0c8f629e44
Since libsemanage commit d96f27bf7cb91 ("libsemanage: Preserve file context and ownership in policy store"), libsemanage tries to preserve file contexts during SELinux policy rebuild. If the underlying fs does not support any of the operations used, it prints warnings on stderr. Given that it's not a fatal error, it's reasonable to suppress them. Fixes: $ podman run --pull=newer --rm -ti quay.io/fedora/fedora:rawhide [root@3a1e072c5559 /]# dnf4 install selinux-policy-targeted ... Could not set context for /var/lib/selinux/targeted/tmp/modules/100/zosremote/cil: Operation not supported Could not set context for /var/lib/selinux/targeted/tmp/modules/100/zosremote/hll: Operation not supported Could not set context for /var/lib/selinux/targeted/tmp/modules/100/zosremote/lang_ext: Operation not supported ... Could not set context for /etc/selinux/targeted/contexts/files/file_contexts.homedirs.bin: Operation not supported Could not set context for /etc/selinux/targeted/policy/policy.33: Operation not supported Could not set context for /etc/selinux/targeted/seusers: Operation not supported [skip changelog] Resolves: RHEL-59192
# github repo with selinux-policy sources
|
|
%global giturl https://github.com/fedora-selinux/selinux-policy
|
|
%global commit 61128219cb2270144668ecdde8e00b074dc898f8
|
|
%global shortcommit %(c=%{commit}; echo ${c:0:7})
|
|
|
|
%define distro redhat
|
|
%define polyinstatiate n
|
|
%define monolithic n
|
|
%if %{?BUILD_DOC:0}%{!?BUILD_DOC:1}
|
|
%define BUILD_DOC 1
|
|
%endif
|
|
%if %{?BUILD_TARGETED:0}%{!?BUILD_TARGETED:1}
|
|
%define BUILD_TARGETED 1
|
|
%endif
|
|
%if %{?BUILD_MINIMUM:0}%{!?BUILD_MINIMUM:1}
|
|
%define BUILD_MINIMUM 1
|
|
%endif
|
|
%if %{?BUILD_MLS:0}%{!?BUILD_MLS:1}
|
|
%define BUILD_MLS 1
|
|
%endif
|
|
%define POLICYVER 33
|
|
%define POLICYCOREUTILSVER 3.4-1
|
|
%define CHECKPOLICYVER 3.2
|
|
Summary: SELinux policy configuration
|
|
Name: selinux-policy
|
|
Version: 40.13.9
|
|
Release: 1%{?dist}
|
|
License: GPL-2.0-or-later
|
|
Source: %{giturl}/archive/%{commit}/%{name}-%{shortcommit}.tar.gz
|
|
Source1: modules-targeted-base.conf
|
|
Source31: modules-targeted-contrib.conf
|
|
Source2: booleans-targeted.conf
|
|
Source3: Makefile.devel
|
|
Source4: setrans-targeted.conf
|
|
Source5: modules-mls-base.conf
|
|
Source32: modules-mls-contrib.conf
|
|
Source6: booleans-mls.conf
|
|
Source8: setrans-mls.conf
|
|
Source14: securetty_types-targeted
|
|
Source15: securetty_types-mls
|
|
#Source16: modules-minimum.conf
|
|
Source17: booleans-minimum.conf
|
|
Source18: setrans-minimum.conf
|
|
Source19: securetty_types-minimum
|
|
Source20: customizable_types
|
|
Source22: users-mls
|
|
Source23: users-targeted
|
|
Source25: users-minimum
|
|
Source26: file_contexts.subs_dist
|
|
Source27: selinux-policy.conf
|
|
Source28: permissivedomains.cil
|
|
Source30: booleans.subs_dist
|
|
|
|
# Tool helps during policy development, to expand system m4 macros to raw allow rules
|
|
# Git repo: https://github.com/fedora-selinux/macro-expander.git
|
|
Source33: macro-expander
|
|
|
|
# Include SELinux policy for container from separate container-selinux repo
|
|
# Git repo: https://github.com/containers/container-selinux.git
|
|
Source35: container-selinux.tgz
|
|
|
|
Source36: selinux-check-proper-disable.service
|
|
|
|
# Script to convert /var/run file context entries to /run
|
|
Source37: varrun-convert.sh
|
|
|
|
# Provide rpm macros for packages installing SELinux modules
|
|
Source102: rpm.macros
|
|
|
|
Url: %{giturl}
|
|
BuildArch: noarch
|
|
BuildRequires: python3 gawk checkpolicy >= %{CHECKPOLICYVER} m4 policycoreutils-devel >= %{POLICYCOREUTILSVER} bzip2
|
|
BuildRequires: make
|
|
BuildRequires: systemd-rpm-macros
|
|
Requires(pre): policycoreutils >= %{POLICYCOREUTILSVER}
|
|
Requires(post): /bin/awk /usr/bin/sha512sum
|
|
Requires(meta): rpm-plugin-selinux
|
|
Requires: selinux-policy-any = %{version}-%{release}
|
|
Provides: selinux-policy-base = %{version}-%{release}
|
|
Suggests: selinux-policy-targeted
|
|
|
|
%description
|
|
SELinux core policy package.
|
|
Originally based off of reference policy,
|
|
the policy has been adjusted to provide support for Fedora.
|
|
|
|
%files
|
|
%{!?_licensedir:%global license %%doc}
|
|
%license COPYING
|
|
%dir %{_datadir}/selinux
|
|
%dir %{_datadir}/selinux/packages
|
|
%dir %{_sysconfdir}/selinux
|
|
%ghost %config(noreplace) %{_sysconfdir}/selinux/config
|
|
%ghost %{_sysconfdir}/sysconfig/selinux
|
|
%{_usr}/lib/tmpfiles.d/selinux-policy.conf
|
|
%{_rpmconfigdir}/macros.d/macros.selinux-policy
|
|
%{_unitdir}/selinux-check-proper-disable.service
|
|
%{_libexecdir}/selinux/varrun-convert.sh
|
|
|
|
%package sandbox
|
|
Summary: SELinux sandbox policy
|
|
Requires(pre): selinux-policy-base = %{version}-%{release}
|
|
Requires(pre): selinux-policy-targeted = %{version}-%{release}
|
|
|
|
%description sandbox
|
|
SELinux sandbox policy for use with the sandbox utility.
|
|
|
|
%files sandbox
|
|
%verify(not md5 size mtime) %{_datadir}/selinux/packages/sandbox.pp
|
|
|
|
%post sandbox
|
|
rm -f %{_sysconfdir}/selinux/*/modules/active/modules/sandbox.pp.disabled 2>/dev/null
|
|
rm -f %{_sharedstatedir}/selinux/*/active/modules/disabled/sandbox 2>/dev/null
|
|
%{_sbindir}/semodule -n -X 100 -i %{_datadir}/selinux/packages/sandbox.pp 2> /dev/null
|
|
if %{_sbindir}/selinuxenabled ; then
|
|
%{_sbindir}/load_policy
|
|
fi;
|
|
exit 0
|
|
|
|
%preun sandbox
|
|
if [ $1 -eq 0 ] ; then
|
|
%{_sbindir}/semodule -n -d sandbox 2>/dev/null
|
|
if %{_sbindir}/selinuxenabled ; then
|
|
%{_sbindir}/load_policy
|
|
fi;
|
|
fi;
|
|
exit 0
|
|
|
|
%package devel
|
|
Summary: SELinux policy development files
|
|
Requires(pre): selinux-policy = %{version}-%{release}
|
|
Requires: selinux-policy = %{version}-%{release}
|
|
Requires: m4 checkpolicy >= %{CHECKPOLICYVER}
|
|
Requires: /usr/bin/make
|
|
Requires(post): policycoreutils-devel >= %{POLICYCOREUTILSVER}
|
|
|
|
%description devel
|
|
SELinux policy development package.
|
|
This package contains:
|
|
- interfaces, macros, and patterns for policy development
|
|
- a policy example
|
|
- the macro-expander utility
|
|
and some additional files.
|
|
|
|
%files devel
|
|
%{_bindir}/macro-expander
|
|
%dir %{_datadir}/selinux/devel
|
|
%dir %{_datadir}/selinux/devel/include
|
|
%{_datadir}/selinux/devel/include/*
|
|
%exclude %{_datadir}/selinux/devel/include/contrib/container.if
|
|
%dir %{_datadir}/selinux/devel/html
|
|
%{_datadir}/selinux/devel/html/*html
|
|
%{_datadir}/selinux/devel/html/*css
|
|
%{_datadir}/selinux/devel/Makefile
|
|
%{_datadir}/selinux/devel/example.*
|
|
%{_datadir}/selinux/devel/policy.*
|
|
%ghost %verify(not md5 size mode mtime) %{_sharedstatedir}/sepolgen/interface_info
|
|
|
|
%post devel
|
|
%{_sbindir}/selinuxenabled && %{_bindir}/sepolgen-ifgen 2>/dev/null
|
|
exit 0
|
|
|
|
%package doc
|
|
Summary: SELinux policy documentation
|
|
Requires(pre): selinux-policy = %{version}-%{release}
|
|
Requires: selinux-policy = %{version}-%{release}
|
|
|
|
%description doc
|
|
SELinux policy documentation package.
|
|
This package contains manual pages and documentation of the policy modules.
|
|
|
|
%files doc
|
|
%{_mandir}/man*/*
|
|
%{_mandir}/ru/*/*
|
|
%exclude %{_mandir}/man8/container_selinux.8.gz
|
|
%doc %{_datadir}/doc/%{name}
|
|
|
|
%define common_params DISTRO=%{distro} UBAC=n DIRECT_INITRC=n MONOLITHIC=%{monolithic} MLS_CATS=1024 MCS_CATS=1024
|
|
|
|
%define makeCmds() \
|
|
%make_build %common_params UNK_PERMS=%3 NAME=%1 TYPE=%2 bare \
|
|
%make_build %common_params UNK_PERMS=%3 NAME=%1 TYPE=%2 conf \
|
|
cp -f selinux_config/booleans-%1.conf ./policy/booleans.conf \
|
|
cp -f selinux_config/users-%1 ./policy/users \
|
|
#cp -f selinux_config/modules-%1-base.conf ./policy/modules.conf \
|
|
|
|
%define makeModulesConf() \
|
|
cp -f selinux_config/modules-%1-%2.conf ./policy/modules-base.conf \
|
|
cp -f selinux_config/modules-%1-%2.conf ./policy/modules.conf \
|
|
if [ %3 == "contrib" ];then \
|
|
cp selinux_config/modules-%1-%3.conf ./policy/modules-contrib.conf; \
|
|
cat selinux_config/modules-%1-%3.conf >> ./policy/modules.conf; \
|
|
fi; \
|
|
|
|
%define installCmds() \
|
|
%make_build %common_params UNK_PERMS=%3 NAME=%1 TYPE=%2 base.pp \
|
|
%make_build %common_params UNK_PERMS=%3 NAME=%1 TYPE=%2 validate modules \
|
|
make %common_params UNK_PERMS=%3 NAME=%1 TYPE=%2 DESTDIR=%{buildroot} install \
|
|
make %common_params UNK_PERMS=%3 NAME=%1 TYPE=%2 DESTDIR=%{buildroot} install-appconfig \
|
|
make %common_params UNK_PERMS=%3 NAME=%1 TYPE=%2 DESTDIR=%{buildroot} SEMODULE="%{_sbindir}/semodule -p %{buildroot} -X 100 " load \
|
|
%{__mkdir} -p %{buildroot}%{_sysconfdir}/selinux/%1/logins \
|
|
touch %{buildroot}%{_sysconfdir}/selinux/%1/contexts/files/file_contexts.subs \
|
|
install -m0644 selinux_config/securetty_types-%1 %{buildroot}%{_sysconfdir}/selinux/%1/contexts/securetty_types \
|
|
install -m0644 selinux_config/file_contexts.subs_dist %{buildroot}%{_sysconfdir}/selinux/%1/contexts/files \
|
|
install -m0644 selinux_config/setrans-%1.conf %{buildroot}%{_sysconfdir}/selinux/%1/setrans.conf \
|
|
install -m0644 selinux_config/customizable_types %{buildroot}%{_sysconfdir}/selinux/%1/contexts/customizable_types \
|
|
touch %{buildroot}%{_sysconfdir}/selinux/%1/contexts/files/file_contexts.bin \
|
|
touch %{buildroot}%{_sysconfdir}/selinux/%1/contexts/files/file_contexts.local \
|
|
touch %{buildroot}%{_sysconfdir}/selinux/%1/contexts/files/file_contexts.local.bin \
|
|
cp %{SOURCE30} %{buildroot}%{_sysconfdir}/selinux/%1 \
|
|
rm -f %{buildroot}%{_datadir}/selinux/%1/*pp* \
|
|
%{_bindir}/sha512sum %{buildroot}%{_sysconfdir}/selinux/%1/policy/policy.%{POLICYVER} | cut -d' ' -f 1 > %{buildroot}%{_sysconfdir}/selinux/%1/.policy.sha512; \
|
|
rm -rf %{buildroot}%{_sysconfdir}/selinux/%1/contexts/netfilter_contexts \
|
|
rm -rf %{buildroot}%{_sysconfdir}/selinux/%1/modules/active/policy.kern \
|
|
rm -f %{buildroot}%{_sharedstatedir}/selinux/%1/active/*.linked \
|
|
%nil
|
|
|
|
%define fileList() \
|
|
%defattr(-,root,root) \
|
|
%dir %{_sysconfdir}/selinux/%1 \
|
|
%config(noreplace) %{_sysconfdir}/selinux/%1/setrans.conf \
|
|
%config(noreplace) %verify(not md5 size mtime) %{_sysconfdir}/selinux/%1/seusers \
|
|
%dir %{_sysconfdir}/selinux/%1/logins \
|
|
%dir %{_sharedstatedir}/selinux/%1/active \
|
|
%verify(not md5 size mtime) %{_sharedstatedir}/selinux/%1/semanage.read.LOCK \
|
|
%verify(not md5 size mtime) %{_sharedstatedir}/selinux/%1/semanage.trans.LOCK \
|
|
%dir %attr(700,root,root) %dir %{_sharedstatedir}/selinux/%1/active/modules \
|
|
%verify(not md5 size mtime) %{_sharedstatedir}/selinux/%1/active/modules/100/base \
|
|
%dir %{_sysconfdir}/selinux/%1/policy/ \
|
|
%verify(not md5 size mtime) %{_sysconfdir}/selinux/%1/policy/policy.%{POLICYVER} \
|
|
%{_sysconfdir}/selinux/%1/.policy.sha512 \
|
|
%dir %{_sysconfdir}/selinux/%1/contexts \
|
|
%config %{_sysconfdir}/selinux/%1/contexts/customizable_types \
|
|
%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/securetty_types \
|
|
%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/dbus_contexts \
|
|
%config %{_sysconfdir}/selinux/%1/contexts/x_contexts \
|
|
%config %{_sysconfdir}/selinux/%1/contexts/default_contexts \
|
|
%config %{_sysconfdir}/selinux/%1/contexts/virtual_domain_context \
|
|
%config %{_sysconfdir}/selinux/%1/contexts/virtual_image_context \
|
|
%config %{_sysconfdir}/selinux/%1/contexts/lxc_contexts \
|
|
%config %{_sysconfdir}/selinux/%1/contexts/systemd_contexts \
|
|
%config %{_sysconfdir}/selinux/%1/contexts/sepgsql_contexts \
|
|
%config %{_sysconfdir}/selinux/%1/contexts/openssh_contexts \
|
|
%config %{_sysconfdir}/selinux/%1/contexts/snapperd_contexts \
|
|
%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/default_type \
|
|
%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/failsafe_context \
|
|
%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/initrc_context \
|
|
%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/removable_context \
|
|
%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/userhelper_context \
|
|
%dir %{_sysconfdir}/selinux/%1/contexts/files \
|
|
%verify(not md5 size mtime) %{_sysconfdir}/selinux/%1/contexts/files/file_contexts \
|
|
%ghost %{_sysconfdir}/selinux/%1/contexts/files/file_contexts.bin \
|
|
%verify(not md5 size mtime) %{_sysconfdir}/selinux/%1/contexts/files/file_contexts.homedirs \
|
|
%ghost %{_sysconfdir}/selinux/%1/contexts/files/file_contexts.homedirs.bin \
|
|
%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/files/file_contexts.local \
|
|
%ghost %{_sysconfdir}/selinux/%1/contexts/files/file_contexts.local.bin \
|
|
%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/files/file_contexts.subs \
|
|
%{_sysconfdir}/selinux/%1/contexts/files/file_contexts.subs_dist \
|
|
%{_sysconfdir}/selinux/%1/booleans.subs_dist \
|
|
%config %{_sysconfdir}/selinux/%1/contexts/files/media \
|
|
%dir %{_sysconfdir}/selinux/%1/contexts/users \
|
|
%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/users/root \
|
|
%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/users/guest_u \
|
|
%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/users/xguest_u \
|
|
%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/users/user_u \
|
|
%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/users/staff_u \
|
|
%dir %{_datadir}/selinux/%1 \
|
|
%{_datadir}/selinux/%1/base.lst \
|
|
%{_datadir}/selinux/%1/modules-base.lst \
|
|
%{_datadir}/selinux/%1/modules-contrib.lst \
|
|
%{_datadir}/selinux/%1/nonbasemodules.lst \
|
|
%dir %{_sharedstatedir}/selinux/%1 \
|
|
%verify(not md5 size mtime) %{_sharedstatedir}/selinux/%1/active/commit_num \
|
|
%verify(not md5 size mtime) %{_sharedstatedir}/selinux/%1/active/users_extra \
|
|
%verify(not md5 size mtime) %{_sharedstatedir}/selinux/%1/active/homedir_template \
|
|
%verify(not md5 size mtime) %{_sharedstatedir}/selinux/%1/active/seusers \
|
|
%verify(not md5 size mtime) %{_sharedstatedir}/selinux/%1/active/file_contexts \
|
|
%verify(not md5 size mtime) %{_sharedstatedir}/selinux/%1/active/policy.kern \
|
|
%ghost %{_sharedstatedir}/selinux/%1/active/policy.linked \
|
|
%ghost %{_sharedstatedir}/selinux/%1/active/seusers.linked \
|
|
%ghost %{_sharedstatedir}/selinux/%1/active/users_extra.linked \
|
|
%verify(not md5 size mtime) %{_sharedstatedir}/selinux/%1/active/file_contexts.homedirs \
|
|
%verify(not md5 size mtime) %{_sharedstatedir}/selinux/%1/active/modules_checksum \
|
|
%ghost %{_sharedstatedir}/selinux/%1/active/modules/400/extra_varrun \
|
|
%nil
|
|
|
|
%define relabel() \
|
|
if [ -s %{_sysconfdir}/selinux/config ]; then \
|
|
. %{_sysconfdir}/selinux/config &> /dev/null || true; \
|
|
fi; \
|
|
FILE_CONTEXT=%{_sysconfdir}/selinux/%1/contexts/files/file_contexts; \
|
|
if %{_sbindir}/selinuxenabled && [ "${SELINUXTYPE}" = %1 -a -f ${FILE_CONTEXT}.pre ]; then \
|
|
%{_sbindir}/fixfiles -C ${FILE_CONTEXT}.pre restore &> /dev/null > /dev/null; \
|
|
rm -f ${FILE_CONTEXT}.pre; \
|
|
fi; \
|
|
# rebuilding the rpm database still can sometimes result in an incorrect context \
|
|
%{_sbindir}/restorecon -R /usr/lib/sysimage/rpm \
|
|
if %{_sbindir}/restorecon -e /run/media -R /root /var/log /var/run /etc/passwd* /etc/group* /etc/*shadow* 2> /dev/null;then \
|
|
continue; \
|
|
fi;
|
|
|
|
%define preInstall() \
|
|
if [ $1 -ne 1 ] && [ -s %{_sysconfdir}/selinux/config ]; then \
|
|
for MOD_NAME in ganesha ipa_custodia kdbus; do \
|
|
if [ -d %{_sharedstatedir}/selinux/%1/active/modules/100/$MOD_NAME ]; then \
|
|
%{_sbindir}/semodule -n -d $MOD_NAME 2> /dev/null; \
|
|
fi; \
|
|
done; \
|
|
. %{_sysconfdir}/selinux/config; \
|
|
FILE_CONTEXT=%{_sysconfdir}/selinux/%1/contexts/files/file_contexts; \
|
|
if [ "${SELINUXTYPE}" = %1 -a -f ${FILE_CONTEXT} ]; then \
|
|
[ -f ${FILE_CONTEXT}.pre ] || cp -f ${FILE_CONTEXT} ${FILE_CONTEXT}.pre; \
|
|
fi; \
|
|
touch %{_sysconfdir}/selinux/%1/.rebuild; \
|
|
if [ -e %{_sysconfdir}/selinux/%1/.policy.sha512 ]; then \
|
|
POLICY_FILE=`ls %{_sysconfdir}/selinux/%1/policy/policy.* | sort | head -1` \
|
|
sha512=`sha512sum $POLICY_FILE | cut -d ' ' -f 1`; \
|
|
checksha512=`cat %{_sysconfdir}/selinux/%1/.policy.sha512`; \
|
|
if [ "$sha512" == "$checksha512" ] ; then \
|
|
rm %{_sysconfdir}/selinux/%1/.rebuild; \
|
|
fi; \
|
|
fi; \
|
|
fi;
|
|
|
|
%define postInstall() \
|
|
if [ -s %{_sysconfdir}/selinux/config ]; then \
|
|
. %{_sysconfdir}/selinux/config &> /dev/null || true; \
|
|
fi; \
|
|
if [ -e %{_sysconfdir}/selinux/%2/.rebuild ]; then \
|
|
rm %{_sysconfdir}/selinux/%2/.rebuild; \
|
|
fi; \
|
|
%{_sbindir}/semodule -B -n -s %2 2> /dev/null; \
|
|
[ "${SELINUXTYPE}" == "%2" ] && %{_sbindir}/selinuxenabled && load_policy; \
|
|
if [ %1 -eq 1 ]; then \
|
|
%{_sbindir}/restorecon -R /root /var/log /run /etc/passwd* /etc/group* /etc/*shadow* 2> /dev/null; \
|
|
else \
|
|
%relabel %2 \
|
|
fi;
|
|
|
|
%define modulesList() \
|
|
awk '$1 !~ "/^#/" && $2 == "=" && $3 == "module" { printf "%%s ", $1 }' ./policy/modules-base.conf > %{buildroot}%{_datadir}/selinux/%1/modules-base.lst \
|
|
awk '$1 !~ "/^#/" && $2 == "=" && $3 == "base" { printf "%%s ", $1 }' ./policy/modules-base.conf > %{buildroot}%{_datadir}/selinux/%1/base.lst \
|
|
if [ -e ./policy/modules-contrib.conf ];then \
|
|
awk '$1 !~ "/^#/" && $2 == "=" && $3 == "module" { printf "%%s ", $1 }' ./policy/modules-contrib.conf > %{buildroot}%{_datadir}/selinux/%1/modules-contrib.lst; \
|
|
fi;
|
|
|
|
%define nonBaseModulesList() \
|
|
contrib_modules=`cat %{buildroot}%{_datadir}/selinux/%1/modules-contrib.lst` \
|
|
base_modules=`cat %{buildroot}%{_datadir}/selinux/%1/modules-base.lst` \
|
|
for i in $contrib_modules $base_modules; do \
|
|
if [ $i != "sandbox" ];then \
|
|
echo "%verify(not md5 size mtime) %{_sharedstatedir}/selinux/%1/active/modules/100/$i" >> %{buildroot}%{_datadir}/selinux/%1/nonbasemodules.lst \
|
|
fi; \
|
|
done;
|
|
|
|
# Make sure the config is consistent with what packages are installed in the system
|
|
# this covers cases when system is installed with selinux-policy-{mls,minimal}
|
|
# or selinux-policy-{targeted,mls,minimal} where switched but the machine has not
|
|
# been rebooted yet.
|
|
# The macro should be called at the beginning of "post" (to make sure load_policy does not fail)
|
|
# and in "posttrans" (to make sure that the store is consistent when all package transitions are done)
|
|
# Parameter determines the policy type to be set in case of miss-configuration (if backup value is not usable)
|
|
# Steps:
|
|
# * load values from config and its backup
|
|
# * check whether SELINUXTYPE from backup is usable and make sure that it's set in the config if so
|
|
# * use "targeted" if it's being installed and BACKUP_SELINUXTYPE cannot be used
|
|
# * check whether SELINUXTYPE in the config is usable and change it to newly installed policy if it isn't
|
|
%define checkConfigConsistency() \
|
|
if [ -f %{_sysconfdir}/selinux/.config_backup ]; then \
|
|
. %{_sysconfdir}/selinux/.config_backup; \
|
|
else \
|
|
BACKUP_SELINUXTYPE=targeted; \
|
|
fi; \
|
|
if [ -s %{_sysconfdir}/selinux/config ]; then \
|
|
. %{_sysconfdir}/selinux/config; \
|
|
if ls %{_sysconfdir}/selinux/$BACKUP_SELINUXTYPE/policy/policy.* &>/dev/null; then \
|
|
if [ "$BACKUP_SELINUXTYPE" != "$SELINUXTYPE" ]; then \
|
|
sed -i 's/^SELINUXTYPE=.*/SELINUXTYPE='"$BACKUP_SELINUXTYPE"'/g' %{_sysconfdir}/selinux/config; \
|
|
fi; \
|
|
elif [ "%1" = "targeted" ]; then \
|
|
if [ "%1" != "$SELINUXTYPE" ]; then \
|
|
sed -i 's/^SELINUXTYPE=.*/SELINUXTYPE=%1/g' %{_sysconfdir}/selinux/config; \
|
|
fi; \
|
|
elif ! ls %{_sysconfdir}/selinux/$SELINUXTYPE/policy/policy.* &>/dev/null; then \
|
|
if [ "%1" != "$SELINUXTYPE" ]; then \
|
|
sed -i 's/^SELINUXTYPE=.*/SELINUXTYPE=%1/g' %{_sysconfdir}/selinux/config; \
|
|
fi; \
|
|
fi; \
|
|
fi;
|
|
|
|
# Create hidden backup of /etc/selinux/config and prepend BACKUP_ to names
|
|
# of variables inside so that they are easy to use later
|
|
# This should be done in "pretrans" because config content can change during RPM operations
|
|
# The macro has to be used in a script slot with "-p <lua>"
|
|
%define backupConfigLua() \
|
|
local sysconfdir = rpm.expand("%{_sysconfdir}") \
|
|
local config_file = sysconfdir .. "/selinux/config" \
|
|
local config_backup = sysconfdir .. "/selinux/.config_backup" \
|
|
os.remove(config_backup) \
|
|
if posix.stat(config_file) then \
|
|
local f = assert(io.open(config_file, "r"), "Failed to read " .. config_file) \
|
|
local content = f:read("*all") \
|
|
f:close() \
|
|
local backup = content:gsub("SELINUX", "BACKUP_SELINUX") \
|
|
local bf = assert(io.open(config_backup, "w"), "Failed to open " .. config_backup) \
|
|
bf:write(backup) \
|
|
bf:close() \
|
|
end
|
|
|
|
# Remove the local_varrun SELinux module
|
|
%define removeVarrunModule() \
|
|
if [ -r "%{_sharedstatedir}/selinux/%1/active/modules/400/extra_varrun/cil" ]; then \
|
|
%{_bindir}/rm -rf %{_sharedstatedir}/selinux/%1/active/modules/400/extra_varrun \
|
|
fi;
|
|
|
|
%define removeVarrunModuleLua() \
|
|
if posix.access ("%{_sharedstatedir}/selinux/%1/active/modules/400/extra_varrun/cil", "r") then \
|
|
os.execute ("%{_bindir}/rm -rf %{_sharedstatedir}/selinux/%1/active/modules/400/extra_varrun") \
|
|
end
|
|
|
|
%build
|
|
|
|
%prep
|
|
%autosetup -p 1 -n %{name}-%{commit}
|
|
tar -C policy/modules/contrib -xf %{SOURCE35}
|
|
|
|
mkdir selinux_config
|
|
for i in %{SOURCE1} %{SOURCE2} %{SOURCE3} %{SOURCE4} %{SOURCE5} %{SOURCE6} %{SOURCE8} %{SOURCE14} %{SOURCE15} %{SOURCE17} %{SOURCE18} %{SOURCE19} %{SOURCE20} %{SOURCE22} %{SOURCE23} %{SOURCE25} %{SOURCE26} %{SOURCE31} %{SOURCE32};do
|
|
cp $i selinux_config
|
|
done
|
|
|
|
%install
|
|
# Build targeted policy
|
|
%{__rm} -fR %{buildroot}
|
|
mkdir -p %{buildroot}%{_sysconfdir}/selinux
|
|
mkdir -p %{buildroot}%{_sysconfdir}/sysconfig
|
|
touch %{buildroot}%{_sysconfdir}/selinux/config
|
|
touch %{buildroot}%{_sysconfdir}/sysconfig/selinux
|
|
mkdir -p %{buildroot}%{_usr}/lib/tmpfiles.d/
|
|
cp %{SOURCE27} %{buildroot}%{_usr}/lib/tmpfiles.d/
|
|
mkdir -p %{buildroot}%{_bindir}
|
|
install -m 755 %{SOURCE33} %{buildroot}%{_bindir}/
|
|
mkdir -p %{buildroot}%{_libexecdir}/selinux
|
|
install -m 755 %{SOURCE37} %{buildroot}%{_libexecdir}/selinux
|
|
|
|
# Always create policy module package directories
|
|
mkdir -p %{buildroot}%{_datadir}/selinux/{targeted,mls,minimum,modules}/
|
|
mkdir -p %{buildroot}%{_sharedstatedir}/selinux/{targeted,mls,minimum,modules}/
|
|
|
|
mkdir -p %{buildroot}%{_datadir}/selinux/packages
|
|
|
|
# Install devel
|
|
make clean
|
|
%if %{BUILD_TARGETED}
|
|
# Build targeted policy
|
|
%makeCmds targeted mcs allow
|
|
%makeModulesConf targeted base contrib
|
|
%installCmds targeted mcs allow
|
|
# install permissivedomains.cil
|
|
%{_sbindir}/semodule -p %{buildroot} -X 100 -s targeted -i %{SOURCE28}
|
|
# recreate sandbox.pp
|
|
rm -rf %{buildroot}%{_sharedstatedir}/selinux/targeted/active/modules/100/sandbox
|
|
%make_build %common_params UNK_PERMS=allow NAME=targeted TYPE=mcs sandbox.pp
|
|
mv sandbox.pp %{buildroot}%{_datadir}/selinux/packages/sandbox.pp
|
|
%modulesList targeted
|
|
%nonBaseModulesList targeted
|
|
%endif
|
|
|
|
%if %{BUILD_MINIMUM}
|
|
# Build minimum policy
|
|
%makeCmds minimum mcs allow
|
|
%makeModulesConf targeted base contrib
|
|
%installCmds minimum mcs allow
|
|
rm -rf %{buildroot}%{_sharedstatedir}/selinux/minimum/active/modules/100/sandbox
|
|
%modulesList minimum
|
|
%nonBaseModulesList minimum
|
|
%endif
|
|
|
|
%if %{BUILD_MLS}
|
|
# Build mls policy
|
|
%makeCmds mls mls deny
|
|
%makeModulesConf mls base contrib
|
|
%installCmds mls mls deny
|
|
%modulesList mls
|
|
%nonBaseModulesList mls
|
|
%endif
|
|
|
|
# remove leftovers when save-previous=true (semanage.conf) is used
|
|
rm -rf %{buildroot}%{_sharedstatedir}/selinux/{minimum,targeted,mls}/previous
|
|
|
|
mkdir -p %{buildroot}%{_mandir}
|
|
cp -R man/* %{buildroot}%{_mandir}
|
|
make %common_params UNK_PERMS=allow NAME=targeted TYPE=mcs DESTDIR=%{buildroot} PKGNAME=%{name} install-docs
|
|
make %common_params UNK_PERMS=allow NAME=targeted TYPE=mcs DESTDIR=%{buildroot} PKGNAME=%{name} install-headers
|
|
mkdir %{buildroot}%{_datadir}/selinux/devel/
|
|
mv %{buildroot}%{_datadir}/selinux/targeted/include %{buildroot}%{_datadir}/selinux/devel/include
|
|
install -m 644 selinux_config/Makefile.devel %{buildroot}%{_datadir}/selinux/devel/Makefile
|
|
install -m 644 doc/example.* %{buildroot}%{_datadir}/selinux/devel/
|
|
install -m 644 doc/policy.* %{buildroot}%{_datadir}/selinux/devel/
|
|
%{_bindir}/sepolicy manpage -a -p %{buildroot}%{_datadir}/man/man8/ -w -r %{buildroot}
|
|
mkdir %{buildroot}%{_datadir}/selinux/devel/html
|
|
mv %{buildroot}%{_datadir}/man/man8/*.html %{buildroot}%{_datadir}/selinux/devel/html
|
|
mv %{buildroot}%{_datadir}/man/man8/style.css %{buildroot}%{_datadir}/selinux/devel/html
|
|
|
|
mkdir -p %{buildroot}%{_rpmconfigdir}/macros.d
|
|
install -m 644 %{SOURCE102} %{buildroot}%{_rpmconfigdir}/macros.d/macros.selinux-policy
|
|
sed -i 's/SELINUXPOLICYVERSION/%{version}/' %{buildroot}%{_rpmconfigdir}/macros.d/macros.selinux-policy
|
|
sed -i 's@SELINUXSTOREPATH@%{_sharedstatedir}/selinux@' %{buildroot}%{_rpmconfigdir}/macros.d/macros.selinux-policy
|
|
|
|
mkdir -p %{buildroot}%{_unitdir}
|
|
install -m 644 %{SOURCE36} %{buildroot}%{_unitdir}
|
|
|
|
rm -rf selinux_config
|
|
|
|
%post
|
|
%systemd_post selinux-check-proper-disable.service
|
|
if [ ! -s %{_sysconfdir}/selinux/config ]; then
|
|
#
|
|
# New install so we will default to targeted policy
|
|
#
|
|
echo "
|
|
# This file controls the state of SELinux on the system.
|
|
# SELINUX= can take one of these three values:
|
|
# enforcing - SELinux security policy is enforced.
|
|
# permissive - SELinux prints warnings instead of enforcing.
|
|
# disabled - No SELinux policy is loaded.
|
|
# See also:
|
|
# https://docs.fedoraproject.org/en-US/quick-docs/getting-started-with-selinux/#getting-started-with-selinux-selinux-states-and-modes
|
|
#
|
|
# NOTE: In earlier Fedora kernel builds, SELINUX=disabled would also
|
|
# fully disable SELinux during boot. If you need a system with SELinux
|
|
# fully disabled instead of SELinux running with no policy loaded, you
|
|
# need to pass selinux=0 to the kernel command line. You can use grubby
|
|
# to persistently set the bootloader to boot with selinux=0:
|
|
#
|
|
# grubby --update-kernel ALL --args selinux=0
|
|
#
|
|
# To revert back to SELinux enabled:
|
|
#
|
|
# grubby --update-kernel ALL --remove-args selinux
|
|
#
|
|
SELINUX=enforcing
|
|
# SELINUXTYPE= can take one of these three values:
|
|
# targeted - Targeted processes are protected,
|
|
# minimum - Modification of targeted policy. Only selected processes are protected.
|
|
# mls - Multi Level Security protection.
|
|
SELINUXTYPE=targeted
|
|
|
|
" > %{_sysconfdir}/selinux/config
|
|
|
|
ln -sf ../selinux/config %{_sysconfdir}/sysconfig/selinux
|
|
%{_sbindir}/restorecon %{_sysconfdir}/selinux/config 2> /dev/null || :
|
|
else
|
|
. %{_sysconfdir}/selinux/config
|
|
fi
|
|
exit 0
|
|
|
|
%preun
|
|
%systemd_preun selinux-check-proper-disable.service
|
|
|
|
%postun
|
|
%systemd_postun selinux-check-proper-disable.service
|
|
if [ $1 = 0 ]; then
|
|
%{_sbindir}/setenforce 0 2> /dev/null
|
|
if [ ! -s %{_sysconfdir}/selinux/config ]; then
|
|
echo "SELINUX=disabled" > %{_sysconfdir}/selinux/config
|
|
else
|
|
sed -i 's/^SELINUX=.*/SELINUX=disabled/g' %{_sysconfdir}/selinux/config
|
|
fi
|
|
fi
|
|
exit 0
|
|
|
|
%if %{BUILD_TARGETED}
|
|
%package targeted
|
|
Summary: SELinux targeted policy
|
|
Provides: selinux-policy-any = %{version}-%{release}
|
|
Obsoletes: selinux-policy-targeted-sources < 2
|
|
Requires(pre): policycoreutils >= %{POLICYCOREUTILSVER}
|
|
Requires(pre): coreutils
|
|
Requires(pre): selinux-policy = %{version}-%{release}
|
|
Requires: selinux-policy = %{version}-%{release}
|
|
Conflicts: audispd-plugins <= 1.7.7-1
|
|
Obsoletes: mod_fcgid-selinux <= %{version}-%{release}
|
|
Obsoletes: cachefilesd-selinux <= 0.10-1
|
|
Conflicts: seedit
|
|
Conflicts: 389-ds-base < 1.2.7, 389-admin < 1.1.12
|
|
Conflicts: container-selinux < 2:1.12.1-22
|
|
|
|
%description targeted
|
|
SELinux targeted policy package.
|
|
|
|
%pretrans targeted -p <lua>
|
|
%backupConfigLua
|
|
%removeVarrunModuleLua targeted
|
|
|
|
%pre targeted
|
|
%preInstall targeted
|
|
|
|
%post targeted
|
|
%checkConfigConsistency targeted
|
|
%postInstall $1 targeted
|
|
exit 0
|
|
|
|
%posttrans targeted
|
|
%checkConfigConsistency targeted
|
|
%{_libexecdir}/selinux/varrun-convert.sh targeted
|
|
%{_sbindir}/restorecon -Ri /usr/lib/sysimage/rpm /var/lib/rpm
|
|
|
|
%postun targeted
|
|
if [ $1 = 0 ]; then
|
|
if [ -s %{_sysconfdir}/selinux/config ]; then
|
|
source %{_sysconfdir}/selinux/config &> /dev/null || true
|
|
fi
|
|
if [ "$SELINUXTYPE" = "targeted" ]; then
|
|
%{_sbindir}/setenforce 0 2> /dev/null
|
|
if [ ! -s %{_sysconfdir}/selinux/config ]; then
|
|
echo "SELINUX=disabled" > %{_sysconfdir}/selinux/config
|
|
else
|
|
sed -i 's/^SELINUX=.*/SELINUX=disabled/g' %{_sysconfdir}/selinux/config
|
|
fi
|
|
fi
|
|
fi
|
|
exit 0
|
|
|
|
|
|
%triggerin -- pcre2
|
|
%{_sbindir}/selinuxenabled && %{_sbindir}/semodule -nB 2> /dev/null
|
|
exit 0
|
|
|
|
%triggerprein -- container-selinux
|
|
%removeVarrunModule targeted
|
|
exit 0
|
|
|
|
%triggerprein -- pcp-selinux
|
|
%removeVarrunModule targeted
|
|
exit 0
|
|
|
|
%triggerpostin -- container-selinux
|
|
%{_libexecdir}/selinux/varrun-convert.sh targeted
|
|
exit 0
|
|
|
|
%triggerpostin -- pcp-selinux
|
|
%{_libexecdir}/selinux/varrun-convert.sh targeted
|
|
exit 0
|
|
|
|
%triggerpostun -- selinux-policy-targeted < 3.12.1-74
|
|
rm -f %{_sysconfdir}/selinux/*/modules/active/modules/sandbox.pp.disabled 2>/dev/null
|
|
exit 0
|
|
|
|
%triggerpostun -- pcp-selinux
|
|
%{_libexecdir}/selinux/varrun-convert.sh targeted
|
|
exit 0
|
|
|
|
%triggerpostun -- container-selinux
|
|
%{_libexecdir}/selinux/varrun-convert.sh targeted
|
|
exit 0
|
|
|
|
%triggerpostun targeted -- selinux-policy-targeted < 3.13.1-138
|
|
CR=$'\n'
|
|
INPUT=""
|
|
for i in `find %{_sysconfdir}/selinux/targeted/modules/active/modules/ -name \*disabled`; do
|
|
module=`basename $i | sed 's/.pp.disabled//'`
|
|
if [ -d %{_sharedstatedir}/selinux/targeted/active/modules/100/$module ]; then
|
|
touch %{_sharedstatedir}/selinux/targeted/active/modules/disabled/$p
|
|
fi
|
|
done
|
|
for i in `find %{_sysconfdir}/selinux/targeted/modules/active/modules/ -name \*.pp`; do
|
|
INPUT="${INPUT}${CR}module -N -a $i"
|
|
done
|
|
for i in $(find %{_sysconfdir}/selinux/targeted/modules/active -name \*.local); do
|
|
cp $i %{_sharedstatedir}/selinux/targeted/active
|
|
done
|
|
echo "$INPUT" | %{_sbindir}/semanage import -S targeted -N
|
|
if %{_sbindir}/selinuxenabled ; then
|
|
%{_sbindir}/load_policy
|
|
fi
|
|
exit 0
|
|
|
|
%files targeted -f %{buildroot}%{_datadir}/selinux/targeted/nonbasemodules.lst
|
|
%config(noreplace) %{_sysconfdir}/selinux/targeted/contexts/users/unconfined_u
|
|
%config(noreplace) %{_sysconfdir}/selinux/targeted/contexts/users/sysadm_u
|
|
%fileList targeted
|
|
%verify(not md5 size mtime) %{_sharedstatedir}/selinux/targeted/active/modules/100/permissivedomains
|
|
%endif
|
|
|
|
%if %{BUILD_MINIMUM}
|
|
%package minimum
|
|
Summary: SELinux minimum policy
|
|
Provides: selinux-policy-any = %{version}-%{release}
|
|
Requires(post): policycoreutils-python-utils >= %{POLICYCOREUTILSVER}
|
|
Requires(pre): coreutils
|
|
Requires(pre): selinux-policy = %{version}-%{release}
|
|
Requires: selinux-policy = %{version}-%{release}
|
|
Conflicts: seedit
|
|
Conflicts: container-selinux <= 1.9.0-9
|
|
|
|
%description minimum
|
|
SELinux minimum policy package.
|
|
|
|
%pretrans minimum -p <lua>
|
|
%backupConfigLua
|
|
|
|
%pre minimum
%preInstall minimum
# $1 is the instance count after this transaction, so anything other than 1
# is an upgrade.  Record which modules are currently enabled in the minimum
# store (column 2 of the full module listing, skipping rows whose column 4
# says "disabled") so the post scriptlet can re-enable exactly those.
if [ "$1" -ne 1 ]; then
    %{_sbindir}/semodule -s minimum --list-modules=full \
        | awk '$4 != "disabled" { print $2 }' \
        > %{_datadir}/selinux/minimum/instmodules.lst
fi
|
|
|
|
%post minimum
# Rebuild the minimum store.  Every contrib module starts out disabled; the
# modules that must stay enabled -- the base set plus a few hard-coded ones on
# a fresh install, or the set recorded by the pre scriptlet on an upgrade --
# then get their "disabled" marker removed again.
%checkConfigConsistency minimum
contribpackages=$(cat %{_datadir}/selinux/minimum/modules-contrib.lst)
basepackages=$(cat %{_datadir}/selinux/minimum/modules-base.lst)
disableddir=%{_sharedstatedir}/selinux/minimum/active/modules/disabled
[ -d "$disableddir" ] || mkdir "$disableddir"
for p in $contribpackages; do
    touch "$disableddir/$p"
done
if [ "$1" -eq 1 ]; then
    keep="$basepackages"
else
    keep=$(cat %{_datadir}/selinux/minimum/instmodules.lst)
fi
for p in $keep apache dbus inetd kerberos mta nis; do
    rm -f "$disableddir/$p"
done
# stderr of semodule -B is discarded on purpose: libsemanage warns about
# file contexts it cannot preserve on filesystems without that support (e.g.
# container images), which is not fatal.  Note that this also hides genuine
# rebuild failures, and the scriptlet always exits 0.
if [ "$1" -eq 1 ]; then
    # Fresh install: map the default and root logins to unconfined_u.
    %{_sbindir}/semanage import -S minimum -f - << __eof
login -m -s unconfined_u -r s0-s0:c0.c1023 __default__
login -m -s unconfined_u -r s0-s0:c0.c1023 root
__eof
    %{_sbindir}/restorecon -R /root /var/log /var/run 2> /dev/null
    %{_sbindir}/semodule -B -s minimum 2> /dev/null
else
    %{_sbindir}/semodule -B -s minimum 2> /dev/null
    %relabel minimum
fi
exit 0
|
|
|
|
%posttrans minimum
%checkConfigConsistency minimum
# Runs once the whole transaction is done: re-run the varrun-convert helper
# for this store, then fix the labels of the rpm database.  restorecon -i
# ignores paths that do not exist, since only one of the two rpmdb locations
# is normally present.
%{_libexecdir}/selinux/varrun-convert.sh minimum
%{_sbindir}/restorecon -Ri /usr/lib/sysimage/rpm /var/lib/rpm
|
|
|
|
%postun minimum
# $1 is the number of instances left after this transaction; 0 means the
# package is being erased rather than upgraded.  If the minimum store was the
# configured policy type, switch to permissive mode immediately and mark
# SELinux disabled in the config file.
[ "$1" -eq 0 ] || exit 0
if [ -s %{_sysconfdir}/selinux/config ]; then
    # The config file is sourced as shell to pick up SELINUXTYPE; it is a
    # root-owned file, and errors are ignored.
    source %{_sysconfdir}/selinux/config &> /dev/null || true
fi
if [ "$SELINUXTYPE" = "minimum" ]; then
    %{_sbindir}/setenforce 0 2> /dev/null
    if [ -s %{_sysconfdir}/selinux/config ]; then
        sed -i 's/^SELINUX=.*/SELINUX=disabled/g' %{_sysconfdir}/selinux/config
    else
        echo "SELINUX=disabled" > %{_sysconfdir}/selinux/config
    fi
fi
exit 0
|
|
|
|
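%triggerpostun minimum -- selinux-policy-minimum < 3.13.1-138
# Fires after an upgrade from a selinux-policy-minimum older than 3.13.1-138,
# i.e. from a release that still kept its module store under
# /etc/selinux/minimum/modules/active.  Migrate that legacy store into the
# /var/lib/selinux/minimum store: reset the "disabled" markers, carry over the
# legacy ones, and queue the old .pp modules for a single semanage import.
disableddir=%{_sharedstatedir}/selinux/minimum/active/modules/disabled
# The old test was [ `ls -A dir` ]: it is only true when the directory holds
# exactly one entry (two or more produce a test(1) error, which counts as
# false), so the markers were usually left behind.  Also tolerate a missing
# directory.
if [ -n "$(ls -A "$disableddir" 2> /dev/null)" ]; then
    rm -f "$disableddir"/*
fi
mkdir -p "$disableddir"
CR=$'\n'
INPUT=""
for i in $(find %{_sysconfdir}/selinux/minimum/modules/active/modules/ -name \*disabled); do
    module=$(basename "$i" | sed 's/.pp.disabled//')
    if [ -d %{_sharedstatedir}/selinux/minimum/active/modules/100/"$module" ]; then
        # This used "$p", which is never set in this scriptlet, so the marker
        # was silently not created and modules disabled in the legacy store
        # were not marked disabled in the new one.
        touch "$disableddir/$module"
    fi
done
# One "module -N -a <file>" command per legacy module; -N defers the policy
# reload so the whole batch is rebuilt once by the import below.
for i in $(find %{_sysconfdir}/selinux/minimum/modules/active/modules/ -name \*.pp); do
    INPUT="${INPUT}${CR}module -N -a $i"
done
echo "$INPUT" | %{_sbindir}/semanage import -S minimum -N
# Only load the rebuilt policy into the kernel when SELinux is actually on.
if %{_sbindir}/selinuxenabled ; then
    %{_sbindir}/load_policy
fi
exit 0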
|
|
|
|
%files minimum -f %{buildroot}%{_datadir}/selinux/minimum/nonbasemodules.lst
|
|
%config(noreplace) %{_sysconfdir}/selinux/minimum/contexts/users/unconfined_u
|
|
%config(noreplace) %{_sysconfdir}/selinux/minimum/contexts/users/sysadm_u
|
|
%fileList minimum
|
|
%endif
|
|
|
|
%if %{BUILD_MLS}
|
|
%package mls
|
|
Summary: SELinux MLS policy
|
|
Provides: selinux-policy-any = %{version}-%{release}
|
|
Obsoletes: selinux-policy-mls-sources < 2
|
|
Requires: policycoreutils-newrole >= %{POLICYCOREUTILSVER} setransd
|
|
Requires(pre): policycoreutils >= %{POLICYCOREUTILSVER}
|
|
Requires(pre): coreutils
|
|
Requires(pre): selinux-policy = %{version}-%{release}
|
|
Requires: selinux-policy = %{version}-%{release}
|
|
Conflicts: seedit
|
|
Conflicts: container-selinux <= 1.9.0-9
|
|
|
|
%description mls
|
|
SELinux MLS (Multi Level Security) policy package.
|
|
|
|
%pretrans mls -p <lua>
-- Lua scriptlet: pretrans runs before the transaction, when no shell may be
-- installed yet.  The body comes from the shared backupConfigLua macro
-- defined earlier in the spec (presumably a backup of the SELinux config;
-- see the macro definition).
%backupConfigLua
|
|
|
|
%pre mls
# Shared pre-install steps for the mls store; the body is the preInstall
# macro defined earlier in the spec.
%preInstall mls
|
|
|
|
%post mls
%checkConfigConsistency mls
# $1 is the instance count after this transaction (1 on a fresh install);
# it is passed through to the shared postInstall macro, which presumably
# chooses between the first-install and upgrade paths with it -- see the
# macro definition earlier in the spec.
%postInstall $1 mls
exit 0
|
|
|
|
%posttrans mls
%checkConfigConsistency mls
# Runs once the whole transaction is done: re-run the varrun-convert helper
# for this store, then fix the labels of the rpm database.  restorecon -i
# ignores paths that do not exist, since only one of the two rpmdb locations
# is normally present.
%{_libexecdir}/selinux/varrun-convert.sh mls
%{_sbindir}/restorecon -Ri /usr/lib/sysimage/rpm /var/lib/rpm
|
|
|
|
%postun mls
# $1 is the number of instances left after this transaction; 0 means the
# package is being erased rather than upgraded.  If the mls store was the
# configured policy type, switch to permissive mode immediately and mark
# SELinux disabled in the config file.
[ "$1" -eq 0 ] || exit 0
if [ -s %{_sysconfdir}/selinux/config ]; then
    # The config file is sourced as shell to pick up SELINUXTYPE; it is a
    # root-owned file, and errors are ignored.
    source %{_sysconfdir}/selinux/config &> /dev/null || true
fi
if [ "$SELINUXTYPE" = "mls" ]; then
    %{_sbindir}/setenforce 0 2> /dev/null
    if [ -s %{_sysconfdir}/selinux/config ]; then
        sed -i 's/^SELINUX=.*/SELINUX=disabled/g' %{_sysconfdir}/selinux/config
    else
        echo "SELINUX=disabled" > %{_sysconfdir}/selinux/config
    fi
fi
exit 0
|
|
|
|
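%triggerpostun mls -- selinux-policy-mls < 3.13.1-138
# Fires after an upgrade from a selinux-policy-mls older than 3.13.1-138,
# i.e. from a release that still kept its module store under
# /etc/selinux/mls/modules/active.  Migrate that legacy store into the
# /var/lib/selinux/mls store: carry over the "disabled" markers and queue the
# old .pp modules for a single semanage import.
CR=$'\n'
INPUT=""
disableddir=%{_sharedstatedir}/selinux/mls/active/modules/disabled
# The marker directory is created by the post scriptlet of the new package,
# but do not rely on that ordering here.
mkdir -p "$disableddir"
for i in $(find %{_sysconfdir}/selinux/mls/modules/active/modules/ -name \*disabled); do
    module=$(basename "$i" | sed 's/.pp.disabled//')
    if [ -d %{_sharedstatedir}/selinux/mls/active/modules/100/"$module" ]; then
        # This used "$p", which is never set in this scriptlet, so the marker
        # was silently not created and modules disabled in the legacy store
        # were not marked disabled in the new one.
        touch "$disableddir/$module"
    fi
done
# One "module -N -a <file>" command per legacy module; -N defers the policy
# reload so the whole batch is rebuilt once by the import below.
for i in $(find %{_sysconfdir}/selinux/mls/modules/active/modules/ -name \*.pp); do
    INPUT="${INPUT}${CR}module -N -a $i"
done
echo "$INPUT" | %{_sbindir}/semanage import -S mls -N
# Only load the rebuilt policy into the kernel when SELinux is actually on.
if %{_sbindir}/selinuxenabled ; then
    %{_sbindir}/load_policy
fi
exit 0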
|
|
|
|
|
|
%files mls -f %{buildroot}%{_datadir}/selinux/mls/nonbasemodules.lst
|
|
%config(noreplace) %{_sysconfdir}/selinux/mls/contexts/users/unconfined_u
|
|
%fileList mls
|
|
%endif
|
|
|
|
%changelog
|
|
* Mon Aug 26 2024 Zdenek Pytela <zpytela@redhat.com> - 40.13.9-1
|
|
- Allow virtqemud relabelfrom also for file and sock_file
|
|
Resolves: RHEL-49763
|
|
- Allow virtqemud relabel user tmp files and socket files
|
|
Resolves: RHEL-49763
|
|
- Update virtqemud policy for libguestfs usage
|
|
Resolves: RHEL-49763
|
|
- Label /run/libvirt/qemu/channel with virtqemud_var_run_t
|
|
Resolves: RHEL-47274
|
|
|
|
* Tue Aug 13 2024 Zdenek Pytela <zpytela@redhat.com> - 40.13.8-1
|
|
- Add virt_create_log() and virt_write_log() interfaces
|
|
Resolves: RHEL-47274
|
|
- Update libvirt policy
|
|
Resolves: RHEL-45464
|
|
Resolves: RHEL-49763
|
|
- Allow svirt_tcg_t map svirt_image_t files
|
|
Resolves: RHEL-47274
|
|
- Allow svirt_tcg_t read vm sysctls
|
|
Resolves: RHEL-47274
|
|
- Additional updates to the stalld policy for bpf usage
|
|
Resolves: RHEL-50356
|
|
|
|
* Thu Aug 08 2024 Zdenek Pytela <zpytela@redhat.com> - 40.13.7-1
|
|
- Add the swtpm.if interface file for interactions with other domains
|
|
Resolves: RHEL-47274
|
|
- Allow virtproxyd create and use its private tmp files
|
|
Resolves: RHEL-40499
|
|
- Allow virtproxyd read network state
|
|
Resolves: RHEL-40499
|
|
- Allow virtqemud domain transition on swtpm execution
|
|
Resolves: RHEL-47274
|
|
Resolves: RHEL-49763
|
|
- Allow virtqemud relabel virt_var_run_t directories
|
|
Resolves: RHEL-47274
|
|
Resolves: RHEL-45464
|
|
Resolves: RHEL-49763
|
|
- Allow virtqemud domain transition on passt execution
|
|
Resolves: RHEL-45464
|
|
- Allow virt_driver_domain create and use log files in /var/log
|
|
Resolves: RHEL-40239
|
|
- Allow virt_driver_domain connect to systemd-userdbd over a unix socket
|
|
Resolves: RHEL-44932
|
|
Resolves: RHEL-44898
|
|
- Update stalld policy for bpf usage
|
|
Resolves: RHEL-50356
|
|
- Allow boothd connect to systemd-userdbd over a unix socket
|
|
Resolves: RHEL-45907
|
|
- Allow linuxptp configure phc2sys and chronyd over a unix domain socket
|
|
Resolves: RHEL-46011
|
|
- Allow systemd-machined manage runtime sockets
|
|
Resolves: RHEL-49567
|
|
- Allow ip command write to ipsec's logs
|
|
Resolves: RHEL-41222
|
|
- Allow init_t nnp domain transition to firewalld_t
|
|
Resolves: RHEL-52481
|
|
- Update qatlib policy for v24.02 with new features
|
|
Resolves: RHEL-50377
|
|
- Allow postfix_domain map postfix_etc_t files
|
|
Resolves: RHEL-46327
|
|
|
|
* Thu Jul 25 2024 Zdenek Pytela <zpytela@redhat.com> - 40.13.6-1
|
|
- Allow virtnodedevd run udev with a domain transition
|
|
Resolves: RHEL-39890
|
|
- Allow virtnodedev_t create and use virtnodedev_lock_t
|
|
Resolves: RHEL-39890
|
|
- Allow svirt attach_queue to a virtqemud tun_socket
|
|
Resolves: RHEL-44312
|
|
- Label /run/systemd/machine with systemd_machined_var_run_t
|
|
Resolves: RHEL-49567
|
|
- Allow to create and delete socket files created by rhsm.service
|
|
|
|
* Tue Jul 16 2024 Zdenek Pytela <zpytela@redhat.com> - 40.13.5-1
|
|
- Allow to create and delete socket files created by rhsm.service
|
|
Resolves: RHEL-40857
|
|
- Allow svirt read virtqemud fifo files
|
|
Resolves: RHEL-40350
|
|
- Allow virt_dbus_t connect to virtqemud_t over a unix stream socket
|
|
Resolves: RHEL-37822
|
|
- Allow virtqemud read virt-dbus process state
|
|
Resolves: RHEL-37822
|
|
- Allow virtqemud run ssh client with a transition
|
|
Resolves: RHEL-43215
|
|
- Allow virtnetworkd exec shell when virt_hooks_unconfined is on
|
|
Resolves: RHEL-41168
|
|
- Allow NetworkManager the sys_ptrace capability in user namespace
|
|
Resolves: RHEL-46717
|
|
- Update keyutils policy
|
|
Resolves: RHEL-38920
|
|
- Allow ip the setexec permission
|
|
Resolves: RHEL-41182
|
|
|
|
* Fri Jun 28 2024 Zdenek Pytela <zpytela@redhat.com> - 40.13.4-1
|
|
- Confine libvirt-dbus
|
|
Resolves: RHEL-37822
|
|
- Allow sssd create and use io_uring
|
|
Resolves: RHEL-43448
|
|
- Allow virtqemud the kill capability in user namespace
|
|
Resolves: RHEL-44996
|
|
- Allow login_userdomain execute systemd-tmpfiles in the caller domain
|
|
Resolves: RHEL-44191
|
|
- Allow virtqemud read vm sysctls
|
|
Resolves: RHEL-40938
|
|
- Allow svirt_t read vm sysctls
|
|
Resolves: RHEL-40938
|
|
- Allow rshim get options of the netlink class for KOBJECT_UEVENT family
|
|
Resolves: RHEL-40859
|
|
- Allow systemd-hostnamed read the vsock device
|
|
Resolves: RHEL-45309
|
|
- Allow systemd (PID 1) manage systemd conf files
|
|
Resolves: RHEL-45304
|
|
- Allow journald read systemd config files and directories
|
|
Resolves: RHEL-45304
|
|
- Allow systemd_domain read systemd_conf_t dirs
|
|
Resolves: RHEL-45304
|
|
- Label systemd configuration files with systemd_conf_t
|
|
Resolves: RHEL-45304
|
|
- Allow dhcpcd the kill capability
|
|
Resolves: RHEL-43417
|
|
- Add support for libvirt hooks
|
|
Resolves: RHEL-41168
|
|
|
|
* Mon Jun 24 2024 Troy Dawson <tdawson@redhat.com> - 40.13.3-2
|
|
- Bump release for June 2024 mass rebuild
|
|
|
|
* Tue Jun 18 2024 Zdenek Pytela <zpytela@redhat.com> - 40.13.3-1
|
|
- Allow virtqemud manage nfs files when virt_use_nfs boolean is on
|
|
Resolves: RHEL-40205
|
|
- Allow virt_driver_domain read files labeled unconfined_t
|
|
Resolves: RHEL-40262
|
|
- Allow virt_driver_domain dbus chat with policykit
|
|
Resolves: RHEL-40346
|
|
- Escape "interface" as a file name in a virt filetrans pattern
|
|
Resolves: RHEL-34769
|
|
- Allow setroubleshootd get attributes of all sysctls
|
|
Resolves: RHEL-40923
|
|
- Allow qemu-ga read vm sysctls
|
|
Resolves: RHEL-40829
|
|
- Allow sbd to trace processes in user namespace
|
|
Resolves: RHEL-39989
|
|
- Allow request-key execute scripts
|
|
Resolves: RHEL-38920
|
|
- Update policy for haproxyd
|
|
Resolves: RHEL-40877
|
|
|
|
* Fri Jun 07 2024 Zdenek Pytela <zpytela@redhat.com> - 40.13.2-1
|
|
- Allow all domains read and write z90crypt device
|
|
Resolves: RHEL-28539
|
|
- Allow dhcpc read /run/netns files
|
|
Resolves: RHEL-39510
|
|
- Allow bootupd search efivarfs dirs
|
|
Resolves: RHEL-39514
|
|
|
|
* Fri May 17 2024 Zdenek Pytela <zpytela@redhat.com> - 40.13.1-1
|
|
- Allow logwatch read logind sessions files
|
|
Resolves: RHEL-30441
|
|
- Allow sulogin relabel tty1
|
|
Resolves: RHEL-30440
|
|
- Dontaudit sulogin the checkpoint_restore capability
|
|
Resolves: RHEL-30440
|
|
- Allow postfix smtpd map aliases file
|
|
Resolves: RHEL-35544
|
|
- Ensure dbus communication is allowed bidirectionally
|
|
Resolves: RHEL-35783
|
|
- Allow various services read and write z90crypt device
|
|
Resolves: RHEL-28539
|
|
- Allow dhcpcd use unix_stream_socket
|
|
Resolves: RHEL-33081
|
|
- Allow xdm_t to watch and watch_reads mount_var_run_t
|
|
Resolves: RHEL-36073
|
|
- Allow plymouthd log during shutdown
|
|
Resolves: RHEL-30455
|
|
- Update rpm configuration for the /var/run equivalency change
|
|
Resolves: RHEL-36094
|
|
|
|
* Mon Feb 12 2024 Zdenek Pytela <zpytela@redhat.com> - 40.13-1
|
|
- Only allow confined user domains to login locally without unconfined_login
|
|
- Add userdom_spec_domtrans_confined_admin_users interface
|
|
- Only allow admindomain to execute shell via ssh with ssh_sysadm_login
|
|
- Add userdom_spec_domtrans_admin_users interface
|
|
- Move ssh dyntrans to unconfined inside unconfined_login tunable policy
|
|
- Update ssh_role_template() for user ssh-agent type
|
|
- Allow init to inherit system DBus file descriptors
|
|
- Allow init to inherit fds from syslogd
|
|
- Allow any domain to inherit fds from rpm-ostree
|
|
- Update afterburn policy
|
|
- Allow init_t nnp domain transition to abrtd_t
|
|
|
|
* Tue Feb 06 2024 Zdenek Pytela <zpytela@redhat.com> - 40.12-1
|
|
- Rename all /var/lock file context entries to /run/lock
|
|
- Rename all /var/run file context entries to /run
|
|
- Invert the "/var/run = /run" equivalency
|
|
|
|
* Mon Feb 05 2024 Zdenek Pytela <zpytela@redhat.com> - 40.11-1
|
|
- Replace init domtrans rule for confined users to allow exec init
|
|
- Update dbus_role_template() to allow user service status
|
|
- Allow polkit status all systemd services
|
|
- Allow setroubleshootd create and use inherited io_uring
|
|
- Allow load_policy read and write generic ptys
|
|
- Allow gpg manage rpm cache
|
|
- Allow login_userdomain name_bind to howl and xmsg udp ports
|
|
- Allow rules for confined users logged in plasma
|
|
- Label /dev/iommu with iommu_device_t
|
|
- Remove duplicate file context entries in /run
|
|
- Dontaudit getty and plymouth the checkpoint_restore capability
|
|
- Allow su domains write login records
|
|
- Revert "Allow su domains write login records"
|
|
- Allow login_userdomain delete session dbusd tmp socket files
|
|
- Allow unix dgram sendto between exim processes
|
|
- Allow su domains write login records
|
|
- Allow smbd_t to watch user_home_dir_t if samba_enable_home_dirs is on
|
|
|
|
* Wed Jan 24 2024 Zdenek Pytela <zpytela@redhat.com> - 40.10-1
|
|
- Allow chronyd-restricted read chronyd key files
|
|
- Allow conntrackd_t to use bpf capability2
|
|
- Allow systemd-networkd manage its runtime socket files
|
|
- Allow init_t nnp domain transition to colord_t
|
|
- Allow polkit status systemd services
|
|
- nova: Fix duplicate declarations
|
|
- Allow httpd work with PrivateTmp
|
|
- Add interfaces for watching and reading ifconfig_var_run_t
|
|
- Allow collectd read raw fixed disk device
|
|
- Allow collectd read udev pid files
|
|
- Set correct label on /etc/pki/pki-tomcat/kra
|
|
- Allow systemd domains watch system dbus pid socket files
|
|
- Allow certmonger read network sysctls
|
|
- Allow mdadm list stratisd data directories
|
|
- Allow syslog to run unconfined scripts conditionally
|
|
- Allow syslogd_t nnp_transition to syslogd_unconfined_script_t
|
|
- Allow qatlib set attributes of vfio device files
|
|
|
|
* Tue Jan 09 2024 Zdenek Pytela <zpytela@redhat.com> - 40.9-1
|
|
- Allow systemd-sleep set attributes of efivarfs files
|
|
- Allow samba-dcerpcd read public files
|
|
- Allow spamd_update_t the sys_ptrace capability in user namespace
|
|
- Allow bluetooth devices work with alsa
|
|
- Allow alsa get attributes filesystems with extended attributes
|
|
|
|
* Tue Jan 02 2024 Yaakov Selkowitz <yselkowi@redhat.com> - 40.8-2
|
|
- Limit %%selinux_requires to version, not release
|
|
|
|
* Thu Dec 21 2023 Zdenek Pytela <zpytela@redhat.com> - 40.8-1
|
|
- Allow hypervkvp_t write access to NetworkManager_etc_rw_t
|
|
- Add interface for write-only access to NetworkManager rw conf
|
|
- Allow systemd-sleep send a message to syslog over a unix dgram socket
|
|
- Allow init create and use netlink netfilter socket
|
|
- Allow qatlib load kernel modules
|
|
- Allow qatlib run lspci
|
|
- Allow qatlib manage its private runtime socket files
|
|
- Allow qatlib read/write vfio devices
|
|
- Label /etc/redis.conf with redis_conf_t
|
|
- Remove the lockdown-class rules from the policy
|
|
- Allow init read all non-security socket files
|
|
- Replace redundant dnsmasq pattern macros
|
|
- Remove unneeded symlink perms in dnsmasq.if
|
|
- Add additions to dnsmasq interface
|
|
- Allow nvme_stas_t create and use netlink kobject uevent socket
|
|
- Allow collectd connect to statsd port
|
|
- Allow keepalived_t to use sys_ptrace of cap_userns
|
|
- Allow dovecot_auth_t connect to postgresql using UNIX socket
|
|
|
|
* Wed Dec 13 2023 Zdenek Pytela <zpytela@redhat.com> - 40.7-1
|
|
- Make named_zone_t and named_var_run_t a part of the mountpoint attribute
|
|
- Allow sysadm execute traceroute in sysadm_t domain using sudo
|
|
- Allow sysadm execute tcpdump in sysadm_t domain using sudo
|
|
- Allow opafm search nfs directories
|
|
- Add support for syslogd unconfined scripts
|
|
- Allow gpsd use /dev/gnss devices
|
|
- Allow gpg read rpm cache
|
|
- Allow virtqemud additional permissions
|
|
- Allow virtqemud manage its private lock files
|
|
- Allow virtqemud use the io_uring api
|
|
- Allow ddclient send e-mail notifications
|
|
- Allow postfix_master_t map postfix data files
|
|
- Allow init create and use vsock sockets
|
|
- Allow thumb_t append to init unix domain stream sockets
|
|
- Label /dev/vas with vas_device_t
|
|
- Change domain_kernel_load_modules boolean to true
|
|
- Create interface selinux_watch_config and add it to SELinux users
|
|
|
|
* Tue Nov 28 2023 Zdenek Pytela <zpytela@redhat.com> - 40.6-1
|
|
- Add afterburn to modules-targeted-contrib.conf
|
|
- Update cifs interfaces to include fs_search_auto_mountpoints()
|
|
- Allow sudodomain read var auth files
|
|
- Allow spamd_update_t read hardware state information
|
|
- Allow virtnetworkd domain transition on tc command execution
|
|
- Allow sendmail MTA connect to sendmail LDA
|
|
- Allow auditd read all domains process state
|
|
- Allow rsync read network sysctls
|
|
- Add dhcpcd bpf capability to run bpf programs
|
|
- Dontaudit systemd-hwdb dac_override capability
|
|
- Allow systemd-sleep create efivarfs files
|
|
|
|
* Tue Nov 14 2023 Zdenek Pytela <zpytela@redhat.com> - 40.5-1
|
|
- Allow map xserver_tmpfs_t files when xserver_clients_write_xshm is on
|
|
- Allow graphical applications work in Wayland
|
|
- Allow kdump work with PrivateTmp
|
|
- Allow dovecot-auth work with PrivateTmp
|
|
- Allow nfsd get attributes of all filesystems
|
|
- Allow unconfined_domain_type use io_uring cmd on domain
|
|
- ci: Only run Rawhide revdeps tests on the rawhide branch
|
|
- Label /var/run/auditd.state as auditd_var_run_t
|
|
- Allow fido-device-onboard (FDO) read the crack database
|
|
- Allow ip an explicit domain transition to other domains
|
|
- Label /usr/libexec/selinux/selinux-autorelabel with semanage_exec_t
|
|
- Allow winbind_rpcd_t processes access when samba_export_all_* is on
|
|
- Enable NetworkManager and dhclient to use initramfs-configured DHCP connection
|
|
- Allow ntp to bind and connect to ntske port.
|
|
- Allow system_mail_t manage exim spool files and dirs
|
|
- Dontaudit keepalived setattr on keepalived_unconfined_script_exec_t
|
|
- Label /run/pcsd.socket with cluster_var_run_t
|
|
- ci: Run cockpit tests in PRs
|
|
|
|
* Thu Oct 19 2023 Zdenek Pytela <zpytela@redhat.com> - 40.4-1
|
|
- Add map_read map_write to kernel_prog_run_bpf
|
|
- Allow systemd-fstab-generator read all symlinks
|
|
- Allow systemd-fstab-generator the dac_override capability
|
|
- Allow rpcbind read network sysctls
|
|
- Support using systemd containers
|
|
- Allow sysadm_t to connect to iscsid using a unix domain stream socket
|
|
- Add policy for coreos installer
|
|
- Add coreos_installer to modules-targeted-contrib.conf
|
|
|
|
* Tue Oct 17 2023 Zdenek Pytela <zpytela@redhat.com> - 40.3-1
|
|
- Add policy for nvme-stas
|
|
- Confine systemd fstab,sysv,rc-local
|
|
- Label /etc/aliases.lmdb with etc_aliases_t
|
|
- Create policy for afterburn
|
|
- Add nvme_stas to modules-targeted-contrib.conf
|
|
- Add plans/tests.fmf
|
|
|
|
* Tue Oct 10 2023 Zdenek Pytela <zpytela@redhat.com> - 40.2-1
|
|
- Add the virt_supplementary module to modules-targeted-contrib.conf
|
|
- Make new virt drivers permissive
|
|
- Split virt policy, introduce virt_supplementary module
|
|
- Allow apcupsd cgi scripts read /sys
|
|
- Merge pull request #1893 from WOnder93/more-early-boot-overlay-fixes
|
|
- Allow kernel_t to manage and relabel all files
|
|
- Add missing optional_policy() to files_relabel_all_files()
|
|
|
|
* Tue Oct 03 2023 Zdenek Pytela <zpytela@redhat.com> - 40.1-1
|
|
- Allow named and ndc use the io_uring api
|
|
- Deprecate common_anon_inode_perms usage
|
|
- Improve default file context(None) of /var/lib/authselect/backups
|
|
- Allow udev_t to search all directories with a filesystem type
|
|
- Implement proper anon_inode support
|
|
- Allow targetd write to the syslog pid sock_file
|
|
- Add ipa_pki_retrieve_key_exec() interface
|
|
- Allow kdumpctl_t to list all directories with a filesystem type
|
|
- Allow udev additional permissions
|
|
- Allow udev load kernel module
|
|
- Allow sysadm_t to mmap modules_object_t files
|
|
- Add the unconfined_read_files() and unconfined_list_dirs() interfaces
|
|
- Set default file context of HOME_DIR/tmp/.* to <<none>>
|
|
- Allow kernel_generic_helper_t to execute mount(1)
|
|
|
|
* Fri Sep 29 2023 Zdenek Pytela <zpytela@redhat.com> - 38.29-1
|
|
- Allow sssd send SIGKILL to passkey_child running in ipa_otpd_t
|
|
- Allow systemd-localed create Xserver config dirs
|
|
- Allow sssd read symlinks in /etc/sssd
|
|
- Label /dev/gnss[0-9] with gnss_device_t
|
|
- Allow systemd-sleep read/write efivarfs variables
|
|
- ci: Fix version number of packit generated srpms
|
|
- Dontaudit rhsmcertd write memory device
|
|
- Allow ssh_agent_type create a sockfile in /run/user/USERID
|
|
- Set default file context of /var/lib/authselect/backups to <<none>>
|
|
- Allow prosody read network sysctls
|
|
- Allow cupsd_t to use bpf capability
|
|
|
|
* Fri Sep 15 2023 Zdenek Pytela <zpytela@redhat.com> - 38.28-1
|
|
- Allow sssd domain transition on passkey_child execution conditionally
|
|
- Allow login_userdomain watch lnk_files in /usr
|
|
- Allow login_userdomain watch video4linux devices
|
|
- Change systemd-network-generator transition to include class file
|
|
- Revert "Change file transition for systemd-network-generator"
|
|
- Allow nm-dispatcher winbind plugin read/write samba var files
|
|
- Allow systemd-networkd write to cgroup files
|
|
- Allow kdump create and use its memfd: objects
|
|
|
|
* Thu Aug 31 2023 Zdenek Pytela <zpytela@redhat.com> - 38.27-1
|
|
- Allow fedora-third-party get generic filesystem attributes
|
|
- Allow sssd use usb devices conditionally
|
|
- Update policy for qatlib
|
|
- Allow ssh_agent_type manage generic cache home files
|
|
|
|
* Thu Aug 24 2023 Zdenek Pytela <zpytela@redhat.com> - 38.26-1
|
|
- Change file transition for systemd-network-generator
|
|
- Additional support for gnome-initial-setup
|
|
- Update gnome-initial-setup policy for geoclue
|
|
- Allow openconnect vpn open vhost net device
|
|
- Allow cifs.upcall to connect to SSSD also through the /var/run socket
|
|
- Grant cifs.upcall more required capabilities
|
|
- Allow xenstored map xenfs files
|
|
- Update policy for fdo
|
|
- Allow keepalived watch var_run dirs
|
|
- Allow svirt to rw /dev/udmabuf
|
|
- Allow qatlib to modify hardware state information.
|
|
- Allow key.dns_resolve connect to avahi over a unix stream socket
|
|
- Allow key.dns_resolve create and use unix datagram socket
|
|
- Use quay.io as the container image source for CI
|
|
|
|
* Fri Aug 11 2023 Zdenek Pytela <zpytela@redhat.com> - 38.25-1
|
|
- ci: Move srpm/rpm build to packit
|
|
- .copr: Avoid subshell and changing directory
|
|
- Allow gpsd, oddjob and oddjob_mkhomedir_t write user_tty_device_t chr_file
|
|
- Label /usr/libexec/openssh/ssh-pkcs11-helper with ssh_agent_exec_t
|
|
- Make insights_client_t an unconfined domain
|
|
- Allow insights-client manage user temporary files
|
|
- Allow insights-client create all rpm logs with a correct label
|
|
- Allow insights-client manage generic logs
|
|
- Allow cloud_init create dhclient var files and init_t manage net_conf_t
|
|
- Allow insights-client read and write cluster tmpfs files
|
|
- Allow ipsec read nsfs files
|
|
- Make tuned work with mls policy
|
|
- Remove nsplugin_role from mozilla.if
|
|
- Allow mon_procd_t self:cap_userns sys_ptrace
|
|
- Allow pdns name_bind and name_connect all ports
|
|
- Set the MLS range of fsdaemon_t to s0 - mls_systemhigh
|
|
- ci: Move to actions/checkout@v3 version
|
|
- .copr: Replace chown call with standard workflow safe.directory setting
|
|
- .copr: Enable `set -u` for robustness
|
|
- .copr: Simplify root directory variable
|
|
|
|
* Fri Aug 04 2023 Zdenek Pytela <zpytela@redhat.com> - 38.24-1
|
|
- Allow rhsmcertd dbus chat with policykit
|
|
- Allow polkitd execute pkla-check-authorization with nnp transition
|
|
- Allow user_u and staff_u get attributes of non-security dirs
|
|
- Allow unconfined user filetrans chrome_sandbox_home_t
|
|
- Allow svnserve execute postdrop with a transition
|
|
- Do not make postfix_postdrop_t type an MTA executable file
|
|
- Allow samba-dcerpc service manage samba tmp files
|
|
- Add use_nfs_home_dirs boolean for mozilla_plugin
|
|
- Fix labeling for no-stub-resolv.conf
|
|
|
|
* Wed Aug 02 2023 Zdenek Pytela <zpytela@redhat.com> - 38.23-1
|
|
- Revert "Allow winbind-rpcd use its private tmp files"
|
|
- Allow upsmon execute upsmon via a helper script
|
|
- Allow openconnect vpn read/write inherited vhost net device
|
|
- Allow winbind-rpcd use its private tmp files
|
|
- Update samba-dcerpc policy for printing
|
|
- Allow gpsd,oddjob,oddjob_mkhomedir rw user domain pty
|
|
- Allow nscd watch system db dirs
|
|
- Allow qatlib to read sssd public files
|
|
- Allow fedora-third-party read /sys and proc
|
|
- Allow systemd-gpt-generator mount a tmpfs filesystem
|
|
- Allow journald write to cgroup files
|
|
- Allow rpc.mountd read network sysctls
|
|
- Allow blueman read the contents of the sysfs filesystem
|
|
- Allow logrotate_t to map generic files in /etc
|
|
- Boolean: Allow virt_qemu_ga create ssh directory
|
|
|
|
* Tue Jul 25 2023 Zdenek Pytela <zpytela@redhat.com> - 38.22-1
|
|
- Allow systemd-network-generator send system log messages
|
|
- Dontaudit the execute permission on sock_file globally
|
|
- Allow fsadm_t the file mounton permission
|
|
- Allow named and ndc the io_uring sqpoll permission
|
|
- Allow sssd io_uring sqpoll permission
|
|
- Fix location for /run/nsd
|
|
- Allow qemu-ga get fixed disk devices attributes
|
|
- Update bitlbee policy
|
|
- Label /usr/sbin/sos with sosreport_exec_t
|
|
- Update policy for the sblim-sfcb service
|
|
- Add the files_getattr_non_auth_dirs() interface
|
|
- Fix the CI to work with DNF5
|
|
|
|
* Sat Jul 22 2023 Fedora Release Engineering <releng@fedoraproject.org> - 38.21-2
|
|
- Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild
|
|
|
|
* Thu Jul 13 2023 Zdenek Pytela <zpytela@redhat.com> - 38.21-1
|
|
- Make systemd_tmpfiles_t MLS trusted for lowering the level of files
|
|
- Revert "Allow insights client map cache_home_t"
|
|
- Allow nfsidmapd connect to systemd-machined over a unix socket
|
|
- Allow snapperd connect to kernel over a unix domain stream socket
|
|
- Allow virt_qemu_ga_t create .ssh dir with correct label
|
|
- Allow targetd read network sysctls
|
|
- Set the abrt_handle_event boolean to on
|
|
- Permit kernel_t to change the user identity in object contexts
|
|
- Allow insights client map cache_home_t
|
|
- Label /usr/sbin/mariadbd with mysqld_exec_t
|
|
- Trim changelog so that it starts at F37 time
|
|
- Define equivalency for /run/systemd/generator.early
|
|
|
|
* Thu Jun 29 2023 Zdenek Pytela <zpytela@redhat.com> - 38.20-1
|
|
- Allow httpd tcp connect to redis port conditionally
|
|
- Label only /usr/sbin/ripd and ripngd with zebra_exec_t
|
|
- Dontaudit aide the execmem permission
|
|
- Remove permissive from fdo
|
|
- Allow sa-update manage spamc home files
|
|
- Allow sa-update connect to systemlog services
|
|
- Label /usr/lib/systemd/system/mimedefang.service with antivirus_unit_file_t
|
|
- Allow nsd_crond_t write nsd_var_run_t & connectto nsd_t
|
|
- Allow bootupd search EFI directory
|
|
|
|
* Tue Jun 27 2023 Zdenek Pytela <zpytela@redhat.com> - 38.19-1
|
|
- Change init_audit_control default value to true
|
|
- Allow nfsidmapd connect to systemd-userdbd with a unix socket
|
|
- Add the qatlib module
|
|
- Add the fdo module
|
|
- Add the bootupd module
|
|
- Set default ports for keylime policy
|
|
- Create policy for qatlib
|
|
- Add policy for FIDO Device Onboard
|
|
- Add policy for bootupd
|
|
- Add the qatlib module
|
|
- Add the fdo module
|
|
- Add the bootupd module
|
|
|
|
* Sun Jun 25 2023 Zdenek Pytela <zpytela@redhat.com> - 38.18-1
|
|
- Add support for kafs-dns requested by keyutils
|
|
- Allow insights-client execmem
|
|
- Add support for chronyd-restricted
|
|
- Add init_explicit_domain() interface
|
|
- Allow fsadm_t to get attributes of cgroup filesystems
|
|
- Add list_dir_perms to kerberos_read_keytab
|
|
- Label /var/run/tmpfiles.d/static-nodes.conf with kmod_var_run_t
|
|
- Allow sendmail manage its runtime files
|
|
- Allow keyutils_dns_resolver_exec_t be an entrypoint
|
|
- Allow collectd_t read network state symlinks
|
|
- Revert "Allow collectd_t read proc_net link files"
|
|
- Allow nfsd_t to list exports_t dirs
|
|
- Allow cupsd dbus chat with xdm
|
|
- Allow haproxy read hardware state information
|
|
- Add the kafs module
|
|
|
|
* Thu Jun 15 2023 Zdenek Pytela <zpytela@redhat.com> - 38.17-1
|
|
- Label /dev/userfaultfd with userfaultfd_t
|
|
- Allow blueman send general signals to unprivileged user domains
|
|
- Allow dkim-milter domain transition to sendmail
|
|
- Label /usr/sbin/cifs.idmap with cifs_helper_exec_t
|
|
- Allow cifs-helper read sssd kerberos configuration files
|
|
- Allow rpm_t sys_admin capability
|
|
- Allow dovecot_deliver_t create/map dovecot_spool_t dir/file
|
|
- Allow collectd_t read proc_net link files
|
|
- Allow insights-client getsession process permission
|
|
- Allow insights-client work with pipe and socket tmp files
|
|
- Allow insights-client map generic log files
|
|
- Update cyrus_stream_connect() to use sockets in /run
|
|
- Allow keyutils-dns-resolver read/view kernel key ring
|
|
- Label /var/log/kdump.log with kdump_log_t
|
|
|
|
* Fri Jun 09 2023 Zdenek Pytela <zpytela@redhat.com> - 38.16-1
|
|
- Add support for the systemd-pstore service
|
|
- Allow kdumpctl_t to execmem
|
|
- Update sendmail policy module for opensmtpd
|
|
- Allow nagios-mail-plugin exec postfix master
|
|
- Allow subscription-manager execute ip
|
|
- Allow ssh client connect with a user dbus instance
|
|
- Add support for ksshaskpass
|
|
- Allow rhsmcertd file transition in /run also for socket files
|
|
- Allow keyutils_dns_resolver_t execute keyutils_dns_resolver_exec_t
|
|
- Allow plymouthd read/write X server miscellaneous devices
|
|
- Allow systemd-sleep read udev pid files
|
|
- Allow exim read network sysctls
|
|
- Allow sendmail request load module
|
|
- Allow named map its conf files
|
|
- Allow squid map its cache files
|
|
- Allow NetworkManager_dispatcher_dhclient_t to execute shells without a domain transition
|
|
|
|
* Tue May 30 2023 Zdenek Pytela <zpytela@redhat.com> - 38.15-1
|
|
- Update policy for systemd-sleep
|
|
- Remove permissive domain for rshim_t
|
|
- Remove permissive domain for mptcpd_t
|
|
- Allow systemd-bootchartd the sys_ptrace userns capability
|
|
- Allow sysadm_t read nsfs files
|
|
- Allow sysadm_t run kernel bpf programs
|
|
- Update ssh_role_template for ssh-agent
|
|
- Update ssh_role_template to allow read/write unallocated ttys
|
|
- Add the booth module to modules.conf
|
|
- Allow firewalld rw ica_tmpfs_t files
|
|
|
|
* Fri May 26 2023 Zdenek Pytela <zpytela@redhat.com> - 38.14-1
|
|
- Remove permissive domain for cifs_helper_t
|
|
- Update the cifs-helper policy
|
|
- Replace cifsutils_helper_domtrans() with keyutils_request_domtrans_to()
|
|
- Update pkcsslotd policy for sandboxing
|
|
- Allow abrt_t read kernel persistent storage files
|
|
- Dontaudit targetd search httpd config dirs
|
|
- Allow init_t nnp domain transition to policykit_t
|
|
- Allow rpcd_lsad setcap and use generic ptys
|
|
- Allow samba-dcerpcd connect to systemd_machined over a unix socket
|
|
- Allow wireguard to rw network sysctls
|
|
- Add policy for boothd
|
|
- Allow kernel to manage its own BPF objects
|
|
- Label /usr/lib/systemd/system/proftpd.* & vsftpd.* with ftpd_unit_file_t
|
|
|
|
* Mon May 22 2023 Zdenek Pytela <zpytela@redhat.com> - 38.13-1
|
|
- Add initial policy for cifs-helper
|
|
- Label key.dns_resolver with keyutils_dns_resolver_exec_t
|
|
- Allow unconfined_service_t to create .gnupg labeled as gpg_secret_t
|
|
- Allow some systemd services write to cgroup files
|
|
- Allow NetworkManager_dispatcher_dhclient_t to read the DHCP configuration files
|
|
- Allow systemd resolved to bind to arbitrary nodes
|
|
- Allow plymouthd_t bpf capability to run bpf programs
|
|
- Allow cupsd to create samba_var_t files
|
|
- Allow rhsmcert request the kernel to load a module
|
|
- Allow virsh name_connect virt_port_t
|
|
- Allow certmonger manage cluster library files
|
|
- Allow plymouthd read init process state
|
|
- Add chromium_sandbox_t setcap capability
|
|
- Allow snmpd read raw disk data
|
|
- Allow samba-rpcd work with passwords
|
|
- Allow unconfined service inherit signal state from init
|
|
- Allow cloud-init manage gpg admin home content
|
|
- Allow cluster_t dbus chat with various services
|
|
- Allow nfsidmapd work with systemd-userdbd and sssd
|
|
- Allow unconfined_domain_type use IORING_OP_URING_CMD on all device nodes
|
|
- Allow plymouthd map dri and framebuffer devices
|
|
- Allow rpmdb_migrate execute rpmdb
|
|
- Allow logrotate dbus chat with systemd-hostnamed
|
|
- Allow icecast connect to kernel using a unix stream socket
|
|
- Allow lldpad connect to systemd-userdbd over a unix socket
|
|
- Allow journalctl open user domain ptys and ttys
|
|
- Allow keepalived to manage its tmp files
|
|
- Allow ftpd read network sysctls
|
|
- Label /run/bgpd with zebra_var_run_t
|
|
- Allow gssproxy read network sysctls
|
|
- Add the cifsutils module
|
|
|
|
* Tue Apr 25 2023 Zdenek Pytela <zpytela@redhat.com> - 38.12-1
|
|
- Allow telnetd read network sysctls
|
|
- Allow munin system plugin read generic SSL certificates
|
|
- Allow munin system plugin create and use netlink generic socket
|
|
- Allow login_userdomain create user namespaces
|
|
- Allow request-key to send syslog messages
|
|
- Allow request-key to read/view any key
|
|
- Add fs_delete_pstore_files() interface
|
|
- Allow insights-client work with teamdctl
|
|
- Allow insights-client read unconfined service semaphores
|
|
- Allow insights-client get quotas of all filesystems
|
|
- Add fs_read_pstore_files() interface
|
|
- Allow generic kernel helper to read inherited kernel pipes
|
|
|
|
* Fri Apr 14 2023 Zdenek Pytela <zpytela@redhat.com> - 38.11-1
|
|
- Allow dovecot-deliver write to the main process runtime fifo files
|
|
- Allow dmidecode write to cloud-init tmp files
|
|
- Allow chronyd send a message to cloud-init over a datagram socket
|
|
- Allow cloud-init domain transition to insights-client domain
|
|
- Allow mongodb read filesystem sysctls
|
|
- Allow mongodb read network sysctls
|
|
- Allow accounts-daemon read generic systemd unit lnk files
|
|
- Allow blueman watch generic device dirs
|
|
- Allow nm-dispatcher tlp plugin create tlp dirs
|
|
- Allow systemd-coredump mounton /usr
|
|
- Allow rabbitmq to read network sysctls
|
|
|
|
* Tue Apr 04 2023 Zdenek Pytela <zpytela@redhat.com> - 38.10-1
|
|
- Allow certmonger dbus chat with the cron system domain
|
|
- Allow geoclue read network sysctls
|
|
- Allow geoclue watch the /etc directory
|
|
- Allow logwatch_mail_t read network sysctls
|
|
- Allow insights-client read all sysctls
|
|
- Allow passt manage qemu pid sock files
|
|
|
|
* Fri Mar 24 2023 Zdenek Pytela <zpytela@redhat.com> - 38.9-1
|
|
- Allow sssd read accountsd fifo files
|
|
- Add support for the passt_t domain
|
|
- Allow virtd_t and svirt_t work with passt
|
|
- Add new interfaces in the virt module
|
|
- Add passt interfaces defined conditionally
|
|
- Allow tshark the setsched capability
|
|
- Allow poweroff create connections to system dbus
|
|
- Allow wg load kernel modules, search debugfs dir
|
|
- Boolean: allow qemu-ga manage ssh home directory
|
|
- Label smtpd with sendmail_exec_t
|
|
- Label msmtp and msmtpd with sendmail_exec_t
|
|
- Allow dovecot to map files in /var/spool/dovecot
|
|
|
|
* Fri Mar 03 2023 Zdenek Pytela <zpytela@redhat.com> - 38.8-1
|
|
- Confine gnome-initial-setup
|
|
- Allow qemu-guest-agent create and use vsock socket
|
|
- Allow login_pgm setcap permission
|
|
- Allow chronyc read network sysctls
|
|
- Enhancement of the /usr/sbin/request-key helper policy
|
|
- Fix opencryptoki file names in /dev/shm
|
|
- Allow system_cronjob_t transition to rpm_script_t
|
|
- Revert "Allow system_cronjob_t domtrans to rpm_script_t"
|
|
- Add tunable to allow squid bind snmp port
|
|
- Allow staff_t getattr init pid chr & blk files and read krb5
|
|
- Allow firewalld to rw z90crypt device
|
|
- Allow httpd work with tokens in /dev/shm
|
|
- Allow svirt to map svirt_image_t char files
|
|
- Allow sysadm_t run initrc_t script and sysadm_r role access
|
|
- Allow insights-client manage fsadm pid files
|
|
|
|
* Wed Feb 08 2023 Zdenek Pytela <zpytela@redhat.com> - 38.7-1
|
|
- Allowing snapper to create snapshots of /home/ subvolume/partition
|
|
- Add boolean qemu-ga to run unconfined script
|
|
- Label systemd-journald feature LogNamespace
|
|
- Add none file context for polyinstantiated tmp dirs
|
|
- Allow certmonger read the contents of the sysfs filesystem
|
|
- Add journalctl the sys_resource capability
|
|
- Allow nm-dispatcher plugins read generic files in /proc
|
|
- Add initial policy for the /usr/sbin/request-key helper
|
|
- Additional support for rpmdb_migrate
|
|
- Add the keyutils module
|
|
|
|
* Mon Jan 30 2023 Zdenek Pytela <zpytela@redhat.com> - 38.6-1
|
|
- Boolean: allow qemu-ga read ssh home directory
|
|
- Allow kernel_t to read/write all sockets
|
|
- Allow kernel_t to UNIX-stream connect to all domains
|
|
- Allow systemd-resolved send a datagram to journald
|
|
- Allow kernel_t to manage and have "execute" access to all files
|
|
- Fix the files_manage_all_files() interface
|
|
- Allow rshim bpf cap2 and read sssd public files
|
|
- Allow insights-client work with su and lpstat
|
|
- Allow insights-client tcp connect to all ports
|
|
- Allow nm-cloud-setup dispatcher plugin restart nm services
|
|
- Allow unconfined user filetransition for sudo log files
|
|
- Allow modemmanager create hardware state information files
|
|
- Allow ModemManager all permissions for netlink route socket
|
|
- Allow wg to send msg to kernel, write to syslog and dbus connections
|
|
- Allow hostname_t to read network sysctls.
|
|
- Dontaudit ftpd the execmem permission
|
|
- Allow svirt request the kernel to load a module
|
|
- Allow icecast rename its log files
|
|
- Allow upsd to send signal to itself
|
|
- Allow wireguard to create udp sockets and read net_conf
|
|
- Use '%autosetup' instead of '%setup'
|
|
- Pass -p 1 to '%autosetup'
|
|
|
|
* Sat Jan 21 2023 Fedora Release Engineering <releng@fedoraproject.org> - 38.5-2
|
|
- Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild
|
|
|
|
* Fri Jan 13 2023 Zdenek Pytela <zpytela@redhat.com> - 38.5-1
|
|
- Allow insights client work with gluster and pcp
|
|
- Add insights additional capabilities
|
|
- Add interfaces in domain, files, and unconfined modules
|
|
- Label fwupdoffline and fwupd-detect-cet with fwupd_exec_t
|
|
- Allow sudodomain use sudo.log as a logfile
|
|
- Allow pdns server map its library files and bind to unreserved ports
|
|
- Allow sysadm_t read/write ipmi devices
|
|
- Allow prosody manage its runtime socket files
|
|
- Allow kernel threads manage kernel keys
|
|
- Allow systemd-userdbd the sys_resource capability
|
|
- Allow systemd-journal list cgroup directories
|
|
- Allow apcupsd dbus chat with systemd-logind
|
|
- Allow nut_domain manage also files and sock_files in /var/run
|
|
- Allow winbind-rpcd make a TCP connection to the ldap port
|
|
- Label /usr/lib/rpm/rpmdb_migrate with rpmdb_exec_t
|
|
- Allow tlp read generic SSL certificates
|
|
- Allow systemd-resolved watch tmpfs directories
|
|
- Revert "Allow systemd-resolved watch tmpfs directories"
|
|
|
|
* Mon Dec 19 2022 Zdenek Pytela <zpytela@redhat.com> - 38.4-1
|
|
- Allow NetworkManager and wpa_supplicant the bpf capability
|
|
- Allow systemd-rfkill the bpf capability
|
|
- Allow winbind-rpcd manage samba_share_t files and dirs
|
|
- Label /var/lib/httpd/md(/.*)? with httpd_sys_rw_content_t
|
|
- Allow gpsd the sys_ptrace userns capability
|
|
- Introduce gpsd_tmp_t for sockfiles managed by gpsd_t
|
|
- Allow load_policy_t write to unallocated ttys
|
|
- Allow ndc read hardware state information
|
|
- Allow system mail service read inherited certmonger runtime files
|
|
- Add lpr_roles to system_r roles
|
|
- Revert "Allow insights-client run lpr and allow the proper role"
|
|
- Allow stalld to read /sys/kernel/security/lockdown file
|
|
- Allow keepalived to set resource limits
|
|
- Add policy for mptcpd
|
|
- Add policy for rshim
|
|
- Allow admin users to create user namespaces
|
|
- Allow journalctl relabel with var_log_t and syslogd_var_run_t files
|
|
- Do not run restorecon /etc/NetworkManager/dispatcher.d in targeted
|
|
- Trim changelog so that it starts at F35 time
|
|
- Add mptcpd and rshim modules
|
|
|
|
* Wed Dec 14 2022 Zdenek Pytela <zpytela@redhat.com> - 38.3-1
|
|
- Allow insights-client dbus chat with various services
|
|
- Allow insights-client tcp connect to various ports
|
|
- Allow insights-client run lpr and allow the proper role
|
|
- Allow insights-client work with pcp and manage user config files
|
|
- Allow redis get user names
|
|
- Allow kernel threads to use fds from all domains
|
|
- Allow systemd-modules-load load kernel modules
|
|
- Allow login_userdomain watch systemd-passwd pid dirs
|
|
- Allow insights-client dbus chat with abrt
|
|
- Grant kernel_t certain permissions in the system class
|
|
- Allow systemd-resolved watch tmpfs directories
|
|
- Allow systemd-timedated watch init runtime dir
|
|
- Make `bootc` be `install_exec_t`
|
|
- Allow systemd-coredump create user_namespace
|
|
- Allow syslog the setpcap capability
|
|
- Dontaudit virtlogd and dnsmasq execmem
|
|
|
|
* Tue Dec 06 2022 Zdenek Pytela <zpytela@redhat.com> - 38.2-1
|
|
- Don't make kernel_t an unconfined domain
|
|
- Don't allow kernel_t to execute bin_t/usr_t binaries without a transition
|
|
- Allow kernel_t to execute systemctl to do a poweroff/reboot
|
|
- Grant basic permissions to the domain created by systemd_systemctl_domain()
|
|
- Allow kernel_t to request module loading
|
|
- Allow kernel_t to do compute_create
|
|
- Allow kernel_t to manage perf events
|
|
- Grant almost all capabilities to kernel_t
|
|
- Allow kernel_t to fully manage all devices
|
|
- Revert "In domain_transition_pattern there is no permission allowing caller domain to execu_no_trans on entrypoint, this patch fixing this issue"
|
|
- Allow pulseaudio to write to session_dbusd tmp socket files
|
|
- Allow systemd and unconfined_domain_type create user_namespace
|
|
- Add the user_namespace security class
|
|
- Reuse tmpfs_t also for the ramfs filesystem
|
|
- Label udf tools with fsadm_exec_t
|
|
- Allow networkmanager_dispatcher_plugin work with nscd
|
|
- Watch_sb all file type directories.
|
|
- Allow spamc read hardware state information files
|
|
- Allow sysadm read ipmi devices
|
|
- Allow insights client communicate with cupsd, mysqld, openvswitch, redis
|
|
- Allow insights client read raw memory devices
|
|
- Allow the spamd_update_t domain get generic filesystem attributes
|
|
- Dontaudit systemd-gpt-generator the sys_admin capability
|
|
- Allow ipsec_t only read tpm devices
|
|
- Allow cups-pdf connect to the system log service
|
|
- Allow postfix/smtpd read kerberos key table
|
|
- Allow syslogd read network sysctls
|
|
- Allow cdcc mmap dcc-client-map files
|
|
- Add watch and watch_sb dosfs interface
|
|
|
|
* Mon Nov 21 2022 Zdenek Pytela <zpytela@redhat.com> - 38.1-1
|
|
- Revert "Allow sysadm_t read raw memory devices"
|
|
- Allow systemd-socket-proxyd get attributes of cgroup filesystems
|
|
- Allow rpc.gssd read network sysctls
|
|
- Allow winbind-rpcd get attributes of device and pty filesystems
|
|
- Allow insights-client domain transition on semanage execution
|
|
- Allow insights-client create gluster log dir with a transition
|
|
- Allow insights-client manage generic locks
|
|
- Allow insights-client unix_read all domain semaphores
|
|
- Add domain_unix_read_all_semaphores() interface
|
|
- Allow winbind-rpcd use the terminal multiplexor
|
|
- Allow mrtg send mails
|
|
- Allow systemd-hostnamed dbus chat with init scripts
|
|
- Allow sssd dbus chat with system cronjobs
|
|
- Add interface to watch all filesystems
|
|
- Add watch_sb interfaces
|
|
- Add watch interfaces
|
|
- Allow dhcpd bpf capability to run bpf programs
|
|
- Allow netutils and traceroute bpf capability to run bpf programs
|
|
- Allow pkcs_slotd_t bpf capability to run bpf programs
|
|
- Allow xdm bpf capability to run bpf programs
|
|
- Allow pcscd bpf capability to run bpf programs
|
|
- Allow lldpad bpf capability to run bpf programs
|
|
- Allow keepalived bpf capability to run bpf programs
|
|
- Allow ipsec bpf capability to run bpf programs
|
|
- Allow fprintd bpf capability to run bpf programs
|
|
- Allow systemd-socket-proxyd get filesystems attributes
|
|
- Allow dirsrv_snmp_t to manage dirsrv_config_t & dirsrv_var_run_t files
|
|
|
|
* Mon Oct 31 2022 Zdenek Pytela <zpytela@redhat.com> - 37.14-1
|
|
- Allow rotatelogs read httpd_log_t symlinks
|
|
- Add winbind-rpcd to samba_enable_home_dirs boolean
|
|
- Allow system cronjobs dbus chat with setroubleshoot
|
|
- Allow setroubleshootd read device sysctls
|
|
- Allow virt_domain read device sysctls
|
|
- Allow rhcd compute selinux access vector
|
|
- Allow insights-client manage samba var dirs
|
|
- Label ports 10161-10162 tcp/udp with snmp
|
|
- Allow aide to connect to systemd_machined with a unix socket.
|
|
- Allow samba-dcerpcd use NSCD services over a unix stream socket
|
|
- Allow vlock search the contents of the /dev/pts directory
|
|
- Allow insights-client send null signal to rpm and system cronjob
|
|
- Label port 15354/tcp and 15354/udp with opendnssec
|
|
- Allow ftpd map ftpd_var_run files
|
|
- Allow targetclid to manage tmp files
|
|
- Allow insights-client connect to postgresql with a unix socket
|
|
- Allow insights-client domtrans on unix_chkpwd execution
|
|
- Add file context entries for insights-client and rhc
|
|
- Allow pulseaudio create gnome content (~/.config)
|
|
- Allow login_userdomain dbus chat with rhsmcertd
|
|
- Allow sbd the sys_ptrace capability
|
|
- Allow ptp4l_t name_bind ptp_event_port_t
|
|
|
|
* Mon Oct 03 2022 Zdenek Pytela <zpytela@redhat.com> - 37.13-1
|
|
- Remove the ipa module
|
|
- Allow sss daemons read/write unnamed pipes of cloud-init
|
|
- Allow postfix_mailqueue create and use unix dgram sockets
|
|
- Allow xdm watch user home directories
|
|
- Allow nm-dispatcher ddclient plugin load a kernel module
|
|
- Stop ignoring standalone interface files
|
|
- Drop cockpit module
|
|
- Allow init map its private tmp files
|
|
- Allow xenstored change its hard resource limits
|
|
- Allow system_mail_t read network sysctls
|
|
- Add bgpd sys_chroot capability
|
|
|
|
* Thu Sep 22 2022 Zdenek Pytela <zpytela@redhat.com> - 37.12-1
|
|
- nut-upsd: kernel_read_system_state, fs_getattr_cgroup
|
|
- Add numad the ipc_owner capability
|
|
- Allow gst-plugin-scanner read virtual memory sysctls
|
|
- Allow init read/write inherited user fifo files
|
|
- Update dnssec-trigger policy: setsched, module_request
|
|
- added policy for systemd-socket-proxyd
|
|
- Add the new 'cmd' permission to the 'io_uring' class
|
|
- Allow winbind-rpcd read and write its key ring
|
|
- Label /run/NetworkManager/no-stub-resolv.conf net_conf_t
|
|
- blueman-mechanism can read ~/.local/lib/python*/site-packages directory
|
|
- pidof executed by abrt can readlink /proc/*/exe
|
|
- Fix typo in comment
|
|
- Do not run restorecon /etc/NetworkManager/dispatcher.d in mls and minimum
|
|
|
|
* Wed Sep 14 2022 Zdenek Pytela <zpytela@redhat.com> - 37.11-1
|
|
- Allow tor get filesystem attributes
|
|
- Allow utempter append to login_userdomain stream
|
|
- Allow login_userdomain accept a stream connection to XDM
|
|
- Allow login_userdomain write to boltd named pipes
|
|
- Allow staff_u and user_u users write to bolt pipe
|
|
- Allow login_userdomain watch various directories
|
|
- Update rhcd policy for executing additional commands 5
|
|
- Update rhcd policy for executing additional commands 4
|
|
- Allow rhcd create rpm hawkey logs with correct label
|
|
- Allow systemd-gpt-auto-generator to check for empty dirs
|
|
- Update rhcd policy for executing additional commands 3
|
|
- Allow journalctl read rhcd fifo files
|
|
- Update insights-client policy for additional commands execution 5
|
|
- Allow init remount all file_type filesystems
|
|
- Confine insights-client systemd unit
|
|
- Update insights-client policy for additional commands execution 4
|
|
- Allow pcp pmcd search tracefs and acct_data dirs
|
|
- Allow httpd read network sysctls
|
|
- Dontaudit domain map permission on directories
|
|
- Revert "Allow X userdomains to mmap user_fonts_cache_t dirs"
|
|
- Revert "Allow xdm_t domain to mmap /var/lib/gdm/.cache/fontconfig BZ(1725509)"
|
|
- Update insights-client policy for additional commands execution 3
|
|
- Allow systemd permissions needed for sandboxed services
|
|
- Add rhcd module
|
|
- Make dependency on rpm-plugin-selinux unordered
|
|
|
|
* Fri Sep 02 2022 Zdenek Pytela <zpytela@redhat.com> - 37.10-1
|
|
- Allow ipsec_t read/write tpm devices
|
|
- Allow rhcd execute all executables
|
|
- Update rhcd policy for executing additional commands 2
|
|
- Update insights-client policy for additional commands execution 2
|
|
- Allow sysadm_t read raw memory devices
|
|
- Allow chronyd send and receive chronyd/ntp client packets
|
|
- Allow ssh client read kerberos homedir config files
|
|
- Label /var/log/rhc-worker-playbook with rhcd_var_log_t
|
|
- Update insights-client policy (auditctl, gpg, journal)
|
|
- Allow system_cronjob_t domtrans to rpm_script_t
|
|
- Allow smbd_t process noatsecure permission for winbind_rpcd_t
|
|
- Update tor_bind_all_unreserved_ports interface
|
|
- Allow chronyd bind UDP sockets to ptp_event ports.
|
|
- Allow unconfined and sysadm users transition for /root/.gnupg
|
|
- Add gpg_filetrans_admin_home_content() interface
|
|
- Update rhcd policy for executing additional commands
|
|
- Update insights-client policy for additional commands execution
|
|
- Add userdom_view_all_users_keys() interface
|
|
- Allow gpg read and write generic pty type
|
|
- Allow chronyc read and write generic pty type
|
|
- Allow system_dbusd ioctl kernel with a unix stream sockets
|
|
- Allow samba-bgqd to read a printer list
|
|
- Allow stalld get and set scheduling policy of all domains.
|
|
- Allow unconfined_t transition to targetclid_home_t
|
|
|
|
* Thu Aug 11 2022 Zdenek Pytela <zpytela@redhat.com> - 37.9-1
|
|
- Allow nm-dispatcher custom plugin dbus chat with nm
|
|
- Allow nm-dispatcher sendmail plugin get status of systemd services
|
|
- Allow xdm read the kernel key ring
|
|
- Allow login_userdomain check status of mount units
|
|
- Allow postfix/smtp and postfix/virtual read kerberos key table
|
|
- Allow services execute systemd-notify
|
|
- Do not allow login_userdomain use sd_notify()
|
|
- Allow launch-xenstored read filesystem sysctls
|
|
- Allow systemd-modules-load write to /dev/kmsg and send a message to syslogd
|
|
- Allow openvswitch fsetid capability
|
|
- Allow openvswitch use its private tmpfs files and dirs
|
|
- Allow openvswitch search tracefs dirs
|
|
- Allow pmdalinux read files on an nfsd filesystem
|
|
- Allow winbind-rpcd write to winbind pid files
|
|
- Allow networkmanager to signal unconfined process
|
|
- Allow systemd_hostnamed label /run/systemd/* as hostnamed_etc_t
|
|
- Allow samba-bgqd get a printer list
|
|
- fix(init.fc): Fix section description
|
|
- Allow fedora-third-party read the passwords file
|
|
- Remove permissive domain for rhcd_t
|
|
- Allow pmie read network state information and network sysctls
|
|
- Revert "Dontaudit domain the fowner capability"
|
|
- Allow sysadm_t to run bpftool on the userdomain attribute
|
|
- Add the userdom_prog_run_bpf_userdomain() interface
|
|
- Allow insights-client rpm named file transitions
|
|
- Add /var/tmp/insights-archive to insights_client_filetrans_named_content
|
|
|
|
* Mon Aug 01 2022 Zdenek Pytela <zpytela@redhat.com> - 37.8-1
|
|
- Allow sa-update to get init status and start systemd files
|
|
- Use insights_client_filetrans_named_content
|
|
- Make default file context match with named transitions
|
|
- Allow nm-dispatcher tlp plugin send system log messages
|
|
- Allow nm-dispatcher tlp plugin create and use unix_dgram_socket
|
|
- Add permissions to manage lnk_files into gnome_manage_home_config
|
|
- Allow rhsmcertd to read insights config files
|
|
- Label /etc/insights-client/machine-id
|
|
- fix(devices.fc): Replace single quote in comment to solve parsing issues
|
|
- Make NetworkManager_dispatcher_custom_t an unconfined domain
|
|
|
|
* Sat Jul 23 2022 Fedora Release Engineering <releng@fedoraproject.org> - 37.7-2
|
|
- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild
|
|
|
|
* Thu Jul 14 2022 Zdenek Pytela <zpytela@redhat.com> - 37.7-1
|
|
- Update winbind_rpcd_t
|
|
- Allow some domains use sd_notify()
|
|
- Revert "Allow rabbitmq to use systemd notify"
|
|
- fix(sedoctool.py): Fix syntax warning: "is not" with a literal
|
|
- Allow nm-dispatcher console plugin manage etc files
|
|
- Allow networkmanager_dispatcher_plugin list NetworkManager_etc_t dirs
|
|
- Allow nm-dispatcher console plugin setfscreate
|
|
- Support using systemd-update-helper in rpm scriptlets
|
|
- Allow nm-dispatcher winbind plugin read samba config files
|
|
- Allow domain use userfaultfd over all domains
|
|
- Allow cups-lpd read network sysctls
|
|
|
|
* Wed Jun 29 2022 Zdenek Pytela <zpytela@redhat.com> - 37.6-1
|
|
- Allow stalld set scheduling policy of kernel threads
|
|
- Allow targetclid read /var/target files
|
|
- Allow targetclid read generic SSL certificates (fixed)
|
|
- Allow firewalld read the contents of the sysfs filesystem
|
|
- Fix file context pattern for /var/target
|
|
- Use insights_client_etc_t in insights_search_config()
|
|
- Allow nm-dispatcher ddclient plugin handle systemd services
|
|
- Allow nm-dispatcher winbind plugin run smbcontrol
|
|
- Allow nm-dispatcher custom plugin create and use unix dgram socket
|
|
- Update samba-dcerpcd policy for kerberos usage 2
|
|
- Allow keepalived read the contents of the sysfs filesystem
|
|
- Allow amandad read network sysctls
|
|
- Allow cups-lpd read network sysctls
|
|
- Allow kpropd read network sysctls
|
|
- Update insights_client_filetrans_named_content()
|
|
- Allow rabbitmq to use systemd notify
|
|
- Label /var/target with targetd_var_t
|
|
- Allow targetclid read generic SSL certificates
|
|
- Update rhcd policy
|
|
- Allow rhcd search insights configuration directories
|
|
- Add the kernel_read_proc_files() interface
|
|
- Require policycoreutils >= 3.4-1
|
|
- Add a script for enclosing interfaces in ifndef statements
|
|
- Disable rpm verification on interface_info
|
|
|
|
* Wed Jun 22 2022 Zdenek Pytela <zpytela@redhat.com> - 37.5-1
|
|
- Allow transition to insights_client named content
|
|
- Add the insights_client_filetrans_named_content() interface
|
|
- Update policy for insights-client to run additional commands 3
|
|
- Allow dhclient manage pid files used by chronyd
|
|
- Allow stalld get scheduling policy of kernel threads
|
|
- Allow samba-dcerpcd work with sssd
|
|
- Allow dlm_controld send a null signal to a cluster daemon
|
|
- Allow ksmctl create hardware state information files
|
|
- Allow winbind_rpcd_t connect to self over a unix_stream_socket
|
|
- Update samba-dcerpcd policy for kerberos usage
|
|
- Allow insights-client execute its private memfd: objects
|
|
- Update policy for insights-client to run additional commands 2
|
|
- Use insights_client_tmp_t instead of insights_client_var_tmp_t
|
|
- Change space indentation to tab in insights-client
|
|
- Use socket permissions sets in insights-client
|
|
- Update policy for insights-client to run additional commands
|
|
- Change rpm_setattr_db_files() to use a pattern
|
|
- Allow init_t to rw insights_client unnamed pipe
|
|
- Add rpm setattr db files macro
|
|
- Fix insights client
|
|
- Update kernel_read_unix_sysctls() for sysctl_net_unix_t handling
|
|
- Allow rabbitmq to access its private memfd: objects
|
|
- Update policy for samba-dcerpcd
|
|
- Allow stalld setsched and sys_nice
|
|
|
|
* Tue Jun 07 2022 Zdenek Pytela <zpytela@redhat.com> - 37.4-1
|
|
- Allow auditd_t noatsecure for a transition to audisp_remote_t
|
|
- Allow ctdbd nlmsg_read on netlink_tcpdiag_socket
|
|
- Allow pcp_domain execute its private memfd: objects
|
|
- Add support for samba-dcerpcd
|
|
- Add policy for wireguard
|
|
- Confine targetcli
|
|
- Allow systemd work with install_t unix stream sockets
|
|
- Allow iscsid the sys_ptrace userns capability
|
|
- Allow xdm connect to unconfined_service_t over a unix stream socket
|
|
|
|
* Fri May 27 2022 Zdenek Pytela <zpytela@redhat.com> - 37.3-1
|
|
- Allow nm-dispatcher custom plugin execute systemctl
|
|
- Allow nm-dispatcher custom plugin dbus chat with nm
|
|
- Allow nm-dispatcher custom plugin create and use udp socket
|
|
- Allow nm-dispatcher custom plugin create and use netlink_route_socket
|
|
- Use create_netlink_socket_perms in netlink_route_socket class permissions
|
|
- Add support for nm-dispatcher sendmail scripts
|
|
- Allow sslh net_admin capability
|
|
- Allow insights-client manage gpg admin home content
|
|
- Add the gpg_manage_admin_home_content() interface
|
|
- Allow rhsmcertd create generic log files
|
|
- Update logging_create_generic_logs() to use create_files_pattern()
|
|
- Label /var/cache/insights with insights_client_cache_t
|
|
- Allow insights-client search gconf homedir
|
|
- Allow insights-client create and use unix_dgram_socket
|
|
- Allow blueman execute its private memfd: files
|
|
- Move the chown call into make-srpm.sh
|
|
|
|
* Fri May 06 2022 Zdenek Pytela <zpytela@redhat.com> - 37.2-1
|
|
- Use the networkmanager_dispatcher_plugin attribute in allow rules
|
|
- Make a custom nm-dispatcher plugin transition
|
|
- Label port 4784/tcp and 4784/udp with bfd_multi
|
|
- Allow systemd watch and watch_reads user ptys
|
|
- Allow sblim-gatherd the kill capability
|
|
- Label more vdsm utils with virtd_exec_t
|
|
- Add ksm service to ksmtuned
|
|
- Add rhcd policy
|
|
- Dontaudit guest attempts to dbus chat with systemd domains
|
|
- Dontaudit guest attempts to dbus chat with system bus types
|
|
- Use a named transition in systemd_hwdb_manage_config()
|
|
- Add default fc specifications for patterns in /opt
|
|
- Add the files_create_etc_files() interface
|
|
- Allow nm-dispatcher console plugin create and write files in /etc
|
|
- Allow nm-dispatcher console plugin transition to the setfiles domain
|
|
- Allow more nm-dispatcher plugins append to init stream sockets
|
|
- Allow nm-dispatcher tlp plugin dbus chat with nm
|
|
- Reorder networkmanager_dispatcher_plugin_template() calls
|
|
- Allow svirt connectto virtlogd
|
|
- Allow blueman map its private memfd: files
|
|
- Allow sysadm user execute init scripts with a transition
|
|
- Allow sblim-sfcbd connect to sblim-reposd stream
|
|
- Allow keepalived_unconfined_script_t dbus chat with init
|
|
- Run restorecon with "-i" not to report errors
|
|
|
|
* Mon May 02 2022 Zdenek Pytela <zpytela@redhat.com> - 37.1-1
|
|
- Fix users for SELinux userspace 3.4
|
|
- Label /var/run/machine-id as machineid_t
|
|
- Add stalld to modules.conf
|
|
- Use files_tmpfs_file() for rhsmcertd_tmpfs_t
|
|
- Allow blueman read/write its private memfd: objects
|
|
- Allow insights-client read rhnsd config files
|
|
- Allow insights-client create_socket_perms for tcp/udp sockets
|