- Since /dev/log is a symlink, we need to allow relabelto also symlink. This commit update logging_relabel_devlog_dev() interface to allow it.
- systemd-user has pam_selinux support and needs to able to compute user security context if init_t is not unconfined domain.
- Allow fail2ban-client to execute ldconfig. #1268715
- Add interface virt_sandbox_domain()
- Use mmap_file_perms instead of exec_file_perms in setroubleshoot policy to shave off the execute_no_trans permission. Based on a github communication with Dominick Grift.
-all userdom_dontaudit_user_getattr_tmp_sockets instead() of usedom_dontaudit_user_getattr_tmp_sockets().
- Rename usedom_dontaudit_user_getattr_tmp_sockets() to userdom_dontaudit_user_getattr_tmp_sockets().
- Remove auth_login_pgm_domain(init_t) which has been added by accident.
- init_t needs to able to change SELinux identity because it is used as login_pgm domain because of systemd-user and PAM. It allows security_compute_user() returns a list of possible context and then a correct default label is returned by "selinux.get_default_context(sel_user,fromcon)" defined in the policy user config files.
- Add interface auth_use_nsswitch() to systemd_domain_template.
- Revert "auth_use_nsswitch can be used with attribute systemd_domain."
- auth_use_nsswitch can be used with attribute systemd_domain.
- ipsec: fix stringSwan charon-nm
- docker is communicating with systemd-machined
- Add missing systemd_dbus_chat_machined, needed by docker
- Allow abrt_t to read sysctl_net_t files. BZ(#1194280)
- Merge branch 'rawhide-contrib' of github.com:fedora-selinux/selinux-policy into rawhide-contrib
- Add abrt_stub interface.
- Add support for new mock location - /usr/libexec/mock/mock. BZ(#1270972)
- Allow usbmuxd to access /run/udev/data/+usb:*. BZ(#1269633)
- Allow qemu-bridge-helper to read /dev/random and /dev/urandom. BZ(#1267217)
- Allow sssd_t to manage samba var files/dirs to SSSD's GPO support which is enabled against an Active Directory domain. BZ(#1225200).
- Add samba_manage_var_dirs() interface.
- Allow pcp_pmlogger to exec bin_t BZ(#1258698)
- Allow spamd to read system network state. BZ(1260234)
- Allow fcoemon to create netlink scsitransport sockets BZ(#1260882)
- Allow networkmanager to create networkmanager_var_lib_t files. BZ(1270201)
- Allow systemd-networkd to read XEN state for Xen hypervisor. BZ(#1269916)
- Add fs_read_xenfs_files() interface.
- Allow systemd_machined_t to send dbus msgs to all users and read/write /dev/ptmx to make 'machinectl shell' working correctly.
- Allow systemd running as init_t to override the default context for key creation. BZ(#1267850)
- Allow pcp_pmlogger to read system state. BZ(1258699)
- Allow cupsd to connect on socket. BZ(1258089)
- Allow named to bind on ephemeral ports. BZ(#1259766)
- Allow iscsid create netlink iscsid sockets.
- We need allow connect to xserver for all sandbox_x domain because we have one type for all sandbox processes.
- Allow NetworkManager_t and policykit_t read access to systemd-machined pid files. #1255305
- Add missing labeling for /usr/libexec/abrt-hook-ccpp as a part of #1245477 and #1242467 bugs.
- Allow search dirs in sysfs types in kernel_read_security_state.
- Fix kernel_read_security_state interface that source domain of this interface can search sysctl_fs_t dirs.
- Update modules_filetrans_named_content() to make sure we don't get modules_dep labeling by filename transitions.
- Remove /usr/lib/modules/[^/]+/modules\..+ labeling
- Add modutils_read_module_deps_files() which is called from files_read_kernel_modules() for module deps which are still labeled as modules_dep_t.
- Remove modules_dep_t labeling for kernel module deps. depmod is a symlink to kmod which is labeled as insmod_exec_t which handles modules_object_t and there is no transition to modules_dep_t. Also some of these module deps are placed by cpio during install/update of kernel package.
- Allow acpid to attempt to connect to the Linux kernel via generic netlink socket.
- Clean up pkcs11proxyd policy.
- We need to require sandbox_web_type attribute in sandbox_x_domain_template().
- Revert "depmod is a symlink to insmod so it runs as insmod_t. It causes that dep kernel modules files are not created with the correct labeling modules_dep_t. This fix adds filenamtrans rules for insmod_t."
- depmod is a symlink to insmod so it runs as insmod_t. It causes that dep kernel modules files are not created with the correct labeling modules_dep_t. This fix adds filenamtrans rules for insmod_t.
- Update files_read_kernel_modules() to contain modutils_read_module_deps() calling because module deps labeling has been updated and it allows to avoid regressions.
- Update modules_filetrans_named_content() interface to cover more modules.* files.
- New policy for systemd-machined. #1255305
- In Rawhide/F24, we added pam_selinux.so support for systemd-users to have user sessions running under correct SELinux labeling. It also supports another new feature with systemd+dbus and we have sessions dbuses running with the correct labeling - unconfined_dbus_t for example.
- Allow systemd-logind read access to efivarfs - Linux Kernel configuration options for UEFI systems (UEFI Runtime Variables). #1244973, #1267207 (partial solution)
- Merge pull request #42 from vmojzis/rawhide-base
- Add interface to allow reading files in efivarfs - contains Linux Kernel configuration options for UEFI systems (UEFI Runtime Variables)
- Add few rules related to new policy for pkcs11proxyd
- Added new policy for pkcs11proxyd daemon
- We need to require sandbox_web_type attribute in sandbox_x_domain_template().
- Dontaudit abrt_t to rw lvm_lock_t dir.
- Allow abrt_d domain to write to kernel msg device.
- Add interface lvm_dontaudit_rw_lock_dir()
- Merge pull request #35 from lkundrak/lr-libreswan
- Update config.tgz to reflect changes in default context for SELinux users related to pam_selinux.so which is now used in systemd-users.
- Added support for permissive domains
- Allow rpcbind_t domain to change file owner and group
- rpm-ostree has a daemon mode now and need to speak to polkit/logind for authorization. BZ(#1264988)
- Allow dnssec-trigger to send generic signal to Network-Manager. BZ(#1242578)
- Allow smbcontrol to create a socket in /var/samba which uses for a communication with smbd, nmbd and winbind.
- Revert "Add apache_read_pid_files() interface"
- Allow dirsrv-admin read httpd pid files.
- Add apache_read_pid_files() interface
- Add label for dirsrv-admin unit file.
- Allow qpid daemon to connect on amqp tcp port.
- Allow dirsrvadmin-script read /etc/passwd file Allow dirsrvadmin-script exec systemctl
- Add labels for afs binaries: dafileserver, davolserver, salvageserver, dasalvager
- Add lsmd_plugin_t sys_admin capability, Allow lsmd_plugin_t getattr from sysfs filesystem.
- Allow rhsmcertd_t send signull to unconfined_service_t domains.
- Revert "Allow pcp to read docker lib files."
- Label /usr/libexec/dbus-1/dbus-daemon-launch-helper as dbusd_exec_t to have systemd dbus services running in the correct domain instead of unconfined_service_t if unconfined.pp module is enabled. BZ(#1262993)
- Allow pcp to read docker lib files.
- Revert "init_t needs to be login_pgm domain because of systemd-users + pam_selinux.so"
- Add login_userdomain attribute also for unconfined_t.
- Add userdom_login_userdomain() interface.
- Label /etc/ipa/nssdb dir as cert_t
- init_t needs to be login_pgm domain because of systemd-users + pam_selinux.so
- Add interface unconfined_server_signull() to allow domains send signull to unconfined_service_t
- Call userdom_transition_login_userdomain() instead of userdom_transition() in init.te related to pam_selinux.so+systemd-users.
- Add userdom_transition_login_userdomain() interface
- Allow user domains with login_userdomain to have entrypoint access on init_exec. It is needed by pam_selinux.so call in systemd-users. BZ(#1263350)
- Add init_entrypoint_exec() interface.
- Allow init_t to have transition allow rule for userdomain if pam_selinux.so is used in /etc/pam.d/systemd-user. It ensures that systemd user sessions will run with correct userdomain types instead of init_t. BZ(#1263350)
- named wants to access /proc/sys/net/ipv4/ip_local_port_range to get ehphemeral range. BZ(#1260272)
- Allow user screen domains to list directorires in HOMEDIR wit user_home_t labeling.
- Dontaudit fenced search gnome config
- Allow teamd running as NetworkManager_t to access netlink_generic_socket to allow multiple network interfaces to be teamed together. BZ(#1259180)
- Fix for watchdog_unconfined_exec_read_lnk_files, Add also dir search perms in watchdog_unconfined_exec_t.
- Sanlock policy update. #1255307 - New sub-domain for sanlk-reset daemon
- Fix labeling for fence_scsi_check script
- Allow openhpid to read system state Aloow openhpid to connect to tcp http port.
- Allow openhpid to read snmp var lib files.
- Allow openvswitch_t domains read kernel dependencies due to openvswitch run modprobe
- Fix regexp in chronyd.fc file
- systemd-logind needs to be able to act with /usr/lib/systemd/system/poweroff.target to allow shutdown system. BZ(#1260175)
- Allow systemd-udevd to access netlink_route_socket to change names for network interfaces without unconfined.pp module. It affects also MLS.
- Allow unconfined_t domains to create /var/run/xtables.lock with iptables_var_run_t
- Remove bin_t label for /usr/share/cluster/fence_scsi_check\.pl
- Allow passenger to getattr filesystem xattr
- Revert "Allow pegasus_openlmi_storage_t create mdadm.conf.anacbak file in /etc."
- Label mdadm.conf.anackbak as mdadm_conf_t file.
- Allow dnssec-ttrigger to relabel net_conf_t files. BZ(1251765)
- Allow dnssec-trigger to exec pidof. BZ(#1256737)
- Allow blueman to create own tmp files in /tmp. (#1234647)
- Add new audit_read access vector in capability2 class
- Add "binder" security class and access vectors
- Update netlink socket classes.
- Allow getty to read network state. BZ(#1255177)
- Remove labeling for /var/db/.*\.db as etc_t to label db files as system_db_t.
- Call kernel_load_module(vmware_host_t) to satisfy neverallow assertion for sys_moudle in MLS where unconfined is disabled.
- Allow NetworkManager to write audit log messages
- Add new policy for ipmievd (ipmitool).
- mirrormanager needs to be application domain and cron_system_entry needs to be called in optional block.
- Allow sandbox domain to be also /dev/mem writer
- Fix neverallow assertion for sys_module capability for openvswitch.
- kernel_load_module() needs to be called out of boolean for svirt_lxc_net_t.
- Fix neverallow assertion for sys_module capability.
- Add more attributes for sandbox domains to avoid neverallow assertion issues.
- Add neverallow asserition fixes related to storage.
- Allow exec pidof under hypervkvp domain. Allow hypervkvp daemon create connection to the system DBUS
- Allow openhpid_t to read system state.
- Add temporary fixes for sandbox related to #1103622. It allows to run everything under one sandbox type.
- Added labels for files provided by rh-nginx18 collection
- Dontaudit block_suspend capability for ipa_helper_t, this is kernel bug. Allow ipa_helper_t capability net_admin. Allow ipa_helper_t to list /tmp. Allow ipa_helper_t to read rpm db.
- Allow rhsmcertd exec rhsmcertd_var_run_t files and rhsmcerd_tmp_t files. This rules are in hide_broken_sympthons until we find better solution.
- Update files_manage_all_files to contain auth_reader_shadow and auth_writer_shadow tosatisfy neverallow assertions.
- Update files_relabel_all_files() interface to contain auth_relabelto_shadow() interface to satisfy neverallow assertion.
- seunshare domains needs to have set_curr_context attribute to resolve neverallow assertion issues.
- Add dev_raw_memory_writer() interface
- Add auth_reader_shadow() and auth_writer_shadow() interfaces
- Add dev_raw_memory_reader() interface.
- Add storage_rw_inherited_scsi_generic() interface.
- Update files_relabel_non_auth_files() to contain seutil_relabelto_bin_policy() to make neverallow assertion working.
- Update kernel_read_all_proc() interface to contain can_dump_kernel and can_receive_kernel_messages attributes to fix neverallow violated issue for proc_kcore_t and proc_kmsg_t.
- Update storage_rw_inherited_fixed_disk_dev() interface to use proper attributes to fix neverallow violated issues caused by neverallow check during build process.
- Allow chronyd to execute mkdir command.
- Allow chronyd_t to read dhcpc state.
- Label /usr/libexec/chrony-helper as chronyd_exec_t
- Allow openhpid liboa_soap plugin to read resolv.conf file.
- Allow openhpid liboa_soap plugin to read generic certs.
- Allow openhpid use libwatchdog plugin. (Allow openhpid_t rw watchdog device)
- Allow logrotate to reload services.
- Allow apcupsd_t to read /sys/devices
- Allow kpropd to connect to kropd tcp port.
- Allow lsmd also setuid capability. Some commands need to executed under root privs. Other commands are executed under unprivileged user.
- Allow snapperd to pass data (one way only) via pipe negotiated over dbus.
- Add snapper_read_inherited_pipe() interface.
- Add missing ";" in kerberos.te
- Add support for /var/lib/kdcproxy and label it as krb5kdc_var_lib_t. It needs to be accessible by useradd_t.
- Add support for /etc/sanlock which is writable by sanlock daemon.
- Allow mdadm to access /dev/random and add support to create own files/dirs as mdadm_tmpfs_t.
- Add labels for /dev/memory_bandwith and /dev/vhci. Thanks ssekidde
- Add interface to read/write watchdog device.
- Add transition rule for iptables_var_lib_t
- Allow useradd add homedir located in /var/lib/kdcproxy in ipa-server RPM scriplet.
- Revert "Allow grubby to manage and create /run/blkid with correct labeling"
- Allow grubby to manage and create /run/blkid with correct labeling
- Add fstools_filetrans_named_content_fsadm() and call it for named_filetrans_domain domains. We need to be sure that /run/blkid is created with correct labeling.
- arping running as netutils_t needs to access /etc/ld.so.cache in MLS.
- Allow sysadm to execute systemd-sysctl in the sysadm_t domain. It is needed for ifup command in MLS mode.
- Add systemd_exec_sysctl() and systemd_domtrans_sysctl() interfaces.
- Allow udev, lvm and fsadm to access systemd-cat in /var/tmp/dracut if 'dracut -fv' is executed in MLS.
- Allow admin SELinu users to communicate with kernel_t. It is needed to access /run/systemd/journal/stdout if 'dracut -vf' is executed. We allow it for other SELinux users.
- depmod runs as insmod_t and it needs to manage user tmp files which was allowed for depmod_t. It is needed by dracut command for SELinux restrictive policy (confined users, MLS).
- Add header for sslh.if file
- Fix sslh_admin() interface
- Clean up sslh.if
- Fix typo in pdns.if
- Allow qpid to create lnk_files in qpid_var_lib_t.
- Allow httpd_suexec_t to read and write Apache stream sockets
- Merge pull request #21 from hogarthj/rawhide-contrib
- Allow virt_qemu_ga_t domtrans to passwd_t.
- use read and manage files_patterns and the description for the admin interface
- Merge pull request #17 from rubenk/pdns-policy
- Allow redis to read kernel parameters.
- Label /etc/rt dir as httpd_sys_rw_content_t BZ(#1185500)
- Allow hostapd to manage sock file in /va/run/hostapd Add fsetid cap. for hostapd Add net_raw cap. for hostpad BZ(#1237343)
- Allow bumblebee to seng kill signal to xserver
- glusterd call pcs utility which calls find for cib.* files and runs pstree under glusterd. Dontaudit access to security files and update gluster boolean to reflect these changes.
- Allow drbd to get attributes from filesystems.
- Allow drbd to read configuration options used when loading modules.
- fix the description for the write config files, add systemd administration support and fix a missing gen_require in the admin interface
- Added Booleans: pcp_read_generic_logs.
- Allow pcp_pmcd daemon to read postfix config files. Allow pcp_pmcd daemon to search postfix spool dirs.
- Allow glusterd to communicate with cluster domains over stream socket.
- fix copy paste error with writing the admin interface
- fix up the regex in sslh.fc, add sslh_admin() interface
- adding selinux policy files for sslh
- Remove diplicate sftpd_write_ssh_home boolean rule.
- Revert "Allow smbd_t and nmbd_t to manage winbind_var_run_t files/socktes/dirs."
- gnome_dontaudit_search_config() needs to be a part of optinal_policy in pegasus.te
- Allow glusterd to manage nfsd and rpcd services.
- Add kdbus.pp policy to allow access /sys/fs/kdbus. It needs to go with own module because this is workaround for now to avoid SELinux in enforcing mode.
- kdbusfs should not be accessible for now by default for shipped policies. It should be moved to kdbus.pp
- kdbusfs should not be accessible for now.
- Add support for /sys/fs/kdbus and allow login_pgm domain to access it.
- Allow sysadm to administrate ldap environment and allow to bind ldap port to allow to setup an LDAP server (389ds).
- Label /usr/sbin/chpasswd as passwd_exec_t.
- Allow audisp_remote_t to read/write user domain pty.
- Allow audisp_remote_t to start power unit files domain to allow halt system.
- Add fixes for selinux-policy packages to reflect the latest changes related to policy module store migration.
- Prepare selinux-policy package for SELinux store migration
- gnome_dontaudit_search_config() needs to be a part of optinal_policy in pegasus.te
- Allow glusterd to manage nfsd and rpcd services.
- Allow smbd_t and nmbd_t to manage winbind_var_run_t files/socktes/dirs.
- Add samba_manage_winbind_pid() interface
- Allow networkmanager to communicate via dbus with systemd_hostanmed.
- Allow stream connect logrotate to prosody.
- Add prosody_stream_connect() interface.
- httpd should be able to send signal/signull to httpd_suexec_t, instead of httpd_suexec_exec_t.
- Allow prosody to create own tmp files/dirs.
- Allow keepalived request kernel load module
- kadmind should not read generic files in /usr
- Allow kadmind_t access to /etc/krb5.keytab
- Add more fixes to kerberos.te
- Add labeling for /var/tmp/kadmin_0 and /var/tmp/kiprop_0
- Add lsmd_t to nsswitch_domain.
- Allow pegasus_openlmi_storage_t create mdadm.conf.anacbak file in /etc.
- Add fixes to pegasus_openlmi_domain
- Allow Glance Scrubber to connect to commplex_main port
- Allow RabbitMQ to connect to amqp port
- Allow isnsd read access on the file /proc/net/unix
- Allow qpidd access to /proc/<pid>/net/psched
- Allow openshift_initrc_t to communicate with firewalld over dbus.
- Allow ctdbd_t send signull to samba_unconfined_net_t.
- Add samba_signull_unconfined_net()
- Add samba_signull_winbind()
- Revert "Add interfaces winbind_signull(), samba_unconfined_net_signull()."
- Fix ctdb policy
- Label /var/db/ as system_db_t.
- Add samba_unconfined_script_exec_t to samba_admin header.
- Add jabberd_lock_t label to jabberd_admin header.
- Add rpm_var_run_t label to rpm_admin header.
- Make all interfaces related to openshift_cache_t as deprecated.
- Remove non exits nfsd_ro_t label.
- Label /usr/afs/ as afs_files_t Allow afs_bosserver_t create afs_config_t and afs_dbdir_t dirs under afs_files_t Allow afs_bosserver_t read kerberos config
- Fix *_admin intefaces where body is not consistent with header.
- Allow networkmanager read rfcomm port.
- Fix nova_domain_template interface, Fix typo bugs in nova policy
- Create nova sublabels.
- Merge all nova_* labels under one nova_t.
- Add cobbler_var_lib_t to "/var/lib/tftpboot/boot(/.*)?"
- Allow dnssec_trigger_t relabelfrom dnssec_trigger_var_run_t files.
- Fix label openstack-nova-metadata-api binary file
- Allow nova_t to bind on geneve tcp port, and all udp ports
- Label swift-container-reconciler binary as swift_t.
- Allow glusterd to execute showmount in the showmount domain.
- Allow NetworkManager_t send signull to dnssec_trigger_t.
- Add support for openstack-nova-* packages.
- Allow audisp-remote searching devpts.
- Label 6080 tcp port as geneve
- Update mta_filetrans_named_content() interface to cover more db files.
- Revert "Remove ftpd_use_passive_mode boolean. It does not make sense due to ephemeral port handling."
- Allow pcp domains to connect to own process using unix_stream_socket.
- Typo in abrt.te
- Allow abrt-upload-watch service to dbus chat with ABRT daemon and fsetid capability to allow run reporter-upload correctly.
- Add nagios_domtrans_unconfined_plugins() interface.
- Add nagios_domtrans_unconfined_plugins() interface.
- Add new boolean - httpd_run_ipa to allow httpd process to run IPA helper and dbus chat with oddjob.
- Add support for oddjob based helper in FreeIPA. BZ(1238165)
- Allow dnssec_trigger_t create dnssec_trigger_tmp_t files in /var/tmp/ BZ(1240840)
- Allow ctdb_t sending signull to smbd_t, for checking if smbd process exists. BZ(1224879)
- Fix cron_system_cronjob_use_shares boolean to call fs interfaces which contain only entrypoint permission.
- Add cron_system_cronjob_use_shares boolean to allow system cronjob to be executed from shares - NFS, CIFS, FUSE. It requires "entrypoint" permissios on nfs_t, cifs_t and fusefs_t SELinux types.
- nrpe needs kill capability to make gluster moniterd nodes working.
- Revert "Dontaudit ctbd_t sending signull to smbd_t."
- Fix interface corenet_tcp_connect_postgresql_port_port(prosody_t)
- Allow prosody connect to postgresql port.
- Fix logging_syslogd_run_nagios_plugins calling in logging.te
- Add logging_syslogd_run_nagios_plugins boolean for rsyslog to allow transition to nagios unconfined plugins.
- Add support for oddjob based helper in FreeIPA. BZ(1238165)
- Add new interfaces
- Add fs_fusefs_entry_type() interface.
- Allow ctdb_t sending signull to smbd_t, for checking if smbd process exists. BZ(1224879)
- Fix cron_system_cronjob_use_shares boolean to call fs interfaces which contain only entrypoint permission.
- Add cron_system_cronjob_use_shares boolean to allow system cronjob to be executed from shares - NFS, CIFS, FUSE. It requires "entrypoint" permissios on nfs_t, cifs_t and fusefs_t SELinux types.
- Merge remote-tracking branch 'refs/remotes/origin/rawhide-contrib' into rawhide-contrib
- nrpe needs kill capability to make gluster moniterd nodes working.
- Fix interface corenet_tcp_connect_postgresql_port_port(prosody_t)
- Allow prosody connect to postgresql port.
- Add new interfaces
- Add fs_fusefs_entry_type() interface.
- Allow NetworkManager write to sysfs. BZ(1234086)
- Fix bogus line in logrotate.fc.
- Add dontaudit interface for kdumpctl_tmp_t
- Use userdom_rw_user_tmp_files() instead of userdom_rw_user_tmpfs_files() in gluster.te
- Add postgresql support for systemd unit files.
- Fix missing bracket
- Pull request by ssekidde. https://github.com/fedora-selinux/selinux-policy/pull/18
- Fixed obsoleted userdom_delete_user_tmpfs_files() inteface
- rpm_transition_script() is called from rpm_run. Update cloud-init rules.
- Call rpm_transition_script() from rpm_run() interface.
- Allow radvd has setuid and it requires dac_override. BZ(1224403)
- Add glusterd_manage_lib_files() interface.
- Allow samba_t net_admin capability to make CIFS mount working.
- S30samba-start gluster hooks wants to search audit logs. Dontaudit it.
- Reflect logrotate change which moves /var/lib/logrotate.status to /var/lib/logrotate/logrotate.status. BZ(1228531)
- ntop reads /var/lib/ntop/macPrefix.db and it needs dac_override. It has setuid/setgid. BZ(1058822)
- Allow cloud-init to run rpm scriptlets to install packages. BZ(1227484)
- Allow nagios to generate charts.
- Allow glusterd to send generic signals to systemd_passwd_agent processes.
- Allow glusterd to run init scripts.
- Allow glusterd to execute /usr/sbin/xfs_dbin glusterd_t domain.
- Calling cron_system_entry() in pcp_domain_template needs to be a part of optional_policy block.
- Allow samba-net to access /var/lib/ctdbd dirs/files.
- Allow glusterd to send a signal to smbd.
- Make ctdbd as home manager to access also FUSE.
- Allow glusterd to use geo-replication gluster tool.
- Allow glusterd to execute ssh-keygen.
- Allow glusterd to interact with cluster services.
- Add rhcs_dbus_chat_cluster()
- systemd-logind accesses /dev/shm. BZ(1230443)
- Label gluster python hooks also as bin_t.
- Allow sshd to execute gnome-keyring if there is configured pam_gnome_keyring.so.
- Allow gnome-keyring executed by passwd to access /run/user/UID/keyring to change a password.
- Add missing typealiases in apache_content_template() for script domain/executable.
- Don't use deprecated userdom_manage_tmpfs_role() interface calliing and use userdom_manage_tmp_role() instead.
- Add support for new cobbler dir locations:
- Add support for iprdbg logging files in /var/log.
- Add relabel_user_home_dirs for use by docker_t
- allow httpd_t to read nagios lib_var_lib_t to allow rddtool generate graphs which will be shown by httpd .
- Add nagios_read_lib() interface.
- Additional fix for mongod_unit_file_t in mongodb.te.
- Fix decl of mongod_unit_file to mongod_unit_file_t.
- Fix mongodb unit file declaration.
- Update virt_read_pid_files() interface to allow read also symlinks with virt_var_run_t type.
- Fix labeling for /usr/libexec/mysqld_safe-scl-helper.
- Add support for mysqld_safe-scl-helper which is needed for RHSCL daemons.
- Allow sys_ptrace cap for sblim-gatherd caused by ps.
- Add support for /usr/libexec/mongodb-scl-helper RHSCL helper script.
- Add support for mongod/mongos systemd unit files.
- Allow dnssec-trigger to send sigchld to networkmanager
- add interface networkmanager_sigchld
- Add dnssec-trigger unit file Label dnssec-trigger script in libexec
- Remove duplicate specification for /etc/localtime.
- Add default labeling for /etc/localtime symlink.
- Define ipa_var_run_t type
- Allow certmonger to manage renewal.lock. BZ(1213256)
- Add ipa_manage_pid_files interface.
- Add rules for netlink_socket in iotop.
- Allow iotop netlink socket.
- cloudinit and rhsmcertd need to communicate with dbus
- Allow apcupsd to use USBttys. BZ(1210960)
- Allow sge_execd_t to mamange tmp sge lnk files.BZ(1211574)
- Remove dac_override capability for setroubleshoot. We now have it running as setroubleshoot user.
- Allow syslogd_t to manage devlog_t lnk files. BZ(1210968)
- Allow abrtd to list home config. BZ(1199658)
- Dontaudit dnssec_trigger_t to read /tmp. BZ(1210250)
- Allow abrt_dump_oops_t to IPC_LOCK. BZ(1205481)
- Allow mock_t to use ptmx. BZ(1181333)
- Allow dnssec_trigger_t to stream connect to networkmanager.
- Allow dnssec_trigger_t to create resolv files labeled as net_conf_t
- Fix labeling for keystone CGI scripts.
- Label /usr/libexec/mongodb-scl-helper as mongod_initrc_exec_t. BZ(1202013)
- Add mongodb port to httpd_can_network_connect_db interface. BZ(1209180)
- Allow mongod to work with configured SSSD.
- Add collectd net_raw capability. BZ(1194169)
- Merge postfix spool types(maildrop,flush) to one postfix_spool_t
- Allow dhcpd kill capability.
- Make rwhod as nsswitch domain.
- Add support for new fence agent fence_mpath which is executed by fence_node.
- Fix cloudform policy.(m4 is case sensitive)
- Allow networkmanager and cloud_init_t to dbus chat
- Allow lsmd plugin to run with configured SSSD.
- Allow bacula access to tape devices.
- Allow sblim domain to read sysctls..
- Allow timemaster send a signal to ntpd.
- Allow mysqld_t to use pam.It is needed by MariDB if auth_apm.so auth plugin is used.
- two 'l' is enough.
- Add labeling for systemd-time*.service unit files and allow systemd-timedated to access these unit files.
- Allow polkit to dbus chat with xserver. (1207478)
- Add lvm_stream_connect() interface.
- Set label of /sys/kernel/debug
- Allow mysqld_t to use pam. BZ(1196104)
- Added label mysqld_etc_t for /etc/my.cnf.d/ dir. BZ(1203989)
- Allow fetchmail to read mail_spool_t. BZ(1200552)
- Dontaudit blueman_t write to all mountpoints. BZ(1198272)
- Allow all domains some process flags.
- Merge branch 'rawhide-base' of github.com:selinux-policy/selinux-policy into rawhide-base
- Turn on overlayfs labeling for testin, we need this backported to F22 and Rawhide. Eventually will need this in RHEL
- docker watches for content in the /etc directory
- Merge branch 'rawhide-contrib' of github.com:selinux-policy/selinux-policy into rawhide-contrib
- Fix abrt_filetrans_named_content() to create /var/tmp/abrt with the correct abrt_var_cache_t labeling.
- Allow docker to communicate with openvswitch
- Merge branch 'rawhide-contrib' of github.com:selinux-policy/selinux-policy into rawhide-contrib
- Allow docker to relablefrom/to sockets and docker_log_t
- Allow journald to set loginuid. BZ(1190498)
- Add cap. sys_admin for passwd_t. BZ(1185191)
- Allow abrt-hook-ccpp running as kernel_t to allow create /var/tmp/abrt with correct labeling.
- Allow glusterd_t exec glusterd_var_lib_t files. BZ(1198406)
- Add gluster_exec_lib interface.
- Allow l2tpd to manage NetworkManager pid files
- Allow firewalld_t relabelfrom firewalld_rw_etc_t. BZ(1195327)
- Allow cyrus bind tcp berknet port. BZ(1198347)
- Add nsswitch domain for more serviecs.
- Allow abrt_dump_oops_t read /etc/passwd file. BZ(1197190)
- Remove ftpd_use_passive_mode boolean. It does not make sense due to ephemeral port handling.
- Make munin yum plugin as unconfined by default.
- Allow bitlbee connections to the system DBUS.
- Allow system apache scripts to send log messages.
- Allow denyhosts execute iptables. BZ(1197371)
- Allow brltty rw event device. BZ(1190349)
- Allow cupsd config to execute ldconfig. BZ(1196608)
- xdm_t now needs to manage user ttys
- Allow ping_t read urand. BZ(1181831)
- Add support for tcp/2005 port.
- Allow setfiles domain to access files with admin_home_t. semanage -i /root/testfile.
- In F23 we are running xserver as the user, need this to allow confined users to us X
- Xserver needs to be transitioned to from confined users
- Added logging_syslogd_pid_filetrans
- xdm_t now talks to hostnamed
- Label new strongswan binary swanctl and new unit file strongswan-swanctl.service. BZ(1193102)
- Additional fix for labeleling /dev/log correctly.
- cups chats with network manager
- Allow parent domains to read/write fifo files in mozilla plugin
- Allow spc_t to transition to svirt domains
- Cleanup spc_t
- docker needs more control over spc_t
- pcp domains are executed out of cron
- Fix labels on new location of resolv.conf
- syslog is not writing to the audit socket
- seunshare is doing getattr on unix_stream_sockets leaked into it
- Allow sshd_t to manage gssd keyring
- Allow apps that create net_conf_t content to create .resolv.conf.NetworkManager
- Posgresql listens on port 9898 when running PCP (pgpool Control Port)
- Allow svirt sandbox domains to read /proc/mtrr
- Allow polipo_deamon connect to all ephemeral ports. BZ(1187723)
- Allow dovecot domains to use sys_resouce
- Allow sshd_t to manage gssd keyring
- gpg_pinentry_t needs more access in f22
- Allow docker to attach to the sandbox and user domains tun devices
- Allow pingd to read /dev/urandom. BZ(1181831)
- Allow virtd to list all mountpoints
- Allow sblim-sfcb to search images
- pkcsslotd_lock_t should be an alias for pkcs_slotd_lock_t.
- Call correct macro in virt_read_content().
- Dontaudit couchdb search in gconf_home_t. BZ(1177717)
- Allow docker_t to changes it rlimit
- Allow neutron to read rpm DB.
- Allow radius to connect/bind radsec ports
- Allow pm-suspend running as virt_qemu_ga to read
/var/log/pm-suspend.log.
- Add devicekit_read_log_files().
- Allow virt_qemu_ga to dbus chat with rpm.
- Allow netutils chown capability to make tcpdump working with -w.
- Label /ostree/deploy/rhel-atomic-host/deploy directory as
system_conf_t.
- journald now reads the netlink audit socket
- Add auditing support for ipsec.
* Thu Jan 29 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-105
- Bump release
- Allow admin SELinux users mounting / as private within a new mount namespace as root in MLS.
- Fix miscfiles_manage_generic_cert_files() to allow manage link files
- Allow pegasus_openlmi_storage_t use nsswitch. BZ(1172258)
- Add support for /var/run/gluster.
- Allow openvpn manage systemd_passwd_var_run_t files. BZ(1170085)
- Add files_dontaudit_list_security_dirs() interface.
- Added seutil_dontaudit_access_check_semanage_module_store interface.
- Allow docker to create /root/.docker
- Allow rlogind to use also rlogin ports
- dontaudit list security dirs for samba domain
- Dontaudit couchdb to list /var