Changelog for selinux-policy-3.7.19-279.el6_7.4.noarch.rpm:
Tue Aug 4 14:00:00 2015 Miroslav Grepl 3.7.19-279.el6_7.4 - Allow nsswitch domain to search samba pid dirs to allow to connect to nmbd_t Resolves:#1248520
Mon Aug 3 14:00:00 2015 Miroslav Grepl 3.7.19-279.el6_7.3 - Add default labeling for /var/run/samba/nmbd Resolves:#1248520
Thu Jul 30 14:00:00 2015 Miroslav Grepl 3.7.19-279.el6_7.2 - Allow nmbd to create pids files/dirs under /var/run/samba with correct labeling. Resolves:#1248520
Thu Jul 30 14:00:00 2015 Miroslav Grepl 3.7.19-279.el6_7.1 - Backport gluster fixes from RHEL7 - execute showmount in own domain Resolves:#1248520 - execute nsfd in own domain - allow gluster to connect to all ports - Add support for /usr/sbin/ctdbd_wrapper. - nrpe needs kill capability to make gluster moniterd nodes working.
Tue Jun 23 14:00:00 2015 Miroslav Grepl 3.7.19-278 - Allow logrotate get attributes of all unallocated tty device nodes. - Add logging_syslogd_run_nagios_plugins boolean for rsyslog to allow transition to nagios unconfined plugins. - Allow glusterd to connect to init. Resolves:#1230371 - Allow gluster do dbus chat with domain running as initrc_t.
Wed Jun 17 14:00:00 2015 Miroslav Grepl 3.7.19-277 - Allow glusterd to interact with gluster tools running in a user domain Resolves:#1229605
Wed Jun 17 14:00:00 2015 Miroslav Grepl 3.7.19-276 - Allow gluster to manage own log files. - S30samba-start gluster hooks wants to search audit logs. Dontaudit it. - Label gluster python hooks also as bin_t. - Allow samba_t net_admin capability to make CIFS mount working. Resolves:#1229605 - Allow ssh_keygen_t to manage keys located in /var/lib/gluster.
Fri Jun 12 14:00:00 2015 Miroslav Grepl 3.7.19-275 - Allow glusterd to have transition to insmod. - Allow glusterd to use geo-replication gluster tool. - Remove gluster from permissive domains. Resolves:#1229605
Mon Jun 8 14:00:00 2015 Miroslav Grepl 3.7.19-275 - Allow glusterd to have mknod capability. It creates a special file using mknod in a brick. - Update rules related to glusterd_brick_t. - Allow glusterd to execute lvm tools in the lvm_t target domain. - Allow glusterd to execute xfs_growfs in the target domain. - Add support for /usr/sbin/xfs_growfs. - Allow glusterd to create samba config files if it is started by service script and running with unconfined_u. Resolves:#1228109 - Fix description for ftpd_use_passive_mode boolean.
Sat Jun 6 14:00:00 2015 Miroslav Grepl 3.7.19-274 - Don't ship pam_selinux to avoid a conflict with pam package Resolves:#1220691
Thu Jun 4 14:00:00 2015 Miroslav Grepl 3.7.19-273 - Fix redis_stream_connect interface. Resolves:#1220691 - Allow kadmind to bind to kprop port. - Add new man pages for bacula
Wed Jun 3 14:00:00 2015 Miroslav Grepl 3.7.19-272 - Allow hypervkvp to read default SELinux contexts. - Allow hypervkvp to write to /etc directories. - Update all man pages for RHEL6.7 SELinux domains/roles using the latest sepolicy-manpage from RHEL7. - Fix labeling for /var/lib/graphite-web - Allow kpropd to connect to tcp/754 port. Resolves:#1220691 - Allow php-fpm write access to /var/run/redis/redis.sock - Update fs_rw_inherited_nfs_files() to allow search auto mountpoints. - Dontaudit rpm leaks for prelink_mask_t. - Allow sysctl to have running under hypervkvp_t domain.
Wed May 27 14:00:00 2015 Miroslav Grepl 3.7.19-271 - Remove ctdbd_manage_var_files() interface which is not used and is declared for the wrong type. Resolves:#1221929
Tue May 26 14:00:00 2015 Miroslav Grepl 3.7.19-270 - Update policy rules for afs_fserver_t to allow connectto on unix_stream_socket instead of afs_t. - Allow smbd to access /var/lib/ctdb/persistent/secrets.tdb.0. - Allow glusterd to execute consoletype. - Glusterd wants to manage samba config files if they are setup together. Resolves:#1221929
Mon May 25 14:00:00 2015 Miroslav Grepl 3.7.19-269 - Fix labeling for /var/tmp/kiprop_0 to kadmind_tmp_t. - Allow postdrop running as postfix_postdrop_t to access /var/spool/postfix/public/pickup socket. - Allow gluster hooks scripts to transition to ctdbd_t. - Update policy rules for afs_fserver_t to allow connectto on unix_stream_socket. - Allow gluster transition to smbd_t also using samba init script. Resolves:#1221929
Wed May 20 14:00:00 2015 Miroslav Grepl 3.7.19-268 - Add labeling for /var/run/ctdb and allow samba domains to connect to ctdbd. Resolves:#1221929 - Allow glusterd to read/write samba config files. - Update mysqld rules related to mysqld log files. - Add fixes for hypervkvp related to ifdown/ifup scripts. - Update netlink_route_socket for ptp4l. - Allow sosreport to dbus chat with NM. - Allow glusterd to connect to /var/run/dbus/system_bus_socket. - Allow glusterd to have sys_ptrace capability. Needed by gluster+samba configuration. - Add new boolean samba_load_libgfapi to allow smbd load libgfapi from gluster. Allow smbd to read gluster config files by default. - Allow gluster to transition to smbd. It is needed for smbd+gluster configuration. - Allow glusterd to read /dev/random. - Label all gluster hooks in /var/lib/gluster as bin_t. They are not created on the fly. - Update nagios_run_sudo boolean to allow run chkpwd. - Add labeling for /usr/sbin/kpropd. - Add nagios_run_sudo boolean - Allow ctdb to create rawip socket.
Wed May 13 14:00:00 2015 Miroslav Grepl 3.7.19-267 - Allow ctdb to create rawip socket. - Allow nmbd_t to create nmbd_var_run_t dir under smbd_var_run_t. - Make ctdbd as userdom_home_reader. - Allow ctdbd to bind smbd port. Resolves:#1219317
Tue May 12 14:00:00 2015 Miroslav Grepl 3.7.19-266 - Add audit_access permissions - Allow cupsd_t access to files in /etc dir - Allow hplip to dbus chat with all users. - Allow sblim-gathered sys_ptrace capability. - Allow sys_admin capability for gfs_controld - Add more cobbler labels to /var/lib/tftpboot/ - Add new smbd_tmpfs_t type. - Add more fixes related to timemaster+ntp+ptp4l. - Fix cgdcbxd_admin() interface. - Add labeling for /var/tmp/kadmin_0 and /var/tmp/kiprop_0. - Dontaudit read access on admin_home_t for load_policy.
Tue Apr 14 14:00:00 2015 Miroslav Grepl 3.7.19-265 - Allow redis to create /var/run/redis/redis.sock - Allow fence_mpathpersist to run mpathpersist which requires sys_admin capability. Resolves:#1206244 - Allow rhn_check running as rpm to domtrans to shutdown domain - openshift_cache_t does exist
Fri Apr 10 14:00:00 2015 Miroslav Grepl 3.7.19-264 - Allow qpidd to read own init script file. - Allow passenger to accept connection - Back port hypervkvp fixes from RHEL7 - Allow load_policy to list inotifyfs filesystem - Allow cluster domain to execute ldconfig and update lvm_read_config() interface - Allow sssd_t to connect to samba TCP port - Allow NetworkManager to run arping Resolves:#1209854 - Backport RHEL7 redis policy - Add apache log and lib labels for roundcubemail
Fri Apr 3 14:00:00 2015 Miroslav Grepl 3.7.19-263 - Allow userdomain to manage pcscd pid fifo files. - Allow prelink domain access to /dev/console Resolves:#1145662 - Allow httpd search access on tomcat6 directory - Allow apcupsd to get attributes of filesystems with xattrs - Allow qemu-ga getattr access of all filesystems - Allow abrt to read network state information - Make collectd_t as unconfined domain. - Make rpcbind as nsswitch domain. - Back port labeling for /etc/my.cnf.d dir. - Allow dhcpd kill capability. - Allow cachefilesd to create cachefilesd_var_t - cvs_home backport from RHEL7. - Add support for new fence agent fence_mpath which is executed by fence_node - Allow lsmd plugin to run with configured SSSD. - Allow bacula access to tape devices - Allow sblim-sfcb setuid. - Allow sblim domain to read sysctls. - Allow ntp to read localtime and allow timemaster send a signal to ntpd. - Add cobblerd_t fixes - Allow mysqld_t to use pam - Dontaudit xguest_t communication with avahi_t via dbus - Allow cobblerd_t to communicate with sssd - Allow pmwebd to send and receive messages from avahi over dbus - Allow conman_t to communicate with sssd - Allow mysqld_t to send audit messages - Allow load_policy rw access to inherited sssd pipes - Update label for /etc/mcelog/. * files - Allow bacula_t to connect to psql via tcp/unix socket - Remove type to only match directories on /boot - Add more labels for ownCloud - Dontaudit net_admin capability for munin
Wed Mar 4 13:00:00 2015 Miroslav Grepl 3.7.19-262 - Allow lsmd_t getattr all exec. Resolves:#1141719 - Update afs policy Resolves:#1136396 - Add support for /usr/sbin/named-sdb. - Add support for mongos service. - Allow cyrus to use tcp/2005 port. - More service wants to auth_use_nsswitch. - Allow apps that need to read sysctl_vm_overcommit_t be able to read it. - Update passenger rules from RHEL7. - Allow smartd to manage generic devices if they are created with wrong label. - Allow sblim-sfcb to execute itself.
Tue Mar 3 13:00:00 2015 Miroslav Grepl 3.7.19-261 - Allow sys_ptrace and dac_override caps for collectd. - Add labeling for /etc/rc\.d/init\.d/htcacheclean. - Allow /usr/sbin/sfcbd to send audit msgs. - Allow postdrop to connect to master process over unix stream socket. - Allow ssh_t to connect to all unreserved ports. - Allow setfiles domain to access files with admin_home_t. semanage -i /root/testfile. - Don't relabel files under /dev/shm/ - Allow munin_disk_plugin_t getattr access on blk_file - Allow xauth_t and sshd_t to search automount_tmp_t if use_nfs_home_dirs boolean. - Add support for keepalived unconfined scripts and allow keepalived to read all domain state and kill capability. - Allow antivirus domains to read all dirs/files regardless of their MCS category set. - Add labeling for mariadb log/pid files/dirs. - Allow rsyslogd to read /proc/sys/vm/overcommit_memory file. - Allow slapd to read /usr/share/cracklib/pw_dict.hwm. - Remove ftpd_use_passive_mode boolean. It does not make sense due to ephemeral port handling. - Add support for /usr/libexec/sssd/selinux_child and create sssd_selinux_manager_t domain for it. - Allow qpidd to read network state and sysctls dirs Resolves:#1171275 - Add labeling for /var/bacula directory. - mcelog runs as a daemon domain - Allow shutdown to r/w inherited rhev-agentd pipes. - Allow sshd to send signull itself. - Add the 'base_ro_file_type' and 'base_file_type' attributes to RHEL6. - Allow prelink_mask_t getattr on filesystems that support xattrs - Allow radius to connect to apache ports to do OCSP check. - remove transition from unconfined user to auditctl. - Backport RHEL7 sblim-sfcb fixes. - Add bacula fixes related to unconfined scripts based on ssekidde@redhat.com patch. - Allow zebra to communicate with sssd - Add interfaces fixes. - Added some optional blogs from timemaster policy to chronyd.
- Added linuxptp policy - Add interface to read mysql db link files - Added cinder policy - Make munin yum plugin as unconfined by default. - Allow bitlbee connections to the system DBUS. - Allow hv_vss_daemon to call ioctl(FIFREEZE) on /boot. - Add rsync_server boolean to don't have a transition from initrc by default. - Dontaudit to r/w inherited pipes from httpd because of certmonger unconfined scripts. - Backport all capabilities for cvs from RHEL7. - Allow dccproc to execute bash. - Fix labeling for /usr/libexec/nm-dispatcher.action. - Allow logrotate to manage virt_cache. - Allow osad to execute rhn_check. - Make osad_t as unconfined domain. - Allow osad connect to jabber client port. - Allow rhev-agentd to access /dev/.udev/db/block:sr0.
Wed Sep 17 14:00:00 2014 Miroslav Grepl 3.7.19-260 - Add virt_getattr_images and call it for sblim_sfcbd_t. - We also need to call virt_search_images for sblim. Resolves:#1140614
Wed Sep 17 14:00:00 2014 Miroslav Grepl 3.7.19-259 - Add missing nagios_var_lib_t definition Resolves:#1103674
Wed Sep 17 14:00:00 2014 Miroslav Grepl 3.7.19-258 - Allow unlink lib_t located in /tmp for prelink_mask_t. Resolves:#1103674 - Add support for pnp4nagios - Allow mysql to read all domain state - Allow sblim_sfcbd_t to search virt images - Revert "Remove shadow_t label from /etc/security/opasswd "
Tue Sep 16 14:00:00 2014 Miroslav Grepl 3.7.19-257 - Add fixes for sblim_sfcbd to make libvirt-cim working. - Allow keepalived stream connect to snmpd - Allow local_login_t and xdm_t to manage etc_t if authlogin_can_shadow boolean. - Allow prelink_transition_domain to send signal to prelink_mask_t. Resolves:#1103674
Fri Sep 12 14:00:00 2014 Miroslav Grepl 3.7.19-256 - Allow sosreport to domtrans to prelink_t instead of prelink_mask_t. Resolves:#1103674
Thu Sep 11 14:00:00 2014 Miroslav Grepl 3.7.19-255 - Allow couriertcpd to read /var/spool/courier dir. - Allow prelink domain to read /dev/mem. - Allow transition to prelink_t instead of prelink_mask_t to ABRT domains/rpm. Resolves:#1103674
Fri Sep 5 14:00:00 2014 Miroslav Grepl 3.7.19-254 - Dontaudit to read/write all dev nodes for prelink_mask_t. - Add label for path /var/lib/ctdb - Allow escd access to /var/run/pcscd.events directory Resolves:#1103674
Tue Sep 2 14:00:00 2014 Miroslav Grepl 3.7.19-253 - Add additional dontaudits for prelink_mask_t Resolves:#1103674 - Allow local_login_t and xdm_t to manage shadow_t because of PAM
Tue Aug 26 14:00:00 2014 Miroslav Grepl 3.7.19-252 - Allow aide_t to read /dev/random and /dev/urandom. - Allow sysadm to talk with lldpad over unix dgram socket. - Allow sysadm to send/recv with unix dgram socket. - Allow crond_t to read lastlog. - Allow xdm_t to read plymouthd_spool_t files Resolves:#1131195 - Allow hald to rpm dbus chat - Additional dontaudits for prelink_mask_t. - Add samba_domain attribute also for smbcontrol_t and winbind_helper_t.
Wed Aug 20 14:00:00 2014 Miroslav Grepl 3.7.19-251 - Allow tgtd service to read kernel network state Resolves: 1130040 - Allow mail-servers policies to read pcp libs Resolves: 1130934 - Allow passwd_t to read/write stream sockets Resolves: #1129296 - Add support for zabbix external scripts for which zabbix_script_t domain has been created. This domain is unconfined by default and user needs to run 'semodule -d unconfined' to make system running without unconfined domains. - Dontaudit zebra to read getattr for all files and dirs Resolves: 1122031 - Allow zebra to read /dev/urandom Resolves: #1122031 - Label /var/lib/asterisk/agi-bin as bin_t - Added to lldpad policy sys_resource cap. and allow read localization Resolves:1021984 - Fix path to luci(/usr/sbin/luci) Resolves:1023202 - Add auth_can_read_shadow_passwords for rlogind. - Add authlogin_shadow boolean for all login domains. - Dontaudit rw all non security leaks.
Fri Aug 8 14:00:00 2014 Miroslav Grepl 3.7.19-250 - Dontaudit read/write/setattr all pipes for prelink domains on all domains Resolves:#1103674 - Allow chroot_user_t to change the role. - Add sys_time caps for virt_qemu_ga_t - Add label for /usr/sbin/luci
Thu Aug 7 14:00:00 2014 Miroslav Grepl 3.7.19-249 - Add support for luci. - Add support for rhsmd and treat it with rhsmcertd_t. - Make zabbix_agent_t as unconfined domain for rhel6.6. - Allow chroot_user_t to change process identity. Resolves:#1082183 - Revert "Remove shadow_t label from /etc/security/opasswd - Dontaudit relabel lib_t files for prelink_mask_t.
Tue Aug 5 14:00:00 2014 Miroslav Grepl 3.7.19-248 - Allow openshift_cron_t to append to openshift log files, label /var/log/openshift Resolves: #1034206 - Do not send/receive packets when ftpd_use_passive_mode is disabled Resolves: #1105544 - Allow qemu-ga domtrans to hwclock Resolves: #1062384 - Allow sshd read access to files on ftp directory Resolves: #1097387 - dontaudit r/w inherited certs for prelink_mask_t. - Allow sblim_gatherd_t to search all mountpoints. This is caused by ps. Should not be needed in Fedora. - Fix labeling in dhcpc.fc. - Add labels also for glusterd sockets.
Tue Jul 29 14:00:00 2014 Miroslav Grepl 3.7.19-247 - Add all login domain auth_can_read_shadow_passwords attribute. - Added support for dhcrelay service Resolves: #1123338 - We need to call auth_tunable_read_shadow in auth_shadow boolean. - Move authlogin_shadow to authlogin.if. - Add filetrans also for bacula log files. - Dontaudit kdumpgui to read openshift_initrc_exec_t Resolves: #1023336 - Allow squid to manage squid_var_run_t sock_file Resolves: #1102346 - Allow bacula manage bacula_log_t dirs Resolves: #1122545 - Added sys_ptrace cap. to stapserver_t Resolves: #811366 - Label also /var/run/glusterd.socket file as glusterd_var_run_t Resolves: #1052206 - Added support for collectd daemon Resolves: #1024715 - Label conmans pid file as conman_var_run_t, Resolves: #1122106 - Fix authlogin_shadow boolean to have it for all login_pgm domains - Dontaudit r/w inherited all log files for prelink_mask_t - Label zabbix_var_lib_t directories Resolves: #1053205 - Allow all sblim domain to read localization data Resolves:#1122022
Mon Jul 21 14:00:00 2014 Miroslav Grepl 3.7.19-246 - Add boolean to allow user login programs access to /etc/shadow - Use old icecast_connect_any boolean name and dontaudit list /tmp with tmp_t labeling - Remove unused interface rtas_errd_systemctl Resolves:#1121169 - Allow prelink_mask to use user terminals and dontaudit relabel tmpfiles. - Dontaudit r/w inherited lockfiles/tmpfiles for prelink_mask_t. - Allow prelink_mask to append all log files.
Fri Jul 18 14:00:00 2014 Miroslav Grepl 3.7.19-245 - Allow setpgid for all sandbox domains. - Allow sandbox domains read all mountpoint symlinks to make symlinked homedirs working with sandbox. - One more fix for osad.te - Back port osad changes from RHEL7. - Rename svirt_lxc_file_t to svirt_sandbox_file_t. - Label nginx init script as httpd_initrc_exec_t Resolves:#1045041 - Allow postfix_smtpd to stream connect to antivirus Resolves:#1105889 - Label init thttpd file as httpd_initrc_exec_t Resolves:#1069843 - Allow httpd to setattr on httpd_log files Resolves:#1111581 - Add tomcat - Allow zabbix to read system network state - Allow ndc to read random and urandom device Resolves:#1110397 - Add kerberos support for radiusd. - Allow procmail to ioctl on zarafa-deliver executable.
Mon Jul 14 14:00:00 2014 Miroslav Grepl 3.7.19-244 - Add support for vdsm Resolves:#1064270 - Allow userdomain role to access prelink_mask_t - Rename module glusterfs to glusterd Resolves:#1052206 - Allow gfs_controld_t to getattr on all file systems Resolves:#1110886 - Allow apache to manage pid sock files Resolves:#1042864 - Bind TCP/UDP sockets to the nfs port - The /var/run/tuned directory is not a regular file Resolves:#1117685 - Allow utilize winbind for authentication to AD. Resolves:#1084177 - Dont audit access on /etc/init.d/mcollective for kdump_t - Fix labeling in networkmanager.fc - Allow passenger to connect to MySQL - Allow passenger to read locales - Dontaudit relabelfrom/relabelto for all variablefiles for prelink_map_t - Change all var_lib_t types to have also variablestatefile attribute - Implement new prelink_mask_t domain to which transition all domain by default (using fips_mode boolean) except prelink_transition domains.
Thu Jul 10 14:00:00 2014 Miroslav Grepl 3.7.19-243 - Implement new prelink_mask_t domain to which transition all domain by default (using fips_mode boolean) except prelink_transition domains.
Tue Jul 8 14:00:00 2014 Miroslav Grepl 3.7.19-242 - Added support for glance-scrubber Resolves:#1113271 - Fix labeling for /var/lib/dokuwiki
Tue Jul 8 14:00:00 2014 Miroslav Grepl 3.7.19-241 - Remove deny_ptrace from interfaces - Add setpgid process to mip6d_t - Added support for hv_vss_daemon - Allow keepalived also managed snmp lib dirs - Allow chroot_user_t unconfined shell domtrans Resolves:#1082183 - Label swift-object-expirer as swift_exec_t - Allow keepalived manage snmp files, dontaudit list tmp files Resolves:#1053450 - Additional fix for calling postfix interfaces in sysadm.te to make postfix_admin() working
Fri Jul 4 14:00:00 2014 Miroslav Grepl 3.7.19-240 - Allow nagios to stream connect to postgresqlBZ #1015708 Resolves:#1015708 - Allow hypervkvp read localization - Fix postfix_admin() - Add lldpad policy for MLS
Fri Jul 4 14:00:00 2014 Miroslav Grepl 3.7.19-239 - Fixed lsmd_plugin_t Resolves:#1111619 - Added glusterd_conf_t alias glusterd_etc_t - Allow samba to touch/manage fifo_files or sock_files in a samba_share_t directory Resolves:#982160 - Label zabbix-proxy files Resolves:#1018211 - allow sshd to write to all process levels in order to change passwd when running at a level Resolves:#837616 - Allow updpwd_t to downgrade /etc/passwd file to s0, if it is not running with this range Resolves:#837616 - Rename quantum port to neutron Resolves:#1024927 - Added zarafa_read_lib_files interface - Added dont audit list non security files in xdm_t Resolves:#1030760 - Added more fixes relates to Resolves:#1060656 - Added dontaudit rules to xdm_t Resolves:#1030760 - Allow procmail to run zarafa-degent Resolves:#1060656 - Add userdom_user_application_domain in xauth Resolves:#1013832 - Allow dmesg read raw memory Resolves:#1030762 - Allow communication between postfix and cyrus Resolves:#1057307
Wed Jul 2 14:00:00 2014 Miroslav Grepl 3.7.19-238 - Allow domain to read an append inherited tmp files - Dontaudit leaks of var_t into ifconfig_t - Allow fsdaemon_t to read/write device_t char files Resolves:#1035363 - Remove sblim_filetrans_named_content in RHEL6 - We don't have systemd in RHEL6. - one more fix for bacula_admin() - fix bacula_run_admin() - Remove shadow_t label from /etc/security/opasswd - Fix logrotate_use_nfs boolean - Allow userdom to read inherited users files in /tmp - Allow certmonger_t read puppet libs - Allow in logging_inherit_append_all_logs also ioctl and append - Label pacemaker_remoted as cluster_exec_t - Tag some conman exec files - Allow conman to read localization - Should use rw_socket_perms rather than sock_file on a unix_stream_socket - Added conman fixes - Allow apache to manage passenger sock_files - Allow bacula to bind on 9103 tcp port - Allow postfix stream connect to antivirus - Allow osad to read localization
Tue Jun 24 14:00:00 2014 Miroslav Grepl 3.7.19-237 - Fixes for mirrormanager - Fix swift interface - Allow lsmd_plugin_t to read localization - Allow keepalived read snmp libs, Allow keepalived connect to agentx port - Allow keepalived read localization - Added setuid capability to lsm service - Added some swift rules to rsync policy - Remove duplicate line entry in .fc - Do not send/receive packets when ftpd_use_passive_mode is disabled - Add mirrormanager policy to RHEL6 Fixes Bug 1042864 - Update permissivedomains by mirrormanager - Add mirrormanager policy - Added support for openwsmand - Added policy for swift - Added support for sblim - label also 64bit heartbeat libs - Allow kill capability on varnish - Added haveged policy - Add missing kernel_rw_stream_socket_perms - Label tcp/udp port no. 3052 as apc, Allow apcups to bind on apc port - Allow logwatch stream connect to courier service - Fix mcelog policy - Back port rsyslog fixes from RHEL7 for rsyslog7 - Fix whitespace - Add support for osad - Fix automount policy - Added policy for bacula - add radvd_read_pid_files interface - Add missing syslog-conn port - Allow httpd_t write to kernel keyring - Allow httpd_sys_script_t domain to send system log messages - Allow passwd_t to write to ipa trusted user files in /tmp - Boolean to allow mcelog use all the user ttys - Allow icecast to use any tcp ports - Define oracleasm_t as a device node - Allow sudomain to getattr of kernel interface - Add squid directory in /var/run - Allow automount read nfs symlinks - Allow asterisk to connect to the apache ports - allow abrt to read mcelog log file - allow udev to search radvd files under the /run dir - allow auditctl getattr access on blk_file Resolves:#1080555 - Allow ssh to manage nfs links
Wed Apr 23 14:00:00 2014 Miroslav Grepl 3.7.19-236 - Added conman policy - Added label for conman port - Added support for mip6d policy - Added support for isns - Added rtas_errd policy - Added support for keepalived policy - Add label samba_spool_t for /var/spool/samba - Allow httpd_t to bind preupgrade port if httpd_run_preupgrade boolean is enabled - Allow openshift_cron_t to append to openshift log files - dontaudit sudo domains listing /dev - Allow read/write to login records - Allow auditctl getattr access on blk_file - Allow nova-scheduler to read utmp - Added stapserver policy - Added support for freeipmi services - Added lsm policy - Added support for pcp service - Added chown capability to dhcpd_t domain - Add boolean to allow openshift domains nfs access - Allow abrt to read man pages and getcap - Allow cgroupdrulesengd to create content in cgroups directories - Dontaudit smbd_t sending out random signuls - Backport all zabbix changes - Allow mcelog write access to nscd socket
Thu Apr 17 14:00:00 2014 Miroslav Grepl 3.7.19-235 - Add support for nginx Resolves:#1045041 - Change shutdown_t to also read wtmp - Added support for hypervkvpd - Add preupgrade policy
Mon Mar 31 14:00:00 2014 Miroslav Grepl 3.7.19-234 - Add httpd_dbus_sssd boolean to make mod_lookup_identit working - Add support for ABRT FAF
Fri Mar 21 13:00:00 2014 Miroslav Grepl 3.7.19-233 - Add support for OpenShift syslog plugin - Allow snmpd to getattr on removeable and fixed disks - Add shmemnetgrp and getnetgrp to access_vectors Resolves:#1025758
Fri Dec 13 13:00:00 2013 Miroslav Grepl 3.7.19-232 - Add more fixes for zabbix-agent - Fix neutron labeling - Allow all domains to read sysfs_t due to glibc change - Allow ping to read inherited zabbix tmp files Resolves:#1039851 - Allow hostname to read/write inherited rpm script files
Tue Oct 29 13:00:00 2013 Miroslav Grepl 3.7.19-231 - Add named_cache_t label for /var/lib/unbound - Fix puppet_domtrans_master() interface to make passenger working correctly if it wants to read puppet config files - Allow antivirus domains to manage own log dirs
Tue Oct 29 13:00:00 2013 Miroslav Grepl 3.7.19-230 - Add missing transition from dovecot-auth to oddjob_mkhomedir
Thu Oct 24 14:00:00 2013 Miroslav Grepl 3.7.19-229 - Add bootloader_exec_t labeling for /sbin/grubby Resolves:#915729 - Add etc_runtime_t label for zipl.conf - Allow daemons to manage cluster lib files if daemons_enable_cluster_mode is enabled
Wed Oct 23 14:00:00 2013 Miroslav Grepl 3.7.19-228 - Add daemons_enable_cluster_mode boolean and turn on it by default until RHEL6.6 Resolves:#915151 - Add tcp/8893 as milter port - Allow antivirus domain to read localization without the boolean
Tue Oct 22 14:00:00 2013 Miroslav Grepl 3.7.19-227 - Resource agents needs to manage /etc/cluster to place own config files Resolves:#915151 - tgtd needs ipc_lock
Mon Oct 21 14:00:00 2013 Miroslav Grepl 3.7.19-226 - Label /usr/sbin/fence_scsi as fenced_exec_t - Fix cluster domains to create dirs in /var/run/cluster as var_run_t to make resource scripts working Resolves:#915151
Tue Oct 15 14:00:00 2013 Miroslav Grepl 3.7.19-225 - Re-write rules to create tmpfs for all piranha tmpfs files/dirs - Allow piranha-lvs to manage piranha_tmpfs_t Resolves:#1018306
Tue Oct 15 14:00:00 2013 Miroslav Grepl 3.7.19-224 - Allow piranha_pulse_t to create tmpfs and send sigkill to piranha domains
Tue Oct 15 14:00:00 2013 Miroslav Grepl 3.7.19-223 - Fix dovecot_rw_pipes() interface - Allow piranha_pulse_t to search tmpfs - Allow sysadm to stream connect to postfix-master process - Label /usr/sbin/fence_sanlockd as fenced_exec_t
Wed Oct 9 14:00:00 2013 Miroslav Grepl 3.7.19-222 - Add kdumpgui_run_bootloader to allow execute zipl correctly
Wed Oct 9 14:00:00 2013 Miroslav Grepl 3.7.19-221 - Fix /var/run/charon labeling - More fix for strongswan and ipsec.secrets - Allow sandbox domain to use inherited user terminals
Tue Oct 8 14:00:00 2013 Miroslav Grepl 3.7.19-220 - Allow cobblerd to stream connect to MySQL - Allow cobblerd to execute ldconfig - Allow openstack-glance to access to amqp - Add labeling for /var/run/charon. * - Make munin "df" plugins working Resolves:#908095
Wed Oct 2 14:00:00 2013 Miroslav Grepl 3.7.19-219 - Update httpd_can_sendmail boolean to allow read/write postfix spool maildrop - Allow tzdate to unlink etc_t lnk files - Allow jabberd to connect to jabber_interserver port - Fix description for logging_syslog_can_read_tmp boolean - Update ipsec rules and labels Resolves:#986883 - Allow pegasus transition to mount_t
Fri Sep 27 14:00:00 2013 Miroslav Grepl 3.7.19-218 - Add support for /var/log/qemu-ga directory - Regenerate man pages for domains Resolves:#880728 - Allow setgid capability for ipsec_t - Allow ipsec to send signull to itself - Add tcp/9000 as http_port_t - Allow dirsrv_t to create tmpfs_t directories - Fix git_role() interface
Fri Sep 20 14:00:00 2013 Miroslav Grepl 3.7.19-217 - Fix virtd_lxc_t to be able to communicate with hal - Allow NM and wireless working together Resolves:#1009661 - Allow my_print_default to read /dev/urand
Fri Sep 13 14:00:00 2013 Miroslav Grepl 3.7.19-216 - Remove transition from virtd_t to qemu_t to stay in virtd_t if selinux_driver is None in qemu.conf - Allow openshift_cron_t to run ssh-keygen in ssh_keygen_t to access host keys
Wed Sep 11 14:00:00 2013 Miroslav Grepl 3.7.19-215 - Add port definition of pka_ca to port 829 for openshift - Rename quantum to neutron - Allow rpcd to request the kernel to load a module - Allow ovsdb-server to create dirs/files in /tmp directory
Fri Sep 6 14:00:00 2013 Miroslav Grepl 3.7.19-214 - Allow git daemons to read localization - Allow tgtd_t to connect to isns ports Resolves:#1003571 - Cleanup antivirus policy and add additional fixes - Fix labeling for munin CGI scripts - Allow virtd_t also relabel unix stream sockets for virt_image_type - Fix fs_search_auto_mountpoints to allow search automount tmp dirs Resolves:#990661
Tue Aug 27 14:00:00 2013 Miroslav Grepl 3.7.19-213 - Add openhpid policy Resolves:#1000521 - Fix rhcs_domain_template to allow cluster_t to create socket in /var/run with correct labeling
Fri Aug 23 14:00:00 2013 Miroslav Grepl 3.7.19-212 - Update rules for antivirus domains Resolves:#999471 - Allow virt_domain to read virt_var_run_t symlinks - Allow chroot_user_t to read/write inherited user domain pty - Allow to start guest while the libvirtd is started with valgrind - Allow lldpad to talk with fcoemon - Allow chronyd sched_setscheduler
Thu Aug 8 14:00:00 2013 Miroslav Grepl 3.7.19-211 - Fix spec file - Fix zabbix labeling
Tue Aug 6 14:00:00 2013 Miroslav Grepl 3.7.19-210 - Allow nrpe to list /var - Allow apache to search automount tmp dirs if http_use_nfs is enabled - Add support for strongswan - Fix description of ftpd_use_fusefs boolean - Allow kdumpgui to write dos files for /boot/efi/EFI/fedora/grub.cfg - Back port tgtd fixes from Fedora to allow sys_rawio cap - Add support for OpenDMARCD Resolves:#983551 - Allow openvpn to run unconfined scripts - Allow amavis to execute shell Resolves:#979421 - man pages should be owned only by selinux-policy-doc package - Fix fs_manage_nfs_files and fs_manage_nfs_dirs boolean to allow to search autofs - Allow mysqld-safe sys_nice/sys_resource caps Resolves:#975921 - Add labeling for /boot/etc/yaboot.conf Resolves:#973156 - /var/log/syslog-ng should be labeled var_log_t - Back port munin-cgi fixes - Fix ftp_home_dir boolean - Allow kdump to read kcore on MLS system - Add support for svn ports - Add labels for /dev/ptp * - Add labels for /etc/security/opasswd - Fix labeling for /etc/localtime lnk file - Add tftp booleans for NFS/CIFS access - Merge amavis,clamd,clamscan,freshclam policies to antivirus policy - Label all nagios plugins as nagios_unconfined_plugin_exec_t by default - Add additional ports as mongod_port_t - Allow sandbox domains to use inherited terminals - Allow pegasus to execute mount in pegasus_t domain - Fix *_admin interfaces and interface descriptions - Allow yppasswdd to use NIS - Allow nagios to manage nagios spool files - Allow ABRT to domtrans to prelink Resolves:#921234 - Fix labeling for /var/lib/dspam/ Resolves:#919456 - Label postfix-policyd-spf-perl as bin_t - Allow nrpe to run sudo - Label /usr/bin/yum-builddep as rpm_exec_t - Label /usr/local/bin/x11vnc as xserver_exec_t - Allow logwatch to domtrans to mdadm - Allow postfix-master to list /tmp dir - Add lldpad policy and make it as unconfined domain - Allow sysadm to admin postfix - Allow postfix_virtual to stream connect to mysql - Update zabbix policy - Activate watchdog policy and make it as unconfined - Add httpd_serve_cobbler_files boolean - Make postfix_postdrop_t as mta_agent to allow domtrans to system mail if it is executed by apache - Add oracleasm policy - Add support for pand - Add awstats_purge_apache_log_files boolean - Back port smstools policy
Fri Jul 19 14:00:00 2013 Miroslav Grepl 3.7.19-209 - Remove old cluster policies also for MLS Resolves:#915151
Wed Jul 17 14:00:00 2013 Miroslav Grepl 3.7.19-208 - Merge cluster administrative domains to cluster_t. Back ported from Fedora Resolves:#915151 - Add additional rules for disk plugins - Allow setuid/setgid caps for syslogd_t - Dontaudit sendmail to write dovecot-deliver tmp files - Add support for /var/lib/openvpn - /var/spool/snmptt is a directory which snmpd needs to write to
Tue Jul 9 14:00:00 2013 Miroslav Grepl 3.7.19-207 - Make tcp/81 as http port - Add cert_t labeling for pki stuff Resolves:#959554
Tue Jun 25 14:00:00 2013 Miroslav Grepl 3.7.19-206 - Update openvswitch policy Resolves:#977415 - Add support for zfs
Wed Jun 12 14:00:00 2013 Miroslav Grepl 3.7.19-205 - Remove domtrans for quantum which needs to stay in the same domain - Allow qemu to manage nova lib files - Allow hald to read svirt images Resolves:#966106
Thu Jun 6 14:00:00 2013 Miroslav Grepl 3.7.19-204 - Allow iptables to read and write quantum inherited pipes - Allow iptables to send sigchld to quantum Resolves:#966106
Wed Jun 5 14:00:00 2013 Miroslav Grepl 3.7.19-203 - Allow dnsmasq to stream connect to quantum - Allow ifconfig domtrans to iptables and execute ldconfig Resolves:#966106 - Make openshift_initrc_t as initrc domain
Thu May 30 14:00:00 2013 Miroslav Grepl 3.7.19-202 - Make Quantum 2013.1.1 working with netns - Make SSHing into an Openshift Enterprise Node working
Thu May 23 14:00:00 2013 Miroslav Grepl 3.7.19-201 - Add virt_qemu_ga_unconfined_t for hook scripts
Tue May 21 14:00:00 2013 Miroslav Grepl 3.7.19-200 - Add virt_kill interface and use it for sanlock
Sun Apr 21 14:00:00 2013 Miroslav Grepl 3.7.19-199 - qemu-ga needs to execute scripts in /usr/libexec/qemu-ga - Allow openshift_cron_t to manage openshift_var_lib_t sym links - Allow dovecot-auth to execute bin_t - Allow mysqld-safe to execute bin_t - Allow procmail to manage user tmp files - Allow sanlock to kill svirt_t Resolves:#913673
Tue Apr 16 14:00:00 2013 Miroslav Grepl 3.7.19-198 - Allow dirsrv-admin script to exec apache modules - Add labeling for dirsrv-admin lock file - Add labeling for /var/lib/owncloud - Add labeling for /var/www/moodle Resolves:#913673
Thu Apr 4 14:00:00 2013 Miroslav Grepl 3.7.19-197 - Fix /etc/dhcp labeling - Back port openshift fixes - Make dirsrv-admin server restarted from console working - Add ftpd_use_fusefs boolean Resolves:#913673 - openshift_cron_t needs dac_override
Thu Mar 21 13:00:00 2013 Miroslav Grepl 3.7.19-196 - Backport openshift fixes - Allow cgred to use notify Resolves:#913673 - Allow mount to transition to gluster - Fix tuned policy to make it working with the latest tuned package
Tue Jan 22 13:00:00 2013 Miroslav Grepl 3.7.19-195 - Make matahari domains as unconfined - Allow nscd to connect to nmbd Resolves:#901565 - Allow setcap/getcap for syslogd
Wed Jan 16 13:00:00 2013 Miroslav Grepl 3.7.19-194 - qdiskd needs to read usr_t/bin_t files - Allow dspam to connect/bind to spamd ports - Allow munin services plugins to bind to generic node Resolves:#865759
Tue Jan 15 13:00:00 2013 Miroslav Grepl 3.7.19-193 - Fix ssh_sysadm_login boolean for MLS Resolves:#865759 - Allow rpm_script_t to dbus communicate with certmonger_t - More fixes for qemu-ga to make "guest-fsfreeze-freeze" working
Wed Jan 9 13:00:00 2013 Miroslav Grepl 3.7.19-192 - Label /usr/lib/yaboot/addnote as bin_t - Allow postfix_local to read/write /var/spool/postfix/active - Allow postfix domains to list /tmp - Allow wdmd to transition to kdump Resolves:#887793 - Add labeling for /var/named/chroot/etc/localtime
Fri Jan 4 13:00:00 2013 Miroslav Grepl 3.7.19-191 - Remove pam_selinux due to conflict - Add labeling for /etc/multipath - lvm_metadata_t Resolves:#880407 - Add additional gitolite3 labeling
Fri Jan 4 13:00:00 2013 Miroslav Grepl 3.7.19-190 - Allow virtd to setattr on virt image dirs in MLS Resolves:#885045 - Allow all postfix domains to connect to mysql stream - Call init_daemon_domain for rsync_t - Add labeling for /var/lib/pgsql/ssh - Allow certmonger to send signal to itself - Allow rsyslog to read user tmp files using logging_syslog_can_read_tmp boolean - Add support for 1228/tcp and 1228/udp ports and allow corosync to use them - Allow corosync to read wdmd tmpfs - Allow wdmd to execute consoletype - Update man pages using sepolicy from Fedora - Fix admin interfaces
Tue Dec 18 13:00:00 2012 Miroslav Grepl 3.7.19-189 - Allow virt_qemu_ga to execute shutdown - sssd needs to connect to kerberos password port if a user changes his password - More fixes for the dspam domain - Allow dovecot to execute bash - Additional fixes for passenger Resolves:#886619 - Add labeling for /var/run/checkquorum-timer
Tue Dec 18 13:00:00 2012 Miroslav Grepl 3.7.19-188 - Allow rpcd_t to read /var/run/utmp - Make glance domains as permissive instead of just glance_t - Allow kill capability for ftpd - Add labeling for prespawn helper script Resolves:#886619 - Allow winbind to stream connect to nmbd - Allow transition from virt domains to bridgehelper domain - Add support for watchdog script from sanlock - Add labeling for tmp-inst - Fix rhev policy - Update virt_qemu_ga policy - Backport wm_domain policy - Backport virtd_lxc_t and make it as unconfined domain
Wed Dec 12 13:00:00 2012 Miroslav Grepl 3.7.19-187 - Add missing labeling for /usr/share/ovirt-guest-agent/ovirt-guest-agent.py Resolves:#885432 - Add labeling for /var/nmbd - apache/drupal can run clamscan on uploaded content
Mon Dec 10 13:00:00 2012 Miroslav Grepl 3.7.19-186 - Allow virtd to manage dnsmasq pid files - Allow all samba domains to create samba directory in var_t directory - Dontaudit attempts by openshift to read apache logs - Add labeling for /usr/share/ovirt-guest-agent/ovirt-guest-agent.py Resolves:#885432
Wed Dec 5 13:00:00 2012 Miroslav Grepl 3.7.19-185 - Apache is sending signal to openshift_initrc_t now - Allow all directories/files in /var/log starting with passenger to be labeled passenger_log_t - Allow winbind to manage samba_var_t sock files - Allow git-daemon and httpd to serve the same dir Resolves:#883143 - Allow dac_override for nrpe
Mon Dec 3 13:00:00 2012 Miroslav Grepl 3.7.19-184 - Add support for tcp/10026 port as dspam_port_t - Allow dspam to connect/bind to dspam_port_t - Add uconfined_munin_plugin_exec_t for all plugins which are not covered by munin plugins policy - Allow domains that can read sssd_public_t files to also list the directory Resolves:#881413 - Allow programs to run in fips_mode using fips_mode boolean - Change oddjob to transition to a ranged openshift_initr_exec_t when run from oddjob - Allow sshd to look into the mysql home directory for authorized_keys - Make rsync as homemanager which allows to manage CIFS/NFS -
Tue Nov 27 13:00:00 2012 Miroslav Grepl 3.7.19-183 - Allow quota to manage openshift_var_lib_t directories Resolves:#843732
Tue Nov 27 13:00:00 2012 Miroslav Grepl 3.7.19-182 - Fix labeling for /var/named/chroot/usr/lib Resolves:#843732 - Allow amavis to stream connect to snmpd Resolves:#839250 - Additional fixes for log files related to logrotate - Allow all domains to read base etc_t file type - Allow logrotate to list root home directory - Fix labeling for /var/log/z-push - Allow cyrus init script to manage cyrus data files - Dontaudit leaks of locks or generic log files to system processes - Allow ricci-modrpm to send syslog msgs - Allow munin to have kill capability
Mon Nov 19 13:00:00 2012 Miroslav Grepl 3.7.19-181 - Allow kdumpgui to read/write to zipl.conf Resolves:#877108 - Add /proc/numactl support for confined users - Make proc_numa_t an MLS Trusted Object - Make ccs_tool and cman_tool labeled as rgmanager_exec_t - Fix cron_admin_role interface - Add support for opendkim
Wed Nov 14 13:00:00 2012 Miroslav Grepl 3.7.19-180 - Allow openshift domains to execute tmux - Allow wdmd to getattr on tmpfs_t Resolves:#831908 - Add labeling for /var/nmbd/unexpected - Allow winbind to create samba pid dir - Dontaudit write access on /var/lib/net-snmp/mib_indexes for syslogd - Fenced communicates with libvirt - Fix labeling for libflashplayer.so - Add labeling for /var/lib/zarafa-webapp - Allow dspam to read localization - Add labeling for Z-Push - Allow rpc.svcgssd to search nfsd_fs_t dirs - Allow cgred to read all sysctl
Mon Nov 5 13:00:00 2012 Miroslav Grepl 3.7.19-179 - Fix labeling for /var/lib/sss/mc Resolves:#871816
Thu Nov 1 13:00:00 2012 Miroslav Grepl 3.7.19-178 - Fix labeling for OpenShift binaries - Add samba_portmapper boolean and labeling for /var/run/samba Resolves:#871816 - Backport dspam policy
Wed Oct 31 13:00:00 2012 Miroslav Grepl 3.7.19-177 - Allow dnsmasq to manage virt run files Resolves:#843543 - Allow setroubleshootd to read /proc/irq - Backport fixes for virt_use_* booleans - Allow qemu-ga to use ttyS0 - Allow dhcpc to manage dhclient-eth0.pid labeled as virt_var_run_t
Tue Oct 30 13:00:00 2012 Miroslav Grepl 3.7.19-176 - Add unconfined munin plugin Resolves:#871106 - Add new httpd_verify_dns boolean
Tue Oct 23 14:00:00 2012 Miroslav Grepl 3.7.19-175 - Add initial openswitch policy. Domains are unconfined Resolves:#845417 - Add labeling for /usr/sbin/mcollectived - Allow openshift domains to read /dev/urandom
Fri Oct 19 14:00:00 2012 Miroslav Grepl 3.7.19-174 - openshift user domains wants to r/w ssh tcp sockets - Allow mount to relabelfrom unlabeled file systems - Additional fix for syslog/kerberos Resolves:#867001
Thu Oct 18 14:00:00 2012 Miroslav Grepl 3.7.19-173 - syslogd_t now support kerberos Resolves:#867001 - Fix openshift labeling for binaries - Allow passwd to read usr_t links/files - Add labeling for /var/lib/sss/mc
Mon Oct 15 14:00:00 2012 Miroslav Grepl 3.7.19-172 - Update httpd_runstickshift boolean - Remove transition from sysadm_t to fsadm_t Resolves:#852763 - Make vmware-host as unconfined domain - Allow all domains to read usr_t - Fix labeling for all log files
Sat Oct 13 14:00:00 2012 Miroslav Grepl 3.7.19-171 - Add labeling for /usr/bin/oo-admin-ctl-gears Resolves:#839831
Fri Oct 12 14:00:00 2012 Miroslav Grepl 3.7.19-170 - Fix passenger labeling to support lib64 paths. Needed by openshift Resolves:#839831
Thu Oct 11 14:00:00 2012 Miroslav Grepl 3.7.19-169 - Fix spec file to silent restorecon errors on files which do not exist - Fix passenger backport Resolves:#839831
Tue Oct 9 14:00:00 2012 Miroslav Grepl 3.7.19-168 - Add support for HTTPProxy* in /etc/freshclam.conf - pppd wants to read /usr/share/radiusclient-ng/dictionary - Add ssh_chroot_manage_apache_content and ssh_chroot_full_access booleans - snmp wants to also manage snmp dirs for amavisd-snmp support - Add labeling for virsh_fenced - Allow nmbd_t to create dirs with samba_var_t labeling - Add clamscan_can_scan_system boolean - Allow all domains to getattr on prelink_exec_t - Add postgresql_can_rsync boolean - Allow pulse to domain transition to iptables - Allow nslcd sys_nice capability - Allow corosync to connect to saphostctrl ports - Allow passwd to read generic /tmp dirs - Add policy for qemu-qa - Add new antivirus policy module for antivirus programs Resolves:#838260
Fri Oct 5 14:00:00 2012 Miroslav Grepl 3.7.19-167 - Allow postfix_local to search stickshift lib files - Dontaudit sys_ptrace cap for httpd if httpd_stickshift is on - Allow openshift domains change process identity - SELinux is reporting that openshift domains are trying to write into their proc directories Resolves:#855889
Wed Oct 3 14:00:00 2012 Miroslav Grepl 3.7.19-166 - More fixes for openshift and add support for openshift labeling instead of stickshift - /etc/selinux//logins should be owned by the policy package Resolves:#855889 - Add labeling for /var/tmp/DNS_25 - Allow postfix_local_t to execute files on nfs_t - Add fixes for kadmind - Add rhnsd policy
Tue Oct 2 14:00:00 2012 Miroslav Grepl 3.7.19-165 - Add httpd_run_stickshift boolean - Add labeling for /var/lib/stickshift/.httpd.d Resolves:#836241
Tue Oct 2 14:00:00 2012 Miroslav Grepl 3.7.19-164 - Add additional part of openshift patch Resolves:#836241
Mon Oct 1 14:00:00 2012 Miroslav Grepl 3.7.19-163 - Backport openshift policy - Allow dovecot_deliver_t to search /root/mail Resolves:#836241
Mon Sep 10 14:00:00 2012 Miroslav Grepl 3.7.19-162 - Add pkcslotd policy Resolves:#851483 - Allow cyrus-imapd init script to write cyrus data - Fix labeling for /dev/twa
Mon Sep 10 14:00:00 2012 Miroslav Grepl 3.7.19-161 - Fix labeling for /var/run/cachefilesd.pid Resolves:#851113
Fri Sep 7 14:00:00 2012 Miroslav Grepl 3.7.19-160 - Add named_bind_http_port boolean - Add port definition for 8953/tcp - spice-vdagent(d)'s are going to log over to syslog - Fix labeling for /usr/sbin/rpc.* binaries to label them as rpcd_exec_t - Add sensord policy - Allow oddjob_mkhomedir to write on nfs share - Add virt_bridgehelper policy - Allow clamd to write/delete own pid file with clamd_var_run_t label - Add support for wdmd tmpfs - Add initrc_domain attribute - Add bcfg2 policy - Modify ssh_chroot_rw_homedirs boolean to allow manage apache system r/w content if for /var/www as home - Add pacemaker policy - Allow snmpd to connect to corosync over unix stream socket - Allow crontab to read NFS - Add new type selinux_login_config_t for /etc/selinux/TYPE/logins directory and allow sssd to manage files in this directory Resolves:#843814 - Add labeling for /opt/sartest directory - Add initrc_domain attribute to allow domains to work as initrc_t domain - heartbeat should be running as rgmanager_t instead of corosync_t - Add glusterd policy - Add l2tpd policy - Add numad policy Resolves:#801493
Wed Aug 8 14:00:00 2012 Miroslav Grepl 3.7.19-159 - Allow munin_stats to read munin logs - Allow updpwd to write all MLS levels - Make piranha_web_t as nsswitch domain - Allow munin mail plugins to read exim log files - Backport sanlock policy from Fedora Resolves:#831908 - Allow dac_override, sys_nice for sasl - Add labeling for /var/named/chroot/usr/lib64 - Add support for gitolite3 - Allow confined users to send mail
Thu Jul 26 14:00:00 2012 Miroslav Grepl 3.7.19-158 - Add amavis_use_jit boolean
Thu Jul 26 14:00:00 2012 Miroslav Grepl 3.7.19-157 - Allow procmail to manage mail home data - We should only block MCS node_bind on mcsuntrustedproc - Fixes for amavis Resolves:#837815
Tue Jul 17 14:00:00 2012 Miroslav Grepl 3.7.19-156 - Allow user to login using ssh with random MLS range Resolves:#837815 - Allow virtd_t to create mtab with the proper labeling - Add support for check_icmp nagios plugin - Make chkconfig working on MLS for sysadm_t - Allow dovecot to manage mail_home_rw_t - Add support for fsav - Allow clamscan to use amavisd-new - Add support for rhnsd
Mon Jun 18 14:00:00 2012 Miroslav Grepl 3.7.19-155 - Allow setroubleshootd to execute rpm Resolves:#833053 - Add labeling for /usr/lib/flash-plugin/libflashplayer.so
Thu May 24 14:00:00 2012 Miroslav Grepl 3.7.19-154 - distcvs to distgit corruption fix Resolves:#823991
Wed May 23 14:00:00 2012 Miroslav Grepl 3.7.19-154 - Allow fenced to manage snmpd lib files - Allow certmonger to get attributes on init script files Resolves:#790967 - Fix labeling for Firefox plugins Resolves:#747993 - Add mta_signal_user_agent() interface
Wed May 16 14:00:00 2012 Miroslav Grepl 3.7.19-153 - user_tcp_server boolean should be also for sysadm_t Resolves:#798534
Wed May 16 14:00:00 2012 Miroslav Grepl 3.7.19-152 - Add label for condor_starter Resolves:#807682 - Dontaudit sys_module for brctl - Allow winbind to send signull to smbd - Add jacorb port definition
Tue May 15 14:00:00 2012 Miroslav Grepl 3.7.19-151 - Add openstack-nova, openstack-keystone, openstack-glance, openstack-quantum policies - Allow sysadm_t to create other crontabs - Allow nfsd_t to read default_t link files - Fix labeling for /var/run/heartbeat - Fixes for admin_template() interface to make sysadm_secadm.pp module working correctly - More fixes for condor policy - Allow chfn_t to create user_tmp_files - Allow chfn_t to execute bin_t - Fix auth_role() interface - Fixes to make privsep+SELinux working if we try to use chage to change passwd
Wed May 9 14:00:00 2012 Miroslav Grepl 3.7.19-150 - Allow condor-startd to dbus chat with hal - Allow rpc.mountd to read all files/dirs
Tue May 8 14:00:00 2012 Miroslav Grepl 3.7.19-149 - Add labeling for /usr/sbin/matahari-dbus-sysconfigd - Add additional labeling for zarafa - Allow guest_t to fix labeling - Corenet_tcp_bind_all_unreserved_ports(ssh_t) should be called with the user_tcp_server boolean - squashfs does not support xattr in RHEL6 Resolves:#815898 - Remove pyzor labeling and move it to spamassassin.fc - Fix config.tgz
Wed May 2 14:00:00 2012 Miroslav Grepl 3.7.19-148 - Add mysql_list_db() interface - Allow sshd to read/write condor-startd tcp socket
Tue Apr 24 14:00:00 2012 Miroslav Grepl 3.7.19-147 - Fix man pages for SELinux users - Allow all user domains to setexec - Allow cobblerd to get SELinux status and booleans - Add labeling for /etc/zipl.conf Resolves:#813803 - Allow fenced to read SNMP lib files
Tue Apr 17 14:00:00 2012 Miroslav Grepl 3.7.19-146 - Add sysadm_secadm policy module to separate in secadm_r, sysadm_r Resolves:#787413 - Fixes for libvirt-qmf - Add label for package-cleanup - Add support for zfs - Make cfengine domains as unconfined Resolves:#753184 - Allow sshd_t to dyntransition to sysadm_t
Wed Apr 4 14:00:00 2012 Miroslav Grepl 3.7.19-145 - Fix labeling for /var/run/slapd.* sockets Resolves:#799102 - Add condor policy
Tue Apr 3 14:00:00 2012 Miroslav Grepl 3.7.19-144 - Fixes for cfengine policy * changed labeling for /var/cfengine/outputs from var_log to cfengine_var_log_t * re-arranged policy to use template and cfengine_domain - Allow dovecot to domtrans sendmail to handle sieve scripts - Backport libvirt-qmf policy for Fedora - Remove labeling for postmaster.pid file - Fix for virtual network which loses network connection - Add man pages for SELinux users - cgconfig needs to use getpw calls - Allow lvm and fsadm to write sysfs_t - Allow rpc.mounted to list user tmp files - Fix permissivedomains declarations Resolves:#806220 - Fix spec file to install minimum policy properly
Wed Mar 21 13:00:00 2012 Miroslav Grepl 3.7.19-143 - Add missing transition from certmonger to certmonger_unconfined_t Resolves:#790967
Tue Mar 20 13:00:00 2012 Miroslav Grepl 3.7.19-142 - Fixes for man pages - Allow rpcd to execute sm-notify Resolves:#802247 - Add support for matahari-qmf-rpcd - Add support matahari vios-proxy-* apps - Allow quota-check to create files on nonxattr filesystems - Add support for ~/Maildir - Allow unconfined dyntransition - Fixes for certmonger_unconfined and certmonger - Fixes for certmonger policy
Wed Mar 14 13:00:00 2012 Miroslav Grepl 3.7.19-141 - Add man pages for apps, services - Allow nagios to use user terminals Resolves:#782325 - Add support for unconfined certmonger scripts - Add support for matahari-qmf-rpcd service - Allow chsh to use PAM - Allow rpc.statd to execute sm-notify which has bin_t label - Make sure files which are created by /usr/bin/R get proper label in home directories
Wed Mar 7 13:00:00 2012 Miroslav Grepl 3.7.19-140 - Add additional fixes for nagios handlers Resolves:#749311 - Add 7600 and 4447 as jboss_management ports
Tue Mar 6 13:00:00 2012 Miroslav Grepl 3.7.19-139 - Allow nfsd_t to getattr on all fs Resolves:#738628 - Make mailx working together with cron without unconfined module - Allow sssd sys_resource capability
Wed Feb 29 13:00:00 2012 Miroslav Grepl 3.7.19-138 - Add new policy for cfengine - Add new policy for sge gridengine jobs - Add support for nagios eventhandlers - Make system cron jobs run in the proper domain - Add policy to support privsep ssh process running in user domain - Add fixes related to nss/FIPS - Add new rsync_use_* booleans - Allow qpidd to connect to matahari ports - Allow sysadm_u to read system_r in MLS - Remove razor labeling because we treat razor with spam policy - Add support for matahari-qmf-sysconfig-consoled, clean up matahari policy - Fixes for interfaces Resolves:#791294 Resolves:#796351
Thu Feb 16 13:00:00 2012 Miroslav Grepl 3.7.19-137 - Remove nfs_* booleans because nfs runs in kernel_t domain Resolves:#760405 - Add httpd_manage_ipa boolean - Dontaudit sys_ptrace for matahari-netd - Allow vhostmd to getattr on virtd - Allow snmpd to connect to the ricci_modcluster - qpidd should be allowed to connect to the amqp port
Thu Jan 26 13:00:00 2012 Miroslav Grepl 3.7.19-136 - backport mozilla_plugin policy - backport sandbox policy to support nacl - Add support for selinux_avcstat munin plugin - Treat heartbeat with corosync policy - Allow system cronjobs to read kernel network state - Allow corosync to read and write to qpidd shared memory - More fixes for qpidd Resolves:#769352 - Add policy for quota-nld
Wed Jan 25 13:00:00 2012 Miroslav Grepl 3.7.19-135 - Add fixes for qpidd policy, support for tmpfs_t Resolves:#769352 - Add fixes for mcelog policy, for new location of pid,sock files - Make sendmail and postfix working together
Wed Jan 11 13:00:00 2012 Miroslav Grepl 3.7.19-134 - Backport ABRT policy - Backport matahari policy - Add interfaces for libra - Add jboss_debug port definition
Wed Jan 4 13:00:00 2012 Miroslav Grepl 3.7.19-133 - Allow mta_user_agents to send sigchld to transitioning domain
Tue Jan 3 13:00:00 2012 Miroslav Grepl 3.7.19-132 - Fixes for nagios policy - Add a new interface for libra - Fix spec file to be testing SELinux status correctly
Mon Dec 5 13:00:00 2011 Miroslav Grepl 3.7.19-131 - Fixes for rhev policy - Make ssh-keygen as unconfined domain - Add sanlock_use_nfs boolean - Add ssh_dontaudit_search_user_home_dir interface - namespace_init and MLS fix
Mon Nov 21 13:00:00 2011 Miroslav Grepl 3.7.19-130 - Fix cloudform_exec_mongod interface Resolves:#753184
Mon Nov 21 13:00:00 2011 Miroslav Grepl 3.7.19-129 - Cron and libra fixes
Mon Nov 21 13:00:00 2011 Miroslav Grepl 3.7.19-128 - Add cronjob_role for sysadm - Change label for /var/spool/cron - Add interface to allow exec of mongod
Tue Nov 15 13:00:00 2011 Miroslav Grepl 3.7.19-127 - Make cronjob working on MLS
Wed Nov 9 13:00:00 2011 Miroslav Grepl 3.7.19-126 - Fix dev_rw_generic_usb_dev
Wed Nov 9 13:00:00 2011 Miroslav Grepl 3.7.19-125 - Change the postinstall to load_policy separately from the semodule command - This will put the proper files in place even if the kernel rejects the policy. - Allow login programs to connect to the pki_ca_port - Allow vhostmd to read /dev/rand and signal
Mon Nov 7 13:00:00 2011 Miroslav Grepl 3.7.19-124 - Add MCS fixes to make sVirt working correctly - Fixes for httpd_dirsrvadmin_script_t policy
Thu Nov 3 13:00:00 2011 Miroslav Grepl 3.7.19-123 - MLS Overrides needed for a user running at a level to be able to use sudo and talk to sssd - Allow initrc_t to manage dirsrv pid files with disabled unconfined module - Fixed for deltacloudd policy
Wed Nov 2 13:00:00 2011 Miroslav Grepl 3.7.19-122 - Add label for imagefactory images directory - Allow dovecot sys_nice Resolves:#749690
Mon Oct 31 13:00:00 2011 Miroslav Grepl 3.7.19-121 - Add support for dbomatic Resolves: #745531
Wed Oct 26 14:00:00 2011 Miroslav Grepl 3.7.19-120 - dhcpd needs dac_override
Tue Oct 25 14:00:00 2011 Miroslav Grepl 3.7.19-119 - Add cloudform policy
Tue Oct 18 14:00:00 2011 Miroslav Grepl 3.7.19-118 - Fix label for /root/.hushlogin - Allow domain to send/recv unlabeled packet - Allow sshd to relabel tun socket - Allow puppetmasterd to relabel puppet config files - Add label for lvs.conf - Fix labeling for matahari-netd agents
Thu Oct 13 14:00:00 2011 Miroslav Grepl 3.7.19-117 - Fix device interfaces - Add label for /dev/bsr4096_* devices
Wed Oct 12 14:00:00 2011 Miroslav Grepl 3.7.19-116 - Interfaces fixes - Allow dirsrv to use PAM - Fix matahari labeling
Wed Oct 5 14:00:00 2011 Miroslav Grepl 3.7.19-115 - Add unlabelednet policy module - Add chrome role for xguest - Fix for vdagent policy - Add fix to allow confined apps to execmod on chrome
Thu Sep 29 14:00:00 2011 Miroslav Grepl 3.7.19-114 - Fix httpd_selinux man page - Add corenet_packet() interface - Add support for Clustered Samba commands
Wed Sep 21 14:00:00 2011 Miroslav Grepl 3.7.19-113 - Fix execmem_execmod() interface Resolves:#739618
Tue Sep 20 14:00:00 2011 Miroslav Grepl 3.7.19-112 - Fix description of allow_* booleans - Allow sanlock to manage libvirt lib files - Fix bug in lsassd policy - Add label for /var/run/luci - move port 18001 from http_port_t to jboss_management_port_t
Fri Sep 16 14:00:00 2011 Miroslav Grepl 3.7.19-111 - Add git_cgit_read_gitosis_content boolean - Add support for cma port - Add virt_use_sanlock boolean and make sanlock working together libvirt - Make passenger and puppet working together
Thu Sep 8 14:00:00 2011 Miroslav Grepl 3.7.19-110 - Add label for passwd.adjunct - Allow pulse to execute /usr/sbin/fos - Fix labeling for passenger - Add selinux policy support for IP-in-SSH tunnelling - Allow sulogin to write /dev/pts/0 in single user mode
Wed Aug 31 14:00:00 2011 Miroslav Grepl 3.7.19-109 - Add abrt man page - Make internal-sftpd working - Fixes for cluster
Wed Aug 24 14:00:00 2011 Miroslav Grepl 3.7.19-108 - Add squid man page - Add git man page - Make puppet working with passenger - Allow procmail to execute hostname command
Thu Aug 11 14:00:00 2011 Miroslav Grepl 3.7.19-107 - Make new domains as unconfined - Add abrt_handle_event_t domain for ABRT event script - Add selinux_mysql man page - Fix httpd selinux man page - Fix interfaces
Tue Aug 2 14:00:00 2011 Miroslav Grepl 3.7.19-106 - Add ctdbd, uuidd, sblim policies
Tue Jul 26 14:00:00 2011 Miroslav Grepl 3.7.19-105 - Add zarafa, drbd, fcoemon, lldpad policies
Wed Jul 20 14:00:00 2011 Miroslav Grepl 3.7.19-104 - Allow puppet to Check access to the passwd executable - Add label for /var/www/html/logs directory - Add label for /var/lib/squeezeboxserver directory - Allow rgmanager executes init script files in initrc_t domain which ensure proper transitions
Thu Jul 14 14:00:00 2011 Miroslav Grepl 3.7.19-103 - Fixes in postfix policy
Thu Jun 30 14:00:00 2011 Miroslav Grepl 3.7.19-102 - Add rhsmcertd policy
Wed Jun 29 14:00:00 2011 Miroslav Grepl 3.7.19-101 - Add sanlock and wdmd policy - Allow syslogd ipc_lock
Mon Jun 20 14:00:00 2011 Miroslav Grepl 3.7.19-100 - More fixes for rhev-agentd
Fri Jun 17 14:00:00 2011 Miroslav Grepl 3.7.19-99 - Add mta_user_agent attribute * Needed for libra
Fri Jun 10 14:00:00 2011 Miroslav Grepl 3.7.19-98 - Fix for OpenShift
Mon Jun 6 14:00:00 2011 Miroslav Grepl 3.7.19-97 - Allow postfix-pickup to write files and directories regardless of their MCS category set. - Make xinetd trusted to write outbound packets regardless of the network's or node's MLS range Resolves: #705772
Thu May 26 14:00:00 2011 Miroslav Grepl 3.7.19-96 - Add rhev policy - Make vhostd device MLS trusted
Tue May 24 14:00:00 2011 Miroslav Grepl 3.7.19-95 - Allow secadm to manage selinux config files - Allow apache to use jboss management port - Add fenced_can_ssh boolean
Thu May 12 14:00:00 2011 Miroslav Grepl 3.7.19-94 - Fixes for libra
Fri Apr 29 14:00:00 2011 Miroslav Grepl 3.7.19-93 - Make init_t MLS trusted for reading/writing from/to sockets at any level
Wed Apr 27 14:00:00 2011 Miroslav Grepl 3.7.19-92 - Fix virt_admin interface
Wed Apr 27 14:00:00 2011 Miroslav Grepl 3.7.19-91 - Allow netlabel_mgmt_t to use all terms
Wed Apr 27 14:00:00 2011 Miroslav Grepl 3.7.19-90 - Add label for /dev/hpilo directory - Fix label for /var/cache/libvirt
Tue Apr 26 14:00:00 2011 Miroslav Grepl 3.7.19-89 - More fixes for aide
Tue Apr 26 14:00:00 2011 Miroslav Grepl 3.7.19-88 - Aide policy does not handle MLS mode well - Make netlabelctl working in MLS
Wed Apr 20 14:00:00 2011 Miroslav Grepl 3.7.19-87 - Allow $1_sudo_t to read default SELinux context - Allow tgtd to create a sock file - Allow initrc_t to manage faillock
Tue Apr 19 14:00:00 2011 Miroslav Grepl 3.7.19-86 - Allow squid to manage krb5_host_rcache_t files
Wed Apr 13 14:00:00 2011 Miroslav Grepl 3.7.19-85 - Allow unconfined to run libvirt in virtd_t domain - Make foghorn unconfined domain
Mon Apr 11 14:00:00 2011 Miroslav Grepl 3.7.19-84 - Allow foghorn to read usr files
Fri Apr 8 14:00:00 2011 Miroslav Grepl 3.7.19-83 - Add label for matahari-broker.pid file - Allow foghorn to read snmp lib files - Make sysadm security admin - Fix ssh_sysadm_login boolean Resolves: #694551
Wed Apr 6 14:00:00 2011 Miroslav Grepl 3.7.19-82 - Allow ssh_keygen_t read and write a user TTYs and PTYs
Tue Apr 5 14:00:00 2011 Miroslav Grepl 3.7.19-81 - Add allow_sysadm_manage_security boolean - Add label for /dev/dlm.* - Allow auditadm_screen_t and secadm_screen_t dac_override capability - SSH_USE_STRONG_RNG is 1 which requires /dev/random - Fix auth_rw_faillog definition - Fixes for nslcd policy Resolves: #693368 - Allow qpidd to manage pid and lib matahari files - Allow rgmanager to send the kill signal to all users
Fri Mar 25 13:00:00 2011 Miroslav Grepl 3.7.19-80 - Add support for a new cluster service - foghorn - sssd needs to read ~/.k5login in nfs, cifs or fusefs file systems - sssd wants to read .k5login file in users homedir - Add support for vdsm - Allow syslogd setrlimit, sys_nice Resolves: #689431 - ipsec_mgmt_t wants to cause ipsec_t to dump core, needs to be allowed
Thu Mar 17 13:00:00 2011 Miroslav Grepl 3.7.19-79 - Fixes for sandbox/seunshare policy Resolves:#684919 - Allow ssh_keygen_t dac_override - Add matahari policy - Add label for /etc/securetty - Fixes for piranha-pulse policy - Fixes for radius, samba, dirsrv, kerberos policies - Allow console login on MLS - Fix file context to show several labels as SystemHigh - Add port definition for dogtag, matahari, movaz ports
Thu Mar 10 13:00:00 2011 Miroslav Grepl 3.7.19-78 - Change context for /var/run/faillock
Wed Mar 9 13:00:00 2011 Miroslav Grepl 3.7.19-77 - Add spice fixes - Add label for /dev/hpilo/*
Tue Mar 8 13:00:00 2011 Miroslav Grepl 3.7.19-76 - Fixes for ssh_keygen policy - Allow sysadm_t to run ssh-keygen in ssh_keygen_t domain - Backport spice vdagent policy
Fri Mar 4 13:00:00 2011 Miroslav Grepl 3.7.19-75 - Allow svirt to manage sock_file in ~/.libvirt directory - Allow sysadm to run udev in udev_t domain - Remove capability from svirt - Add lvm_exec_t label for kpartx
Tue Mar 1 13:00:00 2011 Miroslav Grepl 3.7.19-74 - Add virt_home_ type files located in ~/.libvirt directory - virt creates monitor sockets in the users home dir - Allow lvm setfscreate Resolves: #680388 - Make lsusb and lsblk working on MLS Resolves: #680426
Thu Feb 24 13:00:00 2011 Miroslav Grepl 3.7.19-73 - Fix spec file - Fix for policykit Resolves: #678044
Tue Feb 22 13:00:00 2011 Miroslav Grepl 3.7.19-72 - Fix for cmirrord Resolves: #676664 - Add mcsnetwrite attribute
Thu Feb 17 13:00:00 2011 Miroslav Grepl 3.7.19-71 - Allow cmirrord to create physical disk devices in /dev - Allow cluster domains to use the system bus and send each other dbus messages - Add label for /dev/tgt
Tue Feb 8 13:00:00 2011 Miroslav Grepl 3.7.19-70 - Make screen working for sysadm_u Resolves: #669439
Mon Feb 7 13:00:00 2011 Miroslav Grepl 3.7.19-69 - Make Spacewalk to work with selinux-policy Resolves: #673112 - Fix /root/.ssh labeling Resolves: #637109 - Fix for the spec file
Mon Jan 24 13:00:00 2011 Miroslav Grepl 3.7.19-68 - Other fixes for namespace policy
Thu Jan 20 13:00:00 2011 Miroslav Grepl 3.7.19-67 - Treat iprinit, iprupdate, iprdump services with raid policy Resolves: #669402
Wed Jan 19 13:00:00 2011 Miroslav Grepl 3.7.19-66 - Fixes for newrole related with namespace.init
Tue Jan 18 13:00:00 2011 Miroslav Grepl 3.7.19-65 - Allow newrole to run namespace_init
Fri Jan 14 13:00:00 2011 Miroslav Grepl 3.7.19-64 - Add namespace policy - Allow udev to stream connect to init Resolves: #667370 - Update for screen policy to handle pipe in homedir - Fixes for polyinstantiated homedir
Mon Jan 10 13:00:00 2011 Miroslav Grepl 3.7.19-63 - Make kernel_t domain MLS trusted for lowering the level of files
Wed Dec 22 13:00:00 2010 Miroslav Grepl 3.7.19-62 - Allow apache to read cobbler lib files Resolves: #658410
Tue Dec 21 13:00:00 2010 Miroslav Grepl 3.7.19-61 - Fixes for passenger policy - Allow user_t to conditionally transition to ping_t and traceroute_t Resolves: #663054
Mon Dec 20 13:00:00 2010 Miroslav Grepl 3.7.19-60 - Fixes for certmonger - Backport passenger policy - Allow run_init to read console_device Resolves: #657568 - Add label for /var/lib/dkim-milter - Fixes for munin policy
Thu Dec 9 13:00:00 2010 Miroslav Grepl 3.7.19-59 - Allow cdrecord setrlimit Resolves: #615731 - Define debugfs_t as mountpoint Resolves: #646856 - Fix fenced_can_network_connect boolean description Resolves: #650136 - Add label for /var/run/faillock - Add dirsrv and dirsrv-admin policy Resolves: #655206 - Fixes for cobbler policy - Allow certmonger to manage dirsrv config Resolves: #658591
Tue Oct 26 14:00:00 2010 Miroslav Grepl 3.7.19-58 - Fix httpd_setrlimit boolean to allow sys_resource capability - Fix label for ip6tables.save - Allow ssh_t to exec ssh_exec_t - Dontaudit init leaks Resolves: #639083
Wed Oct 13 14:00:00 2010 Miroslav Grepl 3.7.19-57 - Allow system_mail_t to append ~/dead.letter - Allow mount to communicate with gfs_controld Resolves: #636683 - Dontaudit hal leaks in setfiles - gpm needs to use the user terminal
Wed Oct 6 14:00:00 2010 Miroslav Grepl 3.7.19-56 - Allow smartd to read usr files - Allow devicekit-power transition to dhcpc - Add label for /etc/timezone - Remove transition from unconfined_t to iptables_t - Allow domains with different mcs levels to send each other signals as long as they are not identified as mcsconstrainproc Resolves: #634945 - Allow nrpe to send signal and sigkill to the plugins - Fix up xguest to allow it to read hwdata and gconf_etc_t
Thu Sep 16 14:00:00 2010 Miroslav Grepl 3.7.19-55 - Add cluster_var_lib_t type and label for /var/lib/cluster - Add labeling for /root/.debug - Remove permissive from cmirrord domain - Dontaudit cmirrord_t sys_tty_config capability - Allow virtd to read from processes up to its clearance - Allow dovecot-deliver to create tmp files - Allow tor to send signals to itself - Handle /var/db/sudo - Remove allow_corosync_rw_tmpfs boolean Resolves: #631564
Thu Sep 2 14:00:00 2010 Miroslav Grepl 3.7.19-54 - Allow clmvd to create tmpfs files Resolves: #629391 Resolves: #594833
Wed Sep 1 14:00:00 2010 Miroslav Grepl 3.7.19-53 - Fixes for jabberd policy - Fixes for sandbox policy
Mon Aug 30 14:00:00 2010 Miroslav Grepl 3.7.19-52 - Fix label for /bin/mountpoint - Allow fsadm to read virt blk image files
Wed Aug 25 14:00:00 2010 Miroslav Grepl 3.7.19-51 - Allow seunshare fowner capability - Allow dovecot to manage postfix private socket
Tue Aug 24 14:00:00 2010 Miroslav Grepl 3.7.19-50 - Fixes for boinc policy - Fixes for shorewall policy
Fri Aug 20 14:00:00 2010 Miroslav Grepl 3.7.19-49 - Add label for /var/cache/rpcbind directory - Add chrome_role for xguest - Fix amavis_read_spool_files interface
Wed Aug 18 14:00:00 2010 Miroslav Grepl 3.7.19-48 - Fixes for shorewall policy - Allow sssd chown capability - Fix label for /usr/bin/mutter - Label dead.letter as mail_home_t - Allow pcscd to read hardware state information - Fixes for ulogd policy
Fri Aug 13 14:00:00 2010 Miroslav Grepl 3.7.19-47 - Fixes for boinc-project policy - Allow swat to read nmbd pid file - Allow fail2ban to read BIND log files - Fix cert handling from Dan - Remove transition from unconfined to ncftool domain
Wed Aug 11 14:00:00 2010 Miroslav Grepl 3.7.19-46 - Allow ipsec-mgmt to dbus chat with unconfined - Fixes for boinc policy
Tue Aug 10 14:00:00 2010 Miroslav Grepl 3.7.19-45 - Fixes for cgroup policy - Fixes for ncftool policy - Add ncftool_read_user_content boolean - Fix label for boinc init script - Fix label for fence_tool - Allow vhostmd to write virt content - Allow ricci domtrans to shutdown
Thu Aug 5 14:00:00 2010 Miroslav Grepl 3.7.19-44 - Add support for luci - Add label for /var/spool/up2date
Wed Aug 4 14:00:00 2010 Miroslav Grepl 3.7.19-43 - Allow ncftool to run brctl - Fixes for ricci-modclusterd policy - Allow uucpd to execute ssh client - Add label for dayplanner - Allow sandbox_xserver execstack
Mon Aug 2 14:00:00 2010 Miroslav Grepl 3.7.19-42 - Allow kdump to read information from the debugging filesystem - Update boinc policy - Fixes for logwatch-mail policy
Tue Jul 27 14:00:00 2010 Miroslav Grepl 3.7.19-41