Changelog for selinux-policy-doc-3.10.0-46.fc16.noarch.rpm:
Thu Oct 20 14:00:00 2011 Miroslav Grepl 3.10.0-46 - Policy update should not modify local contexts
Thu Oct 20 14:00:00 2011 Dan Walsh 3.10.0-45.1 - Allow systemd_passwd to talk to sock_files in systemd_passwd_var_run_t directories
Thu Oct 20 14:00:00 2011 Miroslav Grepl 3.10.0-45 - Remove tzdata policy
Thu Oct 20 14:00:00 2011 Miroslav Grepl 3.10.0-44 - Add labeling for udev - Add cloudform policy - Fixes for bootloader policy
Wed Oct 19 14:00:00 2011 Miroslav Grepl 3.10.0-43 - Add policies for nova openstack
Tue Oct 18 14:00:00 2011 Miroslav Grepl 3.10.0-42 - Add fixes for nova-stack policy
Tue Oct 18 14:00:00 2011 Miroslav Grepl 3.10.0-41 - Allow svirt_lxc_domain to chr_file and blk_file devices if they are in the domain - Allow init process to setrlimit on itself - Take away transition rules for users executing ssh-keygen - Allow setroubleshoot_fixit_t to read /dev/urand - Allow sshd to relabel tunnel sockets - Allow fail2ban domtrans to shorewall in the same way as with iptables - Add support for lnk files in the /var/lib/sssd directory - Allow system mail to connect to courier-authdaemon over an unix stream socket
Fri Oct 14 14:00:00 2011 Miroslav Grepl 3.10.0-40 - Dontaudit access checks for all executables, gnome-shell is doing access(EXEC, X_OK) - Make corosync to be able to relabelto cluster lib files - Allow samba domains to search /var/run/nmbd - Allow dirsrv to use pam - Allow thumb to call getuid - chrome less likely to get mmap_zero bug so removing dontaudit - gimp help-browser has built in javascript - Best guess is that devices named /dev/bsr4096 should be labeled as cpu_device_t - Re-write glance policy
Mon Oct 10 14:00:00 2011 Miroslav Grepl 3.10.0-39 - Fixes for bootloader policy - $1_gkeyringd_t needs to read $HOME/%USER/.local/share/keystore - Allow nsplugin to read /usr/share/config - Allow sa-update to update rules - Add use_fusefs_home_dirs for chroot ssh option - Fixes for grub2 - Update systemd_exec_systemctl() interface - Allow gpg to read the mail spool - More fixes for sa-update running out of cron job - Allow ipsec_mgmt_t to read hardware state information - Allow pptp_t to connect to unreserved_port_t - Dontaudit getattr on initctl in /dev from chfn - Dontaudit getattr on kernel_core from chfn - Add systemd_list_unit_dirs to systemd_exec_systemctl call - Fixes for collectd policy - Change sysadm_t to create content as user_tmp_t under /tmp
Wed Oct 5 14:00:00 2011 Miroslav Grepl 3.10.0-38 - Allow virsh to read xenstored pid file - Backport corenetwork fixes from upstream - Do not audit attempts by thumb to search config_home_t dirs (~/.config) - label ~/.cache/telepathy/logger telepathy_logger_cache_home_t - allow thumb to read generic data home files (mime.type)
Wed Oct 5 14:00:00 2011 Miroslav Grepl 3.10.0-37 - Allow nmbd to manage sock file in /var/run/nmbd - ricci_modservice send syslog msgs - Stop transitioning from unconfined_t to ldconfig_t, but make sure /etc/ld.so.cache is labeled correctly - Allow systemd_logind_t to manage /run/USER/dconf/user
Mon Oct 3 14:00:00 2011 Miroslav Grepl 3.10.0-36 - Allow logrotate setuid and setgid since logrotate is supposed to do it - Fixes for thumb policy by grift - Add new nfsd ports - Added fix to allow confined apps to execmod on chrome - Add labeling for additional vdsm directories - Allow Exim and Dovecot SASL - Add label for /var/run/nmbd - Add fixes to make virsh and xen working together - Colord executes ls - /var/spool/cron is now labeled as user_cron_spool_t
Thu Sep 29 14:00:00 2011 Miroslav Grepl 3.10.0-35 - Stop complaining about leaked file descriptors during install
Thu Sep 29 14:00:00 2011 Miroslav Grepl 3.10.0-34 - Add support for Clustered Samba commands - Allow ricci_modrpm_t to send log msgs - move permissive virt_qmf_t from virt.te to permissivedomains.te - Allow ssh_t to use kernel keyrings - Add policy for libvirt-qmf and more fixes for linux containers - Initial Polipo - Sanlock needs to run ranged in order to kill svirt processes - Allow smbcontrol to stream connect to ctdbd
Fri Sep 23 14:00:00 2011 Miroslav Grepl 3.10.0-33 - Change screen to use screen_domain attribute and allow screen_domains to read all process domain state - Add SELinux support for ssh pre-auth net process in F17 - Add logging_syslogd_can_sendmail boolean
Wed Sep 21 14:00:00 2011 Miroslav Grepl 3.10.0-32 - Allow pwupdate to send mail - Fix execmem_execmod() interface - Allow pwupdate to send mail - nfsd is binding to the nfs port 2049 - Add additional gitweb file context labeling - Allow logrotate to set its own keys
Tue Sep 20 14:00:00 2011 Miroslav Grepl 3.10.0-31 - Needs to require a new version of checkpolicy - Interface fixes
Mon Sep 19 14:00:00 2011 Miroslav Grepl 3.10.0-30 - systemd needs to read lnk files of systemd unit files - Fix userdom filetrans rule to take all params
Fri Sep 16 14:00:00 2011 Dan Walsh 3.10.0-29.1 - Make colord unconfined so we can ship RC1
Fri Sep 16 14:00:00 2011 Miroslav Grepl 3.10.0-29 - Allow sanlock to manage virt lib files - Add virt_use_sanlock boolean - ksmtuned is trying to resolve uids - Make sure .gvfs is labeled user_home_t in the users home directory - Sanlock sends kill signals and needs the kill capability - Allow mockbuild to work on nfs homedirs - Fix kerberos_manage_host_rcache() interface - Allow exim to read system state
Tue Sep 13 14:00:00 2011 Miroslav Grepl 3.10.0-28 - Allow systemd-tmpfiles to set the correct labels on /var/run, /tmp and other files - We want any file type that is created in /tmp by a process running as initrc_t to be labeled initrc_tmp_t
Tue Sep 13 14:00:00 2011 Miroslav Grepl 3.10.0-27 - Allow collectd to read hardware state information - Add loop_control_device_t - Allow mdadm to request kernel to load module - Allow domains that start other domains via systemctl to search unit dir - systemd_tmpfiles, needs to list any file systems mounted on /tmp - No one can explain why radius is listing the contents of /tmp, so we will dontaudit - If I can manage etc_runtime files, I should be able to read the links - Dontaudit hostname writing to mock library chr_files - Have gdm_t setup labeling correctly in users home dir - Label content under /var/run/user/NAME/dconf as config_home_t - Allow sa-update to execute shell - Make ssh-keygen working with fips_enabled - Make mock work for staff_t user - Tighten security on mock_t
Fri Sep 9 14:00:00 2011 Miroslav Grepl 3.10.0-26 - removing unconfined_notrans_t no longer necessary - Clean up handling of secure_mode_insmod and secure_mode_policyload - Remove unconfined_mount_t
Tue Sep 6 14:00:00 2011 Miroslav Grepl 3.10.0-25 - For some reason chfn tries to stat all devices, dontaudit this - On resume, devicekit_power is resetting X using xmodutil, so it needs to talk to the Xserver - Allow saslauthd to be able to manipulate afs kernel subsystem at login - allow xdm_t to execute content labeled xdm_tmp_t, needed for xdm to be able to run gnome-shell - /etc/passwd.adjunct and /etc/passwd.adjunct.old need to be labeled shadow_t
Tue Sep 6 14:00:00 2011 Miroslav Grepl 3.10.0-24 - Add exim_exec_t label for /usr/sbin/exim_tidydb - Call init_dontaudit_rw_stream_socket() interface in mta policy - sssd need to search /var/cache/krb5rcache directory - Allow corosync to relabel own tmp files - Allow zarafa domains to send system log messages - Allow ssh to do tunneling - Allow initrc scripts to sendto init_t unix_stream_socket - Changes to make sure dmsmasq and virt directories are labeled correctly - Changes needed to allow sysadm_t to manage systemd unit files - init is passing file descriptors to dbus and on to system daemons - Allow sulogin additional access Reported by dgrift and Jeremy Miller - Steve Grubb believes that wireshark does not need this access - Fix /var/run/initramfs to stop restorecon from looking at - pki needs another port - Add more labels for cluster scripts - Allow apps that manage cgroup_files to manage cgroup link files - Fix label on nfs-utils scripts directories - Allow gatherd to read /dev/rand and /dev/urand
Tue Aug 30 14:00:00 2011 Miroslav Grepl 3.10.0-23 - Add glance policy - Allow mdadm setsched - /var/run/initramfs should not be relabeled with a restorecon run - memcache can be setup to override sys_resource - Allow httpd_t to read tetex data - Allow systemd_tmpfiles to delete kernel modules left in /tmp directory.
Mon Aug 29 14:00:00 2011 Miroslav Grepl 3.10.0-22 - Allow Postfix to deliver to Dovecot LMTP socket - Ignore bogus sys_module for lldpad - Allow chrony and gpsd to send dgrams, gpsd needs to write to the real time clock - systemd_logind_t sets the attributes on usb devices - Allow hddtemp_t to read etc_t files - Add permissivedomains module - Move all permissive domains calls to permissivedomain.te - Allow pegasis to send kill signals to other UIDs
Wed Aug 24 14:00:00 2011 Miroslav Grepl 3.10.0-21 - Allow insmod_t to use fds leaked from devicekit - dontaudit getattr between insmod_t and init_t unix_stream_sockets - Change sysctl unit file interfaces to use systemctl - Add support for chronyd unit file - Allow mozilla_plugin to read gnome_usr_config - Add policy for new gpsd - Allow cups to create kerberos rhost cache files - Add authlogin_filetrans_named_content, to unconfined_t to make sure shadow and other log files get labeled correctly
Tue Aug 23 14:00:00 2011 Dan Walsh 3.10.0-20 - Make users_extra and seusers.final into config(noreplace) so semanage users and login does not get overwritten
Tue Aug 23 14:00:00 2011 Miroslav Grepl 3.10.0-19 - Add policy for sa-update being run out of cron jobs - Add create perms to postgresql_manage_db - ntpd using a gps has to be able to read/write generic tty_device_t - If you disable unconfined and unconfineduser, rpm needs more privs to manage /dev - fix spec file - Remove qemu_domtrans_unconfined() interface - Make passenger working together with puppet - Add init_dontaudit_rw_stream_socket interface - Fixes for wordpress
Thu Aug 11 14:00:00 2011 Miroslav Grepl 3.10.0-18 - Turn on allow_domain_fd_use boolean on F16 - Allow syslog to manage all log files - Add use_fusefs_home_dirs boolean for chrome - Make vdagent working with confined users - Add abrt_handle_event_t domain for ABRT event scripts - Labeled /usr/sbin/rhnreg_ks as rpm_exec_t and added changes related to this change - Allow httpd_git_script_t to read passwd data - Allow openvpn to set its process priority when the nice parameter is used
Wed Aug 10 14:00:00 2011 Miroslav Grepl 3.10.0-17 - livecd fixes - spec file fixes
Thu Aug 4 14:00:00 2011 Miroslav Grepl 3.10.0-16 - fetchmail can use kerberos - ksmtuned reads in shell programs - gnome_systemctl_t reads the process state of ntp - dnsmasq_t asks the kernel to load multiple kernel modules - Add rules for domains executing systemctl - Bogus text within fc file
Wed Aug 3 14:00:00 2011 Miroslav Grepl 3.10.0-14 - Add cfengine policy
Tue Aug 2 14:00:00 2011 Miroslav Grepl 3.10.0-13 - Add abrt_domain attribute - Allow corosync to manage cluster lib files - Allow corosync to connect to the system DBUS
Mon Aug 1 14:00:00 2011 Miroslav Grepl 3.10.0-12 - Add sblim, uuidd policies - Allow kernel_t dyntransition to init_t
Fri Jul 29 14:00:00 2011 Miroslav Grepl 3.10.0-11 - init_t need setexec - More fixes of rules which cause an explosion in rules by Dan Walsh
Tue Jul 26 14:00:00 2011 Miroslav Grepl 3.10.0-10 - Allow rcsmcertd to perform DNS name resolution - Add dirsrvadmin_unconfined_script_t domain type for 389-ds admin scripts - Allow tmux to run as screen - New policy for collectd - Allow gkeyring_t to interact with all user apps - Add rules to allow firstboot to run on machines with the unconfined.pp module removed
Sat Jul 23 14:00:00 2011 Miroslav Grepl 3.10.0-9 - Allow systemd_logind to send dbus messages with users - allow accountsd to read wtmp file - Allow dhcpd to get and set capabilities
Fri Jul 22 14:00:00 2011 Miroslav Grepl 3.10.0-8 - Fix oracledb_port definition - Allow mount to mounton the selinux file system - Allow users to list /var directories
Thu Jul 21 14:00:00 2011 Miroslav Grepl 3.10.0-7 - systemd fixes
Tue Jul 19 14:00:00 2011 Miroslav Grepl 3.10.0-6 - Add initial policy for abrt_dump_oops_t - xtables-multi wants to getattr of the proc fs - Smoltclient is connecting to abrt - Dontaudit leaked file descriptors to postdrop - Allow abrt_dump_oops to look at kernel sysctls - Abrt_dump_oops_t reads kernel ring buffer - Allow mysqld to request the kernel to load modules - systemd-login needs fowner - Allow postfix_cleanup_t to search maildrop
Mon Jul 18 14:00:00 2011 Miroslav Grepl 3.10.0-5 - Initial systemd_logind policy - Add policy for systemd_logger and additional privs for systemd_logind - More fixes for systemd policies
Thu Jul 14 14:00:00 2011 Miroslav Grepl 3.10.0-4 - Allow setsched for virsh - Systemd needs to impersonate cups, which means it needs to create tcp_sockets in cups_t domain, as well as manage spool directories - iptables: the various /sbin/ip6?tables.* are now symlinks for /sbin/xtables-multi
Tue Jul 12 14:00:00 2011 Miroslav Grepl 3.10.0-3 - A lot of users are running yum -y update while in /root which is causing ldconfig to list the contents, adding dontaudit - Allow colord to interact with the users through the tmpfs file system - Since we changed the label on deferred, we need to allow postfix_qmgr_t to be able to create maildrop_t files - Add label for /var/log/mcelog - Allow asterisk to read /dev/random if it uses TLS - Allow colord to read ini files which are labeled as bin_t - Allow dirsrvadmin sys_resource and setrlimit to use ulimit - Systemd needs to be able to create sock_files for every label in /var/run directory, cupsd being the first. - Also lists /var and /var/spool directories - Add openl2tpd to l2tpd policy - qpidd is reading the sysfs file
Thu Jun 30 14:00:00 2011 Miroslav Grepl 3.10.0-2 - Change usbmuxd_t to dontaudit attempts to read chr_file - Add mysld_safe_exec_t for libra domains to be able to start private mysql domains - Allow pppd to search /var/lock dir - Add rhsmcertd policy
Mon Jun 27 14:00:00 2011 Miroslav Grepl 3.10.0-1 - Update to upstream
Mon Jun 27 14:00:00 2011 Miroslav Grepl 3.9.16-30 - More fixes * http://git.fedorahosted.org/git/?p=selinux-policy.git
Thu Jun 16 14:00:00 2011 Dan Walsh 3.9.16-29.1 - Fix spec file to not report Verify errors
Thu Jun 16 14:00:00 2011 Miroslav Grepl 3.9.16-29 - Add dspam policy - Add lldpad policy - dovecot auth wants to search statfs #713555 - Allow systemd passwd apps to read init fifo_file - Allow prelink to use inherited terminals - Run cherokee in the httpd_t domain - Allow mcs constraints on node connections - Implement pyicqt policy - Fixes for zarafa policy - Allow cobblerd to send syslog messages
Wed Jun 8 14:00:00 2011 Dan Walsh 3.9.16-28.1 - Add policy.26 to the payload - Remove olpc stuff - Remove policygentool
Wed Jun 8 14:00:00 2011 Miroslav Grepl 3.9.16-27 - Fixes for zabbix - init script needs to be able to manage sanlock_var_run_... - Allow sanlock and wdmd to create /var/run directories... - mixclip.so has been compiled correctly - Fix passenger policy module name
Tue Jun 7 14:00:00 2011 Miroslav Grepl 3.9.16-26 - Add mailscanner policy from dgrift - Allow chrome to optionally be transitioned to - Zabbix needs these rules when starting the zabbix_server_mysql - Implement a type for freedesktop openicc standard (~/.local/share/icc) - Allow system_dbusd_t to read inherited icc_data_home_t files. - Allow colord_t to read icc_data_home_t content. #706975 - Label stuff under /usr/lib/debug as if it was labeled under /
Thu Jun 2 14:00:00 2011 Miroslav Grepl 3.9.16-25 - Fixes for sanlock policy - Fixes for colord policy - Other fixes * http://git.fedorahosted.org/git/?p=selinux-policy.git;a=log
Thu May 26 14:00:00 2011 Miroslav Grepl 3.9.16-24 - Add rhev policy module to modules-targeted.conf
Tue May 24 14:00:00 2011 Miroslav Grepl 3.9.16-23 - Lot of fixes * http://git.fedorahosted.org/git/?p=selinux-policy.git;a=log
Tue May 17 14:00:00 2011 Miroslav Grepl 3.9.16-22 - Allow logrotate to execute systemctl - Allow nsplugin_t to getattr on gpmctl - Fix dev_getattr_all_chr_files() interface - Allow shorewall to use inherited terms - Allow userhelper to getattr all chr_file devices - sandbox domains should be able to getattr and dontaudit search of sysctl_kernel_t - Fix labeling for ABRT Retrace Server
Mon May 9 14:00:00 2011 Miroslav Grepl 3.9.16-21 - Dontaudit sys_module for ifconfig - Make telepathy and gkeyringd daemon working with confined users - colord wants to read files in users homedir - Remote login should be creating user_tmp_t not its own tmp files
Thu May 5 14:00:00 2011 Miroslav Grepl 3.9.16-20 - Fix label for /usr/share/munin/plugins/munin_* plugins - Add support for zarafa-indexer - Fix boolean description - Allow colord to getattr on /proc/scsi/scsi - Add label for /lib/upstart/init - Colord needs to list /mnt
Tue May 3 14:00:00 2011 Miroslav Grepl 3.9.16-19 - Forward port changes from F15 for telepathy - NetworkManager should be allowed to use /dev/rfkill - Fix dontaudit messages to say Domain to not audit - Allow telepathy domains to read/write gnome_cache files - Allow telepathy domains to call getpw - Fixes for colord and vnstatd policy
Wed Apr 27 14:00:00 2011 Miroslav Grepl 3.9.16-18 - Allow init_t getcap and setcap - Allow namespace_init_t to use nsswitch - aisexec will execute corosync - colord tries to read files off noxattr file systems - Allow init_t getcap and setcap
Thu Apr 21 14:00:00 2011 Miroslav Grepl 3.9.16-17 - Add support for ABRT retrace server - Allow user_t and staff_t access to generic scsi to handle locally plugged in scanners - Allow telepath_msn_t to read /proc/PARENT/cmdline - ftpd needs kill capability - Allow telepath_msn_t to connect to sip port - keyring daemon does not work on nfs homedirs - Allow $1_sudo_t to read default SELinux context - Add label for tgtd sock file in /var/run/ - Add apache_exec_rotatelogs interface - allow all zaraha domains to signal themselves, server writes to /tmp - Allow syslog to read the process state - Add label for /usr/lib/chromium-browser/chrome - Remove the telepathy transition from unconfined_t - Dontaudit sandbox domains trying to mounton sandbox_file_t, this is caused by fuse mounts - Allow initrc_t domain to manage abrt pid files - Add support for AEOLUS project - Virt_admin should be allowed to manage images and processes - Allow plymountd to send signals to init - Change labeling of fping6
Tue Apr 19 14:00:00 2011 Dan Walsh 3.9.16-16.1 - Add filename transitions
Tue Apr 19 14:00:00 2011 Miroslav Grepl 3.9.16-16 - Fixes for zarafa policy - Add support for AEOLUS project - Change labeling of fping6 - Allow plymountd to send signals to init - Allow initrc_t domain to manage abrt pid files - Virt_admin should be allowed to manage images and processes
Fri Apr 15 14:00:00 2011 Miroslav Grepl 3.9.16-15 - xdm_t needs getsession for switch user - Every app that used to exec init is now execing systemdctl - Allow squid to manage krb5_host_rcache_t files - Allow foghorn to connect to agentx port - Fixes for colord policy
Mon Apr 11 14:00:00 2011 Miroslav Grepl 3.9.16-14 - Add Dan's patch to remove 64 bit variants - Allow colord to use unix_dgram_socket - Allow apps that search pids to read /var/run if it is a lnk_file - iscsid_t creates its own directory - Allow init to list var_lock_t dir - apm needs to verify user accounts auth_use_nsswitch - Add labeling for systemd unit files - Allow gnomeclock to enable ntpd service using systemctl - systemd_systemctl_t domain was added - Add label for matahari-broker.pid file - We want to remove untrustedmcsprocess from ability to read /proc/pid - Fixes for matahari policy - Allow system_tmpfiles_t to delete user_home_t files in the /tmp dir - Allow sshd to transition to sysadm_t if ssh_sysadm_login is turned on
Tue Apr 5 14:00:00 2011 Miroslav Grepl 3.9.16-13 - Fix typo
Mon Apr 4 14:00:00 2011 Miroslav Grepl 3.9.16-12 - Add /var/run/lock /var/lock definition to file_contexts.subs - nslcd_t is looking for kerberos cc files - SSH_USE_STRONG_RNG is 1 which requires /dev/random - Fix auth_rw_faillog definition - Allow sysadm_t to set attributes on fixed disks - allow user domains to execute lsof and look at application sockets - prelink_cron job calls telinit -u if init is rewritten - Fixes to run qemu_t from staff_t
Mon Apr 4 14:00:00 2011 Miroslav Grepl 3.9.16-11 - Fix label for /var/run/udev to udev_var_run_t - Mock needs to be able to read network state
Fri Apr 1 14:00:00 2011 Miroslav Grepl 3.9.16-10 - Add file_contexts.subs to handle /run and /run/lock - Add other fixes relating to /run changes from F15 policy
Fri Mar 25 13:00:00 2011 Miroslav Grepl 3.9.16-7 - Allow $1_sudo_t and $1_su_t open access to user terminals - Allow initrc_t to use generic terminals - Make Makefile/Rules.modular run sepolgen-ifgen during build to check if files for bugs - systemd is going to be using /run and /run/lock for early bootup files. - Fix some comments in rlogin.if - Add policy for KDE backlighthelper - sssd needs to read ~/.k5login in nfs, cifs or fusefs file systems - sssd wants to read .k5login file in users homedir - setroubleshoot reads executables to see if they have TEXTREL - Add /var/spool/audit support for new version of audit - Remove kerberos_connect_524() interface calling - Combine kerberos_master_port_t and kerberos_port_t - systemd has setup /dev/kmsg as stderr for apps it executes - Need these access so that init can impersonate sockets on unix_dgram_socket
Wed Mar 23 13:00:00 2011 Miroslav Grepl 3.9.16-6 - Remove some unconfined domains - Remove permissive domains - Add policy-term.patch from Dan
Thu Mar 17 13:00:00 2011 Miroslav Grepl 3.9.16-5 - Fix multiple specification for boot.log - devicekit leaks file descriptors to setfiles_t - Change all all_nodes to generic_node and all_if to generic_if - Should not use deprecated interface - Switch from using all_nodes to generic_node and from all_if to generic_if - Add support for xfce4-notifyd - Fix file context to show several labels as SystemHigh - seunshare needs to be able to mounton nfs/cifs/fusefs homedirs - Add etc_runtime_t label for /etc/securetty - Fixes to allow xdm_t to start gkeyringd_USERTYPE_t directly - login.krb needs to be able to write user_tmp_t - dirsrv needs to bind to port 7390 for dogtag - Fix a bug in gpg policy - gpg sends audit messages - Allow qpid to manage matahari files
Tue Mar 15 13:00:00 2011 Miroslav Grepl 3.9.16-4 - Initial policy for matahari - Add dev_read_watchdog - Allow clamd to connect clamd port - Add support for kcmdatetimehelper - Allow shutdown to setrlimit and sys_nice - Allow systemd_passwd to talk to /dev/log before udev or syslog is running - Purge chr_file and blk files on /tmp - Fixes for pads - Fixes for piranha-pulse - gpg_t needs to be able to encrypt anything owned by the user
Thu Mar 10 13:00:00 2011 Miroslav Grepl 3.9.16-3 - mozilla_plugin_tmp_t needs to be treated as user tmp files - More dontaudits of writes from readahead - Dontaudit readahead_t file_type:dir write, to cover up kernel bug - systemd_tmpfiles needs to relabel faillog directory as well as the file - Allow hostname and consoletype to r/w inherited initrc_tmp_t files handling hostname >> /tmp/myhost
Thu Mar 10 13:00:00 2011 Miroslav Grepl 3.9.16-2 - Add policykit fixes from Tim Waugh - dontaudit sandbox domains sandbox_file_t:dir mounton - Add new dontaudit rules for sysadm_dbusd_t - Change label for /var/run/faillock * other fixes which relate with this change
Tue Mar 8 13:00:00 2011 Miroslav Grepl 3.9.16-1 - Update to upstream - Fixes for telepathy - Add port definition for ssdp port - add policy for /bin/systemd-notify from Dan - Mount command requires users read mount_var_run_t - colord needs to read konject_uevent_socket - User domains connect to the gkeyring socket - Add colord policy and allow user_t and staff_t to dbus chat with it - Add lvm_exec_t label for kpartx - Dontaudit reading the mail_spool_t link from sandbox -X - systemd is creating sockets in avahi_var_run and system_dbusd_var_run
Tue Mar 1 13:00:00 2011 Miroslav Grepl 3.9.15-5 - gpg_t needs to talk to gnome-keyring - nscd wants to read /usr/tmp->/var/tmp to generate randomization in unixchkpwd - enforce MCS labeling on nodes - Allow arpwatch to read meminfo - Allow gnomeclock to send itself signals - init relabels /dev/.udev files on boot - gkeyringd has to transition back to staff_t when it runs commands in bin_t or shell_exec_t - nautilus checks access on /media directory before mounting usb sticks, dontaudit access_check on mnt_t - dnsmasq can run as a dbus service, needs acquire service - mysql_admin should be allowed to connect to mysql service - virt creates monitor sockets in the users home dir
Mon Feb 21 13:00:00 2011 Miroslav Grepl 3.9.15-2 - Allow usbhid-ups to read hardware state information - systemd-tmpfiles has moved - Allow cgroup to sys_tty_config - For some reason prelink is attempting to read gconf settings - Add allow_daemons_use_tcp_wrapper boolean - Add label for ~/.cache/wocky to make telepathy work in enforcing mode - Add label for char devices /dev/dasd* - Fix for apache_role - Allow amavis to talk to nslcd - allow all sandbox to read selinux policy config files - Allow cluster domains to use the system bus and send each other dbus messages
Wed Feb 16 13:00:00 2011 Miroslav Grepl 3.9.15-1 - Update to upstream
Wed Feb 9 13:00:00 2011 Fedora Release Engineering - 3.9.14-2 - Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild
Tue Feb 8 13:00:00 2011 Dan Walsh 3.9.14-1 - Update to ref policy - cgred needs chown capability - Add /dev/crash crash_dev_t - systemd-readahead wants to use fanotify which means readahead_t needs sys_admin capability
Tue Feb 8 13:00:00 2011 Miroslav Grepl 3.9.13-10 - New labeling for postfmulti #675654 - dontaudit xdm_t listing noxattr file systems - dovecot-auth needs to be able to connect to mysqld via the network as well as locally - shutdown is passed stdout to a xdm_log_t file - smartd creates a fixed disk device - dovecot_etc_t contains a lnk_file that domains need to read - mount needs to be able to read etc_runtim_t:lnk_file since in rawhide this is a link created at boot
Thu Feb 3 13:00:00 2011 Miroslav Grepl 3.9.13-9 - syslog_t needs syslog capability - dirsrv needs to be able to create /var/lib/snmp - Fix labeling for dirsrv - Fix for dirsrv policy missing manage_dirs_pattern - corosync needs to delete clvm_tmpfs_t files - qdiskd needs to list hugetlbfs - Move setsched to sandbox_x_domain, so firefox can run without network access - Allow hddtemp to read removable devices - Adding syslog and read_policy permissions to policy * syslog Allow unconfined, sysadm_t, secadm_t, logadm_t * read_policy allow unconfined, sysadm_t, secadm_t, staff_t on Targeted allow sysadm_t (optionally), secadm_t on MLS - mdadm application will write into /sys/.../uevent whenever arrays are assembled or disassembled.
Tue Feb 1 13:00:00 2011 Dan Walsh 3.9.13-8 - Add tcsd policy
Tue Feb 1 13:00:00 2011 Miroslav Grepl 3.9.13-7 - ricci_modclusterd_t needs to bind to rpc ports 500-1023 - Allow dbus to use setrlimit to increase resources - Mozilla_plugin is leaking to sandbox - Allow confined users to connect to lircd over unix domain stream socket which allow to use remote control - Allow awstats to read squid logs - seunshare needs to manage tmp_t - apcupsd cgi scripts have a new directory
Thu Jan 27 13:00:00 2011 Miroslav Grepl 3.9.13-6 - Fix xserver_dontaudit_read_xdm_pid - Change oracle_port_t to oracledb_port_t to prevent conflict with satellite - Allow dovecot_deliver_t to read/write postfix_master_t:fifo_file. * These fifo_file is passed from postfix_master_t to postfix_local_t to dovecot_deliver_t - Allow readahead to manage readahead pid dirs - Allow readahead to read all mcs levels - Allow mozilla_plugin_t to use nfs or samba homedirs
Tue Jan 25 13:00:00 2011 Miroslav Grepl 3.9.13-5 - Allow nagios plugin to read /proc/meminfo - Fix for mozilla_plugin - Allow samba_net_t to create /etc/keytab - pppd_t setting up vpns needs to run unix_chkpwd, setsched its process and write wtmp_t - nslcd can read user credentials - Allow nsplugin to delete mozilla_plugin_tmpfs_t - abrt tries to create dir in rpm_var_lib_t - virt relabels fifo_files - sshd needs to manage content in fusefs homedir - mock manages link files in cache dir
Fri Jan 21 13:00:00 2011 Miroslav Grepl 3.9.13-4 - nslcd needs setsched and to read /usr/tmp - Invalid call in likewise policy ends up creating a bogus role - Cannon puts content into /var/lib/bjlib that cups needs to be able to write - Allow screen to create screen_home_t in /root - dirsrv sends syslog messages - pinentry reads stuff in .kde directory - Add labels for .kde directory in homedir - Treat irpinit, iprupdate, iprdump services with raid policy
Wed Jan 19 13:00:00 2011 Miroslav Grepl 3.9.13-3 - NetworkManager wants to read consolekit_var_run_t - Allow readahead to create /dev/.systemd/readahead - Remove permissive domains - Allow newrole to run namespace_init
Tue Jan 18 13:00:00 2011 Miroslav Grepl 3.9.13-2 - Add sepgsql_contexts file
Mon Jan 17 13:00:00 2011 Miroslav Grepl 3.9.13-1 - Update to upstream
Mon Jan 17 13:00:00 2011 Miroslav Grepl 3.9.12-8 - Add oracle ports and allow apache to connect to them if the connect_db boolean is turned on - Add puppetmaster_use_db boolean - Fixes for zarafa policy - Fixes for gnomeclock policy - Fix systemd-tmpfiles to use auth_use_nsswitch
Fri Jan 14 13:00:00 2011 Miroslav Grepl 3.9.12-7 - gnomeclock executes a shell - Update for screen policy to handle pipe in homedir - Fixes for polyinstantiated homedir - Fixes for namespace policy and other fixes related to polyinstantiation - Add namespace policy - Allow dovecot-deliver transition to sendmail which is needed by sieve scripts - Fixes for init, psad policy which relate with confined users - Do not audit bootloader attempts to read devicekit pid files - Allow nagios service plugins to read /proc
Tue Jan 11 13:00:00 2011 Miroslav Grepl 3.9.12-6 - Add firewalld policy - Allow vmware_host to read samba config - Kernel wants to read /proc Fix duplicate grub def in cobbler - Chrony sends mail, executes shell, uses fifo_file and reads /proc - devicekitdisk getattr all file systems - sambd daemon writes wtmp file - libvirt transitions to dmidecode
Wed Jan 5 13:00:00 2011 Miroslav Grepl 3.9.12-5 - Add initial policy for system-setup-keyboard which is now daemon - Label /var/lock/subsys/shorewall as shorewall_lock_t - Allow users to communicate with the gpg_agent_t - Dontaudit mozilla_plugin_t using the inherited terminal - Allow sambagui to read files in /usr - webalizer manages squid log files - Allow unconfined domains to bind ports to raw_ip_sockets - Allow abrt to manage rpm logs when running yum - Need labels for /var/run/bittlebee - Label .ssh under amanda - Remove unused genrequires for virt_domain_template - Allow virt_domain to use fd inherited from virtd_t - Allow iptables to read shorewall config
Tue Dec 28 13:00:00 2010 Dan Walsh 3.9.12-4 - Gnome apps list config_home_t - mpd creates lnk files in homedir - apache leaks write to mail apps on tmp files - /var/stockmaniac/templates_cache contains log files - Abrt list the connects of mount_tmp_t dirs - passwd agent reads files under /dev and reads utmp file - squid apache script connects to the squid port - fix name of plymouth log file - teamviewer is a wine app - allow dmesg to read system state - Stop labeling files under /var/lib/mock so restorecon will not go into this - nsplugin needs to read network state for google talk
Thu Dec 23 13:00:00 2010 Dan Walsh 3.9.12-3 - Allow xdm and syslog to use /var/log/boot.log - Allow users to communicate with mozilla_plugin and kill it - Add labeling for ipv6 and dhcp
Tue Dec 21 13:00:00 2010 Dan Walsh 3.9.12-2 - New labels for ghc http content - nsplugin_config needs to read urand, lvm now calls setfscreate to create dev - pm-suspend now creates log file for append access so we remove devicekit_wri - Change authlogin_use_sssd to authlogin_nsswitch_use_ldap - Fixes for greylist_milter policy
Tue Dec 21 13:00:00 2010 Miroslav Grepl 3.9.12-1 - Update to upstream - Fixes for systemd policy - Fixes for passenger policy - Allow staff users to run mysqld in the staff_t domain, akonadi needs this - Add bin_t label for /usr/share/kde4/apps/kajongg/kajongg.py - auth_use_nsswitch does not need avahi to read passwords,needed for resolving data - Dontaudit (xdm_t) gok attempting to list contents of /var/account - Telepathy domains need to read urand - Need interface to getattr all file classes in a mock library for setroubleshoot
Wed Dec 15 13:00:00 2010 Dan Walsh 3.9.11-2 - Update selinux policy to handle new /usr/share/sandbox/start script
Wed Dec 15 13:00:00 2010 Miroslav Grepl 3.9.11-1 - Update to upstream - Fix version of policy in spec file
Tue Dec 14 13:00:00 2010 Miroslav Grepl 3.9.10-13 - Allow sandbox to run on nfs partitions, fixes for systemd_tmpfs - remove per sandbox domains devpts types - Allow dkim-milter sending signal to itself
Mon Dec 13 13:00:00 2010 Dan Walsh 3.9.10-12 - Allow domains that transition to ping or traceroute, kill them - Allow user_t to conditionally transition to ping_t and traceroute_t - Add fixes to systemd-tools, including new labeling for systemd-fsck, systemd-cryptsetup
Mon Dec 13 13:00:00 2010 Miroslav Grepl 3.9.10-11 - Turn on systemd policy - mozilla_plugin needs to read certs in the homedir. - Dontaudit leaked file descriptors from devicekit - Fix ircssi to use auth_use_nsswitch - Change to use interface without param in corenet to disable unlabelednet packets - Allow init to relabel sockets and fifo files in /dev - certmonger needs dac * capabilities to manage cert files not owned by root - dovecot needs fsetid to change group membership on mail - plymouthd removes /var/log/boot.log - systemd is creating symlinks in /dev - Change label on /etc/httpd/alias to be all cert_t
Fri Dec 10 13:00:00 2010 Miroslav Grepl 3.9.10-10 - Fixes for clamscan and boinc policy - Add boinc_project_t setpgid - Allow alsa to create tmp files in /tmp
Tue Dec 7 13:00:00 2010 Miroslav Grepl 3.9.10-9 - Push fixes to allow disabling of unlabeled_t packet access - Enable unlabelednet policy
Tue Dec 7 13:00:00 2010 Miroslav Grepl 3.9.10-8 - Fixes for lvm to work with systemd
Mon Dec 6 13:00:00 2010 Miroslav Grepl 3.9.10-7 - Fix the label for wicd log - plymouthd creates force-display-on-active-vt file - Allow avahi to request the kernel to load a module - Dontaudit hal leaks - Fix gnome_manage_data interface - Add new interface corenet_packet to define a type as being a packet_type. - Removed general access to packet_type from icecast and squid. - Allow mpd to read alsa config - Fix the label for wicd log - Add systemd policy
Fri Dec 3 13:00:00 2010 Miroslav Grepl 3.9.10-6 - Fix gnome_manage_data interface - Dontaudit sys_ptrace capability for iscsid - Fixes for nagios plugin policy
Wed Dec 1 13:00:00 2010 Miroslav Grepl 3.9.10-5 - Fix cron to run ranged when started by init - Fix devicekit to use log files - Dontaudit use of devicekit_var_run_t for fstools - Allow init to setattr on logfile directories - Allow hald to manage files in /var/run/pm-utils/ dir which is now labeled as devicekit_var_run_t
Tue Nov 30 13:00:00 2010 Dan Walsh 3.9.10-4 - Fix up handling of dnsmasq_t creating /var/run/libvirt/network - Turn on sshd_forward_ports boolean by default - Allow sysadmin to dbus chat with rpm - Add interface for rw_tpm_dev - Allow cron to execute bin - fsadm needs to write sysfs - Dontaudit consoletype reading /var/run/pm-utils - Lots of new privs for mozilla_plugin_t running java app, make mozilla_plugin - certmonger needs to manage dirsrv data - /var/run/pm-utils should be labeled as devicekit_var_run_t
Tue Nov 30 13:00:00 2010 Miroslav Grepl 3.9.10-3 - fixes to allow /var/run and /var/lock as tmpfs - Allow chrome sandbox to connect to web ports - Allow dovecot to listen on lmtp and sieve ports - Allow ddclient to search sysctl_net_t - Transition back to original domain if you execute the shell
Thu Nov 25 13:00:00 2010 Miroslav Grepl 3.9.10-2 - Remove duplicate declaration
Thu Nov 25 13:00:00 2010 Miroslav Grepl 3.9.10-1 - Update to upstream - Cleanup for sandbox - Add attribute to be able to select sandbox types
Mon Nov 22 13:00:00 2010 Miroslav Grepl 3.9.9-4 - Allow ddclient to fix file mode bits of ddclient conf file - init leaks file descriptors to daemons - Add labels for /etc/lirc/ and - Allow amavis_t to exec shell - Add label for gssd_tmp_t for /var/tmp/nfs_0
Thu Nov 18 13:00:00 2010 Dan Walsh 3.9.9-3 - Put back in lircd_etc_t so policy will install
Thu Nov 18 13:00:00 2010 Miroslav Grepl 3.9.9-2 - Turn on allow_postfix_local_write_mail_spool - Allow initrc_t to transition to shutdown_t - Allow logwatch and cron to mls_read_to_clearance for MLS boxes - Allow wm to send signull to all applications and receive them from users - lircd patch from field - Login programs have to read /etc/samba - New programs under /lib/systemd - Abrt needs to read config files
Tue Nov 16 13:00:00 2010 Miroslav Grepl 3.9.9-1 - Update to upstream - Dontaudit leaked sockets from userdomains to user domains - Fixes for mcelog to handle scripts - Apply patch from Ruben Kerkhof - Allow syslog to search spool dirs
Mon Nov 15 13:00:00 2010 Miroslav Grepl 3.9.8-7 - Allow nagios plugins to read usr files - Allow mysqld-safe to send system log messages - Fixes for ddclient policy - Fix sasl_admin interface - Allow apache to search zarafa config - Allow munin plugins to search /var/lib directory - Allow gpsd to read sysfs_t - Fix labels on /etc/mcelog/triggers to bin_t
Fri Nov 12 13:00:00 2010 Dan Walsh 3.9.8-6 - Remove saslauthd_tmp_t and transition tmp files to krb5_host_rcache_t - Allow saslauthd_t to create krb5_host_rcache_t files in /tmp - Fix xserver interface - Fix definition of /var/run/lxdm
Fri Nov 12 13:00:00 2010 Miroslav Grepl 3.9.8-5 - Turn on mediawiki policy - kdump leaks kdump_etc_t to ifconfig, add dontaudit - uux needs to transition to uucpd_t - More init fixes relabels man,faillog - Remove maxima defs in libraries.fc - insmod needs to be able to create tmpfs_t files - ping needs setcap
Wed Nov 10 13:00:00 2010 Miroslav Grepl 3.9.8-4 - Allow groupd transition to fenced domain when executes fence_node - Fixes for rchs policy - Allow mpd to be able to read samba/nfs files
Tue Nov 9 13:00:00 2010 Dan Walsh 3.9.8-3 - Fix up corecommands.fc to match upstream - Make sure /lib/systemd/* is labeled init_exec_t - mount wants to setattr on all mountpoints - dovecot auth wants to read dovecot etc files - nscd daemon looks at the exe file of the communicating daemon - openvpn wants to read utmp file - postfix apps now set sys_nice and lower limits - remote_login (telnetd/login) wants to use telnetd_devpts_t and user_devpts_t to work correctly - Also resolves nsswitch - Fix labels on /etc/hosts.* - Cleanup to make upstream patch work - allow abrt to read etc_runtime_t
Fri Nov 5 13:00:00 2010 Dan Walsh 3.9.8-2 - Add conflicts for dirsrv package
Fri Nov 5 13:00:00 2010 Dan Walsh 3.9.8-1 - Update to upstream - Add vlock policy
Wed Nov 3 13:00:00 2010 Dan Walsh 3.9.7-10 - Fix sandbox to work on nfs homedirs - Allow cdrecord to setrlimit - Allow mozilla_plugin to read xauth - Change label on systemd-logger to syslogd_exec_t - Install dirsrv policy from dirsrv package
Tue Nov 2 13:00:00 2010 Dan Walsh 3.9.7-9 - Add virt_home_t, allow init to setattr on xserver_tmp_t and relabel it - Udev needs to stream connect to init and kernel - Add xdm_exec_bootloader boolean, which allows xdm to execute /sbin/grub and read files in /boot directory
Mon Nov 1 13:00:00 2010 Dan Walsh 3.9.7-8 - Allow NetworkManager to read openvpn_etc_t - Dontaudit hplip to write of /usr dirs - Allow system_mail_t to create /root/dead.letter as mail_home_t - Add vdagent policy for spice agent daemon
Thu Oct 28 14:00:00 2010 Dan Walsh 3.9.7-7 - Dontaudit sandbox sending sigkill to all user domains - Add policy for rssh_chroot_helper - Add missing flask definitions - Allow udev to relabelto removable_t - Fix label on /var/log/wicd.log - Transition to initrc_t from init when executing bin_t - Add audit_access permissions to file - Make removable_t a device_node - Fix label on /lib/systemd/*
Fri Oct 22 14:00:00 2010 Dan Walsh 3.9.7-6 - Fixes for systemd to manage /var/run - Dontaudit leaks by firstboot
Tue Oct 19 14:00:00 2010 Dan Walsh 3.9.7-5 - Allow chrome to create netlink_route_socket - Add additional MATHLAB file context - Define nsplugin as an application_domain - Dontaudit sending signals from sandboxed domains to other domains - systemd requires init to build /tmp /var/auth and /var/lock dirs - mount wants to read devicekit_power /proc/ entries - mpd wants to connect to soundd port - Openoffice causes a setattr on a lib_t file for normal users, add dontaudit - Treat lib_t and textrel_shlib_t directories the same - Allow mount read access on virtual images
Fri Oct 15 14:00:00 2010 Dan Walsh 3.9.7-4 - Allow sandbox_x_domains to work with nfs/cifs/fusefs home dirs. - Allow devicekit_power to domtrans to mount - Allow dhcp to bind to udp ports > 1024 to do named stuff - Allow ssh_t to exec ssh_exec_t - Remove telepathy_butterfly_rw_tmp_files(), dev_read_printk() interfaces which are no longer used - Fix clamav_append_log() interfaces - Fix 'psad_rw_fifo_file' interface
Fri Oct 15 14:00:00 2010 Dan Walsh 3.9.7-3 - Allow cobblerd to list cobbler apache content
Fri Oct 15 14:00:00 2010 Dan Walsh 3.9.7-2 - Fixup for the latest version of upowed - Dontaudit sandbox sending SIGNULL to desktop apps
Wed Oct 13 14:00:00 2010 Dan Walsh 3.9.7-1 - Update to upstream
Tue Oct 12 14:00:00 2010 Dan Walsh 3.9.6-3 - Mount command from a confined user generates setattr on /etc/mtab file, need to dontaudit this access - dovecot-auth_t needs ipc_lock - gpm needs to use the user terminal - Allow system_mail_t to append ~/dead.letter - Allow NetworkManager to edit /etc/NetworkManager/NetworkManager.conf - Add pid file to vnstatd - Allow mount to communicate with gfs_controld - Dontaudit hal leaks in setfiles
Fri Oct 8 14:00:00 2010 Dan Walsh 3.9.6-2 - Lots of fixes for systemd - systemd now executes readahead and tmpwatch type scripts - Needs to manage random seed
Thu Oct 7 14:00:00 2010 Dan Walsh 3.9.6-1 - Allow smbd to use sys_admin - Remove duplicate file context for tcfmgr - Update to upstream
Wed Oct 6 14:00:00 2010 Dan Walsh 3.9.5-11 - Fix fusefs handling - Do not allow sandbox to manage nsplugin_rw_t - Allow mozilla_plugin_t to connect to its parent - Allow init_t to connect to plymouthd running as kernel_t - Add mediawiki policy - dontaudit sandbox sending signals to itself. This can happen when they are running at different mcs. - Disable transition from dbus_session_domain to telepathy for F14 - Allow boinc_project to use shm - Allow certmonger to search through directories that contain certs - Allow fail2ban the DAC Override so it can read log files owned by non root users
Mon Oct 4 14:00:00 2010 Dan Walsh 3.9.5-10 - Start adding support for use_fusefs_home_dirs - Add /var/lib/syslog directory file context - Add /etc/localtime as locale file context
Thu Sep 30 14:00:00 2010 Dan Walsh 3.9.5-9 - Turn off default transition to mozilla_plugin and telepathy domains from unconfined user - Turn off iptables from unconfined user - Allow sudo to send signals to any domains the user could have transitioned to. - Passwd in single user mode needs to talk to console_device_t - Mozilla_plugin_t needs to connect to web ports, needs to write to video device, and read alsa_home_t alsa setsup pulseaudio - locate tried to read a symbolic link, will dontaudit - New labels for telepathy-sunshine content in homedir - Google is storing other binaries under /opt/google/talkplugin - bluetooth/kernel is creating unlabeled_t socket that I will allow it to use until kernel fixes bug - Add boolean for unconfined_t transition to mozilla_plugin_t and telepathy domains, turned off in F14 on in F15 - modemmanager and bluetooth send dbus messages to devicekit_power - Samba needs to getquota on filesystems labeled samba_share_t
Wed Sep 29 14:00:00 2010 Dan Walsh 3.9.5-8 - Dontaudit attempts by xdm_t to write to bin_t for kdm - Allow initrc_t to manage system_conf_t
Mon Sep 27 14:00:00 2010 Dan Walsh 3.9.5-7 - Fixes to allow mozilla_plugin_t to create nsplugin_home_t directory. - Allow mozilla_plugin_t to create tcp/udp/netlink_route sockets - Allow confined users to read xdm_etc_t files - Allow xdm_t to transition to xauth_t for lxdm program
Sun Sep 26 14:00:00 2010 Dan Walsh 3.9.5-6 - Rearrange firewallgui policy to be more easily updated to upstream, dontaudit search of /home - Allow clamd to send signals to itself - Allow mozilla_plugin_t to read user home content. And unlink pulseaudio shm. - Allow haze to connect to yahoo chat and messenger port tcp:5050. Bz #637339 - Allow guest to run ps command on its processes by allowing it to read /proc - Allow firewallgui to sys_rawio which seems to be required to setup masquerading - Allow all domains to search through default_t directories, in order to find different labels. For example people setting up /foo/bar to be shared via samba. - Add label for /var/log/slim.log
Fri Sep 24 14:00:00 2010 Dan Walsh 3.9.5-5 - Pull in cleanups from dgrift - Allow mozilla_plugin_t to execute mozilla_home_t - Allow rpc.quota to do quotamod
Thu Sep 23 14:00:00 2010 Dan Walsh 3.9.5-4 - Cleanup policy via dgrift - Allow dovecot_deliver to append to inherited log files - Lots of fixes for consolehelper
Tue Sep 21 14:00:00 2010 Dan Walsh 3.9.5-3 - Fix up Xguest policy
Thu Sep 16 14:00:00 2010 Dan Walsh 3.9.5-2 - Add vnstat policy - allow libvirt to send audit messages - Allow chrome-sandbox to search nfs_t
Thu Sep 16 14:00:00 2010 Dan Walsh 3.9.5-1 - Update to upstream
Wed Sep 15 14:00:00 2010 Dan Walsh 3.9.4-3 - Add the ability to send audit messages to confined admin policies - Remove permissive domain from cmirrord and dontaudit sys_tty_config - Split out unconfined_domain() calls from other unconfined_ calls so we can d - virt needs to be able to read processes to clearance for MLS
Tue Sep 14 14:00:00 2010 Dan Walsh 3.9.4-2 - Allow all domains that can use cgroups to search tmpfs_t directory - Allow init to send audit messages
Wed Sep 8 14:00:00 2010 Dan Walsh 3.9.4-1 - Update to upstream
Wed Sep 8 14:00:00 2010 Dan Walsh 3.9.3-4 - Allow mdadm_t to create files and sock files in /dev/md/
Wed Sep 8 14:00:00 2010 Dan Walsh 3.9.3-3 - Add policy for ajaxterm
Wed Sep 8 14:00:00 2010 Dan Walsh 3.9.3-2 - Handle /var/db/sudo - Allow pulseaudio to read alsa config - Allow init to send initrc_t dbus messages
Tue Sep 7 14:00:00 2010 Dan Walsh 3.9.3-1 - Allow iptables to read shorewall tmp files - Change chfn and passwd to use auth_use_pam so they can send dbus messages to fprintd - label vlc as an execmem_exec_t - Lots of fixes for mozilla_plugin to run google video chat - Allow telepath_msn to execute ldconfig and its own tmp files - Fix labels on hugepages - Allow mdadm to read files on /dev - Remove permissive domains and change back to unconfined - Allow freshclam to execute shell and bin_t - Allow devicekit_power to transition to dhcpc - Add boolean to allow icecast to connect to any port
Tue Aug 31 14:00:00 2010 Dan Walsh 3.9.2-1 - Merge upstream fix of mmap_zero - Allow mount to write files in debugfs_t - Allow corosync to communicate with clvmd via tmpfs - Allow certmaster to read usr_t files - Allow dbus system services to search cgroup_t - Define rlogind_t as a login pgm
Tue Aug 31 14:00:00 2010 Dan Walsh 3.9.1-3 - Allow mdadm_t to read/write hugetlbfs
Mon Aug 30 14:00:00 2010 Dan Walsh 3.9.1-2 - Dominic Grift Cleanup - Miroslav Grepl policy for jabberd - Various fixes for mount/livecd and prelink
Mon Aug 30 14:00:00 2010 Dan Walsh 3.9.1-1 - Merge with upstream
Thu Aug 26 14:00:00 2010 Dan Walsh 3.9.0-2 - More access needed for devicekit - Add dbadm policy
Thu Aug 26 14:00:00 2010 Dan Walsh 3.9.0-1 - Merge with upstream
Tue Aug 24 14:00:00 2010 Dan Walsh 3.8.8-21 - Allow seunshare to fowner
Tue Aug 24 14:00:00 2010 Dan Walsh 3.8.8-20 - Allow cron to look at user_cron_spool links - Lots of fixes for mozilla_plugin_t - Add sysv file system - Turn unconfined domains to permissive to find additional avcs
Mon Aug 23 14:00:00 2010 Dan Walsh 3.8.8-19 - Update policy for mozilla_plugin_t
Mon Aug 23 14:00:00 2010 Dan Walsh 3.8.8-18 - Allow clamscan to read proc_t - Allow mount_t to write to debufs_t dir - Dontaudit mount_t trying to write to security_t dir
Wed Aug 18 14:00:00 2010 Dan Walsh 3.8.8-17 - Allow clamscan_t execmem if clamd_use_jit set - Add policy for firefox plugin-container
Tue Aug 17 14:00:00 2010 Dan Walsh 3.8.8-16 - Fix /root/.forward definition
Tue Aug 17 14:00:00 2010 Dan Walsh 3.8.8-15 - label dead.letter as mail_home_t
Fri Aug 13 14:00:00 2010 Dan Walsh 3.8.8-14 - Allow login programs to search /cgroups
Thu Aug 12 14:00:00 2010 Dan Walsh 3.8.8-13 - Fix cert handling
Tue Aug 10 14:00:00 2010 Dan Walsh 3.8.8-12 - Fix devicekit_power bug - Allow policykit_auth_t more access.
Thu Aug 5 14:00:00 2010 Dan Walsh 3.8.8-11 - Fix nis calls to allow bind to ports 512-1024 - Fix smartmon
Wed Aug 4 14:00:00 2010 Dan Walsh 3.8.8-10 - Allow pcscd to read sysfs - systemd fixes - Fix wine_mmap_zero_ignore boolean
Tue Aug 3 14:00:00 2010 Dan Walsh 3.8.8-9 - Apply Miroslav munin patch - Turn back on allow_execmem and allow_execmod booleans
Tue Jul 27 14:00:00 2010 Dan Walsh 3.8.8-8 - Merge in fixes from dgrift repository
Tue Jul 27 14:00:00 2010 Dan Walsh 3.8.8-7 - Update boinc policy - Fix sysstat policy to allow sys_admin - Change failsafe_context to unconfined_r:unconfined_t:s0
Mon Jul 26 14:00:00 2010 Dan Walsh 3.8.8-6 - New paths for upstart
Mon Jul 26 14:00:00 2010 Dan Walsh 3.8.8-5 - New permissions for syslog - New labels for /lib/upstart
Fri Jul 23 14:00:00 2010 Dan Walsh 3.8.8-4 - Add mojomojo policy
Thu Jul 22 14:00:00 2010 Dan Walsh 3.8.8-3 - Allow systemd to setsockcon on sockets to imitate other services
Wed Jul 21 14:00:00 2010 Dan Walsh 3.8.8-2 - Remove debugfs label
Tue Jul 20 14:00:00 2010 Dan Walsh 3.8.8-1 - Update to latest policy
Wed Jul 14 14:00:00 2010 Dan Walsh 3.8.7-3 - Fix eclipse labeling from IBMSupportAssasstant packaging
Wed Jul 14 14:00:00 2010 Dan Walsh 3.8.7-2 - Make boot with systemd in enforcing mode
Wed Jul 14 14:00:00 2010 Dan Walsh 3.8.7-1 - Update to upstream
Mon Jul 12 14:00:00 2010 Dan Walsh 3.8.6-3 - Add boolean to turn off port forwarding in sshd.
Fri Jul 9 14:00:00 2010 Miroslav Grepl 3.8.6-2 - Add support for ebtables - Fixes for rhcs and corosync policy
Tue Jun 22 14:00:00 2010 Dan Walsh 3.8.6-1 - Update to upstream
Mon Jun 21 14:00:00 2010 Dan Walsh 3.8.5-1 - Update to upstream
Thu Jun 17 14:00:00 2010 Dan Walsh 3.8.4-1 - Update to upstream
Wed Jun 16 14:00:00 2010 Dan Walsh 3.8.3-4 - Add Zarafa policy
Wed Jun 9 14:00:00 2010 Dan Walsh 3.8.3-3 - Cleanup of aiccu policy - initial mock policy
Wed Jun 9 14:00:00 2010 Dan Walsh 3.8.3-2 - Lots of random fixes
Tue Jun 8 14:00:00 2010 Dan Walsh 3.8.3-1 - Update to upstream
Fri Jun 4 14:00:00 2010 Dan Walsh 3.8.2-1 - Update to upstream - Allow prelink script to signal itself - Cobbler fixes
Wed Jun 2 14:00:00 2010 Dan Walsh 3.8.1-5 - Add xdm_var_run_t to xserver_stream_connect_xdm - Add cmorrord and mpd policy from Miroslav Grepl
Tue Jun 1 14:00:00 2010 Dan Walsh 3.8.1-4 - Fix sshd creation of krb cc files for users to be user_tmp_t
Thu May 27 14:00:00 2010 Dan Walsh 3.8.1-3 - Fixes for accountsdialog - Fixes for boinc
Thu May 27 14:00:00 2010 Dan Walsh 3.8.1-2 - Fix label on /var/lib/dokwiki - Change permissive domains to enforcing - Fix libvirt policy to allow it to run on mls
Tue May 25 14:00:00 2010 Dan Walsh 3.8.1-1 - Update to upstream
Tue May 25 14:00:00 2010 Dan Walsh 3.7.19-22 - Allow procmail to execute scripts in the users home dir that are labeled home_bin_t - Fix /var/run/abrtd.lock label
Mon May 24 14:00:00 2010 Dan Walsh 3.7.19-21 - Allow login programs to read krb5_home_t Resolves: 594833 - Add obsoletes for cachefilesfd-selinux package Resolves: #575084
Thu May 20 14:00:00 2010 Dan Walsh 3.7.19-20 - Allow mount to r/w abrt fifo file - Allow svirt_t to getattr on hugetlbfs - Allow abrt to create a directory under /var/spool
Wed May 19 14:00:00 2010 Dan Walsh 3.7.19-19 - Add labels for /sys - Allow sshd to getattr on shutdown - Fixes for munin - Allow sssd to use the kernel key ring - Allow tor to send syslog messages - Allow iptables to read usr files - allow policykit to read all domains state
Thu May 13 14:00:00 2010 Dan Walsh 3.7.19-17 - Fix path for /var/spool/abrt - Allow nfs_t as an entrypoint for http_sys_script_t - Add policy for piranha - Lots of fixes for sosreport
Wed May 12 14:00:00 2010 Dan Walsh 3.7.19-16 - Allow xm_t to read network state and get and set capabilities - Allow policykit to getattr all processes - Allow denyhosts to connect to tcp port 9911 - Allow pyranha to use raw ip sockets and ptrace itself - Allow unconfined_execmem_t and gconfsd mechanism to dbus - Allow staff to kill ping process - Add additional MLS rules
Mon May 10 14:00:00 2010 Dan Walsh 3.7.19-15 - Allow gdm to edit ~/.gconf dir Resolves: #590677 - Allow dovecot to create directories in /var/lib/dovecot Partially resolves 590224 - Allow avahi to dbus chat with NetworkManager - Fix cobbler labels - Dontaudit iceauth_t leaks - fix /var/lib/lxdm file context - Allow aiccu to use tun tap devices - Dontaudit shutdown using xserver.log
Thu May 6 14:00:00 2010 Dan Walsh 3.7.19-14 - Fixes for sandbox_x_net_t to match access for sandbox_web_t ++ - Add xdm_etc_t for /etc/gdm directory, allow accountsd to manage this directory - Add dontaudit interface for bluetooth dbus - Add chronyd_read_keys, append_keys for initrc_t - Add log support for ksmtuned Resolves: #586663
Thu May 6 14:00:00 2010 Dan Walsh 3.7.19-13 - Allow boinc to send mail
Wed May 5 14:00:00 2010 Dan Walsh 3.7.19-12 - Allow initrc_t to remove dhcpc_state_t - Fix label on sa-update.cron - Allow dhcpc to restart chrony initrc - Don't allow sandbox to send signals to its parent processes - Fix transition from unconfined_t -> unconfined_mount_t -> rpcd_t Resolves: #589136
Mon May 3 14:00:00 2010 Dan Walsh 3.7.19-11 - Fix location of oddjob_mkhomedir Resolves: #587385 - fix labeling on /root/.shosts and ~/.shosts - Allow ipsec_mgmt_t to manage net_conf_t Resolves: #586760
Fri Apr 30 14:00:00 2010 Dan Walsh 3.7.19-10 - Dontaudit sandbox trying to connect to netlink sockets Resolves: #587609 - Add policy for piranha
Thu Apr 29 14:00:00 2010 Dan Walsh 3.7.19-9 - Fixups for xguest policy - Fixes for running sandbox firefox
Wed Apr 28 14:00:00 2010 Dan Walsh 3.7.19-8 - Allow ksmtuned to use terminals Resolves: #586663 - Allow lircd to write to generic usb devices
Tue Apr 27 14:00:00 2010 Dan Walsh 3.7.19-7 - Allow sandbox_xserver to connectto unconfined stream Resolves: #585171
Mon Apr 26 14:00:00 2010 Dan Walsh 3.7.19-6 - Allow initrc_t to read slapd_db_t Resolves: #585476 - Allow ipsec_mgmt to use unallocated devpts and to create /etc/resolv.conf Resolves: #585963
Thu Apr 22 14:00:00 2010 Dan Walsh 3.7.19-5 - Allow rlogind_t to search /root for .rhosts Resolves: #582760 - Fix path for cached_var_t - Fix prelink paths /var/lib/prelink - Allow confined users to direct_dri - Allow mls lvm/cryptosetup to work
Wed Apr 21 14:00:00 2010 Dan Walsh 3.7.19-4 - Allow virtd_t to manage firewall/iptables config Resolves: #573585
Tue Apr 20 14:00:00 2010 Dan Walsh 3.7.19-3 - Fix label on /root/.rhosts Resolves: #582760 - Add labels for Picasa - Allow openvpn to read home certs - Allow plymouthd_t to use tty_device_t - Run ncftool as iptables_t - Allow mount to unmount unlabeled_t - Dontaudit hal leaks
Wed Apr 14 14:00:00 2010 Dan Walsh 3.7.19-2 - Allow livecd to transition to mount
Tue Apr 13 14:00:00 2010 Dan Walsh 3.7.19-1 - Update to upstream - Allow abrt to delete sosreport Resolves: #579998 - Allow snmp to setuid and gid Resolves: #582155 - Allow smartd to use generic scsi devices Resolves: #582145
Tue Apr 13 14:00:00 2010 Dan Walsh 3.7.18-3 - Allow ipsec_t to create /etc/resolv.conf with the correct label - Fix reserved port destination - Allow autofs to transition to showmount - Stop crashing tuned
Mon Apr 12 14:00:00 2010 Dan Walsh 3.7.18-2 - Add telepathysofiasip policy
Mon Apr 5 14:00:00 2010 Dan Walsh 3.7.18-1 - Update to upstream - Fix label for /opt/google/chrome/chrome-sandbox - Allow modemmanager to dbus with policykit
Mon Apr 5 14:00:00 2010 Dan Walsh 3.7.17-6 - Fix allow_httpd_mod_auth_pam to use auth_use_pam(httpd_t) - Allow accountsd to read shadow file - Allow apache to send audit messages when using pam - Allow asterisk to bind and connect to sip tcp ports - Fixes for dovecot 2.0 - Allow initrc_t to setattr on milter directories - Add procmail_home_t for .procmailrc file
Thu Apr 1 14:00:00 2010 Dan Walsh 3.7.17-5 - Fixes for labels during install from livecd
Thu Apr 1 14:00:00 2010 Dan Walsh 3.7.17-4 - Fix /cgroup file context - Fix broken afs use of unlabled_t - Allow getty to use the console for s390
Wed Mar 31 14:00:00 2010 Dan Walsh 3.7.17-3 - Fix cgroup handling adding policy for /cgroup - Allow confined users to write to generic usb devices, if user_rw_noexattrfile boolean set
Tue Mar 30 14:00:00 2010 Dan Walsh 3.7.17-2 - Merge patches from dgrift
Mon Mar 29 14:00:00 2010 Dan Walsh 3.7.17-1 - Update upstream - Allow abrt to write to the /proc under any process
Fri Mar 26 13:00:00 2010 Dan Walsh 3.7.16-2 - Fix ~/.fontconfig label - Add /root/.cert label - Allow reading of the fixed_file_disk_t:lnk_file if you can read file - Allow qemu_exec_t as an entrypoint to svirt_t
Tue Mar 23 13:00:00 2010 Dan Walsh 3.7.16-1 - Update to upstream - Allow tmpreaper to delete sandbox sock files - Allow chrome-sandbox_t to use /dev/zero, and dontaudit getattr file systems - Fixes for gitosis - No transition on livecd to passwd or chfn - Fixes for denyhosts
Tue Mar 23 13:00:00 2010 Dan Walsh 3.7.15-4 - Add label for /var/lib/upower - Allow logrotate to run sssd - dontaudit readahead on tmpfs blk files - Allow tmpreaper to setattr on sandbox files - Allow confined users to execute dos files - Allow sysadm_t to kill processes running within its clearance - Add accountsd policy - Fixes for corosync policy - Fixes from crontab policy - Allow svirt to manage svirt_image_t chr files - Fixes for qdisk policy - Fixes for sssd policy - Fixes for newrole policy
Thu Mar 18 13:00:00 2010 Dan Walsh 3.7.15-3 - make libvirt work on an MLS platform
Thu Mar 18 13:00:00 2010 Dan Walsh 3.7.15-2 - Add qpidd policy
Thu Mar 18 13:00:00 2010 Dan Walsh 3.7.15-1 - Update to upstream
Tue Mar 16 13:00:00 2010 Dan Walsh 3.7.14-5 - Allow boinc to read kernel sysctl - Fix snmp port definitions - Allow apache to read anon_inodefs
Sun Mar 14 13:00:00 2010 Dan Walsh 3.7.14-4 - Allow shutdown dac_override
Sat Mar 13 13:00:00 2010 Dan Walsh 3.7.14-3 - Add device_t as a file system - Fix sysfs association
Fri Mar 12 13:00:00 2010 Dan Walsh 3.7.14-2 - Dontaudit ipsec_mgmt sys_ptrace - Allow at to mail its spool files - Allow nsplugin to search in .pulse directory
Fri Mar 12 13:00:00 2010 Dan Walsh 3.7.14-1 - Update to upstream
Fri Mar 12 13:00:00 2010 Dan Walsh 3.7.13-4 - Allow users to dbus chat with xdm - Allow users to r/w wireless_device_t - Dontaudit reading of process states by ipsec_mgmt
Thu Mar 11 13:00:00 2010 Dan Walsh 3.7.13-3