Changelog for selinux-policy-doc-3.13.1-105.21.fc21.noarch.rpm:
Mon Aug 24 14:00:00 2015 Lukas Vrabec 3.13.1-105.21
- Fix networkmanager_sigchld interface.
- Allow NetworkManager send sigkill to dnssec-trigger. BZ(1251764)
- Add interface dnssec_trigger_sigkill
- Label /etc/rt dir as httpd_sys_rw_content_t BZ(#1185500)
- Allow bumblebee to send kill signal to xserver
- Allow debugfs associate to a sysfs filesystem.
Tue Jul 21 14:00:00 2015 Lukas Vrabec 3.13.1-105.20
- Add rpm_exec_t labeling for /usr/bin/dnf-automatic, /usr/bin/dnf-2 and /usr/bin/dnf-3.
- Allow dnssec_trigger_t relabelfrom dnssec_trigger_var_run_t files.
- Allow NetworkManager_t send signull to dnssec_trigger_t.
- Allow abrt_t read all proc files. BZ(1240885)
- Allow dnssec_trigger_t create dnssec_trigger_tmp_t files in /var/tmp/ BZ(1240840)
- Set label of /sys/kernel/debug
- Label new dnssec-trigger files.
Mon Jun 29 14:00:00 2015 Lukas Vrabec 3.13.1-105.19
- Add networkmanager_sigkill() and networkmanager_signull() interfaces.
- Add interface snmp_dontaudit_manage_snmp_var_lib_files().
- Dontaudit apache to manage snmpd_var_lib_t files/dirs. BZ(1189214)
- Rename xodbc-connect port to xodbc_connect
- Allow ovsdb-server to connect on xodbc-connect and ovsdb tcp ports. BZ(1179809)
- Dontaudit mozilla_plugin_t cap. sys_ptrace. BZ(1202043)
- Allow dnssec-trigger to send sigkill,signull to NM
- Allow dnssec_trigger_t read networkmanager conf files. BZ(1231798)
- Allow in networkmanager_read_conf() also read NetworkManager_etc_rw_t files. BZ(1231798)
- Allow abrt_dump_oops_t fowner chown fsetid cap itself. BZ(1235944)
- Label tcp port 6632 as xodbc-connect port. BZ(1179809)
- Label tcp port 6640 as ovsdb port. BZ(1179809)
Wed Jun 24 14:00:00 2015 Lukas Vrabec 3.13.1-105.18
- Add unconfined_dontaudit_write_state() interface.
- Make docker_t as unconfined. BZ(1215842)
Tue Jun 23 14:00:00 2015 Lukas Vrabec 3.13.1-105.17
- Dontaudit use console for chrome-sandbox. BZ(1216087)
- Dontaudit chrome-sandbox write access its parent process information. BZ(1220958)
- Remove ctdbd_manage_var_files() interface which is not used and is declared for the wrong type.
- Allow NM to do access check on /sys.
- Allow NetworkManager to keep RFCOMM connection for Bluetooth DUN open. Based on fixes from Lubomir Rintel.
- Allow NetworkManager nm-dispatcher to read links.
- Fix missing bracket in apache.te.
- Fix httpd_use_openstack boolean related to keystone_read_pid.
- Add postgresql support for systemd unit files.
- Allow sshd to execute gnome-keyring if there is configured pam_gnome_keyring.so.
- Add term_open_unallocated_ttys() interface.
- Add dev_access_check_sysfs() interface.
Tue May 19 14:00:00 2015 Lukas Vrabec 3.13.1-105.16
- Allow net_admin cap for dnssec-trigger to make wifi reconnect working.
- Allow antivirus_t to read system state info. BZ(1217616)
- Add support for ~/.local/share/libvirt/images and for ~/.local/share/libvirt/boot. BZ(1215359)
- Clamd needs to have fsetid capability. BZ(1215308)
- Allow cinder-backup to dbus chat with systemd-logind. BZ(1207098)
- Update httpd_use_openstack boolean to allow httpd to bind commplex_main_port and read keystone log files.
- Allow gssd to access kernel keyring for login_pgm domains.
- Allow eu-unstrip running under abrt_t to access /var/lib/pcp/pmdas/linux/pmda_linux.so (#1207410)
- Fix description for seutil_search_config() interface.
- Fix selinux_search_fs() interface.
- Update selinux_search_fs(domain) rule to have ability to search /etc/selinux/ to check if /etc/selinux/config exists. BZ(1219045)
- Add seutil_search_config() interface.
- Allow login_pgm domains to access kernel keyring for nsswitch domains.
Thu Apr 30 14:00:00 2015 Lukas Vrabec 3.13.1-105.15
- Allow dnssec-trigger to send sigchld to networkmanager
- add interface networkmanager_sigchld
- Add dnssec-trigger unit file
- Label dnssec-trigger script in libexec
Mon Apr 20 14:00:00 2015 Lukas Vrabec 3.13.1-105.14
- Define ipa_var_run_t type
- Allow certmonger to manage renewal.lock. BZ(1213256)
- Add ipa_manage_pid_files interface.
- Allow apcupsd to use USBttys. BZ(1210960)
- Allow sge_execd_t to manage tmp sge lnk files. BZ(1211574)
- Allow syslogd_t to manage devlog_t lnk files. BZ(1210968)
- Add more restriction on entrypoint for unconfined domains.
Wed Apr 15 14:00:00 2015 Lukas Vrabec 3.13.1-105.13
- Allow abrtd to list home config. BZ(1199658)
- Dontaudit dnssec_trigger_t to read /tmp. BZ(1210250)
- Allow abrt_dump_oops_t to IPC_LOCK. BZ(1205481)
- Allow mock_t to use ptmx. BZ(1181333)
- Allow dnssec_trigger_t to create resolv files labeled as net_conf_t
- Allow dnssec_trigger_t to stream connect to networkmanager.
- Add more restriction on entrypoint for unconfined domains.
- Allow systemd_networkd_t to load kernel module. BZ(1209402)
- Allow systemd_networkd cap. dac_override. BZ(1204352)
Tue Apr 7 14:00:00 2015 Lukas Vrabec 3.13.1-105.12
- Label /usr/libexec/mongodb-scl-helper as mongod_initrc_exec_t. BZ(1202013)
- Add mongodb port to httpd_can_network_connect_db interface. BZ(1209180)
- Merge postfix spool types (maildrop, flush) to one postfix_spool_t
- Add collectd net_raw capability. BZ(1194169)
Thu Apr 2 14:00:00 2015 Lukas Vrabec 3.13.1-105.11
- Allow networkmanager and cloud_init_t to dbus chat
- Fix sysnet_filetrans_named_content interface. BZ(1207942)
- Fix cloudform policy (m4 is case sensitive)
Mon Mar 30 14:00:00 2015 Lukas Vrabec 3.13.1-105.10
- Allow kmscon to read system state. BZ(1206871)
- Allow plymouthd to open usbttys. BZ(1202429)
- apmd needs sys_resource when shutting down the machine
- Allow xdm_t to read colord_var_lib_t files. BZ(1201985)
- Allow all domains some process flags
Mon Mar 23 13:00:00 2015 Lukas Vrabec 3.13.1-105.9
- Allow mysqld_t to use pam. BZ(1196104)
- Allow fetchmail to read mail_spool_t. BZ(1200552)
- Dontaudit blueman_t write to all mountpoints. BZ(1198272)
Mon Mar 16 13:00:00 2015 Lukas Vrabec 3.13.1-105.8
- Merge docker policy from rawhide.
- Allow docker to relabelfrom/to sockets and docker_log_t
- Allow docker to communicate with openvswitch
- Fix some resolv problems
- Remove automatically running filetrans_named_content from sysnet_manage_config
- Allow all domains that read resolv.conf to search through /run, since multiple domains including NetworkManager will be putting their resolv.conf into this directory
- Allow apps that create net_conf_t content to create .resolv.conf.NetworkManager
- Fix labels, improve sysnet_manage_config interface.
Mon Mar 9 13:00:00 2015 Lukas Vrabec 3.13.1-105.7
- Allow spamc read spamd_etc_t files. BZ(1199339)
- Allow collectd to write to snmpd_var_lib_t dirs. BZ(1199278)
- Allow abrt_watch_log_t read passwd file. BZ(1197396)
- Allow abrt_watch_log_t to nsswitch_domain. BZ(1199659)
- Allow cups to read colord_var_lib_t files. BZ(1199765)
Thu Mar 5 13:00:00 2015 Lukas Vrabec 3.13.1-105.6
- Allow glusterd_t exec glusterd_var_lib_t files. BZ(1198406)
- Add gluster_exec_lib interface.
- Allow cyrus bind tcp berknet port. BZ(1198347)
- Allow abrt_dump_oops_t read /etc/passwd file. BZ(1197190)
- Allow l2tp to manage NetworkManager_var_run_t files. BZ(1197428)
- Allow denyhosts execute iptables. BZ(1197371)
- Allow brltty rw event device. BZ(1190349)
- Allow cupsd config to execute ldconfig. BZ(1196608)
- Allow ping_t read urand. BZ(1181831)
- Add support for tcp/2005 port.
Wed Feb 25 13:00:00 2015 Lukas Vrabec 3.13.1-105.5
- Make sure NetworkManager configures resolv.conf correctly
- Label /var/run/NetworkManager/resolv.conf.tmp as net_conf_t.
- Added interface files_search_all_pids
- Allow search all pid dirs when managing net_conf_t files
- Fix path label to resolv.conf under NetworkManager
Mon Feb 23 13:00:00 2015 Lukas Vrabec 3.13.1-105.4
- Added logging_syslogd_pid_filetrans
- Additional fix for labeling /dev/log correctly
- Label new strongswan binary swanctl and new unit file strongswan-swanctl.service. BZ(1193102)
- Label /dev/log correctly.
- Create dnf and yum directories in /var with correct label
- Dontaudit sys_resource in prelink_cron_system_t
- Add filename transitions for /var/lib/rpm and /var/cache/rpm
- Allow brltty ioctl on usb_device_t. BZ(1190349)
Thu Feb 5 13:00:00 2015 Lukas Vrabec 3.13.1-105.3
- apmd needs sys_resource when shutting down the machine
- Allow upsmon_t to read urandom device.
Mon Feb 2 13:00:00 2015 Lukas Vrabec 3.13.1-105.2
- Added boolean xdm_bind_vnc_tcp_port. BZ(1187975)
- Allow svirt sandbox domains to read /proc/mtrr
- Allow sshd_t to manage gssd keyring
- Allow docker to attach to the sandbox and user domains tun devices
- Dontaudit network connections related to thumb_t. BZ(1187981)
- Allow dovecot domains to use sys_resource
- Allow polipo daemon connect to all ephemeral ports. BZ(1187723)
Thu Jan 29 13:00:00 2015 Lukas Vrabec 3.13.1-105.1
- Add unconfined_setsched() interface
- Add ipsec_rw_inherited_pipes() interface.
- Update seutil_manage_config() interface.
- journald now reads the netlink audit socket
- Update ipsec_manage_pid() interface.
- Allow netutils chown capability to make tcpdump working with -w
- Label /ostree/deploy/rhel-atomic-host/deploy directory as system_conf_t.
- Allow ipsec to execute _updown.netkey script to run unbound-control.
- Add auditing support for ipsec.
- Allow nut_upsmon_t to read random_device_t. BZ(1186072)
- Allow fowner capability for sssd because of selinux_child handling.
- Allow bind to read/write inherited ipsec pipes
- Allow hypervkvp to read /dev/urandom and read additional states/config files.
- Allow cluster domain to dbus chat with systemd-logind.
- Allow gluster rpm scriptlet to create glusterd socket with correct labeling. This is a workaround until we get fix in glusterd
- Add glusterd_filetrans_named_pid() interface.
- Allow radiusd to connect to radsec ports.
- Allow setuid/setgid for selinux_child.
- Allow pingd to read /dev/urandom. BZ(1181831)
- Allow lsmd plugin to connect to tcp/5989 by default.
- pkcsslotd_lock_t should be an alias for pkcs_slotd_lock_t.
- Allow docker_t to change its rlimit
- Allow docker to setsched on unconfined_t user
- Dontaudit couchdb search in gconf_home_t. BZ(1177717)
- Call correct macro in virt_read_content().
- Allow neutron to read rpm DB.
- Add labeling for pacemaker.log.
- Allow radius to connect/bind radsec ports.
- Allow pm-suspend running as virt_qemu_ga to read /var/log/pm-suspend.log.
- Add devicekit_read_log_files()
- Allow virt_qemu_ga to dbus chat with rpm.
- Update virt_read_content() interface to allow read also char devices.
Thu Jan 15 13:00:00 2015 Lukas Vrabec 3.13.1-105
- Fix labels on /etc/kde/kdm
- Allow texlive managers to relabelfrom
- Add iptables_var_lib_t for /var/lib/ebtables
- Allow mount_ecryptfs_t to read/write pam_console data
- allow mozilla plugins to connect to bluetooth devices
- Allow system_mail_t to create content in /var/lib/munin
- Allow prosody_t to execmem, since it is using luajit.
- Allow NetworkManager to noatsecure openvpn
- Allow canna to call getpw*
- Allow telepathy_mission_control to create tmp files
- Remove boolean gpg_agent_env_file
- Allow shorewall to transition to the netutils domain
- Allow bumblebee read proc_net_t. BZ(1176329)
- Dontaudit attempts by thumb_t to setfscreate, this is caused by executing mv command under thumb_t domain
Thu Jan 15 13:00:00 2015 Lukas Vrabec 3.13.1-104
- Fix unconfined_server_dbus_chat() interface
- Add type for tcp/18700 port and have it as lsm_plugin_port_t.
- Fix mount_entry_type() interface.
- Update xserver_rw_xdm_keys() interface to have 'setattr'.
- fix storage_tmp_filetrans_fixed_disk() interface.
- Allow sulogin to read /dev/urandom and /dev/random.
- Update radius port definition to have also tcp/18121.
- Add 18120/tcp as radius port.
- Label prandom as random_device_t.
- Allow charon to manage files in /etc/strongimcv labeled as ipsec_conf_t.
- Dontaudit svirt_domains attempting to setattr on /proc
- Allow systemd_passwd_agent to look at processes in /proc
- Fix label on /var/lib/sddm
- Allow systemd_logind_t to delete tmpfs files
- Allow systemd to manage all lock files
- Allow mdadm_t to create fixed_disk_device_t on /tmp file systems
- Allow init_t to create gnome content in homedirs
- systemd_sysctl needs to have sys_rawio
- userdom_dontaudit_search_user_home_content should not search through any homedirs and subdirs
- Allow userdomains to use mount commands as entrypoints
- bug #1178562 shows systemd_hostnamed_t reads /proc/xen
- Label /usr/libexec/Xorg.bin as xserver_exec_t.
- Allow sssd to send dbus all user domains.
- Allow lsm plugin to read certificates.
- Make snapperd as unconfined domain.
- Fix labeling for keystone CGI scripts
- Fix bugs in interfaces discovered by sepolicy.
- Allow slapd to read /usr/share/cracklib/pw_dict.hwm.
- Allow lsm plugins to connect to tcp/18700 by default.
- Allow brltty mknod capability to allow create /var/run/brltty/vcsa.
- Fix pcp_domain_template() interface.
- Allow mon_fsstatd to read /proc/sys/fs/binfmt_misc.
- Allow glance-scrubber to connect tcp/9191.
- Add conman_can_network.
- Allow conman to create files/dirs in /tmp.
- Allow rabbitmq_t to run hostname
- Allow named to manage files in dnssec_trigger_var_run_t directory
- Allow rabbitmq_t to deal with link files created with its content
- Allow pcp_domains to connect to ephemeral ports, allow webd domain to dbus with avahi
- Allow mdadm_t to getattr on init status files
- Allow rpcd_t to write to /proc
- Add lmt-req.lock as a apmd_lock file
- Allow rpm running under sblim domain to send signull to setroubleshootd.
Mon Dec 15 13:00:00 2014 Lukas Vrabec 3.13.1-103
- Docker has a new config/key file it writes to /etc/docker
- Add support for /usr/share/vdsm/daemonAdapter
- Add additional MLS attribute for oddjob_mkhomedir to create homedirs.
- Add missing files_dontaudit_list_security_dirs() for smbd_t in samba_export_all_ro boolean.
- Allow virt_qemu_ga_t to execute kmod
- Allow logrotate to read hawkey.log in /var/cache/dnf/ BZ(1163438)
Thu Dec 11 13:00:00 2014 Lukas Vrabec 3.13.1-102
- Allow pegasus_openlmi_storage_t use nsswitch. BZ(1172258)
- Allow docker daemon to start transient units
- Add support for /var/run/gluster.
- Allow openvpn manage systemd_passwd_var_run_t files. BZ(1170085)
- Fix /usr/libexec/sssd/selinux_child labeling.
- Label /usr/libexec/tomcat/server as tomcat_exec_t.
Tue Dec 2 13:00:00 2014 Lukas Vrabec 3.13.1-101
- Add files_dontaudit_list_security_dirs() interface
- Allow rlogind to use also rlogin ports
- Dontaudit couchdb to list /var
- couchdb: allow disksup to monitor the local disks
- dontaudit list security dirs for samba domain.
- Label /var/lib/rpmrebuilddb/ as rpm_var_lib_t. BZ(1167946)
Tue Nov 25 13:00:00 2014 Lukas Vrabec 3.13.1-100
- Add seutil_dontaudit_access_check_semanage_module_store() interface
- Update to have all _systemctl() interface also init_reload_services()
- Allow named_filetrans_domain to create ibus directory with correct labeling
- Add labeling for /sbin/iw.
- Label tcp port 5280 as ejabberd port. BZ(1059930)
- Make /usr/bin/vncserver running as unconfined_service_t.
- getty_t should be ranged in MLS. Then also local_login_t runs as ranged domain
- Label /etc/docker/certs.d as cert_t
- Allow all systemd domains to search file systems
- I guess there can be content under /var/lib/lockdown #1167502
- Dontaudit access check on SELinux module store for sssd
- Allow rhev-agentd to read /dev/.udev/db to make deploying hosted engine via iSCSI working
- Allow keystone to send a generic signal to own process.
- Dontaudit list user_tmp files for system_mail_t
- label virt-who as virtd_exec_t
- Allow rhsmcertd to send a null signal to virt-who running as virtd_t
- Add virt_signull() interface
- Allow .snapshots to be created in other directories, on all mountpoints
- Add missing alias for _content_rw_t
- Allow spamd to access razor-agent.log
Thu Nov 20 13:00:00 2014 Lukas Vrabec 3.13.1-99
- Allow NetworkManager stream connect on openvpn. BZ(1165110)
Wed Nov 19 13:00:00 2014 Lukas Vrabec 3.13.1-98
- Allow networkmanager manage also openvpn sock pid files.
Wed Nov 19 13:00:00 2014 Lukas Vrabec 3.13.1-97
- Allow login programs to write to processes at all levels.
- Fix seutil_dontaudit_access_check_semanage_read_lock()
- Fix audit_access interfaces to make sense in seutils.if.
- Label sock file charon.vici as ipsec_var_run_t. BZ(1165065)
- Add seutil_access_check_module_store() interfaces.
- Add seutil_access_check_semanage_read_lock().
- Add seutil_access_check_setfiles() interface.
- Add additional interfaces for access checks on load_policy
- Allow sendmail to create dead.letter. BZ(1165443)
- Add support for /usr/bin/start-puppet-ca helper script.
- Allow rpm scripts to enable/disable transient systemd units.
- Allow openvpn to create uuid connections in /var/run/NetworkManager with NM labeling.
- Make kpropd as nsswitch domain
- Make all glance domain as nsswitch domains.
- Allow selinux_child running as sssd access check on /etc/selinux/targeted/modules/active.
- Allow access checks on setfiles/load_policy/semanage_lock for selinux_child running as sssd_t.
Fri Nov 14 13:00:00 2014 Lukas Vrabec 3.13.1-96
- Allow bumblebee to use nsswitch. BZ(1155339)
- Allow openvpn to stream connect to networkmanager. BZ(1164182)
- Allow smbd to create HOMEDIRS is pam_oddjob_mkhomedir in MLS.
- Allow cpuplug rw virtual memory sysctl. BZ(1077831)
- Docker needs to write to sysfs, needs back port to F20, F21, RHEL7
Mon Nov 10 13:00:00 2014 Lukas Vrabec 3.13.1-95
- Allow ifconfig to read/write inherited kdumpctl pipes.
- Label /etc/strongimcv as ipsec_conf_file_t.
- Add dontaudit interfaces for audit_access in seutil.
- Fix seutil_dontaudit_access_check_load_policy()
- Dontaudit access check on setfiles/load_policy for sssd_t.
- Add kdump_rw_inherited_kdumpctl_tmp_pipes()
- Make linuxptp services as unconfined.
- Added new policy linuxptp.
- Label keystone cgi files as keystone_cgi_script_exec_t. BZ(1138424)
- Dontaudit policykit_auth_t to access to user home dirs. BZ(1157256)
Fri Nov 7 13:00:00 2014 Lukas Vrabec 3.13.1-94
- Added interface userdom_dontaudit_manage_user_home_dirs
- New interface dev_rw_uhid_dev
- Fix unconfined_server_dbus_chat() interface.
- Allow login domains to create kernel keyring with different level.
- Dontaudit policykit_auth_t to write to user home dirs. BZ(1157256)
- Make tuned as unconfined domain.
- Allow bluetooth read/write uhid devices. BZ(1161169)
- Add fixes for hypervkvp daemon
- make zoneminder as dbus client by default.
- Allow guest to connect to libvirt using unix_stream_socket.
- Allow all bus client domains to dbus chat with unconfined_service_t.
- Allow inetd service without own policy to run in inetd_child_t which is unconfined domain.
- Make opensm as nsswitch domain to make it working with sssd.
- Allow brctl to read meminfo.
- Allow winbind-helper to execute ntlm_auth in the caller domain.
- Make plymouthd as nsswitch domain to make it working with sssd.
- Make drbd as nsswitch domain to make it working with sssd
- Make conman as nsswitch domain to make ipmitool.exp running as conman_t working.
- Add support for /var/lib/sntp directory.
Mon Nov 3 13:00:00 2014 Lukas Vrabec 3.13.1-93
- Add 15672 as amqp_port_t
- Add support for /dev/nvme controller device nodes created by nvme driver.
- Label also logrotate.status.tmp as logrotate_var_lib_t. BZ(1158835)
- Allow dovecot to create user's home directory when they log into IMAP.
- Allow nslcd to read /dev/urandom.
- Allow snapperd to dbus chat with system cron jobs.
- Add support for keepalived unconfined scripts and allow keepalived to read all domain state and kill capability.
- Fix rhcs_signull_haproxy() interface.
- Allow nslcd to execute netstat.
- Allow abrt to read software raid state. BZ(1157770)
Wed Oct 29 13:00:00 2014 Lukas Vrabec 3.13.1-92
- Allow modemmanager to connect to itself
Fri Oct 24 14:00:00 2014 Miroslav Grepl 3.13.1-91
- Allow rolekit transition to rpm_script_t.
- Need to label rpmnew file correctly
- Allow setpcap capability for dhcpd.
Wed Oct 22 14:00:00 2014 Miroslav Grepl 3.13.1-90
- Additional fixes for rolekit
Wed Oct 22 14:00:00 2014 Miroslav Grepl 3.13.1-89
- Add rolekit policy based on lvrabec@redhat.com policy. This is more unconfined initial policy to allow us to add dbus chat with random domains
- Allow domains to dbus chat with rolekit.
Tue Oct 21 14:00:00 2014 Lukas Vrabec 3.13.1-88
- Allow couchdb read sysctl_fs_t files. BZ(1154327)
- Allow osad to connect to jabber client port. BZ(1154242)
- Allow mon_statd to send syslog msgs. BZ(1077821)
- Allow apcupsd to get attributes of filesystems with xattrs
- Add back kill/load permissions for system/service classes. It breaks updates from f20->f21.
Fri Oct 17 14:00:00 2014 Miroslav Grepl 3.13.1-87
- Allow systemd-networkd to be running as dhcp client.
- Label /usr/bin/cockpit-bridge as shell_exec_t.
- Add label for /var/run/systemd/resolve/resolv.conf.
- Allow listen and accept on tcp socket for init_t in MLS. Previously it was for xinetd_t.
Tue Oct 14 14:00:00 2014 Lukas Vrabec 3.13.1-86
- Dontaudit aicuu to search home config dir. BZ(#1104076)
- couchdb is using erlang so it needs execmem privs
- Allow sanlock to send a signal to virtd_t.
- Allow mongodb to 'accept' accesses on the tcp_socket port.
- Make sosreport as unconfined domain.
- Allow nova-console to connect to mem_cache port.
- Allow mandb to getattr on file systems
- Allow read antivirus domain all kernel sysctls.
- Allow lmsd_plugin to read passwd file. BZ(1093733)
- Label /usr/share/corosync/corosync as cluster_exec_t.
- Allow sensord to getattr on sysfs.
- automount policy is non-base module so it needs to be called in optional block.
- Add auth_use_nsswitch for portreserve to make it working with sssd.
- Fix samba_export_all_ro/samba_export_all_rw booleans to dontaudit search/read security files.
- Allow openvpn to execute systemd-passwd-agent in systemd_passwd_agent_t to make openvpn working with systemd.
- Allow openvpn to access /sys/fs/cgroup dir.
- Allow nova-scheduler to read certs
- Add support for /var/lib/swift directory.
- Allow neutron connections to system dbus.
- Allow mongodb to manage own log files.
- Allow opensm_t to read/write /dev/infiniband/umad1.
- Added policy for mon_statd and mon_procd services. BZ(1077821)
- kernel_read_system_state needs to be called with type. Moved it to antivirus.if.
- Allow dnssec_trigger_t to execute unbound-control in own domain.
- Allow all RHCS services to read system state.
- Added monitor device
- Add interfaces for /dev/infiniband
- Add infiniband_device_t for /dev/infiniband instead of fixed_disk_device_t type.
- Add files_dontaudit_search_security_files()
- Add selinuxuser_udp_server boolean
- Allow syslogd_t to create /var/log/cron with correct labeling
- Add support for /etc/.updated and /var/.updated
- Allow iptables read fail2ban logs. BZ(1147709)
- Allow ldconfig to read proc//net/sockstat.
Mon Oct 6 14:00:00 2014 Lukas Vrabec 3.13.1-85
- Allow nova domains to getattr on all filesystems.
- Allow zebra for user/group look-ups.
- Allow lsmd to search own plugins.
- Allow sssd to read selinux config to add SELinux user mapping.
- Allow swift to connect to all ephemeral ports by default.
- Allow NetworkManager to create Bluetooth SDP sockets
- Allow keepalived manage snmp var lib sock files. BZ(1102228)
- Added policy for brltty. BZ(1083162)
- Allow rhsmcertd manage rpm db. BZ(#1134173)
- Allow rhsmcertd send signull to setroubleshoot. BZ(#1134173)
- Label /usr/libexec/rhsmd as rhsmcertd_exec_t
- Fix broken interfaces
- Added sendmail_domtrans_unconfined interface
- Added support for cpuplug. BZ(#1077831)
- Fix bug in drbd policy, BZ(#1134883)
- Make keystone_cgi_script_t domain. BZ(#1138424)
- fix dev_getattr_generic_usb_dev interface
- Label 4101 tcp port as brlp port
- Allow libreswan to connect to VPN via NM-libreswan.
- Add userdom_manage_user_tmpfs_files interface
Tue Sep 30 14:00:00 2014 Lukas Vrabec 3.13.1-84
- Allow all domains to read fonts
- Allow rabbitmq_t read rabbitmq_var_lib_t lnk files. BZ(#1147028)
- Allow pki-tomcat to change SELinux object identity.
- Allow radius to connect to apache ports to do OCSP check
- Allow git cgi scripts to create content in /tmp
- Allow cockpit-session to do GSSAPI logins.
Mon Sep 22 14:00:00 2014 Lukas Vrabec 3.13.1-83
- Make sure /run/systemd/generator and system is labeled correctly on creation.
- Additional access required by usbmuxd
- Allow sensord read in /proc BZ(#1143799)
Thu Sep 18 14:00:00 2014 Miroslav Grepl 3.13.1-82
- Allow du running in logwatch_t read hwdata.
- Allow sys_admin capability for antivirus domains.
- Use nagios_var_lib_t instead of nagios_lib_t in nagios.fc.
- Add support for pnp4nagios.
- Add missing labeling for /var/lib/cockpit.
- Label resolv.conf as docker_share_t under docker so we can read within a container
- Remove labeling for rabbitmqctl
- setfscreate in pki.te is not capability class.
- Allow virt domains to use virtd tap FDs until we get proper handling in libvirtd.
- Allow wine domains to create cache dirs.
- Allow newaliases to systemd inhibit pipes.
- Add fixes for pki-tomcat scriptlet handling.
- Allow user domains to manage all gnome home content
- Allow locate to look at files/directories without labels, and chr_file and blk_file on non dev file systems
- Allow usbmuxd chown capabilities
Thu Sep 11 14:00:00 2014 Lukas Vrabec 3.13.1-81
- Label /usr/lib/erlang/erts.*/bin files as bin_t
- Added changes related to rabbitmq daemon.
- Fix labeling in couchdb policy
- Allow rabbitmq bind on epmd port
- Clean up rabbitmq policy
- fix domtrans_rabbitmq interface
- Added rabbitmq_beam_t and rabbitmq_epmd_t alias
- Allow couchdb to getattr
- Allow couchdb write to couchdb_conf files
- Allow couchdb to create dgram_sockets
- Added support for ejabberd
Wed Sep 10 14:00:00 2014 Lukas Vrabec 3.13.1-80
- Back port workaround for #1134389 from F20. It needs to be removed from rawhide once we ship F21.
- Since docker will now label volumes we can tighten the security of docker
Wed Sep 10 14:00:00 2014 Lukas Vrabec 3.13.1-79
- Re-arrange openshift_net_read_t rules.
- Kernel is reporting random block_suspends, we should dontaudit these until the kernel is fixed in Rawhide
- Allow jockey_t to use tmpfs files
- Allow pppd to create sock_files in /var/run
- Allow geoclue to stream connect to smart card service
- Allow docker to read all of /proc
- Allow passenger to read/write apache stream socket.
- Dontaudit read init state for svirt_t.
- Label /usr/sbin/unbound-control as named_exec_t (#1130510)
- Add support for /var/lib/cockpit directory.
- Add support for ~/.speech-dispatcher.
- Allow nmbd to read /proc/sys/kernel/core_pattern.
- Allow wine domains to create wine_home symlinks.
- Allow policykit_auth_t access check and read usr config files.
- Dontaudit access check on home_root_t for policykit-auth.
- hv_vss_daemon wants to list /boot
- update gpg_agent_env_file boolean to allow manage user tmp files for gpg-agent
- Fix label for /usr/bin/courier/bin/sendmail
- Allow munin services plugins to execute fail2ban-client in fail2ban_client_t domain.
- Allow unconfined_r to access unconfined_service_t.
- Add label for ~/.local/share/fonts
- Add init_dontaudit_read_state() interface.
- Add systemd_networkd_var_run_t labeling for /var/run/systemd/netif and allow systemd-networkd to manage it.
- Allow udev_t mounton udev_var_run_t dirs (#1128618)
- Add files_dontaudit_access_check_home_dir() interface.
Tue Sep 2 14:00:00 2014 Lukas Vrabec 3.13.1-78
- Allow unconfined_service_t to dbus chat with all dbus domains
- Assign rabbitmq port. BZ#1135523
- Add new interface to allow creation of file with lib_t type
- Allow init to read all config files
- We want to remove openshift_t domains ability to look at /proc/net
- I guess lockdown is a file not a directory
- Label /var/bacula/ as bacula_store_t
- Allow rhsmcertd to send signull to sosreport.
- Allow sending of snmp trap messages by radiusd.
- remove redundant rule from nova.te.
- Add auth_use_nsswitch() for ctdbd.
- call nova_vncproxy_t instead of vncproxy.
- Allow nova-vncproxy to use varnishd port.
- Fix rhnsd_manage_config() to allow manage also symlinks.
- Allow bacula to create dirs/files in /tmp
- Allow nova-api to use nsswitch.
- Clean up nut policy. Allow nut domains to create temp files. Add nut_domain_template() template interface.
- Allow usbmuxd connect to itself by stream socket. (#1135945)
- I see no reason why unconfined_t should transition to crontab_t, this looks like old cruft
- Allow nswrapper_32_64.nppdf.so to be created with the proper label
- Dontaudit leaks of file descriptors from domains that transition to thumb_t
- Fixes for usbmuxd, addition of /var/lib/lockdown, and allow it to use urand, dontaudit sys_resource
- Allow avahi_t communicate with pcp_pmproxy_t over dbus. (better way)
Thu Aug 28 14:00:00 2014 Lukas Vrabec 3.13.1-77
- Allow aide to read random number generator
- Allow pppd to connect to http port. (#1128947)
- sssd needs to be able write krb5.conf.
- Label initial-setup as install_exec_t.
- Allow domains that are allowed to mounton proc to mount on files as well as dirs
- Allow bacula to connect to postgresql if it is configured for that as a back end.
Tue Aug 26 14:00:00 2014 Lukas Vrabec 3.13.1-76
- Label ~/tmp and ~/.tmp directories in user tmp dirs as user_tmp_t
- Add a port definition for shellinaboxd
- Fix labeling for HOME_DIR/tmp and HOME_DIR/.tmp directories
- Allow thumb_t to read/write video devices
- fail2ban 0.9 reads the journal by default.
- Allow sandbox net domains to bind to rawip socket
Fri Aug 22 14:00:00 2014 Lukas Vrabec 3.13.1-75
- Allow haproxy to read /dev/random and /dev/urandom.
- Allow mdadm to send signull kernel_t which is process type of mdadm on early boot.
- geoclue needs to connect to http and http_cache ports
- Allow passenger to use unix_stream_sockets leaked into it, from httpd
- Add SELinux policy for highly-available key value store for shared configuration.
- drbd executes modinfo.
- Add glance_api_can_network boolean since glance-api uses huge range port.
- Fix glance_api_can_network() definition.
- Allow smoltclient to connect on http_cache port. (#982199)
- Allow userdomains to stream connect to pcscd for smart cards
- Allow programs to use pam to search through user_tmp_t dirs (/tmp/.X11-unix)
- Added MLS fixes to support labeled socket activation which is going to be done by systemd
- Add kernel_signull() interface.
- sulogin_t executes plymouth commands
- lvm needs to be able to accept connections on stream generic sockets
Thu Aug 21 14:00:00 2014 Kevin Fenzi 3.13.1-74
- Rebuild for rpm bug 1131960
Mon Aug 18 14:00:00 2014 Lukas Vrabec 3.13.1-73
- Allow systemd_logind_t to list tmpfs directories
- Allow lvm_t to create undefined sockets
- Allow passwd_t to read/write stream sockets
- Allow docker lots more access.
- Fix label for ports
- Add support for arptables-{restore,save} and also labeling for /usr/lib/systemd/system/arptables.service.
- Label tcp port 4194 as kubernetes port.
- Additional access required for passenger_t
- sandbox domains should be allowed to use libraries which require execmod
- Allow qpid to read passwd files BZ(#1130086)
- Remove cockpit port, it is now going to use websm port
- Add getattr to the list of access to dontaudit on unix_stream_sockets
- Allow sendmail to append dead.letter located in var/spool/nagios/dead.letter.
Tue Aug 12 14:00:00 2014 Lukas Vrabec 3.13.1-72 - docker needs to be able to look at everything in /dev - Allow all processes to send themselves signals - Allow sysadm_t to create netlink_tcpdiag socket - sysadm_t should be allowed to communicate with networkmanager - These are required for bluejeans to work on an unconfined.pp disabled machine - docker needs setfcap - Allow svirt domains to manage chr files and blk files for mknod commands - Allow fail2ban to read audit logs - Allow cachefilesd_t to send itself signals - Allow smokeping cgi script to send syslog messages - Allow svirt sandbox domains to relabel content - Since apache content can be placed anywhere, we should just allow apache to search through any directory
Mon Aug 4 14:00:00 2014 Miroslav Grepl 3.13.1-71 - shell_exec_t should not be in cockip.fc
Mon Aug 4 14:00:00 2014 Miroslav Grepl 3.13.1-70 - Add additional fixes for abrt-dump-journal-oops which is now labeled as abrt_dump_oops_exec_t. - Allow denyhosts to enable synchronization which needs to connect to tcp/9911 port. - Allow nacl_helper_boo running in :chrome_sandbox_t to send SIGCHLD to chrome_sandbox_nacl_t. - Dontaudit write access on generic cert files. We also don't audit access checks. - Add support for arptables. - Add labels and filenametrans rules for ostree repo directories which need to be writable by subscription-manager.
Mon Aug 4 14:00:00 2014 Tom Callaway 3.13.1-69 - fix license handling
Thu Jul 31 14:00:00 2014 Miroslav Grepl 3.13.1-68 - Add new mozilla_plugin_bind_unreserved_ports boolean to allow mozilla plugin to use tcp/udp unreserved ports. There are a lot of plugins which bind ports without SELinux port type. We want to allow users to use these plugins properly using this boolean. (#1109681) - Allow smokeping cgi scripts to accept connection on httpd stream socket. - docker does a getattr on all file systems - Label all abort-dump programs - Allow alsa to create lock file to see if it fixes. - Add support for zabbix external scripts for which zabbix_script_t domain has been created. This domain is unconfined by default and user needs to run "semodule -d unconfined" to make system running without unconfined domains. The default location of these scripts is /usr/lib/zabbix/externalscripts. If a user changes DATADIR in CONFIG_EXTERNALSCRIPTS then he needs to set labeling for this new location. - Add interface for journalctl_exec - Add labels also for glusterd sockets. - Change virt.te to match default docker capabilities - Add additional booleans for turning on mknod or all caps. - Also add interface to allow users to write policy that matches docker defaults for capabilities. - Label dhcpd6 unit file. - Add support also for dhcp IPv6 services. - Added support for dhcrelay service - Additional access for bluejeans - docker needs more access, need back port to RHEL7 - Allow mdadm to connect to own socket created by mdadm running as kernel_t. - Fix pkcs, Remove pkcs_lock_filetrans and Add files_search_locks - Allow bacula manage bacula_log_t dirs - Allow pkcs_slotd_t read /etc/passwd, Label /var/lock/opencryptoki as pkcs_slotd_lock_t - Fix mistakes keystone and quantum - Label neutron var run dir - Label keystone var run dir - Fix bad labeling for /usr/s?bin/(oo|rhc)-restorer-wrapper.sh in openshift.fc. - Dontaudit attempts to access check cert dirs/files for sssd. - Allow sensord to send a signal. - Allow certmonger to stream connect to dirsrv to make ipa-server-install working. - Label zabbix_var_lib_t directories - Label conman's pid file as conman_var_run_t - Label also /var/run/glusterd.socket file as gluster_var_run_t - Fix policy for pkcsslotd from opencryptoki - Update cockpit policy from cockpit upstream. - Allow certmonger to exec ldconfig to make ipa-server-install working. - Added support for Naemon policy - Allow keepalived manage snmp files - Add setpgid process to mip6d - remove duplicate rule - Allow postfix_smtpd to stream connect to antivirus - Dontaudit list /tmp for icecast - Allow zabbix domains to access /proc//net/dev.
Wed Jul 23 14:00:00 2014 Lukas Vrabec 3.13.1-67 - Allow zabbix domains to access /proc//net/dev. - Dontaudit list /tmp for icecast (#894387) - Allow postfix_smtpd to stream connect to antivirus (#1105889) - Add setpgid process to mip6d - Allow keepalived manage snmp files (#1053450) - Added support for Naemon policy (#1120789). - Allow certmonger to exec ldconfig to make ipa-server-install working. (#1122110) - Update cockpit policy from cockpit upstream.
Mon Jul 21 14:00:00 2014 Miroslav Grepl 3.13.1-66 - Revert labeling back to /var/run/systemd/initctl/fifo - geoclue dbus chats with modemmanager - Bluejeans wants to connect to port 5000
Fri Jul 18 14:00:00 2014 Lukas Vrabec 3.13.1-65 - Allow sysadm to dbus chat with systemd - Add logging_dontaudit_search_audit_logs() - Add new files_read_all_mountpoint_symlinks() - Fix labeling path from /var/run/systemd/initctl/fifo to /var/run/initctl/fifo. - Allow ndc to read random and urandom device (#1110397) - Allow zabbix to read system network state - Allow fprintd to execute usr_t/bin_t - Allow mailserver_domain domains to append dead.letter labeled as mail_home_t - Add glance_use_execmem boolean to have glance configured to use Ceph/rbd - Dontaudit search audit logs for fail2ban - Allow mailserver_domain domains to create mail home content with right labeling - Dontaudit svirt_sandbox_domain doing access checks on /proc - Fix files_pid_filetrans() calling in nut.te to reflect allow rules. - Use nut_domain attribute for files_pid_filetrans() for nut domains. - Allow sandbox domains read all mountpoint symlinks to make symlinked homedirs - Fix nut domains only have type transition on dirs in /run/nut directory. - Allow net_admin/net_raw capabilities for haproxy_t. haproxy uses setsockopt() - Clean up osad policy. Remove additional interfaces/rules
Mon Jul 14 14:00:00 2014 Lukas Vrabec 3.13.1-64 - Allow systemd domains to check lvm status - Allow getty to execute plymouth. #1112870 - Allow sshd to send signal to chkpwd_t - initctl fifo file has been renamed - Set proper labeling on /var/run/sddm - Fix labeling for cloud-init logs - Allow kexec to read kallsyms - Add rhcs_stream_connect_haproxy interface, Allow neutron stream connect to rhcs - Add fsetid caps for mandb. #1116165 - Allow all nut domains to read /dev/(u)?random. - Allow deltacloudd_t to read network state BZ #1116940 - Add support for KVM virtual machines to use NUMA pre-placement - Allow utilizing winbind for authentication to AD - Allow chrome sandbox to use udp_sockets leaked in by its parent - Allow gfs_controld_t to getattr on all file systems - Allow logrotate to manage virt_cache - varnishd needs to have fsetid capability - Allow dovecot domains to send signal perms to themselves - Allow apache to manage pid sock files - Allow nut_upsmon_t to create sock_file in /run dir - Add capability sys_ptrace to stapserver - Mysql can execute scripts when run in a cluster to see if someone is listening on a socket, basically runs lsof - Added support for vdsm
Fri Jul 4 14:00:00 2014 Miroslav Grepl 3.13.1-63 - If I can create a socket I need to be able to set the attributes - Add tcp/8775 port as neutron port - Add additional ports for swift ports - Added changes to fedora from bug bz#1082183 - Add support for tcp/6200 port - Allow collectd getattr access to configfs_t dir Fixes Bug 1115040 - Update neutron_manage_lib_files() interface - Allow glusterd to connect to ephemeral ports - Allow apache to search ipa lib files by default - Allow neutron to domtrans to haproxy - Add rhcs_domtrans_haproxy() - Add support for openstack-glance-* unit files - Add initial support for /usr/bin/glance-scrubber - Allow swift to connect to keystone and memcache ports. - Fix labeling for /usr/lib/systemd/system/openstack-cinder-backup - Add policies for openstack-cinder - Add support for /usr/bin/nova-conductor - Add neutron_can_network boolean - Allow neutron to connect to neutron port - Allow glance domain to use syslog - Add support for /usr/bin/swift-object-expirer and label it as swift_exec_t
Wed Jun 25 14:00:00 2014 Miroslav Grepl 3.13.1-62 - Allow swift to use tcp/6200 swift port - Allow swift to search apache configs - Remove duplicate .fc entry for Grilo plugin bookmarks - Remove duplicate .fc entry for telepathy-gabble - Additional allow rules for docker sandbox processes - Allow keepalived connect to agentx port - Allow neutron-ns-metadata to connect to own unix stream socket - Add support for tcp/6200 port - Remove ability for confined users to run xinit - New tool for managing wireless /usr/sbin/iw
Fri Jun 20 14:00:00 2014 Miroslav Grepl 3.13.1-61 - Add back MLS policy
Thu Jun 19 14:00:00 2014 Miroslav Grepl 3.13.1-60 - Implement new spec file handling for *.pp modules which allows us to move a policy module out of the policy
Tue Jun 17 14:00:00 2014 Miroslav Grepl 3.13.1-59 - Allow system_bus_types to use stream_sockets inherited from system_dbusd - Allow journalctl to call getpw - New access needed by dbus to talk to kernel stream - Label sm-notify pid files correctly - contrib: Add KMSCon policy module
Wed Jun 11 14:00:00 2014 Miroslav Grepl 3.13.1-58 - Add mozilla_plugin_use_bluejeans boolean - Add additional interfaces needed by mozilla_plugin_use_bluejeans boolean
Mon Jun 9 14:00:00 2014 Miroslav Grepl 3.13.1-57 - Allow staff_t to communicate and run docker - Fix *_ecryptfs_home_dirs booleans - Allow ldconfig_t to read/write inherited user tmp pipes - Allow storaged to dbus chat with lvm_t - Add support for storaged and storaged-lvm-helper. Labeled it as lvm_exec_t. - Use proper calling in ssh.te for userdom_home_manager attribute - Use userdom_home_manager_type() also for ssh_keygen_t - Allow locate to list directories without labels - Allow bitlbee to use tcp/7778 port - /etc/cron.daily/logrotate to execute fail2ban-client. - Allow keepalived to connect to SNMP port. Support to do SNMP stuff - Dontaudit search mgrepl/.local for cobblerd_t - Allow neutron to execute kmod in insmod_t - Allow neutron to execute udevadm in udev_t - Allow also fowner cap for varnishd - Allow keepalived to execute bin_t/shell_exec_t - rhsmcertd seems to need these accesses. We need this backported to RHEL7 and perhaps RHEL6 policy - Add cups_execmem boolean - Allow gear to manage gear service - New requires for gear to use systemctl and init var_run_t - Allow cups to execute its rw_etc_t files, for Brother printers - Add fixes to make munin and munin-cgi working. Allow munin-cgi to create files/dirs in /tmp, list munin conf dirs and manage munin logs. - Allow swift to execute bin_t - Allow swift to bind http_cache
Sun Jun 8 14:00:00 2014 Fedora Release Engineering - 3.13.1-56 - Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild
Tue May 27 14:00:00 2014 Miroslav Grepl 3.13.1-55 - Add decl for cockpit port - Allow sysadm_t to read all kernel proc - Allow logrotate to execute all executables - Allow lircd_t to use tty_device_t for use with mythtv - Make sure all zabbix files/directories in /var/log have the correct label - Allow bitlbee to create directories and files in /var/log with the correct label - Label /var/log/horizon as an apache log - Add squid directory in /var/run - Add transition rules to allow rabbitmq to create log files and var_lib files with the correct label - Wrongly labeled avahi_var_lib_t as a pid file - Fix labels on rabbitmq_var_run_t on file/dir creation - Allow neutron to create sock files - Allow postfix domains to getattr on all file systems - Label swift-proxy-server as swift_exec_t - Tighten SELinux capabilities to match docker capabilities - Add fixes for squid which is configured to run with more than one worker. - Allow cockpit to bind to its port
Tue May 20 14:00:00 2014 Miroslav Grepl 3.13.1-54 - geard seems to do a lot of relabeling - Allow system_mail_t to append to munin_var_lib_t - Allow mozilla_plugin to read alsa_rw_ content - Allow asterisk to connect to the apache ports - Dontaudit attempts to read fixed disk - Dontaudit search gconf_home_t - Allow rsync to create swift_server.lock with swift.log labeling - Add labeling for swift lock files - Use swift_virt_lock in swift.te - Allow openwsman to getattr on sblim_sfcbd executable - Fix sblim_stream_connect_sfcb() to contain also sblim_tmp_t - Allow openwsman_t to read/write sblim-sfcb shared mem - Allow openwsman to stream connect to sblim-sfcbd - Allow openwsman to create tmpfs files/dirs - dontaudit access to rpm db if rpm_exec for swift_t and sblim_sfcbd_t - Allow sblim_sfcbd to execute shell - Allow swift to create lock file - Allow openwsman to use tcp/80 - Allow neutron to create also dirs in /tmp - Allow seunshare domains to getattr on all executables - Allow ssh-keygen to create temporary files/dirs needed by OpenStack - Allow named_filetrans_domain to create /run/netns - Allow ifconfig to create /run/netns
Tue May 13 14:00:00 2014 Miroslav Grepl 3.13.1-53 - Add missing dyntransition for sandbox_x_domain
Wed May 7 14:00:00 2014 Miroslav Grepl 3.13.1-52 - More rules for gears and openshift - Added iotop policy. Thanks William Brown - Allow spamc to read .pyzor located in /var/spool/spampd - Allow spamc to create home content with correct labeling - Allow logwatch_mail_t to create dead.letter with correct labeling - Add labeling for min-cloud-agent - Allow geoclue to read unix in proc. - Add support for /usr/local/Brother labeling. We removed /usr/local equiv. - add support for min-cloud-agent - Allow ulogd to request the kernel to load a module - remove unconfined_domain for openwsman_t - Add openwsman_tmp_t rules - Allow openwsman to execute chkpwd and make this domain as unconfined for F20. - Allow nova-scheduler to read passwd file - Allow neutron execute arping in neutron_t - Dontaudit logrotate executing systemctl command attempting to net_admin - Allow mozilla plugins to use /dev/sr0 - svirt sandbox domains to read gear content in /run. Allow gear_t to manage openshift files - Any app that executes systemctl will attempt a net_admin - Fix path to mmap_min_addr
Wed May 7 14:00:00 2014 Miroslav Grepl 3.13.1-51 - Add gear fixes from dwalsh
Tue May 6 14:00:00 2014 Miroslav Grepl 3.13.1-50 - selinux_unconfined_type should not be able to set booleans if the securemode is set - Update sandbox_transition() to call sandbox_dyntransition(). #885288.
Mon May 5 14:00:00 2014 Miroslav Grepl 3.13.1-49 - Fix labeling for /root/\.yubico - userdom_search_admin_dir() calling needs to be optional in kernel.te - Dontaudit leaked xserver_misc_device_t into plugins - Allow all domains to search through all base_file_types, this should be back ported to RHEL7 policy - Need to allow sssd_t to manage kernel keyrings in login programs since they don't get labeled with user domains - Bootloader wants to look at init state - Add MCS/MLS Constraints to kernel keyring, also add MCS Constraints to ipc, sem, msgq, shm - init reads kdump etc files - Add support for tcp/9697 - Fix labeling for /var/run/user//gvfs - Add support for us_cli ports - fix sysnet_use_ldap - Allow mysql to execute ifconfig if Red Hat OpenStack - Allow stap-server to get attr on all fs - Fix mail_pool_t to mail_spool_t - Add new labeling for /var/spool/smtpd - Allow httpd_t to kill passenger - Allow apache cgi scripts to use inherited httpd_t unix_stream_sockets - Allow nova-scheduler to read passwd/utmp files - Additional rules required by openstack, needs backport to F20 and RHEL7 - Additional access required by docker - Allow motion to use tcp/8082 port
Fri Apr 25 14:00:00 2014 Miroslav Grepl 3.13.1-48 - Fix virt_use_samba boolean - Looks like all domains that use dbus libraries are now reading /dev/urandom - Add glance_use_fusefs() boolean - Allow tgtd to read /proc/net/psched - Additional access required for gear management of openshift directories - Allow sys_ptrace for mock-build - Fix mock_read_lib_files() interface - Allow mock-build to write all inherited ttys and ptys - Allow spamd to create razor home dirs with correct labeling - Clean up sysnet_use_ldap() - systemd calling needs to be optional - Allow init_t to setattr/relabelfrom dhcp state files
Wed Apr 23 14:00:00 2014 Miroslav Grepl 3.13.1-47 - mongod should not be a part of cloudforms.pp - Fix labeling in snapper.fc - Allow docker to read unconfined_t process state - geoclue dbus chats with NetworkManager - Add cockpit policy - Add interface to allow tools to check the processes state of bind/named - Allow mysqld to use the tram port for Galera/MariaDB
Fri Apr 18 14:00:00 2014 Miroslav Grepl 3.13.1-46 - Allow init_t to setattr/relabelfrom dhcp state files - Allow dmesg to read hwdata and memory dev - Allow strongswan to create ipsec.secrets with correct labeling in /etc/strongswan - Dontaudit antivirus domains read access on all security files by default - Add missing alias for old amavis_etc_t type - Additional fixes for instack overcloud - Allow block_suspend cap for haproxy - Allow OpenStack to read mysqld_db links and connect to MySQL - Remove dup filename rules in gnome.te - Allow sys_chroot cap for httpd_t and setattr on httpd_log_t - Add labeling for /lib/systemd/system/thttpd.service - Allow iscsid to handle own unit files - Add iscsi_systemctl() - Allow mongod also create sock_file with correct labeling in /run - Allow aiccu stream connect to pcscd - Allow rabbitmq_beam to connect to httpd port - Allow httpd to send signull to apache script domains and don't audit leaks - Fix labeling in drbd.fc - Allow sssd to connect to the smbd port for handling logins using active directory, needs back port for rhel7 - Allow all freeipmi domains to read/write ipmi devices - Allow rabbitmq_epmd to manage rabbit_var_log_t files - Allow sblim_sfcbd to use also pegasus-https port - Allow chronyd to read /sys/class/hwmon/hwmon1/device/temp2_input - Add httpd_run_preupgrade boolean - Add interfaces to access preupgrade_data_t - Add preupgrade policy - Add labeling for puppet helper scripts
Tue Apr 8 14:00:00 2014 Miroslav Grepl 3.13.1-45 - Rename puppet_t to puppetagent_t and use it only for puppet agent which can be started by init. Also make it as unconfined_noaudit because there is no reason to confine it but we want to avoid init_t.
Tue Apr 8 14:00:00 2014 Miroslav Grepl 3.13.1-44 - Change hsperfdata_root to have as user_tmp_t - Allow rsyslog low-level network access - Fix use_nfs_home_dirs/use_samba_home_dirs for xdm_t to allow append .xsession-errors by lightdm - Allow conman to resolve DNS and use user ptys - update pegasus_openlmi_admin_t policy - nslcd wants chown capability - Dontaudit exec insmod in boinc policy
Fri Apr 4 14:00:00 2014 Miroslav Grepl 3.13.1-43 - Add labels for /var/named/chroot_sdb/dev devices - Add support for strongimcv - Add additional fixes for yubikeys based on william@firstyear.id.au - Allow init_t run /sbin/augenrules - Remove dup decl for dev_unmount_sysfs_fs - Allow unpriv SELinux user to use sandbox - Fix ntp_filetrans_named_content for sntp-kod file - Add httpd_dbus_sssd boolean - Dontaudit exec insmod in boinc policy - Add dbus_filetrans_named_content_system() - We want to label only /usr/bin/start-puppet-master to avoid puppet agent running in puppet_t - varnishd wants chown capability - update ntp_filetrans_named_content() interface - Add additional fixes for neutron_t. #1083335 - Dontaudit sandbox_t getattr on proc_kcore_t - Allow pki_tomcat_t to read ipa lib files
Tue Apr 1 14:00:00 2014 Miroslav Grepl 3.13.1-42 - Merge user_tmp_t and user_tmpfs_t together to have only user_tmp_t
Thu Mar 27 13:00:00 2014 Miroslav Grepl 3.13.1-41 - Turn on gear_port_t - Add gear policy and remove permissive domains. - Add labels for ostree - Add SELinux awareness for NM - Label /usr/sbin/pwhistory_helper as updpwd_exec_t
Wed Mar 26 13:00:00 2014 Miroslav Grepl 3.13.1-40 - update storage_filetrans_all_named_dev for sg* devices - Allow auditctl_t to getattr on all removable devices - Allow nsswitch_domains to stream connect to nmbd - Allow rasdaemon to rw /dev/cpu//msr - fix /var/log/pki file spec - make bacula_t as auth_nsswitch domain - Allow certmonger to manage ipa lib files - Add support for /var/lib/ipa
Tue Mar 25 13:00:00 2014 Miroslav Grepl 3.13.1-39 - Manage_service_perms should include enable and disable, need backport to RHEL7 - Allow also unpriv user to run vmtools - Allow secadm to read /dev/urandom and meminfo - Add userdom_tmp_role for secadm_t - Allow postgresql to read network state - Add a new file context for /var/named/chroot/run directory - Add booleans to allow docker processes to use nfs and samba - Dontaudit net_admin for /usr/lib/jvm/java-1.7.0-openjdk-1.7.0.51-2.4.5.1.el7.x86_64/jre-abrt/bin/java running as pki_tomcat_t - Allow puppet stream connect to mysql - Fixed some rules related to puppet policy - Allow vmware-user-sui to use user ttys - Allow talk 2 users logged via console too - Additional avcs for docker when running tests - allow anaconda to dbus chat with systemd-localed - clean up rhcs.te - remove dup rules from haproxy.te - Add fixes for haproxy based on bperkins@redhat.com - Allow cmirrord to make dmsetup working - Allow NM to execute arping - Allow users to send messages through talk - update rtas_errd policy - Add support for /var/spool/rhsm/debug - Make virt_sandbox_use_audit as True by default - Allow svirt_sandbox_domains to ptrace themselves - Allow snmpd to getattr on removable and fixed disks - Allow docker containers to manage /var/lib/docker content
Mon Mar 17 13:00:00 2014 Miroslav Grepl 3.13.1-38 - Label sddm as xdm_exec_t to make KDE working again - Allow postgresql to read network state - Allow java running as pki_tomcat to read network sysctls - Fix cgroup.te to allow cgred to read cgconfig_etc_t - Allow beam.smp to use ephemeral ports - Allow winbind to use the nis to authenticate passwords
Mon Mar 17 13:00:00 2014 Miroslav Grepl 3.13.1-37 - Allow collectd to talk to libvirt - Allow chrome_sandbox to use leaked unix_stream_sockets - Dontaudit leaks of sockets into chrome_sandbox_t - If you create a cups directory in /var/cache then it should be labeled cups_rw_etc_t - Run vmtools as unconfined domains - Allow snort to manage its log files - Allow systemd_cronjob_t to be entered via bin_t - Allow procman to list doveconf_etc_t - allow keyring daemon to create content in tmpfs directories - Add proper labelling for icedtea-web - vpnc is creating content in networkmanager var run directory - unconfined_service should be allowed to transition to rpm_script_t - Allow couchdb to listen on port 6984 - Dontaudit attempts by unpriv user domain to write to /run/mount directory, caused by running mount command - Allow systemd-logind to setup user tmpfs directories - Add additional fixes for systemd_networkd_t - Allow systemd-logind to manage user_tmpfs_t - Allow systemd-logind to mount /run/user/1000 to get gdm working
Fri Mar 14 13:00:00 2014 Miroslav Grepl 3.13.1-36 - Add additional fixes for systemd_networkd_t - Allow systemd-logind to manage user_tmpfs_t - Allow systemd-logind to mount /run/user/1000 to get gdm working - Dontaudit attempts to setsched on the kernel_t threads - Allow munin mail plugins to read network sysctl - Fix git_system_enable_homedirs boolean - Make cimtest script 03_defineVS.py of ComputerSystem group working - Make abrt-java-connector working - Allow net_admin cap for fence_virtd running as fenced_t - Allow vmtools_helper_t to execute bin_t - Add support for /usr/share/joomla
Thu Mar 13 13:00:00 2014 Miroslav Grepl 3.13.1-35 - sshd to read network sysctls - Allow vmtools_helper_t to execute bin_t - Add support for /usr/share/joomla - /var/lib/containers should be labeled as openshift content for now - Allow docker domains to talk to the login programs, to allow a process to login into the container
Wed Mar 12 13:00:00 2014 Miroslav Grepl 3.13.1-34 - Add install_t for anaconda
Wed Mar 12 13:00:00 2014 Miroslav Grepl 3.13.1-33 - Allow init_t to stream connect to ipsec - Add /usr/lib/systemd/systemd-networkd policy - Add sysnet_manage_config_dirs() - Add support for /var/run/systemd/network and labeled it as net_conf_t - Allow unpriv SELinux users to dbus chat with firewalld - Add lvm_write_metadata() - Label /etc/yum.repos.d dir as system_conf_t. Should be safe because system_conf_t is base_ro_file_type - Add support for /dev/vmcp and /dev/sclp - Add docker_connect_any boolean - Fix zabbix policy - Allow zabbix to send system log msgs - Allow pegasus_openlmi_storage_t to write lvm metadata - Updated pcp_bind_all_unreserved_ports - Allow numad to write scan_sleep_millisecs - Turn on entropyd_use_audio boolean by default - Allow cgred to read /etc/cgconfig.conf because it contains templates used together with rules from /etc/cgrules.conf. - Allow lscpu running as rhsmcertd_t to read /proc/sysinfo
Mon Mar 10 13:00:00 2014 Miroslav Grepl 3.13.1-32 - Allow numad to write scan_sleep_millisecs - Turn on entropyd_use_audio boolean by default - Allow cgred to read /etc/cgconfig.conf because it contains templates used together with rules from /etc/cgrules.conf. - Allow lscpu running as rhsmcertd_t to read /proc/sysinfo - Fix label on irclogs in the homedir
Fri Mar 7 13:00:00 2014 Miroslav Grepl 3.13.1-31 - Modify xdm_write_home to allow create files/links in /root with xdm_home_t - Add more fixes for https://fedoraproject.org/wiki/Changes/XorgWithoutRootRights - Add xserver_dbus_chat() interface - Add sysnet_filetrans_named_content_ifconfig() interface - Change userdom_use_user_inherited_ttys to userdom_use_user_ttys for systemd-tty-ask - Turn on cron_userdomain_transition by default for now. Until we get a fix for #1063503 - Allow lscpu running as rhsmcertd_t to read sysinfo - Allow virt domains to read network state - Added pcp rules - Allow ctdbd to connect own ports - Fix samba_export_all_rw boolean to cover also non security dirs - Allow swift to exec rpm in swift_t and allow to create tmp files/dirs - Allow neutron to create /run/netns with correct labeling - Allow to run ip cmd in neutron_t domain - Allow rpm_script_t to dbus chat also with systemd-localed - Fix ipa_stream_connect_otpd()
Tue Mar 4 13:00:00 2014 Miroslav Grepl 3.13.1-30 - Allow block_suspend cap2 for systemd-logind and rw dri device - Add labeling for /usr/libexec/nm-libreswan-service - Allow locallogin to rw xdm key to make Virtual Terminal login providing smartcard pin working - Add xserver_rw_xdm_keys() - Allow rpm_script_t to dbus chat also with systemd-localed - Fix ipa_stream_connect_otpd() - update lpd_manage_spool() interface - Allow krb5kdc to stream connect to ipa-otpd - Add ipa_stream_connect_otpd() interface - Allow vpnc to unlink NM pids - Add networkmanager_delete_pid_files() - Allow munin plugins to access unconfined plugins - update abrt_filetrans_named_content to cover /var/spool/debug - Label /var/spool/debug as abrt_var_cache_t - Allow rhsmcertd to connect to squid port - Make docker_transition_unconfined as optional boolean - Allow certmonger to list home dirs
Fri Feb 28 13:00:00 2014 Miroslav Grepl 3.13.1-29 - Make docker as permissive domain
Thu Feb 27 13:00:00 2014 Miroslav Grepl 3.13.1-28 - Allow bumblebeed to send signal to insmod - Dontaudit attempts by crond_t net_admin caused by journald - Allow the docker daemon to mounton tty_device_t - Add additional snapper fixes to allow relabel file_t - Allow setattr for all mountpoints - Allow snapperd to write all dirs - Add support for /etc/sysconfig/snapper - Allow mozilla_plugin to getsession - Add labeling for thttpd - Allow sosreport to execute grub2-probe - Allow NM to manage hostname config file - Allow systemd_timedated_t to dbus chat with rpm_script_t - Allow lsmd plugins to connect to http/ssh/http_cache ports by default - Add lsmd_plugin_connect_any boolean - Add support for ipset - Add support for /dev/sclp_line0 - Add modutils_signal_insmod() - Add files_relabelto_all_mountpoints() interface - Allow all systemd domains to read /proc/1 - Login programs talking to journald are attempting to net_admin, add dontaudit - init is not getattr on processes at shutdown time - Add systemd_hostnamed_manage_config() interface - Make unconfined_service_t valid in enforcing - Remove transition for temp dirs created by init_t - gdm-simple-slave uses setsockopt - Add lvm_read_metadata()
Mon Feb 24 13:00:00 2014 Miroslav Grepl 3.13.1-27 - Make unconfined_service_t valid in enforcing - Remove transition for temp dirs created by init_t - gdm-simple-slave uses setsockopt - Treat usermodehelper_t as a sysctl_type - xdm communicates with geo - Add lvm_read_metadata() - Allow rabbitmq_beam to connect to jabber_interserver_port - Allow logwatch_mail_t to transition to qmail_inject and queue - Added new rules to pcp policy - Allow vmtools_helper_t to change role to system_r - Allow NM to dbus chat with vmtools
Fri Feb 21 13:00:00 2014 Miroslav Grepl 3.13.1-26 - Add labeling for /usr/sbin/amavi - Colin asked for this program to be treated as cloud-init - Allow ftp services to manage xferlog_t - Fix vmtools policy to allow user roles to access vmtools_helper_t - Allow block_suspend cap2 for ipa-otpd - Allow certmonger to search home content - Allow pkcsslotd to read users state - Allow exim to use pam stack to check passwords
Tue Feb 18 13:00:00 2014 Miroslav Grepl 3.13.1-25 - Add lvm_read_metadata() - Allow auditadm to search /var/log/audit dir - Add lvm_read_metadata() interface - Allow confined users to run vmtools helpers - Fix userdom_common_user_template() - Generic systemd unit scripts do write check on / - Allow init_t to create init_tmp_t in /tmp. This is for temporary content created by generic unit files - Add additional fixes needed for init_t and setup script running in generic unit files - Allow general users to create packet_sockets - added connlcli port - Add init_manage_transient_unit() interface - Allow init_t (generic unit files) to manage rpc state data as we had it for initrc_t - Fix userdomain.te to require passwd class - devicekit_power sends out a signal to all processes on the message bus when power is going down - Dontaudit random domains listing /proc and hitting system_map_t - Dontaudit leaks of var_t into ifconfig_t - Allow domains that transition to ssh_t to manipulate its keyring - Define oracleasm_t as a device node - Change to handle /root as a symbolic link for os-tree - Allow sysadm_t to create packet_socket, also move some rules to attributes - Add label for openvswitch port - Remove general transition for files/dirs created in /etc/mail which got etc_aliases_t label. - Allow postfix_local to read .forward in pcp lib files - Allow pegasus_openlmi_storage_t to read lvm metadata - Add additional fixes for pegasus_openlmi_storage_t - Allow bumblebee to manage debugfs - Make bumblebee as unconfined domain - Allow snmp to read etc_aliases_t - Allow lscpu running in pegasus_openlmi_storage_t to read /dev/mem - Allow pegasus_openlmi_storage_t to read /proc/1/environ - Dontaudit read gconf files for cupsd_config_t - make vmtools as unconfined domain - Add vmtools_helper_t for helper scripts. Allow vmtools shutdown a host and run ifconfig. - Allow collectd_t to use a mysql database - Allow ipa-otpd to perform DNS name resolution - Added new policy for keepalived - Allow openlmi-service provider to manage transient units and allow stream connect to sssd - Add additional fixes new pcsc-lite+polkit support - Add labeling for /run/krb5kdc - Change w3c_validator_tmp_t to httpd_w3c_validator_tmp_t in F20 - Allow pcscd to read users proc info - Dontaudit smbd_t sending out random signulls - Add boolean to allow openshift domains to use nfs - Allow w3c_validator to create content in /tmp - zabbix_agent uses nsswitch - Allow procmail and dovecot to work together to deliver mail - Allow spamd to execute files in homedir if boolean turned on - Allow openvswitch to listen on port 6634 - Add net_admin capability in collectd policy - Fixed snapperd policy - Fixed bugs for pcp policy - Allow dbus_system_domains to be started by init - Fixed some interfaces - Add kerberos_keytab_domain attribute - Fix snapperd_conf_t def
Fri Feb 14 13:00:00 2014 Miroslav Grepl 3.13.1-24
- Dontaudit random domains listing /proc and hitting system_map_t
- devicekit_power sends out a signal to all processes on the message bus when power is going down
- Modify xdm_write_home to allow create also links as xdm_home_t if the boolean is on true
- systemd_tmpfiles_t needs to _setcheckreqprot
- Add unconfined_server to be run by init_t when it executes files labeled bin_t, or usr_t, allow all domains to communicate with it
- Fixed snapperd policy
- Fixed broken interfaces
- Should use rw_socket_perms rather than sock_file on a unix_stream_socket
- Fixed bugs for pcp policy
- pcscd seems to be using policy kit and looking at domains proc data that transition to it
- Allow dbus_system_domains to be started by init
- Fixed some interfaces
- Adopt corenet rules for unbound-anchor to rpm_script_t
- Allow runuser to send audit messages.
- Allow postfix-local to search .forward in munin lib dirs
- Allow udisks to connect to D-Bus
- Allow spamd to connect to spamd port
- Fix syntax error in snapper.te
- Dontaudit osad to search gconf home files
- Allow rhsmcertd to manage /etc/sysconf/rhn directory
- Fix pcp labeling to accept /usr/bin for all daemon binaries
- Fix mcelog_read_log() interface
- Allow iscsid to manage iscsi lib files
- Allow snapper domtrans to lvm_t. Add support for /etc/snapper and allow snapperd to manage it.
- Allow ABRT to read puppet certs
- Allow virtd_lxc_t to specify the label of a socket
- New version of docker requires more access
Mon Feb 10 13:00:00 2014 Miroslav Grepl 3.13.1-23
- Adopt corenet rules for unbound-anchor to rpm_script_t
- Allow runuser to send audit messages.
- Allow postfix-local to search .forward in munin lib dirs
- Allow udisks to connect to D-Bus
- Allow spamd to connect to spamd port
- Fix syntax error in snapper.te
- Dontaudit osad to search gconf home files
- Allow rhsmcertd to manage /etc/sysconf/rhn directory
- Fix pcp labeling to accept /usr/bin for all daemon binaries
- Fix mcelog_read_log() interface
- Allow iscsid to manage iscsi lib files
- Allow snapper domtrans to lvm_t. Add support for /etc/snapper and allow snapperd to manage it.
- Make tuned_t as unconfined domain for RHEL7.0
- Allow ABRT to read puppet certs
- Add sys_time capability for virt-ga
- Allow qemu-ga to domtrans to hwclock_t
- Allow additional access for virt_qemu_ga_t processes to read system clock and send audit messages
- Fix some AVCs in pcp policy
- Add to bacula capability setgid and setuid and allow to bind to bacula ports
- Changed label from rhnsd_rw_conf_t to rhnsd_conf_t
- Add access rhnsd and osad to /etc/sysconfig/rhn
- drbdadm executes drbdmeta
- Fixes needed for docker
- Allow epmd to manage /var/log/rabbitmq/startup_err file
- Allow beam.smp connect to amqp port
- Modify xdm_write_home to allow create also links as xdm_home_t if the boolean is on true
- Allow init_t to manage pluto.ctl because of init_t instead of initrc_t
- Allow systemd_tmpfiles_t to manage all non security files on the system
- Added labels for bacula ports
- Fix label on /dev/vfio/vfio
- Add kernel_mounton_messages() interface
- init wants to manage lock files for iscsi
Wed Feb 5 13:00:00 2014 Miroslav Grepl 3.13.1-22
- Fix /dev/vfio/vfio labeling
Wed Feb 5 13:00:00 2014 Miroslav Grepl 3.13.1-21
- Add kernel_mounton_messages() interface
- init wants to manage lock files for iscsi
- Add support for dey_sapi port
- Fixes needed for docker
- Allow epmd to manage /var/log/rabbitmq/startup_err file
- Allow beam.smp connect to amqp port
- drbdadm executes drbdmeta
- Added osad policy
- Allow postfix to deliver to procmail
- Allow vmtools to execute /usr/bin/lsb_release
- Allow geoclue to read /etc/passwd
- Allow docker to write system net ctrls
- Add support for rhnsd unit file
- Add dbus_chat_session_bus() interface
- Add dbus_stream_connect_session_bus() interface
- Fix pcp.te
- Fix logrotate_use_nfs boolean
- Add lot of pcp fixes found in RHEL7
- fix labeling for pmie for pcp pkg
- Change thumb_t to be allowed to chat/connect with session bus type
- Add logrotate_use_nfs boolean
- Allow setroubleshootd to read rpc sysctl
Thu Jan 30 13:00:00 2014 Miroslav Grepl 3.13.1-20
- Allow passwd_t to use ipc_lock, so that it can change the password in gnome-keyring
- Allow geoclue to create temporary files/dirs in /tmp
- Add httpd_dontaudit_search_dirs boolean
- Add support for winbind.service
- Allow also fail2ban-client to read apache logs
- Allow vmtools to getattr on all fs
Tue Jan 28 13:00:00 2014 Miroslav Grepl 3.13.1-19
- Add net_admin also for systemd_passwd_agent_t
- Allow Associate usermodehelper_t to sysfs filesystem
- Allow gdm to create /var/gdm with correct labeling
- Allow domains to append rkhunter lib files. #1057982
- Allow systemd_tmpfiles_t net_admin to communicate with journald
- update libs_filetrans_named_content() to have support for /usr/lib/debug directory
- Adding a new service script to enable setcheckreqprot
- Add interface to getattr on an isid_type for any type of file
- Allow initrc_t domtrans to authconfig if unconfined is enabled
- Add labeling for snapper.log
- Allow tumbler to execute dbusd-daemon in thumb_t
- Add dbus_exec_dbusd()
- Add snapperd_data_t type
- Add additional fixes for snapperd
- Fix bad calling in samba.te
- Allow smbd to create tmpfs
- Allow rhsmcertd-worker send signull to rpm process
- Allow net_admin capability and send system log msgs
- Allow lldpad send dgram to NM
- Add networkmanager_dgram_send()
- rkhunter_var_lib_t is correct type
- Allow openlmi-storage to read removable devices
- Allow system cron jobs to manage rkhunter lib files
- Add rkhunter_manage_lib_files()
- Fix ftpd_use_fusefs boolean to allow manage also symlinks
- Allow smbcontrol block_suspend cap2
- Allow slpd to read network and system state info
- Allow NM domtrans to iscsid_t if iscsiadm is executed
- Allow slapd to send a signal itself
- Allow sslget running as pki_ra_t to contact port 8443, the secure port of the CA.
- Fix plymouthd_create_log() interface
- Add rkhunter policy with files type definition for /var/lib/rkhunter until it is fixed in rkhunter package
- Allow postfix and cyrus-imapd to work out of box
- Remove logwatch_can_sendmail which is no longer used
- Allow fcoemon to talk with unpriv user domain using unix_stream_socket
- snapperd is D-Bus service
- Allow OpenLMI PowerManagement to call 'systemctl --force reboot'
Fri Jan 24 13:00:00 2014 Miroslav Grepl 3.13.1-18
- Add haproxy_connect_any boolean
- Allow haproxy also to use http cache port by default
- Fix /usr/lib/firefox/plugin-container decl
- Allow haproxy to work as simple HTTP proxy. HAProxy For TCP And HTTP Based Applications
- Label also /usr/libexec/WebKitPluginProcess as mozilla_plugin_exec_t
- Fix type in docker.te
- Fix bs_filetrans_named_content() to have support for /usr/lib/debug directory
- Adding a new service script to enable setcheckreqprot
- Add interface to getattr on an isid_type for any type of file
- Allow initrc_t domtrans to authconfig if unconfined is enabled
- Add mozilla_plugin_exec_t labeling for /usr/lib/firefox/plugin-container
Thu Jan 23 13:00:00 2014 Miroslav Grepl 3.13.1-17
- init calling needs to be optional in domain.te
- Allow docker and mount on devpts chr_file
- Allow docker to transition to unconfined_t if boolean set
- Label also /usr/libexec/WebKitPluginProcess as mozilla_plugin_exec_t
- Fix type in docker.te
- Add mozilla_plugin_exec_t labeling for /usr/lib/firefox/plugin-container
- Allow docker to use the network and build images
- Allow docker to read selinux files for labeling, and mount on devpts chr_file
- Allow domains that transition to svirt_sandbox to send it signals
- Allow docker to transition to unconfined_t if boolean set
Wed Jan 22 13:00:00 2014 Miroslav Grepl 3.13.1-16
- New access needed to allow docker + lxc +SELinux to work together
- Allow apache to write to the owncloud data directory in /var/www/html...
- Cleanup sandbox X AVCs
- Allow consolekit to create log dir
- Add support for icinga CGI scripts
- Add support for icinga
- Allow kdumpctl_t to create kdump lock file
- Allow kdump to create lnk lock file
- Allow ABRT write core_pattern
- Allow ABRT to read core_pattern
- Add policy for Geoclue. Geoclue is a D-Bus service that provides location information
- Allow nscd_t block_suspend capability
- Allow unconfined domain types to manage own transient unit file
- Allow systemd domains to handle transient init unit files
- No longer need the rpm_script_roles line since rpm_transition_script now does this for us
- Add/fix interfaces for usermodehelper_t
- Add interfaces to handle transient
- Fixes for new usermodehelper and proc_security_t types, added to increase security on /proc and /sys file systems
Mon Jan 20 13:00:00 2014 Miroslav Grepl 3.13.1-15
- Add cron unconfined role support for unconfined SELinux user
- Call kernel_rw_usermodehelper_state() in init.te
- Call corenet_udp_bind_all_ports() in milter.te
- Allow fence_virtd to connect to zented port
- Fix header for mirrormanager_admin()
- Allow dkim-milter to bind udp ports
- Allow milter domains to send signull itself
- Allow block_suspend for yum running as mock_t
- Allow beam.smp to manage couchdb files
- Add couchdb_manage_files()
- Add labeling for /var/log/php_errors.log
- Allow bumblebee to stream connect to xserver
- Allow bumblebee to send a signal to xserver
- gnome-thumbnail to stream connect to bumblebee
- Fix calling usermodehelper to use _state in interface name
- Allow xkbcomp running as bumblebee_t to execute bin_t
- Allow logrotate to read squid.conf
- Additional rules to get docker and lxc to play well with SELinux
- Call kernel_read_usermodhelper/kernel_rw_usermodhelper
- Make rpm_transition_script accept a role
- Added new policy for pcp
- Allow bumblebee to connect to xserver port
- Allow pegasus_openlmi_storage_t to read hwdata
Fri Jan 17 13:00:00 2014 Miroslav Grepl 3.13.1-14
- Make rpm_transition_script accept a role
- Clean up pcp.te
- Added new policy for pcp
- Allow bumblebee to connect to xserver port
- Added support for named-sdb in bind policy
- Allow NetworkManager to signal and sigkill init scripts
- Allow pegasus_openlmi_storage_t to read hwdata
- Fix rhcs_rw_cluster_tmpfs()
- Allow fenced_t to bind on zented udp port
- Fix mirrormanager_read_lib_files()
- Allow mirrormanager scripts running as httpd_t to manage mirrormanager pid files
- Dontaudit read/write to init stream socket for lsmd_plugin_t
- Allow automount to read nfs link files
- Allow lsm plugins to read/write lsmd stream socket
- Allow svirt_lxc domains to umount dockersocket filesystem
- Allow gnome keyring domains to create gnome config dirs
- Allow rpm scriptlets to create /run/gather with correct labeling
- Add sblim_filetrans_named_content() interface
- Allow ctdb to create sock files in /var/run/ctdb
- Add also labeling for /var/run/ctdb
- Add missing labeling for /var/lib/ctdb
- Allow tuned to manage syslog.conf. Should be fixed in tuned. #1030446
- Dontaudit hypervkvp to search homedirs
- Dontaudit hypervkvp to search admin homedirs
- Allow hypervkvp to execute bin_t and ifconfig in the caller domain
- Dontaudit xguest_t to read ABRT conf files
- Add abrt_dontaudit_read_config()
- Allow namespace-init to getattr on fs
- Add thumb_role() also for xguest
- Add filename transitions to create .spamassassin with correct labeling
- Allow apache domain to read mirrormanager pid files
- Allow domains to read/write shm and sem owned by mozilla_plugin_t
- Allow alsactl to send a generic signal to kernel_t
- Allow plymouthd to read run/udev/queue.bin
- Allow sys_chroot for NM required by iodine service
- Change glusterd to allow mounton all non security
- Labeled ~/.nv/GLCache as being gstreamer output
- Restrict the ability to set usermodehelpers and proc security settings. Limit the ability to write to the files that configure kernel usermodehelpers and security-sensitive proc settings to the init domain. Permissive domains can also continue to set these values. The current list is not exhaustive, just an initial set. Not all of these files will exist on all kernels/devices. Controlling access to certain kernel usermodehelpers, e.g. cgroup release_agent, will require kernel changes to support and cannot be addressed here. Ideas come from Stephen Smalley and seandroid
- Make rpm_transition_script accept a role
- Allow NetworkManager to signal and sigkill init scripts
- Allow init_t to work on transient and snapshot unit files
- Add logging_manage_syslog_config()
- Update sysnet_dns_name_resolve() to allow connect to dnssec port
Mon Jan 13 13:00:00 2014 Miroslav Grepl 3.13.1-13
- Remove file_t from the system and realias it with unlabeled_t
Thu Jan 9 13:00:00 2014 Miroslav Grepl 3.13.1-12
- Add gluster fixes
- Remove ability to transition to unconfined_t from confined domains
- Additional allow rules to get libvirt-lxc containers working with docker
Mon Jan 6 13:00:00 2014 Miroslav Grepl 3.13.1-11
- passwd to create gnome-keyring passwd socket
- systemd_systemctl needs sys_admin capability
- Allow cobbler to search dhcp_etc_t directory
- Allow systemd_tmpfiles_t to delete all directories
- allow sshd to write to all process levels in order to change passwd when running at a level
- Allow updpwd_t to downgrade /etc/passwd file to s0, if it is not running with this range
- Allow apcupsd_t to status and start the power unit file
- Allow udev to manage kdump unit file
- Added new interface modutils_dontaudit_exec_insmod
- Add labeling for /var/lib/servicelog/servicelog.db-journal
- Allow init_t to create tmpfs_t lnk_file
- Add label for ~/.cvsignore
- Allow fprintd_t to send syslog messages
- Add zabbix_var_lib_t for /var/lib/zabbixsrv, also allow zabbix to connect to smtp port
- Allow mozilla plugin to chat with policykit, needed for spice
- Allow gssproxy to change user and gid, as well as read user keyrings
- Allow sandbox apps to attempt to set and get capabilities
- Label upgrades directory under /var/www as httpd_sys_rw_content_t, add other filetrans rules to label content correctly
- allow modemmanager to read /dev/urand
- Allow polipo to connect to http_cache_ports
- Allow cron jobs to manage apache var lib content
- Allow yppassword to manage the passwd_file_t
- Allow showall_t to send itself signals
- Allow cobbler to restart dhcpc, dnsmasq and bind services
- Allow rsync_t to manage all non auth files
- Allow certmonger to manage home cert files
- Allow user_mail_domains to write certain files to the /root and ~/ directories
- Allow apcupsd_t to status and start the power unit file
- Allow cgroupdrulesengd to create content in cgroups directories
- Add new access for mythtv
- Allow irc_t to execute shell and bin_t files
- Allow smbd_t to signull cluster
- Allow sssd to read systemd_login_var_run_t
- Allow gluster daemon to create fifo files in glusterd_brick_t and sock_file in glusterd_var_lib_t
- Add label for /var/spool/cron.aquota.user
- Allow sandbox_x domains to use work with the mozilla plugin semaphore
- Added new policy for speech-dispatcher
- Added dontaudit rule for insmod_exec_t in rasdaemon policy
- Updated rasdaemon policy
- Allow virt_domains to read cert files
- Allow system_mail_t to transition to postfix_postdrop_t
- Clean up mirrormanager policy
- Allow subscription-manager running as sosreport_t to manage rhsmcertd
- Remove ability to do mount/sys_admin by default in virt_sandbox domains
- New rules required to run docker images within libvirt
- Fixed bumblebee_admin() and mip6d_admin()
- Add log support for sensord
- Add label for ~/.cvsignore
- Change mirrormanager to be run by cron
- Add mirrormanager policy
- Additional fixes for docker.te
- Allow cobblerd to read/write undionly.kpxe located in /var/lib/tftpboot
- Add tftp_write_rw_content/tftp_read_rw_content interfaces
- Allow amanda to do backups over UDP
Fri Dec 13 13:00:00 2013 Miroslav Grepl 3.13.1-10
- Allow freeipmi_ipmidetectd_t to use freeipmi port
- Update freeipmi_domain_template()
- Allow journalctl running as ABRT to read /run/log/journal
- Allow NM to read dispatcher.d directory
- Update freeipmi policy
- Type transitions with a filename not allowed inside conditionals
- Allow tor to bind to hplip port
- Make new type to texlive files in homedir
- Allow zabbix_agent to transition to dmidecode
- Add rules for docker
- Allow sosreport to send signull to unconfined_t
- Add virt_noatsecure and virt_rlimitinh interfaces
- Fix labeling in thumb.fc to add support for /usr/lib64/tumbler-1/tumblerd
- Add support for freeipmi port
- Add sysadm_u_default_contexts
- Add logging_read_syslog_pid()
- Fix userdom_manage_home_texlive() interface
- Make new type to texlive files in homedir
- Add filename transitions for /run and /lock links
- Allow virtd to inherit rlimit information
Mon Dec 9 13:00:00 2013 Miroslav Grepl 3.13.1-9
- DRM master and input event devices are used by the TakeDevice API
- Clean up bumblebee policy
- Update pegasus_openlmi_storage_t policy
- opensm policy clean up
- openwsman policy clean up
- ninfod policy clean up
- Allow conman to connect to freeipmi services and clean up conman policy
- Allow conmand just bind on 7890 port
- Add freeipmi_stream_connect() interface
- Allow logwatch read mdadm.conf to support RAID setup
- Add raid_read_conf_files() interface
- Allow up2date running as rpm_t create up2date log file with rpm_log_t labeling
- add rpm_named_filetrans_log_files() interface
- Added policy for conmand
- Allow dkim-milter to create files/dirs in /tmp
- update freeipmi policy
- Add policy for freeipmi services
- Added rdisc_admin and rdisc_systemctl interfaces
- Fix aliases in pegasus.te
- Allow chrome sandbox to read generic cache files in homedir
- Dontaudit mandb searching all mountpoints
- Make sure wine domains create .wine with the correct label
- Add proper aliases for pegasus_openlmi_services_exec_t and pegasus_openlmi_services_t
- Allow winbind the kill capability
- DRM master and input event devices are used by the TakeDevice API
- add dev_rw_inherited_dri() and dev_rw_inherited_input_dev()
- Added support for default conman port
- Add interfaces for ipmi devices
- Make sure wine domains create .wine with the correct label
- Allow manage dirs in kernel_manage_debugfs interface.
- Allow systemctl running in ipsec_mgmt_t to access /usr/lib/systemd/system/ipsec.service
- Label /usr/lib/systemd/system/ipsec.service as ipsec_mgmt_unit_file_t
- Fix userdom_confined_admin_template()
- Add back exec_content boolean for secadm, logadm, auditadm
- Fix files_filetrans_system_db_named_files() interface
- Allow sulogin to getattr on /proc/kcore
- Add filename transition also for servicelog.db-journal
- Add files_dontaudit_access_check_root()
- Add lvm_dontaudit_access_check_lock() interface
- Allow mount to manage mount_var_run_t files/dirs
Tue Dec 3 13:00:00 2013 Miroslav Grepl 3.13.1-8
- Add back fixes for gnome_role_template()
- Label /usr/sbin/htcacheclean as httpd_exec_t
- Add missing alias for pegasus_openlmi_service_exec_t
- Added support for rdisc unit file
- Added new policy for ninfod
- Added new policy for openwsman
- Add antivirus_db_t labeling for /var/lib/clamav-unofficial-sigs
- Allow runuser running as logrotate connections to system DBUS
- Add connectto perm for NM unix stream socket
- Allow watchdog to be executed from cron
- Allow cloud_init to transition to rpm_script_t
- Allow lsmd_plugin_t send system log messages
- Label /var/log/up2date as rpm_log_t and allow sosreport to manage rpm log/pid/cache files which is a part of ABRT policy for sosreport running as abrt_t
- Added new capabilities for mip6d policy
- Label bcache devices as fixed_disk_device_t
- Allow systemctl running in ipsec_mgmt_t to access /usr/lib/systemd/system/ipsec.service
- label /usr/lib/systemd/system/ipsec.service as ipsec_mgmt_unit_file_t
Tue Nov 26 13:00:00 2013 Miroslav Grepl 3.13.1-7
- Add lsmd_plugin_t for lsm plugins
- Allow dovecot-deliver to search mountpoints
- Add labeling for /etc/mdadm.conf
- Allow openlmi admin providers to dbus chat with init_t
- Allow sblim domain to read /dev/urandom and /dev/random
- Add back exec_content boolean for secadm, logadm, auditadm
- Allow sulogin to getattr on /proc/kcore
Tue Nov 26 13:00:00 2013 Miroslav Grepl 3.13.1-6
- Add filename transition also for servicelog.db-journal
- Add files_dontaudit_access_check_root()
- Add lvm_dontaudit_access_check_lock() interface
- Allow mount to manage mount_var_run_t files/dirs
- Allow updpwd_t to ignore mls levels for writing shadow_t at a lower level
- Make sure boot.log is created with the correct label
- call logging_relabel_all_log_dirs() in systemd.te
- Allow systemd_tmpfiles to relabel log directories
- Allow staff_t to run frequency command
- Allow staff_t to read xserver_log file
- This reverts commit c0f9f125291f189271cbbca033f87131dab1e22f.
- Label hsperfdata_root as tmp_t
- Add plymouthd_create_log()
- Dontaudit leaks from openshift domains into mail domains, needs back port to RHEL6
- Allow sssd to request the kernel loads modules
- Allow gpg_agent to use ssh-add
- Dontaudit access check on /root for mysqld_safe_t
- Add glusterd_brick_t files type
- Allow ctdb to getattr on all filesystems
- Allow abrt to stream connect to syslog
- Allow dnsmasq to list dnsmasq.d directory
- Watchdog opens the raw socket
- Allow watchdog to read network state info
- Dontaudit access check on lvm lock dir
- Allow sosreport to send signull to setroubleshootd
- Add setroubleshoot_signull() interface
- Fix ldap_read_certs() interface
- Allow sosreport all signal perms
- Allow sosreport to run systemctl
- Allow sosreport to dbus chat with rpm
- Allow zabbix_agentd to read all domain state
- Allow sblim_sfcbd_t to read from /dev/random and /dev/urandom
- Allow smoltclient to execute ldconfig
- Allow sosreport to request the kernel to load a module
- Clean up rtas.if
- Clean up docker.if
- drop /var/lib/glpi/files labeling in cron.fc
- Added new policy for rasdaemon
- Add apache labeling for glpi
- Allow pegasus to transition to dmidecode
- Make sure boot.log is created with the correct label
- Fix typo in openshift.te
- remove dup bumblebee_systemctl()
- Allow watchdog to read /etc/passwd
- Allow condor domains to read/write condor_master udp_socket
- Allow openshift_cron_t to append to openshift log files, label /var/log/openshift
- Add back file_pid_filetrans for /var/run/dlm_controld
- Allow smbd_t to use inherited tmpfs content
- Allow mcelog to use the /dev/cpu device
- sosreport runs rpcinfo
- sosreport runs subscription-manager
- Allow setpgid for sosreport
- Allow browser plugins to connect to bumblebee
- New policy for bumblebee and freqset
- Add new policy for mip6d daemon
- Add new policy for opensm daemon
Mon Nov 18 13:00:00 2013 Miroslav Grepl 3.13.1-5
- Add back /dev/shm labeling
Mon Nov 18 13:00:00 2013 Miroslav Grepl 3.13.1-4
- Fix gnome_role_template() interface
Thu Nov 14 13:00:00 2013 Miroslav Grepl 3.13.1-3
- Add policy-rawhide-contrib-apache-content.patch to re-write apache_content_template() by dwalsh
Thu Nov 14 13:00:00 2013 Dan Walsh 3.13.1-2
- Fix config.tgz to include lxc_contexts and systemd_contexts
Wed Nov 13 13:00:00 2013 Miroslav Grepl 3.13.1-1
- Update to upstream
Tue Nov 12 13:00:00 2013 Miroslav Grepl 3.12.1-100
- Fix passenger_stream_connect interface
- setroubleshoot_fixit wants to read network state
- Allow procmail_t to connect to dovecot stream sockets
- Allow cimprovagt service providers to read network states
- Add labeling for /var/run/mariadb
- pwauth uses lastlog() to update system's lastlog
- Allow account provider to read login records
- Add support for texlive2013
- More fixes for user config files to make crond_t running in userdomain
- Add back disable/reload/enable permissions for system class
- Fix manage_service_perms macro
- Allow passwd_t to connect to gnome keyring to change password
- Update mls config files to have cronjobs in the user domains
- Remove access checks that systemd does not actually do
Fri Nov 8 13:00:00 2013 Miroslav Grepl 3.12.1-99
- Add support for yubikey in homedir
- Add support for upd/3052 port
- Allow apcupsd to use PowerChute Network Shutdown
- Allow lsmd to execute various lsmplugins
- Add labeling also for /etc/watchdog\.d where are watchdog scripts located too
- Update gluster_export_all_rw boolean to allow relabel all base file types
- Allow x86_energy_perf tool to modify the MSR
- Fix /var/lib/dspam/data labeling
Wed Nov 6 13:00:00 2013 Miroslav Grepl 3.12.1-98
- Add files_relabel_base_file_types() interface
- Allow netlabel-config to read passwd
- update gluster_export_all_rw boolean to allow relabel all base file types caused by lsetxattr()
- Allow x86_energy_perf tool to modify the MSR
- Fix /var/lib/dspam/data labeling
- Allow pegasus to domtrans to mount_t
- Add labeling for unconfined scripts in /usr/libexec/watchdog/scripts
- Add support for unconfined watchdog scripts
- Allow watchdog to manage own log files
Wed Nov 6 13:00:00 2013 Miroslav Grepl 3.12.1-97
- Add label only for redhat.repo instead of /etc/yum.repos.d. But probably we will need to switch for the directory.
- Label /etc/yum.repos.d as system_conf_t
- Use sysnet_filetrans_named_content in udev.te instead of generic transition for net_conf_t
- Allow dac_override for sysadm_screen_t
- Allow init_t to read ipsec_conf_t as we had it for initrc_t. Needed by ipsec unit file.
- Allow netlabel-config to read meminfo
- Add interface to allow docker to mounton file_t
- Add new interface to exec unlabeled files
- Allow lvm to use docker semaphores
- Setup transitions for .xsessions-errors.old
- Change labels of files in /var/lib/*/.ssh to transition properly
- Allow staff_t and user_t to look at logs using journalctl
- pluto wants to manage own log file
- Allow pluto running as ipsec_t to create pluto.log
- Fix alias decl in corenetwork.te.in
- Add support for fuse.glusterfs
- Allow dmidecode to read/write /run/lock/subsys/rhsmcertd
- Allow rhsmcertd to manage redhat.repo which is now labeled as system.conf. Allow rhsmcertd to manage all log files.
- Additional access for docker
- Added more rules to sblim policy
- Fix kdumpgui_run_bootloader boolean
- Allow dspam to connect to lmtp port
- Included sfcbd service into sblim policy
- rhsmcertd wants to manage /etc/pki/consumer dir
- Add kdumpgui_run_bootloader boolean
- Add support for /var/cache/watchdog
- Remove virt_domain attribute for virt_qemu_ga_unconfined_t
- Fixes for handling libvirt containers
- Dontaudit attempts by mysql_safe to write content into /
- Dontaudit attempts by system_mail to modify network config
- Allow dspam to bind to lmtp ports
- Add new policy to allow staff_t and user_t to look at logs using journalctl
- Allow apache cgi scripts to list sysfs
- Dontaudit attempts to write/delete user_tmp_t files
- Allow all antivirus domains to manage also own log dirs
- Allow pegasus_openlmi_services_t to stream connect to sssd_t
Fri Nov 1 13:00:00 2013 Miroslav Grepl 3.12.1-96
- Add missing permission checks for nscd
Wed Oct 30 13:00:00 2013 Miroslav Grepl 3.12.1-95
- Fix alias decl in corenetwork.te.in
- Add support for fuse.glusterfs
- Add file transition rules for content created by f5link
- Rename quantum_port information to neutron
- Allow all antivirus domains to manage also own log dirs
- Rename quantum_port information to neutron
- Allow pegasus_openlmi_services_t to stream connect to sssd_t
Mon Oct 28 13:00:00 2013 Miroslav Grepl 3.12.1-94
- Allow sysadm_t to read login information
- Allow systemd_tmpfiles to setattr on var_log_t directories
- Update Makefile to include systemd_contexts
- Add systemd_contexts
- Add fs_exec_hugetlbfs_files() interface
- Add daemons_enable_cluster_mode boolean
- Fix rsync_filetrans_named_content()
- Add rhcs_read_cluster_pid_files() interface
- Update rhcs.if with additional interfaces from RHEL6
- Fix rhcs_domain_template() to not create run dirs with cluster_var_run_t
- Allow glusterd_t to mounton glusterd_tmp_t
- Allow glusterd to unmount all filesystems
- Allow xenstored to read virt config
- Add label for swift_server.lock and make add filetrans_named_content to make sure content gets created with the correct label
- Allow mozilla_plugin_t to mmap hugepages as an executable
Thu Oct 24 14:00:00 2013 Miroslav Grepl 3.12.1-93
- Add back userdom_security_admin_template() interface and use it for sysadm_t if sysadm_secadm.pp
Tue Oct 22 14:00:00 2013 Miroslav Grepl 3.12.1-92
- Allow sshd_t to read openshift content, needs backport to RHEL6.5
- Label /usr/lib64/sasl2/libsasldb.so.3.0.0 as textrel_shlib_t
- Make sure kdump lock is created with correct label if kdumpctl is executed
- gnome interface calls should always be made within an optional_block
- Allow syslogd_t to connect to the syslog_tls port
- Add labeling for /var/run/charon.ctl socket
- Add kdump_filetrans_named_content()
- Allow setpgid for fenced_t
- Allow setpgid and r/w cluster tmpfs for fenced_t
- gnome calls should always be within optional blocks
- wicd.pid should be labeled as networkmanager_var_run_t
- Allow sys_resource for lldpad
Thu Oct 17 14:00:00 2013 Miroslav Grepl 3.12.1-91
- Add rtas policy
Thu Oct 17 14:00:00 2013 Miroslav Grepl 3.12.1-90
- Allow mailserver_domains to manage and transition to mailman data
- Dontaudit attempts by mozilla plugin to relabel content, caused by using mv and cp commands
- Allow mailserver_domains to manage and transition to mailman data
- Allow svirt_domains to read sysctl_net_t
- Allow thumb_t to use tmpfs inherited from the user
- Allow mozilla_plugin to bind to the vnc port if running with spice
- Add new attribute to discover confined_admins and assign confined admin to it
- Fix zabbix to handle attributes in interfaces
- Fix zabbix to read system states for all zabbix domains
- Fix piranha_domain_template()
- Allow ctdbd to create udp_socket. Allow nmbd to access ctdbd var files.
- Allow lldpad sys_resource cap due to #986870
- Allow dovecot-auth to read nologin
- Allow openlmi-networking to read /proc/net/dev
- Allow smsd_t to execute scripts created on the fly labeled as smsd_spool_t
- Add zabbix_domain attribute for zabbix domains to treat them together
- Add labels for zabbix-proxy-* (#1018221)
- Update openlmi-storage policy to reflect #1015067
- Back port piranha tmpfs fixes from RHEL6
- Update httpd_can_sendmail boolean to allow read/write postfix spool maildrop
- Add postfix_rw_spool_maildrop_files interface
- Call new userdom_admin_user_template() also for sysadm_secadm.pp
- Fix typo in userdom_admin_user_template()
- Allow SELinux users to create coolkeypk11sE-Gate in /var/cache/coolkey
- Add new attribute to discover confined_admins
- Fix labeling for /etc/strongswan/ipsec.d
- systemd_logind seems to pass fd to anyone who dbus communicates with it
- Dontaudit leaked write descriptor to dmesg
Mon Oct 14 14:00:00 2013 Miroslav Grepl 3.12.1-89
- Fix gnome_read_generic_data_home_files()
- allow openshift_cgroup_t to read/write inherited openshift file types
- Remove httpd_cobbler_content * from cobbler_admin interface
- Allow svirt sandbox domains to setattr on chr_file and blk_file svirt_sandbox_file_t, so sshd will work within a container
- Allow httpd_t to read also git sys content symlinks
- Allow init_t to read gnome home data
- Dontaudit setroubleshoot_fixit_t execmem, since it does not seem to really need it.
- Allow virsh to execute systemctl
- Fix for nagios_services plugins
- add type definition for ctdbd_var_t
- Add support for /var/ctdb. Allow ctdb block_suspend and read /etc/passwd file
- Allow net_admin/netlink_socket all hyperv_domain domains
- Add labeling for zarafa-search.log and zarafa-search.pid
- Fix hypervkvp.te
- Fix nscd_shm_use()
- Add initial policy for /usr/sbin/hypervvssd in hypervkvp policy which should be renamed to hyperv. Also add hyperv_domain attribute to treat these HyperV services.
- Add hypervkvp_unit_file_t type
- Fix logging policy
- Allow syslog to bind to tls ports
- Update labeling for /dev/cdc-wdm
- Allow to su_domain to read init states
- Allow init_t to read gnome home data
- Make sure if systemd_logind creates nologin file with the correct label
- Clean up ipsec.te
Tue Oct 8 14:00:00 2013 Miroslav Grepl 3.12.1-88 - Add auth_exec_chkpwd interface - Fix port definition for ctdb ports - Allow systemd domains to read /dev/urand - Dontaudit attempts for mozilla_plugin to append to /dev/random - Add label for /var/run/charon.* - Add labeling for /usr/lib/systemd/system/lvm2.* - Add policy for motion service - Fix for nagios_services plugins - Fix some bugs in zoneminder policy - add type definition for ctdbd_var_t - Add support for /var/ctdb. Allow ctdb block_suspend and read /etc/passwd file - Allow net_admin/netlink_socket all hyperv_domain domains - Add labeling for zarafa-search.log and zarafa-search.pid - glusterd binds to random unreserved ports - Additional allow rules found by testing glusterfs - apcupsd needs to send a message to all users on the system so needs to look them up - Fix the label on ~/.juniper_networks - Dontaudit attempts for mozilla_plugin to append to /dev/random - Allow polipo_daemon to connect to flash ports - Allow gssproxy_t to create replay caches - Fix nscd_shm_use() - Add initial policy for /usr/sbin/hypervvssd in hypervkvp policy which should be renamed to hyperv. Also add hyperv_domain attribute to treat these HyperV services. - Add hypervkvp_unit_file_t type
Fri Oct 4 14:00:00 2013 Miroslav Grepl 3.12.1-87 - init reload from systemd_localed_t - Allow domains that communicate with systemd_logind_sessions to use systemd_logind_t fd - Allow systemd_localed_t to ask systemd to reload the locale. - Add systemd_runtime_unit_file_t type for unit files that systemd creates in memory - Allow readahead to read /dev/urand - Fix lots of avcs about tuned - Any file named xenstored in /var/log should be treated as xenstored_var_log_t - Allow tuned to interact with hugepages - Allow condor domains to list etc rw dirs
Fri Oct 4 14:00:00 2013 Miroslav Grepl 3.12.1-86 - Fix nscd_shm_use() - Add initial policy for /usr/sbin/hypervvssd in hypervkvp policy which should be renamed to hyperv. Also add hyperv_domain attribute to treat these HyperV services. - Add hypervkvp_unit_file_t type - Add additional fixes for pegasus_openlmi_account_t - Allow mdadm to read /dev/urand - Allow pegasus_openlmi_storage_t to create mdadm.conf and write it - Add label/rules for /etc/mdadm.conf - Allow pegasus_openlmi_storage_t to transition to fsadm_t - Fixes for interface definition problems - Dontaudit dovecot-deliver to getattr on all fs dirs - Allow domains to search data_home_t directories - Allow cobblerd to connect to mysql - Allow mdadm to r/w kdump lock files - Add support for kdump lock files - Label zarafa-search as zarafa-indexer - Openshift cgroup wants to read /etc/passwd - Add new sandbox domains for kvm - Allow mpd to interact with pulseaudio if mpd_enable_homedirs is turned on - Fix labeling for /usr/lib/systemd/system/lvm2.* - Add labeling for /usr/lib/systemd/system/lvm2.* - Fix typos to get a new build. We should not cover filename trans rules to prevent duplicate rules - Add sshd_keygen_t policy for sshd-keygen - Fix alsa_home_filetrans interface name and definition - Allow chown for ssh_keygen_t - Add fs_dontaudit_getattr_all_dirs() - Allow init_t to manage etc_aliases_t and read xserver_var_lib_t and chrony keys - Fix up patch to allow systemd to manage home content - Allow domains to send/recv unlabeled traffic if unlabelednet.pp is enabled - Allow getty to exec hostname to get info - Add systemd_home_t for ~/.local/share/systemd directory
Wed Oct 2 14:00:00 2013 Miroslav Grepl 3.12.1-85 - Fix lxc labeling in config.tgz
Mon Sep 30 14:00:00 2013 Miroslav Grepl 3.12.1-84 - Fix labeling for /usr/libexec/kde4/kcmdatetimehelper - Allow tuned to search all file system directories - Allow alsa_t to sys_nice, to get top performance for sound management - Add support for MySQL/PostgreSQL for amavis - Allow openvpn_t to manage openvpn_var_log_t files. - Allow dirsrv_t to create tmpfs_t directories - Allow dirsrv to create dirs in /dev/shm with dirsrv_tmpfs label - Dontaudit leaked unix_stream_sockets into gnome keyring - Allow telepathy domains to inhibit pipes on telepathy domains - Allow cloud-init to domtrans to rpm - Allow abrt daemon to manage abrt-watch tmp files - Allow abrt-upload-watcher to search /var/spool directory - Allow nsswitch domains to manage own process key - Fix labeling for mgetty.* logs - Allow systemd to dbus chat with upower - Allow ipsec to send signull to itself - Allow setgid cap for ipsec_t - Match upstream labeling
Wed Sep 25 14:00:00 2013 Miroslav Grepl 3.12.1-83 - Do not build sandbox pkg on MLS
Wed Sep 25 14:00:00 2013 Miroslav Grepl 3.12.1-82 - wine_tmp is no longer needed - Allow setroubleshoot to look at /proc - Allow telepathy domains to dbus with systemd logind - Fix handling of fifo files of rpm - Allow mozilla_plugin to transition to itself - Allow certwatch to write to cert_t directories - New abrt application - Allow NetworkManager to set the kernel scheduler - Make wine_domain shared by all wine domains - Allow mdadm_t to read images labeled svirt_image_t - Allow amanda to read /dev/urand - Allow my_print_default to read /dev/urand - Allow mdadm to write to kdumpctl fifo files - Allow nslcd to send signull to itself - Allow yppasswd to read /dev/urandom - Fix zarafa_setrlimit - Add support for /var/lib/php/wsdlcache - Add zarafa_setrlimit boolean - Allow fetchmail to send mails - Add additional alias for user_tmp_t because wine_tmp_t is no longer used - More handling of the kernel keyring required by kerberos - New privs needed for init_t when running without transition to initrc_t over bin_t, and without unconfined domain installed
Thu Sep 19 14:00:00 2013 Miroslav Grepl 3.12.1-81 - Dontaudit attempts by sosreport to read shadow_t - Allow browser sandbox plugins to connect to cups to print - Add new label mpd_home_t - Label /srv/www/logs as httpd_log_t - Add support for /var/lib/php/wsdlcache - Add zarafa_setrlimit boolean - Allow fetchmail to send mails - Add labels for apache logs under miq package - Allow irc_t to use tcp sockets - fix labels in puppet.if - Allow tcsd to read utmp file - Allow openshift_cron_t to run ssh-keygen in ssh_keygen_t to access host keys - Define svirt_socket_t as a domain_type - Take away transition from init_t to initrc_t when executing bin_t, allow init_t to run chk_passwd_t - Fix label on pam_krb5 helper apps
Thu Sep 12 14:00:00 2013 Miroslav Grepl 3.12.1-80 - Allow ldconfig to write to kdumpctl fifo files - allow neutron to connect to amqp ports - Allow kdump_manage_crash to list the kdump_crash_t directory - Allow glance-api to connect to amqp port - Allow virt_qemu_ga_t to read meminfo - Add antivirus_home_t type for antivirus data in HOMEDIRS - Allow mpd setcap which is needed by pulseaudio - Allow smbcontrol to create content in /var/lib/samba - Allow mozilla_exec_t to be used as an entrypoint to mozilla_domtrans_spec - Add additional labeling for qemu-ga/fsfreeze-hook.d scripts - amanda_exec_t needs to be executable file - Allow block_suspend cap for samba-net - Allow apps that read ipsec_mgmt_var_run_t to search ipsec_var_run_t - Allow init_t to run crash utility - Treat usr_t just like bin_t for transitions and executions - Add port definition of pka_ca to port 829 for openshift - Allow selinux_store to use symlinks
Mon Sep 9 14:00:00 2013 Miroslav Grepl 3.12.1-79 - Allow block_suspend cap for samba-net - Allow t-mission-control to manage gabble cache files - Allow nslcd to read /sys/devices/system/cpu - Allow selinux_store to use symlinks
Mon Sep 9 14:00:00 2013 Miroslav Grepl 3.12.1-78 - Allow xdm_t to transition to itself - Call neutron interfaces instead of quantum - Allow init to change target role to make unconfined services (xrdp which now has own systemd unit file) working. We want them to run in unconfined_t - Make sure directories in /run get created with the correct label - Make sure /root/.pki gets created with the right label - try to remove labeling for motion from zoneminder_exec_t to bin_t - Allow inetd_t to execute shell scripts - Allow cloud-init to read all domainstate - Fix to use quantum port - Add interface networkmanager_initrc_domtrans - Fix boinc_execmem - Allow t-mission-control to read gabble cache home - Add labeling for ~/.cache/telepathy/avatars/gabble - Allow memcache to read sysfs data - Cleanup antivirus policy and add additional fixes - Add boolean boinc_enable_execstack - Add support for couchdb in rabbitmq policy - Add interface couchdb_search_pid_dirs - Allow firewalld to read NM state - Allow systemd running as git_systemd to bind git port - Fix mozilla_plugin_rw_tmpfs_files()
Thu Sep 5 14:00:00 2013 Miroslav Grepl 3.12.1-77 - Split out rlogin ports from inetd - Treat files labeled as usr_t like bin_t when it comes to transitions - Allow staff_t to read login config - Allow ipsec_t to read .google authenticator data - Allow systemd running as git_systemd to bind git port - Fix mozilla_plugin_rw_tmpfs_files() - Call the correct interface - corenet_udp_bind_ktalkd_port() - Allow all domains that can read gnome_config to read kde config - Allow sandbox domain to read/write mozilla_plugin_tmpfs_t so pulseaudio will work - Allow mdadm to getattr any file system - Allow a confined domain to execute mozilla_exec_t via dbus - Allow cupsd_lpd_t to bind to the printer port - Dontaudit attempts to bind to ports < 1024 when nis is turned on - Allow apache domain to connect to gssproxy socket - Allow rlogind to bind to the rlogin_port - Allow telnetd to bind to the telnetd_port - Allow ktalkd to bind to the ktalkd_port - Allow cvs to bind to the cvs_port
Wed Sep 4 14:00:00 2013 Miroslav Grepl 3.12.1-76 - Cleanup related to init_domain()+inetd_domain fixes - Use just init_domain instead of init_daemon_domain in inetd_core_service_domain - svirt domains need to create kobject_uevent_sockets - Lots of new access required for sosreport - Allow tgtd_t to connect to isns ports - Allow init_t to transition to all inetd domains: - openct needs to be able to create netlink_object_uevent_sockets - Dontaudit leaks into ldconfig_t - Dontaudit su domains getattr on /dev devices, move su domains to attribute based calls - Move kernel_stream_connect into all Xwindow using users - Dontaudit inherited lock files in ifconfig or dhcpc_t
Tue Sep 3 14:00:00 2013 Miroslav Grepl 3.12.1-75 - Also sock_file trans rule is needed in lsm - Fix labeling for fetchmail pid files/dirs - Add additional fixes for abrt-upload-watch - Fix polipo.te - Fix transition rules in asterisk policy - Add fowner capability to networkmanager policy - Allow polipo to connect to tor ports - Cleanup lsmd.if - Cleanup openhpid policy - Fix kdump_read_crash() interface - Make more domains as init domain - Fix cupsd.te - Fix requires in rpm_rw_script_inherited_pipes - Fix interfaces in lsm.if - Allow munin service plugins to manage own tmpfs files/dirs - Allow virtd_t also relabel unix stream sockets for virt_image_type - Make ktalk as init domain - Fix to define ktalkd_unit_file_t correctly - Fix ktalk.fc - Add systemd support for talk-server - Allow glusterd to create sock_file in /run - Allow xdm_t to delete gkeyringd_tmp_t files on logout - Add fixes for hypervkvp policy - Add logwatch_can_sendmail boolean - Allow mysqld_safe_t to handle also symlinks in /var/log/mariadb - Allow xdm_t to delete gkeyringd_tmp_t files on logout
Thu Aug 29 14:00:00 2013 Miroslav Grepl 3.12.1-74 - Add selinux-policy-sandbox pkg
Tue Aug 27 14:00:00 2013 Miroslav Grepl 3.12.1-73 - Allow rhsmcertd to read init state - Allow fsetid for pkcsslotd - Fix labeling for /usr/lib/systemd/system/pkcsslotd.service - Allow fetchmail to create own pid with correct labeling - Fix rhcs_domain_template() - Allow roles which can run mock to read mock lib files to view results - Allow rpcbind to use nsswitch - Fix lsm.if summary - Fix collectd_t so it can read /etc/passwd file - Label systemd unit files under dracut correctly - Add support for pam_mount to mount user's encrypted home when a user logs in and logs out using ssh - Add support for .Xauthority-n - Label umount.crypt as lvm_exec_t - Allow syslogd to search psad lib files - Allow ssh_t to use /dev/ptmx - Make sure /run/pluto dir is created with correct labeling - Allow syslog to run shell and bin_t commands - Allow ip to relabel tun_sockets - Allow mount to create directories in files under /run - Allow processes to use inherited fifo files
Fri Aug 23 14:00:00 2013 Miroslav Grepl 3.12.1-72 - Add policy for lsmd - Add support for /var/log/mariadb dir and allow mysqld_safe to list this directory - Update condor_master rules to allow read system state info and allow logging - Add labeling for /etc/condor and allow condor domain to write it (bug) - Allow condor domains to manage own logs - Allow glusterd to read domains state - Fix initial hypervkvp policy - Add policy for hypervkvpd - Fix redis.if summary
Wed Aug 21 14:00:00 2013 Miroslav Grepl 3.12.1-71 - Allow boinc to connect to @/tmp/.X11-unix/X0 - Allow beam.smp to connect to tcp/5984 - Allow named to manage own log files - Add label for /usr/libexec/dcc/start-dccifd and domtrans to dccifd_t - Add virt_transition_userdomain boolean decl - Allow httpd_t to sendto unix_dgram sockets on its children - Allow nova domains to execute ifconfig - bluetooth wants to create fifo_files in /tmp - exim needs to be able to manage mailman data - Allow sysstat to getattr on all file systems - Looks like bluetoothd has moved - Allow collectd to send ping packets - Allow svirt_lxc domains to getpgid - Remove virt-sandbox-service labeling as virsh_exec_t, since it no longer does virsh_t stuff - Allow fprintd_t to read /dev/urandom - Allow asterisk_t to create sock_file in /var/run - Allow usbmuxd to use netlink_kobject - sosreport needs to getattr on lots of devices, and needs access to netlink_kobject_uevent_socket - More cleanup of svirt_lxc policy - virtd_lxc_t now talks to dbus - Dontaudit leaked ptmx_t - Allow processes to use inherited fifo files - Allow openvpn_t to connect to squid ports - Allow prelink_cron_system_t to ask systemd to reload - Add miscfiles_dontaudit_access_check_cert() - Allow ssh_t to use /dev/ptmx - Make sure /run/pluto dir is created with correct labeling - Allow syslog to run shell and bin_t commands - Allow ip to relabel tun_sockets - Allow mount to create directories in files under /run - Allow processes to use inherited fifo files - Allow user roles to connect to the journal socket
Thu Aug 8 14:00:00 2013 Miroslav Grepl 3.12.1-70 - selinux_set_enforce_mode needs to be used with type - Add append to the dontaudit for unix_stream_socket of xdm_t leak - Allow xdm_t to create symlinks in log directories - Allow login programs to read afs config - Label 10933 as a pop port, for dovecot - New policy to allow selinux_server.py to run as semanage_t as a dbus service - Add fixes to make netlabelctl working on MLS - AVCs required for running sepolicy gui as staff_t - Dontaudit attempts to read symlinks, sepolicy gui is likely to cause this type of AVC - New dbus server to be used with new gui - After modifying some files in /etc/mail, I saw this needed on the next boot - Loading a vm from /usr/tmp with virt-manager - Clean up oracleasm policy for Fedora - Add oracleasm policy written by rlopez@redhat.com - Make postfix_postdrop_t as mta_agent to allow domtrans to system mail if it is executed by apache - Add label for /var/crash - Allow fenced to domtrans to sanlock_t - Allow nagios to manage nagios spool files - Make tftpd a home_manager - Allow kdump to read kcore on MLS system - Allow mysqld-safe sys_nice/sys_resource caps - Allow apache to search automount tmp dirs if http_use_nfs is enabled - Allow crond to transition to named_t, for use with unbound - Allow crond to look at named_conf_t, for unbound - Allow mozilla_plugin_t to transition its home content - Allow dovecot_domain to read all system and network state - Allow httpd_user_script_t to call getpw - Allow semanage to read pid files - Dontaudit leaked file descriptors from user domain into thumb - Make PAM authentication working if it is enabled in ejabberd - Add fixes for rabbit to fix #992920, #992931 - Allow glusterd to mount filesystems - Loading a vm from /usr/tmp with virt-manager - Trying to load a VM I got an AVC from devicekit_disk for loopcontrol device - Add fix for pand service - shorewall touches own log - Allow nrpe to list /var - Mozilla_plugin_roles can not be passed into lpd_run_lpr - Allow afs domains to read afs_config files - Allow login programs to read afs config - Allow virt_domain to read virt_var_run_t symlinks - Allow smokeping to send its process signals - Allow fetchmail to setuid - Add kdump_manage_crash() interface - Allow abrt domain to write abrt.socket
Wed Jul 31 14:00:00 2013 Miroslav Grepl 3.12.1-69 - Add more aliases in pegasus.te - Add more fixes for *_admin interfaces - Add interface fixes - Allow nscd to stream connect to nmbd - Allow gnupg apps to write to pcscd socket - Add more fixes for openlmi providers. Fix naming and support for additionals - Allow fetchmail to resolve host names - Allow firewalld to interact also with lnk files labeled as firewalld_etc_rw_t - Add labeling for cmpiLMI_Fan-cimprovagt - Allow net_admin for glusterd - Allow telepathy domain to create dconf with correct labeling in /home/userX/.cache/ - Add pegasus_openlmi_system_t - Fix puppet_domtrans_master() to make all puppet calling working in passenger.te - Fix corecmd_exec_chroot() - Fix logging_relabel_syslog_pid_socket interface - Fix typo in unconfineduser.te - Allow system_r to access unconfined_dbusd_t to run hp_chec
Tue Jul 30 14:00:00 2013 Miroslav Grepl 3.12.1-68 - Allow xdm_t to act as a dbus client to itself - Allow fetchmail to resolve host names - Allow gnupg apps to write to pcscd socket - Add labeling for cmpiLMI_Fan-cimprovagt - Allow net_admin for glusterd - Allow telepathy domain to create dconf with correct labeling in /home/userX/.cache/ - Add pegasus_openlmi_system_t - Fix puppet_domtrans_master() to make all puppet calling working in passenger.te - httpd_t does access_check on certs
Fri Jul 26 14:00:00 2013 Miroslav Grepl 3.12.1-67 - Add support for cmpiLMI_Service-cimprovagt - Allow pegasus domtrans to rpm_t to make pycmpiLMI_Software-cimprovagt running as rpm_t - Label pycmpiLMI_Software-cimprovagt as rpm_exec_t - Add support for pycmpiLMI_Storage-cimprovagt - Add support for cmpiLMI_Networking-cimprovagt - Allow system_cronjob_t to create user_tmpfs_t to make pulseaudio working - Allow virtual machines and containers to run as user domains, needed for virt-sandbox - Allow buglist.cgi to read cpu info
Mon Jul 22 14:00:00 2013 Miroslav Grepl 3.12.1-66 - Allow systemd-tmpfile to handle tmp content in print spool dir - Allow systemd-sysctl to send system log messages - Add support for RTP media ports and fmpro-internal - Make auditd working if audit is configured to perform SINGLE action on disk error - Add interfaces to handle systemd units - Make systemd-notify working if pcsd is used - Add support for netlabel and label /usr/sbin/netlabelctl as iptables_exec_t - Instead of having all unconfined domains get all of the named transition rules, - Only allow unconfined_t, init_t, initrc_t and rpm_script_t by default. - Add definition for the salt ports - Allow xdm_t to create link files in xdm_var_run_t - Dontaudit reads of blk files or chr files leaked into ldconfig_t - Allow sys_chroot for useradd_t - Allow net_raw cap for ipsec_t - Allow sysadm_t to reload services - Add additional fixes to make strongswan working with a simple conf - Allow sysadm_t to enable/disable init_t services - Add additional glusterd perms - Allow apache to read lnk files in the /mnt directory - Allow glusterd to ask the kernel to load a module - Fix description of ftpd_use_fusefs boolean - Allow svirt_lxc_net_t to sys_chroot, modify policy to tighten up svirt_lxc_domain capabilities and process controls, but add them to svirt_lxc_net_t - Allow glusterd to request load a kernel module - Allow boinc to stream connect to xserver_t - Allow sblim domains to read /etc/passwd - Allow mdadm to read usb devices - Allow collectd to use ping plugin - Make foghorn working with SNMP - Allow sssd to read ldap certs - Allow haproxy to connect to RTP media ports - Add additional trans rules for aide_db - Add labeling for /usr/lib/pcsd/pcsd - Add labeling for /var/log/pcsd - Add support for pcs which is a corosync and pacemaker configuration tool
Wed Jul 17 14:00:00 2013 Miroslav Grepl 3.12.1-65 - Label /var/lib/ipa/pki-ca/publish as pki_tomcat_cert_t - Add labeling for /usr/libexec/kde4/polkit-kde-authentication-agent-1 - Allow all domains that can domtrans to shutdown, to start the power services script to shutdown - consolekit needs to be able to shut down system - Move around interfaces - Remove nfsd_rw_t and nfsd_ro_t, they don't do anything - Add additional fixes for rabbitmq_beam to allow getattr on mountpoints - Allow gconf-defaults-m to read /etc/passwd - Fix pki_rw_tomcat_cert() interface to support lnk_files
Fri Jul 12 14:00:00 2013 Miroslav Grepl 3.12.1-64 - Add support for gluster ports - Make sure that all keys located in /etc/ssh/ are labeled correctly - Make sure apcupsd lock files get created with the correct label - Use getcap in gluster.te - Fix gluster policy - add additional fixes to allow beam.smp to interact with couchdb files - Additional fix for #974149 - Allow gluster to use gluster ports - Allow glusterd to transition to rpcd_t and add additional fixes for #980683 - Allow tgtd working when accessing to the passthrough device - Fix labeling for mdadm unit files
Thu Jul 11 14:00:00 2013 Miroslav Grepl 3.12.1-63 - Add mdadm fixes
Tue Jul 9 14:00:00 2013 Miroslav Grepl 3.12.1-62 - Fix definition of sandbox.disabled to sandbox.pp.disabled
Mon Jul 8 14:00:00 2013 Miroslav Grepl 3.12.1-61 - Allow mdadm to execute systemctl - Allow mdadm to read /dev/kvm - Allow ipsec_mgmt_t to read l2tpd pid content
Mon Jul 8 14:00:00 2013 Miroslav Grepl 3.12.1-60 - Allow nsd_t to read /dev/urand - Allow mdadm_t to read framebuffer - Allow rabbitmq_beam_t to read process info on rabbitmq_epmd_t - Allow mozilla_plugin_config_t to create tmp files - Cleanup openvswitch policy - Allow mozilla plugin to getattr on all executables - Allow l2tpd_t to create fifo_files in /var/run - Allow samba to touch/manage fifo_files or sock_files in a samba_share_t directory - Allow mdadm to connect to its own unix_stream_socket - FIXME: nagios changed locations to /log/nagios which is wrong. But we need to have this workaround for now. - Allow apache to access smokeping pid files - Allow rabbitmq_beam_t to getattr on all filesystems - Add systemd support for iodined - Allow nut_upsdrvctl_t to execute its entrypoint - Allow fail2ban_client to write to fail2ban_var_run_t, Also allow it to use nsswitch - add labeling for ~/.cache/libvirt-sandbox - Add interface to allow domains transitioned to by confined users to send sigchld to screen program - Allow sysadm_t to check the system status of files labeled etc_t, /etc/fstab - Allow systemd_localed to start /usr/lib/systemd/system/systemd-vconsole-setup.service - Allow a domain that has an entrypoint from a type to be allowed to execute the entrypoint without a transition, I can see no case where this is a bad thing, and eliminates a whole class of AVCs. - Allow staff to getsched all domains, required to run htop - Add port definition for redis port - fix selinuxuser_use_ssh_chroot boolean
Wed Jul 3 14:00:00 2013 Miroslav Grepl 3.12.1-59 - Add prosody policy written by Michael Scherer - Allow nagios plugins to read /sys info - ntpd needs to manage own log files - Add support for HOME_DIR/.IBMERS - Allow iptables commands to read firewalld config - Allow consolekit_t to read utmp - Fix filename transitions on .razor directory - Add additional fixes to make DSPAM with LDA working - Allow snort to read /etc/passwd - Allow fail2ban to communicate with firewalld over dbus - Dontaudit openshift_cgroup_file_t read/write leaked dev - Allow nfsd to use mountd port - Call the proper interface - Allow openvswitch to read sys and execute plymouth - Allow tmpwatch to read /var/spool/cups/tmp - Add support for /usr/libexec/telepathy-rakia - Add systemd support for zoneminder - Allow mysql to create files/directories under /var/log/mysql - Allow zoneminder apache scripts to rw zoneminder tmpfs - Allow httpd to manage zoneminder lib files - Add zoneminder_run_sudo boolean to allow to start zoneminder - Allow zoneminder to send mails - gssproxy_t sock_file can be under /var/lib - Allow web domains to connect to whois port. - Allow sandbox_web_type to connect to the same ports as mozilla_plugin_t. - We really need to add an interface to corenet to define what a web_client_domain is and - then define chrome_sandbox_t, mozilla_plugin_t and sandbox_web_type to that domain. - Add labeling for cmpiLMI_LogicalFile-cimprovagt - Also make pegasus_openlmi_logicalfile_t as unconfined to have unconfined_domain attribute for filename trans rules - Update policy rules for pegasus_openlmi_logicalfile_t - Add initial types for logicalfile/unconfined OpenLMI providers - mailmanctl needs to read own log - Allow logwatch manage own lock files - Allow nrpe to read meminfo - Allow httpd to read certs located in pki-ca - Add pki_read_tomcat_cert() interface - Add support for nagios openshift plugins - Add port definition for redis port - fix selinuxuser_use_ssh_chroot boolean
Fri Jun 28 14:00:00 2013 Miroslav Grepl 3.12.1-58 - Shrink the size of policy by moving to attributes, also add dridomain so that mozilla_plugin can follow selinuxuse_dri boolean. - Allow bootloader to manage generic log files - Allow ftp to bind to port 989 - Fix label of new gear directory - Add support for new directory /var/lib/openshift/gears/ - Add openshift_manage_lib_dirs() - allow virtd domains to manage setrans_var_run_t - Allow useradd to manage all openshift content - Add support so that mozilla_plugin_t can use dri devices - Allow chronyd to change the scheduler - Allow apmd to shut down the system - Devicekit_disk_t needs to manage /etc/fstab
Wed Jun 26 14:00:00 2013 Miroslav Grepl 3.12.1-57 - Make DSPAM acting as an LDA work - Allow ntop to create netlink socket - Allow policykit to send a signal to policykit-auth - Allow stapserver to dbus chat with avahi/systemd-logind - Fix labeling on haproxy unit file - Clean up haproxy policy - A new policy for haproxy and placed it to rhcs.te - Add support for ldirectord and treat it with cluster_t - Make sure anaconda log dir is created with var_log_t
Mon Jun 24 14:00:00 2013 Miroslav Grepl 3.12.1-56 - Allow lvm_t to create default targets for filesystem handling - Fix labeling for razor-lightdm binaries - Allow insmod_t to read any file labeled var_lib_t - Add policy for pesign - Activate policy for cmpiLMI_Account-cimprovagt - Allow isnsd syscall=listen - /usr/libexec/pegasus/cimprovagt needs setsched caused by sched_setscheduler - Allow ctdbd to use udp/4379 - gatherd wants sys_nice and setsched - Add support for texlive2012 - Allow NM to read file_t (usb stick with no labels used to transfer keys for example) - Allow cobbler to execute apache with domain transition
Fri Jun 21 14:00:00 2013 Miroslav Grepl 3.12.1-55 - condor_collector uses tcp/9000 - Label /usr/sbin/virtlockd as virtd_exec_t for now - Allow cobbler to execute ldconfig - Allow NM to execute ssh - Allow mdadm to read /dev/crash - Allow antivirus domains to connect to snmp port - Make amavisd-snmp working correctly - Allow nfsd_t to mounton nfsd_fs_t - Add initial snapper policy - We still need to have consolekit policy - Dontaudit firefox attempting to connect to the xserver_port_t if run within sandbox_web_t - Dontaudit sandbox apps attempting to open user_devpts_t - Allow dirsrv to read network state - Fix pki_read_tomcat_lib_files - Add labeling for /usr/libexec/nm-ssh-service - Add label cert_t for /var/lib/ipa/pki-ca/publish - Lets label /sys/fs/cgroup as cgroup_t for now, to keep labels consistent - Allow nfsd_t to mounton nfsd_fs_t - Dontaudit sandbox apps attempting to open user_devpts_t - Allow passwd_t to change role to system_r from unconfined_r
Wed Jun 19 14:00:00 2013 Miroslav Grepl 3.12.1-54 - Don't audit access checks by sandbox xserver on xdb var_lib - Allow ntop to read usbmon devices - Add labeling for new policykit authorizer - Dontaudit access checks from fail2ban_client - Don't audit access checks by sandbox xserver on xdb var_lib - Allow apps that connect to xdm stream to connect to xdm_dbusd_t stream - Fix labeling for all /usr/bin/razor-lightdm-* binaries - Add filename trans for /dev/md126p1
Tue Jun 18 14:00:00 2013 Miroslav Grepl 3.12.1-53 - Make vdagent able to request loading kernel module - Add support for cloud-init make it as unconfined domain - Allow snmpd to run smartctl in fsadm_t domain - remove duplicate openshift_search_lib() interface - Allow mysqld to search openshift lib files - Allow openshift cgroup to interact with passed-in file descriptors - Allow colord to list directories in the users homedir - aide executes prelink to check files - Make sure cupsd_t creates content in /etc/cups with the correct label - Let's dontaudit apache read all domains, so passenger will not cause this avc - Allow gssd to connect to gssproxy - systemd-tmpfiles needs to be able to raise the level to fix labeling on /run/setrans in MLS - Allow systemd-tmpfiles to relabel also lock files - Allow useradd to add homedir in /var/lib/openshift - Allow setfiles and semanage to write output to /run/files
Fri Jun 14 14:00:00 2013 Miroslav Grepl 3.12.1-52 - Add labeling for /dev/tgt - Dontaudit leak fd from firewalld for modprobe - Allow runuser running as rpm_script_t to create netlink_audit socket - Allow mdadm to read BIOS non-volatile RAM
Thu Jun 13 14:00:00 2013 Miroslav Grepl 3.12.1-51 - accountservice watches when accounts come and go in wtmp - /usr/java/jre1.7.0_21/bin/java needs to create netlink socket - Add httpd_use_sasl boolean - Allow net_admin for tuned_t - iscsid needs sys_module to auto-load kernel modules - Allow blueman to read bluetooth conf - Add nova_manage_lib_files() interface - Fix mplayer_filetrans_home_content() - Add mplayer_filetrans_home_content() - mozilla_plugin_config_roles need to be able to access mozilla_plugin_config_t - Revert "Allow thumb_t to append inherited xdm stream socket" - Add iscsi_filetrans_named_content() interface - Allow to create .mplayer with the correct labeling for unconfined - Allow iscsiadmin to create lock file with the correct labeling
Tue Jun 11 14:00:00 2013 Miroslav Grepl 3.12.1-50 - Allow wine to manage wine home content - Make amanda working with socket activation - Add labeling for /usr/sbin/iscsiadm - Add support for /var/run/gssproxy.sock - dnsmasq_t needs to read sysctl_net_t
Fri Jun 7 14:00:00 2013 Miroslav Grepl 3.12.1-49 - Fix courier_domain_template() interface - Allow blueman to write ip_forward - Allow mongodb to connect to mongodb port - Allow mongodb to connect to mongodb port - Allow java to bind jboss_debug port - Fixes for *_admin interfaces - Allow iscsid auto-load kernel modules needed for proper iSCSI functionality - Need to assign attribute for courier_domain to all courier_domains - Fail2ban reads /etc/passwd - postfix_virtual will create new files in postfix_spool_t - abrt triggers sys_ptrace by running pidof - Label ~/abc as mozilla_home_t, since java apps as plugin want to create it - Add passenger fixes needed by foreman - Remove dup interfaces - Add additional interfaces for quantum - Add new interfaces for dnsmasq - Allow passenger to read localization and send signull to itself - Allow dnsmasq to stream connect to quantum - Add quantum_stream_connect() - Make sure that mcollective starts the service with the correct labeling - Add labels for ~/.manpath - Dontaudit attempts by svirt_t to getpw* calls - sandbox domains are trying to look at parent process data - Allow courier auth to create its pid file in /var/spool/courier subdir - Add fixes for beam to have it working with couchdb - Add labeling for /run/nm-xl2tpd.con - Allow apache to stream connect to thin - Add systemd support for amanda - Make public types usable for fs mount points - Call correct mandb interface in domain.te - Allow iptables to r/w quantum inherited pipes and send sigchld - Allow ifconfig domtrans to iptables and execute ldconfig - Add labels for ~/.manpath - Allow systemd to read iscsi lib files - seunshare is trying to look at parent process data
Mon Jun 3 14:00:00 2013 Miroslav Grepl 3.12.1-48
- Fix openshift_search_lib
- Add support for abrt-uefioops-oops
- Allow colord to getattr any file system
- Allow chrome processes to look at each other
- Allow sys_ptrace for abrt_t
- Add new policy for gssproxy
- Dontaudit leaked file descriptor writes from firewalld
- openshift_net_type is an interface, not a template
- Dontaudit pppd to search gnome config
- Update openshift_search_lib() interface
- Add fs_list_pstorefs()
- Fix label on libbcm_host.so since it is built incorrectly on raspberry pi, needs back port to F18
- Better labels for raspberry pi devices
- Allow init to create devpts_t directory
- Temporarily label raspberry pi devices as memory_device_t, needs back port to f18
- Allow sysadm_t to build kernels
- Make sure mount creates /var/run/blkid with the correct label, needs back port to F18
- Allow userdomains to stream connect to gssproxy
- Dontaudit leaked file descriptor writes from firewalld
- Allow xserver to read /dev/urandom
- Add additional fixes for ipsec-mgmt
- Make SSHing into an Openshift Enterprise Node work
Wed May 29 14:00:00 2013 Miroslav Grepl 3.12.1-47
- Add transition rules to unconfined domains and to sysadm_t to create /etc/adjtime with the proper label
- Update files_filetrans_named_content() interface to get right labeling for pam.d conf files
- Allow systemd-timedated to create adjtime
- Add clock_create_adjtime()
- Additional ifconfig fix for #966106
- Allow kernel_t to create boot.log with correct labeling
- Remove unconfined_mplayer for which we don't have rules
- Rename interfaces
- Add userdom_manage_user_home_files/dirs interfaces
- Fix files_dontaudit_read_all_non_security_files
- Fix ipsec_manage_key_file()
- Fix ipsec_filetrans_key_file()
- Label /usr/bin/razor-lightdm-greeter as xdm_exec_t instead of spamc_exec_t
- Fix labeling for ipsec.secrets
- Add interfaces for ipsec and labeling for ipsec.info and ipsec_setup.pid
- Add files_dontaudit_read_all_non_security_files() interface
- /var/log/syslog-ng should be labeled var_log_t
- Make ifconfig_var_run_t a mountpoint
- Add transition from ifconfig to dnsmasq
- Allow ifconfig to execute bin_t/shell_exec_t
- We want to have hwdb.bin labeled as etc_t
- update logging_filetrans_named_content() interface
- Allow systemd_timedate_t to manage /etc/adjtime
- Allow NM to send signals to l2tpd
- Update antivirus_can_scan_system boolean
- Allow devicekit_disk_t to sys_config_tty
- Run abrt-harvest programs as abrt_t, and allow abrt_t to list all filesystem directories
- Make printing from vmware work
- Allow php-cgi from php54 collection to access /var/lib/net-snmp/mib_indexes
- Add virt_qemu_ga_data_t for qemu-ga
- Make chrome and mozilla able to connect to same ports, add jboss_management_port_t to both
- Fix typo in virt.te
- Add virt_qemu_ga_unconfined_t for hook scripts
- Make sure NetworkManager files get created with the correct label
- Add mozilla_plugin_use_gps boolean
- Fix cyrus to have support for net-snmp
- Additional fixes for dnsmasq and quantum for #966106
- Add plymouthd_create_log()
- remove httpd_use_oddjob for which we don't have rules
- Add missing rules for httpd_can_network_connect_cobbler
- Add missing cluster_use_execmem boolean
- Call userdom_manage_all_user_home_type_files/dirs
- Additional fix for ftp_home_dir
- Fix ftp_home_dir boolean
- Allow squid to recv/send client squid packet
- Fix nut.te to have nut_domain attribute
- Add support for ejabberd; TODO: revisit jabberd and rabbit policy
- Fix amanda policy
- Add more fixes for domains which use libusb
- Make domains which use libusb work correctly
- Allow l2tpd to create ipsec key files with correct labeling and manage them
- Fix cobbler_manage_lib_files/cobbler_read_lib_files to cover also lnk files
- Allow rabbitmq-beam to bind generic node
- Allow l2tpd to read ipsec-mgmt pid files
- more fixes for l2tpd, NM and pppd from #967072
Wed May 22 14:00:00 2013 Miroslav Grepl 3.12.1-46
- Dontaudit to getattr on dirs for dovecot-deliver
- Allow radiusd server to connect to postgresql socket
- Add kerberos support for radiusd
- Allow saslauthd to connect to ldap port
- Allow postfix to manage postfix_private_t files
- Add chronyd support for #965457
- Fix labeling for HOME_DIR/\.icedtea
- Change squid and snmpd to be allowed also write own logs
- Fix labeling for /usr/libexec/qemu-ga
- Allow virtd_t to use virt_lock_t
- Allow also sealert to read the policy from the kernel
- qemu-ga needs to execute scripts in /usr/libexec/qemu-ga and to use /tmp content
- Dontaudit listing of users homedir by sendmail. Seems like a leak
- Allow passenger to transition to puppet master
- Allow apache to connect to mythtv
- Add definition for mythtv ports
Fri May 17 14:00:00 2013 Miroslav Grepl 3.12.1-45
- Add additional fixes for #948073 bug
- Allow sge_execd_t to also connect to sge ports
- Allow openshift_cron_t to manage openshift_var_lib_t sym links
- Allow openshift_cron_t to manage openshift_var_lib_t sym links
- Allow sge_execd to bind sge ports. Allow kill capability and reading cgroup files
- Remove pulseaudio filetrans pulseaudio_manage_home_dirs which is a part of pulseaudio_manage_home_files
- Add networkmanager_stream_connect()
- Make gnome-abrt work with staff_t
- Fix openshift_manage_lib_files() interface
- mdadm runs ps command which seems to getattr on random log files
- Allow mozilla_plugin_t to create pulseaudio_home_t directories
- Allow qemu-ga to shut down virtual hosts
- Add labelling for cupsd-browsed
- Add web browser plugins to connect to aol ports
- Allow nm-dhcp-helper to stream connect to NM
- Add port definition for sge ports
Mon May 13 14:00:00 2013 Miroslav Grepl 3.12.1-44
- Make sure users and unconfined domains create .hushlogin with the correct label
- Allow pegasus to chat with realmd over DBus
- Allow cobblerd to read network state
- Allow boinc-client to stat on /dev/input/mice
- Allow certwatch to read net_config_t when it executes apache
- Allow readahead to create /run/systemd and then create its own directory with the correct label
Mon May 13 14:00:00 2013 Miroslav Grepl 3.12.1-43
- Transition directories and files when in a user_tmp_t directory
- Change certwatch to domtrans to apache instead of just execute
- Allow virsh_t to read xen lib files
- update policy rules for pegasus_openlmi_account_t
- Add support for svnserve_tmp_t
- Activate account openlmi policy
- pegasus_openlmi_domain_template needs to also require pegasus_t
- One more fix for policykit.te
- Call fs_list_cgroups_dirs() in policykit.te
- Allow nagios service plugin to read mysql config files
- Add labeling for /var/svn
- Fix chrome.te
- Fix pegasus_openlmi_domain_template() interfaces
- Fix dev_rw_vfio_dev definition, allow virtd_t to read tmpfs_t symlinks
- Fix location of google-chrome data
- Add support for chrome_sandbox to store content in the homedir
- Allow policykit to watch for changes in cgroups file system
- Add boolean to allow mozilla_plugin_t to use spice
- Allow collectd to bind to udp port
- Allow collectd_t to read all of /proc
- Should use netlink socket_perms
- Should use netlink socket_perms
- Allow glance domains to connect to apache ports
- Allow apcupsd_t to manage its log files
- Allow chrome objects to rw_inherited unix_stream_socket from callers
- Allow staff_t to execute virtd_exec_t for running vms
- nfsd_t needs to bind mountd port to make nfs-mountd.service work
- Allow unbound net_admin capability because of setsockopt syscall
- Fix fs_list_cgroup_dirs()
- Label /usr/lib/nagios/plugins/utils.pm as bin_t
- Remove duplicate definition of fs_read_cgroup_files()
- Remove duplicate definition of fs_read_cgroup_files()
- Add files_mountpoint_filetrans interface to be used by quotadb_t and snapperd
- Additional interfaces needed to list and read cgroups config
- Add port definition for collectd port
- Add labels for /dev/ptp*
- Allow staff_t to execute virtd_exec_t for running vms
Mon May 6 14:00:00 2013 Miroslav Grepl 3.12.1-42
- Allow samba-net to also read realmd tmp files
- Allow NUT to use serial ports
- realmd can be started by systemctl now
Mon May 6 14:00:00 2013 Miroslav Grepl 3.12.1-41
- Remove userdom_home_manager for xdm_t and move all rules to xserver.te directly
- Add new xdm_write_home boolean to allow xdm_t to create files in HOME dirs with xdm_home_t
- Allow postfix-showq to read/write unix.showq in /var/spool/postfix/pid
- Allow virsh to read xen lock file
- Allow qemu-ga to create files in /run with proper labeling
- Allow glusterd to connect to own socket in /tmp
- Allow glance-api to connect to http port to make glance image-create work
- Allow keystone_t to execute rpm
Fri May 3 14:00:00 2013 Miroslav Grepl 3.12.1-40
- Fix realmd cache interfaces
Fri May 3 14:00:00 2013 Miroslav Grepl 3.12.1-39
- Allow tcpd to execute leafnode
- Allow samba-net to read realmd cache files
- Dontaudit sys_tty_config for alsactl
- Fix allow rules for postfix_var_run
- Allow cobblerd to read /etc/passwd
- Allow pegasus to read exports
- Allow systemd-timedate to read xdm state
- Allow mount to stream connect to rpcbind
- Add labeling just for /usr/share/pki/ca-trust-source instead of /usr/share/pki
Tue Apr 30 14:00:00 2013 Miroslav Grepl 3.12.1-38
- Allow thumbnails to share memory with apps which run thumbnails
- Allow postfix-postqueue block_suspend
- Add lib interfaces for smsd
- Add support for nginx
- Allow s2s running as jabberd_t to connect to jabber_interserver_port_t
- Allow pki apache domain to create own tmp files and execute httpd_suexec
- Allow procmail to manage user tmp files/dirs/lnk_files
- Add virt_stream_connect_svirt() interface
- Allow dovecot-auth to execute bin_t
- Allow iscsid to request that kernel load a kernel module
- Add labeling support for /var/lib/mod_security
- Allow iw running as tuned_t to create netlink socket
- Dontaudit sys_tty_config for thumb_t
- Add labeling for nm-l2tp-service
- Allow httpd running as certwatch_t to open tcp socket
- Allow useradd to manage smsd lib files
- Allow useradd_t to add homedirs in /var/lib
- Fix typo in userdomain.te
- Cleanup userdom_read_home_certs
- Implement userdom_home_reader_certs_type to allow reading certs also on encrypted /home with ecryptfs_t
- Allow staff to stream connect to svirt_t to make gnome-boxes work
Fri Apr 26 14:00:00 2013 Miroslav Grepl 3.12.1-37
- Allow lvm to create its own unit files
- Label /var/lib/sepolgen as selinux_config_t
- Add filetrans rules for tw devices
- Add transition from cupsd_config_t to cupsd_t
Wed Apr 24 14:00:00 2013 Miroslav Grepl 3.12.1-36
- Add filetrans rules for tw devices
- Cleanup bad transition lines
Tue Apr 23 14:00:00 2013 Miroslav Grepl 3.12.1-35
- Fix lockdev_manage_files()
- Allow setroubleshootd to read var_lib_t to make email_alert work
- Add lockdev_manage_files()
- Call proper interface in virt.te
- Allow gkeyring_domain to create /var/run/UID/config/dbus file
- system dbus seems to be blocking suspend
- Dontaudit attempts to sys_ptrace, which I believe gpsd does not need
- When you enter a container from root, you generate avcs with a leaked file descriptor
- Allow mpd getattr on file system directories
- Make sure realmd creates content with the correct label
- Allow systemd-tty-ask to write kmsg
- Allow mgetty to use lockdev library for device locking
- Fix selinuxuser_user_share_music boolean name to selinuxuser_share_music
- When you enter a container from root, you generate avcs with a leaked file descriptor
- Make sure init.fc files are labeled correctly at creation
- File name trans vconsole.conf
- Fix labeling for nagios plugins
- label shared libraries in /opt/google/chrome as textrel_shlib_t
Thu Apr 18 14:00:00 2013 Miroslav Grepl 3.12.1-34
- Allow certmonger to dbus communicate with realmd
- Make realmd work
Thu Apr 18 14:00:00 2013 Miroslav Grepl 3.12.1-33
- Fix mozilla specification of homedir content
- Allow certmonger to read network state
- Allow tmpwatch to read tmp in /var/spool/{cups,lpd}
- Label all nagios plugins as unconfined by default
- Add httpd_serve_cobbler_files()
- Allow mdadm to read /dev/sr0 and create tmp files
- Allow certwatch to send mails
- Fix labeling for nagios plugins
- label shared libraries in /opt/google/chrome as textrel_shlib_t
Wed Apr 17 14:00:00 2013 Miroslav Grepl 3.12.1-32
- Allow realmd to run ipa, really needs to be an unconfined_domain
- Allow sandbox domains to use inherited terminals
- Allow pcscd to use devices labeled svirt_image_t in order to use cat cards.
- Add label for new alsa pid
- Alsa now uses a pid file and needs to setsched
- Fix oracleasmfs_t definition
- Add support for sshd_unit_file_t
- Add oracleasmfs_t
- Allow unlabeled_t files to be stored on unlabeled_t filesystems
Tue Apr 16 14:00:00 2013 Miroslav Grepl 3.12.1-31
- Fix description of deny_ptrace boolean
- Remove allow for execmod lib_t for now
- Allow quantum to connect to keystone port
- Allow nova-console to talk with mysql over unix stream socket
- Allow dirsrv to stream connect to uuidd
- thumb_t needs to be able to create ~/.cache if it does not exist
- virtd needs to be able to sys_ptrace when starting and stopping containers
Mon Apr 15 14:00:00 2013 Miroslav Grepl 3.12.1-30
- Allow alsa_t signal_perms, we probably should search for any app that can execute something without transition and give it signal_perms...
- Add dontaudit for mozilla_plugin_t looking at the xdm_t sockets
- Fix deny_ptrace boolean, certain ptrace leaked into the system
- Allow winbind to manage kerberos_rcache_host
- Allow spamd to create spamd_var_lib_t directories
- Remove transition to mozilla_tmp_t by mozilla_t, to allow it to manage the user's tmp dirs
- Add missing nslcd_dontaudit_write_sock_file() interface
- one more fix
- Fix pki_read_tomcat_lib_files() interface
- Allow certmonger to read pki-tomcat lib files
- Allow certwatch to execute bin_t
- Allow snmp to manage /var/lib/net-snmp files
- Call snmp_manage_var_lib_files(fogorn_t) instead of snmp_manage_var_dirs
- Fix vmware_role() interface
- Fix cobbler_manage_lib_files() interface
- Allow nagios check disk plugins to execute bin_t
- Allow quantum to transition to openvswitch_t
- Allow postdrop to stream connect to postfix-master
- Allow quantum to stream connect to openvswitch
- Add xserver_dontaudit_xdm_rw_stream_sockets() interface
- Allow daemon to send dgrams to initrc_t
- Allow kdm to start the power service to initiate a reboot or poweroff
Thu Apr 11 14:00:00 2013 Miroslav Grepl 3.12.1-29
- Add missing nslcd_dontaudit_write_sock_file() interface
- one more fix
- Fix pki_read_tomcat_lib_files() interface
- Allow certmonger to read pki-tomcat lib files
- Allow certwatch to execute bin_t
- Allow snmp to manage /var/lib/net-snmp files
- Don't audit attempts to write to stream socket of nslcd by thumbnailers
- Allow git_system_t to read network state
- Allow pegasus to execute mount command
- Fix desc for drdb_admin
- Fix condor_amin()
- Interface fixes for uptime, vdagent, vnstatd
- Fix labeling for moodle in /var/www/moodle/data
- Add interface fixes
- Allow bugzilla to read certs
- /var/www/moodle needs to be writable by apache
- Add interface to dontaudit attempts to send dbus messages to systemd domains, for xguest
- Fix namespace_init_t to create content with proper labels, and allow it to manage all user content
- Allow httpd_t to connect to osapi_compute port using httpd_use_openstack boolean
- Fixes for dlm_controld
- Fix apache_read_sys_content_rw_dirs() interface
- Allow logrotate to read /var/log/z-push dir
- Fix sys_nice for cups_domain
- Allow postfix_postdrop to access postfix_public socket
- Allow sched_setscheduler for cupsd_t
- Add missing context for /usr/sbin/snmpd
- Kernel_t needs mac_admin in order to support labeled NFS
- Fix systemd_dontaudit_dbus_chat() interface
- Add interface to dontaudit attempts to send dbus messages to systemd domains, for xguest
- Allow consolehelper domain to write Xauth files in /root
- Add port definition for osapi_compute port
- Allow unconfined to create /etc/hostname with correct labeling
- Add systemd_filetrans_named_hostname() interface
Mon Apr 8 14:00:00 2013 Dan Walsh 3.12.1-28
- Allow httpd_t to connect to osapi_compute port using httpd_use_openstack boolean
- Fixes for dlm_controld
- Fix apache_read_sys_content_rw_dirs() interface
- Allow logrotate to read /var/log/z-push dir
- Allow postfix_postdrop to access postfix_public socket
- Allow sched_setscheduler for cupsd_t
- Add missing context for /usr/sbin/snmpd
- Allow consolehelper more access discovered by Tom London
- Allow fsdaemon to send signull to all domains
- Add port definition for osapi_compute port
- Allow unconfined to create /etc/hostname with correct labeling
- Add systemd_filetrans_named_hostname() interface
Sat Apr 6 14:00:00 2013 Dan Walsh 3.12.1-27
- Fix file_contexts.subs to label /run/lock correctly
Fri Apr 5 14:00:00 2013 Miroslav Grepl 3.12.1-26
- Try to label on controlC devices up to 30 correctly
- Add mount_rw_pid_files() interface
- Add additional mount/umount interfaces needed by mock
- fsadm_t sends audit messages and reads kernel_ipc_info when doing livecd-iso-to-disk
- Fix tabs
- Allow initrc_domain to search rgmanager lib files
- Add more fixes which make mock work together with confined users
  * Allow mock_t to manage rpm files
  * Allow mock_t to read rpm log files
  * Allow mock to setattr on tmpfs, devpts
  * Allow mount/umount filesystems
- Add rpm_read_log() interface
- yum-cron runs rpm from within it.
- Allow tuned to transition to dmidecode
- Allow firewalld to do net_admin
- Allow mock to unmount tmpfs_t
- Fix virt_sigkill() interface
- Add additional fixes for mock. Mainly caused by mount running in mock_t
- Allow mock to write sysfs_t and mount pid files
- Add mailman_domain to mailman_template()
- Allow openvswitch to execute shell
- Allow qpidd to use kerberos
- Allow mailman to use fusefs, needs back port to RHEL6
- Allow apache and its scripts to use anon_inodefs
- Add alias for git_user_content_t and git_sys_content_t so that RHEL6 will update to RHEL7
- Realmd needs to connect to samba ports, needs back port to F18 also
- Allow colord to read /run/initial-setup-
- Allow sanlock-helper to send sigkill to virtd which is registered to sanlock
- Add virt_kill() interface
- Add rgmanager_search_lib() interface
- Allow wdmd to getattr on all filesystems. Back ported from RHEL6
Tue Apr 2 14:00:00 2013 Miroslav Grepl 3.12.1-25
- Allow realmd to create tmp files
- Fix ircssi_home_t type to irssi_home_t
- Allow adcli running as realmd_t to connect to ldap port
- Allow NetworkManager to transition to ipsec_t, for running strongswan
- Make openshift_initrc_t an lxc_domain
- Allow gssd to manage user_tmp_t files
- Fix handling of irclogs in users homedir
- Fix labeling for drupal and wp-content in subdirs of /var/www/html
- Allow abrt to read utmp_t file
- Fix openshift policy to transition lnk_file, sock_file and fifo_file when created in a tmpfs_t, needs back port to RHEL6
- fix labeling for (oo|rhc)-restorer-wrapper.sh
- firewalld needs to be able to write to network sysctls
- Fix mozilla_plugin_dontaudit_rw_sem() interface
- Dontaudit generic ipc read/write to a mozilla_plugin for sandbox_x domains
- Add mozilla_plugin_dontaudit_rw_sem() interface
- Allow svirt_lxc_t to transition to openshift domains
- Allow condor domains block_suspend and dac_override caps
- Allow condor_master to read passwd
- Allow condor_master to read system state
- Allow NetworkManager to transition to ipsec_t, for running strongswan
- Lots of access required by lvm_t to create encrypted usb device
- Allow xdm_t to dbus communicate with systemd_localed_t
- Label strongswan content as ipsec_exec_mgmt_t for now
- Allow users to dbus chat with systemd_localed
- Fix handling of .xsession-errors in xserver.if, so kde will work
- Might be a bug but we are seeing avc's about people status on init_t:service
- Make sure we label content under /var/run/lock as <>
- Allow daemon and systemprocesses to search init_var_run_t directory
- Add boolean to allow xdm to write xauth data to the home directory
- Allow mount to write keys for the unconfined domain
- Add unconfined_write_keys() interface
Tue Mar 26 13:00:00 2013 Miroslav Grepl 3.12.1-24
- Add labeling for /usr/share/pki
- Allow programs that read var_run_t symlinks to also read var_t symlinks
- Add additional ports as mongod_port_t for 27018, 27019, 28017, 28018 and 28019 ports
- Fix labeling for /etc/dhcp directory
- add missing systemd_stub_unit_file() interface
- Add files_stub_var() interface
- Add labels for cert_t directories
- Make localectl set-x11-keymap work at all
- Allow abrt to manage mock build environments to catch build problems.
- Allow virt_domains to setsched for running gdb on itself
- Allow thumb_t to execute user home content
- Allow pulseaudio running as mozilla_plugin_t to read /run/systemd/users/1000
- Allow certwatch to execute /usr/bin/httpd
- Allow cgred to send signal perms to itself, needs back port to RHEL6
- Allow openshift_cron_t to look at quota
- Allow cups_t to read inherited tmpfs_t from the kernel
- Allow yppasswdd to use NIS
- Tuned wants sys_rawio capability
- Add ftpd_use_fusefs boolean
- Allow dirsrvadmin_t to signal itself
Wed Mar 20 13:00:00 2013 Miroslav Grepl 3.12.1-23
- Allow localectl to read /etc/X11/xorg.conf.d directory
- Revert "Revert "Fix filetrans rules for kdm creates .xsession-errors""
- Allow mount to transition to systemd_passwd_agent
- Make sure abrt directories are labeled correctly
- Allow commands that are going to read mount pid files to search mount_var_run_t
- label /usr/bin/repoquery as rpm_exec_t
- Allow automount to block suspend
- Add abrt_filetrans_named_content so that abrt directories get labeled correctly
- Allow virt domains to setrlimit and read file_context
Mon Mar 18 13:00:00 2013 Miroslav Grepl 3.12.1-22
- Allow nagios to manage nagios spool files
- /var/spool/snmptt is a directory which snmpd needs to write to, needs back port to RHEL6
- Add swift_alias.* policy files which contain typealiases for swift types
- Add support for /run/lock/opencryptoki
- Allow pkcsslotd chown capability
- Allow pkcsslotd to read passwd
- Add rsync_stub() interface
- Allow systemd_timedate to also manage gnome config homedirs
- Label /usr/lib64/security/pam_krb5/pam_krb5_cchelper as bin_t
- Fix filetrans rules for kdm creates .xsession-errors
- Allow systemd_tmpfiles to create wtmp file
- Really should not label content under /var/lock, since it could have labels on it different from var_lock_t
- Allow systemd to list all file system directories
- Add some basic stub interfaces which will be used in PRODUCT policies
Wed Mar 13 13:00:00 2013 Miroslav Grepl 3.12.1-21
- Fix log transition rule for cluster domains
- Start to group all cluster log together
- Don't use filename transition for Pokemon Advanced Adventure until a new checkpolicy update
- cups uses usbtty_device_t devices
- These fixes were all required to build an MLS virtual machine with single level desktops
- Allow domains to transition using httpd_exec_t
- Allow svirt domains to manage kernel key rings
- Allow setroubleshoot to execute ldconfig
- Allow firewalld to read generate gnome data
- Allow bluetooth to read machine-info
- Allow boinc domain to send signal to itself
- Fix gnome_filetrans_home_content() interface
- Allow mozilla_plugins to list apache modules, for use with gxine
- Fix labels for Pokemon in the users homedir
- Allow xguest to read mdstat
- Dontaudit virt_domains getattr on /dev/*
- These fixes were all required to build an MLS virtual machine with single level desktops
- Need to back port this to RHEL6 for openshift
- Add tcp/8891 as milter port
- Allow nsswitch domains to read sssd_var_lib_t files
- Allow ping to read network state.
- Fix typo
- Add labels to /etc/X11/xorg.d and allow systemd-timestampd_t to manage them
Fri Mar 8 13:00:00 2013 Miroslav Grepl 3.12.1-20
- Adopt swift changes from lhh@redhat.com
- Add rhcs_manage_cluster_pid_files() interface
- Allow screen domains to configure tty and setup sock_file in ~/.screen directory
- Allow setroubleshoot to read default_context_t, needed to backport to F18
- Label /etc/owncloud as being an apache writable directory
- Allow sshd to stream connect to an lxc domain
Thu Mar 7 13:00:00 2013 Miroslav Grepl 3.12.1-19
- Allow postgresql to manage rgmanager pid files
- Allow postgresql to read ccs data
- Allow systemd_domain to send dbus messages to policykit
- Add labels for /etc/hostname and /etc/machine-info and allow systemd-hostnamed to create them
- All systemd domains that create content are reading the file_context file and setfscreate
- Systemd domains need to search through init_var_run_t
- Allow sshd to communicate with libvirt to set container labels
- Add interface to manage pid files
- Allow NetworkManager_t to read /etc/hostname
- Dontaudit leaked locked files into openshift_domains
- Add fixes for oo-cgroup-read - it now creates tmp files
- Allow gluster to manage all directories as well as files
- Dontaudit chrome_sandbox_nacl_t using user terminals
- Allow sysstat to manage its own log files
- Allow virtual machines to setrlimit and send themselves signals.
- Add labeling for /var/run/hplip
Mon Mar 4 13:00:00 2013 Miroslav Grepl 3.12.1-18
- Fix POSTIN scriptlet
Fri Mar 1 13:00:00 2013 Miroslav Grepl 3.12.1-17
- Merge rgmanager, corosync, pacemaker, aisexec policies to cluster_t in rhcs.pp
Wed Feb 27 13:00:00 2013 Miroslav Grepl 3.12.1-16
- Fix authconfig.py labeling
- Make any domains that write homedir content do it correctly
- Allow glusterd to read/write anywhere on the file system by default
- Be a little more liberal with the rsync log files
- Fix iscsi_admin interface
- Allow iscsid_t to read /dev/urand
- Fix up iscsi domain for use with unit files
- Add filename transition support for spamassassin policy
- Allow web plugins to use badly formatted libraries
- Allow nmbd_t to create samba_var_t directories
- Add filename transition support for spamassassin policy
- Add filename transition support for tvtime
- Fix alsa_home_filetrans_alsa_home() interface
- Move all userdom_filetrans_home_content() calling out of booleans
- Allow logrotate to getattr on all file systems
- Remove duplicate userdom_filetrans_home_content() calling
- Allow kadmind to read /etc/passwd
- Dontaudit append .xsession-errors file on ecryptfs for policykit-auth
- Allow antivirus domain to manage antivirus db links
- Allow logrotate to read /sys
- Allow mandb to setattr on man dirs
- Remove mozilla_plugin_enable_homedirs boolean
- Fix ftp_home_dir boolean
- homedir mozilla filetrans has been moved to userdom_home_manager
- homedir telepathy filetrans has been moved to userdom_home_manager
- Remove gnome_home_dir_filetrans() from gnome_role_gkeyringd()
- Might want to eventually write a daemon on fusefsd.
- Add policy fixes for sshd [net] child from plautrba@redhat.com
- Tor uses a new port
- Remove bin_t for authconfig.py
- Fix so only one call to userdom_home_file_trans
- Allow home_manager_types to create content with the correct label
- Fix all domains that write data into the homedir to do it with the correct label
- Change the postgresql to use proper boolean names, which is causing httpd_t to not get access to postgresql_var_run_t
- Hostname needs to send syslog messages
- Localectl needs to be able to send dbus signals to users
- Make sure userdom_filetrans_type will create files/dirs with user_home_t labeling by default
- Allow user_home_manager domains to create spam* homedir content with correct labeling
- Allow user_home_manager domains to create HOMEDIR/.tvtime with correct labeling
- Add missing miscfiles_setattr_man_pages() interface and for now comment some rules for userdom_filetrans_type to make build process work
- Declare userdom_filetrans_type attribute
- userdom_manage_home_role() needs to be called without usertype attribute because of userdom_filetrans_type attribute
- fusefsd is mounting a fuse file system on /run/user/UID/gvfs
Thu Feb 21 13:00:00 2013 Miroslav Grepl 3.12.1-15
- Man pages are now generated in the build process
- Allow cgred to list inotifyfs filesystem
Wed Feb 20 13:00:00 2013 Miroslav Grepl 3.12.1-14
- Allow gluster to get attrs on all fs
- New access required for virt-sandbox
- Allow dnsmasq to execute bin_t
- Allow dnsmasq to create content in /var/run/NetworkManager
- Fix openshift_initrc_signal() interface
- Dontaudit openshift domains doing getattr on other domains
- Allow consolehelper domain to communicate with session bus
- Mock should not be transitioning to any other domains, we should keep mock_t as mock_t
- Update virt_qemu_ga_t policy
- Allow authconfig running from realmd to restart oddjob service
- Add systemd support for oddjob
- Add initial policy for realmd_consolehelper_t which is for authconfig executed by realmd
- Add labeling for gnashpluginrc
- Allow chrome_nacl to execute /dev/zero
- Allow condor domains to read /proc
- mozilla_plugin_t will getattr on /core if firefox crashes
- Allow condor domains to read /etc/passwd
- Allow dnsmasq to execute shell scripts, openstack requires this access
- Fix glusterd labeling
- Allow virtd_t to interact with the socket type
- Allow nmbd_t to override dac if you turned on sharing all files
- Allow tuned to create kobject_uevent socket
- Allow guest user to run fusermount
- Allow openshift to read /proc and locale
- Allow realmd to dbus chat with rpm
- Add new interface for virt
- Remove deprecated interfaces
- Allow systemd_domains read access on etc, etc_runtime and usr files, also allow them to connect stream to syslog socket
- /usr/share/munin/plugins/plugin.sh should be labeled as bin_t
- Remove some more unconfined_t process transitions, that I don't believe are necessary
- Stop transitioning unconfined_t to checkpc
- dmraid creates /var/lock/dmraid
- Allow systemd_localed to create unix_dgram_sockets
- Allow systemd_localed to write kernel messages.
- Also cleanup systemd definition a little.
- Fix userdom_restricted_xwindows_user_template() interface
- Label any block devices or char devices under /dev/infiniband as fixed_disk_device_t
- User accounts need to dbus chat with accountsd daemon
- Gnome requires all users to be able to read /proc/1/
Thu Feb 14 13:00:00 2013 Miroslav Grepl 3.12.1-13
- virsh now does a setexeccon call
- Additional rules required by openshift domains
- Allow svirt_lxc_domains to use inherited terminals, needed to make virt-sandbox-service execute work
- Allow spamd_update_t to search spamc_home_t
- Avcs discovered by mounting an iscsi device under /mnt
- Allow lspci running as logrotate to read pci.ids
- Additional fix for networkmanager_read_pid_files()
- Fix networkmanager_read_pid_files() interface
- Allow all svirt domains to connect to svirt_socket_t
- Allow virsh to set SELinux context for a process.
- Allow tuned to create netlink_kobject_uevent_socket
- Allow systemd-timestamp to set SELinux context
- Add support for /var/lib/systemd/linger
- Fix ssh_sysadm_login to work on MLS as expected
Mon Feb 11 13:00:00 2013 Miroslav Grepl 3.12.1-12
- Rename files_rw_inherited_tmp_files to files_rw_inherited_tmp_file
- Add missing files_rw_inherited_tmp_files interface
- Add additional interface for ecryptfs
- Allow nova-cert to connect to postgresql
- Allow keystone to connect to postgresql
- Allow all cups domains to getattr on filesystems
- Allow pppd to send signull
- Allow tuned to execute ldconfig
- Allow gpg to read fips_enabled
- Add additional fixes for ecryptfs
- Allow httpd to work with postgresql
- Allow keystone getsched and setsched
Fri Feb 8 13:00:00 2013 Miroslav Grepl 3.12.1-11
- Allow gpg to read fips_enabled
- Add support for /var/cache/realmd
- Add support for /usr/sbin/blazer_usb and systemd support for nut
- Add labeling for fenced_sanlock and allow sanlock transition to fenced_t
- bitlbee wants to read own log file
- Allow glance domain to send a signal to itself
- Allow xend_t to request that the kernel load a kernel module
- Allow pacemaker to execute heartbeat lib files
- cleanup new swift policy
Tue Feb 5 13:00:00 2013 Miroslav Grepl 3.12.1-10
- Fix smartmontools
- Fix userdom_restricted_xwindows_user_template() interface
- Add xserver_xdm_ioctl_log() interface
- Allow Xusers to ioctl lxdm.log to make lxdm working
- Add MLS fixes to make MLS boot/log-in working
- Add mls_socket_write_all_levels() also for syslogd
- fsck.xfs needs to read passwd
- Fix ntp_filetrans_named_content calling in init.te
- Allow postgresql to create pg_log dir
- Allow sshd to read rsync_data_t to make rsync working
- Change ntp.conf to be labeled net_conf_t
- Allow useradd to create homedirs in /run. ircd-ratbox does this and we should just allow it
- Allow xdm_t to execute gstreamer home content
- Allow initrc_t and unconfined domains, and sysadm_t to manage ntp
- New policy for openstack swift domains
- More access required for openshift_cron_t
- Use cupsd_log_t instead of cupsd_var_log_t
- rpm_script_roles should be used in rpm_run
- Fix rpm_run() interface
- Fix openshift_initrc_run()
- Fix sssd_dontaudit_stream_connect() interface
- Fix sssd_dontaudit_stream_connect() interface
- Allow LDA's job to deliver mail to the mailbox
- dontaudit block_suspend for mozilla_plugin_t
- Allow l2tpd_t to all signal perms
- Allow uuidgen to read /dev/random
- Allow mozilla-plugin-config to read power_supply info
- Implement cups_domain attribute for cups domains
- We now need access to user terminals since we start by executing a command outside the tty
- We now need access to user terminals since we start by executing a command outside the tty
- svirt lxc containers want to execute userhelper apps, need these changes to allow this to happen
- Add containment of openshift cron jobs
- Allow system cron jobs to create tmp directories
- Make userhelp_conf_t a config file
- Change rpm to use rpm_script_roles
- More fixes for rsync to make rsync working
- Allow logwatch to domtrans to mdadm
- Allow pacemaker to domtrans to ifconfig
- Allow pacemaker to setattr on corosync.log
- Add pacemaker_use_execmem for memcheck-amd64 command
- Allow block_suspend capability
- Allow create fifo_file in /tmp with pacemaker_tmp_t
- Allow systat to getattr on fixed disk
- Relabel /etc/ntp.conf to be net_conf_t
- ntp_admin should create files in /etc with the correct label
- Add interface to create ntp_conf_t files in /etc
- Add additional labeling for quantum
- Allow quantum to execute dnsmasq with transition
Wed Jan 30 13:00:00 2013 Miroslav Grepl 3.12.1-9
- boinc_client wants also execmem as boinc projects have
- Allow sa-update to search admin home for /root/.spamassassin
- Allow sa-update to search admin home for /root/.spamassassin
- Allow antivirus domain to read net sysctl
- Dontaudit attempts from thumb_t to connect to ssd
- Dontaudit attempts by readahead to read sock_files
- Dontaudit attempts by readahead to read sock_files
- Create tmpfs file while running as wine as user_tmpfs_t
- Dontaudit attempts by readahead to read sock_files
- libmpg ships badly created libraries
Mon Jan 28 13:00:00 2013 Miroslav Grepl 3.12.1-8
- Change ssh_use_pts to use macro and only inherited sshd_devpts_t
- Allow confined users to read systemd_logind seat information
- libmpg ships badly created libraries
- Add support for strongswan.service
- Add labeling for strongswan
- Allow l2tpd_t to read network manager content in /run directory
- Allow rsync to getattr any file in rsync_data_t
- Add labeling and filename transition for .grl-podcasts
Fri Jan 25 13:00:00 2013 Miroslav Grepl 3.12.1-7
- mount.glusterfs executes glusterfsd binary
- Allow systemd_hostnamed_t to stream connect to systemd
- Dontaudit any user doing an access check
- Allow obex-data-server to request the kernel to load a module
- Allow gpg-agent to manage gnome content (~/.cache/gpg-agent-info)
- Allow gpg-agent to read /proc/sys/crypto/fips_enabled
- Add new types for antivirus.pp policy module
- Allow gnomesystemmm_t caps because of ioprio_set
- Make sure if mozilla_plugin creates files while in permissive mode, they get created with the correct label, user_home_t
- Allow gnomesystemmm_t caps because of ioprio_set
- Allow NM rawip socket
- files_relabel_non_security_files can not be used with boolean
- Add interface to thumb_t dbus_chat to allow it to read remote process state
- Allow logrotate to domtrans to mdadm_t
- kde gnomeclock wants to write content to /tmp
Wed Jan 23 13:00:00 2013 Miroslav Grepl 3.12.1-6
- kde gnomeclock wants to write content to /tmp
- /usr/libexec/kde4/kcmdatetimehelper attempts to create /root/.kde
- Allow blueman_t to rwx zero_device_t, for some kind of jre
- Allow mozilla_plugin_t to rwx zero_device_t, for some kind of jre
- Ftp full access should be allowed to create directories as well as files
- Add boolean to allow rsync_full_access, so that an rsync server can write all over the local machine
- logrotate needs to rotate logs in openshift directories, needs back port to RHEL6
- Add missing vpnc_roles type line
- Allow stapserver to write content in /tmp
- Allow gnome keyring to create keyrings dir in ~/.local/share
- Dontaudit thumb drives trying to bind to udp sockets if nis_enabled is turned on
- Add interface to colord_t dbus_chat to allow it to read remote process state
- Allow colord_t to read cupsd_t state
- Add mate-thumbnail-font as thumbnailer
- Allow sectoolm to sys_ptrace since it is looking at other processes /proc data.
- Allow qpidd to list /tmp. Needed by ssl
- Only allow init_t to transition to rsync_t domain, not initrc_t. This should be back ported to F17, F18
- Added systemd support for ksmtuned
- Added booleans ksmtuned_use_nfs ksmtuned_use_cifs
- firewalld seems to be creating mmap files which it needs to execute in /run /tmp and /dev/shm. Would like to clean this up but for now we will allow
- Looks like qpidd_t needs to read /dev/random
- Lots of probing avc's caused by executing gpg from staff_t
- Dontaudit sendmail triggering a net_admin avc
- Change thumb_role to use thumb_run, not sure why we have a thumb_role, needs back port
- Logwatch does access check on mdadm binary
- Add raid_access_check_mdadm() interface
Wed Jan 16 13:00:00 2013 Miroslav Grepl 3.12.1-5
- Fix systemd_manage_unit_symlinks() interface
- Call systemd_manage_unit_symlinks() which is correct interface
- Add filename transition for opasswd
- Switch gnomeclock_dbus_chat to systemd_dbus_chat_timedated since we have switched the name of gnomeclock
- Allow systemd-timedated to get status of init_t
- Add new systemd policies for hostnamed and rename gnomeclock_t to systemd_timedate_t
- colord needs to communicate with systemd and systemd_logind, also remove duplicate rules
- Switch gnomeclock_dbus_chat to systemd_dbus_chat_timedated since we have switched the name of gnomeclock
- Allow gpg_t to manage all gnome files
- Stop using pcscd_read_pub_files
- New rules for xguest, dontaudit attempts to dbus chat
- Allow firewalld to create its mmap files in tmpfs and tmp directories
- Allow firewalld to create its mmap files in tmpfs and tmp directories
- run unbound-chkconf as named_t, so it can read dnssec
- Colord is reading xdm process state, probably reads state of any apps that sends dbus message
- Allow mdadm_t to change the kernel scheduler
- mythtv policy
- Update mandb_admin() interface
- Allow dspam to listen on own tcp_socket
- seutil_filetrans_named_content needs to be optional
- Allow sysadm_t to execute content in his homedir
- Add attach_queue to tun_socket, new patch from Paul Moore
- Change most of selinux configuration types to security_file_type.
- Add filename transition rules for selinux configuration
- ssh into a box with -X -Y requires ssh_use_ptys
- Dontaudit thumb drives trying to bind to udp sockets if nis_enabled is turned on
- Allow all unpriv userdomains to send dbus messages to hostnamed and timedated
- New allow rules found by Tom London for systemd_hostnamed
Mon Jan 14 13:00:00 2013 Miroslav Grepl 3.12.1-4
- Allow systemd-tmpfiles to relabel lpd spool files
- Add labeling for texlive bash scripts
- Add xserver_filetrans_fonts_cache_home_content() interface
- Remove duplicate rules from *.te
- Add support for /var/lock/man-db.lock
- Add support for /var/tmp/abrt(/.*)?
- Add additional labeling for munin cgi scripts
- Allow httpd_t to read munin conf files
- Allow certwatch to read meminfo
- Fix nscd_dontaudit_write_sock_file() interface
- Fix gnome_filetrans_home_content() to include also "fontconfig" dir as cache_home_t
- Allow mozilla_plugin_t to create HOMEDIR/.fontconfig with the proper labeling
Fri Jan 11 13:00:00 2013 Miroslav Grepl 3.12.1-3
- Allow gnomeclock to talk to puppet over dbus
- Allow numad access discovered by Dominic
- Add support for HOME_DIR/.maildir
- Fix attribute_role for mozilla_plugin_t domain to allow staff_r to access this domain
- Allow udev to relabel udev_var_run_t lnk_files
- New bin_t file in mcelog
Thu Jan 10 13:00:00 2013 Miroslav Grepl 3.12.1-2
- Remove all mcs overrides and replace with t1 != mcs_constrained_types
- Add attribute_role for iptables
- mcs_process_set_categories needs to be called for type
- Implement additional role_attribute statements
- Sudo domain is attempting to get the attributes of proc_kcore_t
- Unbound uses port 8953
- Allow svirt_t images to compromise_kernel when using pci-passthrough
- Add label for dns lib files
- Bluetooth acquires a dbus name
- Remove redundant files_read_usr_file calling
- Remove redundant files_read_etc_file calling
- Fix mozilla_run_plugin()
- Add role_attribute support for more domains
Wed Jan 9 13:00:00 2013 Miroslav Grepl 3.12.1-1
- Mass merge with upstream
Sat Jan 5 13:00:00 2013 Dan Walsh 3.11.1-69.1
- Bump the policy version to 28 to match selinux userspace
- Rebuild versus latest libsepol
Wed Jan 2 13:00:00 2013 Miroslav Grepl 3.11.1-69
- Add systemd_status_all_unit_files() interface
- Add support for nshadow
- Allow sysadm_t to administrate the postfix domains
- Add interface to setattr on isid directories for use by tmpreaper
- Allow sshd_t sys_admin for use with afs logins
- Allow systemd to read/write all sysctls
- Allow sshd_t sys_admin for use with afs logins
- Allow systemd to read/write all sysctls
- Add systemd_status_all_unit_files() interface
- Add support for nshadow
- Allow sysadm_t to administrate the postfix domains
- Add interface to setattr on isid directories for use by tmpreaper
- Allow sshd_t sys_admin for use with afs logins
- Allow systemd to read/write all sysctls
- Allow sshd_t sys_admin for use with afs logins
- Add labeling for /var/named/chroot/etc/localtime
Thu Dec 27 13:00:00 2012 Miroslav Grepl 3.11.1-68
- Allow setroubleshoot_fixit to execute rpm
- zoneminder needs to connect to httpd ports where remote cameras are listening
- Allow firewalld to execute content created in /run directory
- Allow svirt_t to read generic certs
- Dontaudit leaked ps content to mozilla plugin
- Allow sshd_t sys_admin for use with afs logins
- Allow systemd to read/write all sysctls
- init scripts are creating systemd_unit_file_t directories
Fri Dec 21 13:00:00 2012 Miroslav Grepl 3.11.1-67
- systemd_logind_t is looking at all files under /run/user/apache
- Allow systemd to manage all user tmp files
- Add labeling for /var/named/chroot/etc/localtime
- Allow netlabel_peer_t type to flow over netif_t and node_t, and only be hindered by MLS, need back port to RHEL6
- Keystone is now using a different port
- Allow xdm_t to use usbmuxd daemon to control sound
- Allow passwd daemon to execute gnome_exec_keyringd
- Fix chrome_sandbox policy
- Add labeling for /var/run/checkquorum-timer
- More fixes for the dspam domain, needs back port to RHEL6
- More fixes for the dspam domain, needs back port to RHEL6
- sssd needs to connect to kerberos password port if a user changes his password
- Lots of fixes from RHEL testing of dspam web
- Allow chrome and mozilla_plugin to create msgq and semaphores
- Fixes for dspam cgi scripts
- Fixes for dspam cgi scripts
- Allow confined users to ptrace screen
- Backport virt_qemu_ga_t changes from RHEL
- Fix labeling for dspam.cgi needed for RHEL6
- We need to back port this policy to RHEL6, for lxc domains
- Dontaudit attempts to set sys_resource of logrotate
- Allow corosync to read/write wdmd's tmpfs files
- I see a ptrace of mozilla_plugin_t by staff_t, will allow without deny_ptrace being set
- Allow cron jobs to read bind config for unbound
- libvirt needs to inhibit systemd
- kdumpctl needs to delete boot_t files
- Fix duplicate gnome_config_filetrans
- virtd_lxc_t is using /dev/fuse
- Passenger needs to create a directory in /var/log, needs a backport to RHEL6 for openshift
- apcupsd can be setup to listen to snmp traffic
- Allow transition from kdumpgui to kdumpctl
- Add fixes for munin CGI scripts
- Allow deltacloud to connect to openstack at the keystone port
- Allow domains that transition to svirt domains to be able to signal them
- Fix file context of gstreamer in .cache directory
- libvirt is communicating with logind
- NetworkManager writes to the systemd inhibit pipe
Mon Dec 17 13:00:00 2012 Miroslav Grepl 3.11.1-66
- Allow munin disk plugins to get attributes of all directories
- Allow munin disk plugins to get attributes of all directories
- Allow logwatch to get attributes of all directories
- Fix networkmanager_manage_lib() interface
- Fix gnome_manage_config() to allow to manage sock_file
- Fix virtual_domain_context
- Add support for dynamic DNS for DHCPv6
Sat Dec 15 13:00:00 2012 Miroslav Grepl 3.11.1-65
- Allow svirt to use netlink_route_socket which was a part of auth_use_nsswitch
- Add additional labeling for /var/www/openshift/broker
- Fix rhev policy
- Allow openshift_initrc domain to dbus chat with systemd_logind
- Allow httpd to getattr passenger log file if run_stickshift
- Allow consolehelper-gtk to connect to xserver
- Add labeling for the tmp-inst directory defined in pam_namespace.conf
- Add lvm_metadata_t labeling for /etc/multipath
Fri Dec 14 13:00:00 2012 Miroslav Grepl 3.11.1-64
- consoletype is no longer used
Wed Dec 12 13:00:00 2012 Miroslav Grepl 3.11.1-63
- Add label for efivarfs
- Allow certmonger to send signal to itself
- Allow plugin-config to read own process status
- Add more fixes for pacemaker
- apache/drupal can run clamscan on uploaded content
- Allow chrome_sandbox_nacl_t to read pid 1 content
Tue Dec 11 13:00:00 2012 Miroslav Grepl 3.11.1-62
- Fix MCS Constraints to control ingress and egress controls on the network.
- Change name of svirt_nokvm_t to svirt_tcg_t
- Allow tuned to request the kernel to load kernel modules
Mon Dec 10 13:00:00 2012 Miroslav Grepl 3.11.1-61
- Label /var/lib/pgsql/.ssh as ssh_home_t
- Add labeling for /usr/bin/pg_ctl
- Allow systemd-logind to manage keyring user tmp dirs
- Add support for 7389/tcp port
- gems seems to be placed in lots of places
- Since xdm is running a full session, it seems to be trying to execute lots of executables via dbus
- Add back tcp/8123 port as http_cache port
- Add ovirt-guest-agent\.pid labeling
- Allow xend to run scsi_id
- Allow rhsmcertd-worker to read "physical_package_id"
- Allow pki_tomcat to connect to ldap port
- Allow lpr to read /usr/share/fonts
- Allow open file from CD/DVD drive on domU
- Allow munin services plugins to talk to SSSD
- Allow all samba domains to create samba directory in var_t directories
- Take away svirt_t ability to use nsswitch
- Dontaudit attempts by openshift to read apache logs
- Allow apache to create as well as append _ra_content_t
- Dontaudit sendmail_t reading a leaked file descriptor
- Add interface to have admin transition /etc/prelink.cache to the proper label
- Add sntp support to ntp policy
- Allow firewalld to dbus chat with devicekit_power
- Allow tuned to call lsblk
- Allow tor to read /proc/sys/kernel/random/uuid
- Add tor_can_network_relay boolean
Wed Dec 5 13:00:00 2012 Miroslav Grepl 3.11.1-60
- Add openshift_initrc_signal() interface
- Fix typos
- dspam port is treated as spamd_port_t
- Allow setroubleshoot to getattr on all executables
- Allow tuned to execute profiles scripts in /etc/tuned
- Allow apache to create directories to store its log files
- Allow all directories/files in /var/log starting with passenger to be labeled passenger_log_t
- Looks like apache is sending signal to openshift_initrc_t now, needs back port to RHEL6
- Allow Postfix to be configured to listen on TCP port 10026 for email from DSPAM
- Add filename transition for /etc/tuned/active_profile
- Allow condor_master to send mails
- Allow condor_master to read submit.cf
- Allow condor_master to create /tmp files/dirs
- Allow condor_master to send sigkill to other condor domains
- Allow condor_procd sigkill capability
- tuned-adm wants to talk with tuned daemon
- Allow kadmind and krb5kdc to also list sssd_public_t
- Allow accountsd to dbus chat with init
- Fix git_read_generic_system_content_files() interface
- pppd wants sys_nice by nmcli because of "syscall=sched_setscheduler"
- Fix mozilla_plugin_can_network_connect to allow to connect to all ports
- Label all munin plugins which are not covered by munin plugins policy as unconfined_munin_plugin_exec_t
- dspam wants to search /var/spool for opendkim data
- Revert "Add support for tcp/10026 port as dspam_port_t"
- Turning on labeled networking requires additional access for netlabel_peer_t; these allow rules need to be back ported to RHEL6
- Allow all application domains to use fifo_files passed in from userdomains, also allow them to write to tmp_files inherited from userdomain
- Allow systemd_tmpfiles_t to setattr on mandb_cache_t
Sat Dec 1 13:00:00 2012 Miroslav Grepl 3.11.1-59
- consolekit.pp was not removed from the postinstall script
Fri Nov 30 13:00:00 2012 Miroslav Grepl 3.11.1-58
- Add back consolekit policy
- Silence bootloader trying to use inherited tty
- Silence xdm_dbusd_t trying to execute telepathy apps
- Fix shutdown avcs when machine has unconfined.pp disabled
- The host and a virtual machine can share the same printer on a usb device
- Change oddjob to transition to a ranged openshift_initrc_exec_t when run from oddjob
- Allow abrt_watch_log_t to execute bin_t
- Allow chrome sandbox to write content in ~/.config/chromium
- Dontaudit setattr on fontconfig dir for thumb_t
- Allow lircd to request the kernel to load module
- Make rsync as userdom_home_manager
- Allow rsync to search automount filesystem
- Add fixes for pacemaker
Wed Nov 28 13:00:00 2012 Miroslav Grepl 3.11.1-57
- Add support for 4567/tcp port
- Random fixes from Tuomo Soini
- xdm wants to get init status
- Allow programs to run in fips_mode
- Add interface to allow the reading of all blk device nodes
- Allow init to relabel rpcbind sock_file
- Fix labeling for lastlog and faillog related to logrotate
- Allow aeolus_configserver to use TRAM port
- Add fixes for aeolus_configserver
- Allow snmpd to connect to snmp port
- Allow spamd_update to create spamd_var_lib_t directories
- Allow domains that can read sssd_public_t files to also list the directory
- Remove miscfiles_read_localization, this is defined for all domains
Mon Nov 26 13:00:00 2012 Miroslav Grepl 3.11.1-56