The rpm-verify command reports changes for packaged files in the active
store (/var/lib/selinux) which are changed on the selinux-policy-*
packages updates. In order to pass the rpm verification process, the
specfile option %verify(not md5 size mtime) for each of the affected
files will prevent from reporting a failure in any of the rpm-verify
subtests:
- S file Size differs
- 5 digest (formerly MD5 sum) differs
- T mTime differs
- Label /dev/isst_interface as cpu_device_t
- Dontaudit firewalld dac_override capability
- Allow ipsec set the context of a SPD entry to the default context
- Build binary RPMs in CI
- Add SRPM build scripts for COPR
The directory will be created automatically by the install commands, so
no need to create it manually.
Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
There is no file actually created at that location during build, so the
command can be safely removed. Verified by removing the '-f' and
observing the build fail (file does not exist).
Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
We can install the permissivedomains.cil module directly, no need to
copy it to %{buildroot} first.
Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
- Allow systemd-logind manage init's pid files
- Allow tcsd the setgid capability
- Allow systemd-resolved manage its private runtime symlinks
- Update systemd_resolved_read_pid() to also read symlinks
- Update systemd-sleep policy
- Add groupadd_t fowner capability
- Migrate to GitHub Actions
- Update README.md to reflect the state after contrib and base merge
- Add README.md announcing merging of selinux-policy and selinux-policy-contrib
- Adapt .travis.yml to contrib merge
- Merge contrib into the main repo
- Prepare to merge contrib repo
- Move stuff around to match the main repo
The "rawhide" branch of selinux-policy and selinux-policy-contrib is
about to be merged together. Update dist-git for this, so that the next
build can be performed with the new repo structure.
Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
- Allow varnish map its private tmp files
- Allow dovecot bind to smtp ports
- Change fetchmail temporary files path to /var/spool/mail
- Allow cups_pdf_t domain to communicate with unix_dgram_socket
- Set file context for symlinks in /etc/httpd to etc_t
- Allow rpmdb rw access to inherited console, ttys, and ptys
- Allow dnsmasq read public files
- Announce merging of selinux-policy and selinux-policy-contrib
- Label /etc/resolv.conf as net_conf_t only if it is a plain file
- Fix range for unreserved ports
- Add files_search_non_security_dirs() interface
- Introduce logging_syslogd_append_public_content tunable
- Add miscfiles_append_public_files() interface
- Set correct default file context for /usr/libexec/pcp/lib/*
- Introduce rpmdb_t type
- Allow slapd manage files/dirs in ldap certificates directory
- Revert "Allow certmonger add new entries in a generic certificates directory"
- Allow certmonger add new entries in a generic certificates directory
- Allow slapd add new entries in ldap certificates directory
- Remove retired PCP pmwebd and pmmgr daemons (since 5.0)
- Let keepalived bind a raw socket
- Add default file context for /usr/libexec/pcp/lib/*
- squid: Allow net_raw capability when squid_use_tproxy is enabled
- systemd: allow networkd to check namespaces
- Add ability to read init_var_run_t where fs_read_efivarfs_files is allowed
- Allow resolved to created varlink sockets and the domain to talk to it
- selinux: tweak selinux_get_enforce_mode() to allow status page to be used
- systemd: allow all systemd services to check selinux status
- Set default file context for /var/lib/ipsec/nss
- Allow user domains transition to rpmdb_t
- Revert "Add miscfiles_add_entry_generic_cert_dirs() interface"
- Revert "Add miscfiles_create_generic_cert_dirs() interface"
- Update miscfiles_manage_all_certs() to include managing directories
- Add miscfiles_create_generic_cert_dirs() interface
- Add miscfiles_add_entry_generic_cert_dirs() interface
- Revert "Label /var/run/zincati/public/motd.d/* as motd_var_run_t"
Replace individual entries for each snapshot with a common pattern rule
and remove obsolete entries.
Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
- rpc.fc: Include /etc/exports.d dir & files
- Create chronyd_pid_filetrans() interface
- Change invalid type redisd_t to redis_t in redis_stream_connect()
- Revert "Removed adding to attribute unpriv_userdomain from userdom_unpriv_type template"
- Allow init dbus chat with kernel
- Allow initrc_t create /run/chronyd-dhcp directory with a transition
- Drop gcc from dependencies in Travis CI
- fc_sort.py: Use "==" for comparing integers.
- re-implement fc_sort in python
- Remove invalid file context line
- Drop git from dependencies in Travis CI
This commit puts back changes in selinux-policy.spec brought by the
"Ensure targeted policy is installed by default" commit, inadvertently
reverted as a result of resolving a merge conflict.
When installing [a package requiring] selinux-policy/-base/
rpm-plugin-selinux, selinux-policy-minimum is always chosen (based on
alphabetical order). This is not desirable and we'd like -targeted to be
picked as the default choice.
Since selinux-policy and selinux-policy-base are glued together because
of rpm-plugins-selinux, just have selinu-policy provide
selinux-policy-base, use a new metapackage selinux-policy-any to
represent "any of -targeted, -mls, or -minimum", and have selinux-policy
require -any.
Then adding "Suggests: selinux-policy-targeted" to selinux-policy has
the effect that -targeted is picked by default when any of
selinux-policy/-base/rpm-plugin-selinux is installed via "dnf install"
on a clean system.
This patch combines the ideas of Petr Lautrbach, Vit Mojzis, and myself.
Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
The selinux-policy repos are quite big - use --depth=1 to fetch only the
latest commit of the requested branch, to save network traffic and time.
A possible downside of this is that one can no longer pass a commit ID
via REPO_SELINUX_POLICY_*BRANCH, but that's unlikely to be useful in
practice.
Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
It's better to use the standard /tmp, since it commonly has tmpfs
mounted over it, which avoids unnecessary disk I/O. Let's make our SSDs
slightly happier :)
Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
- Allow chronyd_t to accept and make NTS-KE connections
- Allow domain write to an automount unnamed pipe
- Label /var/run/zincati/public/motd.d/* as motd_var_run_t
- Allow login programs to (only) read MOTD files and symlinks
- Relabel /usr/sbin/charon-systemd as ipsec_exec_t
- Confine systemd-sleep service
- Add fstools_rw_swap_files() interface
- Label 4460/tcp port as ntske_port_t
- Add lvm_dbus_send_msg(), lvm_rw_var_run() interfaces
- Allow openvswitch fowner capability and create netlink sockets
- Allow additional permissions for gnome-initial-setup
- Add to map non_security_files to the userdom_admin_user_template template
- kernel/filesystem: Add exfat support (no extended attributes)
- Bump version as Fedora 33 has been branched
- Allow php-fpm write access to /var/run/redis/redis.sock
- Allow journalctl to read and write to inherited user domain tty
- Update rkt policy to allow rkt_t domain to read sysfs filesystem
- Allow arpwatch create and use rdma socket
- Allow plymouth sys_chroot capability
- Allow gnome-initial-setup execute in a xdm sandbox
- Add new devices and filesystem interfaces
- Allow certmonger fowner capability
- The nfsdcld service is now confined by SELinux
- Change transitions for ~/.config/Yubico
- Allow all users to connect to systemd-userdbd with a unix socket
- Add file context for ~/.config/Yubico
- Allow syslogd_t domain to read/write tmpfs systemd-bootchart files
- Allow login_pgm attribute to get attributes in proc_t
- Allow passwd to get attributes in proc_t
- Revert "Allow passwd to get attributes in proc_t"
- Revert "Allow login_pgm attribute to get attributes in proc_t"
- Allow login_pgm attribute to get attributes in proc_t
- Allow passwd to get attributes in proc_t
- Allow traceroute_t and ping_t to bind generic nodes.
- Create macro corenet_icmp_bind_generic_node()
- Allow unconfined_t to node_bind icmp_sockets in node_t domain
In order to minimize possible damage on composes we need to be sure that a
system can boot and it doesn't generate any AVC denial.
This test reboots a machine and collects AVC, USER_AVC and SELINUX_ERR audit
messages into avc.log file which is propagated as test artifact.
- Revert "Add support for /sys/fs/kdbus and allow login_pgm domain to access it."
- Revert "Add interface to allow types to associate with cgroup filesystems"
- Revert "kdbusfs should not be accessible for now."
- Revert "kdbusfs should not be accessible for now by default for shipped policies. It should be moved to kdbus.pp"
- Revert "Add kdbus.pp policy to allow access /sys/fs/kdbus. It needs to go with own module because this is workaround for now to avoid SELinux in enforcing mode."
- Remove the legacy kdbus module
- Remove "kdbus = module" from modules-targeted-base.conf
- Additional support for keepalived running in a namespace
- Remove systemd_dbus_chat_resolved(pcp_pmie_t)
- virt: remove the libvirt qmf rules
- Allow certmonger manage dirsrv services
- Run ipa_helper_noatsecure(oddjob_t) only if the interface exists
- Allow domain dbus chat with systemd-resolved
- Define file context for /var/run/netns directory only
- Revert "Add support for fuse.glusterfs"
- Allow pdns server to read system state
- Allow irqbalance nnp_transition
- Fix description tag for the sssd_connect_all_unreserved_ports tunable
- Allow journalctl process set its resource limits
- Add sssd_access_kernel_keys tunable to conditionally access kernel keys
- Make keepalived work with network namespaces
- Create sssd_connect_all_unreserved_ports boolean
- Allow hypervkvpd to request kernel to load a module
- Allow systemd_private_tmp(dirsrv_tmp_t)
- Allow microcode_ctl get attributes of sysfs directories
- Remove duplicate files_dontaudit_list_tmp(radiusd_t) line
- Allow radiusd connect to gssproxy over unix domain stream socket
- Add fwupd_cache_t file context for '/var/cache/fwupd(/.*)?'
- Allow qemu read and write /dev/mapper/control
- Allow tlp_t can_exec() tlp_exec_t
- Dontaudit vpnc_t setting its process scheduling
- Remove files_mmap_usr_files() call for particular domains
- Allow dirsrv_t list cgroup directories
- Crete the kerberos_write_kadmind_tmp_files() interface
- Allow realmd_t dbus chat with accountsd_t
- Label systemd-growfs and systemd-makefs as fsadm_exec_t
- Allow staff_u and user_u setattr generic usb devices
- Allow sysadm_t dbus chat with accountsd
- Modify kernel_rw_key() not to include append permission
- Add kernel_rw_key() interface to access to kernel keyrings
- Modify systemd_delete_private_tmp() to use delete_*_pattern macros
- Allow systemd-modules to load kernel modules
- Add cachefiles_dev_t as a typealias to cachefiles_device_t
- Allow libkrb5 lib read client keytabs
- Allow domain mmap usr_t files
- Remove files_mmap_usr_files() call for systemd domains
- Allow sshd write to kadmind temporary files
- Do not audit staff_t and user_t attempts to manage boot_t entries
- Add files_dontaudit_manage_boot_dirs() interface
- Allow systemd-tty-ask-password-agent read efivarfs files
This does not work as expected with `/bin/sh` if the file does
not exist:
. %{_sysconfdir}/selinux/config &> /dev/null || true;
when run with `/bin/sh` (as opposed to `/bin/bash`) it exits 1
if the file does not exist. It exits 0 if the file exists but
there is an error parsing it. When run with `/bin/bash` it exits
0 in both cases as expected, but RPM scriptlets are run with sh.
To avoid this problem, we must always explicitly do an existence
check on the file before attempting to source it.
Signed-off-by: Adam Williamson <awilliam@redhat.com>
- Add fetchmail_uidl_cache_t type for /var/mail/.fetchmail.pid
- Support multiple ways of tlp invocation
- Allow qemu-kvm read and write /dev/mapper/control
- Introduce logrotate_use_cifs boolean
- Allow ptp4l_t sys_admin capability to run bpf programs
- Allow to getattr files on an nsfs filesystem
- httpd: Allow NoNewPriv transition from systemd
- Allow rhsmd read process state of all domains and kernel threads
- Allow rhsmd mmap /etc/passwd
- Allow systemd-logind manage efivarfs files
- Allow initrc_t tlp_filetrans_named_content()
- Allow systemd_resolved_t to read efivarfs
- Allow systemd_modules_load_t to read efivarfs
- Introduce systemd_read_efivarfs_type attribute
- Allow named transition for /run/tlp from a user shell
- Allow ipsec_mgmt_t mmap ipsec_conf_file_t files
- Add file context for /sys/kernel/tracing
- Allow chronyc_t domain to use nsswitch
- Allow nscd_socket_use() for domains in nscd_use() unconditionally
- Add allow rules for lttng-sessiond domain
- Label dirsrv systemd unit files and add dirsrv_systemctl()
- Allow gluster geo-replication in rsync mode
- Allow nagios_plugin_domain execute programs in bin directories
- Allow sys_admin capability for domain labeled systemd_bootchart_t
- Split the arping path regexp to 2 lines to prevent from relabeling
- Allow tcpdump sniffing offloaded (RDMA) traffic
- Revert "Change arping path regexp to work around fixfiles incorrect handling"
- Change arping path regexp to work around fixfiles incorrect handling
- Allow read efivarfs_t files by domains executing systemctl file
- Update networkmanager_read_pid_files() to allow also list_dir_perms
- Update policy for NetworkManager_ssh_t
- Allow glusterd synchronize between master and slave
- Allow spamc_t domain to read network state
- Allow strongswan use tun/tap devices and keys
- Allow systemd_userdbd_t domain logging to journal
Ipa_custodia was merged into ipa policy module. To avoid conflicts
the module needs to be disabled before policy update.
Fixes:
Running scriptlet: selinux-policy-targeted-3.14.5-35.fc32.noarch
Re-declaration of type ipa_custodia_t
Failed to create node
Bad type declaration at /var/lib/selinux/targeted/tmp/modules/100/ipa_custodia/cil:1
/usr/sbin/semodule: Failed!
- Allow rngd create netlink_kobject_uevent_socket and read udev runtime files
- Allow ssh-keygen create file in /var/lib/glusterd
- Update ctdbd_manage_lib_files() to also allow mmap ctdbd_var_lib_t files
- Merge ipa and ipa_custodia modules
- Allow NetworkManager_ssh_t to execute_no_trans for binary ssh_exec_t
- Introduce daemons_dontaudit_scheduling boolean
- Modify path for arping in netutils.fc to match both bin and sbin
- Change file context for /var/run/pam_ssh to match file transition
- Add file context entry and file transition for /var/run/pam_timestamp