Commit Graph

2235 Commits

Author SHA1 Message Date
Zdenek Pytela
f4aa9187f8 * Thu Oct 24 2024 Zdenek Pytela <zpytela@redhat.com> - 40.13.12-1
- Dontaudit subscription manager setfscreate and read file contexts
Resolves: RHEL-58009
- Allow the sysadm user use the secretmem API
Resolves: RHEL-40953
- Allow sudodomain list files in /var
Resolves: RHEL-58068
- Allow gnome-remote-desktop watch /etc directory
Resolves: RHEL-35877
- Allow journalctl connect to systemd-userdbd over a unix socket
Resolves: RHEL-58072
- systemd: allow sys_admin capability for systemd_notify_t
Resolves: RHEL-58072
- Allow some confined users send to lldpad over a unix dgram socket
Resolves: RHEL-61634
- Allow lldpad send to sysadm_t over a unix dgram socket
Resolves: RHEL-61634
- Allow lldpd connect to systemd-machined over a unix socket
Resolves: RHEL-61634
2024-10-24 22:27:53 +02:00
Zdenek Pytela
c615292dfa * Wed Oct 23 2024 Zdenek Pytela <zpytela@redhat.com> - 40.13.11-1
- Allow ping_t read network sysctls
Resolves: RHEL-54299
- Label /usr/lib/node_modules/npm/bin with bin_t
Resolves: RHEL-56350
- Label /run/sssd with sssd_var_run_t
Resolves: RHEL-57065
- Allow virtqemud read virtd_t files
Resolves: RHEL-57713
- Allow wdmd read hardware state information
Resolves: RHEL-57982
- Allow wdmd list the contents of the sysfs directories
Resolves: RHEL-57982
- Label /etc/sysctl.d and /run/sysctl.d with system_conf_t
Resolves: RHEL-58380
- Allow dirsrv read network sysctls
Resolves: RHEL-58381
- Allow lldpad create and use netlink_generic_socket
Resolves: RHEL-61634
- Allow unconfined_t execute kmod in the kmod domain
Resolves: RHEL-61755
- Confine the pcm service
Resolves: RHEL-52838
- Allow iio-sensor-proxy the bpf capability
Resolves: RHEL-62355
- Confine iio-sensor-proxy
Resolves: RHEL-62355
2024-10-23 22:23:35 +02:00
Zdenek Pytela
b9f20bbf55 * Wed Oct 16 2024 Zdenek Pytela <zpytela@redhat.com> - 40.13.10-1
- Confine gnome-remote-desktop
Resolves: RHEL-35877
- Allow virtqemud get attributes of a tmpfs filesystem
Resolves: RHEL-40855
- Allow virtqemud get attributes of cifs files
Resolves: RHEL-40855
- Allow virtqemud get attributes of filesystems with extended attributes
Resolves: RHEL-39668
- Allow virtqemud get attributes of NFS filesystems
Resolves: RHEL-40855
- Add support for secretmem anon inode
Resolves: RHEL-40953
- Allow systemd-sleep read raw disk data
Resolves: RHEL-49600
- Allow systemd-hwdb send messages to kernel unix datagram sockets
Resolves: RHEL-50810
- Label /run/modprobe.d with modules_conf_t
Resolves: RHEL-54591
- Allow setsebool_t relabel selinux data files
Resolves: RHEL-55412
- Don't audit crontab_domain write attempts to user home
Resolves: RHEL-56349
- Differentiate between staff and sysadm when executing crontab with sudo
Resolves: RHEL-56349
- Add crontab_admin_domtrans interface
Resolves: RHEL-56349
- Add crontab_domtrans interface
Resolves: RHEL-56349
- Allow boothd connect to kernel over a unix socket
Resolves: RHEL-58060
- Fix label of pseudoterminals created from sudodomain
Resolves: RHEL-58068
- systemd: allow systemd_notify_t to send data to kernel_t datagram sockets
Resolves: RHEL-58072
- Allow rsyslog read systemd-logind session files
Resolves: RHEL-40961
- Label /dev/mmcblk0rpmb character device with removable_device_t
Resolves: RHEL-55265
- Label /dev/hfi1_[0-9]+ devices
Resolves: RHEL-62836
- Label /dev/papr-sysparm and /dev/papr-vpd
Resolves: RHEL-56908
- Support SGX devices
Resolves: RHEL-62354
- Suppress semodule's stderr
Resolves: RHEL-59192
2024-10-16 16:41:17 +02:00
Petr Lautrbach
0c8f629e44 Suppress semodule's stderr
Since libsemanage commit d96f27bf7cb91 ("libsemanage: Preserve file context
and ownership in policy store"), libsemanage tries to preserve file
contexts during SELinux policy rebuild. If the underline fs does not
support any operation used, it prints warnings on stderr. Given that
it's not a fatal error, it's reasonable to suppress them.

Fixes:

    $ podman run --pull=newer --rm -ti quay.io/fedora/fedora:rawhide
    [root@3a1e072c5559 /]# dnf4 install selinux-policy-targeted
    ...
    Could not set context for /var/lib/selinux/targeted/tmp/modules/100/zosremote/cil:  Operation not supported
    Could not set context for /var/lib/selinux/targeted/tmp/modules/100/zosremote/hll:  Operation not supported
    Could not set context for /var/lib/selinux/targeted/tmp/modules/100/zosremote/lang_ext:  Operation not supported
    ...
    Could not set context for /etc/selinux/targeted/contexts/files/file_contexts.homedirs.bin:  Operation not supported
    Could not set context for /etc/selinux/targeted/policy/policy.33:  Operation not supported
    Could not set context for /etc/selinux/targeted/seusers:  Operation not supported

[skip changelog]

Resolves: RHEL-59192
2024-10-10 09:35:08 +02:00
Zdenek Pytela
52526cb202 * Mon Aug 26 2024 Zdenek Pytela <zpytela@redhat.com> - 40.13.9-1
- Allow virtqemud relabelfrom also for file and sock_file
Resolves: RHEL-49763
- Allow virtqemud relabel user tmp files and socket files
Resolves: RHEL-49763
- Update virtqemud policy for libguestfs usage
Resolves: RHEL-49763
- Label /run/libvirt/qemu/channel with virtqemud_var_run_t
Resolves: RHEL-47274
2024-08-26 19:42:36 +02:00
Zdenek Pytela
926debbc11 * Tue Aug 13 2024 Zdenek Pytela <zpytela@redhat.com> - 40.13.8-1
- Add virt_create_log() and virt_write_log() interfaces
Resolves: RHEL-47274
- Update libvirt policy
Resolves: RHEL-45464
Resolves: RHEL-49763
- Allow svirt_tcg_t map svirt_image_t files
Resolves: RHEL-47274
- Allow svirt_tcg_t read vm sysctls
Resolves: RHEL-47274
- Additional updates stalld policy for bpf usage
Resolves: RHEL-50356
2024-08-13 19:32:48 +02:00
Zdenek Pytela
f5b3d7b772 * Thu Aug 08 2024 Zdenek Pytela <zpytela@redhat.com> - 40.13.7-1
- Add the swtpm.if interface file for interactions with other domains
Resolves: RHEL-47274
- Allow virtproxyd create and use its private tmp files
Resolves: RHEL-40499
- Allow virtproxyd read network state
Resolves: RHEL-40499
- Allow virtqemud domain transition on swtpm execution
Resolves: RHEL-47274
Resolves: RHEL-49763
- Allow virtqemud relabel virt_var_run_t directories
Resolves: RHEL-47274
Resolves: RHEL-45464
Resolves: RHEL-49763
- Allow virtqemud domain transition on passt execution
Resolves: RHEL-45464
- Allow virt_driver_domain create and use log files in /var/log
Resolves: RHEL-40239
- Allow virt_driver_domain connect to systemd-userdbd over a unix socket
Resolves: RHEL-44932
Resolves: RHEL-44898
- Update stalld policy for bpf usage
Resolves: RHEL-50356
- Allow boothd connect to systemd-userdbd over a unix socket
Resolves: RHEL-45907
- Allow linuxptp configure phc2sys and chronyd over a unix domain socket
Resolves: RHEL-46011
- Allow systemd-machined manage runtime sockets
Resolves: RHEL-49567
- Allow ip command write to ipsec's logs
Resolves: RHEL-41222
- Allow init_t nnp domain transition to firewalld_t
Resolves: RHEL-52481
- Update qatlib policy for v24.02 with new features
Resolves: RHEL-50377
- Allow postfix_domain map postfix_etc_t files
Resolves: RHEL-46327
2024-08-08 18:12:12 +02:00
Zdenek Pytela
6ebbf22125 * Thu Jul 25 2024 Zdenek Pytela <zpytela@redhat.com> - 40.13.6-1
- Allow virtnodedevd run udev with a domain transition
Resolves: RHEL-39890
- Allow virtnodedev_t create and use virtnodedev_lock_t
Resolves: RHEL-39890
- Allow svirt attach_queue to a virtqemud tun_socket
Resolves: RHEL-44312
- Label /run/systemd/machine with systemd_machined_var_run_t
Resolves: RHEL-49567
2024-07-25 21:02:39 +00:00
Zdenek Pytela
85e80ce5b4 * Tue Jul 16 2024 Zdenek Pytela <zpytela@redhat.com> - 40.13.5-1
- Allow to create and delete socket files created by rhsm.service
Resolves: RHEL-40857
- Allow svirt read virtqemud fifo files
Resolves: RHEL-40350
- Allow virt_dbus_t connect to virtqemud_t over a unix stream socket
Resolves: RHEL-37822
- Allow virtqemud read virt-dbus process state
Resolves: RHEL-37822
- Allow virtqemud run ssh client with a transition
Resolves: RHEL-43215
- Allow virtnetworkd exec shell when virt_hooks_unconfined is on
Resolves: RHEL-41168
- Allow NetworkManager the sys_ptrace capability in user namespace
Resolves: RHEL-46717
- Update keyutils policy
Resolves: RHEL-38920
- Allow ip the setexec permission
Resolves: RHEL-41182
2024-07-16 19:27:49 +02:00
Zdenek Pytela
cbb1ba3beb * Fri Jun 28 2024 Zdenek Pytela <zpytela@redhat.com> - 40.13.4-1
- Confine libvirt-dbus
Resolves: RHEL-37822
- Allow sssd create and use io_uring
Resolves: RHEL-43448
- Allow virtqemud the kill capability in user namespace
Resolves: RHEL-44996
- Allow login_userdomain execute systemd-tmpfiles in the caller domain
Resolves: RHEL-44191
- Allow virtqemud read vm sysctls
Resolves: RHEL-40938
- Allow svirt_t read vm sysctls
Resolves: RHEL-40938
- Allow rshim get options of the netlink class for KOBJECT_UEVENT family
Resolves: RHEL-40859
- Allow systemd-hostnamed read the vsock device
Resolves: RHEL-45309
- Allow systemd (PID 1) manage systemd conf files
Resolves: RHEL-45304
- Allow journald read systemd config files and directories
Resolves: RHEL-45304
- Allow systemd_domain read systemd_conf_t dirs
Resolves: RHEL-45304
- Label systemd configuration files with systemd_conf_t
Resolves: RHEL-45304
- Allow dhcpcd the kill capability
Resolves: RHEL-43417
- Add support for libvirt hooks
Resolves: RHEL-41168
2024-06-28 23:24:45 +02:00
Troy Dawson
c4cc684f3c Bump release for June 2024 mass rebuild 2024-06-24 09:24:07 -07:00
Zdenek Pytela
b2c25500b4 * Tue Jun 18 2024 Zdenek Pytela <zpytela@redhat.com> - 40.13.3-1
- Allow virtqemud manage nfs files when virt_use_nfs boolean is on
Resolves: RHEL-40205
- Allow virt_driver_domain read files labeled unconfined_t
Resolves: RHEL-40262
- Allow virt_driver_domain dbus chat with policykit
Resolves: RHEL-40346
- Escape "interface" as a file name in a virt filetrans pattern
Resolves: RHEL-34769
- Allow setroubleshootd get attributes of all sysctls
Resolves: RHEL-40923
- Allow qemu-ga read vm sysctls
Resolves: RHEL-40829
- Allow sbd to trace processes in user namespace
Resolves: RHEL-39989
- Allow request-key execute scripts
Resolves: RHEL-38920
- Update policy for haproxyd
Resolves: RHEL-40877
2024-06-18 17:27:30 +02:00
Zdenek Pytela
1dacbf26a9 * Fri Jun 07 2024 Zdenek Pytela <zpytela@redhat.com> - 40.13.2-1
- Allow all domains read and write z90crypt device
Resolves: RHEL-28539
- Allow dhcpc read /run/netns files
Resolves: RHEL-39510
- Allow bootupd search efivarfs dirs
Resolves: RHEL-39514
2024-06-07 20:11:48 +02:00
Zdenek Pytela
9359be591b * Fri May 17 2024 Zdenek Pytela <zpytela@redhat.com> - 40.19-1
- Allow postfix smtpd map aliases file
- Ensure dbus communication is allowed bidirectionally
- Label systemd configuration files with systemd_conf_t
- Label /run/systemd/machine with systemd_machined_var_run_t
- Allow systemd-hostnamed read the vsock device
- Allow sysadm execute dmidecode using sudo
- Allow sudodomain list files in /var
- Allow setroubleshootd get attributes of all sysctls
- Allow various services read and write z90crypt device
- Allow nfsidmap connect to systemd-homed
- Allow sandbox_x_client_t dbus chat with accountsd
- Allow system_cronjob_t dbus chat with avahi_t
- Allow staff_t the io_uring sqpoll permission
- Allow staff_t use the io_uring API
- Add support for secretmem anon inode
- Backport /var/run change related improvements
2024-05-18 22:13:10 +00:00
Zdenek Pytela
befd3d6c81 Update rpm configuration for the /var/run equivalency change
Various updating and installing scenarios are now supported:
- using rpm triggers for other packages in selinux-policy
- inside the selinux_modules_install and selinux_modules_uninstall
  rpm macros when selinux subpackages are being built
2024-05-18 22:13:10 +00:00
Zdenek Pytela
0a14f83579 * Mon Feb 12 2024 Zdenek Pytela <zpytela@redhat.com> - 40.13-1
- Only allow confined user domains to login locally without unconfined_login
- Add userdom_spec_domtrans_confined_admin_users interface
- Only allow admindomain to execute shell via ssh with ssh_sysadm_login
- Add userdom_spec_domtrans_admin_users interface
- Move ssh dyntrans to unconfined inside unconfined_login tunable policy
- Update ssh_role_template() for user ssh-agent type
- Allow init to inherit system DBus file descriptors
- Allow init to inherit fds from syslogd
- Allow any domain to inherit fds from rpm-ostree
- Update afterburn policy
- Allow init_t nnp domain transition to abrtd_t
2024-02-12 12:26:33 +01:00
Zdenek Pytela
6dd5c78a95 * Tue Feb 06 2024 Zdenek Pytela <zpytela@redhat.com> - 40.12-1
- Rename all /var/lock file context entries to /run/lock
- Rename all /var/run file context entries to /run
- Invert the "/var/run = /run" equivalency
2024-02-06 14:25:48 +01:00
Zdenek Pytela
0ec128677b * Mon Feb 05 2024 Zdenek Pytela <zpytela@redhat.com> - 40.11-1
- Replace init domtrans rule for confined users to allow exec init
- Update dbus_role_template() to allow user service status
- Allow polkit status all systemd services
- Allow setroubleshootd create and use inherited io_uring
- Allow load_policy read and write generic ptys
- Allow gpg manage rpm cache
- Allow login_userdomain name_bind to howl and xmsg udp ports
- Allow rules for confined users logged in plasma
- Label /dev/iommu with iommu_device_t
- Remove duplicate file context entries in /run
- Dontaudit getty and plymouth the checkpoint_restore capability
- Allow su domains write login records
- Revert "Allow su domains write login records"
- Allow login_userdomain delete session dbusd tmp socket files
- Allow unix dgram sendto between exim processes
- Allow su domains write login records
- Allow smbd_t to watch user_home_dir_t if samba_enable_home_dirs is on
2024-02-05 16:57:20 +01:00
Zdenek Pytela
ac73b2b07b * Wed Jan 24 2024 Zdenek Pytela <zpytela@redhat.com> - 40.10-1
- Allow chronyd-restricted read chronyd key files
- Allow conntrackd_t to use bpf capability2
- Allow systemd-networkd manage its runtime socket files
- Allow init_t nnp domain transition to colord_t
- Allow polkit status systemd services
- nova: Fix duplicate declarations
- Allow httpd work with PrivateTmp
- Add interfaces for watching and reading ifconfig_var_run_t
- Allow collectd read raw fixed disk device
- Allow collectd read udev pid files
- Set correct label on /etc/pki/pki-tomcat/kra
- Allow systemd domains watch system dbus pid socket files
- Allow certmonger read network sysctls
- Allow mdadm list stratisd data directories
- Allow syslog to run unconfined scripts conditionally
- Allow syslogd_t nnp_transition to syslogd_unconfined_script_t
- Allow qatlib set attributes of vfio device files
2024-01-24 21:28:05 +01:00
Zdenek Pytela
443b716de1 * Tue Jan 09 2024 Zdenek Pytela <zpytela@redhat.com> - 40.9-1
- Allow systemd-sleep set attributes of efivarfs files
- Allow samba-dcerpcd read public files
- Allow spamd_update_t the sys_ptrace capability in user namespace
- Allow bluetooth devices work with alsa
- Allow alsa get attributes filesystems with extended attributes
2024-01-09 20:59:16 +01:00
Yaakov Selkowitz
e46b929e63 Limit %selinux_requires to version, not release
Using exact NVR dependencies works well within RPMS from a single SRPM,
but otherwise relies on assumptions which do not always hold out.
Because %release includes %dist, this is particularly fragile in the
context of the Rawhide->ELN->c10s build pipeline.  For instance, if a
package which uses %selinux_requires gets built for ELN with the rawhide
selinux-policy, then .fcNN will be hardcoded into the ELN build, and the
ELN build with .elnNNN will never meet the condition (since f > e).
2024-01-02 11:15:16 -05:00
Zdenek Pytela
68923ff3dd * Thu Dec 21 2023 Zdenek Pytela <zpytela@redhat.com> - 40.8-1
- Allow hypervkvp_t write access to NetworkManager_etc_rw_t
- Add interface for write-only access to NetworkManager rw conf
- Allow systemd-sleep send a message to syslog over a unix dgram socket
- Allow init create and use netlink netfilter socket
- Allow qatlib load kernel modules
- Allow qatlib run lspci
- Allow qatlib manage its private runtime socket files
- Allow qatlib read/write vfio devices
- Label /etc/redis.conf with redis_conf_t
- Remove the lockdown-class rules from the policy
- Allow init read all non-security socket files
- Replace redundant dnsmasq pattern macros
- Remove unneeded symlink perms in dnsmasq.if
- Add additions to dnsmasq interface
- Allow nvme_stas_t create and use netlink kobject uevent socket
- Allow collectd connect to statsd port
- Allow keepalived_t to use sys_ptrace of cap_userns
- Allow dovecot_auth_t connect to postgresql using UNIX socket
2023-12-21 17:03:58 +01:00
Zdenek Pytela
df4c66da89 * Wed Dec 13 2023 Zdenek Pytela <zpytela@redhat.com> - 40.7-1
- Make named_zone_t and named_var_run_t a part of the mountpoint attribute
- Allow sysadm execute traceroute in sysadm_t domain using sudo
- Allow sysadm execute tcpdump in sysadm_t domain using sudo
- Allow opafm search nfs directories
- Add support for syslogd unconfined scripts
- Allow gpsd use /dev/gnss devices
- Allow gpg read rpm cache
- Allow virtqemud additional permissions
- Allow virtqemud manage its private lock files
- Allow virtqemud use the io_uring api
- Allow ddclient send e-mail notifications
- Allow postfix_master_t map postfix data files
- Allow init create and use vsock sockets
- Allow thumb_t append to init unix domain stream sockets
- Label /dev/vas with vas_device_t
- Change domain_kernel_load_modules boolean to true
- Create interface selinux_watch_config and add it to SELinux users
2023-12-13 16:42:42 +01:00
Zdenek Pytela
ce3921683b * Tue Nov 28 2023 Zdenek Pytela <zpytela@redhat.com> - 40.6-1
- Add afterburn to modules-targeted-contrib.conf
- Update cifs interfaces to include fs_search_auto_mountpoints()
- Allow sudodomain read var auth files
- Allow spamd_update_t read hardware state information
- Allow virtnetworkd domain transition on tc command execution
- Allow sendmail MTA connect to sendmail LDA
- Allow auditd read all domains process state
- Allow rsync read network sysctls
- Add dhcpcd bpf capability to run bpf programs
- Dontaudit systemd-hwdb dac_override capability
- Allow systemd-sleep create efivarfs files
2023-11-28 15:43:25 +01:00
Zdenek Pytela
648853f428 * Tue Nov 14 2023 Zdenek Pytela <zpytela@redhat.com> - 40.5-1
- Allow map xserver_tmpfs_t files when xserver_clients_write_xshm is on
- Allow graphical applications work in Wayland
- Allow kdump work with PrivateTmp
- Allow dovecot-auth work with PrivateTmp
- Allow nfsd get attributes of all filesystems
- Allow unconfined_domain_type use io_uring cmd on domain
- ci: Only run Rawhide revdeps tests on the rawhide branch
- Label /var/run/auditd.state as auditd_var_run_t
- Allow fido-device-onboard (FDO) read the crack database
- Allow ip an explicit domain transition to other domains
- Label /usr/libexec/selinux/selinux-autorelabel with semanage_exec_t
- Allow  winbind_rpcd_t processes access when samba_export_all_* is on
- Enable NetworkManager and dhclient to use initramfs-configured DHCP connection
- Allow ntp to bind and connect to ntske port.
- Allow system_mail_t manage exim spool files and dirs
- Dontaudit keepalived setattr on keepalived_unconfined_script_exec_t
- Label /run/pcsd.socket with cluster_var_run_t
- ci: Run cockpit tests in PRs
2023-11-14 20:38:51 +01:00
Zdenek Pytela
2d11fcc9ab * Thu Oct 19 2023 Zdenek Pytela <zpytela@redhat.com> - 40.4-1
- Add map_read map_write to kernel_prog_run_bpf
- Allow systemd-fstab-generator read all symlinks
- Allow systemd-fstab-generator the dac_override capability
- Allow rpcbind read network sysctls
- Support using systemd containers
- Allow sysadm_t to connect to iscsid using a unix domain stream socket
- Add policy for coreos installer
- Add coreos_installer to modules-targeted-contrib.conf
2023-10-19 17:46:31 +02:00
Zdenek Pytela
1cd26ed671 * Tue Oct 17 2023 Zdenek Pytela <zpytela@redhat.com> - 40.3-1
- Add policy for nvme-stas
- Confine systemd fstab,sysv,rc-local
- Label /etc/aliases.lmdb with etc_aliases_t
- Create policy for afterburn
2023-10-17 22:10:31 +02:00
Zdenek Pytela
6fbdf6352d Add the virt_supplementary module to modules-targeted-contrib.conf 2023-10-10 10:49:52 +02:00
Zdenek Pytela
2bde33920c * Tue Oct 10 2023 Zdenek Pytela <zpytela@redhat.com> - 40.2-1
- Make new virt drivers permissive
- Split virt policy, introduce virt_supplementary module
- Allow apcupsd cgi scripts read /sys
- Merge pull request #1893 from WOnder93/more-early-boot-overlay-fixes
- Allow kernel_t to manage and relabel all files
- Add missing optional_policy() to files_relabel_all_files()
2023-10-10 10:47:42 +02:00
Zdenek Pytela
995481ca80 * Tue Oct 03 2023 Zdenek Pytela <zpytela@redhat.com> - 40.1-1
- Allow named and ndc use the io_uring api
- Deprecate common_anon_inode_perms usage
- Improve default file context(None) of /var/lib/authselect/backups
- Allow udev_t to search all directories with a filesystem type
- Implement proper anon_inode support
- Allow targetd write to the syslog pid sock_file
- Add ipa_pki_retrieve_key_exec() interface
- Allow kdumpctl_t to list all directories with a filesystem type
- Allow udev additional permissions
- Allow udev load kernel module
- Allow sysadm_t to mmap modules_object_t files
- Add the unconfined_read_files() and unconfined_list_dirs() interfaces
- Set default file context of HOME_DIR/tmp/.* to <<none>>
- Allow kernel_generic_helper_t to execute mount(1)
2023-10-04 15:57:34 +02:00
Zdenek Pytela
11c92f5ea8 * Fri Sep 29 2023 Zdenek Pytela <zpytela@redhat.com> - 38.29-1
- Allow sssd send SIGKILL to passkey_child running in ipa_otpd_t
- Allow systemd-localed create Xserver config dirs
- Allow sssd read symlinks in /etc/sssd
- Label /dev/gnss[0-9] with gnss_device_t
- Allow systemd-sleep read/write efivarfs variables
- ci: Fix version number of packit generated srpms
- Dontaudit rhsmcertd write memory device
- Allow ssh_agent_type create a sockfile in /run/user/USERID
- Set default file context of /var/lib/authselect/backups to <<none>>
- Allow prosody read network sysctls
- Allow cupsd_t to use bpf capability
2023-09-29 20:49:14 +02:00
Zdenek Pytela
4beb93659f * Fri Sep 15 2023 Zdenek Pytela <zpytela@redhat.com> - 38.28-1
- Allow sssd domain transition on passkey_child execution conditionally
- Allow login_userdomain watch lnk_files in /usr
- Allow login_userdomain watch video4linux devices
- Change systemd-network-generator transition to include class file
- Revert "Change file transition for systemd-network-generator"
- Allow nm-dispatcher winbind plugin read/write samba var files
- Allow systemd-networkd write to cgroup files
- Allow kdump create and use its memfd: objects
2023-09-15 14:49:49 +02:00
Zdenek Pytela
16fcf3610b * Thu Aug 31 2023 Zdenek Pytela <zpytela@redhat.com> - 38.27-1
- Allow fedora-third-party get generic filesystem attributes
- Allow sssd use usb devices conditionally
- Update policy for qatlib
- Allow ssh_agent_type manage generic cache home files
2023-08-31 23:22:26 +02:00
Zdenek Pytela
42961943f5 * Thu Aug 24 2023 Zdenek Pytela <zpytela@redhat.com> - 38.26-1
- Change file transition for systemd-network-generator
- Additional support for gnome-initial-setup
- Update gnome-initial-setup policy for geoclue
- Allow openconnect vpn open vhost net device
- Allow cifs.upcall to connect to SSSD also through the /var/run socket
- Grant cifs.upcall more required capabilities
- Allow xenstored map xenfs files
- Update policy for fdo
- Allow keepalived watch var_run dirs
- Allow svirt to rw /dev/udmabuf
- Allow qatlib  to modify hardware state information.
- Allow key.dns_resolve connect to avahi over a unix stream socket
- Allow key.dns_resolve create and use unix datagram socket
- Use quay.io as the container image source for CI
2023-08-24 21:17:38 +02:00
Zdenek Pytela
314088eca9 * Fri Aug 11 2023 Zdenek Pytela <zpytela@redhat.com> - 38.25-1
- ci: Move srpm/rpm build to packit
- .copr: Avoid subshell and changing directory
- Allow gpsd, oddjob and oddjob_mkhomedir_t write user_tty_device_t chr_file
- Label /usr/libexec/openssh/ssh-pkcs11-helper with ssh_agent_exec_t
- Make insights_client_t an unconfined domain
- Allow insights-client manage user temporary files
- Allow insights-client create all rpm logs with a correct label
- Allow insights-client manage generic logs
- Allow cloud_init create dhclient var files and init_t manage net_conf_t
- Allow insights-client read and write cluster tmpfs files
- Allow ipsec read nsfs files
- Make tuned work with mls policy
- Remove nsplugin_role from mozilla.if
- allow mon_procd_t self:cap_userns sys_ptrace
- Allow pdns name_bind and name_connect all ports
- Set the MLS range of fsdaemon_t to s0 - mls_systemhigh
- ci: Move to actions/checkout@v3 version
- .copr: Replace chown call with standard workflow safe.directory setting
- .copr: Enable `set -u` for robustness
- .copr: Simplify root directory variable
2023-08-14 18:30:13 +02:00
Zdenek Pytela
02754e0832 * Fri Aug 04 2023 Zdenek Pytela <zpytela@redhat.com> - 38.24-1
- Allow rhsmcertd dbus chat with policykit
- Allow polkitd execute pkla-check-authorization with nnp transition
- Allow user_u and staff_u get attributes of non-security dirs
- Allow unconfined user filetrans chrome_sandbox_home_t
- Allow svnserve execute postdrop with a transition
- Do not make postfix_postdrop_t type an MTA executable file
- Allow samba-dcerpc service manage samba tmp files
- Add use_nfs_home_dirs boolean for mozilla_plugin
- Fix labeling for no-stub-resolv.conf
2023-08-04 19:48:49 +02:00
Zdenek Pytela
c618bb9f5d * Wed Aug 02 2023 Zdenek Pytela <zpytela@redhat.com> - 38.23-1
- Revert "Allow winbind-rpcd use its private tmp files"
- Allow upsmon execute upsmon via a helper script
- Allow openconnect vpn read/write inherited vhost net device
- Allow winbind-rpcd use its private tmp files
- Update samba-dcerpc policy for printing
- Allow gpsd,oddjob,oddjob_mkhomedir rw user domain pty
- Allow nscd watch system db dirs
- Allow qatlib to read sssd public files
- Allow fedora-third-party read /sys and proc
- Allow systemd-gpt-generator mount a tmpfs filesystem
- Allow journald write to cgroup files
- Allow rpc.mountd read network sysctls
- Allow blueman read the contents of the sysfs filesystem
- Allow logrotate_t to map generic files in /etc
- Boolean: Allow virt_qemu_ga create ssh directory
2023-08-02 22:34:58 +02:00
Zdenek Pytela
1969a71055 * Fri Jul 21 2023 Zdenek Pytela <zpytela@redhat.com> - 38.22-1
- Allow systemd-network-generator send system log messages
- Dontaudit the execute permission on sock_file globally
- Allow fsadm_t the file mounton permission
- Allow named and ndc the io_uring sqpoll permission
- Allow sssd io_uring sqpoll permission
- Fix location for /run/nsd
- Allow qemu-ga get fixed disk devices attributes
- Update bitlbee policy
- Label /usr/sbin/sos with sosreport_exec_t
- Update policy for the sblim-sfcb service
- Add the files_getattr_non_auth_dirs() interface
- Fix the CI to work with DNF5
2023-07-25 19:19:47 +02:00
Fedora Release Engineering
4f880142d7 Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild
Signed-off-by: Fedora Release Engineering <releng@fedoraproject.org>
2023-07-22 01:23:35 +00:00
Zdenek Pytela
3861cc6854 * Thu Jul 13 2023 Zdenek Pytela <zpytela@redhat.com> - 38.21-1
- Make systemd_tmpfiles_t MLS trusted for lowering the level of files
- Revert "Allow insights client map cache_home_t"
- Allow nfsidmapd connect to systemd-machined over a unix socket
- Allow snapperd connect to kernel over a unix domain stream socket
- Allow virt_qemu_ga_t create .ssh dir with correct label
- Allow targetd read network sysctls
- Set the abrt_handle_event boolean to on
- Permit kernel_t to change the user identity in object contexts
- Allow insights client map cache_home_t
- Label /usr/sbin/mariadbd with mysqld_exec_t
- Trim changelog so that it starts at F37 time
- Define equivalency for /run/systemd/generator.early
2023-07-13 22:29:20 +02:00
Zdenek Pytela
59a0d615a7 Trim changelog so that it starts at F37 time 2023-07-13 21:43:45 +02:00
Zdenek Pytela
3217953fb6 * Thu Jun 29 2023 Zdenek Pytela <zpytela@redhat.com> - 38.20-1
- Allow httpd tcp connect to redis port conditionally
- Label only /usr/sbin/ripd and ripngd with zebra_exec_t
- Dontaudit aide the execmem permission
- Remove permissive from fdo
- Allow sa-update manage spamc home files
- Allow sa-update connect to systemlog services
- Label /usr/lib/systemd/system/mimedefang.service with antivirus_unit_file_t
- Allow nsd_crond_t write nsd_var_run_t & connectto nsd_t
- Allow bootupd search EFI directory
2023-06-29 11:47:37 +02:00
Zdenek Pytela
0a1d561fed * Tue Jun 27 2023 Zdenek Pytela <zpytela@redhat.com> - 38.19-1
- Change init_audit_control default value to true
- Allow nfsidmapd connect to systemd-userdbd with a unix socket
- Add the qatlib  module
- Add the fdo module
- Add the bootupd module
- Set default ports for keylime policy
- Create policy for qatlib
- Add policy for FIDO Device Onboard
- Add policy for bootupd
- Add the qatlib module
- Add the fdo module
- Add the bootupd module
2023-06-27 20:40:11 +02:00
Zdenek Pytela
ca2263f358 * Sun Jun 25 2023 Zdenek Pytela <zpytela@redhat.com> - 38.18-1
- Add support for kafs-dns requested by keyutils
- Allow insights-client execmem
- Add support for chronyd-restricted
- Add init_explicit_domain() interface
- Allow fsadm_t to get attributes of cgroup filesystems
- Add list_dir_perms to kerberos_read_keytab
- Label /var/run/tmpfiles.d/static-nodes.conf with kmod_var_run_t
- Allow sendmail manage its runtime files
- Allow keyutils_dns_resolver_exec_t be an entrypoint
- Allow collectd_t read network state symlinks
- Revert "Allow collectd_t read proc_net link files"
- Allow nfsd_t to list exports_t dirs
- Allow cupsd dbus chat with xdm
- Allow haproxy read hardware state information
- Add the kafs module
2023-06-25 13:44:12 +02:00
Zdenek Pytela
38fd9a9006 * Thu Jun 15 2023 Zdenek Pytela <zpytela@redhat.com> - 38.17-1
- Label /dev/userfaultfd with userfaultfd_t
- Allow blueman send general signals to unprivileged user domains
- Allow dkim-milter domain transition to sendmail
- Label /usr/sbin/cifs.idmap with cifs_helper_exec_t
- Allow cifs-helper read sssd kerberos configuration files
- Allow rpm_t sys_admin capability
- Allow dovecot_deliver_t create/map dovecot_spool_t dir/file
- Allow collectd_t read proc_net link files
- Allow insights-client getsession process permission
- Allow insights-client work with pipe and socket tmp files
- Allow insights-client map generic log files
- Update cyrus_stream_connect() to use sockets in /run
- Allow keyutils-dns-resolver read/view kernel key ring
- Label /var/log/kdump.log with kdump_log_t
2023-06-15 11:13:58 +02:00
Zdenek Pytela
995ad0daac Exclude container-selinux manpage from selinux-policy-doc
The container_selinux.8 manpage is a part of the upstream
container-selinux package and it should rather be a part
of container-selinux.

Resolves: rhbz#2209120
2023-06-12 17:15:47 +02:00
Zdenek Pytela
37f102411a * Fri Jun 09 2023 Zdenek Pytela <zpytela@redhat.com> - 38.16-1
- Add support for the systemd-pstore service
- Allow kdumpctl_t to execmem
- Update sendmail policy module for opensmtpd
- Allow nagios-mail-plugin exec postfix master
- Allow subscription-manager execute ip
- Allow ssh client connect with a user dbus instance
- Add support for ksshaskpass
- Allow rhsmcertd file transition in /run also for socket files
- Allow keyutils_dns_resolver_t execute keyutils_dns_resolver_exec_t
- Allow plymouthd read/write X server miscellaneous devices
- Allow systemd-sleep read udev pid files
- Allow exim read network sysctls
- Allow sendmail request load module
- Allow named map its conf files
- Allow squid map its cache files
- Allow NetworkManager_dispatcher_dhclient_t to execute shells without a domain transition
2023-06-09 22:29:46 +02:00
Zdenek Pytela
70fa3a1489 * Tue May 30 2023 Zdenek Pytela <zpytela@redhat.com> - 38.15-1
- Update policy for systemd-sleep
- Remove permissive domain for rshim_t
- Remove permissive domain for mptcpd_t
- Allow systemd-bootchartd the sys_ptrace userns capability
- Allow sysadm_t read nsfs files
- Allow sysadm_t run kernel bpf programs
- Update ssh_role_template for ssh-agent
- Update ssh_role_template to allow read/write unallocated ttys
- Add the booth module to modules.conf
- Allow firewalld rw ica_tmpfs_t files
2023-05-30 12:00:03 +02:00
Zdenek Pytela
f148635ab0 * Fri May 26 2023 Zdenek Pytela <zpytela@redhat.com> - 38.14-1
- Remove permissive domain for cifs_helper_t
- Update the cifs-helper policy
- Replace cifsutils_helper_domtrans() with keyutils_request_domtrans_to()
- Update pkcsslotd policy for sandboxing
- Allow abrt_t read kernel persistent storage files
- Dontaudit targetd search httpd config dirs
- Allow init_t nnp domain transition to policykit_t
- Allow rpcd_lsad setcap and use generic ptys
- Allow samba-dcerpcd connect to systemd_machined over a unix socket
- Allow wireguard to rw network sysctls
- Add policy for boothd
- Allow kernel to manage its own BPF objects
- Label /usr/lib/systemd/system/proftpd.* & vsftpd.* with ftpd_unit_file_t
2023-05-26 13:00:58 +02:00
Zdenek Pytela
dfde7d3e7a * Mon May 22 2023 Zdenek Pytela <zpytela@redhat.com> - 38.13-1
- Add initial policy for cifs-helper
- Label key.dns_resolver with keyutils_dns_resolver_exec_t
- Allow unconfined_service_t to create .gnupg labeled as gpg_secret_t
- Allow some systemd services write to cgroup files
- Allow NetworkManager_dispatcher_dhclient_t to read the DHCP configuration files
- Allow systemd resolved to bind to arbitrary nodes
- Allow plymouthd_t bpf capability to run bpf programs
- Allow cupsd to create samba_var_t files
- Allow rhsmcert request the kernel to load a module
- Allow virsh name_connect virt_port_t
- Allow certmonger manage cluster library files
- Allow plymouthd read init process state
- Add chromium_sandbox_t setcap capability
- Allow snmpd read raw disk data
- Allow samba-rpcd work with passwords
- Allow unconfined service inherit signal state from init
- Allow cloud-init manage gpg admin home content
- Allow cluster_t dbus chat with various services
- Allow nfsidmapd work with systemd-userdbd and sssd
- Allow unconfined_domain_type use IORING_OP_URING_CMD on all device nodes
- Allow plymouthd map dri and framebuffer devices
- Allow rpmdb_migrate execute rpmdb
- Allow logrotate dbus chat with systemd-hostnamed
- Allow icecast connect to kernel using a unix stream socket
- Allow lldpad connect to systemd-userdbd over a unix socket
- Allow journalctl open user domain ptys and ttys
- Allow keepalived to manage its tmp files
- Allow ftpd read network sysctls
- Label /run/bgpd with zebra_var_run_t
- Allow gssproxy read network sysctls
- Add the cifsutils module
2023-05-22 09:00:23 +02:00