Changelog for selinux-policy-doc-3.10.0-166.fc17.noarch.rpm:
Tue Dec 3 13:00:00 2013 Miroslav Grepl 3.10.0-166
- Allow gpsd_t to setattr on usbtty_device
- Allow mail_munin_plugins domain to run postconf
- Dontaudit reading of domain states for mozilla-plugin-config
- Backport corenetwork.te.in fixes related to http and keystone ports
- Backport cloudform policy from F18
- Allow logrotate sys_ptrace capability
- Allow mscan to read /etc/MailScanner/conf.d directory
- Add support for HOME_DIR/.lyx
- Add support for rt4
- Backport rhsmcertd policy from F18
- zoneminder needs to connect to httpd ports where remote cameras are listening
- Add ntp_exec() interface
- Dontaudit setattr on user tmp files for mozilla plugins
- Allow colord-sane to read proc/sys/kernel/osrelease
- Allow setroubleshoot_fixit to execute rpm
- Allow logwatch to getattr on all dirs
- Allow chrome and mozilla_plugin to create msgq and semaphores
- systemd_logind_t is looking at all files under /run/user/apache
- Allow confined users to ptrace screen
Mon Dec 17 13:00:00 2012 Miroslav Grepl 3.10.0-165
- Add php-fpm support
- Allow munin disk plugins to get attributes of all directories
- Fix gnome_manage_config() to allow to manage sock_file
Fri Dec 14 13:00:00 2012 Miroslav Grepl 3.10.0-164
- Add labeling for /var/www/openshift/{broker,console}
- Allow openshift_initrc domain to dbus chat with systemd_logind
- Allow httpd to getattr passenger log file if run_stickshift
- Add passenger_getattr_log_files interface
- Backport svirt_tcg policy
- munin wants to send sigkill to ping
- Allow munin plugins to send a signal to itself
- Allow munin to send signal to ping
Thu Dec 13 13:00:00 2012 Miroslav Grepl 3.10.0-163
- Allow openshift domain to read /dev/urand
- Add labeling for /var/www/openshift/console/{tmp,log} dirs
- gems seems to be placed in lots of places
- Add labeling for /usr/bin/pg_ctl
- Add labeling for HOME_DIR/irclogs
- Allow systemd-logind to manage keyring user tmp dirs. We allow it for user_tmp_t dirs.
- Add gnome_manage_gkeyringd_tmp_dirs() interface
- Allow spamd_update to create spamd_var_lib_t directories and ignore DAC when searching for directories
- Allow xend to run scsi_id
- Allow rhsmcertd-worker to read "physical_package_id"
- Allow lpr to read /usr/share/fonts
- Allow open file from CD/DVD drive on domU
- Dontaudit attempts by openshift to read apache logs
- Add sntp support to ntp policy
- Allow tor to read /proc/sys/kernel/random/uuid
Wed Dec 5 13:00:00 2012 Miroslav Grepl 3.10.0-162
- Backport openvswitch policy from F18
- Allow logrotate to transition to openvswitch domain
- opendkim should be a part of milter
- Add filename transition for /etc/tuned/active_profile
- Allow condor_master to send mails
- Allow condor_master to create /tmp files/dirs
- Allow condor_master to send sigkill to other condor domains
- Allow condor_procd sigkill capability
- tuned-adm wants to talk with tuned daemon
- Allow all application domains to use fifo_files passed in from userdomains
- pppd wants sys_nice by nmcli because of "syscall=sched_setscheduler"
- Fix mozilla_plugin_can_network_connect to allow to connect to all ports
- The host and a virtual machine can share the same printer on a usb device
- Backport thumb.te from F18
- Dontaudit leaks of locks or generic log files to systemprocesses
- Allow blueman to transition to ifconfig, dnsmasq
- Backport virt_lock_t from F18
- Allow syslogd to request the kernel to load a module
- Allow syslogd_t to read the network state information
- Add awstats_purge_apache_log boolean
- Allow ksysguardproces to read /.config/Trolltech.conf
- Allow passenger to create and append puppet log files
- Add puppet_append_log and puppet_create_log interfaces
- Allow rhsmcertd to send signal to itself
Wed Nov 21 13:00:00 2012 Miroslav Grepl 3.10.0-161
- Add commands needed to get mock to build from staff_t in enforcing mode
- Allow dbus-daemon to read/write inherited removable devices
- Add storage_rw_inherited_removable_device() interface
- fetchmail reads /etc/passwd
- Allow rhnsd to execute bin_t in the caller rhnsd_t domain
- Allow all daemons and systemprocesses to use inherited initrc_tmp_t files
- Allow enabling Network Access Point service using blueman
- Make vmware_host_t as unconfined domain
- Allow authenticate users in webaccess via squid, using mysql as backend
- Allow firewalld to read /etc/hosts
- Backport openshift.te from F18
- Dontaudit xdm_t to getattr on BOINC lib files
- Allow chrome and mozilla plugin to connect to msnp ports
Tue Nov 13 13:00:00 2012 Miroslav Grepl 3.10.0-160
- Allow BOINC client to use an HTTP proxy for all connections
- Add labeling for /var/lib/zarafa-webapp
- Allow mozilla plugins to read /dev/hpet
- Allow MPD to read /dev/random
- Allow dnsmasq to read /etc/NetworkManager
- Fix storage_rw_inherited_fixed_disk_dev() to cover also blk_file
- httpd needs to send signull to openshift init script
- Fix tftp_read_content() interface
Mon Nov 5 13:00:00 2012 Miroslav Grepl 3.10.0-159
- More fixes for passwd/group labeling
- New ypbind pkg wants to search /var/run which is caused by sd_notify
- dbus needs to be able to read/write inherited fixed disk device_t passed through it
- Allow NM to read certs on NFS/CIFS using use_nfs_*, use_samba_* booleans
- Add interface to make sure rpcbind.sock is created with the correct label
- Add support for OpenShift sbin labeling
Tue Oct 30 13:00:00 2012 Miroslav Grepl 3.10.0-158
- Fix labeling for passwd*
Tue Oct 23 14:00:00 2012 Miroslav Grepl 3.10.0-157
- logwatch wants sys_nice/setsched
- Add labeling for mcollectived
- Allow openshift domains to read localization
- Allow smokeping to execute fping in the netutils_t domain
- Allow support for notifyclamd option in /etc/freshclam.conf
- Allow mozilla-plugin-config to getattr on all fs
- Add tftp_homedir boolean
- Allow nslcd to connect to ldap port without boolean
- policykit-auth wants sys_nice
- openshift user domains want to r/w ssh tcp sockets
Wed Oct 17 14:00:00 2012 Miroslav Grepl 3.10.0-156
- Allow nfsd to write to mount_var_run_t
- Allow smokeping to execute bin_t
- Allow sshd_t to execute login program
- Allow prelink to read power_supply
- Allow alsa to r/w alsa config files
- Allow tuned to setsched kernel
- Add labeling for /usr/sbin/mkhomedir_helper
- Allow initrc_t to read all systemd unit files
- Allow mozilla_plugin_t to create .mplayer in users homedir
- Allow sshd to send syslog msgs
- Allow varnish execmem
- Allow mongodb_t to getattr on all file systems
- Allow pyzor running as spamc to manage amavis spool
- Allow rhnsd to read /usr/lib/locale
Tue Oct 16 14:00:00 2012 Miroslav Grepl 3.10.0-155
- Allow all openshift domains to read sysfs info
- Allow openshift domains to getattr on all domains
- Update httpd_run_stickshift boolean
- Allow hplip to execute bin_t
Tue Oct 9 14:00:00 2012 Miroslav Grepl 3.10.0-154
- Fix openshift labeling
- Allow groupadd to read SELinux file context
Sun Oct 7 14:00:00 2012 Miroslav Grepl 3.10.0-153
- Add openshift policy
- Add changes needed by openshift policy
- Allow vmnet-natd to request the kernel to load a module
- Allow winbind to read /usr/share/samba/codepages/lowcase.dat
- Access needed to allow hplip to send faxes
- abrt_dump_oops needs to read debugfs
- Add support for HTTPProxy* in /etc/freshclam.conf
Fri Oct 5 14:00:00 2012 Miroslav Grepl 3.10.0-152
- Add file transition for mongodb lib dirs
- Add labeling for /var/lib/mongo, /var/run/mongo
- Allow gpg to write to /etc/mail/spamassassin directories
- Add support for hplip logs stored in /var/log/hp/tmp
- Allow winbind to read usr_t
- Add rhnsd policy
- Add labeling for /etc/owncloud/config.php
Thu Sep 27 14:00:00 2012 Miroslav Grepl 3.10.0-151
- Allow winbind to connect to ldap without a boolean
- Allow mozilla-plugin to connect to commplex port
- Fix tomcat template interface
- Allow thumb to use user fonts
Mon Sep 24 14:00:00 2012 Miroslav Grepl 3.10.0-150
- Backport tomcat fixes from F18
- Add filename transition for mongod.log
- Dontaudit jockey to search /root/.local
- Fix passenger labeling
- Fix corenetwork interfaces which need to require ephemeral_port_t
- Allow user domains to use tmpfs_t when it is created by the kernel and inherited by the app, i.e. no open
Mon Sep 17 14:00:00 2012 Miroslav Grepl 3.10.0-149
- Add sanlock_use_fusefs boolean
- Add stapserver policy from F18
- Allow rhnsd to send syslog msgs
- ABRT wants to read Xorg.0.log if it detects problem with Xorg
- Allow chrome_sandbox to leak unix_dgram_socket into chrome_sandbox_nacl_t
- Allow postalias to read postfix config files
- Allow tmpreaper to cleanup all files in /tmp
- Allow chown capability for zarafa domains
- Allow xauth to read /dev/urandom
- Allow tmpreaper to list admin_home dir
- Allow clamd to write/delete own pid file with clamd_var_run_t label
- Add support for gitolite3
- Allow virsh_t to getattr on virtd_exec_t
- Allow virsh can_exec on virsh_exec_t
- Look up group name by spamass-milter-postfix
- Add mozilla_plugin_can_network_connect boolean
- Fix /var/lib/sqlgrey labeling
- Add support for a new path for passenger
Tue Aug 28 14:00:00 2012 Miroslav Grepl 3.10.0-148
- Allow virsh to stream connect to virtd
- Add support for $HOME/.cache/libvirt
- Allow groupadd_t to search default_context
- Allow xdm_t to search dirs with xdm_unconfined_exec_t label
- Allow ksysguardproces to read/write config_usr_t
- Backport passenger policy from F18
- Allow wdmd to create wdmd_tmpfs_t
Thu Aug 23 14:00:00 2012 Miroslav Grepl 3.10.0-147
- Fix passenger labeling
- Add thumb_tmpfs_t files type
- Add file name transitions for ttyACM0
- Allow virtd to send dbus messages to firewalld
Mon Aug 20 14:00:00 2012 Miroslav Grepl 3.10.0-146
- Allow tmpreaper to delete unlabeled files
- Backport selinux_login_config fixes from F18 for sssd
- Allow thumb drives to create shared memory and semaphores
- Make "snmpwalk -mREDHAT-CLUSTER-MIB ...." working
- Allow dlm_controld to execute dlm_stonith labeled as bin_t
- Allow GFS2 working on F17
- Allow thumb to getattr on all fs
- Allow condor domains to read kernel sysctls
- Allow condor_master to connect to amqp
- Allow abrt to read mozilla_plugin config files
- Backport squid policy with support for lightsquid
- Allow useradd to modify /etc/default/useradd
- dovecot_auth_t uses ldap for user auth
- Dontaudit mozilla_plugin attempts to ipc_lock
- Allow tmpreaper to search unlabeled /tmp/kdecache-root
- Allow jockey to list the contents of modprobe.d
- Allow web plugins to connect to the asterisk ports
Wed Aug 8 14:00:00 2012 Miroslav Grepl 3.10.0-145
- Allow Chrome_ChildIO to read dosfs_t
- Fix svirt to be allowed to use fusefs file system
- Sanlock needs to send Kill Signals to non root process
- Allow sendmail to read/write postfix_delivery_t
Mon Aug 6 14:00:00 2012 Miroslav Grepl 3.10.0-144
- Allow sendmail to read/write postfix_delivery_t
- Update sanlock policy to solve all AVCs
- Change virt interface so confined users can optionally manage virt content
- setroubleshoot was trying to getattr on sysctl and proc stuff
- Need to allow svirt_t ability to getattr on nfs_t file system
- Allow staff users to run svirt_t processes
- Add new booleans to allow staff user and unprivuser to use boxes
Thu Aug 2 14:00:00 2012 Miroslav Grepl 3.10.0-143
- Alias firstboot_tmp_t to tmp_t
- Add support for sqlgrey
- Allow postfix to connect to spampd
- Add support for spampd and treat it as spamd_t policy
- Allow munin mail plugin to read exim.log
- Fix mta_mailserver_delivery() interface
- Allow logrotate to getattr on systemd unit files
- Allow tor to read kernel sysctls
- Add new man pages
- Fix labeling for pingus
Fri Jul 27 14:00:00 2012 Miroslav Grepl 3.10.0-142
- Regenerate man pages
- Dontaudit mysqld_safe sending signull to random domains
- Add interface for mysqld to dontaudit signull to all processes
- Allow editparams.cgi running as httpd_bugzilla_script_t to read /etc/group
- Allow smbd to read cluster config
- Add additional labeling for passenger
- Add labeling for /var/motion
- Add amavis_use_jit boolean
- Allow mongod to connect to postgresql port
Tue Jul 24 14:00:00 2012 Miroslav Grepl 3.10.0-141
- Allow samba_net to read /proc/net
- Allow hplip_t to send notification dbus messages to users
- Allow mailserver_deliver to read/write own pip
- Allow munin-plugin domains to read /etc/passwd
- Allow postfix_cleanup to use sockets created for smtpd
- Dovecot seems to be searching directories of every mountpoint, lets just dontaudit this
- Allow mozilla-plugin to read all kernel sysctls
- Allow jockey to read random/urandom
- Dontaudit dovecot to search all dirs
- Add additional params to allow cachedfiles to manage its content
- gpg agent needs to read /dev/random
- Add labelling and allow rules based on AVCs from RHEL6 for amavis
Wed Jul 18 14:00:00 2012 Miroslav Grepl 3.10.0-140
- Add support for rhnsd daemon
- Allow cgclear to read cgconfig
- Allow sys_ptrace capability for snmp
- Allow freshclam to read /proc
- Fix rhsmcertd pid filetrans
- Allow NM to execute wpa_cli
- Allow procmail to manage /home/user/Maildir content
- Allow amavis to read clamd system state
- Allow postdrop to use unix_stream_sockets leaked into it
- Allow uucpd_t to uucpd port
Sun Jul 15 14:00:00 2012 Miroslav Grepl 3.10.0-139
- Add support for ecryptfs
  * ecryptfs does not support xattr
- Allow lpstat.cups to read fips_enabled file
- Allow pyzor running as spamc_t to create /root/.pyzor directory
- Add labeling for amavisd-snmp init script
- Add support for amavisd-snmp
- Allow fprintd sigkill self
- Allow xend (w/o libvirt) to start virtual machines
- Allow aiccu to read /etc/passwd
- accountsd needs to fchown some files/directories
- Add ICAClient and zimbrauserdata as mozilla_filetrans_home_content
- Allow xend_t to read the /etc/passwd file
- Allow freshclam to update databases thru HTTP proxy
- Add init_access_check() interface
- Allow s-m-config to access check on systemd
- Allow abrt to read public files by default
- Fix amavis_create_pid_files() interface
- Allow tuned sys_nice, sys_admin caps
- Allow amavisd to execute fsav
- Allow system_dbusd_t to stream connect to bluetooth, and use its socket
Tue Jul 10 14:00:00 2012 Miroslav Grepl 3.10.0-138
- Add labeling for aeolus-configserver-thinwrapper
- Allow thin domains to execute shell
- Allow OpenMPI job running as condor_startd_ssh_t to manage condor lib files
- Allow OpenMPI job to use kerberos
- Make deltacloudd_t as nsswitch_domain
- Allow xend_t to run lsscsi
- Allow qemu-dm running as xend_t to create tun_socket
- Allow jockey-backend to read pyconfig-64.h labeled as usr_t
- Fix alsa_manage_home_files interface
- Fix clamscan_can_scan_system boolean
- Allow lpr to connectto to /run/user/$USER/keyring-22uREb/pkcs11
Tue Jul 3 14:00:00 2012 Miroslav Grepl 3.10.0-137
- Fixes for passenger running within openshift
- Add labeling for all tomcat6 dirs
- Allow cobblerd to read /etc/passwd
- Allow jockey to read sysfs and execute binaries with bin_t
- Allow thumb to use user terminals
- Allow systemd_logind_t to read/write /dev/input0
Fri Jun 29 14:00:00 2012 Miroslav Grepl 3.10.0-136
- Fixes to make minimal policy to be installed
Wed Jun 27 14:00:00 2012 Miroslav Grepl 3.10.0-135
- abrt_watch_log should be abrt_domain
- add ptrace_child access to process
- Allow mozilla_plugin to connect to gatekeeper port
- Allow dbomatic to execute ruby
- Allow boinc domains to manage boinc_lib_t lnk_files
- Add support for boinc-client.service unit file
- add support for boinc.log
- Allow httpd_smokeping_cgi_script_t to read /etc/passwd
Tue Jun 26 14:00:00 2012 Miroslav Grepl 3.10.0-134
- Allow mozilla_plugin execmod on mozilla home files if allow_execmod
- Allow dovecot_deliver_t to read dovecot_var_run_t
- Add tomcat policy from F18
- Allow ldconfig and insmod to manage kdumpctl tmp files
- Add kdumpctl policy
- Move thin policy out from cloudform.pp and add a new thin policy files
- pacemaker needs to communicate with corosync streams
- abrt is now started on demand by dbus
- Allow certmonger to talk directly to Dogtag servers
- Change labeling for /var/lib/cobbler/webui_sessions to httpd_cobbler_rw_content_t
- Allow mozilla_plugin to execute gstreamer home files
- Allow useradd to delete all file types stored in the users homedir
- rhsmcertd reads the rpm database
- Add support for lightdm
Fri Jun 22 14:00:00 2012 Miroslav Grepl 3.10.0-133
- Dontaudit thumb to setattr on xdm_tmp dirs
- Allow wicd to execute ldconfig
- Add /var/run/cherokee\.pid labeling
- Allow snort to create netlink_socket
- Allow setpcap for rpcd_t
- Firstboot should be just creating tmp_t dirs
- Transition xauth files within firstboot_tmp_t
- Fix labeling of /run/media to match /media
- Allow firstboot to create tmp_t files/directories
- Label tuned scripts located in /etc as bin_t
- Add port definition for mxi port
- Fix labeling for /var/log/lxdm.log.old
- Allow ddclient to read /etc/passwd
- change dovecot_deliver to manage mail_home_rw_t
- Remove razor/pyzor policy
- Allow local_login_t to execute tmux
- Allow mozilla_plugin_t to execute the dynamic link/loader
Mon Jun 18 14:00:00 2012 Miroslav Grepl 3.10.0-132
- apcupsd needs to read /etc/passwd
- Sanlock also sends sigkill
- Allow glance_registry to connect to the mysqld port
- Dontaudit mozilla_plugin trying to getattr on /dev/gpmctl
- Allow firefox plugins/flash to connect to port 1234
- Allow mozilla plugins to delete user_tmp_t files
- Add transition name rule for printers.conf.O
- Allow virt_lxc_t to read urand
- Allow systemd_logind to list gstreamer_home_dirs
- Fix labeling for /usr/bin
- Fixes for cloudform services
  * support FIPS
- Allow polipo to work as web caching
- Allow chfn to execute tmux
Fri Jun 15 14:00:00 2012 Miroslav Grepl 3.10.0-131
- Fix labeling of kerberos host cache files, allow rpc.svcgssd to manage
- Allow dovecot to manage Maildir content, fix transitions to Maildir
- Allow postfix_local to transition to dovecot_deliver
- Dontaudit attempts to setattr on xdm_tmp_t, looks like bogus code
- Cleanup interface definitions
- Allow apmd to change with the logind daemon
- Changes required for sanlock in rhel6
- Label /run/user/apache as httpd_tmp_t
- Allow thumb to use lib_t as execmod if boolean turned on
- Allow squid to create the squid directory in /var with the correct
- When staff_t runs libvirt it reads dnsmasq_var_run_t
- Mount command now lists user_tmp looking for gvfs
- /etc/blkid is moving to /run/blkid
- Allow rw_cgroup_files to also read a symlink
- Make sure gdm directory in ~/.cache/gdm gets created with the correct label
- Add labeling for .cache/gdm in the homedir
- Allow mount to mount on user_tmp_t for /run/user/dwalsh/gvfs
- xdm now needs to execute xsession_exec_t
- Need labels for /var/lib/gdm
Mon Jun 11 14:00:00 2012 Miroslav Grepl 3.10.0-130
- Dontaudit logwatch to getattr on /dev/dm-2
- Allow policykit-auth to manage kerberos files
- Allow systemd_logind_t to signal, signull, sigkill all processes
- Add filetrans rules for etc_runtime files
- Allow systemd_login to send signals to devicekit power
- Allow systemd_logind to signal initrc scripts to handle third party packages running as initrc_t
- Allow virsh to read /etc/passwd
- Allow policykit to manage kerberos rcache files
- Allow systemd-logind to send a signal to init_t
- /usr/sbin/xl2tpd wants to read /etc/group
- Allow ncftool to list the content of /etc/modprobe.d
- Allow dkim-milter to listen on own tcp_socket
Fri Jun 8 14:00:00 2012 Miroslav Grepl 3.10.0-129
- Allow collectd to read virt config
- Allow collectd setsched
- Add support for /usr/sbin/mdm*
- Fix java binaries labels when installed under /usr/lib/jvm/java
- Add labeling for /var/run/mdm
- Allow apps that can read net_conf_t files read symlinks
- Allow all domains that can search or read tmp_t, able to read a tmp_t link
- Dontaudit mozilla_plugin looking at xdm_tmp_t
- Looks like collectd needs to change its scheduling priority
- Allow uux_t to access nsswitch data
- New labeling for samba, pid dirs moved to subdirs of samba
- Allow nova_api to use nsswitch
- Allow mozilla_plugin to execute files labeled as lib_t
- Label content under HOME_DIR/zimbrauserdata as mozilla_home data
- abrt is fooled into reading mozilla_plugin content, we want to dontaudit
- Allow mozilla_plugin to connect to ircd ports since a plugin might be an irc chat window
- Allow winbind to create content in smbd_var_run_t directories
- Allow setroubleshoot_fixit to read the selinux policy store. No reason to deny it
- Support libvirt plugin for collectd
Wed May 30 14:00:00 2012 Miroslav Grepl 3.10.0-128
- Fix description of authlogin_nsswitch_use_ldap
- Fix transition rule for rhsmcertd_t needed for RHEL7
- Allow useradd to list nfs state data
- Allow openvpn to manage its log file and directory
- We want vdsm to transition to mount_t when executing mount command to make sure /etc/mtab remains labeled correctly
- Allow thumb to use nvidia devices
- Allow local_login to create user_tmp_t files for kerberos
- Pulseaudio needs to read systemd_login /var/run content
- virt should only transition named system_conf_t config files
- Allow munin to execute its plugins
- Allow nagios system plugin to read /etc/passwd
- Allow plugin to connect to soundd port
- Fix httpd_passwd to be able to ask passwords
- Radius servers can use ldap for backing store
- Seems to need to mount on /var/lib for xguest polyinstantiation to work.
- Allow systemd_logind to list the contents of gnome keyring
- VirtualGL needs xdm to be able to manage content in /etc/opt/VirtualGL
- Add policy for isns-utils
Mon May 28 14:00:00 2012 Miroslav Grepl 3.10.0-127
- Add policy for subversion daemon
- Allow boinc to read passwd
- Allow pads to read kernel network state
- Fix man2html interface for sepolgen-ifgen
- Remove extra /usr/lib/systemd/system/smb
- Remove all /lib/systemd and replace with /usr/lib/systemd
- Add policy for man2html
- Fix the label of kerberos_home_t to krb5_home_t
- Allow mozilla plugins to use Citrix
- Allow tuned to read /proc/sys/kernel/nmi_watchdog
- Allow tuning /sys options via systemd's tmpfiles.d "w" type
Wed May 23 14:00:00 2012 Miroslav Grepl 3.10.0-126
- Dontaudit lpr_t to read/write leaked mozilla tmp files
- Add file name transition for .grl-podcasts directory
- Allow corosync to read user tmp files
- Allow fenced to create snmp lib dirs/files
- More fixes for sge policy
- Allow mozilla_plugin_t to execute any application
- Allow dbus to read/write any open file descriptors to any non security file on the system that it inherits so that it can pass them to another domain
- Allow mongod to read system state information
- Fix wrong type, we should dontaudit sys_admin for xdm_t not xserver_t
- Allow polipo to manage polipo_cache dirs
- Add jabber_client port to mozilla_plugin_t
- Cleanup procmail policy
- system bus will pass around open file descriptors on files that do not have labels on them
- Allow l2tpd_t to read system state
- Allow tuned to run ls /dev
- Allow sudo domains to read usr_t files
- Add label to machine-id
- Fix corecmd_read_bin_symlinks cut and paste error
Wed May 16 14:00:00 2012 Miroslav Grepl 3.10.0-125
- Fix pulseaudio port definition
- Add labeling for condor_starter
- Allow chfn_t to create user_tmp_files
- Allow chfn_t to execute bin_t
- Allow prelink_cron_system_t to getpw calls
- Allow sudo domains to manage kerberos rcache files
- Allow user_mail_domains to work with courier
- Port definitions necessary for running jboss apps within openshift
- Add support for openstack-nova-metadata-api
- Add support for nova-console*
- Add support for openstack-nova-xvpvncproxy
- Fixes to make privsep+SELinux working if we try to use chage to change passwd
- Fix auth_role() interface
- Allow numad to read sysfs
- Allow matahari-rpcd to execute shell
- Add label for ~/.spicec
- xdm is executing lspci as root which is requesting a sys_admin priv but seems to succeed without it
- Devicekit_disk wants to read the logind sessions file when writing a cd
- Add fixes for condor to make condor jobs working correctly
- Change label of /var/log/rpmpkgs to cron_log_t
- Access required to allow systemd-tmpfiles --create to work.
- Fix obex to be a user application started by the session bus.
- Add additional filename trans rules for kerberos
- Fix /var/run/heartbeat labeling
- Allow apps that are managing rcache to file trans correctly
- Allow openvpn to authenticate against ldap server
- Containers need to listen to network starting and stopping events
Wed May 9 14:00:00 2012 Miroslav Grepl 3.10.0-124
- Make systemd unit files less specific
Mon May 7 14:00:00 2012 Miroslav Grepl 3.10.0-123
- Fix zarafa labeling
- Allow guest_t to fix labeling
- corenet_tcp_bind_all_unreserved_ports(ssh_t) should be called with the user_tcp_server boolean
- add lxc_contexts
- Allow accountsd to read /proc
- Allow restorecond to getattr on all file systems
- tmpwatch now calls getpw
- Allow apache daemon to transition to pwauth domain
- Label content under /var/run/user/NAME/keyring* as gkeyringd_tmp_t
- The obex socket seems to be a stream socket
- Add label for /var/run/nologin
Mon May 7 14:00:00 2012 Miroslav Grepl 3.10.0-122
- Allow jetty running as httpd_t to read hugetlbfs files
- Allow sys_nice and setsched for rhsmcertd
- Dontaudit attempts by mozilla_plugin_t to bind to ssdp ports
- Allow setfiles to append to xdm_tmp_t
- Add labeling for /export as a usr_t directory
- Add labels for .grl files created by gstreamer
Fri May 4 14:00:00 2012 Miroslav Grepl 3.10.0-121
- Add labeling for /usr/share/jetty/bin/jetty.sh
- Add jetty policy which contains file type definitions
- Allow jockey to use its own fifo_file and make this the default for all domains
- Allow mozilla_plugins to use spice (vnc_port/couchdb)
- asterisk wants to read the network state
- Blueman now uses /var/lib/blueman
- Add label for nodejs_debug
- Allow mozilla_plugin_t to create ~/.pki directory and content
Wed May 2 14:00:00 2012 Miroslav Grepl 3.10.0-120
- Add clamscan_can_scan_system boolean
- Allow mysqld to read kernel network state
- Allow sshd to read/write condor lib files
- Allow sshd to read/write condor-startd tcp socket
- Fix description on httpd_graceful_shutdown
- Allow glance_registry to communicate with mysql
- dbus_system_domain is using systemd to launch applications
- add interfaces to allow domains to send kill signals to user mail agents
- Remove unnecessary access for svirt_lxc domains, add privs for virtd_lxc_t
- Lots of new access required for secure containers
- Corosync needs sys_admin capability
- Allow colord to create shm
- .orc should be allowed to be created by any app that can create gstream home content, thumb_t to be specific
- Add boolean to control whether or not mozilla plugins can create random content in the users homedir
- Add new interface to allow domains to list mysql_db directories, needed for libra
- shutdown has to be allowed to delete etc_runtime_t
- Fail2ban needs to read /etc/passwd
- Allow ldconfig to create /var/cache/ldconfig
- Allow tgtd to read hardware state information
- Allow collectd to create packet socket
- Allow chronyd to send signal to itself
- Allow collectd to read /dev/random
- Allow collectd to send signal to itself
- firewalld needs to execute restorecon
- Allow restorecon and other login domains to execute restorecon
Thu Apr 26 14:00:00 2012 Miroslav Grepl 3.10.0-119
- Allow logrotate to getattr on systemd unit files
- Add support for tor systemd unit file
- Allow apmd to create /var/run/pm-utils with the correct label
- Allow l2tpd to send sigkill to pppd
- Allow pppd to stream connect to l2tpd
- Add label for scripts in /etc/gdm/
- Allow systemd_logind_t to ignore mcs constraints on sigkill
- Fix files_filetrans_system_conf_named_files() interface
- Add labels for /usr/share/wordpress/wp-includes/*.php
- Allow cobbler to get SELinux mode and booleans
Mon Apr 23 14:00:00 2012 Miroslav Grepl 3.10.0-118
- Add unconfined_execmem_exec_t as an alias to bin_t
- Allow fenced to read snmp var lib files, also allow it to read usr_t
- Dontaudit access checks on all executables from mozilla_plugin
- Allow all user domains to setexec, so that sshd will work properly if it calls setexec(NULL) while running within a user mode
- Allow systemd_tmpfiles_t to getattr all pipes and sockets
- Allow glance-registry to send system log messages
- semanage needs to manage mock lib files/dirs
Sun Apr 22 14:00:00 2012 Miroslav Grepl 3.10.0-117
- Add policy for abrt-watch-log
- Add definitions for jboss_messaging ports
- Allow systemd_tmpfiles to manage printer devices
- Allow oddjob to use nsswitch
- Fix labeling of log files for postgresql
- Allow mozilla_plugin_t to execmem and execstack by default
- Allow firewalld to execute shell
- Fix /etc/wicd content files to get created with the correct label
- Allow mcelog to exec shell
- Add ~/.orc as a gstreamer_home_t
- /var/spool/postfix/lib64 should be labeled lib_t
- tmpreaper should be able to list all file system labeled directories
- Add support for apache to use openstack
- Add labeling for /etc/zipl.conf and zipl binary
- Turn on allow_execstack and turn off telepathy transition for final release
Sun Apr 15 14:00:00 2012 Miroslav Grepl 3.10.0-116
- More access required for virt_qmf_t
- Additional access required for systemd-logind to support multi-seat
- Allow mozilla_plugin to setrlimit
- Revert changes to fuse file system to stop deadlock
Sun Apr 15 14:00:00 2012 Miroslav Grepl 3.10.0-115
- Allow condor domains to connect to ephemeral ports
- More fixes for condor policy
- Allow keystone to stream connect to mysqld
- Allow mozilla_plugin_t to read generic USB device to support GPS devices
- Allow thumb to file name transition gstreamer home content
- Allow thumb to read all non security files
- Allow glance_api_t to connect to ephemeral ports
- Allow nagios plugins to read /dev/urandom
- Allow syslogd to search postfix spool to support postfix chroot env
- Fix labeling for /var/spool/postfix/dev
- Allow wdmd chown
- Label .esd_auth as pulseaudio_home_t
- Have no idea why keyring tries to write to /run/user/dwalsh/dconf/user, but we can dontaudit for now
Fri Apr 13 14:00:00 2012 Miroslav Grepl 3.10.0-114
- Add support for clamd+systemd
- Allow freshclam to execute systemctl to handle clamd
- Change labeling for /usr/sbin/rpc.ypasswd.env
- Allow yppasswd_t to execute yppasswd_exec_t
- Allow yppasswd_t to read /etc/passwd
- Gnomekeyring socket has been moved to /run/user/USER/
- Allow samba-net to connect to ldap port
- Allow signal for vhostmd
- allow mozilla_plugin_t to read user_home_t socket
- New access required for secure Linux Containers
- zfs now supports xattrs
- Allow quantum to execute sudo and list sysfs
- Allow init to dbus chat with the firewalld
- Allow zebra to read /etc/passwd
Tue Apr 10 14:00:00 2012 Miroslav Grepl 3.10.0-113
- Allow svirt_t to create content in the users homedir under ~/.libvirt
- Fix label on /var/lib/heartbeat
- Allow systemd_logind_t to send kill signals to all processes started by a user
- Fuse now supports Xattr Support
Tue Apr 10 14:00:00 2012 Miroslav Grepl 3.10.0-112
- upowerd needs to setsched on the kernel
- Allow mpd_t to manage log files
- Allow xdm_t to create /var/run/systemd/multi-session-x
- Add rules for missedfont.log to be used by thumb.fc
- Additional access required for virt_qmf_t
- Allow dhclient to dbus chat with the firewalld
- Add label for lvmetad
- Allow systemd_logind_t to remove userdomain sock_files
- Allow cups to execute usr_t files
- Fix labeling on nvidia shared libraries
- wdmd_t needs access to sssd and /etc/passwd
- Add boolean to allow ftp servers to run in passive mode
- Allow namespace_init_t to relabelto/from a different user system_u from the user the namespace_init running with
- Fix using httpd_use_fusefs
- Allow chrome_sandbox_nacl to write inherited user tmp files as we allow it for chrome_sandbox
Fri Apr 6 14:00:00 2012 Miroslav Grepl 3.10.0-111
- Rename rdate port to time port, and allow gnomeclock to connect to it
- We no longer need to transition to ldconfig from rpm, rpm_script, or anaconda
- /etc/auto.* should be labeled bin_t
- Add httpd_use_fusefs boolean
- Add fixes for heartbeat
- Allow sshd_t to signal processes that it transitions to
- Add condor policy
- Allow svirt to create monitors in ~/.libvirt
- Allow dovecot to domtrans sendmail to handle sieve scripts
- Lot of fixes for cfengine
Tue Apr 3 14:00:00 2012 Miroslav Grepl 3.10.0-110 - /var/run/postmaster.* labeling is no longer needed - Allow drbdadmin to read /dev/urandom - l2tpd_t seems to use ptmx - group+ and passwd+ should be labeled as /etc/passwd - Zarafa-indexer is a socket
Fri Mar 30 14:00:00 2012 Miroslav Grepl 3.10.0-109 - Ensure lastlog is labeled correctly - Allow accountsd to read /proc data about gdm - Add fixes for tuned - Add bcfg2 fixes which were discovered during RHEL6 testing - More fixes for gnome-keyring socket being moved - Run semanage as a unconfined domain, and allow initrc_t to create tmpfs_t sym links on shutdown - Fix description for files_dontaudit_read_security_files() interface
Wed Mar 28 14:00:00 2012 Miroslav Grepl 3.10.0-108 - Add new policy and man page for bcfg2 - cgconfig needs to use getpw calls - Allow domains that communicate with the keyring to use cache_home_t instead of gkeyringd_tmpt - gnome-keyring wants to create a directory in cache_home_t - sanlock calls getpw
Wed Mar 28 14:00:00 2012 Miroslav Grepl 3.10.0-107 - Add numad policy and numad man page - Add fixes for interface bugs discovered by SEWatch - Add /tmp support for squid - Add fix for #799102 * change default labeling for /var/run/slapd.* sockets - Make thumb_t as userdom_home_reader - label /var/lib/sss/mc same as pubconf, so getpw domains can read it - Allow smbspool running as cups_t to stream connect to nmbd - accounts needs to be able to execute passwd on behalf of users - Allow systemd_tmpfiles_t to delete boot flags - Allow dnssec_trigger to connect to apache ports - Allow gnome keyring to create sock_files in ~/.cache - google_authenticator is using .google_authenticator - sandbox running from within firefox is exposing more leaks - Dontaudit thumb to read/write /dev/card0 - Dontaudit getattr on init_exec_t for gnomeclock_t - Allow certmonger to do a transition to certmonger_unconfined_t - Allow dhcpc setsched which is caused by nmcli - Add rpm_exec_t for /usr/sbin/bcfg2 - system cronjobs are sending dbus messages to systemd_logind - Thumnailers read /dev/urand
Thu Mar 22 13:00:00 2012 Miroslav Grepl 3.10.0-106 - Allow auditctl getcap - Allow vdagent to use libsystemd-login - Allow abrt-dump-oops to search /etc/abrt - Got these avc's while trying to print a boarding pass from firefox - Devicekit is now putting the media directory under /run/media - Allow thumbnailers to create content in ~/.thumbnails directory - Add support for proL2TPd by Dominick Grift - Allow all domains to call getcap - wdmd seems to get a random chown capability check that it does not need - Allow vhostmd to read kernel sysctls
Wed Mar 21 13:00:00 2012 Miroslav Grepl 3.10.0-105 - Allow chronyd to read unix - Allow hpfax to read /etc/passwd - Add support matahari vios-proxy-* apps and add virtd_exec_t label for them - Allow rpcd to read quota_db_t - Update to man pages to match latest policy - Fix bug in jockey interface for sepolgen-ifgen - Add initial svirt_prot_exec_t policy
Mon Mar 19 13:00:00 2012 Miroslav Grepl 3.10.0-104 - More fixes for systemd from Dan Walsh
Mon Mar 19 13:00:00 2012 Miroslav Grepl 3.10.0-103 - Add a new type for /etc/firewalld and allow firewalld to write to this directory - Add definition for ~/Maildir, and allow mail deliver domains to write there - Allow polipo to run from a cron job - Allow rtkit to schedule wine processes - Allow mozilla_plugin_t to acquire a bug, and allow it to transition gnome content in the home dir to the proper label - Allow users domains to send signals to consolehelper domains
Fri Mar 16 13:00:00 2012 Miroslav Grepl 3.10.0-102 - More fixes for boinc policy - Allow polipo domain to create its own cache dir and pid file - Add systemctl support to httpd domain - Add systemctl support to polipo, allow NetworkManager to manage the service - Add policy for jockey-backend - Add support for motion daemon which is now covered by zoneminder policy - Allow colord to read/write motion tmpfs - Allow vnstat to search through var_lib_t directories - Stop transitioning to quota_t, from init an sysadm_t
Wed Mar 14 13:00:00 2012 Miroslav Grepl 3.10.0-101 - Add svirt_lxc_file_t as a customizable type
Wed Mar 14 13:00:00 2012 Miroslav Grepl 3.10.0-100 - Add additional fixes for icmp nagios plugin - Allow cron jobs to open fifo_files from cron, since service script opens /dev/stdin - Add certmonger_unconfined_exec_t - Make sure tap22 device is created with the correct label - Allow staff users to read systemd unit files - Merge in previously built policy - Arpwatch needs to be able to start netlink sockets in order to start - Allow cgred_t to sys_ptrace to look at other DAC Processes
Mon Mar 12 13:00:00 2012 Miroslav Grepl 3.10.0-99 - Back port some of the access that was allowed in nsplugin_t - Add definitions for couchdb ports - Allow nagios to use inherited users ttys - Add git support for mock - Allow inetd to use rdate port - Add own type for rdate port - Allow samba to act as a portmapper - Dontaudit chrome_sandbox attempts to getattr on chr_files in /dev - New fixes needed for samba4 - Allow apps that use lib_t to read lib_t symlinks
Fri Mar 9 13:00:00 2012 Miroslav Grepl 3.10.0-98 - Add policy for nova-cert - Add labeling for nova-openstack systemd unit files - Add policy for keystone
Thu Mar 8 13:00:00 2012 Miroslav Grepl 3.10.0-97 - Fix man pages for domains - Add man pages for SELinux users and roles - Add storage_dev_filetrans_named_fixed_disk() and use it for smartmon - Add policy for matahari-rpcd - nfsd executes mount command on restart - Matahari domains execute renice and setsched - Dontaudit leaked tty in mozilla_plugin_config - mailman is changing to a per instance naming - Add 7600 and 4447 as jboss_management ports - Add fixes for nagios event handlers - Label httpd.event as httpd_exec_t, it is an apache daemon
Mon Mar 5 13:00:00 2012 Miroslav Grepl 3.10.0-96 - Add labeling for /var/spool/postfix/dev/log - NM reads sysctl.conf - Iscsi log file context specification fix - Allow mozilla plugins to send dbus messages to user domains that transition to it - Allow mysql to read the passwd file - Allow mozilla_plugin_t to create mozilla home dirs in user homedir - Allow deltacloud to read kernel sysctl - Allow postgresql_t to connectto itself - Add login_userdomain attribute for users which can log in using terminal
Tue Feb 28 13:00:00 2012 Miroslav Grepl 3.10.0-95 - Allow sysadm_u to reach system_r by default #784011 - Allow nagios plugins to use inherited user terminals - Razor labeling is no longer used - Add systemd support for matahari - Add port_types to man page, move booleans to the top, fix some english - Add support for matahari-sysconfig-console - Clean up matahari.fc - Fix matahari_admin() interface - Add labels for /etc/ssh/ssh_host_*.pub keys
Mon Feb 27 13:00:00 2012 Miroslav Grepl 3.10.0-94 - Allow ksysguardproces to send system log msgs - Allow boinc setpgid and signull - Allow xdm_t to sys_ptrace to run pidof command - Allow smtpd_t to manage spool files/directories and symbolic links - Add labeling for jetty - Needed changes to get unbound/dnssec to work with openswan
Thu Feb 23 13:00:00 2012 Miroslav Grepl 3.10.0-93 - Add user_fonts_t alias xfs_tmp_t - Since depmod now runs as insmod_t we need to write to kernel_object_t - Allow firewalld to dbus chat with networkmanager - Allow qpidd to connect to matahari ports - policykit needs to read /proc for users not owned by it - Allow systemctl apps to connect to the init stream
Wed Feb 22 13:00:00 2012 Miroslav Grepl 3.10.0-92 - Turn on deny_ptrace boolean
Tue Feb 21 13:00:00 2012 Miroslav Grepl 3.10.0-91 - Remove pam_selinux.8 man page. There was a conflict.
Tue Feb 21 13:00:00 2012 Miroslav Grepl 3.10.0-90 - Add proxy class and read access for gssd_proxy - Separate out the sharing public content booleans - Allow certmonger to execute a script and send signals to apache and dirsrv to reload the certificate - Add label transition for gstream-0.10 and 12 - Add booleans to allow rsync to share nfs and cifs file systems - chrome_sandbox wants to read the /proc/PID/exe file of the program that executed it - Fix filename transitions for cups files - Allow denyhosts to read "unix" - Add file name transition for locale.conf.new - Allow boinc projects to gconf config files - sssd needs to be able to increase the socket limit under certain loads - sge_execd needs to read /etc/passwd - Allow denyhost to check network state - NetworkManager needs to read sessions data - Allow xen to search virt images directories - Add label for /dev/megaraid_sas_ioctl_node - Add autogenerated man pages
Thu Feb 16 13:00:00 2012 Miroslav Grepl 3.10.0-89 - Allow boinc project to getattr on fs - Allow init to execute initrc_state_t - rhev-agent package was renamed to ovirt-guest-agent - If initrc_t creates /etc/local.conf then we need to make sure it is labeled correctly - systemd writes content to /run/initramfs and executes it on shutdown - kdump_t needs to read /etc/mtab, should be back ported to F16 - udev needs to load kernel modules in early system boot
Tue Feb 14 13:00:00 2012 Miroslav Grepl 3.10.0-88 - Need to add sys_ptrace back in since reading any content in /proc can cause these accesses - Add additional systemd interfaces which are needed for *_admin interfaces - Fix bind_admin() interface
Mon Feb 13 13:00:00 2012 Miroslav Grepl 3.10.0-87 - Allow firewalld to read urand - Alias java, execmem_mono to bin_t to allow third parties - Add label for kmod - /etc/redhat-lsb contains binaries - Add boolean to allow gitosis to send mail - Add filename transition also for "event20" - Allow systemd_tmpfiles_t to delete all file types - Allow collectd to ipc_lock
Fri Feb 10 13:00:00 2012 Miroslav Grepl 3.10.0-86 - make consoletype_exec optional, so we can remove consoletype policy - remove unconfined_permisive.patch - Allow openvpn_t to inherit user home content and tmp content - Fix dnssec-trigger labeling - Turn on obex policy for staff_t - Pem files should not be secret - Add lots of rules to fix AVC's when playing with containers - Fix policy for dnssec - Label ask-passwd directories correctly for systemd
Thu Feb 9 13:00:00 2012 Miroslav Grepl 3.10.0-85 - sshd fixes seem to be causing unconfined domains to dyntrans to themselves - fuse file system is now being mounted in /run/user - systemd_logind is sending signals to processes that are dbus messaging with it - Add support for winshadow port and allow iscsid to connect to this port - httpd should be allowed to bind to the http_port_t udp socket - zarafa_var_lib_t can be a lnk_file - A couple of new .xsession-errors files - Seems like user space and login programs need to read logind_sessions_files - Devicekit disk seems to be being launched by systemd - Cleanup handling of setfiles so most of rules in te file - Correct port number for dnssec - logcheck has the home dir set to its cache
Tue Feb 7 13:00:00 2012 Miroslav Grepl 3.10.0-84 - Add policy for grindengine MPI jobs
Mon Feb 6 13:00:00 2012 Miroslav Grepl 3.10.0-83 - Add new sysadm_secadm.pp module * contains secadm definition for sysadm_t - Move user_mail_domain access out of the interface into the te file - Allow httpd_t to create httpd_var_lib_t directories as well as files - Allow snmpd to connect to the ricci_modcluster stream - Allow firewalld to read /etc/passwd - Add auth_use_nsswitch for colord - Allow smartd to read network state - smartdnotify needs to read /etc/group
Fri Feb 3 13:00:00 2012 Miroslav Grepl 3.10.0-82 - Allow gpg and gpg_agent to store sock_file in gpg_secret_t directory - lxdm startup scripts should be labeled bin_t, so confined users will work - mcstransd now creates a pid, needs back port to F16 - qpidd should be allowed to connect to the amqp port - Label devices 010-029 as usb devices - ypserv packager says ypserv does not use tmp_t so removing selinux policy types - Remove all ptrace commands that I believe are caused by the kernel/ps avcs - Add initial Obex policy - Add logging_syslogd_use_tty boolean - Add polipo_connect_all_unreserved boolean - Allow zabbix to connect to ftp port - Allow systemd-logind to be able to switch VTs - Allow apache to communicate with memcached through a sock_file
Tue Jan 31 13:00:00 2012 Dan Walsh 3.10.0-81.2 - Fix file_context.subs_dist for now to work with pre usrmove
Mon Jan 30 13:00:00 2012 Miroslav Grepl 3.10.0-81 - More /usr move fixes
Thu Jan 26 13:00:00 2012 Miroslav Grepl 3.10.0-80 - Add zabbix_can_network boolean - Add httpd_can_connect_zabbix boolean - Prepare file context labeling for usrmove functions - Allow system cronjobs to read kernel network state - Add support for selinux_avcstat munin plugin - Treat heartbeat with corosync policy - Allow corosync to read and write to qpidd shared mem - mozilla_plugin is trying to run pulseaudio - Fixes for new sshd patch for running priv sep domains as the users context - Turn off dontaudit rules when turning on allow_ypbind - udev now reads /etc/modules.d directory
Tue Jan 24 13:00:00 2012 Miroslav Grepl 3.10.0-79 - Turn on deny_ptrace boolean for the Rawhide run, so we can test this out - Cups exchanges dbus messages with init - udisk2 needs to send syslog messages - certwatch needs to read /etc/passwd
Mon Jan 23 13:00:00 2012 Miroslav Grepl 3.10.0-78 - Add labeling for udisks2 - Allow fsadmin to communicate with the systemd process
Mon Jan 23 13:00:00 2012 Miroslav Grepl 3.10.0-77 - Treat Bip with bitlbee policy * Bip is an IRC proxy - Add port definition for interwise port - Add support for ipa_memcached socket - systemd_journald needs to getattr on all processes - mdadmin fixes * uses getpw - amavisd calls getpwnam() - denyhosts calls getpwall()
Fri Jan 20 13:00:00 2012 Miroslav Grepl 3.10.0-76 - Setup labeling of /var/rsa and /var/lib/rsa to allow login programs to write there - bluetooth says they do not use /tmp and want to remove the type - Allow init to transition to colord - Mongod needs to read /proc/sys/vm/zone_reclaim_mode - Allow postfix_smtpd_t to connect to spamd - Add boolean to allow ftp to connect to all ports > 1023 - Allow sendmail to write to inherited dovecot tmp files - setroubleshoot needs to be able to execute rpm to see what version of packages
Mon Jan 16 13:00:00 2012 Miroslav Grepl 3.10.0-75 - Merge systemd patch - systemd-tmpfiles wants to relabel /sys/devices/system/cpu/online - Allow deltacloudd dac_override, setuid, setgid caps - Allow aisexec to execute shell - Add use_nfs_home_dirs boolean for ssh-keygen
Fri Jan 13 13:00:00 2012 Dan Walsh 3.10.0-74.2 - Fixes to make rawhide boot in enforcing mode with latest systemd changes
Wed Jan 11 13:00:00 2012 Miroslav Grepl 3.10.0-74 - Add labeling for /var/run/systemd/journal/syslog - libvirt sends signals to ifconfig - Allow domains that read logind session files to list them
Wed Jan 11 13:00:00 2012 Miroslav Grepl 3.10.0-73 - Fixed destined form libvirt-sandbox - Allow apps that list sysfs to also read symbolic links in this filesystem - Add ubac_constrained rules for chrome_sandbox - Need interface to allow domains to use tmpfs_t files created by the kernel, used by libra - Allow postgresql to be executed by the caller - Standardize interfaces of daemons - Add new labeling for mm-handler - Allow all matahari domains to read network state and etc_runtime_t files
Wed Jan 4 13:00:00 2012 Miroslav Grepl 3.10.0-72 - New fix for seunshare, requires seunshare_domains to be able to mounton / - Allow systemctl running as logrotate_t to connect to private systemd socket - Allow tmpwatch to read meminfo - Allow rpc.svcgssd to read supported_krb5_enctype - Allow zarafa domains to read /dev/random and /dev/urandom - Allow snmpd to read dev_snmp6 - Allow procmail to talk with cyrus - Add fixes for check_disk and check_nagios plugins
Tue Dec 20 13:00:00 2011 Miroslav Grepl 3.10.0-71 - default trans rules for Rawhide policy - Make sure sound_devices controlC* are labeled correctly on creation - sssd now needs sys_admin - Allow snmp to read all proc_type - Allow to setup users homedir with quota.group
Mon Dec 19 13:00:00 2011 Miroslav Grepl 3.10.0-70 - Add httpd_can_connect_ldap() interface - apcupsd_t needs to use serial ports connected to usb devices - Kde puts procmail mail directory under ~/.local/share - nfsd_t can trigger sys_rawio on tests that involve too many mountpoints, dontaudit for now - Add labeling for /sbin/iscsiuio
Wed Dec 14 13:00:00 2011 Miroslav Grepl 3.10.0-69 - Add label for /var/lib/iscan/interpreter - Dont audit writes to leaked file descriptors or redirected output for nacl - NetworkManager needs to write to /sys/class/net/ib*/mode
Tue Dec 13 13:00:00 2011 Miroslav Grepl 3.10.0-68 - Allow abrt to request the kernel to load a module - Make sure mozilla content is labeled correctly - Allow tgtd to read system state - More fixes for boinc * allow to resolve dns name * re-write boinc policy to use boinc_domain attribute - Allow munin services plugins to use NSCD services
Thu Dec 8 13:00:00 2011 Miroslav Grepl 3.10.0-67 - Allow mozilla_plugin_t to manage mozilla_home_t - Allow ssh derived domain to execute ssh-keygen in the ssh_keygen_t domain - Add label for tumblerd
Wed Dec 7 13:00:00 2011 Miroslav Grepl 3.10.0-66 - Fixes for xguest package
Tue Dec 6 13:00:00 2011 Miroslav Grepl 3.10.0-65 - Fixes related to /bin, /sbin - Allow abrt to getattr on blk files - Add type for rhev-agent log file - Fix labeling for /dev/dmfm - Dontaudit wicd leaking - Allow systemd_logind_t to look at process info of apps that exchange dbus messages with it - Label /etc/locale.conf correctly - Allow user_mail_t to read /dev/random - Allow postfix-smtpd to read MIMEDefang - Add label for /var/log/suphp.log - Allow swat_t to connect and read/write nmbd_t sock_file - Allow systemd-tmpfiles to setattr for /run/user/gdm/dconf - Allow systemd-tmpfiles to change user identity in object contexts - More fixes for rhev_agentd_t consolehelper policy
Thu Dec 1 13:00:00 2011 Miroslav Grepl 3.10.0-64 - Use fs_use_xattr for squashf - Fix procs_type interface - Dovecot has a new fifo_file /var/run/dovecot/stats-mail - Dovecot has a new fifo_file /var/run/stats-mail - Colord does not need to connect to network - Allow system_cronjob to dbus chat with NetworkManager - Puppet manages content, want to make sure it labels everything correctly
Tue Nov 29 13:00:00 2011 Miroslav Grepl 3.10.0-63 - Change port 9050 to tor_socks_port_t and then allow openvpn to connect to it - Allow all postfix domains to use the fifo_file - Allow sshd_t to getattr on all file systems in order to generate avc on nfs_t - Allow apmd_t to read grub.cfg - Let firewallgui read the selinux config - Allow systemd-tmpfiles to delete content in /root that has been moved to /tmp - Fix devicekit_manage_pid_files() interface - Allow squid to check the network state - Dontaudit colord getattr on file systems - Allow ping domains to read zabbix_tmp_t files
Wed Nov 23 13:00:00 2011 Miroslav Grepl 3.10.0-59 - Allow mcelog_t to create dir and file in /var/run and label it correctly - Allow dbus to manage fusefs - Mount needs to read process state when mounting gluster file systems - Allow collectd-web to read collectd lib files - Allow daemons and system processes started by init to read/write the unix_stream_socket passed in from as stdin/stdout/stderr - Allow colord to get the attributes of tmpfs filesystem - Add sanlock_use_nfs and sanlock_use_samba booleans - Add bin_t label for /usr/lib/virtualbox/VBoxManage
Wed Nov 16 13:00:00 2011 Miroslav Grepl 3.10.0-58 - Add ssh_dontaudit_search_home_dir - Changes to allow namespace_init_t to work - Add interface to allow exec of mongod, add port definition for mongod port, 27017 - Label .kde/share/apps/networkmanagement/certificates/ as home_cert_t - Allow spamd and clamd to stream connect to each other - Add policy label for passwd.OLD - More fixes for postfix and postfix maildrop - Add ftp support for mozilla plugins - Useradd now needs to manage policy since it calls libsemanage - Fix devicekit_manage_log_files() interface - Allow colord to execute ifconfig - Allow accountsd to read /sys - Allow mysqld-safe to execute shell - Allow openct to stream connect to pcscd - Add label for /var/run/nm-dns-dnsmasq\.conf - Allow networkmanager to chat with virtd_t
Fri Nov 11 13:00:00 2011 Dan Walsh 3.10.0-57 - Pulseaudio changes - Merge patches
Thu Nov 10 13:00:00 2011 Dan Walsh 3.10.0-56 - Merge patches back into git repository.
Tue Nov 8 13:00:00 2011 Dan Walsh 3.10.0-55.2 - Remove allow_execmem boolean and replace with deny_execmem boolean
Tue Nov 8 13:00:00 2011 Dan Walsh 3.10.0-55.1 - Turn back on allow_execmem boolean
Mon Nov 7 13:00:00 2011 Miroslav Grepl 3.10.0-55 - Add more MCS fixes to make sandbox working - Make faillog MLS trusted to make sudo_$1_t working - Allow sandbox_web_client_t to read passwd_file_t - Add .mailrc file context - Remove execheap from openoffice domain - Allow chrome_sandbox_nacl_t to read cpu_info - Allow virtd to relabel generic usb which is need if USB device - Fixes for virt.if interfaces to consider chr_file as image file type
Sat Nov 5 13:00:00 2011 Dan Walsh 3.10.0-54.1 - Remove Open Office policy - Remove execmem policy
Sat Nov 5 13:00:00 2011 Miroslav Grepl 3.10.0-54 - MCS fixes - quota fixes
Fri Nov 4 13:00:00 2011 Dan Walsh 3.10.0-53.1 - Remove transitions to consoletype
Tue Nov 1 13:00:00 2011 Miroslav Grepl 3.10.0-53 - Make nvidia* to be labeled correctly - Fix abrt_manage_cache() interface - Make filetrans rules optional so base policy will build - Dontaudit chkpwd_t access to inherited TTYS - Make sure postfix content gets created with the correct label - Allow gnomeclock to read cgroup - Fixes for cloudform policy
Thu Oct 27 14:00:00 2011 Miroslav Grepl 3.10.0-52 - Check in fixed for Chrome nacl support
Thu Oct 27 14:00:00 2011 Miroslav Grepl 3.10.0-51 - Begin removing qemu_t domain, we really no longer need this domain. - systemd_passwd needs dac_override to communicate with users TTY's - Allow svirt_lxc domains to send kill signals within their container
Thu Oct 27 14:00:00 2011 Dan Walsh 3.10.0-50.2 - Remove qemu.pp again without causing a crash
Wed Oct 26 14:00:00 2011 Dan Walsh 3.10.0-50.1 - Remove qemu.pp, everything should use svirt_t or stay in its current domain
Wed Oct 26 14:00:00 2011 Miroslav Grepl 3.10.0-50 - Allow policykit to talk to the systemd via dbus - Move chrome_sandbox_nacl_t to permissive domains - Additional rules for chrome_sandbox_nacl
Tue Oct 25 14:00:00 2011 Miroslav Grepl 3.10.0-49 - Change bootstrap name to nacl - Chrome still needs execmem - Missing role for chrome_sandbox_bootstrap - Add boolean to remove execmem and execstack from virtual machines - Dontaudit xdm_t doing an access_check on etc_t directories
Mon Oct 24 14:00:00 2011 Miroslav Grepl 3.10.0-48 - Allow named to connect to dirsrv by default - add ldapmap1_0 as a krb5_host_rcache_t file - Google chrome developers asked me to add bootstrap policy for nacl stuff - Allow rhev_agentd_t to getattr on mountpoints - Postfix_smtpd_t needs access to milters and cleanup seems to read/write postfix_smtpd_t unix_stream_sockets
Mon Oct 24 14:00:00 2011 Miroslav Grepl 3.10.0-47 - Fixes for cloudform policies which need to connect to random ports - Make sure if an admin creates modules content it creates them with the correct label - Add port 8953 as a dns port used by unbound - Fix file name transition for alsa and confined users
Fri Oct 21 14:00:00 2011 Dan Walsh 3.10.0-46.1 - Turn on mock_t and thumb_t for unconfined domains
Fri Oct 21 14:00:00 2011 Miroslav Grepl 3.10.0-46 - Policy update should not modify local contexts
Thu Oct 20 14:00:00 2011 Dan Walsh 3.10.0-45.1 - Remove ada policy
Thu Oct 20 14:00:00 2011 Miroslav Grepl 3.10.0-45 - Remove tzdata policy - Add labeling for udev - Add cloudform policy - Fixes for bootloader policy
Wed Oct 19 14:00:00 2011 Miroslav Grepl 3.10.0-43 - Add policies for nova openstack
Tue Oct 18 14:00:00 2011 Miroslav Grepl 3.10.0-42 - Add fixes for nova-stack policy
Tue Oct 18 14:00:00 2011 Miroslav Grepl 3.10.0-41 - Allow svirt_lxc_domain to chr_file and blk_file devices if they are in the domain - Allow init process to setrlimit on itself - Take away transition rules for users executing ssh-keygen - Allow setroubleshoot_fixit_t to read /dev/urand - Allow sshd to relabel tunnel sockets - Allow fail2ban domtrans to shorewall in the same way as with iptables - Add support for lnk files in the /var/lib/sssd directory - Allow system mail to connect to courier-authdaemon over an unix stream socket
Mon Oct 17 14:00:00 2011 Dan Walsh 3.10.0-40.2 - Add passwd_file_t for /etc/ptmptmp
Fri Oct 14 14:00:00 2011 Miroslav Grepl 3.10.0-40 - Dontaudit access checks for all executables, gnome-shell is doing access(EXEC, X_OK) - Make corosync to be able to relabelto cluster lib files - Allow samba domains to search /var/run/nmbd - Allow dirsrv to use pam - Allow thumb to call getuid - chrome less likely to get mmap_zero bug so removing dontaudit - gimp help-browser has built in javascript - Best guess is that devices named /dev/bsr4096 should be labeled as cpu_device_t - Re-write glance policy
Thu Oct 13 14:00:00 2011 Dan Walsh 3.10.0-39.3 - Move dontaudit sys_ptrace line from permissive.te to domain.te - Remove policy for hal, it no longer exists
Wed Oct 12 14:00:00 2011 Dan Walsh 3.10.0-39.2 - Don't check md5 size or mtime on certain config files
Tue Oct 11 14:00:00 2011 Dan Walsh 3.10.0-39.1 - Remove allow_ptrace and replace it with deny_ptrace, which will remove all ptrace from the system - Remove 2000 dontaudit rules between confined domains on transition and replace with single dontaudit domain domain:process { noatsecure siginh rlimitinh } ;
Mon Oct 10 14:00:00 2011 Miroslav Grepl 3.10.0-39 - Fixes for bootloader policy - $1_gkeyringd_t needs to read $HOME/%USER/.local/share/keystore - Allow nsplugin to read /usr/share/config - Allow sa-update to update rules - Add use_fusefs_home_dirs for chroot ssh option - Fixes for grub2 - Update systemd_exec_systemctl() interface - Allow gpg to read the mail spool - More fixes for sa-update running out of cron job - Allow ipsec_mgmt_t to read hardware state information - Allow pptp_t to connect to unreserved_port_t - Dontaudit getattr on initctl in /dev from chfn - Dontaudit getattr on kernel_core from chfn - Add systemd_list_unit_dirs to systemd_exec_systemctl call - Fixes for collectd policy - Change sysadm_t to create content as user_tmp_t under /tmp
Thu Oct 6 14:00:00 2011 Dan Walsh 3.10.0-38.1 - Shrink size of policy through use of attributes for userdomain and apache
Wed Oct 5 14:00:00 2011 Miroslav Grepl 3.10.0-38 - Allow virsh to read xenstored pid file - Backport corenetwork fixes from upstream - Do not audit attempts by thumb to search config_home_t dirs (~/.config) - label ~/.cache/telepathy/logger telepathy_logger_cache_home_t - allow thumb to read generic data home files (mime.type)
Wed Oct 5 14:00:00 2011 Miroslav Grepl 3.10.0-37 - Allow nmbd to manage sock file in /var/run/nmbd - ricci_modservice send syslog msgs - Stop transitioning from unconfined_t to ldconfig_t, but make sure /etc/ld.so.cache is labeled correctly - Allow systemd_logind_t to manage /run/USER/dconf/user
Mon Oct 3 14:00:00 2011 Dan Walsh 3.10.0-36.1 - Fix missing patch from F16
Mon Oct 3 14:00:00 2011 Miroslav Grepl 3.10.0-36 - Allow logrotate setuid and setgid since logrotate is supposed to do it - Fixes for thumb policy by grift - Add new nfsd ports - Added fix to allow confined apps to execmod on chrome - Add labeling for additional vdsm directories - Allow Exim and Dovecot SASL - Add label for /var/run/nmbd - Add fixes to make virsh and xen working together - Colord executes ls - /var/spool/cron is now labeled as user_cron_spool_t
Mon Oct 3 14:00:00 2011 Dan Walsh 3.10.0-35 - Stop complaining about leaked file descriptors during install
Thu Sep 29 14:00:00 2011 Dan Walsh 3.10.0-34.7 - Remove java and mono module and merge into execmem
Thu Sep 29 14:00:00 2011 Dan Walsh 3.10.0-34.6 - Fixes for thumb policy and passwd_file_t
Thu Sep 29 14:00:00 2011 Dan Walsh 3.10.0-34.4 - Fixes caused by the labeling of /etc/passwd - Add thumb.patch to transition unconfined_t to thumb_t for Rawhide
Thu Sep 29 14:00:00 2011 Miroslav Grepl 3.10.0-34.3 - Add support for Clustered Samba commands - Allow ricci_modrpm_t to send log msgs - move permissive virt_qmf_t from virt.te to permissivedomains.te - Allow ssh_t to use kernel keyrings - Add policy for libvirt-qmf and more fixes for linux containers - Initial Polipo - Sanlock needs to run ranged in order to kill svirt processes - Allow smbcontrol to stream connect to ctdbd
Mon Sep 26 14:00:00 2011 Dan Walsh 3.10.0-34.2 - Add label for /etc/passwd
Mon Sep 26 14:00:00 2011 Dan Walsh 3.10.0-34.1 - Change unconfined_domains to permissive for Rawhide - Add definition for the ephemeral_ports
Mon Sep 26 14:00:00 2011 Miroslav Grepl 3.10.0-34 - Make mta_role() active - Allow asterisk to connect to jabber client port - Allow procmail to read utmp - Add NIS support for systemd_logind_t - Allow systemd_logind_t to manage /run/user/$USER/dconf dir which is labeled as config_home_t - Fix systemd_manage_unit_dirs() interface - Allow ssh_t to manage directories passed into it - init needs to be able to create and delete unit file directories - Fix typo in apache_exec_sys_script - Add ability for logrotate to transition to awstat domain
Fri Sep 23 14:00:00 2011 Miroslav Grepl 3.10.0-33 - Change screen to use screen_domain attribute and allow screen_domains to read all process domain state - Add SELinux support for ssh pre-auth net process in F17 - Add logging_syslogd_can_sendmail boolean
Tue Sep 20 14:00:00 2011 Dan Walsh 3.10.0-31.1 - Add definition for ephemeral ports - Define user_tty_device_t as a customizable_type
Tue Sep 20 14:00:00 2011 Miroslav Grepl 3.10.0-31 - Needs to require a new version of checkpolicy - Interface fixes
Fri Sep 16 14:00:00 2011 Miroslav Grepl 3.10.0-29 - Allow sanlock to manage virt lib files - Add virt_use_sanlock boolean - ksmtuned is trying to resolve uids - Make sure .gvfs is labeled user_home_t in the users home directory - Sanlock sends kill signals and needs the kill capability - Allow mockbuild to work on nfs homedirs - Fix kerberos_manage_host_rcache() interface - Allow exim to read system state
Tue Sep 13 14:00:00 2011 Miroslav Grepl 3.10.0-28 - Allow systemd-tmpfiles to set the correct labels on /var/run, /tmp and other files - We want any file type that is created in /tmp by a process running as initrc_t to be labeled initrc_tmp_t
Tue Sep 13 14:00:00 2011 Miroslav Grepl 3.10.0-27 - Allow collectd to read hardware state information - Add loop_control_device_t - Allow mdadm to request kernel to load module - Allow domains that start other domains via systemctl to search unit dir - systemd_tmpfiles, needs to list any file systems mounted on /tmp - No one can explain why radius is listing the contents of /tmp, so we will dontaudit - If I can manage etc_runtime files, I should be able to read the links - Dontaudit hostname writing to mock library chr_files - Have gdm_t setup labeling correctly in users home dir - Label content under /var/run/user/NAME/dconf as config_home_t - Allow sa-update to execute shell - Make ssh-keygen working with fips_enabled - Make mock work for staff_t user - Tighten security on mock_t
Fri Sep 9 14:00:00 2011 Miroslav Grepl 3.10.0-26 - removing unconfined_notrans_t no longer necessary - Clean up handling of secure_mode_insmod and secure_mode_policyload - Remove unconfined_mount_t
Tue Sep 6 14:00:00 2011 Miroslav Grepl 3.10.0-25 - Add exim_exec_t label for /usr/sbin/exim_tidydb - Call init_dontaudit_rw_stream_socket() interface in mta policy - sssd need to search /var/cache/krb5rcache directory - Allow corosync to relabel own tmp files - Allow zarafa domains to send system log messages - Allow ssh to do tunneling - Allow initrc scripts to sendto init_t unix_stream_socket - Changes to make sure dnsmasq and virt directories are labeled correctly - Changes needed to allow sysadm_t to manage systemd unit files - init is passing file descriptors to dbus and on to system daemons - Allow sulogin additional access Reported by dgrift and Jeremy Miller - Steve Grubb believes that wireshark does not need this access - Fix /var/run/initramfs to stop restorecon from looking at - pki needs another port - Add more labels for cluster scripts - Allow apps that manage cgroup_files to manage cgroup link files - Fix label on nfs-utils scripts directories - Allow gatherd to read /dev/rand and /dev/urand
Wed Aug 31 14:00:00 2011 Miroslav Grepl 3.10.0-24
- pki needs another port
- Add more labels for cluster scripts
- Fix label on nfs-utils scripts directories
- Fixes for cluster
- Allow gatherd to read /dev/rand and /dev/urand
- abrt leaks fifo files
Tue Aug 30 14:00:00 2011 Miroslav Grepl 3.10.0-23
- Add glance policy
- Allow mdadm setsched
- /var/run/initramfs should not be relabeled with a restorecon run
- memcache can be set up to override sys_resource
- Allow httpd_t to read tetex data
- Allow systemd_tmpfiles to delete kernel modules left in /tmp directory
Mon Aug 29 14:00:00 2011 Miroslav Grepl 3.10.0-22
- Allow Postfix to deliver to Dovecot LMTP socket
- Ignore bogus sys_module for lldpad
- Allow chrony and gpsd to send dgrams, gpsd needs to write to the real time clock
- systemd_logind_t sets the attributes on usb devices
- Allow hddtemp_t to read etc_t files
- Add permissivedomains module
- Move all permissive domains calls to permissivedomain.te
- Allow pegasus to send kill signals to other UIDs
Wed Aug 24 14:00:00 2011 Miroslav Grepl 3.10.0-21
- Allow insmod_t to use fds leaked from devicekit
- Dontaudit getattr between insmod_t and init_t unix_stream_sockets
- Change sysctl unit file interfaces to use systemctl
- Add support for chronyd unit file
- Allow mozilla_plugin to read gnome_usr_config
- Add policy for new gpsd
- Allow cups to create kerberos rhost cache files
- Add authlogin_filetrans_named_content to unconfined_t to make sure shadow and other log files get labeled correctly
Tue Aug 23 14:00:00 2011 Dan Walsh 3.10.0-20
- Make users_extra and seusers.final into config(noreplace) so semanage users and login do not get overwritten
Tue Aug 23 14:00:00 2011 Miroslav Grepl 3.10.0-19
- Add policy for sa-update being run out of cron jobs
- Add create perms to postgresql_manage_db
- ntpd using a gps has to be able to read/write generic tty_device_t
- If you disable unconfined and unconfineduser, rpm needs more privs to manage /dev
- Fix spec file
- Remove qemu_domtrans_unconfined() interface
- Make passenger work together with puppet
- Add init_dontaudit_rw_stream_socket interface
- Fixes for wordpress
Thu Aug 11 14:00:00 2011 Miroslav Grepl 3.10.0-18
- Turn on allow_domain_fd_use boolean on F16
- Allow syslog to manage all log files
- Add use_fusefs_home_dirs boolean for chrome
- Make vdagent work with confined users
- Add abrt_handle_event_t domain for ABRT event scripts
- Label /usr/sbin/rhnreg_ks as rpm_exec_t and add changes related to this change
- Allow httpd_git_script_t to read passwd data
- Allow openvpn to set its process priority when the nice parameter is used
Wed Aug 10 14:00:00 2011 Miroslav Grepl 3.10.0-17
- livecd fixes
- spec file fixes
Thu Aug 4 14:00:00 2011 Miroslav Grepl 3.10.0-16
- fetchmail can use kerberos
- ksmtuned reads in shell programs
- gnome_systemctl_t reads the process state of ntp
- dnsmasq_t asks the kernel to load multiple kernel modules
- Add rules for domains executing systemctl
- Bogus text within fc file
Wed Aug 3 14:00:00 2011 Miroslav Grepl 3.10.0-14
- Add cfengine policy
Tue Aug 2 14:00:00 2011 Miroslav Grepl 3.10.0-13
- Add abrt_domain attribute
- Allow corosync to manage cluster lib files
- Allow corosync to connect to the system DBUS
Mon Aug 1 14:00:00 2011 Miroslav Grepl 3.10.0-12
- Add sblim, uuidd policies
- Allow kernel_t dyntransition to init_t
Fri Jul 29 14:00:00 2011 Miroslav Grepl 3.10.0-11
- init_t needs setexec
- More fixes of rules which cause an explosion in rules, by Dan Walsh
Tue Jul 26 14:00:00 2011 Miroslav Grepl 3.10.0-10
- Allow rhsmcertd to perform DNS name resolution
- Add dirsrvadmin_unconfined_script_t domain type for 389-ds admin scripts
- Allow tmux to run as screen
- New policy for collectd
- Allow gkeyring_t to interact with all user apps
- Add rules to allow firstboot to run on machines with the unconfined.pp module removed
Sat Jul 23 14:00:00 2011 Miroslav Grepl 3.10.0-9
- Allow systemd_logind to send dbus messages with users
- Allow accountsd to read wtmp file
- Allow dhcpd to get and set capabilities
Fri Jul 22 14:00:00 2011 Miroslav Grepl 3.10.0-8
- Fix oracledb_port definition
- Allow mount to mounton the selinux file system
- Allow users to list /var directories
Thu Jul 21 14:00:00 2011 Miroslav Grepl 3.10.0-7
- systemd fixes
Tue Jul 19 14:00:00 2011 Miroslav Grepl 3.10.0-6
- Add initial policy for abrt_dump_oops_t
- xtables-multi wants to getattr of the proc fs
- Smoltclient is connecting to abrt
- Dontaudit leaked file descriptors to postdrop
- Allow abrt_dump_oops to look at kernel sysctls
- abrt_dump_oops_t reads kernel ring buffer
- Allow mysqld to request the kernel to load modules
- systemd-login needs fowner
- Allow postfix_cleanup_t to search maildrop
Mon Jul 18 14:00:00 2011 Miroslav Grepl 3.10.0-5
- Initial systemd_logind policy
- Add policy for systemd_logger and additional privs for systemd_logind
- More fixes for systemd policies
Thu Jul 14 14:00:00 2011 Miroslav Grepl 3.10.0-4
- Allow setsched for virsh
- Systemd needs to impersonate cups, which means it needs to create tcp_sockets in cups_t domain, as well as manage spool directories
- iptables: the various /sbin/ip6?tables.* are now symlinks for /sbin/xtables-multi
Tue Jul 12 14:00:00 2011 Miroslav Grepl 3.10.0-3
- A lot of users are running yum -y update while in /root, which is causing ldconfig to list the contents, adding dontaudit
- Allow colord to interact with the users through the tmpfs file system
- Since we changed the label on deferred, we need to allow postfix_qmgr_t to be able to create maildrop_t files
- Add label for /var/log/mcelog
- Allow asterisk to read /dev/random if it uses TLS
- Allow colord to read ini files which are labeled as bin_t
- Allow dirsrvadmin sys_resource and setrlimit to use ulimit
- Systemd needs to be able to create sock_files for every label in /var/run directory, cupsd being the first
- Also lists /var and /var/spool directories
- Add openl2tpd to l2tpd policy
- qpidd is reading the sysfs file
Thu Jun 30 14:00:00 2011 Miroslav Grepl 3.10.0-2
- Change usbmuxd_t to dontaudit attempts to read chr_file
- Add mysqld_safe_exec_t for libra domains to be able to start private mysql domains
- Allow pppd to search /var/lock dir
- Add rhsmcertd policy
Mon Jun 27 14:00:00 2011 Miroslav Grepl 3.10.0-1
- Update to upstream
Mon Jun 27 14:00:00 2011 Miroslav Grepl 3.9.16-30
- More fixes
  * http://git.fedorahosted.org/git/?p=selinux-policy.git
Thu Jun 16 14:00:00 2011 Dan Walsh 3.9.16-29.1
- Fix spec file to not report Verify errors
Thu Jun 16 14:00:00 2011 Miroslav Grepl 3.9.16-29
- Add dspam policy
- Add lldpad policy
- dovecot auth wants to search statfs #713555
- Allow systemd passwd apps to read init fifo_file
- Allow prelink to use inherited terminals
- Run cherokee in the httpd_t domain
- Allow mcs constraints on node connections
- Implement pyicqt policy
- Fixes for zarafa policy
- Allow cobblerd to send syslog messages
Wed Jun 8 14:00:00 2011 Dan Walsh 3.9.16-28.1
- Add policy.26 to the payload
- Remove olpc stuff
- Remove policygentool
Wed Jun 8 14:00:00 2011 Miroslav Grepl 3.9.16-27
- Fixes for zabbix
- init script needs to be able to manage sanlock_var_run_...
- Allow sanlock and wdmd to create /var/run directories...
- mixclip.so has been compiled correctly
- Fix passenger policy module name
Tue Jun 7 14:00:00 2011 Miroslav Grepl 3.9.16-26
- Add mailscanner policy from dgrift
- Allow chrome to optionally be transitioned to
- Zabbix needs these rules when starting the zabbix_server_mysql
- Implement a type for freedesktop openicc standard (~/.local/share/icc)
- Allow system_dbusd_t to read inherited icc_data_home_t files
- Allow colord_t to read icc_data_home_t content #706975
- Label stuff under /usr/lib/debug as if it was labeled under /
Thu Jun 2 14:00:00 2011 Miroslav Grepl 3.9.16-25
- Fixes for sanlock policy
- Fixes for colord policy
- Other fixes
  * http://git.fedorahosted.org/git/?p=selinux-policy.git;a=log
Thu May 26 14:00:00 2011 Miroslav Grepl 3.9.16-24
- Add rhev policy module to modules-targeted.conf
Tue May 24 14:00:00 2011 Miroslav Grepl 3.9.16-23
- Lot of fixes
  * http://git.fedorahosted.org/git/?p=selinux-policy.git;a=log
Tue May 17 14:00:00 2011 Miroslav Grepl 3.9.16-22
- Allow logrotate to execute systemctl
- Allow nsplugin_t to getattr on gpmctl
- Fix dev_getattr_all_chr_files() interface
- Allow shorewall to use inherited terms
- Allow userhelper to getattr all chr_file devices
- sandbox domains should be able to getattr and dontaudit search of sysctl_kernel_t
- Fix labeling for ABRT Retrace Server
Mon May 9 14:00:00 2011 Miroslav Grepl 3.9.16-21
- Dontaudit sys_module for ifconfig
- Make telepathy and gkeyringd daemon work with confined users
- colord wants to read files in users' homedir
- Remote login should be creating user_tmp_t, not its own tmp files
Thu May 5 14:00:00 2011 Miroslav Grepl 3.9.16-20
- Fix label for /usr/share/munin/plugins/munin_* plugins
- Add support for zarafa-indexer
- Fix boolean description
- Allow colord to getattr on /proc/scsi/scsi
- Add label for /lib/upstart/init
- Colord needs to list /mnt
Tue May 3 14:00:00 2011 Miroslav Grepl 3.9.16-19
- Forward port changes from F15 for telepathy
- NetworkManager should be allowed to use /dev/rfkill
- Fix dontaudit messages to say Domain to not audit
- Allow telepathy domains to read/write gnome_cache files
- Allow telepathy domains to call getpw
- Fixes for colord and vnstatd policy
Wed Apr 27 14:00:00 2011 Miroslav Grepl 3.9.16-18
- Allow init_t getcap and setcap
- Allow namespace_init_t to use nsswitch
- aisexec will execute corosync
- colord tries to read files off noxattr file systems
- Allow init_t getcap and setcap
Thu Apr 21 14:00:00 2011 Miroslav Grepl 3.9.16-17
- Add support for ABRT retrace server
- Allow user_t and staff_t access to generic scsi to handle locally plugged in scanners
- Allow telepathy_msn_t to read /proc/PARENT/cmdline
- ftpd needs kill capability
- Allow telepathy_msn_t to connect to sip port
- keyring daemon does not work on nfs homedirs
- Allow $1_sudo_t to read default SELinux context
- Add label for tgtd sock file in /var/run/
- Add apache_exec_rotatelogs interface
- Allow all zarafa domains to signal themselves, server writes to /tmp
- Allow syslog to read the process state
- Add label for /usr/lib/chromium-browser/chrome
- Remove the telepathy transition from unconfined_t
- Dontaudit sandbox domains trying to mounton sandbox_file_t, this is caused by fuse mounts
- Allow initrc_t domain to manage abrt pid files
- Add support for AEOLUS project
- Virt_admin should be allowed to manage images and processes
- Allow plymouthd to send signals to init
- Change labeling of fping6
Tue Apr 19 14:00:00 2011 Dan Walsh 3.9.16-16.1
- Add filename transitions
Tue Apr 19 14:00:00 2011 Miroslav Grepl 3.9.16-16
- Fixes for zarafa policy
- Add support for AEOLUS project
- Change labeling of fping6
- Allow plymouthd to send signals to init
- Allow initrc_t domain to manage abrt pid files
- Virt_admin should be allowed to manage images and processes
Fri Apr 15 14:00:00 2011 Miroslav Grepl 3.9.16-15
- xdm_t needs getsession for switch user
- Every app that used to exec init is now execing systemctl
- Allow squid to manage krb5_host_rcache_t files
- Allow foghorn to connect to agentx port
- Fixes for colord policy
Mon Apr 11 14:00:00 2011 Miroslav Grepl 3.9.16-14
- Add Dan's patch to remove 64 bit variants
- Allow colord to use unix_dgram_socket
- Allow apps that search pids to read /var/run if it is a lnk_file
- iscsid_t creates its own directory
- Allow init to list var_lock_t dir
- apm needs to verify user accounts auth_use_nsswitch
- Add labeling for systemd unit files
- Allow gnomeclock to enable ntpd service using systemctl
- systemd_systemctl_t domain was added
- Add label for matahari-broker.pid file
- We want to remove untrustedmcsprocess from ability to read /proc/pid
- Fixes for matahari policy
- Allow system_tmpfiles_t to delete user_home_t files in the /tmp dir
- Allow sshd to transition to sysadm_t if ssh_sysadm_login is turned on
Tue Apr 5 14:00:00 2011 Miroslav Grepl 3.9.16-13
- Fix typo
Mon Apr 4 14:00:00 2011 Miroslav Grepl 3.9.16-12
- Add /var/run/lock /var/lock definition to file_contexts.subs
- nslcd_t is looking for kerberos cc files
- SSH_USE_STRONG_RNG is 1, which requires /dev/random
- Fix auth_rw_faillog definition
- Allow sysadm_t to set attributes on fixed disks
- Allow user domains to execute lsof and look at application sockets
- prelink_cron job calls telinit -u if init is rewritten
- Fixes to run qemu_t from staff_t
Mon Apr 4 14:00:00 2011 Miroslav Grepl 3.9.16-11
- Fix label for /var/run/udev to udev_var_run_t
- Mock needs to be able to read network state
Fri Apr 1 14:00:00 2011 Miroslav Grepl 3.9.16-10
- Add file_contexts.subs to handle /run and /run/lock
- Add other fixes relating to /run changes from F15 policy
Fri Mar 25 13:00:00 2011 Miroslav Grepl 3.9.16-7
- Allow $1_sudo_t and $1_su_t open access to user terminals
- Allow initrc_t to use generic terminals
- Make Makefile/Rules.modular run sepolgen-ifgen during build to check if files for bugs
- systemd is going to be using /run and /run/lock for early bootup files
- Fix some comments in rlogin.if
- Add policy for KDE backlighthelper
- sssd needs to read ~/.k5login in nfs, cifs or fusefs file systems
- sssd wants to read .k5login file in users' homedir
- setroubleshoot reads executables to see if they have TEXTREL
- Add /var/spool/audit support for new version of audit
- Remove kerberos_connect_524() interface calling
- Combine kerberos_master_port_t and kerberos_port_t
- systemd has set up /dev/kmsg as stderr for apps it executes
- Need this access so that init can impersonate sockets on unix_dgram_socket
Wed Mar 23 13:00:00 2011 Miroslav Grepl 3.9.16-6
- Remove some unconfined domains
- Remove permissive domains
- Add policy-term.patch from Dan
Thu Mar 17 13:00:00 2011 Miroslav Grepl 3.9.16-5
- Fix multiple specification for boot.log
- devicekit leaks file descriptors to setfiles_t
- Change all all_nodes to generic_node and all_if to generic_if
- Should not use deprecated interface
- Switch from using all_nodes to generic_node and from all_if to generic_if
- Add support for xfce4-notifyd
- Fix file context to show several labels as SystemHigh
- seunshare needs to be able to mounton nfs/cifs/fusefs homedirs
- Add etc_runtime_t label for /etc/securetty
- Fixes to allow xdm_t to start gkeyringd_USERTYPE_t directly
- login.krb needs to be able to write user_tmp_t
- dirsrv needs to bind to port 7390 for dogtag
- Fix a bug in gpg policy
- gpg sends audit messages
- Allow qpid to manage matahari files
Tue Mar 15 13:00:00 2011 Miroslav Grepl 3.9.16-4
- Initial policy for matahari
- Add dev_read_watchdog
- Allow clamd to connect to clamd port
- Add support for kcmdatetimehelper
- Allow shutdown to setrlimit and sys_nice
- Allow systemd_passwd to talk to /dev/log before udev or syslog is running
- Purge chr_file and blk files on /tmp
- Fixes for pads
- Fixes for piranha-pulse
- gpg_t needs to be able to encrypt anything owned by the user
Thu Mar 10 13:00:00 2011 Miroslav Grepl 3.9.16-3
- mozilla_plugin_tmp_t needs to be treated as user tmp files
- More dontaudits of writes from readahead
- Dontaudit readahead_t file_type:dir write, to cover up kernel bug
- systemd_tmpfiles needs to relabel faillog directory as well as the file
- Allow hostname and consoletype to r/w inherited initrc_tmp_t files, handling hostname >> /tmp/myhost
Thu Mar 10 13:00:00 2011 Miroslav Grepl 3.9.16-2
- Add policykit fixes from Tim Waugh
- dontaudit sandbox domains sandbox_file_t:dir mounton
- Add new dontaudit rules for sysadm_dbusd_t
- Change label for /var/run/faillock
  * other fixes which relate to this change
Tue Mar 8 13:00:00 2011 Miroslav Grepl 3.9.16-1
- Update to upstream
- Fixes for telepathy
- Add port definition for ssdp port
- Add policy for /bin/systemd-notify from Dan
- Mount command requires users read mount_var_run_t
- colord needs to read kobject_uevent_socket
- User domains connect to the gkeyring socket
- Add colord policy and allow user_t and staff_t to dbus chat with it
- Add lvm_exec_t label for kpartx
- Dontaudit reading the mail_spool_t link from sandbox -X
- systemd is creating sockets in avahi_var_run and system_dbusd_var_run
Tue Mar 1 13:00:00 2011 Miroslav Grepl 3.9.15-5
- gpg_t needs to talk to gnome-keyring
- nscd wants to read /usr/tmp->/var/tmp to generate randomization in unixchkpwd
- Enforce MCS labeling on nodes
- Allow arpwatch to read meminfo
- Allow gnomeclock to send itself signals
- init relabels /dev/.udev files on boot
- gkeyringd has to transition back to staff_t when it runs commands in bin_t or shell_exec_t
- nautilus checks access on /media directory before mounting usb sticks, dontaudit access_check on mnt_t
- dnsmasq can run as a dbus service, needs acquire service
- mysql_admin should be allowed to connect to mysql service
- virt creates monitor sockets in the users' home dir
Mon Feb 21 13:00:00 2011 Miroslav Grepl 3.9.15-2
- Allow usbhid-ups to read hardware state information
- systemd-tmpfiles has moved
- Allow cgroup to sys_tty_config
- For some reason prelink is attempting to read gconf settings
- Add allow_daemons_use_tcp_wrapper boolean
- Add label for ~/.cache/wocky to make telepathy work in enforcing mode
- Add label for char devices /dev/dasd*
- Fix for apache_role
- Allow amavis to talk to nslcd
- Allow all sandbox to read selinux policy config files
- Allow cluster domains to use the system bus and send each other dbus messages
Wed Feb 16 13:00:00 2011 Miroslav Grepl 3.9.15-1
- Update to upstream
Wed Feb 9 13:00:00 2011 Fedora Release Engineering 3.9.14-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild
Tue Feb 8 13:00:00 2011 Dan Walsh 3.9.14-1
- Update to ref policy
- cgred needs chown capability
- Add /dev/crash crash_dev_t
- systemd-readahead wants to use fanotify, which means readahead_t needs sys_admin capability
Tue Feb 8 13:00:00 2011 Miroslav Grepl 3.9.13-10
- New labeling for postfmulti #675654
- dontaudit xdm_t listing noxattr file systems
- dovecot-auth needs to be able to connect to mysqld via the network as well as locally
- shutdown is passed stdout to a xdm_log_t file
- smartd creates a fixed disk device
- dovecot_etc_t contains a lnk_file that domains need to read
- mount needs to be able to read etc_runtime_t:lnk_file since in rawhide this is a link created at boot
Thu Feb 3 13:00:00 2011 Miroslav Grepl 3.9.13-9
- syslog_t needs syslog capability
- dirsrv needs to be able to create /var/lib/snmp
- Fix labeling for dirsrv
- Fix for dirsrv policy missing manage_dirs_pattern
- corosync needs to delete clvm_tmpfs_t files
- qdiskd needs to list hugetlbfs
- Move setsched to sandbox_x_domain, so firefox can run without network access
- Allow hddtemp to read removable devices
- Adding syslog and read_policy permissions to policy
  * syslog: allow unconfined, sysadm_t, secadm_t, logadm_t
  * read_policy: allow unconfined, sysadm_t, secadm_t, staff_t on Targeted; allow sysadm_t (optionally), secadm_t on MLS
- mdadm application will write into /sys/.../uevent whenever arrays are assembled or disassembled
Tue Feb 1 13:00:00 2011 Dan Walsh 3.9.13-8
- Add tcsd policy
Tue Feb 1 13:00:00 2011 Miroslav Grepl 3.9.13-7
- ricci_modclusterd_t needs to bind to rpc ports 500-1023
- Allow dbus to use setrlimit to increase resources
- Mozilla_plugin is leaking to sandbox
- Allow confined users to connect to lircd over unix domain stream socket, which allows use of remote control
- Allow awstats to read squid logs
- seunshare needs to manage tmp_t
- apcupsd cgi scripts have a new directory
Thu Jan 27 13:00:00 2011 Miroslav Grepl 3.9.13-6
- Fix xserver_dontaudit_read_xdm_pid
- Change oracle_port_t to oracledb_port_t to prevent conflict with satellite
- Allow dovecot_deliver_t to read/write postfix_master_t:fifo_file
  * This fifo_file is passed from postfix_master_t to postfix_local_t to dovecot_deliver_t
- Allow readahead to manage readahead pid dirs
- Allow readahead to read all mcs levels
- Allow mozilla_plugin_t to use nfs or samba homedirs
Tue Jan 25 13:00:00 2011 Miroslav Grepl 3.9.13-5
- Allow nagios plugin to read /proc/meminfo
- Fix for mozilla_plugin
- Allow samba_net_t to create /etc/keytab
- pppd_t setting up vpns needs to run unix_chkpwd, setsched its process and write wtmp_t
- nslcd can read user credentials
- Allow nsplugin to delete mozilla_plugin_tmpfs_t
- abrt tries to create dir in rpm_var_lib_t
- virt relabels fifo_files
- sshd needs to manage content in fusefs homedir
- mock manages link files in cache dir
Fri Jan 21 13:00:00 2011 Miroslav Grepl 3.9.13-4
- nslcd needs setsched and to read /usr/tmp
- Invalid call in likewise policy ends up creating a bogus role
- Canon puts content into /var/lib/bjlib that cups needs to be able to write
- Allow screen to create screen_home_t in /root
- dirsrv sends syslog messages
- pinentry reads stuff in .kde directory
- Add labels for .kde directory in homedir
- Treat iprinit, iprupdate, iprdump services with raid policy
Wed Jan 19 13:00:00 2011 Miroslav Grepl 3.9.13-3
- NetworkManager wants to read consolekit_var_run_t
- Allow readahead to create /dev/.systemd/readahead
- Remove permissive domains
- Allow newrole to run namespace_init
Tue Jan 18 13:00:00 2011 Miroslav Grepl 3.9.13-2
- Add sepgsql_contexts file
Mon Jan 17 13:00:00 2011 Miroslav Grepl 3.9.13-1
- Update to upstream
Mon Jan 17 13:00:00 2011 Miroslav Grepl 3.9.12-8
- Add oracle ports and allow apache to connect to them if the connect_db boolean is turned on
- Add puppetmaster_use_db boolean
- Fixes for zarafa policy
- Fixes for gnomeclock policy
- Fix systemd-tmpfiles to use auth_use_nsswitch
Fri Jan 14 13:00:00 2011 Miroslav Grepl 3.9.12-7
- gnomeclock executes a shell
- Update for screen policy to handle pipe in homedir
- Fixes for polyinstantiated homedir
- Fixes for namespace policy and other fixes related to polyinstantiation
- Add namespace policy
- Allow dovecot-deliver transition to sendmail, which is needed by sieve scripts
- Fixes for init, psad policy which relate to confined users
- Do not audit bootloader attempts to read devicekit pid files
- Allow nagios service plugins to read /proc
Tue Jan 11 13:00:00 2011 Miroslav Grepl 3.9.12-6
- Add firewalld policy
- Allow vmware_host to read samba config
- Kernel wants to read /proc
- Fix duplicate grub def in cobbler
- Chrony sends mail, executes shell, uses fifo_file and reads /proc
- devicekitdisk getattr all file systems
- samba daemon writes wtmp file
- libvirt transitions to dmidecode
Wed Jan 5 13:00:00 2011 Miroslav Grepl 3.9.12-5
- Add initial policy for system-setup-keyboard, which is now a daemon
- Label /var/lock/subsys/shorewall as shorewall_lock_t
- Allow users to communicate with the gpg_agent_t
- Dontaudit mozilla_plugin_t using the inherited terminal
- Allow sambagui to read files in /usr
- webalizer manages squid log files
- Allow unconfined domains to bind ports to raw_ip_sockets
- Allow abrt to manage rpm logs when running yum
- Need labels for /var/run/bitlbee
- Label .ssh under amanda
- Remove unused genrequires for virt_domain_template
- Allow virt_domain to use fd inherited from virtd_t
- Allow iptables to read shorewall config
Tue Dec 28 13:00:00 2010 Dan Walsh 3.9.12-4
- Gnome apps list config_home_t
- mpd creates lnk files in homedir
- apache leaks write to mail apps on tmp files
- /var/stockmaniac/templates_cache contains log files
- Abrt lists the contents of mount_tmp_t dirs
- passwd agent reads files under /dev and reads utmp file
- squid apache script connects to the squid port
- Fix name of plymouth log file
- teamviewer is a wine app
- Allow dmesg to read system state
- Stop labeling files under /var/lib/mock so restorecon will not go into this
- nsplugin needs to read network state for google talk
Thu Dec 23 13:00:00 2010 Dan Walsh 3.9.12-3
- Allow xdm and syslog to use /var/log/boot.log
- Allow users to communicate with mozilla_plugin and kill it
- Add labeling for ipv6 and dhcp
Tue Dec 21 13:00:00 2010 Dan Walsh 3.9.12-2
- New labels for ghc http content
- nsplugin_config needs to read urand, lvm now calls setfscreate to create dev
- pm-suspend now creates log file for append access so we remove devicekit_wri
- Change authlogin_use_sssd to authlogin_nsswitch_use_ldap
- Fixes for greylist_milter policy
Tue Dec 21 13:00:00 2010 Miroslav Grepl 3.9.12-1
- Update to upstream
- Fixes for systemd policy
- Fixes for passenger policy
- Allow staff users to run mysqld in the staff_t domain, akonadi needs this
- Add bin_t label for /usr/share/kde4/apps/kajongg/kajongg.py
- auth_use_nsswitch does not need avahi to read passwords, needed for resolving data
- Dontaudit (xdm_t) gok attempting to list contents of /var/account
- Telepathy domains need to read urand
- Need interface to getattr all file classes in a mock library for setroubleshoot
Wed Dec 15 13:00:00 2010 Dan Walsh 3.9.11-2
- Update selinux policy to handle new /usr/share/sandbox/start script
Wed Dec 15 13:00:00 2010 Miroslav Grepl 3.9.11-1
- Update to upstream
- Fix version of policy in spec file
Tue Dec 14 13:00:00 2010 Miroslav Grepl 3.9.10-13
- Allow sandbox to run on nfs partitions, fixes for systemd_tmpfs
- Remove per sandbox domains devpts types
- Allow dkim-milter to send a signal to itself
Mon Dec 13 13:00:00 2010 Dan Walsh 3.9.10-12
- Allow domains that transition to ping or traceroute to kill them
- Allow user_t to conditionally transition to ping_t and traceroute_t
- Add fixes to systemd-tools, including new labeling for systemd-fsck, systemd-cryptsetup
Mon Dec 13 13:00:00 2010 Miroslav Grepl 3.9.10-11
- Turn on systemd policy
- mozilla_plugin needs to read certs in the homedir
- Dontaudit leaked file descriptors from devicekit
- Fix irssi to use auth_use_nsswitch
- Change to use interface without param in corenet to disable unlabelednet packets
- Allow init to relabel sockets and fifo files in /dev
- certmonger needs dac* capabilities to manage cert files not owned by root
- dovecot needs fsetid to change group membership on mail
- plymouthd removes /var/log/boot.log
- systemd is creating symlinks in /dev
- Change label on /etc/httpd/alias to be all cert_t
Fri Dec 10 13:00:00 2010 Miroslav Grepl 3.9.10-10
- Fixes for clamscan and boinc policy
- Add boinc_project_t setpgid
- Allow alsa to create tmp files in /tmp
Tue Dec 7 13:00:00 2010 Miroslav Grepl 3.9.10-9
- Push fixes to allow disabling of unlabeled_t packet access
- Enable unlabelednet policy
Tue Dec 7 13:00:00 2010 Miroslav Grepl 3.9.10-8
- Fixes for lvm to work with systemd
Mon Dec 6 13:00:00 2010 Miroslav Grepl 3.9.10-7
- Fix the label for wicd log
- plymouthd creates force-display-on-active-vt file
- Allow avahi to request the kernel to load a module
- Dontaudit hal leaks
- Fix gnome_manage_data interface
- Add new interface corenet_packet to define a type as being a packet_type
- Removed general access to packet_type from icecast and squid
- Allow mpd to read alsa config
- Fix the label for wicd log
- Add systemd policy
Fri Dec 3 13:00:00 2010 Miroslav Grepl 3.9.10-6