Commit Graph

2211 Commits

Author SHA1 Message Date
Lukas Vrabec
284401b055 * Tue Aug 15 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-272
- Allow sssd_t domain to map sssd_var_lib_t files
- allow map permission where needed
- contrib: allow map permission where needed
- Allow syslogd_t to map syslogd_var_run_t files
- allow map permission where needed
2017-08-15 16:29:24 +02:00
Lukas Vrabec
c6aaaee231 Remove temporary fix labeling cockpit binary 2017-08-15 16:27:40 +02:00
Lukas Vrabec
be2df80e69 * Mon Aug 14 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-271
- Allow tomcat_t domain couple capabilities to make working tomcat-jsvc
- Label /usr/libexec/sudo/sesh as shell_exec_t
2017-08-14 16:11:30 +02:00
Lukas Vrabec
7a49a1c8c7 * Thu Aug 10 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-270
- refpolicy: Infiniband pkeys and endport
2017-08-10 23:27:06 +02:00
Lukas Vrabec
9a31f2128c Merge branch 'master' of ssh://pkgs.fedoraproject.org/rpms/selinux-policy 2017-08-10 11:25:56 +02:00
Lukas Vrabec
ff3605a078 * Thu Aug 10 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-269
- Allow osad make executable an anonymous mapping or private file mapping that is writable BZ(1425524)
- After fix in kernel where LSM hooks for dac_override and dac_search_read capability was swaped we need to fix it also in policy
- refpolicy: Define and allow map permission
- init: Add NoNewPerms support for systemd.
- Add nnp_nosuid_transition policycap and related class/perm definitions.
2017-08-10 11:25:41 +02:00
Petr Lautrbach
cf21eb3fa5 Fix bogus date for 3.13.1-267 changelog entry
warning: bogus date in %changelog: Fri Aug 07 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-267
2017-08-10 09:12:56 +02:00
Petr Lautrbach
b65295347f * Mon Aug 07 2017 Petr Lautrbach <plautrba@redhat.com> - 3.13.1-268
- Update for SELinux userspace release 20170804 / 2.7
- Omit precompiled regular expressions from file_contexts.bin files
2017-08-07 18:05:24 +02:00
Lukas Vrabec
631f95b1cf * Fri Aug 07 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-267
- After fix in kernel where LSM hooks for dac_override and dac_search_read capability was swaped we need to fix it also in policy
2017-08-07 16:17:01 +02:00
Petr Lautrbach
0eccbd957d Revert "Temporary fix while creating manpages using sepolicy is broken."
This reverts commit fbdb6e98da.

Since policycoreutils-2.6-7, 'sepolicy manpage' should be again
reasonable fast.
2017-08-03 08:01:21 +02:00
Fedora Release Engineering
f0d7feb11d - Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild 2017-07-27 18:25:45 +00:00
Lukas Vrabec
4696e7ec09 * Fri Jul 21 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-265
- Allow llpdad send dgram to libvirt
- Allow abrt_t domain dac_read_search capability
- Allow init_t domain mounton dirs labeled as init_var_lib_t BZ(1471476)
- Allow xdm_t domain read unique machine-id generated during system installation. BZ(1467036)
2017-07-21 14:21:02 +02:00
Lukas Vrabec
3622c01896 * Mon Jul 17 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-264
- Dontaudit xdm_t to setattr lib_t dirs. BZ(#1458518)
2017-07-17 14:32:35 +02:00
Lukas Vrabec
ab9bb05673 * Tue Jul 11 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-263
- Add new boolean gluster_use_execmem
2017-07-11 18:01:45 +02:00
Lukas Vrabec
6fc6359b10 * Mon Jul 10 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-262
- Allow cluster_t and glusterd_t domains to dbus chat with ganesha service
- Allow iptables to read container runtime files
2017-07-10 09:27:35 +02:00
Lukas Vrabec
959229d1e3 * Fri Jun 23 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-261
- Allow boinc_t nsswitch
- Dontaudit firewalld to write to lib_t dirs
- Allow modemmanager_t domain to write to raw_ip file labeled as sysfs_t
- Allow thumb_t domain to allow create dgram sockets
- Disable mysqld_safe_t secure mode environment cleansing
- Allow couple rules needed to start targetd daemon with SELinux in enforcing mode
- Allow dirsrv domain setrlimit
- Dontaudit staff_t user read admin_home_t files.
- Add interface lvm_manage_metadata
- Add permission open to files_read_inherited_tmp_files() interface
2017-06-23 17:16:37 +02:00
Lukas Vrabec
c8dc4505f7 Fix commands how to create downstream patches 2017-06-20 17:00:14 +02:00
Lukas Vrabec
8c093f225c * Mon Jun 19 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-260
- Allow sssd_t to read realmd lib files.
- Fix init interface file. init_var_run_t is type not attribute
2017-06-19 16:52:54 +02:00
Lukas Vrabec
fa95f253bf * Mon Jun 19 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-258
- Allow rpcbind_t to execute systemd_tmpfiles_exec_t binary files.
- Merge branch 'rawhide' of github.com:wrabcak/selinux-policy-contrib into rawhide
- Allow qemu to authenticate SPICE connections with SASL GSSAPI when SSSD is in use
- Fix dbus_dontaudit_stream_connect_system_dbusd() interface to require TYPE rather than ATTRIBUTE for systemd_dbusd_t.
- Allow httpd_t to read realmd_var_lib_t files
- Allow unconfined_t user all user namespace capabilties.
- Add interface systemd_tmpfiles_exec()
- Add interface libs_dontaudit_setattr_lib_files()
- Dontaudit xdm_t domain to setattr on lib_t dirs
- Allow sysadm_r role to jump into dirsrv_t
2017-06-19 10:01:33 +02:00
Lukas Vrabec
7ac1cbb003 * Thu Jun 08 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-257
- Merge pull request #10 from mscherer/fix_tor_dac
- Merge pull request #9 from rhatdan/rawhide
- Merge pull request #13 from vinzent/allow_zabbix_t_to_kill_zabbix_script_t
- Allow kdumpgui to read removable disk device
- Allow systemd_dbusd_t domain read/write to nvme devices
- Allow udisks2 domain to read removable devices BZ(1443981)
- Allow virtlogd_t to execute itself
- Allow keepalived to read/write usermodehelper state
- Allow named_t to bind on udp 4321 port
- Fix interface tlp_manage_pid_files()
- Allow collectd domain read lvm config files. BZ(1459097)
- Merge branch 'rawhide' of github.com:wrabcak/selinux-policy-contrib into rawhide
- Allow samba_manage_home_dirs boolean to manage user content
- Merge pull request #14 from lemenkov/rabbitmq_systemd_notify
- Allow pki_tomcat_t execute ldconfig.
- Merge pull request #191 from rhatdan/udev
- Allow systemd_modules_load_t to load modules
2017-06-08 12:25:29 +02:00
Lukas Vrabec
941d5af493 * Mon Jun 05 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-256
- Allow keepalived domain connect to squid tcp port
- Allow krb5kdc_t domain read realmd lib files.
- Allow tomcat to connect on all unreserved ports
- Allow keepalived domain connect to squid tcp port
- Allow krb5kdc_t domain read realmd lib files.
- Allow tomcat to connect on all unreserved ports
- Allow ganesha to connect to all rpc ports
- Update ganesha with few allow rules
- Update rpc_read_nfs_state_data() interface to allow read also lnk_files.
- virt_use_glusterd boolean should be in optional block
- Add new boolean virt_use_glusterd
- Add capability sys_boot for sbd_t domain Allow sbd_t domain to create rpc sysctls.
- Allow ganesha_t domain to manage glusterd_var_run_t pid files.
- Create new interface: glusterd_read_lib_files() Allow ganesha read glusterd lib files. Allow ganesha read network sysctls
- Add few allow rules to ganesha module
- Allow condor_master_t to read sysctls.
- Add dac_override cap to ctdbd_t domain
- Add ganesha_use_fusefs boolean.
- Allow httpd_t reading kerberos kdc config files
- Allow tomcat_t domain connect to ibm_dt_2 tcp port.
- Allow stream connect to initrc_t domains
- Add pki_exec_common_files() interface
- Allow  dnsmasq_t domain to read systemd-resolved pid files.
- Allow tomcat domain name_bind on tcp bctp_port_t
- Allow smbd_t domain generate debugging files under /var/run/gluster. These files are created through the libgfapi.so library that provides integration of a GlusterFS client in the Samba (vfs_glusterfs) process.
- Allow condor_master_t write to sysctl_net_t
- Allow nagios check disk plugin read /sys/kernel/config/
- Allow pcp_pmie_t domain execute systemctl binary
- Allow nagios to connect to stream sockets. Allow nagios start httpd via systemctl
- xdm_t should view kernel keys
- Hide broken symptoms when machine is configured with network bounding.
- Label 8750 tcp/udp port as dey_keyneg_port_t
- Label tcp/udp port 1792 as ibm_dt_2_port_t
- Add interface fs_read_configfs_dirs()
- Add interface fs_read_configfs_files()
- Fix systemd_resolved_read_pid interface
- Add interface systemd_resolved_read_pid()
- Allow sshd_net_t domain read/write into crypto devices
- Label 8999 tcp/udp as bctp_port_t
2017-06-05 13:25:12 +02:00
Lukas Vrabec
6c0472a324 * Thu May 18 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-255
- Dontaudit net_admin capability for domains postfix_master_t and postfix_qmgr_t
- Add interface pki_manage_common_files()
- Allow rngd domain read sysfs_t
- Allow tomcat_t domain to manage pki_common_t files and dirs
- Merge pull request #3 from rhatdan/devicekit
- Merge pull request #12 from lslebodn/sssd_sockets_fc
- Allow certmonger reads httpd_config_t files
- Allow keepalived_t domain creating netlink_netfilter_socket.
- Use stricter fc rules for sssd sockets in /var/run
- Allow tomcat domain read rpm_var_lib_t files Allow tomcat domain exec rpm_exec_t files Allow tomcat domain name connect on oracle_port_t Allow tomcat domain read cobbler_var_lib_t files.
- Allow sssd_t domain creating sock files labeled as sssd_var_run_t in /var/run/
- Allow svirt_t to read raw fixed_disk_device_t to make working blockcommit
- ejabberd small fixes
- Update targetd policy to accommodate changes in the service
- Allow tomcat_domain connect to    * postgresql_port_t    * amqp_port_t Allow tomcat_domain read network sysctls
- Allow virt_domain to read raw fixed_disk_device_t to make working blockcommit
- Dontaudit net_admin capability for useradd_t domain
- Allow systemd_localed_t and systemd_timedated_t create files in /etc with label locate_t BZ(1443723)
- Make able deply overcloud via neutron_t to label nsfs as fs_t
- Add fs_manage_configfs_lnk_files() interface
2017-05-18 16:44:30 +02:00
Lukas Vrabec
c1e28f68d8 * Mon May 15 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-254
- Allow svirt_t to read raw fixed_disk_device_t to make working blockcommit
- ejabberd small fixes
- Update targetd policy to accommodate changes in the service
- Allow tomcat_domain connect to    * postgresql_port_t    * amqp_port_t Allow tomcat_domain read network sysctls
- Allow virt_domain to read raw fixed_disk_device_t to make working blockcommit
- Allow glusterd_t domain start ganesha service
- Made few cosmetic changes in sssd SELinux module
- Merge pull request #11 from lslebodn/sssd_kcm
- Update virt_rw_stream_sockets_svirt() interface to allow confined users set socket options.
- Allow keepalived_t domain read usermodehelper_t
- Allow radius domain stream connec to postgresql
- Merge pull request #8 from bowlofeggs/142-rawhide
- Add fs_manage_configfs_lnk_files() interface
2017-05-15 22:07:43 +02:00
Lukas Vrabec
dfee3bea84 * Fri May 12 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-253
- auth_use_nsswitch can call only domain not attribute
- Dontaudit net_admin cap for winbind_t
- Allow tlp_t domain to stream connect to system bus
- Allow tomcat_t domain read pki_common_t files
- Add interface pki_read_common_files()
- Fix broken cermonger module
- Fix broken apache module
- Allow hypervkvp_t domain execute hostname
- Dontaudit sssd_selinux_manager_t use of net_admin capability
- Allow tomcat_t stream connect to pki_common_t
- Dontaudit xguest_t's attempts to listen to its tcp_socket
- Allow sssd_selinux_manager_t to ioctl init_t sockets
- Improve ipa_cert_filetrans_named_content() interface to also allow caller domain manage ipa_cert_t type.
- Allow pki_tomcat_t domain read /etc/passwd.
- Allow tomcat_t domain read ipa_tmp_t files
- Label new path for ipa-otpd
- Allow radiusd_t domain stream connect to postgresql_t
- Allow rhsmcertd_t to execute hostname_exec_t binaries.
- Allow virtlogd to append nfs_t files when virt_use_nfs=1
- Allow httpd_t domain read also httpd_user_content_type lnk_files.
- Allow httpd_t domain create /etc/httpd/alias/ipaseesion.key with label ipa_cert_t
- Dontaudit <user>_gkeyringd_t stream connect to system_dbusd_t
- Label /var/www/html/nextcloud/data as httpd_sys_rw_content_t
- Add interface ipa_filetrans_named_content()
- Allow tomcat use nsswitch
- Allow certmonger_t start/status generic services
- Allow dirsrv read cgroup files.
- Allow ganesha_t domain read/write infiniband devices.
- Allow sendmail_t domain sysctl_net_t files
- Allow targetd_t domain read network state and getattr on loop_control_device_t
- Allow condor_schedd_t domain send mails.
- Allow ntpd to creating sockets. BZ(1434395)
- Alow certmonger to create own systemd unit files.
- Add kill namespace capability to xdm_t domain
- Revert "su using libselinux and creating netlink_selinux socket is needed to allow libselinux initialization."
- Revert "Allow <role>_su_t to create netlink_selinux_socket"
- Allow <role>_su_t to create netlink_selinux_socket
- Allow unconfined_t to module_load any file
- Allow staff to systemctl virt server when staff_use_svirt=1
- Allow unconfined_t create /tmp/ca.p12 file with ipa_tmp_t context
- Allow netutils setpcap capability
- Dontaudit leaked file descriptor happening in setfiles_t domain BZ(1388124)
2017-05-12 17:03:36 +02:00
Lukas Vrabec
fe274d0fa4 Merge branch 'master' of ssh://pkgs.fedoraproject.org/rpms/selinux-policy 2017-04-20 22:51:15 +02:00
Petr Lautrbach
3332d5b8d0 Do not ship .linked files
libsemanage was updated [1] to use {policy,seusers,users_extra}.linked files
to cache the linked policy prior to merging local changes. We don't need
to ship these files, however the files should be owned by selinux-policy
packages on a filesystem.

[1] 8702a865e0
2017-04-20 22:48:24 +02:00
Michael Scherer
c8b7cd49fb Add safeguard around "semodule -n -d sandbox"
Each time this package is updated, it remove the sandbox module, thus
making the sandbox command not working until someone reenable it.

The main cause is likely the non intuitive ordering of RPM post install
script, as %preun is run after %post. See the details on
https://fedoraproject.org/wiki/Packaging:Scriptlets
2017-04-20 09:27:13 +02:00
Lukas Vrabec
e08cffb7e1 * Tue Apr 18 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-251
- Fix abrt module to reflect all changes in abrt release
2017-04-18 16:09:05 +02:00
Lukas Vrabec
c0884791ad * Tue Apr 18 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-250
- Allow tlp_t domain to ioctl removable devices BZ(1436830)
- Allow tlp_t domain domtrans into mount_t BZ(1442571)
- Allow lircd_t to read/write to sysfs BZ(1442443)
- Fix policy to reflect all changes in new IPA release
- Allow virtlogd_t to creating tmp files with virt_tmp_t labels.
- Allow sbd_t to read/write fixed disk devices
- Add sys_ptrace capability to radiusd_t domain
- Allow cockpit_session_t domain connects to ssh tcp ports.
- Update tomcat policy to make working ipa install process
- Allow pcp_pmcd_t net_admin capability. Allow pcp_pmcd_t read net sysctls Allow system_cronjob_t create /var/run/pcp with pcp_var_run_t
- Fix all AVC denials during pkispawn of CA Resolves: rhbz#1436383
- Update pki interfaces and tomcat module
- Allow sendmail to search network sysctls
- Add interface gssd_noatsecure()
- Add interface gssproxy_noatsecure()
- Allow chronyd_t net_admin capability to allow support HW timestamping.
- Update tomcat policy.
- Allow certmonger to start haproxy service
- Fix init Module
- Make groupadd_t domain as system bus client BZ(1416963)
- Make useradd_t domain as system bus client BZ(1442572)
- Allow xdm_t to gettattr /dev/loop-control device BZ(1385090)
- Dontaudit gdm-session-worker to view key unknown. BZ(1433191)
- Allow init noatsecure for gssd and gssproxy
- Allow staff user to read fwupd_cache_t files
- Remove typo bugs
- Remove /proc <<none>> from fedora policy, it's no longer necessary
2017-04-18 00:12:06 +02:00
Lukas Vrabec
0d1055a787 * Mon Apr 03 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-249
- Merge pull request #4 from lslebodn/sssd_socket_activated
- Remove /proc <<none>> from fedora policy, it's no longer necessary
- Allow iptables get list of kernel modules
- Allow unconfined_domain_type to enable/disable transient unit
- Add interfaces init_enable_transient_unit() and init_disable_transient_unit
- Revert "Allow sshd setcap capability. This is needed due to latest changes in sshd"
- Label sysroot dir under ostree as root_t
2017-04-03 12:05:44 +02:00
Adam Williamson
f993349d77 Put tomcat_t back in unconfined domains for now. BZ(1436434) 2017-03-27 17:00:43 -07:00
Lukas Vrabec
b8c3e1f896 * Tue Mar 21 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-247
- Make fwupd_var_lib_t type mountpoint. BZ(1429341)
- Remove tomcat_t domain from unconfined domains
- Create new boolean: sanlock_enable_home_dirs()
- Allow mdadm_t domain to read/write nvme_device_t
- Remove httpd_user_*_content_t domains from user_home_type attribute. This tighten httpd policy and acces to user data will be more strinct, and also fix mutual influente between httpd_enable_homedirs and httpd_read_user_content
- Add interface dev_rw_nvme
- Label all files containing hostname substring in /etc/ created by systemd_hostnamed_t as hostname_etc_t. BZ(1433555)
2017-03-21 09:58:13 +01:00
Lukas Vrabec
b3dccbc4b2 * Sat Mar 18 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-246
- Label all files containing hostname substring in /etc/ created by systemd_hostnamed_t as hostname_etc_t. BZ(1433555)
2017-03-18 16:12:18 +01:00
Lukas Vrabec
96feeb5e20 * Fri Mar 17 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-245
- Allow vdagent domain to getattr cgroup filesystem
- Allow abrt_dump_oops_t stream connect to sssd_t domain
- Allow cyrus stream connect to gssproxy
- Label /usr/libexec/cockpit-ssh as cockpit_session_exec_t and allow few rules
- Allow colord_t to read systemd hwdb.bin file
- Allow dirsrv_t to create /var/lock/dirsrv labeled as dirsrc_var_lock_t
- Allow certmonger to manage /etc/krb5kdc_conf_t
- Allow kdumpctl to getenforce
- Allow ptp4l wake_alarm capability
- Allow ganesha to chat with unconfined domains via dbus
- Add nmbd_t capability2 block_suspend
- Add domain transition from sosreport_t to iptables_t
- Dontaudit init_t to mounton modules_object_t
- Add interface files_dontaudit_mounton_modules_object
- Allow xdm_t to execute files labeled as xdm_var_lib_t
- Make mtrr_device_t mountpoint.
- Fix path to /usr/lib64/erlang/erts-5.10.4/bin/epmd
2017-03-17 17:34:02 +01:00
Peter Robinson
469c7cb44c fix up other docs source 2017-03-09 19:53:13 +00:00
Peter Robinson
88d4af785a use correct source for man pages (hint: 'fedpkg local' is a quick way to test) 2017-03-09 17:11:47 +00:00
Lukas Vrabec
0cdcb41ef4 * Tue Mar 07 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-244 - Update fwupd policy - /usr/libexec/udisks2/udisksd should be labeled as devicekit_disk_exec_t - Update ganesha policy - Allow chronyd to read adjtime - Merge pull request #194 from hogarthj/certbot_policy - get the correct cert_t context on certbot certificates bz#1289778 - Label /dev/ss0 as gpfs_device_t 2017-03-07 18:22:02 +01:00
Lukas Vrabec
fe778a9320 Fix broken build 2017-03-07 18:09:35 +01:00
Lukas Vrabec
b77d5e5e60 * Thu Mar 02 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-243
-  Allow abrt_t to send mails.
2017-03-02 10:12:44 +01:00
Lukas Vrabec
fbdb6e98da Temporary fix while creating manpages using sepolicy is broken. 2017-03-02 10:04:43 +01:00
Lukas Vrabec
73a41e1268 * Mon Feb 27 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-242
- Add radius_use_jit boolean
- Allow nfsd_t domain to create sysctls_rpc_t files
- add the policy required for nextcloud
- Allow can_load_kernmodule to load kernel modules. BZ(1426741)
- Create kernel_create_rpc_sysctls() interface
2017-02-27 10:50:42 +01:00
Lukas Vrabec
acb049dbc4 * Tue Feb 21 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-241
- Remove ganesha from gluster module and create own module for ganesha
- FIx label for /usr/lib/libGLdispatch.so.0.0.0
2017-02-21 14:04:18 +01:00
Lukas Vrabec
9930e8f125 * Wed Feb 15 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-240
- Dontaudit xdm_t wake_alarm capability2
- Allow systemd_initctl_t to create and connect unix_dgram sockets
- Allow ifconfig_t to mount/unmount nsfs_t filesystem
- Add interfaces allowing mount/unmount nsfs_t filesystem
- Label /usr/lib/libGLdispatch.so.0.0.0 as textrel_shlib_t BZ(1419944)
2017-02-15 15:41:56 +01:00
Lukas Vrabec
7c40aea259 * Mon Feb 13 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-239
- Allow syslog client to connect to kernel socket. BZ(1419946)
2017-02-13 10:17:47 +01:00
Lukas Vrabec
67dffb1bc1 * Thu Feb 09 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-238
- Allow shiftfs to use xattr SELinux labels
- Fix ssh_server_template by add sshd_t to require section.
2017-02-09 23:34:30 +01:00
Lukas Vrabec
fd7fb37552 * Wed Feb 08 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-237
- Merge pull request #187 from rhatdan/container-selinux
- Allow rhsmcertd domain signull kernel.
- Allow container-selinux to handle all policy for container processes
- Fix label for nagios plugins in nagios file conxtext file
- su using libselinux and creating netlink_selinux socket is needed to allow libselinux initialization. Resolves: rhbz#1146987
- Add SELinux support for systemd-initctl daemon
- Add SELinux support for systemd-bootchart
- su using libselinux and creating netlink_selinux socket is needed to allow libselinux initialization. Resolves: rhbz#1146987
- Add module_load permission to can_load_kernmodule
- Add module_load permission to class system
- Add the validate_trans access vector to the security class
- Restore connecto permssions for init_t
2017-02-08 16:39:12 +01:00
Lukas Vrabec
bab4787609 * Thu Feb 02 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-236
- Allow kdumpgui domain to read nvme device
- Add amanda_tmpfs_t label. BZ(1243752)
- Fix typo in sssd interface file
- Allow sssd_t domain setpgid BZ(1411437)
- Allow ifconfig_t domain read nsfs_t
- Allow ping_t domain to load kernel modules.
- Allow systemd to send user information back to pid1. BZ(1412750)
- rawhide-base: Fix wrong type/attribute flavors in require blocks
2017-02-02 12:41:29 +01:00
Lukas Vrabec
5ed99329f5 * Tue Jan 17 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-235
- Allow libvirt daemon to create /var/chace/libvirt dir.
- Allow systemd using ProtectKernelTunables securit feature. BZ(1392161)
- F26 Wide change: Coredumps enabled by default. Allowing inherits process limits to enable coredumps.BZ(1341829)
2017-01-17 18:02:49 +01:00
Lukas Vrabec
a4801c838b * Tue Jan 17 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-234
- After the latest changes in nfsd. We should allow nfsd_t to read raw fixed disk. For more info see: BZ(1403017)
- Tighten security on containe types
- Make working cracklib_password_check for MariaDB service
- Label 20514 tcp/udp ports as syslogd_port_t Label 10514 tcp/udp portas as syslog_tls_port_t BZ(1410505)
2017-01-17 09:55:15 +01:00
Lukas Vrabec
cb674ac32f * Sun Jan 08 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-233
-Allow thumb domain sendto via dgram sockets. BZ(1398813)
- Add condor_procd_t domain sys_ptrace cap_userns BZ(1411077)
- Allow cobbler domain to create netlink_audit sockets BZ(1384600)
- Allow networkmanager to manage networkmanager_var_lib_t lnk files BZ(1408626)
- Add dhcpd_t domain fowner capability BZ(1409963)
- Allow thumb to create netlink_kobject_uevent sockets. BZ(1410942)
- Fix broken interfaces
- Allow setfiles_t domain rw inherited kdumpctl tmp pipes BZ(1356456)
- Allow user_t run systemctl --user BZ(1401625)
2017-01-08 22:35:48 +01:00
Lukas Vrabec
3f98d5071c * Fri Jan 06 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-232
- Add tlp_var_lib_t label for /var/lib/tlp directory BZ(1409977)
- Allow tlp_t domain to read proc_net_t BZ(1403487)
- Merge pull request #179 from rhatdan/virt1
- Allow tlp_t domain to read/write cpu microcode BZ(1403103)
- Allow virt domain to use interited virtlogd domains fifo_file
- Fixes for containers
- Allow glusterd_t to bind on glusterd_port_t udp ports.
- Update ctdbd_t policy to reflect all changes.
- Allow ctdbd_t domain transition to rpcd_t
2017-01-06 21:58:14 +01:00
Lukas Vrabec
aabe3f000e * Wed Dec 14 2016 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-231
- Allow pptp_t to read /dev/random BZ(1404248)
- Allow glusterd_t send signals to userdomain. Label new glusterd binaries as glusterd_exec_t
- Allow systemd to stop glusterd_t domains.
- Merge branch 'rawhide-base' of github.com:fedora-selinux/selinux-policy into rawhide-base
- Label /usr/sbin/sln as ldconfig_exec_t BZ(1378323)
- Revert "Allow an domain that has an entrypoint from a type to be allowed to execute the entrypoint without a transition,  I can see no case where this is  a bad thing, and elminiates a whole class of AVCs."
2016-12-14 16:29:22 +01:00
Lukas Vrabec
6319c499e4 * Thu Dec 08 2016 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-230
- Label /usr/bin/rpcbind as rpcbind_exec_t
- Dontaudit mozilla plugin rawip socket creation. BZ(1275961)
- Merge pull request #174 from rhatdan/netlink
2016-12-08 16:30:38 +01:00
Lukas Vrabec
68b689158d * Wed Dec 07 2016 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-229
- Label /usr/bin/rpcbind as rpcbind_exec_t. Label /usr/lib/systemd/systemd/rpcbind.service
- Allot tlp domain to create unix_dgram sockets BZ(1401233)
- Allow antivirus domain to create lnk_files in /tmp
- Allow cupsd_t to create lnk_files in /tmp. BZ(1401634)
- Allow svnserve_t domain to read /dev/random BZ(1401827)
- Allow lircd to use nsswitch. BZ(1401375)
- Allow hostname_t domain to manage cluster_tmp_t files
2016-12-07 12:46:00 +01:00
Lukas Vrabec
7216220f4a * Mon Dec 05 2016 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-226
- Fix some boolean descriptions.
- Add fwupd_dbus_chat() interface
- Allow tgtd_t domain wake_alarm
- Merge pull request #172 from vinzent/allow_puppetagent_timedated
- Dontaudit logrotate_t to getattr nsfs_t BZ(1399081)
- Allow systemd_machined_t to start unit files labeled as init_var_run_t
- Add init_manage_config_transient_files() interface
- In Atomic /usr/local is a soft symlink to /var/usrlocal, so the default policy to apply bin_t on /usr/...bin doesn't work and binaries dumped here get mislabeled as var_t.
- Allow systemd to raise rlimit to all domains.BZ(1365435)
- Add interface domain_setrlimit_all_domains() interface
- Allow staff_t user to chat with fwupd_t domain via dbus
- Update logging_create_devlog_dev() interface to allow calling domain create also sock_file dev-log. BZ(1393774)
- Allow systemd-networkd to read network state BZ(1400016)
- Allow systemd-resolved bind to dns port. BZ(1400023)
- Allow systemd create /dev/log in own mount-namespace. BZ(1383867)
- Add interface fs_dontaudit_getattr_nsfs_files()
- Label /usr/lib/systemd/resolv.conf as lib_t to allow all domains read this file. BZ(1398853)
2016-12-05 16:48:37 +01:00
Lukas Vrabec
6a99358633 Exit postInstall state in mls package 2016-12-01 15:40:00 +01:00
Lukas Vrabec
bc46371d77 * Tue Nov 29 2016 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-227
- Dontaudit logrotate_t to getattr nsfs_t BZ(1399081)
- Allow pmie daemon to send signal pcmd daemon BZ(1398078)
- Allow spamd_t to manage /var/spool/mail. BZ(1398437)
- Label /run/rpc.statd.lock as rpcd_lock_t and allow rpcd_t domain to manage it. BZ(1397254)
- Merge pull request #171 from t-woerner/rawhide-contrib
- Allow firewalld to getattr open search read modules_object_t:dir
- Allow systemd create /dev/log in own mount-namespace. BZ(1383867)
- Add interface fs_dontaudit_getattr_nsfs_files()
- Label /usr/lib/systemd/resolv.conf as lib_t to allow all domains read this file. BZ(1398853)
- Dontaudit systemd_journal sys_ptrace userns capability. BZ(1374187)
2016-11-29 14:40:40 +01:00
Lukas Vrabec
99509b3f86 * Wed Nov 16 2016 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-226
- Adding policy for tlp
- Add interface  dev_manage_sysfs()
- Allow ifconfig domain to manage tlp pid files.
2016-11-16 14:46:50 +01:00
Lukas Vrabec
eae2c639f7 * Wed Nov 09 2016 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-225
- Allow systemd_logind_t domain to communicate with devicekit_t domain via dbus bz(1393373)
2016-11-09 13:45:14 +01:00
Lukas Vrabec
89fc5f15af * Tue Nov 08 2016 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-224
- Allow watching netflix using Firefox
2016-11-08 12:47:22 +01:00
Lukas Vrabec
25e7924958 * Mon Nov 07 2016 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-223
- nmbd_t needs net_admin capability like smbd
- Add interface chronyd_manage_pid() Allow logrotate to manage chrony pids
- Add wake_alarm capability2 to openct_t domain
- Allow abrt_t to getattr on nsfs_t files.
- Add cupsd_t domain wake_alarm capability.
- Allow sblim_reposd_t domain to read cert_f files.
- Allow abrt_dump_oops_t to drop capabilities. bz(1391040)
- Revert "Allow abrt_dump_oops_t to drop capabilities. bz(1391040)"
- Allow isnsd_t to accept tcp connections
2016-11-07 23:00:09 +01:00
Lukas Vrabec
2bb5c83b3d * Wed Nov 02 2016 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-222
- Allow abrt_dump_oops_t to drop capabilities. bz(1391040)
- Add named_t domain net_raw capability bz(1389240)
- Allow geoclue to read system info. bz(1389320)
- Make openfortivpn_t as init_deamon_domain. bz(1159899)
- Allow nfsd domain to create nfsd_unit_file_t files. bz(1382487)
- Merge branch 'rawhide-contrib' of github.com:fedora-selinux/selinux-policy into rawhide-contrib
- Add interace lldpad_relabel_tmpfs
- Merge pull request #155 from rhatdan/sandbox_nfs
- Add pscsd_t wake_alarm capability2
- Allow sandbox domains to mount fuse file systems
- Add boolean to allow sandbox domains to mount nfs
- Allow hypervvssd_t to read all dirs.
- Allow isnsd_t to connect to isns_port_t
- Merge branch 'rawhide-contrib' of github.com:fedora-selinux/selinux-policy into rawhide-contrib
- Allow GlusterFS with RDMA transport to be started correctly. It requires ipc_lock capability together with rw permission on rdma_cm device.
- Make tor_var_lib_t and tor_var_log_t as mountpoints.
- Allow systemd-rfkill to write to /proc/kmsg bz(1388669)
- Allow init_t to relabel /dev/shm/lldpad.state
- Merge pull request #168 from rhatdan/docker
- Label tcp 51954 as isns_port_t
- Lots of new domains like OCID and RKT are user container processes
2016-11-02 18:02:58 +01:00
Miroslav Grepl
cb85251274 Bump release to -221. 2016-10-17 20:53:13 +02:00
Miroslav Grepl
ec8dddbf3a * Mon Oct 17 2016 Miroslav Grepl <mgrepl@redhat.com> - 3.13.1-221
- Add container_file_t into contexts/customizable_types.
2016-10-17 20:52:01 +02:00
Lukas Vrabec
dad1b66dfe * Sun Oct 16 2016 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-220
- Disable container_runtime_typebounds() due to typebounds issues which can not be resolved during build.
- Disable unconfined_typebounds in sandbox.te due to entrypoint check which exceed for sandbox domains unconfined_t domain.
- Disable unconfined_typebounds due to entrypoint check which exceed for sandbox domains unconfined_t domain.
- Merge pull request #167 from rhatdan/container
- Add transition rules for sandbox domains
- container_typebounds() should be part of sandbox domain template
- Fix broken container_* interfaces
- unconfined_typebounds() should be part of sandbox domain template
- Fixed unrecognized characters at sandboxX module
- unconfined_typebounds() should be part of sandbox domain template
- svirt_file_type is atribute no type.
- Merge pull request #166 from rhatdan/container
- Allow users to transition from unconfined_t to container types
- Add dbus_stream_connect_system_dbusd() interface.
- Merge pull request #152 from rhatdan/network_filetrans
- Fix typo in filesystem module
- Allow nss_plugin to resolve host names via the systemd-resolved. BZ(1383473)
2016-10-16 18:47:27 +02:00
Lukas Vrabec
8610886f2e * Mon Oct 10 2016 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-219
- Dontaudit leaked file descriptors for thumb. BZ(1383071)
- Fix typo in cobbler SELinux module
- Merge pull request #165 from rhatdan/container
- Allow cockpit_ws_t to manage cockpit_lib_t dirs and files. BZ(1375156)
- Allow cobblerd_t to delete dirs labeled as tftpdir_rw_t
- Rename svirt_lxc_net_t to container_t
- Rename docker.pp to container.pp, causes change in interface name
- Allow httpd_t domain to list inotify filesystem.
- Fix couple AVC to start roundup properly
- Allow dovecot_t send signull to dovecot_deliver_t
- Add sys_ptrace capability to pegasus domain
- Allow firewalld to stream connect to NetworkManager. BZ(1380954)
- rename docker intefaces to container
- Merge pull request #164 from rhatdan/docker-base
- Rename docker.pp to container.pp, causes change in interface name
- Allow gvfs to read /dev/nvme* devices BZ(1380951)
2016-10-10 17:16:44 +02:00
Lukas Vrabec
ab3db24c9e Rename docker-selinux to container-selinux package 2016-10-10 16:34:35 +02:00
Colin Walters
3b618f3b2e Revert addition of systemd service for factory reset, since it is
basically worse than what we had before.  BZ(1290659)
2016-10-05 14:51:35 -04:00
Lukas Vrabec
25813e22ec * Thu Sep 29 2016 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-216
- Allow devicekit to chat with policykit via DBUS. BZ(1377113)
- Add interface virt_rw_stream_sockets_svirt() BZ(1379314)
- Allow xdm_t to read mount pid files. BZ(1377113)
- Allow staff to rw svirt unix stream sockets. BZ(1379314)
- Allow staff_t to read tmpfs files BZ(1378446)
2016-09-29 14:23:17 +02:00
Lukas Vrabec
4efe5ab99f * Fri Sep 23 2016 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-215
- Make tor_var_run_t as mountpoint. BZ(1368621)
- Fix typo in ftpd SELinux module.
- Allow cockpit-session to reset expired passwords BZ(1374262)
- Allow ftp daemon to manage apache_user_content
- Label /etc/sysconfig/oracleasm as oracleasm_conf_t
- Allow oracleasm to rw inherited fixed disk device
- Allow collectd to connect on unix_stream_socket
- Add abrt_dump_oops_t kill user namespace capability. BZ(1376868)
- Dontaudit systemd is mounting unlabeled dirs BZ(1367292)
- Add interface files_dontaudit_mounton_isid()
2016-09-23 10:24:25 +02:00
Petr Lautrbach
c49229e77f Provide rpm macros for packages installing SELinux modules
There's no unified practice how to install SELinux modules from packages
and how to relabel a filesystem after the change. This update provides
several new macros which should help maintainers with the process.

%selinux_relabel_pre [-s <policytype>]
- backups the current file_contexts for later use with fixfiles

%selinux_relabel_post [-s <policytype>]
- relabels a filesystem based on changes in file_contexts using fixfiles

%selinux_modules_install [-s <policytype>] module [module]...
%selinux_modules_uninstall [-s <policytype>] module [module]...
- install and uninstall modules to the priority 200
2016-09-20 09:40:52 +02:00
Lukas Vrabec
fec8280672 * Thu Sep 15 2016 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-214
- Allow attach usb device to virtual machine BZ(1276873)
- Dontaudit mozilla_plugin to sys_ptrace
- Allow nut_upsdrvctl_t domain to read udev db BZ(1375636)
- Fix typo
- Allow geoclue to send msgs to syslog. BZ(1371818)
- Allow abrt to read rpm_tmp_t dirs
- Add interface rpm_read_tmp_files()
- Remove labels for somr docker sandbox files for now. This needs to be reverted after fixes in docker-selinux
- Update oracleasm SELinux module that can manage oracleasmfs_t blk files. Add dac_override cap to oracleasm_t domain.
- Add few rules to pcp SELinux module to make ti able to start pcp_pmlogger service
- Revert "label /var/lib/kubelet as svirt_sandbox_file_t"
- Remove file context for /var/lib/kubelet. This filecontext is part of docker now
- Add oracleasm_conf_t type and allow oracleasm_t to create /dev/oracleasm
- Label /usr/share/pcp/lib/pmie as pmie_exec_t and /usr/share/pcp/lib/pmlogger as pmlogger_exec_t
- Allow mdadm_t to getattr all device nodes
- Dontaudit gkeyringd_domain to connect to system_dbusd_t
- Add interface dbus_dontaudit_stream_connect_system_dbusd()
- Allow guest-set-user-passwd to set users password.
- Allow domains using kerberos to read also kerberos config dirs
- Allow add new interface to new namespace BZ(1375124)
- Allow systemd to relalbel files stored in /run/systemd/inaccessible/
-  Add interface fs_getattr_tmpfs_blk_file()
- Dontaudit domain to create any file in /proc. This is kernel bug.
- Improve regexp for power_unit_file_t files. To catch just systemd power unit files.
- Add new interface fs_getattr_oracleasmfs_fs()
- Add interface fs_manage_oracleasm()
- Label /dev/kfd as hsa_device_t
- Update seutil_manage_file_contexts() interface that caller domain can also manage file_context_t dirs
2016-09-15 17:59:37 +02:00
Petr Lautrbach
be68ccafef Do a factory reset when there's no policy.kern file in a store
With rpm-ostree, /var/ directory doesn't contain any file, just
directories. It means that SELinux policy can't be managed or rebuilt
and users have to use only the default policy.

This update adds /usr/share/selinux/POLICYTYPE/default directory and
selinux-factory-reset service.

/var/lib/selinux/POLICYTYPE/active

selinux-reset-policy
2016-09-15 13:51:31 +02:00
Petr Lautrbach
e3bf3ede6a Do not hardcode targeted in installCmds()
sefcontext_compile can create .bin files even for mls and maybe for minimum
2016-09-15 13:48:51 +02:00
Lukas Vrabec
96a0f667ce Update conflicts with docker-selinux 2016-09-06 17:37:55 +02:00
Lukas Vrabec
f6de2d2a2e * Fri Sep 02 2016 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-213
- Label /var/lib/docker/vfs as svirt_sandbox_file_t in virt SELinux module
- Label /usr/bin/pappet as puppetagent_exec_t
- Allow amanda to create dir in /var/lib/ with amanda_var_lib_t label
- Allow run sulogin_t in range mls_systemlow-mls_systemhigh.
2016-09-02 15:13:18 +02:00
Lukas Vrabec
69374e6e65 * Wed Aug 31 2016 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-212
- udisk2 module is part of devicekit module now
- Fix file context for /etc/pki/pki-tomcat/ca/
- new interface oddjob_mkhomedir_entrypoint()
- Allow mdadm to get attributes from all devices.
- Label /etc/puppetlabs as puppet_etc_t.
- quota: allow init to run quota tools
- Add new domain ipa_ods_exporter_t BZ(1366640)
- Create new interface opendnssec_stream_connect()
- Allow VirtualBox to manage udev rules.
- Allow systemd_resolved to send dbus msgs to userdomains
- Make entrypoint oddjob_mkhomedir_exec_t for unconfined_t
- Label all files in /dev/oracleasmfs/ as oracleasmfs_t
2016-08-31 12:07:56 +02:00
Lukas Vrabec
0c7ae4b314 * Thu Aug 25 2016 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-211
- Add new domain ipa_ods_exporter_t BZ(1366640)
- Create new interface opendnssec_stream_connect()
- Allow systemd-machined to communicate to lxc container using dbus
- Dontaudit accountsd domain creating dirs in /root
- Add new policy for Disk Manager called udisks2
- Dontaudit firewalld wants write to /root
- Label /etc/pki/pki-tomcat/ca/ as pki_tomcat_cert_t
- Allow certmonger to manage all systemd unit files
- Allow ipa_helper_t stream connect to dirsrv_t domain
- Update oracleasm SELinux module
- label /var/lib/kubelet as svirt_sandbox_file_t
- Allow systemd to create blk and chr files with correct label in /var/run/systemd/inaccessible BZ(1367280)
- Label /usr/libexec/gsd-backlight-helper as xserver_exec_t. This allows also confined users to manage screen brightness
- Add new userdom_dontaudit_manage_admin_dir() interface
- Label /dev/oracleasmfs as oracleasmfs_t. Add few interfaces related to oracleasmfs_t type
2016-08-25 14:28:42 +02:00
Lukas Vrabec
ba0eef5c75 * Tue Aug 23 2016 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-210
- Add few interfaces to cloudform.if file
- Label /var/run/corosync-qnetd and /var/run/corosync-qdevice as cluster_var_run_t. Note: corosync policy is now par of rhcs module
- Allow krb5kdc_t to read krb4kdc_conf_t dirs.
- Update networkmanager_filetrans_named_content() interface to allow source domain to create also temad dir in /var/run.
- Make confined users working again
- Fix hypervkvp module
- Allow ipmievd domain to create lock files in /var/lock/subsys/
- Update policy for ipmievd daemon. Contain:    Allowing reading sysfs, passwd,kernel modules   Execuring bin_t,insmod_t
- A new version of cloud-init that supports the effort to provision RHEL Atomic on Microsoft Azure requires some a new rules that allows dhclient/dhclient hooks to call cloud-init.
- Allow systemd to stop systemd-machined daemon. This allows stop virtual machines.
- Label /usr/libexec/iptables/iptables.init as iptables_exec_t Allow iptables creating lock file in /var/lock/subsys/
2016-08-23 12:56:24 +02:00
Lukas Vrabec
6140a0daa8 * Tue Aug 16 2016 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-209
- Fix lsm SELinux module
- Dontaudit firewalld to create dirs in /root/ BZ(1340611)
- Label /run/corosync-qdevice and /run/corosync-qnetd as corosync_var_run_t
- Allow fprintd and cluster domains to cummunicate via dbus BZ(1355774)
- Allow cupsd_config_t domain to read cupsd_var_run_t sock_file. BZ(1361299)
- Add sys_admin capability to sbd domain
- Allow vdagent to comunnicate with systemd-logind via dbus
- Allow lsmd_plugin_t domain to create fixed_disk device.
- Allow opendnssec domain to create and manage own tmp dirs/files
- Allow opendnssec domain to read system state
- Allow systemd_logind stop system init_t
- Add interface init_stop()
- Add interface userdom_dontaudit_create_admin_dir()
- Label /var/run/storaged as lvm_var_run_t.
- Allow unconfineduser to run ipa_helper_t.
2016-08-16 13:47:01 +02:00
Lukas Vrabec
3478003247 * Fri Aug 12 2016 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-208
- Allow cups_config_t domain also mange sock_files. BZ(1361299)
- Add wake_alarm capability to fprintd domain BZ(1362430)
- Allow firewalld_t to relabel net_conf_t files. BZ(1365178)
- Allow nut_upsmon_t domain to chat with logind vie dbus about scheduleing a shutdown when UPS battery is low. BZ(1361802)
- Allow virtual machines to use dri devices. This allows use openCL GPU calculations. BZ(1337333)
- Allow crond and cronjob domains to creating mail_home_rw_t objects in admin_home_t BZ(1366173)
- Dontaudit mock to write to generic certs.
- Add labeling for corosync-qdevice and corosync-qnetd daemons, to run as cluster_t
- Revert "Label corosync-qnetd and corosync-qdevice as corosync_t domain"
- Merge pull request #144 from rhatdan/modemmanager
- Allow modemmanager to write to systemd inhibit pipes
- Label corosync-qnetd and corosync-qdevice as corosync_t domain
- Allow ipa_helper to read network state
- Label oddjob_reqiest as oddjob_exec_t
- Add interface oddjob_run()
- Allow modemmanager chat with systemd_logind via dbus
- Allow NetworkManager chat with puppetagent via dbus
- Allow NetworkManager chat with kdumpctl via dbus
- Allow sbd send msgs to syslog Allow sbd create dgram sockets. Allow sbd to communicate with kernel via dgram socket Allow sbd r/w kernel sysctls.
- Allow ipmievd_t domain to re-create ipmi devices Label /usr/libexec/openipmi-helper as ipmievd_exec_t
- Allow rasdaemon to use tracefs filesystem
- Fix typo bug in dirsrv policy
- Some logrotate scripts run su and then su runs unix_chkpwd. Allow logrotate_t domain to check passwd.
- Add ipc_lock capability to sssd domain. Allow sssd connect to http_cache_t
- Allow dirsrv to read dirsrv_share_t content
- Allow virtlogd_t to append svirt_image_t files.
- Allow hypervkvp domain to read hugetlbfs dir/files.
- Allow mdadm daemon to read nvme_device_t blk files
- Allow systemd_resolved to connect on system bus. BZ(1366334)
- Allow systemd to create netlink_route_socket and communicate with systemd_networkd BZ(1306344)
- Allow systemd-modules-load to load kernel modules in early boot. BZ(1322625)
- label tcp/udp port 853 as dns_port_t. BZ(1365609)
- Merge pull request #145 from rhatdan/init
- systemd is doing a gettattr on blk and chr devices in /run
- Allow selinuxusers and unconfineduser to run oddjob_request
- Allow sshd server to acces to Crypto Express 4 (CEX4) devices.
- Fix typo in device interfaces
- Add interfaces for managing ipmi devices
- Add interfaces to allow mounting/umounting tracefs filesystem
- Add interfaces to allow rw tracefs filesystem
- Merge branch 'rawhide-base' of github.com:fedora-selinux/selinux-policy into rawhide-base
- Merge pull request #138 from rhatdan/userns
- Allow iptables to creating netlink generic sockets.
- Fix filecontext for systemd shared lib.
2016-08-12 15:08:46 +02:00
Lukas Vrabec
0ab5f5b469 * Thu Aug 04 2016 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-207
- Fix filesystem inteface file, we don't have nsfs_fs_t type, just nsfs_t
2016-08-04 11:15:29 +02:00
Lukas Vrabec
4d7576addc * Tue Aug 02 2016 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-206
- collectd: update policy for 5.5
- Allow puppet_t transtition to shorewall_t
- Grant certmonger "chown" capability
- Boinc updates from Russell Coker.
- Allow sshd setcap capability. This is needed due to latest changes in sshd.
- Revert "Allow sshd setcap capability. This is needed due to latest changes in sshd"
- Revert "Fix typo in ssh policy"
- Get attributes of generic ptys, from Russell Coker.
2016-08-02 10:30:29 +02:00
Lukas Vrabec
247a84c954 * Fri Jul 29 2016 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-205
- Dontaudit mock_build_t can list all ptys.
- Allow ftpd_t to mamange userhome data without any boolean.
- Add logrotate permissions for creating netlink selinux sockets.
- Add new MLS attribute to allow relabeling objects higher than system low. This exception is needed for package managers when processing sensitive data.
- Label all VBox libraries stored in /var/lib/VBoxGuestAdditions/lib/ as textrel_shlib_t BZ(1356654)
- Allow systemd gpt generator to run fstools BZ(1353585)
- Label /usr/lib/systemd/libsystemd-shared-231.so as lib_t. BZ(1360716)
- Allow gnome-keyring also manage user_tmp_t sockets.
- Allow systemd to mounton /etc filesystem. BZ(1341753)
2016-07-29 11:33:56 +02:00
Lukas Vrabec
95987e7beb * Tue Jul 26 2016 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-204
- Allow lsmd_plugin_t to exec ldconfig.
- Allow vnstatd domain to read /sys/class/net/ files
- Remove duplicate allow rules in spamassassin SELinux module
- Allow spamc_t and spamd_t domains create .spamassassin file in user homedirs
- Allow ipa_dnskey domain to search cache dirs
- Allow dogtag-ipa-ca-renew-agent-submit labeled as certmonger_t to create /var/log/ipa/renew.log file
- Allow ipa-dnskey read system state.
- Allow sshd setcap capability. This is needed due to latest changes in sshd Resolves: rhbz#1356245
- Add interface to write to nsfs inodes
- Allow init_t domain to read rpm db. This is needed due dnf-upgrade process failing. BZ(1349721)
- Allow systemd_modules_load_t to read /etc/modprobe.d/lockd.conf
- sysadmin should be allowed to use docker.
2016-07-26 17:05:44 +02:00
Lukas Vrabec
5b18dd6042 * Mon Jul 18 2016 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-203
- Allow hypervkvp domain to run restorecon.
- Allow firewalld to manage net_conf_t files
- Remove double graphite-web context declaration
- Fix typo in rhsmcertd SELinux policy
- Allow logrotate read logs inside containers.
- Allow sssd to getattr on fs_t
- Allow opendnssec domain to manage bind chace files
- Allow systemd to get status of systemd-logind daemon
- Label more ndctl devices not just ndctl0
2016-07-18 12:32:16 +02:00
Lukas Vrabec
b8e5c7b726 Fix new version of policy 2016-07-13 08:58:46 +02:00
Lukas Vrabec
449da6b428 * Wed Jul 13 2016 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-202
- Allow systemd_logind_t to start init_t BZ(1355861)
- Add init_start() interface
- Allow sysadm user to run systemd-tmpfiles
- Add interface systemd_tmpfiles_run
2016-07-13 08:55:29 +02:00
Lukas Vrabec
1ad8909907 * Mon Jul 11 2016 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-201
- Allow lttng tools to block suspending
- Allow creation of vpnaas in openstack
- remove rules with compromised_kernel permission
- Allow dnssec-trigger to chat with NetworkManager over DBUS BZ(1350100)
- Allow virtual machines to rw infiniband devices. Resolves: rhbz#1210263
- Update makefile to support snapperd_contexts file
- Remove compromize_kernel permission Remove unused mac_admin permission Add undefined system permission
- Remove duplicate declaration of class service
- Fix typo in access_vectors file
- Merge branch 'rawhide-base-modules-load' into rawhide-base
- Add new policy for systemd-modules-load
- Add systemd access vectors.
- Revert "Revert "Revert "Missed this version of exec_all"""
- Revert "Revert "Missed this version of exec_all""
- Revert "Missed this version of exec_all"
- Revert "Revert "Fix name of capability2 secure_firmware->compromise_kernel"" BZ(1351624) This reverts commit 3e0e7e70de481589440f3f79cccff08d6e62f644.
- Revert "Fix name of capability2 secure_firmware->compromise_kernel" BZ(1351624) This reverts commit 7a0348a2d167a72c8ab8974a1b0fc33407f72c48.
- Revert "Allow xserver to compromise_kernel access"BZ(1351624)
- Revert "Allow anyone who can load a kernel module to compromise_kernel"BZ(1351624)
- Revert "add ptrace_child access to process" (BZ1351624)
- Add user namespace capability object classes.
- Allow udev to manage systemd-hwdb files
- Add interface systemd_hwdb_manage_config()
- Fix paths to infiniband devices. This allows use more then two infiniband interfaces.
- corecmd: Remove fcontext for /etc/sysconfig/libvirtd
- iptables: add fcontext for nftables
2016-07-11 16:49:35 +02:00
Lukas Vrabec
c3183ad46d Add snapperd_contexts to rpm filelist 2016-07-11 16:30:00 +02:00
Lukas Vrabec
6c34b389e2 * Tue Jul 05 2016 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-200
- Fix typo in brltty policy
- Add new SELinux module sbd
- Allow pcp dmcache metrics collection
- Allow pkcs_slotd_t to create dir in /var/lock Add label pkcs_slotd_log_t
- Allow openvpn to create sock files labeled as openvpn_var_run_t
- Allow hypervkvp daemon to getattr on  all filesystem types.
- Allow firewalld to create net_conf_t files
- Allow mock to use lvm
- Allow mirromanager creating log files in /tmp
- Allow vmtools_t to transition to rpm_script domain
- Allow nsd daemon to manage nsd_conf_t dirs and files
- Allow cluster to create dirs in /var/run labeled as cluster_var_run_t
- Allow sssd read also sssd_conf_t dirs
- Allow opensm daemon to rw infiniband_mgmt_device_t
- Allow krb5kdc_t to communicate with sssd
- Allow prosody to bind on prosody ports
- Add dac_override caps for fail2ban-client Resolves: rhbz#1316678
- dontaudit read access for svirt_t on the file /var/db/nscd/group Resolves: rhbz#1301637
- Allow inetd child process to communicate via dbus with systemd-logind Resolves: rhbz#1333726
- Add label for brltty log file Resolves: rhbz#1328818
- Allow snort_t to communicate with sssd Resolves: rhbz#1284908
- Add interface lttng_sessiond_tmpfs_t()
- Dontaudit su_role_template interface to getattr /proc/kcore Dontaudit su_role_template interface to getattr /dev/initctl
- Add interface lvm_getattr_exec_files()
- Make label for new infiniband_mgmt deivices
- Add prosody ports Resolves: rhbz#1304664
2016-07-05 17:05:30 +02:00
Lukas Vrabec
962020bfff * Tue Jun 28 2016 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-199
- Label /var/lib/softhsm as named_cache_t. Allow named_t to manage named_cache_t dirs.
- Allow glusterd daemon to get systemd status
- Merge branch 'rawhide-contrib' of github.com:fedora-selinux/selinux-policy into rawhide-contrib
- Merge pull request #135 from rhatdan/rawip_socket
- Allow logrotate dbus-chat with system_logind daemon
- Allow pcp_pmlogger to read kernel network state Allow pcp_pmcd to read cron pid files
- Add interface cron_read_pid_files()
- Allow pcp_pmlogger to create unix dgram sockets
- Add interface dirsrv_run()
- Remove non-existing jabberd_spool_t() interface and add new jabbertd_var_spool_t.
- Remove non-existing interface salk_resetd_systemctl() and replace it with sanlock_systemctl_sanlk_resetd()
- Create label for openhpid log files.
- Container processes need to be able to listen on rawip sockets
- Label /var/lib/ganglia as httpd_var_lib_t
- Allow firewalld_t to create entries in net_conf_t dirs.
- Allow journalctl to read syslogd_var_run_t files. This allows to staff_t and sysadm_t to read journals
- Label /etc/dhcp/scripts dir as bin_t
- Allow sysadm_role to run journalctl_t domain. This allows sysadm user to read journals.
2016-06-28 10:34:53 +02:00
Lukas Vrabec
8037d64672 * Wed Jun 22 2016 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-198
- Allow firewalld_t to create entries in net_conf_t dirs.
- Allow journalctl to read syslogd_var_run_t files. This allows to staff_t and sysadm_t to read journals
- Allow rhsmcertd connect to port tcp 9090
- Label for /bin/mail(x) was removed but /usr/bin/mail(x) not. This path is also needed to remove.
- Label /usr/libexec/mimedefang-wrapper as spamd_exec_t.
- Add new boolean spamd_update_can_network.
- Add proper label for /var/log/proftpd.log
- Allow rhsmcertd connect to tcp netport_port_t
- Fix SELinux context for /usr/share/mirrormanager/server/mirrormanager to Label all binaries under dir as mirrormanager_exec_t.
- Allow prosody to bind to fac_restore tcp port.
- Fix SELinux context for usr/share/mirrormanager/server/mirrormanager
- Allow ninfod to read raw packets
- Fix broken hostapd policy
- Allow hostapd to create netlink_generic sockets. BZ(1343683)
- Merge pull request #133 from vinzent/allow_puppet_transition_to_shorewall
- Allow pegasus get attributes from qemu binary files.
- Allow tuned to use policykit. This change is required by cockpit.
- Allow conman_t to read dir with conman_unconfined_script_t binary files.
- Allow pegasus to read /proc/sysinfo.
- Allow puppet_t transtition to shorewall_t
- Allow conman to kill conman_unconfined_script.
- Allow sysadm_role to run journalctl_t domain. This allows sysadm user to read journals.
- Merge remote-tracking branch 'refs/remotes/origin/rawhide-base' into rawhide-base
- Allow systemd to execute all init daemon executables.
- Add init_exec_notrans_direct_init_entry() interface.
- Label tcp ports:16379, 26379 as redis_port_t
- Allow systemd to relabel /var and /var/lib directories during boot.
- Add files_relabel_var_dirs() and files_relabel_var_dirs() interfaces.
- Add files_relabelto_var_lib_dirs() interface.
- Label tcp and udp port 5582 as fac_restore_port_t
- Allow sysadm_t user to run postgresql-setup.
- Allow sysadm_t user to dbus chat with oddjob_t. This allows confined admin run oddjob mkhomedirfor script.
- Allow systemd-resolved to connect to llmnr tcp port. BZ(1344849)
- Allow passwd_t also manage user_tmp_t dirs, this change is needed by gnome-keyringd
2016-06-22 16:29:20 +02:00
Lukas Vrabec
a24ea5d79b Fix typo in changelog 2016-06-16 13:46:16 +02:00
Lukas Vrabec
4a34c4fbf0 * Thu Jun 16 2016 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-197
- Allow conman to kill conman_unconfined_script.
- Make conman_unconfined_script_t as init_system_domain.
- Allow init dbus chat with apmd.
- Patch /var/lib/rpm is symlink to /usr/share/rpm on Atomic, due to this change we need to label also /usr/share/rpm as rpm_var_lib_t.
- Dontaudit xguest_gkeyringd_t stream connect to system_dbusd_t
- Allow collectd_t to stream connect to postgresql.
- Allow mysqld_safe to inherit rlimit information from mysqld
- Allow ip netns to mounton root fs and unmount proc_t fs.
- Allow sysadm_t to run newaliases command.
2016-06-16 13:44:49 +02:00
Lukas Vrabec
be9b0d1f26 * Mon Jun 13 2016 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-196
- Allow svirt_sandbox_domains to r/w onload sockets
- Add filetrans rule that NetworkManager_t can create net_conf_t files in /etc.
- Add interface sysnet_filetrans_named_net_conf()
- Rawhide fails to boot, systemd-logind needs to config transient config files
- User Namespace is requires create on process domains
2016-06-13 16:38:21 +02:00
Lukas Vrabec
04ed479779 * Thu Jun 08 2016 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-195
- Add hwloc-dump-hwdata SELinux policy
- Add labels for mediawiki123
- Fix label for all fence_scsi_check scripts
- Allow setcap for fenced
- Allow glusterd domain read krb5_keytab_t files.
- Allow tmpreaper_t to read/setattr all non_security_file_type dirs
- Update refpolicy to handle hwloc
- Fix typo in files_setattr_non_security_dirs.
- Add interface files_setattr_non_security_dirs()
2016-06-09 16:45:01 +02:00
Lukas Vrabec
c2ab480fb0 * Tue Jun 07 2016 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-194
- Allow boinc to use dri devices. This allows use Boinc for a openCL GPU calculations. BZ(1340886)
- Add nrpe_dontaudit_write_pipes()
- Merge pull request #129 from rhatdan/onload
- Add support for onloadfs
- Merge pull request #127 from rhatdan/device-node
- Additional access required for unconfined domains
- Dontaudit ping attempts to write to nrpe unnamed pipes
- Allow ifconfig_t to mounton also ifconfig_var_run_t dirs, not just files. Needed for: #ip netns add foo BZ(1340952)
2016-06-07 15:57:53 +02:00
Lukas Vrabec
2506c08574 * Mon May 30 2016 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-193
- Directory Server (389-ds-base) has been updated to use systemd-ask-password. In order to function correctly we need the following added to dirsrv.te
- Update opendnssec_manage_config() interface to allow caller domain also manage opendnssec_conf_t dirs
- Allow gssproxy to get attributes on all filesystem object types. BZ(1333778)
- Allow ipa_dnskey_t search httpd config files.
- Dontaudit certmonger to write to etc_runtime_t
- Update opendnssec_read_conf() interface to allow caller domain also read opendnssec_conf_t dirs.
- Add interface ipa_delete_tmp()
- Allow systemd_hostanmed_t to read /proc/sysinfo labeled as sysctl_t.
- Allow systemd to remove ipa temp files during uinstalling ipa. BZ(1333106)
2016-05-30 22:14:40 +02:00
Lukas Vrabec
3289d158c4 * Wed May 25 2016 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-192
- Create new SELinux type for /usr/libexec/ipa/ipa-dnskeysyncd BZ(1333106)
- Add SELinux policy for opendnssec service. BZ(1333106)
2016-05-25 12:46:10 +02:00
Lukas Vrabec
4c0ceef239 * Tue May 24 2016 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-191
- Label /usr/share/ovirt-guest-agent/ovirt-guest-agent.py as rhev_agentd_exec_t
- Allow dnssec_trigger_t to create lnk_file labeled as dnssec_trigger_var_run_t. BZ(1335954)
- Allow ganesha-ha.sh script running under unconfined_t domain communicate with glusterd_t domains via dbus.
- Allow ganesha daemon labeled as glusterd_t create /var/lib/nfs/ganesha dir labeled as var_lib_nfs_t.
- Merge pull request #122 from NetworkManager/th/nm-dnsmasq-dbus
- Merge pull request #125 from rhatdan/typebounds
- Typebounds user domains
- Allow systemd_resolved_t to check if ipv6 is disabled.
- systemd added a new directory for unit files /run/systemd/transient. It should be labelled system_u:object_r:systemd_unit_file_t:s0, the same as /run/systemd/system, PID 1 will write units there. Resolves: #120
- Label /dev/xen/privcmd as xen_device_t. BZ(1334115)
2016-05-24 15:22:09 +02:00
Lukas Vrabec
5e78b00393 * Mon May 16 2016 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-190
- Label /var/log/ganesha.log as gluster_log_t Allow glusterd_t domain to create glusterd_log_t files. Label /var/run/ganesha.pid as gluster_var_run_t.
- Allow zabbix to connect to postgresql port
- Label /usr/libexec/openssh/sshd-keygen as sshd_keygen_exec_t. BZ(1335149)
- Allow systemd to read efivarfs. Resolve: #121
2016-05-16 17:29:54 +02:00
Lukas Vrabec
a2f43d9c50 * Tue May 10 2016 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-189
- Revert temporary fix: Replace generating man/html pages with pages from actual build. This is due to broken userspace with python3 in F23/Rawhide. Please Revert when userspace will be fixed
2016-05-10 13:14:52 +02:00
Lukas Vrabec
d395cb970d Revert "Replace generating man/html pages with pages from actual build. This is due to broken userspace with python3 in F23/Rawhide. Please Revert when userspace will be fixed."
This reverts commit ae80a5c1a5.
2016-05-10 12:57:45 +02:00
Lukas Vrabec
504f8fd0b8 Revert "Fix for Replace generating man/html pages with pages from actual build. This is due to broken userspace with python3 in F23/Rawhide. Please Revert when userspace will be fixed."
This reverts commit ceff8ba54e.
2016-05-10 12:56:53 +02:00
Lukas Vrabec
fc75a66eaf Revert "Revert "Replace generating man/html pages with pages from actual build. This is due to broken userspace with python3 in F23/Rawhide. Please Revert when userspace will be fixed.""
This reverts commit ada2305b09.
2016-05-10 12:56:41 +02:00
Lukas Vrabec
627ba30be7 Revert "Revert "Fix for Replace generating man/html pages with pages from actual build. This is due to broken userspace with python3 in F23/Rawhide. Please Revert when userspace will be fixed.""
This reverts commit b62b4ef3bf.
2016-05-10 12:56:06 +02:00
Lukas Vrabec
b62b4ef3bf Revert "Fix for Replace generating man/html pages with pages from actual build. This is due to broken userspace with python3 in F23/Rawhide. Please Revert when userspace will be fixed."
This reverts commit ceff8ba54e.
2016-05-10 11:53:39 +02:00
Lukas Vrabec
ada2305b09 Revert "Replace generating man/html pages with pages from actual build. This is due to broken userspace with python3 in F23/Rawhide. Please Revert when userspace will be fixed."
This reverts commit ae80a5c1a5.
2016-05-10 10:41:49 +02:00
Lukas Vrabec
70515f6ee4 * Mon May 09 2016 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-188
- Label tcp port 8181 as intermapper_port_t.
- Label /usr/libexec/storaged/storaged as lvm_exec_t to run storaged daemon in lvm_t SELinux domain. BZ(1333588)
- Label tcp/udp port 2024 as xinuexpansion4_port_t
- Label tcp port 7002 as afs_pt_port_t Label tcp/udp port 2023 as xinuexpansion3_port_t
2016-05-09 22:16:02 +02:00
Lukas Vrabec
7ff0b8badf * Thu May 05 2016 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-187
- Allow stunnel create log files. BZ(1333033)
- Label dev/shm/squid-cf__metadata.shm as squid_tmpfs_t. BZ(1331574)
- Allow stunnel sys_nice capability. Stunnel sched_* syscalls in some cases. BZ(1332287)
- Label /usr/bin/ganesha.nfsd as glusterd_exec_t to run ganesha as glusterd_t. Allow glusterd_t stream connect to rpbind_t. Allow cluster_t to create symlink /var/lib/nfs labeled as var_lib_nfs_t. Add interface rpc_filetrans_var_lib_nfs_content() Add new boolean: rpcd_use_fusefs to allow rpcd daemon use fusefs.
- Allow systemd-user-sessions daemon to mamange systemd_logind_var_run_t pid files. BZ(1331980)
- Modify kernel_steam_connect() interface by adding getattr permission. BZ(1331927)
- Label /usr/sbin/xrdp* files as bin_t BZ(1258453)
- Allow rpm-ostree domain transition to install_t domain from init_t. rhbz#1330318
2016-05-05 10:27:13 +02:00
Lukas Vrabec
7a1df1e370 * Fri Apr 29 2016 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-186
- Allow snapperd sys_admin capability Allow snapperd to set scheduler. BZ(1323732)
- Label named-pkcs11 binary as named_exec_t. BZ(1331316)
- Revert "Add new permissions stop/start to class system. rhbz#1324453"
- Fix typo in module compilation message
2016-04-29 16:08:26 +02:00
Lukas Vrabec
02b9e47960 * Wed Apr 27 2016 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-185
- Allow runnig php7 in fpm mode. From selinux-policy side, we need to allow httpd to read/write hugetlbfs.
- Allow openvswitch daemons to run under openvswitch Linux user instead of root. This change needs allow set capabilities: chwon, setgid, setuid, setpcap. BZ(1330895)
- Allow KDM to get status about power services. This change allow kdm to be able do shutdown BZ(1330970)
- Add mls support for some db classes
2016-04-27 14:27:01 +02:00
Lukas Vrabec
34332645c9 * Tue Apr 26 2016 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-184
- Remove ftpd_home_dir() boolean from distro policy. Reason is that we cannot make this working due to m4 macro language limits.
- Create new apache content template for files stored in user homedir. This change is needed to make working booleans: - httpd_enable_homedirs - httpd_read_user_content Resolves: rhbz#1330448
- Label /usr/lib/snapper/systemd-helper as snapperd_exec_t. rhbz#1323732
- Make virt_use_pcscd boolean off by default.
- Create boolean to allow virtual machine use smartcards. rhbz#1029297
- Allow snapperd to relabel btrfs snapshot subvolume to snapperd_data_t. rhbz#1323754
- Allow mongod log to syslog.
- Allow nsd daemon to create log file in /var/log as nsd_log_t
- unlabeled_t can not be an entrypoint.
- Modify interface den_read_nvme() to allow also read nvme_device_t block files. rhbz#1327909
- Add new permissions stop/start to class system. rhbz#1324453
2016-04-26 15:03:41 +02:00
Lukas Vrabec
64f8164852 * Mon Apr 18 2016 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-183
- Allow modemmanager to talk to logind
- Dontaudit tor daemon needs net_admin capability. rhbz#1311788
- Allow GDM write to event devices. This rule is needed for GDM, because other display managers runs the X server as root, GDM instead runs the X server as the unprivileged user, within the user session. rhbz#1232042
- Xorg now writes content in users homedir.
2016-04-18 13:42:21 +02:00
Lukas Vrabec
4c61782def * Fri Apr 08 2016 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-182
- rename several contrib modules according to their filenames
- Add interface gnome_filetrans_cert_home_content()
- By default container domains should not be allowed to create devices
- Allow unconfined_t to create ~/.local/share/networkmanagement/certificates/ as home_cert_t instead of data_home_t.
- Allow systemd_resolved_t to read /etc/passwd file. Allow systemd_resolved_t to write to kmsg_device_t when 'systemd.log_target=kmsg' option is used
- Allow systemd gpt generator to read removable devices. BZ(1323458)
- Allow systemd_gpt_generator_t sys_rawio capability. This access is needed to allow systemd gpt generator various device commands  BZ(1323454)
2016-04-08 14:11:58 +02:00
Lukas Vrabec
c1300100ed * Fri Apr 01 2016 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-181
- Label /usr/libexec/rpm-ostreed as rpm_exec_t. BZ(1309075)
- /bin/mailx is labeled sendmail_exec_t, and enters the sendmail_t domain on execution.  If /usr/sbin/sendmail does not have its own domain to transition to, and is not one of several products whose behavior is allowed by the sendmail_t policy, execution will fail. In this case we need to label /bin/mailx as bin_t. BZ(1323224)
- Label all run tgtd files, not just socket files.
- Allow prosody to stream connect to sasl. This will allow using cyrus authentication in prosody.
- Allow prosody to listen on port 5000 for mod_proxy65. BZ(1322815)
- Allow targetd to read/write to /dev/mapper/control device. BZ(1241415)
- Label /etc/selinux/(minimum|mls|targeted)/active/ as semanage_store_t.
- Allow systemd_resolved to read systemd_networkd run files. BZ(1322921)
- New cgroup2 file system in Rawhide
2016-04-01 18:15:00 +02:00
Lukas Vrabec
fac3fc97fa * Wed Mar 30 2016 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-180
- Allow dovecot_auth_t domain to manage also dovecot_var_run_t fifo files. BZ(1320415)
- Allow colord to read /etc/udev/hwdb.bin. rhzb#1316514
- sandboxX.te: Allow sandbox domain to have entrypoint access only for executables and mountpoints.
- Allow sandbox domain to have entrypoint access only for executables and mountpoints.
- Allow bitlee to create bitlee_var_t dirs.
- Allow CIM provider to read sssd public files.
- Fix some broken interfaces in distro policy.
- Allow power button to shutdown the laptop.
- Allow lsm plugins to create named fixed disks. rhbz#1238066
- Allow hyperv domains to rw hyperv devices. rhbz#1241636
- Label /var/www/html(/.*)?/wp_backups(/.*)? as httpd_sys_rw_content_t.
- Create conman_unconfined_script_t type for conman script stored in /use/share/conman/exec/
- Allow rsync_export_all_ro boolean to read also non_auth_dirs/files/symlinks.
- Allow pmdaapache labeled as pcp_pmcd_t access to port 80 for apache diagnostics
- Label nagios scripts as httpd_sys_script_exec_t.
- Allow nsd_t to bind on nsf_control tcp port. Allow nsd_crond_t to read nsd pid.
- Fix couple of cosmetic thing in new virtlogd_t policy. rhbz #1311576
- Merge pull request #104 from berrange/rawhide-contrib-virtlogd
- Label /var/run/ecblp0 as cupsd_var_run_t due to this fifo_file is used by epson drivers. rhbz#1310336
- Dontaudit logrotate to setrlimit itself. rhbz#1309604
- Add filename transition that /etc/princap will be created with cupsd_rw_etc_t label in cups_filetrans_named_content() interface.
- Allow pcp_pmie and pcp_pmlogger to read all domains state.
- Allow systemd-gpt-generator to create and manage systemd gpt generator unit files. BZ(1319446)
- Merge pull request #115 from rhatdan/nvidea
- Label all nvidia binaries as xserver_exec_t
- Add new systemd_hwdb_read_config() interface. rhbz#1316514
- Add back corecmd_read_all_executables() interface.
- Call files_type() instead of file_type() for unlabeled_t.
- Add files_entrypoint_all_mountpoint() interface.
- Make unlabeled only as a file_type type. It is a type for fallback if there is an issue with labeling.
- Add corecmd_entrypoint_all_executables() interface.
- Create hyperv* devices and create rw interfaces for this devices. rhbz#1309361
- Add neverallow assertion for unlabaled_t to increase policy security.
- Allow systemd-rfkill to create /var/lib/systemd/rfkill dir. rhbz#1319499
- Label 8952 tcp port as nsd_control.
- Allow to log out to gdm after screen was resized in session via vdagent. Resolves: rhbz#1249020
2016-03-30 12:56:26 +02:00
Lukas Vrabec
610d03d3bf Fix spec file by adding also 'Requires' where it is need not just only 'Requires(pre)'. rhbz#1319119 2016-03-22 11:58:58 +01:00
Lukas Vrabec
2f93136bc2 There's no need to repeat files for all subsets again and again when
there's %fileList macro available.
2016-03-16 23:25:45 +01:00
Lukas Vrabec
3f0021e9f3 * Wed Mar 16 2016 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-179
- Add filename transition that /etc/princap will be created with cupsd_rw_etc_t label in cups_filetrans_named_content() interface.
- Revert "Add filename transition that /etc/princap will be created with cupsd_rw_etc_t label in cups_filetrans_named_content."
- Add filename transition that /etc/princap will be created with cupsd_rw_etc_t label in cups_filetrans_named_content.
- Allow pcp_pmie and pcp_pmlogger to read all domains state.
- Make fwupd domain unconfined. We need to discuss solution related to using gpg. rhbz#1316717
- Merge pull request #108 from rhatdan/rkt
- Merge pull request #109 from rhatdan/virt_sandbox
- Add new interface to define virt_sandbox_network domains
- Label /etc/redis-sentinel.conf as redis_conf_t. Allow redis_t write to redis_conf_t. Allow redis_t to connect on redis tcp port.
- Fix typo in drbd policy
- Remove declaration of empty booleans in virt policy.
- Add new drbd file type: drbd_var_run_t. Allow drbd_t to manage drbd_var_run_t files/dirs.
- Label /etc/ctdb/events.d/* as ctdb_exec_t. Allow ctdbd_t to setattr on ctdbd_exec_t files.
- Additional rules to make rkt work in enforcing mode
- Allow to log out to gdm after screen was resized in session via vdagent. Resolves: rhbz#1249020
- Allow ipsec to use pam. rhbz#1317988
- Allow systemd-gpt-generator to read fixed_disk_device_t. rhbz#1314968
- Allow setrans daemon to read /proc/meminfo.
- Merge pull request #107 from rhatdan/rkt-base
- Allow systemd_notify_t to write to kmsg_device_t when 'systemd.log_target=kmsg' option is used.
- Remove bin_t label for /etc/ctdb/events.d/. We need to label this scripts as ctdb_exec_t.
2016-03-16 13:59:24 +01:00
Lukas Vrabec
cdb2ae4578 * Thu Mar 10 2016 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-178
- Label tcp port 5355 as llmnr-> Link-Local Multicast Name Resolution
- Add support systemd-resolved.
2016-03-10 12:50:06 +01:00
Lukas Vrabec
d14d3706d7 * Tue Mar 08 2016 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-177
- Allow spice-vdagent to getattr on tmpfs_t filesystems Resolves: rhbz#1276251
- Allow sending dbus msgs between firewalld and system_cronjob domains.
- Allow zabbix-agentd to connect to following tcp sockets. One of zabbix-agentd functions is get service status of ftp,http,innd,pop,smtp protocols. rhbz#1315354
- Allow snapperd mounton permissions for snapperd_data_t. BZ(#1314972)
- Add support for systemd-gpt-auto-generator. rhbz#1314968
- Add interface dev_read_nvme() to allow reading Non-Volatile Memory Host Controller devices.
- Add support for systemd-hwdb daemon. rhbz#1306243
2016-03-08 16:08:03 +01:00
Lukas Vrabec
9fc76d9ab8 * Thu Mar 03 2016 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-176
- Add new boolean tmpreaper_use_cifs() to allow tmpreaper to run on local directories being shared with Samba.
- Merge pull request #105 from rhatdan/NO_NEW_PRIV
- Fix new rkt policy
- Remove some redundant rules.
- Fix cosmetic issues in interface file.
- Merge pull request #100 from rhatdan/rawhide-contrib
- Add interface fs_setattr_cifs_dirs().
- Merge pull request #106 from rhatdan/NO_NEW_PRIV_BASE
- Fixed to make SELinux work with docker and prctl(NO_NEW_PRIVS)
-Build file_contexts.bin file_context.local.bin file_context.homedir.bin during build phase.
 This fix issue in Fedora live images when selinux-policy-targeted is not installed but just unpackaged, since there's no .bin files,
 file_contexts is parsed in selabel_open().
Resolves: rhbz#1314372
2016-03-03 16:00:03 +01:00
Lukas Vrabec
dd88f3a1a7 Build file_contexts.bin file_context.local.bin file_context.homedir.bin during build phase. This fix issue in Fedora live images when selinux-policy-targeted is not installed but just unpackaged, since there's no .bin files, file_contexts is parsed in selabel_open(). Resolves: rhbz#1314372 2016-03-03 15:57:30 +01:00
Lukas Vrabec
a99d75d418 This change was originally introduced to fix contexts of files in
~/.config when there were no filename transition rules in SELinux
policy. These lines could be  removed. rhbz#1313464
2016-03-01 17:22:44 +01:00
Lukas Vrabec
ca25751cfd * Fri Feb 26 2016 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-175
- Fix new rkt policy (Remove some redundant rules, Fix cosmetic issues in interface file)
- Add policy for rkt services
2016-02-26 17:44:00 +01:00
Lukas Vrabec
e98b0994a7 * Fri Feb 26 2016 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-174
- Revert "Allow systemd-logind to create .#nologinXXXXXX labeled as systemd_logind_var_run_t in /var/run/systemd/ rhbz#1285019"
- Allow systemd-logind to create .#nologinXXXXXX labeled as systemd_logind_var_run_t in /var/run/ rhbz#1285019
2016-02-26 14:55:26 +01:00
Lukas Vrabec
7ac3a50aaf * Fri Feb 26 2016 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-173
- Allow amanda to manipulate the tape changer to load the necessary tapes. rhbz#1311759
- Allow keepalived to create netlink generic sockets. rhbz#1311756
- Allow modemmanager to read /etc/passwd file.
- Label all files named /var/run/.*nologin.* as systemd_logind_var_run_t.
- Add filename transition to interface systemd_filetrans_named_content() that domain will create rfkill dir labeled as systemd_rfkill_var_lib_t instead of init_var_lib_t. rhbz #1290255
- Allow systemd-logind to create .#nologinXXXXXX labeled as systemd_logind_var_run_t in /var/run/systemd/ rhbz#1285019
- Allow systemd_networkd_t to write kmsg, when kernel was started with following params: systemd.debug systemd.log_level=debug systemd.log_target=kmsg rhbz#1311444
- Allow ipsec to read home certs, when connecting to VPN. rhbz#1301319
2016-02-26 13:34:18 +01:00
Lukas Vrabec
352a55a547 * Thu Feb 25 2016 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-172
- Fix macro name from snmp_manage_snmp_var_lib_files to snmp_manage_var_lib_files in cupsd policy.
- Allow hplip driver to write to its MIB index files stored in the /var/lib/net-snmp/mib_indexes. Resolves: rhbz#1291033
- Allow collectd setgid capability Resolves:#1310896
- Allow adcli running as sssd_t to write krb5.keytab file.
- Allow abrt-hook-ccpp to getattr on all executables. BZ(1284304)
- Allow kexec to read kernel module files in /usr/lib/modules.
- Add httpd_log_t for /var/log/graphite-web rhbz#1306981
- Remove redudant rules and fix _admin interface.
- Add SELinux policy for LTTng 2.x central tracing registry session daemon.
- Allow create mongodb unix dgram sockets. rhbz#1306819
- Support for InnoDB Tablespace Encryption.
- Dontaudit leaded file descriptors from firewalld
- Add port for rkt services
- Add support for the default lttng-sessiond port - tcp/5345.  This port is used by LTTng 2.x central tracing registry session daemon.
2016-02-25 13:20:35 +01:00
Lukas Vrabec
5d7b1f6d2e Fixes related to new SELinux userspace Add new files from userspace: /var/lib/selinux/targeted|mls|minimum/active/seusers /var/lib/selinux/targeted|mls|minimum/active/file_contexts /var/lib/selinux/targeted|mls|minimum/active/policy.kern 2016-02-25 12:02:25 +01:00
Lukas Vrabec
d6823d337b * Thu Feb 11 2016 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-171
- Allow setroubleshoot_fixit_t to use temporary files
2016-02-11 14:22:13 +01:00
Lukas Vrabec
ead49a5633 * Wed Feb 10 2016 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-170
- Allow abrt_dump_oops_t to getattr filesystem nsfs files. rhbz#1300334
- Allow ulogd_t to create netlink_netfilter sockets. rhbz#1305426
- Create new type fwupd_cert_t Label /etc/pki/(fwupd|fwupd-metadata) dirs as fwupd_cert_t Allow fwupd_t domain to read fwupd_cert_t files|lnk_files rhbz#1303533
- Add interface to dontaudit leaked files from firewalld
- fwupd needs to dbus chat with policykit
- Allow fwupd domain transition to gpg domain. Fwupd signing firmware updates by gpg. rhbz#1303531
- Allow abrt_dump_oops_t to check permissions for a /usr/bin/Xorg. rhbz#1284967
- Allow prelink_cron_system_t domain set resource limits. BZ(1190364)
- Allow pppd_t domain to create sockfiles in /var/run labeled as pppd_var_run_t label. BZ(1302666)
- Fix wrong name for openqa_websockets tcp port.
- Allow run sshd-keygen on second boot if first boot fails after some reason and content is not syncedon the disk. These changes are reflecting this commit in sshd. http://pkgs.fedoraproject.org/cgit/rpms/openssh.git/commit/?id=af94f46861844cbd6ba4162115039bebcc8f78ba rhbz#1299106
- Add interface ssh_getattr_server_keys() interface. rhbz#1299106
- Added Label openqa for tcp port (9526) Added Label openqa-websockets for tcp port (9527) rhbz#1277312
- Add interface fs_getattr_nsfs_files()
- Add interface xserver_exec().
- Revert "Allow all domains some process flags."BZ(1190364)
2016-02-10 13:11:01 +01:00
Lukas Vrabec
edb36e0557 * Wed Feb 03 2016 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-169
- Allow openvswitch domain capability sys_rawio.
- Revert "Allow NetworkManager create dhcpc pid files. BZ(1229755)"
- Allow openvswitch to manage hugetlfs files and dirs.
- Allow NetworkManager create dhcpc pid files. BZ(1229755)
- Allow apcupsd to read kernel network state. BZ(1282003)
- Label /sys/kernel/debug/tracing filesystem
- Add fs_manage_hugetlbfs_files() interface.
- Add sysnet_filetrans_dhcpc_pid() interface.
2016-02-03 10:57:06 +01:00
Lukas Vrabec
4c488a69fa * Wed Jan 20 2016 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-168
- Label virtlogd binary as virtd_exec_t. BZ(1291940)
- Allow iptables to read nsfs files. BZ(1296826)
2016-01-20 15:56:50 +01:00
Lukas Vrabec
6d3ee17c0b * Mon Jan 18 2016 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-167
- Add fwupd policy for daemon to allow session software to update device firmware
- Label /usr/libexec/ipa/oddjob/org.freeipa.server.conncheck as ipa_helper_exec_t. BZ(1289930)
- Allow systemd services to use PrivateNetwork feature
- Add a type and genfscon for nsfs.
- Fix SELinux context for rsyslog unit file. BZ(1284173)
2016-01-18 17:03:17 +01:00
Lukas Vrabec
5d165e36c4 * Wed Jan 13 2016 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-166
- Allow logrotate to systemctl rsyslog service. BZ(1284173)
- Allow condor_master_t domain capability chown. BZ(1297048)
- Allow chronyd to be dbus bus client. BZ(1297129)
- Allow openvswitch read/write hugetlb filesystem.
- Revert "Allow openvswitch read/write hugetlb filesystem."
- Allow smbcontrol domain to send sigchld to ctdbd domain.
- Allow openvswitch read/write hugetlb filesystem.
- Merge branch 'rawhide-contrib' of github.com:fedora-selinux/selinux-policy into rawhide-contrib
- Label /var/log/ipareplica-conncheck.log file as ipa_log_t Allow ipa_helper_t domain to manage logs labeledas ipa_log_t Allow ipa_helper_t to connect on http and kerberos_passwd ports. BZ(1289930)
- Allow keepalived to connect to 3306/tcp port - mysqld_port_t.
- Merge remote-tracking branch 'refs/remotes/origin/rawhide-contrib' into rawhide-contrib
- Merge remote-tracking branch 'refs/remotes/origin/rawhide-contrib' into rawhide-contrib
- Merge pull request #86 from rhatdan/rawhide-contrib
- Label some new nsd binaries as nsd_exec_t Allow nsd domain net_admin cap. Create label nsd_tmp_t for nsd tmp files/dirs BZ (1293146)
- Added interface logging_systemctl_syslogd
- Label rsyslog unit file
- Added policy for systemd-coredump service. Added domain transition from kernel_t to systemd_coredump_t. Allow syslogd_t domain to read/write tmpfs systemd-coredump files. Make new domain uconfined for now.
2016-01-13 16:26:02 +01:00
Lukas Vrabec
936bb7a648 * Wed Jan 06 2016 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-165
- Allow sddm-helper running as xdm_t to create .wayland-errors with correct labeling. BZ(#1291085)
- Revert "Allow arping running as netutils_t sys_module capability for removing tap devices."
- Allow arping running as netutils_t sys_module capability for removing tap devices.
- Add userdom_connectto_stream() interface.
- Allow systemd-logind to read /run/utmp. BZ(#1278662)
- Allow sddm-helper running as xdm_t to create .wayland-errors with correct labeling. BZ(#1291085)
- Revert "Allow arping running as netutils_t sys_module capability for removing tap devices."
- Allow arping running as netutils_t sys_module capability for removing tap devices.
- Add userdom_connectto_stream() interface.
- Allow systemd-logind to read /run/utmp. BZ(#1278662)
2016-01-06 12:19:09 +01:00
Lukas Vrabec
f1750fb373 * Tue Dec 15 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-164
- Allow firewalld to create firewalld_var_run_t directory. BZ(1291243)
- Add interface firewalld_read_pid_files()
- Allow iptables to read firewalld pid files. BZ(1291243)
- Allow the user cronjobs to run in their userdomain
- Label ssdm binaries storedin /etc/sddm/ as bin_t. BZ(1288111)
- Merge pull request #81 from rhatdan/rawhide-base
- New access needed by systemd domains
2015-12-15 18:23:46 +01:00
Lukas Vrabec
ad3add7345 Add missing noreplace flag to file: %{_sysconfdir}/selinux/%1/contexts/files/file_contexts.local
This should keep local modification of policy after update/downgrade
selinux-policy package.

Thanks plautrba@redhat.com
2015-12-15 16:09:20 +01:00
Lukas Vrabec
5c898c0814 * Wed Dec 09 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-163
- Allow whack executed by sysadm SELinux user to access /var/run/pluto/pluto.ctl. It fixes "ipsec auto --status" executed by sysadm_t.
- Add ipsec_read_pid() interface
2015-12-09 14:42:39 +01:00
Miroslav Grepl
2b449e6e35 - Label /usr/sbin/lvmlockd binary file as lvm_exec_t. BZ(1287739)
- Adding support for dbus communication between systemd-networkd and systemd-hostnamed. BZ(1279182)
- Update init policy to have userdom_noatsecure_login_userdomain() and userdom_sigchld_login_userdomain() called for init_t.
- init_t domain should be running without unconfined_domain attribute.
- Add a new SELinux policy for /usr/lib/systemd/systemd-rfkill.
- Update userdom_transition_login_userdomain() to have "sigchld" and "noatsecure" permissions.
- systemd needs to access /dev/rfkill on early boot.
- Allow dspam to read /etc/passwd
2015-12-07 09:19:29 +01:00
Lukas Vrabec
71a663b812 * Mon Nov 30 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-161
- Set default value as true in boolean mozilla_plugin_can_network_connect. BZ(1286177)
2015-11-30 12:48:01 +01:00
Lukas Vrabec
78826f0b99 * Tue Nov 24 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-160
- Allow apcupsd sending mails about battery state. BZ(1274018)
- Allow pcp_pmcd_t domain transition to lvm_t. BZ(1277779)
- Merge pull request #68 from rhatdan/rawhide-contrib
- Allow antivirus_t to bind to all unreserved ports. Clamd binds to random unassigned port (by default in range 1024-2048). #1248785
-  Allow systemd-networkd to bind dhcpd ports if DHCP=yes in *.network conf file. BZ(#1280092)
- systemd-tmpfiles performs operations on System V IPC objects which requires sys_admin capability. BZ(#1279269)
2015-11-24 15:49:54 +01:00
Miroslav Grepl
2fc3e7cbba /usr/sbim/semanage has been moved to policycoreutils-python-utils package which needs to be require in Post section for selinux-policy-minumum package. 2015-11-20 15:51:27 +01:00
Miroslav Grepl
0e84535c7a - Allow antivirus_t to bind to all unreserved ports. Clamd binds to random unassigned port (by default in range 1024-2048)
- Allow abrt-hook-ccpp to change SELinux user identity for created objects.
- Allow abrt-hook-ccpp to get attributes of all processes because of core_pattern.
- Allow setuid/setgid capabilities for abrt-hook-ccpp.
- Add default labeling for /etc/Pegasus/cimserver_current.conf. It is a correct patch instead of the current /etc/Pegasus/pegasus_current.conf.
- Allow fenced node dbus msg when using foghorn witch configured foghorn, snmpd, and snmptrapd.
- cockpit has grown content in /var/run directory
- Add support for /dev/mptctl device used to check RAID status.
- Allow systemd-hostnamed to communicate with dhcp via dbus.
- systemd-logind remove all IPC objects owned by a user on a logout. This covers also SysV memory. This change allows to destroy unpriviledged user SysV shared memory segments.
- Add userdom_destroy_unpriv_user_shared_mem() interface.
- Label /var/run/systemd/shutdown directory as systemd_logind_var_run_t to allow systemd-logind to access it if shutdown is invoked.
- Access needed by systemd-machine to manage docker containers
- Allow systemd-logind to read /run/utmp when shutdown is invoked.
2015-11-20 10:09:52 +01:00
Miroslav Grepl
982e483908 We need to cop *.local policy files to keep local customizations also after upgrades between old and new module store location. BZ(#1279621). 2015-11-12 16:01:20 +01:00
Miroslav Grepl
db55b65949 - Merge pull request #48 from lkundrak/contrib-openfortivpn
- unbound wants to use ephemeral ports as a default configuration. Allow to use also udp sockets.
2015-11-10 10:24:32 +01:00
Miroslav Grepl
02b374489f - The ABRT coredump handler has code to emulate default core file creation The handler runs in a separate process with abrt_dump_oops_t SELinux process type. abrt-hook-ccpp also saves the core dump file in the very same way as kernel does and a user can specify CWD location for a coredump. abrt-hook-ccpp has been made as a SELinux aware apps to create this coredumps with correct labeling and with this commit the policy rules have been updated to allow access all non security files on a system.
- Since /dev/log is a symlink, we need to allow relabelto also symlink. This commit update logging_relabel_devlog_dev() interface to allow it.
- systemd-user has pam_selinux support and needs to able to compute user security context if init_t is not unconfined domain.
2015-11-09 15:04:44 +01:00
Lukas Vrabec
0a89ba84bd We want conflicts with docker-selinux not docker package. 2015-10-27 16:14:11 +01:00
Lukas Vrabec
66791f96f6 * Tue Oct 27 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-156
- Allow fail2ban-client to execute ldconfig. #1268715
- Add interface virt_sandbox_domain()
- Use mmap_file_perms instead of exec_file_perms in setroubleshoot policy to shave off the execute_no_trans permission. Based on a github communication with Dominick Grift.
-all userdom_dontaudit_user_getattr_tmp_sockets instead() of usedom_dontaudit_user_getattr_tmp_sockets().
- Rename usedom_dontaudit_user_getattr_tmp_sockets() to userdom_dontaudit_user_getattr_tmp_sockets().
- Remove auth_login_pgm_domain(init_t) which has been added by accident.
- init_t needs to able to change SELinux identity because it is used as login_pgm domain because of systemd-user and PAM. It allows security_compute_user() returns a list of possible context and then a correct default label is returned by "selinux.get_default_context(sel_user,fromcon)" defined in the policy user config files.
- Add interface auth_use_nsswitch() to systemd_domain_template.
- Revert "auth_use_nsswitch can be used with attribute systemd_domain."
- auth_use_nsswitch can be used with attribute systemd_domain.
- ipsec: fix stringSwan charon-nm
- docker is communicating with systemd-machined
- Add missing systemd_dbus_chat_machined, needed by docker
2015-10-27 14:23:44 +01:00
Lukas Vrabec
0f46e07ae6 Add conflict with docker lower or eq as docker-1.9.0-9 2015-10-27 14:14:33 +01:00
Lukas Vrabec
5d2c760e35 * Tue Oct 20 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-155
- Build including docker selinux interfaces.
2015-10-20 16:28:15 +02:00
Lukas Vrabec
fadb0d2542 docker policy files support 2015-10-20 16:26:28 +02:00
Lukas Vrabec
0bdc2482e7 * Tue Oct 20 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-154
- Allow winbindd to send signull to kernel. BZ(#1269193)
- Merge branch 'rawhide-contrib-chrony' into rawhide-contrib
- Fixes for chrony version 2.2 BZ(#1259636)
  * Allow chrony chown capability
  * Allow sendto dgram_sockets to itself and to unconfined_t domains.
- Merge branch 'rawhide-contrib-chrony' into rawhide-contrib
- Add boolean allowing mysqld to connect to http port. #1262125
- Merge pull request #52 from 1dot75cm/rawhide-base
- Allow systemd_hostnamed to read xenfs_t files. BZ(#1233877)
- Fix attribute in corenetwork.if.in
2015-10-20 15:11:36 +02:00
Lukas Vrabec
2bd687c904 * Tue Oct 13 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-153
- Allow abrt_t to read sysctl_net_t files. BZ(#1194280)
- Merge branch 'rawhide-contrib' of github.com:fedora-selinux/selinux-policy into rawhide-contrib
- Add abrt_stub interface.
- Add support for new mock location - /usr/libexec/mock/mock. BZ(#1270972)
- Allow usbmuxd to access /run/udev/data/+usb:*. BZ(#1269633)
- Allow qemu-bridge-helper to read /dev/random and /dev/urandom. BZ(#1267217)
- Allow sssd_t to manage samba var files/dirs to SSSD's GPO support which is enabled against an Active Directory domain. BZ(#1225200).
- Add samba_manage_var_dirs() interface.
- Allow pcp_pmlogger to exec bin_t BZ(#1258698)
- Allow spamd to read system network state. BZ(1260234)
- Allow fcoemon to create netlink scsitransport sockets BZ(#1260882)
- Allow networkmanager to create networkmanager_var_lib_t files. BZ(1270201)
- Allow systemd-networkd to read XEN state for Xen hypervisor. BZ(#1269916)
- Add fs_read_xenfs_files() interface.
- Allow systemd_machined_t to send dbus msgs to all users and read/write /dev/ptmx to make 'machinectl shell' working correctly.
- Allow systemd running as init_t to override the default context for key creation. BZ(#1267850)
2015-10-13 18:34:04 +02:00
Lukas Vrabec
a6a2539c66 * Thu Oct 08 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-152
- Allow pcp_pmlogger to read system state. BZ(1258699)
- Allow cupsd to connect on socket. BZ(1258089)
- Allow named to bind on ephemeral ports. BZ(#1259766)
- Allow iscsid create netlink iscsid sockets.
- We need allow connect to xserver for all sandbox_x domain because we have one type for all sandbox processes.
- Allow NetworkManager_t and policykit_t read access to systemd-machined pid files. #1255305
- Add missing labeling for /usr/libexec/abrt-hook-ccpp as a part of #1245477 and #1242467 bugs.
- Allow search dirs in sysfs types in kernel_read_security_state.
- Fix kernel_read_security_state interface that source domain of this interface can search sysctl_fs_t dirs.
2015-10-08 15:52:24 +02:00
Lukas Vrabec
0927e3f742 * Fri Oct 02 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-151
- Update modules_filetrans_named_content() to make sure we don't get modules_dep labeling by filename transitions.
- Remove /usr/lib/modules/[^/]+/modules\..+ labeling
- Add modutils_read_module_deps_files() which is called from files_read_kernel_modules() for module deps which are still labeled as modules_dep_t.
- Remove modules_dep_t labeling for kernel module deps. depmod is a symlink to kmod which is labeled as insmod_exec_t which handles modules_object_t and there is no transition to modules_dep_t. Also some of these module deps are placed by cpio during install/update of kernel package.
2015-10-02 19:11:32 +02:00
Lukas Vrabec
61514837cc * Fri Oct 02 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-150
- Allow acpid to attempt to connect to the Linux kernel via generic netlink socket.
- Clean up pkcs11proxyd policy.
- We need to require sandbox_web_type attribute in sandbox_x_domain_template().
- Revert "depmod is a symlink to insmod so it runs as insmod_t. It causes that dep kernel modules files are not created with the correct labeling modules_dep_t. This fix adds filenamtrans rules for insmod_t."
- depmod is a symlink to insmod so it runs as insmod_t. It causes that dep kernel modules files are not created with the correct labeling modules_dep_t. This fix adds filenamtrans rules for insmod_t.
- Update files_read_kernel_modules() to contain modutils_read_module_deps() calling because module deps labeling has been updated and it allows to avoid regressions.
- Update modules_filetrans_named_content() interface to cover more modules.* files.
- New policy for systemd-machined. #1255305
- In Rawhide/F24, we added pam_selinux.so support for systemd-users to have user sessions running under correct SELinux labeling. It also supports another new feature with systemd+dbus and we have sessions dbuses running with the correct labeling - unconfined_dbus_t for example.
- Allow systemd-logind read access to efivarfs - Linux Kernel configuration options for UEFI systems (UEFI Runtime Variables). #1244973, #1267207 (partial solution)
- Merge pull request #42 from vmojzis/rawhide-base
- Add interface to allow reading files in efivarfs - contains Linux Kernel configuration options for UEFI systems (UEFI Runtime Variables)
2015-10-02 13:49:11 +02:00
Lukas Vrabec
b03747cd87 * Tue Sep 29 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-149
- Add few rules related to new policy for pkcs11proxyd
- Added new policy for pkcs11proxyd daemon
- We need to require sandbox_web_type attribute in sandbox_x_domain_template().
- Dontaudit abrt_t to rw lvm_lock_t dir.
- Allow abrt_d domain to write to kernel msg device.
- Add interface lvm_dontaudit_rw_lock_dir()
- Merge pull request #35 from lkundrak/lr-libreswan
2015-09-29 18:17:13 +02:00
Lukas Vrabec
ec0c1bc01e * Tue Sep 22 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-148
- Update config.tgz to reflect changes in default context for SELinux users related to pam_selinux.so which is now used in systemd-users.
- Added support for permissive domains
- Allow rpcbind_t domain to change file owner and group
- rpm-ostree has a daemon mode now and need to speak to polkit/logind for authorization. BZ(#1264988)
- Allow dnssec-trigger to send generic signal to Network-Manager. BZ(#1242578)
- Allow smbcontrol to create a socket in /var/samba which uses for a communication with smbd, nmbd and winbind.
- Revert "Add apache_read_pid_files() interface"
- Allow dirsrv-admin read httpd pid files.
- Add apache_read_pid_files() interface
- Add label for dirsrv-admin unit file.
- Allow qpid daemon to connect on amqp tcp port.
- Allow dirsrvadmin-script read /etc/passwd file Allow dirsrvadmin-script exec systemctl
- Add labels for afs binaries: dafileserver, davolserver, salvageserver, dasalvager
- Add lsmd_plugin_t sys_admin capability, Allow lsmd_plugin_t getattr from sysfs filesystem.
- Allow rhsmcertd_t send signull to unconfined_service_t domains.
- Revert "Allow pcp to read docker lib files."
- Label /usr/libexec/dbus-1/dbus-daemon-launch-helper  as dbusd_exec_t to have systemd dbus services running in the correct domain instead of unconfined_service_t if unconfined.pp module is enabled. BZ(#1262993)
- Allow pcp to read docker lib files.
- Revert "init_t needs to be login_pgm domain because of systemd-users + pam_selinux.so"
- Add login_userdomain attribute also for unconfined_t.
- Add userdom_login_userdomain() interface.
- Label /etc/ipa/nssdb dir as cert_t
- init_t needs to be login_pgm domain because of systemd-users + pam_selinux.so
- Add interface unconfined_server_signull() to allow domains send signull to unconfined_service_t
- Call userdom_transition_login_userdomain() instead of userdom_transition() in init.te related to pam_selinux.so+systemd-users.
- Add userdom_transition_login_userdomain() interface
- Allow user domains with login_userdomain to have entrypoint access on init_exec. It is needed by pam_selinux.so call in systemd-users. BZ(#1263350)
- Add init_entrypoint_exec() interface.
- Allow init_t to have transition allow rule for userdomain if pam_selinux.so is used in /etc/pam.d/systemd-user. It ensures that systemd user sessions will run with correct userdomain types instead of init_t. BZ(#1263350)
2015-09-22 18:00:08 +02:00
Lukas Vrabec
7c8404da3f Added support for permissive domains 2015-09-22 14:28:30 +02:00
Lukas Vrabec
2818673721 * Mon Sep 14 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-147
- named wants to access /proc/sys/net/ipv4/ip_local_port_range to get ehphemeral range. BZ(#1260272)
- Allow user screen domains to list directorires in HOMEDIR wit user_home_t labeling.
- Dontaudit fenced search gnome config
- Allow teamd running as NetworkManager_t to access netlink_generic_socket to allow multiple network interfaces to be teamed together. BZ(#1259180)
- Fix for watchdog_unconfined_exec_read_lnk_files, Add also dir search perms in watchdog_unconfined_exec_t.
- Sanlock policy update. #1255307   - New sub-domain for sanlk-reset daemon
- Fix labeling for fence_scsi_check script
- Allow openhpid to read system state Aloow openhpid to connect to tcp http port.
- Allow openhpid to read snmp var lib files.
- Allow openvswitch_t domains read kernel dependencies due to openvswitch run modprobe
- Fix regexp in chronyd.fc file
- systemd-logind needs to be able to act with /usr/lib/systemd/system/poweroff.target to allow shutdown system. BZ(#1260175)
- Allow systemd-udevd to access netlink_route_socket to change names for network interfaces without unconfined.pp module. It affects also MLS.
- Allow unconfined_t domains to create /var/run/xtables.lock with iptables_var_run_t
- Remove bin_t label for /usr/share/cluster/fence_scsi_check\.pl
2015-09-14 09:29:16 +02:00
Lukas Vrabec
73a6a99de0 Add files homedir_template and users_extra to selinux-policy-* packages. 2015-09-09 10:23:56 +02:00
Lukas Vrabec
f1ab24fa93 * Tue Sep 01 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-146
- Allow passenger to getattr filesystem xattr
- Revert "Allow pegasus_openlmi_storage_t create mdadm.conf.anacbak file in /etc."
- Label mdadm.conf.anackbak as mdadm_conf_t file.
- Allow dnssec-ttrigger to relabel net_conf_t files. BZ(1251765)
- Allow dnssec-trigger to exec pidof. BZ(#1256737)
- Allow blueman to create own tmp files in /tmp. (#1234647)
- Add new audit_read access vector in capability2 class
- Add "binder" security class and access vectors
- Update netlink socket classes.
- Allow getty to read network state. BZ(#1255177)
- Remove labeling for /var/db/.*\.db as etc_t to label db files as system_db_t.
2015-09-01 18:25:49 +02:00
Lukas Vrabec
0d70340b72 * Sun Aug 30 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-145
- Allow watchdog execute fenced python script.
- Added inferface watchdog_unconfined_exec_read_lnk_files()
- Allow pmweb daemon to exec shell. BZ(1256127)
- Allow pmweb daemon to read system state. BZ(#1256128)
- Add file transition that cermonger can create /run/ipa/renewal.lock with label ipa_var_run_t.
- Revert "Revert default_range change in targeted policy"
- Allow dhcpc_t domain transition to chronyd_t
2015-08-30 23:03:47 +02:00
Lukas Vrabec
96de5661d2 * Mon Aug 24 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-144
- Allow pmlogger to create pmlogger.primary.socket link file. BZ(1254080)
- Allow NetworkManager send sigkill to dnssec-trigger. BZ(1251764)
- Add interface dnssec_trigger_sigkill
- Allow smsd use usb ttys. BZ(#1250536)
- Fix postfix_spool_maildrop_t,postfix_spool_flush_t contexts in postfix.fc file.
- Revert default_range change in targeted policy
- Allow systemd-sysctl cap. sys_ptrace  BZ(1253926)
2015-08-24 11:25:02 +02:00
Miroslav Grepl
f5f6812fa4 - Add ipmievd policy creaed by vmojzis@redhat.com
- Call kernel_load_module(vmware_host_t) to satisfy neverallow assertion for sys_moudle in MLS where unconfined is disabled.
- Allow NetworkManager to write audit log messages
- Add new policy for ipmievd (ipmitool).
- mirrormanager needs to be application domain and cron_system_entry needs to be called in optional block.
- Allow sandbox domain to be also /dev/mem writer
- Fix neverallow assertion for sys_module capability for openvswitch.
- kernel_load_module() needs to be called out of boolean for svirt_lxc_net_t.
- Fix neverallow assertion for sys_module capability.
- Add more attributes for sandbox domains to avoid neverallow assertion issues.
- Add neverallow asserition fixes related to storage.
- Allow exec pidof under hypervkvp domain. Allow hypervkvp daemon create connection to the system DBUS
- Allow openhpid_t to read system state.
- Add temporary fixes for sandbox related to #1103622. It allows to run everything under one sandbox type.
- Added labels for files provided by rh-nginx18 collection
- Dontaudit block_suspend capability for ipa_helper_t, this is kernel bug. Allow ipa_helper_t capability net_admin. Allow ipa_helper_t to list /tmp. Allow ipa_helper_t to read rpm db.
- Allow rhsmcertd exec rhsmcertd_var_run_t files and rhsmcerd_tmp_t files. This rules are in hide_broken_sympthons until we find better solution.
- Update files_manage_all_files to contain auth_reader_shadow and auth_writer_shadow tosatisfy neverallow assertions.
- Update files_relabel_all_files() interface to contain auth_relabelto_shadow() interface to satisfy neverallow assertion.
- seunshare domains needs to have set_curr_context attribute to resolve neverallow assertion issues.
- Add dev_raw_memory_writer() interface
- Add auth_reader_shadow() and auth_writer_shadow() interfaces
- Add dev_raw_memory_reader() interface.
- Add storage_rw_inherited_scsi_generic() interface.
- Update files_relabel_non_auth_files() to contain seutil_relabelto_bin_policy() to make neverallow assertion working.
- Update kernel_read_all_proc() interface to contain can_dump_kernel and can_receive_kernel_messages attributes  to fix neverallow violated issue for proc_kcore_t and proc_kmsg_t.
- Update storage_rw_inherited_fixed_disk_dev() interface to use proper attributes to fix neverallow violated issues caused by neverallow check during build process.
2015-08-21 10:11:52 +02:00
Miroslav Grepl
4d097300f6 We should be able to do builds with neverallow check with new 2.4 userspace and fix the latest policy fixes. 2015-08-20 18:17:21 +02:00
Lukas Vrabec
1ba0a986f6 * Tue Aug 18 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-142
- Allow samba_net_t to manage samba_var_t sock files.
- Allow httpd daemon to manage httpd_var_lib_t lnk_files.
- Allow collectd stream connect to pdns.(BZ #1191044)
- Add interface pdns_stream_connect()
- Merge branch 'rawhide-contrib' of github.com:fedora-selinux/selinux-policy into rawhide-contrib
- Allow chronyd exec systemctl
- Merge pull request #30 from vmojzis/rawhide-contrib
- Hsqldb policy upgrade -Allow sock_file management
- Add inteface chronyd_signal Allow timemaster_t send generic signals to chronyd_t.
- Hsqldb policy upgrade.  -Disallow hsqldb_tmp_t link_file management
- Hsqldb policy upgrade:  -Remove tmp link_file transition  -Add policy summary  -Remove redundant parameter for "hsqldb_admin" interface
- Label /var/run/chrony-helper dir as chronyd_var_run_t.
- Allow lldpad_t to getattr tmpfs_t. Label /dev/shm/lldpad.* as lldapd_tmpfs_t
- Fix label on /var/tmp/kiprop_0
- Add mountpoint dontaudit access check in rhsmcertd policy.
- Allow pcp_domain to manage pcp_var_lib_t lnk_files.
- Allow chronyd to execute mkdir command.
- Allow chronyd_t to read dhcpc state.
- Label /usr/libexec/chrony-helper as chronyd_exec_t
- Allow openhpid liboa_soap plugin to read resolv.conf file.
- Allow openhpid liboa_soap plugin to read generic certs.
- Allow openhpid use libwatchdog plugin. (Allow openhpid_t rw watchdog device)
- Allow logrotate to reload services.
- Allow apcupsd_t to read /sys/devices
- Allow kpropd to connect to kropd tcp port.
- Allow systemd_networkd to send logs to syslog.
- Added interface fs_dontaudit_write_configfs_dirs
- Allow audisp client to read system state.
- Label /var/run/xtables.lock as iptables_var_run_t.
-  Add labels for /dev/memory_bandwith and /dev/vhci. Thanks ssekidde
- Add interface to read/write watchdog device.
- Add transition rule for iptables_var_lib_t
2015-08-18 10:39:06 +02:00
Lukas Vrabec
28b73b2eef * Mon Aug 10 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-141
- Allow chronyd to execute mkdir command.
- Allow chronyd_t to read dhcpc state.
- Label /usr/libexec/chrony-helper as chronyd_exec_t
- Allow openhpid liboa_soap plugin to read resolv.conf file.
- Allow openhpid liboa_soap plugin to read generic certs.
- Allow openhpid use libwatchdog plugin. (Allow openhpid_t rw watchdog device)
- Allow logrotate to reload services.
- Allow apcupsd_t to read /sys/devices
- Allow kpropd to connect to kropd tcp port.
- Allow lsmd also setuid capability. Some commands need to executed under root privs. Other commands are executed under unprivileged user.
- Allow snapperd to pass data (one way only) via pipe negotiated over dbus.
- Add snapper_read_inherited_pipe() interface.
- Add missing ";" in kerberos.te
- Add support for /var/lib/kdcproxy and label it as krb5kdc_var_lib_t. It needs to be accessible by useradd_t.
- Add support for /etc/sanlock which is writable by sanlock daemon.
- Allow mdadm to access /dev/random and add support to create own files/dirs as mdadm_tmpfs_t.
-  Add labels for /dev/memory_bandwith and /dev/vhci. Thanks ssekidde
- Add interface to read/write watchdog device.
- Add transition rule for iptables_var_lib_t
- Allow useradd add homedir located in /var/lib/kdcproxy in ipa-server RPM scriplet.
- Revert "Allow grubby to manage and create /run/blkid with correct labeling"
- Allow grubby to manage and create /run/blkid with correct labeling
- Add fstools_filetrans_named_content_fsadm() and call it for named_filetrans_domain domains. We need to be sure that /run/blkid is created with correct labeling.
- arping running as netutils_t needs to access /etc/ld.so.cache in MLS.
- Allow sysadm to execute systemd-sysctl in the sysadm_t domain. It is needed for ifup command in MLS mode.
- Add systemd_exec_sysctl() and systemd_domtrans_sysctl() interfaces.
- Allow udev, lvm and fsadm to access systemd-cat in /var/tmp/dracut if 'dracut -fv' is executed in MLS.
- Allow admin SELinu users to communicate with kernel_t. It is needed to access /run/systemd/journal/stdout if 'dracut -vf' is executed. We allow it for other SELinux users.
- depmod runs as insmod_t and it needs to manage user tmp files which was allowed for depmod_t. It is needed by dracut command for SELinux restrictive policy (confined users, MLS).
2015-08-10 18:38:57 +02:00
Miroslav Grepl
d8af5a753a - firewalld needs to relabel own config files. BZ(#1250537)
- Allow rhsmcertd to send signull to unconfined_service
- Allow lsm_plugin_t to rw raw_fixed_disk.
- Allow lsm_plugin_t to read sysfs, read hwdata, rw to scsi_generic_device
- Allow openhpid to use libsnmp_bc plugin (allow read snmp lib files).
2015-08-05 16:03:40 +02:00
Lukas Vrabec
f35d9026d6 * Tue Aug 04 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-139
- Add header for sslh.if file
- Fix sslh_admin() interface
- Clean up sslh.if
- Fix typo in pdns.if
- Allow qpid to create lnk_files in qpid_var_lib_t.
- Allow httpd_suexec_t to read and write Apache stream sockets
- Merge pull request #21 from hogarthj/rawhide-contrib
- Allow virt_qemu_ga_t domtrans to passwd_t.
- use read and manage files_patterns and the description for the admin interface
- Merge pull request #17 from rubenk/pdns-policy
- Allow redis to read kernel parameters.
- Label /etc/rt dir as httpd_sys_rw_content_t BZ(#1185500)
- Allow hostapd to manage sock file in /va/run/hostapd Add fsetid cap. for hostapd Add net_raw cap. for hostpad BZ(#1237343)
- Allow bumblebee to seng kill signal to xserver
- glusterd call pcs utility which calls find for cib.* files and runs pstree under glusterd. Dontaudit access to security files and update gluster boolean to reflect these changes.
- Allow drbd to get attributes from filesystems.
- Allow drbd to read configuration options used when loading modules.
- fix the description for the write config files, add systemd administration support and fix a missing gen_require in the admin interface
- Added Booleans: pcp_read_generic_logs.
- Allow pcp_pmcd daemon to read postfix config files. Allow pcp_pmcd daemon to search postfix spool dirs.
- Allow glusterd to communicate with cluster domains over stream socket.
- fix copy paste error with writing the admin interface
- fix up the regex in sslh.fc, add sslh_admin() interface
- adding selinux policy files for sslh
- Remove diplicate sftpd_write_ssh_home boolean rule.
- Revert "Allow smbd_t and nmbd_t to manage winbind_var_run_t files/socktes/dirs."
- gnome_dontaudit_search_config() needs to be a part of optinal_policy in pegasus.te
- Allow glusterd to manage nfsd and rpcd services.
- Add kdbus.pp policy to allow access /sys/fs/kdbus. It needs to go with own module because this is workaround for now to avoid SELinux in enforcing mode.
- kdbusfs should not be accessible for now by default for shipped policies. It should be moved to kdbus.pp
- kdbusfs should not be accessible for now.
- Add support for /sys/fs/kdbus and allow login_pgm domain to access it.
- Allow sysadm to administrate ldap environment and allow to bind ldap port to allow to setup an LDAP server (389ds).
- Label /usr/sbin/chpasswd as passwd_exec_t.
- Allow audisp_remote_t to read/write user domain pty.
- Allow audisp_remote_t to start power unit files domain to allow halt system.
2015-08-04 01:19:35 +02:00
Lukas Vrabec
c6320132cb Remove old trigger selinux-policy-targeted-3.12.1-75 for relabeling home. 2015-08-04 00:27:26 +02:00
Lukas Vrabec
ceff8ba54e Fix for Replace generating man/html pages with pages from actual build. This is due to broken userspace with python3 in F23/Rawhide. Please Revert when userspace will be fixed. 2015-08-04 00:25:37 +02:00
Lukas Vrabec
ae80a5c1a5 Replace generating man/html pages with pages from actual build. This is due to broken userspace with python3 in F23/Rawhide. Please Revert when userspace will be fixed. 2015-08-03 17:10:54 +02:00
Lukas Vrabec
d6fa2521fb Move man pages from selinux-policy-devel to selinux-policy-doc 2015-07-24 11:27:15 +02:00
Lukas Vrabec
e5e6b1ee54 * Mon Jul 20 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-138
- Add fixes for selinux-policy packages to reflect the latest changes related to policy module store migration.
- Prepare selinux-policy package for SELinux store migration
- gnome_dontaudit_search_config() needs to be a part of optinal_policy in pegasus.te
- Allow glusterd to manage nfsd and rpcd services.
- Allow smbd_t and nmbd_t to manage winbind_var_run_t files/socktes/dirs.
- Add samba_manage_winbind_pid() interface
- Allow networkmanager to  communicate via dbus with systemd_hostanmed.
- Allow stream connect logrotate to prosody.
- Add prosody_stream_connect() interface.
-  httpd should be able to send signal/signull to httpd_suexec_t, instead of httpd_suexec_exec_t.
- Allow prosody to create own tmp files/dirs.
- Allow keepalived request kernel load module
- kadmind should not read generic files in /usr
- Allow kadmind_t access to /etc/krb5.keytab
- Add more fixes to kerberos.te
- Add labeling for /var/tmp/kadmin_0 and /var/tmp/kiprop_0
- Add lsmd_t to nsswitch_domain.
- Allow pegasus_openlmi_storage_t create mdadm.conf.anacbak file in /etc.
- Add fixes to pegasus_openlmi_domain
- Allow Glance Scrubber to connect to commplex_main port
- Allow RabbitMQ to connect to amqp port
- Allow isnsd read access on the file /proc/net/unix
- Allow qpidd access to /proc/<pid>/net/psched
- Allow openshift_initrc_t to communicate with firewalld over dbus.
- Allow ctdbd_t send signull to samba_unconfined_net_t.
- Add samba_signull_unconfined_net()
- Add samba_signull_winbind()
- Revert "Add interfaces winbind_signull(), samba_unconfined_net_signull()."
- Fix ctdb policy
- Label /var/db/ as system_db_t.
2015-07-20 18:37:28 +02:00
Miroslav Grepl
57b06e2ca9 Add fixes for selinux-policy packages to reflect the latest changes related to policy module store migration. 2015-07-16 09:10:21 +02:00
Petr Lautrbach
a345bb5a25 Prepare selinux-policy package for SELinux store migration 2015-07-15 14:26:46 +02:00
Lukas Vrabec
04f749c8f0 * Wed Jul 15 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-137
- inn daemon should create innd_log_t objects in var_log_t instead of innd_var_run_t
- Fix rule definitions for httpd_can_sendmail boolean. We need to distinguish between base and contrib.
2015-07-15 11:45:00 +02:00
Lukas Vrabec
ee724ad113 * Tue Jul 14 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-136
- Add samba_unconfined_script_exec_t to samba_admin header.
- Add jabberd_lock_t label to jabberd_admin header.
- Add rpm_var_run_t label to rpm_admin header.
- Make all interfaces related to openshift_cache_t as deprecated.
- Remove non exits nfsd_ro_t label.
- Label /usr/afs/ as afs_files_t Allow afs_bosserver_t create afs_config_t and afs_dbdir_t dirs under afs_files_t Allow afs_bosserver_t read kerberos config
- Fix *_admin intefaces where body is not consistent with header.
- Allow networkmanager read rfcomm port.
- Fix nova_domain_template interface, Fix typo bugs in nova policy
- Create nova sublabels.
- Merge all nova_* labels under one nova_t.
- Add cobbler_var_lib_t to "/var/lib/tftpboot/boot(/.*)?"
- Allow dnssec_trigger_t relabelfrom dnssec_trigger_var_run_t files.
- Fix label openstack-nova-metadata-api binary file
- Allow nova_t to bind on geneve tcp port, and all udp ports
- Label swift-container-reconciler binary as swift_t.
- Allow glusterd to execute showmount in the showmount domain.
- Allow NetworkManager_t send signull to dnssec_trigger_t.
- Add support for openstack-nova-* packages.
- Allow audisp-remote searching devpts.
- Label 6080 tcp port as geneve
2015-07-14 18:10:21 +02:00
Lukas Vrabec
f53ebea7af * Thu Jul 09 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-135
- Update mta_filetrans_named_content() interface to cover more db files.
- Revert "Remove ftpd_use_passive_mode boolean. It does not make sense due to ephemeral port handling."
- Allow pcp domains to connect to own process using unix_stream_socket.
- Typo in abrt.te
- Allow  abrt-upload-watch service to dbus chat with ABRT daemon and fsetid capability to allow run reporter-upload correctly.
- Add nagios_domtrans_unconfined_plugins() interface.
- Add nagios_domtrans_unconfined_plugins() interface.
- Add new boolean - httpd_run_ipa to allow httpd process to run IPA helper and dbus chat with oddjob.
- Add support for oddjob based helper in FreeIPA. BZ(1238165)
- Allow dnssec_trigger_t create dnssec_trigger_tmp_t files in /var/tmp/ BZ(1240840)
- Allow ctdb_t sending signull to smbd_t, for checking if smbd process exists. BZ(1224879)
- Fix cron_system_cronjob_use_shares boolean to call fs interfaces which contain only entrypoint permission.
- Add cron_system_cronjob_use_shares boolean to allow system cronjob to be executed from shares - NFS, CIFS, FUSE. It requires "entrypoint" permissios on nfs_t, cifs_t and fusefs_t SELinux types.
- nrpe needs kill capability to make gluster moniterd nodes working.
- Revert "Dontaudit ctbd_t sending signull to smbd_t."
- Fix interface corenet_tcp_connect_postgresql_port_port(prosody_t)
- Allow prosody connect to postgresql port.
- Fix logging_syslogd_run_nagios_plugins calling in logging.te
- Add logging_syslogd_run_nagios_plugins boolean for rsyslog to allow transition to nagios unconfined plugins.
- Add support for oddjob based helper in FreeIPA. BZ(1238165)
- Add new interfaces
- Add fs_fusefs_entry_type() interface.
2015-07-09 10:31:45 +02:00
Lukas Vrabec
d04212cd26 * Thu Jul 02 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-134
- Allow ctdb_t sending signull to smbd_t, for checking if smbd process exists. BZ(1224879)
- Fix cron_system_cronjob_use_shares boolean to call fs interfaces which contain only entrypoint permission.
- Add cron_system_cronjob_use_shares boolean to allow system cronjob to be executed from shares - NFS, CIFS, FUSE. It requires "entrypoint" permissios on nfs_t, cifs_t and fusefs_t SELinux types.
- Merge remote-tracking branch 'refs/remotes/origin/rawhide-contrib' into rawhide-contrib
- nrpe needs kill capability to make gluster moniterd nodes working.
- Fix interface corenet_tcp_connect_postgresql_port_port(prosody_t)
- Allow prosody connect to postgresql port.
- Add new interfaces
- Add fs_fusefs_entry_type() interface.
2015-07-02 17:37:26 +02:00
Lukas Vrabec
1428c0c5e6 * Tue Jun 30 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-133
- Cleanup permissive domains.
2015-06-30 13:53:46 +02:00
Lukas Vrabec
20e7f0e6a4 * Mon Jun 29 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-132
- Rename xodbc-connect port to xodbc_connect
- Dontaudit apache to manage snmpd_var_lib_t files/dirs. BZ(1189214)
- Add interface snmp_dontaudit_manage_snmp_var_lib_files().
- Allow ovsdb-server to connect on xodbc-connect and ovsdb tcp ports. BZ(1179809)
- Dontaudit mozilla_plugin_t cap. sys_ptrace. BZ(1202043)
- Allow iscsid write to fifo file kdumpctl_tmp_t. Appears when kdump generates the initramfs during the kernel boot. BZ(1181476)
- Dontaudit chrome to read passwd file. BZ(1204307)
- Allow firewalld exec ldconfig. BZ(1232748)
- Allow dnssec_trigger_t read networkmanager conf files. BZ(1231798)
- Allow in networkmanager_read_conf() also read NetworkManager_etc_rw_t files. BZ(1231798)
- Allow NetworkManager write to sysfs. BZ(1234086)
- Fix bogus line in logrotate.fc.
- Add dontaudit interface for kdumpctl_tmp_t
- Rename xodbc-connect port to xodbc_connect
- Label tcp port 6632 as xodbc-connect port. BZ (1179809)
- Label tcp port 6640 as ovsdb port. BZ (1179809)
2015-06-29 18:07:03 +02:00
Lukas Vrabec
7100c57b1f * Tue Jun 23 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-131
- Allow NetworkManager write to sysfs. BZ(1234086)
- Fix bogus line in logrotate.fc.
- Add dontaudit interface for kdumpctl_tmp_t
- Use userdom_rw_user_tmp_files() instead of userdom_rw_user_tmpfs_files() in gluster.te
- Add postgresql support for systemd unit files.
- Fix missing bracket
- Pull request by ssekidde. https://github.com/fedora-selinux/selinux-policy/pull/18
- Fixed obsoleted userdom_delete_user_tmpfs_files() inteface
2015-06-23 18:07:14 +02:00
Miroslav Grepl
66628cef58 - Allow glusterd to interact with gluster tools running in a user domain
- rpm_transition_script() is called from rpm_run. Update cloud-init rules.
- Call rpm_transition_script() from rpm_run() interface.
- Allow radvd has setuid and it requires dac_override. BZ(1224403)
- Add glusterd_manage_lib_files() interface.
- Allow samba_t net_admin capability to make CIFS mount working.
- S30samba-start gluster hooks wants to search audit logs. Dontaudit it.
- Reflect logrotate change which moves /var/lib/logrotate.status to /var/lib/logrotate/logrotate.status. BZ(1228531)
- ntop reads /var/lib/ntop/macPrefix.db and it needs dac_override. It has setuid/setgid. BZ(1058822)
- Allow cloud-init to run rpm scriptlets to install packages. BZ(1227484)
- Allow nagios to generate charts.
- Allow glusterd to send generic signals to systemd_passwd_agent processes.
- Allow glusterd to run init scripts.
- Allow glusterd to execute /usr/sbin/xfs_dbin glusterd_t domain.
- Calling cron_system_entry() in pcp_domain_template needs to be a part of optional_policy block.
- Allow samba-net to access /var/lib/ctdbd dirs/files.
- Allow glusterd to send a signal to smbd.
- Make ctdbd as home manager to access also FUSE.
- Allow glusterd to use geo-replication gluster tool.
- Allow glusterd to execute ssh-keygen.
- Allow glusterd to interact with cluster services.
- Add rhcs_dbus_chat_cluster()
- systemd-logind accesses /dev/shm. BZ(1230443)
- Label gluster python hooks also as bin_t.
- Allow sshd to execute gnome-keyring if there is configured pam_gnome_keyring.so.
- Allow gnome-keyring executed by passwd to access /run/user/UID/keyring to change a password.
2015-06-18 19:28:19 +02:00
Miroslav Grepl
8f46225b71 - We need to restore contexts on /etc/passwd*,/etc/group*,/etc/*shadow* during install phase to get proper labeling for these files until selinux-policy pkgs are installed. BZ(1228489) 2015-06-09 16:44:44 +02:00
Miroslav Grepl
19cd06ec8a We need to restore contexts on /etc/passwd*,/etc/group*,/etc/*shadow* during install phase to get proper labeling for these files until selinux-policy pkgs are installed. BZ(1228489) 2015-06-09 16:43:17 +02:00
Miroslav Grepl
5bcffd3a3a See Changelog for all changes. 2015-06-09 12:38:09 +02:00
Miroslav Grepl
26e9debdb7 Update selinux-policy.spec to show how to create policy patches from https://github.com/fedora-selinux/selinux-policy 2015-05-22 09:45:52 +02:00
Petr Lautrbach
9cef10b755 Minor spec file fixes:
- corrected day in changelog entry from Apr 30 2015
- merged two %description's for base package into one

Fixes:
warning: line 330: second Description
warning: bogus date in %changelog: Mon Apr 30 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-126
2015-05-19 10:41:20 +02:00
Lukas Vrabec
6a726d4793 * Tue May 05 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-127
- Add missing typealiases in apache_content_template() for script domain/executable.
- Don't use deprecated userdom_manage_tmpfs_role() interface calliing and use userdom_manage_tmp_role() instead.
- Add support for new cobbler dir locations:
- Add support for iprdbg logging files in /var/log.
- Add relabel_user_home_dirs for use by docker_t
2015-05-05 15:54:12 +02:00
Lukas Vrabec
229bf3d017 * Mon Apr 30 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-126
- allow httpd_t to read nagios lib_var_lib_t to allow rddtool generate graphs which will be shown by httpd .
- Add nagios_read_lib() interface.
- Additional fix for mongod_unit_file_t in mongodb.te.
- Fix decl of mongod_unit_file to mongod_unit_file_t.
- Fix mongodb unit file declaration.
- Update virt_read_pid_files() interface to allow read also symlinks with virt_var_run_t type.
- Fix labeling for /usr/libexec/mysqld_safe-scl-helper.
- Add support for mysqld_safe-scl-helper which is needed for RHSCL daemons.
- Allow sys_ptrace cap for sblim-gatherd caused by ps.
- Add support for /usr/libexec/mongodb-scl-helper RHSCL helper script.
- Add support for mongod/mongos systemd unit files.
- Allow dnssec-trigger to send sigchld to networkmanager
- add interface networkmanager_sigchld
- Add dnssec-trigger unit file Label dnssec-trigger script in libexec
- Remove duplicate  specification for /etc/localtime.
- Add default labeling for /etc/localtime symlink.
2015-04-30 20:10:17 +02:00
Lukas Vrabec
c4df3c09b1 Fix bad date 2015-04-20 14:49:53 +02:00
Lukas Vrabec
0bfe8f4452 * Mon Apr 20 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-125
- Define ipa_var_run_t type
- Allow certmonger to manage renewal.lock. BZ(1213256)
- Add ipa_manage_pid_files interface.
- Add rules for netlink_socket in iotop.
- Allow iotop netlink socket.
- cloudinit and rhsmcertd need to communicate with dbus
- Allow apcupsd to use USBttys. BZ(1210960)
- Allow sge_execd_t to mamange tmp sge lnk files.BZ(1211574)
- Remove dac_override capability for setroubleshoot. We now have it running as setroubleshoot user.
- Allow syslogd_t to manage devlog_t lnk files. BZ(1210968)
2015-04-20 14:45:47 +02:00
Lukas Vrabec
28cc160db1 * Wed Apr 15 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-124
- Add more restriction on entrypoint for unconfined domains.
2015-04-15 17:14:18 +02:00
Lukas Vrabec
578b67080c * Wed Apr 14 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-123
- Allow abrtd to list home config. BZ(1199658)
- Dontaudit dnssec_trigger_t to read /tmp. BZ(1210250)
- Allow abrt_dump_oops_t to IPC_LOCK. BZ(1205481)
- Allow mock_t to use ptmx. BZ(1181333)
- Allow dnssec_trigger_t to stream connect to networkmanager.
- Allow dnssec_trigger_t to create resolv files labeled as net_conf_t
- Fix labeling for keystone CGI scripts.
2015-04-14 01:13:22 +02:00
Lukas Vrabec
b9a1c72d29 * Tue Apr 07 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-122
- Label /usr/libexec/mongodb-scl-helper as mongod_initrc_exec_t. BZ(1202013)
- Add mongodb port to httpd_can_network_connect_db interface. BZ(1209180)
- Allow mongod to work with configured SSSD.
- Add collectd net_raw capability. BZ(1194169)
- Merge postfix spool types(maildrop,flush) to one postfix_spool_t
- Allow dhcpd kill capability.
- Make rwhod as nsswitch domain.
- Add support for new fence agent fence_mpath which is executed by fence_node.
- Fix cloudform policy.(m4 is case sensitive)
- Allow networkmanager and cloud_init_t to dbus chat
- Allow lsmd plugin to run with configured SSSD.
- Allow bacula access to tape devices.
- Allow sblim domain to read sysctls..
- Allow timemaster send a signal to ntpd.
- Allow mysqld_t to use pam.It is needed by MariDB if auth_apm.so auth plugin is used.
- two 'l' is enough.
- Add labeling for systemd-time*.service unit files and allow systemd-timedated to access these unit files.
- Allow polkit to dbus chat with xserver. (1207478)
- Add lvm_stream_connect() interface.
- Set label of /sys/kernel/debug
2015-04-07 16:26:56 +02:00
Lukas Vrabec
5852f33770 * Mon Mar 30 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-121
- Allow kmscon to read system state. BZ (1206871)
- Label ~/.abrt/ as abrt_etc_t. BZ(1199658)
- Allow xdm_t to read colord_var_lib_t files. BZ(1201985)
2015-03-30 20:13:54 +02:00
Lukas Vrabec
734dd8ae6f * Mon Mar 23 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-120
- Allow mysqld_t to use pam. BZ(1196104)
- Added label mysqld_etc_t for /etc/my.cnf.d/ dir. BZ(1203989)
- Allow fetchmail to read mail_spool_t. BZ(1200552)
- Dontaudit blueman_t write to all mountpoints. BZ(1198272)
- Allow all domains some process flags.
- Merge branch 'rawhide-base' of github.com:selinux-policy/selinux-policy into rawhide-base
- Turn on overlayfs labeling for testin, we need this backported to F22 and Rawhide.  Eventually will need this in RHEL
2015-03-23 16:13:45 +01:00
Lukas Vrabec
f9d97717a8 * Wed Mar 18 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-119
- build without docker
2015-03-18 17:03:21 +01:00
Lukas Vrabec
e2a064a427 * Mon Mar 16 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-118
- docker watches for content in the /etc directory
- Merge branch 'rawhide-contrib' of github.com:selinux-policy/selinux-policy into rawhide-contrib
- Fix abrt_filetrans_named_content() to create /var/tmp/abrt with the correct abrt_var_cache_t labeling.
- Allow docker to communicate with openvswitch
- Merge branch 'rawhide-contrib' of github.com:selinux-policy/selinux-policy into rawhide-contrib
- Allow docker to relablefrom/to sockets and docker_log_t
- Allow journald to set loginuid. BZ(1190498)
- Add cap. sys_admin for passwd_t. BZ(1185191)
- Allow abrt-hook-ccpp running as kernel_t to allow create /var/tmp/abrt with correct labeling.
2015-03-16 18:04:20 +01:00
Lukas Vrabec
ed576d59f8 * Fri Mar 09 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-117
- Allow spamc read spamd_etc_t files. BZ(1199339).
- Allow collectd to write to smnpd_var_lib_t dirs. BZ(1199278)
- Allow abrt_watch_log_t read passwd file. BZ(1197396)
- Allow abrt_watch_log_t to nsswitch_domain. BZ(1199659)
- Allow cups to read colord_var_lib_t files. BZ(1199765)
2015-03-09 13:16:20 +01:00
Lukas Vrabec
b61b8da21f * Fri Mar 06 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-116
- Turn on rolekit in F23
2015-03-06 17:17:25 +01:00
Lukas Vrabec
f6c1168684 * Thu Mar 05 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-115
- Allow glusterd_t exec glusterd_var_lib_t files. BZ(1198406)
- Add gluster_exec_lib interface.
- Allow l2tpd to manage NetworkManager pid files
- Allow firewalld_t relabelfrom firewalld_rw_etc_t. BZ(1195327)
- Allow cyrus bind tcp berknet port. BZ(1198347)
- Add nsswitch domain for more serviecs.
- Allow abrt_dump_oops_t read /etc/passwd file. BZ(1197190)
- Remove ftpd_use_passive_mode boolean. It does not make sense due to ephemeral port handling.
- Make munin yum plugin as unconfined by default.
- Allow bitlbee connections to the system DBUS.
- Allow system apache scripts to send log messages.
- Allow denyhosts execute iptables. BZ(1197371)
- Allow brltty rw event device. BZ(1190349)
- Allow cupsd config to execute ldconfig. BZ(1196608)
- xdm_t now needs to manage user ttys
- Allow ping_t read urand. BZ(1181831)
- Add support for tcp/2005 port.
- Allow setfiles domain to access files with admin_home_t. semanage -i /root/testfile.
- In F23 we are running xserver as the user, need this to allow confined users to us X
2015-03-05 20:22:19 +01:00
Lukas Vrabec
2ee001bdc9 * Mon Feb 25 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-114
- Fix source filepath for moving html files.
2015-02-25 17:13:43 +01:00
Lukas Vrabec
6acb58cea3 Fix source filepath for moving html files. 2015-02-24 17:51:12 +01:00
Lukas Vrabec
946068cde6 * Mon Feb 23 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-113
- Xserver needs to be transitioned to from confined users
- Added logging_syslogd_pid_filetrans
- xdm_t now talks to hostnamed
- Label new strongswan binary swanctl and new unit file strongswan-swanctl.service. BZ(1193102)
- Additional fix for labeleling /dev/log correctly.
- cups chats with network manager
- Allow parent domains to read/write fifo files in mozilla plugin
- Allow spc_t to transition to svirt domains
- Cleanup spc_t
- docker needs more control over spc_t
- pcp domains are executed out of cron
2015-02-23 16:11:23 +01:00
Lukas Vrabec
83d645c1b0 * Mon Feb 16 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-112
- Allow audisp to connect to system DBUS for service.
- Label /dev/log correctly.
- Add interface init_read_var_lib_files().
- Allow abrt_dump_oops_t read /var/lib/systemd/, Allow abrt_dump_oops_t cap. chown,fsetid,fowner, BZ(1187017)
2015-02-16 20:23:47 +01:00
Lukas Vrabec
e793323380 * Tue Feb 10 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-111
- Label /usr/libexec/postgresql-ctl as postgresql_exec_t. BZ(1191004)
- Remove automatcically running filetrans_named_content form sysnet_manage_config
- Allow syslogd/journal to read netlink audit socket
- Allow brltty ioctl on usb_device_t. BZ(1190349)
- Make sure NetworkManager configures resolv.conf correctly
2015-02-10 22:46:05 +01:00
Lukas Vrabec
ae5733a49e * Thu Feb 05 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-110
- Allow cockpit_session_t to create tmp files
- apmd needs sys_resource when shutting down the machine
- Fix path label to resolv.conf under NetworkManager
2015-02-05 12:12:00 +01:00
Lukas Vrabec
1fd39e9da1 * Wed Feb 04 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-109
- Allow search all pid dirs when managing net_conf_t files.
2015-02-04 17:02:02 +01:00
Lukas Vrabec
203031a6db * Wed Feb 04 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-108
- Fix labels, improve sysnet_manage_config interface.
- Label /var/run/NetworkManager/resolv.conf.tmp as net_conf_t.
- Dontaudit network connections related to thumb_t. BZ(1187981)
- Remove sysnet_filetrans_named_content from fail2ban
2015-02-04 13:06:40 +01:00
Lukas Vrabec
1808b757f1 * Thu Feb 02 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-107
- Fix labels on new location of resolv.conf
- syslog is not writing to the audit socket
- seunshare is doing getattr on unix_stream_sockets leaked into it
- Allow sshd_t to manage gssd keyring
- Allow apps that create net_conf_t content to create .resolv.conf.NetworkManager
- Posgresql listens on port 9898 when running PCP (pgpool Control Port)
- Allow svirt sandbox domains to read /proc/mtrr
- Allow polipo_deamon connect to all ephemeral ports. BZ(1187723)
- Allow dovecot domains to use sys_resouce
- Allow sshd_t to manage gssd keyring
- gpg_pinentry_t needs more access in f22
2015-02-02 11:59:21 +01:00
Lukas Vrabec
a849531c0e * Thu Jan 29 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-106
- Allow docker to attach to the sandbox and user domains tun devices
- Allow pingd to read /dev/urandom. BZ(1181831)
- Allow virtd to list all mountpoints
- Allow sblim-sfcb to search images
- pkcsslotd_lock_t should be an alias for pkcs_slotd_lock_t.
- Call correct macro in virt_read_content().
- Dontaudit couchdb search in gconf_home_t. BZ(1177717)
- Allow docker_t to changes it rlimit
- Allow neutron to read rpm DB.
- Allow radius to connect/bind radsec ports
- Allow pm-suspend running as virt_qemu_ga to read
  /var/log/pm-suspend.log.
- Add devicekit_read_log_files().
- Allow  virt_qemu_ga to dbus chat with rpm.
- Allow netutils chown capability to make tcpdump working with -w.
- Label /ostree/deploy/rhel-atomic-host/deploy directory as
system_conf_t.
- journald now reads the netlink audit socket
- Add auditing support for ipsec.

* Thu Jan 29 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-105
- Bump release
2015-01-29 17:35:42 +01:00
Lukas Vrabec
72c96b37c5 * Thu Jan 15 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-104
- remove duplicate filename transition rules.
- Call proper interface in sosreport.te.
- Allow fetchmail to manage its keyring
- Allow mail munin to create udp_sockets
- Allow couchdb to sendto kernel unix domain sockets
2015-01-15 14:22:27 +01:00
Miroslav Grepl
525ad6557a Make build working 2015-01-12 14:12:54 +01:00
Dan Walsh
f1ed4e46ca Add /etc/selinux/targeted/contexts/openssh_contexts 2015-01-03 08:44:45 -05:00
Lukas Vrabec
6eb7265b01 * Mon Dec 15 2014 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-101
- Allow logrotate to read hawkey.log in /var/cache/dnf/ BZ(1163438)
- Allow virt_qemu_ga_t to execute kmod.
- Add missing files_dontaudit_list_security_dirs() for smbd_t in samba_export_all_ro boolean
- Add additionnal MLS attribute for oddjob_mkhomedir to create homedirs.
- Add support for /usr/share/vdsm/daemonAdapter.
- Docker has a new config/key file it writes to /etc/docker
- Allow bacula to connect also to postgresql.
2014-12-15 07:43:28 -05:00
Lukas Vrabec
e4ea4614c7 * Thu Dec 11 2014 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-100
- Allow admin SELinux users mounting / as private within a new mount namespace as root in MLS.
- Fix miscfiles_manage_generic_cert_files() to allow manage link files
- Allow pegasus_openlmi_storage_t use nsswitch. BZ(1172258)
- Add support for /var/run/gluster.
- Allow openvpn manage systemd_passwd_var_run_t files. BZ(1170085)
2014-12-11 10:20:57 -05:00
Lukas Vrabec
1c8cf318c6 * Fri Dec 02 2014 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-99
- Add files_dontaudit_list_security_dirs() interface.
- Added seutil_dontaudit_access_check_semanage_module_store interface.
- Allow docker to create /root/.docker
- Allow rlogind to use also rlogin ports
- dontaudit list security dirs for samba domain
- Dontaudit couchdb to list /var
2014-12-02 13:05:01 +01:00
Lukas Vrabec
cf94d6be19 * Fri Nov 29 2014 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-98
- Update to have all _systemctl() interface also init_reload_services()
- Dontaudit access check on SELinux module store for sssd.
- Label /var/lib/rpmrebuilddb/ as rpm_var_lib_t. BZ (1167946)
2014-11-29 00:18:57 +01:00
Lukas Vrabec
b5270954f2 Fix date bug 2014-11-28 15:30:56 +01:00
Lukas Vrabec
e4d7a4020d * Fri Nov 27 2014 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-97
- Allow reading of symlinks in /etc/puppet
- Added TAGS to gitignore
- I guess there can be content under /var/lib/lockdown #1167502
- Allow rhev-agentd to read /dev/.udev/db to make deploying hosted engine via iSCSI working.
- Allow keystone to send a generic signal to own process.
- Allow radius to bind tcp/1812 radius port.
- Dontaudit list user_tmp files for system_mail_t
- label virt-who as virtd_exec_t
- Allow rhsmcertd to send a null signal to virt-who running as virtd_t
- Add virt_signull() interface
- Add missing alias for _content_rw_t
- Allow .snapshots to be created in other directories, on all mountpoints
- Allow spamd to access razor-agent.log
- Add fixes for sfcb from libvirt-cim TestOnly bug. (#1152104)
- Allow .snapshots to be created in other directories, on all mountpoints
- Label tcp port 5280 as ejabberd port. BZ(1059930)
- Make /usr/bin/vncserver running as unconfined_service_t
- Label /etc/docker/certs.d as cert_t
- Allow all systemd domains to search file systems
2014-11-28 15:28:22 +01:00
Lukas Vrabec
48f969d319 * Thu Nov 20 2014 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-96
- Allow NetworkManager stream connect on openvpn. BZ(1165110)
2014-11-20 11:38:07 +01:00
Lukas Vrabec
feb8dbd59b * Wed Nov 19 2014 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-95
- Allow networkmanager manage also openvpn sock pid files.
2014-11-19 19:46:38 +01:00
Lukas Vrabec
c88e657c3d * Wed Nov 19 2014 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-94
- Allow openvpn to create uuid connections in /var/run/NetworkManager with NM labeling.
- Allow sendmail to create dead.letter. BZ(1165443)
- Allow selinux_child running as sssd access check on /etc/selinux/targeted/modules/active.
- Allow access checks on setfiles/load_policy/semanage_lock for selinux_child running as sssd_t.
- Label sock file charon.vici as ipsec_var_run_t. BZ(1165065)
- Add additional interfaces for load_policy/setfiles/read_lock related to access checks.
2014-11-19 16:33:35 +01:00
Lukas Vrabec
24d43eb10d * Fri Nov 14 2014 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-93
- Allow bumblebee to use nsswitch. BZ(1155339)
- Allow openvpn to stream connect to networkmanager. BZ(1164182)
- Allow smbd to create HOMEDIRS is pam_oddjob_mkhomedir in MLS.
- Allow cpuplug rw virtual memory sysctl. BZ (1077831)
- Docker needs to write to sysfs, needs back port to F20,F21, RHEL7
2014-11-14 16:06:50 +01:00
Lukas Vrabec
b6161d4177 * Mon Nov 10 2014 Lukas Vrabec <lvrabec@redhat.com> 3.12.1-92
- Add kdump_rw_inherited_kdumpctl_tmp_pipes()
- Added fixes related to linuxptp. BZ (1149693)
- Label keystone cgi files as keystone_cgi_script_exec_t. BZ(1138424
- Dontaudit policykit_auth_t to access to user home dirs. BZ (1157256)
- Fix seutil_dontaudit_access_check_load_policy()
- Add dontaudit interfaces for audit_access in seutil
- Label /etc/strongimcv as ipsec_conf_file_t.
2014-11-10 18:19:50 +01:00
Lukas Vrabec
062b36f481 * Fri Nov 07 2014 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-91
- Added interface userdom_dontaudit_manage_user_home_dirs
- Fix unconfined_server_dbus_chat() interface.
- Add unconfined_server_dbus_chat() inteface.
- Allow login domains to create kernel keyring with different level.
- Dontaudit policykit_auth_t to write to user home dirs. BZ (1157256)
- Make tuned as unconfined domain.
- Added support for linuxptp policy. BZ(1149693)
- make zoneminder as dbus client by default.
- Allow bluetooth read/write uhid devices. BZ (1161169)
- Add fixes for hypervkvp daemon
- Allow guest to connect to libvirt using unix_stream_socket.
- Allow all bus client domains to dbus chat with unconfined_service_t.
- Allow inetd service without own policy to run in inetd_child_t which is unconfined domain.
- Make opensm as nsswitch domain to make it working with sssd.
- Allow brctl to read meminfo.
- Allow winbind-helper to execute ntlm_auth in the caller domain.
- Make plymouthd as nsswitch domain to make it working with sssd.
- Make drbd as nsswitch domain to make it working with sssd.
- Make conman as nsswitch domain to make ipmitool.exp runing as conman_t working.
- Add support for /var/lib/sntp directory.
2014-11-07 22:58:35 +01:00
Lukas Vrabec
ba65f59092 Fixed mistakes in build. 2014-11-03 16:31:25 +01:00
Lukas Vrabec
a38ffbf425 * Mon Nov 03 2014 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-90
- Add support for /dev/nvme controllerdevice nodes created by nvme driver.
- Add 15672 as amqp_port_t
- Allow wine domains to read user homedir content
- Add fixes to allow docker to create more content in tmpfs ,and donaudit reading /proc
- Allow winbind to read usermodehelper
- Allow telepathy domains to execute shells and bin_t
- Allow gpgdomains to create netlink_kobject_uevent_sockets
- Allow abrt to read software raid state. BZ (1157770)
- Fix rhcs_signull_haproxy() interface.
-  Add suppor for keepalived unconfined scripts and allow keepalived to read all domain state and kill capability.
- Allow snapperd to dbus chat with system cron jobs.
- Allow nslcd to read /dev/urandom.
- Allow dovecot to create user's home directory when they log into IMAP.
- Label also logrotate.status.tmp as logrotate_var_lib_t. BZ(1158835)
2014-11-03 15:03:44 +01:00
Lukas Vrabec
4dfcf7b0d0 Fix wrong url link to upstream. 2014-11-03 14:34:24 +01:00
Lukas Vrabec
af3cfa7b5c * Wed Oct 29 2014 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-89
- Allow keystone_cgi_script_t to bind on commplex_main_port. BZ (#1138424)
- Allow freeipmi_bmc_watchdog rw_sem_perms to freeipmi_ipmiseld
- Allow rabbitmq to read nfs state data. BZ(1122412)
- Allow named to read /var/tmp/DNS_25 labeled as krb5_host_rcache_t.
- Add rolekit policy
- ALlow rolekit domtrans to sssd_t.
- Add kerberos_tmp_filetrans_kadmin() interface.
- rolekit should be noaudit.
- Add rolekit_manage_keys().
- Need to label rpmnew file correctly
- Allow modemmanger to connectto itself
2014-10-29 11:24:42 +01:00
Lukas Vrabec
317f5a18dc * Tue Oct 21 2014 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-88
- Allow couchdb read sysctl_fs_t files. BZ(1154327)
- Allow osad to connect to jabber client port. BZ (1154242)
- Allow mon_statd to send syslog msgs. BZ (1077821
- Allow apcupsd to get attributes of filesystems with xattrs
2014-10-21 15:45:35 +02:00
Miroslav Grepl
650be6afbf - Allow systemd-networkd to be running as dhcp client.
- Label /usr/bin/cockpit-bridge as shell_exec_t.
- Add label for /var/run/systemd/resolve/resolv.conf.
- ALlow listen and accept on tcp socket for init_t in MLS. Previously it was for xinetd_t.
- Allow systemd-networkd to be running as dhcp client.
- Label /usr/bin/cockpit-bridge as shell_exec_t.
- Add label for /var/run/systemd/resolve/resolv.conf.
- ALlow listen and accept on tcp socket for init_t in MLS. Previously it was for xinetd_t.
2014-10-17 10:12:44 +02:00
Lukas Vrabec
8db354a9b7 * Tue Oct 14 2014 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-86
- Dontaudit aicuu to search home config dir. BZ (#1104076)
- couchdb is using erlang so it needs execmem privs
- ALlow sanlock to send a signal to virtd_t.
- Allow mondogdb to  'accept' accesses on the tcp_socket port.
- Make sosreport as unconfined domain.
- Allow nova-console to connect to mem_cache port.
- Allow mandb to getattr on file systems
- Allow read antivirus domain all kernel sysctls.
- Allow lmsd_plugin to read passwd file. BZ(1093733)
- Label /usr/share/corosync/corosync as cluster_exec_t.
- ALlow sensord to getattr on sysfs.
- automount policy is non-base module so it needs to be called in optional block.
- Add auth_use_nsswitch for portreserve to make it working with sssd.
- Fix samba_export_all_ro/samba_export_all_rw booleans to dontaudit search/read security files.
- Allow openvpn to execute  systemd-passwd-agent in  systemd_passwd_agent_t to make openvpn working with systemd.
- Allow openvpn to access /sys/fs/cgroup dir.
- Allow nova-scheduler to read certs
- Add support for /var/lib/swiftdirectory.
- Allow neutron connections to system dbus.
- Allow mongodb to manage own log files.
- Allow opensm_t to read/write /dev/infiniband/umad1.
- Added policy for mon_statd and mon_procd services. BZ (1077821)
- kernel_read_system_state needs to be called with type. Moved it to antivirus.if.
- Allow dnssec_trigger_t to execute unbound-control in own domain.
- Allow all RHCS services to read system state.
- Added monitor device
- Add interfaces for /dev/infiniband
- Add infiniband_device_t for /dev/infiniband instead of fixed_disk_device_t type.
- Add files_dontaudit_search_security_files()
- Add selinuxuser_udp_server boolean
- ALlow syslogd_t to create /var/log/cron  with correct labeling
- Add support for /etc/.updated and /var/.updated
- Allow iptables read fail2ban logs. BZ (1147709)
- ALlow ldconfig to read proc//net/sockstat.
2014-10-14 11:51:56 +02:00
Lukas Vrabec
cf89798586 * Mon Oct 06 2014 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-85
- Allow nova domains to getattr on all filesystems.
- ALlow zebra for user/group look-ups.
- Allow lsmd to search own plguins.
- Allow sssd to read selinux config to add SELinux user mapping.
- Allow swift to connect to all ephemeral ports by default.
- Allow NetworkManager to create Bluetooth SDP sockets
- Allow keepalived manage snmp var lib sock files. BZ(1102228)
- Added policy for blrtty. BZ(1083162)
- Allow rhsmcertd manage rpm db. BZ(#1134173)
- Allow rhsmcertd send signull to setroubleshoot. BZ (#1134173)
- Label /usr/libexec/rhsmd as rhsmcertd_exec_t
- Fix broken interfaces
- Added sendmail_domtrans_unconfined interface
- Added support for cpuplug. BZ (#1077831)
- Fix bug in drbd policy, BZ (#1134883)
- Make keystone_cgi_script_t domain. BZ (#1138424)
- fix dev_getattr_generic_usb_dev interface
- Label 4101 tcp port as brlp port
- Allow libreswan to connect to VPN via NM-libreswan.
- Add userdom_manage_user_tmpfs_files interface
2014-10-06 16:53:41 +02:00
Lukas Vrabec
245c83ebf9 * Tue Sep 30 2014 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-84
- Allow all domains to read fonts
- Allow rabbitmq_t read rabbitmq_var_lib_t lnk files. BZ (#1147028)
- Allow pki-tomcat to change SELinux object identity.
- Allow radious to connect to apache ports to do OCSP check
- Allow git cgi scripts to create content in /tmp
- Allow cockpit-session to do GSSAPI logins.
2014-09-30 09:38:06 +02:00
Lukas Vrabec
3430335564 * Mon Sep 22 2014 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-83
- Make sure /run/systemd/generator and system is labeled correctly on creation.
- Additional access required by usbmuxd
- Allow sensord read in /proc BZ(#1143799)
2014-09-22 15:16:17 +02:00
Miroslav Grepl
0399c8ba54 - Allow du running in logwatch_t read hwdata.
- Allow sys_admin capability for antivirus domians.
- Use nagios_var_lib_t instead of nagios_lib_t in nagios.fc.
- Add support for pnp4nagios.
- Add missing labeling for /var/lib/cockpit.
- Label resolv.conf as docker_share_t under docker so we can read within a container
- Remove labeling for rabbitmqctl
- setfscreate in pki.te is not capability class.
- Allow virt domains to use virtd tap FDs until we get proper handling in libvirtd.
- Allow wine domains to create cache dirs.
- Allow newaliases to systemd inhibit pipes.
- Add fixes for pki-tomcat scriptlet handling.
- Allow user domains to manage all gnome home content
- Allow locate to look at files/directories without labels, and chr_file and blk_file on non dev file systems
- Allow usbmuxd chown capabilitiesllow locate to look at files/directories without labels, and chr_file and blk_file on non dev file systems
2014-09-18 15:22:06 +02:00
Lukas Vrabec
6021c02dec * Thu Sep 11 2014 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-81
- Label /usr/lib/erlang/erts.*/bin files as bin_t
- Added changes related to rabbitmq daemon.
- Fix labeling in couchdb policy
- Allow rabbitmq bind on epmd port
- Clean up rabbitmq policy
- fix domtrans_rabbitmq interface
- Added rabbitmq_beam_t and rabbitmq_epmd_t alias
- Allow couchdb to getattr
- Allow couchdb write to couchdb_conf files
- Allow couchdb to create dgram_sockets
- Added support for ejabberd
2014-09-11 17:53:40 +02:00
Lukas Vrabec
ae5a648040 * Wed Sep 10 2014 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-80
- Back port workaround for #1134389 from F20. It needs to be removed from rawhide once we ship F21.
- Since docker will now label volumes we can tighten the security of docker
2014-09-10 15:47:04 +02:00
Lukas Vrabec
6c07cc84bd * Wed Sep 10 2014 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-79
- Re-arange openshift_net_read_t rules.
- Kernel is reporting random block_suspends, we should dontaudit these until the kernel is fixed in Rawhide
- Allow jockey_t to use tmpfs files
- Allow pppd to create sock_files in /var/run
- Allow geoclue to stream connect to smart card service
- Allow docker to read all of /proc
- ALlow passeneger to read/write apache stream socket.
- Dontaudit read init state for svirt_t.
- Label /usr/sbin/unbound-control as named_exec_t (#1130510)
- Add support for /var/lbi/cockpit directory.
- Add support for ~/. speech-dispatcher.
- Allow nmbd to read /proc/sys/kernel/core_pattern.
- aLlow wine domains to create wine_home symlinks.
- Allow policykit_auth_t access check and read usr config files.
- Dontaudit access check on home_root_t for policykit-auth.
- hv_vss_daemon wants to list /boot
- update gpg_agent_env_file booelan to allow manage user tmp files for gpg-agent
- Fix label for /usr/bin/courier/bin/sendmail
- Allow munin services plugins to execute fail2ban-client in fail2ban_client_t domain.
- Allow unconfined_r to access unconfined_service_t.
- Add label for ~/.local/share/fonts
- Add init_dontaudit_read_state() interface.
- Add systemd_networkd_var_run_t labeling for /var/run/systemd/netif and allow systemd-networkd to manage it.
- Allow udev_t mounton udev_var_run_t dirs #(1128618)
- Add files_dontaudit_access_check_home_dir() inteface.
2014-09-10 10:55:03 +02:00
Lukas Vrabec
6823c75b4e Fix release number 2014-09-02 20:28:48 +02:00
Lukas Vrabec
9532ecd407 * Tue Sep 02 2014 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-78
- Allow unconfined_service_t to dbus chat with all dbus domains
- Assign rabbitmq port.  BZ#1135523
- Add new interface to allow creation of file with lib_t type
- Allow init to read all config files
- We want to remove openshift_t domains ability to look at /proc/net
- I guess lockdown is a file not a directory
- Label /var/bacula/ as bacula_store_t
- Allow rhsmcertd to seng signull to sosreport.
- Allow sending of snmp trap messages by radiusd.
- remove redundant rule fron nova.te.
- Add auth_use_nsswitch() for ctdbd.
- call nova_vncproxy_t instead of vncproxy.
- Allow nova-vncproxy to use varnishd port.
- Fix rhnsd_manage_config() to allow manage also symlinks.
- Allow bacula to create dirs/files in /tmp
- Allow nova-api to use nsswitch.
- Clean up nut policy. Allow nut domains to create temp files. Add nut_domain_template() template interface.
- Allow usbmuxd connect to itself by stream socket. (#1135945)
- I see no reason why unconfined_t should transition to crontab_t, this looks like old cruft
- Allow nswrapper_32_64.nppdf.so to be created with the proper label
- Assign rabbitmq port.  BZ#1135523
- Dontaudit leaks of file descriptors from domains that transition to  thumb_t
- Fixes for usbmuxd, addition of /var/lib/lockdown, and allow it to use urand, dontaudit sys_resource
- Allow unconfined_service_t to dbus chat with all dbus domains
- Allow avahi_t communicate with pcp_pmproxy_t over dbus.(better way)
2014-09-02 20:27:29 +02:00
Lukas Vrabec
c463599b36 * Thu Aug 28 2014 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-77
- Allow aide to read random number generator
- Allow pppd to connect to http port. (#1128947)
- sssd needs to be able write krb5.conf.
- Labeli initial-setup as install_exec_t.
- Allow domains to are allowed to mounton proc to mount on files as well as dirs
2014-08-28 15:33:54 +02:00
Lukas Vrabec
45b429ef46 * Tue Aug 26 2014 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-76
- Label ~/tmp and ~/.tmp directories in user tmp dirs as user_tmp_t
- Add a port definition for shellinaboxd
- Fix labeling for HOME_DIR/tmp and HOME_DIR/.tmp directories
- Allow thumb_t to read/write video devices
- fail2ban 0.9 reads the journal by default.
- Allow sandbox net domains to bind to rawip socket
2014-08-26 17:39:34 +02:00
Lukas Vrabec
f9cc8e052f * Fri Aug 22 2014 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-75
- Allow haproxy to read /dev/random and /dev/urandom.
- Allow mdadm to seng signull kernel_t which is proces type of mdadm on early boot.
- geoclue needs to connect to http and http_cache ports
- Allow passenger to use unix_stream_sockets leaked into it, from httpd
- Add SELinux policy for highly-available key value store for shared configuration.
- drbd executes modinfo.
- Add glance_api_can_network boolean since glance-api uses huge range port.
- Fix glance_api_can_network() definition.
- Allow smoltclient to connect on http_cache port. (#982199)
- Allow userdomains to stream connect to pcscd for smart cards
- Allow programs to use pam to search through user_tmp_t dires (/tmp/.X11-unix)
- Added MLS fixes to support labeled socket activation which is going to be done by systemd
- Add kernel_signull() interface.
- sulogin_t executes plymouth commands
- lvm needs to be able to accept connections on stream generic sockets
2014-08-22 16:05:38 +02:00
Kevin Fenzi
5f1085b7ba Rebuild for rpm bug 1131960 2014-08-21 11:49:05 -06:00
Lukas Vrabec
9229b61067 * Mon Aug 18 2014 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-73
- Allow ssytemd_logind_t to list tmpfs directories
- Allow lvm_t to create undefined sockets
- Allow passwd_t to read/write stream sockets
- Allow docker lots more access.
- Fix label for ports
- Add support for arptables-{restore,save} and also labeling for /usr/lib/systemd/system/arptables.service.
- Label tcp port 4194 as kubernetes port.
- Additional access required for passenger_t
- sandbox domains should be allowed to use libraries which require execmod
- Allow qpid to read passwd files BZ (#1130086)
- Remove cockpit port, it is now going to use websm port
- Add getattr to the list of access to dontaudit on unix_stream_sockets
- Allow sendmail to append dead.letter located in var/spool/nagios/dead.letter.
2014-08-18 17:43:18 +02:00
Lukas Vrabec
3399c51143 * Tue Aug 12 2014 Lukas Vrabec <lvrabec@redhat.com> 3.12.1-72
- docker needs to be able to look at everything in /dev
- Allow all processes to send themselves signals
- Allow sysadm_t to create netlink_tcpdiag socket
- sysadm_t should be allowed to communicate with networkmanager
- These are required for bluejeans to work on a unconfined.pp disabled
machine
- docker needs setfcap
- Allow svirt domains to manage chr files and blk files for mknod
commands
- Allow fail2ban to read audit logs
- Allow cachefilesd_t to send itself signals
- Allow smokeping cgi script to send syslog messages
- Allow svirt sandbox domains to relabel content
- Since apache content can be placed anywhere, we should just allow
apache to search through any directory
- These are required for bluejeans to work on a unconfined.pp disabled
machine
2014-08-12 13:41:36 +02:00
Miroslav Grepl
0bd1c473cc * Mon Aug 4 2014 Miroslav Grepl <mgrepl@redhat.com> 3.13.1-71
- shell_exec_t should not be in cockip.fc
2014-08-04 15:44:24 +02:00
Miroslav Grepl
c950f2dee8 - Add additional fixes for abrt-dump-journal-oops which is now labeled as abrt_dump_oops_exec_t.
- Allow denyhosts to enable synchronization which needs to connect to tcp/9911 port.
- Allow nacl_helper_boo running in :chrome_sandbox_t to send SIGCHLD to chrome_sandbox_nacl_t.
- Dontaudit write access on generic cert files. We don't audit also access check.
- Add support for arptables.
- Add labels and filenametrans rules for ostree repo directories which needs to be writable by subscription-manager.
2014-08-04 09:21:15 +02:00
Tom Callaway
4abfbc52c1 fix license handling 2014-08-04 01:11:48 -04:00
Miroslav Grepl
540429c2f1 - Add new mozilla_plugin_bind_unreserved_ports boolean to allow mozilla plugin to use tcp/udp unreserved ports. There is a lot of plugins which binds ports without SELinux port type. We want to allow user
- Allow smokeping cgi scripts to accept connection on httpd stream socket.
- docker does a getattr on all file systems
- Label all abort-dump programs
- Allow alsa to create lock file to see if it fixes.
- Add support for zabbix external scripts for which zabbix_script_t domain has been created. This domain is unconfined by default and user needs to run "semodule -d unconfined" to make system running with
- Add interface for journalctl_exec
- Add labels also for glusterd sockets.
- Change virt.te to match default docker capabilies
- Add additional booleans for turning on mknod or all caps.
- Also add interface to allow users to write policy that matches docker defaults
- for capabilies.
- Label dhcpd6 unit file.
- Add support also for dhcp IPv6 services.
- Added support for dhcrelay service
- Additional access for bluejeans
- docker needs more access, need back port to RHEL7
- Allow mdadm to connect to own socket created by mdadm running as kernel_t.
- Fix pkcs, Remove pkcs_lock_filetrans and Add files_search_locks
- Allow bacula manage bacula_log_t dirs
- Allow pkcs_slotd_t read /etc/passwd, Label /var/lock/opencryptoki as pkcs_slotd_lock_t
- Fix mistakes keystone and quantum
- Label neutron var run dir
- Label keystone var run dir
- Fix bad labeling for /usr/s?bin/(oo|rhc)-restorer-wrapper.sh in openshift.fc.
- Dontaudit attempts to access check cert dirs/files for sssd.
- Allow sensord to send a signal.
- Allow certmonger to stream connect to dirsrv to make  ipa-server-install working.
- Label zabbix_var_lib_t directories
- Label conmans pid file as conman_var_run_t
- Label also /var/run/glusterd.socket file as gluster_var_run_t
- Fix policy for pkcsslotd from opencryptoki
- Update cockpik policy from cockpit usptream.
- Allow certmonger to exec ldconfig to make  ipa-server-install  working.
- Added support for Naemon policy
- Allow keepalived manage snmp files
- Add setpgid process to mip6d
- remove duplicate rule
- Allow postfix_smtpd to stream connect to antivirus
- Dontaudit list /tmp for icecast
- Allow zabbix domains to access /proc//net/dev.

Conflicts:
	selinux-policy.spec
2014-07-31 20:54:49 +02:00
Lukas Vrabec
0a90ee743a * Thu Jul 24 2014 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-67
- Allow zabbix domains to access /proc//net/dev.
- Dontaudit list /tmp for icecast (#894387)
- Allow postfix_smtpd to stream connect to antivirus (#1105889)
- Add setpgid process to mip6d
- Allow keepalived manage snmp files(#1053450)
- Added support for Naemon policy (#1120789).
- Allow certmonger to exec ldconfig to make  ipa-server-install
working. (#1122110)
- Update cockpik policy from cockpit usptream.
2014-07-24 16:12:42 +02:00
Miroslav Grepl
6683373910 - Revert labeling back to /var/run/systemd/initctl/fifo
- geoclue dbus chats with modemmanger
- Bluejeans wants to connect to port 5000
- geoclue dbus chats with modemmange
2014-07-21 09:07:57 +02:00
Lukas Vrabec
ee1386c00c * Fri Jul 18 2014 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-65
- Allow sysadm to dbus chat with systemd
- Add logging_dontaudit_search_audit_logs()
- Add new files_read_all_mountpoint_symlinks()
- Fix labeling path from /var/run/systemd/initctl/fifo to /var/run/initctl/fifo.
- Allow ndc to read random and urandom device (#1110397)
- Allow zabbix to read system network state
- Allow fprintd to execute usr_t/bin_t
- Allow mailserver_domain domains to append dead.letter labeled as mail_home_t
- Add glance_use_execmem boolean to have glance configured to use Ceph/rbd
- Dontaudit search audit logs for fail2ban
- Allow mailserver_domain domains to create mail home content with right labeling
- Dontaudit svirt_sandbox_domain doing access checks on /proc
- Fix  files_pid_filetrans() calling in nut.te to reflect allow rules.
- Use nut_domain attribute for files_pid_filetrans() for nut domains.
- Allow sandbox domains read all mountpoint symlinks to make symlinked homedirs
- Fix nut domains only have type transition on dirs in /run/nut directory.
- Allow net_admin/net_raw capabilities for haproxy_t. haproxy uses setsockopt()
- Clean up osad policy. Remove additional interfaces/rules
2014-07-18 11:47:02 +02:00
Lukas Vrabec
3e33a0a354 * Mon Jul 14 2014 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-64
- Allow systemd domains to check lvm status
- Allow getty to execute plymouth.#1112870
- Allow sshd to send signal to chkpwd_t
- initrctl fifo file has been renamed
- Set proper labeling on /var/run/sddm
- Fix labeling for cloud-init logs
- Allow kexec to read kallsyms
- Add rhcs_stream_connect_haproxy interface, Allow neutron stream
connect to rhcs
- Add fsetid caps for mandb. #1116165
- Allow all nut domains to read  /dev/(u)?random.
- Allow deltacloudd_t to read network state BZ #1116940
- Add support for KVM virtual machines to use NUMA pre-placement
- Allow utilize winbind for authentication to AD
- Allow chrome sandbox to use udp_sockets leaked in by its parent
- Allow gfs_controld_t to getattr on all file systems
- Allow logrotate to manage virt_cache
- varnishd needs to have fsetid capability
- Allow dovecot domains to send signal perms to themselves
- Allow apache to manage pid sock files
- Allow nut_upsmon_t to create sock_file in /run dir
- Add capability sys_ptrace to stapserver
- Mysql can execute scripts when run in a cluster to see if someone is
listening on a socket, basically runs lsof
- Added support for vdsm
2014-07-14 22:33:38 +02:00
Miroslav Grepl
682896c0a1 - If I can create a socket I need to be able to set the attributes
- Add tcp/8775 port as neutron port
- Add additional ports for swift ports
- Added changes to fedora from bug bz#1082183
- Add support for tcp/6200 port
- Allow collectd getattr access to configfs_t dir Fixes Bug 1115040
- Update neutron_manage_lib_files() interface
- Allow glustered to connect to ephemeral ports
- Allow apache to search ipa lib files by default
- Allow neutron to domtrans to haproxy
- Add rhcs_domtrans_haproxy()
- Add support for openstack-glance-* unit files
- Add initial support for /usr/bin/glance-scrubber
- Allow swift to connect to keystone and memcache ports.
- Fix labeling for /usr/lib/systemd/system/openstack-cinder-backup
- Add policies for openstack-cinder
- Add support for /usr/bin/nova-conductor
- Add neutron_can_network boolean
- Allow neutron to connet to neutron port
- Allow glance domain to use syslog
- Add support for /usr/bin/swift-object-expirer and label it as swift_exec_t
2014-07-04 18:51:18 +02:00
Miroslav Grepl
24862fd309 - Allow swift to use tcp/6200 swift port
- ALlow swift to search apache configs
- Remove duplicate .fc entry for Grilo plugin bookmarks
- Remove duplicate .fc entry for telepathy-gabble
- Additional allow rules for docker sandbox processes
- Allow keepalived connect to agentx port
- Allow neutron-ns-metadata to connectto own unix stream socket
- Add support for tcp/6200 port
- Remove ability for confined users to run xinit
- New tool for managing wireless /usr/sbin/iw
2014-06-25 10:50:56 +02:00
Miroslav Grepl
e00cf0abb1 Fix spec file issues 2014-06-23 08:17:40 +02:00
Miroslav Grepl
9c9e4dd1a4 permissivedomains.pp should not be in MLS 2014-06-23 07:39:51 +02:00
Miroslav Grepl
211fb9932a * Fri Jun 20 2014 Miroslav Grepl<mgrepl@redhat.com> 3.13.1-61
- Add back MLS policy
2014-06-20 16:27:18 +02:00
Miroslav Grepl
c04c318879 * Thu Jun 19 2014 Miroslav Grepl<mgrepl@redhat.com> 3.13.1-60
- Implement new spec file handling for *.pp modules which allows us to move a policy module out of the policy
2014-06-19 16:53:27 +02:00
Miroslav Grepl
c629d27ef4 Merge user_tmp patches to base patches 2014-06-17 09:30:08 +02:00
Miroslav Grepl
1c0c710fe4 * Tue Jun 17 2014 Miroslav Grepl<mgrepl@redhat.com> 3.13.+- Allow system_bus_types to use stream_sockets inherited
- Allow system_bus_types to use stream_sockets inherited
- Allow journalctl to call getpw
- New access needed by dbus to talk to kernel stream
- Label sm-notifypid files correctly
- contrib: Add KMSCon policy module
2014-06-17 07:24:58 +02:00
Miroslav Grepl
a629498afd - Add mozilla_plugin_use_bluejeans boolean
- Add additional interfaces needed by mozilla_plugin_use_bluejeans boolean
2014-06-11 20:13:51 +02:00
Miroslav Grepl
686a38099f - Allow staff_t to communicate and run docker
- Fix *_ecryptfs_home_dirs booleans
- Allow ldconfig_t to read/write inherited user tmp pipes
- Allow storaged to dbus chat with lvm_t
- Add support for storaged  and storaged-lvm-helper. Labeled it as lvm_exec_t.
- Use proper calling in ssh.te for userdom_home_manager attribute
- Use userdom_home_manager_type() also for ssh_keygen_t
- Allow locate to list directories without labels
- Allow bitlbee to use tcp/7778 port
- /etc/cron.daily/logrotate to execute fail2ban-client.
- Allow keepalives to connect to SNMP port. Support to do  SNMP stuff
- Allow staff_t to communicate and run docker
- Dontaudit search mgrepl/.local for cobblerd_t
- Allow neutron to execute kmod in insmod_t
- Allow neutron to execute udevadm in udev_t
- Allow also fowner cap for varnishd
- Allow keepalived to execute bin_t/shell_exec_t
- rhsmcertd seems to need these accesses.  We need this backported to RHEL7 and perhaps RHEL6 policy
- Add cups_execmem boolean
- Allow gear to manage gear service
- New requires for gear to use systemctl and init var_run_t
- Allow cups to execute its rw_etc_t files, for brothers printers
- Add fixes to make munin and munin-cgi working. Allow munin-cgit to create files/dirs in /tmp, list munin co
- Allow swift to execute bin_t
- Allow swift to bind http_cache
2014-06-09 09:05:58 +02:00
Dennis Gilmore
07a8be1e18 - Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild 2014-06-08 01:07:47 -05:00
Miroslav Grepl
0ddb744a37 - Add decl for cockip port
- Allow sysadm_t to read all kernel proc
- Allow logrotate to execute all executables
- Allow lircd_t to use tty_device_t for use withmythtv
- Make sure all zabbix files direcories in /var/log have the correct label
- Allow bittlebee to create directories and files in /var/log with the correct label
- Label /var/log/horizon as an apache log
- Add squid directory in /var/run
- Add transition rules to allow rabbitmq to create log files and var_lib files with the correct label
- Wronly labeled avahi_var_lib_t as a pid file
- Fix labels on rabbitmq_var_run_t on file/dir creation
- Allow neutron to create sock files
- Allow postfix domains to getattr on all file systems
- Label swift-proxy-server as swift_exec_t
- Tighten SELinux capabilities to match docker capabilities
- Add fixes for squid which is configured to run with more than one worker.
- Allow cockpit to bind to its port
2014-05-27 10:30:27 +02:00
Miroslav Grepl
cccaf8f646 - geard seems to do a lot of relabeling
- Allow system_mail_t to append to munin_var_lib_t
- Allow mozilla_plugin to read alsa_rw_ content
- Allow asterisk to connect to the apache ports
- Dontaudit attempts to read fixed disk
- Dontaudit search gconf_home_t
- Allow rsync to create  swift_server.lock with swift.log labeling
- Add labeling for swift lock files
- Use swift_virt_lock in swift.te
- Allow openwsman to getattr on sblim_sfcbd executable
- Fix sblim_stream_connect_sfcb() to contain also sblim_tmp_t
- Allow openwsman_t to read/write sblim-sfcb shared mem
- Allow openwsman to stream connec to sblim-sfcbd
- Allow openwsman to create tmpfs files/dirs
- dontaudit acces to rpm db if rpm_exec for swift_t and sblim_sfcb
- Allow sblim_sfcbd to execute shell
- Allow swift to create lock file
- Allow openwsman to use tcp/80
- Allow neutron to create also dirs in /tmp
- Allow seunshare domains to getattr on all executables
- Allow ssh-keygen to create temporary files/dirs needed by OpenSt
- Allow named_filetrans_domain to create /run/netns
- Allow ifconfig to create /run/netns
2014-05-20 07:59:07 +02:00
Miroslav Grepl
7768984e85 Bump version 2014-05-13 14:44:23 +02:00
Miroslav Grepl
dfbb9aca62 * Tue May 13 2014 Miroslav Grepl<mgrepl@redhat.com> 3.13.1-
- Add missing dyntransition for sandbox_x_domain
2014-05-13 14:42:28 +02:00
Miroslav Grepl
dbf4ab85b0 - Added iotop policy. Thanks William Brown
- Allow spamc to read .pyzor located in /var/spool/spampd
- Allow spamc to create home content with correct labeling
- Allow logwatch_mail_t to create dead.letter with correct labelign
- Add labeling for min-cloud-agent
- Allow geoclue to read unix in proc.
- Add support for /usr/local/Brother labeling. We removed /usr/local equiv.
- add support for min-cloud-agent
- Allow ulogd to request the kernel to load a module
- remove unconfined_domain for openwsman_t
- Add openwsman_tmp_t rules
- Allow openwsman to execute chkpwd and make this domain as unconfined for F20.
- Allow nova-scheduler to read passwd file
- Allow neutron execute arping in neutron_t
- Dontaudit logrotate executing systemctl command attempting to net_admin
- Allow mozilla plugins to use /dev/sr0
- svirt sandbox domains to read gear content in /run. Allow gear_t to manage openshift file
- Any app that executes systemctl will attempt a net_admin
- Fix path to mmap_min_addr
2014-05-13 08:13:43 +02:00
Miroslav Grepl
6fbf46087c - More rules for gears and openshift 2014-05-07 21:48:58 +02:00
Miroslav Grepl
4c682c4ccf * Wed May 7 2014 Miroslav Grepl<mgrepl@redhat.com> 3.13.1-51
- Add gear fixes from dwalsh
2014-05-07 15:30:41 +02:00
Miroslav Grepl
9d0057f462 - selinux_unconfined_type should not be able to set booleans if the securemode is set
- Update sandbox_transition() to call sandbox_dyntrasition(). #885288.
2014-05-06 18:39:47 +02:00
Miroslav Grepl
4e5d63b465 - Fix labeling for /root/\.yubico
- userdom_search_admin_dir() calling needs to be optional in kernel.te
- Dontaudit leaked xserver_misc_device_t into plugins
- Allow all domains to search through all base_file_types, this should be back ported to RHEL7 policy
- Need to allow sssd_t to manage kernel keyrings in login programs since they don't get labeled with user domains
- Bootloader wants to look at init state
- Add MCS/MLS Constraints to kernel keyring, also add MCS Constraints to ipc, sem.msgq, shm
- init reads kdbump etc files
- Add support for tcp/9697
- Fix labeling for /var/run/user/<UID>/gvfs
- Add support for us_cli ports
- fix sysnet_use_ldap
- Allow mysql to execute ifconfig if Red Hat OpenStack
- ALlow stap-server to get attr on all fs
- Fix mail_pool_t to mail_spool_t
- Dontaudit leaked xserver_misc_device_t into plugins
- Need to allow sssd_t to manage kernel keyrings in login programs since they don't get labeled with user domains
- Add new labeling for /var/spool/smtpd
- Allow httpd_t to kill passenger
- Allow apache cgi scripts to use inherited httpd_t unix_stream_sockets
- Allow nova-scheduler to read passwd/utmp files
- Additional rules required by openstack,  needs backport to F20 and RHEL7
- Additional access required by docker
- ALlow motion to use tcp/8082 port
2014-05-05 19:15:58 +02:00
Miroslav Grepl
3f5abd2216 - Fix virt_use_samba boolean
- Looks like all domains that use dbus libraries are now reading /dev/uran
- Add glance_use_fusefs() boolean
- Allow tgtd to read /proc/net/psched
- Additional access required for gear management of openshift directories
- Allow sys_ptrace for mock-build
- Fix mock_read_lib_files() interface
- Allow mock-build to write all inherited ttys and ptys
- Allow spamd to create razor home dirs with correct labeling
- Clean up sysnet_use_ldap()
- systemd calling needs to be optional
- Allow init_t to setattr/relabelfrom dhcp state files
2014-04-25 09:09:15 +02:00
Miroslav Grepl
bf38d6fee2 - mongod should not be a part of cloudforms.pp
- Fix labeling in snapper.fc
- Allow docker to read unconfined_t process state
- geoclue dbus chats with NetworkManager
- Add cockpit policy
- Add interface to allow tools to check the processes state of bind/named
- Allow myslqd to use the tram port for Galera/MariaDB
2014-04-23 11:47:29 +02:00
Miroslav Grepl
7ca2b30721 - Allow init_t to setattr/relabelfrom dhcp state files
- Allow dmesg to read hwdata and memory dev
- Allow strongswan to create ipsec.secrets with correct labeling in /etc/strongswan
- Dontaudit antivirus domains read access on all security files by default
- Add missing alias for old amavis_etc_t type
- Additional fixes for  instack overcloud
- Allow block_suspend cap for haproxy
- Allow OpenStack to read mysqld_db links and connect to MySQL
- Remove dup filename rules in gnome.te
- Allow sys_chroot cap for httpd_t and setattr on httpd_log_t
- Add labeling for /lib/systemd/system/thttpd.service
- Allow iscsid to handle own unit files
- Add iscsi_systemctl()
- Allow mongod also create sock_file with correct labeling in /run
- Allow aiccu stream connect to pcscd
- Allow rabbitmq_beam to connect to httpd port
- Allow httpd to send signull to apache script domains and don't audit leaks
- Fix labeling in drbd.fc
- Allow sssd to connect to the smbd port for handing logins using active directory, needs back
- Allow all freeipmi domains to read/write ipmi devices
- Allow rabbitmq_epmd to manage rabbit_var_log_t files
- Allow sblim_sfcbd to use also pegasus-https port
- Allow chronyd to read /sys/class/hwmon/hwmon1/device/temp2_input
- Add httpd_run_preupgrade boolean
- Add interfaces to access preupgrade_data_t
- Add preupgrade policy
- Add labeling for puppet helper scripts
2014-04-18 14:31:10 +02:00
Miroslav Grepl
1aabaf6c8d * Tue Apr 8 2014 Miroslav Grepl<mgrepl@redhat.com> 3.13.1-45
Rename puppet_t to puppetagent_
2014-04-08 11:35:12 +02:00
Miroslav Grepl
3f1341d528 - Change hsperfdata_root to have as user_tmp_t
- Allow rsyslog low-level network access
- Fix use_nfs_home_dirs/use_samba_home_dirs for xdm_t to allow append .xsession-errors by li
- Allow conman to resolve DNS and use user ptys
- update pegasus_openlmi_admin_t policy
- nslcd wants chown capability
- Dontaudit exec insmod in boinc policy
2014-04-08 07:25:43 +02:00
Miroslav Grepl
c14474eca6 - Add labels for /var/named/chroot_sdb/dev devices
- Add support for strongimcv
- Add additional fixes for yubikeys based on william@firstyear.id.au
- Allow init_t run /sbin/augenrules
- Remove dup decl for dev_unmount_sysfs_fs
- Allow unpriv SELinux user to use sandbox
- Fix ntp_filetrans_named_content for sntp-kod file
- Add httpd_dbus_sssd boolean
- Dontaudit exec insmod in boinc policy
- Add dbus_filetrans_named_content_system()
- We want to label only /usr/bin/start-puppet-master to avoid puppet agent running in puppet_t
- varnishd wants chown capability
- update ntp_filetrans_named_content() interface
- Add additional fixes for neutron_t. #1083335
- Dontaudit sandbox_t getattr on proc_kcore_t
- Allow pki_tomcat_t to read ipa lib files
2014-04-04 10:51:29 +02:00
Miroslav Grepl
33665e5aa5 * Tue Apr 1 2014 Miroslav Grepl<mgrepl@redhat.com> 3.13.1-42
- Merge user_tmp_t and user_tmpfs_t together to have only user_tmp_t
2014-04-01 12:33:30 +02:00
Miroslav Grepl
f8f75f94a2 - Turn on gear_port_t
- Add gear policy and remove permissive domains.
- Add labels for ostree
- Add SELinux awareness for NM
- Label /usr/sbin/pwhistory_helper as updpwd_exec_t
2014-03-27 20:39:58 +01:00
Miroslav Grepl
1f53e62396 - update storage_filetrans_all_named_dev for sg* devices
- Allow auditctl_t  to getattr on all removeable devices
- Allow nsswitch_domains to stream connect to nmbd
- Allow rasdaemon to rw /dev/cpu//msr
- fix /var/log/pki file spec
- make bacula_t as auth_nsswitch domain
- Allow certmonger to manage ipa lib files
- Add support for /var/lib/ipa
2014-03-26 10:51:19 +01:00
Miroslav Grepl
8ad9144b00 - Manage_service_perms should include enable and disable, need backport to RHEL7
- Allow also unpriv user to run vmtools
- Allow secadm to read /dev/urandom and meminfo
- Add userdom_tmp_role for secadm_t
- Allow postgresql to read network state
- Add a new file context for /var/named/chroot/run directory
- Add booleans to allow docker processes to use nfs and samba
- Dontaudit net_amdin for /usr/lib/jvm/java-1.7.0-openjdk-1.7.0.51-2.4.5.1.el7.x86_64/jre-abrt/b
- Allow puppet stream connect to mysql
- Fixed some rules related to puppet policy
- Allow vmware-user-sui to use user ttys
- Allow talk 2 users logged via console too
- Additional avcs for docker when running tests
- allow anaconda to dbus chat with systemd-localed
- clean up rhcs.te
- remove dup rules from haproxy.te
- Add fixes for haproxy based on bperkins@redhat.com
- Allow cmirrord to make dmsetup working
- Allow NM to execute arping
- Allow users to send messages through talk
- update rtas_errd policy
- Add support for /var/spool/rhsm/debug
- Make virt_sandbox_use_audit as True by default
- Allow svirt_sandbox_domains to ptrace themselves
- Allow snmpd to getattr on removeable and fixed disks
- Allow docker containers to manage /var/lib/docker content
2014-03-25 09:50:55 +01:00
Miroslav Grepl
443a36eeca Remove smstools.pp to make upgrade working 2014-03-20 14:46:43 +01:00
Miroslav Grepl
38dae99c57 Create base.lst which contains list of base policy modules 2014-03-18 18:35:19 +01:00
Miroslav Grepl
8e18cc2081 - Label sddm as xdm_exec_t to make KDE working again
- Allow postgresql to read network state
- Allow java running as pki_tomcat to read network sysctls
- Fix cgroup.te to allow cgred to read cgconfig_etc_t
- Allow beam.smp to use ephemeral ports
- Allow winbind to use the nis to authenticate passwords
2014-03-17 17:29:57 +01:00
Miroslav Grepl
6337678e76 - Allow collectd to talk to libvirt
- Allow chrome_sandbox to use leaked unix_stream_sockets
- Dontaudit leaks of sockets into chrome_sandbox_t
- If you create a cups directory in /var/cache then it should be labeled cups_rw_etc_t
- Run vmtools as unconfined domains
- Allow snort to manage its log files
- Allow systemd_cronjob_t to be entered via bin_t
- Allow procman to list doveconf_etc_t
- allow keyring daemon to create content in tmpfs directories
- Add proper labelling for icedtea-web
- vpnc is creating content in networkmanager var run directory
- unconfined_service should be allowed to transition to rpm_script_t
- Allow couchdb to listen on port 6984
- Dontaudit attempts by unpriv user domain to write to /run/mount directory, caused by running mount command
- Allow systemd-logind to setup user tmpfs directories
- Add additional fixes for systemd_networkd_t
- Allow systemd-logind to manage user_tmpfs_t
- Allow systemd-logind to mount /run/user/1000 to get gdm working
2014-03-17 08:59:51 +01:00
Miroslav Grepl
3f9fe17186 - Add additional fixes for systemd_networkd_t
- Allow systemd-logind to manage user_tmpfs_t
- Allow systemd-logind to mount /run/user/1000 to get gdm working
- Dontaudit attempts to setsched on the kernel_t threads
- Allow munin mail plugins to read network systcl
- Fix git_system_enable_homedirs boolean
- Make cimtest script 03_defineVS.py of ComputerSystem group working
- Make  abrt-java-connector working
- Allow net_admin cap for fence_virtd running as fenced_t
- Allow vmtools_helper_t to execute bin_t
- Add support for /usr/share/joomla
2014-03-14 11:01:06 +01:00
Miroslav Grepl
0575d649c8 - sshd to read network sysctls
- Allow vmtools_helper_t to execute bin_t
- Add support for /usr/share/joomla
- /var/lib/containers should be labeled as openshift content for now
- Allow docker domains to talk to the login programs, to allow a process to login into the container
2014-03-13 13:29:54 +01:00
Miroslav Grepl
648f9057dc bump release 2014-03-12 21:45:04 +01:00
Miroslav Grepl
695bbc81ea * Wed Mar 12 2014 Miroslav Grepl<mgrepl@redhat.com> 3.13.1-34
- Add install_t for anaconda
2014-03-12 20:45:39 +01:00
Miroslav Grepl
ab84f40064 - Allow init_t to stream connect to ipsec
- Add /usr/lib/systemd/systemd-networkd policy
- Add sysnet_manage_config_dirs()
- Add support for /var/run/systemd/network and labeled it as net_conf_t
- Allow unpriv SELinux users to dbus chat with firewalld
- Add lvm_write_metadata()
- Label /etc/yum.reposd dir as system_conf_t. Should be safe because system_conf_t is base_ro_file_type
- Add support for /dev/vmcp and /dev/sclp
- Add docker_connect_any boolean
- Fix zabbix policy
- Allow zabbix to send system log msgs
- Allow pegasus_openlmi_storage_t to write lvm metadata
- Updated pcp_bind_all_unreserved_ports
- Allow numad to write scan_sleep_millisecs
- Turn on entropyd_use_audio boolean by default
- Allow cgred to read /etc/cgconfig.conf because it contains templates used together with rules from /etc/cgrules.conf.
- Allow lscpu running as rhsmcertd_t to read /proc/sysinfo
2014-03-12 11:14:14 +01:00
Miroslav Grepl
24a25f20cc - Allow numad to write scan_sleep_millisecs
- Turn on entropyd_use_audio boolean by default
- Allow cgred to read /etc/cgconfig.conf because it contains templates used togeth
- Allow lscpu running as rhsmcertd_t to read /proc/sysinfo
- Allow numad to write scan_sleep_millisecs
- Turn on entropyd_use_audio boolean by default
- Allow cgred to read /etc/cgconfig.conf because it contains templates used togeth
- Allow lscpu running as rhsmcertd_t to read /proc/sysinfo
- Fix label on irclogs in the homedir
2014-03-10 11:51:20 +01:00
Miroslav Grepl
2d6801ddad - Modify xdm_write_home to allow create files/links in /root with xdm_home_t
- Add more fixes for https://fedoraproject.org/wiki/Changes/XorgWithoutRootRights
- Add xserver_dbus_chat() interface
- Add sysnet_filetrans_named_content_ifconfig() interface
- Change userdom_use_user_inherited_ttys to userdom_use_user_ttys for systemd-tty-
- Turn on cron_userdomain_transition by default for now. Until we get a fix for #1
- Allow lscpu running as rhsmcertd_t to read sysinfo
- Allow virt domains to read network state
- Added pcp rules
- Allow ctdbd to connect own ports
- Fix samba_export_all_rw booleanto cover also non security dirs
- Allow swift to exec rpm in swift_t and allow to create tmp files/dirs
- Allow neutron to create /run/netns with correct labeling
- Allow to run ip cmd in neutron_t domain
- Allow rpm_script_t to dbus chat also with systemd-located
- Fix ipa_stream_connect_otpd()
2014-03-07 16:53:11 +01:00
Miroslav Grepl
08fe2e457e - Allow block_suspend cap2 for systemd-logind and rw dri device
- Add labeling for /usr/libexec/nm-libreswan-service
- Allow locallogin to rw xdm key to make Virtual Terminal login providing
- Add xserver_rw_xdm_keys()
- Allow rpm_script_t to dbus chat also with systemd-located
- Fix ipa_stream_connect_otpd()
- update lpd_manage_spool() interface
- Allow krb5kdc to stream connect to ipa-otpd
- Add ipa_stream_connect_otpd() interface
- Allow vpnc to unlink NM pids
- Add networkmanager_delete_pid_files()
- Allow munin plugins to access unconfined plugins
- update abrt_filetrans_named_content to cover /var/spool/debug
- Label /var/spool/debug as abrt_var_cache_t
- Allow rhsmcertd to connect to squid port
- Make docker_transition_unconfined as optional boolean
- Allow certmonger to list home dirs
2014-03-04 10:17:06 +01:00
Miroslav Grepl
18bb7ec6a3 * Fri Feb 28 2014 Miroslav Grepl<mgrepl@redhat.com> 3.13.1-29
- Make docker as permissive domain
2014-02-28 12:34:15 +01:00
Dan Walsh
96f7ac46ed Remove vbetool we no longer ship this 2014-02-27 16:00:58 -05:00
Miroslav Grepl
439063013f - Allow bumblebeed to send signal to insmod
- Dontaudit attempts by crond_t net_admin caused by journald
- Allow the docker daemon to mounton tty_device_t
- Add addtional snapper fixes to allo relabel file_t
- Allow setattr for all mountpoints
- Allow snapperd to write all dirs
- Add support for /etc/sysconfig/snapper
- Allow mozilla_plugin to getsession
- Add labeling for thttpd
- Allow sosreport to execute grub2-probe
- Allow NM to manage hostname config file
- Allow systemd_timedated_t to dbus chat with rpm_script_t
- Allow lsmd plugins to connect to http/ssh/http_cache ports by default
- Add lsmd_plugin_connect_any boolea
- Add support for ipset
- Add support for /dev/sclp_line0
- Add modutils_signal_insmod()
- Add files_relabelto_all_mountpoints() interface
- Allow the docker daemon to mounton tty_device_t
- Allow all systemd domains to read /proc/1
- Login programs talking to journald are attempting to net_admin, add dontaudit
- init is not gettar on processes as shutdown time
- Add systemd_hostnamed_manage_config() interface
- Make unconfined_service_t valid in enforcing
- Remove transition for temp dirs created by init_t
- gdm-simple-slave uses use setsockopt
- Add lvm_read_metadata()
2014-02-27 12:34:10 +01:00
Miroslav Grepl
3e0039f065 - Make unconfined_service_t valid in enforcing
- Remove transition for temp dirs created by init_t
- gdm-simple-slave uses use setsockopt
- Treat usermodehelper_t as a sysctl_type
- xdm communicates with geo
- Add lvm_read_metadata()
- Allow rabbitmq_beam to connect to jabber_interserver_port
- Allow logwatch_mail_t to transition to qmail_inject and queueu
- Added new rules to pcp policy
- Allow vmtools_helper_t to change role to system_r
- Allow NM to dbus chat with vmtools
2014-02-24 20:13:11 +01:00
Miroslav Grepl
74ec503d1c - Add labeling for /usr/sbin/amavi
- Colin asked for this program to be treated as cloud-init
- Allow ftp services to manage xferlog_t
- Fix vmtools policy to allow user roles to access vmtools_helper_t
- Allow block_suspend cap2 for ipa-otpd
- Allow certmonger to search home content
- Allow pkcsslotd to read users state
- Allow exim to use pam stack to check passwords
- Add labeling for /usr/sbin/amavi
- Colin asked for this program to be treated as cloud-init
- Allow ftp services to manage xferlog_t
- Fix vmtools policy to allow user roles to access vmtools_helper_t
- Allow block_suspend cap2 for ipa-otpd
- Allow certmonger to search home content
- Allow pkcsslotd to read users state
- Allow exim to use pam stack to check passwor
2014-02-21 17:01:54 +01:00
Miroslav Grepl
60668f6a35 * Tue Feb 18 2014 Miroslav Grepl<mgrepl@redhat.com> 3.13.1-25
- Add lvm_read_metadata()
- Allow auditadm to search /var/log/audit dir
- Add lvm_read_metadata() interface
- Allow confined users to run vmtools helpers
- Fix userdom_common_user_template()
- Generic systemd unit scripts do write check on /
- Allow init_t to create init_tmp_t in /tmp.This is for temporary content created by generic unit files
- Add additional fixes needed for init_t and setup script running in generic unit files
- Allow general users to create packet_sockets
- added connlcli port
- Add init_manage_transient_unit() interface
- Allow init_t (generic unit files) to manage rpc state date as we had it for initrc_t
- Fix userdomain.te to require passwd class
- devicekit_power sends out a signal to all processes on the message bus when power is going down
- Dontaudit rendom domains listing /proc and hittping system_map_t
- Dontauit leaks of var_t into ifconfig_t
- Allow domains that transition to ssh_t to manipulate its keyring
- Define oracleasm_t as a device node
- Change to handle /root as a symbolic link for os-tree
- Allow sysadm_t to create packet_socket, also move some rules to attributes
- Add label for openvswitch port
- Remove general transition for files/dirs created in /etc/mail which got etc_aliases_t label.
- Allow postfix_local to read .forward in pcp lib files
- Allow pegasus_openlmi_storage_t to read lvm metadata
- Add additional fixes for pegasus_openlmi_storage_t
- Allow bumblebee to manage debugfs
- Make bumblebee as unconfined domain
- Allow snmp to read etc_aliases_t
- Allow lscpu running in pegasus_openlmi_storage_t to read /dev/mem
- Allow pegasus_openlmi_storage_t to read /proc/1/environ
- Dontaudit read gconf files for cupsd_config_t
- make vmtools as unconfined domain
- Add vmtools_helper_t for helper scripts. Allow vmtools shutdonw a host and run ifconfig.
- Allow collectd_t to use a mysql database
- Allow ipa-otpd to perform DNS name resolution
- Added new policy for keepalived
- Allow openlmi-service provider to manage transitient units and allow stream connect to sssd
- Add additional fixes new pscs-lite+polkit support
- Add labeling for /run/krb5kdc
- Change w3c_validator_tmp_t to httpd_w3c_validator_tmp_t in F20
- Allow pcscd to read users proc info
- Dontaudit smbd_t sending out random signuls
- Add boolean to allow openshift domains to use nfs
- Allow w3c_validator to create content in /tmp
- zabbix_agent uses nsswitch
- Allow procmail and dovecot to work together to deliver mail
- Allow spamd to execute files in homedir if boolean turned on
- Allow openvswitch to listen on port 6634
- Add net_admin capability in collectd policy
- Fixed snapperd policy
- Fixed bugsfor pcp policy
- Allow dbus_system_domains to be started by init
- Fixed some interfaces
- Add kerberos_keytab_domain attribute
- Fix snapperd_conf_t def
2014-02-18 18:05:44 +01:00
Dan Walsh
0474cb579e Add nsplugin.pp and qemu.pp as two additional policies that we no longer ship 2014-02-18 10:19:40 -05:00
Miroslav Grepl
3dc79f55af Fix selinux config file 2014-02-18 14:19:57 +01:00
Dan Walsh
fdaea44147 Make sure selinux-policy owns the rpmconfigdir and macros.d so it does not build a require for rpm 2014-02-14 14:51:42 -05:00
Miroslav Grepl
7a727702c0 - Dontaudit rendom domains listing /proc and hittping system_map_t
- devicekit_power sends out a signal to all processes on the message bus when power is going down
- Modify xdm_write_home to allow create also links as xdm_home_t if the boolean is on true
- systemd_tmpfiles_t needs to _setcheckreqprot
- Add unconfined_server to be run by init_t when it executes files labeled bin_t, or usr_t, allow all domains to communicate with it
- Fixed snapperd policy
- Fixed broken interfaces
- Should use rw_socket_perms rather then sock_file on a unix_stream_socket
- Fixed bugsfor pcp policy
- pcscd seems to be using policy kit and looking at domains proc data that transition to it
- Allow dbus_system_domains to be started by init
- Fixed some interfaces
- Addopt corenet rules for unbound-anchor to rpm_script_t
- Allow runuser to send send audit messages.
- Allow postfix-local to search .forward in munin lib dirs
- Allow udisks to connect to D-Bus
- Allow spamd to connect to spamd port
- Fix syntax error in snapper.te
- Dontaudit osad to search gconf home files
- Allow rhsmcertd to manage /etc/sysconf/rhn director
- Fix pcp labeling to accept /usr/bin for all daemon binaries
- Fix mcelog_read_log() interface
- Allow iscsid to manage iscsi lib files
- Allow snapper domtrans to lvm_t. Add support for /etc/snapper and allow snapperd to manage it.
- Allow ABRT to read puppet certs
- Allow virtd_lxc_t to specify the label of a socket
- New version of docker requires more access
2014-02-14 13:09:05 +01:00
Miroslav Grepl
05a36cdcd0 - Addopt corenet rules for unbound-anchor to rpm_script_t
- Allow runuser to send send audit messages.
- Allow postfix-local to search .forward in munin lib dirs
- Allow udisks to connect to D-Bus
- Allow spamd to connect to spamd port
- Fix syntax error in snapper.te
- Dontaudit osad to search gconf home files
- Allow rhsmcertd to manage /etc/sysconf/rhn director
- Fix pcp labeling to accept /usr/bin for all daemon binaries
- Fix mcelog_read_log() interface
- Allow iscsid to manage iscsi lib files
- Allow snapper domtrans to lvm_t. Add support for /etc/snapper and allow snapperd to manage it.
- Make tuned_t as unconfined domain for RHEL7.0
- Allow ABRT to read puppet certs
- Add sys_time capability for virt-ga
- Allow gemu-ga to domtrans to hwclock_t
- Allow additional access for virt_qemu_ga_t processes to read system clock and send audit messages
- Fix some AVCs in pcp policy
- Add to bacula capability setgid and setuid and allow to bind to bacula ports
- Changed label from rhnsd_rw_conf_t to rhnsd_conf_t
- Add access rhnsd and osad to /etc/sysconfig/rhn
- drbdadm executes drbdmeta
- Fixes needed for docker
- Allow epmd to manage /var/log/rabbitmq/startup_err file
- Allow beam.smp connect to amqp port
- Modify xdm_write_home to allow create also links as xdm_home_t if the boolean is on true
- Allow init_t to manage pluto.ctl because of init_t instead of initrc_t
- Allow systemd_tmpfiles_t to manage all non security files on the system
- Added labels for bacula ports
- Fix label on /dev/vfio/vfio
- Add kernel_mounton_messages() interface
- init wants to manage lock files for iscsi
2014-02-11 20:28:28 +01:00
Miroslav Grepl
6383860028 - Fix /dev/vfio/vfio labeling 2014-02-05 15:57:57 +01:00
Miroslav Grepl
fc059db54d - Add kernel_mounton_messages() interface
- init wants to manage lock files for iscsi
- Add support for dey_sapi port
- Fixes needed for docker
- Allow epmd to manage /var/log/rabbitmq/startup_err file
- Allow beam.smp connect to amqp port
- drbdadm executes drbdmeta
- Added osad policy
- Allow postfix to deliver to procmail
- Allow vmtools to execute /usr/bin/lsb_release
- Allow geoclue to read /etc/passwd
- Allow docker to write system net ctrls
- Add support for rhnsd unit file
- Add dbus_chat_session_bus() interface
- Add dbus_stream_connect_session_bus() interface
- Fix pcp.te
- Fix logrotate_use_nfs boolean
- Add lot of pcp fixes found in RHEL7
- fix labeling for pmie for pcp pkg
- Change thumb_t to be allowed to chat/connect with session bus type
- Add logrotate_use_nfs boolean
- Allow setroubleshootd to read rpc sysctl
2014-02-05 08:52:08 +01:00
Miroslav Grepl
a853036f79 - Allow passwd_t to use ipc_lock, so that it can change the password in gnome-keyring
- Allow geoclue to create temporary files/dirs in /tmp
- Add httpd_dontaudit_search_dirs boolean
- Add support for winbind.service
- ALlow also fail2ban-client to read apache logs
- Allow vmtools to getattr on all fs
2014-01-30 13:26:17 +01:00
Miroslav Grepl
2b1129da49 - Add net_admin also for systemd_passwd_agent_t
- Allow Associate usermodehelper_t to sysfs filesystem
- Allow gdm to create /var/gdm with correct labeling
- Allow domains to append rkhunterl lib files. #1057982
- Allow systemd_tmpfiles_t net_admin to communicate with journald
- update libs_filetrans_named_content() to have support for /usr/lib/debug directory
- Adding a new service script to enable setcheckreqprot
- Add interface to getattr on an isid_type for any type of file
- Allow initrc_t domtrans to authconfig if unconfined is enabled
- Add labeling for snapper.log
- Allow tumbler to execute dbusd-daemon in thumb_t
- Add dbus_exec_dbusd()
- Add snapperd_data_t type
- Add additional fixes for snapperd
- FIx bad calling in samba.te
- Allow smbd to create tmpfs
- Allow rhsmcertd-worker send signull to rpm process
- Allow net_admin capability and send system log msgs
- Allow lldpad send dgram to NM
- Add networkmanager_dgram_send()
- rkhunter_var_lib_t is correct type
- Allow openlmi-storage to read removable devices
- Allow system cron jobs to manage rkhunter lib files
- Add rkhunter_manage_lib_files()
- Fix ftpd_use_fusefs boolean to allow manage also symlinks
- Allow smbcontrob block_suspend cap2
- Allow slpd to read network and system state info
- Allow NM domtrans to iscsid_t if iscsiadm is executed
- Allow slapd to send a signal itself
- Allow sslget running as pki_ra_t to contact port 8443, the secure port of the CA.
- Fix plymouthd_create_log() interface
- Add rkhunter policy with files type definition for /var/lib/rkhunter until it is fixed in rkhunter package
- Allow postfix and cyrus-imapd to work out of box
- Remove logwatch_can_sendmail which is no longer used
- Allow fcoemon to talk with unpriv user domain using unix_stream_socket
- snapperd is D-Bus service
- Allow OpenLMI PowerManagement to call 'systemctl --force reboot
2014-01-28 22:06:09 +01:00
Dan Walsh
98a685257a Fix the day of the week 2014-01-28 15:59:39 -05:00
Miroslav Grepl
f8d85476fd - Add haproxy_connect_any boolean
- Allow haproxy also to use http cache port by default
- Fix /usr/lib/firefox/plugin-container decl
- Allow haproxy to work as simple HTTP proxy. HAProxy For TCP And HTTP Based Applications
- Label also /usr/libexec/WebKitPluginProcess as mozilla_plugin_exec_t
- Fix type in docker.te
- Fix bs_filetrans_named_content() to have support for /usr/lib/debug directory
- Adding a new service script to enable setcheckreqprot
- Add interface to getattr on an isid_type for any type of file
- Allow initrc_t domtrans to authconfig if unconfined is enabled
type in docker.te
- Add mozilla_plugin_exec_t labeling for /usr/lib/firefox/plugin-container
2014-01-24 17:52:42 +01:00
Miroslav Grepl
254b1593d0 - init calling needs to be optional in domain.te
- Allow docker and mount on devpts chr_file
- Allow docker to transition to unconfined_t if boolean set
- Label also /usr/libexec/WebKitPluginProcess as mozilla_plugin_exec_t
- Fix type in docker.te
- Add mozilla_plugin_exec_t labeling for /usr/lib/firefox/plugin-contai
- Allow docker to use the network and build images
- Allow docker to read selinux files for labeling, and mount on devpts
- Allow domains that transition to svirt_sandbox to send it signals
- Allow docker to transition to unconfined_t if boolean set
2014-01-23 11:03:30 +01:00
Miroslav Grepl
f4d3efd317 Remove conflict for pki-selinux 2014-01-22 13:15:32 +01:00
Miroslav Grepl
d7f0c3cf54 - New access needed to allow docker + lxc +SELinux to work together
- Allow apache to write to the owncloud data directory in /var/www/html...
- Cleanup sandbox X AVC's
- Allow consolekit to create log dir
- Add support for icinga CGI scripts
- Add support for icinga
- Allow kdumpctl_t to create kdump lock file
- Allow kdump to create lnk lock file
- Allow ABRT write core_pattern
- Allwo ABRT to read core_pattern
- Add policy for Geoclue. Geoclue is a D-Bus service that provides location information
- Allow nscd_t block_suspen capability
- Allow unconfined domain types to manage own transient unit file
- Allow systemd domains to handle transient init unit files
- No longer need the rpm_script_roles line since rpm_transition_script now does this for us
- Add/fix interfaces for usermodehelper_t
- Add interfaces to handle transient
- Fixes for new usermodehelper and proc_securit_t types
2014-01-22 13:00:17 +01:00
Miroslav Grepl
3a0ebd8398 - Add cron unconfined role support for uncofined SELinux user
- Call kernel_rw_usermodehelper_state() in init.te
- Call corenet_udp_bind_all_ports() in milter.te
- Allow fence_virtd to connect to zented port
- Fix header for mirrormanager_admin()
- Allow dkim-milter to bind udp ports
- Allow milter domains to send signull itself
- Allow block_suspend for yum running as mock_t
- Allow beam.smp to manage couchdb files
- Add couchdb_manage_files()
- Add labeling for /var/log/php_errors.log
- Allow bumblebee to stream connect to xserver
- Allow bumblebee to send a signal to xserver
- gnome-thumbnail to stream connect to bumblebee
- Fix calling usermodehelper to use _state in interface name
- Allow xkbcomp running as bumblebee_t to execute  bin_t
- Allow logrotate to read squid.conf
- Additional rules to get docker and lxc to play well with SELinux
- Call kernel_read_usermodhelper/kernel_rw_usermodhelper
- Make rpm_transition_script accept a role
- Added new policy for pcp
- Allow bumbleed to connect to xserver port
- Allow pegasus_openlmi_storage_t to read hwdata
2014-01-20 11:41:09 +01:00
Miroslav Grepl
5dcd635c58 index.html and style.css should be in /usr/share/selinux/devel/htm 2014-01-20 11:24:03 +01:00
Miroslav Grepl
368fb803a8 See spec file 2014-01-17 16:40:25 +01:00
Miroslav Grepl
5bd1f1afd6 * Mon Jan 13 2014 Miroslav Grepl<mgrepl@redhat.com> 3.13.1-13
- Remove file_t from the system and realias it with unlabeled_
2014-01-13 12:25:57 +01:00
Miroslav Grepl
9b85087129 - Add gluster fixes
- Remove ability to transition to unconfined_t from confined domains
- Additional allow rules to get libvirt-lxc containers working with docker
2014-01-09 15:11:05 +01:00
Miroslav Grepl
9d88e18305 - Allow mozilla plugin to chat with policykit, needed for spice
- Allow gssprozy to change user and gid, as well as read user keyrings
- Allow sandbox apps to attempt to set and get capabilties
- Label upgrades directory under /var/www as httpd_sys_rw_content_t, add other filetrans rules to label content correctly
- allow modemmanger to read /dev/urand
- Allow polipo to connect to http_cache_ports
- Allow cron jobs to manage apache var lib content
- Allow yppassword to manage the passwd_file_t
- Allow showall_t to send itself signals
- Allow cobbler to restart dhcpc, dnsmasq and bind services
- Allow rsync_t to manage all non auth files
- Allow certmonger to manage home cert files
- Allow user_mail_domains to write certain files to the /root and ~/ directories
- Allow apcuspd_t to status and start the power unit file
- Allow cgroupdrulesengd to create content in cgoups directories
- Add new access for mythtv
- Allow irc_t to execute shell and bin-t files:
- Allow smbd_t to signull cluster
- Allow sssd to read systemd_login_var_run_t
- Allow gluster daemon to create fifo files in glusterd_brick_t and sock_file in glusterd_var_lib_t
- Add label for /var/spool/cron.aquota.user
- Allow sandbox_x domains to use work with the mozilla plugin semaphore
- Added new policy for speech-dispatcher
- Added dontaudit rule for insmod_exec_t  in rasdaemon policy
- Updated rasdaemon policy
- Allow virt_domains to read cert files
- Allow system_mail_t to transition to postfix_postdrop_t
- Clean up mirrormanager policy
- Allow subscription-manager running as sosreport_t to manage rhsmcertd
- Remove ability to do mount/sys_admin by default in virt_sandbox domains
- New rules required to run docker images within libivrt
- Fixed bumblebee_admin() and mip6d_admin()
- Add log support for sensord
- Add label for ~/.cvsignore
- Change mirrormanager to be run by cron
- Add mirrormanager policy
- Additional fixes for docker.te
- Allow cobblerd to read/write undionly.kpxe located in /var/lib/tftpboot
- Add tftp_write_rw_content/tftp_read_rw_content interfaces
- Allow amanda to do backups over UDP
2014-01-06 07:31:14 +01:00
Miroslav Grepl
804870d8a3 policy-rawhide-contrib-apache-content.patch is no longer needed. Merged to policy-rawhide-contrib.patch. 2014-01-06 06:56:06 +01:00
Dan Walsh
70c60d82d0 Fix usage of semanage import line 2014-01-02 14:17:35 -05:00
Miroslav Grepl
c9394c3ea7 Add selinux/minimum/contexts/users/sysadm_u also for minimum policy 2013-12-16 12:05:05 +01:00
Miroslav Grepl
74b303ea26 Fix spec file 2013-12-13 15:10:55 +01:00
Miroslav Grepl
2397102af8 - Allow freeipmi_ipmidetectd_t to use freeipmi port
- Update freeipmi_domain_template()
- Allow journalctl running as ABRT to read /run/log/journal
- Allow NM to read dispatcher.d directory
- Update freeipmi policy
- Type transitions with a filename not allowed inside conditionals
- Allow tor to bind to hplip port
- Make new type to texlive files in homedir
- Allow zabbix_agent to transition to dmidecode
- Add rules for docker
- Allow sosreport to send signull to unconfined_t
- Add virt_noatsecure and virt_rlimitinh interfaces
- Fix labeling in thumb.fc to add support for /usr/lib64/tumbler-1/tumblerddd support for freeipm
- Add sysadm_u_default_contexts
- Add logging_read_syslog_pid()
- Fix userdom_manage_home_texlive() interface
- Make new type to texlive files in homedir
- Add filename transitions for /run and /lock links
- Allow virtd to inherit rlimit information
2013-12-12 17:23:54 +01:00
Miroslav Grepl
4b8334da4c - DRM master and input event devices are used by the TakeDevice API
- Clean up bumblebee policy
- Update pegasus_openlmi_storage_t policy
- opensm policy clean up
- openwsman policy clean up
- ninfod policy clean up
- Allow conman to connect to freeipmi services and clean up conman policy
- Allow conmand just bind on 7890 port
- Add freeipmi_stream_connect() interface
- Allow logwatch read madm.conf to support RAID setup
- Add raid_read_conf_files() interface
- Allow up2date running as rpm_t create up2date log file with rpm_log_t labeling
- add rpm_named_filetrans_log_files() interface
- Added policy for conmand
- Allow dkim-milter to create files/dirs in /tmp
- update freeipmi policy
- Add policy for freeipmi services
- Added rdisc_admin and rdisc_systemctl interfaces
- Fix aliases in pegasus.te
- Allow chrome sandbox to read generic cache files in homedir
- Dontaudit mandb searching all mountpoints
- Make sure wine domains create .wine with the correct label
- Add proper aliases for pegasus_openlmi_services_exec_t and pegasus_openlmi_services_t
- Allow windbind the kill capability
- DRM master and input event devices are used by  the TakeDevice API
- add dev_rw_inherited_dri() and dev_rw_inherited_input_dev()
- Added support for default conman port
- Add interfaces for ipmi devices
- Make sure wine domains create .wine with the correct label
- Allow manage dirs in kernel_manage_debugfs interface.
- Allow systemctl running in ipsec_mgmt_t to access /usr/lib/systemd/system/ipsec.service
- Label /usr/lib/systemd/system/ipsec.service as ipsec_mgmt_unit_file_t
- Fix userdom_confined_admin_template()
- Add back exec_content boolean for secadm, logadm, auditadm
- Fix files_filetrans_system_db_named_files() interface
- Allow sulogin to getattr on /proc/kcore
- Add filename transition also for servicelog.db-journal
- Add files_dontaudit_access_check_root()
- Add lvm_dontaudit_access_check_lock() interface
2013-12-09 08:16:07 +01:00
Miroslav Grepl
676f0e4eb9 - Add back fixes for gnome_role_template()
- Label /usr/sbin/htcacheclean as httpd_exec_t
- Add missing alias for pegasus_openlmi_service_exec_t
- Added support for rdisc unit file
- Added new policy for ninfod
- Added new policy for openwsman
- Add antivirus_db_t labeling for /var/lib/clamav-unofficial-sigs
- Allow runuser running as logrotate connections to system DBUS
- Add connectto perm for NM unix stream socket
- Allow watchdog to be executed from cron
- Allow cloud_init to transition to rpm_script_t
- Allow lsmd_plugin_t send system log messages
- Label /var/log/up2date as rpm_log_t and allow sosreport to manage rpm log/pid/cache files which is a part of ABRT polic
- Added new capabilities for mip6d policy
- Label bcache devices as fixed_disk_device_t
- Allow systemctl running in ipsec_mgmt_t to access /usr/lib/systemd/system/ipsec.service
- label /usr/lib/systemd/system/ipsec.service as ipsec_mgmt_unit_file_t
2013-12-03 22:01:54 +01:00
Miroslav Grepl
d61adff49b - Add lsmd_plugin_t for lsm plugins
- Allow dovecot-deliver to search mountpoints
- Add labeling for /etc/mdadm.conf
- Allow opelmi admin providers to dbus chat with init_t
- Allow sblim domain to read /dev/urandom and /dev/random
- Add back exec_content boolean for secadm, logadm, auditadm
- Allow sulogin to getattr on /proc/kcore
2013-11-26 18:41:01 +01:00
Miroslav Grepl
c9b9ed2c4d - Add filename transition also for servicelog.db-journal
- Add files_dontaudit_access_check_root()
- Add lvm_dontaudit_access_check_lock() interface
- Allow mount to manage mount_var_run_t files/dirs
- Allow updapwd_t to ignore mls levels for writign shadow_t at a lower level
- Make sure boot.log is created with the correct label
- call logging_relabel_all_log_dirs() in systemd.te
- Allow systemd_tmpfiles to relabel log directories
- Allow staff_t to run frequency command
- Allow staff_t to read xserver_log file
- This reverts commit c0f9f125291f189271cbbca033f87131dab1e22f.
- Label hsperfdata_root as tmp_t
- Add plymouthd_create_log()
- Dontaudit leaks from openshift domains into mail domains, needs back port to RHEL6
- Allow sssd to request the kernel loads modules
- Allow gpg_agent to use ssh-add
- Allow gpg_agent to use ssh-add
- Dontaudit access check on /root for myslqd_safe_t
- Add glusterd_brick_t files type
- Allow ctdb to getattr on al filesystems
- Allow abrt to stream connect to syslog
- Allow dnsmasq to list dnsmasq.d directory
- Watchdog opens the raw socket
- Allow watchdog to read network state info
- Dontaudit access check on lvm lock dir
- Allow sosreport to send signull to setroubleshootd
- Add setroubleshoot_signull() interface
- Fix ldap_read_certs() interface
- Allow sosreport all signal perms
- Allow sosreport to run systemctl
- Allow sosreport to dbus chat with rpm
- Allow zabbix_agentd to read all domain state
- Allow sblim_sfcbd_t to read from /dev/random and /dev/urandom
- Allow smoltclient to execute ldconfig
- Allow sosreport to request the kernel to load a module
- Clean up rtas.if
- Clean up docker.if
- drop /var/lib/glpi/files labeling in cron.fc
- Added new policy for rasdaemon
2013-11-26 11:42:42 +01:00
Miroslav Grepl
3abf0519c2 * Mon Nov 18 2013 Miroslav Grepl<mgrepl@redhat.com> 3.13.1-5
- Add back /dev/shm labeling
2013-11-18 16:59:45 +01:00
Miroslav Grepl
d20212ac4f * Mon Nov 18 2013 Miroslav Grepl<mgrepl@redhat.com> 3.13.1-4
- Fix gnome_role_template() interface
2013-11-18 15:25:06 +01:00
Miroslav Grepl
4fc70e284d - Add policy-rawhide-contrib-apache-content.patch to re-write apache_content_template() by dwalsh 2013-11-14 22:05:22 +01:00
Dan Walsh
164fa392ee Fix config.tgz to include lxc_contexts and systemd_contexts 2013-11-14 11:05:22 -05:00
Miroslav Grepl
269ef098f1 * Wed Nov 13 2013 Miroslav Grepl <mgrepl@redhat.com> 3.13.1-1
- Update to upstream
2013-11-13 16:05:06 +01:00
Miroslav Grepl
0f9b0de389 Upload new upstream sources 2013-11-13 15:27:57 +01:00
Miroslav Grepl
73ec2c3819 - Fix passenger_stream_connect interface
- setroubleshoot_fixit wants to read network state
- Allow procmail_t to connect to dovecot stream sockets
- Allow cimprovagt service providers to read network states
- Add labeling for /var/run/mariadb
- pwauth uses lastlog() to update system's lastlog
- Allow account provider to read login records
- Add support for texlive2013
- More fixes for user config files to make crond_t running in userdomain
- Add back disable/reload/enable permissions for system class
- Fix manage_service_perms macro
- Allow passwd_t to connect to gnome keyring to change password
- Update mls config files to have cronjobs in the user domains
- Remove access checks that systemd does not actually do
2013-11-12 12:26:06 +01:00
Miroslav Grepl
90f92647e0 * Fri Nov 8 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-99
- Add support for yubikey in homedir
- Add support for upd/3052 port
- Allow apcupsd to use PowerChute Network Shutdown
- Allow lsmd to execute various lsmplugins
- Add labeling also for /etc/watchdog\.d where are watchdog scripts located too
- Update gluster_export_all_rw boolean to allow relabel all base file types
- Allow x86_energy_perf  tool to modify the MSR
- Fix /var/lib/dspam/data labeling
2013-11-08 21:39:31 +01:00
Miroslav Grepl
c872e59953 - Add files_relabel_base_file_types() interface
- Allow netlabel-config to read passwd
- update gluster_export_all_rw boolean to allow relabel all base file types caused by lsetxattr()
- Allow x86_energy_perf  tool to modify the MSR
- Fix /var/lib/dspam/data labeling
- Allow pegasus to domtrans to mount_t
- Add labeling for unconfined scripts in /usr/libexec/watchdog/scripts
- Add support for unconfined watchdog scripts
- Allow watchdog to manage own log files
2013-11-06 23:12:50 +01:00
Miroslav Grepl
c5e7e5bb30 - Add label only for redhat.repo instead of /etc/yum.repos.d. But probably we will need to switch for the directory.
- Label /etc/yum.repos.d as system_conf_t
- Use sysnet_filetrans_named_content in udev.te instead of generic transition for net_conf_t
- Allow dac_override for sysadm_screen_t
- Allow init_t to read ipsec_conf_t as we had it for initrc_t. Needed by ipsec unit file.
- Allow netlabel-config to read meminfo
- Add interface to allow docker to mounton file_t
- Add new interface to exec unlabeled files
- Allow lvm to use docker semaphores
- Setup transitons for .xsessions-errors.old
- Change labels of files in /var/lib/*/.ssh to transition properly
- Allow staff_t and user_t to look at logs using journalctl
- pluto wants to manage own log file
- Allow pluto running as ipsec_t to create pluto.log
- Fix alias decl in corenetwork.te.in
- Add support for fuse.glusterfs
- Allow dmidecode to read/write /run/lock/subsys/rhsmcertd
- Allow rhsmcertd to manage redhat.repo which is now labeled as system.conf. Allow rhsmcertd to manage all log files.
- Additional access for docker
- Added more rules to sblim policy
- Fix kdumpgui_run_bootloader boolean
- Allow dspam to connect to lmtp port
- Included sfcbd service into sblim policy
- rhsmcertd wants to manaage /etc/pki/consumer dir
- Add kdumpgui_run_bootloader boolean
- Add support for /var/cache/watchdog
- Remove virt_domain attribute for virt_qemu_ga_unconfined_t
- Fixes for handling libvirt containes
- Dontaudit attempts by mysql_safe to write content into /
- Dontaudit attempts by system_mail to modify network config
- Allow dspam to bind to lmtp ports
- Add new policy to allow staff_t and user_t to look at logs using journalctl
- Allow apache cgi scripts to list sysfs
- Dontaudit attempts to write/delete user_tmp_t files
2013-11-06 09:11:46 +01:00
Miroslav Grepl
6bf18ad4aa Fix spec file 2013-11-01 19:29:49 +01:00
Miroslav Grepl
18a1acac8d * Fri Oct 1 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-96
- Add missing permission checks for nscd
2013-11-01 19:24:30 +01:00
Dan Walsh
d11521e32b Do remove regardless. Update config.tgz with new labels for virt. 2013-11-01 12:09:39 -04:00
Miroslav Grepl
cd5d972925 scratch build 2013-10-30 20:24:38 +01:00
Miroslav Grepl
d4e55c7b7a Fix spec file to use systemd_context instead of sytemd_context 2013-10-28 12:03:32 +01:00
Miroslav Grepl
bf4990489d - Allow sysadm_t to read login information
- Allow systemd_tmpfiles to setattr on var_log_t directories
- Udpdate Makefile to include systemd_contexts
- Add systemd_contexts
- Add fs_exec_hugetlbfs_files() interface
- Add daemons_enable_cluster_mode boolean
- Fix rsync_filetrans_named_content()
- Add rhcs_read_cluster_pid_files() interface
- Update rhcs.if with additional interfaces from RHEL6
- Fix rhcs_domain_template() to not create run dirs with cluster_var_run_t
- Allow glusterd_t to mounton glusterd_tmp_t
- Allow glusterd to unmout al filesystems
- Allow xenstored to read virt config
- Add label for swift_server.lock and make add filetrans_named_content to make sure content gets created with the correct lab
- Allow mozilla_plugin_t to mmap hugepages as an executable
2013-10-28 10:06:40 +01:00
Miroslav Grepl
4f67cf89e1 Add fix to place sytemd_contexts 2013-10-25 12:59:16 +02:00
Miroslav Grepl
bb6a1f3c7f * Thu Oct 24 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-93
- Add back userdom_security_admin_template() interface and use it for sysadm_t if sysadm_secadm.pp
2013-10-24 11:31:47 +02:00
Miroslav Grepl
2d3bd44103 - Allow sshd_t to read openshift content, needs backport to RHEL6.5
- Label /usr/lib64/sasl2/libsasldb.so.3.0.0 as textrel_shlib_t
- Make sur kdump lock is created with correct label if kdumpctl is executed
- gnome interface calls should always be made within an optional_block
- Allow syslogd_t to connect to the syslog_tls port
- Add labeling for /var/run/charon.ctl socket
- Add kdump_filetrans_named_content()
- Allo setpgid for fenced_t
- Allow setpgid and r/w cluster tmpfs for fenced_t
- gnome calls should always be within optional blocks
- wicd.pid should be labeled as networkmanager_var_run_t
- Allow sys_resource for lldpad
2013-10-22 12:08:40 +02:00
Miroslav Grepl
71bb644a3b Add rtas policy 2013-10-17 14:57:23 +02:00
Miroslav Grepl
37ab076306 - Allow mailserver_domains to manage and transition to mailman data
- Dontaudit attempts by mozilla plugin to relabel content, caused by using mv
- Allow mailserver_domains to manage and transition to mailman data
- Allow svirt_domains to read sysctl_net_t
- Allow thumb_t to use tmpfs inherited from the user
- Allow mozilla_plugin to bind to the vnc port if running with spice
- Add new attribute to discover confined_admins and assign confined admin to
- Fix zabbix to handle attributes in interfaces
- Fix zabbix to read system states for all zabbix domains
- Fix piranha_domain_template()
- Allow ctdbd to create udp_socket. Allow ndmbd to access ctdbd var files.
- Allow lldpad sys_rouserce cap due to #986870
- Allow dovecot-auth to read nologin
- Allow openlmi-networking to read /proc/net/dev
- Allow smsd_t to execute scripts created on the fly labeled as smsd_spool_t
- Add zabbix_domain attribute for zabbix domains to treat them together
- Add labels for zabbix-poxy-* (#1018221)
- Update openlmi-storage policy to reflect #1015067
- Back port piranha tmpfs fixes from RHEL6
- Update httpd_can_sendmail boolean to allow read/write postfix spool maildro
- Add postfix_rw_spool_maildrop_files interface
- Call new userdom_admin_user_templat() also for sysadm_secadm.pp
- Fix typo in userdom_admin_user_template()
- Allow SELinux users to create coolkeypk11sE-Gate in /var/cache/coolkey
- Add new attribute to discover confined_admins
- Fix labeling for /etc/strongswan/ipsec.d
- systemd_logind seems to pass fd to anyone who dbus communicates with it
- Dontaudit leaked write descriptor to dmesg
2013-10-17 08:30:35 +02:00
Miroslav Grepl
99c451355a - Fix gnome_read_generic_data_home_files()
- allow openshift_cgroup_t to read/write inherited openshift file types
- Remove httpd_cobbler_content * from cobbler_admin interface
- Allow svirt sandbox domains to setattr on chr_file and blk_file svirt_sandbox_file_t, so sshd
- Allow httpd_t to read also git sys content symlinks
- Allow init_t to read gnome home data
- Dontaudit setroubleshoot_fixit_t execmem, since it does not seem to really need it.
- Allow virsh to execute systemctl
- Fix for nagios_services plugins
- add type defintion for ctdbd_var_t
- Add support for /var/ctdb. Allow ctdb block_suspend and read /etc/passwd file
- Allow net_admin/netlink_socket all hyperv_domain domains
- Add labeling for zarafa-search.log and zarafa-search.pid
- Fix hypervkvp.te
- Fix nscd_shm_use()
- Add initial policy for /usr/sbin/hypervvssd in hypervkvp policy which should be renamed to hy
- Add hypervkvp_unit_file_t type
- Fix logging policy
- Allow syslog to bind to tls ports
- Update labeling for /dev/cdc-wdm
- Allow to su_domain to read init states
- Allow init_t to read gnome home data
- Make sure if systemd_logind creates nologin file with the correct label
- Clean up ipsec.te
2013-10-14 08:46:37 +02:00
Dan Walsh
973ebb8068 Need to create the policy.kern symbolic link in the shipping policy.
This patch needs to be pushed into RHEL7.  It fixes a blocker bug.
2013-10-11 16:07:22 -04:00
Miroslav Grepl
ce98dfd270 - Add auth_exec_chkpwd interface
- Fix port definition for ctdb ports
- Allow systemd domains to read /dev/urand
- Dontaudit attempts for mozilla_plugin to append to /dev/random
- Add label for /var/run/charon.*
- Add labeling for /usr/lib/systemd/system/lvm2.*dd policy for motion servi
- Fix for nagios_services plugins
- Fix some bugs in zoneminder policy
- add type defintion for ctdbd_var_t
- Add support for /var/ctdb. Allow ctdb block_suspend and read /etc/passwd
- Allow net_admin/netlink_socket all hyperv_domain domains
- Add labeling for zarafa-search.log and zarafa-search.pid
- glusterd binds to random unreserved ports
- Additional allow rules found by testing glusterfs
- apcupsd needs to send a message to all users on the system so needs to lo
- Fix the label on ~/.juniper_networks
- Dontaudit attempts for mozilla_plugin to append to /dev/random
- Allow polipo_daemon to connect to flash ports
- Allow gssproxy_t to create replay caches
- Fix nscd_shm_use()
- Add initial policy for /usr/sbin/hypervvssd in hypervkvp policy which sho
- Add hypervkvp_unit_file_t type
2013-10-08 23:19:39 +02:00
Miroslav Grepl
17233e7dc0 - init reload from systemd_localed_t
- Allow domains that communicate with systemd_logind_sessions to use systemd_logind_t fd
- Allow systemd_localed_t to ask systemd to reload the locale.
- Add systemd_runtime_unit_file_t type for unit files that systemd creates in memory
- Allow readahead to read /dev/urand
- Fix lots of avcs about tuned
- Any file names xenstored in /var/log should be treated as xenstored_var_log_t
- Allow tuned to inderact with hugepages
- Allow condor domains to list etc rw dirs
2013-10-04 20:24:18 +02:00
Miroslav Grepl
7a5c555024 Fix spec file 2013-10-04 00:25:11 +02:00
Miroslav Grepl
06b8c0546b - Fix nscd_shm_use()
- Add initial policy for /usr/sbin/hypervvssd in hypervkvp policy which should be renamed to hyperv. Also a
- Add hypervkvp_unit_file_t type
- Add additional fixes forpegasus_openlmi_account_t
- Allow mdadm to read /dev/urand
- Allow pegasus_openlmi_storage_t to create mdadm.conf and write it
- Add label/rules for /etc/mdadm.conf
- Allow pegasus_openlmi_storage_t to transition to fsadm_t
- Fixes for interface definition problems
- Dontaudit dovecot-deliver to gettatr on all fs dirs
- Allow domains to search data_home_t directories
- Allow cobblerd to connect to mysql
- Allow mdadm to r/w kdump lock files
- Add support for kdump lock files
- Label zarafa-search as zarafa-indexer
- Openshift cgroup wants to read /etc/passwd
- Add new sandbox domains for kvm
- Allow mpd to interact with pulseaudio if mpd_enable_homedirs is turned on
- Fix labeling for /usr/lib/systemd/system/lvm2.*
- Add labeling for /usr/lib/systemd/system/lvm2.*
- Fix typos to get a new build. We should not cover filename trans rules to prevent duplicate rules
- Add sshd_keygen_t policy for sshd-keygen
- Fix alsa_home_filetrans interface name and definition
- Allow chown for ssh_keygen_t
- Add fs_dontaudit_getattr_all_dirs()
- Allow init_t to manage etc_aliases_t and read xserver_var_lib_t and chrony keys
- Fix up patch to allow systemd to manage home content
- Allow domains to send/recv unlabeled traffic if unlabelednet.pp is enabled
- Allow getty to exec hostname to get info
- Add systemd_home_t for ~/.local/share/systemd directory
2013-10-04 00:19:56 +02:00
Miroslav Grepl
05e00dcdfc * Wed Oct 2 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-85
- Fix lxc labeling in config.tgz
2013-10-02 21:39:51 +02:00
Miroslav Grepl
dc36731280 - Fix labeling for /usr/libexec/kde4/kcmdatetimehelper
- Allow tuned to search all file system directories
- Allow alsa_t to sys_nice, to get top performance for sound management
- Add support for MySQL/PostgreSQL for amavis
- Allow openvpn_t to manage openvpn_var_log_t files.
- Allow dirsrv_t to create tmpfs_t directories
- Allow dirsrv to create dirs in /dev/shm with dirsrv_tmpfs label
- Dontaudit leaked unix_stream_sockets into gnome keyring
- Allow telepathy domains to inhibit pipes on telepathy domains
- Allow cloud-init to domtrans to rpm
- Allow abrt daemon to manage abrt-watch tmp files
- Allow abrt-upload-watcher to search /var/spool directory
- Allow nsswitch domains to manage own process key
- Fix labeling for mgetty.* logs
- Allow systemd to dbus chat with upower
- Allow ipsec to send signull to itself
- Allow setgid cap for ipsec_t
- Match upstream labeling
2013-09-30 18:07:50 +02:00
Miroslav Grepl
26f445bd79 - Do not build sanbox pkg on MLS 2013-09-25 19:24:13 +02:00
Dan Walsh
b03c8659de Only build the sandbox.pp file for targeted 2013-09-25 12:53:36 -04:00
Miroslav Grepl
d7f852786e - wine_tmp is no longer needed
- Allow setroubleshoot to look at /proc
- Allow telepathy domains to dbus with systemd logind
- Fix handling of fifo files of rpm
- Allow mozilla_plugin to transition to itself
- Allow certwatch to write to cert_t directories
- New abrt application
- Allow NetworkManager to set the kernel scheduler
- Make wine_domain shared by all wine domains
- Allow mdadm_t to read images labeled svirt_image_t
- Allow amanda to read /dev/urand
- ALlow my_print_default to read /dev/urand
- Allow mdadm to write to kdumpctl fifo files
- Allow nslcd to send signull to itself
- Allow yppasswd to read /dev/urandom
- Fix zarafa_setrlimit
- Add support for /var/lib/php/wsdlcache
- Add zarafa_setrlimit boolean
- Allow fetchmail to send mails
- Add additional alias for user_tmp_t because wine_tmp_t is no longer used
- More handling of ther kernel keyring required by kerberos
- New privs needed for init_t when running without transition to initrc_t over bin_t
2013-09-25 13:56:38 +02:00
Miroslav Grepl
3d49b27279 - Dontaudit attempts by sosreport to read shadow_t
- Allow browser sandbox plugins to connect to cups to print
- Add new label mpd_home_t
- Label /srv/www/logs as httpd_log_t
- Add support for /var/lib/php/wsdlcache
- Add zarafa_setrlimit boolean
- Allow fetchmail to send mails
- Add labels for apache logs under miq package
- Allow irc_t to use tcp sockets
- fix labels in puppet.if
- Allow tcsd to read utmp file
- Allow openshift_cron_t to run ssh-keygen in ssh_keygen_t to
- Define svirt_socket_t as a domain_type
- Take away transition from init_t to initrc_t when executing
- Fix label on pam_krb5 helper apps
2013-09-19 10:06:35 +02:00
Miroslav Grepl
fcf0156ca3 - Allow ldconfig to write to kdumpctl fifo files
- allow neutron to connect to amqp ports
- Allow kdump_manage_crash to list the kdump_crash_t directory
- Allow glance-api to connect to amqp port
- Allow virt_qemu_ga_t to read meminfo
- Add antivirus_home_t type for antivirus date in HOMEDIRS
- Allow mpd setcap which is needed by pulseaudio
- Allow smbcontrol to create content in /var/lib/samba
- Allow mozilla_exec_t to be used as a entrypoint to mozilla_domtrans_spec
- Add additional labeling for qemu-ga/fsfreeze-hook.d scripts
- amanda_exec_t needs to be executable file
- Allow block_suspend cap for samba-net
- Allow apps that read ipsec_mgmt_var_run_t to search ipsec_var_run_t
- Allow init_t to run crash utility
- Treat usr_t just like bin_t for transitions and executions
- Add port definition of pka_ca to port 829 for openshift
- Allow selinux_store to use symlinks
2013-09-12 11:30:06 +02:00
Dan Walsh
3fc099d1fb Allow block_suspend cap for samba-net
- Allow t-mission-control to manage gabble cache files
- Allow nslcd to read /sys/devices/system/cpu
- Allow selinux_store to use symlinks
2013-09-11 13:16:27 -04:00
Dan Walsh
030f138b3b Allow block_suspend cap for samba-net
- Allow t-mission-control to manage gabble cache files
- Allow nslcd to read /sys/devices/system/cpu
- Allow selinux_store to use symlinks
2013-09-11 09:17:30 -04:00
Miroslav Grepl
4b478253e7 Fix the spec file to use correct version 2013-09-10 21:39:22 +02:00
Miroslav Grepl
2411e6a6b6 - Allow block_suspend cap for samba-net
- Allow t-mission-control to manage gabble cache files
- Allow nslcd to read /sys/devices/system/cpu
- Allow selinux_store to use symlinks
- Allow xdm_t to transition to itself
- Call neutron interfaces instead of quantum
- Allow init to change targed role to make uncofined services (xrdp wh
- Make sure directories in /run get created with the correct label
- Make sure /root/.pki gets created with the right label
- try to remove labeling for motion from zoneminder_exec_t to bin_t
- Allow inetd_t to execute shell scripts
- Allow cloud-init to read all domainstate
- Fix to use quantum port
- Add interface netowrkmanager_initrc_domtrans
- Fix boinc_execmem
- Allow t-mission-control to read gabble cache home
- Add labeling for ~/.cache/telepathy/avatars/gabble
- Allow memcache to read sysfs data
- Cleanup antivirus policy and add additional fixes
- Add boolean boinc_enable_execstack
- Add support for couchdb in rabbitmq policy
- Add interface couchdb_search_pid_dirs
- Allow firewalld to read NM state
- Allow systemd running as git_systemd to bind git port
- Fix mozilla_plugin_rw_tmpfs_files()
2013-09-10 08:15:42 +02:00
Dan Walsh
26bb0a13ca Fix nameing of rpm macro
- Fix creating of checksum file off installed policy
2013-09-09 08:10:33 -04:00
Dan Walsh
1b0e0923f8 Cleanup related to init_domain()+inetd_domain fixes
- Use just init_domain instead of init_daemon_domain in inetd_core_service_domain
- svirt domains neeed to create kobject_uevint_sockets
- Lots of new access required for sosreport
- Allow tgtd_t to connect to isns ports
- Allow init_t to transition to all inetd domains:
- openct needs to be able to create netlink_object_uevent_sockets
- Dontaudit leaks into ldconfig_t
- Dontaudit su domains getattr on /dev devices, move su domains to attribute based calls
- Move kernel_stream_connect into all Xwindow using users
- Dontaudit inherited lock files in ifconfig o dhcpc_t
2013-09-05 09:40:37 -04:00
Dan Walsh
b8f3f18ef5 selinux_set_enforce_mode needs to be used with type
- Add append to the dontaudit for unix_stream_socket of xdm_t leak
- Allow xdm_t to create symlinks in log direcotries
- Allow login programs to read afs config
- Label 10933 as a pop port, for dovecot
- New policy to allow selinux_server.py to run as semanage_t as a dbus service
- Add fixes to make netlabelctl working on MLS
- AVC's required for running sepolicy gui as staff_t
- Dontaudit attempts to read symlinks, sepolicy gui is likely to cause this type of AVC
- New dbus server to be used with new gui
- After modifying some files in /etc/mail, I saw this needed on the next boot
- Loading a vm from /usr/tmp with virt-manager
- Clean up oracleasm policy for Fedora
- Add oracleasm policy written by rlopez@redhat.com
- Make postfix_postdrop_t as mta_agent to allow domtrans to system mail if it is executed by apache
- Add label for /var/crash
- Allow fenced to domtrans to sanclok_t
- Allow nagios to manage nagios spool files
- Make tfptd as home_manager
- Allow kdump to read kcore on MLS system
- Allow mysqld-safe sys_nice/sys_resource caps
- Allow apache to search automount tmp dirs if http_use_nfs is enabled
- Allow crond to transition to named_t, for use with unbound
- Allow crond to look at named_conf_t, for unbound
- Allow mozilla_plugin_t to transition its home content
- Allow dovecot_domain to read all system and network state
- Allow httpd_user_script_t to call getpw
- Allow semanage to read pid files
- Dontaudit leaked file descriptors from user domain into thumb
- Make PAM authentication working if it is enabled in ejabberd
- Add fixes for rabbit to fix ##992920,#992931
- Allow glusterd to mount filesystems
- Loading a vm from /usr/tmp with virt-manager
- Trying to load a VM I got an AVC from devicekit_disk for loopcontrol device
- Add fix for pand service
- shorewall touches own log
- Allow nrpe to list /var
- Mozilla_plugin_roles can not be passed into lpd_run_lpr
- Allow afs domains to read afs_config files
- Allow login programs to read afs config
- Allow virt_domain to read virt_var_run_t symlinks
- Allow smokeping to send its process signals
- Allow fetchmail to setuid
- Add kdump_manage_crash() interface
- Allow abrt domain to write abrt.socket
2013-08-10 16:49:42 -04:00
Dan Walsh
b6a163f4ef selinux_set_enforce_mode needs to be used with type
- Add append to the dontaudit for unix_stream_socket of xdm_t leak
- Allow xdm_t to create symlinks in log direcotries
- Allow login programs to read afs config
- Label 10933 as a pop port, for dovecot
- New policy to allow selinux_server.py to run as semanage_t as a dbus service
- Add fixes to make netlabelctl working on MLS
- AVC's required for running sepolicy gui as staff_t
- Dontaudit attempts to read symlinks, sepolicy gui is likely to cause this type of AVC
- New dbus server to be used with new gui
- After modifying some files in /etc/mail, I saw this needed on the next boot
- Loading a vm from /usr/tmp with virt-manager
- Clean up oracleasm policy for Fedora
- Add oracleasm policy written by rlopez@redhat.com
- Make postfix_postdrop_t as mta_agent to allow domtrans to system mail if it is executed by apache
- Add label for /var/crash
- Allow fenced to domtrans to sanclok_t
- Allow nagios to manage nagios spool files
- Make tfptd as home_manager
- Allow kdump to read kcore on MLS system
- Allow mysqld-safe sys_nice/sys_resource caps
- Allow apache to search automount tmp dirs if http_use_nfs is enabled
- Allow crond to transition to named_t, for use with unbound
- Allow crond to look at named_conf_t, for unbound
- Allow mozilla_plugin_t to transition its home content
- Allow dovecot_domain to read all system and network state
- Allow httpd_user_script_t to call getpw
- Allow semanage to read pid files
- Dontaudit leaked file descriptors from user domain into thumb
- Make PAM authentication working if it is enabled in ejabberd
- Add fixes for rabbit to fix ##992920,#992931
- Allow glusterd to mount filesystems
- Loading a vm from /usr/tmp with virt-manager
- Trying to load a VM I got an AVC from devicekit_disk for loopcontrol device
- Add fix for pand service
- shorewall touches own log
- Allow nrpe to list /var
- Mozilla_plugin_roles can not be passed into lpd_run_lpr
- Allow afs domains to read afs_config files
- Allow login programs to read afs config
- Allow virt_domain to read virt_var_run_t symlinks
- Allow smokeping to send its process signals
- Allow fetchmail to setuid
- Add kdump_manage_crash() interface
- Allow abrt domain to write abrt.socket
2013-08-09 06:07:28 -04:00
Miroslav Grepl
3b361c5061 - selinux_set_enforce_mode needs to be used with type
- Add append to the dontaudit for unix_stream_socket of xdm_t leak
- Allow xdm_t to create symlinks in log direcotries
- Allow login programs to read afs config
- Label 10933 as a pop port, for dovecot
- New policy to allow selinux_server.py to run as semanage_t as a dbus servic
- Add fixes to make netlabelctl working on MLS
- AVC's required for running sepolicy gui as staff_t
- Dontaudit attempts to read symlinks, sepolicy gui is likely to cause this t
- New dbus server to be used with new gui
- After modifying some files in /etc/mail, I saw this needed on the next boot
- Loading a vm from /usr/tmp with virt-manager
- Clean up oracleasm policy for Fedora
- Add oracleasm policy written by rlopez@redhat.com
- Make postfix_postdrop_t as mta_agent to allow domtrans to system mail if it
- Add label for /var/crash
- Allow fenced to domtrans to sanclok_t
- Allow nagios to manage nagios spool files
- Make tfptd as home_manager
- Allow kdump to read kcore on MLS system
- Allow mysqld-safe sys_nice/sys_resource caps
- Allow apache to search automount tmp dirs if http_use_nfs is enabled
- Allow crond to transition to named_t, for use with unbound
- Allow crond to look at named_conf_t, for unbound
- Allow mozilla_plugin_t to transition its home content
- Allow dovecot_domain to read all system and network state
- Allow httpd_user_script_t to call getpw
- Allow semanage to read pid files
- Dontaudit leaked file descriptors from user domain into thumb
- Make PAM authentication working if it is enabled in ejabberd
- Add fixes for rabbit to fix ##992920,#992931
- Allow glusterd to mount filesystems
- Loading a vm from /usr/tmp with virt-manager
- Trying to load a VM I got an AVC from devicekit_disk for loopcontrol device
- Add fix for pand service
- shorewall touches own log
- Allow nrpe to list /var
- Mozilla_plugin_roles can not be passed into lpd_run_lpr
- Allow afs domains to read afs_config files
- Allow login programs to read afs config
- Allow virt_domain to read virt_var_run_t symlinks
- Allow smokeping to send its process signals
- Allow fetchmail to setuid
- Add kdump_manage_crash() interface
- Allow abrt domain to write abrt.socket
2013-08-08 13:12:13 +02:00
Dan Walsh
0ea841fd7d unversioned doc dir change 2013-08-06 09:59:15 -04:00
Miroslav Grepl
5ed54459f6 - Add more aliases in pegasus.te
- Add more fixes for *_admin interfaces
- Add interface fixes
- Allow nscd to stream connect to nmbd
- Allow gnupg apps to write to pcscd socket
- Add more fixes for openlmi provides. Fix naming and support for a
- Allow fetchmail to resolve host names
- Allow firewalld to interact also with lnk files labeled as firewa
- Add labeling for cmpiLMI_Fan-cimprovagt
- Allow net_admin for glusterd
- Allow telepathy domain to create dconf with correct labeling in /
- Add pegasus_openlmi_system_t
- Fix puppet_domtrans_master() to make all puppet calling working i
- Fix corecmd_exec_chroot()
- Fix logging_relabel_syslog_pid_socket interface
- Fix typo in unconfineduser.te
- Allow system_r to access unconfined_dbusd_t to run hp_chec
2013-07-31 14:15:19 +02:00
Miroslav Grepl
6655c4c00e - Allow xdm_t to act as a dbus client to itsel
- Allow fetchmail to resolve host names
- Allow gnupg apps to write to pcscd socket
- Add labeling for cmpiLMI_Fan-cimprovagt
- Allow net_admin for glusterd
- Allow telepathy domain to create dconf with correct labeling in /home/user
- Add pegasus_openlmi_system_t
- Fix puppet_domtrans_master() to make all puppet calling working in passeng
-httpd_t does access_check on certs
2013-07-30 08:51:25 +02:00
Miroslav Grepl
993bf37643 - Add support for cmpiLMI_Service-cimprovagt
- Allow pegasus domtrans to rpm_t to make pycmpiLMI_Software-cimprovagt running as rpm_t
- Label pycmpiLMI_Software-cimprovagt as rpm_exec_t
- Add support for pycmpiLMI_Storage-cimprovagt
- Add support for cmpiLMI_Networking-cimprovagt
- Allow system_cronjob_t to create user_tmpfs_t to make pulseaudio working
- Allow virtual machines and containers to run as user doains, needed for virt-sandbox
- Allow buglist.cgi to read cpu info
2013-07-26 16:31:28 +02:00
Miroslav Grepl
0ab4f2d651 - Make auditd working if audit is configured to perform SINGLE action on disk error
- Add interfaces to handle systemd units
- Make systemd-notify working if pcsd is used
- Add support for netlabel and label /usr/sbin/netlabelctl as iptables_exec_t
- Instead of having all unconfined domains get all of the named transition rules,
- Only allow unconfined_t, init_t, initrc_t and rpm_script_t by default.
- Add definition for the salt ports
- Allow xdm_t to create link files in xdm_var_run_t
- Dontaudit reads of blk files or chr files leaked into ldconfig_t
- Allow sys_chroot for useradd_t
- Allow net_raw cap for ipsec_t
- Allow sysadm_t to reload services
- Add additional fixes to make strongswan working with a simple conf
- Allow sysadm_t to enable/disable init_t services
- Add additional glusterd perms
- Allow apache to read lnk files in the /mnt directory
- Allow glusterd to ask the kernel to load a module
- Fix description of ftpd_use_fusefs boolean
- Allow svirt_lxc_net_t to sys_chroot, modify policy to tighten up svirt_lxc_domain capabilties and process contro
- Allow glusterds to request load a kernel module
- Allow boinc to stream connect to xserver_t
- Allow sblim domains to read /etc/passwd
- Allow mdadm to read usb devices
- Allow collectd to use ping plugin
- Make foghorn working with SNMP
- Allow sssd to read ldap certs
- Allow haproxy to connect to RTP media ports
- Add additional trans rules for aide_db
- Add labeling for /usr/lib/pcsd/pcsd
- Add labeling for /var/log/pcsd
2013-07-22 15:32:38 +02:00
Miroslav Grepl
7a0f028107 - Label /var/lib/ipa/pki-ca/publish as pki_tomcat_cert_t
- Add labeling for /usr/libexec/kde4/polkit-kde-authentication-agent-1
- Allow all domains that can domtrans to shutdown, to start the power services s
- consolekit needs to be able to shut down system
- Move around interfaces
- Remove nfsd_rw_t and nfsd_ro_t, they don't do anything
- Add additional fixes for rabbitmq_beam to allow getattr on mountpoints
- Allow gconf-defaults-m to read /etc/passwd
- Fix pki_rw_tomcat_cert() interface to support lnk_files
2013-07-17 14:37:14 +02:00
Miroslav Grepl
21e8b675d4 * Thu Jul 11 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-63
- Add mdadm fixes
2013-07-11 12:57:29 +02:00
Miroslav Grepl
60ad55be4d * Tue Jul 9 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-62
- Fix definition of sandbox.disabled to sandbox.pp.disabled
2013-07-09 21:53:12 +02:00
Miroslav Grepl
d1027c54b9 - Add prosody policy written by Michael Scherer
- Allow nagios plugins to read /sys info
- ntpd needs to manage own log files
- Add support for HOME_DIR/.IBMERS
- Allow iptables commands to read firewalld config
- Allow consolekit_t to read utmp
- Fix filename transitions on .razor directory
- Add additional fixes to make DSPAM with LDA working
- Allow snort to read /etc/passwd
- Allow fail2ban to communicate with firewalld over dbus
- Dontaudit openshift_cgreoup_file_t read/write leaked dev
- Allow nfsd to use mountd port
- Call th proper interface
- Allow openvswitch to read sys and execute plymouth
- Allow tmpwatch to read /var/spool/cups/tmp
- Add support for /usr/libexec/telepathy-rakia
- Add systemd support for zoneminder
- Allow mysql to create files/directories under /var/log/mysql
- Allow zoneminder apache scripts to rw zoneminder tmpfs
- Allow httpd to manage zoneminder lib files
- Add zoneminder_run_sudo boolean to allow to start zoneminder
- Allow zoneminder to send mails
- gssproxy_t sock_file can be under /var/lib
- Allow web domains to connect to whois port.
- Allow sandbox_web_type to connect to the same ports as mozilla_plugin_t.
- We really need to add an interface to corenet to define what a web_client_domain i
- then define chrome_sandbox_t, mozilla_plugin_t and sandbox_web_type to that domain
- Add labeling for cmpiLMI_LogicalFile-cimprovagt
- Also make pegasus_openlmi_logicalfile_t as unconfined to have unconfined_domain at
- Update policy rules for pegasus_openlmi_logicalfile_t
- Add initial types for logicalfile/unconfined OpenLMI providers
- mailmanctl needs to read own log
- Allow logwatch manage own lock files
- Allow nrpe to read meminfo
- Allow httpd to read certs located in pki-ca
- Add pki_read_tomcat_cert() interface
- Add support for nagios openshift plugins
- Add port definition for redis port
- fix selinuxuser_use_ssh_chroot boolean
2013-07-08 09:18:11 +02:00
Miroslav Grepl
2d4ef1c07b - Shrink the size of policy by moving to attributes, also add dridomain so that mozilla_plugin can follow s
- Allow bootloader to manage generic log files
- Allow ftp to bind to port 989
- Fix label of new gear directory
- Add support for new directory /var/lib/openshift/gears/
- Add openshift_manage_lib_dirs()
- allow virtd domains to manage setrans_var_run_t
- Allow useradd to manage all openshift content
- Add support so that mozilla_plugin_t can use dri devices
- Allow chronyd to change the scheduler
- Allow apmd to shut downthe system
- Devicekit_disk_t needs to manage /etc/fstab
2013-06-28 21:52:00 +02:00
Dan Walsh
c23c3b2097 Fix name of sandbox.pp.disabled 2013-06-28 10:26:31 -04:00
Miroslav Grepl
b27c1f138f - Make DSPAM to act as a LDA working
- Allow ntop to create netlink socket
- Allow policykit to send a signal to policykit-auth
- Allow stapserver to dbus chat with avahi/systemd-logind
- Fix labeling on haproxy unit file
- Clean up haproxy policy
- A new policy for haproxy and placed it to rhcs.te
- Add support for ldirectord and treat it with cluster_t
- Make sure anaconda log dir is created with var_log_t
2013-06-27 07:36:03 +02:00
Dan Walsh
7c810a8041 We need to recompile policy if pcre is updated 2013-06-24 17:38:00 -04:00
Miroslav Grepl
634d39b171 - Allow lvm_t to create default targets for filesystem handling
- Fix labeling for razor-lightdm binaries
- Allow insmod_t to read any file labeled var_lib_t
- Add policy for pesign
- Activate policy for cmpiLMI_Account-cimprovagt
- Allow isnsd syscall=listen
- /usr/libexec/pegasus/cimprovagt needs setsched caused by sched_setschedule
- Allow ctdbd to use udp/4379
- gatherd wants sys_nice and setsched
- Add support for texlive2012
- Allow NM to read file_t (usb stick with no labels used to transfer keys fo
- Allow cobbler to execute apache with domain transition
2013-06-24 23:12:23 +02:00
Miroslav Grepl
82acdf3079 - Don't audit access checks by sandbox xserver on xdb var_lib
- Allow ntop to read usbmon devices
- Add labeling for new polcykit authorizor
- Dontaudit access checks from fail2ban_client
- Don't audit access checks by sandbox xserver on xdb var_lib
- Allow apps that connect to xdm stream to conenct to xdm_dbusd_t stream
- Fix labeling for all /usr/bim/razor-lightdm-* binaries
- Add filename trans for /dev/md126p1
2013-06-20 16:58:38 +02:00
Dan Walsh
859a101f23 Make vdagent able to request loading kernel module
- Add support for cloud-init make it as unconfined domain
- Allow snmpd to run smartctl in fsadm_t domain
- remove duplicate openshift_search_lib() interface
- Allow mysqld to search openshift lib files
- Allow openshift cgroup to interact with passedin file descriptors
- Allow colord to list directories inthe users homedir
- aide executes prelink to check files
- Make sure cupsd_t creates content in /etc/cups with the correct label
- Lest dontaudit apache read all domains, so passenger will not cause this avc
- Allow gssd to connect to gssproxy
- systemd-tmpfiles needs to be able to raise the level to fix labeling on /run/setrans in MLS
- Allow systemd-tmpfiles to relabel also lock files
- Allow useradd to add homdir in /var/lib/openshift
- Allow setfiles and semanage to write output to /run/files
2013-06-19 15:22:03 -04:00
Dan Walsh
9f52d7a4b1 Require sepolgen-ifgen to run in post install 2013-06-18 08:55:54 -04:00
Miroslav Grepl
708bb6ef9d - Add labeling for /dev/tgt
- Dontaudit leak fd from firewalld for modprobe
- Allow runuser running as rpm_script_t to
2013-06-14 12:56:00 +02:00
Miroslav Grepl
166a2805b7 - accountservice watches when accounts come and go in wtmp
- /usr/java/jre1.7.0_21/bin/java needs to create netlink socket
- Add httpd_use_sasl boolean
- Allow net_admin for tuned_t
- iscsid needs sys_module to auto-load kernel modules
- Allow blueman to read bluetooth conf
- Add nova_manage_lib_files() interface
- Fix mplayer_filetrans_home_content()
- Add mplayer_filetrans_home_content()
- mozilla_plugin_config_roles need to be able to access mozilla_plugin_co
- Revert "Allow thumb_t to append inherited xdm stream socket"
- Add iscsi_filetrans_named_content() interface
- Allow to create .mplayer with the correct labeling for unconfined
- Allow iscsiadmin to create lock file with the correct labeling
2013-06-13 15:39:05 +02:00
Miroslav Grepl
574431f1a2 - Fix openshift_search_lib
- Add support for abrt-uefioops-oops
- Allow colord to getattr any file system
- Allow chrome processes to look at each other
- Allow sys_ptrace for abrt_t
- Add new policy for gssproxy
- Dontaudit leaked file descriptor writes from firewalld
- openshift_net_type is interface not template
- Dontaudit pppd to search gnome config
- Update openshift_search_lib() interface
- Add fs_list_pstorefs()
- Fix label on libbcm_host.so since it is built incorrectly on raspberry pi, needs back port to F18
- Better labels for raspberry pi devices
- Allow init to create devpts_t directory
- Temporarily label rasbery pi devices as memory_device_t, needs back port to f18
- Allow sysadm_t to build kernels
- Make sure mount creates /var/run/blkid with the correct label, needs back port to F18
- Allow userdomains to stream connect to gssproxy
- Dontaudit leaked file descriptor writes from firewalld
- Allow xserver to read /dev/urandom
- Add additional fixes for ipsec-mgmt
- Make SSHing into an Openshift Enterprise Node working
2013-06-04 08:43:23 +02:00
Dan Walsh
9b75ca7d3d Run sepolgen-ifgen in post install or selinux-policy-devel 2013-05-29 17:15:19 -04:00
Miroslav Grepl
520d6f23fc Update to the latest f19 2013-05-29 16:10:13 +02:00
Miroslav Grepl
d4d3448653 - Dontaudit to getattr on dirs for dovecot-deliver
- Allow raiudusd server connect to postgresql socket
- Add kerberos support for radiusd
- Allow saslauthd to connect to ldap port
- Allow postfix to manage postfix_private_t files
- Add chronyd support for #965457
- Fix labeling for HOME_DIR/\.icedtea
- CHange squid and snmpd to be allowed also write own logs
- Fix labeling for /usr/libexec/qemu-ga
- Allow virtd_t to use virt_lock_t
- Allow also sealert to read the policy from the kernel
- qemu-ga needs to execute scripts in /usr/libexec/qemu-ga and to use
- Dontaudit listing of users homedir by sendmail Seems like a leak
- Allow passenger to transition to puppet master
- Allow apache to connect to mythtv
- Add definition for mythtv ports
2013-05-22 14:29:22 +02:00
Miroslav Grepl
471c1eb0e1 - Add additional fixes for #948073 bug
- Allow sge_execd_t to also connect to sge ports
- Allow openshift_cron_t to manage openshift_var_lib_t sym links
- Allow openshift_cron_t to manage openshift_var_lib_t sym links
- Allow sge_execd to bind sge ports. Allow kill capability and read
- Remove pulseaudio filetrans pulseaudio_manage_home_dirs which is
- Add networkmanager_stream_connect()
- Make gnome-abrt wokring with staff_t
- Fix openshift_manage_lib_files() interface
- mdadm runs ps command which seems to getattr on random log files
- Allow mozilla_plugin_t to create pulseaudit_home_t directories
- Allow qemu-ga to shutdown virtual hosts
- Add labelling for cupsd-browsed
- Add web browser plugins to connect to aol ports
- Allow nm-dhcp-helper to stream connect to NM
- Add port definition for sge ports
2013-05-17 11:10:08 +02:00
Dan Walsh
ff5e7c397d Make sure users and unconfined domains create .hushlogin with the correct label
- Allow pegaus to chat with realmd over DBus
- Allow cobblerd to read network state
- Allow boicn-client to stat on /dev/input/mice
- Allow certwatch to read net_config_t when it executes apache
- Allow readahead to create /run/systemd and then create its own directory with the correct label
2013-05-14 17:01:16 -04:00
Dan Walsh
bdd37e8965 Move {_usr}/share/selinux/devel/policy to -devel package so we can remove requirement to install -doc in livecd 2013-05-13 10:12:18 -04:00
Miroslav Grepl
16d305b0ec Update to latest F19 2013-05-10 23:14:26 +02:00
Miroslav Grepl
2d9b83e8dc - Remove userdom_home_manager for xdm_t and move all rules to xserver.te directly
- Add new xdm_write_home boolean to allow xdm_t to create files in HOME dirs with xdm_home_
- Allow postfix-showq to read/write unix.showq in /var/spool/postfix/pid
- Allow virsh to read xen lock file
- Allow qemu-ga to create files in /run with proper labeling
- Allow glusterd to connect to own socket in /tmp
- Allow glance-api to connect to http port to make glance image-create working
- Allow keystonte_t to execute rpm
2013-05-06 13:03:05 +02:00
Miroslav Grepl
728c6f653e - Allow tcpd to execute leafnode
- Allow samba-net to read realmd cache files
- Dontaudit sys_tty_config for alsactl
- Fix allow rules for postfix_var_run
- Allow cobblerd to read /etc/passwd
- Allow pegasus to read exports
- Allow systemd-timedate to read xdm state
- Allow mout to stream connect to rpcbind
- Add labeling just for /usr/share/pki/ca-trust-source instead of /usr/share/pki
2013-05-03 14:39:22 +02:00
Miroslav Grepl
a97fbb2332 * Tue Apr 30 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-38
- Allow thumbnails to share memory with apps which run thumbnails
- Allow postfix-postqueue block_suspend
- Add lib interfaces for smsd
- Add support for nginx
- Allow s2s running as jabberd_t to connect to jabber_interserver_port_t
- Allow pki apache domain to create own tmp files and execute httpd_suexec
- Allow procmail to manger user tmp files/dirs/lnk_files
- Add virt_stream_connect_svirt() interface
- Allow dovecot-auth to execute bin_t
- Allow iscsid to request that kernel load a kernel module
- Add labeling support for /var/lib/mod_security
- Allow iw running as tuned_t to create netlink socket
- Dontaudit sys_tty_config for thumb_t
- Add labeling for nm-l2tp-service
- Allow httpd running as certwatch_t to open tcp socket
- Allow useradd to manager smsd lib files
- Allow useradd_t to add homedirs in /var/lib
- Fix typo in userdomain.te
- Cleanup userdom_read_home_certs
- Implement userdom_home_reader_certs_type to allow read certs also on encrypt /home with ecryptfs_t
- Allow staff to stream connect to svirt_t to make gnome-boxes working
2013-04-30 15:56:20 +02:00
Miroslav Grepl
ac58d9fab2 - Allow lvm to create its own unit files
- Label /var/lib/sepolgen as selinux_config_t
- Add filetrans rules for tw devices
- Add transition from cupsd_config_t to cupsd_t
2013-04-26 14:11:44 +02:00
Miroslav Grepl
d61e0b894f - Fix lockdev_manage_files()
- Allow setroubleshootd to read var_lib_t to make email_alert working
- Add lockdev_manage_files()
- Call proper interface in virt.te
- Allow gkeyring_domain to create /var/run/UID/config/dbus file
- system dbus seems to be blocking suspend
- Dontaudit attemps to sys_ptrace, which I believe gpsd does not need
- When you enter a container from root, you generate avcs with a leaked file descriptor
- Allow mpd getattr on file system directories
- Make sure realmd creates content with the correct label
- Allow systemd-tty-ask to write kmsg
- Allow mgetty to use lockdev library for device locking
- Fix selinuxuser_user_share_music boolean name to selinuxuser_share_music
- When you enter a container from root, you generate avcs with a leaked file descriptor
- Make sure init.fc files are labeled correctly at creation
- File name trans vconsole.conf
- Fix labeling for nagios plugins
- label shared libraries in /opt/google/chrome as testrel_shlib_t
2013-04-23 12:44:02 +02:00
Miroslav Grepl
aae6505e89 - Allow realmd to run ipa, really needs to be an unconfined_domain
- Allow sandbox domains to use inherted terminals
- Allow pscd to use devices labeled svirt_image_t in order to use cat cards.
- Add label for new alsa pid
- Alsa now uses a pid file and needs to setsched
- Fix oracleasmfs_t definition
- Add support for sshd_unit_file_t
- Add oracleasmfs_t
- Allow unlabeled_t files to be stored on unlabeled_t filesystems
2013-04-18 12:46:24 +02:00
Miroslav Grepl
d42d1657e3 - Fix description of deny_ptrace boolean
- Remove allow for execmod lib_t for now
- Allow quantum to connect to keystone port
- Allow nova-console to talk with mysql over unix stream socket
- Allow dirsrv to stream connect to uuidd
- thumb_t needs to be able to create ~/.cache if it does not exist
- virtd needs to be able to sys_ptrace when starting and stoping containers
2013-04-16 13:24:49 +02:00
Miroslav Grepl
1d348dfc25 * Mon Apr 15 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-30
- Allow alsa_t signal_perms, we probaly should search for any app that c
- Add dontaudit for mozilla_plugin_t looking at the xdm_t sockets
- Fix deny_ptrace boolean, certain ptrace leaked into the system
- Allow winbind to manage kerberos_rcache_host
- Allow spamd to create spamd_var_lib_t directories
- Remove transition to mozilla_tmp_t by mozilla_t, to allow it to manage
- Add mising nslcd_dontaudit_write_sock_file() interface
- one more fix
- Fix pki_read_tomcat_lib_files() interface
- Allow certmonger to read pki-tomcat lib files
- Allow certwatch to execute bin_t
- Allow snmp to manage /var/lib/net-snmp files
- Call snmp_manage_var_lib_files(fogorn_t) instead of snmp_manage_var_di
- Fix vmware_role() interface
- Fix cobbler_manage_lib_files() interface
- Allow nagios check disk plugins to execute bin_t
- Allow quantum to transition to openvswitch_t
- Allow postdrop to stream connect to postfix-master
- Allow quantum to stream connect to openvswitch
- Add xserver_dontaudit_xdm_rw_stream_sockets() interface
- Allow daemon to send dgrams to initrc_t
- Allow kdm to start the power service to initiate a reboot or poweroff
2013-04-15 12:26:13 +02:00
Miroslav Grepl
fa447f104a - Add mising nslcd_dontaudit_write_sock_file() interface
- one more fix
- Fix pki_read_tomcat_lib_files() interface
- Allow certmonger to read pki-tomcat lib files
- Allow certwatch to execute bin_t
- Allow snmp to manage /var/lib/net-snmp files
- Don't audit attempts to write to stream socket of nscld by thumbnailers
- Allow git_system_t to read network state
- Allow pegasas to execute mount command
- Fix desc for drdb_admin
- Fix condor_amin()
- Interface fixes for uptime, vdagent, vnstatd
- Fix labeling for moodle in /var/www/moodle/data
- Add interface fixes
- Allow bugzilla to read certs
- /var/www/moodle needs to be writable by apache
- Add interface to dontaudit attempts to send dbus messages to systemd domains, for xguest
- Fix namespace_init_t to create content with proper labels, and allow it to manage all user conten
- Allow httpd_t to connect to osapi_compute port using httpd_use_openstack bolean
- Fixes for dlm_controld
- Fix apache_read_sys_content_rw_dirs() interface
- Allow logrotate to read /var/log/z-push dir
- Fix sys_nice for cups_domain
- Allow postfix_postdrop to acces postfix_public socket
- Allow sched_setscheduler for cupsd_t
- Add missing context for /usr/sbin/snmpd
- Kernel_t needs mac_admin in order to support labeled NFS
- Fix systemd_dontaudit_dbus_chat() interface
- Add interface to dontaudit attempts to send dbus messages to systemd domains, for xguest
- Allow consolehelper domain to write Xauth files in /root
- Add port definition for osapi_compute por
2013-04-11 22:49:52 +02:00
Miroslav Grepl
d8b4fa387f - Allow httpd_t to connect to osapi_compute port using httpd_use_openstac
- Fixes for dlm_controld
- Fix apache_read_sys_content_rw_dirs() interface
- Allow logrotate to read /var/log/z-push dir
- Allow postfix_postdrop to acces postfix_public socket
- Allow sched_setscheduler for cupsd_t
- Add missing context for /usr/sbin/snmpd
- Allow consolehelper more access discovered by Tom London
- Allow fsdaemon to send signull to all domain
- Add port definition for osapi_compute port
- Allow unconfined to create /etc/hostname with correct labeling
- Add systemd_filetrans_named_hostname() interface
2013-04-08 14:05:50 +02:00
Dan Walsh
a48e548c78 Fix file_contexts.subs to label /run/lock correctly 2013-04-07 06:55:41 -04:00
Miroslav Grepl
f4f51d7574 * Fri Apr 5 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-26
- Try to label on controlC devices up to 30 correctly
- Add mount_rw_pid_files() interface
- Add additional mount/umount interfaces needed by mock
- fsadm_t sends audit messages in reads kernel_ipc_info when doing livecd-iso-to-disk
- Fix tabs
- Allow initrc_domain to search rgmanager lib files
- Add more fixes which make mock working together with confined users
  * Allow mock_t to manage rpm files
  * Allow mock_t to read rpm log files
  * Allow mock to setattr on tmpfs, devpts
  * Allow mount/umount filesystems
- Add rpm_read_log() interface
- yum-cron runs rpm from within it.
- Allow tuned to transition to dmidecode
- Allow firewalld to do net_admin
- Allow mock to unmont tmpfs_t
- Fix virt_sigkill() interface
- Add additional fixes for mock. Mainly caused by mount running in mock_t
- Allow mock to write sysfs_t and mount pid files
- Add mailman_domain to mailman_template()
- Allow openvswitch to execute shell
- Allow qpidd to use kerberos
- Allow mailman to use fusefs, needs back port to RHEL6
- Allow apache and its scripts to use anon_inodefs
- Add alias for git_user_content_t and git_sys_content_t so that RHEL6 will update to RHEL7
- Realmd needs to connect to samba ports, needs back port to F18 also
- Allow colord to read /run/initial-setup-
- Allow sanlock-helper to send sigkill to virtd which is registred to sanlock
- Add virt_kill() interface
- Add rgmanager_search_lib() interface
- Allow wdmd to getattr on all filesystems. Back ported from RHEL6
2013-04-05 17:34:40 +02:00
Miroslav Grepl
d9444b18fb - Allow realmd to create tmp files
- FIx ircssi_home_t type to irssi_home_t
- Allow adcli running as realmd_t to connect to ldap port
- Allow NetworkManager to transition to ipsec_t, for running strongswan
- Make openshift_initrc_t an lxc_domain
- Allow gssd to manage user_tmp_t files
- Fix handling of irclogs in users homedir
- Fix labeling for drupal an wp-content in subdirs of /var/www/html
- Allow abrt to read utmp_t file
- Fix openshift policy to transition lnk_file, sock-file an fifo_file when created in a
- fix labeling for (oo|rhc)-restorer-wrapper.sh
- firewalld needs to be able to write to network sysctls
- Fix mozilla_plugin_dontaudit_rw_sem() interface
- Dontaudit generic ipc read/write to a mozilla_plugin for sandbox_x domains
- Add mozilla_plugin_dontaudit_rw_sem() interface
- Allow svirt_lxc_t to transition to openshift domains
- Allow condor domains block_suspend and dac_override caps
- Allow condor_master to read passd
- Allow condor_master to read system state
- Allow NetworkManager to transition to ipsec_t, for running strongswan
- Lots of access required by lvm_t to created encrypted usb device
- Allow xdm_t to dbus communicate with systemd_localed_t
- Label strongswan content as ipsec_exec_mgmt_t for now
- Allow users to dbus chat with systemd_localed
- Fix handling of .xsession-errors in xserver.if, so kde will work
- Might be a bug but we are seeing avc's about people status on init_t:service
- Make sure we label content under /var/run/lock as <<none>>
- Allow daemon and systemprocesses to search init_var_run_t directory
- Add boolean to allow xdm to write xauth data to the home directory
- Allow mount to write keys for the unconfined domain
2013-04-02 14:31:42 +02:00
Miroslav Grepl
30fc9edc15 - Add labeling for /usr/share/pki
- Allow programs that read var_run_t symlinks also read var_t symlinks
- Add additional ports as mongod_port_t for  27018, 27019, 28017, 28018 and 28019
- Fix labeling for /etc/dhcp directory
- add missing systemd_stub_unit_file() interface
- Add files_stub_var() interface
- Add lables for cert_t directories
- Make localectl set-x11-keymap working at all
- Allow abrt to manage mock build environments to catch build problems.
- Allow virt_domains to setsched for running gdb on itself
- Allow thumb_t to execute user home content
- Allow pulseaudio running as mozilla_plugin_t to read /run/systemd/users/1000
- Allow certwatch to execut /usr/bin/httpd
- Allow cgred to send signal perms to itself, needs back port to RHEL6
- Allow openshift_cron_t to look at quota
- Allow cups_t to read inhered tmpfs_t from the kernel
- Allow yppasswdd to use NIS
- Tuned wants sys_rawio capability
- Add ftpd_use_fusefs boolean
- Allow dirsrvadmin_t to signal itself
2013-03-27 13:13:37 +01:00
Dan Walsh
6c034c693d Allow localectl to read /etc/X11/xorg.conf.d directory
- Revert "Revert "Fix filetrans rules for kdm creates .xsession-errors""
- Allow mount to transition to systemd_passwd_agent
- Make sure abrt directories are labeled correctly
- Allow commands that are going to read mount pid files to search mount_var_run_t
- label /usr/bin/repoquery as rpm_exec_t
- Allow automount to block suspend
- Add abrt_filetrans_named_content so that abrt directories get labeled correctly
- Allow virt domains to setrlimit and read file_context
2013-03-24 06:39:58 -04:00
Dan Walsh
07ce8fa723 Merge branches 'master' and 'master' of ssh://pkgs.fedoraproject.org/selinux-policy 2013-03-13 13:25:16 -04:00
Dan Walsh
aef8acfec2 Fix triggerpostun command 2013-03-13 13:25:00 -04:00
Miroslav Grepl
00d1b82850 - Adopt swift changes from lhh@redhat.com
- Add rhcs_manage_cluster_pid_files() interface
- Allow screen domains to configure tty and setup sock_file in ~/.screen direct
- ALlow setroubleshoot to read default_context_t, needed to backport to F18
- Label /etc/owncloud as being an apache writable directory
- Allow sshd to stream connect to an lxc domain
2013-03-08 13:34:20 +01:00
Miroslav Grepl
06b84e3300 - Allow postgresql to manage rgmanager pid files
- Allow postgresql to read ccs data
- Allow systemd_domain to send dbus messages to policykit
- Add labels for /etc/hostname and /etc/machine-info and allow systemd-hostnamed to create
- All systemd domains that create content are reading the file_context file and setfscreat
- Systemd domains need to search through init_var_run_t
- Allow sshd to communicate with libvirt to set containers labels
- Add interface to manage pid files
- Allow NetworkManger_t to read /etc/hostname
- Dontaudit leaked locked files into openshift_domains
- Add fixes for oo-cgroup-read - it nows creates tmp files
- Allow gluster to manage all directories as well as files
- Dontaudit chrome_sandbox_nacl_t using user terminals
- Allow sysstat to manage its own log files
- Allow virtual machines to setrlimit and send itself signals.
- Add labeling for /var/run/hplip
2013-03-07 11:49:39 +01:00
Miroslav Grepl
e30ef5a20a * Mon Mar 4 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-18
- Fix POSTIN scriptlet
2013-03-04 07:42:03 +01:00
Miroslav Grepl
ed588c9a54 Fix spec file 2013-03-01 14:16:02 +01:00
Miroslav Grepl
e4a8be5950 * Fri Feb 1 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-17
- Merge rgmanger, corosync,pacemaker,aisexec policies to cluster_t in rhcs.pp
2013-03-01 14:13:51 +01:00
Miroslav Grepl
59421a6c70 Remove rgmanager,pacemaker,aisexec,pacemaker policies which have been merge to rhcs.pp as cluster_t 2013-03-01 14:05:44 +01:00
Dan Walsh
1be9b19a4f Merge branch 'master' of ssh://pkgs.fedoraproject.org/selinux-policy 2013-02-28 10:04:11 -05:00
Dan Walsh
0aef6e5668 Cover up errors if .config dir does not exist, no need to run restorecon twice 2013-02-28 10:04:00 -05:00
Miroslav Grepl
94b74a373a - Allow nmbd_t to create samba_var_t directories
- Add filename transition support for spamassassin policy
- Add filename transition support for tvtime
- Fix alsa_home_filetrans_alsa_home() interface
- Move all userdom_filetrans_home_content() calling out of booleans
- Allow logrotote to getattr on all file sytems
- Remove duplicate userdom_filetrans_home_content() calling
- Allow kadmind to read /etc/passwd
- Dontaudit append .xsession-errors file on ecryptfs for  policykit-auth
- Allow antivirus domain to manage antivirus db links
- Allow logrotate to read /sys
- Allow mandb to setattr on man dirs
- Remove mozilla_plugin_enable_homedirs boolean
- Fix ftp_home_dir boolean
- homedir mozilla filetrans has been moved to userdom_home_manager
- homedir telepathy filetrans has been moved to userdom_home_manager
- Remove gnome_home_dir_filetrans() from gnome_role_gkeyringd()
- Might want to eventually write a daemon on fusefsd.
- Add policy fixes for sshd [net] child from plautrba@redhat.com
- Tor uses a new port
- Remove bin_t for authconfig.py
- Fix so only one call to userdom_home_file_trans
- Allow home_manager_types to create content with the correctl label
- Fix all domains that write data into the homedir to do it with the correct label
- Change the postgresql to use proper boolean names, which is causing httpd_t to
- not get access to postgresql_var_run_t
- Hostname needs to send syslog messages
- Localectl needs to be able to send dbus signals to users
- Make sure userdom_filetrans_type will create files/dirs with user_home_t labeling by default
- Allow user_home_manger domains to create spam* homedir content with correct labeling
- Allow user_home_manger domains to create HOMEDIR/.tvtime with correct labeling
- Add missing miscfiles_setattr_man_pages() interface and for now comment some rules for userdom_filetrans_type t
- Declare userdom_filetrans_type attribute
- userdom_manage_home_role() needs to be called withoout usertype attribute because of userdom_filetrans_type att
2013-02-27 20:03:22 +01:00
Dan Walsh
79ec805e92 Man pages are now generated in the build process
- Allow cgred to list inotifyfs filesystem
2013-02-22 19:12:36 +01:00
Dan Walsh
6a97c74b42 Man pages are now generated in the build process
- Allow cgred to list inotifyfs filesystem
2013-02-22 16:38:27 +01:00
Miroslav Grepl
cc78bcd4dc New POLICYCOREUTILSVER is required 2013-02-22 13:45:09 +01:00
Miroslav Grepl
2aca9b6e0b * Thu Feb 21 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-15
- Man pages are now generated in the build process
- Allow cgred to list inotifyfs filesystem
2013-02-21 17:13:10 +01:00
Dan Walsh
a7c9a93681 Switch to building man pages and html pages on the fly 2013-02-21 16:30:31 +01:00
Miroslav Grepl
26cbc57930 - Allow gluster to get attrs on all fs
- New access required for virt-sandbox
- Allow dnsmasq to execute bin_t
- Allow dnsmasq to create content in /var/run/NetworkManager
- Fix openshift_initrc_signal() interface
- Dontaudit openshift domains doing getattr on other domains
- Allow consolehelper domain to communicate with session bus
- Mock should not be transitioning to any other domains,  we should ke
- Update virt_qemu_ga_t policy
- Allow authconfig running from realmd to restart oddjob service
- Add systemd support for oddjob
- Add initial policy for realmd_consolehelper_t which if for authconfi
- Add labeling for gnashpluginrc
- Allow chrome_nacl to execute /dev/zero
- Allow condor domains to read /proc
- mozilla_plugin_t will getattr on /core if firefox crashes
- Allow condor domains to read /etc/passwd
- Allow dnsmasq to execute shell scripts, openstack requires this acce
- Fix glusterd labeling
- Allow virtd_t to interact with the socket type
- Allow nmbd_t to override dac if you turned on sharing all files
- Allow tuned to created kobject_uevent socket
- Allow guest user to run fusermount
- Allow openshift to read /proc and locale
- Allow realmd to dbus chat with rpm
- Add new interface for virt
- Remove depracated interfaces
- Allow systemd_domains read access on etc, etc_runtime and usr files,
- /usr/share/munin/plugins/plugin.sh should be labeled as bin_t
- Remove some more unconfined_t process transitions, that I don't beli
- Stop transitioning uncofnined_t to checkpc
- dmraid creates /var/lock/dmraid
- Allow systemd_localed to creatre unix_dgram_sockets
- Allow systemd_localed to write kernel messages.
- Also cleanup systemd definition a little.
- Fix userdom_restricted_xwindows_user_template() interface
- Label any block devices or char devices under /dev/infiniband as fix
- User accounts need to dbus chat with accountsd daemon
- Gnome requires all users to be able to read /proc/1/
2013-02-20 14:47:02 +01:00
Dan Walsh
f0628b3cd7 Always run restorecon at install time to make sure key files are labeled correctly 2013-02-20 14:13:08 +01:00
Dan Walsh
5eea0f4403 Always run restorecon at install time to make sure key files are labeled correctly 2013-02-20 14:12:19 +01:00
Dan Walsh
3460d4cd12 Remove shutdown policy. Shutdown is now a symlink to systemctl. 2013-02-20 06:31:55 +01:00
Miroslav Grepl
2599f2f590 - virsh now does a setexeccon call
- Additional rules required by openshift domains
- Allow svirt_lxc_domains to use inherited terminals, needed to make virt-sandbox-serv
- Allow spamd_update_t to search spamc_home_t
- Avcs discovered by mounting an isci device under /mnt
- Allow lspci running as logrotate to read pci.ids
- Additional fix for networkmanager_read_pid_files()
- Fix networkmanager_read_pid_files() interface
- Allow all svirt domains to connect to svirt_socket_t
- Allow virsh to set SELinux context for a process.
- Allow tuned to create netlink_kobject_uevent_socket
- Allow systemd-timestamp to set SELinux context
- Add support for /var/lib/systemd/linger
- Fix ssh_sysadm_login to be working on MLS as expected
2013-02-14 19:06:59 +01:00
Dan Walsh
79355670f4 Bump required versions for tool chain. 2013-02-13 09:24:21 -05:00
Miroslav Grepl
7980df38fe - Rename files_rw_inherited_tmp_files to files_rw_inherited_tmp_file
- Add missing files_rw_inherited_tmp_files interface
- Add additional interface for ecryptfs
- ALlow nova-cert to connect to postgresql
- Allow keystone to connect to postgresql
- Allow all cups domains to getattr on filesystems
- Allow pppd to send signull
- Allow tuned to execute ldconfig
- Allow gpg to read fips_enabled
- Add additional fixes for ecryptfs
- Allow httpd to work with posgresql
- Allow keystone getsched and setsched
2013-02-11 16:57:33 +01:00
Miroslav Grepl
ad094338a5 - Allow gpg to read fips_enabled
- Add support for /var/cache/realmd
- Add support for /usr/sbin/blazer_usb and systemd support for nut
- Add labeling for fenced_sanlock and allow sanclok transition to fen
- bitlbee wants to read own log file
- Allow glance domain to send a signal itself
- Allow xend_t to request that the kernel load a kernel module
- Allow pacemaker to execute heartbeat lib files
- cleanup new swift policy
2013-02-08 14:01:21 +01:00
Miroslav Grepl
953ff14b8b Fix spec file 2013-02-05 11:02:32 +01:00
Miroslav Grepl
da973f3722 - Add xserver_xdm_ioctl_log() interface
- Allow Xusers to ioctl lxdm.log to make lxdm working
- Add MLS fixes to make MLS boot/log-in working
- Add mls_socket_write_all_levels() also for syslogd
- fsck.xfs needs to read passwd
- Fix ntp_filetrans_named_content calling in init.te
- Allow postgresql to create pg_log dir
- Allow sshd to read rsync_data_t to make rsync <backuphost> working
- Change ntp.conf to be labeled net_conf_t
- Allow useradd to create homedirs in /run.  ircd-ratbox does this and we sho
- Allow xdm_t to execute gstreamer home content
- Allod initrc_t and unconfined domains, and sysadm_t to manage ntp
- New policy for openstack swift domains
- More access required for openshift_cron_t
- Use cupsd_log_t instead of cupsd_var_log_t
- rpm_script_roles should be used in rpm_run
- Fix rpm_run() interface
- Fix openshift_initrc_run()
- Fix sssd_dontaudit_stream_connect() interface
- Fix sssd_dontaudit_stream_connect() interface
- Allow LDA's job to deliver mail to the mailbox
- dontaudit block_suspend for mozilla_plugin_t
- Allow l2tpd_t to all signal perms
- Allow uuidgen to read /dev/random
- Allow mozilla-plugin-config to read power_supply info
- Implement cups_domain attribute for cups domains
- We now need access to user terminals since we start by executing a command
- We now need access to user terminals since we start by executing a command
- svirt lxc containers want to execute userhelper apps, need these changes to
- Add containment of openshift cron jobs
- Allow system cron jobs to create tmp directories
- Make userhelp_conf_t a config file
- Change rpm to use rpm_script_roles
- More fixes for rsync to make rsync <backuphost> wokring
- Allow logwatch to domtrans to mdadm
- Allow pacemaker to domtrans to ifconfig
- Allow pacemaker to setattr on corosync.log
- Add pacemaker_use_execmem for memcheck-amd64 command
- Allow block_suspend capability
- Allow create fifo_file in /tmp with pacemaker_tmp_t
- Allow systat to getattr on fixed disk
- Relabel /etc/ntp.conf to be net_conf_t
- ntp_admin should create files in /etc with the correct label
- Add interface to create ntp_conf_t files in /etc
- Add additional labeling for quantum
- Allow quantum to execute dnsmasq with transition
2013-02-05 11:01:00 +01:00