c16bee6 * Sat Feb 02 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.2-48

Authored and Committed by lvrabec 5 years ago
    * Sat Feb 02 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.2-48
    - Allow sensord_t domain to use nsswitch and execute shell
    - Allow opafm_t domain to execute lib_t files
    - Allow opafm_t domain to manage kdump_crash_t files and dirs
    - Allow virt domains to read/write cephfs filesystems
    - Allow virtual machine to write to fixed_disk_device_t
    - Update kdump_manage_crash() interface to allow also manage dirs by caller domain
      Resolves: rhbz#1491585
    - Allow svnserve_t domain to create in /tmp svn_0 file labeled as krb5_host_rcache_t
    - Allow vhostmd_t read libvirt configuration files
    - Update dbus_role_template interface to allow userdomains to accept data from userdomain dbus domains
    - Allow boltd_t domain to read cache_home_t files BZ(1669911)
    - Allow winbind_t domain to check for existence of processes labeled as systemd_hostnamed_t BZ(1669912)
    - Allow gpg_agent_t to create own tmpfs dirs and sockets
    - Add multiple interfaces for vpnc interface file
    - Allow openvpn_t domain to manage vpnc pidfiles BZ(1667572)
    - Label /var/run/fcgiwrap dir as httpd_var_run_t BZ(1655702)
    - In MongoDB 3.4.16, 3.6.6, 4.0.0 and later, mongod reads netstat info from proc and stores it in its diagnostic system (FTDC).
      See: https://jira.mongodb.org/browse/SERVER-31400
      This means that we need to adjust the policy so that the mongod process is allowed to open and read /proc/net/netstat, which typically has symlinks (e.g. /proc/net/snmp).
    - Allow gssd_t domain to manage kernel keyrings of every domain.
    - Revert "Allow gssd_t domain to read/write kernel keyrings of every domain."
    - Add miscfiles_filetrans_named_content_letsencrypt() to optional_block
    - Allow unconfined domains to create letsencrypt directory in /var/lib labeled as cert_t
    - Allow staff_t user to systemctl iptables units.
    - Allow systemd to read selinux logind config
    - Allow transition from init_t domain to user_t domain during ssh login with confined user user_u
      Resolves: rhbz#1664448
    - Add interface systemd_hostnamed_signull()
    - Allow init_t domain access to USB ttys BZ(1663620)
    - Fix userdom_admin_user_template() interface by adding bluetooth,alg,dccp create_stream_socket permissions.
    - Allow init_t create a directory in directories with var_log_t label
    - Add new interface domain_manage_all_domains_keyrings()
file modified
+2 -0
file modified
+33 -3
file modified
+3 -3