Commit Graph

6008 Commits

Author SHA1 Message Date
Ondrej Mosnacek
b867d53c38 README is written in markdown - change extension to .md
Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
2020-10-12 06:50:36 +00:00
Ondrej Mosnacek
4d9a7e555f Ensure targeted policy is installed by default
When installing [a package requiring] selinux-policy/-base/
rpm-plugin-selinux, selinux-policy-minimum is always chosen (based on
alphabetical order). This is not desirable and we'd like -targeted to be
picked as the default choice.

Since selinux-policy and selinux-policy-base are glued together because
of rpm-plugins-selinux, just have selinu-policy provide
selinux-policy-base, use a new metapackage selinux-policy-any to
represent "any of -targeted, -mls, or -minimum", and have selinux-policy
require -any.

Then adding "Suggests: selinux-policy-targeted" to selinux-policy has
the effect that -targeted is picked by default when any of
selinux-policy/-base/rpm-plugin-selinux is installed via "dnf install"
on a clean system.

This patch combines the ideas of Petr Lautrbach, Vit Mojzis, and myself.

Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
2020-10-12 06:45:19 +00:00
Ondrej Mosnacek
e042be0581 make-rhat-patches: Use shallow clone
The selinux-policy repos are quite big - use --depth=1 to fetch only the
latest commit of the requested branch, to save network traffic and time.

A possible downside of this is that one can no longer pass a commit ID
via REPO_SELINUX_POLICY_*BRANCH, but that's unlikely to be useful in
practice.

Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
2020-10-12 06:38:28 +00:00
Ondrej Mosnacek
d9d5631b8d make-rhat-patches: Use default tmp directory
It's better to use the standard /tmp, since it commonly has tmpfs
mounted over it, which avoids unnecessary disk I/O. Let's make our SSDs
slightly happier :)

Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
2020-10-12 06:38:28 +00:00
Zdenek Pytela
5772505d0d * Tue Oct 06 2020 Zdenek Pytela <zpytela@redhat.com> - 3.14.7-5
- Remove empty line from rshd.fc
- Allow systemd-logind read swap files
- Add fstools_read_swap_files() interface
- Allow dyntransition from sshd_t to unconfined_t
- Removed adding to attribute unpriv_userdomain from userdom_unpriv_type template
2020-10-06 15:41:07 +02:00
Zdenek Pytela
5a32f59808 * Fri Sep 25 2020 Zdenek Pytela <zpytela@redhat.com> - 3.14.7-4
- Allow chronyd_t to accept and make NTS-KE connections
- Allow domain write to an automount unnamed pipe
- Label /var/run/zincati/public/motd.d/* as motd_var_run_t
- Allow login programs to (only) read MOTD files and symlinks
- Relabel /usr/sbin/charon-systemd as ipsec_exec_t
- Confine systemd-sleep service
- Add fstools_rw_swap_files() interface
- Label 4460/tcp port as ntske_port_t
- Add lvm_dbus_send_msg(), lvm_rw_var_run() interfaces
2020-09-25 19:12:03 +02:00
Ondrej Mosnacek
4cdd6f8332 Update /etc/selinux/config for removal of runtime SELinux disable
This is in preparation for the following Fedora Change:
https://fedoraproject.org/wiki/Changes/Remove_Support_For_SELinux_Runtime_Disable

Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
2020-09-24 14:31:12 +00:00
Zdenek Pytela
4b8bcba2a7 * Mon Sep 21 2020 Zdenek Pytela <zpytela@redhat.com> - 3.14.7-3
- Check out the right -contrib branch in Travis
2020-09-21 13:54:33 +02:00
Zdenek Pytela
2cf6b0aa1d * Fri Sep 18 2020 Zdenek Pytela <zpytela@redhat.com> - 3.14.7-2
- Allow openvswitch fowner capability and create netlink sockets
- Allow additional permissions for gnome-initial-setup
- Add to map non_security_files to the userdom_admin_user_template template
- kernel/filesystem: Add exfat support (no extended attributes)
2020-09-18 16:00:35 +02:00
Zdenek Pytela
129e6fcdd4 * Tue Sep 08 2020 Zdenek Pytela <zpytela@redhat.com> - 3.14.7-1
- Bump version as Fedora 33 has been branched
- Allow php-fpm write access to /var/run/redis/redis.sock
- Allow journalctl to read and write to inherited user domain tty
- Update rkt policy to allow rkt_t domain to read sysfs filesystem
- Allow arpwatch create and use rdma socket
- Allow plymouth sys_chroot capability
- Allow gnome-initial-setup execute in a xdm sandbox
- Add new devices and filesystem interfaces
2020-09-09 15:22:20 +02:00
Zdenek Pytela
491bb86202 * Mon Aug 24 2020 Zdenek Pytela <zpytela@redhat.com> - 3.14.6-25
- Allow certmonger fowner capability
- The nfsdcld service is now confined by SELinux
- Change transitions for ~/.config/Yubico
- Allow all users to connect to systemd-userdbd with a unix socket
- Add file context for ~/.config/Yubico
- Allow syslogd_t domain to read/write tmpfs systemd-bootchart files
- Allow login_pgm attribute to get attributes in proc_t
- Allow passwd to get attributes in proc_t
- Revert "Allow passwd to get attributes in proc_t"
- Revert "Allow login_pgm attribute to get attributes in proc_t"
- Allow login_pgm attribute to get attributes in proc_t
- Allow passwd to get attributes in proc_t
- Allow traceroute_t and ping_t to bind generic nodes.
- Create macro corenet_icmp_bind_generic_node()
- Allow unconfined_t to node_bind icmp_sockets in node_t domain
2020-08-27 08:58:40 +02:00
Petr Lautrbach
74e5e49dca test-reboot.yml: test.log is mandatory, improve results format
According to
https://docs.fedoraproject.org/en-US/ci/standard-test-interface/#_invocation
every test must provide *test.log*.

Improve *results.yml* format.

Drop *avc.err.log* and log everything AVC denial related to *avc.log*
2020-08-27 07:49:02 +02:00
Petr Lautrbach
8c3ddf27e9 Add a basic sanity reboot test collecting AVCs
In order to minimize possible damage on composes we need to be sure that a
system can boot and it doesn't generate any AVC denial.

This test reboots a machine and collects AVC, USER_AVC and SELINUX_ERR audit
messages into avc.log file which is propagated as test artifact.
2020-08-25 12:25:34 +02:00
Zdenek Pytela
8bda530858 * Thu Aug 13 2020 Zdenek Pytela <zpytela@redhat.com> - 3.14.6-24
- Add ipa_helper_noatsecure() interface unconditionally
- Conditionally allow nagios_plugin_domain dbus chat with init
- Revert "Update allow rules set for nrpe_t domain"
- Add ipa_helper_noatsecure() interface to ipa.if
- Label /usr/libexec/qemu-pr-helper with virtd_exec_t
- Allow kadmind manage kerberos host rcache
- Allow nsswitch_domain to connect to systemd-machined using a unix socket
- Define named file transition for sshd on /tmp/krb5_0.rcache2
- Allow systemd-machined create userdbd runtime sock files
- Disable kdbus module before updating
2020-08-13 20:12:50 +02:00
Zdenek Pytela
01e3f0a70d * Mon Aug 03 2020 Zdenek Pytela <zpytela@redhat.com> - 3.14.6-23
- Revert "Add support for /sys/fs/kdbus and allow login_pgm domain to access it."
- Revert "Add interface to allow types to associate with cgroup filesystems"
- Revert "kdbusfs should not be accessible for now."
- Revert "kdbusfs should not be accessible for now by default for shipped policies. It should be moved to kdbus.pp"
- Revert "Add kdbus.pp policy to allow access /sys/fs/kdbus. It needs to go with own module because this is workaround for now to avoid SELinux in enforcing mode."
- Remove the legacy kdbus module
- Remove "kdbus = module" from modules-targeted-base.conf
2020-08-03 13:25:54 +02:00
Zdenek Pytela
8394f612f0 * Thu Jul 30 2020 Zdenek Pytela <zpytela@redhat.com> - 3.14.6-22
- Allow virtlockd only getattr and lock block devices
- Allow qemu-ga read all non security file types conditionally
- Allow virtlockd manage VMs posix file locks
- Allow smbd get attributes of device files labeled samba_share_t
- Label /tmp/krb5_0.rcache2 with krb5_host_rcache_t
- Add a new httpd_can_manage_courier_spool boolean
- Create interface courier_manage_spool_sockets() in courier policy to allow to search dir and allow manage sock files
- Revert "Allow qemu-kvm read and write /dev/mapper/control"
- Revert "Allow qemu read and write /dev/mapper/control"
- Revert "Dontaudit and disallow sys_admin capability for keepalived_t domain"
- Dontaudit pcscd_t setting its process scheduling
- Dontaudit thumb_t setting its process scheduling
- Allow munin domain transition with NoNewPrivileges
- Add dev_lock_all_blk_files() interface
- Allow auditd manage kerberos host rcache files
- Allow systemd-logind dbus chat with fwupd
2020-07-30 18:50:17 +02:00
Fedora Release Engineering
d77690be67 - Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
Signed-off-by: Fedora Release Engineering <releng@fedoraproject.org>
2020-07-29 10:31:23 +00:00
Lukas Vrabec
0b0aa798b9
* Mon Jul 13 2020 Lukas Vrabec <lvrabec@redhat.com> - 3.14.6-20
- Align gen_tunable() syntax with sepolgen
2020-07-13 17:47:32 +02:00
Zdenek Pytela
33a29656c0 * Fri Jul 10 2020 Zdenek Pytela <zpytela@redhat.com> - 3.14.6-19
- Additional support for keepalived running in a namespace
- Remove systemd_dbus_chat_resolved(pcp_pmie_t)
- virt: remove the libvirt qmf rules
- Allow certmonger manage dirsrv services
- Run ipa_helper_noatsecure(oddjob_t) only if the interface exists
- Allow domain dbus chat with systemd-resolved
- Define file context for /var/run/netns directory only
- Revert "Add support for fuse.glusterfs"
2020-07-10 17:18:49 +02:00
Zdenek Pytela
d1c7bc688f * Tue Jul 07 2020 Zdenek Pytela <zpytela@redhat.com> - 3.14.6-18
- Allow oddjob_t process noatsecure permission for ipa_helper_t
- Allow keepalived manage its private type runtime directories
- Update irqbalance runtime directory file context
- Allow irqbalance file transition for pid sock_files and directories
- Allow systemd_private_tmp(dirsrv_tmp_t) instead of dirsrv_t
- Allow virtlogd_t manage virt lib files
- Allow systemd set efivarfs files attributes
- Support systemctl --user in machinectl
- Allow chkpwd_t read and write systemd-machined devpts character nodes
- Allow init_t write to inherited systemd-logind sessions pipes
2020-07-07 16:11:16 +02:00
Zdenek Pytela
c04fecfb03 * Fri Jun 26 2020 Zdenek Pytela <zpytela@redhat.com> - 3.14.6-17
- Allow pdns server to read system state
- Allow irqbalance nnp_transition
- Fix description tag for the sssd_connect_all_unreserved_ports tunable
- Allow journalctl process set its resource limits
- Add sssd_access_kernel_keys tunable to conditionally access kernel keys
- Make keepalived work with network namespaces
- Create sssd_connect_all_unreserved_ports boolean
- Allow hypervkvpd to request kernel to load a module
- Allow systemd_private_tmp(dirsrv_tmp_t)
- Allow microcode_ctl get attributes of sysfs directories
- Remove duplicate files_dontaudit_list_tmp(radiusd_t) line
- Allow radiusd connect to gssproxy over unix domain stream socket
- Add fwupd_cache_t file context for '/var/cache/fwupd(/.*)?'
- Allow qemu read and write /dev/mapper/control
- Allow tlp_t can_exec() tlp_exec_t
- Dontaudit vpnc_t setting its process scheduling
- Remove files_mmap_usr_files() call for particular domains
- Allow dirsrv_t list cgroup directories
- Crete the kerberos_write_kadmind_tmp_files() interface
- Allow realmd_t dbus chat with accountsd_t
- Label systemd-growfs and systemd-makefs       as fsadm_exec_t
- Allow staff_u and user_u setattr generic usb devices
- Allow sysadm_t dbus chat with accountsd
- Modify kernel_rw_key() not to include append permission
- Add kernel_rw_key() interface to access to kernel keyrings
- Modify systemd_delete_private_tmp() to use delete_*_pattern macros
- Allow systemd-modules to load kernel modules
- Add cachefiles_dev_t as a typealias to cachefiles_device_t
- Allow libkrb5 lib read client keytabs
- Allow domain mmap usr_t files
- Remove files_mmap_usr_files() call for systemd domains
- Allow sshd write to kadmind temporary files
- Do not audit staff_t and user_t attempts to manage boot_t entries
- Add files_dontaudit_manage_boot_dirs() interface
- Allow systemd-tty-ask-password-agent read efivarfs files
2020-06-26 16:15:46 +02:00
Adam Williamson
154654f526 Bump and build for scriptlet fix 2020-06-25 17:13:28 -07:00
Adam Williamson
69200e5a7d scriptlets: always existence-check /etc/selinux/config
This does not work as expected with `/bin/sh` if the file does
not exist:

. %{_sysconfdir}/selinux/config &> /dev/null || true;

when run with `/bin/sh` (as opposed to `/bin/bash`) it exits 1
if the file does not exist. It exits 0 if the file exists but
there is an error parsing it. When run with `/bin/bash` it exits
0 in both cases as expected, but RPM scriptlets are run with sh.

To avoid this problem, we must always explicitly do an existence
check on the file before attempting to source it.

Signed-off-by: Adam Williamson <awilliam@redhat.com>
2020-06-25 17:10:29 -07:00
Zdenek Pytela
5cdd516855 * Thu Jun 04 2020 Zdenek Pytela <zpytela@redhat.com> - 3.14.6-15
- Add fetchmail_uidl_cache_t type for /var/mail/.fetchmail.pid
- Support multiple ways of tlp invocation
- Allow qemu-kvm read and write /dev/mapper/control
- Introduce logrotate_use_cifs boolean
- Allow ptp4l_t sys_admin capability to run bpf programs
- Allow to getattr files on an nsfs filesystem
- httpd: Allow NoNewPriv transition from systemd
- Allow rhsmd read process state of all domains and kernel threads
- Allow rhsmd mmap /etc/passwd
- Allow systemd-logind manage efivarfs files
- Allow initrc_t tlp_filetrans_named_content()
- Allow systemd_resolved_t to read efivarfs
- Allow systemd_modules_load_t to read efivarfs
- Introduce systemd_read_efivarfs_type attribute
- Allow named transition for /run/tlp from a user shell
- Allow ipsec_mgmt_t mmap ipsec_conf_file_t files
- Add file context for /sys/kernel/tracing
2020-06-04 13:00:42 +02:00
Zdenek Pytela
1111964e2a * Tue May 19 2020 Zdenek Pytela <zpytela@redhat.com> - 3.14.6-14
- Allow chronyc_t domain to use nsswitch
- Allow nscd_socket_use() for domains in nscd_use() unconditionally
- Add allow rules for lttng-sessiond domain
- Label dirsrv systemd unit files and add dirsrv_systemctl()
- Allow gluster geo-replication in rsync mode
- Allow nagios_plugin_domain execute programs in bin directories
- Allow sys_admin capability for domain labeled systemd_bootchart_t
- Split the arping path regexp to 2 lines to prevent from relabeling
- Allow tcpdump sniffing offloaded (RDMA) traffic
- Revert "Change arping path regexp to work around fixfiles incorrect handling"
- Change arping path regexp to work around fixfiles incorrect handling
- Allow read efivarfs_t files by domains executing systemctl file
2020-05-19 17:52:53 +02:00
Zdenek Pytela
6a3fec4b74 * Wed Apr 29 2020 Zdenek Pytela <zpytela@redhat.com> - 3.14.6-13
- Update networkmanager_read_pid_files() to allow also list_dir_perms
- Update policy for NetworkManager_ssh_t
- Allow glusterd synchronize between master and slave
- Allow spamc_t domain to read network state
- Allow strongswan use tun/tap devices and keys
- Allow systemd_userdbd_t domain logging to journal
2020-04-29 11:21:16 +02:00
Vit Mojzis
53368f319b Disable ipa_custodia before policy update
Ipa_custodia was merged into ipa policy module. To avoid conflicts
the module needs to be disabled before policy update.

Fixes:
   Running scriptlet: selinux-policy-targeted-3.14.5-35.fc32.noarch
   Re-declaration of type ipa_custodia_t
   Failed to create node
   Bad type declaration at /var/lib/selinux/targeted/tmp/modules/100/ipa_custodia/cil:1
   /usr/sbin/semodule:  Failed!
2020-04-27 09:24:03 +02:00
Zdenek Pytela
b7b2c03ca7 * Tue Apr 16 2020 Zdenek Pytela <zpytela@redhat.com> - 3.14.6-12
- Allow rngd create netlink_kobject_uevent_socket and read udev runtime files
- Allow ssh-keygen create file in /var/lib/glusterd
- Update ctdbd_manage_lib_files() to also allow mmap ctdbd_var_lib_t files
- Merge ipa and ipa_custodia modules
- Allow NetworkManager_ssh_t to execute_no_trans for binary ssh_exec_t
- Introduce daemons_dontaudit_scheduling boolean
- Modify path for arping in netutils.fc to match both bin and sbin
- Change file context for /var/run/pam_ssh to match file transition
- Add file context entry and file transition for /var/run/pam_timestamp
2020-04-14 16:43:04 +02:00
Zdenek Pytela
9006b430b3 * Tue Mar 31 2020 Zdenek Pytela <zpytela@redhat.com> - 3.14.6-11
- Allow NetworkManager manage dhcpd unit files
- Update ninfod policy to add nnp transition from systemd to ninfod
- Remove container interface calling by named_filetrans_domain.
2020-03-31 09:52:00 +02:00
Zdenek Pytela
08e09fd9c1 * Wed Mar 25 2020 Zdenek Pytela <zpytela@redhat.com> - 3.14.6-10
- Allow openfortivpn exec shell
- Remove label session_dbusd_tmp_t for /run/user/USERID/systemd
- Add ibacm_t ipc_lock capability
- Allow ipsec_t connectto ipsec_mgmt_t
- Remove ipa_custodia
- Allow systemd-journald to read user_tmp_t symlinks
2020-03-25 18:09:22 +01:00
Zdenek Pytela
099d40eeb8 * Wed Mar 18 2020 Zdenek Pytela <zpytela@redhat.com> - 3.14.6-9
- Allow zabbix_t manage and filetrans temporary socket files
- Makefile: fix tmp/%.mod.fc target
2020-03-18 13:55:22 +01:00
Zdenek Pytela
e3700463c8 * Fri Mar 13 2020 Zdenek Pytela <zpytela@redhat.com> - 3.14.6-8
- Allow NetworkManager read its unit files and manage services
- Add init_daemon_domain() for geoclue_t
- Allow to use nnp_transition in pulseaudio_role
- Allow pdns_t domain to map files in /usr.
- Label all NetworkManager fortisslvpn plugins as openfortivpn_exec_t
- Allow login_pgm create and bind on netlink_selinux_socket
2020-03-13 09:22:23 +01:00
Ondrej Mosnacek
7579dcf465 Extend use of %common_params
Commit f76a9deccc ("Consolidate make parameters") replaced most
occurences of common make params with a single %common_params macro
call, but it omitted two places. Extend the %common_params usage to
these as well.

Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
2020-03-11 14:15:18 +01:00
Ondrej Mosnacek
feca8df9ee Drop unused seusers file
Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
2020-03-11 14:15:18 +01:00
Zdenek Pytela
30da7f7067 * Mon Mar 09 2020 Zdenek Pytela <zpytela@redhat.com> - 3.14.6-7
- Allow sssd read systemd-resolved runtime directory
- Allow sssd read NetworkManager's runtime directory
- Mark nm-cloud-setup systemd units as NetworkManager_unit_file_t
- Allow system_mail_t to signull pcscd_t
- Create interface pcscd_signull
- Allow auditd poweroff or switch to single mode
2020-03-09 17:07:28 +01:00
Lukas Vrabec
eacc15421e
* Fri Feb 28 2020 Lukas Vrabec <lvrabec@redhat.com> - 3.14.6-6
- Allow postfix stream connect to cyrus through runtime socket
- Dontaudit daemons to set and get scheduling policy/parameters
2020-02-28 17:13:35 +01:00
Lukas Vrabec
6f3f722f7d
* Sat Feb 22 2020 Lukas Vrabec <lvrabec@redhat.com> - 3.14.6-5
- Allow certmonger_t domain to read pkcs_slotd lock files
- Allow httpd_t domain to mmap own var_lib_t files BZ(1804853)
- Allow ipda_custodia_t to create udp_socket and added permission nlmsg_read for netlink_route_sockets
- Make file context more variable for /usr/bin/fusermount and /bin/fusermount
- Allow local_login_t domain to getattr cgroup filesystem
- Allow systemd_logind_t domain to manage user_tmp_t char and block devices
2020-02-22 17:02:13 +01:00
Lukas Vrabec
e0ee9a1a66
* Tue Feb 18 2020 Lukas Vrabec <lvrabec@redhat.com> - 3.14.6-4
- Update virt_read_qemu_pid_files inteface
- Allow systemd_logind_t domain to getattr cgroup filesystem
- Allow systemd_logind_t domain to manage user_tmp_t char and block devices
- Allow nsswitch_domain attribute to stream connect to systemd process
2020-02-18 18:04:28 +01:00
Lukas Vrabec
48b6fc450f
Update changelog to descending chronological order 2020-02-16 13:08:28 +01:00
Lukas Vrabec
fc739f4200
* Sun Feb 16 2020 Lukas Vrabec <lvrabec@redhat.com> - 3.14.6-3
- Allow systemd labeled as init_t to manage systemd_userdbd_runtime_t symlinks
- Allow systemd_userdbd_t domain to read efivarfs files
2020-02-16 13:00:31 +01:00
Lukas Vrabec
8c624edf84
* Sat Feb 15 2020 Lukas Vrabec <lvrabec@redhat.com> - 3.14.6-2
- Allow vhostmd communication with hosted virtual machines
- Add and update virt interfaces
- Update radiusd policy
- Allow systemd_private_tmp(named_tmp_t)
- Allow bacula dac_override capability
- Allow systemd_networkd_t to read efivarfs
- Add support for systemd-userdbd
- Allow systemd system services read efivarfs files
2020-02-16 00:25:43 +01:00
Lukas Vrabec
0270e1e28d
* Sun Feb 16 2020 Lukas Vrabec <lvrabec@redhat.com> - 3.14.6-1
- Bump version to 3.14.6 because fedora 32 was branched
2020-02-16 00:22:07 +01:00
Zdenek Pytela
916c9099f2 * Fri Feb 07 2020 Zdenek Pytela <zpytela@redhat.com> - 3.14.5-24
- Allow ptp4l_t create and use packet_socket sockets
- Allow ipa_custodia_t create and use netlink_route_socket sockets.
- Allow networkmanager_t transition to setfiles_t
- Create init_create_dirs boolean to allow init create directories
2020-02-07 17:22:36 +01:00
Ondrej Mosnacek
2a989ab68e spec: Use RPM path macros more consistently
Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
2020-02-07 12:37:11 +01:00
Zdenek Pytela
4ee1dfc5d7 * Fri Jan 31 2020 Zdenek Pytela <zpytela@redhat.com> - 3.14.5-23
- Allow thumb_t connect to system_dbusd_t BZ(1795044)
- Allow saslauthd_t filetrans variable files for /tmp directory
- Added apache create log dirs macro
- Tiny documentation fix
- Allow openfortivpn_t to manage net_conf_t files.
- Introduce boolean openfortivpn_can_network_connect.
- Dontaudit domain chronyd_t to list in user home dirs.
- Allow init_t to create apache log dirs.
- Add file transition for /dev/nvidia-uvm BZ(1770588)
- Allow syslog_t to read efivarfs_t files
- Add ioctl to term_dontaudit_use_ptmx macro
- Update xserver_rw_session macro
2020-01-31 10:53:24 +01:00
Fedora Release Engineering
6f927019b9 - Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
Signed-off-by: Fedora Release Engineering <releng@fedoraproject.org>
2020-01-30 23:12:11 +00:00
Zdenek Pytela
07e568bc06 * Fri Jan 24 2020 Zdenek Pytela <zpytela@redhat.com> - 3.14.5-21
- Dontaudit timedatex_t read file_contexts_t and validate security contexts
- Make stratisd_t domain unconfined for now.
- stratisd_t policy updates.
- Label /var/spool/plymouth/boot.log as plymouthd_var_log_t
- Label /stratis as stratisd_data_t
- Allow opafm_t to create and use netlink rdma sockets.
- Allow stratisd_t domain to read/write fixed disk devices and removable devices.
- Added macro for stratisd to chat over dbus
- Add dac_override capability to stratisd_t domain
- Allow init_t set the nice level of all domains BZ(1778088)
- Allow userdomain to chat with stratisd over dbus.
2020-01-24 17:07:51 +01:00
Vit Mojzis
ee6e28e884 Fix %post script failures in selinux-policy-*
Since /etc/selinux/config is created in a %post script and execution
order of post scripts cannot be ensured in this case, all commands in
post have to be able to work without /etc/selinux/config.

Also standalone execution of selinuxenabled in relabel macro would cause
%post of all selinux-policy-* packages to fail in case selinux was
disabled.

Fixes:
   https://bugzilla.redhat.com/show_bug.cgi?id=1723940
2020-01-13 19:07:10 +00:00
Lukas Vrabec
0f62f5946f
* Mon Jan 13 2020 Lukas Vrabec <lvrabec@redhat.com> - 3.14.5-20
- Fix typo in anaconda SELinux module
- Allow rtkit_t domain  to control scheduling for your install_t processes
- Boolean: rngd_t to use executable memory
- Allow rngd_t domain to use nsswitch BZ(1787661)
- Allow exim to execute bin_t without domain trans
- Allow create udp sockets for abrt_upload_watch_t domains
- Drop label zebra_t for frr binaries
- Allow NetworkManager_t domain to get status of samba services
- Update milter policy to allow use sendmail
- Modify file context for .local directory to match exactly BZ(1637401)
- Allow init_t domain to create own socket files in /tmp
- Allow ipsec_mgmt_t domain to mmap ipsec_conf_file_t files
- Create files_create_non_security_dirs() interface
2020-01-13 10:09:50 +01:00
Ondrej Mosnacek
e4f8091964 Remove all the "factory reset" stuff
From reading BZ1290659 [1] it sounds like the ostree issue was resolved
by using /etc/selinux as the store root instead of /var/lib/selinux so I
believe the /usr/share/selinux redundant files are no longer needed.
Also remove all other leftovers of the factory reset thing...

[1] https://bugzilla.redhat.com/show_bug.cgi?id=1290659

Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
2020-01-07 15:45:12 +01:00