c53bdced40 * Fri Aug 27 2021 Zdenek Pytela <zpytela@redhat.com> - 3.14.3-79
- Introduce xdm_manage_bootloader boolean
Resolves: rhbz#1994096
- Rename samba_exec() to samba_exec_net()
Resolves: rhbz#1855215
- Allow sssd to set samba setting
Resolves: rhbz#1855215
- Allow dirsrv read slapd tmpfs files
Resolves: rhbz#1843238
- Allow rhsmcertd to create cache file in /var/cache/cloud-what
Resolves: rhbz#1994718
Zdenek Pytela
2021-08-27 11:39:38 +0200
b42446e02d * Wed Aug 25 2021 Zdenek Pytela <zpytela@redhat.com> - 34.1.14-1
- Support using ICA crypto accelerator on s390x arch
Resolves: rhbz#1976180
- Allow systemd delete /run/systemd/default-hostname
Resolves: rhbz#1978507
- Label /usr/bin/Xwayland with xserver_exec_t
Resolves: rhbz#1993151
- Label /usr/libexec/gdm-runtime-config with xdm_exec_t
Resolves: rhbz#1993151
- Allow tcpdump read system state information in /proc
Resolves: rhbz#1972577
- Allow firewalld drop capabilities
Resolves: rhbz#1989641
Zdenek Pytela
2021-08-25 18:48:38 +0200
757d64d9d6 * Thu Aug 12 2021 Zdenek Pytela <zpytela@redhat.com> - 34.16-1
- Allow systemd-timesyncd watch system dbus pid socket files
- Allow firewalld drop capabilities
- Allow rhsmcertd execute gpg
- Allow lldpad send to kdump over a unix dgram socket
- Allow systemd-gpt-auto-generator read udev pid files
- Set default file context for /sys/firmware/efi/efivars
- Allow tcpdump run as a systemd service
- Allow nmap create and use netlink generic socket
- Allow nscd watch system db files in /var/db
- Allow cockpit_ws_t get attributes of fs_t filesystems
- Allow sysadm access to kernel module resources
- Allow sysadm to read/write scsi files and manage shadow
- Allow sysadm access to files_unconfined and bind rpc ports
- Allow sysadm read and view kernel keyrings
- Allow journal mmap and read var lib files
- Allow tuned to read rhsmcertd config files
- Allow bootloader to read tuned etc files
- Label /usr/bin/qemu-storage-daemon with virtd_exec_t
Zdenek Pytela
2021-08-12 18:39:36 +0200
cf60736fb6 * Thu Aug 12 2021 Zdenek Pytela <zpytela@redhat.com> - 34.1.13-1
- Add "/" at the beginning of dev/shm/var\.lib\.opencryptoki.* regexp
Resolves: rhbz#1977915
- Set default file context for /sys/firmware/efi/efivars
Resolves: rhbz#1972372
- Allow tcpdump run as a systemd service
Resolves: rhbz#1972577
- Allow nmap create and use netlink generic socket
Resolves: rhbz#1985212
- Allow nscd watch system db files in /var/db
Resolves: rhbz#1989416
- Allow systemd-gpt-auto-generator read udev pid files
Resolves: rhbz#1992638
Zdenek Pytela
2021-08-12 16:15:32 +0200
991febef9c * Tue Aug 10 2021 Zdenek Pytela <zpytela@redhat.com> - 34.1.12-1
- Revert "update libs_filetrans_named_content() to have support for /usr/lib/debug directory"
Resolves: rhbz#1990813
- Label /dev/crypto/nx-gzip with accelerator_device_t
Resolves: rhbz#1973953
- Label /usr/bin/qemu-storage-daemon with virtd_exec_t
Resolves: rhbz#1977245
- Allow systemd-machined stop generic service units
Resolves: rhbz#1979522
- Label /.k5identity file allow read of this file to rpc.gssd
Resolves: rhbz#1980610
Zdenek Pytela
2021-08-10 16:28:03 +0200
57b195c83b Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
Mohan Boddu
2021-08-10 00:49:40 +0000
58dbb0353c * Fri Aug 06 2021 Zdenek Pytela <zpytela@redhat.com> - 34.15-1
- Disable seccomp on CI containers
- Allow systemd-machined stop generic service units
- Allow virtlogd_t read process state of user domains
- Add "/" at the beginning of dev/shm/var\.lib\.opencryptoki.* regexp
- Label /dev/crypto/nx-gzip with accelerator_device_t
- Update the policy for systemd-journal-upload
- Allow unconfined domains to bpf all other domains
- Confine rhsm service and rhsm-facts service as rhsmcertd_t
- Allow fcoemon talk with unconfined user over unix domain datagram socket
- Allow abrt_domain read and write z90crypt device
- Allow mdadm read iscsi pid files
- Change dev_getattr_infiniband_dev() to use getattr_chr_files_pattern()
- Label /usr/lib/pcs/pcs_snmp_agent with cluster_exec_t
- Allow hostapd bind UDP sockets to the dhcpd port
- Unconfined domains should not be confined
Zdenek Pytela
2021-08-06 19:30:54 +0200
4548b66f2e * Thu Jul 29 2021 Zdenek Pytela <zpytela@redhat.com> - 34.1.11-1
- Allow hostapd bind UDP sockets to the dhcpd port
Resolves: rhbz#1979968
- Allow mdadm read iscsi pid files
Resolves: rhbz#1976073
- Unconfined domains should not be confined
Resolves: rhbz#1977986
- Allow NetworkManager_t to watch /etc
Resolves: rhbz#1980000
- Allow using opencryptoki for ipsec
Resolves: rhbz#1977915
Zdenek Pytela
2021-07-29 17:11:36 +0200
c0ea3a13a7 * Wed Jul 14 2021 Zdenek Pytela <zpytela@redhat.com> - 34.1.10-1
- Allow bacula get attributes of cgroup filesystems
Resolves: rhbz#1976917
- Label /dev/wmi/dell-smbios as acpi_device_t
Resolves: rhbz#1972382
- Add the lockdown integrity permission to dev_map_userio_dev()
Resolves: rhbz#1966758
- Allow virtlogd_t to create virt_var_lockd_t dir
Resolves: rhbz#1974875
Zdenek Pytela
2021-07-14 16:11:07 +0200
fe7971a7a7 * Wed Jul 14 2021 Zdenek Pytela <zpytela@redhat.com> - 34.14-1
- Revert "update libs_filetrans_named_content() to have support for /usr/lib/debug directory"
- Remove references to init_watch_path_type attribute
- Remove all redundant watch permissions for systemd
- Allow systemd watch non_security_file_type dirs, files, lnk_files
- Removed adding to attribute unpriv_userdomain from userdom_unpriv_type template
- Allow bacula get attributes of cgroup filesystems
- Allow systemd-journal-upload watch logs and journal
- Create a policy for systemd-journal-upload
- Allow tcpdump and nmap get attributes of infiniband_device_t
- Allow arpwatch get attributes of infiniband_device_t devices
- Label /dev/wmi/dell-smbios as acpi_device_t
Zdenek Pytela
2021-07-14 14:59:11 +0200
37bcc175cd * Tue Jun 22 2021 Zdenek Pytela <zpytela@redhat.com> - 34.1.9-1
- Allow systemd-coredump getattr nsfs files and net_admin capability
Resolves: rhbz#1965372
- Label /run/libvirt/common with virt_common_var_run_t
Resolves: rhbz#1969209
- Label /usr/bin/arping plain file with netutils_exec_t
Resolves: rhbz#1952515
- Make usbmuxd_t a daemon
Resolves: rhbz#1965411
- Allow usbmuxd get attributes of cgroup filesystems
Resolves: rhbz#1965411
- Label /dev/dma_heap/* char devices with dma_device_t
- Revert "Label /dev/dma_heap/* char devices with dma_device_t"
- Revert "Label /dev/dma_heap with dma_device_dir_t"
- Revert "Associate dma_device_dir_t with device filesystem"
Resolves: rhbz#1967818
- Label /var/lib/kdump with kdump_var_lib_t
Resolves: rhbz#1965989
- Allow systemd-timedated watch runtime dir and its parent
Resolves: rhbz#1970865
- Label /run/fsck with fsadm_var_run_t
Resolves: rhbz#1970911
Zdenek Pytela
2021-06-22 14:41:30 +0200
8417543050 * Tue Jun 22 2021 Zdenek Pytela <zpytela@redhat.com> - 34.12-2
- Add a systemd service to check that SELinux is disabled properly
- specfile: Add unowned dir to the macro
- Relabel /dev/dma_heap explicitly
Zdenek Pytela
2021-06-22 11:50:15 +0200
fd69433906 Add a systemd service to check that SELinux is disabled properly
Ondrej Mosnacek
2021-05-13 16:23:31 +0200
a563172755 Add unowned dir to the macro
Michael Scherer
2021-02-11 15:59:16 +0100
ed2eb34288 * Mon Jun 21 2021 Zdenek Pytela <zpytela@redhat.com> - 34.12-1
- Label /dev/dma_heap/* char devices with dma_device_t
- Revert "Label /dev/dma_heap/* char devices with dma_device_t"
- Revert "Label /dev/dma_heap with dma_device_dir_t"
- Revert "Associate dma_device_dir_t with device filesystem"
- Add the lockdown integrity permission to dev_map_userio_dev()
- Allow systemd-modules-load read/write tracefs files
- Allow sssd watch /run/systemd
- Label /usr/bin/arping plain file with netutils_exec_t
- Label /run/fsck with fsadm_var_run_t
- Label /usr/bin/Xwayland with xserver_exec_t
- Allow systemd-timesyncd watch dbus runtime dir
- Allow asterisk watch localization files
- Allow iscsid read all process stat
- iptables.fc: Add missing legacy-restore and legacy-save entries
- Label /run/libvirt/common with virt_common_var_run_t
- Label /.k5identity file allow read of this file to rpc.gssd
- Make usbmuxd_t a daemon
Zdenek Pytela
2021-06-21 15:07:20 +0200
042fffd52c * Thu Jun 10 2021 Zdenek Pytela <zpytela@redhat.com> - 34.1.8-1
- Associate dma_device_dir_t with device filesystem
Resolves: rhbz#1954116
- Add default file context specification for dnf log files
Resolves: rhbz#1955223
- Allow using opencryptoki for certmonger
Resolves: rhbz#1961756
- Label var.lib.opencryptoki.* files and create pkcs_tmpfs_filetrans()
Resolves: rhbz#1961756
- Allow httpd_sys_script_t read, write, and map hugetlbfs files
Resolves: rhbz#1964890
- Dontaudit daemon open and read init_t file
Resolves: rhbz#1965412
- Allow sanlock get attributes of cgroup filesystems
Resolves: rhbz#1965217
Zdenek Pytela
2021-06-10 23:07:44 +0200
ef6e27e6c9 * Wed Jun 09 2021 Zdenek Pytela <zpytela@redhat.com> - 34.11-1
- Allow sanlock get attributes of cgroup filesystems
- Associate dma_device_dir_t with device filesystem
- Set default file context for /var/run/systemd instead of /run/systemd
- Allow nmap create and use rdma socket
- Allow pkcs-slotd create and use netlink_kobject_uevent_socket
Zdenek Pytela
2021-06-09 16:42:40 +0200
5d2a514c72 * Tue Jun 08 2021 Zdenek Pytela <zpytela@redhat.com> - 34.1.7-1
- Set default file context for /var/run/systemd instead of /run/systemd
Resolves: rhbz#1966492
Zdenek Pytela
2021-06-08 19:26:12 +0200
a0031a1fc3 * Mon Jun 07 2021 Zdenek Pytela <zpytela@redhat.com> - 34.1.6-1
- Label /dev/dma_heap with dma_device_dir_t
Resolves: rhbz#1954116
- Allow pkcs-slotd create and use netlink_kobject_uevent_socket
Resolves: rhbz#1963252
- Label /run/systemd/default-hostname with hostname_etc_t
Resolves: rhbz#1966492
Zdenek Pytela
2021-06-07 16:34:34 +0200
a4fcadc086 * Sun Jun 06 2021 Zdenek Pytela <zpytela@redhat.com> - 34.10-1
- Allow using opencryptoki for ipsec
- Allow using opencryptoki for certmonger
- Label var.lib.opencryptoki.* files and create pkcs_tmpfs_filetrans()
- Label /dev/dma_heap with dma_device_dir_t
- Allow syslogd watch non security dirs conditionally
- Introduce logging_syslogd_list_non_security_dirs tunable
- Remove openhpi module
- Allow udev to watch fixed disk devices
- Allow httpd_sys_script_t read, write, and map hugetlbfs files
- Allow apcupsd get attributes of cgroup filesystems
Zdenek Pytela
2021-06-06 23:32:21 +0200
6b0b962be0 * Thu May 27 2021 Zdenek Pytela <zpytela@redhat.com> - 34.9-1
- Add kerberos object filetrans for nsswitchdomain
- Allow fail2ban watch various log files
- Add logging_watch_audit_log_files() and logging_watch_audit_log_dirs()
- Remove further modules recently removed from refpolicy
- Remove modules not shipped and not present in refpolicy
- Revert "Add permission open to files_read_inherited_tmp_files() interface"
- Revert "Allow pcp_pmlogger_t to use setrlimit BZ(1708951)"
- Revert "Dontaudit logrotate to setrlimit itself. rhbz#1309604"
- Revert "Allow cockpit_ws_t domain to set limits BZ(1701703)"
- Dontaudit setrlimit for domains that exec systemctl
- Allow kdump_t net_admin capability
- Allow nsswitch_domain read init pid lnk_files
- Label /dev/trng with random_device_t
- Label /run/systemd/default-hostname with hostname_etc_t
- Add default file context specification for dnf log files
- Label /dev/zram[0-9]+ block device files with fixed_disk_device_t
- Label /dev/udmabuf character device with dma_device_t
- Label /dev/dma_heap/* char devices with dma_device_t
- Label /dev/acpi_thermal_rel char device with acpi_device_t
Zdenek Pytela
2021-05-27 22:08:10 +0200
14a2757535 * Thu May 27 2021 Zdenek Pytela <zpytela@redhat.com> - 34.1.5-1
- Label /dev/trng with random_device_t
Resolves: rhbz#1962260
- Label /dev/zram[0-9]+ block device files with fixed_disk_device_t
Resolves: rhbz#1954116
- Label /dev/udmabuf character device with dma_device_t
Resolves: rhbz#1954116
- Label /dev/dma_heap/* char devices with dma_device_t
Resolves: rhbz#1954116
- Label /dev/acpi_thermal_rel char device with acpi_device_t
Resolves: rhbz#1954116
- Allow fcoemon create sysfs files
Resolves: rhbz#1952292
Zdenek Pytela
2021-05-27 14:57:41 +0200
80410eaf30 * Thu May 20 2021 Zdenek Pytela <zpytela@redhat.com> - 34.8-1
- Allow local_login_t nnp_transition to login_userdomain
- Allow asterisk watch localization symlinks
- Allow NetworkManager_t to watch /etc
- Label /var/lib/kdump with kdump_var_lib_t
- Allow amanda get attributes of cgroup filesystems
- Allow sysadm_t nnp_domtrans to systemd_tmpfiles_t
- Allow install_t nnp_domtrans to setfiles_mac_t
- Allow fcoemon create sysfs files
Zdenek Pytela
2021-05-20 15:09:34 +0200
30f8c042ae * Thu May 13 2021 Zdenek Pytela <zpytela@redhat.com> - 34.7-1
- Allow tgtd read and write infiniband devices
- Add a comment on virt_sandbox booleans with empty content
- Deprecate duplicate dev_write_generic_sock_files() interface
- Allow vnstatd_t map vnstatd_var_lib_t files
- Allow privoxy execmem
- Allow pmdakvm read information from the debug filesystem
- Add lockdown integrity into kernel_read_debugfs() and kernel_manage_debugfs()
- Add permissions to delete lnk_files into gnome_delete_home_config()
- Remove rules for inotifyfs
- Remove rules for anon_inodefs
- Allow systemd nnp_transition to login_userdomain
- Allow unconfined_t write other processes perf_event records
- Allow sysadm_t dbus chat with tuned
- Allow tuned write profile files with file transition
- Allow tuned manage perf_events
- Make domains use kernel_write_perf_event() and kernel_manage_perf_event()
Zdenek Pytela
2021-05-13 18:42:35 +0200
61280fbdd0 * Wed May 12 2021 Zdenek Pytela <zpytela@redhat.com> - 34.1.4-1
- Allow sysadm_t dbus chat with tuned
Resolves: rhbz#1953643
- Allow tuned write profile files with file transition
Resolves: rhbz#1953643
- Allow tuned manage perf_events
Resolves: rhbz#1953643
- Make domains use kernel_write_perf_event() and kernel_manage_perf_event()
Resolves: rhbz#1953643
- Add kernel_write_perf_event() and kernel_manage_perf_event()
Resolves: rhbz#1953643
- Allow syslogd_t watch root and var directories
Resolves: rhbz#1957792
- Allow tgtd create and use rdma socket
Resolves: rhbz#1955559
- Allow aide connect to init with a unix socket
Resolves: rhbz#1926343
Zdenek Pytela
2021-05-12 15:45:13 +0200
4fecc6469f * Fri May 07 2021 Zdenek Pytela <zpytela@redhat.com> - 34.6-1
- Make domains use kernel_write_perf_event() and kernel_manage_perf_event()
- Add kernel_write_perf_event() and kernel_manage_perf_event()
- Allow syslogd_t watch root and var directories
- Allow unconfined_t read other processes perf_event records
- Allow login_userdomain read and map /var/lib/systemd files
- Allow NetworkManager watch its config dir
- Allow NetworkManager read and write z90crypt device
- Allow tgtd create and use rdma socket
- Allow aide connect to init with a unix socket
Zdenek Pytela
2021-05-07 18:08:57 +0200
b900d641f6 * Tue May 04 2021 Zdenek Pytela <zpytela@redhat.com> - 34.5-1
- Grant execmem to varnishlog_t
- We no longer need signull for varnishlog_t
- Add map permission to varnishd_read_lib_files
- Allow systemd-sleep tlp_filetrans_named_content()
- Allow systemd-sleep execute generic programs
- Allow systemd-sleep execute shell
- Allow sendmail to read/write kerberos host rcache files
- Allow freshclam get attributes of cgroup filesystems
- Fix context of /run/systemd/timesync
- Allow udev create /run/gdm with proper type
- Allow chronyc socket file transition in user temp directory
- Allow virtlogd_t to create virt_var_lockd_t dir
- Allow pluto IKEv2 / ESP over TCP
Zdenek Pytela
2021-05-04 20:27:30 +0200
997ca10921 * Wed Apr 28 2021 Zdenek Pytela <zpytela@redhat.com> - 34.1.3-1
- Allow domain create anonymous inodes
Resolves: rhbz#1954145
- Add anon_inode class to the policy
Resolves: rhbz#1954145
- Allow pluto IKEv2 / ESP over TCP
Resolves: rhbz#1951471
- Add brltty new permissions required by new upstream version
Resolves: rhbz#1947842
- Label /var/lib/brltty with brltty_var_lib_t
Resolves: rhbz#1947842
- Allow login_userdomain create cgroup files
Resolves: rhbz#1951114
- Allow aide connect to systemd-userdbd with a unix socket
Resolves: rhbz#1926343
- Allow cups-lpd read its private runtime socket files
Resolves: rhbz#1947397
- Label /etc/redis as redis_conf_t
Resolves: rhbz#1947874
- Add file context specification for /usr/libexec/realmd
Resolves: rhbz#1946495
Zdenek Pytela
2021-04-28 15:25:09 +0200
2b76eb3833 * Tue Apr 27 2021 Zdenek Pytela <zpytela@redhat.com> - 34.4-1
- Allow domain create anonymous inodes
- Add anon_inode class to the policy
- Allow systemd-coredump getattr nsfs files and net_admin capability
- Allow systemd-sleep transition to sysstat_t
- Allow systemd-sleep transition to tlp_t
- Allow systemd-sleep transition to unconfined_service_t on bin_t executables
- Allow systemd-timedated watch runtime dir and its parent
- Allow system dbusd read /var/lib symlinks
- Allow unconfined_service_t confidentiality and integrity lockdown
- Label /var/lib/brltty with brltty_var_lib_t
- Allow domain and unconfined_domain_type watch /proc/PID dirs
- Additional permission for confined users logging into graphic session
- Make for screen fsetid/setuid/setgid permission conditional
- Allow for confined users access to wtmp and run utempter
Zdenek Pytela
2021-04-27 19:55:59 +0200
2faa5c2293 * Wed Feb 24 2021 Zdenek Pytela <zpytela@redhat.com> - 3.14.8-4
- iptables.fc: Add missing legacy entries
- iptables.fc: Remove some duplicate entries
- iptables.fc: Remove duplicate file context entries
- Allow libvirtd to create generic netlink sockets
- Allow libvirtd the fsetid capability
- Allow libvirtd to read /run/utmp
- Dontaudit sys_ptrace capability when calling systemctl
- Allow udisksd to read /dev/random
- Allow udisksd to watch files under /run/mount
- Allow udisksd to watch /etc
- Allow crond to watch user_cron_spool_t directories
- Allow accountsd watch xdm config directories
- Label /etc/avahi with avahi_conf_t
- Allow sssd get cgroup filesystems attributes and search cgroup dirs
- Allow systemd-hostnamed read udev runtime data
- Remove dev_getattr_sysfs_fs() interface calls for particular domains
- Allow domain stat the /sys filesystem
- Dontaudit NetworkManager write to initrc_tmp_t pipes
- policykit.te: Clean up watch rule for policykit_auth_t
- Revert further unnecessary watch rules
- Revert "Allow getty watch its private runtime files"
- Allow systemd watch generic /var directories
- Allow init watch network config files and lnk_files
- Allow systemd-sleep get attributes of fixed disk device nodes
- Complete initial policy for systemd-coredump
- Label SDC(scini) Dell Driver
- Allow upowerd to send syslog messages
- Remove the disk write permissions from tlp_t
- Label NVMe devices as fixed_disk_device_t
- Allow rhsmcertd bind tcp sockets to a generic node
- Allow systemd-importd manage machines.lock file
Zdenek Pytela
2021-02-24 10:14:28 +0100
4508ded93f Merged update from upstream sources
DistroBaker
2021-02-20 17:32:55 +0000
7d8a7d8d32 Merged update from upstream sources
DistroBaker
2021-02-17 12:42:58 +0100
0d835ab10a Merged update from upstream sources
DistroBaker
2021-02-17 08:17:18 +0000
aa1f535cb2 * Tue Feb 16 2021 Zdenek Pytela <zpytela@redhat.com> - 3.14.8-3
- Allow unconfined integrity lockdown permission
- Relocate confidentiality lockdown rule from unconfined_domain_type to unconfined
- Allow systemd-machined manage systemd-userdbd runtime sockets
- Enable systemd-sysctl domtrans for udev
- Introduce kernel_load_unsigned_module interface and use it for couple domains
- Allow gpg watch user gpg secrets dirs
- Build also the container module in CI
- Remove duplicate code from kernel.te
- Allow restorecond to watch all non-auth directories
- Allow restorecond to watch its config file
Zdenek Pytela
2021-02-16 22:47:33 +0100
15dc304d75 * Mon Feb 15 2021 Zdenek Pytela <zpytela@redhat.com> - 3.14.8-2
- Allow userdomain watch various filesystem objects
- Allow systemd-logind and systemd-sleep integrity lockdown permission
- Allow unconfined_t and kprop_t to create krb5_0.rcache2 with the right context
- Allow pulseaudio watch devices and systemd-logind session dirs
- Allow abrt-dump-journal-* watch generic log dirs and /run/log/journal dir
- Remove duplicate files_mounton_etc(init_t) call
- Add watch permissions to manage_* object permissions sets
- Allow journalctl watch generic log dirs and /run/log/journal dir
- Label /etc/resolv.conf as net_conf_t even when it's a symlink
- Allow SSSD to watch /var/run/NetworkManager
- Allow dnsmasq_t to watch /etc
- Remove unnecessary lines from the new watch interfaces
- Fix docstring for init_watch_dir()
- Allow xdm watch its private lib dirs, /etc, /usr
Zdenek Pytela
2021-02-15 20:38:28 +0100
f521412d05 Merged update from upstream sources
DistroBaker
2021-02-13 00:52:48 +0000
ece0d0b7b5 Merged update from upstream sources
DistroBaker
2021-02-12 06:32:55 +0000
d558c4f1c7 * Thu Feb 11 2021 Zdenek Pytela <zpytela@redhat.com> - 3.14.8-1
- Bump version as Fedora 34 has been branched off rawhide
- Allow xdm watch its private lib dirs, /etc, /usr
- Allow systemd-importd create /run/systemd/machines.lock file
- Allow rhsmcertd_t read kpatch lib files
- Add integrity lockdown permission into dev_read_raw_memory()
- Add confidentiality lockdown permission into fs_rw_tracefs_files()
- Allow gpsd read and write ptp4l_t shared memory.
- Allow colord watch its private lib files and /usr
- Allow init watch_reads mount PID files
- Allow IPsec and Certmonger to use opencryptoki services
Zdenek Pytela
2021-02-11 22:08:31 +0100
eea0ee325a Merged update from upstream sources
DistroBaker
2021-02-09 04:48:56 +0000
c7e90bc196 * Sun Feb 07 2021 Zdenek Pytela <zpytela@redhat.com> - 3.14.7-18
- Allow lockdown confidentiality for domains using perf_event
- define lockdown class and access
- Add perfmon capability for all domains using perf_event
- Allow ptp4l_t bpf capability to run bpf programs
- Revert "Allow ptp4l_t sys_admin capability to run bpf programs"
- access_vectors: Add new capabilities to cap2
- Allow systemd and systemd-resolved watch dbus pid objects
- Add new watch interfaces in the base and userdomain policy
- Add watch permissions for contrib packages
- Allow xdm watch /usr directories
- Allow getty watch its private runtime files
- Add watch permissions for nscd and sssd
- Add watch permissions for firewalld and NetworkManager
- Add watch permissions for syslogd
- Add watch permissions for systemd services
- Allow restorecond watch /etc dirs
- Add watch permissions for user domain types
- Add watch permissions for init
- Add basic watch interfaces for systemd
- Add basic watch interfaces to the base module
- Add additional watch object permissions sets and patterns
- Allow init_t to watch localization symlinks
- Allow init_t to watch mount directories
- Allow init_t to watch cgroup files
- Add basic watch patterns
- Add new watch* permissions
Zdenek Pytela
2021-02-07 20:21:37 +0100
8e575c9c13 Merged update from upstream sources
DistroBaker
2021-02-05 19:32:49 +0000
c2d5ebb406 * Fri Feb 05 2021 Zdenek Pytela <zpytela@redhat.com> - 3.14.7-17
- Update .copr/make-srpm.sh to use rawhide as DISTGIT_BRANCH
- Dontaudit setsched for rndc
- Allow systemd-logind destroy entries in message queue
- Add userdom_destroy_unpriv_user_msgq() interface
- ci: Install build dependencies from koji
- Dontaudit vhostmd to write in /var/lib/rpm/ dir and allow signull rpm
- Add new cmadmin port for bfdd daemon
- virtiofs supports Xattrs and SELinux
- Allow domain write to systemd-resolved PID socket files
- Label /var/run/pcsd-ruby.socket socket with cluster_var_run_t type
- Allow rhsmcertd_t domain transition to kpatch_t
- Revert "Add kpatch_exec() interface"
- Revert "Allow rhsmcertd execute kpatch"
- Allow openvswitch create and use xfrm netlink sockets
- Allow openvswitch_t perf_event write permission
- Add kpatch_exec() interface
- Allow rhsmcertd execute kpatch
- Adds rule to allow glusterd to access RDMA socket
- radius: Lexical sort of service-specific corenet rules by service name
- VQP: Include IANA-assigned TCP/1589
- radius: Allow binding to the VQP port (VMPS)
- radius: Allow binding to the BDF Control and Echo ports
- radius: Allow binding to the DHCP client port
- radius: Allow net_raw; allow binding to the DHCP server ports
- Add rsync_sys_admin tunable to allow rsync sys_admin capability
- Allow staff_u run pam_console_apply
- Allow openvswitch_t perf_event open permission
- Allow sysadm read and write /dev/rfkill
- Allow certmonger fsetid capability
- Allow domain read usermodehelper state information
Zdenek Pytela
2021-02-05 09:36:28 +0100
557675f09a Use the rawhide branch instead of master
Zdenek Pytela
2021-02-04 15:12:36 +0100
ed75dbd813 Merged update from upstream sources
DistroBaker
2021-01-22 10:21:40 +0000
f38b38e51e Rebuild with SELinux userspace 3.2-rc1 release
Petr Lautrbach
2021-01-22 10:01:43 +0100
4f8342e8c3 Add /var/mnt equivalency to /mnt
Zdenek Pytela
2021-01-15 19:34:25 +0100
ce671c04d8 Update specfile to not verify md5/size/mtime for active store files
Zdenek Pytela
2021-01-15 19:49:38 +0100
0397c4c5ec Merged update from upstream sources
DistroBaker
2021-01-09 09:21:37 +0000
d76e0b4040 * Fri Jan 8 18:41:06 CET 2021 Zdenek Pytela <zpytela@redhat.com> - 3.14.7-14
- Allow domain read usermodehelper state information
- Remove all kernel_read_usermodehelper_state() interface calls
- .copr: improve timestamp format
- Allow wireshark create and use rdma socket
- Allow domain stat /proc filesystem
- Remove all kernel_getattr_proc() interface calls
- Revert "Allow passwd to get attributes in proc_t"
- Revert "Allow dovecot_auth_t stat /proc filesystem"
- Revert "Allow sssd, unix_chkpwd, groupadd stat /proc filesystem"
- Allow sssd read /run/systemd directory
- Label /dev/vhost-vdpa-[0-9]+ as vhost_device_t
Zdenek Pytela
2021-01-08 18:44:14 +0100
a2fc5fba64 Merged update from upstream sources
DistroBaker
2020-12-17 21:38:57 +0000
d5b79a1cb7 * Thu Dec 17 20:07:23 CET 2020 Zdenek Pytela <zpytela@redhat.com> - 3.14.7-13
- Label /dev/isst_interface as cpu_device_t
- Dontaudit firewalld dac_override capability
- Allow ipsec set the context of a SPD entry to the default context
- Build binary RPMs in CI
- Add SRPM build scripts for COPR
Zdenek Pytela
2020-12-17 20:11:46 +0100
7cee52182d Merged update from upstream sources
DistroBaker
2020-12-17 03:03:39 +0000
533a2f186e Remove useless mkdir command from minimum build
Ondrej Mosnacek
2020-12-12 13:04:18 +0100
ecfabbb8f3 Remove useless rm command from minimum build
Ondrej Mosnacek
2020-12-12 12:24:52 +0100
167b0505ce Remove unnecessary steps from targeted policy build
Ondrej Mosnacek
2020-12-12 12:08:56 +0100
fa72125856 * Tue Dec 15 16:24:44 CET 2020 Zdenek Pytela <zpytela@redhat.com> - 3.14.7-12
- Allow dovecot_auth_t stat /proc filesystem
- Allow sysadm_u user and unconfined_domain_type manage perf_events
- Allow pcp-pmcd manage perf_events
- Add manage_perf_event_perms object permissions set
- Add perf_event access vectors.
- Allow sssd, unix_chkpwd, groupadd stat /proc filesystem
- Allow stub-resolv.conf to be a symlink
- sysnetwork.if: avoid directly referencing systemd_resolved_var_run_t
- Create the systemd_dbus_chat_resolved() compatibility interface
- Allow nsswitch-domain write to systemd-resolved PID socket files
- Add systemd_resolved_write_pid_sock_files() interface
- Add default file context for "/var/run/chrony-dhcp(/.*)?"
- Allow timedatex dbus chat with cron system domain
- Add cron_dbus_chat_system_job() interface
- Allow systemd-logind manage init's pid files
Zdenek Pytela
2020-12-15 16:31:51 +0100
0f3b08d5d1 Add make to BuildRequires
Petr Lautrbach
2020-12-14 12:15:28 +0100
8d02847dad * Wed Dec 9 15:39:03 CET 2020 Zdenek Pytela <zpytela@redhat.com> - 3.14.7-11
- Allow systemd-logind manage init's pid files
- Allow tcsd the setgid capability
- Allow systemd-resolved manage its private runtime symlinks
- Update systemd_resolved_read_pid() to also read symlinks
- Update systemd-sleep policy
- Add groupadd_t fowner capability
- Migrate to GitHub Actions
- Update README.md to reflect the state after contrib and base merge
- Add README.md announcing merging of selinux-policy and selinux-policy-contrib
- Adapt .travis.yml to contrib merge
- Merge contrib into the main repo
- Prepare to merge contrib repo
- Move stuff around to match the main repo
Zdenek Pytela
2020-12-09 15:42:48 +0100
58fb34f371 Fix typos and grammar in README
Ondrej Mosnacek
2020-11-29 23:39:09 +0100
14735eb5eb Merged update from upstream sources
DistroBaker
2020-12-01 19:27:05 +0000
e94a380d32 * Thu Nov 26 2020 Zdenek Pytela <zpytela@redhat.com> - 3.14.7-10
- Allow Xephyr connect to 6000/tcp port and open user ptys
- Allow kexec manage generic tmp files
- Update targetd nfs & lvm
- Add interface rpc_manage_exports
- Merge selinux-policy and selinux-policy-contrib repos
Zdenek Pytela
2020-11-26 19:32:31 +0100
54876665ae Adapt specfile, make-rhat-patches, and README to contrib merge
Ondrej Mosnacek
2020-09-26 12:08:38 +0200
aebc05fc19 Reword and clean up the README
Ondrej Mosnacek
2020-10-12 10:18:21 +0200
cafbcb567e Merged update from upstream sources
DistroBaker
2020-11-25 16:25:36 +0000
595a6449f5 * Tue Nov 24 2020 Zdenek Pytela <zpytela@redhat.com> - 3.14.7-9
- Allow varnish map its private tmp files
- Allow dovecot bind to smtp ports
- Change fetchmail temporary files path to /var/spool/mail
- Allow cups_pdf_t domain to communicate with unix_dgram_socket
- Set file context for symlinks in /etc/httpd to etc_t
- Allow rpmdb rw access to inherited console, ttys, and ptys
- Allow dnsmasq read public files
- Announce merging of selinux-policy and selinux-policy-contrib
- Label /etc/resolv.conf as net_conf_t only if it is a plain file
- Fix range for unreserved ports
- Add files_search_non_security_dirs() interface
- Introduce logging_syslogd_append_public_content tunable
- Add miscfiles_append_public_files() interface
Zdenek Pytela
2020-11-24 19:47:48 +0100
05fb517c90 * Fri Nov 13 2020 Zdenek Pytela <zpytela@redhat.com> - 3.14.7-8
- Set correct default file context for /usr/libexec/pcp/lib/*
- Introduce rpmdb_t type
- Allow slapd manage files/dirs in ldap certificates directory
- Revert "Allow certmonger add new entries in a generic certificates directory"
- Allow certmonger add new entries in a generic certificates directory
- Allow slapd add new entries in ldap certificates directory
- Remove retired PCP pmwebd and pmmgr daemons (since 5.0)
- Let keepalived bind a raw socket
- Add default file context for /usr/libexec/pcp/lib/*
- squid: Allow net_raw capability when squid_use_tproxy is enabled
- systemd: allow networkd to check namespaces
- Add ability to read init_var_run_t where fs_read_efivarfs_files is allowed
- Allow resolved to create varlink sockets and the domain to talk to it
- selinux: tweak selinux_get_enforce_mode() to allow status page to be used
- systemd: allow all systemd services to check selinux status
- Set default file context for /var/lib/ipsec/nss
- Allow user domains transition to rpmdb_t
- Revert "Add miscfiles_add_entry_generic_cert_dirs() interface"
- Revert "Add miscfiles_create_generic_cert_dirs() interface"
- Update miscfiles_manage_all_certs() to include managing directories
- Add miscfiles_create_generic_cert_dirs() interface
- Add miscfiles_add_entry_generic_cert_dirs() interface
- Revert "Label /var/run/zincati/public/motd.d/* as motd_var_run_t"
Zdenek Pytela
2020-11-13 10:13:13 +0100
c0c357c156 Merged update from upstream sources
DistroBaker
2020-11-06 00:43:32 +0000
e88945f82a selinux-policy-3.14.7-7
Petr Lautrbach
2020-11-03 17:03:56 +0100
4adda006ba Clean up .gitignore
Ondrej Mosnacek
2020-10-12 13:57:35 +0200
478f57b9e8 Merged update from upstream sources
DistroBaker
2020-10-27 22:21:32 +0100
4da7d1152a * Thu Oct 22 2020 Zdenek Pytela <zpytela@redhat.com> - 3.14.7-6
- rpc.fc: Include /etc/exports.d dir & files
- Create chronyd_pid_filetrans() interface
- Change invalid type redisd_t to redis_t in redis_stream_connect()
- Revert "Removed adding to attribute unpriv_userdomain from userdom_unpriv_type template"
- Allow init dbus chat with kernel
- Allow initrc_t create /run/chronyd-dhcp directory with a transition
- Drop gcc from dependencies in Travis CI
- fc_sort.py: Use "==" for comparing integers.
- re-implement fc_sort in python
- Remove invalid file context line
- Drop git from dependencies in Travis CI
Zdenek Pytela
2020-10-22 18:12:31 +0200
a231488911 Drop the "BuildRequires: gcc" line from selinux-policy.spec
Zdenek Pytela
2020-10-22 15:29:50 +0200
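As an added example (not code from the selinux-policy dist-git repository or its maintainers), the following Python parses RPM %changelog entries in the form the commits above carry and indexes the "Resolves: rhbz#N" references by package release. It accepts both the multi-line spec form (one "- item" per line, followed by an optional "Resolves:" line) and the one-line rendering seen on this page, where the items are joined to the header with " - ". The sample text is constructed from three entries quoted above; the function names are mine, and the splitting of one-line entries assumes that no item text itself contains " - ", which holds for this log.

```python
"""Parse RPM %changelog entries in the form selinux-policy's spec file uses and
index the Bugzilla references ("Resolves: rhbz#N") by package release."""
import re
from collections import defaultdict

# "* Fri Aug 27 2021 Name <email> - EVR" or "* Fri Jan 8 18:41:06 CET 2021 Name <email> - EVR".
# A trailing " - item - item ..." tail (the one-line rendering seen on this page)
# is captured in `rest` and split into items by parse_changelog().
HEADER_RE = re.compile(
    r"^\* (?P<date>\w{3} \w{3} \d{1,2}(?: \d{2}:\d{2}:\d{2} \w+)? \d{4}) "
    r"(?P<author>.+?) <(?P<email>[^>]+)> - (?P<evr>\S+)(?P<rest>(?: - .*)?)$"
)
BUG_RE = re.compile(r"rhbz#(\d+)")


def _add_item(entry, text):
    """Record one change line; an inline 'Resolves: rhbz#N' tail is split off."""
    summary, _, tail = text.partition(" Resolves:")
    entry["items"].append({"text": summary.strip(), "bugs": BUG_RE.findall(tail)})


def parse_changelog(text):
    """Return a list of {date, author, email, evr, items} dicts in input order.
    Raises ValueError on lines that fit no known shape, so a truncated or
    mis-rendered log is reported rather than silently mis-attributed."""
    entries, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HEADER_RE.match(line)
        if m:
            current = {k: m[k] for k in ("date", "author", "email", "evr")}
            current["items"] = []
            entries.append(current)
            # One-line rendering: items follow the EVR joined with " - ".
            # Assumes (hypothetically, but true for this log) that no item
            # text contains " - " itself.
            for chunk in m["rest"].split(" - ")[1:]:
                _add_item(current, chunk)
        elif current is None:
            raise ValueError(f"changelog line before any header: {line!r}")
        elif line.startswith("- "):
            _add_item(current, line[2:])
        elif line.startswith("Resolves:"):
            if not current["items"]:
                raise ValueError(f"Resolves line without a preceding item: {line!r}")
            current["items"][-1]["bugs"].extend(BUG_RE.findall(line))
        else:
            raise ValueError(f"unrecognised changelog line: {line!r}")
    return entries


def bugs_by_release(entries):
    """Map each rhbz number to the sorted releases whose changelog cites it."""
    index = defaultdict(set)
    for entry in entries:
        for item in entry["items"]:
            for bug in item["bugs"]:
                index[bug].add(entry["evr"])
    return {bug: sorted(evrs) for bug, evrs in sorted(index.items())}


def untracked_changes(entries):
    """(evr, item text) pairs for changes that cite no Bugzilla ticket."""
    return [(e["evr"], i["text"]) for e in entries for i in e["items"] if not i["bugs"]]


# Constructed sample: three entries copied from the changelog above, the second
# one in the flattened one-line form this page renders.
SAMPLE = """\
* Wed Jul 14 2021 Zdenek Pytela <zpytela@redhat.com> - 34.1.10-1
- Allow bacula get attributes of cgroup filesystems
Resolves: rhbz#1976917
- Label /dev/wmi/dell-smbios as acpi_device_t
Resolves: rhbz#1972382
- Add the lockdown integrity permission to dev_map_userio_dev()
Resolves: rhbz#1966758
- Allow virtlogd_t to create virt_var_lockd_t dir
Resolves: rhbz#1974875

* Tue Jun 08 2021 Zdenek Pytela <zpytela@redhat.com> - 34.1.7-1 - Set default file context for /var/run/systemd instead of /run/systemd Resolves: rhbz#1966492

* Thu Dec 17 20:07:23 CET 2020 Zdenek Pytela <zpytela@redhat.com> - 3.14.7-13
- Label /dev/isst_interface as cpu_device_t
- Dontaudit firewalld dac_override capability
- Allow ipsec set the context of a SPD entry to the default context
- Build binary RPMs in CI
- Add SRPM build scripts for COPR
"""

if __name__ == "__main__":
    parsed = parse_changelog(SAMPLE)
    for bug, releases in bugs_by_release(parsed).items():
        print(f"rhbz#{bug}: {', '.join(releases)}")
    for evr, text in untracked_changes(parsed):
        print(f"no ticket in {evr}: {text}")
```

Fed the output of `rpm -q --changelog selinux-policy` on a host, `bugs_by_release` answers which installed release first carried the fix for a given Bugzilla ticket, and `untracked_changes` lists the policy changes that shipped with no ticket reference at all.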