Commit Graph

2146 Commits

Author SHA1 Message Date
Zdenek Pytela
d1c7bc688f * Tue Jul 07 2020 Zdenek Pytela <zpytela@redhat.com> - 3.14.6-18
- Allow oddjob_t process noatsecure permission for ipa_helper_t
- Allow keepalived manage its private type runtime directories
- Update irqbalance runtime directory file context
- Allow irqbalance file transition for pid sock_files and directories
- Allow systemd_private_tmp(dirsrv_tmp_t) instead of dirsrv_t
- Allow virtlogd_t manage virt lib files
- Allow systemd set efivarfs files attributes
- Support systemctl --user in machinectl
- Allow chkpwd_t read and write systemd-machined devpts character nodes
- Allow init_t write to inherited systemd-logind sessions pipes
2020-07-07 16:11:16 +02:00
Zdenek Pytela
c04fecfb03 * Fri Jun 26 2020 Zdenek Pytela <zpytela@redhat.com> - 3.14.6-17
- Allow pdns server to read system state
- Allow irqbalance nnp_transition
- Fix description tag for the sssd_connect_all_unreserved_ports tunable
- Allow journalctl process set its resource limits
- Add sssd_access_kernel_keys tunable to conditionally access kernel keys
- Make keepalived work with network namespaces
- Create sssd_connect_all_unreserved_ports boolean
- Allow hypervkvpd to request kernel to load a module
- Allow systemd_private_tmp(dirsrv_tmp_t)
- Allow microcode_ctl get attributes of sysfs directories
- Remove duplicate files_dontaudit_list_tmp(radiusd_t) line
- Allow radiusd connect to gssproxy over unix domain stream socket
- Add fwupd_cache_t file context for '/var/cache/fwupd(/.*)?'
- Allow qemu read and write /dev/mapper/control
- Allow tlp_t can_exec() tlp_exec_t
- Dontaudit vpnc_t setting its process scheduling
- Remove files_mmap_usr_files() call for particular domains
- Allow dirsrv_t list cgroup directories
- Crete the kerberos_write_kadmind_tmp_files() interface
- Allow realmd_t dbus chat with accountsd_t
- Label systemd-growfs and systemd-makefs       as fsadm_exec_t
- Allow staff_u and user_u setattr generic usb devices
- Allow sysadm_t dbus chat with accountsd
- Modify kernel_rw_key() not to include append permission
- Add kernel_rw_key() interface to access to kernel keyrings
- Modify systemd_delete_private_tmp() to use delete_*_pattern macros
- Allow systemd-modules to load kernel modules
- Add cachefiles_dev_t as a typealias to cachefiles_device_t
- Allow libkrb5 lib read client keytabs
- Allow domain mmap usr_t files
- Remove files_mmap_usr_files() call for systemd domains
- Allow sshd write to kadmind temporary files
- Do not audit staff_t and user_t attempts to manage boot_t entries
- Add files_dontaudit_manage_boot_dirs() interface
- Allow systemd-tty-ask-password-agent read efivarfs files
2020-06-26 16:15:46 +02:00
Adam Williamson
154654f526 Bump and build for scriptlet fix 2020-06-25 17:13:28 -07:00
Adam Williamson
69200e5a7d scriptlets: always existence-check /etc/selinux/config
This does not work as expected with `/bin/sh` if the file does
not exist:

. %{_sysconfdir}/selinux/config &> /dev/null || true;

when run with `/bin/sh` (as opposed to `/bin/bash`) it exits 1
if the file does not exist. It exits 0 if the file exists but
there is an error parsing it. When run with `/bin/bash` it exits
0 in both cases as expected, but RPM scriptlets are run with sh.

To avoid this problem, we must always explicitly do an existence
check on the file before attempting to source it.

Signed-off-by: Adam Williamson <awilliam@redhat.com>
2020-06-25 17:10:29 -07:00
Zdenek Pytela
5cdd516855 * Thu Jun 04 2020 Zdenek Pytela <zpytela@redhat.com> - 3.14.6-15
- Add fetchmail_uidl_cache_t type for /var/mail/.fetchmail.pid
- Support multiple ways of tlp invocation
- Allow qemu-kvm read and write /dev/mapper/control
- Introduce logrotate_use_cifs boolean
- Allow ptp4l_t sys_admin capability to run bpf programs
- Allow to getattr files on an nsfs filesystem
- httpd: Allow NoNewPriv transition from systemd
- Allow rhsmd read process state of all domains and kernel threads
- Allow rhsmd mmap /etc/passwd
- Allow systemd-logind manage efivarfs files
- Allow initrc_t tlp_filetrans_named_content()
- Allow systemd_resolved_t to read efivarfs
- Allow systemd_modules_load_t to read efivarfs
- Introduce systemd_read_efivarfs_type attribute
- Allow named transition for /run/tlp from a user shell
- Allow ipsec_mgmt_t mmap ipsec_conf_file_t files
- Add file context for /sys/kernel/tracing
2020-06-04 13:00:42 +02:00
Zdenek Pytela
1111964e2a * Tue May 19 2020 Zdenek Pytela <zpytela@redhat.com> - 3.14.6-14
- Allow chronyc_t domain to use nsswitch
- Allow nscd_socket_use() for domains in nscd_use() unconditionally
- Add allow rules for lttng-sessiond domain
- Label dirsrv systemd unit files and add dirsrv_systemctl()
- Allow gluster geo-replication in rsync mode
- Allow nagios_plugin_domain execute programs in bin directories
- Allow sys_admin capability for domain labeled systemd_bootchart_t
- Split the arping path regexp to 2 lines to prevent from relabeling
- Allow tcpdump sniffing offloaded (RDMA) traffic
- Revert "Change arping path regexp to work around fixfiles incorrect handling"
- Change arping path regexp to work around fixfiles incorrect handling
- Allow read efivarfs_t files by domains executing systemctl file
2020-05-19 17:52:53 +02:00
Zdenek Pytela
6a3fec4b74 * Wed Apr 29 2020 Zdenek Pytela <zpytela@redhat.com> - 3.14.6-13
- Update networkmanager_read_pid_files() to allow also list_dir_perms
- Update policy for NetworkManager_ssh_t
- Allow glusterd synchronize between master and slave
- Allow spamc_t domain to read network state
- Allow strongswan use tun/tap devices and keys
- Allow systemd_userdbd_t domain logging to journal
2020-04-29 11:21:16 +02:00
Vit Mojzis
53368f319b Disable ipa_custodia before policy update
Ipa_custodia was merged into ipa policy module. To avoid conflicts
the module needs to be disabled before policy update.

Fixes:
   Running scriptlet: selinux-policy-targeted-3.14.5-35.fc32.noarch
   Re-declaration of type ipa_custodia_t
   Failed to create node
   Bad type declaration at /var/lib/selinux/targeted/tmp/modules/100/ipa_custodia/cil:1
   /usr/sbin/semodule:  Failed!
2020-04-27 09:24:03 +02:00
Zdenek Pytela
b7b2c03ca7 * Tue Apr 16 2020 Zdenek Pytela <zpytela@redhat.com> - 3.14.6-12
- Allow rngd create netlink_kobject_uevent_socket and read udev runtime files
- Allow ssh-keygen create file in /var/lib/glusterd
- Update ctdbd_manage_lib_files() to also allow mmap ctdbd_var_lib_t files
- Merge ipa and ipa_custodia modules
- Allow NetworkManager_ssh_t to execute_no_trans for binary ssh_exec_t
- Introduce daemons_dontaudit_scheduling boolean
- Modify path for arping in netutils.fc to match both bin and sbin
- Change file context for /var/run/pam_ssh to match file transition
- Add file context entry and file transition for /var/run/pam_timestamp
2020-04-14 16:43:04 +02:00
Zdenek Pytela
9006b430b3 * Tue Mar 31 2020 Zdenek Pytela <zpytela@redhat.com> - 3.14.6-11
- Allow NetworkManager manage dhcpd unit files
- Update ninfod policy to add nnp transition from systemd to ninfod
- Remove container interface calling by named_filetrans_domain.
2020-03-31 09:52:00 +02:00
Zdenek Pytela
08e09fd9c1 * Wed Mar 25 2020 Zdenek Pytela <zpytela@redhat.com> - 3.14.6-10
- Allow openfortivpn exec shell
- Remove label session_dbusd_tmp_t for /run/user/USERID/systemd
- Add ibacm_t ipc_lock capability
- Allow ipsec_t connectto ipsec_mgmt_t
- Remove ipa_custodia
- Allow systemd-journald to read user_tmp_t symlinks
2020-03-25 18:09:22 +01:00
Zdenek Pytela
099d40eeb8 * Wed Mar 18 2020 Zdenek Pytela <zpytela@redhat.com> - 3.14.6-9
- Allow zabbix_t manage and filetrans temporary socket files
- Makefile: fix tmp/%.mod.fc target
2020-03-18 13:55:22 +01:00
Zdenek Pytela
e3700463c8 * Fri Mar 13 2020 Zdenek Pytela <zpytela@redhat.com> - 3.14.6-8
- Allow NetworkManager read its unit files and manage services
- Add init_daemon_domain() for geoclue_t
- Allow to use nnp_transition in pulseaudio_role
- Allow pdns_t domain to map files in /usr.
- Label all NetworkManager fortisslvpn plugins as openfortivpn_exec_t
- Allow login_pgm create and bind on netlink_selinux_socket
2020-03-13 09:22:23 +01:00
Ondrej Mosnacek
7579dcf465 Extend use of %common_params
Commit f76a9deccc ("Consolidate make parameters") replaced most
occurences of common make params with a single %common_params macro
call, but it omitted two places. Extend the %common_params usage to
these as well.

Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
2020-03-11 14:15:18 +01:00
Zdenek Pytela
30da7f7067 * Mon Mar 09 2020 Zdenek Pytela <zpytela@redhat.com> - 3.14.6-7
- Allow sssd read systemd-resolved runtime directory
- Allow sssd read NetworkManager's runtime directory
- Mark nm-cloud-setup systemd units as NetworkManager_unit_file_t
- Allow system_mail_t to signull pcscd_t
- Create interface pcscd_signull
- Allow auditd poweroff or switch to single mode
2020-03-09 17:07:28 +01:00
Lukas Vrabec
eacc15421e
* Fri Feb 28 2020 Lukas Vrabec <lvrabec@redhat.com> - 3.14.6-6
- Allow postfix stream connect to cyrus through runtime socket
- Dontaudit daemons to set and get scheduling policy/parameters
2020-02-28 17:13:35 +01:00
Lukas Vrabec
6f3f722f7d
* Sat Feb 22 2020 Lukas Vrabec <lvrabec@redhat.com> - 3.14.6-5
- Allow certmonger_t domain to read pkcs_slotd lock files
- Allow httpd_t domain to mmap own var_lib_t files BZ(1804853)
- Allow ipda_custodia_t to create udp_socket and added permission nlmsg_read for netlink_route_sockets
- Make file context more variable for /usr/bin/fusermount and /bin/fusermount
- Allow local_login_t domain to getattr cgroup filesystem
- Allow systemd_logind_t domain to manage user_tmp_t char and block devices
2020-02-22 17:02:13 +01:00
Lukas Vrabec
e0ee9a1a66
* Tue Feb 18 2020 Lukas Vrabec <lvrabec@redhat.com> - 3.14.6-4
- Update virt_read_qemu_pid_files inteface
- Allow systemd_logind_t domain to getattr cgroup filesystem
- Allow systemd_logind_t domain to manage user_tmp_t char and block devices
- Allow nsswitch_domain attribute to stream connect to systemd process
2020-02-18 18:04:28 +01:00
Lukas Vrabec
48b6fc450f
Update changelog to descending chronological order 2020-02-16 13:08:28 +01:00
Lukas Vrabec
fc739f4200
* Sun Feb 16 2020 Lukas Vrabec <lvrabec@redhat.com> - 3.14.6-3
- Allow systemd labeled as init_t to manage systemd_userdbd_runtime_t symlinks
- Allow systemd_userdbd_t domain to read efivarfs files
2020-02-16 13:00:31 +01:00
Lukas Vrabec
8c624edf84
* Sat Feb 15 2020 Lukas Vrabec <lvrabec@redhat.com> - 3.14.6-2
- Allow vhostmd communication with hosted virtual machines
- Add and update virt interfaces
- Update radiusd policy
- Allow systemd_private_tmp(named_tmp_t)
- Allow bacula dac_override capability
- Allow systemd_networkd_t to read efivarfs
- Add support for systemd-userdbd
- Allow systemd system services read efivarfs files
2020-02-16 00:25:43 +01:00
Lukas Vrabec
0270e1e28d
* Sun Feb 16 2020 Lukas Vrabec <lvrabec@redhat.com> - 3.14.6-1
- Bump version to 3.14.6 because fedora 32 was branched
2020-02-16 00:22:07 +01:00
Zdenek Pytela
916c9099f2 * Fri Feb 07 2020 Zdenek Pytela <zpytela@redhat.com> - 3.14.5-24
- Allow ptp4l_t create and use packet_socket sockets
- Allow ipa_custodia_t create and use netlink_route_socket sockets.
- Allow networkmanager_t transition to setfiles_t
- Create init_create_dirs boolean to allow init create directories
2020-02-07 17:22:36 +01:00
Ondrej Mosnacek
2a989ab68e spec: Use RPM path macros more consistently
Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
2020-02-07 12:37:11 +01:00
Zdenek Pytela
4ee1dfc5d7 * Fri Jan 31 2020 Zdenek Pytela <zpytela@redhat.com> - 3.14.5-23
- Allow thumb_t connect to system_dbusd_t BZ(1795044)
- Allow saslauthd_t filetrans variable files for /tmp directory
- Added apache create log dirs macro
- Tiny documentation fix
- Allow openfortivpn_t to manage net_conf_t files.
- Introduce boolean openfortivpn_can_network_connect.
- Dontaudit domain chronyd_t to list in user home dirs.
- Allow init_t to create apache log dirs.
- Add file transition for /dev/nvidia-uvm BZ(1770588)
- Allow syslog_t to read efivarfs_t files
- Add ioctl to term_dontaudit_use_ptmx macro
- Update xserver_rw_session macro
2020-01-31 10:53:24 +01:00
Fedora Release Engineering
6f927019b9 - Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
Signed-off-by: Fedora Release Engineering <releng@fedoraproject.org>
2020-01-30 23:12:11 +00:00
Zdenek Pytela
07e568bc06 * Fri Jan 24 2020 Zdenek Pytela <zpytela@redhat.com> - 3.14.5-21
- Dontaudit timedatex_t read file_contexts_t and validate security contexts
- Make stratisd_t domain unconfined for now.
- stratisd_t policy updates.
- Label /var/spool/plymouth/boot.log as plymouthd_var_log_t
- Label /stratis as stratisd_data_t
- Allow opafm_t to create and use netlink rdma sockets.
- Allow stratisd_t domain to read/write fixed disk devices and removable devices.
- Added macro for stratisd to chat over dbus
- Add dac_override capability to stratisd_t domain
- Allow init_t set the nice level of all domains BZ(1778088)
- Allow userdomain to chat with stratisd over dbus.
2020-01-24 17:07:51 +01:00
Vit Mojzis
ee6e28e884 Fix %post script failures in selinux-policy-*
Since /etc/selinux/config is created in a %post script and execution
order of post scripts cannot be ensured in this case, all commands in
post have to be able to work without /etc/selinux/config.

Also standalone execution of selinuxenabled in relabel macro would cause
%post of all selinux-policy-* packages to fail in case selinux was
disabled.

Fixes:
   https://bugzilla.redhat.com/show_bug.cgi?id=1723940
2020-01-13 19:07:10 +00:00
Lukas Vrabec
0f62f5946f
* Mon Jan 13 2020 Lukas Vrabec <lvrabec@redhat.com> - 3.14.5-20
- Fix typo in anaconda SELinux module
- Allow rtkit_t domain  to control scheduling for your install_t processes
- Boolean: rngd_t to use executable memory
- Allow rngd_t domain to use nsswitch BZ(1787661)
- Allow exim to execute bin_t without domain trans
- Allow create udp sockets for abrt_upload_watch_t domains
- Drop label zebra_t for frr binaries
- Allow NetworkManager_t domain to get status of samba services
- Update milter policy to allow use sendmail
- Modify file context for .local directory to match exactly BZ(1637401)
- Allow init_t domain to create own socket files in /tmp
- Allow ipsec_mgmt_t domain to mmap ipsec_conf_file_t files
- Create files_create_non_security_dirs() interface
2020-01-13 10:09:50 +01:00
Ondrej Mosnacek
e4f8091964 Remove all the "factory reset" stuff
From reading BZ1290659 [1] it sounds like the ostree issue was resolved
by using /etc/selinux as the store root instead of /var/lib/selinux so I
believe the /usr/share/selinux redundant files are no longer needed.
Also remove all other leftovers of the factory reset thing...

[1] https://bugzilla.redhat.com/show_bug.cgi?id=1290659

Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
2020-01-07 15:45:12 +01:00
Zdenek Pytela
a9b321b3cc * Fri Dec 20 2019 Zdenek Pytela <zpytela@redhat.com> - 3.14.5-19
- Allow init_t nnp domain transition to kmod_t
- Allow userdomain dbus chat with systemd_resolved_t
- Allow init_t read and setattr on /var/lib/fprintd
- Allow sysadm_t dbus chat with colord_t
- Allow confined users run fwupdmgr
- Allow confined users run machinectl
- Allow systemd labeled as init_t domain to create dirs labeled as var_t
- Allow systemd labeled as init_t do read/write tpm_device_t chr files BZ(1778079)
- Add new file context rabbitmq_conf_t.
- Allow journalctl read init state BZ(1731753)
- Add fprintd_read_var_lib_dir and fprintd_setattr_var_lib_dir interfaces
- Allow pulseaudio create .config and dgram sendto to unpriv_userdomain
- Change type in transition for /var/cache/{dnf,yum} directory
- Allow cockpit_ws_t read efivarfs_t BZ(1777085)
- Allow abrt_dump_oops_t domain to create udp sockets BZ(1778030)
- Allow named_t domain to mmap named_zone_t files BZ(1647493)
- Make boinc_var_lib_t label system mountdir attribute
- Allow stratis_t domain to request load modules
- Update fail2ban policy
- Allow spamd_update_t access antivirus_unit_file_t BZ(1774092)
- Allow uuidd_t Domain trasition from sytemd into confined domain with NoNewPrivileges Systemd Security feature.
- Allow rdisc_t Domain trasition from sytemd into confined domain with NoNewPrivileges Systemd Security feature.
2019-12-20 17:01:21 +01:00
Ondrej Mosnacek
f76a9deccc Consolidate make parameters
Make code more readable by putting common make parameters under a common
macro. Also fix the sandbox.pp command-line, which was copy-pasted out
of context...

Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
2019-12-04 11:48:03 +00:00
Lukas Vrabec
6ed257bb1a
- Allow systemd to read all proc 2019-11-28 22:55:17 +01:00
Lukas Vrabec
188eac8e79
* Thu Nov 28 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.5-18
- Introduce new type pdns_var_lib_t
- Allow zebra_t domain to read files labled as nsfs_t.
- Allow systemd to setattr on all device_nodes
- Allow systemd to mounton and list all proc types
2019-11-28 22:19:38 +01:00
Lukas Vrabec
f32fe38207
* Wed Nov 27 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.5-17
- Fix nonexisting types in rtas_errd_rw_lock interface
- Allow snmpd_t domain to trace processes in user namespace
- Allow timedatex_t domain to read relatime clock and adjtime_t files
- Allow zebra_t domain to execute zebra binaries
- Label /usr/lib/NetworkManager/dispatcher as NetworkManager_initrc_exec_t
- Allow ksmtuned_t domain to trace processes in user namespace
- Allow systemd to read symlinks in /var/lib
- Update dev_mounton_all_device_nodes() interface
- Add the miscfiles_map_generic_certs macro to the sysnet_dns_name_resolve macro.
- Allow systemd_domain to map files in /usr.
- Allow strongswan start using swanctl method BZ(1773381)
- Dontaudit systemd_tmpfiles_t getattr of all file types BZ(1772976)
2019-11-27 20:26:39 +01:00
Zdenek Pytela
6f1a9fb9a4 * Thu Nov 21 2019 Zdenek Pytela <zpytela@redhat.com> - 3.14.5-16
- Allow timedatex_t domain dbus chat with both confined and unconfined users
- Allow timedatex_t domain dbus chat with unconfined users
- Allow NetworkManager_t manage dhcpc_state_t BZ(1770698)
- Make unconfined domains part of domain_named_attribute
- Label tcp ports 24816,24817 as pulp_port_t
- Remove duplicate entries for initrc_t in init.te
2019-11-21 16:26:28 +01:00
Lukas Vrabec
7694691838
* Thu Nov 14 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.5-15
- Increase SELinux userspace version which should be required.
2019-11-14 09:45:51 +01:00
Lukas Vrabec
67a56dfdce
* Wed Nov 13 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.5-14
- Increase version of kernel compiled binary policy to 32 because of new SELinux userspace v3.0
2019-11-13 22:41:00 +01:00
Lukas Vrabec
d1df004bac
* Wed Nov 13 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.5-13
- Fix typo bugs in rtas_errd_read_lock() interface
- cockpit: Drop cockpit-cert-session
- Allow timedatex_t domain to systemctl chronyd domains
- Allow ipa_helper_t to read kr5_keytab_t files
- cockpit: Allow cockpit-session to read cockpit-tls state directory
- Allow stratisd_t domain to read nvme and fixed disk devices
- Update lldpad_t policy module
- Dontaudit tmpreaper_t getting attributes from sysctl_type files
- cockpit: Support https instance factory
- Added macro for timedatex to chat over dbus.
- Fix typo in dev_filetrans_all_named_dev()
- Update files_manage_etc_runtime_files() interface to allow manage also dirs
- Fix typo in cachefiles device
- Dontaudit sys_admin capability for auditd_t domains
- Allow x_userdomain to read adjtime_t files
- Allow users using template userdom_unpriv_user_template() to run bpf tool
- Allow x_userdomain to dbus_chat with timedatex.
2019-11-13 15:45:37 +01:00
Lukas Vrabec
4faaca1916
* Sun Nov 03 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.5-12
- Label /var/cache/nginx as httpd_cache_t
- Allow abrt_upload_watch_t domain to send dgram msgs to kernel processes and stream connect to journald
- Created dnsmasq_use_ipset boolean
- Allow capability dac_override in logwatch_mail_t domain
- Allow automount_t domain to execute ping in own SELinux domain (ping_t)
- Allow tmpreaper_t domain to getattr files labeled as mtrr_device_t
- Allow collectd_t domain to create netlink_generic_socket sockets
- Allow rhsmcertd_t domain to read/write rtas_errd_var_lock_t files
- Allow tmpwatch process labeled as tmpreaper_t domain to execute fuser command.
- Label /etc/postfix/chroot-update as postfix_exec_t
- Update tmpreaper_t policy due to fuser command
- Allow kdump_t domain to create netlink_route and udp sockets
- Allow stratisd to connect to dbus
- Allow fail2ban_t domain to create netlink netfilter sockets.
- Allow dovecot get filesystem quotas
- Allow networkmanager_t domain to execute chronyd binary in chronyd_t domain. BZ(1765689)
- Allow systemd-tmpfiles processes to set rlimit information
- Allow cephfs to use xattrs for storing contexts
- Update files_filetrans_named_content() interface to allow caller domain to create /oldroot /.profile with correct label etc_runtime_t
2019-11-03 12:59:34 +01:00
Lukas Vrabec
d7e7544fe0
* Fri Oct 25 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.5-11
- Allow confined users to run newaliases
- Add interface mysql_dontaudit_rw_db()
- Label /var/lib/xfsdump/inventory as amanda_var_lib_t
- Allow tmpreaper_t domain to read all domains state
- Make httpd_var_lib_t label system mountdir attribute
- Update cockpit policy
- Update timedatex policy to add macros, more detail below
- Allow nagios_script_t domain list files labled sysfs_t.
- Allow jetty_t domain search and read cgroup_t files.
- Donaudit ifconfig_t domain to read/write mysqld_db_t files
- Dontaudit domains read/write leaked pipes
2019-10-25 11:09:31 +02:00
Lukas Vrabec
03b04ae77e
- Update timedatex policy to add macros, more detail below
- Allow nagios_script_t domain list files labled sysfs_t.
- Allow jetty_t domain search and read cgroup_t files.
- Allow Gluster mount client to mount files_type
- Dontaudit and disallow sys_admin capability for keepalived_t domain
- Update numad policy to allow signull, kill, nice and trace processes
- Allow ipmievd_t to RW watchdog devices
- Allow ldconfig_t domain to manage initrc_tmp_t link files Allow netutils_t domain to write to initrc_tmp_t fifo files
- Allow user domains to manage user session services
- Allow staff and user users to get status of user systemd session
- Update sudo_role_template() to allow caller domain to read syslog pid files
2019-10-22 15:43:26 +02:00
Lukas Vrabec
4a9509e8a2
Fix permissions set on macro-expander tool.
macro-exapnder is part of selinux-policy-devel rpm package, but the tool
was installed with wrong permissions set so it was not possible to
execute this tool. This commit fixes the issue.
2019-10-16 16:40:59 +02:00
Lukas Vrabec
840e53f65a
* Fri Oct 11 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.5-9
- Allow networkmanager_t domain domain transition to chronyc_t domain BZ(1760226)
2019-10-11 15:22:02 +02:00
Lukas Vrabec
39164cea20
* Wed Oct 09 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.5-8
- Update apache and pkcs policies to make active opencryptoki rules
- Allow ipa_ods_exporter_t domain to read krb5_keytab files BZ(1759884)
2019-10-09 20:44:47 +02:00
Lukas Vrabec
b4683c29a5
* Wed Oct 09 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.5-7
- Revert "nova.fc: fix duplicated slash"
- Introduce new bolean httpd_use_opencryptoki
- Add new interface apache_read_state()
- Allow setroubleshoot_fixit_t to read random_device_t
- Label /etc/named direcotory as named_conf_t BZ(1759495)
- nova.fc: fix duplicated slash
- Allow dkim to execute sendmail
- Update virt_read_content interface to allow caller domain mmap virt_content_t block devices and files
- Update aide_t domain to allow this tool to analyze also /dev filesystem
- Update interface modutils_read_module_deps to allow caller domain also mmap modules_dep_t files BZ(1758634)
- Allow avahi_t to send msg to xdm_t
- Allow systemd_logind to read dosfs files & dirs Allow systemd-logind - a system service that manages user logins, to read files and list dirs on a DOS filesystem
- Update dev_manage_sysfs() to support managing also lnk files BZ(1759019)
- Allow systemd_logind_t domain to read blk_files in domain removable_device_t
- Add new interface udev_getattr_rules_chr_files()
2019-10-09 13:13:38 +02:00
Lukas Vrabec
e84c9b118f
* Fri Oct 04 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.5-6
- Update aide_t domain to allow this tool to analyze also /dev filesystem
- Allow bitlbee_t domain map files in /usr
- Allow stratisd to getattr of fixed disk device nodes
- Add net_broadcast capability to openvswitch_t domain BZ(1716044)
- Allow exim_t to read mysqld conf files if exim_can_connect_db is enabled. BZ(1756973)
- Allow cobblerd_t domain search apache configuration dirs
- Dontaudit NetworkManager_t domain to write to kdump temp pipies BZ(1750428)
- Label /var/log/collectd.log as collectd_log_t
- Allow boltd_t domain to manage sysfs files and dirs BZ(1754360)
- Add fowner capability to the pcp_pmlogger_t domain BZ(1754767)
- networkmanager: allow NetworkManager_t to create bluetooth_socket
- Fix ipa_custodia_stream_connect interface
- Add new interface udev_getattr_rules_chr_files()
- Make dbus-broker service working on s390x arch
- Add new interface dev_mounton_all_device_nodes()
- Add new interface dev_create_all_files()
- Allow systemd(init_t) to load kernel modules
- Allow ldconfig_t domain to manage initrc_tmp_t objects
- Add new interface init_write_initrc_tmp_pipes()
- Add new interface init_manage_script_tmp_files()
- Allow xdm_t setpcap capability in user namespace BZ(1756790)
- Allow x_userdomain to mmap generic SSL certificates
- Allow xdm_t domain to user netlink_route sockets BZ(1756791)
- Update files_create_var_lib_dirs() interface to allow caller domain also set attributes of var_lib_t directory BZ(1754245)
- Allow sudo userdomain to run rpm related commands
- Add sys_admin capability for ipsec_t domain
- Allow systemd_modules_load_t domain to read systemd pid files
- Add new interface init_read_pid_files()
- Allow systemd labeled as init_t domain to manage faillog_t objects
- Add file context ipsec_var_run_t for /var/run/charon\.dck to ipsec.fc
- Make ipa_custodia policy active
2019-10-04 14:03:09 +02:00
Lukas Vrabec
a21f7739e6
Update fixed sources from github 2019-09-20 23:31:28 +02:00
Lukas Vrabec
c3cb5b2032
* Fri Sep 20 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.5-5
- Fix ipa_custodia_stream_connect interface
- Allow systemd_modules_load_t domain to read systemd pid files
- Add new interface init_read_pid_files()
- Allow systemd labeled as init_t domain to manage faillog_t objects
- Add file context ipsec_var_run_t for /var/run/charon\.dck to ipsec.fc
2019-09-20 23:17:36 +02:00
Lukas Vrabec
361693e74b
* Fri Sep 20 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.5-4
- Run ipa-custodia as ipa_custodia_t
- Update webalizer_t SELinux policy
- Dontaudit thumb_t domain to getattr of nsfs_t files BZ(1753598)
- Allow rhsmcertd_t domain to read rtas_errd lock files
- Add new interface rtas_errd_read_lock()
- Update allow rules set for nrpe_t domain
- Update timedatex SELinux policy to to sychronizate time with GNOME and add new macro chronyd_service_status to chronyd.if
- Allow avahi_t to send msg to lpr_t
- Label /dev/shm/dirsrv/ with dirsrv_tmpfs_t label
- Allow dlm_controld_t domain to read random device
- Label libvirt drivers as virtd_exec_t
- Add sys_ptrace capability to pcp_pmlogger_t domain BZ(1751816)
- Allow gssproxy_t domain read state of all processes on system
- Add new macro systemd_timedated_status to systemd.if to get timedated service status
- Introduce xdm_manage_bootloader booelan
- Revert "Unconfined domains, need to create content with the correct labels"
- Allow xdm_t domain to read sssd pid files BZ(1753240)
- Move open, audit_access, and execmod to common file perms
2019-09-20 15:00:31 +02:00
Lukas Vrabec
f1d354de29
* Fri Sep 13 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.5-3
- Add sys_ptrace capability to pcp_pmlogger_t domain BZ(1751816)
- Allow gssproxy_t domain read state of all processes on system
- Fix typo in cachefilesd module
- Allow cachefilesd_t domain to read/write cachefiles_device_t devices
- Remove setting label for /dev/cachefilesd char device from cachefilesd policy. This should be added in base policy
- Add sys_admin capability for keepalived_t labeled processes
- Allow user_mail_domain attribute to manage files labeled as etc_aliases_t.
- Create new type ipmievd_helper_t domain for loading kernel modules.
- Run stratisd service as stratisd_t
- Fix abrt_upload_watch_t in abrt policy
- Update keepalived policy
- Update cron_role, cron_admin_role and cron_unconfined_role to avoid *_t_t types
- Revert "Create admin_crontab_t and admin_crontab_tmp_t types"
- Revert "Update cron_role() template to accept third parameter with SELinux domain prefix"
- Allow amanda_t to manage its var lib files and read random_device_t
- Create admin_crontab_t and admin_crontab_tmp_t types
- Add setgid and setuid capabilities to keepalived_t domain
- Update cron_role() template to accept third parameter with SELinux domain prefix
- Allow psad_t domain to create tcp diag sockets BZ(1750324)
- Allow systemd to mount fwupd_cache_t BZ(1750288)
- Allow chronyc_t domain to append to all non_security files
- Update zebra SELinux policy to make it work also with frr service
- Allow rtkit_daemon_t domain set process nice value in user namespaces BZ(1750024)
- Dontaudit rhsmcertd_t to write to dirs labeled as lib_t BZ(1556763)
- Label /var/run/mysql as mysqld_var_run_t
- Allow chronyd_t domain to manage and create chronyd_tmp_t dirs,files,sock_file objects.
- Update timedatex policy to manage localization
- Allow sandbox_web_type domains to sys_ptrace and sys_chroot in user namespaces
- Update gnome_dontaudit_read_config
- Allow devicekit_var_lib_t dirs to be created by systemd during service startup. BZ(1748997)
- Allow systemd labeled as init_t domain to remount rootfs filesystem
- Add interface files_remount_rootfs()
- Dontaudit sys_admin capability for iptables_t SELinux domain
- Label /dev/cachefilesd as cachefiles_device_t
- Make stratisd policy active
- Allow userdomains to dbus chat with policykit daemon
- Update userdomains to pass correct parametes based on updates from cron_*_role interfaces
- New interface files_append_non_security_files()
- Label 2618/tcp and 2618/udp as priority_e_com_port_t
- Label 2616/tcp and 2616/udp as appswitch_emp_port_t
- Label 2615/tcp and 2615/udp as firepower_port_t
- Label 2610/tcp and 2610/udp as versa_tek_port_t
- Label 2613/tcp and 2613/udp as smntubootstrap_port_t
- Label 3784/tcp and 3784/udp as bfd_control_port_t
- Remove rule allowing all processes to stream connect to unconfined domains
2019-09-13 17:04:11 +02:00
Lukas Vrabec
d2110e0b7c
* Wed Sep 04 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.5-2
- Allow zabbix_t domain to manage zabbix_var_lib_t sock files and connect to unix_stream_socket
- Dontaudit sandbox web types to setattr lib_t dirs
- Dontaudit system_mail_t domains to check for existence other applications on system BZ(1747369)
- Allow haproxy_t domain to read network state of system
- Allow processes labeled as keepalived_t domain to get process group
- Introduce dbusd_unit_file_type
- Allow pesign_t domain to read/write named cache files.
- Label /var/log/hawkey.log as rpm_log_t and update rpm named filetrans interfaces.
- Allow httpd_t domain to read/write named_cache_t files
- Add new interface bind_rw_cache()
- Allow cupsd_t domain to create directory with name ppd in dirs labeled as cupsd_etc_t with label cupsd_rw_etc_t.
- Update cpucontrol_t SELinux policy
- Allow pcp_pmcd_t domain to bind on udp port labeled as statsd_port_t
- Run lldpd service as lldpad_t.
- Allow spamd_update_t domain to create unix dgram sockets.
- Update dbus role template for confined users to allow login into x session
- Label /usr/libexec/microcode_ctl/reload_microcode as cpucontrol_exec_t
- Fix typo in networkmanager_append_log() interface
- Update collectd policy to allow daemon create /var/log/collectd with collectd_log_t label
- Allow login user type to use systemd user session
- Allow xdm_t domain to start dbusd services.
- Introduce new type xdm_unit_file_t
- Remove allowing all domain to communicate over pipes with all domain under rpm_transition_domain attribute
- Allow systemd labeled as init_t to remove sockets with tmp_t label BZ(1745632)
- Allow ipsec_t domain to read/write named cache files
- Allow sysadm_t to create hawkey log file with rpm_log_t SELinux label
- Allow domains systemd_networkd_t and systemd_logind_t to chat over dbus
- Label udp 8125 port as statsd_port_t
2019-09-04 18:09:39 +02:00
Lukas Vrabec
7961246df4
* Tue Aug 13 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.5-1
- Bump version
2019-08-13 19:10:26 +02:00
Lukas Vrabec
7bacb4d438
* Tue Aug 13 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.4-31
- Update timedatex policy BZ(1734197)
2019-08-13 19:06:46 +02:00
Lukas Vrabec
bee0c094a4
* Tue Aug 13 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.4-30
- cockpit: Allow cockpit-session to read cockpit-tls state
- Allow zebrat_t domain to read state of NetworkManager_t processes BZ(1739983)
- Allow named_t domain to read/write samba_var_t files BZ(1738794)
- Dontaudit abrt_t domain to read root_t files
- Allow ipa_dnskey_t domain to read kerberos keytab
- Allow mongod_t domain to read cgroup_t files BZ(1739357)
- Update ibacm_t policy
- Allow systemd to relabel all files on system.
- Revert "Add new boolean systemd_can_relabel"
- Allow xdm_t domain to read kernel sysctl BZ(1740385)
- Add sys_admin capability for xdm_t in user namespace. BZ(1740386)
- Allow dbus communications with resolved for DNS lookups
- Add new boolean systemd_can_relabel
- Allow auditd_t domain to create auditd_tmp_t temporary files and dirs in /tmp or /var/tmp
- Label '/var/usrlocal/(.*/)?sbin(/.*)?' as bin_t
- Update systemd_dontaudit_read_unit_files() interface to dontaudit alos listing dirs
- Run lvmdbusd service as lvm_t
2019-08-13 17:59:35 +02:00
Lukas Vrabec
6e1369286b
* Wed Aug 07 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.4-29
- Allow dlm_controld_t domain setgid capability
- Fix SELinux modules not installing in chroots.
Resolves: rhbz#1665643
2019-08-07 17:38:17 +02:00
Lukas Vrabec
e89a7ef306
* Tue Aug 06 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.4-28
- Allow systemd to create and bindmount dirs. BZ(1734831)
2019-08-06 10:48:46 +02:00
Lukas Vrabec
2442d10f50
* Mon Aug 05 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.4-27
- Allow tlp domain run tlp in trace mode BZ(1737106)
- Make timedatex_t domain system dbus bus client BZ(1737239)
- Allow cgdcbxd_t domain to list cgroup dirs
- Allow systemd to create and bindmount dirs. BZ(1734831)
2019-08-05 18:25:34 +02:00
Lukas Vrabec
0775289b10
* Tue Jul 30 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.4-26
- New policy for rrdcached
- Allow dhcpd_t domain to read network sysctls.
- Allow nut services to communicate with unconfined domains
- Allow virt_domain to Support ecryptfs home dirs.
- Allow domain transition lsmd_t to sensord_t
- Allow httpd_t to signull mailman_cgi_t process
- Make rrdcached policy active
- Label /etc/sysconfig/ip6?tables\.save as system_conf_t Resolves: rhbz#1733542
- Allow machinectl to run pull-tar BZ(1724247)
2019-07-30 10:51:50 +02:00
Lukas Vrabec
c8c754cba3
* Fri Jul 26 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.4-25
- Allow spamd_update_t domain to read network state of system BZ(1733172)
- Allow dlm_controld_t domain to transition to the lvm_t
- Allow sandbox_web_client_t domain to do sys_chroot in user namespace
- Allow virtlockd process read virtlockd.conf file
- Add more permissions for session dbus types to make working dbus broker with systemd user sessions
- Allow sssd_t domain to read gnome config and named cache files
- Allow brltty to request to load kernel module
- Add svnserve_tmp_t label forl svnserve temp files to system private tmp
- Allow sssd_t domain to read kernel net sysctls BZ(1732185)
- Run timedatex service as timedatex_t
- Allow mysqld_t domain to domtrans to ifconfig_t domain when executing ifconfig tool
- Allow cyrus work with PrivateTmp
- Make cgdcbxd_t domain working with SELinux enforcing.
- Make working wireshark execute byt confined users staff_t and sysadm_t
- Dontaudit virt_domain to manage ~/.cache dirs BZ(1730963)
- Allow svnserve_t domain to read system state
- allow named_t to map named_cache_t files
- Label user cron spool file with user_cron_spool_t
- Update gnome_role_template() template to allow sysadm_t confined user to login to xsession
- Allow lograte_t domain to manage collect_rw_content files and dirs
- Add interface collectd_manage_rw_content()
- Allow ifconfig_t domain to manage vmware logs
- Remove system_r role from staff_u user.
- Make new timedatex policy module active
- Add systemd_private_tmp_type attribute
- Allow systemd to load kernel modules during boot process.
- Allow sysadm_t and staff_t domains to read wireshark shared memory
- Label /usr/libexec/utempter/utempter  as utemper_exec_t
- Allow ipsec_t domain to read/write  l2tpd pipe BZ(1731197)
- Allow sysadm_t domain to create netlink selinux sockets
- Make cgdcbxd active in Fedora upstream sources
2019-07-26 10:28:53 +02:00
Lukas Vrabec
9fad02a45b
* Wed Jul 17 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.4-24
- Label user cron spool file with user_cron_spool_t
- Update gnome_role_template() template to allow sysadm_t confined user to login to xsession
- Allow lograte_t domain to manage collect_rw_content files and dirs
- Add interface collectd_manage_rw_content()
- Allow systemd_hostnamed_t domain to dbus chat with sosreport_t domain
- Update  tomcat_can_network_connect_db boolean to allow tomcat domains also connect to redis ports
- Allow mysqld_t domain to manage cluster pid files
- Relabel  /usr/sbin/virtlockd from virt_exec_t to virtlogd_exec_t.
- Allow ptp4l_t domain to write to pmc socket which is created by pmc command line tool
- Allow dkim-milter to send e-mails BZ(1716937)
- Update spamassasin policy to make working /usr/share/spamassassin/sa-update.cron script BZ(1711799)
- Update svnserve_t policy to make working svnserve hooks
- Allow varnishlog_t domain to check for presence of varnishd_t domains
- Update sandboxX policy to make working firefox inside SELinux sandbox
- Remove allow rule from svirt_transition_svirt_sandbox interface to don't allow containers to connect to random services
- Allow httpd_t domain to read /var/lib/softhsm/tokens to allow httpd daemon to use pkcs#11 devices
- Allow gssd_t domain to list tmpfs_t dirs
- Allow mdadm_t domain to read tmpfs_t files
- Allow sbd_t domain to check presence of processes labeled as cluster_t
- Dontaudit httpd_sys_script_t to read systemd unit files
- Allow blkmapd_t domain to read nvme devices
- Update cpucontrol_t domain to make working microcode service
- Allow domain transition from logwatch_t do postfix_postqueue_t
- Allow chronyc_t domain to create and write to non_security files in case when sysadmin is redirecting output to file e.g: 'chronyc -n tracking > /var/lib/test'
- Allow httpd_sys_script_t domain to mmap httpcontent
- Allow sbd_t to manage cgroups_t files
- Update wireshark policy to make working tshar labeled as wireshark_t
- Update virt_use_nfs boolean to allow svirt_t domain to mmap nfs_t files
- Allow sysadm_t domain to create netlink selinux sockets
- Make cgdcbxd active in Fedora upstream sources
- Allow sysadm_t domain to dbus chat with rtkit daemon
- Allow x_userdomains to nnp domain transition to thumb_t domain
- Allow unconfined_domain_type to setattr own process lnk files.
- Add interface files_write_generic_pid_sockets()
- Dontaudit writing to user home dirs by gnome-keyring-daemon
- Allow staff and admin domains to setpcap in user namespace
- Allow staff and sysadm to use lockdev
- Allow staff and sysadm users to run iotop.
- Dontaudit traceroute_t domain require sys_admin capability
- Dontaudit dbus chat between kernel_t and init_t
- Allow systemd labeled as init_t to create mountpoints without any specific label as default_t
2019-07-17 17:58:49 +02:00
Lukas Vrabec
9a1d06b5aa
* Wed Jul 10 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.4-23
- Update dbusd policy and netowrkmanager to allow confined users to connect to vpn over NetworkManager
- Fix all interfaces which cannot by compiled because of typos
- Allow X userdomains to mmap user_fonts_cache_t dirs
2019-07-10 10:16:00 +02:00
Lukas Vrabec
f57a61daab
* Mon Jul 08 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.4-22
- Label /var/kerberos/krb5 as krb5_keytab_t
- Allow glusterd_t domain to setpgid
- Allow lsmd_t domain to execute /usr/bin/debuginfo-install
- Allow sbd_t domain to manage cgroup dirs
- Allow opafm_t domain to modify scheduling information of another process.
- Allow wireshark_t domain to create netlink netfilter sockets
- Allow gpg_agent_t domain to use nsswitch
- Allow httpd script types to mmap httpd rw content
- Allow dkim_milter_t domain to execute shell BZ(17116937)
- Allow sbd_t domain to use nsswitch
- Allow rhsmcertd_t domain to send signull to all domains
- Allow snort_t domain to create netlink netfilter sockets BZ(1723184)
- Dontaudit blueman to read state of all domains on system BZ(1722696)
- Allow boltd_t domain to use ps and get state of all domains on system. BZ(1723217)
- Allow rtkit_daemon_t to uise sys_ptrace usernamespace capability BZ(1723308)
- Replace "-" by "_" in types names
- Change condor_domain declaration in condor_systemctl
- Allow firewalld_t domain to read iptables_var_run_t files BZ(1722405)
- Allow auditd_t domain to send signals to audisp_remote_t domain
- Allow systemd labeled as init_t domain to read/write faillog_t. BZ(1723132)
- Allow systemd_tmpfiles_t domain to relabel from usermodehelper_t files
- Add interface kernel_relabelfrom_usermodehelper()
- Dontaudit unpriv_userdomain to manage boot_t files
- Allow xdm_t domain to mmap /var/lib/gdm/.cache/fontconfig BZ(1725509)
- Allow systemd to execute bootloader grub2-set-bootflag BZ(1722531)
- Allow associate efivarfs_t on sysfs_t
2019-07-08 10:00:11 +02:00
Lukas Vrabec
4d8c6240ed
* Tue Jun 18 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.4-21
- Add vnstatd_var_lib_t to mountpoint attribute BZ(1648864)
- cockpit: Support split-out TLS proxy
- Allow dkim_milter_t to use shell BZ(1716937)
- Create explicit fc rule for mailman executable BZ(1666004)
- Update interface networkmanager_manage_pid_files() to allow manage also dirs
- Allow dhcpd_t domain to mmap dnssec_t files BZ(1718701)
- Add new interface bind_map_dnssec_keys()
- Update virt_use_nfs() boolean to allow virt_t to mmap nfs_t files
- Allow redis_t domain to read public sssd files
- Allow fetchmail_t to connect to dovecot stream sockets BZ(1715569)
- Allow confined users to login via cockpit
- Allow nfsd_t domain to do chroot becasue of new version of nfsd
- Add gpg_agent_roles to system_r roles
- Allow qpidd_t domain to getattr all fs_t filesystem and mmap usr_t files
- Allow rhsmcertd_t domain to manage rpm cache
- Allow sbd_t domain to read tmpfs_t symlinks
- Allow ctdb_t domain to manage samba_var_t files/links/sockets and dirs
- Allow kadmind_t domain to read home config data
- Allow sbd_t domain to readwrite cgroups
- Allow NetworkManager_t domain to read nsfs_t files BZ(1715597)
- Label /var/log/pacemaker/pacemaker as cluster_var_log_t
- Allow certmonger_t domain to manage named cache files/dirs
- Allow pcp_pmcd_t domain to domtrans to mdadm_t domain BZ(1714800)
- Allow crack_t domain read /et/passwd files
- Label fontconfig cache and config files and directories BZ(1659905)
- Allow dhcpc_t domain to manage network manager pid files
- Label /usr/sbin/nft as iptables_exec_t
- Allow userdomain attribute to manage cockpit_ws_t stream sockets
- Allow ssh_agent_type to read/write cockpit_session_t unnamed pipes
- Add interface ssh_agent_signal()
2019-06-18 09:29:06 +02:00
Lukas Vrabec
191f6b36c3
* Thu May 30 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.4-20
- Allow pcp_pmcd_t domain to domtrans to mdadm_t domain BZ(1714800)
- Allow spamd_update_t to exec itsef
- Fix broken logwatch SELinux module
- Allow logwatch_mail_t to manage logwatch cache files/dirs
- Update wireshark_t domain to use several sockets
- Allow sysctl_rpc_t and sysctl_irq_t to be stored on fs_t
2019-05-30 11:43:45 +02:00
Lukas Vrabec
46a2445aaf
* Mon May 27 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.4-19
- Fix bind_read_cache() interface to allow only read perms to caller domains
- [speech-dispatcher.if] m4 macro names can not have - in them
- Grant varnishlog_t access to varnishd_etc_t
- Allow nrpe_t domain to read process state of systemd_logind_t
- Allow mongod_t domain to connect on https port BZ(1711922)
- Allow chronyc_t domain to create own tmpfiles and allow communicate send data over unix dgram sockets
- Dontaudit spamd_update_t domain to read all domains states BZ(1711799)
- Allow pcp_pmie_t domain to use sys_ptrace usernamespace cap BZ(1705871)
- Allow userdomains to send data over dgram sockets to userdomains dbus services BZ(1710119)
- Revert "Allow userdomains to send data over dgram sockets to userdomains dbus services BZ(1710119)"
- Make boinc_var_lib_t mountpoint BZ(1711682)
- Allow wireshark_t domain to create fifo temp files
- All NetworkManager_ssh_t rules have to be in same optional block with ssh_basic_client_template(), fixing this bug in NetworkManager policy
- Allow dbus chat between NetworkManager_t and NetworkManager_ssh_t domains. BZ(1677484)
- Fix typo in gpg SELinux module
- Update gpg policy to make ti working with confined users
- Add domain transition that systemd labeled as init_t can execute spamd_update_exec_t binary to run newly created process as spamd_update_t
- Remove allow rule for virt_qemu_ga_t to write/append user_tmp_t files
- Label /var/run/user/*/dbus-1 as session_dbusd_tmp_t
- Add dac_override capability to namespace_init_t domain
- Label /usr/sbin/corosync-qdevice as cluster_exec_t
- Allow NetworkManager_ssh_t domain to open communication channel with system dbus. BZ(1677484)
- Label /usr/libexec/dnf-utils as debuginfo_exec_t
- Alow nrpe_t to send signull to sssd domain when nagios_run_sudo boolean is turned on
- Allow nrpe_t domain to be dbus cliennt
- Add interface sssd_signull()
- Build in parallel on Travis
- Fix parallel build of the policy
- Revert "Make able deply overcloud via neutron_t to label nsfs as fs_t"
- Add interface systemd_logind_read_state()
- Fix find commands in Makefiles
- Allow systemd-timesyncd to read network state BZ(1694272)
- Update userdomains to allow confined users to create gpg keys
- Allow associate all filesystem_types with fs_t
- Dontaudit syslogd_t using kill in unamespaces BZ(1711122)
- Allow init_t to manage session_dbusd_tmp_t dirs
- Allow systemd_gpt_generator_t to read/write to clearance
- Allow su_domain_type to getattr to /dev/gpmctl
- Update userdom_login_user_template() template to make working systemd user session for guest and xguest SELinux users
2019-05-27 16:47:47 +02:00
Ondrej Mosnacek
c134af44dc
Use parallel build where possible
Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
2019-05-27 16:44:36 +02:00
Lukas Vrabec
4ce765ae0a
* Fri May 17 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.4-18
- Fix typo in gpg SELinux module
- Update gpg policy to make ti working with confined users
- Add domain transition that systemd labeled as init_t can execute spamd_update_exec_t binary to run newly created process as spamd_update_t
- Remove allow rule for virt_qemu_ga_t to write/append user_tmp_t files
- Label /var/run/user/*/dbus-1 as session_dbusd_tmp_t
- Add dac_override capability to namespace_init_t domain
- Label /usr/sbin/corosync-qdevice as cluster_exec_t
- Allow NetworkManager_ssh_t domain to open communication channel with system dbus. BZ(1677484)
- Label /usr/libexec/dnf-utils as debuginfo_exec_t
- Alow nrpe_t to send signull to sssd domain when nagios_run_sudo boolean is turned on
- Allow nrpe_t domain to be dbus cliennt
- Add interface sssd_signull()
- Label /usr/bin/tshark as wireshark_exec_t
- Update userdomains to allow confined users to create gpg keys
- Allow associate all filesystem_types with fs_t
- Dontaudit syslogd_t using kill in unamespaces BZ(1711122)
- Allow init_t to manage session_dbusd_tmp_t dirs
- Allow systemd_gpt_generator_t to read/write to clearance
- Allow su_domain_type to getattr to /dev/gpmctl
- Update userdom_login_user_template() template to make working systemd user session for guest and xguest SELinux users
2019-05-18 01:04:36 +02:00
Lukas Vrabec
fb7eb895aa
* Fri May 17 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.4-17
- Alow nrpe_t to send signull to sssd domain when nagios_run_sudo boolean is turned on
- Allow nrpe_t domain to be dbus cliennt
- Add interface sssd_signull()
- Label /usr/bin/tshark as wireshark_exec_t
- Fix typo in dbus_role_template()
- Allow userdomains to send data over dgram sockets to userdomains dbus services BZ(1710119)
- Allow userdomains dbus domain to execute dbus broker. BZ(1710113)
- Allow dovedot_deliver_t setuid/setgid capabilities BZ(1709572)
- Allow virt domains to access xserver devices BZ(1705685)
- Allow aide to be executed by systemd with correct (aide_t) domain BZ(1648512)
- Dontaudit svirt_tcg_t domain to read process state of libvirt BZ(1594598)
- Allow pcp_pmie_t domain to use fsetid capability BZ(1708082)
- Allow pcp_pmlogger_t to use setrlimit BZ(1708951)
- Allow gpsd_t domain to read udev db BZ(1709025)
- Add sys_ptrace capaiblity for  namespace_init_t domain
- Allow systemd to execute sa-update in spamd_update_t domain BZ(1705331)
- Allow rhsmcertd_t domain to read rpm cache files
- Label /efi same as /boot/efi boot_t BZ(1571962)
- Allow transition from udev_t to tlp_t BZ(1705246)
- Remove initrc_exec_t for /usr/sbin/apachectl file
2019-05-17 18:12:55 +02:00
Lukas Vrabec
1938d6c60c
Update broken sources 2019-05-04 17:45:09 +02:00
Lukas Vrabec
2a04dcf5c8
* Fri May 03 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.4-16
- Add fcontext for apachectl util to fix missing output when executed "httpd -t" from this script.
2019-05-04 00:00:01 +02:00
Lukas Vrabec
a0e74cb580
* Thu May 02 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.4-15
- Allow iscsid_t domain to mmap modules_dep_t files
- Allow ngaios to use chown capability
- Dontaudit gpg_domain to create netlink_audit sockets
- Remove role transition in rpm_run() interface to allow sysadm_r jump to rpm_t type. BZ(1704251)
- Allow dirsrv_t domain to execute own tmp files BZ(1703111)
- Update fs_rw_cephfs_files() interface to allow also caller domain to read/write cephpfs_t lnk files
- Update domain_can_mmap_files() boolean to allow also mmap lnk files
- Improve userdom interfaces to drop guest_u SELinux user to use nsswitch
2019-05-02 15:46:11 +02:00
Lukas Vrabec
2c13568192
* Fri Apr 26 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.4-14
- Allow transition from cockpit_session to unpriv user domains
2019-04-26 16:46:34 +02:00
Lukas Vrabec
2675489867
* Thu Apr 25 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.4-13
- Introduce deny_bluetooth boolean
- Allow greylist_milter_t to read network system state BZ(1702672)
- Allow freeipmi domains to mmap freeipmi_var_cache_t files
- Allow rhsmcertd_t and rpm_t domains to chat over dbus
- Allow thumb_t domain to delete cache_home_t files BZ(1701643)
- Update gnome_role_template() to allow _gkeyringd_t domains to chat with systemd_logind over dbus
- Add new interface boltd_dbus_chat()
- Allow fwupd_t and modemmanager_t domains to communicate over dbus BZ(1701791)
- Allow keepalived_t domain to create and use netlink_connector sockets BZ(1701750)
- Allow cockpit_ws_t domain to set limits BZ(1701703)
- Update Nagios policy when sudo is used
- Deamon rhsmcertd is able to install certs for docker again
- Introduce deny_bluetooth boolean
- Don't allow a container to connect to random services
- Remove file context /usr/share/spamassassin/sa-update\.cron -> bin_t to label sa-update.cron as spamd_update_exec_t.
- Allow systemd_logind_t and systemd_resolved_t domains to chat over dbus
- Allow unconfined_t to use bpf tools
- Allow x_userdomains to communicate with boltd daemon over dbus
2019-04-25 17:29:03 +02:00
Lukas Vrabec
a64329452e
* Fri Apr 19 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.4-12
- Fix typo in cups SELinux policy
- Allow iscsid_t to read modules deps BZ(1700245)
- Allow cups_pdf_t domain to create cupsd_log_t dirs in /var/log BZ(1700442)
- Allow httpd_rotatelogs_t to execute generic binaries
- Update system_dbus policy because of dbus-broker-20-2
- Allow httpd_t doman to read/write /dev/zero device  BZ(1700758)
- Allow tlp_t domain to read module deps files BZ(1699459)
- Add file context for /usr/lib/dotnet/dotnet
- Update dev_rw_zero() interface by adding map permission
- Allow bounded transition for executing init scripts
2019-04-19 22:39:06 +02:00
Lukas Vrabec
05bc3ebd5c
* Fri Apr 12 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.4-11
- Allow mongod_t domain to lsearch in cgroups BZ(1698743)
- Allow rngd communication with pcscd BZ(1679217)
- Create cockpit_tmpfs_t and allow cockpit ws and session to use it BZ(1698405)
- Fix broken networkmanager interface for allowing manage lib files for dnsmasq_t.
- Update logging_send_audit_msgs(sudodomain() to control TTY auditing for netlink socket for audit service
2019-04-12 23:24:21 +02:00
Lukas Vrabec
2e12c978e7
Add check for config file consistency
After all reverted commit looks good, just targeted store have to be
specified when permissivedomains SELinux module is loaded.

This reverts commit f1ed716369.
2019-04-12 21:08:30 +02:00
Lukas Vrabec
f1ed716369
Revert "Add check for config file consistency"
This reverts commit 7fd6024816.
2019-04-12 10:03:08 +02:00
Lukas Vrabec
cba3e984f6
* Tue Apr 09 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.4-10
- Allow systemd_modules_load to read modules_dep_t files
- Allow systemd labeled as init_t to setattr on unallocated ttys BZ(1697667)
2019-04-09 10:57:19 +02:00
Lukas Vrabec
2809c70adb
* Mon Apr 08 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.4-9
- Merge #18 `Add check for config file consistency`
- Allow tlp_t domain also write to nvme_devices block devices BZ(1696943)
- Fix typo in rhsmcertd SELinux module
- Allow dnsmasq_t domain to manage NetworkManager_var_lib_t files
- Allow rhsmcertd_t domain to read yum.log file labeled as rpm_log_t
- Allow unconfined users to use vsock unlabeled sockets
- Add interface kernel_rw_unlabeled_vsock_socket()
- Allow unconfined users to use smc unlabeled sockets
- Add interface kernel_rw_unlabeled_smc_socket
- Allow systemd_resolved_t domain to read system network state BZ(1697039)
- Allow systemd to mounton kernel sysctls BZ(1696201)
- Add interface kernel_mounton_kernel_sysctl() BZ(1696201)
- Allow systemd to mounton several systemd direstory to increase security of systemd Resolves: rhbz#1696201
2019-04-08 15:54:57 +02:00
Lukas Vrabec
3da5a62edd Merge #18 Add check for config file consistency 2019-04-08 13:49:30 +00:00
Lukas Vrabec
47a2243adc
* Fri Apr 05 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.4-8
- Allow systemd to mounton several systemd direstory to increase security of systemd
Resolves: rhbz#1696201
2019-04-05 16:26:48 +02:00
Lukas Vrabec
fe3eb5975b
Fix some conflicting filename transition rules in the policy sources 2019-04-04 11:02:58 +02:00
Lukas Vrabec
c4065f7c94
* Wed Apr 03 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.4-7
- Allow fontconfig file transition for xguest_u user
- Add gnome_filetrans_fontconfig_home_content interface
- Add permissions needed by systemd's machinectl shell/login
- Update SELinux policy for xen services
- Add dac_override capability for kdumpctl_t process domain
- Allow chronyd_t domain to exec shell
- Fix varnisncsa typo
- Allow init start freenx-server BZ(1678025)
- Create logrotate_use_fusefs boolean
- Add tcpd_wrapped_domain for telnetd BZ(1676940)
- Allow tcpd bind to services ports BZ(1676940)
- Update mysql_filetrans_named_content() to allow cluster to create mysql dirs in /var/run with proper label mysqld_var_run_t
- Make shell_exec_t type as entrypoint for vmtools_unconfined_t.
- Merge branch 'rawhide' of github.com:fedora-selinux/selinux-policy-contrib into rawhide
- Allow virtlogd_t domain to create virt_etc_rw_t files in virt_etc_t
- Allow esmtp access .esmtprc BZ(1691149)
- Merge branch 'rawhide' of github.com:fedora-selinux/selinux-policy-contrib into rawhide
- Allow tlp_t domain to read nvme block devices BZ(1692154)
- Add support for smart card authentication in cockpit BZ(1690444)
- Add permissions needed by systemd's machinectl shell/login
- Allow kmod_t domain to mmap modules_dep_t files.
- Allow systemd_machined_t dac_override capability BZ(1670787)
- Update modutils_read_module_deps_files() interface to also allow mmap module_deps_t files
- Allow unconfined_domain_type to use bpf tools BZ(1694115)
- Revert "Allow unconfined_domain_type to use bpf tools BZ(1694115)"
- Merge branch 'rawhide' of github.com:fedora-selinux/selinux-policy into rawhide
- Allow unconfined_domain_type to use bpf tools BZ(1694115)
- Allow init_t read mnt_t symlinks BZ(1637070)
- Update dev_filetrans_all_named_dev() interface
- Allow xdm_t domain to execmod temp files BZ(1686675)
- Revert "Allow xdm_t domain to create own tmp files BZ(1686675)"
- Allow getty_t, local_login_t, chkpwd_t and passwd_t to use usbttys. BZ(1691582)
- Allow confined users labeled as staff_t to run iptables.
- Merge branch 'rawhide' of github.com:fedora-selinux/selinux-policy into rawhide
- Allow xdm_t domain to create own tmp files BZ(1686675)
- Add miscfiles_dontaudit_map_generic_certs interface.
2019-04-03 14:33:40 +02:00
Lukas Vrabec
8ad34683d2
Comment macro-expander and container-selinux sources in spec file 2019-03-23 19:00:30 +01:00
Lukas Vrabec
ba905225c2
Merge branch 'master' of ssh://pkgs.fedoraproject.org/rpms/selinux-policy 2019-03-23 15:33:27 +01:00
Lukas Vrabec
bccf0f816c
* Sat Mar 23 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.4-6
- Allow boltd_t domain to write to sysfs_t dirs BZ(1689287)
- Allow fail2ban execute journalctl BZ(1689034)
- Update sudodomains to make working confined users run sudo/su
- Introduce new boolean unconfined_dyntrans_all.
- Allow iptables_t domain to read NetworkManager state BZ(1690881)
2019-03-23 15:32:56 +01:00
Lukas Vrabec
03abf46c1c Merge #17 Remove previous/ version of module directory 2019-03-20 18:58:56 +00:00
Vit Mojzis
7fd6024816 Add check for config file consistency
Make sure the config is consistent with what packages are (being)
installed in the system.

This should ensure that the package corresponding to SELINUXTYPE
in the config is always present in the system, or selinux is DISABLED
(both before policy_load is called and after any RPM transaction involving
selinux-policy-* package). Targeted mode is used when possible.

Resolves: rhbz#1641631

Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
2019-03-20 18:04:45 +01:00
Lukas Vrabec
7dd08a5cde
* Tue Mar 19 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.4-5
- Update xen SELinux module
- Improve labeling for PCP plugins
- Allow varnishd_t domain to read sysfs_t files
- Update vmtools policy
- Allow virt_qemu_ga_t domain to read udev_var_run_t files
- Update nagios_run_sudo boolean with few allow rules related to accessing sssd
- Update file context for modutils rhbz#1689975
- Label /dev/xen/hypercall and /dev/xen/xenbus_backend as xen_device_t Resolves: rhbz#1679293
- Grant permissions for onloadfs files of all classes.
- Allow all domains to send dbus msgs to vmtools_unconfined_t processes
- Label /dev/pkey as crypt_device_t
- Allow sudodomains to write to systemd_logind_sessions_t pipes.
- Label /usr/lib64/libcuda.so.XX.XX library as textrel_shlib_t.
2019-03-19 11:32:41 +01:00
Lukas Vrabec
10d7e3defc
Update wrong dates in changelog 2019-03-19 11:21:57 +01:00
Petr Lautrbach
b73fcb724e Remove previous/ version of module directory
When the policy is built with save-previous=true (see semanage.conf) the
previous version of store is saved in /var/lib/selinux/TYPE/previous directory.
This directory needs to be erased after build as it has no function for
packages.

Fixes:
Checking for unpackaged file(s): /usr/lib/rpm/check-files /home/plautrba/rpmbuild/BUILDROOT/selinux-policy-3.14.4-4.fc31.x86_64
error: Installed (but unpackaged) file(s) found:
   /var/lib/selinux/targeted/previous/commit_num
   /var/lib/selinux/targeted/previous/file_contexts
   /var/lib/selinux/targeted/previous/file_contexts.homedirs
...
2019-03-19 11:04:43 +01:00
Lukas Vrabec
a8da133b94
* Wed Mar 12 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.4-4
- Update vmtools policy
- Allow virt_qemu_ga_t domain to read udev_var_run_t files
- Update nagios_run_sudo boolean with few allow rules related to accessing sssd
- Update travis CI to install selinux-policy dependencies without checking for gpg check
- Allow journalctl_t domain to mmap syslogd_var_run_t files
- Allow smokeping process to mmap own var lib files and allow set process group. Resolves: rhbz#1661046
- Allow sbd_t domain to bypass permission checks for sending signals
- Allow sbd_t domain read/write all sysctls
- Allow kpatch_t domain to communicate with policykit_t domsin over dbus
- Allow boltd_t to stream connect to sytem dbus
- Allow zabbix_t domain to create sockets labeled as zabbix_var_run_t BZ(1683820)
- Allow all domains to send dbus msgs to vmtools_unconfined_t processes
- Label /dev/pkey as crypt_device_t
- Allow sudodomains to write to systemd_logind_sessions_t pipes.
- Label /usr/lib64/libcuda.so.XX.XX library as textrel_shlib_t.
- Allow ifconfig_t domain to read /dev/random BZ(1687516)
- Fix interface modutils_run_kmod() where was used old interface modutils_domtrans_insmod instead of new one modutils_domtrans_kmod() Resolves: rhbz#1686660
- Update travis CI to install selinux-policy dependencies without checking for gpg check
- Label /usr/sbin/nodm as xdm_exec_t same as other display managers
- Update userdom_admin_user_template() and init_prog_run_bpf() interfaces to make working bpftool for confined admin
- Label /usr/sbin/e2mmpstatus as fsadm_exec_t Resolves: rhbz#1684221
- Update unconfined_dbus_send() interface to allow both direction communication over dbus with unconfined process.
2019-03-12 18:42:45 +01:00
Lukas Vrabec
43393ba497
* Wed Feb 27 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.4-3
- Reverting https://src.fedoraproject.org/rpms/selinux-policy/pull-request/15 because "%pretrans" cannot use shell scripts.
Resolves: rhbz#1683365
2019-02-27 10:18:03 +01:00
Lukas Vrabec
31fb935c5f
Revert "Add check for config file consistency"
This reverts commit 46c51e1cb2.

Reverting
https://src.fedoraproject.org/rpms/selinux-policy/pull-request/15
because "%pretrans" cannot use shell scripts.
Resolves: rhbz#1683365
2019-02-27 09:58:48 +01:00
Lukas Vrabec
c2043acf2b
* Tue Feb 26 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.4-2
- Merge insmod_t, depmod_t and update_modules_t do kmod_t
2019-02-26 11:07:59 +01:00
Lukas Vrabec
8be35be283
* Mon Feb 25 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.4-1
- Allow openvpn_t domain to set capability BZ(1680276)
- Update redis_enable_notify() boolean to fix sending e-mail by redis when this boolean is turned on
- Allow chronyd_t domain to send data over dgram socket
- Add rolekit_dgram_send() interface
- Fix bug in userdom_restricted_xwindows_user_template() template to disallow all user domains to access admin_home_t - kernel/files.fc: Label /var/run/motd.d(./*)? and /var/run/motd as pam_var_run_t
2019-02-25 23:17:05 +01:00
Lukas Vrabec
0bd9f6aa0b Merge #15 Add check for config file consistency 2019-02-25 18:20:52 +00:00
Vit Mojzis
46c51e1cb2 Add check for config file consistency
Make sure the config is consistent with what packages are (being)
installed in the system.

This should ensure that the package corresponding to SELINUXTYPE
in the config is always present in the system, or selinux is DISABLED
(both before policy_load is called and after any RPM transaction involving
selinux-policy-* package). Targeted mode is used when possible.

Resolves: rhbz#1641631

Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
2019-02-19 16:49:27 +01:00
Lukas Vrabec
c3cce98fea
* Thu Feb 14 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.3-22
- Allow dovecot_t domain to connect to mysql db
- Add dac_override capability for sbd_t SELinux domain
- Add dac_override capability for  spamd_update_t domain
- Allow nnp transition for domains fsadm_t, lvm_t and mount_t - Add fs_manage_fusefs_named_pipes interface
2019-02-14 17:52:26 +01:00
Lukas Vrabec
37bb67856f
* Tue Feb 12 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.3-21
- Allow glusterd_t to write to automount unnamed pipe Resolves: rhbz#1674243
- Allow ddclient_t to setcap Resolves: rhbz#1674298
- Add dac_override capability to vpnc_t domain
- Add dac_override capability to spamd_t domain
- Allow ibacm_t domain to read system state and label all ibacm sockets and symlinks as ibacm_var_run_t in /var/run
- Allow read network state of system for processes labeled as ibacm_t
- Allow ibacm_t domain to send dgram sockets to kernel processes
- Allow dovecot_t to connect to MySQL UNIX socket
- Fix CI for use on forks
- Fix typo bug in sensord policy
- Update ibacm_t policy after testing lastest version of this component
- Allow sensord_t domain to mmap own log files
- Allow virt_doamin to read/write dev device
- Add dac_override capability for ipa_helper_t
- Update policy with multiple allow rules to make working installing VM in MLS policy
- Allow syslogd_t domain to send null signal to all domains on system Resolves: rhbz#1673847 - Merge branch 'rawhide' of github.com:fedora-selinux/selinux-policy into rawhide - Allow systemd-logind daemon to remove shared memory during logout Resolves: rhbz#1674172 - Always label /home symlinks as home_root_t - Update mount_read_pid_files macro to allow also list mount_var_run_t dirs - Fix typo bug in userdomain SELinux policy - Merge branch 'rawhide' of github.com:fedora-selinux/selinux-policy into rawhide - Allow user domains to stop systemd user sessions during logout process - Fix CI for use on forks - Label /dev/sev char device as sev_device_t - Add s_manage_fusefs_named_sockets interface - Allow systemd-journald to receive messages including a memfd
2019-02-12 17:05:35 +01:00
Lukas Vrabec
6fe0e8a6a7
* Sat Feb 02 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.3-20
- Allow sensord_t domain to use nsswitch and execute shell
- Allow opafm_t domain to execute lib_t files
- Allow opafm_t domain to manage kdump_crash_t files and dirs
- Allow virt domains to read/write cephfs filesystems
- Allow virtual machine to write to fixed_disk_device_t
- Update kdump_manage_crash() interface to allow also manage dirs by caller domain Resolves: rhbz#1491585
- Allow svnserve_t domain to create in /tmp svn_0 file labeled as krb5_host_rcache_t
- Allow vhostmd_t read libvirt configuration files
- Update dbus_role_template interface to allow userdomains to accept data from userdomain dbus domains
- Add miscfiles_filetrans_named_content_letsencrypt() to optional_block - Allow unconfined domains to create letsencrypt directory in /var/lib labeled as cert_t - Allow staff_t user to systemctl iptables units. - Allow systemd to read selinux logind config - obj_perm_sets.spt: Add xdp_socket to socket_class_set. - Add xdp_socket security class and access vectors - Allow transition from init_t domain to user_t domain during ssh login with confined user user_u
2019-02-02 13:41:12 +01:00
Lukas Vrabec
ee38f3e105
* Tue Jan 29 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.3-19
- Add new xdp_socket class
- Update dbus_role_template interface to allow userdomains to accept data from userdomain dbus domains
- Allow boltd_t domain to read cache_home_t files BZ(1669911)
- Allow winbind_t domain to check for existence of processes labeled as systemd_hostnamed_t BZ(1669912)
- Allow gpg_agent_t to create own tmpfs dirs and sockets
- Allow openvpn_t domain to manage vpnc pidfiles BZ(1667572)
- Add multiple interfaces for vpnc interface file
- Label /var/run/fcgiwrap dir as httpd_var_run_t BZ(1655702)
- In MongoDB 3.4.16, 3.6.6, 4.0.0 and later, mongod reads netstat info from proc and stores it in its diagnostic system (FTDC). See: https://jira.mongodb.org/browse/SERVER-31400 This means that we need to adjust the policy so that the mongod process is allowed to open and read /proc/net/netstat, which typically has symlinks (e.g. /proc/net/snmp).
- Allow gssd_t domain to manage kernel keyrings of every domain.
- Revert "Allow gssd_t domain to read/write kernel keyrings of every domain."
- Allow plymouthd_t search efivarfs directory BZ(1664143)
2019-01-29 16:51:11 +01:00
Igor Gnatenko
1767906c81 Remove obsolete Group tag
References: https://fedoraproject.org/wiki/Changes/Remove_Group_Tag
2019-01-28 20:24:49 +01:00
Lukas Vrabec
1d650f7cbb
* Tue Jan 15 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.3-18
- Allow plymouthd_t search efivarfs directory BZ(1664143)
- Allow arpwatch send e-mail notifications BZ(1657327)
- Allow tangd_t domain to bind on tcp ports labeled as tangd_port_t
- Allow gssd_t domain to read/write kernel keyrings of every domain.
- Allow systemd_timedated_t domain nnp_transition BZ(1666222)
- Add the fs_search_efivarfs_dir interface
- Create tangd_port_t with default label tcp/7406
- Add interface domain_rw_all_domains_keyrings()
- Some of the selinux-policy macros doesn't work in chroots/initial installs. BZ(1665643)
2019-01-15 18:29:10 +01:00
Lukas Vrabec
f1dd2fa0f0
* Fri Jan 11 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.3-17
- Allow staff_t domain to read read_binfmt_misc filesystem
- Add interface fs_read_binfmt_misc()
- Revert "Allow staff_t to rw binfmt_misc_fs_t files BZ(1658975)"
2019-01-11 16:07:53 +01:00
Lukas Vrabec
78bc214808
* Fri Jan 11 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.3-16
- Allow sensord_t to execute own binary files
- Allow pcp_pmlogger_t domain to getattr all filesystem BZ(1662432)
- Allow virtd_lxc_t domains use BPF BZ(1662613)
- Allow openvpn_t domain to read systemd state BZ(1661065)
- Dontaudit ptrace all domains for blueman_t BZ(1653671)
- Used correct renamed interface for imapd_t domain
- Change label of /usr/libexec/lm_sensors/sensord-service-wrapper from lsmd_exec_t to sensord_exec_t BZ(1662922)
- Allow hddtemp_t domain to read nvme block devices BZ(1663579)
- Add dac_override capability to spamd_t domain BZ(1645667)
- Allow pcp_pmlogger_t to mount tracefs_t filesystem BZ(1662983)
- Allow pcp_pmlogger_t domain to read al sysctls BZ(1662441)
- Specify recipients that will be notified about build CI results.
- Allow saslauthd_t domain to mmap own pid files BZ(1653024)
- Add dac_override capability for snapperd_t domain BZ(1619356)
- Make kpatch_t domain application domain to allow users to execute kpatch in kpatch_t domain.
- Add ipc_owner capability to pcp_pmcd_t domain BZ(1655282)
- Update pulseaudio_stream_connect() to allow caller domain create stream sockets to cumminicate with pulseaudio
- Allow pcp_pmlogger_t domain to send signals to rpm_script_t BZ(1651030)
- Add new interface: rpm_script_signal()
- Allow init_t domain to mmap init_var_lib_t files and dontaudit leaked fd. BZ(1651008)
- Make workin: systemd-run --system --pty bash BZ(1647162)
- Allow ipsec_t domain dbus chat with systemd_resolved_t BZ(1662443)
- Allow staff_t to rw binfmt_misc_fs_t files BZ(1658975)
- Specify recipients that will be notified about build CI results.
- Label /usr/lib/systemd/user as systemd_unit_file_t BZ(1652814)
- Allow sysadm_t,staff_t and unconfined_t domain to execute kpatch as kpatch_t domain
- Add rules to allow systemd to mounton systemd_timedated_var_lib_t.
- Allow x_userdomains to stream connect to pulseaudio BZ(1658286)
2019-01-11 12:46:15 +01:00
Lukas Vrabec
cecdfcd1b2
* Sun Dec 16 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.14.3-15
- Add macro-expander script to selinux-policy-devel package
2018-12-16 21:37:16 +01:00
Lukas Vrabec
7d7414921d
Add macro-expander script to selinux-policy-devel package 2018-12-16 21:35:37 +01:00
Lukas Vrabec
22bdc94c2b
* Fri Dec 06 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.14.3-14
- Remove all ganesha bits from gluster and rpc policy
- Label /usr/share/spamassassin/sa-update.cron as spamd_update_exec_t
- Add dac_override capability to ssad_t domains
- Allow pesign_t domain to read gnome home configs
- Label /usr/libexec/lm_sensors/sensord-service-wrapper as lsmd_exec_t
- Allow rngd_t domains read kernel state
- Allow certmonger_t domains to read bind cache
- Allow ypbind_t domain to stream connect to sssd
- Allow rngd_t domain to setsched
- Allow sanlock_t domain to read/write sysfs_t files
- Add dac_override capability to postfix_local_t domain
- Allow ypbind_t to search sssd_var_lib_t dirs
- Allow virt_qemu_ga_t domain to write to user_tmp_t files
- Allow systemd_logind_t to dbus chat with virt_qemu_ga_t
- Update sssd_manage_lib_files() interface to allow also mmap sssd_var_lib_t files
- Add new interface sssd_signal()
- Update xserver_filetrans_home_content() and xserver_filetrans_admin_home_content() unterfaces to allow caller domain to create .vnc dir in users homedir labeled as xdm_home_t
- Update logging_filetrans_named_content() to allow caller domains of this interface to create /var/log/journal/remote directory labeled as var_log_t
- Add sys_resource capability to the systemd_passwd_agent_t domain
- Allow ipsec_t domains to read bind cache
- kernel/files.fc: Label /run/motd as etc_t
- Allow systemd to stream connect to userdomain processes
- Label /var/lib/private/systemd/ as init_var_lib_t
- Allow initrc_t domain to create new socket labeled as init_T
- Allow audisp_remote_t domain remote logging client to read local audit events from relevant socket.
- Add tracefs_t type to mountpoint attribute
- Allow useradd_t and groupadd_t domains to send signals to sssd_t
- Allow systemd_logind_t domain to remove directories labeled as tmpfs_t BZ(1648636)
- Allow useradd_t and groupadd_t domains to access sssd files because of the new feature in shadow-utils
2018-12-06 16:43:04 +01:00
Lukas Vrabec
70c776a7bc
* Wed Nov 07 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.14.3-13
- Update pesign policy to allow pesign_t domain to read bind cache files/dirs
- Add dac_override capability to mdadm_t domain
- Create ibacm_tmpfs_t type for the ibacm policy
- Dontaudit capability sys_admin for dhcpd_t domain
- Makes rhsmcertd_t domain an exception to the constraint preventing changing the user identity in object contexts.
- Allow abrt_t domain to mmap generic tmp_t files
- Label /usr/sbin/wpa_cli as wpa_cli_exec_t
- Allow sandbox_xserver_t domain write to user_tmp_t files
- Allow certutil running as ipsec_mgmt_t domain to mmap ipsec_mgmt pid files Dontaudit ipsec_mgmt_t domain to write to the all mountpoints
- Add interface files_map_generic_tmp_files()
- Add dac_override capability to the syslogd_t domain
- Create systemd_timedated_var_run_t label
- Update systemd_timedated_t domain to allow create own pid files/access init_var_lib_t files and read dbus files BZ(1646202)
- Add init_read_var_lib_lnk_files and init_read_var_lib_sock_files interfaces
2018-11-07 23:34:46 +01:00
Lukas Vrabec
e4f858261b
* Sun Nov 04 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.14.3-12
- Dontaudit thumb_t domain to setattr on lib_t dirs BZ(1643672)
- Dontaudit cupsd_t domain to setattr lib_t dirs BZ(1636766)
- Add dac_override capability to postgrey_t domain BZ(1638954)
- Allow thumb_t domain to execute own tmpfs files BZ(1643698)
- Allow xdm_t domain to manage dosfs_t files BZ(1645770)
- Label systemd-timesyncd binary as systemd_timedated_exec_t to make it run in systemd_timedated_t domain BZ(1640801)
- Improve fs_manage_ecryptfs_files to allow caller domain also mmap ecryptfs_t files BZ(1630675)
- Label systemd-user-runtime-dir binary as systemd_logind_exec_t BZ(1644313)
2018-11-04 19:53:51 +01:00
Lukas Vrabec
9fcbb6398f
* Sun Nov 04 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.14.3-11
- Add nnp transition rule for vnstatd_t domain using NoNewPrivileges systemd feature BZ(1643063)
- Allow l2tpd_t domain to mmap /etc/passwd file BZ(1638948)
- Add dac_override capability to ftpd_t domain
- Allow gpg_t to create own tmpfs dirs and sockets
- Allow rhsmcertd_t domain to relabel cert_t files
- Add SELinux policy for kpatch
- Allow nova_t domain to use pam
- sysstat: grant sysstat_t the search_dir_perms set
- Label systemd-user-runtime-dir binary as systemd_logind_exec_t BZ(1644313)
- Allow systemd_logind_t to read fixed dist device BZ(1645631)
- Allow systemd_logind_t domain to read nvme devices BZ(1645567)
- Allow systemd_rfkill_t domain to comunicate via dgram sockets with syslogd BZ(1638981)
- kernel/files.fc: Label /run/motd.d(/.*)? as etc_t
- Allow ipsec_mgmt_t process to send signals other than SIGKILL, SIGSTOP, or SIGCHLD to the ipsec_t domains BZ(1638949)
- Allow X display manager to check status and reload services which are part of x_domain attribute
- Add interface miscfiles_relabel_generic_cert()
- Make kpatch policy active
- Fix userdom_write_user_tmp_dirs() to allow caller domain also read/write user_tmp_t dirs
- Dontaudit sys_admin capability for netutils_t domain
- Label tcp and udp ports 2611 as qpasa_agent_port_t
2018-11-04 01:55:34 +01:00
Lukas Vrabec
b602e5bcc1
* Tue Oct 16 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.14.3-10
- Allow boltd_t domain to dbus chat with fwupd_t domain BZ(1633786)
2018-10-16 00:18:59 +02:00
Lukas Vrabec
9b1e4d53d1
* Mon Oct 15 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.14.3-9
- Allow caller domains using cron_*_role to have entrypoint permission on system_cron_spool_t files BZ(1625645)
- Add interface cron_system_spool_entrypoint()
- Bolt added d-bus API for force-powering the thunderbolt controller, so system-dbusd needs acces to boltd pipes BZ(1637676)
- Add interfaces for boltd SELinux module
- Add dac_override capability to modemmanager_t domain BZ(1636608)
- Allow systemd to mount boltd_var_run_t dirs BZ(1636823)
- Label correctly /var/named/chroot*/dev/unrandom in bind chroot.
2018-10-15 17:44:05 +02:00
Lukas Vrabec
4b05ad26d8
* Sat Oct 13 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.14.3-8
- ejabberd SELinux module removed, it's shipped by ejabberd-selinux package
2018-10-13 22:39:48 +02:00
Lukas Vrabec
146094f7a3
* Sat Oct 13 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.14.3-7
- Update rpm macros for selinux policy from sources repository: https://github.com/fedora-selinux/selinux-policy-macros
2018-10-13 00:13:10 +02:00
Lukas Vrabec
729e95002a
Fix typo bug in version 2018-10-09 17:50:46 +02:00
Lukas Vrabec
c889572bdc
* Tue Oct 09 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.14.3-6
- Allow boltd_t to be activated by init socket activation
- Allow virt_domain to read/write to virtd_t unix_stream socket because of new version of libvirt 4.4. BZ(1635803)
- Update SELinux policy for libreswan based on the latest rebase 3.26
- Fix typo in init_named_socket_activation interface
2018-10-09 17:49:28 +02:00
Lukas Vrabec
43c3b7f814
Merge branch 'master' of ssh://pkgs.fedoraproject.org/rpms/selinux-policy 2018-10-04 16:28:36 +02:00
Lukas Vrabec
ef7c751093
* Thu Oct 04 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.14.3-5
- Allow dictd_t domain to mmap dictd_var_lib_t files BZ(1634650)
- Fix typo in boltd.te policy
- Allow fail2ban_t domain to mmap journal
- Add kill capability to named_t domain
- Allow neutron domain to read/write /var/run/utmp
- Create boltd_var_run_t type for boltd pid files
- Allow tomcat_domain to read /dev/random
- Allow neutron_t domain to use pam
- Add the port used by nsca (Nagios Service Check Acceptor)
2018-10-04 16:27:59 +02:00
Lukas Vrabec
efe0830570 Merge #11 Spec: fix typo in Url field (introduced in 51dc83b2d) 2018-10-03 08:03:58 +00:00
Lukas Vrabec
7e236649a1
* Mon Sep 24 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.14.3-4
- Update sources to include SELinux policy for containers
2018-09-24 17:11:01 +02:00
Lukas Vrabec
5d5eb8e7fc
* Thu Sep 20 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.14.3-3
- Allow certmonger to manage cockpit_var_run_t pid files
- Allow cockpit_ws_t domain to manage cockpit services
- Allow dirsrvadmin_script_t domain to list httpd_tmp_t dirs
- Add interface apache_read_tmp_dirs()
- Fix typo in cockpit interfaces we have cockpit_var_run_t files not cockpit_var_pid_t
- Add interface apcupsd_read_power_files()
- Allow systemd labeled as init_t to execute logrotate in logrotate_t domain
- Allow dac_override capability to amanda_t domain
- Allow geoclue_t domain to get attributes of fs_t filesystems
- Update selinux policy for rhnsd_t domain based on changes in spacewalk-2.8-client
- Allow cockpit_t domain to read systemd state
- Allow abrt_t domain to write to usr_t files
- Allow cockpit to create motd file in /var/run/cockpit
- Label /usr/sbin/pcsd as cluster_exec_t
- Allow pesign_t domain to getattr all fs
- Allow tomcat servers to manage usr_t files
- Dontaudit tomcat serves to append to /dev/random device
- Allow dirsrvadmin_script_t domain to read httpd tmp files
- Allow sbd_t domain to getattr of all char files in /dev and read sysfs_t files and dirs
- Fix path where are sources for CI
- Revert "Allow firewalld_t domain to read random device"
- Add travis CI for selinux-policy-contrib repo
- Allow postfix domains to mmap system db files
- Allow geoclue_t domain to execute own tmp files
- Update ibacm_read_pid_files interface to allow also reading link files
- Allow zebra_t domain to create packet_sockets
- Allow opafm_t domain to list sysfs
- Label /usr/libexec/cyrus-imapd/cyrus-master as cyris_exec_t
- Allow tomcat Tomcat to delete a temporary file used when compiling class files for JSPs.
- Allow chronyd_t domain to read virt_var_lib_t files
- Allow systemd to read apcupsd power files
- Revert "Allow polydomain to create /tmp-inst labeled as tmp_t"
- Allow polydomain to create /tmp-inst labeled as tmp_t
- Allow polydomain to create /tmp-inst labeled as tmp_t
- Allow systemd_resolved_t domain to bind on udp howl port
- Add new boolean use_virtualbox Resolves: rhbz#1510478
- Allow sshd_t domain to read cockpit pid files
- Allow syslogd_t domain to manage cert_t files
- Fix path where are sources for CI
- Add travis.yml to to create CI for selinux-policy sources
- Allow getattr as part of files_mounton_kernel_symbol_table.
- Fix typo "aduit" -> "audit"
- Revert "Add new interface dev_map_userio()"
- Add new interface dev_map_userio()
- Allow systemd to read ibacm pid files
2018-09-20 08:54:04 +02:00
Lukas Vrabec
833e3136e5
* Thu Sep 06 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.14.3-2
- Allow tomcat services create link file in /tmp
- Label /etc/shorewall6 as shorewall_etc_t
- Allow winbind_t domain kill in user namespaces
- Allow firewalld_t domain to read random device
- Allow abrt_t domain to do execmem
- Allow geoclue_t domain to execute own var_lib_t files
- Allow openfortivpn_t domain to read system network state
- Allow dnsmasq_t domain to read networkmanager lib files
- sssd: Allow to limit capabilities using libcap
- sssd: Remove unnecessary capability
- sssd: Do not audit usage of lib nss_systemd.so
- Fix bug in nsd.fc, /var/run/nsd.ctl is socket file not file
- Add correct namespace_init_exec_t context to /etc/security/namespace.d/*
- Update nscd_socket_use to allow caller domain to mmap nscd_var_run_t files
- Allow exim_t domain to mmap bin files
- Allow mysqld_t domain to executed with nnp transition
- Allow svirt_t domain to mmap svirt_image_t block files
- Add caps dac_read_search and dav_override to pesign_t domain
- Allow iscsid_t domain to mmap userio chr files
- Add read interfaces for mysqld_log_t that was added in commit df832bf
- Allow boltd_t to dbus chat with xdm_t
- Conntrackd need to load kernel module to work
- Allow mysqld sys_nice capability
- Update boltd policy based on SELinux denials from rhbz#1607974
- Allow systemd to create symlinks in for /var/lib
- Add comment to show that template call also allows changing shells
- Document userdom_change_password_template() behaviour
- update files_mounton_kernel_symbol_table() interface to allow caller domain also mounton system_map_t file
- Fix typo in logging SELinux module
- Allow usertype to mmap user_tmp_type files
- In domain_transition_pattern there is no permission allowing caller domain to execu_no_trans on entrypoint, this patch fixing this issue
- Revert "Add execute_no_trans permission to mmap_exec_file_perms pattern"
- Add boolean: domain_can_mmap_files.
- Allow ipsec_t domian to mmap own tmp files
- Add .gitignore file
- Add execute_no_trans permission to mmap_exec_file_perms pattern
- Allow sudodomain to search caller domain proc info
- Allow audisp_remote_t domain to read auditd_etc_t
- netlabel: Remove unnecessary sssd nsswitch related macros
- Allow to use sss module in auth_use_nsswitch
- Limit communication with init_t over dbus
- Add actual modules.conf to the git repo
- Add few interfaces to optional block
- Allow sysadm_t and staff_t domain to manage systemd unit files
- Add interface dev_map_userio_dev()
2018-09-06 22:33:33 +02:00
Lukas Vrabec
046756d71a
* Tue Aug 28 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.14.3-1
- Allow ovs-vswitchd labeled as openvswitch_t domain communicate with qemu-kvm via UNIX stream socket
- Add interface devicekit_mounton_var_lib()
- Allow httpd_t domain to mmap tmp files
- Allow tcsd_t domain to have dac_override capability
- Allow cupsd_t to rename cupsd_etc_t files
- Allow iptables_t domain to create rawip sockets
- Allow amanda_t domain to mmap own tmpfs files
- Allow fcoemon_t domain to write to sysfs_t dirs
- Allow dovecot_auth_t domain to have dac_override capability
- Allow geoclue_t domain to mmap own tmp files
- Allow chronyc_t domain to read network state
- Allow apcupsd_t domain to execute itself
- Allow modemmanager_t domain to stream connect to sssd
- Allow chonyc_t domain to rw userdomain pipes
- Update dirsrvadmin_script_t policy to allow read httpd_tmp_t symlinks
- Update dirsrv_read_share() interface to allow caller domain to mmap dirsrv_share_t files
- Allow nagios_script_t domain to mmap nagios_spool_t files
- Allow geoclue_t domain to mmap geoclue_var_lib_t files
- Allow geoclue_t domain to map generic certs
- Update munin_manage_var_lib_files to allow manage also dirs
- Allow nsd_t domain to create new socket file in /var/run/nsd.ctl
- Fix typo in virt SELinux policy module
- Allow virtd_t domain to create netlink_socket
- Allow rpm_t domain to write to audit
- Allow nagios_script_t domain to mmap nagios_etc_t files
- Update nscd_socket_use() to allow caller domain to stream connect to nscd_t
- Allow kdumpctl_t domain to getattr fixed disk device in mls
- Fix typo in stapserver policy
- Dontaudit abrt_t domain to write to usr_t dirs
- Revert "Allow rpcbind to bind on all unreserved udp ports"
- Allow rpcbind to bind on all unreserved udp ports
- Allow virtlogd to execute itself
- Allow stapserver several actions: - execute own tmp files - mmap stapserver_var_lib_t files - create stapserver_tmpfs_t files
- Allow ypxfr_t domain to stream connect to rpcbind and allos search sssd libs
- Allos systemd to socket activate ibacm service
- Allow dirsrv_t domain to mmap user_t files
- Allow kdumpctl_t domain to manage kdumpctl_tmp_t fifo files
- Allow kdumpctl to write to files on all levels
- Allow httpd_t domain to mmap httpd_config_t files
- Allow sanlock_t domain to connectto to unix_stream_socket
- Revert "Add same context for symlink as binary"
- Allow mysql execute rsync
- Update nfsd_t policy because of ganesha features
- Allow conman to getattr devpts_t
- Allow tomcat_domain to connect to smtp ports
- Allow tomcat_t domain to mmap tomcat_var_lib_t files
- Allow nagios_t domain to mmap nagios_log_t files
- Allow kpropd_t domain to mmap krb5kdc_principal_t files
- Allow kdumpctl_t domain to read fixed disk storage
2018-08-29 00:10:24 +02:00
Lukas Vrabec
354ea12800
* Fri Aug 10 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.14.2-32
- Fix issue with aliases in apache interface file
- Add same context for symlink as binary
- Allow boltd_t to send logs to journal
- Allow colord_use_nfs to allow colord also mmap nfs_t files
- Allow mysqld_safe_t do execute itself
- Allow smbd_t domain to chat via dbus with avahi daemon
- cupsd_t domain will create /etc/cupsd/ppd as cupsd_etc_rw_t
- Update screen_role_template to allow caller domain to have screen_exec_t as entrypoint do new domain
- Add alias httpd__script_t to _script_t to make sepolicy generate working
- Allow gpg_t domain to mmap gpg_agent_tmp_t files
- label /var/lib/pgsql/data/log as postgresql_log_t
- Allow sysadm_t domain to accept socket
- Allow systemd to manage passwd_file_t
- Allow sshd_t domain to mmap user_tmp_t files
2018-08-10 17:26:19 +02:00
Lukas Vrabec
bb7c753263
* Tue Aug 07 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.14.2-31
- Allow kprop_t domain to read network state
- Add support boltd policy
- Allow kpropd domain to exec itself
- Allow pdns_t to bind on tcp transproxy port
- Add support for opafm service
- Allow hsqldb_t domain to read cgroup files
- Allow rngd_t domain to read generic certs
- Allow innd_t domain to mmap own var_lib_t files
- Update screen_role_temaplate interface
- Allow chronyd_t domain to mmap own tmpfs files
- Allow sblim_sfcbd_t domain to mmap own tmpfs files
- Allow systemd to mounont boltd lib dirs
- Allow sysadm_t domain to create rawip sockets
- Allow sysadm_t domain to listen on socket
- Update sudo_role_template() to allow caller domain also setattr generic ptys
- Update logging_manage_all_logs() interface to allow caller domain map all logfiles
2018-08-07 15:54:42 +02:00
Lukas Vrabec
da3bd2ceb6
* Sun Jul 29 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.14.2-30
- Allow sblim_sfcbd_t domain to mmap own tmpfs files
- Allow nfsd_t domain to read krb5 keytab files
- Allow nfsd_t domain to manage fadm pid files
- Allow virt_domain to create icmp sockets BZ(1609142)
- Dontaudit oracleasm_t domain to request sys_admin capability
- Update logging_manage_all_logs() interface to allow caller domain map all logfiles
2018-07-29 17:17:33 +02:00
Lukas Vrabec
539110c25c
* Wed Jul 25 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.14.2-29
- Allow aide to mmap all files
- Revert "Allow firewalld to create rawip sockets"
- Revert "Allow firewalld_t do read iptables_var_run_t files"
- Allow svirt_tcg_t domain to read system state of virtd_t domains
- Update rhcs contexts to reflects the latest fenced changes
- Allow httpd_t domain to rw user_tmp_t files
- Fix typo in openct policy
- Allow winbind_t domian to connect to all ephemeral ports
- Allow firewalld_t do read iptables_var_run_t files
- Allow abrt_t domain to mmap data_home files
- Allow glusterd_t domain to mmap user_tmp_t files
- Allow mongodb_t domain to mmap own var_lib_t files
- Allow firewalld to read kernel usermodehelper state
- Allow modemmanager_t to read sssd public files
- Allow openct_t domain to mmap own var_run_t files
- Allow nnp transition for devicekit daemons
- Allow firewalld to create rawip sockets
- Allow firewalld to getattr proc filesystem
- Dontaudit sys_admin capability for pcscd_t domain
- Revert "Allow pcsd_t domain sys_admin capability"
- Allow fetchmail_t domain to stream connect to sssd
- Allow pcsd_t domain sys_admin capability
- Allow cupsd_t to create cupsd_etc_t dirs
- Allow varnishlog_t domain to list varnishd_var_lib_t dirs
- Allow mongodb_t domain to read system network state BZ(1599230)
- Allow tgtd_t domain to create dirs in /var/run labeled as tgtd_var_run_t BZ(1492377)
- Allow iscsid_t domain to mmap sysfs_t files
- Allow httpd_t domain to mmap own cache files
- Add sys_resource capability to nslcd_t domain
- Fixed typo in logging_audisp_domain interface
- Add interface files_mmap_all_files()
- Add interface iptables_read_var_run()
- Allow systemd to mounton init_var_run_t files
- Update policy rules for auditd_t based on changes in audit version 3
- Allow systemd_tmpfiles_t do mmap system db files
- Merge branch 'rawhide' of github.com:fedora-selinux/selinux-policy into rawhide
- Improve domain_transition_pattern to allow mmap entrypoint bin file.
- Don't setup unlabeled_t as an entry_type
- Allow unconfined_service_t to transition to container_runtime_t
2018-07-25 23:42:34 +02:00
Lukas Vrabec
35bcefb9e1
* Wed Jul 18 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.14.2-28
- Allow cupsd_t domain to mmap cupsd_etc_t files
- Allow kadmind_t domain to mmap krb5kdc_principal_t
- Allow virtlogd_t domain to read virt_etc_t link files
- Allow dirsrv_t domain to read crack db
- Dontaudit pegasus_t to require sys_admin capability
- Allow mysqld_t domain to exec mysqld_exec_t binary files
- Allow abrt_t odmain to read rhsmcertd lib files
- Allow winbind_t domain to request kernel module loads
- Allow tomcat_domain to read cgroup_t files
- Allow varnishlog_t domain to mmap varnishd_var_lib_t files
- Allow innd_t domain to mmap news_spool_t files
- Label HOME_DIR/mozilla.pdf file as mozilla_home_t instead of user_home_t
- Allow fenced_t domain to reboot
- Allow amanda_t domain to read network system state
- Allow abrt_t domain to read rhsmcertd logs
- Fix typo in radius policy
- Update zoneminder policy to reflect latest features in zoneminder BZ(1592555)
- Label /usr/bin/esmtp-wrapper as sendmail_exec_t
- Update raid_access_check_mdadm() interface to dontaudit caller domain to mmap mdadm_exec_t binary files
- Dontaudit thumb to read mmap_min_addr
- Allow chronyd_t to send to system_cronjob_t via unix dgram socket BZ(1494904)
- Allow mpd_t domain to mmap mpd_tmpfs_t files BZ(1585443)
- Allow collectd_t domain to use ecryptfs files BZ(1592640)
- Dontaudit mmap home type files for abrt_t domain
- Allow fprintd_t domain creating own tmp files BZ(1590686)
- Allow collectd_t domain to bind on bacula_port_t BZ(1590830)
- Allow fail2ban_t domain to getpgid BZ(1591421)
- Allow nagios_script_t domain to mmap nagios_log_t files BZ(1593808)
- Allow pcp_pmcd_t domain to use sys_ptrace usernamespace cap
- Allow sssd_selinux_manager_t to read/write to systemd sockets BZ(1595458)
- Allow virt_qemu_ga_t domain to read network state BZ(1592145)
- Allow radiusd_t domain to mmap radius_etc_rw_t files
- Allow git_script_t domain to read and mmap gitosis_var_lib_t files BZ(1591729)
- Add dac_read_search capability to thumb_t domain
- Add dac_override capability to cups_pdf_t domain BZ(1594271)
- Add net_admin capability to connntrackd_t domain BZ(1594221)
- Allow gssproxy_t domain to domtrans into gssd_t domain BZ(1575234)
- Fix interface init_dbus_chat in oddjob SELinux policy BZ(1590476)
- Allow motion_t to mmap video devices BZ(1590446)
- Add dac_override capability to mpd_t domain BZ(1585358)
- Allow fsdaemon_t domain to write to mta home files BZ(1588212)
- Allow virtlogd_t domain to chat via dbus with systemd_logind BZ(1589337)
- Allow sssd_t domain to write to general cert files BZ(1589339)
- Allow l2tpd_t domain to sends signull to ipsec domains BZ(1589483)
- Allow cockpit_session_t to read kernel network state BZ(1596941)
- Allow devicekit_power_t start with nnp systemd security feature with proper SELinux Domain transition BZ(1593817)
- Update rhcs_rw_cluster_tmpfs() interface to allow caller domain to mmap cluster_tmpfs_t files
- Allow chronyc_t domain to use nscd shm
- Label /var/lib/tomcats dir as tomcat_var_lib_t
2018-07-18 17:37:07 +02:00
Fedora Release Engineering
9034dd66a3 - Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
Signed-off-by: Fedora Release Engineering <releng@fedoraproject.org>
2018-07-14 05:57:18 +00:00
Jason Tibbitts
91c8ed0d49 Remove needless use of %defattr 2018-07-10 01:20:06 -05:00
Jan Pokorný
e7ec0c885a
Spec: fix typo in Url field (introduced in 51dc83b2d)
Signed-off-by: Jan Pokorný <jpokorny@redhat.com>
2018-07-05 18:19:21 +02:00
Lukas Vrabec
985fc6104c
* Wed Jun 27 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.14.2-26
- Allow psad domain to setrlimit. Allow psad domain to stream connect to dbus Allow psad domain to exec journalctl_exec_t binary
- Update cups_filetrans_named_content() to allow caller domain create ppd directory with cupsd_etc_rw_t label
- Allow abrt_t domain to write to rhsmcertd pid files
- Allow pegasus_t domain to eexec lvm binaries and allow read/write access to lvm control
- Add vhostmd_t domain to read/write to svirt images
- Update kdump_manage_kdumpctl_tmp_files() interface to allow caller domain also mmap kdumpctl_tmp_t files
- Allow sssd_t and slpad_t domains to mmap generic certs
- Allow chronyc_t domain use inherited user ttys
- Allow stapserver_t domain to mmap own tmp files
- Update nscd_dontaudit_write_sock_file() to dontaudit also stream connect to nscd_t domain
- Merge pull request #60 from vmojzis/rawhide
- Allow tangd_t domain stream connect to sssd
- Allow oddjob_t domain to chat with systemd via dbus
- Allow freeipmi domains to mmap sysfs files
- Fix typo in logwatch interface file
- Allow sysadm_t and staff_t domains to use sudo io logging
- Allow sysadm_t domain create sctp sockets
- Allow traceroute_t domain to exec bin_t binaries
- Allow systemd_passwd_agent_t domain to list sysfs Allow systemd_passwd_agent_t domain to dac_override
- Add new interface dev_map_sysfs()
2018-06-27 10:25:55 +02:00
Lukas Vrabec
5d84adca3e
Remove config.tgz from distgit and put configuration to policy sources on github 2018-06-26 17:21:53 +02:00
Lukas Vrabec
f4debe939a
* Thu Jun 14 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.14.2-25
- Merge pull request #60 from vmojzis/rawhide
- Allow tangd_t domain stream connect to sssd
- Allow oddjob_t domain to chat with systemd via dbus
- Allow freeipmi domains to mmap sysfs files
- Fix typo in logwatch interface file
- Allow spamd_t to manage logwatch_cache_t files/dirs
- Allow dnsmasw_t domain to create own tmp files and manage mnt files
- Allow fail2ban_client_t to inherit rlimit information from parent process
- Allow nscd_t to read kernel sysctls
- Label /var/log/conman.d as conman_log_t
- Add dac_override capability to tor_t domain
- Allow certmonger_t to readwrite to user_tmp_t dirs
- Allow abrt_upload_watch_t domain to read general certs
- Allow chornyd_t read phc2sys_t shared memory
- Add several allow rules for pesign policy:
- Add setgid and setuid capabilities to mysqlfd_safe_t domain
- Add tomcat_can_network_connect_db boolean
- Update virt_use_sanlock() boolean to read sanlock state
- Add sanlock_read_state() interface
- Allow zoneminder_t to getattr of fs_t
- Allow rhsmcertd_t domain to send signull to postgresql_t domain
- Add log file type to collectd and allow corresponding access
- Allow policykit_t domain to dbus chat with dhcpc_t
- Allow traceroute_t domain to exec bin_t binaries
- Allow systemd_passwd_agent_t domain to list sysfs Allow systemd_passwd_agent_t domain to dac_override
- Add new interface dev_map_sysfs()
- Allow sshd_keygen_t to execute plymouthd
- Allow systemd_networkd_t create and relabel tun sockets
- Add new interface postgresql_signull()
2018-06-14 15:31:59 +02:00
Lukas Vrabec
1d35f9ea76
* Tue Jun 12 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.14.2-24
- /usr/libexec/bluetooth/obexd should have only obexd_exec_t instead of bluetoothd_exec_t type
- Allow ntop_t domain to create/map various sockets/files.
- Enable the dictd to communicate via D-bus.
- Allow inetd_child process to chat via dbus with abrt
- Allow zabbix_agent_t domain to connect to redis_port_t
- Allow rhsmcertd_t domain to read xenfs_t files
- Allow zabbix_agent_t to run zabbix scripts
- Fix openvswith SELinux module
- Fix wrong path in tlp context file BZ(1586329)
- Update brltty SELinux module
- Allow rabbitmq_t domain to create own tmp files/dirs
- Allow policykit_t mmap policykit_auth_exec_t files
- Allow ipmievd_t domain to read general certs
- Add sys_ptrace capability to pcp_pmie_t domain
- Allow squid domain to exec ldconfig
- Update gpg SELinux policy module
- Allow mailman_domain to read system network state
- Allow openvswitch_t domain to read neutron state and read/write fixed disk devices
- Allow antivirus_domain to read all domain system state
- Allow targetd_t domain to red gconf_home_t files/dirs
- Label /usr/libexec/bluetooth/obexd as obexd_exec_t
- Add interface nagios_unconfined_signull()
- Fix typos in zabbix.te file
- Add missing requires
- Allow tomcat domain sends email
- Fix typo in sge policy
- Merge pull request #214 from wrabcak/fb-dhcpc
- Allow dhcpc_t creating own socket files inside /var/run/ Allow dhcpc_t creating netlink_kobject_uevent_socket, netlink_generic_socket, rawip_socket BZ(1585971)
- Allow confined users get AFS tokens
- Allow sysadm_t domain to chat via dbus
- Associate sysctl_kernel_t type with filesystem attribute
- Allow syslogd_t domain to send signull to nagios_unconfined_plugin_t
- Fix typo in netutils.te file
2018-06-12 14:22:02 +02:00
Lukas Vrabec
4cca30aa93
* Wed Jun 06 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.14.2-23
- Add dac_override capability to sendmail_t domian
2018-06-06 13:16:15 +02:00
Lukas Vrabec
318acc9510
* Wed Jun 06 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.14.2-22
- Fix typo in authconfig policy
- Update ctdb domain to support gNFS setup
- Allow authconfig_t dbus chat with policykit
- Allow lircd_t domain to read system state
- Revert "Allow fsdaemon_t do send emails BZ(1582701)"
- Typo in uuidd policy
- Allow tangd_t domain read certs
- Allow vpnc_t domain to read configfs_t files/dirs BZ(1583107)
- Allow vpnc_t domain to read generic certs BZ(1583100)
- Label /var/lib/phpMyAdmin directory as httpd_sys_rw_content_t BZ(1584811)
- Allow NetworkManager_ssh_t domain to be system dbud client
- Allow virt_qemu_ga_t read utmp
- Add capability dac_override to system_mail_t domain
- Update uuidd policy to reflect last changes from base branch
- Add cap dac_override to procmail_t domain
- Allow sendmail to mmap etc_aliases_t files BZ(1578569)
- Add new interface dbus_read_pid_sock_files()
- Allow mpd_t domain read config_home files if mpd_enable_homedirs boolean will be enabled
- Allow fsdaemon_t do send emails BZ(1582701)
- Allow firewalld_t domain to request kernel module BZ(1573501)
- Allow chronyd_t domain to send send msg via dgram socket BZ(1584757)
- Add sys_admin capability to fprint_t SELinux domain
- Allow cyrus_t domain to create own files under /var/run BZ(1582885)
- Allow cachefiles_kernel_t domain to have capability dac_override
- Update policy for ypserv_t domain
- Allow zebra_t domain to bind on tcp/udp ports labeled as qpasa_agent_port_t
- Allow cyrus to have dac_override capability
- Dontaudit action when abrt-hook-ccpp is writing to nscd sockets
- Fix homedir polyinstantion under mls
- Fixed typo in init.if file
- Allow systemd to remove generic tmpt files BZ(1583144)
- Update init_named_socket_activation() interface to also allow systemd create objects in /var/run with proper label during socket activation
- Allow systemd-networkd and systemd-resolved services read system-dbusd socket BZ(1579075)
- Fix typo in authlogin SELinux security module
- Allod nsswitch_domain attribute to be system dbusd client BZ(1584632)
- Allow audisp_t domain to mmap audisp_exec_t binary
- Update ssh_domtrans_keygen interface to allow mmap ssh_keygen_exec_t binary file
- Label tcp/udp ports 2612 as qpasa_agetn_port_t
2018-06-06 10:25:52 +02:00
Lukas Vrabec
58acce3c84
* Sat May 26 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.14.2-21
- Add dac_override to exim policy BZ(1574303)
- Fix typo in conntrackd.fc file
- Allow sssd_t to kill sssd_selinux_manager_t
- Allow httpd_sys_script_t to connect to mongodb_port_t if boolean httpd_can_network_connect_db  is turned on
- Allow chronyc_t to redirect ourput to /var/lib /var/log and /tmp
- Allow policykit_auth_t to read udev db files BZ(1574419)
- Allow varnishd_t do be dbus client BZ(1582251)
- Allow cyrus_t domain to mmap own pid files BZ(1582183)
- Allow user_mail_t domain to mmap etc_aliases_t files
- Allow gkeyringd domains to run ssh agents
- Allow gpg_pinentry_t domain read ssh state
- Allow sysadm_u use xdm
- Allow xdm_t domain to listen ofor unix dgram sockets BZ(1581495)
- Add interface ssh_read_state()
- Fix typo in sysnetwork.if file
2018-05-26 00:25:28 +02:00
Lukas Vrabec
9364159b18
* Thu May 24 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.14.2-20
- Allow tangd_t domain to create tcp sockets and add new interface tangd_read_db_files
- Allow mailman_mail_t domain to search for apache configs
- Allow mailman_cgi_t domain to ioctl an httpd with a unix domain stream sockets.
- Improve procmail_domtrans() to allow mmaping procmail_exec_t
- Allow ptrace arbitrary processes
- Allow jabberd_router_t domain read kerberos keytabs BZ(1573945)
- Allow certmonger to geattr of filesystems BZ(1578755)
- Update dev_map_xserver_misc interface to allo mmaping char devices instead of files
- Allow noatsecure permission for all domain transitions from systemd.
- Allow systemd to read tangd db files
- Fix typo in ssh.if file
- Allow xdm_t domain to mmap xserver_misc_device_t files
- Allow xdm_t domain to execute systemd-coredump binary
- Add bridge_socket, dccp_socket, ib_socket and mpls_socket to socket_class_set
- Improve modutils_domtrans_insmod() interface to mmap insmod_exec_t binaries
- Improve iptables_domtrans() interface to allow mmaping iptables_exec_t binary
- Improve auth_domtrans_login_programinterface to allow also mmap login_exec_t binaries
- Improve auth_domtrans_chk_passwd() interface to allow also mmaping chkpwd_exec_t binaries.
- Allow mmap dhcpc_exec_t binaries in sysnet_domtrans_dhcpc interface
- Improve running xorg with proper SELinux domain even if systemd security feature NoNewPrivileges is used
2018-05-24 16:07:11 +02:00
Lukas Vrabec
ee05a93b19
* Tue May 22 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.14.2-19
- Increase dependency versions of policycoreutils and checkpolicy packages
2018-05-22 10:54:53 +02:00
Lukas Vrabec
e881d79dbc
* Mon May 21 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.14.2-18
- Disable secure mode environment cleansing for dirsrv_t
- Allow udev execute /usr/libexec/gdm-disable-wayland in xdm_t domain which allows create /run/gdm/custom.conf with proper xdm_var_run_t label.
2018-05-21 22:23:41 +02:00
Lukas Vrabec
844794a0f4
* Mon May 21 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.14.2-17
- Add dac_override capability to remote_login_t domain
- Allow chrome_sandbox_t to mmap tmp files
- Update ulogd SELinux security policy
- Allow rhsmcertd_t domain send signull to apache processes
- Allow systemd socket activation for modemmanager
- Allow geoclue to dbus chat with systemd
- Fix file contexts on conntrackd policy
- Temporary fix for varnish and apache adding capability for DAC_OVERRIDE
- Allow lsmd_plugin_t domain to getattr lsm_t unix stream sockets
- Add label for  /usr/sbin/pacemaker-remoted to have cluster_exec_t
- Allow nscd_t domain to be system dbusd client
- Allow abrt_t domain to read sysctl
- Add dac_read_search capability for tangd
- Allow systemd socket activation for rshd domain
- Add label for /usr/libexec/cyrus-imapd/master as cyrus_exec_t to have proper SELinux domain transition from init_t to cyrus_t
- Allow kdump_t domain to map /boot files
- Allow conntrackd_t domain to send msgs to syslog
- Label /usr/sbin/nhrpd and /usr/sbin/pimd binaries as zebra_exec_t
- Allow swnserve_t domain to stream connect to sasl domain
- Allow smbcontrol_t to create dirs with samba_var_t label
- Remove execstack,execmem and execheap from domains setroubleshootd_t, locate_t and podsleuth_t to increase security. BZ(1579760)
- Allow tangd to read public sssd files BZ(1509054)
- Allow geoclue start with nnp systemd security feature with proper SELinux Domain transition BZ(1575212)
- Allow ctdb_t domain modify ctdb_exec_t files
- Allow firewalld_t domain to create netlink_netfilter sockets
- Allow radiusd_t domain to read network sysctls
- Allow pegasus_t domain to mount tracefs_t filesystem
- Allow create systemd to mount pid files
- Add files_map_boot_files() interface
- Remove execstack,execmem and execheap from domain fsadm_t to increase security. BZ(1579760)
- Fix typo xserver SELinux module
- Allow systemd to mmap files with var_log_t label
- Allow x_userdomains read/write to xserver session
2018-05-21 01:48:14 +02:00
Lukas Vrabec
4d2de689d5
Fix typo bug in xserver SELinux module 2018-04-30 17:41:45 +02:00
Lukas Vrabec
a4ad07747e
* Mon Apr 30 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.14.2-16
- Allow systemd to mmap files with var_log_t label
- Allow x_userdomains read/write to xserver session
2018-04-30 16:30:28 +02:00
Lukas Vrabec
0bbda1a879
Redirect also stdout to /dev/null to avoid printing anything during updating selinux-policy process 2018-04-30 10:55:31 +02:00
Lukas Vrabec
560c1cf401
* Sat Apr 28 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.14.2-15
- Allow unconfined_domain_type to create libs filetrans named content BZ(1513806)
2018-04-28 19:43:37 +02:00
Lukas Vrabec
42d22b559a
Fix typo in spec file 2018-04-27 13:30:59 +02:00