Compare commits
No commits in common. "c8" and "imports/c8s/selinux-policy-3.14.3-97.el8" have entirely different histories.
4
.gitignore
vendored
@ -1,3 +1,3 @@
|
|||||||
SOURCES/container-selinux.tgz
|
SOURCES/container-selinux.tgz
|
||||||
SOURCES/selinux-policy-552905c.tar.gz
|
SOURCES/selinux-policy-contrib-85de0a6.tar.gz
|
||||||
SOURCES/selinux-policy-contrib-635888d.tar.gz
|
SOURCES/selinux-policy-e39b8e8.tar.gz
|
||||||
|
@ -1,3 +1,3 @@
|
|||||||
e87338b5f56ae6e78c5a461e9bcadfc9333a1cd6 SOURCES/container-selinux.tgz
|
f840a673117375ec854283cc9fa9015f6455f90f SOURCES/container-selinux.tgz
|
||||||
ac42e4401f30f57e1ffea73fb82ba208d5f96c88 SOURCES/selinux-policy-552905c.tar.gz
|
4a6ed78a35e86a3c6e2db18a1cddf9542237d038 SOURCES/selinux-policy-contrib-85de0a6.tar.gz
|
||||||
1776ee65081f2f9cf8113923854c5ad1ee28b4a6 SOURCES/selinux-policy-contrib-635888d.tar.gz
|
9633199c8b41b047e538459ec39cb4af1c0d260a SOURCES/selinux-policy-e39b8e8.tar.gz
|
||||||
|
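Review bot: the SOURCES/container-selinux.tgz entry keeps the same file name while its digest changes, so the name gives no hint which content is expected and the 40-hex digest is the only thing tying the build to one specific archive. Consider a versioned file name for that tarball, as the two selinux-policy archives already have through their short commit ids, and a digest longer than 160 bits if the source-fetching tooling accepts one.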
@ -1,11 +1,11 @@
|
|||||||
# github repo with selinux-policy base sources
|
# github repo with selinux-policy base sources
|
||||||
%global git0 https://github.com/fedora-selinux/selinux-policy
|
%global git0 https://github.com/fedora-selinux/selinux-policy
|
||||||
%global commit0 552905cb94a7790fb51586b7778d303be21692a4
|
%global commit0 e39b8e88564358f54a80d346d1700a44c59352bc
|
||||||
%global shortcommit0 %(c=%{commit0}; echo ${c:0:7})
|
%global shortcommit0 %(c=%{commit0}; echo ${c:0:7})
|
||||||
|
|
||||||
# github repo with selinux-policy contrib sources
|
# github repo with selinux-policy contrib sources
|
||||||
%global git1 https://github.com/fedora-selinux/selinux-policy-contrib
|
%global git1 https://github.com/fedora-selinux/selinux-policy-contrib
|
||||||
%global commit1 635888d8ead909d158ac612b59e518534c9104f4
|
%global commit1 85de0a6389e09653fecdae6308e678b1b0e11164
|
||||||
%global shortcommit1 %(c=%{commit1}; echo ${c:0:7})
|
%global shortcommit1 %(c=%{commit1}; echo ${c:0:7})
|
||||||
|
|
||||||
%define distro redhat
|
%define distro redhat
|
||||||
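Review bot: commit0 and commit1 change with no comment saying which upstream branch or tag the new hashes come from, so the pin cannot be checked from the spec alone. The tarball names derived from shortcommit0 and shortcommit1 (e39b8e8, 85de0a6) do match the entries in .gitignore and the digest list in this compare, but nothing enforces that; add a comment next to each %global naming the upstream branch so a mismatch is easier to spot.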
@ -29,7 +29,7 @@
|
|||||||
Summary: SELinux policy configuration
|
Summary: SELinux policy configuration
|
||||||
Name: selinux-policy
|
Name: selinux-policy
|
||||||
Version: 3.14.3
|
Version: 3.14.3
|
||||||
Release: 139%{?dist}
|
Release: 97%{?dist}
|
||||||
License: GPLv2+
|
License: GPLv2+
|
||||||
Source: %{git0}/archive/%{commit0}/%{name}-%{shortcommit0}.tar.gz
|
Source: %{git0}/archive/%{commit0}/%{name}-%{shortcommit0}.tar.gz
|
||||||
Source29: %{git1}/archive/%{commit1}/%{name}-contrib-%{shortcommit1}.tar.gz
|
Source29: %{git1}/archive/%{commit1}/%{name}-contrib-%{shortcommit1}.tar.gz
|
||||||
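Review bot: on the Release: line the value goes from 139 to 97 while Version stays 3.14.3, so the resulting package sorts lower than 3.14.3-139. A system that already has 3.14.3-139 installed will not take this build as an update, and together with the commit0/commit1 change and the removed changelog entries (3.14.3-139 downward) it points at an older policy snapshot. Confirm that ordering is intended before anything is built from this side.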
@ -148,7 +148,7 @@ SELinux policy development and man page package
|
|||||||
%{_usr}/share/selinux/devel/Makefile
|
%{_usr}/share/selinux/devel/Makefile
|
||||||
%{_usr}/share/selinux/devel/example.*
|
%{_usr}/share/selinux/devel/example.*
|
||||||
%{_usr}/share/selinux/devel/policy.*
|
%{_usr}/share/selinux/devel/policy.*
|
||||||
%ghost %verify(not md5 size mode mtime) %{_sharedstatedir}/sepolgen/interface_info
|
%ghost %{_sharedstatedir}/sepolgen/interface_info
|
||||||
|
|
||||||
%post devel
|
%post devel
|
||||||
selinuxenabled && /usr/bin/sepolgen-ifgen 2>/dev/null
|
selinuxenabled && /usr/bin/sepolgen-ifgen 2>/dev/null
|
||||||
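Review bot: on the %ghost line for %{_sharedstatedir}/sepolgen/interface_info the "%verify(not md5 size mode mtime)" qualifier is gone, yet the %post devel scriptlet just below still runs /usr/bin/sepolgen-ifgen, which regenerates that file after install. With full verification back on, rpm -V will report the file as changed on a healthy system, which adds noise to package integrity checks. Keep the qualifier; the 3.14.3-107 changelog entry "Disable rpm verification on interface_info" (rhbz#2119472) on the old side records why it was added.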
@ -165,7 +165,6 @@ SELinux policy documentation package
|
|||||||
%files doc
|
%files doc
|
||||||
%{_mandir}/man*/*
|
%{_mandir}/man*/*
|
||||||
%{_mandir}/ru/*/*
|
%{_mandir}/ru/*/*
|
||||||
%exclude %{_mandir}/man8/container_selinux.8.gz
|
|
||||||
%doc %{_usr}/share/doc/%{name}
|
%doc %{_usr}/share/doc/%{name}
|
||||||
|
|
||||||
%define makeCmds() \
|
%define makeCmds() \
|
||||||
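Review bot: in %files doc the line "%exclude %{_mandir}/man8/container_selinux.8.gz" is missing on the new side, so the %{_mandir}/man*/* glob above it picks that man page up into selinux-policy-doc again. The 3.14.3-123 changelog entry on the old side, "Exclude container-selinux manpage from selinux-policy-doc" (rhbz#2218362), records the exclusion as a deliberate fix. Keep the %exclude line unless the page is no longer generated at build time.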
@ -443,7 +442,7 @@ mv %{buildroot}%{_usr}/share/man/man8/style.css %{buildroot}%{_usr}/share/selinu
|
|||||||
|
|
||||||
mkdir -p %{buildroot}%{_rpmconfigdir}/macros.d
|
mkdir -p %{buildroot}%{_rpmconfigdir}/macros.d
|
||||||
install -m 644 %{SOURCE102} %{buildroot}%{_rpmconfigdir}/macros.d/macros.selinux-policy
|
install -m 644 %{SOURCE102} %{buildroot}%{_rpmconfigdir}/macros.d/macros.selinux-policy
|
||||||
sed -i 's/SELINUXPOLICYVERSION/%{version}/' %{buildroot}%{_rpmconfigdir}/macros.d/macros.selinux-policy
|
sed -i 's/SELINUXPOLICYVERSION/%{version}-%{release}/' %{buildroot}%{_rpmconfigdir}/macros.d/macros.selinux-policy
|
||||||
sed -i 's@SELINUXSTOREPATH@%{_sharedstatedir}/selinux@' %{buildroot}%{_rpmconfigdir}/macros.d/macros.selinux-policy
|
sed -i 's@SELINUXSTOREPATH@%{_sharedstatedir}/selinux@' %{buildroot}%{_rpmconfigdir}/macros.d/macros.selinux-policy
|
||||||
|
|
||||||
|
|
||||||
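Review bot: the SELINUXPOLICYVERSION substitution writes %{version}-%{release} into macros.selinux-policy instead of %{version}, and Release: carries %{?dist}, so the value baked into the macro file differs per dist tag and per rebuild. Any package that expands this macro into a versioned dependency gets a release-qualified requirement; confirm that is intended and add a comment above the sed line saying why the release is included.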
@ -718,675 +717,6 @@ exit 0
|
|||||||
%endif
|
%endif
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
* Fri Mar 08 2024 Zdenek Pytela <zpytela@redhat.com> - 3.14.3-139
|
|
||||||
- Allow wdmd read hardware state information
|
|
||||||
Resolves: RHEL-27507
|
|
||||||
|
|
||||||
* Fri Mar 08 2024 Zdenek Pytela <zpytela@redhat.com> - 3.14.3-138
|
|
||||||
- Allow wdmd list the contents of the sysfs directories
|
|
||||||
Resolves: RHEL-27507
|
|
||||||
- Allow linuxptp configure phc2sys and chronyd over a unix domain socket
|
|
||||||
Resolves: RHEL-27394
|
|
||||||
|
|
||||||
* Thu Feb 22 2024 Zdenek Pytela <zpytela@redhat.com> - 3.14.3-137
|
|
||||||
- Differentiate between staff and sysadm when executing crontab with sudo
|
|
||||||
Resolves: RHEL-1388
|
|
||||||
- Allow su domains write login records
|
|
||||||
Resolves: RHEL-2606
|
|
||||||
- Revert "Allow su domains write login records"
|
|
||||||
Resolves: RHEL-2606
|
|
||||||
- Add crontab_admin_domtrans interface
|
|
||||||
Resolves: RHEL-1388
|
|
||||||
- Allow gpg manage rpm cache
|
|
||||||
Resolves: RHEL-11249
|
|
||||||
|
|
||||||
* Thu Feb 15 2024 Zdenek Pytela <zpytela@redhat.com> - 3.14.3-136
|
|
||||||
- Transition from sudodomains to crontab_t when executing crontab_exec_t
|
|
||||||
Resolves: RHEL-1388
|
|
||||||
- Fix label of pseudoterminals created from sudodomain
|
|
||||||
Resolves: RHEL-1388
|
|
||||||
- Allow login_userdomain to manage session_dbusd_tmp_t dirs/files
|
|
||||||
Resolves: RHEL-22500
|
|
||||||
- Label /dev/ngXnY and /dev/nvme-subsysX with nvme_device_t
|
|
||||||
Resolves: RHEL-23442
|
|
||||||
- Allow admin user read/write on fixed_disk_device_t
|
|
||||||
Resolves: RHEL-23434
|
|
||||||
- Only allow confined user domains to login locally without unconfined_login
|
|
||||||
Resolves: RHEL-1628
|
|
||||||
- Add userdom_spec_domtrans_confined_admin_users interface
|
|
||||||
Resolves: RHEL-1628
|
|
||||||
- Only allow admindomain to execute shell via ssh with ssh_sysadm_login
|
|
||||||
Resolves: RHEL-1628
|
|
||||||
- Add userdom_spec_domtrans_admin_users interface
|
|
||||||
Resolves: RHEL-1628
|
|
||||||
- Move ssh dyntrans to unconfined inside unconfined_login tunable policy
|
|
||||||
Resolves: RHEL-1628
|
|
||||||
- Allow utempter_t use ptmx
|
|
||||||
Resolves: RHEL-25002
|
|
||||||
- Dontaudit subscription manager setfscreate and read file contexts
|
|
||||||
Resolves: RHEL-21639
|
|
||||||
- Don't audit crontab_domain write attempts to user home
|
|
||||||
Resolves: RHEL-1388
|
|
||||||
- Add crontab_domtrans interface
|
|
||||||
Resolves: RHEL-1388
|
|
||||||
- Add dbus_manage_session_tmp_files interface
|
|
||||||
Resolves: RHEL-22500
|
|
||||||
- Allow httpd read network sysctls
|
|
||||||
Resolves: RHEL-22748
|
|
||||||
- Allow keepalived_unconfined_script_t dbus chat with init
|
|
||||||
Resolves: RHEL-22843
|
|
||||||
|
|
||||||
* Fri Jan 26 2024 Zdenek Pytela <zpytela@redhat.com> - 3.14.3-135
|
|
||||||
- Label /tmp/libdnf.* with user_tmp_t
|
|
||||||
Resolves: RHEL-11249
|
|
||||||
- Allow su domains write login records
|
|
||||||
Resolves: RHEL-2606
|
|
||||||
- Allow gpg read rpm cache
|
|
||||||
Resolves: RHEL-11249
|
|
||||||
- Allow unix dgram sendto between exim processes
|
|
||||||
Resolves: RHEL-21903
|
|
||||||
- Allow hypervkvp_t write access to NetworkManager_etc_rw_t
|
|
||||||
Resolves: RHEL-17687
|
|
||||||
- Add interface for write-only access to NetworkManager rw conf
|
|
||||||
Resolves: RHEL-17687
|
|
||||||
- Allow conntrackd_t to use sys_admin capability
|
|
||||||
Resolves: RHEL-22276
|
|
||||||
|
|
||||||
* Fri Jan 12 2024 Zdenek Pytela <zpytela@redhat.com> - 3.14.3-134
|
|
||||||
- Allow syslog to run unconfined scripts conditionally
|
|
||||||
Resolves: RHEL-10087
|
|
||||||
- Allow syslogd_t nnp_transition to syslogd_unconfined_script_t
|
|
||||||
Resolves: RHEL-10087
|
|
||||||
- Allow collectd connect to statsd port
|
|
||||||
Resolves: RHEL-19482
|
|
||||||
- Allow collectd_t read network state symlinks
|
|
||||||
Resolves: RHEL-19482
|
|
||||||
- Allow collectd_t domain to create netlink_generic_socket sockets
|
|
||||||
Resolves: RHEL-19482
|
|
||||||
- Allow opafm search nfs directories
|
|
||||||
Resolves: RHEL-19426
|
|
||||||
- Allow mdadm list stratisd data directories
|
|
||||||
Resolves: RHEL-21374
|
|
||||||
|
|
||||||
* Wed Dec 13 2023 Zdenek Pytela <zpytela@redhat.com> - 3.14.3-133
|
|
||||||
- Label /dev/acpi_thermal_rel char device with acpi_device_t
|
|
||||||
Resolves: RHEL-18027
|
|
||||||
- Allow sysadm execute traceroute in sysadm_t domain using sudo
|
|
||||||
Resolves: RHEL-9947
|
|
||||||
- Allow sysadm execute tcpdump in sysadm_t domain using sudo
|
|
||||||
Resolves: RHEL-15398
|
|
||||||
- Add support for syslogd unconfined scripts
|
|
||||||
Resolves: RHEL-10087
|
|
||||||
- Label /dev/wmi/dell-smbios as acpi_device_t
|
|
||||||
Resolves: RHEL-18027
|
|
||||||
- Make named_zone_t and named_var_run_t a part of the mountpoint attribute
|
|
||||||
Resolves: RHEL-1954
|
|
||||||
- Dontaudit rhsmcertd write memory device
|
|
||||||
Resolves: RHEL-17721
|
|
||||||
|
|
||||||
* Tue Nov 28 2023 Zdenek Pytela <zpytela@redhat.com> - 3.14.3-132
|
|
||||||
- Allow sudodomain read var auth files
|
|
||||||
Resolves: RHEL-16567
|
|
||||||
- Update cifs interfaces to include fs_search_auto_mountpoints()
|
|
||||||
Resolves: RHEL-14072
|
|
||||||
- Allow systemd-localed create Xserver config dirs
|
|
||||||
Resolves: RHEL-16715
|
|
||||||
- Label /var/run/auditd.state as auditd_var_run_t
|
|
||||||
Resolves: RHEL-14376
|
|
||||||
- Allow auditd read all domains process state
|
|
||||||
Resolves: RHEL-14471
|
|
||||||
- Allow sudo userdomain to run rpm related commands
|
|
||||||
Resolves: RHEL-1679
|
|
||||||
- Remove insights_client_watch_lib_dirs() interface
|
|
||||||
Resolves: RHEL-16185
|
|
||||||
|
|
||||||
* Wed Nov 08 2023 Zdenek Pytela <zpytela@redhat.com> - 3.14.3-131
|
|
||||||
- Additional permissions for ip-vrf
|
|
||||||
Resolves: RHEL-9981
|
|
||||||
- Allow ip an explicit domain transition to other domains
|
|
||||||
Resolves: RHEL-9981
|
|
||||||
- Allow winbind_rpcd_t processes access when samba_export_all_* is on
|
|
||||||
Resolves: RHEL-5845
|
|
||||||
- Allow system_mail_t manage exim spool files and dirs
|
|
||||||
Resolves: RHEL-14186
|
|
||||||
|
|
||||||
* Wed Oct 04 2023 Lukas Vrabec <lvrabec@redhat.com> - 3.14.3-130
|
|
||||||
- Label msmtp and msmtpd with sendmail_exec_t
|
|
||||||
Resolves: RHEL-1678
|
|
||||||
- Set default file context of HOME_DIR/tmp/.* to <<none>>
|
|
||||||
Resolves: RHEL-1099
|
|
||||||
- Improve default file context(None) of /var/lib/authselect/backups
|
|
||||||
Resolves: RHEL-3539
|
|
||||||
|
|
||||||
* Fri Sep 29 2023 Lukas Vrabec <lvrabec@redhat.com> - 3.14.3-129
|
|
||||||
- Set default file context of /var/lib/authselect/backups to <<none>>
|
|
||||||
Resolves: RHEL-3539
|
|
||||||
- Add file context specification for /usr/libexec/realmd
|
|
||||||
Resolves: RHEL-2147
|
|
||||||
- Add numad the ipc_owner capability
|
|
||||||
Resolves: RHEL-2415
|
|
||||||
|
|
||||||
* Fri Aug 25 2023 Zdenek Pytela <zpytela@redhat.com> - 3.14.3-128
|
|
||||||
- Allow ssh_agent_type manage generic cache home files
|
|
||||||
Resolves: rhbz#2177704
|
|
||||||
- Add chromium_sandbox_t setcap capability
|
|
||||||
Resolves: rhbz#2221573
|
|
||||||
|
|
||||||
* Thu Aug 17 2023 Zdenek Pytela <zpytela@redhat.com> - 3.14.3-127
|
|
||||||
- Allow cloud_init create dhclient var files and init_t manage net_conf_t 3
|
|
||||||
Resolves: rhbz#2229726
|
|
||||||
|
|
||||||
* Fri Aug 11 2023 Zdenek Pytela <zpytela@redhat.com> - 3.14.3-126
|
|
||||||
- Allow cloud_init create dhclient var files and init_t manage net_conf_t 1/2
|
|
||||||
Resolves: rhbz#2229726
|
|
||||||
- Label /usr/libexec/openssh/ssh-pkcs11-helper with ssh_agent_exec_t
|
|
||||||
Resolves: rhbz#2177704
|
|
||||||
- Allow cloud_init create dhclient var files and init_t manage net_conf_t 2/2
|
|
||||||
Resolves: rhbz#2229726
|
|
||||||
- Make insights_client_t an unconfined domain
|
|
||||||
Resolves: rhbz#2225527
|
|
||||||
- Allow insights-client create all rpm logs with a correct label
|
|
||||||
Resolves: rhbz#2229559
|
|
||||||
- Allow insights-client manage generic logs
|
|
||||||
Resolves: rhbz#2229559
|
|
||||||
|
|
||||||
* Fri Aug 04 2023 Zdenek Pytela <zpytela@redhat.com> - 3.14.3-125
|
|
||||||
- Allow user_u and staff_u get attributes of non-security dirs
|
|
||||||
Resolves: rhbz#2216151
|
|
||||||
- Allow unconfined user filetrans chrome_sandbox_home_t 1/2
|
|
||||||
Resolves: rhbz#2221573
|
|
||||||
- Allow unconfined user filetrans chrome_sandbox_home_t 2/2
|
|
||||||
Resolves: rhbz#2221573
|
|
||||||
- Allow insights-client execmem
|
|
||||||
Resolves: rhbz#2225233
|
|
||||||
- Allow svnserve execute postdrop with a transition
|
|
||||||
Resolves: rhbz#2004843
|
|
||||||
- Do not make postfix_postdrop_t type an MTA executable file
|
|
||||||
Resolves: rhbz#2004843
|
|
||||||
- Allow samba-dcerpc service manage samba tmp files
|
|
||||||
Resolves: rhbz#2210771
|
|
||||||
- Update samba-dcerpc policy for printing
|
|
||||||
Resolves: rhbz#2210771
|
|
||||||
|
|
||||||
* Thu Jul 20 2023 Zdenek Pytela <zpytela@redhat.com> - 3.14.3-124
|
|
||||||
- Add the files_getattr_non_auth_dirs() interface
|
|
||||||
Resolves: rhbz#2076937
|
|
||||||
- Update policy for the sblim-sfcb service
|
|
||||||
Resolves: rhbz#2076937
|
|
||||||
- Dontaudit sfcbd sys_ptrace cap_userns
|
|
||||||
Resolves: rhbz#2076937
|
|
||||||
- Label /usr/sbin/sos with sosreport_exec_t
|
|
||||||
Resolves: rhbz#2167731
|
|
||||||
- Allow sa-update manage spamc home files
|
|
||||||
Resolves: rhbz#2222200
|
|
||||||
- Allow sa-update connect to systemlog services
|
|
||||||
Resolves: rhbz#2222200
|
|
||||||
- Label /usr/lib/systemd/system/mimedefang.service with antivirus_unit_file_t
|
|
||||||
Resolves: rhbz#2222200
|
|
||||||
|
|
||||||
* Thu Jun 29 2023 Zdenek Pytela <zpytela@redhat.com> - 3.14.3-123
|
|
||||||
- Label only /usr/sbin/ripd and ripngd with zebra_exec_t
|
|
||||||
Resolves: rhbz#2213606
|
|
||||||
- Allow httpd tcp connect to redis port conditionally
|
|
||||||
Resolves: rhbz#2213965
|
|
||||||
- Exclude container-selinux manpage from selinux-policy-doc
|
|
||||||
Resolves: rhbz#2218362
|
|
||||||
|
|
||||||
* Thu Jun 15 2023 Nikola Knazekova <nknazeko@redhat.com> - 3.14.3-122
|
|
||||||
- Update cyrus_stream_connect() to use sockets in /run
|
|
||||||
Resolves: rhbz#2165752
|
|
||||||
- Allow insights-client map generic log files
|
|
||||||
Resolves: rhbz#2214572
|
|
||||||
- Allow insights-client work with pipe and socket tmp files
|
|
||||||
Resolves: rhbz#2207819
|
|
||||||
- Allow insights-client getsession process permission
|
|
||||||
Resolves: rhbz#2207819
|
|
||||||
- Allow keepalived to manage its tmp files
|
|
||||||
Resolves: rhbz#2179335
|
|
||||||
|
|
||||||
* Thu May 25 2023 Zdenek Pytela <zpytela@redhat.com> - 3.14.3-121
|
|
||||||
- Update pkcsslotd policy for sandboxing 2/2
|
|
||||||
Resolves: rhbz#2208162
|
|
||||||
- Update pkcsslotd policy for sandboxing 1/2
|
|
||||||
Resolves: rhbz#2208162
|
|
||||||
- Allow abrt_t read kernel persistent storage files
|
|
||||||
Resolves: rhbz#2207914
|
|
||||||
- Add allow rules for lttng-sessiond domain
|
|
||||||
Resolves: rhbz#2203509
|
|
||||||
- Allow rpcd_lsad setcap and use generic ptys
|
|
||||||
Resolves: rhbz#2107106
|
|
||||||
- Allow samba-dcerpcd connect to systemd_machined over a unix socket
|
|
||||||
Resolves: rhbz#2107106
|
|
||||||
- Dontaudit targetd search httpd config dirs
|
|
||||||
Resolves: rhbz#2203720
|
|
||||||
|
|
||||||
* Thu May 11 2023 Zdenek Pytela <zpytela@redhat.com> - 3.14.3-120
|
|
||||||
- Allow unconfined service inherit signal state from init
|
|
||||||
Resolves: rhbz#2177254
|
|
||||||
- Allow systemd-pstore delete kernel persistent storage files
|
|
||||||
Resolves: rhbz#2181558
|
|
||||||
- Add fs_delete_pstore_files() interface
|
|
||||||
Resolves: rhbz#2181558
|
|
||||||
- Allow certmonger manage cluster library files
|
|
||||||
Resolves: rhbz#2177836
|
|
||||||
- Allow samba-rpcd work with passwords
|
|
||||||
Resolves: rhbz#2107106
|
|
||||||
- Allow snmpd read raw disk data
|
|
||||||
Resolves: rhbz#2160000
|
|
||||||
- Allow cluster_t dbus chat with various services
|
|
||||||
Resolves: rhbz#2196524
|
|
||||||
|
|
||||||
* Fri Apr 21 2023 Zdenek Pytela <zpytela@redhat.com> - 3.14.3-119
|
|
||||||
- Add unconfined_server_read_semaphores() interface
|
|
||||||
Resolves: rhbz#2183351
|
|
||||||
- Allow systemd-pstore read kernel persistent storage files
|
|
||||||
Resolves: rhbz#2181558
|
|
||||||
- Add fs_read_pstore_files() interface
|
|
||||||
Resolves: rhbz#2181558
|
|
||||||
- Allow insights-client work with teamdctl
|
|
||||||
Resolves: rhbz#2185158
|
|
||||||
- Allow insights-client read unconfined service semaphores
|
|
||||||
Resolves: rhbz#2183351
|
|
||||||
- Allow insights-client get quotas of all filesystems
|
|
||||||
Resolves: rhbz#2183351
|
|
||||||
|
|
||||||
* Thu Apr 13 2023 Zdenek Pytela <zpytela@redhat.com> - 3.14.3-118
|
|
||||||
- Allow login_pgm setcap permission
|
|
||||||
Resolves: rhbz#2172541
|
|
||||||
- Label /run/fsck with fsadm_var_run_t
|
|
||||||
Resolves: rhbz#2184348
|
|
||||||
- Add boolean qemu-ga to run unconfined script
|
|
||||||
Resolves: rhbz#2028762
|
|
||||||
- Allow dovecot-deliver write to the main process runtime fifo files
|
|
||||||
Resolves: rhbz#2170495
|
|
||||||
- Allow certmonger dbus chat with the cron system domain
|
|
||||||
Resolves: rhbz#2173289
|
|
||||||
- Allow insights-client read all sysctls
|
|
||||||
Resolves: rhbz#2177607
|
|
||||||
|
|
||||||
* Thu Feb 16 2023 Zdenek Pytela <zpytela@redhat.com> - 3.14.3-117
|
|
||||||
- Fix opencryptoki file names in /dev/shm
|
|
||||||
Resolves: rhbz#2028637
|
|
||||||
- Allow system_cronjob_t transition to rpm_script_t
|
|
||||||
Resolves: rhbz#2154242
|
|
||||||
- Revert "Allow system_cronjob_t domtrans to rpm_script_t"
|
|
||||||
Resolves: rhbz#2154242
|
|
||||||
- Allow httpd work with tokens in /dev/shm
|
|
||||||
Resolves: rhbz#2028637
|
|
||||||
- Allow keepalived to set resource limits
|
|
||||||
Resolves: rhbz#2168638
|
|
||||||
- Allow insights-client manage fsadm pid files
|
|
||||||
|
|
||||||
* Thu Feb 09 2023 Zdenek Pytela <zpytela@redhat.com> - 3.14.3-116
|
|
||||||
- Allow sysadm_t run initrc_t script and sysadm_r role access
|
|
||||||
Resolves: rhbz#2039662
|
|
||||||
- Allow insights-client manage fsadm pid files
|
|
||||||
Resolves: rhbz#2166802
|
|
||||||
- Add journalctl the sys_resource capability
|
|
||||||
Resolves: rhbz#2136189
|
|
||||||
|
|
||||||
* Thu Jan 26 2023 Zdenek Pytela <zpytela@redhat.com> - 3.14.3-115
|
|
||||||
- Fix syntax problem in redis.te
|
|
||||||
Resolves: rhbz#2112228
|
|
||||||
- Allow unconfined user filetransition for sudo log files
|
|
||||||
Resolves: rhbz#2164047
|
|
||||||
- Allow winbind-rpcd make a TCP connection to the ldap port
|
|
||||||
Resolves: rhbz#2152642
|
|
||||||
- Allow winbind-rpcd manage samba_share_t files and dirs
|
|
||||||
Resolves: rhbz#2152642
|
|
||||||
- Allow insights-client work with su and lpstat
|
|
||||||
Resolves: rhbz#2134125
|
|
||||||
- Allow insights-client read nvme devices
|
|
||||||
Resolves: rhbz#2143878
|
|
||||||
- Allow insights-client tcp connect to all ports
|
|
||||||
Resolves: rhbz#2143878
|
|
||||||
- Allow redis-sentinel execute a notification script
|
|
||||||
Resolves: rhbz#2112228
|
|
||||||
|
|
||||||
* Thu Jan 12 2023 Zdenek Pytela <zpytela@redhat.com> - 3.14.3-114
|
|
||||||
- Add interfaces in domain, files, and unconfined modules
|
|
||||||
Resolves: rhbz#2141311
|
|
||||||
- Allow sysadm_t read/write ipmi devices
|
|
||||||
Resolves: rhbz#2148561
|
|
||||||
- Allow sudodomain use sudo.log as a logfile
|
|
||||||
Resolves: rhbz#2143762
|
|
||||||
- Add insights additional capabilities
|
|
||||||
Resolves: rhbz#2158779
|
|
||||||
- Allow insights client work with gluster and pcp
|
|
||||||
Resolves: rhbz#2141311
|
|
||||||
- Allow prosody manage its runtime socket files
|
|
||||||
Resolves: rhbz#2157902
|
|
||||||
- Allow system mail service read inherited certmonger runtime files
|
|
||||||
Resolves: rhbz#2143337
|
|
||||||
- Add lpr_roles to system_r roles
|
|
||||||
Resolves: rhbz#2151111
|
|
||||||
|
|
||||||
* Thu Dec 15 2022 Zdenek Pytela <zpytela@redhat.com> - 3.14.3-113
|
|
||||||
- Allow systemd-socket-proxyd get attributes of cgroup filesystems
|
|
||||||
Resolves: rhbz#2088441
|
|
||||||
- Allow systemd-socket-proxyd get filesystems attributes
|
|
||||||
Resolves: rhbz#2088441
|
|
||||||
- Allow sysadm read ipmi devices
|
|
||||||
Resolves: rhbz#2148561
|
|
||||||
- Allow system mail service read inherited certmonger runtime files
|
|
||||||
Resolves: rhbz#2143337
|
|
||||||
- Add lpr_roles to system_r roles
|
|
||||||
Resolves: rhbz#2151111
|
|
||||||
- Allow insights-client tcp connect to various ports
|
|
||||||
Resolves: rhbz#2151111
|
|
||||||
- Allow insights-client work with pcp and manage user config files
|
|
||||||
Resolves: rhbz#2151111
|
|
||||||
- Allow insights-client dbus chat with various services
|
|
||||||
Resolves: rhbz#2152867
|
|
||||||
- Allow insights-client dbus chat with abrt
|
|
||||||
Resolves: rhbz#2152867
|
|
||||||
- Allow redis get user names
|
|
||||||
Resolves: rhbz#2112228
|
|
||||||
- Add winbind-rpcd to samba_enable_home_dirs boolean
|
|
||||||
Resolves: rhbz#2143696
|
|
||||||
|
|
||||||
* Wed Nov 30 2022 Zdenek Pytela <zpytela@redhat.com> - 3.14.3-112
|
|
||||||
- Allow ipsec_t only read tpm devices
|
|
||||||
Resolves: rhbz#2147380
|
|
||||||
- Allow ipsec_t read/write tpm devices
|
|
||||||
Resolves: rhbz#2147380
|
|
||||||
- Label udf tools with fsadm_exec_t
|
|
||||||
Resolves: rhbz#1972230
|
|
||||||
- Allow the spamd_update_t domain get generic filesystem attributes
|
|
||||||
Resolves: rhbz#2144501
|
|
||||||
- Allow cdcc mmap dcc-client-map files
|
|
||||||
Resolves: rhbz#2144505
|
|
||||||
- Allow insights client communicate with cupsd, mysqld, openvswitch, redis
|
|
||||||
Resolves: rhbz#2143878
|
|
||||||
- Allow insights client read raw memory devices
|
|
||||||
Resolves: rhbz#2143878
|
|
||||||
- Allow winbind-rpcd get attributes of device and pty filesystems
|
|
||||||
Resolves: rhbz#2107106
|
|
||||||
- Allow postfix/smtpd read kerberos key table
|
|
||||||
Resolves: rhbz#1983308
|
|
||||||
|
|
||||||
* Fri Nov 11 2022 Zdenek Pytela <zpytela@redhat.com> - 3.14.3-111
|
|
||||||
- Add domain_unix_read_all_semaphores() interface
|
|
||||||
Resolves: rhbz#2141311
|
|
||||||
- Allow iptables list cgroup directories
|
|
||||||
Resolves: rhbz#2134820
|
|
||||||
- Allow systemd-hostnamed dbus chat with init scripts
|
|
||||||
Resolves: rhbz#2111632
|
|
||||||
- Allow systemd to read symlinks in /var/lib
|
|
||||||
Resolves: rhbz#2118784
|
|
||||||
- Allow insights-client domain transition on semanage execution
|
|
||||||
Resolves: rhbz#2141311
|
|
||||||
- Allow insights-client create gluster log dir with a transition
|
|
||||||
Resolves: rhbz#2141311
|
|
||||||
- Allow insights-client manage generic locks
|
|
||||||
Resolves: rhbz#2141311
|
|
||||||
- Allow insights-client unix_read all domain semaphores
|
|
||||||
Resolves: rhbz#2141311
|
|
||||||
- Allow winbind-rpcd use the terminal multiplexor
|
|
||||||
Resolves: rhbz#2107106
|
|
||||||
- Allow mrtg send mails
|
|
||||||
Resolves: rhbz#2103675
|
|
||||||
- Allow sssd dbus chat with system cronjobs
|
|
||||||
Resolves: rhbz#2132922
|
|
||||||
- Allow postfix/smtp and postfix/virtual read kerberos key table
|
|
||||||
Resolves: rhbz#1983308
|
|
||||||
|
|
||||||
* Thu Oct 20 2022 Zdenek Pytela <zpytela@redhat.com> - 3.14.3-110
|
|
||||||
- Add the systemd_connectto_socket_proxyd_unix_sockets() interface
|
|
||||||
Resolves: rhbz#208441
|
|
||||||
- Add the dev_map_vhost() interface
|
|
||||||
Resolves: rhbz#2122920
|
|
||||||
- Allow init remount all file_type filesystems
|
|
||||||
Resolves: rhbz#2122239
|
|
||||||
- added policy for systemd-socket-proxyd
|
|
||||||
Resolves: rhbz#2088441
|
|
||||||
- Allow virt_domain map vhost devices
|
|
||||||
Resolves: rhbz#2122920
|
|
||||||
- Allow virt domains to access xserver devices
|
|
||||||
Resolves: rhbz#2122920
|
|
||||||
- Allow rotatelogs read httpd_log_t symlinks
|
|
||||||
Resolves: rhbz#2030633
|
|
||||||
- Allow vlock search the contents of the /dev/pts directory
|
|
||||||
Resolves: rhbz#2122838
|
|
||||||
- Allow system cronjobs dbus chat with setroubleshoot
|
|
||||||
Resolves: rhbz#2125008
|
|
||||||
- Allow ptp4l_t name_bind ptp_event_port_t
|
|
||||||
Resolves: rhbz#2130168
|
|
||||||
- Allow pcp_domain execute its private memfd: objects
|
|
||||||
Resolves: rhbz#2090711
|
|
||||||
- Allow samba-dcerpcd use NSCD services over a unix stream socket
|
|
||||||
Resolves: rhbz#2121709
|
|
||||||
- Allow insights-client manage samba var dirs
|
|
||||||
Resolves: rhbz#2132230
|
|
||||||
|
|
||||||
* Wed Oct 12 2022 Zdenek Pytela <zpytela@redhat.com> - 3.14.3-109
|
|
||||||
- Add the files_map_read_etc_files() interface
|
|
||||||
Resolves: rhbz#2132230
|
|
||||||
- Allow insights-client manage samba var dirs
|
|
||||||
Resolves: rhbz#2132230
|
|
||||||
- Allow insights-client send null signal to rpm and system cronjob
|
|
||||||
Resolves: rhbz#2132230
|
|
||||||
- Update rhcd policy for executing additional commands 4
|
|
||||||
Resolves: rhbz#2132230
|
|
||||||
- Allow insights-client connect to postgresql with a unix socket
|
|
||||||
Resolves: rhbz#2132230
|
|
||||||
- Allow insights-client domtrans on unix_chkpwd execution
|
|
||||||
Resolves: rhbz#2132230
|
|
||||||
- Add file context entries for insights-client and rhc
|
|
||||||
Resolves: rhbz#2132230
|
|
||||||
- Allow snmpd_t domain to trace processes in user namespace
|
|
||||||
Resolves: rhbz#2121084
|
|
||||||
- Allow sbd the sys_ptrace capability
|
|
||||||
Resolves: rhbz#2124552
|
|
||||||
- Allow pulseaudio create gnome content (~/.config)
|
|
||||||
Resolves: rhbz#2124387
|
|
||||||
|
|
||||||
* Thu Sep 08 2022 Zdenek Pytela <zpytela@redhat.com> - 3.14.3-108
|
|
||||||
- Allow unconfined_service_t insights client content filetrans
|
|
||||||
Resolves: rhbz#2119507
|
|
||||||
- Allow nsswitch_domain to connect to systemd-machined using a unix socket
|
|
||||||
Resolves: rhbz#2119507
|
|
||||||
- Add init_status_all_script_files() interface
|
|
||||||
Resolves: rhbz#2119507
|
|
||||||
- Add dev_dontaudit_write_raw_memory() and dev_read_vsock() interfaces
|
|
||||||
Resolves: rhbz#2119507
|
|
||||||
- Update insights-client policy for additional commands execution 5
|
|
||||||
Resolves: rhbz#2119507
|
|
||||||
- Confine insights-client systemd unit
|
|
||||||
Resolves: rhbz#2119507
|
|
||||||
- Update insights-client policy for additional commands execution 4
|
|
||||||
Resolves: rhbz#2119507
|
|
||||||
- Change rhsmcertd_t to insights_client_t in insights-client policy
|
|
||||||
Resolves: rhbz#2119507
|
|
||||||
- Allow insights-client send signull to unconfined_service_t
|
|
||||||
Resolves: rhbz#2119507
|
|
||||||
- Update insights-client policy for additional commands execution 3
|
|
||||||
Resolves: rhbz#2119507
|
|
||||||
- Allow journalctl read init state
|
|
||||||
Resolves: rhbz#2119507
|
|
||||||
- Update insights-client policy for additional commands execution 2
|
|
||||||
Resolves: rhbz#2119507
|
|
||||||
|
|
||||||
* Thu Aug 25 2022 Zdenek Pytela <zpytela@redhat.com> - 3.14.3-107
|
|
||||||
- Label 319/udp port with ptp_event_port_t
|
|
||||||
Resolves: rhbz#2118628
|
|
||||||
- Allow unconfined and sysadm users transition for /root/.gnupg
|
|
||||||
Resolves: rhbz#2119507
|
|
||||||
- Add the kernel_read_proc_files() interface
|
|
||||||
Resolves: rhbz#2119507
|
|
||||||
- Add userdom_view_all_users_keys() interface
|
|
||||||
Resolves: rhbz#2119507
|
|
||||||
- Allow system_cronjob_t domtrans to rpm_script_t
|
|
||||||
Resolves: rhbz#2118362
|
|
||||||
- Allow smbd_t process noatsecure permission for winbind_rpcd_t
|
|
||||||
Resolves: rhbz#2117199
|
|
||||||
- Allow chronyd bind UDP sockets to ptp_event ports
|
|
||||||
Resolves: rhbz#2118628
|
|
||||||
- Allow samba-bgqd to read a printer list
|
|
||||||
Resolves: rhbz#2118958
|
|
||||||
- Add gpg_filetrans_admin_home_content() interface
|
|
||||||
Resolves: rhbz#2119507
|
|
||||||
- Update insights-client policy for additional commands execution
|
|
||||||
Resolves: rhbz#2119507
|
|
||||||
- Allow gpg read and write generic pty type
|
|
||||||
Resolves: rhbz#2119507
|
|
||||||
- Allow chronyc read and write generic pty type
|
|
||||||
Resolves: rhbz#2119507
|
|
||||||
- Disable rpm verification on interface_info
|
|
||||||
Resolves: rhbz#2119472
|
|
||||||
|
|
||||||
* Wed Aug 10 2022 Zdenek Pytela <zpytela@redhat.com> - 3.14.3-106
|
|
||||||
- Allow networkmanager to signal unconfined process
|
|
||||||
Resolves: rhbz#1918148
|
|
||||||
- Allow sa-update to get init status and start systemd files
|
|
||||||
Resolves: rhbz#2011239
|
|
||||||
- Allow samba-bgqd get a printer list
|
|
||||||
Resolves: rhbz#2114737
|
|
||||||
- Allow insights-client rpm named file transitions
|
|
||||||
Resolves: rhbz#2104913
|
|
||||||
- Add /var/tmp/insights-archive to insights_client_filetrans_named_content
|
|
||||||
Resolves: rhbz#2104913
|
|
||||||
- Use insights_client_filetrans_named_content
|
|
||||||
Resolves: rhbz#2104913
|
|
||||||
- Make default file context match with named transitions
|
|
||||||
Resolves: rhbz#2104913
|
|
||||||
- Allow rhsmcertd to read insights config files
|
|
||||||
Resolves: rhbz#2104913
|
|
||||||
- Label /etc/insights-client/machine-id
|
|
||||||
Resolves: rhbz#2104913
|
|
||||||
|
|
||||||
* Fri Jul 29 2022 Zdenek Pytela <zpytela@redhat.com> - 3.14.3-105
|
|
||||||
- Do not call systemd_userdbd_stream_connect() for winbind-rpcd
|
|
||||||
Resolves: rhbz#2108383
|
|
||||||
- Update winbind_rpcd_t
|
|
||||||
Resolves: rhbz#2108383
|
|
||||||
- Allow irqbalance file transition for pid sock_files and directories
|
|
||||||
Resolves: rhbz#2111916
|
|
||||||
- Update irqbalance runtime directory file context
|
|
||||||
Resolves: rhbz#2111916
|
|
||||||
|
|
||||||
* Tue Jun 28 2022 Zdenek Pytela <zpytela@redhat.com> - 3.14.3-104
|
|
||||||
- Update samba-dcerpcd policy for kerberos usage 2
|
|
||||||
Resolves: rhbz#2096825
|
|
||||||
|
|
||||||
* Mon Jun 27 2022 Zdenek Pytela <zpytela@redhat.com> - 3.14.3-103
|
|
||||||
- Allow domain read usermodehelper state information
|
|
||||||
Resolves: rhbz#2083504
|
|
||||||
- Remove all kernel_read_usermodehelper_state() interface calls
|
|
||||||
Resolves: rhbz#2083504
|
|
||||||
- Allow samba-dcerpcd work with sssd
|
|
||||||
Resolves: rhbz#2096825
|
|
||||||
- Allow winbind_rpcd_t connect to self over a unix_stream_socket
|
|
||||||
Resolves: rhbz#2096825
|
|
||||||
- Update samba-dcerpcd policy for kerberos usage
|
|
||||||
Resolves: rhbz#2096825
|
|
||||||
- Allow keepalived read the contents of the sysfs filesystem
|
|
||||||
Resolves: rhbz#2098189
|
|
||||||
- Update policy for samba-dcerpcd
|
|
||||||
Resolves: rhbz#2083504
|
|
||||||
- Remove all kernel_read_usermodehelper_state() interface calls 2/2
|
|
||||||
Resolves: rhbz#2083504
|
|
||||||
- Update insights_client_filetrans_named_content()
|
|
||||||
Resolves: rhbz#2091117
|
|
||||||
|
|
||||||
* Wed Jun 22 2022 Zdenek Pytela <zpytela@redhat.com> - 3.14.3-102
|
|
||||||
- Allow transition to insights_client named content
|
|
||||||
Resolves: rhbz#2091117
|
|
||||||
- Add the insights_client_filetrans_named_content() interface
|
|
||||||
Resolves: rhbz#2091117
|
|
||||||
- Update policy for insights-client to run additional commands 3
|
|
||||||
Resolves: rhbz#2091117
|
|
||||||
|
|
||||||
* Fri Jun 17 2022 Zdenek Pytela <zpytela@redhat.com> - 3.14.3-101
|
|
||||||
- Add the init_status_config_transient_files() interface
|
|
||||||
Resolves: rhbz#2091117
|
|
||||||
- Allow init_t to rw insights_client unnamed pipe
|
|
||||||
Resolves: rhbz#2091117
|
|
||||||
- Update kernel_read_unix_sysctls() for sysctl_net_unix_t handling
|
|
||||||
Resolves: rhbz#2091117
|
|
||||||
- Allow insights-client get status of the systemd transient scripts
|
|
||||||
Resolves: rhbz#2091117
|
|
||||||
- Allow insights-client execute its private memfd: objects
|
|
||||||
Resolves: rhbz#2091117
|
|
||||||
- Update policy for insights-client to run additional commands 2
|
|
||||||
Resolves: rhbz#2091117
|
|
||||||
- Do not call systemd_userdbd_stream_connect() for insights-client
|
|
||||||
Resolves: rhbz#2091117
|
|
||||||
- Use insights_client_tmp_t instead of insights_client_var_tmp_t
|
|
||||||
Resolves: rhbz#2091117
|
|
||||||
- Change space indentation to tab in insights-client
|
|
||||||
Resolves: rhbz#2091117
|
|
||||||
- Use socket permissions sets in insights-client
|
|
||||||
Resolves: rhbz#2091117
|
|
||||||
- Update policy for insights-client to run additional commands
|
|
||||||
Resolves: rhbz#2091117
|
|
||||||
- Change rpm_setattr_db_files() to use a pattern
|
|
||||||
Resolves: rhbz#2091117
|
|
||||||
- Add rpm setattr db files macro
|
|
||||||
Resolves: rhbz#2091117
|
|
||||||
- Fix insights client
|
|
||||||
Resolves: rhbz#2091117
|
|
||||||
- Do not let system_cronjob_t create redhat-access-insights.log with var_log_t
|
|
||||||
Resolves: rhbz#2091117
|
|
||||||
|
|
||||||
* Tue Jun 07 2022 Zdenek Pytela <zpytela@redhat.com> - 3.14.3-100
|
|
||||||
- Update logging_create_generic_logs() to use create_files_pattern()
|
|
||||||
Resolves: rhbz#2081907
|
|
||||||
- Add the auth_read_passwd_file() interface
|
|
||||||
Resolves: rhbz#2083504
|
|
||||||
- Allow auditd_t noatsecure for a transition to audisp_remote_t
|
|
||||||
Resolves: rhbz#2081907
|
|
||||||
- Add support for samba-dcerpcd
|
|
||||||
Resolves: rhbz#2083504
|
|
||||||
- Allow rhsmcertd create generic log files
|
|
||||||
Resolves: rhbz#1852086
|
|
||||||
- Allow ctdbd nlmsg_read on netlink_tcpdiag_socket
|
|
||||||
Resolves: rhbz#2090800
|
|
||||||
|
|
||||||
* Mon May 23 2022 Zdenek Pytela <zpytela@redhat.com> - 3.14.3-99
|
|
||||||
- Allow ifconfig_t domain to manage vmware logs
|
|
||||||
Resolves: rhbz#1721943
|
|
||||||
- Allow insights-client manage gpg admin home content
|
|
||||||
Resolves: rhbz#2060834
|
|
||||||
- Add the gpg_manage_admin_home_content() interface
|
|
||||||
Resolves: rhbz#2060834
|
|
||||||
- Label /var/cache/insights with insights_client_cache_t
|
|
||||||
Resolves: rhbz#2063195
|
|
||||||
- Allow insights-client search gconf homedir
|
|
||||||
Resolves: rhbz#2087069
|
|
||||||
- Allow insights-client create and use unix_dgram_socket
|
|
||||||
Resolves: rhbz#2087069
|
|
||||||
- Label more vdsm utils with virtd_exec_t
|
|
||||||
Resolves: rhbz#2063871
|
|
||||||
- Label /usr/libexec/vdsm/supervdsmd and vdsmd with virtd_exec_t
|
|
||||||
Resolves: rhbz#2063871
|
|
||||||
- Allow sblim-gatherd the kill capability
|
|
||||||
Resolves: rhbz#2082677
|
|
||||||
- Allow privoxy execmem
|
|
||||||
Resolves: rhbz#2083940
|
|
||||||
|
|
||||||
* Wed May 04 2022 Zdenek Pytela <zpytela@redhat.com> - 3.14.3-98
|
|
||||||
- Allow sysadm user execute init scripts with a transition
|
|
||||||
Resolves: rhbz#2039662
|
|
||||||
- Change invalid type redisd_t to redis_t in redis_stream_connect()
|
|
||||||
Resolves: rhbz#1897517
|
|
||||||
- Allow php-fpm write access to /var/run/redis/redis.sock
|
|
||||||
Resolves: rhbz#1897517
|
|
||||||
- Allow sssd read systemd-resolved runtime directory
|
|
||||||
Resolves: rhbz#2060721
|
|
||||||
- Allow postfix stream connect to cyrus through runtime socket
|
|
||||||
Resolves: rhbz#2066005
|
|
||||||
- Allow insights-client create_socket_perms for tcp/udp sockets
|
|
||||||
Resolves: rhbz#2073395
|
|
||||||
- Allow insights-client read rhnsd config files
|
|
||||||
Resolves: rhbz#2073395
|
|
||||||
- Allow sblim-sfcbd connect to sblim-reposd stream
|
|
||||||
Resolves: rhbz#2075810
|
|
||||||
- Allow rngd drop privileges via setuid/setgid/setcap
|
|
||||||
Resolves: rhbz#2076641
|
|
||||||
- Allow rngd_t domain to use nsswitch
|
|
||||||
Resolves: rhbz#2076641
|
|
||||||
|
|
||||||
* Fri Apr 22 2022 Nikola Knazekova <nknazeko@redhat.com> - 3.14.3-97
|
* Fri Apr 22 2022 Nikola Knazekova <nknazeko@redhat.com> - 3.14.3-97
|
||||||
- Create macro corenet_icmp_bind_generic_node()
|
- Create macro corenet_icmp_bind_generic_node()
|
||||||
Resolves: rhbz#2070870
|
Resolves: rhbz#2070870
|
||||||
|
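Review bot: In the 3.14.3-103 entry, "Allow domain read usermodehelper state information" reads as a grant to the `domain` attribute, which covers every process domain. The two "Remove all kernel_read_usermodehelper_state() interface calls" lines suggest the earlier per-domain grants were replaced by it. The changelog should say why a blanket read is acceptable here, since rhbz#2083504 is otherwise cited only for samba-dcerpcd work. Separately, "- Fix insights client" in 3.14.3-101 does not say what was fixed. The follow-up entries are also hard to audit against the policy commits because the suffixes are inconsistent ("... kerberos usage 2", "... interface calls 2/2", "... additional commands 3") and appear out of order. Suggest naming the rule or interface changed in each line.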