|
|
|
|
Changelog for selinux-policy-minimum-3.14.3-67.el8.noarch.rpm :
* Mon Mar 15 2021 Zdenek Pytela - 3.14.3-67- Allow systemd the audit_control capability conditionallyResolves: rhbz#1861771 * Thu Mar 04 2021 Zdenek Pytela - 3.14.3-66- Disallow user_t run su/sudo and staff_t run suResolves: rhbz#1907517 * Mon Feb 22 2021 Zdenek Pytela - 3.14.3-65- Relabel /usr/sbin/charon-systemd as ipsec_exec_tResolves: rhbz#1889542 * Wed Feb 17 2021 Zdenek Pytela - 3.14.3-64- Allow unconfined_t and kprop_t to create krb5_0.rcache2 with the right contextResolves: rhbz#1874527Resolves: rhbz#1877044- Allow rhsmcertd bind tcp sockets to a generic nodeResolves: rhbz#1923985- Allow ipsec_mgmt_t mmap ipsec_conf_file_t filesResolves: rhbz#1889542- Allow strongswan start using swanctl methodResolves: rhbz#1889542- Allow systemd-importd manage machines.lock fileResolves: rhbz#1788055 * Thu Feb 11 2021 Zdenek Pytela - 3.14.3-63- Allow rtkit_daemon_t domain set process nice value in user namespacesResolves: rhbz#1910507- Allow gpsd read and write ptp4l_t shared memory.Resolves: rhbz#1803845- Label /var/run/pcsd-ruby.socket socket with cluster_var_run_t typeResolves: rhbz#1804626- Allow Certmonger to use opencryptoki servicesResolves: rhbz#1894132- Dontaudit vhostmd to write in /var/lib/rpm/ dir and allow signull rpmResolves: rhbz#1815603- Allow rhsmcertd_t read kpatch lib filesResolves: rhbz#1895322- Allow ipsec_t connectto ipsec_mgmt_tResolves: rhbz#1848355- Allow IPsec to use opencryptoki servicesResolves: rhbz#1894132- Allow systemd-importd create /run/systemd/machines.lock fileResolves: rhbz#1788055 * Fri Jan 29 2021 Zdenek Pytela - 3.14.3-62- Allow rhsmcertd_t domain transition to kpatch_tResolves: rhbz#1895322- Revert \"Add kpatch_exec() interface\"Resolves: rhbz#1895322- Revert \"Allow rhsmcertd execute kpatch\"Resolves: rhbz#1895322- Dontaudit NetworkManager_t domain to write to kdump temp pipiesResolves: rhbz#1842897- Allow NetworkManager_t domain to get status of samba servicesResolves: rhbz#1781806- Allow openvswitch create and use xfrm netlink socketsResolves: rhbz#1916046- Allow openvswitch_t perf_event write permissionResolves: rhbz#1916046- Add write_perf_event_perms object permission setRelated: rhbz#1916046 * Wed Jan 27 2021 Zdenek Pytela - 3.14.3-61- Add kpatch_exec() interfaceResolves: rhbz#1895322- Allow rhsmcertd execute kpatchResolves: rhbz#1895322- Allow openvswitch_t perf_event open permissionResolves: rhbz#1916046- Allow openvswitch fowner capability and create netlink socketsResolves: rhbz#1883980- Add net_broadcast capability to openvswitch_t domainResolves: rhbz#1883980- Update interface modutils_read_module_deps to allow caller domain also mmap modules_dep_t filesResolves: rhbz#1883980- Allow machinectl to run pull-tarResolves: rhbz#1788055 * Wed Jan 13 2021 Zdenek Pytela - 3.14.3-60- Allow wireshark create and use rdma socketResolves: rhbz#1844370- Allow to use nnp_transition in pulseaudio_roleResolves: rhbz#1854471- Allow certmonger fsetid capabilityResolves: rhbz#1873211- Add rsync_sys_admin tunable to allow rsync sys_admin capabilityResolves: rhbz#1889673- Allow sysadm read and write /dev/rfkillResolves: rhbz#1831630- Allow staff_u run pam_console_applyResolves: rhbz#1817690- Label /dev/vhost-vdpa-[0-9]+ as vhost_device_tResolves: rhbz#1907485 * Thu Dec 17 2020 Zdenek Pytela - 3.14.3-59- Add cron_dbus_chat_system_job() interfaceResolves: rhbz#1883906- Dontaudit firewalld dac_override capabilityResolves: rhbz#1759010- Allow tcsd the setgid capabilityResolves: rhbz#1898694- Allow timedatex dbus chat with cron system domainResolves: rhbz#1883906- Allow systemd_hostnamed_t domain to dbus chat with sosreport_t domainResolves: rhbz#1854299- Allow pcp-pmcd manage perf_eventsResolves: rhbz#1901958- Label /dev/isst_interface as cpu_device_tResolves: rhbz#1902227- Allow ipsec set the context of a SPD entry to the default contextResolves: rhbz#1880474- Allow sysadm_u user and unconfined_domain_type manage perf_eventsResolves: rhbz#1901958- Add manage_perf_event_perms object permissions setResolves: rhbz#1901958- Add perf_event access vectors.Resolves: rhbz#1901958- Remove \"ipa = module\" from modules-targeted-contrib.confResolves: rhbz#1461914 * Thu Dec 03 2020 Zdenek Pytela - 3.14.3-58- Allow kexec manage generic tmp filesResolves: rhbz#1896424- Update systemd-sleep policyResolves: rhbz#1850177- Add groupadd_t fowner capabilityResolves: rhbz#1884179 * Tue Nov 24 2020 Zdenek Pytela - 3.14.3-57- Allow dovecot bind to smtp portsResolves: rhbz#1881884- Change fetchmail temporary files path to /var/spool/mailResolves: rhbz#1853389- Set file context for symlinks in /etc/httpd to etc_tResolves: rhbz#1900650- Allow dnsmasq read public filesResolves: rhbz#1782539- Fix range for unreserved portsResolves: rhbz#1794531- Introduce logging_syslogd_append_public_content tunableResolves: rhbz#1823672- Add files_search_non_security_dirs() interfaceResolves: rhbz#1823672- Add miscfiles_append_public_files() interfaceResolves: rhbz#1823672 * Thu Nov 12 2020 Zdenek Pytela - 3.14.3-56- Let keepalived bind a raw socketResolves: rhbz#1895130- Add fetchmail_uidl_cache_t type for /var/mail/.fetchmail.pidResolves: rhbz#1853389- Allow arpwatch create and use rdma socketResolves: rhbz#1843409- Set correct default file context for /usr/libexec/pcp/lib/ *Resolves: rhbz#1886369- Allow systemd-logind manage efivarfs filesResolves: rhbz#1869979- Allow systemd_resolved_t to read efivarfsResolves: rhbz#1869979- Allow systemd_modules_load_t to read efivarfsResolves: rhbz#1869979- Allow read efivarfs_t files by domains executing systemctl fileResolves: rhbz#1869979- Introduce systemd_read_efivarfs_type attributeResolves: rhbz#1869979 * Mon Oct 26 2020 Zdenek Pytela - 3.14.3-55- Allow init dbus chat with kernelResolves: rhbz#1694681- Confine systemd-sleep serviceResolves: rhbz#1850177- Add default file context for /usr/libexec/pcp/lib/ *Resolves: rhbz#1886369- Allow rtkit_daemon_t to uise sys_ptrace usernamespace capabilityResolves: rhbz#1873658- Add fstools_rw_swap_files() interfaceResolves: rhbz#1850177 * Thu Sep 17 2020 Zdenek Pytela - 3.14.3-54- Allow plymouth sys_chroot capabilityResolves: rhbz#1869814 * Sun Aug 23 2020 Zdenek Pytela - 3.14.3-53- Allow certmonger fowner capabilityResolves: rhbz#1870596- Define named file transition for saslauthd on /tmp/krb5_0.rcache2Resolves: rhbz#1870300- Label /usr/libexec/qemu-pr-helper with virtd_exec_tResolves: rhbz#1867115 * Thu Aug 13 2020 Zdenek Pytela - 3.14.3-52- Add ipa_helper_noatsecure() interface unconditionallyResolves: rhbz#1853432- Conditionally allow nagios_plugin_domain dbus chat with initResolves: rhbz#1750821- Revert \"Update allow rules set for nrpe_t domain\"Resolves: rhbz#1750821- Add ipa_helper_noatsecure() interface to ipa.ifResolves: rhbz#1853432- Allow tomcat map user temporary filesResolves: rhbz#1857675- Allow tomcat manage user temporary filesResolves: rhbz#1857675- Add file context for /sys/kernel/tracingResolves: rhbz#1847331- Define named file transition for sshd on /tmp/krb5_0.rcache2Resolves: rhbz#1848953 * Mon Aug 03 2020 Zdenek Pytela - 3.14.3-51- Allow kadmind manage kerberos host rcacheResolves: rhbz#1863043- Allow virtlockd only getattr and lock block devicesResolves: rhbz#1832756- Allow qemu-ga read all non security file types conditionallyResolves: rhbz#1747960- Allow virtlockd manage VMs posix file locksResolves: rhbz#1832756- Add dev_lock_all_blk_files() interfaceResolves: rhbz#1832756- Allow systemd-logind dbus chat with fwupdResolves: rhbz#1851932- Update xserver_rw_session macroResolves: rhbz#1851448 * Wed Jul 29 2020 Zdenek Pytela - 3.14.3-50- Revert \"Allow qemu-kvm read and write /dev/mapper/control\"This reverts commit f948eaf3d010215fc912e42013e4f88870279093.- Allow smbd get attributes of device files labeled samba_share_tResolves: rhbz#1851816- Allow tomcat read user temporary filesResolves: rhbz#1857675- Revert \"Dontaudit and disallow sys_admin capability for keepalived_t domain\"Resolves: rhbz#1815281- Label /tmp/krb5_0.rcache2 with krb5_host_rcache_tResolves: rhbz#1848953- Allow auditd manage kerberos host rcache filesResolves: rhbz#1855770 * Thu Jul 09 2020 Zdenek Pytela - 3.14.3-49- Additional support for keepalived running in a namespaceResolves: rhbz#1815281- Allow keepalived manage its private type runtime directoriesResolves: rhbz#1815281- Run ipa_helper_noatsecure(oddjob_t) only if the interface existsResolves: rhbz#1853432- Allow oddjob_t process noatsecure permission for ipa_helper_tResolves: rhbz#1853432- Allow domain dbus chat with systemd-resolvedResolves: rhbz#1852378- Define file context for /var/run/netns directory onlyRelated: rhbz#1815281 * Mon Jun 29 2020 Zdenek Pytela - 3.14.3-48- Allow systemd_private_tmp(dirsrv_tmp_t) instead of dirsrv_tResolves: rhbz#1836820 * Mon Jun 29 2020 Zdenek Pytela - 3.14.3-47- Allow virtlogd_t manage virt lib filesResolves: rhbz#1832756- Allow pdns server to read system stateResolves: rhbz#1801214- Support systemctl --user in machinectlResolves: rhbz#1788616- Allow chkpwd_t read and write systemd-machined devpts character nodesResolves: rhbz#1788616- Allow init_t write to inherited systemd-logind sessions pipesResolves: rhbz#1788616- Label systemd-growfs and systemd-makefs as fsadm_exec_tResolves: rhbz#1820798- Allow staff_u and user_u setattr generic usb devicesResolves: rhbz#1783325- Allow sysadm_t dbus chat with accountsdResolves: rhbz#1828809 * Tue Jun 23 2020 Zdenek Pytela - 3.14.3-46- Fix description tag for the sssd_connect_all_unreserved_ports tunableRelated: rhbz#1826748- Allow journalctl process set its resource limitsResolves: rhbz#1825894- Add sssd_access_kernel_keys tunable to conditionally access kernel keysResolves: rhbz#1802062- Make keepalived work with network namespacesResolves: rhbz#1815281- Create sssd_connect_all_unreserved_ports booleanResolves: rhbz#1826748- Allow hypervkvpd to request kernel to load a moduleResolves: rhbz#1842414- Allow systemd_private_tmp(dirsrv_tmp_t)Resolves: rhbz#1836820- Allow radiusd connect to gssproxy over unix domain stream socketResolves: rhbz#1813572- Add fwupd_cache_t file context for \'/var/cache/fwupd(/. *)?\'Resolves: rhbz#1832231- Modify kernel_rw_key() not to include append permissionRelated: rhbz#1802062- Add kernel_rw_key() interface to access to kernel keyringsRelated: rhbz#1802062- Modify systemd_delete_private_tmp() to use delete_ *_pattern macrosResolves: rhbz#1836820- Allow systemd-modules to load kernel modulesResolves: rhbz#1823246- Add cachefiles_dev_t as a typealias to cachefiles_device_tResolves: rhbz#1814796 * Mon Jun 15 2020 Zdenek Pytela - 3.14.3-45- Remove files_mmap_usr_files() call for particular domainsRelated: rhbz#1801214- Allow dirsrv_t list cgroup directoriesResolves: rhbz#1836795- Create the kerberos_write_kadmind_tmp_files() interfaceRelated: rhbz#1841488- Allow realmd_t dbus chat with accountsd_tResolves: rhbz#1792895- Allow nagios_plugin_domain execute programs in bin directoriesResolves: rhbz#1815621- Update allow rules set for nrpe_t domainResolves: rhbz#1750821- Allow Gluster mount client to mount files_typeResolves: rhbz#1753626- Allow qemu-kvm read and write /dev/mapper/controlResolves: rhbz#1835909- Introduce logrotate_use_cifs booleanResolves: rhbz#1795923- Allow ptp4l_t sys_admin capability to run bpf programsResolves: rhbz#1759214- Allow rhsmd mmap /etc/passwdResolves: rhbz#1814644- Remove files_mmap_usr_files() call for systemd_localed_tRelated: rhbz#1801214- Allow domain mmap usr_t filesResolves: rhbz#1801214- Allow libkrb5 lib read client keytabsResolves: rhbz#1831769- Add files_dontaudit_manage_boot_dirs() interfaceRelated: rhbz#1803868- Create files_create_non_security_dirs() interfaceRelated: rhbz#1840265- Add new interface dev_mounton_all_device_nodes()Related: rhbz#1840265- Add new interface dev_create_all_files()Related: rhbz#1840265- Allow sshd write to kadmind temporary filesResolves: rhbz#1841488- Create init_create_dirs boolean to allow init create directoriesResolves: rhbz#1832231- Do not audit staff_t and user_t attempts to manage boot_t entriesResolves: rhbz#1803868- Allow systemd to relabel all files on system.Resolves: rhbz#1818981- Make dbus-broker service working on s390x archResolves: rhbz#1840265 * Wed May 20 2020 Zdenek Pytela - 3.14.3-44- Make boinc_var_lib_t label system mountdir attributeResolves: rhbz#1779070- Allow aide to be executed by systemd with correct (aide_t) domainResolves: rhbz#1814809- Allow chronyc_t domain to use nsswitchResolves: rhbz#1772852- Allow nscd_socket_use() for domains in nscd_use() unconditionallyResolves: rhbz#1772852- Allow gluster geo-replication in rsync modeResolves: rhbz#1831109- Update networkmanager_read_pid_files() to allow also list_dir_permsResolves: rhbz#1781818- Allow associating all labels with CephFSResolves: bz#1814689- Allow tcpdump sniffing offloaded (RDMA) trafficResolves: rhbz#1834773 * Fri Apr 17 2020 Zdenek Pytela - 3.14.3-43- Update radiusd policyResolves: rhbz#1803407- Allow sssd read NetworkManager\'s runtime directoryResolves: rhbz#1781818- Label /usr/lib/NetworkManager/dispatcher as NetworkManager_initrc_exec_tResolves: rhbz#1777506- Allow ipa_helper_t to read kr5_keytab_t filesResolves: rhbz#1769423- Add ibacm_t ipc_lock capabilityResolves: rhbz#1754719- Allow opafm_t to create and use netlink rdma sockets.Resolves: rhbz#1786670- Allow ptp4l_t create and use packet_socket socketsResolves: rhbz#1759214- Update ctdbd_t policyResolves: rhbz#1735748- Allow glusterd synchronize between master and slaveResolves: rhbz#1824662- Allow auditd poweroff or switch to single modeResolves: rhbz#1826788- Allow init_t set the nice level of all domainsResolves: rhbz#1819121- Label /etc/sysconfig/ip6?tables\\.save as system_conf_tResolves: rhbz#1776873- Add file context entry and file transition for /var/run/pam_timestampResolves: rhbz#1791957 * Wed Apr 08 2020 Zdenek Pytela - 3.14.3-42- Allow ssh-keygen create file in /var/lib/glusterdResolves: rhbz#1816663- Update ctdbd_manage_lib_files() to also allow mmap ctdbd_var_lib_t filesResolves: rhbz#1819243- Remove container interface calling by named_filetrans_domain.- Makefile: fix tmp/%.mod.fc targetResolves: rhbz#1821191 * Mon Mar 16 2020 Zdenek Pytela - 3.14.3-41- Allow NetworkManager read its unit files and manage services- Mark nm-cloud-setup systemd units as NetworkManager_unit_file_tResolves: rhbz#1806894 * Tue Feb 18 2020 Lukas Vrabec - 3.14.3-40- Update virt_read_qemu_pid_files intefaceResolves: rhbz#1782925 * Sat Feb 15 2020 Lukas Vrabec - 3.14.3-39- Allow vhostmd communication with hosted virtual machines- Add and update virt interfacesResolves: rhbz#1782925 * Tue Jan 28 2020 Zdenek Pytela - 3.14.3-38- Dontaudit timedatex_t read file_contexts_t and validate security contextsResolves: rhbz#1779098 * Tue Jan 21 2020 Lukas Vrabec - 3.14.3-37- Make stratisd_t domain unconfined for RHEL-8.2Resolves: rhbz#1791557- stratisd_t policy updatesResolves: rhbz#1791557 * Thu Jan 16 2020 Lukas Vrabec - 3.14.3-36- Label /stratis as stratisd_data_tResolves: rhbz#1791557 * Tue Jan 14 2020 Lukas Vrabec - 3.14.3-35- Allow stratisd_t domain to read/write fixed disk devices and removable devices.Resolves: rhbz#1790795 * Mon Jan 13 2020 Lukas Vrabec - 3.14.3-34- Added macro for stratisd to chat over dbus- Add dac_override capability to stratisd_t domain- Allow userdomain to chat with stratisd over dbus.Resolves: rhbz#1787298 * Fri Jan 10 2020 Lukas Vrabec - 3.14.3-33- Update files_create_var_lib_dirs() interface to allow caller domain also set attributes of var_lib_t directoryResolves: rhbz#1778126 * Wed Jan 08 2020 Lukas Vrabec - 3.14.3-32- Allow create udp sockets for abrt_upload_watch_t domainsResolves: rhbz#1777761 * Wed Jan 08 2020 Lukas Vrabec - 3.14.3-31- Allow sssd_t domain to read kernel net sysctlsResolves: rhbz#1777042 * Fri Dec 13 2019 Zdenek Pytela - 3.14.3-30- Allow userdomain dbus chat with systemd_resolved_tResolves: rhbz#1773463- Allow init_t read and setattr on /var/lib/fprintdResolves: rhbz#1781696- Allow sysadm_t dbus chat with colord_tResolves: rhbz#1772669- Allow confined users run fwupdmgrResolves: rhbz#1772619- Allow confined users run machinectlResolves: rhbz#1772625- Allow systemd labeled as init_t domain to create dirs labeled as var_tResolves: rhbz#1778126- Allow systemd labeled as init_t domain to manage faillog_t objectsResolves: rhbz#1671019- Add fprintd_read_var_lib_dir and fprintd_setattr_var_lib_dir interfacesResolves: rhbz#1781696- Allow pulseaudio create .config and dgram sendto to unpriv_userdomainResolves: rhbz#1703231- Allow abrt_dump_oops_t domain to create udp sockets BZ(1778030)Resolves: rhbz#1777761- Change type in transition for /var/cache/{dnf,yum} directoryResolves: rhbz#1686833- Revert \"Update zebra SELinux policy to make it work also with frr service\"This reverts commit 73653250a252ad6eefcb3aae00749017e396ab8d.- Revert \"Label only regular files inside /usr/lib/frr direcotry as zebra_exec_t\"This reverts commit a19eb1021cbd6c637344954cead54caae081e07c.- Allow stratis_t domain to request load modulesResolves: rhbz#1726259- Allow stratisd to connect to dbusResolves: rhbz#1726259- Run stratisd service as stratisd_tResolves: rhbz#1726259- Add support for smart card authentication in cockpit BZ(1690444)Resolves: rhbz#1771414- cockpit: Support split-out TLS proxyResolves: rhbz#1771414- cockpit: Allow cockpit-session to read cockpit-tls stateResolves: rhbz#1771414- Update cockpit policyResolves: rhbz#1771414- cockpit: Support https instance factoryResolves: rhbz#1771414- cockpit: Allow cockpit-session to read cockpit-tls state directoryResolves: rhbz#1771414- Fix nonexisting types in rtas_errd_rw_lock interfaceResolves: rhbz#1744234 * Wed Nov 27 2019 Lukas Vrabec - 3.14.3-29- Allow timedatex_t domain to read relatime clock and adjtime_t filesResolves: rhbz#1771513 * Fri Nov 22 2019 Lukas Vrabec - 3.14.3-28- Update timedatex policy to add macrosResolves: rhbz#1771513 * Fri Nov 15 2019 Lukas Vrabec - 3.14.3-27- Allow timedatex_t domain dbus chat with both confined and unconfined usersResolves: rhbz#1771513- Fix typo bugs in rtas_errd_read_lock() interfaceResolves: rhbz#1750096- Allow timedatex_t domain to systemctl chronyd domainsResolves: rhbz#1771513- Fix typo in dev_filetrans_all_named_dev()Resolves: rhbz#1750096 * Mon Nov 11 2019 Lukas Vrabec - 3.14.3-26- New policy for rrdcachedResolves: rhbz#1726255- Update timedatex policy- Update timedatex SELinux policy to to sychronizate time with GNOME and add new macro chronyd_service_status to chronyd.if- Add new macro systemd_timedated_status to systemd.if to get timedated service statusResolves: rhbz#1730204- Update lldpad_t policy moduleResolves: rhbz#1726246- Dontaudit sandbox web types to setattr lib_t dirsResolves: rhbz#1739858- Fix typo in cachefiles deviceResolves: rhbz#1750096 * Thu Nov 07 2019 Lukas Vrabec - 3.14.3-25- Allow sssd_t domain to read gnome config and named cache filesResolves: rhbz#1743907- Allow httpd_t to signull mailman_cgi_t processResolves: rhbz#1686462- Update virt_read_content interface to allow caller domain mmap virt_content_t block devices and filesResolves: rhbz#1758545- Allow cachefilesd_t domain to read/write cachefiles_device_t devicesResolves: rhbz#1750096- Remove setting label for /dev/cachefilesd char device from cachefilesd policy. This should be added in base policyResolves: rhbz#1750096- Allow pcp_pmcd_t domain to bind on udp port labeled as statsd_port_tResolves:rhbz#1746511- Label libvirt drivers as virtd_exec_tResolves: rhbz#1745076- Update apache and pkcs policies to make active opencryptoki rulesResolves: rhbz#1744198- Introduce new bolean httpd_use_opencryptokiResolves: rhbz#1744198- Allow gssproxy_t domain read state of all processes on systemResolves: rhbz#1752031- Dontaudit tmpreaper_t getting attributes from sysctl_type filesResolves: rhbz#1730204- Added macro for timedatex to chat over dbus.Resolves: rhbz#1730204- Run timedatex service as timedatex_tResolves: rhbz#1730204- Run lldpd service as lldpad_t.Resolves: rhbz#1726246- Allow abrt_upload_watch_t domain to send dgram msgs to kernel processes and stream connect to journald- Allow tmpreaper_t domain to getattr files labeled as mtrr_device_tResolves: rhbz#1765065- Allow rhsmcertd_t domain to read/write rtas_errd_var_lock_t filesResolves: rhbz#1744234- Allow tmpwatch process labeled as tmpreaper_t domain to execute fuser command.Resolves: rhbz#1765065- Update tmpreaper_t policy due to fuser commandResolves: rhbz#1765065- Allow fail2ban_t domain to create netlink netfilter sockets.Resolves: rhbz#1766415- Label /dev/cachefilesd as cachefiles_device_tResolves: rhbz#1750096- Label udp 8125 port as statsd_port_tResolves: rhbz#1746511- Allow systemd(init_t) to load kernel modulesResolves: rhbz#1758255- Dontaudit sys_admin capability for auditd_t domainsResolves: rhbz#1669040- Allow x_userdomain to dbus_chat with timedatex.Resolves: rhbz#1730204 * Fri Oct 25 2019 Lukas Vrabec - 3.14.3-24- Allow confined users to run newaliasesResolves:rhbz#1750405- Add interface mysql_dontaudit_rw_db()Resolves: rhbz#1747926- Label /var/lib/xfsdump/inventory as amanda_var_lib_tResolves: rhbz#1739137- Allow tmpreaper_t domain to read all domains stateResolves: rhbz#1765065- Allow ipa_ods_exporter_t domain to read krb5_keytab filesResolves: rhbz#1759900- Allow rhsmcertd_t domain to read rtas_errd lock filesResolves: rhbz#1744234- Add new interface rtas_errd_read_lock()Resolves: rhbz#1744234- Donaudit ifconfig_t domain to read/write mysqld_db_t filesResolves: rhbz#1747926 * Thu Oct 17 2019 Lukas Vrabec - 3.14.3-23- Label only regular files inside /usr/lib/frr direcotry as zebra_exec_tResolves: rhbz#1714984- Dontaudit and disallow sys_admin capability for keepalived_t domainResolves: rhbz#1729174- Allow processes labeled as keepalived_t domain to get process groupResolves: rhbz#1746955 * Mon Oct 14 2019 Lukas Vrabec - 3.14.3-22- Allow ldconfig_t domain to manage initrc_tmp_t link files Allow netutils_t domain to write to initrc_tmp_t fifo filesResolves: rhbz#1756006- Allow user domains to manage user session servicesResolves: rhbz#1727887- Allow staff and user users to get status of user systemd sessionResolves: rhbz#1727887 * Fri Oct 11 2019 Lukas Vrabec - 3.14.3-21- Allow user_mail_domain attribute to manage files labeled as etc_aliases_t.Resolves: rhbz#1750405- Allow dlm_controld_t domain to read random deviceResolves: rhbz#1752943- Allow haproxy_t domain to read network state of systemResolves: rhbz#1746974- Allow avahi_t to send msg to lpr_tResolves: rhbz#1752843- Create new type ipmievd_helper_t domain for loading kernel modules.Resolves: rhbz#1673804- networkmanager: allow NetworkManager_t to create bluetooth_socketResolves: rhbz#1747768- Label /etc/named direcotory as named_conf_tResolves: rhbz#1759505- Update aide_t domain to allow this tool to analyze also /dev filesystemResolves: rhbz#1758265- Update zebra SELinux policy to make it work also with frr serviceResolves: rhbz#1714984- Allow chronyd_t domain to manage and create chronyd_tmp_t dirs,files,sock_file objects.Resolves: rhbz#1711909- Allow chronyc_t domain to append to all non_security files Resolves: rhbz#1696252- Allow httpd_t domain to read/write named_cache_t filesResolves: rhbz#1690484- Add new interface bind_rw_cache()Resolves: rhbz#1690484- Label /var/run/mysql as mysqld_var_run_tResolves: rhbz#1687867- Allow cupsd_t domain to create directory with name ppd in dirs labeled as cupsd_etc_t with label cupsd_rw_etc_t.Resolves: rhbz#1612552- Update cron_role, cron_admin_role and cron_unconfined_role to avoid *_t_t typesResolves: rhbz#1647971- Allow sandbox_web_type domains to sys_ptrace and sys_chroot in user namespacesResolves: rhbz#1663874- Update gnome_dontaudit_read_configResolves: rhbz#1663874- Update tomcat_can_network_connect_db boolean to allow tomcat domains also connect to redis portsResolves: rhbz#1687499- Update keepalived policyResolves: rhbz#1728332- Add sys_admin capability for keepalived_t labeled processesResolves: rhbz#1729174- Fix abrt_upload_watch_t in abrt policyResolves: rhbz#1737419- Label /dev/shm/dirsrv/ with dirsrv_tmpfs_t labelResolves: rhbz#1737550- Allow amanda_t to manage its var lib files and read random_device_tResolves: rhbz#1739137- Allow zebrat_t domain to read state of NetworkManager_t processes BZ(1739983)Resolves: rhbz#1743684- Allow pesign_t domain to read/write named cache files.Resolves: rhbz#1745429- Allow login user type to use systemd user sessionResolves: rhbz#1727887- Allow avahi_t to send msg to xdm_tResolves: rhbz#1755401- Allow ldconfig_t domain to manage initrc_tmp_t objectsResolves: rhbz#1756006- Add new interface init_write_initrc_tmp_pipes()- Add new interface init_manage_script_tmp_files()- Add new interface udev_getattr_rules_chr_files()- Run lvmdbusd service as lvm_tResolves: rhbz#1726166- Label 2618/tcp and 2618/udp as priority_e_com_port_t- Label 2616/tcp and 2616/udp as appswitch_emp_port_t- Label 2615/tcp and 2615/udp as firepower_port_t- Label 2610/tcp and 2610/udp as versa_tek_port_t- Label 2613/tcp and 2613/udp as smntubootstrap_port_t- Label 3784/tcp and 3784/udp as bfd_control_port_t- Allow systemd labeled as init_t domain to remount rootfs filesystemResolves: rhbz#1698197- Add interface files_remount_rootfs()- New interface files_append_non_security_files()- Allow domains systemd_networkd_t and systemd_logind_t to chat over dbusResolves: rhbz#1612552- Update userdomains to pass correct parametes based on updates from cron_ *_role interfaces Resolves: rhbz#1647971- Dontaudit sys_admin capability for iptables_t SELinux domainResolves: rhbz#1669040- Allow systemd labeled as init_t domain to read/write faillog_t. BZ(1723132)Resolves: rhbz#1671019- Allow userdomains to dbus chat with policykit daemonResolves: rhbz#1727902- Allow ipsec_t domain to read/write named cache filesResolves: rhbz#1743777- Add sys_admin capability for ipsec_t domainResolves: rhbz#1753662 * Mon Sep 16 2019 Lukas Vrabec - 3.14.3-20- Label /var/log/hawkey.log as rpm_log_t and update rpm named filetrans interfaces.- Allow sysadm_t to create hawkey log file with rpm_log_t SELinux labelResolves: rhbz#1720639 * Fri Aug 30 2019 Lukas Vrabec - 3.14.3-19- Update cpucontrol_t SELinux policyResolves: rhbz#1743930 * Mon Aug 19 2019 Lukas Vrabec - 3.14.3-18- Allow dlm_controld_t domain to transition to the lvm_tResolves: rhbz#1732956 * Fri Aug 16 2019 Lukas Vrabec - 3.14.3-17- Label /usr/libexec/microcode_ctl/reload_microcode as cpucontrol_exec_tResolves: rhbz#1669485- Fix typo in networkmanager_append_log() interfaceResolves: rhbz#1687460- Update gpg policy to make ti working with confined usersResolves: rhbz#1640296 * Wed Aug 14 2019 Lukas Vrabec - 3.14.3-16- Allow audisp_remote_t domain to read kerberos keytabResolves: rhbz#1740146 * Mon Aug 12 2019 Lukas Vrabec - 3.14.3-15- Dontaudit abrt_t domain to read root_t filesResolves: rhbz#1734403- Allow ipa_dnskey_t domain to read kerberos keytabResolves: rhbz#1730144- Update ibacm_t policy- Allow dlm_controld_t domain setgid capabilityResolves: rhbz#1738608- Allow auditd_t domain to create auditd_tmp_t temporary files and dirs in /tmp or /var/tmpResolves: rhbz#1740146- Update systemd_dontaudit_read_unit_files() interface to dontaudit alos listing dirsResolves: rhbz#1670139 * Wed Aug 07 2019 Lukas Vrabec - 3.14.3-14- Allow cgdcbxd_t domain to list cgroup dirsResolves: rhbz#1651991 * Mon Jul 29 2019 Lukas Vrabec - 3.14.3-13- Allow search krb5_keytab_t dirs for interfaces kerberos_read_keytab() and kerberos_rw_keytabResolves: rhbz#1730144- Allow virtlockd process read virtlockd.conf fileResolves: rhbz#1733185- Relabel /usr/sbin/virtlockd from virt_exec_t to virtlogd_exec_t.Resolves: rhbz#1733185- Allow brltty to request to load kernel moduleResolves: rhbz#1689955- Add svnserve_tmp_t label forl svnserve temp files to system private tmpResolves: rhbz#1729955- Dontaudit svirt_tcg_t domain to read process state of libvirtResolves: rhbz#1732500- Allow mysqld_t domain to domtrans to ifconfig_t domain when executing ifconfig toolResolves: rhbz#1732381- Allow cyrus work with PrivateTmpResolves: rhbz#1725023- Make cgdcbxd_t domain working with SELinux enforcing.Resolves: rhbz#1651991- Remove system_r role from staff_u user.Resolves: rhbz#1677052- Add systemd_private_tmp_type attributeResolves: rhbz#1725023- Allow systemd to load kernel modules during boot process.Resolves: rhbz#1644805 * Fri Jul 19 2019 Lukas Vrabec - 3.14.3-12- Make working wireshark execute byt confined users staff_t and sysadm_tResolves: rhbz#1712788- Label user cron spool file with user_cron_spool_tResolves: rhbz#1727342- Allow ptp4l_t domain to write to pmc socket which is created by pmc command line toolResolves: rhbz#1668667- Update svnserve_t policy to make working svnserve hooksResolves: rhbz#1729955- Allow varnishlog_t domain to check for presence of varnishd_t domainsResolves: rhbz#1730270- Allow lsmd_t domain to execute /usr/bin/debuginfo-installResolves: rhbz#1720648- Update sandboxX policy to make working firefox inside SELinux sandboxResolves: rhbz#1663874- Remove allow rule from svirt_transition_svirt_sandbox interface to don\'t allow containers to connect to random servicesResolves: rhbz#1695248- Allow httpd_t domain to read /var/lib/softhsm/tokens to allow httpd daemon to use pkcs#11 devicesResolves: rhbz#1690484- Allow opafm_t domain to modify scheduling information of another process.Resolves: rhbz#1725874- Allow gssd_t domain to list tmpfs_t dirsResolves: rhbz#1674470- Allow mdadm_t domain to read tmpfs_t filesResolves: rhbz#1669996- Allow sbd_t domain to check presence of processes labeled as cluster_tResolves: rhbz#1669595- Dontaudit httpd_sys_script_t to read systemd unit filesResolves: rhbz#1670139- Allow blkmapd_t domain to read nvme devicesResolves: rhbz#1669985- Update cpucontrol_t domain to make working microcode serviceResolves: rhbz#1669485- Allow domain transition from logwatch_t do postfix_postqueue_tResolves: rhbz#1669162- Allow chronyc_t domain to create and write to non_security files in case when sysadmin is redirecting output to file e.g: \'chronyc -n tracking > /var/lib/test\'Resolves: rhbz#1696252- Allow httpd_sys_script_t domain to mmap httpdcontentResolves: rhbz#1693137- Allow sbd_t to manage cgroups_t filesResolves: rhbz#1715134- Update wireshark policy to make working tshar labeled as wireshark_tResolves: rhbz#1711005- Update virt_use_nfs boolean to allow svirt_t domain to mmap nfs_t filesResolves: rhbz#1719083- Allow sbd_t domain to use nsswitchResolves: rhbz#1723498- Allow sysadm_t and staff_t domains to read wireshark shared memoryResolves: rhbz#1712788- Label /usr/libexec/utempter/utempter as utemper_exec_tResolves: rhbz#1729571- Allow unconfined_domain_type to setattr own process lnk files.Resolves: rhbz#1730500- Add interface files_write_generic_pid_sockets()- Dontaudit writing to user home dirs by gnome-keyring-daemonResolves: rhbz#1689797- Allow staff and admin domains to setpcap in user namespaceResolves: rhbz#1673922- Allow staff and sysadm to use lockdevResolves: rhbz#1673269- Allow staff and sysadm users to run iotop.Resolves: rhbz#1671241- Dontaudit traceroute_t domain require sys_admin capabilityResolves: rhbz#1671672- Dontaudit dbus chat between kernel_t and init_tResolves: rhbz#1669095- Allow systemd labeled as init_t to create mountpoints without any specific label as default_tResolves: rhbz#1696144 * Wed Jul 10 2019 Lukas Vrabec - 3.14.3-11- Fix minor changes to pass coverity scanResolves: rhbz#1728578 * Tue Jul 09 2019 Lukas Vrabec - 3.14.3-10- Allow qpidd_t domain to getattr all fs_t filesystem and mmap usr_t files- Label /var/kerberos/krb5 as krb5_keytab_tResolves: rhbz#1669975- Allow sbd_t domain to manage cgroup dirsResolves: rhbz#1715134- Allow wireshark_t domain to create netlink netfilter socketsResolves: rhbz#1711005- Allow gpg_agent_t domain to use nsswitchResolves: rhbz#1567073- Allow httpd script types to mmap httpd rw contentResolves: rhbz#1693137- Allow confined users to login via cockpitResolves: rhbz#1718814- Replace \"-\" by \"_\" in speechdispatcher types names- Change condor_domain declaration in condor_systemctl- Update interface networkmanager_manage_pid_files() to allow manage also dirsResolves: rhbz#1720070- Update virt_use_nfs() boolean to allow virt_t to mmap nfs_t filesResolves: rhbz#1719083- Fix all interfaces which cannot by compiled because of typosResolves: rhbz#1687460- Allow auditd_t domain to send signals to audisp_remote_t domainResolves: rhbz#1726659- Allow associate efivarfs_t on sysfs_tResolves: rhbz#1709747- Allow userdomain attribute to manage cockpit_ws_t stream socketsResolves: rhbz#1718814- Allow ssh_agent_type to read/write cockpit_session_t unnamed pipes- Add interface ssh_agent_signal()- Dontaudit unpriv_userdomain to manage boot_t filesResolves: rhbz#1723773- Allow crack_t domain read /et/passwd filesResolves: rhbz#1721132- Allow dhcpc_t domain to manage network manager pid filesResolves: rhbz#1720070 * Mon Jun 10 2019 Lukas Vrabec - 3.14.3-9- Allow redis_t domain to read public sssd filesResolves: rhbz#1718200- Label /usr/sbin/nft as iptables_exec_tResolves: rhbz#1656891 * Wed Jun 05 2019 Lukas Vrabec - 3.14.3-8- Allow sbd_t domain to read tmpfs_t symlinksResolves: rhbz#1715134 * Mon Jun 03 2019 Lukas Vrabec - 3.14.3-7- Allow kadmind_t domain to read home config dataResolves: rhbz#1664983- Allow sbd_t domain to readwrite cgroupsResolves: rhbz#1715134- Label /var/log/pacemaker/pacemaker as cluster_var_log_tResolves: rhbz#1712058- Allow certmonger_t domain to manage named cache files/dirs * Mon May 27 2019 Lukas Vrabec - 3.14.3-6- Allow kadmind_t domain to read pkcs11 module configsResolves: rhbz#1664983- Allow kadmind_t domain to read named_cache_t filesResolves: rhbz#1703241- Fix bind_read_cache() interface to allow only read perms to caller domains- Allow chronyc_t domain to create own tmpfiles and allow communicate send data over unix dgram socketsResolves: rhbz#1711909- Allow wireshark_t domain to create fifo temp filesResolves: rhbz#1711005- Add domain transition that systemd labeled as init_t can execute spamd_update_exec_t binary to run newly created process as spamd_update_tResolves :rhbz#1656837- Remove allow rule for virt_qemu_ga_t to write/append user_tmp_t filesResolves: rhbz#1648854- Label /var/run/user/ */dbus-1 as session_dbusd_tmp_tResolves:rhbz#1688671- Add dac_override capability to namespace_init_t domainResolves: rhbz#1557420- Label /usr/sbin/corosync-qdevice as cluster_exec_tResolves: rhbz#1690925- Label /usr/libexec/dnf-utils as debuginfo_exec_tResolves: rhbz#1711183- Allow rtkit_scheduled for sysadmResolves: rhbz#1703241- Fix find commands in Makefiles- Allow associate all filesystem_types with fs_tResolves: rhbz#1614209- Allow init_t to manage session_dbusd_tmp_t dirsResolves: rhbz#1688671- Allow systemd_gpt_generator_t to read/write to clearanceResolves: rhbz#1558573- Allow su_domain_type to getattr to /dev/gpmctlResolves: rhbz#1593667 * Fri May 17 2019 Lukas Vrabec - 3.14.3-5- Add domain transition that systemd labeled as init_t can execute spamd_update_exec_t binary to run newly created process as spamd_update_tResolves :rhbz#1656837- Remove allow rule for virt_qemu_ga_t to write/append user_tmp_t filesResolves: rhbz#1648854- Label /var/run/user/ */dbus-1 as session_dbusd_tmp_tResolves:rhbz#1688671- Add dac_override capability to namespace_init_t domainResolves: rhbz#1557420- Label /usr/sbin/corosync-qdevice as cluster_exec_tResolves: rhbz#1690925- Label /usr/libexec/dnf-utils as debuginfo_exec_tResolves: rhbz#1711183- Label /usr/bin/tshark as wireshark_exec_tResolves: rhbz#1710962- Allow rhsmcertd_t domain to read rpm cache filesResolves: rhbz#1641648- Allow associate all filesystem_types with fs_tResolves: rhbz#1614209- Allow init_t to manage session_dbusd_tmp_t dirsResolves: rhbz#1688671- Allow systemd_gpt_generator_t to read/write to clearanceResolves: rhbz#1558573- Allow su_domain_type to getattr to /dev/gpmctlResolves: rhbz#1593667- Update userdom_login_user_template() template to make working systemd user session for guest and xguest SELinux usersResolves: rhbz#1709372 * Thu May 02 2019 Lukas Vrabec - 3.14.3-4- Rebase with Fedora 30 package selinux-policy-3.14.3-34.fc30Resolves: rhbz#1673107 * Tue Apr 23 2019 Lukas Vrabec - 3.14.3-3- Rebase with Fedora 30 package selinux-policy-3.14.3-31.fc30Resolves: rhbz#1673107 * Tue Apr 16 2019 Lukas Vrabec - 3.14.3-2- Fix interface kernel_mounton_kernel_sysctl()Resolves: rhbz#1700222 * Wed Apr 10 2019 Lukas Vrabec - 3.14.3-1- Rebase with Fedora 30 package selinux-policy-3.14.3-28.fc30Resolves: rhbz#1673107 * Fri Feb 22 2019 Lukas Vrabec - 3.14.1-61- Add dac_override capability for sbd_t SELinux domainResolves: rhbz#1677325- Allow syslogd_t domain to send null signal to all domains on systemResolves: rhbz#1676923 * Fri Feb 15 2019 Lukas Vrabec - 3.14.1-60- Update kdump_manage_crash() interface to allow also manage dirs by caller domainResolves: rhbz#1627861 * Mon Feb 11 2019 Lukas Vrabec - 3.14.1-59- Add dac_override capability to spamd_t domainResolves: rhbz#1567073 * Mon Feb 11 2019 Lukas Vrabec - 3.14.1-58- Allow ibacm_t domain to read system state and label all ibacm sockets and symlinks as ibacm_var_run_t in /var/runResolves: rhbz#1635674- Update mount_read_pid_files macro to allow also list mount_var_run_t dirsResolves: rhbz#1664448- Allow userdomain to stop systemd user session during logout.Resolves: rhbz#1664448 * Wed Feb 06 2019 Lukas Vrabec - 3.14.1-57- Allow read network state of system for processes labeled as ibacm_tResolves: rhbz#1635674- Allow ibacm_t domain to send dgram sockets to kernel processesResolves: rhbz#1635674- Allow virt_doamin to read/write dev deviceResolves: rhbz#1672188- Update ibacm_t policy after testing lastest version of this componentResolves: rhbz#1635674- Allow sensord_t domain to mmap own log filesResolves:rhbz#1656055- Label /dev/sev char device as sev_device_tResolves: rhbz#1672188 * Wed Feb 06 2019 Lukas Vrabec - 3.14.1-56- Allow virt_doamin to read/write dev deviceResolves: rhbz#1672188- Update ibacm_t policy after testing lastest version of this componentResolves: rhbz#1635674- Allow sensord_t domain to mmap own log filesResolves:rhbz#1656055- Add dac_override capability for ipa_helper_tResolves: rhbz#1668168- Allow sensord_t domain to use nsswitch and execute shellResolves: rhbz#1656055- Allow opafm_t domain to execute lib_t filesResolves: rhbz#1627861- Allow opafm_t domain to manage kdump_crash_t files and dirsResolves: rhbz#1627861- Label /dev/sev char device as sev_device_tResolves: rhbz#1672188 * Fri Feb 01 2019 Lukas Vrabec - 3.14.1-55- Fix broken config files because of missing level specification in user_t contextsResolves: rhbz#1664448 * Fri Feb 01 2019 Lukas Vrabec - 3.14.1-54- Allow sensord_t domain to use nsswitch and execute shellResolves: rhbz#1656055- Allow opafm_t domain to execute lib_t filesResolves: rhbz#1627861 * Tue Jan 29 2019 Lukas Vrabec - 3.14.1-53- Update dbus_role_template interface to allow userdomains to accept data from userdomain dbus domainsResolves: rhbz#1664448- Allow systemd to read selinux logind configResolves: rhbz#1664448- Fix userdom_admin_user_template() interface by adding bluetooth,alg,dccp create_stream_socket permissions.- Allow transition from init_t domain to user_t domain during ssh login with confined user user_uResolves: rhbz#1664448 * Thu Jan 24 2019 Lukas Vrabec - 3.14.1-52- Fix userdom_admin_user_template() interface by adding bluetooth,alg,dccp create_stream_socket permissions.Resolves: rhbz#1557301 * Mon Jan 14 2019 Lukas Vrabec - 3.14.1-51- Allow tangd_t domain to bind on tcp ports labeled as tangd_port_tResolves: rhbz#1664345- Create tangd_port_t with default label tcp/7406Resolves: rhbz#1664345- Remove tangd_t domain from permissive domains.Resolves: rhbz#1664345 * Fri Jan 11 2019 Lukas Vrabec - 3.14.1-50- Change label of /usr/libexec/lm_sensors/sensord-service-wrapper from lsmd_exec_t to sensord_exec_tResolves: rhbz#1656055- Make kpatch_t domain application domain to allow users to execute kpatch in kpatch_t domain.Resolves: rhbz#1630198- Allow confined users to use new socket classes for bluetooth, alg and tcpdiag socketsResolves: rhbz#1557301- Allow sysadm_t,staff_t and unconfined_t domain to execute kpatch as kpatch_t domainResolves: rhbz#1630198 * Tue Dec 11 2018 Lukas Vrabec - 3.14.1-49- Update nslcd_t domain to allow view kernel and systemd keyringsResolves: rhbz#1657916- Allow arpwatch_t domains to execute shell BZ(1644568)- Allow processes labeled as ipa_otpd_t stream connect to sssd.- Add new SELinux domain pcp_plugin_t.Resolves: rhbz#1648386- Remove all ganesha bits from gluster and rpc policyResolves: rhbz#1639227- Label /usr/share/spamassassin/sa-update.cron as spamd_update_exec_tResolves: rhbz#1656837- Add dac_override capability to ssad_t domainsResolves: rhbz#1655551- Allow pesign_t domain to read gnome home configsResolves: rhbz#1644796- Label /usr/libexec/lm_sensors/sensord-service-wrapper as lsmd_exec_tResolves: rhbz#1656055- Allow rngd_t domains read kernel stateResolves: rhbz#1656054- Allow certmonger_t domains to read bind cacheResolves: rhbz#1655077- Allow ypbind_t domain to stream connect to sssdResolves: rhbz#1583953- Allow rngd_t domain to setschedResolves: rhbz#1653872- Add interface init_view_key()- Allow systemd to mmap all pidfilesResolves: rhbz#1622548- Add files_map_all_pids() interface- Allow passwd_t domain mamange sssd public nad lib files, read pid files and send signals to sssd_t domainsResolves: rhbz#1657291- Update xserver_filetrans_home_content() and xserver_filetrans_admin_home_content() unterfaces to allow caller domain to create .vnc dir in users homedir labeled as xdm_home_tResolves: rhbz#1639846- Update logging_filetrans_named_content() to allow caller domains of this interface to create /var/log/journal/remote directory labeled as var_log_t- Add sys_resource capability to the systemd_passwd_agent_t domainResolves: rhbz#1590981- Allow ipsec_t domains to read bind cacheResolves: rhbz#1654692- kernel/files.fc: Label /run/motd as etc_t- Allow systemd to stream connect to userdomain processesResolves: rhbz#1644733 * Tue Nov 27 2018 Lukas Vrabec - 3.14.1-48- Allow sanlock_t domain to read/write sysfs_t filesResolves: rhbz#1647594- Add dac_override capability to postfix_local_t domain- Allow ypbind_t to search sssd_var_lib_t dirs- Allow virt_qemu_ga_t domain to write to user_tmp_t files- Allow systemd_logind_t to dbus chat with virt_qemu_ga_t- Update sssd_manage_lib_files() interface to allow also mmap sssd_var_lib_t files- Label /var/lib/private/systemd/ as init_var_lib_tResolves: rhbz#1649312- Allow initrc_t domain to create new socket labeled as init_t- Allow audisp_remote_t domain remote logging client to read local audit events from relevant socket.Resolves: rhbz#1639675- Add tracefs_t type to mountpoint attributeResolves: rhbz#1647819- Allow useradd_t and groupadd_t domains to send signals to sssd_tResolves: rhbz#1651531- Allow systemd_logind_t domain to remove directories labeled as tmpfs_t BZ(1648636)- Allow useradd_t and groupadd_t domains to access sssd files because of the new feature in shadow-utilsResolves: rhbz#1651531 * Wed Nov 07 2018 Lukas Vrabec - 3.14.1-47- Update pesign policy to allow pesign_t domain to read bind cache files/dirsResolves: rhbz#1644796- Add dac_override capability to mdadm_t domainResolves: rhbz#1599646- Create ibacm_tmpfs_t type for the ibacm policyResolves: rhbz#1581715- Dontaudit capability sys_admin for dhcpd_t domainResolves: rhbz#1635643- Makes rhsmcertd_t domain an exception to the constraint preventing changing the user identity in object contexts.Resolves: rhbz#1639181- Allow abrt_t domain to mmap generic tmp_t filesResolves:rhbz#1644727- Label /usr/sbin/wpa_cli as wpa_cli_exec_tResolves: rhbz#1644899- Allow sandbox_xserver_t domain write to user_tmp_t filesResolves:rhbz#1644315- Dontaudit thumb_t domain to setattr on lib_t dirs BZ(1643672)- Dontaudit cupsd_t domain to setattr lib_t dirs BZ(1636766)- Add dac_override capability to postgrey_t domain BZ(1638954)- Allow thumb_t domain to execute own tmpfs files BZ(1643698)- Add nnp transition rule for vnstatd_t domain using NoNewPrivileges systemd feature BZ(1643063)- Allow l2tpd_t domain to mmap /etc/passwd file BZ(1638948)- Allow certutil running as ipsec_mgmt_t domain to mmap ipsec_mgmt pid files Dontaudit ipsec_mgmt_t domain to write to the all mountpointsResolves: rhbz#1644727- Add interface files_map_generic_tmp_files()- Add dac_override capability to the syslogd_t domainResolves: rhbz#1644373- Create systemd_timedated_var_run_t label- Update systemd_timedated_t domain to allow create own pid files/access init_var_lib_t files and read dbus files BZ(1646202)- Improve fs_manage_ecryptfs_files to allow caller domain also mmap ecryptfs_t files BZ(1630675)- kernel/files.fc: Label /run/motd.d(/. *)? as etc_t- Allow ipsec_mgmt_t process to send signals other than SIGKILL, SIGSTOP, or SIGCHLD to the ipsec_t domains BZ(1638949) * Mon Oct 22 2018 Lukas Vrabec - 3.14.1-46- Add dac_override capability to ftpd_t domainResolves: rhbz#1641049- Allow X display manager to check status and reload services which are part of x_domain attributeResolves: rhbz#1641082 * Fri Oct 19 2018 Lukas Vrabec - 3.14.1-45- Allow gpg_t to create own tmpfs dirs and sockets- Allow rhsmcertd_t domain to relabel cert_t files- Add SELinux policy for kpatchResolves: rhbz#1630198- Allow nova_t domain to use pam- sysstat: grant sysstat_t the search_dir_perms set- Allow boltd_t domain to dbus chat with fwupd_t domain BZ(1633786)- Allow caller domains using cron_ *_role to have entrypoint permission on system_cron_spool_t files BZ(1625645)- Add interface cron_system_spool_entrypoint()- Bolt added d-bus API for force-powering the thunderbolt controller, so system-dbusd needs acces to boltd pipes BZ(1637676)- Add interfaces for boltd SELinux module- Add dac_override capability to modemmanager_t domain BZ(1636608)- Add interface miscfiles_relabel_generic_cert()- Make kpatch policy active- Fix userdom_write_user_tmp_dirs() to allow caller domain also read/write user_tmp_t dirs- Dontaudit sys_admin capability for netutils_t domain- Label tcp and udp ports 2611 as qpasa_agent_port_t- Allow systemd to mount boltd_var_run_t dirs BZ(1636823)- Label correctly /var/named/chroot */dev/unrandom in bind chroot. * Sat Oct 13 2018 Lukas Vrabec - 3.14.1-44- Update rpm macros for selinux policy from sources repository: https://github.com/fedora-selinux/selinux-policy-macrosResolves: rhbz#1633198- Allow boltd_t to read fwupd_t processes state- Turn named_write_master_zones boolean on by default.Resolves: rhbz#1633158- Label /etc/rhsm as rhsmcertd_config_tResolves: rhbz#1636212- Allow httpd_t domain to write to httpd_config_t dirs if httpd_run_ipa boolean is turned onResolves: rhbz#1624930- Allow dhcpd_t domain to mmap dhcpd_state_t filesResolves: rhbz#1635643- Allow abrt_t domain to manage usr_t dirsResolves: rhbz#1619001- Allow certmonger_t domain to manage cockpit pid filesResolves: rhbz#1629685- Update opafm_t domain after basic testing this serviceResolves: rhbz#1627861- Allow systemd-tty-ask to ask for password of encrypted partions during bootResolves: rhbz#1638666- Update sysnet_read_dhcp_config interface to allow caller domain also mmap dhcp_etc_t files- Add interface files_manage_usr_dirs() * Wed Oct 10 2018 Lukas Vrabec - 3.14.1-43- Allow ibacm_t domain to read/write to infiniband devices Allow ibacm_t domain to getattr tmpfs_t filesystem.Resolves: rhbz#1635674- Update SELinux policy for libreswan based on the latest rebase 3.26Resolves: rhbz#1637089 * Mon Oct 08 2018 Lukas Vrabec - 3.14.1-42- Allow cockpit to create motd file in /var/run/cockpitResolves: rhbz#1629678- Allow cockpit_t domain to read systemd stateResolves: rhbz#1629588 * Thu Oct 04 2018 Lukas Vrabec - 3.14.1-41- Tomcat should not be unconfined domain- Fix typo in cockpit interfaces we have cockpit_var_run_t files not cockpit_var_pid_t- Add interface apcupsd_read_power_files()- Allow systemd labeled as init_t to execute logrotate in logrotate_t domain- Allow dac_override capability to amanda_t domain- Allow geoclue_t domain to get attributes of fs_t filesystems- Update selinux policy for rhnsd_t domain based on changes in spacewalk-2.8-clientResolves: rhbz#1629678Resolves: rhbz#1629685Resolves: rhbz#1626100Resolves: rhbz#1629588Resolves: rhbz#1630317 * Sat Sep 15 2018 Lukas Vrabec - 3.14.1-40- Tomcat should not be unconfined domain- Allow cockpit_t domain to read systemd state- Allow abrt_t domain to write to usr_t files- Allow cockpit to create motd file in /var/run/cockpit- Label /usr/sbin/pcsd as cluster_exec_t- Allow pesign_t domain to getattr all fs- Allow tomcat servers to manage usr_t files- Dontaudit tomcat serves to append to /dev/random device- Allow dirsrvadmin_script_t domain to read httpd tmp files- Allow sbd_t domain to getattr of all char files in /dev and read sysfs_t files and dirs- Revert \"Allow firewalld_t domain to read random device\"- Allow postfix domains to mmap system db files- Allow geoclue_t domain to execute own tmp files- Allow virt_qemu_ga_t domain to read network state BZ(1592145)- Update ibacm_read_pid_files interface to allow also reading link files- Allow zebra_t domain to create packet_sockets- Allow opafm_t domain to list sysfs- Label /usr/libexec/cyrus-imapd/cyrus-master as cyris_exec_t- Add boolean: domain_can_mmap_files.- Allow sshd_t domain to read cockpit pid files- Allow syslogd_t domain to manage cert_t files- Allow getattr as part of files_mounton_kernel_symbol_table.- Fix typo \"aduit\" -> \"audit\"- Revert \"Add new interface dev_map_userio()\"- Add new interface dev_map_userio()- Allow systemd to read ibacm pid filesResolves: rhbz#1615318Resolves: rhbz#1619001Resolves: rhbz#1627646 * Fri Sep 07 2018 Lukas Vrabec - 3.14.1-39- Merge remote-tracking branch \'fedora-contrib/f28\' into rhel8.0-contrib- Tomcat should not be unconfined domain- Update ibacm_read_pid_files interface to allow also reading link files- Allow zebra_t domain to create packet_sockets- Allow opafm_t domain to list sysfs- Label /usr/libexec/cyrus-imapd/cyrus-master as cyris_exec_t- Allow tomcat Tomcat to delete a temporary file used when compiling class files for JSPs.- Allow chronyd_t domain to read virt_var_lib_t files- Allow tomcat services create link file in /tmp- Label /etc/shorewall6 as shorewall_etc_t- Allow winbind_t domain kill in user namespaces- Allow firewalld_t domain to read random device- Allow abrt_t domain to do execmem- Allow geoclue_t domain to execute own var_lib_t files- Allow openfortivpn_t domain to read system network state- Allow dnsmasq_t domain to read networkmanager lib files- sssd: Allow to limit capabilities using libcap- sssd: Remove unnecessary capability- sssd: Do not audit usage of lib nss_systemd.so- Fix bug in nsd.fc, /var/run/nsd.ctl is socket file not file- Add correct namespace_init_exec_t context to /etc/security/namespace.d/ *- Update nscd_socket_use to allow caller domain to mmap nscd_var_run_t files- Allow exim_t domain to mmap bin files- Allow mysqld_t domain to executed with nnp transition- Allow svirt_t domain to mmap svirt_image_t block files- Add caps dac_read_search and dav_override to pesign_t domain- Allow iscsid_t domain to mmap userio chr files- Merge remote-tracking branch \'fedora-base/f28\' into rhel8.0-base- Revert \"Add new interface dev_map_userio()\"- Add new interface dev_map_userio()- Allow systemd to read ibacm pid files- Allow systemd to create symlinks in for /var/lib- Add comment to show that template call also allows changing shells- Document userdom_change_password_template() behaviour- Merge remote-tracking branch \'fedora-base/f28\' into rhel8.0-base- update files_mounton_kernel_symbol_table() interface to allow caller domain also mounton system_map_t file- Fix typo in logging SELinux module- Allow usertype to mmap user_tmp_type files- In domain_transition_pattern there is no permission allowing caller domain to execu_no_trans on entrypoint, this patch fixing this issue- Revert \"Add execute_no_trans permission to mmap_exec_file_perms pattern\"- Add boolean: domain_can_mmap_files.- Allow ipsec_t domian to mmap own tmp files- Add .gitignore file- Add execute_no_trans permission to mmap_exec_file_perms pattern- Allow sudodomain to search caller domain proc info- Allow audisp_remote_t domain to read auditd_etc_t- netlabel: Remove unnecessary sssd nsswitch related macros- Allow to use sss module in auth_use_nsswitch- Limit communication with init_t over dbus- Add actual modules.conf to the git repo- Add few interfaces to optional block- Allow sysadm_t and staff_t domain to manage systemd unit files- Add interface dev_map_userio_dev()Resolves: rhbz#1623411Resolves: rhbz#1624648Resolves: rhbz#1596618Resolves: rhbz#1574878Resolves: rhbz#1577324Resolves: rhbz#1625202Resolves: rhbz#1581715Resolves: rhbz#1625127 * Tue Aug 28 2018 Lukas Vrabec - 3.14.1-38- Allow ovs-vswitchd labeled as openvswitch_t domain communicate with qemu-kvm via UNIX stream socketResolves: rhbz#1621142- Add interface devicekit_mounton_var_lib()- Allow httpd_t domain to mmap tmp files- Allow tcsd_t domain to have dac_override capability- Allow cupsd_t to rename cupsd_etc_t files- Allow iptables_t domain to create rawip sockets- Allow amanda_t domain to mmap own tmpfs files- Allow fcoemon_t domain to write to sysfs_t dirs- Allow dovecot_auth_t domain to have dac_override capability- Allow geoclue_t domain to mmap own tmp files- Allow chronyc_t domain to read network state- Allow apcupsd_t domain to execute itself- Allow modemmanager_t domain to stream connect to sssd- Allow chonyc_t domain to rw userdomain pipes- Update dirsrv_read_share() interface to allow caller domain to mmap dirsrv_share_t files- Update dirsrvadmin_script_t policy to allow read httpd_tmp_t symlinks- Allow nagios_script_t domain to mmap nagios_spool_t files- Allow geoclue_t domain to mmap geoclue_var_lib_t files- Allow geoclue_t domain to map generic certs- Update munin_manage_var_lib_files to allow manage also dirs- Allow nsd_t domain to create new socket file in /var/run/nsd.ctl- Fix typo in virt SELinux policy module- Allow virtd_t domain to create netlink_socket- Allow rpm_t domain to write to audit- Allow nagios_script_t domain to mmap nagios_etc_t files- Update nscd_socket_use() to allow caller domain to stream connect to nscd_t- Allow kdumpctl_t domain to getattr fixed disk device in mls- Fix typo in stapserver policy- Dontaudit abrt_t domain to write to usr_t dirs- Revert \"Allow rpcbind to bind on all unreserved udp ports\"- Allow rpcbind to bind on all unreserved udp ports- Allow virtlogd to execute itself- Allow stapserver several actions: - execute own tmp files - mmap stapserver_var_lib_t files - create stapserver_tmpfs_t files- Allow ypxfr_t domain to stream connect to rpcbind and allos search sssd libs- Allos systemd to socket activate ibacm service- Allow dirsrv_t domain to mmap user_t files- Allow dhcpc_t domain to read /dev/random- Allow systemd to mounton device_var_lib_t dirs- Allow systemd to mounton kernel system table- Label also chr_file /dev/mtd. * devices as fixed_disk_device_t- Allow syslogd_t domain to create netlink generic sockets- Label /dev/tpmrm[0-9] * as tpm_device_t- Update dev_filetrans_all_named_dev() to allow create event22-30 character files with label event_device_t- Update userdom_security_admin() and userdom_security_admin_template() to allow use auditctl- Allow insmod_t domain to read iptables pid files- Allow systemd to mounton /etc- Allow initrc_domain to mmap all binaries labeled as systemprocess_entry- Allow xserver_t domain to start using systemd socket activation- Tweak SELinux policy for systemd to allow DynamicUsers systemd feature- Associate several proc labels to fs_t- Update init_named_socket_activation() interface to allow systemd also create link files in /var/run * Tue Aug 21 2018 Lukas Vrabec - 3.14.1-37- Dontaudit abrt_t domain to write to usr_t dirs- Revert \"Allow rpcbind to bind on all unreserved udp ports\"- Allow rpcbind to bind on all unreserved udp ports- Allow virtlogd to execute itself- Allow stapserver several actions: - execute own tmp files - mmap stapserver_var_lib_t files - create stapserver_tmpfs_t files- Allow ypxfr_t domain to stream connect to rpcbind and allos search sssd libs- Allos systemd to socket activate ibacm service- Allow dirsrv_t domain to mmap user_t files- Allow kdumpctl_t domain to manage kdumpctl_tmp_t fifo files- Allow kdumpctl to write to files on all levels- Allow httpd_t domain to mmap httpd_config_t files- Allow sanlock_t domain to connectto to unix_stream_socket- Revert \"Add same context for symlink as binary\"- Allow mysql execute rsync- Update nfsd_t policy because of ganesha features- Allow conman to getattr devpts_t- Allow tomcat_domain to connect to smtp ports- Allow tomcat_t domain to mmap tomcat_var_lib_t files- Allow nagios_t domain to mmap nagios_log_t files- Allow kpropd_t domain to mmap krb5kdc_principal_t files- Allow kdumpctl_t domain to read fixed disk storage- Allow xserver_t domain to start using systemd socket activation- Tweak SELinux policy for systemd to allow DynamicUsers systemd feature- Associate several proc labels to fs_t- Update init_named_socket_activation() interface to allow systemd also create link files in /var/run- Fix typo in syslogd policy- Update syslogd policy to make working elasticsearch- Label tcp and udp ports 9200 as wap_wsp_port- Allow few domains to rw inherited kdumpctl tmp pipes * Mon Aug 13 2018 Lukas Vrabec - 3.14.1-36- Add missing tarball from sourcesResolves: rhbz#1615312 * Mon Aug 13 2018 Daniel Kopeček - 3.14.1-35- Use explicit path BuildRequires to get /usr/bin/python3 inside the buildrootResolves: rhbz#1615312 * Fri Aug 10 2018 Lukas Vrabec - 3.14.1-34- Fix issue with aliases in apache interface fileResolves: rhbz#1596618- Add same context for symlink as binary- Allow boltd_t to send logs to journal- Allow colord_use_nfs to allow colord also mmap nfs_t files- Allow mysqld_safe_t do execute itself- Allow smbd_t domain to chat via dbus with avahi daemon- cupsd_t domain will create /etc/cupsd/ppd as cupsd_etc_rw_t- Update screen_role_template to allow caller domain to have screen_exec_t as entrypoint do new domain- Add alias httpd__script_t to _script_t to make sepolicy generate working- Allow gpg_t domain to mmap gpg_agent_tmp_t files- Allow kprop_t domain to read network state- Add support boltd policy- Allow kpropd domain to exec itself- Allow pdns_t to bind on tcp transproxy port- Add support for opafm service- Allow hsqldb_t domain to read cgroup files- Allow rngd_t domain to read generic certs- Allow innd_t domain to mmap own var_lib_t files- Update screen_role_temaplate interface- Allow chronyd_t domain to mmap own tmpfs files- Allow chronyd_t domain to mmap own tmpfs files- label /var/lib/pgsql/data/log as postgresql_log_t- Allow sysadm_t domain to accept socket- Allow systemd to manage passwd_file_t- Allow sshd_t domain to mmap user_tmp_t files- Allow systemd to mounont boltd lib dirs- Allow sysadm_t domain to create rawip sockets- Allow sysadm_t domain to listen on socket- Update sudo_role_template() to allow caller domain also setattr generic ptys * Sun Jul 29 2018 Lukas Vrabec - 3.14.1-33- Allow sblim_sfcbd_t domain to mmap own tmpfs files- Allow nfsd_t domain to read krb5 keytab files- Allow nfsd_t domain to manage fadm pid files- Allow virt_domain to create icmp sockets BZ(1609142)- Dontaudit oracleasm_t domain to request sys_admin capability- Update logging_manage_all_logs() interface to allow caller domain map all logfiles * Thu Jul 26 2018 Lukas Vrabec - 3.14.1-32- Allow aide to mmap all files- Revert \"Allow firewalld_t do read iptables_var_run_t files\"- Revert \"Allow firewalld to create rawip sockets\"- Allow svirt_tcg_t domain to read system state of virtd_t domains- Update rhcs contexts to reflects the latest fenced changes- Allow httpd_t domain to rw user_tmp_t files- Fix typo in openct policy- Allow winbind_t domian to connect to all ephemeral ports- Allow firewalld_t do read iptables_var_run_t files- Allow abrt_t domain to mmap data_home files- Allow glusterd_t domain to mmap user_tmp_t files- Allow mongodb_t domain to mmap own var_lib_t files- Allow firewalld to read kernel usermodehelper state- Allow modemmanager_t to read sssd public files- Allow openct_t domain to mmap own var_run_t files- Allow nnp transition for devicekit daemons- Allow firewalld to create rawip sockets- Allow firewalld to getattr proc filesystem- Dontaudit sys_admin capability for pcscd_t domain- Revert \"Allow pcsd_t domain sys_admin capability\"- Allow fetchmail_t domain to stream connect to sssd- Allow pcsd_t domain sys_admin capability- Allow cupsd_t to create cupsd_etc_t dirs- Allow varnishlog_t domain to list varnishd_var_lib_t dirs- Allow mongodb_t domain to read system network state BZ(1599230)- Allow zoneminder_t to getattr of fs_t- Allow tgtd_t domain to create dirs in /var/run labeled as tgtd_var_run_t BZ(1492377)- Allow iscsid_t domain to mmap sysfs_t files- Allow httpd_t domain to mmap own cache files- Add sys_resource capability to nslcd_t domain- Fixed typo in logging_audisp_domain interface- Add interface files_mmap_all_files()- Add interface iptables_read_var_run()- Allow systemd to mounton init_var_run_t files- Update policy rules for auditd_t based on changes in audit version 3- Allow systemd_tmpfiles_t do mmap system db files- Don\'t setup unlabeled_t as an entry_type- Allow unconfined_service_t to transition to container_runtime_t- Improve domain_transition_pattern to allow mmap entrypoint bin file. * Wed Jul 18 2018 Lukas Vrabec - 3.14.1-31- Allow cupsd_t domain to mmap cupsd_etc_t files- Allow kadmind_t domain to mmap krb5kdc_principal_t- Allow virtlogd_t domain to read virt_etc_t link files- Allow dirsrv_t domain to read crack db- Dontaudit pegasus_t to require sys_admin capability- Allow mysqld_t domain to exec mysqld_exec_t binary files- Allow abrt_t odmain to read rhsmcertd lib files- Allow winbind_t domain to request kernel module loads- Allow tomcat_domain to read cgroup_t files- Allow varnishlog_t domain to mmap varnishd_var_lib_t files- Allow innd_t domain to mmap news_spool_t files- Label HOME_DIR/mozilla.pdf file as mozilla_home_t instead of user_home_t- Allow fenced_t domain to reboot- Allow amanda_t domain to read network system state- Allow abrt_t domain to read rhsmcertd logs- Fix typo in radius policy- Update zoneminder policy to reflect latest features in zoneminder BZ(1592555)- Label /usr/bin/esmtp-wrapper as sendmail_exec_t- Update raid_access_check_mdadm() interface to dontaudit caller domain to mmap mdadm_exec_t binary files- Dontaudit thumb to read mmap_min_addr- Allow chronyd_t to send to system_cronjob_t via unix dgram socket BZ(1494904)- Allow mpd_t domain to mmap mpd_tmpfs_t files BZ(1585443)- Allow collectd_t domain to use ecryptfs files BZ(1592640)- Dontaudit mmap home type files for abrt_t domain- Allow fprintd_t domain creating own tmp files BZ(1590686)- Allow collectd_t domain to bind on bacula_port_t BZ(1590830)- Allow fail2ban_t domain to getpgid BZ(1591421)- Allow nagios_script_t domain to mmap nagios_log_t files BZ(1593808)- Allow pcp_pmcd_t domain to use sys_ptrace usernamespace cap- Allow sssd_selinux_manager_t to read/write to systemd sockets BZ(1595458)- Allow radiusd_t domain to mmap radius_etc_rw_t files- Allow git_script_t domain to read and mmap gitosis_var_lib_t files BZ(1591729)- Add dac_read_search capability to thumb_t domain- Add dac_override capability to cups_pdf_t domain BZ(1594271)- Add net_admin capability to connntrackd_t domain BZ(1594221)- Allow gssproxy_t domain to domtrans into gssd_t domain BZ(1575234)- Fix interface init_dbus_chat in oddjob SELinux policy BZ(1590476)- Allow motion_t to mmap video devices BZ(1590446)- Add dac_override capability to mpd_t domain BZ(1585358)- Allow fsdaemon_t domain to write to mta home files BZ(1588212)- Allow virtlogd_t domain to chat via dbus with systemd_logind BZ(1589337)- Allow sssd_t domain to write to general cert files BZ(1589339)- Allow l2tpd_t domain to sends signull to ipsec domains BZ(1589483)- Allow cockpit_session_t to read kernel network state BZ(1596941)- Allow devicekit_power_t start with nnp systemd security feature with proper SELinux Domain transition BZ(1593817)- Allows systemd to get attribues of core kernel interface BZ(1596928)- Dontaudit syslogd to watching top llevel dirs when imfile module is enabled- Revert \"Allow unconfined and sysadm users to use bpftool BZ(1591440)\"- Allow userdomain sudo domains to use generic ptys- Allow systemd labeled as init_t to get sysvipc info BZ(1600877)- Label /sbin/xtables-legacy-multi and /sbin/xtables-nft-multi as iptables_exec_t BZ(1600690)- Remove duplicated userdom_delete_user_home_content_files- Add systemd_dbus_chat_resolved interface- Allow load_policy_t domain to read/write to systemd sockets BZ(1582812)- Add new interface init_prog_run_bpf()- Allow unconfined and sysadm users to use bpftool BZ(1591440)- Label /run/cockpit/motd as etc_t BZ(1584167)- Allow systemd_machined_t domain to sendto syslogd_t over unix dgram sockets- Add interface userdom_dontaudit_mmap_user_home_content_files()- Allow systemd to listen bluetooth sockets BZ(1592223)- Allow systemd to remove user_home_t files BZ(1418463)- Allow xdm_t domain to mmap and read cert_t files BZ(1553761)- Allow nsswitch_domain to mmap passwd_file_t files BZ(1518655)- Allow systemd to delete user temp files BZ(1595189)- Allow systemd to mounton core kernel interface- Add dac_override capability to ipsec_t domain BZ(1589534)- Allow systemd domain to mmap lvm config files BZ(1594584)- Allow systemd to write systemd_logind_inhibit_var_run_t fifo files- Allow systemd_modules_load_t to access unabeled infiniband pkeys * Fri Jun 29 2018 Lukas Vrabec - 3.14.1-30- Add ibacm policy- Label /usr/sbin/rhn_check-[0-9]+.[0-9]+ as rpm_exec_t- Allow kdumpgui_t domain to allow execute and mmap all binaries labeled as kdumpgui_tmp_t- Allow rpm to check if SELinux will check original protection mode or modified protection mode (read-implies-exec) for mmap/mprotect. Allow rpm to reload systemd services- Allow crond_t domain to create netlink selinux sockets and dac_override cap.- Allow radiusd_t domain to have dac_override capability- Allow amanda_t domain to have setgid capability- Allow psad domain to setrlimit. Allow psad domain to stream connect to dbus Allow psad domain to exec journalctl_exec_t binary- Update cups_filetrans_named_content() to allow caller domain create ppd directory with cupsd_etc_rw_t label- Allow abrt_t domain to write to rhsmcertd pid files- Allow pegasus_t domain to eexec lvm binaries and allow read/write access to lvm control- Add vhostmd_t domain to read/write to svirt images- Update kdump_manage_kdumpctl_tmp_files() interface to allow caller domain also mmap kdumpctl_tmp_t files- Allow sssd_t and slpad_t domains to mmap generic certs- Allow chronyc_t domain use inherited user ttys- Allow stapserver_t domain to mmap own tmp files- Update nscd_dontaudit_write_sock_file() to dontaudit also stream connect to nscd_t domain- Merge pull request #60 from vmojzis/rawhide- Allow tangd_t domain stream connect to sssd- Allow oddjob_t domain to chat with systemd via dbus- Allow freeipmi domains to mmap sysfs files- Fix typo in logwatch interface file- Allow spamd_t to manage logwatch_cache_t files/dirs- Allow dnsmasw_t domain to create own tmp files and manage mnt files- Allow fail2ban_client_t to inherit rlimit information from parent process- Allow nscd_t to read kernel sysctls- Label /var/log/conman.d as conman_log_t- Add dac_override capability to tor_t domain- Allow certmonger_t to readwrite to user_tmp_t dirs- Allow abrt_upload_watch_t domain to read general certs- Allow chornyd_t read phc2sys_t shared memory- Add several allow rules for pesign policy:- Add setgid and setuid capabilities to mysqlfd_safe_t domain- Add tomcat_can_network_connect_db boolean- Update virt_use_sanlock() boolean to read sanlock state- Add sanlock_read_state() interface- Allow zoneminder_t to getattr of fs_t- Allow rhsmcertd_t domain to send signull to postgresql_t domain- Add log file type to collectd and allow corresponding access- Allow policykit_t domain to dbus chat with dhcpc_t- Adding new boolean keepalived_connect_any()- Allow amanda to create own amanda_tmpfs_t files- Allow gdomap_t domain to connect to qdomap_port_t- /usr/libexec/bluetooth/obexd should have only obexd_exec_t instead of bluetoothd_exec_t type- Allow ntop_t domain to create/map various sockets/files.- Enable the dictd to communicate via D-bus.- Allow inetd_child process to chat via dbus with abrt- Allow zabbix_agent_t domain to connect to redis_port_t- Allow rhsmcertd_t domain to read xenfs_t files- Allow zabbix_agent_t to run zabbix scripts- Fix openvswith SELinux module- Fix wrong path in tlp context file BZ(1586329)- Update brltty SELinux module- Allow rabbitmq_t domain to create own tmp files/dirs- Allow policykit_t mmap policykit_auth_exec_t files- Allow ipmievd_t domain to read general certs- Add sys_ptrace capability to pcp_pmie_t domain- Allow squid domain to exec ldconfig- Update gpg SELinux policy module- Allow mailman_domain to read system network state- Allow openvswitch_t domain to read neutron state and read/write fixed disk devices- Allow antivirus_domain to read all domain system state- Allow targetd_t domain to red gconf_home_t files/dirs- Label /usr/libexec/bluetooth/obexd as obexd_exec_t- Allow init_t domain to create netlink rdma sockets for ibacm policy- Update corecmd_exec_shell() interface to allow caller domain to mmap shell_exec_t files- Allow lvm_t domain to write files to all mls levels- Add to su_role_template allow rule for creating netlink_selinux sockets- Allow sysadm_t domain to mmap hwdb db- Allow udev_t domain to mmap kernel modules- Allow sysadm_screen_t to have capability dac_override and chown- Allow sysadm_t domain to mmap journal- Merge branch \'rawhide\' of github.com:fedora-selinux/selinux-policy into rawhide- Label /etc/systemd/system.control/ dir as systemd_unit_file_t- Merge pull request #215 from bachradsusi/merge-conf-from-fedora- Allow sysadm_t and staff_t domains to use sudo io logging- Allow sysadm_t domain create sctp sockets- Add snapperd_contexts to the policy- Use system_u:system_r:unconfined_t:s0 in userhelper_context- Remove unneeded system_u seusers mapping.- Fedora targeted default user is unconfined_u, root is unconfined_u as well- Update config to reflect changes in default context for SELinux users related to pam_selinux.so which is now used in systemd-users.- Change failsafe_context to unconfined_r:unconfined_t:s0- Update lxc_contexts from Fedora config.tgz- Add lxc_contexts config file- Allow traceroute_t domain to exec bin_t binaries- Allow systemd_passwd_agent_t domain to list sysfs Allow systemd_passwd_agent_t domain to dac_override- Add new interface dev_map_sysfs()- Allow sshd_keygen_t to execute plymouthd- Allow systemd_networkd_t create and relabel tun sockets- Add new interface postgresql_signull()- Merge pull request #214 from wrabcak/fb-dhcpc- Allow dhcpc_t creating own socket files inside /var/run/ Allow dhcpc_t creating netlink_kobject_uevent_socket, netlink_generic_socket, rawip_socket BZ(1585971)- Allow confined users get AFS tokens- Allow sysadm_t domain to chat via dbus- Associate sysctl_kernel_t type with filesystem attribute * Fri Jun 08 2018 Lukas Vrabec - 3.14.1-29- Fix typos in zabbix.te file- Add missing requires- Allow tomcat domain sends email- Fix typo in sge policy- Allow certmonger to sends emails- Allow tomcat_t do mmap tomcat_tmp_t files- Improve sge_rw_tcp_sockets interface- Adding new interface: sge_rw_tcp_sockets()- Update sge_execd_t domain with few rules- Add new zabbix_run_sudo boolean- Allow virtual machines to manage cephfs filesystems.- Allow rhsmcertd_t domain to read sssd public files and stream connect to sssd- Add dac_override capability to sendmail_t domain- Fix typo in netutils.te file- Update traceroute_t domain to allow create dccp sockets- Update ssh_keysign policy- Allow sshd_t domain to read/write sge tcp sockets * Wed Jun 06 2018 Lukas Vrabec - 3.14.1-28- Update ctdb domain to support gNFS setup- Allow authconfig_t dbus chat with policykit- Allow lircd_t domain to read system state- Revert \"Allow fsdaemon_t do send emails BZ(1582701)\"- Typo in uuidd policy- Allow tangd_t domain read certs- Allow vpnc_t domain to read configfs_t files/dirs BZ(1583107)- Allow vpnc_t domain to read generic certs BZ(1583100)- Label /var/lib/phpMyAdmin directory as httpd_sys_rw_content_t BZ(1584811)- Allow NetworkManager_ssh_t domain to be system dbud client- Allow virt_qemu_ga_t read utmp- Add capability dac_override to system_mail_t domain- Update uuidd policy to reflect last changes from base branch- Add cap dac_override to procmail_t domain- Allow sendmail to mmap etc_aliases_t files BZ(1578569)- Add new interface dbus_read_pid_sock_files()- Allow mpd_t domain read config_home files if mpd_enable_homedirs boolean will be enabled- Allow fsdaemon_t do send emails BZ(1582701)- Allow firewalld_t domain to request kernel module BZ(1573501)- Allow chronyd_t domain to send send msg via dgram socket BZ(1584757)- Add sys_admin capability to fprint_t SELinux domain- Allow cyrus_t domain to create own files under /var/run BZ(1582885)- Allow cachefiles_kernel_t domain to have capability dac_override- Update policy for ypserv_t domain- Allow zebra_t domain to bind on tcp/udp ports labeled as qpasa_agent_port_t- Allow cyrus to have dac_override capability- Dontaudit action when abrt-hook-ccpp is writing to nscd sockets- Fix homedir polyinstantion under mls- Fixed typo in init.if file- Allow systemd to remove generic tmpt files BZ(1583144)- Update init_named_socket_activation() interface to also allow systemd create objects in /var/run with proper label during socket activation- Allow systemd-networkd and systemd-resolved services read system-dbusd socket BZ(1579075)- Fix typo in authlogin SELinux security module- Allod nsswitch_domain attribute to be system dbusd client BZ(1584632)- Allow audisp_t domain to mmap audisp_exec_t binary- Update ssh_domtrans_keygen interface to allow mmap ssh_keygen_exec_t binary file- Label tcp/udp ports 2612 as qpasa_agetn_port_t * Sat May 26 2018 Lukas Vrabec - 3.14.1-27- Add dac_override to exim policy BZ(1574303)- Fix typo in conntrackd.fc file- Allow sssd_t to kill sssd_selinux_manager_t- Allow httpd_sys_script_t to connect to mongodb_port_t if boolean httpd_can_network_connect_db is turned on- Allow chronyc_t to redirect ourput to /var/lib /var/log and /tmp- Allow policykit_auth_t to read udev db files BZ(1574419)- Allow varnishd_t do be dbus client BZ(1582251)- Allow cyrus_t domain to mmap own pid files BZ(1582183)- Allow user_mail_t domain to mmap etc_aliases_t files- Allow gkeyringd domains to run ssh agents- Allow gpg_pinentry_t domain read ssh state- Allow gpg_agent_t to send msgs to syslog/journal- Add dac_override capability to dovecot_t domain- Allow nscd_t domain to mmap system_db_t files- Allow tangd_t domain to create tcp sockets and add new interface tangd_read_db_files- Allow mailman_mail_t domain to search for apache configs- Allow mailman_cgi_t domain to ioctl an httpd with a unix domain stream sockets.- Improve procmail_domtrans() to allow mmaping procmail_exec_t- Allow ptrace arbitrary processes- Allow jabberd_router_t domain read kerberos keytabs BZ(1573945)- Allow certmonger to geattr of filesystems BZ(1578755)- Allow hypervvssd_t domain to read fixed disk devices- Allow several domains to manage ecryptfs_t filesystem- Allow userdom_use_user_ttys for loadkeys_t domain- Add dac_override capability to cachefiles_kernel_t domain- Allow blueman to execute ldconfig BZ(1577581)- Allow gpg_pinentry_t domain to read state of gpg_t processes- Add dac_override capability to cgconfig_t domain BZ(1574649)- Add dac_override to glusterd_t domain BZ(1578501)- Allow fsdaemon_t to create own fsdaemon_var_lib_t dirs BZ(1569724)- Allow plymouth_t domain to read/write systemd sockets BZ(1578882)- Allow use of U2F Yubikey as authentication for a sudo command BZ(1578915)- Append map permission to apache_read_modules() interface- Allow certwatch_t domain to getattr of extended attributes fs_t filesystem- Add new interface: dirsrv_noatsecure()- Add dac_override capability to remote_login_t domain- Allow chrome_sandbox_t to mmap tmp files- Update ulogd SELinux security policy- Allow sysadm_u use xdm- Allow xdm_t domain to listen ofor unix dgram sockets BZ(1581495)- Add interface ssh_read_state()- Fix typo in sysnetwork.if file- Update dev_map_xserver_misc interface to allo mmaping char devices instead of files- Allow noatsecure permission for all domain transitions from systemd.- Allow systemd to read tangd db files- Fix typo in ssh.if file- Allow xdm_t domain to mmap xserver_misc_device_t files- Allow xdm_t domain to execute systemd-coredump binary- Add bridge_socket, dccp_socket, ib_socket and mpls_socket to socket_class_set- Improve modutils_domtrans_insmod() interface to mmap insmod_exec_t binaries- Improve iptables_domtrans() interface to allow mmaping iptables_exec_t binary- Improve auth_domtrans_login_programinterface to allow also mmap login_exec_t binaries- Improve auth_domtrans_chk_passwd() interface to allow also mmaping chkpwd_exec_t binaries.- Allow mmap dhcpc_exec_t binaries in sysnet_domtrans_dhcpc interface- Improve running xorg with proper SELinux domain even if systemd security feature NoNewPrivileges is used- Associate sysctl_vm_overcommit_t with fs_t- Allow systemd creating bluetooth sockets- Allow ssh client to read network sysctl BZ(1574170)- Allow systemd_resolved_t and systemd_networkd_t to read dbus pid files- Allow sysadm user to sys_ptrace cap_userns- Allow udev execute /usr/libexec/gdm-disable-wayland in xdm_t domain which allows create /run/gdm/custom.conf with proper xdm_var_run_t label.- Allow ssh client to read network state BZ(1574174)- Allow ssh basic client to read/write to tun tap devices BZ(1574184)- Allow ssh basic client to create tun sockets BZ(1574186)- Disable secure mode environment cleansing for dirsrv_t * Mon May 21 2018 Lukas Vrabec - 3.14.1-26- Disable secure mode environment cleansing for dirsrv_t- - Allow udev execute /usr/libexec/gdm-disable-wayland in xdm_t domain which allows create /run/gdm/custom.conf with proper xdm_var_run_t label. * Mon May 21 2018 Lukas Vrabec - 3.14.1-25- Add dac_override capability to remote_login_t domain- Allow chrome_sandbox_t to mmap tmp files- Update ulogd SELinux security policy- Allow rhsmcertd_t domain send signull to apache processes- Allow systemd socket activation for modemmanager- Allow geoclue to dbus chat with systemd- Fix file contexts on conntrackd policy- Temporary fix for varnish and apache adding capability for DAC_OVERRIDE- Allow lsmd_plugin_t domain to getattr lsm_t unix stream sockets- Add label for /usr/sbin/pacemaker-remoted to have cluster_exec_t- Allow nscd_t domain to be system dbusd client- Allow abrt_t domain to read sysctl- Add dac_read_search capability for tangd- Allow systemd socket activation for rshd domain- Add label for /usr/libexec/cyrus-imapd/master as cyrus_exec_t to have proper SELinux domain transition from init_t to cyrus_t- Allow kdump_t domain to map /boot files- Allow conntrackd_t domain to send msgs to syslog- Label /usr/sbin/nhrpd and /usr/sbin/pimd binaries as zebra_exec_t- Allow swnserve_t domain to stream connect to sasl domain- Allow smbcontrol_t to create dirs with samba_var_t label- Remove execstack,execmem and execheap from domains setroubleshootd_t, locate_t and podsleuth_t to increase security. BZ(1579760)- Allow tangd to read public sssd files BZ(1509054)- Allow geoclue start with nnp systemd security feature with proper SELinux Domain transition BZ(1575212)- Allow ctdb_t domain modify ctdb_exec_t files- Allow firewalld_t domain to create netlink_netfilter sockets- Allow radiusd_t domain to read network sysctls- Allow pegasus_t domain to mount tracefs_t filesystem- Allow psad_t domain to read all domains state- Allow tomcat_t domain to connect to mongod_t tcp port- Allow dovecot and postfix to connect to systemd stream sockets- Make nmbd_t domain dbus system client BZ(1569856)- Merge pull request #55 from SISheogorath/fix/tlp-policy- Merge pull request #54 from tmzullinger/rawhide- Allow also listing system_dbusd_var_run_t dirs in dbusd_read_pid_files macro BZ(1566168)- Allow gssproxy_t domain to read gssd_t state BZ(1572945)- Allow create systemd to mount pid files- Add files_map_boot_files() interface- Remove execstack,execmem and execheap from domain fsadm_t to increase security. BZ(1579760)- Fix typo xserver SELinux module- Allow systemd to mmap files with var_log_t label- Allow x_userdomains read/write to xserver session- Allow users staff and sysadm to run wireshark on own domain- Fix typos s/xserver/xdm/ for allow creating xserver misc devices- Allow systemd-bootchart to create own tmpfs files- Merge pull request #213 from tmzullinger/rawhide- Allow xdm_t domain to install Nouveau drivers BZ(1570996) * Sat Apr 28 2018 Lukas Vrabec - 3.14.1-24- Allow unconfined_domain_type to create libs filetrans named content BZ(1513806) * Fri Apr 27 2018 Lukas Vrabec - 3.14.1-23- Allow dnssec_trigger_t domain to read system network state BZ(1570205)- Add dac_override capability to mailman_mail_t domain- Add dac_override capability to radvd_t domain- Update openvswitch policy- Add dac_override capability to oddjob_homedir_t domain- Allow slapd_t domain to mmap slapd_var_run_t files- Rename tang policy to tangd- Allow virtd_t domain to relabel virt_var_lib_t files- Allow logrotate_t domain to stop services via systemd- Add tang policy- Allow mozilla_plugin_t to create mozilla.pdf file in user homedir with label mozilla_home_t- Allow snapperd_t daemon to create unlabeled dirs.- Make httpd_var_run_t mountpoint- Allow hsqldb_t domain to mmap own temp files- We have inconsistency in cgi templates with upstream, we use _content_t, but refpolicy use httpd__content_t. Created aliasses to make it consistence- Allow Openvswitch adding netdev bridge ovs 2.7.2.10 FDP- Add new Boolean tomcat_use_execmem- Allow nfsd_t domain to read/write sysctl fs files- Allow conman to read system state- Allow brltty_t domain to be dbusd system client- Allow zebra_t domain to bind on babel udp port- Allow freeipmi domain to read sysfs_t files- Allow targetd_t domain mmap lvm config files- Allow abrt_t domain to manage kdump crash files- gnome_data_filetrans macro should be in optional block- Allow netutils_t domain to create bluetooth sockets- Allow traceroute to bind on generic sctp node- Allow traceroute to search network sysctls- Allow systemd to use virtio console- Label /dev/op_panel and /dev/opal-prd as opal_device_t- Label /run/ebtables.lock as iptables_var_run_t- Allow udev_t domain to manage udev_rules_t char files.- Assign babel_port_t label to udp port 6696- Add new interface lvm_map_config- Merge pull request #212 from stlaz/patch-1- Allow local_login_t reads of udev_var_run_t context * Wed Apr 18 2018 Lukas Vrabec - 3.14.1-22- Allow networkmanager domain to write to ecryptfs_t files BZ(1566706)- Allow l2tpd domain to stream connect to sssd BZ(1568160)- Dontaudit abrt_t to write to lib_t dirs BZ(1566784)- Allow NetworkManager_ssh_t domain transition to insmod_t BZ(1567630) * Mon Apr 16 2018 Lukas Vrabec - 3.14.1-21- Allow certwatch to manage cert files BZ(1561418)- Allow abrt_dump_oops_t domain to mmap all non security files BZ(1565748)- Allow gpg_t domain mmap cert_t files Allow gpg_t mmap gpg_agent_t files- Allow NetworkManager_ssh_t domain use generic ptys. BZ(1565851)- Allow pppd_t domain read/write l2tpd pppox sockets BZ(1566096)- Allow xguest user use bluetooth sockets if xguest_use_bluetooth boolean is turned on.- Allow pppd_t domain creating pppox sockets BZ(1566271)- Allow abrt to map var_lib_t files- Allow chronyc to read system state BZ(1565217)- Allow keepalived_t domain to chat with systemd via dbus- Allow git to mmap git_(sys|user)_content_t files BZ(1518027)- removed boinc dev_getattr_ *_dev- Allow iptables_t domain to create dirs in etc_t with system_conf_t labels- Allow x userdomain to mmap xserver_tmpfs_t files- Allow sysadm_t to mount tracefs_t- Allow unconfined user all perms under bpf class BZ(1565738)- Allow SELinux users (except guest and xguest) to using bluetooth sockets- Add new interface files_map_var_lib_files()- Allow user_t and staff_t domains create netlink tcpdiag sockets- Allow systemd-networkd to read sysctl_t files- Allow systemd_networkd_t to read/write tun tap devices- refpolicy: Update for kernel sctp support * Sat Apr 07 2018 Lukas Vrabec - 3.14.1-20- Add new boolean redis_enable_notify()- Label /var/log/shibboleth-www(/. *) as httpd_sys_rw_content_t- Add new label for vmtools scripts and label it as vmtools_unconfined_t stored in /etc/vmware-tools/- Allow svnserve_t domain to manage kerberos rcache and read krb5 keytab- Add dac_override and dac_read_search capability to hypervvssd_t domain- Label /usr/lib/systemd/systemd-fence_sanlockd as fenced_exec_t- Allow samba to create /tmp/host_0 as krb5_host_rcache_t- Add dac_override capability to fsdaemon_t BZ(1564143)- Allow abrt_t domain to map dos files BZ(1564193)- Add dac_override capability to automount_t domain- Allow keepalived_t domain to connect to system dbus bus- Allow nfsd_t to read nvme block devices BZ(1562554)- Allow lircd_t domain to execute bin_t files BZ(1562835)- Allow l2tpd_t domain to read sssd public files BZ(1563355)- Allow logrotate_t domain to do dac_override BZ(1539327)- Remove labeling for /etc/vmware-tools to bin_t it should be vmtools_unconfined_exec_t- Add capability sys_resource to systemd_sysctl_t domain- Label all /dev/rbd * devices as fixed_disk_device_t- Allow xdm_t domain to mmap xserver_log_t files BZ(1564469)- Allow local_login_t domain to rread udev db- Allow systemd_gpt_generator_t to read /dev/random device- add definition of bpf class and systemd perms * Thu Mar 29 2018 Lukas Vrabec - 3.14.1-19- Allow accountsd_t domain to dac override BZ(1561304)- Allow cockpit_ws_t domain to read system state BZ(1561053)- Allow postfix_map_t domain to use inherited user ptys BZ(1561295)- Allow abrt_dump_oops_t domain dac override BZ(1561467)- Allow l2tpd_t domain to run stream connect for sssd_t BZ(1561755)- Allow crontab domains to do dac override- Allow snapperd_t domain to unmount fs_t filesystems- Allow pcp processes to read fixed_disk devices BZ(1560816)- Allow unconfined and confined users to use dccp sockets- Allow systemd to manage bpf dirs/files- Allow traceroute_t to create dccp_sockets * Mon Mar 26 2018 Lukas Vrabec - 3.14.1-18Fedora Atomic host using for temp files /sysroot/tmp patch, we should label same as /tmp adding file context equivalence BZ(1559531) * Sun Mar 25 2018 Lukas Vrabec - 3.14.1-17- Allow smbcontrol_t to mmap samba_var_t files and allow winbind create sockets BZ(1559795)- Allow nagios to exec itself and mmap nagios spool files BZ(1559683)- Allow nagios to mmap nagios config files BZ(1559683)- Fixing Ganesha module- Fix typo in NetworkManager module- Fix bug in gssproxy SELinux module- Allow abrt_t domain to mmap container_file_t files BZ(1525573)- Allow networkmanager to be run ssh client BZ(1558441)- Allow pcp domains to do dc override BZ(1557913)- Dontaudit pcp_pmie_t to reaquest lost kernel module- Allow pcp_pmcd_t to manage unpriv userdomains semaphores BZ(1554955)- Allow httpd_t to read httpd_log_t dirs BZ(1554912)- Allow fail2ban_t to read system network state BZ(1557752)- Allow dac override capability to mandb_t domain BZ(1529399)- Allow collectd_t domain to mmap collectd_var_lib_t files BZ(1556681)- Dontaudit bug in kernel 4.16 when domains requesting loading kernel modules BZ(1555369)- Add Domain transition from gssproxy_t to httpd_t domains BZ(1548439)- Allow httpd_t to mmap user_home_type files if boolean httpd_read_user_content is enabled BZ(1555359)- Allow snapperd to relabel snapperd_data_t- Improve bluetooth_stream_socket interface to allow caller domain also send bluetooth sockets- Allow tcpd_t bind on sshd_port_t if ssh_use_tcpd() is enabled- Allow insmod_t to load modules BZ(1544189)- Allow systemd_rfkill_t domain sys_admin capability BZ(1557595)- Allow systemd_networkd_t to read/write tun tap devices- Add shell_exec_t file as domain entry for init_t- Label also /run/systemd/resolved/ as systemd_resolved_var_run_t BZ(1556862)- Dontaudit kernel 4.16 bug when lot of domains requesting load kernel module BZ(1557347)- Improve userdom_mmap_user_home_content_files- Allow systemd_logind_t domain to setattributes on fixed disk devices BZ(1555414)- Dontaudit kernel 4.16 bug when lot of domains requesting load kernel module- Allow semanage_t domain mmap usr_t files- Add new boolean: ssh_use_tcpd() * Wed Mar 21 2018 Lukas Vrabec - 3.14.1-16- Improve bluetooth_stream_socket interface to allow caller domain also send bluetooth sockets- Allow tcpd_t bind on sshd_port_t if ssh_use_tcpd() is enabled- Allow semanage_t domain mmap usr_t files- Add new boolean: ssh_use_tcpd() * Tue Mar 20 2018 Lukas Vrabec - 3.14.1-15- Update screen_role_template() to allow also creating sockets in HOMEDIR/screen/- Allow newrole_t dacoverride capability- Allow traceroute_t domain to mmap packet sockets- Allow netutils_t domain to mmap usmmon device- Allow netutils_t domain to use mmap on packet_sockets- Allow traceroute to create icmp packets- Allos sysadm_t domain to create tipc sockets- Allow confined users to use new socket classes for bluetooth, alg and tcpdiag sockets * Thu Mar 15 2018 Lukas Vrabec - 3.14.1-14- Allow rpcd_t domain dac override- Allow rpm domain to mmap rpm_var_lib_t files- Allow arpwatch domain to create bluetooth sockets- Allow secadm_t domain to mmap audit config and log files- Update init_abstract_socket_activation() to allow also creating tcp sockets- getty_t should be ranged in MLS. Then also local_login_t runs as ranged domain.- Add SELinux support for systemd-importd- Create new type bpf_t and label /sys/fs/bpf with this type * Mon Mar 12 2018 Lukas Vrabec - 3.14.1-13- allow bluetooth_t domain to create alg_socket bz(1554410)- allow tor_t domain to execute bin_t files bz(1496274)- allow iscsid_t domain to mmap kernel modules bz(1553759)- update minidlna selinux policy bz(1554087)- allow motion_t domain to read sysfs_t files bz(1554142)- allow snapperd_t domain to getattr on all files,dirs,sockets,pipes bz(1551738)- allow l2tp_t domain to read ipsec config files bz(1545348)- allow colord_t to mmap home user files bz(1551033)- dontaudit httpd_t creating kobject uevent sockets bz(1552536)- allow ipmievd_t to mmap kernel modules bz(1552535)- allow boinc_t domain to read cgroup files bz(1468381)- backport allow rules from refpolicy upstream repo- allow gpg_t domain to bind on all unereserved udp ports- allow systemd to create systemd_rfkill_var_lib_t dirs bz(1502164)- allow netlabel_mgmt_t domain to read sssd public files, stream connect to sssd_t bz(1483655)- allow xdm_t domain to sys_ptrace bz(1554150)- allow application_domain_type also mmap inherited user temp files bz(1552765)- update ipsec_read_config() interface- fix broken sysadm selinux module- allow ipsec_t to search for bind cache bz(1542746)- allow staff_t to send sigkill to mount_t domain bz(1544272)- label /run/systemd/resolve/stub-resolv.conf as net_conf_t bz(1471545)- label ip6tables.init as iptables_exec_t bz(1551463)- allow hostname_t to use usb ttys bz(1542903)- add fsetid capability to updpwd_t domain bz(1543375)- allow systemd machined send signal to all domains bz(1372644)- dontaudit create netlink selinux sockets for unpriv selinux users bz(1547876)- allow sysadm_t to create netlink generic sockets bz(1547874)- allow passwd_t domain chroot- dontaudit confined unpriviliged users setuid capability * Tue Mar 06 2018 Lukas Vrabec - 3.14.1-12- Allow l2tpd_t domain to create pppox sockets- Update dbus_system_bus_client() so calling domain could read also system_dbusd_var_lib_t link files BZ(1544251)- Add interface abrt_map_cache()- Update gnome_manage_home_config() to allow also map permission BZ(1544270)- Allow oddjob_mkhomedir_t domain to be dbus system client BZ(1551770)- Dontaudit kernel bug when several services requesting load kernel module- Allow traceroute and unconfined domains creating sctp sockets- Add interface corenet_sctp_bind_generic_node()- Allow ping_t domain to create icmp sockets- Allow staff_t to mmap abrt_var_cache_t BZ(1544273)- Fix typo bug in dev_map_framebuffer() interface BZ(1551842)- Dontaudit kernel bug when several services requesting load kernel module * Mon Mar 05 2018 Lukas Vrabec - 3.14.1-11- Allow vdagent_t domain search cgroup dirs BZ(1541564)- Allow bluetooth_t domain listen on bluetooth sockets BZ(1549247)- Allow bluetooth domain creating bluetooth sockets BZ(1551577)- pki_log_t should be log_file- Allow gpgdomain to unix_stream socket connectto- Make working gpg agent in gpg_agent_t domain- Dontaudit thumb_t to rw lvm pipes BZ(154997)- Allow start cups_lpd via systemd socket activation BZ(1532015)- Improve screen_role_template Resolves: rhbz#1534111- Dontaudit modemmanager to setpgid. BZ(1520482)- Dontaudit kernel bug when systemd requesting load kernel module BZ(1547227)- Allow systemd-networkd to create netlink generic sockets BZ(1551578)- refpolicy: Define getrlimit permission for class process- refpolicy: Define smc_socket security class- Allow transition from sysadm role into mdadm_t domain.- ssh_t trying to communicate with gpg agent not sshd_t- Allow sshd_t communicate with gpg_agent_t- Allow initrc domains to mmap binaries with direct_init_entry attribute BZ(1545643)- Revert \"Allow systemd_rfkill_t domain to reguest kernel load module BZ(1543650)\"- Revert \"Allow systemd to request load kernel module BZ(1547227)\"- Allow systemd to write to all pidfile socketes because of SocketActivation unit option ListenStream= BZ(1543576)- Add interface lvm_dontaudit_rw_pipes() BZ(154997)- Add interfaces for systemd socket activation- Allow systemd-resolved to create stub-resolv.conf with right label net_conf_t BZ(1547098) * Thu Feb 22 2018 Lukas Vrabec - 3.14.1-10- refpolicy: Define extended_socket_class policy capability and socket classes- Make bluetooth_var_lib_t as mountpoint BZ(1547416)- Allow systemd to request load kernel module BZ(1547227)- Allow ipsec_t domain to read l2tpd pid files- Allow sysadm to read/write trace filesystem BZ(1547875)- Allow syslogd_t to mmap systemd coredump tmpfs files BZ(1547761) * Tue Feb 20 2018 Lukas Vrabec - 3.14.1-9- Fix broken cups Security Module- Allow dnsmasq_t domain dbus chat with unconfined users. BZ(1532079)- Allow geoclue to connect to tcp nmea port BZ(1362118)- Allow pcp_pmcd_t to read mock lib files BZ(1536152)- Allow abrt_t domain to mmap passwd file BZ(1540666)- Allow gpsd_t domain to get session id of another process BZ(1540584)- Allow httpd_t domain to mmap httpd_tmpfs_t files BZ(1540405)- Allow cluster_t dbus chat with systemd BZ(1540163)- Add interface raid_stream_connect()- Allow nscd_t to mmap nscd_var_run_t files BZ(1536689)- Allow dovecot_delivery_t to mmap mail_home_rw_t files BZ(1531911)- Make cups_pdf_t domain system dbusd client BZ(1532043)- Allow logrotate to read auditd_log_t files BZ(1525017)- Improve snapperd SELinux policy BZ(1514272)- Allow virt_domain to read virt_image_t files BZ(1312572)- Allow openvswitch_t stream connect svirt_t- Update dbus_dontaudit_stream_connect_system_dbusd() interface- Allow openvswitch domain to manage svirt_tmp_t sock files- Allow named_filetrans_domain domains to create .heim_org.h5l.kcm-socket sock_file with label sssd_var_run_t BZ(1538210)- Merge pull request #50 from dodys/pkcs- Label tcp and udp ports 10110 as nmea_port_t BZ(1362118)- Allow systemd to access rfkill lib dirs BZ(1539733)- Allow systemd to mamange raid var_run_t sockfiles and files BZ(1379044)- Allow vxfs filesystem to use SELinux labels- Allow systemd to setattr on systemd_rfkill_var_lib_t dirs BZ(1512231)- Allow few services to dbus chat with snapperd BZ(1514272)- Allow systemd to relabel system unit symlink to systemd_unit_file_t. BZ(1535180)- Fix logging as staff_u into Fedora 27- Fix broken systemd_tmpfiles_run() interface * Fri Feb 09 2018 Igor Gnatenko - 3.14.1-8- Escape macros in %changelog * Thu Feb 08 2018 Lukas Vrabec - 3.14.1-7- Label /usr/sbin/ldap-agent as dirsrv_snmp_exec_t- Allow certmonger_t domain to access /etc/pki/pki-tomcat BZ(1542600)- Allow keepalived_t domain getattr proc filesystem- Allow init_t to create UNIX sockets for unconfined services (BZ1543049)- Allow ipsec_mgmt_t execute ifconfig_exec_t binaries Allow ipsec_mgmt_t nnp domain transition to ifconfig_t- Allow ipsec_t nnp transistions to domains ipsec_mgmt_t and ifconfig_t * Tue Feb 06 2018 Lukas Vrabec - 3.14.1-6- Allow openvswitch_t domain to read cpuid, write to sysfs files and creating openvswitch_tmp_t sockets- Add new interface ppp_filetrans_named_content()- Allow keepalived_t read sysctl_net_t files- Allow puppetmaster_t domtran to puppetagent_t- Allow kdump_t domain to read kernel ring buffer- Allow boinc_t to mmap boinc tmpfs files BZ(1540816)- Merge pull request #47 from masatake/keepalived-signal- Allow keepalived_t create and write a file under /tmp- Allow ipsec_t domain to exec ifconfig_exec_t binaries.- Allow unconfined_domain_typ to create pppd_lock_t directory in /var/lock- Allow updpwd_t domain to create files in /etc with shadow_t label * Tue Jan 30 2018 Lukas Vrabec - 3.14.1-5- Allow opendnssec daemon to execute ods-signer BZ(1537971) * Tue Jan 30 2018 Lukas Vrabec - 3.14.1-4- rpm: Label /usr/share/rpm usr_t (ostree/Atomic systems)- Update dbus_role_template() BZ(1536218)- Allow lldpad_t domain to mmap own tmpfs files BZ(1534119)- Allow blueman_t dbus chat with policykit_t BZ(1470501)- Expand virt_read_lib_files() interface to allow list dirs with label virt_var_lib_t BZ(1507110)- Allow postfix_master_t and postfix_local_t to connect to system dbus. BZ(1530275)- Allow system_munin_plugin_t domain to read sssd public files and allow stream connect to ssd daemon BZ(1528471)- Allow rkt_t domain to bind on rkt_port_t tcp BZ(1534636)- Allow jetty_t domain to mmap own temp files BZ(1534628)- Allow sslh_t domain to read sssd public files and stream connect to sssd. BZ(1534624)- Consistently label usr_t for kernel/initrd in /usr- kernel/files.fc: Label /usr/lib/sysimage as usr_t- Allow iptables sysctl load list support with SELinux enforced- Label HOME_DIR/.config/systemd/user/ * user unit files as systemd_unit_file_t BZ(1531864) * Fri Jan 19 2018 Lukas Vrabec - 3.14.1-3- Merge pull request #45 from jlebon/pr/rot-sd-dbus-rawhide- Allow virt_domains to acces infiniband pkeys.- Allow systemd to relabelfrom tmpfs_t link files in /var/run/systemd/units/ BZ(1535180)- Label /usr/libexec/ipsec/addconn as ipsec_exec_t to run this script as ipsec_t instead of init_t- Allow audisp_remote_t domain write to files on all levels * Mon Jan 15 2018 Lukas Vrabec - 3.14.1-2- Allow aide to mmap usr_t files BZ(1534182)- Allow ypserv_t domain to connect to tcp ports BZ(1534245)- Allow vmtools_t domain creating vmware_log_t files- Allow openvswitch_t domain to acces infiniband devices- Allow dirsrv_t domain to create tmp link files- Allow pcp_pmie_t domain to exec itself. BZ(153326)- Update openvswitch SELinux module- Allow virtd_t to create also sock_files with label virt_var_run_t- Allow chronyc_t domain to manage chronyd_keys_t files.- Allow logwatch to exec journal binaries BZ(1403463)- Allow sysadm_t and staff_t roles to manage user systemd services BZ(1531864)- Update logging_read_all_logs to allow mmap all logfiles BZ(1403463)- Add Label systemd_unit_file_t for /var/run/systemd/units/ * Mon Jan 08 2018 Lukas Vrabec - 3.14.1-1- Removed big SELinux policy patches against tresys refpolicy and use tarballs from fedora-selinux github organisation * Mon Jan 08 2018 Lukas Vrabec - 3.13.1-310- Use python3 package in BuildRequires to ensure python version 3 will be used for compiling SELinux policy * Fri Jan 05 2018 Lukas Vrabec - 3.13.1-309- auth_use_nsswitch() interface cannot be used for attributes fixing munin policy- Allow git_script_t to mmap git_user_content_t files BZ(1530937)- Allow certmonger domain to create temp files BZ(1530795)- Improve interface mock_read_lib_files() to include also symlinks. BZ(1530563)- Allow fsdaemon_t to read nvme devices BZ(1530018)- Dontaudit fsdaemon_t to write to admin homedir. BZ(153030)- Update munin plugin policy BZ(1528471)- Allow sendmail_t domain to be system dbusd client BZ(1478735)- Allow amanda_t domain to getattr on tmpfs filesystem BZ(1527645)- Allow named file transition to create rpmrebuilddb dir with proper SELinux context BZ(1461313)- Dontaudit httpd_passwd_t domain to read state of systemd BZ(1522672)- Allow thumb_t to mmap non security files BZ(1517393)- Allow smbd_t to mmap files with label samba_share_t BZ(1530453)- Fix broken sysnet_filetrans_named_content() interface- Allow init_t to create tcp sockets for unconfined services BZ(1366968)- Allow xdm_t to getattr on xserver_t process files BZ(1506116)- Allow domains which can create resolv.conf file also create it in systemd_resolved_var_run_t dir BZ(1530297)- Allow X userdomains to send dgram msgs to xserver_t BZ(1515967)- Add interface files_map_non_security_files() * Thu Jan 04 2018 Lukas Vrabec - 3.13.1-308- Make working SELinux sandbox with Wayland. BZ(1474082)- Allow postgrey_t domain to mmap postgrey_spool_t files BZ(1529169)- Allow dspam_t to mmap dspam_rw_content_t files BZ(1528723)- Allow collectd to connect to lmtp_port_t BZ(1304029)- Allow httpd_t to mmap httpd_squirrelmail_t files BZ(1528776)- Allow thumb_t to mmap removable_t files. BZ(1522724)- Allow sssd_t and login_pgm attribute to mmap auth_cache_t files BZ(1530118)- Add interface fs_mmap_removable_files() * Tue Dec 19 2017 Lukas Vrabec - 3.13.1-307- Allow crond_t to read pcp lib files BZ(1525420)- Allow mozilla plugin domain to mmap user_home_t files BZ(1452783)- Allow certwatch_t to mmap generic certs. BZ(1527173)- Allow dspam_t to manage dspam_rw_conent_t objects. BZ(1290876)- Add interface userdom_map_user_home_files()- Sytemd introduced new feature when journald(syslogd_t) is trying to read symlinks to unit files in /run/systemd/units. This commit label /run/systemd/units/ * as systemd_unit_file_t and allow syslogd_t to read this content. BZ(1527202)- Allow xdm_t dbus chat with modemmanager_t BZ(1526722)- All domains accessing home_cert_t objects should also mmap it. BZ(1519810) * Wed Dec 13 2017 Lukas Vrabec - 3.13.1-306- Allow thumb_t domain to dosfs_t BZ(1517720)- Allow gssd_t to read realmd_var_lib_t files BZ(1521125)- Allow domain transition from logrotate_t to chronyc_t BZ(1436013)- Allow git_script_t to mmap git_sys_content_t BZ(1517541)- Label /usr/bin/mysqld_safe_helper as mysqld_exec_t instead of bin_t BZ(1464803)- Label /run/openvpn-server/ as openvpn_var_run_t BZ(1478642)- Allow colord_t to mmap xdm pid files BZ(1518382)- Allow arpwatch to mmap usbmon device BZ(152456)- Allow mandb_t to read public sssd files BZ(1514093)- Allow ypbind_t stream connect to rpcbind_t domain BZ(1508659)- Allow qpid to map files.- Allow plymouthd_t to mmap firamebuf device BZ(1517405)- Dontaudit pcp_pmlogger_t to sys_ptrace capability BZ(1416611)- Update mta_manage_spool() interface to allow caller domain also mmap mta_spool_t files BZ(1517449)- Allow antivirus_t domain to mmap antivirus_db_t files BZ(1516816)- Allow cups_pdf_t domain to read cupd_etc_t dirs BZ(1516282)- Allow openvpn_t domain to relabel networkmanager tun device BZ(1436048)- Allow mysqld_t to mmap mysqld_tmp_t files BZ(1516899)- Update samba_manage_var_files() interface by adding map permission. BZ(1517125)- Allow pcp_pmlogger_t domain to execute itself. BZ(1517395)- Dontaudit sys_ptrace capability for mdadm_t BZ(1515849)- Allow pulseaudio_t domain to mmap pulseaudio_home_t files BZ(1515956)- Allow bugzilla_script_t domain to create netlink route sockets and udp sockets BZ(1427019)- Add interface fs_map_dos_files()- Update interface userdom_manage_user_home_content_files() to allow caller domain to mmap user_home_t files. BZ(1519729)- Add interface xserver_map_xdm_pid() BZ(1518382)- Add new interface dev_map_usbmon_dev() BZ(1524256)- Update miscfiles_read_fonts() interface to allow also mmap fonts_cache_t for caller domains BZ(1521137)- Allow ipsec_t to mmap cert_t and home_cert_t files BZ(1519810)- Fix typo in filesystem.if- Add interface dev_map_framebuffer()- Allow chkpwd command to mmap /etc/shadow BZ(1513704)- Fix systemd-resolved to run properly with SELinux in enforcing state BZ(1517529)- Allow thumb_t domain to mmap fusefs_t files BZ(1517517)- Allow userdom_home_reader_type attribute to mmap cifs_t files BZ(1517125)- Add interface fs_map_cifs_files()- Merge pull request #207 from rhatdan/labels- Merge pull request #208 from rhatdan/logdir- Allow domains that manage logfiles to man logdirs * Fri Nov 24 2017 Lukas Vrabec - 3.13.1-305- Make ganesha nfs server * Tue Nov 21 2017 Lukas Vrabec - 3.13.1-304- Add interface raid_relabel_mdadm_var_run_content()- Fix iscsi SELinux module- Allow spamc_t domain to read home mail content BZ(1414366)- Allow sendmail_t to list postfix config dirs BZ(1514868)- Allow dovecot_t domain to mmap mail content in homedirs BZ(1513153)- Allow iscsid_t domain to requesting loading kernel modules BZ(1448877)- Allow svirt_t domain to mmap svirt_tmpfs_t files BZ(1515304)- Allow cupsd_t domain to localization BZ(1514350)- Allow antivirus_t nnp domain transition because of systemd security features. BZ(1514451)- Allow tlp_t domain transition to systemd_rfkill_t domain BZ(1416301)- Allow abrt_t domain to mmap fusefs_t files BZ(1515169)- Allow memcached_t domain nnp_transition becuase of systemd security features BZ(1514867)- Allow httpd_t domain to mmap all httpd content type BZ(1514866)- Allow mandb_t to read /etc/passwd BZ(1514903)- Allow mandb_t domain to mmap files with label mandb_cache_t BZ(1514093)- Allow abrt_t domain to mmap files with label syslogd_var_run_t BZ(1514975)- Allow nnp transition for systemd-networkd daemon to run in proper SELinux domain BZ(1507263)- Allow systemd to read/write to mount_var_run_t files BZ(1515373)- Allow systemd to relabel mdadm_var_run_t sock files BZ(1515373)- Allow home managers to mmap nfs_t files BZ(1514372)- Add interface fs_mmap_nfs_files()- Allow systemd-mount to create new directory for mountpoint BZ(1514880)- Allow getty to use usbttys- Add interface systemd_rfkill_domtrans()- Allow syslogd_t to mmap files with label syslogd_var_lib_t BZ(1513403)- Add interface fs_mmap_fusefs_files()- Allow ipsec_t domain to mmap files with label ipsec_key_file_t BZ(1514251) * Thu Nov 16 2017 Lukas Vrabec - 3.13.1-303- Allow pcp_pmlogger to send logs to journal BZ(1512367)- Merge pull request #40 from lslebodn/kcm_kerberos- Allow services to use kerberos KCM BZ(1512128)- Allow system_mail_t domain to be system_dbus_client BZ(1512476)- Allow aide domain to stream connect to sssd_t BZ(1512500)- Allow squid_t domain to mmap files with label squid_tmpfs_t BZ(1498809)- Allow nsd_t domain to mmap files with labels nsd_tmp_t and nsd_zone_t BZ(1511269)- Include cupsd_config_t domain into cups_execmem boolean. BZ(1417584)- Allow samba_net_t domain to mmap samba_var_t files BZ(1512227)- Allow lircd_t domain to execute shell BZ(1512787)- Allow thumb_t domain to setattr on cache_home_t dirs BZ(1487814)- Allow redis to creating tmp files with own label BZ(1513518)- Create new interface thumb_nnp_domtrans allowing domaintransition with NoNewPrivs. This interface added to thumb_run() BZ(1509502)- Allow httpd_t to mmap httpd_tmp_t files BZ(1502303)- Add map permission to samba_rw_var_files interface. BZ(1513908)- Allow cluster_t domain creating bundles directory with label var_log_t instead of cluster_var_log_t- Add dac_read_search and dac_override capabilities to ganesha- Allow ldap_t domain to manage also slapd_tmp_t lnk files- Allow snapperd_t domain to relabeling from snapperd_data_t BZ(1510584)- Add dac_override capability to dhcpd_t doamin BZ(1510030)- Allow snapperd_t to remove old snaps BZ(1510862)- Allow chkpwd_t domain to mmap system_db_t files and be dbus system client BZ(1513704)- Allow xdm_t send signull to all xserver unconfined types BZ(1499390)- Allow fs associate for sysctl_vm_t BZ(1447301)- Label /etc/init.d/vboxdrv as bin_t to run virtualbox as unconfined_service_t BZ(1451479)- Allow xdm_t domain to read usermodehelper_t state BZ(1412609)- Allow dhcpc_t domain to stream connect to userdomain domains BZ(1511948)- Allow systemd to mmap kernel modules BZ(1513399)- Allow userdomains to mmap fifo_files BZ(1512242)- Merge pull request #205 from rhatdan/labels- Add map permission to init_domtrans() interface BZ(1513832)- Allow xdm_t domain to mmap and execute files in xdm_var_run_t BZ(1513883)- Unconfined domains, need to create content with the correct labels- Container runtimes are running iptables within a different user namespace- Add interface files_rmdir_all_dirs() * Mon Nov 06 2017 Lukas Vrabec - 3.13.1-302- Allow jabber domains to connect to postgresql ports- Dontaudit slapd_t to block suspend system- Allow spamc_t to stream connect to cyrys.- Allow passenger to connect to mysqld_port_t- Allow ipmievd to use nsswitch- Allow chronyc_t domain to use user_ptys- Label all files /var/log/opensm. * as opensm_log_t because opensm creating new log files with name opensm-subnet.lst- Fix typo bug in tlp module- Allow userdomain gkeyringd domain to create stream socket with userdomain * Fri Nov 03 2017 Lukas Vrabec - 3.13.1-301- Merge pull request #37 from milosmalik/rawhide- Allow mozilla_plugin_t domain to dbus chat with devicekit- Dontaudit leaked logwatch pipes- Label /usr/bin/VGAuthService as vmtools_exec_t to confine this daemon.- Allow httpd_t domain to execute hugetlbfs_t files BZ(1444546)- Allow chronyd daemon to execute chronyc. BZ(1507478)- Allow pdns to read network system state BZ(1507244)- Allow gssproxy to read network system state Resolves: rhbz#1507191- Allow nfsd_t domain to read configfs_t files/dirs- Allow tgtd_t domain to read generic certs- Allow ptp4l to send msgs via dgram socket to unprivileged user domains- Allow dirsrv_snmp_t to use inherited user ptys and read system state- Allow glusterd_t domain to create own tmpfs dirs/files- Allow keepalived stream connect to snmp * Thu Oct 26 2017 Lukas Vrabec - 3.13.1-300- Allow zabbix_t domain to change its resource limits- Add new boolean nagios_use_nfs- Allow system_mail_t to search network sysctls- Hide all allow rules with ptrace inside deny_ptrace boolean- Allow nagios_script_t to read nagios_spool_t files- Allow sbd_t to create own sbd_tmpfs_t dirs/files- Allow firewalld and networkmanager to chat with hypervkvp via dbus- Allow dmidecode to read rhsmcert_log_t files- Allow mail system to connect mariadb sockets.- Allow nmbd_t domain to mmap files labeled as samba_var_t. BZ(1505877)- Make user account setup in gnome-initial-setup working in Workstation Live system. BZ(1499170)- Allow iptables_t to run setfiles to restore context on system- Updatre unconfined_dontaudit_read_state() interface to dontaudit also acess to files. BZ(1503466) * Tue Oct 24 2017 Lukas Vrabec - 3.13.1-299- Label /usr/libexec/bluetooth/obexd as bluetoothd_exec_t to run process as bluetooth_t- Allow chronyd_t do request kernel module and block_suspend capability- Allow system_cronjob_t to create /var/lib/letsencrypt dir with right label- Allow slapd_t domain to mmap files labeled as slpad_db_t BZ(1505414)- Allow dnssec_trigger_t domain to execute binaries with dnssec_trigeer_exec_t BZ(1487912)- Allow l2tpd_t domain to send SIGKILL to ipsec_mgmt_t domains BZ(1505220)- Allow thumb_t creating thumb_home_t files in user_home_dir_t direcotry BZ(1474110)- Allow httpd_t also read httpd_user_content_type dirs when httpd_enable_homedirs is enables- Allow svnserve to use kerberos- Allow conman to use ptmx. Add conman_use_nfs boolean- Allow nnp transition for amavis and tmpreaper SELinux domains- Allow chronyd_t to mmap chronyc_exec_t binary files- Add dac_read_search capability to openvswitch_t domain- Allow svnserve to manage own svnserve_log_t files/dirs- Allow keepalived_t to search network sysctls- Allow puppetagent_t domain dbus chat with rhsmcertd_t domain- Add kill capability to openvswitch_t domain- Label also compressed logs in /var/log for different services- Allow inetd_child_t and system_cronjob_t to run chronyc.- Allow chrony to create netlink route sockets- Add SELinux support for chronyc- Add support for running certbot(letsencrypt) in crontab- Allow nnp trasintion for unconfined_service_t- Allow unpriv user domains and unconfined_service_t to use chronyc * Sun Oct 22 2017 Lukas Vrabec - 3.13.1-298- Drop *.lst files from file list- Ship file_contexts.homedirs in store- Allow proper transition when systems starting pdns to pdns_t domain. BZ(1305522)- Allow haproxy daemon to reexec itself. BZ(1447800)- Allow conmand to use usb ttys.- Allow systemd_machined to read mock lib files. BZ(1504493)- Allow systemd_resolved_t to dbusd chat with NetworkManager_t BZ(1505081) * Fri Oct 20 2017 Lukas Vrabec - 3.13.1-297- Fix typo in virt file contexts file- allow ipa_dnskey_t to read /proc/net/unix file- Allow openvswitch to run setfiles in setfiles_t domain.- Allow openvswitch_t domain to read process data of neutron_t domains- Fix typo in ipa_cert_filetrans_named_content() interface- Fix typo bug in summary of xguest SELinux module- Allow virtual machine with svirt_t label to stream connect to openvswitch.- Label qemu-pr-helper script as virt_exec_t so this script won\'t run as unconfined_service_t * Tue Oct 17 2017 Lukas Vrabec - 3.13.1-296- Merge pull request #19 from RodrigoQuesadaDev/snapper-fix-1- Allow httpd_t domain to mmap httpd_user_content_t files. BZ(1494852)- Add nnp transition rule for services using NoNewPrivileges systemd feature- Add map permission into dev_rw_infiniband_dev() interface to allow caller domain mmap infiniband chr device BZ(1500923)- Add init_nnp_daemon_domain interface- Allow nnp transition capability- Merge pull request #204 from konradwilk/rhbz1484908- Label postgresql-check-db-dir as postgresql_exec_t * Tue Oct 10 2017 Lukas Vrabec - 3.13.1-295- Allow boinc_t to mmap files with label boinc_project_var_lib_t BZ(1500088)- Allow fail2ban_t domain to mmap journals. BZ(1500089)- Add dac_override to abrt_t domain BZ(1499860)- Allow pppd domain to mmap own pid files BZ(1498587)- Allow webserver services to mmap files with label httpd_sys_content_t BZ(1498451)- Allow tlp domain to read sssd public files Allow tlp domain to mmap kernel modules- Allow systemd to read sysfs sym links. BZ(1499327)- Allow systemd to mmap systemd_networkd_exec_t files BZ(1499863)- Make systemd_networkd_var_run as mountpoint BZ(1499862)- Allow noatsecure for java-based unconfined services. BZ(1358476)- Allow systemd_modules_load_t domain to mmap kernel modules. BZ(1490015) * Mon Oct 09 2017 Lukas Vrabec - 3.13.1-294- Allow cloud-init to create content in /var/run/cloud-init- Dontaudit VM to read gnome-boxes process data BZ(1415975)- Allow winbind_t domain mmap samba_var_t files- Allow cupsd_t to execute ld_so_cache_t BZ(1478602)- Update dev_rw_xserver_misc() interface to allo source domains to mmap xserver devices BZ(1334035)- Add dac_override capability to groupadd_t domain BZ(1497091)- Allow unconfined_service_t to start containers * Sun Oct 08 2017 Petr Lautrbach - 3.13.1-293- Drop policyhelp utility BZ(1498429) * Tue Oct 03 2017 Lukas Vrabec - 3.13.1-292- Allow cupsd_t to execute ld_so_cache_t BZ(1478602)- Allow firewalld_t domain to change object identity because of relabeling after using firewall-cmd BZ(1469806)- Allow postfix_cleanup_t domain to stream connect to all milter sockets BZ(1436026)- Allow nsswitch_domain to read virt_var_lib_t files, because of libvirt NSS plugin. BZ(1487531)- Add unix_stream_socket recvfrom perm for init_t domain BZ(1496318)- Allow systemd to maange sysfs BZ(1471361) * Tue Oct 03 2017 Lukas Vrabec - 3.13.1-291- Switch default value of SELinux boolean httpd_graceful_shutdown to off. * Fri Sep 29 2017 Lukas Vrabec - 3.13.1-290- Allow virtlogd_t domain to write inhibit systemd pipes.- Add dac_override capability to openvpn_t domain- Add dac_override capability to xdm_t domain- Allow dac_override to groupadd_t domain BZ(1497081)- Allow cloud-init to create /var/run/cloud-init dir with net_conf_t SELinux label.BZ(1489166) * Wed Sep 27 2017 Lukas Vrabec - 3.13.1-289- Allow tlp_t domain stream connect to sssd_t domain- Add missing dac_override capability- Add systemd_tmpfiles_t dac_override capability * Fri Sep 22 2017 Lukas Vrabec - 3.13.1-288- Remove all unnecessary dac_override capability in SELinux modules * Fri Sep 22 2017 Lukas Vrabec - 3.13.1-287- Allow init noatsecure httpd_t- Allow mysqld_t domain to mmap mysqld db files. BZ(1483331)- Allow unconfined_t domain to create new users with proper SELinux lables- Allow init noatsecure httpd_t- Label tcp port 3269 as ldap_port_t * Mon Sep 18 2017 Lukas Vrabec - 3.13.1-286- Add new boolean tomcat_read_rpm_db()- Allow tomcat to connect on mysqld tcp ports- Add new interface apache_delete_tmp()- Add interface fprintd_exec()- Add interface fprintd_mounton_var_lib()- Allow mozilla plugin to mmap video devices BZ(1492580)- Add ctdbd_t domain sys_source capability and allow setrlimit- Allow systemd-logind to use ypbind- Allow systemd to remove apache tmp files- Allow ldconfig domain to mmap ldconfig cache files- Allow systemd to exec fprintd BZ(1491808)- Allow systemd to mounton fprintd lib dir * Thu Sep 14 2017 Lukas Vrabec - 3.13.1-285- Allow svirt_t read userdomain state * Thu Sep 14 2017 Lukas Vrabec - 3.13.1-284- Allow mozilla_plugins_t domain mmap mozilla_plugin_tmpfs_t files- Allow automount domain to manage mount pid files- Allow stunnel_t domain setsched- Add keepalived domain setpgid capability- Merge pull request #24 from teg/rawhide- Merge pull request #28 from lslebodn/revert_1e8403055- Allow sysctl_irq_t assciate with proc_t- Enable cgourp sec labeling- Allow sshd_t domain to send signull to xdm_t processes * Tue Sep 12 2017 Lukas Vrabec - 3.13.1-283- Allow passwd_t domain mmap /etc/shadow and /etc/passwd- Allow pulseaudio_t domain to map user tmp files- Allow mozilla plugin to mmap mozilla tmpfs files * Mon Sep 11 2017 Lukas Vrabec - 3.13.1-282- Add new bunch of map rules- Merge pull request #25 from NetworkManager/nm-ovs- Make working webadm_t userdomain- Allow redis domain to execute shell scripts.- Allow system_cronjob_t to create redhat-access-insights.log with var_log_t- Add couple capabilities to keepalived domain and allow get attributes of all domains- Allow dmidecode read rhsmcertd lock files- Add new interface rhsmcertd_rw_lock_files()- Add new bunch of map rules- Merge pull request #199 from mscherer/add_conntrackd- Add support labeling for vmci and vsock device- Add userdom_dontaudit_manage_admin_files() interface * Mon Sep 11 2017 Lukas Vrabec - 3.13.1-281- Allow domains reading raw memory also use mmap. * Thu Sep 07 2017 Lukas Vrabec - 3.13.1-280- Add rules fixing installing ipa-server-install with SELinux in Enforcing. BZ(1488404)- Fix denials during ipa-server-install process on F27+- Allow httpd_t to mmap cert_t- Add few rules to make tlp_t domain working in enforcing mode- Allow cloud_init_t to dbus chat with systemd_timedated_t- Allow logrotate_t to write to kmsg- Add capability kill to rhsmcertd_t- Allow winbind to manage smbd_tmp_t files- Allow groupadd_t domain to dbus chat with systemd.BZ(1488404)- Add interface miscfiles_map_generic_certs() * Tue Sep 05 2017 Lukas Vrabec - 3.13.1-279- Allow abrt_dump_oops_t to read sssd_public_t files- Allow cockpit_ws_t to mmap usr_t files- Allow systemd to read/write dri devices. * Thu Aug 31 2017 Lukas Vrabec - 3.13.1-278- Add couple rules related to map permissions- Allow ddclient use nsswitch BZ(1456241)- Allow thumb_t domain getattr fixed_disk device. BZ(1379137)- Add interface dbus_manage_session_tmp_dirs()- Dontaudit useradd_t sys_ptrace BZ(1480121)- Allow ipsec_t can exec ipsec_exec_t- Allow systemd_logind_t to mamange session_dbusd_tmp_t dirs * Mon Aug 28 2017 Lukas Vrabec - 3.13.1-277- Allow cupsd_t to execute ld_so_cache- Add cgroup_seclabel policycap.- Allow xdm_t to read systemd hwdb- Add new interface systemd_hwdb_mmap_config()- Allow auditd_t domain to mmap conf files labeled as auditd_etc_t BZ(1485050) * Sat Aug 26 2017 Lukas Vrabec - 3.13.1-276- Allow couple map rules * Wed Aug 23 2017 Lukas Vrabec - 3.13.1-275- Make confined users working- Allow ipmievd_t domain to load kernel modules- Allow logrotate to reload transient systemd unit * Wed Aug 23 2017 Lukas Vrabec - 3.13.1-274- Allow postgrey to execute bin_t files and add postgrey into nsswitch_domain- Allow nscd_t domain to search network sysctls- Allow iscsid_t domain to read mount pid files- Allow ksmtuned_t domain manage sysfs_t files/dirs- Allow keepalived_t domain domtrans into iptables_t- Allow rshd_t domain reads net sysctls- Allow systemd to create syslog netlink audit socket- Allow ifconfig_t domain unmount fs_t- Label /dev/gpiochip * devices as gpio_device_t * Tue Aug 22 2017 Lukas Vrabec - 3.13.1-273- Allow dirsrv_t domain use mmap on files labeled as dirsrv_var_run_t BZ(1483170)- Allow just map permission insead of using mmap_file_pattern because mmap_files_pattern allows also executing objects.- Label /var/run/agetty.reload as getty_var_run_t- Add missing filecontext for sln binary- Allow systemd to read/write to event_device_t BZ(1471401) * Tue Aug 15 2017 Lukas Vrabec - 3.13.1-272- Allow sssd_t domain to map sssd_var_lib_t files- allow map permission where needed- contrib: allow map permission where needed- Allow syslogd_t to map syslogd_var_run_t files- allow map permission where needed * Mon Aug 14 2017 Lukas Vrabec - 3.13.1-271- Allow tomcat_t domain couple capabilities to make working tomcat-jsvc- Label /usr/libexec/sudo/sesh as shell_exec_t * Thu Aug 10 2017 Lukas Vrabec - 3.13.1-270- refpolicy: Infiniband pkeys and endport * Thu Aug 10 2017 Lukas Vrabec - 3.13.1-269- Allow osad make executable an anonymous mapping or private file mapping that is writable BZ(1425524)- After fix in kernel where LSM hooks for dac_override and dac_search_read capability was swaped we need to fix it also in policy- refpolicy: Define and allow map permission- init: Add NoNewPerms support for systemd.- Add nnp_nosuid_transition policycap and related class/perm definitions. * Mon Aug 07 2017 Petr Lautrbach - 3.13.1-268- Update for SELinux userspace release 20170804 / 2.7- Omit precompiled regular expressions from file_contexts.bin files * Mon Aug 07 2017 Lukas Vrabec - 3.13.1-267- After fix in kernel where LSM hooks for dac_override and dac_search_read capability was swaped we need to fix it also in policy * Thu Jul 27 2017 Fedora Release Engineering - 3.13.1-266- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild * Fri Jul 21 2017 Lukas Vrabec - 3.13.1-265- Allow llpdad send dgram to libvirt- Allow abrt_t domain dac_read_search capability- Allow init_t domain mounton dirs labeled as init_var_lib_t BZ(1471476)- Allow xdm_t domain read unique machine-id generated during system installation. BZ(1467036)- Dontaudit xdm_t to setattr lib_t dirs. BZ(#1458518) * Mon Jul 17 2017 Lukas Vrabec - 3.13.1-264- Dontaudit xdm_t to setattr lib_t dirs. BZ(#1458518) * Tue Jul 11 2017 Lukas Vrabec - 3.13.1-263- Add new boolean gluster_use_execmem * Mon Jul 10 2017 Lukas Vrabec - 3.13.1-262- Allow cluster_t and glusterd_t domains to dbus chat with ganesha service- Allow iptables to read container runtime files * Fri Jun 23 2017 Lukas Vrabec - 3.13.1-261- Allow boinc_t nsswitch- Dontaudit firewalld to write to lib_t dirs- Allow modemmanager_t domain to write to raw_ip file labeled as sysfs_t- Allow thumb_t domain to allow create dgram sockets- Disable mysqld_safe_t secure mode environment cleansing- Allow couple rules needed to start targetd daemon with SELinux in enforcing mode- Allow dirsrv domain setrlimit- Dontaudit staff_t user read admin_home_t files.- Add interface lvm_manage_metadata- Add permission open to files_read_inherited_tmp_files() interface * Mon Jun 19 2017 Lukas Vrabec - 3.13.1-260- Allow sssd_t to read realmd lib files.- Fix init interface file. init_var_run_t is type not attribute * Mon Jun 19 2017 Lukas Vrabec - 3.13.1-258- Allow rpcbind_t to execute systemd_tmpfiles_exec_t binary files.- Merge branch \'rawhide\' of github.com:wrabcak/selinux-policy-contrib into rawhide- Allow qemu to authenticate SPICE connections with SASL GSSAPI when SSSD is in use- Fix dbus_dontaudit_stream_connect_system_dbusd() interface to require TYPE rather than ATTRIBUTE for systemd_dbusd_t.- Allow httpd_t to read realmd_var_lib_t files- Allow unconfined_t user all user namespace capabilties.- Add interface systemd_tmpfiles_exec()- Add interface libs_dontaudit_setattr_lib_files()- Dontaudit xdm_t domain to setattr on lib_t dirs- Allow sysadm_r role to jump into dirsrv_t * Thu Jun 08 2017 Lukas Vrabec - 3.13.1-257- Merge pull request #10 from mscherer/fix_tor_dac- Merge pull request #9 from rhatdan/rawhide- Merge pull request #13 from vinzent/allow_zabbix_t_to_kill_zabbix_script_t- Allow kdumpgui to read removable disk device- Allow systemd_dbusd_t domain read/write to nvme devices- Allow udisks2 domain to read removable devices BZ(1443981)- Allow virtlogd_t to execute itself- Allow keepalived to read/write usermodehelper state- Allow named_t to bind on udp 4321 port- Fix interface tlp_manage_pid_files()- Allow collectd domain read lvm config files. BZ(1459097)- Merge branch \'rawhide\' of github.com:wrabcak/selinux-policy-contrib into rawhide- Allow samba_manage_home_dirs boolean to manage user content- Merge pull request #14 from lemenkov/rabbitmq_systemd_notify- Allow pki_tomcat_t execute ldconfig.- Merge pull request #191 from rhatdan/udev- Allow systemd_modules_load_t to load modules * Mon Jun 05 2017 Lukas Vrabec - 3.13.1-256- Allow keepalived domain connect to squid tcp port- Allow krb5kdc_t domain read realmd lib files.- Allow tomcat to connect on all unreserved ports- Allow keepalived domain connect to squid tcp port- Allow krb5kdc_t domain read realmd lib files.- Allow tomcat to connect on all unreserved ports- Allow ganesha to connect to all rpc ports- Update ganesha with few allow rules- Update rpc_read_nfs_state_data() interface to allow read also lnk_files.- virt_use_glusterd boolean should be in optional block- Add new boolean virt_use_glusterd- Add capability sys_boot for sbd_t domain Allow sbd_t domain to create rpc sysctls.- Allow ganesha_t domain to manage glusterd_var_run_t pid files.- Create new interface: glusterd_read_lib_files() Allow ganesha read glusterd lib files. Allow ganesha read network sysctls- Add few allow rules to ganesha module- Allow condor_master_t to read sysctls.- Add dac_override cap to ctdbd_t domain- Add ganesha_use_fusefs boolean.- Allow httpd_t reading kerberos kdc config files- Allow tomcat_t domain connect to ibm_dt_2 tcp port.- Allow stream connect to initrc_t domains- Add pki_exec_common_files() interface- Allow dnsmasq_t domain to read systemd-resolved pid files.- Allow tomcat domain name_bind on tcp bctp_port_t- Allow smbd_t domain generate debugging files under /var/run/gluster. These files are created through the libgfapi.so library that provides integration of a GlusterFS client in the Samba (vfs_glusterfs) process.- Allow condor_master_t write to sysctl_net_t- Allow nagios check disk plugin read /sys/kernel/config/- Allow pcp_pmie_t domain execute systemctl binary- Allow nagios to connect to stream sockets. Allow nagios start httpd via systemctl- xdm_t should view kernel keys- Hide broken symptoms when machine is configured with network bounding.- Label 8750 tcp/udp port as dey_keyneg_port_t- Label tcp/udp port 1792 as ibm_dt_2_port_t- Add interface fs_read_configfs_dirs()- Add interface fs_read_configfs_files()- Fix systemd_resolved_read_pid interface- Add interface systemd_resolved_read_pid()- Allow sshd_net_t domain read/write into crypto devices- Label 8999 tcp/udp as bctp_port_t * Thu May 18 2017 Lukas Vrabec - 3.13.1-255- Dontaudit net_admin capability for domains postfix_master_t and postfix_qmgr_t- Add interface pki_manage_common_files()- Allow rngd domain read sysfs_t- Allow tomcat_t domain to manage pki_common_t files and dirs- Merge pull request #3 from rhatdan/devicekit- Merge pull request #12 from lslebodn/sssd_sockets_fc- Allow certmonger reads httpd_config_t files- Allow keepalived_t domain creating netlink_netfilter_socket.- Use stricter fc rules for sssd sockets in /var/run- Allow tomcat domain read rpm_var_lib_t files Allow tomcat domain exec rpm_exec_t files Allow tomcat domain name connect on oracle_port_t Allow tomcat domain read cobbler_var_lib_t files.- Allow sssd_t domain creating sock files labeled as sssd_var_run_t in /var/run/- Allow svirt_t to read raw fixed_disk_device_t to make working blockcommit- ejabberd small fixes- Update targetd policy to accommodate changes in the service- Allow tomcat_domain connect to * postgresql_port_t * amqp_port_t Allow tomcat_domain read network sysctls- Allow virt_domain to read raw fixed_disk_device_t to make working blockcommit- Dontaudit net_admin capability for useradd_t domain- Allow systemd_localed_t and systemd_timedated_t create files in /etc with label locate_t BZ(1443723)- Make able deply overcloud via neutron_t to label nsfs as fs_t- Add fs_manage_configfs_lnk_files() interface * Mon May 15 2017 Lukas Vrabec - 3.13.1-254- Allow svirt_t to read raw fixed_disk_device_t to make working blockcommit- ejabberd small fixes- Update targetd policy to accommodate changes in the service- Allow tomcat_domain connect to * postgresql_port_t * amqp_port_t Allow tomcat_domain read network sysctls- Allow virt_domain to read raw fixed_disk_device_t to make working blockcommit- Allow glusterd_t domain start ganesha service- Made few cosmetic changes in sssd SELinux module- Merge pull request #11 from lslebodn/sssd_kcm- Update virt_rw_stream_sockets_svirt() interface to allow confined users set socket options.- Allow keepalived_t domain read usermodehelper_t- Allow radius domain stream connec to postgresql- Merge pull request #8 from bowlofeggs/142-rawhide- Add fs_manage_configfs_lnk_files() interface * Fri May 12 2017 Lukas Vrabec - 3.13.1-253- auth_use_nsswitch can call only domain not attribute- Dontaudit net_admin cap for winbind_t- Allow tlp_t domain to stream connect to system bus- Allow tomcat_t domain read pki_common_t files- Add interface pki_read_common_files()- Fix broken cermonger module- Fix broken apache module- Allow hypervkvp_t domain execute hostname- Dontaudit sssd_selinux_manager_t use of net_admin capability- Allow tomcat_t stream connect to pki_common_t- Dontaudit xguest_t\'s attempts to listen to its tcp_socket- Allow sssd_selinux_manager_t to ioctl init_t sockets- Improve ipa_cert_filetrans_named_content() interface to also allow caller domain manage ipa_cert_t type.- Allow pki_tomcat_t domain read /etc/passwd.- Allow tomcat_t domain read ipa_tmp_t files- Label new path for ipa-otpd- Allow radiusd_t domain stream connect to postgresql_t- Allow rhsmcertd_t to execute hostname_exec_t binaries.- Allow virtlogd to append nfs_t files when virt_use_nfs=1- Allow httpd_t domain read also httpd_user_content_type lnk_files.- Allow httpd_t domain create /etc/httpd/alias/ipaseesion.key with label ipa_cert_t- Dontaudit _gkeyringd_t stream connect to system_dbusd_t- Label /var/www/html/nextcloud/data as httpd_sys_rw_content_t- Add interface ipa_filetrans_named_content()- Allow tomcat use nsswitch- Allow certmonger_t start/status generic services- Allow dirsrv read cgroup files.- Allow ganesha_t domain read/write infiniband devices.- Allow sendmail_t domain sysctl_net_t files- Allow targetd_t domain read network state and getattr on loop_control_device_t- Allow condor_schedd_t domain send mails.- Allow ntpd to creating sockets. BZ(1434395)- Alow certmonger to create own systemd unit files.- Add kill namespace capability to xdm_t domain- Revert \"su using libselinux and creating netlink_selinux socket is needed to allow libselinux initialization.\"- Revert \"Allow _su_t to create netlink_selinux_socket\"- Allow _su_t to create netlink_selinux_socket- Allow unconfined_t to module_load any file- Allow staff to systemctl virt server when staff_use_svirt=1- Allow unconfined_t create /tmp/ca.p12 file with ipa_tmp_t context- Allow netutils setpcap capability- Dontaudit leaked file descriptor happening in setfiles_t domain BZ(1388124) * Thu Apr 20 2017 Michael Scherer - 3.13.1-252- fix #1380325, selinux-policy-sandbox always removing sandbox module on upgrade * Tue Apr 18 2017 Lukas Vrabec - 3.13.1-251- Fix abrt module to reflect all changes in abrt release * Tue Apr 18 2017 Lukas Vrabec - 3.13.1-250- Allow tlp_t domain to ioctl removable devices BZ(1436830)- Allow tlp_t domain domtrans into mount_t BZ(1442571)- Allow lircd_t to read/write to sysfs BZ(1442443)- Fix policy to reflect all changes in new IPA release- Allow virtlogd_t to creating tmp files with virt_tmp_t labels.- Allow sbd_t to read/write fixed disk devices- Add sys_ptrace capability to radiusd_t domain- Allow cockpit_session_t domain connects to ssh tcp ports.- Update tomcat policy to make working ipa install process- Allow pcp_pmcd_t net_admin capability. Allow pcp_pmcd_t read net sysctls Allow system_cronjob_t create /var/run/pcp with pcp_var_run_t- Fix all AVC denials during pkispawn of CA Resolves: rhbz#1436383- Update pki interfaces and tomcat module- Allow sendmail to search network sysctls- Add interface gssd_noatsecure()- Add interface gssproxy_noatsecure()- Allow chronyd_t net_admin capability to allow support HW timestamping.- Update tomcat policy.- Allow certmonger to start haproxy service- Fix init Module- Make groupadd_t domain as system bus client BZ(1416963)- Make useradd_t domain as system bus client BZ(1442572)- Allow xdm_t to gettattr /dev/loop-control device BZ(1385090)- Dontaudit gdm-session-worker to view key unknown. BZ(1433191)- Allow init noatsecure for gssd and gssproxy- Allow staff user to read fwupd_cache_t files- Remove typo bugs- Remove /proc <> from fedora policy, it\'s no longer necessary * Mon Apr 03 2017 Lukas Vrabec - 3.13.1-249- Merge pull request #4 from lslebodn/sssd_socket_activated- Remove /proc <> from fedora policy, it\'s no longer necessary- Allow iptables get list of kernel modules- Allow unconfined_domain_type to enable/disable transient unit- Add interfaces init_enable_transient_unit() and init_disable_transient_unit- Revert \"Allow sshd setcap capability. This is needed due to latest changes in sshd\"- Label sysroot dir under ostree as root_t * Mon Mar 27 2017 Adam Williamson - 3.13.1-248- Put tomcat_t back in unconfined domains for now. BZ(1436434) * Tue Mar 21 2017 Lukas Vrabec - 3.13.1-247- Make fwupd_var_lib_t type mountpoint. BZ(1429341)- Remove tomcat_t domain from unconfined domains- Create new boolean: sanlock_enable_home_dirs()- Allow mdadm_t domain to read/write nvme_device_t- Remove httpd_user_ *_content_t domains from user_home_type attribute. This tighten httpd policy and acces to user data will be more strinct, and also fix mutual influente between httpd_enable_homedirs and httpd_read_user_content- Add interface dev_rw_nvme- Label all files containing hostname substring in /etc/ created by systemd_hostnamed_t as hostname_etc_t. BZ(1433555) * Sat Mar 18 2017 Lukas Vrabec - 3.13.1-246- Label all files containing hostname substring in /etc/ created by systemd_hostnamed_t as hostname_etc_t. BZ(1433555) * Fri Mar 17 2017 Lukas Vrabec - 3.13.1-245- Allow vdagent domain to getattr cgroup filesystem- Allow abrt_dump_oops_t stream connect to sssd_t domain- Allow cyrus stream connect to gssproxy- Label /usr/libexec/cockpit-ssh as cockpit_session_exec_t and allow few rules- Allow colord_t to read systemd hwdb.bin file- Allow dirsrv_t to create /var/lock/dirsrv labeled as dirsrc_var_lock_t- Allow certmonger to manage /etc/krb5kdc_conf_t- Allow kdumpctl to getenforce- Allow ptp4l wake_alarm capability- Allow ganesha to chat with unconfined domains via dbus- Add nmbd_t capability2 block_suspend- Add domain transition from sosreport_t to iptables_t- Dontaudit init_t to mounton modules_object_t- Add interface files_dontaudit_mounton_modules_object- Allow xdm_t to execute files labeled as xdm_var_lib_t- Make mtrr_device_t mountpoint.- Fix path to /usr/lib64/erlang/erts-5.10.4/bin/epmd * Tue Mar 07 2017 Lukas Vrabec - 3.13.1-244- Update fwupd policy- /usr/libexec/udisks2/udisksd should be labeled as devicekit_disk_exec_t- Update ganesha policy- Allow chronyd to read adjtime- Merge pull request #194 from hogarthj/certbot_policy- get the correct cert_t context on certbot certificates bz#1289778- Label /dev/ss0 as gpfs_device_t * Thu Mar 02 2017 Lukas Vrabec - 3.13.1-243- Allow abrt_t to send mails. * Mon Feb 27 2017 Lukas Vrabec - 3.13.1-242- Add radius_use_jit boolean- Allow nfsd_t domain to create sysctls_rpc_t files- add the policy required for nextcloud- Allow can_load_kernmodule to load kernel modules. BZ(1426741)- Create kernel_create_rpc_sysctls() interface * Tue Feb 21 2017 Lukas Vrabec - 3.13.1-241- Remove ganesha from gluster module and create own module for ganesha- FIx label for /usr/lib/libGLdispatch.so.0.0.0 * Wed Feb 15 2017 Lukas Vrabec - 3.13.1-240- Dontaudit xdm_t wake_alarm capability2- Allow systemd_initctl_t to create and connect unix_dgram sockets- Allow ifconfig_t to mount/unmount nsfs_t filesystem- Add interfaces allowing mount/unmount nsfs_t filesystem- Label /usr/lib/libGLdispatch.so.0.0.0 as textrel_shlib_t BZ(1419944) * Mon Feb 13 2017 Lukas Vrabec - 3.13.1-239- Allow syslog client to connect to kernel socket. BZ(1419946) * Thu Feb 09 2017 Lukas Vrabec - 3.13.1-238- Allow shiftfs to use xattr SELinux labels- Fix ssh_server_template by add sshd_t to require section. * Wed Feb 08 2017 Lukas Vrabec - 3.13.1-237- Merge pull request #187 from rhatdan/container-selinux- Allow rhsmcertd domain signull kernel.- Allow container-selinux to handle all policy for container processes- Fix label for nagios plugins in nagios file conxtext file- su using libselinux and creating netlink_selinux socket is needed to allow libselinux initialization. Resolves: rhbz#1146987- Add SELinux support for systemd-initctl daemon- Add SELinux support for systemd-bootchart- su using libselinux and creating netlink_selinux socket is needed to allow libselinux initialization. Resolves: rhbz#1146987- Add module_load permission to can_load_kernmodule- Add module_load permission to class system- Add the validate_trans access vector to the security class- Restore connecto permssions for init_t * Thu Feb 02 2017 Lukas Vrabec - 3.13.1-236- Allow kdumpgui domain to read nvme device- Add amanda_tmpfs_t label. BZ(1243752)- Fix typo in sssd interface file- Allow sssd_t domain setpgid BZ(1411437)- Allow ifconfig_t domain read nsfs_t- Allow ping_t domain to load kernel modules.- Allow systemd to send user information back to pid1. BZ(1412750)- rawhide-base: Fix wrong type/attribute flavors in require blocks * Tue Jan 17 2017 Lukas Vrabec - 3.13.1-235- Allow libvirt daemon to create /var/chace/libvirt dir.- Allow systemd using ProtectKernelTunables securit feature. BZ(1392161)- F26 Wide change: Coredumps enabled by default. Allowing inherits process limits to enable coredumps.BZ(1341829) * Tue Jan 17 2017 Lukas Vrabec - 3.13.1-234- After the latest changes in nfsd. We should allow nfsd_t to read raw fixed disk. For more info see: BZ(1403017)- Tighten security on containe types- Make working cracklib_password_check for MariaDB service- Label 20514 tcp/udp ports as syslogd_port_t Label 10514 tcp/udp portas as syslog_tls_port_t BZ(1410505) * Sun Jan 08 2017 Lukas Vrabec - 3.13.1-233-Allow thumb domain sendto via dgram sockets. BZ(1398813)- Add condor_procd_t domain sys_ptrace cap_userns BZ(1411077)- Allow cobbler domain to create netlink_audit sockets BZ(1384600)- Allow networkmanager to manage networkmanager_var_lib_t lnk files BZ(1408626)- Add dhcpd_t domain fowner capability BZ(1409963)- Allow thumb to create netlink_kobject_uevent sockets. BZ(1410942)- Fix broken interfaces- Allow setfiles_t domain rw inherited kdumpctl tmp pipes BZ(1356456)- Allow user_t run systemctl --user BZ(1401625) * Fri Jan 06 2017 Lukas Vrabec - 3.13.1-232- Add tlp_var_lib_t label for /var/lib/tlp directory BZ(1409977)- Allow tlp_t domain to read proc_net_t BZ(1403487)- Merge pull request #179 from rhatdan/virt1- Allow tlp_t domain to read/write cpu microcode BZ(1403103)- Allow virt domain to use interited virtlogd domains fifo_file- Fixes for containers- Allow glusterd_t to bind on glusterd_port_t udp ports.- Update ctdbd_t policy to reflect all changes.- Allow ctdbd_t domain transition to rpcd_t * Wed Dec 14 2016 Lukas Vrabec - 3.13.1-231- Allow pptp_t to read /dev/random BZ(1404248)- Allow glusterd_t send signals to userdomain. Label new glusterd binaries as glusterd_exec_t- Allow systemd to stop glusterd_t domains.- Merge branch \'rawhide-base\' of github.com:fedora-selinux/selinux-policy into rawhide-base- Label /usr/sbin/sln as ldconfig_exec_t BZ(1378323)- Revert \"Allow an domain that has an entrypoint from a type to be allowed to execute the entrypoint without a transition, I can see no case where this is a bad thing, and elminiates a whole class of AVCs.\" * Thu Dec 08 2016 Lukas Vrabec - 3.13.1-230- Label /usr/bin/rpcbind as rpcbind_exec_t- Dontaudit mozilla plugin rawip socket creation. BZ(1275961)- Merge pull request #174 from rhatdan/netlink * Wed Dec 07 2016 Lukas Vrabec - 3.13.1-229- Label /usr/bin/rpcbind as rpcbind_exec_t. Label /usr/lib/systemd/systemd/rpcbind.service- Allot tlp domain to create unix_dgram sockets BZ(1401233)- Allow antivirus domain to create lnk_files in /tmp- Allow cupsd_t to create lnk_files in /tmp. BZ(1401634)- Allow svnserve_t domain to read /dev/random BZ(1401827)- Allow lircd to use nsswitch. BZ(1401375)- Allow hostname_t domain to manage cluster_tmp_t files * Mon Dec 05 2016 Lukas Vrabec - 3.13.1-228- Fix some boolean descriptions.- Add fwupd_dbus_chat() interface- Allow tgtd_t domain wake_alarm- Merge pull request #172 from vinzent/allow_puppetagent_timedated- Dontaudit logrotate_t to getattr nsfs_t BZ(1399081)- Allow systemd_machined_t to start unit files labeled as init_var_run_t- Add init_manage_config_transient_files() interface- In Atomic /usr/local is a soft symlink to /var/usrlocal, so the default policy to apply bin_t on /usr/...bin doesn\'t work and binaries dumped here get mislabeled as var_t.- Allow systemd to raise rlimit to all domains.BZ(1365435)- Add interface domain_setrlimit_all_domains() interface- Allow staff_t user to chat with fwupd_t domain via dbus- Update logging_create_devlog_dev() interface to allow calling domain create also sock_file dev-log. BZ(1393774)- Allow systemd-networkd to read network state BZ(1400016)- Allow systemd-resolved bind to dns port. BZ(1400023)- Allow systemd create /dev/log in own mount-namespace. BZ(1383867)- Add interface fs_dontaudit_getattr_nsfs_files()- Label /usr/lib/systemd/resolv.conf as lib_t to allow all domains read this file. BZ(1398853) * Tue Nov 29 2016 Lukas Vrabec - 3.13.1-227- Dontaudit logrotate_t to getattr nsfs_t BZ(1399081)- Allow pmie daemon to send signal pcmd daemon BZ(1398078)- Allow spamd_t to manage /var/spool/mail. BZ(1398437)- Label /run/rpc.statd.lock as rpcd_lock_t and allow rpcd_t domain to manage it. BZ(1397254)- Merge pull request #171 from t-woerner/rawhide-contrib- Allow firewalld to getattr open search read modules_object_t:dir- Allow systemd create /dev/log in own mount-namespace. BZ(1383867)- Add interface fs_dontaudit_getattr_nsfs_files()- Label /usr/lib/systemd/resolv.conf as lib_t to allow all domains read this file. BZ(1398853)- Dontaudit systemd_journal sys_ptrace userns capability. BZ(1374187) * Wed Nov 16 2016 Lukas Vrabec - 3.13.1-226- Adding policy for tlp- Add interface dev_manage_sysfs()- Allow ifconfig domain to manage tlp pid files. * Wed Nov 09 2016 Lukas Vrabec - 3.13.1-225- Allow systemd_logind_t domain to communicate with devicekit_t domain via dbus bz(1393373) * Tue Nov 08 2016 Lukas Vrabec - 3.13.1-224- Allow watching netflix using Firefox * Mon Nov 07 2016 Lukas Vrabec - 3.13.1-223- nmbd_t needs net_admin capability like smbd- Add interface chronyd_manage_pid() Allow logrotate to manage chrony pids- Add wake_alarm capability2 to openct_t domain- Allow abrt_t to getattr on nsfs_t files.- Add cupsd_t domain wake_alarm capability.- Allow sblim_reposd_t domain to read cert_f files.- Allow abrt_dump_oops_t to drop capabilities. bz(1391040)- Revert \"Allow abrt_dump_oops_t to drop capabilities. bz(1391040)\"- Allow isnsd_t to accept tcp connections * Wed Nov 02 2016 Lukas Vrabec - 3.13.1-222- Allow abrt_dump_oops_t to drop capabilities. bz(1391040)- Add named_t domain net_raw capability bz(1389240)- Allow geoclue to read system info. bz(1389320)- Make openfortivpn_t as init_deamon_domain. bz(1159899)- Allow nfsd domain to create nfsd_unit_file_t files. bz(1382487)- Merge branch \'rawhide-contrib\' of github.com:fedora-selinux/selinux-policy into rawhide-contrib- Add interace lldpad_relabel_tmpfs- Merge pull request #155 from rhatdan/sandbox_nfs- Add pscsd_t wake_alarm capability2- Allow sandbox domains to mount fuse file systems- Add boolean to allow sandbox domains to mount nfs- Allow hypervvssd_t to read all dirs.- Allow isnsd_t to connect to isns_port_t- Merge branch \'rawhide-contrib\' of github.com:fedora-selinux/selinux-policy into rawhide-contrib- Allow GlusterFS with RDMA transport to be started correctly. It requires ipc_lock capability together with rw permission on rdma_cm device.- Make tor_var_lib_t and tor_var_log_t as mountpoints.- Allow systemd-rfkill to write to /proc/kmsg bz(1388669)- Allow init_t to relabel /dev/shm/lldpad.state- Merge pull request #168 from rhatdan/docker- Label tcp 51954 as isns_port_t- Lots of new domains like OCID and RKT are user container processes * Mon Oct 17 2016 Miroslav Grepl - 3.13.1-221- Add container_file_t into contexts/customizable_types. * Sun Oct 16 2016 Lukas Vrabec - 3.13.1-220- Disable container_runtime_typebounds() due to typebounds issues which can not be resolved during build.- Disable unconfined_typebounds in sandbox.te due to entrypoint check which exceed for sandbox domains unconfined_t domain.- Disable unconfined_typebounds due to entrypoint check which exceed for sandbox domains unconfined_t domain.- Merge pull request #167 from rhatdan/container- Add transition rules for sandbox domains- container_typebounds() should be part of sandbox domain template- Fix broken container_ * interfaces- unconfined_typebounds() should be part of sandbox domain template- Fixed unrecognized characters at sandboxX module- unconfined_typebounds() should be part of sandbox domain template- svirt_file_type is atribute no type.- Merge pull request #166 from rhatdan/container- Allow users to transition from unconfined_t to container types- Add dbus_stream_connect_system_dbusd() interface.- Merge pull request #152 from rhatdan/network_filetrans- Fix typo in filesystem module- Allow nss_plugin to resolve host names via the systemd-resolved. BZ(1383473) * Mon Oct 10 2016 Lukas Vrabec - 3.13.1-219- Dontaudit leaked file descriptors for thumb. BZ(1383071)- Fix typo in cobbler SELinux module- Merge pull request #165 from rhatdan/container- Allow cockpit_ws_t to manage cockpit_lib_t dirs and files. BZ(1375156)- Allow cobblerd_t to delete dirs labeled as tftpdir_rw_t- Rename svirt_lxc_net_t to container_t- Rename docker.pp to container.pp, causes change in interface name- Allow httpd_t domain to list inotify filesystem.- Fix couple AVC to start roundup properly- Allow dovecot_t send signull to dovecot_deliver_t- Add sys_ptrace capability to pegasus domain- Allow firewalld to stream connect to NetworkManager. BZ(1380954)- rename docker intefaces to container- Merge pull request #164 from rhatdan/docker-base- Rename docker.pp to container.pp, causes change in interface name- Allow gvfs to read /dev/nvme * devices BZ(1380951) * Wed Oct 05 2016 Colin Walters - 3.13.1-218- Revert addition of systemd service for factory reset, since it is basically worse than what we had before. BZ(1290659) * Fri Sep 30 2016 Lukas Vrabec 3.13.1-216- Allow devicekit to chat with policykit via DBUS. BZ(1377113)- Add interface virt_rw_stream_sockets_svirt() BZ(1379314)- Allow xdm_t to read mount pid files. BZ(1377113)- Allow staff to rw svirt unix stream sockets. BZ(1379314)- Allow staff_t to read tmpfs files BZ(1378446) * Fri Sep 23 2016 Lukas Vrabec 3.13.1-215- Make tor_var_run_t as mountpoint. BZ(1368621)- Fix typo in ftpd SELinux module.- Allow cockpit-session to reset expired passwords BZ(1374262)- Allow ftp daemon to manage apache_user_content- Label /etc/sysconfig/oracleasm as oracleasm_conf_t- Allow oracleasm to rw inherited fixed disk device- Allow collectd to connect on unix_stream_socket- Add abrt_dump_oops_t kill user namespace capability. BZ(1376868)- Dontaudit systemd is mounting unlabeled dirs BZ(1367292)- Add interface files_dontaudit_mounton_isid() * Thu Sep 15 2016 Lukas Vrabec 3.13.1-214- Allow attach usb device to virtual machine BZ(1276873)- Dontaudit mozilla_plugin to sys_ptrace- Allow nut_upsdrvctl_t domain to read udev db BZ(1375636)- Fix typo- Allow geoclue to send msgs to syslog. BZ(1371818)- Allow abrt to read rpm_tmp_t dirs- Add interface rpm_read_tmp_files()- Remove labels for somr docker sandbox files for now. This needs to be reverted after fixes in docker-selinux- Update oracleasm SELinux module that can manage oracleasmfs_t blk files. Add dac_override cap to oracleasm_t domain.- Add few rules to pcp SELinux module to make ti able to start pcp_pmlogger service- Revert \"label /var/lib/kubelet as svirt_sandbox_file_t\"- Remove file context for /var/lib/kubelet. This filecontext is part of docker now- Add oracleasm_conf_t type and allow oracleasm_t to create /dev/oracleasm- Label /usr/share/pcp/lib/pmie as pmie_exec_t and /usr/share/pcp/lib/pmlogger as pmlogger_exec_t- Allow mdadm_t to getattr all device nodes- Dontaudit gkeyringd_domain to connect to system_dbusd_t- Add interface dbus_dontaudit_stream_connect_system_dbusd()- Allow guest-set-user-passwd to set users password.- Allow domains using kerberos to read also kerberos config dirs- Allow add new interface to new namespace BZ(1375124)- Allow systemd to relalbel files stored in /run/systemd/inaccessible/- Add interface fs_getattr_tmpfs_blk_file()- Dontaudit domain to create any file in /proc. This is kernel bug.- Improve regexp for power_unit_file_t files. To catch just systemd power unit files.- Add new interface fs_getattr_oracleasmfs_fs()- Add interface fs_manage_oracleasm()- Label /dev/kfd as hsa_device_t- Update seutil_manage_file_contexts() interface that caller domain can also manage file_context_t dirs * Fri Sep 02 2016 Lukas Vrabec 3.13.1-213- Label /var/lib/docker/vfs as svirt_sandbox_file_t in virt SELinux module- Label /usr/bin/pappet as puppetagent_exec_t- Allow amanda to create dir in /var/lib/ with amanda_var_lib_t label- Allow run sulogin_t in range mls_systemlow-mls_systemhigh. * Wed Aug 31 2016 Lukas Vrabec 3.13.1-212- udisk2 module is part of devicekit module now- Fix file context for /etc/pki/pki-tomcat/ca/- new interface oddjob_mkhomedir_entrypoint()- Allow mdadm to get attributes from all devices.- Label /etc/puppetlabs as puppet_etc_t.- quota: allow init to run quota tools- Add new domain ipa_ods_exporter_t BZ(1366640)- Create new interface opendnssec_stream_connect()- Allow VirtualBox to manage udev rules.- Allow systemd_resolved to send dbus msgs to userdomains- Make entrypoint oddjob_mkhomedir_exec_t for unconfined_t- Label all files in /dev/oracleasmfs/ as oracleasmfs_t * Thu Aug 25 2016 Lukas Vrabec 3.13.1-211- Add new domain ipa_ods_exporter_t BZ(1366640)- Create new interface opendnssec_stream_connect()- Allow systemd-machined to communicate to lxc container using dbus- Dontaudit accountsd domain creating dirs in /root- Add new policy for Disk Manager called udisks2- Dontaudit firewalld wants write to /root- Label /etc/pki/pki-tomcat/ca/ as pki_tomcat_cert_t- Allow certmonger to manage all systemd unit files- Allow ipa_helper_t stream connect to dirsrv_t domain- Update oracleasm SELinux module- label /var/lib/kubelet as svirt_sandbox_file_t- Allow systemd to create blk and chr files with correct label in /var/run/systemd/inaccessible BZ(1367280)- Label /usr/libexec/gsd-backlight-helper as xserver_exec_t. This allows also confined users to manage screen brightness- Add new userdom_dontaudit_manage_admin_dir() interface- Label /dev/oracleasmfs as oracleasmfs_t. Add few interfaces related to oracleasmfs_t type * Tue Aug 23 2016 Lukas Vrabec 3.13.1-210- Add few interfaces to cloudform.if file- Label /var/run/corosync-qnetd and /var/run/corosync-qdevice as cluster_var_run_t. Note: corosync policy is now par of rhcs module- Allow krb5kdc_t to read krb4kdc_conf_t dirs.- Update networkmanager_filetrans_named_content() interface to allow source domain to create also temad dir in /var/run.- Make confined users working again- Fix hypervkvp module- Allow ipmievd domain to create lock files in /var/lock/subsys/- Update policy for ipmievd daemon. Contain: Allowing reading sysfs, passwd,kernel modules Execuring bin_t,insmod_t- A new version of cloud-init that supports the effort to provision RHEL Atomic on Microsoft Azure requires some a new rules that allows dhclient/dhclient hooks to call cloud-init.- Allow systemd to stop systemd-machined daemon. This allows stop virtual machines.- Label /usr/libexec/iptables/iptables.init as iptables_exec_t Allow iptables creating lock file in /var/lock/subsys/ * Tue Aug 16 2016 Lukas Vrabec 3.13.1-209- Fix lsm SELinux module- Dontaudit firewalld to create dirs in /root/ BZ(1340611)- Label /run/corosync-qdevice and /run/corosync-qnetd as corosync_var_run_t- Allow fprintd and cluster domains to cummunicate via dbus BZ(1355774)- Allow cupsd_config_t domain to read cupsd_var_run_t sock_file. BZ(1361299)- Add sys_admin capability to sbd domain- Allow vdagent to comunnicate with systemd-logind via dbus- Allow lsmd_plugin_t domain to create fixed_disk device.- Allow opendnssec domain to create and manage own tmp dirs/files- Allow opendnssec domain to read system state- Allow systemd_logind stop system init_t- Add interface init_stop()- Add interface userdom_dontaudit_create_admin_dir()- Label /var/run/storaged as lvm_var_run_t.- Allow unconfineduser to run ipa_helper_t. * Fri Aug 12 2016 Lukas Vrabec 3.13.1-208- Allow cups_config_t domain also mange sock_files. BZ(1361299)- Add wake_alarm capability to fprintd domain BZ(1362430)- Allow firewalld_t to relabel net_conf_t files. BZ(1365178)- Allow nut_upsmon_t domain to chat with logind vie dbus about scheduleing a shutdown when UPS battery is low. BZ(1361802)- Allow virtual machines to use dri devices. This allows use openCL GPU calculations. BZ(1337333)- Allow crond and cronjob domains to creating mail_home_rw_t objects in admin_home_t BZ(1366173)- Dontaudit mock to write to generic certs.- Add labeling for corosync-qdevice and corosync-qnetd daemons, to run as cluster_t- Revert \"Label corosync-qnetd and corosync-qdevice as corosync_t domain\"- Merge pull request #144 from rhatdan/modemmanager- Allow modemmanager to write to systemd inhibit pipes- Label corosync-qnetd and corosync-qdevice as corosync_t domain- Allow ipa_helper to read network state- Label oddjob_reqiest as oddjob_exec_t- Add interface oddjob_run()- Allow modemmanager chat with systemd_logind via dbus- Allow NetworkManager chat with puppetagent via dbus- Allow NetworkManager chat with kdumpctl via dbus- Allow sbd send msgs to syslog Allow sbd create dgram sockets. Allow sbd to communicate with kernel via dgram socket Allow sbd r/w kernel sysctls.- Allow ipmievd_t domain to re-create ipmi devices Label /usr/libexec/openipmi-helper as ipmievd_exec_t- Allow rasdaemon to use tracefs filesystem- Fix typo bug in dirsrv policy- Some logrotate scripts run su and then su runs unix_chkpwd. Allow logrotate_t domain to check passwd.- Add ipc_lock capability to sssd domain. Allow sssd connect to http_cache_t- Allow dirsrv to read dirsrv_share_t content- Allow virtlogd_t to append svirt_image_t files.- Allow hypervkvp domain to read hugetlbfs dir/files.- Allow mdadm daemon to read nvme_device_t blk files- Allow systemd_resolved to connect on system bus. BZ(1366334)- Allow systemd to create netlink_route_socket and communicate with systemd_networkd BZ(1306344)- Allow systemd-modules-load to load kernel modules in early boot. BZ(1322625)- label tcp/udp port 853 as dns_port_t. BZ(1365609)- Merge pull request #145 from rhatdan/init- systemd is doing a gettattr on blk and chr devices in /run- Allow selinuxusers and unconfineduser to run oddjob_request- Allow sshd server to acces to Crypto Express 4 (CEX4) devices.- Fix typo in device interfaces- Add interfaces for managing ipmi devices- Add interfaces to allow mounting/umounting tracefs filesystem- Add interfaces to allow rw tracefs filesystem- Merge branch \'rawhide-base\' of github.com:fedora-selinux/selinux-policy into rawhide-base- Merge pull request #138 from rhatdan/userns- Allow iptables to creating netlink generic sockets.- Fix filecontext for systemd shared lib. * Thu Aug 04 2016 Lukas Vrabec 3.13.1-207- Fix filesystem inteface file, we don\'t have nsfs_fs_t type, just nsfs_t * Tue Aug 02 2016 Lukas Vrabec 3.13.1-206- collectd: update policy for 5.5- Allow puppet_t transtition to shorewall_t- Grant certmonger \"chown\" capability- Boinc updates from Russell Coker.- Allow sshd setcap capability. This is needed due to latest changes in sshd.- Revert \"Allow sshd setcap capability. This is needed due to latest changes in sshd\"- Revert \"Fix typo in ssh policy\"- Get attributes of generic ptys, from Russell Coker. * Fri Jul 29 2016 Lukas Vrabec 3.13.1-205- Dontaudit mock_build_t can list all ptys.- Allow ftpd_t to mamange userhome data without any boolean.- Add logrotate permissions for creating netlink selinux sockets.- Add new MLS attribute to allow relabeling objects higher than system low. This exception is needed for package managers when processing sensitive data.- Label all VBox libraries stored in /var/lib/VBoxGuestAdditions/lib/ as textrel_shlib_t BZ(1356654)- Allow systemd gpt generator to run fstools BZ(1353585)- Label /usr/lib/systemd/libsystemd-shared-231.so as lib_t. BZ(1360716)- Allow gnome-keyring also manage user_tmp_t sockets.- Allow systemd to mounton /etc filesystem. BZ(1341753) * Tue Jul 26 2016 Lukas Vrabec 3.13.1-204- Allow lsmd_plugin_t to exec ldconfig.- Allow vnstatd domain to read /sys/class/net/ files- Remove duplicate allow rules in spamassassin SELinux module- Allow spamc_t and spamd_t domains create .spamassassin file in user homedirs- Allow ipa_dnskey domain to search cache dirs- Allow dogtag-ipa-ca-renew-agent-submit labeled as certmonger_t to create /var/log/ipa/renew.log file- Allow ipa-dnskey read system state.- Allow sshd setcap capability. This is needed due to latest changes in sshd Resolves: rhbz#1356245- Add interface to write to nsfs inodes- Allow init_t domain to read rpm db. This is needed due dnf-upgrade process failing. BZ(1349721)- Allow systemd_modules_load_t to read /etc/modprobe.d/lockd.conf- sysadmin should be allowed to use docker. * Mon Jul 18 2016 Lukas Vrabec 3.13.1-203- Allow hypervkvp domain to run restorecon.- Allow firewalld to manage net_conf_t files- Remove double graphite-web context declaration- Fix typo in rhsmcertd SELinux policy- Allow logrotate read logs inside containers.- Allow sssd to getattr on fs_t- Allow opendnssec domain to manage bind chace files- Allow systemd to get status of systemd-logind daemon- Label more ndctl devices not just ndctl0 * Wed Jul 13 2016 Lukas Vrabec 3.13.1-202- Allow systemd_logind_t to start init_t BZ(1355861)- Add init_start() interface- Allow sysadm user to run systemd-tmpfiles- Add interface systemd_tmpfiles_run * Mon Jul 11 2016 Lukas Vrabec 3.13.1-201- Allow lttng tools to block suspending- Allow creation of vpnaas in openstack- remove rules with compromised_kernel permission- Allow dnssec-trigger to chat with NetworkManager over DBUS BZ(1350100)- Allow virtual machines to rw infiniband devices. Resolves: rhbz#1210263- Update makefile to support snapperd_contexts file- Remove compromize_kernel permission Remove unused mac_admin permission Add undefined system permission- Remove duplicate declaration of class service- Fix typo in access_vectors file- Merge branch \'rawhide-base-modules-load\' into rawhide-base- Add new policy for systemd-modules-load- Add systemd access vectors.- Revert \"Revert \"Revert \"Missed this version of exec_all\"\"\"- Revert \"Revert \"Missed this version of exec_all\"\"- Revert \"Missed this version of exec_all\"- Revert \"Revert \"Fix name of capability2 secure_firmware->compromise_kernel\"\" BZ(1351624) This reverts commit 3e0e7e70de481589440f3f79cccff08d6e62f644.- Revert \"Fix name of capability2 secure_firmware->compromise_kernel\" BZ(1351624) This reverts commit 7a0348a2d167a72c8ab8974a1b0fc33407f72c48.- Revert \"Allow xserver to compromise_kernel access\"BZ(1351624)- Revert \"Allow anyone who can load a kernel module to compromise_kernel\"BZ(1351624)- Revert \"add ptrace_child access to process\" (BZ1351624)- Add user namespace capability object classes.- Allow udev to manage systemd-hwdb files- Add interface systemd_hwdb_manage_config()- Fix paths to infiniband devices. This allows use more then two infiniband interfaces.- corecmd: Remove fcontext for /etc/sysconfig/libvirtd- iptables: add fcontext for nftables * Tue Jul 05 2016 Lukas Vrabec 3.13.1-200- Fix typo in brltty policy- Add new SELinux module sbd- Allow pcp dmcache metrics collection- Allow pkcs_slotd_t to create dir in /var/lock Add label pkcs_slotd_log_t- Allow openvpn to create sock files labeled as openvpn_var_run_t- Allow hypervkvp daemon to getattr on all filesystem types.- Allow firewalld to create net_conf_t files- Allow mock to use lvm- Allow mirromanager creating log files in /tmp- Allow vmtools_t to transition to rpm_script domain- Allow nsd daemon to manage nsd_conf_t dirs and files- Allow cluster to create dirs in /var/run labeled as cluster_var_run_t- Allow sssd read also sssd_conf_t dirs- Allow opensm daemon to rw infiniband_mgmt_device_t- Allow krb5kdc_t to communicate with sssd- Allow prosody to bind on prosody ports- Add dac_override caps for fail2ban-client Resolves: rhbz#1316678- dontaudit read access for svirt_t on the file /var/db/nscd/group Resolves: rhbz#1301637- Allow inetd child process to communicate via dbus with systemd-logind Resolves: rhbz#1333726- Add label for brltty log file Resolves: rhbz#1328818- Allow snort_t to communicate with sssd Resolves: rhbz#1284908- Add interface lttng_sessiond_tmpfs_t()- Dontaudit su_role_template interface to getattr /proc/kcore Dontaudit su_role_template interface to getattr /dev/initctl- Add interface lvm_getattr_exec_files()- Make label for new infiniband_mgmt deivices- Add prosody ports Resolves: rhbz#1304664 * Tue Jun 28 2016 Lukas Vrabec 3.13.1-199- Label /var/lib/softhsm as named_cache_t. Allow named_t to manage named_cache_t dirs.- Allow glusterd daemon to get systemd status- Merge branch \'rawhide-contrib\' of github.com:fedora-selinux/selinux-policy into rawhide-contrib- Merge pull request #135 from rhatdan/rawip_socket- Allow logrotate dbus-chat with system_logind daemon- Allow pcp_pmlogger to read kernel network state Allow pcp_pmcd to read cron pid files- Add interface cron_read_pid_files()- Allow pcp_pmlogger to create unix dgram sockets- Add interface dirsrv_run()- Remove non-existing jabberd_spool_t() interface and add new jabbertd_var_spool_t.- Remove non-existing interface salk_resetd_systemctl() and replace it with sanlock_systemctl_sanlk_resetd()- Create label for openhpid log files.- Container processes need to be able to listen on rawip sockets- Label /var/lib/ganglia as httpd_var_lib_t- Allow firewalld_t to create entries in net_conf_t dirs.- Allow journalctl to read syslogd_var_run_t files. This allows to staff_t and sysadm_t to read journals- Label /etc/dhcp/scripts dir as bin_t- Allow sysadm_role to run journalctl_t domain. This allows sysadm user to read journals. * Wed Jun 22 2016 Lukas Vrabec 3.13.1-198- Allow firewalld_t to create entries in net_conf_t dirs.- Allow journalctl to read syslogd_var_run_t files. This allows to staff_t and sysadm_t to read journals- Allow rhsmcertd connect to port tcp 9090- Label for /bin/mail(x) was removed but /usr/bin/mail(x) not. This path is also needed to remove.- Label /usr/libexec/mimedefang-wrapper as spamd_exec_t.- Add new boolean spamd_update_can_network.- Add proper label for /var/log/proftpd.log- Allow rhsmcertd connect to tcp netport_port_t- Fix SELinux context for /usr/share/mirrormanager/server/mirrormanager to Label all binaries under dir as mirrormanager_exec_t.- Allow prosody to bind to fac_restore tcp port.- Fix SELinux context for usr/share/mirrormanager/server/mirrormanager- Allow ninfod to read raw packets- Fix broken hostapd policy- Allow hostapd to create netlink_generic sockets. BZ(1343683)- Merge pull request #133 from vinzent/allow_puppet_transition_to_shorewall- Allow pegasus get attributes from qemu binary files.- Allow tuned to use policykit. This change is required by cockpit.- Allow conman_t to read dir with conman_unconfined_script_t binary files.- Allow pegasus to read /proc/sysinfo.- Allow puppet_t transtition to shorewall_t- Allow conman to kill conman_unconfined_script.- Allow sysadm_role to run journalctl_t domain. This allows sysadm user to read journals.- Merge remote-tracking branch \'refs/remotes/origin/rawhide-base\' into rawhide-base- Allow systemd to execute all init daemon executables.- Add init_exec_notrans_direct_init_entry() interface.- Label tcp ports:16379, 26379 as redis_port_t- Allow systemd to relabel /var and /var/lib directories during boot.- Add files_relabel_var_dirs() and files_relabel_var_dirs() interfaces.- Add files_relabelto_var_lib_dirs() interface.- Label tcp and udp port 5582 as fac_restore_port_t- Allow sysadm_t user to run postgresql-setup.- Allow sysadm_t user to dbus chat with oddjob_t. This allows confined admin run oddjob mkhomedirfor script.- Allow systemd-resolved to connect to llmnr tcp port. BZ(1344849)- Allow passwd_t also manage user_tmp_t dirs, this change is needed by gnome-keyringd * Thu Jun 16 2016 Lukas Vrabec 3.13.1-197- Allow conman to kill conman_unconfined_script.- Make conman_unconfined_script_t as init_system_domain.- Allow init dbus chat with apmd.- Patch /var/lib/rpm is symlink to /usr/share/rpm on Atomic, due to this change we need to label also /usr/share/rpm as rpm_var_lib_t.- Dontaudit xguest_gkeyringd_t stream connect to system_dbusd_t- Allow collectd_t to stream connect to postgresql.- Allow mysqld_safe to inherit rlimit information from mysqld- Allow ip netns to mounton root fs and unmount proc_t fs.- Allow sysadm_t to run newaliases command. | |