# github repo with selinux-policy sources %global giturl https://github.com/fedora-selinux/selinux-policy %global commit e464c3bb967763b8bfac50769b72159d040088b9 %global shortcommit %(c=%{commit}; echo ${c:0:7}) %define distro redhat %define polyinstatiate n %define monolithic n %if %{?BUILD_DOC:0}%{!?BUILD_DOC:1} %define BUILD_DOC 1 %endif %if %{?BUILD_TARGETED:0}%{!?BUILD_TARGETED:1} %define BUILD_TARGETED 1 %endif %if %{?BUILD_MINIMUM:0}%{!?BUILD_MINIMUM:1} %define BUILD_MINIMUM 1 %endif %if %{?BUILD_MLS:0}%{!?BUILD_MLS:1} %define BUILD_MLS 1 %endif %define POLICYVER 33 %define POLICYCOREUTILSVER 3.4-1 %define CHECKPOLICYVER 3.2 Summary: SELinux policy configuration Name: selinux-policy Version: 40.13.13 Release: 1%{?dist} License: GPL-2.0-or-later Source: %{giturl}/archive/%{commit}/%{name}-%{shortcommit}.tar.gz Source1: modules-targeted-base.conf Source31: modules-targeted-contrib.conf Source2: booleans-targeted.conf Source3: Makefile.devel Source4: setrans-targeted.conf Source5: modules-mls-base.conf Source32: modules-mls-contrib.conf Source6: booleans-mls.conf Source8: setrans-mls.conf Source14: securetty_types-targeted Source15: securetty_types-mls #Source16: modules-minimum.conf Source17: booleans-minimum.conf Source18: setrans-minimum.conf Source19: securetty_types-minimum Source20: customizable_types Source22: users-mls Source23: users-targeted Source25: users-minimum Source26: file_contexts.subs_dist Source27: selinux-policy.conf Source28: permissivedomains.cil Source30: booleans.subs_dist # Tool helps during policy development, to expand system m4 macros to raw allow rules # Git repo: https://github.com/fedora-selinux/macro-expander.git Source33: macro-expander # Include SELinux policy for container from separate container-selinux repo # Git repo: https://github.com/containers/container-selinux.git Source35: container-selinux.tgz Source36: selinux-check-proper-disable.service # Script to convert /var/run file context entries to /run Source37: varrun-convert.sh # Provide rpm macros for packages installing SELinux modules Source102: rpm.macros Url: %{giturl} BuildArch: noarch BuildRequires: python3 gawk checkpolicy >= %{CHECKPOLICYVER} m4 policycoreutils-devel >= %{POLICYCOREUTILSVER} bzip2 BuildRequires: make BuildRequires: systemd-rpm-macros Requires(pre): policycoreutils >= %{POLICYCOREUTILSVER} Requires(post): /bin/awk /usr/bin/sha512sum Requires(meta): rpm-plugin-selinux Requires: selinux-policy-any = %{version}-%{release} Provides: selinux-policy-base = %{version}-%{release} Suggests: selinux-policy-targeted %description SELinux core policy package. Originally based off of reference policy, the policy has been adjusted to provide support for Fedora. %files %{!?_licensedir:%global license %%doc} %license COPYING %dir %{_datadir}/selinux %dir %{_datadir}/selinux/packages %dir %{_sysconfdir}/selinux %ghost %config(noreplace) %{_sysconfdir}/selinux/config %ghost %{_sysconfdir}/sysconfig/selinux %{_usr}/lib/tmpfiles.d/selinux-policy.conf %{_rpmconfigdir}/macros.d/macros.selinux-policy %{_unitdir}/selinux-check-proper-disable.service %{_libexecdir}/selinux/varrun-convert.sh %package sandbox Summary: SELinux sandbox policy Requires(pre): selinux-policy-base = %{version}-%{release} Requires(pre): selinux-policy-targeted = %{version}-%{release} %description sandbox SELinux sandbox policy for use with the sandbox utility. %files sandbox %verify(not md5 size mtime) %{_datadir}/selinux/packages/sandbox.pp %post sandbox rm -f %{_sysconfdir}/selinux/*/modules/active/modules/sandbox.pp.disabled 2>/dev/null rm -f %{_sharedstatedir}/selinux/*/active/modules/disabled/sandbox 2>/dev/null %{_sbindir}/semodule -n -X 100 -i %{_datadir}/selinux/packages/sandbox.pp 2> /dev/null if %{_sbindir}/selinuxenabled ; then %{_sbindir}/load_policy fi; exit 0 %preun sandbox if [ $1 -eq 0 ] ; then %{_sbindir}/semodule -n -d sandbox 2>/dev/null if %{_sbindir}/selinuxenabled ; then %{_sbindir}/load_policy fi; fi; exit 0 %package devel Summary: SELinux policy development files Requires(pre): selinux-policy = %{version}-%{release} Requires: selinux-policy = %{version}-%{release} Requires: m4 checkpolicy >= %{CHECKPOLICYVER} Requires: /usr/bin/make Requires(post): policycoreutils-devel >= %{POLICYCOREUTILSVER} %description devel SELinux policy development package. This package contains: - interfaces, macros, and patterns for policy development - a policy example - the macro-expander utility and some additional files. %files devel %{_bindir}/macro-expander %dir %{_datadir}/selinux/devel %dir %{_datadir}/selinux/devel/include %{_datadir}/selinux/devel/include/* %exclude %{_datadir}/selinux/devel/include/contrib/container.if %dir %{_datadir}/selinux/devel/html %{_datadir}/selinux/devel/html/*html %{_datadir}/selinux/devel/html/*css %{_datadir}/selinux/devel/Makefile %{_datadir}/selinux/devel/example.* %{_datadir}/selinux/devel/policy.* %ghost %verify(not md5 size mode mtime) %{_sharedstatedir}/sepolgen/interface_info %post devel %{_sbindir}/selinuxenabled && %{_bindir}/sepolgen-ifgen 2>/dev/null exit 0 %package doc Summary: SELinux policy documentation Requires(pre): selinux-policy = %{version}-%{release} Requires: selinux-policy = %{version}-%{release} %description doc SELinux policy documentation package. This package contains manual pages and documentation of the policy modules. %files doc %{_mandir}/man*/* %{_mandir}/ru/*/* %exclude %{_mandir}/man8/container_selinux.8.gz %doc %{_datadir}/doc/%{name} %define common_params DISTRO=%{distro} UBAC=n DIRECT_INITRC=n MONOLITHIC=%{monolithic} MLS_CATS=1024 MCS_CATS=1024 %define makeCmds() \ %make_build %common_params UNK_PERMS=%3 NAME=%1 TYPE=%2 bare \ %make_build %common_params UNK_PERMS=%3 NAME=%1 TYPE=%2 conf \ cp -f selinux_config/booleans-%1.conf ./policy/booleans.conf \ cp -f selinux_config/users-%1 ./policy/users \ #cp -f selinux_config/modules-%1-base.conf ./policy/modules.conf \ %define makeModulesConf() \ cp -f selinux_config/modules-%1-%2.conf ./policy/modules-base.conf \ cp -f selinux_config/modules-%1-%2.conf ./policy/modules.conf \ if [ %3 == "contrib" ];then \ cp selinux_config/modules-%1-%3.conf ./policy/modules-contrib.conf; \ cat selinux_config/modules-%1-%3.conf >> ./policy/modules.conf; \ fi; \ %define installCmds() \ %make_build %common_params UNK_PERMS=%3 NAME=%1 TYPE=%2 base.pp \ %make_build %common_params UNK_PERMS=%3 NAME=%1 TYPE=%2 validate modules \ make %common_params UNK_PERMS=%3 NAME=%1 TYPE=%2 DESTDIR=%{buildroot} install \ make %common_params UNK_PERMS=%3 NAME=%1 TYPE=%2 DESTDIR=%{buildroot} install-appconfig \ make %common_params UNK_PERMS=%3 NAME=%1 TYPE=%2 DESTDIR=%{buildroot} SEMODULE="%{_sbindir}/semodule -p %{buildroot} -X 100 " load \ %{__mkdir} -p %{buildroot}%{_sysconfdir}/selinux/%1/logins \ touch %{buildroot}%{_sysconfdir}/selinux/%1/contexts/files/file_contexts.subs \ install -m0644 selinux_config/securetty_types-%1 %{buildroot}%{_sysconfdir}/selinux/%1/contexts/securetty_types \ install -m0644 selinux_config/file_contexts.subs_dist %{buildroot}%{_sysconfdir}/selinux/%1/contexts/files \ install -m0644 selinux_config/setrans-%1.conf %{buildroot}%{_sysconfdir}/selinux/%1/setrans.conf \ install -m0644 selinux_config/customizable_types %{buildroot}%{_sysconfdir}/selinux/%1/contexts/customizable_types \ touch %{buildroot}%{_sysconfdir}/selinux/%1/contexts/files/file_contexts.bin \ touch %{buildroot}%{_sysconfdir}/selinux/%1/contexts/files/file_contexts.local \ touch %{buildroot}%{_sysconfdir}/selinux/%1/contexts/files/file_contexts.local.bin \ cp %{SOURCE30} %{buildroot}%{_sysconfdir}/selinux/%1 \ rm -f %{buildroot}%{_datadir}/selinux/%1/*pp* \ %{_bindir}/sha512sum %{buildroot}%{_sysconfdir}/selinux/%1/policy/policy.%{POLICYVER} | cut -d' ' -f 1 > %{buildroot}%{_sysconfdir}/selinux/%1/.policy.sha512; \ rm -rf %{buildroot}%{_sysconfdir}/selinux/%1/contexts/netfilter_contexts \ rm -rf %{buildroot}%{_sysconfdir}/selinux/%1/modules/active/policy.kern \ rm -f %{buildroot}%{_sharedstatedir}/selinux/%1/active/*.linked \ %nil %define fileList() \ %defattr(-,root,root) \ %dir %{_sysconfdir}/selinux/%1 \ %config(noreplace) %{_sysconfdir}/selinux/%1/setrans.conf \ %config(noreplace) %verify(not md5 size mtime) %{_sysconfdir}/selinux/%1/seusers \ %dir %{_sysconfdir}/selinux/%1/logins \ %dir %{_sharedstatedir}/selinux/%1/active \ %verify(not md5 size mtime) %{_sharedstatedir}/selinux/%1/semanage.read.LOCK \ %verify(not md5 size mtime) %{_sharedstatedir}/selinux/%1/semanage.trans.LOCK \ %dir %attr(700,root,root) %dir %{_sharedstatedir}/selinux/%1/active/modules \ %verify(not md5 size mtime) %{_sharedstatedir}/selinux/%1/active/modules/100/base \ %dir %{_sysconfdir}/selinux/%1/policy/ \ %verify(not md5 size mtime) %{_sysconfdir}/selinux/%1/policy/policy.%{POLICYVER} \ %{_sysconfdir}/selinux/%1/.policy.sha512 \ %dir %{_sysconfdir}/selinux/%1/contexts \ %config %{_sysconfdir}/selinux/%1/contexts/customizable_types \ %config(noreplace) %{_sysconfdir}/selinux/%1/contexts/securetty_types \ %config(noreplace) %{_sysconfdir}/selinux/%1/contexts/dbus_contexts \ %config %{_sysconfdir}/selinux/%1/contexts/x_contexts \ %config %{_sysconfdir}/selinux/%1/contexts/default_contexts \ %config %{_sysconfdir}/selinux/%1/contexts/virtual_domain_context \ %config %{_sysconfdir}/selinux/%1/contexts/virtual_image_context \ %config %{_sysconfdir}/selinux/%1/contexts/lxc_contexts \ %config %{_sysconfdir}/selinux/%1/contexts/systemd_contexts \ %config %{_sysconfdir}/selinux/%1/contexts/sepgsql_contexts \ %config %{_sysconfdir}/selinux/%1/contexts/openssh_contexts \ %config %{_sysconfdir}/selinux/%1/contexts/snapperd_contexts \ %config(noreplace) %{_sysconfdir}/selinux/%1/contexts/default_type \ %config(noreplace) %{_sysconfdir}/selinux/%1/contexts/failsafe_context \ %config(noreplace) %{_sysconfdir}/selinux/%1/contexts/initrc_context \ %config(noreplace) %{_sysconfdir}/selinux/%1/contexts/removable_context \ %config(noreplace) %{_sysconfdir}/selinux/%1/contexts/userhelper_context \ %dir %{_sysconfdir}/selinux/%1/contexts/files \ %verify(not md5 size mtime) %{_sysconfdir}/selinux/%1/contexts/files/file_contexts \ %ghost %{_sysconfdir}/selinux/%1/contexts/files/file_contexts.bin \ %verify(not md5 size mtime) %{_sysconfdir}/selinux/%1/contexts/files/file_contexts.homedirs \ %ghost %{_sysconfdir}/selinux/%1/contexts/files/file_contexts.homedirs.bin \ %config(noreplace) %{_sysconfdir}/selinux/%1/contexts/files/file_contexts.local \ %ghost %{_sysconfdir}/selinux/%1/contexts/files/file_contexts.local.bin \ %config(noreplace) %{_sysconfdir}/selinux/%1/contexts/files/file_contexts.subs \ %{_sysconfdir}/selinux/%1/contexts/files/file_contexts.subs_dist \ %{_sysconfdir}/selinux/%1/booleans.subs_dist \ %config %{_sysconfdir}/selinux/%1/contexts/files/media \ %dir %{_sysconfdir}/selinux/%1/contexts/users \ %config(noreplace) %{_sysconfdir}/selinux/%1/contexts/users/root \ %config(noreplace) %{_sysconfdir}/selinux/%1/contexts/users/guest_u \ %config(noreplace) %{_sysconfdir}/selinux/%1/contexts/users/xguest_u \ %config(noreplace) %{_sysconfdir}/selinux/%1/contexts/users/user_u \ %config(noreplace) %{_sysconfdir}/selinux/%1/contexts/users/staff_u \ %dir %{_datadir}/selinux/%1 \ %{_datadir}/selinux/%1/base.lst \ %{_datadir}/selinux/%1/modules-base.lst \ %{_datadir}/selinux/%1/modules-contrib.lst \ %{_datadir}/selinux/%1/nonbasemodules.lst \ %dir %{_sharedstatedir}/selinux/%1 \ %verify(not md5 size mtime) %{_sharedstatedir}/selinux/%1/active/commit_num \ %verify(not md5 size mtime) %{_sharedstatedir}/selinux/%1/active/users_extra \ %verify(not md5 size mtime) %{_sharedstatedir}/selinux/%1/active/homedir_template \ %verify(not md5 size mtime) %{_sharedstatedir}/selinux/%1/active/seusers \ %verify(not md5 size mtime) %{_sharedstatedir}/selinux/%1/active/file_contexts \ %verify(not md5 size mtime) %{_sharedstatedir}/selinux/%1/active/policy.kern \ %ghost %{_sharedstatedir}/selinux/%1/active/policy.linked \ %ghost %{_sharedstatedir}/selinux/%1/active/seusers.linked \ %ghost %{_sharedstatedir}/selinux/%1/active/users_extra.linked \ %verify(not md5 size mtime) %{_sharedstatedir}/selinux/%1/active/file_contexts.homedirs \ %verify(not md5 size mtime) %{_sharedstatedir}/selinux/%1/active/modules_checksum \ %ghost %{_sharedstatedir}/selinux/%1/active/modules/400/extra_varrun \ %nil %define relabel() \ if [ -s %{_sysconfdir}/selinux/config ]; then \ . %{_sysconfdir}/selinux/config &> /dev/null || true; \ fi; \ FILE_CONTEXT=%{_sysconfdir}/selinux/%1/contexts/files/file_contexts; \ if %{_sbindir}/selinuxenabled && [ "${SELINUXTYPE}" = %1 -a -f ${FILE_CONTEXT}.pre ]; then \ %{_sbindir}/fixfiles -C ${FILE_CONTEXT}.pre restore &> /dev/null > /dev/null; \ rm -f ${FILE_CONTEXT}.pre; \ fi; \ # rebuilding the rpm database still can sometimes result in an incorrect context \ %{_sbindir}/restorecon -R /usr/lib/sysimage/rpm \ if %{_sbindir}/restorecon -e /run/media -R /root /var/log /var/run /etc/passwd* /etc/group* /etc/*shadow* 2> /dev/null;then \ continue; \ fi; %define preInstall() \ if [ $1 -ne 1 ] && [ -s %{_sysconfdir}/selinux/config ]; then \ for MOD_NAME in ganesha ipa_custodia kdbus; do \ if [ -d %{_sharedstatedir}/selinux/%1/active/modules/100/$MOD_NAME ]; then \ %{_sbindir}/semodule -n -d $MOD_NAME 2> /dev/null; \ fi; \ done; \ . %{_sysconfdir}/selinux/config; \ FILE_CONTEXT=%{_sysconfdir}/selinux/%1/contexts/files/file_contexts; \ if [ "${SELINUXTYPE}" = %1 -a -f ${FILE_CONTEXT} ]; then \ [ -f ${FILE_CONTEXT}.pre ] || cp -f ${FILE_CONTEXT} ${FILE_CONTEXT}.pre; \ fi; \ touch %{_sysconfdir}/selinux/%1/.rebuild; \ if [ -e %{_sysconfdir}/selinux/%1/.policy.sha512 ]; then \ POLICY_FILE=`ls %{_sysconfdir}/selinux/%1/policy/policy.* | sort | head -1` \ sha512=`sha512sum $POLICY_FILE | cut -d ' ' -f 1`; \ checksha512=`cat %{_sysconfdir}/selinux/%1/.policy.sha512`; \ if [ "$sha512" == "$checksha512" ] ; then \ rm %{_sysconfdir}/selinux/%1/.rebuild; \ fi; \ fi; \ fi; %define postInstall() \ if [ -s %{_sysconfdir}/selinux/config ]; then \ . %{_sysconfdir}/selinux/config &> /dev/null || true; \ fi; \ if [ -e %{_sysconfdir}/selinux/%2/.rebuild ]; then \ rm %{_sysconfdir}/selinux/%2/.rebuild; \ fi; \ %{_sbindir}/semodule -B -n -s %2 2> /dev/null; \ [ "${SELINUXTYPE}" == "%2" ] && %{_sbindir}/selinuxenabled && load_policy; \ if [ %1 -eq 1 ]; then \ %{_sbindir}/restorecon -R /root /var/log /run /etc/passwd* /etc/group* /etc/*shadow* 2> /dev/null; \ else \ %relabel %2 \ fi; %define modulesList() \ awk '$1 !~ "/^#/" && $2 == "=" && $3 == "module" { printf "%%s ", $1 }' ./policy/modules-base.conf > %{buildroot}%{_datadir}/selinux/%1/modules-base.lst \ awk '$1 !~ "/^#/" && $2 == "=" && $3 == "base" { printf "%%s ", $1 }' ./policy/modules-base.conf > %{buildroot}%{_datadir}/selinux/%1/base.lst \ if [ -e ./policy/modules-contrib.conf ];then \ awk '$1 !~ "/^#/" && $2 == "=" && $3 == "module" { printf "%%s ", $1 }' ./policy/modules-contrib.conf > %{buildroot}%{_datadir}/selinux/%1/modules-contrib.lst; \ fi; %define nonBaseModulesList() \ contrib_modules=`cat %{buildroot}%{_datadir}/selinux/%1/modules-contrib.lst` \ base_modules=`cat %{buildroot}%{_datadir}/selinux/%1/modules-base.lst` \ for i in $contrib_modules $base_modules; do \ if [ $i != "sandbox" ];then \ echo "%verify(not md5 size mtime) %{_sharedstatedir}/selinux/%1/active/modules/100/$i" >> %{buildroot}%{_datadir}/selinux/%1/nonbasemodules.lst \ fi; \ done; # Make sure the config is consistent with what packages are installed in the system # this covers cases when system is installed with selinux-policy-{mls,minimal} # or selinux-policy-{targeted,mls,minimal} where switched but the machine has not # been rebooted yet. # The macro should be called at the beginning of "post" (to make sure load_policy does not fail) # and in "posttrans" (to make sure that the store is consistent when all package transitions are done) # Parameter determines the policy type to be set in case of miss-configuration (if backup value is not usable) # Steps: # * load values from config and its backup # * check whether SELINUXTYPE from backup is usable and make sure that it's set in the config if so # * use "targeted" if it's being installed and BACKUP_SELINUXTYPE cannot be used # * check whether SELINUXTYPE in the config is usable and change it to newly installed policy if it isn't %define checkConfigConsistency() \ if [ -f %{_sysconfdir}/selinux/.config_backup ]; then \ . %{_sysconfdir}/selinux/.config_backup; \ else \ BACKUP_SELINUXTYPE=targeted; \ fi; \ if [ -s %{_sysconfdir}/selinux/config ]; then \ . %{_sysconfdir}/selinux/config; \ if ls %{_sysconfdir}/selinux/$BACKUP_SELINUXTYPE/policy/policy.* &>/dev/null; then \ if [ "$BACKUP_SELINUXTYPE" != "$SELINUXTYPE" ]; then \ sed -i 's/^SELINUXTYPE=.*/SELINUXTYPE='"$BACKUP_SELINUXTYPE"'/g' %{_sysconfdir}/selinux/config; \ fi; \ elif [ "%1" = "targeted" ]; then \ if [ "%1" != "$SELINUXTYPE" ]; then \ sed -i 's/^SELINUXTYPE=.*/SELINUXTYPE=%1/g' %{_sysconfdir}/selinux/config; \ fi; \ elif ! ls %{_sysconfdir}/selinux/$SELINUXTYPE/policy/policy.* &>/dev/null; then \ if [ "%1" != "$SELINUXTYPE" ]; then \ sed -i 's/^SELINUXTYPE=.*/SELINUXTYPE=%1/g' %{_sysconfdir}/selinux/config; \ fi; \ fi; \ fi; # Create hidden backup of /etc/selinux/config and prepend BACKUP_ to names # of variables inside so that they are easy to use later # This should be done in "pretrans" because config content can change during RPM operations # The macro has to be used in a script slot with "-p " %define backupConfigLua() \ local sysconfdir = rpm.expand("%{_sysconfdir}") \ local config_file = sysconfdir .. "/selinux/config" \ local config_backup = sysconfdir .. "/selinux/.config_backup" \ os.remove(config_backup) \ if posix.stat(config_file) then \ local f = assert(io.open(config_file, "r"), "Failed to read " .. config_file) \ local content = f:read("*all") \ f:close() \ local backup = content:gsub("SELINUX", "BACKUP_SELINUX") \ local bf = assert(io.open(config_backup, "w"), "Failed to open " .. config_backup) \ bf:write(backup) \ bf:close() \ end # Remove the local_varrun SELinux module %define removeVarrunModule() \ if [ -r "%{_sharedstatedir}/selinux/%1/active/modules/400/extra_varrun/cil" ]; then \ %{_bindir}/rm -rf %{_sharedstatedir}/selinux/%1/active/modules/400/extra_varrun \ fi; %define removeVarrunModuleLua() \ if posix.access ("%{_sharedstatedir}/selinux/%1/active/modules/400/extra_varrun/cil", "r") then \ os.execute ("%{_bindir}/rm -rf %{_sharedstatedir}/selinux/%1/active/modules/400/extra_varrun") \ end %build %prep %autosetup -p 1 -n %{name}-%{commit} tar -C policy/modules/contrib -xf %{SOURCE35} mkdir selinux_config for i in %{SOURCE1} %{SOURCE2} %{SOURCE3} %{SOURCE4} %{SOURCE5} %{SOURCE6} %{SOURCE8} %{SOURCE14} %{SOURCE15} %{SOURCE17} %{SOURCE18} %{SOURCE19} %{SOURCE20} %{SOURCE22} %{SOURCE23} %{SOURCE25} %{SOURCE26} %{SOURCE31} %{SOURCE32};do cp $i selinux_config done %install # Build targeted policy %{__rm} -fR %{buildroot} mkdir -p %{buildroot}%{_sysconfdir}/selinux mkdir -p %{buildroot}%{_sysconfdir}/sysconfig touch %{buildroot}%{_sysconfdir}/selinux/config touch %{buildroot}%{_sysconfdir}/sysconfig/selinux mkdir -p %{buildroot}%{_usr}/lib/tmpfiles.d/ cp %{SOURCE27} %{buildroot}%{_usr}/lib/tmpfiles.d/ mkdir -p %{buildroot}%{_bindir} install -m 755 %{SOURCE33} %{buildroot}%{_bindir}/ mkdir -p %{buildroot}%{_libexecdir}/selinux install -m 755 %{SOURCE37} %{buildroot}%{_libexecdir}/selinux # Always create policy module package directories mkdir -p %{buildroot}%{_datadir}/selinux/{targeted,mls,minimum,modules}/ mkdir -p %{buildroot}%{_sharedstatedir}/selinux/{targeted,mls,minimum,modules}/ mkdir -p %{buildroot}%{_datadir}/selinux/packages # Install devel make clean %if %{BUILD_TARGETED} # Build targeted policy %makeCmds targeted mcs allow %makeModulesConf targeted base contrib %installCmds targeted mcs allow # install permissivedomains.cil %{_sbindir}/semodule -p %{buildroot} -X 100 -s targeted -i %{SOURCE28} # recreate sandbox.pp rm -rf %{buildroot}%{_sharedstatedir}/selinux/targeted/active/modules/100/sandbox %make_build %common_params UNK_PERMS=allow NAME=targeted TYPE=mcs sandbox.pp mv sandbox.pp %{buildroot}%{_datadir}/selinux/packages/sandbox.pp %modulesList targeted %nonBaseModulesList targeted %endif %if %{BUILD_MINIMUM} # Build minimum policy %makeCmds minimum mcs allow %makeModulesConf targeted base contrib %installCmds minimum mcs allow rm -rf %{buildroot}%{_sharedstatedir}/selinux/minimum/active/modules/100/sandbox %modulesList minimum %nonBaseModulesList minimum %endif %if %{BUILD_MLS} # Build mls policy %makeCmds mls mls deny %makeModulesConf mls base contrib %installCmds mls mls deny %modulesList mls %nonBaseModulesList mls %endif # remove leftovers when save-previous=true (semanage.conf) is used rm -rf %{buildroot}%{_sharedstatedir}/selinux/{minimum,targeted,mls}/previous mkdir -p %{buildroot}%{_mandir} cp -R man/* %{buildroot}%{_mandir} make %common_params UNK_PERMS=allow NAME=targeted TYPE=mcs DESTDIR=%{buildroot} PKGNAME=%{name} install-docs make %common_params UNK_PERMS=allow NAME=targeted TYPE=mcs DESTDIR=%{buildroot} PKGNAME=%{name} install-headers mkdir %{buildroot}%{_datadir}/selinux/devel/ mv %{buildroot}%{_datadir}/selinux/targeted/include %{buildroot}%{_datadir}/selinux/devel/include install -m 644 selinux_config/Makefile.devel %{buildroot}%{_datadir}/selinux/devel/Makefile install -m 644 doc/example.* %{buildroot}%{_datadir}/selinux/devel/ install -m 644 doc/policy.* %{buildroot}%{_datadir}/selinux/devel/ %{_bindir}/sepolicy manpage -a -p %{buildroot}%{_datadir}/man/man8/ -w -r %{buildroot} mkdir %{buildroot}%{_datadir}/selinux/devel/html mv %{buildroot}%{_datadir}/man/man8/*.html %{buildroot}%{_datadir}/selinux/devel/html mv %{buildroot}%{_datadir}/man/man8/style.css %{buildroot}%{_datadir}/selinux/devel/html mkdir -p %{buildroot}%{_rpmconfigdir}/macros.d install -m 644 %{SOURCE102} %{buildroot}%{_rpmconfigdir}/macros.d/macros.selinux-policy sed -i 's/SELINUXPOLICYVERSION/%{version}/' %{buildroot}%{_rpmconfigdir}/macros.d/macros.selinux-policy sed -i 's@SELINUXSTOREPATH@%{_sharedstatedir}/selinux@' %{buildroot}%{_rpmconfigdir}/macros.d/macros.selinux-policy mkdir -p %{buildroot}%{_unitdir} install -m 644 %{SOURCE36} %{buildroot}%{_unitdir} rm -rf selinux_config %post %systemd_post selinux-check-proper-disable.service if [ ! -s %{_sysconfdir}/selinux/config ]; then # # New install so we will default to targeted policy # echo " # This file controls the state of SELinux on the system. # SELINUX= can take one of these three values: # enforcing - SELinux security policy is enforced. # permissive - SELinux prints warnings instead of enforcing. # disabled - No SELinux policy is loaded. # See also: # https://docs.fedoraproject.org/en-US/quick-docs/getting-started-with-selinux/#getting-started-with-selinux-selinux-states-and-modes # # NOTE: In earlier Fedora kernel builds, SELINUX=disabled would also # fully disable SELinux during boot. If you need a system with SELinux # fully disabled instead of SELinux running with no policy loaded, you # need to pass selinux=0 to the kernel command line. You can use grubby # to persistently set the bootloader to boot with selinux=0: # # grubby --update-kernel ALL --args selinux=0 # # To revert back to SELinux enabled: # # grubby --update-kernel ALL --remove-args selinux # SELINUX=enforcing # SELINUXTYPE= can take one of these three values: # targeted - Targeted processes are protected, # minimum - Modification of targeted policy. Only selected processes are protected. # mls - Multi Level Security protection. SELINUXTYPE=targeted " > %{_sysconfdir}/selinux/config ln -sf ../selinux/config %{_sysconfdir}/sysconfig/selinux %{_sbindir}/restorecon %{_sysconfdir}/selinux/config 2> /dev/null || : else . %{_sysconfdir}/selinux/config fi exit 0 %preun %systemd_preun selinux-check-proper-disable.service %postun %systemd_postun selinux-check-proper-disable.service if [ $1 = 0 ]; then %{_sbindir}/setenforce 0 2> /dev/null if [ ! -s %{_sysconfdir}/selinux/config ]; then echo "SELINUX=disabled" > %{_sysconfdir}/selinux/config else sed -i 's/^SELINUX=.*/SELINUX=disabled/g' %{_sysconfdir}/selinux/config fi fi exit 0 %if %{BUILD_TARGETED} %package targeted Summary: SELinux targeted policy Provides: selinux-policy-any = %{version}-%{release} Obsoletes: selinux-policy-targeted-sources < 2 Requires(pre): policycoreutils >= %{POLICYCOREUTILSVER} Requires(pre): coreutils Requires(pre): selinux-policy = %{version}-%{release} Requires: selinux-policy = %{version}-%{release} Conflicts: audispd-plugins <= 1.7.7-1 Obsoletes: mod_fcgid-selinux <= %{version}-%{release} Obsoletes: cachefilesd-selinux <= 0.10-1 Conflicts: seedit Conflicts: 389-ds-base < 1.2.7, 389-admin < 1.1.12 Conflicts: container-selinux < 2:1.12.1-22 %description targeted SELinux targeted policy package. %pretrans targeted -p %backupConfigLua %removeVarrunModuleLua targeted %pre targeted %preInstall targeted %post targeted %checkConfigConsistency targeted %postInstall $1 targeted exit 0 %posttrans targeted %checkConfigConsistency targeted %{_libexecdir}/selinux/varrun-convert.sh targeted %{_sbindir}/restorecon -Ri /usr/lib/sysimage/rpm /var/lib/rpm %postun targeted if [ $1 = 0 ]; then if [ -s %{_sysconfdir}/selinux/config ]; then source %{_sysconfdir}/selinux/config &> /dev/null || true fi if [ "$SELINUXTYPE" = "targeted" ]; then %{_sbindir}/setenforce 0 2> /dev/null if [ ! -s %{_sysconfdir}/selinux/config ]; then echo "SELINUX=disabled" > %{_sysconfdir}/selinux/config else sed -i 's/^SELINUX=.*/SELINUX=disabled/g' %{_sysconfdir}/selinux/config fi fi fi exit 0 %triggerin -- pcre2 %{_sbindir}/selinuxenabled && %{_sbindir}/semodule -nB 2> /dev/null exit 0 %triggerprein -- container-selinux %removeVarrunModule targeted exit 0 %triggerprein -- pcp-selinux %removeVarrunModule targeted exit 0 %triggerpostin -- container-selinux %{_libexecdir}/selinux/varrun-convert.sh targeted exit 0 %triggerpostin -- pcp-selinux %{_libexecdir}/selinux/varrun-convert.sh targeted exit 0 %triggerpostun -- selinux-policy-targeted < 3.12.1-74 rm -f %{_sysconfdir}/selinux/*/modules/active/modules/sandbox.pp.disabled 2>/dev/null exit 0 %triggerpostun -- pcp-selinux %{_libexecdir}/selinux/varrun-convert.sh targeted exit 0 %triggerpostun -- container-selinux %{_libexecdir}/selinux/varrun-convert.sh targeted exit 0 %triggerpostun targeted -- selinux-policy-targeted < 3.13.1-138 CR=$'\n' INPUT="" for i in `find %{_sysconfdir}/selinux/targeted/modules/active/modules/ -name \*disabled`; do module=`basename $i | sed 's/.pp.disabled//'` if [ -d %{_sharedstatedir}/selinux/targeted/active/modules/100/$module ]; then touch %{_sharedstatedir}/selinux/targeted/active/modules/disabled/$p fi done for i in `find %{_sysconfdir}/selinux/targeted/modules/active/modules/ -name \*.pp`; do INPUT="${INPUT}${CR}module -N -a $i" done for i in $(find %{_sysconfdir}/selinux/targeted/modules/active -name \*.local); do cp $i %{_sharedstatedir}/selinux/targeted/active done echo "$INPUT" | %{_sbindir}/semanage import -S targeted -N if %{_sbindir}/selinuxenabled ; then %{_sbindir}/load_policy fi exit 0 %files targeted -f %{buildroot}%{_datadir}/selinux/targeted/nonbasemodules.lst %config(noreplace) %{_sysconfdir}/selinux/targeted/contexts/users/unconfined_u %config(noreplace) %{_sysconfdir}/selinux/targeted/contexts/users/sysadm_u %fileList targeted %verify(not md5 size mtime) %{_sharedstatedir}/selinux/targeted/active/modules/100/permissivedomains %endif %if %{BUILD_MINIMUM} %package minimum Summary: SELinux minimum policy Provides: selinux-policy-any = %{version}-%{release} Requires(post): policycoreutils-python-utils >= %{POLICYCOREUTILSVER} Requires(pre): coreutils Requires(pre): selinux-policy = %{version}-%{release} Requires: selinux-policy = %{version}-%{release} Conflicts: seedit Conflicts: container-selinux <= 1.9.0-9 %description minimum SELinux minimum policy package. %pretrans minimum -p %backupConfigLua %pre minimum %preInstall minimum if [ $1 -ne 1 ]; then %{_sbindir}/semodule -s minimum --list-modules=full | awk '{ if ($4 != "disabled") print $2; }' > %{_datadir}/selinux/minimum/instmodules.lst fi %post minimum %checkConfigConsistency minimum contribpackages=`cat %{_datadir}/selinux/minimum/modules-contrib.lst` basepackages=`cat %{_datadir}/selinux/minimum/modules-base.lst` if [ ! -d %{_sharedstatedir}/selinux/minimum/active/modules/disabled ]; then mkdir %{_sharedstatedir}/selinux/minimum/active/modules/disabled fi if [ $1 -eq 1 ]; then for p in $contribpackages; do touch %{_sharedstatedir}/selinux/minimum/active/modules/disabled/$p done for p in $basepackages apache dbus inetd kerberos mta nis; do rm -f %{_sharedstatedir}/selinux/minimum/active/modules/disabled/$p done %{_sbindir}/semanage import -S minimum -f - << __eof login -m -s unconfined_u -r s0-s0:c0.c1023 __default__ login -m -s unconfined_u -r s0-s0:c0.c1023 root __eof %{_sbindir}/restorecon -R /root /var/log /var/run 2> /dev/null %{_sbindir}/semodule -B -s minimum 2> /dev/null else instpackages=`cat %{_datadir}/selinux/minimum/instmodules.lst` for p in $contribpackages; do touch %{_sharedstatedir}/selinux/minimum/active/modules/disabled/$p done for p in $instpackages apache dbus inetd kerberos mta nis; do rm -f %{_sharedstatedir}/selinux/minimum/active/modules/disabled/$p done %{_sbindir}/semodule -B -s minimum 2> /dev/null %relabel minimum fi exit 0 %posttrans minimum %checkConfigConsistency minimum %{_libexecdir}/selinux/varrun-convert.sh minimum %{_sbindir}/restorecon -Ri /usr/lib/sysimage/rpm /var/lib/rpm %postun minimum if [ $1 = 0 ]; then if [ -s %{_sysconfdir}/selinux/config ]; then source %{_sysconfdir}/selinux/config &> /dev/null || true fi if [ "$SELINUXTYPE" = "minimum" ]; then %{_sbindir}/setenforce 0 2> /dev/null if [ ! -s %{_sysconfdir}/selinux/config ]; then echo "SELINUX=disabled" > %{_sysconfdir}/selinux/config else sed -i 's/^SELINUX=.*/SELINUX=disabled/g' %{_sysconfdir}/selinux/config fi fi fi exit 0 %triggerpostun minimum -- selinux-policy-minimum < 3.13.1-138 if [ `ls -A %{_sharedstatedir}/selinux/minimum/active/modules/disabled/` ]; then rm -f %{_sharedstatedir}/selinux/minimum/active/modules/disabled/* fi CR=$'\n' INPUT="" for i in `find %{_sysconfdir}/selinux/minimum/modules/active/modules/ -name \*disabled`; do module=`basename $i | sed 's/.pp.disabled//'` if [ -d %{_sharedstatedir}/selinux/minimum/active/modules/100/$module ]; then touch %{_sharedstatedir}/selinux/minimum/active/modules/disabled/$p fi done for i in `find %{_sysconfdir}/selinux/minimum/modules/active/modules/ -name \*.pp`; do INPUT="${INPUT}${CR}module -N -a $i" done echo "$INPUT" | %{_sbindir}/semanage import -S minimum -N if %{_sbindir}/selinuxenabled ; then %{_sbindir}/load_policy fi exit 0 %files minimum -f %{buildroot}%{_datadir}/selinux/minimum/nonbasemodules.lst %config(noreplace) %{_sysconfdir}/selinux/minimum/contexts/users/unconfined_u %config(noreplace) %{_sysconfdir}/selinux/minimum/contexts/users/sysadm_u %fileList minimum %endif %if %{BUILD_MLS} %package mls Summary: SELinux MLS policy Provides: selinux-policy-any = %{version}-%{release} Obsoletes: selinux-policy-mls-sources < 2 Requires: policycoreutils-newrole >= %{POLICYCOREUTILSVER} setransd Requires(pre): policycoreutils >= %{POLICYCOREUTILSVER} Requires(pre): coreutils Requires(pre): selinux-policy = %{version}-%{release} Requires: selinux-policy = %{version}-%{release} Conflicts: seedit Conflicts: container-selinux <= 1.9.0-9 %description mls SELinux MLS (Multi Level Security) policy package. %pretrans mls -p %backupConfigLua %pre mls %preInstall mls %post mls %checkConfigConsistency mls %postInstall $1 mls exit 0 %posttrans mls %checkConfigConsistency mls %{_libexecdir}/selinux/varrun-convert.sh mls %{_sbindir}/restorecon -Ri /usr/lib/sysimage/rpm /var/lib/rpm %postun mls if [ $1 = 0 ]; then if [ -s %{_sysconfdir}/selinux/config ]; then source %{_sysconfdir}/selinux/config &> /dev/null || true fi if [ "$SELINUXTYPE" = "mls" ]; then %{_sbindir}/setenforce 0 2> /dev/null if [ ! -s %{_sysconfdir}/selinux/config ]; then echo "SELINUX=disabled" > %{_sysconfdir}/selinux/config else sed -i 's/^SELINUX=.*/SELINUX=disabled/g' %{_sysconfdir}/selinux/config fi fi fi exit 0 %triggerpostun mls -- selinux-policy-mls < 3.13.1-138 CR=$'\n' INPUT="" for i in `find %{_sysconfdir}/selinux/mls/modules/active/modules/ -name \*disabled`; do module=`basename $i | sed 's/.pp.disabled//'` if [ -d %{_sharedstatedir}/selinux/mls/active/modules/100/$module ]; then touch %{_sharedstatedir}/selinux/mls/active/modules/disabled/$p fi done for i in `find %{_sysconfdir}/selinux/mls/modules/active/modules/ -name \*.pp`; do INPUT="${INPUT}${CR}module -N -a $i" done echo "$INPUT" | %{_sbindir}/semanage import -S mls -N if %{_sbindir}/selinuxenabled ; then %{_sbindir}/load_policy fi exit 0 %files mls -f %{buildroot}%{_datadir}/selinux/mls/nonbasemodules.lst %config(noreplace) %{_sysconfdir}/selinux/mls/contexts/users/unconfined_u %fileList mls %endif %changelog * Tue Nov 12 2024 Zdenek Pytela - 40.13.13-1 - Revert "Allow unconfined_t execute kmod in the kmod domain" Resolves: RHEL-65190 - Add policy for /usr/libexec/samba/samba-bgqd Resolves: RHEL-64908 - Label samba certificates with samba_cert_t Resolves: RHEL-64908 - Label /usr/bin/samba-gpupdate with samba_gpupdate_exec_t Resolves: RHEL-64908 - Allow rpcd read network sysctls Resolves: RHEL-64737 - Label all semanage store files in /etc as semanage_store_t Resolves: RHEL-65864 * Tue Oct 29 2024 Troy Dawson - 40.13.12-2 - Bump release for October 2024 mass rebuild: Resolves: RHEL-64018 * Thu Oct 24 2024 Zdenek Pytela - 40.13.12-1 - Dontaudit subscription manager setfscreate and read file contexts Resolves: RHEL-58009 - Allow the sysadm user use the secretmem API Resolves: RHEL-40953 - Allow sudodomain list files in /var Resolves: RHEL-58068 - Allow gnome-remote-desktop watch /etc directory Resolves: RHEL-35877 - Allow journalctl connect to systemd-userdbd over a unix socket Resolves: RHEL-58072 - systemd: allow sys_admin capability for systemd_notify_t Resolves: RHEL-58072 - Allow some confined users send to lldpad over a unix dgram socket Resolves: RHEL-61634 - Allow lldpad send to sysadm_t over a unix dgram socket Resolves: RHEL-61634 - Allow lldpd connect to systemd-machined over a unix socket Resolves: RHEL-61634 * Wed Oct 23 2024 Zdenek Pytela - 40.13.11-1 - Allow ping_t read network sysctls Resolves: RHEL-54299 - Label /usr/lib/node_modules/npm/bin with bin_t Resolves: RHEL-56350 - Label /run/sssd with sssd_var_run_t Resolves: RHEL-57065 - Allow virtqemud read virtd_t files Resolves: RHEL-57713 - Allow wdmd read hardware state information Resolves: RHEL-57982 - Allow wdmd list the contents of the sysfs directories Resolves: RHEL-57982 - Label /etc/sysctl.d and /run/sysctl.d with system_conf_t Resolves: RHEL-58380 - Allow dirsrv read network sysctls Resolves: RHEL-58381 - Allow lldpad create and use netlink_generic_socket Resolves: RHEL-61634 - Allow unconfined_t execute kmod in the kmod domain Resolves: RHEL-61755 - Confine the pcm service Resolves: RHEL-52838 - Allow iio-sensor-proxy the bpf capability Resolves: RHEL-62355 - Confine iio-sensor-proxy Resolves: RHEL-62355 * Wed Oct 16 2024 Zdenek Pytela - 40.13.10-1 - Confine gnome-remote-desktop Resolves: RHEL-35877 - Allow virtqemud get attributes of a tmpfs filesystem Resolves: RHEL-40855 - Allow virtqemud get attributes of cifs files Resolves: RHEL-40855 - Allow virtqemud get attributes of filesystems with extended attributes Resolves: RHEL-39668 - Allow virtqemud get attributes of NFS filesystems Resolves: RHEL-40855 - Add support for secretmem anon inode Resolves: RHEL-40953 - Allow systemd-sleep read raw disk data Resolves: RHEL-49600 - Allow systemd-hwdb send messages to kernel unix datagram sockets Resolves: RHEL-50810 - Label /run/modprobe.d with modules_conf_t Resolves: RHEL-54591 - Allow setsebool_t relabel selinux data files Resolves: RHEL-55412 - Don't audit crontab_domain write attempts to user home Resolves: RHEL-56349 - Differentiate between staff and sysadm when executing crontab with sudo Resolves: RHEL-56349 - Add crontab_admin_domtrans interface Resolves: RHEL-56349 - Add crontab_domtrans interface Resolves: RHEL-56349 - Allow boothd connect to kernel over a unix socket Resolves: RHEL-58060 - Fix label of pseudoterminals created from sudodomain Resolves: RHEL-58068 - systemd: allow systemd_notify_t to send data to kernel_t datagram sockets Resolves: RHEL-58072 - Allow rsyslog read systemd-logind session files Resolves: RHEL-40961 - Label /dev/mmcblk0rpmb character device with removable_device_t Resolves: RHEL-55265 - Label /dev/hfi1_[0-9]+ devices Resolves: RHEL-62836 - Label /dev/papr-sysparm and /dev/papr-vpd Resolves: RHEL-56908 - Support SGX devices Resolves: RHEL-62354 - Suppress semodule's stderr Resolves: RHEL-59192 * Mon Aug 26 2024 Zdenek Pytela - 40.13.9-1 - Allow virtqemud relabelfrom also for file and sock_file Resolves: RHEL-49763 - Allow virtqemud relabel user tmp files and socket files Resolves: RHEL-49763 - Update virtqemud policy for libguestfs usage Resolves: RHEL-49763 - Label /run/libvirt/qemu/channel with virtqemud_var_run_t Resolves: RHEL-47274 * Tue Aug 13 2024 Zdenek Pytela - 40.13.8-1 - Add virt_create_log() and virt_write_log() interfaces Resolves: RHEL-47274 - Update libvirt policy Resolves: RHEL-45464 Resolves: RHEL-49763 - Allow svirt_tcg_t map svirt_image_t files Resolves: RHEL-47274 - Allow svirt_tcg_t read vm sysctls Resolves: RHEL-47274 - Additional updates stalld policy for bpf usage Resolves: RHEL-50356 * Thu Aug 08 2024 Zdenek Pytela - 40.13.7-1 - Add the swtpm.if interface file for interactions with other domains Resolves: RHEL-47274 - Allow virtproxyd create and use its private tmp files Resolves: RHEL-40499 - Allow virtproxyd read network state Resolves: RHEL-40499 - Allow virtqemud domain transition on swtpm execution Resolves: RHEL-47274 Resolves: RHEL-49763 - Allow virtqemud relabel virt_var_run_t directories Resolves: RHEL-47274 Resolves: RHEL-45464 Resolves: RHEL-49763 - Allow virtqemud domain transition on passt execution Resolves: RHEL-45464 - Allow virt_driver_domain create and use log files in /var/log Resolves: RHEL-40239 - Allow virt_driver_domain connect to systemd-userdbd over a unix socket Resolves: RHEL-44932 Resolves: RHEL-44898 - Update stalld policy for bpf usage Resolves: RHEL-50356 - Allow boothd connect to systemd-userdbd over a unix socket Resolves: RHEL-45907 - Allow linuxptp configure phc2sys and chronyd over a unix domain socket Resolves: RHEL-46011 - Allow systemd-machined manage runtime sockets Resolves: RHEL-49567 - Allow ip command write to ipsec's logs Resolves: RHEL-41222 - Allow init_t nnp domain transition to firewalld_t Resolves: RHEL-52481 - Update qatlib policy for v24.02 with new features Resolves: RHEL-50377 - Allow postfix_domain map postfix_etc_t files Resolves: RHEL-46327 * Thu Jul 25 2024 Zdenek Pytela - 40.13.6-1 - Allow virtnodedevd run udev with a domain transition Resolves: RHEL-39890 - Allow virtnodedev_t create and use virtnodedev_lock_t Resolves: RHEL-39890 - Allow svirt attach_queue to a virtqemud tun_socket Resolves: RHEL-44312 - Label /run/systemd/machine with systemd_machined_var_run_t Resolves: RHEL-49567 - Allow to create and delete socket files created by rhsm.service * Tue Jul 16 2024 Zdenek Pytela - 40.13.5-1 - Allow to create and delete socket files created by rhsm.service Resolves: RHEL-40857 - Allow svirt read virtqemud fifo files Resolves: RHEL-40350 - Allow virt_dbus_t connect to virtqemud_t over a unix stream socket Resolves: RHEL-37822 - Allow virtqemud read virt-dbus process state Resolves: RHEL-37822 - Allow virtqemud run ssh client with a transition Resolves: RHEL-43215 - Allow virtnetworkd exec shell when virt_hooks_unconfined is on Resolves: RHEL-41168 - Allow NetworkManager the sys_ptrace capability in user namespace Resolves: RHEL-46717 - Update keyutils policy Resolves: RHEL-38920 - Allow ip the setexec permission Resolves: RHEL-41182 * Fri Jun 28 2024 Zdenek Pytela - 40.13.4-1 - Confine libvirt-dbus Resolves: RHEL-37822 - Allow sssd create and use io_uring Resolves: RHEL-43448 - Allow virtqemud the kill capability in user namespace Resolves: RHEL-44996 - Allow login_userdomain execute systemd-tmpfiles in the caller domain Resolves: RHEL-44191 - Allow virtqemud read vm sysctls Resolves: RHEL-40938 - Allow svirt_t read vm sysctls Resolves: RHEL-40938 - Allow rshim get options of the netlink class for KOBJECT_UEVENT family Resolves: RHEL-40859 - Allow systemd-hostnamed read the vsock device Resolves: RHEL-45309 - Allow systemd (PID 1) manage systemd conf files Resolves: RHEL-45304 - Allow journald read systemd config files and directories Resolves: RHEL-45304 - Allow systemd_domain read systemd_conf_t dirs Resolves: RHEL-45304 - Label systemd configuration files with systemd_conf_t Resolves: RHEL-45304 - Allow dhcpcd the kill capability Resolves: RHEL-43417 - Add support for libvirt hooks Resolves: RHEL-41168 * Mon Jun 24 2024 Troy Dawson - 40.13.3-2 - Bump release for June 2024 mass rebuild * Tue Jun 18 2024 Zdenek Pytela - 40.13.3-1 - Allow virtqemud manage nfs files when virt_use_nfs boolean is on Resolves: RHEL-40205 - Allow virt_driver_domain read files labeled unconfined_t Resolves: RHEL-40262 - Allow virt_driver_domain dbus chat with policykit Resolves: RHEL-40346 - Escape "interface" as a file name in a virt filetrans pattern Resolves: RHEL-34769 - Allow setroubleshootd get attributes of all sysctls Resolves: RHEL-40923 - Allow qemu-ga read vm sysctls Resolves: RHEL-40829 - Allow sbd to trace processes in user namespace Resolves: RHEL-39989 - Allow request-key execute scripts Resolves: RHEL-38920 - Update policy for haproxyd Resolves: RHEL-40877 * Fri Jun 07 2024 Zdenek Pytela - 40.13.2-1 - Allow all domains read and write z90crypt device Resolves: RHEL-28539 - Allow dhcpc read /run/netns files Resolves: RHEL-39510 - Allow bootupd search efivarfs dirs Resolves: RHEL-39514 * Fri May 17 2024 Zdenek Pytela - 40.13.1-1 - Allow logwatch read logind sessions files Resolves: RHEL-30441 - Allow sulogin relabel tty1 Resolves: RHEL-30440 - Dontaudit sulogin the checkpoint_restore capability Resolves: RHEL-30440 - Allow postfix smtpd map aliases file Resolves: RHEL-35544 - Ensure dbus communication is allowed bidirectionally Resolves: RHEL-35783 - Allow various services read and write z90crypt device Resolves: RHEL-28539 - Allow dhcpcd use unix_stream_socket Resolves: RHEL-33081 - Allow xdm_t to watch and watch_reads mount_var_run_t Resolves: RHEL-36073 - Allow plymouthd log during shutdown Resolves: RHEL-30455 - Update rpm configuration for the /var/run equivalency change Resolves: RHEL-36094 * Mon Feb 12 2024 Zdenek Pytela - 40.13-1 - Only allow confined user domains to login locally without unconfined_login - Add userdom_spec_domtrans_confined_admin_users interface - Only allow admindomain to execute shell via ssh with ssh_sysadm_login - Add userdom_spec_domtrans_admin_users interface - Move ssh dyntrans to unconfined inside unconfined_login tunable policy - Update ssh_role_template() for user ssh-agent type - Allow init to inherit system DBus file descriptors - Allow init to inherit fds from syslogd - Allow any domain to inherit fds from rpm-ostree - Update afterburn policy - Allow init_t nnp domain transition to abrtd_t * Tue Feb 06 2024 Zdenek Pytela - 40.12-1 - Rename all /var/lock file context entries to /run/lock - Rename all /var/run file context entries to /run - Invert the "/var/run = /run" equivalency * Mon Feb 05 2024 Zdenek Pytela - 40.11-1 - Replace init domtrans rule for confined users to allow exec init - Update dbus_role_template() to allow user service status - Allow polkit status all systemd services - Allow setroubleshootd create and use inherited io_uring - Allow load_policy read and write generic ptys - Allow gpg manage rpm cache - Allow login_userdomain name_bind to howl and xmsg udp ports - Allow rules for confined users logged in plasma - Label /dev/iommu with iommu_device_t - Remove duplicate file context entries in /run - Dontaudit getty and plymouth the checkpoint_restore capability - Allow su domains write login records - Revert "Allow su domains write login records" - Allow login_userdomain delete session dbusd tmp socket files - Allow unix dgram sendto between exim processes - Allow su domains write login records - Allow smbd_t to watch user_home_dir_t if samba_enable_home_dirs is on * Wed Jan 24 2024 Zdenek Pytela - 40.10-1 - Allow chronyd-restricted read chronyd key files - Allow conntrackd_t to use bpf capability2 - Allow systemd-networkd manage its runtime socket files - Allow init_t nnp domain transition to colord_t - Allow polkit status systemd services - nova: Fix duplicate declarations - Allow httpd work with PrivateTmp - Add interfaces for watching and reading ifconfig_var_run_t - Allow collectd read raw fixed disk device - Allow collectd read udev pid files - Set correct label on /etc/pki/pki-tomcat/kra - Allow systemd domains watch system dbus pid socket files - Allow certmonger read network sysctls - Allow mdadm list stratisd data directories - Allow syslog to run unconfined scripts conditionally - Allow syslogd_t nnp_transition to syslogd_unconfined_script_t - Allow qatlib set attributes of vfio device files * Tue Jan 09 2024 Zdenek Pytela - 40.9-1 - Allow systemd-sleep set attributes of efivarfs files - Allow samba-dcerpcd read public files - Allow spamd_update_t the sys_ptrace capability in user namespace - Allow bluetooth devices work with alsa - Allow alsa get attributes filesystems with extended attributes * Tue Jan 02 2024 Yaakov Selkowitz - 40.8-2 - Limit %%selinux_requires to version, not release * Thu Dec 21 2023 Zdenek Pytela - 40.8-1 - Allow hypervkvp_t write access to NetworkManager_etc_rw_t - Add interface for write-only access to NetworkManager rw conf - Allow systemd-sleep send a message to syslog over a unix dgram socket - Allow init create and use netlink netfilter socket - Allow qatlib load kernel modules - Allow qatlib run lspci - Allow qatlib manage its private runtime socket files - Allow qatlib read/write vfio devices - Label /etc/redis.conf with redis_conf_t - Remove the lockdown-class rules from the policy - Allow init read all non-security socket files - Replace redundant dnsmasq pattern macros - Remove unneeded symlink perms in dnsmasq.if - Add additions to dnsmasq interface - Allow nvme_stas_t create and use netlink kobject uevent socket - Allow collectd connect to statsd port - Allow keepalived_t to use sys_ptrace of cap_userns - Allow dovecot_auth_t connect to postgresql using UNIX socket * Wed Dec 13 2023 Zdenek Pytela - 40.7-1 - Make named_zone_t and named_var_run_t a part of the mountpoint attribute - Allow sysadm execute traceroute in sysadm_t domain using sudo - Allow sysadm execute tcpdump in sysadm_t domain using sudo - Allow opafm search nfs directories - Add support for syslogd unconfined scripts - Allow gpsd use /dev/gnss devices - Allow gpg read rpm cache - Allow virtqemud additional permissions - Allow virtqemud manage its private lock files - Allow virtqemud use the io_uring api - Allow ddclient send e-mail notifications - Allow postfix_master_t map postfix data files - Allow init create and use vsock sockets - Allow thumb_t append to init unix domain stream sockets - Label /dev/vas with vas_device_t - Change domain_kernel_load_modules boolean to true - Create interface selinux_watch_config and add it to SELinux users * Tue Nov 28 2023 Zdenek Pytela - 40.6-1 - Add afterburn to modules-targeted-contrib.conf - Update cifs interfaces to include fs_search_auto_mountpoints() - Allow sudodomain read var auth files - Allow spamd_update_t read hardware state information - Allow virtnetworkd domain transition on tc command execution - Allow sendmail MTA connect to sendmail LDA - Allow auditd read all domains process state - Allow rsync read network sysctls - Add dhcpcd bpf capability to run bpf programs - Dontaudit systemd-hwdb dac_override capability - Allow systemd-sleep create efivarfs files * Tue Nov 14 2023 Zdenek Pytela - 40.5-1 - Allow map xserver_tmpfs_t files when xserver_clients_write_xshm is on - Allow graphical applications work in Wayland - Allow kdump work with PrivateTmp - Allow dovecot-auth work with PrivateTmp - Allow nfsd get attributes of all filesystems - Allow unconfined_domain_type use io_uring cmd on domain - ci: Only run Rawhide revdeps tests on the rawhide branch - Label /var/run/auditd.state as auditd_var_run_t - Allow fido-device-onboard (FDO) read the crack database - Allow ip an explicit domain transition to other domains - Label /usr/libexec/selinux/selinux-autorelabel with semanage_exec_t - Allow winbind_rpcd_t processes access when samba_export_all_* is on - Enable NetworkManager and dhclient to use initramfs-configured DHCP connection - Allow ntp to bind and connect to ntske port. - Allow system_mail_t manage exim spool files and dirs - Dontaudit keepalived setattr on keepalived_unconfined_script_exec_t - Label /run/pcsd.socket with cluster_var_run_t - ci: Run cockpit tests in PRs * Thu Oct 19 2023 Zdenek Pytela - 40.4-1 - Add map_read map_write to kernel_prog_run_bpf - Allow systemd-fstab-generator read all symlinks - Allow systemd-fstab-generator the dac_override capability - Allow rpcbind read network sysctls - Support using systemd containers - Allow sysadm_t to connect to iscsid using a unix domain stream socket - Add policy for coreos installer - Add coreos_installer to modules-targeted-contrib.conf * Tue Oct 17 2023 Zdenek Pytela - 40.3-1 - Add policy for nvme-stas - Confine systemd fstab,sysv,rc-local - Label /etc/aliases.lmdb with etc_aliases_t - Create policy for afterburn - Add nvme_stas to modules-targeted-contrib.conf - Add plans/tests.fmf * Tue Oct 10 2023 Zdenek Pytela - 40.2-1 - Add the virt_supplementary module to modules-targeted-contrib.conf - Make new virt drivers permissive - Split virt policy, introduce virt_supplementary module - Allow apcupsd cgi scripts read /sys - Merge pull request #1893 from WOnder93/more-early-boot-overlay-fixes - Allow kernel_t to manage and relabel all files - Add missing optional_policy() to files_relabel_all_files() * Tue Oct 03 2023 Zdenek Pytela - 40.1-1 - Allow named and ndc use the io_uring api - Deprecate common_anon_inode_perms usage - Improve default file context(None) of /var/lib/authselect/backups - Allow udev_t to search all directories with a filesystem type - Implement proper anon_inode support - Allow targetd write to the syslog pid sock_file - Add ipa_pki_retrieve_key_exec() interface - Allow kdumpctl_t to list all directories with a filesystem type - Allow udev additional permissions - Allow udev load kernel module - Allow sysadm_t to mmap modules_object_t files - Add the unconfined_read_files() and unconfined_list_dirs() interfaces - Set default file context of HOME_DIR/tmp/.* to <> - Allow kernel_generic_helper_t to execute mount(1) * Fri Sep 29 2023 Zdenek Pytela - 38.29-1 - Allow sssd send SIGKILL to passkey_child running in ipa_otpd_t - Allow systemd-localed create Xserver config dirs - Allow sssd read symlinks in /etc/sssd - Label /dev/gnss[0-9] with gnss_device_t - Allow systemd-sleep read/write efivarfs variables - ci: Fix version number of packit generated srpms - Dontaudit rhsmcertd write memory device - Allow ssh_agent_type create a sockfile in /run/user/USERID - Set default file context of /var/lib/authselect/backups to <> - Allow prosody read network sysctls - Allow cupsd_t to use bpf capability * Fri Sep 15 2023 Zdenek Pytela - 38.28-1 - Allow sssd domain transition on passkey_child execution conditionally - Allow login_userdomain watch lnk_files in /usr - Allow login_userdomain watch video4linux devices - Change systemd-network-generator transition to include class file - Revert "Change file transition for systemd-network-generator" - Allow nm-dispatcher winbind plugin read/write samba var files - Allow systemd-networkd write to cgroup files - Allow kdump create and use its memfd: objects * Thu Aug 31 2023 Zdenek Pytela - 38.27-1 - Allow fedora-third-party get generic filesystem attributes - Allow sssd use usb devices conditionally - Update policy for qatlib - Allow ssh_agent_type manage generic cache home files * Thu Aug 24 2023 Zdenek Pytela - 38.26-1 - Change file transition for systemd-network-generator - Additional support for gnome-initial-setup - Update gnome-initial-setup policy for geoclue - Allow openconnect vpn open vhost net device - Allow cifs.upcall to connect to SSSD also through the /var/run socket - Grant cifs.upcall more required capabilities - Allow xenstored map xenfs files - Update policy for fdo - Allow keepalived watch var_run dirs - Allow svirt to rw /dev/udmabuf - Allow qatlib to modify hardware state information. - Allow key.dns_resolve connect to avahi over a unix stream socket - Allow key.dns_resolve create and use unix datagram socket - Use quay.io as the container image source for CI * Fri Aug 11 2023 Zdenek Pytela - 38.25-1 - ci: Move srpm/rpm build to packit - .copr: Avoid subshell and changing directory - Allow gpsd, oddjob and oddjob_mkhomedir_t write user_tty_device_t chr_file - Label /usr/libexec/openssh/ssh-pkcs11-helper with ssh_agent_exec_t - Make insights_client_t an unconfined domain - Allow insights-client manage user temporary files - Allow insights-client create all rpm logs with a correct label - Allow insights-client manage generic logs - Allow cloud_init create dhclient var files and init_t manage net_conf_t - Allow insights-client read and write cluster tmpfs files - Allow ipsec read nsfs files - Make tuned work with mls policy - Remove nsplugin_role from mozilla.if - allow mon_procd_t self:cap_userns sys_ptrace - Allow pdns name_bind and name_connect all ports - Set the MLS range of fsdaemon_t to s0 - mls_systemhigh - ci: Move to actions/checkout@v3 version - .copr: Replace chown call with standard workflow safe.directory setting - .copr: Enable `set -u` for robustness - .copr: Simplify root directory variable * Fri Aug 04 2023 Zdenek Pytela - 38.24-1 - Allow rhsmcertd dbus chat with policykit - Allow polkitd execute pkla-check-authorization with nnp transition - Allow user_u and staff_u get attributes of non-security dirs - Allow unconfined user filetrans chrome_sandbox_home_t - Allow svnserve execute postdrop with a transition - Do not make postfix_postdrop_t type an MTA executable file - Allow samba-dcerpc service manage samba tmp files - Add use_nfs_home_dirs boolean for mozilla_plugin - Fix labeling for no-stub-resolv.conf * Wed Aug 02 2023 Zdenek Pytela - 38.23-1 - Revert "Allow winbind-rpcd use its private tmp files" - Allow upsmon execute upsmon via a helper script - Allow openconnect vpn read/write inherited vhost net device - Allow winbind-rpcd use its private tmp files - Update samba-dcerpc policy for printing - Allow gpsd,oddjob,oddjob_mkhomedir rw user domain pty - Allow nscd watch system db dirs - Allow qatlib to read sssd public files - Allow fedora-third-party read /sys and proc - Allow systemd-gpt-generator mount a tmpfs filesystem - Allow journald write to cgroup files - Allow rpc.mountd read network sysctls - Allow blueman read the contents of the sysfs filesystem - Allow logrotate_t to map generic files in /etc - Boolean: Allow virt_qemu_ga create ssh directory * Tue Jul 25 2023 Zdenek Pytela - 38.22-1 - Allow systemd-network-generator send system log messages - Dontaudit the execute permission on sock_file globally - Allow fsadm_t the file mounton permission - Allow named and ndc the io_uring sqpoll permission - Allow sssd io_uring sqpoll permission - Fix location for /run/nsd - Allow qemu-ga get fixed disk devices attributes - Update bitlbee policy - Label /usr/sbin/sos with sosreport_exec_t - Update policy for the sblim-sfcb service - Add the files_getattr_non_auth_dirs() interface - Fix the CI to work with DNF5 * Sat Jul 22 2023 Fedora Release Engineering - 38.21-2 - Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild * Thu Jul 13 2023 Zdenek Pytela - 38.21-1 - Make systemd_tmpfiles_t MLS trusted for lowering the level of files - Revert "Allow insights client map cache_home_t" - Allow nfsidmapd connect to systemd-machined over a unix socket - Allow snapperd connect to kernel over a unix domain stream socket - Allow virt_qemu_ga_t create .ssh dir with correct label - Allow targetd read network sysctls - Set the abrt_handle_event boolean to on - Permit kernel_t to change the user identity in object contexts - Allow insights client map cache_home_t - Label /usr/sbin/mariadbd with mysqld_exec_t - Trim changelog so that it starts at F37 time - Define equivalency for /run/systemd/generator.early * Thu Jun 29 2023 Zdenek Pytela - 38.20-1 - Allow httpd tcp connect to redis port conditionally - Label only /usr/sbin/ripd and ripngd with zebra_exec_t - Dontaudit aide the execmem permission - Remove permissive from fdo - Allow sa-update manage spamc home files - Allow sa-update connect to systemlog services - Label /usr/lib/systemd/system/mimedefang.service with antivirus_unit_file_t - Allow nsd_crond_t write nsd_var_run_t & connectto nsd_t - Allow bootupd search EFI directory * Tue Jun 27 2023 Zdenek Pytela - 38.19-1 - Change init_audit_control default value to true - Allow nfsidmapd connect to systemd-userdbd with a unix socket - Add the qatlib module - Add the fdo module - Add the bootupd module - Set default ports for keylime policy - Create policy for qatlib - Add policy for FIDO Device Onboard - Add policy for bootupd - Add the qatlib module - Add the fdo module - Add the bootupd module * Sun Jun 25 2023 Zdenek Pytela - 38.18-1 - Add support for kafs-dns requested by keyutils - Allow insights-client execmem - Add support for chronyd-restricted - Add init_explicit_domain() interface - Allow fsadm_t to get attributes of cgroup filesystems - Add list_dir_perms to kerberos_read_keytab - Label /var/run/tmpfiles.d/static-nodes.conf with kmod_var_run_t - Allow sendmail manage its runtime files - Allow keyutils_dns_resolver_exec_t be an entrypoint - Allow collectd_t read network state symlinks - Revert "Allow collectd_t read proc_net link files" - Allow nfsd_t to list exports_t dirs - Allow cupsd dbus chat with xdm - Allow haproxy read hardware state information - Add the kafs module * Thu Jun 15 2023 Zdenek Pytela - 38.17-1 - Label /dev/userfaultfd with userfaultfd_t - Allow blueman send general signals to unprivileged user domains - Allow dkim-milter domain transition to sendmail - Label /usr/sbin/cifs.idmap with cifs_helper_exec_t - Allow cifs-helper read sssd kerberos configuration files - Allow rpm_t sys_admin capability - Allow dovecot_deliver_t create/map dovecot_spool_t dir/file - Allow collectd_t read proc_net link files - Allow insights-client getsession process permission - Allow insights-client work with pipe and socket tmp files - Allow insights-client map generic log files - Update cyrus_stream_connect() to use sockets in /run - Allow keyutils-dns-resolver read/view kernel key ring - Label /var/log/kdump.log with kdump_log_t * Fri Jun 09 2023 Zdenek Pytela - 38.16-1 - Add support for the systemd-pstore service - Allow kdumpctl_t to execmem - Update sendmail policy module for opensmtpd - Allow nagios-mail-plugin exec postfix master - Allow subscription-manager execute ip - Allow ssh client connect with a user dbus instance - Add support for ksshaskpass - Allow rhsmcertd file transition in /run also for socket files - Allow keyutils_dns_resolver_t execute keyutils_dns_resolver_exec_t - Allow plymouthd read/write X server miscellaneous devices - Allow systemd-sleep read udev pid files - Allow exim read network sysctls - Allow sendmail request load module - Allow named map its conf files - Allow squid map its cache files - Allow NetworkManager_dispatcher_dhclient_t to execute shells without a domain transition * Tue May 30 2023 Zdenek Pytela - 38.15-1 - Update policy for systemd-sleep - Remove permissive domain for rshim_t - Remove permissive domain for mptcpd_t - Allow systemd-bootchartd the sys_ptrace userns capability - Allow sysadm_t read nsfs files - Allow sysadm_t run kernel bpf programs - Update ssh_role_template for ssh-agent - Update ssh_role_template to allow read/write unallocated ttys - Add the booth module to modules.conf - Allow firewalld rw ica_tmpfs_t files * Fri May 26 2023 Zdenek Pytela - 38.14-1 - Remove permissive domain for cifs_helper_t - Update the cifs-helper policy - Replace cifsutils_helper_domtrans() with keyutils_request_domtrans_to() - Update pkcsslotd policy for sandboxing - Allow abrt_t read kernel persistent storage files - Dontaudit targetd search httpd config dirs - Allow init_t nnp domain transition to policykit_t - Allow rpcd_lsad setcap and use generic ptys - Allow samba-dcerpcd connect to systemd_machined over a unix socket - Allow wireguard to rw network sysctls - Add policy for boothd - Allow kernel to manage its own BPF objects - Label /usr/lib/systemd/system/proftpd.* & vsftpd.* with ftpd_unit_file_t * Mon May 22 2023 Zdenek Pytela - 38.13-1 - Add initial policy for cifs-helper - Label key.dns_resolver with keyutils_dns_resolver_exec_t - Allow unconfined_service_t to create .gnupg labeled as gpg_secret_t - Allow some systemd services write to cgroup files - Allow NetworkManager_dispatcher_dhclient_t to read the DHCP configuration files - Allow systemd resolved to bind to arbitrary nodes - Allow plymouthd_t bpf capability to run bpf programs - Allow cupsd to create samba_var_t files - Allow rhsmcert request the kernel to load a module - Allow virsh name_connect virt_port_t - Allow certmonger manage cluster library files - Allow plymouthd read init process state - Add chromium_sandbox_t setcap capability - Allow snmpd read raw disk data - Allow samba-rpcd work with passwords - Allow unconfined service inherit signal state from init - Allow cloud-init manage gpg admin home content - Allow cluster_t dbus chat with various services - Allow nfsidmapd work with systemd-userdbd and sssd - Allow unconfined_domain_type use IORING_OP_URING_CMD on all device nodes - Allow plymouthd map dri and framebuffer devices - Allow rpmdb_migrate execute rpmdb - Allow logrotate dbus chat with systemd-hostnamed - Allow icecast connect to kernel using a unix stream socket - Allow lldpad connect to systemd-userdbd over a unix socket - Allow journalctl open user domain ptys and ttys - Allow keepalived to manage its tmp files - Allow ftpd read network sysctls - Label /run/bgpd with zebra_var_run_t - Allow gssproxy read network sysctls - Add the cifsutils module * Tue Apr 25 2023 Zdenek Pytela - 38.12-1 - Allow telnetd read network sysctls - Allow munin system plugin read generic SSL certificates - Allow munin system plugin create and use netlink generic socket - Allow login_userdomain create user namespaces - Allow request-key to send syslog messages - Allow request-key to read/view any key - Add fs_delete_pstore_files() interface - Allow insights-client work with teamdctl - Allow insights-client read unconfined service semaphores - Allow insights-client get quotas of all filesystems - Add fs_read_pstore_files() interface - Allow generic kernel helper to read inherited kernel pipes * Fri Apr 14 2023 Zdenek Pytela - 38.11-1 - Allow dovecot-deliver write to the main process runtime fifo files - Allow dmidecode write to cloud-init tmp files - Allow chronyd send a message to cloud-init over a datagram socket - Allow cloud-init domain transition to insights-client domain - Allow mongodb read filesystem sysctls - Allow mongodb read network sysctls - Allow accounts-daemon read generic systemd unit lnk files - Allow blueman watch generic device dirs - Allow nm-dispatcher tlp plugin create tlp dirs - Allow systemd-coredump mounton /usr - Allow rabbitmq to read network sysctls * Tue Apr 04 2023 Zdenek Pytela - 38.10-1 - Allow certmonger dbus chat with the cron system domain - Allow geoclue read network sysctls - Allow geoclue watch the /etc directory - Allow logwatch_mail_t read network sysctls - Allow insights-client read all sysctls - Allow passt manage qemu pid sock files * Fri Mar 24 2023 Zdenek Pytela - 38.9-1 - Allow sssd read accountsd fifo files - Add support for the passt_t domain - Allow virtd_t and svirt_t work with passt - Add new interfaces in the virt module - Add passt interfaces defined conditionally - Allow tshark the setsched capability - Allow poweroff create connections to system dbus - Allow wg load kernel modules, search debugfs dir - Boolean: allow qemu-ga manage ssh home directory - Label smtpd with sendmail_exec_t - Label msmtp and msmtpd with sendmail_exec_t - Allow dovecot to map files in /var/spool/dovecot * Fri Mar 03 2023 Zdenek Pytela - 38.8-1 - Confine gnome-initial-setup - Allow qemu-guest-agent create and use vsock socket - Allow login_pgm setcap permission - Allow chronyc read network sysctls - Enhancement of the /usr/sbin/request-key helper policy - Fix opencryptoki file names in /dev/shm - Allow system_cronjob_t transition to rpm_script_t - Revert "Allow system_cronjob_t domtrans to rpm_script_t" - Add tunable to allow squid bind snmp port - Allow staff_t getattr init pid chr & blk files and read krb5 - Allow firewalld to rw z90crypt device - Allow httpd work with tokens in /dev/shm - Allow svirt to map svirt_image_t char files - Allow sysadm_t run initrc_t script and sysadm_r role access - Allow insights-client manage fsadm pid files * Wed Feb 08 2023 Zdenek Pytela - 38.7-1 - Allowing snapper to create snapshots of /home/ subvolume/partition - Add boolean qemu-ga to run unconfined script - Label systemd-journald feature LogNamespace - Add none file context for polyinstantiated tmp dirs - Allow certmonger read the contents of the sysfs filesystem - Add journalctl the sys_resource capability - Allow nm-dispatcher plugins read generic files in /proc - Add initial policy for the /usr/sbin/request-key helper - Additional support for rpmdb_migrate - Add the keyutils module * Mon Jan 30 2023 Zdenek Pytela - 38.6-1 - Boolean: allow qemu-ga read ssh home directory - Allow kernel_t to read/write all sockets - Allow kernel_t to UNIX-stream connect to all domains - Allow systemd-resolved send a datagram to journald - Allow kernel_t to manage and have "execute" access to all files - Fix the files_manage_all_files() interface - Allow rshim bpf cap2 and read sssd public files - Allow insights-client work with su and lpstat - Allow insights-client tcp connect to all ports - Allow nm-cloud-setup dispatcher plugin restart nm services - Allow unconfined user filetransition for sudo log files - Allow modemmanager create hardware state information files - Allow ModemManager all permissions for netlink route socket - Allow wg to send msg to kernel, write to syslog and dbus connections - Allow hostname_t to read network sysctls. - Dontaudit ftpd the execmem permission - Allow svirt request the kernel to load a module - Allow icecast rename its log files - Allow upsd to send signal to itself - Allow wireguard to create udp sockets and read net_conf - Use '%autosetup' instead of '%setup' - Pass -p 1 to '%autosetup' * Sat Jan 21 2023 Fedora Release Engineering - 38.5-2 - Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild * Fri Jan 13 2023 Zdenek Pytela - 38.5-1 - Allow insights client work with gluster and pcp - Add insights additional capabilities - Add interfaces in domain, files, and unconfined modules - Label fwupdoffline and fwupd-detect-cet with fwupd_exec_t - Allow sudodomain use sudo.log as a logfile - Allow pdns server map its library files and bind to unreserved ports - Allow sysadm_t read/write ipmi devices - Allow prosody manage its runtime socket files - Allow kernel threads manage kernel keys - Allow systemd-userdbd the sys_resource capability - Allow systemd-journal list cgroup directories - Allow apcupsd dbus chat with systemd-logind - Allow nut_domain manage also files and sock_files in /var/run - Allow winbind-rpcd make a TCP connection to the ldap port - Label /usr/lib/rpm/rpmdb_migrate with rpmdb_exec_t - Allow tlp read generic SSL certificates - Allow systemd-resolved watch tmpfs directories - Revert "Allow systemd-resolved watch tmpfs directories" * Mon Dec 19 2022 Zdenek Pytela - 38.4-1 - Allow NetworkManager and wpa_supplicant the bpf capability - Allow systemd-rfkill the bpf capability - Allow winbind-rpcd manage samba_share_t files and dirs - Label /var/lib/httpd/md(/.*)? with httpd_sys_rw_content_t - Allow gpsd the sys_ptrace userns capability - Introduce gpsd_tmp_t for sockfiles managed by gpsd_t - Allow load_policy_t write to unallocated ttys - Allow ndc read hardware state information - Allow system mail service read inherited certmonger runtime files - Add lpr_roles to system_r roles - Revert "Allow insights-client run lpr and allow the proper role" - Allow stalld to read /sys/kernel/security/lockdown file - Allow keepalived to set resource limits - Add policy for mptcpd - Add policy for rshim - Allow admin users to create user namespaces - Allow journalctl relabel with var_log_t and syslogd_var_run_t files - Do not run restorecon /etc/NetworkManager/dispatcher.d in targeted - Trim changelog so that it starts at F35 time - Add mptcpd and rshim modules * Wed Dec 14 2022 Zdenek Pytela - 38.3-1 - Allow insights-client dbus chat with various services - Allow insights-client tcp connect to various ports - Allow insights-client run lpr and allow the proper role - Allow insights-client work with pcp and manage user config files - Allow redis get user names - Allow kernel threads to use fds from all domains - Allow systemd-modules-load load kernel modules - Allow login_userdomain watch systemd-passwd pid dirs - Allow insights-client dbus chat with abrt - Grant kernel_t certain permissions in the system class - Allow systemd-resolved watch tmpfs directories - Allow systemd-timedated watch init runtime dir - Make `bootc` be `install_exec_t` - Allow systemd-coredump create user_namespace - Allow syslog the setpcap capability - donaudit virtlogd and dnsmasq execmem * Tue Dec 06 2022 Zdenek Pytela - 38.2-1 - Don't make kernel_t an unconfined domain - Don't allow kernel_t to execute bin_t/usr_t binaries without a transition - Allow kernel_t to execute systemctl to do a poweroff/reboot - Grant basic permissions to the domain created by systemd_systemctl_domain() - Allow kernel_t to request module loading - Allow kernel_t to do compute_create - Allow kernel_t to manage perf events - Grant almost all capabilities to kernel_t - Allow kernel_t to fully manage all devices - Revert "In domain_transition_pattern there is no permission allowing caller domain to execu_no_trans on entrypoint, this patch fixing this issue" - Allow pulseaudio to write to session_dbusd tmp socket files - Allow systemd and unconfined_domain_type create user_namespace - Add the user_namespace security class - Reuse tmpfs_t also for the ramfs filesystem - Label udf tools with fsadm_exec_t - Allow networkmanager_dispatcher_plugin work with nscd - Watch_sb all file type directories. - Allow spamc read hardware state information files - Allow sysadm read ipmi devices - Allow insights client communicate with cupsd, mysqld, openvswitch, redis - Allow insights client read raw memory devices - Allow the spamd_update_t domain get generic filesystem attributes - Dontaudit systemd-gpt-generator the sys_admin capability - Allow ipsec_t only read tpm devices - Allow cups-pdf connect to the system log service - Allow postfix/smtpd read kerberos key table - Allow syslogd read network sysctls - Allow cdcc mmap dcc-client-map files - Add watch and watch_sb dosfs interface * Mon Nov 21 2022 Zdenek Pytela - 38.1-1 - Revert "Allow sysadm_t read raw memory devices" - Allow systemd-socket-proxyd get attributes of cgroup filesystems - Allow rpc.gssd read network sysctls - Allow winbind-rpcd get attributes of device and pty filesystems - Allow insights-client domain transition on semanage execution - Allow insights-client create gluster log dir with a transition - Allow insights-client manage generic locks - Allow insights-client unix_read all domain semaphores - Add domain_unix_read_all_semaphores() interface - Allow winbind-rpcd use the terminal multiplexor - Allow mrtg send mails - Allow systemd-hostnamed dbus chat with init scripts - Allow sssd dbus chat with system cronjobs - Add interface to watch all filesystems - Add watch_sb interfaces - Add watch interfaces - Allow dhcpd bpf capability to run bpf programs - Allow netutils and traceroute bpf capability to run bpf programs - Allow pkcs_slotd_t bpf capability to run bpf programs - Allow xdm bpf capability to run bpf programs - Allow pcscd bpf capability to run bpf programs - Allow lldpad bpf capability to run bpf programs - Allow keepalived bpf capability to run bpf programs - Allow ipsec bpf capability to run bpf programs - Allow fprintd bpf capability to run bpf programs - Allow systemd-socket-proxyd get filesystems attributes - Allow dirsrv_snmp_t to manage dirsrv_config_t & dirsrv_var_run_t files * Mon Oct 31 2022 Zdenek Pytela - 37.14-1 - Allow rotatelogs read httpd_log_t symlinks - Add winbind-rpcd to samba_enable_home_dirs boolean - Allow system cronjobs dbus chat with setroubleshoot - Allow setroubleshootd read device sysctls - Allow virt_domain read device sysctls - Allow rhcd compute selinux access vector - Allow insights-client manage samba var dirs - Label ports 10161-10162 tcp/udp with snmp - Allow aide to connect to systemd_machined with a unix socket. - Allow samba-dcerpcd use NSCD services over a unix stream socket - Allow vlock search the contents of the /dev/pts directory - Allow insights-client send null signal to rpm and system cronjob - Label port 15354/tcp and 15354/udp with opendnssec - Allow ftpd map ftpd_var_run files - Allow targetclid to manage tmp files - Allow insights-client connect to postgresql with a unix socket - Allow insights-client domtrans on unix_chkpwd execution - Add file context entries for insights-client and rhc - Allow pulseaudio create gnome content (~/.config) - Allow login_userdomain dbus chat with rhsmcertd - Allow sbd the sys_ptrace capability - Allow ptp4l_t name_bind ptp_event_port_t * Mon Oct 03 2022 Zdenek Pytela - 37.13-1 - Remove the ipa module - Allow sss daemons read/write unnamed pipes of cloud-init - Allow postfix_mailqueue create and use unix dgram sockets - Allow xdm watch user home directories - Allow nm-dispatcher ddclient plugin load a kernel module - Stop ignoring standalone interface files - Drop cockpit module - Allow init map its private tmp files - Allow xenstored change its hard resource limits - Allow system_mail-t read network sysctls - Add bgpd sys_chroot capability * Thu Sep 22 2022 Zdenek Pytela - 37.12-1 - nut-upsd: kernel_read_system_state, fs_getattr_cgroup - Add numad the ipc_owner capability - Allow gst-plugin-scanner read virtual memory sysctls - Allow init read/write inherited user fifo files - Update dnssec-trigger policy: setsched, module_request - added policy for systemd-socket-proxyd - Add the new 'cmd' permission to the 'io_uring' class - Allow winbind-rpcd read and write its key ring - Label /run/NetworkManager/no-stub-resolv.conf net_conf_t - blueman-mechanism can read ~/.local/lib/python*/site-packages directory - pidof executed by abrt can readlink /proc/*/exe - Fix typo in comment - Do not run restorecon /etc/NetworkManager/dispatcher.d in mls and minimum * Wed Sep 14 2022 Zdenek Pytela - 37.11-1 - Allow tor get filesystem attributes - Allow utempter append to login_userdomain stream - Allow login_userdomain accept a stream connection to XDM - Allow login_userdomain write to boltd named pipes - Allow staff_u and user_u users write to bolt pipe - Allow login_userdomain watch various directories - Update rhcd policy for executing additional commands 5 - Update rhcd policy for executing additional commands 4 - Allow rhcd create rpm hawkey logs with correct label - Allow systemd-gpt-auto-generator to check for empty dirs - Update rhcd policy for executing additional commands 3 - Allow journalctl read rhcd fifo files - Update insights-client policy for additional commands execution 5 - Allow init remount all file_type filesystems - Confine insights-client systemd unit - Update insights-client policy for additional commands execution 4 - Allow pcp pmcd search tracefs and acct_data dirs - Allow httpd read network sysctls - Dontaudit domain map permission on directories - Revert "Allow X userdomains to mmap user_fonts_cache_t dirs" - Revert "Allow xdm_t domain to mmap /var/lib/gdm/.cache/fontconfig BZ(1725509)" - Update insights-client policy for additional commands execution 3 - Allow systemd permissions needed for sandboxed services - Add rhcd module - Make dependency on rpm-plugin-selinux unordered * Fri Sep 02 2022 Zdenek Pytela - 37.10-1 - Allow ipsec_t read/write tpm devices - Allow rhcd execute all executables - Update rhcd policy for executing additional commands 2 - Update insights-client policy for additional commands execution 2 - Allow sysadm_t read raw memory devices - Allow chronyd send and receive chronyd/ntp client packets - Allow ssh client read kerberos homedir config files - Label /var/log/rhc-worker-playbook with rhcd_var_log_t - Update insights-client policy (auditctl, gpg, journal) - Allow system_cronjob_t domtrans to rpm_script_t - Allow smbd_t process noatsecure permission for winbind_rpcd_t - Update tor_bind_all_unreserved_ports interface - Allow chronyd bind UDP sockets to ptp_event ports. - Allow unconfined and sysadm users transition for /root/.gnupg - Add gpg_filetrans_admin_home_content() interface - Update rhcd policy for executing additional commands - Update insights-client policy for additional commands execution - Add userdom_view_all_users_keys() interface - Allow gpg read and write generic pty type - Allow chronyc read and write generic pty type - Allow system_dbusd ioctl kernel with a unix stream sockets - Allow samba-bgqd to read a printer list - Allow stalld get and set scheduling policy of all domains. - Allow unconfined_t transition to targetclid_home_t * Thu Aug 11 2022 Zdenek Pytela - 37.9-1 - Allow nm-dispatcher custom plugin dbus chat with nm - Allow nm-dispatcher sendmail plugin get status of systemd services - Allow xdm read the kernel key ring - Allow login_userdomain check status of mount units - Allow postfix/smtp and postfix/virtual read kerberos key table - Allow services execute systemd-notify - Do not allow login_userdomain use sd_notify() - Allow launch-xenstored read filesystem sysctls - Allow systemd-modules-load write to /dev/kmsg and send a message to syslogd - Allow openvswitch fsetid capability - Allow openvswitch use its private tmpfs files and dirs - Allow openvswitch search tracefs dirs - Allow pmdalinux read files on an nfsd filesystem - Allow winbind-rpcd write to winbind pid files - Allow networkmanager to signal unconfined process - Allow systemd_hostnamed label /run/systemd/* as hostnamed_etc_t - Allow samba-bgqd get a printer list - fix(init.fc): Fix section description - Allow fedora-third-party read the passwords file - Remove permissive domain for rhcd_t - Allow pmie read network state information and network sysctls - Revert "Dontaudit domain the fowner capability" - Allow sysadm_t to run bpftool on the userdomain attribute - Add the userdom_prog_run_bpf_userdomain() interface - Allow insights-client rpm named file transitions - Add /var/tmp/insights-archive to insights_client_filetrans_named_content * Mon Aug 01 2022 Zdenek Pytela - 37.8-1 - Allow sa-update to get init status and start systemd files - Use insights_client_filetrans_named_content - Make default file context match with named transitions - Allow nm-dispatcher tlp plugin send system log messages - Allow nm-dispatcher tlp plugin create and use unix_dgram_socket - Add permissions to manage lnk_files into gnome_manage_home_config - Allow rhsmcertd to read insights config files - Label /etc/insights-client/machine-id - fix(devices.fc): Replace single quote in comment to solve parsing issues - Make NetworkManager_dispatcher_custom_t an unconfined domain * Sat Jul 23 2022 Fedora Release Engineering - 37.7-2 - Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild * Thu Jul 14 2022 Zdenek Pytela - 37.7-1 - Update winbind_rpcd_t - Allow some domains use sd_notify() - Revert "Allow rabbitmq to use systemd notify" - fix(sedoctool.py): Fix syntax warning: "is not" with a literal - Allow nm-dispatcher console plugin manage etc files - Allow networkmanager_dispatcher_plugin list NetworkManager_etc_t dirs - Allow nm-dispatcher console plugin setfscreate - Support using systemd-update-helper in rpm scriptlets - Allow nm-dispatcher winbind plugin read samba config files - Allow domain use userfaultfd over all domains - Allow cups-lpd read network sysctls * Wed Jun 29 2022 Zdenek Pytela - 37.6-1 - Allow stalld set scheduling policy of kernel threads - Allow targetclid read /var/target files - Allow targetclid read generic SSL certificates (fixed) - Allow firewalld read the contents of the sysfs filesystem - Fix file context pattern for /var/target - Use insights_client_etc_t in insights_search_config() - Allow nm-dispatcher ddclient plugin handle systemd services - Allow nm-dispatcher winbind plugin run smbcontrol - Allow nm-dispatcher custom plugin create and use unix dgram socket - Update samba-dcerpcd policy for kerberos usage 2 - Allow keepalived read the contents of the sysfs filesystem - Allow amandad read network sysctls - Allow cups-lpd read network sysctls - Allow kpropd read network sysctls - Update insights_client_filetrans_named_content() - Allow rabbitmq to use systemd notify - Label /var/target with targetd_var_t - Allow targetclid read generic SSL certificates - Update rhcd policy - Allow rhcd search insights configuration directories - Add the kernel_read_proc_files() interface - Require policycoreutils >= 3.4-1 - Add a script for enclosing interfaces in ifndef statements - Disable rpm verification on interface_info * Wed Jun 22 2022 Zdenek Pytela - 37.5-1 - Allow transition to insights_client named content - Add the insights_client_filetrans_named_content() interface - Update policy for insights-client to run additional commands 3 - Allow dhclient manage pid files used by chronyd - Allow stalld get scheduling policy of kernel threads - Allow samba-dcerpcd work with sssd - Allow dlm_controld send a null signal to a cluster daemon - Allow ksmctl create hardware state information files - Allow winbind_rpcd_t connect to self over a unix_stream_socket - Update samba-dcerpcd policy for kerberos usage - Allow insights-client execute its private memfd: objects - Update policy for insights-client to run additional commands 2 - Use insights_client_tmp_t instead of insights_client_var_tmp_t - Change space indentation to tab in insights-client - Use socket permissions sets in insights-client - Update policy for insights-client to run additional commands - Change rpm_setattr_db_files() to use a pattern - Allow init_t to rw insights_client unnamed pipe - Add rpm setattr db files macro - Fix insights client - Update kernel_read_unix_sysctls() for sysctl_net_unix_t handling - Allow rabbitmq to access its private memfd: objects - Update policy for samba-dcerpcd - Allow stalld setsched and sys_nice * Tue Jun 07 2022 Zdenek Pytela - 37.4-1 - Allow auditd_t noatsecure for a transition to audisp_remote_t - Allow ctdbd nlmsg_read on netlink_tcpdiag_socket - Allow pcp_domain execute its private memfd: objects - Add support for samba-dcerpcd - Add policy for wireguard - Confine targetcli - Allow systemd work with install_t unix stream sockets - Allow iscsid the sys_ptrace userns capability - Allow xdm connect to unconfined_service_t over a unix stream socket * Fri May 27 2022 Zdenek Pytela - 37.3-1 - Allow nm-dispatcher custom plugin execute systemctl - Allow nm-dispatcher custom plugin dbus chat with nm - Allow nm-dispatcher custom plugin create and use udp socket - Allow nm-dispatcher custom plugin create and use netlink_route_socket - Use create_netlink_socket_perms in netlink_route_socket class permissions - Add support for nm-dispatcher sendmail scripts - Allow sslh net_admin capability - Allow insights-client manage gpg admin home content - Add the gpg_manage_admin_home_content() interface - Allow rhsmcertd create generic log files - Update logging_create_generic_logs() to use create_files_pattern() - Label /var/cache/insights with insights_client_cache_t - Allow insights-client search gconf homedir - Allow insights-client create and use unix_dgram_socket - Allow blueman execute its private memfd: files - Move the chown call into make-srpm.sh * Fri May 06 2022 Zdenek Pytela - 37.2-1 - Use the networkmanager_dispatcher_plugin attribute in allow rules - Make a custom nm-dispatcher plugin transition - Label port 4784/tcp and 4784/udp with bfd_multi - Allow systemd watch and watch_reads user ptys - Allow sblim-gatherd the kill capability - Label more vdsm utils with virtd_exec_t - Add ksm service to ksmtuned - Add rhcd policy - Dontaudit guest attempts to dbus chat with systemd domains - Dontaudit guest attempts to dbus chat with system bus types - Use a named transition in systemd_hwdb_manage_config() - Add default fc specifications for patterns in /opt - Add the files_create_etc_files() interface - Allow nm-dispatcher console plugin create and write files in /etc - Allow nm-dispatcher console plugin transition to the setfiles domain - Allow more nm-dispatcher plugins append to init stream sockets - Allow nm-dispatcher tlp plugin dbus chat with nm - Reorder networkmanager_dispatcher_plugin_template() calls - Allow svirt connectto virtlogd - Allow blueman map its private memfd: files - Allow sysadm user execute init scripts with a transition - Allow sblim-sfcbd connect to sblim-reposd stream - Allow keepalived_unconfined_script_t dbus chat with init - Run restorecon with "-i" not to report errors * Mon May 02 2022 Zdenek Pytela - 37.1-1 - Fix users for SELinux userspace 3.4 - Label /var/run/machine-id as machineid_t - Add stalld to modules.conf - Use files_tmpfs_file() for rhsmcertd_tmpfs_t - Allow blueman read/write its private memfd: objects - Allow insights-client read rhnsd config files - Allow insights-client create_socket_perms for tcp/udp sockets