Recent libsemanage-2.7-4.fc28 keeps copy of file_contexts.homedirs in
policy store in order to support listing homedirs file contexts in
semanage fcontext -l
- Fix typo in virt file contexts file
- allow ipa_dnskey_t to read /proc/net/unix file
- Allow openvswitch to run setfiles in setfiles_t domain.
- Allow openvswitch_t domain to read process data of neutron_t domains
- Fix typo in ipa_cert_filetrans_named_content() interface
- Fix typo bug in summary of xguest SELinux module
- Allow virtual machine with svirt_t label to stream connect to openvswitch.
- Label qemu-pr-helper script as virt_exec_t so this script won't run as unconfined_service_t
- Allow cloud-init to create content in /var/run/cloud-init
- Dontaudit VM to read gnome-boxes process data BZ(1415975)
- Allow winbind_t domain mmap samba_var_t files
- Allow cupsd_t to execute ld_so_cache_t BZ(1478602)
- Update dev_rw_xserver_misc() interface to allo source domains to mmap xserver devices BZ(1334035)
- Add dac_override capability to groupadd_t domain BZ(1497091)
- Allow unconfined_service_t to start containers
When selinux-policy is uninstalled, SELinux is changed to permissive and
/etc/selinux/config is updated to disable SELinux. But it doesn't apply
when selinux-policy-{targeted,mls,minimum} are uninstalled.
With this change when one of the policy subpackages is uninstalled
and the current policy type is same as the uninstalled policy, SELinux
is switched to permissive and disabled in config file as well.
Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1498569
https://fedoraproject.org/wiki/SELinux_Policy_Modules_Packaging_Draft#Build_Dependencies
The /usr/share/selinux/devel/policyhelp requirement was necessary to
extract the version number of the selinux-policy package being built
against, which is used to enforce a minimum version requirement on
selinux-policy when the built package is installed. The policyhelp file
itself can be found in either the selinux-policy, selinux-policy-devel,
or selinux-policy-doc package (depending on OS release), which is why we
cannot simply use a package name unless we are prepared to sacrifice
spec file portability. From Fedora 20 onwards, this method is no longer
necessary, so if your packaging is not targeting any releases prior to
Fedora 20 or EPEL-5/6, the /usr/share/selinux/devel/policyhelp
requirement is not needed.
Resolves: rhbz#1498429
- Allow cupsd_t to execute ld_so_cache_t BZ(1478602)
- Allow firewalld_t domain to change object identity because of relabeling after using firewall-cmd BZ(1469806)
- Allow postfix_cleanup_t domain to stream connect to all milter sockets BZ(1436026)
- Allow nsswitch_domain to read virt_var_lib_t files, because of libvirt NSS plugin. BZ(1487531)
- Add unix_stream_socket recvfrom perm for init_t domain BZ(1496318)
- Allow systemd to maange sysfs BZ(1471361)
See <https://pagure.io/atomic-wg/issue/341> - basically for libostree
(and hence rpm-ostree, and Fedora Editions that use it like Fedora Atomic Host),
the Anaconda `selinux --enforcing` verb will end up rewriting
`/etc/selinux/config` to the same value it had before.
But because of the trailing space character, this generates
a difference, and means the config file appears locally modified,
and hence deployed systems won't receive updates.
I think Anaconda should also be fixed to avoid touching the file *at all*
if it wouldn't result in a change, but let's remove the trailing space
here too, as it's better to fix in two places.
- Allow passwd_t domain mmap /etc/shadow and /etc/passwd
- Allow pulseaudio_t domain to map user tmp files
- Allow mozilla plugin to mmap mozilla tmpfs files
- Add new bunch of map rules
- Merge pull request #25 from NetworkManager/nm-ovs
- Make working webadm_t userdomain
- Allow redis domain to execute shell scripts.
- Allow system_cronjob_t to create redhat-access-insights.log with var_log_t
- Add couple capabilities to keepalived domain and allow get attributes of all domains
- Allow dmidecode read rhsmcertd lock files
- Add new interface rhsmcertd_rw_lock_files()
- Add new bunch of map rules
- Merge pull request #199 from mscherer/add_conntrackd
- Add support labeling for vmci and vsock device
- Add userdom_dontaudit_manage_admin_files() interface
- Add rules fixing installing ipa-server-install with SELinux in Enforcing. BZ(1488404)
- Fix denials during ipa-server-install process on F27+
- Allow httpd_t to mmap cert_t
- Add few rules to make tlp_t domain working in enforcing mode
- Allow cloud_init_t to dbus chat with systemd_timedated_t
- Allow logrotate_t to write to kmsg
- Add capability kill to rhsmcertd_t
- Allow winbind to manage smbd_tmp_t files
- Allow groupadd_t domain to dbus chat with systemd.BZ(1488404)
- Add interface miscfiles_map_generic_certs()
- Allow dirsrv_t domain use mmap on files labeled as dirsrv_var_run_t BZ(1483170)
- Allow just map permission insead of using mmap_file_pattern because mmap_files_pattern allows also executing objects.
- Label /var/run/agetty.reload as getty_var_run_t
- Add missing filecontext for sln binary
- Allow systemd to read/write to event_device_t BZ(1471401)
- Allow osad make executable an anonymous mapping or private file mapping that is writable BZ(1425524)
- After fix in kernel where LSM hooks for dac_override and dac_search_read capability was swaped we need to fix it also in policy
- refpolicy: Define and allow map permission
- init: Add NoNewPerms support for systemd.
- Add nnp_nosuid_transition policycap and related class/perm definitions.