rpms/selinux-policy
7
0
Fork 0
Code Issues Pull Requests Releases Activity

Commit Graph

  • 95a4bac6d3 Revert "* Tue Jun 22 2021 Zdenek Pytela <zpytela@redhat.com> - 34.12-2" Zdenek Pytela 2021-08-27 11:43:37 +0200
  • c53bdced40 * Fri Aug 27 2021 Zdenek Pytela <zpytela@redhat.com> - 3.14.3-79 - Introduce xdm_manage_bootloader booelan Resolves: rhbz#1994096 - Rename samba_exec() to samba_exec_net() Resolves: rhbz#1855215 - Allow sssd to set samba setting Resolves: rhbz#1855215 - Allow dirsrv read slapd tmpfs files Resolves: rhbz#1843238 - Allow rhsmcertd to create cache file in /var/cache/cloud-what Resolves: rhbz#1994718 Zdenek Pytela 2021-08-27 11:39:38 +0200
  • b42446e02d * Wed Aug 25 2021 Zdenek Pytela <zpytela@redhat.com> - 34.1.14-1 - Support using ICA crypto accelerator on s390x arch Resolves: rhbz#1976180 - Allow systemd delete /run/systemd/default-hostname Resolves: rhbz#1978507 - Label /usr/bin/Xwayland with xserver_exec_t Resolves: rhbz#1993151 - Label /usr/libexec/gdm-runtime-config with xdm_exec_t Resolves: rhbz#1993151 - Allow tcpdump read system state information in /proc Resolves: rhbz#1972577 - Allow firewalld drop capabilities Resolves: rhbz#1989641 Zdenek Pytela 2021-08-25 18:48:38 +0200
  • 757d64d9d6 * Thu Aug 12 2021 Zdenek Pytela <zpytela@redhat.com> - 34.16-1 - Allow systemd-timesyncd watch system dbus pid socket files - Allow firewalld drop capabilities - Allow rhsmcertd execute gpg - Allow lldpad send to kdump over a unix dgram socket - Allow systemd-gpt-auto-generator read udev pid files - Set default file context for /sys/firmware/efi/efivars - Allow tcpdump run as a systemd service - Allow nmap create and use netlink generic socket - Allow nscd watch system db files in /var/db - Allow cockpit_ws_t get attributes of fs_t filesystems - Allow sysadm acces to kernel module resources - Allow sysadm to read/write scsi files and manage shadow - Allow sysadm access to files_unconfined and bind rpc ports - Allow sysadm read and view kernel keyrings - Allow journal mmap and read var lib files - Allow tuned to read rhsmcertd config files - Allow bootloader to read tuned etc files - Label /usr/bin/qemu-storage-daemon with virtd_exec_t Zdenek Pytela 2021-08-12 18:39:36 +0200
  • cf60736fb6 * Thu Aug 12 2021 Zdenek Pytela <zpytela@redhat.com> - 34.1.13-1 - Add "/" at the beginning of dev/shm/var\.lib\.opencryptoki.* regexp Resolves: rhbz#1977915 - Set default file context for /sys/firmware/efi/efivars Resolves: rhbz#1972372 - Allow tcpdump run as a systemd service Resolves: rhbz#1972577 - Allow nmap create and use netlink generic socket Resolves: rhbz#1985212 - Allow nscd watch system db files in /var/db Resolves: rhbz#1989416 - Allow systemd-gpt-auto-generator read udev pid files Resolves: rhbz#1992638 Zdenek Pytela 2021-08-12 16:15:32 +0200
  • 991febef9c * Tue Aug 10 2021 Zdenek Pytela <zpytela@redhat.com> - 34.1.12-1 - Revert "update libs_filetrans_named_content() to have support for /usr/lib/debug directory" Resolves: rhbz#1990813 - Label /dev/crypto/nx-gzip with accelerator_device_t Resolves: rhbz#1973953 - Label /usr/bin/qemu-storage-daemon with virtd_exec_t Resolves: rhbz#1977245 - Allow systemd-machined stop generic service units Resolves: rhbz#1979522 - Label /.k5identity file allow read of this file to rpc.gssd Resolves: rhbz#1980610 Zdenek Pytela 2021-08-10 16:28:03 +0200
  • 57b195c83b Rebuilt for IMA sigs, glibc 2.34, aarch64 flags Mohan Boddu 2021-08-10 00:49:40 +0000
  • 58dbb0353c * Fri Aug 06 2021 Zdenek Pytela <zpytela@redhat.com> - 34.15-1 - Disable seccomp on CI containers - Allow systemd-machined stop generic service units - Allow virtlogd_t read process state of user domains - Add "/" at the beginning of dev/shm/var\.lib\.opencryptoki.* regexp - Label /dev/crypto/nx-gzip with accelerator_device_t - Update the policy for systemd-journal-upload - Allow unconfined domains to bpf all other domains - Confine rhsm service and rhsm-facts service as rhsmcertd_t - Allow fcoemon talk with unconfined user over unix domain datagram socket - Allow abrt_domain read and write z90crypt device - Allow mdadm read iscsi pid files - Change dev_getattr_infiniband_dev() to use getattr_chr_files_pattern() - Label /usr/lib/pcs/pcs_snmp_agent with cluster_exec_t - Allow hostapd bind UDP sockets to the dhcpd port - Unconfined domains should not be confined Zdenek Pytela 2021-08-06 19:30:54 +0200
  • 4548b66f2e * Thu Jul 29 2021 Zdenek Pytela <zpytela@redhat.com> - 34.1.11-1 - Allow hostapd bind UDP sockets to the dhcpd port Resolves: rhbz#1979968 - Allow mdadm read iscsi pid files Resolves: rhbz#1976073 - Unconfined domains should not be confined Resolves: rhbz#1977986 - Allow NetworkManager_t to watch /etc Resolves: rhbz#1980000 - Allow using opencryptoki for ipsec Resolves: rhbz#1977915 Zdenek Pytela 2021-07-29 17:11:36 +0200
  • 418902d2f4 - Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild Fedora Release Engineering 2021-07-23 17:20:44 +0000
  • c0ea3a13a7 * Wed Jul 14 2021 Zdenek Pytela <zpytela@redhat.com> - 34.1.10-1 - Allow bacula get attributes of cgroup filesystems Resolves: rhbz#1976917 - Label /dev/wmi/dell-smbios as acpi_device_t Resolves: rhbz#1972382 - Add the lockdown integrity permission to dev_map_userio_dev() Resolves: rhbz#1966758 - Allow virtlogd_t to create virt_var_lockd_t dir Resolves: rhbz#1974875 Zdenek Pytela 2021-07-14 16:11:07 +0200
  • fe7971a7a7 * Wed Jul 14 2021 Zdenek Pytela <zpytela@redhat.com> - 34.14-1 - Revert "update libs_filetrans_named_content() to have support for /usr/lib/debug directory" - Remove references to init_watch_path_type attribute - Remove all redundant watch permissions for systemd - Allow systemd watch non_security_file_type dirs, files, lnk_files - Removed adding to attribute unpriv_userdomain from userdom_unpriv_type template - Allow bacula get attributes of cgroup filesystems - Allow systemd-journal-upload watch logs and journal - Create a policy for systemd-journal-upload - Allow tcpdump and nmap get attributes of infiniband_device_t - Allow arpwatch get attributes of infiniband_device_t devices - Label /dev/wmi/dell-smbios as acpi_device_t Zdenek Pytela 2021-07-14 14:59:11 +0200
  • 86f64b8b19 gating.yaml: add missing '}' Zdenek Pytela 2021-07-07 10:46:03 +0200
  • 4f56cd3eb8 * Thu Jul 01 2021 Zdenek Pytela <zpytela@redhat.com> - 34.13-1 - Allow radius map its library files - Allow nftables read NetworkManager unnamed pipes - Allow logrotate rotate container log files Zdenek Pytela 2021-07-01 16:39:23 +0200
  • 52a5aa8d34 Add gating.yaml to enable functional gating tests Zdenek Pytela 2021-04-22 15:49:46 +0200
  • 37bcc175cd * Tue Jun 22 2021 Zdenek Pytela <zpytela@redhat.com> - 34.1.9-1 - Allow systemd-coredump getattr nsfs files and net_admin capability Resolves: rhbz#1965372 - Label /run/libvirt/common with virt_common_var_run_t Resolves: rhbz#1969209 - Label /usr/bin/arping plain file with netutils_exec_t Resolves: rhbz#1952515 - Make usbmuxd_t a daemon Resolves: rhbz#1965411 - Allow usbmuxd get attributes of cgroup filesystems Resolves: rhbz#1965411 - Label /dev/dma_heap/* char devices with dma_device_t - Revert "Label /dev/dma_heap/* char devices with dma_device_t" - Revert "Label /dev/dma_heap with dma_device_dir_t" - Revert "Associate dma_device_dir_t with device filesystem" Resolves: rhbz#1967818 - Label /var/lib/kdump with kdump_var_lib_t Resolves: rhbz#1965989 - Allow systemd-timedated watch runtime dir and its parent Resolves: rhbz#1970865 - Label /run/fsck with fsadm_var_run_t Resolves: rhbz#1970911 Zdenek Pytela 2021-06-22 14:41:30 +0200
  • 8417543050 * Tue Jun 22 2021 Zdenek Pytela <zpytela@redhat.com> - 34.12-2 - Add a systemd service to check that SELinux is disabled properly - specfile: Add unowned dir to the macro - Relabel /dev/dma_heap explicitly Zdenek Pytela 2021-06-22 11:50:15 +0200
  • fd69433906 Add a systemd service to check that SELinux is disabled properly Ondrej Mosnacek 2021-05-13 16:23:31 +0200
  • a563172755 Add unowned dir to the macro Michael Scherer 2021-02-11 15:59:16 +0100
  • ed2eb34288 * Mon Jun 21 2021 Zdenek Pytela <zpytela@redhat.com> - 34.12-1 - Label /dev/dma_heap/* char devices with dma_device_t - Revert "Label /dev/dma_heap/* char devices with dma_device_t" - Revert "Label /dev/dma_heap with dma_device_dir_t" - Revert "Associate dma_device_dir_t with device filesystem" - Add the lockdown integrity permission to dev_map_userio_dev() - Allow systemd-modules-load read/write tracefs files - Allow sssd watch /run/systemd - Label /usr/bin/arping plain file with netutils_exec_t - Label /run/fsck with fsadm_var_run_t - Label /usr/bin/Xwayland with xserver_exec_t - Allow systemd-timesyncd watch dbus runtime dir - Allow asterisk watch localization files - Allow iscsid read all process stat - iptables.fc: Add missing legacy-restore and legacy-save entries - Label /run/libvirt/common with virt_common_var_run_t - Label /.k5identity file allow read of this file to rpc.gssd - Make usbmuxd_t a daemon Zdenek Pytela 2021-06-21 15:07:20 +0200
  • 042fffd52c * Thu Jun 10 2021 Zdenek Pytela <zpytela@redhat.com> - 34.1.8-1 - Associate dma_device_dir_t with device filesystem Resolves: rhbz#1954116 - Add default file context specification for dnf log files Resolves: rhbz#1955223 - Allow using opencryptoki for certmonger Resolves: rhbz#1961756 - Label var.lib.opencryptoki.* files and create pkcs_tmpfs_filetrans() Resolves: rhbz#1961756 - Allow httpd_sys_script_t read, write, and map hugetlbfs files Resolves: rhbz#1964890 - Dontaudit daemon open and read init_t file Resolves: rhbz#1965412 - Allow sanlock get attributes of cgroup filesystems Resolves: rhbz#1965217 Zdenek Pytela 2021-06-10 23:07:44 +0200
  • ef6e27e6c9 * Wed Jun 09 2021 Zdenek Pytela <zpytela@redhat.com> - 34.11-1 - Allow sanlock get attributes of cgroup filesystems - Associate dma_device_dir_t with device filesystem - Set default file context for /var/run/systemd instead of /run/systemd - Allow nmap create and use rdma socket - Allow pkcs-slotd create and use netlink_kobject_uevent_socket Zdenek Pytela 2021-06-09 16:42:40 +0200
  • 5d2a514c72 * Tue Jun 08 2021 Zdenek Pytela <zpytela@redhat.com> - 34.1.7-1 - Set default file context for /var/run/systemd instead of /run/systemd Resolves: rhbz#1966492 Zdenek Pytela 2021-06-08 19:26:12 +0200
  • a0031a1fc3 * Mon Jun 07 2021 Zdenek Pytela <zpytela@redhat.com> - 34.1.6-1 - Label /dev/dma_heap with dma_device_dir_t Resolves: rhbz#1954116 - Allow pkcs-slotd create and use netlink_kobject_uevent_socket Resolves: rhbz#1963252 - Label /run/systemd/default-hostname with hostname_etc_t Resolves: rhbz#1966492 Zdenek Pytela 2021-06-07 16:34:34 +0200
  • a4fcadc086 * Sun Jun 06 2021 Zdenek Pytela <zpytela@redhat.com> - 34.10-1 - Allow using opencryptoki for ipsec - Allow using opencryptoki for certmonger - Label var.lib.opencryptoki.* files and create pkcs_tmpfs_filetrans() - Label /dev/dma_heap with dma_device_dir_t - Allow syslogd watch non security dirs conditionally - Introduce logging_syslogd_list_non_security_dirs tunable - Remove openhpi module - Allow udev to watch fixed disk devices - Allow httpd_sys_script_t read, write, and map hugetlbfs files - Allow apcupsd get attributes of cgroup filesystems Zdenek Pytela 2021-06-06 23:32:21 +0200
  • 6b0b962be0 * Thu May 27 2021 Zdenek Pytela <zpytela@redhat.com> - 34.9-1 - Add kerberos object filetrans for nsswitchdomain - Allow fail2ban watch various log files - Add logging_watch_audit_log_files() and logging_watch_audit_log_dirs() - Remove further modules recently removed from refpolicy - Remove modules not shipped and not present in refpolicy - Revert "Add permission open to files_read_inherited_tmp_files() interface" - Revert "Allow pcp_pmlogger_t to use setrlimit BZ(1708951)" - Revert "Dontaudit logrotate to setrlimit itself. rhbz#1309604" - Revert "Allow cockpit_ws_t domain to set limits BZ(1701703)" - Dontaudit setrlimit for domains that exec systemctl - Allow kdump_t net_admin capability - Allow nsswitch_domain read init pid lnk_files - Label /dev/trng with random_device_t - Label /run/systemd/default-hostname with hostname_etc_t - Add default file context specification for dnf log files - Label /dev/zram[0-9]+ block device files with fixed_disk_device_t - Label /dev/udmabuf character device with dma_device_t - Label /dev/dma_heap/* char devices with dma_device_t - Label /dev/acpi_thermal_rel char device with acpi_device_t Zdenek Pytela 2021-05-27 22:08:10 +0200
  • 14a2757535 * Thu May 27 2021 Zdenek Pytela <zpytela@redhat.com> - 34.1.5-1 - Label /dev/trng with random_device_t Resolves: rhbz#1962260 - Label /dev/zram[0-9]+ block device files with fixed_disk_device_t Resolves: rhbz#1954116 - Label /dev/udmabuf character device with dma_device_t Resolves: rhbz#1954116 - Label /dev/dma_heap/* char devices with dma_device_t Resolves: rhbz#1954116 - Label /dev/acpi_thermal_rel char device with acpi_device_t Resolves: rhbz#1954116 - Allow fcoemon create sysfs files Resolves: rhbz#1952292 Zdenek Pytela 2021-05-27 14:57:41 +0200
  • cd4a089134 Remove temporary explicit /dev/nvme* relabeling Zdenek Pytela 2021-05-20 15:12:43 +0200
  • 80410eaf30 * Thu May 20 2021 Zdenek Pytela <zpytela@redhat.com> - 34.8-1 - Allow local_login_t nnp_transition to login_userdomain - Allow asterisk watch localization symlinks - Allow NetworkManager_t to watch /etc - Label /var/lib/kdump with kdump_var_lib_t - Allow amanda get attributes of cgroup filesystems - Allow sysadm_t nnp_domtrans to systemd_tmpfiles_t - Allow install_t nnp_domtrans to setfiles_mac_t - Allow fcoemon create sysfs files Zdenek Pytela 2021-05-20 15:09:34 +0200
  • 30f8c042ae * Thu May 13 2021 Zdenek Pytela <zpytela@redhat.com> - 34.7-1 - Allow tgtd read and write infiniband devices - Add a comment on virt_sandbox booleans with empty content - Deprecate duplicate dev_write_generic_sock_files() interface - Allow vnstatd_t map vnstatd_var_lib_t files - Allow privoxy execmem - Allow pmdakvm read information from the debug filesystem - Add lockdown integrity into kernel_read_debugfs() and kernel_manage_debugfs() - Add permissions to delete lnk_files into gnome_delete_home_config() - Remove rules for inotifyfs - Remove rules for anon_inodefs - Allow systemd nnp_transition to login_userdomain - Allow unconfined_t write other processes perf_event records - Allow sysadm_t dbus chat with tuned - Allow tuned write profile files with file transition - Allow tuned manage perf_events - Make domains use kernel_write_perf_event() and kernel_manage_perf_event() Zdenek Pytela 2021-05-13 18:42:35 +0200
  • 61280fbdd0 * Wed May 12 2021 Zdenek Pytela <zpytela@redhat.com> - 34.1.4-1 - Allow sysadm_t dbus chat with tuned Resolves: rhbz#1953643 - Allow tuned write profile files with file transition Resolves: rhbz#1953643 - Allow tuned manage perf_events Resolves: rhbz#1953643 - Make domains use kernel_write_perf_event() and kernel_manage_perf_event() Resolves: rhbz#1953643 - Add kernel_write_perf_event() and kernel_manage_perf_event() Resolves: rhbz#1953643 - Allow syslogd_t watch root and var directories Resolves: rhbz#1957792 - Allow tgtd create and use rdma socket Resolves: rhbz#1955559 - Allow aide connect to init with a unix socket Resolves: rhbz#1926343 Zdenek Pytela 2021-05-12 15:45:13 +0200
  • 4fecc6469f * Fri May 07 2021 Zdenek Pytela <zpytela@redhat.com> - 34.6-1 - Make domains use kernel_write_perf_event() and kernel_manage_perf_event() - Add kernel_write_perf_event() and kernel_manage_perf_event() - Allow syslogd_t watch root and var directories - Allow unconfined_t read other processes perf_event records - Allow login_userdomain read and map /var/lib/systemd files - Allow NetworkManager watch its config dir - Allow NetworkManager read and write z90crypt device - Allow tgtd create and use rdma socket - Allow aide connect to init with a unix socket Zdenek Pytela 2021-05-07 18:08:57 +0200
  • b900d641f6 * Tue May 04 2021 Zdenek Pytela <zpytela@redhat.com> - 34.5-1 - Grant execmem to varnishlog_t - We no longer need signull for varnishlog_t - Add map permission to varnishd_read_lib_files - Allow systemd-sleep tlp_filetrans_named_content() - Allow systemd-sleep execute generic programs - Allow systemd-sleep execute shell - Allow to sendmail read/write kerberos host rcache files - Allow freshclam get attributes of cgroup filesystems - Fix context of /run/systemd/timesync - Allow udev create /run/gdm with proper type - Allow chronyc socket file transition in user temp directory - Allow virtlogd_t to create virt_var_lockd_t dir - Allow pluto IKEv2 / ESP over TCP Zdenek Pytela 2021-05-04 20:27:30 +0200
  • 997ca10921 * Wed Apr 28 2021 Zdenek Pytela <zpytela@redhat.com> - 34.1.3-1 - Allow domain create anonymous inodes Resolves: rhbz#1954145 - Add anon_inode class to the policy Resolves: rhbz#1954145 - Allow pluto IKEv2 / ESP over TCP Resolves: rhbz#1951471 - Add brltty new permissions required by new upstream version Resolves: rhbz#1947842 - Label /var/lib/brltty with brltty_var_lib_t Resolves: rhbz#1947842 - Allow login_userdomain create cgroup files Resolves: rhbz#1951114 - Allow aide connect to systemd-userdbd with a unix socket Resolves: rhbz#1926343 - Allow cups-lpd read its private runtime socket files Resolves: rhbz#1947397 - Label /etc/redis as redis_conf_t Resolves: rhbz#1947874 - Add file context specification for /usr/libexec/realmd Resolves: rhbz#1946495 Zdenek Pytela 2021-04-28 15:25:09 +0200
  • 2b76eb3833 * Tue Apr 27 2021 Zdenek Pytela <zpytela@redhat.com> - 34.4-1 - Allow domain create anonymous inodes - Add anon_inode class to the policy - Allow systemd-coredump getattr nsfs files and net_admin capability - Allow systemd-sleep transition to sysstat_t - Allow systemd-sleep transition to tlp_t - Allow systemd-sleep transition to unconfined_service_t on bin_t executables - Allow systemd-timedated watch runtime dir and its parent - Allow system dbusd read /var/lib symlinks - Allow unconfined_service_t confidentiality and integrity lockdown - Label /var/lib/brltty with brltty_var_lib_t - Allow domain and unconfined_domain_type watch /proc/PID dirs - Additional permission for confined users loging into graphic session - Make for screen fsetid/setuid/setgid permission conditional - Allow for confined users acces to wtmp and run utempter Zdenek Pytela 2021-04-27 19:55:59 +0200
  • d48e2527dc * Thu Apr 22 2021 Zdenek Pytela <zpytela@redhat.com> - 34.1.2-1 - Further update make-rhat-patches.sh for RHEL 9.0 beta - Add file context specification for /var/tmp/tmp-inst Resolves: rhbz#1924656 Zdenek Pytela 2021-04-22 13:47:13 +0200
  • 40e9a7fb1f * Wed Apr 21 2021 Zdenek Pytela <zpytela@redhat.com> - 34.1.1-1 - Update selinux-policy.spec and make-rhat-patches.sh for RHEL 9.0 beta - Allow unconfined_service_t confidentiality and integrity lockdown Resolves: rhbz#1950267 Zdenek Pytela 2021-04-21 20:32:21 +0200
  • b8bce4d7d2 - Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937 Mohan Boddu 2021-04-16 05:35:15 +0000
  • ab4d6094ae * Fri Apr 09 2021 Zdenek Pytela <zpytela@redhat.com> - 34.3-1 - Label /etc/redis as redis_conf_t - Add brltty new permissions required by new upstream version - Allow cups-lpd read its private runtime socket files - Dontaudit daemon open and read init_t file - Add file context specification for /var/tmp/tmp-inst - Allow brltty create and use bluetooth_socket - Allow usbmuxd get attributes of cgroup filesystems Zdenek Pytela 2021-04-09 22:43:18 +0200
  • 0c7d2cb554 Merged update from upstream sources DistroBaker 2021-04-04 19:30:25 +0000
  • e671ae4028 Merged update from upstream sources DistroBaker 2021-03-31 18:45:22 +0000
  • ba2607aba9 Merged update from upstream sources DistroBaker 2021-03-28 20:10:28 +0000
  • 6ff3284cb2 * Fri Mar 26 2021 Zdenek Pytela <zpytela@redhat.com> - 3.14.8-8 - Allow arpwatch_t create netlink generic socket - Allow postgrey read network state - Add watch_mount_dirs_pattern file pattern - Allow bluetooth_t dbus chat with fwupd_t - Allow xdm_t watch accountsd lib directories - Add additional interfaces for watching /boot - Allow sssd_t get attributes of tmpfs filesystems - Allow local_login_t get attributes of tmpfs filesystems - Dontaudit domain the fowner capability - Extend fs_manage_nfsd_fs() to allow managing dirs as well - Allow spice-vdagentd watch systemd-logind session dirs Zdenek Pytela 2021-03-26 16:10:54 +0100
  • 7e06a74914 * Fri Mar 19 2021 Zdenek Pytela <zpytela@redhat.com> - 3.14.8-7 - Allow xdm_t watch systemd-logind session dirs - Allow xdm_t transition to system_dbusd_t - Allow confined users login into graphic session - Allow login_userdomain watch systemd login session dirs - install_t: Allow NoNewPriv transition from systemd - Remove setuid/setgid capabilities from mysqld_t - Add context for new mariadbd executable files - Allow netutils_t create netlink generic socket - Allow systemd the audit_control capability conditionally Zdenek Pytela 2021-03-19 21:52:07 +0100
  • d69f76993a Merged update from upstream sources DistroBaker 2021-03-15 19:41:15 +0000
  • 77437ed12d * Thu Mar 11 2021 Zdenek Pytela <zpytela@redhat.com> - 3.14.8-6 - Allow polkit-agent-helper-1 read logind sessions files - Allow polkit-agent-helper read init state - Allow login_userdomain watch generic device dirs - Allow login_userdomain listen on bluetooth sockets - Allow user_t and staff_t bind netlink_generic_socket - Allow login_userdomain write inaccessible nodes - Allow transition from xdm domain to unconfined_t domain. - Add 'make validate' step to CI - Disallow user_t run su/sudo and staff_t run su - Fix typo in rsyncd.conf in rsync.if - Add an alias for nvme_device_t - Allow systemd watch and watch_reads unallocated ttys Zdenek Pytela 2021-03-11 22:25:45 +0100
  • dd41f17526 * Wed Mar 03 2021 Zdenek Pytela <zpytela@redhat.com> - 3.14.8-5 - Allow apmd watch generic device directories - Allow kdump load a new kernel - Add confidentiality lockdown permission to kernel_read_core_if() - Allow keepalived read nsfs files - Allow local_login_t get attributes of filesystems with ext attributes - Allow keepalived read/write its private memfd: objects - Add missing declaration in rpm_named_filetrans() - Change param description in cron interfaces to userdomain_prefix Zdenek Pytela 2021-03-03 11:24:28 +0100
  • c7794d90ee Relabel /dev/nvme* explicitly Zdenek Pytela 2021-03-01 09:38:19 +0100
  • 2faa5c2293 * Wed Feb 24 2021 Zdenek Pytela <zpytela@redhat.com> - 3.14.8-4 - iptables.fc: Add missing legacy entries - iptables.fc: Remove some duplicate entries - iptables.fc: Remove duplicate file context entries - Allow libvirtd to create generic netlink sockets - Allow libvirtd the fsetid capability - Allow libvirtd to read /run/utmp - Dontaudit sys_ptrace capability when calling systemctl - Allow udisksd to read /dev/random - Allow udisksd to watch files under /run/mount - Allow udisksd to watch /etc - Allow crond to watch user_cron_spool_t directories - Allow accountsd watch xdm config directories - Label /etc/avahi with avahi_conf_t - Allow sssd get cgroup filesystems attributes and search cgroup dirs - Allow systemd-hostnamed read udev runtime data - Remove dev_getattr_sysfs_fs() interface calls for particular domains - Allow domain stat the /sys filesystem - Dontaudit NetworkManager write to initrc_tmp_t pipes - policykit.te: Clean up watch rule for policykit_auth_t - Revert further unnecessary watch rules - Revert "Allow getty watch its private runtime files" - Allow systemd watch generic /var directories - Allow init watch network config files and lnk_files - Allow systemd-sleep get attributes of fixed disk device nodes - Complete initial policy for systemd-coredump - Label SDC(scini) Dell Driver - Allow upowerd to send syslog messages - Remove the disk write permissions from tlp_t - Label NVMe devices as fixed_disk_device_t - Allow rhsmcertd bind tcp sockets to a generic node - Allow systemd-importd manage machines.lock file Zdenek Pytela 2021-02-24 10:14:28 +0100
  • 4508ded93f Merged update from upstream sources DistroBaker 2021-02-20 17:32:55 +0000
  • 7d8a7d8d32 Merged update from upstream sources DistroBaker 2021-02-17 12:42:58 +0100
  • 0d835ab10a Merged update from upstream sources DistroBaker 2021-02-17 08:17:18 +0000
  • aa1f535cb2 * Tue Feb 16 2021 Zdenek Pytela <zpytela@redhat.com> - 3.14.8-3 - Allow unconfined integrity lockdown permission - Relocate confidentiality lockdown rule from unconfined_domain_type to unconfined - Allow systemd-machined manage systemd-userdbd runtime sockets - Enable systemd-sysctl domtrans for udev - Introduce kernel_load_unsigned_module interface and use it for couple domains - Allow gpg watch user gpg secrets dirs - Build also the container module in CI - Remove duplicate code from kernel.te - Allow restorecond to watch all non-auth directories - Allow restorecond to watch its config file Zdenek Pytela 2021-02-16 22:47:33 +0100
  • 15dc304d75 * Mon Feb 15 2021 Zdenek Pytela <zpytela@redhat.com> - 3.14.8-2 - Allow userdomain watch various filesystem objects - Allow systemd-logind and systemd-sleep integrity lockdown permission - Allow unconfined_t and kprop_t to create krb5_0.rcache2 with the right context - Allow pulseaudio watch devices and systemd-logind session dirs - Allow abrt-dump-journal-* watch generic log dirs and /run/log/journal dir - Remove duplicate files_mounton_etc(init_t) call - Add watch permissions to manage_* object permissions sets - Allow journalctl watch generic log dirs and /run/log/journal dir - Label /etc/resolv.conf as net_conf_t even when it's a symlink - Allow SSSD to watch /var/run/NetworkManager - Allow dnsmasq_t to watch /etc - Remove unnecessary lines from the new watch interfaces - Fix docstring for init_watch_dir() - Allow xdm watch its private lib dirs, /etc, /usr Zdenek Pytela 2021-02-15 20:38:28 +0100
  • f521412d05 Merged update from upstream sources DistroBaker 2021-02-13 00:52:48 +0000
  • ece0d0b7b5 Merged update from upstream sources DistroBaker 2021-02-12 06:32:55 +0000
  • d558c4f1c7 * Thu Feb 11 2021 Zdenek Pytela <zpytela@redhat.com> - 3.14.8-1 - Bump version as Fedora 34 has been branched off rawhide - Allow xdm watch its private lib dirs, /etc, /usr - Allow systemd-importd create /run/systemd/machines.lock file - Allow rhsmcertd_t read kpatch lib files - Add integrity lockdown permission into dev_read_raw_memory() - Add confidentiality lockdown permission into fs_rw_tracefs_files() - Allow gpsd read and write ptp4l_t shared memory. - Allow colord watch its private lib files and /usr - Allow init watch_reads mount PID files - Allow IPsec and Certmonger to use opencryptoki services Zdenek Pytela 2021-02-11 22:08:31 +0100
  • eea0ee325a Merged update from upstream sources DistroBaker 2021-02-09 04:48:56 +0000
  • c7e90bc196 * Sun Feb 07 2021 Zdenek Pytela <zpytela@redhat.com> - 3.14.7-18 - Allow lockdown confidentiality for domains using perf_event - define lockdown class and access - Add perfmon capability for all domains using perf_event - Allow ptp4l_t bpf capability to run bpf programs - Revert "Allow ptp4l_t sys_admin capability to run bpf programs" - access_vectors: Add new capabilities to cap2 - Allow systemd and systemd-resolved watch dbus pid objects - Add new watch interfaces in the base and userdomain policy - Add watch permissions for contrib packages - Allow xdm watch /usr directories - Allow getty watch its private runtime files - Add watch permissions for nscd and sssd - Add watch permissions for firewalld and NetworkManager - Add watch permissions for syslogd - Add watch permissions for systemd services - Allow restorecond watch /etc dirs - Add watch permissions for user domain types - Add watch permissions for init - Add basic watch interfaces for systemd - Add basic watch interfaces to the base module - Add additional watch object permissions sets and patterns - Allow init_t to watch localization symlinks - Allow init_t to watch mount directories - Allow init_t to watch cgroup files - Add basic watch patterns - Add new watch* permissions Zdenek Pytela 2021-02-07 20:21:37 +0100
  • 8e575c9c13 Merged update from upstream sources DistroBaker 2021-02-05 19:32:49 +0000
  • c2d5ebb406 * Fri Feb 05 2021 Zdenek Pytela <zpytela@redhat.com> - 3.14.7-17 - Update .copr/make-srpm.sh to use rawhide as DISTGIT_BRANCH - Dontaudit setsched for rndc - Allow systemd-logind destroy entries in message queue - Add userdom_destroy_unpriv_user_msgq() interface - ci: Install build dependencies from koji - Dontaudit vhostmd to write in /var/lib/rpm/ dir and allow signull rpm - Add new cmadmin port for bfdd dameon - virtiofs supports Xattrs and SELinux - Allow domain write to systemd-resolved PID socket files - Label /var/run/pcsd-ruby.socket socket with cluster_var_run_t type - Allow rhsmcertd_t domain transition to kpatch_t - Revert "Add kpatch_exec() interface" - Revert "Allow rhsmcertd execute kpatch" - Allow openvswitch create and use xfrm netlink sockets - Allow openvswitch_t perf_event write permission - Add kpatch_exec() interface - Allow rhsmcertd execute kpatch - Adds rule to allow glusterd to access RDMA socket - radius: Lexical sort of service-specific corenet rules by service name - VQP: Include IANA-assigned TCP/1589 - radius: Allow binding to the VQP port (VMPS) - radius: Allow binding to the BDF Control and Echo ports - radius: Allow binding to the DHCP client port - radius: Allow net_raw; allow binding to the DHCP server ports - Add rsync_sys_admin tunable to allow rsync sys_admin capability - Allow staff_u run pam_console_apply - Allow openvswitch_t perf_event open permission - Allow sysadm read and write /dev/rfkill - Allow certmonger fsetid capability - Allow domain read usermodehelper state information Zdenek Pytela 2021-02-05 09:36:28 +0100
  • 557675f09a Use the rawhide branch instead of master Zdenek Pytela 2021-02-04 15:12:36 +0100
  • b0dd6c6ef6 - Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild Fedora Release Engineering 2021-01-27 20:11:38 +0000
  • ed75dbd813 Merged update from upstream sources DistroBaker 2021-01-22 10:21:40 +0000
  • f38b38e51e Rebuild with SELinux userspace 3.2-rc1 release Petr Lautrbach 2021-01-22 10:01:43 +0100
  • 4f8342e8c3 Add /var/mnt equivalency to /mnt Zdenek Pytela 2021-01-15 19:34:25 +0100
  • ce671c04d8 Update specfile to not verify md5/size/mtime for active store files Zdenek Pytela 2021-01-15 19:49:38 +0100
  • 0397c4c5ec Merged update from upstream sources DistroBaker 2021-01-09 09:21:37 +0000
  • d76e0b4040 * Fri Jan 8 18:41:06 CET 2021 Zdenek Pytela <zpytela@redhat.com> - 3.14.7-14 - Allow domain read usermodehelper state information - Remove all kernel_read_usermodehelper_state() interface calls - .copr: improve timestamp format - Allow wireshark create and use rdma socket - Allow domain stat /proc filesystem - Remove all kernel_getattr_proc() interface calls - Revert "Allow passwd to get attributes in proc_t" - Revert "Allow dovecot_auth_t stat /proc filesystem" - Revert "Allow sssd, unix_chkpwd, groupadd stat /proc filesystem" - Allow sssd read /run/systemd directory - Label /dev/vhost-vdpa-[0-9]+ as vhost_device_t Zdenek Pytela 2021-01-08 18:44:14 +0100
  • a2fc5fba64 Merged update from upstream sources DistroBaker 2020-12-17 21:38:57 +0000
  • d5b79a1cb7 * Thu Dec 17 20:07:23 CET 2020 Zdenek Pytela <zpytela@redhat.com> - 3.14.7-13 - Label /dev/isst_interface as cpu_device_t - Dontaudit firewalld dac_override capability - Allow ipsec set the context of a SPD entry to the default context - Build binary RPMs in CI - Add SRPM build scripts for COPR Zdenek Pytela 2020-12-17 20:11:46 +0100
  • 7cee52182d Merged update from upstream sources DistroBaker 2020-12-17 03:03:39 +0000
  • 533a2f186e Remove useless mkdir command from minimum build Ondrej Mosnacek 2020-12-12 13:04:18 +0100
  • ecfabbb8f3 Remove useless rm command from minimum build Ondrej Mosnacek 2020-12-12 12:24:52 +0100
  • 167b0505ce Remove unnecessary steps from targeted policy build Ondrej Mosnacek 2020-12-12 12:08:56 +0100
  • fa72125856 * Tue Dec 15 16:24:44 CET 2020 Zdenek Pytela <zpytela@redhat.com> - 3.14.7-12 - Allow dovecot_auth_t stat /proc filesystem - Allow sysadm_u user and unconfined_domain_type manage perf_events - Allow pcp-pmcd manage perf_events - Add manage_perf_event_perms object permissions set - Add perf_event access vectors. - Allow sssd, unix_chkpwd, groupadd stat /proc filesystem - Allow stub-resolv.conf to be a symlink - sysnetwork.if: avoid directly referencing systemd_resolved_var_run_t - Create the systemd_dbus_chat_resolved() compatibility interface - Allow nsswitch-domain write to systemd-resolved PID socket files - Add systemd_resolved_write_pid_sock_files() interface - Add default file context for "/var/run/chrony-dhcp(/.*)?" - Allow timedatex dbus chat with cron system domain - Add cron_dbus_chat_system_job() interface - Allow systemd-logind manage init's pid files Zdenek Pytela 2020-12-15 16:31:51 +0100
  • 0f3b08d5d1 Add make to BuildRequires Petr Lautrbach 2020-12-14 12:15:28 +0100
  • 8d02847dad * Wed Dec 9 15:39:03 CET 2020 Zdenek Pytela <zpytela@redhat.com> - 3.14.7-11 - Allow systemd-logind manage init's pid files - Allow tcsd the setgid capability - Allow systemd-resolved manage its private runtime symlinks - Update systemd_resolved_read_pid() to also read symlinks - Update systemd-sleep policy - Add groupadd_t fowner capability - Migrate to GitHub Actions - Update README.md to reflect the state after contrib and base merge - Add README.md announcing merging of selinux-policy and selinux-policy-contrib - Adapt .travis.yml to contrib merge - Merge contrib into the main repo - Prepare to merge contrib repo - Move stuff around to match the main repo Zdenek Pytela 2020-12-09 15:42:48 +0100
  • 58fb34f371 Fix typos and grammar in README Ondrej Mosnacek 2020-11-29 23:39:09 +0100
  • 14735eb5eb Merged update from upstream sources DistroBaker 2020-12-01 19:27:05 +0000
  • e94a380d32 * Thu Nov 26 2020 Zdenek Pytela <zpytela@redhat.com> - 3.14.7-10 - Allow Xephyr connect to 6000/tcp port and open user ptys - Allow kexec manage generic tmp files - Update targetd nfs & lvm - Add interface rpc_manage_exports - Merge selinux-policy and selinux-policy-contrib repos Zdenek Pytela 2020-11-26 19:32:31 +0100
  • 54876665ae Adapt specfile, make-rhat-patches, and README to contrib merge Ondrej Mosnacek 2020-09-26 12:08:38 +0200
  • aebc05fc19 Reword and clean up the README Ondrej Mosnacek 2020-10-12 10:18:21 +0200
  • cafbcb567e Merged update from upstream sources DistroBaker 2020-11-25 16:25:36 +0000
  • 595a6449f5 * Tue Nov 24 2020 Zdenek Pytela <zpytela@redhat.com> - 3.14.7-9 - Allow varnish map its private tmp files - Allow dovecot bind to smtp ports - Change fetchmail temporary files path to /var/spool/mail - Allow cups_pdf_t domain to communicate with unix_dgram_socket - Set file context for symlinks in /etc/httpd to etc_t - Allow rpmdb rw access to inherited console, ttys, and ptys - Allow dnsmasq read public files - Announce merging of selinux-policy and selinux-policy-contrib - Label /etc/resolv.conf as net_conf_t only if it is a plain file - Fix range for unreserved ports - Add files_search_non_security_dirs() interface - Introduce logging_syslogd_append_public_content tunable - Add miscfiles_append_public_files() interface Zdenek Pytela 2020-11-24 19:47:48 +0100
  • 2fc3743e24 RHEL 9.0.0 Alpha bootstrap Troy Dawson 2020-11-16 14:01:44 -0800
  • 05fb517c90 * Fri Nov 13 2020 Zdenek Pytela <zpytela@redhat.com> - 3.14.7-8 - Set correct default file context for /usr/libexec/pcp/lib/* - Introduce rpmdb_t type - Allow slapd manage files/dirs in ldap certificates directory - Revert "Allow certmonger add new entries in a generic certificates directory" - Allow certmonger add new entries in a generic certificates directory - Allow slapd add new entries in ldap certificates directory - Remove retired PCP pmwebd and pmmgr daemons (since 5.0) - Let keepalived bind a raw socket - Add default file context for /usr/libexec/pcp/lib/* - squid: Allow net_raw capability when squid_use_tproxy is enabled - systemd: allow networkd to check namespaces - Add ability to read init_var_run_t where fs_read_efivarfs_files is allowed - Allow resolved to created varlink sockets and the domain to talk to it - selinux: tweak selinux_get_enforce_mode() to allow status page to be used - systemd: allow all systemd services to check selinux status - Set default file context for /var/lib/ipsec/nss - Allow user domains transition to rpmdb_t - Revert "Add miscfiles_add_entry_generic_cert_dirs() interface" - Revert "Add miscfiles_create_generic_cert_dirs() interface" - Update miscfiles_manage_all_certs() to include managing directories - Add miscfiles_create_generic_cert_dirs() interface - Add miscfiles_add_entry_generic_cert_dirs() interface - Revert "Label /var/run/zincati/public/motd.d/* as motd_var_run_t" Zdenek Pytela 2020-11-13 10:13:13 +0100
  • c0c357c156 Merged update from upstream sources DistroBaker 2020-11-06 00:43:32 +0000
  • e88945f82a selinux-policy-3.14.7-7 Petr Lautrbach 2020-11-03 17:03:56 +0100
  • 4adda006ba Clean up .gitignore Ondrej Mosnacek 2020-10-12 13:57:35 +0200
  • 478f57b9e8 Merged update from upstream sources DistroBaker 2020-10-27 22:21:32 +0100
  • 4da7d1152a * Thu Oct 22 2020 Zdenek Pytela <zpytela@redhat.com> - 3.14.7-6 - rpc.fc: Include /etc/exports.d dir & files - Create chronyd_pid_filetrans() interface - Change invalid type redisd_t to redis_t in redis_stream_connect() - Revert "Removed adding to attribute unpriv_userdomain from userdom_unpriv_type template" - Allow init dbus chat with kernel - Allow initrc_t create /run/chronyd-dhcp directory with a transition - Drop gcc from dependencies in Travis CI - fc_sort.py: Use "==" for comparing integers. - re-implement fc_sort in python - Remove invalid file context line - Drop git from dependencies in Travis CI Zdenek Pytela 2020-10-22 18:12:31 +0200
  • a231488911 Drop the "BuildRequires: gcc" line selinux-policy.spec Zdenek Pytela 2020-10-22 15:29:50 +0200
  • 4e04fae030 Replace "Provides: selinux-policy-base" with "Provides: selinux-policy-any" Zdenek Pytela 2020-10-22 15:16:02 +0200
  • 7975d49f67 RHEL 9.0.0 Alpha bootstrap Troy Dawson 2020-10-15 09:28:03 -0700
  • fe20768333 Remove trailing whitespaces Vit Mojzis 2020-10-12 10:02:20 +0200
  • e99b0bae28 Change the package summary and description Zdenek Pytela 2020-09-29 21:22:38 +0200
  • b867d53c38 README is written in markdown - change extension to .md Ondrej Mosnacek 2020-10-07 11:26:38 +0200
  • 4d9a7e555f Ensure targeted policy is installed by default Ondrej Mosnacek 2020-09-30 10:00:25 +0200
  • e042be0581 make-rhat-patches: Use shallow clone Ondrej Mosnacek 2020-10-05 21:04:36 +0200