Commit Graph

1917 Commits

Author SHA1 Message Date
Lukas Vrabec
51dc83b2d4 Commit removes big SELinux policy patches against tresys refpolicy.
We're quite diverted from upstream policy. This change will use tarballs
from github projects:
https://github.com/fedora-selinux/selinux-policy
https://github.com/fedora-selinux/selinux-policy-contrib
2018-01-08 18:28:27 +01:00
Lukas Vrabec
b9923641ff * Mon Jan 08 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-310
- Use python3 package in BuildRequires to ensure python version 3 will be used for compiling SELinux policy
2018-01-08 12:28:09 +01:00
Lukas Vrabec
af863d8251 * Fri Jan 05 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-309
- auth_use_nsswitch() interface cannot be used for attributes fixing munin policy
- Allow git_script_t to mmap git_user_content_t files BZ(1530937)
- Allow certmonger domain to create temp files BZ(1530795)
- Improve interface mock_read_lib_files() to include also symlinks. BZ(1530563)
- Allow fsdaemon_t to read nvme devices BZ(1530018)
- Dontaudit fsdaemon_t to write to admin homedir. BZ(153030)
- Update munin plugin policy BZ(1528471)
- Allow sendmail_t domain to be system dbusd client BZ(1478735)
- Allow amanda_t domain to getattr on tmpfs filesystem BZ(1527645)
- Allow named file transition to create rpmrebuilddb dir with proper SELinux context BZ(1461313)
- Dontaudit httpd_passwd_t domain to read state of systemd BZ(1522672)
- Allow thumb_t to mmap non security files BZ(1517393)
- Allow smbd_t to mmap files with label samba_share_t BZ(1530453)
- Fix broken sysnet_filetrans_named_content() interface
- Allow init_t to create tcp sockets for unconfined services BZ(1366968)
- Allow xdm_t to getattr on xserver_t process files BZ(1506116)
- Allow domains which can create resolv.conf file also create it in systemd_resolved_var_run_t dir BZ(1530297)
- Allow X userdomains to send dgram msgs to xserver_t BZ(1515967)
- Add interface files_map_non_security_files()
2018-01-05 15:16:17 +01:00
Lukas Vrabec
46f9f9c36a * Thu Jan 04 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-308
- Make working SELinux sandbox with Wayland. BZ(1474082)
- Allow postgrey_t domain to mmap postgrey_spool_t files BZ(1529169)
- Allow dspam_t to mmap dspam_rw_content_t files BZ(1528723)
- Allow collectd to connect to lmtp_port_t BZ(1304029)
- Allow httpd_t to mmap httpd_squirrelmail_t files BZ(1528776)
- Allow thumb_t to mmap removable_t files. BZ(1522724)
- Allow sssd_t and login_pgm attribute to mmap auth_cache_t files BZ(1530118)
- Add interface fs_mmap_removable_files()
2018-01-04 13:06:00 +01:00
Lukas Vrabec
d319e75862 sandbox SELinux module is part ofd distribution policy and should have 100 priority 2018-01-04 11:45:11 +01:00
Lukas Vrabec
73d7285c92 * Tue Dec 19 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-307
- Allow crond_t to read pcp lib files BZ(1525420)
- Allow mozilla plugin domain to mmap user_home_t files BZ(1452783)
- Allow certwatch_t to mmap generic certs. BZ(1527173)
- Allow dspam_t to manage dspam_rw_conent_t objects. BZ(1290876)
- Add interface userdom_map_user_home_files()
- Sytemd introduced new feature when journald(syslogd_t) is trying to read symlinks to unit files in /run/systemd/units. This commit label /run/systemd/units/* as systemd_unit_file_t and allow syslogd_t to read this content. BZ(1527202)
- Allow xdm_t dbus chat with modemmanager_t BZ(1526722)
- All domains accessing home_cert_t objects should also mmap it. BZ(1519810)
2017-12-19 16:18:46 +01:00
Jonathan Lebon
66de8d371d Don't own %{_rpmconfigdir}
This directory is already owned by rpm. I couldn't find a specific
section in the packaging guidelines, but it seems to me we shouldn't do
this. There's no good reason for it and it can lead to confusion.
Quickly scanning over all Fedora spec files that install RPM macros, I
couldn't find any other package that owns `%{_rpmconfigdir}`.
2017-12-14 20:15:05 +00:00
Lukas Vrabec
270b6479cd * Wed Dec 13 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-306
- Allow thumb_t domain to dosfs_t BZ(1517720)
- Allow gssd_t to read realmd_var_lib_t files BZ(1521125)
- Allow domain transition from logrotate_t to chronyc_t BZ(1436013)
- Allow git_script_t to mmap git_sys_content_t BZ(1517541)
- Label /usr/bin/mysqld_safe_helper as mysqld_exec_t instead of bin_t BZ(1464803)
- Label /run/openvpn-server/ as openvpn_var_run_t BZ(1478642)
- Allow colord_t to mmap xdm pid files BZ(1518382)
- Allow arpwatch to mmap usbmon device BZ(152456)
- Allow mandb_t to read public sssd files BZ(1514093)
- Allow ypbind_t stream connect to rpcbind_t domain BZ(1508659)
- Allow qpid to map files.
- Allow plymouthd_t to mmap firamebuf device BZ(1517405)
- Dontaudit pcp_pmlogger_t to sys_ptrace capability BZ(1416611)
- Update mta_manage_spool() interface to allow caller domain also mmap mta_spool_t files BZ(1517449)
- Allow antivirus_t domain to mmap antivirus_db_t files BZ(1516816)
- Allow cups_pdf_t domain to read cupd_etc_t dirs BZ(1516282)
- Allow openvpn_t domain to relabel networkmanager tun device BZ(1436048)
- Allow mysqld_t to mmap mysqld_tmp_t files BZ(1516899)
- Update samba_manage_var_files() interface by adding map permission. BZ(1517125)
- Allow pcp_pmlogger_t domain to execute itself. BZ(1517395)
- Dontaudit sys_ptrace capability for mdadm_t BZ(1515849)
- Allow pulseaudio_t domain to mmap pulseaudio_home_t files BZ(1515956)
- Allow bugzilla_script_t domain to create netlink route sockets and udp sockets BZ(1427019)
- Add interface fs_map_dos_files()
- Update interface userdom_manage_user_home_content_files() to allow caller domain to mmap user_home_t files. BZ(1519729)
- Add interface xserver_map_xdm_pid() BZ(1518382)
- Add new interface dev_map_usbmon_dev() BZ(1524256)
- Update miscfiles_read_fonts() interface to allow also mmap fonts_cache_t for caller domains BZ(1521137)
- Allow ipsec_t to mmap cert_t and home_cert_t files BZ(1519810)
- Fix typo in filesystem.if
- Add interface dev_map_framebuffer()
- Allow chkpwd command to mmap /etc/shadow BZ(1513704)
- Fix systemd-resolved to run properly with SELinux in enforcing state BZ(1517529)
- Allow thumb_t domain to mmap fusefs_t files BZ(1517517)
- Allow userdom_home_reader_type attribute to mmap cifs_t files BZ(1517125)
- Add interface fs_map_cifs_files()
- Merge pull request #207 from rhatdan/labels
- Merge pull request #208 from rhatdan/logdir
- Allow domains that manage logfiles to man logdirs
2017-12-13 08:39:02 +01:00
Lukas Vrabec
617ff7d328 * Fri Nov 24 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-305
- Make ganesha nfs server
2017-11-24 18:20:55 +01:00
Lukas Vrabec
64b72debbe * Tue Nov 21 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-304
- Add interface raid_relabel_mdadm_var_run_content()
- Fix iscsi SELinux module
- Allow spamc_t domain to read home mail content BZ(1414366)
- Allow sendmail_t to list postfix config dirs BZ(1514868)
- Allow dovecot_t domain to mmap mail content in homedirs BZ(1513153)
- Allow iscsid_t domain to requesting loading kernel modules BZ(1448877)
- Allow svirt_t domain to mmap svirt_tmpfs_t files BZ(1515304)
- Allow cupsd_t domain to localization BZ(1514350)
- Allow antivirus_t nnp domain transition because of systemd security features. BZ(1514451)
- Allow tlp_t domain transition to systemd_rfkill_t domain BZ(1416301)
- Allow abrt_t domain to mmap fusefs_t files BZ(1515169)
- Allow memcached_t domain nnp_transition becuase of systemd security features BZ(1514867)
- Allow httpd_t domain to mmap all httpd content type BZ(1514866)
- Allow mandb_t to read /etc/passwd BZ(1514903)
- Allow mandb_t domain to mmap files with label mandb_cache_t BZ(1514093)
- Allow abrt_t domain to mmap files with label syslogd_var_run_t BZ(1514975)
- Allow nnp transition for systemd-networkd daemon to run in proper SELinux domain BZ(1507263)
- Allow systemd to read/write to mount_var_run_t files BZ(1515373)
- Allow systemd to relabel mdadm_var_run_t sock files BZ(1515373)
- Allow home managers to mmap nfs_t files BZ(1514372)
- Add interface fs_mmap_nfs_files()
- Allow systemd-mount to create new directory for mountpoint BZ(1514880)
- Allow getty to use usbttys
- Add interface systemd_rfkill_domtrans()
- Allow syslogd_t to mmap files with label syslogd_var_lib_t BZ(1513403)
- Add interface fs_mmap_fusefs_files()
- Allow ipsec_t domain to mmap files with label ipsec_key_file_t BZ(1514251)
2017-11-21 16:42:21 +01:00
Lukas Vrabec
2d6f40abe4 * Thu Nov 16 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-303
- Allow pcp_pmlogger to send logs to journal BZ(1512367)
- Merge pull request #40 from lslebodn/kcm_kerberos
- Allow services to use kerberos KCM BZ(1512128)
- Allow system_mail_t domain to be system_dbus_client BZ(1512476)
- Allow aide domain to stream connect to sssd_t BZ(1512500)
- Allow squid_t domain to mmap files with label squid_tmpfs_t BZ(1498809)
- Allow nsd_t domain to mmap files with labels nsd_tmp_t and nsd_zone_t BZ(1511269)
- Include cupsd_config_t domain into cups_execmem boolean. BZ(1417584)
- Allow samba_net_t domain to mmap samba_var_t files BZ(1512227)
- Allow lircd_t domain to execute shell BZ(1512787)
- Allow thumb_t domain to setattr on cache_home_t dirs BZ(1487814)
- Allow redis to creating tmp files with own label BZ(1513518)
- Create new interface thumb_nnp_domtrans allowing domaintransition with NoNewPrivs. This interface added to thumb_run() BZ(1509502)
- Allow httpd_t to mmap httpd_tmp_t files BZ(1502303)
- Add map permission to samba_rw_var_files interface. BZ(1513908)
- Allow cluster_t domain creating bundles directory with label var_log_t instead of cluster_var_log_t
- Add dac_read_search and dac_override capabilities to ganesha
- Allow ldap_t domain to manage also slapd_tmp_t lnk files
- Allow snapperd_t domain to relabeling from snapperd_data_t BZ(1510584)
- Add dac_override capability to dhcpd_t doamin BZ(1510030)
- Allow snapperd_t to remove old snaps BZ(1510862)
- Allow chkpwd_t domain to mmap system_db_t files and be dbus system client BZ(1513704)
- Allow xdm_t send signull to all xserver unconfined types BZ(1499390)
- Allow fs associate for sysctl_vm_t BZ(1447301)
- Label /etc/init.d/vboxdrv as bin_t to run virtualbox as unconfined_service_t BZ(1451479)
- Allow xdm_t domain to read usermodehelper_t state BZ(1412609)
- Allow dhcpc_t domain to stream connect to userdomain domains BZ(1511948)
- Allow systemd to mmap kernel modules BZ(1513399)
- Allow userdomains to mmap fifo_files BZ(1512242)
- Merge pull request #205 from rhatdan/labels
- Add map permission to init_domtrans() interface BZ(1513832)
- Allow xdm_t domain to mmap and execute files in xdm_var_run_t BZ(1513883)
- Unconfined domains, need to create content with the correct labels
- Container runtimes are running iptables within a different user namespace
- Add interface files_rmdir_all_dirs()
2017-11-16 15:30:31 +01:00
Lukas Vrabec
6730963181 Drop all binary files from selinux-policy package which are depended on build arch. 2017-11-16 15:28:19 +01:00
Lukas Vrabec
ebb4e5ec53 * Mon Nov 06 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-302
- Allow jabber domains to connect to postgresql ports
- Dontaudit slapd_t to block suspend system
- Allow spamc_t to stream connect to cyrys.
- Allow passenger to connect to mysqld_port_t
- Allow ipmievd to use nsswitch
- Allow chronyc_t domain to use user_ptys
- Label all files /var/log/opensm.* as opensm_log_t because opensm creating new log files with name opensm-subnet.lst
- Fix typo bug in tlp module
- Allow userdomain gkeyringd domain to create stream socket with userdomain
2017-11-06 16:54:47 +01:00
Lukas Vrabec
4c1c744cdd * Fri Nov 03 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-301
- Merge pull request #37 from milosmalik/rawhide
- Allow mozilla_plugin_t domain to dbus chat with devicekit
- Dontaudit leaked logwatch pipes
- Label /usr/bin/VGAuthService as vmtools_exec_t to confine this daemon.
- Allow httpd_t domain to execute hugetlbfs_t files BZ(1444546)
- Allow chronyd daemon to execute chronyc. BZ(1507478)
- Allow pdns to read network system state BZ(1507244)
- Allow gssproxy to read network system state Resolves: rhbz#1507191
- Allow nfsd_t domain to read configfs_t files/dirs
- Allow tgtd_t domain to read generic certs
- Allow ptp4l to send msgs via dgram socket to unprivileged user domains
- Allow dirsrv_snmp_t to use inherited user ptys and read system state
- Allow glusterd_t domain to create own tmpfs dirs/files
- Allow keepalived stream connect to snmp
2017-11-03 13:17:33 +01:00
Lukas Vrabec
ba9b7318d9 Merge #3 Do not ship file_contexts.bin file 2017-11-03 12:09:06 +00:00
Petr Lautrbach
deccccdaf1 Do not own /etc/selinux/<policytype>/file_contexts.homedirs.bin
This file belongs to /etc/selinux/<policytype>/contexts/files/
2017-10-31 18:48:31 +01:00
Lukas Vrabec
59afa60b46 * Thu Oct 26 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-300
- Allow zabbix_t domain to change its resource limits
- Add new boolean nagios_use_nfs
- Allow system_mail_t to search network sysctls
- Hide all allow rules with ptrace inside deny_ptrace boolean
- Allow nagios_script_t to read nagios_spool_t files
- Allow sbd_t to create own sbd_tmpfs_t dirs/files
- Allow firewalld and networkmanager to chat with hypervkvp via dbus
- Allow dmidecode to read rhsmcert_log_t files
- Allow mail system to connect mariadb sockets.
- Allow nmbd_t domain to mmap files labeled as samba_var_t. BZ(1505877)
- Make user account setup in gnome-initial-setup working in Workstation Live system. BZ(1499170)
- Allow iptables_t to run setfiles to restore context on system
- Updatre unconfined_dontaudit_read_state() interface to dontaudit also acess to files. BZ(1503466)
2017-10-26 20:18:18 +02:00
Lukas Vrabec
7911257b23 * Tue Oct 24 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-299
- Label /usr/libexec/bluetooth/obexd as bluetoothd_exec_t to run process as bluetooth_t
- Allow chronyd_t do request kernel module and block_suspend capability
- Allow system_cronjob_t to create /var/lib/letsencrypt dir with right label
- Allow slapd_t domain to mmap files labeled as slpad_db_t BZ(1505414)
- Allow dnssec_trigger_t domain to execute binaries with dnssec_trigeer_exec_t BZ(1487912)
- Allow l2tpd_t domain to send SIGKILL to ipsec_mgmt_t domains BZ(1505220)
- Allow thumb_t creating thumb_home_t files in user_home_dir_t direcotry BZ(1474110)
- Allow httpd_t also read httpd_user_content_type dirs when httpd_enable_homedirs is enables
- Allow svnserve to use kerberos
- Allow conman to use ptmx. Add conman_use_nfs boolean
- Allow nnp transition for amavis and tmpreaper SELinux domains
- Allow chronyd_t to mmap chronyc_exec_t binary files
- Add dac_read_search capability to openvswitch_t domain
- Allow svnserve to manage own svnserve_log_t files/dirs
- Allow keepalived_t to search network sysctls
- Allow puppetagent_t domain dbus chat with rhsmcertd_t domain
- Add kill capability to openvswitch_t domain
- Label also compressed logs in /var/log for different services
- Allow inetd_child_t and system_cronjob_t to run chronyc.
- Allow chrony to create netlink route sockets
- Add SELinux support for chronyc
- Add support for running certbot(letsencrypt) in crontab
- Allow nnp trasintion for unconfined_service_t
- Allow unpriv user domains and unconfined_service_t to use chronyc
2017-10-24 21:29:48 +02:00
Lukas Vrabec
2fff8fe522 Add rpm-plugin-selinux dependency into selinux-policy package.
Resolves: rhbz#1493267
2017-10-24 13:16:21 +02:00
Lukas Vrabec
1014cb1eee * Sun Oct 22 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-298
- Drop *.lst files from file list
- Ship file_contexts.homedirs in store
- Allow proper transition when systems starting pdns to pdns_t domain. BZ(1305522)
- Allow haproxy daemon to reexec itself. BZ(1447800)
- Allow conmand to use usb ttys.
- Allow systemd_machined to read mock lib files. BZ(1504493)
- Allow systemd_resolved_t to dbusd chat with NetworkManager_t BZ(1505081)
2017-10-22 15:56:04 +02:00
Petr Lautrbach
b442d09884 Drop *.lst files from file list
These files are already covered by:
%{_datadir}/selinux/%1

Fixes:
RPM build errors:
    File listed twice: /usr/share/selinux/targeted/nonbasemodules.lst
    File listed twice: /usr/share/selinux/minimum
    File listed twice: /usr/share/selinux/minimum/base.lst
    File listed twice: /usr/share/selinux/minimum/modules-base.lst
    File listed twice: /usr/share/selinux/minimum/modules-contrib.lst
    File listed twice: /usr/share/selinux/minimum/nonbasemodules.lst
    File listed twice: /usr/share/selinux/mls
    File listed twice: /usr/share/selinux/mls/base.lst
    File listed twice: /usr/share/selinux/mls/modules-base.lst
    File listed twice: /usr/share/selinux/mls/modules-contrib.lst
    File listed twice: /usr/share/selinux/mls/nonbasemodules.lst
    File listed twice: /var/lib/selinux/mls/active/modules/100/unprivuser
    File listed twice: /var/lib/selinux/mls/active/modules/100/unprivuser/cil
    File listed twice: /var/lib/selinux/mls/active/modules/100/unprivuser/hll
    File listed twice: /var/lib/selinux/mls/active/modules/100/unprivuser/lang_ext
2017-10-20 16:33:07 +02:00
Petr Lautrbach
9e91a2824b Ship file_contexts.homedirs in store
Recent libsemanage-2.7-4.fc28 keeps copy of file_contexts.homedirs in
policy store in order to support listing homedirs file contexts in
semanage fcontext -l
2017-10-20 16:05:19 +02:00
Lukas Vrabec
465d71cd8d * Fri Oct 20 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-297
- Fix typo in virt file contexts file
- allow ipa_dnskey_t to read /proc/net/unix file
- Allow openvswitch to run setfiles in setfiles_t domain.
- Allow openvswitch_t domain to read process data of neutron_t domains
- Fix typo in ipa_cert_filetrans_named_content() interface
- Fix typo bug in summary of xguest SELinux module
- Allow virtual machine with svirt_t label to stream connect to openvswitch.
- Label qemu-pr-helper script as virt_exec_t so this script won't run as unconfined_service_t
2017-10-20 11:27:02 +02:00
Lukas Vrabec
107eb82b3e * Tue Oct 17 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-296
- Merge pull request #19 from RodrigoQuesadaDev/snapper-fix-1
- Allow httpd_t domain to mmap httpd_user_content_t files. BZ(1494852)
- Add nnp transition rule for services using NoNewPrivileges systemd feature
- Add map permission into dev_rw_infiniband_dev() interface to allow caller domain mmap infiniband chr device BZ(1500923)
- Add init_nnp_daemon_domain interface
- Allow nnp transition capability
- Merge pull request #204 from konradwilk/rhbz1484908
- Label postgresql-check-db-dir as postgresql_exec_t
2017-10-17 15:29:08 +02:00
Lukas Vrabec
c862e95fd2 Fix order of installing selinux-policy-sandbox, because of depedencied in sandbox module, selinux-policy-targeted needs to be installed before selinux-policy-sandbox 2017-10-12 13:53:04 +02:00
Lukas Vrabec
d7e304ffbf Merge #4 Disable SELinux on a policy type subpackage uninstall 2017-10-12 08:44:30 +00:00
Lukas Vrabec
2b83a4bd1d * Tue Oct 10 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-295
- Allow boinc_t to mmap files with label boinc_project_var_lib_t BZ(1500088)
- Allow fail2ban_t domain to mmap journals. BZ(1500089)
- Add dac_override to abrt_t domain BZ(1499860)
- Allow pppd domain to mmap own pid files BZ(1498587)
- Allow webserver services to mmap files with label httpd_sys_content_t BZ(1498451)
- Allow tlp domain to read sssd public files Allow tlp domain to mmap kernel modules
- Allow systemd to read sysfs sym links. BZ(1499327)
- Allow systemd to mmap systemd_networkd_exec_t files BZ(1499863)
- Make systemd_networkd_var_run as mountpoint BZ(1499862)
- Allow noatsecure for java-based unconfined services. BZ(1358476)
- Allow systemd_modules_load_t domain to mmap kernel modules. BZ(1490015)
2017-10-10 12:31:41 +02:00
Lukas Vrabec
f2424e7390 * Mon Oct 09 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-294
- Allow cloud-init to create content in /var/run/cloud-init
- Dontaudit VM to read gnome-boxes process data BZ(1415975)
- Allow winbind_t domain mmap samba_var_t files
- Allow cupsd_t to execute ld_so_cache_t BZ(1478602)
- Update dev_rw_xserver_misc() interface to allo source domains to mmap xserver devices BZ(1334035)
- Add dac_override capability to groupadd_t domain BZ(1497091)
- Allow unconfined_service_t to start containers
2017-10-09 10:09:01 +02:00
Petr Lautrbach
7f40329c8b Disable SELinux on a policy type subpackage uninstall
When selinux-policy is uninstalled, SELinux is changed to permissive and
/etc/selinux/config is updated to disable SELinux. But it doesn't apply
when selinux-policy-{targeted,mls,minimum} are uninstalled.

With this change when one of the policy subpackages is uninstalled
and the current policy type is same as the uninstalled policy, SELinux
is switched to permissive and disabled in config file as well.

Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1498569
2017-10-08 21:33:17 +02:00
Petr Lautrbach
dba350c6e0 Do not ship file_contexts.bin file
selinux-policy is noarch but file_contexts.bin is not portable. As a
result, on architectures with different endianness, this file is ignored
and text file file_context is used instead.

For more information see:
https://janzarskyblog.wordpress.com/2017/09/06/why-we-dont-need-to-ship-file_contexts-bin-with-selinux-policy/

Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1386180
2017-10-08 20:52:10 +02:00
Petr Lautrbach
918bddec38 * Sun Oct 08 2017 Petr Lautrbach <plautrba@redhat.com> - 3.13.1-293
- Drop policyhelp utility BZ(1498429)
2017-10-08 10:29:32 +02:00
Petr Lautrbach
00cdacfa6a Drop policyhelp utility
https://fedoraproject.org/wiki/SELinux_Policy_Modules_Packaging_Draft#Build_Dependencies

The /usr/share/selinux/devel/policyhelp requirement was necessary to
extract the version number of the selinux-policy package being built
against, which is used to enforce a minimum version requirement on
selinux-policy when the built package is installed. The policyhelp file
itself can be found in either the selinux-policy, selinux-policy-devel,
or selinux-policy-doc package (depending on OS release), which is why we
cannot simply use a package name unless we are prepared to sacrifice
spec file portability. From Fedora 20 onwards, this method is no longer
necessary, so if your packaging is not targeting any releases prior to
Fedora 20 or EPEL-5/6, the /usr/share/selinux/devel/policyhelp
requirement is not needed.

Resolves: rhbz#1498429
2017-10-05 09:03:21 +02:00
Lukas Vrabec
75b1898128 * Tue Oct 03 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-292
- Allow cupsd_t to execute ld_so_cache_t BZ(1478602)
- Allow firewalld_t domain to change object identity because of relabeling after using firewall-cmd BZ(1469806)
- Allow postfix_cleanup_t domain to stream connect to all milter sockets BZ(1436026)
- Allow nsswitch_domain to read virt_var_lib_t files, because of libvirt NSS plugin. BZ(1487531)
- Add unix_stream_socket recvfrom perm for init_t domain BZ(1496318)
- Allow systemd to maange sysfs BZ(1471361)
2017-10-03 17:11:40 +02:00
Lukas Vrabec
65c1dc9f4d * Tue Oct 03 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-291
- Switch default value of SELinux boolean httpd_graceful_shutdown to off.
2017-10-03 14:19:31 +02:00
Lukas Vrabec
aab02e492d Merge #2 Remove trailing whitespace in default /etc/selinux/config 2017-09-29 12:30:29 +00:00
Lukas Vrabec
e8dfe68ada * Fri Sep 29 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-290
- Allow virtlogd_t domain to write inhibit systemd pipes.
- Add dac_override capability to openvpn_t domain
- Add dac_override capability to xdm_t domain
- Allow dac_override to groupadd_t domain BZ(1497081)
- Allow cloud-init to create /var/run/cloud-init dir with net_conf_t SELinux label.BZ(1489166)
2017-09-29 14:22:40 +02:00
Colin Walters
5fdac71bd7 Remove trailing whitespace in default /etc/selinux/config
See <https://pagure.io/atomic-wg/issue/341> - basically for libostree
(and hence rpm-ostree, and Fedora Editions that use it like Fedora Atomic Host),
the Anaconda `selinux --enforcing` verb will end up rewriting
`/etc/selinux/config` to the same value it had before.

But because of the trailing space character, this generates
a difference, and means the config file appears locally modified,
and hence deployed systems won't receive updates.

I think Anaconda should also be fixed to avoid touching the file *at all*
if it wouldn't result in a change, but let's remove the trailing space
here too, as it's better to fix in two places.
2017-09-27 16:01:25 -04:00
Lukas Vrabec
233534cc51 * Wed Sep 27 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-289
- Allow tlp_t domain stream connect to sssd_t domain
- Add missing dac_override capability
- Add systemd_tmpfiles_t dac_override capability
2017-09-27 13:16:05 +02:00
Lukas Vrabec
8587149987 setfiles command produce unnecessary output during selinux-policy package update. This patch redirect stdout of setfiles to /dev/null.
Thanks: Petr Lautrbach <plautrba@redhat.com>
2017-09-27 10:01:01 +02:00
Lukas Vrabec
12fd9044f9 * Fri Sep 22 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-288
- Remove all unnecessary dac_override capability in SELinux modules
2017-09-22 14:15:27 +02:00
Lukas Vrabec
fc41f8a9df * Fri Sep 22 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-287
- Allow init noatsecure httpd_t
- Allow mysqld_t domain to mmap mysqld db files. BZ(1483331)
- Allow unconfined_t domain to create new users with proper SELinux lables
-  Allow init noatsecure httpd_t
- Label tcp port 3269 as ldap_port_t
2017-09-22 10:26:38 +02:00
Lukas Vrabec
7c73871fb5 * Mon Sep 18 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-286
- Add new boolean tomcat_read_rpm_db()
- Allow tomcat to connect on mysqld tcp ports
- Add new interface apache_delete_tmp()
- Add interface fprintd_exec()
- Add interface fprintd_mounton_var_lib()
- Allow mozilla plugin to mmap video devices BZ(1492580)
- Add ctdbd_t domain sys_source capability and allow setrlimit
- Allow systemd-logind to use ypbind
- Allow systemd to remove apache tmp files
- Allow ldconfig domain to mmap ldconfig cache files
- Allow systemd to exec fprintd BZ(1491808)
- Allow systemd to mounton fprintd lib dir
2017-09-18 15:03:29 +02:00
Lukas Vrabec
6551841efc * Thu Sep 14 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-285
- Allow svirt_t read userdomain state
2017-09-14 14:11:08 +02:00
Lukas Vrabec
83eed32c03 * Thu Sep 14 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-284
- Allow mozilla_plugins_t domain mmap mozilla_plugin_tmpfs_t files
- Allow automount domain to manage mount pid files
- Allow stunnel_t domain setsched
- Add keepalived domain setpgid capability
- Merge pull request #24 from teg/rawhide
- Merge pull request #28 from lslebodn/revert_1e8403055
- Allow sysctl_irq_t assciate with proc_t
- Enable cgourp sec labeling
- Allow sshd_t domain to send signull to xdm_t processes
2017-09-14 09:11:13 +02:00
Lukas Vrabec
76e1d24391 Add /var/lib/sepolgen/interface_info to %files section in selinux-policy-devel 2017-09-13 13:15:22 +02:00
Lukas Vrabec
c3f53c2a7e * Tue Sep 12 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-283
- Allow passwd_t domain mmap /etc/shadow and /etc/passwd
- Allow pulseaudio_t domain to map user tmp files
- Allow mozilla plugin to mmap mozilla tmpfs files
2017-09-12 14:05:47 +02:00
Lukas Vrabec
4dfc5f64ab * Mon Sep 11 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-282
- Add new bunch of map rules
- Merge pull request #25 from NetworkManager/nm-ovs
- Make working webadm_t userdomain
- Allow redis domain to execute shell scripts.
- Allow system_cronjob_t to create redhat-access-insights.log with var_log_t
- Add couple capabilities to keepalived domain and allow get attributes of all domains
- Allow dmidecode read rhsmcertd lock files
- Add new interface rhsmcertd_rw_lock_files()
- Add new bunch of map rules
- Merge pull request #199 from mscherer/add_conntrackd
- Add support labeling for vmci and vsock device
- Add userdom_dontaudit_manage_admin_files() interface
2017-09-11 22:04:43 +02:00
Lukas Vrabec
65f16bbe30 * Mon Sep 11 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-281
- Allow domains reading raw memory also use mmap.
2017-09-11 09:50:18 +02:00
Lukas Vrabec
b9bc43a953 * Thu Sep 07 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-280
- Add rules fixing installing ipa-server-install with SELinux in Enforcing. BZ(1488404)
- Fix denials during ipa-server-install process on F27+
- Allow httpd_t to mmap cert_t
- Add few rules to make tlp_t domain working in enforcing mode
- Allow cloud_init_t to dbus chat with systemd_timedated_t
- Allow logrotate_t to write to kmsg
- Add capability kill to rhsmcertd_t
- Allow winbind to manage smbd_tmp_t files
- Allow groupadd_t domain to dbus chat with systemd.BZ(1488404)
- Add interface miscfiles_map_generic_certs()
2017-09-07 13:32:34 +02:00
Lukas Vrabec
fcebe07f6c * Tue Sep 05 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-279
- Allow abrt_dump_oops_t to read sssd_public_t files
- Allow cockpit_ws_t to mmap usr_t files
- Allow systemd to read/write dri devices.
2017-09-05 09:36:30 +02:00
Lukas Vrabec
313e17b74e * Thu Aug 31 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-278
- Add couple rules related to map permissions
- Allow ddclient use nsswitch BZ(1456241)
- Allow thumb_t domain getattr fixed_disk device. BZ(1379137)
- Add interface dbus_manage_session_tmp_dirs()
- Dontaudit useradd_t sys_ptrace BZ(1480121)
- Allow ipsec_t can exec ipsec_exec_t
- Allow systemd_logind_t to mamange session_dbusd_tmp_t dirs
2017-08-31 17:55:58 +02:00
Lukas Vrabec
0c6eef95d3 * Mon Aug 28 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-277
- Allow cupsd_t to execute ld_so_cache
- Add cgroup_seclabel policycap.
- Allow xdm_t to read systemd hwdb
- Add new interface systemd_hwdb_mmap_config()
- Allow auditd_t domain to mmap conf files labeled as auditd_etc_t BZ(1485050)
2017-08-28 18:08:50 +02:00
Lukas Vrabec
2b14b695c4 * Sat Aug 26 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-276
- Allow couple map rules
2017-08-26 13:17:21 +02:00
Lukas Vrabec
c1ce08ecb5 * Wed Aug 23 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-275
- Make confined users working
- Allow ipmievd_t domain to load kernel modules
- Allow logrotate to reload transient systemd unit
2017-08-23 23:17:38 +02:00
Lukas Vrabec
b7314cadde * Wed Aug 23 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-274
- Allow postgrey to execute bin_t files and add postgrey into nsswitch_domain
- Allow nscd_t domain to search network sysctls
- Allow iscsid_t domain to read mount pid files
- Allow ksmtuned_t domain manage sysfs_t files/dirs
- Allow keepalived_t domain domtrans into iptables_t
- Allow rshd_t domain reads net sysctls
- Allow systemd to create syslog netlink audit socket
- Allow ifconfig_t domain unmount fs_t
- Label /dev/gpiochip* devices as gpio_device_t
2017-08-23 16:49:48 +02:00
Lukas Vrabec
681ffa2e20 * Tue Aug 22 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-273
- Allow dirsrv_t domain use mmap on files labeled as dirsrv_var_run_t BZ(1483170)
- Allow just map permission insead of using mmap_file_pattern because mmap_files_pattern allows also executing objects.
- Label /var/run/agetty.reload as getty_var_run_t
- Add missing filecontext for sln binary
- Allow systemd to read/write to event_device_t BZ(1471401)
2017-08-22 14:47:56 +02:00
Lukas Vrabec
284401b055 * Tue Aug 15 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-272
- Allow sssd_t domain to map sssd_var_lib_t files
- allow map permission where needed
- contrib: allow map permission where needed
- Allow syslogd_t to map syslogd_var_run_t files
- allow map permission where needed
2017-08-15 16:29:24 +02:00
Lukas Vrabec
c6aaaee231 Remove temporary fix labeling cockpit binary 2017-08-15 16:27:40 +02:00
Lukas Vrabec
be2df80e69 * Mon Aug 14 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-271
- Allow tomcat_t domain couple capabilities to make working tomcat-jsvc
- Label /usr/libexec/sudo/sesh as shell_exec_t
2017-08-14 16:11:30 +02:00
Lukas Vrabec
7a49a1c8c7 * Thu Aug 10 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-270
- refpolicy: Infiniband pkeys and endport
2017-08-10 23:27:06 +02:00
Lukas Vrabec
9a31f2128c Merge branch 'master' of ssh://pkgs.fedoraproject.org/rpms/selinux-policy 2017-08-10 11:25:56 +02:00
Lukas Vrabec
ff3605a078 * Thu Aug 10 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-269
- Allow osad make executable an anonymous mapping or private file mapping that is writable BZ(1425524)
- After fix in kernel where LSM hooks for dac_override and dac_search_read capability was swaped we need to fix it also in policy
- refpolicy: Define and allow map permission
- init: Add NoNewPerms support for systemd.
- Add nnp_nosuid_transition policycap and related class/perm definitions.
2017-08-10 11:25:41 +02:00
Petr Lautrbach
cf21eb3fa5 Fix bogus date for 3.13.1-267 changelog entry
warning: bogus date in %changelog: Fri Aug 07 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-267
2017-08-10 09:12:56 +02:00
Petr Lautrbach
b65295347f * Mon Aug 07 2017 Petr Lautrbach <plautrba@redhat.com> - 3.13.1-268
- Update for SELinux userspace release 20170804 / 2.7
- Omit precompiled regular expressions from file_contexts.bin files
2017-08-07 18:05:24 +02:00
Lukas Vrabec
631f95b1cf * Fri Aug 07 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-267
- After fix in kernel where LSM hooks for dac_override and dac_search_read capability was swaped we need to fix it also in policy
2017-08-07 16:17:01 +02:00
Petr Lautrbach
0eccbd957d Revert "Temporary fix while creating manpages using sepolicy is broken."
This reverts commit fbdb6e98da.

Since policycoreutils-2.6-7, 'sepolicy manpage' should be again
reasonable fast.
2017-08-03 08:01:21 +02:00
Fedora Release Engineering
f0d7feb11d - Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild 2017-07-27 18:25:45 +00:00
Lukas Vrabec
4696e7ec09 * Fri Jul 21 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-265
- Allow llpdad send dgram to libvirt
- Allow abrt_t domain dac_read_search capability
- Allow init_t domain mounton dirs labeled as init_var_lib_t BZ(1471476)
- Allow xdm_t domain read unique machine-id generated during system installation. BZ(1467036)
2017-07-21 14:21:02 +02:00
Lukas Vrabec
3622c01896 * Mon Jul 17 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-264
- Dontaudit xdm_t to setattr lib_t dirs. BZ(#1458518)
2017-07-17 14:32:35 +02:00
Lukas Vrabec
ab9bb05673 * Tue Jul 11 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-263
- Add new boolean gluster_use_execmem
2017-07-11 18:01:45 +02:00
Lukas Vrabec
6fc6359b10 * Mon Jul 10 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-262
- Allow cluster_t and glusterd_t domains to dbus chat with ganesha service
- Allow iptables to read container runtime files
2017-07-10 09:27:35 +02:00
Lukas Vrabec
959229d1e3 * Fri Jun 23 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-261
- Allow boinc_t nsswitch
- Dontaudit firewalld to write to lib_t dirs
- Allow modemmanager_t domain to write to raw_ip file labeled as sysfs_t
- Allow thumb_t domain to allow create dgram sockets
- Disable mysqld_safe_t secure mode environment cleansing
- Allow couple rules needed to start targetd daemon with SELinux in enforcing mode
- Allow dirsrv domain setrlimit
- Dontaudit staff_t user read admin_home_t files.
- Add interface lvm_manage_metadata
- Add permission open to files_read_inherited_tmp_files() interface
2017-06-23 17:16:37 +02:00
Lukas Vrabec
c8dc4505f7 Fix commands how to create downstream patches 2017-06-20 17:00:14 +02:00
Lukas Vrabec
8c093f225c * Mon Jun 19 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-260
- Allow sssd_t to read realmd lib files.
- Fix init interface file. init_var_run_t is type not attribute
2017-06-19 16:52:54 +02:00
Lukas Vrabec
fa95f253bf * Mon Jun 19 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-258
- Allow rpcbind_t to execute systemd_tmpfiles_exec_t binary files.
- Merge branch 'rawhide' of github.com:wrabcak/selinux-policy-contrib into rawhide
- Allow qemu to authenticate SPICE connections with SASL GSSAPI when SSSD is in use
- Fix dbus_dontaudit_stream_connect_system_dbusd() interface to require TYPE rather than ATTRIBUTE for systemd_dbusd_t.
- Allow httpd_t to read realmd_var_lib_t files
- Allow unconfined_t user all user namespace capabilties.
- Add interface systemd_tmpfiles_exec()
- Add interface libs_dontaudit_setattr_lib_files()
- Dontaudit xdm_t domain to setattr on lib_t dirs
- Allow sysadm_r role to jump into dirsrv_t
2017-06-19 10:01:33 +02:00
Lukas Vrabec
7ac1cbb003 * Thu Jun 08 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-257
- Merge pull request #10 from mscherer/fix_tor_dac
- Merge pull request #9 from rhatdan/rawhide
- Merge pull request #13 from vinzent/allow_zabbix_t_to_kill_zabbix_script_t
- Allow kdumpgui to read removable disk device
- Allow systemd_dbusd_t domain read/write to nvme devices
- Allow udisks2 domain to read removable devices BZ(1443981)
- Allow virtlogd_t to execute itself
- Allow keepalived to read/write usermodehelper state
- Allow named_t to bind on udp 4321 port
- Fix interface tlp_manage_pid_files()
- Allow collectd domain read lvm config files. BZ(1459097)
- Merge branch 'rawhide' of github.com:wrabcak/selinux-policy-contrib into rawhide
- Allow samba_manage_home_dirs boolean to manage user content
- Merge pull request #14 from lemenkov/rabbitmq_systemd_notify
- Allow pki_tomcat_t execute ldconfig.
- Merge pull request #191 from rhatdan/udev
- Allow systemd_modules_load_t to load modules
2017-06-08 12:25:29 +02:00
Lukas Vrabec
941d5af493 * Mon Jun 05 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-256
- Allow keepalived domain connect to squid tcp port
- Allow krb5kdc_t domain read realmd lib files.
- Allow tomcat to connect on all unreserved ports
- Allow keepalived domain connect to squid tcp port
- Allow krb5kdc_t domain read realmd lib files.
- Allow tomcat to connect on all unreserved ports
- Allow ganesha to connect to all rpc ports
- Update ganesha with few allow rules
- Update rpc_read_nfs_state_data() interface to allow read also lnk_files.
- virt_use_glusterd boolean should be in optional block
- Add new boolean virt_use_glusterd
- Add capability sys_boot for sbd_t domain Allow sbd_t domain to create rpc sysctls.
- Allow ganesha_t domain to manage glusterd_var_run_t pid files.
- Create new interface: glusterd_read_lib_files() Allow ganesha read glusterd lib files. Allow ganesha read network sysctls
- Add few allow rules to ganesha module
- Allow condor_master_t to read sysctls.
- Add dac_override cap to ctdbd_t domain
- Add ganesha_use_fusefs boolean.
- Allow httpd_t reading kerberos kdc config files
- Allow tomcat_t domain connect to ibm_dt_2 tcp port.
- Allow stream connect to initrc_t domains
- Add pki_exec_common_files() interface
- Allow  dnsmasq_t domain to read systemd-resolved pid files.
- Allow tomcat domain name_bind on tcp bctp_port_t
- Allow smbd_t domain generate debugging files under /var/run/gluster. These files are created through the libgfapi.so library that provides integration of a GlusterFS client in the Samba (vfs_glusterfs) process.
- Allow condor_master_t write to sysctl_net_t
- Allow nagios check disk plugin read /sys/kernel/config/
- Allow pcp_pmie_t domain execute systemctl binary
- Allow nagios to connect to stream sockets. Allow nagios start httpd via systemctl
- xdm_t should view kernel keys
- Hide broken symptoms when machine is configured with network bounding.
- Label 8750 tcp/udp port as dey_keyneg_port_t
- Label tcp/udp port 1792 as ibm_dt_2_port_t
- Add interface fs_read_configfs_dirs()
- Add interface fs_read_configfs_files()
- Fix systemd_resolved_read_pid interface
- Add interface systemd_resolved_read_pid()
- Allow sshd_net_t domain read/write into crypto devices
- Label 8999 tcp/udp as bctp_port_t
2017-06-05 13:25:12 +02:00
Lukas Vrabec
6c0472a324 * Thu May 18 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-255
- Dontaudit net_admin capability for domains postfix_master_t and postfix_qmgr_t
- Add interface pki_manage_common_files()
- Allow rngd domain read sysfs_t
- Allow tomcat_t domain to manage pki_common_t files and dirs
- Merge pull request #3 from rhatdan/devicekit
- Merge pull request #12 from lslebodn/sssd_sockets_fc
- Allow certmonger reads httpd_config_t files
- Allow keepalived_t domain creating netlink_netfilter_socket.
- Use stricter fc rules for sssd sockets in /var/run
- Allow tomcat domain read rpm_var_lib_t files Allow tomcat domain exec rpm_exec_t files Allow tomcat domain name connect on oracle_port_t Allow tomcat domain read cobbler_var_lib_t files.
- Allow sssd_t domain creating sock files labeled as sssd_var_run_t in /var/run/
- Allow svirt_t to read raw fixed_disk_device_t to make working blockcommit
- ejabberd small fixes
- Update targetd policy to accommodate changes in the service
- Allow tomcat_domain connect to    * postgresql_port_t    * amqp_port_t Allow tomcat_domain read network sysctls
- Allow virt_domain to read raw fixed_disk_device_t to make working blockcommit
- Dontaudit net_admin capability for useradd_t domain
- Allow systemd_localed_t and systemd_timedated_t create files in /etc with label locate_t BZ(1443723)
- Make able deply overcloud via neutron_t to label nsfs as fs_t
- Add fs_manage_configfs_lnk_files() interface
2017-05-18 16:44:30 +02:00
Lukas Vrabec
c1e28f68d8 * Mon May 15 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-254
- Allow svirt_t to read raw fixed_disk_device_t to make working blockcommit
- ejabberd small fixes
- Update targetd policy to accommodate changes in the service
- Allow tomcat_domain connect to    * postgresql_port_t    * amqp_port_t Allow tomcat_domain read network sysctls
- Allow virt_domain to read raw fixed_disk_device_t to make working blockcommit
- Allow glusterd_t domain start ganesha service
- Made few cosmetic changes in sssd SELinux module
- Merge pull request #11 from lslebodn/sssd_kcm
- Update virt_rw_stream_sockets_svirt() interface to allow confined users set socket options.
- Allow keepalived_t domain read usermodehelper_t
- Allow radius domain stream connec to postgresql
- Merge pull request #8 from bowlofeggs/142-rawhide
- Add fs_manage_configfs_lnk_files() interface
2017-05-15 22:07:43 +02:00
Lukas Vrabec
dfee3bea84 * Fri May 12 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-253
- auth_use_nsswitch can call only domain not attribute
- Dontaudit net_admin cap for winbind_t
- Allow tlp_t domain to stream connect to system bus
- Allow tomcat_t domain read pki_common_t files
- Add interface pki_read_common_files()
- Fix broken cermonger module
- Fix broken apache module
- Allow hypervkvp_t domain execute hostname
- Dontaudit sssd_selinux_manager_t use of net_admin capability
- Allow tomcat_t stream connect to pki_common_t
- Dontaudit xguest_t's attempts to listen to its tcp_socket
- Allow sssd_selinux_manager_t to ioctl init_t sockets
- Improve ipa_cert_filetrans_named_content() interface to also allow caller domain manage ipa_cert_t type.
- Allow pki_tomcat_t domain read /etc/passwd.
- Allow tomcat_t domain read ipa_tmp_t files
- Label new path for ipa-otpd
- Allow radiusd_t domain stream connect to postgresql_t
- Allow rhsmcertd_t to execute hostname_exec_t binaries.
- Allow virtlogd to append nfs_t files when virt_use_nfs=1
- Allow httpd_t domain read also httpd_user_content_type lnk_files.
- Allow httpd_t domain create /etc/httpd/alias/ipaseesion.key with label ipa_cert_t
- Dontaudit <user>_gkeyringd_t stream connect to system_dbusd_t
- Label /var/www/html/nextcloud/data as httpd_sys_rw_content_t
- Add interface ipa_filetrans_named_content()
- Allow tomcat use nsswitch
- Allow certmonger_t start/status generic services
- Allow dirsrv read cgroup files.
- Allow ganesha_t domain read/write infiniband devices.
- Allow sendmail_t domain sysctl_net_t files
- Allow targetd_t domain read network state and getattr on loop_control_device_t
- Allow condor_schedd_t domain send mails.
- Allow ntpd to creating sockets. BZ(1434395)
- Alow certmonger to create own systemd unit files.
- Add kill namespace capability to xdm_t domain
- Revert "su using libselinux and creating netlink_selinux socket is needed to allow libselinux initialization."
- Revert "Allow <role>_su_t to create netlink_selinux_socket"
- Allow <role>_su_t to create netlink_selinux_socket
- Allow unconfined_t to module_load any file
- Allow staff to systemctl virt server when staff_use_svirt=1
- Allow unconfined_t create /tmp/ca.p12 file with ipa_tmp_t context
- Allow netutils setpcap capability
- Dontaudit leaked file descriptor happening in setfiles_t domain BZ(1388124)
2017-05-12 17:03:36 +02:00
Lukas Vrabec
fe274d0fa4 Merge branch 'master' of ssh://pkgs.fedoraproject.org/rpms/selinux-policy 2017-04-20 22:51:15 +02:00
Petr Lautrbach
3332d5b8d0 Do not ship .linked files
libsemanage was updated [1] to use {policy,seusers,users_extra}.linked files
to cache the linked policy prior to merging local changes. We don't need
to ship these files, however the files should be owned by selinux-policy
packages on a filesystem.

[1] 8702a865e0
2017-04-20 22:48:24 +02:00
Michael Scherer
c8b7cd49fb Add safeguard around "semodule -n -d sandbox"
Each time this package is updated, it remove the sandbox module, thus
making the sandbox command not working until someone reenable it.

The main cause is likely the non intuitive ordering of RPM post install
script, as %preun is run after %post. See the details on
https://fedoraproject.org/wiki/Packaging:Scriptlets
2017-04-20 09:27:13 +02:00
Lukas Vrabec
e08cffb7e1 * Tue Apr 18 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-251
- Fix abrt module to reflect all changes in abrt release
2017-04-18 16:09:05 +02:00
Lukas Vrabec
c0884791ad * Tue Apr 18 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-250
- Allow tlp_t domain to ioctl removable devices BZ(1436830)
- Allow tlp_t domain domtrans into mount_t BZ(1442571)
- Allow lircd_t to read/write to sysfs BZ(1442443)
- Fix policy to reflect all changes in new IPA release
- Allow virtlogd_t to creating tmp files with virt_tmp_t labels.
- Allow sbd_t to read/write fixed disk devices
- Add sys_ptrace capability to radiusd_t domain
- Allow cockpit_session_t domain connects to ssh tcp ports.
- Update tomcat policy to make working ipa install process
- Allow pcp_pmcd_t net_admin capability. Allow pcp_pmcd_t read net sysctls Allow system_cronjob_t create /var/run/pcp with pcp_var_run_t
- Fix all AVC denials during pkispawn of CA Resolves: rhbz#1436383
- Update pki interfaces and tomcat module
- Allow sendmail to search network sysctls
- Add interface gssd_noatsecure()
- Add interface gssproxy_noatsecure()
- Allow chronyd_t net_admin capability to allow support HW timestamping.
- Update tomcat policy.
- Allow certmonger to start haproxy service
- Fix init Module
- Make groupadd_t domain as system bus client BZ(1416963)
- Make useradd_t domain as system bus client BZ(1442572)
- Allow xdm_t to gettattr /dev/loop-control device BZ(1385090)
- Dontaudit gdm-session-worker to view key unknown. BZ(1433191)
- Allow init noatsecure for gssd and gssproxy
- Allow staff user to read fwupd_cache_t files
- Remove typo bugs
- Remove /proc <<none>> from fedora policy, it's no longer necessary
2017-04-18 00:12:06 +02:00
Lukas Vrabec
0d1055a787 * Mon Apr 03 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-249
- Merge pull request #4 from lslebodn/sssd_socket_activated
- Remove /proc <<none>> from fedora policy, it's no longer necessary
- Allow iptables get list of kernel modules
- Allow unconfined_domain_type to enable/disable transient unit
- Add interfaces init_enable_transient_unit() and init_disable_transient_unit
- Revert "Allow sshd setcap capability. This is needed due to latest changes in sshd"
- Label sysroot dir under ostree as root_t
2017-04-03 12:05:44 +02:00
Adam Williamson
f993349d77 Put tomcat_t back in unconfined domains for now. BZ(1436434) 2017-03-27 17:00:43 -07:00
Lukas Vrabec
b8c3e1f896 * Tue Mar 21 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-247
- Make fwupd_var_lib_t type mountpoint. BZ(1429341)
- Remove tomcat_t domain from unconfined domains
- Create new boolean: sanlock_enable_home_dirs()
- Allow mdadm_t domain to read/write nvme_device_t
- Remove httpd_user_*_content_t domains from user_home_type attribute. This tighten httpd policy and acces to user data will be more strinct, and also fix mutual influente between httpd_enable_homedirs and httpd_read_user_content
- Add interface dev_rw_nvme
- Label all files containing hostname substring in /etc/ created by systemd_hostnamed_t as hostname_etc_t. BZ(1433555)
2017-03-21 09:58:13 +01:00
Lukas Vrabec
b3dccbc4b2 * Sat Mar 18 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-246
- Label all files containing hostname substring in /etc/ created by systemd_hostnamed_t as hostname_etc_t. BZ(1433555)
2017-03-18 16:12:18 +01:00
Lukas Vrabec
96feeb5e20 * Fri Mar 17 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-245
- Allow vdagent domain to getattr cgroup filesystem
- Allow abrt_dump_oops_t stream connect to sssd_t domain
- Allow cyrus stream connect to gssproxy
- Label /usr/libexec/cockpit-ssh as cockpit_session_exec_t and allow few rules
- Allow colord_t to read systemd hwdb.bin file
- Allow dirsrv_t to create /var/lock/dirsrv labeled as dirsrc_var_lock_t
- Allow certmonger to manage /etc/krb5kdc_conf_t
- Allow kdumpctl to getenforce
- Allow ptp4l wake_alarm capability
- Allow ganesha to chat with unconfined domains via dbus
- Add nmbd_t capability2 block_suspend
- Add domain transition from sosreport_t to iptables_t
- Dontaudit init_t to mounton modules_object_t
- Add interface files_dontaudit_mounton_modules_object
- Allow xdm_t to execute files labeled as xdm_var_lib_t
- Make mtrr_device_t mountpoint.
- Fix path to /usr/lib64/erlang/erts-5.10.4/bin/epmd
2017-03-17 17:34:02 +01:00
Peter Robinson
469c7cb44c fix up other docs source 2017-03-09 19:53:13 +00:00
Peter Robinson
88d4af785a use correct source for man pages (hint: 'fedpkg local' is a quick way to test) 2017-03-09 17:11:47 +00:00
Lukas Vrabec
0cdcb41ef4 * Tue Mar 07 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-244 - Update fwupd policy - /usr/libexec/udisks2/udisksd should be labeled as devicekit_disk_exec_t - Update ganesha policy - Allow chronyd to read adjtime - Merge pull request #194 from hogarthj/certbot_policy - get the correct cert_t context on certbot certificates bz#1289778 - Label /dev/ss0 as gpfs_device_t 2017-03-07 18:22:02 +01:00
Lukas Vrabec
fe778a9320 Fix broken build 2017-03-07 18:09:35 +01:00
Lukas Vrabec
b77d5e5e60 * Thu Mar 02 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-243
-  Allow abrt_t to send mails.
2017-03-02 10:12:44 +01:00
Lukas Vrabec
fbdb6e98da Temporary fix while creating manpages using sepolicy is broken. 2017-03-02 10:04:43 +01:00
Lukas Vrabec
73a41e1268 * Mon Feb 27 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-242
- Add radius_use_jit boolean
- Allow nfsd_t domain to create sysctls_rpc_t files
- add the policy required for nextcloud
- Allow can_load_kernmodule to load kernel modules. BZ(1426741)
- Create kernel_create_rpc_sysctls() interface
2017-02-27 10:50:42 +01:00
Lukas Vrabec
acb049dbc4 * Tue Feb 21 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-241
- Remove ganesha from gluster module and create own module for ganesha
- FIx label for /usr/lib/libGLdispatch.so.0.0.0
2017-02-21 14:04:18 +01:00
Lukas Vrabec
9930e8f125 * Wed Feb 15 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-240
- Dontaudit xdm_t wake_alarm capability2
- Allow systemd_initctl_t to create and connect unix_dgram sockets
- Allow ifconfig_t to mount/unmount nsfs_t filesystem
- Add interfaces allowing mount/unmount nsfs_t filesystem
- Label /usr/lib/libGLdispatch.so.0.0.0 as textrel_shlib_t BZ(1419944)
2017-02-15 15:41:56 +01:00
Lukas Vrabec
7c40aea259 * Mon Feb 13 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-239
- Allow syslog client to connect to kernel socket. BZ(1419946)
2017-02-13 10:17:47 +01:00