|
|
|
|
Changelog for selinux-policy-mls-3.14.1-61.el8.noarch.rpm :
* Fri Feb 22 2019 Lukas Vrabec - 3.14.1-61- Add dac_override capability for sbd_t SELinux domainResolves: rhbz#1677325- Allow syslogd_t domain to send null signal to all domains on systemResolves: rhbz#1676923 * Fri Feb 15 2019 Lukas Vrabec - 3.14.1-60- Update kdump_manage_crash() interface to allow also manage dirs by caller domainResolves: rhbz#1627861 * Mon Feb 11 2019 Lukas Vrabec - 3.14.1-59- Add dac_override capability to spamd_t domainResolves: rhbz#1567073 * Mon Feb 11 2019 Lukas Vrabec - 3.14.1-58- Allow ibacm_t domain to read system state and label all ibacm sockets and symlinks as ibacm_var_run_t in /var/runResolves: rhbz#1635674- Update mount_read_pid_files macro to allow also list mount_var_run_t dirsResolves: rhbz#1664448- Allow userdomain to stop systemd user session during logout.Resolves: rhbz#1664448 * Wed Feb 06 2019 Lukas Vrabec - 3.14.1-57- Allow read network state of system for processes labeled as ibacm_tResolves: rhbz#1635674- Allow ibacm_t domain to send dgram sockets to kernel processesResolves: rhbz#1635674- Allow virt_doamin to read/write dev deviceResolves: rhbz#1672188- Update ibacm_t policy after testing lastest version of this componentResolves: rhbz#1635674- Allow sensord_t domain to mmap own log filesResolves:rhbz#1656055- Label /dev/sev char device as sev_device_tResolves: rhbz#1672188 * Wed Feb 06 2019 Lukas Vrabec - 3.14.1-56- Allow virt_doamin to read/write dev deviceResolves: rhbz#1672188- Update ibacm_t policy after testing lastest version of this componentResolves: rhbz#1635674- Allow sensord_t domain to mmap own log filesResolves:rhbz#1656055- Add dac_override capability for ipa_helper_tResolves: rhbz#1668168- Allow sensord_t domain to use nsswitch and execute shellResolves: rhbz#1656055- Allow opafm_t domain to execute lib_t filesResolves: rhbz#1627861- Allow opafm_t domain to manage kdump_crash_t files and dirsResolves: rhbz#1627861- Label /dev/sev char device as sev_device_tResolves: rhbz#1672188 * Fri Feb 01 2019 Lukas Vrabec - 3.14.1-55- Fix broken config files because of missing level specification in user_t contextsResolves: rhbz#1664448 * Fri Feb 01 2019 Lukas Vrabec - 3.14.1-54- Allow sensord_t domain to use nsswitch and execute shellResolves: rhbz#1656055- Allow opafm_t domain to execute lib_t filesResolves: rhbz#1627861 * Tue Jan 29 2019 Lukas Vrabec - 3.14.1-53- Update dbus_role_template interface to allow userdomains to accept data from userdomain dbus domainsResolves: rhbz#1664448- Allow systemd to read selinux logind configResolves: rhbz#1664448- Fix userdom_admin_user_template() interface by adding bluetooth,alg,dccp create_stream_socket permissions.- Allow transition from init_t domain to user_t domain during ssh login with confined user user_uResolves: rhbz#1664448 * Thu Jan 24 2019 Lukas Vrabec - 3.14.1-52- Fix userdom_admin_user_template() interface by adding bluetooth,alg,dccp create_stream_socket permissions.Resolves: rhbz#1557301 * Mon Jan 14 2019 Lukas Vrabec - 3.14.1-51- Allow tangd_t domain to bind on tcp ports labeled as tangd_port_tResolves: rhbz#1664345- Create tangd_port_t with default label tcp/7406Resolves: rhbz#1664345- Remove tangd_t domain from permissive domains.Resolves: rhbz#1664345 * Fri Jan 11 2019 Lukas Vrabec - 3.14.1-50- Change label of /usr/libexec/lm_sensors/sensord-service-wrapper from lsmd_exec_t to sensord_exec_tResolves: rhbz#1656055- Make kpatch_t domain application domain to allow users to execute kpatch in kpatch_t domain.Resolves: rhbz#1630198- Allow confined users to use new socket classes for bluetooth, alg and tcpdiag socketsResolves: rhbz#1557301- Allow sysadm_t,staff_t and unconfined_t domain to execute kpatch as kpatch_t domainResolves: rhbz#1630198 * Tue Dec 11 2018 Lukas Vrabec - 3.14.1-49- Update nslcd_t domain to allow view kernel and systemd keyringsResolves: rhbz#1657916- Allow arpwatch_t domains to execute shell BZ(1644568)- Allow processes labeled as ipa_otpd_t stream connect to sssd.- Add new SELinux domain pcp_plugin_t.Resolves: rhbz#1648386- Remove all ganesha bits from gluster and rpc policyResolves: rhbz#1639227- Label /usr/share/spamassassin/sa-update.cron as spamd_update_exec_tResolves: rhbz#1656837- Add dac_override capability to ssad_t domainsResolves: rhbz#1655551- Allow pesign_t domain to read gnome home configsResolves: rhbz#1644796- Label /usr/libexec/lm_sensors/sensord-service-wrapper as lsmd_exec_tResolves: rhbz#1656055- Allow rngd_t domains read kernel stateResolves: rhbz#1656054- Allow certmonger_t domains to read bind cacheResolves: rhbz#1655077- Allow ypbind_t domain to stream connect to sssdResolves: rhbz#1583953- Allow rngd_t domain to setschedResolves: rhbz#1653872- Add interface init_view_key()- Allow systemd to mmap all pidfilesResolves: rhbz#1622548- Add files_map_all_pids() interface- Allow passwd_t domain mamange sssd public nad lib files, read pid files and send signals to sssd_t domainsResolves: rhbz#1657291- Update xserver_filetrans_home_content() and xserver_filetrans_admin_home_content() unterfaces to allow caller domain to create .vnc dir in users homedir labeled as xdm_home_tResolves: rhbz#1639846- Update logging_filetrans_named_content() to allow caller domains of this interface to create /var/log/journal/remote directory labeled as var_log_t- Add sys_resource capability to the systemd_passwd_agent_t domainResolves: rhbz#1590981- Allow ipsec_t domains to read bind cacheResolves: rhbz#1654692- kernel/files.fc: Label /run/motd as etc_t- Allow systemd to stream connect to userdomain processesResolves: rhbz#1644733 * Tue Nov 27 2018 Lukas Vrabec - 3.14.1-48- Allow sanlock_t domain to read/write sysfs_t filesResolves: rhbz#1647594- Add dac_override capability to postfix_local_t domain- Allow ypbind_t to search sssd_var_lib_t dirs- Allow virt_qemu_ga_t domain to write to user_tmp_t files- Allow systemd_logind_t to dbus chat with virt_qemu_ga_t- Update sssd_manage_lib_files() interface to allow also mmap sssd_var_lib_t files- Label /var/lib/private/systemd/ as init_var_lib_tResolves: rhbz#1649312- Allow initrc_t domain to create new socket labeled as init_t- Allow audisp_remote_t domain remote logging client to read local audit events from relevant socket.Resolves: rhbz#1639675- Add tracefs_t type to mountpoint attributeResolves: rhbz#1647819- Allow useradd_t and groupadd_t domains to send signals to sssd_tResolves: rhbz#1651531- Allow systemd_logind_t domain to remove directories labeled as tmpfs_t BZ(1648636)- Allow useradd_t and groupadd_t domains to access sssd files because of the new feature in shadow-utilsResolves: rhbz#1651531 * Wed Nov 07 2018 Lukas Vrabec - 3.14.1-47- Update pesign policy to allow pesign_t domain to read bind cache files/dirsResolves: rhbz#1644796- Add dac_override capability to mdadm_t domainResolves: rhbz#1599646- Create ibacm_tmpfs_t type for the ibacm policyResolves: rhbz#1581715- Dontaudit capability sys_admin for dhcpd_t domainResolves: rhbz#1635643- Makes rhsmcertd_t domain an exception to the constraint preventing changing the user identity in object contexts.Resolves: rhbz#1639181- Allow abrt_t domain to mmap generic tmp_t filesResolves:rhbz#1644727- Label /usr/sbin/wpa_cli as wpa_cli_exec_tResolves: rhbz#1644899- Allow sandbox_xserver_t domain write to user_tmp_t filesResolves:rhbz#1644315- Dontaudit thumb_t domain to setattr on lib_t dirs BZ(1643672)- Dontaudit cupsd_t domain to setattr lib_t dirs BZ(1636766)- Add dac_override capability to postgrey_t domain BZ(1638954)- Allow thumb_t domain to execute own tmpfs files BZ(1643698)- Add nnp transition rule for vnstatd_t domain using NoNewPrivileges systemd feature BZ(1643063)- Allow l2tpd_t domain to mmap /etc/passwd file BZ(1638948)- Allow certutil running as ipsec_mgmt_t domain to mmap ipsec_mgmt pid files Dontaudit ipsec_mgmt_t domain to write to the all mountpointsResolves: rhbz#1644727- Add interface files_map_generic_tmp_files()- Add dac_override capability to the syslogd_t domainResolves: rhbz#1644373- Create systemd_timedated_var_run_t label- Update systemd_timedated_t domain to allow create own pid files/access init_var_lib_t files and read dbus files BZ(1646202)- Improve fs_manage_ecryptfs_files to allow caller domain also mmap ecryptfs_t files BZ(1630675)- kernel/files.fc: Label /run/motd.d(/. *)? as etc_t- Allow ipsec_mgmt_t process to send signals other than SIGKILL, SIGSTOP, or SIGCHLD to the ipsec_t domains BZ(1638949) * Mon Oct 22 2018 Lukas Vrabec - 3.14.1-46- Add dac_override capability to ftpd_t domainResolves: rhbz#1641049- Allow X display manager to check status and reload services which are part of x_domain attributeResolves: rhbz#1641082 * Fri Oct 19 2018 Lukas Vrabec - 3.14.1-45- Allow gpg_t to create own tmpfs dirs and sockets- Allow rhsmcertd_t domain to relabel cert_t files- Add SELinux policy for kpatchResolves: rhbz#1630198- Allow nova_t domain to use pam- sysstat: grant sysstat_t the search_dir_perms set- Allow boltd_t domain to dbus chat with fwupd_t domain BZ(1633786)- Allow caller domains using cron_ *_role to have entrypoint permission on system_cron_spool_t files BZ(1625645)- Add interface cron_system_spool_entrypoint()- Bolt added d-bus API for force-powering the thunderbolt controller, so system-dbusd needs acces to boltd pipes BZ(1637676)- Add interfaces for boltd SELinux module- Add dac_override capability to modemmanager_t domain BZ(1636608)- Add interface miscfiles_relabel_generic_cert()- Make kpatch policy active- Fix userdom_write_user_tmp_dirs() to allow caller domain also read/write user_tmp_t dirs- Dontaudit sys_admin capability for netutils_t domain- Label tcp and udp ports 2611 as qpasa_agent_port_t- Allow systemd to mount boltd_var_run_t dirs BZ(1636823)- Label correctly /var/named/chroot */dev/unrandom in bind chroot. * Sat Oct 13 2018 Lukas Vrabec - 3.14.1-44- Update rpm macros for selinux policy from sources repository: https://github.com/fedora-selinux/selinux-policy-macrosResolves: rhbz#1633198- Allow boltd_t to read fwupd_t processes state- Turn named_write_master_zones boolean on by default.Resolves: rhbz#1633158- Label /etc/rhsm as rhsmcertd_config_tResolves: rhbz#1636212- Allow httpd_t domain to write to httpd_config_t dirs if httpd_run_ipa boolean is turned onResolves: rhbz#1624930- Allow dhcpd_t domain to mmap dhcpd_state_t filesResolves: rhbz#1635643- Allow abrt_t domain to manage usr_t dirsResolves: rhbz#1619001- Allow certmonger_t domain to manage cockpit pid filesResolves: rhbz#1629685- Update opafm_t domain after basic testing this serviceResolves: rhbz#1627861- Allow systemd-tty-ask to ask for password of encrypted partions during bootResolves: rhbz#1638666- Update sysnet_read_dhcp_config interface to allow caller domain also mmap dhcp_etc_t files- Add interface files_manage_usr_dirs() * Wed Oct 10 2018 Lukas Vrabec - 3.14.1-43- Allow ibacm_t domain to read/write to infiniband devices Allow ibacm_t domain to getattr tmpfs_t filesystem.Resolves: rhbz#1635674- Update SELinux policy for libreswan based on the latest rebase 3.26Resolves: rhbz#1637089 * Mon Oct 08 2018 Lukas Vrabec - 3.14.1-42- Allow cockpit to create motd file in /var/run/cockpitResolves: rhbz#1629678- Allow cockpit_t domain to read systemd stateResolves: rhbz#1629588 * Thu Oct 04 2018 Lukas Vrabec - 3.14.1-41- Tomcat should not be unconfined domain- Fix typo in cockpit interfaces we have cockpit_var_run_t files not cockpit_var_pid_t- Add interface apcupsd_read_power_files()- Allow systemd labeled as init_t to execute logrotate in logrotate_t domain- Allow dac_override capability to amanda_t domain- Allow geoclue_t domain to get attributes of fs_t filesystems- Update selinux policy for rhnsd_t domain based on changes in spacewalk-2.8-clientResolves: rhbz#1629678Resolves: rhbz#1629685Resolves: rhbz#1626100Resolves: rhbz#1629588Resolves: rhbz#1630317 * Sat Sep 15 2018 Lukas Vrabec - 3.14.1-40- Tomcat should not be unconfined domain- Allow cockpit_t domain to read systemd state- Allow abrt_t domain to write to usr_t files- Allow cockpit to create motd file in /var/run/cockpit- Label /usr/sbin/pcsd as cluster_exec_t- Allow pesign_t domain to getattr all fs- Allow tomcat servers to manage usr_t files- Dontaudit tomcat serves to append to /dev/random device- Allow dirsrvadmin_script_t domain to read httpd tmp files- Allow sbd_t domain to getattr of all char files in /dev and read sysfs_t files and dirs- Revert \"Allow firewalld_t domain to read random device\"- Allow postfix domains to mmap system db files- Allow geoclue_t domain to execute own tmp files- Allow virt_qemu_ga_t domain to read network state BZ(1592145)- Update ibacm_read_pid_files interface to allow also reading link files- Allow zebra_t domain to create packet_sockets- Allow opafm_t domain to list sysfs- Label /usr/libexec/cyrus-imapd/cyrus-master as cyris_exec_t- Add boolean: domain_can_mmap_files.- Allow sshd_t domain to read cockpit pid files- Allow syslogd_t domain to manage cert_t files- Allow getattr as part of files_mounton_kernel_symbol_table.- Fix typo \"aduit\" -> \"audit\"- Revert \"Add new interface dev_map_userio()\"- Add new interface dev_map_userio()- Allow systemd to read ibacm pid filesResolves: rhbz#1615318Resolves: rhbz#1619001Resolves: rhbz#1627646 * Fri Sep 07 2018 Lukas Vrabec - 3.14.1-39- Merge remote-tracking branch \'fedora-contrib/f28\' into rhel8.0-contrib- Tomcat should not be unconfined domain- Update ibacm_read_pid_files interface to allow also reading link files- Allow zebra_t domain to create packet_sockets- Allow opafm_t domain to list sysfs- Label /usr/libexec/cyrus-imapd/cyrus-master as cyris_exec_t- Allow tomcat Tomcat to delete a temporary file used when compiling class files for JSPs.- Allow chronyd_t domain to read virt_var_lib_t files- Allow tomcat services create link file in /tmp- Label /etc/shorewall6 as shorewall_etc_t- Allow winbind_t domain kill in user namespaces- Allow firewalld_t domain to read random device- Allow abrt_t domain to do execmem- Allow geoclue_t domain to execute own var_lib_t files- Allow openfortivpn_t domain to read system network state- Allow dnsmasq_t domain to read networkmanager lib files- sssd: Allow to limit capabilities using libcap- sssd: Remove unnecessary capability- sssd: Do not audit usage of lib nss_systemd.so- Fix bug in nsd.fc, /var/run/nsd.ctl is socket file not file- Add correct namespace_init_exec_t context to /etc/security/namespace.d/ *- Update nscd_socket_use to allow caller domain to mmap nscd_var_run_t files- Allow exim_t domain to mmap bin files- Allow mysqld_t domain to executed with nnp transition- Allow svirt_t domain to mmap svirt_image_t block files- Add caps dac_read_search and dav_override to pesign_t domain- Allow iscsid_t domain to mmap userio chr files- Merge remote-tracking branch \'fedora-base/f28\' into rhel8.0-base- Revert \"Add new interface dev_map_userio()\"- Add new interface dev_map_userio()- Allow systemd to read ibacm pid files- Allow systemd to create symlinks in for /var/lib- Add comment to show that template call also allows changing shells- Document userdom_change_password_template() behaviour- Merge remote-tracking branch \'fedora-base/f28\' into rhel8.0-base- update files_mounton_kernel_symbol_table() interface to allow caller domain also mounton system_map_t file- Fix typo in logging SELinux module- Allow usertype to mmap user_tmp_type files- In domain_transition_pattern there is no permission allowing caller domain to execu_no_trans on entrypoint, this patch fixing this issue- Revert \"Add execute_no_trans permission to mmap_exec_file_perms pattern\"- Add boolean: domain_can_mmap_files.- Allow ipsec_t domian to mmap own tmp files- Add .gitignore file- Add execute_no_trans permission to mmap_exec_file_perms pattern- Allow sudodomain to search caller domain proc info- Allow audisp_remote_t domain to read auditd_etc_t- netlabel: Remove unnecessary sssd nsswitch related macros- Allow to use sss module in auth_use_nsswitch- Limit communication with init_t over dbus- Add actual modules.conf to the git repo- Add few interfaces to optional block- Allow sysadm_t and staff_t domain to manage systemd unit files- Add interface dev_map_userio_dev()Resolves: rhbz#1623411Resolves: rhbz#1624648Resolves: rhbz#1596618Resolves: rhbz#1574878Resolves: rhbz#1577324Resolves: rhbz#1625202Resolves: rhbz#1581715Resolves: rhbz#1625127 * Tue Aug 28 2018 Lukas Vrabec - 3.14.1-38- Allow ovs-vswitchd labeled as openvswitch_t domain communicate with qemu-kvm via UNIX stream socketResolves: rhbz#1621142- Add interface devicekit_mounton_var_lib()- Allow httpd_t domain to mmap tmp files- Allow tcsd_t domain to have dac_override capability- Allow cupsd_t to rename cupsd_etc_t files- Allow iptables_t domain to create rawip sockets- Allow amanda_t domain to mmap own tmpfs files- Allow fcoemon_t domain to write to sysfs_t dirs- Allow dovecot_auth_t domain to have dac_override capability- Allow geoclue_t domain to mmap own tmp files- Allow chronyc_t domain to read network state- Allow apcupsd_t domain to execute itself- Allow modemmanager_t domain to stream connect to sssd- Allow chonyc_t domain to rw userdomain pipes- Update dirsrv_read_share() interface to allow caller domain to mmap dirsrv_share_t files- Update dirsrvadmin_script_t policy to allow read httpd_tmp_t symlinks- Allow nagios_script_t domain to mmap nagios_spool_t files- Allow geoclue_t domain to mmap geoclue_var_lib_t files- Allow geoclue_t domain to map generic certs- Update munin_manage_var_lib_files to allow manage also dirs- Allow nsd_t domain to create new socket file in /var/run/nsd.ctl- Fix typo in virt SELinux policy module- Allow virtd_t domain to create netlink_socket- Allow rpm_t domain to write to audit- Allow nagios_script_t domain to mmap nagios_etc_t files- Update nscd_socket_use() to allow caller domain to stream connect to nscd_t- Allow kdumpctl_t domain to getattr fixed disk device in mls- Fix typo in stapserver policy- Dontaudit abrt_t domain to write to usr_t dirs- Revert \"Allow rpcbind to bind on all unreserved udp ports\"- Allow rpcbind to bind on all unreserved udp ports- Allow virtlogd to execute itself- Allow stapserver several actions: - execute own tmp files - mmap stapserver_var_lib_t files - create stapserver_tmpfs_t files- Allow ypxfr_t domain to stream connect to rpcbind and allos search sssd libs- Allos systemd to socket activate ibacm service- Allow dirsrv_t domain to mmap user_t files- Allow dhcpc_t domain to read /dev/random- Allow systemd to mounton device_var_lib_t dirs- Allow systemd to mounton kernel system table- Label also chr_file /dev/mtd. * devices as fixed_disk_device_t- Allow syslogd_t domain to create netlink generic sockets- Label /dev/tpmrm[0-9] * as tpm_device_t- Update dev_filetrans_all_named_dev() to allow create event22-30 character files with label event_device_t- Update userdom_security_admin() and userdom_security_admin_template() to allow use auditctl- Allow insmod_t domain to read iptables pid files- Allow systemd to mounton /etc- Allow initrc_domain to mmap all binaries labeled as systemprocess_entry- Allow xserver_t domain to start using systemd socket activation- Tweak SELinux policy for systemd to allow DynamicUsers systemd feature- Associate several proc labels to fs_t- Update init_named_socket_activation() interface to allow systemd also create link files in /var/run * Tue Aug 21 2018 Lukas Vrabec - 3.14.1-37- Dontaudit abrt_t domain to write to usr_t dirs- Revert \"Allow rpcbind to bind on all unreserved udp ports\"- Allow rpcbind to bind on all unreserved udp ports- Allow virtlogd to execute itself- Allow stapserver several actions: - execute own tmp files - mmap stapserver_var_lib_t files - create stapserver_tmpfs_t files- Allow ypxfr_t domain to stream connect to rpcbind and allos search sssd libs- Allos systemd to socket activate ibacm service- Allow dirsrv_t domain to mmap user_t files- Allow kdumpctl_t domain to manage kdumpctl_tmp_t fifo files- Allow kdumpctl to write to files on all levels- Allow httpd_t domain to mmap httpd_config_t files- Allow sanlock_t domain to connectto to unix_stream_socket- Revert \"Add same context for symlink as binary\"- Allow mysql execute rsync- Update nfsd_t policy because of ganesha features- Allow conman to getattr devpts_t- Allow tomcat_domain to connect to smtp ports- Allow tomcat_t domain to mmap tomcat_var_lib_t files- Allow nagios_t domain to mmap nagios_log_t files- Allow kpropd_t domain to mmap krb5kdc_principal_t files- Allow kdumpctl_t domain to read fixed disk storage- Allow xserver_t domain to start using systemd socket activation- Tweak SELinux policy for systemd to allow DynamicUsers systemd feature- Associate several proc labels to fs_t- Update init_named_socket_activation() interface to allow systemd also create link files in /var/run- Fix typo in syslogd policy- Update syslogd policy to make working elasticsearch- Label tcp and udp ports 9200 as wap_wsp_port- Allow few domains to rw inherited kdumpctl tmp pipes * Mon Aug 13 2018 Lukas Vrabec - 3.14.1-36- Add missing tarball from sourcesResolves: rhbz#1615312 * Mon Aug 13 2018 Daniel Kopeček - 3.14.1-35- Use explicit path BuildRequires to get /usr/bin/python3 inside the buildrootResolves: rhbz#1615312 * Fri Aug 10 2018 Lukas Vrabec - 3.14.1-34- Fix issue with aliases in apache interface fileResolves: rhbz#1596618- Add same context for symlink as binary- Allow boltd_t to send logs to journal- Allow colord_use_nfs to allow colord also mmap nfs_t files- Allow mysqld_safe_t do execute itself- Allow smbd_t domain to chat via dbus with avahi daemon- cupsd_t domain will create /etc/cupsd/ppd as cupsd_etc_rw_t- Update screen_role_template to allow caller domain to have screen_exec_t as entrypoint do new domain- Add alias httpd__script_t to _script_t to make sepolicy generate working- Allow gpg_t domain to mmap gpg_agent_tmp_t files- Allow kprop_t domain to read network state- Add support boltd policy- Allow kpropd domain to exec itself- Allow pdns_t to bind on tcp transproxy port- Add support for opafm service- Allow hsqldb_t domain to read cgroup files- Allow rngd_t domain to read generic certs- Allow innd_t domain to mmap own var_lib_t files- Update screen_role_temaplate interface- Allow chronyd_t domain to mmap own tmpfs files- Allow chronyd_t domain to mmap own tmpfs files- label /var/lib/pgsql/data/log as postgresql_log_t- Allow sysadm_t domain to accept socket- Allow systemd to manage passwd_file_t- Allow sshd_t domain to mmap user_tmp_t files- Allow systemd to mounont boltd lib dirs- Allow sysadm_t domain to create rawip sockets- Allow sysadm_t domain to listen on socket- Update sudo_role_template() to allow caller domain also setattr generic ptys * Sun Jul 29 2018 Lukas Vrabec - 3.14.1-33- Allow sblim_sfcbd_t domain to mmap own tmpfs files- Allow nfsd_t domain to read krb5 keytab files- Allow nfsd_t domain to manage fadm pid files- Allow virt_domain to create icmp sockets BZ(1609142)- Dontaudit oracleasm_t domain to request sys_admin capability- Update logging_manage_all_logs() interface to allow caller domain map all logfiles * Thu Jul 26 2018 Lukas Vrabec - 3.14.1-32- Allow aide to mmap all files- Revert \"Allow firewalld_t do read iptables_var_run_t files\"- Revert \"Allow firewalld to create rawip sockets\"- Allow svirt_tcg_t domain to read system state of virtd_t domains- Update rhcs contexts to reflects the latest fenced changes- Allow httpd_t domain to rw user_tmp_t files- Fix typo in openct policy- Allow winbind_t domian to connect to all ephemeral ports- Allow firewalld_t do read iptables_var_run_t files- Allow abrt_t domain to mmap data_home files- Allow glusterd_t domain to mmap user_tmp_t files- Allow mongodb_t domain to mmap own var_lib_t files- Allow firewalld to read kernel usermodehelper state- Allow modemmanager_t to read sssd public files- Allow openct_t domain to mmap own var_run_t files- Allow nnp transition for devicekit daemons- Allow firewalld to create rawip sockets- Allow firewalld to getattr proc filesystem- Dontaudit sys_admin capability for pcscd_t domain- Revert \"Allow pcsd_t domain sys_admin capability\"- Allow fetchmail_t domain to stream connect to sssd- Allow pcsd_t domain sys_admin capability- Allow cupsd_t to create cupsd_etc_t dirs- Allow varnishlog_t domain to list varnishd_var_lib_t dirs- Allow mongodb_t domain to read system network state BZ(1599230)- Allow zoneminder_t to getattr of fs_t- Allow tgtd_t domain to create dirs in /var/run labeled as tgtd_var_run_t BZ(1492377)- Allow iscsid_t domain to mmap sysfs_t files- Allow httpd_t domain to mmap own cache files- Add sys_resource capability to nslcd_t domain- Fixed typo in logging_audisp_domain interface- Add interface files_mmap_all_files()- Add interface iptables_read_var_run()- Allow systemd to mounton init_var_run_t files- Update policy rules for auditd_t based on changes in audit version 3- Allow systemd_tmpfiles_t do mmap system db files- Don\'t setup unlabeled_t as an entry_type- Allow unconfined_service_t to transition to container_runtime_t- Improve domain_transition_pattern to allow mmap entrypoint bin file. * Wed Jul 18 2018 Lukas Vrabec - 3.14.1-31- Allow cupsd_t domain to mmap cupsd_etc_t files- Allow kadmind_t domain to mmap krb5kdc_principal_t- Allow virtlogd_t domain to read virt_etc_t link files- Allow dirsrv_t domain to read crack db- Dontaudit pegasus_t to require sys_admin capability- Allow mysqld_t domain to exec mysqld_exec_t binary files- Allow abrt_t odmain to read rhsmcertd lib files- Allow winbind_t domain to request kernel module loads- Allow tomcat_domain to read cgroup_t files- Allow varnishlog_t domain to mmap varnishd_var_lib_t files- Allow innd_t domain to mmap news_spool_t files- Label HOME_DIR/mozilla.pdf file as mozilla_home_t instead of user_home_t- Allow fenced_t domain to reboot- Allow amanda_t domain to read network system state- Allow abrt_t domain to read rhsmcertd logs- Fix typo in radius policy- Update zoneminder policy to reflect latest features in zoneminder BZ(1592555)- Label /usr/bin/esmtp-wrapper as sendmail_exec_t- Update raid_access_check_mdadm() interface to dontaudit caller domain to mmap mdadm_exec_t binary files- Dontaudit thumb to read mmap_min_addr- Allow chronyd_t to send to system_cronjob_t via unix dgram socket BZ(1494904)- Allow mpd_t domain to mmap mpd_tmpfs_t files BZ(1585443)- Allow collectd_t domain to use ecryptfs files BZ(1592640)- Dontaudit mmap home type files for abrt_t domain- Allow fprintd_t domain creating own tmp files BZ(1590686)- Allow collectd_t domain to bind on bacula_port_t BZ(1590830)- Allow fail2ban_t domain to getpgid BZ(1591421)- Allow nagios_script_t domain to mmap nagios_log_t files BZ(1593808)- Allow pcp_pmcd_t domain to use sys_ptrace usernamespace cap- Allow sssd_selinux_manager_t to read/write to systemd sockets BZ(1595458)- Allow radiusd_t domain to mmap radius_etc_rw_t files- Allow git_script_t domain to read and mmap gitosis_var_lib_t files BZ(1591729)- Add dac_read_search capability to thumb_t domain- Add dac_override capability to cups_pdf_t domain BZ(1594271)- Add net_admin capability to connntrackd_t domain BZ(1594221)- Allow gssproxy_t domain to domtrans into gssd_t domain BZ(1575234)- Fix interface init_dbus_chat in oddjob SELinux policy BZ(1590476)- Allow motion_t to mmap video devices BZ(1590446)- Add dac_override capability to mpd_t domain BZ(1585358)- Allow fsdaemon_t domain to write to mta home files BZ(1588212)- Allow virtlogd_t domain to chat via dbus with systemd_logind BZ(1589337)- Allow sssd_t domain to write to general cert files BZ(1589339)- Allow l2tpd_t domain to sends signull to ipsec domains BZ(1589483)- Allow cockpit_session_t to read kernel network state BZ(1596941)- Allow devicekit_power_t start with nnp systemd security feature with proper SELinux Domain transition BZ(1593817)- Allows systemd to get attribues of core kernel interface BZ(1596928)- Dontaudit syslogd to watching top llevel dirs when imfile module is enabled- Revert \"Allow unconfined and sysadm users to use bpftool BZ(1591440)\"- Allow userdomain sudo domains to use generic ptys- Allow systemd labeled as init_t to get sysvipc info BZ(1600877)- Label /sbin/xtables-legacy-multi and /sbin/xtables-nft-multi as iptables_exec_t BZ(1600690)- Remove duplicated userdom_delete_user_home_content_files- Add systemd_dbus_chat_resolved interface- Allow load_policy_t domain to read/write to systemd sockets BZ(1582812)- Add new interface init_prog_run_bpf()- Allow unconfined and sysadm users to use bpftool BZ(1591440)- Label /run/cockpit/motd as etc_t BZ(1584167)- Allow systemd_machined_t domain to sendto syslogd_t over unix dgram sockets- Add interface userdom_dontaudit_mmap_user_home_content_files()- Allow systemd to listen bluetooth sockets BZ(1592223)- Allow systemd to remove user_home_t files BZ(1418463)- Allow xdm_t domain to mmap and read cert_t files BZ(1553761)- Allow nsswitch_domain to mmap passwd_file_t files BZ(1518655)- Allow systemd to delete user temp files BZ(1595189)- Allow systemd to mounton core kernel interface- Add dac_override capability to ipsec_t domain BZ(1589534)- Allow systemd domain to mmap lvm config files BZ(1594584)- Allow systemd to write systemd_logind_inhibit_var_run_t fifo files- Allow systemd_modules_load_t to access unabeled infiniband pkeys * Fri Jun 29 2018 Lukas Vrabec - 3.14.1-30- Add ibacm policy- Label /usr/sbin/rhn_check-[0-9]+.[0-9]+ as rpm_exec_t- Allow kdumpgui_t domain to allow execute and mmap all binaries labeled as kdumpgui_tmp_t- Allow rpm to check if SELinux will check original protection mode or modified protection mode (read-implies-exec) for mmap/mprotect. Allow rpm to reload systemd services- Allow crond_t domain to create netlink selinux sockets and dac_override cap.- Allow radiusd_t domain to have dac_override capability- Allow amanda_t domain to have setgid capability- Allow psad domain to setrlimit. Allow psad domain to stream connect to dbus Allow psad domain to exec journalctl_exec_t binary- Update cups_filetrans_named_content() to allow caller domain create ppd directory with cupsd_etc_rw_t label- Allow abrt_t domain to write to rhsmcertd pid files- Allow pegasus_t domain to eexec lvm binaries and allow read/write access to lvm control- Add vhostmd_t domain to read/write to svirt images- Update kdump_manage_kdumpctl_tmp_files() interface to allow caller domain also mmap kdumpctl_tmp_t files- Allow sssd_t and slpad_t domains to mmap generic certs- Allow chronyc_t domain use inherited user ttys- Allow stapserver_t domain to mmap own tmp files- Update nscd_dontaudit_write_sock_file() to dontaudit also stream connect to nscd_t domain- Merge pull request #60 from vmojzis/rawhide- Allow tangd_t domain stream connect to sssd- Allow oddjob_t domain to chat with systemd via dbus- Allow freeipmi domains to mmap sysfs files- Fix typo in logwatch interface file- Allow spamd_t to manage logwatch_cache_t files/dirs- Allow dnsmasw_t domain to create own tmp files and manage mnt files- Allow fail2ban_client_t to inherit rlimit information from parent process- Allow nscd_t to read kernel sysctls- Label /var/log/conman.d as conman_log_t- Add dac_override capability to tor_t domain- Allow certmonger_t to readwrite to user_tmp_t dirs- Allow abrt_upload_watch_t domain to read general certs- Allow chornyd_t read phc2sys_t shared memory- Add several allow rules for pesign policy:- Add setgid and setuid capabilities to mysqlfd_safe_t domain- Add tomcat_can_network_connect_db boolean- Update virt_use_sanlock() boolean to read sanlock state- Add sanlock_read_state() interface- Allow zoneminder_t to getattr of fs_t- Allow rhsmcertd_t domain to send signull to postgresql_t domain- Add log file type to collectd and allow corresponding access- Allow policykit_t domain to dbus chat with dhcpc_t- Adding new boolean keepalived_connect_any()- Allow amanda to create own amanda_tmpfs_t files- Allow gdomap_t domain to connect to qdomap_port_t- /usr/libexec/bluetooth/obexd should have only obexd_exec_t instead of bluetoothd_exec_t type- Allow ntop_t domain to create/map various sockets/files.- Enable the dictd to communicate via D-bus.- Allow inetd_child process to chat via dbus with abrt- Allow zabbix_agent_t domain to connect to redis_port_t- Allow rhsmcertd_t domain to read xenfs_t files- Allow zabbix_agent_t to run zabbix scripts- Fix openvswith SELinux module- Fix wrong path in tlp context file BZ(1586329)- Update brltty SELinux module- Allow rabbitmq_t domain to create own tmp files/dirs- Allow policykit_t mmap policykit_auth_exec_t files- Allow ipmievd_t domain to read general certs- Add sys_ptrace capability to pcp_pmie_t domain- Allow squid domain to exec ldconfig- Update gpg SELinux policy module- Allow mailman_domain to read system network state- Allow openvswitch_t domain to read neutron state and read/write fixed disk devices- Allow antivirus_domain to read all domain system state- Allow targetd_t domain to red gconf_home_t files/dirs- Label /usr/libexec/bluetooth/obexd as obexd_exec_t- Allow init_t domain to create netlink rdma sockets for ibacm policy- Update corecmd_exec_shell() interface to allow caller domain to mmap shell_exec_t files- Allow lvm_t domain to write files to all mls levels- Add to su_role_template allow rule for creating netlink_selinux sockets- Allow sysadm_t domain to mmap hwdb db- Allow udev_t domain to mmap kernel modules- Allow sysadm_screen_t to have capability dac_override and chown- Allow sysadm_t domain to mmap journal- Merge branch \'rawhide\' of github.com:fedora-selinux/selinux-policy into rawhide- Label /etc/systemd/system.control/ dir as systemd_unit_file_t- Merge pull request #215 from bachradsusi/merge-conf-from-fedora- Allow sysadm_t and staff_t domains to use sudo io logging- Allow sysadm_t domain create sctp sockets- Add snapperd_contexts to the policy- Use system_u:system_r:unconfined_t:s0 in userhelper_context- Remove unneeded system_u seusers mapping.- Fedora targeted default user is unconfined_u, root is unconfined_u as well- Update config to reflect changes in default context for SELinux users related to pam_selinux.so which is now used in systemd-users.- Change failsafe_context to unconfined_r:unconfined_t:s0- Update lxc_contexts from Fedora config.tgz- Add lxc_contexts config file- Allow traceroute_t domain to exec bin_t binaries- Allow systemd_passwd_agent_t domain to list sysfs Allow systemd_passwd_agent_t domain to dac_override- Add new interface dev_map_sysfs()- Allow sshd_keygen_t to execute plymouthd- Allow systemd_networkd_t create and relabel tun sockets- Add new interface postgresql_signull()- Merge pull request #214 from wrabcak/fb-dhcpc- Allow dhcpc_t creating own socket files inside /var/run/ Allow dhcpc_t creating netlink_kobject_uevent_socket, netlink_generic_socket, rawip_socket BZ(1585971)- Allow confined users get AFS tokens- Allow sysadm_t domain to chat via dbus- Associate sysctl_kernel_t type with filesystem attribute * Fri Jun 08 2018 Lukas Vrabec - 3.14.1-29- Fix typos in zabbix.te file- Add missing requires- Allow tomcat domain sends email- Fix typo in sge policy- Allow certmonger to sends emails- Allow tomcat_t do mmap tomcat_tmp_t files- Improve sge_rw_tcp_sockets interface- Adding new interface: sge_rw_tcp_sockets()- Update sge_execd_t domain with few rules- Add new zabbix_run_sudo boolean- Allow virtual machines to manage cephfs filesystems.- Allow rhsmcertd_t domain to read sssd public files and stream connect to sssd- Add dac_override capability to sendmail_t domain- Fix typo in netutils.te file- Update traceroute_t domain to allow create dccp sockets- Update ssh_keysign policy- Allow sshd_t domain to read/write sge tcp sockets * Wed Jun 06 2018 Lukas Vrabec - 3.14.1-28- Update ctdb domain to support gNFS setup- Allow authconfig_t dbus chat with policykit- Allow lircd_t domain to read system state- Revert \"Allow fsdaemon_t do send emails BZ(1582701)\"- Typo in uuidd policy- Allow tangd_t domain read certs- Allow vpnc_t domain to read configfs_t files/dirs BZ(1583107)- Allow vpnc_t domain to read generic certs BZ(1583100)- Label /var/lib/phpMyAdmin directory as httpd_sys_rw_content_t BZ(1584811)- Allow NetworkManager_ssh_t domain to be system dbud client- Allow virt_qemu_ga_t read utmp- Add capability dac_override to system_mail_t domain- Update uuidd policy to reflect last changes from base branch- Add cap dac_override to procmail_t domain- Allow sendmail to mmap etc_aliases_t files BZ(1578569)- Add new interface dbus_read_pid_sock_files()- Allow mpd_t domain read config_home files if mpd_enable_homedirs boolean will be enabled- Allow fsdaemon_t do send emails BZ(1582701)- Allow firewalld_t domain to request kernel module BZ(1573501)- Allow chronyd_t domain to send send msg via dgram socket BZ(1584757)- Add sys_admin capability to fprint_t SELinux domain- Allow cyrus_t domain to create own files under /var/run BZ(1582885)- Allow cachefiles_kernel_t domain to have capability dac_override- Update policy for ypserv_t domain- Allow zebra_t domain to bind on tcp/udp ports labeled as qpasa_agent_port_t- Allow cyrus to have dac_override capability- Dontaudit action when abrt-hook-ccpp is writing to nscd sockets- Fix homedir polyinstantion under mls- Fixed typo in init.if file- Allow systemd to remove generic tmpt files BZ(1583144)- Update init_named_socket_activation() interface to also allow systemd create objects in /var/run with proper label during socket activation- Allow systemd-networkd and systemd-resolved services read system-dbusd socket BZ(1579075)- Fix typo in authlogin SELinux security module- Allod nsswitch_domain attribute to be system dbusd client BZ(1584632)- Allow audisp_t domain to mmap audisp_exec_t binary- Update ssh_domtrans_keygen interface to allow mmap ssh_keygen_exec_t binary file- Label tcp/udp ports 2612 as qpasa_agetn_port_t * Sat May 26 2018 Lukas Vrabec - 3.14.1-27- Add dac_override to exim policy BZ(1574303)- Fix typo in conntrackd.fc file- Allow sssd_t to kill sssd_selinux_manager_t- Allow httpd_sys_script_t to connect to mongodb_port_t if boolean httpd_can_network_connect_db is turned on- Allow chronyc_t to redirect ourput to /var/lib /var/log and /tmp- Allow policykit_auth_t to read udev db files BZ(1574419)- Allow varnishd_t do be dbus client BZ(1582251)- Allow cyrus_t domain to mmap own pid files BZ(1582183)- Allow user_mail_t domain to mmap etc_aliases_t files- Allow gkeyringd domains to run ssh agents- Allow gpg_pinentry_t domain read ssh state- Allow gpg_agent_t to send msgs to syslog/journal- Add dac_override capability to dovecot_t domain- Allow nscd_t domain to mmap system_db_t files- Allow tangd_t domain to create tcp sockets and add new interface tangd_read_db_files- Allow mailman_mail_t domain to search for apache configs- Allow mailman_cgi_t domain to ioctl an httpd with a unix domain stream sockets.- Improve procmail_domtrans() to allow mmaping procmail_exec_t- Allow ptrace arbitrary processes- Allow jabberd_router_t domain read kerberos keytabs BZ(1573945)- Allow certmonger to geattr of filesystems BZ(1578755)- Allow hypervvssd_t domain to read fixed disk devices- Allow several domains to manage ecryptfs_t filesystem- Allow userdom_use_user_ttys for loadkeys_t domain- Add dac_override capability to cachefiles_kernel_t domain- Allow blueman to execute ldconfig BZ(1577581)- Allow gpg_pinentry_t domain to read state of gpg_t processes- Add dac_override capability to cgconfig_t domain BZ(1574649)- Add dac_override to glusterd_t domain BZ(1578501)- Allow fsdaemon_t to create own fsdaemon_var_lib_t dirs BZ(1569724)- Allow plymouth_t domain to read/write systemd sockets BZ(1578882)- Allow use of U2F Yubikey as authentication for a sudo command BZ(1578915)- Append map permission to apache_read_modules() interface- Allow certwatch_t domain to getattr of extended attributes fs_t filesystem- Add new interface: dirsrv_noatsecure()- Add dac_override capability to remote_login_t domain- Allow chrome_sandbox_t to mmap tmp files- Update ulogd SELinux security policy- Allow sysadm_u use xdm- Allow xdm_t domain to listen ofor unix dgram sockets BZ(1581495)- Add interface ssh_read_state()- Fix typo in sysnetwork.if file- Update dev_map_xserver_misc interface to allo mmaping char devices instead of files- Allow noatsecure permission for all domain transitions from systemd.- Allow systemd to read tangd db files- Fix typo in ssh.if file- Allow xdm_t domain to mmap xserver_misc_device_t files- Allow xdm_t domain to execute systemd-coredump binary- Add bridge_socket, dccp_socket, ib_socket and mpls_socket to socket_class_set- Improve modutils_domtrans_insmod() interface to mmap insmod_exec_t binaries- Improve iptables_domtrans() interface to allow mmaping iptables_exec_t binary- Improve auth_domtrans_login_programinterface to allow also mmap login_exec_t binaries- Improve auth_domtrans_chk_passwd() interface to allow also mmaping chkpwd_exec_t binaries.- Allow mmap dhcpc_exec_t binaries in sysnet_domtrans_dhcpc interface- Improve running xorg with proper SELinux domain even if systemd security feature NoNewPrivileges is used- Associate sysctl_vm_overcommit_t with fs_t- Allow systemd creating bluetooth sockets- Allow ssh client to read network sysctl BZ(1574170)- Allow systemd_resolved_t and systemd_networkd_t to read dbus pid files- Allow sysadm user to sys_ptrace cap_userns- Allow udev execute /usr/libexec/gdm-disable-wayland in xdm_t domain which allows create /run/gdm/custom.conf with proper xdm_var_run_t label.- Allow ssh client to read network state BZ(1574174)- Allow ssh basic client to read/write to tun tap devices BZ(1574184)- Allow ssh basic client to create tun sockets BZ(1574186)- Disable secure mode environment cleansing for dirsrv_t * Mon May 21 2018 Lukas Vrabec - 3.14.1-26- Disable secure mode environment cleansing for dirsrv_t- - Allow udev execute /usr/libexec/gdm-disable-wayland in xdm_t domain which allows create /run/gdm/custom.conf with proper xdm_var_run_t label. * Mon May 21 2018 Lukas Vrabec - 3.14.1-25- Add dac_override capability to remote_login_t domain- Allow chrome_sandbox_t to mmap tmp files- Update ulogd SELinux security policy- Allow rhsmcertd_t domain send signull to apache processes- Allow systemd socket activation for modemmanager- Allow geoclue to dbus chat with systemd- Fix file contexts on conntrackd policy- Temporary fix for varnish and apache adding capability for DAC_OVERRIDE- Allow lsmd_plugin_t domain to getattr lsm_t unix stream sockets- Add label for /usr/sbin/pacemaker-remoted to have cluster_exec_t- Allow nscd_t domain to be system dbusd client- Allow abrt_t domain to read sysctl- Add dac_read_search capability for tangd- Allow systemd socket activation for rshd domain- Add label for /usr/libexec/cyrus-imapd/master as cyrus_exec_t to have proper SELinux domain transition from init_t to cyrus_t- Allow kdump_t domain to map /boot files- Allow conntrackd_t domain to send msgs to syslog- Label /usr/sbin/nhrpd and /usr/sbin/pimd binaries as zebra_exec_t- Allow swnserve_t domain to stream connect to sasl domain- Allow smbcontrol_t to create dirs with samba_var_t label- Remove execstack,execmem and execheap from domains setroubleshootd_t, locate_t and podsleuth_t to increase security. BZ(1579760)- Allow tangd to read public sssd files BZ(1509054)- Allow geoclue start with nnp systemd security feature with proper SELinux Domain transition BZ(1575212)- Allow ctdb_t domain modify ctdb_exec_t files- Allow firewalld_t domain to create netlink_netfilter sockets- Allow radiusd_t domain to read network sysctls- Allow pegasus_t domain to mount tracefs_t filesystem- Allow psad_t domain to read all domains state- Allow tomcat_t domain to connect to mongod_t tcp port- Allow dovecot and postfix to connect to systemd stream sockets- Make nmbd_t domain dbus system client BZ(1569856)- Merge pull request #55 from SISheogorath/fix/tlp-policy- Merge pull request #54 from tmzullinger/rawhide- Allow also listing system_dbusd_var_run_t dirs in dbusd_read_pid_files macro BZ(1566168)- Allow gssproxy_t domain to read gssd_t state BZ(1572945)- Allow create systemd to mount pid files- Add files_map_boot_files() interface- Remove execstack,execmem and execheap from domain fsadm_t to increase security. BZ(1579760)- Fix typo xserver SELinux module- Allow systemd to mmap files with var_log_t label- Allow x_userdomains read/write to xserver session- Allow users staff and sysadm to run wireshark on own domain- Fix typos s/xserver/xdm/ for allow creating xserver misc devices- Allow systemd-bootchart to create own tmpfs files- Merge pull request #213 from tmzullinger/rawhide- Allow xdm_t domain to install Nouveau drivers BZ(1570996) * Sat Apr 28 2018 Lukas Vrabec - 3.14.1-24- Allow unconfined_domain_type to create libs filetrans named content BZ(1513806) * Fri Apr 27 2018 Lukas Vrabec - 3.14.1-23- Allow dnssec_trigger_t domain to read system network state BZ(1570205)- Add dac_override capability to mailman_mail_t domain- Add dac_override capability to radvd_t domain- Update openvswitch policy- Add dac_override capability to oddjob_homedir_t domain- Allow slapd_t domain to mmap slapd_var_run_t files- Rename tang policy to tangd- Allow virtd_t domain to relabel virt_var_lib_t files- Allow logrotate_t domain to stop services via systemd- Add tang policy- Allow mozilla_plugin_t to create mozilla.pdf file in user homedir with label mozilla_home_t- Allow snapperd_t daemon to create unlabeled dirs.- Make httpd_var_run_t mountpoint- Allow hsqldb_t domain to mmap own temp files- We have inconsistency in cgi templates with upstream, we use _content_t, but refpolicy use httpd__content_t. Created aliasses to make it consistence- Allow Openvswitch adding netdev bridge ovs 2.7.2.10 FDP- Add new Boolean tomcat_use_execmem- Allow nfsd_t domain to read/write sysctl fs files- Allow conman to read system state- Allow brltty_t domain to be dbusd system client- Allow zebra_t domain to bind on babel udp port- Allow freeipmi domain to read sysfs_t files- Allow targetd_t domain mmap lvm config files- Allow abrt_t domain to manage kdump crash files- gnome_data_filetrans macro should be in optional block- Allow netutils_t domain to create bluetooth sockets- Allow traceroute to bind on generic sctp node- Allow traceroute to search network sysctls- Allow systemd to use virtio console- Label /dev/op_panel and /dev/opal-prd as opal_device_t- Label /run/ebtables.lock as iptables_var_run_t- Allow udev_t domain to manage udev_rules_t char files.- Assign babel_port_t label to udp port 6696- Add new interface lvm_map_config- Merge pull request #212 from stlaz/patch-1- Allow local_login_t reads of udev_var_run_t context * Wed Apr 18 2018 Lukas Vrabec - 3.14.1-22- Allow networkmanager domain to write to ecryptfs_t files BZ(1566706)- Allow l2tpd domain to stream connect to sssd BZ(1568160)- Dontaudit abrt_t to write to lib_t dirs BZ(1566784)- Allow NetworkManager_ssh_t domain transition to insmod_t BZ(1567630) * Mon Apr 16 2018 Lukas Vrabec - 3.14.1-21- Allow certwatch to manage cert files BZ(1561418)- Allow abrt_dump_oops_t domain to mmap all non security files BZ(1565748)- Allow gpg_t domain mmap cert_t files Allow gpg_t mmap gpg_agent_t files- Allow NetworkManager_ssh_t domain use generic ptys. BZ(1565851)- Allow pppd_t domain read/write l2tpd pppox sockets BZ(1566096)- Allow xguest user use bluetooth sockets if xguest_use_bluetooth boolean is turned on.- Allow pppd_t domain creating pppox sockets BZ(1566271)- Allow abrt to map var_lib_t files- Allow chronyc to read system state BZ(1565217)- Allow keepalived_t domain to chat with systemd via dbus- Allow git to mmap git_(sys|user)_content_t files BZ(1518027)- removed boinc dev_getattr_ *_dev- Allow iptables_t domain to create dirs in etc_t with system_conf_t labels- Allow x userdomain to mmap xserver_tmpfs_t files- Allow sysadm_t to mount tracefs_t- Allow unconfined user all perms under bpf class BZ(1565738)- Allow SELinux users (except guest and xguest) to using bluetooth sockets- Add new interface files_map_var_lib_files()- Allow user_t and staff_t domains create netlink tcpdiag sockets- Allow systemd-networkd to read sysctl_t files- Allow systemd_networkd_t to read/write tun tap devices- refpolicy: Update for kernel sctp support * Sat Apr 07 2018 Lukas Vrabec - 3.14.1-20- Add new boolean redis_enable_notify()- Label /var/log/shibboleth-www(/. *) as httpd_sys_rw_content_t- Add new label for vmtools scripts and label it as vmtools_unconfined_t stored in /etc/vmware-tools/- Allow svnserve_t domain to manage kerberos rcache and read krb5 keytab- Add dac_override and dac_read_search capability to hypervvssd_t domain- Label /usr/lib/systemd/systemd-fence_sanlockd as fenced_exec_t- Allow samba to create /tmp/host_0 as krb5_host_rcache_t- Add dac_override capability to fsdaemon_t BZ(1564143)- Allow abrt_t domain to map dos files BZ(1564193)- Add dac_override capability to automount_t domain- Allow keepalived_t domain to connect to system dbus bus- Allow nfsd_t to read nvme block devices BZ(1562554)- Allow lircd_t domain to execute bin_t files BZ(1562835)- Allow l2tpd_t domain to read sssd public files BZ(1563355)- Allow logrotate_t domain to do dac_override BZ(1539327)- Remove labeling for /etc/vmware-tools to bin_t it should be vmtools_unconfined_exec_t- Add capability sys_resource to systemd_sysctl_t domain- Label all /dev/rbd * devices as fixed_disk_device_t- Allow xdm_t domain to mmap xserver_log_t files BZ(1564469)- Allow local_login_t domain to rread udev db- Allow systemd_gpt_generator_t to read /dev/random device- add definition of bpf class and systemd perms * Thu Mar 29 2018 Lukas Vrabec - 3.14.1-19- Allow accountsd_t domain to dac override BZ(1561304)- Allow cockpit_ws_t domain to read system state BZ(1561053)- Allow postfix_map_t domain to use inherited user ptys BZ(1561295)- Allow abrt_dump_oops_t domain dac override BZ(1561467)- Allow l2tpd_t domain to run stream connect for sssd_t BZ(1561755)- Allow crontab domains to do dac override- Allow snapperd_t domain to unmount fs_t filesystems- Allow pcp processes to read fixed_disk devices BZ(1560816)- Allow unconfined and confined users to use dccp sockets- Allow systemd to manage bpf dirs/files- Allow traceroute_t to create dccp_sockets * Mon Mar 26 2018 Lukas Vrabec - 3.14.1-18Fedora Atomic host using for temp files /sysroot/tmp patch, we should label same as /tmp adding file context equivalence BZ(1559531) * Sun Mar 25 2018 Lukas Vrabec - 3.14.1-17- Allow smbcontrol_t to mmap samba_var_t files and allow winbind create sockets BZ(1559795)- Allow nagios to exec itself and mmap nagios spool files BZ(1559683)- Allow nagios to mmap nagios config files BZ(1559683)- Fixing Ganesha module- Fix typo in NetworkManager module- Fix bug in gssproxy SELinux module- Allow abrt_t domain to mmap container_file_t files BZ(1525573)- Allow networkmanager to be run ssh client BZ(1558441)- Allow pcp domains to do dc override BZ(1557913)- Dontaudit pcp_pmie_t to reaquest lost kernel module- Allow pcp_pmcd_t to manage unpriv userdomains semaphores BZ(1554955)- Allow httpd_t to read httpd_log_t dirs BZ(1554912)- Allow fail2ban_t to read system network state BZ(1557752)- Allow dac override capability to mandb_t domain BZ(1529399)- Allow collectd_t domain to mmap collectd_var_lib_t files BZ(1556681)- Dontaudit bug in kernel 4.16 when domains requesting loading kernel modules BZ(1555369)- Add Domain transition from gssproxy_t to httpd_t domains BZ(1548439)- Allow httpd_t to mmap user_home_type files if boolean httpd_read_user_content is enabled BZ(1555359)- Allow snapperd to relabel snapperd_data_t- Improve bluetooth_stream_socket interface to allow caller domain also send bluetooth sockets- Allow tcpd_t bind on sshd_port_t if ssh_use_tcpd() is enabled- Allow insmod_t to load modules BZ(1544189)- Allow systemd_rfkill_t domain sys_admin capability BZ(1557595)- Allow systemd_networkd_t to read/write tun tap devices- Add shell_exec_t file as domain entry for init_t- Label also /run/systemd/resolved/ as systemd_resolved_var_run_t BZ(1556862)- Dontaudit kernel 4.16 bug when lot of domains requesting load kernel module BZ(1557347)- Improve userdom_mmap_user_home_content_files- Allow systemd_logind_t domain to setattributes on fixed disk devices BZ(1555414)- Dontaudit kernel 4.16 bug when lot of domains requesting load kernel module- Allow semanage_t domain mmap usr_t files- Add new boolean: ssh_use_tcpd() * Wed Mar 21 2018 Lukas Vrabec - 3.14.1-16- Improve bluetooth_stream_socket interface to allow caller domain also send bluetooth sockets- Allow tcpd_t bind on sshd_port_t if ssh_use_tcpd() is enabled- Allow semanage_t domain mmap usr_t files- Add new boolean: ssh_use_tcpd() * Tue Mar 20 2018 Lukas Vrabec - 3.14.1-15- Update screen_role_template() to allow also creating sockets in HOMEDIR/screen/- Allow newrole_t dacoverride capability- Allow traceroute_t domain to mmap packet sockets- Allow netutils_t domain to mmap usmmon device- Allow netutils_t domain to use mmap on packet_sockets- Allow traceroute to create icmp packets- Allos sysadm_t domain to create tipc sockets- Allow confined users to use new socket classes for bluetooth, alg and tcpdiag sockets * Thu Mar 15 2018 Lukas Vrabec - 3.14.1-14- Allow rpcd_t domain dac override- Allow rpm domain to mmap rpm_var_lib_t files- Allow arpwatch domain to create bluetooth sockets- Allow secadm_t domain to mmap audit config and log files- Update init_abstract_socket_activation() to allow also creating tcp sockets- getty_t should be ranged in MLS. Then also local_login_t runs as ranged domain.- Add SELinux support for systemd-importd- Create new type bpf_t and label /sys/fs/bpf with this type * Mon Mar 12 2018 Lukas Vrabec - 3.14.1-13- allow bluetooth_t domain to create alg_socket bz(1554410)- allow tor_t domain to execute bin_t files bz(1496274)- allow iscsid_t domain to mmap kernel modules bz(1553759)- update minidlna selinux policy bz(1554087)- allow motion_t domain to read sysfs_t files bz(1554142)- allow snapperd_t domain to getattr on all files,dirs,sockets,pipes bz(1551738)- allow l2tp_t domain to read ipsec config files bz(1545348)- allow colord_t to mmap home user files bz(1551033)- dontaudit httpd_t creating kobject uevent sockets bz(1552536)- allow ipmievd_t to mmap kernel modules bz(1552535)- allow boinc_t domain to read cgroup files bz(1468381)- backport allow rules from refpolicy upstream repo- allow gpg_t domain to bind on all unereserved udp ports- allow systemd to create systemd_rfkill_var_lib_t dirs bz(1502164)- allow netlabel_mgmt_t domain to read sssd public files, stream connect to sssd_t bz(1483655)- allow xdm_t domain to sys_ptrace bz(1554150)- allow application_domain_type also mmap inherited user temp files bz(1552765)- update ipsec_read_config() interface- fix broken sysadm selinux module- allow ipsec_t to search for bind cache bz(1542746)- allow staff_t to send sigkill to mount_t domain bz(1544272)- label /run/systemd/resolve/stub-resolv.conf as net_conf_t bz(1471545)- label ip6tables.init as iptables_exec_t bz(1551463)- allow hostname_t to use usb ttys bz(1542903)- add fsetid capability to updpwd_t domain bz(1543375)- allow systemd machined send signal to all domains bz(1372644)- dontaudit create netlink selinux sockets for unpriv selinux users bz(1547876)- allow sysadm_t to create netlink generic sockets bz(1547874)- allow passwd_t domain chroot- dontaudit confined unpriviliged users setuid capability * Tue Mar 06 2018 Lukas Vrabec - 3.14.1-12- Allow l2tpd_t domain to create pppox sockets- Update dbus_system_bus_client() so calling domain could read also system_dbusd_var_lib_t link files BZ(1544251)- Add interface abrt_map_cache()- Update gnome_manage_home_config() to allow also map permission BZ(1544270)- Allow oddjob_mkhomedir_t domain to be dbus system client BZ(1551770)- Dontaudit kernel bug when several services requesting load kernel module- Allow traceroute and unconfined domains creating sctp sockets- Add interface corenet_sctp_bind_generic_node()- Allow ping_t domain to create icmp sockets- Allow staff_t to mmap abrt_var_cache_t BZ(1544273)- Fix typo bug in dev_map_framebuffer() interface BZ(1551842)- Dontaudit kernel bug when several services requesting load kernel module * Mon Mar 05 2018 Lukas Vrabec - 3.14.1-11- Allow vdagent_t domain search cgroup dirs BZ(1541564)- Allow bluetooth_t domain listen on bluetooth sockets BZ(1549247)- Allow bluetooth domain creating bluetooth sockets BZ(1551577)- pki_log_t should be log_file- Allow gpgdomain to unix_stream socket connectto- Make working gpg agent in gpg_agent_t domain- Dontaudit thumb_t to rw lvm pipes BZ(154997)- Allow start cups_lpd via systemd socket activation BZ(1532015)- Improve screen_role_template Resolves: rhbz#1534111- Dontaudit modemmanager to setpgid. BZ(1520482)- Dontaudit kernel bug when systemd requesting load kernel module BZ(1547227)- Allow systemd-networkd to create netlink generic sockets BZ(1551578)- refpolicy: Define getrlimit permission for class process- refpolicy: Define smc_socket security class- Allow transition from sysadm role into mdadm_t domain.- ssh_t trying to communicate with gpg agent not sshd_t- Allow sshd_t communicate with gpg_agent_t- Allow initrc domains to mmap binaries with direct_init_entry attribute BZ(1545643)- Revert \"Allow systemd_rfkill_t domain to reguest kernel load module BZ(1543650)\"- Revert \"Allow systemd to request load kernel module BZ(1547227)\"- Allow systemd to write to all pidfile socketes because of SocketActivation unit option ListenStream= BZ(1543576)- Add interface lvm_dontaudit_rw_pipes() BZ(154997)- Add interfaces for systemd socket activation- Allow systemd-resolved to create stub-resolv.conf with right label net_conf_t BZ(1547098) * Thu Feb 22 2018 Lukas Vrabec - 3.14.1-10- refpolicy: Define extended_socket_class policy capability and socket classes- Make bluetooth_var_lib_t as mountpoint BZ(1547416)- Allow systemd to request load kernel module BZ(1547227)- Allow ipsec_t domain to read l2tpd pid files- Allow sysadm to read/write trace filesystem BZ(1547875)- Allow syslogd_t to mmap systemd coredump tmpfs files BZ(1547761) * Tue Feb 20 2018 Lukas Vrabec - 3.14.1-9- Fix broken cups Security Module- Allow dnsmasq_t domain dbus chat with unconfined users. BZ(1532079)- Allow geoclue to connect to tcp nmea port BZ(1362118)- Allow pcp_pmcd_t to read mock lib files BZ(1536152)- Allow abrt_t domain to mmap passwd file BZ(1540666)- Allow gpsd_t domain to get session id of another process BZ(1540584)- Allow httpd_t domain to mmap httpd_tmpfs_t files BZ(1540405)- Allow cluster_t dbus chat with systemd BZ(1540163)- Add interface raid_stream_connect()- Allow nscd_t to mmap nscd_var_run_t files BZ(1536689)- Allow dovecot_delivery_t to mmap mail_home_rw_t files BZ(1531911)- Make cups_pdf_t domain system dbusd client BZ(1532043)- Allow logrotate to read auditd_log_t files BZ(1525017)- Improve snapperd SELinux policy BZ(1514272)- Allow virt_domain to read virt_image_t files BZ(1312572)- Allow openvswitch_t stream connect svirt_t- Update dbus_dontaudit_stream_connect_system_dbusd() interface- Allow openvswitch domain to manage svirt_tmp_t sock files- Allow named_filetrans_domain domains to create .heim_org.h5l.kcm-socket sock_file with label sssd_var_run_t BZ(1538210)- Merge pull request #50 from dodys/pkcs- Label tcp and udp ports 10110 as nmea_port_t BZ(1362118)- Allow systemd to access rfkill lib dirs BZ(1539733)- Allow systemd to mamange raid var_run_t sockfiles and files BZ(1379044)- Allow vxfs filesystem to use SELinux labels- Allow systemd to setattr on systemd_rfkill_var_lib_t dirs BZ(1512231)- Allow few services to dbus chat with snapperd BZ(1514272)- Allow systemd to relabel system unit symlink to systemd_unit_file_t. BZ(1535180)- Fix logging as staff_u into Fedora 27- Fix broken systemd_tmpfiles_run() interface * Fri Feb 09 2018 Igor Gnatenko - 3.14.1-8- Escape macros in %changelog * Thu Feb 08 2018 Lukas Vrabec - 3.14.1-7- Label /usr/sbin/ldap-agent as dirsrv_snmp_exec_t- Allow certmonger_t domain to access /etc/pki/pki-tomcat BZ(1542600)- Allow keepalived_t domain getattr proc filesystem- Allow init_t to create UNIX sockets for unconfined services (BZ1543049)- Allow ipsec_mgmt_t execute ifconfig_exec_t binaries Allow ipsec_mgmt_t nnp domain transition to ifconfig_t- Allow ipsec_t nnp transistions to domains ipsec_mgmt_t and ifconfig_t * Tue Feb 06 2018 Lukas Vrabec - 3.14.1-6- Allow openvswitch_t domain to read cpuid, write to sysfs files and creating openvswitch_tmp_t sockets- Add new interface ppp_filetrans_named_content()- Allow keepalived_t read sysctl_net_t files- Allow puppetmaster_t domtran to puppetagent_t- Allow kdump_t domain to read kernel ring buffer- Allow boinc_t to mmap boinc tmpfs files BZ(1540816)- Merge pull request #47 from masatake/keepalived-signal- Allow keepalived_t create and write a file under /tmp- Allow ipsec_t domain to exec ifconfig_exec_t binaries.- Allow unconfined_domain_typ to create pppd_lock_t directory in /var/lock- Allow updpwd_t domain to create files in /etc with shadow_t label * Tue Jan 30 2018 Lukas Vrabec - 3.14.1-5- Allow opendnssec daemon to execute ods-signer BZ(1537971) * Tue Jan 30 2018 Lukas Vrabec - 3.14.1-4- rpm: Label /usr/share/rpm usr_t (ostree/Atomic systems)- Update dbus_role_template() BZ(1536218)- Allow lldpad_t domain to mmap own tmpfs files BZ(1534119)- Allow blueman_t dbus chat with policykit_t BZ(1470501)- Expand virt_read_lib_files() interface to allow list dirs with label virt_var_lib_t BZ(1507110)- Allow postfix_master_t and postfix_local_t to connect to system dbus. BZ(1530275)- Allow system_munin_plugin_t domain to read sssd public files and allow stream connect to ssd daemon BZ(1528471)- Allow rkt_t domain to bind on rkt_port_t tcp BZ(1534636)- Allow jetty_t domain to mmap own temp files BZ(1534628)- Allow sslh_t domain to read sssd public files and stream connect to sssd. BZ(1534624)- Consistently label usr_t for kernel/initrd in /usr- kernel/files.fc: Label /usr/lib/sysimage as usr_t- Allow iptables sysctl load list support with SELinux enforced- Label HOME_DIR/.config/systemd/user/ * user unit files as systemd_unit_file_t BZ(1531864) * Fri Jan 19 2018 Lukas Vrabec - 3.14.1-3- Merge pull request #45 from jlebon/pr/rot-sd-dbus-rawhide- Allow virt_domains to acces infiniband pkeys.- Allow systemd to relabelfrom tmpfs_t link files in /var/run/systemd/units/ BZ(1535180)- Label /usr/libexec/ipsec/addconn as ipsec_exec_t to run this script as ipsec_t instead of init_t- Allow audisp_remote_t domain write to files on all levels * Mon Jan 15 2018 Lukas Vrabec - 3.14.1-2- Allow aide to mmap usr_t files BZ(1534182)- Allow ypserv_t domain to connect to tcp ports BZ(1534245)- Allow vmtools_t domain creating vmware_log_t files- Allow openvswitch_t domain to acces infiniband devices- Allow dirsrv_t domain to create tmp link files- Allow pcp_pmie_t domain to exec itself. BZ(153326)- Update openvswitch SELinux module- Allow virtd_t to create also sock_files with label virt_var_run_t- Allow chronyc_t domain to manage chronyd_keys_t files.- Allow logwatch to exec journal binaries BZ(1403463)- Allow sysadm_t and staff_t roles to manage user systemd services BZ(1531864)- Update logging_read_all_logs to allow mmap all logfiles BZ(1403463)- Add Label systemd_unit_file_t for /var/run/systemd/units/ * Mon Jan 08 2018 Lukas Vrabec - 3.14.1-1- Removed big SELinux policy patches against tresys refpolicy and use tarballs from fedora-selinux github organisation * Mon Jan 08 2018 Lukas Vrabec - 3.13.1-310- Use python3 package in BuildRequires to ensure python version 3 will be used for compiling SELinux policy * Fri Jan 05 2018 Lukas Vrabec - 3.13.1-309- auth_use_nsswitch() interface cannot be used for attributes fixing munin policy- Allow git_script_t to mmap git_user_content_t files BZ(1530937)- Allow certmonger domain to create temp files BZ(1530795)- Improve interface mock_read_lib_files() to include also symlinks. BZ(1530563)- Allow fsdaemon_t to read nvme devices BZ(1530018)- Dontaudit fsdaemon_t to write to admin homedir. BZ(153030)- Update munin plugin policy BZ(1528471)- Allow sendmail_t domain to be system dbusd client BZ(1478735)- Allow amanda_t domain to getattr on tmpfs filesystem BZ(1527645)- Allow named file transition to create rpmrebuilddb dir with proper SELinux context BZ(1461313)- Dontaudit httpd_passwd_t domain to read state of systemd BZ(1522672)- Allow thumb_t to mmap non security files BZ(1517393)- Allow smbd_t to mmap files with label samba_share_t BZ(1530453)- Fix broken sysnet_filetrans_named_content() interface- Allow init_t to create tcp sockets for unconfined services BZ(1366968)- Allow xdm_t to getattr on xserver_t process files BZ(1506116)- Allow domains which can create resolv.conf file also create it in systemd_resolved_var_run_t dir BZ(1530297)- Allow X userdomains to send dgram msgs to xserver_t BZ(1515967)- Add interface files_map_non_security_files() * Thu Jan 04 2018 Lukas Vrabec - 3.13.1-308- Make working SELinux sandbox with Wayland. BZ(1474082)- Allow postgrey_t domain to mmap postgrey_spool_t files BZ(1529169)- Allow dspam_t to mmap dspam_rw_content_t files BZ(1528723)- Allow collectd to connect to lmtp_port_t BZ(1304029)- Allow httpd_t to mmap httpd_squirrelmail_t files BZ(1528776)- Allow thumb_t to mmap removable_t files. BZ(1522724)- Allow sssd_t and login_pgm attribute to mmap auth_cache_t files BZ(1530118)- Add interface fs_mmap_removable_files() * Tue Dec 19 2017 Lukas Vrabec - 3.13.1-307- Allow crond_t to read pcp lib files BZ(1525420)- Allow mozilla plugin domain to mmap user_home_t files BZ(1452783)- Allow certwatch_t to mmap generic certs. BZ(1527173)- Allow dspam_t to manage dspam_rw_conent_t objects. BZ(1290876)- Add interface userdom_map_user_home_files()- Sytemd introduced new feature when journald(syslogd_t) is trying to read symlinks to unit files in /run/systemd/units. This commit label /run/systemd/units/ * as systemd_unit_file_t and allow syslogd_t to read this content. BZ(1527202)- Allow xdm_t dbus chat with modemmanager_t BZ(1526722)- All domains accessing home_cert_t objects should also mmap it. BZ(1519810) * Wed Dec 13 2017 Lukas Vrabec - 3.13.1-306- Allow thumb_t domain to dosfs_t BZ(1517720)- Allow gssd_t to read realmd_var_lib_t files BZ(1521125)- Allow domain transition from logrotate_t to chronyc_t BZ(1436013)- Allow git_script_t to mmap git_sys_content_t BZ(1517541)- Label /usr/bin/mysqld_safe_helper as mysqld_exec_t instead of bin_t BZ(1464803)- Label /run/openvpn-server/ as openvpn_var_run_t BZ(1478642)- Allow colord_t to mmap xdm pid files BZ(1518382)- Allow arpwatch to mmap usbmon device BZ(152456)- Allow mandb_t to read public sssd files BZ(1514093)- Allow ypbind_t stream connect to rpcbind_t domain BZ(1508659)- Allow qpid to map files.- Allow plymouthd_t to mmap firamebuf device BZ(1517405)- Dontaudit pcp_pmlogger_t to sys_ptrace capability BZ(1416611)- Update mta_manage_spool() interface to allow caller domain also mmap mta_spool_t files BZ(1517449)- Allow antivirus_t domain to mmap antivirus_db_t files BZ(1516816)- Allow cups_pdf_t domain to read cupd_etc_t dirs BZ(1516282)- Allow openvpn_t domain to relabel networkmanager tun device BZ(1436048)- Allow mysqld_t to mmap mysqld_tmp_t files BZ(1516899)- Update samba_manage_var_files() interface by adding map permission. BZ(1517125)- Allow pcp_pmlogger_t domain to execute itself. BZ(1517395)- Dontaudit sys_ptrace capability for mdadm_t BZ(1515849)- Allow pulseaudio_t domain to mmap pulseaudio_home_t files BZ(1515956)- Allow bugzilla_script_t domain to create netlink route sockets and udp sockets BZ(1427019)- Add interface fs_map_dos_files()- Update interface userdom_manage_user_home_content_files() to allow caller domain to mmap user_home_t files. BZ(1519729)- Add interface xserver_map_xdm_pid() BZ(1518382)- Add new interface dev_map_usbmon_dev() BZ(1524256)- Update miscfiles_read_fonts() interface to allow also mmap fonts_cache_t for caller domains BZ(1521137)- Allow ipsec_t to mmap cert_t and home_cert_t files BZ(1519810)- Fix typo in filesystem.if- Add interface dev_map_framebuffer()- Allow chkpwd command to mmap /etc/shadow BZ(1513704)- Fix systemd-resolved to run properly with SELinux in enforcing state BZ(1517529)- Allow thumb_t domain to mmap fusefs_t files BZ(1517517)- Allow userdom_home_reader_type attribute to mmap cifs_t files BZ(1517125)- Add interface fs_map_cifs_files()- Merge pull request #207 from rhatdan/labels- Merge pull request #208 from rhatdan/logdir- Allow domains that manage logfiles to man logdirs * Fri Nov 24 2017 Lukas Vrabec - 3.13.1-305- Make ganesha nfs server * Tue Nov 21 2017 Lukas Vrabec - 3.13.1-304- Add interface raid_relabel_mdadm_var_run_content()- Fix iscsi SELinux module- Allow spamc_t domain to read home mail content BZ(1414366)- Allow sendmail_t to list postfix config dirs BZ(1514868)- Allow dovecot_t domain to mmap mail content in homedirs BZ(1513153)- Allow iscsid_t domain to requesting loading kernel modules BZ(1448877)- Allow svirt_t domain to mmap svirt_tmpfs_t files BZ(1515304)- Allow cupsd_t domain to localization BZ(1514350)- Allow antivirus_t nnp domain transition because of systemd security features. BZ(1514451)- Allow tlp_t domain transition to systemd_rfkill_t domain BZ(1416301)- Allow abrt_t domain to mmap fusefs_t files BZ(1515169)- Allow memcached_t domain nnp_transition becuase of systemd security features BZ(1514867)- Allow httpd_t domain to mmap all httpd content type BZ(1514866)- Allow mandb_t to read /etc/passwd BZ(1514903)- Allow mandb_t domain to mmap files with label mandb_cache_t BZ(1514093)- Allow abrt_t domain to mmap files with label syslogd_var_run_t BZ(1514975)- Allow nnp transition for systemd-networkd daemon to run in proper SELinux domain BZ(1507263)- Allow systemd to read/write to mount_var_run_t files BZ(1515373)- Allow systemd to relabel mdadm_var_run_t sock files BZ(1515373)- Allow home managers to mmap nfs_t files BZ(1514372)- Add interface fs_mmap_nfs_files()- Allow systemd-mount to create new directory for mountpoint BZ(1514880)- Allow getty to use usbttys- Add interface systemd_rfkill_domtrans()- Allow syslogd_t to mmap files with label syslogd_var_lib_t BZ(1513403)- Add interface fs_mmap_fusefs_files()- Allow ipsec_t domain to mmap files with label ipsec_key_file_t BZ(1514251) * Thu Nov 16 2017 Lukas Vrabec - 3.13.1-303- Allow pcp_pmlogger to send logs to journal BZ(1512367)- Merge pull request #40 from lslebodn/kcm_kerberos- Allow services to use kerberos KCM BZ(1512128)- Allow system_mail_t domain to be system_dbus_client BZ(1512476)- Allow aide domain to stream connect to sssd_t BZ(1512500)- Allow squid_t domain to mmap files with label squid_tmpfs_t BZ(1498809)- Allow nsd_t domain to mmap files with labels nsd_tmp_t and nsd_zone_t BZ(1511269)- Include cupsd_config_t domain into cups_execmem boolean. BZ(1417584)- Allow samba_net_t domain to mmap samba_var_t files BZ(1512227)- Allow lircd_t domain to execute shell BZ(1512787)- Allow thumb_t domain to setattr on cache_home_t dirs BZ(1487814)- Allow redis to creating tmp files with own label BZ(1513518)- Create new interface thumb_nnp_domtrans allowing domaintransition with NoNewPrivs. This interface added to thumb_run() BZ(1509502)- Allow httpd_t to mmap httpd_tmp_t files BZ(1502303)- Add map permission to samba_rw_var_files interface. BZ(1513908)- Allow cluster_t domain creating bundles directory with label var_log_t instead of cluster_var_log_t- Add dac_read_search and dac_override capabilities to ganesha- Allow ldap_t domain to manage also slapd_tmp_t lnk files- Allow snapperd_t domain to relabeling from snapperd_data_t BZ(1510584)- Add dac_override capability to dhcpd_t doamin BZ(1510030)- Allow snapperd_t to remove old snaps BZ(1510862)- Allow chkpwd_t domain to mmap system_db_t files and be dbus system client BZ(1513704)- Allow xdm_t send signull to all xserver unconfined types BZ(1499390)- Allow fs associate for sysctl_vm_t BZ(1447301)- Label /etc/init.d/vboxdrv as bin_t to run virtualbox as unconfined_service_t BZ(1451479)- Allow xdm_t domain to read usermodehelper_t state BZ(1412609)- Allow dhcpc_t domain to stream connect to userdomain domains BZ(1511948)- Allow systemd to mmap kernel modules BZ(1513399)- Allow userdomains to mmap fifo_files BZ(1512242)- Merge pull request #205 from rhatdan/labels- Add map permission to init_domtrans() interface BZ(1513832)- Allow xdm_t domain to mmap and execute files in xdm_var_run_t BZ(1513883)- Unconfined domains, need to create content with the correct labels- Container runtimes are running iptables within a different user namespace- Add interface files_rmdir_all_dirs() * Mon Nov 06 2017 Lukas Vrabec - 3.13.1-302- Allow jabber domains to connect to postgresql ports- Dontaudit slapd_t to block suspend system- Allow spamc_t to stream connect to cyrys.- Allow passenger to connect to mysqld_port_t- Allow ipmievd to use nsswitch- Allow chronyc_t domain to use user_ptys- Label all files /var/log/opensm. * as opensm_log_t because opensm creating new log files with name opensm-subnet.lst- Fix typo bug in tlp module- Allow userdomain gkeyringd domain to create stream socket with userdomain * Fri Nov 03 2017 Lukas Vrabec - 3.13.1-301- Merge pull request #37 from milosmalik/rawhide- Allow mozilla_plugin_t domain to dbus chat with devicekit- Dontaudit leaked logwatch pipes- Label /usr/bin/VGAuthService as vmtools_exec_t to confine this daemon.- Allow httpd_t domain to execute hugetlbfs_t files BZ(1444546)- Allow chronyd daemon to execute chronyc. BZ(1507478)- Allow pdns to read network system state BZ(1507244)- Allow gssproxy to read network system state Resolves: rhbz#1507191- Allow nfsd_t domain to read configfs_t files/dirs- Allow tgtd_t domain to read generic certs- Allow ptp4l to send msgs via dgram socket to unprivileged user domains- Allow dirsrv_snmp_t to use inherited user ptys and read system state- Allow glusterd_t domain to create own tmpfs dirs/files- Allow keepalived stream connect to snmp * Thu Oct 26 2017 Lukas Vrabec - 3.13.1-300- Allow zabbix_t domain to change its resource limits- Add new boolean nagios_use_nfs- Allow system_mail_t to search network sysctls- Hide all allow rules with ptrace inside deny_ptrace boolean- Allow nagios_script_t to read nagios_spool_t files- Allow sbd_t to create own sbd_tmpfs_t dirs/files- Allow firewalld and networkmanager to chat with hypervkvp via dbus- Allow dmidecode to read rhsmcert_log_t files- Allow mail system to connect mariadb sockets.- Allow nmbd_t domain to mmap files labeled as samba_var_t. BZ(1505877)- Make user account setup in gnome-initial-setup working in Workstation Live system. BZ(1499170)- Allow iptables_t to run setfiles to restore context on system- Updatre unconfined_dontaudit_read_state() interface to dontaudit also acess to files. BZ(1503466) * Tue Oct 24 2017 Lukas Vrabec - 3.13.1-299- Label /usr/libexec/bluetooth/obexd as bluetoothd_exec_t to run process as bluetooth_t- Allow chronyd_t do request kernel module and block_suspend capability- Allow system_cronjob_t to create /var/lib/letsencrypt dir with right label- Allow slapd_t domain to mmap files labeled as slpad_db_t BZ(1505414)- Allow dnssec_trigger_t domain to execute binaries with dnssec_trigeer_exec_t BZ(1487912)- Allow l2tpd_t domain to send SIGKILL to ipsec_mgmt_t domains BZ(1505220)- Allow thumb_t creating thumb_home_t files in user_home_dir_t direcotry BZ(1474110)- Allow httpd_t also read httpd_user_content_type dirs when httpd_enable_homedirs is enables- Allow svnserve to use kerberos- Allow conman to use ptmx. Add conman_use_nfs boolean- Allow nnp transition for amavis and tmpreaper SELinux domains- Allow chronyd_t to mmap chronyc_exec_t binary files- Add dac_read_search capability to openvswitch_t domain- Allow svnserve to manage own svnserve_log_t files/dirs- Allow keepalived_t to search network sysctls- Allow puppetagent_t domain dbus chat with rhsmcertd_t domain- Add kill capability to openvswitch_t domain- Label also compressed logs in /var/log for different services- Allow inetd_child_t and system_cronjob_t to run chronyc.- Allow chrony to create netlink route sockets- Add SELinux support for chronyc- Add support for running certbot(letsencrypt) in crontab- Allow nnp trasintion for unconfined_service_t- Allow unpriv user domains and unconfined_service_t to use chronyc * Sun Oct 22 2017 Lukas Vrabec - 3.13.1-298- Drop *.lst files from file list- Ship file_contexts.homedirs in store- Allow proper transition when systems starting pdns to pdns_t domain. BZ(1305522)- Allow haproxy daemon to reexec itself. BZ(1447800)- Allow conmand to use usb ttys.- Allow systemd_machined to read mock lib files. BZ(1504493)- Allow systemd_resolved_t to dbusd chat with NetworkManager_t BZ(1505081) * Fri Oct 20 2017 Lukas Vrabec - 3.13.1-297- Fix typo in virt file contexts file- allow ipa_dnskey_t to read /proc/net/unix file- Allow openvswitch to run setfiles in setfiles_t domain.- Allow openvswitch_t domain to read process data of neutron_t domains- Fix typo in ipa_cert_filetrans_named_content() interface- Fix typo bug in summary of xguest SELinux module- Allow virtual machine with svirt_t label to stream connect to openvswitch.- Label qemu-pr-helper script as virt_exec_t so this script won\'t run as unconfined_service_t * Tue Oct 17 2017 Lukas Vrabec - 3.13.1-296- Merge pull request #19 from RodrigoQuesadaDev/snapper-fix-1- Allow httpd_t domain to mmap httpd_user_content_t files. BZ(1494852)- Add nnp transition rule for services using NoNewPrivileges systemd feature- Add map permission into dev_rw_infiniband_dev() interface to allow caller domain mmap infiniband chr device BZ(1500923)- Add init_nnp_daemon_domain interface- Allow nnp transition capability- Merge pull request #204 from konradwilk/rhbz1484908- Label postgresql-check-db-dir as postgresql_exec_t * Tue Oct 10 2017 Lukas Vrabec - 3.13.1-295- Allow boinc_t to mmap files with label boinc_project_var_lib_t BZ(1500088)- Allow fail2ban_t domain to mmap journals. BZ(1500089)- Add dac_override to abrt_t domain BZ(1499860)- Allow pppd domain to mmap own pid files BZ(1498587)- Allow webserver services to mmap files with label httpd_sys_content_t BZ(1498451)- Allow tlp domain to read sssd public files Allow tlp domain to mmap kernel modules- Allow systemd to read sysfs sym links. BZ(1499327)- Allow systemd to mmap systemd_networkd_exec_t files BZ(1499863)- Make systemd_networkd_var_run as mountpoint BZ(1499862)- Allow noatsecure for java-based unconfined services. BZ(1358476)- Allow systemd_modules_load_t domain to mmap kernel modules. BZ(1490015) * Mon Oct 09 2017 Lukas Vrabec - 3.13.1-294- Allow cloud-init to create content in /var/run/cloud-init- Dontaudit VM to read gnome-boxes process data BZ(1415975)- Allow winbind_t domain mmap samba_var_t files- Allow cupsd_t to execute ld_so_cache_t BZ(1478602)- Update dev_rw_xserver_misc() interface to allo source domains to mmap xserver devices BZ(1334035)- Add dac_override capability to groupadd_t domain BZ(1497091)- Allow unconfined_service_t to start containers * Sun Oct 08 2017 Petr Lautrbach - 3.13.1-293- Drop policyhelp utility BZ(1498429) * Tue Oct 03 2017 Lukas Vrabec - 3.13.1-292- Allow cupsd_t to execute ld_so_cache_t BZ(1478602)- Allow firewalld_t domain to change object identity because of relabeling after using firewall-cmd BZ(1469806)- Allow postfix_cleanup_t domain to stream connect to all milter sockets BZ(1436026)- Allow nsswitch_domain to read virt_var_lib_t files, because of libvirt NSS plugin. BZ(1487531)- Add unix_stream_socket recvfrom perm for init_t domain BZ(1496318)- Allow systemd to maange sysfs BZ(1471361) * Tue Oct 03 2017 Lukas Vrabec - 3.13.1-291- Switch default value of SELinux boolean httpd_graceful_shutdown to off. * Fri Sep 29 2017 Lukas Vrabec - 3.13.1-290- Allow virtlogd_t domain to write inhibit systemd pipes.- Add dac_override capability to openvpn_t domain- Add dac_override capability to xdm_t domain- Allow dac_override to groupadd_t domain BZ(1497081)- Allow cloud-init to create /var/run/cloud-init dir with net_conf_t SELinux label.BZ(1489166) * Wed Sep 27 2017 Lukas Vrabec - 3.13.1-289- Allow tlp_t domain stream connect to sssd_t domain- Add missing dac_override capability- Add systemd_tmpfiles_t dac_override capability * Fri Sep 22 2017 Lukas Vrabec - 3.13.1-288- Remove all unnecessary dac_override capability in SELinux modules * Fri Sep 22 2017 Lukas Vrabec - 3.13.1-287- Allow init noatsecure httpd_t- Allow mysqld_t domain to mmap mysqld db files. BZ(1483331)- Allow unconfined_t domain to create new users with proper SELinux lables- Allow init noatsecure httpd_t- Label tcp port 3269 as ldap_port_t * Mon Sep 18 2017 Lukas Vrabec - 3.13.1-286- Add new boolean tomcat_read_rpm_db()- Allow tomcat to connect on mysqld tcp ports- Add new interface apache_delete_tmp()- Add interface fprintd_exec()- Add interface fprintd_mounton_var_lib()- Allow mozilla plugin to mmap video devices BZ(1492580)- Add ctdbd_t domain sys_source capability and allow setrlimit- Allow systemd-logind to use ypbind- Allow systemd to remove apache tmp files- Allow ldconfig domain to mmap ldconfig cache files- Allow systemd to exec fprintd BZ(1491808)- Allow systemd to mounton fprintd lib dir * Thu Sep 14 2017 Lukas Vrabec - 3.13.1-285- Allow svirt_t read userdomain state * Thu Sep 14 2017 Lukas Vrabec - 3.13.1-284- Allow mozilla_plugins_t domain mmap mozilla_plugin_tmpfs_t files- Allow automount domain to manage mount pid files- Allow stunnel_t domain setsched- Add keepalived domain setpgid capability- Merge pull request #24 from teg/rawhide- Merge pull request #28 from lslebodn/revert_1e8403055- Allow sysctl_irq_t assciate with proc_t- Enable cgourp sec labeling- Allow sshd_t domain to send signull to xdm_t processes * Tue Sep 12 2017 Lukas Vrabec - 3.13.1-283- Allow passwd_t domain mmap /etc/shadow and /etc/passwd- Allow pulseaudio_t domain to map user tmp files- Allow mozilla plugin to mmap mozilla tmpfs files * Mon Sep 11 2017 Lukas Vrabec - 3.13.1-282- Add new bunch of map rules- Merge pull request #25 from NetworkManager/nm-ovs- Make working webadm_t userdomain- Allow redis domain to execute shell scripts.- Allow system_cronjob_t to create redhat-access-insights.log with var_log_t- Add couple capabilities to keepalived domain and allow get attributes of all domains- Allow dmidecode read rhsmcertd lock files- Add new interface rhsmcertd_rw_lock_files()- Add new bunch of map rules- Merge pull request #199 from mscherer/add_conntrackd- Add support labeling for vmci and vsock device- Add userdom_dontaudit_manage_admin_files() interface * Mon Sep 11 2017 Lukas Vrabec - 3.13.1-281- Allow domains reading raw memory also use mmap. * Thu Sep 07 2017 Lukas Vrabec - 3.13.1-280- Add rules fixing installing ipa-server-install with SELinux in Enforcing. BZ(1488404)- Fix denials during ipa-server-install process on F27+- Allow httpd_t to mmap cert_t- Add few rules to make tlp_t domain working in enforcing mode- Allow cloud_init_t to dbus chat with systemd_timedated_t- Allow logrotate_t to write to kmsg- Add capability kill to rhsmcertd_t- Allow winbind to manage smbd_tmp_t files- Allow groupadd_t domain to dbus chat with systemd.BZ(1488404)- Add interface miscfiles_map_generic_certs() * Tue Sep 05 2017 Lukas Vrabec - 3.13.1-279- Allow abrt_dump_oops_t to read sssd_public_t files- Allow cockpit_ws_t to mmap usr_t files- Allow systemd to read/write dri devices. * Thu Aug 31 2017 Lukas Vrabec - 3.13.1-278- Add couple rules related to map permissions- Allow ddclient use nsswitch BZ(1456241)- Allow thumb_t domain getattr fixed_disk device. BZ(1379137)- Add interface dbus_manage_session_tmp_dirs()- Dontaudit useradd_t sys_ptrace BZ(1480121)- Allow ipsec_t can exec ipsec_exec_t- Allow systemd_logind_t to mamange session_dbusd_tmp_t dirs * Mon Aug 28 2017 Lukas Vrabec - 3.13.1-277- Allow cupsd_t to execute ld_so_cache- Add cgroup_seclabel policycap.- Allow xdm_t to read systemd hwdb- Add new interface systemd_hwdb_mmap_config()- Allow auditd_t domain to mmap conf files labeled as auditd_etc_t BZ(1485050) * Sat Aug 26 2017 Lukas Vrabec - 3.13.1-276- Allow couple map rules * Wed Aug 23 2017 Lukas Vrabec - 3.13.1-275- Make confined users working- Allow ipmievd_t domain to load kernel modules- Allow logrotate to reload transient systemd unit * Wed Aug 23 2017 Lukas Vrabec - 3.13.1-274- Allow postgrey to execute bin_t files and add postgrey into nsswitch_domain- Allow nscd_t domain to search network sysctls- Allow iscsid_t domain to read mount pid files- Allow ksmtuned_t domain manage sysfs_t files/dirs- Allow keepalived_t domain domtrans into iptables_t- Allow rshd_t domain reads net sysctls- Allow systemd to create syslog netlink audit socket- Allow ifconfig_t domain unmount fs_t- Label /dev/gpiochip * devices as gpio_device_t * Tue Aug 22 2017 Lukas Vrabec - 3.13.1-273- Allow dirsrv_t domain use mmap on files labeled as dirsrv_var_run_t BZ(1483170)- Allow just map permission insead of using mmap_file_pattern because mmap_files_pattern allows also executing objects.- Label /var/run/agetty.reload as getty_var_run_t- Add missing filecontext for sln binary- Allow systemd to read/write to event_device_t BZ(1471401) * Tue Aug 15 2017 Lukas Vrabec - 3.13.1-272- Allow sssd_t domain to map sssd_var_lib_t files- allow map permission where needed- contrib: allow map permission where needed- Allow syslogd_t to map syslogd_var_run_t files- allow map permission where needed * Mon Aug 14 2017 Lukas Vrabec - 3.13.1-271- Allow tomcat_t domain couple capabilities to make working tomcat-jsvc- Label /usr/libexec/sudo/sesh as shell_exec_t * Thu Aug 10 2017 Lukas Vrabec - 3.13.1-270- refpolicy: Infiniband pkeys and endport * Thu Aug 10 2017 Lukas Vrabec - 3.13.1-269- Allow osad make executable an anonymous mapping or private file mapping that is writable BZ(1425524)- After fix in kernel where LSM hooks for dac_override and dac_search_read capability was swaped we need to fix it also in policy- refpolicy: Define and allow map permission- init: Add NoNewPerms support for systemd.- Add nnp_nosuid_transition policycap and related class/perm definitions. * Mon Aug 07 2017 Petr Lautrbach - 3.13.1-268- Update for SELinux userspace release 20170804 / 2.7- Omit precompiled regular expressions from file_contexts.bin files * Mon Aug 07 2017 Lukas Vrabec - 3.13.1-267- After fix in kernel where LSM hooks for dac_override and dac_search_read capability was swaped we need to fix it also in policy * Thu Jul 27 2017 Fedora Release Engineering - 3.13.1-266- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild * Fri Jul 21 2017 Lukas Vrabec - 3.13.1-265- Allow llpdad send dgram to libvirt- Allow abrt_t domain dac_read_search capability- Allow init_t domain mounton dirs labeled as init_var_lib_t BZ(1471476)- Allow xdm_t domain read unique machine-id generated during system installation. BZ(1467036)- Dontaudit xdm_t to setattr lib_t dirs. BZ(#1458518) * Mon Jul 17 2017 Lukas Vrabec - 3.13.1-264- Dontaudit xdm_t to setattr lib_t dirs. BZ(#1458518) * Tue Jul 11 2017 Lukas Vrabec - 3.13.1-263- Add new boolean gluster_use_execmem * Mon Jul 10 2017 Lukas Vrabec - 3.13.1-262- Allow cluster_t and glusterd_t domains to dbus chat with ganesha service- Allow iptables to read container runtime files * Fri Jun 23 2017 Lukas Vrabec - 3.13.1-261- Allow boinc_t nsswitch- Dontaudit firewalld to write to lib_t dirs- Allow modemmanager_t domain to write to raw_ip file labeled as sysfs_t- Allow thumb_t domain to allow create dgram sockets- Disable mysqld_safe_t secure mode environment cleansing- Allow couple rules needed to start targetd daemon with SELinux in enforcing mode- Allow dirsrv domain setrlimit- Dontaudit staff_t user read admin_home_t files.- Add interface lvm_manage_metadata- Add permission open to files_read_inherited_tmp_files() interface * Mon Jun 19 2017 Lukas Vrabec - 3.13.1-260- Allow sssd_t to read realmd lib files.- Fix init interface file. init_var_run_t is type not attribute * Mon Jun 19 2017 Lukas Vrabec - 3.13.1-258- Allow rpcbind_t to execute systemd_tmpfiles_exec_t binary files.- Merge branch \'rawhide\' of github.com:wrabcak/selinux-policy-contrib into rawhide- Allow qemu to authenticate SPICE connections with SASL GSSAPI when SSSD is in use- Fix dbus_dontaudit_stream_connect_system_dbusd() interface to require TYPE rather than ATTRIBUTE for systemd_dbusd_t.- Allow httpd_t to read realmd_var_lib_t files- Allow unconfined_t user all user namespace capabilties.- Add interface systemd_tmpfiles_exec()- Add interface libs_dontaudit_setattr_lib_files()- Dontaudit xdm_t domain to setattr on lib_t dirs- Allow sysadm_r role to jump into dirsrv_t * Thu Jun 08 2017 Lukas Vrabec - 3.13.1-257- Merge pull request #10 from mscherer/fix_tor_dac- Merge pull request #9 from rhatdan/rawhide- Merge pull request #13 from vinzent/allow_zabbix_t_to_kill_zabbix_script_t- Allow kdumpgui to read removable disk device- Allow systemd_dbusd_t domain read/write to nvme devices- Allow udisks2 domain to read removable devices BZ(1443981)- Allow virtlogd_t to execute itself- Allow keepalived to read/write usermodehelper state- Allow named_t to bind on udp 4321 port- Fix interface tlp_manage_pid_files()- Allow collectd domain read lvm config files. BZ(1459097)- Merge branch \'rawhide\' of github.com:wrabcak/selinux-policy-contrib into rawhide- Allow samba_manage_home_dirs boolean to manage user content- Merge pull request #14 from lemenkov/rabbitmq_systemd_notify- Allow pki_tomcat_t execute ldconfig.- Merge pull request #191 from rhatdan/udev- Allow systemd_modules_load_t to load modules * Mon Jun 05 2017 Lukas Vrabec - 3.13.1-256- Allow keepalived domain connect to squid tcp port- Allow krb5kdc_t domain read realmd lib files.- Allow tomcat to connect on all unreserved ports- Allow keepalived domain connect to squid tcp port- Allow krb5kdc_t domain read realmd lib files.- Allow tomcat to connect on all unreserved ports- Allow ganesha to connect to all rpc ports- Update ganesha with few allow rules- Update rpc_read_nfs_state_data() interface to allow read also lnk_files.- virt_use_glusterd boolean should be in optional block- Add new boolean virt_use_glusterd- Add capability sys_boot for sbd_t domain Allow sbd_t domain to create rpc sysctls.- Allow ganesha_t domain to manage glusterd_var_run_t pid files.- Create new interface: glusterd_read_lib_files() Allow ganesha read glusterd lib files. Allow ganesha read network sysctls- Add few allow rules to ganesha module- Allow condor_master_t to read sysctls.- Add dac_override cap to ctdbd_t domain- Add ganesha_use_fusefs boolean.- Allow httpd_t reading kerberos kdc config files- Allow tomcat_t domain connect to ibm_dt_2 tcp port.- Allow stream connect to initrc_t domains- Add pki_exec_common_files() interface- Allow dnsmasq_t domain to read systemd-resolved pid files.- Allow tomcat domain name_bind on tcp bctp_port_t- Allow smbd_t domain generate debugging files under /var/run/gluster. These files are created through the libgfapi.so library that provides integration of a GlusterFS client in the Samba (vfs_glusterfs) process.- Allow condor_master_t write to sysctl_net_t- Allow nagios check disk plugin read /sys/kernel/config/- Allow pcp_pmie_t domain execute systemctl binary- Allow nagios to connect to stream sockets. Allow nagios start httpd via systemctl- xdm_t should view kernel keys- Hide broken symptoms when machine is configured with network bounding.- Label 8750 tcp/udp port as dey_keyneg_port_t- Label tcp/udp port 1792 as ibm_dt_2_port_t- Add interface fs_read_configfs_dirs()- Add interface fs_read_configfs_files()- Fix systemd_resolved_read_pid interface- Add interface systemd_resolved_read_pid()- Allow sshd_net_t domain read/write into crypto devices- Label 8999 tcp/udp as bctp_port_t * Thu May 18 2017 Lukas Vrabec - 3.13.1-255- Dontaudit net_admin capability for domains postfix_master_t and postfix_qmgr_t- Add interface pki_manage_common_files()- Allow rngd domain read sysfs_t- Allow tomcat_t domain to manage pki_common_t files and dirs- Merge pull request #3 from rhatdan/devicekit- Merge pull request #12 from lslebodn/sssd_sockets_fc- Allow certmonger reads httpd_config_t files- Allow keepalived_t domain creating netlink_netfilter_socket.- Use stricter fc rules for sssd sockets in /var/run- Allow tomcat domain read rpm_var_lib_t files Allow tomcat domain exec rpm_exec_t files Allow tomcat domain name connect on oracle_port_t Allow tomcat domain read cobbler_var_lib_t files.- Allow sssd_t domain creating sock files labeled as sssd_var_run_t in /var/run/- Allow svirt_t to read raw fixed_disk_device_t to make working blockcommit- ejabberd small fixes- Update targetd policy to accommodate changes in the service- Allow tomcat_domain connect to * postgresql_port_t * amqp_port_t Allow tomcat_domain read network sysctls- Allow virt_domain to read raw fixed_disk_device_t to make working blockcommit- Dontaudit net_admin capability for useradd_t domain- Allow systemd_localed_t and systemd_timedated_t create files in /etc with label locate_t BZ(1443723)- Make able deply overcloud via neutron_t to label nsfs as fs_t- Add fs_manage_configfs_lnk_files() interface * Mon May 15 2017 Lukas Vrabec - 3.13.1-254- Allow svirt_t to read raw fixed_disk_device_t to make working blockcommit- ejabberd small fixes- Update targetd policy to accommodate changes in the service- Allow tomcat_domain connect to * postgresql_port_t * amqp_port_t Allow tomcat_domain read network sysctls- Allow virt_domain to read raw fixed_disk_device_t to make working blockcommit- Allow glusterd_t domain start ganesha service- Made few cosmetic changes in sssd SELinux module- Merge pull request #11 from lslebodn/sssd_kcm- Update virt_rw_stream_sockets_svirt() interface to allow confined users set socket options.- Allow keepalived_t domain read usermodehelper_t- Allow radius domain stream connec to postgresql- Merge pull request #8 from bowlofeggs/142-rawhide- Add fs_manage_configfs_lnk_files() interface * Fri May 12 2017 Lukas Vrabec - 3.13.1-253- auth_use_nsswitch can call only domain not attribute- Dontaudit net_admin cap for winbind_t- Allow tlp_t domain to stream connect to system bus- Allow tomcat_t domain read pki_common_t files- Add interface pki_read_common_files()- Fix broken cermonger module- Fix broken apache module- Allow hypervkvp_t domain execute hostname- Dontaudit sssd_selinux_manager_t use of net_admin capability- Allow tomcat_t stream connect to pki_common_t- Dontaudit xguest_t\'s attempts to listen to its tcp_socket- Allow sssd_selinux_manager_t to ioctl init_t sockets- Improve ipa_cert_filetrans_named_content() interface to also allow caller domain manage ipa_cert_t type.- Allow pki_tomcat_t domain read /etc/passwd.- Allow tomcat_t domain read ipa_tmp_t files- Label new path for ipa-otpd- Allow radiusd_t domain stream connect to postgresql_t- Allow rhsmcertd_t to execute hostname_exec_t binaries.- Allow virtlogd to append nfs_t files when virt_use_nfs=1- Allow httpd_t domain read also httpd_user_content_type lnk_files.- Allow httpd_t domain create /etc/httpd/alias/ipaseesion.key with label ipa_cert_t- Dontaudit _gkeyringd_t stream connect to system_dbusd_t- Label /var/www/html/nextcloud/data as httpd_sys_rw_content_t- Add interface ipa_filetrans_named_content()- Allow tomcat use nsswitch- Allow certmonger_t start/status generic services- Allow dirsrv read cgroup files.- Allow ganesha_t domain read/write infiniband devices.- Allow sendmail_t domain sysctl_net_t files- Allow targetd_t domain read network state and getattr on loop_control_device_t- Allow condor_schedd_t domain send mails.- Allow ntpd to creating sockets. BZ(1434395)- Alow certmonger to create own systemd unit files.- Add kill namespace capability to xdm_t domain- Revert \"su using libselinux and creating netlink_selinux socket is needed to allow libselinux initialization.\"- Revert \"Allow _su_t to create netlink_selinux_socket\"- Allow _su_t to create netlink_selinux_socket- Allow unconfined_t to module_load any file- Allow staff to systemctl virt server when staff_use_svirt=1- Allow unconfined_t create /tmp/ca.p12 file with ipa_tmp_t context- Allow netutils setpcap capability- Dontaudit leaked file descriptor happening in setfiles_t domain BZ(1388124) * Thu Apr 20 2017 Michael Scherer - 3.13.1-252- fix #1380325, selinux-policy-sandbox always removing sandbox module on upgrade * Tue Apr 18 2017 Lukas Vrabec - 3.13.1-251- Fix abrt module to reflect all changes in abrt release * Tue Apr 18 2017 Lukas Vrabec - 3.13.1-250- Allow tlp_t domain to ioctl removable devices BZ(1436830)- Allow tlp_t domain domtrans into mount_t BZ(1442571)- Allow lircd_t to read/write to sysfs BZ(1442443)- Fix policy to reflect all changes in new IPA release- Allow virtlogd_t to creating tmp files with virt_tmp_t labels.- Allow sbd_t to read/write fixed disk devices- Add sys_ptrace capability to radiusd_t domain- Allow cockpit_session_t domain connects to ssh tcp ports.- Update tomcat policy to make working ipa install process- Allow pcp_pmcd_t net_admin capability. Allow pcp_pmcd_t read net sysctls Allow system_cronjob_t create /var/run/pcp with pcp_var_run_t- Fix all AVC denials during pkispawn of CA Resolves: rhbz#1436383- Update pki interfaces and tomcat module- Allow sendmail to search network sysctls- Add interface gssd_noatsecure()- Add interface gssproxy_noatsecure()- Allow chronyd_t net_admin capability to allow support HW timestamping.- Update tomcat policy.- Allow certmonger to start haproxy service- Fix init Module- Make groupadd_t domain as system bus client BZ(1416963)- Make useradd_t domain as system bus client BZ(1442572)- Allow xdm_t to gettattr /dev/loop-control device BZ(1385090)- Dontaudit gdm-session-worker to view key unknown. BZ(1433191)- Allow init noatsecure for gssd and gssproxy- Allow staff user to read fwupd_cache_t files- Remove typo bugs- Remove /proc <> from fedora policy, it\'s no longer necessary * Mon Apr 03 2017 Lukas Vrabec - 3.13.1-249- Merge pull request #4 from lslebodn/sssd_socket_activated- Remove /proc <> from fedora policy, it\'s no longer necessary- Allow iptables get list of kernel modules- Allow unconfined_domain_type to enable/disable transient unit- Add interfaces init_enable_transient_unit() and init_disable_transient_unit- Revert \"Allow sshd setcap capability. This is needed due to latest changes in sshd\"- Label sysroot dir under ostree as root_t * Mon Mar 27 2017 Adam Williamson - 3.13.1-248- Put tomcat_t back in unconfined domains for now. BZ(1436434) * Tue Mar 21 2017 Lukas Vrabec - 3.13.1-247- Make fwupd_var_lib_t type mountpoint. BZ(1429341)- Remove tomcat_t domain from unconfined domains- Create new boolean: sanlock_enable_home_dirs()- Allow mdadm_t domain to read/write nvme_device_t- Remove httpd_user_ *_content_t domains from user_home_type attribute. This tighten httpd policy and acces to user data will be more strinct, and also fix mutual influente between httpd_enable_homedirs and httpd_read_user_content- Add interface dev_rw_nvme- Label all files containing hostname substring in /etc/ created by systemd_hostnamed_t as hostname_etc_t. BZ(1433555) * Sat Mar 18 2017 Lukas Vrabec - 3.13.1-246- Label all files containing hostname substring in /etc/ created by systemd_hostnamed_t as hostname_etc_t. BZ(1433555) * Fri Mar 17 2017 Lukas Vrabec - 3.13.1-245- Allow vdagent domain to getattr cgroup filesystem- Allow abrt_dump_oops_t stream connect to sssd_t domain- Allow cyrus stream connect to gssproxy- Label /usr/libexec/cockpit-ssh as cockpit_session_exec_t and allow few rules- Allow colord_t to read systemd hwdb.bin file- Allow dirsrv_t to create /var/lock/dirsrv labeled as dirsrc_var_lock_t- Allow certmonger to manage /etc/krb5kdc_conf_t- Allow kdumpctl to getenforce- Allow ptp4l wake_alarm capability- Allow ganesha to chat with unconfined domains via dbus- Add nmbd_t capability2 block_suspend- Add domain transition from sosreport_t to iptables_t- Dontaudit init_t to mounton modules_object_t- Add interface files_dontaudit_mounton_modules_object- Allow xdm_t to execute files labeled as xdm_var_lib_t- Make mtrr_device_t mountpoint.- Fix path to /usr/lib64/erlang/erts-5.10.4/bin/epmd * Tue Mar 07 2017 Lukas Vrabec - 3.13.1-244- Update fwupd policy- /usr/libexec/udisks2/udisksd should be labeled as devicekit_disk_exec_t- Update ganesha policy- Allow chronyd to read adjtime- Merge pull request #194 from hogarthj/certbot_policy- get the correct cert_t context on certbot certificates bz#1289778- Label /dev/ss0 as gpfs_device_t * Thu Mar 02 2017 Lukas Vrabec - 3.13.1-243- Allow abrt_t to send mails. * Mon Feb 27 2017 Lukas Vrabec - 3.13.1-242- Add radius_use_jit boolean- Allow nfsd_t domain to create sysctls_rpc_t files- add the policy required for nextcloud- Allow can_load_kernmodule to load kernel modules. BZ(1426741)- Create kernel_create_rpc_sysctls() interface * Tue Feb 21 2017 Lukas Vrabec - 3.13.1-241- Remove ganesha from gluster module and create own module for ganesha- FIx label for /usr/lib/libGLdispatch.so.0.0.0 * Wed Feb 15 2017 Lukas Vrabec - 3.13.1-240- Dontaudit xdm_t wake_alarm capability2- Allow systemd_initctl_t to create and connect unix_dgram sockets- Allow ifconfig_t to mount/unmount nsfs_t filesystem- Add interfaces allowing mount/unmount nsfs_t filesystem- Label /usr/lib/libGLdispatch.so.0.0.0 as textrel_shlib_t BZ(1419944) * Mon Feb 13 2017 Lukas Vrabec - 3.13.1-239- Allow syslog client to connect to kernel socket. BZ(1419946) * Thu Feb 09 2017 Lukas Vrabec - 3.13.1-238- Allow shiftfs to use xattr SELinux labels- Fix ssh_server_template by add sshd_t to require section. * Wed Feb 08 2017 Lukas Vrabec - 3.13.1-237- Merge pull request #187 from rhatdan/container-selinux- Allow rhsmcertd domain signull kernel.- Allow container-selinux to handle all policy for container processes- Fix label for nagios plugins in nagios file conxtext file- su using libselinux and creating netlink_selinux socket is needed to allow libselinux initialization. Resolves: rhbz#1146987- Add SELinux support for systemd-initctl daemon- Add SELinux support for systemd-bootchart- su using libselinux and creating netlink_selinux socket is needed to allow libselinux initialization. Resolves: rhbz#1146987- Add module_load permission to can_load_kernmodule- Add module_load permission to class system- Add the validate_trans access vector to the security class- Restore connecto permssions for init_t * Thu Feb 02 2017 Lukas Vrabec - 3.13.1-236- Allow kdumpgui domain to read nvme device- Add amanda_tmpfs_t label. BZ(1243752)- Fix typo in sssd interface file- Allow sssd_t domain setpgid BZ(1411437)- Allow ifconfig_t domain read nsfs_t- Allow ping_t domain to load kernel modules.- Allow systemd to send user information back to pid1. BZ(1412750)- rawhide-base: Fix wrong type/attribute flavors in require blocks * Tue Jan 17 2017 Lukas Vrabec - 3.13.1-235- Allow libvirt daemon to create /var/chace/libvirt dir.- Allow systemd using ProtectKernelTunables securit feature. BZ(1392161)- F26 Wide change: Coredumps enabled by default. Allowing inherits process limits to enable coredumps.BZ(1341829) * Tue Jan 17 2017 Lukas Vrabec - 3.13.1-234- After the latest changes in nfsd. We should allow nfsd_t to read raw fixed disk. For more info see: BZ(1403017)- Tighten security on containe types- Make working cracklib_password_check for MariaDB service- Label 20514 tcp/udp ports as syslogd_port_t Label 10514 tcp/udp portas as syslog_tls_port_t BZ(1410505) * Sun Jan 08 2017 Lukas Vrabec - 3.13.1-233-Allow thumb domain sendto via dgram sockets. BZ(1398813)- Add condor_procd_t domain sys_ptrace cap_userns BZ(1411077)- Allow cobbler domain to create netlink_audit sockets BZ(1384600)- Allow networkmanager to manage networkmanager_var_lib_t lnk files BZ(1408626)- Add dhcpd_t domain fowner capability BZ(1409963)- Allow thumb to create netlink_kobject_uevent sockets. BZ(1410942)- Fix broken interfaces- Allow setfiles_t domain rw inherited kdumpctl tmp pipes BZ(1356456)- Allow user_t run systemctl --user BZ(1401625) * Fri Jan 06 2017 Lukas Vrabec - 3.13.1-232- Add tlp_var_lib_t label for /var/lib/tlp directory BZ(1409977)- Allow tlp_t domain to read proc_net_t BZ(1403487)- Merge pull request #179 from rhatdan/virt1- Allow tlp_t domain to read/write cpu microcode BZ(1403103)- Allow virt domain to use interited virtlogd domains fifo_file- Fixes for containers- Allow glusterd_t to bind on glusterd_port_t udp ports.- Update ctdbd_t policy to reflect all changes.- Allow ctdbd_t domain transition to rpcd_t * Wed Dec 14 2016 Lukas Vrabec - 3.13.1-231- Allow pptp_t to read /dev/random BZ(1404248)- Allow glusterd_t send signals to userdomain. Label new glusterd binaries as glusterd_exec_t- Allow systemd to stop glusterd_t domains.- Merge branch \'rawhide-base\' of github.com:fedora-selinux/selinux-policy into rawhide-base- Label /usr/sbin/sln as ldconfig_exec_t BZ(1378323)- Revert \"Allow an domain that has an entrypoint from a type to be allowed to execute the entrypoint without a transition, I can see no case where this is a bad thing, and elminiates a whole class of AVCs.\" * Thu Dec 08 2016 Lukas Vrabec - 3.13.1-230- Label /usr/bin/rpcbind as rpcbind_exec_t- Dontaudit mozilla plugin rawip socket creation. BZ(1275961)- Merge pull request #174 from rhatdan/netlink * Wed Dec 07 2016 Lukas Vrabec - 3.13.1-229- Label /usr/bin/rpcbind as rpcbind_exec_t. Label /usr/lib/systemd/systemd/rpcbind.service- Allot tlp domain to create unix_dgram sockets BZ(1401233)- Allow antivirus domain to create lnk_files in /tmp- Allow cupsd_t to create lnk_files in /tmp. BZ(1401634)- Allow svnserve_t domain to read /dev/random BZ(1401827)- Allow lircd to use nsswitch. BZ(1401375)- Allow hostname_t domain to manage cluster_tmp_t files * Mon Dec 05 2016 Lukas Vrabec - 3.13.1-228- Fix some boolean descriptions.- Add fwupd_dbus_chat() interface- Allow tgtd_t domain wake_alarm- Merge pull request #172 from vinzent/allow_puppetagent_timedated- Dontaudit logrotate_t to getattr nsfs_t BZ(1399081)- Allow systemd_machined_t to start unit files labeled as init_var_run_t- Add init_manage_config_transient_files() interface- In Atomic /usr/local is a soft symlink to /var/usrlocal, so the default policy to apply bin_t on /usr/...bin doesn\'t work and binaries dumped here get mislabeled as var_t.- Allow systemd to raise rlimit to all domains.BZ(1365435)- Add interface domain_setrlimit_all_domains() interface- Allow staff_t user to chat with fwupd_t domain via dbus- Update logging_create_devlog_dev() interface to allow calling domain create also sock_file dev-log. BZ(1393774)- Allow systemd-networkd to read network state BZ(1400016)- Allow systemd-resolved bind to dns port. BZ(1400023)- Allow systemd create /dev/log in own mount-namespace. BZ(1383867)- Add interface fs_dontaudit_getattr_nsfs_files()- Label /usr/lib/systemd/resolv.conf as lib_t to allow all domains read this file. BZ(1398853) * Tue Nov 29 2016 Lukas Vrabec - 3.13.1-227- Dontaudit logrotate_t to getattr nsfs_t BZ(1399081)- Allow pmie daemon to send signal pcmd daemon BZ(1398078)- Allow spamd_t to manage /var/spool/mail. BZ(1398437)- Label /run/rpc.statd.lock as rpcd_lock_t and allow rpcd_t domain to manage it. BZ(1397254)- Merge pull request #171 from t-woerner/rawhide-contrib- Allow firewalld to getattr open search read modules_object_t:dir- Allow systemd create /dev/log in own mount-namespace. BZ(1383867)- Add interface fs_dontaudit_getattr_nsfs_files()- Label /usr/lib/systemd/resolv.conf as lib_t to allow all domains read this file. BZ(1398853)- Dontaudit systemd_journal sys_ptrace userns capability. BZ(1374187) * Wed Nov 16 2016 Lukas Vrabec - 3.13.1-226- Adding policy for tlp- Add interface dev_manage_sysfs()- Allow ifconfig domain to manage tlp pid files. * Wed Nov 09 2016 Lukas Vrabec - 3.13.1-225- Allow systemd_logind_t domain to communicate with devicekit_t domain via dbus bz(1393373) * Tue Nov 08 2016 Lukas Vrabec - 3.13.1-224- Allow watching netflix using Firefox * Mon Nov 07 2016 Lukas Vrabec - 3.13.1-223- nmbd_t needs net_admin capability like smbd- Add interface chronyd_manage_pid() Allow logrotate to manage chrony pids- Add wake_alarm capability2 to openct_t domain- Allow abrt_t to getattr on nsfs_t files.- Add cupsd_t domain wake_alarm capability.- Allow sblim_reposd_t domain to read cert_f files.- Allow abrt_dump_oops_t to drop capabilities. bz(1391040)- Revert \"Allow abrt_dump_oops_t to drop capabilities. bz(1391040)\"- Allow isnsd_t to accept tcp connections * Wed Nov 02 2016 Lukas Vrabec - 3.13.1-222- Allow abrt_dump_oops_t to drop capabilities. bz(1391040)- Add named_t domain net_raw capability bz(1389240)- Allow geoclue to read system info. bz(1389320)- Make openfortivpn_t as init_deamon_domain. bz(1159899)- Allow nfsd domain to create nfsd_unit_file_t files. bz(1382487)- Merge branch \'rawhide-contrib\' of github.com:fedora-selinux/selinux-policy into rawhide-contrib- Add interace lldpad_relabel_tmpfs- Merge pull request #155 from rhatdan/sandbox_nfs- Add pscsd_t wake_alarm capability2- Allow sandbox domains to mount fuse file systems- Add boolean to allow sandbox domains to mount nfs- Allow hypervvssd_t to read all dirs.- Allow isnsd_t to connect to isns_port_t- Merge branch \'rawhide-contrib\' of github.com:fedora-selinux/selinux-policy into rawhide-contrib- Allow GlusterFS with RDMA transport to be started correctly. It requires ipc_lock capability together with rw permission on rdma_cm device.- Make tor_var_lib_t and tor_var_log_t as mountpoints.- Allow systemd-rfkill to write to /proc/kmsg bz(1388669)- Allow init_t to relabel /dev/shm/lldpad.state- Merge pull request #168 from rhatdan/docker- Label tcp 51954 as isns_port_t- Lots of new domains like OCID and RKT are user container processes * Mon Oct 17 2016 Miroslav Grepl - 3.13.1-221- Add container_file_t into contexts/customizable_types. * Sun Oct 16 2016 Lukas Vrabec - 3.13.1-220- Disable container_runtime_typebounds() due to typebounds issues which can not be resolved during build.- Disable unconfined_typebounds in sandbox.te due to entrypoint check which exceed for sandbox domains unconfined_t domain.- Disable unconfined_typebounds due to entrypoint check which exceed for sandbox domains unconfined_t domain.- Merge pull request #167 from rhatdan/container- Add transition rules for sandbox domains- container_typebounds() should be part of sandbox domain template- Fix broken container_ * interfaces- unconfined_typebounds() should be part of sandbox domain template- Fixed unrecognized characters at sandboxX module- unconfined_typebounds() should be part of sandbox domain template- svirt_file_type is atribute no type.- Merge pull request #166 from rhatdan/container- Allow users to transition from unconfined_t to container types- Add dbus_stream_connect_system_dbusd() interface.- Merge pull request #152 from rhatdan/network_filetrans- Fix typo in filesystem module- Allow nss_plugin to resolve host names via the systemd-resolved. BZ(1383473) * Mon Oct 10 2016 Lukas Vrabec - 3.13.1-219- Dontaudit leaked file descriptors for thumb. BZ(1383071)- Fix typo in cobbler SELinux module- Merge pull request #165 from rhatdan/container- Allow cockpit_ws_t to manage cockpit_lib_t dirs and files. BZ(1375156)- Allow cobblerd_t to delete dirs labeled as tftpdir_rw_t- Rename svirt_lxc_net_t to container_t- Rename docker.pp to container.pp, causes change in interface name- Allow httpd_t domain to list inotify filesystem.- Fix couple AVC to start roundup properly- Allow dovecot_t send signull to dovecot_deliver_t- Add sys_ptrace capability to pegasus domain- Allow firewalld to stream connect to NetworkManager. BZ(1380954)- rename docker intefaces to container- Merge pull request #164 from rhatdan/docker-base- Rename docker.pp to container.pp, causes change in interface name- Allow gvfs to read /dev/nvme * devices BZ(1380951) * Wed Oct 05 2016 Colin Walters - 3.13.1-218- Revert addition of systemd service for factory reset, since it is basically worse than what we had before. BZ(1290659) * Fri Sep 30 2016 Lukas Vrabec 3.13.1-216- Allow devicekit to chat with policykit via DBUS. BZ(1377113)- Add interface virt_rw_stream_sockets_svirt() BZ(1379314)- Allow xdm_t to read mount pid files. BZ(1377113)- Allow staff to rw svirt unix stream sockets. BZ(1379314)- Allow staff_t to read tmpfs files BZ(1378446) * Fri Sep 23 2016 Lukas Vrabec 3.13.1-215- Make tor_var_run_t as mountpoint. BZ(1368621)- Fix typo in ftpd SELinux module.- Allow cockpit-session to reset expired passwords BZ(1374262)- Allow ftp daemon to manage apache_user_content- Label /etc/sysconfig/oracleasm as oracleasm_conf_t- Allow oracleasm to rw inherited fixed disk device- Allow collectd to connect on unix_stream_socket- Add abrt_dump_oops_t kill user namespace capability. BZ(1376868)- Dontaudit systemd is mounting unlabeled dirs BZ(1367292)- Add interface files_dontaudit_mounton_isid() * Thu Sep 15 2016 Lukas Vrabec 3.13.1-214- Allow attach usb device to virtual machine BZ(1276873)- Dontaudit mozilla_plugin to sys_ptrace- Allow nut_upsdrvctl_t domain to read udev db BZ(1375636)- Fix typo- Allow geoclue to send msgs to syslog. BZ(1371818)- Allow abrt to read rpm_tmp_t dirs- Add interface rpm_read_tmp_files()- Remove labels for somr docker sandbox files for now. This needs to be reverted after fixes in docker-selinux- Update oracleasm SELinux module that can manage oracleasmfs_t blk files. Add dac_override cap to oracleasm_t domain.- Add few rules to pcp SELinux module to make ti able to start pcp_pmlogger service- Revert \"label /var/lib/kubelet as svirt_sandbox_file_t\"- Remove file context for /var/lib/kubelet. This filecontext is part of docker now- Add oracleasm_conf_t type and allow oracleasm_t to create /dev/oracleasm- Label /usr/share/pcp/lib/pmie as pmie_exec_t and /usr/share/pcp/lib/pmlogger as pmlogger_exec_t- Allow mdadm_t to getattr all device nodes- Dontaudit gkeyringd_domain to connect to system_dbusd_t- Add interface dbus_dontaudit_stream_connect_system_dbusd()- Allow guest-set-user-passwd to set users password.- Allow domains using kerberos to read also kerberos config dirs- Allow add new interface to new namespace BZ(1375124)- Allow systemd to relalbel files stored in /run/systemd/inaccessible/- Add interface fs_getattr_tmpfs_blk_file()- Dontaudit domain to create any file in /proc. This is kernel bug.- Improve regexp for power_unit_file_t files. To catch just systemd power unit files.- Add new interface fs_getattr_oracleasmfs_fs()- Add interface fs_manage_oracleasm()- Label /dev/kfd as hsa_device_t- Update seutil_manage_file_contexts() interface that caller domain can also manage file_context_t dirs * Fri Sep 02 2016 Lukas Vrabec 3.13.1-213- Label /var/lib/docker/vfs as svirt_sandbox_file_t in virt SELinux module- Label /usr/bin/pappet as puppetagent_exec_t- Allow amanda to create dir in /var/lib/ with amanda_var_lib_t label- Allow run sulogin_t in range mls_systemlow-mls_systemhigh. * Wed Aug 31 2016 Lukas Vrabec 3.13.1-212- udisk2 module is part of devicekit module now- Fix file context for /etc/pki/pki-tomcat/ca/- new interface oddjob_mkhomedir_entrypoint()- Allow mdadm to get attributes from all devices.- Label /etc/puppetlabs as puppet_etc_t.- quota: allow init to run quota tools- Add new domain ipa_ods_exporter_t BZ(1366640)- Create new interface opendnssec_stream_connect()- Allow VirtualBox to manage udev rules.- Allow systemd_resolved to send dbus msgs to userdomains- Make entrypoint oddjob_mkhomedir_exec_t for unconfined_t- Label all files in /dev/oracleasmfs/ as oracleasmfs_t * Thu Aug 25 2016 Lukas Vrabec 3.13.1-211- Add new domain ipa_ods_exporter_t BZ(1366640)- Create new interface opendnssec_stream_connect()- Allow systemd-machined to communicate to lxc container using dbus- Dontaudit accountsd domain creating dirs in /root- Add new policy for Disk Manager called udisks2- Dontaudit firewalld wants write to /root- Label /etc/pki/pki-tomcat/ca/ as pki_tomcat_cert_t- Allow certmonger to manage all systemd unit files- Allow ipa_helper_t stream connect to dirsrv_t domain- Update oracleasm SELinux module- label /var/lib/kubelet as svirt_sandbox_file_t- Allow systemd to create blk and chr files with correct label in /var/run/systemd/inaccessible BZ(1367280)- Label /usr/libexec/gsd-backlight-helper as xserver_exec_t. This allows also confined users to manage screen brightness- Add new userdom_dontaudit_manage_admin_dir() interface- Label /dev/oracleasmfs as oracleasmfs_t. Add few interfaces related to oracleasmfs_t type * Tue Aug 23 2016 Lukas Vrabec 3.13.1-210- Add few interfaces to cloudform.if file- Label /var/run/corosync-qnetd and /var/run/corosync-qdevice as cluster_var_run_t. Note: corosync policy is now par of rhcs module- Allow krb5kdc_t to read krb4kdc_conf_t dirs.- Update networkmanager_filetrans_named_content() interface to allow source domain to create also temad dir in /var/run.- Make confined users working again- Fix hypervkvp module- Allow ipmievd domain to create lock files in /var/lock/subsys/- Update policy for ipmievd daemon. Contain: Allowing reading sysfs, passwd,kernel modules Execuring bin_t,insmod_t- A new version of cloud-init that supports the effort to provision RHEL Atomic on Microsoft Azure requires some a new rules that allows dhclient/dhclient hooks to call cloud-init.- Allow systemd to stop systemd-machined daemon. This allows stop virtual machines.- Label /usr/libexec/iptables/iptables.init as iptables_exec_t Allow iptables creating lock file in /var/lock/subsys/ * Tue Aug 16 2016 Lukas Vrabec 3.13.1-209- Fix lsm SELinux module- Dontaudit firewalld to create dirs in /root/ BZ(1340611)- Label /run/corosync-qdevice and /run/corosync-qnetd as corosync_var_run_t- Allow fprintd and cluster domains to cummunicate via dbus BZ(1355774)- Allow cupsd_config_t domain to read cupsd_var_run_t sock_file. BZ(1361299)- Add sys_admin capability to sbd domain- Allow vdagent to comunnicate with systemd-logind via dbus- Allow lsmd_plugin_t domain to create fixed_disk device.- Allow opendnssec domain to create and manage own tmp dirs/files- Allow opendnssec domain to read system state- Allow systemd_logind stop system init_t- Add interface init_stop()- Add interface userdom_dontaudit_create_admin_dir()- Label /var/run/storaged as lvm_var_run_t.- Allow unconfineduser to run ipa_helper_t. * Fri Aug 12 2016 Lukas Vrabec 3.13.1-208- Allow cups_config_t domain also mange sock_files. BZ(1361299)- Add wake_alarm capability to fprintd domain BZ(1362430)- Allow firewalld_t to relabel net_conf_t files. BZ(1365178)- Allow nut_upsmon_t domain to chat with logind vie dbus about scheduleing a shutdown when UPS battery is low. BZ(1361802)- Allow virtual machines to use dri devices. This allows use openCL GPU calculations. BZ(1337333)- Allow crond and cronjob domains to creating mail_home_rw_t objects in admin_home_t BZ(1366173)- Dontaudit mock to write to generic certs.- Add labeling for corosync-qdevice and corosync-qnetd daemons, to run as cluster_t- Revert \"Label corosync-qnetd and corosync-qdevice as corosync_t domain\"- Merge pull request #144 from rhatdan/modemmanager- Allow modemmanager to write to systemd inhibit pipes- Label corosync-qnetd and corosync-qdevice as corosync_t domain- Allow ipa_helper to read network state- Label oddjob_reqiest as oddjob_exec_t- Add interface oddjob_run()- Allow modemmanager chat with systemd_logind via dbus- Allow NetworkManager chat with puppetagent via dbus- Allow NetworkManager chat with kdumpctl via dbus- Allow sbd send msgs to syslog Allow sbd create dgram sockets. Allow sbd to communicate with kernel via dgram socket Allow sbd r/w kernel sysctls.- Allow ipmievd_t domain to re-create ipmi devices Label /usr/libexec/openipmi-helper as ipmievd_exec_t- Allow rasdaemon to use tracefs filesystem- Fix typo bug in dirsrv policy- Some logrotate scripts run su and then su runs unix_chkpwd. Allow logrotate_t domain to check passwd.- Add ipc_lock capability to sssd domain. Allow sssd connect to http_cache_t- Allow dirsrv to read dirsrv_share_t content- Allow virtlogd_t to append svirt_image_t files.- Allow hypervkvp domain to read hugetlbfs dir/files.- Allow mdadm daemon to read nvme_device_t blk files- Allow systemd_resolved to connect on system bus. BZ(1366334)- Allow systemd to create netlink_route_socket and communicate with systemd_networkd BZ(1306344)- Allow systemd-modules-load to load kernel modules in early boot. BZ(1322625)- label tcp/udp port 853 as dns_port_t. BZ(1365609)- Merge pull request #145 from rhatdan/init- systemd is doing a gettattr on blk and chr devices in /run- Allow selinuxusers and unconfineduser to run oddjob_request- Allow sshd server to acces to Crypto Express 4 (CEX4) devices.- Fix typo in device interfaces- Add interfaces for managing ipmi devices- Add interfaces to allow mounting/umounting tracefs filesystem- Add interfaces to allow rw tracefs filesystem- Merge branch \'rawhide-base\' of github.com:fedora-selinux/selinux-policy into rawhide-base- Merge pull request #138 from rhatdan/userns- Allow iptables to creating netlink generic sockets.- Fix filecontext for systemd shared lib. * Thu Aug 04 2016 Lukas Vrabec 3.13.1-207- Fix filesystem inteface file, we don\'t have nsfs_fs_t type, just nsfs_t * Tue Aug 02 2016 Lukas Vrabec 3.13.1-206- collectd: update policy for 5.5- Allow puppet_t transtition to shorewall_t- Grant certmonger \"chown\" capability- Boinc updates from Russell Coker.- Allow sshd setcap capability. This is needed due to latest changes in sshd.- Revert \"Allow sshd setcap capability. This is needed due to latest changes in sshd\"- Revert \"Fix typo in ssh policy\"- Get attributes of generic ptys, from Russell Coker. * Fri Jul 29 2016 Lukas Vrabec 3.13.1-205- Dontaudit mock_build_t can list all ptys.- Allow ftpd_t to mamange userhome data without any boolean.- Add logrotate permissions for creating netlink selinux sockets.- Add new MLS attribute to allow relabeling objects higher than system low. This exception is needed for package managers when processing sensitive data.- Label all VBox libraries stored in /var/lib/VBoxGuestAdditions/lib/ as textrel_shlib_t BZ(1356654)- Allow systemd gpt generator to run fstools BZ(1353585)- Label /usr/lib/systemd/libsystemd-shared-231.so as lib_t. BZ(1360716)- Allow gnome-keyring also manage user_tmp_t sockets.- Allow systemd to mounton /etc filesystem. BZ(1341753) * Tue Jul 26 2016 Lukas Vrabec 3.13.1-204- Allow lsmd_plugin_t to exec ldconfig.- Allow vnstatd domain to read /sys/class/net/ files- Remove duplicate allow rules in spamassassin SELinux module- Allow spamc_t and spamd_t domains create .spamassassin file in user homedirs- Allow ipa_dnskey domain to search cache dirs- Allow dogtag-ipa-ca-renew-agent-submit labeled as certmonger_t to create /var/log/ipa/renew.log file- Allow ipa-dnskey read system state.- Allow sshd setcap capability. This is needed due to latest changes in sshd Resolves: rhbz#1356245- Add interface to write to nsfs inodes- Allow init_t domain to read rpm db. This is needed due dnf-upgrade process failing. BZ(1349721)- Allow systemd_modules_load_t to read /etc/modprobe.d/lockd.conf- sysadmin should be allowed to use docker. * Mon Jul 18 2016 Lukas Vrabec 3.13.1-203- Allow hypervkvp domain to run restorecon.- Allow firewalld to manage net_conf_t files- Remove double graphite-web context declaration- Fix typo in rhsmcertd SELinux policy- Allow logrotate read logs inside containers.- Allow sssd to getattr on fs_t- Allow opendnssec domain to manage bind chace files- Allow systemd to get status of systemd-logind daemon- Label more ndctl devices not just ndctl0 * Wed Jul 13 2016 Lukas Vrabec 3.13.1-202- Allow systemd_logind_t to start init_t BZ(1355861)- Add init_start() interface- Allow sysadm user to run systemd-tmpfiles- Add interface systemd_tmpfiles_run * Mon Jul 11 2016 Lukas Vrabec 3.13.1-201- Allow lttng tools to block suspending- Allow creation of vpnaas in openstack- remove rules with compromised_kernel permission- Allow dnssec-trigger to chat with NetworkManager over DBUS BZ(1350100)- Allow virtual machines to rw infiniband devices. Resolves: rhbz#1210263- Update makefile to support snapperd_contexts file- Remove compromize_kernel permission Remove unused mac_admin permission Add undefined system permission- Remove duplicate declaration of class service- Fix typo in access_vectors file- Merge branch \'rawhide-base-modules-load\' into rawhide-base- Add new policy for systemd-modules-load- Add systemd access vectors.- Revert \"Revert \"Revert \"Missed this version of exec_all\"\"\"- Revert \"Revert \"Missed this version of exec_all\"\"- Revert \"Missed this version of exec_all\"- Revert \"Revert \"Fix name of capability2 secure_firmware->compromise_kernel\"\" BZ(1351624) This reverts commit 3e0e7e70de481589440f3f79cccff08d6e62f644.- Revert \"Fix name of capability2 secure_firmware->compromise_kernel\" BZ(1351624) This reverts commit 7a0348a2d167a72c8ab8974a1b0fc33407f72c48.- Revert \"Allow xserver to compromise_kernel access\"BZ(1351624)- Revert \"Allow anyone who can load a kernel module to compromise_kernel\"BZ(1351624)- Revert \"add ptrace_child access to process\" (BZ1351624)- Add user namespace capability object classes.- Allow udev to manage systemd-hwdb files- Add interface systemd_hwdb_manage_config()- Fix paths to infiniband devices. This allows use more then two infiniband interfaces.- corecmd: Remove fcontext for /etc/sysconfig/libvirtd- iptables: add fcontext for nftables * Tue Jul 05 2016 Lukas Vrabec 3.13.1-200- Fix typo in brltty policy- Add new SELinux module sbd- Allow pcp dmcache metrics collection- Allow pkcs_slotd_t to create dir in /var/lock Add label pkcs_slotd_log_t- Allow openvpn to create sock files labeled as openvpn_var_run_t- Allow hypervkvp daemon to getattr on all filesystem types.- Allow firewalld to create net_conf_t files- Allow mock to use lvm- Allow mirromanager creating log files in /tmp- Allow vmtools_t to transition to rpm_script domain- Allow nsd daemon to manage nsd_conf_t dirs and files- Allow cluster to create dirs in /var/run labeled as cluster_var_run_t- Allow sssd read also sssd_conf_t dirs- Allow opensm daemon to rw infiniband_mgmt_device_t- Allow krb5kdc_t to communicate with sssd- Allow prosody to bind on prosody ports- Add dac_override caps for fail2ban-client Resolves: rhbz#1316678- dontaudit read access for svirt_t on the file /var/db/nscd/group Resolves: rhbz#1301637- Allow inetd child process to communicate via dbus with systemd-logind Resolves: rhbz#1333726- Add label for brltty log file Resolves: rhbz#1328818- Allow snort_t to communicate with sssd Resolves: rhbz#1284908- Add interface lttng_sessiond_tmpfs_t()- Dontaudit su_role_template interface to getattr /proc/kcore Dontaudit su_role_template interface to getattr /dev/initctl- Add interface lvm_getattr_exec_files()- Make label for new infiniband_mgmt deivices- Add prosody ports Resolves: rhbz#1304664 * Tue Jun 28 2016 Lukas Vrabec 3.13.1-199- Label /var/lib/softhsm as named_cache_t. Allow named_t to manage named_cache_t dirs.- Allow glusterd daemon to get systemd status- Merge branch \'rawhide-contrib\' of github.com:fedora-selinux/selinux-policy into rawhide-contrib- Merge pull request #135 from rhatdan/rawip_socket- Allow logrotate dbus-chat with system_logind daemon- Allow pcp_pmlogger to read kernel network state Allow pcp_pmcd to read cron pid files- Add interface cron_read_pid_files()- Allow pcp_pmlogger to create unix dgram sockets- Add interface dirsrv_run()- Remove non-existing jabberd_spool_t() interface and add new jabbertd_var_spool_t.- Remove non-existing interface salk_resetd_systemctl() and replace it with sanlock_systemctl_sanlk_resetd()- Create label for openhpid log files.- Container processes need to be able to listen on rawip sockets- Label /var/lib/ganglia as httpd_var_lib_t- Allow firewalld_t to create entries in net_conf_t dirs.- Allow journalctl to read syslogd_var_run_t files. This allows to staff_t and sysadm_t to read journals- Label /etc/dhcp/scripts dir as bin_t- Allow sysadm_role to run journalctl_t domain. This allows sysadm user to read journals. * Wed Jun 22 2016 Lukas Vrabec 3.13.1-198- Allow firewalld_t to create entries in net_conf_t dirs.- Allow journalctl to read syslogd_var_run_t files. This allows to staff_t and sysadm_t to read journals- Allow rhsmcertd connect to port tcp 9090- Label for /bin/mail(x) was removed but /usr/bin/mail(x) not. This path is also needed to remove.- Label /usr/libexec/mimedefang-wrapper as spamd_exec_t.- Add new boolean spamd_update_can_network.- Add proper label for /var/log/proftpd.log- Allow rhsmcertd connect to tcp netport_port_t- Fix SELinux context for /usr/share/mirrormanager/server/mirrormanager to Label all binaries under dir as mirrormanager_exec_t.- Allow prosody to bind to fac_restore tcp port.- Fix SELinux context for usr/share/mirrormanager/server/mirrormanager- Allow ninfod to read raw packets- Fix broken hostapd policy- Allow hostapd to create netlink_generic sockets. BZ(1343683)- Merge pull request #133 from vinzent/allow_puppet_transition_to_shorewall- Allow pegasus get attributes from qemu binary files.- Allow tuned to use policykit. This change is required by cockpit.- Allow conman_t to read dir with conman_unconfined_script_t binary files.- Allow pegasus to read /proc/sysinfo.- Allow puppet_t transtition to shorewall_t- Allow conman to kill conman_unconfined_script.- Allow sysadm_role to run journalctl_t domain. This allows sysadm user to read journals.- Merge remote-tracking branch \'refs/remotes/origin/rawhide-base\' into rawhide-base- Allow systemd to execute all init daemon executables.- Add init_exec_notrans_direct_init_entry() interface.- Label tcp ports:16379, 26379 as redis_port_t- Allow systemd to relabel /var and /var/lib directories during boot.- Add files_relabel_var_dirs() and files_relabel_var_dirs() interfaces.- Add files_relabelto_var_lib_dirs() interface.- Label tcp and udp port 5582 as fac_restore_port_t- Allow sysadm_t user to run postgresql-setup.- Allow sysadm_t user to dbus chat with oddjob_t. This allows confined admin run oddjob mkhomedirfor script.- Allow systemd-resolved to connect to llmnr tcp port. BZ(1344849)- Allow passwd_t also manage user_tmp_t dirs, this change is needed by gnome-keyringd * Thu Jun 16 2016 Lukas Vrabec 3.13.1-197- Allow conman to kill conman_unconfined_script.- Make conman_unconfined_script_t as init_system_domain.- Allow init dbus chat with apmd.- Patch /var/lib/rpm is symlink to /usr/share/rpm on Atomic, due to this change we need to label also /usr/share/rpm as rpm_var_lib_t.- Dontaudit xguest_gkeyringd_t stream connect to system_dbusd_t- Allow collectd_t to stream connect to postgresql.- Allow mysqld_safe to inherit rlimit information from mysqld- Allow ip netns to mounton root fs and unmount proc_t fs.- Allow sysadm_t to run newaliases command. * Mon Jun 13 2016 Lukas Vrabec 3.13.1-196- Allow svirt_sandbox_domains to r/w onload sockets- Add filetrans rule that NetworkManager_t can create net_conf_t files in /etc.- Add interface sysnet_filetrans_named_net_conf()- Rawhide fails to boot, systemd-logind needs to config transient config files- User Namespace is requires create on process domains * Wed Jun 08 2016 Lukas Vrabec 3.13.1-195- Add hwloc-dump-hwdata SELinux policy- Add labels for mediawiki123- Fix label for all fence_scsi_check scripts- Allow setcap for fenced- Allow glusterd domain read krb5_keytab_t files.- Allow tmpreaper_t to read/setattr all non_security_file_type dirs- Update refpolicy to handle hwloc- Fix typo in files_setattr_non_security_dirs.- Add interface files_setattr_non_security_dirs() * Tue Jun 07 2016 Lukas Vrabec 3.13.1-194- Allow boinc to use dri devices. This allows use Boinc for a openCL GPU calculations. BZ(1340886)- Add nrpe_dontaudit_write_pipes()- Merge pull request #129 from rhatdan/onload- Add support for onloadfs- Merge pull request #127 from rhatdan/device-node- Additional access required for unconfined domains- Dontaudit ping attempts to write to nrpe unnamed pipes- Allow ifconfig_t to mounton also ifconfig_var_run_t dirs, not just files. Needed for: #ip netns add foo BZ(1340952) * Mon May 30 2016 Lukas Vrabec 3.13.1-193- Directory Server (389-ds-base) has been updated to use systemd-ask-password. In order to function correctly we need the following added to dirsrv.te- Update opendnssec_manage_config() interface to allow caller domain also manage opendnssec_conf_t dirs- Allow gssproxy to get attributes on all filesystem object types. BZ(1333778)- Allow ipa_dnskey_t search httpd config files.- Dontaudit certmonger to write to etc_runtime_t- Update opendnssec_read_conf() interface to allow caller domain also read opendnssec_conf_t dirs.- Add interface ipa_delete_tmp()- Allow systemd_hostanmed_t to read /proc/sysinfo labeled as sysctl_t.- Allow systemd to remove ipa temp files during uinstalling ipa. BZ(1333106) * Wed May 25 2016 Lukas Vrabec 3.13.1-192- Create new SELinux type for /usr/libexec/ipa/ipa-dnskeysyncd BZ(1333106)- Add SELinux policy for opendnssec service. BZ(1333106) * Tue May 24 2016 Lukas Vrabec 3.13.1-191- Label /usr/share/ovirt-guest-agent/ovirt-guest-agent.py as rhev_agentd_exec_t- Allow dnssec_trigger_t to create lnk_file labeled as dnssec_trigger_var_run_t. BZ(1335954)- Allow ganesha-ha.sh script running under unconfined_t domain communicate with glusterd_t domains via dbus.- Allow ganesha daemon labeled as glusterd_t create /var/lib/nfs/ganesha dir labeled as var_lib_nfs_t.- Merge pull request #122 from NetworkManager/th/nm-dnsmasq-dbus- Merge pull request #125 from rhatdan/typebounds- Typebounds user domains- Allow systemd_resolved_t to check if ipv6 is disabled.- systemd added a new directory for unit files /run/systemd/transient. It should be labelled system_u:object_r:systemd_unit_file_t:s0, the same as /run/systemd/system, PID 1 will write units there. Resolves: #120- Label /dev/xen/privcmd as xen_device_t. BZ(1334115) * Mon May 16 2016 Lukas Vrabec 3.13.1-190- Label /var/log/ganesha.log as gluster_log_t Allow glusterd_t domain to create glusterd_log_t files. Label /var/run/ganesha.pid as gluster_var_run_t.- Allow zabbix to connect to postgresql port- Label /usr/libexec/openssh/sshd-keygen as sshd_keygen_exec_t. BZ(1335149)- Allow systemd to read efivarfs. Resolve: #121 * Tue May 10 2016 Lukas Vrabec 3.13.1-189- Revert temporary fix: Replace generating man/html pages with pages from actual build. This is due to broken userspace with python3 in F23/Rawhide. Please Revert when userspace will be fixed * Mon May 09 2016 Lukas Vrabec 3.13.1-188- Label tcp port 8181 as intermapper_port_t.- Label /usr/libexec/storaged/storaged as lvm_exec_t to run storaged daemon in lvm_t SELinux domain. BZ(1333588)- Label tcp/udp port 2024 as xinuexpansion4_port_t- Label tcp port 7002 as afs_pt_port_t Label tcp/udp port 2023 as xinuexpansion3_port_t * Thu May 05 2016 Lukas Vrabec 3.13.1-187- Allow stunnel create log files. BZ(1333033)- Label dev/shm/squid-cf__metadata.shm as squid_tmpfs_t. BZ(1331574)- Allow stunnel sys_nice capability. Stunnel sched_ * syscalls in some cases. BZ(1332287)- Label /usr/bin/ganesha.nfsd as glusterd_exec_t to run ganesha as glusterd_t. Allow glusterd_t stream connect to rpbind_t. Allow cluster_t to create symlink /var/lib/nfs labeled as var_lib_nfs_t. Add interface rpc_filetrans_var_lib_nfs_content() Add new boolean: rpcd_use_fusefs to allow rpcd daemon use fusefs.- Allow systemd-user-sessions daemon to mamange systemd_logind_var_run_t pid files. BZ(1331980)- Modify kernel_steam_connect() interface by adding getattr permission. BZ(1331927)- Label /usr/sbin/xrdp * files as bin_t BZ(1258453)- Allow rpm-ostree domain transition to install_t domain from init_t. rhbz#1330318 * Fri Apr 29 2016 Lukas Vrabec 3.13.1-186- Allow snapperd sys_admin capability Allow snapperd to set scheduler. BZ(1323732)- Label named-pkcs11 binary as named_exec_t. BZ(1331316)- Revert \"Add new permissions stop/start to class system. rhbz#1324453\"- Fix typo in module compilation message * Wed Apr 27 2016 Lukas Vrabec 3.13.1-185- Allow runnig php7 in fpm mode. From selinux-policy side, we need to allow httpd to read/write hugetlbfs.- Allow openvswitch daemons to run under openvswitch Linux user instead of root. This change needs allow set capabilities: chwon, setgid, setuid, setpcap. BZ(1330895)- Allow KDM to get status about power services. This change allow kdm to be able do shutdown BZ(1330970)- Add mls support for some db classes * Tue Apr 26 2016 Lukas Vrabec 3.13.1-184- Remove ftpd_home_dir() boolean from distro policy. Reason is that we cannot make this working due to m4 macro language limits.- Create new apache content template for files stored in user homedir. This change is needed to make working booleans: - httpd_enable_homedirs - httpd_read_user_content Resolves: rhbz#1330448- Label /usr/lib/snapper/systemd-helper as snapperd_exec_t. rhbz#1323732- Make virt_use_pcscd boolean off by default.- Create boolean to allow virtual machine use smartcards. rhbz#1029297- Allow snapperd to relabel btrfs snapshot subvolume to snapperd_data_t. rhbz#1323754- Allow mongod log to syslog.- Allow nsd daemon to create log file in /var/log as nsd_log_t- unlabeled_t can not be an entrypoint.- Modify interface den_read_nvme() to allow also read nvme_device_t block files. rhbz#1327909- Add new permissions stop/start to class system. rhbz#1324453 * Mon Apr 18 2016 Lukas Vrabec 3.13.1-183- Allow modemmanager to talk to logind- Dontaudit tor daemon needs net_admin capability. rhbz#1311788- Allow GDM write to event devices. This rule is needed for GDM, because other display managers runs the X server as root, GDM instead runs the X server as the unprivileged user, within the user session. rhbz#1232042- Xorg now writes content in users homedir. * Fri Apr 08 2016 Lukas Vrabec 3.13.1-182- rename several contrib modules according to their filenames- Add interface gnome_filetrans_cert_home_content()- By default container domains should not be allowed to create devices- Allow unconfined_t to create ~/.local/share/networkmanagement/certificates/ as home_cert_t instead of data_home_t.- Allow systemd_resolved_t to read /etc/passwd file. Allow systemd_resolved_t to write to kmsg_device_t when \'systemd.log_target=kmsg\' option is used- Allow systemd gpt generator to read removable devices. BZ(1323458)- Allow systemd_gpt_generator_t sys_rawio capability. This access is needed to allow systemd gpt generator various device commands BZ(1323454) * Fri Apr 01 2016 Lukas Vrabec 3.13.1-181- Label /usr/libexec/rpm-ostreed as rpm_exec_t. BZ(1309075)- /bin/mailx is labeled sendmail_exec_t, and enters the sendmail_t domain on execution. If /usr/sbin/sendmail does not have its own domain to transition to, and is not one of several products whose behavior is allowed by the sendmail_t policy, execution will fail. In this case we need to label /bin/mailx as bin_t. BZ(1323224)- Label all run tgtd files, not just socket files.- Allow prosody to stream connect to sasl. This will allow using cyrus authentication in prosody.- Allow prosody to listen on port 5000 for mod_proxy65. BZ(1322815)- Allow targetd to read/write to /dev/mapper/control device. BZ(1241415)- Label /etc/selinux/(minimum|mls|targeted)/active/ as semanage_store_t.- Allow systemd_resolved to read systemd_networkd run files. BZ(1322921)- New cgroup2 file system in Rawhide * Wed Mar 30 2016 Lukas Vrabec 3.13.1-180- Allow dovecot_auth_t domain to manage also dovecot_var_run_t fifo files. BZ(1320415)- Allow colord to read /etc/udev/hwdb.bin. rhzb#1316514- sandboxX.te: Allow sandbox domain to have entrypoint access only for executables and mountpoints.- Allow sandbox domain to have entrypoint access only for executables and mountpoints.- Allow bitlee to create bitlee_var_t dirs.- Allow CIM provider to read sssd public files.- Fix some broken interfaces in distro policy.- Allow power button to shutdown the laptop.- Allow lsm plugins to create named fixed disks. rhbz#1238066- Allow hyperv domains to rw hyperv devices. rhbz#1241636- Label /var/www/html(/. *)?/wp_backups(/. *)? as httpd_sys_rw_content_t.- Create conman_unconfined_script_t type for conman script stored in /use/share/conman/exec/- Allow rsync_export_all_ro boolean to read also non_auth_dirs/files/symlinks.- Allow pmdaapache labeled as pcp_pmcd_t access to port 80 for apache diagnostics- Label nagios scripts as httpd_sys_script_exec_t.- Allow nsd_t to bind on nsf_control tcp port. Allow nsd_crond_t to read nsd pid.- Fix couple of cosmetic thing in new virtlogd_t policy. rhbz #1311576- Merge pull request #104 from berrange/rawhide-contrib-virtlogd- Label /var/run/ecblp0 as cupsd_var_run_t due to this fifo_file is used by epson drivers. rhbz#1310336- Dontaudit logrotate to setrlimit itself. rhbz#1309604- Add filename transition that /etc/princap will be created with cupsd_rw_etc_t label in cups_filetrans_named_content() interface.- Allow pcp_pmie and pcp_pmlogger to read all domains state.- Allow systemd-gpt-generator to create and manage systemd gpt generator unit files. BZ(1319446)- Merge pull request #115 from rhatdan/nvidea- Label all nvidia binaries as xserver_exec_t- Add new systemd_hwdb_read_config() interface. rhbz#1316514- Add back corecmd_read_all_executables() interface.- Call files_type() instead of file_type() for unlabeled_t.- Add files_entrypoint_all_mountpoint() interface.- Make unlabeled only as a file_type type. It is a type for fallback if there is an issue with labeling.- Add corecmd_entrypoint_all_executables() interface.- Create hyperv * devices and create rw interfaces for this devices. rhbz#1309361- Add neverallow assertion for unlabaled_t to increase policy security.- Allow systemd-rfkill to create /var/lib/systemd/rfkill dir. rhbz#1319499- Label 8952 tcp port as nsd_control.- Allow to log out to gdm after screen was resized in session via vdagent. Resolves: rhbz#1249020 * Wed Mar 16 2016 Lukas Vrabec 3.13.1-179- Add filename transition that /etc/princap will be created with cupsd_rw_etc_t label in cups_filetrans_named_content() interface.- Revert \"Add filename transition that /etc/princap will be created with cupsd_rw_etc_t label in cups_filetrans_named_content.\"- Add filename transition that /etc/princap will be created with cupsd_rw_etc_t label in cups_filetrans_named_content.- Allow pcp_pmie and pcp_pmlogger to read all domains state.- Make fwupd domain unconfined. We need to discuss solution related to using gpg. rhbz#1316717- Merge pull request #108 from rhatdan/rkt- Merge pull request #109 from rhatdan/virt_sandbox- Add new interface to define virt_sandbox_network domains- Label /etc/redis-sentinel.conf as redis_conf_t. Allow redis_t write to redis_conf_t. Allow redis_t to connect on redis tcp port.- Fix typo in drbd policy- Remove declaration of empty booleans in virt policy.- Add new drbd file type: drbd_var_run_t. Allow drbd_t to manage drbd_var_run_t files/dirs.- Label /etc/ctdb/events.d/ * as ctdb_exec_t. Allow ctdbd_t to setattr on ctdbd_exec_t files.- Additional rules to make rkt work in enforcing mode- Allow to log out to gdm after screen was resized in session via vdagent. Resolves: rhbz#1249020- Allow ipsec to use pam. rhbz#1317988- Allow systemd-gpt-generator to read fixed_disk_device_t. rhbz#1314968- Allow setrans daemon to read /proc/meminfo.- Merge pull request #107 from rhatdan/rkt-base- Allow systemd_notify_t to write to kmsg_device_t when \'systemd.log_target=kmsg\' option is used.- Remove bin_t label for /etc/ctdb/events.d/. We need to label this scripts as ctdb_exec_t. * Thu Mar 10 2016 Lukas Vrabec 3.13.1-178- Label tcp port 5355 as llmnr-> Link-Local Multicast Name Resolution- Add support systemd-resolved. * Tue Mar 08 2016 Lukas Vrabec 3.13.1-177- Allow spice-vdagent to getattr on tmpfs_t filesystems Resolves: rhbz#1276251- Allow sending dbus msgs between firewalld and system_cronjob domains.- Allow zabbix-agentd to connect to following tcp sockets. One of zabbix-agentd functions is get service status of ftp,http,innd,pop,smtp protocols. rhbz#1315354- Allow snapperd mounton permissions for snapperd_data_t. BZ(#1314972)- Add support for systemd-gpt-auto-generator. rhbz#1314968- Add interface dev_read_nvme() to allow reading Non-Volatile Memory Host Controller devices.- Add support for systemd-hwdb daemon. rhbz#1306243 * Thu Mar 03 2016 Lukas Vrabec 3.13.1-176- Add new boolean tmpreaper_use_cifs() to allow tmpreaper to run on local directories being shared with Samba.- Merge pull request #105 from rhatdan/NO_NEW_PRIV- Fix new rkt policy- Remove some redundant rules.- Fix cosmetic issues in interface file.- Merge pull request #100 from rhatdan/rawhide-contrib- Add interface fs_setattr_cifs_dirs().- Merge pull request #106 from rhatdan/NO_NEW_PRIV_BASE- Fixed to make SELinux work with docker and prctl(NO_NEW_PRIVS)-Build file_contexts.bin file_context.local.bin file_context.homedir.bin during build phase. This fix issue in Fedora live images when selinux-policy-targeted is not installed but just unpackaged, since there\'s no .bin files, file_contexts is parsed in selabel_open().Resolves: rhbz#1314372 * Fri Feb 26 2016 Lukas Vrabec 3.13.1-175- Fix new rkt policy (Remove some redundant rules, Fix cosmetic issues in interface file)- Add policy for rkt services * Fri Feb 26 2016 Lukas Vrabec 3.13.1-174- Revert \"Allow systemd-logind to create .#nologinXXXXXX labeled as systemd_logind_var_run_t in /var/run/systemd/ rhbz#1285019\"- Allow systemd-logind to create .#nologinXXXXXX labeled as systemd_logind_var_run_t in /var/run/ rhbz#1285019 * Fri Feb 26 2016 Lukas Vrabec 3.13.1-173- Allow amanda to manipulate the tape changer to load the necessary tapes. rhbz#1311759- Allow keepalived to create netlink generic sockets. rhbz#1311756- Allow modemmanager to read /etc/passwd file.- Label all files named /var/run/. *nologin. * as systemd_logind_var_run_t.- Add filename transition to interface systemd_filetrans_named_content() that domain will create rfkill dir labeled as systemd_rfkill_var_lib_t instead of init_var_lib_t. rhbz #1290255- Allow systemd-logind to create .#nologinXXXXXX labeled as systemd_logind_var_run_t in /var/run/systemd/ rhbz#1285019- Allow systemd_networkd_t to write kmsg, when kernel was started with following params: systemd.debug systemd.log_level=debug systemd.log_target=kmsg rhbz#1311444- Allow ipsec to read home certs, when connecting to VPN. rhbz#1301319 * Thu Feb 25 2016 Lukas Vrabec 3.13.1-172- Fix macro name from snmp_manage_snmp_var_lib_files to snmp_manage_var_lib_files in cupsd policy.- Allow hplip driver to write to its MIB index files stored in the /var/lib/net-snmp/mib_indexes. Resolves: rhbz#1291033- Allow collectd setgid capability Resolves:#1310896- Allow adcli running as sssd_t to write krb5.keytab file.- Allow abrt-hook-ccpp to getattr on all executables. BZ(1284304)- Allow kexec to read kernel module files in /usr/lib/modules.- Add httpd_log_t for /var/log/graphite-web rhbz#1306981- Remove redudant rules and fix _admin interface.- Add SELinux policy for LTTng 2.x central tracing registry session daemon.- Allow create mongodb unix dgram sockets. rhbz#1306819- Support for InnoDB Tablespace Encryption.- Dontaudit leaded file descriptors from firewalld- Add port for rkt services- Add support for the default lttng-sessiond port - tcp/5345. This port is used by LTTng 2.x central tracing registry session daemon. * Thu Feb 11 2016 Lukas Vrabec 3.13.1-171- Allow setroubleshoot_fixit_t to use temporary files * Wed Feb 10 2016 Lukas Vrabec 3.13.1-170- Allow abrt_dump_oops_t to getattr filesystem nsfs files. rhbz#1300334- Allow ulogd_t to create netlink_netfilter sockets. rhbz#1305426- Create new type fwupd_cert_t Label /etc/pki/(fwupd|fwupd-metadata) dirs as fwupd_cert_t Allow fwupd_t domain to read fwupd_cert_t files|lnk_files rhbz#1303533- Add interface to dontaudit leaked files from firewalld- fwupd needs to dbus chat with policykit- Allow fwupd domain transition to gpg domain. Fwupd signing firmware updates by gpg. rhbz#1303531- Allow abrt_dump_oops_t to check permissions for a /usr/bin/Xorg. rhbz#1284967- Allow prelink_cron_system_t domain set resource limits. BZ(1190364)- Allow pppd_t domain to create sockfiles in /var/run labeled as pppd_var_run_t label. BZ(1302666)- Fix wrong name for openqa_websockets tcp port.- Allow run sshd-keygen on second boot if first boot fails after some reason and content is not syncedon the disk. These changes are reflecting this commit in sshd. http://pkgs.fedoraproject.org/cgit/rpms/openssh.git/commit/?id=af94f46861844cbd6ba4162115039bebcc8f78ba rhbz#1299106- Add interface ssh_getattr_server_keys() interface. rhbz#1299106- Added Label openqa for tcp port (9526) Added Label openqa-websockets for tcp port (9527) rhbz#1277312- Add interface fs_getattr_nsfs_files()- Add interface xserver_exec().- Revert \"Allow all domains some process flags.\"BZ(1190364) * Wed Feb 03 2016 Lukas Vrabec 3.13.1-169- Allow openvswitch domain capability sys_rawio.- Revert \"Allow NetworkManager create dhcpc pid files. BZ(1229755)\"- Allow openvswitch to manage hugetlfs files and dirs.- Allow NetworkManager create dhcpc pid files. BZ(1229755)- Allow apcupsd to read kernel network state. BZ(1282003)- Label /sys/kernel/debug/tracing filesystem- Add fs_manage_hugetlbfs_files() interface.- Add sysnet_filetrans_dhcpc_pid() interface. * Wed Jan 20 2016 Lukas Vrabec 3.13.1-168- Label virtlogd binary as virtd_exec_t. BZ(1291940)- Allow iptables to read nsfs files. BZ(1296826) * Mon Jan 18 2016 Lukas Vrabec 3.13.1-167- Add fwupd policy for daemon to allow session software to update device firmware- Label /usr/libexec/ipa/oddjob/org.freeipa.server.conncheck as ipa_helper_exec_t. BZ(1289930)- Allow systemd services to use PrivateNetwork feature- Add a type and genfscon for nsfs.- Fix SELinux context for rsyslog unit file. BZ(1284173) * Wed Jan 13 2016 Lukas Vrabec 3.13.1-166- Allow logrotate to systemctl rsyslog service. BZ(1284173)- Allow condor_master_t domain capability chown. BZ(1297048)- Allow chronyd to be dbus bus client. BZ(1297129)- Allow openvswitch read/write hugetlb filesystem.- Revert \"Allow openvswitch read/write hugetlb filesystem.\"- Allow smbcontrol domain to send sigchld to ctdbd domain.- Allow openvswitch read/write hugetlb filesystem.- Merge branch \'rawhide-contrib\' of github.com:fedora-selinux/selinux-policy into rawhide-contrib- Label /var/log/ipareplica-conncheck.log file as ipa_log_t Allow ipa_helper_t domain to manage logs labeledas ipa_log_t Allow ipa_helper_t to connect on http and kerberos_passwd ports. BZ(1289930)- Allow keepalived to connect to 3306/tcp port - mysqld_port_t.- Merge remote-tracking branch \'refs/remotes/origin/rawhide-contrib\' into rawhide-contrib- Merge remote-tracking branch \'refs/remotes/origin/rawhide-contrib\' into rawhide-contrib- Merge pull request #86 from rhatdan/rawhide-contrib- Label some new nsd binaries as nsd_exec_t Allow nsd domain net_admin cap. Create label nsd_tmp_t for nsd tmp files/dirs BZ (1293146)- Added interface logging_systemctl_syslogd- Label rsyslog unit file- Added policy for systemd-coredump service. Added domain transition from kernel_t to systemd_coredump_t. Allow syslogd_t domain to read/write tmpfs systemd-coredump files. Make new domain uconfined for now. * Wed Jan 06 2016 Lukas Vrabec 3.13.1-165- Allow sddm-helper running as xdm_t to create .wayland-errors with correct labeling. BZ(#1291085)- Revert \"Allow arping running as netutils_t sys_module capability for removing tap devices.\"- Allow arping running as netutils_t sys_module capability for removing tap devices.- Add userdom_connectto_stream() interface.- Allow systemd-logind to read /run/utmp. BZ(#1278662)- Allow sddm-helper running as xdm_t to create .wayland-errors with correct labeling. BZ(#1291085)- Revert \"Allow arping running as netutils_t sys_module capability for removing tap devices.\"- Allow arping running as netutils_t sys_module capability for removing tap devices.- Add userdom_connectto_stream() interface.- Allow systemd-logind to read /run/utmp. BZ(#1278662) * Tue Dec 15 2015 Lukas Vrabec 3.13.1-164- Allow firewalld to create firewalld_var_run_t directory. BZ(1291243)- Add interface firewalld_read_pid_files()- Allow iptables to read firewalld pid files. BZ(1291243)- Allow the user cronjobs to run in their userdomain- Label ssdm binaries storedin /etc/sddm/ as bin_t. BZ(1288111)- Merge pull request #81 from rhatdan/rawhide-base- New access needed by systemd domains * Wed Dec 09 2015 Lukas Vrabec 3.13.1-163- Allow whack executed by sysadm SELinux user to access /var/run/pluto/pluto.ctl. It fixes \"ipsec auto --status\" executed by sysadm_t.- Add ipsec_read_pid() interface * Mon Dec 07 2015 Miroslav Grepl 3.13.1-162- Label /usr/sbin/lvmlockd binary file as lvm_exec_t. BZ(1287739)- Adding support for dbus communication between systemd-networkd and systemd-hostnamed. BZ(1279182)- Update init policy to have userdom_noatsecure_login_userdomain() and userdom_sigchld_login_userdomain() called for init_t.- init_t domain should be running without unconfined_domain attribute.- Add a new SELinux policy for /usr/lib/systemd/systemd-rfkill.- Update userdom_transition_login_userdomain() to have \"sigchld\" and \"noatsecure\" permissions.- systemd needs to access /dev/rfkill on early boot.- Allow dspam to read /etc/passwd * Mon Nov 30 2015 Lukas Vrabec 3.13.1-161- Set default value as true in boolean mozilla_plugin_can_network_connect. BZ(1286177) * Tue Nov 24 2015 Lukas Vrabec 3.13.1-160- Allow apcupsd sending mails about battery state. BZ(1274018)- Allow pcp_pmcd_t domain transition to lvm_t. BZ(1277779)- Merge pull request #68 from rhatdan/rawhide-contrib- Allow antivirus_t to bind to all unreserved ports. Clamd binds to random unassigned port (by default in range 1024-2048). #1248785- Allow systemd-networkd to bind dhcpd ports if DHCP=yes in *.network conf file. BZ(#1280092)- systemd-tmpfiles performs operations on System V IPC objects which requires sys_admin capability. BZ(#1279269) * Fri Nov 20 2015 Miroslav Grepl 3.13.1-159- Allow antivirus_t to bind to all unreserved ports. Clamd binds to random unassigned port (by default in range 1024-2048)- Allow abrt-hook-ccpp to change SELinux user identity for created objects.- Allow abrt-hook-ccpp to get attributes of all processes because of core_pattern.- Allow setuid/setgid capabilities for abrt-hook-ccpp.- Add default labeling for /etc/Pegasus/cimserver_current.conf. It is a correct patch instead of the current /etc/Pegasus/pegasus_current.conf.- Allow fenced node dbus msg when using foghorn witch configured foghorn, snmpd, and snmptrapd.- cockpit has grown content in /var/run directory- Add support for /dev/mptctl device used to check RAID status.- Allow systemd-hostnamed to communicate with dhcp via dbus.- systemd-logind remove all IPC objects owned by a user on a logout. This covers also SysV memory. This change allows to destroy unpriviledged user SysV shared memory segments.- Add userdom_destroy_unpriv_user_shared_mem() interface.- Label /var/run/systemd/shutdown directory as systemd_logind_var_run_t to allow systemd-logind to access it if shutdown is invoked.- Access needed by systemd-machine to manage docker containers- Allow systemd-logind to read /run/utmp when shutdown is invoked. * Tue Nov 10 2015 Miroslav Grepl 3.13.1-158- Merge pull request #48 from lkundrak/contrib-openfortivpn- unbound wants to use ephemeral ports as a default configuration. Allow to use also udp sockets. * Mon Nov 09 2015 Miroslav Grepl 3.13.1-157- The ABRT coredump handler has code to emulate default core file creation The handler runs in a separate process with abrt_dump_oops_t SELinux process type. abrt-hook-ccpp also saves the core dump file in the very same way as kernel does and a user can specify CWD location for a coredump. abrt-hook-ccpp has been made as a SELinux aware apps to create this coredumps with correct labeling and with this commit the policy rules have been updated to allow access all non security files on a system.- Since /dev/log is a symlink, we need to allow relabelto also symlink. This commit update logging_relabel_devlog_dev() interface to allow it.- systemd-user has pam_selinux support and needs to able to compute user security context if init_t is not unconfined domain. * Tue Oct 27 2015 Lukas Vrabec 3.13.1-156- Allow fail2ban-client to execute ldconfig. #1268715- Add interface virt_sandbox_domain()- Use mmap_file_perms instead of exec_file_perms in setroubleshoot policy to shave off the execute_no_trans permission. Based on a github communication with Dominick Grift.-all userdom_dontaudit_user_getattr_tmp_sockets instead() of usedom_dontaudit_user_getattr_tmp_sockets().- Rename usedom_dontaudit_user_getattr_tmp_sockets() to userdom_dontaudit_user_getattr_tmp_sockets().- Remove auth_login_pgm_domain(init_t) which has been added by accident.- init_t needs to able to change SELinux identity because it is used as login_pgm domain because of systemd-user and PAM. It allows security_compute_user() returns a list of possible context and then a correct default label is returned by \"selinux.get_default_context(sel_user,fromcon)\" defined in the policy user config files.- Add interface auth_use_nsswitch() to systemd_domain_template.- Revert \"auth_use_nsswitch can be used with attribute systemd_domain.\"- auth_use_nsswitch can be used with attribute systemd_domain.- ipsec: fix stringSwan charon-nm- docker is communicating with systemd-machined- Add missing systemd_dbus_chat_machined, needed by docker * Tue Oct 20 2015 Lukas Vrabec 3.13.1-155- Build including docker selinux interfaces. * Tue Oct 20 2015 Lukas Vrabec 3.13.1-154- Allow winbindd to send signull to kernel. BZ(#1269193)- Merge branch \'rawhide-contrib-chrony\' into rawhide-contrib- Fixes for chrony version 2.2 BZ(#1259636) * Allow chrony chown capability * Allow sendto dgram_sockets to itself and to unconfined_t domains.- Merge branch \'rawhide-contrib-chrony\' into rawhide-contrib- Add boolean allowing mysqld to connect to http port. #1262125- Merge pull request #52 from 1dot75cm/rawhide-base- Allow systemd_hostnamed to read xenfs_t files. BZ(#1233877)- Fix attribute in corenetwork.if.in * Tue Oct 13 2015 Lukas Vrabec 3.13.1-153- Allow abrt_t to read sysctl_net_t files. BZ(#1194280)- Merge branch \'rawhide-contrib\' of github.com:fedora-selinux/selinux-policy into rawhide-contrib- Add abrt_stub interface.- Add support for new mock location - /usr/libexec/mock/mock. BZ(#1270972)- Allow usbmuxd to access /run/udev/data/+usb: *. BZ(#1269633)- Allow qemu-bridge-helper to read /dev/random and /dev/urandom. BZ(#1267217)- Allow sssd_t to manage samba var files/dirs to SSSD\'s GPO support which is enabled against an Active Directory domain. BZ(#1225200).- Add samba_manage_var_dirs() interface.- Allow pcp_pmlogger to exec bin_t BZ(#1258698)- Allow spamd to read system network state. BZ(1260234)- Allow fcoemon to create netlink scsitransport sockets BZ(#1260882)- Allow networkmanager to create networkmanager_var_lib_t files. BZ(1270201)- Allow systemd-networkd to read XEN state for Xen hypervisor. BZ(#1269916)- Add fs_read_xenfs_files() interface.- Allow systemd_machined_t to send dbus msgs to all users and read/write /dev/ptmx to make \'machinectl shell\' working correctly.- Allow systemd running as init_t to override the default context for key creation. BZ(#1267850) * Thu Oct 08 2015 Lukas Vrabec 3.13.1-152- Allow pcp_pmlogger to read system state. BZ(1258699)- Allow cupsd to connect on socket. BZ(1258089)- Allow named to bind on ephemeral ports. BZ(#1259766)- Allow iscsid create netlink iscsid sockets.- We need allow connect to xserver for all sandbox_x domain because we have one type for all sandbox processes.- Allow NetworkManager_t and policykit_t read access to systemd-machined pid files. #1255305- Add missing labeling for /usr/libexec/abrt-hook-ccpp as a part of #1245477 and #1242467 bugs.- Allow search dirs in sysfs types in kernel_read_security_state.- Fix kernel_read_security_state interface that source domain of this interface can search sysctl_fs_t dirs. * Fri Oct 02 2015 Lukas Vrabec 3.13.1-151- Update modules_filetrans_named_content() to make sure we don\'t get modules_dep labeling by filename transitions.- Remove /usr/lib/modules/[^/]+/modules\\..+ labeling- Add modutils_read_module_deps_files() which is called from files_read_kernel_modules() for module deps which are still labeled as modules_dep_t.- Remove modules_dep_t labeling for kernel module deps. depmod is a symlink to kmod which is labeled as insmod_exec_t which handles modules_object_t and there is no transition to modules_dep_t. Also some of these module deps are placed by cpio during install/update of kernel package. * Fri Oct 02 2015 Lukas Vrabec 3.13.1-150- Allow acpid to attempt to connect to the Linux kernel via generic netlink socket.- Clean up pkcs11proxyd policy.- We need to require sandbox_web_type attribute in sandbox_x_domain_template().- Revert \"depmod is a symlink to insmod so it runs as insmod_t. It causes that dep kernel modules files are not created with the correct labeling modules_dep_t. This fix adds filenamtrans rules for insmod_t.\"- depmod is a symlink to insmod so it runs as insmod_t. It causes that dep kernel modules files are not created with the correct labeling modules_dep_t. This fix adds filenamtrans rules for insmod_t.- Update files_read_kernel_modules() to contain modutils_read_module_deps() calling because module deps labeling has been updated and it allows to avoid regressions.- Update modules_filetrans_named_content() interface to cover more modules. * files.- New policy for systemd-machined. #1255305- In Rawhide/F24, we added pam_selinux.so support for systemd-users to have user sessions running under correct SELinux labeling. It also supports another new feature with systemd+dbus and we have sessions dbuses running with the correct labeling - unconfined_dbus_t for example.- Allow systemd-logind read access to efivarfs - Linux Kernel configuration options for UEFI systems (UEFI Runtime Variables). #1244973, #1267207 (partial solution)- Merge pull request #42 from vmojzis/rawhide-base- Add interface to allow reading files in efivarfs - contains Linux Kernel configuration options for UEFI systems (UEFI Runtime Variables) * Tue Sep 29 2015 Lukas Vrabec 3.13.1-149- Add few rules related to new policy for pkcs11proxyd- Added new policy for pkcs11proxyd daemon- We need to require sandbox_web_type attribute in sandbox_x_domain_template().- Dontaudit abrt_t to rw lvm_lock_t dir.- Allow abrt_d domain to write to kernel msg device.- Add interface lvm_dontaudit_rw_lock_dir()- Merge pull request #35 from lkundrak/lr-libreswan * Tue Sep 22 2015 Lukas Vrabec 3.13.1-148- Update config.tgz to reflect changes in default context for SELinux users related to pam_selinux.so which is now used in systemd-users.- Added support for permissive domains- Allow rpcbind_t domain to change file owner and group- rpm-ostree has a daemon mode now and need to speak to polkit/logind for authorization. BZ(#1264988)- Allow dnssec-trigger to send generic signal to Network-Manager. BZ(#1242578)- Allow smbcontrol to create a socket in /var/samba which uses for a communication with smbd, nmbd and winbind.- Revert \"Add apache_read_pid_files() interface\"- Allow dirsrv-admin read httpd pid files.- Add apache_read_pid_files() interface- Add label for dirsrv-admin unit file.- Allow qpid daemon to connect on amqp tcp port.- Allow dirsrvadmin-script read /etc/passwd file Allow dirsrvadmin-script exec systemctl- Add labels for afs binaries: dafileserver, davolserver, salvageserver, dasalvager- Add lsmd_plugin_t sys_admin capability, Allow lsmd_plugin_t getattr from sysfs filesystem.- Allow rhsmcertd_t send signull to unconfined_service_t domains.- Revert \"Allow pcp to read docker lib files.\"- Label /usr/libexec/dbus-1/dbus-daemon-launch-helper as dbusd_exec_t to have systemd dbus services running in the correct domain instead of unconfined_service_t if unconfined.pp module is enabled. BZ(#1262993)- Allow pcp to read docker lib files.- Revert \"init_t needs to be login_pgm domain because of systemd-users + pam_selinux.so\"- Add login_userdomain attribute also for unconfined_t.- Add userdom_login_userdomain() interface.- Label /etc/ipa/nssdb dir as cert_t- init_t needs to be login_pgm domain because of systemd-users + pam_selinux.so- Add interface unconfined_server_signull() to allow domains send signull to unconfined_service_t- Call userdom_transition_login_userdomain() instead of userdom_transition() in init.te related to pam_selinux.so+systemd-users.- Add userdom_transition_login_userdomain() interface- Allow user domains with login_userdomain to have entrypoint access on init_exec. It is needed by pam_selinux.so call in systemd-users. BZ(#1263350)- Add init_entrypoint_exec() interface.- Allow init_t to have transition allow rule for userdomain if pam_selinux.so is used in /etc/pam.d/systemd-user. It ensures that systemd user sessions will run with correct userdomain types instead of init_t. BZ(#1263350) * Mon Sep 14 2015 Lukas Vrabec 3.13.1-147- named wants to access /proc/sys/net/ipv4/ip_local_port_range to get ehphemeral range. BZ(#1260272)- Allow user screen domains to list directorires in HOMEDIR wit user_home_t labeling.- Dontaudit fenced search gnome config- Allow teamd running as NetworkManager_t to access netlink_generic_socket to allow multiple network interfaces to be teamed together. BZ(#1259180)- Fix for watchdog_unconfined_exec_read_lnk_files, Add also dir search perms in watchdog_unconfined_exec_t.- Sanlock policy update. #1255307 - New sub-domain for sanlk-reset daemon- Fix labeling for fence_scsi_check script- Allow openhpid to read system state Aloow openhpid to connect to tcp http port.- Allow openhpid to read snmp var lib files.- Allow openvswitch_t domains read kernel dependencies due to openvswitch run modprobe- Fix regexp in chronyd.fc file- systemd-logind needs to be able to act with /usr/lib/systemd/system/poweroff.target to allow shutdown system. BZ(#1260175)- Allow systemd-udevd to access netlink_route_socket to change names for network interfaces without unconfined.pp module. It affects also MLS.- Allow unconfined_t domains to create /var/run/xtables.lock with iptables_var_run_t- Remove bin_t label for /usr/share/cluster/fence_scsi_check\\.pl * Tue Sep 01 2015 Lukas Vrabec 3.13.1-146- Allow passenger to getattr filesystem xattr- Revert \"Allow pegasus_openlmi_storage_t create mdadm.conf.anacbak file in /etc.\"- Label mdadm.conf.anackbak as mdadm_conf_t file.- Allow dnssec-ttrigger to relabel net_conf_t files. BZ(1251765)- Allow dnssec-trigger to exec pidof. BZ(#1256737)- Allow blueman to create own tmp files in /tmp. (#1234647)- Add new audit_read access vector in capability2 class- Add \"binder\" security class and access vectors- Update netlink socket classes.- Allow getty to read network state. BZ(#1255177)- Remove labeling for /var/db/. *\\.db as etc_t to label db files as system_db_t. * Sun Aug 30 2015 Lukas Vrabec 3.13.1-145- Allow watchdog execute fenced python script.- Added inferface watchdog_unconfined_exec_read_lnk_files()- Allow pmweb daemon to exec shell. BZ(1256127)- Allow pmweb daemon to read system state. BZ(#1256128)- Add file transition that cermonger can create /run/ipa/renewal.lock with label ipa_var_run_t.- Revert \"Revert default_range change in targeted policy\"- Allow dhcpc_t domain transition to chronyd_t * Mon Aug 24 2015 Lukas Vrabec 3.13.1-144- Allow pmlogger to create pmlogger.primary.socket link file. BZ(1254080)- Allow NetworkManager send sigkill to dnssec-trigger. BZ(1251764)- Add interface dnssec_trigger_sigkill- Allow smsd use usb ttys. BZ(#1250536)- Fix postfix_spool_maildrop_t,postfix_spool_flush_t contexts in postfix.fc file.- Revert default_range change in targeted policy- Allow systemd-sysctl cap. sys_ptrace BZ(1253926) * Fri Aug 21 2015 Miroslav Grepl 3.13.1-143- Add ipmievd policy creaed by vmojzisAATTredhat.com- Call kernel_load_module(vmware_host_t) to satisfy neverallow assertion for sys_moudle in MLS where unconfined is disabled.- Allow NetworkManager to write audit log messages- Add new policy for ipmievd (ipmitool).- mirrormanager needs to be application domain and cron_system_entry needs to be called in optional block.- Allow sandbox domain to be also /dev/mem writer- Fix neverallow assertion for sys_module capability for openvswitch.- kernel_load_module() needs to be called out of boolean for svirt_lxc_net_t.- Fix neverallow assertion for sys_module capability.- Add more attributes for sandbox domains to avoid neverallow assertion issues. - Add neverallow asserition fixes related to storage.- Allow exec pidof under hypervkvp domain. Allow hypervkvp daemon create connection to the system DBUS- Allow openhpid_t to read system state.- Add temporary fixes for sandbox related to #1103622. It allows to run everything under one sandbox type.- Added labels for files provided by rh-nginx18 collection- Dontaudit block_suspend capability for ipa_helper_t, this is kernel bug. Allow ipa_helper_t capability net_admin. Allow ipa_helper_t to list /tmp. Allow ipa_helper_t to read rpm db.- Allow rhsmcertd exec rhsmcertd_var_run_t files and rhsmcerd_tmp_t files. This rules are in hide_broken_sympthons until we find better solution.- Update files_manage_all_files to contain auth_reader_shadow and auth_writer_shadow tosatisfy neverallow assertions.- Update files_relabel_all_files() interface to contain auth_relabelto_shadow() interface to satisfy neverallow assertion.- seunshare domains needs to have set_curr_context attribute to resolve neverallow assertion issues.- Add dev_raw_memory_writer() interface- Add auth_reader_shadow() and auth_writer_shadow() interfaces- Add dev_raw_memory_reader() interface.- Add storage_rw_inherited_scsi_generic() interface.- Update files_relabel_non_auth_files() to contain seutil_relabelto_bin_policy() to make neverallow assertion working.- Update kernel_read_all_proc() interface to contain can_dump_kernel and can_receive_kernel_messages attributes to fix neverallow violated issue for proc_kcore_t and proc_kmsg_t.- Update storage_rw_inherited_fixed_disk_dev() interface to use proper attributes to fix neverallow violated issues caused by neverallow check during build process. * Tue Aug 18 2015 Lukas Vrabec 3.13.1-142- Allow samba_net_t to manage samba_var_t sock files.- Allow httpd daemon to manage httpd_var_lib_t lnk_files.- Allow collectd stream connect to pdns.(BZ #1191044)- Add interface pdns_stream_connect()- Merge branch \'rawhide-contrib\' of github.com:fedora-selinux/selinux-policy into rawhide-contrib- Allow chronyd exec systemctl- Merge pull request #30 from vmojzis/rawhide-contrib- Hsqldb policy upgrade -Allow sock_file management- Add inteface chronyd_signal Allow timemaster_t send generic signals to chronyd_t.- Hsqldb policy upgrade. -Disallow hsqldb_tmp_t link_file management- Hsqldb policy upgrade: -Remove tmp link_file transition -Add policy summary -Remove redundant parameter for \"hsqldb_admin\" interface- Label /var/run/chrony-helper dir as chronyd_var_run_t.- Allow lldpad_t to getattr tmpfs_t. Label /dev/shm/lldpad. * as lldapd_tmpfs_t- Fix label on /var/tmp/kiprop_0- Add mountpoint dontaudit access check in rhsmcertd policy.- Allow pcp_domain to manage pcp_var_lib_t lnk_files.- Allow chronyd to execute mkdir command.- Allow chronyd_t to read dhcpc state.- Label /usr/libexec/chrony-helper as chronyd_exec_t- Allow openhpid liboa_soap plugin to read resolv.conf file.- Allow openhpid liboa_soap plugin to read generic certs.- Allow openhpid use libwatchdog plugin. (Allow openhpid_t rw watchdog device)- Allow logrotate to reload services.- Allow apcupsd_t to read /sys/devices- Allow kpropd to connect to kropd tcp port.- Allow systemd_networkd to send logs to syslog.- Added interface fs_dontaudit_write_configfs_dirs- Allow audisp client to read system state.- Label /var/run/xtables.lock as iptables_var_run_t.- Add labels for /dev/memory_bandwith and /dev/vhci. Thanks ssekidde- Add interface to read/write watchdog device.- Add transition rule for iptables_var_lib_t * Mon Aug 10 2015 Lukas Vrabec 3.13.1-141- Allow chronyd to execute mkdir command.- Allow chronyd_t to read dhcpc state.- Label /usr/libexec/chrony-helper as chronyd_exec_t- Allow openhpid liboa_soap plugin to read resolv.conf file.- Allow openhpid liboa_soap plugin to read generic certs.- Allow openhpid use libwatchdog plugin. (Allow openhpid_t rw watchdog device)- Allow logrotate to reload services.- Allow apcupsd_t to read /sys/devices- Allow kpropd to connect to kropd tcp port.- Allow lsmd also setuid capability. Some commands need to executed under root privs. Other commands are executed under unprivileged user.- Allow snapperd to pass data (one way only) via pipe negotiated over dbus.- Add snapper_read_inherited_pipe() interface.- Add missing \";\" in kerberos.te- Add support for /var/lib/kdcproxy and label it as krb5kdc_var_lib_t. It needs to be accessible by useradd_t.- Add support for /etc/sanlock which is writable by sanlock daemon.- Allow mdadm to access /dev/random and add support to create own files/dirs as mdadm_tmpfs_t.- Add labels for /dev/memory_bandwith and /dev/vhci. Thanks ssekidde- Add interface to read/write watchdog device.- Add transition rule for iptables_var_lib_t- Allow useradd add homedir located in /var/lib/kdcproxy in ipa-server RPM scriplet.- Revert \"Allow grubby to manage and create /run/blkid with correct labeling\"- Allow grubby to manage and create /run/blkid with correct labeling- Add fstools_filetrans_named_content_fsadm() and call it for named_filetrans_domain domains. We need to be sure that /run/blkid is created with correct labeling.- arping running as netutils_t needs to access /etc/ld.so.cache in MLS.- Allow sysadm to execute systemd-sysctl in the sysadm_t domain. It is needed for ifup command in MLS mode.- Add systemd_exec_sysctl() and systemd_domtrans_sysctl() interfaces.- Allow udev, lvm and fsadm to access systemd-cat in /var/tmp/dracut if \'dracut -fv\' is executed in MLS.- Allow admin SELinu users to communicate with kernel_t. It is needed to access /run/systemd/journal/stdout if \'dracut -vf\' is executed. We allow it for other SELinux users.- depmod runs as insmod_t and it needs to manage user tmp files which was allowed for depmod_t. It is needed by dracut command for SELinux restrictive policy (confined users, MLS). * Wed Aug 05 2015 Miroslav Grepl 3.13.1-140- firewalld needs to relabel own config files. BZ(#1250537)- Allow rhsmcertd to send signull to unconfined_service- Allow lsm_plugin_t to rw raw_fixed_disk.- Allow lsm_plugin_t to read sysfs, read hwdata, rw to scsi_generic_device- Allow openhpid to use libsnmp_bc plugin (allow read snmp lib files). * Tue Aug 04 2015 Lukas Vrabec 3.13.1-139- Add header for sslh.if file- Fix sslh_admin() interface- Clean up sslh.if- Fix typo in pdns.if- Allow qpid to create lnk_files in qpid_var_lib_t.- Allow httpd_suexec_t to read and write Apache stream sockets- Merge pull request #21 from hogarthj/rawhide-contrib- Allow virt_qemu_ga_t domtrans to passwd_t.- use read and manage files_patterns and the description for the admin interface- Merge pull request #17 from rubenk/pdns-policy- Allow redis to read kernel parameters.- Label /etc/rt dir as httpd_sys_rw_content_t BZ(#1185500)- Allow hostapd to manage sock file in /va/run/hostapd Add fsetid cap. for hostapd Add net_raw cap. for hostpad BZ(#1237343)- Allow bumblebee to seng kill signal to xserver- glusterd call pcs utility which calls find for cib. * files and runs pstree under glusterd. Dontaudit access to security files and update gluster boolean to reflect these changes.- Allow drbd to get attributes from filesystems.- Allow drbd to read configuration options used when loading modules.- fix the description for the write config files, add systemd administration support and fix a missing gen_require in the admin interface- Added Booleans: pcp_read_generic_logs.- Allow pcp_pmcd daemon to read postfix config files. Allow pcp_pmcd daemon to search postfix spool dirs.- Allow glusterd to communicate with cluster domains over stream socket.- fix copy paste error with writing the admin interface- fix up the regex in sslh.fc, add sslh_admin() interface- adding selinux policy files for sslh- Remove diplicate sftpd_write_ssh_home boolean rule.- Revert \"Allow smbd_t and nmbd_t to manage winbind_var_run_t files/socktes/dirs.\"- gnome_dontaudit_search_config() needs to be a part of optinal_policy in pegasus.te- Allow glusterd to manage nfsd and rpcd services.- Add kdbus.pp policy to allow access /sys/fs/kdbus. It needs to go with own module because this is workaround for now to avoid SELinux in enforcing mode.- kdbusfs should not be accessible for now by default for shipped policies. It should be moved to kdbus.pp- kdbusfs should not be accessible for now.- Add support for /sys/fs/kdbus and allow login_pgm domain to access it.- Allow sysadm to administrate ldap environment and allow to bind ldap port to allow to setup an LDAP server (389ds).- Label /usr/sbin/chpasswd as passwd_exec_t.- Allow audisp_remote_t to read/write user domain pty.- Allow audisp_remote_t to start power unit files domain to allow halt system. * Mon Jul 20 2015 Lukas Vrabec 3.13.1-138- Add fixes for selinux-policy packages to reflect the latest changes related to policy module store migration.- Prepare selinux-policy package for SELinux store migration- gnome_dontaudit_search_config() needs to be a part of optinal_policy in pegasus.te- Allow glusterd to manage nfsd and rpcd services.- Allow smbd_t and nmbd_t to manage winbind_var_run_t files/socktes/dirs.- Add samba_manage_winbind_pid() interface- Allow networkmanager to communicate via dbus with systemd_hostanmed.- Allow stream connect logrotate to prosody.- Add prosody_stream_connect() interface.- httpd should be able to send signal/signull to httpd_suexec_t, instead of httpd_suexec_exec_t.- Allow prosody to create own tmp files/dirs.- Allow keepalived request kernel load module- kadmind should not read generic files in /usr- Allow kadmind_t access to /etc/krb5.keytab- Add more fixes to kerberos.te- Add labeling for /var/tmp/kadmin_0 and /var/tmp/kiprop_0- Add lsmd_t to nsswitch_domain.- Allow pegasus_openlmi_storage_t create mdadm.conf.anacbak file in /etc.- Add fixes to pegasus_openlmi_domain- Allow Glance Scrubber to connect to commplex_main port- Allow RabbitMQ to connect to amqp port- Allow isnsd read access on the file /proc/net/unix- Allow qpidd access to /proc//net/psched- Allow openshift_initrc_t to communicate with firewalld over dbus.- Allow ctdbd_t send signull to samba_unconfined_net_t.- Add samba_signull_unconfined_net()- Add samba_signull_winbind()- Revert \"Add interfaces winbind_signull(), samba_unconfined_net_signull().\"- Fix ctdb policy- Label /var/db/ as system_db_t. * Wed Jul 15 2015 Lukas Vrabec 3.13.1-137- inn daemon should create innd_log_t objects in var_log_t instead of innd_var_run_t- Fix rule definitions for httpd_can_sendmail boolean. We need to distinguish between base and contrib. * Tue Jul 14 2015 Lukas Vrabec 3.13.1-136- Add samba_unconfined_script_exec_t to samba_admin header.- Add jabberd_lock_t label to jabberd_admin header.- Add rpm_var_run_t label to rpm_admin header.- Make all interfaces related to openshift_cache_t as deprecated.- Remove non exits nfsd_ro_t label.- Label /usr/afs/ as afs_files_t Allow afs_bosserver_t create afs_config_t and afs_dbdir_t dirs under afs_files_t Allow afs_bosserver_t read kerberos config- Fix *_admin intefaces where body is not consistent with header.- Allow networkmanager read rfcomm port.- Fix nova_domain_template interface, Fix typo bugs in nova policy- Create nova sublabels.- Merge all nova_ * labels under one nova_t.- Add cobbler_var_lib_t to \"/var/lib/tftpboot/boot(/. *)?\"- Allow dnssec_trigger_t relabelfrom dnssec_trigger_var_run_t files.- Fix label openstack-nova-metadata-api binary file- Allow nova_t to bind on geneve tcp port, and all udp ports- Label swift-container-reconciler binary as swift_t.- Allow glusterd to execute showmount in the showmount domain.- Allow NetworkManager_t send signull to dnssec_trigger_t.- Add support for openstack-nova- * packages.- Allow audisp-remote searching devpts.- Label 6080 tcp port as geneve * Thu Jul 09 2015 Lukas Vrabec 3.13.1-135- Update mta_filetrans_named_content() interface to cover more db files.- Revert \"Remove ftpd_use_passive_mode boolean. It does not make sense due to ephemeral port handling.\"- Allow pcp domains to connect to own process using unix_stream_socket.- Typo in abrt.te- Allow abrt-upload-watch service to dbus chat with ABRT daemon and fsetid capability to allow run reporter-upload correctly.- Add nagios_domtrans_unconfined_plugins() interface.- Add nagios_domtrans_unconfined_plugins() interface.- Add new boolean - httpd_run_ipa to allow httpd process to run IPA helper and dbus chat with oddjob.- Add support for oddjob based helper in FreeIPA. BZ(1238165)- Allow dnssec_trigger_t create dnssec_trigger_tmp_t files in /var/tmp/ BZ(1240840)- Allow ctdb_t sending signull to smbd_t, for checking if smbd process exists. BZ(1224879)- Fix cron_system_cronjob_use_shares boolean to call fs interfaces which contain only entrypoint permission.- Add cron_system_cronjob_use_shares boolean to allow system cronjob to be executed from shares - NFS, CIFS, FUSE. It requires \"entrypoint\" permissios on nfs_t, cifs_t and fusefs_t SELinux types.- nrpe needs kill capability to make gluster moniterd nodes working.- Revert \"Dontaudit ctbd_t sending signull to smbd_t.\"- Fix interface corenet_tcp_connect_postgresql_port_port(prosody_t)- Allow prosody connect to postgresql port.- Fix logging_syslogd_run_nagios_plugins calling in logging.te- Add logging_syslogd_run_nagios_plugins boolean for rsyslog to allow transition to nagios unconfined plugins.- Add support for oddjob based helper in FreeIPA. BZ(1238165)- Add new interfaces- Add fs_fusefs_entry_type() interface. * Thu Jul 02 2015 Lukas Vrabec 3.13.1-134- Allow ctdb_t sending signull to smbd_t, for checking if smbd process exists. BZ(1224879)- Fix cron_system_cronjob_use_shares boolean to call fs interfaces which contain only entrypoint permission.- Add cron_system_cronjob_use_shares boolean to allow system cronjob to be executed from shares - NFS, CIFS, FUSE. It requires \"entrypoint\" permissios on nfs_t, cifs_t and fusefs_t SELinux types.- Merge remote-tracking branch \'refs/remotes/origin/rawhide-contrib\' into rawhide-contrib- nrpe needs kill capability to make gluster moniterd nodes working.- Fix interface corenet_tcp_connect_postgresql_port_port(prosody_t)- Allow prosody connect to postgresql port.- Add new interfaces- Add fs_fusefs_entry_type() interface. * Tue Jun 30 2015 Lukas Vrabec 3.13.1-133- Cleanup permissive domains. * Mon Jun 29 2015 Lukas Vrabec 3.13.1-132- Rename xodbc-connect port to xodbc_connect- Dontaudit apache to manage snmpd_var_lib_t files/dirs. BZ(1189214)- Add interface snmp_dontaudit_manage_snmp_var_lib_files().- Allow ovsdb-server to connect on xodbc-connect and ovsdb tcp ports. BZ(1179809)- Dontaudit mozilla_plugin_t cap. sys_ptrace. BZ(1202043)- Allow iscsid write to fifo file kdumpctl_tmp_t. Appears when kdump generates the initramfs during the kernel boot. BZ(1181476)- Dontaudit chrome to read passwd file. BZ(1204307)- Allow firewalld exec ldconfig. BZ(1232748)- Allow dnssec_trigger_t read networkmanager conf files. BZ(1231798)- Allow in networkmanager_read_conf() also read NetworkManager_etc_rw_t files. BZ(1231798)- Allow NetworkManager write to sysfs. BZ(1234086)- Fix bogus line in logrotate.fc.- Add dontaudit interface for kdumpctl_tmp_t- Rename xodbc-connect port to xodbc_connect- Label tcp port 6632 as xodbc-connect port. BZ (1179809)- Label tcp port 6640 as ovsdb port. BZ (1179809) * Tue Jun 23 2015 Lukas Vrabec 3.13.1-131- Allow NetworkManager write to sysfs. BZ(1234086)- Fix bogus line in logrotate.fc.- Add dontaudit interface for kdumpctl_tmp_t- Use userdom_rw_user_tmp_files() instead of userdom_rw_user_tmpfs_files() in gluster.te- Add postgresql support for systemd unit files.- Fix missing bracket- Pull request by ssekidde. https://github.com/fedora-selinux/selinux-policy/pull/18- Fixed obsoleted userdom_delete_user_tmpfs_files() inteface | |