Changelog for
selinux-policy-targeted-20230523+git25.ad22dd7f-1.1.noarch.rpm :
* Wed Sep 04 2024 cathy.huAATTsuse.com- Update to version 20230523+git25.ad22dd7f:
* Backport wtmpdb label change to have the same wtmpdb label as in SL Micro 6.1 (bsc#1229132)
* Add auth_rw_wtmpdb_login_records to domains using auth_manage_login_records
* Add auth_rw_wtmpdb_login_records to modules
* Allow xdm_t to read-write to wtmpdb (bsc#1225984)
* Introduce types for wtmpdb and rw interface
* Introduce wtmp_file_type attribute
* Revert "Add policy for wtmpdb (bsc#1210717)"
* Fri Aug 09 2024 cathy.huAATTsuse.com- Update to version 20230523+git18.f44daf8a:
* Provide type for sysstat lock files (bsc#1228247)
* Wed Jul 17 2024 cathy.huAATTsuse.com- Update to version 20230523+git16.0849f54c:
* allow firewalld access to /dev/random and write HW acceleration logs (bsc#1215405, bsc#1227930)
* Mon Mar 04 2024 cathy.huAATTsuse.com- Update to version 20230523+git14.ef49ab54:
* Allow ssh-keygen to use the libica crypto module (bsc#1220373)
* Wed Feb 28 2024 cathy.huAATTsuse.com- Extend module list for targeted policy
* timedatex
* rrdcached
* stratisd
* ica (bsc#1215405)
* fedoratp
* stalld
* rhcd
* wireguard
* keyutils
* Mon Feb 26 2024 cathy.huAATTsuse.com- Update to version 20230523+git12.05dc86ac:
* Add dontaudit rules for the checkpoint_restore capability used by getty and plymouth (bsc#1220361)
* Wed Feb 07 2024 cathy.huAATTsuse.com- Update to version 20230523+git10.e010174f:
* Remove the lockdown-class rules from the policy
* Wed Jan 31 2024 cathy.huAATTsuse.com- Update to version 20230523+git8.ab5aa47a:
* Allow kdump create and use its memfd: objects (bsc#1219207)
* Tue Nov 28 2023 cathy.huAATTsuse.com- Trigger rebuild of the policy when pcre2 gets updated to avoid regex version mismatch errors (bsc#1216747).
* Thu Oct 12 2023 cathy.huAATTsuse.com- Update to version 20230523+git6.b3649209:
* Allow keepalived to manage its tmp files (bsc#1216060)
* Tue Sep 12 2023 cathy.huAATTsuse.com- Update to version 20230523+git4.261ed027:
* Revert fix for bsc#1205770 since it causes a regression for bsc#1214887
* Allow kdump_t to manage symlinks under kdump_var_lib_t (bsc#1213721)
* Tue May 23 2023 cathy.huAATTsuse.com- Initial ALP release using git workflow: 20230523+git0.41d70255
* Tue Apr 25 2023 cathy.huAATTsuse.com- Update to version 20230425:
* Remove unneeded manage_dirs_pattern for lastlog_t (bsc#1210461)
* Add policy for wtmpdb (bsc#1210717)
* Tue Apr 25 2023 cathy.huAATTsuse.com- Update to version 20230425:
* Add support for lastlog2 (bsc#1210461)
* allow the chrony client to use unallocated ttys (bsc#1210672)
* Thu Apr 20 2023 jsegitzAATTsuse.com- Update to version 20230420:
* libzypp creates temporary files in /var/adm/mount. Label it with rpm_var_cache_t to prevent wrong labels in /var/cache/zypp
* only use rsync_exec_t for the rsync server, not for the client (bsc#1209890)
* properly label sshd-gen-keys-start to ensure ssh host keys have proper labels after creation
* Allow dovecot-deliver write to the main process runtime fifo files
* Allow dmidecode write to cloud-init tmp files
* Allow chronyd send a message to cloud-init over a datagram socket
* Allow cloud-init domain transition to insights-client domain
* Allow mongodb read filesystem sysctls
* Allow mongodb read network sysctls
* Allow accounts-daemon read generic systemd unit lnk files
* Allow blueman watch generic device dirs
* Allow nm-dispatcher tlp plugin create tlp dirs
* Allow systemd-coredump mounton /usr
* Allow rabbitmq to read network sysctls
* Allow certmonger dbus chat with the cron system domain
* Allow geoclue read network sysctls
* Allow geoclue watch the /etc directory
* Allow logwatch_mail_t read network sysctls
* allow systemd_resolved_t to bind to all nodes (bsc#1200182)
* Allow insights-client read all sysctls
* Allow passt manage qemu pid sock files
* Allow sssd read accountsd fifo files
* Add support for the passt_t domain
* Allow virtd_t and svirt_t work with passt
* Add new interfaces in the virt module
* Add passt interfaces defined conditionally
* Allow tshark the setsched capability
* Allow poweroff create connections to system dbus
* Allow wg load kernel modules, search debugfs dir
* Boolean: allow qemu-ga manage ssh home directory
* Label smtpd with sendmail_exec_t
* Label msmtp and msmtpd with sendmail_exec_t
* Allow dovecot to map files in /var/spool/dovecot
* Confine gnome-initial-setup
* Allow qemu-guest-agent create and use vsock socket
* Allow login_pgm setcap permission
* Allow chronyc read network sysctls
* Enhancement of the /usr/sbin/request-key helper policy
* Fix opencryptoki file names in /dev/shm
* Allow system_cronjob_t transition to rpm_script_t
* Revert "Allow system_cronjob_t domtrans to rpm_script_t"
* Add tunable to allow squid bind snmp port
* Allow staff_t getattr init pid chr & blk files and read krb5
* Allow firewalld to rw z90crypt device
* Allow httpd work with tokens in /dev/shm
* Allow svirt to map svirt_image_t char files
* Allow sysadm_t run initrc_t script and sysadm_r role access
* Allow insights-client manage fsadm pid files
* Allowing snapper to create snapshots of /home/ subvolume/partition
* Add boolean qemu-ga to run unconfined script
* Label systemd-journald feature LogNamespace
* Add none file context for polyinstantiated tmp dirs
* Allow certmonger read the contents of the sysfs filesystem
* Add journalctl the sys_resource capability
* Allow nm-dispatcher plugins read generic files in /proc
* Tue Mar 28 2023 cathy.huAATTsuse.com- Add debug-build.sh script to make debugging without committing easier
* Tue Mar 21 2023 jsegitzAATTsuse.com- Update to version 20230321:
* make kernel_t unconfined again
* Thu Mar 16 2023 jsegitzAATTsuse.com- Update to version 20230316:
* prevent labeling of overlayfs filesystems based on the /var/lib/overlay path
* allow kernel_t to relabel etc_t files
* allow kernel_t to relabel sysnet config files
* allow kernel_t to relabel systemd hwdb etc files
* add systemd_hwdb_relabel_etc_files to allow labeling of hwdb files
* change sysnet_relabelto_net_conf and sysnet_relabelfrom_net_conf to apply to files and lnk_files. lnk_files are commonly used in SUSE to allow easy management of config files
* add files_relabel_etc_files_basic and files_relabel_etc_lnk_files_basic interfaces to allow labeling on etc_t, not on the broader configfiles attribute
* Allow systemd-timesyncd to bind to generic UDP ports (bsc#1207962). The watch permissions reported are already fixed in a current policy.- Reinstate update.sh and remove container-selinux from the service. Having both repos in there causes issues and update.sh makes the update process easier in general. Updated README.Update
* Tue Mar 07 2023 jsegitzAATTsuse.com- Remove erroneous SUSE man page. Will not be created with the 3.5 toolchain
* Tue Feb 14 2023 cathy.huAATTsuse.com- Complete packaging rework: Move policy to git repository and only use tar_scm obs service to refresh from there: https://gitlab.suse.de/selinux/selinux-policy Please use `osc service manualrun` to update this OBS package to the newest git version.
* Added README.Update describing how to update this package
* Added _service file that pulls from selinux-policy and upstream container-selinux and tars them
* Adapted selinux-policy.spec to build selinux-policy with container-selinux
* Removed update.sh as no longer needed
* Removed suse specific modules as they are now covered by git commits
* packagekit.te packagekit.if packagekit.fc
* rebootmgr.te rebootmgr.if rebootmgr.fc
* rtorrent.te rtorrent.if rtorrent.fc
* wicked.te wicked.if wicked.fc
* Removed *.patch as they are now covered by git commits:
* distro_suse_to_distro_redhat.patch
* dontaudit_interface_kmod_tmpfs.patch
* fix_accountsd.patch
* fix_alsa.patch
* fix_apache.patch
* fix_auditd.patch
* fix_authlogin.patch
* fix_automount.patch
* fix_bitlbee.patch
* fix_chronyd.patch
* fix_cloudform.patch
* fix_colord.patch
* fix_corecommand.patch
* fix_cron.patch
* fix_dbus.patch
* fix_djbdns.patch
* fix_dnsmasq.patch
* fix_dovecot.patch
* fix_entropyd.patch
* fix_firewalld.patch
* fix_fwupd.patch
* fix_geoclue.patch
* fix_hypervkvp.patch
* fix_init.patch
* fix_ipsec.patch
* fix_iptables.patch
* fix_irqbalance.patch
* fix_java.patch
* fix_kernel.patch
* fix_kernel_sysctl.patch
* fix_libraries.patch
* fix_locallogin.patch
* fix_logging.patch
* fix_logrotate.patch
* fix_mcelog.patch
* fix_miscfiles.patch
* fix_nagios.patch
* fix_networkmanager.patch
* fix_nis.patch
* fix_nscd.patch
* fix_ntp.patch
* fix_openvpn.patch
* fix_postfix.patch
* fix_rpm.patch
* fix_rtkit.patch
* fix_screen.patch
* fix_selinuxutil.patch
* fix_sendmail.patch
* fix_smartmon.patch
* fix_snapper.patch
* fix_sslh.patch
* fix_sysnetwork.patch
* fix_systemd.patch
* fix_systemd_watch.patch
* fix_thunderbird.patch
* fix_unconfined.patch
* fix_unconfineduser.patch
* fix_unprivuser.patch
* fix_userdomain.patch
* fix_usermanage.patch
* fix_wine.patch
* fix_xserver.patch
* sedoctool.patch
* systemd_domain_dyntrans_type.patch
* Mon Feb 06 2023 jsegitzAATTsuse.com- Update to version 20230206. Refreshed:
* fix_entropyd.patch
* fix_networkmanager.patch
* fix_systemd_watch.patch
* fix_unconfineduser.patch- Updated fix_kernel.patch to allow kernel_t access to xdm state. This is necessary as plymouth doesn't run in its own domain in early boot
* Mon Jan 16 2023 jsegitzAATTsuse.com- Update to version 20230125. Refreshed:
* distro_suse_to_distro_redhat.patch
* fix_dnsmasq.patch
* fix_init.patch
* fix_ipsec.patch
* fix_kernel_sysctl.patch
* fix_logging.patch
* fix_rpm.patch
* fix_selinuxutil.patch
* fix_systemd_watch.patch
* fix_userdomain.patch- More flexible lib(exec) matching in fix_fwupd.patch- Removed sys_admin for systemd_gpt_generator_t in fix_systemd.patch- Dropped fix_container.patch, is now upstream- Added fix_entropyd.patch
* Added new interface entropyd_semaphore_filetrans to properly transfer semaphore created during early boot. That doesn't work yet, so work around with next item
* Allow reading tempfs files- Added fix_kernel.patch. Added modutils_execute_kmod_tmpfs_files interface to allow kmod_tmpfs_t files to be executed. Necessary for firewalld- Added fix_rtkit.patch to fix labeling of binary- Modified fix_ntp.patch:
* Proper labeling for start-ntpd
* Fixed label rules for chroot path
* Temporarily allow dac_override for ntpd_t (bsc#1207577)
* Add interface ntp_manage_pid_files to allow management of pid files- Updated fix_networkmanager.patch to allow managing ntp pid files
* Thu Jan 12 2023 jsegitzAATTsuse.com- Update fix_container.patch to allow privileged containers to use localectl (bsc#1207077)
* Wed Jan 11 2023 jsegitzAATTsuse.com- Add fix_container.patch to allow privileged containers to use timedatectl (bsc#1207054)
* Thu Dec 15 2022 cathy.huAATTsuse.com- Added fix_ipsec.patch: Allow AF_ALG socket creation for strongswan (bnc#1206445)
* Wed Dec 14 2022 cathy.huAATTsuse.com- Added policy for wicked scripts under /etc/sysconfig/network/scripts (bnc#1205770)
* Wed Dec 14 2022 jsegitzAATTsuse.com- Add fix_sendmail.patch
* fix context of custom sendmail startup helper
* fix context of /var/run/sendmail and add necessary rules to manage content in there
* Tue Dec 13 2022 jsegitzAATTsuse.com- Updated fix_networkmanager.patch to fix labeling of nm-dispatcher and nm-priv-helper until the packaging is adjusted (bsc#1206355)- Update fix_chronyd.patch to allow sendto towards NetworkManager_dispatcher_custom_t. Added new interface networkmanager_dispatcher_custom_dgram_send for this (bsc#1206357)- Update fix_dbus.patch to allow dbus to watch lib directories (bsc#1205895)
* Tue Dec 06 2022 jsegitzAATTsuse.com- Updated fix_networkmanager.patch to allow NetworkManager to watch net_conf_t (bsc#1206109)
* Wed Nov 30 2022 filippo.bonazziAATTsuse.com- Add fix_irqbalance.patch: support netlink socket operations (bsc#1205434)
* Wed Nov 30 2022 filippo.bonazziAATTsuse.com- Drop fix_irqbalance.patch: superseded by upstream
* Thu Nov 24 2022 cathy.huAATTsuse.com- fix_sysnetwork.patch: firewalld uses /etc/sysconfig/network/ for network interface definition instead of /etc/sysconfig/network-scripts/, modified sysnetwork.fc to reflect that (bsc#1205580).
* Wed Oct 19 2022 jsegitzAATTsuse.com- Update to version 20221019. Refreshed:
* distro_suse_to_distro_redhat.patch
* fix_apache.patch
* fix_chronyd.patch
* fix_cron.patch
* fix_init.patch
* fix_kernel_sysctl.patch
* fix_networkmanager.patch
* fix_rpm.patch
* fix_sysnetwork.patch
* fix_systemd.patch
* fix_systemd_watch.patch
* fix_unconfined.patch
* fix_unconfineduser.patch
* fix_unprivuser.patch
* fix_xserver.patch- Dropped fix_cockpit.patch as this is now packaged with cockpit itself- Remove the ipa module, freeip ships their own module- Added fix_alsa.patch to allow reading of config files in home directories- Extended fix_networkmanager.patch and fix_postfix.patch to account for SUSE systems- Added dontaudit_interface_kmod_tmpfs.patch to prevent AVCs when startproc queries the running processes- Updated fix_snapper.patch to allow snapper to talk to rpm via dbus
* Fri Sep 30 2022 jsegitzAATTsuse.com- Updated quilt couldn't unpack tarball. This will cause ongoing issues so drop the sed statement in the %prep section and add distro_suse_to_distro_redhat.patch to add the necessary changes via a patch
* Thu Sep 29 2022 jsegitzAATTsuse.com- Update fix_networkmanager.patch to ensure NetworkManager chrony dispatcher is properly labeled and update fix_chronyd.patch to ensure chrony helper script has proper label to be used by NetworkManager. Also allow NetworkManager_dispatcher_custom_t to query systemd status (bsc#1203824)
* Tue Sep 27 2022 filippo.bonazziAATTsuse.com- Update fix_xserver.patch to add greetd support (bsc#1198559)
* Mon Sep 12 2022 jsegitzAATTsuse.com- Revamped rtorrent module
* Fri Aug 26 2022 kukukAATTsuse.com- Move SUSE directory from manual page section to html docu
* Wed Jul 27 2022 cathy.huAATTsuse.com- fix_networkmanager.patch: Allow NetworkManager_dispatcher_tlp_t and NetworkManager_dispatcher_custom_t to access nscd socket (bsc#1201741)
* Tue Jul 26 2022 zkubalaAATTsuse.com- Add fix_cloudform.patch to fix cloud-init runcmd issue with snapper (bnc#1201015)
* Thu Jul 14 2022 jsegitzAATTsuse.com- Update to version 20220714. Refreshed:
* fix_init.patch
* fix_systemd_watch.patch
* Wed Jul 13 2022 jsegitzAATTsuse.com- Update fix_systemd.patch to add cap sys_admin and kernel_dgram_send for systemd_gpt_generator_t (bsc#1200911)
* Mon Jul 11 2022 jsegitzAATTsuse.com- postfix: Label PID files and some helpers correctly (bsc#1197242)
* Fri Jun 24 2022 jsegitzAATTsuse.com- Add fix_userdomain.patch to dontaudit UDP rpc ports (bsc#1193984)
* Fri Jun 24 2022 jsegitzAATTsuse.com- Update to version 20220624. Refreshed:
* fix_init.patch
* fix_kernel_sysctl.patch
* fix_logging.patch
* fix_networkmanager.patch
* fix_unprivuser.patch Dropped fix_hadoop.patch, not necessary anymore
* Updated fix_locallogin.patch to allow accesses for nss-systemd (bsc#1199630)
* Fri May 20 2022 jsegitzAATTsuse.com- Update to version 20220520 to pass stricter 3.4 toolchain checks
* Fri May 20 2022 jsegitzAATTsuse.com- Update to version 20220428. Refreshed:
* fix_apache.patch
* fix_hadoop.patch
* fix_init.patch
* fix_iptables.patch
* fix_kernel_sysctl.patch
* fix_networkmanager.patch
* fix_systemd.patch
* fix_systemd_watch.patch
* fix_unprivuser.patch
* fix_usermanage.patch
* fix_wine.patch
* Thu May 19 2022 jsegitzAATTsuse.com- Add fix_dnsmasq.patch to fix problems with virtualization on Microos (bsc#1199518)
* Tue May 03 2022 jsegitzAATTsuse.com- Modified fix_init.patch to allow init to setup constrained environment for accountsservice. This needs a better, more general solution (bsc#1197610)
* Mon May 02 2022 jsegitzAATTsuse.com- Add systemd_domain_dyntrans_type.patch to allow systemd to dyntransition. This happens in certain boot conditions (bsc#1182500)- Changed fix_unconfineduser.patch to not transition into ldconfig_t from unconfined_t (bsc#1197169)
* Thu Feb 17 2022 kkaempfAATTsuse.com- use %license tag for COPYING file
* Thu Feb 10 2022 jsegitzAATTsuse.com- Updated fix_cron.patch. Adjust labeling for at (bsc#1195683)
* Wed Feb 09 2022 filippo.bonazziAATTsuse.com- Fix bitlbee runtime directory (bsc#1193230)
* add fix_bitlbee.patch
* Mon Jan 24 2022 jsegitzAATTsuse.com- Update to version 20220124. Refreshed:
* fix_hadoop.patch
* fix_init.patch
* fix_kernel_sysctl.patch
* fix_systemd.patch
* fix_systemd_watch.patch- Added fix_hypervkvp.patch to fix issues with hyperv labeling (bsc#1193987)
* Fri Jan 14 2022 jsegitzAATTsuse.com- Allow colord to use systemd hardenings (bsc#1194631)
* Thu Nov 11 2021 jsegitzAATTsuse.com- Update to version 20211111. Refreshed:
* fix_dbus.patch
* fix_systemd.patch
* fix_authlogin.patch
* fix_auditd.patch
* fix_kernel_sysctl.patch
* fix_networkmanager.patch
* fix_chronyd.patch
* fix_unconfineduser.patch
* fix_unconfined.patch
* fix_firewalld.patch
* fix_init.patch
* fix_xserver.patch
* fix_logging.patch
* fix_hadoop.patch
* Mon Oct 25 2021 meissnerAATTsuse.com- fix_wine.patch: give Wine .dll same context as .so (bsc#1191976)
* Tue Sep 28 2021 ematsumiyaAATTsuse.com- Fix auditd service start with systemd hardening directives (boo#1190918)
* add fix_auditd.patch
* Thu Sep 02 2021 jsegitzAATTsuse.com- Modified fix_systemd.patch to allow systemd gpt generator access to udev files (bsc#1189280)
* Fri Aug 27 2021 ales.kedroutekAATTsuse.com- fix rebootmgr does not trigger the reboot properly (boo#1189878)
* fix managing /etc/rebootmgr.conf
* allow rebootmgr_t to cope with systemd and dbus messaging
* Thu Aug 26 2021 jsegitzAATTsuse.com- Properly label cockpit files- Allow wicked to communicate with network manager on DBUS (bsc#1188331)
* Mon Aug 23 2021 ales.kedroutekAATTsuse.com- Added policy module for rebootmgr (jsc#SMO-28)
* Tue Aug 17 2021 lnusselAATTsuse.de- Allow systemd-sysctl to read kernel specific sysctl.conf (fix_kernel_sysctl.patch, boo#1184804)
* Tue Aug 10 2021 lnusselAATTsuse.de- Fix quoting in postInstall macro
* Fri Jul 16 2021 jsegitzAATTsuse.com- Update to version 20210716- Remove interfaces for container module before building the package (bsc#1188184)- Updated
* fix_init.patch
* fix_systemd_watch.patch to adapt to upstream changes
* Thu Jul 15 2021 gmbr3AATTopensuse.org- Use tabrmd SELinux modules from tpm2.0-abrmd instead of storing here
* Tue Jul 06 2021 aplanasAATTsuse.com- Add tabrmd SELinux modules from upstream (bsc#1187925) https://github.com/tpm2-software/tpm2-abrmd/tree/master/selinux- Automatic spec-cleaner to fix ordering and misaligned spaces
* Mon Jun 28 2021 jsegitzAATTsuse.com- Update to version 20210419- Dropped fix_gift.patch, module was removed- Updated wicked.te to remove dropped interface- Refreshed:
* fix_cockpit.patch
* fix_hadoop.patch
* fix_init.patch
* fix_logging.patch
* fix_logrotate.patch
* fix_networkmanager.patch
* fix_nscd.patch
* fix_rpm.patch
* fix_selinuxutil.patch
* fix_systemd.patch
* fix_systemd_watch.patch
* fix_thunderbird.patch
* fix_unconfined.patch
* fix_unconfineduser.patch
* fix_unprivuser.patch
* fix_xserver.patch
* Tue May 18 2021 lnusselAATTsuse.de- allow systemd to watch /usr, /usr/lib, /etc, /etc/pki as we have path units that trigger on changes in those. Added fix_systemd_watch.patch- own /usr/share/selinux/packages/$SELINUXTYPE/ and /var/lib/selinux/$SELINUXTYPE/active/modules/* to allow packages to install files there
* Wed Apr 28 2021 lnusselAATTsuse.de- allow cockpit socket to bind nodes (fix_cockpit.patch)- use %autosetup to get rid of endless patch lines
* Tue Apr 27 2021 jsegitzAATTsuse.com- Updated fix_networkmanager.patch to allow NetworkManager to watch its configuration directories- Added fix_dovecot.patch to fix dovecot authentication (bsc#1182207)
* Mon Apr 26 2021 jsegitzAATTsuse.com- Added Recommends for selinux-autorelabel (bsc#1181837)- Prevent libreoffice fonts from changing types on every relabel (bsc#1185265). Added fix_libraries.patch
* Fri Apr 23 2021 jsegitzAATTsuse.com- Transition unconfined users to ldconfig type (bsc#1183121). Extended fix_unconfineduser.patch
* Mon Apr 19 2021 jsegitzAATTsuse.com- Update to version 20210419- Refreshed:
* fix_dbus.patch
* fix_hadoop.patch
* fix_init.patch
* fix_unprivuser.patch
* Fri Mar 12 2021 ales.kedroutekAATTsuse.com- Adjust fix_init.patch to allow systemd to do sd-listen on tcp socket [bsc#1183177]
* Tue Mar 09 2021 jsegitzAATTsuse.com- Update to version 20210309- Refreshed
* fix_systemd.patch
* fix_selinuxutil.patch
* fix_iptables.patch
* fix_init.patch
* fix_logging.patch
* fix_nscd.patch
* fix_hadoop.patch
* fix_unconfineduser.patch
* fix_chronyd.patch
* fix_networkmanager.patch
* fix_cron.patch
* fix_usermanage.patch
* fix_unprivuser.patch
* fix_rpm.patch- Ensure that /usr/etc is labeled according to /etc rules
* Tue Feb 23 2021 kukukAATTsuse.com- Update to version 20210223- Change name of tar file to a more common schema to allow parallel installation of several source versions- Adjust fix_init.patch
* Mon Jan 11 2021 kukukAATTsuse.com- Update to version 20210111 - Drop fix_policykit.patch (integrated upstream) - Adjust fix_iptables.patch - update container policy
* Tue Nov 10 2020 jsegitzAATTsuse.com- Updated fix_corecommand.patch to set correct types for the OBS build tools
* Thu Oct 29 2020 kukukAATTsuse.com- wicked.fc: add libexec directories- Update to version 20201029 - update container policy
* Fri Oct 16 2020 kukukAATTsuse.com- Update to version 20201016- Use python3 to build (fc_sort.c was replaced by fc_sort.py which uses python3)- Drop SELINUX=disabled, "selinux=0" kernel commandline option has to be used instead. New default is "permissive" [bsc#1176923].
* Thu Sep 10 2020 jsegitzAATTsuse.com- Update to version 20200910. Refreshed
* fix_authlogin.patch
* fix_nagios.patch
* fix_systemd.patch
* fix_usermanage.patch- Delete suse_specific.patch, moved content into fix_selinuxutil.patch- Cleanup of booleans-* presets
* Enabled user_rw_noexattrfile unconfined_chrome_sandbox_transition unconfined_mozilla_plugin_transition for the minimal policy
* Disabled xserver_object_manager for the MLS policy
* Disabled openvpn_enable_homedirs privoxy_connect_any selinuxuser_direct_dri_enabled selinuxuser_ping (aka user_ping) squid_connect_any telepathy_tcp_connect_generic_network_ports for the targeted policy Change your local config if you need them- Build HTML version of manpages for the -devel package
* Thu Sep 03 2020 jsegitzAATTsuse.com- Drop BuildRequires for python, python-xml. It's not needed anymore
* Tue Sep 01 2020 jsegitzAATTsuse.com- Drop fix_dbus.patch_orig, was included by accident- Drop segenxml_interpreter.patch, not used anymore
* Tue Aug 11 2020 kukukAATTsuse.com- macros.selinux-policy: move rpm-state directory to /run and make sure it exists
* Wed Aug 05 2020 kukukAATTsuse.com- Cleanup spec file and follow more closely Fedora- Label /sys/kernel/uevent_helper with tmpfiles.d/selinux-policy.conf- Move config to /etc/selinux/config and create during %post install to be compatible with upstream and documentation.- Add RPM macros for SELinux (macros.selinux-policy)- Install booleans.subs_dist- Remove unused macros- Sync make/install macros with Fedora spec file- Introduce sandbox sub-package
* Wed Jul 29 2020 kukukAATTsuse.com- Add policycoreutils-devel as BuildRequires
* Fri Jul 17 2020 jsegitzAATTsuse.com- Update to version 20200717. Refreshed
* fix_fwupd.patch
* fix_hadoop.patch
* fix_init.patch
* fix_irqbalance.patch
* fix_logrotate.patch
* fix_nagios.patch
* fix_networkmanager.patch
* fix_postfix.patch
* fix_sysnetwork.patch
* fix_systemd.patch
* fix_thunderbird.patch
* fix_unconfined.patch
* fix_unprivuser.patch
* selinux-policy.spec- Added update.sh to make updating easier
* Tue Jul 14 2020 jsegitzAATTsuse.com- Updated fix_unconfineduser.patch to allow unconfined_dbusd_t access to accountsd dbus- New patch:
* fix_nis.patch- Updated patches:
* fix_postfix.patch: Transition is done in distribution specific script
* Tue Jun 02 2020 jsegitzAATTsuse.de- Added module for wicked- New patches:
* fix_authlogin.patch
* fix_screen.patch
* fix_unprivuser.patch
* fix_rpm.patch
* fix_apache.patch
* Thu Mar 26 2020 jsegitzAATTsuse.de- Added module for rtorrent- Enable snapper module in minimum policy to reduce issues on BTRFS Updated fix_snapper.patch to prevent relabeling of snapshot
* Mon Mar 09 2020 jsegitzAATTsuse.de- New patches:
* fix_accountsd.patch
* fix_automount.patch
* fix_colord.patch
* fix_mcelog.patch
* fix_sslh.patch
* fix_nagios.patch
* fix_openvpn.patch
* fix_cron.patch
* fix_usermanage.patch
* fix_smartmon.patch
* fix_geoclue.patch
* suse_specific.patch Default systems should now work without selinuxuser_execmod- Removed xdm_entrypoint_pam.patch, necessary change is in fix_unconfineduser.patch- Enable SUSE specific settings again
* Wed Feb 19 2020 jsegitzAATTsuse.de- Update to version 20200219 Refreshed fix_hadoop.patch Updated
* fix_dbus.patch
* fix_hadoop.patch
* fix_nscd.patch
* fix_xserver.patch Renamed postfix_paths.patch to fix_postfix.patch Added
* fix_init.patch
* fix_locallogin.patch
* fix_policykit.patch
* fix_iptables.patch
* fix_irqbalance.patch
* fix_ntp.patch
* fix_fwupd.patch
* fix_firewalld.patch
* fix_logrotate.patch
* fix_selinuxutil.patch
* fix_corecommand.patch
* fix_snapper.patch
* fix_systemd.patch
* fix_unconfined.patch
* fix_unconfineduser.patch
* fix_chronyd.patch
* fix_networkmanager.patch
* xdm_entrypoint_pam.patch- Removed modules minimum_temp_fixes and targeted_temp_fixes from the corresponding policies- Reduced default module list of minimum policy by removing apache inetd nis postfix mta modules- Adding/removing necessary pam config automatically- Minimum and targeted policy: Enable domain_can_mmap_files by default- Targeted policy: Disable selinuxuser_execmem, selinuxuser_execmod and selinuxuser_execstack to have safe defaults
* Fri Aug 09 2019 jsegitzAATTsuse.de- Moved back to fedora policy (20190802)- Removed spec file conditionals for old SELinux userland- Removed config.tgz- Removed patches:
* label_sysconfig.selinux.patch
* label_var_run_rsyslog.patch
* suse_additions_obs.patch
* suse_additions_sslh.patch
* suse_modifications_apache.patch
* suse_modifications_cron.patch
* suse_modifications_getty.patch
* suse_modifications_logging.patch
* suse_modifications_ntp.patch
* suse_modifications_usermanage.patch
* suse_modifications_virt.patch
* suse_modifications_xserver.patch
* sysconfig_network_scripts.patch
* segenxml_interpreter.patch- Added patches:
* fix_djbdns.patch
* fix_dbus.patch
* fix_gift.patch
* fix_java.patch
* fix_hadoop.patch
* fix_thunderbird.patch
* postfix_paths.patch
* fix_nscd.patch
* fix_sysnetwork.patch
* fix_logging.patch
* fix_xserver.patch
* fix_miscfiles.patch to fix problems with the corresponding modules- Added sedoctool.patch to prevent build failures- This also adds three modules:
* packagekit.(te|if|fc) Basic (currently permissive) module for packagekit
* minimum_temp_fixes.(te|if|fc) and
* targeted_temp_fixes.(te|if|fc) both are currently necessary to get the systems to boot in enforcing mode. Most of them obviously stem from mislabeled files, so this needs to be worked through and then removed eventually Also selinuxuser_execstack, selinuxuser_execmod and domain_can_mmap_files need to be enabled. Especially the first two are bad and should be removed ASAP
* Thu Jul 11 2019 jsegitzAATTsuse.com- Update to refpolicy 20190609. New modules for stubby and several systemd updates, including initial support for systemd --user sessions. Refreshed
* label_var_run_rsyslog.patch
* suse_modifications_cron.patch
* suse_modifications_logging.patch
* suse_modifications_ntp.patch
* suse_modifications_usermanage.patch
* suse_modifications_xserver.patch
* sysconfig_network_scripts.patch
* Mon Feb 04 2019 jsegitzAATTsuse.com- Update to refpolicy 20190201. New modules for chromium, hostapd, and sigrok and minor fixes for existing modules. Refreshed suse_modifications_usermanage.patch
* Wed Nov 28 2018 jsegitzAATTsuse.com- Change default state to disabled and disable SELinux after uninstallation of policy to prevent unbootable system (bsc#1108949, bsc#1109590)
* Tue Nov 27 2018 jsegitzAATTsuse.com- Use refpolicy 20180701 as a base- Dropped patches
* allow-local_login_t-read-shadow.patch
* dont_use_xmllint_in_make_conf.patch
* label_sysconfig.selinux-policy.patch
* policy-rawhide-base.patch
* policy-rawhide-contrib.patch
* suse_modifications_authlogin.patch
* suse_modifications_dbus.patch
* suse_modifications_glusterfs.patch
* suse_modifications_ipsec.patch
* suse_modifications_passenger.patch
* suse_modifications_policykit.patch
* suse_modifications_postfix.patch
* suse_modifications_rtkit.patch
* suse_modifications_selinuxutil.patch
* suse_modifications_ssh.patch
* suse_modifications_staff.patch
* suse_modifications_stapserver.patch
* suse_modifications_systemd.patch
* suse_modifications_unconfined.patch
* suse_modifications_unconfineduser.patch
* suse_modifications_unprivuser.patch
* systemd-tmpfiles.patch
* type_transition_contrib.patch
* type_transition_file_class.patch
* useradd-netlink_selinux_socket.patch
* xconsole.patch Rebased the other patches to apply to refpolicy- Added segenxml_interpreter.patch to not use env in shebang- Added rpmlintrc to suppress duplicate file warnings
* Mon Mar 26 2018 rgoldwynAATTsuse.com- Add overlayfs as xattr capable (bsc#1073741)
* add-overlayfs-as-xattr-capable.patch
* Tue Dec 12 2017 jsegitzAATTsuse.com- Added
* suse_modifications_glusterfs.patch
* suse_modifications_passenger.patch
* suse_modifications_stapserver.patch to modify module name to make the current tools happy
* Wed Nov 29 2017 rbrownAATTsuse.com- Repair erroneous changes introduced with %_fillupdir macro
* Thu Nov 23 2017 rbrownAATTsuse.com- Replace references to /var/adm/fillup-templates with new %_fillupdir macro (boo#1069468)
* Wed Mar 15 2017 mwilckAATTsuse.com- POLCYVER depends both on the libsemanage/policycoreutils version and the kernel. The former is more important for us, kernel seems to have all necessary features in Leap 42.1 already.- Replaced = runtime dependencies on checkpolicy/policycoreutils with "=". 2.5 policy is not supposed to work with 2.3 tools, The runtime policy tools need to be same the policy was built with.
* Wed Mar 15 2017 mwilckAATTsuse.com- Changes required by policycoreutils update to 2.5
* lots of spec file content needs to be conditional on policycoreutils version.- Specific policycoreutils 2.5 related changes:
* modules moved from /etc/selinux to /var/lib/selinux (https://github.com/SELinuxProject/selinux/wiki/Policy-Store-Migration)
* module path now includes priority. Users override default policies by setting higher priority. Thus installed policy modules can be fully verified by RPM.
* Installed modules have a different format and path. Raw bzip2 doesn't suffice to create them any more, but we can process them all in a single semodule -i command.- Policy version depends on kernel / distro version
* do not touch policy.
, rather fail if it's not created- Enabled building mls policy for Leap (not for SLES)- Other
* Bug: "sandbox.disabled" should be "sandbox.pp.disabled" for old policycoreutils
* Bug: (minimum) additional modules that need to be activated: postfix (required by apache), plymouthd (required by getty)
* Cleanup: /etc -> %{sysconfdir} etc.
* Thu Aug 13 2015 jsegitzAATTnovell.com- fixed missing role assignment in cron_unconfined_role
* Tue Aug 11 2015 jsegitzAATTnovell.com- Updated suse_modifications_ipsec.patch, removed dontaudits for ipsec_mgmt_t and granted matching permissions
* Wed Aug 05 2015 jsegitzAATTnovell.com- Added suse_modifications_ipsec.patch to grant additional privileges to ipsec_mgmt_t
* Tue Jul 21 2015 jsegitzAATTnovell.com- Minor changes for CC evaluation. Allow reading of /dev/random and ipc_lock for dbus and dhcp
* Wed Jun 24 2015 jsegitzAATTnovell.com- Transition from unconfined user to cron admin type- Allow systemd_timedated_t to talk to unconfined dbus for minimal policy (bsc#932826)- Allow hostnamectl to set the hostname (bsc#933764)
* Wed May 20 2015 jsegitzAATTnovell.com- Removed ability of staff_t and user_t to use svirt. Will reenable this later on with a policy upgrade. Added suse_modifications_staff.patch
* Wed Feb 25 2015 jsegitzAATTnovell.com- Added dont_use_xmllint_in_make_conf.patch to remove xmllint usage in make conf. This currently breaks manual builds.- Added BuildRequires for libxml2-tools to enable xmllint checks once the issue mentioned above is solved
* Thu Jan 29 2015 jsegitzAATTnovell.com- adjusted suse_modifications_ntp to match SUSE chroot paths
* Wed Jan 28 2015 jsegitzAATTnovell.com- Added
* suse_additions_obs.patch to allow local builds by OBS
* suse_additions_sslh.patch to confine sslh- Added suse_modifications_cron.patch to adjust crontabs contexts- Modified suse_modifications_postfix.patch to match SUSE paths- Modified suse_modifications_ssh.patch to bring boolean sshd_forward_ports back- Modified
* suse_modifications_dbus.patch
* suse_modifications_unprivuser.patch
* suse_modifications_xserver.patch to allow users to be confined- Added
* suse_modifications_apache.patch
* suse_modifications_ntp.patch and modified
* suse_modifications_xserver.patch to fix labels on startup scripts used by systemd- Removed unused and incorrect interface dev_create_all_dev_nodes from systemd-tmpfiles.patch- Removed BuildRequire for selinux-policy-devel
* Fri Jan 23 2015 jsegitzAATTnovell.com- Major cleanup of the spec file
* Fri Jan 23 2015 jsegitzAATTnovell.com- removed suse_minimal_cc.patch and split it into
* suse_modifications_dbus.patch
* suse_modifications_policykit.patch
* suse_modifications_postfix.patch
* suse_modifications_rtkit.patch
* suse_modifications_unconfined.patch
* suse_modifications_systemd.patch
* suse_modifications_unconfineduser.patch
* suse_modifications_selinuxutil.patch
* suse_modifications_logging.patch
* suse_modifications_getty.patch
* suse_modifications_authlogin.patch
* suse_modifications_xserver.patch
* suse_modifications_ssh.patch
* suse_modifications_usermanage.patch- Added suse_modifications_virt.patch to enable svirt on s390x
* Sat Nov 08 2014 ledestAATTgmail.com- fix bashism in post script
* Thu Sep 18 2014 jsegitzAATTsuse.com- Redid changes done by vcizekAATTsuse.com in SLE12 package- disable build of MLS policy- removed outdated description files
* Alan_Rouse-openSUSE_with_SELinux.txt
* Alan_Rouse-Policy_Development_Process.txt
* Mon Sep 08 2014 jsegitzAATTsuse.com- removed remove_duplicate_filetrans_pattern_rules.patch
* Fri Sep 05 2014 jsegitzAATTsuse.com- Updated policy to include everything up until 20140730 (refpolicy and fedora rawhide improvements). Rebased all patches that are still necessary- Removed permissivedomains.pp. Doesn't work with the new policy- modified spec file so that all modifications for distro=redhat and distro=suse will be used.- added selinux-policy-rpmlintrc to suppress some warnings that aren't valid for this package- added suse_minimal_cc.patch to create a suse specific module to prevent errors while using the minimum policy. Will rework them in the proper places once the minimum policy is reworked to really only confine a minimal set of domains.
* Tue Sep 02 2014 vcizekAATTsuse.com- removed source files which were not used
* modules-minimum.conf, modules-mls.conf, modules-targeted.conf, permissivedomains.fc, permissivedomains.if, permissivedomains.te, seusers, seusers-mls, seusers-targeted, users_extra-mls, users_extra-targeted
* Mon Jun 02 2014 vcizekAATTsuse.com- remove duplicate filetrans_pattern rules
* fixes build with libsepol-2.3
* added remove_duplicate_filetrans_pattern_rules.patch
* Mon Dec 09 2013 vcizekAATTsuse.com- enable build of mls and targeted policies- fixes to the minimum policy:- label /var/run/rsyslog correctly
* label_var_run_rsyslog.patch- allow systemd-tmpfiles to create devices
* systemd-tmpfiles.patch- add rules for sysconfig
* correctly label /dev/.sysconfig/network
* added sysconfig_network_scripts.patch- run restorecon and fixfiles only if selinux is enabled- fix console login
* allow-local_login_t-read-shadow.patch- allow rsyslog to write to xconsole
* xconsole.patch- useradd needs to call selinux_check_access (via pam_rootok)
* useradd-netlink_selinux_socket.patch
* Mon Aug 12 2013 roAATTsuse.de- fix build on factory: newer rpm does not allow to mark non-directories as dir anymore (like symlinks in this case)
* Thu Jul 11 2013 cooloAATTsuse.com- install COPYING
* Fri Mar 22 2013 vcizekAATTsuse.com- switch to Fedora as upstream- added patches:
* policy-rawhide-base.patch
* policy-rawhide-contrib.patch
* type_transition_file_class.patch
* type_transition_contrib.patch
* label_sysconfig.selinux-policy.patch
* Tue Dec 11 2012 vcizekAATTsuse.com- bump up policy version to 27, due to recent libsepol update- dropped currently unused policy-rawhide.patch- fix installing of file_contexts (this enables restorecond to run properly)- Recommends: audit and setools
* Mon Dec 10 2012 meissnerAATTsuse.com- mark included files in source
* Mon Oct 22 2012 vcizekAATTsuse.com- update to 2.20120725- added selinux-policy-run_sepolgen_during_build.patch- renamed patch with SUSE-specific policy to selinux-policy-SUSE.patch- dropped policygentool and OLPC stuff
* Wed May 09 2012 cooloAATTsuse.com- patch license to be in spdx.org format
* Fri May 21 2010 prusnakAATTsuse.cz- use policy created by Alan Rouse
* Sun Apr 11 2010 justinmattockAATTgmail.com- Adjust selinux-policy.spec so that the policy source tree is put in /usr/share/doc/packages/selinux-* so users can build the policy [bnc#582404]
* Wed Apr 07 2010 thomasAATTnovell.com- fixed fileperms of /etc/selinux/config to be 644 to allow libselinux to read from it (bnc#582399) this is also the default file mode in fedora 12
* Fri Jun 26 2009 thomasAATTnovell.com- added config file for /etc/selinux/
* Wed Jan 14 2009 prusnakAATTsuse.cz- updated to version 2008.12.10
* Fix consistency of audioentropy and iscsi module naming.
* Debian file context fix for xen from Russell Coker.
* Xserver MLS fix from Eamon Walsh.
* Add omapi port for dhcpcd.
* Deprecate per-role templates and rolemap support.
* Implement user-based access control for use as role separations.
* Move shared library calls from individual modules to the domain module.
* Enable open permission checks policy capability.
* Remove hierarchy from portage module as it is not a good example of hierarchy.
* Remove enableaudit target from modular build as semodule -DB supplants it.
* Added modules: - milter (Paul Howarth)
* Thu Oct 16 2008 prusnakAATTsuse.cz- updated to version 2008.10.14
* Debian update for NetworkManager/wpa_supplicant from Martin Orr.
* Logrotate and Bind updates from Vaclav Ovsik.
* Init script file and domain support.
* Glibc 2.7 fix from Vaclav Ovsik.
* Samba/winbind update from Mike Edenfield.
* Policy size optimization with a non-security file attribute from James Carter.
* Database labeled networking update from KaiGai Kohei.
* Several misc changes from the Fedora policy, cherry picked by David Hardeman.
* Large whitespace fix from Dominick Grift.
* Pam_mount fix for local login from Stefan Schulze Frielinghaus.
* Issuing commands to upstart is over a datagram socket, not the initctl named pipe.
* Updated init_telinit() to match.
* Added modules: - cyphesis (Dan Walsh) - memcached (Dan Walsh) - oident (Dominick Grift) - w3c (Dan Walsh)
* Tue Jul 22 2008 prusnakAATTsuse.cz- initial version 2008.07.02 from tresys