Commit Graph

  • da1accb7ff * Thu Sep 08 2022 Zdenek Pytela <zpytela@redhat.com> - 34.1.43-1 - Update rhcd policy for executing additional commands 5 Resolves: rhbz#2119351 - Update rhcd policy for executing additional commands 4 Resolves: rhbz#2119351 - Allow rhcd create rpm hawkey logs with correct label Resolves: rhbz#2119351 - Update rhcd policy for executing additional commands 3 Resolves: rhbz#2119351 - Allow sssd to set samba setting Resolves: rhbz#2121125 - Allow journalctl read rhcd fifo files Resolves: rhbz#2119351 - Update insights-client policy for additional commands execution 5 Resolves: rhbz#2121125 - Confine insights-client systemd unit Resolves: rhbz#2121125 - Update insights-client policy for additional commands execution 4 Resolves: rhbz#2121125 - Update insights-client policy for additional commands execution 3 Resolves: rhbz#2121125 - Allow rhcd execute all executables Resolves: rhbz#2119351 - Update rhcd policy for executing additional commands 2 Resolves: rhbz#2119351 - Update insights-client policy for additional commands execution 2 Resolves: rhbz#2121125 Zdenek Pytela 2022-09-02 12:07:49 +0200
  • 2a4b303a6b Make dependency on rpm-plugin-selinux unordered Petr Lautrbach 2022-09-07 10:38:06 +0200
  • 9a58e62d76 * Fri Sep 02 2022 Zdenek Pytela <zpytela@redhat.com> - 37.10-1 - Allow ipsec_t read/write tpm devices - Allow rhcd execute all executables - Update rhcd policy for executing additional commands 2 - Update insights-client policy for additional commands execution 2 - Allow sysadm_t read raw memory devices - Allow chronyd send and receive chronyd/ntp client packets - Allow ssh client read kerberos homedir config files - Label /var/log/rhc-worker-playbook with rhcd_var_log_t - Update insights-client policy (auditctl, gpg, journal) - Allow system_cronjob_t domtrans to rpm_script_t - Allow smbd_t process noatsecure permission for winbind_rpcd_t - Update tor_bind_all_unreserved_ports interface - Allow chronyd bind UDP sockets to ptp_event ports. - Allow unconfined and sysadm users transition for /root/.gnupg - Add gpg_filetrans_admin_home_content() interface - Update rhcd policy for executing additional commands - Update insights-client policy for additional commands execution - Add userdom_view_all_users_keys() interface - Allow gpg read and write generic pty type - Allow chronyc read and write generic pty type - Allow system_dbusd ioctl kernel with a unix stream sockets - Allow samba-bgqd to read a printer list - Allow stalld get and set scheduling policy of all domains. - Allow unconfined_t transition to targetclid_home_t Zdenek Pytela 2022-09-02 14:10:03 +0200
  • 781039be23 * Mon Aug 29 2022 Zdenek Pytela <zpytela@redhat.com> - 34.1.42-1 - Label /var/log/rhc-worker-playbook with rhcd_var_log_t Resolves: rhbz#2119351 - Update insights-client policy (auditctl, gpg, journal) Resolves: rhbz#2107363 Zdenek Pytela 2022-08-29 15:12:23 +0200
  • 28da52cae8 Auto sync2gitlab import of selinux-policy-3.14.3-107.el8.src.rpm CentOS Sources 2022-08-27 14:20:01 +0000
  • 91869e6a9b import selinux-policy-3.14.3-107.el8 imports/c8s/selinux-policy-3.14.3-107.el8 CentOS Sources 2022-08-27 14:19:43 +0000
  • d1c3472797 * Thu Aug 25 2022 Nikola Knazekova <nknazeko@redhat.com> - 34.1.41-1 - Allow unconfined domains to bpf all other domains Resolves: RHBZ#2112014 - Allow stalld get and set scheduling policy of all domains. Resolves: rhbz#2105038 - Allow unconfined_t transition to targetclid_home_t Resolves: RHBZ#2106360 - Allow samba-bgqd to read a printer list Resolves: rhbz#2118977 - Allow system_dbusd ioctl kernel with a unix stream sockets Resolves: rhbz#2085392 - Allow chronyd bind UDP sockets to ptp_event ports. Resolves: RHBZ#2118631 - Update tor_bind_all_unreserved_ports interface Resolves: RHBZ#2089486 - Remove permissive domain for rhcd_t Resolves: rhbz#2119351 - Allow unconfined and sysadm users transition for /root/.gnupg Resolves: rhbz#2121125 - Add gpg_filetrans_admin_home_content() interface Resolves: rhbz#2121125 - Update rhcd policy for executing additional commands Resolves: rhbz#2119351 - Update insights-client policy for additional commands execution Resolves: rhbz#2119507 - Add rpm setattr db files macro Resolves: rhbz#2119507 - Add userdom_view_all_users_keys() interface Resolves: rhbz#2119507 - Allow gpg read and write generic pty type Resolves: rhbz#2119507 - Allow chronyc read and write generic pty type Resolves: rhbz#2119507 Nikola Knazekova 2022-08-25 18:10:43 +0200
  • 0fcafaead6 Update POLICYCOREUTILSVER to 3.4-1 Nikola Knazekova 2022-08-25 16:08:42 +0200
  • cd23a37542 import selinux-policy-3.14.3-95.el8_6.4 imports/c8/selinux-policy-3.14.3-95.el8_6.4 CentOS Sources 2022-08-24 04:17:53 -0400
  • 7c6344649f import selinux-policy-34.1.29-1.el9_0.2 imports/c9/selinux-policy-34.1.29-1.el9_0.2 CentOS Sources 2022-08-24 04:17:33 -0400
  • 58f4ff021b import selinux-policy-3.14.3-106.el8 imports/c8s/selinux-policy-3.14.3-106.el8 CentOS Sources 2022-08-16 02:10:34 +0000
  • 020b5dcec8 Auto sync2gitlab import of selinux-policy-3.14.3-106.el8.src.rpm CentOS Sources 2022-08-16 02:10:51 +0000
  • 5ac843b27b * Thu Aug 11 2022 Zdenek Pytela <zpytela@redhat.com> - 37.9-1 - Allow nm-dispatcher custom plugin dbus chat with nm - Allow nm-dispatcher sendmail plugin get status of systemd services - Allow xdm read the kernel key ring - Allow login_userdomain check status of mount units - Allow postfix/smtp and postfix/virtual read kerberos key table - Allow services execute systemd-notify - Do not allow login_userdomain use sd_notify() - Allow launch-xenstored read filesystem sysctls - Allow systemd-modules-load write to /dev/kmsg and send a message to syslogd - Allow openvswitch fsetid capability - Allow openvswitch use its private tmpfs files and dirs - Allow openvswitch search tracefs dirs - Allow pmdalinux read files on an nfsd filesystem - Allow winbind-rpcd write to winbind pid files - Allow networkmanager to signal unconfined process - Allow systemd_hostnamed label /run/systemd/* as hostnamed_etc_t - Allow samba-bgqd get a printer list - fix(init.fc): Fix section description - Allow fedora-third-party read the passwords file - Remove permissive domain for rhcd_t - Allow pmie read network state information and network sysctls - Revert "Dontaudit domain the fowner capability" - Allow sysadm_t to run bpftool on the userdomain attribute - Add the userdom_prog_run_bpf_userdomain() interface - Allow insights-client rpm named file transitions - Add /var/tmp/insights-archive to insights_client_filetrans_named_content Zdenek Pytela 2022-08-11 21:24:24 +0200
  • 48cb3e3e93 * Wed Aug 10 2022 Nikola Knazekova <nknazeko@redhat.com> - 34.1.40-1 - Allow systemd-modules-load write to /dev/kmsg and send a message to syslogd Resolves: RHBZ#2088257 - Allow systemd_hostnamed label /run/systemd/* as hostnamed_etc_t Resolves: RHBZ#1976684 - Allow samba-bgqd get a printer list Resolves: rhbz#2112395 - Allow networkmanager to signal unconfined process Resolves: RHBZ#2074414 - Update NetworkManager-dispatcher policy Resolves: RHBZ#2101910 - Allow openvswitch search tracefs dirs Resolves: rhbz#1988164 - Allow openvswitch use its private tmpfs files and dirs Resolves: rhbz#1988164 - Allow openvswitch fsetid capability Resolves: rhbz#1988164 Nikola Knazekova 2022-08-10 17:49:53 +0200
  • 6ef9bd966b Auto sync2gitlab import of selinux-policy-3.14.3-105.el8.src.rpm CentOS Sources 2022-08-02 22:11:21 +0000
  • f4a8d98cf7 import selinux-policy-3.14.3-105.el8 imports/c8s/selinux-policy-3.14.3-105.el8 CentOS Sources 2022-08-02 22:11:05 +0000
  • 3bda17335b * Tue Aug 02 2022 Nikola Knazekova <nknazeko@redhat.com> - 34.1.39-1 - Add support for systemd-network-generator Resolves: RHBZ#2111069 - Allow systemd work with install_t unix stream sockets Resolves: rhbz#2111206 - Allow sa-update to get init status and start systemd files Resolves: RHBZ#2061844 Nikola Knazekova 2022-08-02 22:59:23 +0200
  • 10566bff3f import selinux-policy-3.14.3-95.el8_6.1 imports/c8/selinux-policy-3.14.3-95.el8_6.1 CentOS Sources 2022-08-02 03:02:37 -0400
  • 1ccfff1aa1 * Mon Aug 01 2022 Zdenek Pytela <zpytela@redhat.com> - 37.8-1 - Allow sa-update to get init status and start systemd files - Use insights_client_filetrans_named_content - Make default file context match with named transitions - Allow nm-dispatcher tlp plugin send system log messages - Allow nm-dispatcher tlp plugin create and use unix_dgram_socket - Add permissions to manage lnk_files into gnome_manage_home_config - Allow rhsmcertd to read insights config files - Label /etc/insights-client/machine-id - fix(devices.fc): Replace single quote in comment to solve parsing issues - Make NetworkManager_dispatcher_custom_t an unconfined domain Zdenek Pytela 2022-08-01 11:07:08 +0200
  • 666bf02b7f Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild Fedora Release Engineering 2022-07-23 08:21:08 +0000
  • 91720b42e6 * Fri Jul 15 2022 Nikola Knazekova <nknazeko@redhat.com> - 34.1.38-1 - Allow some domains use sd_notify() Resolves: rhbz#2056565 - Revert "Allow rabbitmq to use systemd notify" Resolves: rhbz#2056565 - Update winbind_rpcd_t Resolves: rhbz#2102084 - Update chronyd_pid_filetrans() to allow create dirs Resolves: rhbz#2101910 - Allow keepalived read the contents of the sysfs filesystem Resolves: rhbz#2098130 - Define LIBSEPOL version 3.4-1 Resolves: rhbz#2095688 Nikola Knazekova 2022-07-15 16:05:08 +0200
  • 1478384cd2 Define LIBSEPOL version 3.4-1 Nikola Knazekova 2022-07-15 09:46:27 +0200
  • 7ffa63b0f9 * Thu Jul 14 2022 Zdenek Pytela <zpytela@redhat.com> - 37.7-1 - Update winbind_rpcd_t - Allow some domains use sd_notify() - Revert "Allow rabbitmq to use systemd notify" - fix(sedoctool.py): Fix syntax warning: "is not" with a literal - Allow nm-dispatcher console plugin manage etc files - Allow networkmanager_dispatcher_plugin list NetworkManager_etc_t dirs - Allow nm-dispatcher console plugin setfscreate - Support using systemd-update-helper in rpm scriptlets - Allow nm-dispatcher winbind plugin read samba config files - Allow domain use userfaultfd over all domains - Allow cups-lpd read network sysctls Zdenek Pytela 2022-07-14 21:38:38 +0200
  • 66163acd0f Auto sync2gitlab import of selinux-policy-3.14.3-104.el8.src.rpm CentOS Sources 2022-07-02 00:14:29 +0000
  • 06f68b9a6f import selinux-policy-3.14.3-104.el8 imports/c8s/selinux-policy-3.14.3-104.el8 CentOS Sources 2022-07-02 00:14:11 +0000
  • 730af95045 * Wed Jun 29 2022 Zdenek Pytela <zpytela@redhat.com> - 37.6-1 - Allow stalld set scheduling policy of kernel threads - Allow targetclid read /var/target files - Allow targetclid read generic SSL certificates (fixed) - Allow firewalld read the contents of the sysfs filesystem - Fix file context pattern for /var/target - Use insights_client_etc_t in insights_search_config() - Allow nm-dispatcher ddclient plugin handle systemd services - Allow nm-dispatcher winbind plugin run smbcontrol - Allow nm-dispatcher custom plugin create and use unix dgram socket - Update samba-dcerpcd policy for kerberos usage 2 - Allow keepalived read the contents of the sysfs filesystem - Allow amandad read network sysctls - Allow cups-lpd read network sysctls - Allow kpropd read network sysctls - Update insights_client_filetrans_named_content() - Allow rabbitmq to use systemd notify - Label /var/target with targetd_var_t - Allow targetclid read generic SSL certificates - Update rhcd policy - Allow rhcd search insights configuration directories - Add the kernel_read_proc_files() interface - Require policycoreutils >= 3.4-1 - Add a script for enclosing interfaces in ifndef statements - Disable rpm verification on interface_info Zdenek Pytela 2022-06-29 21:00:49 +0200
  • e0b2bb6894 Require policycoreutils >= 3.4-1 Zdenek Pytela 2022-06-29 20:48:12 +0200
  • 5eda2e5e49 Add a script for enclosing interfaces in ifndef statements Vit Mojzis 2021-09-03 16:15:57 +0200
  • 193d303b3b Disable rpm verification on interface_info Vit Mojzis 2022-03-30 14:47:15 +0200
  • ab0fff6428 * Wed Jun 29 2022 Zdenek Pytela <zpytela@redhat.com> - 34.1.37-1 - Allow targetclid read /var/target files Resolves: rhbz#2020169 - Update samba-dcerpcd policy for kerberos usage 2 Resolves: rhbz#2096521 - Allow samba-dcerpcd work with sssd Resolves: rhbz#2096521 - Allow stalld set scheduling policy of kernel threads Resolves: rhbz#2102224 Zdenek Pytela 2022-06-29 16:10:16 +0200
  • 8d1d780d0b * Tue Jun 28 2022 Zdenek Pytela <zpytela@redhat.com> - 34.1.36-1 - Allow targetclid read generic SSL certificates (fixed) Resolves: rhbz#2020169 - Fix file context pattern for /var/target Resolves: rhbz#2020169 - Use insights_client_etc_t in insights_search_config() Resolves: rhbz#1965013 Zdenek Pytela 2022-06-28 19:30:35 +0200
  • 64a29f1839 * Fri Jun 24 2022 Zdenek Pytela <zpytela@redhat.com> - 34.1.35-1 - Add the corecmd_watch_bin_dirs() interface Resolves: rhbz#1965013 - Update rhcd policy Resolves: rhbz#1965013 - Allow rhcd search insights configuration directories Resolves: rhbz#1965013 - Add the kernel_read_proc_files() interface Resolves: rhbz#1965013 - Update insights_client_filetrans_named_content() Resolves: rhbz#2081425 - Allow transition to insights_client named content Resolves: rhbz#2081425 - Add the insights_client_filetrans_named_content() interface Resolves: rhbz#2081425 - Update policy for insights-client to run additional commands 3 Resolves: rhbz#2081425 - Allow insights-client execute its private memfd: objects Resolves: rhbz#2081425 - Update policy for insights-client to run additional commands 2 Resolves: rhbz#2081425 - Use insights_client_tmp_t instead of insights_client_var_tmp_t Resolves: rhbz#2081425 - Change space indentation to tab in insights-client Resolves: rhbz#2081425 - Use socket permissions sets in insights-client Resolves: rhbz#2081425 - Update policy for insights-client to run additional commands Resolves: rhbz#2081425 - Allow init_t to rw insights_client unnamed pipe Resolves: rhbz#2081425 - Fix insights client Resolves: rhbz#2081425 - Update kernel_read_unix_sysctls() for sysctl_net_unix_t handling Resolves: rhbz#2081425 - Do not let system_cronjob_t create redhat-access-insights.log with var_log_t Resolves: rhbz#2081425 - Allow stalld get scheduling policy of kernel threads Resolves: rhbz#2096776 - Update samba-dcerpcd policy for kerberos usage Resolves: rhbz#2096521 - Allow winbind_rpcd_t connect to self over a unix_stream_socket Resolves: rhbz#2096255 - Allow dlm_controld send a null signal to a cluster daemon Resolves: rhbz#2095884 - Allow dhclient manage pid files used by chronyd The chronyd_manage_pid_files() interface was added. - Resolves: rhbz#2094155 Allow install_t nnp_domtrans to setfiles_mac_t - Resolves: rhbz#2073010 - Allow rabbitmq to use systemd notify Resolves: rhbz#2056565 - Allow ksmctl create hardware state information files Resolves: rhbz#2021131 - Label /var/target with targetd_var_t Resolves: rhbz#2020169 - Allow targetclid read generic SSL certificates Resolves: rhbz#2020169 Zdenek Pytela 2022-06-24 23:20:46 +0200
  • 53d2cbdc84 * Wed Jun 22 2022 Zdenek Pytela <zpytela@redhat.com> - 37.5-1 - Allow transition to insights_client named content - Add the insights_client_filetrans_named_content() interface - Update policy for insights-client to run additional commands 3 - Allow dhclient manage pid files used by chronyd - Allow stalld get scheduling policy of kernel threads - Allow samba-dcerpcd work with sssd - Allow dlm_controld send a null signal to a cluster daemon - Allow ksmctl create hardware state information files - Allow winbind_rpcd_t connect to self over a unix_stream_socket - Update samba-dcerpcd policy for kerberos usage - Allow insights-client execute its private memfd: objects - Update policy for insights-client to run additional commands 2 - Use insights_client_tmp_t instead of insights_client_var_tmp_t - Change space indentation to tab in insights-client - Use socket permissions sets in insights-client - Update policy for insights-client to run additional commands - Change rpm_setattr_db_files() to use a pattern - Allow init_t to rw insights_client unnamed pipe - Add rpm setattr db files macro - Fix insights client - Update kernel_read_unix_sysctls() for sysctl_net_unix_t handling - Allow rabbitmq to access its private memfd: objects - Update policy for samba-dcerpcd - Allow stalld setsched and sys_nice Zdenek Pytela 2022-06-22 18:50:29 +0200
  • 7104f739ec Run restorecon for nm-dispatcher directory only if it exists Zdenek Pytela 2022-06-10 21:35:31 +0200
  • 09418e83d2 Auto sync2gitlab import of selinux-policy-3.14.3-100.el8.src.rpm CentOS Sources 2022-06-11 10:09:54 +0000
  • cec5ade880 import selinux-policy-3.14.3-100.el8 imports/c8s/selinux-policy-3.14.3-100.el8 CentOS Sources 2022-06-11 10:09:05 +0000
  • 14f9935fa0 * Thu Jun 09 2022 Zdenek Pytela <zpytela@redhat.com> - 34.1.34-1 - Allow stalld setsched and sys_nice Resolves: rhbz#2092864 - Allow rhsmcertd to create cache file in /var/cache/cloud-what Resolves: rhbz#2092333 - Update policy for samba-dcerpcd Resolves: rhbz#2083509 - Add support for samba-dcerpcd Resolves: rhbz#2083509 - Allow rabbitmq to access its private memfd: objects Resolves: rhbz#2056565 - Confine targetcli Resolves: rhbz#2020169 - Add policy for wireguard Resolves: 1964862 - Label /var/cache/insights with insights_client_cache_t Resolves: rhbz#2062136 - Allow ctdbd nlmsg_read on netlink_tcpdiag_socket Resolves: rhbz#2094489 - Allow auditd_t noatsecure for a transition to audisp_remote_t Resolves: rhbz#2081907 Zdenek Pytela 2022-06-09 16:26:59 +0200
  • 1cc1f4ddfc Connect triggerin to pcre2 instead of pcre Petr Lautrbach 2021-10-18 14:44:42 +0200
  • e59ad3159d Add wireguard module to modules-targeted-contrib.conf Zdenek Pytela 2022-06-09 16:01:15 +0200
  • 75ed729ffd * Tue Jun 07 2022 Zdenek Pytela <zpytela@redhat.com> - 37.4-1 - Allow auditd_t noatsecure for a transition to audisp_remote_t - Allow ctdbd nlmsg_read on netlink_tcpdiag_socket - Allow pcp_domain execute its private memfd: objects - Add support for samba-dcerpcd - Add policy for wireguard - Confine targetcli - Allow systemd work with install_t unix stream sockets - Allow iscsid the sys_ptrace userns capability - Allow xdm connect to unconfined_service_t over a unix stream socket Zdenek Pytela 2022-06-07 22:33:10 +0200
  • 291ee391b8 Auto sync2gitlab import of selinux-policy-3.14.3-99.el8.src.rpm James Antill 2022-06-07 00:01:12 -0400
  • bbc61bc528 Auto sync2gitlab import of selinux-policy-3.14.3-98.el8.src.rpm James Antill 2022-05-31 15:00:30 -0400
  • f4e876e432 import selinux-policy-3.14.3-99.el8 imports/c8s/selinux-policy-3.14.3-99.el8 CentOS Sources 2022-05-30 20:09:51 +0000
  • f69f4a323f * Fri May 27 2022 Zdenek Pytela <zpytela@redhat.com> - 37.3-1 - Allow nm-dispatcher custom plugin execute systemctl - Allow nm-dispatcher custom plugin dbus chat with nm - Allow nm-dispatcher custom plugin create and use udp socket - Allow nm-dispatcher custom plugin create and use netlink_route_socket - Use create_netlink_socket_perms in netlink_route_socket class permissions - Add support for nm-dispatcher sendmail scripts - Allow sslh net_admin capability - Allow insights-client manage gpg admin home content - Add the gpg_manage_admin_home_content() interface - Allow rhsmcertd create generic log files - Update logging_create_generic_logs() to use create_files_pattern() - Label /var/cache/insights with insights_client_cache_t - Allow insights-client search gconf homedir - Allow insights-client create and use unix_dgram_socket - Allow blueman execute its private memfd: files - Move the chown call into make-srpm.sh Zdenek Pytela 2022-05-27 21:08:08 +0200
  • b3c14aca87 * Fri May 27 2022 Zdenek Pytela <zpytela@redhat.com> - 34.1.33-1 - Allow insights-client manage gpg admin home content Resolves: rhbz#2062136 - Add the gpg_manage_admin_home_content() interface Resolves: rhbz#2062136 - Add rhcd policy Resolves: bz#1965013 - Allow svirt connectto virtlogd Resolves: rhbz#2000881 - Add ksm service to ksmtuned Resolves: rhbz#2021131 - Allow nm-privhelper setsched permission and send system logs Resolves: rhbz#2053639 - Update the policy for systemd-journal-upload Resolves: rhbz#2085369 - Allow systemd-journal-upload watch logs and journal Resolves: rhbz#2085369 - Create a policy for systemd-journal-upload Resolves: rhbz#2085369 - Allow insights-client create and use unix_dgram_socket Resolves: rhbz#2087765 - Allow insights-client search gconf homedir Resolves: rhbz#2087765 Zdenek Pytela 2022-05-27 17:03:29 +0200
  • 7b45c2b424 Add rhcd module to modules-targeted-contrib.conf Zdenek Pytela 2022-05-27 16:58:53 +0200
  • 70d901a9e4 Auto sync2gitlab import of selinux-policy-3.14.3-95.el8.src.rpm James Antill 2022-05-26 14:23:57 -0400
  • d550681291 Initial c8s branch. James Antill 2022-05-26 14:23:53 -0400
  • fccb378e9b * Fri May 06 2022 Zdenek Pytela <zpytela@redhat.com> - 37.2-1 - Use the networkmanager_dispatcher_plugin attribute in allow rules - Make a custom nm-dispatcher plugin transition - Label port 4784/tcp and 4784/udp with bfd_multi - Allow systemd watch and watch_reads user ptys - Allow sblim-gatherd the kill capability - Label more vdsm utils with virtd_exec_t - Add ksm service to ksmtuned - Add rhcd policy - Dontaudit guest attempts to dbus chat with systemd domains - Dontaudit guest attempts to dbus chat with system bus types - Use a named transition in systemd_hwdb_manage_config() - Add default fc specifications for patterns in /opt - Add the files_create_etc_files() interface - Allow nm-dispatcher console plugin create and write files in /etc - Allow nm-dispatcher console plugin transition to the setfiles domain - Allow more nm-dispatcher plugins append to init stream sockets - Allow nm-dispatcher tlp plugin dbus chat with nm - Reorder networkmanager_dispatcher_plugin_template() calls - Allow svirt connectto virtlogd - Allow blueman map its private memfd: files - Allow sysadm user execute init scripts with a transition - Allow sblim-sfcbd connect to sblim-reposd stream - Allow keepalived_unconfined_script_t dbus chat with init - Run restorecon with "-i" not to report errors Zdenek Pytela 2022-05-18 20:30:58 +0200
  • 6f5dd4b697 import selinux-policy-34.1.29-1.el9_0 imports/c9/selinux-policy-34.1.29-1.el9_0 CentOS Sources 2022-05-17 06:24:44 -0400
  • 29a520ae24 * Wed May 11 2022 Zdenek Pytela <zpytela@redhat.com> - 34.1.32-1 Zdenek Pytela 2022-05-11 20:55:03 +0200
  • 527e11b6c8 Users have to be generated in policy/users to make 3.4 userspace happy Petr Lautrbach 2022-04-14 13:53:53 +0200
  • 2726dc48f2 import selinux-policy-3.14.3-95.el8 imports/c8/selinux-policy-3.14.3-95.el8 CentOS Sources 2022-05-10 03:13:52 -0400
  • 1f963fdee4 import selinux-policy-3.14.3-98.el8 imports/c8s/selinux-policy-3.14.3-98.el8 CentOS Sources 2022-05-07 12:08:42 +0000
  • 59a2a4bfc4 Run restorecon with "-i" not to report errors Zdenek Pytela 2022-05-06 14:33:26 +0200
  • 5fd82ec867 * Wed May 04 2022 Nikola Knazekova <nknazeko@redhat.com> - 34.1.31-2 - Remove letter v from version Related: rhbz#2061680 Nikola Knazekova 2022-05-04 10:27:22 +0200
  • 0e9b088744 * Mon May 02 2022 Zdenek Pytela <zpytela@redhat.com> - 37.1-1 - Fix users for SELinux userspace 3.4 - Label /var/run/machine-id as machineid_t - Add stalld to modules.conf - Use files_tmpfs_file() for rhsmcertd_tmpfs_t - Allow blueman read/write its private memfd: objects - Allow insights-client read rhnsd config files - Allow insights-client create_socket_perms for tcp/udp sockets Zdenek Pytela 2022-05-02 17:50:25 +0200
  • 936c0dfc4c Users have to be generated in policy/users to make 3.4 userspace happy Petr Lautrbach 2022-04-14 13:53:53 +0200
  • e67d11e38d Mon May 02 2022 Nikola Knazekova <nknazeko@redhat.com> - v34.1.31-1 Nikola Knazekova 2022-05-02 14:19:14 +0200
  • 637873d5ad Add stalld module to modules-targeted-contrib.conf Nikola Knazekova 2022-05-02 14:10:20 +0200
  • d5d18f13f7 Exclude container.if from selinux-policy-devel The container-selinux has been separated from selinux-policy, but selinux-policy still contains the interface in selinux-policy-devel subpackage, which can result in errors like Nikola Knazekova 2022-05-02 13:59:29 +0200
  • c4a5cce598 import selinux-policy-3.14.3-97.el8 imports/c8s/selinux-policy-3.14.3-97.el8 CentOS Sources 2022-04-30 08:11:18 +0000
  • af1a501769 * Tue Apr 26 2022 Zdenek Pytela <zpytela@redhat.com> - 36.8-1 - Allow nm-dispatcher chronyc plugin append to init stream sockets - Allow tmpreaper the sys_ptrace userns capability - Label /usr/libexec/vdsm/supervdsmd and vdsmd with virtd_exec_t - Allow nm-dispatcher tlp plugin read/write the wireless device - Allow nm-dispatcher tlp plugin append to init socket - Allow nm-dispatcher tlp plugin be client of a system bus - Allow nm-dispatcher list its configuration directory - Ecryptfs-private support - Allow colord map /var/lib directories - Allow ntlm_auth read the network state information - Allow insights-client search rhnsd configuration directory Zdenek Pytela 2022-04-26 11:56:41 +0200
  • 23fa4eb394 * Thu Apr 21 2022 Zdenek Pytela <zpytela@redhat.com> - 36.7-3 - Add support for nm-dispatcher tlp-rdw scripts - Update github actions to satisfy git 2.36 stricter rules - New policy for stalld - Allow colord read generic files in /var/lib - Allow xdm mounton user temporary socket files - Allow systemd-gpt-auto-generator create and use netlink_kobject_uevent_socket - Allow sssd domtrans to pkcs_slotd_t - Allow keepalived setsched and sys_nice - Allow xdm map generic files in /var/lib - Allow xdm read generic symbolic links in /var/lib - Allow pppd create a file in the locks directory - Add file map permission to lpd_manage_spool() interface - Allow system dbus daemon watch generic directories in /var/lib - Allow pcscd the sys_ptrace userns capability - Add the corecmd_watch_bin_dirs() interface Zdenek Pytela 2022-04-21 09:24:57 +0200
  • 489937c6c2 Relabel explicitly some dirs in %posttrans scriptlets Zdenek Pytela 2022-04-21 09:15:28 +0200
  • 8e34354093 Add stalld module to modules-targeted-contrib.conf Zdenek Pytela 2022-04-21 09:10:30 +0200
  • 98a41b6a2c * Tue Apr 19 2022 Zdenek Pytela <zpytela@redhat.com> - 34.1.30-2 - Update source branches to build a new package for RHEL 9.1.0 Resolves: rhbz#2070982 Zdenek Pytela 2022-04-19 17:39:29 +0200
  • 5d8c009a98 Tue Apr 12 2022 Nikola Knazekova <nknazeko@redhat.com> - 34.1.30-1 Nikola Knazekova 2022-04-12 13:22:32 +0200
  • 0bd517d749 import selinux-policy-3.14.3-96.el8 imports/c8s/selinux-policy-3.14.3-96.el8 CentOS Sources 2022-04-13 04:08:55 +0000
  • d16a3024e0 * Thu Mar 31 2022 Zdenek Pytela <zpytela@redhat.com> - 34.1.29-1 - Allow qemu-kvm create and use netlink rdma sockets Resolves: rhbz#2070569 - Label corosync-cfgtool with cluster_exec_t Resolves: rhbz#2067501 Zdenek Pytela 2022-03-31 19:38:05 +0200
  • ac95e7125b import selinux-policy-34.1.28-1.el9_0 imports/c9-beta/selinux-policy-34.1.28-1.el9_0 CentOS Sources 2022-04-05 07:02:16 -0400
  • cab4d847c2 * Thu Mar 24 2022 Zdenek Pytela <zpytela@redhat.com> - 34.1.28-1 - Allow logrotate a domain transition to cluster administrative domain Resolves: rhbz#2061277 - Change the selinuxuser_execstack boolean value to true Resolves: rhbz#2064274 Zdenek Pytela 2022-03-24 15:56:48 +0100
  • d0c8cc2186 Change the selinuxuser_execstack boolean value to true Zdenek Pytela 2022-03-24 15:22:33 +0100
  • f3ea959687 * Mon Apr 04 2022 Zdenek Pytela <zpytela@redhat.com> - 36.6-1 - Add support for systemd-network-generator - Add the io_uring class - Allow nm-dispatcher dhclient plugin append to init stream sockets - Relax the naming pattern for systemd private shared libraries - Allow nm-dispatcher iscsid plugin append to init socket - Add the init_append_stream_sockets() interface - Allow nm-dispatcher dnssec-trigger script to execute pidof - Add support for nm-dispatcher dnssec-trigger scripts - Allow chronyd talk with unconfined user over unix domain dgram socket - Allow fenced read kerberos key tables - Add support for nm-dispatcher ddclient scripts - Add systemd_getattr_generic_unit_files() interface - Allow fprintd read and write hardware state information - Allow exim watch generic certificate directories - Remove duplicate fc entries for corosync and corosync-notifyd - Label corosync-cfgtool with cluster_exec_t - Allow qemu-kvm create and use netlink rdma sockets - Allow logrotate a domain transition to cluster administrative domain Zdenek Pytela 2022-04-04 14:10:25 +0200
  • 6c178f644a import selinux-policy-3.14.3-93.el8 imports/c8-beta/selinux-policy-3.14.3-93.el8 CentOS Sources 2022-03-29 14:10:06 -0400
  • 3058c67a35 import selinux-policy-3.14.3-95.el8 imports/c8s/selinux-policy-3.14.3-95.el8 CentOS Sources 2022-03-26 12:14:14 +0000
  • d329b24f22 import selinux-policy-3.14.3-94.el8 imports/c8s/selinux-policy-3.14.3-94.el8 CentOS Sources 2022-03-11 22:12:25 +0000
  • 46273b67bf * Fri Mar 18 2022 Zdenek Pytela <zpytela@redhat.com> - 36.5-1 - Add support for nm-dispatcher console helper scripts - Allow nm-dispatcher plugins read its directory and sysfs - Do not let system_cronjob_t create redhat-access-insights.log with var_log_t - devices: Add a comment about cardmgr_dev_t - Add basic policy for BinderFS - Label /var/run/ecblp0 pipe with cupsd_var_run_t - Allow rpmdb create directory in /usr/lib/sysimage - Allow rngd drop privileges via setuid/setgid/setcap - Allow init watch and watch_reads user ttys - Allow systemd-logind dbus chat with sosreport - Allow chronyd send a message to sosreport over datagram socket - Remove unnecessary /etc file transitions for insights-client - Label all content in /var/lib/insights with insights_client_var_lib_t - Update insights-client policy Zdenek Pytela 2022-03-18 18:48:45 +0100
  • 842d9c9cdb import selinux-policy-34.1.26-1.el9 imports/c9-beta/selinux-policy-34.1.26-1.el9 CentOS Sources 2022-03-01 08:15:03 -0500
  • 6b1418ae16 import selinux-policy-3.14.3-93.el8 imports/c8s/selinux-policy-3.14.3-93.el8 CentOS Sources 2022-02-27 05:26:39 +0000
  • f60c51e134 * Thu Feb 24 2022 Zdenek Pytela <zpytela@redhat.com> - 34.1.27-1 - Allow ModemManager connect to the unconfined user domain Resolves: rhbz#2000196 - Label /dev/wwan.+ with modem_manager_t Resolves: rhbz#2000196 - Allow systemd-coredump userns capabilities and root mounton Resolves: rhbz#2057435 - Allow systemd-coredump read and write usermodehelper state Resolves: rhbz#2057435 - Allow sysadm_passwd_t to relabel passwd and group files Resolves: rhbz#2053458 - Allow systemd-sysctl read the security state information Resolves: rhbz#2056999 - Remove unnecessary /etc file transitions for insights-client Resolves: rhbz#2055823 - Label all content in /var/lib/insights with insights_client_var_lib_t Resolves: rhbz#2055823 - Update insights-client policy Resolves: rhbz#2055823 - Update insights-client: fc pattern, motd, writing to etc Resolves: rhbz#2055823 - Update specfile to buildrequire policycoreutils-devel >= 3.3-5 - Add modules_checksum to %files Zdenek Pytela 2022-02-24 12:24:53 +0100
  • e42de71056 Add insights_client module to modules-targeted-contrib.conf Zdenek Pytela 2022-02-23 18:43:55 +0100
  • 2cdf9ca305 import selinux-policy-3.14.3-92.el8 imports/c8s/selinux-policy-3.14.3-92.el8 CentOS Sources 2022-02-23 14:25:13 +0000
  • 20d8d119db * Wed Feb 23 2022 Zdenek Pytela <zpytela@redhat.com> - 36.4-1 - Update NetworkManager-dispatcher cloud and chronyc policy - Update insights-client: fc pattern, motd, writing to etc - Allow systemd-sysctl read the security state information - Allow init create and mounton to support PrivateDevices - Allow sosreport dbus chat abrt systemd timedatex Zdenek Pytela 2022-02-23 14:55:24 +0100
  • a3ac25c352 Update specfile to use new policycoreutils Zdenek Pytela 2022-02-22 18:25:37 +0100
  • b1087928cf * Thu Feb 17 2022 Zdenek Pytela <zpytela@redhat.com> - 36.3-1 - Update NetworkManager-dispatcher policy to use scripts - Allow init mounton kernel messages device - Revert "Make dbus-broker service working on s390x arch" - Remove permissive domain for insights_client_t - Allow userdomain read symlinks in /var/lib - Allow iptables list cgroup directories - Dontaudit mdadm list dirsrv tmpfs dirs - Dontaudit dirsrv search filesystem sysctl directories - Allow chage domtrans to sssd - Allow postfix_domain read dovecot certificates - Allow systemd-networkd create and use netlink netfilter socket - Allow nm-dispatcher read nm-dispatcher-script symlinks - filesystem.te: add genfscon rule for ntfs3 filesystem - Allow rhsmcertd get attributes of cgroup filesystems - Allow sandbox_web_client_t watch various dirs - Exclude container.if from policy devel files - Run restorecon on /usr/lib/sysimage/rpm instead of /var/lib/rpm Zdenek Pytela 2022-02-17 23:37:33 +0100
  • 8a1fd2d0a4 * Thu Feb 17 2022 Zdenek Pytela <zpytela@redhat.com> - 34.1.26-1 - Remove permissive domain for insights_client_t Resolves: rhbz#2055823 - New policy for insight-client Resolves: rhbz#2055823 - Allow confined sysadmin to use tool vipw Resolves: rhbz#2053458 - Allow chage domtrans to sssd Resolves: rhbz#2054657 - Remove label for /usr/sbin/bgpd Resolves: rhbz#2055578 - Dontaudit pkcsslotd sys_admin capability Resolves: rhbz#2055639 - Do not change selinuxuser_execmod and selinuxuser_execstack Resolves: rhbz#2055822 - Allow tuned to read rhsmcertd config files Resolves: rhbz#2055823 Zdenek Pytela 2022-02-17 22:06:31 +0100
  • d5bb233ea2 Do not change selinuxuser_execmod and selinuxuser_execstack Zdenek Pytela 2022-02-17 22:02:29 +0100
  • be2e9e731d Add the insights_client module Zdenek Pytela 2022-02-17 22:02:02 +0100
  • 34edc3e97a * Mon Feb 14 2022 Zdenek Pytela <zpytela@redhat.com> - 34.1.25-1 - Allow systemd watch unallocated ttys Resolves: rhbz#2054150 - Allow alsa bind mixer controls to led triggers Resolves: rhbz#2049732 - Allow alsactl set group Process ID of a process Resolves: rhbz#2049732 - Allow unconfined to run virtd bpf Resolves: rhbz#2033504 Zdenek Pytela 2022-02-14 15:33:14 +0100
  • 652ddc6c42 * Fri Feb 11 2022 Zdenek Pytela <zpytela@redhat.com> - 36.2-1 - Allow sysadm_passwd_t to relabel passwd and group files - Allow confined sysadmin to use tool vipw - Allow login_userdomain map /var/lib/directories - Allow login_userdomain watch library and fonts dirs - Allow login_userdomain watch system configuration dirs - Allow login_userdomain read systemd runtime files - Allow ctdb create cluster logs - Allow alsa bind mixer controls to led triggers - New policy for insight-client - Add mctp_socket security class and access vectors - Fix koji repo URL pattern - Update chronyd_pid_filetrans() to allow create dirs - Update NetworkManager-dispatcher policy - Allow unconfined to run virtd bpf - Allow nm-privhelper setsched permission and send system logs - Add the map permission to common_anon_inode_perm permission set - Rename userfaultfd_anon_inode_perms to common_inode_perms - Allow confined users to use kinit, klist, etc. - Allow rhsmcertd create rpm hawkey logs with correct label Zdenek Pytela 2022-02-11 12:26:34 +0100
  • 7ea9c9ad66 import selinux-policy-3.14.3-91.el8 imports/c8s/selinux-policy-3.14.3-91.el8 CentOS Sources 2022-02-11 05:32:48 +0000
  • 93570f083c * Fri Feb 04 2022 Zdenek Pytela <zpytela@redhat.com> - 34.1.24-1 - Allow tumblerd write to session_dbusd tmp socket files Resolves: rhbz#2000039 - Allow login_userdomain write to session_dbusd tmp socket files Resolves: rhbz#2000039 - Allow login_userdomain create session_dbusd tmp socket files Resolves: rhbz#2000039 - Allow gkeyringd_domain write to session_dbusd tmp socket files Resolves: rhbz#2000039 - Allow systemd-logind delete session_dbusd tmp socket files Resolves: rhbz#2000039 - Allow gdm-x-session write to session dbus tmp sock files Resolves: rhbz#2000039 - Allow sysadm_t nnp_domtrans to systemd_tmpfiles_t Resolves: rhbz#2039453 - Label exFAT utilities at /usr/sbin Resolves: rhbz#1972225 Zdenek Pytela 2022-02-04 17:43:05 +0100
  • a2b5a0667a * Thu Feb 03 2022 Zdenek Pytela <zpytela@redhat.com> - 36.1-1 - Label exFAT utilities at /usr/sbin - policy/modules/contrib: Support /usr/lib/sysimage/rpm as the rpmdb path - Enable genfs_seclabel_symlinks policy capability - Sync policy/policy_capabilities with refpolicy - refpolicy: drop unused socket security classes - Label new utility of NetworkManager nm-priv-helper - Label NetworkManager-dispatcher service with separate context - Allow sanlock get attributes of filesystems with extended attributes - Associate stratisd_data_t with device filesystem - Allow init read stratis data symlinks Zdenek Pytela 2022-02-03 22:57:19 +0100
  • 4d21d7d728 * Wed Feb 02 2022 Zdenek Pytela <zpytela@redhat.com> - 34.1.23-1 - Allow systemd nnp_transition to login_userdomain Resolves: rhbz#2039453 - Label /var/run/user/%{USERID}/dbus with session_dbusd_tmp_t Resolves: rhbz#2000039 - Change /run/user/[0-9]+ to /run/user/%{USERID} for proper labeling Resolves: rhbz#2000039 - Allow scripts to enter LUKS password Resolves: rhbz#2048521 - Allow system_mail_t read inherited apache system content rw files Resolves: rhbz#2049372 - Add apache_read_inherited_sys_content_rw_files() interface Related: rhbz#2049372 - Allow sanlock get attributes of filesystems with extended attributes Resolves: rhbz#2047811 - Associate stratisd_data_t with device filesystem Resolves: rhbz#2039974 - Allow init read stratis data symlinks Resolves: rhbz#2039974 - Label /run/stratisd with stratisd_var_run_t Resolves: rhbz#2039974 - Allow domtrans to sssd_t and role access to sssd Resolves: rhbz#2039757 - Creating interface sssd_run_sssd() Resolves: rhbz#2039757 - Fix badly indented used interfaces Resolves: rhbz#2039757 - Allow domain transition to sssd_t Resolves: rhbz#2039757 - Label /dev/nvme-fabrics with fixed_disk_device_t Resolves: rhbz#2039759 - Allow local_login_t nnp_transition to login_userdomain Resolves: rhbz#2039453 - Allow xdm_t nnp_transition to login_userdomain Resolves: rhbz#2039453 - Make cupsd_lpd_t a daemon Resolves: rhbz#2039449 - Label utilities for exFAT filesystems with fsadm_exec_t Resolves: rhbz#1972225 - Dontaudit sfcbd sys_ptrace cap_userns Resolves: rhbz#2040311 Zdenek Pytela 2022-02-02 20:25:06 +0100
  • aa60c4739e import selinux-policy-34.1.22-1.el9 imports/c9-beta/selinux-policy-34.1.22-1.el9 CentOS Sources 2022-02-01 13:18:34 -0500
  • 7774d24565 * Tue Feb 01 2022 Zdenek Pytela <zpytela@redhat.com> - 35.13-1 - Allow systemd services watch dbusd pid directory and its parents - Allow ModemManager connect to the unconfined user domain - Label /dev/wwan.+ with modem_manager_t - Allow alsactl set group Process ID of a process - Allow domtrans to sssd_t and role access to sssd - Creating interface sssd_run_sssd() - Label utilities for exFAT filesystems with fsadm_exec_t - Label /dev/nvme-fabrics with fixed_disk_device_t - Allow init delete generic tmp named pipes - Allow timedatex dbus chat with xdm Zdenek Pytela 2022-02-01 16:42:40 +0100
  • a6acbb622f import selinux-policy-3.14.3-89.el8 imports/c8s/selinux-policy-3.14.3-89.el8 CentOS Sources 2022-01-28 04:21:25 +0000
  • ef40c9474b import selinux-policy-3.14.3-88.el8 imports/c8s/selinux-policy-3.14.3-88.el8 CentOS Sources 2022-01-27 05:04:42 +0000
  • 742db0fd66 * Wed Jan 26 2022 Zdenek Pytela <zpytela@redhat.com> - 35.12-1 - Fix badly indented used interfaces - Allow domain transition to sssd_t - Dontaudit sfcbd sys_ptrace cap_userns - Label /var/lib/plocate with locate_var_lib_t - Allow hostapd talk with unconfined user over unix domain dgram socket - Allow NetworkManager talk with unconfined user over unix domain dgram socket - Allow system_mail_t read inherited apache system content rw files - Add apache_read_inherited_sys_content_rw_files() interface - Allow rhsm-service execute its private memfd: objects - Allow dirsrv read configfs files and directories - Label /run/stratisd with stratisd_var_run_t - Allow tumblerd write to session_dbusd tmp socket files Zdenek Pytela 2022-01-26 19:28:39 +0100