Chrome still needs execmem
Missing role for chrome_sandbox_bootstrap
Add boolean to remove execmem and execstack from virtual machines
Dontaudit xdm_t doing an access_check on etc_t directories
add ldapmap1_0 as a krb5_host_rcache_t file
Google chrome developers asked me to add bootstrap policy for nacl stuff
Allow rhev_agentd_t to getattr on mountpoints
Postfix_smtpd_t needs access to milters and cleanup seems to read/write postfix_smtpd_t unix_stream_sockets
- Make sure if an admin creates modules content it creates them with the correct label
- Add port 8953 as a dns port used by unbound
- Fix file name transition for alsa and confined users
Allow init process to setrlimit on itself
Take away transition rules for users executing ssh-keygen
Allow setroubleshoot_fixit_t to read /dev/urand
Allow sshd to relbale tunnel sockets
Allow fail2ban domtrans to shorewall in the same way as with iptables
Add support for lnk files in the /var/lib/sssd directory
Allow system mail to connect to courier-authdaemon over an unix stream socket
Allow init process to setrlimit on itself
Take away transition rules for users executing ssh-keygen
Allow setroubleshoot_fixit_t to read /dev/urand
Allow sshd to relbale tunnel sockets
Allow fail2ban domtrans to shorewall in the same way as with iptables
Add support for lnk files in the /var/lib/sssd directory
Allow system mail to connect to courier-authdaemon over an unix stream socket
Make corosync to be able to relabelto cluster lib fies
Allow samba domains to search /var/run/nmbd
Allow dirsrv to use pam
Allow thumb to call getuid
chrome less likely to get mmap_zero bug so removing dontaudit
gimp help-browser has built in javascript
Best guess is that devices named /dev/bsr4096 should be labeled as cpu_device_t
Re-write glance policy
ptrace from the system
Remove 2000 dontaudit rules between confined domains on transition
and replace with single
dontaudit domain domain:process { noatsecure siginh rlimitinh } ;
ptrace from the system
Remove 2000 dontaudit rules between confined domains on transition
and replace with single
dontaudit domain domain:process { noatsecure siginh rlimitinh } ;
- Backport corenetwork fixes from upstream
- Do not audit attempts by thumb to search config_home_t dirs (~/.config)
- label ~/.cache/telepathy/logger telepathy_logger_cache_home_t
- allow thumb to read generic data home files (mime.type)
ricci_modservice send syslog msgs
Stop transitioning from unconfined_t to ldconfig_t, but make sure /etc/ld.so.cache is labeled correctly
Allow systemd_logind_t to manage /run/USER/dconf/user
Fixes for thumb policy by grift
Add new nfsd ports
Added fix to allow confined apps to execmod on chrome
Add labeling for additional vdsm directories
Allow Exim and Dovecot SASL
Add label for /var/run/nmbd
Add fixes to make virsh and xen working together
Colord executes ls
/var/spool/cron is now labeled as user_cron_spool_t
+- Allow ricci_modrpm_t to send log msgs
+- move permissive virt_qmf_t from virt.te to permissivedomains.te
+- Allow ssh_t to use kernel keyrings
+- Add policy for libvirt-qmf and more fixes for linux containers
+- Initial Polipo
+- Sanlock needs to run ranged in order to kill svirt processes
+- Allow smbcontrol to stream connect to ctdbd
- Allow asterisk to connect to jabber client port
- Allow procmail to read utmp
- Add NIS support for systemd_logind_t
- Allow systemd_logind_t to manage /run/user/$USER/dconf dir which is labeled a
- Fix systemd_manage_unit_dirs() interface
- Allow ssh_t to manage directories passed into it
- init needs to be able to create and delete unit file directories
- Fix typo in apache_exec_sys_script
- Add ability for logrotate to transition to awstat domain
- Add virt_use_sanlock booelan
- ksmtuned is trying to resolve uids
- Make sure .gvfs is labeled user_home_t in the users home directory
- Sanlock sends kill signals and needs the kill capability
- Allow mockbuild to work on nfs homedirs
- Fix kerberos_manage_host_rcache() interface
- Allow exim to read system state
+- Add loop_control_device_t
+- Allow mdadm to request kernel to load module
+- Allow domains that start other domains via systemctl to search unit dir
+- systemd_tmpfiles, needs to list any file systems mounted on /tmp
+- No one can explain why radius is listing the contents of /tmp, so we will dontaudit
+- If I can manage etc_runtime files, I should be able to read the links
+- Dontaudit hostname writing to mock library chr_files
+- Have gdm_t setup labeling correctly in users home dir
+- Label content unde /var/run/user/NAME/dconf as config_home_t
+- Allow sa-update to execute shell
+- Make ssh-keygen working with fips_enabled
+- Make mock work for staff_t user
+- Tighten security on mock_t
Dan Walsh
Miroslav