Changelog for selinux-policy-3.9.16-51.fc15.noarch.rpm :
Thu Jan 19 13:00:00 2012 Miroslav Grepl 3.9.16-51 - Fix BOINC bug
Wed Dec 14 13:00:00 2011 Miroslav Grepl 3.9.16-50 - BOINC fixes - Allow mysqld_safe to delete the mysql_db_t sock_file - Dovecot has a new fifo_file /var/run/stats-mail
Fri Dec 2 13:00:00 2011 Miroslav Grepl 3.9.16-49 - Allow gnomeclock to send system log msgs - Users that use X and spice need to use the virtio device - squashfs supports extended attributes - Allow system_cronjob to dbus chat with NetworkManager - Allow all postfix domains to use the fifo_file - Allow squid to check the network state - Allow spamd to send mail
Wed Nov 16 13:00:00 2011 Miroslav Grepl 3.9.16-48 - Fix typo in ssh.if
Wed Nov 16 13:00:00 2011 Miroslav Grepl 3.9.16-47 - Allow spamd and clamd to stream connect to each other - Allow colord to execute ifconfig - Allow smbcontrol to signal themselves - Make faillog MLS trusted to make sudo_$1_t working
Mon Nov 7 13:00:00 2011 Miroslav Grepl 3.9.16-46 - Backport MCS fixes from F16 - Other chrome fixes from F16
Wed Oct 26 14:00:00 2011 Miroslav Grepl 3.9.16-45 - Backport chrome fixes - Backport cloudform policy
Fri Oct 21 14:00:00 2011 Miroslav Grepl 3.9.16-44 - Fixes for systemd - Add FIPS support for dirsrv
Tue Oct 11 14:00:00 2011 Miroslav Grepl 3.9.16-43 - Allow sa-update to update rules - Allow sa-update to read spamd tmp file - Allow screen to read all domain state - Allow sa-update to execute shell - More fixes for sa-update running out of cron job - Allow initrc to manage cron system spool - Fixes for collectd policy - Fixes added during clean up bugzillas - Dontaudit fail2ban_client_t sys_tty_config capability - Fix for puppet which does execute check on passwd - ricci_modservice send syslog msgs - Fix dev_dontaudit_write_mtrr() interface
Tue Sep 27 14:00:00 2011 Miroslav Grepl 3.9.16-42 - Make mta_role() active - Add additional gitweb file context labeling - Allow asterisk to connect to jabber client port - Allow sssd to read the contents of /sys/class/net/$IFACE_NAME - Allow fsdaemon dac_override
Thu Sep 22 14:00:00 2011 Miroslav Grepl 3.9.16-41 - Add logging_syslogd_can_sendmail boolean - Add support for exim and confined users - support for ommail module to send logs via mail - Add execmem_execmod() to execmem role - Allow pptp to send generic signal to kernel threads - Fix kerberos_manage_host_rcache() interface
Mon Sep 12 14:00:00 2011 Miroslav Grepl 3.9.16-40 - Fixes for mock
Tue Sep 6 14:00:00 2011 Miroslav Grepl 3.9.16-39 - Backport F16 fixes - livecd fixes - systemd fixes
Thu Aug 11 14:00:00 2011 Miroslav Grepl 3.9.16-38 - Allow hostname read network state - Allow syslog to manage all log files - Add use_fusefs_home_dirs boolean for chrome - Make vdagent working with confined users - Fix syslog port definition - Allow openvpn to set its process priority when the nice parameter is used - Restorecond should be able to watch and relabel devices in /dev - Allow hddtemp to perform DNS name resolution
Fri Aug 5 14:00:00 2011 Miroslav Grepl 3.9.16-37 - Fixes for zarafa, postfix policy - Backport collect policy
Wed Jul 27 14:00:00 2011 Miroslav Grepl 3.9.16-36 - Backport ABRT changes - Make tmux working with screen policy - Allow root cron jobs can't run without unconfined - add interface to dontaudit writes to urand, needed by libra - Add label for /var/cache/krb5rcache directory
Wed Jul 20 14:00:00 2011 Miroslav Grepl 3.9.16-35 - Allow jabberd_router_t to read system state - Rename oracledb_port to oracle_port - Allow rgmanager executes init script files in initrc_t domain which ensure proper transitions - screen wants to manage sock file in screen home dirs - Make screen working with confined users - Allow gssd to search access on the directory /proc/fs/nfsd
Fri Jul 15 14:00:00 2011 Miroslav Grepl 3.9.16-34 - More fixes for postfix policy - Allow virsh_t setsched - Add mcelog_log_t type for mcelog log file - Add virt_ptynode attribute
Mon Jul 11 14:00:00 2011 Miroslav Grepl 3.9.16-33 - Add l2tpd policy - Fixes for abrt - Backport fail2ban_client policy
Fri Jul 1 14:00:00 2011 Miroslav Grepl 3.9.16-32 - Allow getcap, setcap for syslogd - Fix label for /usr/lib64/opera/opera
Thu Jun 30 14:00:00 2011 Miroslav Grepl 3.9.16-31 - Make mozilla_plugin_tmpfs_t as userdom_user_tmpfs_content() - Allow init to delete all pid sockets - Allow colord to read /proc/stat - Add label for /var/www/html/wordpress/wp-content/plugins directory - Allow pppd to search /var/lock dir - puppetmaster use nsswitch: #711804 - Update abrt to match rawhide policy - allow privoxy to read network data - support gecko mozilla browser plugin - Allow chrome_sandbox to execute content in nfs homedir - postfix_qmgr needs to read /var/spool/postfix/deferred - abrt_t needs fsetid
Tue Jun 14 14:00:00 2011 Miroslav Grepl 3.9.16-30 - Fixes for zarafa policy - Other fixes for fail2ban - Allow keyring to drop capabilities - Allow cobblerd to send syslog messages - Allow xserver to read/write the xserver_misk device - ppp also installs /var/log/ppp and /var/run/ppp directories * remove filetrans rules - fix for pppd_lock - Allow fail2ban run ldconfig - Allow lvm to read/write pipes inherited from login programs
Fri Jun 10 14:00:00 2011 Miroslav Grepl 3.9.16-29 - Fix /var/lock labeling issue
Mon Jun 6 14:00:00 2011 Miroslav Grepl 3.9.16-28 - Allow ssh to execute systemctl - fail2ban fixes related to /tmp directory - Allow puppetmaster to create dirs in /var/run/puppet
Thu Jun 2 14:00:00 2011 Miroslav Grepl 3.9.16-27 - Add label for /var/lock/ppp - Fixes for colord policy - Allow sys_chroot for postfix domains
Fri May 27 14:00:00 2011 Miroslav Grepl 3.9.16-26 - Add label for dev/ati/card * - Allow secadm to manage selinux config files
Thu May 26 14:00:00 2011 Miroslav Grepl 3.9.16-25 - Add Dominicks patch for dccp_socket - dnsmasq needs to read nm-dns-dnsmasq.conf in /var/run/ - Colord inherits open file descriptors from the users...' - cgred needs auth_use_nsswitch() - apcupsd lock file was missing file context specificatio... - Make cron work - Allow clamav to manage amavis spool files - Use httpd_can_sendmail boolean also for httpd_suexec_t - Add fenced_can_ssh boolean - Add dev_dontaudit_read_generic_files() for hplip - Allow xauthority to create shared memory - Make postfix user domains application_domains - Allow xend to sys_admin privs - Allow mount to read usr files - Allow logrotate to connect to init script using unix stream socket - Allow nsplugin_t to getattr on gpmctl
Tue May 17 14:00:00 2011 Miroslav Grepl 3.9.16-24 - Allow logrotate to connect to init script using unix domain stream socket - Allow shorewall read and write inherited user domain pty/tty - virt will attempt to use another virtualizations pulsesaudio tmpfs_t, ignore error - Allow colord to get the attributes of fixed disk device nodes - Allow nsplugin_t to getattr on gpmctl - Allow mozilla_plugin to connect to pcscd over an unix stream socket - Allow logrotate to execute systemctl - colord wants to read files in users homedir - Remote login should create user_tmp_t content not its own tmp files - Allow psad signal - Fix cobbler_read_lib_files interface - Allow rlogind to r/w user terminals - Allow prelink_cron_system_t to relabel content and ignore obj_id - Allow gnomeclock_systemctl_t to list init_var_run_t - Dbus domains will inherit fds from the init system
Fri May 6 14:00:00 2011 Miroslav Grepl 3.9.16-23 - Add label for /lib/upstart/init - Allow colord to getattr on /proc/scsi/scsi - Dontaudit sys_module for ifconfig and irqbalance
Thu May 5 14:00:00 2011 Miroslav Grepl 3.9.16-22 - Make telepathy working with confined users - Allow colord signal - prelink_cron_system_t needs to be able to detect systemd - Allow cupsd_config_t to read user's symlinks in /tmp
Mon May 2 14:00:00 2011 Dan Walsh 3.9.16-21 - Fixes for colord and vnstatd policy - telepathy needs to dbus chat with unconfined_t and unconfined_dbusd_t - Remove dbus.patch and move it to policy-F15.patch
Fri Apr 29 14:00:00 2011 Dan Walsh 3.9.16-20 - Adding in unconfined_r telepathy domains so telepathy apps will not crash on update
Fri Apr 29 14:00:00 2011 Dan Walsh 3.9.16-19 - Fix dbus_session_domain - Stop transitioning from unconfined_t to telepathy domains or to gkeyring domains
Wed Apr 27 14:00:00 2011 Miroslav Grepl 3.9.16-18 - Allow init_t getcap and setcap - Allow namespace_init_t to use nsswitch - aisexec will execute corosync - colord tries to read files off noxattr file systems
Tue Apr 26 14:00:00 2011 Miroslav Grepl 3.9.16-17 - Add back transition from unconfined to telepathy domains
Thu Apr 21 14:00:00 2011 Miroslav Grepl 3.9.16-16 - Allow spamd to send mail - Needs to be able to write to its systemhigh log file - Fix aide policy to run on MLS boxes - Allow NetworkManager to manage content in /etc/NetworkManager/system-connections - Allow user_t and staff_t access to generic scsi to handle locally plugged in scanners - Allow telepath_msn_t to read /proc/PARENT/cmdline - ftpd needs kill capability - Allow telepath_msn_t to connect to sip port - keyring daemon does not work on nfs homedirs - Allow $1_sudo_t to read default SELinux context - Add label for tgtd sock file in /var/run/ - Add apache_exec_rotatelogs interface - allow all zaraha domains to signal themselves, server writes to /tmp - Allow syslog to read the process state - Add label for /usr/lib/chromium-browser/chrome - Remove the telepathy transition from unconfined_t - Dontaudit sandbox domains trying to mounton sandbox_file_t, this is caused by fuse mounts - Allow initrc_t domain to manage abrt pid files - Add support for AEOLUS project - Virt_admin should be allowed to manage images and processes - Allow plymountd to send signals to init - Change labeling of fping6
Wed Apr 13 14:00:00 2011 Miroslav Grepl 3.9.16-15 - xdm_t needs getsession for switch user - Every app that used to exec init is now execing systemdctl - Allow squid to manage krb5_host_rcache_t files - Allow foghorn to connect to agentx port - Fixes for colord policy
Mon Apr 11 14:00:00 2011 Miroslav Grepl 3.9.16-14 - Need to allow apps that use locks to read /var/lock if it is a symlink - Allow systemd to create tasks - Logwatch reads /etc/sysctl.conf and /proc/sys/net/ipv4/ip_forward - Fixes for foghorn policy - Add labeling for systemd unit files - Allow gnomeclock to enable ntpd service using systemctl - systemd_systemctl_t domain was added - Add label for matahari-broker.pid file - We want to remove untrustedmcsprocess from ability to read /proc/pid - Fixes for matahari policy
Thu Apr 7 14:00:00 2011 Miroslav Grepl 3.9.16-13 - Allow colord to use unix_dgram_socket - Allow apps that search pids to read /var/run if it is a lnk_file - iscsid_t creates its own directory - Allow init to list var_lock_t dir - apm needs to verify user accounts auth_use_nsswitch
Mon Apr 4 14:00:00 2011 Miroslav Grepl 3.9.16-12 - Add /var/run/lock /var/lock definition to file_contexts.subs - nslcd_t is looking for kerberos cc files - SSH_USE_STRONG_RNG is 1 which requires /dev/random - Fix auth_rw_faillog definition - Allow sysadm_t to set attributes on fixed disks - allow user domains to execute lsof and look at application sockets - prelink_cron job calls telinit -u if init is rewritten - Fixes to run qemu_t from staff_t
Sat Apr 2 14:00:00 2011 Miroslav Grepl 3.9.16-11 - Fix label for /var/run/udev to udev_var_run_t
Fri Apr 1 14:00:00 2011 Miroslav Grepl 3.9.16-10 - Add label for /run/udev - Mock needs to be able to read network state
Fri Apr 1 14:00:00 2011 Miroslav Grepl 3.9.16-9 - Other fixes to make boot working
Thu Mar 31 14:00:00 2011 Miroslav Grepl 3.9.16-8 - A lot of fixes making /run change working - Add subs file to equate /var/run with /run and /var/lock with /run/lock - Allow rgmanager to send the kill signal to all users - Allow ssh_t to search /root/.ssh and create it if it does not exist - dontaudit read of user_tmp_t from load_policy - Allow abrt fowner capability - Allow audit daemons to change the run level in MLS environments - Since /var/lock is moving to /run/lock. We need to allow all interfaces for lock files to search var_run_t - Add file label for MathKernel - Add label for /dev/dlm * - Allow systemd_tmpfiles_t to manage sandbox data - More /run directories labels - rlogind sends kill signal to chkpwd_t - systemd is now mounting on /var/lock
Fri Mar 25 13:00:00 2011 Miroslav Grepl 3.9.16-7 - Make Makefile/Rules.modular run sepolgen-ifgen during build to check if files for bugs - systemd is going to be using /run and /run/lock for early bootup files. - Fix some comments in rlogin.if - Add policy for KDE backlighthelper - sssd needs to read ~/.k5login in nfs, cifs or fusefs file systems - sssd wants to read .k5login file in users homedir - setroubleshoot reads executables to see if they have TEXTREL - Add /var/spool/audit support for new version of audit - Remove kerberos_connect_524() interface calling - Combine kerberos_master_port_t and kerberos_port_t - systemd has setup /dev/kmsg as stderr for apps it executes - Need these access so that init can impersonate sockets on unix_dgram_socket
Tue Mar 22 13:00:00 2011 Miroslav Grepl 3.9.16-6 - Add syslogd_exec_t label for systemd-kmsg-syslogd - ipsec_mgmt_t wants to cause ipsec_t to dump core, needs to be allowed - Allow rythmbox and other apps to share music over daap port - Allow qemu and pulseaudio to work together - Allow httpd to create socket file in /tmp - Allow tuned to write to sysfs - Allow systemd_tmpfiles to send kernel messages - Add a dev_filetrans to readahead_manage_pid_files so any callers can create directories and files in /dev with this label - mrtg needs to be able to create /var/lock/mrtg - Add label for /usr/share/shorewall/getparams - xdm needs to read KDE config files - Smolt needs to look at urand and read hwdata - google talk plugin in nsplugin is listing the contents - Add support for KDE ksysguardprocesslist_helper - Add support for a new cluster service - foghorn - gnome-control-center reads colord lib files when monitor is plugged - Add interface for defining node_types
Thu Mar 17 13:00:00 2011 Miroslav Grepl 3.9.16-5 - Fix multiple specification for boot.log - devicekit leaks file descriptors to setfiles_t - Change all all_nodes to generic_node and all_if to generic_if - Should not use deprecated interface - Switch from using all_nodes to generic_node and from all_if to generic_if - Add support for xfce4-notifyd - Fix file context to show several labels as SystemHigh - seunshare needs to be able to mounton nfs/cifs/fusefs homedirs - Add etc_runtime_t label for /etc/securetty - Fixes to allow xdm_t to start gkeyringd_USERTYPE_t directly - login.krb needs to be able to write user_tmp_t - dirsrv needs to bind to port 7390 for dogtag - Fix a bug in gpg policy - gpg sends audit messages - Allow qpid to manage matahari files
Tue Mar 15 13:00:00 2011 Miroslav Grepl 3.9.16-4 - Initial policy for matahari - Add dev_read_watchdog - Allow clamd to connect clamd port - Add support for kcmdatetimehelper - Allow shutdown to setrlimit and sys_nice - Allow systemd_passwd to talk to /dev/log before udev or syslog is running - Purge chr_file and blk files on /tmp - Fixes for pads - Fixes for piranha-pulse - gpg_t needs to be able to encrypt anything owned by the user
Thu Mar 10 13:00:00 2011 Miroslav Grepl 3.9.16-3 - More dontaudits of writes from readahead - Dontaudit readahead_t file_type:dir write, to cover up kernel bug - systemd_tmpfiles needs to relabel faillog directory as well as the file - Allow hostname and consoletype to r/w inherited initrc_tmp_t files handling hostname >> /tmp/myhost
Tue Mar 8 13:00:00 2011 Miroslav Grepl 3.9.16-1 - Update to upstream - Fixes for telepathy - Add port definition for ssdp port - add policy for /bin/systemd-notify from Dan - Mount command requires users read mount_var_run_t - colord needs to read konject_uevent_socket - User domains connect to the gkeyring socket - Add colord policy and allow user_t and staff_t to dbus chat with it - Add lvm_exec_t label for kpartx - Dontaudit reading the mail_spool_t link from sandbox -X - systemd is creating sockets in avahi_var_run and system_dbusd_var_run
Thu Mar 3 13:00:00 2011 Miroslav Grepl 3.9.15-6 - Make a lot of modules independent - Update to make new seunshare/sandbox work - allow virt_domains to use inherited noxattrs file systems - Dont allow svirt_t to send kill signals - Cleanup policy to allow less modules in base - Cleanup to allow minimal files in base policy
Tue Mar 1 13:00:00 2011 Miroslav Grepl 3.9.15-5 - gpg_t needs to talk to gnome-keyring - nscd wants to read /usr/tmp->/var/tmp to generate randomization in unixchkpwd - enforce MCS labeling on nodes - Allow arpwatch to read meminfo - Allow gnomeclock to send itself signals - init relabels /dev/.udev files on boot - gkeyringd has to transition back to staff_t when it runs commands in bin_t or shell_exec_t - nautilus checks access on /media directory before mounting usb sticks, dontaudit access_check on mnt_t - dnsmasq can run as a dbus service, needs acquire service - mysql_admin should be allowed to connect to mysql service - virt creates monitor sockets in the users home dir
Fri Feb 25 13:00:00 2011 Miroslav Grepl 3.9.15-4 - Allow sysadm type people to look at usb devices - Cron needs to be able to run shutdown - virt creates monitor sockets in the users home dir
Fri Feb 25 13:00:00 2011 Miroslav Grepl 3.9.15-3 - gnome-keyring-daemon needs nsswitch getpw calls - Symantic places a pipe in the /opt directory tree that it expects syslogd to be able to write to - keyringd daemon sends/receives dbus messages from user types - sudo domains need to be able to signal all users "sysadm_t" - allow systemd-ask-passwd to create unix dgram socket - allow puppet master to read usr files - fixes for mock policy - Add mock_enable_homedirs boolean - Allow systemd to relabel /dev - Moving to only one file type sandbox_file_t - mta search /var/lib/logcheck - sssd needs to bind to random UDP ports - Allow amavis sigkill - Add systemd_passwd_agent_dev_template interface and use it for lvm
Mon Feb 21 13:00:00 2011 Miroslav Grepl 3.9.15-2 - Allow usbhid-ups to read hardware state information - systemd-tmpfiles has moved - Allow cgroup to sys_tty_config - For some reason prelink is attempting to read gconf settings - Add allow_daemons_use_tcp_wrapper boolean - Add label for ~/.cache/wocky to make telepathy work in enforcing mode - Add label for char devices /dev/dasd * - Fix for apache_role - Allow amavis to talk to nslcd - allow all sandbox to read selinux policy config files - Allow cluster domains to use the system bus and send each other dbus messages
Wed Feb 16 13:00:00 2011 Miroslav Grepl 3.9.15-1 - Update to upstream - Allow systemd-tmpfiles to getattr on all files/dirs
Wed Feb 9 13:00:00 2011 Fedora Release Engineering - 3.9.14-2 - Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild
Tue Feb 8 13:00:00 2011 Dan Walsh 3.9.14-1 - Update to ref policy - cgred needs chown capability - Add /dev/crash crash_dev_t - systemd-readahead wants to use fanotify which means readahead_t needs sys_admin capability
Tue Feb 8 13:00:00 2011 Miroslav Grepl 3.9.13-10 - New labeling for postfmulti #675654 - dontaudit xdm_t listing noxattr file systems - dovecot-auth needs to be able to connect to mysqld via the network as well as locally - shutdown is passed stdout to a xdm_log_t file - smartd creates a fixed disk device - dovecot_etc_t contains a lnk_file that domains need to read - mount needs to be able to read etc_runtim_t:lnk_file since in rawhide this is a link created at boot
Thu Feb 3 13:00:00 2011 Miroslav Grepl 3.9.13-9 - syslog_t needs syslog capability - dirsrv needs to be able to create /var/lib/snmp - Fix labeling for dirsrv - Fix for dirsrv policy missing manage_dirs_pattern - corosync needs to delete clvm_tmpfs_t files - qdiskd needs to list hugetlbfs - Move setsched to sandbox_x_domain, so firefox can run without network access - Allow hddtemp to read removable devices - Adding syslog and read_policy permissions to policy * syslog Allow unconfined, sysadm_t, secadm_t, logadm_t * read_policy allow unconfined, sysadm_t, secadm_t, staff_t on Targeted allow sysadm_t (optionally), secadm_t on MLS - mdadm application will write into /sys/.../uevent whenever arrays are assembled or disassembled.
Tue Feb 1 13:00:00 2011 Dan Walsh 3.9.13-8 - Add tcsd policy
Tue Feb 1 13:00:00 2011 Miroslav Grepl 3.9.13-7 - ricci_modclusterd_t needs to bind to rpc ports 500-1023 - Allow dbus to use setrlimit to increase resources - Mozilla_plugin is leaking to sandbox - Allow confined users to connect to lircd over unix domain stream socket which allow to use remote control - Allow awstats to read squid logs - seunshare needs to manage tmp_t - apcupsd cgi scripts have a new directory
Thu Jan 27 13:00:00 2011 Miroslav Grepl 3.9.13-6 - Fix xserver_dontaudit_read_xdm_pid - Change oracle_port_t to oracledb_port_t to prevent conflict with satellite - Allow dovecot_deliver_t to read/write postfix_master_t:fifo_file. * These fifo_file is passed from postfix_master_t to postfix_local_t to dovecot_deliver_t - Allow readahead to manage readahead pid dirs - Allow readahead to read all mcs levels - Allow mozilla_plugin_t to use nfs or samba homedirs
Tue Jan 25 13:00:00 2011 Miroslav Grepl 3.9.13-5 - Allow nagios plugin to read /proc/meminfo - Fix for mozilla_plugin - Allow samba_net_t to create /etc/keytab - pppd_t setting up vpns needs to run unix_chkpwd, setsched its process and write wtmp_t - nslcd can read user credentials - Allow nsplugin to delete mozilla_plugin_tmpfs_t - abrt tries to create dir in rpm_var_lib_t - virt relabels fifo_files - sshd needs to manage content in fusefs homedir - mock manages link files in cache dir
Fri Jan 21 13:00:00 2011 Miroslav Grepl 3.9.13-4 - nslcd needs setsched and to read /usr/tmp - Invalid call in likewise policy ends up creating a bogus role - Cannon puts content into /var/lib/bjlib that cups needs to be able to write - Allow screen to create screen_home_t in /root - dirsrv sends syslog messages - pinentry reads stuff in .kde directory - Add labels for .kde directory in homedir - Treat irpinit, iprupdate, iprdump services with raid policy
Wed Jan 19 13:00:00 2011 Miroslav Grepl 3.9.13-3 - NetworkManager wants to read consolekit_var_run_t - Allow readahead to create /dev/.systemd/readahead - Remove permissive domains - Allow newrole to run namespace_init
Tue Jan 18 13:00:00 2011 Miroslav Grepl 3.9.13-2 - Add sepgsql_contexts file
Mon Jan 17 13:00:00 2011 Miroslav Grepl 3.9.13-1 - Update to upstream
Mon Jan 17 13:00:00 2011 Miroslav Grepl 3.9.12-8 - Add oracle ports and allow apache to connect to them if the connect_db boolean is turned on - Add puppetmaster_use_db boolean - Fixes for zarafa policy - Fixes for gnomeclock policy - Fix systemd-tmpfiles to use auth_use_nsswitch
Fri Jan 14 13:00:00 2011 Miroslav Grepl 3.9.12-7 - gnomeclock executes a shell - Update for screen policy to handle pipe in homedir - Fixes for polyinstantiated homedir - Fixes for namespace policy and other fixes related to polyinstantiation - Add namespace policy - Allow dovecot-deliver transition to sendmail which is needed by sieve scripts - Fixes for init, psad policy which relate with confined users - Do not audit bootloader attempts to read devicekit pid files - Allow nagios service plugins to read /proc
Tue Jan 11 13:00:00 2011 Miroslav Grepl 3.9.12-6 - Add firewalld policy - Allow vmware_host to read samba config - Kernel wants to read /proc Fix duplicate grub def in cobbler - Chrony sends mail, executes shell, uses fifo_file and reads /proc - devicekitdisk getattr all file systems - sambd daemon writes wtmp file - libvirt transitions to dmidecode
Wed Jan 5 13:00:00 2011 Miroslav Grepl 3.9.12-5 - Add initial policy for system-setup-keyboard which is now daemon - Label /var/lock/subsys/shorewall as shorewall_lock_t - Allow users to communicate with the gpg_agent_t - Dontaudit mozilla_plugin_t using the inherited terminal - Allow sambagui to read files in /usr - webalizer manages squid log files - Allow unconfined domains to bind ports to raw_ip_sockets - Allow abrt to manage rpm logs when running yum - Need labels for /var/run/bittlebee - Label .ssh under amanda - Remove unused genrequires for virt_domain_template - Allow virt_domain to use fd inherited from virtd_t - Allow iptables to read shorewall config
Tue Dec 28 13:00:00 2010 Dan Walsh 3.9.12-4 - Gnome apps list config_home_t - mpd creates lnk files in homedir - apache leaks write to mail apps on tmp files - /var/stockmaniac/templates_cache contains log files - Abrt list the connects of mount_tmp_t dirs - passwd agent reads files under /dev and reads utmp file - squid apache script connects to the squid port - fix name of plymouth log file - teamviewer is a wine app - allow dmesg to read system state - Stop labeling files under /var/lib/mock so restorecon will not go into this - nsplugin needs to read network state for google talk
Thu Dec 23 13:00:00 2010 Dan Walsh 3.9.12-3 - Allow xdm and syslog to use /var/log/boot.log - Allow users to communicate with mozilla_plugin and kill it - Add labeling for ipv6 and dhcp
Tue Dec 21 13:00:00 2010 Dan Walsh 3.9.12-2 - New labels for ghc http content - nsplugin_config needs to read urand, lvm now calls setfscreate to create dev - pm-suspend now creates log file for append access so we remove devicekit_wri - Change authlogin_use_sssd to authlogin_nsswitch_use_ldap - Fixes for greylist_milter policy
Tue Dec 21 13:00:00 2010 Miroslav Grepl 3.9.12-1 - Update to upstream - Fixes for systemd policy - Fixes for passenger policy - Allow staff users to run mysqld in the staff_t domain, akonadi needs this - Add bin_t label for /usr/share/kde4/apps/kajongg/kajongg.py - auth_use_nsswitch does not need avahi to read passwords, needed for resolving data - Dontaudit (xdm_t) gok attempting to list contents of /var/account - Telepathy domains need to read urand - Need interface to getattr all file classes in a mock library for setroubleshoot
Wed Dec 15 13:00:00 2010 Dan Walsh 3.9.11-2 - Update selinux policy to handle new /usr/share/sandbox/start script
Wed Dec 15 13:00:00 2010 Miroslav Grepl 3.9.11-1 - Update to upstream - Fix version of policy in spec file
Tue Dec 14 13:00:00 2010 Miroslav Grepl 3.9.10-13 - Allow sandbox to run on nfs partitions, fixes for systemd_tmpfs - remove per sandbox domains devpts types - Allow dkim-milter sending signal to itself
Mon Dec 13 13:00:00 2010 Dan Walsh 3.9.10-12 - Allow domains that transition to ping or traceroute, kill them - Allow user_t to conditionally transition to ping_t and traceroute_t - Add fixes to systemd- tools, including new labeling for systemd-fsck, systemd-cryptsetup
Mon Dec 13 13:00:00 2010 Miroslav Grepl 3.9.10-11 - Turn on systemd policy - mozilla_plugin needs to read certs in the homedir. - Dontaudit leaked file descriptors from devicekit - Fix ircssi to use auth_use_nsswitch - Change to use interface without param in corenet to disable unlabelednet packets - Allow init to relabel sockets and fifo files in /dev - certmonger needs dac * capabilities to manage cert files not owned by root - dovecot needs fsetid to change group membership on mail - plymouthd removes /var/log/boot.log - systemd is creating symlinks in /dev - Change label on /etc/httpd/alias to be all cert_t
Fri Dec 10 13:00:00 2010 Miroslav Grepl 3.9.10-10 - Fixes for clamscan and boinc policy - Add boinc_project_t setpgid - Allow alsa to create tmp files in /tmp
Tue Dec 7 13:00:00 2010 Miroslav Grepl 3.9.10-9 - Push fixes to allow disabling of unlabeled_t packet access - Enable unlabelednet policy
Tue Dec 7 13:00:00 2010 Miroslav Grepl 3.9.10-8 - Fixes for lvm to work with systemd
Mon Dec 6 13:00:00 2010 Miroslav Grepl 3.9.10-7 - Fix the label for wicd log - plymouthd creates force-display-on-active-vt file - Allow avahi to request the kernel to load a module - Dontaudit hal leaks - Fix gnome_manage_data interface - Add new interface corenet_packet to define a type as being an packet_type. - Removed general access to packet_type from icecast and squid. - Allow mpd to read alsa config - Fix the label for wicd log - Add systemd policy
Fri Dec 3 13:00:00 2010 Miroslav Grepl 3.9.10-6 - Fix gnome_manage_data interface - Dontaudit sys_ptrace capability for iscsid - Fixes for nagios plugin policy
Wed Dec 1 13:00:00 2010 Miroslav Grepl 3.9.10-5 - Fix cron to run ranged when started by init - Fix devicekit to use log files - Dontaudit use of devicekit_var_run_t for fstools - Allow init to setattr on logfile directories - Allow hald to manage files in /var/run/pm-utils/ dir which is now labeled as devicekit_var_run_t
Tue Nov 30 13:00:00 2010 Dan Walsh 3.9.10-4 - Fix up handling of dnsmasq_t creating /var/run/libvirt/network - Turn on sshd_forward_ports boolean by default - Allow sysadmin to dbus chat with rpm - Add interface for rw_tpm_dev - Allow cron to execute bin - fsadm needs to write sysfs - Dontaudit consoletype reading /var/run/pm-utils - Lots of new privs for mozilla_plugin_t running java app, make mozilla_plugin - certmonger needs to manage dirsrv data - /var/run/pm-utils should be labeled as devicekit_var_run_t
Tue Nov 30 13:00:00 2010 Miroslav Grepl 3.9.10-3 - fixes to allow /var/run and /var/lock as tmpfs - Allow chrome sandbox to connect to web ports - Allow dovecot to listen on lmtp and sieve ports - Allow ddclient to search sysctl_net_t - Transition back to original domain if you execute the shell
Thu Nov 25 13:00:00 2010 Miroslav Grepl 3.9.10-2 - Remove duplicate declaration
Thu Nov 25 13:00:00 2010 Miroslav Grepl 3.9.10-1 - Update to upstream - Cleanup for sandbox - Add attribute to be able to select sandbox types
Mon Nov 22 13:00:00 2010 Miroslav Grepl 3.9.9-4 - Allow ddclient to fix file mode bits of ddclient conf file - init leaks file descriptors to daemons - Add labels for /etc/lirc/ and - Allow amavis_t to exec shell - Add label for gssd_tmp_t for /var/tmp/nfs_0
Thu Nov 18 13:00:00 2010 Dan Walsh 3.9.9-3 - Put back in lircd_etc_t so policy will install
Thu Nov 18 13:00:00 2010 Miroslav Grepl 3.9.9-2 - Turn on allow_postfix_local_write_mail_spool - Allow initrc_t to transition to shutdown_t - Allow logwatch and cron to mls_read_to_clearance for MLS boxes - Allow wm to send signull to all applications and receive them from users - lircd patch from field - Login programs have to read /etc/samba - New programs under /lib/systemd - Abrt needs to read config files
Tue Nov 16 13:00:00 2010 Miroslav Grepl 3.9.9-1 - Update to upstream - Dontaudit leaked sockets from userdomains to user domains - Fixes for mcelog to handle scripts - Apply patch from Ruben Kerkhof - Allow syslog to search spool dirs
Mon Nov 15 13:00:00 2010 Miroslav Grepl 3.9.8-7 - Allow nagios plugins to read usr files - Allow mysqld-safe to send system log messages - Fixes for ddclient policy - Fix sasl_admin interface - Allow apache to search zarafa config - Allow munin plugins to search /var/lib directory - Allow gpsd to read sysfs_t - Fix labels on /etc/mcelog/triggers to bin_t
Fri Nov 12 13:00:00 2010 Dan Walsh 3.9.8-6 - Remove saslauthd_tmp_t and transition tmp files to krb5_host_rcache_t - Allow saslauthd_t to create krb5_host_rcache_t files in /tmp - Fix xserver interface - Fix definition of /var/run/lxdm
Fri Nov 12 13:00:00 2010 Miroslav Grepl 3.9.8-5 - Turn on mediawiki policy - kdump leaks kdump_etc_t to ifconfig, add dontaudit - uux needs to transition to uucpd_t - More init fixes relabels man,faillog - Remove maxima defs in libraries.fc - insmod needs to be able to create tmpfs_t files - ping needs setcap
Wed Nov 10 13:00:00 2010 Miroslav Grepl 3.9.8-4 - Allow groupd transition to fenced domain when executes fence_node - Fixes for rchs policy - Allow mpd to be able to read samba/nfs files
Tue Nov 9 13:00:00 2010 Dan Walsh 3.9.8-3 - Fix up corecommands.fc to match upstream - Make sure /lib/systemd/ * is labeled init_exec_t - mount wants to setattr on all mountpoints - dovecot auth wants to read dovecot etc files - nscd daemon looks at the exe file of the communicating daemon - openvpn wants to read utmp file - postfix apps now set sys_nice and lower limits - remote_login (telnetd/login) wants to use telnetd_devpts_t and user_devpts_t to work correctly - Also resolves nsswitch - Fix labels on /etc/hosts. * - Cleanup to make upstream patch work - allow abrt to read etc_runtime_t
Fri Nov 5 13:00:00 2010 Dan Walsh 3.9.8-2 - Add conflicts for dirsrv package
Fri Nov 5 13:00:00 2010 Dan Walsh 3.9.8-1 - Update to upstream - Add vlock policy
Wed Nov 3 13:00:00 2010 Dan Walsh 3.9.7-10 - Fix sandbox to work on nfs homedirs - Allow cdrecord to setrlimit - Allow mozilla_plugin to read xauth - Change label on systemd-logger to syslogd_exec_t - Install dirsrv policy from dirsrv package
Tue Nov 2 13:00:00 2010 Dan Walsh 3.9.7-9 - Add virt_home_t, allow init to setattr on xserver_tmp_t and relabel it - Udev needs to stream connect to init and kernel - Add xdm_exec_bootloader boolean, which allows xdm to execute /sbin/grub and read files in /boot directory
Mon Nov 1 13:00:00 2010 Dan Walsh 3.9.7-8 - Allow NetworkManager to read openvpn_etc_t - Dontaudit hplip to write of /usr dirs - Allow system_mail_t to create /root/dead.letter as mail_home_t - Add vdagent policy for spice agent daemon
Thu Oct 28 14:00:00 2010 Dan Walsh 3.9.7-7 - Dontaudit sandbox sending sigkill to all user domains - Add policy for rssh_chroot_helper - Add missing flask definitions - Allow udev to relabelto removable_t - Fix label on /var/log/wicd.log - Transition to initrc_t from init when executing bin_t - Add audit_access permissions to file - Make removable_t a device_node - Fix label on /lib/systemd/*
Fri Oct 22 14:00:00 2010 Dan Walsh 3.9.7-6 - Fixes for systemd to manage /var/run - Dontaudit leaks by firstboot
Tue Oct 19 14:00:00 2010 Dan Walsh 3.9.7-5 - Allow chrome to create netlink_route_socket - Add additional MATHLAB file context - Define nsplugin as an application_domain - Dontaudit sending signals from sandboxed domains to other domains - systemd requires init to build /tmp /var/auth and /var/lock dirs - mount wants to read devicekit_power /proc/ entries - mpd wants to connect to soundd port - Openoffice causes a setattr on a lib_t file for normal users, add dontaudit - Treat lib_t and textrel_shlib_t directories the same - Allow mount read access on virtual images
Fri Oct 15 14:00:00 2010 Dan Walsh 3.9.7-4 - Allow sandbox_x_domains to work with nfs/cifs/fusefs home dirs. - Allow devicekit_power to domtrans to mount - Allow dhcp to bind to udp ports > 1024 to do named stuff - Allow ssh_t to exec ssh_exec_t - Remove telepathy_butterfly_rw_tmp_files(), dev_read_printk() interfaces which are no longer used - Fix clamav_append_log() interfaces - Fix 'psad_rw_fifo_file' interface
Fri Oct 15 14:00:00 2010 Dan Walsh 3.9.7-3 - Allow cobblerd to list cobbler apache content
Fri Oct 15 14:00:00 2010 Dan Walsh 3.9.7-2 - Fixup for the latest version of upowed - Dontaudit sandbox sending SIGNULL to desktop apps
Wed Oct 13 14:00:00 2010 Dan Walsh 3.9.7-1 - Update to upstream
Tue Oct 12 14:00:00 2010 Dan Walsh 3.9.6-3 - Mount command from a confined user generates setattr on /etc/mtab file, need to dontaudit this access - dovecot-auth_t needs ipc_lock - gpm needs to use the user terminal - Allow system_mail_t to append ~/dead.letter - Allow NetworkManager to edit /etc/NetworkManager/NetworkManager.conf - Add pid file to vnstatd - Allow mount to communicate with gfs_controld - Dontaudit hal leaks in setfiles
Fri Oct 8 14:00:00 2010 Dan Walsh 3.9.6-2 - Lots of fixes for systemd - systemd now executes readahead and tmpwatch type scripts - Needs to manage random seed
Thu Oct 7 14:00:00 2010 Dan Walsh 3.9.6-1 - Allow smbd to use sys_admin - Remove duplicate file context for tcfmgr - Update to upstream
Wed Oct 6 14:00:00 2010 Dan Walsh 3.9.5-11 - Fix fusefs handling - Do not allow sandbox to manage nsplugin_rw_t - Allow mozilla_plugin_t to connect to its parent - Allow init_t to connect to plymouthd running as kernel_t - Add mediawiki policy - dontaudit sandbox sending signals to itself. This can happen when they are running at different mcs. - Disable transition from dbus_session_domain to telepathy for F14 - Allow boinc_project to use shm - Allow certmonger to search through directories that contain certs - Allow fail2ban the DAC Override so it can read log files owned by non root users
Mon Oct 4 14:00:00 2010 Dan Walsh 3.9.5-10 - Start adding support for use_fusefs_home_dirs - Add /var/lib/syslog directory file context - Add /etc/localtime as locale file context
Thu Sep 30 14:00:00 2010 Dan Walsh 3.9.5-9 - Turn off default transition to mozilla_plugin and telepathy domains from unconfined user - Turn off iptables from unconfined user - Allow sudo to send signals to any domains the user could have transitioned to. - Passwd in single user mode needs to talk to console_device_t - Mozilla_plugin_t needs to connect to web ports, needs to write to video device, and read alsa_home_t alsa setsup pulseaudio - locate tried to read a symbolic link, will dontaudit - New labels for telepathy-sunshine content in homedir - Google is storing other binaries under /opt/google/talkplugin - bluetooth/kernel is creating unlabeled_t socket that I will allow it to use until kernel fixes bug - Add boolean for unconfined_t transition to mozilla_plugin_t and telepathy domains, turned off in F14 on in F15 - modemmanager and bluetooth send dbus messages to devicekit_power - Samba needs to getquota on filesystems labeled samba_share_t
Wed Sep 29 14:00:00 2010 Dan Walsh 3.9.5-8 - Dontaudit attempts by xdm_t to write to bin_t for kdm - Allow initrc_t to manage system_conf_t
Mon Sep 27 14:00:00 2010 Dan Walsh 3.9.5-7 - Fixes to allow mozilla_plugin_t to create nsplugin_home_t directory. - Allow mozilla_plugin_t to create tcp/udp/netlink_route sockets - Allow confined users to read xdm_etc_t files - Allow xdm_t to transition to xauth_t for lxdm program
Sun Sep 26 14:00:00 2010 Dan Walsh 3.9.5-6 - Rearrange firewallgui policy to be more easily updated to upstream, dontaudit search of /home - Allow clamd to send signals to itself - Allow mozilla_plugin_t to read user home content. And unlink pulseaudio shm. - Allow haze to connect to yahoo chat and messenger port tcp:5050. Bz #637339 - Allow guest to run ps command on its processes by allowing it to read /proc - Allow firewallgui to sys_rawio which seems to be required to setup masquerading - Allow all domains to search through default_t directories, in order to find different labels. For example people setting up /foo/bar to be shared via samba. - Add label for /var/log/slim.log
Fri Sep 24 14:00:00 2010 Dan Walsh 3.9.5-5 - Pull in cleanups from dgrift - Allow mozilla_plugin_t to execute mozilla_home_t - Allow rpc.quota to do quotamod
Thu Sep 23 14:00:00 2010 Dan Walsh 3.9.5-4 - Cleanup policy via dgrift - Allow dovecot_deliver to append to inherited log files - Lots of fixes for consolehelper
Tue Sep 21 14:00:00 2010 Dan Walsh 3.9.5-3 - Fix up Xguest policy
Thu Sep 16 14:00:00 2010 Dan Walsh 3.9.5-2 - Add vnstat policy - allow libvirt to send audit messages - Allow chrome-sandbox to search nfs_t
Thu Sep 16 14:00:00 2010 Dan Walsh 3.9.5-1 - Update to upstream
Wed Sep 15 14:00:00 2010 Dan Walsh 3.9.4-3 - Add the ability to send audit messages to confined admin policies - Remove permissive domain from cmirrord and dontaudit sys_tty_config - Split out unconfined_domain() calls from other unconfined_ calls so we can d - virt needs to be able to read processes to clearance for MLS
Tue Sep 14 14:00:00 2010 Dan Walsh 3.9.4-2 - Allow all domains that can use cgroups to search tmpfs_t directory - Allow init to send audit messages
Wed Sep 8 14:00:00 2010 Dan Walsh 3.9.4-1 - Update to upstream
Wed Sep 8 14:00:00 2010 Dan Walsh 3.9.3-4 - Allow mdadm_t to create files and sock files in /dev/md/
Wed Sep 8 14:00:00 2010 Dan Walsh 3.9.3-3 - Add policy for ajaxterm
Wed Sep 8 14:00:00 2010 Dan Walsh 3.9.3-2 - Handle /var/db/sudo - Allow pulseaudio to read alsa config - Allow init to send initrc_t dbus messages
Tue Sep 7 14:00:00 2010 Dan Walsh 3.9.3-1 - Allow iptables to read shorewall tmp files - Change chfn and passwd to use auth_use_pam so they can send dbus messages to fprintd - label vlc as an execmem_exec_t - Lots of fixes for mozilla_plugin to run google video chat - Allow telepath_msn to execute ldconfig and its own tmp files - Fix labels on hugepages - Allow mdadm to read files on /dev - Remove permissive domains and change back to unconfined - Allow freshclam to execute shell and bin_t - Allow devicekit_power to transition to dhcpc - Add boolean to allow icecast to connect to any port
Tue Aug 31 14:00:00 2010 Dan Walsh 3.9.2-1 - Merge upstream fix of mmap_zero - Allow mount to write files in debugfs_t - Allow corosync to communicate with clvmd via tmpfs - Allow certmaster to read usr_t files - Allow dbus system services to search cgroup_t - Define rlogind_t as a login pgm
Tue Aug 31 14:00:00 2010 Dan Walsh 3.9.1-3 - Allow mdadm_t to read/write hugetlbfs
Mon Aug 30 14:00:00 2010 Dan Walsh 3.9.1-2 - Dominic Grift Cleanup - Miroslav Grepl policy for jabberd - Various fixes for mount/livecd and prelink
Mon Aug 30 14:00:00 2010 Dan Walsh 3.9.1-1 - Merge with upstream
Thu Aug 26 14:00:00 2010 Dan Walsh 3.9.0-2 - More access needed for devicekit - Add dbadm policy
Thu Aug 26 14:00:00 2010 Dan Walsh 3.9.0-1 - Merge with upstream
Tue Aug 24 14:00:00 2010 Dan Walsh 3.8.8-21 - Allow seunshare to fowner
Tue Aug 24 14:00:00 2010 Dan Walsh 3.8.8-20 - Allow cron to look at user_cron_spool links - Lots of fixes for mozilla_plugin_t - Add sysv file system - Turn unconfined domains to permissive to find additional avcs
Mon Aug 23 14:00:00 2010 Dan Walsh 3.8.8-19 - Update policy for mozilla_plugin_t
Mon Aug 23 14:00:00 2010 Dan Walsh 3.8.8-18 - Allow clamscan to read proc_t - Allow mount_t to write to debugfs_t dir - Dontaudit mount_t trying to write to security_t dir
Wed Aug 18 14:00:00 2010 Dan Walsh 3.8.8-17 - Allow clamscan_t execmem if clamd_use_jit set - Add policy for firefox plugin-container
Tue Aug 17 14:00:00 2010 Dan Walsh 3.8.8-16 - Fix /root/.forward definition
Tue Aug 17 14:00:00 2010 Dan Walsh 3.8.8-15 - label dead.letter as mail_home_t
Fri Aug 13 14:00:00 2010 Dan Walsh 3.8.8-14 - Allow login programs to search /cgroups
Thu Aug 12 14:00:00 2010 Dan Walsh 3.8.8-13 - Fix cert handling
Tue Aug 10 14:00:00 2010 Dan Walsh 3.8.8-12 - Fix devicekit_power bug - Allow policykit_auth_t more access.
Thu Aug 5 14:00:00 2010 Dan Walsh 3.8.8-11 - Fix nis calls to allow bind to ports 512-1024 - Fix smartmon
Wed Aug 4 14:00:00 2010 Dan Walsh 3.8.8-10 - Allow pcscd to read sysfs - systemd fixes - Fix wine_mmap_zero_ignore boolean
Tue Aug 3 14:00:00 2010 Dan Walsh 3.8.8-9 - Apply Miroslav munin patch - Turn back on allow_execmem and allow_execmod booleans
Tue Jul 27 14:00:00 2010 Dan Walsh 3.8.8-8 - Merge in fixes from dgrift repository
Tue Jul 27 14:00:00 2010 Dan Walsh 3.8.8-7 - Update boinc policy - Fix sysstat policy to allow sys_admin - Change failsafe_context to unconfined_r:unconfined_t:s0
Mon Jul 26 14:00:00 2010 Dan Walsh 3.8.8-6 - New paths for upstart
Mon Jul 26 14:00:00 2010 Dan Walsh 3.8.8-5 - New permissions for syslog - New labels for /lib/upstart
Fri Jul 23 14:00:00 2010 Dan Walsh 3.8.8-4 - Add mojomojo policy
Thu Jul 22 14:00:00 2010 Dan Walsh 3.8.8-3 - Allow systemd to setsockcon on sockets to imitate other services
Wed Jul 21 14:00:00 2010 Dan Walsh 3.8.8-2 - Remove debugfs label
Tue Jul 20 14:00:00 2010 Dan Walsh 3.8.8-1 - Update to latest policy
Wed Jul 14 14:00:00 2010 Dan Walsh 3.8.7-3 - Fix eclipse labeling from IBMSupportAssistant packaging
Wed Jul 14 14:00:00 2010 Dan Walsh 3.8.7-2 - Make boot with systemd in enforcing mode
Wed Jul 14 14:00:00 2010 Dan Walsh 3.8.7-1 - Update to upstream
Mon Jul 12 14:00:00 2010 Dan Walsh 3.8.6-3 - Add boolean to turn off port forwarding in sshd.
Fri Jul 9 14:00:00 2010 Miroslav Grepl 3.8.6-2 - Add support for ebtables - Fixes for rhcs and corosync policy
Tue Jun 22 14:00:00 2010 Dan Walsh 3.8.6-1 - Update to upstream
Mon Jun 21 14:00:00 2010 Dan Walsh 3.8.5-1 - Update to upstream
Thu Jun 17 14:00:00 2010 Dan Walsh 3.8.4-1 - Update to upstream
Wed Jun 16 14:00:00 2010 Dan Walsh 3.8.3-4 - Add Zarafa policy
Wed Jun 9 14:00:00 2010 Dan Walsh 3.8.3-3 - Cleanup of aiccu policy - initial mock policy
Wed Jun 9 14:00:00 2010 Dan Walsh 3.8.3-2 - Lots of random fixes
Tue Jun 8 14:00:00 2010 Dan Walsh 3.8.3-1 - Update to upstream
Fri Jun 4 14:00:00 2010 Dan Walsh 3.8.2-1 - Update to upstream - Allow prelink script to signal itself - Cobbler fixes
Wed Jun 2 14:00:00 2010 Dan Walsh 3.8.1-5 - Add xdm_var_run_t to xserver_stream_connect_xdm - Add cmirrord and mpd policy from Miroslav Grepl
Tue Jun 1 14:00:00 2010 Dan Walsh 3.8.1-4 - Fix sshd creation of krb cc files for users to be user_tmp_t
Thu May 27 14:00:00 2010 Dan Walsh 3.8.1-3 - Fixes for accountsdialog - Fixes for boinc
Thu May 27 14:00:00 2010 Dan Walsh 3.8.1-2 - Fix label on /var/lib/dokwiki - Change permissive domains to enforcing - Fix libvirt policy to allow it to run on mls
Tue May 25 14:00:00 2010 Dan Walsh 3.8.1-1 - Update to upstream
Tue May 25 14:00:00 2010 Dan Walsh 3.7.19-22 - Allow procmail to execute scripts in the users home dir that are labeled home_bin_t - Fix /var/run/abrtd.lock label
Mon May 24 14:00:00 2010 Dan Walsh 3.7.19-21 - Allow login programs to read krb5_home_t Resolves: 594833 - Add obsoletes for cachefilesfd-selinux package Resolves: #575084
Thu May 20 14:00:00 2010 Dan Walsh 3.7.19-20 - Allow mount to r/w abrt fifo file - Allow svirt_t to getattr on hugetlbfs - Allow abrt to create a directory under /var/spool
Wed May 19 14:00:00 2010 Dan Walsh 3.7.19-19 - Add labels for /sys - Allow sshd to getattr on shutdown - Fixes for munin - Allow sssd to use the kernel key ring - Allow tor to send syslog messages - Allow iptables to read usr files - allow policykit to read all domains state
Thu May 13 14:00:00 2010 Dan Walsh 3.7.19-17 - Fix path for /var/spool/abrt - Allow nfs_t as an entrypoint for http_sys_script_t - Add policy for piranha - Lots of fixes for sosreport
Wed May 12 14:00:00 2010 Dan Walsh 3.7.19-16 - Allow xm_t to read network state and get and set capabilities - Allow policykit to getattr all processes - Allow denyhosts to connect to tcp port 9911 - Allow piranha to use raw ip sockets and ptrace itself - Allow unconfined_execmem_t and gconfsd mechanism to dbus - Allow staff to kill ping process - Add additional MLS rules
Mon May 10 14:00:00 2010 Dan Walsh 3.7.19-15 - Allow gdm to edit ~/.gconf dir Resolves: #590677 - Allow dovecot to create directories in /var/lib/dovecot Partially resolves 590224 - Allow avahi to dbus chat with NetworkManager - Fix cobbler labels - Dontaudit iceauth_t leaks - fix /var/lib/lxdm file context - Allow aiccu to use tun tap devices - Dontaudit shutdown using xserver.log
Thu May 6 14:00:00 2010 Dan Walsh 3.7.19-14 - Fixes for sandbox_x_net_t to match access for sandbox_web_t ++ - Add xdm_etc_t for /etc/gdm directory, allow accountsd to manage this directory - Add dontaudit interface for bluetooth dbus - Add chronyd_read_keys, append_keys for initrc_t - Add log support for ksmtuned Resolves: #586663
Thu May 6 14:00:00 2010 Dan Walsh 3.7.19-13 - Allow boinc to send mail
Wed May 5 14:00:00 2010 Dan Walsh 3.7.19-12 - Allow initrc_t to remove dhcpc_state_t - Fix label on sa-update.cron - Allow dhcpc to restart chrony initrc - Don't allow sandbox to send signals to its parent processes - Fix transition from unconfined_t -> unconfined_mount_t -> rpcd_t Resolves: #589136
Mon May 3 14:00:00 2010 Dan Walsh 3.7.19-11 - Fix location of oddjob_mkhomedir Resolves: #587385 - fix labeling on /root/.shosts and ~/.shosts - Allow ipsec_mgmt_t to manage net_conf_t Resolves: #586760
Fri Apr 30 14:00:00 2010 Dan Walsh 3.7.19-10 - Dontaudit sandbox trying to connect to netlink sockets Resolves: #587609 - Add policy for piranha
Thu Apr 29 14:00:00 2010 Dan Walsh 3.7.19-9 - Fixups for xguest policy - Fixes for running sandbox firefox
Wed Apr 28 14:00:00 2010 Dan Walsh 3.7.19-8 - Allow ksmtuned to use terminals Resolves: #586663 - Allow lircd to write to generic usb devices
Tue Apr 27 14:00:00 2010 Dan Walsh 3.7.19-7 - Allow sandbox_xserver to connectto unconfined stream Resolves: #585171
Mon Apr 26 14:00:00 2010 Dan Walsh 3.7.19-6 - Allow initrc_t to read slapd_db_t Resolves: #585476 - Allow ipsec_mgmt to use unallocated devpts and to create /etc/resolv.conf Resolves: #585963
Thu Apr 22 14:00:00 2010 Dan Walsh 3.7.19-5 - Allow rlogind_t to search /root for .rhosts Resolves: #582760 - Fix path for cached_var_t - Fix prelink paths /var/lib/prelink - Allow confined users to direct_dri - Allow mls lvm/cryptosetup to work
Wed Apr 21 14:00:00 2010 Dan Walsh 3.7.19-4 - Allow virtd_t to manage firewall/iptables config Resolves: #573585
Tue Apr 20 14:00:00 2010 Dan Walsh 3.7.19-3 - Fix label on /root/.rhosts Resolves: #582760 - Add labels for Picasa - Allow openvpn to read home certs - Allow plymouthd_t to use tty_device_t - Run ncftool as iptables_t - Allow mount to unmount unlabeled_t - Dontaudit hal leaks
Wed Apr 14 14:00:00 2010 Dan Walsh 3.7.19-2 - Allow livecd to transition to mount
Tue Apr 13 14:00:00 2010 Dan Walsh 3.7.19-1 - Update to upstream - Allow abrt to delete sosreport Resolves: #579998 - Allow snmp to setuid and gid Resolves: #582155 - Allow smartd to use generic scsi devices Resolves: #582145
Tue Apr 13 14:00:00 2010 Dan Walsh 3.7.18-3 - Allow ipsec_t to create /etc/resolv.conf with the correct label - Fix reserved port destination - Allow autofs to transition to showmount - Stop crashing tuned
Mon Apr 12 14:00:00 2010 Dan Walsh 3.7.18-2 - Add telepathysofiasip policy
Mon Apr 5 14:00:00 2010 Dan Walsh 3.7.18-1 - Update to upstream - Fix label for /opt/google/chrome/chrome-sandbox - Allow modemmanager to dbus with policykit
Mon Apr 5 14:00:00 2010 Dan Walsh 3.7.17-6 - Fix allow_httpd_mod_auth_pam to use auth_use_pam(httpd_t) - Allow accountsd to read shadow file - Allow apache to send audit messages when using pam - Allow asterisk to bind and connect to sip tcp ports - Fixes for dovecot 2.0 - Allow initrc_t to setattr on milter directories - Add procmail_home_t for .procmailrc file
Thu Apr 1 14:00:00 2010 Dan Walsh 3.7.17-5 - Fixes for labels during install from livecd
Thu Apr 1 14:00:00 2010 Dan Walsh 3.7.17-4 - Fix /cgroup file context - Fix broken afs use of unlabeled_t - Allow getty to use the console for s390
Wed Mar 31 14:00:00 2010 Dan Walsh 3.7.17-3 - Fix cgroup handling adding policy for /cgroup - Allow confined users to write to generic usb devices, if user_rw_noexattrfile boolean set
Tue Mar 30 14:00:00 2010 Dan Walsh 3.7.17-2 - Merge patches from dgrift
Mon Mar 29 14:00:00 2010 Dan Walsh 3.7.17-1 - Update upstream - Allow abrt to write to the /proc under any process
Fri Mar 26 13:00:00 2010 Dan Walsh 3.7.16-2 - Fix ~/.fontconfig label - Add /root/.cert label - Allow reading of the fixed_file_disk_t:lnk_file if you can read file - Allow qemu_exec_t as an entrypoint to svirt_t
Tue Mar 23 13:00:00 2010 Dan Walsh 3.7.16-1 - Update to upstream - Allow tmpreaper to delete sandbox sock files - Allow chrome-sandbox_t to use /dev/zero, and dontaudit getattr file systems - Fixes for gitosis - No transition on livecd to passwd or chfn - Fixes for denyhosts
Tue Mar 23 13:00:00 2010 Dan Walsh 3.7.15-4 - Add label for /var/lib/upower - Allow logrotate to run sssd - dontaudit readahead on tmpfs blk files - Allow tmpreaper to setattr on sandbox files - Allow confined users to execute dos files - Allow sysadm_t to kill processes running within its clearance - Add accountsd policy - Fixes for corosync policy - Fixes from crontab policy - Allow svirt to manage svirt_image_t chr files - Fixes for qdisk policy - Fixes for sssd policy - Fixes for newrole policy
Thu Mar 18 13:00:00 2010 Dan Walsh 3.7.15-3 - make libvirt work on an MLS platform
Thu Mar 18 13:00:00 2010 Dan Walsh 3.7.15-2 - Add qpidd policy
Thu Mar 18 13:00:00 2010 Dan Walsh 3.7.15-1 - Update to upstream
Tue Mar 16 13:00:00 2010 Dan Walsh 3.7.14-5 - Allow boinc to read kernel sysctl - Fix snmp port definitions - Allow apache to read anon_inodefs
Sun Mar 14 13:00:00 2010 Dan Walsh 3.7.14-4 - Allow shutdown dac_override
Sat Mar 13 13:00:00 2010 Dan Walsh 3.7.14-3 - Add device_t as a file system - Fix sysfs association
Fri Mar 12 13:00:00 2010 Dan Walsh 3.7.14-2 - Dontaudit ipsec_mgmt sys_ptrace - Allow at to mail its spool files - Allow nsplugin to search in .pulse directory
Fri Mar 12 13:00:00 2010 Dan Walsh 3.7.14-1 - Update to upstream
Fri Mar 12 13:00:00 2010 Dan Walsh 3.7.13-4 - Allow users to dbus chat with xdm - Allow users to r/w wireless_device_t - Dontaudit reading of process states by ipsec_mgmt
Thu Mar 11 13:00:00 2010 Dan Walsh 3.7.13-3 - Fix openoffice from unconfined_t
Wed Mar 10 13:00:00 2010 Dan Walsh 3.7.13-2 - Add shutdown policy so consolekit can shutdown system
Tue Mar 9 13:00:00 2010 Dan Walsh 3.7.13-1 - Update to upstream
Thu Mar 4 13:00:00 2010 Dan Walsh 3.7.12-1 - Update to upstream
Thu Mar 4 13:00:00 2010 Dan Walsh 3.7.11-1 - Update to upstream - These are merges of my patches - Remove 389 labeling conflicts - Add MLS fixes found in RHEL6 testing - Allow pulseaudio to run as a service - Add label for mssql and allow apache to connect to this database port if boolean set - Dontaudit searches of debugfs mount point - Allow policykit_auth to send signals to itself - Allow modcluster to call getpwnam - Allow swat to signal winbind - Allow usbmux to run as a system role - Allow svirt to create and use devpts
Mon Mar 1 13:00:00 2010 Dan Walsh 3.7.10-5 - Add MLS fixes found in RHEL6 testing - Allow domains to append to rpm_tmp_t - Add cachefilesfd policy - Dontaudit leaks when transitioning
Tue Feb 23 13:00:00 2010 Dan Walsh 3.7.10-4 - Change allow_execstack and allow_execmem booleans to on - dontaudit acct using console - Add label for fping - Allow tmpreaper to delete sandbox_file_t - Fix wine dontaudit mmap_zero - Allow abrt to read var_t symlinks
Mon Feb 22 13:00:00 2010 Dan Walsh 3.7.10-3 - Additional policy for rgmanager
Mon Feb 22 13:00:00 2010 Dan Walsh 3.7.10-2 - Allow sshd to setattr on pseudo terms
Mon Feb 22 13:00:00 2010 Dan Walsh 3.7.10-1 - Update to upstream
Thu Feb 18 13:00:00 2010 Dan Walsh 3.7.9-4 - Allow policykit to send itself signals
Wed Feb 17 13:00:00 2010 Dan Walsh 3.7.9-3 - Fix duplicate cobbler definition
Wed Feb 17 13:00:00 2010 Dan Walsh 3.7.9-2 - Fix file context of /var/lib/avahi-autoipd
Fri Feb 12 13:00:00 2010 Dan Walsh 3.7.9-1 - Merge with upstream
Thu Feb 11 13:00:00 2010 Dan Walsh 3.7.8-11 - Allow sandbox to work with MLS
Tue Feb 9 13:00:00 2010 Dan Walsh 3.7.8-9 - Make Chrome work with staff user
Thu Feb 4 13:00:00 2010 Dan Walsh 3.7.8-8 - Add icecast policy - Cleanup spec file
Wed Feb 3 13:00:00 2010 Dan Walsh 3.7.8-7 - Add mcelog policy
Mon Feb 1 13:00:00 2010 Dan Walsh 3.7.8-6 - Lots of fixes found in F12
Wed Jan 27 13:00:00 2010 Dan Walsh 3.7.8-5 - Fix rpm_dontaudit_leaks
Wed Jan 27 13:00:00 2010 Dan Walsh 3.7.8-4 - Add getsched to hald_t - Add file context for Fedora/Redhat Directory Server
Mon Jan 25 13:00:00 2010 Dan Walsh 3.7.8-3 - Allow abrt_helper to getattr on all filesystems - Add label for /opt/real/RealPlayer/plugins/oggfformat\.so
Thu Jan 21 13:00:00 2010 Dan Walsh 3.7.8-2 - Add gstreamer_home_t for ~/.gstreamer
Mon Jan 18 13:00:00 2010 Dan Walsh 3.7.8-1 - Update to upstream
Fri Jan 15 13:00:00 2010 Dan Walsh 3.7.7-3