Commit Graph

2220 Commits

Author SHA1 Message Date
Zdenek Pytela
0a14f83579 * Mon Feb 12 2024 Zdenek Pytela <zpytela@redhat.com> - 40.13-1
- Only allow confined user domains to login locally without unconfined_login
- Add userdom_spec_domtrans_confined_admin_users interface
- Only allow admindomain to execute shell via ssh with ssh_sysadm_login
- Add userdom_spec_domtrans_admin_users interface
- Move ssh dyntrans to unconfined inside unconfined_login tunable policy
- Update ssh_role_template() for user ssh-agent type
- Allow init to inherit system DBus file descriptors
- Allow init to inherit fds from syslogd
- Allow any domain to inherit fds from rpm-ostree
- Update afterburn policy
- Allow init_t nnp domain transition to abrtd_t
2024-02-12 12:26:33 +01:00
Zdenek Pytela
6dd5c78a95 * Tue Feb 06 2024 Zdenek Pytela <zpytela@redhat.com> - 40.12-1
- Rename all /var/lock file context entries to /run/lock
- Rename all /var/run file context entries to /run
- Invert the "/var/run = /run" equivalency
2024-02-06 14:25:48 +01:00
Zdenek Pytela
0ec128677b * Mon Feb 05 2024 Zdenek Pytela <zpytela@redhat.com> - 40.11-1
- Replace init domtrans rule for confined users to allow exec init
- Update dbus_role_template() to allow user service status
- Allow polkit status all systemd services
- Allow setroubleshootd create and use inherited io_uring
- Allow load_policy read and write generic ptys
- Allow gpg manage rpm cache
- Allow login_userdomain name_bind to howl and xmsg udp ports
- Allow rules for confined users logged in plasma
- Label /dev/iommu with iommu_device_t
- Remove duplicate file context entries in /run
- Dontaudit getty and plymouth the checkpoint_restore capability
- Allow su domains write login records
- Revert "Allow su domains write login records"
- Allow login_userdomain delete session dbusd tmp socket files
- Allow unix dgram sendto between exim processes
- Allow su domains write login records
- Allow smbd_t to watch user_home_dir_t if samba_enable_home_dirs is on
2024-02-05 16:57:20 +01:00
Zdenek Pytela
ac73b2b07b * Wed Jan 24 2024 Zdenek Pytela <zpytela@redhat.com> - 40.10-1
- Allow chronyd-restricted read chronyd key files
- Allow conntrackd_t to use bpf capability2
- Allow systemd-networkd manage its runtime socket files
- Allow init_t nnp domain transition to colord_t
- Allow polkit status systemd services
- nova: Fix duplicate declarations
- Allow httpd work with PrivateTmp
- Add interfaces for watching and reading ifconfig_var_run_t
- Allow collectd read raw fixed disk device
- Allow collectd read udev pid files
- Set correct label on /etc/pki/pki-tomcat/kra
- Allow systemd domains watch system dbus pid socket files
- Allow certmonger read network sysctls
- Allow mdadm list stratisd data directories
- Allow syslog to run unconfined scripts conditionally
- Allow syslogd_t nnp_transition to syslogd_unconfined_script_t
- Allow qatlib set attributes of vfio device files
2024-01-24 21:28:05 +01:00
Zdenek Pytela
443b716de1 * Tue Jan 09 2024 Zdenek Pytela <zpytela@redhat.com> - 40.9-1
- Allow systemd-sleep set attributes of efivarfs files
- Allow samba-dcerpcd read public files
- Allow spamd_update_t the sys_ptrace capability in user namespace
- Allow bluetooth devices work with alsa
- Allow alsa get attributes filesystems with extended attributes
2024-01-09 20:59:16 +01:00
Yaakov Selkowitz
e46b929e63 Limit %selinux_requires to version, not release
Using exact NVR dependencies works well within RPMS from a single SRPM,
but otherwise relies on assumptions which do not always hold out.
Because %release includes %dist, this is particularly fragile in the
context of the Rawhide->ELN->c10s build pipeline.  For instance, if a
package which uses %selinux_requires gets built for ELN with the rawhide
selinux-policy, then .fcNN will be hardcoded into the ELN build, and the
ELN build with .elnNNN will never meet the condition (since f > e).
2024-01-02 11:15:16 -05:00
Zdenek Pytela
68923ff3dd * Thu Dec 21 2023 Zdenek Pytela <zpytela@redhat.com> - 40.8-1
- Allow hypervkvp_t write access to NetworkManager_etc_rw_t
- Add interface for write-only access to NetworkManager rw conf
- Allow systemd-sleep send a message to syslog over a unix dgram socket
- Allow init create and use netlink netfilter socket
- Allow qatlib load kernel modules
- Allow qatlib run lspci
- Allow qatlib manage its private runtime socket files
- Allow qatlib read/write vfio devices
- Label /etc/redis.conf with redis_conf_t
- Remove the lockdown-class rules from the policy
- Allow init read all non-security socket files
- Replace redundant dnsmasq pattern macros
- Remove unneeded symlink perms in dnsmasq.if
- Add additions to dnsmasq interface
- Allow nvme_stas_t create and use netlink kobject uevent socket
- Allow collectd connect to statsd port
- Allow keepalived_t to use sys_ptrace of cap_userns
- Allow dovecot_auth_t connect to postgresql using UNIX socket
2023-12-21 17:03:58 +01:00
Zdenek Pytela
df4c66da89 * Wed Dec 13 2023 Zdenek Pytela <zpytela@redhat.com> - 40.7-1
- Make named_zone_t and named_var_run_t a part of the mountpoint attribute
- Allow sysadm execute traceroute in sysadm_t domain using sudo
- Allow sysadm execute tcpdump in sysadm_t domain using sudo
- Allow opafm search nfs directories
- Add support for syslogd unconfined scripts
- Allow gpsd use /dev/gnss devices
- Allow gpg read rpm cache
- Allow virtqemud additional permissions
- Allow virtqemud manage its private lock files
- Allow virtqemud use the io_uring api
- Allow ddclient send e-mail notifications
- Allow postfix_master_t map postfix data files
- Allow init create and use vsock sockets
- Allow thumb_t append to init unix domain stream sockets
- Label /dev/vas with vas_device_t
- Change domain_kernel_load_modules boolean to true
- Create interface selinux_watch_config and add it to SELinux users
2023-12-13 16:42:42 +01:00
Zdenek Pytela
ce3921683b * Tue Nov 28 2023 Zdenek Pytela <zpytela@redhat.com> - 40.6-1
- Add afterburn to modules-targeted-contrib.conf
- Update cifs interfaces to include fs_search_auto_mountpoints()
- Allow sudodomain read var auth files
- Allow spamd_update_t read hardware state information
- Allow virtnetworkd domain transition on tc command execution
- Allow sendmail MTA connect to sendmail LDA
- Allow auditd read all domains process state
- Allow rsync read network sysctls
- Add dhcpcd bpf capability to run bpf programs
- Dontaudit systemd-hwdb dac_override capability
- Allow systemd-sleep create efivarfs files
2023-11-28 15:43:25 +01:00
Zdenek Pytela
648853f428 * Tue Nov 14 2023 Zdenek Pytela <zpytela@redhat.com> - 40.5-1
- Allow map xserver_tmpfs_t files when xserver_clients_write_xshm is on
- Allow graphical applications work in Wayland
- Allow kdump work with PrivateTmp
- Allow dovecot-auth work with PrivateTmp
- Allow nfsd get attributes of all filesystems
- Allow unconfined_domain_type use io_uring cmd on domain
- ci: Only run Rawhide revdeps tests on the rawhide branch
- Label /var/run/auditd.state as auditd_var_run_t
- Allow fido-device-onboard (FDO) read the crack database
- Allow ip an explicit domain transition to other domains
- Label /usr/libexec/selinux/selinux-autorelabel with semanage_exec_t
- Allow  winbind_rpcd_t processes access when samba_export_all_* is on
- Enable NetworkManager and dhclient to use initramfs-configured DHCP connection
- Allow ntp to bind and connect to ntske port.
- Allow system_mail_t manage exim spool files and dirs
- Dontaudit keepalived setattr on keepalived_unconfined_script_exec_t
- Label /run/pcsd.socket with cluster_var_run_t
- ci: Run cockpit tests in PRs
2023-11-14 20:38:51 +01:00
Zdenek Pytela
2d11fcc9ab * Thu Oct 19 2023 Zdenek Pytela <zpytela@redhat.com> - 40.4-1
- Add map_read map_write to kernel_prog_run_bpf
- Allow systemd-fstab-generator read all symlinks
- Allow systemd-fstab-generator the dac_override capability
- Allow rpcbind read network sysctls
- Support using systemd containers
- Allow sysadm_t to connect to iscsid using a unix domain stream socket
- Add policy for coreos installer
- Add coreos_installer to modules-targeted-contrib.conf
2023-10-19 17:46:31 +02:00
Zdenek Pytela
1cd26ed671 * Tue Oct 17 2023 Zdenek Pytela <zpytela@redhat.com> - 40.3-1
- Add policy for nvme-stas
- Confine systemd fstab,sysv,rc-local
- Label /etc/aliases.lmdb with etc_aliases_t
- Create policy for afterburn
2023-10-17 22:10:31 +02:00
Zdenek Pytela
6fbdf6352d Add the virt_supplementary module to modules-targeted-contrib.conf 2023-10-10 10:49:52 +02:00
Zdenek Pytela
2bde33920c * Tue Oct 10 2023 Zdenek Pytela <zpytela@redhat.com> - 40.2-1
- Make new virt drivers permissive
- Split virt policy, introduce virt_supplementary module
- Allow apcupsd cgi scripts read /sys
- Merge pull request #1893 from WOnder93/more-early-boot-overlay-fixes
- Allow kernel_t to manage and relabel all files
- Add missing optional_policy() to files_relabel_all_files()
2023-10-10 10:47:42 +02:00
Zdenek Pytela
995481ca80 * Tue Oct 03 2023 Zdenek Pytela <zpytela@redhat.com> - 40.1-1
- Allow named and ndc use the io_uring api
- Deprecate common_anon_inode_perms usage
- Improve default file context(None) of /var/lib/authselect/backups
- Allow udev_t to search all directories with a filesystem type
- Implement proper anon_inode support
- Allow targetd write to the syslog pid sock_file
- Add ipa_pki_retrieve_key_exec() interface
- Allow kdumpctl_t to list all directories with a filesystem type
- Allow udev additional permissions
- Allow udev load kernel module
- Allow sysadm_t to mmap modules_object_t files
- Add the unconfined_read_files() and unconfined_list_dirs() interfaces
- Set default file context of HOME_DIR/tmp/.* to <<none>>
- Allow kernel_generic_helper_t to execute mount(1)
2023-10-04 15:57:34 +02:00
Zdenek Pytela
11c92f5ea8 * Fri Sep 29 2023 Zdenek Pytela <zpytela@redhat.com> - 38.29-1
- Allow sssd send SIGKILL to passkey_child running in ipa_otpd_t
- Allow systemd-localed create Xserver config dirs
- Allow sssd read symlinks in /etc/sssd
- Label /dev/gnss[0-9] with gnss_device_t
- Allow systemd-sleep read/write efivarfs variables
- ci: Fix version number of packit generated srpms
- Dontaudit rhsmcertd write memory device
- Allow ssh_agent_type create a sockfile in /run/user/USERID
- Set default file context of /var/lib/authselect/backups to <<none>>
- Allow prosody read network sysctls
- Allow cupsd_t to use bpf capability
2023-09-29 20:49:14 +02:00
Zdenek Pytela
4beb93659f * Fri Sep 15 2023 Zdenek Pytela <zpytela@redhat.com> - 38.28-1
- Allow sssd domain transition on passkey_child execution conditionally
- Allow login_userdomain watch lnk_files in /usr
- Allow login_userdomain watch video4linux devices
- Change systemd-network-generator transition to include class file
- Revert "Change file transition for systemd-network-generator"
- Allow nm-dispatcher winbind plugin read/write samba var files
- Allow systemd-networkd write to cgroup files
- Allow kdump create and use its memfd: objects
2023-09-15 14:49:49 +02:00
Zdenek Pytela
16fcf3610b * Thu Aug 31 2023 Zdenek Pytela <zpytela@redhat.com> - 38.27-1
- Allow fedora-third-party get generic filesystem attributes
- Allow sssd use usb devices conditionally
- Update policy for qatlib
- Allow ssh_agent_type manage generic cache home files
2023-08-31 23:22:26 +02:00
Zdenek Pytela
42961943f5 * Thu Aug 24 2023 Zdenek Pytela <zpytela@redhat.com> - 38.26-1
- Change file transition for systemd-network-generator
- Additional support for gnome-initial-setup
- Update gnome-initial-setup policy for geoclue
- Allow openconnect vpn open vhost net device
- Allow cifs.upcall to connect to SSSD also through the /var/run socket
- Grant cifs.upcall more required capabilities
- Allow xenstored map xenfs files
- Update policy for fdo
- Allow keepalived watch var_run dirs
- Allow svirt to rw /dev/udmabuf
- Allow qatlib  to modify hardware state information.
- Allow key.dns_resolve connect to avahi over a unix stream socket
- Allow key.dns_resolve create and use unix datagram socket
- Use quay.io as the container image source for CI
2023-08-24 21:17:38 +02:00
Zdenek Pytela
314088eca9 * Fri Aug 11 2023 Zdenek Pytela <zpytela@redhat.com> - 38.25-1
- ci: Move srpm/rpm build to packit
- .copr: Avoid subshell and changing directory
- Allow gpsd, oddjob and oddjob_mkhomedir_t write user_tty_device_t chr_file
- Label /usr/libexec/openssh/ssh-pkcs11-helper with ssh_agent_exec_t
- Make insights_client_t an unconfined domain
- Allow insights-client manage user temporary files
- Allow insights-client create all rpm logs with a correct label
- Allow insights-client manage generic logs
- Allow cloud_init create dhclient var files and init_t manage net_conf_t
- Allow insights-client read and write cluster tmpfs files
- Allow ipsec read nsfs files
- Make tuned work with mls policy
- Remove nsplugin_role from mozilla.if
- allow mon_procd_t self:cap_userns sys_ptrace
- Allow pdns name_bind and name_connect all ports
- Set the MLS range of fsdaemon_t to s0 - mls_systemhigh
- ci: Move to actions/checkout@v3 version
- .copr: Replace chown call with standard workflow safe.directory setting
- .copr: Enable `set -u` for robustness
- .copr: Simplify root directory variable
2023-08-14 18:30:13 +02:00
Zdenek Pytela
02754e0832 * Fri Aug 04 2023 Zdenek Pytela <zpytela@redhat.com> - 38.24-1
- Allow rhsmcertd dbus chat with policykit
- Allow polkitd execute pkla-check-authorization with nnp transition
- Allow user_u and staff_u get attributes of non-security dirs
- Allow unconfined user filetrans chrome_sandbox_home_t
- Allow svnserve execute postdrop with a transition
- Do not make postfix_postdrop_t type an MTA executable file
- Allow samba-dcerpc service manage samba tmp files
- Add use_nfs_home_dirs boolean for mozilla_plugin
- Fix labeling for no-stub-resolv.conf
2023-08-04 19:48:49 +02:00
Zdenek Pytela
c618bb9f5d * Wed Aug 02 2023 Zdenek Pytela <zpytela@redhat.com> - 38.23-1
- Revert "Allow winbind-rpcd use its private tmp files"
- Allow upsmon execute upsmon via a helper script
- Allow openconnect vpn read/write inherited vhost net device
- Allow winbind-rpcd use its private tmp files
- Update samba-dcerpc policy for printing
- Allow gpsd,oddjob,oddjob_mkhomedir rw user domain pty
- Allow nscd watch system db dirs
- Allow qatlib to read sssd public files
- Allow fedora-third-party read /sys and proc
- Allow systemd-gpt-generator mount a tmpfs filesystem
- Allow journald write to cgroup files
- Allow rpc.mountd read network sysctls
- Allow blueman read the contents of the sysfs filesystem
- Allow logrotate_t to map generic files in /etc
- Boolean: Allow virt_qemu_ga create ssh directory
2023-08-02 22:34:58 +02:00
Zdenek Pytela
1969a71055 * Fri Jul 21 2023 Zdenek Pytela <zpytela@redhat.com> - 38.22-1
- Allow systemd-network-generator send system log messages
- Dontaudit the execute permission on sock_file globally
- Allow fsadm_t the file mounton permission
- Allow named and ndc the io_uring sqpoll permission
- Allow sssd io_uring sqpoll permission
- Fix location for /run/nsd
- Allow qemu-ga get fixed disk devices attributes
- Update bitlbee policy
- Label /usr/sbin/sos with sosreport_exec_t
- Update policy for the sblim-sfcb service
- Add the files_getattr_non_auth_dirs() interface
- Fix the CI to work with DNF5
2023-07-25 19:19:47 +02:00
Fedora Release Engineering
4f880142d7 Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild
Signed-off-by: Fedora Release Engineering <releng@fedoraproject.org>
2023-07-22 01:23:35 +00:00
Zdenek Pytela
3861cc6854 * Thu Jul 13 2023 Zdenek Pytela <zpytela@redhat.com> - 38.21-1
- Make systemd_tmpfiles_t MLS trusted for lowering the level of files
- Revert "Allow insights client map cache_home_t"
- Allow nfsidmapd connect to systemd-machined over a unix socket
- Allow snapperd connect to kernel over a unix domain stream socket
- Allow virt_qemu_ga_t create .ssh dir with correct label
- Allow targetd read network sysctls
- Set the abrt_handle_event boolean to on
- Permit kernel_t to change the user identity in object contexts
- Allow insights client map cache_home_t
- Label /usr/sbin/mariadbd with mysqld_exec_t
- Trim changelog so that it starts at F37 time
- Define equivalency for /run/systemd/generator.early
2023-07-13 22:29:20 +02:00
Zdenek Pytela
59a0d615a7 Trim changelog so that it starts at F37 time 2023-07-13 21:43:45 +02:00
Zdenek Pytela
3217953fb6 * Thu Jun 29 2023 Zdenek Pytela <zpytela@redhat.com> - 38.20-1
- Allow httpd tcp connect to redis port conditionally
- Label only /usr/sbin/ripd and ripngd with zebra_exec_t
- Dontaudit aide the execmem permission
- Remove permissive from fdo
- Allow sa-update manage spamc home files
- Allow sa-update connect to systemlog services
- Label /usr/lib/systemd/system/mimedefang.service with antivirus_unit_file_t
- Allow nsd_crond_t write nsd_var_run_t & connectto nsd_t
- Allow bootupd search EFI directory
2023-06-29 11:47:37 +02:00
Zdenek Pytela
0a1d561fed * Tue Jun 27 2023 Zdenek Pytela <zpytela@redhat.com> - 38.19-1
- Change init_audit_control default value to true
- Allow nfsidmapd connect to systemd-userdbd with a unix socket
- Add the qatlib  module
- Add the fdo module
- Add the bootupd module
- Set default ports for keylime policy
- Create policy for qatlib
- Add policy for FIDO Device Onboard
- Add policy for bootupd
- Add the qatlib module
- Add the fdo module
- Add the bootupd module
2023-06-27 20:40:11 +02:00
Zdenek Pytela
ca2263f358 * Sun Jun 25 2023 Zdenek Pytela <zpytela@redhat.com> - 38.18-1
- Add support for kafs-dns requested by keyutils
- Allow insights-client execmem
- Add support for chronyd-restricted
- Add init_explicit_domain() interface
- Allow fsadm_t to get attributes of cgroup filesystems
- Add list_dir_perms to kerberos_read_keytab
- Label /var/run/tmpfiles.d/static-nodes.conf with kmod_var_run_t
- Allow sendmail manage its runtime files
- Allow keyutils_dns_resolver_exec_t be an entrypoint
- Allow collectd_t read network state symlinks
- Revert "Allow collectd_t read proc_net link files"
- Allow nfsd_t to list exports_t dirs
- Allow cupsd dbus chat with xdm
- Allow haproxy read hardware state information
- Add the kafs module
2023-06-25 13:44:12 +02:00
Zdenek Pytela
38fd9a9006 * Thu Jun 15 2023 Zdenek Pytela <zpytela@redhat.com> - 38.17-1
- Label /dev/userfaultfd with userfaultfd_t
- Allow blueman send general signals to unprivileged user domains
- Allow dkim-milter domain transition to sendmail
- Label /usr/sbin/cifs.idmap with cifs_helper_exec_t
- Allow cifs-helper read sssd kerberos configuration files
- Allow rpm_t sys_admin capability
- Allow dovecot_deliver_t create/map dovecot_spool_t dir/file
- Allow collectd_t read proc_net link files
- Allow insights-client getsession process permission
- Allow insights-client work with pipe and socket tmp files
- Allow insights-client map generic log files
- Update cyrus_stream_connect() to use sockets in /run
- Allow keyutils-dns-resolver read/view kernel key ring
- Label /var/log/kdump.log with kdump_log_t
2023-06-15 11:13:58 +02:00
Zdenek Pytela
995ad0daac Exclude container-selinux manpage from selinux-policy-doc
The container_selinux.8 manpage is a part of the upstream
container-selinux package and it should rather be a part
of container-selinux.

Resolves: rhbz#2209120
2023-06-12 17:15:47 +02:00
Zdenek Pytela
37f102411a * Fri Jun 09 2023 Zdenek Pytela <zpytela@redhat.com> - 38.16-1
- Add support for the systemd-pstore service
- Allow kdumpctl_t to execmem
- Update sendmail policy module for opensmtpd
- Allow nagios-mail-plugin exec postfix master
- Allow subscription-manager execute ip
- Allow ssh client connect with a user dbus instance
- Add support for ksshaskpass
- Allow rhsmcertd file transition in /run also for socket files
- Allow keyutils_dns_resolver_t execute keyutils_dns_resolver_exec_t
- Allow plymouthd read/write X server miscellaneous devices
- Allow systemd-sleep read udev pid files
- Allow exim read network sysctls
- Allow sendmail request load module
- Allow named map its conf files
- Allow squid map its cache files
- Allow NetworkManager_dispatcher_dhclient_t to execute shells without a domain transition
2023-06-09 22:29:46 +02:00
Zdenek Pytela
70fa3a1489 * Tue May 30 2023 Zdenek Pytela <zpytela@redhat.com> - 38.15-1
- Update policy for systemd-sleep
- Remove permissive domain for rshim_t
- Remove permissive domain for mptcpd_t
- Allow systemd-bootchartd the sys_ptrace userns capability
- Allow sysadm_t read nsfs files
- Allow sysadm_t run kernel bpf programs
- Update ssh_role_template for ssh-agent
- Update ssh_role_template to allow read/write unallocated ttys
- Add the booth module to modules.conf
- Allow firewalld rw ica_tmpfs_t files
2023-05-30 12:00:03 +02:00
Zdenek Pytela
f148635ab0 * Fri May 26 2023 Zdenek Pytela <zpytela@redhat.com> - 38.14-1
- Remove permissive domain for cifs_helper_t
- Update the cifs-helper policy
- Replace cifsutils_helper_domtrans() with keyutils_request_domtrans_to()
- Update pkcsslotd policy for sandboxing
- Allow abrt_t read kernel persistent storage files
- Dontaudit targetd search httpd config dirs
- Allow init_t nnp domain transition to policykit_t
- Allow rpcd_lsad setcap and use generic ptys
- Allow samba-dcerpcd connect to systemd_machined over a unix socket
- Allow wireguard to rw network sysctls
- Add policy for boothd
- Allow kernel to manage its own BPF objects
- Label /usr/lib/systemd/system/proftpd.* & vsftpd.* with ftpd_unit_file_t
2023-05-26 13:00:58 +02:00
Zdenek Pytela
dfde7d3e7a * Mon May 22 2023 Zdenek Pytela <zpytela@redhat.com> - 38.13-1
- Add initial policy for cifs-helper
- Label key.dns_resolver with keyutils_dns_resolver_exec_t
- Allow unconfined_service_t to create .gnupg labeled as gpg_secret_t
- Allow some systemd services write to cgroup files
- Allow NetworkManager_dispatcher_dhclient_t to read the DHCP configuration files
- Allow systemd resolved to bind to arbitrary nodes
- Allow plymouthd_t bpf capability to run bpf programs
- Allow cupsd to create samba_var_t files
- Allow rhsmcert request the kernel to load a module
- Allow virsh name_connect virt_port_t
- Allow certmonger manage cluster library files
- Allow plymouthd read init process state
- Add chromium_sandbox_t setcap capability
- Allow snmpd read raw disk data
- Allow samba-rpcd work with passwords
- Allow unconfined service inherit signal state from init
- Allow cloud-init manage gpg admin home content
- Allow cluster_t dbus chat with various services
- Allow nfsidmapd work with systemd-userdbd and sssd
- Allow unconfined_domain_type use IORING_OP_URING_CMD on all device nodes
- Allow plymouthd map dri and framebuffer devices
- Allow rpmdb_migrate execute rpmdb
- Allow logrotate dbus chat with systemd-hostnamed
- Allow icecast connect to kernel using a unix stream socket
- Allow lldpad connect to systemd-userdbd over a unix socket
- Allow journalctl open user domain ptys and ttys
- Allow keepalived to manage its tmp files
- Allow ftpd read network sysctls
- Label /run/bgpd with zebra_var_run_t
- Allow gssproxy read network sysctls
- Add the cifsutils module
2023-05-22 09:00:23 +02:00
Zdenek Pytela
9619eb8fb1 * Tue Apr 25 2023 Zdenek Pytela <zpytela@redhat.com> - 38.12-1
- Allow telnetd read network sysctls
- Allow munin system plugin read generic SSL certificates
- Allow munin system plugin create and use netlink generic socket
- Allow login_userdomain create user namespaces
- Allow request-key to send syslog messages
- Allow request-key to read/view any key
- Add fs_delete_pstore_files() interface
- Allow insights-client work with teamdctl
- Allow insights-client read unconfined service semaphores
- Allow insights-client get quotas of all filesystems
- Add fs_read_pstore_files() interface
- Allow generic kernel helper to read inherited kernel pipes
2023-04-25 22:13:11 +02:00
Zdenek Pytela
10fd8395c1 * Fri Apr 14 2023 Zdenek Pytela <zpytela@redhat.com> - 38.11-1
- Allow dovecot-deliver write to the main process runtime fifo files
- Allow dmidecode write to cloud-init tmp files
- Allow chronyd send a message to cloud-init over a datagram socket
- Allow cloud-init domain transition to insights-client domain
- Allow mongodb read filesystem sysctls
- Allow mongodb read network sysctls
- Allow accounts-daemon read generic systemd unit lnk files
- Allow blueman watch generic device dirs
- Allow nm-dispatcher tlp plugin create tlp dirs
- Allow systemd-coredump mounton /usr
- Allow rabbitmq to read network sysctls
2023-04-14 13:48:00 +02:00
Zdenek Pytela
1c3d527d43 * Tue Apr 04 2023 Zdenek Pytela <zpytela@redhat.com> - 38.10-1
- Allow certmonger dbus chat with the cron system domain
- Allow geoclue read network sysctls
- Allow geoclue watch the /etc directory
- Allow logwatch_mail_t read network sysctls
- Allow insights-client read all sysctls
- Allow passt manage qemu pid sock files
2023-04-04 21:35:41 +02:00
Zdenek Pytela
737e197bb4 * Fri Mar 24 2023 Zdenek Pytela <zpytela@redhat.com> - 38.9-1
- Allow sssd read accountsd fifo files
- Add support for the passt_t domain
- Allow virtd_t and svirt_t work with passt
- Add new interfaces in the virt module
- Add passt interfaces defined conditionally
- Allow tshark the setsched capability
- Allow poweroff create connections to system dbus
- Allow wg load kernel modules, search debugfs dir
- Boolean: allow qemu-ga manage ssh home directory
- Label smtpd with sendmail_exec_t
- Label msmtp and msmtpd with sendmail_exec_t
- Allow dovecot to map files in /var/spool/dovecot
2023-03-24 20:05:51 +01:00
Zdenek Pytela
4a6ce4bf1f * Fri Mar 03 2023 Zdenek Pytela <zpytela@redhat.com> - 38.8-1
- Confine gnome-initial-setup
- Allow qemu-guest-agent create and use vsock socket
- Allow login_pgm setcap permission
- Allow chronyc read network sysctls
- Enhancement of the /usr/sbin/request-key helper policy
- Fix opencryptoki file names in /dev/shm
- Allow system_cronjob_t transition to rpm_script_t
- Revert "Allow system_cronjob_t domtrans to rpm_script_t"
- Add tunable to allow squid bind snmp port
- Allow staff_t getattr init pid chr & blk files and read krb5
- Allow firewalld to rw z90crypt device
- Allow httpd work with tokens in /dev/shm
- Allow svirt to map svirt_image_t char files
- Allow sysadm_t run initrc_t script and sysadm_r role access
- Allow insights-client manage fsadm pid files
2023-03-03 17:49:15 +01:00
Zdenek Pytela
0d20c35838 * Wed Feb 08 2023 Zdenek Pytela <zpytela@redhat.com> - 38.7-1
- Allowing snapper to create snapshots of /home/ subvolume/partition
- Add boolean qemu-ga to run unconfined script
- Label systemd-journald feature LogNamespace
- Add none file context for polyinstantiated tmp dirs
- Allow certmonger read the contents of the sysfs filesystem
- Add journalctl the sys_resource capability
- Allow nm-dispatcher plugins read generic files in /proc
- Add initial policy for the /usr/sbin/request-key helper
- Additional support for rpmdb_migrate
- Add the keyutils module
2023-02-08 21:31:38 +01:00
Zdenek Pytela
232d13e7df * Mon Jan 30 2023 Zdenek Pytela <zpytela@redhat.com> - 38.6-1
- Boolean: allow qemu-ga read ssh home directory
- Allow kernel_t to read/write all sockets
- Allow kernel_t to UNIX-stream connect to all domains
- Allow systemd-resolved send a datagram to journald
- Allow kernel_t to manage and have "execute" access to all files
- Fix the files_manage_all_files() interface
- Allow rshim bpf cap2 and read sssd public files
- Allow insights-client work with su and lpstat
- Allow insights-client tcp connect to all ports
- Allow nm-cloud-setup dispatcher plugin restart nm services
- Allow unconfined user filetransition for sudo log files
- Allow modemmanager create hardware state information files
- Allow ModemManager all permissions for netlink route socket
- Allow wg to send msg to kernel, write to syslog and dbus connections
- Allow hostname_t to read network sysctls.
- Dontaudit ftpd the execmem permission
- Allow svirt request the kernel to load a module
- Allow icecast rename its log files
- Allow upsd to send signal to itself
- Allow wireguard to create udp sockets and read net_conf
- Use %autosetup instead of %setup
- Pass -p 1 to %autosetup
2023-01-30 17:30:57 +01:00
Ondrej Mosnáček
66b983ca0d
Pass -p 1 to %autosetup
This means that the first component of the path is stripped when
applying patches. This is needed so that patches created by git can be
applied.

Signed-off-by: Ondrej Mosnáček <omosnacek@gmail.com>
2023-01-24 14:26:04 +01:00
Ondrej Mosnáček
a5f1fa9914
Use %autosetup instead of %setup
This makes it easier to modify the spec to apply a patch for testing.

The -q option is dropped, as it's the default for %autosetup:
https://rpm-software-management.github.io/rpm/manual/autosetup.html#autosetup-options

Signed-off-by: Ondrej Mosnáček <omosnacek@gmail.com>
2023-01-23 10:49:19 +01:00
Fedora Release Engineering
c11eb88514 Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild
Signed-off-by: Fedora Release Engineering <releng@fedoraproject.org>
2023-01-21 02:58:55 +00:00
Zdenek Pytela
13e15d410c * Fri Jan 13 2023 Zdenek Pytela <zpytela@redhat.com> - 38.5-1
- Allow insights client work with gluster and pcp
- Add insights additional capabilities
- Add interfaces in domain, files, and unconfined modules
- Label fwupdoffline and fwupd-detect-cet with fwupd_exec_t
- Allow sudodomain use sudo.log as a logfile
- Allow pdns server map its library files and bind to unreserved ports
- Allow sysadm_t read/write ipmi devices
- Allow prosody manage its runtime socket files
- Allow kernel threads manage kernel keys
- Allow systemd-userdbd the sys_resource capability
- Allow systemd-journal list cgroup directories
- Allow apcupsd dbus chat with systemd-logind
- Allow nut_domain manage also files and sock_files in /var/run
- Allow winbind-rpcd make a TCP connection to the ldap port
- Label /usr/lib/rpm/rpmdb_migrate with rpmdb_exec_t
- Allow tlp read generic SSL certificates
- Allow systemd-resolved watch tmpfs directories
- Revert "Allow systemd-resolved watch tmpfs directories"
2023-01-13 18:43:38 +01:00
Zdenek Pytela
328d37031b * Mon Dec 19 2022 Zdenek Pytela <zpytela@redhat.com> - 38.4-1
- Allow NetworkManager and wpa_supplicant the bpf capability
- Allow systemd-rfkill the bpf capability
- Allow winbind-rpcd manage samba_share_t files and dirs
- Label /var/lib/httpd/md(/.*)? with httpd_sys_rw_content_t
- Allow gpsd the sys_ptrace userns capability
- Introduce gpsd_tmp_t for sockfiles managed by gpsd_t
- Allow load_policy_t write to unallocated ttys
- Allow ndc read hardware state information
- Allow system mail service read inherited certmonger runtime files
- Add lpr_roles  to system_r roles
- Revert "Allow insights-client run lpr and allow the proper role"
- Allow stalld to read /sys/kernel/security/lockdown file
- Allow keepalived to set resource limits
- Add policy for mptcpd
- Add policy for rshim
- Allow admin users to create user namespaces
- Allow journalctl relabel with var_log_t and syslogd_var_run_t files
- Do not run restorecon /etc/NetworkManager/dispatcher.d in targeted
- Trim changelog so that it starts at F35 time
- Add mptcpd and rshim modules
2022-12-19 16:56:42 +01:00
Zdenek Pytela
be364fec7b Do not run restorecon /etc/NetworkManager/dispatcher.d in targeted
Resolves: rhbz#2093594
2022-12-19 16:37:33 +01:00
Zdenek Pytela
f8cec3d7f5 Trim changelog so that it starts at F35 time
The changelog contains entries from 16 years ago, making the content
unwieldy. With this commit, changelog starts at the time when
F35 package version in rawhide branched off F34.
2022-12-16 12:19:36 +01:00
Zdenek Pytela
5e55a1623d * Wed Dec 14 2022 Zdenek Pytela <zpytela@redhat.com> - 38.3-1
- Allow insights-client dbus chat with various services
- Allow insights-client tcp connect to various ports
- Allow insights-client run lpr and allow the proper role
- Allow insights-client work with pcp and manage user config files
- Allow redis get user names
- Allow kernel threads to use fds from all domains
- Allow systemd-modules-load load kernel modules
- Allow login_userdomain watch systemd-passwd pid dirs
- Allow insights-client dbus chat with abrt
- Grant kernel_t certain permissions in the system class
- Allow systemd-resolved watch tmpfs directories
- Allow systemd-timedated watch init runtime dir
- Make `bootc` be `install_exec_t`
- Allow systemd-coredump create user_namespace
- Allow syslog the setpcap capability
- donaudit virtlogd and dnsmasq execmem
2022-12-14 17:21:00 +01:00