# Build-time knobs shared by every policy flavour this spec produces.
# distro is passed to make as DISTRO and monolithic as MONOLITHIC (n: build
# a base module plus loadable modules, see "modular" in the description).
%define distro redhat
# NOTE(review): "polyinstatiate" is a misspelling of "polyinstantiate"; the
# macro is not referenced anywhere else in this spec.
%define polyinstatiate n
%define monolithic n
# Each BUILD_* flag defaults to 1 unless the caller already defined it
# (for example: rpmbuild --define 'BUILD_MLS 0').  The condition expands to
# 0 when the macro is defined and to 1 when it is not.
# BUILD_DOC is defined but never consulted below; the doc subpackage is
# built unconditionally.
%if %{?BUILD_DOC:0}%{!?BUILD_DOC:1}
%define BUILD_DOC 1
%endif
%if %{?BUILD_TARGETED:0}%{!?BUILD_TARGETED:1}
%define BUILD_TARGETED 1
%endif
%if %{?BUILD_MINIMUM:0}%{!?BUILD_MINIMUM:1}
%define BUILD_MINIMUM 1
%endif
%if %{?BUILD_MLS:0}%{!?BUILD_MLS:1}
%define BUILD_MLS 1
%endif
# POLICYVER is the kernel policy format number: the compiled policy is
# shipped as policy/policy.POLICYVER and its sha512 is recorded at build
# time (see installCmds and preInstall).  The other two are the minimum
# versions of the userspace tools the build and the scriptlets rely on.
%define POLICYVER 30
%define POLICYCOREUTILSVER 2.5
%define CHECKPOLICYVER 2.5
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.13.1
Release: 213%{?dist}
License: GPLv2+
Group: System Environment/Base
# Upstream refpolicy base tarball; Source29 below is the matching contrib
# tree.  Fedora's changes on top of both come in as the patches.
Source: serefpolicy-%{version}.tgz
# Use the following commands to create patches from https://github.com/fedora-selinux/selinux-policy
# git diff eb4512f6eb13792c76ff8d3e6f2df3a7155db577 rawhide-base > policy-rawhide-base.patch
# git diff 64302b790bf2b39d93610e1452c8361d56966ae0 rawhide-contrib > policy-rawhide-contrib.patch
patch: policy-rawhide-base.patch
patch1: policy-rawhide-contrib.patch
patch2: policy-rawhide-base-cockpit.patch
# Per-flavour configuration (module lists, booleans, users, setrans,
# securetty types).  prep copies these into selinux_config/ and the
# makeCmds / makeModulesConf / installCmds macros pick them up by name.
Source1: modules-targeted-base.conf
Source31: modules-targeted-contrib.conf
Source2: booleans-targeted.conf
Source3: Makefile.devel
Source4: setrans-targeted.conf
Source5: modules-mls-base.conf
Source32: modules-mls-contrib.conf
Source6: booleans-mls.conf
Source8: setrans-mls.conf
Source14: securetty_types-targeted
Source15: securetty_types-mls
# No minimum-specific module list: the minimum build reuses the targeted
# module configuration and disables modules at install time (post minimum).
#Source16: modules-minimum.conf
Source17: booleans-minimum.conf
Source18: setrans-minimum.conf
Source19: securetty_types-minimum
Source20: customizable_types
Source21: config.tgz
Source22: users-mls
Source23: users-targeted
Source25: users-minimum
Source26: file_contexts.subs_dist
Source27: selinux-policy.conf
Source28: permissivedomains.cil
Source29: serefpolicy-contrib-%{version}.tgz
Source30: booleans.subs_dist

# Unpacked on top of the contrib tree in prep, so files in this tarball
# override same-named contrib modules.  NOTE(review): none of the Source
# inputs are checksum- or signature-verified by this spec; their integrity
# rests entirely on where rpmbuild fetches them from.
Source35: docker-selinux.tgz
Url: http://github.com/TresysTechnology/refpolicy/wiki
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
BuildArch: noarch
BuildRequires: python gawk checkpolicy >= %{CHECKPOLICYVER} m4 policycoreutils-devel >= %{POLICYCOREUTILSVER} bzip2
# awk and sha512sum are used by the subpackage pre scriptlets (preInstall,
# pre minimum) rather than by the base package's post.  NOTE(review): the
# subpackages declare Requires(pre): coreutils but nothing for awk --
# confirm that is covered elsewhere.
Requires(pre): policycoreutils >= %{POLICYCOREUTILSVER}
Requires(post): /bin/awk /usr/bin/sha512sum

%description
SELinux Base package for SELinux Reference Policy - modular.
Based on the reference policy, checked out at revision 2.20091117


%files
%defattr(-,root,root,-)
%{!?_licensedir:%global license %%doc}
%license COPYING
%dir %{_usr}/share/selinux
%dir %{_usr}/share/selinux/packages
%dir %{_sysconfdir}/selinux
# Both config paths are created by the post scriptlet, not shipped, hence
# ghost; noreplace keeps the admin's SELINUX= / SELINUXTYPE= choice on upgrade.
%ghost %config(noreplace) %{_sysconfdir}/selinux/config
%ghost %{_sysconfdir}/sysconfig/selinux
%{_usr}/lib/tmpfiles.d/selinux-policy.conf
# Exports the installed policy version to other specs as an rpm macro
# (the file is written in install).
%attr(0755, root, root) %dir %{_rpmconfigdir}
%attr(0755, root, root) %dir %{_rpmconfigdir}/macros.d
%{_rpmconfigdir}/macros.d/macros.selinux-policy

%package sandbox
Summary: SELinux policy sandbox
Group: System Environment/Base
# Depends on the virtual provide so any of targeted / minimum / mls satisfies it.
Requires(pre): selinux-policy-base = %{version}-%{release}

%description sandbox
SELinux sandbox policy used for the policycoreutils-sandbox package

%files sandbox
%defattr(-,root,root,-)
# The module is shipped as a standalone .pp built in install rather than
# inside the store; the post scriptlet installs it with semodule.
%verify(not md5 size mtime) /usr/share/selinux/packages/sandbox.pp

%post sandbox
# Drop stale "disabled" markers for sandbox from both the old
# /etc/selinux/<type>/modules/active layout and the current store, then
# install the module without reloading (-n) and load the rebuilt policy
# only when SELinux is actually enabled.
rm -f /etc/selinux/*/modules/active/modules/sandbox.pp.disabled 2>/dev/null
rm -f %{_sharedstatedir}/selinux/*/active/modules/disabled/sandbox 2>/dev/null
semodule -n -i /usr/share/selinux/packages/sandbox.pp
/usr/sbin/selinuxenabled && /usr/sbin/load_policy
exit 0

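%preun sandbox
# Only on erase ($1 = 0).  rpm runs the old package's preun after the new
# package's post during an upgrade, so an unconditional semodule -d here
# would disable the module that post sandbox has just installed.
if [ $1 -eq 0 ]; then
    semodule -n -d sandbox 2>/dev/null
    if /usr/sbin/selinuxenabled ; then
        /usr/sbin/load_policy
    fi
fi
exit 0
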
%package devel
Summary: SELinux policy devel
Group: System Environment/Base
Requires(pre): selinux-policy = %{version}-%{release}
Requires: selinux-policy = %{version}-%{release}
# Needed to build local modules against the shipped Makefile and headers.
Requires: m4 checkpolicy >= %{CHECKPOLICYVER}
Requires: /usr/bin/make
# post devel runs sepolgen-ifgen (presumably provided by this package).
Requires(post): policycoreutils-devel >= %{POLICYCOREUTILSVER}

%description devel
SELinux policy development and man page package

%files devel
%defattr(-,root,root,-)
# include/ is the targeted build's header tree, moved here in install.
%dir %{_usr}/share/selinux/devel
%dir %{_usr}/share/selinux/devel/include
%{_usr}/share/selinux/devel/include/*
# html/ holds the HTML form of the sepolicy-generated per-domain man pages.
%dir %{_usr}/share/selinux/devel/html
%{_usr}/share/selinux/devel/html/*html
%{_usr}/share/selinux/devel/html/*css
%{_usr}/share/selinux/devel/Makefile
%{_usr}/share/selinux/devel/example.*
%{_usr}/share/selinux/devel/policy.*

%post devel
# Regenerate the interface data sepolgen/audit2allow read from the freshly
# installed headers; nothing to do when SELinux is disabled.
if selinuxenabled; then
    /usr/bin/sepolgen-ifgen 2>/dev/null
fi
exit 0

%package doc
Summary: SELinux policy documentation
Group: System Environment/Base
Requires(pre): selinux-policy = %{version}-%{release}
Requires: selinux-policy = %{version}-%{release}
# policyhelp (below) is a one-line wrapper around xdg-open.
Requires: /usr/bin/xdg-open

%description doc
SELinux policy documentation package

%files doc
%defattr(-,root,root,-)
# refpolicy man pages plus the per-domain pages sepolicy generates in
# install (English and Russian trees).
%{_mandir}/man*/*
%{_mandir}/ru/*/*
%doc %{_usr}/share/doc/%{name}
# Lives under the devel directory but is packaged here because it only
# opens the HTML documentation shipped by this subpackage.
%attr(755,root,root) %{_usr}/share/selinux/devel/policyhelp

# makeCmds NAME TYPE DIRECT_INITRC UNK_PERMS
#   Configure one policy flavour: run the refpolicy "bare" and "conf"
#   targets, then drop in the flavour's booleans and users files from
#   selinux_config/ (populated in prep).
#   1 = policy name (targeted / minimum / mls), also the selinux_config file
#       suffix; 2 = TYPE (mcs / mls); 3 = DIRECT_INITRC (y / n);
#   4 = UNK_PERMS (allow / deny): how permissions unknown to the policy are
#       handled -- presumably refpolicy's handle-unknown setting.
%define makeCmds() \
make UNK_PERMS=%4 NAME=%1 TYPE=%2 DISTRO=%{distro} UBAC=n DIRECT_INITRC=%3 MONOLITHIC=%{monolithic} MLS_CATS=1024 MCS_CATS=1024 bare \
make UNK_PERMS=%4 NAME=%1 TYPE=%2 DISTRO=%{distro} UBAC=n DIRECT_INITRC=%3 MONOLITHIC=%{monolithic} MLS_CATS=1024 MCS_CATS=1024  conf \
cp -f selinux_config/booleans-%1.conf ./policy/booleans.conf \
cp -f selinux_config/users-%1 ./policy/users \
#cp -f selinux_config/modules-%1-base.conf  ./policy/modules.conf \

# makeModulesConf NAME BASECONF CONTRIBCONF
#   Assemble policy/modules.conf for flavour NAME: modules-NAME-BASECONF.conf
#   becomes both modules-base.conf and modules.conf; when arg 3 is "contrib",
#   modules-NAME-contrib.conf is kept as modules-contrib.conf and appended to
#   modules.conf.  The separate -base / -contrib copies are what modulesList
#   derives the shipped *.lst files from.
%define makeModulesConf() \
cp -f selinux_config/modules-%1-%2.conf  ./policy/modules-base.conf \
cp -f selinux_config/modules-%1-%2.conf  ./policy/modules.conf \
if [ %3 == "contrib" ];then \
	cp selinux_config/modules-%1-%3.conf ./policy/modules-contrib.conf; \
	cat selinux_config/modules-%1-%3.conf >> ./policy/modules.conf; \
fi; \

# installCmds NAME TYPE DIRECT_INITRC UNK_PERMS   (same arguments as makeCmds)
#   Build and install one flavour into the buildroot:
#   - base.pp and the loadable modules (the validate target runs alongside);
#   - install / install-appconfig put the policy tree and the contexts files
#     under /etc/selinux/NAME;
#   - "load" with SEMODULE pointed at the buildroot populates the semanage
#     store (/var/lib/selinux/NAME) at priority 100, which is what the
#     package ships instead of loose .pp files (those are removed below);
#   - the flavour's securetty_types, setrans.conf, customizable_types,
#     file_contexts.subs_dist and booleans.subs_dist are copied in;
#   - file_contexts is precompiled to file_contexts.bin, and the sha512 of
#     the kernel policy is recorded in .policy.sha512 so preInstall can tell
#     an untouched store from one the admin has modified.
%define installCmds() \
make UNK_PERMS=%4 NAME=%1 TYPE=%2 DISTRO=%{distro} UBAC=n DIRECT_INITRC=%3 MONOLITHIC=%{monolithic} MLS_CATS=1024 MCS_CATS=1024 base.pp \
make validate UNK_PERMS=%4 NAME=%1 TYPE=%2 DISTRO=%{distro} UBAC=n DIRECT_INITRC=%3 MONOLITHIC=%{monolithic} MLS_CATS=1024 MCS_CATS=1024 modules \
make UNK_PERMS=%4 NAME=%1 TYPE=%2 DISTRO=%{distro} UBAC=n DIRECT_INITRC=%3 MONOLITHIC=%{monolithic} DESTDIR=%{buildroot} MLS_CATS=1024 MCS_CATS=1024 install \
make UNK_PERMS=%4 NAME=%1 TYPE=%2 DISTRO=%{distro} UBAC=n DIRECT_INITRC=%3 MONOLITHIC=%{monolithic} DESTDIR=%{buildroot} MLS_CATS=1024 MCS_CATS=1024 install-appconfig \
make UNK_PERMS=%4 NAME=%1 TYPE=%2 DISTRO=%{distro} UBAC=n DIRECT_INITRC=%3 MONOLITHIC=%{monolithic} DESTDIR=%{buildroot} MLS_CATS=1024 MCS_CATS=1024 SEMODULE="semodule -p %{buildroot} -X 100 " load \
%{__mkdir} -p %{buildroot}/%{_sysconfdir}/selinux/%1/logins \
touch %{buildroot}%{_sysconfdir}/selinux/%1/contexts/files/file_contexts.subs \
install -m0644 selinux_config/securetty_types-%1 %{buildroot}%{_sysconfdir}/selinux/%1/contexts/securetty_types \
install -m0644 selinux_config/file_contexts.subs_dist %{buildroot}%{_sysconfdir}/selinux/%1/contexts/files \
install -m0644 selinux_config/setrans-%1.conf %{buildroot}%{_sysconfdir}/selinux/%1/setrans.conf \
install -m0644 selinux_config/customizable_types %{buildroot}%{_sysconfdir}/selinux/%1/contexts/customizable_types \
touch %{buildroot}%{_sysconfdir}/selinux/%1/contexts/files/file_contexts.local \
touch %{buildroot}%{_sysconfdir}/selinux/%1/contexts/files/file_contexts.local.bin \
touch %{buildroot}%{_sysconfdir}/selinux/%1/file_contexts.homedirs.bin \
sefcontext_compile -o %{buildroot}%{_sysconfdir}/selinux/%1/contexts/files/file_contexts.bin %{buildroot}%{_sysconfdir}/selinux/%1/contexts/files/file_contexts \
cp %{SOURCE30} %{buildroot}%{_sysconfdir}/selinux/%1 \
rm -f %{buildroot}/%{_usr}/share/selinux/%1/*pp*  \
/usr/bin/sha512sum %{buildroot}%{_sysconfdir}/selinux/%1/policy/policy.%{POLICYVER} | cut -d' ' -f 1 > %{buildroot}%{_sysconfdir}/selinux/%1/.policy.sha512; \
rm -rf %{buildroot}%{_sysconfdir}/selinux/%1/contexts/netfilter_contexts  \
rm -rf %{buildroot}%{_sysconfdir}/selinux/%1/modules/active/policy.kern \
%nil

# fileList NAME
#   The files list shared by the targeted, minimum and mls subpackages (the
#   per-module store entries are appended from nonbasemodules.lst via -f in
#   each files section).  Files that semodule / semanage rewrite on the
#   installed system -- the kernel policy, the store under
#   /var/lib/selinux/NAME, the compiled file_contexts -- carry
#   verify(not md5 size mtime) so rpm -V does not flag them; admin-editable
#   contexts files are config(noreplace).  The store's modules directory is
#   mode 700 so the installed policy sources are readable by root only.
%define fileList() \
%defattr(-,root,root) \
%dir %{_usr}/share/selinux/%1 \
%dir %{_sysconfdir}/selinux/%1 \
%config(noreplace) %{_sysconfdir}/selinux/%1/setrans.conf \
%config(noreplace) %verify(not md5 size mtime) %{_sysconfdir}/selinux/%1/seusers \
%dir %{_sysconfdir}/selinux/%1/logins \
%dir %{_sharedstatedir}/selinux/%1/active \
%verify(not md5 size mtime) %{_sharedstatedir}/selinux/%1/semanage.read.LOCK \
%verify(not md5 size mtime) %{_sharedstatedir}/selinux/%1/semanage.trans.LOCK \
%dir %attr(700,root,root) %dir %{_sharedstatedir}/selinux/%1/active/modules \
%verify(not md5 size mtime) %{_sharedstatedir}/selinux/%1/active/modules/100/base \
%ghost %{_sysconfdir}/selinux/%1/*.bin \
%dir %{_sysconfdir}/selinux/%1/policy/ \
%verify(not md5 size mtime) %{_sysconfdir}/selinux/%1/policy/policy.%{POLICYVER} \
%{_sysconfdir}/selinux/%1/.policy.sha512 \
%dir %{_sysconfdir}/selinux/%1/contexts \
%config %{_sysconfdir}/selinux/%1/contexts/customizable_types \
%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/securetty_types \
%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/dbus_contexts \
%config %{_sysconfdir}/selinux/%1/contexts/x_contexts \
%config %{_sysconfdir}/selinux/%1/contexts/default_contexts \
%config %{_sysconfdir}/selinux/%1/contexts/virtual_domain_context \
%config %{_sysconfdir}/selinux/%1/contexts/virtual_image_context \
%config %{_sysconfdir}/selinux/%1/contexts/lxc_contexts \
%config %{_sysconfdir}/selinux/%1/contexts/systemd_contexts \
%config %{_sysconfdir}/selinux/%1/contexts/sepgsql_contexts \
%config %{_sysconfdir}/selinux/%1/contexts/openssh_contexts \
%config %{_sysconfdir}/selinux/%1/contexts/snapperd_contexts \
%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/default_type \
%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/failsafe_context \
%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/initrc_context \
%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/removable_context \
%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/userhelper_context \
%dir %{_sysconfdir}/selinux/%1/contexts/files \
%verify(not md5 size mtime) %{_sysconfdir}/selinux/%1/contexts/files/file_contexts \
%verify(not md5 size mtime) %{_sysconfdir}/selinux/%1/contexts/files/file_contexts.bin \
%verify(not md5 size mtime) %{_sysconfdir}/selinux/%1/contexts/files/file_contexts.homedirs \
%verify(not md5 size mtime) %{_sysconfdir}/selinux/%1/contexts/files/file_contexts.homedirs.bin \
%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/files/file_contexts.local \
%verify(not md5 size mtime) %{_sysconfdir}/selinux/%1/contexts/files/file_contexts.local.bin \
%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/files/file_contexts.subs \
%{_sysconfdir}/selinux/%1/contexts/files/file_contexts.subs_dist \
%{_sysconfdir}/selinux/%1/booleans.subs_dist \
%config %{_sysconfdir}/selinux/%1/contexts/files/media \
%dir %{_sysconfdir}/selinux/%1/contexts/users \
%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/users/root \
%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/users/guest_u \
%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/users/xguest_u \
%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/users/user_u \
%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/users/staff_u \
%{_usr}/share/selinux/%1/base.lst \
%{_usr}/share/selinux/%1/modules-base.lst \
%{_usr}/share/selinux/%1/modules-contrib.lst \
%{_usr}/share/selinux/%1/nonbasemodules.lst \
%{_sharedstatedir}/selinux/%1/active/commit_num \
%{_sharedstatedir}/selinux/%1/active/users_extra \
%{_sharedstatedir}/selinux/%1/active/homedir_template \
%{_sharedstatedir}/selinux/%1/active/seusers \
%{_sharedstatedir}/selinux/%1/active/file_contexts \
%{_sharedstatedir}/selinux/%1/active/policy.kern \
%nil

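# relabel NAME   (used from postInstall and post minimum on upgrade)
#   If SELinux is enabled and NAME is the active policy type, relabel the
#   files whose contexts changed between the file_contexts saved by
#   preInstall (file_contexts.pre) and the newly installed one
#   (fixfiles -C), then refresh the locations that matter most for login:
#   /root, the logs and the passwd/group/shadow files.  The restorecon status
#   is deliberately ignored.  The original wrapped it in
#   "if ...; then continue; fi": continue outside a loop does nothing but
#   print a bash warning to stderr on every upgrade.
%define relabel() \
. %{_sysconfdir}/selinux/config; \
FILE_CONTEXT=%{_sysconfdir}/selinux/%1/contexts/files/file_contexts; \
/usr/sbin/selinuxenabled; \
if [ $? = 0  -a "${SELINUXTYPE}" = %1 -a -f ${FILE_CONTEXT}.pre ]; then \
     /sbin/fixfiles -C ${FILE_CONTEXT}.pre restore 2> /dev/null; \
     rm -f ${FILE_CONTEXT}.pre; \
fi; \
/sbin/restorecon -e /run/media -R /root /var/log /var/run /etc/passwd* /etc/group* /etc/*shadow* 2> /dev/null || :; \
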
# preInstall NAME   (runs from pre NAME; $1 is rpm's install count)
#   On upgrade ($1 != 1) of a system that has a config file:
#   - keep a copy of the current file_contexts as file_contexts.pre when
#     NAME is the active type, so relabel can do a delta relabel later;
#   - decide whether postInstall must rebuild the store: .rebuild is
#     created, then removed again if the installed kernel policy still has
#     the sha512 recorded by installCmds, i.e. nothing modified the store
#     since the previous package was installed.  A mismatch leaves .rebuild
#     in place and postInstall runs semodule -B, presumably to merge the new
#     base with the locally added modules.  This is a change detector for
#     the packaging logic, not a tamper check: anything running as root can
#     rewrite both files consistently.
%define preInstall() \
if [ $1 -ne 1 ] && [ -s /etc/selinux/config ]; then \
     . %{_sysconfdir}/selinux/config; \
     FILE_CONTEXT=%{_sysconfdir}/selinux/%1/contexts/files/file_contexts; \
     if [ "${SELINUXTYPE}" = %1 -a -f ${FILE_CONTEXT} ]; then \
        [ -f ${FILE_CONTEXT}.pre ] || cp -f ${FILE_CONTEXT} ${FILE_CONTEXT}.pre; \
     fi; \
     touch /etc/selinux/%1/.rebuild; \
     if [ -e /etc/selinux/%1/.policy.sha512 ]; then \
        POLICY_FILE=`ls /etc/selinux/%1/policy/policy.* | sort | head -1` \
        sha512=`sha512sum $POLICY_FILE | cut -d ' ' -f 1`; \
	checksha512=`cat /etc/selinux/%1/.policy.sha512`; \
	if [ "$sha512" == "$checksha512" ] ; then \
		rm /etc/selinux/%1/.rebuild; \
	fi; \
   fi; \
fi;

# postInstall COUNT NAME   (runs from post NAME; COUNT is rpm's $1)
#   Rebuild the store only if preInstall left a .rebuild flag, load the
#   result when NAME is the active type on a SELinux-enabled system, then
#   either relabel the key locations (fresh install, COUNT = 1) or run the
#   delta relabel (upgrade).
%define postInstall() \
. %{_sysconfdir}/selinux/config; \
if [ -e /etc/selinux/%2/.rebuild ]; then \
   rm /etc/selinux/%2/.rebuild; \
   /usr/sbin/semodule -B -n -s %2; \
fi; \
[ "${SELINUXTYPE}" == "%2" ] && selinuxenabled && load_policy; \
if [ %1 -eq 1 ]; then \
   /sbin/restorecon -R /root /var/log /run /etc/passwd* /etc/group* /etc/*shadow* 2> /dev/null; \
else \
%relabel %2 \
fi;

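# modulesList NAME
#   Derive the module-name lists shipped in /usr/share/selinux/NAME from the
#   modules-*.conf files prepared by makeModulesConf:
#     base.lst            - modules compiled into the base module ("= base")
#     modules-base.lst    - loadable modules from the base conf
#     modules-contrib.lst - loadable modules from the contrib conf (if any)
#   Lines whose first field starts with "#" are comments and are skipped.
#   The original used the string "/^#/" as the pattern, which awk treats as
#   a regex containing a literal slash and could never match, so the comment
#   filter was a no-op and relied on the other two field tests.
%define modulesList() \
awk '$1 !~ /^#/ && $2 == "=" && $3 == "module" { printf "%%s ", $1 }' ./policy/modules-base.conf > %{buildroot}/%{_usr}/share/selinux/%1/modules-base.lst \
awk '$1 !~ /^#/ && $2 == "=" && $3 == "base" { printf "%%s ", $1 }' ./policy/modules-base.conf > %{buildroot}/%{_usr}/share/selinux/%1/base.lst \
if [ -e ./policy/modules-contrib.conf ];then \
	awk '$1 !~ /^#/ && $2 == "=" && $3 == "module" { printf "%%s ", $1 }' ./policy/modules-contrib.conf > %{buildroot}/%{_usr}/share/selinux/%1/modules-contrib.lst; \
fi;
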
# nonBaseModulesList NAME
#   Generate nonbasemodules.lst, the files-list fragment (-f) that owns every
#   loadable module directory in the store at priority 100, except sandbox,
#   which is packaged separately and installed by its own post scriptlet.
#   Module names come from the *.lst files produced by modulesList.
%define nonBaseModulesList() \
contrib_modules=`cat %{buildroot}/%{_usr}/share/selinux/%1/modules-contrib.lst` \
base_modules=`cat %{buildroot}/%{_usr}/share/selinux/%1/modules-base.lst` \
for i in $contrib_modules $base_modules; do \
    if [ $i != "sandbox" ];then \
        echo "%verify(not md5 size mtime) %{_sharedstatedir}/selinux/%1/active/modules/100/$i" >> %{buildroot}/%{_usr}/share/selinux/%1/nonbasemodules.lst \
    fi; \
done

%build

%prep
# The build section above is intentionally empty: the policy is compiled
# flavour by flavour in install, where the buildroot paths are needed.
# Unpack the contrib tree first (-b 29 = Source29), apply its patch and
# unpack docker-selinux.tgz over it; then unpack the base tree, apply its
# patches and copy the contrib modules into place.
%setup -n serefpolicy-contrib-%{version} -q -b 29
%patch1 -p1
tar -xf %{SOURCE35}
contrib_path=`pwd`
%setup -n serefpolicy-%{version} -q
%patch -p1
%patch2 -p1
refpolicy_path=`pwd`
cp $contrib_path/* $refpolicy_path/policy/modules/contrib

# Collect the per-flavour configuration sources under one directory so the
# make/install macros can address them by name.
mkdir selinux_config
for i in %{SOURCE1} %{SOURCE2} %{SOURCE3} %{SOURCE4} %{SOURCE5} %{SOURCE6} %{SOURCE8} %{SOURCE14} %{SOURCE15} %{SOURCE17} %{SOURCE18} %{SOURCE19} %{SOURCE20} %{SOURCE21} %{SOURCE22} %{SOURCE23} %{SOURCE25} %{SOURCE26} %{SOURCE31} %{SOURCE32};do
 cp $i selinux_config
done
tar zxvf selinux_config/config.tgz

%install
# Start from a clean buildroot and create the skeleton that the ghost
# entries in the base files list refer to.
%{__rm} -fR %{buildroot}
mkdir -p %{buildroot}%{_sysconfdir}/selinux
mkdir -p %{buildroot}%{_sysconfdir}/sysconfig
touch %{buildroot}%{_sysconfdir}/selinux/config
touch %{buildroot}%{_sysconfdir}/sysconfig/selinux
mkdir -p %{buildroot}%{_usr}/lib/tmpfiles.d/
cp %{SOURCE27} %{buildroot}%{_usr}/lib/tmpfiles.d/

# Always create policy module package directories
mkdir -p %{buildroot}%{_usr}/share/selinux/{targeted,mls,minimum,modules}/
mkdir -p %{buildroot}%{_sharedstatedir}/selinux/{targeted,mls,minimum,modules}/

mkdir -p %{buildroot}%{_usr}/share/selinux/packages

# Start the per-flavour builds from a clean tree; the devel headers are
# installed after them, further down.
make clean
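%if %{BUILD_TARGETED}
# Build and install the targeted policy: TYPE=mcs, unknown permissions allowed.
cp %{SOURCE28} %{buildroot}/
%makeCmds targeted mcs n allow
%makeModulesConf targeted base contrib
%installCmds targeted mcs n allow
# permissivedomains.cil goes into the store at priority 100 like the rest
semodule -p %{buildroot} -X 100 -i %{buildroot}/permissivedomains.cil
rm -rf %{buildroot}/permissivedomains.cil
# sandbox is shipped as a standalone .pp (selinux-policy-sandbox) and
# installed by that subpackage's post, so drop it from the store here and
# build the package file with the same settings as the rest of targeted.
# The original make line used the macro arguments (UNK_PERMS, NAME, TYPE,
# DIRECT_INITRC) outside any macro, so make received them unexpanded.
rm -rf %{buildroot}%{_sharedstatedir}/selinux/targeted/active/modules/100/sandbox
make UNK_PERMS=allow NAME=targeted TYPE=mcs DISTRO=%{distro} UBAC=n DIRECT_INITRC=n MONOLITHIC=%{monolithic} DESTDIR=%{buildroot} MLS_CATS=1024 MCS_CATS=1024 sandbox.pp
mv sandbox.pp %{buildroot}/usr/share/selinux/packages/sandbox.pp
%modulesList targeted
%nonBaseModulesList targeted
%endif
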
%if %{BUILD_MINIMUM}
# Build minimum policy.  There is no modules-minimum conf: minimum is the
# targeted module set, and post minimum decides at install time which
# modules stay enabled (see the disabled/ markers there).
mkdir -p %{buildroot}%{_usr}/share/selinux/minimum
%makeCmds minimum mcs n allow
%makeModulesConf targeted base contrib
%installCmds minimum mcs n allow
# Remove the sandbox module from the minimum store; the sandbox subpackage
# installs it at runtime instead.
rm -f %{buildroot}/%{_sysconfdir}/selinux/minimum/modules/active/modules/sandbox.pp
rm -rf %{buildroot}%{_sharedstatedir}/selinux/minimum/active/modules/100/sandbox
%modulesList minimum
%nonBaseModulesList minimum
%endif

%if %{BUILD_MLS}
# Build mls policy: TYPE=mls and UNK_PERMS=deny, i.e. permissions the policy
# does not know are refused rather than allowed as in targeted/minimum.
%makeCmds mls mls n deny
%makeModulesConf mls base contrib
%installCmds mls mls n deny
%modulesList mls
%nonBaseModulesList mls
%endif

# Man pages and devel headers are generated from the targeted build.
mkdir -p %{buildroot}%{_mandir}
cp -R  man/* %{buildroot}%{_mandir}
make UNK_PERMS=allow NAME=targeted TYPE=mcs DISTRO=%{distro} UBAC=n DIRECT_INITRC=n MONOLITHIC=%{monolithic} DESTDIR=%{buildroot} PKGNAME=%{name} MLS_CATS=1024 MCS_CATS=1024 install-docs
make UNK_PERMS=allow NAME=targeted TYPE=mcs DISTRO=%{distro} UBAC=n DIRECT_INITRC=n MONOLITHIC=%{monolithic} DESTDIR=%{buildroot} PKGNAME=%{name} MLS_CATS=1024 MCS_CATS=1024 install-headers
mkdir %{buildroot}%{_usr}/share/selinux/devel/
mv %{buildroot}%{_usr}/share/selinux/targeted/include %{buildroot}%{_usr}/share/selinux/devel/include
install -m 644 selinux_config/Makefile.devel %{buildroot}%{_usr}/share/selinux/devel/Makefile
install -m 644 doc/example.* %{buildroot}%{_usr}/share/selinux/devel/
install -m 644 doc/policy.* %{buildroot}%{_usr}/share/selinux/devel/
# policyhelp is a one-line launcher for the HTML docs (doc subpackage).
echo  "xdg-open file:///usr/share/doc/selinux-policy/html/index.html"> %{buildroot}%{_usr}/share/selinux/devel/policyhelp
chmod +x %{buildroot}%{_usr}/share/selinux/devel/policyhelp
# Per-domain man pages (and their HTML form) generated from the policy in
# the buildroot; the HTML and its stylesheet move to devel/html.
/usr/bin/sepolicy manpage -a -p %{buildroot}/usr/share/man/man8/ -w -r %{buildroot}
mkdir %{buildroot}%{_usr}/share/selinux/devel/html
mv %{buildroot}%{_usr}/share/man/man8/*.html %{buildroot}%{_usr}/share/selinux/devel/html
mv %{buildroot}%{_usr}/share/man/man8/style.css %{buildroot}%{_usr}/share/selinux/devel/html

# Lets other specs pin the policy version they were built against.
mkdir -p %{buildroot}%{_rpmconfigdir}/macros.d
echo '%%_selinux_policy_version %{version}-%{release}' > %{buildroot}%{_rpmconfigdir}/macros.d/macros.selinux-policy


rm -rf selinux_config

%clean
%{__rm} -fR %{buildroot}

%post
# When /etc/selinux/config is missing or empty (normally a first install),
# write the default configuration -- enforcing, targeted -- and point
# /etc/sysconfig/selinux at it.  Otherwise the admin's file is left alone.
# The text below is written verbatim (including the trailing space after
# "targeted", which the consumers tolerate).
if [ ! -s /etc/selinux/config ]; then
#
#     New install so we will default to targeted policy
#
echo "
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=enforcing
# SELINUXTYPE= can take one of these three values:
#     targeted - Targeted processes are protected,
#     minimum - Modification of targeted policy. Only selected processes are protected. 
#     mls - Multi Level Security protection.
SELINUXTYPE=targeted 

" > /etc/selinux/config

     ln -sf ../selinux/config /etc/sysconfig/selinux
     restorecon /etc/selinux/config 2> /dev/null || :
else
     . /etc/selinux/config
fi
exit 0

%postun
# Erase of the last copy only ($1 = 0): switch to permissive right away and
# record SELINUX=disabled so the next boot does not try to load a policy
# that is no longer installed.  Upgrades ($1 >= 1) leave the config alone.
if [ $1 = 0 ]; then
     setenforce 0 2> /dev/null
     if [ -s /etc/selinux/config ]; then
          sed -i 's/^SELINUX=.*/SELINUX=disabled/g' /etc/selinux/config
     else
          echo "SELINUX=disabled" > /etc/selinux/config
     fi
fi
exit 0

%if %{BUILD_TARGETED}
%package targeted
Summary: SELinux targeted base policy
# Every flavour provides selinux-policy-base; the sandbox subpackage depends
# on that virtual provide rather than on a particular flavour.
Provides: selinux-policy-base = %{version}-%{release}
Group: System Environment/Base
Obsoletes: selinux-policy-targeted-sources < 2
# pre needs coreutils for sha512sum / cp / sort / head (see preInstall).
Requires(pre): policycoreutils >= %{POLICYCOREUTILSVER}
Requires(pre): coreutils
Requires(pre): selinux-policy = %{version}-%{release}
Requires: selinux-policy = %{version}-%{release}
# Presumably older packages that carried their own, now conflicting,
# policy modules.
Conflicts:  audispd-plugins <= 1.7.7-1
Obsoletes: mod_fcgid-selinux <= %{version}-%{release}
Obsoletes: cachefilesd-selinux <= 0.10-1
Conflicts:  seedit
Conflicts:  389-ds-base < 1.2.7, 389-admin < 1.1.12
Conflicts: docker-selinux < 2:1.12.1-21

%description targeted
SELinux Reference policy targeted base module.

%pre targeted
# $1 is rpm's install count (1 = fresh install); see preInstall.
%preInstall targeted

%post targeted
# $1 is passed through to postInstall as its first argument.
%postInstall $1 targeted
exit 0

%triggerin -- pcre
# Rebuild the store (-B, without reloading: -n) whenever pcre is
# (re)installed -- presumably because the compiled file_contexts.bin embeds
# pcre-version-specific regex data; confirm against sefcontext_compile.
# Quiet no-op when SELinux is disabled.
selinuxenabled && semodule -nB
exit 0

%triggerpostun -- selinux-policy-targeted < 3.12.1-74
# Belongs to the base package (no subpackage named): clean up the
# "disabled" marker the pre-3.12.1-74 layout kept next to the .pp files.
rm -f /etc/selinux/*/modules/active/modules/sandbox.pp.disabled 2>/dev/null
exit 0

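%triggerpostun targeted -- selinux-policy-targeted < 3.13.1-138
# One-shot migration when upgrading from a release that kept the module
# store under /etc/selinux/targeted/modules/active: carry the admin's
# "disabled" markers into the new store, re-import every old .pp module,
# copy the *.local customisations, then load the rebuilt policy.
CR=$'\n'
INPUT=""
# The disabled/ directory is not part of the package; create it so the
# markers below can be written.
mkdir -p /var/lib/selinux/targeted/active/modules/disabled
for i in `find /etc/selinux/targeted/modules/active/modules/ -name \*disabled`; do
    module=`basename $i | sed 's/\.pp\.disabled$//'`
    # Only modules already present in the new store (shipped by this
    # package) can be marked here; locally added ones are imported below
    # without their marker.
    if [ -d /var/lib/selinux/targeted/active/modules/100/$module ]; then
        # was $p, a variable that is never set: the touch hit the disabled/
        # directory itself and the admin's disabled state was lost
        touch /var/lib/selinux/targeted/active/modules/disabled/$module
    fi
done
for i in `find /etc/selinux/targeted/modules/active/modules/ -name \*.pp`; do
    INPUT="${INPUT}${CR}module -N -a $i"
done
for i in $(find /etc/selinux/targeted/modules/active -name \*.local); do
    cp $i /var/lib/selinux/targeted/active
done
echo "$INPUT" | %{_sbindir}/semanage import -S targeted -N
if /usr/sbin/selinuxenabled ; then
        /usr/sbin/load_policy
fi
exit 0
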
%files targeted -f %{buildroot}/%{_usr}/share/selinux/targeted/nonbasemodules.lst
%defattr(-,root,root,-)
# -f pulls in the per-module store entries generated by nonBaseModulesList.
%config(noreplace) %{_sysconfdir}/selinux/targeted/contexts/users/unconfined_u
%config(noreplace) %{_sysconfdir}/selinux/targeted/contexts/users/sysadm_u
%fileList targeted
# permissivedomains.cil is added to the store by hand in install, so it is
# not in nonbasemodules.lst and has to be listed here.
%verify(not md5 size mtime) %{_sharedstatedir}/selinux/targeted/active/modules/100/permissivedomains
%endif

%if %{BUILD_MINIMUM}
%package minimum
Summary: SELinux minimum base policy
Provides: selinux-policy-base = %{version}-%{release}
Group: System Environment/Base
# post uses semanage to import the login mappings (presumably provided by
# policycoreutils-python-utils).
Requires(post): policycoreutils-python-utils >= %{POLICYCOREUTILSVER}
Requires(pre): coreutils
Requires(pre): selinux-policy = %{version}-%{release}
Requires: selinux-policy = %{version}-%{release}
Conflicts:  seedit
Conflicts: docker-selinux <= 1.9.0-9

%description minimum
SELinux Reference policy minimum base module.

%pre minimum
%preInstall minimum
# On upgrade, remember which modules are currently enabled so post can
# re-enable exactly that set (instmodules.lst is read back there).
# NOTE(review): the snapshot is written under /usr/share, a package-owned
# tree, rather than a state directory.
if [ $1 -ne 1 ]; then
    /usr/sbin/semodule -s minimum --list-modules=full | awk '{ if ($4 != "disabled") print $2; }' > /usr/share/selinux/minimum/instmodules.lst
fi

%post minimum
# minimum is the targeted module set with most contrib modules disabled.
# A module is turned off by dropping a marker file named after it into the
# store's disabled/ directory; the base modules plus a short allow-list
# (apache dbus inetd kerberos mta nis) always stay enabled.
contribpackages=`cat /usr/share/selinux/minimum/modules-contrib.lst`
basepackages=`cat /usr/share/selinux/minimum/modules-base.lst`
if [ ! -d /var/lib/selinux/minimum/active/modules/disabled ]; then
    mkdir /var/lib/selinux/minimum/active/modules/disabled
fi
if [ $1 -eq 1 ]; then
# Fresh install: disable every contrib module, keep the allow-list ...
for p in $contribpackages; do
    touch /var/lib/selinux/minimum/active/modules/disabled/$p
done
for p in $basepackages apache dbus inetd kerberos mta nis; do
    rm -f /var/lib/selinux/minimum/active/modules/disabled/$p
done
# ... and map root and every other login to unconfined_u, which is what
# makes this flavour "minimum": only the selected processes are confined.
/usr/sbin/semanage import -S minimum -f - << __eof
login -m  -s unconfined_u -r s0-s0:c0.c1023 __default__
login -m  -s unconfined_u -r s0-s0:c0.c1023 root
__eof
/sbin/restorecon -R /root /var/log /var/run 2> /dev/null
/usr/sbin/semodule -B -s minimum
else
# Upgrade: restore the set that pre snapshotted in instmodules.lst.
instpackages=`cat /usr/share/selinux/minimum/instmodules.lst`
for p in $contribpackages; do
    touch /var/lib/selinux/minimum/active/modules/disabled/$p
done
for p in $instpackages apache dbus inetd kerberos mta nis; do
    rm -f /var/lib/selinux/minimum/active/modules/disabled/$p
done
/usr/sbin/semodule -B -s minimum
%relabel minimum
fi
exit 0

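%triggerpostun minimum -- selinux-policy-minimum < 3.13.1-138
# One-shot migration from the old /etc/selinux/minimum/modules/active
# store: start with no disabled markers, re-create them from the old store's
# .pp.disabled files, re-import the old .pp modules and load the result.
# The original guarded the cleanup with "[ `ls -A dir` ]", which errors out
# with "too many arguments" as soon as the directory holds more than one
# entry and so skipped the cleanup in exactly the common case; rm -f on the
# glob needs no guard.
rm -f /var/lib/selinux/minimum/active/modules/disabled/* 2>/dev/null
CR=$'\n'
INPUT=""
for i in `find /etc/selinux/minimum/modules/active/modules/ -name \*disabled`; do
    module=`basename $i | sed 's/\.pp\.disabled$//'`
    if [ -d /var/lib/selinux/minimum/active/modules/100/$module ]; then
        # was $p, a variable that is never set: the touch hit the disabled/
        # directory itself and the admin's disabled state was lost
        touch /var/lib/selinux/minimum/active/modules/disabled/$module
    fi
done
for i in `find /etc/selinux/minimum/modules/active/modules/ -name \*.pp`; do
    INPUT="${INPUT}${CR}module -N -a $i"
done
echo "$INPUT" | %{_sbindir}/semanage import -S minimum -N
if /usr/sbin/selinuxenabled ; then
    /usr/sbin/load_policy
fi
exit 0
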
%files minimum -f %{buildroot}/%{_usr}/share/selinux/minimum/nonbasemodules.lst
%defattr(-,root,root,-)
# -f pulls in the per-module store entries generated by nonBaseModulesList.
%config(noreplace) %{_sysconfdir}/selinux/minimum/contexts/users/unconfined_u
%config(noreplace) %{_sysconfdir}/selinux/minimum/contexts/users/sysadm_u
%fileList minimum
%endif

%if %{BUILD_MLS}
%package mls
Summary: SELinux mls base policy
Group: System Environment/Base
Provides: selinux-policy-base = %{version}-%{release}
Obsoletes: selinux-policy-mls-sources < 2
# newrole and the setrans daemon -- presumably needed to work with MLS
# ranges and the setrans.conf label translations shipped by this flavour.
Requires: policycoreutils-newrole >= %{POLICYCOREUTILSVER} setransd
Requires(pre): policycoreutils >= %{POLICYCOREUTILSVER}
Requires(pre): coreutils
Requires(pre): selinux-policy = %{version}-%{release}
Requires: selinux-policy = %{version}-%{release}
Conflicts:  seedit
Conflicts: docker-selinux <= 1.9.0-9

%description mls
SELinux Reference policy mls base module.

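%pre mls
# $1 is rpm's install count (1 = fresh install); see preInstall.
%preInstall mls

%post mls
%postInstall $1 mls
# targeted and minimum end their post with exit 0; without it this
# scriptlet's status is whatever the last relabel/restorecon command
# returned, and a harmless failure there is reported as a failed post.
exit 0

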
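%triggerpostun mls -- selinux-policy-mls < 3.13.1-138
# One-shot migration from the old /etc/selinux/mls/modules/active store:
# carry the admin's "disabled" markers over, re-import the old .pp modules,
# then load the rebuilt policy.
CR=$'\n'
INPUT=""
# The disabled/ directory is not part of the package; create it so the
# markers below can be written.
mkdir -p /var/lib/selinux/mls/active/modules/disabled
for i in `find /etc/selinux/mls/modules/active/modules/ -name \*disabled`; do
    module=`basename $i | sed 's/\.pp\.disabled$//'`
    if [ -d /var/lib/selinux/mls/active/modules/100/$module ]; then
        # was $p, a variable that is never set: the touch hit the disabled/
        # directory itself and the admin's disabled state was lost
        touch /var/lib/selinux/mls/active/modules/disabled/$module
    fi
done
for i in `find /etc/selinux/mls/modules/active/modules/ -name \*.pp`; do
    INPUT="${INPUT}${CR}module -N -a $i"
done
echo "$INPUT" | %{_sbindir}/semanage import -S mls -N
if /usr/sbin/selinuxenabled ; then
        /usr/sbin/load_policy
fi
exit 0

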
%files mls -f %{buildroot}/%{_usr}/share/selinux/mls/nonbasemodules.lst
%defattr(-,root,root,-)
# -f pulls in the per-module store entries generated by nonBaseModulesList.
# NOTE(review): unlike targeted and minimum, no sysadm_u contexts file is
# listed here -- confirm the mls build does not produce one.
%config(noreplace) %{_sysconfdir}/selinux/mls/contexts/users/unconfined_u
%fileList mls
%endif

%changelog
* Fri Sep 02 2016 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-213
- Label /var/lib/docker/vfs as svirt_sandbox_file_t in virt SELinux module
- Label /usr/bin/pappet as puppetagent_exec_t
- Allow amanda to create dir in /var/lib/ with amanda_var_lib_t label
- Allow running sulogin_t in range mls_systemlow-mls_systemhigh.

* Wed Aug 31 2016 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-212
- udisk2 module is part of devicekit module now
- Fix file context for /etc/pki/pki-tomcat/ca/
- new interface oddjob_mkhomedir_entrypoint()
- Allow mdadm to get attributes from all devices.
- Label /etc/puppetlabs as puppet_etc_t.
- quota: allow init to run quota tools
- Add new domain ipa_ods_exporter_t BZ(1366640)
- Create new interface opendnssec_stream_connect()
- Allow VirtualBox to manage udev rules.
- Allow systemd_resolved to send dbus msgs to userdomains
- Make entrypoint oddjob_mkhomedir_exec_t for unconfined_t
- Label all files in /dev/oracleasmfs/ as oracleasmfs_t

* Thu Aug 25 2016 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-211
0c7ae4
- Add new domain ipa_ods_exporter_t BZ(1366640)
0c7ae4
- Create new interface opendnssec_stream_connect()
0c7ae4
- Allow systemd-machined to communicate to lxc container using dbus
0c7ae4
- Dontaudit accountsd domain creating dirs in /root
0c7ae4
- Add new policy for Disk Manager called udisks2
0c7ae4
- Dontaudit firewalld wants write to /root
0c7ae4
- Label /etc/pki/pki-tomcat/ca/ as pki_tomcat_cert_t
0c7ae4
- Allow certmonger to manage all systemd unit files
0c7ae4
- Allow ipa_helper_t stream connect to dirsrv_t domain
0c7ae4
- Update oracleasm SELinux module
0c7ae4
- label /var/lib/kubelet as svirt_sandbox_file_t
0c7ae4
- Allow systemd to create blk and chr files with correct label in /var/run/systemd/inaccessible BZ(1367280)
0c7ae4
- Label /usr/libexec/gsd-backlight-helper as xserver_exec_t. This also allows confined users to manage screen brightness
0c7ae4
- Add new userdom_dontaudit_manage_admin_dir() interface
0c7ae4
- Label /dev/oracleasmfs as oracleasmfs_t. Add a few interfaces related to the oracleasmfs_t type
0c7ae4
ba0eef
* Tue Aug 23 2016 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-210
ba0eef
- Add a few interfaces to cloudform.if file
ba0eef
- Label /var/run/corosync-qnetd and /var/run/corosync-qdevice as cluster_var_run_t. Note: corosync policy is now part of rhcs module
ba0eef
- Allow krb5kdc_t to read krb4kdc_conf_t dirs.
ba0eef
- Update networkmanager_filetrans_named_content() interface to allow source domain to create also temad dir in /var/run.
ba0eef
- Make confined users work again
ba0eef
- Fix hypervkvp module
ba0eef
- Allow ipmievd domain to create lock files in /var/lock/subsys/
ba0eef
- Update policy for ipmievd daemon. Contains: allow reading sysfs, passwd, kernel modules; allow executing bin_t, insmod_t
ba0eef
- A new version of cloud-init that supports the effort to provision RHEL Atomic on Microsoft Azure requires some new rules that allow dhclient/dhclient hooks to call cloud-init.
ba0eef
- Allow systemd to stop systemd-machined daemon. This allows stopping virtual machines.
ba0eef
- Label /usr/libexec/iptables/iptables.init as iptables_exec_t Allow iptables creating lock file in /var/lock/subsys/
ba0eef
6140a0
* Tue Aug 16 2016 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-209
6140a0
- Fix lsm SELinux module
6140a0
- Dontaudit firewalld to create dirs in /root/ BZ(1340611)
6140a0
- Label /run/corosync-qdevice and /run/corosync-qnetd as corosync_var_run_t
6140a0
- Allow fprintd and cluster domains to communicate via dbus BZ(1355774)
6140a0
- Allow cupsd_config_t domain to read cupsd_var_run_t sock_file. BZ(1361299)
6140a0
- Add sys_admin capability to sbd domain
6140a0
- Allow vdagent to communicate with systemd-logind via dbus
6140a0
- Allow lsmd_plugin_t domain to create fixed_disk device.
6140a0
- Allow opendnssec domain to create and manage own tmp dirs/files
6140a0
- Allow opendnssec domain to read system state
6140a0
- Allow systemd_logind stop system init_t
6140a0
- Add interface init_stop()
6140a0
- Add interface userdom_dontaudit_create_admin_dir()
6140a0
- Label /var/run/storaged as lvm_var_run_t.
6140a0
- Allow unconfineduser to run ipa_helper_t.
6140a0
347800
* Fri Aug 12 2016 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-208
347800
- Allow cups_config_t domain to also manage sock_files. BZ(1361299)
347800
- Add wake_alarm capability to fprintd domain BZ(1362430)
347800
- Allow firewalld_t to relabel net_conf_t files. BZ(1365178)
347800
- Allow nut_upsmon_t domain to chat with logind via dbus about scheduling a shutdown when UPS battery is low. BZ(1361802)
347800
- Allow virtual machines to use dri devices. This allows using OpenCL GPU calculations. BZ(1337333)
347800
- Allow crond and cronjob domains to create mail_home_rw_t objects in admin_home_t BZ(1366173)
347800
- Dontaudit mock to write to generic certs.
347800
- Add labeling for corosync-qdevice and corosync-qnetd daemons, to run as cluster_t
347800
- Revert "Label corosync-qnetd and corosync-qdevice as corosync_t domain"
347800
- Merge pull request #144 from rhatdan/modemmanager
347800
- Allow modemmanager to write to systemd inhibit pipes
347800
- Label corosync-qnetd and corosync-qdevice as corosync_t domain
347800
- Allow ipa_helper to read network state
347800
- Label oddjob_request as oddjob_exec_t
347800
- Add interface oddjob_run()
347800
- Allow modemmanager chat with systemd_logind via dbus
347800
- Allow NetworkManager chat with puppetagent via dbus
347800
- Allow NetworkManager chat with kdumpctl via dbus
347800
- Allow sbd send msgs to syslog Allow sbd create dgram sockets. Allow sbd to communicate with kernel via dgram socket Allow sbd r/w kernel sysctls.
347800
- Allow ipmievd_t domain to re-create ipmi devices Label /usr/libexec/openipmi-helper as ipmievd_exec_t
347800
- Allow rasdaemon to use tracefs filesystem
347800
- Fix typo bug in dirsrv policy
347800
- Some logrotate scripts run su and then su runs unix_chkpwd. Allow logrotate_t domain to check passwd.
347800
- Add ipc_lock capability to sssd domain. Allow sssd connect to http_cache_t
347800
- Allow dirsrv to read dirsrv_share_t content
347800
- Allow virtlogd_t to append svirt_image_t files.
347800
- Allow hypervkvp domain to read hugetlbfs dir/files.
347800
- Allow mdadm daemon to read nvme_device_t blk files
347800
- Allow systemd_resolved to connect on system bus. BZ(1366334)
347800
- Allow systemd to create netlink_route_socket and communicate with systemd_networkd BZ(1306344)
347800
- Allow systemd-modules-load to load kernel modules in early boot. BZ(1322625)
347800
- label tcp/udp port 853 as dns_port_t. BZ(1365609)
347800
- Merge pull request #145 from rhatdan/init
347800
- systemd is doing a gettattr on blk and chr devices in /run
347800
- Allow selinuxusers and unconfineduser to run oddjob_request
347800
- Allow sshd server to access Crypto Express 4 (CEX4) devices.
347800
- Fix typo in device interfaces
347800
- Add interfaces for managing ipmi devices
347800
- Add interfaces to allow mounting/umounting tracefs filesystem
347800
- Add interfaces to allow rw tracefs filesystem
347800
- Merge branch 'rawhide-base' of github.com:fedora-selinux/selinux-policy into rawhide-base
347800
- Merge pull request #138 from rhatdan/userns
347800
- Allow iptables to create netlink generic sockets.
347800
- Fix filecontext for systemd shared lib.
347800
0ab5f5
* Thu Aug 04 2016 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-207
0ab5f5
- Fix filesystem interface file, we don't have nsfs_fs_t type, just nsfs_t
0ab5f5
4d7576
* Tue Aug 02 2016 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-206
4d7576
- collectd: update policy for 5.5
4d7576
- Allow puppet_t transition to shorewall_t
4d7576
- Grant certmonger "chown" capability
4d7576
- Boinc updates from Russell Coker.
4d7576
- Allow sshd setcap capability. This is needed due to latest changes in sshd.
4d7576
- Revert "Allow sshd setcap capability. This is needed due to latest changes in sshd"
4d7576
- Revert "Fix typo in ssh policy"
4d7576
- Get attributes of generic ptys, from Russell Coker.
4d7576
247a84
* Fri Jul 29 2016 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-205
247a84
- Dontaudit mock_build_t can list all ptys.
247a84
- Allow ftpd_t to manage userhome data without any boolean.
247a84
- Add logrotate permissions for creating netlink selinux sockets.
247a84
- Add new MLS attribute to allow relabeling objects higher than system low. This exception is needed for package managers when processing sensitive data.
247a84
- Label all VBox libraries stored in /var/lib/VBoxGuestAdditions/lib/ as textrel_shlib_t BZ(1356654)
247a84
- Allow systemd gpt generator to run fstools BZ(1353585)
247a84
- Label /usr/lib/systemd/libsystemd-shared-231.so as lib_t. BZ(1360716)
247a84
- Allow gnome-keyring also manage user_tmp_t sockets.
247a84
- Allow systemd to mounton /etc filesystem. BZ(1341753)
247a84
95987e
* Tue Jul 26 2016 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-204
95987e
- Allow lsmd_plugin_t to exec ldconfig.
95987e
- Allow vnstatd domain to read /sys/class/net/ files
95987e
- Remove duplicate allow rules in spamassassin SELinux module
95987e
- Allow spamc_t and spamd_t domains create .spamassassin file in user homedirs
95987e
- Allow ipa_dnskey domain to search cache dirs
95987e
- Allow dogtag-ipa-ca-renew-agent-submit labeled as certmonger_t to create /var/log/ipa/renew.log file
95987e
- Allow ipa-dnskey read system state.
95987e
- Allow sshd setcap capability. This is needed due to latest changes in sshd Resolves: rhbz#1356245
95987e
- Add interface to write to nsfs inodes
95987e
- Allow init_t domain to read rpm db. This is needed because the dnf-upgrade process was failing. BZ(1349721)
95987e
- Allow systemd_modules_load_t to read /etc/modprobe.d/lockd.conf
95987e
- sysadmin should be allowed to use docker.
95987e
5b18dd
* Mon Jul 18 2016 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-203
5b18dd
- Allow hypervkvp domain to run restorecon.
5b18dd
- Allow firewalld to manage net_conf_t files
5b18dd
- Remove double graphite-web context declaration
5b18dd
- Fix typo in rhsmcertd SELinux policy
5b18dd
- Allow logrotate read logs inside containers.
5b18dd
- Allow sssd to getattr on fs_t
5b18dd
- Allow opendnssec domain to manage bind cache files
5b18dd
- Allow systemd to get status of systemd-logind daemon
5b18dd
- Label more ndctl devices not just ndctl0
5b18dd
449da6
* Wed Jul 13 2016 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-202
449da6
- Allow systemd_logind_t to start init_t BZ(1355861)
449da6
- Add init_start() interface
449da6
- Allow sysadm user to run systemd-tmpfiles
449da6
- Add interface systemd_tmpfiles_run
449da6
1ad890
* Mon Jul 11 2016 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-201
1ad890
- Allow lttng tools to block suspending
1ad890
- Allow creation of vpnaas in openstack
1ad890
- remove rules with compromised_kernel permission
1ad890
- Allow dnssec-trigger to chat with NetworkManager over DBUS BZ(1350100)
1ad890
- Allow virtual machines to rw infiniband devices. Resolves: rhbz#1210263
1ad890
- Update makefile to support snapperd_contexts file
1ad890
- Remove compromize_kernel permission Remove unused mac_admin permission Add undefined system permission
1ad890
- Remove duplicate declaration of class service
1ad890
- Fix typo in access_vectors file
1ad890
- Merge branch 'rawhide-base-modules-load' into rawhide-base
1ad890
- Add new policy for systemd-modules-load
1ad890
- Add systemd access vectors.
1ad890
- Revert "Revert "Revert "Missed this version of exec_all"""
1ad890
- Revert "Revert "Missed this version of exec_all""
1ad890
- Revert "Missed this version of exec_all"
1ad890
- Revert "Revert "Fix name of capability2 secure_firmware->compromise_kernel"" BZ(1351624) This reverts commit 3e0e7e70de481589440f3f79cccff08d6e62f644.
1ad890
- Revert "Fix name of capability2 secure_firmware->compromise_kernel" BZ(1351624) This reverts commit 7a0348a2d167a72c8ab8974a1b0fc33407f72c48.
1ad890
- Revert "Allow xserver to compromise_kernel access"BZ(1351624)
1ad890
- Revert "Allow anyone who can load a kernel module to compromise_kernel"BZ(1351624)
1ad890
- Revert "add ptrace_child access to process" (BZ1351624)
1ad890
- Add user namespace capability object classes.
1ad890
- Allow udev to manage systemd-hwdb files
1ad890
- Add interface systemd_hwdb_manage_config()
1ad890
- Fix paths to infiniband devices. This allows using more than two infiniband interfaces.
1ad890
- corecmd: Remove fcontext for /etc/sysconfig/libvirtd
1ad890
- iptables: add fcontext for nftables
1ad890
6c34b3
* Tue Jul 05 2016 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-200
6c34b3
- Fix typo in brltty policy
6c34b3
- Add new SELinux module sbd
6c34b3
- Allow pcp dmcache metrics collection
6c34b3
- Allow pkcs_slotd_t to create dir in /var/lock Add label pkcs_slotd_log_t
6c34b3
- Allow openvpn to create sock files labeled as openvpn_var_run_t
6c34b3
- Allow hypervkvp daemon to getattr on all filesystem types.
6c34b3
- Allow firewalld to create net_conf_t files
6c34b3
- Allow mock to use lvm
6c34b3
- Allow mirrormanager to create log files in /tmp
6c34b3
- Allow vmtools_t to transition to rpm_script domain
6c34b3
- Allow nsd daemon to manage nsd_conf_t dirs and files
6c34b3
- Allow cluster to create dirs in /var/run labeled as cluster_var_run_t
6c34b3
- Allow sssd read also sssd_conf_t dirs
6c34b3
- Allow opensm daemon to rw infiniband_mgmt_device_t
6c34b3
- Allow krb5kdc_t to communicate with sssd
6c34b3
- Allow prosody to bind on prosody ports
6c34b3
- Add dac_override caps for fail2ban-client Resolves: rhbz#1316678
6c34b3
- dontaudit read access for svirt_t on the file /var/db/nscd/group Resolves: rhbz#1301637
6c34b3
- Allow inetd child process to communicate via dbus with systemd-logind Resolves: rhbz#1333726
6c34b3
- Add label for brltty log file Resolves: rhbz#1328818
6c34b3
- Allow snort_t to communicate with sssd Resolves: rhbz#1284908
6c34b3
- Add interface lttng_sessiond_tmpfs_t()
6c34b3
- Dontaudit su_role_template interface to getattr /proc/kcore Dontaudit su_role_template interface to getattr /dev/initctl
6c34b3
- Add interface lvm_getattr_exec_files()
6c34b3
- Make label for new infiniband_mgmt devices
6c34b3
- Add prosody ports Resolves: rhbz#1304664
6c34b3
962020
* Tue Jun 28 2016 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-199
962020
- Label /var/lib/softhsm as named_cache_t. Allow named_t to manage named_cache_t dirs.
962020
- Allow glusterd daemon to get systemd status
962020
- Merge branch 'rawhide-contrib' of github.com:fedora-selinux/selinux-policy into rawhide-contrib
962020
- Merge pull request #135 from rhatdan/rawip_socket
962020
- Allow logrotate dbus-chat with system_logind daemon
962020
- Allow pcp_pmlogger to read kernel network state Allow pcp_pmcd to read cron pid files
962020
- Add interface cron_read_pid_files()
962020
- Allow pcp_pmlogger to create unix dgram sockets
962020
- Add interface dirsrv_run()
962020
- Remove non-existing jabberd_spool_t() interface and add new jabbertd_var_spool_t.
962020
- Remove non-existing interface salk_resetd_systemctl() and replace it with sanlock_systemctl_sanlk_resetd()
962020
- Create label for openhpid log files.
962020
- Container processes need to be able to listen on rawip sockets
962020
- Label /var/lib/ganglia as httpd_var_lib_t
962020
- Allow firewalld_t to create entries in net_conf_t dirs.
962020
- Allow journalctl to read syslogd_var_run_t files. This allows staff_t and sysadm_t to read journals
962020
- Label /etc/dhcp/scripts dir as bin_t
962020
- Allow sysadm_role to run journalctl_t domain. This allows sysadm user to read journals.
962020
8037d6
* Wed Jun 22 2016 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-198
8037d6
- Allow firewalld_t to create entries in net_conf_t dirs.
8037d6
- Allow journalctl to read syslogd_var_run_t files. This allows staff_t and sysadm_t to read journals
8037d6
- Allow rhsmcertd connect to port tcp 9090
8037d6
- Label for /bin/mail(x) was removed but /usr/bin/mail(x) was not. This path also needs to be removed.
8037d6
- Label /usr/libexec/mimedefang-wrapper as spamd_exec_t.
8037d6
- Add new boolean spamd_update_can_network.
8037d6
- Add proper label for /var/log/proftpd.log
8037d6
- Allow rhsmcertd connect to tcp netport_port_t
8037d6
- Fix SELinux context for /usr/share/mirrormanager/server/mirrormanager to Label all binaries under dir as mirrormanager_exec_t.
8037d6
- Allow prosody to bind to fac_restore tcp port.
8037d6
- Fix SELinux context for usr/share/mirrormanager/server/mirrormanager
8037d6
- Allow ninfod to read raw packets
8037d6
- Fix broken hostapd policy
8037d6
- Allow hostapd to create netlink_generic sockets. BZ(1343683)
8037d6
- Merge pull request #133 from vinzent/allow_puppet_transition_to_shorewall
8037d6
- Allow pegasus get attributes from qemu binary files.
8037d6
- Allow tuned to use policykit. This change is required by cockpit.
8037d6
- Allow conman_t to read dir with conman_unconfined_script_t binary files.
8037d6
- Allow pegasus to read /proc/sysinfo.
8037d6
- Allow puppet_t transition to shorewall_t
8037d6
- Allow conman to kill conman_unconfined_script.
8037d6
- Allow sysadm_role to run journalctl_t domain. This allows sysadm user to read journals.
8037d6
- Merge remote-tracking branch 'refs/remotes/origin/rawhide-base' into rawhide-base
8037d6
- Allow systemd to execute all init daemon executables.
8037d6
- Add init_exec_notrans_direct_init_entry() interface.
8037d6
- Label tcp ports:16379, 26379 as redis_port_t
8037d6
- Allow systemd to relabel /var and /var/lib directories during boot.
8037d6
- Add files_relabel_var_dirs() and files_relabel_var_dirs() interfaces.
8037d6
- Add files_relabelto_var_lib_dirs() interface.
8037d6
- Label tcp and udp port 5582 as fac_restore_port_t
8037d6
- Allow sysadm_t user to run postgresql-setup.
8037d6
- Allow sysadm_t user to dbus chat with oddjob_t. This allows confined admin run oddjob mkhomedirfor script.
8037d6
- Allow systemd-resolved to connect to llmnr tcp port. BZ(1344849)
8037d6
- Allow passwd_t also manage user_tmp_t dirs, this change is needed by gnome-keyringd
8037d6
4a34c4
* Thu Jun 16 2016 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-197
4a34c4
- Allow conman to kill conman_unconfined_script.
4a34c4
- Make conman_unconfined_script_t as init_system_domain.
4a34c4
- Allow init dbus chat with apmd.
4a34c4
- Patch: /var/lib/rpm is a symlink to /usr/share/rpm on Atomic; due to this change we also need to label /usr/share/rpm as rpm_var_lib_t.
4a34c4
- Dontaudit xguest_gkeyringd_t stream connect to system_dbusd_t
4a34c4
- Allow collectd_t to stream connect to postgresql.
4a34c4
- Allow mysqld_safe to inherit rlimit information from mysqld
4a34c4
- Allow ip netns to mounton root fs and unmount proc_t fs.
4a34c4
- Allow sysadm_t to run newaliases command.
4a34c4
be9b0d
* Mon Jun 13 2016 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-196
be9b0d
- Allow svirt_sandbox_domains to r/w onload sockets
be9b0d
- Add filetrans rule that NetworkManager_t can create net_conf_t files in /etc.
be9b0d
- Add interface sysnet_filetrans_named_net_conf()
be9b0d
- Rawhide fails to boot, systemd-logind needs to config transient config files
be9b0d
- User namespaces require create on process domains
be9b0d
a24ea5
* Wed Jun 08 2016 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-195
04ed47
- Add hwloc-dump-hwdata SELinux policy
04ed47
- Add labels for mediawiki123
04ed47
- Fix label for all fence_scsi_check scripts
04ed47
- Allow setcap for fenced
04ed47
- Allow glusterd domain read krb5_keytab_t files.
04ed47
- Allow tmpreaper_t to read/setattr all non_security_file_type dirs
04ed47
- Update refpolicy to handle hwloc
04ed47
- Fix typo in files_setattr_non_security_dirs.
04ed47
- Add interface files_setattr_non_security_dirs()
04ed47
c2ab48
* Tue Jun 07 2016 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-194
c2ab48
- Allow boinc to use dri devices. This allows using Boinc for OpenCL GPU calculations. BZ(1340886)
c2ab48
- Add nrpe_dontaudit_write_pipes()
c2ab48
- Merge pull request #129 from rhatdan/onload
c2ab48
- Add support for onloadfs
c2ab48
- Merge pull request #127 from rhatdan/device-node
c2ab48
- Additional access required for unconfined domains
c2ab48
- Dontaudit ping attempts to write to nrpe unnamed pipes
c2ab48
- Allow ifconfig_t to mounton also ifconfig_var_run_t dirs, not just files. Needed for: #ip netns add foo BZ(1340952)
2506c0
* Mon May 30 2016 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-193
2506c0
- Directory Server (389-ds-base) has been updated to use systemd-ask-password. In order to function correctly we need the following added to dirsrv.te
2506c0
- Update opendnssec_manage_config() interface to allow caller domain also manage opendnssec_conf_t dirs
2506c0
- Allow gssproxy to get attributes on all filesystem object types. BZ(1333778)
2506c0
- Allow ipa_dnskey_t search httpd config files.
2506c0
- Dontaudit certmonger to write to etc_runtime_t
2506c0
- Update opendnssec_read_conf() interface to allow caller domain also read opendnssec_conf_t dirs.
2506c0
- Add interface ipa_delete_tmp()
2506c0
- Allow systemd_hostnamed_t to read /proc/sysinfo labeled as sysctl_t.
2506c0
- Allow systemd to remove ipa temp files during uninstalling ipa. BZ(1333106)
2506c0
3289d1
* Wed May 25 2016 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-192
3289d1
- Create new SELinux type for /usr/libexec/ipa/ipa-dnskeysyncd BZ(1333106)
3289d1
- Add SELinux policy for opendnssec service. BZ(1333106)
3289d1
4c0cee
* Tue May 24 2016 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-191
4c0cee
- Label /usr/share/ovirt-guest-agent/ovirt-guest-agent.py as rhev_agentd_exec_t
4c0cee
- Allow dnssec_trigger_t to create lnk_file labeled as dnssec_trigger_var_run_t. BZ(1335954)
4c0cee
- Allow ganesha-ha.sh script running under unconfined_t domain communicate with glusterd_t domains via dbus.
4c0cee
- Allow ganesha daemon labeled as glusterd_t create /var/lib/nfs/ganesha dir labeled as var_lib_nfs_t.
4c0cee
- Merge pull request #122 from NetworkManager/th/nm-dnsmasq-dbus
4c0cee
- Merge pull request #125 from rhatdan/typebounds
4c0cee
- Typebounds user domains
4c0cee
- Allow systemd_resolved_t to check if ipv6 is disabled.
4c0cee
- systemd added a new directory for unit files /run/systemd/transient. It should be labelled system_u:object_r:systemd_unit_file_t:s0, the same as /run/systemd/system, PID 1 will write units there. Resolves: #120
4c0cee
- Label /dev/xen/privcmd as xen_device_t. BZ(1334115)
4c0cee
5e78b0
* Mon May 16 2016 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-190
5e78b0
- Label /var/log/ganesha.log as gluster_log_t Allow glusterd_t domain to create glusterd_log_t files. Label /var/run/ganesha.pid as gluster_var_run_t.
5e78b0
- Allow zabbix to connect to postgresql port
5e78b0
- Label /usr/libexec/openssh/sshd-keygen as sshd_keygen_exec_t. BZ(1335149)
5e78b0
- Allow systemd to read efivarfs. Resolve: #121
5e78b0
a2f43d
* Tue May 10 2016 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-189
a2f43d
- Revert temporary fix: Replace generating man/html pages with pages from actual build. This is due to broken userspace with python3 in F23/Rawhide. Please Revert when userspace will be fixed
a2f43d
70515f
* Mon May 09 2016 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-188
70515f
- Label tcp port 8181 as intermapper_port_t.
70515f
- Label /usr/libexec/storaged/storaged as lvm_exec_t to run storaged daemon in lvm_t SELinux domain. BZ(1333588)
70515f
- Label tcp/udp port 2024 as xinuexpansion4_port_t
70515f
- Label tcp port 7002 as afs_pt_port_t Label tcp/udp port 2023 as xinuexpansion3_port_t
70515f
7ff0b8
* Thu May 05 2016 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-187
7ff0b8
- Allow stunnel create log files. BZ(1333033)
7ff0b8
- Label dev/shm/squid-cf__metadata.shm as squid_tmpfs_t. BZ(1331574)
7ff0b8
- Allow stunnel sys_nice capability. Stunnel uses sched_* syscalls in some cases. BZ(1332287)
7ff0b8
- Label /usr/bin/ganesha.nfsd as glusterd_exec_t to run ganesha as glusterd_t. Allow glusterd_t stream connect to rpcbind_t. Allow cluster_t to create symlink /var/lib/nfs labeled as var_lib_nfs_t. Add interface rpc_filetrans_var_lib_nfs_content() Add new boolean: rpcd_use_fusefs to allow rpcd daemon use fusefs.
7ff0b8
- Allow systemd-user-sessions daemon to manage systemd_logind_var_run_t pid files. BZ(1331980)
7ff0b8
- Modify kernel_steam_connect() interface by adding getattr permission. BZ(1331927)
7ff0b8
- Label /usr/sbin/xrdp* files as bin_t BZ(1258453)
7ff0b8
- Allow rpm-ostree domain transition to install_t domain from init_t. rhbz#1330318
7ff0b8
7a1df1
* Fri Apr 29 2016 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-186
7a1df1
- Allow snapperd sys_admin capability Allow snapperd to set scheduler. BZ(1323732)
7a1df1
- Label named-pkcs11 binary as named_exec_t. BZ(1331316)
7a1df1
- Revert "Add new permissions stop/start to class system. rhbz#1324453"
7a1df1
- Fix typo in module compilation message
7a1df1
02b9e4
* Wed Apr 27 2016 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-185
02b9e4
- Allow running php7 in fpm mode. From selinux-policy side, we need to allow httpd to read/write hugetlbfs.
02b9e4
- Allow openvswitch daemons to run under openvswitch Linux user instead of root. This change needs allow set capabilities: chown, setgid, setuid, setpcap. BZ(1330895)
02b9e4
- Allow KDM to get status about power services. This change allows kdm to shut down BZ(1330970)
02b9e4
- Add mls support for some db classes
02b9e4
343326
* Tue Apr 26 2016 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-184
343326
- Remove ftpd_home_dir() boolean from distro policy. Reason is that we cannot make this work due to m4 macro language limits.
343326
- Create new apache content template for files stored in user homedir. This change is needed to make working booleans: - httpd_enable_homedirs - httpd_read_user_content Resolves: rhbz#1330448
343326
- Label /usr/lib/snapper/systemd-helper as snapperd_exec_t. rhbz#1323732
343326
- Make virt_use_pcscd boolean off by default.
343326
- Create boolean to allow virtual machine use smartcards. rhbz#1029297
343326
- Allow snapperd to relabel btrfs snapshot subvolume to snapperd_data_t. rhbz#1323754
343326
- Allow mongod log to syslog.
343326
- Allow nsd daemon to create log file in /var/log as nsd_log_t
343326
- unlabeled_t can not be an entrypoint.
343326
- Modify interface dev_read_nvme() to allow also read nvme_device_t block files. rhbz#1327909
343326
- Add new permissions stop/start to class system. rhbz#1324453
343326
64f816
* Mon Apr 18 2016 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-183
64f816
- Allow modemmanager to talk to logind
64f816
- Dontaudit tor daemon needs net_admin capability. rhbz#1311788
64f816
- Allow GDM write to event devices. This rule is needed for GDM, because other display managers run the X server as root, GDM instead runs the X server as the unprivileged user, within the user session. rhbz#1232042
64f816
- Xorg now writes content in users homedir.
64f816
4c6178
* Fri Apr 08 2016 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-182
4c6178
- rename several contrib modules according to their filenames
4c6178
- Add interface gnome_filetrans_cert_home_content()
4c6178
- By default container domains should not be allowed to create devices
4c6178
- Allow unconfined_t to create ~/.local/share/networkmanagement/certificates/ as home_cert_t instead of data_home_t.
4c6178
- Allow systemd_resolved_t to read /etc/passwd file. Allow systemd_resolved_t to write to kmsg_device_t when 'systemd.log_target=kmsg' option is used
4c6178
- Allow systemd gpt generator to read removable devices. BZ(1323458)
4c6178
- Allow systemd_gpt_generator_t sys_rawio capability. This access is needed to allow systemd gpt generator various device commands BZ(1323454)
4c6178
c13001
* Fri Apr 01 2016 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-181
c13001
- Label /usr/libexec/rpm-ostreed as rpm_exec_t. BZ(1309075)
c13001
- /bin/mailx is labeled sendmail_exec_t, and enters the sendmail_t domain on execution.  If /usr/sbin/sendmail does not have its own domain to transition to, and is not one of several products whose behavior is allowed by the sendmail_t policy, execution will fail. In this case we need to label /bin/mailx as bin_t. BZ(1323224)
c13001
- Label all run tgtd files, not just socket files.
c13001
- Allow prosody to stream connect to sasl. This will allow using cyrus authentication in prosody.
c13001
- Allow prosody to listen on port 5000 for mod_proxy65. BZ(1322815)
c13001
- Allow targetd to read/write to /dev/mapper/control device. BZ(1241415)
c13001
- Label /etc/selinux/(minimum|mls|targeted)/active/ as semanage_store_t.
c13001
- Allow systemd_resolved to read systemd_networkd run files. BZ(1322921)
c13001
- New cgroup2 file system in Rawhide
c13001
fac3fc
* Wed Mar 30 2016 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-180
fac3fc
- Allow dovecot_auth_t domain to manage also dovecot_var_run_t fifo files. BZ(1320415)
fac3fc
- Allow colord to read /etc/udev/hwdb.bin. rhbz#1316514
fac3fc
- sandboxX.te: Allow sandbox domain to have entrypoint access only for executables and mountpoints.
fac3fc
- Allow sandbox domain to have entrypoint access only for executables and mountpoints.
fac3fc
- Allow bitlee to create bitlee_var_t dirs.
fac3fc
- Allow CIM provider to read sssd public files.
fac3fc
- Fix some broken interfaces in distro policy.
fac3fc
- Allow power button to shutdown the laptop.
fac3fc
- Allow lsm plugins to create named fixed disks. rhbz#1238066
fac3fc
- Allow hyperv domains to rw hyperv devices. rhbz#1241636
fac3fc
- Label /var/www/html(/.*)?/wp_backups(/.*)? as httpd_sys_rw_content_t.
fac3fc
- Create conman_unconfined_script_t type for conman script stored in /usr/share/conman/exec/
fac3fc
- Allow rsync_export_all_ro boolean to read also non_auth_dirs/files/symlinks.
fac3fc
- Allow pmdaapache labeled as pcp_pmcd_t access to port 80 for apache diagnostics
fac3fc
- Label nagios scripts as httpd_sys_script_exec_t.
fac3fc
- Allow nsd_t to bind on nsf_control tcp port. Allow nsd_crond_t to read nsd pid.
fac3fc
- Fix a couple of cosmetic things in new virtlogd_t policy. rhbz #1311576
fac3fc
- Merge pull request #104 from berrange/rawhide-contrib-virtlogd
fac3fc
- Label /var/run/ecblp0 as cupsd_var_run_t due to this fifo_file is used by epson drivers. rhbz#1310336
fac3fc
- Dontaudit logrotate to setrlimit itself. rhbz#1309604
fac3fc
- Add filename transition that /etc/princap will be created with cupsd_rw_etc_t label in cups_filetrans_named_content() interface.
fac3fc
- Allow pcp_pmie and pcp_pmlogger to read all domains state.
fac3fc
- Allow systemd-gpt-generator to create and manage systemd gpt generator unit files. BZ(1319446)
fac3fc
- Merge pull request #115 from rhatdan/nvidea
fac3fc
- Label all nvidia binaries as xserver_exec_t
fac3fc
- Add new systemd_hwdb_read_config() interface. rhbz#1316514
fac3fc
- Add back corecmd_read_all_executables() interface.
fac3fc
- Call files_type() instead of file_type() for unlabeled_t.
fac3fc
- Add files_entrypoint_all_mountpoint() interface.
fac3fc
- Make unlabeled only as a file_type type. It is a type for fallback if there is an issue with labeling.
fac3fc
- Add corecmd_entrypoint_all_executables() interface.
fac3fc
- Create hyperv* devices and create rw interfaces for this devices. rhbz#1309361
fac3fc
- Add neverallow assertion for unlabeled_t to increase policy security.
fac3fc
- Allow systemd-rfkill to create /var/lib/systemd/rfkill dir. rhbz#1319499
fac3fc
- Label 8952 tcp port as nsd_control.
fac3fc
- Allow to log out to gdm after screen was resized in session via vdagent. Resolves: rhbz#1249020
fac3fc
3f0021
* Wed Mar 16 2016 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-179
3f0021
- Add filename transition that /etc/princap will be created with cupsd_rw_etc_t label in cups_filetrans_named_content() interface.
3f0021
- Revert "Add filename transition that /etc/princap will be created with cupsd_rw_etc_t label in cups_filetrans_named_content."
3f0021
- Add filename transition that /etc/princap will be created with cupsd_rw_etc_t label in cups_filetrans_named_content.
3f0021
- Allow pcp_pmie and pcp_pmlogger to read all domains state.
3f0021
- Make fwupd domain unconfined. We need to discuss solution related to using gpg. rhbz#1316717
3f0021
- Merge pull request #108 from rhatdan/rkt
3f0021
- Merge pull request #109 from rhatdan/virt_sandbox
3f0021
- Add new interface to define virt_sandbox_network domains
3f0021
- Label /etc/redis-sentinel.conf as redis_conf_t. Allow redis_t write to redis_conf_t. Allow redis_t to connect on redis tcp port.
3f0021
- Fix typo in drbd policy
3f0021
- Remove declaration of empty booleans in virt policy.
3f0021
- Add new drbd file type: drbd_var_run_t. Allow drbd_t to manage drbd_var_run_t files/dirs.
3f0021
- Label /etc/ctdb/events.d/* as ctdb_exec_t. Allow ctdbd_t to setattr on ctdbd_exec_t files.
3f0021
- Additional rules to make rkt work in enforcing mode
3f0021
- Allow to log out to gdm after screen was resized in session via vdagent. Resolves: rhbz#1249020
3f0021
- Allow ipsec to use pam. rhbz#1317988
3f0021
- Allow systemd-gpt-generator to read fixed_disk_device_t. rhbz#1314968
3f0021
- Allow setrans daemon to read /proc/meminfo.
3f0021
- Merge pull request #107 from rhatdan/rkt-base
3f0021
- Allow systemd_notify_t to write to kmsg_device_t when 'systemd.log_target=kmsg' option is used.
3f0021
- Remove bin_t label for /etc/ctdb/events.d/. We need to label this scripts as ctdb_exec_t.
3f0021
cdb2ae
* Thu Mar 10 2016 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-178
cdb2ae
- Label tcp port 5355 as llmnr (Link-Local Multicast Name Resolution)
cdb2ae
- Add support for systemd-resolved.
cdb2ae
d14d37
* Tue Mar 08 2016 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-177
d14d37
- Allow spice-vdagent to getattr on tmpfs_t filesystems Resolves: rhbz#1276251
d14d37
- Allow sending dbus msgs between firewalld and system_cronjob domains.
d14d37
- Allow zabbix-agentd to connect to the following tcp ports. One of zabbix-agentd's functions is to get the service status of the ftp, http, innd, pop and smtp protocols. rhbz#1315354
d14d37
- Allow snapperd mounton permissions for snapperd_data_t. BZ(#1314972)
d14d37
- Add support for systemd-gpt-auto-generator. rhbz#1314968
d14d37
- Add interface dev_read_nvme() to allow reading Non-Volatile Memory Host Controller devices.
d14d37
- Add support for systemd-hwdb daemon. rhbz#1306243
d14d37
9fc76d
* Thu Mar 03 2016 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-176
9fc76d
- Add new boolean tmpreaper_use_cifs() to allow tmpreaper to run on local directories being shared with Samba.
9fc76d
- Merge pull request #105 from rhatdan/NO_NEW_PRIV
9fc76d
- Fix new rkt policy
9fc76d
- Remove some redundant rules.
9fc76d
- Fix cosmetic issues in interface file.
9fc76d
- Merge pull request #100 from rhatdan/rawhide-contrib
9fc76d
- Add interface fs_setattr_cifs_dirs().
9fc76d
- Merge pull request #106 from rhatdan/NO_NEW_PRIV_BASE
9fc76d
- Fixed to make SELinux work with docker and prctl(NO_NEW_PRIVS)
9fc76d
- Build file_contexts.bin file_context.local.bin file_context.homedir.bin during build phase.
9fc76d
 This fixes an issue in Fedora live images when selinux-policy-targeted is not installed but just unpacked: since there are no .bin files,
9fc76d
 file_contexts is parsed in selabel_open().
9fc76d
Resolves: rhbz#1314372
9fc76d
ca2575
* Fri Feb 26 2016 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-175
ca2575
- Fix new rkt policy (Remove some redundant rules, Fix cosmetic issues in interface file)
ca2575
- Add policy for rkt services
ca2575
e98b09
* Fri Feb 26 2016 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-174
e98b09
- Revert "Allow systemd-logind to create .#nologinXXXXXX labeled as systemd_logind_var_run_t in /var/run/systemd/ rhbz#1285019"
e98b09
- Allow systemd-logind to create .#nologinXXXXXX labeled as systemd_logind_var_run_t in /var/run/ rhbz#1285019
e98b09
7ac3a5
* Fri Feb 26 2016 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-173
7ac3a5
- Allow amanda to manipulate the tape changer to load the necessary tapes. rhbz#1311759
7ac3a5
- Allow keepalived to create netlink generic sockets. rhbz#1311756
7ac3a5
- Allow modemmanager to read /etc/passwd file.
7ac3a5
- Label all files named /var/run/.*nologin.* as systemd_logind_var_run_t.
7ac3a5
- Add filename transition to interface systemd_filetrans_named_content() that domain will create rfkill dir labeled as systemd_rfkill_var_lib_t instead of init_var_lib_t. rhbz #1290255
7ac3a5
- Allow systemd-logind to create .#nologinXXXXXX labeled as systemd_logind_var_run_t in /var/run/systemd/ rhbz#1285019
7ac3a5
- Allow systemd_networkd_t to write kmsg, when kernel was started with following params: systemd.debug systemd.log_level=debug systemd.log_target=kmsg rhbz#1311444
7ac3a5
- Allow ipsec to read home certs, when connecting to VPN. rhbz#1301319
7ac3a5
352a55
* Thu Feb 25 2016 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-172
352a55
- Fix macro name from snmp_manage_snmp_var_lib_files to snmp_manage_var_lib_files in cupsd policy.
352a55
- Allow hplip driver to write to its MIB index files stored in the /var/lib/net-snmp/mib_indexes. Resolves: rhbz#1291033
352a55
- Allow collectd setgid capability Resolves:#1310896
352a55
- Allow adcli running as sssd_t to write krb5.keytab file.
352a55
- Allow abrt-hook-ccpp to getattr on all executables. BZ(1284304)
352a55
- Allow kexec to read kernel module files in /usr/lib/modules.
352a55
- Add httpd_log_t for /var/log/graphite-web rhbz#1306981
352a55
- Remove redundant rules and fix _admin interface.
352a55
- Add SELinux policy for LTTng 2.x central tracing registry session daemon.
352a55
- Allow create mongodb unix dgram sockets. rhbz#1306819
352a55
- Support for InnoDB Tablespace Encryption.
352a55
- Dontaudit leaked file descriptors from firewalld
352a55
- Add port for rkt services
352a55
- Add support for the default lttng-sessiond port - tcp/5345.  This port is used by LTTng 2.x central tracing registry session daemon.
352a55
d6823d
* Thu Feb 11 2016 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-171
d6823d
- Allow setroubleshoot_fixit_t to use temporary files
d6823d
ead49a
* Wed Feb 10 2016 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-170
ead49a
- Allow abrt_dump_oops_t to getattr filesystem nsfs files. rhbz#1300334
ead49a
- Allow ulogd_t to create netlink_netfilter sockets. rhbz#1305426
ead49a
- Create new type fwupd_cert_t Label /etc/pki/(fwupd|fwupd-metadata) dirs as fwupd_cert_t Allow fwupd_t domain to read fwupd_cert_t files|lnk_files rhbz#1303533
ead49a
- Add interface to dontaudit leaked files from firewalld
ead49a
- fwupd needs to dbus chat with policykit
ead49a
- Allow fwupd domain transition to gpg domain. Fwupd signing firmware updates by gpg. rhbz#1303531
ead49a
- Allow abrt_dump_oops_t to check permissions for a /usr/bin/Xorg. rhbz#1284967
ead49a
- Allow prelink_cron_system_t domain set resource limits. BZ(1190364)
ead49a
- Allow pppd_t domain to create sockfiles in /var/run labeled as pppd_var_run_t label. BZ(1302666)
ead49a
- Fix wrong name for openqa_websockets tcp port.
ead49a
- Allow running sshd-keygen on second boot if the first boot fails for some reason and content is not synced to the disk. These changes reflect this commit in sshd. http://pkgs.fedoraproject.org/cgit/rpms/openssh.git/commit/?id=af94f46861844cbd6ba4162115039bebcc8f78ba rhbz#1299106
ead49a
- Add interface ssh_getattr_server_keys() interface. rhbz#1299106
ead49a
- Added Label openqa for tcp port (9526) Added Label openqa-websockets for tcp port (9527) rhbz#1277312
ead49a
- Add interface fs_getattr_nsfs_files()
ead49a
- Add interface xserver_exec().
ead49a
- Revert "Allow all domains some process flags."BZ(1190364)
ead49a
edb36e
* Wed Feb 03 2016 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-169
edb36e
- Allow openvswitch domain capability sys_rawio.
edb36e
- Revert "Allow NetworkManager create dhcpc pid files. BZ(1229755)"
edb36e
- Allow openvswitch to manage hugetlfs files and dirs.
edb36e
- Allow NetworkManager create dhcpc pid files. BZ(1229755)
edb36e
- Allow apcupsd to read kernel network state. BZ(1282003)
edb36e
- Label /sys/kernel/debug/tracing filesystem
edb36e
- Add fs_manage_hugetlbfs_files() interface.
edb36e
- Add sysnet_filetrans_dhcpc_pid() interface.
edb36e
4c488a
* Wed Jan 20 2016 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-168
4c488a
- Label virtlogd binary as virtd_exec_t. BZ(1291940)
4c488a
- Allow iptables to read nsfs files. BZ(1296826)
4c488a
6d3ee1
* Mon Jan 18 2016 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-167
6d3ee1
- Add fwupd policy for daemon to allow session software to update device firmware
6d3ee1
- Label /usr/libexec/ipa/oddjob/org.freeipa.server.conncheck as ipa_helper_exec_t. BZ(1289930)
6d3ee1
- Allow systemd services to use PrivateNetwork feature
6d3ee1
- Add a type and genfscon for nsfs.
6d3ee1
- Fix SELinux context for rsyslog unit file. BZ(1284173)
6d3ee1
5d165e
* Wed Jan 13 2016 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-166
5d165e
- Allow logrotate to systemctl rsyslog service. BZ(1284173)
5d165e
- Allow condor_master_t domain capability chown. BZ(1297048)
5d165e
- Allow chronyd to be dbus bus client. BZ(1297129)
5d165e
- Allow openvswitch read/write hugetlb filesystem.
5d165e
- Revert "Allow openvswitch read/write hugetlb filesystem."
5d165e
- Allow smbcontrol domain to send sigchld to ctdbd domain.
5d165e
- Allow openvswitch read/write hugetlb filesystem.
5d165e
- Merge branch 'rawhide-contrib' of github.com:fedora-selinux/selinux-policy into rawhide-contrib
5d165e
- Label /var/log/ipareplica-conncheck.log file as ipa_log_t. Allow ipa_helper_t domain to manage logs labeled as ipa_log_t. Allow ipa_helper_t to connect on http and kerberos_passwd ports. BZ(1289930)
5d165e
- Allow keepalived to connect to 3306/tcp port - mysqld_port_t.
5d165e
- Merge remote-tracking branch 'refs/remotes/origin/rawhide-contrib' into rawhide-contrib
5d165e
- Merge remote-tracking branch 'refs/remotes/origin/rawhide-contrib' into rawhide-contrib
5d165e
- Merge pull request #86 from rhatdan/rawhide-contrib
5d165e
- Label some new nsd binaries as nsd_exec_t Allow nsd domain net_admin cap. Create label nsd_tmp_t for nsd tmp files/dirs BZ (1293146)
5d165e
- Added interface logging_systemctl_syslogd
5d165e
- Label rsyslog unit file
5d165e
- Added policy for systemd-coredump service. Added domain transition from kernel_t to systemd_coredump_t. Allow syslogd_t domain to read/write tmpfs systemd-coredump files. Make new domain unconfined for now.
5d165e
936bb7
* Wed Jan 06 2016 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-165
936bb7
- Allow sddm-helper running as xdm_t to create .wayland-errors with correct labeling. BZ(#1291085)
936bb7
- Revert "Allow arping running as netutils_t sys_module capability for removing tap devices."
936bb7
- Allow arping running as netutils_t sys_module capability for removing tap devices.
936bb7
- Add userdom_connectto_stream() interface.
936bb7
- Allow systemd-logind to read /run/utmp. BZ(#1278662)
936bb7
- Allow sddm-helper running as xdm_t to create .wayland-errors with correct labeling. BZ(#1291085)
936bb7
- Revert "Allow arping running as netutils_t sys_module capability for removing tap devices."
936bb7
- Allow arping running as netutils_t sys_module capability for removing tap devices.
936bb7
- Add userdom_connectto_stream() interface.
936bb7
- Allow systemd-logind to read /run/utmp. BZ(#1278662)
936bb7
f1750f
* Tue Dec 15 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-164
f1750f
- Allow firewalld to create firewalld_var_run_t directory. BZ(1291243)
f1750f
- Add interface firewalld_read_pid_files()
f1750f
- Allow iptables to read firewalld pid files. BZ(1291243)
f1750f
- Allow the user cronjobs to run in their userdomain
f1750f
- Label sddm binaries stored in /etc/sddm/ as bin_t. BZ(1288111)
f1750f
- Merge pull request #81 from rhatdan/rawhide-base
f1750f
- New access needed by systemd domains
f1750f
5c898c
* Wed Dec 09 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-163
5c898c
- Allow whack executed by sysadm SELinux user to access /var/run/pluto/pluto.ctl. It fixes "ipsec auto --status" executed by sysadm_t.
5c898c
- Add ipsec_read_pid() interface
5c898c
2b449e
* Mon Dec 07 2015 Miroslav Grepl <mgrepl@redhat.com> 3.13.1-162
2b449e
- Label /usr/sbin/lvmlockd binary file as lvm_exec_t. BZ(1287739)
2b449e
- Adding support for dbus communication between systemd-networkd and systemd-hostnamed. BZ(1279182)
2b449e
- Update init policy to have userdom_noatsecure_login_userdomain() and userdom_sigchld_login_userdomain() called for init_t.
2b449e
- init_t domain should be running without unconfined_domain attribute.
2b449e
- Add a new SELinux policy for /usr/lib/systemd/systemd-rfkill.
2b449e
- Update userdom_transition_login_userdomain() to have "sigchld" and "noatsecure" permissions.
2b449e
- systemd needs to access /dev/rfkill on early boot.
2b449e
- Allow dspam to read /etc/passwd
2b449e
71a663
* Mon Nov 30 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-161
71a663
- Set default value as true in boolean mozilla_plugin_can_network_connect. BZ(1286177)
71a663
78826f
* Tue Nov 24 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-160
78826f
- Allow apcupsd sending mails about battery state. BZ(1274018)
78826f
- Allow pcp_pmcd_t domain transition to lvm_t. BZ(1277779)
78826f
- Merge pull request #68 from rhatdan/rawhide-contrib
78826f
- Allow antivirus_t to bind to all unreserved ports. Clamd binds to random unassigned port (by default in range 1024-2048). #1248785
78826f
-  Allow systemd-networkd to bind dhcpd ports if DHCP=yes in *.network conf file. BZ(#1280092)
78826f
- systemd-tmpfiles performs operations on System V IPC objects which requires sys_admin capability. BZ(#1279269)
78826f
0e8453
* Fri Nov 20 2015 Miroslav Grepl <mgrepl@redhat.com> 3.13.1-159
0e8453
- Allow antivirus_t to bind to all unreserved ports. Clamd binds to random unassigned port (by default in range 1024-2048)
0e8453
- Allow abrt-hook-ccpp to change SELinux user identity for created objects.
0e8453
- Allow abrt-hook-ccpp to get attributes of all processes because of core_pattern.
0e8453
- Allow setuid/setgid capabilities for abrt-hook-ccpp.
0e8453
- Add default labeling for /etc/Pegasus/cimserver_current.conf. It is a correct patch instead of the current /etc/Pegasus/pegasus_current.conf.
0e8453
- Allow fenced node dbus msg when using foghorn with configured foghorn, snmpd, and snmptrapd.
0e8453
- cockpit has grown content in /var/run directory
0e8453
- Add support for /dev/mptctl device used to check RAID status.
0e8453
- Allow systemd-hostnamed to communicate with dhcp via dbus.
0e8453
- systemd-logind removes all IPC objects owned by a user on logout. This also covers SysV memory. This change allows destroying unprivileged users' SysV shared memory segments.
0e8453
- Add userdom_destroy_unpriv_user_shared_mem() interface.
0e8453
- Label /var/run/systemd/shutdown directory as systemd_logind_var_run_t to allow systemd-logind to access it if shutdown is invoked.
0e8453
- Access needed by systemd-machine to manage docker containers
0e8453
- Allow systemd-logind to read /run/utmp when shutdown is invoked.
0e8453
db55b6
* Tue Nov 10 2015 Miroslav Grepl <mgrepl@redhat.com> 3.13.1-158
db55b6
- Merge pull request #48 from lkundrak/contrib-openfortivpn
db55b6
- unbound wants to use ephemeral ports as a default configuration. Allow to use also udp sockets.
db55b6
02b374
* Mon Nov 09 2015 Miroslav Grepl <mgrepl@redhat.com> 3.13.1-157
02b374
- The ABRT coredump handler has code to emulate default core file creation. The handler runs in a separate process with the abrt_dump_oops_t SELinux process type. abrt-hook-ccpp also saves the core dump file in the very same way as the kernel does, and a user can specify the CWD location for a coredump. abrt-hook-ccpp has been made an SELinux-aware app to create these coredumps with correct labeling, and with this commit the policy rules have been updated to allow access to all non-security files on a system.
02b374
- Since /dev/log is a symlink, we need to allow relabelto also symlink. This commit update logging_relabel_devlog_dev() interface to allow it.
02b374
- systemd-user has pam_selinux support and needs to be able to compute the user security context if init_t is not an unconfined domain.
02b374
66791f
* Tue Oct 27 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-156
66791f
- Allow fail2ban-client to execute ldconfig. #1268715
66791f
- Add interface virt_sandbox_domain()
66791f
- Use mmap_file_perms instead of exec_file_perms in setroubleshoot policy to shave off the execute_no_trans permission. Based on a github communication with Dominick Grift.
66791f
- Call userdom_dontaudit_user_getattr_tmp_sockets() instead of usedom_dontaudit_user_getattr_tmp_sockets().
66791f
- Rename usedom_dontaudit_user_getattr_tmp_sockets() to userdom_dontaudit_user_getattr_tmp_sockets().
66791f
- Remove auth_login_pgm_domain(init_t) which has been added by accident.
66791f
- init_t needs to be able to change SELinux identity because it is used as a login_pgm domain because of systemd-user and PAM. It allows security_compute_user() to return a list of possible contexts, and then a correct default label is returned by "selinux.get_default_context(sel_user,fromcon)" defined in the policy user config files.
66791f
- Add interface auth_use_nsswitch() to systemd_domain_template.
66791f
- Revert "auth_use_nsswitch can be used with attribute systemd_domain."
66791f
- auth_use_nsswitch can be used with attribute systemd_domain.
66791f
- ipsec: fix strongSwan charon-nm
66791f
- docker is communicating with systemd-machined
66791f
- Add missing systemd_dbus_chat_machined, needed by docker
66791f
5d2c76
* Tue Oct 20 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-155
5d2c76
- Build including docker selinux interfaces.
5d2c76
0bdc24
* Tue Oct 20 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-154
0bdc24
- Allow winbindd to send signull to kernel. BZ(#1269193)
0bdc24
- Merge branch 'rawhide-contrib-chrony' into rawhide-contrib
0bdc24
- Fixes for chrony version 2.2 BZ(#1259636)
0bdc24
  * Allow chrony chown capability
0bdc24
  * Allow sendto dgram_sockets to itself and to unconfined_t domains.
0bdc24
- Merge branch 'rawhide-contrib-chrony' into rawhide-contrib
0bdc24
- Add boolean allowing mysqld to connect to http port. #1262125
0bdc24
- Merge pull request #52 from 1dot75cm/rawhide-base
0bdc24
- Allow systemd_hostnamed to read xenfs_t files. BZ(#1233877)
0bdc24
- Fix attribute in corenetwork.if.in
0bdc24
2bd687
* Tue Oct 13 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-153
2bd687
- Allow abrt_t to read sysctl_net_t files. BZ(#1194280)
2bd687
- Merge branch 'rawhide-contrib' of github.com:fedora-selinux/selinux-policy into rawhide-contrib
2bd687
- Add abrt_stub interface.
2bd687
- Add support for new mock location - /usr/libexec/mock/mock. BZ(#1270972)
2bd687
- Allow usbmuxd to access /run/udev/data/+usb:*. BZ(#1269633)
2bd687
- Allow qemu-bridge-helper to read /dev/random and /dev/urandom. BZ(#1267217)
2bd687
- Allow sssd_t to manage samba var files/dirs to SSSD's GPO support which is enabled against an Active Directory domain. BZ(#1225200).
2bd687
- Add samba_manage_var_dirs() interface.
2bd687
- Allow pcp_pmlogger to exec bin_t BZ(#1258698)
2bd687
- Allow spamd to read system network state. BZ(1260234)
2bd687
- Allow fcoemon to create netlink scsitransport sockets BZ(#1260882)
2bd687
- Allow networkmanager to create networkmanager_var_lib_t files. BZ(1270201)
2bd687
- Allow systemd-networkd to read XEN state for Xen hypervisor. BZ(#1269916)
2bd687
- Add fs_read_xenfs_files() interface.
2bd687
- Allow systemd_machined_t to send dbus msgs to all users and read/write /dev/ptmx to make 'machinectl shell' working correctly.
2bd687
- Allow systemd running as init_t to override the default context for key creation. BZ(#1267850)
2bd687
a6a253
* Thu Oct 08 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-152
a6a253
- Allow pcp_pmlogger to read system state. BZ(1258699)
a6a253
- Allow cupsd to connect on socket. BZ(1258089)
a6a253
- Allow named to bind on ephemeral ports. BZ(#1259766)
a6a253
- Allow iscsid create netlink iscsid sockets.
a6a253
- We need to allow connecting to xserver for all sandbox_x domains because we have one type for all sandbox processes.
a6a253
- Allow NetworkManager_t and policykit_t read access to systemd-machined pid files. #1255305
a6a253
- Add missing labeling for /usr/libexec/abrt-hook-ccpp as a part of #1245477 and #1242467 bugs.
a6a253
- Allow search dirs in sysfs types in kernel_read_security_state.
a6a253
- Fix kernel_read_security_state interface that source domain of this interface can search sysctl_fs_t dirs.
a6a253
0927e3
* Fri Oct 02 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-151
0927e3
- Update modules_filetrans_named_content() to make sure we don't get modules_dep labeling by filename transitions.
0927e3
- Remove /usr/lib/modules/[^/]+/modules\..+ labeling
0927e3
- Add modutils_read_module_deps_files() which is called from files_read_kernel_modules() for module deps which are still labeled as modules_dep_t.
0927e3
- Remove modules_dep_t labeling for kernel module deps. depmod is a symlink to kmod which is labeled as insmod_exec_t which handles modules_object_t and there is no transition to modules_dep_t. Also some of these module deps are placed by cpio during install/update of kernel package.
0927e3
615148
* Fri Oct 02 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-150
615148
- Allow acpid to attempt to connect to the Linux kernel via generic netlink socket.
615148
- Clean up pkcs11proxyd policy.
615148
- We need to require sandbox_web_type attribute in sandbox_x_domain_template().
615148
- Revert "depmod is a symlink to insmod so it runs as insmod_t. It causes that dep kernel modules files are not created with the correct labeling modules_dep_t. This fix adds filetrans rules for insmod_t."
615148
- depmod is a symlink to insmod so it runs as insmod_t. This causes kernel module dependency files not to be created with the correct labeling modules_dep_t. This fix adds filetrans rules for insmod_t.
615148
- Update files_read_kernel_modules() to contain modutils_read_module_deps() calling because module deps labeling has been updated and it allows to avoid regressions.
615148
- Update modules_filetrans_named_content() interface to cover more modules.* files.
615148
- New policy for systemd-machined. #1255305
615148
- In Rawhide/F24, we added pam_selinux.so support for systemd-users to have user sessions running under correct SELinux labeling. It also supports another new feature with systemd+dbus and we have sessions dbuses running with the correct labeling - unconfined_dbus_t for example.
615148
- Allow systemd-logind read access to efivarfs - Linux Kernel configuration options for UEFI systems (UEFI Runtime Variables). #1244973, #1267207 (partial solution)
615148
- Merge pull request #42 from vmojzis/rawhide-base
615148
- Add interface to allow reading files in efivarfs - contains Linux Kernel configuration options for UEFI systems (UEFI Runtime Variables)
615148
b03747
* Tue Sep 29 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-149
b03747
- Add few rules related to new policy for pkcs11proxyd
b03747
- Added new policy for pkcs11proxyd daemon
b03747
- We need to require sandbox_web_type attribute in sandbox_x_domain_template().
b03747
- Dontaudit abrt_t to rw lvm_lock_t dir.
b03747
- Allow abrt_d domain to write to kernel msg device.
b03747
- Add interface lvm_dontaudit_rw_lock_dir()
b03747
- Merge pull request #35 from lkundrak/lr-libreswan
b03747
ec0c1b
* Tue Sep 22 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-148
ec0c1b
- Update config.tgz to reflect changes in default context for SELinux users related to pam_selinux.so which is now used in systemd-users.
ec0c1b
- Added support for permissive domains
ec0c1b
- Allow rpcbind_t domain to change file owner and group
ec0c1b
- rpm-ostree has a daemon mode now and need to speak to polkit/logind for authorization. BZ(#1264988)
ec0c1b
- Allow dnssec-trigger to send generic signal to Network-Manager. BZ(#1242578)
ec0c1b
- Allow smbcontrol to create a socket in /var/samba which is used for communication with smbd, nmbd and winbind.
ec0c1b
- Revert "Add apache_read_pid_files() interface"
ec0c1b
- Allow dirsrv-admin read httpd pid files.
ec0c1b
- Add apache_read_pid_files() interface
ec0c1b
- Add label for dirsrv-admin unit file.
ec0c1b
- Allow qpid daemon to connect on amqp tcp port.
ec0c1b
- Allow dirsrvadmin-script read /etc/passwd file Allow dirsrvadmin-script exec systemctl
ec0c1b
- Add labels for afs binaries: dafileserver, davolserver, salvageserver, dasalvager
ec0c1b
- Add lsmd_plugin_t sys_admin capability, Allow lsmd_plugin_t getattr from sysfs filesystem.
ec0c1b
- Allow rhsmcertd_t send signull to unconfined_service_t domains.
ec0c1b
- Revert "Allow pcp to read docker lib files."
ec0c1b
- Label /usr/libexec/dbus-1/dbus-daemon-launch-helper  as dbusd_exec_t to have systemd dbus services running in the correct domain instead of unconfined_service_t if unconfined.pp module is enabled. BZ(#1262993)
ec0c1b
- Allow pcp to read docker lib files.
ec0c1b
- Revert "init_t needs to be login_pgm domain because of systemd-users + pam_selinux.so"
ec0c1b
- Add login_userdomain attribute also for unconfined_t.
ec0c1b
- Add userdom_login_userdomain() interface.
ec0c1b
- Label /etc/ipa/nssdb dir as cert_t
ec0c1b
- init_t needs to be login_pgm domain because of systemd-users + pam_selinux.so
ec0c1b
- Add interface unconfined_server_signull() to allow domains send signull to unconfined_service_t
ec0c1b
- Call userdom_transition_login_userdomain() instead of userdom_transition() in init.te related to pam_selinux.so+systemd-users.
ec0c1b
- Add userdom_transition_login_userdomain() interface
ec0c1b
- Allow user domains with login_userdomain to have entrypoint access on init_exec. It is needed by pam_selinux.so call in systemd-users. BZ(#1263350)
ec0c1b
- Add init_entrypoint_exec() interface.
ec0c1b
- Allow init_t to have transition allow rule for userdomain if pam_selinux.so is used in /etc/pam.d/systemd-user. It ensures that systemd user sessions will run with correct userdomain types instead of init_t. BZ(#1263350)
ec0c1b
281867
* Mon Sep 14 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-147
281867
- named wants to access /proc/sys/net/ipv4/ip_local_port_range to get the ephemeral range. BZ(#1260272)
281867
- Allow user screen domains to list directories in HOMEDIR with user_home_t labeling.
281867
- Dontaudit fenced search gnome config
281867
- Allow teamd running as NetworkManager_t to access netlink_generic_socket to allow multiple network interfaces to be teamed together. BZ(#1259180)
281867
- Fix for watchdog_unconfined_exec_read_lnk_files, Add also dir search perms in watchdog_unconfined_exec_t.
281867
- Sanlock policy update. #1255307   - New sub-domain for sanlk-reset daemon
281867
- Fix labeling for fence_scsi_check script
281867
- Allow openhpid to read system state. Allow openhpid to connect to tcp http port.
281867
- Allow openhpid to read snmp var lib files.
281867
- Allow openvswitch_t domains to read kernel module dependencies because openvswitch runs modprobe
281867
- Fix regexp in chronyd.fc file
281867
- systemd-logind needs to be able to act with /usr/lib/systemd/system/poweroff.target to allow shutdown system. BZ(#1260175)
281867
- Allow systemd-udevd to access netlink_route_socket to change names for network interfaces without unconfined.pp module. It affects also MLS.
281867
- Allow unconfined_t domains to create /var/run/xtables.lock with iptables_var_run_t
281867
- Remove bin_t label for /usr/share/cluster/fence_scsi_check\.pl
281867
f1ab24
* Tue Sep 01 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-146
f1ab24
- Allow passenger to getattr filesystem xattr
f1ab24
- Revert "Allow pegasus_openlmi_storage_t create mdadm.conf.anacbak file in /etc."
f1ab24
- Label mdadm.conf.anackbak as mdadm_conf_t file.
f1ab24
- Allow dnssec-trigger to relabel net_conf_t files. BZ(1251765)
f1ab24
- Allow dnssec-trigger to exec pidof. BZ(#1256737)
f1ab24
- Allow blueman to create own tmp files in /tmp. (#1234647)
f1ab24
- Add new audit_read access vector in capability2 class
f1ab24
- Add "binder" security class and access vectors
f1ab24
- Update netlink socket classes.
f1ab24
- Allow getty to read network state. BZ(#1255177)
f1ab24
- Remove labeling for /var/db/.*\.db as etc_t to label db files as system_db_t.
f1ab24
0d7034
* Sun Aug 30 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-145
0d7034
- Allow watchdog execute fenced python script.
0d7034
- Added interface watchdog_unconfined_exec_read_lnk_files()
0d7034
- Allow pmweb daemon to exec shell. BZ(1256127)
0d7034
- Allow pmweb daemon to read system state. BZ(#1256128)
0d7034
- Add file transition so that certmonger can create /run/ipa/renewal.lock with label ipa_var_run_t.
0d7034
- Revert "Revert default_range change in targeted policy"
0d7034
- Allow dhcpc_t domain transition to chronyd_t
0d7034
96de56
* Mon Aug 24 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-144
96de56
- Allow pmlogger to create pmlogger.primary.socket link file. BZ(1254080)
96de56
- Allow NetworkManager send sigkill to dnssec-trigger. BZ(1251764)
96de56
- Add interface dnssec_trigger_sigkill
96de56
- Allow smsd use usb ttys. BZ(#1250536)
96de56
- Fix postfix_spool_maildrop_t,postfix_spool_flush_t contexts in postfix.fc file.
96de56
- Revert default_range change in targeted policy
96de56
- Allow systemd-sysctl cap. sys_ptrace  BZ(1253926)
96de56
f5f681
* Fri Aug 21 2015 Miroslav Grepl <mgrepl@redhat.com> 3.13.1-143
f5f681
- Add ipmievd policy created by vmojzis@redhat.com
f5f681
- Call kernel_load_module(vmware_host_t) to satisfy neverallow assertion for sys_module in MLS where unconfined is disabled.
f5f681
- Allow NetworkManager to write audit log messages
f5f681
- Add new policy for ipmievd (ipmitool).
f5f681
- mirrormanager needs to be application domain and cron_system_entry needs to be called in optional block.
f5f681
- Allow sandbox domain to be also /dev/mem writer
f5f681
- Fix neverallow assertion for sys_module capability for openvswitch.
f5f681
- kernel_load_module() needs to be called out of boolean for svirt_lxc_net_t.
f5f681
- Fix neverallow assertion for sys_module capability.
f5f681
- Add more attributes for sandbox domains to avoid neverallow assertion issues.  
f5f681
- Add neverallow assertion fixes related to storage.
f5f681
- Allow exec pidof under hypervkvp domain. Allow hypervkvp daemon create connection to the system DBUS
f5f681
- Allow openhpid_t to read system state.
f5f681
- Add temporary fixes for sandbox related to #1103622. It allows to run everything under one sandbox type.
f5f681
- Added labels for files provided by rh-nginx18 collection
f5f681
- Dontaudit block_suspend capability for ipa_helper_t, this is kernel bug. Allow ipa_helper_t capability net_admin. Allow ipa_helper_t to list /tmp. Allow ipa_helper_t to read rpm db.
f5f681
- Allow rhsmcertd to exec rhsmcertd_var_run_t files and rhsmcertd_tmp_t files. These rules are in hide_broken_symptoms until we find a better solution.
f5f681
- Update files_manage_all_files to contain auth_reader_shadow and auth_writer_shadow to satisfy neverallow assertions.
f5f681
- Update files_relabel_all_files() interface to contain auth_relabelto_shadow() interface to satisfy neverallow assertion.
f5f681
- seunshare domains needs to have set_curr_context attribute to resolve neverallow assertion issues.
f5f681
- Add dev_raw_memory_writer() interface
f5f681
- Add auth_reader_shadow() and auth_writer_shadow() interfaces
f5f681
- Add dev_raw_memory_reader() interface.
f5f681
- Add storage_rw_inherited_scsi_generic() interface.
f5f681
- Update files_relabel_non_auth_files() to contain seutil_relabelto_bin_policy() to make neverallow assertion working.
f5f681
- Update kernel_read_all_proc() interface to contain can_dump_kernel and can_receive_kernel_messages attributes  to fix neverallow violated issue for proc_kcore_t and proc_kmsg_t.
f5f681
- Update storage_rw_inherited_fixed_disk_dev() interface to use proper attributes to fix neverallow violated issues caused by neverallow check during build process.
f5f681
1ba0a9
* Tue Aug 18 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-142
1ba0a9
- Allow samba_net_t to manage samba_var_t sock files.
1ba0a9
- Allow httpd daemon to manage httpd_var_lib_t lnk_files.
1ba0a9
- Allow collectd stream connect to pdns.(BZ #1191044)
1ba0a9
- Add interface pdns_stream_connect()
1ba0a9
- Merge branch 'rawhide-contrib' of github.com:fedora-selinux/selinux-policy into rawhide-contrib
1ba0a9
- Allow chronyd exec systemctl
1ba0a9
- Merge pull request #30 from vmojzis/rawhide-contrib
1ba0a9
- Hsqldb policy upgrade -Allow sock_file management
1ba0a9
- Add interface chronyd_signal. Allow timemaster_t to send generic signals to chronyd_t.
1ba0a9
- Hsqldb policy upgrade.  -Disallow hsqldb_tmp_t link_file management
1ba0a9
- Hsqldb policy upgrade:  -Remove tmp link_file transition  -Add policy summary  -Remove redundant parameter for "hsqldb_admin" interface
1ba0a9
- Label /var/run/chrony-helper dir as chronyd_var_run_t.
1ba0a9
- Allow lldpad_t to getattr tmpfs_t. Label /dev/shm/lldpad.* as lldpad_tmpfs_t
1ba0a9
- Fix label on /var/tmp/kiprop_0
1ba0a9
- Add mountpoint dontaudit access check in rhsmcertd policy.
1ba0a9
- Allow pcp_domain to manage pcp_var_lib_t lnk_files.
1ba0a9
- Allow chronyd to execute mkdir command.
1ba0a9
- Allow chronyd_t to read dhcpc state.
1ba0a9
- Label /usr/libexec/chrony-helper as chronyd_exec_t
1ba0a9
- Allow openhpid liboa_soap plugin to read resolv.conf file.
1ba0a9
- Allow openhpid liboa_soap plugin to read generic certs.
1ba0a9
- Allow openhpid use libwatchdog plugin. (Allow openhpid_t rw watchdog device)
1ba0a9
- Allow logrotate to reload services.
1ba0a9
- Allow apcupsd_t to read /sys/devices
1ba0a9
- Allow kpropd to connect to the kprop TCP port.
1ba0a9
- Allow systemd_networkd to send logs to syslog.
1ba0a9
- Added interface fs_dontaudit_write_configfs_dirs
1ba0a9
- Allow audisp client to read system state.
1ba0a9
- Label /var/run/xtables.lock as iptables_var_run_t.
1ba0a9
- Add labels for /dev/memory_bandwidth and /dev/vhci. Thanks ssekidde.
1ba0a9
- Add interface to read/write watchdog device.
1ba0a9
- Add transition rule for iptables_var_lib_t
1ba0a9
28b73b
* Mon Aug 10 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-141
28b73b
- Allow chronyd to execute mkdir command.
28b73b
- Allow chronyd_t to read dhcpc state.
28b73b
- Label /usr/libexec/chrony-helper as chronyd_exec_t
28b73b
- Allow openhpid liboa_soap plugin to read resolv.conf file.
28b73b
- Allow openhpid liboa_soap plugin to read generic certs.
28b73b
- Allow openhpid use libwatchdog plugin. (Allow openhpid_t rw watchdog device)
28b73b
- Allow logrotate to reload services.
28b73b
- Allow apcupsd_t to read /sys/devices
28b73b
- Allow kpropd to connect to the kprop TCP port.
28b73b
- Allow lsmd the setuid capability as well. Some commands need to be executed with root privileges; other commands are executed as an unprivileged user.
28b73b
- Allow snapperd to pass data (one way only) via pipe negotiated over dbus.
28b73b
- Add snapper_read_inherited_pipe() interface.
28b73b
- Add missing ";" in kerberos.te
28b73b
- Add support for /var/lib/kdcproxy and label it as krb5kdc_var_lib_t. It needs to be accessible by useradd_t.
28b73b
- Add support for /etc/sanlock which is writable by sanlock daemon.
28b73b
- Allow mdadm to access /dev/random and add support to create own files/dirs as mdadm_tmpfs_t.
28b73b
- Add labels for /dev/memory_bandwidth and /dev/vhci. Thanks ssekidde.
28b73b
- Add interface to read/write watchdog device.
28b73b
- Add transition rule for iptables_var_lib_t
28b73b
- Allow useradd to add a home directory located in /var/lib/kdcproxy in the ipa-server RPM scriptlet.
28b73b
- Revert "Allow grubby to manage and create /run/blkid with correct labeling"
28b73b
- Allow grubby to manage and create /run/blkid with correct labeling
28b73b
- Add fstools_filetrans_named_content_fsadm() and call it for named_filetrans_domain domains. We need to be sure that /run/blkid is created with correct labeling.
28b73b
- arping running as netutils_t needs to access /etc/ld.so.cache in MLS.
28b73b
- Allow sysadm to execute systemd-sysctl in the sysadm_t domain. It is needed for ifup command in MLS mode.
28b73b
- Add systemd_exec_sysctl() and systemd_domtrans_sysctl() interfaces.
28b73b
- Allow udev, lvm and fsadm to access systemd-cat in /var/tmp/dracut if 'dracut -fv' is executed in MLS.
28b73b
- Allow admin SELinux users to communicate with kernel_t. It is needed to access /run/systemd/journal/stdout if 'dracut -vf' is executed. This is already allowed for other SELinux users.
28b73b
- depmod runs as insmod_t and needs to manage user tmp files, which was previously allowed only for depmod_t. It is needed by the dracut command under the restrictive SELinux policies (confined users, MLS).
28b73b
d8af5a
* Wed Aug 05 2015 Miroslav Grepl <mgrepl@redhat.com> 3.13.1-140
d8af5a
- firewalld needs to relabel own config files. BZ(#1250537)
d8af5a
- Allow rhsmcertd to send signull to unconfined_service
d8af5a
- Allow lsm_plugin_t to rw raw_fixed_disk.
d8af5a
- Allow lsm_plugin_t to read sysfs, read hwdata, rw to scsi_generic_device
d8af5a
- Allow openhpid to use libsnmp_bc plugin (allow read snmp lib files).
d8af5a
d8af5a
f35d90
* Tue Aug 04 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-139
f35d90
- Add header for sslh.if file
f35d90
- Fix sslh_admin() interface
f35d90
- Clean up sslh.if
f35d90
- Fix typo in pdns.if
f35d90
- Allow qpid to create lnk_files in qpid_var_lib_t.
f35d90
- Allow httpd_suexec_t to read and write Apache stream sockets
f35d90
- Merge pull request #21 from hogarthj/rawhide-contrib
f35d90
- Allow virt_qemu_ga_t domtrans to passwd_t.
f35d90
- use read and manage files_patterns and the description for the admin interface
f35d90
- Merge pull request #17 from rubenk/pdns-policy
f35d90
- Allow redis to read kernel parameters.
f35d90
- Label /etc/rt dir as httpd_sys_rw_content_t BZ(#1185500)
f35d90
- Allow hostapd to manage sock files in /var/run/hostapd. Add fsetid capability for hostapd. Add net_raw capability for hostapd. BZ(#1237343)
f35d90
- Allow bumblebee to send the kill signal to xserver.
f35d90
- glusterd call pcs utility which calls find for cib.* files and runs pstree under glusterd. Dontaudit access to security files and update gluster boolean to reflect these changes.
f35d90
- Allow drbd to get attributes from filesystems.
f35d90
- Allow drbd to read configuration options used when loading modules.
f35d90
- fix the description for the write config files, add systemd administration support and fix a missing gen_require in the admin interface
f35d90
- Added Booleans: pcp_read_generic_logs.
f35d90
- Allow pcp_pmcd daemon to read postfix config files. Allow pcp_pmcd daemon to search postfix spool dirs.
f35d90
- Allow glusterd to communicate with cluster domains over stream socket.
f35d90
- fix copy paste error with writing the admin interface
f35d90
- fix up the regex in sslh.fc, add sslh_admin() interface
f35d90
- adding selinux policy files for sslh
f35d90
- Remove duplicate sftpd_write_ssh_home boolean rule.
f35d90
- Revert "Allow smbd_t and nmbd_t to manage winbind_var_run_t files/socktes/dirs."
f35d90
- gnome_dontaudit_search_config() needs to be part of an optional_policy block in pegasus.te.
f35d90
- Allow glusterd to manage nfsd and rpcd services.
f35d90
- Add kdbus.pp policy to allow access to /sys/fs/kdbus. It ships as its own module because this is a temporary workaround for systems running SELinux in enforcing mode.
f35d90
- kdbusfs should not be accessible by default in the shipped policies for now. Access should be moved to kdbus.pp.
f35d90
- kdbusfs should not be accessible for now.
f35d90
- Add support for /sys/fs/kdbus and allow login_pgm domain to access it.
f35d90
- Allow sysadm to administrate ldap environment and allow to bind ldap port to allow to setup an LDAP server (389ds).
f35d90
- Label /usr/sbin/chpasswd as passwd_exec_t.
f35d90
- Allow audisp_remote_t to read/write user domain pty.
f35d90
- Allow audisp_remote_t to start power unit files domain to allow halt system.
f35d90
e5e6b1
* Mon Jul 20 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-138
e5e6b1
- Add fixes for selinux-policy packages to reflect the latest changes related to policy module store migration.
e5e6b1
- Prepare selinux-policy package for SELinux store migration
e5e6b1
- gnome_dontaudit_search_config() needs to be part of an optional_policy block in pegasus.te.
e5e6b1
- Allow glusterd to manage nfsd and rpcd services.
e5e6b1
- Allow smbd_t and nmbd_t to manage winbind_var_run_t files/sockets/dirs.
e5e6b1
- Add samba_manage_winbind_pid() interface
e5e6b1
- Allow NetworkManager to communicate via dbus with systemd_hostnamed.
e5e6b1
- Allow stream connect logrotate to prosody.
e5e6b1
- Add prosody_stream_connect() interface.
e5e6b1
- httpd should be able to send signal/signull to httpd_suexec_t, instead of httpd_suexec_exec_t.
e5e6b1
- Allow prosody to create own tmp files/dirs.
e5e6b1
- Allow keepalived request kernel load module
e5e6b1
- kadmind should not read generic files in /usr
e5e6b1
- Allow kadmind_t access to /etc/krb5.keytab
e5e6b1
- Add more fixes to kerberos.te
e5e6b1
- Add labeling for /var/tmp/kadmin_0 and /var/tmp/kiprop_0
e5e6b1
- Add lsmd_t to nsswitch_domain.
e5e6b1
- Allow pegasus_openlmi_storage_t create mdadm.conf.anacbak file in /etc.
e5e6b1
- Add fixes to pegasus_openlmi_domain
e5e6b1
- Allow Glance Scrubber to connect to commplex_main port
e5e6b1
- Allow RabbitMQ to connect to amqp port
e5e6b1
- Allow isnsd read access on the file /proc/net/unix
e5e6b1
- Allow qpidd access to /proc/<pid>/net/psched
e5e6b1
- Allow openshift_initrc_t to communicate with firewalld over dbus.
e5e6b1
- Allow ctdbd_t send signull to samba_unconfined_net_t.
e5e6b1
- Add samba_signull_unconfined_net()
e5e6b1
- Add samba_signull_winbind()
e5e6b1
- Revert "Add interfaces winbind_signull(), samba_unconfined_net_signull()."
e5e6b1
- Fix ctdb policy
e5e6b1
- Label /var/db/ as system_db_t.
e5e6b1
04f749
* Wed Jul 15 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-137
04f749
- inn daemon should create innd_log_t objects in var_log_t instead of innd_var_run_t
04f749
- Fix rule definitions for httpd_can_sendmail boolean. We need to distinguish between base and contrib.
04f749
ee724a
* Tue Jul 14 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-136
ee724a
- Add samba_unconfined_script_exec_t to samba_admin header.
ee724a
- Add jabberd_lock_t label to jabberd_admin header.
ee724a
- Add rpm_var_run_t label to rpm_admin header.
ee724a
- Make all interfaces related to openshift_cache_t as deprecated.
ee724a
- Remove non-existent nfsd_ro_t label.
ee724a
- Label /usr/afs/ as afs_files_t. Allow afs_bosserver_t to create afs_config_t and afs_dbdir_t dirs under afs_files_t. Allow afs_bosserver_t to read the kerberos config.
ee724a
- Fix *_admin interfaces where the body is not consistent with the header.
ee724a
- Allow networkmanager read rfcomm port.
ee724a
- Fix nova_domain_template interface, Fix typo bugs in nova policy
ee724a
- Create nova sublabels.
ee724a
- Merge all nova_* labels under one nova_t.
ee724a
- Add cobbler_var_lib_t to "/var/lib/tftpboot/boot(/.*)?"
ee724a
- Allow dnssec_trigger_t relabelfrom dnssec_trigger_var_run_t files.
ee724a
- Fix label openstack-nova-metadata-api binary file
ee724a
- Allow nova_t to bind on geneve tcp port, and all udp ports
ee724a
- Label swift-container-reconciler binary as swift_t.
ee724a
- Allow glusterd to execute showmount in the showmount domain.
ee724a
- Allow NetworkManager_t send signull to dnssec_trigger_t.
ee724a
- Add support for openstack-nova-* packages.
ee724a
- Allow audisp-remote searching devpts.
ee724a
- Label 6080 tcp port as geneve
ee724a
f53ebe
* Thu Jul 09 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-135
f53ebe
- Update mta_filetrans_named_content() interface to cover more db files.
f53ebe
- Revert "Remove ftpd_use_passive_mode boolean. It does not make sense due to ephemeral port handling."
f53ebe
- Allow pcp domains to connect to own process using unix_stream_socket.
f53ebe
- Typo in abrt.te
f53ebe
- Allow the abrt-upload-watch service to dbus chat with the ABRT daemon, and grant it the fsetid capability so reporter-upload runs correctly.
f53ebe
- Add nagios_domtrans_unconfined_plugins() interface.
f53ebe
- Add nagios_domtrans_unconfined_plugins() interface.
f53ebe
- Add new boolean - httpd_run_ipa to allow httpd process to run IPA helper and dbus chat with oddjob.
f53ebe
- Add support for oddjob based helper in FreeIPA. BZ(1238165)
f53ebe
- Allow dnssec_trigger_t create dnssec_trigger_tmp_t files in /var/tmp/ BZ(1240840)
f53ebe
- Allow ctdb_t sending signull to smbd_t, for checking if smbd process exists. BZ(1224879)
f53ebe
- Fix cron_system_cronjob_use_shares boolean to call fs interfaces which contain only entrypoint permission.
f53ebe
- Add cron_system_cronjob_use_shares boolean to allow system cronjobs to be executed from shares (NFS, CIFS, FUSE). It requires the "entrypoint" permission on the nfs_t, cifs_t and fusefs_t SELinux types.
f53ebe
- nrpe needs the kill capability to make gluster monitored nodes work.
f53ebe
- Revert "Dontaudit ctbd_t sending signull to smbd_t."
f53ebe
- Fix interface corenet_tcp_connect_postgresql_port_port(prosody_t)
f53ebe
- Allow prosody connect to postgresql port.
f53ebe
- Fix logging_syslogd_run_nagios_plugins calling in logging.te
f53ebe
- Add logging_syslogd_run_nagios_plugins boolean for rsyslog to allow transition to nagios unconfined plugins.
f53ebe
- Add support for oddjob based helper in FreeIPA. BZ(1238165)
f53ebe
- Add new interfaces
f53ebe
- Add fs_fusefs_entry_type() interface.
f53ebe
d04212
* Thu Jul 02 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-134
d04212
- Allow ctdb_t sending signull to smbd_t, for checking if smbd process exists. BZ(1224879)
d04212
- Fix cron_system_cronjob_use_shares boolean to call fs interfaces which contain only entrypoint permission.
d04212
- Add cron_system_cronjob_use_shares boolean to allow system cronjobs to be executed from shares (NFS, CIFS, FUSE). It requires the "entrypoint" permission on the nfs_t, cifs_t and fusefs_t SELinux types.
d04212
- Merge remote-tracking branch 'refs/remotes/origin/rawhide-contrib' into rawhide-contrib
d04212
- nrpe needs the kill capability to make gluster monitored nodes work.
d04212
- Fix interface corenet_tcp_connect_postgresql_port_port(prosody_t)
d04212
- Allow prosody connect to postgresql port.
d04212
- Add new interfaces
d04212
- Add fs_fusefs_entry_type() interface.
d04212
1428c0
* Tue Jun 30 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-133
1428c0
- Cleanup permissive domains.
1428c0
20e7f0
* Mon Jun 29 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-132
20e7f0
- Rename xodbc-connect port to xodbc_connect
20e7f0
- Dontaudit apache to manage snmpd_var_lib_t files/dirs. BZ(1189214)
20e7f0
- Add interface snmp_dontaudit_manage_snmp_var_lib_files().
20e7f0
- Allow ovsdb-server to connect on xodbc-connect and ovsdb tcp ports. BZ(1179809)
20e7f0
- Dontaudit mozilla_plugin_t cap. sys_ptrace. BZ(1202043)
20e7f0
- Allow iscsid write to fifo file kdumpctl_tmp_t. Appears when kdump generates the initramfs during the kernel boot. BZ(1181476)
20e7f0
- Dontaudit chrome to read passwd file. BZ(1204307)
20e7f0
- Allow firewalld exec ldconfig. BZ(1232748)
20e7f0
- Allow dnssec_trigger_t read networkmanager conf files. BZ(1231798)
20e7f0
- Allow in networkmanager_read_conf() also read NetworkManager_etc_rw_t files. BZ(1231798)
20e7f0
- Allow NetworkManager write to sysfs. BZ(1234086)
20e7f0
- Fix bogus line in logrotate.fc.
20e7f0
- Add dontaudit interface for kdumpctl_tmp_t
20e7f0
- Rename xodbc-connect port to xodbc_connect
20e7f0
- Label tcp port 6632 as xodbc-connect port. BZ (1179809)
20e7f0
- Label tcp port 6640 as ovsdb port. BZ (1179809)
20e7f0
7100c5
* Tue Jun 23 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-131
7100c5
- Allow NetworkManager write to sysfs. BZ(1234086)
7100c5
- Fix bogus line in logrotate.fc.
7100c5
- Add dontaudit interface for kdumpctl_tmp_t
7100c5
- Use userdom_rw_user_tmp_files() instead of userdom_rw_user_tmpfs_files() in gluster.te
7100c5
- Add postgresql support for systemd unit files.
7100c5
- Fix missing bracket
7100c5
- Pull request by ssekidde. https://github.com/fedora-selinux/selinux-policy/pull/18
7100c5
- Fixed obsoleted userdom_delete_user_tmpfs_files() interface.
7100c5
66628c
* Thu Jun 18 2015 Miroslav Grepl <mgrepl@redhat.com> 3.13.1-130
66628c
- Allow glusterd to interact with gluster tools running in a user domain
66628c
- rpm_transition_script() is called from rpm_run. Update cloud-init rules.
66628c
- Call rpm_transition_script() from rpm_run() interface.
66628c
- radvd has setuid and requires dac_override; allow it. BZ(1224403)
66628c
- Add glusterd_manage_lib_files() interface.
66628c
- Allow samba_t net_admin capability to make CIFS mount working.
66628c
- The S30samba-start gluster hook wants to search audit logs. Dontaudit it.
66628c
- Reflect logrotate change which moves /var/lib/logrotate.status to /var/lib/logrotate/logrotate.status. BZ(1228531)
66628c
- ntop reads /var/lib/ntop/macPrefix.db and it needs dac_override. It has setuid/setgid. BZ(1058822)
66628c
- Allow cloud-init to run rpm scriptlets to install packages. BZ(1227484)
66628c
- Allow nagios to generate charts.
66628c
- Allow glusterd to send generic signals to systemd_passwd_agent processes.
66628c
- Allow glusterd to run init scripts.
66628c
- Allow glusterd to execute /usr/sbin/xfs_db in the glusterd_t domain.
66628c
- Calling cron_system_entry() in pcp_domain_template needs to be a part of optional_policy block.
66628c
- Allow samba-net to access /var/lib/ctdbd dirs/files.
66628c
- Allow glusterd to send a signal to smbd.
66628c
- Make ctdbd a home manager so it can also access FUSE.
66628c
- Allow glusterd to use geo-replication gluster tool.
66628c
- Allow glusterd to execute ssh-keygen.
66628c
- Allow glusterd to interact with cluster services.
66628c
- Add rhcs_dbus_chat_cluster()
66628c
- systemd-logind accesses /dev/shm. BZ(1230443)
66628c
- Label gluster python hooks also as bin_t.
66628c
- Allow sshd to execute gnome-keyring if there is configured pam_gnome_keyring.so.
66628c
- Allow gnome-keyring executed by passwd to access /run/user/UID/keyring to change a password.
66628c
8f4622
* Tue Jun 09 2015 Miroslav Grepl <mgrepl@redhat.com> 3.13.1-129
8f4622
- We need to restore contexts on /etc/passwd*,/etc/group*,/etc/*shadow* during install phase to get proper labeling for these files until selinux-policy pkgs are installed. BZ(1228489)
8f4622
5bcffd
* Tue Jun 09 2015 Miroslav Grepl <mgrepl@redhat.com> 3.13.1-128
5bcffd
- Add ipsec_rw_inherited_pipes() interface.
5bcffd
- Allow ibus-x11 running as xdm_t to connect to user session buses. We already allow it to connect to user domains over unix_stream_socket.
5bcffd
- Label /usr/libexec/Xorg.wrap as xserver_exec_t.
5bcffd
- Allow systemd-networkd to bind dhcpc ports if DHCP=yes in *.network conf file.
5bcffd
- Add fixes for selinux userspace moving the policy store to /var/lib/selinux.
5bcffd
- Remove optional else block for dhcp ping (needed by CIL)
5bcffd
- Label all gluster hooks in /var/lib/gluster as bin_t. They are not created on the fly.
5bcffd
- Access required to run with unconfine.pp disabled
5bcffd
- Fix selinux_search_fs() interface.
5bcffd
- Update the selinux_search_fs(domain) rule to be able to search /etc/selinux/ to check whether /etc/selinux/config exists.
5bcffd
- Add seutil_search_config() interface.
5bcffd
- Make ssh-keygen an nsswitch domain so it can access SSSD.
5bcffd
- Label ctdb events scripts as bin_t.
5bcffd
- Add support for /usr/sbin/lvmpolld.
5bcffd
- Allow gvfsd-fuse running as xdm_t to use /run/user/42/gvfs as mountpoint.
5bcffd
- Add support for ~/.local/share/networkmanagement/certificates and update filename transitions rules. 
5bcffd
- Allow login_pgm domains to access kernel keyring for nsswitch domains.
5bcffd
- Allow hypervkvp to read /dev/urandom and read  addition states/config files.
5bcffd
- Add cgdcbxd policy.
5bcffd
- Allow hypervkvp to execute arping in its own domain and make it an nsswitch domain.
5bcffd
- Add labeling for pacemaker.log.
5bcffd
- Allow ntlm_auth running in winbind_helper_t to access /dev/urandom.
5bcffd
- Allow lsmd plugin to connect to tcp/5989 by default.
5bcffd
- Allow lsmd plugin to connect to tcp/5988 by default.
5bcffd
- Allow setuid/setgid for selinux_child.
5bcffd
- Allow radiusd to connect to radsec ports.
5bcffd
- Allow bind to read/write inherited ipsec pipes.
5bcffd
- Allow fowner capability for sssd because of selinux_child handling.
5bcffd
- Allow pki-tomcat relabel pki_tomcat_etc_rw_t.
5bcffd
- Allow cluster domain to dbus chat with systemd-logind.
5bcffd
- Allow tmpreaper_t to manage ntp log content 
5bcffd
- Allow openvswitch_t to communicate with sssd.
5bcffd
- Allow isnsd_t to communicate with sssd.
5bcffd
- Allow rwho_t to communicate with sssd.
5bcffd
- Allow pkcs_slotd_t to communicate with sssd.
5bcffd
- Add httpd_var_lib_t label for roundcubemail 
5bcffd
- Allow puppetagent_t to transfer firewalld messages over dbus.
5bcffd
- Allow glusterd to have mknod capability. It creates a special file using mknod in a brick.
5bcffd
- Update rules related to glusterd_brick_t.
5bcffd
- Allow glusterd to execute lvm tools in the lvm_t target domain.
5bcffd
- Allow glusterd to execute xfs_growfs in the target domain.
5bcffd
- Allow sysctl to run in the hypervkvp_t domain.
5bcffd
- Allow smartdnotify to use user terminals. 
5bcffd
- Allow pcp domains to create root.socket in the /var/lib/pcp directory.
5bcffd
- Allow NM to execute dnssec-trigger-script in dnssec_trigger_t domain.
5bcffd
- Allow rpcbind to create rpcbind.xdr as a temporary file. 
5bcffd
- Allow dnssec-trigger connections to the system DBUS. It uses libnm-glib Python bindings. 
5bcffd
- Allow hostapd net_admin capability. hostapd needs to able to set an interface flag. 
5bcffd
- rsync server can be setup to send mail
5bcffd
- Make the "ostree admin upgrade -r" command, which is supposed to upgrade the system and reboot, work again.
5bcffd
- Remove ctdbd_manage_var_files() interface which is not used and is declared for the wrong type.
5bcffd
- Fix samba_load_libgfapi decl in samba.te.
5bcffd
- Fix typo in nagios_run_sudo() boolean.
5bcffd
- remove duplicate declaration from hypervkvp.te.
5bcffd
- Move ctdd_domtrans() from ctdbd to gluster.
5bcffd
- Allow smbd to access /var/lib/ctdb/persistent/secrets.tdb.0.
5bcffd
- Glusterd wants to manage samba config files if they are setup together.
5bcffd
- Allow NM to do an access check on /sys.
5bcffd
- Allow NetworkManager to keep RFCOMM connection for Bluetooth DUN open . Based on fixes from Lubomir Rintel.
5bcffd
- Allow NetworkManager nm-dispatcher to read links.
5bcffd
- Allow gluster hooks scripts to transition to ctdbd_t.
5bcffd
- Allow glusterd to read/write samba config files.
5bcffd
- Update mysqld rules related to mysqld log files.
5bcffd
- Add fixes for hypervkvp related to ifdown/ifup scripts.
5bcffd
- Update netlink_route_socket for ptp4l.
5bcffd
- Allow glusterd to connect to /var/run/dbus/system_bus_socket.
5bcffd
- Allow glusterd to have the sys_ptrace capability. Needed by the gluster+samba configuration.
5bcffd
- Add new boolean samba_load_libgfapi to allow smbd load libgfapi from gluster. Allow smbd to read gluster config files by default.
5bcffd
- Allow gluster to transition to smbd. It is needed for smbd+gluster configuration.
5bcffd
- Allow glusterd to read /dev/random.
5bcffd
- Update nagios_run_sudo boolean to allow run chkpwd.
5bcffd
- Allow docker and container tools to control capabilities; do not rely on SELinux for capability restriction for now, since there is no easy way to modify SELinux policy per container as far as capabilities are concerned. `docker run --cap-add` will work now. Note that capability limits for containers are therefore enforced by the container runtime's bounding set, not by this policy.
5bcffd
- Allow sosreport to dbus chat with NM.
5bcffd
- Allow anaconda to run iscsid in own domain. BZ(1220948).
5bcffd
- Allow rhsmcertd to use the ypbind service to access NIS services.
5bcffd
- Add nagios_run_pnp4nagios and nagios_run_sudo booleans to allow run sudo from NRPE utils scripts and allow run nagios in conjunction with PNP4Nagios.
5bcffd
- Allow ctdb to create rawip socket.
5bcffd
- Allow ctdbd to bind  smbd port.
5bcffd
- Make ctdbd a userdom_home_reader.
5bcffd
- Dontaudit chrome-sandbox write access its parent process information. BZ(1220958)
5bcffd
- Allow net_admin cap for dnssec-trigger to make wifi reconnect working.
5bcffd
- Add support for /var/lib/ipsilon dir and label it as httpd_var_lib_t. BZ(1186046)
5bcffd
- Allow the gluster rpm scriptlet to create the glusterd socket with correct labeling. This is a workaround until we get a fix in glusterd.
5bcffd
- Add glusterd_filetrans_named_pid() interface.
5bcffd
- Allow antivirus_t to read system state info.
5bcffd
- Dontaudit use console for chrome-sandbox. 
5bcffd
- Add support for ~/.local/share/libvirt/images and for ~/.local/share/libvirt/boot. 
5bcffd
- Clamd needs to have fsetid capability. 
5bcffd
- Allow cinder-backup to dbus chat with systemd-logind. 
5bcffd
- Update httpd_use_openstack boolean to allow httpd to bind commplex_main_port and read keystone log files.
5bcffd
- Allow gssd to access kernel keyring for login_pgm domains.
5bcffd
- Add more fixes related to timemaster+ntp+ptp4l.
5bcffd
- Allow docker sandbox domains to search all mountpoints.
5bcffd
- update winbind_t rules to allow IPC for winbind.
5bcffd
- Add rpm_exec_t labeling for /usr/bin/dnf-automatic,/usr/bin/dnf-2 and /usr/bin/dnf-3.
5bcffd
- Allow inet_gethost called by couchdb to access /proc/net/unix. 
5bcffd
- Allow eu-unstrip running under abrt_t to access /var/lib/pcp/pmdas/linux/pmda_linux.so 
5bcffd
- Label /usr/bin/yum-deprecated as rpm_exec_t. 
5bcffd
6a726d
* Tue May 05 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-127
6a726d
- Add missing typealiases in apache_content_template() for script domain/executable.
6a726d
- Don't call the deprecated userdom_manage_tmpfs_role() interface; use userdom_manage_tmp_role() instead.
6a726d
- Add support for new cobbler dir locations.
6a726d
- Add support for iprdbg logging files in /var/log.
6a726d
- Add relabel_user_home_dirs for use by docker_t
6a726d
9cef10
* Thu Apr 30 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-126
229bf3
- Allow httpd_t to read nagios var_lib files so that rrdtool can generate graphs which are then served by httpd.
229bf3
- Add nagios_read_lib() interface.
229bf3
- Additional fix for mongod_unit_file_t in mongodb.te.
229bf3
- Fix decl of mongod_unit_file to mongod_unit_file_t.
229bf3
- Fix mongodb unit file declaration.
229bf3
- Update virt_read_pid_files() interface to allow read also symlinks with virt_var_run_t type.
229bf3
- Fix labeling for /usr/libexec/mysqld_safe-scl-helper.
229bf3
- Add support for mysqld_safe-scl-helper which is needed for RHSCL daemons.
229bf3
- Allow the sys_ptrace capability for sblim-gatherd; the denial is triggered by its use of ps.
229bf3
- Add support for /usr/libexec/mongodb-scl-helper RHSCL helper script.
229bf3
- Add support for mongod/mongos systemd unit files.
229bf3
- Allow dnssec-trigger to send sigchld to networkmanager
229bf3
- add interface networkmanager_sigchld
229bf3
- Add dnssec-trigger unit file. Label the dnssec-trigger script in libexec.
229bf3
- Remove duplicate  specification for /etc/localtime.
229bf3
- Add default labeling for /etc/localtime symlink.
229bf3
0bfe8f
* Mon Apr 20 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-125
0bfe8f
- Define ipa_var_run_t type
0bfe8f
- Allow certmonger to manage renewal.lock. BZ(1213256)
0bfe8f
- Add ipa_manage_pid_files interface.
0bfe8f
- Add rules for netlink_socket in iotop.
0bfe8f
- Allow iotop netlink socket.
0bfe8f
- cloudinit and rhsmcertd need to communicate with dbus
0bfe8f
- Allow apcupsd to use USBttys. BZ(1210960)
0bfe8f
- Allow sge_execd_t to manage tmp sge lnk files. BZ(1211574)
0bfe8f
- Remove dac_override capability for setroubleshoot. We now have it running as setroubleshoot user.
0bfe8f
- Allow syslogd_t to manage devlog_t lnk files. BZ(1210968)
0bfe8f
28cc16
* Wed Apr 15 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-124
28cc16
- Add more restrictions on the entrypoint permission for unconfined domains.
28cc16
28cc16
* Tue Apr 14 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-123
578b67
- Allow abrtd to list home config. BZ(1199658)
578b67
- Dontaudit dnssec_trigger_t to read /tmp. BZ(1210250)
578b67
- Allow abrt_dump_oops_t to IPC_LOCK. BZ(1205481)
578b67
- Allow mock_t to use ptmx. BZ(1181333)
578b67
- Allow dnssec_trigger_t to stream connect to networkmanager.
578b67
- Allow dnssec_trigger_t to create resolv files labeled as net_conf_t
578b67
- Fix labeling for keystone CGI scripts.
578b67
b9a1c7
* Tue Apr 07 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-122
b9a1c7
- Label /usr/libexec/mongodb-scl-helper as mongod_initrc_exec_t. BZ(1202013)
b9a1c7
- Add mongodb port to httpd_can_network_connect_db interface. BZ(1209180)
b9a1c7
- Allow mongod to work with configured SSSD.
b9a1c7
- Add collectd net_raw capability. BZ(1194169)
b9a1c7
- Merge postfix spool types(maildrop,flush) to one postfix_spool_t
b9a1c7
- Allow dhcpd kill capability.
b9a1c7
- Make rwhod an nsswitch domain.
b9a1c7
- Add support for new fence agent fence_mpath which is executed by fence_node.
b9a1c7
- Fix cloudform policy.(m4 is case sensitive)
b9a1c7
- Allow networkmanager and cloud_init_t to dbus chat
b9a1c7
- Allow lsmd plugin to run with configured SSSD.
b9a1c7
- Allow bacula access to tape devices.