Changelog for selinux-policy-minimum-20230321-5.1.noarch.rpm:
* Tue Mar 21 2023 jsegitz@suse.com - Update to version 20230321:
* make kernel_t unconfined again
* Thu Mar 16 2023 jsegitz@suse.com - Update to version 20230316:
* prevent labeling of overlayfs filesystems based on the /var/lib/overlay path
* allow kernel_t to relabel etc_t files
* allow kernel_t to relabel sysnet config files
* allow kernel_t to relabel systemd hwdb etc files
* add systemd_hwdb_relabel_etc_files to allow labeling of hwdb files
* change sysnet_relabelto_net_conf and sysnet_relabelfrom_net_conf to apply to files and lnk_files. lnk_files are commonly used in SUSE to allow easy management of config files
* add files_relabel_etc_files_basic and files_relabel_etc_lnk_files_basic interfaces to allow labeling on etc_t, not on the broader configfiles attribute
* Allow systemd-timesyncd to bind to generic UDP ports (bsc#1207962). The watch permissions reported are already fixed in a current policy.
- Reinstate update.sh and remove container-selinux from the service. Having both repos in there causes issues and update.sh makes the update process easier in general. Updated README.Update
* Tue Mar 07 2023 Johannes Segitz
- Remove erroneous SUSE man page. Will not be created with the 3.5 toolchain
* Tue Feb 14 2023 Hu - Complete packaging rework: Move policy to git repository and only use tar_scm obs service to refresh from there: https://gitlab.suse.de/selinux/selinux-policy Please use `osc service manualrun` to update this OBS package to the newest git version.
* Added README.Update describing how to update this package
* Added _service file that pulls from selinux-policy and upstream container-selinux and tars them
* Adapted selinux-policy.spec to build selinux-policy with container-selinux
* Removed update.sh as no longer needed
* Removed suse specific modules as they are now covered by git commits
* packagekit.te packagekit.if packagekit.fc
* rebootmgr.te rebootmgr.if rebootmgr.fc
* rtorrent.te rtorrent.if rtorrent.fc
* wicked.te wicked.if wicked.fc
* Removed *.patch as they are now covered by git commits:
* distro_suse_to_distro_redhat.patch
* dontaudit_interface_kmod_tmpfs.patch
* fix_accountsd.patch
* fix_alsa.patch
* fix_apache.patch
* fix_auditd.patch
* fix_authlogin.patch
* fix_automount.patch
* fix_bitlbee.patch
* fix_chronyd.patch
* fix_cloudform.patch
* fix_colord.patch
* fix_corecommand.patch
* fix_cron.patch
* fix_dbus.patch
* fix_djbdns.patch
* fix_dnsmasq.patch
* fix_dovecot.patch
* fix_entropyd.patch
* fix_firewalld.patch
* fix_fwupd.patch
* fix_geoclue.patch
* fix_hypervkvp.patch
* fix_init.patch
* fix_ipsec.patch
* fix_iptables.patch
* fix_irqbalance.patch
* fix_java.patch
* fix_kernel.patch
* fix_kernel_sysctl.patch
* fix_libraries.patch
* fix_locallogin.patch
* fix_logging.patch
* fix_logrotate.patch
* fix_mcelog.patch
* fix_miscfiles.patch
* fix_nagios.patch
* fix_networkmanager.patch
* fix_nis.patch
* fix_nscd.patch
* fix_ntp.patch
* fix_openvpn.patch
* fix_postfix.patch
* fix_rpm.patch
* fix_rtkit.patch
* fix_screen.patch
* fix_selinuxutil.patch
* fix_sendmail.patch
* fix_smartmon.patch
* fix_snapper.patch
* fix_sslh.patch
* fix_sysnetwork.patch
* fix_systemd.patch
* fix_systemd_watch.patch
* fix_thunderbird.patch
* fix_unconfined.patch
* fix_unconfineduser.patch
* fix_unprivuser.patch
* fix_userdomain.patch
* fix_usermanage.patch
* fix_wine.patch
* fix_xserver.patch
* sedoctool.patch
* systemd_domain_dyntrans_type.patch
* Mon Feb 06 2023 Johannes Segitz - Update to version 20230206. Refreshed:
* fix_entropyd.patch
* fix_networkmanager.patch
* fix_systemd_watch.patch
* fix_unconfineduser.patch
- Updated fix_kernel.patch to allow kernel_t access to xdm state. This is necessary as plymouth doesn't run in its own domain in early boot
* Mon Jan 16 2023 Johannes Segitz - Update to version 20230125. Refreshed:
* distro_suse_to_distro_redhat.patch
* fix_dnsmasq.patch
* fix_init.patch
* fix_ipsec.patch
* fix_kernel_sysctl.patch
* fix_logging.patch
* fix_rpm.patch
* fix_selinuxutil.patch
* fix_systemd_watch.patch
* fix_userdomain.patch
- More flexible lib(exec) matching in fix_fwupd.patch
- Removed sys_admin for systemd_gpt_generator_t in fix_systemd.patch
- Dropped fix_container.patch, is now upstream
- Added fix_entropyd.patch
* Added new interface entropyd_semaphore_filetrans to properly transfer semaphore created during early boot. That doesn't work yet, so work around with next item
* Allow reading tempfs files
- Added fix_kernel.patch. Added modutils_execute_kmod_tmpfs_files interface to allow kmod_tmpfs_t files to be executed. Necessary for firewalld
- Added fix_rtkit.patch to fix labeling of binary
- Modified fix_ntp.patch:
* Proper labeling for start-ntpd
* Fixed label rules for chroot path
* Temporarily allow dac_override for ntpd_t (bsc#1207577)
* Add interface ntp_manage_pid_files to allow management of pid files
- Updated fix_networkmanager.patch to allow managing ntp pid files
* Thu Jan 12 2023 Johannes Segitz - Update fix_container.patch to allow privileged containers to use localectl (bsc#1207077)
* Wed Jan 11 2023 Johannes Segitz - Add fix_container.patch to allow privileged containers to use timedatectl (bsc#1207054)
* Thu Dec 15 2022 Hu - Added fix_ipsec.patch: Allow AF_ALG socket creation for strongswan (bnc#1206445)
* Wed Dec 14 2022 Hu - Added policy for wicked scripts under /etc/sysconfig/network/scripts (bnc#1205770)
* Wed Dec 14 2022 Johannes Segitz - Add fix_sendmail.patch
* fix context of custom sendmail startup helper
* fix context of /var/run/sendmail and add necessary rules to manage content in there
* Tue Dec 13 2022 Johannes Segitz - Updated fix_networkmanager.patch to fix labeling of nm-dispatcher and nm-priv-helper until the packaging is adjusted (bsc#1206355)
- Update fix_chronyd.patch to allow sendto towards NetworkManager_dispatcher_custom_t. Added new interface networkmanager_dispatcher_custom_dgram_send for this (bsc#1206357)
- Update fix_dbus.patch to allow dbus to watch lib directories (bsc#1205895)
* Tue Dec 06 2022 Johannes Segitz - Updated fix_networkmanager.patch to allow NetworkManager to watch net_conf_t (bsc#1206109)
* Wed Nov 30 2022 Filippo Bonazzi - Add fix_irqbalance.patch: support netlink socket operations (bsc#1205434)
* Wed Nov 30 2022 Filippo Bonazzi - Drop fix_irqbalance.patch: superseded by upstream
* Thu Nov 24 2022 Hu - fix_sysnetwork.patch: firewalld uses /etc/sysconfig/network/ for network interface definition instead of /etc/sysconfig/network-scripts/, modified sysnetwork.fc to reflect that (bsc#1205580).
* Wed Oct 19 2022 Johannes Segitz - Update to version 20221019. Refreshed:
* distro_suse_to_distro_redhat.patch
* fix_apache.patch
* fix_chronyd.patch
* fix_cron.patch
* fix_init.patch
* fix_kernel_sysctl.patch
* fix_networkmanager.patch
* fix_rpm.patch
* fix_sysnetwork.patch
* fix_systemd.patch
* fix_systemd_watch.patch
* fix_unconfined.patch
* fix_unconfineduser.patch
* fix_unprivuser.patch
* fix_xserver.patch
- Dropped fix_cockpit.patch as this is now packaged with cockpit itself
- Remove the ipa module, FreeIPA ships its own module
- Added fix_alsa.patch to allow reading of config files in home directories
- Extended fix_networkmanager.patch and fix_postfix.patch to account for SUSE systems
- Added dontaudit_interface_kmod_tmpfs.patch to prevent AVCs when startproc queries the running processes
- Updated fix_snapper.patch to allow snapper to talk to rpm via dbus
* Fri Sep 30 2022 Johannes Segitz - Updated quilt couldn't unpack tarball. This will cause ongoing issues so drop the sed statement in the %prep section and add distro_suse_to_distro_redhat.patch to add the necessary changes via a patch
* Thu Sep 29 2022 Johannes Segitz - Update fix_networkmanager.patch to ensure NetworkManager chrony dispatcher is properly labeled and update fix_chronyd.patch to ensure chrony helper script has proper label to be used by NetworkManager. Also allow NetworkManager_dispatcher_custom_t to query systemd status (bsc#1203824)
* Tue Sep 27 2022 Filippo Bonazzi - Update fix_xserver.patch to add greetd support (bsc#1198559)
* Mon Sep 12 2022 Johannes Segitz - Revamped rtorrent module
* Fri Aug 26 2022 Thorsten Kukuk - Move SUSE directory from manual page section to html docu
* Wed Jul 27 2022 Hu - fix_networkmanager.patch: Allow NetworkManager_dispatcher_tlp_t and NetworkManager_dispatcher_custom_t to access nscd socket (bsc#1201741)
* Tue Jul 26 2022 Zdenek Kubala - Add fix_cloudform.patch to fix cloud-init runcmd issue with snapper (bnc#1201015)
* Thu Jul 14 2022 Johannes Segitz - Update to version 20220714. Refreshed:
* fix_init.patch
* fix_systemd_watch.patch
* Wed Jul 13 2022 Johannes Segitz - Update fix_systemd.patch to add cap sys_admin and kernel_dgram_send for systemd_gpt_generator_t (bsc#1200911)
* Mon Jul 11 2022 Johannes Segitz - postfix: Label PID files and some helpers correctly (bsc#1197242)
* Fri Jun 24 2022 Johannes Segitz - Add fix_userdomain.patch to dontaudit UDP rpc ports (bsc#1193984)
* Fri Jun 24 2022 Johannes Segitz - Update to version 20220624. Refreshed:
* fix_init.patch
* fix_kernel_sysctl.patch
* fix_logging.patch
* fix_networkmanager.patch
* fix_unprivuser.patch
- Dropped fix_hadoop.patch, not necessary anymore
- Updated fix_locallogin.patch to allow accesses for nss-systemd (bsc#1199630)
* Fri May 20 2022 Johannes Segitz - Update to version 20220520 to pass stricter 3.4 toolchain checks
* Fri May 20 2022 Johannes Segitz - Update to version 20220428. Refreshed:
* fix_apache.patch
* fix_hadoop.patch
* fix_init.patch
* fix_iptables.patch
* fix_kernel_sysctl.patch
* fix_networkmanager.patch
* fix_systemd.patch
* fix_systemd_watch.patch
* fix_unprivuser.patch
* fix_usermanage.patch
* fix_wine.patch
* Thu May 19 2022 Johannes Segitz - Add fix_dnsmasq.patch to fix problems with virtualization on MicroOS (bsc#1199518)
* Tue May 03 2022 Johannes Segitz - Modified fix_init.patch to allow init to set up a constrained environment for accountsservice. This needs a better, more general solution (bsc#1197610)
* Mon May 02 2022 Johannes Segitz - Add systemd_domain_dyntrans_type.patch to allow systemd to dyntransition. This happens in certain boot conditions (bsc#1182500)
- Changed fix_unconfineduser.patch to not transition into ldconfig_t from unconfined_t (bsc#1197169)
* Thu Feb 17 2022 Klaus Kämpf - use %license tag for COPYING file
* Thu Feb 10 2022 Johannes Segitz - Updated fix_cron.patch. Adjust labeling for at (bsc#1195683)
* Wed Feb 09 2022 Filippo Bonazzi - Fix bitlbee runtime directory (bsc#1193230)
* add fix_bitlbee.patch
* Mon Jan 24 2022 Johannes Segitz - Update to version 20220124. Refreshed:
* fix_hadoop.patch
* fix_init.patch
* fix_kernel_sysctl.patch
* fix_systemd.patch
* fix_systemd_watch.patch
- Added fix_hypervkvp.patch to fix issues with hyperv labeling (bsc#1193987)
* Fri Jan 14 2022 Johannes Segitz - Allow colord to use systemd hardenings (bsc#1194631)
* Thu Nov 11 2021 Johannes Segitz - Update to version 20211111. Refreshed:
* fix_dbus.patch
* fix_systemd.patch
* fix_authlogin.patch
* fix_auditd.patch
* fix_kernel_sysctl.patch
* fix_networkmanager.patch
* fix_chronyd.patch
* fix_unconfineduser.patch
* fix_unconfined.patch
* fix_firewalld.patch
* fix_init.patch
* fix_xserver.patch
* fix_logging.patch
* fix_hadoop.patch
* Mon Oct 25 2021 Marcus Meissner - fix_wine.patch: give Wine .dll same context as .so (bsc#1191976)
* Tue Sep 28 2021 Enzo Matsumiya - Fix auditd service start with systemd hardening directives (boo#1190918)
* add fix_auditd.patch
* Thu Sep 02 2021 Johannes Segitz - Modified fix_systemd.patch to allow systemd gpt generator access to udev files (bsc#1189280)
* Fri Aug 27 2021 Ales Kedroutek - fix rebootmgr does not trigger the reboot properly (boo#1189878)
* fix managing /etc/rebootmgr.conf
* allow rebootmgr_t to cope with systemd and dbus messaging
* Thu Aug 26 2021 Johannes Segitz - Properly label cockpit files
- Allow wicked to communicate with network manager on DBUS (bsc#1188331)
* Mon Aug 23 2021 Ales Kedroutek - Added policy module for rebootmgr (jsc#SMO-28)
* Tue Aug 17 2021 Ludwig Nussel - Allow systemd-sysctl to read kernel specific sysctl.conf (fix_kernel_sysctl.patch, boo#1184804)
* Tue Aug 10 2021 Ludwig Nussel - Fix quoting in postInstall macro
* Fri Jul 16 2021 Johannes Segitz - Update to version 20210716
- Remove interfaces for container module before building the package (bsc#1188184)
- Updated
* fix_init.patch
* fix_systemd_watch.patch to adapt to upstream changes
* Thu Jul 15 2021 Callum Farmer - Use tabrmd SELinux modules from tpm2.0-abrmd instead of storing here
* Tue Jul 06 2021 Alberto Planas Dominguez - Add tabrmd SELinux modules from upstream (bsc#1187925) https://github.com/tpm2-software/tpm2-abrmd/tree/master/selinux
- Automatic spec-cleaner to fix ordering and misaligned spaces
* Mon Jun 28 2021 Johannes Segitz - Update to version 20210419
- Dropped fix_gift.patch, module was removed
- Updated wicked.te to remove dropped interface
- Refreshed:
* fix_cockpit.patch
* fix_hadoop.patch
* fix_init.patch
* fix_logging.patch
* fix_logrotate.patch
* fix_networkmanager.patch
* fix_nscd.patch
* fix_rpm.patch
* fix_selinuxutil.patch
* fix_systemd.patch
* fix_systemd_watch.patch
* fix_thunderbird.patch
* fix_unconfined.patch
* fix_unconfineduser.patch
* fix_unprivuser.patch
* fix_xserver.patch
* Tue May 18 2021 Ludwig Nussel - allow systemd to watch /usr, /usr/lib, /etc, /etc/pki as we have path units that trigger on changes in those. Added fix_systemd_watch.patch
- own /usr/share/selinux/packages/$SELINUXTYPE/ and /var/lib/selinux/$SELINUXTYPE/active/modules/ to allow packages to install files there
* Wed Apr 28 2021 Ludwig Nussel - allow cockpit socket to bind nodes (fix_cockpit.patch)
- use %autosetup to get rid of endless patch lines
* Tue Apr 27 2021 Johannes Segitz - Updated fix_networkmanager.patch to allow NetworkManager to watch its configuration directories
- Added fix_dovecot.patch to fix dovecot authentication (bsc#1182207)
* Mon Apr 26 2021 Johannes Segitz - Added Recommends for selinux-autorelabel (bsc#1181837)
- Prevent libreoffice fonts from changing types on every relabel (bsc#1185265). Added fix_libraries.patch
* Fri Apr 23 2021 Johannes Segitz - Transition unconfined users to ldconfig type (bsc#1183121). Extended fix_unconfineduser.patch
* Mon Apr 19 2021 Johannes Segitz - Update to version 20210419
- Refreshed:
* fix_dbus.patch
* fix_hadoop.patch
* fix_init.patch
* fix_unprivuser.patch
* Fri Mar 12 2021 Ales Kedroutek - Adjust fix_init.patch to allow systemd to do sd-listen on tcp socket [bsc#1183177]
* Tue Mar 09 2021 Johannes Segitz - Update to version 20210309
- Refreshed:
* fix_systemd.patch
* fix_selinuxutil.patch
* fix_iptables.patch
* fix_init.patch
* fix_logging.patch
* fix_nscd.patch
* fix_hadoop.patch
* fix_unconfineduser.patch
* fix_chronyd.patch
* fix_networkmanager.patch
* fix_cron.patch
* fix_usermanage.patch
* fix_unprivuser.patch
* fix_rpm.patch
- Ensure that /usr/etc is labeled according to /etc rules
* Tue Feb 23 2021 Thorsten Kukuk - Update to version 20210223
- Change name of tar file to a more common schema to allow parallel installation of several source versions
- Adjust fix_init.patch
* Mon Jan 11 2021 Thorsten Kukuk - Update to version 20210111
- Drop fix_policykit.patch (integrated upstream)
- Adjust fix_iptables.patch
- update container policy
* Tue Nov 10 2020 Johannes Segitz - Updated fix_corecommand.patch to set correct types for the OBS build tools
* Thu Oct 29 2020 Thorsten Kukuk - wicked.fc: add libexec directories
- Update to version 20201029
- update container policy
* Fri Oct 16 2020 Thorsten Kukuk - Update to version 20201016
- Use python3 to build (fc_sort.c was replaced by fc_sort.py which uses python3)
- Drop SELINUX=disabled, the "selinux=0" kernel command line option has to be used instead. New default is "permissive" [bsc#1176923].
* Thu Sep 10 2020 Johannes Segitz - Update to version 20200910. Refreshed
* fix_authlogin.patch
* fix_nagios.patch
* fix_systemd.patch
* fix_usermanage.patch
- Delete suse_specific.patch, moved content into fix_selinuxutil.patch
- Cleanup of booleans-presets
* Enabled user_rw_noexattrfile unconfined_chrome_sandbox_transition unconfined_mozilla_plugin_transition for the minimal policy
* Disabled xserver_object_manager for the MLS policy
* Disabled openvpn_enable_homedirs privoxy_connect_any selinuxuser_direct_dri_enabled selinuxuser_ping (aka user_ping) squid_connect_any telepathy_tcp_connect_generic_network_ports for the targeted policy. Change your local config if you need them
- Build HTML version of manpages for the -devel package
* Thu Sep 03 2020 Johannes Segitz - Drop BuildRequires for python, python-xml. It's not needed anymore
* Tue Sep 01 2020 Johannes Segitz - Drop fix_dbus.patch_orig, was included by accident
- Drop segenxml_interpreter.patch, not used anymore
* Tue Aug 11 2020 Thorsten Kukuk - macros.selinux-policy: move rpm-state directory to /run and make sure it exists
* Wed Aug 05 2020 Thorsten Kukuk - Cleanup spec file and follow more closely Fedora
- Label /sys/kernel/uevent_helper with tmpfiles.d/selinux-policy.conf
- Move config to /etc/selinux/config and create during %post install to be compatible with upstream and documentation.
- Add RPM macros for SELinux (macros.selinux-policy)
- Install booleans.subs_dist
- Remove unused macros
- Sync make/install macros with Fedora spec file
- Introduce sandbox sub-package
* Wed Jul 29 2020 Thorsten Kukuk - Add policycoreutils-devel as BuildRequires
* Fri Jul 17 2020 Johannes Segitz - Update to version 20200717. Refreshed
* fix_fwupd.patch
* fix_hadoop.patch
* fix_init.patch
* fix_irqbalance.patch
* fix_logrotate.patch
* fix_nagios.patch
* fix_networkmanager.patch
* fix_postfix.patch
* fix_sysnetwork.patch
* fix_systemd.patch
* fix_thunderbird.patch
* fix_unconfined.patch
* fix_unprivuser.patch
* selinux-policy.spec
- Added update.sh to make updating easier
* Tue Jul 14 2020 Johannes Segitz - Updated fix_unconfineduser.patch to allow unconfined_dbusd_t access to accountsd dbus
- New patch:
* fix_nis.patch
- Updated patches:
* fix_postfix.patch: Transition is done in distribution specific script
* Tue Jun 02 2020 Johannes Segitz - Added module for wicked
- New patches:
* fix_authlogin.patch
* fix_screen.patch
* fix_unprivuser.patch
* fix_rpm.patch
* fix_apache.patch
* Thu Mar 26 2020 Johannes Segitz - Added module for rtorrent
- Enable snapper module in minimum policy to reduce issues on BTRFS
- Updated fix_snapper.patch to prevent relabeling of snapshot
* Mon Mar 09 2020 Johannes Segitz - New patches:
* fix_accountsd.patch
* fix_automount.patch
* fix_colord.patch
* fix_mcelog.patch
* fix_sslh.patch
* fix_nagios.patch
* fix_openvpn.patch
* fix_cron.patch
* fix_usermanage.patch
* fix_smartmon.patch
* fix_geoclue.patch
* suse_specific.patch
- Default systems should now work without selinuxuser_execmod
- Removed xdm_entrypoint_pam.patch, necessary change is in fix_unconfineduser.patch
- Enable SUSE specific settings again
* Wed Feb 19 2020 Johannes Segitz - Update to version 20200219
- Refreshed fix_hadoop.patch
- Updated
* fix_dbus.patch
* fix_hadoop.patch
* fix_nscd.patch
* fix_xserver.patch
- Renamed postfix_paths.patch to fix_postfix.patch
- Added
* fix_init.patch
* fix_locallogin.patch
* fix_policykit.patch
* fix_iptables.patch
* fix_irqbalance.patch
* fix_ntp.patch
* fix_fwupd.patch
* fix_firewalld.patch
* fix_logrotate.patch
* fix_selinuxutil.patch
* fix_corecommand.patch
* fix_snapper.patch
* fix_systemd.patch
* fix_unconfined.patch
* fix_unconfineduser.patch
* fix_chronyd.patch
* fix_networkmanager.patch
* xdm_entrypoint_pam.patch
- Removed modules minimum_temp_fixes and targeted_temp_fixes from the corresponding policies
- Reduced default module list of minimum policy by removing apache inetd nis postfix mta modules
- Adding/removing necessary pam config automatically
- Minimum and targeted policy: Enable domain_can_mmap_files by default
- Targeted policy: Disable selinuxuser_execmem, selinuxuser_execmod and selinuxuser_execstack to have safe defaults