Commit Graph

506 Commits

Author SHA1 Message Date
Zdenek Pytela
b1087928cf * Thu Feb 17 2022 Zdenek Pytela <zpytela@redhat.com> - 36.3-1
- Update NetworkManager-dispatcher policy to use scripts
- Allow init mounton kernel messages device
- Revert "Make dbus-broker service working on s390x arch"
- Remove permissive domain for insights_client_t
- Allow userdomain read symlinks in /var/lib
- Allow iptables list cgroup directories
- Dontaudit mdadm list dirsrv tmpfs dirs
- Dontaudit dirsrv search filesystem sysctl directories
- Allow chage domtrans to sssd
- Allow postfix_domain read dovecot certificates
- Allow systemd-networkd create and use netlink netfilter socket
- Allow nm-dispatcher read nm-dispatcher-script symlinks
- filesystem.te: add genfscon rule for ntfs3 filesystem
- Allow rhsmcertd get attributes of cgroup filesystems
- Allow sandbox_web_client_t watch various dirs
- Exclude container.if from policy devel files
- Run restorecon on /usr/lib/sysimage/rpm instead of /var/lib/rpm
2022-02-17 23:37:33 +01:00
Zdenek Pytela
652ddc6c42 * Fri Feb 11 2022 Zdenek Pytela <zpytela@redhat.com> - 36.2-1
- Allow sysadm_passwd_t to relabel passwd and group files
- Allow confined sysadmin to use tool vipw
- Allow login_userdomain map /var/lib/directories
- Allow login_userdomain watch library and fonts dirs
- Allow login_userdomain watch system configuration dirs
- Allow login_userdomain read systemd runtime files
- Allow ctdb create cluster logs
- Allow alsa bind mixer controls to led triggers
- New policy for insight-client
- Add mctp_socket security class and access vectors
- Fix koji repo URL pattern
- Update chronyd_pid_filetrans() to allow create dirs
- Update NetworkManager-dispatcher policy
- Allow unconfined to run virtd bpf
- Allow nm-privhelper setsched permission and send system logs
- Add the map permission to common_anon_inode_perm permission set
- Rename userfaultfd_anon_inode_perms to common_inode_perms
- Allow confined users to use kinit,klist and etc.
- Allow rhsmcertd create rpm hawkey logs with correct label
2022-02-11 12:26:34 +01:00
Zdenek Pytela
a2b5a0667a * Thu Feb 03 2022 Zdenek Pytela <zpytela@redhat.com> - 36.1-1
- Label exFAT utilities at /usr/sbin
- policy/modules/contrib: Support /usr/lib/sysimage/rpm as the rpmdb path
- Enable genfs_seclabel_symlinks policy capability
- Sync policy/policy_capabilities with refpolicy
- refpolicy: drop unused socket security classes
- Label new utility of NetworkManager nm-priv-helper
- Label NetworkManager-dispatcher service with separate context
- Allow sanlock get attributes of filesystems with extended attributes
- Associate stratisd_data_t with device filesystem
- Allow init read stratis data symlinks
2022-02-03 22:57:19 +01:00
Zdenek Pytela
7774d24565 * Tue Feb 01 2022 Zdenek Pytela <zpytela@redhat.com> - 35.13-1
- Allow systemd services watch dbusd pid directory and its parents
- Allow ModemManager connect to the unconfined user domain
- Label /dev/wwan.+ with modem_manager_t
- Allow alsactl set group Process ID of a process
- Allow domtrans to sssd_t and role access to sssd
- Creating interface sssd_run_sssd()
- Label utilities for exFAT filesystems with fsadm_exec_t
- Label /dev/nvme-fabrics with fixed_disk_device_t
- Allow init delete generic tmp named pipes
- Allow timedatex dbus chat with xdm
2022-02-01 16:42:40 +01:00
Zdenek Pytela
742db0fd66 * Wed Jan 26 2022 Zdenek Pytela <zpytela@redhat.com> - 35.12-1
- Fix badly indented used interfaces
- Allow domain transition to sssd_t
- Dontaudit sfcbd sys_ptrace cap_userns
- Label /var/lib/plocate with locate_var_lib_t
- Allow hostapd talk with unconfined user over unix domain dgram socket
- Allow NetworkManager talk with unconfined user over unix domain dgram socket
- Allow system_mail_t read inherited apache system content rw files
- Add apache_read_inherited_sys_content_rw_files() interface
- Allow rhsm-service execute its private memfd: objects
- Allow dirsrv read configfs files and directories
- Label /run/stratisd with stratisd_var_run_t
- Allow tumblerd write to session_dbusd tmp socket files
2022-01-26 19:28:39 +01:00
Zdenek Pytela
500380aef3 * Wed Jan 19 2022 Zdenek Pytela <zpytela@redhat.com> - 35.11-1
- Revert "Label /etc/cockpit/ws-certs.d with cert_t"
- Allow login_userdomain write to session_dbusd tmp socket files
- Label /var/run/user/%{USERID}/dbus with session_dbusd_tmp_t
2022-01-19 17:23:31 +01:00
Zdenek Pytela
b8cfdb1921 * Mon Jan 17 2022 Zdenek Pytela <zpytela@redhat.com> - 35.10-1
- Allow login_userdomain watch systemd-machined PID directories
- Allow login_userdomain watch systemd-logind PID directories
- Allow login_userdomain watch accountsd lib directories
- Allow login_userdomain watch localization directories
- Allow login_userdomain watch various files and dirs
- Allow login_userdomain watch generic directories in /tmp
- Allow rhsm-service read/write its private memfd: objects
- Allow radiusd connect to the radacct port
- Allow systemd-io-bridge ioctl rpm_script_t
- Allow systemd-coredump userns capabilities and root mounton
- Allow systemd-coredump read and write usermodehelper state
- Allow login_userdomain create session_dbusd tmp socket files
- Allow gkeyringd_domain write to session_dbusd tmp socket files
- Allow systemd-logind delete session_dbusd tmp socket files
- Allow gdm-x-session write to session dbus tmp sock files
- Label /etc/cockpit/ws-certs.d with cert_t
- Allow kpropd get attributes of cgroup filesystems
- Allow administrative users the bpf capability
- Allow sysadm_t start and stop transient services
- Connect triggerin to pcre2 instead of pcre
2022-01-17 18:17:56 +01:00
Zdenek Pytela
b3c7810107 * Wed Jan 12 2022 Zdenek Pytela <zpytela@redhat.com> - 35.9-1
- Allow sshd read filesystem sysctl files
- Revert "Allow sshd read sysctl files"
- Allow tlp read its systemd unit
- Allow gssproxy access to various system files.
- Allow gssproxy read, write, and map ica tmpfs files
- Allow gssproxy read and write z90crypt device
- Allow sssd_kcm read and write z90crypt device
- Allow smbcontrol read the network state information
- Allow virt_domain map vhost devices
- Allow fcoemon request the kernel to load a module
- Allow sshd read sysctl files
- Ensure that `/run/systemd/*` are properly labeled
- Allow admin userdomains use socketpair()
- Change /run/user/[0-9]+ to /run/user/%{USERID} for proper labeling
- Allow lldpd connect to snmpd with a unix domain stream socket
- Dontaudit pkcsslotd sys_admin capability
2022-01-12 17:57:27 +01:00
Zdenek Pytela
d0828ed3ca * Thu Dec 23 2021 Zdenek Pytela <zpytela@redhat.com> - 35.8-1
- Allow haproxy get attributes of filesystems with extended attributes
- Allow haproxy get attributes of cgroup filesystems
- Allow sysadm execute sysadmctl in sysadm_t domain using sudo
- Allow userdomains use pam_ssh_agent_auth for passwordless sudo
- Allow sudodomains execute passwd in the passwd domain
- Allow braille printing in selinux
- Allow sandbox_xserver_t map sandbox_file_t
- Label /dev/ngXnY and /dev/nvme-subsysX with fixed_disk_device_t
- Add hwtracing_device_t type for hardware-level tracing and debugging
- Label port 9528/tcp with openqa_liveview
- Label /var/lib/shorewall6-lite with shorewall_var_lib_t
- Document Security Flask model in the policy
2021-12-23 18:01:36 +01:00
Zdenek Pytela
4bbbba4fda * Fri Dec 10 2021 Zdenek Pytela <zpytela@redhat.com> - 35.7-1
- Allow systemd read unlabeled symbolic links
- Label abrt-action-generate-backtrace with abrt_handle_event_exec_t
- Allow dnsmasq watch /etc/dnsmasq.d directories
- Allow rhsmcertd get attributes of tmpfs_t filesystems
- Allow lldpd use an snmp subagent over a tcp socket
- Allow xdm watch generic directories in /var/lib
- Allow login_userdomain open/read/map system journal
- Allow sysadm_t connect to cluster domains over a unix stream socket
- Allow sysadm_t read/write pkcs shared memory segments
- Allow sysadm_t connect to sanlock over a unix stream socket
- Allow sysadm_t dbus chat with sssd
- Allow sysadm_t set attributes on character device nodes
- Allow sysadm_t read and write watchdog devices
- Allow smbcontrol use additional socket types
- Allow cloud-init dbus chat with systemd-logind
- Allow svnserve send mail from the system
- Update userdom_exec_user_tmp_files() with an entrypoint rule
- Allow sudodomain send a null signal to sshd processes
2021-12-10 18:04:24 +01:00
Zdenek Pytela
16445dca46 * Fri Nov 19 2021 Zdenek Pytela <zpytela@redhat.com> - 35.6-1
- Allow PID 1 and dbus-broker IPC with a systemd user session
- Allow rpmdb read generic SSL certificates
- Allow rpmdb read admin home config files
- Report warning on duplicate definition of interface
- Allow redis get attributes of filesystems with extended attributes
- Allow sysadm_t dbus chat with realmd_t
- Make cupsd_lpd_t a daemon
- Allow tlp dbus-chat with NetworkManager
- filesystem: add fs_use_trans for ramfs
- Allow systemd-logind destroy unconfined user's IPC objects
2021-11-19 18:02:51 +01:00
Zdenek Pytela
bc5db683cf * Thu Nov 04 2021 Zdenek Pytela <zpytela@redhat.com> - 35.5-1
- Support sanlock VG automated recovery on storage access loss 2/2
- Support sanlock VG automated recovery on storage access loss 1/2
- Revert "Support sanlock VG automated recovery on storage access loss"
- Allow tlp get service units status
- Allow fedora-third-party manage 3rd party repos
- Allow xdm_t nnp_transition to login_userdomain
- Add the auth_read_passwd_file() interface
- Allow redis-sentinel execute a notification script
- Allow fetchmail search cgroup directories
- Allow lvm_t to read/write devicekit disk semaphores
- Allow devicekit_disk_t to use /dev/mapper/control
- Allow devicekit_disk_t to get IPC info from the kernel
- Allow devicekit_disk_t to read systemd-logind pid files
- Allow devicekit_disk_t to mount filesystems on mnt_t directories
- Allow devicekit_disk_t to manage mount_var_run_t files
- Allow rasdaemon sys_admin capability to verify the CAP_SYS_ADMIN of the soft_offline_page function implemented in the kernel
- Use $releasever in koji repo to reduce rawhide hardcoding
- authlogin: add fcontext for tcb
- Add erofs as a SELinux capable file system
- Allow systemd execute user bin files
- Support sanlock VG automated recovery on storage access loss
- Support new PING_CHECK health checker in keepalived
2021-11-04 18:57:21 +01:00
Zdenek Pytela
510d46d44a * Mon Oct 18 2021 Zdenek Pytela <zpytela@redhat.com> - 35.2-1
- Allow fedora-third-party execute "flatpak remote-add"
- Add files_manage_var_lib_files() interface
- Add write permisson to userfaultfd_anon_inode_perms
- Allow proper function sosreport via iotop
- Allow proper function sosreport in sysadmin role
- Allow fedora-third-party to connect to the system log service
- Allow fedora-third-party dbus chat with policykit
- Allow chrony-wait service start with DynamicUser=yes
- Allow management of lnk_files if similar access to regular files
- Allow unconfined_t transition to mozilla_plugin_t with NoNewPrivileges
- Allow systemd-resolved watch /run/systemd
- Allow fedora-third-party create and use unix_dgram_socket
- Removing pkcs_tmpfs_filetrans interface and edit pkcs policy files
- Allow login_userdomain named filetrans to pkcs_slotd_tmpfs_t domain
2021-10-18 14:30:50 +02:00
Zdenek Pytela
a38b01faa8 * Thu Oct 07 2021 Zdenek Pytela <zpytela@redhat.com> - 35.1-1
- Add fedoratp module
- Allow xdm_t domain transition to fedoratp_t
- Allow ModemManager create and use netlink route socket
- Add default file context for /run/gssproxy.default.sock
- Allow xdm_t watch fonts directories
- Allow xdm_t watch generic directories in /lib
- Allow xdm_t watch generic pid directories
2021-10-07 18:06:06 +02:00
Zdenek Pytela
792d74b90a * Thu Sep 23 2021 Zdenek Pytela <zpytela@redhat.com> - 34.21-1
- Add bluetooth-related permissions into a tunable block
- Allow gnome at-spi processes create and use stream sockets
- Allow usbmuxd get attributes of tmpfs_t filesystems
- Allow fprintd install a sleep delay inhibitor
- Allow collectd get attributes of infiniband devices
- Allow collectd create and user netlink rdma socket
- Allow collectd map packet_socket
- Allow snort create and use blootooth socket
- Allow systemd watch and watch_reads console devices
- Allow snort create and use generic netlink socket
- Allow NetworkManager dbus chat with fwupd
- Allow unconfined domains read/write domain perf_events
- Allow scripts to enter LUKS password
- Update mount_manage_pid_files() to use manage_files_pattern
- Support hitless reloads feature in haproxy
- Allow haproxy list the sysfs directories content
- Allow gnome at-spi processes get attributes of tmpfs filesystems
- Allow unbound connectto unix_stream_socket
- Allow rhsmcertd_t dbus chat with anaconda install_t
2021-09-23 18:47:59 +02:00
Zdenek Pytela
dead9d45da * Thu Sep 16 2021 Zdenek Pytela <zpytela@redhat.com> - 34.20-1
- cleanup unused codes
- Fix typo in the gnome_exec_atspi() interface summary
- Allow xdm execute gnome-atspi services
- Allow gnome at-spi processes execute dbus-daemon in caller domain
- Allow xdm watch dbus configuration
- Allow xdm execute dbus-daemon in the caller domain
- Revert "Allow xdm_t transition to system_dbusd_t"
- Allow at-spi-bus-launcher read and map xdm pid files
- Allow dhcpcd set its resource limits
- Allow systemd-sleep get removable devices attributes
- Allow usbmuxd get attributes of fs_t filesystems
2021-09-16 14:32:28 +02:00
Zdenek Pytela
28ce29abe9 * Thu Sep 09 2021 Zdenek Pytela <zpytela@redhat.com> - 34.19-1
- Update the dhcp client local policy
- Allow firewalld load kernel modules
- Allow postfix_domain to sendto unix dgram sockets.
- Allow systemd watch unallocated ttys
2021-09-09 21:36:07 +02:00
Zdenek Pytela
9bff620494 * Tue Sep 07 2021 Zdenek Pytela <zpytela@redhat.com> - 34.18-1
- Allow ModemManager create a qipcrtr socket
- Allow ModemManager request to load a kernel module
- Label /usr/sbin/virtproxyd as virtd_exec_t
- Allow communication between at-spi and gdm processes
- Update ica_filetrans_named_content() with create_file_perms
- Fix the gnome_atspi_domtrans() interface summary
2021-09-07 14:29:54 +02:00
Zdenek Pytela
c53bdced40 * Fri Aug 27 2021 Zdenek Pytela <zpytela@redhat.com> - 3.14.3-79
- Introduce xdm_manage_bootloader booelan
Resolves: rhbz#1994096
- Rename samba_exec() to samba_exec_net()
Resolves: rhbz#1855215
- Allow sssd to set samba setting
Resolves: rhbz#1855215
- Allow dirsrv read slapd tmpfs files
Resolves: rhbz#1843238
- Allow rhsmcertd to create cache file in /var/cache/cloud-what
Resolves: rhbz#1994718
2021-08-27 11:39:38 +02:00
Zdenek Pytela
757d64d9d6 * Thu Aug 12 2021 Zdenek Pytela <zpytela@redhat.com> - 34.16-1
- Allow systemd-timesyncd watch system dbus pid socket files
- Allow firewalld drop capabilities
- Allow rhsmcertd execute gpg
- Allow lldpad send to kdump over a unix dgram socket
- Allow systemd-gpt-auto-generator read udev pid files
- Set default file context for /sys/firmware/efi/efivars
- Allow tcpdump run as a systemd service
- Allow nmap create and use netlink generic socket
- Allow nscd watch system db files in /var/db
- Allow cockpit_ws_t get attributes of fs_t filesystems
- Allow sysadm acces to kernel module resources
- Allow sysadm to read/write scsi files and manage shadow
- Allow sysadm access to files_unconfined and bind rpc ports
- Allow sysadm read and view kernel keyrings
- Allow journal mmap and read var lib files
- Allow tuned to read rhsmcertd config files
- Allow bootloader to read tuned etc files
- Label /usr/bin/qemu-storage-daemon with virtd_exec_t
2021-08-12 18:39:36 +02:00
Zdenek Pytela
58dbb0353c * Fri Aug 06 2021 Zdenek Pytela <zpytela@redhat.com> - 34.15-1
- Disable seccomp on CI containers
- Allow systemd-machined stop generic service units
- Allow virtlogd_t read process state of user domains
- Add "/" at the beginning of dev/shm/var\.lib\.opencryptoki.* regexp
- Label /dev/crypto/nx-gzip with accelerator_device_t
- Update the policy for systemd-journal-upload
- Allow unconfined domains to bpf all other domains
- Confine rhsm service and rhsm-facts service as rhsmcertd_t
- Allow fcoemon talk with unconfined user over unix domain datagram socket
- Allow abrt_domain read and write z90crypt device
- Allow mdadm read iscsi pid files
- Change dev_getattr_infiniband_dev() to use getattr_chr_files_pattern()
- Label /usr/lib/pcs/pcs_snmp_agent with cluster_exec_t
- Allow hostapd bind UDP sockets to the dhcpd port
- Unconfined domains should not be confined
2021-08-06 19:30:54 +02:00
Zdenek Pytela
fe7971a7a7 * Wed Jul 14 2021 Zdenek Pytela <zpytela@redhat.com> - 34.14-1
- Revert "update libs_filetrans_named_content() to have support for /usr/lib/debug directory"
- Remove references to init_watch_path_type attribute
- Remove all redundant watch permissions for systemd
- Allow systemd watch non_security_file_type dirs, files, lnk_files
- Removed adding to attribute unpriv_userdomain from userdom_unpriv_type template
- Allow bacula get attributes of cgroup filesystems
- Allow systemd-journal-upload watch logs and journal
- Create a policy for systemd-journal-upload
- Allow tcpdump and nmap get attributes of infiniband_device_t
- Allow arpwatch get attributes of infiniband_device_t devices
- Label /dev/wmi/dell-smbios as acpi_device_t
2021-07-14 14:59:11 +02:00
Zdenek Pytela
4f56cd3eb8 * Thu Jul 01 2021 Zdenek Pytela <zpytela@redhat.com> - 34.13-1
- Allow radius map its library files
- Allow nftables read NetworkManager unnamed pipes
- Allow logrotate rotate container log files
2021-07-01 16:39:23 +02:00
Zdenek Pytela
ed2eb34288 * Mon Jun 21 2021 Zdenek Pytela <zpytela@redhat.com> - 34.12-1
- Label /dev/dma_heap/* char devices with dma_device_t
- Revert "Label /dev/dma_heap/* char devices with dma_device_t"
- Revert "Label /dev/dma_heap with dma_device_dir_t"
- Revert "Associate dma_device_dir_t with device filesystem"
- Add the lockdown integrity permission to dev_map_userio_dev()
- Allow systemd-modules-load read/write tracefs files
- Allow sssd watch /run/systemd
- Label /usr/bin/arping plain file with netutils_exec_t
- Label /run/fsck with fsadm_var_run_t
- Label /usr/bin/Xwayland with xserver_exec_t
- Allow systemd-timesyncd watch dbus runtime dir
- Allow asterisk watch localization files
- Allow iscsid read all process stat
- iptables.fc: Add missing legacy-restore and legacy-save entries
- Label /run/libvirt/common with virt_common_var_run_t
- Label /.k5identity file allow read of this file to rpc.gssd
- Make usbmuxd_t a daemon
2021-06-21 15:07:20 +02:00
Zdenek Pytela
ef6e27e6c9 * Wed Jun 09 2021 Zdenek Pytela <zpytela@redhat.com> - 34.11-1
- Allow sanlock get attributes of cgroup filesystems
- Associate dma_device_dir_t with device filesystem
- Set default file context for /var/run/systemd instead of /run/systemd
- Allow nmap create and use rdma socket
- Allow pkcs-slotd create and use netlink_kobject_uevent_socket
2021-06-09 16:42:40 +02:00
Zdenek Pytela
a4fcadc086 * Sun Jun 06 2021 Zdenek Pytela <zpytela@redhat.com> - 34.10-1
- Allow using opencryptoki for ipsec
- Allow using opencryptoki for certmonger
- Label var.lib.opencryptoki.* files and create pkcs_tmpfs_filetrans()
- Label /dev/dma_heap with dma_device_dir_t
- Allow syslogd watch non security dirs conditionally
- Introduce logging_syslogd_list_non_security_dirs tunable
- Remove openhpi module
- Allow udev to watch fixed disk devices
- Allow httpd_sys_script_t read, write, and map hugetlbfs files
- Allow apcupsd get attributes of cgroup filesystems
2021-06-06 23:32:21 +02:00
Zdenek Pytela
6b0b962be0 * Thu May 27 2021 Zdenek Pytela <zpytela@redhat.com> - 34.9-1
- Add kerberos object filetrans for nsswitchdomain
- Allow fail2ban watch various log files
- Add logging_watch_audit_log_files() and logging_watch_audit_log_dirs()
- Remove further modules recently removed from refpolicy
- Remove modules not shipped and not present in refpolicy
- Revert "Add permission open to files_read_inherited_tmp_files() interface"
- Revert "Allow pcp_pmlogger_t to use setrlimit BZ(1708951)"
- Revert "Dontaudit logrotate to setrlimit itself. rhbz#1309604"
- Revert "Allow cockpit_ws_t domain to set limits BZ(1701703)"
- Dontaudit setrlimit for domains that exec systemctl
- Allow kdump_t net_admin capability
- Allow nsswitch_domain read init pid lnk_files
- Label /dev/trng with random_device_t
- Label /run/systemd/default-hostname with hostname_etc_t
- Add default file context specification for dnf log files
- Label /dev/zram[0-9]+ block device files with fixed_disk_device_t
- Label /dev/udmabuf character device with dma_device_t
- Label /dev/dma_heap/* char devices with dma_device_t
- Label /dev/acpi_thermal_rel char device with acpi_device_t
2021-05-27 22:08:10 +02:00
Zdenek Pytela
80410eaf30 * Thu May 20 2021 Zdenek Pytela <zpytela@redhat.com> - 34.8-1
- Allow local_login_t nnp_transition to login_userdomain
- Allow asterisk watch localization symlinks
- Allow NetworkManager_t to watch /etc
- Label /var/lib/kdump with kdump_var_lib_t
- Allow amanda get attributes of cgroup filesystems
- Allow sysadm_t nnp_domtrans to systemd_tmpfiles_t
- Allow install_t nnp_domtrans to setfiles_mac_t
- Allow fcoemon create sysfs files
2021-05-20 15:09:34 +02:00
Zdenek Pytela
30f8c042ae * Thu May 13 2021 Zdenek Pytela <zpytela@redhat.com> - 34.7-1
- Allow tgtd read and write infiniband devices
- Add a comment on virt_sandbox booleans with empty content
- Deprecate duplicate dev_write_generic_sock_files() interface
- Allow vnstatd_t map vnstatd_var_lib_t files
- Allow privoxy execmem
- Allow pmdakvm read information from the debug filesystem
- Add lockdown integrity into kernel_read_debugfs() and kernel_manage_debugfs()
- Add permissions to delete lnk_files into gnome_delete_home_config()
- Remove rules for inotifyfs
- Remove rules for anon_inodefs
- Allow systemd nnp_transition to login_userdomain
- Allow unconfined_t write other processes perf_event records
- Allow sysadm_t dbus chat with tuned
- Allow tuned write profile files with file transition
- Allow tuned manage perf_events
- Make domains use kernel_write_perf_event() and kernel_manage_perf_event()
2021-05-13 18:42:35 +02:00
Zdenek Pytela
4fecc6469f * Fri May 07 2021 Zdenek Pytela <zpytela@redhat.com> - 34.6-1
- Make domains use kernel_write_perf_event() and kernel_manage_perf_event()
- Add kernel_write_perf_event() and kernel_manage_perf_event()
- Allow syslogd_t watch root and var directories
- Allow unconfined_t read other processes perf_event records
- Allow login_userdomain read and map /var/lib/systemd files
- Allow NetworkManager watch its config dir
- Allow NetworkManager read and write z90crypt device
- Allow tgtd create and use rdma socket
- Allow aide connect to init with a unix socket
2021-05-07 18:08:57 +02:00
Zdenek Pytela
b900d641f6 * Tue May 04 2021 Zdenek Pytela <zpytela@redhat.com> - 34.5-1
- Grant execmem to varnishlog_t
- We no longer need signull for varnishlog_t
- Add map permission to varnishd_read_lib_files
- Allow systemd-sleep tlp_filetrans_named_content()
- Allow systemd-sleep execute generic programs
- Allow systemd-sleep execute shell
- Allow to sendmail read/write kerberos host rcache files
- Allow freshclam get attributes of cgroup filesystems
- Fix context of /run/systemd/timesync
- Allow udev create /run/gdm with proper type
- Allow chronyc socket file transition in user temp directory
- Allow virtlogd_t to create virt_var_lockd_t dir
- Allow pluto IKEv2 / ESP over TCP
2021-05-04 20:27:30 +02:00
Zdenek Pytela
2b76eb3833 * Tue Apr 27 2021 Zdenek Pytela <zpytela@redhat.com> - 34.4-1
- Allow domain create anonymous inodes
- Add anon_inode class to the policy
- Allow systemd-coredump getattr nsfs files and net_admin capability
- Allow systemd-sleep transition to sysstat_t
- Allow systemd-sleep transition to tlp_t
- Allow systemd-sleep transition to unconfined_service_t on bin_t executables
- Allow systemd-timedated watch runtime dir and its parent
- Allow system dbusd read /var/lib symlinks
- Allow unconfined_service_t confidentiality and integrity lockdown
- Label /var/lib/brltty with brltty_var_lib_t
- Allow domain and unconfined_domain_type watch /proc/PID dirs
- Additional permission for confined users loging into graphic session
- Make for screen fsetid/setuid/setgid permission conditional
- Allow for confined users acces to wtmp and run utempter
2021-04-27 19:55:59 +02:00
Zdenek Pytela
ab4d6094ae * Fri Apr 09 2021 Zdenek Pytela <zpytela@redhat.com> - 34.3-1
- Label /etc/redis as redis_conf_t
- Add brltty new permissions required by new upstream version
- Allow cups-lpd read its private runtime socket files
- Dontaudit daemon open and read init_t file
- Add file context specification for /var/tmp/tmp-inst
- Allow brltty create and use bluetooth_socket
- Allow usbmuxd get attributes of cgroup filesystems

* Tue Apr 06 2021 Zdenek Pytela <zpytela@redhat.com> - 34.2-1
- Allow usbmuxd get attributes of cgroup filesystems
- Allow accounts-daemon get attributes of cgroup filesystems
- Allow pool-geoclue get attributes of cgroup filesystems
- allow systemd-sleep to set timer for suspend-then-hibernate
- Allow aide connect to systemd-userdbd with a unix socket
- Add new interfaces with watch_mount and watch_with_perm permissions
- Add file context specification for /usr/libexec/realmd
- Allow /tmp file transition for dbus-daemon also for sock_file
- Allow login_userdomain create cgroup files
- Allow plymouthd_t exec generic program in bin directories

* Thu Apr 01 2021 Zdenek Pytela <zpytela@redhat.com> - 34.1-1
- Change the package versioning

* Thu Apr 01 2021 Zdenek Pytela <zpytela@redhat.com> - 3.14.8-10
- Allow plymouthd_t exec generic program in bin directories
- Allow dhcpc_t domain transition to chronyc_t
- Allow login_userdomain bind xmsg port
- Allow ibacm the net_raw and sys_rawio capabilities
- Allow nsswitch_domain read cgroup files
- Allow systemd-sleep create hardware state information files

* Mon Mar 29 2021 Zdenek Pytela <zpytela@redhat.com> - 3.14.8-9
- Add watch_with_perm_dirs_pattern file pattern
2021-04-09 22:45:41 +02:00
Zdenek Pytela
6ff3284cb2 * Fri Mar 26 2021 Zdenek Pytela <zpytela@redhat.com> - 3.14.8-8
- Allow arpwatch_t create netlink generic socket
- Allow postgrey read network state
- Add watch_mount_dirs_pattern file pattern
- Allow bluetooth_t dbus chat with fwupd_t
- Allow xdm_t watch accountsd lib directories
- Add additional interfaces for watching /boot
- Allow sssd_t get attributes of tmpfs filesystems
- Allow local_login_t get attributes of tmpfs filesystems
- Dontaudit domain the fowner capability
- Extend fs_manage_nfsd_fs() to allow managing dirs as well
- Allow spice-vdagentd watch systemd-logind session dirs
2021-03-26 16:10:54 +01:00
Zdenek Pytela
7e06a74914 * Fri Mar 19 2021 Zdenek Pytela <zpytela@redhat.com> - 3.14.8-7
- Allow xdm_t watch systemd-logind session dirs
- Allow xdm_t transition to system_dbusd_t
- Allow confined users login into graphic session
- Allow login_userdomain watch systemd login session dirs
- install_t: Allow NoNewPriv transition from systemd
- Remove setuid/setgid capabilities from mysqld_t
- Add context for new mariadbd executable files
- Allow netutils_t create netlink generic socket
- Allow systemd the audit_control capability conditionally
2021-03-19 21:52:07 +01:00
Zdenek Pytela
77437ed12d * Thu Mar 11 2021 Zdenek Pytela <zpytela@redhat.com> - 3.14.8-6
- Allow polkit-agent-helper-1 read logind sessions files
- Allow polkit-agent-helper read init state
- Allow login_userdomain watch generic device dirs
- Allow login_userdomain listen on bluetooth sockets
- Allow user_t and staff_t bind netlink_generic_socket
- Allow login_userdomain write inaccessible nodes
- Allow transition from xdm domain to unconfined_t domain.
- Add 'make validate' step to CI
- Disallow user_t run su/sudo and staff_t run su
- Fix typo in rsyncd.conf in rsync.if
- Add an alias for nvme_device_t
- Allow systemd watch and watch_reads unallocated ttys
2021-03-11 22:25:45 +01:00
Zdenek Pytela
dd41f17526 * Wed Mar 03 2021 Zdenek Pytela <zpytela@redhat.com> - 3.14.8-5
- Allow apmd watch generic device directories
- Allow kdump load a new kernel
- Add confidentiality lockdown permission to kernel_read_core_if()
- Allow keepalived read nsfs files
- Allow local_login_t get attributes of filesystems with ext attributes
- Allow keepalived read/write its private memfd: objects
- Add missing declaration in rpm_named_filetrans()
- Change param description in cron interfaces to userdomain_prefix
2021-03-03 11:24:58 +01:00
Zdenek Pytela
2faa5c2293 * Wed Feb 24 2021 Zdenek Pytela <zpytela@redhat.com> - 3.14.8-4
- iptables.fc: Add missing legacy entries
- iptables.fc: Remove some duplicate entries
- iptables.fc: Remove duplicate file context entries
- Allow libvirtd to create generic netlink sockets
- Allow libvirtd the fsetid capability
- Allow libvirtd to read /run/utmp
- Dontaudit sys_ptrace capability when calling systemctl
- Allow udisksd to read /dev/random
- Allow udisksd to watch files under /run/mount
- Allow udisksd to watch /etc
- Allow crond to watch user_cron_spool_t directories
- Allow accountsd watch xdm config directories
- Label /etc/avahi with avahi_conf_t
- Allow sssd get cgroup filesystems attributes and search cgroup dirs
- Allow systemd-hostnamed read udev runtime data
- Remove dev_getattr_sysfs_fs() interface calls for particular domains
- Allow domain stat the /sys filesystem
- Dontaudit NetworkManager write to initrc_tmp_t pipes
- policykit.te: Clean up watch rule for policykit_auth_t
- Revert further unnecessary watch rules
- Revert "Allow getty watch its private runtime files"
- Allow systemd watch generic /var directories
- Allow init watch network config files and lnk_files
- Allow systemd-sleep get attributes of fixed disk device nodes
- Complete initial policy for systemd-coredump
- Label SDC(scini) Dell Driver
- Allow upowerd to send syslog messages
- Remove the disk write permissions from tlp_t
- Label NVMe devices as fixed_disk_device_t
- Allow rhsmcertd bind tcp sockets to a generic node
- Allow systemd-importd manage machines.lock file
2021-02-24 10:14:28 +01:00
Zdenek Pytela
aa1f535cb2 * Tue Feb 16 2021 Zdenek Pytela <zpytela@redhat.com> - 3.14.8-3
- Allow unconfined integrity lockdown permission
- Relocate confidentiality lockdown rule from unconfined_domain_type to unconfined
- Allow systemd-machined manage systemd-userdbd runtime sockets
- Enable systemd-sysctl domtrans for udev
- Introduce kernel_load_unsigned_module interface and use it for couple domains
- Allow gpg watch user gpg secrets dirs
- Build also the container module in CI
- Remove duplicate code from kernel.te
- Allow restorecond to watch all non-auth directories
- Allow restorecond to watch its config file
2021-02-16 22:47:33 +01:00
Zdenek Pytela
15dc304d75 * Mon Feb 15 2021 Zdenek Pytela <zpytela@redhat.com> - 3.14.8-2
- Allow userdomain watch various filesystem objects
- Allow systemd-logind and systemd-sleep integrity lockdown permission
- Allow unconfined_t and kprop_t to create krb5_0.rcache2 with the right context
- Allow pulseaudio watch devices and systemd-logind session dirs
- Allow abrt-dump-journal-* watch generic log dirs and /run/log/journal dir
- Remove duplicate files_mounton_etc(init_t) call
- Add watch permissions to manage_* object permissions sets
- Allow journalctl watch generic log dirs and /run/log/journal dir
- Label /etc/resolv.conf as net_conf_t even when it's a symlink
- Allow SSSD to watch /var/run/NetworkManager
- Allow dnsmasq_t to watch /etc
- Remove unnecessary lines from the new watch interfaces
- Fix docstring for init_watch_dir()
- Allow xdm watch its private lib dirs, /etc, /usr
2021-02-15 20:38:28 +01:00
Zdenek Pytela
d558c4f1c7 * Thu Feb 11 2021 Zdenek Pytela <zpytela@redhat.com> - 3.14.8-1
- Bump version as Fedora 34 has been branched off rawhide
- Allow xdm watch its private lib dirs, /etc, /usr
- Allow systemd-importd create /run/systemd/machines.lock file
- Allow rhsmcertd_t read kpatch lib files
- Add integrity lockdown permission into dev_read_raw_memory()
- Add confidentiality lockdown permission into fs_rw_tracefs_files()
- Allow gpsd read and write ptp4l_t shared memory.
- Allow colord watch its private lib files and /usr
- Allow init watch_reads mount PID files
- Allow IPsec and Certmonger to use opencryptoki services
2021-02-11 22:08:31 +01:00
Zdenek Pytela
c7e90bc196 * Sun Feb 07 2021 Zdenek Pytela <zpytela@redhat.com> - 3.14.7-18
- Allow lockdown confidentiality for domains using perf_event
- define lockdown class and access
- Add perfmon capability for all domains using perf_event
- Allow ptp4l_t bpf capability to run bpf programs
- Revert "Allow ptp4l_t sys_admin capability to run bpf programs"
- access_vectors: Add new capabilities to cap2
- Allow systemd and systemd-resolved watch dbus pid objects
- Add new watch interfaces in the base and userdomain policy
- Add watch permissions for contrib packages
- Allow xdm watch /usr directories
- Allow getty watch its private runtime files
- Add watch permissions for nscd and sssd
- Add watch permissions for firewalld and NetworkManager
- Add watch permissions for syslogd
- Add watch permissions for systemd services
- Allow restorecond watch /etc dirs
- Add watch permissions for user domain types
- Add watch permissions for init
- Add basic watch interfaces for systemd
- Add basic watch interfaces to the base module
- Add additional watch object permissions sets and patterns
- Allow init_t to watch localization symlinks
- Allow init_t to watch mount directories
- Allow init_t to watch cgroup files
- Add basic watch patterns
- Add new watch* permissions
2021-02-08 21:24:07 +01:00
Zdenek Pytela
c2d5ebb406 * Fri Feb 05 2021 Zdenek Pytela <zpytela@redhat.com> - 3.14.7-17
- Update .copr/make-srpm.sh to use rawhide as DISTGIT_BRANCH
- Dontaudit setsched for rndc
- Allow systemd-logind destroy entries in message queue
- Add userdom_destroy_unpriv_user_msgq() interface
- ci: Install build dependencies from koji
- Dontaudit vhostmd to write in /var/lib/rpm/ dir and allow signull rpm
- Add new cmadmin port for bfdd dameon
- virtiofs supports Xattrs and SELinux
- Allow domain write to systemd-resolved PID socket files
- Label /var/run/pcsd-ruby.socket       socket with cluster_var_run_t type
- Allow rhsmcertd_t domain transition to kpatch_t
- Revert "Add kpatch_exec() interface"
- Revert "Allow rhsmcertd execute kpatch"
- Allow openvswitch create and use xfrm netlink sockets
- Allow openvswitch_t perf_event write permission
- Add kpatch_exec() interface
- Allow rhsmcertd execute kpatch
- Adds rule to allow glusterd to access RDMA socket
- radius: Lexical sort of service-specific corenet rules by service name
- VQP: Include IANA-assigned TCP/1589
- radius: Allow binding to the VQP port (VMPS)
- radius: Allow binding to the BDF Control and Echo ports
- radius: Allow binding to the DHCP client port
- radius: Allow net_raw; allow binding to the DHCP server ports
- Add rsync_sys_admin tunable to allow rsync sys_admin capability
- Allow staff_u run pam_console_apply
- Allow openvswitch_t perf_event open permission
- Allow sysadm read and write /dev/rfkill
- Allow certmonger fsetid capability
- Allow domain read usermodehelper state information
2021-02-05 12:51:30 +01:00
Zdenek Pytela
d76e0b4040 * Fri Jan 8 18:41:06 CET 2021 Zdenek Pytela <zpytela@redhat.com> - 3.14.7-14
- Allow domain read usermodehelper state information
- Remove all kernel_read_usermodehelper_state() interface calls
- .copr: improve timestamp format
- Allow wireshark create and use rdma socket
- Allow domain stat /proc filesystem
- Remove all kernel_getattr_proc() interface calls
- Revert "Allow passwd to get attributes in proc_t"
- Revert "Allow dovecot_auth_t stat /proc filesystem"
- Revert "Allow sssd, unix_chkpwd, groupadd stat /proc filesystem"
- Allow sssd read /run/systemd directory
- Label /dev/vhost-vdpa-[0-9]+ as vhost_device_t
2021-01-08 18:44:14 +01:00
Zdenek Pytela
d5b79a1cb7 * Thu Dec 17 20:07:23 CET 2020 Zdenek Pytela <zpytela@redhat.com> - 3.14.7-13
- Label /dev/isst_interface as cpu_device_t
- Dontaudit firewalld dac_override capability
- Allow ipsec set the context of a SPD entry to the default context
- Build binary RPMs in CI
- Add SRPM build scripts for COPR
2020-12-17 20:11:46 +01:00
Zdenek Pytela
fa72125856 * Tue Dec 15 16:24:44 CET 2020 Zdenek Pytela <zpytela@redhat.com> - 3.14.7-12
- Allow dovecot_auth_t stat /proc filesystem
- Allow sysadm_u user and unconfined_domain_type manage perf_events
- Allow pcp-pmcd manage perf_events
- Add manage_perf_event_perms object permissions set
- Add perf_event access vectors.
- Allow sssd, unix_chkpwd, groupadd stat /proc filesystem
- Allow stub-resolv.conf to be a symlink
- sysnetwork.if: avoid directly referencing systemd_resolved_var_run_t
- Create the systemd_dbus_chat_resolved() compatibility interface
- Allow nsswitch-domain write to systemd-resolved PID socket files
- Add systemd_resolved_write_pid_sock_files() interface
- Add default file context for "/var/run/chrony-dhcp(/.*)?"
- Allow timedatex dbus chat with cron system domain
- Add cron_dbus_chat_system_job() interface
- Allow systemd-logind manage init's pid files
2020-12-15 16:31:51 +01:00
Zdenek Pytela
8d02847dad * Wed Dec 9 15:39:03 CET 2020 Zdenek Pytela <zpytela@redhat.com> - 3.14.7-11
- Allow systemd-logind manage init's pid files
- Allow tcsd the setgid capability
- Allow systemd-resolved manage its private runtime symlinks
- Update systemd_resolved_read_pid() to also read symlinks
- Update systemd-sleep policy
- Add groupadd_t fowner capability
- Migrate to GitHub Actions
- Update README.md to reflect the state after contrib and base merge
- Add README.md announcing merging of selinux-policy and selinux-policy-contrib
- Adapt .travis.yml to contrib merge
- Merge contrib into the main repo
- Prepare to merge contrib repo
- Move stuff around to match the main repo
2020-12-09 15:42:48 +01:00
Zdenek Pytela
e94a380d32 * Thu Nov 26 2020 Zdenek Pytela <zpytela@redhat.com> - 3.14.7-10
- Allow Xephyr connect to 6000/tcp port and open user ptys
- Allow kexec manage generic tmp files
- Update targetd nfs & lvm
- Add interface rpc_manage_exports
- Merge selinux-policy and selinux-policy-contrib repos
2020-11-26 19:32:31 +01:00
Zdenek Pytela
595a6449f5 * Tue Nov 24 2020 Zdenek Pytela <zpytela@redhat.com> - 3.14.7-9
- Allow varnish map its private tmp files
- Allow dovecot bind to smtp ports
- Change fetchmail temporary files path to /var/spool/mail
- Allow cups_pdf_t domain to communicate with unix_dgram_socket
- Set file context for symlinks in /etc/httpd to etc_t
- Allow rpmdb rw access to inherited console, ttys, and ptys
- Allow dnsmasq read public files
- Announce merging of selinux-policy and selinux-policy-contrib
- Label /etc/resolv.conf as net_conf_t only if it is a plain file
- Fix range for unreserved ports
- Add files_search_non_security_dirs() interface
- Introduce logging_syslogd_append_public_content tunable
- Add miscfiles_append_public_files() interface
2020-11-24 19:47:48 +01:00
Zdenek Pytela
05fb517c90 * Fri Nov 13 2020 Zdenek Pytela <zpytela@redhat.com> - 3.14.7-8
- Set correct default file context for /usr/libexec/pcp/lib/*
- Introduce rpmdb_t type
- Allow slapd manage files/dirs in ldap certificates directory
- Revert "Allow certmonger add new entries in a generic certificates directory"
- Allow certmonger add new entries in a generic certificates directory
- Allow slapd add new entries in ldap certificates directory
- Remove retired PCP pmwebd and pmmgr daemons (since 5.0)
- Let keepalived bind a raw socket
- Add default file context for /usr/libexec/pcp/lib/*
- squid: Allow net_raw capability when squid_use_tproxy is enabled
- systemd: allow networkd to check namespaces
- Add ability to read init_var_run_t where fs_read_efivarfs_files is allowed
- Allow resolved to created varlink sockets and the domain to talk to it
- selinux: tweak selinux_get_enforce_mode() to allow status page to be used
- systemd: allow all systemd services to check selinux status
- Set default file context for /var/lib/ipsec/nss
- Allow user domains transition to rpmdb_t
- Revert "Add miscfiles_add_entry_generic_cert_dirs() interface"
- Revert "Add miscfiles_create_generic_cert_dirs() interface"
- Update miscfiles_manage_all_certs() to include managing directories
- Add miscfiles_create_generic_cert_dirs() interface
- Add miscfiles_add_entry_generic_cert_dirs() interface
- Revert "Label /var/run/zincati/public/motd.d/* as motd_var_run_t"
2020-11-13 10:13:13 +01:00
Zdenek Pytela
4da7d1152a * Thu Oct 22 2020 Zdenek Pytela <zpytela@redhat.com> - 3.14.7-6
- rpc.fc: Include /etc/exports.d dir & files
- Create chronyd_pid_filetrans() interface
- Change invalid type redisd_t to redis_t in redis_stream_connect()
- Revert "Removed adding to attribute unpriv_userdomain from userdom_unpriv_type template"
- Allow init dbus chat with kernel
- Allow initrc_t create /run/chronyd-dhcp directory with a transition
- Drop gcc from dependencies in Travis CI
- fc_sort.py: Use "==" for comparing integers.
- re-implement fc_sort in python
- Remove invalid file context line
- Drop git from dependencies in Travis CI
2020-10-22 18:12:31 +02:00
Zdenek Pytela
5772505d0d * Tue Oct 06 2020 Zdenek Pytela <zpytela@redhat.com> - 3.14.7-5
- Remove empty line from rshd.fc
- Allow systemd-logind read swap files
- Add fstools_read_swap_files() interface
- Allow dyntransition from sshd_t to unconfined_t
- Removed adding to attribute unpriv_userdomain from userdom_unpriv_type template
2020-10-06 15:41:07 +02:00
Zdenek Pytela
5a32f59808 * Fri Sep 25 2020 Zdenek Pytela <zpytela@redhat.com> - 3.14.7-4
- Allow chronyd_t to accept and make NTS-KE connections
- Allow domain write to an automount unnamed pipe
- Label /var/run/zincati/public/motd.d/* as motd_var_run_t
- Allow login programs to (only) read MOTD files and symlinks
- Relabel /usr/sbin/charon-systemd as ipsec_exec_t
- Confine systemd-sleep service
- Add fstools_rw_swap_files() interface
- Label 4460/tcp port as ntske_port_t
- Add lvm_dbus_send_msg(), lvm_rw_var_run() interfaces
2020-09-25 19:12:03 +02:00
Zdenek Pytela
4b8bcba2a7 * Mon Sep 21 2020 Zdenek Pytela <zpytela@redhat.com> - 3.14.7-3
- Check out the right -contrib branch in Travis
2020-09-21 13:54:33 +02:00
Zdenek Pytela
2cf6b0aa1d * Fri Sep 18 2020 Zdenek Pytela <zpytela@redhat.com> - 3.14.7-2
- Allow openvswitch fowner capability and create netlink sockets
- Allow additional permissions for gnome-initial-setup
- Add to map non_security_files to the userdom_admin_user_template template
- kernel/filesystem: Add exfat support (no extended attributes)
2020-09-18 16:00:35 +02:00
Zdenek Pytela
129e6fcdd4 * Tue Sep 08 2020 Zdenek Pytela <zpytela@redhat.com> - 3.14.7-1
- Bump version as Fedora 33 has been branched
- Allow php-fpm write access to /var/run/redis/redis.sock
- Allow journalctl to read and write to inherited user domain tty
- Update rkt policy to allow rkt_t domain to read sysfs filesystem
- Allow arpwatch create and use rdma socket
- Allow plymouth sys_chroot capability
- Allow gnome-initial-setup execute in a xdm sandbox
- Add new devices and filesystem interfaces
2020-09-09 15:22:20 +02:00
Zdenek Pytela
491bb86202 * Mon Aug 24 2020 Zdenek Pytela <zpytela@redhat.com> - 3.14.6-25
- Allow certmonger fowner capability
- The nfsdcld service is now confined by SELinux
- Change transitions for ~/.config/Yubico
- Allow all users to connect to systemd-userdbd with a unix socket
- Add file context for ~/.config/Yubico
- Allow syslogd_t domain to read/write tmpfs systemd-bootchart files
- Allow login_pgm attribute to get attributes in proc_t
- Allow passwd to get attributes in proc_t
- Revert "Allow passwd to get attributes in proc_t"
- Revert "Allow login_pgm attribute to get attributes in proc_t"
- Allow login_pgm attribute to get attributes in proc_t
- Allow passwd to get attributes in proc_t
- Allow traceroute_t and ping_t to bind generic nodes.
- Create macro corenet_icmp_bind_generic_node()
- Allow unconfined_t to node_bind icmp_sockets in node_t domain
2020-08-27 08:58:40 +02:00
Zdenek Pytela
8bda530858 * Thu Aug 13 2020 Zdenek Pytela <zpytela@redhat.com> - 3.14.6-24
- Add ipa_helper_noatsecure() interface unconditionally
- Conditionally allow nagios_plugin_domain dbus chat with init
- Revert "Update allow rules set for nrpe_t domain"
- Add ipa_helper_noatsecure() interface to ipa.if
- Label /usr/libexec/qemu-pr-helper with virtd_exec_t
- Allow kadmind manage kerberos host rcache
- Allow nsswitch_domain to connect to systemd-machined using a unix socket
- Define named file transition for sshd on /tmp/krb5_0.rcache2
- Allow systemd-machined create userdbd runtime sock files
- Disable kdbus module before updating
2020-08-13 20:12:50 +02:00
Zdenek Pytela
01e3f0a70d * Mon Aug 03 2020 Zdenek Pytela <zpytela@redhat.com> - 3.14.6-23
- Revert "Add support for /sys/fs/kdbus and allow login_pgm domain to access it."
- Revert "Add interface to allow types to associate with cgroup filesystems"
- Revert "kdbusfs should not be accessible for now."
- Revert "kdbusfs should not be accessible for now by default for shipped policies. It should be moved to kdbus.pp"
- Revert "Add kdbus.pp policy to allow access /sys/fs/kdbus. It needs to go with own module because this is workaround for now to avoid SELinux in enforcing mode."
- Remove the legacy kdbus module
- Remove "kdbus = module" from modules-targeted-base.conf
2020-08-03 13:25:54 +02:00
Zdenek Pytela
8394f612f0 * Thu Jul 30 2020 Zdenek Pytela <zpytela@redhat.com> - 3.14.6-22
- Allow virtlockd only getattr and lock block devices
- Allow qemu-ga read all non security file types conditionally
- Allow virtlockd manage VMs posix file locks
- Allow smbd get attributes of device files labeled samba_share_t
- Label /tmp/krb5_0.rcache2 with krb5_host_rcache_t
- Add a new httpd_can_manage_courier_spool boolean
- Create interface courier_manage_spool_sockets() in courier policy to allow to search dir and allow manage sock files
- Revert "Allow qemu-kvm read and write /dev/mapper/control"
- Revert "Allow qemu read and write /dev/mapper/control"
- Revert "Dontaudit and disallow sys_admin capability for keepalived_t domain"
- Dontaudit pcscd_t setting its process scheduling
- Dontaudit thumb_t setting its process scheduling
- Allow munin domain transition with NoNewPrivileges
- Add dev_lock_all_blk_files() interface
- Allow auditd manage kerberos host rcache files
- Allow systemd-logind dbus chat with fwupd
2020-07-30 18:50:17 +02:00
Lukas Vrabec
0b0aa798b9
* Mon Jul 13 2020 Lukas Vrabec <lvrabec@redhat.com> - 3.14.6-20
- Align gen_tunable() syntax with sepolgen
2020-07-13 17:47:32 +02:00
Zdenek Pytela
33a29656c0 * Fri Jul 10 2020 Zdenek Pytela <zpytela@redhat.com> - 3.14.6-19
- Additional support for keepalived running in a namespace
- Remove systemd_dbus_chat_resolved(pcp_pmie_t)
- virt: remove the libvirt qmf rules
- Allow certmonger manage dirsrv services
- Run ipa_helper_noatsecure(oddjob_t) only if the interface exists
- Allow domain dbus chat with systemd-resolved
- Define file context for /var/run/netns directory only
- Revert "Add support for fuse.glusterfs"
2020-07-10 17:18:49 +02:00
Zdenek Pytela
d1c7bc688f * Tue Jul 07 2020 Zdenek Pytela <zpytela@redhat.com> - 3.14.6-18
- Allow oddjob_t process noatsecure permission for ipa_helper_t
- Allow keepalived manage its private type runtime directories
- Update irqbalance runtime directory file context
- Allow irqbalance file transition for pid sock_files and directories
- Allow systemd_private_tmp(dirsrv_tmp_t) instead of dirsrv_t
- Allow virtlogd_t manage virt lib files
- Allow systemd set efivarfs files attributes
- Support systemctl --user in machinectl
- Allow chkpwd_t read and write systemd-machined devpts character nodes
- Allow init_t write to inherited systemd-logind sessions pipes
2020-07-07 16:11:16 +02:00
Zdenek Pytela
c04fecfb03 * Fri Jun 26 2020 Zdenek Pytela <zpytela@redhat.com> - 3.14.6-17
- Allow pdns server to read system state
- Allow irqbalance nnp_transition
- Fix description tag for the sssd_connect_all_unreserved_ports tunable
- Allow journalctl process set its resource limits
- Add sssd_access_kernel_keys tunable to conditionally access kernel keys
- Make keepalived work with network namespaces
- Create sssd_connect_all_unreserved_ports boolean
- Allow hypervkvpd to request kernel to load a module
- Allow systemd_private_tmp(dirsrv_tmp_t)
- Allow microcode_ctl get attributes of sysfs directories
- Remove duplicate files_dontaudit_list_tmp(radiusd_t) line
- Allow radiusd connect to gssproxy over unix domain stream socket
- Add fwupd_cache_t file context for '/var/cache/fwupd(/.*)?'
- Allow qemu read and write /dev/mapper/control
- Allow tlp_t can_exec() tlp_exec_t
- Dontaudit vpnc_t setting its process scheduling
- Remove files_mmap_usr_files() call for particular domains
- Allow dirsrv_t list cgroup directories
- Crete the kerberos_write_kadmind_tmp_files() interface
- Allow realmd_t dbus chat with accountsd_t
- Label systemd-growfs and systemd-makefs       as fsadm_exec_t
- Allow staff_u and user_u setattr generic usb devices
- Allow sysadm_t dbus chat with accountsd
- Modify kernel_rw_key() not to include append permission
- Add kernel_rw_key() interface to access to kernel keyrings
- Modify systemd_delete_private_tmp() to use delete_*_pattern macros
- Allow systemd-modules to load kernel modules
- Add cachefiles_dev_t as a typealias to cachefiles_device_t
- Allow libkrb5 lib read client keytabs
- Allow domain mmap usr_t files
- Remove files_mmap_usr_files() call for systemd domains
- Allow sshd write to kadmind temporary files
- Do not audit staff_t and user_t attempts to manage boot_t entries
- Add files_dontaudit_manage_boot_dirs() interface
- Allow systemd-tty-ask-password-agent read efivarfs files
2020-06-26 16:15:46 +02:00
Zdenek Pytela
5cdd516855 * Thu Jun 04 2020 Zdenek Pytela <zpytela@redhat.com> - 3.14.6-15
- Add fetchmail_uidl_cache_t type for /var/mail/.fetchmail.pid
- Support multiple ways of tlp invocation
- Allow qemu-kvm read and write /dev/mapper/control
- Introduce logrotate_use_cifs boolean
- Allow ptp4l_t sys_admin capability to run bpf programs
- Allow to getattr files on an nsfs filesystem
- httpd: Allow NoNewPriv transition from systemd
- Allow rhsmd read process state of all domains and kernel threads
- Allow rhsmd mmap /etc/passwd
- Allow systemd-logind manage efivarfs files
- Allow initrc_t tlp_filetrans_named_content()
- Allow systemd_resolved_t to read efivarfs
- Allow systemd_modules_load_t to read efivarfs
- Introduce systemd_read_efivarfs_type attribute
- Allow named transition for /run/tlp from a user shell
- Allow ipsec_mgmt_t mmap ipsec_conf_file_t files
- Add file context for /sys/kernel/tracing
2020-06-04 13:00:42 +02:00
Zdenek Pytela
1111964e2a * Tue May 19 2020 Zdenek Pytela <zpytela@redhat.com> - 3.14.6-14
- Allow chronyc_t domain to use nsswitch
- Allow nscd_socket_use() for domains in nscd_use() unconditionally
- Add allow rules for lttng-sessiond domain
- Label dirsrv systemd unit files and add dirsrv_systemctl()
- Allow gluster geo-replication in rsync mode
- Allow nagios_plugin_domain execute programs in bin directories
- Allow sys_admin capability for domain labeled systemd_bootchart_t
- Split the arping path regexp to 2 lines to prevent from relabeling
- Allow tcpdump sniffing offloaded (RDMA) traffic
- Revert "Change arping path regexp to work around fixfiles incorrect handling"
- Change arping path regexp to work around fixfiles incorrect handling
- Allow read efivarfs_t files by domains executing systemctl file
2020-05-19 17:52:53 +02:00
Zdenek Pytela
6a3fec4b74 * Wed Apr 29 2020 Zdenek Pytela <zpytela@redhat.com> - 3.14.6-13
- Update networkmanager_read_pid_files() to allow also list_dir_perms
- Update policy for NetworkManager_ssh_t
- Allow glusterd synchronize between master and slave
- Allow spamc_t domain to read network state
- Allow strongswan use tun/tap devices and keys
- Allow systemd_userdbd_t domain logging to journal
2020-04-29 11:21:16 +02:00
Zdenek Pytela
b7b2c03ca7 * Tue Apr 16 2020 Zdenek Pytela <zpytela@redhat.com> - 3.14.6-12
- Allow rngd create netlink_kobject_uevent_socket and read udev runtime files
- Allow ssh-keygen create file in /var/lib/glusterd
- Update ctdbd_manage_lib_files() to also allow mmap ctdbd_var_lib_t files
- Merge ipa and ipa_custodia modules
- Allow NetworkManager_ssh_t to execute_no_trans for binary ssh_exec_t
- Introduce daemons_dontaudit_scheduling boolean
- Modify path for arping in netutils.fc to match both bin and sbin
- Change file context for /var/run/pam_ssh to match file transition
- Add file context entry and file transition for /var/run/pam_timestamp
2020-04-14 16:43:04 +02:00
Zdenek Pytela
9006b430b3 * Tue Mar 31 2020 Zdenek Pytela <zpytela@redhat.com> - 3.14.6-11
- Allow NetworkManager manage dhcpd unit files
- Update ninfod policy to add nnp transition from systemd to ninfod
- Remove container interface calling by named_filetrans_domain.
2020-03-31 09:52:00 +02:00
Zdenek Pytela
08e09fd9c1 * Wed Mar 25 2020 Zdenek Pytela <zpytela@redhat.com> - 3.14.6-10
- Allow openfortivpn exec shell
- Remove label session_dbusd_tmp_t for /run/user/USERID/systemd
- Add ibacm_t ipc_lock capability
- Allow ipsec_t connectto ipsec_mgmt_t
- Remove ipa_custodia
- Allow systemd-journald to read user_tmp_t symlinks
2020-03-25 18:09:22 +01:00
Zdenek Pytela
099d40eeb8 * Wed Mar 18 2020 Zdenek Pytela <zpytela@redhat.com> - 3.14.6-9
- Allow zabbix_t manage and filetrans temporary socket files
- Makefile: fix tmp/%.mod.fc target
2020-03-18 13:55:22 +01:00
Zdenek Pytela
e3700463c8 * Fri Mar 13 2020 Zdenek Pytela <zpytela@redhat.com> - 3.14.6-8
- Allow NetworkManager read its unit files and manage services
- Add init_daemon_domain() for geoclue_t
- Allow to use nnp_transition in pulseaudio_role
- Allow pdns_t domain to map files in /usr.
- Label all NetworkManager fortisslvpn plugins as openfortivpn_exec_t
- Allow login_pgm create and bind on netlink_selinux_socket
2020-03-13 09:22:23 +01:00
Zdenek Pytela
30da7f7067 * Mon Mar 09 2020 Zdenek Pytela <zpytela@redhat.com> - 3.14.6-7
- Allow sssd read systemd-resolved runtime directory
- Allow sssd read NetworkManager's runtime directory
- Mark nm-cloud-setup systemd units as NetworkManager_unit_file_t
- Allow system_mail_t to signull pcscd_t
- Create interface pcscd_signull
- Allow auditd poweroff or switch to single mode
2020-03-09 17:07:28 +01:00
Lukas Vrabec
eacc15421e
* Fri Feb 28 2020 Lukas Vrabec <lvrabec@redhat.com> - 3.14.6-6
- Allow postfix stream connect to cyrus through runtime socket
- Dontaudit daemons to set and get scheduling policy/parameters
2020-02-28 17:13:35 +01:00
Lukas Vrabec
6f3f722f7d
* Sat Feb 22 2020 Lukas Vrabec <lvrabec@redhat.com> - 3.14.6-5
- Allow certmonger_t domain to read pkcs_slotd lock files
- Allow httpd_t domain to mmap own var_lib_t files BZ(1804853)
- Allow ipda_custodia_t to create udp_socket and added permission nlmsg_read for netlink_route_sockets
- Make file context more variable for /usr/bin/fusermount and /bin/fusermount
- Allow local_login_t domain to getattr cgroup filesystem
- Allow systemd_logind_t domain to manage user_tmp_t char and block devices
2020-02-22 17:02:13 +01:00
Lukas Vrabec
e0ee9a1a66
* Tue Feb 18 2020 Lukas Vrabec <lvrabec@redhat.com> - 3.14.6-4
- Update virt_read_qemu_pid_files inteface
- Allow systemd_logind_t domain to getattr cgroup filesystem
- Allow systemd_logind_t domain to manage user_tmp_t char and block devices
- Allow nsswitch_domain attribute to stream connect to systemd process
2020-02-18 18:04:28 +01:00
Lukas Vrabec
fc739f4200
* Sun Feb 16 2020 Lukas Vrabec <lvrabec@redhat.com> - 3.14.6-3
- Allow systemd labeled as init_t to manage systemd_userdbd_runtime_t symlinks
- Allow systemd_userdbd_t domain to read efivarfs files
2020-02-16 13:00:31 +01:00
Lukas Vrabec
8c624edf84
* Sat Feb 15 2020 Lukas Vrabec <lvrabec@redhat.com> - 3.14.6-2
- Allow vhostmd communication with hosted virtual machines
- Add and update virt interfaces
- Update radiusd policy
- Allow systemd_private_tmp(named_tmp_t)
- Allow bacula dac_override capability
- Allow systemd_networkd_t to read efivarfs
- Add support for systemd-userdbd
- Allow systemd system services read efivarfs files
2020-02-16 00:25:43 +01:00
Zdenek Pytela
916c9099f2 * Fri Feb 07 2020 Zdenek Pytela <zpytela@redhat.com> - 3.14.5-24
- Allow ptp4l_t create and use packet_socket sockets
- Allow ipa_custodia_t create and use netlink_route_socket sockets.
- Allow networkmanager_t transition to setfiles_t
- Create init_create_dirs boolean to allow init create directories
2020-02-07 17:22:36 +01:00
Zdenek Pytela
4ee1dfc5d7 * Fri Jan 31 2020 Zdenek Pytela <zpytela@redhat.com> - 3.14.5-23
- Allow thumb_t connect to system_dbusd_t BZ(1795044)
- Allow saslauthd_t filetrans variable files for /tmp directory
- Added apache create log dirs macro
- Tiny documentation fix
- Allow openfortivpn_t to manage net_conf_t files.
- Introduce boolean openfortivpn_can_network_connect.
- Dontaudit domain chronyd_t to list in user home dirs.
- Allow init_t to create apache log dirs.
- Add file transition for /dev/nvidia-uvm BZ(1770588)
- Allow syslog_t to read efivarfs_t files
- Add ioctl to term_dontaudit_use_ptmx macro
- Update xserver_rw_session macro
2020-01-31 10:53:24 +01:00
Zdenek Pytela
07e568bc06 * Fri Jan 24 2020 Zdenek Pytela <zpytela@redhat.com> - 3.14.5-21
- Dontaudit timedatex_t read file_contexts_t and validate security contexts
- Make stratisd_t domain unconfined for now.
- stratisd_t policy updates.
- Label /var/spool/plymouth/boot.log as plymouthd_var_log_t
- Label /stratis as stratisd_data_t
- Allow opafm_t to create and use netlink rdma sockets.
- Allow stratisd_t domain to read/write fixed disk devices and removable devices.
- Added macro for stratisd to chat over dbus
- Add dac_override capability to stratisd_t domain
- Allow init_t set the nice level of all domains BZ(1778088)
- Allow userdomain to chat with stratisd over dbus.
2020-01-24 17:07:51 +01:00
Lukas Vrabec
0f62f5946f
* Mon Jan 13 2020 Lukas Vrabec <lvrabec@redhat.com> - 3.14.5-20
- Fix typo in anaconda SELinux module
- Allow rtkit_t domain  to control scheduling for your install_t processes
- Boolean: rngd_t to use executable memory
- Allow rngd_t domain to use nsswitch BZ(1787661)
- Allow exim to execute bin_t without domain trans
- Allow create udp sockets for abrt_upload_watch_t domains
- Drop label zebra_t for frr binaries
- Allow NetworkManager_t domain to get status of samba services
- Update milter policy to allow use sendmail
- Modify file context for .local directory to match exactly BZ(1637401)
- Allow init_t domain to create own socket files in /tmp
- Allow ipsec_mgmt_t domain to mmap ipsec_conf_file_t files
- Create files_create_non_security_dirs() interface
2020-01-13 10:09:50 +01:00
Zdenek Pytela
a9b321b3cc * Fri Dec 20 2019 Zdenek Pytela <zpytela@redhat.com> - 3.14.5-19
- Allow init_t nnp domain transition to kmod_t
- Allow userdomain dbus chat with systemd_resolved_t
- Allow init_t read and setattr on /var/lib/fprintd
- Allow sysadm_t dbus chat with colord_t
- Allow confined users run fwupdmgr
- Allow confined users run machinectl
- Allow systemd labeled as init_t domain to create dirs labeled as var_t
- Allow systemd labeled as init_t do read/write tpm_device_t chr files BZ(1778079)
- Add new file context rabbitmq_conf_t.
- Allow journalctl read init state BZ(1731753)
- Add fprintd_read_var_lib_dir and fprintd_setattr_var_lib_dir interfaces
- Allow pulseaudio create .config and dgram sendto to unpriv_userdomain
- Change type in transition for /var/cache/{dnf,yum} directory
- Allow cockpit_ws_t read efivarfs_t BZ(1777085)
- Allow abrt_dump_oops_t domain to create udp sockets BZ(1778030)
- Allow named_t domain to mmap named_zone_t files BZ(1647493)
- Make boinc_var_lib_t label system mountdir attribute
- Allow stratis_t domain to request load modules
- Update fail2ban policy
- Allow spamd_update_t access antivirus_unit_file_t BZ(1774092)
- Allow uuidd_t Domain trasition from sytemd into confined domain with NoNewPrivileges Systemd Security feature.
- Allow rdisc_t Domain trasition from sytemd into confined domain with NoNewPrivileges Systemd Security feature.
2019-12-20 17:01:21 +01:00
Lukas Vrabec
d4e9a2fe96
Add missing sources 2019-11-28 23:01:47 +01:00
Lukas Vrabec
6ed257bb1a
- Allow systemd to read all proc 2019-11-28 22:55:17 +01:00
Lukas Vrabec
188eac8e79
* Thu Nov 28 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.5-18
- Introduce new type pdns_var_lib_t
- Allow zebra_t domain to read files labled as nsfs_t.
- Allow systemd to setattr on all device_nodes
- Allow systemd to mounton and list all proc types
2019-11-28 22:19:38 +01:00
Lukas Vrabec
f32fe38207
* Wed Nov 27 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.5-17
- Fix nonexisting types in rtas_errd_rw_lock interface
- Allow snmpd_t domain to trace processes in user namespace
- Allow timedatex_t domain to read relatime clock and adjtime_t files
- Allow zebra_t domain to execute zebra binaries
- Label /usr/lib/NetworkManager/dispatcher as NetworkManager_initrc_exec_t
- Allow ksmtuned_t domain to trace processes in user namespace
- Allow systemd to read symlinks in /var/lib
- Update dev_mounton_all_device_nodes() interface
- Add the miscfiles_map_generic_certs macro to the sysnet_dns_name_resolve macro.
- Allow systemd_domain to map files in /usr.
- Allow strongswan start using swanctl method BZ(1773381)
- Dontaudit systemd_tmpfiles_t getattr of all file types BZ(1772976)
2019-11-27 20:26:39 +01:00
Zdenek Pytela
6f1a9fb9a4 * Thu Nov 21 2019 Zdenek Pytela <zpytela@redhat.com> - 3.14.5-16
- Allow timedatex_t domain dbus chat with both confined and unconfined users
- Allow timedatex_t domain dbus chat with unconfined users
- Allow NetworkManager_t manage dhcpc_state_t BZ(1770698)
- Make unconfined domains part of domain_named_attribute
- Label tcp ports 24816,24817 as pulp_port_t
- Remove duplicate entries for initrc_t in init.te
2019-11-21 16:26:28 +01:00
Lukas Vrabec
d1df004bac
* Wed Nov 13 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.5-13
- Fix typo bugs in rtas_errd_read_lock() interface
- cockpit: Drop cockpit-cert-session
- Allow timedatex_t domain to systemctl chronyd domains
- Allow ipa_helper_t to read kr5_keytab_t files
- cockpit: Allow cockpit-session to read cockpit-tls state directory
- Allow stratisd_t domain to read nvme and fixed disk devices
- Update lldpad_t policy module
- Dontaudit tmpreaper_t getting attributes from sysctl_type files
- cockpit: Support https instance factory
- Added macro for timedatex to chat over dbus.
- Fix typo in dev_filetrans_all_named_dev()
- Update files_manage_etc_runtime_files() interface to allow manage also dirs
- Fix typo in cachefiles device
- Dontaudit sys_admin capability for auditd_t domains
- Allow x_userdomain to read adjtime_t files
- Allow users using template userdom_unpriv_user_template() to run bpf tool
- Allow x_userdomain to dbus_chat with timedatex.
2019-11-13 15:45:37 +01:00
Lukas Vrabec
4faaca1916
* Sun Nov 03 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.5-12
- Label /var/cache/nginx as httpd_cache_t
- Allow abrt_upload_watch_t domain to send dgram msgs to kernel processes and stream connect to journald
- Created dnsmasq_use_ipset boolean
- Allow capability dac_override in logwatch_mail_t domain
- Allow automount_t domain to execute ping in own SELinux domain (ping_t)
- Allow tmpreaper_t domain to getattr files labeled as mtrr_device_t
- Allow collectd_t domain to create netlink_generic_socket sockets
- Allow rhsmcertd_t domain to read/write rtas_errd_var_lock_t files
- Allow tmpwatch process labeled as tmpreaper_t domain to execute fuser command.
- Label /etc/postfix/chroot-update as postfix_exec_t
- Update tmpreaper_t policy due to fuser command
- Allow kdump_t domain to create netlink_route and udp sockets
- Allow stratisd to connect to dbus
- Allow fail2ban_t domain to create netlink netfilter sockets.
- Allow dovecot get filesystem quotas
- Allow networkmanager_t domain to execute chronyd binary in chronyd_t domain. BZ(1765689)
- Allow systemd-tmpfiles processes to set rlimit information
- Allow cephfs to use xattrs for storing contexts
- Update files_filetrans_named_content() interface to allow caller domain to create /oldroot /.profile with correct label etc_runtime_t
2019-11-03 12:59:34 +01:00
Lukas Vrabec
d7e7544fe0
* Fri Oct 25 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.5-11
- Allow confined users to run newaliases
- Add interface mysql_dontaudit_rw_db()
- Label /var/lib/xfsdump/inventory as amanda_var_lib_t
- Allow tmpreaper_t domain to read all domains state
- Make httpd_var_lib_t label system mountdir attribute
- Update cockpit policy
- Update timedatex policy to add macros, more detail below
- Allow nagios_script_t domain list files labled sysfs_t.
- Allow jetty_t domain search and read cgroup_t files.
- Donaudit ifconfig_t domain to read/write mysqld_db_t files
- Dontaudit domains read/write leaked pipes
2019-10-25 11:09:31 +02:00
Lukas Vrabec
03b04ae77e
- Update timedatex policy to add macros, more detail below
- Allow nagios_script_t domain list files labled sysfs_t.
- Allow jetty_t domain search and read cgroup_t files.
- Allow Gluster mount client to mount files_type
- Dontaudit and disallow sys_admin capability for keepalived_t domain
- Update numad policy to allow signull, kill, nice and trace processes
- Allow ipmievd_t to RW watchdog devices
- Allow ldconfig_t domain to manage initrc_tmp_t link files Allow netutils_t domain to write to initrc_tmp_t fifo files
- Allow user domains to manage user session services
- Allow staff and user users to get status of user systemd session
- Update sudo_role_template() to allow caller domain to read syslog pid files
2019-10-22 15:43:26 +02:00
Lukas Vrabec
840e53f65a
* Fri Oct 11 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.5-9
- Allow networkmanager_t domain domain transition to chronyc_t domain BZ(1760226)
2019-10-11 15:22:02 +02:00
Lukas Vrabec
39164cea20
* Wed Oct 09 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.5-8
- Update apache and pkcs policies to make active opencryptoki rules
- Allow ipa_ods_exporter_t domain to read krb5_keytab files BZ(1759884)
2019-10-09 20:44:47 +02:00
Lukas Vrabec
b4683c29a5
* Wed Oct 09 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.5-7
- Revert "nova.fc: fix duplicated slash"
- Introduce new bolean httpd_use_opencryptoki
- Add new interface apache_read_state()
- Allow setroubleshoot_fixit_t to read random_device_t
- Label /etc/named direcotory as named_conf_t BZ(1759495)
- nova.fc: fix duplicated slash
- Allow dkim to execute sendmail
- Update virt_read_content interface to allow caller domain mmap virt_content_t block devices and files
- Update aide_t domain to allow this tool to analyze also /dev filesystem
- Update interface modutils_read_module_deps to allow caller domain also mmap modules_dep_t files BZ(1758634)
- Allow avahi_t to send msg to xdm_t
- Allow systemd_logind to read dosfs files & dirs Allow systemd-logind - a system service that manages user logins, to read files and list dirs on a DOS filesystem
- Update dev_manage_sysfs() to support managing also lnk files BZ(1759019)
- Allow systemd_logind_t domain to read blk_files in domain removable_device_t
- Add new interface udev_getattr_rules_chr_files()
2019-10-09 13:13:38 +02:00
Lukas Vrabec
e84c9b118f
* Fri Oct 04 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.5-6
- Update aide_t domain to allow this tool to analyze also /dev filesystem
- Allow bitlbee_t domain map files in /usr
- Allow stratisd to getattr of fixed disk device nodes
- Add net_broadcast capability to openvswitch_t domain BZ(1716044)
- Allow exim_t to read mysqld conf files if exim_can_connect_db is enabled. BZ(1756973)
- Allow cobblerd_t domain search apache configuration dirs
- Dontaudit NetworkManager_t domain to write to kdump temp pipies BZ(1750428)
- Label /var/log/collectd.log as collectd_log_t
- Allow boltd_t domain to manage sysfs files and dirs BZ(1754360)
- Add fowner capability to the pcp_pmlogger_t domain BZ(1754767)
- networkmanager: allow NetworkManager_t to create bluetooth_socket
- Fix ipa_custodia_stream_connect interface
- Add new interface udev_getattr_rules_chr_files()
- Make dbus-broker service working on s390x arch
- Add new interface dev_mounton_all_device_nodes()
- Add new interface dev_create_all_files()
- Allow systemd(init_t) to load kernel modules
- Allow ldconfig_t domain to manage initrc_tmp_t objects
- Add new interface init_write_initrc_tmp_pipes()
- Add new interface init_manage_script_tmp_files()
- Allow xdm_t setpcap capability in user namespace BZ(1756790)
- Allow x_userdomain to mmap generic SSL certificates
- Allow xdm_t domain to user netlink_route sockets BZ(1756791)
- Update files_create_var_lib_dirs() interface to allow caller domain also set attributes of var_lib_t directory BZ(1754245)
- Allow sudo userdomain to run rpm related commands
- Add sys_admin capability for ipsec_t domain
- Allow systemd_modules_load_t domain to read systemd pid files
- Add new interface init_read_pid_files()
- Allow systemd labeled as init_t domain to manage faillog_t objects
- Add file context ipsec_var_run_t for /var/run/charon\.dck to ipsec.fc
- Make ipa_custodia policy active
2019-10-04 14:03:09 +02:00
Lukas Vrabec
a21f7739e6
Update fixed sources from github 2019-09-20 23:31:28 +02:00
Lukas Vrabec
c3cb5b2032
* Fri Sep 20 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.5-5
- Fix ipa_custodia_stream_connect interface
- Allow systemd_modules_load_t domain to read systemd pid files
- Add new interface init_read_pid_files()
- Allow systemd labeled as init_t domain to manage faillog_t objects
- Add file context ipsec_var_run_t for /var/run/charon\.dck to ipsec.fc
2019-09-20 23:17:36 +02:00
Lukas Vrabec
361693e74b
* Fri Sep 20 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.5-4
- Run ipa-custodia as ipa_custodia_t
- Update webalizer_t SELinux policy
- Dontaudit thumb_t domain to getattr of nsfs_t files BZ(1753598)
- Allow rhsmcertd_t domain to read rtas_errd lock files
- Add new interface rtas_errd_read_lock()
- Update allow rules set for nrpe_t domain
- Update timedatex SELinux policy to to sychronizate time with GNOME and add new macro chronyd_service_status to chronyd.if
- Allow avahi_t to send msg to lpr_t
- Label /dev/shm/dirsrv/ with dirsrv_tmpfs_t label
- Allow dlm_controld_t domain to read random device
- Label libvirt drivers as virtd_exec_t
- Add sys_ptrace capability to pcp_pmlogger_t domain BZ(1751816)
- Allow gssproxy_t domain read state of all processes on system
- Add new macro systemd_timedated_status to systemd.if to get timedated service status
- Introduce xdm_manage_bootloader booelan
- Revert "Unconfined domains, need to create content with the correct labels"
- Allow xdm_t domain to read sssd pid files BZ(1753240)
- Move open, audit_access, and execmod to common file perms
2019-09-20 15:00:31 +02:00
Lukas Vrabec
f1d354de29
* Fri Sep 13 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.5-3
- Add sys_ptrace capability to pcp_pmlogger_t domain BZ(1751816)
- Allow gssproxy_t domain read state of all processes on system
- Fix typo in cachefilesd module
- Allow cachefilesd_t domain to read/write cachefiles_device_t devices
- Remove setting label for /dev/cachefilesd char device from cachefilesd policy. This should be added in base policy
- Add sys_admin capability for keepalived_t labeled processes
- Allow user_mail_domain attribute to manage files labeled as etc_aliases_t.
- Create new type ipmievd_helper_t domain for loading kernel modules.
- Run stratisd service as stratisd_t
- Fix abrt_upload_watch_t in abrt policy
- Update keepalived policy
- Update cron_role, cron_admin_role and cron_unconfined_role to avoid *_t_t types
- Revert "Create admin_crontab_t and admin_crontab_tmp_t types"
- Revert "Update cron_role() template to accept third parameter with SELinux domain prefix"
- Allow amanda_t to manage its var lib files and read random_device_t
- Create admin_crontab_t and admin_crontab_tmp_t types
- Add setgid and setuid capabilities to keepalived_t domain
- Update cron_role() template to accept third parameter with SELinux domain prefix
- Allow psad_t domain to create tcp diag sockets BZ(1750324)
- Allow systemd to mount fwupd_cache_t BZ(1750288)
- Allow chronyc_t domain to append to all non_security files
- Update zebra SELinux policy to make it work also with frr service
- Allow rtkit_daemon_t domain set process nice value in user namespaces BZ(1750024)
- Dontaudit rhsmcertd_t to write to dirs labeled as lib_t BZ(1556763)
- Label /var/run/mysql as mysqld_var_run_t
- Allow chronyd_t domain to manage and create chronyd_tmp_t dirs,files,sock_file objects.
- Update timedatex policy to manage localization
- Allow sandbox_web_type domains to sys_ptrace and sys_chroot in user namespaces
- Update gnome_dontaudit_read_config
- Allow devicekit_var_lib_t dirs to be created by systemd during service startup. BZ(1748997)
- Allow systemd labeled as init_t domain to remount rootfs filesystem
- Add interface files_remount_rootfs()
- Dontaudit sys_admin capability for iptables_t SELinux domain
- Label /dev/cachefilesd as cachefiles_device_t
- Make stratisd policy active
- Allow userdomains to dbus chat with policykit daemon
- Update userdomains to pass correct parametes based on updates from cron_*_role interfaces
- New interface files_append_non_security_files()
- Label 2618/tcp and 2618/udp as priority_e_com_port_t
- Label 2616/tcp and 2616/udp as appswitch_emp_port_t
- Label 2615/tcp and 2615/udp as firepower_port_t
- Label 2610/tcp and 2610/udp as versa_tek_port_t
- Label 2613/tcp and 2613/udp as smntubootstrap_port_t
- Label 3784/tcp and 3784/udp as bfd_control_port_t
- Remove rule allowing all processes to stream connect to unconfined domains
2019-09-13 17:04:11 +02:00