README.md to reflect the state after contrib and base merge
- Add README.md announcing merging of selinux-policy and selinux-policy-contrib
- Adapt .travis.yml to contrib merge
- Merge contrib into the main repo
- Prepare to merge contrib repo
- Move stuff around to match the main repo
2020-12-09 15:42:48 +01:00
Ondrej Mosnacek
58fb34f371 Fix typos and grammar in README
Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
2020-12-02 09:41:43 +01:00
Zdenek Pytela
e94a380d32 * Thu Nov 26 2020 Zdenek Pytela <zpytela@redhat.com> - 3.14.7-10
- Allow Xephyr connect to 6000/tcp port and open user ptys
- Allow kexec manage generic tmp files
- Update targetd nfs & lvm
- Add interface rpc_manage_exports
- Merge selinux-policy and selinux-policy-contrib repos
2020-11-26 19:32:31 +01:00
Ondrej Mosnacek
54876665ae Adapt specfile, make-rhat-patches, and README to contrib merge
The "rawhide" branch of selinux-policy and selinux-policy-contrib is
about to be merged together. Update dist-git for this, so that the next
build can be performed with the new repo structure.

Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
2020-11-26 18:32:41 +01:00
Ondrej Mosnacek
aebc05fc19 Reword and clean up the README
Fix grammar, reword misleading statements, add some missing information,
and fix fromatting.

Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
2020-11-25 19:27:11 +01:00
Zdenek Pytela
595a6449f5 * Tue Nov 24 2020 Zdenek Pytela <zpytela@redhat.com> - 3.14.7-9
- Allow varnish map its private tmp files
- Allow dovecot bind to smtp ports
- Change fetchmail temporary files path to /var/spool/mail
- Allow cups_pdf_t domain to communicate with unix_dgram_socket
- Set file context for symlinks in /etc/httpd to etc_t
- Allow rpmdb rw access to inherited console, ttys, and ptys
- Allow dnsmasq read public files
- Announce merging of selinux-policy and selinux-policy-contrib
- Label /etc/resolv.conf as net_conf_t only if it is a plain file
- Fix range for unreserved ports
- Add files_search_non_security_dirs() interface
- Introduce logging_syslogd_append_public_content tunable
- Add miscfiles_append_public_files() interface
2020-11-24 19:47:48 +01:00
Zdenek Pytela
05fb517c90 * Fri Nov 13 2020 Zdenek Pytela <zpytela@redhat.com> - 3.14.7-8
- Set correct default file context for /usr/libexec/pcp/lib/*
- Introduce rpmdb_t type
- Allow slapd manage files/dirs in ldap certificates directory
- Revert "Allow certmonger add new entries in a generic certificates directory"
- Allow certmonger add new entries in a generic certificates directory
- Allow slapd add new entries in ldap certificates directory
- Remove retired PCP pmwebd and pmmgr daemons (since 5.0)
- Let keepalived bind a raw socket
- Add default file context for /usr/libexec/pcp/lib/*
- squid: Allow net_raw capability when squid_use_tproxy is enabled
- systemd: allow networkd to check namespaces
- Add ability to read init_var_run_t where fs_read_efivarfs_files is allowed
- Allow resolved to created varlink sockets and the domain to talk to it
- selinux: tweak selinux_get_enforce_mode() to allow status page to be used
- systemd: allow all systemd services to check selinux status
- Set default file context for /var/lib/ipsec/nss
- Allow user domains transition to rpmdb_t
- Revert "Add miscfiles_add_entry_generic_cert_dirs() interface"
- Revert "Add miscfiles_create_generic_cert_dirs() interface"
- Update miscfiles_manage_all_certs() to include managing directories
- Add miscfiles_create_generic_cert_dirs() interface
- Add miscfiles_add_entry_generic_cert_dirs() interface
- Revert "Label /var/run/zincati/public/motd.d/* as motd_var_run_t"
2020-11-13 10:13:13 +01:00
Petr Lautrbach
e88945f82a selinux-policy-3.14.7-7
- Rebuild with latest libsepol
- Bump policy version to 33
2020-11-03 17:46:00 +01:00