- Allow qatlib search the content of the kernel debugging filesystem
Resolves: RHEL-66334
- Allow qatlib connect to systemd-machined over a unix socket
Resolves: RHEL-66334
- Update policy for samba-bgqd
Resolves: RHEL-64908
- Allow httpd get attributes of dirsrv unit files
Resolves: RHEL-62706
- Allow virtstoraged read vm sysctls
Resolves: RHEL-61742
- Allow virtstoraged execute mount programs in the mount domain
Resolves: RHEL-61742
- Update policy for rpc-virtstorage
Resolves: RHEL-61742
- Allow virtstoraged get attributes of configfs dirs
Resolves: RHEL-61742
- Allow virt_driver_domain read virtd-lxc files in /proc
Resolves: RHEL-61742
- Allow virtstoraged manage files with virt_content_t type
Resolves: RHEL-61742
- Allow virtstoraged use the io_uring API
Resolves: RHEL-61742
- Allow virtstoraged execute lvm programs in the lvm domain
Resolves: RHEL-61742
- Allow svirt_t connect to unconfined_t over a unix domain socket
Resolves: RHEL-61246
- Label /usr/lib/node_modules_22/npm/bin with bin_t
Resolves: RHEL-56350
- Allow bacula execute container in the container domain
Resolves: RHEL-39529
- Label /run/systemd/generator with systemd_unit_file_t
Resolves: RHEL-68313
The content of these files is more or less tied to the policy source
code. Therefore, moving these files to the source repo rather than
dist-git will make it easier to do changes that would formerly need
coordinated modification both in the sources and in dist-git (e.g.
adding or removing a module). It will also make it easier for other
distributions seeking to package a Fedora-like SELinux policy.
[skip changelog]
Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
Related: RHEL-54303
If policy update removes a module, %postInstall and therefore policy
rebuild - `semodule -B -n ...` was run when old module is still
installed, see
https://docs.fedoraproject.org/en-US/packaging-guidelines/Scriptlets/#ordering
It resulted to state when the old module is still built in the policy
after update until another `semodule -B` is triggered.
Moving %postInstall to %posttrans should solve this problem
[skip changelog]
Related: RHEL-54303
We support two ways to update the operating system:
- `/usr/bin/rpm` (and `dnf` etc.) where SELinux labels are
computed and written client side
- ostree (and other image-based systems) where SELinux labels
were computed server side.
In the ostree case, I'd like the ability to generate smaller
images that do not even have `rpm` installed.
This hard dependency from `selinux-policy` -> `rpm` is one of
the only main blockers.
RPM supports these "alternative" conditionals, it's easy to do.
Related: RHEL-54303
If an user builds package with `%bcond mls 0` it ended with
RPM build errors:
error: Installed (but unpackaged) file(s) found:
/etc/dnf/protected.d/selinux-policy-mls.conf
Installed (but unpackaged) file(s) found:
/etc/dnf/protected.d/selinux-policy-mls.conf
With this change, dnf procted files for a policy is installed only when
the policy is built.
[skip changelog]
Related: RHEL-54303
Contrib was merged to main repo long time ago.
Makes the build process simpler.
Modules enabled in minimum lives in
%{_datadir}/selinux/minimum/modules.lst now.
Fixes:
RPM build warnings:
File listed twice: /var/lib/selinux/mls/active/modules/100/unprivuser
File listed twice: /var/lib/selinux/mls/active/modules/100/unprivuser/cil
File listed twice: /var/lib/selinux/mls/active/modules/100/unprivuser/hll
File listed twice: /var/lib/selinux/mls/active/modules/100/unprivuser/lang_ext
[skip changelog]
Related: RHEL-54303
rpm-verify reports the following problem:
.M....... g /var/lib/selinux/targeted/active/modules/400/extra_varrun
.M....... g /var/lib/selinux/targeted/active/modules/400/extra_varrun/cil
.M....... g /var/lib/selinux/targeted/active/modules/400/extra_varrun/lang_ext
Related: RHEL-54303
/run/systemd/generator is no longer equivalent to /usr/lib/systemd/system.
It has its own rules in the policy now, so instead
/run/systemd/generator.early and /run/systemd/generator.late
are equivalent to /run/systemd/generator.
Related: RHEL-54303
Instead of plain macros, use `%bcond ...` and `%{with ...}`, which will
allow controlling which policy types to build using the --with/--without
command-line arguments when calling `rpmbuild` or `mock`.
See also:
https://rpm-software-management.github.io/rpm/manual/conditionalbuilds.html
Note that the BUILD_DOC macro is removed without replacement as it's
unused. (The builds of the -doc and -devel subpackages overlap too much
for the macro to be useful, anyway.)
Signed-off-by: Ondrej Mosnáček <omosnacek@gmail.com>
Related: RHEL-54303
As part of https://fedoraproject.org/wiki/Changes/Unify_bin_and_sbin, programs
are moved from /usr/sbin/alternatives to /usr/bin/alternatives. Provisions
have been made to create a compat symlink on traditional systems, so that both
paths work and packages that use paths under /usr/sbin do not need to be
rebuilt. Unfortunately, on ostree systems, the compat symlinks are missing, so
using absolute paths causes problems
(https://bodhi.fedoraproject.org/updates/FEDORA-2024-3aafcac6a8).
There is no reason for or benefit from specifying the full path to binaries in
scriptlets because the scriptlets are called with a well-defined $PATH. When
we drop the full path, they work fine no matter where exactly the binary is
installed.
An additional problem with full paths is that they are specified using macros,
and the macro works fine within a package, but they is no guarantee that
different builds of different packages at different times use the same
definition of %_sbindir.
I also changed /bin/echo → echo. The shell builtin is good enough, we don't need
to spawn a separate process.
Related: RHEL-54303
- Update varrun-convert.sh script to check for existing duplicate
entries
- Remove incorrect "local" usage in varrun-convert.sh
- Use /usr/bin/bash in scripts as shebang
Related: RHEL-54303
- Dontaudit subscription manager setfscreate and read file contexts
Resolves: RHEL-58009
- Allow the sysadm user use the secretmem API
Resolves: RHEL-40953
- Allow sudodomain list files in /var
Resolves: RHEL-58068
- Allow gnome-remote-desktop watch /etc directory
Resolves: RHEL-35877
- Allow journalctl connect to systemd-userdbd over a unix socket
Resolves: RHEL-58072
- systemd: allow sys_admin capability for systemd_notify_t
Resolves: RHEL-58072
- Allow some confined users send to lldpad over a unix dgram socket
Resolves: RHEL-61634
- Allow lldpad send to sysadm_t over a unix dgram socket
Resolves: RHEL-61634
- Allow lldpd connect to systemd-machined over a unix socket
Resolves: RHEL-61634
Since libsemanage commit d96f27bf7cb91 ("libsemanage: Preserve file context
and ownership in policy store"), libsemanage tries to preserve file
contexts during SELinux policy rebuild. If the underline fs does not
support any operation used, it prints warnings on stderr. Given that
it's not a fatal error, it's reasonable to suppress them.
Fixes:
$ podman run --pull=newer --rm -ti quay.io/fedora/fedora:rawhide
[root@3a1e072c5559 /]# dnf4 install selinux-policy-targeted
...
Could not set context for /var/lib/selinux/targeted/tmp/modules/100/zosremote/cil: Operation not supported
Could not set context for /var/lib/selinux/targeted/tmp/modules/100/zosremote/hll: Operation not supported
Could not set context for /var/lib/selinux/targeted/tmp/modules/100/zosremote/lang_ext: Operation not supported
...
Could not set context for /etc/selinux/targeted/contexts/files/file_contexts.homedirs.bin: Operation not supported
Could not set context for /etc/selinux/targeted/policy/policy.33: Operation not supported
Could not set context for /etc/selinux/targeted/seusers: Operation not supported
[skip changelog]
Resolves: RHEL-59192
- Allow virtnodedevd run udev with a domain transition
Resolves: RHEL-39890
- Allow virtnodedev_t create and use virtnodedev_lock_t
Resolves: RHEL-39890
- Allow svirt attach_queue to a virtqemud tun_socket
Resolves: RHEL-44312
- Label /run/systemd/machine with systemd_machined_var_run_t
Resolves: RHEL-49567
There is no EPEL repo for RHEL-10 or CentOS stream 10. It makes
no sense to run tests which require this repo, because they would
fail. Once the EPEL repo becomes available, the part of filter
can be removed.
- Allow to create and delete socket files created by rhsm.service
Resolves: RHEL-40857
- Allow svirt read virtqemud fifo files
Resolves: RHEL-40350
- Allow virt_dbus_t connect to virtqemud_t over a unix stream socket
Resolves: RHEL-37822
- Allow virtqemud read virt-dbus process state
Resolves: RHEL-37822
- Allow virtqemud run ssh client with a transition
Resolves: RHEL-43215
- Allow virtnetworkd exec shell when virt_hooks_unconfined is on
Resolves: RHEL-41168
- Allow NetworkManager the sys_ptrace capability in user namespace
Resolves: RHEL-46717
- Update keyutils policy
Resolves: RHEL-38920
- Allow ip the setexec permission
Resolves: RHEL-41182
