Commit Graph

5767 Commits

Author SHA1 Message Date
Lukas Vrabec
985fc6104c
* Wed Jun 27 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.14.2-26
- Allow psad domain to setrlimit. Allow psad domain to stream connect to dbus Allow psad domain to exec journalctl_exec_t binary
- Update cups_filetrans_named_content() to allow caller domain create ppd directory with cupsd_etc_rw_t label
- Allow abrt_t domain to write to rhsmcertd pid files
- Allow pegasus_t domain to eexec lvm binaries and allow read/write access to lvm control
- Add vhostmd_t domain to read/write to svirt images
- Update kdump_manage_kdumpctl_tmp_files() interface to allow caller domain also mmap kdumpctl_tmp_t files
- Allow sssd_t and slpad_t domains to mmap generic certs
- Allow chronyc_t domain use inherited user ttys
- Allow stapserver_t domain to mmap own tmp files
- Update nscd_dontaudit_write_sock_file() to dontaudit also stream connect to nscd_t domain
- Merge pull request #60 from vmojzis/rawhide
- Allow tangd_t domain stream connect to sssd
- Allow oddjob_t domain to chat with systemd via dbus
- Allow freeipmi domains to mmap sysfs files
- Fix typo in logwatch interface file
- Allow sysadm_t and staff_t domains to use sudo io logging
- Allow sysadm_t domain create sctp sockets
- Allow traceroute_t domain to exec bin_t binaries
- Allow systemd_passwd_agent_t domain to list sysfs Allow systemd_passwd_agent_t domain to dac_override
- Add new interface dev_map_sysfs()
2018-06-27 10:25:55 +02:00
Lukas Vrabec
5d84adca3e
Remove config.tgz from distgit and put configuration to policy sources on github 2018-06-26 17:21:53 +02:00
Petr Lautrbach
b719841045 Improve make-rhat-patches.sh for local development
make-rhat-patches.sh had everything hard coded and didn't update spec file so it
was hard to use for local selinux-policy development. This patch doesn't change
default behavior, but makes this script configurable using environmental
variables and one option.

Usage:

If you want to change location of repositories set the following variables:

REPO_SELINUX_POLICY
  selinux-policy repository

REPO_SELINUX_POLICY_BRANCH
  selinux-policy repository branch

REPO_SELINUX_POLICY_CONTRIB
  selinux-policy repository

REPO_SELINUX_POLICY_CONTRIB_BRANCH
  selinux-policy-contrib repository branch

REPO_CONTAINER_SELINUX
  container-selinux repository

If you want to use locally created tarball (and don't download tarballs from
github), use '-l' option.

Example:

  export REPO_SELINUX_POLICY=~/devel/local/selinux-policy.git
        export REPO_SELINUX_POLICY_BRANCH=WIP-my-new-fix
        export REPO_SELINUX_POLICY_CONTRIB=~/devel/local/selinux-policy-contrib.git
        export REPO_SELINUX_POLICY_CONTRIB_BRANCH=WIP-some-contrib-fix
        export REPO_CONTAINER_SELINUX=~/devel/local/container-selinux.git

  ./make-rhat-patches.sh -l
2018-06-15 15:09:26 +02:00
Lukas Vrabec
f4debe939a
* Thu Jun 14 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.14.2-25
- Merge pull request #60 from vmojzis/rawhide
- Allow tangd_t domain stream connect to sssd
- Allow oddjob_t domain to chat with systemd via dbus
- Allow freeipmi domains to mmap sysfs files
- Fix typo in logwatch interface file
- Allow spamd_t to manage logwatch_cache_t files/dirs
- Allow dnsmasw_t domain to create own tmp files and manage mnt files
- Allow fail2ban_client_t to inherit rlimit information from parent process
- Allow nscd_t to read kernel sysctls
- Label /var/log/conman.d as conman_log_t
- Add dac_override capability to tor_t domain
- Allow certmonger_t to readwrite to user_tmp_t dirs
- Allow abrt_upload_watch_t domain to read general certs
- Allow chornyd_t read phc2sys_t shared memory
- Add several allow rules for pesign policy:
- Add setgid and setuid capabilities to mysqlfd_safe_t domain
- Add tomcat_can_network_connect_db boolean
- Update virt_use_sanlock() boolean to read sanlock state
- Add sanlock_read_state() interface
- Allow zoneminder_t to getattr of fs_t
- Allow rhsmcertd_t domain to send signull to postgresql_t domain
- Add log file type to collectd and allow corresponding access
- Allow policykit_t domain to dbus chat with dhcpc_t
- Allow traceroute_t domain to exec bin_t binaries
- Allow systemd_passwd_agent_t domain to list sysfs Allow systemd_passwd_agent_t domain to dac_override
- Add new interface dev_map_sysfs()
- Allow sshd_keygen_t to execute plymouthd
- Allow systemd_networkd_t create and relabel tun sockets
- Add new interface postgresql_signull()
2018-06-14 15:31:59 +02:00
Lukas Vrabec
1d35f9ea76
* Tue Jun 12 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.14.2-24
- /usr/libexec/bluetooth/obexd should have only obexd_exec_t instead of bluetoothd_exec_t type
- Allow ntop_t domain to create/map various sockets/files.
- Enable the dictd to communicate via D-bus.
- Allow inetd_child process to chat via dbus with abrt
- Allow zabbix_agent_t domain to connect to redis_port_t
- Allow rhsmcertd_t domain to read xenfs_t files
- Allow zabbix_agent_t to run zabbix scripts
- Fix openvswith SELinux module
- Fix wrong path in tlp context file BZ(1586329)
- Update brltty SELinux module
- Allow rabbitmq_t domain to create own tmp files/dirs
- Allow policykit_t mmap policykit_auth_exec_t files
- Allow ipmievd_t domain to read general certs
- Add sys_ptrace capability to pcp_pmie_t domain
- Allow squid domain to exec ldconfig
- Update gpg SELinux policy module
- Allow mailman_domain to read system network state
- Allow openvswitch_t domain to read neutron state and read/write fixed disk devices
- Allow antivirus_domain to read all domain system state
- Allow targetd_t domain to red gconf_home_t files/dirs
- Label /usr/libexec/bluetooth/obexd as obexd_exec_t
- Add interface nagios_unconfined_signull()
- Fix typos in zabbix.te file
- Add missing requires
- Allow tomcat domain sends email
- Fix typo in sge policy
- Merge pull request #214 from wrabcak/fb-dhcpc
- Allow dhcpc_t creating own socket files inside /var/run/ Allow dhcpc_t creating netlink_kobject_uevent_socket, netlink_generic_socket, rawip_socket BZ(1585971)
- Allow confined users get AFS tokens
- Allow sysadm_t domain to chat via dbus
- Associate sysctl_kernel_t type with filesystem attribute
- Allow syslogd_t domain to send signull to nagios_unconfined_plugin_t
- Fix typo in netutils.te file
2018-06-12 14:22:02 +02:00
Lukas Vrabec
afcdb03a67
Adding missing equivalency rules to be able do proper configuration of polyinstation 2018-06-06 16:09:30 +02:00
Lukas Vrabec
4cca30aa93
* Wed Jun 06 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.14.2-23
- Add dac_override capability to sendmail_t domian
2018-06-06 13:16:15 +02:00
Lukas Vrabec
318acc9510
* Wed Jun 06 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.14.2-22
- Fix typo in authconfig policy
- Update ctdb domain to support gNFS setup
- Allow authconfig_t dbus chat with policykit
- Allow lircd_t domain to read system state
- Revert "Allow fsdaemon_t do send emails BZ(1582701)"
- Typo in uuidd policy
- Allow tangd_t domain read certs
- Allow vpnc_t domain to read configfs_t files/dirs BZ(1583107)
- Allow vpnc_t domain to read generic certs BZ(1583100)
- Label /var/lib/phpMyAdmin directory as httpd_sys_rw_content_t BZ(1584811)
- Allow NetworkManager_ssh_t domain to be system dbud client
- Allow virt_qemu_ga_t read utmp
- Add capability dac_override to system_mail_t domain
- Update uuidd policy to reflect last changes from base branch
- Add cap dac_override to procmail_t domain
- Allow sendmail to mmap etc_aliases_t files BZ(1578569)
- Add new interface dbus_read_pid_sock_files()
- Allow mpd_t domain read config_home files if mpd_enable_homedirs boolean will be enabled
- Allow fsdaemon_t do send emails BZ(1582701)
- Allow firewalld_t domain to request kernel module BZ(1573501)
- Allow chronyd_t domain to send send msg via dgram socket BZ(1584757)
- Add sys_admin capability to fprint_t SELinux domain
- Allow cyrus_t domain to create own files under /var/run BZ(1582885)
- Allow cachefiles_kernel_t domain to have capability dac_override
- Update policy for ypserv_t domain
- Allow zebra_t domain to bind on tcp/udp ports labeled as qpasa_agent_port_t
- Allow cyrus to have dac_override capability
- Dontaudit action when abrt-hook-ccpp is writing to nscd sockets
- Fix homedir polyinstantion under mls
- Fixed typo in init.if file
- Allow systemd to remove generic tmpt files BZ(1583144)
- Update init_named_socket_activation() interface to also allow systemd create objects in /var/run with proper label during socket activation
- Allow systemd-networkd and systemd-resolved services read system-dbusd socket BZ(1579075)
- Fix typo in authlogin SELinux security module
- Allod nsswitch_domain attribute to be system dbusd client BZ(1584632)
- Allow audisp_t domain to mmap audisp_exec_t binary
- Update ssh_domtrans_keygen interface to allow mmap ssh_keygen_exec_t binary file
- Label tcp/udp ports 2612 as qpasa_agetn_port_t
2018-06-06 10:25:52 +02:00
Lukas Vrabec
58acce3c84
* Sat May 26 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.14.2-21
- Add dac_override to exim policy BZ(1574303)
- Fix typo in conntrackd.fc file
- Allow sssd_t to kill sssd_selinux_manager_t
- Allow httpd_sys_script_t to connect to mongodb_port_t if boolean httpd_can_network_connect_db  is turned on
- Allow chronyc_t to redirect ourput to /var/lib /var/log and /tmp
- Allow policykit_auth_t to read udev db files BZ(1574419)
- Allow varnishd_t do be dbus client BZ(1582251)
- Allow cyrus_t domain to mmap own pid files BZ(1582183)
- Allow user_mail_t domain to mmap etc_aliases_t files
- Allow gkeyringd domains to run ssh agents
- Allow gpg_pinentry_t domain read ssh state
- Allow sysadm_u use xdm
- Allow xdm_t domain to listen ofor unix dgram sockets BZ(1581495)
- Add interface ssh_read_state()
- Fix typo in sysnetwork.if file
2018-05-26 00:25:28 +02:00
Lukas Vrabec
9364159b18
* Thu May 24 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.14.2-20
- Allow tangd_t domain to create tcp sockets and add new interface tangd_read_db_files
- Allow mailman_mail_t domain to search for apache configs
- Allow mailman_cgi_t domain to ioctl an httpd with a unix domain stream sockets.
- Improve procmail_domtrans() to allow mmaping procmail_exec_t
- Allow ptrace arbitrary processes
- Allow jabberd_router_t domain read kerberos keytabs BZ(1573945)
- Allow certmonger to geattr of filesystems BZ(1578755)
- Update dev_map_xserver_misc interface to allo mmaping char devices instead of files
- Allow noatsecure permission for all domain transitions from systemd.
- Allow systemd to read tangd db files
- Fix typo in ssh.if file
- Allow xdm_t domain to mmap xserver_misc_device_t files
- Allow xdm_t domain to execute systemd-coredump binary
- Add bridge_socket, dccp_socket, ib_socket and mpls_socket to socket_class_set
- Improve modutils_domtrans_insmod() interface to mmap insmod_exec_t binaries
- Improve iptables_domtrans() interface to allow mmaping iptables_exec_t binary
- Improve auth_domtrans_login_programinterface to allow also mmap login_exec_t binaries
- Improve auth_domtrans_chk_passwd() interface to allow also mmaping chkpwd_exec_t binaries.
- Allow mmap dhcpc_exec_t binaries in sysnet_domtrans_dhcpc interface
- Improve running xorg with proper SELinux domain even if systemd security feature NoNewPrivileges is used
2018-05-24 16:07:11 +02:00
Lukas Vrabec
ee05a93b19
* Tue May 22 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.14.2-19
- Increase dependency versions of policycoreutils and checkpolicy packages
2018-05-22 10:54:53 +02:00
Lukas Vrabec
e881d79dbc
* Mon May 21 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.14.2-18
- Disable secure mode environment cleansing for dirsrv_t
- Allow udev execute /usr/libexec/gdm-disable-wayland in xdm_t domain which allows create /run/gdm/custom.conf with proper xdm_var_run_t label.
2018-05-21 22:23:41 +02:00
Lukas Vrabec
844794a0f4
* Mon May 21 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.14.2-17
- Add dac_override capability to remote_login_t domain
- Allow chrome_sandbox_t to mmap tmp files
- Update ulogd SELinux security policy
- Allow rhsmcertd_t domain send signull to apache processes
- Allow systemd socket activation for modemmanager
- Allow geoclue to dbus chat with systemd
- Fix file contexts on conntrackd policy
- Temporary fix for varnish and apache adding capability for DAC_OVERRIDE
- Allow lsmd_plugin_t domain to getattr lsm_t unix stream sockets
- Add label for  /usr/sbin/pacemaker-remoted to have cluster_exec_t
- Allow nscd_t domain to be system dbusd client
- Allow abrt_t domain to read sysctl
- Add dac_read_search capability for tangd
- Allow systemd socket activation for rshd domain
- Add label for /usr/libexec/cyrus-imapd/master as cyrus_exec_t to have proper SELinux domain transition from init_t to cyrus_t
- Allow kdump_t domain to map /boot files
- Allow conntrackd_t domain to send msgs to syslog
- Label /usr/sbin/nhrpd and /usr/sbin/pimd binaries as zebra_exec_t
- Allow swnserve_t domain to stream connect to sasl domain
- Allow smbcontrol_t to create dirs with samba_var_t label
- Remove execstack,execmem and execheap from domains setroubleshootd_t, locate_t and podsleuth_t to increase security. BZ(1579760)
- Allow tangd to read public sssd files BZ(1509054)
- Allow geoclue start with nnp systemd security feature with proper SELinux Domain transition BZ(1575212)
- Allow ctdb_t domain modify ctdb_exec_t files
- Allow firewalld_t domain to create netlink_netfilter sockets
- Allow radiusd_t domain to read network sysctls
- Allow pegasus_t domain to mount tracefs_t filesystem
- Allow create systemd to mount pid files
- Add files_map_boot_files() interface
- Remove execstack,execmem and execheap from domain fsadm_t to increase security. BZ(1579760)
- Fix typo xserver SELinux module
- Allow systemd to mmap files with var_log_t label
- Allow x_userdomains read/write to xserver session
2018-05-21 01:48:14 +02:00
Lukas Vrabec
4d2de689d5
Fix typo bug in xserver SELinux module 2018-04-30 17:41:45 +02:00
Lukas Vrabec
a4ad07747e
* Mon Apr 30 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.14.2-16
- Allow systemd to mmap files with var_log_t label
- Allow x_userdomains read/write to xserver session
2018-04-30 16:30:28 +02:00
Lukas Vrabec
0bbda1a879
Redirect also stdout to /dev/null to avoid printing anything during updating selinux-policy process 2018-04-30 10:55:31 +02:00
Lukas Vrabec
560c1cf401
* Sat Apr 28 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.14.2-15
- Allow unconfined_domain_type to create libs filetrans named content BZ(1513806)
2018-04-28 19:43:37 +02:00
Lukas Vrabec
42d22b559a
Fix typo in spec file 2018-04-27 13:30:59 +02:00
Lukas Vrabec
19c9a7d734
* Fri Apr 27 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.14.2-14
- Add dac_override capability to mailman_mail_t domain
- Add dac_override capability to radvd_t domain
- Update openvswitch policy
- Add dac_override capability to oddjob_homedir_t domain
- Allow slapd_t domain to mmap slapd_var_run_t files
- Rename tang policy to tangd
- Allow virtd_t domain to relabel virt_var_lib_t files
- Allow logrotate_t domain to stop services via systemd
- Add tang policy
- Allow mozilla_plugin_t to create mozilla.pdf file in user homedir with label mozilla_home_t
- Allow snapperd_t daemon to create unlabeled dirs.
- Make httpd_var_run_t mountpoint
- Allow hsqldb_t domain to mmap own temp files
- We have inconsistency in cgi templates with upstream, we use _content_t, but refpolicy use httpd__content_t. Created aliasses to make it consistence
- Allow Openvswitch adding netdev bridge ovs 2.7.2.10 FDP
- Add new Boolean tomcat_use_execmem
- Allow nfsd_t domain to read/write sysctl fs files
- Allow conman to read system state
- Allow brltty_t domain to be dbusd system client
- Allow zebra_t domain to bind on babel udp port
- Allow freeipmi domain to read sysfs_t files
- Allow targetd_t domain mmap lvm config files
- Allow abrt_t domain to manage kdump crash files
- Add capability dac_override to antivirus domain
- Allow svirt_t domain mmap svirt_image_t files BZ(1514538)
- Allow ftpd_t domain to chat with systemd
- Allow systemd init named socket activation for uuidd policy
- Allow networkmanager domain to write to ecryptfs_t files BZ(1566706)
- Allow l2tpd domain to stream connect to sssd BZ(1568160)
- Dontaudit abrt_t to write to lib_t dirs BZ(1566784)
- Allow NetworkManager_ssh_t domain transition to insmod_t BZ(1567630)
- Allow certwatch to manage cert files BZ(1561418)
- Merge pull request #53 from tmzullinger/rawhide
- Merge pull request #52 from thetra0/rawhide
- Allow abrt_dump_oops_t domain to mmap all non security files BZ(1565748)
- Allow gpg_t domain mmap cert_t files Allow gpg_t mmap gpg_agent_t files
- Allow NetworkManager_ssh_t domain use generic ptys. BZ(1565851)
- Allow pppd_t domain read/write l2tpd pppox sockets BZ(1566096)
- Allow xguest user use bluetooth sockets if xguest_use_bluetooth boolean is turned on.
- Allow pppd_t domain creating pppox sockets BZ(1566271)
- Allow abrt to map var_lib_t files
- Allow chronyc to read system state BZ(1565217)
- Allow keepalived_t domain to chat with systemd via dbus
- Allow git to mmap git_(sys|user)_content_t files BZ(1518027)
- Allow netutils_t domain to create bluetooth sockets
- Allow traceroute to bind on generic sctp node
- Allow traceroute to search network sysctls
- Allow systemd to use virtio console
- Label /dev/op_panel and /dev/opal-prd as opal_device_t
2018-04-27 11:50:21 +02:00
Lukas Vrabec
5c972253e7
Update selinux policy macros to reflect the latest changes in
selinux-policy-macros repo
2018-04-25 21:48:43 +02:00
Lukas Vrabec
11e95ea76d
Make tangd policy active 2018-04-25 11:01:01 +02:00
Lukas Vrabec
39a94e09cd
* Thu Apr 12 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.14.2-13
- refpolicy: Update for kernel sctp support
- Allow smbd_t send to nmbd_t via dgram sockets BZ(1563791)
- Allow antivirus domain to be client for system dbus BZ(1562457)
- Dontaudit requesting tlp_t domain kernel modules, its a kernel bug BZ(1562383)
- Add new boolean: colord_use_nfs() BZ(1562818)
- Allow pcp_pmcd_t domain to check access to mdadm BZ(1560317)
- Allow colord_t to mmap gconf_home_t files
- Add new boolean redis_enable_notify()
- Label  /var/log/shibboleth-www(/.*) as httpd_sys_rw_content_t
- Add new label for vmtools scripts and label it as vmtools_unconfined_t stored in /etc/vmware-tools/
- Remove labeling for /etc/vmware-tools to bin_t it should be vmtools_unconfined_exec_t
2018-04-12 12:51:18 +02:00
Lukas Vrabec
1778514e56
* Sat Apr 07 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.14.2-12
- Add new boolean redis_enable_notify()
- Label  /var/log/shibboleth-www(/.*) as httpd_sys_rw_content_t
- Add new label for vmtools scripts and label it as vmtools_unconfined_t stored in /etc/vmware-tools/
- Allow svnserve_t domain to manage kerberos rcache and read krb5 keytab
- Add dac_override and dac_read_search capability to hypervvssd_t domain
- Label /usr/lib/systemd/systemd-fence_sanlockd as fenced_exec_t
- Allow samba to create /tmp/host_0 as krb5_host_rcache_t
- Add dac_override capability to fsdaemon_t BZ(1564143)
- Allow abrt_t domain to map dos files BZ(1564193)
- Add dac_override capability to automount_t domain
- Allow keepalived_t domain to connect to system dbus bus
- Allow nfsd_t to read nvme block devices BZ(1562554)
- Allow lircd_t domain to execute bin_t files BZ(1562835)
- Allow l2tpd_t domain to read sssd public files BZ(1563355)
- Allow logrotate_t domain to do dac_override BZ(1539327)
- Remove labeling for /etc/vmware-tools to bin_t it should be vmtools_unconfined_exec_t
- Add capability sys_resource to systemd_sysctl_t domain
- Label all /dev/rbd* devices as fixed_disk_device_t
- Allow xdm_t domain to mmap xserver_log_t files BZ(1564469)
- Allow local_login_t domain to rread udev db
- Allow systemd_gpt_generator_t to read /dev/random device
- add definition of bpf class and systemd perms
2018-04-07 20:34:23 +02:00
Lukas Vrabec
9762a51f7b
* Thu Mar 29 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.14.2-11
- Allow accountsd_t domain to dac override BZ(1561304)
- Allow cockpit_ws_t domain to read system state BZ(1561053)
- Allow postfix_map_t domain to use inherited user ptys BZ(1561295)
- Allow abrt_dump_oops_t domain dac override BZ(1561467)
- Allow l2tpd_t domain to run stream connect for sssd_t BZ(1561755)
- Allow crontab domains to do dac override
- Allow snapperd_t domain to unmount fs_t filesystems
- Allow pcp processes to read fixed_disk devices BZ(1560816)
- Allow unconfined and confined users to use dccp sockets
- Allow systemd to manage bpf dirs/files
- Allow traceroute_t to create dccp_sockets
2018-03-29 19:27:36 +02:00
Lukas Vrabec
0ac6359923
* Mon Mar 26 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.14.2-10
- Fedora Atomic host using for temp files /sysroot/tmp patch, we should label same as /tmp adding file context equivalence BZ(1559531)
2018-03-26 15:48:52 +02:00
Lukas Vrabec
dd15940cc3
Fedora Atomic host using for temp files /sysroot/tmp patch, we should label same as /tmp adding file context equivalence BZ(1559531) 2018-03-26 15:47:43 +02:00
Lukas Vrabec
0dae2c353f
* Sun Mar 25 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.14.2-9
- Allow smbcontrol_t to mmap samba_var_t files and allow winbind create sockets BZ(1559795)
- Allow nagios to exec itself and mmap nagios spool files BZ(1559683)
- Allow nagios to mmap nagios config files BZ(1559683)
- Fixing Ganesha module
- Fix typo in NetworkManager module
- Fix bug in gssproxy SELinux module
- Allow abrt_t domain to mmap container_file_t files BZ(1525573)
- Allow networkmanager to be run ssh client BZ(1558441)
- Allow pcp domains to do dc override BZ(1557913)
- Dontaudit pcp_pmie_t to reaquest lost kernel module
- Allow pcp_pmcd_t to manage unpriv userdomains semaphores BZ(1554955)
- Allow httpd_t to read httpd_log_t dirs BZ(1554912)
- Allow fail2ban_t to read system network state BZ(1557752)
- Allow dac override capability to mandb_t domain BZ(1529399)
- Allow collectd_t domain to mmap collectd_var_lib_t files BZ(1556681)
- Dontaudit bug in kernel 4.16 when domains requesting loading kernel modules BZ(1555369)
- Add Domain transition from gssproxy_t to httpd_t domains BZ(1548439)
- Allow httpd_t to mmap user_home_type files if boolean httpd_read_user_content is enabled BZ(1555359)
- Allow snapperd to relabel snapperd_data_t
- Improve bluetooth_stream_socket interface to allow caller domain also send bluetooth sockets
- Allow tcpd_t bind on sshd_port_t if ssh_use_tcpd() is enabled
- Allow insmod_t to load modules BZ(1544189)
- Allow systemd_rfkill_t domain sys_admin capability BZ(1557595)
- Allow systemd_networkd_t to read/write tun tap devices
- Add shell_exec_t file as domain entry for init_t
- Label also /run/systemd/resolved/ as systemd_resolved_var_run_t BZ(1556862)
- Dontaudit kernel 4.16 bug when lot of domains requesting load kernel module BZ(1557347)
- Improve userdom_mmap_user_home_content_files
- Allow systemd_logind_t domain to setattributes on fixed disk devices BZ(1555414)
- Dontaudit kernel 4.16 bug when lot of domains requesting load kernel module
- Allow semanage_t domain mmap usr_t files
- Add new boolean: ssh_use_tcpd()
2018-03-25 01:02:58 +01:00
Lukas Vrabec
67396b3121
In Fedora 28, ganesha SELinux module is removed, for proper upgrade this
modules needs to be removed before SELinux policy for F28 is installed.

Resolves: rhbz#1559174
2018-03-25 00:57:29 +01:00
Lukas Vrabec
597a71b217
* Wed Mar 21 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.14.2-8
- Improve bluetooth_stream_socket interface to allow caller domain also send bluetooth sockets
- Allow tcpd_t bind on sshd_port_t if ssh_use_tcpd() is enabled
- Allow semanage_t domain mmap usr_t files
- Add new boolean: ssh_use_tcpd()
2018-03-21 19:15:49 +01:00
Lukas Vrabec
1199c87fda
Update also sources 2018-03-20 12:21:39 +01:00
Lukas Vrabec
a191ebd6c3
* Tue Mar 20 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.14.2-7
- Update screen_role_template() to allow also creating sockets in HOMEDIR/screen/
- Allow newrole_t dacoverride capability
- Allow traceroute_t domain to mmap packet sockets
- Allow netutils_t domain to mmap usmmon device
- Allow netutils_t domain to use mmap on packet_sockets
- Allow traceroute to create icmp packets
- Allos sysadm_t domain to create tipc sockets
- Allow confined users to use new socket classes for bluetooth, alg and tcpdiag sockets
2018-03-20 12:19:47 +01:00
Lukas Vrabec
8597119053
* Thu Mar 15 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.14.2-6
- Allow rpcd_t domain dac override
- Allow rpm domain to mmap rpm_var_lib_t files
- Allow arpwatch domain to create bluetooth sockets
- Allow secadm_t domain to mmap audit config and log files
- Update init_abstract_socket_activation() to allow also creating tcp sockets
- getty_t should be ranged in MLS. Then also local_login_t runs as ranged domain.
- Add SELinux support for systemd-importd
- Create new type bpf_t and label /sys/fs/bpf with this type
2018-03-15 20:41:40 +01:00
Lukas Vrabec
529a517a7a
* Mon Mar 12 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.14.2-5
- Allow bluetooth_t domain to create alg_socket BZ(1554410)
- Allow tor_t domain to execute bin_t files BZ(1496274)
- Allow iscsid_t domain to mmap kernel modules BZ(1553759)
- Update minidlna SELinux policy BZ(1554087)
- Allow motion_t domain to read sysfs_t files BZ(1554142)
- Allow snapperd_t domain to getattr on all files,dirs,sockets,pipes BZ(1551738)
- Allow l2tp_t domain to read ipsec config files BZ(1545348)
- Allow colord_t to mmap home user files BZ(1551033)
- Dontaudit httpd_t creating kobject uevent sockets BZ(1552536)
- Allow ipmievd_t to mmap kernel modules BZ(1552535)
- Allow boinc_t domain to read cgroup files BZ(1468381)
- Backport allow rules from refpolicy upstream repo
- Allow gpg_t domain to bind on all unereserved udp ports
- Allow systemd to create systemd_rfkill_var_lib_t dirs BZ(1502164)
- Allow netlabel_mgmt_t domain to read sssd public files, stream connect to sssd_t BZ(1483655)
- Allow xdm_t domain to sys_ptrace BZ(1554150)
- Allow application_domain_type also mmap inherited user temp files BZ(1552765)
- Update ipsec_read_config() interface
- Fix broken sysadm SELinux module
- Allow ipsec_t to search for bind cache BZ(1542746)
- Allow staff_t to send sigkill to mount_t domain BZ(1544272)
- Label /run/systemd/resolve/stub-resolv.conf as net_conf_t BZ(1471545)
- Label ip6tables.init as iptables_exec_t BZ(1551463)
- Allow hostname_t to use usb ttys BZ(1542903)
- Add fsetid capability to updpwd_t domain BZ(1543375)
- Allow systemd machined send signal to all domains BZ(1372644)
- Dontaudit create netlink selinux sockets for unpriv SELinux users BZ(1547876)
- Allow sysadm_t to create netlink generic sockets BZ(1547874)
- Allow passwd_t domain chroot
- Dontaudit confined unpriviliged users setuid capability
2018-03-12 17:20:32 +01:00
Lukas Vrabec
870fdbbf14
* Tue Mar 06 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.14.2-4
- Allow l2tpd_t domain to create pppox sockets
- Update dbus_system_bus_client() so calling domain could read also system_dbusd_var_lib_t link files BZ(1544251)
- Add interface abrt_map_cache()
- Update gnome_manage_home_config() to allow also map permission BZ(1544270)
- Allow oddjob_mkhomedir_t domain to be dbus system client BZ(1551770)
- Dontaudit kernel bug when several services requesting load kernel module
- Allow traceroute and unconfined domains creating sctp sockets
- Add interface corenet_sctp_bind_generic_node()
- Allow ping_t domain to create icmp sockets
- Allow staff_t to mmap abrt_var_cache_t BZ(1544273)
- Fix typo bug in dev_map_framebuffer() interface BZ(1551842)
- Dontaudit kernel bug when several services requesting load kernel module
2018-03-06 16:16:43 +01:00
Lukas Vrabec
47ee5f4780
Add forgotten sources file 2018-03-05 16:27:57 +01:00
Lukas Vrabec
3c49a8df90
* Mon Mar 05 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.14.2-3
- Allow vdagent_t domain search cgroup dirs BZ(1541564)
- Allow bluetooth_t domain listen on bluetooth sockets BZ(1549247)
- Allow bluetooth domain creating bluetooth sockets BZ(1551577)
- pki_log_t should be log_file
- Allow gpgdomain to unix_stream socket connectto
- Make working gpg agent in gpg_agent_t domain
- Dontaudit thumb_t to rw lvm pipes BZ(154997)
- Allow start cups_lpd via systemd socket activation BZ(1532015)
- Improve screen_role_template Resolves: rhbz#1534111
- Dontaudit modemmanager to setpgid. BZ(1520482)
- Dontaudit kernel bug when systemd requesting load kernel module BZ(1547227)
- Allow systemd-networkd to create netlink generic sockets BZ(1551578)
- refpolicy: Define getrlimit permission for class process
- refpolicy: Define smc_socket security class
- Allow transition from sysadm role into mdadm_t domain.
- ssh_t trying to communicate with gpg agent not sshd_t
- Allow sshd_t communicate with gpg_agent_t
- Allow initrc domains to mmap binaries with direct_init_entry attribute BZ(1545643)
- Revert "Allow systemd_rfkill_t domain to reguest kernel load module BZ(1543650)"
- Revert "Allow systemd to request load kernel module BZ(1547227)"
- Allow systemd to write to all pidfile socketes because of SocketActivation unit option ListenStream= BZ(1543576)
- Add interface lvm_dontaudit_rw_pipes() BZ(154997)
- Add interfaces for systemd socket activation
- Allow systemd-resolved to create stub-resolv.conf with right label net_conf_t BZ(1547098)
2018-03-05 16:13:41 +01:00
Lukas Vrabec
5a5985a439 * Thu Feb 22 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.14.2-2
- refpolicy: Define extended_socket_class policy capability and socket classes
- Make bluetooth_var_lib_t as mountpoint BZ(1547416)
- Allow systemd to request load kernel module BZ(1547227)
- Allow ipsec_t domain to read l2tpd pid files
- Allow sysadm to read/write trace filesystem BZ(1547875)
- Allow syslogd_t to mmap systemd coredump tmpfs files BZ(1547761)
2018-02-22 15:13:02 +01:00
Lukas Vrabec
5b3d03345c * Wed Feb 21 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.14.2-1
- Rebuild for current rawhide (fc29)
2018-02-21 19:10:21 +01:00
Lukas Vrabec
3256f1cc3b * Tue Feb 20 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.14.1-9
- Fix broken cups Security Module
- Allow dnsmasq_t domain dbus chat with unconfined users. BZ(1532079)
- Allow geoclue to connect to tcp nmea port BZ(1362118)
- Allow pcp_pmcd_t to read mock lib files BZ(1536152)
- Allow abrt_t domain to mmap passwd file BZ(1540666)
- Allow gpsd_t domain to get session id of another process BZ(1540584)
- Allow httpd_t domain to mmap httpd_tmpfs_t files BZ(1540405)
- Allow cluster_t dbus chat with systemd BZ(1540163)
- Add interface raid_stream_connect()
- Allow nscd_t to mmap nscd_var_run_t files BZ(1536689)
- Allow dovecot_delivery_t to mmap mail_home_rw_t files BZ(1531911)
- Make cups_pdf_t domain system dbusd client BZ(1532043)
- Allow logrotate to read auditd_log_t files BZ(1525017)
- Improve snapperd SELinux policy BZ(1514272)
- Allow virt_domain to read virt_image_t files BZ(1312572)
- Allow openvswitch_t stream connect svirt_t
- Update dbus_dontaudit_stream_connect_system_dbusd() interface
- Allow openvswitch domain to manage svirt_tmp_t sock files
- Allow named_filetrans_domain domains to create .heim_org.h5l.kcm-socket sock_file with label sssd_var_run_t BZ(1538210)
- Merge pull request #50 from dodys/pkcs
- Label tcp and udp ports 10110 as nmea_port_t BZ(1362118)
- Allow systemd to access rfkill lib dirs BZ(1539733)
- Allow systemd to mamange raid var_run_t sockfiles and files BZ(1379044)
- Allow vxfs filesystem to use SELinux labels
- Allow systemd to setattr on systemd_rfkill_var_lib_t dirs BZ(1512231)
- Allow few services to dbus chat with snapperd BZ(1514272)
- Allow systemd to relabel system unit symlink to systemd_unit_file_t. BZ(1535180)
- Fix logging as staff_u into Fedora 27
- Fix broken systemd_tmpfiles_run() interface
2018-02-20 09:25:14 +01:00
Lukas Vrabec
d1295b542c Merge #8 Don't own %{_rpmconfigdir} 2018-02-19 09:57:01 +00:00
Petr Lautrbach
d890769dab List gcc in BuildRequires
https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org/message/IJFYI5Q2BYZKIGDFS2WLOBDUSEGWHIKV/
https://fedoraproject.org/wiki/Packaging:C_and_C%2B%2B#BuildRequires_and_Requires

Fixes:
cc -Wall support/fc_sort.c -o tmp/fc_sort
make: cc: Command not found
make: *** [Makefile:404: tmp/fc_sort] Error 127
2018-02-19 10:34:23 +01:00
Igor Gnatenko
f8cf034356
Remove %clean section
None of currently supported distributions need that.
Last one was EL5 which is EOL for a while.

Signed-off-by: Igor Gnatenko <ignatenkobrain@fedoraproject.org>
2018-02-14 09:57:34 +01:00
Igor Gnatenko
72d8378f5a Remove BuildRoot definition
None of currently supported distributions need that.
It was needed last for EL5 which is EOL now

Signed-off-by: Igor Gnatenko <ignatenkobrain@fedoraproject.org>
2018-02-14 00:36:49 +01:00
Igor Gnatenko
28c23c14e4
Escape macros in %changelog
Reference: https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org/thread/Y2ZUKK2B7T2IKXPMODNF6HB2O5T5TS6H/
Signed-off-by: Igor Gnatenko <ignatenkobrain@fedoraproject.org>
2018-02-09 09:06:15 +01:00
Lukas Vrabec
b22b1d1da0 * Thu Feb 08 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.14.1-7
- Label /usr/sbin/ldap-agent as dirsrv_snmp_exec_t
- Allow certmonger_t domain to access /etc/pki/pki-tomcat BZ(1542600)
- Allow keepalived_t domain getattr proc filesystem
- Allow init_t to create UNIX sockets for unconfined services (BZ1543049)
- Allow ipsec_mgmt_t execute ifconfig_exec_t binaries Allow ipsec_mgmt_t nnp domain transition to ifconfig_t
- Allow ipsec_t nnp transistions to domains ipsec_mgmt_t and ifconfig_t
2018-02-08 14:38:23 +01:00
Lukas Vrabec
00dcc13b60 * Tue Feb 06 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.14.1-6
- Allow openvswitch_t domain to read cpuid, write to sysfs files and creating openvswitch_tmp_t sockets
- Add new interface ppp_filetrans_named_content()
- Allow keepalived_t read sysctl_net_t files
- Allow puppetmaster_t domtran to puppetagent_t
- Allow kdump_t domain to read kernel ring buffer
- Allow boinc_t to mmap boinc tmpfs files BZ(1540816)
- Merge pull request #47 from masatake/keepalived-signal
- Allow keepalived_t create and write a file under /tmp
- Allow ipsec_t domain to exec ifconfig_exec_t binaries.
- Allow unconfined_domain_typ to create pppd_lock_t directory in /var/lock
- Allow updpwd_t domain to create files in /etc with shadow_t label
2018-02-06 09:58:08 +01:00
Lukas Vrabec
4caea74068 Updated rpm.macros 2018-02-05 17:01:34 +01:00
Lukas Vrabec
4b0a66cafc * Tue Jan 30 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.14.1-5
- Allow opendnssec daemon to execute ods-signer BZ(1537971)
2018-01-30 17:04:16 +01:00
Lukas Vrabec
e9c4389283 * Tue Jan 30 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.14.1-4
- rpm: Label /usr/share/rpm usr_t (ostree/Atomic systems)
- Update dbus_role_template() BZ(1536218)
- Allow lldpad_t domain to mmap own tmpfs files BZ(1534119)
- Allow blueman_t dbus chat with policykit_t BZ(1470501)
- Expand virt_read_lib_files() interface to allow list dirs with label virt_var_lib_t BZ(1507110)
- Allow postfix_master_t and postfix_local_t to connect to system dbus. BZ(1530275)
- Allow system_munin_plugin_t domain to read sssd public files and allow stream connect to ssd daemon BZ(1528471)
- Allow rkt_t domain to bind on rkt_port_t tcp BZ(1534636)
- Allow jetty_t domain to mmap own temp files BZ(1534628)
- Allow sslh_t domain to read sssd public files and stream connect to sssd. BZ(1534624)
- Consistently label usr_t for kernel/initrd in /usr
- kernel/files.fc: Label /usr/lib/sysimage as usr_t
- Allow iptables sysctl load list support with SELinux enforced
- Label HOME_DIR/.config/systemd/user/* user unit files as systemd_unit_file_t BZ(1531864)
2018-01-30 12:57:41 +01:00
Lukas Vrabec
e7bae02f22 * Fri Jan 19 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.14.1-3
- Merge pull request #45 from jlebon/pr/rot-sd-dbus-rawhide
- Allow virt_domains to acces infiniband pkeys.
- Allow systemd to relabelfrom tmpfs_t link files in /var/run/systemd/units/ BZ(1535180)
- Label /usr/libexec/ipsec/addconn as ipsec_exec_t to run this script as ipsec_t instead of init_t
- Allow audisp_remote_t domain write to files on all levels
2018-01-19 12:48:25 +01:00