Lukas Vrabec
aab02e492d
Merge #2 Remove trailing whitespace in default /etc/selinux/config
2017-09-29 12:30:29 +00:00
Lukas Vrabec
e8dfe68ada
* Fri Sep 29 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-290
...
- Allow virtlogd_t domain to write inhibit systemd pipes.
- Add dac_override capability to openvpn_t domain
- Add dac_override capability to xdm_t domain
- Allow dac_override to groupadd_t domain BZ(1497081)
- Allow cloud-init to create /var/run/cloud-init dir with net_conf_t SELinux label. BZ(1489166)
2017-09-29 14:22:40 +02:00
Colin Walters
5fdac71bd7
Remove trailing whitespace in default /etc/selinux/config
...
See <https://pagure.io/atomic-wg/issue/341> - basically for libostree
(and hence rpm-ostree, and Fedora Editions that use it like Fedora Atomic Host),
the Anaconda `selinux --enforcing` verb will end up rewriting
`/etc/selinux/config` to the same value it had before.
But because of the trailing space character, this generates
a difference, and means the config file appears locally modified,
and hence deployed systems won't receive updates.
I think Anaconda should also be fixed to avoid touching the file *at all*
if it wouldn't result in a change, but let's remove the trailing space
here too, as it's better to fix in two places.
2017-09-27 16:01:25 -04:00
Lukas Vrabec
233534cc51
* Wed Sep 27 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-289
...
- Allow tlp_t domain stream connect to sssd_t domain
- Add missing dac_override capability
- Add systemd_tmpfiles_t dac_override capability
2017-09-27 13:16:05 +02:00
Lukas Vrabec
8587149987
setfiles command produces unnecessary output during selinux-policy package update. This patch redirects stdout of setfiles to /dev/null.
...
Thanks: Petr Lautrbach <plautrba@redhat.com>
2017-09-27 10:01:01 +02:00
Lukas Vrabec
12fd9044f9
* Fri Sep 22 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-288
...
- Remove all unnecessary dac_override capability in SELinux modules
2017-09-22 14:15:27 +02:00
Lukas Vrabec
be528824f0
Remove all permissive domains, all domains look stable
2017-09-22 12:24:43 +02:00
Lukas Vrabec
fc41f8a9df
* Fri Sep 22 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-287
...
- Allow init noatsecure httpd_t
- Allow mysqld_t domain to mmap mysqld db files. BZ(1483331)
- Allow unconfined_t domain to create new users with proper SELinux labels
- Allow init noatsecure httpd_t
- Label tcp port 3269 as ldap_port_t
2017-09-22 10:26:38 +02:00
Lukas Vrabec
7c73871fb5
* Mon Sep 18 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-286
...
- Add new boolean tomcat_read_rpm_db()
- Allow tomcat to connect on mysqld tcp ports
- Add new interface apache_delete_tmp()
- Add interface fprintd_exec()
- Add interface fprintd_mounton_var_lib()
- Allow mozilla plugin to mmap video devices BZ(1492580)
- Add ctdbd_t domain sys_source capability and allow setrlimit
- Allow systemd-logind to use ypbind
- Allow systemd to remove apache tmp files
- Allow ldconfig domain to mmap ldconfig cache files
- Allow systemd to exec fprintd BZ(1491808)
- Allow systemd to mounton fprintd lib dir
2017-09-18 15:03:29 +02:00
Lukas Vrabec
6551841efc
* Thu Sep 14 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-285
...
- Allow svirt_t read userdomain state
2017-09-14 14:11:08 +02:00
Lukas Vrabec
7177126bc6
Merge branch 'master' of ssh://pkgs.fedoraproject.org/rpms/selinux-policy
2017-09-14 09:56:19 +02:00
Lukas Vrabec
a73b2e2ece
Fix broken build
2017-09-14 09:55:54 +02:00
Lukas Vrabec
d781e6d8fd
Fix broken build
2017-09-14 09:30:02 +02:00
Lukas Vrabec
83eed32c03
* Thu Sep 14 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-284
...
- Allow mozilla_plugins_t domain mmap mozilla_plugin_tmpfs_t files
- Allow automount domain to manage mount pid files
- Allow stunnel_t domain setsched
- Add keepalived domain setpgid capability
- Merge pull request #24 from teg/rawhide
- Merge pull request #28 from lslebodn/revert_1e8403055
- Allow sysctl_irq_t associate with proc_t
- Enable cgroup sec labeling
- Allow sshd_t domain to send signull to xdm_t processes
2017-09-14 09:11:13 +02:00
Lukas Vrabec
21c53d34a6
Use %{_sbindir} macro instead of full path
2017-09-14 09:02:59 +02:00
Lukas Vrabec
76e1d24391
Add /var/lib/sepolgen/interface_info to %files section in selinux-policy-devel
2017-09-13 13:15:22 +02:00
Lukas Vrabec
c3f53c2a7e
* Tue Sep 12 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-283
...
- Allow passwd_t domain mmap /etc/shadow and /etc/passwd
- Allow pulseaudio_t domain to map user tmp files
- Allow mozilla plugin to mmap mozilla tmpfs files
2017-09-12 14:05:47 +02:00
Lukas Vrabec
63dd04bba8
Fix typobug in mandb interface file
2017-09-12 09:24:40 +02:00
Lukas Vrabec
4dfc5f64ab
* Mon Sep 11 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-282
...
- Add new bunch of map rules
- Merge pull request #25 from NetworkManager/nm-ovs
- Make working webadm_t userdomain
- Allow redis domain to execute shell scripts.
- Allow system_cronjob_t to create redhat-access-insights.log with var_log_t
- Add couple capabilities to keepalived domain and allow get attributes of all domains
- Allow dmidecode read rhsmcertd lock files
- Add new interface rhsmcertd_rw_lock_files()
- Add new bunch of map rules
- Merge pull request #199 from mscherer/add_conntrackd
- Add support labeling for vmci and vsock device
- Add userdom_dontaudit_manage_admin_files() interface
2017-09-11 22:04:43 +02:00
Lukas Vrabec
65f16bbe30
* Mon Sep 11 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-281
...
- Allow domains reading raw memory also use mmap.
2017-09-11 09:50:18 +02:00
Lukas Vrabec
b9bc43a953
* Thu Sep 07 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-280
...
- Add rules fixing installing ipa-server-install with SELinux in Enforcing. BZ(1488404)
- Fix denials during ipa-server-install process on F27+
- Allow httpd_t to mmap cert_t
- Add few rules to make tlp_t domain working in enforcing mode
- Allow cloud_init_t to dbus chat with systemd_timedated_t
- Allow logrotate_t to write to kmsg
- Add capability kill to rhsmcertd_t
- Allow winbind to manage smbd_tmp_t files
- Allow groupadd_t domain to dbus chat with systemd. BZ(1488404)
- Add interface miscfiles_map_generic_certs()
2017-09-07 13:32:34 +02:00
Lukas Vrabec
fcebe07f6c
* Tue Sep 05 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-279
...
- Allow abrt_dump_oops_t to read sssd_public_t files
- Allow cockpit_ws_t to mmap usr_t files
- Allow systemd to read/write dri devices.
2017-09-05 09:36:30 +02:00
Lukas Vrabec
313e17b74e
* Thu Aug 31 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-278
...
- Add couple rules related to map permissions
- Allow ddclient use nsswitch BZ(1456241)
- Allow thumb_t domain getattr fixed_disk device. BZ(1379137)
- Add interface dbus_manage_session_tmp_dirs()
- Dontaudit useradd_t sys_ptrace BZ(1480121)
- Allow ipsec_t can exec ipsec_exec_t
- Allow systemd_logind_t to manage session_dbusd_tmp_t dirs
2017-08-31 17:55:58 +02:00
Lukas Vrabec
0c6eef95d3
* Mon Aug 28 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-277
...
- Allow cupsd_t to execute ld_so_cache
- Add cgroup_seclabel policycap.
- Allow xdm_t to read systemd hwdb
- Add new interface systemd_hwdb_mmap_config()
- Allow auditd_t domain to mmap conf files labeled as auditd_etc_t BZ(1485050)
2017-08-28 18:08:50 +02:00
Lukas Vrabec
2b14b695c4
* Sat Aug 26 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-276
...
- Allow couple map rules
2017-08-26 13:17:21 +02:00
Lukas Vrabec
c1ce08ecb5
* Wed Aug 23 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-275
...
- Make confined users working
- Allow ipmievd_t domain to load kernel modules
- Allow logrotate to reload transient systemd unit
2017-08-23 23:17:38 +02:00
Lukas Vrabec
b7314cadde
* Wed Aug 23 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-274
...
- Allow postgrey to execute bin_t files and add postgrey into nsswitch_domain
- Allow nscd_t domain to search network sysctls
- Allow iscsid_t domain to read mount pid files
- Allow ksmtuned_t domain manage sysfs_t files/dirs
- Allow keepalived_t domain domtrans into iptables_t
- Allow rshd_t domain reads net sysctls
- Allow systemd to create syslog netlink audit socket
- Allow ifconfig_t domain unmount fs_t
- Label /dev/gpiochip* devices as gpio_device_t
2017-08-23 16:49:48 +02:00
Lukas Vrabec
681ffa2e20
* Tue Aug 22 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-273
...
- Allow dirsrv_t domain use mmap on files labeled as dirsrv_var_run_t BZ(1483170)
- Allow just map permission instead of using mmap_file_pattern because mmap_files_pattern allows also executing objects.
- Label /var/run/agetty.reload as getty_var_run_t
- Add missing filecontext for sln binary
- Allow systemd to read/write to event_device_t BZ(1471401)
2017-08-22 14:47:56 +02:00
Lukas Vrabec
b2ee09aa09
Fix broken gnome module
2017-08-15 16:41:58 +02:00
Lukas Vrabec
284401b055
* Tue Aug 15 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-272
...
- Allow sssd_t domain to map sssd_var_lib_t files
- allow map permission where needed
- contrib: allow map permission where needed
- Allow syslogd_t to map syslogd_var_run_t files
- allow map permission where needed
2017-08-15 16:29:24 +02:00
Lukas Vrabec
c6aaaee231
Remove temporary fix labeling cockpit binary
2017-08-15 16:27:40 +02:00
Troy Dawson
d76574db8d
Update .gitignore
2017-08-14 14:16:34 -07:00
Troy Dawson
59617829f2
Update .gitignore
2017-08-14 14:12:18 -07:00
Lukas Vrabec
be2df80e69
* Mon Aug 14 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-271
...
- Allow tomcat_t domain couple capabilities to make working tomcat-jsvc
- Label /usr/libexec/sudo/sesh as shell_exec_t
2017-08-14 16:11:30 +02:00
Lukas Vrabec
7a49a1c8c7
* Thu Aug 10 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-270
...
- refpolicy: Infiniband pkeys and endport
2017-08-10 23:27:06 +02:00
Lukas Vrabec
5f4424a65d
Fix dbus SELinux module
2017-08-10 14:29:31 +02:00
Lukas Vrabec
7e4fe9b0e2
Merge branch 'master' of ssh://pkgs.fedoraproject.org/rpms/selinux-policy
2017-08-10 13:17:09 +02:00
Lukas Vrabec
ca40d14c20
Fix syntax error after merge with upstream
2017-08-10 13:16:37 +02:00
Lukas Vrabec
5953456a78
Fix syntax error after merge with upstream
2017-08-10 13:05:38 +02:00
Lukas Vrabec
9a31f2128c
Merge branch 'master' of ssh://pkgs.fedoraproject.org/rpms/selinux-policy
2017-08-10 11:25:56 +02:00
Lukas Vrabec
ff3605a078
* Thu Aug 10 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-269
...
- Allow osad make executable an anonymous mapping or private file mapping that is writable BZ(1425524)
- After fix in kernel where LSM hooks for dac_override and dac_search_read capability were swapped we need to fix it also in policy
- refpolicy: Define and allow map permission
- init: Add NoNewPerms support for systemd.
- Add nnp_nosuid_transition policycap and related class/perm definitions.
2017-08-10 11:25:41 +02:00
Petr Lautrbach
cf21eb3fa5
Fix bogus date for 3.13.1-267 changelog entry
...
warning: bogus date in %changelog: Fri Aug 07 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-267
2017-08-10 09:12:56 +02:00
Petr Lautrbach
b65295347f
* Mon Aug 07 2017 Petr Lautrbach <plautrba@redhat.com> - 3.13.1-268
...
- Update for SELinux userspace release 20170804 / 2.7
- Omit precompiled regular expressions from file_contexts.bin files
2017-08-07 18:05:24 +02:00
Lukas Vrabec
631f95b1cf
* Fri Aug 07 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-267
...
- After fix in kernel where LSM hooks for dac_override and dac_search_read capability were swapped we need to fix it also in policy
2017-08-07 16:17:01 +02:00
Petr Lautrbach
0eccbd957d
Revert "Temporary fix while creating manpages using sepolicy is broken."
...
This reverts commit fbdb6e98da.
Since policycoreutils-2.6-7, 'sepolicy manpage' should be again
reasonably fast.
2017-08-03 08:01:21 +02:00
Fedora Release Engineering
f0d7feb11d
- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild
2017-07-27 18:25:45 +00:00
Lukas Vrabec
4696e7ec09
* Fri Jul 21 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-265
...
- Allow llpdad send dgram to libvirt
- Allow abrt_t domain dac_read_search capability
- Allow init_t domain mounton dirs labeled as init_var_lib_t BZ(1471476)
- Allow xdm_t domain read unique machine-id generated during system installation. BZ(1467036)
2017-07-21 14:21:02 +02:00
Lukas Vrabec
3622c01896
* Mon Jul 17 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-264
...
- Dontaudit xdm_t to setattr lib_t dirs. BZ(#1458518)
2017-07-17 14:32:35 +02:00
Lukas Vrabec
ab9bb05673
* Tue Jul 11 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-263
...
- Add new boolean gluster_use_execmem
2017-07-11 18:01:45 +02:00
Lukas Vrabec
37cf7d764b
Backport new selinux-policy rpm macros from github repo:
...
https://github.com/fedora-selinux/selinux-policy-macros.git
Main point of this change is to allow set SELinux Module priority in
selinux_modules_(u)install() macros.
2017-07-11 17:56:49 +02:00