Commit Graph

  • 35bcefb9e1
    * Wed Jul 18 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.14.2-28
    - Allow cupsd_t domain to mmap cupsd_etc_t files
    - Allow kadmind_t domain to mmap krb5kdc_principal_t
    - Allow virtlogd_t domain to read virt_etc_t link files
    - Allow dirsrv_t domain to read crack db
    - Dontaudit pegasus_t to require sys_admin capability
    - Allow mysqld_t domain to exec mysqld_exec_t binary files
    - Allow abrt_t domain to read rhsmcertd lib files
    - Allow winbind_t domain to request kernel module loads
    - Allow tomcat_domain to read cgroup_t files
    - Allow varnishlog_t domain to mmap varnishd_var_lib_t files
    - Allow innd_t domain to mmap news_spool_t files
    - Label HOME_DIR/mozilla.pdf file as mozilla_home_t instead of user_home_t
    - Allow fenced_t domain to reboot
    - Allow amanda_t domain to read network system state
    - Allow abrt_t domain to read rhsmcertd logs
    - Fix typo in radius policy
    - Update zoneminder policy to reflect latest features in zoneminder BZ(1592555)
    - Label /usr/bin/esmtp-wrapper as sendmail_exec_t
    - Update raid_access_check_mdadm() interface to dontaudit caller domain to mmap mdadm_exec_t binary files
    - Dontaudit thumb to read mmap_min_addr
    - Allow chronyd_t to send to system_cronjob_t via unix dgram socket BZ(1494904)
    - Allow mpd_t domain to mmap mpd_tmpfs_t files BZ(1585443)
    - Allow collectd_t domain to use ecryptfs files BZ(1592640)
    - Dontaudit mmap home type files for abrt_t domain
    - Allow fprintd_t domain creating own tmp files BZ(1590686)
    - Allow collectd_t domain to bind on bacula_port_t BZ(1590830)
    - Allow fail2ban_t domain to getpgid BZ(1591421)
    - Allow nagios_script_t domain to mmap nagios_log_t files BZ(1593808)
    - Allow pcp_pmcd_t domain to use sys_ptrace usernamespace cap
    - Allow sssd_selinux_manager_t to read/write to systemd sockets BZ(1595458)
    - Allow virt_qemu_ga_t domain to read network state BZ(1592145)
    - Allow radiusd_t domain to mmap radius_etc_rw_t files
    - Allow git_script_t domain to read and mmap gitosis_var_lib_t files BZ(1591729)
    - Add dac_read_search capability to thumb_t domain
    - Add dac_override capability to cups_pdf_t domain BZ(1594271)
    - Add net_admin capability to conntrackd_t domain BZ(1594221)
    - Allow gssproxy_t domain to domtrans into gssd_t domain BZ(1575234)
    - Fix interface init_dbus_chat in oddjob SELinux policy BZ(1590476)
    - Allow motion_t to mmap video devices BZ(1590446)
    - Add dac_override capability to mpd_t domain BZ(1585358)
    - Allow fsdaemon_t domain to write to mta home files BZ(1588212)
    - Allow virtlogd_t domain to chat via dbus with systemd_logind BZ(1589337)
    - Allow sssd_t domain to write to general cert files BZ(1589339)
    - Allow l2tpd_t domain to send signull to ipsec domains BZ(1589483)
    - Allow cockpit_session_t to read kernel network state BZ(1596941)
    - Allow devicekit_power_t start with nnp systemd security feature with proper SELinux Domain transition BZ(1593817)
    - Update rhcs_rw_cluster_tmpfs() interface to allow caller domain to mmap cluster_tmpfs_t files
    - Allow chronyc_t domain to use nscd shm
    - Label /var/lib/tomcats dir as tomcat_var_lib_t
    Lukas Vrabec 2018-07-18 17:37:07 +0200
  • 9034dd66a3
    - Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
    Fedora Release Engineering 2018-07-14 05:57:18 +0000
  • 91c8ed0d49
    Remove needless use of %defattr Jason Tibbitts 2018-07-10 01:20:06 -0500
  • e7ec0c885a
    Spec: fix typo in Url field (introduced in 51dc83b2d) Jan Pokorný 2018-07-05 18:19:21 +0200
  • 113644e361
    Make ibacm policy active Lukas Vrabec 2018-06-29 15:32:02 +0200
  • 985fc6104c
    * Wed Jun 27 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.14.2-26
    - Allow psad domain to setrlimit. Allow psad domain to stream connect to dbus. Allow psad domain to exec journalctl_exec_t binary
    - Update cups_filetrans_named_content() to allow caller domain create ppd directory with cupsd_etc_rw_t label
    - Allow abrt_t domain to write to rhsmcertd pid files
    - Allow pegasus_t domain to exec lvm binaries and allow read/write access to lvm control
    - Add vhostmd_t domain to read/write to svirt images
    - Update kdump_manage_kdumpctl_tmp_files() interface to allow caller domain also mmap kdumpctl_tmp_t files
    - Allow sssd_t and slapd_t domains to mmap generic certs
    - Allow chronyc_t domain use inherited user ttys
    - Allow stapserver_t domain to mmap own tmp files
    - Update nscd_dontaudit_write_sock_file() to dontaudit also stream connect to nscd_t domain
    - Merge pull request #60 from vmojzis/rawhide
    - Allow tangd_t domain stream connect to sssd
    - Allow oddjob_t domain to chat with systemd via dbus
    - Allow freeipmi domains to mmap sysfs files
    - Fix typo in logwatch interface file
    - Allow sysadm_t and staff_t domains to use sudo io logging
    - Allow sysadm_t domain create sctp sockets
    - Allow traceroute_t domain to exec bin_t binaries
    - Allow systemd_passwd_agent_t domain to list sysfs. Allow systemd_passwd_agent_t domain to dac_override
    - Add new interface dev_map_sysfs()
    Lukas Vrabec 2018-06-27 10:25:55 +0200
  • 5d84adca3e
    Remove config.tgz from distgit and put configuration to policy sources on github Lukas Vrabec 2018-06-26 17:21:53 +0200
  • b719841045
    Improve make-rhat-patches.sh for local development Petr Lautrbach 2018-06-15 15:08:02 +0200
  • f4debe939a
    * Thu Jun 14 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.14.2-25
    - Merge pull request #60 from vmojzis/rawhide
    - Allow tangd_t domain stream connect to sssd
    - Allow oddjob_t domain to chat with systemd via dbus
    - Allow freeipmi domains to mmap sysfs files
    - Fix typo in logwatch interface file
    - Allow spamd_t to manage logwatch_cache_t files/dirs
    - Allow dnsmasq_t domain to create own tmp files and manage mnt files
    - Allow fail2ban_client_t to inherit rlimit information from parent process
    - Allow nscd_t to read kernel sysctls
    - Label /var/log/conman.d as conman_log_t
    - Add dac_override capability to tor_t domain
    - Allow certmonger_t to readwrite to user_tmp_t dirs
    - Allow abrt_upload_watch_t domain to read general certs
    - Allow chronyd_t read phc2sys_t shared memory
    - Add several allow rules for pesign policy
    - Add setgid and setuid capabilities to mysqld_safe_t domain
    - Add tomcat_can_network_connect_db boolean
    - Update virt_use_sanlock() boolean to read sanlock state
    - Add sanlock_read_state() interface
    - Allow zoneminder_t to getattr of fs_t
    - Allow rhsmcertd_t domain to send signull to postgresql_t domain
    - Add log file type to collectd and allow corresponding access
    - Allow policykit_t domain to dbus chat with dhcpc_t
    - Allow traceroute_t domain to exec bin_t binaries
    - Allow systemd_passwd_agent_t domain to list sysfs. Allow systemd_passwd_agent_t domain to dac_override
    - Add new interface dev_map_sysfs()
    - Allow sshd_keygen_t to execute plymouthd
    - Allow systemd_networkd_t create and relabel tun sockets
    - Add new interface postgresql_signull()
    Lukas Vrabec 2018-06-14 15:31:59 +0200
  • 1d35f9ea76
    * Tue Jun 12 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.14.2-24
    - /usr/libexec/bluetooth/obexd should have only obexd_exec_t instead of bluetoothd_exec_t type
    - Allow ntop_t domain to create/map various sockets/files.
    - Enable the dictd to communicate via D-bus.
    - Allow inetd_child process to chat via dbus with abrt
    - Allow zabbix_agent_t domain to connect to redis_port_t
    - Allow rhsmcertd_t domain to read xenfs_t files
    - Allow zabbix_agent_t to run zabbix scripts
    - Fix openvswitch SELinux module
    - Fix wrong path in tlp context file BZ(1586329)
    - Update brltty SELinux module
    - Allow rabbitmq_t domain to create own tmp files/dirs
    - Allow policykit_t mmap policykit_auth_exec_t files
    - Allow ipmievd_t domain to read general certs
    - Add sys_ptrace capability to pcp_pmie_t domain
    - Allow squid domain to exec ldconfig
    - Update gpg SELinux policy module
    - Allow mailman_domain to read system network state
    - Allow openvswitch_t domain to read neutron state and read/write fixed disk devices
    - Allow antivirus_domain to read all domain system state
    - Allow targetd_t domain to read gconf_home_t files/dirs
    - Label /usr/libexec/bluetooth/obexd as obexd_exec_t
    - Add interface nagios_unconfined_signull()
    - Fix typos in zabbix.te file
    - Add missing requires
    - Allow tomcat domain send email
    - Fix typo in sge policy
    - Merge pull request #214 from wrabcak/fb-dhcpc
    - Allow dhcpc_t creating own socket files inside /var/run/. Allow dhcpc_t creating netlink_kobject_uevent_socket, netlink_generic_socket, rawip_socket BZ(1585971)
    - Allow confined users get AFS tokens
    - Allow sysadm_t domain to chat via dbus
    - Associate sysctl_kernel_t type with filesystem attribute
    - Allow syslogd_t domain to send signull to nagios_unconfined_plugin_t
    - Fix typo in netutils.te file
    Lukas Vrabec 2018-06-12 14:22:02 +0200
  • afcdb03a67
    Add missing equivalency rules to be able to do proper configuration of polyinstantiation Lukas Vrabec 2018-06-06 16:05:24 +0200
  • 4cca30aa93
    * Wed Jun 06 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.14.2-23
    - Add dac_override capability to sendmail_t domain
    Lukas Vrabec 2018-06-06 13:16:15 +0200
  • 318acc9510
    * Wed Jun 06 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.14.2-22
    - Fix typo in authconfig policy
    - Update ctdb domain to support gNFS setup
    - Allow authconfig_t dbus chat with policykit
    - Allow lircd_t domain to read system state
    - Revert "Allow fsdaemon_t do send emails BZ(1582701)"
    - Typo in uuidd policy
    - Allow tangd_t domain read certs
    - Allow vpnc_t domain to read configfs_t files/dirs BZ(1583107)
    - Allow vpnc_t domain to read generic certs BZ(1583100)
    - Label /var/lib/phpMyAdmin directory as httpd_sys_rw_content_t BZ(1584811)
    - Allow NetworkManager_ssh_t domain to be system dbusd client
    - Allow virt_qemu_ga_t read utmp
    - Add capability dac_override to system_mail_t domain
    - Update uuidd policy to reflect last changes from base branch
    - Add cap dac_override to procmail_t domain
    - Allow sendmail to mmap etc_aliases_t files BZ(1578569)
    - Add new interface dbus_read_pid_sock_files()
    - Allow mpd_t domain read config_home files if mpd_enable_homedirs boolean will be enabled
    - Allow fsdaemon_t do send emails BZ(1582701)
    - Allow firewalld_t domain to request kernel module BZ(1573501)
    - Allow chronyd_t domain to send msg via dgram socket BZ(1584757)
    - Add sys_admin capability to fprint_t SELinux domain
    - Allow cyrus_t domain to create own files under /var/run BZ(1582885)
    - Allow cachefiles_kernel_t domain to have capability dac_override
    - Update policy for ypserv_t domain
    - Allow zebra_t domain to bind on tcp/udp ports labeled as qpasa_agent_port_t
    - Allow cyrus to have dac_override capability
    - Dontaudit action when abrt-hook-ccpp is writing to nscd sockets
    - Fix homedir polyinstantiation under mls
    - Fixed typo in init.if file
    - Allow systemd to remove generic tmp files BZ(1583144)
    - Update init_named_socket_activation() interface to also allow systemd create objects in /var/run with proper label during socket activation
    - Allow systemd-networkd and systemd-resolved services read system-dbusd socket BZ(1579075)
    - Fix typo in authlogin SELinux security module
    - Allow nsswitch_domain attribute to be system dbusd client BZ(1584632)
    - Allow audisp_t domain to mmap audisp_exec_t binary
    - Update ssh_domtrans_keygen interface to allow mmap ssh_keygen_exec_t binary file
    - Label tcp/udp ports 2612 as qpasa_agent_port_t
    Lukas Vrabec 2018-06-06 10:25:52 +0200
  • 58acce3c84
    * Sat May 26 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.14.2-21
    - Add dac_override to exim policy BZ(1574303)
    - Fix typo in conntrackd.fc file
    - Allow sssd_t to kill sssd_selinux_manager_t
    - Allow httpd_sys_script_t to connect to mongodb_port_t if boolean httpd_can_network_connect_db is turned on
    - Allow chronyc_t to redirect output to /var/lib, /var/log and /tmp
    - Allow policykit_auth_t to read udev db files BZ(1574419)
    - Allow varnishd_t to be dbus client BZ(1582251)
    - Allow cyrus_t domain to mmap own pid files BZ(1582183)
    - Allow user_mail_t domain to mmap etc_aliases_t files
    - Allow gkeyringd domains to run ssh agents
    - Allow gpg_pinentry_t domain read ssh state
    - Allow sysadm_u use xdm
    - Allow xdm_t domain to listen for unix dgram sockets BZ(1581495)
    - Add interface ssh_read_state()
    - Fix typo in sysnetwork.if file
    Lukas Vrabec 2018-05-26 00:25:28 +0200
  • 9364159b18
    * Thu May 24 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.14.2-20
    - Allow tangd_t domain to create tcp sockets and add new interface tangd_read_db_files
    - Allow mailman_mail_t domain to search for apache configs
    - Allow mailman_cgi_t domain to ioctl an httpd with a unix domain stream sockets.
    - Improve procmail_domtrans() to allow mmaping procmail_exec_t
    - Allow ptrace arbitrary processes
    - Allow jabberd_router_t domain read kerberos keytabs BZ(1573945)
    - Allow certmonger to getattr of filesystems BZ(1578755)
    - Update dev_map_xserver_misc interface to allow mmaping char devices instead of files
    - Allow noatsecure permission for all domain transitions from systemd.
    - Allow systemd to read tangd db files
    - Fix typo in ssh.if file
    - Allow xdm_t domain to mmap xserver_misc_device_t files
    - Allow xdm_t domain to execute systemd-coredump binary
    - Add bridge_socket, dccp_socket, ib_socket and mpls_socket to socket_class_set
    - Improve modutils_domtrans_insmod() interface to mmap insmod_exec_t binaries
    - Improve iptables_domtrans() interface to allow mmaping iptables_exec_t binary
    - Improve auth_domtrans_login_program() interface to allow also mmap login_exec_t binaries
    - Improve auth_domtrans_chk_passwd() interface to allow also mmaping chkpwd_exec_t binaries.
    - Allow mmap dhcpc_exec_t binaries in sysnet_domtrans_dhcpc interface
    - Improve running xorg with proper SELinux domain even if systemd security feature NoNewPrivileges is used
    Lukas Vrabec 2018-05-24 16:07:11 +0200
  • ee05a93b19
    * Tue May 22 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.14.2-19
    - Increase dependency versions of policycoreutils and checkpolicy packages
    Lukas Vrabec 2018-05-22 10:54:53 +0200
  • e881d79dbc
    * Mon May 21 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.14.2-18
    - Disable secure mode environment cleansing for dirsrv_t
    - Allow udev to execute /usr/libexec/gdm-disable-wayland in the xdm_t domain, which allows creating /run/gdm/custom.conf with the proper xdm_var_run_t label.
    Lukas Vrabec 2018-05-21 22:23:41 +0200
  • 844794a0f4
    * Mon May 21 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.14.2-17
    - Add dac_override capability to remote_login_t domain
    - Allow chrome_sandbox_t to mmap tmp files
    - Update ulogd SELinux security policy
    - Allow rhsmcertd_t domain send signull to apache processes
    - Allow systemd socket activation for modemmanager
    - Allow geoclue to dbus chat with systemd
    - Fix file contexts on conntrackd policy
    - Temporary fix for varnish and apache adding capability for DAC_OVERRIDE
    - Allow lsmd_plugin_t domain to getattr lsm_t unix stream sockets
    - Add label for /usr/sbin/pacemaker-remoted to have cluster_exec_t
    - Allow nscd_t domain to be system dbusd client
    - Allow abrt_t domain to read sysctl
    - Add dac_read_search capability for tangd
    - Allow systemd socket activation for rshd domain
    - Add label for /usr/libexec/cyrus-imapd/master as cyrus_exec_t to have proper SELinux domain transition from init_t to cyrus_t
    - Allow kdump_t domain to map /boot files
    - Allow conntrackd_t domain to send msgs to syslog
    - Label /usr/sbin/nhrpd and /usr/sbin/pimd binaries as zebra_exec_t
    - Allow svnserve_t domain to stream connect to sasl domain
    - Allow smbcontrol_t to create dirs with samba_var_t label
    - Remove execstack, execmem and execheap from domains setroubleshootd_t, locate_t and podsleuth_t to increase security. BZ(1579760)
    - Allow tangd to read public sssd files BZ(1509054)
    - Allow geoclue start with nnp systemd security feature with proper SELinux Domain transition BZ(1575212)
    - Allow ctdb_t domain modify ctdb_exec_t files
    - Allow firewalld_t domain to create netlink_netfilter sockets
    - Allow radiusd_t domain to read network sysctls
    - Allow pegasus_t domain to mount tracefs_t filesystem
    - Allow create systemd to mount pid files
    - Add files_map_boot_files() interface
    - Remove execstack, execmem and execheap from domain fsadm_t to increase security. BZ(1579760)
    - Fix typo in xserver SELinux module
    - Allow systemd to mmap files with var_log_t label
    - Allow x_userdomains read/write to xserver session
    Lukas Vrabec 2018-05-21 01:48:14 +0200
  • 4d2de689d5
    Fix typo bug in xserver SELinux module Lukas Vrabec 2018-04-30 17:41:45 +0200
  • a4ad07747e
    * Mon Apr 30 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.14.2-16
    - Allow systemd to mmap files with var_log_t label
    - Allow x_userdomains read/write to xserver session
    Lukas Vrabec 2018-04-30 16:30:28 +0200
  • 0bbda1a879
    Also redirect stdout to /dev/null to avoid printing anything during the selinux-policy update process Lukas Vrabec 2018-04-30 10:55:31 +0200
  • 560c1cf401
    * Sat Apr 28 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.14.2-15
    - Allow unconfined_domain_type to create libs filetrans named content BZ(1513806)
    Lukas Vrabec 2018-04-28 19:43:37 +0200
  • 42d22b559a
    Fix typo in spec file Lukas Vrabec 2018-04-27 13:30:59 +0200
  • 19c9a7d734
    * Fri Apr 27 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.14.2-14
    - Add dac_override capability to mailman_mail_t domain
    - Add dac_override capability to radvd_t domain
    - Update openvswitch policy
    - Add dac_override capability to oddjob_homedir_t domain
    - Allow slapd_t domain to mmap slapd_var_run_t files
    - Rename tang policy to tangd
    - Allow virtd_t domain to relabel virt_var_lib_t files
    - Allow logrotate_t domain to stop services via systemd
    - Add tang policy
    - Allow mozilla_plugin_t to create mozilla.pdf file in user homedir with label mozilla_home_t
    - Allow snapperd_t daemon to create unlabeled dirs.
    - Make httpd_var_run_t mountpoint
    - Allow hsqldb_t domain to mmap own temp files
    - We have inconsistency in cgi templates with upstream, we use _content_t, but refpolicy use httpd__content_t. Created aliases to make it consistent
    - Allow Openvswitch adding netdev bridge ovs 2.7.2.10 FDP
    - Add new Boolean tomcat_use_execmem
    - Allow nfsd_t domain to read/write sysctl fs files
    - Allow conman to read system state
    - Allow brltty_t domain to be dbusd system client
    - Allow zebra_t domain to bind on babel udp port
    - Allow freeipmi domain to read sysfs_t files
    - Allow targetd_t domain mmap lvm config files
    - Allow abrt_t domain to manage kdump crash files
    - Add capability dac_override to antivirus domain
    - Allow svirt_t domain mmap svirt_image_t files BZ(1514538)
    - Allow ftpd_t domain to chat with systemd
    - Allow systemd init named socket activation for uuidd policy
    - Allow networkmanager domain to write to ecryptfs_t files BZ(1566706)
    - Allow l2tpd domain to stream connect to sssd BZ(1568160)
    - Dontaudit abrt_t to write to lib_t dirs BZ(1566784)
    - Allow NetworkManager_ssh_t domain transition to insmod_t BZ(1567630)
    - Allow certwatch to manage cert files BZ(1561418)
    - Merge pull request #53 from tmzullinger/rawhide
    - Merge pull request #52 from thetra0/rawhide
    - Allow abrt_dump_oops_t domain to mmap all non security files BZ(1565748)
    - Allow gpg_t domain mmap cert_t files. Allow gpg_t mmap gpg_agent_t files
    - Allow NetworkManager_ssh_t domain use generic ptys. BZ(1565851)
    - Allow pppd_t domain read/write l2tpd pppox sockets BZ(1566096)
    - Allow xguest user use bluetooth sockets if xguest_use_bluetooth boolean is turned on.
    - Allow pppd_t domain creating pppox sockets BZ(1566271)
    - Allow abrt to map var_lib_t files
    - Allow chronyc to read system state BZ(1565217)
    - Allow keepalived_t domain to chat with systemd via dbus
    - Allow git to mmap git_(sys|user)_content_t files BZ(1518027)
    - Allow netutils_t domain to create bluetooth sockets
    - Allow traceroute to bind on generic sctp node
    - Allow traceroute to search network sysctls
    - Allow systemd to use virtio console
    - Label /dev/op_panel and /dev/opal-prd as opal_device_t
    Lukas Vrabec 2018-04-27 11:50:21 +0200
  • 5c972253e7
    Update selinux policy macros to reflect the latest changes in selinux-policy-macros repo Lukas Vrabec 2018-04-25 21:47:44 +0200
  • 11e95ea76d
    Make tangd policy active Lukas Vrabec 2018-04-25 11:01:01 +0200
  • 39a94e09cd
    * Thu Apr 12 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.14.2-13
    - refpolicy: Update for kernel sctp support
    - Allow smbd_t send to nmbd_t via dgram sockets BZ(1563791)
    - Allow antivirus domain to be client for system dbus BZ(1562457)
    - Dontaudit requesting tlp_t domain kernel modules, it's a kernel bug BZ(1562383)
    - Add new boolean: colord_use_nfs() BZ(1562818)
    - Allow pcp_pmcd_t domain to check access to mdadm BZ(1560317)
    - Allow colord_t to mmap gconf_home_t files
    - Add new boolean redis_enable_notify()
    - Label /var/log/shibboleth-www(/.*) as httpd_sys_rw_content_t
    - Add new label for vmtools scripts and label it as vmtools_unconfined_t stored in /etc/vmware-tools/
    - Remove labeling for /etc/vmware-tools to bin_t, it should be vmtools_unconfined_exec_t
    Lukas Vrabec 2018-04-12 12:51:18 +0200
  • 1778514e56
    * Sat Apr 07 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.14.2-12
    - Add new boolean redis_enable_notify()
    - Label /var/log/shibboleth-www(/.*) as httpd_sys_rw_content_t
    - Add new label for vmtools scripts and label it as vmtools_unconfined_t stored in /etc/vmware-tools/
    - Allow svnserve_t domain to manage kerberos rcache and read krb5 keytab
    - Add dac_override and dac_read_search capability to hypervvssd_t domain
    - Label /usr/lib/systemd/systemd-fence_sanlockd as fenced_exec_t
    - Allow samba to create /tmp/host_0 as krb5_host_rcache_t
    - Add dac_override capability to fsdaemon_t BZ(1564143)
    - Allow abrt_t domain to map dos files BZ(1564193)
    - Add dac_override capability to automount_t domain
    - Allow keepalived_t domain to connect to system dbus bus
    - Allow nfsd_t to read nvme block devices BZ(1562554)
    - Allow lircd_t domain to execute bin_t files BZ(1562835)
    - Allow l2tpd_t domain to read sssd public files BZ(1563355)
    - Allow logrotate_t domain to do dac_override BZ(1539327)
    - Remove labeling for /etc/vmware-tools to bin_t, it should be vmtools_unconfined_exec_t
    - Add capability sys_resource to systemd_sysctl_t domain
    - Label all /dev/rbd* devices as fixed_disk_device_t
    - Allow xdm_t domain to mmap xserver_log_t files BZ(1564469)
    - Allow local_login_t domain to read udev db
    - Allow systemd_gpt_generator_t to read /dev/random device
    - Add definition of bpf class and systemd perms
    Lukas Vrabec 2018-04-07 20:34:23 +0200
  • 9762a51f7b
    * Thu Mar 29 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.14.2-11
    - Allow accountsd_t domain to dac override BZ(1561304)
    - Allow cockpit_ws_t domain to read system state BZ(1561053)
    - Allow postfix_map_t domain to use inherited user ptys BZ(1561295)
    - Allow abrt_dump_oops_t domain dac override BZ(1561467)
    - Allow l2tpd_t domain to run stream connect for sssd_t BZ(1561755)
    - Allow crontab domains to do dac override
    - Allow snapperd_t domain to unmount fs_t filesystems
    - Allow pcp processes to read fixed_disk devices BZ(1560816)
    - Allow unconfined and confined users to use dccp sockets
    - Allow systemd to manage bpf dirs/files
    - Allow traceroute_t to create dccp_sockets
    Lukas Vrabec 2018-03-29 19:27:36 +0200
  • 0ac6359923
    * Mon Mar 26 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.14.2-10
    - Fedora Atomic host uses /sysroot/tmp for temp files; we should label it the same as /tmp by adding a file context equivalence BZ(1559531)
    Lukas Vrabec 2018-03-26 15:48:52 +0200
  • dd15940cc3
    Fedora Atomic host uses /sysroot/tmp for temp files; we should label it the same as /tmp by adding a file context equivalence BZ(1559531) Lukas Vrabec 2018-03-26 15:47:13 +0100
  • 0dae2c353f
    * Sun Mar 25 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.14.2-9
    - Allow smbcontrol_t to mmap samba_var_t files and allow winbind create sockets BZ(1559795)
    - Allow nagios to exec itself and mmap nagios spool files BZ(1559683)
    - Allow nagios to mmap nagios config files BZ(1559683)
    - Fixing Ganesha module
    - Fix typo in NetworkManager module
    - Fix bug in gssproxy SELinux module
    - Allow abrt_t domain to mmap container_file_t files BZ(1525573)
    - Allow networkmanager to run ssh client BZ(1558441)
    - Allow pcp domains to do dac override BZ(1557913)
    - Dontaudit pcp_pmie_t to request lost kernel module
    - Allow pcp_pmcd_t to manage unpriv userdomains semaphores BZ(1554955)
    - Allow httpd_t to read httpd_log_t dirs BZ(1554912)
    - Allow fail2ban_t to read system network state BZ(1557752)
    - Allow dac override capability to mandb_t domain BZ(1529399)
    - Allow collectd_t domain to mmap collectd_var_lib_t files BZ(1556681)
    - Dontaudit bug in kernel 4.16 when domains requesting loading kernel modules BZ(1555369)
    - Add Domain transition from gssproxy_t to httpd_t domains BZ(1548439)
    - Allow httpd_t to mmap user_home_type files if boolean httpd_read_user_content is enabled BZ(1555359)
    - Allow snapperd to relabel snapperd_data_t
    - Improve bluetooth_stream_socket interface to allow caller domain also send bluetooth sockets
    - Allow tcpd_t bind on sshd_port_t if ssh_use_tcpd() is enabled
    - Allow insmod_t to load modules BZ(1544189)
    - Allow systemd_rfkill_t domain sys_admin capability BZ(1557595)
    - Allow systemd_networkd_t to read/write tun tap devices
    - Add shell_exec_t file as domain entry for init_t
    - Label also /run/systemd/resolved/ as systemd_resolved_var_run_t BZ(1556862)
    - Dontaudit kernel 4.16 bug when lot of domains requesting load kernel module BZ(1557347)
    - Improve userdom_mmap_user_home_content_files
    - Allow systemd_logind_t domain to setattributes on fixed disk devices BZ(1555414)
    - Dontaudit kernel 4.16 bug when lot of domains requesting load kernel module
    - Allow semanage_t domain mmap usr_t files
    - Add new boolean: ssh_use_tcpd()
    Lukas Vrabec 2018-03-25 01:02:58 +0100
  • 67396b3121
    In Fedora 28 the ganesha SELinux module is removed; for a proper upgrade this module needs to be removed before the SELinux policy for F28 is installed. Lukas Vrabec 2018-03-25 00:55:02 +0100
  • 597a71b217
    * Wed Mar 21 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.14.2-8
    - Improve bluetooth_stream_socket interface to allow caller domain also send bluetooth sockets
    - Allow tcpd_t bind on sshd_port_t if ssh_use_tcpd() is enabled
    - Allow semanage_t domain mmap usr_t files
    - Add new boolean: ssh_use_tcpd()
    Lukas Vrabec 2018-03-21 19:15:49 +0100
  • 1199c87fda
    Update also sources Lukas Vrabec 2018-03-20 12:21:39 +0100
  • a191ebd6c3
    * Tue Mar 20 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.14.2-7
    - Update screen_role_template() to allow also creating sockets in HOMEDIR/screen/
    - Allow newrole_t dac_override capability
    - Allow traceroute_t domain to mmap packet sockets
    - Allow netutils_t domain to mmap usbmon device
    - Allow netutils_t domain to use mmap on packet_sockets
    - Allow traceroute to create icmp packets
    - Allow sysadm_t domain to create tipc sockets
    - Allow confined users to use new socket classes for bluetooth, alg and tcpdiag sockets
    Lukas Vrabec 2018-03-20 12:19:47 +0100
  • 8597119053
    * Thu Mar 15 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.14.2-6
    - Allow rpcd_t domain dac override
    - Allow rpm domain to mmap rpm_var_lib_t files
    - Allow arpwatch domain to create bluetooth sockets
    - Allow secadm_t domain to mmap audit config and log files
    - Update init_abstract_socket_activation() to allow also creating tcp sockets
    - getty_t should be ranged in MLS. Then also local_login_t runs as ranged domain.
    - Add SELinux support for systemd-importd
    - Create new type bpf_t and label /sys/fs/bpf with this type
    Lukas Vrabec 2018-03-15 20:41:40 +0100
  • 529a517a7a
    * Mon Mar 12 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.14.2-5
    - Allow bluetooth_t domain to create alg_socket BZ(1554410)
    - Allow tor_t domain to execute bin_t files BZ(1496274)
    - Allow iscsid_t domain to mmap kernel modules BZ(1553759)
    - Update minidlna SELinux policy BZ(1554087)
    - Allow motion_t domain to read sysfs_t files BZ(1554142)
    - Allow snapperd_t domain to getattr on all files, dirs, sockets, pipes BZ(1551738)
    - Allow l2tp_t domain to read ipsec config files BZ(1545348)
    - Allow colord_t to mmap home user files BZ(1551033)
    - Dontaudit httpd_t creating kobject uevent sockets BZ(1552536)
    - Allow ipmievd_t to mmap kernel modules BZ(1552535)
    - Allow boinc_t domain to read cgroup files BZ(1468381)
    - Backport allow rules from refpolicy upstream repo
    - Allow gpg_t domain to bind on all unreserved udp ports
    - Allow systemd to create systemd_rfkill_var_lib_t dirs BZ(1502164)
    - Allow netlabel_mgmt_t domain to read sssd public files, stream connect to sssd_t BZ(1483655)
    - Allow xdm_t domain to sys_ptrace BZ(1554150)
    - Allow application_domain_type also mmap inherited user temp files BZ(1552765)
    - Update ipsec_read_config() interface
    - Fix broken sysadm SELinux module
    - Allow ipsec_t to search for bind cache BZ(1542746)
    - Allow staff_t to send sigkill to mount_t domain BZ(1544272)
    - Label /run/systemd/resolve/stub-resolv.conf as net_conf_t BZ(1471545)
    - Label ip6tables.init as iptables_exec_t BZ(1551463)
    - Allow hostname_t to use usb ttys BZ(1542903)
    - Add fsetid capability to updpwd_t domain BZ(1543375)
    - Allow systemd machined send signal to all domains BZ(1372644)
    - Dontaudit create netlink selinux sockets for unpriv SELinux users BZ(1547876)
    - Allow sysadm_t to create netlink generic sockets BZ(1547874)
    - Allow passwd_t domain chroot
    - Dontaudit confined unprivileged users setuid capability
    Lukas Vrabec 2018-03-12 17:20:32 +0100
  • 870fdbbf14
    * Tue Mar 06 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.14.2-4
    - Allow l2tpd_t domain to create pppox sockets
    - Update dbus_system_bus_client() so calling domain could read also system_dbusd_var_lib_t link files BZ(1544251)
    - Add interface abrt_map_cache()
    - Update gnome_manage_home_config() to allow also map permission BZ(1544270)
    - Allow oddjob_mkhomedir_t domain to be dbus system client BZ(1551770)
    - Dontaudit kernel bug when several services requesting load kernel module
    - Allow traceroute and unconfined domains creating sctp sockets
    - Add interface corenet_sctp_bind_generic_node()
    - Allow ping_t domain to create icmp sockets
    - Allow staff_t to mmap abrt_var_cache_t BZ(1544273)
    - Fix typo bug in dev_map_framebuffer() interface BZ(1551842)
    - Dontaudit kernel bug when several services requesting load kernel module
    Lukas Vrabec 2018-03-06 16:16:43 +0100
  • 47ee5f4780
    Add forgotten sources file Lukas Vrabec 2018-03-05 16:27:57 +0100
  • 3c49a8df90
    * Mon Mar 05 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.14.2-3
    - Allow vdagent_t domain search cgroup dirs BZ(1541564)
    - Allow bluetooth_t domain listen on bluetooth sockets BZ(1549247)
    - Allow bluetooth domain creating bluetooth sockets BZ(1551577)
    - pki_log_t should be log_file
    - Allow gpgdomain to unix_stream socket connectto
    - Make working gpg agent in gpg_agent_t domain
    - Dontaudit thumb_t to rw lvm pipes BZ(154997)
    - Allow start cups_lpd via systemd socket activation BZ(1532015)
    - Improve screen_role_template Resolves: rhbz#1534111
    - Dontaudit modemmanager to setpgid. BZ(1520482)
    - Dontaudit kernel bug when systemd requesting load kernel module BZ(1547227)
    - Allow systemd-networkd to create netlink generic sockets BZ(1551578)
    - refpolicy: Define getrlimit permission for class process
    - refpolicy: Define smc_socket security class
    - Allow transition from sysadm role into mdadm_t domain.
    - ssh_t trying to communicate with gpg agent not sshd_t
    - Allow sshd_t communicate with gpg_agent_t
    - Allow initrc domains to mmap binaries with direct_init_entry attribute BZ(1545643)
    - Revert "Allow systemd_rfkill_t domain to request kernel load module BZ(1543650)"
    - Revert "Allow systemd to request load kernel module BZ(1547227)"
    - Allow systemd to write to all pidfile sockets because of SocketActivation unit option ListenStream= BZ(1543576)
    - Add interface lvm_dontaudit_rw_pipes() BZ(154997)
    - Add interfaces for systemd socket activation
    - Allow systemd-resolved to create stub-resolv.conf with right label net_conf_t BZ(1547098)
    Lukas Vrabec 2018-03-05 16:13:41 +0100
  • 5a5985a439 * Thu Feb 22 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.14.2-2 - refpolicy: Define extended_socket_class policy capability and socket classes - Make bluetooth_var_lib_t as mountpoint BZ(1547416) - Allow systemd to request load kernel module BZ(1547227) - Allow ipsec_t domain to read l2tpd pid files - Allow sysadm to read/write trace filesystem BZ(1547875) - Allow syslogd_t to mmap systemd coredump tmpfs files BZ(1547761) Lukas Vrabec 2018-02-22 15:13:02 +0100
  • 5b3d03345c * Wed Feb 21 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.14.2-1 - Rebuild for current rawhide (fc29) Lukas Vrabec 2018-02-21 19:10:21 +0100
  • 3256f1cc3b * Tue Feb 20 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.14.1-9 - Fix broken cups Security Module - Allow dnsmasq_t domain dbus chat with unconfined users. BZ(1532079) - Allow geoclue to connect to tcp nmea port BZ(1362118) - Allow pcp_pmcd_t to read mock lib files BZ(1536152) - Allow abrt_t domain to mmap passwd file BZ(1540666) - Allow gpsd_t domain to get session id of another process BZ(1540584) - Allow httpd_t domain to mmap httpd_tmpfs_t files BZ(1540405) - Allow cluster_t dbus chat with systemd BZ(1540163) - Add interface raid_stream_connect() - Allow nscd_t to mmap nscd_var_run_t files BZ(1536689) - Allow dovecot_delivery_t to mmap mail_home_rw_t files BZ(1531911) - Make cups_pdf_t domain system dbusd client BZ(1532043) - Allow logrotate to read auditd_log_t files BZ(1525017) - Improve snapperd SELinux policy BZ(1514272) - Allow virt_domain to read virt_image_t files BZ(1312572) - Allow openvswitch_t stream connect svirt_t - Update dbus_dontaudit_stream_connect_system_dbusd() interface - Allow openvswitch domain to manage svirt_tmp_t sock files - Allow named_filetrans_domain domains to create .heim_org.h5l.kcm-socket sock_file with label sssd_var_run_t BZ(1538210) - Merge pull request #50 from dodys/pkcs - Label tcp and udp ports 10110 as nmea_port_t BZ(1362118) - Allow systemd to access rfkill lib dirs BZ(1539733) - Allow systemd to manage raid var_run_t sockfiles and files BZ(1379044) - Allow vxfs filesystem to use SELinux labels - Allow systemd to setattr on systemd_rfkill_var_lib_t dirs BZ(1512231) - Allow a few services to dbus chat with snapperd BZ(1514272) - Allow systemd to relabel system unit symlink to systemd_unit_file_t. BZ(1535180) - Fix logging as staff_u into Fedora 27 - Fix broken systemd_tmpfiles_run() interface Lukas Vrabec 2018-02-20 09:25:14 +0100
  • d1295b542c Merge #8 Don't own %{_rpmconfigdir} Lukas Vrabec 2018-02-19 09:57:01 +0000
  • d890769dab List gcc in BuildRequires Petr Lautrbach 2018-02-19 10:34:23 +0100
  • f8cf034356 Remove %clean section Igor Gnatenko 2018-02-14 09:57:34 +0100
  • 72d8378f5a Remove BuildRoot definition Igor Gnatenko 2018-02-14 00:36:49 +0100
  • 28c23c14e4 Escape macros in %changelog Igor Gnatenko 2018-02-09 09:06:15 +0100
  • b22b1d1da0 * Thu Feb 08 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.14.1-7 - Label /usr/sbin/ldap-agent as dirsrv_snmp_exec_t - Allow certmonger_t domain to access /etc/pki/pki-tomcat BZ(1542600) - Allow keepalived_t domain getattr proc filesystem - Allow init_t to create UNIX sockets for unconfined services (BZ1543049) - Allow ipsec_mgmt_t execute ifconfig_exec_t binaries Allow ipsec_mgmt_t nnp domain transition to ifconfig_t - Allow ipsec_t nnp transitions to domains ipsec_mgmt_t and ifconfig_t Lukas Vrabec 2018-02-08 14:38:23 +0100
  • 00dcc13b60 * Tue Feb 06 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.14.1-6 - Allow openvswitch_t domain to read cpuid, write to sysfs files and creating openvswitch_tmp_t sockets - Add new interface ppp_filetrans_named_content() - Allow keepalived_t read sysctl_net_t files - Allow puppetmaster_t domtran to puppetagent_t - Allow kdump_t domain to read kernel ring buffer - Allow boinc_t to mmap boinc tmpfs files BZ(1540816) - Merge pull request #47 from masatake/keepalived-signal - Allow keepalived_t create and write a file under /tmp - Allow ipsec_t domain to exec ifconfig_exec_t binaries. - Allow unconfined_domain_typ to create pppd_lock_t directory in /var/lock - Allow updpwd_t domain to create files in /etc with shadow_t label Lukas Vrabec 2018-02-06 09:58:08 +0100
  • 4caea74068 Updated rpm.macros Lukas Vrabec 2018-02-05 17:01:34 +0100
  • 4b0a66cafc * Tue Jan 30 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.14.1-5 - Allow opendnssec daemon to execute ods-signer BZ(1537971) Lukas Vrabec 2018-01-30 17:04:16 +0100
  • e9c4389283 * Tue Jan 30 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.14.1-4 - rpm: Label /usr/share/rpm usr_t (ostree/Atomic systems) - Update dbus_role_template() BZ(1536218) - Allow lldpad_t domain to mmap own tmpfs files BZ(1534119) - Allow blueman_t dbus chat with policykit_t BZ(1470501) - Expand virt_read_lib_files() interface to allow list dirs with label virt_var_lib_t BZ(1507110) - Allow postfix_master_t and postfix_local_t to connect to system dbus. BZ(1530275) - Allow system_munin_plugin_t domain to read sssd public files and allow stream connect to ssd daemon BZ(1528471) - Allow rkt_t domain to bind on rkt_port_t tcp BZ(1534636) - Allow jetty_t domain to mmap own temp files BZ(1534628) - Allow sslh_t domain to read sssd public files and stream connect to sssd. BZ(1534624) - Consistently label usr_t for kernel/initrd in /usr - kernel/files.fc: Label /usr/lib/sysimage as usr_t - Allow iptables sysctl load list support with SELinux enforced - Label HOME_DIR/.config/systemd/user/* user unit files as systemd_unit_file_t BZ(1531864) Lukas Vrabec 2018-01-30 12:57:41 +0100
  • e7bae02f22 * Fri Jan 19 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.14.1-3 - Merge pull request #45 from jlebon/pr/rot-sd-dbus-rawhide - Allow virt_domains to access infiniband pkeys. - Allow systemd to relabelfrom tmpfs_t link files in /var/run/systemd/units/ BZ(1535180) - Label /usr/libexec/ipsec/addconn as ipsec_exec_t to run this script as ipsec_t instead of init_t - Allow audisp_remote_t domain write to files on all levels Lukas Vrabec 2018-01-19 12:48:25 +0100
  • de6ed4b466 Added missing container-selinux.tgz sources Lukas Vrabec 2018-01-15 17:47:53 +0100
  • 72b2cda3a5 * Mon Jan 15 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.14.1-2 - Allow aide to mmap usr_t files BZ(1534182) - Allow ypserv_t domain to connect to tcp ports BZ(1534245) - Allow vmtools_t domain creating vmware_log_t files - Allow openvswitch_t domain to access infiniband devices - Allow dirsrv_t domain to create tmp link files - Allow pcp_pmie_t domain to exec itself. BZ(153326) - Update openvswitch SELinux module - Allow virtd_t to create also sock_files with label virt_var_run_t - Allow chronyc_t domain to manage chronyd_keys_t files. - Allow logwatch to exec journal binaries BZ(1403463) - Allow sysadm_t and staff_t roles to manage user systemd services BZ(1531864) - Update logging_read_all_logs to allow mmap all logfiles BZ(1403463) - Add Label systemd_unit_file_t for /var/run/systemd/units/ Lukas Vrabec 2018-01-15 17:33:37 +0100
  • 22c9764fc4 Update new sources to reflect changes related to python3 dependency Lukas Vrabec 2018-01-08 18:44:57 +0100
  • 51dc83b2d4 Commit removes big SELinux policy patches against tresys refpolicy. Lukas Vrabec 2017-12-24 14:31:11 +0100
  • b9923641ff * Mon Jan 08 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-310 - Use python3 package in BuildRequires to ensure python version 3 will be used for compiling SELinux policy Lukas Vrabec 2018-01-08 12:28:09 +0100
  • af863d8251 * Fri Jan 05 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-309 - auth_use_nsswitch() interface cannot be used for attributes fixing munin policy - Allow git_script_t to mmap git_user_content_t files BZ(1530937) - Allow certmonger domain to create temp files BZ(1530795) - Improve interface mock_read_lib_files() to include also symlinks. BZ(1530563) - Allow fsdaemon_t to read nvme devices BZ(1530018) - Dontaudit fsdaemon_t to write to admin homedir. BZ(153030) - Update munin plugin policy BZ(1528471) - Allow sendmail_t domain to be system dbusd client BZ(1478735) - Allow amanda_t domain to getattr on tmpfs filesystem BZ(1527645) - Allow named file transition to create rpmrebuilddb dir with proper SELinux context BZ(1461313) - Dontaudit httpd_passwd_t domain to read state of systemd BZ(1522672) - Allow thumb_t to mmap non security files BZ(1517393) - Allow smbd_t to mmap files with label samba_share_t BZ(1530453) - Fix broken sysnet_filetrans_named_content() interface - Allow init_t to create tcp sockets for unconfined services BZ(1366968) - Allow xdm_t to getattr on xserver_t process files BZ(1506116) - Allow domains which can create resolv.conf file also create it in systemd_resolved_var_run_t dir BZ(1530297) - Allow X userdomains to send dgram msgs to xserver_t BZ(1515967) - Add interface files_map_non_security_files() Lukas Vrabec 2018-01-05 15:16:17 +0100
  • 46f9f9c36a * Thu Jan 04 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-308 - Make working SELinux sandbox with Wayland. BZ(1474082) - Allow postgrey_t domain to mmap postgrey_spool_t files BZ(1529169) - Allow dspam_t to mmap dspam_rw_content_t files BZ(1528723) - Allow collectd to connect to lmtp_port_t BZ(1304029) - Allow httpd_t to mmap httpd_squirrelmail_t files BZ(1528776) - Allow thumb_t to mmap removable_t files. BZ(1522724) - Allow sssd_t and login_pgm attribute to mmap auth_cache_t files BZ(1530118) - Add interface fs_mmap_removable_files() Lukas Vrabec 2018-01-04 13:06:00 +0100
  • d319e75862 sandbox SELinux module is part of distribution policy and should have 100 priority Lukas Vrabec 2018-01-04 11:45:11 +0100
  • 73d7285c92 * Tue Dec 19 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-307 - Allow crond_t to read pcp lib files BZ(1525420) - Allow mozilla plugin domain to mmap user_home_t files BZ(1452783) - Allow certwatch_t to mmap generic certs. BZ(1527173) - Allow dspam_t to manage dspam_rw_conent_t objects. BZ(1290876) - Add interface userdom_map_user_home_files() - Systemd introduced new feature when journald(syslogd_t) is trying to read symlinks to unit files in /run/systemd/units. This commit labels /run/systemd/units/* as systemd_unit_file_t and allows syslogd_t to read this content. BZ(1527202) - Allow xdm_t dbus chat with modemmanager_t BZ(1526722) - All domains accessing home_cert_t objects should also mmap it. BZ(1519810) Lukas Vrabec 2017-12-19 16:18:46 +0100
  • 66de8d371d Don't own %{_rpmconfigdir} Jonathan Lebon 2017-12-14 20:09:54 +0000
  • 270b6479cd * Wed Dec 13 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-306 - Allow thumb_t domain to dosfs_t BZ(1517720) - Allow gssd_t to read realmd_var_lib_t files BZ(1521125) - Allow domain transition from logrotate_t to chronyc_t BZ(1436013) - Allow git_script_t to mmap git_sys_content_t BZ(1517541) - Label /usr/bin/mysqld_safe_helper as mysqld_exec_t instead of bin_t BZ(1464803) - Label /run/openvpn-server/ as openvpn_var_run_t BZ(1478642) - Allow colord_t to mmap xdm pid files BZ(1518382) - Allow arpwatch to mmap usbmon device BZ(152456) - Allow mandb_t to read public sssd files BZ(1514093) - Allow ypbind_t stream connect to rpcbind_t domain BZ(1508659) - Allow qpid to map files. - Allow plymouthd_t to mmap framebuf device BZ(1517405) - Dontaudit pcp_pmlogger_t to sys_ptrace capability BZ(1416611) - Update mta_manage_spool() interface to allow caller domain also mmap mta_spool_t files BZ(1517449) - Allow antivirus_t domain to mmap antivirus_db_t files BZ(1516816) - Allow cups_pdf_t domain to read cupd_etc_t dirs BZ(1516282) - Allow openvpn_t domain to relabel networkmanager tun device BZ(1436048) - Allow mysqld_t to mmap mysqld_tmp_t files BZ(1516899) - Update samba_manage_var_files() interface by adding map permission. BZ(1517125) - Allow pcp_pmlogger_t domain to execute itself. BZ(1517395) - Dontaudit sys_ptrace capability for mdadm_t BZ(1515849) - Allow pulseaudio_t domain to mmap pulseaudio_home_t files BZ(1515956) - Allow bugzilla_script_t domain to create netlink route sockets and udp sockets BZ(1427019) - Add interface fs_map_dos_files() - Update interface userdom_manage_user_home_content_files() to allow caller domain to mmap user_home_t files. BZ(1519729) - Add interface xserver_map_xdm_pid() BZ(1518382) - Add new interface dev_map_usbmon_dev() BZ(1524256) - Update miscfiles_read_fonts() interface to allow also mmap fonts_cache_t for caller domains BZ(1521137) - Allow ipsec_t to mmap cert_t and home_cert_t files BZ(1519810) - Fix typo in filesystem.if - Add interface dev_map_framebuffer() - Allow chkpwd command to mmap /etc/shadow BZ(1513704) - Fix systemd-resolved to run properly with SELinux in enforcing state BZ(1517529) - Allow thumb_t domain to mmap fusefs_t files BZ(1517517) - Allow userdom_home_reader_type attribute to mmap cifs_t files BZ(1517125) - Add interface fs_map_cifs_files() - Merge pull request #207 from rhatdan/labels - Merge pull request #208 from rhatdan/logdir - Allow domains that manage logfiles to manage logdirs Lukas Vrabec 2017-12-13 08:39:02 +0100
  • a0b507db50 Remove ganesha module from active modules Lukas Vrabec 2017-12-06 10:11:13 +0100
  • e55ea9eb7a make-rhat-patches.sh - Ignore submodules when generating diff Petr Lautrbach 2017-12-06 09:56:06 +0100
  • 617ff7d328 * Fri Nov 24 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-305 - Make ganesha nfs server Lukas Vrabec 2017-11-24 18:20:55 +0100
  • 723bc03d9a Add new rpm macro %{selinux_requires} Lukas Vrabec 2017-11-23 15:48:40 +0100
  • 64b72debbe * Tue Nov 21 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-304 - Add interface raid_relabel_mdadm_var_run_content() - Fix iscsi SELinux module - Allow spamc_t domain to read home mail content BZ(1414366) - Allow sendmail_t to list postfix config dirs BZ(1514868) - Allow dovecot_t domain to mmap mail content in homedirs BZ(1513153) - Allow iscsid_t domain to request loading kernel modules BZ(1448877) - Allow svirt_t domain to mmap svirt_tmpfs_t files BZ(1515304) - Allow cupsd_t domain to localization BZ(1514350) - Allow antivirus_t nnp domain transition because of systemd security features. BZ(1514451) - Allow tlp_t domain transition to systemd_rfkill_t domain BZ(1416301) - Allow abrt_t domain to mmap fusefs_t files BZ(1515169) - Allow memcached_t domain nnp_transition because of systemd security features BZ(1514867) - Allow httpd_t domain to mmap all httpd content type BZ(1514866) - Allow mandb_t to read /etc/passwd BZ(1514903) - Allow mandb_t domain to mmap files with label mandb_cache_t BZ(1514093) - Allow abrt_t domain to mmap files with label syslogd_var_run_t BZ(1514975) - Allow nnp transition for systemd-networkd daemon to run in proper SELinux domain BZ(1507263) - Allow systemd to read/write to mount_var_run_t files BZ(1515373) - Allow systemd to relabel mdadm_var_run_t sock files BZ(1515373) - Allow home managers to mmap nfs_t files BZ(1514372) - Add interface fs_mmap_nfs_files() - Allow systemd-mount to create new directory for mountpoint BZ(1514880) - Allow getty to use usbttys - Add interface systemd_rfkill_domtrans() - Allow syslogd_t to mmap files with label syslogd_var_lib_t BZ(1513403) - Add interface fs_mmap_fusefs_files() - Allow ipsec_t domain to mmap files with label ipsec_key_file_t BZ(1514251) Lukas Vrabec 2017-11-21 16:42:21 +0100
  • 2d6f40abe4 * Thu Nov 16 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-303 - Allow pcp_pmlogger to send logs to journal BZ(1512367) - Merge pull request #40 from lslebodn/kcm_kerberos - Allow services to use kerberos KCM BZ(1512128) - Allow system_mail_t domain to be system_dbus_client BZ(1512476) - Allow aide domain to stream connect to sssd_t BZ(1512500) - Allow squid_t domain to mmap files with label squid_tmpfs_t BZ(1498809) - Allow nsd_t domain to mmap files with labels nsd_tmp_t and nsd_zone_t BZ(1511269) - Include cupsd_config_t domain into cups_execmem boolean. BZ(1417584) - Allow samba_net_t domain to mmap samba_var_t files BZ(1512227) - Allow lircd_t domain to execute shell BZ(1512787) - Allow thumb_t domain to setattr on cache_home_t dirs BZ(1487814) - Allow redis to creating tmp files with own label BZ(1513518) - Create new interface thumb_nnp_domtrans allowing domaintransition with NoNewPrivs. This interface added to thumb_run() BZ(1509502) - Allow httpd_t to mmap httpd_tmp_t files BZ(1502303) - Add map permission to samba_rw_var_files interface. BZ(1513908) - Allow cluster_t domain creating bundles directory with label var_log_t instead of cluster_var_log_t - Add dac_read_search and dac_override capabilities to ganesha - Allow ldap_t domain to manage also slapd_tmp_t lnk files - Allow snapperd_t domain to relabeling from snapperd_data_t BZ(1510584) - Add dac_override capability to dhcpd_t domain BZ(1510030) - Allow snapperd_t to remove old snaps BZ(1510862) - Allow chkpwd_t domain to mmap system_db_t files and be dbus system client BZ(1513704) - Allow xdm_t send signull to all xserver unconfined types BZ(1499390) - Allow fs associate for sysctl_vm_t BZ(1447301) - Label /etc/init.d/vboxdrv as bin_t to run virtualbox as unconfined_service_t BZ(1451479) - Allow xdm_t domain to read usermodehelper_t state BZ(1412609) - Allow dhcpc_t domain to stream connect to userdomain domains BZ(1511948) - Allow systemd to mmap kernel modules BZ(1513399) - Allow userdomains to mmap fifo_files BZ(1512242) - Merge pull request #205 from rhatdan/labels - Add map permission to init_domtrans() interface BZ(1513832) - Allow xdm_t domain to mmap and execute files in xdm_var_run_t BZ(1513883) - Unconfined domains, need to create content with the correct labels - Container runtimes are running iptables within a different user namespace - Add interface files_rmdir_all_dirs() Lukas Vrabec 2017-11-16 15:30:31 +0100
  • 6730963181 Drop all binary files from selinux-policy package which depend on build arch. Lukas Vrabec 2017-11-16 15:28:19 +0100
  • ebb4e5ec53 * Mon Nov 06 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-302 - Allow jabber domains to connect to postgresql ports - Dontaudit slapd_t to block suspend system - Allow spamc_t to stream connect to cyrus. - Allow passenger to connect to mysqld_port_t - Allow ipmievd to use nsswitch - Allow chronyc_t domain to use user_ptys - Label all files /var/log/opensm.* as opensm_log_t because opensm creating new log files with name opensm-subnet.lst - Fix typo bug in tlp module - Allow userdomain gkeyringd domain to create stream socket with userdomain Lukas Vrabec 2017-11-06 16:54:47 +0100
  • 4c1c744cdd * Fri Nov 03 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-301 - Merge pull request #37 from milosmalik/rawhide - Allow mozilla_plugin_t domain to dbus chat with devicekit - Dontaudit leaked logwatch pipes - Label /usr/bin/VGAuthService as vmtools_exec_t to confine this daemon. - Allow httpd_t domain to execute hugetlbfs_t files BZ(1444546) - Allow chronyd daemon to execute chronyc. BZ(1507478) - Allow pdns to read network system state BZ(1507244) - Allow gssproxy to read network system state Resolves: rhbz#1507191 - Allow nfsd_t domain to read configfs_t files/dirs - Allow tgtd_t domain to read generic certs - Allow ptp4l to send msgs via dgram socket to unprivileged user domains - Allow dirsrv_snmp_t to use inherited user ptys and read system state - Allow glusterd_t domain to create own tmpfs dirs/files - Allow keepalived stream connect to snmp Lukas Vrabec 2017-11-03 13:17:33 +0100
  • ba9b7318d9 Merge #3 Do not ship file_contexts.bin file Lukas Vrabec 2017-11-03 12:09:06 +0000
  • deccccdaf1 Do not own /etc/selinux/<policytype>/file_contexts.homedirs.bin Petr Lautrbach 2017-10-27 15:44:49 +0200
  • 59afa60b46 * Thu Oct 26 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-300 - Allow zabbix_t domain to change its resource limits - Add new boolean nagios_use_nfs - Allow system_mail_t to search network sysctls - Hide all allow rules with ptrace inside deny_ptrace boolean - Allow nagios_script_t to read nagios_spool_t files - Allow sbd_t to create own sbd_tmpfs_t dirs/files - Allow firewalld and networkmanager to chat with hypervkvp via dbus - Allow dmidecode to read rhsmcert_log_t files - Allow mail system to connect mariadb sockets. - Allow nmbd_t domain to mmap files labeled as samba_var_t. BZ(1505877) - Make user account setup in gnome-initial-setup working in Workstation Live system. BZ(1499170) - Allow iptables_t to run setfiles to restore context on system - Update unconfined_dontaudit_read_state() interface to dontaudit also access to files. BZ(1503466) Lukas Vrabec 2017-10-26 20:18:18 +0200
  • 7911257b23 * Tue Oct 24 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-299 - Label /usr/libexec/bluetooth/obexd as bluetoothd_exec_t to run process as bluetooth_t - Allow chronyd_t to request kernel module and block_suspend capability - Allow system_cronjob_t to create /var/lib/letsencrypt dir with right label - Allow slapd_t domain to mmap files labeled as slpad_db_t BZ(1505414) - Allow dnssec_trigger_t domain to execute binaries with dnssec_trigeer_exec_t BZ(1487912) - Allow l2tpd_t domain to send SIGKILL to ipsec_mgmt_t domains BZ(1505220) - Allow thumb_t creating thumb_home_t files in user_home_dir_t directory BZ(1474110) - Allow httpd_t also read httpd_user_content_type dirs when httpd_enable_homedirs is enabled - Allow svnserve to use kerberos - Allow conman to use ptmx. Add conman_use_nfs boolean - Allow nnp transition for amavis and tmpreaper SELinux domains - Allow chronyd_t to mmap chronyc_exec_t binary files - Add dac_read_search capability to openvswitch_t domain - Allow svnserve to manage own svnserve_log_t files/dirs - Allow keepalived_t to search network sysctls - Allow puppetagent_t domain dbus chat with rhsmcertd_t domain - Add kill capability to openvswitch_t domain - Label also compressed logs in /var/log for different services - Allow inetd_child_t and system_cronjob_t to run chronyc. - Allow chrony to create netlink route sockets - Add SELinux support for chronyc - Add support for running certbot(letsencrypt) in crontab - Allow nnp transition for unconfined_service_t - Allow unpriv user domains and unconfined_service_t to use chronyc Lukas Vrabec 2017-10-24 21:29:48 +0200
  • 2fff8fe522 Add rpm-plugin-selinux dependency into selinux-policy package. Resolves: rhbz#1493267 Lukas Vrabec 2017-10-24 13:16:20 +0200
  • 1014cb1eee * Sun Oct 22 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-298 - Drop *.lst files from file list - Ship file_contexts.homedirs in store - Allow proper transition when systems starting pdns to pdns_t domain. BZ(1305522) - Allow haproxy daemon to reexec itself. BZ(1447800) - Allow conmand to use usb ttys. - Allow systemd_machined to read mock lib files. BZ(1504493) - Allow systemd_resolved_t to dbusd chat with NetworkManager_t BZ(1505081) Lukas Vrabec 2017-10-22 15:56:04 +0200
  • b442d09884 Drop *.lst files from file list Petr Lautrbach 2017-10-20 16:08:32 +0200
  • 9e91a2824b Ship file_contexts.homedirs in store Petr Lautrbach 2017-10-20 16:05:16 +0200
  • 465d71cd8d * Fri Oct 20 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-297 - Fix typo in virt file contexts file - allow ipa_dnskey_t to read /proc/net/unix file - Allow openvswitch to run setfiles in setfiles_t domain. - Allow openvswitch_t domain to read process data of neutron_t domains - Fix typo in ipa_cert_filetrans_named_content() interface - Fix typo bug in summary of xguest SELinux module - Allow virtual machine with svirt_t label to stream connect to openvswitch. - Label qemu-pr-helper script as virt_exec_t so this script won't run as unconfined_service_t Lukas Vrabec 2017-10-20 11:27:02 +0200
  • 107eb82b3e * Tue Oct 17 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-296 - Merge pull request #19 from RodrigoQuesadaDev/snapper-fix-1 - Allow httpd_t domain to mmap httpd_user_content_t files. BZ(1494852) - Add nnp transition rule for services using NoNewPrivileges systemd feature - Add map permission into dev_rw_infiniband_dev() interface to allow caller domain mmap infiniband chr device BZ(1500923) - Add init_nnp_daemon_domain interface - Allow nnp transition capability - Merge pull request #204 from konradwilk/rhbz1484908 - Label postgresql-check-db-dir as postgresql_exec_t Lukas Vrabec 2017-10-17 15:29:08 +0200
  • 67f96cfe2c Make conntrackd policy active Lukas Vrabec 2017-10-16 14:41:30 +0200
  • c862e95fd2 Fix order of installing selinux-policy-sandbox, because of dependencies in sandbox module, selinux-policy-targeted needs to be installed before selinux-policy-sandbox Lukas Vrabec 2017-10-12 13:53:04 +0200
  • d7e304ffbf Merge #4 Disable SELinux on a policy type subpackage uninstall Lukas Vrabec 2017-10-12 08:44:30 +0000
  • 2b83a4bd1d * Tue Oct 10 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-295 - Allow boinc_t to mmap files with label boinc_project_var_lib_t BZ(1500088) - Allow fail2ban_t domain to mmap journals. BZ(1500089) - Add dac_override to abrt_t domain BZ(1499860) - Allow pppd domain to mmap own pid files BZ(1498587) - Allow webserver services to mmap files with label httpd_sys_content_t BZ(1498451) - Allow tlp domain to read sssd public files Allow tlp domain to mmap kernel modules - Allow systemd to read sysfs sym links. BZ(1499327) - Allow systemd to mmap systemd_networkd_exec_t files BZ(1499863) - Make systemd_networkd_var_run as mountpoint BZ(1499862) - Allow noatsecure for java-based unconfined services. BZ(1358476) - Allow systemd_modules_load_t domain to mmap kernel modules. BZ(1490015) Lukas Vrabec 2017-10-10 12:31:41 +0200
  • f2424e7390 * Mon Oct 09 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-294 - Allow cloud-init to create content in /var/run/cloud-init - Dontaudit VM to read gnome-boxes process data BZ(1415975) - Allow winbind_t domain mmap samba_var_t files - Allow cupsd_t to execute ld_so_cache_t BZ(1478602) - Update dev_rw_xserver_misc() interface to allow source domains to mmap xserver devices BZ(1334035) - Add dac_override capability to groupadd_t domain BZ(1497091) - Allow unconfined_service_t to start containers Lukas Vrabec 2017-10-09 10:09:01 +0200
  • 7f40329c8b Disable SELinux on a policy type subpackage uninstall Petr Lautrbach 2017-10-08 21:33:17 +0200
  • dba350c6e0 Do not ship file_contexts.bin file Petr Lautrbach 2017-10-08 20:52:07 +0200
  • 918bddec38 * Sun Oct 08 2017 Petr Lautrbach <plautrba@redhat.com> - 3.13.1-293 - Drop policyhelp utility BZ(1498429) Petr Lautrbach 2017-10-08 10:29:32 +0200
  • 00cdacfa6a Drop policyhelp utility Petr Lautrbach 2017-10-05 08:58:45 +0200
  • 75b1898128 * Tue Oct 03 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-292 - Allow cupsd_t to execute ld_so_cache_t BZ(1478602) - Allow firewalld_t domain to change object identity because of relabeling after using firewall-cmd BZ(1469806) - Allow postfix_cleanup_t domain to stream connect to all milter sockets BZ(1436026) - Allow nsswitch_domain to read virt_var_lib_t files, because of libvirt NSS plugin. BZ(1487531) - Add unix_stream_socket recvfrom perm for init_t domain BZ(1496318) - Allow systemd to manage sysfs BZ(1471361) Lukas Vrabec 2017-10-03 17:11:40 +0200
  • 65c1dc9f4d * Tue Oct 03 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-291 - Switch default value of SELinux boolean httpd_graceful_shutdown to off. Lukas Vrabec 2017-10-03 14:19:31 +0200
  • c5099d17b0 Switch default value of SELinux boolean httpd_graceful_shutdown to off. Lukas Vrabec 2017-10-03 14:17:18 +0200
  • aab02e492d Merge #2 Remove trailing whitespace in default /etc/selinux/config Lukas Vrabec 2017-09-29 12:30:29 +0000
  • e8dfe68ada * Fri Sep 29 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-290 - Allow virtlogd_t domain to write inhibit systemd pipes. - Add dac_override capability to openvpn_t domain - Add dac_override capability to xdm_t domain - Allow dac_override to groupadd_t domain BZ(1497081) - Allow cloud-init to create /var/run/cloud-init dir with net_conf_t SELinux label.BZ(1489166) Lukas Vrabec 2017-09-29 14:22:40 +0200
  • 5fdac71bd7 Remove trailing whitespace in default /etc/selinux/config Colin Walters 2017-09-27 16:01:25 -0400