Commit Graph

353 Commits

Author SHA1 Message Date
Miroslav Grepl
db55b65949 - Merge pull request #48 from lkundrak/contrib-openfortivpn
- unbound wants to use ephemeral ports as a default configuration. Allow to use also udp sockets.
2015-11-10 10:24:32 +01:00
Miroslav Grepl
02b374489f - The ABRT coredump handler has code to emulate default core file creation The handler runs in a separate process with abrt_dump_oops_t SELinux process type. abrt-hook-ccpp also saves the core dump file in the very same way as kernel does and a user can specify CWD location for a coredump. abrt-hook-ccpp has been made as a SELinux aware apps to create this coredumps with correct labeling and with this commit the policy rules have been updated to allow access all non security files on a system.
- Since /dev/log is a symlink, we need to allow relabelto also symlink. This commit update logging_relabel_devlog_dev() interface to allow it.
- systemd-user has pam_selinux support and needs to able to compute user security context if init_t is not unconfined domain.
2015-11-09 15:04:44 +01:00
Lukas Vrabec
66791f96f6 * Tue Oct 27 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-156
- Allow fail2ban-client to execute ldconfig. #1268715
- Add interface virt_sandbox_domain()
- Use mmap_file_perms instead of exec_file_perms in setroubleshoot policy to shave off the execute_no_trans permission. Based on a github communication with Dominick Grift.
-all userdom_dontaudit_user_getattr_tmp_sockets instead() of usedom_dontaudit_user_getattr_tmp_sockets().
- Rename usedom_dontaudit_user_getattr_tmp_sockets() to userdom_dontaudit_user_getattr_tmp_sockets().
- Remove auth_login_pgm_domain(init_t) which has been added by accident.
- init_t needs to able to change SELinux identity because it is used as login_pgm domain because of systemd-user and PAM. It allows security_compute_user() returns a list of possible context and then a correct default label is returned by "selinux.get_default_context(sel_user,fromcon)" defined in the policy user config files.
- Add interface auth_use_nsswitch() to systemd_domain_template.
- Revert "auth_use_nsswitch can be used with attribute systemd_domain."
- auth_use_nsswitch can be used with attribute systemd_domain.
- ipsec: fix stringSwan charon-nm
- docker is communicating with systemd-machined
- Add missing systemd_dbus_chat_machined, needed by docker
2015-10-27 14:23:44 +01:00
Lukas Vrabec
0bdc2482e7 * Tue Oct 20 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-154
- Allow winbindd to send signull to kernel. BZ(#1269193)
- Merge branch 'rawhide-contrib-chrony' into rawhide-contrib
- Fixes for chrony version 2.2 BZ(#1259636)
  * Allow chrony chown capability
  * Allow sendto dgram_sockets to itself and to unconfined_t domains.
- Merge branch 'rawhide-contrib-chrony' into rawhide-contrib
- Add boolean allowing mysqld to connect to http port. #1262125
- Merge pull request #52 from 1dot75cm/rawhide-base
- Allow systemd_hostnamed to read xenfs_t files. BZ(#1233877)
- Fix attribute in corenetwork.if.in
2015-10-20 15:11:36 +02:00
Lukas Vrabec
2bd687c904 * Tue Oct 13 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-153
- Allow abrt_t to read sysctl_net_t files. BZ(#1194280)
- Merge branch 'rawhide-contrib' of github.com:fedora-selinux/selinux-policy into rawhide-contrib
- Add abrt_stub interface.
- Add support for new mock location - /usr/libexec/mock/mock. BZ(#1270972)
- Allow usbmuxd to access /run/udev/data/+usb:*. BZ(#1269633)
- Allow qemu-bridge-helper to read /dev/random and /dev/urandom. BZ(#1267217)
- Allow sssd_t to manage samba var files/dirs to SSSD's GPO support which is enabled against an Active Directory domain. BZ(#1225200).
- Add samba_manage_var_dirs() interface.
- Allow pcp_pmlogger to exec bin_t BZ(#1258698)
- Allow spamd to read system network state. BZ(1260234)
- Allow fcoemon to create netlink scsitransport sockets BZ(#1260882)
- Allow networkmanager to create networkmanager_var_lib_t files. BZ(1270201)
- Allow systemd-networkd to read XEN state for Xen hypervisor. BZ(#1269916)
- Add fs_read_xenfs_files() interface.
- Allow systemd_machined_t to send dbus msgs to all users and read/write /dev/ptmx to make 'machinectl shell' working correctly.
- Allow systemd running as init_t to override the default context for key creation. BZ(#1267850)
2015-10-13 18:34:04 +02:00
Lukas Vrabec
a6a2539c66 * Thu Oct 08 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-152
- Allow pcp_pmlogger to read system state. BZ(1258699)
- Allow cupsd to connect on socket. BZ(1258089)
- Allow named to bind on ephemeral ports. BZ(#1259766)
- Allow iscsid create netlink iscsid sockets.
- We need allow connect to xserver for all sandbox_x domain because we have one type for all sandbox processes.
- Allow NetworkManager_t and policykit_t read access to systemd-machined pid files. #1255305
- Add missing labeling for /usr/libexec/abrt-hook-ccpp as a part of #1245477 and #1242467 bugs.
- Allow search dirs in sysfs types in kernel_read_security_state.
- Fix kernel_read_security_state interface that source domain of this interface can search sysctl_fs_t dirs.
2015-10-08 15:52:24 +02:00
Lukas Vrabec
61514837cc * Fri Oct 02 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-150
- Allow acpid to attempt to connect to the Linux kernel via generic netlink socket.
- Clean up pkcs11proxyd policy.
- We need to require sandbox_web_type attribute in sandbox_x_domain_template().
- Revert "depmod is a symlink to insmod so it runs as insmod_t. It causes that dep kernel modules files are not created with the correct labeling modules_dep_t. This fix adds filenamtrans rules for insmod_t."
- depmod is a symlink to insmod so it runs as insmod_t. It causes that dep kernel modules files are not created with the correct labeling modules_dep_t. This fix adds filenamtrans rules for insmod_t.
- Update files_read_kernel_modules() to contain modutils_read_module_deps() calling because module deps labeling has been updated and it allows to avoid regressions.
- Update modules_filetrans_named_content() interface to cover more modules.* files.
- New policy for systemd-machined. #1255305
- In Rawhide/F24, we added pam_selinux.so support for systemd-users to have user sessions running under correct SELinux labeling. It also supports another new feature with systemd+dbus and we have sessions dbuses running with the correct labeling - unconfined_dbus_t for example.
- Allow systemd-logind read access to efivarfs - Linux Kernel configuration options for UEFI systems (UEFI Runtime Variables). #1244973, #1267207 (partial solution)
- Merge pull request #42 from vmojzis/rawhide-base
- Add interface to allow reading files in efivarfs - contains Linux Kernel configuration options for UEFI systems (UEFI Runtime Variables)
2015-10-02 13:49:11 +02:00
Lukas Vrabec
b03747cd87 * Tue Sep 29 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-149
- Add few rules related to new policy for pkcs11proxyd
- Added new policy for pkcs11proxyd daemon
- We need to require sandbox_web_type attribute in sandbox_x_domain_template().
- Dontaudit abrt_t to rw lvm_lock_t dir.
- Allow abrt_d domain to write to kernel msg device.
- Add interface lvm_dontaudit_rw_lock_dir()
- Merge pull request #35 from lkundrak/lr-libreswan
2015-09-29 18:17:13 +02:00
Lukas Vrabec
ec0c1bc01e * Tue Sep 22 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-148
- Update config.tgz to reflect changes in default context for SELinux users related to pam_selinux.so which is now used in systemd-users.
- Added support for permissive domains
- Allow rpcbind_t domain to change file owner and group
- rpm-ostree has a daemon mode now and need to speak to polkit/logind for authorization. BZ(#1264988)
- Allow dnssec-trigger to send generic signal to Network-Manager. BZ(#1242578)
- Allow smbcontrol to create a socket in /var/samba which uses for a communication with smbd, nmbd and winbind.
- Revert "Add apache_read_pid_files() interface"
- Allow dirsrv-admin read httpd pid files.
- Add apache_read_pid_files() interface
- Add label for dirsrv-admin unit file.
- Allow qpid daemon to connect on amqp tcp port.
- Allow dirsrvadmin-script read /etc/passwd file Allow dirsrvadmin-script exec systemctl
- Add labels for afs binaries: dafileserver, davolserver, salvageserver, dasalvager
- Add lsmd_plugin_t sys_admin capability, Allow lsmd_plugin_t getattr from sysfs filesystem.
- Allow rhsmcertd_t send signull to unconfined_service_t domains.
- Revert "Allow pcp to read docker lib files."
- Label /usr/libexec/dbus-1/dbus-daemon-launch-helper  as dbusd_exec_t to have systemd dbus services running in the correct domain instead of unconfined_service_t if unconfined.pp module is enabled. BZ(#1262993)
- Allow pcp to read docker lib files.
- Revert "init_t needs to be login_pgm domain because of systemd-users + pam_selinux.so"
- Add login_userdomain attribute also for unconfined_t.
- Add userdom_login_userdomain() interface.
- Label /etc/ipa/nssdb dir as cert_t
- init_t needs to be login_pgm domain because of systemd-users + pam_selinux.so
- Add interface unconfined_server_signull() to allow domains send signull to unconfined_service_t
- Call userdom_transition_login_userdomain() instead of userdom_transition() in init.te related to pam_selinux.so+systemd-users.
- Add userdom_transition_login_userdomain() interface
- Allow user domains with login_userdomain to have entrypoint access on init_exec. It is needed by pam_selinux.so call in systemd-users. BZ(#1263350)
- Add init_entrypoint_exec() interface.
- Allow init_t to have transition allow rule for userdomain if pam_selinux.so is used in /etc/pam.d/systemd-user. It ensures that systemd user sessions will run with correct userdomain types instead of init_t. BZ(#1263350)
2015-09-22 18:00:08 +02:00
Lukas Vrabec
2818673721 * Mon Sep 14 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-147
- named wants to access /proc/sys/net/ipv4/ip_local_port_range to get ehphemeral range. BZ(#1260272)
- Allow user screen domains to list directorires in HOMEDIR wit user_home_t labeling.
- Dontaudit fenced search gnome config
- Allow teamd running as NetworkManager_t to access netlink_generic_socket to allow multiple network interfaces to be teamed together. BZ(#1259180)
- Fix for watchdog_unconfined_exec_read_lnk_files, Add also dir search perms in watchdog_unconfined_exec_t.
- Sanlock policy update. #1255307   - New sub-domain for sanlk-reset daemon
- Fix labeling for fence_scsi_check script
- Allow openhpid to read system state Aloow openhpid to connect to tcp http port.
- Allow openhpid to read snmp var lib files.
- Allow openvswitch_t domains read kernel dependencies due to openvswitch run modprobe
- Fix regexp in chronyd.fc file
- systemd-logind needs to be able to act with /usr/lib/systemd/system/poweroff.target to allow shutdown system. BZ(#1260175)
- Allow systemd-udevd to access netlink_route_socket to change names for network interfaces without unconfined.pp module. It affects also MLS.
- Allow unconfined_t domains to create /var/run/xtables.lock with iptables_var_run_t
- Remove bin_t label for /usr/share/cluster/fence_scsi_check\.pl
2015-09-14 09:29:16 +02:00
Lukas Vrabec
f1ab24fa93 * Tue Sep 01 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-146
- Allow passenger to getattr filesystem xattr
- Revert "Allow pegasus_openlmi_storage_t create mdadm.conf.anacbak file in /etc."
- Label mdadm.conf.anackbak as mdadm_conf_t file.
- Allow dnssec-ttrigger to relabel net_conf_t files. BZ(1251765)
- Allow dnssec-trigger to exec pidof. BZ(#1256737)
- Allow blueman to create own tmp files in /tmp. (#1234647)
- Add new audit_read access vector in capability2 class
- Add "binder" security class and access vectors
- Update netlink socket classes.
- Allow getty to read network state. BZ(#1255177)
- Remove labeling for /var/db/.*\.db as etc_t to label db files as system_db_t.
2015-09-01 18:25:49 +02:00
Lukas Vrabec
0d70340b72 * Sun Aug 30 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-145
- Allow watchdog execute fenced python script.
- Added inferface watchdog_unconfined_exec_read_lnk_files()
- Allow pmweb daemon to exec shell. BZ(1256127)
- Allow pmweb daemon to read system state. BZ(#1256128)
- Add file transition that cermonger can create /run/ipa/renewal.lock with label ipa_var_run_t.
- Revert "Revert default_range change in targeted policy"
- Allow dhcpc_t domain transition to chronyd_t
2015-08-30 23:03:47 +02:00
Lukas Vrabec
96de5661d2 * Mon Aug 24 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-144
- Allow pmlogger to create pmlogger.primary.socket link file. BZ(1254080)
- Allow NetworkManager send sigkill to dnssec-trigger. BZ(1251764)
- Add interface dnssec_trigger_sigkill
- Allow smsd use usb ttys. BZ(#1250536)
- Fix postfix_spool_maildrop_t,postfix_spool_flush_t contexts in postfix.fc file.
- Revert default_range change in targeted policy
- Allow systemd-sysctl cap. sys_ptrace  BZ(1253926)
2015-08-24 11:25:02 +02:00
Miroslav Grepl
f5f6812fa4 - Add ipmievd policy creaed by vmojzis@redhat.com
- Call kernel_load_module(vmware_host_t) to satisfy neverallow assertion for sys_moudle in MLS where unconfined is disabled.
- Allow NetworkManager to write audit log messages
- Add new policy for ipmievd (ipmitool).
- mirrormanager needs to be application domain and cron_system_entry needs to be called in optional block.
- Allow sandbox domain to be also /dev/mem writer
- Fix neverallow assertion for sys_module capability for openvswitch.
- kernel_load_module() needs to be called out of boolean for svirt_lxc_net_t.
- Fix neverallow assertion for sys_module capability.
- Add more attributes for sandbox domains to avoid neverallow assertion issues.
- Add neverallow asserition fixes related to storage.
- Allow exec pidof under hypervkvp domain. Allow hypervkvp daemon create connection to the system DBUS
- Allow openhpid_t to read system state.
- Add temporary fixes for sandbox related to #1103622. It allows to run everything under one sandbox type.
- Added labels for files provided by rh-nginx18 collection
- Dontaudit block_suspend capability for ipa_helper_t, this is kernel bug. Allow ipa_helper_t capability net_admin. Allow ipa_helper_t to list /tmp. Allow ipa_helper_t to read rpm db.
- Allow rhsmcertd exec rhsmcertd_var_run_t files and rhsmcerd_tmp_t files. This rules are in hide_broken_sympthons until we find better solution.
- Update files_manage_all_files to contain auth_reader_shadow and auth_writer_shadow tosatisfy neverallow assertions.
- Update files_relabel_all_files() interface to contain auth_relabelto_shadow() interface to satisfy neverallow assertion.
- seunshare domains needs to have set_curr_context attribute to resolve neverallow assertion issues.
- Add dev_raw_memory_writer() interface
- Add auth_reader_shadow() and auth_writer_shadow() interfaces
- Add dev_raw_memory_reader() interface.
- Add storage_rw_inherited_scsi_generic() interface.
- Update files_relabel_non_auth_files() to contain seutil_relabelto_bin_policy() to make neverallow assertion working.
- Update kernel_read_all_proc() interface to contain can_dump_kernel and can_receive_kernel_messages attributes  to fix neverallow violated issue for proc_kcore_t and proc_kmsg_t.
- Update storage_rw_inherited_fixed_disk_dev() interface to use proper attributes to fix neverallow violated issues caused by neverallow check during build process.
2015-08-21 10:11:52 +02:00
Lukas Vrabec
1ba0a986f6 * Tue Aug 18 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-142
- Allow samba_net_t to manage samba_var_t sock files.
- Allow httpd daemon to manage httpd_var_lib_t lnk_files.
- Allow collectd stream connect to pdns.(BZ #1191044)
- Add interface pdns_stream_connect()
- Merge branch 'rawhide-contrib' of github.com:fedora-selinux/selinux-policy into rawhide-contrib
- Allow chronyd exec systemctl
- Merge pull request #30 from vmojzis/rawhide-contrib
- Hsqldb policy upgrade -Allow sock_file management
- Add inteface chronyd_signal Allow timemaster_t send generic signals to chronyd_t.
- Hsqldb policy upgrade.  -Disallow hsqldb_tmp_t link_file management
- Hsqldb policy upgrade:  -Remove tmp link_file transition  -Add policy summary  -Remove redundant parameter for "hsqldb_admin" interface
- Label /var/run/chrony-helper dir as chronyd_var_run_t.
- Allow lldpad_t to getattr tmpfs_t. Label /dev/shm/lldpad.* as lldapd_tmpfs_t
- Fix label on /var/tmp/kiprop_0
- Add mountpoint dontaudit access check in rhsmcertd policy.
- Allow pcp_domain to manage pcp_var_lib_t lnk_files.
- Allow chronyd to execute mkdir command.
- Allow chronyd_t to read dhcpc state.
- Label /usr/libexec/chrony-helper as chronyd_exec_t
- Allow openhpid liboa_soap plugin to read resolv.conf file.
- Allow openhpid liboa_soap plugin to read generic certs.
- Allow openhpid use libwatchdog plugin. (Allow openhpid_t rw watchdog device)
- Allow logrotate to reload services.
- Allow apcupsd_t to read /sys/devices
- Allow kpropd to connect to kropd tcp port.
- Allow systemd_networkd to send logs to syslog.
- Added interface fs_dontaudit_write_configfs_dirs
- Allow audisp client to read system state.
- Label /var/run/xtables.lock as iptables_var_run_t.
-  Add labels for /dev/memory_bandwith and /dev/vhci. Thanks ssekidde
- Add interface to read/write watchdog device.
- Add transition rule for iptables_var_lib_t
2015-08-18 10:39:06 +02:00
Lukas Vrabec
28b73b2eef * Mon Aug 10 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-141
- Allow chronyd to execute mkdir command.
- Allow chronyd_t to read dhcpc state.
- Label /usr/libexec/chrony-helper as chronyd_exec_t
- Allow openhpid liboa_soap plugin to read resolv.conf file.
- Allow openhpid liboa_soap plugin to read generic certs.
- Allow openhpid use libwatchdog plugin. (Allow openhpid_t rw watchdog device)
- Allow logrotate to reload services.
- Allow apcupsd_t to read /sys/devices
- Allow kpropd to connect to kropd tcp port.
- Allow lsmd also setuid capability. Some commands need to executed under root privs. Other commands are executed under unprivileged user.
- Allow snapperd to pass data (one way only) via pipe negotiated over dbus.
- Add snapper_read_inherited_pipe() interface.
- Add missing ";" in kerberos.te
- Add support for /var/lib/kdcproxy and label it as krb5kdc_var_lib_t. It needs to be accessible by useradd_t.
- Add support for /etc/sanlock which is writable by sanlock daemon.
- Allow mdadm to access /dev/random and add support to create own files/dirs as mdadm_tmpfs_t.
-  Add labels for /dev/memory_bandwith and /dev/vhci. Thanks ssekidde
- Add interface to read/write watchdog device.
- Add transition rule for iptables_var_lib_t
- Allow useradd add homedir located in /var/lib/kdcproxy in ipa-server RPM scriplet.
- Revert "Allow grubby to manage and create /run/blkid with correct labeling"
- Allow grubby to manage and create /run/blkid with correct labeling
- Add fstools_filetrans_named_content_fsadm() and call it for named_filetrans_domain domains. We need to be sure that /run/blkid is created with correct labeling.
- arping running as netutils_t needs to access /etc/ld.so.cache in MLS.
- Allow sysadm to execute systemd-sysctl in the sysadm_t domain. It is needed for ifup command in MLS mode.
- Add systemd_exec_sysctl() and systemd_domtrans_sysctl() interfaces.
- Allow udev, lvm and fsadm to access systemd-cat in /var/tmp/dracut if 'dracut -fv' is executed in MLS.
- Allow admin SELinu users to communicate with kernel_t. It is needed to access /run/systemd/journal/stdout if 'dracut -vf' is executed. We allow it for other SELinux users.
- depmod runs as insmod_t and it needs to manage user tmp files which was allowed for depmod_t. It is needed by dracut command for SELinux restrictive policy (confined users, MLS).
2015-08-10 18:38:57 +02:00
Miroslav Grepl
d8af5a753a - firewalld needs to relabel own config files. BZ(#1250537)
- Allow rhsmcertd to send signull to unconfined_service
- Allow lsm_plugin_t to rw raw_fixed_disk.
- Allow lsm_plugin_t to read sysfs, read hwdata, rw to scsi_generic_device
- Allow openhpid to use libsnmp_bc plugin (allow read snmp lib files).
2015-08-05 16:03:40 +02:00
Lukas Vrabec
f35d9026d6 * Tue Aug 04 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-139
- Add header for sslh.if file
- Fix sslh_admin() interface
- Clean up sslh.if
- Fix typo in pdns.if
- Allow qpid to create lnk_files in qpid_var_lib_t.
- Allow httpd_suexec_t to read and write Apache stream sockets
- Merge pull request #21 from hogarthj/rawhide-contrib
- Allow virt_qemu_ga_t domtrans to passwd_t.
- use read and manage files_patterns and the description for the admin interface
- Merge pull request #17 from rubenk/pdns-policy
- Allow redis to read kernel parameters.
- Label /etc/rt dir as httpd_sys_rw_content_t BZ(#1185500)
- Allow hostapd to manage sock file in /va/run/hostapd Add fsetid cap. for hostapd Add net_raw cap. for hostpad BZ(#1237343)
- Allow bumblebee to seng kill signal to xserver
- glusterd call pcs utility which calls find for cib.* files and runs pstree under glusterd. Dontaudit access to security files and update gluster boolean to reflect these changes.
- Allow drbd to get attributes from filesystems.
- Allow drbd to read configuration options used when loading modules.
- fix the description for the write config files, add systemd administration support and fix a missing gen_require in the admin interface
- Added Booleans: pcp_read_generic_logs.
- Allow pcp_pmcd daemon to read postfix config files. Allow pcp_pmcd daemon to search postfix spool dirs.
- Allow glusterd to communicate with cluster domains over stream socket.
- fix copy paste error with writing the admin interface
- fix up the regex in sslh.fc, add sslh_admin() interface
- adding selinux policy files for sslh
- Remove diplicate sftpd_write_ssh_home boolean rule.
- Revert "Allow smbd_t and nmbd_t to manage winbind_var_run_t files/socktes/dirs."
- gnome_dontaudit_search_config() needs to be a part of optinal_policy in pegasus.te
- Allow glusterd to manage nfsd and rpcd services.
- Add kdbus.pp policy to allow access /sys/fs/kdbus. It needs to go with own module because this is workaround for now to avoid SELinux in enforcing mode.
- kdbusfs should not be accessible for now by default for shipped policies. It should be moved to kdbus.pp
- kdbusfs should not be accessible for now.
- Add support for /sys/fs/kdbus and allow login_pgm domain to access it.
- Allow sysadm to administrate ldap environment and allow to bind ldap port to allow to setup an LDAP server (389ds).
- Label /usr/sbin/chpasswd as passwd_exec_t.
- Allow audisp_remote_t to read/write user domain pty.
- Allow audisp_remote_t to start power unit files domain to allow halt system.
2015-08-04 01:19:35 +02:00
Lukas Vrabec
e5e6b1ee54 * Mon Jul 20 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-138
- Add fixes for selinux-policy packages to reflect the latest changes related to policy module store migration.
- Prepare selinux-policy package for SELinux store migration
- gnome_dontaudit_search_config() needs to be a part of optinal_policy in pegasus.te
- Allow glusterd to manage nfsd and rpcd services.
- Allow smbd_t and nmbd_t to manage winbind_var_run_t files/socktes/dirs.
- Add samba_manage_winbind_pid() interface
- Allow networkmanager to  communicate via dbus with systemd_hostanmed.
- Allow stream connect logrotate to prosody.
- Add prosody_stream_connect() interface.
-  httpd should be able to send signal/signull to httpd_suexec_t, instead of httpd_suexec_exec_t.
- Allow prosody to create own tmp files/dirs.
- Allow keepalived request kernel load module
- kadmind should not read generic files in /usr
- Allow kadmind_t access to /etc/krb5.keytab
- Add more fixes to kerberos.te
- Add labeling for /var/tmp/kadmin_0 and /var/tmp/kiprop_0
- Add lsmd_t to nsswitch_domain.
- Allow pegasus_openlmi_storage_t create mdadm.conf.anacbak file in /etc.
- Add fixes to pegasus_openlmi_domain
- Allow Glance Scrubber to connect to commplex_main port
- Allow RabbitMQ to connect to amqp port
- Allow isnsd read access on the file /proc/net/unix
- Allow qpidd access to /proc/<pid>/net/psched
- Allow openshift_initrc_t to communicate with firewalld over dbus.
- Allow ctdbd_t send signull to samba_unconfined_net_t.
- Add samba_signull_unconfined_net()
- Add samba_signull_winbind()
- Revert "Add interfaces winbind_signull(), samba_unconfined_net_signull()."
- Fix ctdb policy
- Label /var/db/ as system_db_t.
2015-07-20 18:37:28 +02:00
Lukas Vrabec
04f749c8f0 * Wed Jul 15 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-137
- inn daemon should create innd_log_t objects in var_log_t instead of innd_var_run_t
- Fix rule definitions for httpd_can_sendmail boolean. We need to distinguish between base and contrib.
2015-07-15 11:45:00 +02:00
Lukas Vrabec
ee724ad113 * Tue Jul 14 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-136
- Add samba_unconfined_script_exec_t to samba_admin header.
- Add jabberd_lock_t label to jabberd_admin header.
- Add rpm_var_run_t label to rpm_admin header.
- Make all interfaces related to openshift_cache_t as deprecated.
- Remove non exits nfsd_ro_t label.
- Label /usr/afs/ as afs_files_t Allow afs_bosserver_t create afs_config_t and afs_dbdir_t dirs under afs_files_t Allow afs_bosserver_t read kerberos config
- Fix *_admin intefaces where body is not consistent with header.
- Allow networkmanager read rfcomm port.
- Fix nova_domain_template interface, Fix typo bugs in nova policy
- Create nova sublabels.
- Merge all nova_* labels under one nova_t.
- Add cobbler_var_lib_t to "/var/lib/tftpboot/boot(/.*)?"
- Allow dnssec_trigger_t relabelfrom dnssec_trigger_var_run_t files.
- Fix label openstack-nova-metadata-api binary file
- Allow nova_t to bind on geneve tcp port, and all udp ports
- Label swift-container-reconciler binary as swift_t.
- Allow glusterd to execute showmount in the showmount domain.
- Allow NetworkManager_t send signull to dnssec_trigger_t.
- Add support for openstack-nova-* packages.
- Allow audisp-remote searching devpts.
- Label 6080 tcp port as geneve
2015-07-14 18:10:21 +02:00
Lukas Vrabec
f53ebea7af * Thu Jul 09 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-135
- Update mta_filetrans_named_content() interface to cover more db files.
- Revert "Remove ftpd_use_passive_mode boolean. It does not make sense due to ephemeral port handling."
- Allow pcp domains to connect to own process using unix_stream_socket.
- Typo in abrt.te
- Allow  abrt-upload-watch service to dbus chat with ABRT daemon and fsetid capability to allow run reporter-upload correctly.
- Add nagios_domtrans_unconfined_plugins() interface.
- Add nagios_domtrans_unconfined_plugins() interface.
- Add new boolean - httpd_run_ipa to allow httpd process to run IPA helper and dbus chat with oddjob.
- Add support for oddjob based helper in FreeIPA. BZ(1238165)
- Allow dnssec_trigger_t create dnssec_trigger_tmp_t files in /var/tmp/ BZ(1240840)
- Allow ctdb_t sending signull to smbd_t, for checking if smbd process exists. BZ(1224879)
- Fix cron_system_cronjob_use_shares boolean to call fs interfaces which contain only entrypoint permission.
- Add cron_system_cronjob_use_shares boolean to allow system cronjob to be executed from shares - NFS, CIFS, FUSE. It requires "entrypoint" permissios on nfs_t, cifs_t and fusefs_t SELinux types.
- nrpe needs kill capability to make gluster moniterd nodes working.
- Revert "Dontaudit ctbd_t sending signull to smbd_t."
- Fix interface corenet_tcp_connect_postgresql_port_port(prosody_t)
- Allow prosody connect to postgresql port.
- Fix logging_syslogd_run_nagios_plugins calling in logging.te
- Add logging_syslogd_run_nagios_plugins boolean for rsyslog to allow transition to nagios unconfined plugins.
- Add support for oddjob based helper in FreeIPA. BZ(1238165)
- Add new interfaces
- Add fs_fusefs_entry_type() interface.
2015-07-09 10:31:45 +02:00
Lukas Vrabec
d04212cd26 * Thu Jul 02 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-134
- Allow ctdb_t sending signull to smbd_t, for checking if smbd process exists. BZ(1224879)
- Fix cron_system_cronjob_use_shares boolean to call fs interfaces which contain only entrypoint permission.
- Add cron_system_cronjob_use_shares boolean to allow system cronjob to be executed from shares - NFS, CIFS, FUSE. It requires "entrypoint" permissios on nfs_t, cifs_t and fusefs_t SELinux types.
- Merge remote-tracking branch 'refs/remotes/origin/rawhide-contrib' into rawhide-contrib
- nrpe needs kill capability to make gluster moniterd nodes working.
- Fix interface corenet_tcp_connect_postgresql_port_port(prosody_t)
- Allow prosody connect to postgresql port.
- Add new interfaces
- Add fs_fusefs_entry_type() interface.
2015-07-02 17:37:26 +02:00
Lukas Vrabec
20e7f0e6a4 * Mon Jun 29 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-132
- Rename xodbc-connect port to xodbc_connect
- Dontaudit apache to manage snmpd_var_lib_t files/dirs. BZ(1189214)
- Add interface snmp_dontaudit_manage_snmp_var_lib_files().
- Allow ovsdb-server to connect on xodbc-connect and ovsdb tcp ports. BZ(1179809)
- Dontaudit mozilla_plugin_t cap. sys_ptrace. BZ(1202043)
- Allow iscsid write to fifo file kdumpctl_tmp_t. Appears when kdump generates the initramfs during the kernel boot. BZ(1181476)
- Dontaudit chrome to read passwd file. BZ(1204307)
- Allow firewalld exec ldconfig. BZ(1232748)
- Allow dnssec_trigger_t read networkmanager conf files. BZ(1231798)
- Allow in networkmanager_read_conf() also read NetworkManager_etc_rw_t files. BZ(1231798)
- Allow NetworkManager write to sysfs. BZ(1234086)
- Fix bogus line in logrotate.fc.
- Add dontaudit interface for kdumpctl_tmp_t
- Rename xodbc-connect port to xodbc_connect
- Label tcp port 6632 as xodbc-connect port. BZ (1179809)
- Label tcp port 6640 as ovsdb port. BZ (1179809)
2015-06-29 18:07:03 +02:00
Lukas Vrabec
7100c57b1f * Tue Jun 23 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-131
- Allow NetworkManager write to sysfs. BZ(1234086)
- Fix bogus line in logrotate.fc.
- Add dontaudit interface for kdumpctl_tmp_t
- Use userdom_rw_user_tmp_files() instead of userdom_rw_user_tmpfs_files() in gluster.te
- Add postgresql support for systemd unit files.
- Fix missing bracket
- Pull request by ssekidde. https://github.com/fedora-selinux/selinux-policy/pull/18
- Fixed obsoleted userdom_delete_user_tmpfs_files() inteface
2015-06-23 18:07:14 +02:00
Miroslav Grepl
4e49e36893 - Fix bogus line in logrotate.fc. 2015-06-23 15:44:47 +02:00
Miroslav Grepl
1bee2ddf1b Use userdom_rw_user_tmp_files() instead of userdom_rw_user_tmpfs_files() in gluster.te 2015-06-18 20:21:46 +02:00
Miroslav Grepl
66628cef58 - Allow glusterd to interact with gluster tools running in a user domain
- rpm_transition_script() is called from rpm_run. Update cloud-init rules.
- Call rpm_transition_script() from rpm_run() interface.
- Allow radvd has setuid and it requires dac_override. BZ(1224403)
- Add glusterd_manage_lib_files() interface.
- Allow samba_t net_admin capability to make CIFS mount working.
- S30samba-start gluster hooks wants to search audit logs. Dontaudit it.
- Reflect logrotate change which moves /var/lib/logrotate.status to /var/lib/logrotate/logrotate.status. BZ(1228531)
- ntop reads /var/lib/ntop/macPrefix.db and it needs dac_override. It has setuid/setgid. BZ(1058822)
- Allow cloud-init to run rpm scriptlets to install packages. BZ(1227484)
- Allow nagios to generate charts.
- Allow glusterd to send generic signals to systemd_passwd_agent processes.
- Allow glusterd to run init scripts.
- Allow glusterd to execute /usr/sbin/xfs_dbin glusterd_t domain.
- Calling cron_system_entry() in pcp_domain_template needs to be a part of optional_policy block.
- Allow samba-net to access /var/lib/ctdbd dirs/files.
- Allow glusterd to send a signal to smbd.
- Make ctdbd as home manager to access also FUSE.
- Allow glusterd to use geo-replication gluster tool.
- Allow glusterd to execute ssh-keygen.
- Allow glusterd to interact with cluster services.
- Add rhcs_dbus_chat_cluster()
- systemd-logind accesses /dev/shm. BZ(1230443)
- Label gluster python hooks also as bin_t.
- Allow sshd to execute gnome-keyring if there is configured pam_gnome_keyring.so.
- Allow gnome-keyring executed by passwd to access /run/user/UID/keyring to change a password.
2015-06-18 19:28:19 +02:00
Miroslav Grepl
5bcffd3a3a See Changelog for all changes. 2015-06-09 12:38:09 +02:00
Miroslav Grepl
0a3c59c4c0 commit 702978bda4b2106615a16d15ec58f80d7facd0ab
Author: Miroslav Grepl <mgrepl@redhat.com>
Date:   Wed May 6 16:41:20 2015 +0200

    Revert "Add missing typealiases in apache_content_template() for script domain/executable."

    This reverts commit e8f96805b90c6fa1acc9fb9843863b8ea3d1136b
2015-05-06 16:46:39 +02:00
Lukas Vrabec
6a726d4793 * Tue May 05 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-127
- Add missing typealiases in apache_content_template() for script domain/executable.
- Don't use deprecated userdom_manage_tmpfs_role() interface calliing and use userdom_manage_tmp_role() instead.
- Add support for new cobbler dir locations:
- Add support for iprdbg logging files in /var/log.
- Add relabel_user_home_dirs for use by docker_t
2015-05-05 15:54:12 +02:00
Lukas Vrabec
229bf3d017 * Mon Apr 30 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-126
- allow httpd_t to read nagios lib_var_lib_t to allow rddtool generate graphs which will be shown by httpd .
- Add nagios_read_lib() interface.
- Additional fix for mongod_unit_file_t in mongodb.te.
- Fix decl of mongod_unit_file to mongod_unit_file_t.
- Fix mongodb unit file declaration.
- Update virt_read_pid_files() interface to allow read also symlinks with virt_var_run_t type.
- Fix labeling for /usr/libexec/mysqld_safe-scl-helper.
- Add support for mysqld_safe-scl-helper which is needed for RHSCL daemons.
- Allow sys_ptrace cap for sblim-gatherd caused by ps.
- Add support for /usr/libexec/mongodb-scl-helper RHSCL helper script.
- Add support for mongod/mongos systemd unit files.
- Allow dnssec-trigger to send sigchld to networkmanager
- add interface networkmanager_sigchld
- Add dnssec-trigger unit file Label dnssec-trigger script in libexec
- Remove duplicate  specification for /etc/localtime.
- Add default labeling for /etc/localtime symlink.
2015-04-30 20:10:17 +02:00
Lukas Vrabec
0bfe8f4452 * Mon Apr 20 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-125
- Define ipa_var_run_t type
- Allow certmonger to manage renewal.lock. BZ(1213256)
- Add ipa_manage_pid_files interface.
- Add rules for netlink_socket in iotop.
- Allow iotop netlink socket.
- cloudinit and rhsmcertd need to communicate with dbus
- Allow apcupsd to use USBttys. BZ(1210960)
- Allow sge_execd_t to mamange tmp sge lnk files.BZ(1211574)
- Remove dac_override capability for setroubleshoot. We now have it running as setroubleshoot user.
- Allow syslogd_t to manage devlog_t lnk files. BZ(1210968)
2015-04-20 14:45:47 +02:00
Lukas Vrabec
578b67080c * Wed Apr 14 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-123
- Allow abrtd to list home config. BZ(1199658)
- Dontaudit dnssec_trigger_t to read /tmp. BZ(1210250)
- Allow abrt_dump_oops_t to IPC_LOCK. BZ(1205481)
- Allow mock_t to use ptmx. BZ(1181333)
- Allow dnssec_trigger_t to stream connect to networkmanager.
- Allow dnssec_trigger_t to create resolv files labeled as net_conf_t
- Fix labeling for keystone CGI scripts.
2015-04-14 01:13:22 +02:00
Lukas Vrabec
b9a1c72d29 * Tue Apr 07 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-122
- Label /usr/libexec/mongodb-scl-helper as mongod_initrc_exec_t. BZ(1202013)
- Add mongodb port to httpd_can_network_connect_db interface. BZ(1209180)
- Allow mongod to work with configured SSSD.
- Add collectd net_raw capability. BZ(1194169)
- Merge postfix spool types(maildrop,flush) to one postfix_spool_t
- Allow dhcpd kill capability.
- Make rwhod as nsswitch domain.
- Add support for new fence agent fence_mpath which is executed by fence_node.
- Fix cloudform policy.(m4 is case sensitive)
- Allow networkmanager and cloud_init_t to dbus chat
- Allow lsmd plugin to run with configured SSSD.
- Allow bacula access to tape devices.
- Allow sblim domain to read sysctls..
- Allow timemaster send a signal to ntpd.
- Allow mysqld_t to use pam.It is needed by MariDB if auth_apm.so auth plugin is used.
- two 'l' is enough.
- Add labeling for systemd-time*.service unit files and allow systemd-timedated to access these unit files.
- Allow polkit to dbus chat with xserver. (1207478)
- Add lvm_stream_connect() interface.
- Set label of /sys/kernel/debug
2015-04-07 16:26:56 +02:00
Lukas Vrabec
5852f33770 * Mon Mar 30 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-121
- Allow kmscon to read system state. BZ (1206871)
- Label ~/.abrt/ as abrt_etc_t. BZ(1199658)
- Allow xdm_t to read colord_var_lib_t files. BZ(1201985)
2015-03-30 20:13:54 +02:00
Lukas Vrabec
734dd8ae6f * Mon Mar 23 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-120
- Allow mysqld_t to use pam. BZ(1196104)
- Added label mysqld_etc_t for /etc/my.cnf.d/ dir. BZ(1203989)
- Allow fetchmail to read mail_spool_t. BZ(1200552)
- Dontaudit blueman_t write to all mountpoints. BZ(1198272)
- Allow all domains some process flags.
- Merge branch 'rawhide-base' of github.com:selinux-policy/selinux-policy into rawhide-base
- Turn on overlayfs labeling for testin, we need this backported to F22 and Rawhide.  Eventually will need this in RHEL
2015-03-23 16:13:45 +01:00
Lukas Vrabec
60d4b2cec9 Fixed issues related to removing docker policy files 2015-03-19 17:57:47 +01:00
Lukas Vrabec
f9d97717a8 * Wed Mar 18 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-119
- build without docker
2015-03-18 17:03:21 +01:00
Lukas Vrabec
e2a064a427 * Mon Mar 16 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-118
- docker watches for content in the /etc directory
- Merge branch 'rawhide-contrib' of github.com:selinux-policy/selinux-policy into rawhide-contrib
- Fix abrt_filetrans_named_content() to create /var/tmp/abrt with the correct abrt_var_cache_t labeling.
- Allow docker to communicate with openvswitch
- Merge branch 'rawhide-contrib' of github.com:selinux-policy/selinux-policy into rawhide-contrib
- Allow docker to relablefrom/to sockets and docker_log_t
- Allow journald to set loginuid. BZ(1190498)
- Add cap. sys_admin for passwd_t. BZ(1185191)
- Allow abrt-hook-ccpp running as kernel_t to allow create /var/tmp/abrt with correct labeling.
2015-03-16 18:04:20 +01:00
Lukas Vrabec
ed576d59f8 * Fri Mar 09 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-117
- Allow spamc read spamd_etc_t files. BZ(1199339).
- Allow collectd to write to smnpd_var_lib_t dirs. BZ(1199278)
- Allow abrt_watch_log_t read passwd file. BZ(1197396)
- Allow abrt_watch_log_t to nsswitch_domain. BZ(1199659)
- Allow cups to read colord_var_lib_t files. BZ(1199765)
2015-03-09 13:16:20 +01:00
Lukas Vrabec
f6c1168684 * Thu Mar 05 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-115
- Allow glusterd_t exec glusterd_var_lib_t files. BZ(1198406)
- Add gluster_exec_lib interface.
- Allow l2tpd to manage NetworkManager pid files
- Allow firewalld_t relabelfrom firewalld_rw_etc_t. BZ(1195327)
- Allow cyrus bind tcp berknet port. BZ(1198347)
- Add nsswitch domain for more serviecs.
- Allow abrt_dump_oops_t read /etc/passwd file. BZ(1197190)
- Remove ftpd_use_passive_mode boolean. It does not make sense due to ephemeral port handling.
- Make munin yum plugin as unconfined by default.
- Allow bitlbee connections to the system DBUS.
- Allow system apache scripts to send log messages.
- Allow denyhosts execute iptables. BZ(1197371)
- Allow brltty rw event device. BZ(1190349)
- Allow cupsd config to execute ldconfig. BZ(1196608)
- xdm_t now needs to manage user ttys
- Allow ping_t read urand. BZ(1181831)
- Add support for tcp/2005 port.
- Allow setfiles domain to access files with admin_home_t. semanage -i /root/testfile.
- In F23 we are running xserver as the user, need this to allow confined users to us X
2015-03-05 20:22:19 +01:00
Lukas Vrabec
946068cde6 * Mon Feb 23 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-113
- Xserver needs to be transitioned to from confined users
- Added logging_syslogd_pid_filetrans
- xdm_t now talks to hostnamed
- Label new strongswan binary swanctl and new unit file strongswan-swanctl.service. BZ(1193102)
- Additional fix for labeleling /dev/log correctly.
- cups chats with network manager
- Allow parent domains to read/write fifo files in mozilla plugin
- Allow spc_t to transition to svirt domains
- Cleanup spc_t
- docker needs more control over spc_t
- pcp domains are executed out of cron
2015-02-23 16:11:23 +01:00
Lukas Vrabec
83d645c1b0 * Mon Feb 16 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-112
- Allow audisp to connect to system DBUS for service.
- Label /dev/log correctly.
- Add interface init_read_var_lib_files().
- Allow abrt_dump_oops_t read /var/lib/systemd/, Allow abrt_dump_oops_t cap. chown,fsetid,fowner, BZ(1187017)
2015-02-16 20:23:47 +01:00
Lukas Vrabec
e793323380 * Tue Feb 10 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-111
- Label /usr/libexec/postgresql-ctl as postgresql_exec_t. BZ(1191004)
- Remove automatcically running filetrans_named_content form sysnet_manage_config
- Allow syslogd/journal to read netlink audit socket
- Allow brltty ioctl on usb_device_t. BZ(1190349)
- Make sure NetworkManager configures resolv.conf correctly
2015-02-10 22:46:05 +01:00
Lukas Vrabec
ae5733a49e * Thu Feb 05 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-110
- Allow cockpit_session_t to create tmp files
- apmd needs sys_resource when shutting down the machine
- Fix path label to resolv.conf under NetworkManager
2015-02-05 12:12:00 +01:00
Lukas Vrabec
203031a6db * Wed Feb 04 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-108
- Fix labels, improve sysnet_manage_config interface.
- Label /var/run/NetworkManager/resolv.conf.tmp as net_conf_t.
- Dontaudit network connections related to thumb_t. BZ(1187981)
- Remove sysnet_filetrans_named_content from fail2ban
2015-02-04 13:06:40 +01:00
Lukas Vrabec
1808b757f1 * Thu Feb 02 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-107
- Fix labels on new location of resolv.conf
- syslog is not writing to the audit socket
- seunshare is doing getattr on unix_stream_sockets leaked into it
- Allow sshd_t to manage gssd keyring
- Allow apps that create net_conf_t content to create .resolv.conf.NetworkManager
- Posgresql listens on port 9898 when running PCP (pgpool Control Port)
- Allow svirt sandbox domains to read /proc/mtrr
- Allow polipo_deamon connect to all ephemeral ports. BZ(1187723)
- Allow dovecot domains to use sys_resouce
- Allow sshd_t to manage gssd keyring
- gpg_pinentry_t needs more access in f22
2015-02-02 11:59:21 +01:00
Lukas Vrabec
a849531c0e * Thu Jan 29 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-106
- Allow docker to attach to the sandbox and user domains tun devices
- Allow pingd to read /dev/urandom. BZ(1181831)
- Allow virtd to list all mountpoints
- Allow sblim-sfcb to search images
- pkcsslotd_lock_t should be an alias for pkcs_slotd_lock_t.
- Call correct macro in virt_read_content().
- Dontaudit couchdb search in gconf_home_t. BZ(1177717)
- Allow docker_t to changes it rlimit
- Allow neutron to read rpm DB.
- Allow radius to connect/bind radsec ports
- Allow pm-suspend running as virt_qemu_ga to read
  /var/log/pm-suspend.log.
- Add devicekit_read_log_files().
- Allow  virt_qemu_ga to dbus chat with rpm.
- Allow netutils chown capability to make tcpdump working with -w.
- Label /ostree/deploy/rhel-atomic-host/deploy directory as
system_conf_t.
- journald now reads the netlink audit socket
- Add auditing support for ipsec.

* Thu Jan 29 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-105
- Bump release
2015-01-29 17:35:42 +01:00
Lukas Vrabec
72c96b37c5 * Thu Jan 15 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-104
- remove duplicate filename transition rules.
- Call proper interface in sosreport.te.
- Allow fetchmail to manage its keyring
- Allow mail munin to create udp_sockets
- Allow couchdb to sendto kernel unix domain sockets
2015-01-15 14:22:27 +01:00
Miroslav Grepl
525ad6557a Make build working 2015-01-12 14:12:54 +01:00
Lukas Vrabec
6eb7265b01 * Mon Dec 15 2014 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-101
- Allow logrotate to read hawkey.log in /var/cache/dnf/ BZ(1163438)
- Allow virt_qemu_ga_t to execute kmod.
- Add missing files_dontaudit_list_security_dirs() for smbd_t in samba_export_all_ro boolean
- Add additionnal MLS attribute for oddjob_mkhomedir to create homedirs.
- Add support for /usr/share/vdsm/daemonAdapter.
- Docker has a new config/key file it writes to /etc/docker
- Allow bacula to connect also to postgresql.
2014-12-15 07:43:28 -05:00
Lukas Vrabec
00145df27f Added typo fix 2014-12-11 10:54:52 -05:00
Lukas Vrabec
e4ea4614c7 * Thu Dec 11 2014 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-100
- Allow admin SELinux users mounting / as private within a new mount namespace as root in MLS.
- Fix miscfiles_manage_generic_cert_files() to allow manage link files
- Allow pegasus_openlmi_storage_t use nsswitch. BZ(1172258)
- Add support for /var/run/gluster.
- Allow openvpn manage systemd_passwd_var_run_t files. BZ(1170085)
2014-12-11 10:20:57 -05:00
Lukas Vrabec
1c8cf318c6 * Fri Dec 02 2014 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-99
- Add files_dontaudit_list_security_dirs() interface.
- Added seutil_dontaudit_access_check_semanage_module_store interface.
- Allow docker to create /root/.docker
- Allow rlogind to use also rlogin ports
- dontaudit list security dirs for samba domain
- Dontaudit couchdb to list /var
2014-12-02 13:05:01 +01:00
Lukas Vrabec
cf94d6be19 * Fri Nov 29 2014 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-98
- Update to have all _systemctl() interface also init_reload_services()
- Dontaudit access check on SELinux module store for sssd.
- Label /var/lib/rpmrebuilddb/ as rpm_var_lib_t. BZ (1167946)
2014-11-29 00:18:57 +01:00
Lukas Vrabec
e4d7a4020d * Fri Nov 27 2014 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-97
- Allow reading of symlinks in /etc/puppet
- Added TAGS to gitignore
- I guess there can be content under /var/lib/lockdown #1167502
- Allow rhev-agentd to read /dev/.udev/db to make deploying hosted engine via iSCSI working.
- Allow keystone to send a generic signal to own process.
- Allow radius to bind tcp/1812 radius port.
- Dontaudit list user_tmp files for system_mail_t
- label virt-who as virtd_exec_t
- Allow rhsmcertd to send a null signal to virt-who running as virtd_t
- Add virt_signull() interface
- Add missing alias for _content_rw_t
- Allow .snapshots to be created in other directories, on all mountpoints
- Allow spamd to access razor-agent.log
- Add fixes for sfcb from libvirt-cim TestOnly bug. (#1152104)
- Allow .snapshots to be created in other directories, on all mountpoints
- Label tcp port 5280 as ejabberd port. BZ(1059930)
- Make /usr/bin/vncserver running as unconfined_service_t
- Label /etc/docker/certs.d as cert_t
- Allow all systemd domains to search file systems
2014-11-28 15:28:22 +01:00
Lukas Vrabec
48f969d319 * Thu Nov 20 2014 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-96
- Allow NetworkManager stream connect on openvpn. BZ(1165110)
2014-11-20 11:38:07 +01:00
Lukas Vrabec
feb8dbd59b * Wed Nov 19 2014 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-95
- Allow networkmanager manage also openvpn sock pid files.
2014-11-19 19:46:38 +01:00
Lukas Vrabec
c88e657c3d * Wed Nov 19 2014 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-94
- Allow openvpn to create uuid connections in /var/run/NetworkManager with NM labeling.
- Allow sendmail to create dead.letter. BZ(1165443)
- Allow selinux_child running as sssd access check on /etc/selinux/targeted/modules/active.
- Allow access checks on setfiles/load_policy/semanage_lock for selinux_child running as sssd_t.
- Label sock file charon.vici as ipsec_var_run_t. BZ(1165065)
- Add additional interfaces for load_policy/setfiles/read_lock related to access checks.
2014-11-19 16:33:35 +01:00
Lukas Vrabec
24d43eb10d * Fri Nov 14 2014 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-93
- Allow bumblebee to use nsswitch. BZ(1155339)
- Allow openvpn to stream connect to networkmanager. BZ(1164182)
- Allow smbd to create HOMEDIRS is pam_oddjob_mkhomedir in MLS.
- Allow cpuplug rw virtual memory sysctl. BZ (1077831)
- Docker needs to write to sysfs, needs back port to F20,F21, RHEL7
2014-11-14 16:06:50 +01:00
Lukas Vrabec
b6161d4177 * Mon Nov 10 2014 Lukas Vrabec <lvrabec@redhat.com> 3.12.1-92
- Add kdump_rw_inherited_kdumpctl_tmp_pipes()
- Added fixes related to linuxptp. BZ (1149693)
- Label keystone cgi files as keystone_cgi_script_exec_t. BZ(1138424
- Dontaudit policykit_auth_t to access to user home dirs. BZ (1157256)
- Fix seutil_dontaudit_access_check_load_policy()
- Add dontaudit interfaces for audit_access in seutil
- Label /etc/strongimcv as ipsec_conf_file_t.
2014-11-10 18:19:50 +01:00
Lukas Vrabec
062b36f481 * Fri Nov 07 2014 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-91
- Added interface userdom_dontaudit_manage_user_home_dirs
- Fix unconfined_server_dbus_chat() interface.
- Add unconfined_server_dbus_chat() inteface.
- Allow login domains to create kernel keyring with different level.
- Dontaudit policykit_auth_t to write to user home dirs. BZ (1157256)
- Make tuned as unconfined domain.
- Added support for linuxptp policy. BZ(1149693)
- make zoneminder as dbus client by default.
- Allow bluetooth read/write uhid devices. BZ (1161169)
- Add fixes for hypervkvp daemon
- Allow guest to connect to libvirt using unix_stream_socket.
- Allow all bus client domains to dbus chat with unconfined_service_t.
- Allow inetd service without own policy to run in inetd_child_t which is unconfined domain.
- Make opensm as nsswitch domain to make it working with sssd.
- Allow brctl to read meminfo.
- Allow winbind-helper to execute ntlm_auth in the caller domain.
- Make plymouthd as nsswitch domain to make it working with sssd.
- Make drbd as nsswitch domain to make it working with sssd.
- Make conman as nsswitch domain to make ipmitool.exp runing as conman_t working.
- Add support for /var/lib/sntp directory.
2014-11-07 22:58:35 +01:00
Lukas Vrabec
ba65f59092 Fixed mistakes in build. 2014-11-03 16:31:25 +01:00
Lukas Vrabec
a38ffbf425 * Mon Nov 03 2014 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-90
- Add support for /dev/nvme controllerdevice nodes created by nvme driver.
- Add 15672 as amqp_port_t
- Allow wine domains to read user homedir content
- Add fixes to allow docker to create more content in tmpfs ,and donaudit reading /proc
- Allow winbind to read usermodehelper
- Allow telepathy domains to execute shells and bin_t
- Allow gpgdomains to create netlink_kobject_uevent_sockets
- Allow abrt to read software raid state. BZ (1157770)
- Fix rhcs_signull_haproxy() interface.
-  Add suppor for keepalived unconfined scripts and allow keepalived to read all domain state and kill capability.
- Allow snapperd to dbus chat with system cron jobs.
- Allow nslcd to read /dev/urandom.
- Allow dovecot to create user's home directory when they log into IMAP.
- Label also logrotate.status.tmp as logrotate_var_lib_t. BZ(1158835)
2014-11-03 15:03:44 +01:00
Lukas Vrabec
af3cfa7b5c * Wed Oct 29 2014 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-89
- Allow keystone_cgi_script_t to bind on commplex_main_port. BZ (#1138424)
- Allow freeipmi_bmc_watchdog rw_sem_perms to freeipmi_ipmiseld
- Allow rabbitmq to read nfs state data. BZ(1122412)
- Allow named to read /var/tmp/DNS_25 labeled as krb5_host_rcache_t.
- Add rolekit policy
- ALlow rolekit domtrans to sssd_t.
- Add kerberos_tmp_filetrans_kadmin() interface.
- rolekit should be noaudit.
- Add rolekit_manage_keys().
- Need to label rpmnew file correctly
- Allow modemmanger to connectto itself
2014-10-29 11:24:42 +01:00
Lukas Vrabec
317f5a18dc * Tue Oct 21 2014 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-88
- Allow couchdb read sysctl_fs_t files. BZ(1154327)
- Allow osad to connect to jabber client port. BZ (1154242)
- Allow mon_statd to send syslog msgs. BZ (1077821
- Allow apcupsd to get attributes of filesystems with xattrs
2014-10-21 15:45:35 +02:00
Miroslav Grepl
650be6afbf - Allow systemd-networkd to be running as dhcp client.
- Label /usr/bin/cockpit-bridge as shell_exec_t.
- Add label for /var/run/systemd/resolve/resolv.conf.
- ALlow listen and accept on tcp socket for init_t in MLS. Previously it was for xinetd_t.
- Allow systemd-networkd to be running as dhcp client.
- Label /usr/bin/cockpit-bridge as shell_exec_t.
- Add label for /var/run/systemd/resolve/resolv.conf.
- ALlow listen and accept on tcp socket for init_t in MLS. Previously it was for xinetd_t.
2014-10-17 10:12:44 +02:00
Lukas Vrabec
8db354a9b7 * Tue Oct 14 2014 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-86
- Dontaudit aicuu to search home config dir. BZ (#1104076)
- couchdb is using erlang so it needs execmem privs
- ALlow sanlock to send a signal to virtd_t.
- Allow mondogdb to  'accept' accesses on the tcp_socket port.
- Make sosreport as unconfined domain.
- Allow nova-console to connect to mem_cache port.
- Allow mandb to getattr on file systems
- Allow read antivirus domain all kernel sysctls.
- Allow lmsd_plugin to read passwd file. BZ(1093733)
- Label /usr/share/corosync/corosync as cluster_exec_t.
- ALlow sensord to getattr on sysfs.
- automount policy is non-base module so it needs to be called in optional block.
- Add auth_use_nsswitch for portreserve to make it working with sssd.
- Fix samba_export_all_ro/samba_export_all_rw booleans to dontaudit search/read security files.
- Allow openvpn to execute  systemd-passwd-agent in  systemd_passwd_agent_t to make openvpn working with systemd.
- Allow openvpn to access /sys/fs/cgroup dir.
- Allow nova-scheduler to read certs
- Add support for /var/lib/swiftdirectory.
- Allow neutron connections to system dbus.
- Allow mongodb to manage own log files.
- Allow opensm_t to read/write /dev/infiniband/umad1.
- Added policy for mon_statd and mon_procd services. BZ (1077821)
- kernel_read_system_state needs to be called with type. Moved it to antivirus.if.
- Allow dnssec_trigger_t to execute unbound-control in own domain.
- Allow all RHCS services to read system state.
- Added monitor device
- Add interfaces for /dev/infiniband
- Add infiniband_device_t for /dev/infiniband instead of fixed_disk_device_t type.
- Add files_dontaudit_search_security_files()
- Add selinuxuser_udp_server boolean
- ALlow syslogd_t to create /var/log/cron  with correct labeling
- Add support for /etc/.updated and /var/.updated
- Allow iptables read fail2ban logs. BZ (1147709)
- ALlow ldconfig to read proc//net/sockstat.
2014-10-14 11:51:56 +02:00
Lukas Vrabec
cf89798586 * Mon Oct 06 2014 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-85
- Allow nova domains to getattr on all filesystems.
- ALlow zebra for user/group look-ups.
- Allow lsmd to search own plguins.
- Allow sssd to read selinux config to add SELinux user mapping.
- Allow swift to connect to all ephemeral ports by default.
- Allow NetworkManager to create Bluetooth SDP sockets
- Allow keepalived manage snmp var lib sock files. BZ(1102228)
- Added policy for blrtty. BZ(1083162)
- Allow rhsmcertd manage rpm db. BZ(#1134173)
- Allow rhsmcertd send signull to setroubleshoot. BZ (#1134173)
- Label /usr/libexec/rhsmd as rhsmcertd_exec_t
- Fix broken interfaces
- Added sendmail_domtrans_unconfined interface
- Added support for cpuplug. BZ (#1077831)
- Fix bug in drbd policy, BZ (#1134883)
- Make keystone_cgi_script_t domain. BZ (#1138424)
- fix dev_getattr_generic_usb_dev interface
- Label 4101 tcp port as brlp port
- Allow libreswan to connect to VPN via NM-libreswan.
- Add userdom_manage_user_tmpfs_files interface
2014-10-06 16:53:41 +02:00
Lukas Vrabec
245c83ebf9 * Tue Sep 30 2014 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-84
- Allow all domains to read fonts
- Allow rabbitmq_t read rabbitmq_var_lib_t lnk files. BZ (#1147028)
- Allow pki-tomcat to change SELinux object identity.
- Allow radious to connect to apache ports to do OCSP check
- Allow git cgi scripts to create content in /tmp
- Allow cockpit-session to do GSSAPI logins.
2014-09-30 09:38:06 +02:00
Lukas Vrabec
3430335564 * Mon Sep 22 2014 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-83
- Make sure /run/systemd/generator and system is labeled correctly on creation.
- Additional access required by usbmuxd
- Allow sensord read in /proc BZ(#1143799)
2014-09-22 15:16:17 +02:00
Miroslav Grepl
0399c8ba54 - Allow du running in logwatch_t read hwdata.
- Allow sys_admin capability for antivirus domians.
- Use nagios_var_lib_t instead of nagios_lib_t in nagios.fc.
- Add support for pnp4nagios.
- Add missing labeling for /var/lib/cockpit.
- Label resolv.conf as docker_share_t under docker so we can read within a container
- Remove labeling for rabbitmqctl
- setfscreate in pki.te is not capability class.
- Allow virt domains to use virtd tap FDs until we get proper handling in libvirtd.
- Allow wine domains to create cache dirs.
- Allow newaliases to systemd inhibit pipes.
- Add fixes for pki-tomcat scriptlet handling.
- Allow user domains to manage all gnome home content
- Allow locate to look at files/directories without labels, and chr_file and blk_file on non dev file systems
- Allow usbmuxd chown capabilitiesllow locate to look at files/directories without labels, and chr_file and blk_file on non dev file systems
2014-09-18 15:22:06 +02:00
Lukas Vrabec
6021c02dec * Thu Sep 11 2014 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-81
- Label /usr/lib/erlang/erts.*/bin files as bin_t
- Added changes related to rabbitmq daemon.
- Fix labeling in couchdb policy
- Allow rabbitmq bind on epmd port
- Clean up rabbitmq policy
- fix domtrans_rabbitmq interface
- Added rabbitmq_beam_t and rabbitmq_epmd_t alias
- Allow couchdb to getattr
- Allow couchdb write to couchdb_conf files
- Allow couchdb to create dgram_sockets
- Added support for ejabberd
2014-09-11 17:53:40 +02:00
Lukas Vrabec
2ac2d93920 Fixed typo mistakes. 2014-09-10 16:09:24 +02:00
Lukas Vrabec
ae5a648040 * Wed Sep 10 2014 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-80
- Back port workaround for #1134389 from F20. It needs to be removed from rawhide once we ship F21.
- Since docker will now label volumes we can tighten the security of docker
2014-09-10 15:47:04 +02:00
Lukas Vrabec
6c07cc84bd * Wed Sep 10 2014 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-79
- Re-arange openshift_net_read_t rules.
- Kernel is reporting random block_suspends, we should dontaudit these until the kernel is fixed in Rawhide
- Allow jockey_t to use tmpfs files
- Allow pppd to create sock_files in /var/run
- Allow geoclue to stream connect to smart card service
- Allow docker to read all of /proc
- ALlow passeneger to read/write apache stream socket.
- Dontaudit read init state for svirt_t.
- Label /usr/sbin/unbound-control as named_exec_t (#1130510)
- Add support for /var/lbi/cockpit directory.
- Add support for ~/. speech-dispatcher.
- Allow nmbd to read /proc/sys/kernel/core_pattern.
- aLlow wine domains to create wine_home symlinks.
- Allow policykit_auth_t access check and read usr config files.
- Dontaudit access check on home_root_t for policykit-auth.
- hv_vss_daemon wants to list /boot
- update gpg_agent_env_file booelan to allow manage user tmp files for gpg-agent
- Fix label for /usr/bin/courier/bin/sendmail
- Allow munin services plugins to execute fail2ban-client in fail2ban_client_t domain.
- Allow unconfined_r to access unconfined_service_t.
- Add label for ~/.local/share/fonts
- Add init_dontaudit_read_state() interface.
- Add systemd_networkd_var_run_t labeling for /var/run/systemd/netif and allow systemd-networkd to manage it.
- Allow udev_t mounton udev_var_run_t dirs #(1128618)
- Add files_dontaudit_access_check_home_dir() inteface.
2014-09-10 10:55:03 +02:00
Lukas Vrabec
9532ecd407 * Tue Sep 02 2014 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-78
- Allow unconfined_service_t to dbus chat with all dbus domains
- Assign rabbitmq port.  BZ#1135523
- Add new interface to allow creation of file with lib_t type
- Allow init to read all config files
- We want to remove openshift_t domains ability to look at /proc/net
- I guess lockdown is a file not a directory
- Label /var/bacula/ as bacula_store_t
- Allow rhsmcertd to seng signull to sosreport.
- Allow sending of snmp trap messages by radiusd.
- remove redundant rule fron nova.te.
- Add auth_use_nsswitch() for ctdbd.
- call nova_vncproxy_t instead of vncproxy.
- Allow nova-vncproxy to use varnishd port.
- Fix rhnsd_manage_config() to allow manage also symlinks.
- Allow bacula to create dirs/files in /tmp
- Allow nova-api to use nsswitch.
- Clean up nut policy. Allow nut domains to create temp files. Add nut_domain_template() template interface.
- Allow usbmuxd connect to itself by stream socket. (#1135945)
- I see no reason why unconfined_t should transition to crontab_t, this looks like old cruft
- Allow nswrapper_32_64.nppdf.so to be created with the proper label
- Assign rabbitmq port.  BZ#1135523
- Dontaudit leaks of file descriptors from domains that transition to  thumb_t
- Fixes for usbmuxd, addition of /var/lib/lockdown, and allow it to use urand, dontaudit sys_resource
- Allow unconfined_service_t to dbus chat with all dbus domains
- Allow avahi_t communicate with pcp_pmproxy_t over dbus.(better way)
2014-09-02 20:27:29 +02:00
Lukas Vrabec
c463599b36 * Thu Aug 28 2014 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-77
- Allow aide to read random number generator
- Allow pppd to connect to http port. (#1128947)
- sssd needs to be able write krb5.conf.
- Labeli initial-setup as install_exec_t.
- Allow domains to are allowed to mounton proc to mount on files as well as dirs
2014-08-28 15:33:54 +02:00
Lukas Vrabec
45b429ef46 * Tue Aug 26 2014 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-76
- Label ~/tmp and ~/.tmp directories in user tmp dirs as user_tmp_t
- Add a port definition for shellinaboxd
- Fix labeling for HOME_DIR/tmp and HOME_DIR/.tmp directories
- Allow thumb_t to read/write video devices
- fail2ban 0.9 reads the journal by default.
- Allow sandbox net domains to bind to rawip socket
2014-08-26 17:39:34 +02:00
Lukas Vrabec
f9cc8e052f * Fri Aug 22 2014 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-75
- Allow haproxy to read /dev/random and /dev/urandom.
- Allow mdadm to seng signull kernel_t which is proces type of mdadm on early boot.
- geoclue needs to connect to http and http_cache ports
- Allow passenger to use unix_stream_sockets leaked into it, from httpd
- Add SELinux policy for highly-available key value store for shared configuration.
- drbd executes modinfo.
- Add glance_api_can_network boolean since glance-api uses huge range port.
- Fix glance_api_can_network() definition.
- Allow smoltclient to connect on http_cache port. (#982199)
- Allow userdomains to stream connect to pcscd for smart cards
- Allow programs to use pam to search through user_tmp_t dires (/tmp/.X11-unix)
- Added MLS fixes to support labeled socket activation which is going to be done by systemd
- Add kernel_signull() interface.
- sulogin_t executes plymouth commands
- lvm needs to be able to accept connections on stream generic sockets
2014-08-22 16:05:38 +02:00
Lukas Vrabec
9229b61067 * Mon Aug 18 2014 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-73
- Allow ssytemd_logind_t to list tmpfs directories
- Allow lvm_t to create undefined sockets
- Allow passwd_t to read/write stream sockets
- Allow docker lots more access.
- Fix label for ports
- Add support for arptables-{restore,save} and also labeling for /usr/lib/systemd/system/arptables.service.
- Label tcp port 4194 as kubernetes port.
- Additional access required for passenger_t
- sandbox domains should be allowed to use libraries which require execmod
- Allow qpid to read passwd files BZ (#1130086)
- Remove cockpit port, it is now going to use websm port
- Add getattr to the list of access to dontaudit on unix_stream_sockets
- Allow sendmail to append dead.letter located in var/spool/nagios/dead.letter.
2014-08-18 17:43:18 +02:00
Lukas Vrabec
3399c51143 * Tue Aug 12 2014 Lukas Vrabec <lvrabec@redhat.com> 3.12.1-72
- docker needs to be able to look at everything in /dev
- Allow all processes to send themselves signals
- Allow sysadm_t to create netlink_tcpdiag socket
- sysadm_t should be allowed to communicate with networkmanager
- These are required for bluejeans to work on a unconfined.pp disabled
machine
- docker needs setfcap
- Allow svirt domains to manage chr files and blk files for mknod
commands
- Allow fail2ban to read audit logs
- Allow cachefilesd_t to send itself signals
- Allow smokeping cgi script to send syslog messages
- Allow svirt sandbox domains to relabel content
- Since apache content can be placed anywhere, we should just allow
apache to search through any directory
- These are required for bluejeans to work on a unconfined.pp disabled
machine
2014-08-12 13:41:36 +02:00
Miroslav Grepl
0bd1c473cc * Mon Aug 4 2014 Miroslav Grepl <mgrepl@redhat.com> 3.13.1-71
- shell_exec_t should not be in cockip.fc
2014-08-04 15:44:24 +02:00
Miroslav Grepl
c950f2dee8 - Add additional fixes for abrt-dump-journal-oops which is now labeled as abrt_dump_oops_exec_t.
- Allow denyhosts to enable synchronization which needs to connect to tcp/9911 port.
- Allow nacl_helper_boo running in :chrome_sandbox_t to send SIGCHLD to chrome_sandbox_nacl_t.
- Dontaudit write access on generic cert files. We don't audit also access check.
- Add support for arptables.
- Add labels and filenametrans rules for ostree repo directories which needs to be writable by subscription-manager.
2014-08-04 09:21:15 +02:00
Miroslav Grepl
540429c2f1 - Add new mozilla_plugin_bind_unreserved_ports boolean to allow mozilla plugin to use tcp/udp unreserved ports. There is a lot of plugins which binds ports without SELinux port type. We want to allow user
- Allow smokeping cgi scripts to accept connection on httpd stream socket.
- docker does a getattr on all file systems
- Label all abort-dump programs
- Allow alsa to create lock file to see if it fixes.
- Add support for zabbix external scripts for which zabbix_script_t domain has been created. This domain is unconfined by default and user needs to run "semodule -d unconfined" to make system running with
- Add interface for journalctl_exec
- Add labels also for glusterd sockets.
- Change virt.te to match default docker capabilies
- Add additional booleans for turning on mknod or all caps.
- Also add interface to allow users to write policy that matches docker defaults
- for capabilies.
- Label dhcpd6 unit file.
- Add support also for dhcp IPv6 services.
- Added support for dhcrelay service
- Additional access for bluejeans
- docker needs more access, need back port to RHEL7
- Allow mdadm to connect to own socket created by mdadm running as kernel_t.
- Fix pkcs, Remove pkcs_lock_filetrans and Add files_search_locks
- Allow bacula manage bacula_log_t dirs
- Allow pkcs_slotd_t read /etc/passwd, Label /var/lock/opencryptoki as pkcs_slotd_lock_t
- Fix mistakes keystone and quantum
- Label neutron var run dir
- Label keystone var run dir
- Fix bad labeling for /usr/s?bin/(oo|rhc)-restorer-wrapper.sh in openshift.fc.
- Dontaudit attempts to access check cert dirs/files for sssd.
- Allow sensord to send a signal.
- Allow certmonger to stream connect to dirsrv to make  ipa-server-install working.
- Label zabbix_var_lib_t directories
- Label conmans pid file as conman_var_run_t
- Label also /var/run/glusterd.socket file as gluster_var_run_t
- Fix policy for pkcsslotd from opencryptoki
- Update cockpik policy from cockpit usptream.
- Allow certmonger to exec ldconfig to make  ipa-server-install  working.
- Added support for Naemon policy
- Allow keepalived manage snmp files
- Add setpgid process to mip6d
- remove duplicate rule
- Allow postfix_smtpd to stream connect to antivirus
- Dontaudit list /tmp for icecast
- Allow zabbix domains to access /proc//net/dev.

Conflicts:
	selinux-policy.spec
2014-07-31 20:54:49 +02:00
Lukas Vrabec
0a90ee743a * Thu Jul 24 2014 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-67
- Allow zabbix domains to access /proc//net/dev.
- Dontaudit list /tmp for icecast (#894387)
- Allow postfix_smtpd to stream connect to antivirus (#1105889)
- Add setpgid process to mip6d
- Allow keepalived manage snmp files(#1053450)
- Added support for Naemon policy (#1120789).
- Allow certmonger to exec ldconfig to make  ipa-server-install
working. (#1122110)
- Update cockpik policy from cockpit usptream.
2014-07-24 16:12:42 +02:00
Lukas Vrabec
610d0fc14f Add actual patch with naemon policy 2014-07-23 11:20:23 +02:00
Miroslav Grepl
6683373910 - Revert labeling back to /var/run/systemd/initctl/fifo
- geoclue dbus chats with modemmanger
- Bluejeans wants to connect to port 5000
- geoclue dbus chats with modemmange
2014-07-21 09:07:57 +02:00
Lukas Vrabec
ee1386c00c * Fri Jul 18 2014 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-65
- Allow sysadm to dbus chat with systemd
- Add logging_dontaudit_search_audit_logs()
- Add new files_read_all_mountpoint_symlinks()
- Fix labeling path from /var/run/systemd/initctl/fifo to /var/run/initctl/fifo.
- Allow ndc to read random and urandom device (#1110397)
- Allow zabbix to read system network state
- Allow fprintd to execute usr_t/bin_t
- Allow mailserver_domain domains to append dead.letter labeled as mail_home_t
- Add glance_use_execmem boolean to have glance configured to use Ceph/rbd
- Dontaudit search audit logs for fail2ban
- Allow mailserver_domain domains to create mail home content with right labeling
- Dontaudit svirt_sandbox_domain doing access checks on /proc
- Fix  files_pid_filetrans() calling in nut.te to reflect allow rules.
- Use nut_domain attribute for files_pid_filetrans() for nut domains.
- Allow sandbox domains read all mountpoint symlinks to make symlinked homedirs
- Fix nut domains only have type transition on dirs in /run/nut directory.
- Allow net_admin/net_raw capabilities for haproxy_t. haproxy uses setsockopt()
- Clean up osad policy. Remove additional interfaces/rules
2014-07-18 11:47:02 +02:00
Lukas Vrabec
3e33a0a354 * Mon Jul 14 2014 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-64
- Allow systemd domains to check lvm status
- Allow getty to execute plymouth.#1112870
- Allow sshd to send signal to chkpwd_t
- initrctl fifo file has been renamed
- Set proper labeling on /var/run/sddm
- Fix labeling for cloud-init logs
- Allow kexec to read kallsyms
- Add rhcs_stream_connect_haproxy interface, Allow neutron stream
connect to rhcs
- Add fsetid caps for mandb. #1116165
- Allow all nut domains to read  /dev/(u)?random.
- Allow deltacloudd_t to read network state BZ #1116940
- Add support for KVM virtual machines to use NUMA pre-placement
- Allow utilize winbind for authentication to AD
- Allow chrome sandbox to use udp_sockets leaked in by its parent
- Allow gfs_controld_t to getattr on all file systems
- Allow logrotate to manage virt_cache
- varnishd needs to have fsetid capability
- Allow dovecot domains to send signal perms to themselves
- Allow apache to manage pid sock files
- Allow nut_upsmon_t to create sock_file in /run dir
- Add capability sys_ptrace to stapserver
- Mysql can execute scripts when run in a cluster to see if someone is
listening on a socket, basically runs lsof
- Added support for vdsm
2014-07-14 22:33:38 +02:00
Miroslav Grepl
682896c0a1 - If I can create a socket I need to be able to set the attributes
- Add tcp/8775 port as neutron port
- Add additional ports for swift ports
- Added changes to fedora from bug bz#1082183
- Add support for tcp/6200 port
- Allow collectd getattr access to configfs_t dir Fixes Bug 1115040
- Update neutron_manage_lib_files() interface
- Allow glustered to connect to ephemeral ports
- Allow apache to search ipa lib files by default
- Allow neutron to domtrans to haproxy
- Add rhcs_domtrans_haproxy()
- Add support for openstack-glance-* unit files
- Add initial support for /usr/bin/glance-scrubber
- Allow swift to connect to keystone and memcache ports.
- Fix labeling for /usr/lib/systemd/system/openstack-cinder-backup
- Add policies for openstack-cinder
- Add support for /usr/bin/nova-conductor
- Add neutron_can_network boolean
- Allow neutron to connet to neutron port
- Allow glance domain to use syslog
- Add support for /usr/bin/swift-object-expirer and label it as swift_exec_t
2014-07-04 18:51:18 +02:00
Miroslav Grepl
24862fd309 - Allow swift to use tcp/6200 swift port
- ALlow swift to search apache configs
- Remove duplicate .fc entry for Grilo plugin bookmarks
- Remove duplicate .fc entry for telepathy-gabble
- Additional allow rules for docker sandbox processes
- Allow keepalived connect to agentx port
- Allow neutron-ns-metadata to connectto own unix stream socket
- Add support for tcp/6200 port
- Remove ability for confined users to run xinit
- New tool for managing wireless /usr/sbin/iw
2014-06-25 10:50:56 +02:00
Miroslav Grepl
211fb9932a * Fri Jun 20 2014 Miroslav Grepl<mgrepl@redhat.com> 3.13.1-61
- Add back MLS policy
2014-06-20 16:27:18 +02:00
Miroslav Grepl
c629d27ef4 Merge user_tmp patches to base patches 2014-06-17 09:30:08 +02:00
Miroslav Grepl
1c0c710fe4 * Tue Jun 17 2014 Miroslav Grepl<mgrepl@redhat.com> 3.13.+- Allow system_bus_types to use stream_sockets inherited
- Allow system_bus_types to use stream_sockets inherited
- Allow journalctl to call getpw
- New access needed by dbus to talk to kernel stream
- Label sm-notifypid files correctly
- contrib: Add KMSCon policy module
2014-06-17 07:24:58 +02:00
Miroslav Grepl
a629498afd - Add mozilla_plugin_use_bluejeans boolean
- Add additional interfaces needed by mozilla_plugin_use_bluejeans boolean
2014-06-11 20:13:51 +02:00
Miroslav Grepl
686a38099f - Allow staff_t to communicate and run docker
- Fix *_ecryptfs_home_dirs booleans
- Allow ldconfig_t to read/write inherited user tmp pipes
- Allow storaged to dbus chat with lvm_t
- Add support for storaged  and storaged-lvm-helper. Labeled it as lvm_exec_t.
- Use proper calling in ssh.te for userdom_home_manager attribute
- Use userdom_home_manager_type() also for ssh_keygen_t
- Allow locate to list directories without labels
- Allow bitlbee to use tcp/7778 port
- /etc/cron.daily/logrotate to execute fail2ban-client.
- Allow keepalives to connect to SNMP port. Support to do  SNMP stuff
- Allow staff_t to communicate and run docker
- Dontaudit search mgrepl/.local for cobblerd_t
- Allow neutron to execute kmod in insmod_t
- Allow neutron to execute udevadm in udev_t
- Allow also fowner cap for varnishd
- Allow keepalived to execute bin_t/shell_exec_t
- rhsmcertd seems to need these accesses.  We need this backported to RHEL7 and perhaps RHEL6 policy
- Add cups_execmem boolean
- Allow gear to manage gear service
- New requires for gear to use systemctl and init var_run_t
- Allow cups to execute its rw_etc_t files, for brothers printers
- Add fixes to make munin and munin-cgi working. Allow munin-cgit to create files/dirs in /tmp, list munin co
- Allow swift to execute bin_t
- Allow swift to bind http_cache
2014-06-09 09:05:58 +02:00
Miroslav Grepl
0ddb744a37 - Add decl for cockip port
- Allow sysadm_t to read all kernel proc
- Allow logrotate to execute all executables
- Allow lircd_t to use tty_device_t for use withmythtv
- Make sure all zabbix files direcories in /var/log have the correct label
- Allow bittlebee to create directories and files in /var/log with the correct label
- Label /var/log/horizon as an apache log
- Add squid directory in /var/run
- Add transition rules to allow rabbitmq to create log files and var_lib files with the correct label
- Wronly labeled avahi_var_lib_t as a pid file
- Fix labels on rabbitmq_var_run_t on file/dir creation
- Allow neutron to create sock files
- Allow postfix domains to getattr on all file systems
- Label swift-proxy-server as swift_exec_t
- Tighten SELinux capabilities to match docker capabilities
- Add fixes for squid which is configured to run with more than one worker.
- Allow cockpit to bind to its port
2014-05-27 10:30:27 +02:00
Miroslav Grepl
cccaf8f646 - geard seems to do a lot of relabeling
- Allow system_mail_t to append to munin_var_lib_t
- Allow mozilla_plugin to read alsa_rw_ content
- Allow asterisk to connect to the apache ports
- Dontaudit attempts to read fixed disk
- Dontaudit search gconf_home_t
- Allow rsync to create  swift_server.lock with swift.log labeling
- Add labeling for swift lock files
- Use swift_virt_lock in swift.te
- Allow openwsman to getattr on sblim_sfcbd executable
- Fix sblim_stream_connect_sfcb() to contain also sblim_tmp_t
- Allow openwsman_t to read/write sblim-sfcb shared mem
- Allow openwsman to stream connec to sblim-sfcbd
- Allow openwsman to create tmpfs files/dirs
- dontaudit acces to rpm db if rpm_exec for swift_t and sblim_sfcb
- Allow sblim_sfcbd to execute shell
- Allow swift to create lock file
- Allow openwsman to use tcp/80
- Allow neutron to create also dirs in /tmp
- Allow seunshare domains to getattr on all executables
- Allow ssh-keygen to create temporary files/dirs needed by OpenSt
- Allow named_filetrans_domain to create /run/netns
- Allow ifconfig to create /run/netns
2014-05-20 07:59:07 +02:00
Miroslav Grepl
dfbb9aca62 * Tue May 13 2014 Miroslav Grepl<mgrepl@redhat.com> 3.13.1-
- Add missing dyntransition for sandbox_x_domain
2014-05-13 14:42:28 +02:00
Miroslav Grepl
dbf4ab85b0 - Added iotop policy. Thanks William Brown
- Allow spamc to read .pyzor located in /var/spool/spampd
- Allow spamc to create home content with correct labeling
- Allow logwatch_mail_t to create dead.letter with correct labelign
- Add labeling for min-cloud-agent
- Allow geoclue to read unix in proc.
- Add support for /usr/local/Brother labeling. We removed /usr/local equiv.
- add support for min-cloud-agent
- Allow ulogd to request the kernel to load a module
- remove unconfined_domain for openwsman_t
- Add openwsman_tmp_t rules
- Allow openwsman to execute chkpwd and make this domain as unconfined for F20.
- Allow nova-scheduler to read passwd file
- Allow neutron execute arping in neutron_t
- Dontaudit logrotate executing systemctl command attempting to net_admin
- Allow mozilla plugins to use /dev/sr0
- svirt sandbox domains to read gear content in /run. Allow gear_t to manage openshift file
- Any app that executes systemctl will attempt a net_admin
- Fix path to mmap_min_addr
2014-05-13 08:13:43 +02:00
Miroslav Grepl
6fbf46087c - More rules for gears and openshift 2014-05-07 21:48:58 +02:00
Miroslav Grepl
4c682c4ccf * Wed May 7 2014 Miroslav Grepl<mgrepl@redhat.com> 3.13.1-51
- Add gear fixes from dwalsh
2014-05-07 15:30:41 +02:00
Miroslav Grepl
9d0057f462 - selinux_unconfined_type should not be able to set booleans if the securemode is set
- Update sandbox_transition() to call sandbox_dyntrasition(). #885288.
2014-05-06 18:39:47 +02:00
Miroslav Grepl
4e5d63b465 - Fix labeling for /root/\.yubico
- userdom_search_admin_dir() calling needs to be optional in kernel.te
- Dontaudit leaked xserver_misc_device_t into plugins
- Allow all domains to search through all base_file_types, this should be back ported to RHEL7 policy
- Need to allow sssd_t to manage kernel keyrings in login programs since they don't get labeled with user domains
- Bootloader wants to look at init state
- Add MCS/MLS Constraints to kernel keyring, also add MCS Constraints to ipc, sem.msgq, shm
- init reads kdbump etc files
- Add support for tcp/9697
- Fix labeling for /var/run/user/<UID>/gvfs
- Add support for us_cli ports
- fix sysnet_use_ldap
- Allow mysql to execute ifconfig if Red Hat OpenStack
- ALlow stap-server to get attr on all fs
- Fix mail_pool_t to mail_spool_t
- Dontaudit leaked xserver_misc_device_t into plugins
- Need to allow sssd_t to manage kernel keyrings in login programs since they don't get labeled with user domains
- Add new labeling for /var/spool/smtpd
- Allow httpd_t to kill passenger
- Allow apache cgi scripts to use inherited httpd_t unix_stream_sockets
- Allow nova-scheduler to read passwd/utmp files
- Additional rules required by openstack,  needs backport to F20 and RHEL7
- Additional access required by docker
- ALlow motion to use tcp/8082 port
2014-05-05 19:15:58 +02:00
Miroslav Grepl
3f5abd2216 - Fix virt_use_samba boolean
- Looks like all domains that use dbus libraries are now reading /dev/uran
- Add glance_use_fusefs() boolean
- Allow tgtd to read /proc/net/psched
- Additional access required for gear management of openshift directories
- Allow sys_ptrace for mock-build
- Fix mock_read_lib_files() interface
- Allow mock-build to write all inherited ttys and ptys
- Allow spamd to create razor home dirs with correct labeling
- Clean up sysnet_use_ldap()
- systemd calling needs to be optional
- Allow init_t to setattr/relabelfrom dhcp state files
2014-04-25 09:09:15 +02:00
Miroslav Grepl
345f520dd6 remove mongod labeling from cloudform.fc 2014-04-23 11:55:39 +02:00
Miroslav Grepl
bf38d6fee2 - mongod should not be a part of cloudforms.pp
- Fix labeling in snapper.fc
- Allow docker to read unconfined_t process state
- geoclue dbus chats with NetworkManager
- Add cockpit policy
- Add interface to allow tools to check the processes state of bind/named
- Allow myslqd to use the tram port for Galera/MariaDB
2014-04-23 11:47:29 +02:00
Miroslav Grepl
7ca2b30721 - Allow init_t to setattr/relabelfrom dhcp state files
- Allow dmesg to read hwdata and memory dev
- Allow strongswan to create ipsec.secrets with correct labeling in /etc/strongswan
- Dontaudit antivirus domains read access on all security files by default
- Add missing alias for old amavis_etc_t type
- Additional fixes for  instack overcloud
- Allow block_suspend cap for haproxy
- Allow OpenStack to read mysqld_db links and connect to MySQL
- Remove dup filename rules in gnome.te
- Allow sys_chroot cap for httpd_t and setattr on httpd_log_t
- Add labeling for /lib/systemd/system/thttpd.service
- Allow iscsid to handle own unit files
- Add iscsi_systemctl()
- Allow mongod also create sock_file with correct labeling in /run
- Allow aiccu stream connect to pcscd
- Allow rabbitmq_beam to connect to httpd port
- Allow httpd to send signull to apache script domains and don't audit leaks
- Fix labeling in drbd.fc
- Allow sssd to connect to the smbd port for handing logins using active directory, needs back
- Allow all freeipmi domains to read/write ipmi devices
- Allow rabbitmq_epmd to manage rabbit_var_log_t files
- Allow sblim_sfcbd to use also pegasus-https port
- Allow chronyd to read /sys/class/hwmon/hwmon1/device/temp2_input
- Add httpd_run_preupgrade boolean
- Add interfaces to access preupgrade_data_t
- Add preupgrade policy
- Add labeling for puppet helper scripts
2014-04-18 14:31:10 +02:00
Miroslav Grepl
e0b675d7b3 Add labeling for puppet helper scripts 2014-04-08 13:56:03 +02:00
Miroslav Grepl
1aabaf6c8d * Tue Apr 8 2014 Miroslav Grepl<mgrepl@redhat.com> 3.13.1-45
Rename puppet_t to puppetagent_
2014-04-08 11:35:12 +02:00
Miroslav Grepl
3f1341d528 - Change hsperfdata_root to have as user_tmp_t
- Allow rsyslog low-level network access
- Fix use_nfs_home_dirs/use_samba_home_dirs for xdm_t to allow append .xsession-errors by li
- Allow conman to resolve DNS and use user ptys
- update pegasus_openlmi_admin_t policy
- nslcd wants chown capability
- Dontaudit exec insmod in boinc policy
2014-04-08 07:25:43 +02:00
Miroslav Grepl
c14474eca6 - Add labels for /var/named/chroot_sdb/dev devices
- Add support for strongimcv
- Add additional fixes for yubikeys based on william@firstyear.id.au
- Allow init_t run /sbin/augenrules
- Remove dup decl for dev_unmount_sysfs_fs
- Allow unpriv SELinux user to use sandbox
- Fix ntp_filetrans_named_content for sntp-kod file
- Add httpd_dbus_sssd boolean
- Dontaudit exec insmod in boinc policy
- Add dbus_filetrans_named_content_system()
- We want to label only /usr/bin/start-puppet-master to avoid puppet agent running in puppet_t
- varnishd wants chown capability
- update ntp_filetrans_named_content() interface
- Add additional fixes for neutron_t. #1083335
- Dontaudit sandbox_t getattr on proc_kcore_t
- Allow pki_tomcat_t to read ipa lib files
2014-04-04 10:51:29 +02:00
Miroslav Grepl
33665e5aa5 * Tue Apr 1 2014 Miroslav Grepl<mgrepl@redhat.com> 3.13.1-42
- Merge user_tmp_t and user_tmpfs_t together to have only user_tmp_t
2014-04-01 12:33:30 +02:00
Miroslav Grepl
f8f75f94a2 - Turn on gear_port_t
- Add gear policy and remove permissive domains.
- Add labels for ostree
- Add SELinux awareness for NM
- Label /usr/sbin/pwhistory_helper as updpwd_exec_t
2014-03-27 20:39:58 +01:00
Miroslav Grepl
83715e6621 Fix ipa.if 2014-03-26 11:14:21 +01:00
Miroslav Grepl
1f53e62396 - update storage_filetrans_all_named_dev for sg* devices
- Allow auditctl_t  to getattr on all removeable devices
- Allow nsswitch_domains to stream connect to nmbd
- Allow rasdaemon to rw /dev/cpu//msr
- fix /var/log/pki file spec
- make bacula_t as auth_nsswitch domain
- Allow certmonger to manage ipa lib files
- Add support for /var/lib/ipa
2014-03-26 10:51:19 +01:00
Miroslav Grepl
8ad9144b00 - Manage_service_perms should include enable and disable, need backport to RHEL7
- Allow also unpriv user to run vmtools
- Allow secadm to read /dev/urandom and meminfo
- Add userdom_tmp_role for secadm_t
- Allow postgresql to read network state
- Add a new file context for /var/named/chroot/run directory
- Add booleans to allow docker processes to use nfs and samba
- Dontaudit net_amdin for /usr/lib/jvm/java-1.7.0-openjdk-1.7.0.51-2.4.5.1.el7.x86_64/jre-abrt/b
- Allow puppet stream connect to mysql
- Fixed some rules related to puppet policy
- Allow vmware-user-sui to use user ttys
- Allow talk 2 users logged via console too
- Additional avcs for docker when running tests
- allow anaconda to dbus chat with systemd-localed
- clean up rhcs.te
- remove dup rules from haproxy.te
- Add fixes for haproxy based on bperkins@redhat.com
- Allow cmirrord to make dmsetup working
- Allow NM to execute arping
- Allow users to send messages through talk
- update rtas_errd policy
- Add support for /var/spool/rhsm/debug
- Make virt_sandbox_use_audit as True by default
- Allow svirt_sandbox_domains to ptrace themselves
- Allow snmpd to getattr on removeable and fixed disks
- Allow docker containers to manage /var/lib/docker content
2014-03-25 09:50:55 +01:00
Miroslav Grepl
8e18cc2081 - Label sddm as xdm_exec_t to make KDE working again
- Allow postgresql to read network state
- Allow java running as pki_tomcat to read network sysctls
- Fix cgroup.te to allow cgred to read cgconfig_etc_t
- Allow beam.smp to use ephemeral ports
- Allow winbind to use the nis to authenticate passwords
2014-03-17 17:29:57 +01:00
Miroslav Grepl
6337678e76 - Allow collectd to talk to libvirt
- Allow chrome_sandbox to use leaked unix_stream_sockets
- Dontaudit leaks of sockets into chrome_sandbox_t
- If you create a cups directory in /var/cache then it should be labeled cups_rw_etc_t
- Run vmtools as unconfined domains
- Allow snort to manage its log files
- Allow systemd_cronjob_t to be entered via bin_t
- Allow procman to list doveconf_etc_t
- allow keyring daemon to create content in tmpfs directories
- Add proper labelling for icedtea-web
- vpnc is creating content in networkmanager var run directory
- unconfined_service should be allowed to transition to rpm_script_t
- Allow couchdb to listen on port 6984
- Dontaudit attempts by unpriv user domain to write to /run/mount directory, caused by running mount command
- Allow systemd-logind to setup user tmpfs directories
- Add additional fixes for systemd_networkd_t
- Allow systemd-logind to manage user_tmpfs_t
- Allow systemd-logind to mount /run/user/1000 to get gdm working
2014-03-17 08:59:51 +01:00
Miroslav Grepl
3f9fe17186 - Add additional fixes for systemd_networkd_t
- Allow systemd-logind to manage user_tmpfs_t
- Allow systemd-logind to mount /run/user/1000 to get gdm working
- Dontaudit attempts to setsched on the kernel_t threads
- Allow munin mail plugins to read network systcl
- Fix git_system_enable_homedirs boolean
- Make cimtest script 03_defineVS.py of ComputerSystem group working
- Make  abrt-java-connector working
- Allow net_admin cap for fence_virtd running as fenced_t
- Allow vmtools_helper_t to execute bin_t
- Add support for /usr/share/joomla
2014-03-14 11:01:06 +01:00
Miroslav Grepl
0575d649c8 - sshd to read network sysctls
- Allow vmtools_helper_t to execute bin_t
- Add support for /usr/share/joomla
- /var/lib/containers should be labeled as openshift content for now
- Allow docker domains to talk to the login programs, to allow a process to login into the container
2014-03-13 13:29:54 +01:00
Miroslav Grepl
695bbc81ea * Wed Mar 12 2014 Miroslav Grepl<mgrepl@redhat.com> 3.13.1-34
- Add install_t for anaconda
2014-03-12 20:45:39 +01:00
Miroslav Grepl
ab84f40064 - Allow init_t to stream connect to ipsec
- Add /usr/lib/systemd/systemd-networkd policy
- Add sysnet_manage_config_dirs()
- Add support for /var/run/systemd/network and labeled it as net_conf_t
- Allow unpriv SELinux users to dbus chat with firewalld
- Add lvm_write_metadata()
- Label /etc/yum.reposd dir as system_conf_t. Should be safe because system_conf_t is base_ro_file_type
- Add support for /dev/vmcp and /dev/sclp
- Add docker_connect_any boolean
- Fix zabbix policy
- Allow zabbix to send system log msgs
- Allow pegasus_openlmi_storage_t to write lvm metadata
- Updated pcp_bind_all_unreserved_ports
- Allow numad to write scan_sleep_millisecs
- Turn on entropyd_use_audio boolean by default
- Allow cgred to read /etc/cgconfig.conf because it contains templates used together with rules from /etc/cgrules.conf.
- Allow lscpu running as rhsmcertd_t to read /proc/sysinfo
2014-03-12 11:14:14 +01:00
Miroslav Grepl
24a25f20cc - Allow numad to write scan_sleep_millisecs
- Turn on entropyd_use_audio boolean by default
- Allow cgred to read /etc/cgconfig.conf because it contains templates used togeth
- Allow lscpu running as rhsmcertd_t to read /proc/sysinfo
- Allow numad to write scan_sleep_millisecs
- Turn on entropyd_use_audio boolean by default
- Allow cgred to read /etc/cgconfig.conf because it contains templates used togeth
- Allow lscpu running as rhsmcertd_t to read /proc/sysinfo
- Fix label on irclogs in the homedir
2014-03-10 11:51:20 +01:00
Miroslav Grepl
2d6801ddad - Modify xdm_write_home to allow create files/links in /root with xdm_home_t
- Add more fixes for https://fedoraproject.org/wiki/Changes/XorgWithoutRootRights
- Add xserver_dbus_chat() interface
- Add sysnet_filetrans_named_content_ifconfig() interface
- Change userdom_use_user_inherited_ttys to userdom_use_user_ttys for systemd-tty-
- Turn on cron_userdomain_transition by default for now. Until we get a fix for #1
- Allow lscpu running as rhsmcertd_t to read sysinfo
- Allow virt domains to read network state
- Added pcp rules
- Allow ctdbd to connect own ports
- Fix samba_export_all_rw booleanto cover also non security dirs
- Allow swift to exec rpm in swift_t and allow to create tmp files/dirs
- Allow neutron to create /run/netns with correct labeling
- Allow to run ip cmd in neutron_t domain
- Allow rpm_script_t to dbus chat also with systemd-located
- Fix ipa_stream_connect_otpd()
2014-03-07 16:53:11 +01:00
Miroslav Grepl
08fe2e457e - Allow block_suspend cap2 for systemd-logind and rw dri device
- Add labeling for /usr/libexec/nm-libreswan-service
- Allow locallogin to rw xdm key to make Virtual Terminal login providing
- Add xserver_rw_xdm_keys()
- Allow rpm_script_t to dbus chat also with systemd-located
- Fix ipa_stream_connect_otpd()
- update lpd_manage_spool() interface
- Allow krb5kdc to stream connect to ipa-otpd
- Add ipa_stream_connect_otpd() interface
- Allow vpnc to unlink NM pids
- Add networkmanager_delete_pid_files()
- Allow munin plugins to access unconfined plugins
- update abrt_filetrans_named_content to cover /var/spool/debug
- Label /var/spool/debug as abrt_var_cache_t
- Allow rhsmcertd to connect to squid port
- Make docker_transition_unconfined as optional boolean
- Allow certmonger to list home dirs
2014-03-04 10:17:06 +01:00
Miroslav Grepl
18bb7ec6a3 * Fri Feb 28 2014 Miroslav Grepl<mgrepl@redhat.com> 3.13.1-29
- Make docker as permissive domain
2014-02-28 12:34:15 +01:00
Miroslav Grepl
439063013f - Allow bumblebeed to send signal to insmod
- Dontaudit attempts by crond_t net_admin caused by journald
- Allow the docker daemon to mounton tty_device_t
- Add addtional snapper fixes to allo relabel file_t
- Allow setattr for all mountpoints
- Allow snapperd to write all dirs
- Add support for /etc/sysconfig/snapper
- Allow mozilla_plugin to getsession
- Add labeling for thttpd
- Allow sosreport to execute grub2-probe
- Allow NM to manage hostname config file
- Allow systemd_timedated_t to dbus chat with rpm_script_t
- Allow lsmd plugins to connect to http/ssh/http_cache ports by default
- Add lsmd_plugin_connect_any boolea
- Add support for ipset
- Add support for /dev/sclp_line0
- Add modutils_signal_insmod()
- Add files_relabelto_all_mountpoints() interface
- Allow the docker daemon to mounton tty_device_t
- Allow all systemd domains to read /proc/1
- Login programs talking to journald are attempting to net_admin, add dontaudit
- init is not gettar on processes as shutdown time
- Add systemd_hostnamed_manage_config() interface
- Make unconfined_service_t valid in enforcing
- Remove transition for temp dirs created by init_t
- gdm-simple-slave uses use setsockopt
- Add lvm_read_metadata()
2014-02-27 12:34:10 +01:00
Miroslav Grepl
3e0039f065 - Make unconfined_service_t valid in enforcing
- Remove transition for temp dirs created by init_t
- gdm-simple-slave uses use setsockopt
- Treat usermodehelper_t as a sysctl_type
- xdm communicates with geo
- Add lvm_read_metadata()
- Allow rabbitmq_beam to connect to jabber_interserver_port
- Allow logwatch_mail_t to transition to qmail_inject and queueu
- Added new rules to pcp policy
- Allow vmtools_helper_t to change role to system_r
- Allow NM to dbus chat with vmtools
2014-02-24 20:13:11 +01:00
Miroslav Grepl
74ec503d1c - Add labeling for /usr/sbin/amavi
- Colin asked for this program to be treated as cloud-init
- Allow ftp services to manage xferlog_t
- Fix vmtools policy to allow user roles to access vmtools_helper_t
- Allow block_suspend cap2 for ipa-otpd
- Allow certmonger to search home content
- Allow pkcsslotd to read users state
- Allow exim to use pam stack to check passwords
- Add labeling for /usr/sbin/amavi
- Colin asked for this program to be treated as cloud-init
- Allow ftp services to manage xferlog_t
- Fix vmtools policy to allow user roles to access vmtools_helper_t
- Allow block_suspend cap2 for ipa-otpd
- Allow certmonger to search home content
- Allow pkcsslotd to read users state
- Allow exim to use pam stack to check passwor
2014-02-21 17:01:54 +01:00
Miroslav Grepl
450ad890ec Fix lvm_read_metadata() 2014-02-18 18:16:00 +01:00
Miroslav Grepl
60668f6a35 * Tue Feb 18 2014 Miroslav Grepl<mgrepl@redhat.com> 3.13.1-25
- Add lvm_read_metadata()
- Allow auditadm to search /var/log/audit dir
- Add lvm_read_metadata() interface
- Allow confined users to run vmtools helpers
- Fix userdom_common_user_template()
- Generic systemd unit scripts do write check on /
- Allow init_t to create init_tmp_t in /tmp.This is for temporary content created by generic unit files
- Add additional fixes needed for init_t and setup script running in generic unit files
- Allow general users to create packet_sockets
- added connlcli port
- Add init_manage_transient_unit() interface
- Allow init_t (generic unit files) to manage rpc state date as we had it for initrc_t
- Fix userdomain.te to require passwd class
- devicekit_power sends out a signal to all processes on the message bus when power is going down
- Dontaudit rendom domains listing /proc and hittping system_map_t
- Dontauit leaks of var_t into ifconfig_t
- Allow domains that transition to ssh_t to manipulate its keyring
- Define oracleasm_t as a device node
- Change to handle /root as a symbolic link for os-tree
- Allow sysadm_t to create packet_socket, also move some rules to attributes
- Add label for openvswitch port
- Remove general transition for files/dirs created in /etc/mail which got etc_aliases_t label.
- Allow postfix_local to read .forward in pcp lib files
- Allow pegasus_openlmi_storage_t to read lvm metadata
- Add additional fixes for pegasus_openlmi_storage_t
- Allow bumblebee to manage debugfs
- Make bumblebee as unconfined domain
- Allow snmp to read etc_aliases_t
- Allow lscpu running in pegasus_openlmi_storage_t to read /dev/mem
- Allow pegasus_openlmi_storage_t to read /proc/1/environ
- Dontaudit read gconf files for cupsd_config_t
- make vmtools as unconfined domain
- Add vmtools_helper_t for helper scripts. Allow vmtools shutdonw a host and run ifconfig.
- Allow collectd_t to use a mysql database
- Allow ipa-otpd to perform DNS name resolution
- Added new policy for keepalived
- Allow openlmi-service provider to manage transitient units and allow stream connect to sssd
- Add additional fixes new pscs-lite+polkit support
- Add labeling for /run/krb5kdc
- Change w3c_validator_tmp_t to httpd_w3c_validator_tmp_t in F20
- Allow pcscd to read users proc info
- Dontaudit smbd_t sending out random signuls
- Add boolean to allow openshift domains to use nfs
- Allow w3c_validator to create content in /tmp
- zabbix_agent uses nsswitch
- Allow procmail and dovecot to work together to deliver mail
- Allow spamd to execute files in homedir if boolean turned on
- Allow openvswitch to listen on port 6634
- Add net_admin capability in collectd policy
- Fixed snapperd policy
- Fixed bugsfor pcp policy
- Allow dbus_system_domains to be started by init
- Fixed some interfaces
- Add kerberos_keytab_domain attribute
- Fix snapperd_conf_t def
2014-02-18 18:05:44 +01:00
Miroslav Grepl
7a727702c0 - Dontaudit rendom domains listing /proc and hittping system_map_t
- devicekit_power sends out a signal to all processes on the message bus when power is going down
- Modify xdm_write_home to allow create also links as xdm_home_t if the boolean is on true
- systemd_tmpfiles_t needs to _setcheckreqprot
- Add unconfined_server to be run by init_t when it executes files labeled bin_t, or usr_t, allow all domains to communicate with it
- Fixed snapperd policy
- Fixed broken interfaces
- Should use rw_socket_perms rather then sock_file on a unix_stream_socket
- Fixed bugsfor pcp policy
- pcscd seems to be using policy kit and looking at domains proc data that transition to it
- Allow dbus_system_domains to be started by init
- Fixed some interfaces
- Addopt corenet rules for unbound-anchor to rpm_script_t
- Allow runuser to send send audit messages.
- Allow postfix-local to search .forward in munin lib dirs
- Allow udisks to connect to D-Bus
- Allow spamd to connect to spamd port
- Fix syntax error in snapper.te
- Dontaudit osad to search gconf home files
- Allow rhsmcertd to manage /etc/sysconf/rhn director
- Fix pcp labeling to accept /usr/bin for all daemon binaries
- Fix mcelog_read_log() interface
- Allow iscsid to manage iscsi lib files
- Allow snapper domtrans to lvm_t. Add support for /etc/snapper and allow snapperd to manage it.
- Allow ABRT to read puppet certs
- Allow virtd_lxc_t to specify the label of a socket
- New version of docker requires more access
2014-02-14 13:09:05 +01:00
Miroslav Grepl
05a36cdcd0 - Addopt corenet rules for unbound-anchor to rpm_script_t
- Allow runuser to send send audit messages.
- Allow postfix-local to search .forward in munin lib dirs
- Allow udisks to connect to D-Bus
- Allow spamd to connect to spamd port
- Fix syntax error in snapper.te
- Dontaudit osad to search gconf home files
- Allow rhsmcertd to manage /etc/sysconf/rhn director
- Fix pcp labeling to accept /usr/bin for all daemon binaries
- Fix mcelog_read_log() interface
- Allow iscsid to manage iscsi lib files
- Allow snapper domtrans to lvm_t. Add support for /etc/snapper and allow snapperd to manage it.
- Make tuned_t as unconfined domain for RHEL7.0
- Allow ABRT to read puppet certs
- Add sys_time capability for virt-ga
- Allow gemu-ga to domtrans to hwclock_t
- Allow additional access for virt_qemu_ga_t processes to read system clock and send audit messages
- Fix some AVCs in pcp policy
- Add to bacula capability setgid and setuid and allow to bind to bacula ports
- Changed label from rhnsd_rw_conf_t to rhnsd_conf_t
- Add access rhnsd and osad to /etc/sysconfig/rhn
- drbdadm executes drbdmeta
- Fixes needed for docker
- Allow epmd to manage /var/log/rabbitmq/startup_err file
- Allow beam.smp connect to amqp port
- Modify xdm_write_home to allow create also links as xdm_home_t if the boolean is on true
- Allow init_t to manage pluto.ctl because of init_t instead of initrc_t
- Allow systemd_tmpfiles_t to manage all non security files on the system
- Added labels for bacula ports
- Fix label on /dev/vfio/vfio
- Add kernel_mounton_messages() interface
- init wants to manage lock files for iscsi
2014-02-11 20:28:28 +01:00
Miroslav Grepl
fc059db54d - Add kernel_mounton_messages() interface
- init wants to manage lock files for iscsi
- Add support for dey_sapi port
- Fixes needed for docker
- Allow epmd to manage /var/log/rabbitmq/startup_err file
- Allow beam.smp connect to amqp port
- drbdadm executes drbdmeta
- Added osad policy
- Allow postfix to deliver to procmail
- Allow vmtools to execute /usr/bin/lsb_release
- Allow geoclue to read /etc/passwd
- Allow docker to write system net ctrls
- Add support for rhnsd unit file
- Add dbus_chat_session_bus() interface
- Add dbus_stream_connect_session_bus() interface
- Fix pcp.te
- Fix logrotate_use_nfs boolean
- Add lot of pcp fixes found in RHEL7
- fix labeling for pmie for pcp pkg
- Change thumb_t to be allowed to chat/connect with session bus type
- Add logrotate_use_nfs boolean
- Allow setroubleshootd to read rpc sysctl
2014-02-05 08:52:08 +01:00
Miroslav Grepl
21f72f0c5c Fix typo in geoclue.te 2014-01-30 13:45:46 +01:00
Miroslav Grepl
a853036f79 - Allow passwd_t to use ipc_lock, so that it can change the password in gnome-keyring
- Allow geoclue to create temporary files/dirs in /tmp
- Add httpd_dontaudit_search_dirs boolean
- Add support for winbind.service
- ALlow also fail2ban-client to read apache logs
- Allow vmtools to getattr on all fs
2014-01-30 13:26:17 +01:00
Miroslav Grepl
2b1129da49 - Add net_admin also for systemd_passwd_agent_t
- Allow Associate usermodehelper_t to sysfs filesystem
- Allow gdm to create /var/gdm with correct labeling
- Allow domains to append rkhunterl lib files. #1057982
- Allow systemd_tmpfiles_t net_admin to communicate with journald
- update libs_filetrans_named_content() to have support for /usr/lib/debug directory
- Adding a new service script to enable setcheckreqprot
- Add interface to getattr on an isid_type for any type of file
- Allow initrc_t domtrans to authconfig if unconfined is enabled
- Add labeling for snapper.log
- Allow tumbler to execute dbusd-daemon in thumb_t
- Add dbus_exec_dbusd()
- Add snapperd_data_t type
- Add additional fixes for snapperd
- FIx bad calling in samba.te
- Allow smbd to create tmpfs
- Allow rhsmcertd-worker send signull to rpm process
- Allow net_admin capability and send system log msgs
- Allow lldpad send dgram to NM
- Add networkmanager_dgram_send()
- rkhunter_var_lib_t is correct type
- Allow openlmi-storage to read removable devices
- Allow system cron jobs to manage rkhunter lib files
- Add rkhunter_manage_lib_files()
- Fix ftpd_use_fusefs boolean to allow manage also symlinks
- Allow smbcontrob block_suspend cap2
- Allow slpd to read network and system state info
- Allow NM domtrans to iscsid_t if iscsiadm is executed
- Allow slapd to send a signal itself
- Allow sslget running as pki_ra_t to contact port 8443, the secure port of the CA.
- Fix plymouthd_create_log() interface
- Add rkhunter policy with files type definition for /var/lib/rkhunter until it is fixed in rkhunter package
- Allow postfix and cyrus-imapd to work out of box
- Remove logwatch_can_sendmail which is no longer used
- Allow fcoemon to talk with unpriv user domain using unix_stream_socket
- snapperd is D-Bus service
- Allow OpenLMI PowerManagement to call 'systemctl --force reboot
2014-01-28 22:06:09 +01:00
Miroslav Grepl
f8d85476fd - Add haproxy_connect_any boolean
- Allow haproxy also to use http cache port by default
- Fix /usr/lib/firefox/plugin-container decl
- Allow haproxy to work as simple HTTP proxy. HAProxy For TCP And HTTP Based Applications
- Label also /usr/libexec/WebKitPluginProcess as mozilla_plugin_exec_t
- Fix type in docker.te
- Fix bs_filetrans_named_content() to have support for /usr/lib/debug directory
- Adding a new service script to enable setcheckreqprot
- Add interface to getattr on an isid_type for any type of file
- Allow initrc_t domtrans to authconfig if unconfined is enabled
type in docker.te
- Add mozilla_plugin_exec_t labeling for /usr/lib/firefox/plugin-container
2014-01-24 17:52:42 +01:00
Miroslav Grepl
254b1593d0 - init calling needs to be optional in domain.te
- Allow docker and mount on devpts chr_file
- Allow docker to transition to unconfined_t if boolean set
- Label also /usr/libexec/WebKitPluginProcess as mozilla_plugin_exec_t
- Fix type in docker.te
- Add mozilla_plugin_exec_t labeling for /usr/lib/firefox/plugin-contai
- Allow docker to use the network and build images
- Allow docker to read selinux files for labeling, and mount on devpts
- Allow domains that transition to svirt_sandbox to send it signals
- Allow docker to transition to unconfined_t if boolean set
2014-01-23 11:03:30 +01:00
Miroslav Grepl
d7f0c3cf54 - New access needed to allow docker + lxc +SELinux to work together
- Allow apache to write to the owncloud data directory in /var/www/html...
- Cleanup sandbox X AVC's
- Allow consolekit to create log dir
- Add support for icinga CGI scripts
- Add support for icinga
- Allow kdumpctl_t to create kdump lock file
- Allow kdump to create lnk lock file
- Allow ABRT write core_pattern
- Allwo ABRT to read core_pattern
- Add policy for Geoclue. Geoclue is a D-Bus service that provides location information
- Allow nscd_t block_suspen capability
- Allow unconfined domain types to manage own transient unit file
- Allow systemd domains to handle transient init unit files
- No longer need the rpm_script_roles line since rpm_transition_script now does this for us
- Add/fix interfaces for usermodehelper_t
- Add interfaces to handle transient
- Fixes for new usermodehelper and proc_securit_t types
2014-01-22 13:00:17 +01:00
Miroslav Grepl
3a0ebd8398 - Add cron unconfined role support for uncofined SELinux user
- Call kernel_rw_usermodehelper_state() in init.te
- Call corenet_udp_bind_all_ports() in milter.te
- Allow fence_virtd to connect to zented port
- Fix header for mirrormanager_admin()
- Allow dkim-milter to bind udp ports
- Allow milter domains to send signull itself
- Allow block_suspend for yum running as mock_t
- Allow beam.smp to manage couchdb files
- Add couchdb_manage_files()
- Add labeling for /var/log/php_errors.log
- Allow bumblebee to stream connect to xserver
- Allow bumblebee to send a signal to xserver
- gnome-thumbnail to stream connect to bumblebee
- Fix calling usermodehelper to use _state in interface name
- Allow xkbcomp running as bumblebee_t to execute  bin_t
- Allow logrotate to read squid.conf
- Additional rules to get docker and lxc to play well with SELinux
- Call kernel_read_usermodhelper/kernel_rw_usermodhelper
- Make rpm_transition_script accept a role
- Added new policy for pcp
- Allow bumbleed to connect to xserver port
- Allow pegasus_openlmi_storage_t to read hwdata
2014-01-20 11:41:09 +01:00
Miroslav Grepl
93e99e4693 Rename badly used userhelper_t in kernel.if to usermodehelper 2014-01-19 22:18:55 +01:00
Miroslav Grepl
8155b37c25 Call kernel_rw_usermodehelper in devicekit.te 2014-01-17 22:21:54 +01:00
Miroslav Grepl
eeca65cd12 Call proper interfaces - usermodehelper 2014-01-17 21:45:33 +01:00
Miroslav Grepl
912db9180b ysctl_modprobe_t and sysctl_hotplug_t are now obsoleted by usermodhelper_t 2014-01-17 21:26:23 +01:00
Miroslav Grepl
368fb803a8 See spec file 2014-01-17 16:40:25 +01:00
Miroslav Grepl
5bd1f1afd6 * Mon Jan 13 2014 Miroslav Grepl<mgrepl@redhat.com> 3.13.1-13
- Remove file_t from the system and realias it with unlabeled_
2014-01-13 12:25:57 +01:00