Commit Graph

360 Commits

Author SHA1 Message Date
Lukas Vrabec
a21f7739e6
Update fixed sources from github 2019-09-20 23:31:28 +02:00
Lukas Vrabec
c3cb5b2032
* Fri Sep 20 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.5-5
- Fix ipa_custodia_stream_connect interface
- Allow systemd_modules_load_t domain to read systemd pid files
- Add new interface init_read_pid_files()
- Allow systemd labeled as init_t domain to manage faillog_t objects
- Add file context ipsec_var_run_t for /var/run/charon\.dck to ipsec.fc
2019-09-20 23:17:36 +02:00
Lukas Vrabec
361693e74b
* Fri Sep 20 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.5-4
- Run ipa-custodia as ipa_custodia_t
- Update webalizer_t SELinux policy
- Dontaudit thumb_t domain to getattr of nsfs_t files BZ(1753598)
- Allow rhsmcertd_t domain to read rtas_errd lock files
- Add new interface rtas_errd_read_lock()
- Update allow rules set for nrpe_t domain
- Update timedatex SELinux policy to to sychronizate time with GNOME and add new macro chronyd_service_status to chronyd.if
- Allow avahi_t to send msg to lpr_t
- Label /dev/shm/dirsrv/ with dirsrv_tmpfs_t label
- Allow dlm_controld_t domain to read random device
- Label libvirt drivers as virtd_exec_t
- Add sys_ptrace capability to pcp_pmlogger_t domain BZ(1751816)
- Allow gssproxy_t domain read state of all processes on system
- Add new macro systemd_timedated_status to systemd.if to get timedated service status
- Introduce xdm_manage_bootloader booelan
- Revert "Unconfined domains, need to create content with the correct labels"
- Allow xdm_t domain to read sssd pid files BZ(1753240)
- Move open, audit_access, and execmod to common file perms
2019-09-20 15:00:31 +02:00
Lukas Vrabec
f1d354de29
* Fri Sep 13 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.5-3
- Add sys_ptrace capability to pcp_pmlogger_t domain BZ(1751816)
- Allow gssproxy_t domain read state of all processes on system
- Fix typo in cachefilesd module
- Allow cachefilesd_t domain to read/write cachefiles_device_t devices
- Remove setting label for /dev/cachefilesd char device from cachefilesd policy. This should be added in base policy
- Add sys_admin capability for keepalived_t labeled processes
- Allow user_mail_domain attribute to manage files labeled as etc_aliases_t.
- Create new type ipmievd_helper_t domain for loading kernel modules.
- Run stratisd service as stratisd_t
- Fix abrt_upload_watch_t in abrt policy
- Update keepalived policy
- Update cron_role, cron_admin_role and cron_unconfined_role to avoid *_t_t types
- Revert "Create admin_crontab_t and admin_crontab_tmp_t types"
- Revert "Update cron_role() template to accept third parameter with SELinux domain prefix"
- Allow amanda_t to manage its var lib files and read random_device_t
- Create admin_crontab_t and admin_crontab_tmp_t types
- Add setgid and setuid capabilities to keepalived_t domain
- Update cron_role() template to accept third parameter with SELinux domain prefix
- Allow psad_t domain to create tcp diag sockets BZ(1750324)
- Allow systemd to mount fwupd_cache_t BZ(1750288)
- Allow chronyc_t domain to append to all non_security files
- Update zebra SELinux policy to make it work also with frr service
- Allow rtkit_daemon_t domain set process nice value in user namespaces BZ(1750024)
- Dontaudit rhsmcertd_t to write to dirs labeled as lib_t BZ(1556763)
- Label /var/run/mysql as mysqld_var_run_t
- Allow chronyd_t domain to manage and create chronyd_tmp_t dirs,files,sock_file objects.
- Update timedatex policy to manage localization
- Allow sandbox_web_type domains to sys_ptrace and sys_chroot in user namespaces
- Update gnome_dontaudit_read_config
- Allow devicekit_var_lib_t dirs to be created by systemd during service startup. BZ(1748997)
- Allow systemd labeled as init_t domain to remount rootfs filesystem
- Add interface files_remount_rootfs()
- Dontaudit sys_admin capability for iptables_t SELinux domain
- Label /dev/cachefilesd as cachefiles_device_t
- Make stratisd policy active
- Allow userdomains to dbus chat with policykit daemon
- Update userdomains to pass correct parametes based on updates from cron_*_role interfaces
- New interface files_append_non_security_files()
- Label 2618/tcp and 2618/udp as priority_e_com_port_t
- Label 2616/tcp and 2616/udp as appswitch_emp_port_t
- Label 2615/tcp and 2615/udp as firepower_port_t
- Label 2610/tcp and 2610/udp as versa_tek_port_t
- Label 2613/tcp and 2613/udp as smntubootstrap_port_t
- Label 3784/tcp and 3784/udp as bfd_control_port_t
- Remove rule allowing all processes to stream connect to unconfined domains
2019-09-13 17:04:11 +02:00
Lukas Vrabec
d2110e0b7c
* Wed Sep 04 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.5-2
- Allow zabbix_t domain to manage zabbix_var_lib_t sock files and connect to unix_stream_socket
- Dontaudit sandbox web types to setattr lib_t dirs
- Dontaudit system_mail_t domains to check for existence other applications on system BZ(1747369)
- Allow haproxy_t domain to read network state of system
- Allow processes labeled as keepalived_t domain to get process group
- Introduce dbusd_unit_file_type
- Allow pesign_t domain to read/write named cache files.
- Label /var/log/hawkey.log as rpm_log_t and update rpm named filetrans interfaces.
- Allow httpd_t domain to read/write named_cache_t files
- Add new interface bind_rw_cache()
- Allow cupsd_t domain to create directory with name ppd in dirs labeled as cupsd_etc_t with label cupsd_rw_etc_t.
- Update cpucontrol_t SELinux policy
- Allow pcp_pmcd_t domain to bind on udp port labeled as statsd_port_t
- Run lldpd service as lldpad_t.
- Allow spamd_update_t domain to create unix dgram sockets.
- Update dbus role template for confined users to allow login into x session
- Label /usr/libexec/microcode_ctl/reload_microcode as cpucontrol_exec_t
- Fix typo in networkmanager_append_log() interface
- Update collectd policy to allow daemon create /var/log/collectd with collectd_log_t label
- Allow login user type to use systemd user session
- Allow xdm_t domain to start dbusd services.
- Introduce new type xdm_unit_file_t
- Remove allowing all domain to communicate over pipes with all domain under rpm_transition_domain attribute
- Allow systemd labeled as init_t to remove sockets with tmp_t label BZ(1745632)
- Allow ipsec_t domain to read/write named cache files
- Allow sysadm_t to create hawkey log file with rpm_log_t SELinux label
- Allow domains systemd_networkd_t and systemd_logind_t to chat over dbus
- Label udp 8125 port as statsd_port_t
2019-09-04 18:09:39 +02:00
Lukas Vrabec
7bacb4d438
* Tue Aug 13 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.4-31
- Update timedatex policy BZ(1734197)
2019-08-13 19:06:46 +02:00
Lukas Vrabec
bee0c094a4
* Tue Aug 13 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.4-30
- cockpit: Allow cockpit-session to read cockpit-tls state
- Allow zebrat_t domain to read state of NetworkManager_t processes BZ(1739983)
- Allow named_t domain to read/write samba_var_t files BZ(1738794)
- Dontaudit abrt_t domain to read root_t files
- Allow ipa_dnskey_t domain to read kerberos keytab
- Allow mongod_t domain to read cgroup_t files BZ(1739357)
- Update ibacm_t policy
- Allow systemd to relabel all files on system.
- Revert "Add new boolean systemd_can_relabel"
- Allow xdm_t domain to read kernel sysctl BZ(1740385)
- Add sys_admin capability for xdm_t in user namespace. BZ(1740386)
- Allow dbus communications with resolved for DNS lookups
- Add new boolean systemd_can_relabel
- Allow auditd_t domain to create auditd_tmp_t temporary files and dirs in /tmp or /var/tmp
- Label '/var/usrlocal/(.*/)?sbin(/.*)?' as bin_t
- Update systemd_dontaudit_read_unit_files() interface to dontaudit alos listing dirs
- Run lvmdbusd service as lvm_t
2019-08-13 17:59:35 +02:00
Lukas Vrabec
6e1369286b
* Wed Aug 07 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.4-29
- Allow dlm_controld_t domain setgid capability
- Fix SELinux modules not installing in chroots.
Resolves: rhbz#1665643
2019-08-07 17:38:17 +02:00
Lukas Vrabec
e89a7ef306
* Tue Aug 06 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.4-28
- Allow systemd to create and bindmount dirs. BZ(1734831)
2019-08-06 10:48:46 +02:00
Lukas Vrabec
2442d10f50
* Mon Aug 05 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.4-27
- Allow tlp domain run tlp in trace mode BZ(1737106)
- Make timedatex_t domain system dbus bus client BZ(1737239)
- Allow cgdcbxd_t domain to list cgroup dirs
- Allow systemd to create and bindmount dirs. BZ(1734831)
2019-08-05 18:25:34 +02:00
Lukas Vrabec
0775289b10
* Tue Jul 30 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.4-26
- New policy for rrdcached
- Allow dhcpd_t domain to read network sysctls.
- Allow nut services to communicate with unconfined domains
- Allow virt_domain to Support ecryptfs home dirs.
- Allow domain transition lsmd_t to sensord_t
- Allow httpd_t to signull mailman_cgi_t process
- Make rrdcached policy active
- Label /etc/sysconfig/ip6?tables\.save as system_conf_t Resolves: rhbz#1733542
- Allow machinectl to run pull-tar BZ(1724247)
2019-07-30 10:51:50 +02:00
Lukas Vrabec
c8c754cba3
* Fri Jul 26 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.4-25
- Allow spamd_update_t domain to read network state of system BZ(1733172)
- Allow dlm_controld_t domain to transition to the lvm_t
- Allow sandbox_web_client_t domain to do sys_chroot in user namespace
- Allow virtlockd process read virtlockd.conf file
- Add more permissions for session dbus types to make working dbus broker with systemd user sessions
- Allow sssd_t domain to read gnome config and named cache files
- Allow brltty to request to load kernel module
- Add svnserve_tmp_t label forl svnserve temp files to system private tmp
- Allow sssd_t domain to read kernel net sysctls BZ(1732185)
- Run timedatex service as timedatex_t
- Allow mysqld_t domain to domtrans to ifconfig_t domain when executing ifconfig tool
- Allow cyrus work with PrivateTmp
- Make cgdcbxd_t domain working with SELinux enforcing.
- Make working wireshark execute byt confined users staff_t and sysadm_t
- Dontaudit virt_domain to manage ~/.cache dirs BZ(1730963)
- Allow svnserve_t domain to read system state
- allow named_t to map named_cache_t files
- Label user cron spool file with user_cron_spool_t
- Update gnome_role_template() template to allow sysadm_t confined user to login to xsession
- Allow lograte_t domain to manage collect_rw_content files and dirs
- Add interface collectd_manage_rw_content()
- Allow ifconfig_t domain to manage vmware logs
- Remove system_r role from staff_u user.
- Make new timedatex policy module active
- Add systemd_private_tmp_type attribute
- Allow systemd to load kernel modules during boot process.
- Allow sysadm_t and staff_t domains to read wireshark shared memory
- Label /usr/libexec/utempter/utempter  as utemper_exec_t
- Allow ipsec_t domain to read/write  l2tpd pipe BZ(1731197)
- Allow sysadm_t domain to create netlink selinux sockets
- Make cgdcbxd active in Fedora upstream sources
2019-07-26 10:28:53 +02:00
Lukas Vrabec
9fad02a45b
* Wed Jul 17 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.4-24
- Label user cron spool file with user_cron_spool_t
- Update gnome_role_template() template to allow sysadm_t confined user to login to xsession
- Allow lograte_t domain to manage collect_rw_content files and dirs
- Add interface collectd_manage_rw_content()
- Allow systemd_hostnamed_t domain to dbus chat with sosreport_t domain
- Update  tomcat_can_network_connect_db boolean to allow tomcat domains also connect to redis ports
- Allow mysqld_t domain to manage cluster pid files
- Relabel  /usr/sbin/virtlockd from virt_exec_t to virtlogd_exec_t.
- Allow ptp4l_t domain to write to pmc socket which is created by pmc command line tool
- Allow dkim-milter to send e-mails BZ(1716937)
- Update spamassasin policy to make working /usr/share/spamassassin/sa-update.cron script BZ(1711799)
- Update svnserve_t policy to make working svnserve hooks
- Allow varnishlog_t domain to check for presence of varnishd_t domains
- Update sandboxX policy to make working firefox inside SELinux sandbox
- Remove allow rule from svirt_transition_svirt_sandbox interface to don't allow containers to connect to random services
- Allow httpd_t domain to read /var/lib/softhsm/tokens to allow httpd daemon to use pkcs#11 devices
- Allow gssd_t domain to list tmpfs_t dirs
- Allow mdadm_t domain to read tmpfs_t files
- Allow sbd_t domain to check presence of processes labeled as cluster_t
- Dontaudit httpd_sys_script_t to read systemd unit files
- Allow blkmapd_t domain to read nvme devices
- Update cpucontrol_t domain to make working microcode service
- Allow domain transition from logwatch_t do postfix_postqueue_t
- Allow chronyc_t domain to create and write to non_security files in case when sysadmin is redirecting output to file e.g: 'chronyc -n tracking > /var/lib/test'
- Allow httpd_sys_script_t domain to mmap httpcontent
- Allow sbd_t to manage cgroups_t files
- Update wireshark policy to make working tshar labeled as wireshark_t
- Update virt_use_nfs boolean to allow svirt_t domain to mmap nfs_t files
- Allow sysadm_t domain to create netlink selinux sockets
- Make cgdcbxd active in Fedora upstream sources
- Allow sysadm_t domain to dbus chat with rtkit daemon
- Allow x_userdomains to nnp domain transition to thumb_t domain
- Allow unconfined_domain_type to setattr own process lnk files.
- Add interface files_write_generic_pid_sockets()
- Dontaudit writing to user home dirs by gnome-keyring-daemon
- Allow staff and admin domains to setpcap in user namespace
- Allow staff and sysadm to use lockdev
- Allow staff and sysadm users to run iotop.
- Dontaudit traceroute_t domain require sys_admin capability
- Dontaudit dbus chat between kernel_t and init_t
- Allow systemd labeled as init_t to create mountpoints without any specific label as default_t
2019-07-17 17:58:49 +02:00
Lukas Vrabec
9a1d06b5aa
* Wed Jul 10 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.4-23
- Update dbusd policy and netowrkmanager to allow confined users to connect to vpn over NetworkManager
- Fix all interfaces which cannot by compiled because of typos
- Allow X userdomains to mmap user_fonts_cache_t dirs
2019-07-10 10:16:00 +02:00
Lukas Vrabec
f57a61daab
* Mon Jul 08 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.4-22
- Label /var/kerberos/krb5 as krb5_keytab_t
- Allow glusterd_t domain to setpgid
- Allow lsmd_t domain to execute /usr/bin/debuginfo-install
- Allow sbd_t domain to manage cgroup dirs
- Allow opafm_t domain to modify scheduling information of another process.
- Allow wireshark_t domain to create netlink netfilter sockets
- Allow gpg_agent_t domain to use nsswitch
- Allow httpd script types to mmap httpd rw content
- Allow dkim_milter_t domain to execute shell BZ(17116937)
- Allow sbd_t domain to use nsswitch
- Allow rhsmcertd_t domain to send signull to all domains
- Allow snort_t domain to create netlink netfilter sockets BZ(1723184)
- Dontaudit blueman to read state of all domains on system BZ(1722696)
- Allow boltd_t domain to use ps and get state of all domains on system. BZ(1723217)
- Allow rtkit_daemon_t to uise sys_ptrace usernamespace capability BZ(1723308)
- Replace "-" by "_" in types names
- Change condor_domain declaration in condor_systemctl
- Allow firewalld_t domain to read iptables_var_run_t files BZ(1722405)
- Allow auditd_t domain to send signals to audisp_remote_t domain
- Allow systemd labeled as init_t domain to read/write faillog_t. BZ(1723132)
- Allow systemd_tmpfiles_t domain to relabel from usermodehelper_t files
- Add interface kernel_relabelfrom_usermodehelper()
- Dontaudit unpriv_userdomain to manage boot_t files
- Allow xdm_t domain to mmap /var/lib/gdm/.cache/fontconfig BZ(1725509)
- Allow systemd to execute bootloader grub2-set-bootflag BZ(1722531)
- Allow associate efivarfs_t on sysfs_t
2019-07-08 10:00:11 +02:00
Lukas Vrabec
0c72b2ee98
Add new sources 2019-06-18 09:30:20 +02:00
Lukas Vrabec
4d8c6240ed
* Tue Jun 18 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.4-21
- Add vnstatd_var_lib_t to mountpoint attribute BZ(1648864)
- cockpit: Support split-out TLS proxy
- Allow dkim_milter_t to use shell BZ(1716937)
- Create explicit fc rule for mailman executable BZ(1666004)
- Update interface networkmanager_manage_pid_files() to allow manage also dirs
- Allow dhcpd_t domain to mmap dnssec_t files BZ(1718701)
- Add new interface bind_map_dnssec_keys()
- Update virt_use_nfs() boolean to allow virt_t to mmap nfs_t files
- Allow redis_t domain to read public sssd files
- Allow fetchmail_t to connect to dovecot stream sockets BZ(1715569)
- Allow confined users to login via cockpit
- Allow nfsd_t domain to do chroot becasue of new version of nfsd
- Add gpg_agent_roles to system_r roles
- Allow qpidd_t domain to getattr all fs_t filesystem and mmap usr_t files
- Allow rhsmcertd_t domain to manage rpm cache
- Allow sbd_t domain to read tmpfs_t symlinks
- Allow ctdb_t domain to manage samba_var_t files/links/sockets and dirs
- Allow kadmind_t domain to read home config data
- Allow sbd_t domain to readwrite cgroups
- Allow NetworkManager_t domain to read nsfs_t files BZ(1715597)
- Label /var/log/pacemaker/pacemaker as cluster_var_log_t
- Allow certmonger_t domain to manage named cache files/dirs
- Allow pcp_pmcd_t domain to domtrans to mdadm_t domain BZ(1714800)
- Allow crack_t domain read /et/passwd files
- Label fontconfig cache and config files and directories BZ(1659905)
- Allow dhcpc_t domain to manage network manager pid files
- Label /usr/sbin/nft as iptables_exec_t
- Allow userdomain attribute to manage cockpit_ws_t stream sockets
- Allow ssh_agent_type to read/write cockpit_session_t unnamed pipes
- Add interface ssh_agent_signal()
2019-06-18 09:29:06 +02:00
Lukas Vrabec
191f6b36c3
* Thu May 30 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.4-20
- Allow pcp_pmcd_t domain to domtrans to mdadm_t domain BZ(1714800)
- Allow spamd_update_t to exec itsef
- Fix broken logwatch SELinux module
- Allow logwatch_mail_t to manage logwatch cache files/dirs
- Update wireshark_t domain to use several sockets
- Allow sysctl_rpc_t and sysctl_irq_t to be stored on fs_t
2019-05-30 11:43:45 +02:00
Lukas Vrabec
46a2445aaf
* Mon May 27 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.4-19
- Fix bind_read_cache() interface to allow only read perms to caller domains
- [speech-dispatcher.if] m4 macro names can not have - in them
- Grant varnishlog_t access to varnishd_etc_t
- Allow nrpe_t domain to read process state of systemd_logind_t
- Allow mongod_t domain to connect on https port BZ(1711922)
- Allow chronyc_t domain to create own tmpfiles and allow communicate send data over unix dgram sockets
- Dontaudit spamd_update_t domain to read all domains states BZ(1711799)
- Allow pcp_pmie_t domain to use sys_ptrace usernamespace cap BZ(1705871)
- Allow userdomains to send data over dgram sockets to userdomains dbus services BZ(1710119)
- Revert "Allow userdomains to send data over dgram sockets to userdomains dbus services BZ(1710119)"
- Make boinc_var_lib_t mountpoint BZ(1711682)
- Allow wireshark_t domain to create fifo temp files
- All NetworkManager_ssh_t rules have to be in same optional block with ssh_basic_client_template(), fixing this bug in NetworkManager policy
- Allow dbus chat between NetworkManager_t and NetworkManager_ssh_t domains. BZ(1677484)
- Fix typo in gpg SELinux module
- Update gpg policy to make ti working with confined users
- Add domain transition that systemd labeled as init_t can execute spamd_update_exec_t binary to run newly created process as spamd_update_t
- Remove allow rule for virt_qemu_ga_t to write/append user_tmp_t files
- Label /var/run/user/*/dbus-1 as session_dbusd_tmp_t
- Add dac_override capability to namespace_init_t domain
- Label /usr/sbin/corosync-qdevice as cluster_exec_t
- Allow NetworkManager_ssh_t domain to open communication channel with system dbus. BZ(1677484)
- Label /usr/libexec/dnf-utils as debuginfo_exec_t
- Alow nrpe_t to send signull to sssd domain when nagios_run_sudo boolean is turned on
- Allow nrpe_t domain to be dbus cliennt
- Add interface sssd_signull()
- Build in parallel on Travis
- Fix parallel build of the policy
- Revert "Make able deply overcloud via neutron_t to label nsfs as fs_t"
- Add interface systemd_logind_read_state()
- Fix find commands in Makefiles
- Allow systemd-timesyncd to read network state BZ(1694272)
- Update userdomains to allow confined users to create gpg keys
- Allow associate all filesystem_types with fs_t
- Dontaudit syslogd_t using kill in unamespaces BZ(1711122)
- Allow init_t to manage session_dbusd_tmp_t dirs
- Allow systemd_gpt_generator_t to read/write to clearance
- Allow su_domain_type to getattr to /dev/gpmctl
- Update userdom_login_user_template() template to make working systemd user session for guest and xguest SELinux users
2019-05-27 16:47:47 +02:00
Lukas Vrabec
4ce765ae0a
* Fri May 17 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.4-18
- Fix typo in gpg SELinux module
- Update gpg policy to make ti working with confined users
- Add domain transition that systemd labeled as init_t can execute spamd_update_exec_t binary to run newly created process as spamd_update_t
- Remove allow rule for virt_qemu_ga_t to write/append user_tmp_t files
- Label /var/run/user/*/dbus-1 as session_dbusd_tmp_t
- Add dac_override capability to namespace_init_t domain
- Label /usr/sbin/corosync-qdevice as cluster_exec_t
- Allow NetworkManager_ssh_t domain to open communication channel with system dbus. BZ(1677484)
- Label /usr/libexec/dnf-utils as debuginfo_exec_t
- Alow nrpe_t to send signull to sssd domain when nagios_run_sudo boolean is turned on
- Allow nrpe_t domain to be dbus cliennt
- Add interface sssd_signull()
- Label /usr/bin/tshark as wireshark_exec_t
- Update userdomains to allow confined users to create gpg keys
- Allow associate all filesystem_types with fs_t
- Dontaudit syslogd_t using kill in unamespaces BZ(1711122)
- Allow init_t to manage session_dbusd_tmp_t dirs
- Allow systemd_gpt_generator_t to read/write to clearance
- Allow su_domain_type to getattr to /dev/gpmctl
- Update userdom_login_user_template() template to make working systemd user session for guest and xguest SELinux users
2019-05-18 01:04:36 +02:00
Lukas Vrabec
fb7eb895aa
* Fri May 17 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.4-17
- Alow nrpe_t to send signull to sssd domain when nagios_run_sudo boolean is turned on
- Allow nrpe_t domain to be dbus cliennt
- Add interface sssd_signull()
- Label /usr/bin/tshark as wireshark_exec_t
- Fix typo in dbus_role_template()
- Allow userdomains to send data over dgram sockets to userdomains dbus services BZ(1710119)
- Allow userdomains dbus domain to execute dbus broker. BZ(1710113)
- Allow dovedot_deliver_t setuid/setgid capabilities BZ(1709572)
- Allow virt domains to access xserver devices BZ(1705685)
- Allow aide to be executed by systemd with correct (aide_t) domain BZ(1648512)
- Dontaudit svirt_tcg_t domain to read process state of libvirt BZ(1594598)
- Allow pcp_pmie_t domain to use fsetid capability BZ(1708082)
- Allow pcp_pmlogger_t to use setrlimit BZ(1708951)
- Allow gpsd_t domain to read udev db BZ(1709025)
- Add sys_ptrace capaiblity for  namespace_init_t domain
- Allow systemd to execute sa-update in spamd_update_t domain BZ(1705331)
- Allow rhsmcertd_t domain to read rpm cache files
- Label /efi same as /boot/efi boot_t BZ(1571962)
- Allow transition from udev_t to tlp_t BZ(1705246)
- Remove initrc_exec_t for /usr/sbin/apachectl file
2019-05-17 18:12:55 +02:00
Lukas Vrabec
1938d6c60c
Update broken sources 2019-05-04 17:45:09 +02:00
Lukas Vrabec
2a04dcf5c8
* Fri May 03 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.4-16
- Add fcontext for apachectl util to fix missing output when executed "httpd -t" from this script.
2019-05-04 00:00:01 +02:00
Lukas Vrabec
a0e74cb580
* Thu May 02 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.4-15
- Allow iscsid_t domain to mmap modules_dep_t files
- Allow ngaios to use chown capability
- Dontaudit gpg_domain to create netlink_audit sockets
- Remove role transition in rpm_run() interface to allow sysadm_r jump to rpm_t type. BZ(1704251)
- Allow dirsrv_t domain to execute own tmp files BZ(1703111)
- Update fs_rw_cephfs_files() interface to allow also caller domain to read/write cephpfs_t lnk files
- Update domain_can_mmap_files() boolean to allow also mmap lnk files
- Improve userdom interfaces to drop guest_u SELinux user to use nsswitch
2019-05-02 15:46:11 +02:00
Lukas Vrabec
2c13568192
* Fri Apr 26 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.4-14
- Allow transition from cockpit_session to unpriv user domains
2019-04-26 16:46:34 +02:00
Lukas Vrabec
ca2231a93a
Add missing sources 2019-04-25 17:55:05 +02:00
Lukas Vrabec
2675489867
* Thu Apr 25 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.4-13
- Introduce deny_bluetooth boolean
- Allow greylist_milter_t to read network system state BZ(1702672)
- Allow freeipmi domains to mmap freeipmi_var_cache_t files
- Allow rhsmcertd_t and rpm_t domains to chat over dbus
- Allow thumb_t domain to delete cache_home_t files BZ(1701643)
- Update gnome_role_template() to allow _gkeyringd_t domains to chat with systemd_logind over dbus
- Add new interface boltd_dbus_chat()
- Allow fwupd_t and modemmanager_t domains to communicate over dbus BZ(1701791)
- Allow keepalived_t domain to create and use netlink_connector sockets BZ(1701750)
- Allow cockpit_ws_t domain to set limits BZ(1701703)
- Update Nagios policy when sudo is used
- Deamon rhsmcertd is able to install certs for docker again
- Introduce deny_bluetooth boolean
- Don't allow a container to connect to random services
- Remove file context /usr/share/spamassassin/sa-update\.cron -> bin_t to label sa-update.cron as spamd_update_exec_t.
- Allow systemd_logind_t and systemd_resolved_t domains to chat over dbus
- Allow unconfined_t to use bpf tools
- Allow x_userdomains to communicate with boltd daemon over dbus
2019-04-25 17:29:03 +02:00
Lukas Vrabec
a64329452e
* Fri Apr 19 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.4-12
- Fix typo in cups SELinux policy
- Allow iscsid_t to read modules deps BZ(1700245)
- Allow cups_pdf_t domain to create cupsd_log_t dirs in /var/log BZ(1700442)
- Allow httpd_rotatelogs_t to execute generic binaries
- Update system_dbus policy because of dbus-broker-20-2
- Allow httpd_t doman to read/write /dev/zero device  BZ(1700758)
- Allow tlp_t domain to read module deps files BZ(1699459)
- Add file context for /usr/lib/dotnet/dotnet
- Update dev_rw_zero() interface by adding map permission
- Allow bounded transition for executing init scripts
2019-04-19 22:39:06 +02:00
Lukas Vrabec
05bc3ebd5c
* Fri Apr 12 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.4-11
- Allow mongod_t domain to lsearch in cgroups BZ(1698743)
- Allow rngd communication with pcscd BZ(1679217)
- Create cockpit_tmpfs_t and allow cockpit ws and session to use it BZ(1698405)
- Fix broken networkmanager interface for allowing manage lib files for dnsmasq_t.
- Update logging_send_audit_msgs(sudodomain() to control TTY auditing for netlink socket for audit service
2019-04-12 23:24:21 +02:00
Lukas Vrabec
cba3e984f6
* Tue Apr 09 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.4-10
- Allow systemd_modules_load to read modules_dep_t files
- Allow systemd labeled as init_t to setattr on unallocated ttys BZ(1697667)
2019-04-09 10:57:19 +02:00
Lukas Vrabec
2809c70adb
* Mon Apr 08 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.4-9
- Merge #18 `Add check for config file consistency`
- Allow tlp_t domain also write to nvme_devices block devices BZ(1696943)
- Fix typo in rhsmcertd SELinux module
- Allow dnsmasq_t domain to manage NetworkManager_var_lib_t files
- Allow rhsmcertd_t domain to read yum.log file labeled as rpm_log_t
- Allow unconfined users to use vsock unlabeled sockets
- Add interface kernel_rw_unlabeled_vsock_socket()
- Allow unconfined users to use smc unlabeled sockets
- Add interface kernel_rw_unlabeled_smc_socket
- Allow systemd_resolved_t domain to read system network state BZ(1697039)
- Allow systemd to mounton kernel sysctls BZ(1696201)
- Add interface kernel_mounton_kernel_sysctl() BZ(1696201)
- Allow systemd to mounton several systemd direstory to increase security of systemd Resolves: rhbz#1696201
2019-04-08 15:54:57 +02:00
Lukas Vrabec
29b329cf28
Update missing sources 2019-04-05 19:30:47 +02:00
Lukas Vrabec
47a2243adc
* Fri Apr 05 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.4-8
- Allow systemd to mounton several systemd direstory to increase security of systemd
Resolves: rhbz#1696201
2019-04-05 16:26:48 +02:00
Lukas Vrabec
fe3eb5975b
Fix some conflicting filename transition rules in the policy sources 2019-04-04 11:02:58 +02:00
Lukas Vrabec
c4065f7c94
* Wed Apr 03 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.4-7
- Allow fontconfig file transition for xguest_u user
- Add gnome_filetrans_fontconfig_home_content interface
- Add permissions needed by systemd's machinectl shell/login
- Update SELinux policy for xen services
- Add dac_override capability for kdumpctl_t process domain
- Allow chronyd_t domain to exec shell
- Fix varnisncsa typo
- Allow init start freenx-server BZ(1678025)
- Create logrotate_use_fusefs boolean
- Add tcpd_wrapped_domain for telnetd BZ(1676940)
- Allow tcpd bind to services ports BZ(1676940)
- Update mysql_filetrans_named_content() to allow cluster to create mysql dirs in /var/run with proper label mysqld_var_run_t
- Make shell_exec_t type as entrypoint for vmtools_unconfined_t.
- Merge branch 'rawhide' of github.com:fedora-selinux/selinux-policy-contrib into rawhide
- Allow virtlogd_t domain to create virt_etc_rw_t files in virt_etc_t
- Allow esmtp access .esmtprc BZ(1691149)
- Merge branch 'rawhide' of github.com:fedora-selinux/selinux-policy-contrib into rawhide
- Allow tlp_t domain to read nvme block devices BZ(1692154)
- Add support for smart card authentication in cockpit BZ(1690444)
- Add permissions needed by systemd's machinectl shell/login
- Allow kmod_t domain to mmap modules_dep_t files.
- Allow systemd_machined_t dac_override capability BZ(1670787)
- Update modutils_read_module_deps_files() interface to also allow mmap module_deps_t files
- Allow unconfined_domain_type to use bpf tools BZ(1694115)
- Revert "Allow unconfined_domain_type to use bpf tools BZ(1694115)"
- Merge branch 'rawhide' of github.com:fedora-selinux/selinux-policy into rawhide
- Allow unconfined_domain_type to use bpf tools BZ(1694115)
- Allow init_t read mnt_t symlinks BZ(1637070)
- Update dev_filetrans_all_named_dev() interface
- Allow xdm_t domain to execmod temp files BZ(1686675)
- Revert "Allow xdm_t domain to create own tmp files BZ(1686675)"
- Allow getty_t, local_login_t, chkpwd_t and passwd_t to use usbttys. BZ(1691582)
- Allow confined users labeled as staff_t to run iptables.
- Merge branch 'rawhide' of github.com:fedora-selinux/selinux-policy into rawhide
- Allow xdm_t domain to create own tmp files BZ(1686675)
- Add miscfiles_dontaudit_map_generic_certs interface.
2019-04-03 14:33:40 +02:00
Lukas Vrabec
bccf0f816c
* Sat Mar 23 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.4-6
- Allow boltd_t domain to write to sysfs_t dirs BZ(1689287)
- Allow fail2ban execute journalctl BZ(1689034)
- Update sudodomains to make working confined users run sudo/su
- Introduce new boolean unconfined_dyntrans_all.
- Allow iptables_t domain to read NetworkManager state BZ(1690881)
2019-03-23 15:32:56 +01:00
Lukas Vrabec
7dd08a5cde
* Tue Mar 19 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.4-5
- Update xen SELinux module
- Improve labeling for PCP plugins
- Allow varnishd_t domain to read sysfs_t files
- Update vmtools policy
- Allow virt_qemu_ga_t domain to read udev_var_run_t files
- Update nagios_run_sudo boolean with few allow rules related to accessing sssd
- Update file context for modutils rhbz#1689975
- Label /dev/xen/hypercall and /dev/xen/xenbus_backend as xen_device_t Resolves: rhbz#1679293
- Grant permissions for onloadfs files of all classes.
- Allow all domains to send dbus msgs to vmtools_unconfined_t processes
- Label /dev/pkey as crypt_device_t
- Allow sudodomains to write to systemd_logind_sessions_t pipes.
- Label /usr/lib64/libcuda.so.XX.XX library as textrel_shlib_t.
2019-03-19 11:32:41 +01:00
Lukas Vrabec
a8da133b94
* Wed Mar 12 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.4-4
- Update vmtools policy
- Allow virt_qemu_ga_t domain to read udev_var_run_t files
- Update nagios_run_sudo boolean with few allow rules related to accessing sssd
- Update travis CI to install selinux-policy dependencies without checking for gpg check
- Allow journalctl_t domain to mmap syslogd_var_run_t files
- Allow smokeping process to mmap own var lib files and allow set process group. Resolves: rhbz#1661046
- Allow sbd_t domain to bypass permission checks for sending signals
- Allow sbd_t domain read/write all sysctls
- Allow kpatch_t domain to communicate with policykit_t domsin over dbus
- Allow boltd_t to stream connect to sytem dbus
- Allow zabbix_t domain to create sockets labeled as zabbix_var_run_t BZ(1683820)
- Allow all domains to send dbus msgs to vmtools_unconfined_t processes
- Label /dev/pkey as crypt_device_t
- Allow sudodomains to write to systemd_logind_sessions_t pipes.
- Label /usr/lib64/libcuda.so.XX.XX library as textrel_shlib_t.
- Allow ifconfig_t domain to read /dev/random BZ(1687516)
- Fix interface modutils_run_kmod() where was used old interface modutils_domtrans_insmod instead of new one modutils_domtrans_kmod() Resolves: rhbz#1686660
- Update travis CI to install selinux-policy dependencies without checking for gpg check
- Label /usr/sbin/nodm as xdm_exec_t same as other display managers
- Update userdom_admin_user_template() and init_prog_run_bpf() interfaces to make working bpftool for confined admin
- Label /usr/sbin/e2mmpstatus as fsadm_exec_t Resolves: rhbz#1684221
- Update unconfined_dbus_send() interface to allow both direction communication over dbus with unconfined process.
2019-03-12 18:42:45 +01:00
Lukas Vrabec
43393ba497
* Wed Feb 27 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.4-3
- Reverting https://src.fedoraproject.org/rpms/selinux-policy/pull-request/15 because "%pretrans" cannot use shell scripts.
Resolves: rhbz#1683365
2019-02-27 10:18:03 +01:00
Lukas Vrabec
c2043acf2b
* Tue Feb 26 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.4-2
- Merge insmod_t, depmod_t and update_modules_t do kmod_t
2019-02-26 11:07:59 +01:00
Lukas Vrabec
8be35be283
* Mon Feb 25 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.4-1
- Allow openvpn_t domain to set capability BZ(1680276)
- Update redis_enable_notify() boolean to fix sending e-mail by redis when this boolean is turned on
- Allow chronyd_t domain to send data over dgram socket
- Add rolekit_dgram_send() interface
- Fix bug in userdom_restricted_xwindows_user_template() template to disallow all user domains to access admin_home_t - kernel/files.fc: Label /var/run/motd.d(./*)? and /var/run/motd as pam_var_run_t
2019-02-25 23:17:05 +01:00
Lukas Vrabec
3f88fcf054
Add missing sources 2019-02-14 17:54:25 +01:00
Lukas Vrabec
c3cce98fea
* Thu Feb 14 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.3-22
- Allow dovecot_t domain to connect to mysql db
- Add dac_override capability for sbd_t SELinux domain
- Add dac_override capability for  spamd_update_t domain
- Allow nnp transition for domains fsadm_t, lvm_t and mount_t - Add fs_manage_fusefs_named_pipes interface
2019-02-14 17:52:26 +01:00
Lukas Vrabec
37bb67856f
* Tue Feb 12 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.3-21
- Allow glusterd_t to write to automount unnamed pipe Resolves: rhbz#1674243
- Allow ddclient_t to setcap Resolves: rhbz#1674298
- Add dac_override capability to vpnc_t domain
- Add dac_override capability to spamd_t domain
- Allow ibacm_t domain to read system state and label all ibacm sockets and symlinks as ibacm_var_run_t in /var/run
- Allow read network state of system for processes labeled as ibacm_t
- Allow ibacm_t domain to send dgram sockets to kernel processes
- Allow dovecot_t to connect to MySQL UNIX socket
- Fix CI for use on forks
- Fix typo bug in sensord policy
- Update ibacm_t policy after testing lastest version of this component
- Allow sensord_t domain to mmap own log files
- Allow virt_doamin to read/write dev device
- Add dac_override capability for ipa_helper_t
- Update policy with multiple allow rules to make working installing VM in MLS policy
- Allow syslogd_t domain to send null signal to all domains on system Resolves: rhbz#1673847 - Merge branch 'rawhide' of github.com:fedora-selinux/selinux-policy into rawhide - Allow systemd-logind daemon to remove shared memory during logout Resolves: rhbz#1674172 - Always label /home symlinks as home_root_t - Update mount_read_pid_files macro to allow also list mount_var_run_t dirs - Fix typo bug in userdomain SELinux policy - Merge branch 'rawhide' of github.com:fedora-selinux/selinux-policy into rawhide - Allow user domains to stop systemd user sessions during logout process - Fix CI for use on forks - Label /dev/sev char device as sev_device_t - Add s_manage_fusefs_named_sockets interface - Allow systemd-journald to receive messages including a memfd
2019-02-12 17:05:35 +01:00
Lukas Vrabec
6fe0e8a6a7
* Sat Feb 02 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.3-20
- Allow sensord_t domain to use nsswitch and execute shell
- Allow opafm_t domain to execute lib_t files
- Allow opafm_t domain to manage kdump_crash_t files and dirs
- Allow virt domains to read/write cephfs filesystems
- Allow virtual machine to write to fixed_disk_device_t
- Update kdump_manage_crash() interface to allow also manage dirs by caller domain Resolves: rhbz#1491585
- Allow svnserve_t domain to create in /tmp svn_0 file labeled as krb5_host_rcache_t
- Allow vhostmd_t read libvirt configuration files
- Update dbus_role_template interface to allow userdomains to accept data from userdomain dbus domains
- Add miscfiles_filetrans_named_content_letsencrypt() to optional_block - Allow unconfined domains to create letsencrypt directory in /var/lib labeled as cert_t - Allow staff_t user to systemctl iptables units. - Allow systemd to read selinux logind config - obj_perm_sets.spt: Add xdp_socket to socket_class_set. - Add xdp_socket security class and access vectors - Allow transition from init_t domain to user_t domain during ssh login with confined user user_u
2019-02-02 13:41:12 +01:00
Lukas Vrabec
5664a30563
Add missing sources 2019-01-29 16:58:50 +01:00
Lukas Vrabec
ee38f3e105
* Tue Jan 29 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.3-19
- Add new xdp_socket class
- Update dbus_role_template interface to allow userdomains to accept data from userdomain dbus domains
- Allow boltd_t domain to read cache_home_t files BZ(1669911)
- Allow winbind_t domain to check for existence of processes labeled as systemd_hostnamed_t BZ(1669912)
- Allow gpg_agent_t to create own tmpfs dirs and sockets
- Allow openvpn_t domain to manage vpnc pidfiles BZ(1667572)
- Add multiple interfaces for vpnc interface file
- Label /var/run/fcgiwrap dir as httpd_var_run_t BZ(1655702)
- In MongoDB 3.4.16, 3.6.6, 4.0.0 and later, mongod reads netstat info from proc and stores it in its diagnostic system (FTDC). See: https://jira.mongodb.org/browse/SERVER-31400 This means that we need to adjust the policy so that the mongod process is allowed to open and read /proc/net/netstat, which typically has symlinks (e.g. /proc/net/snmp).
- Allow gssd_t domain to manage kernel keyrings of every domain.
- Revert "Allow gssd_t domain to read/write kernel keyrings of every domain."
- Allow plymouthd_t search efivarfs directory BZ(1664143)
2019-01-29 16:51:11 +01:00
Lukas Vrabec
1d650f7cbb
* Tue Jan 15 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.3-18
- Allow plymouthd_t search efivarfs directory BZ(1664143)
- Allow arpwatch send e-mail notifications BZ(1657327)
- Allow tangd_t domain to bind on tcp ports labeled as tangd_port_t
- Allow gssd_t domain to read/write kernel keyrings of every domain.
- Allow systemd_timedated_t domain nnp_transition BZ(1666222)
- Add the fs_search_efivarfs_dir interface
- Create tangd_port_t with default label tcp/7406
- Add interface domain_rw_all_domains_keyrings()
- Some of the selinux-policy macros doesn't work in chroots/initial installs. BZ(1665643)
2019-01-15 18:29:10 +01:00
Lukas Vrabec
f1dd2fa0f0
* Fri Jan 11 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.3-17
- Allow staff_t domain to read read_binfmt_misc filesystem
- Add interface fs_read_binfmt_misc()
- Revert "Allow staff_t to rw binfmt_misc_fs_t files BZ(1658975)"
2019-01-11 16:07:53 +01:00
Lukas Vrabec
78bc214808
* Fri Jan 11 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.3-16
- Allow sensord_t to execute own binary files
- Allow pcp_pmlogger_t domain to getattr all filesystem BZ(1662432)
- Allow virtd_lxc_t domains use BPF BZ(1662613)
- Allow openvpn_t domain to read systemd state BZ(1661065)
- Dontaudit ptrace all domains for blueman_t BZ(1653671)
- Used correct renamed interface for imapd_t domain
- Change label of /usr/libexec/lm_sensors/sensord-service-wrapper from lsmd_exec_t to sensord_exec_t BZ(1662922)
- Allow hddtemp_t domain to read nvme block devices BZ(1663579)
- Add dac_override capability to spamd_t domain BZ(1645667)
- Allow pcp_pmlogger_t to mount tracefs_t filesystem BZ(1662983)
- Allow pcp_pmlogger_t domain to read al sysctls BZ(1662441)
- Specify recipients that will be notified about build CI results.
- Allow saslauthd_t domain to mmap own pid files BZ(1653024)
- Add dac_override capability for snapperd_t domain BZ(1619356)
- Make kpatch_t domain application domain to allow users to execute kpatch in kpatch_t domain.
- Add ipc_owner capability to pcp_pmcd_t domain BZ(1655282)
- Update pulseaudio_stream_connect() to allow caller domain create stream sockets to cumminicate with pulseaudio
- Allow pcp_pmlogger_t domain to send signals to rpm_script_t BZ(1651030)
- Add new interface: rpm_script_signal()
- Allow init_t domain to mmap init_var_lib_t files and dontaudit leaked fd. BZ(1651008)
- Make workin: systemd-run --system --pty bash BZ(1647162)
- Allow ipsec_t domain dbus chat with systemd_resolved_t BZ(1662443)
- Allow staff_t to rw binfmt_misc_fs_t files BZ(1658975)
- Specify recipients that will be notified about build CI results.
- Label /usr/lib/systemd/user as systemd_unit_file_t BZ(1652814)
- Allow sysadm_t,staff_t and unconfined_t domain to execute kpatch as kpatch_t domain
- Add rules to allow systemd to mounton systemd_timedated_var_lib_t.
- Allow x_userdomains to stream connect to pulseaudio BZ(1658286)
2019-01-11 12:46:15 +01:00