Commit Graph

2229 Commits

Author SHA1 Message Date
Lukas Vrabec
4ce765ae0a
* Fri May 17 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.4-18
- Fix typo in gpg SELinux module
- Update gpg policy to make ti working with confined users
- Add domain transition that systemd labeled as init_t can execute spamd_update_exec_t binary to run newly created process as spamd_update_t
- Remove allow rule for virt_qemu_ga_t to write/append user_tmp_t files
- Label /var/run/user/*/dbus-1 as session_dbusd_tmp_t
- Add dac_override capability to namespace_init_t domain
- Label /usr/sbin/corosync-qdevice as cluster_exec_t
- Allow NetworkManager_ssh_t domain to open communication channel with system dbus. BZ(1677484)
- Label /usr/libexec/dnf-utils as debuginfo_exec_t
- Alow nrpe_t to send signull to sssd domain when nagios_run_sudo boolean is turned on
- Allow nrpe_t domain to be dbus cliennt
- Add interface sssd_signull()
- Label /usr/bin/tshark as wireshark_exec_t
- Update userdomains to allow confined users to create gpg keys
- Allow associate all filesystem_types with fs_t
- Dontaudit syslogd_t using kill in unamespaces BZ(1711122)
- Allow init_t to manage session_dbusd_tmp_t dirs
- Allow systemd_gpt_generator_t to read/write to clearance
- Allow su_domain_type to getattr to /dev/gpmctl
- Update userdom_login_user_template() template to make working systemd user session for guest and xguest SELinux users
2019-05-18 01:04:36 +02:00
Lukas Vrabec
fb7eb895aa
* Fri May 17 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.4-17
- Alow nrpe_t to send signull to sssd domain when nagios_run_sudo boolean is turned on
- Allow nrpe_t domain to be dbus cliennt
- Add interface sssd_signull()
- Label /usr/bin/tshark as wireshark_exec_t
- Fix typo in dbus_role_template()
- Allow userdomains to send data over dgram sockets to userdomains dbus services BZ(1710119)
- Allow userdomains dbus domain to execute dbus broker. BZ(1710113)
- Allow dovedot_deliver_t setuid/setgid capabilities BZ(1709572)
- Allow virt domains to access xserver devices BZ(1705685)
- Allow aide to be executed by systemd with correct (aide_t) domain BZ(1648512)
- Dontaudit svirt_tcg_t domain to read process state of libvirt BZ(1594598)
- Allow pcp_pmie_t domain to use fsetid capability BZ(1708082)
- Allow pcp_pmlogger_t to use setrlimit BZ(1708951)
- Allow gpsd_t domain to read udev db BZ(1709025)
- Add sys_ptrace capaiblity for  namespace_init_t domain
- Allow systemd to execute sa-update in spamd_update_t domain BZ(1705331)
- Allow rhsmcertd_t domain to read rpm cache files
- Label /efi same as /boot/efi boot_t BZ(1571962)
- Allow transition from udev_t to tlp_t BZ(1705246)
- Remove initrc_exec_t for /usr/sbin/apachectl file
2019-05-17 18:12:55 +02:00
Lukas Vrabec
1938d6c60c
Update broken sources 2019-05-04 17:45:09 +02:00
Lukas Vrabec
2a04dcf5c8
* Fri May 03 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.4-16
- Add fcontext for apachectl util to fix missing output when executed "httpd -t" from this script.
2019-05-04 00:00:01 +02:00
Lukas Vrabec
a0e74cb580
* Thu May 02 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.4-15
- Allow iscsid_t domain to mmap modules_dep_t files
- Allow ngaios to use chown capability
- Dontaudit gpg_domain to create netlink_audit sockets
- Remove role transition in rpm_run() interface to allow sysadm_r jump to rpm_t type. BZ(1704251)
- Allow dirsrv_t domain to execute own tmp files BZ(1703111)
- Update fs_rw_cephfs_files() interface to allow also caller domain to read/write cephpfs_t lnk files
- Update domain_can_mmap_files() boolean to allow also mmap lnk files
- Improve userdom interfaces to drop guest_u SELinux user to use nsswitch
2019-05-02 15:46:11 +02:00
Lukas Vrabec
2c13568192
* Fri Apr 26 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.4-14
- Allow transition from cockpit_session to unpriv user domains
2019-04-26 16:46:34 +02:00
Lukas Vrabec
2675489867
* Thu Apr 25 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.4-13
- Introduce deny_bluetooth boolean
- Allow greylist_milter_t to read network system state BZ(1702672)
- Allow freeipmi domains to mmap freeipmi_var_cache_t files
- Allow rhsmcertd_t and rpm_t domains to chat over dbus
- Allow thumb_t domain to delete cache_home_t files BZ(1701643)
- Update gnome_role_template() to allow _gkeyringd_t domains to chat with systemd_logind over dbus
- Add new interface boltd_dbus_chat()
- Allow fwupd_t and modemmanager_t domains to communicate over dbus BZ(1701791)
- Allow keepalived_t domain to create and use netlink_connector sockets BZ(1701750)
- Allow cockpit_ws_t domain to set limits BZ(1701703)
- Update Nagios policy when sudo is used
- Deamon rhsmcertd is able to install certs for docker again
- Introduce deny_bluetooth boolean
- Don't allow a container to connect to random services
- Remove file context /usr/share/spamassassin/sa-update\.cron -> bin_t to label sa-update.cron as spamd_update_exec_t.
- Allow systemd_logind_t and systemd_resolved_t domains to chat over dbus
- Allow unconfined_t to use bpf tools
- Allow x_userdomains to communicate with boltd daemon over dbus
2019-04-25 17:29:03 +02:00
Lukas Vrabec
a64329452e
* Fri Apr 19 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.4-12
- Fix typo in cups SELinux policy
- Allow iscsid_t to read modules deps BZ(1700245)
- Allow cups_pdf_t domain to create cupsd_log_t dirs in /var/log BZ(1700442)
- Allow httpd_rotatelogs_t to execute generic binaries
- Update system_dbus policy because of dbus-broker-20-2
- Allow httpd_t doman to read/write /dev/zero device  BZ(1700758)
- Allow tlp_t domain to read module deps files BZ(1699459)
- Add file context for /usr/lib/dotnet/dotnet
- Update dev_rw_zero() interface by adding map permission
- Allow bounded transition for executing init scripts
2019-04-19 22:39:06 +02:00
Lukas Vrabec
05bc3ebd5c
* Fri Apr 12 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.4-11
- Allow mongod_t domain to lsearch in cgroups BZ(1698743)
- Allow rngd communication with pcscd BZ(1679217)
- Create cockpit_tmpfs_t and allow cockpit ws and session to use it BZ(1698405)
- Fix broken networkmanager interface for allowing manage lib files for dnsmasq_t.
- Update logging_send_audit_msgs(sudodomain() to control TTY auditing for netlink socket for audit service
2019-04-12 23:24:21 +02:00
Lukas Vrabec
2e12c978e7
Add check for config file consistency
After all reverted commit looks good, just targeted store have to be
specified when permissivedomains SELinux module is loaded.

This reverts commit f1ed716369.
2019-04-12 21:08:30 +02:00
Lukas Vrabec
f1ed716369
Revert "Add check for config file consistency"
This reverts commit 7fd6024816.
2019-04-12 10:03:08 +02:00
Lukas Vrabec
cba3e984f6
* Tue Apr 09 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.4-10
- Allow systemd_modules_load to read modules_dep_t files
- Allow systemd labeled as init_t to setattr on unallocated ttys BZ(1697667)
2019-04-09 10:57:19 +02:00
Lukas Vrabec
2809c70adb
* Mon Apr 08 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.4-9
- Merge #18 `Add check for config file consistency`
- Allow tlp_t domain also write to nvme_devices block devices BZ(1696943)
- Fix typo in rhsmcertd SELinux module
- Allow dnsmasq_t domain to manage NetworkManager_var_lib_t files
- Allow rhsmcertd_t domain to read yum.log file labeled as rpm_log_t
- Allow unconfined users to use vsock unlabeled sockets
- Add interface kernel_rw_unlabeled_vsock_socket()
- Allow unconfined users to use smc unlabeled sockets
- Add interface kernel_rw_unlabeled_smc_socket
- Allow systemd_resolved_t domain to read system network state BZ(1697039)
- Allow systemd to mounton kernel sysctls BZ(1696201)
- Add interface kernel_mounton_kernel_sysctl() BZ(1696201)
- Allow systemd to mounton several systemd direstory to increase security of systemd Resolves: rhbz#1696201
2019-04-08 15:54:57 +02:00
Lukas Vrabec
3da5a62edd Merge #18 Add check for config file consistency 2019-04-08 13:49:30 +00:00
Lukas Vrabec
47a2243adc
* Fri Apr 05 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.4-8
- Allow systemd to mounton several systemd direstory to increase security of systemd
Resolves: rhbz#1696201
2019-04-05 16:26:48 +02:00
Lukas Vrabec
fe3eb5975b
Fix some conflicting filename transition rules in the policy sources 2019-04-04 11:02:58 +02:00
Lukas Vrabec
c4065f7c94
* Wed Apr 03 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.4-7
- Allow fontconfig file transition for xguest_u user
- Add gnome_filetrans_fontconfig_home_content interface
- Add permissions needed by systemd's machinectl shell/login
- Update SELinux policy for xen services
- Add dac_override capability for kdumpctl_t process domain
- Allow chronyd_t domain to exec shell
- Fix varnisncsa typo
- Allow init start freenx-server BZ(1678025)
- Create logrotate_use_fusefs boolean
- Add tcpd_wrapped_domain for telnetd BZ(1676940)
- Allow tcpd bind to services ports BZ(1676940)
- Update mysql_filetrans_named_content() to allow cluster to create mysql dirs in /var/run with proper label mysqld_var_run_t
- Make shell_exec_t type as entrypoint for vmtools_unconfined_t.
- Merge branch 'rawhide' of github.com:fedora-selinux/selinux-policy-contrib into rawhide
- Allow virtlogd_t domain to create virt_etc_rw_t files in virt_etc_t
- Allow esmtp access .esmtprc BZ(1691149)
- Merge branch 'rawhide' of github.com:fedora-selinux/selinux-policy-contrib into rawhide
- Allow tlp_t domain to read nvme block devices BZ(1692154)
- Add support for smart card authentication in cockpit BZ(1690444)
- Add permissions needed by systemd's machinectl shell/login
- Allow kmod_t domain to mmap modules_dep_t files.
- Allow systemd_machined_t dac_override capability BZ(1670787)
- Update modutils_read_module_deps_files() interface to also allow mmap module_deps_t files
- Allow unconfined_domain_type to use bpf tools BZ(1694115)
- Revert "Allow unconfined_domain_type to use bpf tools BZ(1694115)"
- Merge branch 'rawhide' of github.com:fedora-selinux/selinux-policy into rawhide
- Allow unconfined_domain_type to use bpf tools BZ(1694115)
- Allow init_t read mnt_t symlinks BZ(1637070)
- Update dev_filetrans_all_named_dev() interface
- Allow xdm_t domain to execmod temp files BZ(1686675)
- Revert "Allow xdm_t domain to create own tmp files BZ(1686675)"
- Allow getty_t, local_login_t, chkpwd_t and passwd_t to use usbttys. BZ(1691582)
- Allow confined users labeled as staff_t to run iptables.
- Merge branch 'rawhide' of github.com:fedora-selinux/selinux-policy into rawhide
- Allow xdm_t domain to create own tmp files BZ(1686675)
- Add miscfiles_dontaudit_map_generic_certs interface.
2019-04-03 14:33:40 +02:00
Lukas Vrabec
8ad34683d2
Comment macro-expander and container-selinux sources in spec file 2019-03-23 19:00:30 +01:00
Lukas Vrabec
ba905225c2
Merge branch 'master' of ssh://pkgs.fedoraproject.org/rpms/selinux-policy 2019-03-23 15:33:27 +01:00
Lukas Vrabec
bccf0f816c
* Sat Mar 23 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.4-6
- Allow boltd_t domain to write to sysfs_t dirs BZ(1689287)
- Allow fail2ban execute journalctl BZ(1689034)
- Update sudodomains to make working confined users run sudo/su
- Introduce new boolean unconfined_dyntrans_all.
- Allow iptables_t domain to read NetworkManager state BZ(1690881)
2019-03-23 15:32:56 +01:00
Lukas Vrabec
03abf46c1c Merge #17 Remove previous/ version of module directory 2019-03-20 18:58:56 +00:00
Vit Mojzis
7fd6024816 Add check for config file consistency
Make sure the config is consistent with what packages are (being)
installed in the system.

This should ensure that the package corresponding to SELINUXTYPE
in the config is always present in the system, or selinux is DISABLED
(both before policy_load is called and after any RPM transaction involving
selinux-policy-* package). Targeted mode is used when possible.

Resolves: rhbz#1641631

Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
2019-03-20 18:04:45 +01:00
Lukas Vrabec
7dd08a5cde
* Tue Mar 19 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.4-5
- Update xen SELinux module
- Improve labeling for PCP plugins
- Allow varnishd_t domain to read sysfs_t files
- Update vmtools policy
- Allow virt_qemu_ga_t domain to read udev_var_run_t files
- Update nagios_run_sudo boolean with few allow rules related to accessing sssd
- Update file context for modutils rhbz#1689975
- Label /dev/xen/hypercall and /dev/xen/xenbus_backend as xen_device_t Resolves: rhbz#1679293
- Grant permissions for onloadfs files of all classes.
- Allow all domains to send dbus msgs to vmtools_unconfined_t processes
- Label /dev/pkey as crypt_device_t
- Allow sudodomains to write to systemd_logind_sessions_t pipes.
- Label /usr/lib64/libcuda.so.XX.XX library as textrel_shlib_t.
2019-03-19 11:32:41 +01:00
Lukas Vrabec
10d7e3defc
Update wrong dates in changelog 2019-03-19 11:21:57 +01:00
Petr Lautrbach
b73fcb724e Remove previous/ version of module directory
When the policy is built with save-previous=true (see semanage.conf) the
previous version of store is saved in /var/lib/selinux/TYPE/previous directory.
This directory needs to be erased after build as it has no function for
packages.

Fixes:
Checking for unpackaged file(s): /usr/lib/rpm/check-files /home/plautrba/rpmbuild/BUILDROOT/selinux-policy-3.14.4-4.fc31.x86_64
error: Installed (but unpackaged) file(s) found:
   /var/lib/selinux/targeted/previous/commit_num
   /var/lib/selinux/targeted/previous/file_contexts
   /var/lib/selinux/targeted/previous/file_contexts.homedirs
...
2019-03-19 11:04:43 +01:00
Lukas Vrabec
a8da133b94
* Wed Mar 12 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.4-4
- Update vmtools policy
- Allow virt_qemu_ga_t domain to read udev_var_run_t files
- Update nagios_run_sudo boolean with few allow rules related to accessing sssd
- Update travis CI to install selinux-policy dependencies without checking for gpg check
- Allow journalctl_t domain to mmap syslogd_var_run_t files
- Allow smokeping process to mmap own var lib files and allow set process group. Resolves: rhbz#1661046
- Allow sbd_t domain to bypass permission checks for sending signals
- Allow sbd_t domain read/write all sysctls
- Allow kpatch_t domain to communicate with policykit_t domsin over dbus
- Allow boltd_t to stream connect to sytem dbus
- Allow zabbix_t domain to create sockets labeled as zabbix_var_run_t BZ(1683820)
- Allow all domains to send dbus msgs to vmtools_unconfined_t processes
- Label /dev/pkey as crypt_device_t
- Allow sudodomains to write to systemd_logind_sessions_t pipes.
- Label /usr/lib64/libcuda.so.XX.XX library as textrel_shlib_t.
- Allow ifconfig_t domain to read /dev/random BZ(1687516)
- Fix interface modutils_run_kmod() where was used old interface modutils_domtrans_insmod instead of new one modutils_domtrans_kmod() Resolves: rhbz#1686660
- Update travis CI to install selinux-policy dependencies without checking for gpg check
- Label /usr/sbin/nodm as xdm_exec_t same as other display managers
- Update userdom_admin_user_template() and init_prog_run_bpf() interfaces to make working bpftool for confined admin
- Label /usr/sbin/e2mmpstatus as fsadm_exec_t Resolves: rhbz#1684221
- Update unconfined_dbus_send() interface to allow both direction communication over dbus with unconfined process.
2019-03-12 18:42:45 +01:00
Lukas Vrabec
43393ba497
* Wed Feb 27 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.4-3
- Reverting https://src.fedoraproject.org/rpms/selinux-policy/pull-request/15 because "%pretrans" cannot use shell scripts.
Resolves: rhbz#1683365
2019-02-27 10:18:03 +01:00
Lukas Vrabec
31fb935c5f
Revert "Add check for config file consistency"
This reverts commit 46c51e1cb2.

Reverting
https://src.fedoraproject.org/rpms/selinux-policy/pull-request/15
because "%pretrans" cannot use shell scripts.
Resolves: rhbz#1683365
2019-02-27 09:58:48 +01:00
Lukas Vrabec
c2043acf2b
* Tue Feb 26 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.4-2
- Merge insmod_t, depmod_t and update_modules_t do kmod_t
2019-02-26 11:07:59 +01:00
Lukas Vrabec
8be35be283
* Mon Feb 25 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.4-1
- Allow openvpn_t domain to set capability BZ(1680276)
- Update redis_enable_notify() boolean to fix sending e-mail by redis when this boolean is turned on
- Allow chronyd_t domain to send data over dgram socket
- Add rolekit_dgram_send() interface
- Fix bug in userdom_restricted_xwindows_user_template() template to disallow all user domains to access admin_home_t - kernel/files.fc: Label /var/run/motd.d(./*)? and /var/run/motd as pam_var_run_t
2019-02-25 23:17:05 +01:00
Lukas Vrabec
0bd9f6aa0b Merge #15 Add check for config file consistency 2019-02-25 18:20:52 +00:00
Vit Mojzis
46c51e1cb2 Add check for config file consistency
Make sure the config is consistent with what packages are (being)
installed in the system.

This should ensure that the package corresponding to SELINUXTYPE
in the config is always present in the system, or selinux is DISABLED
(both before policy_load is called and after any RPM transaction involving
selinux-policy-* package). Targeted mode is used when possible.

Resolves: rhbz#1641631

Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
2019-02-19 16:49:27 +01:00
Lukas Vrabec
c3cce98fea
* Thu Feb 14 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.3-22
- Allow dovecot_t domain to connect to mysql db
- Add dac_override capability for sbd_t SELinux domain
- Add dac_override capability for  spamd_update_t domain
- Allow nnp transition for domains fsadm_t, lvm_t and mount_t - Add fs_manage_fusefs_named_pipes interface
2019-02-14 17:52:26 +01:00
Lukas Vrabec
37bb67856f
* Tue Feb 12 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.3-21
- Allow glusterd_t to write to automount unnamed pipe Resolves: rhbz#1674243
- Allow ddclient_t to setcap Resolves: rhbz#1674298
- Add dac_override capability to vpnc_t domain
- Add dac_override capability to spamd_t domain
- Allow ibacm_t domain to read system state and label all ibacm sockets and symlinks as ibacm_var_run_t in /var/run
- Allow read network state of system for processes labeled as ibacm_t
- Allow ibacm_t domain to send dgram sockets to kernel processes
- Allow dovecot_t to connect to MySQL UNIX socket
- Fix CI for use on forks
- Fix typo bug in sensord policy
- Update ibacm_t policy after testing lastest version of this component
- Allow sensord_t domain to mmap own log files
- Allow virt_doamin to read/write dev device
- Add dac_override capability for ipa_helper_t
- Update policy with multiple allow rules to make working installing VM in MLS policy
- Allow syslogd_t domain to send null signal to all domains on system Resolves: rhbz#1673847 - Merge branch 'rawhide' of github.com:fedora-selinux/selinux-policy into rawhide - Allow systemd-logind daemon to remove shared memory during logout Resolves: rhbz#1674172 - Always label /home symlinks as home_root_t - Update mount_read_pid_files macro to allow also list mount_var_run_t dirs - Fix typo bug in userdomain SELinux policy - Merge branch 'rawhide' of github.com:fedora-selinux/selinux-policy into rawhide - Allow user domains to stop systemd user sessions during logout process - Fix CI for use on forks - Label /dev/sev char device as sev_device_t - Add s_manage_fusefs_named_sockets interface - Allow systemd-journald to receive messages including a memfd
2019-02-12 17:05:35 +01:00
Lukas Vrabec
6fe0e8a6a7
* Sat Feb 02 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.3-20
- Allow sensord_t domain to use nsswitch and execute shell
- Allow opafm_t domain to execute lib_t files
- Allow opafm_t domain to manage kdump_crash_t files and dirs
- Allow virt domains to read/write cephfs filesystems
- Allow virtual machine to write to fixed_disk_device_t
- Update kdump_manage_crash() interface to allow also manage dirs by caller domain Resolves: rhbz#1491585
- Allow svnserve_t domain to create in /tmp svn_0 file labeled as krb5_host_rcache_t
- Allow vhostmd_t read libvirt configuration files
- Update dbus_role_template interface to allow userdomains to accept data from userdomain dbus domains
- Add miscfiles_filetrans_named_content_letsencrypt() to optional_block - Allow unconfined domains to create letsencrypt directory in /var/lib labeled as cert_t - Allow staff_t user to systemctl iptables units. - Allow systemd to read selinux logind config - obj_perm_sets.spt: Add xdp_socket to socket_class_set. - Add xdp_socket security class and access vectors - Allow transition from init_t domain to user_t domain during ssh login with confined user user_u
2019-02-02 13:41:12 +01:00
Lukas Vrabec
ee38f3e105
* Tue Jan 29 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.3-19
- Add new xdp_socket class
- Update dbus_role_template interface to allow userdomains to accept data from userdomain dbus domains
- Allow boltd_t domain to read cache_home_t files BZ(1669911)
- Allow winbind_t domain to check for existence of processes labeled as systemd_hostnamed_t BZ(1669912)
- Allow gpg_agent_t to create own tmpfs dirs and sockets
- Allow openvpn_t domain to manage vpnc pidfiles BZ(1667572)
- Add multiple interfaces for vpnc interface file
- Label /var/run/fcgiwrap dir as httpd_var_run_t BZ(1655702)
- In MongoDB 3.4.16, 3.6.6, 4.0.0 and later, mongod reads netstat info from proc and stores it in its diagnostic system (FTDC). See: https://jira.mongodb.org/browse/SERVER-31400 This means that we need to adjust the policy so that the mongod process is allowed to open and read /proc/net/netstat, which typically has symlinks (e.g. /proc/net/snmp).
- Allow gssd_t domain to manage kernel keyrings of every domain.
- Revert "Allow gssd_t domain to read/write kernel keyrings of every domain."
- Allow plymouthd_t search efivarfs directory BZ(1664143)
2019-01-29 16:51:11 +01:00
Igor Gnatenko
1767906c81 Remove obsolete Group tag
References: https://fedoraproject.org/wiki/Changes/Remove_Group_Tag
2019-01-28 20:24:49 +01:00
Lukas Vrabec
1d650f7cbb
* Tue Jan 15 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.3-18
- Allow plymouthd_t search efivarfs directory BZ(1664143)
- Allow arpwatch send e-mail notifications BZ(1657327)
- Allow tangd_t domain to bind on tcp ports labeled as tangd_port_t
- Allow gssd_t domain to read/write kernel keyrings of every domain.
- Allow systemd_timedated_t domain nnp_transition BZ(1666222)
- Add the fs_search_efivarfs_dir interface
- Create tangd_port_t with default label tcp/7406
- Add interface domain_rw_all_domains_keyrings()
- Some of the selinux-policy macros doesn't work in chroots/initial installs. BZ(1665643)
2019-01-15 18:29:10 +01:00
Lukas Vrabec
f1dd2fa0f0
* Fri Jan 11 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.3-17
- Allow staff_t domain to read read_binfmt_misc filesystem
- Add interface fs_read_binfmt_misc()
- Revert "Allow staff_t to rw binfmt_misc_fs_t files BZ(1658975)"
2019-01-11 16:07:53 +01:00
Lukas Vrabec
78bc214808
* Fri Jan 11 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.3-16
- Allow sensord_t to execute own binary files
- Allow pcp_pmlogger_t domain to getattr all filesystem BZ(1662432)
- Allow virtd_lxc_t domains use BPF BZ(1662613)
- Allow openvpn_t domain to read systemd state BZ(1661065)
- Dontaudit ptrace all domains for blueman_t BZ(1653671)
- Used correct renamed interface for imapd_t domain
- Change label of /usr/libexec/lm_sensors/sensord-service-wrapper from lsmd_exec_t to sensord_exec_t BZ(1662922)
- Allow hddtemp_t domain to read nvme block devices BZ(1663579)
- Add dac_override capability to spamd_t domain BZ(1645667)
- Allow pcp_pmlogger_t to mount tracefs_t filesystem BZ(1662983)
- Allow pcp_pmlogger_t domain to read al sysctls BZ(1662441)
- Specify recipients that will be notified about build CI results.
- Allow saslauthd_t domain to mmap own pid files BZ(1653024)
- Add dac_override capability for snapperd_t domain BZ(1619356)
- Make kpatch_t domain application domain to allow users to execute kpatch in kpatch_t domain.
- Add ipc_owner capability to pcp_pmcd_t domain BZ(1655282)
- Update pulseaudio_stream_connect() to allow caller domain create stream sockets to cumminicate with pulseaudio
- Allow pcp_pmlogger_t domain to send signals to rpm_script_t BZ(1651030)
- Add new interface: rpm_script_signal()
- Allow init_t domain to mmap init_var_lib_t files and dontaudit leaked fd. BZ(1651008)
- Make workin: systemd-run --system --pty bash BZ(1647162)
- Allow ipsec_t domain dbus chat with systemd_resolved_t BZ(1662443)
- Allow staff_t to rw binfmt_misc_fs_t files BZ(1658975)
- Specify recipients that will be notified about build CI results.
- Label /usr/lib/systemd/user as systemd_unit_file_t BZ(1652814)
- Allow sysadm_t,staff_t and unconfined_t domain to execute kpatch as kpatch_t domain
- Add rules to allow systemd to mounton systemd_timedated_var_lib_t.
- Allow x_userdomains to stream connect to pulseaudio BZ(1658286)
2019-01-11 12:46:15 +01:00
Lukas Vrabec
cecdfcd1b2
* Sun Dec 16 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.14.3-15
- Add macro-expander script to selinux-policy-devel package
2018-12-16 21:37:16 +01:00
Lukas Vrabec
7d7414921d
Add macro-expander script to selinux-policy-devel package 2018-12-16 21:35:37 +01:00
Lukas Vrabec
22bdc94c2b
* Fri Dec 06 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.14.3-14
- Remove all ganesha bits from gluster and rpc policy
- Label /usr/share/spamassassin/sa-update.cron as spamd_update_exec_t
- Add dac_override capability to ssad_t domains
- Allow pesign_t domain to read gnome home configs
- Label /usr/libexec/lm_sensors/sensord-service-wrapper as lsmd_exec_t
- Allow rngd_t domains read kernel state
- Allow certmonger_t domains to read bind cache
- Allow ypbind_t domain to stream connect to sssd
- Allow rngd_t domain to setsched
- Allow sanlock_t domain to read/write sysfs_t files
- Add dac_override capability to postfix_local_t domain
- Allow ypbind_t to search sssd_var_lib_t dirs
- Allow virt_qemu_ga_t domain to write to user_tmp_t files
- Allow systemd_logind_t to dbus chat with virt_qemu_ga_t
- Update sssd_manage_lib_files() interface to allow also mmap sssd_var_lib_t files
- Add new interface sssd_signal()
- Update xserver_filetrans_home_content() and xserver_filetrans_admin_home_content() unterfaces to allow caller domain to create .vnc dir in users homedir labeled as xdm_home_t
- Update logging_filetrans_named_content() to allow caller domains of this interface to create /var/log/journal/remote directory labeled as var_log_t
- Add sys_resource capability to the systemd_passwd_agent_t domain
- Allow ipsec_t domains to read bind cache
- kernel/files.fc: Label /run/motd as etc_t
- Allow systemd to stream connect to userdomain processes
- Label /var/lib/private/systemd/ as init_var_lib_t
- Allow initrc_t domain to create new socket labeled as init_T
- Allow audisp_remote_t domain remote logging client to read local audit events from relevant socket.
- Add tracefs_t type to mountpoint attribute
- Allow useradd_t and groupadd_t domains to send signals to sssd_t
- Allow systemd_logind_t domain to remove directories labeled as tmpfs_t BZ(1648636)
- Allow useradd_t and groupadd_t domains to access sssd files because of the new feature in shadow-utils
2018-12-06 16:43:04 +01:00
Lukas Vrabec
70c776a7bc
* Wed Nov 07 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.14.3-13
- Update pesign policy to allow pesign_t domain to read bind cache files/dirs
- Add dac_override capability to mdadm_t domain
- Create ibacm_tmpfs_t type for the ibacm policy
- Dontaudit capability sys_admin for dhcpd_t domain
- Makes rhsmcertd_t domain an exception to the constraint preventing changing the user identity in object contexts.
- Allow abrt_t domain to mmap generic tmp_t files
- Label /usr/sbin/wpa_cli as wpa_cli_exec_t
- Allow sandbox_xserver_t domain write to user_tmp_t files
- Allow certutil running as ipsec_mgmt_t domain to mmap ipsec_mgmt pid files Dontaudit ipsec_mgmt_t domain to write to the all mountpoints
- Add interface files_map_generic_tmp_files()
- Add dac_override capability to the syslogd_t domain
- Create systemd_timedated_var_run_t label
- Update systemd_timedated_t domain to allow create own pid files/access init_var_lib_t files and read dbus files BZ(1646202)
- Add init_read_var_lib_lnk_files and init_read_var_lib_sock_files interfaces
2018-11-07 23:34:46 +01:00
Lukas Vrabec
e4f858261b
* Sun Nov 04 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.14.3-12
- Dontaudit thumb_t domain to setattr on lib_t dirs BZ(1643672)
- Dontaudit cupsd_t domain to setattr lib_t dirs BZ(1636766)
- Add dac_override capability to postgrey_t domain BZ(1638954)
- Allow thumb_t domain to execute own tmpfs files BZ(1643698)
- Allow xdm_t domain to manage dosfs_t files BZ(1645770)
- Label systemd-timesyncd binary as systemd_timedated_exec_t to make it run in systemd_timedated_t domain BZ(1640801)
- Improve fs_manage_ecryptfs_files to allow caller domain also mmap ecryptfs_t files BZ(1630675)
- Label systemd-user-runtime-dir binary as systemd_logind_exec_t BZ(1644313)
2018-11-04 19:53:51 +01:00
Lukas Vrabec
9fcbb6398f
* Sun Nov 04 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.14.3-11
- Add nnp transition rule for vnstatd_t domain using NoNewPrivileges systemd feature BZ(1643063)
- Allow l2tpd_t domain to mmap /etc/passwd file BZ(1638948)
- Add dac_override capability to ftpd_t domain
- Allow gpg_t to create own tmpfs dirs and sockets
- Allow rhsmcertd_t domain to relabel cert_t files
- Add SELinux policy for kpatch
- Allow nova_t domain to use pam
- sysstat: grant sysstat_t the search_dir_perms set
- Label systemd-user-runtime-dir binary as systemd_logind_exec_t BZ(1644313)
- Allow systemd_logind_t to read fixed dist device BZ(1645631)
- Allow systemd_logind_t domain to read nvme devices BZ(1645567)
- Allow systemd_rfkill_t domain to comunicate via dgram sockets with syslogd BZ(1638981)
- kernel/files.fc: Label /run/motd.d(/.*)? as etc_t
- Allow ipsec_mgmt_t process to send signals other than SIGKILL, SIGSTOP, or SIGCHLD to the ipsec_t domains BZ(1638949)
- Allow X display manager to check status and reload services which are part of x_domain attribute
- Add interface miscfiles_relabel_generic_cert()
- Make kpatch policy active
- Fix userdom_write_user_tmp_dirs() to allow caller domain also read/write user_tmp_t dirs
- Dontaudit sys_admin capability for netutils_t domain
- Label tcp and udp ports 2611 as qpasa_agent_port_t
2018-11-04 01:55:34 +01:00
Lukas Vrabec
b602e5bcc1
* Tue Oct 16 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.14.3-10
- Allow boltd_t domain to dbus chat with fwupd_t domain BZ(1633786)
2018-10-16 00:18:59 +02:00
Lukas Vrabec
9b1e4d53d1
* Mon Oct 15 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.14.3-9
- Allow caller domains using cron_*_role to have entrypoint permission on system_cron_spool_t files BZ(1625645)
- Add interface cron_system_spool_entrypoint()
- Bolt added d-bus API for force-powering the thunderbolt controller, so system-dbusd needs acces to boltd pipes BZ(1637676)
- Add interfaces for boltd SELinux module
- Add dac_override capability to modemmanager_t domain BZ(1636608)
- Allow systemd to mount boltd_var_run_t dirs BZ(1636823)
- Label correctly /var/named/chroot*/dev/unrandom in bind chroot.
2018-10-15 17:44:05 +02:00
Lukas Vrabec
4b05ad26d8
* Sat Oct 13 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.14.3-8
- ejabberd SELinux module removed, it's shipped by ejabberd-selinux package
2018-10-13 22:39:48 +02:00
Lukas Vrabec
146094f7a3
* Sat Oct 13 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.14.3-7
- Update rpm macros for selinux policy from sources repository: https://github.com/fedora-selinux/selinux-policy-macros
2018-10-13 00:13:10 +02:00
Lukas Vrabec
729e95002a
Fix typo bug in version 2018-10-09 17:50:46 +02:00
Lukas Vrabec
c889572bdc
* Tue Oct 09 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.14.3-6
- Allow boltd_t to be activated by init socket activation
- Allow virt_domain to read/write to virtd_t unix_stream socket because of new version of libvirt 4.4. BZ(1635803)
- Update SELinux policy for libreswan based on the latest rebase 3.26
- Fix typo in init_named_socket_activation interface
2018-10-09 17:49:28 +02:00
Lukas Vrabec
43c3b7f814
Merge branch 'master' of ssh://pkgs.fedoraproject.org/rpms/selinux-policy 2018-10-04 16:28:36 +02:00
Lukas Vrabec
ef7c751093
* Thu Oct 04 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.14.3-5
- Allow dictd_t domain to mmap dictd_var_lib_t files BZ(1634650)
- Fix typo in boltd.te policy
- Allow fail2ban_t domain to mmap journal
- Add kill capability to named_t domain
- Allow neutron domain to read/write /var/run/utmp
- Create boltd_var_run_t type for boltd pid files
- Allow tomcat_domain to read /dev/random
- Allow neutron_t domain to use pam
- Add the port used by nsca (Nagios Service Check Acceptor)
2018-10-04 16:27:59 +02:00
Lukas Vrabec
efe0830570 Merge #11 Spec: fix typo in Url field (introduced in 51dc83b2d) 2018-10-03 08:03:58 +00:00
Lukas Vrabec
7e236649a1
* Mon Sep 24 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.14.3-4
- Update sources to include SELinux policy for containers
2018-09-24 17:11:01 +02:00
Lukas Vrabec
5d5eb8e7fc
* Thu Sep 20 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.14.3-3
- Allow certmonger to manage cockpit_var_run_t pid files
- Allow cockpit_ws_t domain to manage cockpit services
- Allow dirsrvadmin_script_t domain to list httpd_tmp_t dirs
- Add interface apache_read_tmp_dirs()
- Fix typo in cockpit interfaces we have cockpit_var_run_t files not cockpit_var_pid_t
- Add interface apcupsd_read_power_files()
- Allow systemd labeled as init_t to execute logrotate in logrotate_t domain
- Allow dac_override capability to amanda_t domain
- Allow geoclue_t domain to get attributes of fs_t filesystems
- Update selinux policy for rhnsd_t domain based on changes in spacewalk-2.8-client
- Allow cockpit_t domain to read systemd state
- Allow abrt_t domain to write to usr_t files
- Allow cockpit to create motd file in /var/run/cockpit
- Label /usr/sbin/pcsd as cluster_exec_t
- Allow pesign_t domain to getattr all fs
- Allow tomcat servers to manage usr_t files
- Dontaudit tomcat serves to append to /dev/random device
- Allow dirsrvadmin_script_t domain to read httpd tmp files
- Allow sbd_t domain to getattr of all char files in /dev and read sysfs_t files and dirs
- Fix path where are sources for CI
- Revert "Allow firewalld_t domain to read random device"
- Add travis CI for selinux-policy-contrib repo
- Allow postfix domains to mmap system db files
- Allow geoclue_t domain to execute own tmp files
- Update ibacm_read_pid_files interface to allow also reading link files
- Allow zebra_t domain to create packet_sockets
- Allow opafm_t domain to list sysfs
- Label /usr/libexec/cyrus-imapd/cyrus-master as cyris_exec_t
- Allow tomcat Tomcat to delete a temporary file used when compiling class files for JSPs.
- Allow chronyd_t domain to read virt_var_lib_t files
- Allow systemd to read apcupsd power files
- Revert "Allow polydomain to create /tmp-inst labeled as tmp_t"
- Allow polydomain to create /tmp-inst labeled as tmp_t
- Allow polydomain to create /tmp-inst labeled as tmp_t
- Allow systemd_resolved_t domain to bind on udp howl port
- Add new boolean use_virtualbox Resolves: rhbz#1510478
- Allow sshd_t domain to read cockpit pid files
- Allow syslogd_t domain to manage cert_t files
- Fix path where are sources for CI
- Add travis.yml to to create CI for selinux-policy sources
- Allow getattr as part of files_mounton_kernel_symbol_table.
- Fix typo "aduit" -> "audit"
- Revert "Add new interface dev_map_userio()"
- Add new interface dev_map_userio()
- Allow systemd to read ibacm pid files
2018-09-20 08:54:04 +02:00
Lukas Vrabec
833e3136e5
* Thu Sep 06 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.14.3-2
- Allow tomcat services create link file in /tmp
- Label /etc/shorewall6 as shorewall_etc_t
- Allow winbind_t domain kill in user namespaces
- Allow firewalld_t domain to read random device
- Allow abrt_t domain to do execmem
- Allow geoclue_t domain to execute own var_lib_t files
- Allow openfortivpn_t domain to read system network state
- Allow dnsmasq_t domain to read networkmanager lib files
- sssd: Allow to limit capabilities using libcap
- sssd: Remove unnecessary capability
- sssd: Do not audit usage of lib nss_systemd.so
- Fix bug in nsd.fc, /var/run/nsd.ctl is socket file not file
- Add correct namespace_init_exec_t context to /etc/security/namespace.d/*
- Update nscd_socket_use to allow caller domain to mmap nscd_var_run_t files
- Allow exim_t domain to mmap bin files
- Allow mysqld_t domain to executed with nnp transition
- Allow svirt_t domain to mmap svirt_image_t block files
- Add caps dac_read_search and dav_override to pesign_t domain
- Allow iscsid_t domain to mmap userio chr files
- Add read interfaces for mysqld_log_t that was added in commit df832bf
- Allow boltd_t to dbus chat with xdm_t
- Conntrackd need to load kernel module to work
- Allow mysqld sys_nice capability
- Update boltd policy based on SELinux denials from rhbz#1607974
- Allow systemd to create symlinks in for /var/lib
- Add comment to show that template call also allows changing shells
- Document userdom_change_password_template() behaviour
- update files_mounton_kernel_symbol_table() interface to allow caller domain also mounton system_map_t file
- Fix typo in logging SELinux module
- Allow usertype to mmap user_tmp_type files
- In domain_transition_pattern there is no permission allowing caller domain to execu_no_trans on entrypoint, this patch fixing this issue
- Revert "Add execute_no_trans permission to mmap_exec_file_perms pattern"
- Add boolean: domain_can_mmap_files.
- Allow ipsec_t domian to mmap own tmp files
- Add .gitignore file
- Add execute_no_trans permission to mmap_exec_file_perms pattern
- Allow sudodomain to search caller domain proc info
- Allow audisp_remote_t domain to read auditd_etc_t
- netlabel: Remove unnecessary sssd nsswitch related macros
- Allow to use sss module in auth_use_nsswitch
- Limit communication with init_t over dbus
- Add actual modules.conf to the git repo
- Add few interfaces to optional block
- Allow sysadm_t and staff_t domain to manage systemd unit files
- Add interface dev_map_userio_dev()
2018-09-06 22:33:33 +02:00
Lukas Vrabec
046756d71a
* Tue Aug 28 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.14.3-1
- Allow ovs-vswitchd labeled as openvswitch_t domain communicate with qemu-kvm via UNIX stream socket
- Add interface devicekit_mounton_var_lib()
- Allow httpd_t domain to mmap tmp files
- Allow tcsd_t domain to have dac_override capability
- Allow cupsd_t to rename cupsd_etc_t files
- Allow iptables_t domain to create rawip sockets
- Allow amanda_t domain to mmap own tmpfs files
- Allow fcoemon_t domain to write to sysfs_t dirs
- Allow dovecot_auth_t domain to have dac_override capability
- Allow geoclue_t domain to mmap own tmp files
- Allow chronyc_t domain to read network state
- Allow apcupsd_t domain to execute itself
- Allow modemmanager_t domain to stream connect to sssd
- Allow chonyc_t domain to rw userdomain pipes
- Update dirsrvadmin_script_t policy to allow read httpd_tmp_t symlinks
- Update dirsrv_read_share() interface to allow caller domain to mmap dirsrv_share_t files
- Allow nagios_script_t domain to mmap nagios_spool_t files
- Allow geoclue_t domain to mmap geoclue_var_lib_t files
- Allow geoclue_t domain to map generic certs
- Update munin_manage_var_lib_files to allow manage also dirs
- Allow nsd_t domain to create new socket file in /var/run/nsd.ctl
- Fix typo in virt SELinux policy module
- Allow virtd_t domain to create netlink_socket
- Allow rpm_t domain to write to audit
- Allow nagios_script_t domain to mmap nagios_etc_t files
- Update nscd_socket_use() to allow caller domain to stream connect to nscd_t
- Allow kdumpctl_t domain to getattr fixed disk device in mls
- Fix typo in stapserver policy
- Dontaudit abrt_t domain to write to usr_t dirs
- Revert "Allow rpcbind to bind on all unreserved udp ports"
- Allow rpcbind to bind on all unreserved udp ports
- Allow virtlogd to execute itself
- Allow stapserver several actions: - execute own tmp files - mmap stapserver_var_lib_t files - create stapserver_tmpfs_t files
- Allow ypxfr_t domain to stream connect to rpcbind and allos search sssd libs
- Allos systemd to socket activate ibacm service
- Allow dirsrv_t domain to mmap user_t files
- Allow kdumpctl_t domain to manage kdumpctl_tmp_t fifo files
- Allow kdumpctl to write to files on all levels
- Allow httpd_t domain to mmap httpd_config_t files
- Allow sanlock_t domain to connectto to unix_stream_socket
- Revert "Add same context for symlink as binary"
- Allow mysql execute rsync
- Update nfsd_t policy because of ganesha features
- Allow conman to getattr devpts_t
- Allow tomcat_domain to connect to smtp ports
- Allow tomcat_t domain to mmap tomcat_var_lib_t files
- Allow nagios_t domain to mmap nagios_log_t files
- Allow kpropd_t domain to mmap krb5kdc_principal_t files
- Allow kdumpctl_t domain to read fixed disk storage
2018-08-29 00:10:24 +02:00
Lukas Vrabec
354ea12800
* Fri Aug 10 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.14.2-32
- Fix issue with aliases in apache interface file
- Add same context for symlink as binary
- Allow boltd_t to send logs to journal
- Allow colord_use_nfs to allow colord also mmap nfs_t files
- Allow mysqld_safe_t do execute itself
- Allow smbd_t domain to chat via dbus with avahi daemon
- cupsd_t domain will create /etc/cupsd/ppd as cupsd_etc_rw_t
- Update screen_role_template to allow caller domain to have screen_exec_t as entrypoint do new domain
- Add alias httpd__script_t to _script_t to make sepolicy generate working
- Allow gpg_t domain to mmap gpg_agent_tmp_t files
- label /var/lib/pgsql/data/log as postgresql_log_t
- Allow sysadm_t domain to accept socket
- Allow systemd to manage passwd_file_t
- Allow sshd_t domain to mmap user_tmp_t files
2018-08-10 17:26:19 +02:00
Lukas Vrabec
bb7c753263
* Tue Aug 07 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.14.2-31
- Allow kprop_t domain to read network state
- Add support boltd policy
- Allow kpropd domain to exec itself
- Allow pdns_t to bind on tcp transproxy port
- Add support for opafm service
- Allow hsqldb_t domain to read cgroup files
- Allow rngd_t domain to read generic certs
- Allow innd_t domain to mmap own var_lib_t files
- Update screen_role_temaplate interface
- Allow chronyd_t domain to mmap own tmpfs files
- Allow sblim_sfcbd_t domain to mmap own tmpfs files
- Allow systemd to mounont boltd lib dirs
- Allow sysadm_t domain to create rawip sockets
- Allow sysadm_t domain to listen on socket
- Update sudo_role_template() to allow caller domain also setattr generic ptys
- Update logging_manage_all_logs() interface to allow caller domain map all logfiles
2018-08-07 15:54:42 +02:00
Lukas Vrabec
da3bd2ceb6
* Sun Jul 29 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.14.2-30
- Allow sblim_sfcbd_t domain to mmap own tmpfs files
- Allow nfsd_t domain to read krb5 keytab files
- Allow nfsd_t domain to manage fadm pid files
- Allow virt_domain to create icmp sockets BZ(1609142)
- Dontaudit oracleasm_t domain to request sys_admin capability
- Update logging_manage_all_logs() interface to allow caller domain map all logfiles
2018-07-29 17:17:33 +02:00
Lukas Vrabec
539110c25c
* Wed Jul 25 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.14.2-29
- Allow aide to mmap all files
- Revert "Allow firewalld to create rawip sockets"
- Revert "Allow firewalld_t do read iptables_var_run_t files"
- Allow svirt_tcg_t domain to read system state of virtd_t domains
- Update rhcs contexts to reflects the latest fenced changes
- Allow httpd_t domain to rw user_tmp_t files
- Fix typo in openct policy
- Allow winbind_t domian to connect to all ephemeral ports
- Allow firewalld_t do read iptables_var_run_t files
- Allow abrt_t domain to mmap data_home files
- Allow glusterd_t domain to mmap user_tmp_t files
- Allow mongodb_t domain to mmap own var_lib_t files
- Allow firewalld to read kernel usermodehelper state
- Allow modemmanager_t to read sssd public files
- Allow openct_t domain to mmap own var_run_t files
- Allow nnp transition for devicekit daemons
- Allow firewalld to create rawip sockets
- Allow firewalld to getattr proc filesystem
- Dontaudit sys_admin capability for pcscd_t domain
- Revert "Allow pcsd_t domain sys_admin capability"
- Allow fetchmail_t domain to stream connect to sssd
- Allow pcsd_t domain sys_admin capability
- Allow cupsd_t to create cupsd_etc_t dirs
- Allow varnishlog_t domain to list varnishd_var_lib_t dirs
- Allow mongodb_t domain to read system network state BZ(1599230)
- Allow tgtd_t domain to create dirs in /var/run labeled as tgtd_var_run_t BZ(1492377)
- Allow iscsid_t domain to mmap sysfs_t files
- Allow httpd_t domain to mmap own cache files
- Add sys_resource capability to nslcd_t domain
- Fixed typo in logging_audisp_domain interface
- Add interface files_mmap_all_files()
- Add interface iptables_read_var_run()
- Allow systemd to mounton init_var_run_t files
- Update policy rules for auditd_t based on changes in audit version 3
- Allow systemd_tmpfiles_t do mmap system db files
- Merge branch 'rawhide' of github.com:fedora-selinux/selinux-policy into rawhide
- Improve domain_transition_pattern to allow mmap entrypoint bin file.
- Don't setup unlabeled_t as an entry_type
- Allow unconfined_service_t to transition to container_runtime_t
2018-07-25 23:42:34 +02:00
Lukas Vrabec
35bcefb9e1
* Wed Jul 18 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.14.2-28
- Allow cupsd_t domain to mmap cupsd_etc_t files
- Allow kadmind_t domain to mmap krb5kdc_principal_t
- Allow virtlogd_t domain to read virt_etc_t link files
- Allow dirsrv_t domain to read crack db
- Dontaudit pegasus_t to require sys_admin capability
- Allow mysqld_t domain to exec mysqld_exec_t binary files
- Allow abrt_t odmain to read rhsmcertd lib files
- Allow winbind_t domain to request kernel module loads
- Allow tomcat_domain to read cgroup_t files
- Allow varnishlog_t domain to mmap varnishd_var_lib_t files
- Allow innd_t domain to mmap news_spool_t files
- Label HOME_DIR/mozilla.pdf file as mozilla_home_t instead of user_home_t
- Allow fenced_t domain to reboot
- Allow amanda_t domain to read network system state
- Allow abrt_t domain to read rhsmcertd logs
- Fix typo in radius policy
- Update zoneminder policy to reflect latest features in zoneminder BZ(1592555)
- Label /usr/bin/esmtp-wrapper as sendmail_exec_t
- Update raid_access_check_mdadm() interface to dontaudit caller domain to mmap mdadm_exec_t binary files
- Dontaudit thumb to read mmap_min_addr
- Allow chronyd_t to send to system_cronjob_t via unix dgram socket BZ(1494904)
- Allow mpd_t domain to mmap mpd_tmpfs_t files BZ(1585443)
- Allow collectd_t domain to use ecryptfs files BZ(1592640)
- Dontaudit mmap home type files for abrt_t domain
- Allow fprintd_t domain creating own tmp files BZ(1590686)
- Allow collectd_t domain to bind on bacula_port_t BZ(1590830)
- Allow fail2ban_t domain to getpgid BZ(1591421)
- Allow nagios_script_t domain to mmap nagios_log_t files BZ(1593808)
- Allow pcp_pmcd_t domain to use sys_ptrace usernamespace cap
- Allow sssd_selinux_manager_t to read/write to systemd sockets BZ(1595458)
- Allow virt_qemu_ga_t domain to read network state BZ(1592145)
- Allow radiusd_t domain to mmap radius_etc_rw_t files
- Allow git_script_t domain to read and mmap gitosis_var_lib_t files BZ(1591729)
- Add dac_read_search capability to thumb_t domain
- Add dac_override capability to cups_pdf_t domain BZ(1594271)
- Add net_admin capability to connntrackd_t domain BZ(1594221)
- Allow gssproxy_t domain to domtrans into gssd_t domain BZ(1575234)
- Fix interface init_dbus_chat in oddjob SELinux policy BZ(1590476)
- Allow motion_t to mmap video devices BZ(1590446)
- Add dac_override capability to mpd_t domain BZ(1585358)
- Allow fsdaemon_t domain to write to mta home files BZ(1588212)
- Allow virtlogd_t domain to chat via dbus with systemd_logind BZ(1589337)
- Allow sssd_t domain to write to general cert files BZ(1589339)
- Allow l2tpd_t domain to sends signull to ipsec domains BZ(1589483)
- Allow cockpit_session_t to read kernel network state BZ(1596941)
- Allow devicekit_power_t start with nnp systemd security feature with proper SELinux Domain transition BZ(1593817)
- Update rhcs_rw_cluster_tmpfs() interface to allow caller domain to mmap cluster_tmpfs_t files
- Allow chronyc_t domain to use nscd shm
- Label /var/lib/tomcats dir as tomcat_var_lib_t
2018-07-18 17:37:07 +02:00
Fedora Release Engineering
9034dd66a3 - Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
Signed-off-by: Fedora Release Engineering <releng@fedoraproject.org>
2018-07-14 05:57:18 +00:00
Jason Tibbitts
91c8ed0d49 Remove needless use of %defattr 2018-07-10 01:20:06 -05:00
Jan Pokorný
e7ec0c885a
Spec: fix typo in Url field (introduced in 51dc83b2d)
Signed-off-by: Jan Pokorný <jpokorny@redhat.com>
2018-07-05 18:19:21 +02:00
Lukas Vrabec
985fc6104c
* Wed Jun 27 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.14.2-26
- Allow psad domain to setrlimit. Allow psad domain to stream connect to dbus Allow psad domain to exec journalctl_exec_t binary
- Update cups_filetrans_named_content() to allow caller domain create ppd directory with cupsd_etc_rw_t label
- Allow abrt_t domain to write to rhsmcertd pid files
- Allow pegasus_t domain to eexec lvm binaries and allow read/write access to lvm control
- Add vhostmd_t domain to read/write to svirt images
- Update kdump_manage_kdumpctl_tmp_files() interface to allow caller domain also mmap kdumpctl_tmp_t files
- Allow sssd_t and slpad_t domains to mmap generic certs
- Allow chronyc_t domain use inherited user ttys
- Allow stapserver_t domain to mmap own tmp files
- Update nscd_dontaudit_write_sock_file() to dontaudit also stream connect to nscd_t domain
- Merge pull request #60 from vmojzis/rawhide
- Allow tangd_t domain stream connect to sssd
- Allow oddjob_t domain to chat with systemd via dbus
- Allow freeipmi domains to mmap sysfs files
- Fix typo in logwatch interface file
- Allow sysadm_t and staff_t domains to use sudo io logging
- Allow sysadm_t domain create sctp sockets
- Allow traceroute_t domain to exec bin_t binaries
- Allow systemd_passwd_agent_t domain to list sysfs Allow systemd_passwd_agent_t domain to dac_override
- Add new interface dev_map_sysfs()
2018-06-27 10:25:55 +02:00
Lukas Vrabec
5d84adca3e
Remove config.tgz from distgit and put configuration to policy sources on github 2018-06-26 17:21:53 +02:00
Lukas Vrabec
f4debe939a
* Thu Jun 14 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.14.2-25
- Merge pull request #60 from vmojzis/rawhide
- Allow tangd_t domain stream connect to sssd
- Allow oddjob_t domain to chat with systemd via dbus
- Allow freeipmi domains to mmap sysfs files
- Fix typo in logwatch interface file
- Allow spamd_t to manage logwatch_cache_t files/dirs
- Allow dnsmasw_t domain to create own tmp files and manage mnt files
- Allow fail2ban_client_t to inherit rlimit information from parent process
- Allow nscd_t to read kernel sysctls
- Label /var/log/conman.d as conman_log_t
- Add dac_override capability to tor_t domain
- Allow certmonger_t to readwrite to user_tmp_t dirs
- Allow abrt_upload_watch_t domain to read general certs
- Allow chornyd_t read phc2sys_t shared memory
- Add several allow rules for pesign policy:
- Add setgid and setuid capabilities to mysqlfd_safe_t domain
- Add tomcat_can_network_connect_db boolean
- Update virt_use_sanlock() boolean to read sanlock state
- Add sanlock_read_state() interface
- Allow zoneminder_t to getattr of fs_t
- Allow rhsmcertd_t domain to send signull to postgresql_t domain
- Add log file type to collectd and allow corresponding access
- Allow policykit_t domain to dbus chat with dhcpc_t
- Allow traceroute_t domain to exec bin_t binaries
- Allow systemd_passwd_agent_t domain to list sysfs Allow systemd_passwd_agent_t domain to dac_override
- Add new interface dev_map_sysfs()
- Allow sshd_keygen_t to execute plymouthd
- Allow systemd_networkd_t create and relabel tun sockets
- Add new interface postgresql_signull()
2018-06-14 15:31:59 +02:00
Lukas Vrabec
1d35f9ea76
* Tue Jun 12 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.14.2-24
- /usr/libexec/bluetooth/obexd should have only obexd_exec_t instead of bluetoothd_exec_t type
- Allow ntop_t domain to create/map various sockets/files.
- Enable the dictd to communicate via D-bus.
- Allow inetd_child process to chat via dbus with abrt
- Allow zabbix_agent_t domain to connect to redis_port_t
- Allow rhsmcertd_t domain to read xenfs_t files
- Allow zabbix_agent_t to run zabbix scripts
- Fix openvswith SELinux module
- Fix wrong path in tlp context file BZ(1586329)
- Update brltty SELinux module
- Allow rabbitmq_t domain to create own tmp files/dirs
- Allow policykit_t mmap policykit_auth_exec_t files
- Allow ipmievd_t domain to read general certs
- Add sys_ptrace capability to pcp_pmie_t domain
- Allow squid domain to exec ldconfig
- Update gpg SELinux policy module
- Allow mailman_domain to read system network state
- Allow openvswitch_t domain to read neutron state and read/write fixed disk devices
- Allow antivirus_domain to read all domain system state
- Allow targetd_t domain to red gconf_home_t files/dirs
- Label /usr/libexec/bluetooth/obexd as obexd_exec_t
- Add interface nagios_unconfined_signull()
- Fix typos in zabbix.te file
- Add missing requires
- Allow tomcat domain sends email
- Fix typo in sge policy
- Merge pull request #214 from wrabcak/fb-dhcpc
- Allow dhcpc_t creating own socket files inside /var/run/ Allow dhcpc_t creating netlink_kobject_uevent_socket, netlink_generic_socket, rawip_socket BZ(1585971)
- Allow confined users get AFS tokens
- Allow sysadm_t domain to chat via dbus
- Associate sysctl_kernel_t type with filesystem attribute
- Allow syslogd_t domain to send signull to nagios_unconfined_plugin_t
- Fix typo in netutils.te file
2018-06-12 14:22:02 +02:00
Lukas Vrabec
4cca30aa93
* Wed Jun 06 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.14.2-23
- Add dac_override capability to sendmail_t domian
2018-06-06 13:16:15 +02:00
Lukas Vrabec
318acc9510
* Wed Jun 06 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.14.2-22
- Fix typo in authconfig policy
- Update ctdb domain to support gNFS setup
- Allow authconfig_t dbus chat with policykit
- Allow lircd_t domain to read system state
- Revert "Allow fsdaemon_t do send emails BZ(1582701)"
- Typo in uuidd policy
- Allow tangd_t domain read certs
- Allow vpnc_t domain to read configfs_t files/dirs BZ(1583107)
- Allow vpnc_t domain to read generic certs BZ(1583100)
- Label /var/lib/phpMyAdmin directory as httpd_sys_rw_content_t BZ(1584811)
- Allow NetworkManager_ssh_t domain to be system dbud client
- Allow virt_qemu_ga_t read utmp
- Add capability dac_override to system_mail_t domain
- Update uuidd policy to reflect last changes from base branch
- Add cap dac_override to procmail_t domain
- Allow sendmail to mmap etc_aliases_t files BZ(1578569)
- Add new interface dbus_read_pid_sock_files()
- Allow mpd_t domain read config_home files if mpd_enable_homedirs boolean will be enabled
- Allow fsdaemon_t do send emails BZ(1582701)
- Allow firewalld_t domain to request kernel module BZ(1573501)
- Allow chronyd_t domain to send send msg via dgram socket BZ(1584757)
- Add sys_admin capability to fprint_t SELinux domain
- Allow cyrus_t domain to create own files under /var/run BZ(1582885)
- Allow cachefiles_kernel_t domain to have capability dac_override
- Update policy for ypserv_t domain
- Allow zebra_t domain to bind on tcp/udp ports labeled as qpasa_agent_port_t
- Allow cyrus to have dac_override capability
- Dontaudit action when abrt-hook-ccpp is writing to nscd sockets
- Fix homedir polyinstantion under mls
- Fixed typo in init.if file
- Allow systemd to remove generic tmpt files BZ(1583144)
- Update init_named_socket_activation() interface to also allow systemd create objects in /var/run with proper label during socket activation
- Allow systemd-networkd and systemd-resolved services read system-dbusd socket BZ(1579075)
- Fix typo in authlogin SELinux security module
- Allod nsswitch_domain attribute to be system dbusd client BZ(1584632)
- Allow audisp_t domain to mmap audisp_exec_t binary
- Update ssh_domtrans_keygen interface to allow mmap ssh_keygen_exec_t binary file
- Label tcp/udp ports 2612 as qpasa_agetn_port_t
2018-06-06 10:25:52 +02:00
Lukas Vrabec
58acce3c84
* Sat May 26 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.14.2-21
- Add dac_override to exim policy BZ(1574303)
- Fix typo in conntrackd.fc file
- Allow sssd_t to kill sssd_selinux_manager_t
- Allow httpd_sys_script_t to connect to mongodb_port_t if boolean httpd_can_network_connect_db  is turned on
- Allow chronyc_t to redirect ourput to /var/lib /var/log and /tmp
- Allow policykit_auth_t to read udev db files BZ(1574419)
- Allow varnishd_t do be dbus client BZ(1582251)
- Allow cyrus_t domain to mmap own pid files BZ(1582183)
- Allow user_mail_t domain to mmap etc_aliases_t files
- Allow gkeyringd domains to run ssh agents
- Allow gpg_pinentry_t domain read ssh state
- Allow sysadm_u use xdm
- Allow xdm_t domain to listen ofor unix dgram sockets BZ(1581495)
- Add interface ssh_read_state()
- Fix typo in sysnetwork.if file
2018-05-26 00:25:28 +02:00
Lukas Vrabec
9364159b18
* Thu May 24 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.14.2-20
- Allow tangd_t domain to create tcp sockets and add new interface tangd_read_db_files
- Allow mailman_mail_t domain to search for apache configs
- Allow mailman_cgi_t domain to ioctl an httpd with a unix domain stream sockets.
- Improve procmail_domtrans() to allow mmaping procmail_exec_t
- Allow ptrace arbitrary processes
- Allow jabberd_router_t domain read kerberos keytabs BZ(1573945)
- Allow certmonger to geattr of filesystems BZ(1578755)
- Update dev_map_xserver_misc interface to allo mmaping char devices instead of files
- Allow noatsecure permission for all domain transitions from systemd.
- Allow systemd to read tangd db files
- Fix typo in ssh.if file
- Allow xdm_t domain to mmap xserver_misc_device_t files
- Allow xdm_t domain to execute systemd-coredump binary
- Add bridge_socket, dccp_socket, ib_socket and mpls_socket to socket_class_set
- Improve modutils_domtrans_insmod() interface to mmap insmod_exec_t binaries
- Improve iptables_domtrans() interface to allow mmaping iptables_exec_t binary
- Improve auth_domtrans_login_programinterface to allow also mmap login_exec_t binaries
- Improve auth_domtrans_chk_passwd() interface to allow also mmaping chkpwd_exec_t binaries.
- Allow mmap dhcpc_exec_t binaries in sysnet_domtrans_dhcpc interface
- Improve running xorg with proper SELinux domain even if systemd security feature NoNewPrivileges is used
2018-05-24 16:07:11 +02:00
Lukas Vrabec
ee05a93b19
* Tue May 22 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.14.2-19
- Increase dependency versions of policycoreutils and checkpolicy packages
2018-05-22 10:54:53 +02:00
Lukas Vrabec
e881d79dbc
* Mon May 21 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.14.2-18
- Disable secure mode environment cleansing for dirsrv_t
- Allow udev execute /usr/libexec/gdm-disable-wayland in xdm_t domain which allows create /run/gdm/custom.conf with proper xdm_var_run_t label.
2018-05-21 22:23:41 +02:00
Lukas Vrabec
844794a0f4
* Mon May 21 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.14.2-17
- Add dac_override capability to remote_login_t domain
- Allow chrome_sandbox_t to mmap tmp files
- Update ulogd SELinux security policy
- Allow rhsmcertd_t domain send signull to apache processes
- Allow systemd socket activation for modemmanager
- Allow geoclue to dbus chat with systemd
- Fix file contexts on conntrackd policy
- Temporary fix for varnish and apache adding capability for DAC_OVERRIDE
- Allow lsmd_plugin_t domain to getattr lsm_t unix stream sockets
- Add label for  /usr/sbin/pacemaker-remoted to have cluster_exec_t
- Allow nscd_t domain to be system dbusd client
- Allow abrt_t domain to read sysctl
- Add dac_read_search capability for tangd
- Allow systemd socket activation for rshd domain
- Add label for /usr/libexec/cyrus-imapd/master as cyrus_exec_t to have proper SELinux domain transition from init_t to cyrus_t
- Allow kdump_t domain to map /boot files
- Allow conntrackd_t domain to send msgs to syslog
- Label /usr/sbin/nhrpd and /usr/sbin/pimd binaries as zebra_exec_t
- Allow swnserve_t domain to stream connect to sasl domain
- Allow smbcontrol_t to create dirs with samba_var_t label
- Remove execstack,execmem and execheap from domains setroubleshootd_t, locate_t and podsleuth_t to increase security. BZ(1579760)
- Allow tangd to read public sssd files BZ(1509054)
- Allow geoclue start with nnp systemd security feature with proper SELinux Domain transition BZ(1575212)
- Allow ctdb_t domain modify ctdb_exec_t files
- Allow firewalld_t domain to create netlink_netfilter sockets
- Allow radiusd_t domain to read network sysctls
- Allow pegasus_t domain to mount tracefs_t filesystem
- Allow create systemd to mount pid files
- Add files_map_boot_files() interface
- Remove execstack,execmem and execheap from domain fsadm_t to increase security. BZ(1579760)
- Fix typo xserver SELinux module
- Allow systemd to mmap files with var_log_t label
- Allow x_userdomains read/write to xserver session
2018-05-21 01:48:14 +02:00
Lukas Vrabec
4d2de689d5
Fix typo bug in xserver SELinux module 2018-04-30 17:41:45 +02:00
Lukas Vrabec
a4ad07747e
* Mon Apr 30 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.14.2-16
- Allow systemd to mmap files with var_log_t label
- Allow x_userdomains read/write to xserver session
2018-04-30 16:30:28 +02:00
Lukas Vrabec
0bbda1a879
Redirect also stdout to /dev/null to avoid printing anything during updating selinux-policy process 2018-04-30 10:55:31 +02:00
Lukas Vrabec
560c1cf401
* Sat Apr 28 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.14.2-15
- Allow unconfined_domain_type to create libs filetrans named content BZ(1513806)
2018-04-28 19:43:37 +02:00
Lukas Vrabec
42d22b559a
Fix typo in spec file 2018-04-27 13:30:59 +02:00
Lukas Vrabec
19c9a7d734
* Fri Apr 27 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.14.2-14
- Add dac_override capability to mailman_mail_t domain
- Add dac_override capability to radvd_t domain
- Update openvswitch policy
- Add dac_override capability to oddjob_homedir_t domain
- Allow slapd_t domain to mmap slapd_var_run_t files
- Rename tang policy to tangd
- Allow virtd_t domain to relabel virt_var_lib_t files
- Allow logrotate_t domain to stop services via systemd
- Add tang policy
- Allow mozilla_plugin_t to create mozilla.pdf file in user homedir with label mozilla_home_t
- Allow snapperd_t daemon to create unlabeled dirs.
- Make httpd_var_run_t mountpoint
- Allow hsqldb_t domain to mmap own temp files
- We have inconsistency in cgi templates with upstream, we use _content_t, but refpolicy use httpd__content_t. Created aliasses to make it consistence
- Allow Openvswitch adding netdev bridge ovs 2.7.2.10 FDP
- Add new Boolean tomcat_use_execmem
- Allow nfsd_t domain to read/write sysctl fs files
- Allow conman to read system state
- Allow brltty_t domain to be dbusd system client
- Allow zebra_t domain to bind on babel udp port
- Allow freeipmi domain to read sysfs_t files
- Allow targetd_t domain mmap lvm config files
- Allow abrt_t domain to manage kdump crash files
- Add capability dac_override to antivirus domain
- Allow svirt_t domain mmap svirt_image_t files BZ(1514538)
- Allow ftpd_t domain to chat with systemd
- Allow systemd init named socket activation for uuidd policy
- Allow networkmanager domain to write to ecryptfs_t files BZ(1566706)
- Allow l2tpd domain to stream connect to sssd BZ(1568160)
- Dontaudit abrt_t to write to lib_t dirs BZ(1566784)
- Allow NetworkManager_ssh_t domain transition to insmod_t BZ(1567630)
- Allow certwatch to manage cert files BZ(1561418)
- Merge pull request #53 from tmzullinger/rawhide
- Merge pull request #52 from thetra0/rawhide
- Allow abrt_dump_oops_t domain to mmap all non security files BZ(1565748)
- Allow gpg_t domain mmap cert_t files Allow gpg_t mmap gpg_agent_t files
- Allow NetworkManager_ssh_t domain use generic ptys. BZ(1565851)
- Allow pppd_t domain read/write l2tpd pppox sockets BZ(1566096)
- Allow xguest user use bluetooth sockets if xguest_use_bluetooth boolean is turned on.
- Allow pppd_t domain creating pppox sockets BZ(1566271)
- Allow abrt to map var_lib_t files
- Allow chronyc to read system state BZ(1565217)
- Allow keepalived_t domain to chat with systemd via dbus
- Allow git to mmap git_(sys|user)_content_t files BZ(1518027)
- Allow netutils_t domain to create bluetooth sockets
- Allow traceroute to bind on generic sctp node
- Allow traceroute to search network sysctls
- Allow systemd to use virtio console
- Label /dev/op_panel and /dev/opal-prd as opal_device_t
2018-04-27 11:50:21 +02:00
Lukas Vrabec
5c972253e7
Update selinux policy macros to reflect the latest changes in
selinux-policy-macros repo
2018-04-25 21:48:43 +02:00
Lukas Vrabec
39a94e09cd
* Thu Apr 12 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.14.2-13
- refpolicy: Update for kernel sctp support
- Allow smbd_t send to nmbd_t via dgram sockets BZ(1563791)
- Allow antivirus domain to be client for system dbus BZ(1562457)
- Dontaudit requesting tlp_t domain kernel modules, its a kernel bug BZ(1562383)
- Add new boolean: colord_use_nfs() BZ(1562818)
- Allow pcp_pmcd_t domain to check access to mdadm BZ(1560317)
- Allow colord_t to mmap gconf_home_t files
- Add new boolean redis_enable_notify()
- Label  /var/log/shibboleth-www(/.*) as httpd_sys_rw_content_t
- Add new label for vmtools scripts and label it as vmtools_unconfined_t stored in /etc/vmware-tools/
- Remove labeling for /etc/vmware-tools to bin_t it should be vmtools_unconfined_exec_t
2018-04-12 12:51:18 +02:00
Lukas Vrabec
1778514e56
* Sat Apr 07 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.14.2-12
- Add new boolean redis_enable_notify()
- Label  /var/log/shibboleth-www(/.*) as httpd_sys_rw_content_t
- Add new label for vmtools scripts and label it as vmtools_unconfined_t stored in /etc/vmware-tools/
- Allow svnserve_t domain to manage kerberos rcache and read krb5 keytab
- Add dac_override and dac_read_search capability to hypervvssd_t domain
- Label /usr/lib/systemd/systemd-fence_sanlockd as fenced_exec_t
- Allow samba to create /tmp/host_0 as krb5_host_rcache_t
- Add dac_override capability to fsdaemon_t BZ(1564143)
- Allow abrt_t domain to map dos files BZ(1564193)
- Add dac_override capability to automount_t domain
- Allow keepalived_t domain to connect to system dbus bus
- Allow nfsd_t to read nvme block devices BZ(1562554)
- Allow lircd_t domain to execute bin_t files BZ(1562835)
- Allow l2tpd_t domain to read sssd public files BZ(1563355)
- Allow logrotate_t domain to do dac_override BZ(1539327)
- Remove labeling for /etc/vmware-tools to bin_t it should be vmtools_unconfined_exec_t
- Add capability sys_resource to systemd_sysctl_t domain
- Label all /dev/rbd* devices as fixed_disk_device_t
- Allow xdm_t domain to mmap xserver_log_t files BZ(1564469)
- Allow local_login_t domain to rread udev db
- Allow systemd_gpt_generator_t to read /dev/random device
- add definition of bpf class and systemd perms
2018-04-07 20:34:23 +02:00
Lukas Vrabec
9762a51f7b
* Thu Mar 29 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.14.2-11
- Allow accountsd_t domain to dac override BZ(1561304)
- Allow cockpit_ws_t domain to read system state BZ(1561053)
- Allow postfix_map_t domain to use inherited user ptys BZ(1561295)
- Allow abrt_dump_oops_t domain dac override BZ(1561467)
- Allow l2tpd_t domain to run stream connect for sssd_t BZ(1561755)
- Allow crontab domains to do dac override
- Allow snapperd_t domain to unmount fs_t filesystems
- Allow pcp processes to read fixed_disk devices BZ(1560816)
- Allow unconfined and confined users to use dccp sockets
- Allow systemd to manage bpf dirs/files
- Allow traceroute_t to create dccp_sockets
2018-03-29 19:27:36 +02:00
Lukas Vrabec
0ac6359923
* Mon Mar 26 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.14.2-10
- Fedora Atomic host using for temp files /sysroot/tmp patch, we should label same as /tmp adding file context equivalence BZ(1559531)
2018-03-26 15:48:52 +02:00
Lukas Vrabec
0dae2c353f
* Sun Mar 25 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.14.2-9
- Allow smbcontrol_t to mmap samba_var_t files and allow winbind create sockets BZ(1559795)
- Allow nagios to exec itself and mmap nagios spool files BZ(1559683)
- Allow nagios to mmap nagios config files BZ(1559683)
- Fixing Ganesha module
- Fix typo in NetworkManager module
- Fix bug in gssproxy SELinux module
- Allow abrt_t domain to mmap container_file_t files BZ(1525573)
- Allow networkmanager to be run ssh client BZ(1558441)
- Allow pcp domains to do dc override BZ(1557913)
- Dontaudit pcp_pmie_t to reaquest lost kernel module
- Allow pcp_pmcd_t to manage unpriv userdomains semaphores BZ(1554955)
- Allow httpd_t to read httpd_log_t dirs BZ(1554912)
- Allow fail2ban_t to read system network state BZ(1557752)
- Allow dac override capability to mandb_t domain BZ(1529399)
- Allow collectd_t domain to mmap collectd_var_lib_t files BZ(1556681)
- Dontaudit bug in kernel 4.16 when domains requesting loading kernel modules BZ(1555369)
- Add Domain transition from gssproxy_t to httpd_t domains BZ(1548439)
- Allow httpd_t to mmap user_home_type files if boolean httpd_read_user_content is enabled BZ(1555359)
- Allow snapperd to relabel snapperd_data_t
- Improve bluetooth_stream_socket interface to allow caller domain also send bluetooth sockets
- Allow tcpd_t bind on sshd_port_t if ssh_use_tcpd() is enabled
- Allow insmod_t to load modules BZ(1544189)
- Allow systemd_rfkill_t domain sys_admin capability BZ(1557595)
- Allow systemd_networkd_t to read/write tun tap devices
- Add shell_exec_t file as domain entry for init_t
- Label also /run/systemd/resolved/ as systemd_resolved_var_run_t BZ(1556862)
- Dontaudit kernel 4.16 bug when lot of domains requesting load kernel module BZ(1557347)
- Improve userdom_mmap_user_home_content_files
- Allow systemd_logind_t domain to setattributes on fixed disk devices BZ(1555414)
- Dontaudit kernel 4.16 bug when lot of domains requesting load kernel module
- Allow semanage_t domain mmap usr_t files
- Add new boolean: ssh_use_tcpd()
2018-03-25 01:02:58 +01:00
Lukas Vrabec
67396b3121
In Fedora 28, ganesha SELinux module is removed, for proper upgrade this
modules needs to be removed before SELinux policy for F28 is installed.

Resolves: rhbz#1559174
2018-03-25 00:57:29 +01:00
Lukas Vrabec
597a71b217
* Wed Mar 21 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.14.2-8
- Improve bluetooth_stream_socket interface to allow caller domain also send bluetooth sockets
- Allow tcpd_t bind on sshd_port_t if ssh_use_tcpd() is enabled
- Allow semanage_t domain mmap usr_t files
- Add new boolean: ssh_use_tcpd()
2018-03-21 19:15:49 +01:00
Lukas Vrabec
a191ebd6c3
* Tue Mar 20 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.14.2-7
- Update screen_role_template() to allow also creating sockets in HOMEDIR/screen/
- Allow newrole_t dacoverride capability
- Allow traceroute_t domain to mmap packet sockets
- Allow netutils_t domain to mmap usmmon device
- Allow netutils_t domain to use mmap on packet_sockets
- Allow traceroute to create icmp packets
- Allos sysadm_t domain to create tipc sockets
- Allow confined users to use new socket classes for bluetooth, alg and tcpdiag sockets
2018-03-20 12:19:47 +01:00
Lukas Vrabec
8597119053
* Thu Mar 15 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.14.2-6
- Allow rpcd_t domain dac override
- Allow rpm domain to mmap rpm_var_lib_t files
- Allow arpwatch domain to create bluetooth sockets
- Allow secadm_t domain to mmap audit config and log files
- Update init_abstract_socket_activation() to allow also creating tcp sockets
- getty_t should be ranged in MLS. Then also local_login_t runs as ranged domain.
- Add SELinux support for systemd-importd
- Create new type bpf_t and label /sys/fs/bpf with this type
2018-03-15 20:41:40 +01:00
Lukas Vrabec
529a517a7a
* Mon Mar 12 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.14.2-5
- Allow bluetooth_t domain to create alg_socket BZ(1554410)
- Allow tor_t domain to execute bin_t files BZ(1496274)
- Allow iscsid_t domain to mmap kernel modules BZ(1553759)
- Update minidlna SELinux policy BZ(1554087)
- Allow motion_t domain to read sysfs_t files BZ(1554142)
- Allow snapperd_t domain to getattr on all files,dirs,sockets,pipes BZ(1551738)
- Allow l2tp_t domain to read ipsec config files BZ(1545348)
- Allow colord_t to mmap home user files BZ(1551033)
- Dontaudit httpd_t creating kobject uevent sockets BZ(1552536)
- Allow ipmievd_t to mmap kernel modules BZ(1552535)
- Allow boinc_t domain to read cgroup files BZ(1468381)
- Backport allow rules from refpolicy upstream repo
- Allow gpg_t domain to bind on all unereserved udp ports
- Allow systemd to create systemd_rfkill_var_lib_t dirs BZ(1502164)
- Allow netlabel_mgmt_t domain to read sssd public files, stream connect to sssd_t BZ(1483655)
- Allow xdm_t domain to sys_ptrace BZ(1554150)
- Allow application_domain_type also mmap inherited user temp files BZ(1552765)
- Update ipsec_read_config() interface
- Fix broken sysadm SELinux module
- Allow ipsec_t to search for bind cache BZ(1542746)
- Allow staff_t to send sigkill to mount_t domain BZ(1544272)
- Label /run/systemd/resolve/stub-resolv.conf as net_conf_t BZ(1471545)
- Label ip6tables.init as iptables_exec_t BZ(1551463)
- Allow hostname_t to use usb ttys BZ(1542903)
- Add fsetid capability to updpwd_t domain BZ(1543375)
- Allow systemd machined send signal to all domains BZ(1372644)
- Dontaudit create netlink selinux sockets for unpriv SELinux users BZ(1547876)
- Allow sysadm_t to create netlink generic sockets BZ(1547874)
- Allow passwd_t domain chroot
- Dontaudit confined unpriviliged users setuid capability
2018-03-12 17:20:32 +01:00
Lukas Vrabec
870fdbbf14
* Tue Mar 06 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.14.2-4
- Allow l2tpd_t domain to create pppox sockets
- Update dbus_system_bus_client() so calling domain could read also system_dbusd_var_lib_t link files BZ(1544251)
- Add interface abrt_map_cache()
- Update gnome_manage_home_config() to allow also map permission BZ(1544270)
- Allow oddjob_mkhomedir_t domain to be dbus system client BZ(1551770)
- Dontaudit kernel bug when several services requesting load kernel module
- Allow traceroute and unconfined domains creating sctp sockets
- Add interface corenet_sctp_bind_generic_node()
- Allow ping_t domain to create icmp sockets
- Allow staff_t to mmap abrt_var_cache_t BZ(1544273)
- Fix typo bug in dev_map_framebuffer() interface BZ(1551842)
- Dontaudit kernel bug when several services requesting load kernel module
2018-03-06 16:16:43 +01:00
Lukas Vrabec
3c49a8df90
* Mon Mar 05 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.14.2-3
- Allow vdagent_t domain search cgroup dirs BZ(1541564)
- Allow bluetooth_t domain listen on bluetooth sockets BZ(1549247)
- Allow bluetooth domain creating bluetooth sockets BZ(1551577)
- pki_log_t should be log_file
- Allow gpgdomain to unix_stream socket connectto
- Make working gpg agent in gpg_agent_t domain
- Dontaudit thumb_t to rw lvm pipes BZ(154997)
- Allow start cups_lpd via systemd socket activation BZ(1532015)
- Improve screen_role_template Resolves: rhbz#1534111
- Dontaudit modemmanager to setpgid. BZ(1520482)
- Dontaudit kernel bug when systemd requesting load kernel module BZ(1547227)
- Allow systemd-networkd to create netlink generic sockets BZ(1551578)
- refpolicy: Define getrlimit permission for class process
- refpolicy: Define smc_socket security class
- Allow transition from sysadm role into mdadm_t domain.
- ssh_t trying to communicate with gpg agent not sshd_t
- Allow sshd_t communicate with gpg_agent_t
- Allow initrc domains to mmap binaries with direct_init_entry attribute BZ(1545643)
- Revert "Allow systemd_rfkill_t domain to reguest kernel load module BZ(1543650)"
- Revert "Allow systemd to request load kernel module BZ(1547227)"
- Allow systemd to write to all pidfile socketes because of SocketActivation unit option ListenStream= BZ(1543576)
- Add interface lvm_dontaudit_rw_pipes() BZ(154997)
- Add interfaces for systemd socket activation
- Allow systemd-resolved to create stub-resolv.conf with right label net_conf_t BZ(1547098)
2018-03-05 16:13:41 +01:00
Lukas Vrabec
5a5985a439 * Thu Feb 22 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.14.2-2
- refpolicy: Define extended_socket_class policy capability and socket classes
- Make bluetooth_var_lib_t as mountpoint BZ(1547416)
- Allow systemd to request load kernel module BZ(1547227)
- Allow ipsec_t domain to read l2tpd pid files
- Allow sysadm to read/write trace filesystem BZ(1547875)
- Allow syslogd_t to mmap systemd coredump tmpfs files BZ(1547761)
2018-02-22 15:13:02 +01:00
Lukas Vrabec
5b3d03345c * Wed Feb 21 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.14.2-1
- Rebuild for current rawhide (fc29)
2018-02-21 19:10:21 +01:00
Lukas Vrabec
3256f1cc3b * Tue Feb 20 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.14.1-9
- Fix broken cups Security Module
- Allow dnsmasq_t domain dbus chat with unconfined users. BZ(1532079)
- Allow geoclue to connect to tcp nmea port BZ(1362118)
- Allow pcp_pmcd_t to read mock lib files BZ(1536152)
- Allow abrt_t domain to mmap passwd file BZ(1540666)
- Allow gpsd_t domain to get session id of another process BZ(1540584)
- Allow httpd_t domain to mmap httpd_tmpfs_t files BZ(1540405)
- Allow cluster_t dbus chat with systemd BZ(1540163)
- Add interface raid_stream_connect()
- Allow nscd_t to mmap nscd_var_run_t files BZ(1536689)
- Allow dovecot_delivery_t to mmap mail_home_rw_t files BZ(1531911)
- Make cups_pdf_t domain system dbusd client BZ(1532043)
- Allow logrotate to read auditd_log_t files BZ(1525017)
- Improve snapperd SELinux policy BZ(1514272)
- Allow virt_domain to read virt_image_t files BZ(1312572)
- Allow openvswitch_t stream connect svirt_t
- Update dbus_dontaudit_stream_connect_system_dbusd() interface
- Allow openvswitch domain to manage svirt_tmp_t sock files
- Allow named_filetrans_domain domains to create .heim_org.h5l.kcm-socket sock_file with label sssd_var_run_t BZ(1538210)
- Merge pull request #50 from dodys/pkcs
- Label tcp and udp ports 10110 as nmea_port_t BZ(1362118)
- Allow systemd to access rfkill lib dirs BZ(1539733)
- Allow systemd to mamange raid var_run_t sockfiles and files BZ(1379044)
- Allow vxfs filesystem to use SELinux labels
- Allow systemd to setattr on systemd_rfkill_var_lib_t dirs BZ(1512231)
- Allow few services to dbus chat with snapperd BZ(1514272)
- Allow systemd to relabel system unit symlink to systemd_unit_file_t. BZ(1535180)
- Fix logging as staff_u into Fedora 27
- Fix broken systemd_tmpfiles_run() interface
2018-02-20 09:25:14 +01:00
Lukas Vrabec
d1295b542c Merge #8 Don't own %{_rpmconfigdir} 2018-02-19 09:57:01 +00:00
Petr Lautrbach
d890769dab List gcc in BuildRequires
https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org/message/IJFYI5Q2BYZKIGDFS2WLOBDUSEGWHIKV/
https://fedoraproject.org/wiki/Packaging:C_and_C%2B%2B#BuildRequires_and_Requires

Fixes:
cc -Wall support/fc_sort.c -o tmp/fc_sort
make: cc: Command not found
make: *** [Makefile:404: tmp/fc_sort] Error 127
2018-02-19 10:34:23 +01:00
Igor Gnatenko
f8cf034356
Remove %clean section
None of currently supported distributions need that.
Last one was EL5 which is EOL for a while.

Signed-off-by: Igor Gnatenko <ignatenkobrain@fedoraproject.org>
2018-02-14 09:57:34 +01:00
Igor Gnatenko
72d8378f5a Remove BuildRoot definition
None of currently supported distributions need that.
It was needed last for EL5 which is EOL now

Signed-off-by: Igor Gnatenko <ignatenkobrain@fedoraproject.org>
2018-02-14 00:36:49 +01:00
Igor Gnatenko
28c23c14e4
Escape macros in %changelog
Reference: https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org/thread/Y2ZUKK2B7T2IKXPMODNF6HB2O5T5TS6H/
Signed-off-by: Igor Gnatenko <ignatenkobrain@fedoraproject.org>
2018-02-09 09:06:15 +01:00
Lukas Vrabec
b22b1d1da0 * Thu Feb 08 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.14.1-7
- Label /usr/sbin/ldap-agent as dirsrv_snmp_exec_t
- Allow certmonger_t domain to access /etc/pki/pki-tomcat BZ(1542600)
- Allow keepalived_t domain getattr proc filesystem
- Allow init_t to create UNIX sockets for unconfined services (BZ1543049)
- Allow ipsec_mgmt_t execute ifconfig_exec_t binaries Allow ipsec_mgmt_t nnp domain transition to ifconfig_t
- Allow ipsec_t nnp transistions to domains ipsec_mgmt_t and ifconfig_t
2018-02-08 14:38:23 +01:00
Lukas Vrabec
00dcc13b60 * Tue Feb 06 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.14.1-6
- Allow openvswitch_t domain to read cpuid, write to sysfs files and creating openvswitch_tmp_t sockets
- Add new interface ppp_filetrans_named_content()
- Allow keepalived_t read sysctl_net_t files
- Allow puppetmaster_t domtran to puppetagent_t
- Allow kdump_t domain to read kernel ring buffer
- Allow boinc_t to mmap boinc tmpfs files BZ(1540816)
- Merge pull request #47 from masatake/keepalived-signal
- Allow keepalived_t create and write a file under /tmp
- Allow ipsec_t domain to exec ifconfig_exec_t binaries.
- Allow unconfined_domain_typ to create pppd_lock_t directory in /var/lock
- Allow updpwd_t domain to create files in /etc with shadow_t label
2018-02-06 09:58:08 +01:00
Lukas Vrabec
4b0a66cafc * Tue Jan 30 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.14.1-5
- Allow opendnssec daemon to execute ods-signer BZ(1537971)
2018-01-30 17:04:16 +01:00
Lukas Vrabec
e9c4389283 * Tue Jan 30 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.14.1-4
- rpm: Label /usr/share/rpm usr_t (ostree/Atomic systems)
- Update dbus_role_template() BZ(1536218)
- Allow lldpad_t domain to mmap own tmpfs files BZ(1534119)
- Allow blueman_t dbus chat with policykit_t BZ(1470501)
- Expand virt_read_lib_files() interface to allow list dirs with label virt_var_lib_t BZ(1507110)
- Allow postfix_master_t and postfix_local_t to connect to system dbus. BZ(1530275)
- Allow system_munin_plugin_t domain to read sssd public files and allow stream connect to ssd daemon BZ(1528471)
- Allow rkt_t domain to bind on rkt_port_t tcp BZ(1534636)
- Allow jetty_t domain to mmap own temp files BZ(1534628)
- Allow sslh_t domain to read sssd public files and stream connect to sssd. BZ(1534624)
- Consistently label usr_t for kernel/initrd in /usr
- kernel/files.fc: Label /usr/lib/sysimage as usr_t
- Allow iptables sysctl load list support with SELinux enforced
- Label HOME_DIR/.config/systemd/user/* user unit files as systemd_unit_file_t BZ(1531864)
2018-01-30 12:57:41 +01:00
Lukas Vrabec
e7bae02f22 * Fri Jan 19 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.14.1-3
- Merge pull request #45 from jlebon/pr/rot-sd-dbus-rawhide
- Allow virt_domains to acces infiniband pkeys.
- Allow systemd to relabelfrom tmpfs_t link files in /var/run/systemd/units/ BZ(1535180)
- Label /usr/libexec/ipsec/addconn as ipsec_exec_t to run this script as ipsec_t instead of init_t
- Allow audisp_remote_t domain write to files on all levels
2018-01-19 12:48:25 +01:00
Lukas Vrabec
72b2cda3a5 * Mon Jan 15 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.14.1-2
- Allow aide to mmap usr_t files BZ(1534182)
- Allow ypserv_t domain to connect to tcp ports BZ(1534245)
- Allow vmtools_t domain creating vmware_log_t files
- Allow openvswitch_t domain to acces infiniband devices
- Allow dirsrv_t domain to create tmp link files
- Allow pcp_pmie_t domain to exec itself. BZ(153326)
- Update openvswitch SELinux module
- Allow virtd_t to create also sock_files with label virt_var_run_t
- Allow chronyc_t domain to manage chronyd_keys_t files.
- Allow logwatch to exec journal binaries BZ(1403463)
- Allow sysadm_t and staff_t roles to manage user systemd services BZ(1531864)
- Update logging_read_all_logs to allow mmap all logfiles BZ(1403463)
- Add Label systemd_unit_file_t for /var/run/systemd/units/
2018-01-15 17:33:37 +01:00
Lukas Vrabec
22c9764fc4 Update new sources to reflect changes related to python3 dependency 2018-01-08 18:44:57 +01:00
Lukas Vrabec
51dc83b2d4 Commit removes big SELinux policy patches against tresys refpolicy.
We're quite diverted from upstream policy. This change will use tarballs
from github projects:
https://github.com/fedora-selinux/selinux-policy
https://github.com/fedora-selinux/selinux-policy-contrib
2018-01-08 18:28:27 +01:00
Lukas Vrabec
b9923641ff * Mon Jan 08 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-310
- Use python3 package in BuildRequires to ensure python version 3 will be used for compiling SELinux policy
2018-01-08 12:28:09 +01:00
Lukas Vrabec
af863d8251 * Fri Jan 05 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-309
- auth_use_nsswitch() interface cannot be used for attributes fixing munin policy
- Allow git_script_t to mmap git_user_content_t files BZ(1530937)
- Allow certmonger domain to create temp files BZ(1530795)
- Improve interface mock_read_lib_files() to include also symlinks. BZ(1530563)
- Allow fsdaemon_t to read nvme devices BZ(1530018)
- Dontaudit fsdaemon_t to write to admin homedir. BZ(153030)
- Update munin plugin policy BZ(1528471)
- Allow sendmail_t domain to be system dbusd client BZ(1478735)
- Allow amanda_t domain to getattr on tmpfs filesystem BZ(1527645)
- Allow named file transition to create rpmrebuilddb dir with proper SELinux context BZ(1461313)
- Dontaudit httpd_passwd_t domain to read state of systemd BZ(1522672)
- Allow thumb_t to mmap non security files BZ(1517393)
- Allow smbd_t to mmap files with label samba_share_t BZ(1530453)
- Fix broken sysnet_filetrans_named_content() interface
- Allow init_t to create tcp sockets for unconfined services BZ(1366968)
- Allow xdm_t to getattr on xserver_t process files BZ(1506116)
- Allow domains which can create resolv.conf file also create it in systemd_resolved_var_run_t dir BZ(1530297)
- Allow X userdomains to send dgram msgs to xserver_t BZ(1515967)
- Add interface files_map_non_security_files()
2018-01-05 15:16:17 +01:00
Lukas Vrabec
46f9f9c36a * Thu Jan 04 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-308
- Make working SELinux sandbox with Wayland. BZ(1474082)
- Allow postgrey_t domain to mmap postgrey_spool_t files BZ(1529169)
- Allow dspam_t to mmap dspam_rw_content_t files BZ(1528723)
- Allow collectd to connect to lmtp_port_t BZ(1304029)
- Allow httpd_t to mmap httpd_squirrelmail_t files BZ(1528776)
- Allow thumb_t to mmap removable_t files. BZ(1522724)
- Allow sssd_t and login_pgm attribute to mmap auth_cache_t files BZ(1530118)
- Add interface fs_mmap_removable_files()
2018-01-04 13:06:00 +01:00
Lukas Vrabec
d319e75862 sandbox SELinux module is part ofd distribution policy and should have 100 priority 2018-01-04 11:45:11 +01:00
Lukas Vrabec
73d7285c92 * Tue Dec 19 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-307
- Allow crond_t to read pcp lib files BZ(1525420)
- Allow mozilla plugin domain to mmap user_home_t files BZ(1452783)
- Allow certwatch_t to mmap generic certs. BZ(1527173)
- Allow dspam_t to manage dspam_rw_conent_t objects. BZ(1290876)
- Add interface userdom_map_user_home_files()
- Sytemd introduced new feature when journald(syslogd_t) is trying to read symlinks to unit files in /run/systemd/units. This commit label /run/systemd/units/* as systemd_unit_file_t and allow syslogd_t to read this content. BZ(1527202)
- Allow xdm_t dbus chat with modemmanager_t BZ(1526722)
- All domains accessing home_cert_t objects should also mmap it. BZ(1519810)
2017-12-19 16:18:46 +01:00
Jonathan Lebon
66de8d371d Don't own %{_rpmconfigdir}
This directory is already owned by rpm. I couldn't find a specific
section in the packaging guidelines, but it seems to me we shouldn't do
this. There's no good reason for it and it can lead to confusion.
Quickly scanning over all Fedora spec files that install RPM macros, I
couldn't find any other package that owns `%{_rpmconfigdir}`.
2017-12-14 20:15:05 +00:00
Lukas Vrabec
270b6479cd * Wed Dec 13 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-306
- Allow thumb_t domain to dosfs_t BZ(1517720)
- Allow gssd_t to read realmd_var_lib_t files BZ(1521125)
- Allow domain transition from logrotate_t to chronyc_t BZ(1436013)
- Allow git_script_t to mmap git_sys_content_t BZ(1517541)
- Label /usr/bin/mysqld_safe_helper as mysqld_exec_t instead of bin_t BZ(1464803)
- Label /run/openvpn-server/ as openvpn_var_run_t BZ(1478642)
- Allow colord_t to mmap xdm pid files BZ(1518382)
- Allow arpwatch to mmap usbmon device BZ(152456)
- Allow mandb_t to read public sssd files BZ(1514093)
- Allow ypbind_t stream connect to rpcbind_t domain BZ(1508659)
- Allow qpid to map files.
- Allow plymouthd_t to mmap firamebuf device BZ(1517405)
- Dontaudit pcp_pmlogger_t to sys_ptrace capability BZ(1416611)
- Update mta_manage_spool() interface to allow caller domain also mmap mta_spool_t files BZ(1517449)
- Allow antivirus_t domain to mmap antivirus_db_t files BZ(1516816)
- Allow cups_pdf_t domain to read cupd_etc_t dirs BZ(1516282)
- Allow openvpn_t domain to relabel networkmanager tun device BZ(1436048)
- Allow mysqld_t to mmap mysqld_tmp_t files BZ(1516899)
- Update samba_manage_var_files() interface by adding map permission. BZ(1517125)
- Allow pcp_pmlogger_t domain to execute itself. BZ(1517395)
- Dontaudit sys_ptrace capability for mdadm_t BZ(1515849)
- Allow pulseaudio_t domain to mmap pulseaudio_home_t files BZ(1515956)
- Allow bugzilla_script_t domain to create netlink route sockets and udp sockets BZ(1427019)
- Add interface fs_map_dos_files()
- Update interface userdom_manage_user_home_content_files() to allow caller domain to mmap user_home_t files. BZ(1519729)
- Add interface xserver_map_xdm_pid() BZ(1518382)
- Add new interface dev_map_usbmon_dev() BZ(1524256)
- Update miscfiles_read_fonts() interface to allow also mmap fonts_cache_t for caller domains BZ(1521137)
- Allow ipsec_t to mmap cert_t and home_cert_t files BZ(1519810)
- Fix typo in filesystem.if
- Add interface dev_map_framebuffer()
- Allow chkpwd command to mmap /etc/shadow BZ(1513704)
- Fix systemd-resolved to run properly with SELinux in enforcing state BZ(1517529)
- Allow thumb_t domain to mmap fusefs_t files BZ(1517517)
- Allow userdom_home_reader_type attribute to mmap cifs_t files BZ(1517125)
- Add interface fs_map_cifs_files()
- Merge pull request #207 from rhatdan/labels
- Merge pull request #208 from rhatdan/logdir
- Allow domains that manage logfiles to man logdirs
2017-12-13 08:39:02 +01:00
Lukas Vrabec
617ff7d328 * Fri Nov 24 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-305
- Make ganesha nfs server
2017-11-24 18:20:55 +01:00
Lukas Vrabec
64b72debbe * Tue Nov 21 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-304
- Add interface raid_relabel_mdadm_var_run_content()
- Fix iscsi SELinux module
- Allow spamc_t domain to read home mail content BZ(1414366)
- Allow sendmail_t to list postfix config dirs BZ(1514868)
- Allow dovecot_t domain to mmap mail content in homedirs BZ(1513153)
- Allow iscsid_t domain to requesting loading kernel modules BZ(1448877)
- Allow svirt_t domain to mmap svirt_tmpfs_t files BZ(1515304)
- Allow cupsd_t domain to localization BZ(1514350)
- Allow antivirus_t nnp domain transition because of systemd security features. BZ(1514451)
- Allow tlp_t domain transition to systemd_rfkill_t domain BZ(1416301)
- Allow abrt_t domain to mmap fusefs_t files BZ(1515169)
- Allow memcached_t domain nnp_transition becuase of systemd security features BZ(1514867)
- Allow httpd_t domain to mmap all httpd content type BZ(1514866)
- Allow mandb_t to read /etc/passwd BZ(1514903)
- Allow mandb_t domain to mmap files with label mandb_cache_t BZ(1514093)
- Allow abrt_t domain to mmap files with label syslogd_var_run_t BZ(1514975)
- Allow nnp transition for systemd-networkd daemon to run in proper SELinux domain BZ(1507263)
- Allow systemd to read/write to mount_var_run_t files BZ(1515373)
- Allow systemd to relabel mdadm_var_run_t sock files BZ(1515373)
- Allow home managers to mmap nfs_t files BZ(1514372)
- Add interface fs_mmap_nfs_files()
- Allow systemd-mount to create new directory for mountpoint BZ(1514880)
- Allow getty to use usbttys
- Add interface systemd_rfkill_domtrans()
- Allow syslogd_t to mmap files with label syslogd_var_lib_t BZ(1513403)
- Add interface fs_mmap_fusefs_files()
- Allow ipsec_t domain to mmap files with label ipsec_key_file_t BZ(1514251)
2017-11-21 16:42:21 +01:00
Lukas Vrabec
2d6f40abe4 * Thu Nov 16 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-303
- Allow pcp_pmlogger to send logs to journal BZ(1512367)
- Merge pull request #40 from lslebodn/kcm_kerberos
- Allow services to use kerberos KCM BZ(1512128)
- Allow system_mail_t domain to be system_dbus_client BZ(1512476)
- Allow aide domain to stream connect to sssd_t BZ(1512500)
- Allow squid_t domain to mmap files with label squid_tmpfs_t BZ(1498809)
- Allow nsd_t domain to mmap files with labels nsd_tmp_t and nsd_zone_t BZ(1511269)
- Include cupsd_config_t domain into cups_execmem boolean. BZ(1417584)
- Allow samba_net_t domain to mmap samba_var_t files BZ(1512227)
- Allow lircd_t domain to execute shell BZ(1512787)
- Allow thumb_t domain to setattr on cache_home_t dirs BZ(1487814)
- Allow redis to creating tmp files with own label BZ(1513518)
- Create new interface thumb_nnp_domtrans allowing domaintransition with NoNewPrivs. This interface added to thumb_run() BZ(1509502)
- Allow httpd_t to mmap httpd_tmp_t files BZ(1502303)
- Add map permission to samba_rw_var_files interface. BZ(1513908)
- Allow cluster_t domain creating bundles directory with label var_log_t instead of cluster_var_log_t
- Add dac_read_search and dac_override capabilities to ganesha
- Allow ldap_t domain to manage also slapd_tmp_t lnk files
- Allow snapperd_t domain to relabeling from snapperd_data_t BZ(1510584)
- Add dac_override capability to dhcpd_t doamin BZ(1510030)
- Allow snapperd_t to remove old snaps BZ(1510862)
- Allow chkpwd_t domain to mmap system_db_t files and be dbus system client BZ(1513704)
- Allow xdm_t send signull to all xserver unconfined types BZ(1499390)
- Allow fs associate for sysctl_vm_t BZ(1447301)
- Label /etc/init.d/vboxdrv as bin_t to run virtualbox as unconfined_service_t BZ(1451479)
- Allow xdm_t domain to read usermodehelper_t state BZ(1412609)
- Allow dhcpc_t domain to stream connect to userdomain domains BZ(1511948)
- Allow systemd to mmap kernel modules BZ(1513399)
- Allow userdomains to mmap fifo_files BZ(1512242)
- Merge pull request #205 from rhatdan/labels
- Add map permission to init_domtrans() interface BZ(1513832)
- Allow xdm_t domain to mmap and execute files in xdm_var_run_t BZ(1513883)
- Unconfined domains, need to create content with the correct labels
- Container runtimes are running iptables within a different user namespace
- Add interface files_rmdir_all_dirs()
2017-11-16 15:30:31 +01:00
Lukas Vrabec
6730963181 Drop all binary files from selinux-policy package which are depended on build arch. 2017-11-16 15:28:19 +01:00
Lukas Vrabec
ebb4e5ec53 * Mon Nov 06 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-302
- Allow jabber domains to connect to postgresql ports
- Dontaudit slapd_t to block suspend system
- Allow spamc_t to stream connect to cyrys.
- Allow passenger to connect to mysqld_port_t
- Allow ipmievd to use nsswitch
- Allow chronyc_t domain to use user_ptys
- Label all files /var/log/opensm.* as opensm_log_t because opensm creating new log files with name opensm-subnet.lst
- Fix typo bug in tlp module
- Allow userdomain gkeyringd domain to create stream socket with userdomain
2017-11-06 16:54:47 +01:00
Lukas Vrabec
4c1c744cdd * Fri Nov 03 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-301
- Merge pull request #37 from milosmalik/rawhide
- Allow mozilla_plugin_t domain to dbus chat with devicekit
- Dontaudit leaked logwatch pipes
- Label /usr/bin/VGAuthService as vmtools_exec_t to confine this daemon.
- Allow httpd_t domain to execute hugetlbfs_t files BZ(1444546)
- Allow chronyd daemon to execute chronyc. BZ(1507478)
- Allow pdns to read network system state BZ(1507244)
- Allow gssproxy to read network system state Resolves: rhbz#1507191
- Allow nfsd_t domain to read configfs_t files/dirs
- Allow tgtd_t domain to read generic certs
- Allow ptp4l to send msgs via dgram socket to unprivileged user domains
- Allow dirsrv_snmp_t to use inherited user ptys and read system state
- Allow glusterd_t domain to create own tmpfs dirs/files
- Allow keepalived stream connect to snmp
2017-11-03 13:17:33 +01:00
Lukas Vrabec
ba9b7318d9 Merge #3 Do not ship file_contexts.bin file 2017-11-03 12:09:06 +00:00
Petr Lautrbach
deccccdaf1 Do not own /etc/selinux/<policytype>/file_contexts.homedirs.bin
This file belongs to /etc/selinux/<policytype>/contexts/files/
2017-10-31 18:48:31 +01:00
Lukas Vrabec
59afa60b46 * Thu Oct 26 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-300
- Allow zabbix_t domain to change its resource limits
- Add new boolean nagios_use_nfs
- Allow system_mail_t to search network sysctls
- Hide all allow rules with ptrace inside deny_ptrace boolean
- Allow nagios_script_t to read nagios_spool_t files
- Allow sbd_t to create own sbd_tmpfs_t dirs/files
- Allow firewalld and networkmanager to chat with hypervkvp via dbus
- Allow dmidecode to read rhsmcert_log_t files
- Allow mail system to connect mariadb sockets.
- Allow nmbd_t domain to mmap files labeled as samba_var_t. BZ(1505877)
- Make user account setup in gnome-initial-setup working in Workstation Live system. BZ(1499170)
- Allow iptables_t to run setfiles to restore context on system
- Updatre unconfined_dontaudit_read_state() interface to dontaudit also acess to files. BZ(1503466)
2017-10-26 20:18:18 +02:00
Lukas Vrabec
7911257b23 * Tue Oct 24 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-299
- Label /usr/libexec/bluetooth/obexd as bluetoothd_exec_t to run process as bluetooth_t
- Allow chronyd_t do request kernel module and block_suspend capability
- Allow system_cronjob_t to create /var/lib/letsencrypt dir with right label
- Allow slapd_t domain to mmap files labeled as slpad_db_t BZ(1505414)
- Allow dnssec_trigger_t domain to execute binaries with dnssec_trigeer_exec_t BZ(1487912)
- Allow l2tpd_t domain to send SIGKILL to ipsec_mgmt_t domains BZ(1505220)
- Allow thumb_t creating thumb_home_t files in user_home_dir_t direcotry BZ(1474110)
- Allow httpd_t also read httpd_user_content_type dirs when httpd_enable_homedirs is enables
- Allow svnserve to use kerberos
- Allow conman to use ptmx. Add conman_use_nfs boolean
- Allow nnp transition for amavis and tmpreaper SELinux domains
- Allow chronyd_t to mmap chronyc_exec_t binary files
- Add dac_read_search capability to openvswitch_t domain
- Allow svnserve to manage own svnserve_log_t files/dirs
- Allow keepalived_t to search network sysctls
- Allow puppetagent_t domain dbus chat with rhsmcertd_t domain
- Add kill capability to openvswitch_t domain
- Label also compressed logs in /var/log for different services
- Allow inetd_child_t and system_cronjob_t to run chronyc.
- Allow chrony to create netlink route sockets
- Add SELinux support for chronyc
- Add support for running certbot(letsencrypt) in crontab
- Allow nnp trasintion for unconfined_service_t
- Allow unpriv user domains and unconfined_service_t to use chronyc
2017-10-24 21:29:48 +02:00
Lukas Vrabec
2fff8fe522 Add rpm-plugin-selinux dependency into selinux-policy package.
Resolves: rhbz#1493267
2017-10-24 13:16:21 +02:00
Lukas Vrabec
1014cb1eee * Sun Oct 22 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-298
- Drop *.lst files from file list
- Ship file_contexts.homedirs in store
- Allow proper transition when systems starting pdns to pdns_t domain. BZ(1305522)
- Allow haproxy daemon to reexec itself. BZ(1447800)
- Allow conmand to use usb ttys.
- Allow systemd_machined to read mock lib files. BZ(1504493)
- Allow systemd_resolved_t to dbusd chat with NetworkManager_t BZ(1505081)
2017-10-22 15:56:04 +02:00
Petr Lautrbach
b442d09884 Drop *.lst files from file list
These files are already covered by:
%{_datadir}/selinux/%1

Fixes:
RPM build errors:
    File listed twice: /usr/share/selinux/targeted/nonbasemodules.lst
    File listed twice: /usr/share/selinux/minimum
    File listed twice: /usr/share/selinux/minimum/base.lst
    File listed twice: /usr/share/selinux/minimum/modules-base.lst
    File listed twice: /usr/share/selinux/minimum/modules-contrib.lst
    File listed twice: /usr/share/selinux/minimum/nonbasemodules.lst
    File listed twice: /usr/share/selinux/mls
    File listed twice: /usr/share/selinux/mls/base.lst
    File listed twice: /usr/share/selinux/mls/modules-base.lst
    File listed twice: /usr/share/selinux/mls/modules-contrib.lst
    File listed twice: /usr/share/selinux/mls/nonbasemodules.lst
    File listed twice: /var/lib/selinux/mls/active/modules/100/unprivuser
    File listed twice: /var/lib/selinux/mls/active/modules/100/unprivuser/cil
    File listed twice: /var/lib/selinux/mls/active/modules/100/unprivuser/hll
    File listed twice: /var/lib/selinux/mls/active/modules/100/unprivuser/lang_ext
2017-10-20 16:33:07 +02:00
Petr Lautrbach
9e91a2824b Ship file_contexts.homedirs in store
Recent libsemanage-2.7-4.fc28 keeps copy of file_contexts.homedirs in
policy store in order to support listing homedirs file contexts in
semanage fcontext -l
2017-10-20 16:05:19 +02:00
Lukas Vrabec
465d71cd8d * Fri Oct 20 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-297
- Fix typo in virt file contexts file
- allow ipa_dnskey_t to read /proc/net/unix file
- Allow openvswitch to run setfiles in setfiles_t domain.
- Allow openvswitch_t domain to read process data of neutron_t domains
- Fix typo in ipa_cert_filetrans_named_content() interface
- Fix typo bug in summary of xguest SELinux module
- Allow virtual machine with svirt_t label to stream connect to openvswitch.
- Label qemu-pr-helper script as virt_exec_t so this script won't run as unconfined_service_t
2017-10-20 11:27:02 +02:00
Lukas Vrabec
107eb82b3e * Tue Oct 17 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-296
- Merge pull request #19 from RodrigoQuesadaDev/snapper-fix-1
- Allow httpd_t domain to mmap httpd_user_content_t files. BZ(1494852)
- Add nnp transition rule for services using NoNewPrivileges systemd feature
- Add map permission into dev_rw_infiniband_dev() interface to allow caller domain mmap infiniband chr device BZ(1500923)
- Add init_nnp_daemon_domain interface
- Allow nnp transition capability
- Merge pull request #204 from konradwilk/rhbz1484908
- Label postgresql-check-db-dir as postgresql_exec_t
2017-10-17 15:29:08 +02:00
Lukas Vrabec
c862e95fd2 Fix order of installing selinux-policy-sandbox, because of depedencied in sandbox module, selinux-policy-targeted needs to be installed before selinux-policy-sandbox 2017-10-12 13:53:04 +02:00
Lukas Vrabec
d7e304ffbf Merge #4 Disable SELinux on a policy type subpackage uninstall 2017-10-12 08:44:30 +00:00
Lukas Vrabec
2b83a4bd1d * Tue Oct 10 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-295
- Allow boinc_t to mmap files with label boinc_project_var_lib_t BZ(1500088)
- Allow fail2ban_t domain to mmap journals. BZ(1500089)
- Add dac_override to abrt_t domain BZ(1499860)
- Allow pppd domain to mmap own pid files BZ(1498587)
- Allow webserver services to mmap files with label httpd_sys_content_t BZ(1498451)
- Allow tlp domain to read sssd public files Allow tlp domain to mmap kernel modules
- Allow systemd to read sysfs sym links. BZ(1499327)
- Allow systemd to mmap systemd_networkd_exec_t files BZ(1499863)
- Make systemd_networkd_var_run as mountpoint BZ(1499862)
- Allow noatsecure for java-based unconfined services. BZ(1358476)
- Allow systemd_modules_load_t domain to mmap kernel modules. BZ(1490015)
2017-10-10 12:31:41 +02:00
Lukas Vrabec
f2424e7390 * Mon Oct 09 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-294
- Allow cloud-init to create content in /var/run/cloud-init
- Dontaudit VM to read gnome-boxes process data BZ(1415975)
- Allow winbind_t domain mmap samba_var_t files
- Allow cupsd_t to execute ld_so_cache_t BZ(1478602)
- Update dev_rw_xserver_misc() interface to allo source domains to mmap xserver devices BZ(1334035)
- Add dac_override capability to groupadd_t domain BZ(1497091)
- Allow unconfined_service_t to start containers
2017-10-09 10:09:01 +02:00
Petr Lautrbach
7f40329c8b Disable SELinux on a policy type subpackage uninstall
When selinux-policy is uninstalled, SELinux is changed to permissive and
/etc/selinux/config is updated to disable SELinux. But it doesn't apply
when selinux-policy-{targeted,mls,minimum} are uninstalled.

With this change when one of the policy subpackages is uninstalled
and the current policy type is same as the uninstalled policy, SELinux
is switched to permissive and disabled in config file as well.

Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1498569
2017-10-08 21:33:17 +02:00
Petr Lautrbach
dba350c6e0 Do not ship file_contexts.bin file
selinux-policy is noarch but file_contexts.bin is not portable. As a
result, on architectures with different endianness, this file is ignored
and text file file_context is used instead.

For more information see:
https://janzarskyblog.wordpress.com/2017/09/06/why-we-dont-need-to-ship-file_contexts-bin-with-selinux-policy/

Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1386180
2017-10-08 20:52:10 +02:00
Petr Lautrbach
918bddec38 * Sun Oct 08 2017 Petr Lautrbach <plautrba@redhat.com> - 3.13.1-293
- Drop policyhelp utility BZ(1498429)
2017-10-08 10:29:32 +02:00
Petr Lautrbach
00cdacfa6a Drop policyhelp utility
https://fedoraproject.org/wiki/SELinux_Policy_Modules_Packaging_Draft#Build_Dependencies

The /usr/share/selinux/devel/policyhelp requirement was necessary to
extract the version number of the selinux-policy package being built
against, which is used to enforce a minimum version requirement on
selinux-policy when the built package is installed. The policyhelp file
itself can be found in either the selinux-policy, selinux-policy-devel,
or selinux-policy-doc package (depending on OS release), which is why we
cannot simply use a package name unless we are prepared to sacrifice
spec file portability. From Fedora 20 onwards, this method is no longer
necessary, so if your packaging is not targeting any releases prior to
Fedora 20 or EPEL-5/6, the /usr/share/selinux/devel/policyhelp
requirement is not needed.

Resolves: rhbz#1498429
2017-10-05 09:03:21 +02:00
Lukas Vrabec
75b1898128 * Tue Oct 03 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-292
- Allow cupsd_t to execute ld_so_cache_t BZ(1478602)
- Allow firewalld_t domain to change object identity because of relabeling after using firewall-cmd BZ(1469806)
- Allow postfix_cleanup_t domain to stream connect to all milter sockets BZ(1436026)
- Allow nsswitch_domain to read virt_var_lib_t files, because of libvirt NSS plugin. BZ(1487531)
- Add unix_stream_socket recvfrom perm for init_t domain BZ(1496318)
- Allow systemd to maange sysfs BZ(1471361)
2017-10-03 17:11:40 +02:00
Lukas Vrabec
65c1dc9f4d * Tue Oct 03 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-291
- Switch default value of SELinux boolean httpd_graceful_shutdown to off.
2017-10-03 14:19:31 +02:00
Lukas Vrabec
aab02e492d Merge #2 Remove trailing whitespace in default /etc/selinux/config 2017-09-29 12:30:29 +00:00
Lukas Vrabec
e8dfe68ada * Fri Sep 29 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-290
- Allow virtlogd_t domain to write inhibit systemd pipes.
- Add dac_override capability to openvpn_t domain
- Add dac_override capability to xdm_t domain
- Allow dac_override to groupadd_t domain BZ(1497081)
- Allow cloud-init to create /var/run/cloud-init dir with net_conf_t SELinux label.BZ(1489166)
2017-09-29 14:22:40 +02:00
Colin Walters
5fdac71bd7 Remove trailing whitespace in default /etc/selinux/config
See <https://pagure.io/atomic-wg/issue/341> - basically for libostree
(and hence rpm-ostree, and Fedora Editions that use it like Fedora Atomic Host),
the Anaconda `selinux --enforcing` verb will end up rewriting
`/etc/selinux/config` to the same value it had before.

But because of the trailing space character, this generates
a difference, and means the config file appears locally modified,
and hence deployed systems won't receive updates.

I think Anaconda should also be fixed to avoid touching the file *at all*
if it wouldn't result in a change, but let's remove the trailing space
here too, as it's better to fix in two places.
2017-09-27 16:01:25 -04:00
Lukas Vrabec
233534cc51 * Wed Sep 27 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-289
- Allow tlp_t domain stream connect to sssd_t domain
- Add missing dac_override capability
- Add systemd_tmpfiles_t dac_override capability
2017-09-27 13:16:05 +02:00
Lukas Vrabec
8587149987 setfiles command produce unnecessary output during selinux-policy package update. This patch redirect stdout of setfiles to /dev/null.
Thanks: Petr Lautrbach <plautrba@redhat.com>
2017-09-27 10:01:01 +02:00
Lukas Vrabec
12fd9044f9 * Fri Sep 22 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-288
- Remove all unnecessary dac_override capability in SELinux modules
2017-09-22 14:15:27 +02:00
Lukas Vrabec
fc41f8a9df * Fri Sep 22 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-287
- Allow init noatsecure httpd_t
- Allow mysqld_t domain to mmap mysqld db files. BZ(1483331)
- Allow unconfined_t domain to create new users with proper SELinux lables
-  Allow init noatsecure httpd_t
- Label tcp port 3269 as ldap_port_t
2017-09-22 10:26:38 +02:00
Lukas Vrabec
7c73871fb5 * Mon Sep 18 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-286
- Add new boolean tomcat_read_rpm_db()
- Allow tomcat to connect on mysqld tcp ports
- Add new interface apache_delete_tmp()
- Add interface fprintd_exec()
- Add interface fprintd_mounton_var_lib()
- Allow mozilla plugin to mmap video devices BZ(1492580)
- Add ctdbd_t domain sys_source capability and allow setrlimit
- Allow systemd-logind to use ypbind
- Allow systemd to remove apache tmp files
- Allow ldconfig domain to mmap ldconfig cache files
- Allow systemd to exec fprintd BZ(1491808)
- Allow systemd to mounton fprintd lib dir
2017-09-18 15:03:29 +02:00
Lukas Vrabec
6551841efc * Thu Sep 14 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-285
- Allow svirt_t read userdomain state
2017-09-14 14:11:08 +02:00
Lukas Vrabec
83eed32c03 * Thu Sep 14 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-284
- Allow mozilla_plugins_t domain mmap mozilla_plugin_tmpfs_t files
- Allow automount domain to manage mount pid files
- Allow stunnel_t domain setsched
- Add keepalived domain setpgid capability
- Merge pull request #24 from teg/rawhide
- Merge pull request #28 from lslebodn/revert_1e8403055
- Allow sysctl_irq_t assciate with proc_t
- Enable cgourp sec labeling
- Allow sshd_t domain to send signull to xdm_t processes
2017-09-14 09:11:13 +02:00
Lukas Vrabec
76e1d24391 Add /var/lib/sepolgen/interface_info to %files section in selinux-policy-devel 2017-09-13 13:15:22 +02:00
Lukas Vrabec
c3f53c2a7e * Tue Sep 12 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-283
- Allow passwd_t domain mmap /etc/shadow and /etc/passwd
- Allow pulseaudio_t domain to map user tmp files
- Allow mozilla plugin to mmap mozilla tmpfs files
2017-09-12 14:05:47 +02:00
Lukas Vrabec
4dfc5f64ab * Mon Sep 11 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-282
- Add new bunch of map rules
- Merge pull request #25 from NetworkManager/nm-ovs
- Make working webadm_t userdomain
- Allow redis domain to execute shell scripts.
- Allow system_cronjob_t to create redhat-access-insights.log with var_log_t
- Add couple capabilities to keepalived domain and allow get attributes of all domains
- Allow dmidecode read rhsmcertd lock files
- Add new interface rhsmcertd_rw_lock_files()
- Add new bunch of map rules
- Merge pull request #199 from mscherer/add_conntrackd
- Add support labeling for vmci and vsock device
- Add userdom_dontaudit_manage_admin_files() interface
2017-09-11 22:04:43 +02:00
Lukas Vrabec
65f16bbe30 * Mon Sep 11 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-281
- Allow domains reading raw memory also use mmap.
2017-09-11 09:50:18 +02:00
Lukas Vrabec
b9bc43a953 * Thu Sep 07 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-280
- Add rules fixing installing ipa-server-install with SELinux in Enforcing. BZ(1488404)
- Fix denials during ipa-server-install process on F27+
- Allow httpd_t to mmap cert_t
- Add few rules to make tlp_t domain working in enforcing mode
- Allow cloud_init_t to dbus chat with systemd_timedated_t
- Allow logrotate_t to write to kmsg
- Add capability kill to rhsmcertd_t
- Allow winbind to manage smbd_tmp_t files
- Allow groupadd_t domain to dbus chat with systemd.BZ(1488404)
- Add interface miscfiles_map_generic_certs()
2017-09-07 13:32:34 +02:00
Lukas Vrabec
fcebe07f6c * Tue Sep 05 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-279
- Allow abrt_dump_oops_t to read sssd_public_t files
- Allow cockpit_ws_t to mmap usr_t files
- Allow systemd to read/write dri devices.
2017-09-05 09:36:30 +02:00
Lukas Vrabec
313e17b74e * Thu Aug 31 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-278
- Add couple rules related to map permissions
- Allow ddclient use nsswitch BZ(1456241)
- Allow thumb_t domain getattr fixed_disk device. BZ(1379137)
- Add interface dbus_manage_session_tmp_dirs()
- Dontaudit useradd_t sys_ptrace BZ(1480121)
- Allow ipsec_t can exec ipsec_exec_t
- Allow systemd_logind_t to mamange session_dbusd_tmp_t dirs
2017-08-31 17:55:58 +02:00
Lukas Vrabec
0c6eef95d3 * Mon Aug 28 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-277
- Allow cupsd_t to execute ld_so_cache
- Add cgroup_seclabel policycap.
- Allow xdm_t to read systemd hwdb
- Add new interface systemd_hwdb_mmap_config()
- Allow auditd_t domain to mmap conf files labeled as auditd_etc_t BZ(1485050)
2017-08-28 18:08:50 +02:00
Lukas Vrabec
2b14b695c4 * Sat Aug 26 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-276
- Allow couple map rules
2017-08-26 13:17:21 +02:00
Lukas Vrabec
c1ce08ecb5 * Wed Aug 23 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-275
- Make confined users working
- Allow ipmievd_t domain to load kernel modules
- Allow logrotate to reload transient systemd unit
2017-08-23 23:17:38 +02:00
Lukas Vrabec
b7314cadde * Wed Aug 23 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-274
- Allow postgrey to execute bin_t files and add postgrey into nsswitch_domain
- Allow nscd_t domain to search network sysctls
- Allow iscsid_t domain to read mount pid files
- Allow ksmtuned_t domain manage sysfs_t files/dirs
- Allow keepalived_t domain domtrans into iptables_t
- Allow rshd_t domain reads net sysctls
- Allow systemd to create syslog netlink audit socket
- Allow ifconfig_t domain unmount fs_t
- Label /dev/gpiochip* devices as gpio_device_t
2017-08-23 16:49:48 +02:00
Lukas Vrabec
681ffa2e20 * Tue Aug 22 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-273
- Allow dirsrv_t domain use mmap on files labeled as dirsrv_var_run_t BZ(1483170)
- Allow just map permission insead of using mmap_file_pattern because mmap_files_pattern allows also executing objects.
- Label /var/run/agetty.reload as getty_var_run_t
- Add missing filecontext for sln binary
- Allow systemd to read/write to event_device_t BZ(1471401)
2017-08-22 14:47:56 +02:00
Lukas Vrabec
284401b055 * Tue Aug 15 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-272
- Allow sssd_t domain to map sssd_var_lib_t files
- allow map permission where needed
- contrib: allow map permission where needed
- Allow syslogd_t to map syslogd_var_run_t files
- allow map permission where needed
2017-08-15 16:29:24 +02:00
Lukas Vrabec
c6aaaee231 Remove temporary fix labeling cockpit binary 2017-08-15 16:27:40 +02:00
Lukas Vrabec
be2df80e69 * Mon Aug 14 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-271
- Allow tomcat_t domain couple capabilities to make working tomcat-jsvc
- Label /usr/libexec/sudo/sesh as shell_exec_t
2017-08-14 16:11:30 +02:00
Lukas Vrabec
7a49a1c8c7 * Thu Aug 10 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-270
- refpolicy: Infiniband pkeys and endport
2017-08-10 23:27:06 +02:00
Lukas Vrabec
9a31f2128c Merge branch 'master' of ssh://pkgs.fedoraproject.org/rpms/selinux-policy 2017-08-10 11:25:56 +02:00
Lukas Vrabec
ff3605a078 * Thu Aug 10 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-269
- Allow osad make executable an anonymous mapping or private file mapping that is writable BZ(1425524)
- After fix in kernel where LSM hooks for dac_override and dac_search_read capability was swaped we need to fix it also in policy
- refpolicy: Define and allow map permission
- init: Add NoNewPerms support for systemd.
- Add nnp_nosuid_transition policycap and related class/perm definitions.
2017-08-10 11:25:41 +02:00
Petr Lautrbach
cf21eb3fa5 Fix bogus date for 3.13.1-267 changelog entry
warning: bogus date in %changelog: Fri Aug 07 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-267
2017-08-10 09:12:56 +02:00
Petr Lautrbach
b65295347f * Mon Aug 07 2017 Petr Lautrbach <plautrba@redhat.com> - 3.13.1-268
- Update for SELinux userspace release 20170804 / 2.7
- Omit precompiled regular expressions from file_contexts.bin files
2017-08-07 18:05:24 +02:00
Lukas Vrabec
631f95b1cf * Fri Aug 07 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-267
- After fix in kernel where LSM hooks for dac_override and dac_search_read capability was swaped we need to fix it also in policy
2017-08-07 16:17:01 +02:00
Petr Lautrbach
0eccbd957d Revert "Temporary fix while creating manpages using sepolicy is broken."
This reverts commit fbdb6e98da.

Since policycoreutils-2.6-7, 'sepolicy manpage' should be again
reasonable fast.
2017-08-03 08:01:21 +02:00
Fedora Release Engineering
f0d7feb11d - Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild 2017-07-27 18:25:45 +00:00
Lukas Vrabec
4696e7ec09 * Fri Jul 21 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-265
- Allow llpdad send dgram to libvirt
- Allow abrt_t domain dac_read_search capability
- Allow init_t domain mounton dirs labeled as init_var_lib_t BZ(1471476)
- Allow xdm_t domain read unique machine-id generated during system installation. BZ(1467036)
2017-07-21 14:21:02 +02:00
Lukas Vrabec
3622c01896 * Mon Jul 17 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-264
- Dontaudit xdm_t to setattr lib_t dirs. BZ(#1458518)
2017-07-17 14:32:35 +02:00
Lukas Vrabec
ab9bb05673 * Tue Jul 11 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-263
- Add new boolean gluster_use_execmem
2017-07-11 18:01:45 +02:00
Lukas Vrabec
6fc6359b10 * Mon Jul 10 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-262
- Allow cluster_t and glusterd_t domains to dbus chat with ganesha service
- Allow iptables to read container runtime files
2017-07-10 09:27:35 +02:00
Lukas Vrabec
959229d1e3 * Fri Jun 23 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-261
- Allow boinc_t nsswitch
- Dontaudit firewalld to write to lib_t dirs
- Allow modemmanager_t domain to write to raw_ip file labeled as sysfs_t
- Allow thumb_t domain to allow create dgram sockets
- Disable mysqld_safe_t secure mode environment cleansing
- Allow couple rules needed to start targetd daemon with SELinux in enforcing mode
- Allow dirsrv domain setrlimit
- Dontaudit staff_t user read admin_home_t files.
- Add interface lvm_manage_metadata
- Add permission open to files_read_inherited_tmp_files() interface
2017-06-23 17:16:37 +02:00
Lukas Vrabec
c8dc4505f7 Fix commands how to create downstream patches 2017-06-20 17:00:14 +02:00
Lukas Vrabec
8c093f225c * Mon Jun 19 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-260
- Allow sssd_t to read realmd lib files.
- Fix init interface file. init_var_run_t is type not attribute
2017-06-19 16:52:54 +02:00
Lukas Vrabec
fa95f253bf * Mon Jun 19 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-258
- Allow rpcbind_t to execute systemd_tmpfiles_exec_t binary files.
- Merge branch 'rawhide' of github.com:wrabcak/selinux-policy-contrib into rawhide
- Allow qemu to authenticate SPICE connections with SASL GSSAPI when SSSD is in use
- Fix dbus_dontaudit_stream_connect_system_dbusd() interface to require TYPE rather than ATTRIBUTE for systemd_dbusd_t.
- Allow httpd_t to read realmd_var_lib_t files
- Allow unconfined_t user all user namespace capabilties.
- Add interface systemd_tmpfiles_exec()
- Add interface libs_dontaudit_setattr_lib_files()
- Dontaudit xdm_t domain to setattr on lib_t dirs
- Allow sysadm_r role to jump into dirsrv_t
2017-06-19 10:01:33 +02:00
Lukas Vrabec
7ac1cbb003 * Thu Jun 08 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-257
- Merge pull request #10 from mscherer/fix_tor_dac
- Merge pull request #9 from rhatdan/rawhide
- Merge pull request #13 from vinzent/allow_zabbix_t_to_kill_zabbix_script_t
- Allow kdumpgui to read removable disk device
- Allow systemd_dbusd_t domain read/write to nvme devices
- Allow udisks2 domain to read removable devices BZ(1443981)
- Allow virtlogd_t to execute itself
- Allow keepalived to read/write usermodehelper state
- Allow named_t to bind on udp 4321 port
- Fix interface tlp_manage_pid_files()
- Allow collectd domain read lvm config files. BZ(1459097)
- Merge branch 'rawhide' of github.com:wrabcak/selinux-policy-contrib into rawhide
- Allow samba_manage_home_dirs boolean to manage user content
- Merge pull request #14 from lemenkov/rabbitmq_systemd_notify
- Allow pki_tomcat_t execute ldconfig.
- Merge pull request #191 from rhatdan/udev
- Allow systemd_modules_load_t to load modules
2017-06-08 12:25:29 +02:00
Lukas Vrabec
941d5af493 * Mon Jun 05 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-256
- Allow keepalived domain connect to squid tcp port
- Allow krb5kdc_t domain read realmd lib files.
- Allow tomcat to connect on all unreserved ports
- Allow keepalived domain connect to squid tcp port
- Allow krb5kdc_t domain read realmd lib files.
- Allow tomcat to connect on all unreserved ports
- Allow ganesha to connect to all rpc ports
- Update ganesha with few allow rules
- Update rpc_read_nfs_state_data() interface to allow read also lnk_files.
- virt_use_glusterd boolean should be in optional block
- Add new boolean virt_use_glusterd
- Add capability sys_boot for sbd_t domain Allow sbd_t domain to create rpc sysctls.
- Allow ganesha_t domain to manage glusterd_var_run_t pid files.
- Create new interface: glusterd_read_lib_files() Allow ganesha read glusterd lib files. Allow ganesha read network sysctls
- Add few allow rules to ganesha module
- Allow condor_master_t to read sysctls.
- Add dac_override cap to ctdbd_t domain
- Add ganesha_use_fusefs boolean.
- Allow httpd_t reading kerberos kdc config files
- Allow tomcat_t domain connect to ibm_dt_2 tcp port.
- Allow stream connect to initrc_t domains
- Add pki_exec_common_files() interface
- Allow  dnsmasq_t domain to read systemd-resolved pid files.
- Allow tomcat domain name_bind on tcp bctp_port_t
- Allow smbd_t domain generate debugging files under /var/run/gluster. These files are created through the libgfapi.so library that provides integration of a GlusterFS client in the Samba (vfs_glusterfs) process.
- Allow condor_master_t write to sysctl_net_t
- Allow nagios check disk plugin read /sys/kernel/config/
- Allow pcp_pmie_t domain execute systemctl binary
- Allow nagios to connect to stream sockets. Allow nagios start httpd via systemctl
- xdm_t should view kernel keys
- Hide broken symptoms when machine is configured with network bounding.
- Label 8750 tcp/udp port as dey_keyneg_port_t
- Label tcp/udp port 1792 as ibm_dt_2_port_t
- Add interface fs_read_configfs_dirs()
- Add interface fs_read_configfs_files()
- Fix systemd_resolved_read_pid interface
- Add interface systemd_resolved_read_pid()
- Allow sshd_net_t domain read/write into crypto devices
- Label 8999 tcp/udp as bctp_port_t
2017-06-05 13:25:12 +02:00
Lukas Vrabec
6c0472a324 * Thu May 18 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-255
- Dontaudit net_admin capability for domains postfix_master_t and postfix_qmgr_t
- Add interface pki_manage_common_files()
- Allow rngd domain read sysfs_t
- Allow tomcat_t domain to manage pki_common_t files and dirs
- Merge pull request #3 from rhatdan/devicekit
- Merge pull request #12 from lslebodn/sssd_sockets_fc
- Allow certmonger reads httpd_config_t files
- Allow keepalived_t domain creating netlink_netfilter_socket.
- Use stricter fc rules for sssd sockets in /var/run
- Allow tomcat domain read rpm_var_lib_t files Allow tomcat domain exec rpm_exec_t files Allow tomcat domain name connect on oracle_port_t Allow tomcat domain read cobbler_var_lib_t files.
- Allow sssd_t domain creating sock files labeled as sssd_var_run_t in /var/run/
- Allow svirt_t to read raw fixed_disk_device_t to make working blockcommit
- ejabberd small fixes
- Update targetd policy to accommodate changes in the service
- Allow tomcat_domain connect to    * postgresql_port_t    * amqp_port_t Allow tomcat_domain read network sysctls
- Allow virt_domain to read raw fixed_disk_device_t to make working blockcommit
- Dontaudit net_admin capability for useradd_t domain
- Allow systemd_localed_t and systemd_timedated_t create files in /etc with label locate_t BZ(1443723)
- Make able deply overcloud via neutron_t to label nsfs as fs_t
- Add fs_manage_configfs_lnk_files() interface
2017-05-18 16:44:30 +02:00
Lukas Vrabec
c1e28f68d8 * Mon May 15 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-254
- Allow svirt_t to read raw fixed_disk_device_t to make working blockcommit
- ejabberd small fixes
- Update targetd policy to accommodate changes in the service
- Allow tomcat_domain connect to    * postgresql_port_t    * amqp_port_t Allow tomcat_domain read network sysctls
- Allow virt_domain to read raw fixed_disk_device_t to make working blockcommit
- Allow glusterd_t domain start ganesha service
- Made few cosmetic changes in sssd SELinux module
- Merge pull request #11 from lslebodn/sssd_kcm
- Update virt_rw_stream_sockets_svirt() interface to allow confined users set socket options.
- Allow keepalived_t domain read usermodehelper_t
- Allow radius domain stream connec to postgresql
- Merge pull request #8 from bowlofeggs/142-rawhide
- Add fs_manage_configfs_lnk_files() interface
2017-05-15 22:07:43 +02:00
Lukas Vrabec
dfee3bea84 * Fri May 12 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-253
- auth_use_nsswitch can call only domain not attribute
- Dontaudit net_admin cap for winbind_t
- Allow tlp_t domain to stream connect to system bus
- Allow tomcat_t domain read pki_common_t files
- Add interface pki_read_common_files()
- Fix broken cermonger module
- Fix broken apache module
- Allow hypervkvp_t domain execute hostname
- Dontaudit sssd_selinux_manager_t use of net_admin capability
- Allow tomcat_t stream connect to pki_common_t
- Dontaudit xguest_t's attempts to listen to its tcp_socket
- Allow sssd_selinux_manager_t to ioctl init_t sockets
- Improve ipa_cert_filetrans_named_content() interface to also allow caller domain manage ipa_cert_t type.
- Allow pki_tomcat_t domain read /etc/passwd.
- Allow tomcat_t domain read ipa_tmp_t files
- Label new path for ipa-otpd
- Allow radiusd_t domain stream connect to postgresql_t
- Allow rhsmcertd_t to execute hostname_exec_t binaries.
- Allow virtlogd to append nfs_t files when virt_use_nfs=1
- Allow httpd_t domain read also httpd_user_content_type lnk_files.
- Allow httpd_t domain create /etc/httpd/alias/ipaseesion.key with label ipa_cert_t
- Dontaudit <user>_gkeyringd_t stream connect to system_dbusd_t
- Label /var/www/html/nextcloud/data as httpd_sys_rw_content_t
- Add interface ipa_filetrans_named_content()
- Allow tomcat use nsswitch
- Allow certmonger_t start/status generic services
- Allow dirsrv read cgroup files.
- Allow ganesha_t domain read/write infiniband devices.
- Allow sendmail_t domain sysctl_net_t files
- Allow targetd_t domain read network state and getattr on loop_control_device_t
- Allow condor_schedd_t domain send mails.
- Allow ntpd to creating sockets. BZ(1434395)
- Alow certmonger to create own systemd unit files.
- Add kill namespace capability to xdm_t domain
- Revert "su using libselinux and creating netlink_selinux socket is needed to allow libselinux initialization."
- Revert "Allow <role>_su_t to create netlink_selinux_socket"
- Allow <role>_su_t to create netlink_selinux_socket
- Allow unconfined_t to module_load any file
- Allow staff to systemctl virt server when staff_use_svirt=1
- Allow unconfined_t create /tmp/ca.p12 file with ipa_tmp_t context
- Allow netutils setpcap capability
- Dontaudit leaked file descriptor happening in setfiles_t domain BZ(1388124)
2017-05-12 17:03:36 +02:00
Lukas Vrabec
fe274d0fa4 Merge branch 'master' of ssh://pkgs.fedoraproject.org/rpms/selinux-policy 2017-04-20 22:51:15 +02:00
Petr Lautrbach
3332d5b8d0 Do not ship .linked files
libsemanage was updated [1] to use {policy,seusers,users_extra}.linked files
to cache the linked policy prior to merging local changes. We don't need
to ship these files, however the files should be owned by selinux-policy
packages on a filesystem.

[1] 8702a865e0
2017-04-20 22:48:24 +02:00
Michael Scherer
c8b7cd49fb Add safeguard around "semodule -n -d sandbox"
Each time this package is updated, it remove the sandbox module, thus
making the sandbox command not working until someone reenable it.

The main cause is likely the non intuitive ordering of RPM post install
script, as %preun is run after %post. See the details on
https://fedoraproject.org/wiki/Packaging:Scriptlets
2017-04-20 09:27:13 +02:00
Lukas Vrabec
e08cffb7e1 * Tue Apr 18 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-251
- Fix abrt module to reflect all changes in abrt release
2017-04-18 16:09:05 +02:00
Lukas Vrabec
c0884791ad * Tue Apr 18 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-250
- Allow tlp_t domain to ioctl removable devices BZ(1436830)
- Allow tlp_t domain domtrans into mount_t BZ(1442571)
- Allow lircd_t to read/write to sysfs BZ(1442443)
- Fix policy to reflect all changes in new IPA release
- Allow virtlogd_t to creating tmp files with virt_tmp_t labels.
- Allow sbd_t to read/write fixed disk devices
- Add sys_ptrace capability to radiusd_t domain
- Allow cockpit_session_t domain connects to ssh tcp ports.
- Update tomcat policy to make working ipa install process
- Allow pcp_pmcd_t net_admin capability. Allow pcp_pmcd_t read net sysctls Allow system_cronjob_t create /var/run/pcp with pcp_var_run_t
- Fix all AVC denials during pkispawn of CA Resolves: rhbz#1436383
- Update pki interfaces and tomcat module
- Allow sendmail to search network sysctls
- Add interface gssd_noatsecure()
- Add interface gssproxy_noatsecure()
- Allow chronyd_t net_admin capability to allow support HW timestamping.
- Update tomcat policy.
- Allow certmonger to start haproxy service
- Fix init Module
- Make groupadd_t domain as system bus client BZ(1416963)
- Make useradd_t domain as system bus client BZ(1442572)
- Allow xdm_t to gettattr /dev/loop-control device BZ(1385090)
- Dontaudit gdm-session-worker to view key unknown. BZ(1433191)
- Allow init noatsecure for gssd and gssproxy
- Allow staff user to read fwupd_cache_t files
- Remove typo bugs
- Remove /proc <<none>> from fedora policy, it's no longer necessary
2017-04-18 00:12:06 +02:00
Lukas Vrabec
0d1055a787 * Mon Apr 03 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-249
- Merge pull request #4 from lslebodn/sssd_socket_activated
- Remove /proc <<none>> from fedora policy, it's no longer necessary
- Allow iptables get list of kernel modules
- Allow unconfined_domain_type to enable/disable transient unit
- Add interfaces init_enable_transient_unit() and init_disable_transient_unit
- Revert "Allow sshd setcap capability. This is needed due to latest changes in sshd"
- Label sysroot dir under ostree as root_t
2017-04-03 12:05:44 +02:00
Adam Williamson
f993349d77 Put tomcat_t back in unconfined domains for now. BZ(1436434) 2017-03-27 17:00:43 -07:00
Lukas Vrabec
b8c3e1f896 * Tue Mar 21 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-247
- Make fwupd_var_lib_t type mountpoint. BZ(1429341)
- Remove tomcat_t domain from unconfined domains
- Create new boolean: sanlock_enable_home_dirs()
- Allow mdadm_t domain to read/write nvme_device_t
- Remove httpd_user_*_content_t domains from user_home_type attribute. This tighten httpd policy and acces to user data will be more strinct, and also fix mutual influente between httpd_enable_homedirs and httpd_read_user_content
- Add interface dev_rw_nvme
- Label all files containing hostname substring in /etc/ created by systemd_hostnamed_t as hostname_etc_t. BZ(1433555)
2017-03-21 09:58:13 +01:00
Lukas Vrabec
b3dccbc4b2 * Sat Mar 18 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-246
- Label all files containing hostname substring in /etc/ created by systemd_hostnamed_t as hostname_etc_t. BZ(1433555)
2017-03-18 16:12:18 +01:00
Lukas Vrabec
96feeb5e20 * Fri Mar 17 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-245
- Allow vdagent domain to getattr cgroup filesystem
- Allow abrt_dump_oops_t stream connect to sssd_t domain
- Allow cyrus stream connect to gssproxy
- Label /usr/libexec/cockpit-ssh as cockpit_session_exec_t and allow few rules
- Allow colord_t to read systemd hwdb.bin file
- Allow dirsrv_t to create /var/lock/dirsrv labeled as dirsrc_var_lock_t
- Allow certmonger to manage /etc/krb5kdc_conf_t
- Allow kdumpctl to getenforce
- Allow ptp4l wake_alarm capability
- Allow ganesha to chat with unconfined domains via dbus
- Add nmbd_t capability2 block_suspend
- Add domain transition from sosreport_t to iptables_t
- Dontaudit init_t to mounton modules_object_t
- Add interface files_dontaudit_mounton_modules_object
- Allow xdm_t to execute files labeled as xdm_var_lib_t
- Make mtrr_device_t mountpoint.
- Fix path to /usr/lib64/erlang/erts-5.10.4/bin/epmd
2017-03-17 17:34:02 +01:00
Peter Robinson
469c7cb44c fix up other docs source 2017-03-09 19:53:13 +00:00
Peter Robinson
88d4af785a use correct source for man pages (hint: 'fedpkg local' is a quick way to test) 2017-03-09 17:11:47 +00:00
Lukas Vrabec
0cdcb41ef4 * Tue Mar 07 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-244 - Update fwupd policy - /usr/libexec/udisks2/udisksd should be labeled as devicekit_disk_exec_t - Update ganesha policy - Allow chronyd to read adjtime - Merge pull request #194 from hogarthj/certbot_policy - get the correct cert_t context on certbot certificates bz#1289778 - Label /dev/ss0 as gpfs_device_t 2017-03-07 18:22:02 +01:00
Lukas Vrabec
fe778a9320 Fix broken build 2017-03-07 18:09:35 +01:00
Lukas Vrabec
b77d5e5e60 * Thu Mar 02 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-243
-  Allow abrt_t to send mails.
2017-03-02 10:12:44 +01:00
Lukas Vrabec
fbdb6e98da Temporary fix while creating manpages using sepolicy is broken. 2017-03-02 10:04:43 +01:00
Lukas Vrabec
73a41e1268 * Mon Feb 27 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-242
- Add radius_use_jit boolean
- Allow nfsd_t domain to create sysctls_rpc_t files
- add the policy required for nextcloud
- Allow can_load_kernmodule to load kernel modules. BZ(1426741)
- Create kernel_create_rpc_sysctls() interface
2017-02-27 10:50:42 +01:00
Lukas Vrabec
acb049dbc4 * Tue Feb 21 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-241
- Remove ganesha from gluster module and create own module for ganesha
- FIx label for /usr/lib/libGLdispatch.so.0.0.0
2017-02-21 14:04:18 +01:00
Lukas Vrabec
9930e8f125 * Wed Feb 15 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-240
- Dontaudit xdm_t wake_alarm capability2
- Allow systemd_initctl_t to create and connect unix_dgram sockets
- Allow ifconfig_t to mount/unmount nsfs_t filesystem
- Add interfaces allowing mount/unmount nsfs_t filesystem
- Label /usr/lib/libGLdispatch.so.0.0.0 as textrel_shlib_t BZ(1419944)
2017-02-15 15:41:56 +01:00
Lukas Vrabec
7c40aea259 * Mon Feb 13 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-239
- Allow syslog client to connect to kernel socket. BZ(1419946)
2017-02-13 10:17:47 +01:00
Lukas Vrabec
67dffb1bc1 * Thu Feb 09 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-238
- Allow shiftfs to use xattr SELinux labels
- Fix ssh_server_template by add sshd_t to require section.
2017-02-09 23:34:30 +01:00
Lukas Vrabec
fd7fb37552 * Wed Feb 08 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-237
- Merge pull request #187 from rhatdan/container-selinux
- Allow rhsmcertd domain signull kernel.
- Allow container-selinux to handle all policy for container processes
- Fix label for nagios plugins in nagios file conxtext file
- su using libselinux and creating netlink_selinux socket is needed to allow libselinux initialization. Resolves: rhbz#1146987
- Add SELinux support for systemd-initctl daemon
- Add SELinux support for systemd-bootchart
- su using libselinux and creating netlink_selinux socket is needed to allow libselinux initialization. Resolves: rhbz#1146987
- Add module_load permission to can_load_kernmodule
- Add module_load permission to class system
- Add the validate_trans access vector to the security class
- Restore connecto permssions for init_t
2017-02-08 16:39:12 +01:00
Lukas Vrabec
bab4787609 * Thu Feb 02 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-236
- Allow kdumpgui domain to read nvme device
- Add amanda_tmpfs_t label. BZ(1243752)
- Fix typo in sssd interface file
- Allow sssd_t domain setpgid BZ(1411437)
- Allow ifconfig_t domain read nsfs_t
- Allow ping_t domain to load kernel modules.
- Allow systemd to send user information back to pid1. BZ(1412750)
- rawhide-base: Fix wrong type/attribute flavors in require blocks
2017-02-02 12:41:29 +01:00
Lukas Vrabec
5ed99329f5 * Tue Jan 17 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-235
- Allow libvirt daemon to create /var/chace/libvirt dir.
- Allow systemd using ProtectKernelTunables securit feature. BZ(1392161)
- F26 Wide change: Coredumps enabled by default. Allowing inherits process limits to enable coredumps.BZ(1341829)
2017-01-17 18:02:49 +01:00
Lukas Vrabec
a4801c838b * Tue Jan 17 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-234
- After the latest changes in nfsd. We should allow nfsd_t to read raw fixed disk. For more info see: BZ(1403017)
- Tighten security on containe types
- Make working cracklib_password_check for MariaDB service
- Label 20514 tcp/udp ports as syslogd_port_t Label 10514 tcp/udp portas as syslog_tls_port_t BZ(1410505)
2017-01-17 09:55:15 +01:00
Lukas Vrabec
cb674ac32f * Sun Jan 08 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-233
-Allow thumb domain sendto via dgram sockets. BZ(1398813)
- Add condor_procd_t domain sys_ptrace cap_userns BZ(1411077)
- Allow cobbler domain to create netlink_audit sockets BZ(1384600)
- Allow networkmanager to manage networkmanager_var_lib_t lnk files BZ(1408626)
- Add dhcpd_t domain fowner capability BZ(1409963)
- Allow thumb to create netlink_kobject_uevent sockets. BZ(1410942)
- Fix broken interfaces
- Allow setfiles_t domain rw inherited kdumpctl tmp pipes BZ(1356456)
- Allow user_t run systemctl --user BZ(1401625)
2017-01-08 22:35:48 +01:00
Lukas Vrabec
3f98d5071c * Fri Jan 06 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-232
- Add tlp_var_lib_t label for /var/lib/tlp directory BZ(1409977)
- Allow tlp_t domain to read proc_net_t BZ(1403487)
- Merge pull request #179 from rhatdan/virt1
- Allow tlp_t domain to read/write cpu microcode BZ(1403103)
- Allow virt domain to use interited virtlogd domains fifo_file
- Fixes for containers
- Allow glusterd_t to bind on glusterd_port_t udp ports.
- Update ctdbd_t policy to reflect all changes.
- Allow ctdbd_t domain transition to rpcd_t
2017-01-06 21:58:14 +01:00
Lukas Vrabec
aabe3f000e * Wed Dec 14 2016 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-231
- Allow pptp_t to read /dev/random BZ(1404248)
- Allow glusterd_t send signals to userdomain. Label new glusterd binaries as glusterd_exec_t
- Allow systemd to stop glusterd_t domains.
- Merge branch 'rawhide-base' of github.com:fedora-selinux/selinux-policy into rawhide-base
- Label /usr/sbin/sln as ldconfig_exec_t BZ(1378323)
- Revert "Allow an domain that has an entrypoint from a type to be allowed to execute the entrypoint without a transition,  I can see no case where this is  a bad thing, and elminiates a whole class of AVCs."
2016-12-14 16:29:22 +01:00
Lukas Vrabec
6319c499e4 * Thu Dec 08 2016 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-230
- Label /usr/bin/rpcbind as rpcbind_exec_t
- Dontaudit mozilla plugin rawip socket creation. BZ(1275961)
- Merge pull request #174 from rhatdan/netlink
2016-12-08 16:30:38 +01:00
Lukas Vrabec
68b689158d * Wed Dec 07 2016 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-229
- Label /usr/bin/rpcbind as rpcbind_exec_t. Label /usr/lib/systemd/systemd/rpcbind.service
- Allot tlp domain to create unix_dgram sockets BZ(1401233)
- Allow antivirus domain to create lnk_files in /tmp
- Allow cupsd_t to create lnk_files in /tmp. BZ(1401634)
- Allow svnserve_t domain to read /dev/random BZ(1401827)
- Allow lircd to use nsswitch. BZ(1401375)
- Allow hostname_t domain to manage cluster_tmp_t files
2016-12-07 12:46:00 +01:00
Lukas Vrabec
7216220f4a * Mon Dec 05 2016 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-226
- Fix some boolean descriptions.
- Add fwupd_dbus_chat() interface
- Allow tgtd_t domain wake_alarm
- Merge pull request #172 from vinzent/allow_puppetagent_timedated
- Dontaudit logrotate_t to getattr nsfs_t BZ(1399081)
- Allow systemd_machined_t to start unit files labeled as init_var_run_t
- Add init_manage_config_transient_files() interface
- In Atomic /usr/local is a soft symlink to /var/usrlocal, so the default policy to apply bin_t on /usr/...bin doesn't work and binaries dumped here get mislabeled as var_t.
- Allow systemd to raise rlimit to all domains.BZ(1365435)
- Add interface domain_setrlimit_all_domains() interface
- Allow staff_t user to chat with fwupd_t domain via dbus
- Update logging_create_devlog_dev() interface to allow calling domain create also sock_file dev-log. BZ(1393774)
- Allow systemd-networkd to read network state BZ(1400016)
- Allow systemd-resolved bind to dns port. BZ(1400023)
- Allow systemd create /dev/log in own mount-namespace. BZ(1383867)
- Add interface fs_dontaudit_getattr_nsfs_files()
- Label /usr/lib/systemd/resolv.conf as lib_t to allow all domains read this file. BZ(1398853)
2016-12-05 16:48:37 +01:00
Lukas Vrabec
6a99358633 Exit postInstall state in mls package 2016-12-01 15:40:00 +01:00
Lukas Vrabec
bc46371d77 * Tue Nov 29 2016 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-227
- Dontaudit logrotate_t to getattr nsfs_t BZ(1399081)
- Allow pmie daemon to send signal pcmd daemon BZ(1398078)
- Allow spamd_t to manage /var/spool/mail. BZ(1398437)
- Label /run/rpc.statd.lock as rpcd_lock_t and allow rpcd_t domain to manage it. BZ(1397254)
- Merge pull request #171 from t-woerner/rawhide-contrib
- Allow firewalld to getattr open search read modules_object_t:dir
- Allow systemd create /dev/log in own mount-namespace. BZ(1383867)
- Add interface fs_dontaudit_getattr_nsfs_files()
- Label /usr/lib/systemd/resolv.conf as lib_t to allow all domains read this file. BZ(1398853)
- Dontaudit systemd_journal sys_ptrace userns capability. BZ(1374187)
2016-11-29 14:40:40 +01:00
Lukas Vrabec
99509b3f86 * Wed Nov 16 2016 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-226
- Adding policy for tlp
- Add interface  dev_manage_sysfs()
- Allow ifconfig domain to manage tlp pid files.
2016-11-16 14:46:50 +01:00
Lukas Vrabec
eae2c639f7 * Wed Nov 09 2016 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-225
- Allow systemd_logind_t domain to communicate with devicekit_t domain via dbus bz(1393373)
2016-11-09 13:45:14 +01:00
Lukas Vrabec
89fc5f15af * Tue Nov 08 2016 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-224
- Allow watching netflix using Firefox
2016-11-08 12:47:22 +01:00
Lukas Vrabec
25e7924958 * Mon Nov 07 2016 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-223
- nmbd_t needs net_admin capability like smbd
- Add interface chronyd_manage_pid() Allow logrotate to manage chrony pids
- Add wake_alarm capability2 to openct_t domain
- Allow abrt_t to getattr on nsfs_t files.
- Add cupsd_t domain wake_alarm capability.
- Allow sblim_reposd_t domain to read cert_f files.
- Allow abrt_dump_oops_t to drop capabilities. bz(1391040)
- Revert "Allow abrt_dump_oops_t to drop capabilities. bz(1391040)"
- Allow isnsd_t to accept tcp connections
2016-11-07 23:00:09 +01:00
Lukas Vrabec
2bb5c83b3d * Wed Nov 02 2016 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-222
- Allow abrt_dump_oops_t to drop capabilities. bz(1391040)
- Add named_t domain net_raw capability bz(1389240)
- Allow geoclue to read system info. bz(1389320)
- Make openfortivpn_t as init_deamon_domain. bz(1159899)
- Allow nfsd domain to create nfsd_unit_file_t files. bz(1382487)
- Merge branch 'rawhide-contrib' of github.com:fedora-selinux/selinux-policy into rawhide-contrib
- Add interace lldpad_relabel_tmpfs
- Merge pull request #155 from rhatdan/sandbox_nfs
- Add pscsd_t wake_alarm capability2
- Allow sandbox domains to mount fuse file systems
- Add boolean to allow sandbox domains to mount nfs
- Allow hypervvssd_t to read all dirs.
- Allow isnsd_t to connect to isns_port_t
- Merge branch 'rawhide-contrib' of github.com:fedora-selinux/selinux-policy into rawhide-contrib
- Allow GlusterFS with RDMA transport to be started correctly. It requires ipc_lock capability together with rw permission on rdma_cm device.
- Make tor_var_lib_t and tor_var_log_t as mountpoints.
- Allow systemd-rfkill to write to /proc/kmsg bz(1388669)
- Allow init_t to relabel /dev/shm/lldpad.state
- Merge pull request #168 from rhatdan/docker
- Label tcp 51954 as isns_port_t
- Lots of new domains like OCID and RKT are user container processes
2016-11-02 18:02:58 +01:00
Miroslav Grepl
cb85251274 Bump release to -221. 2016-10-17 20:53:13 +02:00
Miroslav Grepl
ec8dddbf3a * Mon Oct 17 2016 Miroslav Grepl <mgrepl@redhat.com> - 3.13.1-221
- Add container_file_t into contexts/customizable_types.
2016-10-17 20:52:01 +02:00
Lukas Vrabec
dad1b66dfe * Sun Oct 16 2016 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-220
- Disable container_runtime_typebounds() due to typebounds issues which can not be resolved during build.
- Disable unconfined_typebounds in sandbox.te due to entrypoint check which exceed for sandbox domains unconfined_t domain.
- Disable unconfined_typebounds due to entrypoint check which exceed for sandbox domains unconfined_t domain.
- Merge pull request #167 from rhatdan/container
- Add transition rules for sandbox domains
- container_typebounds() should be part of sandbox domain template
- Fix broken container_* interfaces
- unconfined_typebounds() should be part of sandbox domain template
- Fixed unrecognized characters at sandboxX module
- unconfined_typebounds() should be part of sandbox domain template
- svirt_file_type is atribute no type.
- Merge pull request #166 from rhatdan/container
- Allow users to transition from unconfined_t to container types
- Add dbus_stream_connect_system_dbusd() interface.
- Merge pull request #152 from rhatdan/network_filetrans
- Fix typo in filesystem module
- Allow nss_plugin to resolve host names via the systemd-resolved. BZ(1383473)
2016-10-16 18:47:27 +02:00
Lukas Vrabec
8610886f2e * Mon Oct 10 2016 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-219
- Dontaudit leaked file descriptors for thumb. BZ(1383071)
- Fix typo in cobbler SELinux module
- Merge pull request #165 from rhatdan/container
- Allow cockpit_ws_t to manage cockpit_lib_t dirs and files. BZ(1375156)
- Allow cobblerd_t to delete dirs labeled as tftpdir_rw_t
- Rename svirt_lxc_net_t to container_t
- Rename docker.pp to container.pp, causes change in interface name
- Allow httpd_t domain to list inotify filesystem.
- Fix couple AVC to start roundup properly
- Allow dovecot_t send signull to dovecot_deliver_t
- Add sys_ptrace capability to pegasus domain
- Allow firewalld to stream connect to NetworkManager. BZ(1380954)
- rename docker intefaces to container
- Merge pull request #164 from rhatdan/docker-base
- Rename docker.pp to container.pp, causes change in interface name
- Allow gvfs to read /dev/nvme* devices BZ(1380951)
2016-10-10 17:16:44 +02:00
Lukas Vrabec
ab3db24c9e Rename docker-selinux to container-selinux package 2016-10-10 16:34:35 +02:00
Colin Walters
3b618f3b2e Revert addition of systemd service for factory reset, since it is
basically worse than what we had before.  BZ(1290659)
2016-10-05 14:51:35 -04:00
Lukas Vrabec
25813e22ec * Thu Sep 29 2016 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-216
- Allow devicekit to chat with policykit via DBUS. BZ(1377113)
- Add interface virt_rw_stream_sockets_svirt() BZ(1379314)
- Allow xdm_t to read mount pid files. BZ(1377113)
- Allow staff to rw svirt unix stream sockets. BZ(1379314)
- Allow staff_t to read tmpfs files BZ(1378446)
2016-09-29 14:23:17 +02:00
Lukas Vrabec
4efe5ab99f * Fri Sep 23 2016 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-215
- Make tor_var_run_t as mountpoint. BZ(1368621)
- Fix typo in ftpd SELinux module.
- Allow cockpit-session to reset expired passwords BZ(1374262)
- Allow ftp daemon to manage apache_user_content
- Label /etc/sysconfig/oracleasm as oracleasm_conf_t
- Allow oracleasm to rw inherited fixed disk device
- Allow collectd to connect on unix_stream_socket
- Add abrt_dump_oops_t kill user namespace capability. BZ(1376868)
- Dontaudit systemd is mounting unlabeled dirs BZ(1367292)
- Add interface files_dontaudit_mounton_isid()
2016-09-23 10:24:25 +02:00
Petr Lautrbach
c49229e77f Provide rpm macros for packages installing SELinux modules
There's no unified practice how to install SELinux modules from packages
and how to relabel a filesystem after the change. This update provides
several new macros which should help maintainers with the process.

%selinux_relabel_pre [-s <policytype>]
- backups the current file_contexts for later use with fixfiles

%selinux_relabel_post [-s <policytype>]
- relabels a filesystem based on changes in file_contexts using fixfiles

%selinux_modules_install [-s <policytype>] module [module]...
%selinux_modules_uninstall [-s <policytype>] module [module]...
- install and uninstall modules to the priority 200
2016-09-20 09:40:52 +02:00
Lukas Vrabec
fec8280672 * Thu Sep 15 2016 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-214
- Allow attach usb device to virtual machine BZ(1276873)
- Dontaudit mozilla_plugin to sys_ptrace
- Allow nut_upsdrvctl_t domain to read udev db BZ(1375636)
- Fix typo
- Allow geoclue to send msgs to syslog. BZ(1371818)
- Allow abrt to read rpm_tmp_t dirs
- Add interface rpm_read_tmp_files()
- Remove labels for somr docker sandbox files for now. This needs to be reverted after fixes in docker-selinux
- Update oracleasm SELinux module that can manage oracleasmfs_t blk files. Add dac_override cap to oracleasm_t domain.
- Add few rules to pcp SELinux module to make ti able to start pcp_pmlogger service
- Revert "label /var/lib/kubelet as svirt_sandbox_file_t"
- Remove file context for /var/lib/kubelet. This filecontext is part of docker now
- Add oracleasm_conf_t type and allow oracleasm_t to create /dev/oracleasm
- Label /usr/share/pcp/lib/pmie as pmie_exec_t and /usr/share/pcp/lib/pmlogger as pmlogger_exec_t
- Allow mdadm_t to getattr all device nodes
- Dontaudit gkeyringd_domain to connect to system_dbusd_t
- Add interface dbus_dontaudit_stream_connect_system_dbusd()
- Allow guest-set-user-passwd to set users password.
- Allow domains using kerberos to read also kerberos config dirs
- Allow add new interface to new namespace BZ(1375124)
- Allow systemd to relalbel files stored in /run/systemd/inaccessible/
-  Add interface fs_getattr_tmpfs_blk_file()
- Dontaudit domain to create any file in /proc. This is kernel bug.
- Improve regexp for power_unit_file_t files. To catch just systemd power unit files.
- Add new interface fs_getattr_oracleasmfs_fs()
- Add interface fs_manage_oracleasm()
- Label /dev/kfd as hsa_device_t
- Update seutil_manage_file_contexts() interface that caller domain can also manage file_context_t dirs
2016-09-15 17:59:37 +02:00
Petr Lautrbach
be68ccafef Do a factory reset when there's no policy.kern file in a store
With rpm-ostree, /var/ directory doesn't contain any file, just
directories. It means that SELinux policy can't be managed or rebuilt
and users have to use only the default policy.

This update adds /usr/share/selinux/POLICYTYPE/default directory and
selinux-factory-reset service.

/var/lib/selinux/POLICYTYPE/active

selinux-reset-policy
2016-09-15 13:51:31 +02:00
Petr Lautrbach
e3bf3ede6a Do not hardcode targeted in installCmds()
sefcontext_compile can create .bin files even for mls and maybe for minimum
2016-09-15 13:48:51 +02:00
Lukas Vrabec
96a0f667ce Update conflicts with docker-selinux 2016-09-06 17:37:55 +02:00
Lukas Vrabec
f6de2d2a2e * Fri Sep 02 2016 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-213
- Label /var/lib/docker/vfs as svirt_sandbox_file_t in virt SELinux module
- Label /usr/bin/pappet as puppetagent_exec_t
- Allow amanda to create dir in /var/lib/ with amanda_var_lib_t label
- Allow run sulogin_t in range mls_systemlow-mls_systemhigh.
2016-09-02 15:13:18 +02:00
Lukas Vrabec
69374e6e65 * Wed Aug 31 2016 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-212
- udisk2 module is part of devicekit module now
- Fix file context for /etc/pki/pki-tomcat/ca/
- new interface oddjob_mkhomedir_entrypoint()
- Allow mdadm to get attributes from all devices.
- Label /etc/puppetlabs as puppet_etc_t.
- quota: allow init to run quota tools
- Add new domain ipa_ods_exporter_t BZ(1366640)
- Create new interface opendnssec_stream_connect()
- Allow VirtualBox to manage udev rules.
- Allow systemd_resolved to send dbus msgs to userdomains
- Make entrypoint oddjob_mkhomedir_exec_t for unconfined_t
- Label all files in /dev/oracleasmfs/ as oracleasmfs_t
2016-08-31 12:07:56 +02:00
Lukas Vrabec
0c7ae4b314 * Thu Aug 25 2016 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-211
- Add new domain ipa_ods_exporter_t BZ(1366640)
- Create new interface opendnssec_stream_connect()
- Allow systemd-machined to communicate to lxc container using dbus
- Dontaudit accountsd domain creating dirs in /root
- Add new policy for Disk Manager called udisks2
- Dontaudit firewalld wants write to /root
- Label /etc/pki/pki-tomcat/ca/ as pki_tomcat_cert_t
- Allow certmonger to manage all systemd unit files
- Allow ipa_helper_t stream connect to dirsrv_t domain
- Update oracleasm SELinux module
- label /var/lib/kubelet as svirt_sandbox_file_t
- Allow systemd to create blk and chr files with correct label in /var/run/systemd/inaccessible BZ(1367280)
- Label /usr/libexec/gsd-backlight-helper as xserver_exec_t. This allows also confined users to manage screen brightness
- Add new userdom_dontaudit_manage_admin_dir() interface
- Label /dev/oracleasmfs as oracleasmfs_t. Add few interfaces related to oracleasmfs_t type
2016-08-25 14:28:42 +02:00
Lukas Vrabec
ba0eef5c75 * Tue Aug 23 2016 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-210
- Add few interfaces to cloudform.if file
- Label /var/run/corosync-qnetd and /var/run/corosync-qdevice as cluster_var_run_t. Note: corosync policy is now par of rhcs module
- Allow krb5kdc_t to read krb4kdc_conf_t dirs.
- Update networkmanager_filetrans_named_content() interface to allow source domain to create also temad dir in /var/run.
- Make confined users working again
- Fix hypervkvp module
- Allow ipmievd domain to create lock files in /var/lock/subsys/
- Update policy for ipmievd daemon. Contain:    Allowing reading sysfs, passwd,kernel modules   Execuring bin_t,insmod_t
- A new version of cloud-init that supports the effort to provision RHEL Atomic on Microsoft Azure requires some a new rules that allows dhclient/dhclient hooks to call cloud-init.
- Allow systemd to stop systemd-machined daemon. This allows stop virtual machines.
- Label /usr/libexec/iptables/iptables.init as iptables_exec_t Allow iptables creating lock file in /var/lock/subsys/
2016-08-23 12:56:24 +02:00
Lukas Vrabec
6140a0daa8 * Tue Aug 16 2016 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-209
- Fix lsm SELinux module
- Dontaudit firewalld to create dirs in /root/ BZ(1340611)
- Label /run/corosync-qdevice and /run/corosync-qnetd as corosync_var_run_t
- Allow fprintd and cluster domains to cummunicate via dbus BZ(1355774)
- Allow cupsd_config_t domain to read cupsd_var_run_t sock_file. BZ(1361299)
- Add sys_admin capability to sbd domain
- Allow vdagent to comunnicate with systemd-logind via dbus
- Allow lsmd_plugin_t domain to create fixed_disk device.
- Allow opendnssec domain to create and manage own tmp dirs/files
- Allow opendnssec domain to read system state
- Allow systemd_logind stop system init_t
- Add interface init_stop()
- Add interface userdom_dontaudit_create_admin_dir()
- Label /var/run/storaged as lvm_var_run_t.
- Allow unconfineduser to run ipa_helper_t.
2016-08-16 13:47:01 +02:00
Lukas Vrabec
3478003247 * Fri Aug 12 2016 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-208
- Allow cups_config_t domain also mange sock_files. BZ(1361299)
- Add wake_alarm capability to fprintd domain BZ(1362430)
- Allow firewalld_t to relabel net_conf_t files. BZ(1365178)
- Allow nut_upsmon_t domain to chat with logind vie dbus about scheduleing a shutdown when UPS battery is low. BZ(1361802)
- Allow virtual machines to use dri devices. This allows use openCL GPU calculations. BZ(1337333)
- Allow crond and cronjob domains to creating mail_home_rw_t objects in admin_home_t BZ(1366173)
- Dontaudit mock to write to generic certs.
- Add labeling for corosync-qdevice and corosync-qnetd daemons, to run as cluster_t
- Revert "Label corosync-qnetd and corosync-qdevice as corosync_t domain"
- Merge pull request #144 from rhatdan/modemmanager
- Allow modemmanager to write to systemd inhibit pipes
- Label corosync-qnetd and corosync-qdevice as corosync_t domain
- Allow ipa_helper to read network state
- Label oddjob_reqiest as oddjob_exec_t
- Add interface oddjob_run()
- Allow modemmanager chat with systemd_logind via dbus
- Allow NetworkManager chat with puppetagent via dbus
- Allow NetworkManager chat with kdumpctl via dbus
- Allow sbd send msgs to syslog Allow sbd create dgram sockets. Allow sbd to communicate with kernel via dgram socket Allow sbd r/w kernel sysctls.
- Allow ipmievd_t domain to re-create ipmi devices Label /usr/libexec/openipmi-helper as ipmievd_exec_t
- Allow rasdaemon to use tracefs filesystem
- Fix typo bug in dirsrv policy
- Some logrotate scripts run su and then su runs unix_chkpwd. Allow logrotate_t domain to check passwd.
- Add ipc_lock capability to sssd domain. Allow sssd connect to http_cache_t
- Allow dirsrv to read dirsrv_share_t content
- Allow virtlogd_t to append svirt_image_t files.
- Allow hypervkvp domain to read hugetlbfs dir/files.
- Allow mdadm daemon to read nvme_device_t blk files
- Allow systemd_resolved to connect on system bus. BZ(1366334)
- Allow systemd to create netlink_route_socket and communicate with systemd_networkd BZ(1306344)
- Allow systemd-modules-load to load kernel modules in early boot. BZ(1322625)
- label tcp/udp port 853 as dns_port_t. BZ(1365609)
- Merge pull request #145 from rhatdan/init
- systemd is doing a gettattr on blk and chr devices in /run
- Allow selinuxusers and unconfineduser to run oddjob_request
- Allow sshd server to acces to Crypto Express 4 (CEX4) devices.
- Fix typo in device interfaces
- Add interfaces for managing ipmi devices
- Add interfaces to allow mounting/umounting tracefs filesystem
- Add interfaces to allow rw tracefs filesystem
- Merge branch 'rawhide-base' of github.com:fedora-selinux/selinux-policy into rawhide-base
- Merge pull request #138 from rhatdan/userns
- Allow iptables to creating netlink generic sockets.
- Fix filecontext for systemd shared lib.
2016-08-12 15:08:46 +02:00
Lukas Vrabec
0ab5f5b469 * Thu Aug 04 2016 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-207
- Fix filesystem inteface file, we don't have nsfs_fs_t type, just nsfs_t
2016-08-04 11:15:29 +02:00
Lukas Vrabec
4d7576addc * Tue Aug 02 2016 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-206
- collectd: update policy for 5.5
- Allow puppet_t transtition to shorewall_t
- Grant certmonger "chown" capability
- Boinc updates from Russell Coker.
- Allow sshd setcap capability. This is needed due to latest changes in sshd.
- Revert "Allow sshd setcap capability. This is needed due to latest changes in sshd"
- Revert "Fix typo in ssh policy"
- Get attributes of generic ptys, from Russell Coker.
2016-08-02 10:30:29 +02:00
Lukas Vrabec
247a84c954 * Fri Jul 29 2016 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-205
- Dontaudit mock_build_t can list all ptys.
- Allow ftpd_t to mamange userhome data without any boolean.
- Add logrotate permissions for creating netlink selinux sockets.
- Add new MLS attribute to allow relabeling objects higher than system low. This exception is needed for package managers when processing sensitive data.
- Label all VBox libraries stored in /var/lib/VBoxGuestAdditions/lib/ as textrel_shlib_t BZ(1356654)
- Allow systemd gpt generator to run fstools BZ(1353585)
- Label /usr/lib/systemd/libsystemd-shared-231.so as lib_t. BZ(1360716)
- Allow gnome-keyring also manage user_tmp_t sockets.
- Allow systemd to mounton /etc filesystem. BZ(1341753)
2016-07-29 11:33:56 +02:00
Lukas Vrabec
95987e7beb * Tue Jul 26 2016 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-204
- Allow lsmd_plugin_t to exec ldconfig.
- Allow vnstatd domain to read /sys/class/net/ files
- Remove duplicate allow rules in spamassassin SELinux module
- Allow spamc_t and spamd_t domains create .spamassassin file in user homedirs
- Allow ipa_dnskey domain to search cache dirs
- Allow dogtag-ipa-ca-renew-agent-submit labeled as certmonger_t to create /var/log/ipa/renew.log file
- Allow ipa-dnskey read system state.
- Allow sshd setcap capability. This is needed due to latest changes in sshd Resolves: rhbz#1356245
- Add interface to write to nsfs inodes
- Allow init_t domain to read rpm db. This is needed due dnf-upgrade process failing. BZ(1349721)
- Allow systemd_modules_load_t to read /etc/modprobe.d/lockd.conf
- sysadmin should be allowed to use docker.
2016-07-26 17:05:44 +02:00
Lukas Vrabec
5b18dd6042 * Mon Jul 18 2016 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-203
- Allow hypervkvp domain to run restorecon.
- Allow firewalld to manage net_conf_t files
- Remove double graphite-web context declaration
- Fix typo in rhsmcertd SELinux policy
- Allow logrotate read logs inside containers.
- Allow sssd to getattr on fs_t
- Allow opendnssec domain to manage bind chace files
- Allow systemd to get status of systemd-logind daemon
- Label more ndctl devices not just ndctl0
2016-07-18 12:32:16 +02:00
Lukas Vrabec
b8e5c7b726 Fix new version of policy 2016-07-13 08:58:46 +02:00
Lukas Vrabec
449da6b428 * Wed Jul 13 2016 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-202
- Allow systemd_logind_t to start init_t BZ(1355861)
- Add init_start() interface
- Allow sysadm user to run systemd-tmpfiles
- Add interface systemd_tmpfiles_run
2016-07-13 08:55:29 +02:00
Lukas Vrabec
1ad8909907 * Mon Jul 11 2016 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-201
- Allow lttng tools to block suspending
- Allow creation of vpnaas in openstack
- remove rules with compromised_kernel permission
- Allow dnssec-trigger to chat with NetworkManager over DBUS BZ(1350100)
- Allow virtual machines to rw infiniband devices. Resolves: rhbz#1210263
- Update makefile to support snapperd_contexts file
- Remove compromize_kernel permission Remove unused mac_admin permission Add undefined system permission
- Remove duplicate declaration of class service
- Fix typo in access_vectors file
- Merge branch 'rawhide-base-modules-load' into rawhide-base
- Add new policy for systemd-modules-load
- Add systemd access vectors.
- Revert "Revert "Revert "Missed this version of exec_all"""
- Revert "Revert "Missed this version of exec_all""
- Revert "Missed this version of exec_all"
- Revert "Revert "Fix name of capability2 secure_firmware->compromise_kernel"" BZ(1351624) This reverts commit 3e0e7e70de481589440f3f79cccff08d6e62f644.
- Revert "Fix name of capability2 secure_firmware->compromise_kernel" BZ(1351624) This reverts commit 7a0348a2d167a72c8ab8974a1b0fc33407f72c48.
- Revert "Allow xserver to compromise_kernel access"BZ(1351624)
- Revert "Allow anyone who can load a kernel module to compromise_kernel"BZ(1351624)
- Revert "add ptrace_child access to process" (BZ1351624)
- Add user namespace capability object classes.
- Allow udev to manage systemd-hwdb files
- Add interface systemd_hwdb_manage_config()
- Fix paths to infiniband devices. This allows use more then two infiniband interfaces.
- corecmd: Remove fcontext for /etc/sysconfig/libvirtd
- iptables: add fcontext for nftables
2016-07-11 16:49:35 +02:00
Lukas Vrabec
c3183ad46d Add snapperd_contexts to rpm filelist 2016-07-11 16:30:00 +02:00
Lukas Vrabec
6c34b389e2 * Tue Jul 05 2016 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-200
- Fix typo in brltty policy
- Add new SELinux module sbd
- Allow pcp dmcache metrics collection
- Allow pkcs_slotd_t to create dir in /var/lock Add label pkcs_slotd_log_t
- Allow openvpn to create sock files labeled as openvpn_var_run_t
- Allow hypervkvp daemon to getattr on  all filesystem types.
- Allow firewalld to create net_conf_t files
- Allow mock to use lvm
- Allow mirromanager creating log files in /tmp
- Allow vmtools_t to transition to rpm_script domain
- Allow nsd daemon to manage nsd_conf_t dirs and files
- Allow cluster to create dirs in /var/run labeled as cluster_var_run_t
- Allow sssd read also sssd_conf_t dirs
- Allow opensm daemon to rw infiniband_mgmt_device_t
- Allow krb5kdc_t to communicate with sssd
- Allow prosody to bind on prosody ports
- Add dac_override caps for fail2ban-client Resolves: rhbz#1316678
- dontaudit read access for svirt_t on the file /var/db/nscd/group Resolves: rhbz#1301637
- Allow inetd child process to communicate via dbus with systemd-logind Resolves: rhbz#1333726
- Add label for brltty log file Resolves: rhbz#1328818
- Allow snort_t to communicate with sssd Resolves: rhbz#1284908
- Add interface lttng_sessiond_tmpfs_t()
- Dontaudit su_role_template interface to getattr /proc/kcore Dontaudit su_role_template interface to getattr /dev/initctl
- Add interface lvm_getattr_exec_files()
- Make label for new infiniband_mgmt deivices
- Add prosody ports Resolves: rhbz#1304664
2016-07-05 17:05:30 +02:00
Lukas Vrabec
962020bfff * Tue Jun 28 2016 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-199
- Label /var/lib/softhsm as named_cache_t. Allow named_t to manage named_cache_t dirs.
- Allow glusterd daemon to get systemd status
- Merge branch 'rawhide-contrib' of github.com:fedora-selinux/selinux-policy into rawhide-contrib
- Merge pull request #135 from rhatdan/rawip_socket
- Allow logrotate dbus-chat with system_logind daemon
- Allow pcp_pmlogger to read kernel network state Allow pcp_pmcd to read cron pid files
- Add interface cron_read_pid_files()
- Allow pcp_pmlogger to create unix dgram sockets
- Add interface dirsrv_run()
- Remove non-existing jabberd_spool_t() interface and add new jabbertd_var_spool_t.
- Remove non-existing interface salk_resetd_systemctl() and replace it with sanlock_systemctl_sanlk_resetd()
- Create label for openhpid log files.
- Container processes need to be able to listen on rawip sockets
- Label /var/lib/ganglia as httpd_var_lib_t
- Allow firewalld_t to create entries in net_conf_t dirs.
- Allow journalctl to read syslogd_var_run_t files. This allows to staff_t and sysadm_t to read journals
- Label /etc/dhcp/scripts dir as bin_t
- Allow sysadm_role to run journalctl_t domain. This allows sysadm user to read journals.
2016-06-28 10:34:53 +02:00
Lukas Vrabec
8037d64672 * Wed Jun 22 2016 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-198
- Allow firewalld_t to create entries in net_conf_t dirs.
- Allow journalctl to read syslogd_var_run_t files. This allows to staff_t and sysadm_t to read journals
- Allow rhsmcertd connect to port tcp 9090
- Label for /bin/mail(x) was removed but /usr/bin/mail(x) not. This path is also needed to remove.
- Label /usr/libexec/mimedefang-wrapper as spamd_exec_t.
- Add new boolean spamd_update_can_network.
- Add proper label for /var/log/proftpd.log
- Allow rhsmcertd connect to tcp netport_port_t
- Fix SELinux context for /usr/share/mirrormanager/server/mirrormanager to Label all binaries under dir as mirrormanager_exec_t.
- Allow prosody to bind to fac_restore tcp port.
- Fix SELinux context for usr/share/mirrormanager/server/mirrormanager
- Allow ninfod to read raw packets
- Fix broken hostapd policy
- Allow hostapd to create netlink_generic sockets. BZ(1343683)
- Merge pull request #133 from vinzent/allow_puppet_transition_to_shorewall
- Allow pegasus get attributes from qemu binary files.
- Allow tuned to use policykit. This change is required by cockpit.
- Allow conman_t to read dir with conman_unconfined_script_t binary files.
- Allow pegasus to read /proc/sysinfo.
- Allow puppet_t transtition to shorewall_t
- Allow conman to kill conman_unconfined_script.
- Allow sysadm_role to run journalctl_t domain. This allows sysadm user to read journals.
- Merge remote-tracking branch 'refs/remotes/origin/rawhide-base' into rawhide-base
- Allow systemd to execute all init daemon executables.
- Add init_exec_notrans_direct_init_entry() interface.
- Label tcp ports:16379, 26379 as redis_port_t
- Allow systemd to relabel /var and /var/lib directories during boot.
- Add files_relabel_var_dirs() and files_relabel_var_dirs() interfaces.
- Add files_relabelto_var_lib_dirs() interface.
- Label tcp and udp port 5582 as fac_restore_port_t
- Allow sysadm_t user to run postgresql-setup.
- Allow sysadm_t user to dbus chat with oddjob_t. This allows confined admin run oddjob mkhomedirfor script.
- Allow systemd-resolved to connect to llmnr tcp port. BZ(1344849)
- Allow passwd_t also manage user_tmp_t dirs, this change is needed by gnome-keyringd
2016-06-22 16:29:20 +02:00
Lukas Vrabec
a24ea5d79b Fix typo in changelog 2016-06-16 13:46:16 +02:00
Lukas Vrabec
4a34c4fbf0 * Thu Jun 16 2016 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-197
- Allow conman to kill conman_unconfined_script.
- Make conman_unconfined_script_t as init_system_domain.
- Allow init dbus chat with apmd.
- Patch /var/lib/rpm is symlink to /usr/share/rpm on Atomic, due to this change we need to label also /usr/share/rpm as rpm_var_lib_t.
- Dontaudit xguest_gkeyringd_t stream connect to system_dbusd_t
- Allow collectd_t to stream connect to postgresql.
- Allow mysqld_safe to inherit rlimit information from mysqld
- Allow ip netns to mounton root fs and unmount proc_t fs.
- Allow sysadm_t to run newaliases command.
2016-06-16 13:44:49 +02:00
Lukas Vrabec
be9b0d1f26 * Mon Jun 13 2016 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-196
- Allow svirt_sandbox_domains to r/w onload sockets
- Add filetrans rule that NetworkManager_t can create net_conf_t files in /etc.
- Add interface sysnet_filetrans_named_net_conf()
- Rawhide fails to boot, systemd-logind needs to config transient config files
- User Namespace is requires create on process domains
2016-06-13 16:38:21 +02:00
Lukas Vrabec
04ed479779 * Thu Jun 08 2016 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-195
- Add hwloc-dump-hwdata SELinux policy
- Add labels for mediawiki123
- Fix label for all fence_scsi_check scripts
- Allow setcap for fenced
- Allow glusterd domain read krb5_keytab_t files.
- Allow tmpreaper_t to read/setattr all non_security_file_type dirs
- Update refpolicy to handle hwloc
- Fix typo in files_setattr_non_security_dirs.
- Add interface files_setattr_non_security_dirs()
2016-06-09 16:45:01 +02:00
Lukas Vrabec
c2ab480fb0 * Tue Jun 07 2016 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-194
- Allow boinc to use dri devices. This allows use Boinc for a openCL GPU calculations. BZ(1340886)
- Add nrpe_dontaudit_write_pipes()
- Merge pull request #129 from rhatdan/onload
- Add support for onloadfs
- Merge pull request #127 from rhatdan/device-node
- Additional access required for unconfined domains
- Dontaudit ping attempts to write to nrpe unnamed pipes
- Allow ifconfig_t to mounton also ifconfig_var_run_t dirs, not just files. Needed for: #ip netns add foo BZ(1340952)
2016-06-07 15:57:53 +02:00
Lukas Vrabec
2506c08574 * Mon May 30 2016 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-193
- Directory Server (389-ds-base) has been updated to use systemd-ask-password. In order to function correctly we need the following added to dirsrv.te
- Update opendnssec_manage_config() interface to allow caller domain also manage opendnssec_conf_t dirs
- Allow gssproxy to get attributes on all filesystem object types. BZ(1333778)
- Allow ipa_dnskey_t search httpd config files.
- Dontaudit certmonger to write to etc_runtime_t
- Update opendnssec_read_conf() interface to allow caller domain also read opendnssec_conf_t dirs.
- Add interface ipa_delete_tmp()
- Allow systemd_hostanmed_t to read /proc/sysinfo labeled as sysctl_t.
- Allow systemd to remove ipa temp files during uinstalling ipa. BZ(1333106)
2016-05-30 22:14:40 +02:00
Lukas Vrabec
3289d158c4 * Wed May 25 2016 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-192
- Create new SELinux type for /usr/libexec/ipa/ipa-dnskeysyncd BZ(1333106)
- Add SELinux policy for opendnssec service. BZ(1333106)
2016-05-25 12:46:10 +02:00
Lukas Vrabec
4c0ceef239 * Tue May 24 2016 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-191
- Label /usr/share/ovirt-guest-agent/ovirt-guest-agent.py as rhev_agentd_exec_t
- Allow dnssec_trigger_t to create lnk_file labeled as dnssec_trigger_var_run_t. BZ(1335954)
- Allow ganesha-ha.sh script running under unconfined_t domain communicate with glusterd_t domains via dbus.
- Allow ganesha daemon labeled as glusterd_t create /var/lib/nfs/ganesha dir labeled as var_lib_nfs_t.
- Merge pull request #122 from NetworkManager/th/nm-dnsmasq-dbus
- Merge pull request #125 from rhatdan/typebounds
- Typebounds user domains
- Allow systemd_resolved_t to check if ipv6 is disabled.
- systemd added a new directory for unit files /run/systemd/transient. It should be labelled system_u:object_r:systemd_unit_file_t:s0, the same as /run/systemd/system, PID 1 will write units there. Resolves: #120
- Label /dev/xen/privcmd as xen_device_t. BZ(1334115)
2016-05-24 15:22:09 +02:00
Lukas Vrabec
5e78b00393 * Mon May 16 2016 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-190
- Label /var/log/ganesha.log as gluster_log_t Allow glusterd_t domain to create glusterd_log_t files. Label /var/run/ganesha.pid as gluster_var_run_t.
- Allow zabbix to connect to postgresql port
- Label /usr/libexec/openssh/sshd-keygen as sshd_keygen_exec_t. BZ(1335149)
- Allow systemd to read efivarfs. Resolve: #121
2016-05-16 17:29:54 +02:00
Lukas Vrabec
a2f43d9c50 * Tue May 10 2016 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-189
- Revert temporary fix: Replace generating man/html pages with pages from actual build. This is due to broken userspace with python3 in F23/Rawhide. Please Revert when userspace will be fixed
2016-05-10 13:14:52 +02:00
Lukas Vrabec
d395cb970d Revert "Replace generating man/html pages with pages from actual build. This is due to broken userspace with python3 in F23/Rawhide. Please Revert when userspace will be fixed."
This reverts commit ae80a5c1a5.
2016-05-10 12:57:45 +02:00
Lukas Vrabec
504f8fd0b8 Revert "Fix for Replace generating man/html pages with pages from actual build. This is due to broken userspace with python3 in F23/Rawhide. Please Revert when userspace will be fixed."
This reverts commit ceff8ba54e.
2016-05-10 12:56:53 +02:00
Lukas Vrabec
fc75a66eaf Revert "Revert "Replace generating man/html pages with pages from actual build. This is due to broken userspace with python3 in F23/Rawhide. Please Revert when userspace will be fixed.""
This reverts commit ada2305b09.
2016-05-10 12:56:41 +02:00
Lukas Vrabec
627ba30be7 Revert "Revert "Fix for Replace generating man/html pages with pages from actual build. This is due to broken userspace with python3 in F23/Rawhide. Please Revert when userspace will be fixed.""
This reverts commit b62b4ef3bf.
2016-05-10 12:56:06 +02:00
Lukas Vrabec
b62b4ef3bf Revert "Fix for Replace generating man/html pages with pages from actual build. This is due to broken userspace with python3 in F23/Rawhide. Please Revert when userspace will be fixed."
This reverts commit ceff8ba54e.
2016-05-10 11:53:39 +02:00
Lukas Vrabec
ada2305b09 Revert "Replace generating man/html pages with pages from actual build. This is due to broken userspace with python3 in F23/Rawhide. Please Revert when userspace will be fixed."
This reverts commit ae80a5c1a5.
2016-05-10 10:41:49 +02:00
Lukas Vrabec
70515f6ee4 * Mon May 09 2016 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-188
- Label tcp port 8181 as intermapper_port_t.
- Label /usr/libexec/storaged/storaged as lvm_exec_t to run storaged daemon in lvm_t SELinux domain. BZ(1333588)
- Label tcp/udp port 2024 as xinuexpansion4_port_t
- Label tcp port 7002 as afs_pt_port_t Label tcp/udp port 2023 as xinuexpansion3_port_t
2016-05-09 22:16:02 +02:00
Lukas Vrabec
7ff0b8badf * Thu May 05 2016 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-187
- Allow stunnel create log files. BZ(1333033)
- Label dev/shm/squid-cf__metadata.shm as squid_tmpfs_t. BZ(1331574)
- Allow stunnel sys_nice capability. Stunnel sched_* syscalls in some cases. BZ(1332287)
- Label /usr/bin/ganesha.nfsd as glusterd_exec_t to run ganesha as glusterd_t. Allow glusterd_t stream connect to rpbind_t. Allow cluster_t to create symlink /var/lib/nfs labeled as var_lib_nfs_t. Add interface rpc_filetrans_var_lib_nfs_content() Add new boolean: rpcd_use_fusefs to allow rpcd daemon use fusefs.
- Allow systemd-user-sessions daemon to mamange systemd_logind_var_run_t pid files. BZ(1331980)
- Modify kernel_steam_connect() interface by adding getattr permission. BZ(1331927)
- Label /usr/sbin/xrdp* files as bin_t BZ(1258453)
- Allow rpm-ostree domain transition to install_t domain from init_t. rhbz#1330318
2016-05-05 10:27:13 +02:00
Lukas Vrabec
7a1df1e370 * Fri Apr 29 2016 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-186
- Allow snapperd sys_admin capability Allow snapperd to set scheduler. BZ(1323732)
- Label named-pkcs11 binary as named_exec_t. BZ(1331316)
- Revert "Add new permissions stop/start to class system. rhbz#1324453"
- Fix typo in module compilation message
2016-04-29 16:08:26 +02:00
Lukas Vrabec
02b9e47960 * Wed Apr 27 2016 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-185
- Allow runnig php7 in fpm mode. From selinux-policy side, we need to allow httpd to read/write hugetlbfs.
- Allow openvswitch daemons to run under openvswitch Linux user instead of root. This change needs allow set capabilities: chwon, setgid, setuid, setpcap. BZ(1330895)
- Allow KDM to get status about power services. This change allow kdm to be able do shutdown BZ(1330970)
- Add mls support for some db classes
2016-04-27 14:27:01 +02:00
Lukas Vrabec
34332645c9 * Tue Apr 26 2016 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-184
- Remove ftpd_home_dir() boolean from distro policy. Reason is that we cannot make this working due to m4 macro language limits.
- Create new apache content template for files stored in user homedir. This change is needed to make working booleans: - httpd_enable_homedirs - httpd_read_user_content Resolves: rhbz#1330448
- Label /usr/lib/snapper/systemd-helper as snapperd_exec_t. rhbz#1323732
- Make virt_use_pcscd boolean off by default.
- Create boolean to allow virtual machine use smartcards. rhbz#1029297
- Allow snapperd to relabel btrfs snapshot subvolume to snapperd_data_t. rhbz#1323754
- Allow mongod log to syslog.
- Allow nsd daemon to create log file in /var/log as nsd_log_t
- unlabeled_t can not be an entrypoint.
- Modify interface den_read_nvme() to allow also read nvme_device_t block files. rhbz#1327909
- Add new permissions stop/start to class system. rhbz#1324453
2016-04-26 15:03:41 +02:00
Lukas Vrabec
64f8164852 * Mon Apr 18 2016 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-183
- Allow modemmanager to talk to logind
- Dontaudit tor daemon needs net_admin capability. rhbz#1311788
- Allow GDM write to event devices. This rule is needed for GDM, because other display managers runs the X server as root, GDM instead runs the X server as the unprivileged user, within the user session. rhbz#1232042
- Xorg now writes content in users homedir.
2016-04-18 13:42:21 +02:00
Lukas Vrabec
4c61782def * Fri Apr 08 2016 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-182
- rename several contrib modules according to their filenames
- Add interface gnome_filetrans_cert_home_content()
- By default container domains should not be allowed to create devices
- Allow unconfined_t to create ~/.local/share/networkmanagement/certificates/ as home_cert_t instead of data_home_t.
- Allow systemd_resolved_t to read /etc/passwd file. Allow systemd_resolved_t to write to kmsg_device_t when 'systemd.log_target=kmsg' option is used
- Allow systemd gpt generator to read removable devices. BZ(1323458)
- Allow systemd_gpt_generator_t sys_rawio capability. This access is needed to allow systemd gpt generator various device commands  BZ(1323454)
2016-04-08 14:11:58 +02:00
Lukas Vrabec
c1300100ed * Fri Apr 01 2016 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-181
- Label /usr/libexec/rpm-ostreed as rpm_exec_t. BZ(1309075)
- /bin/mailx is labeled sendmail_exec_t, and enters the sendmail_t domain on execution.  If /usr/sbin/sendmail does not have its own domain to transition to, and is not one of several products whose behavior is allowed by the sendmail_t policy, execution will fail. In this case we need to label /bin/mailx as bin_t. BZ(1323224)
- Label all run tgtd files, not just socket files.
- Allow prosody to stream connect to sasl. This will allow using cyrus authentication in prosody.
- Allow prosody to listen on port 5000 for mod_proxy65. BZ(1322815)
- Allow targetd to read/write to /dev/mapper/control device. BZ(1241415)
- Label /etc/selinux/(minimum|mls|targeted)/active/ as semanage_store_t.
- Allow systemd_resolved to read systemd_networkd run files. BZ(1322921)
- New cgroup2 file system in Rawhide
2016-04-01 18:15:00 +02:00
Lukas Vrabec
fac3fc97fa * Wed Mar 30 2016 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-180
- Allow dovecot_auth_t domain to manage also dovecot_var_run_t fifo files. BZ(1320415)
- Allow colord to read /etc/udev/hwdb.bin. rhzb#1316514
- sandboxX.te: Allow sandbox domain to have entrypoint access only for executables and mountpoints.
- Allow sandbox domain to have entrypoint access only for executables and mountpoints.
- Allow bitlee to create bitlee_var_t dirs.
- Allow CIM provider to read sssd public files.
- Fix some broken interfaces in distro policy.
- Allow power button to shutdown the laptop.
- Allow lsm plugins to create named fixed disks. rhbz#1238066
- Allow hyperv domains to rw hyperv devices. rhbz#1241636
- Label /var/www/html(/.*)?/wp_backups(/.*)? as httpd_sys_rw_content_t.
- Create conman_unconfined_script_t type for conman script stored in /use/share/conman/exec/
- Allow rsync_export_all_ro boolean to read also non_auth_dirs/files/symlinks.
- Allow pmdaapache labeled as pcp_pmcd_t access to port 80 for apache diagnostics
- Label nagios scripts as httpd_sys_script_exec_t.
- Allow nsd_t to bind on nsf_control tcp port. Allow nsd_crond_t to read nsd pid.
- Fix couple of cosmetic thing in new virtlogd_t policy. rhbz #1311576
- Merge pull request #104 from berrange/rawhide-contrib-virtlogd
- Label /var/run/ecblp0 as cupsd_var_run_t due to this fifo_file is used by epson drivers. rhbz#1310336
- Dontaudit logrotate to setrlimit itself. rhbz#1309604
- Add filename transition that /etc/princap will be created with cupsd_rw_etc_t label in cups_filetrans_named_content() interface.
- Allow pcp_pmie and pcp_pmlogger to read all domains state.
- Allow systemd-gpt-generator to create and manage systemd gpt generator unit files. BZ(1319446)
- Merge pull request #115 from rhatdan/nvidea
- Label all nvidia binaries as xserver_exec_t
- Add new systemd_hwdb_read_config() interface. rhbz#1316514
- Add back corecmd_read_all_executables() interface.
- Call files_type() instead of file_type() for unlabeled_t.
- Add files_entrypoint_all_mountpoint() interface.
- Make unlabeled only as a file_type type. It is a type for fallback if there is an issue with labeling.
- Add corecmd_entrypoint_all_executables() interface.
- Create hyperv* devices and create rw interfaces for this devices. rhbz#1309361
- Add neverallow assertion for unlabaled_t to increase policy security.
- Allow systemd-rfkill to create /var/lib/systemd/rfkill dir. rhbz#1319499
- Label 8952 tcp port as nsd_control.
- Allow to log out to gdm after screen was resized in session via vdagent. Resolves: rhbz#1249020
2016-03-30 12:56:26 +02:00
Lukas Vrabec
610d03d3bf Fix spec file by adding also 'Requires' where it is need not just only 'Requires(pre)'. rhbz#1319119 2016-03-22 11:58:58 +01:00
Lukas Vrabec
2f93136bc2 There's no need to repeat files for all subsets again and again when
there's %fileList macro available.
2016-03-16 23:25:45 +01:00
Lukas Vrabec
3f0021e9f3 * Wed Mar 16 2016 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-179
- Add filename transition that /etc/princap will be created with cupsd_rw_etc_t label in cups_filetrans_named_content() interface.
- Revert "Add filename transition that /etc/princap will be created with cupsd_rw_etc_t label in cups_filetrans_named_content."
- Add filename transition that /etc/princap will be created with cupsd_rw_etc_t label in cups_filetrans_named_content.
- Allow pcp_pmie and pcp_pmlogger to read all domains state.
- Make fwupd domain unconfined. We need to discuss solution related to using gpg. rhbz#1316717
- Merge pull request #108 from rhatdan/rkt
- Merge pull request #109 from rhatdan/virt_sandbox
- Add new interface to define virt_sandbox_network domains
- Label /etc/redis-sentinel.conf as redis_conf_t. Allow redis_t write to redis_conf_t. Allow redis_t to connect on redis tcp port.
- Fix typo in drbd policy
- Remove declaration of empty booleans in virt policy.
- Add new drbd file type: drbd_var_run_t. Allow drbd_t to manage drbd_var_run_t files/dirs.
- Label /etc/ctdb/events.d/* as ctdb_exec_t. Allow ctdbd_t to setattr on ctdbd_exec_t files.
- Additional rules to make rkt work in enforcing mode
- Allow to log out to gdm after screen was resized in session via vdagent. Resolves: rhbz#1249020
- Allow ipsec to use pam. rhbz#1317988
- Allow systemd-gpt-generator to read fixed_disk_device_t. rhbz#1314968
- Allow setrans daemon to read /proc/meminfo.
- Merge pull request #107 from rhatdan/rkt-base
- Allow systemd_notify_t to write to kmsg_device_t when 'systemd.log_target=kmsg' option is used.
- Remove bin_t label for /etc/ctdb/events.d/. We need to label this scripts as ctdb_exec_t.
2016-03-16 13:59:24 +01:00
Lukas Vrabec
cdb2ae4578 * Thu Mar 10 2016 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-178
- Label tcp port 5355 as llmnr-> Link-Local Multicast Name Resolution
- Add support systemd-resolved.
2016-03-10 12:50:06 +01:00
Lukas Vrabec
d14d3706d7 * Tue Mar 08 2016 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-177
- Allow spice-vdagent to getattr on tmpfs_t filesystems Resolves: rhbz#1276251
- Allow sending dbus msgs between firewalld and system_cronjob domains.
- Allow zabbix-agentd to connect to following tcp sockets. One of zabbix-agentd functions is get service status of ftp,http,innd,pop,smtp protocols. rhbz#1315354
- Allow snapperd mounton permissions for snapperd_data_t. BZ(#1314972)
- Add support for systemd-gpt-auto-generator. rhbz#1314968
- Add interface dev_read_nvme() to allow reading Non-Volatile Memory Host Controller devices.
- Add support for systemd-hwdb daemon. rhbz#1306243
2016-03-08 16:08:03 +01:00
Lukas Vrabec
9fc76d9ab8 * Thu Mar 03 2016 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-176
- Add new boolean tmpreaper_use_cifs() to allow tmpreaper to run on local directories being shared with Samba.
- Merge pull request #105 from rhatdan/NO_NEW_PRIV
- Fix new rkt policy
- Remove some redundant rules.
- Fix cosmetic issues in interface file.
- Merge pull request #100 from rhatdan/rawhide-contrib
- Add interface fs_setattr_cifs_dirs().
- Merge pull request #106 from rhatdan/NO_NEW_PRIV_BASE
- Fixed to make SELinux work with docker and prctl(NO_NEW_PRIVS)
-Build file_contexts.bin file_context.local.bin file_context.homedir.bin during build phase.
 This fix issue in Fedora live images when selinux-policy-targeted is not installed but just unpackaged, since there's no .bin files,
 file_contexts is parsed in selabel_open().
Resolves: rhbz#1314372
2016-03-03 16:00:03 +01:00
Lukas Vrabec
dd88f3a1a7 Build file_contexts.bin file_context.local.bin file_context.homedir.bin during build phase. This fix issue in Fedora live images when selinux-policy-targeted is not installed but just unpackaged, since there's no .bin files, file_contexts is parsed in selabel_open(). Resolves: rhbz#1314372 2016-03-03 15:57:30 +01:00
Lukas Vrabec
a99d75d418 This change was originally introduced to fix contexts of files in
~/.config when there were no filename transition rules in SELinux
policy. These lines could be  removed. rhbz#1313464
2016-03-01 17:22:44 +01:00
Lukas Vrabec
ca25751cfd * Fri Feb 26 2016 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-175
- Fix new rkt policy (Remove some redundant rules, Fix cosmetic issues in interface file)
- Add policy for rkt services
2016-02-26 17:44:00 +01:00
Lukas Vrabec
e98b0994a7 * Fri Feb 26 2016 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-174
- Revert "Allow systemd-logind to create .#nologinXXXXXX labeled as systemd_logind_var_run_t in /var/run/systemd/ rhbz#1285019"
- Allow systemd-logind to create .#nologinXXXXXX labeled as systemd_logind_var_run_t in /var/run/ rhbz#1285019
2016-02-26 14:55:26 +01:00
Lukas Vrabec
7ac3a50aaf * Fri Feb 26 2016 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-173
- Allow amanda to manipulate the tape changer to load the necessary tapes. rhbz#1311759
- Allow keepalived to create netlink generic sockets. rhbz#1311756
- Allow modemmanager to read /etc/passwd file.
- Label all files named /var/run/.*nologin.* as systemd_logind_var_run_t.
- Add filename transition to interface systemd_filetrans_named_content() that domain will create rfkill dir labeled as systemd_rfkill_var_lib_t instead of init_var_lib_t. rhbz #1290255
- Allow systemd-logind to create .#nologinXXXXXX labeled as systemd_logind_var_run_t in /var/run/systemd/ rhbz#1285019
- Allow systemd_networkd_t to write kmsg, when kernel was started with following params: systemd.debug systemd.log_level=debug systemd.log_target=kmsg rhbz#1311444
- Allow ipsec to read home certs, when connecting to VPN. rhbz#1301319
2016-02-26 13:34:18 +01:00
Lukas Vrabec
352a55a547 * Thu Feb 25 2016 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-172
- Fix macro name from snmp_manage_snmp_var_lib_files to snmp_manage_var_lib_files in cupsd policy.
- Allow hplip driver to write to its MIB index files stored in the /var/lib/net-snmp/mib_indexes. Resolves: rhbz#1291033
- Allow collectd setgid capability Resolves:#1310896
- Allow adcli running as sssd_t to write krb5.keytab file.
- Allow abrt-hook-ccpp to getattr on all executables. BZ(1284304)
- Allow kexec to read kernel module files in /usr/lib/modules.
- Add httpd_log_t for /var/log/graphite-web rhbz#1306981
- Remove redudant rules and fix _admin interface.
- Add SELinux policy for LTTng 2.x central tracing registry session daemon.
- Allow create mongodb unix dgram sockets. rhbz#1306819
- Support for InnoDB Tablespace Encryption.
- Dontaudit leaded file descriptors from firewalld
- Add port for rkt services
- Add support for the default lttng-sessiond port - tcp/5345.  This port is used by LTTng 2.x central tracing registry session daemon.
2016-02-25 13:20:35 +01:00
Lukas Vrabec
5d7b1f6d2e Fixes related to new SELinux userspace Add new files from userspace: /var/lib/selinux/targeted|mls|minimum/active/seusers /var/lib/selinux/targeted|mls|minimum/active/file_contexts /var/lib/selinux/targeted|mls|minimum/active/policy.kern 2016-02-25 12:02:25 +01:00
Lukas Vrabec
d6823d337b * Thu Feb 11 2016 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-171
- Allow setroubleshoot_fixit_t to use temporary files
2016-02-11 14:22:13 +01:00