* Sun Feb 16 2020 Lukas Vrabec <lvrabec@redhat.com> - 3.14.6-1
- Bump version to 3.14.6 because Fedora 32 was branched
Lukas Vrabec
2020-02-16 00:22:07 +0100
916c9099f2 * Fri Feb 07 2020 Zdenek Pytela <zpytela@redhat.com> - 3.14.5-24
- Allow ptp4l_t create and use packet_socket sockets
- Allow ipa_custodia_t create and use netlink_route_socket sockets.
- Allow networkmanager_t transition to setfiles_t
- Create init_create_dirs boolean to allow init create directories
Zdenek Pytela
2020-02-07 09:33:54 +0100
2a989ab68e spec: Use RPM path macros more consistently
Ondrej Mosnacek
2020-01-14 14:36:14 +0100
4ee1dfc5d7 * Fri Jan 31 2020 Zdenek Pytela <zpytela@redhat.com> - 3.14.5-23
- Allow thumb_t connect to system_dbusd_t BZ(1795044)
- Allow saslauthd_t filetrans variable files for /tmp directory
- Added apache create log dirs macro
- Tiny documentation fix
- Allow openfortivpn_t to manage net_conf_t files.
- Introduce boolean openfortivpn_can_network_connect.
- Dontaudit domain chronyd_t to list in user home dirs.
- Allow init_t to create apache log dirs.
- Add file transition for /dev/nvidia-uvm BZ(1770588)
- Allow syslog_t to read efivarfs_t files
- Add ioctl to term_dontaudit_use_ptmx macro
- Update xserver_rw_session macro
Zdenek Pytela
2020-01-31 10:53:24 +0100
07e568bc06 * Fri Jan 24 2020 Zdenek Pytela <zpytela@redhat.com> - 3.14.5-21
- Dontaudit timedatex_t read file_contexts_t and validate security contexts
- Make stratisd_t domain unconfined for now.
- stratisd_t policy updates.
- Label /var/spool/plymouth/boot.log as plymouthd_var_log_t
- Label /stratis as stratisd_data_t
- Allow opafm_t to create and use netlink rdma sockets.
- Allow stratisd_t domain to read/write fixed disk devices and removable devices.
- Added macro for stratisd to chat over dbus
- Add dac_override capability to stratisd_t domain
- Allow init_t set the nice level of all domains BZ(1778088)
- Allow userdomain to chat with stratisd over dbus.
Zdenek Pytela
2020-01-24 17:07:51 +0100
ee6e28e884 Fix %post script failures in selinux-policy-*
Vit Mojzis
2019-12-06 16:21:38 +0100
* Mon Jan 13 2020 Lukas Vrabec <lvrabec@redhat.com> - 3.14.5-20
- Fix typo in anaconda SELinux module
- Allow rtkit_t domain to control scheduling for your install_t processes
- Boolean: rngd_t to use executable memory
- Allow rngd_t domain to use nsswitch BZ(1787661)
- Allow exim to execute bin_t without domain trans
- Allow create udp sockets for abrt_upload_watch_t domains
- Drop label zebra_t for frr binaries
- Allow NetworkManager_t domain to get status of samba services
- Update milter policy to allow use sendmail
- Modify file context for .local directory to match exactly BZ(1637401)
- Allow init_t domain to create own socket files in /tmp
- Allow ipsec_mgmt_t domain to mmap ipsec_conf_file_t files
- Create files_create_non_security_dirs() interface
Lukas Vrabec
2020-01-13 10:09:50 +0100
e4f8091964 Remove all the "factory reset" stuff
Ondrej Mosnacek
2019-11-13 16:07:58 +0100
a9b321b3cc * Fri Dec 20 2019 Zdenek Pytela <zpytela@redhat.com> - 3.14.5-19
- Allow init_t nnp domain transition to kmod_t
- Allow userdomain dbus chat with systemd_resolved_t
- Allow init_t read and setattr on /var/lib/fprintd
- Allow sysadm_t dbus chat with colord_t
- Allow confined users run fwupdmgr
- Allow confined users run machinectl
- Allow systemd labeled as init_t domain to create dirs labeled as var_t
- Allow systemd labeled as init_t do read/write tpm_device_t chr files BZ(1778079)
- Add new file context rabbitmq_conf_t.
- Allow journalctl read init state BZ(1731753)
- Add fprintd_read_var_lib_dir and fprintd_setattr_var_lib_dir interfaces
- Allow pulseaudio create .config and dgram sendto to unpriv_userdomain
- Change type in transition for /var/cache/{dnf,yum} directory
- Allow cockpit_ws_t read efivarfs_t BZ(1777085)
- Allow abrt_dump_oops_t domain to create udp sockets BZ(1778030)
- Allow named_t domain to mmap named_zone_t files BZ(1647493)
- Make boinc_var_lib_t label system mountdir attribute
- Allow stratis_t domain to request load modules
- Update fail2ban policy
- Allow spamd_update_t access antivirus_unit_file_t BZ(1774092)
- Allow uuidd_t domain transition from systemd into confined domain with NoNewPrivileges systemd security feature.
- Allow rdisc_t domain transition from systemd into confined domain with NoNewPrivileges systemd security feature.
Zdenek Pytela
2019-12-20 17:01:21 +0100
f76a9deccc Consolidate make parameters
Ondrej Mosnacek
2019-12-03 14:28:42 +0100
9fd145765a Remove unused file
Ondrej Mosnacek
2019-12-03 10:55:57 +0100
* Thu Nov 28 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.5-18
- Introduce new type pdns_var_lib_t
- Allow zebra_t domain to read files labeled as nsfs_t.
- Allow systemd to setattr on all device_nodes
- Allow systemd to mounton and list all proc types
Lukas Vrabec
2019-11-28 22:19:38 +0100
* Thu Nov 14 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.5-15
- Increase SELinux userspace version which should be required.
Lukas Vrabec
2019-11-14 09:45:51 +0100
* Wed Nov 13 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.5-14
- Increase version of kernel compiled binary policy to 32 because of new SELinux userspace v3.0
Lukas Vrabec
2019-11-13 22:41:00 +0100
* Sun Nov 03 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.5-12
- Label /var/cache/nginx as httpd_cache_t
- Allow abrt_upload_watch_t domain to send dgram msgs to kernel processes and stream connect to journald
- Created dnsmasq_use_ipset boolean
- Allow capability dac_override in logwatch_mail_t domain
- Allow automount_t domain to execute ping in own SELinux domain (ping_t)
- Allow tmpreaper_t domain to getattr files labeled as mtrr_device_t
- Allow collectd_t domain to create netlink_generic_socket sockets
- Allow rhsmcertd_t domain to read/write rtas_errd_var_lock_t files
- Allow tmpwatch process labeled as tmpreaper_t domain to execute fuser command.
- Label /etc/postfix/chroot-update as postfix_exec_t
- Update tmpreaper_t policy due to fuser command
- Allow kdump_t domain to create netlink_route and udp sockets
- Allow stratisd to connect to dbus
- Allow fail2ban_t domain to create netlink netfilter sockets.
- Allow dovecot get filesystem quotas
- Allow networkmanager_t domain to execute chronyd binary in chronyd_t domain. BZ(1765689)
- Allow systemd-tmpfiles processes to set rlimit information
- Allow cephfs to use xattrs for storing contexts
- Update files_filetrans_named_content() interface to allow caller domain to create /oldroot /.profile with correct label etc_runtime_t
Lukas Vrabec
2019-11-03 12:59:34 +0100
- Update timedatex policy to add macros, more detail below
- Allow nagios_script_t domain list files labeled sysfs_t.
- Allow jetty_t domain search and read cgroup_t files.
- Allow Gluster mount client to mount files_type
- Dontaudit and disallow sys_admin capability for keepalived_t domain
- Update numad policy to allow signull, kill, nice and trace processes
- Allow ipmievd_t to RW watchdog devices
- Allow ldconfig_t domain to manage initrc_tmp_t link files
- Allow netutils_t domain to write to initrc_tmp_t fifo files
- Allow user domains to manage user session services
- Allow staff and user users to get status of user systemd session
- Update sudo_role_template() to allow caller domain to read syslog pid files
Lukas Vrabec
2019-10-22 15:43:26 +0200
* Wed Oct 09 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.5-7
- Revert "nova.fc: fix duplicated slash"
- Introduce new boolean httpd_use_opencryptoki
- Add new interface apache_read_state()
- Allow setroubleshoot_fixit_t to read random_device_t
- Label /etc/named directory as named_conf_t BZ(1759495)
- nova.fc: fix duplicated slash
- Allow dkim to execute sendmail
- Update virt_read_content interface to allow caller domain mmap virt_content_t block devices and files
- Update aide_t domain to allow this tool to analyze also /dev filesystem
- Update interface modutils_read_module_deps to allow caller domain also mmap modules_dep_t files BZ(1758634)
- Allow avahi_t to send msg to xdm_t
- Allow systemd_logind to read dosfs files & dirs (allow systemd-logind, a system service that manages user logins, to read files and list dirs on a DOS filesystem)
- Update dev_manage_sysfs() to support managing also lnk files BZ(1759019)
- Allow systemd_logind_t domain to read blk_files in domain removable_device_t
- Add new interface udev_getattr_rules_chr_files()
Lukas Vrabec
2019-10-09 13:13:38 +0200
* Fri Sep 20 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.5-4
- Run ipa-custodia as ipa_custodia_t
- Update webalizer_t SELinux policy
- Dontaudit thumb_t domain to getattr of nsfs_t files BZ(1753598)
- Allow rhsmcertd_t domain to read rtas_errd lock files
- Add new interface rtas_errd_read_lock()
- Update allow rules set for nrpe_t domain
- Update timedatex SELinux policy to synchronize time with GNOME and add new macro chronyd_service_status to chronyd.if
- Allow avahi_t to send msg to lpr_t
- Label /dev/shm/dirsrv/ with dirsrv_tmpfs_t label
- Allow dlm_controld_t domain to read random device
- Label libvirt drivers as virtd_exec_t
- Add sys_ptrace capability to pcp_pmlogger_t domain BZ(1751816)
- Allow gssproxy_t domain read state of all processes on system
- Add new macro systemd_timedated_status to systemd.if to get timedated service status
- Introduce xdm_manage_bootloader boolean
- Revert "Unconfined domains, need to create content with the correct labels"
- Allow xdm_t domain to read sssd pid files BZ(1753240)
- Move open, audit_access, and execmod to common file perms
Lukas Vrabec
2019-09-20 15:00:31 +0200
* Fri Sep 13 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.5-3
- Add sys_ptrace capability to pcp_pmlogger_t domain BZ(1751816)
- Allow gssproxy_t domain read state of all processes on system
- Fix typo in cachefilesd module
- Allow cachefilesd_t domain to read/write cachefiles_device_t devices
- Remove setting label for /dev/cachefilesd char device from cachefilesd policy. This should be added in base policy
- Add sys_admin capability for keepalived_t labeled processes
- Allow user_mail_domain attribute to manage files labeled as etc_aliases_t.
- Create new type ipmievd_helper_t domain for loading kernel modules.
- Run stratisd service as stratisd_t
- Fix abrt_upload_watch_t in abrt policy
- Update keepalived policy
- Update cron_role, cron_admin_role and cron_unconfined_role to avoid *_t_t types
- Revert "Create admin_crontab_t and admin_crontab_tmp_t types"
- Revert "Update cron_role() template to accept third parameter with SELinux domain prefix"
- Allow amanda_t to manage its var lib files and read random_device_t
- Create admin_crontab_t and admin_crontab_tmp_t types
- Add setgid and setuid capabilities to keepalived_t domain
- Update cron_role() template to accept third parameter with SELinux domain prefix
- Allow psad_t domain to create tcp diag sockets BZ(1750324)
- Allow systemd to mount fwupd_cache_t BZ(1750288)
- Allow chronyc_t domain to append to all non_security files
- Update zebra SELinux policy to make it work also with frr service
- Allow rtkit_daemon_t domain set process nice value in user namespaces BZ(1750024)
- Dontaudit rhsmcertd_t to write to dirs labeled as lib_t BZ(1556763)
- Label /var/run/mysql as mysqld_var_run_t
- Allow chronyd_t domain to manage and create chronyd_tmp_t dirs, files, sock_file objects.
- Update timedatex policy to manage localization
- Allow sandbox_web_type domains to sys_ptrace and sys_chroot in user namespaces
- Update gnome_dontaudit_read_config
- Allow devicekit_var_lib_t dirs to be created by systemd during service startup. BZ(1748997)
- Allow systemd labeled as init_t domain to remount rootfs filesystem
- Add interface files_remount_rootfs()
- Dontaudit sys_admin capability for iptables_t SELinux domain
- Label /dev/cachefilesd as cachefiles_device_t
- Make stratisd policy active
- Allow userdomains to dbus chat with policykit daemon
- Update userdomains to pass correct parameters based on updates from cron_*_role interfaces
- New interface files_append_non_security_files()
- Label 2618/tcp and 2618/udp as priority_e_com_port_t
- Label 2616/tcp and 2616/udp as appswitch_emp_port_t
- Label 2615/tcp and 2615/udp as firepower_port_t
- Label 2610/tcp and 2610/udp as versa_tek_port_t
- Label 2613/tcp and 2613/udp as smntubootstrap_port_t
- Label 3784/tcp and 3784/udp as bfd_control_port_t
- Remove rule allowing all processes to stream connect to unconfined domains
Lukas Vrabec
2019-09-13 17:04:11 +0200
* Wed Sep 04 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.5-2
- Allow zabbix_t domain to manage zabbix_var_lib_t sock files and connect to unix_stream_socket
- Dontaudit sandbox web types to setattr lib_t dirs
- Dontaudit system_mail_t domains to check for existence other applications on system BZ(1747369)
- Allow haproxy_t domain to read network state of system
- Allow processes labeled as keepalived_t domain to get process group
- Introduce dbusd_unit_file_type
- Allow pesign_t domain to read/write named cache files.
- Label /var/log/hawkey.log as rpm_log_t and update rpm named filetrans interfaces.
- Allow httpd_t domain to read/write named_cache_t files
- Add new interface bind_rw_cache()
- Allow cupsd_t domain to create directory with name ppd in dirs labeled as cupsd_etc_t with label cupsd_rw_etc_t.
- Update cpucontrol_t SELinux policy
- Allow pcp_pmcd_t domain to bind on udp port labeled as statsd_port_t
- Run lldpd service as lldpad_t.
- Allow spamd_update_t domain to create unix dgram sockets.
- Update dbus role template for confined users to allow login into x session
- Label /usr/libexec/microcode_ctl/reload_microcode as cpucontrol_exec_t
- Fix typo in networkmanager_append_log() interface
- Update collectd policy to allow daemon create /var/log/collectd with collectd_log_t label
- Allow login user type to use systemd user session
- Allow xdm_t domain to start dbusd services.
- Introduce new type xdm_unit_file_t
- Remove allowing all domain to communicate over pipes with all domain under rpm_transition_domain attribute
- Allow systemd labeled as init_t to remove sockets with tmp_t label BZ(1745632)
- Allow ipsec_t domain to read/write named cache files
- Allow sysadm_t to create hawkey log file with rpm_log_t SELinux label
- Allow domains systemd_networkd_t and systemd_logind_t to chat over dbus
- Label udp 8125 port as statsd_port_t
Lukas Vrabec
2019-09-04 18:09:39 +0200
* Tue Aug 13 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.4-30
- cockpit: Allow cockpit-session to read cockpit-tls state
- Allow zebra_t domain to read state of NetworkManager_t processes BZ(1739983)
- Allow named_t domain to read/write samba_var_t files BZ(1738794)
- Dontaudit abrt_t domain to read root_t files
- Allow ipa_dnskey_t domain to read kerberos keytab
- Allow mongod_t domain to read cgroup_t files BZ(1739357)
- Update ibacm_t policy
- Allow systemd to relabel all files on system.
- Revert "Add new boolean systemd_can_relabel"
- Allow xdm_t domain to read kernel sysctl BZ(1740385)
- Add sys_admin capability for xdm_t in user namespace. BZ(1740386)
- Allow dbus communications with resolved for DNS lookups
- Add new boolean systemd_can_relabel
- Allow auditd_t domain to create auditd_tmp_t temporary files and dirs in /tmp or /var/tmp
- Label '/var/usrlocal/(.*/)?sbin(/.*)?' as bin_t
- Update systemd_dontaudit_read_unit_files() interface to dontaudit also listing dirs
- Run lvmdbusd service as lvm_t
Lukas Vrabec
2019-08-13 17:59:35 +0200
* Tue Jul 30 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.4-26
- New policy for rrdcached
- Allow dhcpd_t domain to read network sysctls.
- Allow nut services to communicate with unconfined domains
- Allow virt_domain to Support ecryptfs home dirs.
- Allow domain transition lsmd_t to sensord_t
- Allow httpd_t to signull mailman_cgi_t process
- Make rrdcached policy active
- Label /etc/sysconfig/ip6?tables\.save as system_conf_t Resolves: rhbz#1733542
- Allow machinectl to run pull-tar BZ(1724247)
Lukas Vrabec
2019-07-30 10:51:50 +0200
* Fri Jul 26 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.4-25
- Allow spamd_update_t domain to read network state of system BZ(1733172)
- Allow dlm_controld_t domain to transition to the lvm_t
- Allow sandbox_web_client_t domain to do sys_chroot in user namespace
- Allow virtlockd process read virtlockd.conf file
- Add more permissions for session dbus types to make working dbus broker with systemd user sessions
- Allow sssd_t domain to read gnome config and named cache files
- Allow brltty to request to load kernel module
- Add svnserve_tmp_t label for svnserve temp files to system private tmp
- Allow sssd_t domain to read kernel net sysctls BZ(1732185)
- Run timedatex service as timedatex_t
- Allow mysqld_t domain to domtrans to ifconfig_t domain when executing ifconfig tool
- Allow cyrus work with PrivateTmp
- Make cgdcbxd_t domain working with SELinux enforcing.
- Make working wireshark execute by confined users staff_t and sysadm_t
- Dontaudit virt_domain to manage ~/.cache dirs BZ(1730963)
- Allow svnserve_t domain to read system state
- allow named_t to map named_cache_t files
- Label user cron spool file with user_cron_spool_t
- Update gnome_role_template() template to allow sysadm_t confined user to login to xsession
- Allow lograte_t domain to manage collect_rw_content files and dirs
- Add interface collectd_manage_rw_content()
- Allow ifconfig_t domain to manage vmware logs
- Remove system_r role from staff_u user.
- Make new timedatex policy module active
- Add systemd_private_tmp_type attribute
- Allow systemd to load kernel modules during boot process.
- Allow sysadm_t and staff_t domains to read wireshark shared memory
- Label /usr/libexec/utempter/utempter as utemper_exec_t
- Allow ipsec_t domain to read/write l2tpd pipe BZ(1731197)
- Allow sysadm_t domain to create netlink selinux sockets
- Make cgdcbxd active in Fedora upstream sources
Lukas Vrabec
2019-07-26 10:28:53 +0200
* Wed Jul 17 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.4-24
- Label user cron spool file with user_cron_spool_t
- Update gnome_role_template() template to allow sysadm_t confined user to login to xsession
- Allow lograte_t domain to manage collect_rw_content files and dirs
- Add interface collectd_manage_rw_content()
- Allow systemd_hostnamed_t domain to dbus chat with sosreport_t domain
- Update tomcat_can_network_connect_db boolean to allow tomcat domains also connect to redis ports
- Allow mysqld_t domain to manage cluster pid files
- Relabel /usr/sbin/virtlockd from virt_exec_t to virtlogd_exec_t.
- Allow ptp4l_t domain to write to pmc socket which is created by pmc command line tool
- Allow dkim-milter to send e-mails BZ(1716937)
- Update spamassassin policy to make working /usr/share/spamassassin/sa-update.cron script BZ(1711799)
- Update svnserve_t policy to make working svnserve hooks
- Allow varnishlog_t domain to check for presence of varnishd_t domains
- Update sandboxX policy to make working firefox inside SELinux sandbox
- Remove allow rule from svirt_transition_svirt_sandbox interface to don't allow containers to connect to random services
- Allow httpd_t domain to read /var/lib/softhsm/tokens to allow httpd daemon to use pkcs#11 devices
- Allow gssd_t domain to list tmpfs_t dirs
- Allow mdadm_t domain to read tmpfs_t files
- Allow sbd_t domain to check presence of processes labeled as cluster_t
- Dontaudit httpd_sys_script_t to read systemd unit files
- Allow blkmapd_t domain to read nvme devices
- Update cpucontrol_t domain to make working microcode service
- Allow domain transition from logwatch_t to postfix_postqueue_t
- Allow chronyc_t domain to create and write to non_security files in case when sysadmin is redirecting output to file, e.g.: 'chronyc -n tracking > /var/lib/test'
- Allow httpd_sys_script_t domain to mmap httpcontent
- Allow sbd_t to manage cgroups_t files
- Update wireshark policy to make working tshark labeled as wireshark_t
- Update virt_use_nfs boolean to allow svirt_t domain to mmap nfs_t files
- Allow sysadm_t domain to create netlink selinux sockets
- Make cgdcbxd active in Fedora upstream sources
- Allow sysadm_t domain to dbus chat with rtkit daemon
- Allow x_userdomains to nnp domain transition to thumb_t domain
- Allow unconfined_domain_type to setattr own process lnk files.
- Add interface files_write_generic_pid_sockets()
- Dontaudit writing to user home dirs by gnome-keyring-daemon
- Allow staff and admin domains to setpcap in user namespace
- Allow staff and sysadm to use lockdev
- Allow staff and sysadm users to run iotop.
- Dontaudit traceroute_t domain require sys_admin capability
- Dontaudit dbus chat between kernel_t and init_t
- Allow systemd labeled as init_t to create mountpoints without any specific label as default_t
Lukas Vrabec
2019-07-17 17:58:49 +0200
* Wed Jul 10 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.4-23
- Update dbusd policy and networkmanager to allow confined users to connect to vpn over NetworkManager
- Fix all interfaces which cannot be compiled because of typos
- Allow X userdomains to mmap user_fonts_cache_t dirs
Lukas Vrabec
2019-07-10 10:16:00 +0200
* Mon Jul 08 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.4-22
- Label /var/kerberos/krb5 as krb5_keytab_t
- Allow glusterd_t domain to setpgid
- Allow lsmd_t domain to execute /usr/bin/debuginfo-install
- Allow sbd_t domain to manage cgroup dirs
- Allow opafm_t domain to modify scheduling information of another process.
- Allow wireshark_t domain to create netlink netfilter sockets
- Allow gpg_agent_t domain to use nsswitch
- Allow httpd script types to mmap httpd rw content
- Allow dkim_milter_t domain to execute shell BZ(17116937)
- Allow sbd_t domain to use nsswitch
- Allow rhsmcertd_t domain to send signull to all domains
- Allow snort_t domain to create netlink netfilter sockets BZ(1723184)
- Dontaudit blueman to read state of all domains on system BZ(1722696)
- Allow boltd_t domain to use ps and get state of all domains on system. BZ(1723217)
- Allow rtkit_daemon_t to use sys_ptrace usernamespace capability BZ(1723308)
- Replace "-" by "_" in types names
- Change condor_domain declaration in condor_systemctl
- Allow firewalld_t domain to read iptables_var_run_t files BZ(1722405)
- Allow auditd_t domain to send signals to audisp_remote_t domain
- Allow systemd labeled as init_t domain to read/write faillog_t. BZ(1723132)
- Allow systemd_tmpfiles_t domain to relabel from usermodehelper_t files
- Add interface kernel_relabelfrom_usermodehelper()
- Dontaudit unpriv_userdomain to manage boot_t files
- Allow xdm_t domain to mmap /var/lib/gdm/.cache/fontconfig BZ(1725509)
- Allow systemd to execute bootloader grub2-set-bootflag BZ(1722531)
- Allow associate efivarfs_t on sysfs_t
Lukas Vrabec
2019-07-08 10:00:11 +0200
* Mon May 27 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.4-19
- Fix bind_read_cache() interface to allow only read perms to caller domains
- [speech-dispatcher.if] m4 macro names can not have - in them
- Grant varnishlog_t access to varnishd_etc_t
- Allow nrpe_t domain to read process state of systemd_logind_t
- Allow mongod_t domain to connect on https port BZ(1711922)
- Allow chronyc_t domain to create own tmpfiles and allow communicate send data over unix dgram sockets
- Dontaudit spamd_update_t domain to read all domains states BZ(1711799)
- Allow pcp_pmie_t domain to use sys_ptrace usernamespace cap BZ(1705871)
- Allow userdomains to send data over dgram sockets to userdomains dbus services BZ(1710119)
- Revert "Allow userdomains to send data over dgram sockets to userdomains dbus services BZ(1710119)"
- Make boinc_var_lib_t mountpoint BZ(1711682)
- Allow wireshark_t domain to create fifo temp files
- All NetworkManager_ssh_t rules have to be in same optional block with ssh_basic_client_template(), fixing this bug in NetworkManager policy
- Allow dbus chat between NetworkManager_t and NetworkManager_ssh_t domains. BZ(1677484)
- Fix typo in gpg SELinux module
- Update gpg policy to make it working with confined users
- Add domain transition that systemd labeled as init_t can execute spamd_update_exec_t binary to run newly created process as spamd_update_t
- Remove allow rule for virt_qemu_ga_t to write/append user_tmp_t files
- Label /var/run/user/*/dbus-1 as session_dbusd_tmp_t
- Add dac_override capability to namespace_init_t domain
- Label /usr/sbin/corosync-qdevice as cluster_exec_t
- Allow NetworkManager_ssh_t domain to open communication channel with system dbus. BZ(1677484)
- Label /usr/libexec/dnf-utils as debuginfo_exec_t
- Allow nrpe_t to send signull to sssd domain when nagios_run_sudo boolean is turned on
- Allow nrpe_t domain to be dbus client
- Add interface sssd_signull()
- Build in parallel on Travis
- Fix parallel build of the policy
- Revert "Make able deply overcloud via neutron_t to label nsfs as fs_t"
- Add interface systemd_logind_read_state()
- Fix find commands in Makefiles
- Allow systemd-timesyncd to read network state BZ(1694272)
- Update userdomains to allow confined users to create gpg keys
- Allow associate all filesystem_types with fs_t
- Dontaudit syslogd_t using kill in user namespaces BZ(1711122)
- Allow init_t to manage session_dbusd_tmp_t dirs
- Allow systemd_gpt_generator_t to read/write to clearance
- Allow su_domain_type to getattr to /dev/gpmctl
- Update userdom_login_user_template() template to make working systemd user session for guest and xguest SELinux users
Lukas Vrabec
2019-05-27 16:47:47 +0200
* Fri May 17 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.4-18
- Fix typo in gpg SELinux module
- Update gpg policy to make it working with confined users
- Add domain transition that systemd labeled as init_t can execute spamd_update_exec_t binary to run newly created process as spamd_update_t
- Remove allow rule for virt_qemu_ga_t to write/append user_tmp_t files
- Label /var/run/user/*/dbus-1 as session_dbusd_tmp_t
- Add dac_override capability to namespace_init_t domain
- Label /usr/sbin/corosync-qdevice as cluster_exec_t
- Allow NetworkManager_ssh_t domain to open communication channel with system dbus. BZ(1677484)
- Label /usr/libexec/dnf-utils as debuginfo_exec_t
- Allow nrpe_t to send signull to sssd domain when nagios_run_sudo boolean is turned on
- Allow nrpe_t domain to be dbus client
- Add interface sssd_signull()
- Label /usr/bin/tshark as wireshark_exec_t
- Update userdomains to allow confined users to create gpg keys
- Allow associate all filesystem_types with fs_t
- Dontaudit syslogd_t using kill in user namespaces BZ(1711122)
- Allow init_t to manage session_dbusd_tmp_t dirs
- Allow systemd_gpt_generator_t to read/write to clearance
- Allow su_domain_type to getattr to /dev/gpmctl
- Update userdom_login_user_template() template to make working systemd user session for guest and xguest SELinux users
Lukas Vrabec
2019-05-18 01:04:36 +0200
* Fri May 17 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.4-17
- Allow nrpe_t to send signull to sssd domain when nagios_run_sudo boolean is turned on
- Allow nrpe_t domain to be dbus client
- Add interface sssd_signull()
- Label /usr/bin/tshark as wireshark_exec_t
- Fix typo in dbus_role_template()
- Allow userdomains to send data over dgram sockets to userdomains dbus services BZ(1710119)
- Allow userdomains dbus domain to execute dbus broker. BZ(1710113)
- Allow dovecot_deliver_t setuid/setgid capabilities BZ(1709572)
- Allow virt domains to access xserver devices BZ(1705685)
- Allow aide to be executed by systemd with correct (aide_t) domain BZ(1648512)
- Dontaudit svirt_tcg_t domain to read process state of libvirt BZ(1594598)
- Allow pcp_pmie_t domain to use fsetid capability BZ(1708082)
- Allow pcp_pmlogger_t to use setrlimit BZ(1708951)
- Allow gpsd_t domain to read udev db BZ(1709025)
- Add sys_ptrace capability for namespace_init_t domain
- Allow systemd to execute sa-update in spamd_update_t domain BZ(1705331)
- Allow rhsmcertd_t domain to read rpm cache files
- Label /efi same as /boot/efi boot_t BZ(1571962)
- Allow transition from udev_t to tlp_t BZ(1705246)
- Remove initrc_exec_t for /usr/sbin/apachectl file
Lukas Vrabec
2019-05-17 18:12:55 +0200
* Thu May 02 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.4-15
- Allow iscsid_t domain to mmap modules_dep_t files
- Allow nagios to use chown capability
- Dontaudit gpg_domain to create netlink_audit sockets
- Remove role transition in rpm_run() interface to allow sysadm_r jump to rpm_t type. BZ(1704251)
- Allow dirsrv_t domain to execute own tmp files BZ(1703111)
- Update fs_rw_cephfs_files() interface to allow also caller domain to read/write cephfs_t lnk files
- Update domain_can_mmap_files() boolean to allow also mmap lnk files
- Improve userdom interfaces to drop guest_u SELinux user to use nsswitch
Lukas Vrabec
2019-05-02 15:46:11 +0200
* Thu Apr 25 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.4-13
- Introduce deny_bluetooth boolean
- Allow greylist_milter_t to read network system state BZ(1702672)
- Allow freeipmi domains to mmap freeipmi_var_cache_t files
- Allow rhsmcertd_t and rpm_t domains to chat over dbus
- Allow thumb_t domain to delete cache_home_t files BZ(1701643)
- Update gnome_role_template() to allow _gkeyringd_t domains to chat with systemd_logind over dbus
- Add new interface boltd_dbus_chat()
- Allow fwupd_t and modemmanager_t domains to communicate over dbus BZ(1701791)
- Allow keepalived_t domain to create and use netlink_connector sockets BZ(1701750)
- Allow cockpit_ws_t domain to set limits BZ(1701703)
- Update Nagios policy when sudo is used
- Daemon rhsmcertd is able to install certs for docker again
- Introduce deny_bluetooth boolean
- Don't allow a container to connect to random services
- Remove file context /usr/share/spamassassin/sa-update\.cron -> bin_t to label sa-update.cron as spamd_update_exec_t.
- Allow systemd_logind_t and systemd_resolved_t domains to chat over dbus
- Allow unconfined_t to use bpf tools
- Allow x_userdomains to communicate with boltd daemon over dbus
Lukas Vrabec
2019-04-25 17:29:03 +0200
* Fri Apr 12 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.4-11
- Allow mongod_t domain to lsearch in cgroups BZ(1698743)
- Allow rngd communication with pcscd BZ(1679217)
- Create cockpit_tmpfs_t and allow cockpit ws and session to use it BZ(1698405)
- Fix broken networkmanager interface for allowing manage lib files for dnsmasq_t.
- Update logging_send_audit_msgs(sudodomain() to control TTY auditing for netlink socket for audit service
Lukas Vrabec
2019-04-12 23:24:21 +0200
* Sat Mar 23 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.4-6
- Allow boltd_t domain to write to sysfs_t dirs BZ(1689287)
- Allow fail2ban execute journalctl BZ(1689034)
- Update sudodomains to make working confined users run sudo/su
- Introduce new boolean unconfined_dyntrans_all.
- Allow iptables_t domain to read NetworkManager state BZ(1690881)
Lukas Vrabec
2019-03-23 15:32:56 +0100
03abf46c1c Merge #17 Remove previous/ version of module directory
Lukas Vrabec
2019-03-20 18:58:56 +0000
7fd6024816 Add check for config file consistency
Vit Mojzis
2019-02-14 15:42:36 +0100
* Wed Mar 12 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.4-4
- Update vmtools policy
- Allow virt_qemu_ga_t domain to read udev_var_run_t files
- Update nagios_run_sudo boolean with few allow rules related to accessing sssd
- Update travis CI to install selinux-policy dependencies without checking for gpg check
- Allow journalctl_t domain to mmap syslogd_var_run_t files
- Allow smokeping process to mmap own var lib files and allow set process group. Resolves: rhbz#1661046
- Allow sbd_t domain to bypass permission checks for sending signals
- Allow sbd_t domain read/write all sysctls
- Allow kpatch_t domain to communicate with policykit_t domain over dbus
- Allow boltd_t to stream connect to system dbus
- Allow zabbix_t domain to create sockets labeled as zabbix_var_run_t BZ(1683820)
- Allow all domains to send dbus msgs to vmtools_unconfined_t processes
- Label /dev/pkey as crypt_device_t
- Allow sudodomains to write to systemd_logind_sessions_t pipes.
- Label /usr/lib64/libcuda.so.XX.XX library as textrel_shlib_t.
- Allow ifconfig_t domain to read /dev/random BZ(1687516)
- Fix interface modutils_run_kmod() where was used old interface modutils_domtrans_insmod instead of new one modutils_domtrans_kmod() Resolves: rhbz#1686660
- Update travis CI to install selinux-policy dependencies without checking for gpg check
- Label /usr/sbin/nodm as xdm_exec_t same as other display managers
- Update userdom_admin_user_template() and init_prog_run_bpf() interfaces to make working bpftool for confined admin
- Label /usr/sbin/e2mmpstatus as fsadm_exec_t Resolves: rhbz#1684221
- Update unconfined_dbus_send() interface to allow both direction communication over dbus with unconfined process.
Lukas Vrabec
2019-03-12 18:42:45 +0100
* Mon Feb 25 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.4-1
- Allow openvpn_t domain to set capability BZ(1680276)
- Update redis_enable_notify() boolean to fix sending e-mail by redis when this boolean is turned on
- Allow chronyd_t domain to send data over dgram socket
- Add rolekit_dgram_send() interface
- Fix bug in userdom_restricted_xwindows_user_template() template to disallow all user domains to access admin_home_t
- kernel/files.fc: Label /var/run/motd.d(./*)? and /var/run/motd as pam_var_run_t
Lukas Vrabec
2019-02-25 23:17:05 +0100