@ -1,11 +1,11 @@
# github repo with selinux-policy base sources
%global git0 https://github.com/fedora-selinux/selinux-policy
%global commit0 9db72ed4345b0f26e798cb301f306fb4ee303844
%global commit0 552905cb94a7790fb51586b7778d303be21692a4
%global shortcommit0 %(c=%{commit0}; echo ${c:0:7})

# github repo with selinux-policy contrib sources
%global git1 https://github.com/fedora-selinux/selinux-policy-contrib
%global commit1 5e2c252146f379cd25df50de97816f6771d9d79b
%global commit1 635888d8ead909d158ac612b59e518534c9104f4
%global shortcommit1 %(c=%{commit1}; echo ${c:0:7})

%define distro redhat
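Review bot: both upstream pins move to new full-length commit ids (base 9db72ed to 552905c, contrib 5e2c252 to 635888d), which is the right way to reference a GitHub archive, but nothing in the hunk says which upstream branch they were taken from or records a checksum for the resulting tarballs; since `%{git0}/archive/%{commit0}/...` archives are generated on the fly by GitHub rather than stored as release artifacts, suggest naming the branch in the change description and updating the tarball checksums in the same change.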
@ -29,7 +29,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.14.3
Release: 107%{?dist}
Release: 139%{?dist}
License: GPLv2+
Source: %{git0}/archive/%{commit0}/%{name}-%{shortcommit0}.tar.gz
Source29: %{git1}/archive/%{commit1}/%{name}-contrib-%{shortcommit1}.tar.gz
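Review bot: Release jumps from 107 straight to 139 while Version stays 3.14.3, so this is a sync of 32 builds landing as one change; the %changelog hunk does carry an entry for every intermediate release (108 through 138), so the bump is accounted for, but the change description should say it is a batch sync rather than a single rebuild so the size of the jump is not mistaken for a typo.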
@ -165,6 +165,7 @@ SELinux policy documentation package
%files doc
%{_mandir}/man*/*
%{_mandir}/ru/*/*
%exclude %{_mandir}/man8/container_selinux.8.gz
%doc %{_usr}/share/doc/%{name}

%define makeCmds() \
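Review bot: the new `%exclude` matches only `%{_mandir}/man8/container_selinux.8.gz`, so the `%{_mandir}/ru/*/*` glob two lines above would still package a localized copy if the build ever generated one under ru/man8; suggest confirming no such file is produced, or adding `%exclude %{_mandir}/*/man8/container_selinux.8.gz` next to the existing line. A short comment pointing at rhbz#2218362 (the changelog item "Exclude container-selinux manpage from selinux-policy-doc") would also explain to the next reader why a generated man page is deliberately dropped here.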
@ -442,7 +443,7 @@ mv %{buildroot}%{_usr}/share/man/man8/style.css %{buildroot}%{_usr}/share/selinu

mkdir -p %{buildroot}%{_rpmconfigdir}/macros.d
install -m 644 %{SOURCE102} %{buildroot}%{_rpmconfigdir}/macros.d/macros.selinux-policy
sed -i 's/SELINUXPOLICYVERSION/%{version}-%{release}/' %{buildroot}%{_rpmconfigdir}/macros.d/macros.selinux-policy
sed -i 's/SELINUXPOLICYVERSION/%{version}/' %{buildroot}%{_rpmconfigdir}/macros.d/macros.selinux-policy
sed -i 's@SELINUXSTOREPATH@%{_sharedstatedir}/selinux@' %{buildroot}%{_rpmconfigdir}/macros.d/macros.selinux-policy
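Review bot: dropping `-%{release}` changes what every consumer of macros.selinux-policy sees (SELINUXPOLICYVERSION now expands to `3.14.3` instead of `3.14.3-139`), and none of the %changelog entries in this diff mention it; add an entry, and state whether packages that used the macro in a versioned dependency are expected to compare on version only from now on. The `sed -i` also carries no `g` flag, which is only safe while the placeholder occurs once in %{SOURCE102}.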
@ -717,6 +718,495 @@ exit 0
%endif

%changelog
* Fri Mar 08 2024 Zdenek Pytela <zpytela@redhat.com> - 3.14.3-139
- Allow wdmd read hardware state information
Resolves: RHEL-27507

* Fri Mar 08 2024 Zdenek Pytela <zpytela@redhat.com> - 3.14.3-138
- Allow wdmd list the contents of the sysfs directories
Resolves: RHEL-27507
- Allow linuxptp configure phc2sys and chronyd over a unix domain socket
Resolves: RHEL-27394

* Thu Feb 22 2024 Zdenek Pytela <zpytela@redhat.com> - 3.14.3-137
- Differentiate between staff and sysadm when executing crontab with sudo
Resolves: RHEL-1388
- Allow su domains write login records
Resolves: RHEL-2606
- Revert "Allow su domains write login records"
Resolves: RHEL-2606
- Add crontab_admin_domtrans interface
Resolves: RHEL-1388
- Allow gpg manage rpm cache
Resolves: RHEL-11249

* Thu Feb 15 2024 Zdenek Pytela <zpytela@redhat.com> - 3.14.3-136
- Transition from sudodomains to crontab_t when executing crontab_exec_t
Resolves: RHEL-1388
- Fix label of pseudoterminals created from sudodomain
Resolves: RHEL-1388
- Allow login_userdomain to manage session_dbusd_tmp_t dirs/files
Resolves: RHEL-22500
- Label /dev/ngXnY and /dev/nvme-subsysX with nvme_device_t
Resolves: RHEL-23442
- Allow admin user read/write on fixed_disk_device_t
Resolves: RHEL-23434
- Only allow confined user domains to login locally without unconfined_login
Resolves: RHEL-1628
- Add userdom_spec_domtrans_confined_admin_users interface
Resolves: RHEL-1628
- Only allow admindomain to execute shell via ssh with ssh_sysadm_login
Resolves: RHEL-1628
- Add userdom_spec_domtrans_admin_users interface
Resolves: RHEL-1628
- Move ssh dyntrans to unconfined inside unconfined_login tunable policy
Resolves: RHEL-1628
- Allow utempter_t use ptmx
Resolves: RHEL-25002
- Dontaudit subscription manager setfscreate and read file contexts
Resolves: RHEL-21639
- Don't audit crontab_domain write attempts to user home
Resolves: RHEL-1388
- Add crontab_domtrans interface
Resolves: RHEL-1388
- Add dbus_manage_session_tmp_files interface
Resolves: RHEL-22500
- Allow httpd read network sysctls
Resolves: RHEL-22748
- Allow keepalived_unconfined_script_t dbus chat with init
Resolves: RHEL-22843

* Fri Jan 26 2024 Zdenek Pytela <zpytela@redhat.com> - 3.14.3-135
- Label /tmp/libdnf.* with user_tmp_t
Resolves: RHEL-11249
- Allow su domains write login records
Resolves: RHEL-2606
- Allow gpg read rpm cache
Resolves: RHEL-11249
- Allow unix dgram sendto between exim processes
Resolves: RHEL-21903
- Allow hypervkvp_t write access to NetworkManager_etc_rw_t
Resolves: RHEL-17687
- Add interface for write-only access to NetworkManager rw conf
Resolves: RHEL-17687
- Allow conntrackd_t to use sys_admin capability
Resolves: RHEL-22276

* Fri Jan 12 2024 Zdenek Pytela <zpytela@redhat.com> - 3.14.3-134
- Allow syslog to run unconfined scripts conditionally
Resolves: RHEL-10087
- Allow syslogd_t nnp_transition to syslogd_unconfined_script_t
Resolves: RHEL-10087
- Allow collectd connect to statsd port
Resolves: RHEL-19482
- Allow collectd_t read network state symlinks
Resolves: RHEL-19482
- Allow collectd_t domain to create netlink_generic_socket sockets
Resolves: RHEL-19482
- Allow opafm search nfs directories
Resolves: RHEL-19426
- Allow mdadm list stratisd data directories
Resolves: RHEL-21374

* Wed Dec 13 2023 Zdenek Pytela <zpytela@redhat.com> - 3.14.3-133
- Label /dev/acpi_thermal_rel char device with acpi_device_t
Resolves: RHEL-18027
- Allow sysadm execute traceroute in sysadm_t domain using sudo
Resolves: RHEL-9947
- Allow sysadm execute tcpdump in sysadm_t domain using sudo
Resolves: RHEL-15398
- Add support for syslogd unconfined scripts
Resolves: RHEL-10087
- Label /dev/wmi/dell-smbios as acpi_device_t
Resolves: RHEL-18027
- Make named_zone_t and named_var_run_t a part of the mountpoint attribute
Resolves: RHEL-1954
- Dontaudit rhsmcertd write memory device
Resolves: RHEL-17721

* Tue Nov 28 2023 Zdenek Pytela <zpytela@redhat.com> - 3.14.3-132
- Allow sudodomain read var auth files
Resolves: RHEL-16567
- Update cifs interfaces to include fs_search_auto_mountpoints()
Resolves: RHEL-14072
- Allow systemd-localed create Xserver config dirs
Resolves: RHEL-16715
- Label /var/run/auditd.state as auditd_var_run_t
Resolves: RHEL-14376
- Allow auditd read all domains process state
Resolves: RHEL-14471
- Allow sudo userdomain to run rpm related commands
Resolves: RHEL-1679
- Remove insights_client_watch_lib_dirs() interface
Resolves: RHEL-16185

* Wed Nov 08 2023 Zdenek Pytela <zpytela@redhat.com> - 3.14.3-131
- Additional permissions for ip-vrf
Resolves: RHEL-9981
- Allow ip an explicit domain transition to other domains
Resolves: RHEL-9981
- Allow winbind_rpcd_t processes access when samba_export_all_* is on
Resolves: RHEL-5845
- Allow system_mail_t manage exim spool files and dirs
Resolves: RHEL-14186

* Wed Oct 04 2023 Lukas Vrabec <lvrabec@redhat.com> - 3.14.3-130
- Label msmtp and msmtpd with sendmail_exec_t
Resolves: RHEL-1678
- Set default file context of HOME_DIR/tmp/.* to <<none>>
Resolves: RHEL-1099
- Improve default file context(None) of /var/lib/authselect/backups
Resolves: RHEL-3539

* Fri Sep 29 2023 Lukas Vrabec <lvrabec@redhat.com> - 3.14.3-129
- Set default file context of /var/lib/authselect/backups to <<none>>
Resolves: RHEL-3539
- Add file context specification for /usr/libexec/realmd
Resolves: RHEL-2147
- Add numad the ipc_owner capability
Resolves: RHEL-2415

* Fri Aug 25 2023 Zdenek Pytela <zpytela@redhat.com> - 3.14.3-128
- Allow ssh_agent_type manage generic cache home files
Resolves: rhbz#2177704
- Add chromium_sandbox_t setcap capability
Resolves: rhbz#2221573

* Thu Aug 17 2023 Zdenek Pytela <zpytela@redhat.com> - 3.14.3-127
- Allow cloud_init create dhclient var files and init_t manage net_conf_t 3
Resolves: rhbz#2229726

* Fri Aug 11 2023 Zdenek Pytela <zpytela@redhat.com> - 3.14.3-126
- Allow cloud_init create dhclient var files and init_t manage net_conf_t 1/2
Resolves: rhbz#2229726
- Label /usr/libexec/openssh/ssh-pkcs11-helper with ssh_agent_exec_t
Resolves: rhbz#2177704
- Allow cloud_init create dhclient var files and init_t manage net_conf_t 2/2
Resolves: rhbz#2229726
- Make insights_client_t an unconfined domain
Resolves: rhbz#2225527
- Allow insights-client create all rpm logs with a correct label
Resolves: rhbz#2229559
- Allow insights-client manage generic logs
Resolves: rhbz#2229559

* Fri Aug 04 2023 Zdenek Pytela <zpytela@redhat.com> - 3.14.3-125
- Allow user_u and staff_u get attributes of non-security dirs
Resolves: rhbz#2216151
- Allow unconfined user filetrans chrome_sandbox_home_t 1/2
Resolves: rhbz#2221573
- Allow unconfined user filetrans chrome_sandbox_home_t 2/2
Resolves: rhbz#2221573
- Allow insights-client execmem
Resolves: rhbz#2225233
- Allow svnserve execute postdrop with a transition
Resolves: rhbz#2004843
- Do not make postfix_postdrop_t type an MTA executable file
Resolves: rhbz#2004843
- Allow samba-dcerpc service manage samba tmp files
Resolves: rhbz#2210771
- Update samba-dcerpc policy for printing
Resolves: rhbz#2210771

* Thu Jul 20 2023 Zdenek Pytela <zpytela@redhat.com> - 3.14.3-124
- Add the files_getattr_non_auth_dirs() interface
Resolves: rhbz#2076937
- Update policy for the sblim-sfcb service
Resolves: rhbz#2076937
- Dontaudit sfcbd sys_ptrace cap_userns
Resolves: rhbz#2076937
- Label /usr/sbin/sos with sosreport_exec_t
Resolves: rhbz#2167731
- Allow sa-update manage spamc home files
Resolves: rhbz#2222200
- Allow sa-update connect to systemlog services
Resolves: rhbz#2222200
- Label /usr/lib/systemd/system/mimedefang.service with antivirus_unit_file_t
Resolves: rhbz#2222200

* Thu Jun 29 2023 Zdenek Pytela <zpytela@redhat.com> - 3.14.3-123
- Label only /usr/sbin/ripd and ripngd with zebra_exec_t
Resolves: rhbz#2213606
- Allow httpd tcp connect to redis port conditionally
Resolves: rhbz#2213965
- Exclude container-selinux manpage from selinux-policy-doc
Resolves: rhbz#2218362

* Thu Jun 15 2023 Nikola Knazekova <nknazeko@redhat.com> - 3.14.3-122
- Update cyrus_stream_connect() to use sockets in /run
Resolves: rhbz#2165752
- Allow insights-client map generic log files
Resolves: rhbz#2214572
- Allow insights-client work with pipe and socket tmp files
Resolves: rhbz#2207819
- Allow insights-client getsession process permission
Resolves: rhbz#2207819
- Allow keepalived to manage its tmp files
Resolves: rhbz#2179335

* Thu May 25 2023 Zdenek Pytela <zpytela@redhat.com> - 3.14.3-121
- Update pkcsslotd policy for sandboxing 2/2
Resolves: rhbz#2208162
- Update pkcsslotd policy for sandboxing 1/2
Resolves: rhbz#2208162
- Allow abrt_t read kernel persistent storage files
Resolves: rhbz#2207914
- Add allow rules for lttng-sessiond domain
Resolves: rhbz#2203509
- Allow rpcd_lsad setcap and use generic ptys
Resolves: rhbz#2107106
- Allow samba-dcerpcd connect to systemd_machined over a unix socket
Resolves: rhbz#2107106
- Dontaudit targetd search httpd config dirs
Resolves: rhbz#2203720

* Thu May 11 2023 Zdenek Pytela <zpytela@redhat.com> - 3.14.3-120
- Allow unconfined service inherit signal state from init
Resolves: rhbz#2177254
- Allow systemd-pstore delete kernel persistent storage files
Resolves: rhbz#2181558
- Add fs_delete_pstore_files() interface
Resolves: rhbz#2181558
- Allow certmonger manage cluster library files
Resolves: rhbz#2177836
- Allow samba-rpcd work with passwords
Resolves: rhbz#2107106
- Allow snmpd read raw disk data
Resolves: rhbz#2160000
- Allow cluster_t dbus chat with various services
Resolves: rhbz#2196524

* Fri Apr 21 2023 Zdenek Pytela <zpytela@redhat.com> - 3.14.3-119
- Add unconfined_server_read_semaphores() interface
Resolves: rhbz#2183351
- Allow systemd-pstore read kernel persistent storage files
Resolves: rhbz#2181558
- Add fs_read_pstore_files() interface
Resolves: rhbz#2181558
- Allow insights-client work with teamdctl
Resolves: rhbz#2185158
- Allow insights-client read unconfined service semaphores
Resolves: rhbz#2183351
- Allow insights-client get quotas of all filesystems
Resolves: rhbz#2183351

* Thu Apr 13 2023 Zdenek Pytela <zpytela@redhat.com> - 3.14.3-118
- Allow login_pgm setcap permission
Resolves: rhbz#2172541
- Label /run/fsck with fsadm_var_run_t
Resolves: rhbz#2184348
- Add boolean qemu-ga to run unconfined script
Resolves: rhbz#2028762
- Allow dovecot-deliver write to the main process runtime fifo files
Resolves: rhbz#2170495
- Allow certmonger dbus chat with the cron system domain
Resolves: rhbz#2173289
- Allow insights-client read all sysctls
Resolves: rhbz#2177607

* Thu Feb 16 2023 Zdenek Pytela <zpytela@redhat.com> - 3.14.3-117
- Fix opencryptoki file names in /dev/shm
Resolves: rhbz#2028637
- Allow system_cronjob_t transition to rpm_script_t
Resolves: rhbz#2154242
- Revert "Allow system_cronjob_t domtrans to rpm_script_t"
Resolves: rhbz#2154242
- Allow httpd work with tokens in /dev/shm
Resolves: rhbz#2028637
- Allow keepalived to set resource limits
Resolves: rhbz#2168638
- Allow insights-client manage fsadm pid files

* Thu Feb 09 2023 Zdenek Pytela <zpytela@redhat.com> - 3.14.3-116
- Allow sysadm_t run initrc_t script and sysadm_r role access
Resolves: rhbz#2039662
- Allow insights-client manage fsadm pid files
Resolves: rhbz#2166802
- Add journalctl the sys_resource capability
Resolves: rhbz#2136189

* Thu Jan 26 2023 Zdenek Pytela <zpytela@redhat.com> - 3.14.3-115
- Fix syntax problem in redis.te
Resolves: rhbz#2112228
- Allow unconfined user filetransition for sudo log files
Resolves: rhbz#2164047
- Allow winbind-rpcd make a TCP connection to the ldap port
Resolves: rhbz#2152642
- Allow winbind-rpcd manage samba_share_t files and dirs
Resolves: rhbz#2152642
- Allow insights-client work with su and lpstat
Resolves: rhbz#2134125
- Allow insights-client read nvme devices
Resolves: rhbz#2143878
- Allow insights-client tcp connect to all ports
Resolves: rhbz#2143878
- Allow redis-sentinel execute a notification script
Resolves: rhbz#2112228

* Thu Jan 12 2023 Zdenek Pytela <zpytela@redhat.com> - 3.14.3-114
- Add interfaces in domain, files, and unconfined modules
Resolves: rhbz#2141311
- Allow sysadm_t read/write ipmi devices
Resolves: rhbz#2148561
- Allow sudodomain use sudo.log as a logfile
Resolves: rhbz#2143762
- Add insights additional capabilities
Resolves: rhbz#2158779
- Allow insights client work with gluster and pcp
Resolves: rhbz#2141311
- Allow prosody manage its runtime socket files
Resolves: rhbz#2157902
- Allow system mail service read inherited certmonger runtime files
Resolves: rhbz#2143337
- Add lpr_roles to system_r roles
Resolves: rhbz#2151111

* Thu Dec 15 2022 Zdenek Pytela <zpytela@redhat.com> - 3.14.3-113
- Allow systemd-socket-proxyd get attributes of cgroup filesystems
Resolves: rhbz#2088441
- Allow systemd-socket-proxyd get filesystems attributes
Resolves: rhbz#2088441
- Allow sysadm read ipmi devices
Resolves: rhbz#2148561
- Allow system mail service read inherited certmonger runtime files
Resolves: rhbz#2143337
- Add lpr_roles to system_r roles
Resolves: rhbz#2151111
- Allow insights-client tcp connect to various ports
Resolves: rhbz#2151111
- Allow insights-client work with pcp and manage user config files
Resolves: rhbz#2151111
- Allow insights-client dbus chat with various services
Resolves: rhbz#2152867
- Allow insights-client dbus chat with abrt
Resolves: rhbz#2152867
- Allow redis get user names
Resolves: rhbz#2112228
- Add winbind-rpcd to samba_enable_home_dirs boolean
Resolves: rhbz#2143696

* Wed Nov 30 2022 Zdenek Pytela <zpytela@redhat.com> - 3.14.3-112
- Allow ipsec_t only read tpm devices
Resolves: rhbz#2147380
- Allow ipsec_t read/write tpm devices
Resolves: rhbz#2147380
- Label udf tools with fsadm_exec_t
Resolves: rhbz#1972230
- Allow the spamd_update_t domain get generic filesystem attributes
Resolves: rhbz#2144501
- Allow cdcc mmap dcc-client-map files
Resolves: rhbz#2144505
- Allow insights client communicate with cupsd, mysqld, openvswitch, redis
Resolves: rhbz#2143878
- Allow insights client read raw memory devices
Resolves: rhbz#2143878
- Allow winbind-rpcd get attributes of device and pty filesystems
Resolves: rhbz#2107106
- Allow postfix/smtpd read kerberos key table
Resolves: rhbz#1983308

* Fri Nov 11 2022 Zdenek Pytela <zpytela@redhat.com> - 3.14.3-111
- Add domain_unix_read_all_semaphores() interface
Resolves: rhbz#2141311
- Allow iptables list cgroup directories
Resolves: rhbz#2134820
- Allow systemd-hostnamed dbus chat with init scripts
Resolves: rhbz#2111632
- Allow systemd to read symlinks in /var/lib
Resolves: rhbz#2118784
- Allow insights-client domain transition on semanage execution
Resolves: rhbz#2141311
- Allow insights-client create gluster log dir with a transition
Resolves: rhbz#2141311
- Allow insights-client manage generic locks
Resolves: rhbz#2141311
- Allow insights-client unix_read all domain semaphores
Resolves: rhbz#2141311
- Allow winbind-rpcd use the terminal multiplexor
Resolves: rhbz#2107106
- Allow mrtg send mails
Resolves: rhbz#2103675
- Allow sssd dbus chat with system cronjobs
Resolves: rhbz#2132922
- Allow postfix/smtp and postfix/virtual read kerberos key table
Resolves: rhbz#1983308

* Thu Oct 20 2022 Zdenek Pytela <zpytela@redhat.com> - 3.14.3-110
- Add the systemd_connectto_socket_proxyd_unix_sockets() interface
Resolves: rhbz#208441
- Add the dev_map_vhost() interface
Resolves: rhbz#2122920
- Allow init remount all file_type filesystems
Resolves: rhbz#2122239
- added policy for systemd-socket-proxyd
Resolves: rhbz#2088441
- Allow virt_domain map vhost devices
Resolves: rhbz#2122920
- Allow virt domains to access xserver devices
Resolves: rhbz#2122920
- Allow rotatelogs read httpd_log_t symlinks
Resolves: rhbz#2030633
- Allow vlock search the contents of the /dev/pts directory
Resolves: rhbz#2122838
- Allow system cronjobs dbus chat with setroubleshoot
Resolves: rhbz#2125008
- Allow ptp4l_t name_bind ptp_event_port_t
Resolves: rhbz#2130168
- Allow pcp_domain execute its private memfd: objects
Resolves: rhbz#2090711
- Allow samba-dcerpcd use NSCD services over a unix stream socket
Resolves: rhbz#2121709
- Allow insights-client manage samba var dirs
Resolves: rhbz#2132230

* Wed Oct 12 2022 Zdenek Pytela <zpytela@redhat.com> - 3.14.3-109
- Add the files_map_read_etc_files() interface
Resolves: rhbz#2132230
- Allow insights-client manage samba var dirs
Resolves: rhbz#2132230
- Allow insights-client send null signal to rpm and system cronjob
Resolves: rhbz#2132230
- Update rhcd policy for executing additional commands 4
Resolves: rhbz#2132230
- Allow insights-client connect to postgresql with a unix socket
Resolves: rhbz#2132230
- Allow insights-client domtrans on unix_chkpwd execution
Resolves: rhbz#2132230
- Add file context entries for insights-client and rhc
Resolves: rhbz#2132230
- Allow snmpd_t domain to trace processes in user namespace
Resolves: rhbz#2121084
- Allow sbd the sys_ptrace capability
Resolves: rhbz#2124552
- Allow pulseaudio create gnome content (~/.config)
Resolves: rhbz#2124387

* Thu Sep 08 2022 Zdenek Pytela <zpytela@redhat.com> - 3.14.3-108
- Allow unconfined_service_t insights client content filetrans
Resolves: rhbz#2119507
- Allow nsswitch_domain to connect to systemd-machined using a unix socket
Resolves: rhbz#2119507
- Add init_status_all_script_files() interface
Resolves: rhbz#2119507
- Add dev_dontaudit_write_raw_memory() and dev_read_vsock() interfaces
Resolves: rhbz#2119507
- Update insights-client policy for additional commands execution 5
Resolves: rhbz#2119507
- Confine insights-client systemd unit
Resolves: rhbz#2119507
- Update insights-client policy for additional commands execution 4
Resolves: rhbz#2119507
- Change rhsmcertd_t to insights_client_t in insights-client policy
Resolves: rhbz#2119507
- Allow insights-client send signull to unconfined_service_t
Resolves: rhbz#2119507
- Update insights-client policy for additional commands execution 3
Resolves: rhbz#2119507
- Allow journalctl read init state
Resolves: rhbz#2119507
- Update insights-client policy for additional commands execution 2
Resolves: rhbz#2119507

* Thu Aug 25 2022 Zdenek Pytela <zpytela@redhat.com> - 3.14.3-107
- Label 319/udp port with ptp_event_port_t
Resolves: rhbz#2118628
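Review bot: `Resolves: rhbz#208441` under 3.14.3-110 ("Add the systemd_connectto_socket_proxyd_unix_sockets() interface") is a six-digit id while every other systemd-socket-proxyd item in this hunk (3.14.3-110 "added policy for systemd-socket-proxyd" and both 3.14.3-113 items) cites rhbz#2088441, so a digit was most likely dropped; suggest correcting it before the build is tagged. Two smaller points in the same hunk: the 3.14.3-117 item "Allow insights-client manage fsadm pid files" has no `Resolves:` line (the identical item in 3.14.3-116 cites rhbz#2166802), and the cloud_init series is numbered "1/2", "2/2" and then "3" across 3.14.3-126 and 3.14.3-127, which reads as a mislabelled third part.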