Compare commits
No commits in common. "c8" and "imports/c8s/selinux-policy-3.14.3-106.el8" have entirely different histories.
c8
...
imports/c8
4
.gitignore
vendored
@ -1,3 +1,3 @@
|
||||
SOURCES/container-selinux.tgz
|
||||
SOURCES/selinux-policy-552905c.tar.gz
|
||||
SOURCES/selinux-policy-contrib-635888d.tar.gz
|
||||
SOURCES/selinux-policy-contrib-49d512d.tar.gz
|
||||
SOURCES/selinux-policy-e0a8ee2.tar.gz
|
||||
|
@ -1,3 +1,3 @@
|
||||
e87338b5f56ae6e78c5a461e9bcadfc9333a1cd6 SOURCES/container-selinux.tgz
|
||||
ac42e4401f30f57e1ffea73fb82ba208d5f96c88 SOURCES/selinux-policy-552905c.tar.gz
|
||||
1776ee65081f2f9cf8113923854c5ad1ee28b4a6 SOURCES/selinux-policy-contrib-635888d.tar.gz
|
||||
cb55df9b9c41c798f00c6557bd42f691a03b001c SOURCES/container-selinux.tgz
|
||||
bb74431e494936bd97fa9baac3f04c80b72fd110 SOURCES/selinux-policy-contrib-49d512d.tar.gz
|
||||
2a4f0892f05eba5d144bd36f7d8fd9423b43d4bf SOURCES/selinux-policy-e0a8ee2.tar.gz
|
||||
|
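Review bot: SOURCES/container-selinux.tgz is listed with two different digests under the same unversioned file name, so nothing in this hunk says which container-selinux snapshot either side builds from. The two selinux-policy tarballs carry their short commit in the file name; name container-selinux.tgz the same way or record its upstream commit in the spec, so that a digest change can be reviewed against a known source revision.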
@ -1,11 +1,11 @@
|
||||
# github repo with selinux-policy base sources
|
||||
%global git0 https://github.com/fedora-selinux/selinux-policy
|
||||
%global commit0 552905cb94a7790fb51586b7778d303be21692a4
|
||||
%global commit0 e0a8ee21365132c1f4668c975670621c889c5e35
|
||||
%global shortcommit0 %(c=%{commit0}; echo ${c:0:7})
|
||||
|
||||
# github repo with selinux-policy contrib sources
|
||||
%global git1 https://github.com/fedora-selinux/selinux-policy-contrib
|
||||
%global commit1 635888d8ead909d158ac612b59e518534c9104f4
|
||||
%global commit1 49d512d4d8f17250aaf5524bdfea85180c6dbe56
|
||||
%global shortcommit1 %(c=%{commit1}; echo ${c:0:7})
|
||||
|
||||
%define distro redhat
|
||||
@ -29,7 +29,7 @@
|
||||
Summary: SELinux policy configuration
|
||||
Name: selinux-policy
|
||||
Version: 3.14.3
|
||||
Release: 139%{?dist}
|
||||
Release: 106%{?dist}
|
||||
License: GPLv2+
|
||||
Source: %{git0}/archive/%{commit0}/%{name}-%{shortcommit0}.tar.gz
|
||||
Source29: %{git1}/archive/%{commit1}/%{name}-contrib-%{shortcommit1}.tar.gz
|
||||
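Review bot: Release is 139%{?dist} on one side and 106%{?dist} on the other while Version stays at 3.14.3, so rpm's version comparison treats the -106 build as older than -139 and it will not be offered as an update to a host that already has -139. If the lower release is what the imports/c8s ref is meant to carry, state that in the commit description; otherwise keep the higher Release, since the changelog entries for -107 through -139 differ along with it.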
@ -148,7 +148,7 @@ SELinux policy development and man page package
|
||||
%{_usr}/share/selinux/devel/Makefile
|
||||
%{_usr}/share/selinux/devel/example.*
|
||||
%{_usr}/share/selinux/devel/policy.*
|
||||
%ghost %verify(not md5 size mode mtime) %{_sharedstatedir}/sepolgen/interface_info
|
||||
%ghost %{_sharedstatedir}/sepolgen/interface_info
|
||||
|
||||
%post devel
|
||||
selinuxenabled && /usr/bin/sepolgen-ifgen 2>/dev/null
|
||||
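Review bot: the two %ghost entries for %{_sharedstatedir}/sepolgen/interface_info differ only in %verify(not md5 size mode mtime), and the form without it undoes the change the changelog records for 3.14.3-107, "Disable rpm verification on interface_info" (rhbz#2119472). The file is generated on the installed system by the sepolgen-ifgen call in %post devel just below, so its digest, size and mtime are not known at build time; keep the %verify(...) form so that package verification results for selinux-policy-devel stay meaningful, or note why that bug does not apply to this ref.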
@ -165,7 +165,6 @@ SELinux policy documentation package
|
||||
%files doc
|
||||
%{_mandir}/man*/*
|
||||
%{_mandir}/ru/*/*
|
||||
%exclude %{_mandir}/man8/container_selinux.8.gz
|
||||
%doc %{_usr}/share/doc/%{name}
|
||||
|
||||
%define makeCmds() \
|
||||
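Review bot: in %files doc, the side without "%exclude %{_mandir}/man8/container_selinux.8.gz" lets the "%{_mandir}/man*/*" glob package that man page into selinux-policy-doc. The changelog entry for 3.14.3-123, "Exclude container-selinux manpage from selinux-policy-doc" (rhbz#2218362), exists to prevent exactly that; keep the %exclude line, or confirm that no other package installed alongside ships the same path.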
@ -443,7 +442,7 @@ mv %{buildroot}%{_usr}/share/man/man8/style.css %{buildroot}%{_usr}/share/selinu
|
||||
|
||||
mkdir -p %{buildroot}%{_rpmconfigdir}/macros.d
|
||||
install -m 644 %{SOURCE102} %{buildroot}%{_rpmconfigdir}/macros.d/macros.selinux-policy
|
||||
sed -i 's/SELINUXPOLICYVERSION/%{version}/' %{buildroot}%{_rpmconfigdir}/macros.d/macros.selinux-policy
|
||||
sed -i 's/SELINUXPOLICYVERSION/%{version}-%{release}/' %{buildroot}%{_rpmconfigdir}/macros.d/macros.selinux-policy
|
||||
sed -i 's@SELINUXSTOREPATH@%{_sharedstatedir}/selinux@' %{buildroot}%{_rpmconfigdir}/macros.d/macros.selinux-policy
|
||||
|
||||
|
||||
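Review bot: the two sed lines put different values into macros.selinux-policy for SELINUXPOLICYVERSION, %{version} on one side and %{version}-%{release} on the other, and nothing in the hunk says which is intended. With %{version} alone, every 3.14.3 build from -106 to -139 presents the same policy version to anything that consumes the macro, although the changelog shows interfaces being added between those releases (for example crontab_admin_domtrans in -137). Add a comment above the sed stating which granularity dependent packages should rely on.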
@ -718,523 +717,6 @@ exit 0
|
||||
%endif
|
||||
|
||||
%changelog
|
||||
* Fri Mar 08 2024 Zdenek Pytela <zpytela@redhat.com> - 3.14.3-139
|
||||
- Allow wdmd read hardware state information
|
||||
Resolves: RHEL-27507
|
||||
|
||||
* Fri Mar 08 2024 Zdenek Pytela <zpytela@redhat.com> - 3.14.3-138
|
||||
- Allow wdmd list the contents of the sysfs directories
|
||||
Resolves: RHEL-27507
|
||||
- Allow linuxptp configure phc2sys and chronyd over a unix domain socket
|
||||
Resolves: RHEL-27394
|
||||
|
||||
* Thu Feb 22 2024 Zdenek Pytela <zpytela@redhat.com> - 3.14.3-137
|
||||
- Differentiate between staff and sysadm when executing crontab with sudo
|
||||
Resolves: RHEL-1388
|
||||
- Allow su domains write login records
|
||||
Resolves: RHEL-2606
|
||||
- Revert "Allow su domains write login records"
|
||||
Resolves: RHEL-2606
|
||||
- Add crontab_admin_domtrans interface
|
||||
Resolves: RHEL-1388
|
||||
- Allow gpg manage rpm cache
|
||||
Resolves: RHEL-11249
|
||||
|
||||
* Thu Feb 15 2024 Zdenek Pytela <zpytela@redhat.com> - 3.14.3-136
|
||||
- Transition from sudodomains to crontab_t when executing crontab_exec_t
|
||||
Resolves: RHEL-1388
|
||||
- Fix label of pseudoterminals created from sudodomain
|
||||
Resolves: RHEL-1388
|
||||
- Allow login_userdomain to manage session_dbusd_tmp_t dirs/files
|
||||
Resolves: RHEL-22500
|
||||
- Label /dev/ngXnY and /dev/nvme-subsysX with nvme_device_t
|
||||
Resolves: RHEL-23442
|
||||
- Allow admin user read/write on fixed_disk_device_t
|
||||
Resolves: RHEL-23434
|
||||
- Only allow confined user domains to login locally without unconfined_login
|
||||
Resolves: RHEL-1628
|
||||
- Add userdom_spec_domtrans_confined_admin_users interface
|
||||
Resolves: RHEL-1628
|
||||
- Only allow admindomain to execute shell via ssh with ssh_sysadm_login
|
||||
Resolves: RHEL-1628
|
||||
- Add userdom_spec_domtrans_admin_users interface
|
||||
Resolves: RHEL-1628
|
||||
- Move ssh dyntrans to unconfined inside unconfined_login tunable policy
|
||||
Resolves: RHEL-1628
|
||||
- Allow utempter_t use ptmx
|
||||
Resolves: RHEL-25002
|
||||
- Dontaudit subscription manager setfscreate and read file contexts
|
||||
Resolves: RHEL-21639
|
||||
- Don't audit crontab_domain write attempts to user home
|
||||
Resolves: RHEL-1388
|
||||
- Add crontab_domtrans interface
|
||||
Resolves: RHEL-1388
|
||||
- Add dbus_manage_session_tmp_files interface
|
||||
Resolves: RHEL-22500
|
||||
- Allow httpd read network sysctls
|
||||
Resolves: RHEL-22748
|
||||
- Allow keepalived_unconfined_script_t dbus chat with init
|
||||
Resolves: RHEL-22843
|
||||
|
||||
* Fri Jan 26 2024 Zdenek Pytela <zpytela@redhat.com> - 3.14.3-135
|
||||
- Label /tmp/libdnf.* with user_tmp_t
|
||||
Resolves: RHEL-11249
|
||||
- Allow su domains write login records
|
||||
Resolves: RHEL-2606
|
||||
- Allow gpg read rpm cache
|
||||
Resolves: RHEL-11249
|
||||
- Allow unix dgram sendto between exim processes
|
||||
Resolves: RHEL-21903
|
||||
- Allow hypervkvp_t write access to NetworkManager_etc_rw_t
|
||||
Resolves: RHEL-17687
|
||||
- Add interface for write-only access to NetworkManager rw conf
|
||||
Resolves: RHEL-17687
|
||||
- Allow conntrackd_t to use sys_admin capability
|
||||
Resolves: RHEL-22276
|
||||
|
||||
* Fri Jan 12 2024 Zdenek Pytela <zpytela@redhat.com> - 3.14.3-134
|
||||
- Allow syslog to run unconfined scripts conditionally
|
||||
Resolves: RHEL-10087
|
||||
- Allow syslogd_t nnp_transition to syslogd_unconfined_script_t
|
||||
Resolves: RHEL-10087
|
||||
- Allow collectd connect to statsd port
|
||||
Resolves: RHEL-19482
|
||||
- Allow collectd_t read network state symlinks
|
||||
Resolves: RHEL-19482
|
||||
- Allow collectd_t domain to create netlink_generic_socket sockets
|
||||
Resolves: RHEL-19482
|
||||
- Allow opafm search nfs directories
|
||||
Resolves: RHEL-19426
|
||||
- Allow mdadm list stratisd data directories
|
||||
Resolves: RHEL-21374
|
||||
|
||||
* Wed Dec 13 2023 Zdenek Pytela <zpytela@redhat.com> - 3.14.3-133
|
||||
- Label /dev/acpi_thermal_rel char device with acpi_device_t
|
||||
Resolves: RHEL-18027
|
||||
- Allow sysadm execute traceroute in sysadm_t domain using sudo
|
||||
Resolves: RHEL-9947
|
||||
- Allow sysadm execute tcpdump in sysadm_t domain using sudo
|
||||
Resolves: RHEL-15398
|
||||
- Add support for syslogd unconfined scripts
|
||||
Resolves: RHEL-10087
|
||||
- Label /dev/wmi/dell-smbios as acpi_device_t
|
||||
Resolves: RHEL-18027
|
||||
- Make named_zone_t and named_var_run_t a part of the mountpoint attribute
|
||||
Resolves: RHEL-1954
|
||||
- Dontaudit rhsmcertd write memory device
|
||||
Resolves: RHEL-17721
|
||||
|
||||
* Tue Nov 28 2023 Zdenek Pytela <zpytela@redhat.com> - 3.14.3-132
|
||||
- Allow sudodomain read var auth files
|
||||
Resolves: RHEL-16567
|
||||
- Update cifs interfaces to include fs_search_auto_mountpoints()
|
||||
Resolves: RHEL-14072
|
||||
- Allow systemd-localed create Xserver config dirs
|
||||
Resolves: RHEL-16715
|
||||
- Label /var/run/auditd.state as auditd_var_run_t
|
||||
Resolves: RHEL-14376
|
||||
- Allow auditd read all domains process state
|
||||
Resolves: RHEL-14471
|
||||
- Allow sudo userdomain to run rpm related commands
|
||||
Resolves: RHEL-1679
|
||||
- Remove insights_client_watch_lib_dirs() interface
|
||||
Resolves: RHEL-16185
|
||||
|
||||
* Wed Nov 08 2023 Zdenek Pytela <zpytela@redhat.com> - 3.14.3-131
|
||||
- Additional permissions for ip-vrf
|
||||
Resolves: RHEL-9981
|
||||
- Allow ip an explicit domain transition to other domains
|
||||
Resolves: RHEL-9981
|
||||
- Allow winbind_rpcd_t processes access when samba_export_all_* is on
|
||||
Resolves: RHEL-5845
|
||||
- Allow system_mail_t manage exim spool files and dirs
|
||||
Resolves: RHEL-14186
|
||||
|
||||
* Wed Oct 04 2023 Lukas Vrabec <lvrabec@redhat.com> - 3.14.3-130
|
||||
- Label msmtp and msmtpd with sendmail_exec_t
|
||||
Resolves: RHEL-1678
|
||||
- Set default file context of HOME_DIR/tmp/.* to <<none>>
|
||||
Resolves: RHEL-1099
|
||||
- Improve default file context(None) of /var/lib/authselect/backups
|
||||
Resolves: RHEL-3539
|
||||
|
||||
* Fri Sep 29 2023 Lukas Vrabec <lvrabec@redhat.com> - 3.14.3-129
|
||||
- Set default file context of /var/lib/authselect/backups to <<none>>
|
||||
Resolves: RHEL-3539
|
||||
- Add file context specification for /usr/libexec/realmd
|
||||
Resolves: RHEL-2147
|
||||
- Add numad the ipc_owner capability
|
||||
Resolves: RHEL-2415
|
||||
|
||||
* Fri Aug 25 2023 Zdenek Pytela <zpytela@redhat.com> - 3.14.3-128
|
||||
- Allow ssh_agent_type manage generic cache home files
|
||||
Resolves: rhbz#2177704
|
||||
- Add chromium_sandbox_t setcap capability
|
||||
Resolves: rhbz#2221573
|
||||
|
||||
* Thu Aug 17 2023 Zdenek Pytela <zpytela@redhat.com> - 3.14.3-127
|
||||
- Allow cloud_init create dhclient var files and init_t manage net_conf_t 3
|
||||
Resolves: rhbz#2229726
|
||||
|
||||
* Fri Aug 11 2023 Zdenek Pytela <zpytela@redhat.com> - 3.14.3-126
|
||||
- Allow cloud_init create dhclient var files and init_t manage net_conf_t 1/2
|
||||
Resolves: rhbz#2229726
|
||||
- Label /usr/libexec/openssh/ssh-pkcs11-helper with ssh_agent_exec_t
|
||||
Resolves: rhbz#2177704
|
||||
- Allow cloud_init create dhclient var files and init_t manage net_conf_t 2/2
|
||||
Resolves: rhbz#2229726
|
||||
- Make insights_client_t an unconfined domain
|
||||
Resolves: rhbz#2225527
|
||||
- Allow insights-client create all rpm logs with a correct label
|
||||
Resolves: rhbz#2229559
|
||||
- Allow insights-client manage generic logs
|
||||
Resolves: rhbz#2229559
|
||||
|
||||
* Fri Aug 04 2023 Zdenek Pytela <zpytela@redhat.com> - 3.14.3-125
|
||||
- Allow user_u and staff_u get attributes of non-security dirs
|
||||
Resolves: rhbz#2216151
|
||||
- Allow unconfined user filetrans chrome_sandbox_home_t 1/2
|
||||
Resolves: rhbz#2221573
|
||||
- Allow unconfined user filetrans chrome_sandbox_home_t 2/2
|
||||
Resolves: rhbz#2221573
|
||||
- Allow insights-client execmem
|
||||
Resolves: rhbz#2225233
|
||||
- Allow svnserve execute postdrop with a transition
|
||||
Resolves: rhbz#2004843
|
||||
- Do not make postfix_postdrop_t type an MTA executable file
|
||||
Resolves: rhbz#2004843
|
||||
- Allow samba-dcerpc service manage samba tmp files
|
||||
Resolves: rhbz#2210771
|
||||
- Update samba-dcerpc policy for printing
|
||||
Resolves: rhbz#2210771
|
||||
|
||||
* Thu Jul 20 2023 Zdenek Pytela <zpytela@redhat.com> - 3.14.3-124
|
||||
- Add the files_getattr_non_auth_dirs() interface
|
||||
Resolves: rhbz#2076937
|
||||
- Update policy for the sblim-sfcb service
|
||||
Resolves: rhbz#2076937
|
||||
- Dontaudit sfcbd sys_ptrace cap_userns
|
||||
Resolves: rhbz#2076937
|
||||
- Label /usr/sbin/sos with sosreport_exec_t
|
||||
Resolves: rhbz#2167731
|
||||
- Allow sa-update manage spamc home files
|
||||
Resolves: rhbz#2222200
|
||||
- Allow sa-update connect to systemlog services
|
||||
Resolves: rhbz#2222200
|
||||
- Label /usr/lib/systemd/system/mimedefang.service with antivirus_unit_file_t
|
||||
Resolves: rhbz#2222200
|
||||
|
||||
* Thu Jun 29 2023 Zdenek Pytela <zpytela@redhat.com> - 3.14.3-123
|
||||
- Label only /usr/sbin/ripd and ripngd with zebra_exec_t
|
||||
Resolves: rhbz#2213606
|
||||
- Allow httpd tcp connect to redis port conditionally
|
||||
Resolves: rhbz#2213965
|
||||
- Exclude container-selinux manpage from selinux-policy-doc
|
||||
Resolves: rhbz#2218362
|
||||
|
||||
* Thu Jun 15 2023 Nikola Knazekova <nknazeko@redhat.com> - 3.14.3-122
|
||||
- Update cyrus_stream_connect() to use sockets in /run
|
||||
Resolves: rhbz#2165752
|
||||
- Allow insights-client map generic log files
|
||||
Resolves: rhbz#2214572
|
||||
- Allow insights-client work with pipe and socket tmp files
|
||||
Resolves: rhbz#2207819
|
||||
- Allow insights-client getsession process permission
|
||||
Resolves: rhbz#2207819
|
||||
- Allow keepalived to manage its tmp files
|
||||
Resolves: rhbz#2179335
|
||||
|
||||
* Thu May 25 2023 Zdenek Pytela <zpytela@redhat.com> - 3.14.3-121
|
||||
- Update pkcsslotd policy for sandboxing 2/2
|
||||
Resolves: rhbz#2208162
|
||||
- Update pkcsslotd policy for sandboxing 1/2
|
||||
Resolves: rhbz#2208162
|
||||
- Allow abrt_t read kernel persistent storage files
|
||||
Resolves: rhbz#2207914
|
||||
- Add allow rules for lttng-sessiond domain
|
||||
Resolves: rhbz#2203509
|
||||
- Allow rpcd_lsad setcap and use generic ptys
|
||||
Resolves: rhbz#2107106
|
||||
- Allow samba-dcerpcd connect to systemd_machined over a unix socket
|
||||
Resolves: rhbz#2107106
|
||||
- Dontaudit targetd search httpd config dirs
|
||||
Resolves: rhbz#2203720
|
||||
|
||||
* Thu May 11 2023 Zdenek Pytela <zpytela@redhat.com> - 3.14.3-120
|
||||
- Allow unconfined service inherit signal state from init
|
||||
Resolves: rhbz#2177254
|
||||
- Allow systemd-pstore delete kernel persistent storage files
|
||||
Resolves: rhbz#2181558
|
||||
- Add fs_delete_pstore_files() interface
|
||||
Resolves: rhbz#2181558
|
||||
- Allow certmonger manage cluster library files
|
||||
Resolves: rhbz#2177836
|
||||
- Allow samba-rpcd work with passwords
|
||||
Resolves: rhbz#2107106
|
||||
- Allow snmpd read raw disk data
|
||||
Resolves: rhbz#2160000
|
||||
- Allow cluster_t dbus chat with various services
|
||||
Resolves: rhbz#2196524
|
||||
|
||||
* Fri Apr 21 2023 Zdenek Pytela <zpytela@redhat.com> - 3.14.3-119
|
||||
- Add unconfined_server_read_semaphores() interface
|
||||
Resolves: rhbz#2183351
|
||||
- Allow systemd-pstore read kernel persistent storage files
|
||||
Resolves: rhbz#2181558
|
||||
- Add fs_read_pstore_files() interface
|
||||
Resolves: rhbz#2181558
|
||||
- Allow insights-client work with teamdctl
|
||||
Resolves: rhbz#2185158
|
||||
- Allow insights-client read unconfined service semaphores
|
||||
Resolves: rhbz#2183351
|
||||
- Allow insights-client get quotas of all filesystems
|
||||
Resolves: rhbz#2183351
|
||||
|
||||
* Thu Apr 13 2023 Zdenek Pytela <zpytela@redhat.com> - 3.14.3-118
|
||||
- Allow login_pgm setcap permission
|
||||
Resolves: rhbz#2172541
|
||||
- Label /run/fsck with fsadm_var_run_t
|
||||
Resolves: rhbz#2184348
|
||||
- Add boolean qemu-ga to run unconfined script
|
||||
Resolves: rhbz#2028762
|
||||
- Allow dovecot-deliver write to the main process runtime fifo files
|
||||
Resolves: rhbz#2170495
|
||||
- Allow certmonger dbus chat with the cron system domain
|
||||
Resolves: rhbz#2173289
|
||||
- Allow insights-client read all sysctls
|
||||
Resolves: rhbz#2177607
|
||||
|
||||
* Thu Feb 16 2023 Zdenek Pytela <zpytela@redhat.com> - 3.14.3-117
|
||||
- Fix opencryptoki file names in /dev/shm
|
||||
Resolves: rhbz#2028637
|
||||
- Allow system_cronjob_t transition to rpm_script_t
|
||||
Resolves: rhbz#2154242
|
||||
- Revert "Allow system_cronjob_t domtrans to rpm_script_t"
|
||||
Resolves: rhbz#2154242
|
||||
- Allow httpd work with tokens in /dev/shm
|
||||
Resolves: rhbz#2028637
|
||||
- Allow keepalived to set resource limits
|
||||
Resolves: rhbz#2168638
|
||||
- Allow insights-client manage fsadm pid files
|
||||
|
||||
* Thu Feb 09 2023 Zdenek Pytela <zpytela@redhat.com> - 3.14.3-116
|
||||
- Allow sysadm_t run initrc_t script and sysadm_r role access
|
||||
Resolves: rhbz#2039662
|
||||
- Allow insights-client manage fsadm pid files
|
||||
Resolves: rhbz#2166802
|
||||
- Add journalctl the sys_resource capability
|
||||
Resolves: rhbz#2136189
|
||||
|
||||
* Thu Jan 26 2023 Zdenek Pytela <zpytela@redhat.com> - 3.14.3-115
|
||||
- Fix syntax problem in redis.te
|
||||
Resolves: rhbz#2112228
|
||||
- Allow unconfined user filetransition for sudo log files
|
||||
Resolves: rhbz#2164047
|
||||
- Allow winbind-rpcd make a TCP connection to the ldap port
|
||||
Resolves: rhbz#2152642
|
||||
- Allow winbind-rpcd manage samba_share_t files and dirs
|
||||
Resolves: rhbz#2152642
|
||||
- Allow insights-client work with su and lpstat
|
||||
Resolves: rhbz#2134125
|
||||
- Allow insights-client read nvme devices
|
||||
Resolves: rhbz#2143878
|
||||
- Allow insights-client tcp connect to all ports
|
||||
Resolves: rhbz#2143878
|
||||
- Allow redis-sentinel execute a notification script
|
||||
Resolves: rhbz#2112228
|
||||
|
||||
* Thu Jan 12 2023 Zdenek Pytela <zpytela@redhat.com> - 3.14.3-114
|
||||
- Add interfaces in domain, files, and unconfined modules
|
||||
Resolves: rhbz#2141311
|
||||
- Allow sysadm_t read/write ipmi devices
|
||||
Resolves: rhbz#2148561
|
||||
- Allow sudodomain use sudo.log as a logfile
|
||||
Resolves: rhbz#2143762
|
||||
- Add insights additional capabilities
|
||||
Resolves: rhbz#2158779
|
||||
- Allow insights client work with gluster and pcp
|
||||
Resolves: rhbz#2141311
|
||||
- Allow prosody manage its runtime socket files
|
||||
Resolves: rhbz#2157902
|
||||
- Allow system mail service read inherited certmonger runtime files
|
||||
Resolves: rhbz#2143337
|
||||
- Add lpr_roles to system_r roles
|
||||
Resolves: rhbz#2151111
|
||||
|
||||
* Thu Dec 15 2022 Zdenek Pytela <zpytela@redhat.com> - 3.14.3-113
|
||||
- Allow systemd-socket-proxyd get attributes of cgroup filesystems
|
||||
Resolves: rhbz#2088441
|
||||
- Allow systemd-socket-proxyd get filesystems attributes
|
||||
Resolves: rhbz#2088441
|
||||
- Allow sysadm read ipmi devices
|
||||
Resolves: rhbz#2148561
|
||||
- Allow system mail service read inherited certmonger runtime files
|
||||
Resolves: rhbz#2143337
|
||||
- Add lpr_roles to system_r roles
|
||||
Resolves: rhbz#2151111
|
||||
- Allow insights-client tcp connect to various ports
|
||||
Resolves: rhbz#2151111
|
||||
- Allow insights-client work with pcp and manage user config files
|
||||
Resolves: rhbz#2151111
|
||||
- Allow insights-client dbus chat with various services
|
||||
Resolves: rhbz#2152867
|
||||
- Allow insights-client dbus chat with abrt
|
||||
Resolves: rhbz#2152867
|
||||
- Allow redis get user names
|
||||
Resolves: rhbz#2112228
|
||||
- Add winbind-rpcd to samba_enable_home_dirs boolean
|
||||
Resolves: rhbz#2143696
|
||||
|
||||
* Wed Nov 30 2022 Zdenek Pytela <zpytela@redhat.com> - 3.14.3-112
|
||||
- Allow ipsec_t only read tpm devices
|
||||
Resolves: rhbz#2147380
|
||||
- Allow ipsec_t read/write tpm devices
|
||||
Resolves: rhbz#2147380
|
||||
- Label udf tools with fsadm_exec_t
|
||||
Resolves: rhbz#1972230
|
||||
- Allow the spamd_update_t domain get generic filesystem attributes
|
||||
Resolves: rhbz#2144501
|
||||
- Allow cdcc mmap dcc-client-map files
|
||||
Resolves: rhbz#2144505
|
||||
- Allow insights client communicate with cupsd, mysqld, openvswitch, redis
|
||||
Resolves: rhbz#2143878
|
||||
- Allow insights client read raw memory devices
|
||||
Resolves: rhbz#2143878
|
||||
- Allow winbind-rpcd get attributes of device and pty filesystems
|
||||
Resolves: rhbz#2107106
|
||||
- Allow postfix/smtpd read kerberos key table
|
||||
Resolves: rhbz#1983308
|
||||
|
||||
* Fri Nov 11 2022 Zdenek Pytela <zpytela@redhat.com> - 3.14.3-111
|
||||
- Add domain_unix_read_all_semaphores() interface
|
||||
Resolves: rhbz#2141311
|
||||
- Allow iptables list cgroup directories
|
||||
Resolves: rhbz#2134820
|
||||
- Allow systemd-hostnamed dbus chat with init scripts
|
||||
Resolves: rhbz#2111632
|
||||
- Allow systemd to read symlinks in /var/lib
|
||||
Resolves: rhbz#2118784
|
||||
- Allow insights-client domain transition on semanage execution
|
||||
Resolves: rhbz#2141311
|
||||
- Allow insights-client create gluster log dir with a transition
|
||||
Resolves: rhbz#2141311
|
||||
- Allow insights-client manage generic locks
|
||||
Resolves: rhbz#2141311
|
||||
- Allow insights-client unix_read all domain semaphores
|
||||
Resolves: rhbz#2141311
|
||||
- Allow winbind-rpcd use the terminal multiplexor
|
||||
Resolves: rhbz#2107106
|
||||
- Allow mrtg send mails
|
||||
Resolves: rhbz#2103675
|
||||
- Allow sssd dbus chat with system cronjobs
|
||||
Resolves: rhbz#2132922
|
||||
- Allow postfix/smtp and postfix/virtual read kerberos key table
|
||||
Resolves: rhbz#1983308
|
||||
|
||||
* Thu Oct 20 2022 Zdenek Pytela <zpytela@redhat.com> - 3.14.3-110
|
||||
- Add the systemd_connectto_socket_proxyd_unix_sockets() interface
|
||||
Resolves: rhbz#208441
|
||||
- Add the dev_map_vhost() interface
|
||||
Resolves: rhbz#2122920
|
||||
- Allow init remount all file_type filesystems
|
||||
Resolves: rhbz#2122239
|
||||
- added policy for systemd-socket-proxyd
|
||||
Resolves: rhbz#2088441
|
||||
- Allow virt_domain map vhost devices
|
||||
Resolves: rhbz#2122920
|
||||
- Allow virt domains to access xserver devices
|
||||
Resolves: rhbz#2122920
|
||||
- Allow rotatelogs read httpd_log_t symlinks
|
||||
Resolves: rhbz#2030633
|
||||
- Allow vlock search the contents of the /dev/pts directory
|
||||
Resolves: rhbz#2122838
|
||||
- Allow system cronjobs dbus chat with setroubleshoot
|
||||
Resolves: rhbz#2125008
|
||||
- Allow ptp4l_t name_bind ptp_event_port_t
|
||||
Resolves: rhbz#2130168
|
||||
- Allow pcp_domain execute its private memfd: objects
|
||||
Resolves: rhbz#2090711
|
||||
- Allow samba-dcerpcd use NSCD services over a unix stream socket
|
||||
Resolves: rhbz#2121709
|
||||
- Allow insights-client manage samba var dirs
|
||||
Resolves: rhbz#2132230
|
||||
|
||||
* Wed Oct 12 2022 Zdenek Pytela <zpytela@redhat.com> - 3.14.3-109
|
||||
- Add the files_map_read_etc_files() interface
|
||||
Resolves: rhbz#2132230
|
||||
- Allow insights-client manage samba var dirs
|
||||
Resolves: rhbz#2132230
|
||||
- Allow insights-client send null signal to rpm and system cronjob
|
||||
Resolves: rhbz#2132230
|
||||
- Update rhcd policy for executing additional commands 4
|
||||
Resolves: rhbz#2132230
|
||||
- Allow insights-client connect to postgresql with a unix socket
|
||||
Resolves: rhbz#2132230
|
||||
- Allow insights-client domtrans on unix_chkpwd execution
|
||||
Resolves: rhbz#2132230
|
||||
- Add file context entries for insights-client and rhc
|
||||
Resolves: rhbz#2132230
|
||||
- Allow snmpd_t domain to trace processes in user namespace
|
||||
Resolves: rhbz#2121084
|
||||
- Allow sbd the sys_ptrace capability
|
||||
Resolves: rhbz#2124552
|
||||
- Allow pulseaudio create gnome content (~/.config)
|
||||
Resolves: rhbz#2124387
|
||||
|
||||
* Thu Sep 08 2022 Zdenek Pytela <zpytela@redhat.com> - 3.14.3-108
|
||||
- Allow unconfined_service_t insights client content filetrans
|
||||
Resolves: rhbz#2119507
|
||||
- Allow nsswitch_domain to connect to systemd-machined using a unix socket
|
||||
Resolves: rhbz#2119507
|
||||
- Add init_status_all_script_files() interface
|
||||
Resolves: rhbz#2119507
|
||||
- Add dev_dontaudit_write_raw_memory() and dev_read_vsock() interfaces
|
||||
Resolves: rhbz#2119507
|
||||
- Update insights-client policy for additional commands execution 5
|
||||
Resolves: rhbz#2119507
|
||||
- Confine insights-client systemd unit
|
||||
Resolves: rhbz#2119507
|
||||
- Update insights-client policy for additional commands execution 4
|
||||
Resolves: rhbz#2119507
|
||||
- Change rhsmcertd_t to insights_client_t in insights-client policy
|
||||
Resolves: rhbz#2119507
|
||||
- Allow insights-client send signull to unconfined_service_t
|
||||
Resolves: rhbz#2119507
|
||||
- Update insights-client policy for additional commands execution 3
|
||||
Resolves: rhbz#2119507
|
||||
- Allow journalctl read init state
|
||||
Resolves: rhbz#2119507
|
||||
- Update insights-client policy for additional commands execution 2
|
||||
Resolves: rhbz#2119507
|
||||
|
||||
* Thu Aug 25 2022 Zdenek Pytela <zpytela@redhat.com> - 3.14.3-107
|
||||
- Label 319/udp port with ptp_event_port_t
|
||||
Resolves: rhbz#2118628
|
||||
- Allow unconfined and sysadm users transition for /root/.gnupg
|
||||
Resolves: rhbz#2119507
|
||||
- Add the kernel_read_proc_files() interface
|
||||
Resolves: rhbz#2119507
|
||||
- Add userdom_view_all_users_keys() interface
|
||||
Resolves: rhbz#2119507
|
||||
- Allow system_cronjob_t domtrans to rpm_script_t
|
||||
Resolves: rhbz#2118362
|
||||
- Allow smbd_t process noatsecure permission for winbind_rpcd_t
|
||||
Resolves: rhbz#2117199
|
||||
- Allow chronyd bind UDP sockets to ptp_event ports
|
||||
Resolves: rhbz#2118628
|
||||
- Allow samba-bgqd to read a printer list
|
||||
Resolves: rhbz#2118958
|
||||
- Add gpg_filetrans_admin_home_content() interface
|
||||
Resolves: rhbz#2119507
|
||||
- Update insights-client policy for additional commands execution
|
||||
Resolves: rhbz#2119507
|
||||
- Allow gpg read and write generic pty type
|
||||
Resolves: rhbz#2119507
|
||||
- Allow chronyc read and write generic pty type
|
||||
Resolves: rhbz#2119507
|
||||
- Disable rpm verification on interface_info
|
||||
Resolves: rhbz#2119472
|
||||
|
||||
* Wed Aug 10 2022 Zdenek Pytela <zpytela@redhat.com> - 3.14.3-106
|
||||
- Allow networkmanager to signal unconfined process
|
||||
Resolves: rhbz#1918148
|
||||
|
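Review bot: the %changelog entries for 3.14.3-107 through 3.14.3-139 that differ in this hunk record restrictions as well as allow rules, so the two refs should not be treated as interchangeable from a confinement point of view. Examples are in -136, "Only allow confined user domains to login locally without unconfined_login" and "Only allow admindomain to execute shell via ssh with ssh_sysadm_login" (RHEL-1628), and in -125, "Do not make postfix_postdrop_t type an MTA executable file" (rhbz#2004843). Two smaller points in the entries themselves: under -110, "Resolves: rhbz#208441" looks like a typo for rhbz#2088441, which the other systemd-socket-proxyd entries use, and under -117 the line "Allow insights-client manage fsadm pid files" has no Resolves: reference.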