Commit Graph

520 Commits

Author SHA1 Message Date
Zdenek Pytela
b2c25500b4 * Tue Jun 18 2024 Zdenek Pytela <zpytela@redhat.com> - 40.13.3-1
- Allow virtqemud manage nfs files when virt_use_nfs boolean is on
Resolves: RHEL-40205
- Allow virt_driver_domain read files labeled unconfined_t
Resolves: RHEL-40262
- Allow virt_driver_domain dbus chat with policykit
Resolves: RHEL-40346
- Escape "interface" as a file name in a virt filetrans pattern
Resolves: RHEL-34769
- Allow setroubleshootd get attributes of all sysctls
Resolves: RHEL-40923
- Allow qemu-ga read vm sysctls
Resolves: RHEL-40829
- Allow sbd to trace processes in user namespace
Resolves: RHEL-39989
- Allow request-key execute scripts
Resolves: RHEL-38920
- Update policy for haproxyd
Resolves: RHEL-40877
2024-06-18 17:27:30 +02:00
Zdenek Pytela
1dacbf26a9 * Fri Jun 07 2024 Zdenek Pytela <zpytela@redhat.com> - 40.13.2-1
- Allow all domains read and write z90crypt device
Resolves: RHEL-28539
- Allow dhcpc read /run/netns files
Resolves: RHEL-39510
- Allow bootupd search efivarfs dirs
Resolves: RHEL-39514
2024-06-07 20:11:48 +02:00
Zdenek Pytela
9359be591b * Fri May 17 2024 Zdenek Pytela <zpytela@redhat.com> - 40.19-1
- Allow postfix smtpd map aliases file
- Ensure dbus communication is allowed bidirectionally
- Label systemd configuration files with systemd_conf_t
- Label /run/systemd/machine with systemd_machined_var_run_t
- Allow systemd-hostnamed read the vsock device
- Allow sysadm execute dmidecode using sudo
- Allow sudodomain list files in /var
- Allow setroubleshootd get attributes of all sysctls
- Allow various services read and write z90crypt device
- Allow nfsidmap connect to systemd-homed
- Allow sandbox_x_client_t dbus chat with accountsd
- Allow system_cronjob_t dbus chat with avahi_t
- Allow staff_t the io_uring sqpoll permission
- Allow staff_t use the io_uring API
- Add support for secretmem anon inode
- Backport /var/run change related improvements
2024-05-18 22:13:10 +00:00
Zdenek Pytela
0a14f83579 * Mon Feb 12 2024 Zdenek Pytela <zpytela@redhat.com> - 40.13-1
- Only allow confined user domains to login locally without unconfined_login
- Add userdom_spec_domtrans_confined_admin_users interface
- Only allow admindomain to execute shell via ssh with ssh_sysadm_login
- Add userdom_spec_domtrans_admin_users interface
- Move ssh dyntrans to unconfined inside unconfined_login tunable policy
- Update ssh_role_template() for user ssh-agent type
- Allow init to inherit system DBus file descriptors
- Allow init to inherit fds from syslogd
- Allow any domain to inherit fds from rpm-ostree
- Update afterburn policy
- Allow init_t nnp domain transition to abrtd_t
2024-02-12 12:26:33 +01:00
Zdenek Pytela
6dd5c78a95 * Tue Feb 06 2024 Zdenek Pytela <zpytela@redhat.com> - 40.12-1
- Rename all /var/lock file context entries to /run/lock
- Rename all /var/run file context entries to /run
- Invert the "/var/run = /run" equivalency
2024-02-06 14:25:48 +01:00
Zdenek Pytela
0ec128677b * Mon Feb 05 2024 Zdenek Pytela <zpytela@redhat.com> - 40.11-1
- Replace init domtrans rule for confined users to allow exec init
- Update dbus_role_template() to allow user service status
- Allow polkit status all systemd services
- Allow setroubleshootd create and use inherited io_uring
- Allow load_policy read and write generic ptys
- Allow gpg manage rpm cache
- Allow login_userdomain name_bind to howl and xmsg udp ports
- Allow rules for confined users logged in plasma
- Label /dev/iommu with iommu_device_t
- Remove duplicate file context entries in /run
- Dontaudit getty and plymouth the checkpoint_restore capability
- Allow su domains write login records
- Revert "Allow su domains write login records"
- Allow login_userdomain delete session dbusd tmp socket files
- Allow unix dgram sendto between exim processes
- Allow su domains write login records
- Allow smbd_t to watch user_home_dir_t if samba_enable_home_dirs is on
2024-02-05 16:57:20 +01:00
Zdenek Pytela
ac73b2b07b * Wed Jan 24 2024 Zdenek Pytela <zpytela@redhat.com> - 40.10-1
- Allow chronyd-restricted read chronyd key files
- Allow conntrackd_t to use bpf capability2
- Allow systemd-networkd manage its runtime socket files
- Allow init_t nnp domain transition to colord_t
- Allow polkit status systemd services
- nova: Fix duplicate declarations
- Allow httpd work with PrivateTmp
- Add interfaces for watching and reading ifconfig_var_run_t
- Allow collectd read raw fixed disk device
- Allow collectd read udev pid files
- Set correct label on /etc/pki/pki-tomcat/kra
- Allow systemd domains watch system dbus pid socket files
- Allow certmonger read network sysctls
- Allow mdadm list stratisd data directories
- Allow syslog to run unconfined scripts conditionally
- Allow syslogd_t nnp_transition to syslogd_unconfined_script_t
- Allow qatlib set attributes of vfio device files
2024-01-24 21:28:05 +01:00
Zdenek Pytela
443b716de1 * Tue Jan 09 2024 Zdenek Pytela <zpytela@redhat.com> - 40.9-1
- Allow systemd-sleep set attributes of efivarfs files
- Allow samba-dcerpcd read public files
- Allow spamd_update_t the sys_ptrace capability in user namespace
- Allow bluetooth devices work with alsa
- Allow alsa get attributes filesystems with extended attributes
2024-01-09 20:59:16 +01:00
Zdenek Pytela
68923ff3dd * Thu Dec 21 2023 Zdenek Pytela <zpytela@redhat.com> - 40.8-1
- Allow hypervkvp_t write access to NetworkManager_etc_rw_t
- Add interface for write-only access to NetworkManager rw conf
- Allow systemd-sleep send a message to syslog over a unix dgram socket
- Allow init create and use netlink netfilter socket
- Allow qatlib load kernel modules
- Allow qatlib run lspci
- Allow qatlib manage its private runtime socket files
- Allow qatlib read/write vfio devices
- Label /etc/redis.conf with redis_conf_t
- Remove the lockdown-class rules from the policy
- Allow init read all non-security socket files
- Replace redundant dnsmasq pattern macros
- Remove unneeded symlink perms in dnsmasq.if
- Add additions to dnsmasq interface
- Allow nvme_stas_t create and use netlink kobject uevent socket
- Allow collectd connect to statsd port
- Allow keepalived_t to use sys_ptrace of cap_userns
- Allow dovecot_auth_t connect to postgresql using UNIX socket
2023-12-21 17:03:58 +01:00
Zdenek Pytela
df4c66da89 * Wed Dec 13 2023 Zdenek Pytela <zpytela@redhat.com> - 40.7-1
- Make named_zone_t and named_var_run_t a part of the mountpoint attribute
- Allow sysadm execute traceroute in sysadm_t domain using sudo
- Allow sysadm execute tcpdump in sysadm_t domain using sudo
- Allow opafm search nfs directories
- Add support for syslogd unconfined scripts
- Allow gpsd use /dev/gnss devices
- Allow gpg read rpm cache
- Allow virtqemud additional permissions
- Allow virtqemud manage its private lock files
- Allow virtqemud use the io_uring api
- Allow ddclient send e-mail notifications
- Allow postfix_master_t map postfix data files
- Allow init create and use vsock sockets
- Allow thumb_t append to init unix domain stream sockets
- Label /dev/vas with vas_device_t
- Change domain_kernel_load_modules boolean to true
- Create interface selinux_watch_config and add it to SELinux users
2023-12-13 16:42:42 +01:00
Zdenek Pytela
ce3921683b * Tue Nov 28 2023 Zdenek Pytela <zpytela@redhat.com> - 40.6-1
- Add afterburn to modules-targeted-contrib.conf
- Update cifs interfaces to include fs_search_auto_mountpoints()
- Allow sudodomain read var auth files
- Allow spamd_update_t read hardware state information
- Allow virtnetworkd domain transition on tc command execution
- Allow sendmail MTA connect to sendmail LDA
- Allow auditd read all domains process state
- Allow rsync read network sysctls
- Add dhcpcd bpf capability to run bpf programs
- Dontaudit systemd-hwdb dac_override capability
- Allow systemd-sleep create efivarfs files
2023-11-28 15:43:25 +01:00
Zdenek Pytela
648853f428 * Tue Nov 14 2023 Zdenek Pytela <zpytela@redhat.com> - 40.5-1
- Allow map xserver_tmpfs_t files when xserver_clients_write_xshm is on
- Allow graphical applications work in Wayland
- Allow kdump work with PrivateTmp
- Allow dovecot-auth work with PrivateTmp
- Allow nfsd get attributes of all filesystems
- Allow unconfined_domain_type use io_uring cmd on domain
- ci: Only run Rawhide revdeps tests on the rawhide branch
- Label /var/run/auditd.state as auditd_var_run_t
- Allow fido-device-onboard (FDO) read the crack database
- Allow ip an explicit domain transition to other domains
- Label /usr/libexec/selinux/selinux-autorelabel with semanage_exec_t
- Allow  winbind_rpcd_t processes access when samba_export_all_* is on
- Enable NetworkManager and dhclient to use initramfs-configured DHCP connection
- Allow ntp to bind and connect to ntske port.
- Allow system_mail_t manage exim spool files and dirs
- Dontaudit keepalived setattr on keepalived_unconfined_script_exec_t
- Label /run/pcsd.socket with cluster_var_run_t
- ci: Run cockpit tests in PRs
2023-11-14 20:38:51 +01:00
Zdenek Pytela
2d11fcc9ab * Thu Oct 19 2023 Zdenek Pytela <zpytela@redhat.com> - 40.4-1
- Add map_read map_write to kernel_prog_run_bpf
- Allow systemd-fstab-generator read all symlinks
- Allow systemd-fstab-generator the dac_override capability
- Allow rpcbind read network sysctls
- Support using systemd containers
- Allow sysadm_t to connect to iscsid using a unix domain stream socket
- Add policy for coreos installer
- Add coreos_installer to modules-targeted-contrib.conf
2023-10-19 17:46:31 +02:00
Zdenek Pytela
1cd26ed671 * Tue Oct 17 2023 Zdenek Pytela <zpytela@redhat.com> - 40.3-1
- Add policy for nvme-stas
- Confine systemd fstab,sysv,rc-local
- Label /etc/aliases.lmdb with etc_aliases_t
- Create policy for afterburn
2023-10-17 22:10:31 +02:00
Zdenek Pytela
2bde33920c * Tue Oct 10 2023 Zdenek Pytela <zpytela@redhat.com> - 40.2-1
- Make new virt drivers permissive
- Split virt policy, introduce virt_supplementary module
- Allow apcupsd cgi scripts read /sys
- Merge pull request #1893 from WOnder93/more-early-boot-overlay-fixes
- Allow kernel_t to manage and relabel all files
- Add missing optional_policy() to files_relabel_all_files()
2023-10-10 10:47:42 +02:00
Zdenek Pytela
995481ca80 * Tue Oct 03 2023 Zdenek Pytela <zpytela@redhat.com> - 40.1-1
- Allow named and ndc use the io_uring api
- Deprecate common_anon_inode_perms usage
- Improve default file context(None) of /var/lib/authselect/backups
- Allow udev_t to search all directories with a filesystem type
- Implement proper anon_inode support
- Allow targetd write to the syslog pid sock_file
- Add ipa_pki_retrieve_key_exec() interface
- Allow kdumpctl_t to list all directories with a filesystem type
- Allow udev additional permissions
- Allow udev load kernel module
- Allow sysadm_t to mmap modules_object_t files
- Add the unconfined_read_files() and unconfined_list_dirs() interfaces
- Set default file context of HOME_DIR/tmp/.* to <<none>>
- Allow kernel_generic_helper_t to execute mount(1)
2023-10-04 15:57:34 +02:00
Zdenek Pytela
11c92f5ea8 * Fri Sep 29 2023 Zdenek Pytela <zpytela@redhat.com> - 38.29-1
- Allow sssd send SIGKILL to passkey_child running in ipa_otpd_t
- Allow systemd-localed create Xserver config dirs
- Allow sssd read symlinks in /etc/sssd
- Label /dev/gnss[0-9] with gnss_device_t
- Allow systemd-sleep read/write efivarfs variables
- ci: Fix version number of packit generated srpms
- Dontaudit rhsmcertd write memory device
- Allow ssh_agent_type create a sockfile in /run/user/USERID
- Set default file context of /var/lib/authselect/backups to <<none>>
- Allow prosody read network sysctls
- Allow cupsd_t to use bpf capability
2023-09-29 20:49:14 +02:00
Zdenek Pytela
4beb93659f * Fri Sep 15 2023 Zdenek Pytela <zpytela@redhat.com> - 38.28-1
- Allow sssd domain transition on passkey_child execution conditionally
- Allow login_userdomain watch lnk_files in /usr
- Allow login_userdomain watch video4linux devices
- Change systemd-network-generator transition to include class file
- Revert "Change file transition for systemd-network-generator"
- Allow nm-dispatcher winbind plugin read/write samba var files
- Allow systemd-networkd write to cgroup files
- Allow kdump create and use its memfd: objects
2023-09-15 14:49:49 +02:00
Zdenek Pytela
16fcf3610b * Thu Aug 31 2023 Zdenek Pytela <zpytela@redhat.com> - 38.27-1
- Allow fedora-third-party get generic filesystem attributes
- Allow sssd use usb devices conditionally
- Update policy for qatlib
- Allow ssh_agent_type manage generic cache home files
2023-08-31 23:22:26 +02:00
Zdenek Pytela
42961943f5 * Thu Aug 24 2023 Zdenek Pytela <zpytela@redhat.com> - 38.26-1
- Change file transition for systemd-network-generator
- Additional support for gnome-initial-setup
- Update gnome-initial-setup policy for geoclue
- Allow openconnect vpn open vhost net device
- Allow cifs.upcall to connect to SSSD also through the /var/run socket
- Grant cifs.upcall more required capabilities
- Allow xenstored map xenfs files
- Update policy for fdo
- Allow keepalived watch var_run dirs
- Allow svirt to rw /dev/udmabuf
- Allow qatlib  to modify hardware state information.
- Allow key.dns_resolve connect to avahi over a unix stream socket
- Allow key.dns_resolve create and use unix datagram socket
- Use quay.io as the container image source for CI
2023-08-24 21:17:38 +02:00
Zdenek Pytela
314088eca9 * Fri Aug 11 2023 Zdenek Pytela <zpytela@redhat.com> - 38.25-1
- ci: Move srpm/rpm build to packit
- .copr: Avoid subshell and changing directory
- Allow gpsd, oddjob and oddjob_mkhomedir_t write user_tty_device_t chr_file
- Label /usr/libexec/openssh/ssh-pkcs11-helper with ssh_agent_exec_t
- Make insights_client_t an unconfined domain
- Allow insights-client manage user temporary files
- Allow insights-client create all rpm logs with a correct label
- Allow insights-client manage generic logs
- Allow cloud_init create dhclient var files and init_t manage net_conf_t
- Allow insights-client read and write cluster tmpfs files
- Allow ipsec read nsfs files
- Make tuned work with mls policy
- Remove nsplugin_role from mozilla.if
- allow mon_procd_t self:cap_userns sys_ptrace
- Allow pdns name_bind and name_connect all ports
- Set the MLS range of fsdaemon_t to s0 - mls_systemhigh
- ci: Move to actions/checkout@v3 version
- .copr: Replace chown call with standard workflow safe.directory setting
- .copr: Enable `set -u` for robustness
- .copr: Simplify root directory variable
2023-08-14 18:30:13 +02:00
Zdenek Pytela
02754e0832 * Fri Aug 04 2023 Zdenek Pytela <zpytela@redhat.com> - 38.24-1
- Allow rhsmcertd dbus chat with policykit
- Allow polkitd execute pkla-check-authorization with nnp transition
- Allow user_u and staff_u get attributes of non-security dirs
- Allow unconfined user filetrans chrome_sandbox_home_t
- Allow svnserve execute postdrop with a transition
- Do not make postfix_postdrop_t type an MTA executable file
- Allow samba-dcerpc service manage samba tmp files
- Add use_nfs_home_dirs boolean for mozilla_plugin
- Fix labeling for no-stub-resolv.conf
2023-08-04 19:48:49 +02:00
Zdenek Pytela
c618bb9f5d * Wed Aug 02 2023 Zdenek Pytela <zpytela@redhat.com> - 38.23-1
- Revert "Allow winbind-rpcd use its private tmp files"
- Allow upsmon execute upsmon via a helper script
- Allow openconnect vpn read/write inherited vhost net device
- Allow winbind-rpcd use its private tmp files
- Update samba-dcerpc policy for printing
- Allow gpsd,oddjob,oddjob_mkhomedir rw user domain pty
- Allow nscd watch system db dirs
- Allow qatlib to read sssd public files
- Allow fedora-third-party read /sys and proc
- Allow systemd-gpt-generator mount a tmpfs filesystem
- Allow journald write to cgroup files
- Allow rpc.mountd read network sysctls
- Allow blueman read the contents of the sysfs filesystem
- Allow logrotate_t to map generic files in /etc
- Boolean: Allow virt_qemu_ga create ssh directory
2023-08-02 22:34:58 +02:00
Zdenek Pytela
1969a71055 * Fri Jul 21 2023 Zdenek Pytela <zpytela@redhat.com> - 38.22-1
- Allow systemd-network-generator send system log messages
- Dontaudit the execute permission on sock_file globally
- Allow fsadm_t the file mounton permission
- Allow named and ndc the io_uring sqpoll permission
- Allow sssd io_uring sqpoll permission
- Fix location for /run/nsd
- Allow qemu-ga get fixed disk devices attributes
- Update bitlbee policy
- Label /usr/sbin/sos with sosreport_exec_t
- Update policy for the sblim-sfcb service
- Add the files_getattr_non_auth_dirs() interface
- Fix the CI to work with DNF5
2023-07-25 19:19:47 +02:00
Zdenek Pytela
3861cc6854 * Thu Jul 13 2023 Zdenek Pytela <zpytela@redhat.com> - 38.21-1
- Make systemd_tmpfiles_t MLS trusted for lowering the level of files
- Revert "Allow insights client map cache_home_t"
- Allow nfsidmapd connect to systemd-machined over a unix socket
- Allow snapperd connect to kernel over a unix domain stream socket
- Allow virt_qemu_ga_t create .ssh dir with correct label
- Allow targetd read network sysctls
- Set the abrt_handle_event boolean to on
- Permit kernel_t to change the user identity in object contexts
- Allow insights client map cache_home_t
- Label /usr/sbin/mariadbd with mysqld_exec_t
- Trim changelog so that it starts at F37 time
- Define equivalency for /run/systemd/generator.early
2023-07-13 22:29:20 +02:00
Zdenek Pytela
3217953fb6 * Thu Jun 29 2023 Zdenek Pytela <zpytela@redhat.com> - 38.20-1
- Allow httpd tcp connect to redis port conditionally
- Label only /usr/sbin/ripd and ripngd with zebra_exec_t
- Dontaudit aide the execmem permission
- Remove permissive from fdo
- Allow sa-update manage spamc home files
- Allow sa-update connect to systemlog services
- Label /usr/lib/systemd/system/mimedefang.service with antivirus_unit_file_t
- Allow nsd_crond_t write nsd_var_run_t & connectto nsd_t
- Allow bootupd search EFI directory
2023-06-29 11:47:37 +02:00
Zdenek Pytela
0a1d561fed * Tue Jun 27 2023 Zdenek Pytela <zpytela@redhat.com> - 38.19-1
- Change init_audit_control default value to true
- Allow nfsidmapd connect to systemd-userdbd with a unix socket
- Add the qatlib  module
- Add the fdo module
- Add the bootupd module
- Set default ports for keylime policy
- Create policy for qatlib
- Add policy for FIDO Device Onboard
- Add policy for bootupd
- Add the qatlib module
- Add the fdo module
- Add the bootupd module
2023-06-27 20:40:11 +02:00
Zdenek Pytela
ca2263f358 * Sun Jun 25 2023 Zdenek Pytela <zpytela@redhat.com> - 38.18-1
- Add support for kafs-dns requested by keyutils
- Allow insights-client execmem
- Add support for chronyd-restricted
- Add init_explicit_domain() interface
- Allow fsadm_t to get attributes of cgroup filesystems
- Add list_dir_perms to kerberos_read_keytab
- Label /var/run/tmpfiles.d/static-nodes.conf with kmod_var_run_t
- Allow sendmail manage its runtime files
- Allow keyutils_dns_resolver_exec_t be an entrypoint
- Allow collectd_t read network state symlinks
- Revert "Allow collectd_t read proc_net link files"
- Allow nfsd_t to list exports_t dirs
- Allow cupsd dbus chat with xdm
- Allow haproxy read hardware state information
- Add the kafs module
2023-06-25 13:44:12 +02:00
Zdenek Pytela
38fd9a9006 * Thu Jun 15 2023 Zdenek Pytela <zpytela@redhat.com> - 38.17-1
- Label /dev/userfaultfd with userfaultfd_t
- Allow blueman send general signals to unprivileged user domains
- Allow dkim-milter domain transition to sendmail
- Label /usr/sbin/cifs.idmap with cifs_helper_exec_t
- Allow cifs-helper read sssd kerberos configuration files
- Allow rpm_t sys_admin capability
- Allow dovecot_deliver_t create/map dovecot_spool_t dir/file
- Allow collectd_t read proc_net link files
- Allow insights-client getsession process permission
- Allow insights-client work with pipe and socket tmp files
- Allow insights-client map generic log files
- Update cyrus_stream_connect() to use sockets in /run
- Allow keyutils-dns-resolver read/view kernel key ring
- Label /var/log/kdump.log with kdump_log_t
2023-06-15 11:13:58 +02:00
Zdenek Pytela
37f102411a * Fri Jun 09 2023 Zdenek Pytela <zpytela@redhat.com> - 38.16-1
- Add support for the systemd-pstore service
- Allow kdumpctl_t to execmem
- Update sendmail policy module for opensmtpd
- Allow nagios-mail-plugin exec postfix master
- Allow subscription-manager execute ip
- Allow ssh client connect with a user dbus instance
- Add support for ksshaskpass
- Allow rhsmcertd file transition in /run also for socket files
- Allow keyutils_dns_resolver_t execute keyutils_dns_resolver_exec_t
- Allow plymouthd read/write X server miscellaneous devices
- Allow systemd-sleep read udev pid files
- Allow exim read network sysctls
- Allow sendmail request load module
- Allow named map its conf files
- Allow squid map its cache files
- Allow NetworkManager_dispatcher_dhclient_t to execute shells without a domain transition
2023-06-09 22:29:46 +02:00
Zdenek Pytela
70fa3a1489 * Tue May 30 2023 Zdenek Pytela <zpytela@redhat.com> - 38.15-1
- Update policy for systemd-sleep
- Remove permissive domain for rshim_t
- Remove permissive domain for mptcpd_t
- Allow systemd-bootchartd the sys_ptrace userns capability
- Allow sysadm_t read nsfs files
- Allow sysadm_t run kernel bpf programs
- Update ssh_role_template for ssh-agent
- Update ssh_role_template to allow read/write unallocated ttys
- Add the booth module to modules.conf
- Allow firewalld rw ica_tmpfs_t files
2023-05-30 12:00:03 +02:00
Zdenek Pytela
f148635ab0 * Fri May 26 2023 Zdenek Pytela <zpytela@redhat.com> - 38.14-1
- Remove permissive domain for cifs_helper_t
- Update the cifs-helper policy
- Replace cifsutils_helper_domtrans() with keyutils_request_domtrans_to()
- Update pkcsslotd policy for sandboxing
- Allow abrt_t read kernel persistent storage files
- Dontaudit targetd search httpd config dirs
- Allow init_t nnp domain transition to policykit_t
- Allow rpcd_lsad setcap and use generic ptys
- Allow samba-dcerpcd connect to systemd_machined over a unix socket
- Allow wireguard to rw network sysctls
- Add policy for boothd
- Allow kernel to manage its own BPF objects
- Label /usr/lib/systemd/system/proftpd.* & vsftpd.* with ftpd_unit_file_t
2023-05-26 13:00:58 +02:00
Zdenek Pytela
dfde7d3e7a * Mon May 22 2023 Zdenek Pytela <zpytela@redhat.com> - 38.13-1
- Add initial policy for cifs-helper
- Label key.dns_resolver with keyutils_dns_resolver_exec_t
- Allow unconfined_service_t to create .gnupg labeled as gpg_secret_t
- Allow some systemd services write to cgroup files
- Allow NetworkManager_dispatcher_dhclient_t to read the DHCP configuration files
- Allow systemd resolved to bind to arbitrary nodes
- Allow plymouthd_t bpf capability to run bpf programs
- Allow cupsd to create samba_var_t files
- Allow rhsmcert request the kernel to load a module
- Allow virsh name_connect virt_port_t
- Allow certmonger manage cluster library files
- Allow plymouthd read init process state
- Add chromium_sandbox_t setcap capability
- Allow snmpd read raw disk data
- Allow samba-rpcd work with passwords
- Allow unconfined service inherit signal state from init
- Allow cloud-init manage gpg admin home content
- Allow cluster_t dbus chat with various services
- Allow nfsidmapd work with systemd-userdbd and sssd
- Allow unconfined_domain_type use IORING_OP_URING_CMD on all device nodes
- Allow plymouthd map dri and framebuffer devices
- Allow rpmdb_migrate execute rpmdb
- Allow logrotate dbus chat with systemd-hostnamed
- Allow icecast connect to kernel using a unix stream socket
- Allow lldpad connect to systemd-userdbd over a unix socket
- Allow journalctl open user domain ptys and ttys
- Allow keepalived to manage its tmp files
- Allow ftpd read network sysctls
- Label /run/bgpd with zebra_var_run_t
- Allow gssproxy read network sysctls
- Add the cifsutils module
2023-05-22 09:00:23 +02:00
Zdenek Pytela
9619eb8fb1 * Tue Apr 25 2023 Zdenek Pytela <zpytela@redhat.com> - 38.12-1
- Allow telnetd read network sysctls
- Allow munin system plugin read generic SSL certificates
- Allow munin system plugin create and use netlink generic socket
- Allow login_userdomain create user namespaces
- Allow request-key to send syslog messages
- Allow request-key to read/view any key
- Add fs_delete_pstore_files() interface
- Allow insights-client work with teamdctl
- Allow insights-client read unconfined service semaphores
- Allow insights-client get quotas of all filesystems
- Add fs_read_pstore_files() interface
- Allow generic kernel helper to read inherited kernel pipes
2023-04-25 22:13:11 +02:00
Zdenek Pytela
10fd8395c1 * Fri Apr 14 2023 Zdenek Pytela <zpytela@redhat.com> - 38.11-1
- Allow dovecot-deliver write to the main process runtime fifo files
- Allow dmidecode write to cloud-init tmp files
- Allow chronyd send a message to cloud-init over a datagram socket
- Allow cloud-init domain transition to insights-client domain
- Allow mongodb read filesystem sysctls
- Allow mongodb read network sysctls
- Allow accounts-daemon read generic systemd unit lnk files
- Allow blueman watch generic device dirs
- Allow nm-dispatcher tlp plugin create tlp dirs
- Allow systemd-coredump mounton /usr
- Allow rabbitmq to read network sysctls
2023-04-14 13:48:00 +02:00
Zdenek Pytela
1c3d527d43 * Tue Apr 04 2023 Zdenek Pytela <zpytela@redhat.com> - 38.10-1
- Allow certmonger dbus chat with the cron system domain
- Allow geoclue read network sysctls
- Allow geoclue watch the /etc directory
- Allow logwatch_mail_t read network sysctls
- Allow insights-client read all sysctls
- Allow passt manage qemu pid sock files
2023-04-04 21:35:41 +02:00
Zdenek Pytela
737e197bb4 * Fri Mar 24 2023 Zdenek Pytela <zpytela@redhat.com> - 38.9-1
- Allow sssd read accountsd fifo files
- Add support for the passt_t domain
- Allow virtd_t and svirt_t work with passt
- Add new interfaces in the virt module
- Add passt interfaces defined conditionally
- Allow tshark the setsched capability
- Allow poweroff create connections to system dbus
- Allow wg load kernel modules, search debugfs dir
- Boolean: allow qemu-ga manage ssh home directory
- Label smtpd with sendmail_exec_t
- Label msmtp and msmtpd with sendmail_exec_t
- Allow dovecot to map files in /var/spool/dovecot
2023-03-24 20:05:51 +01:00
Zdenek Pytela
4a6ce4bf1f * Fri Mar 03 2023 Zdenek Pytela <zpytela@redhat.com> - 38.8-1
- Confine gnome-initial-setup
- Allow qemu-guest-agent create and use vsock socket
- Allow login_pgm setcap permission
- Allow chronyc read network sysctls
- Enhancement of the /usr/sbin/request-key helper policy
- Fix opencryptoki file names in /dev/shm
- Allow system_cronjob_t transition to rpm_script_t
- Revert "Allow system_cronjob_t domtrans to rpm_script_t"
- Add tunable to allow squid bind snmp port
- Allow staff_t getattr init pid chr & blk files and read krb5
- Allow firewalld to rw z90crypt device
- Allow httpd work with tokens in /dev/shm
- Allow svirt to map svirt_image_t char files
- Allow sysadm_t run initrc_t script and sysadm_r role access
- Allow insights-client manage fsadm pid files
2023-03-03 17:49:15 +01:00
Zdenek Pytela
0d20c35838 * Wed Feb 08 2023 Zdenek Pytela <zpytela@redhat.com> - 38.7-1
- Allowing snapper to create snapshots of /home/ subvolume/partition
- Add boolean qemu-ga to run unconfined script
- Label systemd-journald feature LogNamespace
- Add none file context for polyinstantiated tmp dirs
- Allow certmonger read the contents of the sysfs filesystem
- Add journalctl the sys_resource capability
- Allow nm-dispatcher plugins read generic files in /proc
- Add initial policy for the /usr/sbin/request-key helper
- Additional support for rpmdb_migrate
- Add the keyutils module
2023-02-08 21:31:38 +01:00
Zdenek Pytela
232d13e7df * Mon Jan 30 2023 Zdenek Pytela <zpytela@redhat.com> - 38.6-1
- Boolean: allow qemu-ga read ssh home directory
- Allow kernel_t to read/write all sockets
- Allow kernel_t to UNIX-stream connect to all domains
- Allow systemd-resolved send a datagram to journald
- Allow kernel_t to manage and have "execute" access to all files
- Fix the files_manage_all_files() interface
- Allow rshim bpf cap2 and read sssd public files
- Allow insights-client work with su and lpstat
- Allow insights-client tcp connect to all ports
- Allow nm-cloud-setup dispatcher plugin restart nm services
- Allow unconfined user filetransition for sudo log files
- Allow modemmanager create hardware state information files
- Allow ModemManager all permissions for netlink route socket
- Allow wg to send msg to kernel, write to syslog and dbus connections
- Allow hostname_t to read network sysctls.
- Dontaudit ftpd the execmem permission
- Allow svirt request the kernel to load a module
- Allow icecast rename its log files
- Allow upsd to send signal to itself
- Allow wireguard to create udp sockets and read net_conf
- Use %autosetup instead of %setup
- Pass -p 1 to %autosetup
2023-01-30 17:30:57 +01:00
Zdenek Pytela
13e15d410c * Fri Jan 13 2023 Zdenek Pytela <zpytela@redhat.com> - 38.5-1
- Allow insights client work with gluster and pcp
- Add insights additional capabilities
- Add interfaces in domain, files, and unconfined modules
- Label fwupdoffline and fwupd-detect-cet with fwupd_exec_t
- Allow sudodomain use sudo.log as a logfile
- Allow pdns server map its library files and bind to unreserved ports
- Allow sysadm_t read/write ipmi devices
- Allow prosody manage its runtime socket files
- Allow kernel threads manage kernel keys
- Allow systemd-userdbd the sys_resource capability
- Allow systemd-journal list cgroup directories
- Allow apcupsd dbus chat with systemd-logind
- Allow nut_domain manage also files and sock_files in /var/run
- Allow winbind-rpcd make a TCP connection to the ldap port
- Label /usr/lib/rpm/rpmdb_migrate with rpmdb_exec_t
- Allow tlp read generic SSL certificates
- Allow systemd-resolved watch tmpfs directories
- Revert "Allow systemd-resolved watch tmpfs directories"
2023-01-13 18:43:38 +01:00
Zdenek Pytela
328d37031b * Mon Dec 19 2022 Zdenek Pytela <zpytela@redhat.com> - 38.4-1
- Allow NetworkManager and wpa_supplicant the bpf capability
- Allow systemd-rfkill the bpf capability
- Allow winbind-rpcd manage samba_share_t files and dirs
- Label /var/lib/httpd/md(/.*)? with httpd_sys_rw_content_t
- Allow gpsd the sys_ptrace userns capability
- Introduce gpsd_tmp_t for sockfiles managed by gpsd_t
- Allow load_policy_t write to unallocated ttys
- Allow ndc read hardware state information
- Allow system mail service read inherited certmonger runtime files
- Add lpr_roles  to system_r roles
- Revert "Allow insights-client run lpr and allow the proper role"
- Allow stalld to read /sys/kernel/security/lockdown file
- Allow keepalived to set resource limits
- Add policy for mptcpd
- Add policy for rshim
- Allow admin users to create user namespaces
- Allow journalctl relabel with var_log_t and syslogd_var_run_t files
- Do not run restorecon /etc/NetworkManager/dispatcher.d in targeted
- Trim changelog so that it starts at F35 time
- Add mptcpd and rshim modules
2022-12-19 16:56:42 +01:00
Zdenek Pytela
5e55a1623d * Wed Dec 14 2022 Zdenek Pytela <zpytela@redhat.com> - 38.3-1
- Allow insights-client dbus chat with various services
- Allow insights-client tcp connect to various ports
- Allow insights-client run lpr and allow the proper role
- Allow insights-client work with pcp and manage user config files
- Allow redis get user names
- Allow kernel threads to use fds from all domains
- Allow systemd-modules-load load kernel modules
- Allow login_userdomain watch systemd-passwd pid dirs
- Allow insights-client dbus chat with abrt
- Grant kernel_t certain permissions in the system class
- Allow systemd-resolved watch tmpfs directories
- Allow systemd-timedated watch init runtime dir
- Make `bootc` be `install_exec_t`
- Allow systemd-coredump create user_namespace
- Allow syslog the setpcap capability
- donaudit virtlogd and dnsmasq execmem
2022-12-14 17:21:00 +01:00
Zdenek Pytela
8263376e4d * Tue Dec 06 2022 Zdenek Pytela <zpytela@redhat.com> - 38.2-1
- Don't make kernel_t an unconfined domain
- Don't allow kernel_t to execute bin_t/usr_t binaries without a transition
- Allow kernel_t to execute systemctl to do a poweroff/reboot
- Grant basic permissions to the domain created by systemd_systemctl_domain()
- Allow kernel_t to request module loading
- Allow kernel_t to do compute_create
- Allow kernel_t to manage perf events
- Grant almost all capabilities to kernel_t
- Allow kernel_t to fully manage all devices
- Revert "In domain_transition_pattern there is no permission allowing caller domain to execu_no_trans on entrypoint, this patch fixing this issue"
- Allow pulseaudio to write to session_dbusd tmp socket files
- Allow systemd and unconfined_domain_type create user_namespace
- Add the user_namespace security class
- Reuse tmpfs_t also for the ramfs filesystem
- Label udf tools with fsadm_exec_t
- Allow networkmanager_dispatcher_plugin work with nscd
- Watch_sb all file type directories.
- Allow spamc read hardware state information files
- Allow sysadm read ipmi devices
- Allow insights client communicate with cupsd, mysqld, openvswitch, redis
- Allow insights client read raw memory devices
- Allow the spamd_update_t domain get generic filesystem attributes
- Dontaudit systemd-gpt-generator the sys_admin capability
- Allow ipsec_t only read tpm devices
- Allow cups-pdf connect to the system log service
- Allow postfix/smtpd read kerberos key table
- Allow syslogd read network sysctls
- Allow cdcc mmap dcc-client-map files
- Add watch and watch_sb dosfs interface
2022-12-06 19:21:23 +01:00
Zdenek Pytela
17a6cf70e4 * Mon Nov 21 2022 Zdenek Pytela <zpytela@redhat.com> - 38.1-1
- Revert "Allow sysadm_t read raw memory devices"
- Allow systemd-socket-proxyd get attributes of cgroup filesystems
- Allow rpc.gssd read network sysctls
- Allow winbind-rpcd get attributes of device and pty filesystems
- Allow insights-client domain transition on semanage execution
- Allow insights-client create gluster log dir with a transition
- Allow insights-client manage generic locks
- Allow insights-client unix_read all domain semaphores
- Add domain_unix_read_all_semaphores() interface
- Allow winbind-rpcd use the terminal multiplexor
- Allow mrtg send mails
- Allow systemd-hostnamed dbus chat with init scripts
- Allow sssd dbus chat with system cronjobs
- Add interface to watch all filesystems
- Add watch_sb interfaces
- Add watch interfaces
- Allow dhcpd bpf capability to run bpf programs
- Allow netutils and traceroute bpf capability to run bpf programs
- Allow pkcs_slotd_t bpf capability to run bpf programs
- Allow xdm bpf capability to run bpf programs
- Allow pcscd bpf capability to run bpf programs
- Allow lldpad bpf capability to run bpf programs
- Allow keepalived bpf capability to run bpf programs
- Allow ipsec bpf capability to run bpf programs
- Allow fprintd bpf capability to run bpf programs
- Allow systemd-socket-proxyd get filesystems attributes
- Allow dirsrv_snmp_t to manage dirsrv_config_t & dirsrv_var_run_t files
2022-11-21 17:04:56 +01:00
Zdenek Pytela
5448967b7c * Mon Oct 31 2022 Zdenek Pytela <zpytela@redhat.com> - 37.14-1
- Allow rotatelogs read httpd_log_t symlinks
- Add winbind-rpcd to samba_enable_home_dirs boolean
- Allow system cronjobs dbus chat with setroubleshoot
- Allow setroubleshootd read device sysctls
- Allow virt_domain read device sysctls
- Allow rhcd compute selinux access vector
- Allow insights-client manage samba var dirs
- Label ports 10161-10162 tcp/udp with snmp
- Allow aide to connect to systemd_machined with a unix socket.
- Allow samba-dcerpcd use NSCD services over a unix stream socket
- Allow vlock search the contents of the /dev/pts directory
- Allow insights-client send null signal to rpm and system cronjob
- Label port 15354/tcp and 15354/udp with opendnssec
- Allow ftpd map ftpd_var_run files
- Allow targetclid to manage tmp files
- Allow insights-client connect to postgresql with a unix socket
- Allow insights-client domtrans on unix_chkpwd execution
- Add file context entries for insights-client and rhc
- Allow pulseaudio create gnome content (~/.config)
- Allow login_userdomain dbus chat with rhsmcertd
- Allow sbd the sys_ptrace capability
- Allow ptp4l_t name_bind ptp_event_port_t
2022-10-31 17:59:49 +01:00
Zdenek Pytela
c9f58f0676 * Mon Oct 03 2022 Zdenek Pytela <zpytela@redhat.com> - 37.13-1
- Remove the ipa module
- Allow sss daemons read/write unnamed pipes of cloud-init
- Allow postfix_mailqueue create and use unix dgram sockets
- Allow xdm watch user home directories
- Allow nm-dispatcher ddclient plugin load a kernel module
- Stop ignoring standalone interface files
- Drop cockpit module
- Allow init map its private tmp files
- Allow xenstored change its hard resource limits
- Allow system_mail-t read network sysctls
- Add bgpd sys_chroot capability
2022-10-03 23:24:01 +02:00
Zdenek Pytela
dde90d74a7 * Thu Sep 22 2022 Zdenek Pytela <zpytela@redhat.com> - 37.12-1
- nut-upsd: kernel_read_system_state, fs_getattr_cgroup
- Add numad the ipc_owner capability
- Allow gst-plugin-scanner read virtual memory sysctls
- Allow init read/write inherited user fifo files
- Update dnssec-trigger policy: setsched, module_request
- added policy for systemd-socket-proxyd
- Add the new 'cmd' permission to the 'io_uring' class
- Allow winbind-rpcd read and write its key ring
- Label /run/NetworkManager/no-stub-resolv.conf net_conf_t
- blueman-mechanism can read ~/.local/lib/python*/site-packages directory
- pidof executed by abrt can readlink /proc/*/exe
- Fix typo in comment
- Do not run restorecon /etc/NetworkManager/dispatcher.d in mls and minimum
2022-09-22 22:59:43 +02:00
Zdenek Pytela
d02146ba68 * Wed Sep 14 2022 Zdenek Pytela <zpytela@redhat.com> - 37.11-1
- Allow tor get filesystem attributes
- Allow utempter append to login_userdomain stream
- Allow login_userdomain accept a stream connection to XDM
- Allow login_userdomain write to boltd named pipes
- Allow staff_u and user_u users write to bolt pipe
- Allow login_userdomain watch various directories
- Update rhcd policy for executing additional commands 5
- Update rhcd policy for executing additional commands 4
- Allow rhcd create rpm hawkey logs with correct label
- Allow systemd-gpt-auto-generator to check for empty dirs
- Update rhcd policy for executing additional commands 3
- Allow journalctl read rhcd fifo files
- Update insights-client policy for additional commands execution 5
- Allow init remount all file_type filesystems
- Confine insights-client systemd unit
- Update insights-client policy for additional commands execution 4
- Allow pcp pmcd search tracefs and acct_data dirs
- Allow httpd read network sysctls
- Dontaudit domain map permission on directories
- Revert "Allow X userdomains to mmap user_fonts_cache_t dirs"
- Revert "Allow xdm_t domain to mmap /var/lib/gdm/.cache/fontconfig BZ(1725509)"
- Update insights-client policy for additional commands execution 3
- Allow systemd permissions needed for sandboxed services
- Add rhcd module
- Make dependency on rpm-plugin-selinux unordered
2022-09-14 09:14:08 +02:00
Zdenek Pytela
9a58e62d76 * Fri Sep 02 2022 Zdenek Pytela <zpytela@redhat.com> - 37.10-1
- Allow ipsec_t read/write tpm devices
- Allow rhcd execute all executables
- Update rhcd policy for executing additional commands 2
- Update insights-client policy for additional commands execution 2
- Allow sysadm_t read raw memory devices
- Allow chronyd send and receive chronyd/ntp client packets
- Allow ssh client read kerberos homedir config files
- Label /var/log/rhc-worker-playbook with rhcd_var_log_t
- Update insights-client policy (auditctl, gpg, journal)
- Allow system_cronjob_t domtrans to rpm_script_t
- Allow smbd_t process noatsecure permission for winbind_rpcd_t
- Update tor_bind_all_unreserved_ports interface
- Allow chronyd bind UDP sockets to ptp_event ports.
- Allow unconfined and sysadm users transition for /root/.gnupg
- Add gpg_filetrans_admin_home_content() interface
- Update rhcd policy for executing additional commands
- Update insights-client policy for additional commands execution
- Add userdom_view_all_users_keys() interface
- Allow gpg read and write generic pty type
- Allow chronyc read and write generic pty type
- Allow system_dbusd ioctl kernel with a unix stream sockets
- Allow samba-bgqd to read a printer list
- Allow stalld get and set scheduling policy of all domains.
- Allow unconfined_t transition to targetclid_home_t
2022-09-02 14:10:03 +02:00