- Allow tlp_t domain to ioctl removable devices BZ(1436830)
- Allow tlp_t domain domtrans into mount_t BZ(1442571)
- Allow lircd_t to read/write to sysfs BZ(1442443)
- Fix policy to reflect all changes in new IPA release
- Allow virtlogd_t to creating tmp files with virt_tmp_t labels.
- Allow sbd_t to read/write fixed disk devices
- Add sys_ptrace capability to radiusd_t domain
- Allow cockpit_session_t domain connects to ssh tcp ports.
- Update tomcat policy to make working ipa install process
- Allow pcp_pmcd_t net_admin capability. Allow pcp_pmcd_t read net sysctls Allow system_cronjob_t create /var/run/pcp with pcp_var_run_t
- Fix all AVC denials during pkispawn of CA Resolves: rhbz#1436383
- Update pki interfaces and tomcat module
- Allow sendmail to search network sysctls
- Add interface gssd_noatsecure()
- Add interface gssproxy_noatsecure()
- Allow chronyd_t net_admin capability to allow support HW timestamping.
- Update tomcat policy.
- Allow certmonger to start haproxy service
- Fix init Module
- Make groupadd_t domain as system bus client BZ(1416963)
- Make useradd_t domain as system bus client BZ(1442572)
- Allow xdm_t to gettattr /dev/loop-control device BZ(1385090)
- Dontaudit gdm-session-worker to view key unknown. BZ(1433191)
- Allow init noatsecure for gssd and gssproxy
- Allow staff user to read fwupd_cache_t files
- Remove typo bugs
- Remove /proc <<none>> from fedora policy, it's no longer necessary
- Merge pull request #4 from lslebodn/sssd_socket_activated
- Remove /proc <<none>> from fedora policy, it's no longer necessary
- Allow iptables get list of kernel modules
- Allow unconfined_domain_type to enable/disable transient unit
- Add interfaces init_enable_transient_unit() and init_disable_transient_unit
- Revert "Allow sshd setcap capability. This is needed due to latest changes in sshd"
- Label sysroot dir under ostree as root_t
- Make fwupd_var_lib_t type mountpoint. BZ(1429341)
- Remove tomcat_t domain from unconfined domains
- Create new boolean: sanlock_enable_home_dirs()
- Allow mdadm_t domain to read/write nvme_device_t
- Remove httpd_user_*_content_t domains from user_home_type attribute. This tighten httpd policy and acces to user data will be more strinct, and also fix mutual influente between httpd_enable_homedirs and httpd_read_user_content
- Add interface dev_rw_nvme
- Label all files containing hostname substring in /etc/ created by systemd_hostnamed_t as hostname_etc_t. BZ(1433555)
- Merge pull request #187 from rhatdan/container-selinux
- Allow rhsmcertd domain signull kernel.
- Allow container-selinux to handle all policy for container processes
- Fix label for nagios plugins in nagios file conxtext file
- su using libselinux and creating netlink_selinux socket is needed to allow libselinux initialization. Resolves: rhbz#1146987
- Add SELinux support for systemd-initctl daemon
- Add SELinux support for systemd-bootchart
- su using libselinux and creating netlink_selinux socket is needed to allow libselinux initialization. Resolves: rhbz#1146987
- Add module_load permission to can_load_kernmodule
- Add module_load permission to class system
- Add the validate_trans access vector to the security class
- Restore connecto permssions for init_t
- After the latest changes in nfsd. We should allow nfsd_t to read raw fixed disk. For more info see: BZ(1403017)
- Tighten security on containe types
- Make working cracklib_password_check for MariaDB service
- Label 20514 tcp/udp ports as syslogd_port_t Label 10514 tcp/udp portas as syslog_tls_port_t BZ(1410505)
- Allow pptp_t to read /dev/random BZ(1404248)
- Allow glusterd_t send signals to userdomain. Label new glusterd binaries as glusterd_exec_t
- Allow systemd to stop glusterd_t domains.
- Merge branch 'rawhide-base' of github.com:fedora-selinux/selinux-policy into rawhide-base
- Label /usr/sbin/sln as ldconfig_exec_t BZ(1378323)
- Revert "Allow an domain that has an entrypoint from a type to be allowed to execute the entrypoint without a transition, I can see no case where this is a bad thing, and elminiates a whole class of AVCs."
- Fix some boolean descriptions.
- Add fwupd_dbus_chat() interface
- Allow tgtd_t domain wake_alarm
- Merge pull request #172 from vinzent/allow_puppetagent_timedated
- Dontaudit logrotate_t to getattr nsfs_t BZ(1399081)
- Allow systemd_machined_t to start unit files labeled as init_var_run_t
- Add init_manage_config_transient_files() interface
- In Atomic /usr/local is a soft symlink to /var/usrlocal, so the default policy to apply bin_t on /usr/...bin doesn't work and binaries dumped here get mislabeled as var_t.
- Allow systemd to raise rlimit to all domains.BZ(1365435)
- Add interface domain_setrlimit_all_domains() interface
- Allow staff_t user to chat with fwupd_t domain via dbus
- Update logging_create_devlog_dev() interface to allow calling domain create also sock_file dev-log. BZ(1393774)
- Allow systemd-networkd to read network state BZ(1400016)
- Allow systemd-resolved bind to dns port. BZ(1400023)
- Allow systemd create /dev/log in own mount-namespace. BZ(1383867)
- Add interface fs_dontaudit_getattr_nsfs_files()
- Label /usr/lib/systemd/resolv.conf as lib_t to allow all domains read this file. BZ(1398853)
- Allow abrt_dump_oops_t to drop capabilities. bz(1391040)
- Add named_t domain net_raw capability bz(1389240)
- Allow geoclue to read system info. bz(1389320)
- Make openfortivpn_t as init_deamon_domain. bz(1159899)
- Allow nfsd domain to create nfsd_unit_file_t files. bz(1382487)
- Merge branch 'rawhide-contrib' of github.com:fedora-selinux/selinux-policy into rawhide-contrib
- Add interace lldpad_relabel_tmpfs
- Merge pull request #155 from rhatdan/sandbox_nfs
- Add pscsd_t wake_alarm capability2
- Allow sandbox domains to mount fuse file systems
- Add boolean to allow sandbox domains to mount nfs
- Allow hypervvssd_t to read all dirs.
- Allow isnsd_t to connect to isns_port_t
- Merge branch 'rawhide-contrib' of github.com:fedora-selinux/selinux-policy into rawhide-contrib
- Allow GlusterFS with RDMA transport to be started correctly. It requires ipc_lock capability together with rw permission on rdma_cm device.
- Make tor_var_lib_t and tor_var_log_t as mountpoints.
- Allow systemd-rfkill to write to /proc/kmsg bz(1388669)
- Allow init_t to relabel /dev/shm/lldpad.state
- Merge pull request #168 from rhatdan/docker
- Label tcp 51954 as isns_port_t
- Lots of new domains like OCID and RKT are user container processes
- Disable container_runtime_typebounds() due to typebounds issues which can not be resolved during build.
- Disable unconfined_typebounds in sandbox.te due to entrypoint check which exceed for sandbox domains unconfined_t domain.
- Disable unconfined_typebounds due to entrypoint check which exceed for sandbox domains unconfined_t domain.
- Merge pull request #167 from rhatdan/container
- Add transition rules for sandbox domains
- container_typebounds() should be part of sandbox domain template
- Fix broken container_* interfaces
- unconfined_typebounds() should be part of sandbox domain template
- Fixed unrecognized characters at sandboxX module
- unconfined_typebounds() should be part of sandbox domain template
- svirt_file_type is atribute no type.
- Merge pull request #166 from rhatdan/container
- Allow users to transition from unconfined_t to container types
- Add dbus_stream_connect_system_dbusd() interface.
- Merge pull request #152 from rhatdan/network_filetrans
- Fix typo in filesystem module
- Allow nss_plugin to resolve host names via the systemd-resolved. BZ(1383473)
- Allow attach usb device to virtual machine BZ(1276873)
- Dontaudit mozilla_plugin to sys_ptrace
- Allow nut_upsdrvctl_t domain to read udev db BZ(1375636)
- Fix typo
- Allow geoclue to send msgs to syslog. BZ(1371818)
- Allow abrt to read rpm_tmp_t dirs
- Add interface rpm_read_tmp_files()
- Remove labels for somr docker sandbox files for now. This needs to be reverted after fixes in docker-selinux
- Update oracleasm SELinux module that can manage oracleasmfs_t blk files. Add dac_override cap to oracleasm_t domain.
- Add few rules to pcp SELinux module to make ti able to start pcp_pmlogger service
- Revert "label /var/lib/kubelet as svirt_sandbox_file_t"
- Remove file context for /var/lib/kubelet. This filecontext is part of docker now
- Add oracleasm_conf_t type and allow oracleasm_t to create /dev/oracleasm
- Label /usr/share/pcp/lib/pmie as pmie_exec_t and /usr/share/pcp/lib/pmlogger as pmlogger_exec_t
- Allow mdadm_t to getattr all device nodes
- Dontaudit gkeyringd_domain to connect to system_dbusd_t
- Add interface dbus_dontaudit_stream_connect_system_dbusd()
- Allow guest-set-user-passwd to set users password.
- Allow domains using kerberos to read also kerberos config dirs
- Allow add new interface to new namespace BZ(1375124)
- Allow systemd to relalbel files stored in /run/systemd/inaccessible/
- Add interface fs_getattr_tmpfs_blk_file()
- Dontaudit domain to create any file in /proc. This is kernel bug.
- Improve regexp for power_unit_file_t files. To catch just systemd power unit files.
- Add new interface fs_getattr_oracleasmfs_fs()
- Add interface fs_manage_oracleasm()
- Label /dev/kfd as hsa_device_t
- Update seutil_manage_file_contexts() interface that caller domain can also manage file_context_t dirs
- Label /var/lib/docker/vfs as svirt_sandbox_file_t in virt SELinux module
- Label /usr/bin/pappet as puppetagent_exec_t
- Allow amanda to create dir in /var/lib/ with amanda_var_lib_t label
- Allow run sulogin_t in range mls_systemlow-mls_systemhigh.
- udisk2 module is part of devicekit module now
- Fix file context for /etc/pki/pki-tomcat/ca/
- new interface oddjob_mkhomedir_entrypoint()
- Allow mdadm to get attributes from all devices.
- Label /etc/puppetlabs as puppet_etc_t.
- quota: allow init to run quota tools
- Add new domain ipa_ods_exporter_t BZ(1366640)
- Create new interface opendnssec_stream_connect()
- Allow VirtualBox to manage udev rules.
- Allow systemd_resolved to send dbus msgs to userdomains
- Make entrypoint oddjob_mkhomedir_exec_t for unconfined_t
- Label all files in /dev/oracleasmfs/ as oracleasmfs_t
- Add new domain ipa_ods_exporter_t BZ(1366640)
- Create new interface opendnssec_stream_connect()
- Allow systemd-machined to communicate to lxc container using dbus
- Dontaudit accountsd domain creating dirs in /root
- Add new policy for Disk Manager called udisks2
- Dontaudit firewalld wants write to /root
- Label /etc/pki/pki-tomcat/ca/ as pki_tomcat_cert_t
- Allow certmonger to manage all systemd unit files
- Allow ipa_helper_t stream connect to dirsrv_t domain
- Update oracleasm SELinux module
- label /var/lib/kubelet as svirt_sandbox_file_t
- Allow systemd to create blk and chr files with correct label in /var/run/systemd/inaccessible BZ(1367280)
- Label /usr/libexec/gsd-backlight-helper as xserver_exec_t. This allows also confined users to manage screen brightness
- Add new userdom_dontaudit_manage_admin_dir() interface
- Label /dev/oracleasmfs as oracleasmfs_t. Add few interfaces related to oracleasmfs_t type
- Add few interfaces to cloudform.if file
- Label /var/run/corosync-qnetd and /var/run/corosync-qdevice as cluster_var_run_t. Note: corosync policy is now par of rhcs module
- Allow krb5kdc_t to read krb4kdc_conf_t dirs.
- Update networkmanager_filetrans_named_content() interface to allow source domain to create also temad dir in /var/run.
- Make confined users working again
- Fix hypervkvp module
- Allow ipmievd domain to create lock files in /var/lock/subsys/
- Update policy for ipmievd daemon. Contain: Allowing reading sysfs, passwd,kernel modules Execuring bin_t,insmod_t
- A new version of cloud-init that supports the effort to provision RHEL Atomic on Microsoft Azure requires some a new rules that allows dhclient/dhclient hooks to call cloud-init.
- Allow systemd to stop systemd-machined daemon. This allows stop virtual machines.
- Label /usr/libexec/iptables/iptables.init as iptables_exec_t Allow iptables creating lock file in /var/lock/subsys/
- Fix lsm SELinux module
- Dontaudit firewalld to create dirs in /root/ BZ(1340611)
- Label /run/corosync-qdevice and /run/corosync-qnetd as corosync_var_run_t
- Allow fprintd and cluster domains to cummunicate via dbus BZ(1355774)
- Allow cupsd_config_t domain to read cupsd_var_run_t sock_file. BZ(1361299)
- Add sys_admin capability to sbd domain
- Allow vdagent to comunnicate with systemd-logind via dbus
- Allow lsmd_plugin_t domain to create fixed_disk device.
- Allow opendnssec domain to create and manage own tmp dirs/files
- Allow opendnssec domain to read system state
- Allow systemd_logind stop system init_t
- Add interface init_stop()
- Add interface userdom_dontaudit_create_admin_dir()
- Label /var/run/storaged as lvm_var_run_t.
- Allow unconfineduser to run ipa_helper_t.
- Allow cups_config_t domain also mange sock_files. BZ(1361299)
- Add wake_alarm capability to fprintd domain BZ(1362430)
- Allow firewalld_t to relabel net_conf_t files. BZ(1365178)
- Allow nut_upsmon_t domain to chat with logind vie dbus about scheduleing a shutdown when UPS battery is low. BZ(1361802)
- Allow virtual machines to use dri devices. This allows use openCL GPU calculations. BZ(1337333)
- Allow crond and cronjob domains to creating mail_home_rw_t objects in admin_home_t BZ(1366173)
- Dontaudit mock to write to generic certs.
- Add labeling for corosync-qdevice and corosync-qnetd daemons, to run as cluster_t
- Revert "Label corosync-qnetd and corosync-qdevice as corosync_t domain"
- Merge pull request #144 from rhatdan/modemmanager
- Allow modemmanager to write to systemd inhibit pipes
- Label corosync-qnetd and corosync-qdevice as corosync_t domain
- Allow ipa_helper to read network state
- Label oddjob_reqiest as oddjob_exec_t
- Add interface oddjob_run()
- Allow modemmanager chat with systemd_logind via dbus
- Allow NetworkManager chat with puppetagent via dbus
- Allow NetworkManager chat with kdumpctl via dbus
- Allow sbd send msgs to syslog Allow sbd create dgram sockets. Allow sbd to communicate with kernel via dgram socket Allow sbd r/w kernel sysctls.
- Allow ipmievd_t domain to re-create ipmi devices Label /usr/libexec/openipmi-helper as ipmievd_exec_t
- Allow rasdaemon to use tracefs filesystem
- Fix typo bug in dirsrv policy
- Some logrotate scripts run su and then su runs unix_chkpwd. Allow logrotate_t domain to check passwd.
- Add ipc_lock capability to sssd domain. Allow sssd connect to http_cache_t
- Allow dirsrv to read dirsrv_share_t content
- Allow virtlogd_t to append svirt_image_t files.
- Allow hypervkvp domain to read hugetlbfs dir/files.
- Allow mdadm daemon to read nvme_device_t blk files
- Allow systemd_resolved to connect on system bus. BZ(1366334)
- Allow systemd to create netlink_route_socket and communicate with systemd_networkd BZ(1306344)
- Allow systemd-modules-load to load kernel modules in early boot. BZ(1322625)
- label tcp/udp port 853 as dns_port_t. BZ(1365609)
- Merge pull request #145 from rhatdan/init
- systemd is doing a gettattr on blk and chr devices in /run
- Allow selinuxusers and unconfineduser to run oddjob_request
- Allow sshd server to acces to Crypto Express 4 (CEX4) devices.
- Fix typo in device interfaces
- Add interfaces for managing ipmi devices
- Add interfaces to allow mounting/umounting tracefs filesystem
- Add interfaces to allow rw tracefs filesystem
- Merge branch 'rawhide-base' of github.com:fedora-selinux/selinux-policy into rawhide-base
- Merge pull request #138 from rhatdan/userns
- Allow iptables to creating netlink generic sockets.
- Fix filecontext for systemd shared lib.
- collectd: update policy for 5.5
- Allow puppet_t transtition to shorewall_t
- Grant certmonger "chown" capability
- Boinc updates from Russell Coker.
- Allow sshd setcap capability. This is needed due to latest changes in sshd.
- Revert "Allow sshd setcap capability. This is needed due to latest changes in sshd"
- Revert "Fix typo in ssh policy"
- Get attributes of generic ptys, from Russell Coker.
- Dontaudit mock_build_t can list all ptys.
- Allow ftpd_t to mamange userhome data without any boolean.
- Add logrotate permissions for creating netlink selinux sockets.
- Add new MLS attribute to allow relabeling objects higher than system low. This exception is needed for package managers when processing sensitive data.
- Label all VBox libraries stored in /var/lib/VBoxGuestAdditions/lib/ as textrel_shlib_t BZ(1356654)
- Allow systemd gpt generator to run fstools BZ(1353585)
- Label /usr/lib/systemd/libsystemd-shared-231.so as lib_t. BZ(1360716)
- Allow gnome-keyring also manage user_tmp_t sockets.
- Allow systemd to mounton /etc filesystem. BZ(1341753)
- Allow lsmd_plugin_t to exec ldconfig.
- Allow vnstatd domain to read /sys/class/net/ files
- Remove duplicate allow rules in spamassassin SELinux module
- Allow spamc_t and spamd_t domains create .spamassassin file in user homedirs
- Allow ipa_dnskey domain to search cache dirs
- Allow dogtag-ipa-ca-renew-agent-submit labeled as certmonger_t to create /var/log/ipa/renew.log file
- Allow ipa-dnskey read system state.
- Allow sshd setcap capability. This is needed due to latest changes in sshd Resolves: rhbz#1356245
- Add interface to write to nsfs inodes
- Allow init_t domain to read rpm db. This is needed due dnf-upgrade process failing. BZ(1349721)
- Allow systemd_modules_load_t to read /etc/modprobe.d/lockd.conf
- sysadmin should be allowed to use docker.
- Allow hypervkvp domain to run restorecon.
- Allow firewalld to manage net_conf_t files
- Remove double graphite-web context declaration
- Fix typo in rhsmcertd SELinux policy
- Allow logrotate read logs inside containers.
- Allow sssd to getattr on fs_t
- Allow opendnssec domain to manage bind chace files
- Allow systemd to get status of systemd-logind daemon
- Label more ndctl devices not just ndctl0
- Allow lttng tools to block suspending
- Allow creation of vpnaas in openstack
- remove rules with compromised_kernel permission
- Allow dnssec-trigger to chat with NetworkManager over DBUS BZ(1350100)
- Allow virtual machines to rw infiniband devices. Resolves: rhbz#1210263
- Update makefile to support snapperd_contexts file
- Remove compromize_kernel permission Remove unused mac_admin permission Add undefined system permission
- Remove duplicate declaration of class service
- Fix typo in access_vectors file
- Merge branch 'rawhide-base-modules-load' into rawhide-base
- Add new policy for systemd-modules-load
- Add systemd access vectors.
- Revert "Revert "Revert "Missed this version of exec_all"""
- Revert "Revert "Missed this version of exec_all""
- Revert "Missed this version of exec_all"
- Revert "Revert "Fix name of capability2 secure_firmware->compromise_kernel"" BZ(1351624) This reverts commit 3e0e7e70de481589440f3f79cccff08d6e62f644.
- Revert "Fix name of capability2 secure_firmware->compromise_kernel" BZ(1351624) This reverts commit 7a0348a2d167a72c8ab8974a1b0fc33407f72c48.
- Revert "Allow xserver to compromise_kernel access"BZ(1351624)
- Revert "Allow anyone who can load a kernel module to compromise_kernel"BZ(1351624)
- Revert "add ptrace_child access to process" (BZ1351624)
- Add user namespace capability object classes.
- Allow udev to manage systemd-hwdb files
- Add interface systemd_hwdb_manage_config()
- Fix paths to infiniband devices. This allows use more then two infiniband interfaces.
- corecmd: Remove fcontext for /etc/sysconfig/libvirtd
- iptables: add fcontext for nftables
- Fix typo in brltty policy
- Add new SELinux module sbd
- Allow pcp dmcache metrics collection
- Allow pkcs_slotd_t to create dir in /var/lock Add label pkcs_slotd_log_t
- Allow openvpn to create sock files labeled as openvpn_var_run_t
- Allow hypervkvp daemon to getattr on all filesystem types.
- Allow firewalld to create net_conf_t files
- Allow mock to use lvm
- Allow mirromanager creating log files in /tmp
- Allow vmtools_t to transition to rpm_script domain
- Allow nsd daemon to manage nsd_conf_t dirs and files
- Allow cluster to create dirs in /var/run labeled as cluster_var_run_t
- Allow sssd read also sssd_conf_t dirs
- Allow opensm daemon to rw infiniband_mgmt_device_t
- Allow krb5kdc_t to communicate with sssd
- Allow prosody to bind on prosody ports
- Add dac_override caps for fail2ban-client Resolves: rhbz#1316678
- dontaudit read access for svirt_t on the file /var/db/nscd/group Resolves: rhbz#1301637
- Allow inetd child process to communicate via dbus with systemd-logind Resolves: rhbz#1333726
- Add label for brltty log file Resolves: rhbz#1328818
- Allow snort_t to communicate with sssd Resolves: rhbz#1284908
- Add interface lttng_sessiond_tmpfs_t()
- Dontaudit su_role_template interface to getattr /proc/kcore Dontaudit su_role_template interface to getattr /dev/initctl
- Add interface lvm_getattr_exec_files()
- Make label for new infiniband_mgmt deivices
- Add prosody ports Resolves: rhbz#1304664
- Label /var/lib/softhsm as named_cache_t. Allow named_t to manage named_cache_t dirs.
- Allow glusterd daemon to get systemd status
- Merge branch 'rawhide-contrib' of github.com:fedora-selinux/selinux-policy into rawhide-contrib
- Merge pull request #135 from rhatdan/rawip_socket
- Allow logrotate dbus-chat with system_logind daemon
- Allow pcp_pmlogger to read kernel network state Allow pcp_pmcd to read cron pid files
- Add interface cron_read_pid_files()
- Allow pcp_pmlogger to create unix dgram sockets
- Add interface dirsrv_run()
- Remove non-existing jabberd_spool_t() interface and add new jabbertd_var_spool_t.
- Remove non-existing interface salk_resetd_systemctl() and replace it with sanlock_systemctl_sanlk_resetd()
- Create label for openhpid log files.
- Container processes need to be able to listen on rawip sockets
- Label /var/lib/ganglia as httpd_var_lib_t
- Allow firewalld_t to create entries in net_conf_t dirs.
- Allow journalctl to read syslogd_var_run_t files. This allows to staff_t and sysadm_t to read journals
- Label /etc/dhcp/scripts dir as bin_t
- Allow sysadm_role to run journalctl_t domain. This allows sysadm user to read journals.
