52526cb202
- Allow virtqemud relabelfrom also for file and sock_file Resolves: RHEL-49763 - Allow virtqemud relabel user tmp files and socket files Resolves: RHEL-49763 - Update virtqemud policy for libguestfs usage Resolves: RHEL-49763 - Label /run/libvirt/qemu/channel with virtqemud_var_run_t Resolves: RHEL-47274
1982 lines
83 KiB
RPMSpec
1982 lines
83 KiB
RPMSpec
# github repo with selinux-policy sources
|
|
%global giturl https://github.com/fedora-selinux/selinux-policy
|
|
%global commit 61128219cb2270144668ecdde8e00b074dc898f8
|
|
%global shortcommit %(c=%{commit}; echo ${c:0:7})
|
|
|
|
%define distro redhat
|
|
%define polyinstatiate n
|
|
%define monolithic n
|
|
%if %{?BUILD_DOC:0}%{!?BUILD_DOC:1}
|
|
%define BUILD_DOC 1
|
|
%endif
|
|
%if %{?BUILD_TARGETED:0}%{!?BUILD_TARGETED:1}
|
|
%define BUILD_TARGETED 1
|
|
%endif
|
|
%if %{?BUILD_MINIMUM:0}%{!?BUILD_MINIMUM:1}
|
|
%define BUILD_MINIMUM 1
|
|
%endif
|
|
%if %{?BUILD_MLS:0}%{!?BUILD_MLS:1}
|
|
%define BUILD_MLS 1
|
|
%endif
|
|
%define POLICYVER 33
|
|
%define POLICYCOREUTILSVER 3.4-1
|
|
%define CHECKPOLICYVER 3.2
|
|
Summary: SELinux policy configuration
|
|
Name: selinux-policy
|
|
Version: 40.13.9
|
|
Release: 1%{?dist}
|
|
License: GPL-2.0-or-later
|
|
Source: %{giturl}/archive/%{commit}/%{name}-%{shortcommit}.tar.gz
|
|
Source1: modules-targeted-base.conf
|
|
Source31: modules-targeted-contrib.conf
|
|
Source2: booleans-targeted.conf
|
|
Source3: Makefile.devel
|
|
Source4: setrans-targeted.conf
|
|
Source5: modules-mls-base.conf
|
|
Source32: modules-mls-contrib.conf
|
|
Source6: booleans-mls.conf
|
|
Source8: setrans-mls.conf
|
|
Source14: securetty_types-targeted
|
|
Source15: securetty_types-mls
|
|
#Source16: modules-minimum.conf
|
|
Source17: booleans-minimum.conf
|
|
Source18: setrans-minimum.conf
|
|
Source19: securetty_types-minimum
|
|
Source20: customizable_types
|
|
Source22: users-mls
|
|
Source23: users-targeted
|
|
Source25: users-minimum
|
|
Source26: file_contexts.subs_dist
|
|
Source27: selinux-policy.conf
|
|
Source28: permissivedomains.cil
|
|
Source30: booleans.subs_dist
|
|
|
|
# Tool helps during policy development, to expand system m4 macros to raw allow rules
|
|
# Git repo: https://github.com/fedora-selinux/macro-expander.git
|
|
Source33: macro-expander
|
|
|
|
# Include SELinux policy for container from separate container-selinux repo
|
|
# Git repo: https://github.com/containers/container-selinux.git
|
|
Source35: container-selinux.tgz
|
|
|
|
Source36: selinux-check-proper-disable.service
|
|
|
|
# Script to convert /var/run file context entries to /run
|
|
Source37: varrun-convert.sh
|
|
|
|
# Provide rpm macros for packages installing SELinux modules
|
|
Source102: rpm.macros
|
|
|
|
Url: %{giturl}
|
|
BuildArch: noarch
|
|
BuildRequires: python3 gawk checkpolicy >= %{CHECKPOLICYVER} m4 policycoreutils-devel >= %{POLICYCOREUTILSVER} bzip2
|
|
BuildRequires: make
|
|
BuildRequires: systemd-rpm-macros
|
|
Requires(pre): policycoreutils >= %{POLICYCOREUTILSVER}
|
|
Requires(post): /bin/awk /usr/bin/sha512sum
|
|
Requires(meta): rpm-plugin-selinux
|
|
Requires: selinux-policy-any = %{version}-%{release}
|
|
Provides: selinux-policy-base = %{version}-%{release}
|
|
Suggests: selinux-policy-targeted
|
|
|
|
%description
|
|
SELinux core policy package.
|
|
Originally based off of reference policy,
|
|
the policy has been adjusted to provide support for Fedora.
|
|
|
|
%files
|
|
%{!?_licensedir:%global license %%doc}
|
|
%license COPYING
|
|
%dir %{_datadir}/selinux
|
|
%dir %{_datadir}/selinux/packages
|
|
%dir %{_sysconfdir}/selinux
|
|
%ghost %config(noreplace) %{_sysconfdir}/selinux/config
|
|
%ghost %{_sysconfdir}/sysconfig/selinux
|
|
%{_usr}/lib/tmpfiles.d/selinux-policy.conf
|
|
%{_rpmconfigdir}/macros.d/macros.selinux-policy
|
|
%{_unitdir}/selinux-check-proper-disable.service
|
|
%{_libexecdir}/selinux/varrun-convert.sh
|
|
|
|
%package sandbox
|
|
Summary: SELinux sandbox policy
|
|
Requires(pre): selinux-policy-base = %{version}-%{release}
|
|
Requires(pre): selinux-policy-targeted = %{version}-%{release}
|
|
|
|
%description sandbox
|
|
SELinux sandbox policy for use with the sandbox utility.
|
|
|
|
%files sandbox
|
|
%verify(not md5 size mtime) %{_datadir}/selinux/packages/sandbox.pp
|
|
|
|
%post sandbox
|
|
rm -f %{_sysconfdir}/selinux/*/modules/active/modules/sandbox.pp.disabled 2>/dev/null
|
|
rm -f %{_sharedstatedir}/selinux/*/active/modules/disabled/sandbox 2>/dev/null
|
|
%{_sbindir}/semodule -n -X 100 -i %{_datadir}/selinux/packages/sandbox.pp
|
|
if %{_sbindir}/selinuxenabled ; then
|
|
%{_sbindir}/load_policy
|
|
fi;
|
|
exit 0
|
|
|
|
%preun sandbox
|
|
if [ $1 -eq 0 ] ; then
|
|
%{_sbindir}/semodule -n -d sandbox 2>/dev/null
|
|
if %{_sbindir}/selinuxenabled ; then
|
|
%{_sbindir}/load_policy
|
|
fi;
|
|
fi;
|
|
exit 0
|
|
|
|
%package devel
|
|
Summary: SELinux policy development files
|
|
Requires(pre): selinux-policy = %{version}-%{release}
|
|
Requires: selinux-policy = %{version}-%{release}
|
|
Requires: m4 checkpolicy >= %{CHECKPOLICYVER}
|
|
Requires: /usr/bin/make
|
|
Requires(post): policycoreutils-devel >= %{POLICYCOREUTILSVER}
|
|
|
|
%description devel
|
|
SELinux policy development package.
|
|
This package contains:
|
|
- interfaces, macros, and patterns for policy development
|
|
- a policy example
|
|
- the macro-expander utility
|
|
and some additional files.
|
|
|
|
%files devel
|
|
%{_bindir}/macro-expander
|
|
%dir %{_datadir}/selinux/devel
|
|
%dir %{_datadir}/selinux/devel/include
|
|
%{_datadir}/selinux/devel/include/*
|
|
%exclude %{_datadir}/selinux/devel/include/contrib/container.if
|
|
%dir %{_datadir}/selinux/devel/html
|
|
%{_datadir}/selinux/devel/html/*html
|
|
%{_datadir}/selinux/devel/html/*css
|
|
%{_datadir}/selinux/devel/Makefile
|
|
%{_datadir}/selinux/devel/example.*
|
|
%{_datadir}/selinux/devel/policy.*
|
|
%ghost %verify(not md5 size mode mtime) %{_sharedstatedir}/sepolgen/interface_info
|
|
|
|
%post devel
|
|
%{_sbindir}/selinuxenabled && %{_bindir}/sepolgen-ifgen 2>/dev/null
|
|
exit 0
|
|
|
|
%package doc
|
|
Summary: SELinux policy documentation
|
|
Requires(pre): selinux-policy = %{version}-%{release}
|
|
Requires: selinux-policy = %{version}-%{release}
|
|
|
|
%description doc
|
|
SELinux policy documentation package.
|
|
This package contains manual pages and documentation of the policy modules.
|
|
|
|
%files doc
|
|
%{_mandir}/man*/*
|
|
%{_mandir}/ru/*/*
|
|
%exclude %{_mandir}/man8/container_selinux.8.gz
|
|
%doc %{_datadir}/doc/%{name}
|
|
|
|
%define common_params DISTRO=%{distro} UBAC=n DIRECT_INITRC=n MONOLITHIC=%{monolithic} MLS_CATS=1024 MCS_CATS=1024
|
|
|
|
%define makeCmds() \
|
|
%make_build %common_params UNK_PERMS=%3 NAME=%1 TYPE=%2 bare \
|
|
%make_build %common_params UNK_PERMS=%3 NAME=%1 TYPE=%2 conf \
|
|
cp -f selinux_config/booleans-%1.conf ./policy/booleans.conf \
|
|
cp -f selinux_config/users-%1 ./policy/users \
|
|
#cp -f selinux_config/modules-%1-base.conf ./policy/modules.conf \
|
|
|
|
%define makeModulesConf() \
|
|
cp -f selinux_config/modules-%1-%2.conf ./policy/modules-base.conf \
|
|
cp -f selinux_config/modules-%1-%2.conf ./policy/modules.conf \
|
|
if [ %3 == "contrib" ];then \
|
|
cp selinux_config/modules-%1-%3.conf ./policy/modules-contrib.conf; \
|
|
cat selinux_config/modules-%1-%3.conf >> ./policy/modules.conf; \
|
|
fi; \
|
|
|
|
%define installCmds() \
|
|
%make_build %common_params UNK_PERMS=%3 NAME=%1 TYPE=%2 base.pp \
|
|
%make_build %common_params UNK_PERMS=%3 NAME=%1 TYPE=%2 validate modules \
|
|
make %common_params UNK_PERMS=%3 NAME=%1 TYPE=%2 DESTDIR=%{buildroot} install \
|
|
make %common_params UNK_PERMS=%3 NAME=%1 TYPE=%2 DESTDIR=%{buildroot} install-appconfig \
|
|
make %common_params UNK_PERMS=%3 NAME=%1 TYPE=%2 DESTDIR=%{buildroot} SEMODULE="%{_sbindir}/semodule -p %{buildroot} -X 100 " load \
|
|
%{__mkdir} -p %{buildroot}%{_sysconfdir}/selinux/%1/logins \
|
|
touch %{buildroot}%{_sysconfdir}/selinux/%1/contexts/files/file_contexts.subs \
|
|
install -m0644 selinux_config/securetty_types-%1 %{buildroot}%{_sysconfdir}/selinux/%1/contexts/securetty_types \
|
|
install -m0644 selinux_config/file_contexts.subs_dist %{buildroot}%{_sysconfdir}/selinux/%1/contexts/files \
|
|
install -m0644 selinux_config/setrans-%1.conf %{buildroot}%{_sysconfdir}/selinux/%1/setrans.conf \
|
|
install -m0644 selinux_config/customizable_types %{buildroot}%{_sysconfdir}/selinux/%1/contexts/customizable_types \
|
|
touch %{buildroot}%{_sysconfdir}/selinux/%1/contexts/files/file_contexts.bin \
|
|
touch %{buildroot}%{_sysconfdir}/selinux/%1/contexts/files/file_contexts.local \
|
|
touch %{buildroot}%{_sysconfdir}/selinux/%1/contexts/files/file_contexts.local.bin \
|
|
cp %{SOURCE30} %{buildroot}%{_sysconfdir}/selinux/%1 \
|
|
rm -f %{buildroot}%{_datadir}/selinux/%1/*pp* \
|
|
%{_bindir}/sha512sum %{buildroot}%{_sysconfdir}/selinux/%1/policy/policy.%{POLICYVER} | cut -d' ' -f 1 > %{buildroot}%{_sysconfdir}/selinux/%1/.policy.sha512; \
|
|
rm -rf %{buildroot}%{_sysconfdir}/selinux/%1/contexts/netfilter_contexts \
|
|
rm -rf %{buildroot}%{_sysconfdir}/selinux/%1/modules/active/policy.kern \
|
|
rm -f %{buildroot}%{_sharedstatedir}/selinux/%1/active/*.linked \
|
|
%nil
|
|
|
|
%define fileList() \
|
|
%defattr(-,root,root) \
|
|
%dir %{_sysconfdir}/selinux/%1 \
|
|
%config(noreplace) %{_sysconfdir}/selinux/%1/setrans.conf \
|
|
%config(noreplace) %verify(not md5 size mtime) %{_sysconfdir}/selinux/%1/seusers \
|
|
%dir %{_sysconfdir}/selinux/%1/logins \
|
|
%dir %{_sharedstatedir}/selinux/%1/active \
|
|
%verify(not md5 size mtime) %{_sharedstatedir}/selinux/%1/semanage.read.LOCK \
|
|
%verify(not md5 size mtime) %{_sharedstatedir}/selinux/%1/semanage.trans.LOCK \
|
|
%dir %attr(700,root,root) %dir %{_sharedstatedir}/selinux/%1/active/modules \
|
|
%verify(not md5 size mtime) %{_sharedstatedir}/selinux/%1/active/modules/100/base \
|
|
%dir %{_sysconfdir}/selinux/%1/policy/ \
|
|
%verify(not md5 size mtime) %{_sysconfdir}/selinux/%1/policy/policy.%{POLICYVER} \
|
|
%{_sysconfdir}/selinux/%1/.policy.sha512 \
|
|
%dir %{_sysconfdir}/selinux/%1/contexts \
|
|
%config %{_sysconfdir}/selinux/%1/contexts/customizable_types \
|
|
%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/securetty_types \
|
|
%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/dbus_contexts \
|
|
%config %{_sysconfdir}/selinux/%1/contexts/x_contexts \
|
|
%config %{_sysconfdir}/selinux/%1/contexts/default_contexts \
|
|
%config %{_sysconfdir}/selinux/%1/contexts/virtual_domain_context \
|
|
%config %{_sysconfdir}/selinux/%1/contexts/virtual_image_context \
|
|
%config %{_sysconfdir}/selinux/%1/contexts/lxc_contexts \
|
|
%config %{_sysconfdir}/selinux/%1/contexts/systemd_contexts \
|
|
%config %{_sysconfdir}/selinux/%1/contexts/sepgsql_contexts \
|
|
%config %{_sysconfdir}/selinux/%1/contexts/openssh_contexts \
|
|
%config %{_sysconfdir}/selinux/%1/contexts/snapperd_contexts \
|
|
%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/default_type \
|
|
%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/failsafe_context \
|
|
%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/initrc_context \
|
|
%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/removable_context \
|
|
%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/userhelper_context \
|
|
%dir %{_sysconfdir}/selinux/%1/contexts/files \
|
|
%verify(not md5 size mtime) %{_sysconfdir}/selinux/%1/contexts/files/file_contexts \
|
|
%ghost %{_sysconfdir}/selinux/%1/contexts/files/file_contexts.bin \
|
|
%verify(not md5 size mtime) %{_sysconfdir}/selinux/%1/contexts/files/file_contexts.homedirs \
|
|
%ghost %{_sysconfdir}/selinux/%1/contexts/files/file_contexts.homedirs.bin \
|
|
%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/files/file_contexts.local \
|
|
%ghost %{_sysconfdir}/selinux/%1/contexts/files/file_contexts.local.bin \
|
|
%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/files/file_contexts.subs \
|
|
%{_sysconfdir}/selinux/%1/contexts/files/file_contexts.subs_dist \
|
|
%{_sysconfdir}/selinux/%1/booleans.subs_dist \
|
|
%config %{_sysconfdir}/selinux/%1/contexts/files/media \
|
|
%dir %{_sysconfdir}/selinux/%1/contexts/users \
|
|
%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/users/root \
|
|
%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/users/guest_u \
|
|
%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/users/xguest_u \
|
|
%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/users/user_u \
|
|
%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/users/staff_u \
|
|
%dir %{_datadir}/selinux/%1 \
|
|
%{_datadir}/selinux/%1/base.lst \
|
|
%{_datadir}/selinux/%1/modules-base.lst \
|
|
%{_datadir}/selinux/%1/modules-contrib.lst \
|
|
%{_datadir}/selinux/%1/nonbasemodules.lst \
|
|
%dir %{_sharedstatedir}/selinux/%1 \
|
|
%verify(not md5 size mtime) %{_sharedstatedir}/selinux/%1/active/commit_num \
|
|
%verify(not md5 size mtime) %{_sharedstatedir}/selinux/%1/active/users_extra \
|
|
%verify(not md5 size mtime) %{_sharedstatedir}/selinux/%1/active/homedir_template \
|
|
%verify(not md5 size mtime) %{_sharedstatedir}/selinux/%1/active/seusers \
|
|
%verify(not md5 size mtime) %{_sharedstatedir}/selinux/%1/active/file_contexts \
|
|
%verify(not md5 size mtime) %{_sharedstatedir}/selinux/%1/active/policy.kern \
|
|
%ghost %{_sharedstatedir}/selinux/%1/active/policy.linked \
|
|
%ghost %{_sharedstatedir}/selinux/%1/active/seusers.linked \
|
|
%ghost %{_sharedstatedir}/selinux/%1/active/users_extra.linked \
|
|
%verify(not md5 size mtime) %{_sharedstatedir}/selinux/%1/active/file_contexts.homedirs \
|
|
%verify(not md5 size mtime) %{_sharedstatedir}/selinux/%1/active/modules_checksum \
|
|
%ghost %{_sharedstatedir}/selinux/%1/active/modules/400/extra_varrun \
|
|
%nil
|
|
|
|
%define relabel() \
|
|
if [ -s %{_sysconfdir}/selinux/config ]; then \
|
|
. %{_sysconfdir}/selinux/config &> /dev/null || true; \
|
|
fi; \
|
|
FILE_CONTEXT=%{_sysconfdir}/selinux/%1/contexts/files/file_contexts; \
|
|
if %{_sbindir}/selinuxenabled && [ "${SELINUXTYPE}" = %1 -a -f ${FILE_CONTEXT}.pre ]; then \
|
|
%{_sbindir}/fixfiles -C ${FILE_CONTEXT}.pre restore &> /dev/null > /dev/null; \
|
|
rm -f ${FILE_CONTEXT}.pre; \
|
|
fi; \
|
|
# rebuilding the rpm database still can sometimes result in an incorrect context \
|
|
%{_sbindir}/restorecon -R /usr/lib/sysimage/rpm \
|
|
if %{_sbindir}/restorecon -e /run/media -R /root /var/log /var/run /etc/passwd* /etc/group* /etc/*shadow* 2> /dev/null;then \
|
|
continue; \
|
|
fi;
|
|
|
|
%define preInstall() \
|
|
if [ $1 -ne 1 ] && [ -s %{_sysconfdir}/selinux/config ]; then \
|
|
for MOD_NAME in ganesha ipa_custodia kdbus; do \
|
|
if [ -d %{_sharedstatedir}/selinux/%1/active/modules/100/$MOD_NAME ]; then \
|
|
%{_sbindir}/semodule -n -d $MOD_NAME; \
|
|
fi; \
|
|
done; \
|
|
. %{_sysconfdir}/selinux/config; \
|
|
FILE_CONTEXT=%{_sysconfdir}/selinux/%1/contexts/files/file_contexts; \
|
|
if [ "${SELINUXTYPE}" = %1 -a -f ${FILE_CONTEXT} ]; then \
|
|
[ -f ${FILE_CONTEXT}.pre ] || cp -f ${FILE_CONTEXT} ${FILE_CONTEXT}.pre; \
|
|
fi; \
|
|
touch %{_sysconfdir}/selinux/%1/.rebuild; \
|
|
if [ -e %{_sysconfdir}/selinux/%1/.policy.sha512 ]; then \
|
|
POLICY_FILE=`ls %{_sysconfdir}/selinux/%1/policy/policy.* | sort | head -1` \
|
|
sha512=`sha512sum $POLICY_FILE | cut -d ' ' -f 1`; \
|
|
checksha512=`cat %{_sysconfdir}/selinux/%1/.policy.sha512`; \
|
|
if [ "$sha512" == "$checksha512" ] ; then \
|
|
rm %{_sysconfdir}/selinux/%1/.rebuild; \
|
|
fi; \
|
|
fi; \
|
|
fi;
|
|
|
|
%define postInstall() \
|
|
if [ -s %{_sysconfdir}/selinux/config ]; then \
|
|
. %{_sysconfdir}/selinux/config &> /dev/null || true; \
|
|
fi; \
|
|
if [ -e %{_sysconfdir}/selinux/%2/.rebuild ]; then \
|
|
rm %{_sysconfdir}/selinux/%2/.rebuild; \
|
|
fi; \
|
|
%{_sbindir}/semodule -B -n -s %2; \
|
|
[ "${SELINUXTYPE}" == "%2" ] && %{_sbindir}/selinuxenabled && load_policy; \
|
|
if [ %1 -eq 1 ]; then \
|
|
%{_sbindir}/restorecon -R /root /var/log /run /etc/passwd* /etc/group* /etc/*shadow* 2> /dev/null; \
|
|
else \
|
|
%relabel %2 \
|
|
fi;
|
|
|
|
%define modulesList() \
|
|
awk '$1 !~ "/^#/" && $2 == "=" && $3 == "module" { printf "%%s ", $1 }' ./policy/modules-base.conf > %{buildroot}%{_datadir}/selinux/%1/modules-base.lst \
|
|
awk '$1 !~ "/^#/" && $2 == "=" && $3 == "base" { printf "%%s ", $1 }' ./policy/modules-base.conf > %{buildroot}%{_datadir}/selinux/%1/base.lst \
|
|
if [ -e ./policy/modules-contrib.conf ];then \
|
|
awk '$1 !~ "/^#/" && $2 == "=" && $3 == "module" { printf "%%s ", $1 }' ./policy/modules-contrib.conf > %{buildroot}%{_datadir}/selinux/%1/modules-contrib.lst; \
|
|
fi;
|
|
|
|
%define nonBaseModulesList() \
|
|
contrib_modules=`cat %{buildroot}%{_datadir}/selinux/%1/modules-contrib.lst` \
|
|
base_modules=`cat %{buildroot}%{_datadir}/selinux/%1/modules-base.lst` \
|
|
for i in $contrib_modules $base_modules; do \
|
|
if [ $i != "sandbox" ];then \
|
|
echo "%verify(not md5 size mtime) %{_sharedstatedir}/selinux/%1/active/modules/100/$i" >> %{buildroot}%{_datadir}/selinux/%1/nonbasemodules.lst \
|
|
fi; \
|
|
done;
|
|
|
|
# Make sure the config is consistent with what packages are installed in the system
|
|
# this covers cases when system is installed with selinux-policy-{mls,minimal}
|
|
# or selinux-policy-{targeted,mls,minimal} where switched but the machine has not
|
|
# been rebooted yet.
|
|
# The macro should be called at the beginning of "post" (to make sure load_policy does not fail)
|
|
# and in "posttrans" (to make sure that the store is consistent when all package transitions are done)
|
|
# Parameter determines the policy type to be set in case of miss-configuration (if backup value is not usable)
|
|
# Steps:
|
|
# * load values from config and its backup
|
|
# * check whether SELINUXTYPE from backup is usable and make sure that it's set in the config if so
|
|
# * use "targeted" if it's being installed and BACKUP_SELINUXTYPE cannot be used
|
|
# * check whether SELINUXTYPE in the config is usable and change it to newly installed policy if it isn't
|
|
%define checkConfigConsistency() \
|
|
if [ -f %{_sysconfdir}/selinux/.config_backup ]; then \
|
|
. %{_sysconfdir}/selinux/.config_backup; \
|
|
else \
|
|
BACKUP_SELINUXTYPE=targeted; \
|
|
fi; \
|
|
if [ -s %{_sysconfdir}/selinux/config ]; then \
|
|
. %{_sysconfdir}/selinux/config; \
|
|
if ls %{_sysconfdir}/selinux/$BACKUP_SELINUXTYPE/policy/policy.* &>/dev/null; then \
|
|
if [ "$BACKUP_SELINUXTYPE" != "$SELINUXTYPE" ]; then \
|
|
sed -i 's/^SELINUXTYPE=.*/SELINUXTYPE='"$BACKUP_SELINUXTYPE"'/g' %{_sysconfdir}/selinux/config; \
|
|
fi; \
|
|
elif [ "%1" = "targeted" ]; then \
|
|
if [ "%1" != "$SELINUXTYPE" ]; then \
|
|
sed -i 's/^SELINUXTYPE=.*/SELINUXTYPE=%1/g' %{_sysconfdir}/selinux/config; \
|
|
fi; \
|
|
elif ! ls %{_sysconfdir}/selinux/$SELINUXTYPE/policy/policy.* &>/dev/null; then \
|
|
if [ "%1" != "$SELINUXTYPE" ]; then \
|
|
sed -i 's/^SELINUXTYPE=.*/SELINUXTYPE=%1/g' %{_sysconfdir}/selinux/config; \
|
|
fi; \
|
|
fi; \
|
|
fi;
|
|
|
|
# Create hidden backup of /etc/selinux/config and prepend BACKUP_ to names
|
|
# of variables inside so that they are easy to use later
|
|
# This should be done in "pretrans" because config content can change during RPM operations
|
|
# The macro has to be used in a script slot with "-p <lua>"
|
|
%define backupConfigLua() \
|
|
local sysconfdir = rpm.expand("%{_sysconfdir}") \
|
|
local config_file = sysconfdir .. "/selinux/config" \
|
|
local config_backup = sysconfdir .. "/selinux/.config_backup" \
|
|
os.remove(config_backup) \
|
|
if posix.stat(config_file) then \
|
|
local f = assert(io.open(config_file, "r"), "Failed to read " .. config_file) \
|
|
local content = f:read("*all") \
|
|
f:close() \
|
|
local backup = content:gsub("SELINUX", "BACKUP_SELINUX") \
|
|
local bf = assert(io.open(config_backup, "w"), "Failed to open " .. config_backup) \
|
|
bf:write(backup) \
|
|
bf:close() \
|
|
end
|
|
|
|
# Remove the local_varrun SELinux module
|
|
%define removeVarrunModule() \
|
|
if [ -r "%{_sharedstatedir}/selinux/%1/active/modules/400/extra_varrun/cil" ]; then \
|
|
%{_bindir}/rm -rf %{_sharedstatedir}/selinux/%1/active/modules/400/extra_varrun \
|
|
fi;
|
|
|
|
%define removeVarrunModuleLua() \
|
|
if posix.access ("%{_sharedstatedir}/selinux/%1/active/modules/400/extra_varrun/cil", "r") then \
|
|
os.execute ("%{_bindir}/rm -rf %{_sharedstatedir}/selinux/%1/active/modules/400/extra_varrun") \
|
|
end
|
|
|
|
%build
|
|
|
|
%prep
|
|
%autosetup -p 1 -n %{name}-%{commit}
|
|
tar -C policy/modules/contrib -xf %{SOURCE35}
|
|
|
|
mkdir selinux_config
|
|
for i in %{SOURCE1} %{SOURCE2} %{SOURCE3} %{SOURCE4} %{SOURCE5} %{SOURCE6} %{SOURCE8} %{SOURCE14} %{SOURCE15} %{SOURCE17} %{SOURCE18} %{SOURCE19} %{SOURCE20} %{SOURCE22} %{SOURCE23} %{SOURCE25} %{SOURCE26} %{SOURCE31} %{SOURCE32};do
|
|
cp $i selinux_config
|
|
done
|
|
|
|
%install
|
|
# Build targeted policy
|
|
%{__rm} -fR %{buildroot}
|
|
mkdir -p %{buildroot}%{_sysconfdir}/selinux
|
|
mkdir -p %{buildroot}%{_sysconfdir}/sysconfig
|
|
touch %{buildroot}%{_sysconfdir}/selinux/config
|
|
touch %{buildroot}%{_sysconfdir}/sysconfig/selinux
|
|
mkdir -p %{buildroot}%{_usr}/lib/tmpfiles.d/
|
|
cp %{SOURCE27} %{buildroot}%{_usr}/lib/tmpfiles.d/
|
|
mkdir -p %{buildroot}%{_bindir}
|
|
install -m 755 %{SOURCE33} %{buildroot}%{_bindir}/
|
|
mkdir -p %{buildroot}%{_libexecdir}/selinux
|
|
install -m 755 %{SOURCE37} %{buildroot}%{_libexecdir}/selinux
|
|
|
|
# Always create policy module package directories
|
|
mkdir -p %{buildroot}%{_datadir}/selinux/{targeted,mls,minimum,modules}/
|
|
mkdir -p %{buildroot}%{_sharedstatedir}/selinux/{targeted,mls,minimum,modules}/
|
|
|
|
mkdir -p %{buildroot}%{_datadir}/selinux/packages
|
|
|
|
# Install devel
|
|
make clean
|
|
%if %{BUILD_TARGETED}
|
|
# Build targeted policy
|
|
%makeCmds targeted mcs allow
|
|
%makeModulesConf targeted base contrib
|
|
%installCmds targeted mcs allow
|
|
# install permissivedomains.cil
|
|
%{_sbindir}/semodule -p %{buildroot} -X 100 -s targeted -i %{SOURCE28}
|
|
# recreate sandbox.pp
|
|
rm -rf %{buildroot}%{_sharedstatedir}/selinux/targeted/active/modules/100/sandbox
|
|
%make_build %common_params UNK_PERMS=allow NAME=targeted TYPE=mcs sandbox.pp
|
|
mv sandbox.pp %{buildroot}%{_datadir}/selinux/packages/sandbox.pp
|
|
%modulesList targeted
|
|
%nonBaseModulesList targeted
|
|
%endif
|
|
|
|
%if %{BUILD_MINIMUM}
|
|
# Build minimum policy
|
|
%makeCmds minimum mcs allow
|
|
%makeModulesConf targeted base contrib
|
|
%installCmds minimum mcs allow
|
|
rm -rf %{buildroot}%{_sharedstatedir}/selinux/minimum/active/modules/100/sandbox
|
|
%modulesList minimum
|
|
%nonBaseModulesList minimum
|
|
%endif
|
|
|
|
%if %{BUILD_MLS}
|
|
# Build mls policy
|
|
%makeCmds mls mls deny
|
|
%makeModulesConf mls base contrib
|
|
%installCmds mls mls deny
|
|
%modulesList mls
|
|
%nonBaseModulesList mls
|
|
%endif
|
|
|
|
# remove leftovers when save-previous=true (semanage.conf) is used
|
|
rm -rf %{buildroot}%{_sharedstatedir}/selinux/{minimum,targeted,mls}/previous
|
|
|
|
mkdir -p %{buildroot}%{_mandir}
|
|
cp -R man/* %{buildroot}%{_mandir}
|
|
make %common_params UNK_PERMS=allow NAME=targeted TYPE=mcs DESTDIR=%{buildroot} PKGNAME=%{name} install-docs
|
|
make %common_params UNK_PERMS=allow NAME=targeted TYPE=mcs DESTDIR=%{buildroot} PKGNAME=%{name} install-headers
|
|
mkdir %{buildroot}%{_datadir}/selinux/devel/
|
|
mv %{buildroot}%{_datadir}/selinux/targeted/include %{buildroot}%{_datadir}/selinux/devel/include
|
|
install -m 644 selinux_config/Makefile.devel %{buildroot}%{_datadir}/selinux/devel/Makefile
|
|
install -m 644 doc/example.* %{buildroot}%{_datadir}/selinux/devel/
|
|
install -m 644 doc/policy.* %{buildroot}%{_datadir}/selinux/devel/
|
|
%{_bindir}/sepolicy manpage -a -p %{buildroot}%{_datadir}/man/man8/ -w -r %{buildroot}
|
|
mkdir %{buildroot}%{_datadir}/selinux/devel/html
|
|
mv %{buildroot}%{_datadir}/man/man8/*.html %{buildroot}%{_datadir}/selinux/devel/html
|
|
mv %{buildroot}%{_datadir}/man/man8/style.css %{buildroot}%{_datadir}/selinux/devel/html
|
|
|
|
mkdir -p %{buildroot}%{_rpmconfigdir}/macros.d
|
|
install -m 644 %{SOURCE102} %{buildroot}%{_rpmconfigdir}/macros.d/macros.selinux-policy
|
|
sed -i 's/SELINUXPOLICYVERSION/%{version}/' %{buildroot}%{_rpmconfigdir}/macros.d/macros.selinux-policy
|
|
sed -i 's@SELINUXSTOREPATH@%{_sharedstatedir}/selinux@' %{buildroot}%{_rpmconfigdir}/macros.d/macros.selinux-policy
|
|
|
|
mkdir -p %{buildroot}%{_unitdir}
|
|
install -m 644 %{SOURCE36} %{buildroot}%{_unitdir}
|
|
|
|
rm -rf selinux_config
|
|
|
|
%post
|
|
%systemd_post selinux-check-proper-disable.service
|
|
if [ ! -s %{_sysconfdir}/selinux/config ]; then
|
|
#
|
|
# New install so we will default to targeted policy
|
|
#
|
|
echo "
|
|
# This file controls the state of SELinux on the system.
|
|
# SELINUX= can take one of these three values:
|
|
# enforcing - SELinux security policy is enforced.
|
|
# permissive - SELinux prints warnings instead of enforcing.
|
|
# disabled - No SELinux policy is loaded.
|
|
# See also:
|
|
# https://docs.fedoraproject.org/en-US/quick-docs/getting-started-with-selinux/#getting-started-with-selinux-selinux-states-and-modes
|
|
#
|
|
# NOTE: In earlier Fedora kernel builds, SELINUX=disabled would also
|
|
# fully disable SELinux during boot. If you need a system with SELinux
|
|
# fully disabled instead of SELinux running with no policy loaded, you
|
|
# need to pass selinux=0 to the kernel command line. You can use grubby
|
|
# to persistently set the bootloader to boot with selinux=0:
|
|
#
|
|
# grubby --update-kernel ALL --args selinux=0
|
|
#
|
|
# To revert back to SELinux enabled:
|
|
#
|
|
# grubby --update-kernel ALL --remove-args selinux
|
|
#
|
|
SELINUX=enforcing
|
|
# SELINUXTYPE= can take one of these three values:
|
|
# targeted - Targeted processes are protected,
|
|
# minimum - Modification of targeted policy. Only selected processes are protected.
|
|
# mls - Multi Level Security protection.
|
|
SELINUXTYPE=targeted
|
|
|
|
" > %{_sysconfdir}/selinux/config
|
|
|
|
ln -sf ../selinux/config %{_sysconfdir}/sysconfig/selinux
|
|
%{_sbindir}/restorecon %{_sysconfdir}/selinux/config 2> /dev/null || :
|
|
else
|
|
. %{_sysconfdir}/selinux/config
|
|
fi
|
|
exit 0
|
|
|
|
%preun
|
|
%systemd_preun selinux-check-proper-disable.service
|
|
|
|
%postun
|
|
%systemd_postun selinux-check-proper-disable.service
|
|
if [ $1 = 0 ]; then
|
|
%{_sbindir}/setenforce 0 2> /dev/null
|
|
if [ ! -s %{_sysconfdir}/selinux/config ]; then
|
|
echo "SELINUX=disabled" > %{_sysconfdir}/selinux/config
|
|
else
|
|
sed -i 's/^SELINUX=.*/SELINUX=disabled/g' %{_sysconfdir}/selinux/config
|
|
fi
|
|
fi
|
|
exit 0
|
|
|
|
%if %{BUILD_TARGETED}
|
|
%package targeted
|
|
Summary: SELinux targeted policy
|
|
Provides: selinux-policy-any = %{version}-%{release}
|
|
Obsoletes: selinux-policy-targeted-sources < 2
|
|
Requires(pre): policycoreutils >= %{POLICYCOREUTILSVER}
|
|
Requires(pre): coreutils
|
|
Requires(pre): selinux-policy = %{version}-%{release}
|
|
Requires: selinux-policy = %{version}-%{release}
|
|
Conflicts: audispd-plugins <= 1.7.7-1
|
|
Obsoletes: mod_fcgid-selinux <= %{version}-%{release}
|
|
Obsoletes: cachefilesd-selinux <= 0.10-1
|
|
Conflicts: seedit
|
|
Conflicts: 389-ds-base < 1.2.7, 389-admin < 1.1.12
|
|
Conflicts: container-selinux < 2:1.12.1-22
|
|
|
|
%description targeted
|
|
SELinux targeted policy package.
|
|
|
|
%pretrans targeted -p <lua>
|
|
%backupConfigLua
|
|
%removeVarrunModuleLua targeted
|
|
|
|
%pre targeted
|
|
%preInstall targeted
|
|
|
|
%post targeted
|
|
%checkConfigConsistency targeted
|
|
%postInstall $1 targeted
|
|
exit 0
|
|
|
|
%posttrans targeted
|
|
%checkConfigConsistency targeted
|
|
%{_libexecdir}/selinux/varrun-convert.sh targeted
|
|
%{_sbindir}/restorecon -Ri /usr/lib/sysimage/rpm /var/lib/rpm
|
|
|
|
%postun targeted
|
|
if [ $1 = 0 ]; then
|
|
if [ -s %{_sysconfdir}/selinux/config ]; then
|
|
source %{_sysconfdir}/selinux/config &> /dev/null || true
|
|
fi
|
|
if [ "$SELINUXTYPE" = "targeted" ]; then
|
|
%{_sbindir}/setenforce 0 2> /dev/null
|
|
if [ ! -s %{_sysconfdir}/selinux/config ]; then
|
|
echo "SELINUX=disabled" > %{_sysconfdir}/selinux/config
|
|
else
|
|
sed -i 's/^SELINUX=.*/SELINUX=disabled/g' %{_sysconfdir}/selinux/config
|
|
fi
|
|
fi
|
|
fi
|
|
exit 0
|
|
|
|
|
|
%triggerin -- pcre2
|
|
%{_sbindir}/selinuxenabled && %{_sbindir}/semodule -nB
|
|
exit 0
|
|
|
|
%triggerprein -- container-selinux
|
|
%removeVarrunModule targeted
|
|
exit 0
|
|
|
|
%triggerprein -- pcp-selinux
|
|
%removeVarrunModule targeted
|
|
exit 0
|
|
|
|
%triggerpostin -- container-selinux
|
|
%{_libexecdir}/selinux/varrun-convert.sh targeted
|
|
exit 0
|
|
|
|
%triggerpostin -- pcp-selinux
|
|
%{_libexecdir}/selinux/varrun-convert.sh targeted
|
|
exit 0
|
|
|
|
%triggerpostun -- selinux-policy-targeted < 3.12.1-74
|
|
rm -f %{_sysconfdir}/selinux/*/modules/active/modules/sandbox.pp.disabled 2>/dev/null
|
|
exit 0
|
|
|
|
%triggerpostun -- pcp-selinux
|
|
%{_libexecdir}/selinux/varrun-convert.sh targeted
|
|
exit 0
|
|
|
|
%triggerpostun -- container-selinux
|
|
%{_libexecdir}/selinux/varrun-convert.sh targeted
|
|
exit 0
|
|
|
|
%triggerpostun targeted -- selinux-policy-targeted < 3.13.1-138
|
|
CR=$'\n'
|
|
INPUT=""
|
|
for i in `find %{_sysconfdir}/selinux/targeted/modules/active/modules/ -name \*disabled`; do
|
|
module=`basename $i | sed 's/.pp.disabled//'`
|
|
if [ -d %{_sharedstatedir}/selinux/targeted/active/modules/100/$module ]; then
|
|
touch %{_sharedstatedir}/selinux/targeted/active/modules/disabled/$p
|
|
fi
|
|
done
|
|
for i in `find %{_sysconfdir}/selinux/targeted/modules/active/modules/ -name \*.pp`; do
|
|
INPUT="${INPUT}${CR}module -N -a $i"
|
|
done
|
|
for i in $(find %{_sysconfdir}/selinux/targeted/modules/active -name \*.local); do
|
|
cp $i %{_sharedstatedir}/selinux/targeted/active
|
|
done
|
|
echo "$INPUT" | %{_sbindir}/semanage import -S targeted -N
|
|
if %{_sbindir}/selinuxenabled ; then
|
|
%{_sbindir}/load_policy
|
|
fi
|
|
exit 0
|
|
|
|
%files targeted -f %{buildroot}%{_datadir}/selinux/targeted/nonbasemodules.lst
|
|
%config(noreplace) %{_sysconfdir}/selinux/targeted/contexts/users/unconfined_u
|
|
%config(noreplace) %{_sysconfdir}/selinux/targeted/contexts/users/sysadm_u
|
|
%fileList targeted
|
|
%verify(not md5 size mtime) %{_sharedstatedir}/selinux/targeted/active/modules/100/permissivedomains
|
|
%endif
|
|
|
|
%if %{BUILD_MINIMUM}
|
|
%package minimum
|
|
Summary: SELinux minimum policy
|
|
Provides: selinux-policy-any = %{version}-%{release}
|
|
Requires(post): policycoreutils-python-utils >= %{POLICYCOREUTILSVER}
|
|
Requires(pre): coreutils
|
|
Requires(pre): selinux-policy = %{version}-%{release}
|
|
Requires: selinux-policy = %{version}-%{release}
|
|
Conflicts: seedit
|
|
Conflicts: container-selinux <= 1.9.0-9
|
|
|
|
%description minimum
|
|
SELinux minimum policy package.
|
|
|
|
%pretrans minimum -p <lua>
|
|
%backupConfigLua
|
|
|
|
%pre minimum
|
|
%preInstall minimum
|
|
if [ $1 -ne 1 ]; then
|
|
%{_sbindir}/semodule -s minimum --list-modules=full | awk '{ if ($4 != "disabled") print $2; }' > %{_datadir}/selinux/minimum/instmodules.lst
|
|
fi
|
|
|
|
%post minimum
|
|
%checkConfigConsistency minimum
|
|
contribpackages=`cat %{_datadir}/selinux/minimum/modules-contrib.lst`
|
|
basepackages=`cat %{_datadir}/selinux/minimum/modules-base.lst`
|
|
if [ ! -d %{_sharedstatedir}/selinux/minimum/active/modules/disabled ]; then
|
|
mkdir %{_sharedstatedir}/selinux/minimum/active/modules/disabled
|
|
fi
|
|
if [ $1 -eq 1 ]; then
|
|
for p in $contribpackages; do
|
|
touch %{_sharedstatedir}/selinux/minimum/active/modules/disabled/$p
|
|
done
|
|
for p in $basepackages apache dbus inetd kerberos mta nis; do
|
|
rm -f %{_sharedstatedir}/selinux/minimum/active/modules/disabled/$p
|
|
done
|
|
%{_sbindir}/semanage import -S minimum -f - << __eof
|
|
login -m -s unconfined_u -r s0-s0:c0.c1023 __default__
|
|
login -m -s unconfined_u -r s0-s0:c0.c1023 root
|
|
__eof
|
|
%{_sbindir}/restorecon -R /root /var/log /var/run 2> /dev/null
|
|
%{_sbindir}/semodule -B -s minimum
|
|
else
|
|
instpackages=`cat %{_datadir}/selinux/minimum/instmodules.lst`
|
|
for p in $contribpackages; do
|
|
touch %{_sharedstatedir}/selinux/minimum/active/modules/disabled/$p
|
|
done
|
|
for p in $instpackages apache dbus inetd kerberos mta nis; do
|
|
rm -f %{_sharedstatedir}/selinux/minimum/active/modules/disabled/$p
|
|
done
|
|
%{_sbindir}/semodule -B -s minimum
|
|
%relabel minimum
|
|
fi
|
|
exit 0
|
|
|
|
%posttrans minimum
|
|
%checkConfigConsistency minimum
|
|
%{_libexecdir}/selinux/varrun-convert.sh minimum
|
|
%{_sbindir}/restorecon -Ri /usr/lib/sysimage/rpm /var/lib/rpm
|
|
|
|
%postun minimum
|
|
if [ $1 = 0 ]; then
|
|
if [ -s %{_sysconfdir}/selinux/config ]; then
|
|
source %{_sysconfdir}/selinux/config &> /dev/null || true
|
|
fi
|
|
if [ "$SELINUXTYPE" = "minimum" ]; then
|
|
%{_sbindir}/setenforce 0 2> /dev/null
|
|
if [ ! -s %{_sysconfdir}/selinux/config ]; then
|
|
echo "SELINUX=disabled" > %{_sysconfdir}/selinux/config
|
|
else
|
|
sed -i 's/^SELINUX=.*/SELINUX=disabled/g' %{_sysconfdir}/selinux/config
|
|
fi
|
|
fi
|
|
fi
|
|
exit 0
|
|
|
|
%triggerpostun minimum -- selinux-policy-minimum < 3.13.1-138
|
|
if [ `ls -A %{_sharedstatedir}/selinux/minimum/active/modules/disabled/` ]; then
|
|
rm -f %{_sharedstatedir}/selinux/minimum/active/modules/disabled/*
|
|
fi
|
|
CR=$'\n'
|
|
INPUT=""
|
|
for i in `find %{_sysconfdir}/selinux/minimum/modules/active/modules/ -name \*disabled`; do
|
|
module=`basename $i | sed 's/.pp.disabled//'`
|
|
if [ -d %{_sharedstatedir}/selinux/minimum/active/modules/100/$module ]; then
|
|
touch %{_sharedstatedir}/selinux/minimum/active/modules/disabled/$p
|
|
fi
|
|
done
|
|
for i in `find %{_sysconfdir}/selinux/minimum/modules/active/modules/ -name \*.pp`; do
|
|
INPUT="${INPUT}${CR}module -N -a $i"
|
|
done
|
|
echo "$INPUT" | %{_sbindir}/semanage import -S minimum -N
|
|
if %{_sbindir}/selinuxenabled ; then
|
|
%{_sbindir}/load_policy
|
|
fi
|
|
exit 0
|
|
|
|
%files minimum -f %{buildroot}%{_datadir}/selinux/minimum/nonbasemodules.lst
|
|
%config(noreplace) %{_sysconfdir}/selinux/minimum/contexts/users/unconfined_u
|
|
%config(noreplace) %{_sysconfdir}/selinux/minimum/contexts/users/sysadm_u
|
|
%fileList minimum
|
|
%endif
|
|
|
|
%if %{BUILD_MLS}
|
|
%package mls
|
|
Summary: SELinux MLS policy
|
|
Provides: selinux-policy-any = %{version}-%{release}
|
|
Obsoletes: selinux-policy-mls-sources < 2
|
|
Requires: policycoreutils-newrole >= %{POLICYCOREUTILSVER} setransd
|
|
Requires(pre): policycoreutils >= %{POLICYCOREUTILSVER}
|
|
Requires(pre): coreutils
|
|
Requires(pre): selinux-policy = %{version}-%{release}
|
|
Requires: selinux-policy = %{version}-%{release}
|
|
Conflicts: seedit
|
|
Conflicts: container-selinux <= 1.9.0-9
|
|
|
|
%description mls
|
|
SELinux MLS (Multi Level Security) policy package.
|
|
|
|
%pretrans mls -p <lua>
|
|
%backupConfigLua
|
|
|
|
%pre mls
|
|
%preInstall mls
|
|
|
|
%post mls
|
|
%checkConfigConsistency mls
|
|
%postInstall $1 mls
|
|
exit 0
|
|
|
|
%posttrans mls
|
|
%checkConfigConsistency mls
|
|
%{_libexecdir}/selinux/varrun-convert.sh mls
|
|
%{_sbindir}/restorecon -Ri /usr/lib/sysimage/rpm /var/lib/rpm
|
|
|
|
%postun mls
|
|
if [ $1 = 0 ]; then
|
|
if [ -s %{_sysconfdir}/selinux/config ]; then
|
|
source %{_sysconfdir}/selinux/config &> /dev/null || true
|
|
fi
|
|
if [ "$SELINUXTYPE" = "mls" ]; then
|
|
%{_sbindir}/setenforce 0 2> /dev/null
|
|
if [ ! -s %{_sysconfdir}/selinux/config ]; then
|
|
echo "SELINUX=disabled" > %{_sysconfdir}/selinux/config
|
|
else
|
|
sed -i 's/^SELINUX=.*/SELINUX=disabled/g' %{_sysconfdir}/selinux/config
|
|
fi
|
|
fi
|
|
fi
|
|
exit 0
|
|
|
|
%triggerpostun mls -- selinux-policy-mls < 3.13.1-138
|
|
CR=$'\n'
|
|
INPUT=""
|
|
for i in `find %{_sysconfdir}/selinux/mls/modules/active/modules/ -name \*disabled`; do
|
|
module=`basename $i | sed 's/.pp.disabled//'`
|
|
if [ -d %{_sharedstatedir}/selinux/mls/active/modules/100/$module ]; then
|
|
touch %{_sharedstatedir}/selinux/mls/active/modules/disabled/$p
|
|
fi
|
|
done
|
|
for i in `find %{_sysconfdir}/selinux/mls/modules/active/modules/ -name \*.pp`; do
|
|
INPUT="${INPUT}${CR}module -N -a $i"
|
|
done
|
|
echo "$INPUT" | %{_sbindir}/semanage import -S mls -N
|
|
if %{_sbindir}/selinuxenabled ; then
|
|
%{_sbindir}/load_policy
|
|
fi
|
|
exit 0
|
|
|
|
|
|
%files mls -f %{buildroot}%{_datadir}/selinux/mls/nonbasemodules.lst
|
|
%config(noreplace) %{_sysconfdir}/selinux/mls/contexts/users/unconfined_u
|
|
%fileList mls
|
|
%endif
|
|
|
|
%changelog
|
|
* Mon Aug 26 2024 Zdenek Pytela <zpytela@redhat.com> - 40.13.9-1
|
|
- Allow virtqemud relabelfrom also for file and sock_file
|
|
Resolves: RHEL-49763
|
|
- Allow virtqemud relabel user tmp files and socket files
|
|
Resolves: RHEL-49763
|
|
- Update virtqemud policy for libguestfs usage
|
|
Resolves: RHEL-49763
|
|
- Label /run/libvirt/qemu/channel with virtqemud_var_run_t
|
|
Resolves: RHEL-47274
|
|
|
|
* Tue Aug 13 2024 Zdenek Pytela <zpytela@redhat.com> - 40.13.8-1
|
|
- Add virt_create_log() and virt_write_log() interfaces
|
|
Resolves: RHEL-47274
|
|
- Update libvirt policy
|
|
Resolves: RHEL-45464
|
|
Resolves: RHEL-49763
|
|
- Allow svirt_tcg_t map svirt_image_t files
|
|
Resolves: RHEL-47274
|
|
- Allow svirt_tcg_t read vm sysctls
|
|
Resolves: RHEL-47274
|
|
- Additional updates stalld policy for bpf usage
|
|
Resolves: RHEL-50356
|
|
|
|
* Thu Aug 08 2024 Zdenek Pytela <zpytela@redhat.com> - 40.13.7-1
|
|
- Add the swtpm.if interface file for interactions with other domains
|
|
Resolves: RHEL-47274
|
|
- Allow virtproxyd create and use its private tmp files
|
|
Resolves: RHEL-40499
|
|
- Allow virtproxyd read network state
|
|
Resolves: RHEL-40499
|
|
- Allow virtqemud domain transition on swtpm execution
|
|
Resolves: RHEL-47274
|
|
Resolves: RHEL-49763
|
|
- Allow virtqemud relabel virt_var_run_t directories
|
|
Resolves: RHEL-47274
|
|
Resolves: RHEL-45464
|
|
Resolves: RHEL-49763
|
|
- Allow virtqemud domain transition on passt execution
|
|
Resolves: RHEL-45464
|
|
- Allow virt_driver_domain create and use log files in /var/log
|
|
Resolves: RHEL-40239
|
|
- Allow virt_driver_domain connect to systemd-userdbd over a unix socket
|
|
Resolves: RHEL-44932
|
|
Resolves: RHEL-44898
|
|
- Update stalld policy for bpf usage
|
|
Resolves: RHEL-50356
|
|
- Allow boothd connect to systemd-userdbd over a unix socket
|
|
Resolves: RHEL-45907
|
|
- Allow linuxptp configure phc2sys and chronyd over a unix domain socket
|
|
Resolves: RHEL-46011
|
|
- Allow systemd-machined manage runtime sockets
|
|
Resolves: RHEL-49567
|
|
- Allow ip command write to ipsec's logs
|
|
Resolves: RHEL-41222
|
|
- Allow init_t nnp domain transition to firewalld_t
|
|
Resolves: RHEL-52481
|
|
- Update qatlib policy for v24.02 with new features
|
|
Resolves: RHEL-50377
|
|
- Allow postfix_domain map postfix_etc_t files
|
|
Resolves: RHEL-46327
|
|
|
|
* Thu Jul 25 2024 Zdenek Pytela <zpytela@redhat.com> - 40.13.6-1
|
|
- Allow virtnodedevd run udev with a domain transition
|
|
Resolves: RHEL-39890
|
|
- Allow virtnodedev_t create and use virtnodedev_lock_t
|
|
Resolves: RHEL-39890
|
|
- Allow svirt attach_queue to a virtqemud tun_socket
|
|
Resolves: RHEL-44312
|
|
- Label /run/systemd/machine with systemd_machined_var_run_t
|
|
Resolves: RHEL-49567
|
|
- Allow to create and delete socket files created by rhsm.service
|
|
|
|
* Tue Jul 16 2024 Zdenek Pytela <zpytela@redhat.com> - 40.13.5-1
|
|
- Allow to create and delete socket files created by rhsm.service
|
|
Resolves: RHEL-40857
|
|
- Allow svirt read virtqemud fifo files
|
|
Resolves: RHEL-40350
|
|
- Allow virt_dbus_t connect to virtqemud_t over a unix stream socket
|
|
Resolves: RHEL-37822
|
|
- Allow virtqemud read virt-dbus process state
|
|
Resolves: RHEL-37822
|
|
- Allow virtqemud run ssh client with a transition
|
|
Resolves: RHEL-43215
|
|
- Allow virtnetworkd exec shell when virt_hooks_unconfined is on
|
|
Resolves: RHEL-41168
|
|
- Allow NetworkManager the sys_ptrace capability in user namespace
|
|
Resolves: RHEL-46717
|
|
- Update keyutils policy
|
|
Resolves: RHEL-38920
|
|
- Allow ip the setexec permission
|
|
Resolves: RHEL-41182
|
|
|
|
* Fri Jun 28 2024 Zdenek Pytela <zpytela@redhat.com> - 40.13.4-1
|
|
- Confine libvirt-dbus
|
|
Resolves: RHEL-37822
|
|
- Allow sssd create and use io_uring
|
|
Resolves: RHEL-43448
|
|
- Allow virtqemud the kill capability in user namespace
|
|
Resolves: RHEL-44996
|
|
- Allow login_userdomain execute systemd-tmpfiles in the caller domain
|
|
Resolves: RHEL-44191
|
|
- Allow virtqemud read vm sysctls
|
|
Resolves: RHEL-40938
|
|
- Allow svirt_t read vm sysctls
|
|
Resolves: RHEL-40938
|
|
- Allow rshim get options of the netlink class for KOBJECT_UEVENT family
|
|
Resolves: RHEL-40859
|
|
- Allow systemd-hostnamed read the vsock device
|
|
Resolves: RHEL-45309
|
|
- Allow systemd (PID 1) manage systemd conf files
|
|
Resolves: RHEL-45304
|
|
- Allow journald read systemd config files and directories
|
|
Resolves: RHEL-45304
|
|
- Allow systemd_domain read systemd_conf_t dirs
|
|
Resolves: RHEL-45304
|
|
- Label systemd configuration files with systemd_conf_t
|
|
Resolves: RHEL-45304
|
|
- Allow dhcpcd the kill capability
|
|
Resolves: RHEL-43417
|
|
- Add support for libvirt hooks
|
|
Resolves: RHEL-41168
|
|
|
|
* Mon Jun 24 2024 Troy Dawson <tdawson@redhat.com> - 40.13.3-2
|
|
- Bump release for June 2024 mass rebuild
|
|
|
|
* Tue Jun 18 2024 Zdenek Pytela <zpytela@redhat.com> - 40.13.3-1
|
|
- Allow virtqemud manage nfs files when virt_use_nfs boolean is on
|
|
Resolves: RHEL-40205
|
|
- Allow virt_driver_domain read files labeled unconfined_t
|
|
Resolves: RHEL-40262
|
|
- Allow virt_driver_domain dbus chat with policykit
|
|
Resolves: RHEL-40346
|
|
- Escape "interface" as a file name in a virt filetrans pattern
|
|
Resolves: RHEL-34769
|
|
- Allow setroubleshootd get attributes of all sysctls
|
|
Resolves: RHEL-40923
|
|
- Allow qemu-ga read vm sysctls
|
|
Resolves: RHEL-40829
|
|
- Allow sbd to trace processes in user namespace
|
|
Resolves: RHEL-39989
|
|
- Allow request-key execute scripts
|
|
Resolves: RHEL-38920
|
|
- Update policy for haproxyd
|
|
Resolves: RHEL-40877
|
|
|
|
* Fri Jun 07 2024 Zdenek Pytela <zpytela@redhat.com> - 40.13.2-1
|
|
- Allow all domains read and write z90crypt device
|
|
Resolves: RHEL-28539
|
|
- Allow dhcpc read /run/netns files
|
|
Resolves: RHEL-39510
|
|
- Allow bootupd search efivarfs dirs
|
|
Resolves: RHEL-39514
|
|
|
|
* Fri May 17 2024 Zdenek Pytela <zpytela@redhat.com> - 40.13.1-1
|
|
- Allow logwatch read logind sessions files
|
|
Resolves: RHEL-30441
|
|
- Allow sulogin relabel tty1
|
|
Resolves: RHEL-30440
|
|
- Dontaudit sulogin the checkpoint_restore capability
|
|
Resolves: RHEL-30440
|
|
- Allow postfix smtpd map aliases file
|
|
Resolves: RHEL-35544
|
|
- Ensure dbus communication is allowed bidirectionally
|
|
Resolves: RHEL-35783
|
|
- Allow various services read and write z90crypt device
|
|
Resolves: RHEL-28539
|
|
- Allow dhcpcd use unix_stream_socket
|
|
Resolves: RHEL-33081
|
|
- Allow xdm_t to watch and watch_reads mount_var_run_t
|
|
Resolves: RHEL-36073
|
|
- Allow plymouthd log during shutdown
|
|
Resolves: RHEL-30455
|
|
- Update rpm configuration for the /var/run equivalency change
|
|
Resolves: RHEL-36094
|
|
|
|
* Mon Feb 12 2024 Zdenek Pytela <zpytela@redhat.com> - 40.13-1
|
|
- Only allow confined user domains to login locally without unconfined_login
|
|
- Add userdom_spec_domtrans_confined_admin_users interface
|
|
- Only allow admindomain to execute shell via ssh with ssh_sysadm_login
|
|
- Add userdom_spec_domtrans_admin_users interface
|
|
- Move ssh dyntrans to unconfined inside unconfined_login tunable policy
|
|
- Update ssh_role_template() for user ssh-agent type
|
|
- Allow init to inherit system DBus file descriptors
|
|
- Allow init to inherit fds from syslogd
|
|
- Allow any domain to inherit fds from rpm-ostree
|
|
- Update afterburn policy
|
|
- Allow init_t nnp domain transition to abrtd_t
|
|
|
|
* Tue Feb 06 2024 Zdenek Pytela <zpytela@redhat.com> - 40.12-1
|
|
- Rename all /var/lock file context entries to /run/lock
|
|
- Rename all /var/run file context entries to /run
|
|
- Invert the "/var/run = /run" equivalency
|
|
|
|
* Mon Feb 05 2024 Zdenek Pytela <zpytela@redhat.com> - 40.11-1
|
|
- Replace init domtrans rule for confined users to allow exec init
|
|
- Update dbus_role_template() to allow user service status
|
|
- Allow polkit status all systemd services
|
|
- Allow setroubleshootd create and use inherited io_uring
|
|
- Allow load_policy read and write generic ptys
|
|
- Allow gpg manage rpm cache
|
|
- Allow login_userdomain name_bind to howl and xmsg udp ports
|
|
- Allow rules for confined users logged in plasma
|
|
- Label /dev/iommu with iommu_device_t
|
|
- Remove duplicate file context entries in /run
|
|
- Dontaudit getty and plymouth the checkpoint_restore capability
|
|
- Allow su domains write login records
|
|
- Revert "Allow su domains write login records"
|
|
- Allow login_userdomain delete session dbusd tmp socket files
|
|
- Allow unix dgram sendto between exim processes
|
|
- Allow su domains write login records
|
|
- Allow smbd_t to watch user_home_dir_t if samba_enable_home_dirs is on
|
|
|
|
* Wed Jan 24 2024 Zdenek Pytela <zpytela@redhat.com> - 40.10-1
|
|
- Allow chronyd-restricted read chronyd key files
|
|
- Allow conntrackd_t to use bpf capability2
|
|
- Allow systemd-networkd manage its runtime socket files
|
|
- Allow init_t nnp domain transition to colord_t
|
|
- Allow polkit status systemd services
|
|
- nova: Fix duplicate declarations
|
|
- Allow httpd work with PrivateTmp
|
|
- Add interfaces for watching and reading ifconfig_var_run_t
|
|
- Allow collectd read raw fixed disk device
|
|
- Allow collectd read udev pid files
|
|
- Set correct label on /etc/pki/pki-tomcat/kra
|
|
- Allow systemd domains watch system dbus pid socket files
|
|
- Allow certmonger read network sysctls
|
|
- Allow mdadm list stratisd data directories
|
|
- Allow syslog to run unconfined scripts conditionally
|
|
- Allow syslogd_t nnp_transition to syslogd_unconfined_script_t
|
|
- Allow qatlib set attributes of vfio device files
|
|
|
|
* Tue Jan 09 2024 Zdenek Pytela <zpytela@redhat.com> - 40.9-1
|
|
- Allow systemd-sleep set attributes of efivarfs files
|
|
- Allow samba-dcerpcd read public files
|
|
- Allow spamd_update_t the sys_ptrace capability in user namespace
|
|
- Allow bluetooth devices work with alsa
|
|
- Allow alsa get attributes filesystems with extended attributes
|
|
|
|
* Tue Jan 02 2024 Yaakov Selkowitz <yselkowi@redhat.com> - 40.8-2
|
|
- Limit %%selinux_requires to version, not release
|
|
|
|
* Thu Dec 21 2023 Zdenek Pytela <zpytela@redhat.com> - 40.8-1
|
|
- Allow hypervkvp_t write access to NetworkManager_etc_rw_t
|
|
- Add interface for write-only access to NetworkManager rw conf
|
|
- Allow systemd-sleep send a message to syslog over a unix dgram socket
|
|
- Allow init create and use netlink netfilter socket
|
|
- Allow qatlib load kernel modules
|
|
- Allow qatlib run lspci
|
|
- Allow qatlib manage its private runtime socket files
|
|
- Allow qatlib read/write vfio devices
|
|
- Label /etc/redis.conf with redis_conf_t
|
|
- Remove the lockdown-class rules from the policy
|
|
- Allow init read all non-security socket files
|
|
- Replace redundant dnsmasq pattern macros
|
|
- Remove unneeded symlink perms in dnsmasq.if
|
|
- Add additions to dnsmasq interface
|
|
- Allow nvme_stas_t create and use netlink kobject uevent socket
|
|
- Allow collectd connect to statsd port
|
|
- Allow keepalived_t to use sys_ptrace of cap_userns
|
|
- Allow dovecot_auth_t connect to postgresql using UNIX socket
|
|
|
|
* Wed Dec 13 2023 Zdenek Pytela <zpytela@redhat.com> - 40.7-1
|
|
- Make named_zone_t and named_var_run_t a part of the mountpoint attribute
|
|
- Allow sysadm execute traceroute in sysadm_t domain using sudo
|
|
- Allow sysadm execute tcpdump in sysadm_t domain using sudo
|
|
- Allow opafm search nfs directories
|
|
- Add support for syslogd unconfined scripts
|
|
- Allow gpsd use /dev/gnss devices
|
|
- Allow gpg read rpm cache
|
|
- Allow virtqemud additional permissions
|
|
- Allow virtqemud manage its private lock files
|
|
- Allow virtqemud use the io_uring api
|
|
- Allow ddclient send e-mail notifications
|
|
- Allow postfix_master_t map postfix data files
|
|
- Allow init create and use vsock sockets
|
|
- Allow thumb_t append to init unix domain stream sockets
|
|
- Label /dev/vas with vas_device_t
|
|
- Change domain_kernel_load_modules boolean to true
|
|
- Create interface selinux_watch_config and add it to SELinux users
|
|
|
|
* Tue Nov 28 2023 Zdenek Pytela <zpytela@redhat.com> - 40.6-1
|
|
- Add afterburn to modules-targeted-contrib.conf
|
|
- Update cifs interfaces to include fs_search_auto_mountpoints()
|
|
- Allow sudodomain read var auth files
|
|
- Allow spamd_update_t read hardware state information
|
|
- Allow virtnetworkd domain transition on tc command execution
|
|
- Allow sendmail MTA connect to sendmail LDA
|
|
- Allow auditd read all domains process state
|
|
- Allow rsync read network sysctls
|
|
- Add dhcpcd bpf capability to run bpf programs
|
|
- Dontaudit systemd-hwdb dac_override capability
|
|
- Allow systemd-sleep create efivarfs files
|
|
|
|
* Tue Nov 14 2023 Zdenek Pytela <zpytela@redhat.com> - 40.5-1
|
|
- Allow map xserver_tmpfs_t files when xserver_clients_write_xshm is on
|
|
- Allow graphical applications work in Wayland
|
|
- Allow kdump work with PrivateTmp
|
|
- Allow dovecot-auth work with PrivateTmp
|
|
- Allow nfsd get attributes of all filesystems
|
|
- Allow unconfined_domain_type use io_uring cmd on domain
|
|
- ci: Only run Rawhide revdeps tests on the rawhide branch
|
|
- Label /var/run/auditd.state as auditd_var_run_t
|
|
- Allow fido-device-onboard (FDO) read the crack database
|
|
- Allow ip an explicit domain transition to other domains
|
|
- Label /usr/libexec/selinux/selinux-autorelabel with semanage_exec_t
|
|
- Allow winbind_rpcd_t processes access when samba_export_all_* is on
|
|
- Enable NetworkManager and dhclient to use initramfs-configured DHCP connection
|
|
- Allow ntp to bind and connect to ntske port.
|
|
- Allow system_mail_t manage exim spool files and dirs
|
|
- Dontaudit keepalived setattr on keepalived_unconfined_script_exec_t
|
|
- Label /run/pcsd.socket with cluster_var_run_t
|
|
- ci: Run cockpit tests in PRs
|
|
|
|
* Thu Oct 19 2023 Zdenek Pytela <zpytela@redhat.com> - 40.4-1
|
|
- Add map_read map_write to kernel_prog_run_bpf
|
|
- Allow systemd-fstab-generator read all symlinks
|
|
- Allow systemd-fstab-generator the dac_override capability
|
|
- Allow rpcbind read network sysctls
|
|
- Support using systemd containers
|
|
- Allow sysadm_t to connect to iscsid using a unix domain stream socket
|
|
- Add policy for coreos installer
|
|
- Add coreos_installer to modules-targeted-contrib.conf
|
|
|
|
* Tue Oct 17 2023 Zdenek Pytela <zpytela@redhat.com> - 40.3-1
|
|
- Add policy for nvme-stas
|
|
- Confine systemd fstab,sysv,rc-local
|
|
- Label /etc/aliases.lmdb with etc_aliases_t
|
|
- Create policy for afterburn
|
|
- Add nvme_stas to modules-targeted-contrib.conf
|
|
- Add plans/tests.fmf
|
|
|
|
* Tue Oct 10 2023 Zdenek Pytela <zpytela@redhat.com> - 40.2-1
|
|
- Add the virt_supplementary module to modules-targeted-contrib.conf
|
|
- Make new virt drivers permissive
|
|
- Split virt policy, introduce virt_supplementary module
|
|
- Allow apcupsd cgi scripts read /sys
|
|
- Merge pull request #1893 from WOnder93/more-early-boot-overlay-fixes
|
|
- Allow kernel_t to manage and relabel all files
|
|
- Add missing optional_policy() to files_relabel_all_files()
|
|
|
|
* Tue Oct 03 2023 Zdenek Pytela <zpytela@redhat.com> - 40.1-1
|
|
- Allow named and ndc use the io_uring api
|
|
- Deprecate common_anon_inode_perms usage
|
|
- Improve default file context(None) of /var/lib/authselect/backups
|
|
- Allow udev_t to search all directories with a filesystem type
|
|
- Implement proper anon_inode support
|
|
- Allow targetd write to the syslog pid sock_file
|
|
- Add ipa_pki_retrieve_key_exec() interface
|
|
- Allow kdumpctl_t to list all directories with a filesystem type
|
|
- Allow udev additional permissions
|
|
- Allow udev load kernel module
|
|
- Allow sysadm_t to mmap modules_object_t files
|
|
- Add the unconfined_read_files() and unconfined_list_dirs() interfaces
|
|
- Set default file context of HOME_DIR/tmp/.* to <<none>>
|
|
- Allow kernel_generic_helper_t to execute mount(1)
|
|
|
|
* Fri Sep 29 2023 Zdenek Pytela <zpytela@redhat.com> - 38.29-1
|
|
- Allow sssd send SIGKILL to passkey_child running in ipa_otpd_t
|
|
- Allow systemd-localed create Xserver config dirs
|
|
- Allow sssd read symlinks in /etc/sssd
|
|
- Label /dev/gnss[0-9] with gnss_device_t
|
|
- Allow systemd-sleep read/write efivarfs variables
|
|
- ci: Fix version number of packit generated srpms
|
|
- Dontaudit rhsmcertd write memory device
|
|
- Allow ssh_agent_type create a sockfile in /run/user/USERID
|
|
- Set default file context of /var/lib/authselect/backups to <<none>>
|
|
- Allow prosody read network sysctls
|
|
- Allow cupsd_t to use bpf capability
|
|
|
|
* Fri Sep 15 2023 Zdenek Pytela <zpytela@redhat.com> - 38.28-1
|
|
- Allow sssd domain transition on passkey_child execution conditionally
|
|
- Allow login_userdomain watch lnk_files in /usr
|
|
- Allow login_userdomain watch video4linux devices
|
|
- Change systemd-network-generator transition to include class file
|
|
- Revert "Change file transition for systemd-network-generator"
|
|
- Allow nm-dispatcher winbind plugin read/write samba var files
|
|
- Allow systemd-networkd write to cgroup files
|
|
- Allow kdump create and use its memfd: objects
|
|
|
|
* Thu Aug 31 2023 Zdenek Pytela <zpytela@redhat.com> - 38.27-1
|
|
- Allow fedora-third-party get generic filesystem attributes
|
|
- Allow sssd use usb devices conditionally
|
|
- Update policy for qatlib
|
|
- Allow ssh_agent_type manage generic cache home files
|
|
|
|
* Thu Aug 24 2023 Zdenek Pytela <zpytela@redhat.com> - 38.26-1
|
|
- Change file transition for systemd-network-generator
|
|
- Additional support for gnome-initial-setup
|
|
- Update gnome-initial-setup policy for geoclue
|
|
- Allow openconnect vpn open vhost net device
|
|
- Allow cifs.upcall to connect to SSSD also through the /var/run socket
|
|
- Grant cifs.upcall more required capabilities
|
|
- Allow xenstored map xenfs files
|
|
- Update policy for fdo
|
|
- Allow keepalived watch var_run dirs
|
|
- Allow svirt to rw /dev/udmabuf
|
|
- Allow qatlib to modify hardware state information.
|
|
- Allow key.dns_resolve connect to avahi over a unix stream socket
|
|
- Allow key.dns_resolve create and use unix datagram socket
|
|
- Use quay.io as the container image source for CI
|
|
|
|
* Fri Aug 11 2023 Zdenek Pytela <zpytela@redhat.com> - 38.25-1
|
|
- ci: Move srpm/rpm build to packit
|
|
- .copr: Avoid subshell and changing directory
|
|
- Allow gpsd, oddjob and oddjob_mkhomedir_t write user_tty_device_t chr_file
|
|
- Label /usr/libexec/openssh/ssh-pkcs11-helper with ssh_agent_exec_t
|
|
- Make insights_client_t an unconfined domain
|
|
- Allow insights-client manage user temporary files
|
|
- Allow insights-client create all rpm logs with a correct label
|
|
- Allow insights-client manage generic logs
|
|
- Allow cloud_init create dhclient var files and init_t manage net_conf_t
|
|
- Allow insights-client read and write cluster tmpfs files
|
|
- Allow ipsec read nsfs files
|
|
- Make tuned work with mls policy
|
|
- Remove nsplugin_role from mozilla.if
|
|
- allow mon_procd_t self:cap_userns sys_ptrace
|
|
- Allow pdns name_bind and name_connect all ports
|
|
- Set the MLS range of fsdaemon_t to s0 - mls_systemhigh
|
|
- ci: Move to actions/checkout@v3 version
|
|
- .copr: Replace chown call with standard workflow safe.directory setting
|
|
- .copr: Enable `set -u` for robustness
|
|
- .copr: Simplify root directory variable
|
|
|
|
* Fri Aug 04 2023 Zdenek Pytela <zpytela@redhat.com> - 38.24-1
|
|
- Allow rhsmcertd dbus chat with policykit
|
|
- Allow polkitd execute pkla-check-authorization with nnp transition
|
|
- Allow user_u and staff_u get attributes of non-security dirs
|
|
- Allow unconfined user filetrans chrome_sandbox_home_t
|
|
- Allow svnserve execute postdrop with a transition
|
|
- Do not make postfix_postdrop_t type an MTA executable file
|
|
- Allow samba-dcerpc service manage samba tmp files
|
|
- Add use_nfs_home_dirs boolean for mozilla_plugin
|
|
- Fix labeling for no-stub-resolv.conf
|
|
|
|
* Wed Aug 02 2023 Zdenek Pytela <zpytela@redhat.com> - 38.23-1
|
|
- Revert "Allow winbind-rpcd use its private tmp files"
|
|
- Allow upsmon execute upsmon via a helper script
|
|
- Allow openconnect vpn read/write inherited vhost net device
|
|
- Allow winbind-rpcd use its private tmp files
|
|
- Update samba-dcerpc policy for printing
|
|
- Allow gpsd,oddjob,oddjob_mkhomedir rw user domain pty
|
|
- Allow nscd watch system db dirs
|
|
- Allow qatlib to read sssd public files
|
|
- Allow fedora-third-party read /sys and proc
|
|
- Allow systemd-gpt-generator mount a tmpfs filesystem
|
|
- Allow journald write to cgroup files
|
|
- Allow rpc.mountd read network sysctls
|
|
- Allow blueman read the contents of the sysfs filesystem
|
|
- Allow logrotate_t to map generic files in /etc
|
|
- Boolean: Allow virt_qemu_ga create ssh directory
|
|
|
|
* Tue Jul 25 2023 Zdenek Pytela <zpytela@redhat.com> - 38.22-1
|
|
- Allow systemd-network-generator send system log messages
|
|
- Dontaudit the execute permission on sock_file globally
|
|
- Allow fsadm_t the file mounton permission
|
|
- Allow named and ndc the io_uring sqpoll permission
|
|
- Allow sssd io_uring sqpoll permission
|
|
- Fix location for /run/nsd
|
|
- Allow qemu-ga get fixed disk devices attributes
|
|
- Update bitlbee policy
|
|
- Label /usr/sbin/sos with sosreport_exec_t
|
|
- Update policy for the sblim-sfcb service
|
|
- Add the files_getattr_non_auth_dirs() interface
|
|
- Fix the CI to work with DNF5
|
|
|
|
* Sat Jul 22 2023 Fedora Release Engineering <releng@fedoraproject.org> - 38.21-2
|
|
- Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild
|
|
|
|
* Thu Jul 13 2023 Zdenek Pytela <zpytela@redhat.com> - 38.21-1
|
|
- Make systemd_tmpfiles_t MLS trusted for lowering the level of files
|
|
- Revert "Allow insights client map cache_home_t"
|
|
- Allow nfsidmapd connect to systemd-machined over a unix socket
|
|
- Allow snapperd connect to kernel over a unix domain stream socket
|
|
- Allow virt_qemu_ga_t create .ssh dir with correct label
|
|
- Allow targetd read network sysctls
|
|
- Set the abrt_handle_event boolean to on
|
|
- Permit kernel_t to change the user identity in object contexts
|
|
- Allow insights client map cache_home_t
|
|
- Label /usr/sbin/mariadbd with mysqld_exec_t
|
|
- Trim changelog so that it starts at F37 time
|
|
- Define equivalency for /run/systemd/generator.early
|
|
|
|
* Thu Jun 29 2023 Zdenek Pytela <zpytela@redhat.com> - 38.20-1
|
|
- Allow httpd tcp connect to redis port conditionally
|
|
- Label only /usr/sbin/ripd and ripngd with zebra_exec_t
|
|
- Dontaudit aide the execmem permission
|
|
- Remove permissive from fdo
|
|
- Allow sa-update manage spamc home files
|
|
- Allow sa-update connect to systemlog services
|
|
- Label /usr/lib/systemd/system/mimedefang.service with antivirus_unit_file_t
|
|
- Allow nsd_crond_t write nsd_var_run_t & connectto nsd_t
|
|
- Allow bootupd search EFI directory
|
|
|
|
* Tue Jun 27 2023 Zdenek Pytela <zpytela@redhat.com> - 38.19-1
|
|
- Change init_audit_control default value to true
|
|
- Allow nfsidmapd connect to systemd-userdbd with a unix socket
|
|
- Add the qatlib module
|
|
- Add the fdo module
|
|
- Add the bootupd module
|
|
- Set default ports for keylime policy
|
|
- Create policy for qatlib
|
|
- Add policy for FIDO Device Onboard
|
|
- Add policy for bootupd
|
|
- Add the qatlib module
|
|
- Add the fdo module
|
|
- Add the bootupd module
|
|
|
|
* Sun Jun 25 2023 Zdenek Pytela <zpytela@redhat.com> - 38.18-1
|
|
- Add support for kafs-dns requested by keyutils
|
|
- Allow insights-client execmem
|
|
- Add support for chronyd-restricted
|
|
- Add init_explicit_domain() interface
|
|
- Allow fsadm_t to get attributes of cgroup filesystems
|
|
- Add list_dir_perms to kerberos_read_keytab
|
|
- Label /var/run/tmpfiles.d/static-nodes.conf with kmod_var_run_t
|
|
- Allow sendmail manage its runtime files
|
|
- Allow keyutils_dns_resolver_exec_t be an entrypoint
|
|
- Allow collectd_t read network state symlinks
|
|
- Revert "Allow collectd_t read proc_net link files"
|
|
- Allow nfsd_t to list exports_t dirs
|
|
- Allow cupsd dbus chat with xdm
|
|
- Allow haproxy read hardware state information
|
|
- Add the kafs module
|
|
|
|
* Thu Jun 15 2023 Zdenek Pytela <zpytela@redhat.com> - 38.17-1
|
|
- Label /dev/userfaultfd with userfaultfd_t
|
|
- Allow blueman send general signals to unprivileged user domains
|
|
- Allow dkim-milter domain transition to sendmail
|
|
- Label /usr/sbin/cifs.idmap with cifs_helper_exec_t
|
|
- Allow cifs-helper read sssd kerberos configuration files
|
|
- Allow rpm_t sys_admin capability
|
|
- Allow dovecot_deliver_t create/map dovecot_spool_t dir/file
|
|
- Allow collectd_t read proc_net link files
|
|
- Allow insights-client getsession process permission
|
|
- Allow insights-client work with pipe and socket tmp files
|
|
- Allow insights-client map generic log files
|
|
- Update cyrus_stream_connect() to use sockets in /run
|
|
- Allow keyutils-dns-resolver read/view kernel key ring
|
|
- Label /var/log/kdump.log with kdump_log_t
|
|
|
|
* Fri Jun 09 2023 Zdenek Pytela <zpytela@redhat.com> - 38.16-1
|
|
- Add support for the systemd-pstore service
|
|
- Allow kdumpctl_t to execmem
|
|
- Update sendmail policy module for opensmtpd
|
|
- Allow nagios-mail-plugin exec postfix master
|
|
- Allow subscription-manager execute ip
|
|
- Allow ssh client connect with a user dbus instance
|
|
- Add support for ksshaskpass
|
|
- Allow rhsmcertd file transition in /run also for socket files
|
|
- Allow keyutils_dns_resolver_t execute keyutils_dns_resolver_exec_t
|
|
- Allow plymouthd read/write X server miscellaneous devices
|
|
- Allow systemd-sleep read udev pid files
|
|
- Allow exim read network sysctls
|
|
- Allow sendmail request load module
|
|
- Allow named map its conf files
|
|
- Allow squid map its cache files
|
|
- Allow NetworkManager_dispatcher_dhclient_t to execute shells without a domain transition
|
|
|
|
* Tue May 30 2023 Zdenek Pytela <zpytela@redhat.com> - 38.15-1
|
|
- Update policy for systemd-sleep
|
|
- Remove permissive domain for rshim_t
|
|
- Remove permissive domain for mptcpd_t
|
|
- Allow systemd-bootchartd the sys_ptrace userns capability
|
|
- Allow sysadm_t read nsfs files
|
|
- Allow sysadm_t run kernel bpf programs
|
|
- Update ssh_role_template for ssh-agent
|
|
- Update ssh_role_template to allow read/write unallocated ttys
|
|
- Add the booth module to modules.conf
|
|
- Allow firewalld rw ica_tmpfs_t files
|
|
|
|
* Fri May 26 2023 Zdenek Pytela <zpytela@redhat.com> - 38.14-1
|
|
- Remove permissive domain for cifs_helper_t
|
|
- Update the cifs-helper policy
|
|
- Replace cifsutils_helper_domtrans() with keyutils_request_domtrans_to()
|
|
- Update pkcsslotd policy for sandboxing
|
|
- Allow abrt_t read kernel persistent storage files
|
|
- Dontaudit targetd search httpd config dirs
|
|
- Allow init_t nnp domain transition to policykit_t
|
|
- Allow rpcd_lsad setcap and use generic ptys
|
|
- Allow samba-dcerpcd connect to systemd_machined over a unix socket
|
|
- Allow wireguard to rw network sysctls
|
|
- Add policy for boothd
|
|
- Allow kernel to manage its own BPF objects
|
|
- Label /usr/lib/systemd/system/proftpd.* & vsftpd.* with ftpd_unit_file_t
|
|
|
|
* Mon May 22 2023 Zdenek Pytela <zpytela@redhat.com> - 38.13-1
|
|
- Add initial policy for cifs-helper
|
|
- Label key.dns_resolver with keyutils_dns_resolver_exec_t
|
|
- Allow unconfined_service_t to create .gnupg labeled as gpg_secret_t
|
|
- Allow some systemd services write to cgroup files
|
|
- Allow NetworkManager_dispatcher_dhclient_t to read the DHCP configuration files
|
|
- Allow systemd resolved to bind to arbitrary nodes
|
|
- Allow plymouthd_t bpf capability to run bpf programs
|
|
- Allow cupsd to create samba_var_t files
|
|
- Allow rhsmcert request the kernel to load a module
|
|
- Allow virsh name_connect virt_port_t
|
|
- Allow certmonger manage cluster library files
|
|
- Allow plymouthd read init process state
|
|
- Add chromium_sandbox_t setcap capability
|
|
- Allow snmpd read raw disk data
|
|
- Allow samba-rpcd work with passwords
|
|
- Allow unconfined service inherit signal state from init
|
|
- Allow cloud-init manage gpg admin home content
|
|
- Allow cluster_t dbus chat with various services
|
|
- Allow nfsidmapd work with systemd-userdbd and sssd
|
|
- Allow unconfined_domain_type use IORING_OP_URING_CMD on all device nodes
|
|
- Allow plymouthd map dri and framebuffer devices
|
|
- Allow rpmdb_migrate execute rpmdb
|
|
- Allow logrotate dbus chat with systemd-hostnamed
|
|
- Allow icecast connect to kernel using a unix stream socket
|
|
- Allow lldpad connect to systemd-userdbd over a unix socket
|
|
- Allow journalctl open user domain ptys and ttys
|
|
- Allow keepalived to manage its tmp files
|
|
- Allow ftpd read network sysctls
|
|
- Label /run/bgpd with zebra_var_run_t
|
|
- Allow gssproxy read network sysctls
|
|
- Add the cifsutils module
|
|
|
|
* Tue Apr 25 2023 Zdenek Pytela <zpytela@redhat.com> - 38.12-1
|
|
- Allow telnetd read network sysctls
|
|
- Allow munin system plugin read generic SSL certificates
|
|
- Allow munin system plugin create and use netlink generic socket
|
|
- Allow login_userdomain create user namespaces
|
|
- Allow request-key to send syslog messages
|
|
- Allow request-key to read/view any key
|
|
- Add fs_delete_pstore_files() interface
|
|
- Allow insights-client work with teamdctl
|
|
- Allow insights-client read unconfined service semaphores
|
|
- Allow insights-client get quotas of all filesystems
|
|
- Add fs_read_pstore_files() interface
|
|
- Allow generic kernel helper to read inherited kernel pipes
|
|
|
|
* Fri Apr 14 2023 Zdenek Pytela <zpytela@redhat.com> - 38.11-1
|
|
- Allow dovecot-deliver write to the main process runtime fifo files
|
|
- Allow dmidecode write to cloud-init tmp files
|
|
- Allow chronyd send a message to cloud-init over a datagram socket
|
|
- Allow cloud-init domain transition to insights-client domain
|
|
- Allow mongodb read filesystem sysctls
|
|
- Allow mongodb read network sysctls
|
|
- Allow accounts-daemon read generic systemd unit lnk files
|
|
- Allow blueman watch generic device dirs
|
|
- Allow nm-dispatcher tlp plugin create tlp dirs
|
|
- Allow systemd-coredump mounton /usr
|
|
- Allow rabbitmq to read network sysctls
|
|
|
|
* Tue Apr 04 2023 Zdenek Pytela <zpytela@redhat.com> - 38.10-1
|
|
- Allow certmonger dbus chat with the cron system domain
|
|
- Allow geoclue read network sysctls
|
|
- Allow geoclue watch the /etc directory
|
|
- Allow logwatch_mail_t read network sysctls
|
|
- Allow insights-client read all sysctls
|
|
- Allow passt manage qemu pid sock files
|
|
|
|
* Fri Mar 24 2023 Zdenek Pytela <zpytela@redhat.com> - 38.9-1
|
|
- Allow sssd read accountsd fifo files
|
|
- Add support for the passt_t domain
|
|
- Allow virtd_t and svirt_t work with passt
|
|
- Add new interfaces in the virt module
|
|
- Add passt interfaces defined conditionally
|
|
- Allow tshark the setsched capability
|
|
- Allow poweroff create connections to system dbus
|
|
- Allow wg load kernel modules, search debugfs dir
|
|
- Boolean: allow qemu-ga manage ssh home directory
|
|
- Label smtpd with sendmail_exec_t
|
|
- Label msmtp and msmtpd with sendmail_exec_t
|
|
- Allow dovecot to map files in /var/spool/dovecot
|
|
|
|
* Fri Mar 03 2023 Zdenek Pytela <zpytela@redhat.com> - 38.8-1
|
|
- Confine gnome-initial-setup
|
|
- Allow qemu-guest-agent create and use vsock socket
|
|
- Allow login_pgm setcap permission
|
|
- Allow chronyc read network sysctls
|
|
- Enhancement of the /usr/sbin/request-key helper policy
|
|
- Fix opencryptoki file names in /dev/shm
|
|
- Allow system_cronjob_t transition to rpm_script_t
|
|
- Revert "Allow system_cronjob_t domtrans to rpm_script_t"
|
|
- Add tunable to allow squid bind snmp port
|
|
- Allow staff_t getattr init pid chr & blk files and read krb5
|
|
- Allow firewalld to rw z90crypt device
|
|
- Allow httpd work with tokens in /dev/shm
|
|
- Allow svirt to map svirt_image_t char files
|
|
- Allow sysadm_t run initrc_t script and sysadm_r role access
|
|
- Allow insights-client manage fsadm pid files
|
|
|
|
* Wed Feb 08 2023 Zdenek Pytela <zpytela@redhat.com> - 38.7-1
|
|
- Allowing snapper to create snapshots of /home/ subvolume/partition
|
|
- Add boolean qemu-ga to run unconfined script
|
|
- Label systemd-journald feature LogNamespace
|
|
- Add none file context for polyinstantiated tmp dirs
|
|
- Allow certmonger read the contents of the sysfs filesystem
|
|
- Add journalctl the sys_resource capability
|
|
- Allow nm-dispatcher plugins read generic files in /proc
|
|
- Add initial policy for the /usr/sbin/request-key helper
|
|
- Additional support for rpmdb_migrate
|
|
- Add the keyutils module
|
|
|
|
* Mon Jan 30 2023 Zdenek Pytela <zpytela@redhat.com> - 38.6-1
|
|
- Boolean: allow qemu-ga read ssh home directory
|
|
- Allow kernel_t to read/write all sockets
|
|
- Allow kernel_t to UNIX-stream connect to all domains
|
|
- Allow systemd-resolved send a datagram to journald
|
|
- Allow kernel_t to manage and have "execute" access to all files
|
|
- Fix the files_manage_all_files() interface
|
|
- Allow rshim bpf cap2 and read sssd public files
|
|
- Allow insights-client work with su and lpstat
|
|
- Allow insights-client tcp connect to all ports
|
|
- Allow nm-cloud-setup dispatcher plugin restart nm services
|
|
- Allow unconfined user filetransition for sudo log files
|
|
- Allow modemmanager create hardware state information files
|
|
- Allow ModemManager all permissions for netlink route socket
|
|
- Allow wg to send msg to kernel, write to syslog and dbus connections
|
|
- Allow hostname_t to read network sysctls.
|
|
- Dontaudit ftpd the execmem permission
|
|
- Allow svirt request the kernel to load a module
|
|
- Allow icecast rename its log files
|
|
- Allow upsd to send signal to itself
|
|
- Allow wireguard to create udp sockets and read net_conf
|
|
- Use '%autosetup' instead of '%setup'
|
|
- Pass -p 1 to '%autosetup'
|
|
|
|
* Sat Jan 21 2023 Fedora Release Engineering <releng@fedoraproject.org> - 38.5-2
|
|
- Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild
|
|
|
|
* Fri Jan 13 2023 Zdenek Pytela <zpytela@redhat.com> - 38.5-1
|
|
- Allow insights client work with gluster and pcp
|
|
- Add insights additional capabilities
|
|
- Add interfaces in domain, files, and unconfined modules
|
|
- Label fwupdoffline and fwupd-detect-cet with fwupd_exec_t
|
|
- Allow sudodomain use sudo.log as a logfile
|
|
- Allow pdns server map its library files and bind to unreserved ports
|
|
- Allow sysadm_t read/write ipmi devices
|
|
- Allow prosody manage its runtime socket files
|
|
- Allow kernel threads manage kernel keys
|
|
- Allow systemd-userdbd the sys_resource capability
|
|
- Allow systemd-journal list cgroup directories
|
|
- Allow apcupsd dbus chat with systemd-logind
|
|
- Allow nut_domain manage also files and sock_files in /var/run
|
|
- Allow winbind-rpcd make a TCP connection to the ldap port
|
|
- Label /usr/lib/rpm/rpmdb_migrate with rpmdb_exec_t
|
|
- Allow tlp read generic SSL certificates
|
|
- Allow systemd-resolved watch tmpfs directories
|
|
- Revert "Allow systemd-resolved watch tmpfs directories"
|
|
|
|
* Mon Dec 19 2022 Zdenek Pytela <zpytela@redhat.com> - 38.4-1
|
|
- Allow NetworkManager and wpa_supplicant the bpf capability
|
|
- Allow systemd-rfkill the bpf capability
|
|
- Allow winbind-rpcd manage samba_share_t files and dirs
|
|
- Label /var/lib/httpd/md(/.*)? with httpd_sys_rw_content_t
|
|
- Allow gpsd the sys_ptrace userns capability
|
|
- Introduce gpsd_tmp_t for sockfiles managed by gpsd_t
|
|
- Allow load_policy_t write to unallocated ttys
|
|
- Allow ndc read hardware state information
|
|
- Allow system mail service read inherited certmonger runtime files
|
|
- Add lpr_roles to system_r roles
|
|
- Revert "Allow insights-client run lpr and allow the proper role"
|
|
- Allow stalld to read /sys/kernel/security/lockdown file
|
|
- Allow keepalived to set resource limits
|
|
- Add policy for mptcpd
|
|
- Add policy for rshim
|
|
- Allow admin users to create user namespaces
|
|
- Allow journalctl relabel with var_log_t and syslogd_var_run_t files
|
|
- Do not run restorecon /etc/NetworkManager/dispatcher.d in targeted
|
|
- Trim changelog so that it starts at F35 time
|
|
- Add mptcpd and rshim modules
|
|
|
|
* Wed Dec 14 2022 Zdenek Pytela <zpytela@redhat.com> - 38.3-1
|
|
- Allow insights-client dbus chat with various services
|
|
- Allow insights-client tcp connect to various ports
|
|
- Allow insights-client run lpr and allow the proper role
|
|
- Allow insights-client work with pcp and manage user config files
|
|
- Allow redis get user names
|
|
- Allow kernel threads to use fds from all domains
|
|
- Allow systemd-modules-load load kernel modules
|
|
- Allow login_userdomain watch systemd-passwd pid dirs
|
|
- Allow insights-client dbus chat with abrt
|
|
- Grant kernel_t certain permissions in the system class
|
|
- Allow systemd-resolved watch tmpfs directories
|
|
- Allow systemd-timedated watch init runtime dir
|
|
- Make `bootc` be `install_exec_t`
|
|
- Allow systemd-coredump create user_namespace
|
|
- Allow syslog the setpcap capability
|
|
- donaudit virtlogd and dnsmasq execmem
|
|
|
|
* Tue Dec 06 2022 Zdenek Pytela <zpytela@redhat.com> - 38.2-1
|
|
- Don't make kernel_t an unconfined domain
|
|
- Don't allow kernel_t to execute bin_t/usr_t binaries without a transition
|
|
- Allow kernel_t to execute systemctl to do a poweroff/reboot
|
|
- Grant basic permissions to the domain created by systemd_systemctl_domain()
|
|
- Allow kernel_t to request module loading
|
|
- Allow kernel_t to do compute_create
|
|
- Allow kernel_t to manage perf events
|
|
- Grant almost all capabilities to kernel_t
|
|
- Allow kernel_t to fully manage all devices
|
|
- Revert "In domain_transition_pattern there is no permission allowing caller domain to execu_no_trans on entrypoint, this patch fixing this issue"
|
|
- Allow pulseaudio to write to session_dbusd tmp socket files
|
|
- Allow systemd and unconfined_domain_type create user_namespace
|
|
- Add the user_namespace security class
|
|
- Reuse tmpfs_t also for the ramfs filesystem
|
|
- Label udf tools with fsadm_exec_t
|
|
- Allow networkmanager_dispatcher_plugin work with nscd
|
|
- Watch_sb all file type directories.
|
|
- Allow spamc read hardware state information files
|
|
- Allow sysadm read ipmi devices
|
|
- Allow insights client communicate with cupsd, mysqld, openvswitch, redis
|
|
- Allow insights client read raw memory devices
|
|
- Allow the spamd_update_t domain get generic filesystem attributes
|
|
- Dontaudit systemd-gpt-generator the sys_admin capability
|
|
- Allow ipsec_t only read tpm devices
|
|
- Allow cups-pdf connect to the system log service
|
|
- Allow postfix/smtpd read kerberos key table
|
|
- Allow syslogd read network sysctls
|
|
- Allow cdcc mmap dcc-client-map files
|
|
- Add watch and watch_sb dosfs interface
|
|
|
|
* Mon Nov 21 2022 Zdenek Pytela <zpytela@redhat.com> - 38.1-1
|
|
- Revert "Allow sysadm_t read raw memory devices"
|
|
- Allow systemd-socket-proxyd get attributes of cgroup filesystems
|
|
- Allow rpc.gssd read network sysctls
|
|
- Allow winbind-rpcd get attributes of device and pty filesystems
|
|
- Allow insights-client domain transition on semanage execution
|
|
- Allow insights-client create gluster log dir with a transition
|
|
- Allow insights-client manage generic locks
|
|
- Allow insights-client unix_read all domain semaphores
|
|
- Add domain_unix_read_all_semaphores() interface
|
|
- Allow winbind-rpcd use the terminal multiplexor
|
|
- Allow mrtg send mails
|
|
- Allow systemd-hostnamed dbus chat with init scripts
|
|
- Allow sssd dbus chat with system cronjobs
|
|
- Add interface to watch all filesystems
|
|
- Add watch_sb interfaces
|
|
- Add watch interfaces
|
|
- Allow dhcpd bpf capability to run bpf programs
|
|
- Allow netutils and traceroute bpf capability to run bpf programs
|
|
- Allow pkcs_slotd_t bpf capability to run bpf programs
|
|
- Allow xdm bpf capability to run bpf programs
|
|
- Allow pcscd bpf capability to run bpf programs
|
|
- Allow lldpad bpf capability to run bpf programs
|
|
- Allow keepalived bpf capability to run bpf programs
|
|
- Allow ipsec bpf capability to run bpf programs
|
|
- Allow fprintd bpf capability to run bpf programs
|
|
- Allow systemd-socket-proxyd get filesystems attributes
|
|
- Allow dirsrv_snmp_t to manage dirsrv_config_t & dirsrv_var_run_t files
|
|
|
|
* Mon Oct 31 2022 Zdenek Pytela <zpytela@redhat.com> - 37.14-1
|
|
- Allow rotatelogs read httpd_log_t symlinks
|
|
- Add winbind-rpcd to samba_enable_home_dirs boolean
|
|
- Allow system cronjobs dbus chat with setroubleshoot
|
|
- Allow setroubleshootd read device sysctls
|
|
- Allow virt_domain read device sysctls
|
|
- Allow rhcd compute selinux access vector
|
|
- Allow insights-client manage samba var dirs
|
|
- Label ports 10161-10162 tcp/udp with snmp
|
|
- Allow aide to connect to systemd_machined with a unix socket.
|
|
- Allow samba-dcerpcd use NSCD services over a unix stream socket
|
|
- Allow vlock search the contents of the /dev/pts directory
|
|
- Allow insights-client send null signal to rpm and system cronjob
|
|
- Label port 15354/tcp and 15354/udp with opendnssec
|
|
- Allow ftpd map ftpd_var_run files
|
|
- Allow targetclid to manage tmp files
|
|
- Allow insights-client connect to postgresql with a unix socket
|
|
- Allow insights-client domtrans on unix_chkpwd execution
|
|
- Add file context entries for insights-client and rhc
|
|
- Allow pulseaudio create gnome content (~/.config)
|
|
- Allow login_userdomain dbus chat with rhsmcertd
|
|
- Allow sbd the sys_ptrace capability
|
|
- Allow ptp4l_t name_bind ptp_event_port_t
|
|
|
|
* Mon Oct 03 2022 Zdenek Pytela <zpytela@redhat.com> - 37.13-1
|
|
- Remove the ipa module
|
|
- Allow sss daemons read/write unnamed pipes of cloud-init
|
|
- Allow postfix_mailqueue create and use unix dgram sockets
|
|
- Allow xdm watch user home directories
|
|
- Allow nm-dispatcher ddclient plugin load a kernel module
|
|
- Stop ignoring standalone interface files
|
|
- Drop cockpit module
|
|
- Allow init map its private tmp files
|
|
- Allow xenstored change its hard resource limits
|
|
- Allow system_mail-t read network sysctls
|
|
- Add bgpd sys_chroot capability
|
|
|
|
* Thu Sep 22 2022 Zdenek Pytela <zpytela@redhat.com> - 37.12-1
|
|
- nut-upsd: kernel_read_system_state, fs_getattr_cgroup
|
|
- Add numad the ipc_owner capability
|
|
- Allow gst-plugin-scanner read virtual memory sysctls
|
|
- Allow init read/write inherited user fifo files
|
|
- Update dnssec-trigger policy: setsched, module_request
|
|
- added policy for systemd-socket-proxyd
|
|
- Add the new 'cmd' permission to the 'io_uring' class
|
|
- Allow winbind-rpcd read and write its key ring
|
|
- Label /run/NetworkManager/no-stub-resolv.conf net_conf_t
|
|
- blueman-mechanism can read ~/.local/lib/python*/site-packages directory
|
|
- pidof executed by abrt can readlink /proc/*/exe
|
|
- Fix typo in comment
|
|
- Do not run restorecon /etc/NetworkManager/dispatcher.d in mls and minimum
|
|
|
|
* Wed Sep 14 2022 Zdenek Pytela <zpytela@redhat.com> - 37.11-1
|
|
- Allow tor get filesystem attributes
|
|
- Allow utempter append to login_userdomain stream
|
|
- Allow login_userdomain accept a stream connection to XDM
|
|
- Allow login_userdomain write to boltd named pipes
|
|
- Allow staff_u and user_u users write to bolt pipe
|
|
- Allow login_userdomain watch various directories
|
|
- Update rhcd policy for executing additional commands 5
|
|
- Update rhcd policy for executing additional commands 4
|
|
- Allow rhcd create rpm hawkey logs with correct label
|
|
- Allow systemd-gpt-auto-generator to check for empty dirs
|
|
- Update rhcd policy for executing additional commands 3
|
|
- Allow journalctl read rhcd fifo files
|
|
- Update insights-client policy for additional commands execution 5
|
|
- Allow init remount all file_type filesystems
|
|
- Confine insights-client systemd unit
|
|
- Update insights-client policy for additional commands execution 4
|
|
- Allow pcp pmcd search tracefs and acct_data dirs
|
|
- Allow httpd read network sysctls
|
|
- Dontaudit domain map permission on directories
|
|
- Revert "Allow X userdomains to mmap user_fonts_cache_t dirs"
|
|
- Revert "Allow xdm_t domain to mmap /var/lib/gdm/.cache/fontconfig BZ(1725509)"
|
|
- Update insights-client policy for additional commands execution 3
|
|
- Allow systemd permissions needed for sandboxed services
|
|
- Add rhcd module
|
|
- Make dependency on rpm-plugin-selinux unordered
|
|
|
|
* Fri Sep 02 2022 Zdenek Pytela <zpytela@redhat.com> - 37.10-1
|
|
- Allow ipsec_t read/write tpm devices
|
|
- Allow rhcd execute all executables
|
|
- Update rhcd policy for executing additional commands 2
|
|
- Update insights-client policy for additional commands execution 2
|
|
- Allow sysadm_t read raw memory devices
|
|
- Allow chronyd send and receive chronyd/ntp client packets
|
|
- Allow ssh client read kerberos homedir config files
|
|
- Label /var/log/rhc-worker-playbook with rhcd_var_log_t
|
|
- Update insights-client policy (auditctl, gpg, journal)
|
|
- Allow system_cronjob_t domtrans to rpm_script_t
|
|
- Allow smbd_t process noatsecure permission for winbind_rpcd_t
|
|
- Update tor_bind_all_unreserved_ports interface
|
|
- Allow chronyd bind UDP sockets to ptp_event ports.
|
|
- Allow unconfined and sysadm users transition for /root/.gnupg
|
|
- Add gpg_filetrans_admin_home_content() interface
|
|
- Update rhcd policy for executing additional commands
|
|
- Update insights-client policy for additional commands execution
|
|
- Add userdom_view_all_users_keys() interface
|
|
- Allow gpg read and write generic pty type
|
|
- Allow chronyc read and write generic pty type
|
|
- Allow system_dbusd ioctl kernel with a unix stream sockets
|
|
- Allow samba-bgqd to read a printer list
|
|
- Allow stalld get and set scheduling policy of all domains.
|
|
- Allow unconfined_t transition to targetclid_home_t
|
|
|
|
* Thu Aug 11 2022 Zdenek Pytela <zpytela@redhat.com> - 37.9-1
|
|
- Allow nm-dispatcher custom plugin dbus chat with nm
|
|
- Allow nm-dispatcher sendmail plugin get status of systemd services
|
|
- Allow xdm read the kernel key ring
|
|
- Allow login_userdomain check status of mount units
|
|
- Allow postfix/smtp and postfix/virtual read kerberos key table
|
|
- Allow services execute systemd-notify
|
|
- Do not allow login_userdomain use sd_notify()
|
|
- Allow launch-xenstored read filesystem sysctls
|
|
- Allow systemd-modules-load write to /dev/kmsg and send a message to syslogd
|
|
- Allow openvswitch fsetid capability
|
|
- Allow openvswitch use its private tmpfs files and dirs
|
|
- Allow openvswitch search tracefs dirs
|
|
- Allow pmdalinux read files on an nfsd filesystem
|
|
- Allow winbind-rpcd write to winbind pid files
|
|
- Allow networkmanager to signal unconfined process
|
|
- Allow systemd_hostnamed label /run/systemd/* as hostnamed_etc_t
|
|
- Allow samba-bgqd get a printer list
|
|
- fix(init.fc): Fix section description
|
|
- Allow fedora-third-party read the passwords file
|
|
- Remove permissive domain for rhcd_t
|
|
- Allow pmie read network state information and network sysctls
|
|
- Revert "Dontaudit domain the fowner capability"
|
|
- Allow sysadm_t to run bpftool on the userdomain attribute
|
|
- Add the userdom_prog_run_bpf_userdomain() interface
|
|
- Allow insights-client rpm named file transitions
|
|
- Add /var/tmp/insights-archive to insights_client_filetrans_named_content
|
|
|
|
* Mon Aug 01 2022 Zdenek Pytela <zpytela@redhat.com> - 37.8-1
|
|
- Allow sa-update to get init status and start systemd files
|
|
- Use insights_client_filetrans_named_content
|
|
- Make default file context match with named transitions
|
|
- Allow nm-dispatcher tlp plugin send system log messages
|
|
- Allow nm-dispatcher tlp plugin create and use unix_dgram_socket
|
|
- Add permissions to manage lnk_files into gnome_manage_home_config
|
|
- Allow rhsmcertd to read insights config files
|
|
- Label /etc/insights-client/machine-id
|
|
- fix(devices.fc): Replace single quote in comment to solve parsing issues
|
|
- Make NetworkManager_dispatcher_custom_t an unconfined domain
|
|
|
|
* Sat Jul 23 2022 Fedora Release Engineering <releng@fedoraproject.org> - 37.7-2
|
|
- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild
|
|
|
|
* Thu Jul 14 2022 Zdenek Pytela <zpytela@redhat.com> - 37.7-1
|
|
- Update winbind_rpcd_t
|
|
- Allow some domains use sd_notify()
|
|
- Revert "Allow rabbitmq to use systemd notify"
|
|
- fix(sedoctool.py): Fix syntax warning: "is not" with a literal
|
|
- Allow nm-dispatcher console plugin manage etc files
|
|
- Allow networkmanager_dispatcher_plugin list NetworkManager_etc_t dirs
|
|
- Allow nm-dispatcher console plugin setfscreate
|
|
- Support using systemd-update-helper in rpm scriptlets
|
|
- Allow nm-dispatcher winbind plugin read samba config files
|
|
- Allow domain use userfaultfd over all domains
|
|
- Allow cups-lpd read network sysctls
|
|
|
|
* Wed Jun 29 2022 Zdenek Pytela <zpytela@redhat.com> - 37.6-1
|
|
- Allow stalld set scheduling policy of kernel threads
|
|
- Allow targetclid read /var/target files
|
|
- Allow targetclid read generic SSL certificates (fixed)
|
|
- Allow firewalld read the contents of the sysfs filesystem
|
|
- Fix file context pattern for /var/target
|
|
- Use insights_client_etc_t in insights_search_config()
|
|
- Allow nm-dispatcher ddclient plugin handle systemd services
|
|
- Allow nm-dispatcher winbind plugin run smbcontrol
|
|
- Allow nm-dispatcher custom plugin create and use unix dgram socket
|
|
- Update samba-dcerpcd policy for kerberos usage 2
|
|
- Allow keepalived read the contents of the sysfs filesystem
|
|
- Allow amandad read network sysctls
|
|
- Allow cups-lpd read network sysctls
|
|
- Allow kpropd read network sysctls
|
|
- Update insights_client_filetrans_named_content()
|
|
- Allow rabbitmq to use systemd notify
|
|
- Label /var/target with targetd_var_t
|
|
- Allow targetclid read generic SSL certificates
|
|
- Update rhcd policy
|
|
- Allow rhcd search insights configuration directories
|
|
- Add the kernel_read_proc_files() interface
|
|
- Require policycoreutils >= 3.4-1
|
|
- Add a script for enclosing interfaces in ifndef statements
|
|
- Disable rpm verification on interface_info
|
|
|
|
* Wed Jun 22 2022 Zdenek Pytela <zpytela@redhat.com> - 37.5-1
|
|
- Allow transition to insights_client named content
|
|
- Add the insights_client_filetrans_named_content() interface
|
|
- Update policy for insights-client to run additional commands 3
|
|
- Allow dhclient manage pid files used by chronyd
|
|
- Allow stalld get scheduling policy of kernel threads
|
|
- Allow samba-dcerpcd work with sssd
|
|
- Allow dlm_controld send a null signal to a cluster daemon
|
|
- Allow ksmctl create hardware state information files
|
|
- Allow winbind_rpcd_t connect to self over a unix_stream_socket
|
|
- Update samba-dcerpcd policy for kerberos usage
|
|
- Allow insights-client execute its private memfd: objects
|
|
- Update policy for insights-client to run additional commands 2
|
|
- Use insights_client_tmp_t instead of insights_client_var_tmp_t
|
|
- Change space indentation to tab in insights-client
|
|
- Use socket permissions sets in insights-client
|
|
- Update policy for insights-client to run additional commands
|
|
- Change rpm_setattr_db_files() to use a pattern
|
|
- Allow init_t to rw insights_client unnamed pipe
|
|
- Add rpm setattr db files macro
|
|
- Fix insights client
|
|
- Update kernel_read_unix_sysctls() for sysctl_net_unix_t handling
|
|
- Allow rabbitmq to access its private memfd: objects
|
|
- Update policy for samba-dcerpcd
|
|
- Allow stalld setsched and sys_nice
|
|
|
|
* Tue Jun 07 2022 Zdenek Pytela <zpytela@redhat.com> - 37.4-1
|
|
- Allow auditd_t noatsecure for a transition to audisp_remote_t
|
|
- Allow ctdbd nlmsg_read on netlink_tcpdiag_socket
|
|
- Allow pcp_domain execute its private memfd: objects
|
|
- Add support for samba-dcerpcd
|
|
- Add policy for wireguard
|
|
- Confine targetcli
|
|
- Allow systemd work with install_t unix stream sockets
|
|
- Allow iscsid the sys_ptrace userns capability
|
|
- Allow xdm connect to unconfined_service_t over a unix stream socket
|
|
|
|
* Fri May 27 2022 Zdenek Pytela <zpytela@redhat.com> - 37.3-1
|
|
- Allow nm-dispatcher custom plugin execute systemctl
|
|
- Allow nm-dispatcher custom plugin dbus chat with nm
|
|
- Allow nm-dispatcher custom plugin create and use udp socket
|
|
- Allow nm-dispatcher custom plugin create and use netlink_route_socket
|
|
- Use create_netlink_socket_perms in netlink_route_socket class permissions
|
|
- Add support for nm-dispatcher sendmail scripts
|
|
- Allow sslh net_admin capability
|
|
- Allow insights-client manage gpg admin home content
|
|
- Add the gpg_manage_admin_home_content() interface
|
|
- Allow rhsmcertd create generic log files
|
|
- Update logging_create_generic_logs() to use create_files_pattern()
|
|
- Label /var/cache/insights with insights_client_cache_t
|
|
- Allow insights-client search gconf homedir
|
|
- Allow insights-client create and use unix_dgram_socket
|
|
- Allow blueman execute its private memfd: files
|
|
- Move the chown call into make-srpm.sh
|
|
|
|
* Fri May 06 2022 Zdenek Pytela <zpytela@redhat.com> - 37.2-1
|
|
- Use the networkmanager_dispatcher_plugin attribute in allow rules
|
|
- Make a custom nm-dispatcher plugin transition
|
|
- Label port 4784/tcp and 4784/udp with bfd_multi
|
|
- Allow systemd watch and watch_reads user ptys
|
|
- Allow sblim-gatherd the kill capability
|
|
- Label more vdsm utils with virtd_exec_t
|
|
- Add ksm service to ksmtuned
|
|
- Add rhcd policy
|
|
- Dontaudit guest attempts to dbus chat with systemd domains
|
|
- Dontaudit guest attempts to dbus chat with system bus types
|
|
- Use a named transition in systemd_hwdb_manage_config()
|
|
- Add default fc specifications for patterns in /opt
|
|
- Add the files_create_etc_files() interface
|
|
- Allow nm-dispatcher console plugin create and write files in /etc
|
|
- Allow nm-dispatcher console plugin transition to the setfiles domain
|
|
- Allow more nm-dispatcher plugins append to init stream sockets
|
|
- Allow nm-dispatcher tlp plugin dbus chat with nm
|
|
- Reorder networkmanager_dispatcher_plugin_template() calls
|
|
- Allow svirt connectto virtlogd
|
|
- Allow blueman map its private memfd: files
|
|
- Allow sysadm user execute init scripts with a transition
|
|
- Allow sblim-sfcbd connect to sblim-reposd stream
|
|
- Allow keepalived_unconfined_script_t dbus chat with init
|
|
- Run restorecon with "-i" not to report errors
|
|
|
|
* Mon May 02 2022 Zdenek Pytela <zpytela@redhat.com> - 37.1-1
|
|
- Fix users for SELinux userspace 3.4
|
|
- Label /var/run/machine-id as machineid_t
|
|
- Add stalld to modules.conf
|
|
- Use files_tmpfs_file() for rhsmcertd_tmpfs_t
|
|
- Allow blueman read/write its private memfd: objects
|
|
- Allow insights-client read rhnsd config files
|
|
- Allow insights-client create_socket_perms for tcp/udp sockets
|