08b890
%define distro redhat
771686
%define polyinstatiate n
1580c8
%define monolithic n
dc4ca7
%if %{?BUILD_DOC:0}%{!?BUILD_DOC:1}
dc4ca7
%define BUILD_DOC 1
dc4ca7
%endif
bd3f0e
%if %{?BUILD_TARGETED:0}%{!?BUILD_TARGETED:1}
bd3f0e
%define BUILD_TARGETED 1
bd3f0e
%endif
675bba
%if %{?BUILD_MINIMUM:0}%{!?BUILD_MINIMUM:1}
675bba
%define BUILD_MINIMUM 1
675bba
%endif
bd3f0e
%if %{?BUILD_MLS:0}%{!?BUILD_MLS:1}
211fb9
%define BUILD_MLS 1
bd3f0e
%endif
fa970c
%define POLICYVER 29
a345bb
%define POLICYCOREUTILSVER 2.4-0
a345bb
%define CHECKPOLICYVER 2.4-0
1580c8
Summary: SELinux policy configuration
1580c8
Name: selinux-policy
0f9b0d
Version: 3.13.1
a345bb
Release: 137%{?dist}.1
d83af2
License: GPLv2+
1580c8
Group: System Environment/Base
1580c8
Source: serefpolicy-%{version}.tgz
26e9de
# Use the following commands to create patches from https://github.com/fedora-selinux/selinux-policy
26e9de
# git diff eb4512f6eb13792c76ff8d3e6f2df3a7155db577 rawhide-base > policy-rawhide-base.patch
26e9de
# git diff 64302b790bf2b39d93610e1452c8361d56966ae0 rawhide-contrib > policy-rawhide-contrib.patch
eb0fd2
patch: policy-rawhide-base.patch
eb0fd2
patch1: policy-rawhide-contrib.patch
650be6
patch2: policy-rawhide-base-cockpit.patch
a27009
Source1: modules-targeted-base.conf 
a27009
Source31: modules-targeted-contrib.conf
504da9
Source2: booleans-targeted.conf
585f82
Source3: Makefile.devel
504da9
Source4: setrans-targeted.conf
a27009
Source5: modules-mls-base.conf
a27009
Source32: modules-mls-contrib.conf
487de6
Source6: booleans-mls.conf
504da9
Source8: setrans-mls.conf
ee095f
Source14: securetty_types-targeted
ee095f
Source15: securetty_types-mls
a27009
#Source16: modules-minimum.conf
675bba
Source17: booleans-minimum.conf
675bba
Source18: setrans-minimum.conf
675bba
Source19: securetty_types-minimum
80beee
Source20: customizable_types
faf9cb
Source21: config.tgz
fc05ac
Source22: users-mls
fc05ac
Source23: users-targeted
fc05ac
Source25: users-minimum
86354f
Source26: file_contexts.subs_dist
bce4ec
Source27: selinux-policy.conf
4a27ed
Source28: permissivedomains.pp
e392ec
Source29: serefpolicy-contrib-%{version}.tgz
c39563
Source30: booleans.subs_dist
3e930b
4dfcf7
Url: http://github.com/TresysTechnology/refpolicy/wiki
ca8bc2
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
1580c8
BuildArch: noarch
471c1e
BuildRequires: python gawk checkpolicy >= %{CHECKPOLICYVER} m4 policycoreutils-devel >= %{POLICYCOREUTILSVER} bzip2 
a27009
Requires(pre): policycoreutils >= %{POLICYCOREUTILSVER}
4a27ed
Requires(post): /bin/awk /usr/bin/sha512sum
1580c8
1335ee
%description 
9cef10
SELinux Base package for SELinux Reference Policy - modular.
9cef10
Based off of reference policy: Checked out revision  2.20091117
9cef10
1335ee
1335ee
%files 
487de6
%defattr(-,root,root,-)
4abfbc
%{!?_licensedir:%global license %%doc}
4abfbc
%license COPYING
585f82
%dir %{_usr}/share/selinux
62cfaf
%dir %{_usr}/share/selinux/packages
b59d07
%dir %{_sysconfdir}/selinux
585f82
%ghost %config(noreplace) %{_sysconfdir}/selinux/config
585f82
%ghost %{_sysconfdir}/sysconfig/selinux
4a27ed
%{_usr}/lib/tmpfiles.d/selinux-policy.conf
fdaea4
%attr(0755, root, root) %dir %{_rpmconfigdir}
fdaea4
%attr(0755, root, root) %dir %{_rpmconfigdir}/macros.d
26bb0a
%{_rpmconfigdir}/macros.d/macros.selinux-policy
1b0e09
1b0e09
%package sandbox
1b0e09
Summary: SELinux policy sandbox
1b0e09
Group: System Environment/Base
1b0e09
Requires(pre): selinux-policy-base = %{version}-%{release}
1b0e09
1b0e09
%description sandbox
1b0e09
SELinux sandbox policy used for the policycoreutils-sandbox package
1b0e09
1b0e09
%files sandbox
1b0e09
%defattr(-,root,root,-)
1b0e09
%verify(not md5 size mtime) /usr/share/selinux/packages/sandbox.pp
1b0e09
1b0e09
%post sandbox
# Clear any stale "disabled" marker for the sandbox module in both the old
# (/etc/selinux/*/modules) and the new (_sharedstatedir) store layouts,
# register the module in the store without reloading, then load the policy
# only if SELinux is actually on.  Never fails the install.
rm -f /etc/selinux/*/modules/active/modules/sandbox.pp.disabled 2>/dev/null
rm -f %{_sharedstatedir}/selinux/*/active/modules/disabled/sandbox 2>/dev/null
semodule -n -i /usr/share/selinux/packages/sandbox.pp
/usr/sbin/selinuxenabled && /usr/sbin/load_policy
exit 0
1b0e09
1b0e09
%preun sandbox
# Disable (not remove) the sandbox module in the store, then reload the policy
# if SELinux is on so the running kernel policy no longer carries it.
semodule -n -d sandbox 2>/dev/null
/usr/sbin/selinuxenabled && /usr/sbin/load_policy
exit 0
4a27ed
4a27ed
%package devel
4a27ed
Summary: SELinux policy devel
4a27ed
Group: System Environment/Base
4a27ed
Requires(pre): selinux-policy = %{version}-%{release}
a27009
Requires: m4 checkpolicy >= %{CHECKPOLICYVER}
a27009
Requires: /usr/bin/make
9f52d7
Requires(post): policycoreutils-devel >= %{POLICYCOREUTILSVER}
4a27ed
4a27ed
%description devel
4a27ed
SELinux policy development and man page package
4a27ed
4a27ed
%files devel
4a27ed
%defattr(-,root,root,-)
4a27ed
%{_mandir}/man*/*
4a27ed
%{_mandir}/ru/*/*
4a27ed
%dir %{_usr}/share/selinux/devel
4a27ed
%dir %{_usr}/share/selinux/devel/include
d19b68
%{_usr}/share/selinux/devel/include/*
a7c9a9
%dir %{_usr}/share/selinux/devel/html
a7c9a9
%{_usr}/share/selinux/devel/html/*html
5dcd63
%{_usr}/share/selinux/devel/html/*css
d19b68
%{_usr}/share/selinux/devel/Makefile
d19b68
%{_usr}/share/selinux/devel/example.*
bdd37e
%{_usr}/share/selinux/devel/policy.*
412570
9f52d7
%post devel
# Rebuild sepolgen's interface index from the freshly installed headers.
# Skipped when SELinux is off; its output and failures are deliberately
# ignored so the devel package can never fail to install because of it.
if selinuxenabled; then
    /usr/bin/sepolgen-ifgen 2>/dev/null
fi
exit 0
9f52d7
412570
%package doc
412570
Summary: SELinux policy documentation
412570
Group: System Environment/Base
412570
Requires(pre): selinux-policy = %{version}-%{release}
f5a104
Requires: /usr/bin/xdg-open
412570
412570
%description doc
412570
SELinux policy documentation package
412570
412570
%files doc
352daf
%defattr(-,root,root,-)
0ea841
%doc %{_usr}/share/doc/%{name}
d2c260
%attr(755,root,root) %{_usr}/share/selinux/devel/policyhelp
1335ee
487de6
# makeCmds STORE TYPE DIRECT_INITRC UNK_PERMS
# Prepare the refpolicy tree for one policy store: run the 'bare' and 'conf'
# targets with the build variables shared by every store (UBAC off, 1024
# MLS/MCS categories, DISTRO/MONOLITHIC from the file-level defines), then
# drop in the store's booleans and users lists from selinux_config/.
# The last (commented-out) line is dead; modules.conf is assembled by
# makeModulesConf instead.
%define makeCmds() \
make UNK_PERMS=%4 NAME=%1 TYPE=%2 DISTRO=%{distro} UBAC=n DIRECT_INITRC=%3 MONOLITHIC=%{monolithic} MLS_CATS=1024 MCS_CATS=1024 bare \
make UNK_PERMS=%4 NAME=%1 TYPE=%2 DISTRO=%{distro} UBAC=n DIRECT_INITRC=%3 MONOLITHIC=%{monolithic} MLS_CATS=1024 MCS_CATS=1024  conf \
cp -f selinux_config/booleans-%1.conf ./policy/booleans.conf \
cp -f selinux_config/users-%1 ./policy/users \
#cp -f selinux_config/modules-%1-base.conf  ./policy/modules.conf \
a27009
a27009
# makeModulesConf STORE BASE_SUFFIX CONTRIB_SUFFIX
# Assemble policy/modules.conf for a store from selinux_config/modules-STORE-*.conf.
# The base list is copied to both modules-base.conf and modules.conf; when the
# third argument is literally "contrib", the contrib list is copied to
# modules-contrib.conf and appended to modules.conf.  modules-base.conf and
# modules-contrib.conf are later parsed by modulesList to derive the file lists.
%define makeModulesConf() \
cp -f selinux_config/modules-%1-%2.conf  ./policy/modules-base.conf \
cp -f selinux_config/modules-%1-%2.conf  ./policy/modules.conf \
if [ %3 == "contrib" ];then \
	cp selinux_config/modules-%1-%3.conf ./policy/modules-contrib.conf; \
	cat selinux_config/modules-%1-%3.conf >> ./policy/modules.conf; \
fi; \
998737
de82d8
# installCmds STORE TYPE DIRECT_INITRC UNK_PERMS
# Build, validate and install one policy store into the buildroot:
#  - base.pp / validated modules are built with semodule_expand;
#  - 'install' and 'install-appconfig' populate /etc/selinux/STORE;
#  - 'load' runs semodule against the buildroot store at priority 100, which
#    is what produces the binary policy and the _sharedstatedir module tree;
#  - per-store config inputs (securetty_types, setrans.conf, customizable_types,
#    file_contexts.subs_dist, booleans.subs_dist) come from selinux_config/;
#  - empty placeholders are created for files regenerated on the target host
#    (file_contexts.local and the *.bin caches);
#  - the loose *.pp files are removed from /usr/share/selinux/STORE because the
#    modules are shipped through the store tree instead.
# .policy.sha512 is the checksum of the policy binary exactly as packaged; the
# preInstall macro compares it on upgrade to decide whether a local rebuild is
# needed.  It is a change-detection aid living next to the policy it describes,
# not a tamper-evidence or integrity-protection mechanism.
%define installCmds() \
make UNK_PERMS=%4 NAME=%1 TYPE=%2 DISTRO=%{distro} UBAC=n DIRECT_INITRC=%3 MONOLITHIC=%{monolithic} MLS_CATS=1024 MCS_CATS=1024 SEMOD_EXP="/usr/bin/semodule_expand -a" base.pp \
make validate UNK_PERMS=%4 NAME=%1 TYPE=%2 DISTRO=%{distro} UBAC=n DIRECT_INITRC=%3 MONOLITHIC=%{monolithic} MLS_CATS=1024 MCS_CATS=1024 SEMOD_EXP="/usr/bin/semodule_expand -a" modules \
make UNK_PERMS=%4 NAME=%1 TYPE=%2 DISTRO=%{distro} UBAC=n DIRECT_INITRC=%3 MONOLITHIC=%{monolithic} DESTDIR=%{buildroot} MLS_CATS=1024 MCS_CATS=1024 install \
make UNK_PERMS=%4 NAME=%1 TYPE=%2 DISTRO=%{distro} UBAC=n DIRECT_INITRC=%3 MONOLITHIC=%{monolithic} DESTDIR=%{buildroot} MLS_CATS=1024 MCS_CATS=1024 install-appconfig \
make UNK_PERMS=%4 NAME=%1 TYPE=%2 DISTRO=%{distro} UBAC=n DIRECT_INITRC=%3 MONOLITHIC=%{monolithic} DESTDIR=%{buildroot} MLS_CATS=1024 MCS_CATS=1024 SEMODULE="semodule -p %{buildroot} -X 100 " load \
%{__mkdir} -p %{buildroot}/%{_sysconfdir}/selinux/%1/logins \
touch %{buildroot}%{_sysconfdir}/selinux/%1/contexts/files/file_contexts.subs \
install -m0644 selinux_config/securetty_types-%1 %{buildroot}%{_sysconfdir}/selinux/%1/contexts/securetty_types \
install -m0644 selinux_config/file_contexts.subs_dist %{buildroot}%{_sysconfdir}/selinux/%1/contexts/files \
install -m0644 selinux_config/setrans-%1.conf %{buildroot}%{_sysconfdir}/selinux/%1/setrans.conf \
install -m0644 selinux_config/customizable_types %{buildroot}%{_sysconfdir}/selinux/%1/contexts/customizable_types \
touch %{buildroot}%{_sysconfdir}/selinux/%1/contexts/files/file_contexts.local \
touch %{buildroot}%{_sysconfdir}/selinux/%1/file_contexts.homedirs.bin \
touch %{buildroot}%{_sysconfdir}/selinux/%1/file_contexts.bin \
cp %{SOURCE30} %{buildroot}%{_sysconfdir}/selinux/%1 \
rm -f %{buildroot}/%{_usr}/share/selinux/%1/*pp*  \
/usr/bin/sha512sum %{buildroot}%{_sysconfdir}/selinux/%1/policy/policy.%{POLICYVER} | cut -d' ' -f 1 > %{buildroot}%{_sysconfdir}/selinux/%1/.policy.sha512; \
rm -rf %{buildroot}%{_sysconfdir}/selinux/%1/contexts/netfilter_contexts  \
rm -rf %{buildroot}%{_sysconfdir}/selinux/%1/modules/active/policy.kern \
%nil
1580c8
1580c8
%define fileList() \
1580c8
%defattr(-,root,root) \
d7e0f9
%dir %{_usr}/share/selinux/%1 \
1580c8
%dir %{_sysconfdir}/selinux/%1 \
1580c8
%config(noreplace) %{_sysconfdir}/selinux/%1/setrans.conf \
042e3a
%config(noreplace) %verify(not md5 size mtime) %{_sysconfdir}/selinux/%1/seusers \
4a27ed
%dir %{_sysconfdir}/selinux/%1/logins \
a345bb
%dir %{_sharedstatedir}/selinux/%1/active \
a345bb
%verify(not md5 size mtime) %{_sharedstatedir}/selinux/%1/semanage.read.LOCK \
a345bb
%verify(not md5 size mtime) %{_sharedstatedir}/selinux/%1/semanage.trans.LOCK \
a345bb
%dir %attr(700,root,root) %dir %{_sharedstatedir}/selinux/%1/active/modules \
a345bb
%verify(not md5 size mtime) %{_sharedstatedir}/selinux/%1/active/modules/100/base \
a345bb
%ghost %{_sysconfdir}/selinux/%1/*.bin \
1580c8
%dir %{_sysconfdir}/selinux/%1/policy/ \
042e3a
%verify(not md5 size mtime) %{_sysconfdir}/selinux/%1/policy/policy.%{POLICYVER} \
4a27ed
%{_sysconfdir}/selinux/%1/.policy.sha512 \
1580c8
%dir %{_sysconfdir}/selinux/%1/contexts \
d2c260
%config %{_sysconfdir}/selinux/%1/contexts/customizable_types \
ee095f
%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/securetty_types \
1580c8
%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/dbus_contexts \
5ca2ff
%config %{_sysconfdir}/selinux/%1/contexts/x_contexts \
7c94e8
%config %{_sysconfdir}/selinux/%1/contexts/default_contexts \
487de6
%config %{_sysconfdir}/selinux/%1/contexts/virtual_domain_context \
487de6
%config %{_sysconfdir}/selinux/%1/contexts/virtual_image_context \
4a27ed
%config %{_sysconfdir}/selinux/%1/contexts/lxc_contexts \
d4e55c
%config %{_sysconfdir}/selinux/%1/contexts/systemd_contexts \
a34c78
%config %{_sysconfdir}/selinux/%1/contexts/sepgsql_contexts \
f1ed4e
%config %{_sysconfdir}/selinux/%1/contexts/openssh_contexts \
1580c8
%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/default_type \
1580c8
%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/failsafe_context \
1580c8
%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/initrc_context \
1580c8
%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/removable_context \
1580c8
%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/userhelper_context \
1580c8
%dir %{_sysconfdir}/selinux/%1/contexts/files \
042e3a
%verify(not md5 size mtime) %{_sysconfdir}/selinux/%1/contexts/files/file_contexts \
a345bb
%verify(not md5 size mtime) %{_sysconfdir}/selinux/%1/contexts/files/file_contexts.bin \
a345bb
%verify(not md5 size mtime) %{_sysconfdir}/selinux/%1/contexts/files/file_contexts.homedirs* \
a345bb
%verify(not md5 size mtime) %{_sysconfdir}/selinux/%1/contexts/files/file_contexts.local \
a345bb
# %ghost %{_sysconfdir}/selinux/%1/contexts/files/*.bin \
e1f17e
%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/files/file_contexts.subs \
c39563
%{_sysconfdir}/selinux/%1/contexts/files/file_contexts.subs_dist \
c39563
%{_sysconfdir}/selinux/%1/booleans.subs_dist \
d19b68
%config %{_sysconfdir}/selinux/%1/contexts/files/media \
da0829
%dir %{_sysconfdir}/selinux/%1/contexts/users \
a4ec9b
%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/users/root \
a4ec9b
%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/users/guest_u \
a80e7a
%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/users/xguest_u \
a4ec9b
%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/users/user_u \
74b303
%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/users/staff_u 
1580c8
1580c8
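# relabel STORE
# Post-upgrade relabel for the active store.  If the preInstall macro saved a
# copy of the previous file_contexts (file_contexts.pre), fixfiles relabels
# only the paths whose mapping changed between the old and new policy, so
# files do not keep stale labels after a policy update; the copy is then
# removed.  The whole diff step is skipped when SELinux is disabled or STORE
# is not the configured SELINUXTYPE.  Afterwards the paths the policy relies
# on most (root's home, logs, runtime dir, passwd/group/shadow, user config
# dirs) are refreshed unconditionally.
# The original wrote the restorecon calls as "if cmd; then continue; fi";
# "continue" outside a loop is a no-op that only prints a shell warning, so
# the calls are now plain best-effort commands whose exit status is ignored.
%define relabel() \
. %{_sysconfdir}/selinux/config; \
FILE_CONTEXT=%{_sysconfdir}/selinux/%1/contexts/files/file_contexts; \
if /usr/sbin/selinuxenabled && [ "${SELINUXTYPE}" = "%1" ] && [ -f "${FILE_CONTEXT}.pre" ]; then \
     /sbin/fixfiles -C "${FILE_CONTEXT}.pre" restore 2> /dev/null; \
     rm -f "${FILE_CONTEXT}.pre"; \
fi; \
/sbin/restorecon -e /run/media -R /root /var/log /var/run /etc/passwd* /etc/group* /etc/*shadow* 2> /dev/null || :; \
/sbin/restorecon -R /home/*/.config 2> /dev/null || :;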
8a78e8
8a78e8
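# preInstall STORE   (expanded inside a pre scriptlet; $1 is rpm's install count)
# Runs only on upgrade ($1 != 1) of a system that already has /etc/selinux/config:
#  1. if STORE is the active SELINUXTYPE, keep a copy of the current
#     file_contexts as file_contexts.pre so the relabel macro can later relabel
#     just what changed (an existing .pre from an interrupted upgrade is kept);
#  2. flag the store for rebuild (.rebuild), then clear the flag again when the
#     installed policy binary still matches the checksum recorded at packaging
#     time (.policy.sha512) -- i.e. nothing was added or changed locally and
#     the packaged policy can simply replace it.
# The checksum comparison is change detection, not an integrity check: both
# the policy and .policy.sha512 live in the same root-owned directory.
# If several policy.* files exist the lowest-sorting one is checked, matching
# the original behaviour.
%define preInstall() \
if [ $1 -ne 1 ] && [ -s /etc/selinux/config ]; then \
     . %{_sysconfdir}/selinux/config; \
     FILE_CONTEXT=%{_sysconfdir}/selinux/%1/contexts/files/file_contexts; \
     if [ "${SELINUXTYPE}" = "%1" ] && [ -f "${FILE_CONTEXT}" ]; then \
        [ -f "${FILE_CONTEXT}.pre" ] || cp -f "${FILE_CONTEXT}" "${FILE_CONTEXT}.pre"; \
     fi; \
     touch /etc/selinux/%1/.rebuild; \
     if [ -e /etc/selinux/%1/.policy.sha512 ]; then \
        POLICY_FILE=`ls /etc/selinux/%1/policy/policy.* | sort | head -1`; \
        sha512=`sha512sum "$POLICY_FILE" | cut -d ' ' -f 1`; \
        checksha512=`cat /etc/selinux/%1/.policy.sha512`; \
        if [ "$sha512" = "$checksha512" ]; then \
           rm -f /etc/selinux/%1/.rebuild; \
        fi; \
     fi; \
fi;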
1580c8
857c81
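# postInstall COUNT STORE   (expanded inside a post scriptlet; COUNT is rpm's $1)
#  - remove modules in the old store location that this policy no longer ships
#    (the "cd && rm" form guarantees nothing is deleted from the scriptlet's
#    working directory when the old-layout directory does not exist);
#  - if the preInstall macro left a .rebuild flag, rebuild the store's policy
#    binary (no reload yet);
#  - load the policy when STORE is the configured type and SELinux is on;
#  - fresh install: label the core system paths; upgrade: run the relabel macro.
%define postInstall() \
. %{_sysconfdir}/selinux/config; \
(cd /etc/selinux/%2/modules/active/modules 2>/dev/null && rm -f vbetool.pp l2tpd.pp shutdown.pp amavis.pp clamav.pp gnomeclock.pp nsplugin.pp matahari.pp xfs.pp kudzu.pp kerneloops.pp execmem.pp openoffice.pp ada.pp tzdata.pp hal.pp hotplug.pp howl.pp java.pp mono.pp moilscanner.pp gamin.pp audio_entropy.pp audioentropy.pp iscsid.pp polkit_auth.pp polkit.pp rtkit_daemon.pp ModemManager.pp telepathysofiasip.pp ethereal.pp passanger.pp qemu.pp qpidd.pp pyzor.pp razor.pp pki-selinux.pp phpfpm.pp consoletype.pp ctdbd.pp fcoemon.pp isnsd.pp rgmanager.pp corosync.pp aisexec.pp pacemaker.pp pkcsslotd.pp smstools.pp ); \
if [ -e /etc/selinux/%2/.rebuild ]; then \
   rm -f /etc/selinux/%2/.rebuild; \
   /usr/sbin/semodule -B -n -s %2; \
fi; \
if [ "${SELINUXTYPE}" = "%2" ] && selinuxenabled; then load_policy; fi; \
if [ %1 -eq 1 ]; then \
   /sbin/restorecon -R /root /var/log /run /etc/passwd* /etc/group* /etc/*shadow* 2> /dev/null; \
else \
%relabel %2 \
fi;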
857c81
50f07b
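# modulesList STORE
# Derive the module name lists shipped in /usr/share/selinux/STORE from the
# "name = module|base" lines of the modules-*.conf files assembled by
# makeModulesConf.  Lines whose first field starts with '#' are comments.
# The comment test is the awk regex literal /^#/ -- the previous string form
# "/^#/" never matched anything (a '^' after '/' cannot match), so a commented
# entry written without a space ("#foo = module") would have leaked into the
# lists and, via nonBaseModulesList, into the files section.
%define modulesList() \
awk '$1 !~ /^#/ && $2 == "=" && $3 == "module" { printf "%%s ", $1 }' ./policy/modules-base.conf > %{buildroot}/%{_usr}/share/selinux/%1/modules-base.lst \
awk '$1 !~ /^#/ && $2 == "=" && $3 == "base" { printf "%%s ", $1 }' ./policy/modules-base.conf > %{buildroot}/%{_usr}/share/selinux/%1/base.lst \
if [ -e ./policy/modules-contrib.conf ];then \
	awk '$1 !~ /^#/ && $2 == "=" && $3 == "module" { printf "%%s ", $1 }' ./policy/modules-contrib.conf > %{buildroot}/%{_usr}/share/selinux/%1/modules-contrib.lst; \
fi;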
50f07b
c04c31
# nonBaseModulesList STORE
# Emit one files-section entry per non-base module (contrib first, then base
# order as listed) pointing at its directory in the store tree, into
# nonbasemodules.lst, which the STORE subpackage pulls in with "-f".  The
# sandbox module is skipped: it is shipped by the sandbox subpackage instead.
# Checksum/size/mtime verification is disabled because semodule rewrites
# these files on the target host.
%define nonBaseModulesList() \
for m in `cat %{buildroot}/%{_usr}/share/selinux/%1/modules-contrib.lst` `cat %{buildroot}/%{_usr}/share/selinux/%1/modules-base.lst`; do \
    [ "$m" = "sandbox" ] && continue; \
    echo "%verify(not md5 size mtime) %{_sharedstatedir}/selinux/%1/active/modules/100/$m" >> %{buildroot}/%{_usr}/share/selinux/%1/nonbasemodules.lst; \
done
c04c31
d83af2
%build
d83af2
3e930b
%prep 
# Unpack the contrib tree (Source29, selected with -b 29) and patch it, then
# unpack and patch the base refpolicy tree, and overlay the contrib modules
# into policy/modules/contrib so both are built as one tree.
%setup -n serefpolicy-contrib-%{version} -q -b 29
%patch1 -p1
contrib_path=`pwd`
%setup -n serefpolicy-%{version} -q
%patch -p1
%patch2 -p1
refpolicy_path=`pwd`
cp $contrib_path/* $refpolicy_path/policy/modules/contrib

# Collect the per-store configuration inputs (module/boolean/user lists,
# setrans, securetty types, ...) under selinux_config/ where the makeCmds and
# installCmds macros expect them.  config.tgz is extracted into the current
# (refpolicy) directory, not into selinux_config/.
mkdir selinux_config
for i in %{SOURCE1} %{SOURCE2} %{SOURCE3} %{SOURCE4} %{SOURCE5} %{SOURCE6} %{SOURCE8} %{SOURCE14} %{SOURCE15} %{SOURCE17} %{SOURCE18} %{SOURCE19} %{SOURCE20} %{SOURCE21} %{SOURCE22} %{SOURCE23} %{SOURCE25} %{SOURCE26} %{SOURCE31} %{SOURCE32};do
 cp $i selinux_config
done
tar zxvf selinux_config/config.tgz
a345bb
a345bb
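%install
%{__rm} -fR %{buildroot}
mkdir -p %{buildroot}%{_sysconfdir}/selinux
mkdir -p %{buildroot}%{_sysconfdir}/sysconfig
# Both config files are packaged as ghost entries: created empty here, the
# real /etc/selinux/config is written by the base package's post scriptlet
# on first install.
touch %{buildroot}%{_sysconfdir}/selinux/config
touch %{buildroot}%{_sysconfdir}/sysconfig/selinux
mkdir -p %{buildroot}%{_usr}/lib/tmpfiles.d/
cp %{SOURCE27} %{buildroot}%{_usr}/lib/tmpfiles.d/

# Always create policy module package directories
mkdir -p %{buildroot}%{_usr}/share/selinux/{targeted,mls,minimum,modules}/
mkdir -p %{buildroot}%{_sharedstatedir}/selinux/{targeted,mls,minimum,modules}/

mkdir -p %{buildroot}%{_usr}/share/selinux/packages

# Install devel
make clean
%if %{BUILD_TARGETED}
# Build targeted policy (type mcs, DIRECT_INITRC=n, UNK_PERMS=allow)
cp %{SOURCE28} %{buildroot}/%{_usr}/share/selinux/targeted
%makeCmds targeted mcs n allow
%makeModulesConf targeted base contrib
%installCmds targeted mcs n allow
# recreate sandbox.pp as a standalone module: it is removed from the targeted
# store and shipped by the sandbox subpackage, whose scriptlets load it.
rm -rf %{buildroot}%{_sharedstatedir}/selinux/targeted/active/modules/100/sandbox
# The build variables must be the same ones the targeted build above used.
# This line previously passed the numbered macro parameters here, outside any
# parametrized macro, where they carry no value.
make UNK_PERMS=allow NAME=targeted TYPE=mcs DISTRO=%{distro} UBAC=n DIRECT_INITRC=n MONOLITHIC=%{monolithic} DESTDIR=%{buildroot} MLS_CATS=1024 MCS_CATS=1024 sandbox.pp
mv sandbox.pp %{buildroot}/usr/share/selinux/packages/sandbox.pp
%modulesList targeted 
%nonBaseModulesList targeted
%endif

%if %{BUILD_MINIMUM}
# Build minimum policy (type mcs, DIRECT_INITRC=n, UNK_PERMS=allow)
mkdir -p %{buildroot}%{_usr}/share/selinux/minimum
cp %{SOURCE28} %{buildroot}/%{_usr}/share/selinux/minimum
%makeCmds minimum mcs n allow
# NOTE(review): minimum reuses the *targeted* module lists -- consistent with
# the SELINUXTYPE help text ("Modification of targeted policy"), but confirm
# this is intended rather than a copy-paste leftover.
%makeModulesConf targeted base contrib
%installCmds minimum mcs n allow
rm -f %{buildroot}/%{_sysconfdir}/selinux/minimum/modules/active/modules/sandbox.pp
rm -rf %{buildroot}%{_sharedstatedir}/selinux/minimum/active/modules/100/sandbox
%modulesList minimum
%nonBaseModulesList minimum
%endif

%if %{BUILD_MLS}
# Build mls policy (type mls, DIRECT_INITRC=n, UNK_PERMS=deny)
%makeCmds mls mls n deny
%makeModulesConf mls base contrib
%installCmds mls mls n deny
%modulesList mls
%nonBaseModulesList mls
%endif

# Documentation, headers and the devel tree are generated from the targeted
# build; the headers are moved out of the targeted store into devel/.
mkdir -p %{buildroot}%{_mandir}
cp -R  man/* %{buildroot}%{_mandir}
make UNK_PERMS=allow NAME=targeted TYPE=mcs DISTRO=%{distro} UBAC=n DIRECT_INITRC=n MONOLITHIC=%{monolithic} DESTDIR=%{buildroot} PKGNAME=%{name} MLS_CATS=1024 MCS_CATS=1024 install-docs
make UNK_PERMS=allow NAME=targeted TYPE=mcs DISTRO=%{distro} UBAC=n DIRECT_INITRC=n MONOLITHIC=%{monolithic} DESTDIR=%{buildroot} PKGNAME=%{name} MLS_CATS=1024 MCS_CATS=1024 install-headers
mkdir %{buildroot}%{_usr}/share/selinux/devel/
mv %{buildroot}%{_usr}/share/selinux/targeted/include %{buildroot}%{_usr}/share/selinux/devel/include
install -m 644 selinux_config/Makefile.devel %{buildroot}%{_usr}/share/selinux/devel/Makefile
install -m 644 doc/example.* %{buildroot}%{_usr}/share/selinux/devel/
install -m 644 doc/policy.* %{buildroot}%{_usr}/share/selinux/devel/
echo  "xdg-open file:///usr/share/doc/selinux-policy/html/index.html"> %{buildroot}%{_usr}/share/selinux/devel/policyhelp
chmod +x %{buildroot}%{_usr}/share/selinux/devel/policyhelp
# Generate per-domain man pages (and their HTML rendering) from the policy in
# the buildroot; the HTML and stylesheet go to the devel html tree.
/usr/bin/sepolicy manpage -a -p %{buildroot}/usr/share/man/man8/ -w -r %{buildroot}
mkdir %{buildroot}%{_usr}/share/selinux/devel/html
mv %{buildroot}%{_usr}/share/man/man8/*.html %{buildroot}%{_usr}/share/selinux/devel/html
mv %{buildroot}%{_usr}/share/man/man8/style.css %{buildroot}%{_usr}/share/selinux/devel/html

# Expose the policy version to other packages' spec files as an rpm macro.
mkdir -p %{buildroot}%{_rpmconfigdir}/macros.d
echo '%%_selinux_policy_version %{version}-%{release}' > %{buildroot}%{_rpmconfigdir}/macros.d/macros.selinux-policy

rm -rf selinux_config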
1580c8
%clean
ca8bc2
%{__rm} -fR %{buildroot}
1580c8
9c64bb
%post
# First install (no non-empty /etc/selinux/config yet): write the default
# configuration.  The shipped default is SELINUX=enforcing with the targeted
# store; do not weaken it here -- an administrator who wants permissive or
# disabled mode edits the file.  On upgrade the existing file is left alone.
if [ ! -s /etc/selinux/config ]; then
#
#     New install so we will default to targeted policy
#
echo "
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=enforcing
# SELINUXTYPE= can take one of these three values:
#     targeted - Targeted processes are protected,
#     minimum - Modification of targeted policy. Only selected processes are protected. 
#     mls - Multi Level Security protection.
SELINUXTYPE=targeted 

" > /etc/selinux/config

     # /etc/sysconfig/selinux is the historical path; keep it a symlink to the
     # real file so both stay in sync, and give the new file its policy label.
     ln -sf ../selinux/config /etc/sysconfig/selinux 
     restorecon /etc/selinux/config 2> /dev/null || :
else
     # Existing configuration is kept as is; the variables it sets are not
     # used further in this scriptlet.
     . /etc/selinux/config
fi
exit 0
9c64bb
5ff36d
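%postun
# Final removal of the base package ($1 == 0), not an upgrade: the system is
# about to have no policy at all, so drop to permissive immediately and
# persist SELINUX=disabled so it is not left configured to enforce a policy
# that no longer exists.  Deliberately a no-op on upgrade.
if [ "$1" -eq 0 ]; then
     setenforce 0 2> /dev/null
     if [ ! -s /etc/selinux/config ]; then
          echo "SELINUX=disabled" > /etc/selinux/config
     else
          sed -i 's/^SELINUX=.*/SELINUX=disabled/g' /etc/selinux/config
     fi
fi
exit 0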
5ff36d
bd3f0e
%if %{BUILD_TARGETED}
bd3f0e
%package targeted
bd3f0e
Summary: SELinux targeted base policy
487de6
Provides: selinux-policy-base = %{version}-%{release}
bd3f0e
Group: System Environment/Base
d83af2
Obsoletes: selinux-policy-targeted-sources < 2
23e708
Requires(pre): policycoreutils >= %{POLICYCOREUTILSVER}
d83af2
Requires(pre): coreutils
d83af2
Requires(pre): selinux-policy = %{version}-%{release}
3b5466
Requires: selinux-policy = %{version}-%{release}
b4cab5
Conflicts:  audispd-plugins <= 1.7.7-1
487de6
Obsoletes: mod_fcgid-selinux <= %{version}-%{release}
bc4089
Obsoletes: cachefilesd-selinux <= 0.10-1
6b7b0c
Conflicts:  seedit
fc9bf2
Conflicts:  389-ds-base < 1.2.7, 389-admin < 1.1.12
bd3f0e
bd3f0e
%description targeted
bd3f0e
SELinux Reference policy targeted base module.
bd3f0e
bd3f0e
%pre targeted
8a78e8
%preInstall targeted
bd3f0e
9c64bb
%post targeted
857c81
%postInstall $1 targeted
e080bb
exit 0
d83af2
7c810a
%triggerin -- pcre
# Rebuild the policy store (without reloading) whenever pcre is installed or
# updated.  NOTE(review): presumably because the compiled file_contexts.bin
# caches depend on the pcre version -- confirm before changing this.
selinuxenabled && semodule -nB
exit 0
7c810a
1b0e09
%triggerpostun -- selinux-policy-targeted < 3.12.1-74
# Upgrading from a targeted policy older than 3.12.1-74: remove the stale
# sandbox disable marker from the old store layout.
rm -f /etc/selinux/*/modules/active/modules/sandbox.pp.disabled 2>/dev/null
exit 0
1b0e09
1b0e09
%triggerpostun targeted -- selinux-policy-targeted < 3.12.1-75
# Upgrading from a targeted policy older than 3.12.1-75: relabel all home
# directories (with progress output).
restorecon -R -p /home
exit 0
af6090
a345bb
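%triggerpostun targeted -- selinux-policy-targeted < 3.13.1-137.1
# Migrate module state from the old store (/etc/selinux/targeted/modules) to
# the new one (/var/lib/selinux/targeted) when upgrading from any release
# older than this one: every NAME.pp.disabled marker becomes "semodule -d
# NAME" in the new store, then every .pp found in the old store is imported
# so local modules survive the move.  A stray "set -x" that traced every
# command to the user's terminal has been removed.
for i in `find /etc/selinux/targeted/modules/active/modules/ -name \*disabled`; do
	module=`basename "$i" | sed 's/.pp.disabled//'`
	if [ -d "/var/lib/selinux/targeted/active/modules/100/$module" ]; then
		semodule -d "$module"
	fi
done
for i in `find /etc/selinux/targeted/modules/active/modules/ -name \*.pp`; do
	semodule -i "$i"
done
exit 0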
a345bb
c04c31
%files targeted -f %{buildroot}/%{_usr}/share/selinux/targeted/nonbasemodules.lst
487de6
%defattr(-,root,root,-)
4d59c2
%config(noreplace) %{_sysconfdir}/selinux/targeted/contexts/users/unconfined_u
74b303
%config(noreplace) %{_sysconfdir}/selinux/targeted/contexts/users/sysadm_u 
4d59c2
%fileList targeted
a345bb
# %verify(not md5 size mtime) %{_sharedstatedir}/selinux/targeted/active/modules/100/permissivedomains
38dae9
%{_usr}/share/selinux/targeted/base.lst
a27009
%{_usr}/share/selinux/targeted/modules-base.lst
a27009
%{_usr}/share/selinux/targeted/modules-contrib.lst
c04c31
%{_usr}/share/selinux/targeted/nonbasemodules.lst
a345bb
%{_sharedstatedir}/selinux/targeted/active/commit_num
a4ec9b
%endif
a4ec9b
675bba
%if %{BUILD_MINIMUM}
675bba
%package minimum
675bba
Summary: SELinux minimum base policy
487de6
Provides: selinux-policy-base = %{version}-%{release}
675bba
Group: System Environment/Base
23e708
Requires(post): policycoreutils-python >= %{POLICYCOREUTILSVER}
675bba
Requires(pre): coreutils
675bba
Requires(pre): selinux-policy = %{version}-%{release}
3b5466
Requires: selinux-policy = %{version}-%{release}
6b7b0c
Conflicts:  seedit
675bba
675bba
%description minimum
675bba
SELinux Reference policy minimum base module.
675bba
675bba
%pre minimum
%preInstall minimum
# On upgrade, record which modules are currently enabled in the minimum store
# so the post scriptlet can re-enable exactly those.  NOTE(review): the awk
# filter assumes the third column of "semodule -l" is the status and reads
# "Disabled" for disabled modules -- confirm this still holds for the
# policycoreutils version this package requires.
if [ $1 -ne 1 ]; then
   /usr/sbin/semodule -s minimum -l 2>/dev/null | awk '{ if ($3 != "Disabled") print $1; }' > /usr/share/selinux/minimum/instmodules.lst
fi
675bba
675bba
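%post minimum
contribpackages=`cat /usr/share/selinux/minimum/modules-contrib.lst`
basepackages=`cat /usr/share/selinux/minimum/modules-base.lst`
# Fresh install: disable every contrib module and keep only the base modules
# plus a short allow-list enabled; upgrade: restore the set recorded by the pre
# scriptlet.  Disable markers use the NAME.pp.disabled form the rest of this
# spec uses for the old store layout (the touch and rm previously disagreed:
# "NAME.disabled" was created but "NAME.pp.disabled" removed, so the re-enable
# step never matched the marker it was meant to clear).
# NOTE(review): with the policycoreutils 2.4 store under /var/lib/selinux that
# the rest of this spec targets, these markers are probably ignored and the
# state should be driven through "semodule -d/-e" instead -- verify.
if [ $1 -eq 1 ]; then
for p in $contribpackages; do
	touch /etc/selinux/minimum/modules/active/modules/$p.pp.disabled
done
for p in $basepackages apache dbus inetd kerberos mta nis; do
	rm -f /etc/selinux/minimum/modules/active/modules/$p.pp.disabled
done
# Every login, root included, is mapped to unconfined_u: the minimum policy
# confines only the handful of modules left enabled above, not users.
/usr/sbin/semanage import -S minimum -f - << __eof
login -m  -s unconfined_u -r s0-s0:c0.c1023 __default__
login -m  -s unconfined_u -r s0-s0:c0.c1023 root
__eof
/sbin/restorecon -R /root /var/log /var/run 2> /dev/null
/usr/sbin/semodule -B -s minimum
else
instpackages=`cat /usr/share/selinux/minimum/instmodules.lst`
for p in $contribpackages; do
    touch /etc/selinux/minimum/modules/active/modules/$p.pp.disabled
done
for p in $instpackages apache dbus inetd kerberos mta nis; do
    rm -f /etc/selinux/minimum/modules/active/modules/$p.pp.disabled
done
/usr/sbin/semodule -B -s minimum
%relabel minimum
fi
exit 0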
675bba
c04c31
%files minimum -f %{buildroot}/%{_usr}/share/selinux/minimum/nonbasemodules.lst
487de6
%defattr(-,root,root,-)
675bba
%config(noreplace) %{_sysconfdir}/selinux/minimum/contexts/users/unconfined_u
c9394c
%config(noreplace) %{_sysconfdir}/selinux/minimum/contexts/users/sysadm_u 
675bba
%fileList minimum
a345bb
# %verify(not md5 size mtime) %{_sysconfdir}/selinux/minimum/modules/active/modules/permissivedomains.pp
38dae9
%{_usr}/share/selinux/minimum/base.lst
a27009
%{_usr}/share/selinux/minimum/modules-base.lst
a27009
%{_usr}/share/selinux/minimum/modules-contrib.lst
c04c31
%{_usr}/share/selinux/minimum/nonbasemodules.lst
a345bb
%{_sharedstatedir}/selinux/minimum/active/commit_num
675bba
%endif
675bba
bd3f0e
%if %{BUILD_MLS}
504da9
%package mls 
504da9
Summary: SELinux mls base policy
1580c8
Group: System Environment/Base
487de6
Provides: selinux-policy-base = %{version}-%{release}
d83af2
Obsoletes: selinux-policy-mls-sources < 2
c77aca
Requires: policycoreutils-newrole >= %{POLICYCOREUTILSVER} setransd
23e708
Requires(pre): policycoreutils >= %{POLICYCOREUTILSVER}
d83af2
Requires(pre): coreutils
d83af2
Requires(pre): selinux-policy = %{version}-%{release}
3b5466
Requires: selinux-policy = %{version}-%{release}
6b7b0c
Conflicts:  seedit
1580c8
504da9
%description mls 
504da9
SELinux Reference policy mls base module.
1580c8
504da9
%pre mls 
8a78e8
%preInstall mls
1580c8
504da9
%post mls 
857c81
%postInstall $1 mls
1580c8
c04c31
%files mls -f %{buildroot}/%{_usr}/share/selinux/mls/nonbasemodules.lst
487de6
%defattr(-,root,root,-)
57ae10
%config(noreplace) %{_sysconfdir}/selinux/mls/contexts/users/unconfined_u
504da9
%fileList mls
38dae9
%{_usr}/share/selinux/mls/base.lst
a27009
%{_usr}/share/selinux/mls/modules-base.lst
a27009
%{_usr}/share/selinux/mls/modules-contrib.lst
c04c31
%{_usr}/share/selinux/mls/nonbasemodules.lst
a345bb
%{_sharedstatedir}/selinux/mls/active/commit_num
bd3f0e
%endif
bd3f0e
56187c
%changelog
04f749
* Wed Jul 15 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-137
04f749
- inn daemon should create innd_log_t objects in var_log_t instead of innd_var_run_t
04f749
- Fix rule definitions for httpd_can_sendmail boolean. We need to distinguish between base and contrib.
04f749
ee724a
* Tue Jul 14 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-136
ee724a
- Add samba_unconfined_script_exec_t to samba_admin header.
ee724a
- Add jabberd_lock_t label to jabberd_admin header.
ee724a
- Add rpm_var_run_t label to rpm_admin header.
ee724a
- Make all interfaces related to openshift_cache_t as deprecated.
ee724a
- Remove non exits nfsd_ro_t label.
ee724a
- Label /usr/afs/ as afs_files_t Allow afs_bosserver_t create afs_config_t and afs_dbdir_t dirs under afs_files_t Allow afs_bosserver_t read kerberos config
ee724a
- Fix *_admin intefaces where body is not consistent with header.
ee724a
- Allow networkmanager read rfcomm port.
ee724a
- Fix nova_domain_template interface, Fix typo bugs in nova policy
ee724a
- Create nova sublabels.
ee724a
- Merge all nova_* labels under one nova_t.
ee724a
- Add cobbler_var_lib_t to "/var/lib/tftpboot/boot(/.*)?"
ee724a
- Allow dnssec_trigger_t relabelfrom dnssec_trigger_var_run_t files.
ee724a
- Fix label openstack-nova-metadata-api binary file
ee724a
- Allow nova_t to bind on geneve tcp port, and all udp ports
ee724a
- Label swift-container-reconciler binary as swift_t.
ee724a
- Allow glusterd to execute showmount in the showmount domain.
ee724a
- Allow NetworkManager_t send signull to dnssec_trigger_t.
ee724a
- Add support for openstack-nova-* packages.
ee724a
- Allow audisp-remote searching devpts.
ee724a
- Label 6080 tcp port as geneve
ee724a
f53ebe
* Thu Jul 09 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-135
f53ebe
- Update mta_filetrans_named_content() interface to cover more db files.
f53ebe
- Revert "Remove ftpd_use_passive_mode boolean. It does not make sense due to ephemeral port handling."
f53ebe
- Allow pcp domains to connect to own process using unix_stream_socket.
f53ebe
- Typo in abrt.te
f53ebe
- Allow  abrt-upload-watch service to dbus chat with ABRT daemon and fsetid capability to allow run reporter-upload correctly.
f53ebe
- Add nagios_domtrans_unconfined_plugins() interface.
f53ebe
- Add nagios_domtrans_unconfined_plugins() interface.
f53ebe
- Add new boolean - httpd_run_ipa to allow httpd process to run IPA helper and dbus chat with oddjob.
f53ebe
- Add support for oddjob based helper in FreeIPA. BZ(1238165)
f53ebe
- Allow dnssec_trigger_t create dnssec_trigger_tmp_t files in /var/tmp/ BZ(1240840)
f53ebe
- Allow ctdb_t sending signull to smbd_t, for checking if smbd process exists. BZ(1224879)
f53ebe
- Fix cron_system_cronjob_use_shares boolean to call fs interfaces which contain only entrypoint permission.
f53ebe
- Add cron_system_cronjob_use_shares boolean to allow system cronjob to be executed from shares - NFS, CIFS, FUSE. It requires "entrypoint" permissios on nfs_t, cifs_t and fusefs_t SELinux types.
f53ebe
- nrpe needs kill capability to make gluster moniterd nodes working.
f53ebe
- Revert "Dontaudit ctbd_t sending signull to smbd_t."
f53ebe
- Fix interface corenet_tcp_connect_postgresql_port_port(prosody_t)
f53ebe
- Allow prosody connect to postgresql port.
f53ebe
- Fix logging_syslogd_run_nagios_plugins calling in logging.te
f53ebe
- Add logging_syslogd_run_nagios_plugins boolean for rsyslog to allow transition to nagios unconfined plugins.
f53ebe
- Add support for oddjob based helper in FreeIPA. BZ(1238165)
f53ebe
- Add new interfaces
f53ebe
- Add fs_fusefs_entry_type() interface.
f53ebe
d04212
* Thu Jul 02 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-134
d04212
- Allow ctdb_t sending signull to smbd_t, for checking if smbd process exists. BZ(1224879)
d04212
- Fix cron_system_cronjob_use_shares boolean to call fs interfaces which contain only entrypoint permission.
d04212
- Add cron_system_cronjob_use_shares boolean to allow system cronjob to be executed from shares - NFS, CIFS, FUSE. It requires "entrypoint" permissions on nfs_t, cifs_t and fusefs_t SELinux types.
d04212
- Merge remote-tracking branch 'refs/remotes/origin/rawhide-contrib' into rawhide-contrib
d04212
- nrpe needs kill capability to make gluster monitored nodes working.
d04212
- Fix interface corenet_tcp_connect_postgresql_port_port(prosody_t)
d04212
- Allow prosody connect to postgresql port.
d04212
- Add new interfaces
d04212
- Add fs_fusefs_entry_type() interface.
d04212
1428c0
* Tue Jun 30 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-133
1428c0
- Cleanup permissive domains.
1428c0
20e7f0
* Mon Jun 29 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-132
20e7f0
- Rename xodbc-connect port to xodbc_connect
20e7f0
- Dontaudit apache to manage snmpd_var_lib_t files/dirs. BZ(1189214)
20e7f0
- Add interface snmp_dontaudit_manage_snmp_var_lib_files().
20e7f0
- Allow ovsdb-server to connect on xodbc-connect and ovsdb tcp ports. BZ(1179809)
20e7f0
- Dontaudit mozilla_plugin_t cap. sys_ptrace. BZ(1202043)
20e7f0
- Allow iscsid write to fifo file kdumpctl_tmp_t. Appears when kdump generates the initramfs during the kernel boot. BZ(1181476)
20e7f0
- Dontaudit chrome to read passwd file. BZ(1204307)
20e7f0
- Allow firewalld exec ldconfig. BZ(1232748)
20e7f0
- Allow dnssec_trigger_t read networkmanager conf files. BZ(1231798)
20e7f0
- Allow in networkmanager_read_conf() also read NetworkManager_etc_rw_t files. BZ(1231798)
20e7f0
- Allow NetworkManager write to sysfs. BZ(1234086)
20e7f0
- Fix bogus line in logrotate.fc.
20e7f0
- Add dontaudit interface for kdumpctl_tmp_t
20e7f0
- Rename xodbc-connect port to xodbc_connect
20e7f0
- Label tcp port 6632 as xodbc-connect port. BZ (1179809)
20e7f0
- Label tcp port 6640 as ovsdb port. BZ (1179809)
20e7f0
7100c5
* Tue Jun 23 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-131
7100c5
- Allow NetworkManager write to sysfs. BZ(1234086)
7100c5
- Fix bogus line in logrotate.fc.
7100c5
- Add dontaudit interface for kdumpctl_tmp_t
7100c5
- Use userdom_rw_user_tmp_files() instead of userdom_rw_user_tmpfs_files() in gluster.te
7100c5
- Add postgresql support for systemd unit files.
7100c5
- Fix missing bracket
7100c5
- Pull request by ssekidde. https://github.com/fedora-selinux/selinux-policy/pull/18
7100c5
- Fixed obsoleted userdom_delete_user_tmpfs_files() interface
7100c5
66628c
* Thu Jun 18 2015 Miroslav Grepl <mgrepl@redhat.com> 3.13.1-130
66628c
- Allow glusterd to interact with gluster tools running in a user domain
66628c
- rpm_transition_script() is called from rpm_run. Update cloud-init rules.
66628c
- Call rpm_transition_script() from rpm_run() interface.
66628c
- Allow radvd dac_override; it runs setuid and requires it. BZ(1224403)
66628c
- Add glusterd_manage_lib_files() interface.
66628c
- Allow samba_t net_admin capability to make CIFS mount working.
66628c
- S30samba-start gluster hooks wants to search audit logs. Dontaudit it.
66628c
- Reflect logrotate change which moves /var/lib/logrotate.status to /var/lib/logrotate/logrotate.status. BZ(1228531)
66628c
- ntop reads /var/lib/ntop/macPrefix.db and it needs dac_override. It has setuid/setgid. BZ(1058822)
66628c
- Allow cloud-init to run rpm scriptlets to install packages. BZ(1227484)
66628c
- Allow nagios to generate charts.
66628c
- Allow glusterd to send generic signals to systemd_passwd_agent processes.
66628c
- Allow glusterd to run init scripts.
66628c
- Allow glusterd to execute /usr/sbin/xfs_db in the glusterd_t domain.
66628c
- Calling cron_system_entry() in pcp_domain_template needs to be a part of optional_policy block.
66628c
- Allow samba-net to access /var/lib/ctdbd dirs/files.
66628c
- Allow glusterd to send a signal to smbd.
66628c
- Make ctdbd as home manager to access also FUSE.
66628c
- Allow glusterd to use geo-replication gluster tool.
66628c
- Allow glusterd to execute ssh-keygen.
66628c
- Allow glusterd to interact with cluster services.
66628c
- Add rhcs_dbus_chat_cluster()
66628c
- systemd-logind accesses /dev/shm. BZ(1230443)
66628c
- Label gluster python hooks also as bin_t.
66628c
- Allow sshd to execute gnome-keyring if there is configured pam_gnome_keyring.so.
66628c
- Allow gnome-keyring executed by passwd to access /run/user/UID/keyring to change a password.
66628c
8f4622
* Tue Jun 09 2015 Miroslav Grepl <mgrepl@redhat.com> 3.13.1-129
8f4622
- We need to restore contexts on /etc/passwd*,/etc/group*,/etc/*shadow* during install phase to get proper labeling for these files until selinux-policy pkgs are installed. BZ(1228489)
8f4622
5bcffd
* Tue Jun 09 2015 Miroslav Grepl <mgrepl@redhat.com> 3.13.1-128
5bcffd
- Add ipsec_rw_inherited_pipes() interface.
5bcffd
- Allow ibus-x11 running as xdm_t to connect to user session buses. We already allow it to connect to userdomains over unix_stream_socket.
5bcffd
- Label /usr/libexec/Xorg.wrap as xserver_exec_t.
5bcffd
- Allow systemd-networkd to bind dhcpc ports if DHCP=yes in *.network conf file.
5bcffd
- Add fixes for selinux userspace moving the policy store to /var/lib/selinux.
5bcffd
- Remove optional else block for dhcp ping (needed by CIL)
5bcffd
- Label all gluster hooks in /var/lib/gluster as bin_t. They are not created on the fly.
5bcffd
- Access required to run with unconfine.pp disabled
5bcffd
- Fix selinux_search_fs() interface.
5bcffd
- Update selinux_search_fs(domain) rule to have ability to search /etc/selinux/ to check if /etc/selinux/config exists.
5bcffd
- Add seutil_search_config() interface.
5bcffd
- Make ssh-keygen as nsswitch domain to access SSSD.
5bcffd
- Label ctdb events scripts as bin_t.
5bcffd
- Add support for /usr/sbin/lvmpolld.
5bcffd
- Allow gvfsd-fuse running as xdm_t to use /run/user/42/gvfs as mountpoint.
5bcffd
- Add support for ~/.local/share/networkmanagement/certificates and update filename transitions rules. 
5bcffd
- Allow login_pgm domains to access kernel keyring for nsswitch domains.
5bcffd
- Allow hypervkvp to read /dev/urandom and read additional state/config files.
5bcffd
- Add cgdcbxd policy.
5bcffd
- Allow hypervkvp to execute arping in own domain and make it as nsswitch domain.
5bcffd
- Add labeling for pacemaker.log.
5bcffd
- Allow ntlm_auth running in winbind_helper_t to access /dev/urandom.
5bcffd
- Allow lsmd plugin to connect to tcp/5989 by default.
5bcffd
- Allow lsmd plugin to connect to tcp/5988 by default.
5bcffd
- Allow setuid/setgid for selinux_child.
5bcffd
- Allow radiusd to connect to radsec ports.
5bcffd
- Allow bind to read/write inherited ipsec pipes.
5bcffd
- Allow fowner capability for sssd because of selinux_child handling.
5bcffd
- Allow pki-tomcat relabel pki_tomcat_etc_rw_t.
5bcffd
- Allow cluster domain to dbus chat with systemd-logind.
5bcffd
- Allow tmpreaper_t to manage ntp log content 
5bcffd
- Allow openvswitch_t to communicate with sssd.
5bcffd
- Allow isnsd_t to communicate with sssd.
5bcffd
- Allow rwho_t to communicate with sssd.
5bcffd
- Allow pkcs_slotd_t to communicate with sssd.
5bcffd
- Add httpd_var_lib_t label for roundcubemail 
5bcffd
- Allow puppetagent_t to transfer firewalld messages over dbus.
5bcffd
- Allow glusterd to have mknod capability. It creates a special file using mknod in a brick.
5bcffd
- Update rules related to glusterd_brick_t.
5bcffd
- Allow glusterd to execute lvm tools in the lvm_t target domain.
5bcffd
- Allow glusterd to execute xfs_growfs in the target domain.
5bcffd
- Allow sysctl to run under the hypervkvp_t domain.
5bcffd
- Allow smartdnotify to use user terminals. 
5bcffd
- Allow pcp domains to create root.socket in the /var/lib/pcp directory.
5bcffd
- Allow NM to execute dnssec-trigger-script in dnssec_trigger_t domain.
5bcffd
- Allow rpcbind to create rpcbind.xdr as a temporary file. 
5bcffd
- Allow dnssec-trigger connections to the system DBUS. It uses libnm-glib Python bindings. 
5bcffd
- Allow hostapd net_admin capability. hostapd needs to able to set an interface flag. 
5bcffd
- rsync server can be setup to send mail
5bcffd
- Make the "ostree admin upgrade -r" command, which is supposed to upgrade the system and reboot, work again.
5bcffd
- Remove ctdbd_manage_var_files() interface which is not used and is declared for the wrong type.
5bcffd
- Fix samba_load_libgfapi decl in samba.te.
5bcffd
- Fix typo in nagios_run_sudo() boolean.
5bcffd
- remove duplicate declaration from hypervkvp.te.
5bcffd
- Move ctdd_domtrans() from ctdbd to gluster.
5bcffd
- Allow smbd to access /var/lib/ctdb/persistent/secrets.tdb.0.
5bcffd
- Glusterd wants to manage samba config files if they are setup together.
5bcffd
- Allow NM to do access check on /sys.
5bcffd
- Allow NetworkManager to keep RFCOMM connection for Bluetooth DUN open . Based on fixes from Lubomir Rintel.
5bcffd
- Allow NetworkManager nm-dispatcher to read links.
5bcffd
- Allow gluster hooks scripts to transition to ctdbd_t.
5bcffd
- Allow glusterd to read/write samba config files.
5bcffd
- Update mysqld rules related to mysqld log files.
5bcffd
- Add fixes for hypervkvp related to ifdown/ifup scripts.
5bcffd
- Update netlink_route_socket for ptp4l.
5bcffd
- Allow glusterd to connect to /var/run/dbus/system_bus_socket.
5bcffd
- Allow glusterd to have sys_ptrace capability. Needed by gluster+samba configuration.
5bcffd
- Add new boolean samba_load_libgfapi to allow smbd load libgfapi from gluster. Allow smbd to read gluster config files by default.
5bcffd
- Allow gluster to transition to smbd. It is needed for smbd+gluster configuration.
5bcffd
- Allow glusterd to read /dev/random.
5bcffd
- Update nagios_run_sudo boolean to allow run chkpwd.
5bcffd
- Allow docker and container tools to control caps, don't rely on SELinux for now.  Since there is no easy way for SELinux modification of policy as far as caps.  docker run --cap-add will work now
5bcffd
- Allow sosreport to dbus chat with NM.
5bcffd
- Allow anaconda to run iscsid in own domain. BZ(1220948).
5bcffd
- Allow rhsmcetd to use the ypbind service to access NIS services.
5bcffd
- Add nagios_run_pnp4nagios and nagios_run_sudo booleans to allow run sudo from NRPE utils scripts and allow run nagios in conjunction with PNP4Nagios.
5bcffd
- Allow ctdb to create rawip socket.
5bcffd
- Allow ctdbd to bind  smbd port.
5bcffd
- Make ctdbd as userdom_home_reader.
5bcffd
- Dontaudit chrome-sandbox write access its parent process information. BZ(1220958)
5bcffd
- Allow net_admin cap for dnssec-trigger to make wifi reconnect working.
5bcffd
- Add support for /var/lib/ipsilon dir and label it as httpd_var_lib_t. BZ(1186046)
5bcffd
- Allow gluster rpm scriptlet to create glusterd socket with correct labeling. This is a workaround until we get a fix in glusterd.
5bcffd
- Add glusterd_filetrans_named_pid() interface.
5bcffd
- Allow antivirus_t to read system state info.
5bcffd
- Dontaudit use console for chrome-sandbox. 
5bcffd
- Add support for ~/.local/share/libvirt/images and for ~/.local/share/libvirt/boot. 
5bcffd
- Clamd needs to have fsetid capability. 
5bcffd
- Allow cinder-backup to dbus chat with systemd-logind. 
5bcffd
- Update httpd_use_openstack boolean to allow httpd to bind commplex_main_port and read keystone log files.
5bcffd
- Allow gssd to access kernel keyring for login_pgm domains.
5bcffd
- Add more fixes related to timemaster+ntp+ptp4l.
5bcffd
- Allow docker sandbox domains to search all mountpoints
5bcffd
- update winbind_t rules to allow IPC for winbind.
5bcffd
- Add rpm_exec_t labeling for /usr/bin/dnf-automatic,/usr/bin/dnf-2 and /usr/bin/dnf-3.
5bcffd
- Allow inet_gethost called by couchdb to access /proc/net/unix. 
5bcffd
- Allow eu-unstrip running under abrt_t to access /var/lib/pcp/pmdas/linux/pmda_linux.so 
5bcffd
- Label /usr/bin/yum-deprecated as rpm_exec_t. 
5bcffd
6a726d
* Tue May 05 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-127
6a726d
- Add missing typealiases in apache_content_template() for script domain/executable.
6a726d
- Don't use deprecated userdom_manage_tmpfs_role() interface calling and use userdom_manage_tmp_role() instead.
6a726d
- Add support for new cobbler dir locations:
6a726d
- Add support for iprdbg logging files in /var/log.
6a726d
- Add relabel_user_home_dirs for use by docker_t
6a726d
9cef10
* Thu Apr 30 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-126
229bf3
- Allow httpd_t to read nagios lib_var_lib_t to allow rrdtool to generate graphs which will be shown by httpd.
229bf3
- Add nagios_read_lib() interface.
229bf3
- Additional fix for mongod_unit_file_t in mongodb.te.
229bf3
- Fix decl of mongod_unit_file to mongod_unit_file_t.
229bf3
- Fix mongodb unit file declaration.
229bf3
- Update virt_read_pid_files() interface to allow read also symlinks with virt_var_run_t type.
229bf3
- Fix labeling for /usr/libexec/mysqld_safe-scl-helper.
229bf3
- Add support for mysqld_safe-scl-helper which is needed for RHSCL daemons.
229bf3
- Allow sys_ptrace cap for sblim-gatherd caused by ps.
229bf3
- Add support for /usr/libexec/mongodb-scl-helper RHSCL helper script.
229bf3
- Add support for mongod/mongos systemd unit files.
229bf3
- Allow dnssec-trigger to send sigchld to networkmanager
229bf3
- add interface networkmanager_sigchld
229bf3
- Add dnssec-trigger unit file Label dnssec-trigger script in libexec
229bf3
- Remove duplicate  specification for /etc/localtime.
229bf3
- Add default labeling for /etc/localtime symlink.
229bf3
0bfe8f
* Mon Apr 20 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-125
0bfe8f
- Define ipa_var_run_t type
0bfe8f
- Allow certmonger to manage renewal.lock. BZ(1213256)
0bfe8f
- Add ipa_manage_pid_files interface.
0bfe8f
- Add rules for netlink_socket in iotop.
0bfe8f
- Allow iotop netlink socket.
0bfe8f
- cloudinit and rhsmcertd need to communicate with dbus
0bfe8f
- Allow apcupsd to use USBttys. BZ(1210960)
0bfe8f
- Allow sge_execd_t to manage tmp sge lnk files. BZ(1211574)
0bfe8f
- Remove dac_override capability for setroubleshoot. We now have it running as setroubleshoot user.
0bfe8f
- Allow syslogd_t to manage devlog_t lnk files. BZ(1210968)
0bfe8f
28cc16
* Wed Apr 15 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-124
28cc16
- Add more restriction on entrypoint for unconfined domains.
28cc16
28cc16
* Tue Apr 14 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-123
578b67
- Allow abrtd to list home config. BZ(1199658)
578b67
- Dontaudit dnssec_trigger_t to read /tmp. BZ(1210250)
578b67
- Allow abrt_dump_oops_t to IPC_LOCK. BZ(1205481)
578b67
- Allow mock_t to use ptmx. BZ(1181333)
578b67
- Allow dnssec_trigger_t to stream connect to networkmanager.
578b67
- Allow dnssec_trigger_t to create resolv files labeled as net_conf_t
578b67
- Fix labeling for keystone CGI scripts.
578b67
b9a1c7
* Tue Apr 07 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-122
b9a1c7
- Label /usr/libexec/mongodb-scl-helper as mongod_initrc_exec_t. BZ(1202013)
b9a1c7
- Add mongodb port to httpd_can_network_connect_db interface. BZ(1209180)
b9a1c7
- Allow mongod to work with configured SSSD.
b9a1c7
- Add collectd net_raw capability. BZ(1194169)
b9a1c7
- Merge postfix spool types(maildrop,flush) to one postfix_spool_t
b9a1c7
- Allow dhcpd kill capability.
b9a1c7
- Make rwhod as nsswitch domain.
b9a1c7
- Add support for new fence agent fence_mpath which is executed by fence_node.
b9a1c7
- Fix cloudform policy.(m4 is case sensitive)
b9a1c7
- Allow networkmanager and cloud_init_t to dbus chat
b9a1c7
- Allow lsmd plugin to run with configured SSSD.
b9a1c7
- Allow bacula access to tape devices.
b9a1c7
- Allow sblim domain to read sysctls..
b9a1c7
- Allow timemaster send a signal to ntpd.
b9a1c7
- Allow mysqld_t to use pam. It is needed by MariaDB if the auth_apm.so auth plugin is used.
b9a1c7
- two 'l' is enough.
b9a1c7
- Add labeling for systemd-time*.service unit files and allow systemd-timedated to access these unit files.
b9a1c7
- Allow polkit to dbus chat with xserver. (1207478)
b9a1c7
- Add lvm_stream_connect() interface.
b9a1c7
- Set label of /sys/kernel/debug
b9a1c7
5852f3
* Mon Mar 30 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-121
5852f3
- Allow kmscon to read system state. BZ (1206871)
5852f3
- Label ~/.abrt/ as abrt_etc_t. BZ(1199658)
5852f3
- Allow xdm_t to read colord_var_lib_t files. BZ(1201985)
5852f3
734dd8
* Mon Mar 23 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-120
734dd8
- Allow mysqld_t to use pam. BZ(1196104)
734dd8
- Added label mysqld_etc_t for /etc/my.cnf.d/ dir. BZ(1203989)
734dd8
- Allow fetchmail to read mail_spool_t. BZ(1200552)
734dd8
- Dontaudit blueman_t write to all mountpoints. BZ(1198272)
734dd8
- Allow all domains some process flags.
734dd8
- Merge branch 'rawhide-base' of github.com:selinux-policy/selinux-policy into rawhide-base
734dd8
- Turn on overlayfs labeling for testing, we need this backported to F22 and Rawhide. Eventually will need this in RHEL
734dd8
f9d977
* Wed Mar 18 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-119
f9d977
- build without docker
f9d977
e2a064
* Mon Mar 16 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-118
e2a064
- docker watches for content in the /etc directory
e2a064
- Merge branch 'rawhide-contrib' of github.com:selinux-policy/selinux-policy into rawhide-contrib
e2a064
- Fix abrt_filetrans_named_content() to create /var/tmp/abrt with the correct abrt_var_cache_t labeling.
e2a064
- Allow docker to communicate with openvswitch
e2a064
- Merge branch 'rawhide-contrib' of github.com:selinux-policy/selinux-policy into rawhide-contrib
e2a064
- Allow docker to relablefrom/to sockets and docker_log_t
e2a064
- Allow journald to set loginuid. BZ(1190498)
e2a064
- Add cap. sys_admin for passwd_t. BZ(1185191)
e2a064
- Allow abrt-hook-ccpp running as kernel_t to allow create /var/tmp/abrt with correct labeling.
e2a064
c4df3c
* Mon Mar 09 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-117
ed576d
- Allow spamc read spamd_etc_t files. BZ(1199339).
ed576d
- Allow collectd to write to snmpd_var_lib_t dirs. BZ(1199278)
ed576d
- Allow abrt_watch_log_t read passwd file. BZ(1197396)
ed576d
- Allow abrt_watch_log_t to nsswitch_domain. BZ(1199659)
ed576d
- Allow cups to read colord_var_lib_t files. BZ(1199765)
ed576d
b61b8d
* Fri Mar 06 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-116
b61b8d
- Turn on rolekit in F23
b61b8d
f6c116
* Thu Mar 05 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-115
f6c116
- Allow glusterd_t exec glusterd_var_lib_t files. BZ(1198406)
f6c116
- Add gluster_exec_lib interface.
f6c116
- Allow l2tpd to manage NetworkManager pid files
f6c116
- Allow firewalld_t relabelfrom firewalld_rw_etc_t. BZ(1195327)
f6c116
- Allow cyrus bind tcp berknet port. BZ(1198347)
f6c116
- Add nsswitch domain for more services.
f6c116
- Allow abrt_dump_oops_t read /etc/passwd file. BZ(1197190)
f6c116
- Remove ftpd_use_passive_mode boolean. It does not make sense due to ephemeral port handling.
f6c116
- Make munin yum plugin as unconfined by default.
f6c116
- Allow bitlbee connections to the system DBUS.
f6c116
- Allow system apache scripts to send log messages.
f6c116
- Allow denyhosts execute iptables. BZ(1197371)
f6c116
- Allow brltty rw event device. BZ(1190349)
f6c116
- Allow cupsd config to execute ldconfig. BZ(1196608)
f6c116
- xdm_t now needs to manage user ttys
f6c116
- Allow ping_t read urand. BZ(1181831)
f6c116
- Add support for tcp/2005 port.
f6c116
- Allow setfiles domain to access files with admin_home_t. semanage -i /root/testfile.
f6c116
- In F23 we are running xserver as the user, need this to allow confined users to use X
f6c116
c4df3c
* Wed Feb 25 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-114
2ee001
- Fix source filepath for moving html files.
2ee001
946068
* Mon Feb 23 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-113
946068
- Xserver needs to be transitioned to from confined users
946068
- Added logging_syslogd_pid_filetrans
946068
- xdm_t now talks to hostnamed
946068
- Label new strongswan binary swanctl and new unit file strongswan-swanctl.service. BZ(1193102)
946068
- Additional fix for labeling /dev/log correctly.
946068
- cups chats with network manager
946068
- Allow parent domains to read/write fifo files in mozilla plugin
946068
- Allow spc_t to transition to svirt domains
946068
- Cleanup spc_t
946068
- docker needs more control over spc_t
946068
- pcp domains are executed out of cron
946068
83d645
* Mon Feb 16 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-112
83d645
- Allow audisp to connect to system DBUS for service.
83d645
- Label /dev/log correctly.
83d645
- Add interface init_read_var_lib_files().
83d645
- Allow abrt_dump_oops_t read /var/lib/systemd/, Allow abrt_dump_oops_t cap. chown,fsetid,fowner, BZ(1187017)
83d645
e79332
* Tue Feb 10 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-111
e79332
- Label /usr/libexec/postgresql-ctl as postgresql_exec_t. BZ(1191004)
e79332
- Remove automatically running filetrans_named_content from sysnet_manage_config
e79332
- Allow syslogd/journal to read netlink audit socket
e79332
- Allow brltty ioctl on usb_device_t. BZ(1190349)
e79332
- Make sure NetworkManager configures resolv.conf correctly
e79332
ae5733
* Thu Feb 05 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-110
ae5733
- Allow cockpit_session_t to create tmp files
ae5733
- apmd needs sys_resource when shutting down the machine
ae5733
- Fix path label to resolv.conf under NetworkManager
ae5733
1fd39e
* Wed Feb 04 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-109
1fd39e
- Allow search all pid dirs when managing net_conf_t files.
1fd39e
203031
* Wed Feb 04 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-108
203031
- Fix labels, improve sysnet_manage_config interface.
203031
- Label /var/run/NetworkManager/resolv.conf.tmp as net_conf_t.
203031
- Dontaudit network connections related to thumb_t. BZ(1187981)
203031
- Remove sysnet_filetrans_named_content from fail2ban
203031
c4df3c
* Mon Feb 02 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-107
1808b7
- Fix labels on new location of resolv.conf
1808b7
- syslog is not writing to the audit socket
1808b7
- seunshare is doing getattr on unix_stream_sockets leaked into it
1808b7
- Allow sshd_t to manage gssd keyring
1808b7
- Allow apps that create net_conf_t content to create .resolv.conf.NetworkManager
1808b7
- Postgresql listens on port 9898 when running PCP (pgpool Control Port)
1808b7
- Allow svirt sandbox domains to read /proc/mtrr
1808b7
- Allow polipo_deamon connect to all ephemeral ports. BZ(1187723)
1808b7
- Allow dovecot domains to use sys_resource
1808b7
- Allow sshd_t to manage gssd keyring
1808b7
- gpg_pinentry_t needs more access in f22
1808b7
a84953
* Thu Jan 29 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-106
a84953
- Allow docker to attach to the sandbox and user domains tun devices
a84953
- Allow pingd to read /dev/urandom. BZ(1181831)
a84953
- Allow virtd to list all mountpoints
a84953
- Allow sblim-sfcb to search images
a84953
- pkcsslotd_lock_t should be an alias for pkcs_slotd_lock_t.
a84953
- Call correct macro in virt_read_content().
a84953
- Dontaudit couchdb search in gconf_home_t. BZ(1177717)
a84953
- Allow docker_t to change its rlimit
a84953
- Allow neutron to read rpm DB.
a84953
- Allow radius to connect/bind radsec ports
a84953
- Allow pm-suspend running as virt_qemu_ga to read /var/log/pm-suspend.log.
a84953
- Add devicekit_read_log_files().
a84953
- Allow  virt_qemu_ga to dbus chat with rpm.
a84953
- Allow netutils chown capability to make tcpdump working with -w.
a84953
- Label /ostree/deploy/rhel-atomic-host/deploy directory as system_conf_t.
a84953
- journald now reads the netlink audit socket
a84953
- Add auditing support for ipsec.
a84953
a84953
* Thu Jan 29 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-105
a84953
- Bump release
a84953
72c96b
* Thu Jan 15 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-104
72c96b
- remove duplicate filename transition rules.
72c96b
- Call proper interface in sosreport.te.
72c96b
- Allow fetchmail to manage its keyring
72c96b
- Allow mail munin to create udp_sockets
72c96b
- Allow couchdb to sendto kernel unix domain sockets
72c96b
f1ed4e
* Sat Jan 3 2015 Dan Walsh <dwalsh@redhat.com> 3.13.1-103
f1ed4e
- Add /etc/selinux/targeted/contexts/openssh_contexts
f1ed4e
6eb726
* Mon Dec 15 2014 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-101
6eb726
- Allow logrotate to read hawkey.log in /var/cache/dnf/ BZ(1163438)
6eb726
- Allow virt_qemu_ga_t to execute kmod.
6eb726
- Add missing files_dontaudit_list_security_dirs() for smbd_t in samba_export_all_ro boolean
6eb726
- Add additional MLS attribute for oddjob_mkhomedir to create homedirs.
6eb726
- Add support for /usr/share/vdsm/daemonAdapter.
6eb726
- Docker has a new config/key file it writes to /etc/docker
6eb726
- Allow bacula to connect also to postgresql.
6eb726
e4ea46
* Thu Dec 11 2014 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-100
e4ea46
- Allow admin SELinux users mounting / as private within a new mount namespace as root in MLS.
e4ea46
- Fix miscfiles_manage_generic_cert_files() to allow manage link files
e4ea46
- Allow pegasus_openlmi_storage_t use nsswitch. BZ(1172258)
e4ea46
- Add support for /var/run/gluster.
e4ea46
- Allow openvpn manage systemd_passwd_var_run_t files. BZ(1170085)
e4ea46
c4df3c
* Tue Dec 02 2014 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-99
1c8cf3
- Add files_dontaudit_list_security_dirs() interface.
1c8cf3
- Added seutil_dontaudit_access_check_semanage_module_store interface.
1c8cf3
- Allow docker to create /root/.docker
1c8cf3
- Allow rlogind to use also rlogin ports
1c8cf3
- dontaudit list security dirs for samba domain
1c8cf3
- Dontaudit couchdb to list /var
1c8cf3
e4ea46
* Sat Nov 29 2014 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-98
cf94d6
- Update to have all _systemctl() interface also init_reload_services()
cf94d6
- Dontaudit access check on SELinux module store for sssd.
cf94d6
- Label /var/lib/rpmrebuilddb/ as rpm_var_lib_t. BZ (1167946)
cf94d6
b52709
* Fri Nov 28 2014 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-97
e4d7a4
- Allow reading of symlinks in /etc/puppet
e4d7a4
- Added TAGS to gitignore
e4d7a4
- I guess there can be content under /var/lib/lockdown #1167502
e4d7a4
- Allow rhev-agentd to read /dev/.udev/db to make deploying hosted engine via iSCSI working.
e4d7a4
- Allow keystone to send a generic signal to own process.
e4d7a4
- Allow radius to bind tcp/1812 radius port.
e4d7a4
- Dontaudit list user_tmp files for system_mail_t
e4d7a4
- label virt-who as virtd_exec_t
e4d7a4
- Allow rhsmcertd to send a null signal to virt-who running as virtd_t
e4d7a4
- Add virt_signull() interface
e4d7a4
- Add missing alias for _content_rw_t
e4d7a4
- Allow .snapshots to be created in other directories, on all mountpoints
e4d7a4
- Allow spamd to access razor-agent.log
e4d7a4
- Add fixes for sfcb from libvirt-cim TestOnly bug. (#1152104)
e4d7a4
- Allow .snapshots to be created in other directories, on all mountpoints
e4d7a4
- Label tcp port 5280 as ejabberd port. BZ(1059930)
e4d7a4
- Make /usr/bin/vncserver running as unconfined_service_t
e4d7a4
- Label /etc/docker/certs.d as cert_t
e4d7a4
- Allow all systemd domains to search file systems
e4d7a4
48f969
* Thu Nov 20 2014 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-96
48f969
- Allow NetworkManager stream connect on openvpn. BZ(1165110)
48f969
feb8db
* Wed Nov 19 2014 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-95
feb8db
- Allow networkmanager manage also openvpn sock pid files.
feb8db
c88e65
* Wed Nov 19 2014 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-94
c88e65
- Allow openvpn to create uuid connections in /var/run/NetworkManager with NM labeling.
c88e65
- Allow sendmail to create dead.letter. BZ(1165443)
c88e65
- Allow selinux_child running as sssd access check on /etc/selinux/targeted/modules/active.
c88e65
- Allow access checks on setfiles/load_policy/semanage_lock for selinux_child running as sssd_t.
c88e65
- Label sock file charon.vici as ipsec_var_run_t. BZ(1165065)
c88e65
- Add additional interfaces for load_policy/setfiles/read_lock related to access checks.
c88e65
24d43e
* Fri Nov 14 2014 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-93
24d43e
- Allow bumblebee to use nsswitch. BZ(1155339)
24d43e
- Allow openvpn to stream connect to networkmanager. BZ(1164182)
24d43e
- Allow smbd to create HOMEDIRS with pam_oddjob_mkhomedir in MLS.
24d43e
- Allow cpuplug rw virtual memory sysctl. BZ (1077831)
24d43e
- Docker needs to write to sysfs, needs back port to F20,F21, RHEL7
24d43e
24d43e
* Mon Nov 10 2014 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-92
b6161d
- Add kdump_rw_inherited_kdumpctl_tmp_pipes()
b6161d
- Added fixes related to linuxptp. BZ (1149693)
b6161d
- Label keystone cgi files as keystone_cgi_script_exec_t. BZ(1138424)
b6161d
- Dontaudit policykit_auth_t to access to user home dirs. BZ (1157256)
b6161d
- Fix seutil_dontaudit_access_check_load_policy()
b6161d
- Add dontaudit interfaces for audit_access in seutil
b6161d
- Label /etc/strongimcv as ipsec_conf_file_t.
b6161d
062b36
* Fri Nov 07 2014 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-91
062b36
- Added interface userdom_dontaudit_manage_user_home_dirs
062b36
- Fix unconfined_server_dbus_chat() interface.
062b36
- Add unconfined_server_dbus_chat() interface.
062b36
- Allow login domains to create kernel keyring with different level.
062b36
- Dontaudit policykit_auth_t to write to user home dirs. BZ (1157256)
062b36
- Make tuned as unconfined domain.
062b36
- Added support for linuxptp policy. BZ(1149693)
062b36
- make zoneminder as dbus client by default.
062b36
- Allow bluetooth read/write uhid devices. BZ (1161169)
062b36
- Add fixes for hypervkvp daemon
062b36
- Allow guest to connect to libvirt using unix_stream_socket.
062b36
- Allow all bus client domains to dbus chat with unconfined_service_t.
062b36
- Allow inetd service without own policy to run in inetd_child_t which is unconfined domain.
062b36
- Make opensm as nsswitch domain to make it working with sssd.
062b36
- Allow brctl to read meminfo.
062b36
- Allow winbind-helper to execute ntlm_auth in the caller domain.
062b36
- Make plymouthd as nsswitch domain to make it working with sssd.
062b36
- Make drbd as nsswitch domain to make it working with sssd.
062b36
- Make conman as nsswitch domain to make ipmitool.exp running as conman_t working.
062b36
- Add support for /var/lib/sntp directory.
062b36
a38ffb
* Mon Nov 03 2014 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-90
a38ffb
- Add support for /dev/nvme controllerdevice nodes created by nvme driver.
a38ffb
- Add 15672 as amqp_port_t
a38ffb
- Allow wine domains to read user homedir content
a38ffb
- Add fixes to allow docker to create more content in tmpfs, and dontaudit reading /proc
a38ffb
- Allow winbind to read usermodehelper
a38ffb
- Allow telepathy domains to execute shells and bin_t
a38ffb
- Allow gpgdomains to create netlink_kobject_uevent_sockets
a38ffb
- Allow abrt to read software raid state. BZ (1157770)
a38ffb
- Fix rhcs_signull_haproxy() interface.
a38ffb
- Add support for keepalived unconfined scripts and allow keepalived to read all domain state and kill capability.
a38ffb
- Allow snapperd to dbus chat with system cron jobs.
a38ffb
- Allow nslcd to read /dev/urandom.
a38ffb
- Allow dovecot to create user's home directory when they log into IMAP.
a38ffb
- Label also logrotate.status.tmp as logrotate_var_lib_t. BZ(1158835)
ba65f5
- Allow wine domains to read user homedir content
ba65f5
- Add fixes to allow docker to create more content in tmpfs, and dontaudit reading /proc
a38ffb
af3cfa
* Wed Oct 29 2014 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-89
af3cfa
- Allow keystone_cgi_script_t to bind on commplex_main_port. BZ (#1138424)
af3cfa
- Allow freeipmi_bmc_watchdog rw_sem_perms to freeipmi_ipmiseld
af3cfa
- Allow rabbitmq to read nfs state data. BZ(1122412)
af3cfa
- Allow named to read /var/tmp/DNS_25 labeled as krb5_host_rcache_t.
af3cfa
- Add rolekit policy
af3cfa
- Allow rolekit domtrans to sssd_t.
af3cfa
- Add kerberos_tmp_filetrans_kadmin() interface.
af3cfa
- rolekit should be noaudit.
af3cfa
- Add rolekit_manage_keys().
af3cfa
- Need to label rpmnew file correctly
af3cfa
- Allow modemmanager to connectto itself
af3cfa
317f5a
* Tue Oct 21 2014 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-88
317f5a
- Allow couchdb read sysctl_fs_t files. BZ(1154327)
317f5a
- Allow osad to connect to jabber client port. BZ (1154242)
317f5a
- Allow mon_statd to send syslog msgs. BZ (1077821)
317f5a
- Allow apcupsd to get attributes of filesystems with xattrs
317f5a
650be6
* Fri Oct 17 2014 Miroslav Grepl <mgrepl@redhat.com> 3.13.1-87
650be6
- Allow systemd-networkd to be running as dhcp client.
650be6
- Label /usr/bin/cockpit-bridge as shell_exec_t.
650be6
- Add label for /var/run/systemd/resolve/resolv.conf.
650be6
- Allow listen and accept on tcp socket for init_t in MLS. Previously it was for xinetd_t.
650be6
- Allow systemd-networkd to be running as dhcp client.
650be6
- Label /usr/bin/cockpit-bridge as shell_exec_t.
650be6
- Add label for /var/run/systemd/resolve/resolv.conf.
650be6
- Allow listen and accept on tcp socket for init_t in MLS. Previously it was for xinetd_t.
650be6
8db354
* Tue Oct 14 2014 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-86
8db354
- Dontaudit aicuu to search home config dir. BZ (#1104076)
8db354
- couchdb is using erlang so it needs execmem privs
8db354
- Allow sanlock to send a signal to virtd_t.
8db354
- Allow mongodb to 'accept' accesses on the tcp_socket port.
8db354
- Make sosreport as unconfined domain.
8db354
- Allow nova-console to connect to mem_cache port.
8db354
- Allow mandb to getattr on file systems
8db354
- Allow antivirus domains to read all kernel sysctls.
8db354
- Allow lmsd_plugin to read passwd file. BZ(1093733)
8db354
- Label /usr/share/corosync/corosync as cluster_exec_t.
8db354
- Allow sensord to getattr on sysfs.
8db354
- automount policy is non-base module so it needs to be called in optional block.
8db354
- Add auth_use_nsswitch for portreserve to make it working with sssd.
8db354
- Fix samba_export_all_ro/samba_export_all_rw booleans to dontaudit search/read security files.
8db354
- Allow openvpn to execute  systemd-passwd-agent in  systemd_passwd_agent_t to make openvpn working with systemd.
8db354
- Allow openvpn to access /sys/fs/cgroup dir.
8db354
- Allow nova-scheduler to read certs
8db354
- Add support for /var/lib/swift directory.
8db354
- Allow neutron connections to system dbus.
8db354
- Allow mongodb to manage own log files.
8db354
- Allow opensm_t to read/write /dev/infiniband/umad1.
8db354
- Added policy for mon_statd and mon_procd services. BZ (1077821)
8db354
- kernel_read_system_state needs to be called with type. Moved it to antivirus.if.
8db354
- Allow dnssec_trigger_t to execute unbound-control in own domain.
8db354
- Allow all RHCS services to read system state.
8db354
- Added monitor device
8db354
- Add interfaces for /dev/infiniband
8db354
- Add infiniband_device_t for /dev/infiniband instead of fixed_disk_device_t type.
8db354
- Add files_dontaudit_search_security_files()
8db354
- Add selinuxuser_udp_server boolean
8db354
- Allow syslogd_t to create /var/log/cron with correct labeling
8db354
- Add support for /etc/.updated and /var/.updated
8db354
- Allow iptables read fail2ban logs. BZ (1147709)
8db354
- Allow ldconfig to read /proc/net/sockstat.
8db354
cf8979
* Mon Oct 06 2014 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-85
cf8979
- Allow nova domains to getattr on all filesystems.
cf8979
- Allow zebra for user/group look-ups.
cf8979
- Allow lsmd to search own plugins.
cf8979
- Allow sssd to read selinux config to add SELinux user mapping.
cf8979
- Allow swift to connect to all ephemeral ports by default.
cf8979
- Allow NetworkManager to create Bluetooth SDP sockets
cf8979
- Allow keepalived manage snmp var lib sock files. BZ(1102228)
cf8979
- Added policy for blrtty. BZ(1083162)
cf8979
- Allow rhsmcertd manage rpm db. BZ(#1134173)
cf8979
- Allow rhsmcertd send signull to setroubleshoot. BZ (#1134173)
cf8979
- Label /usr/libexec/rhsmd as rhsmcertd_exec_t
cf8979
- Fix broken interfaces
cf8979
- Added sendmail_domtrans_unconfined interface
cf8979
- Added support for cpuplug. BZ (#1077831)
cf8979
- Fix bug in drbd policy, BZ (#1134883)
cf8979
- Make keystone_cgi_script_t domain. BZ (#1138424)
cf8979
- fix dev_getattr_generic_usb_dev interface
cf8979
- Label 4101 tcp port as brlp port
cf8979
- Allow libreswan to connect to VPN via NM-libreswan.
cf8979
- Add userdom_manage_user_tmpfs_files interface
cf8979
245c83
* Tue Sep 30 2014 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-84
245c83
- Allow all domains to read fonts
245c83
- Allow rabbitmq_t read rabbitmq_var_lib_t lnk files. BZ (#1147028)
245c83
- Allow pki-tomcat to change SELinux object identity.
245c83
- Allow radius to connect to apache ports to do OCSP check
245c83
- Allow git cgi scripts to create content in /tmp
245c83
- Allow cockpit-session to do GSSAPI logins.
245c83
343033
* Mon Sep 22 2014 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-83
343033
- Make sure /run/systemd/generator and system is labeled correctly on creation.
343033
- Additional access required by usbmuxd
343033
- Allow sensord read in /proc BZ(#1143799)
343033
0399c8
* Thu Sep 18 2014 Miroslav Grepl <mgrepl@redhat.com> 3.13.1-82
0399c8
- Allow du running in logwatch_t read hwdata.
0399c8
- Allow sys_admin capability for antivirus domains.
0399c8
- Use nagios_var_lib_t instead of nagios_lib_t in nagios.fc.
0399c8
- Add support for pnp4nagios.
0399c8
- Add missing labeling for /var/lib/cockpit.
0399c8
- Label resolv.conf as docker_share_t under docker so we can read within a container
0399c8
- Remove labeling for rabbitmqctl
0399c8
- setfscreate in pki.te is not capability class.
0399c8
- Allow virt domains to use virtd tap FDs until we get proper handling in libvirtd.
0399c8
- Allow wine domains to create cache dirs.
0399c8
- Allow newaliases to systemd inhibit pipes.
0399c8
- Add fixes for pki-tomcat scriptlet handling.
0399c8
- Allow user domains to manage all gnome home content
0399c8
- Allow locate to look at files/directories without labels, and chr_file and blk_file on non dev file systems
0399c8
- Allow usbmuxd chown capabilities. Allow locate to look at files/directories without labels, and chr_file and blk_file on non dev file systems
0399c8
6021c0
* Thu Sep 11 2014 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-81
6021c0
- Label /usr/lib/erlang/erts.*/bin files as bin_t
6021c0
- Added changes related to rabbitmq daemon.
6021c0
- Fix labeling in couchdb policy
6021c0
- Allow rabbitmq bind on epmd port
6021c0
- Clean up rabbitmq policy
6021c0
- fix domtrans_rabbitmq interface
6021c0
- Added rabbitmq_beam_t and rabbitmq_epmd_t alias
6021c0
- Allow couchdb to getattr
6021c0
- Allow couchdb write to couchdb_conf files
6021c0
- Allow couchdb to create dgram_sockets
6021c0
- Added support for ejabberd
6021c0
ae5a64
* Wed Sep 10 2014 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-80
ae5a64
- Back port workaround for #1134389 from F20. It needs to be removed from rawhide once we ship F21.
ae5a64
- Since docker will now label volumes we can tighten the security of docker
ae5a64
6c07cc
* Wed Sep 10 2014 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-79
6c07cc
- Re-arrange openshift_net_read_t rules.
6c07cc
- Kernel is reporting random block_suspends, we should dontaudit these until the kernel is fixed in Rawhide
6c07cc
- Allow jockey_t to use tmpfs files
6c07cc
- Allow pppd to create sock_files in /var/run
6c07cc
- Allow geoclue to stream connect to smart card service
6c07cc
- Allow docker to read all of /proc
6c07cc
- Allow passenger to read/write apache stream socket.
6c07cc
- Dontaudit read init state for svirt_t.
6c07cc
- Label /usr/sbin/unbound-control as named_exec_t (#1130510)
6c07cc
- Add support for /var/lbi/cockpit directory.
6c07cc
- Add support for ~/.speech-dispatcher.
6c07cc
- Allow nmbd to read /proc/sys/kernel/core_pattern.
6c07cc
- Allow wine domains to create wine_home symlinks.
6c07cc
- Allow policykit_auth_t access check and read usr config files.
6c07cc
- Dontaudit access check on home_root_t for policykit-auth.
6c07cc
- hv_vss_daemon wants to list /boot
6c07cc
- Update gpg_agent_env_file boolean to allow manage user tmp files for gpg-agent
6c07cc
- Fix label for /usr/bin/courier/bin/sendmail
6c07cc
- Allow munin services plugins to execute fail2ban-client in fail2ban_client_t domain.
6c07cc
- Allow unconfined_r to access unconfined_service_t.
6c07cc
- Add label for ~/.local/share/fonts
6c07cc
- Add init_dontaudit_read_state() interface.
6c07cc
- Add systemd_networkd_var_run_t labeling for /var/run/systemd/netif and allow systemd-networkd to manage it.
6c07cc
- Allow udev_t mounton udev_var_run_t dirs #(1128618)
6c07cc
- Add files_dontaudit_access_check_home_dir() interface.
6c07cc
9532ec
* Tue Sep 02 2014 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-78
9532ec
- Allow unconfined_service_t to dbus chat with all dbus domains
9532ec
- Assign rabbitmq port.  BZ#1135523
9532ec
- Add new interface to allow creation of file with lib_t type
9532ec
- Allow init to read all config files
9532ec
- We want to remove openshift_t domains ability to look at /proc/net
9532ec
- I guess lockdown is a file not a directory
9532ec
- Label /var/bacula/ as bacula_store_t
9532ec
- Allow rhsmcertd to send signull to sosreport.
9532ec
- Allow sending of snmp trap messages by radiusd.
9532ec
- Remove redundant rule from nova.te.
9532ec
- Add auth_use_nsswitch() for ctdbd.
9532ec
- call nova_vncproxy_t instead of vncproxy.
9532ec
- Allow nova-vncproxy to use varnishd port.
9532ec
- Fix rhnsd_manage_config() to allow manage also symlinks.
9532ec
- Allow bacula to create dirs/files in /tmp
9532ec
- Allow nova-api to use nsswitch.
9532ec
- Clean up nut policy. Allow nut domains to create temp files. Add nut_domain_template() template interface.
9532ec
- Allow usbmuxd connect to itself by stream socket. (#1135945)
9532ec
- I see no reason why unconfined_t should transition to crontab_t, this looks like old cruft
9532ec
- Allow nswrapper_32_64.nppdf.so to be created with the proper label
9532ec
- Assign rabbitmq port.  BZ#1135523
9532ec
- Dontaudit leaks of file descriptors from domains that transition to  thumb_t
9532ec
- Fixes for usbmuxd, addition of /var/lib/lockdown, and allow it to use urand, dontaudit sys_resource
9532ec
- Allow unconfined_service_t to dbus chat with all dbus domains
9532ec
- Allow avahi_t communicate with pcp_pmproxy_t over dbus.(better way)
9532ec
- Allow avahi_t communicate with pcp_pmproxy_t over dbus.
9532ec
c46359
* Thu Aug 28 2014 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-77
c46359
- Allow aide to read random number generator
c46359
- Allow pppd to connect to http port. (#1128947)
c46359
- sssd needs to be able write krb5.conf.
c46359
- Label initial-setup as install_exec_t.
c46359
- Allow domains that are allowed to mounton proc to mount on files as well as dirs
c46359
45b429
* Tue Aug 26 2014 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-76
45b429
- Label ~/tmp and ~/.tmp directories in user tmp dirs as user_tmp_t
45b429
- Add a port definition for shellinaboxd
45b429
- Fix labeling for HOME_DIR/tmp and HOME_DIR/.tmp directories
45b429
- Allow thumb_t to read/write video devices
45b429
- fail2ban 0.9 reads the journal by default.
45b429
- Allow sandbox net domains to bind to rawip socket
45b429
f9cc8e
* Fri Aug 22 2014 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-75
f9cc8e
- Allow haproxy to read /dev/random and /dev/urandom.
f9cc8e
- Allow mdadm to send signull to kernel_t, which is the process type of mdadm on early boot.
f9cc8e
- geoclue needs to connect to http and http_cache ports
f9cc8e
- Allow passenger to use unix_stream_sockets leaked into it, from httpd
f9cc8e
- Add SELinux policy for highly-available key value store for shared configuration.
f9cc8e
- drbd executes modinfo.
f9cc8e
- Add glance_api_can_network boolean since glance-api uses huge range port.
f9cc8e
- Fix glance_api_can_network() definition.
f9cc8e
- Allow smoltclient to connect on http_cache port. (#982199)
f9cc8e
- Allow userdomains to stream connect to pcscd for smart cards
f9cc8e
- Allow programs to use pam to search through user_tmp_t dirs (/tmp/.X11-unix)
f9cc8e
- Added MLS fixes to support labeled socket activation which is going to be done by systemd
f9cc8e
- Add kernel_signull() interface.
f9cc8e
- sulogin_t executes plymouth commands
f9cc8e
- lvm needs to be able to accept connections on stream generic sockets
f9cc8e
5f1085
* Thu Aug 21 2014 Kevin Fenzi <kevin@scrye.com> - 3.13.1-74
5f1085
- Rebuild for rpm bug 1131960
5f1085
9229b6
* Mon Aug 18 2014 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-73
9229b6
- Allow systemd_logind_t to list tmpfs directories
9229b6
- Allow lvm_t to create undefined sockets
9229b6
- Allow passwd_t to read/write stream sockets
9229b6
- Allow docker lots more access.
9229b6
- Fix label for ports
9229b6
- Add support for arptables-{restore,save} and also labeling for /usr/lib/systemd/system/arptables.service.
9229b6
- Label tcp port 4194 as kubernetes port.
9229b6
- Additional access required for passenger_t
9229b6
- sandbox domains should be allowed to use libraries which require execmod
9229b6
- Allow qpid to read passwd files BZ (#1130086)
9229b6
- Remove cockpit port, it is now going to use websm port
9229b6
- Add getattr to the list of access to dontaudit on unix_stream_sockets
9229b6
- Allow sendmail to append dead.letter located in var/spool/nagios/dead.letter.
9229b6
9229b6
9229b6
* Tue Aug 12 2014 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-72
3399c5
- docker needs to be able to look at everything in /dev
3399c5
- Allow all processes to send themselves signals
3399c5
- Allow sysadm_t to create netlink_tcpdiag socket
3399c5
- sysadm_t should be allowed to communicate with networkmanager
3399c5
- These are required for bluejeans to work on a unconfined.pp disabled machine
3399c5
- docker needs setfcap
3399c5
- Allow svirt domains to manage chr files and blk files for mknod commands
3399c5
- Allow fail2ban to read audit logs
3399c5
- Allow cachefilesd_t to send itself signals
3399c5
- Allow smokeping cgi script to send syslog messages
3399c5
- Allow svirt sandbox domains to relabel content
3399c5
- Since apache content can be placed anywhere, we should just allow apache to search through any directory
3399c5
- These are required for bluejeans to work on a unconfined.pp disabled machine
3399c5
0bd1c4
* Mon Aug 4 2014 Miroslav Grepl <mgrepl@redhat.com> 3.13.1-71
0bd1c4
- shell_exec_t should not be in cockpit.fc
0bd1c4
c950f2
* Mon Aug 4 2014 Miroslav Grepl <mgrepl@redhat.com> 3.13.1-70
c950f2
- Add additional fixes for  abrt-dump-journal-oops which is now labeled as abrt_dump_oops_exec_t.
c950f2
- Allow denyhosts to enable synchronization which needs to connect to tcp/9911 port.
c950f2
- Allow nacl_helper_boo running in :chrome_sandbox_t to send SIGCHLD to chrome_sandbox_nacl_t.
c950f2
- Dontaudit write access on generic cert files. We don't audit also access check.
c950f2
- Add support for arptables.
c950f2
- Add labels and filenametrans rules for ostree repo directories which needs to be writable by subscription-manager.
c950f2
4abfbc
* Mon Aug  4 2014 Tom Callaway <spot@fedoraproject.org> 3.13.1-69
4abfbc
- fix license handling
4abfbc
540429
* Thu Jul 31 2014 Miroslav Grepl <mgrepl@redhat.com> 3.13.1-68
540429
- Add new mozilla_plugin_bind_unreserved_ports boolean to allow mozilla plugin to use tcp/udp unreserved ports. There is a lot of plugins which binds ports without SELinux port type. We want to allow users to use these plugins properly using this boolean. (#1109681)
540429
- Allow smokeping cgi scripts to accept connection on httpd stream socket.
540429
- docker does a getattr on all file systems
540429
- Label all abrt-dump programs
540429
- Allow alsa to create lock file to see if it fixes.
540429
- Add support for zabbix external scripts for which zabbix_script_t domain has been created. This domain is unconfined by default and user needs to run "semodule -d unconfined" to make system running without unconfined domains. The default location of these scripts is /usr/lib/zabbix/externalscripts. If a user change DATADIR in CONFIG_EXTERNALSCRIPTS then he needs to set labeling for this new location.
540429
- Add interface for journalctl_exec
540429
- Add labels also for glusterd sockets.
540429
- Change virt.te to match default docker capabilities
540429
- Add additional booleans for turning on mknod or all caps.
540429
- Also add interface to allow users to write policy that matches docker defaults
540429
- for capabilities.
540429
- Label dhcpd6 unit file.
540429
- Add support also for dhcp IPv6 services.
540429
- Added support for dhcrelay service
540429
- Additional access for bluejeans
540429
- docker needs more access, need back port to RHEL7
540429
- Allow mdadm to connect to own socket created by mdadm running as kernel_t.
540429
- Fix pkcs, Remove pkcs_lock_filetrans and Add files_search_locks
540429
- Allow bacula manage bacula_log_t dirs
540429
- Allow pkcs_slotd_t read /etc/passwd, Label /var/lock/opencryptoki as pkcs_slotd_lock_t 
540429
- Fix mistakes keystone and quantum
540429
- Label neutron var run dir 
540429
- Label keystone var run dir
540429
- Fix bad labeling for /usr/s?bin/(oo|rhc)-restorer-wrapper.sh in openshift.fc.
540429
- Dontaudit attempts to access check cert dirs/files for sssd.
540429
- Allow sensord to send a signal.
540429
- Allow certmonger to stream connect to dirsrv to make  ipa-server-install working.
540429
- Label zabbix_var_lib_t directories
540429
- Label conmans pid file as conman_var_run_t
540429
- Label also /var/run/glusterd.socket file as gluster_var_run_t
540429
- Fix policy for pkcsslotd from opencryptoki
540429
- Update cockpit policy from cockpit upstream.
540429
- Allow certmonger to exec ldconfig to make  ipa-server-install  working. 
540429
- Added support for Naemon policy 
540429
- Allow keepalived manage snmp files
540429
- Add setpgid process to mip6d
540429
- remove duplicate rule
540429
- Allow postfix_smtpd to stream connect to antivirus 
540429
- Dontaudit list /tmp for icecast 
540429
- Allow zabbix domains to access /proc//net/dev.
540429
540429
* Wed Jul 23 2014 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-67
0a90ee
- Allow zabbix domains to access /proc//net/dev.
0a90ee
- Dontaudit list /tmp for icecast (#894387)
0a90ee
- Allow postfix_smtpd to stream connect to antivirus (#1105889)
0a90ee
- Add setpgid process to mip6d
0a90ee
- Allow keepalived manage snmp files(#1053450)
0a90ee
- Added support for Naemon policy (#1120789).
0a90ee
- Allow certmonger to exec ldconfig to make  ipa-server-install  working. (#1122110)
0a90ee
- Update cockpit policy from cockpit upstream.
0a90ee
668337
* Mon Jul 21 2014 Miroslav Grepl <mgrepl@redhat.com> 3.13.1-66
668337
- Revert labeling back to /var/run/systemd/initctl/fifo
668337
- geoclue dbus chats with modemmanager
668337
- Bluejeans wants to connect to port 5000
668337
- geoclue dbus chats with modemmanager
668337
ee1386
* Fri Jul 18 2014 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-65
ee1386
- Allow sysadm to dbus chat with systemd
ee1386
- Add logging_dontaudit_search_audit_logs()
ee1386
- Add new files_read_all_mountpoint_symlinks() 
ee1386
- Fix labeling path from /var/run/systemd/initctl/fifo to /var/run/initctl/fifo.
ee1386
- Allow ndc to read random and urandom device (#1110397)
ee1386
- Allow zabbix to read system network state
ee1386
- Allow fprintd to execute usr_t/bin_t
ee1386
- Allow mailserver_domain domains to append dead.letter labeled as mail_home_t
ee1386
- Add glance_use_execmem boolean to have glance configured to use Ceph/rbd
ee1386
- Dontaudit search audit logs for fail2ban
ee1386
- Allow mailserver_domain domains to create mail home content with right labeling
ee1386
- Dontaudit svirt_sandbox_domain doing access checks on /proc
ee1386
- Fix  files_pid_filetrans() calling in nut.te to reflect allow rules.
ee1386
- Use nut_domain attribute for files_pid_filetrans() for nut domains.
ee1386
- Allow sandbox domains read all mountpoint symlinks to make symlinked homedirs
ee1386
- Fix nut domains only have type transition on dirs in /run/nut directory.
ee1386
- Allow net_admin/net_raw capabilities for haproxy_t. haproxy uses setsockopt()
ee1386
- Clean up osad policy. Remove additional interfaces/rules
ee1386
3e33a0
* Mon Jul 14 2014 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-64
3e33a0
- Allow systemd domains to check lvm status
3e33a0
- Allow getty to execute plymouth.#1112870
3e33a0
- Allow sshd to send signal to chkpwd_t
3e33a0
- initctl fifo file has been renamed
3e33a0
- Set proper labeling on /var/run/sddm
3e33a0
- Fix labeling for cloud-init logs
3e33a0
- Allow kexec to read kallsyms
3e33a0
- Add rhcs_stream_connect_haproxy interface, Allow neutron stream connect to rhcs
3e33a0
- Add fsetid caps for mandb. #1116165
3e33a0
- Allow all nut domains to read  /dev/(u)?random.
3e33a0
- Allow deltacloudd_t to read network state BZ #1116940
3e33a0
- Add support for KVM virtual machines to use NUMA pre-placement
3e33a0
- Allow utilize winbind for authentication to AD
3e33a0
- Allow chrome sandbox to use udp_sockets leaked in by its parent
3e33a0
- Allow gfs_controld_t to getattr on all file systems
3e33a0
- Allow logrotate to manage virt_cache
3e33a0
- varnishd needs to have fsetid capability
3e33a0
- Allow dovecot domains to send signal perms to themselves
3e33a0
- Allow apache to manage pid sock files
3e33a0
- Allow nut_upsmon_t to create sock_file in /run dir
3e33a0
- Add capability sys_ptrace to stapserver
3e33a0
- Mysql can execute scripts when run in a cluster to see if someone is listening on a socket, basically runs lsof
3e33a0
- Added support for vdsm
3e33a0
682896
* Fri Jul 4 2014 Miroslav Grepl<mgrepl@redhat.com> 3.13.1-63
682896
- If I can create a socket I need to be able to set the attributes
682896
- Add tcp/8775 port as neutron port
682896
- Add additional ports for swift ports
682896
- Added changes to fedora from bug bz#1082183
682896
- Add support for tcp/6200 port
682896
- Allow collectd getattr access to configfs_t dir Fixes Bug 1115040
682896
- Update neutron_manage_lib_files() interface
682896
- Allow glusterd to connect to ephemeral ports
682896
- Allow apache to search ipa lib files by default
682896
- Allow neutron to domtrans to haproxy
682896
- Add rhcs_domtrans_haproxy()
682896
- Add support for openstack-glance-* unit files
682896
- Add initial support for /usr/bin/glance-scrubber
682896
- Allow swift to connect to keystone and memcache ports.
682896
- Fix labeling for /usr/lib/systemd/system/openstack-cinder-backup
682896
- Add policies for openstack-cinder
682896
- Add support for /usr/bin/nova-conductor
682896
- Add neutron_can_network boolean
682896
- Allow neutron to connect to neutron port
682896
- Allow glance domain to use syslog
682896
- Add support for /usr/bin/swift-object-expirer and label it as swift_exec_t
682896
24862f
* Wed Jun 25 2014 Miroslav Grepl<mgrepl@redhat.com> 3.13.1-62
24862f
- Allow swift to use tcp/6200 swift port
24862f
- Allow swift to search apache configs
24862f
- Remove duplicate .fc entry for Grilo plugin bookmarks
24862f
- Remove duplicate .fc entry for telepathy-gabble
24862f
- Additional allow rules for docker sandbox processes
24862f
- Allow keepalived connect to agentx port
24862f
- Allow neutron-ns-metadata to connectto own unix stream socket
24862f
- Add support for tcp/6200 port
24862f
- Remove ability for confined users to run xinit
24862f
- New tool for managing wireless /usr/sbin/iw
24862f
211fb9
* Fri Jun 20 2014 Miroslav Grepl<mgrepl@redhat.com> 3.13.1-61
211fb9
- Add back MLS policy
211fb9
c04c31
* Thu Jun 19 2014 Miroslav Grepl<mgrepl@redhat.com> 3.13.1-60
c04c31
- Implement new spec file handling for *.pp modules which allows us to move a policy module out of the policy
c04c31
1c0c71
* Tue Jun 17 2014 Miroslav Grepl<mgrepl@redhat.com> 3.13.1-59
1c0c71
- Allow system_bus_types to use stream_sockets inherited from system_dbusd
1c0c71
- Allow journalctl to call getpw
1c0c71
- New access needed by dbus to talk to kernel stream
1c0c71
- Label sm-notifypid files correctly
1c0c71
- contrib: Add KMSCon policy module
1c0c71
a62949
* Wed Jun 11 2014 Miroslav Grepl<mgrepl@redhat.com> 3.13.1-58
a62949
- Add mozilla_plugin_use_bluejeans boolean
a62949
- Add additional interfaces needed by mozilla_plugin_use_bluejeans boolean
a62949
686a38
* Mon Jun 9 2014 Miroslav Grepl<mgrepl@redhat.com> 3.13.1-57
686a38
- Allow staff_t to communicate and run docker
686a38
- Fix *_ecryptfs_home_dirs booleans
686a38
- Allow ldconfig_t to read/write inherited user tmp pipes
686a38
- Allow storaged to dbus chat with lvm_t
686a38
- Add support for storaged  and storaged-lvm-helper. Labeled it as lvm_exec_t.
686a38
- Use proper calling in ssh.te for userdom_home_manager attribute
686a38
- Use userdom_home_manager_type() also for ssh_keygen_t
686a38
- Allow locate to list directories without labels
686a38
- Allow bitlbee to use tcp/7778 port
686a38
- /etc/cron.daily/logrotate to execute fail2ban-client.
686a38
- Allow keepalived to connect to SNMP port. Support to do SNMP stuff
686a38
- Allow staff_t to communicate and run docker
686a38
- Dontaudit search mgrepl/.local for cobblerd_t
686a38
- Allow neutron to execute kmod in insmod_t
686a38
- Allow neutron to execute udevadm in udev_t
686a38
- Allow also fowner cap for varnishd
686a38
- Allow keepalived to execute bin_t/shell_exec_t
686a38
- rhsmcertd seems to need these accesses.  We need this backported to RHEL7 and perhaps RHEL6 policy
686a38
- Add cups_execmem boolean
686a38
- Allow gear to manage gear service
686a38
- New requires for gear to use systemctl and init var_run_t
686a38
- Allow cups to execute its rw_etc_t files, for brothers printers
686a38
- Add fixes to make munin and munin-cgi working. Allow munin-cgit to create files/dirs in /tmp, list munin conf dirs and manage munin logs.
686a38
- Allow swift to execute bin_t
686a38
- Allow swift to bind http_cache
686a38
07a8be
* Sun Jun 08 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 3.13.1-56
07a8be
- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild
07a8be
0ddb74
* Tue May 27 2014 Miroslav Grepl<mgrepl@redhat.com> 3.13.1-55
0ddb74
- Add decl for cockpit port
0ddb74
- Allow sysadm_t to read all kernel proc
0ddb74
- Allow logrotate to execute all executables
0ddb74
- Allow lircd_t to use tty_device_t for use with mythtv
0ddb74
- Make sure all zabbix files direcories in /var/log have the correct label
0ddb74
- Allow bitlbee to create directories and files in /var/log with the correct label
0ddb74
- Label /var/log/horizon as an apache log
0ddb74
- Add squid directory in /var/run
0ddb74
- Add transition rules to allow rabbitmq to create log files and var_lib files with the correct label
0ddb74
- Wrongly labeled avahi_var_lib_t as a pid file
0ddb74
- Fix labels on rabbitmq_var_run_t on file/dir creation
0ddb74
- Allow neutron to create sock files
0ddb74
- Allow postfix domains to getattr on all file systems
0ddb74
- Label swift-proxy-server as swift_exec_t
0ddb74
- Tighten SELinux capabilities to match docker capabilities
0ddb74
- Add fixes for squid which is configured to run with more than one worker.
0ddb74
- Allow cockpit to bind to its port
0ddb74
cccaf8
* Tue May 20 2014 Miroslav Grepl<mgrepl@redhat.com> 3.13.1-54
cccaf8
- geard seems to do a lot of relabeling
cccaf8
- Allow system_mail_t to append to munin_var_lib_t
cccaf8
- Allow mozilla_plugin to read alsa_rw_ content
cccaf8
- Allow asterisk to connect to the apache ports
cccaf8
- Dontaudit attempts to read fixed disk
cccaf8
- Dontaudit search gconf_home_t
cccaf8
- Allow rsync to create  swift_server.lock with swift.log labeling
cccaf8
- Add labeling for swift lock files
cccaf8
- Use swift_virt_lock in swift.te
cccaf8
- Allow openwsman to getattr on sblim_sfcbd executable
cccaf8
- Fix sblim_stream_connect_sfcb() to contain also sblim_tmp_t
cccaf8
- Allow openwsman_t to read/write sblim-sfcb shared mem
cccaf8
- Allow openwsman to stream connect to sblim-sfcbd
cccaf8
- Allow openwsman to create tmpfs files/dirs
cccaf8
- Dontaudit access to rpm db if rpm_exec for swift_t and sblim_sfcbd_t
cccaf8
- Allow sblim_sfcbd to execute shell
cccaf8
- Allow swift to create lock file
cccaf8
- Allow openwsman to use tcp/80
cccaf8
- Allow neutron to create also dirs in /tmp
cccaf8
- Allow seunshare domains to getattr on all executables
cccaf8
- Allow ssh-keygen to create temporary files/dirs needed by OpenStack
cccaf8
- Allow named_filetrans_domain to create /run/netns
cccaf8
- Allow ifconfig to create /run/netns
cccaf8
dfbb9a
* Tue May 13 2014 Miroslav Grepl<mgrepl@redhat.com> 3.13.1-53
dfbb9a
- Add missing dyntransition for sandbox_x_domain
dfbb9a
6fbf46
* Wed May 7 2014 Miroslav Grepl<mgrepl@redhat.com> 3.13.1-52
6fbf46
- More rules for gears and openshift
dbf4ab
- Added iotop policy. Thanks William Brown
dbf4ab
- Allow spamc to read .pyzor located in /var/spool/spampd
dbf4ab
- Allow spamc to create home content with correct labeling
dbf4ab
- Allow logwatch_mail_t to create dead.letter with correct labeling
dbf4ab
- Add labeling for min-cloud-agent
dbf4ab
- Allow geoclue to read unix in proc.
dbf4ab
- Add support for /usr/local/Brother labeling. We removed /usr/local equiv.
dbf4ab
- add support for min-cloud-agent
dbf4ab
- Allow ulogd to request the kernel to load a module
dbf4ab
- remove unconfined_domain for openwsman_t
dbf4ab
- Add openwsman_tmp_t rules
dbf4ab
- Allow openwsman to execute chkpwd and make this domain as unconfined for F20.
dbf4ab
- Allow nova-scheduler to read passwd file
dbf4ab
- Allow neutron execute arping in neutron_t
dbf4ab
- Dontaudit logrotate executing systemctl command attempting to net_admin
dbf4ab
- Allow mozilla plugins to use /dev/sr0
dbf4ab
- svirt sandbox domains to read gear content in /run. Allow gear_t to manage openshift files
dbf4ab
- Any app that executes systemctl will attempt a net_admin
dbf4ab
- Fix path to mmap_min_addr
6fbf46
4c682c
* Wed May 7 2014 Miroslav Grepl<mgrepl@redhat.com> 3.13.1-51
4c682c
- Add gear fixes from dwalsh
4c682c
9d0057
* Tue May 6 2014 Miroslav Grepl<mgrepl@redhat.com> 3.13.1-50
9d0057
- selinux_unconfined_type should not be able to set booleans if the securemode is set
9d0057
- Update sandbox_transition() to call sandbox_dyntransition(). #885288.
9d0057
4e5d63
* Mon May 5 2014 Miroslav Grepl<mgrepl@redhat.com> 3.13.1-49
4e5d63
- Fix labeling for /root/\.yubico
4e5d63
- userdom_search_admin_dir() calling needs to be optional in kernel.te
4e5d63
- Dontaudit leaked xserver_misc_device_t into plugins
4e5d63
- Allow all domains to search through all base_file_types, this should be back ported to RHEL7 policy
4e5d63
- Need to allow sssd_t to manage kernel keyrings in login programs since they don't get labeled with user domains
4e5d63
- Bootloader wants to look at init state
4e5d63
- Add MCS/MLS Constraints to kernel keyring, also add MCS Constraints to ipc, sem.msgq, shm
4e5d63
- init reads kdump etc files
4e5d63
- Add support for tcp/9697
4e5d63
- Fix labeling for /var/run/user/<UID>/gvfs
4e5d63
- Add support for us_cli ports
4e5d63
- fix sysnet_use_ldap
4e5d63
- Allow mysql to execute ifconfig if Red Hat OpenStack
4e5d63
- Allow stap-server to get attr on all fs
4e5d63
- Fix mail_pool_t to mail_spool_t
4e5d63
- Dontaudit leaked xserver_misc_device_t into plugins
4e5d63
- Need to allow sssd_t to manage kernel keyrings in login programs since they don't get labeled with user domains
4e5d63
- Add new labeling for /var/spool/smtpd
4e5d63
- Allow httpd_t to kill passenger
4e5d63
- Allow apache cgi scripts to use inherited httpd_t unix_stream_sockets
4e5d63
- Allow nova-scheduler to read passwd/utmp files
- Additional rules required by openstack, needs backport to F20 and RHEL7
- Additional access required by docker
- Allow motion to use tcp/8082 port
* Fri Apr 25 2014 Miroslav Grepl<mgrepl@redhat.com> 3.13.1-48
- Fix virt_use_samba boolean
- Looks like all domains that use dbus libraries are now reading /dev/urand
- Add glance_use_fusefs() boolean
- Allow tgtd to read /proc/net/psched
- Additional access required for gear management of openshift directories
- Allow sys_ptrace for mock-build
- Fix mock_read_lib_files() interface
- Allow mock-build to write all inherited ttys and ptys
- Allow spamd to create razor home dirs with correct labeling
- Clean up sysnet_use_ldap()
- systemd calling needs to be optional
- Allow init_t to setattr/relabelfrom dhcp state files
* Wed Apr 23 2014 Miroslav Grepl<mgrepl@redhat.com> 3.13.1-47
- mongod should not be a part of cloudforms.pp
- Fix labeling in snapper.fc
- Allow docker to read unconfined_t process state
- geoclue dbus chats with NetworkManager
- Add cockpit policy
- Add interface to allow tools to check the processes state of bind/named
- Allow mysqld to use the tram port for Galera/MariaDB
* Fri Apr 18 2014 Miroslav Grepl<mgrepl@redhat.com> 3.13.1-46
- Allow init_t to setattr/relabelfrom dhcp state files
- Allow dmesg to read hwdata and memory dev
- Allow strongswan to create ipsec.secrets with correct labeling in /etc/strongswan
- Dontaudit antivirus domains read access on all security files by default
- Add missing alias for old amavis_etc_t type
- Additional fixes for instack overcloud
- Allow block_suspend cap for haproxy
- Allow OpenStack to read mysqld_db links and connect to MySQL
- Remove dup filename rules in gnome.te
- Allow sys_chroot cap for httpd_t and setattr on httpd_log_t
- Add labeling for /lib/systemd/system/thttpd.service
- Allow iscsid to handle own unit files
- Add iscsi_systemctl()
- Allow mongod also create sock_file with correct labeling in /run
- Allow aiccu stream connect to pcscd
- Allow rabbitmq_beam to connect to httpd port
- Allow httpd to send signull to apache script domains and don't audit leaks
- Fix labeling in drbd.fc
- Allow sssd to connect to the smbd port for handing logins using active directory, needs back port for rhel7
- Allow all freeipmi domains to read/write ipmi devices
- Allow rabbitmq_epmd to manage rabbit_var_log_t files
- Allow sblim_sfcbd to use also pegasus-https port
- Allow chronyd to read /sys/class/hwmon/hwmon1/device/temp2_input
- Add httpd_run_preupgrade boolean
- Add interfaces to access preupgrade_data_t
- Add preupgrade policy
- Add labeling for puppet helper scripts
* Tue Apr 8 2014 Miroslav Grepl<mgrepl@redhat.com> 3.13.1-45
- Rename puppet_t to puppetagent_t and use it only for the puppet agent, which can be started by init. Also make it unconfined_noaudit because there is no reason to confine it but we want to avoid init_t.
* Tue Apr 8 2014 Miroslav Grepl<mgrepl@redhat.com> 3.13.1-44
- Change hsperfdata_root to have as user_tmp_t
- Allow rsyslog low-level network access
- Fix use_nfs_home_dirs/use_samba_home_dirs for xdm_t to allow append .xsession-errors by lightdm
- Allow conman to resolve DNS and use user ptys
- update pegasus_openlmi_admin_t policy
- nslcd wants chown capability
- Dontaudit exec insmod in boinc policy
* Fri Apr 4 2014 Miroslav Grepl<mgrepl@redhat.com> 3.13.1-43
- Add labels for /var/named/chroot_sdb/dev devices
- Add support for strongimcv
- Add additional fixes for yubikeys based on william@firstyear.id.au
- Allow init_t run /sbin/augenrules
- Remove dup decl for dev_unmount_sysfs_fs
- Allow unpriv SELinux user to use sandbox
- Fix ntp_filetrans_named_content for sntp-kod file
- Add httpd_dbus_sssd boolean
- Dontaudit exec insmod in boinc policy
- Add dbus_filetrans_named_content_system()
- We want to label only /usr/bin/start-puppet-master to avoid puppet agent running in puppet_t
- varnishd wants chown capability
- update ntp_filetrans_named_content() interface
- Add additional fixes for neutron_t. #1083335
- Dontaudit sandbox_t getattr on proc_kcore_t
- Allow pki_tomcat_t to read ipa lib files
* Tue Apr 1 2014 Miroslav Grepl<mgrepl@redhat.com> 3.13.1-42
- Merge user_tmp_t and user_tmpfs_t together to have only user_tmp_t
* Thu Mar 27 2014 Miroslav Grepl<mgrepl@redhat.com> 3.13.1-41
- Turn on gear_port_t
- Add gear policy and remove permissive domains.
- Add labels for ostree
- Add SELinux awareness for NM
- Label /usr/sbin/pwhistory_helper as updpwd_exec_t
* Wed Mar 26 2014 Miroslav Grepl<mgrepl@redhat.com> 3.13.1-40
- update storage_filetrans_all_named_dev for sg* devices
- Allow auditctl_t to getattr on all removable devices
- Allow nsswitch_domains to stream connect to nmbd
- Allow rasdaemon to rw /dev/cpu//msr
- fix /var/log/pki file spec
- make bacula_t as auth_nsswitch domain
- Allow certmonger to manage ipa lib files
- Add support for /var/lib/ipa
* Tue Mar 25 2014 Miroslav Grepl<mgrepl@redhat.com> 3.13.1-39
- Manage_service_perms should include enable and disable, need backport to RHEL7
- Allow also unpriv user to run vmtools
- Allow secadm to read /dev/urandom and meminfo
- Add userdom_tmp_role for secadm_t
- Allow postgresql to read network state
- Add a new file context for /var/named/chroot/run directory
- Add booleans to allow docker processes to use nfs and samba
- Dontaudit net_admin for /usr/lib/jvm/java-1.7.0-openjdk-1.7.0.51-2.4.5.1.el7.x86_64/jre-abrt/bin/java running as pki_tomcat_t
- Allow puppet stream connect to mysql
- Fixed some rules related to puppet policy
- Allow vmware-user-sui to use user ttys
- Allow talk 2 users logged via console too
- Additional avcs for docker when running tests
- allow anaconda to dbus chat with systemd-localed
- clean up rhcs.te
- remove dup rules from haproxy.te
- Add fixes for haproxy based on bperkins@redhat.com
- Allow cmirrord to make dmsetup work
- Allow NM to execute arping
- Allow users to send messages through talk
- update rtas_errd policy
- Add support for /var/spool/rhsm/debug
- Make virt_sandbox_use_audit as True by default
- Allow svirt_sandbox_domains to ptrace themselves
- Allow snmpd to getattr on removable and fixed disks
- Allow docker containers to manage /var/lib/docker content
* Mon Mar 17 2014 Miroslav Grepl<mgrepl@redhat.com> 3.13.1-38
- Label sddm as xdm_exec_t to make KDE work again
- Allow postgresql to read network state
- Allow java running as pki_tomcat to read network sysctls
- Fix cgroup.te to allow cgred to read cgconfig_etc_t
- Allow beam.smp to use ephemeral ports
- Allow winbind to use the nis to authenticate passwords
* Mon Mar 17 2014 Miroslav Grepl<mgrepl@redhat.com> 3.13.1-37
- Allow collectd to talk to libvirt
- Allow chrome_sandbox to use leaked unix_stream_sockets
- Dontaudit leaks of sockets into chrome_sandbox_t
- If you create a cups directory in /var/cache then it should be labeled cups_rw_etc_t
- Run vmtools as unconfined domains
- Allow snort to manage its log files
- Allow systemd_cronjob_t to be entered via bin_t
- Allow procman to list doveconf_etc_t
- allow keyring daemon to create content in tmpfs directories
- Add proper labelling for icedtea-web
- vpnc is creating content in networkmanager var run directory
- unconfined_service should be allowed to transition to rpm_script_t
- Allow couchdb to listen on port 6984
- Dontaudit attempts by unpriv user domain to write to /run/mount directory, caused by running mount command
- Allow systemd-logind to setup user tmpfs directories
- Add additional fixes for systemd_networkd_t
- Allow systemd-logind to manage user_tmpfs_t
- Allow systemd-logind to mount /run/user/1000 to get gdm working
* Fri Mar 14 2014 Miroslav Grepl<mgrepl@redhat.com> 3.13.1-36
- Add additional fixes for systemd_networkd_t
- Allow systemd-logind to manage user_tmpfs_t
- Allow systemd-logind to mount /run/user/1000 to get gdm working
- Dontaudit attempts to setsched on the kernel_t threads
- Allow munin mail plugins to read network sysctl
- Fix git_system_enable_homedirs boolean
- Make cimtest script 03_defineVS.py of ComputerSystem group work
- Make abrt-java-connector work
- Allow net_admin cap for fence_virtd running as fenced_t
- Allow vmtools_helper_t to execute bin_t
- Add support for /usr/share/joomla
* Thu Mar 13 2014 Miroslav Grepl<mgrepl@redhat.com> 3.13.1-35
- sshd to read network sysctls
- Allow vmtools_helper_t to execute bin_t
- Add support for /usr/share/joomla
- /var/lib/containers should be labeled as openshift content for now
- Allow docker domains to talk to the login programs, to allow a process to login into the container
* Wed Mar 12 2014 Miroslav Grepl<mgrepl@redhat.com> 3.13.1-34
- Add install_t for anaconda
* Wed Mar 12 2014 Miroslav Grepl<mgrepl@redhat.com> 3.13.1-33
- Allow init_t to stream connect to ipsec
- Add /usr/lib/systemd/systemd-networkd policy
- Add sysnet_manage_config_dirs()
- Add support for /var/run/systemd/network and labeled it as net_conf_t
- Allow unpriv SELinux users to dbus chat with firewalld
- Add lvm_write_metadata()
- Label /etc/yum.reposd dir as system_conf_t. Should be safe because system_conf_t is base_ro_file_type
- Add support for /dev/vmcp and /dev/sclp
- Add docker_connect_any boolean
- Fix zabbix policy
- Allow zabbix to send system log msgs
- Allow pegasus_openlmi_storage_t to write lvm metadata
- Updated pcp_bind_all_unreserved_ports
- Allow numad to write scan_sleep_millisecs
- Turn on entropyd_use_audio boolean by default
- Allow cgred to read /etc/cgconfig.conf because it contains templates used together with rules from /etc/cgrules.conf.
- Allow lscpu running as rhsmcertd_t to read /proc/sysinfo
* Mon Mar 10 2014 Miroslav Grepl<mgrepl@redhat.com> 3.13.1-32
- Allow numad to write scan_sleep_millisecs
- Turn on entropyd_use_audio boolean by default
- Allow cgred to read /etc/cgconfig.conf because it contains templates used together with rules from /etc/cgrules.conf.
- Allow lscpu running as rhsmcertd_t to read /proc/sysinfo
- Allow numad to write scan_sleep_millisecs
- Turn on entropyd_use_audio boolean by default
- Allow cgred to read /etc/cgconfig.conf because it contains templates used together with rules from /etc/cgrules.conf.
- Allow lscpu running as rhsmcertd_t to read /proc/sysinfo
- Fix label on irclogs in the homedir
* Fri Mar 7 2014 Miroslav Grepl<mgrepl@redhat.com> 3.13.1-31
- Modify xdm_write_home to allow create files/links in /root with xdm_home_t
- Add more fixes for https://fedoraproject.org/wiki/Changes/XorgWithoutRootRights
- Add xserver_dbus_chat() interface
- Add sysnet_filetrans_named_content_ifconfig() interface
- Change userdom_use_user_inherited_ttys to userdom_use_user_ttys for systemd-tty-ask
- Turn on cron_userdomain_transition by default for now. Until we get a fix for #1063503
- Allow lscpu running as rhsmcertd_t to read sysinfo
- Allow virt domains to read network state
- Added pcp rules
- Allow ctdbd to connect own ports
- Fix samba_export_all_rw boolean to cover also non security dirs
- Allow swift to exec rpm in swift_t and allow to create tmp files/dirs
- Allow neutron to create /run/netns with correct labeling
- Allow to run ip cmd in neutron_t domain
- Allow rpm_script_t to dbus chat also with systemd-localed
- Fix ipa_stream_connect_otpd()
* Tue Mar 4 2014 Miroslav Grepl<mgrepl@redhat.com> 3.13.1-30
- Allow block_suspend cap2 for systemd-logind and rw dri device
- Add labeling for /usr/libexec/nm-libreswan-service
- Allow locallogin to rw xdm key to make Virtual Terminal login providing smartcard pin work
- Add xserver_rw_xdm_keys()
- Allow rpm_script_t to dbus chat also with systemd-localed
- Fix ipa_stream_connect_otpd()
- update lpd_manage_spool() interface
- Allow krb5kdc to stream connect to ipa-otpd
- Add ipa_stream_connect_otpd() interface
- Allow vpnc to unlink NM pids
- Add networkmanager_delete_pid_files()
- Allow munin plugins to access unconfined plugins
- update abrt_filetrans_named_content to cover /var/spool/debug
- Label /var/spool/debug as abrt_var_cache_t
- Allow rhsmcertd to connect to squid port
- Make docker_transition_unconfined as optional boolean
- Allow certmonger to list home dirs
* Fri Feb 28 2014 Miroslav Grepl<mgrepl@redhat.com> 3.13.1-29
- Make docker as permissive domain
* Thu Feb 27 2014 Miroslav Grepl<mgrepl@redhat.com> 3.13.1-28
- Allow bumblebeed to send signal to insmod
- Dontaudit attempts by crond_t net_admin caused by journald
- Allow the docker daemon to mounton tty_device_t
- Add additional snapper fixes to allow relabel file_t
- Allow setattr for all mountpoints
- Allow snapperd to write all dirs
- Add support for /etc/sysconfig/snapper
- Allow mozilla_plugin to getsession