SEARCH
NEW RPMS
DIRECTORIES
ABOUT
FAQ
VARIOUS
BLOG

 
 
Changelog for selinux-policy-targeted-20230428-1.315.noarch.rpm :

* Fri Apr 28 2023 jsegitzAATTsuse.com- Update to version 20230428:
* training modifications
* cron
* Revert \"Apply fix_nagios.patch\"
* Revert \"Apply fix_miscfiles.patch\"
* Revert \"Apply fix_rtkit.patch\"
* Revert \"Apply fix_bitlbee.patch\"
* make kernel_t unconfined again
* prevent labeling of overlayfs filesystems based on the /var/lib/overlay path
* allow kernel_t to relabel etc_t files
* allow kernel_t to relabel sysnet config files
* Thu Apr 20 2023 jsegitzAATTsuse.com- Update to version 20230420:
* libzypp creates temporary files in /var/adm/mount. Label it with rpm_var_cache_t to prevent wrong labels in /var/cache/zypp
* only use rsync_exec_t for the rsync server, not for the client (bsc#1209890)
* properly label sshd-gen-keys-start to ensure ssh host keys have proper labels after creation
* Allow dovecot-deliver write to the main process runtime fifo files
* Allow dmidecode write to cloud-init tmp files
* Allow chronyd send a message to cloud-init over a datagram socket
* Allow cloud-init domain transition to insights-client domain
* Allow mongodb read filesystem sysctls
* Allow mongodb read network sysctls
* Allow accounts-daemon read generic systemd unit lnk files
* Allow blueman watch generic device dirs
* Allow nm-dispatcher tlp plugin create tlp dirs
* Allow systemd-coredump mounton /usr
* Allow rabbitmq to read network sysctls
* Allow certmonger dbus chat with the cron system domain
* Allow geoclue read network sysctls
* Allow geoclue watch the /etc directory
* Allow logwatch_mail_t read network sysctls
* allow systemd_resolved_t to bind to all nodes (bsc#1200182)
* Allow insights-client read all sysctls
* Allow passt manage qemu pid sock files
* Allow sssd read accountsd fifo files
* Add support for the passt_t domain
* Allow virtd_t and svirt_t work with passt
* Add new interfaces in the virt module
* Add passt interfaces defined conditionally
* Allow tshark the setsched capability
* Allow poweroff create connections to system dbus
* Allow wg load kernel modules, search debugfs dir
* Boolean: allow qemu-ga manage ssh home directory
* Label smtpd with sendmail_exec_t
* Label msmtp and msmtpd with sendmail_exec_t
* Allow dovecot to map files in /var/spool/dovecot
* Confine gnome-initial-setup
* Allow qemu-guest-agent create and use vsock socket
* Allow login_pgm setcap permission
* Allow chronyc read network sysctls
* Enhancement of the /usr/sbin/request-key helper policy
* Fix opencryptoki file names in /dev/shm
* Allow system_cronjob_t transition to rpm_script_t
* Revert \"Allow system_cronjob_t domtrans to rpm_script_t\"
* Add tunable to allow squid bind snmp port
* Allow staff_t getattr init pid chr & blk files and read krb5
* Allow firewalld to rw z90crypt device
* Allow httpd work with tokens in /dev/shm
* Allow svirt to map svirt_image_t char files
* Allow sysadm_t run initrc_t script and sysadm_r role access
* Allow insights-client manage fsadm pid files
* Allowing snapper to create snapshots of /home/ subvolume/partition
* Add boolean qemu-ga to run unconfined script
* Label systemd-journald feature LogNamespace
* Add none file context for polyinstantiated tmp dirs
* Allow certmonger read the contents of the sysfs filesystem
* Add journalctl the sys_resource capability
* Allow nm-dispatcher plugins read generic files in /proc
* Tue Mar 28 2023 Hu - Add debug-build.sh script to make debugging without committing easier
* Tue Mar 21 2023 jsegitzAATTsuse.com- Update to version 20230321:
* make kernel_t unconfined again
* Thu Mar 16 2023 jsegitzAATTsuse.com- Update to version 20230316:
* prevent labeling of overlayfs filesystems based on the /var/lib/overlay path
* allow kernel_t to relabel etc_t files
* allow kernel_t to relabel sysnet config files
* allow kernel_t to relabel systemd hwdb etc files
* add systemd_hwdb_relabel_etc_files to allow labeling of hwdb files
* change sysnet_relabelto_net_conf and sysnet_relabelfrom_net_conf to apply to files and lnk_files. lnk_files are commonly used in SUSE to allow easy management of config files
* add files_relabel_etc_files_basic and files_relabel_etc_lnk_files_basic interfaces to allow labeling on etc_t, not on the broader configfiles attribute
* Allow systemd-timesyncd to bind to generic UDP ports (bsc#1207962). The watch permissions reported are already fixed in a current policy.- Reinstate update.sh and remove container-selinux from the service. Having both repos in there causes issues and update.sh makes the update process easier in general. Updated README.Update
* Tue Mar 07 2023 Johannes Segitz - Remove erroneous SUSE man page. Will not be created with the 3.5 toolchain
* Tue Feb 14 2023 Hu - Complete packaging rework: Move policy to git repository and only use tar_scm obs service to refresh from there: https://gitlab.suse.de/selinux/selinux-policy Please use `osc service manualrun` to update this OBS package to the newest git version.
* Added README.Update describing how to update this package
* Added _service file that pulls from selinux-policy and upstream container-selinux and tars them
* Adapted selinux-policy.spec to build selinux-policy with container-selinux
* Removed update.sh as no longer needed
* Removed suse specific modules as they are now covered by git commits
* packagekit.te packagekit.if packagekit.fc
* rebootmgr.te rebootmgr.if rebootmgr.fc
* rtorrent.te rtorrent.if rtorrent.fc
* wicked.te wicked.if wicked.fc
* Removed
*.patch as they are now covered by git commits:
* distro_suse_to_distro_redhat.patch
* dontaudit_interface_kmod_tmpfs.patch
* fix_accountsd.patch
* fix_alsa.patch
* fix_apache.patch
* fix_auditd.patch
* fix_authlogin.patch
* fix_automount.patch
* fix_bitlbee.patch
* fix_chronyd.patch
* fix_cloudform.patch
* fix_colord.patch
* fix_corecommand.patch
* fix_cron.patch
* fix_dbus.patch
* fix_djbdns.patch
* fix_dnsmasq.patch
* fix_dovecot.patch
* fix_entropyd.patch
* fix_firewalld.patch
* fix_fwupd.patch
* fix_geoclue.patch
* fix_hypervkvp.patch
* fix_init.patch
* fix_ipsec.patch
* fix_iptables.patch
* fix_irqbalance.patch
* fix_java.patch
* fix_kernel.patch
* fix_kernel_sysctl.patch
* fix_libraries.patch
* fix_locallogin.patch
* fix_logging.patch
* fix_logrotate.patch
* fix_mcelog.patch
* fix_miscfiles.patch
* fix_nagios.patch
* fix_networkmanager.patch
* fix_nis.patch
* fix_nscd.patch
* fix_ntp.patch
* fix_openvpn.patch
* fix_postfix.patch
* fix_rpm.patch
* fix_rtkit.patch
* fix_screen.patch
* fix_selinuxutil.patch
* fix_sendmail.patch
* fix_smartmon.patch
* fix_snapper.patch
* fix_sslh.patch
* fix_sysnetwork.patch
* fix_systemd.patch
* fix_systemd_watch.patch
* fix_thunderbird.patch
* fix_unconfined.patch
* fix_unconfineduser.patch
* fix_unprivuser.patch
* fix_userdomain.patch
* fix_usermanage.patch
* fix_wine.patch
* fix_xserver.patch
* sedoctool.patch
* systemd_domain_dyntrans_type.patch
* Mon Feb 06 2023 Johannes Segitz - Update to version 20230206. Refreshed:
* fix_entropyd.patch
* fix_networkmanager.patch
* fix_systemd_watch.patch
* fix_unconfineduser.patch- Updated fix_kernel.patch to allow kernel_t access to xdm state. This is necessary as plymouth doesn\'t run in it\'s own domain in early boot
* Mon Jan 16 2023 Johannes Segitz - Update to version 20230125. Refreshed:
* distro_suse_to_distro_redhat.patch
* fix_dnsmasq.patch
* fix_init.patch
* fix_ipsec.patch
* fix_kernel_sysctl.patch
* fix_logging.patch
* fix_rpm.patch
* fix_selinuxutil.patch
* fix_systemd_watch.patch
* fix_userdomain.patch- More flexible lib(exec) matching in fix_fwupd.patch- Removed sys_admin for systemd_gpt_generator_t in fix_systemd.patch- Dropped fix_container.patch, is now upstream- Added fix_entropyd.patch
* Added new interface entropyd_semaphore_filetrans to properly transfer semaphore created during early boot. That doesn\'t work yet, so work around with next item
* Allow reading tempfs files- Added fix_kernel.patch. Added modutils_execute_kmod_tmpfs_files interace to allow kmod_tmpfs_t files to be executed. Necessary for firewalld- Added fix_rtkit.patch to fix labeling of binary- Modified fix_ntp.patch:
* Proper labeling for start-ntpd
* Fixed label rules for chroot path
* Temporarily allow dac_override for ntpd_t (bsc#1207577)
* Add interface ntp_manage_pid_files to allow management of pid files- Updated fix_networkmanager.patch to allow managing ntp pid files
* Thu Jan 12 2023 Johannes Segitz - Update fix_container.patch to allow privileged containers to use localectl (bsc#1207077)
* Wed Jan 11 2023 Johannes Segitz - Add fix_container.patch to allow privileged containers to use timedatectl (bsc#1207054)
* Thu Dec 15 2022 Hu - Added fix_ipsec.patch: Allow AF_ALG socket creation for strongswan (bnc#1206445)
* Wed Dec 14 2022 Hu - Added policy for wicked scripts under /etc/sysconfig/network/scripts (bnc#1205770)
* Wed Dec 14 2022 Johannes Segitz - Add fix_sendmail.patch
* fix context of custom sendmail startup helper
* fix context of /var/run/sendmail and add necessary rules to manage content in there
* Tue Dec 13 2022 Johannes Segitz - Updated fix_networkmanager.patch to fixe labeling of nm-dispatcher and nm-priv-helper until the packaging is adjusted (bsc#1206355)- Update fix_chronyd.patch to allow sendto towards NetworkManager_dispatcher_custom_t. Added new interface networkmanager_dispatcher_custom_dgram_send for this (bsc#1206357)- Update fix_dbus.patch to allow dbus to watch lib directories (bsc#1205895)
* Tue Dec 06 2022 Johannes Segitz - Updated fix_networkmanager.patch to allow NetworkManager to watch net_conf_t (bsc#1206109)
* Wed Nov 30 2022 Filippo Bonazzi - Add fix_irqbalance.patch: support netlink socket operations (bsc#1205434)
* Wed Nov 30 2022 Filippo Bonazzi - Drop fix_irqbalance.patch: superseded by upstream
* Thu Nov 24 2022 Hu - fix_sysnetwork.patch: firewalld uses /etc/sysconfig/network/ for network interface definition instead of /etc/sysconfig/network-scripts/, modified sysnetwork.fc to reflect that (bsc#1205580).
* Wed Oct 19 2022 Johannes Segitz - Update to version 20221019. Refreshed:
* distro_suse_to_distro_redhat.patch
* fix_apache.patch
* fix_chronyd.patch
* fix_cron.patch
* fix_init.patch
* fix_kernel_sysctl.patch
* fix_networkmanager.patch
* fix_rpm.patch
* fix_sysnetwork.patch
* fix_systemd.patch
* fix_systemd_watch.patch
* fix_unconfined.patch
* fix_unconfineduser.patch
* fix_unprivuser.patch
* fix_xserver.patch- Dropped fix_cockpit.patch as this is now packaged with cockpit itself- Remove the ipa module, freeip ships their own module- Added fix_alsa.patch to allow reading of config files in home directories- Extended fix_networkmanager.patch and fix_postfix.patch to account for SUSE systems- Added dontaudit_interface_kmod_tmpfs.patch to prevent AVCs when startproc queries the running processes- Updated fix_snapper.patch to allow snapper to talk to rpm via dbus
* Fri Sep 30 2022 Johannes Segitz - Updated quilt couldn\'t unpack tarball. This will cause ongoing issues so drop the sed statement in the %prep section and add distro_suse_to_distro_redhat.patch to add the necessary changes via a patch
* Thu Sep 29 2022 Johannes Segitz - Update fix_networkmanager.patch to ensure NetworkManager chrony dispatcher is properly labled and update fix_chronyd.patch to ensure chrony helper script has proper label to be used by NetworkManager. Also allow NetworkManager_dispatcher_custom_t to query systemd status (bsc#1203824)
* Tue Sep 27 2022 Filippo Bonazzi - Update fix_xserver.patch to add greetd support (bsc#1198559)
* Mon Sep 12 2022 Johannes Segitz - Revamped rtorrent module
* Fri Aug 26 2022 Thorsten Kukuk - Move SUSE directory from manual page section to html docu
* Wed Jul 27 2022 Hu - fix_networkmanager.patch: Allow NetworkManager_dispatcher_tlp_t and NetworkManager_dispatcher_custom_t to access nscd socket (bsc#1201741)
* Tue Jul 26 2022 Zdenek Kubala - Add fix_cloudform.patch to fix cloud-init runcmd issue with snapper (bnc#1201015)
* Thu Jul 14 2022 Johannes Segitz - Update to version 20220714. Refreshed:
* fix_init.patch
* fix_systemd_watch.patch
* Wed Jul 13 2022 Johannes Segitz - Update fix_systemd.patch to add cap sys_admin and kernel_dgram_send for systemd_gpt_generator_t (bsc#1200911)
* Mon Jul 11 2022 Johannes Segitz - postfix: Label PID files and some helpers correctly (bsc#1197242)
* Fri Jun 24 2022 Johannes Segitz - Add fix_userdomain.patch to dontaudit UDP rpc ports (bsc#1193984)
* Fri Jun 24 2022 Johannes Segitz - Update to version 20220624. Refreshed:
* fix_init.patch
* fix_kernel_sysctl.patch
* fix_logging.patch
* fix_networkmanager.patch
* fix_unprivuser.patch Dropped fix_hadoop.patch, not necessary anymore
* Updated fix_locallogin.patch to allow accesses for nss-systemd (bsc#1199630)
* Fri May 20 2022 Johannes Segitz - Update to version 20220520 to pass stricter 3.4 toolchain checks
* Fri May 20 2022 Johannes Segitz - Update to version 20220428. Refreshed:
* fix_apache.patch
* fix_hadoop.patch
* fix_init.patch
* fix_iptables.patch
* fix_kernel_sysctl.patch
* fix_networkmanager.patch
* fix_systemd.patch
* fix_systemd_watch.patch
* fix_unprivuser.patch
* fix_usermanage.patch
* fix_wine.patch
* Thu May 19 2022 Johannes Segitz - Add fix_dnsmasq.patch to fix problems with virtualization on Microos (bsc#1199518)
* Tue May 03 2022 Johannes Segitz - Modified fix_init.patch to allow init to setup contrained environment for accountsservice. This needs a better, more general solution (bsc#1197610)
* Mon May 02 2022 Johannes Segitz - Add systemd_domain_dyntrans_type.patch to allow systemd to dyntransition. This happens in certain boot conditions (bsc#1182500)- Changed fix_unconfineduser.patch to not transition into ldconfig_t from unconfined_t (bsc#1197169)
* Thu Feb 17 2022 Klaus Kämpf - use %license tag for COPYING file
* Thu Feb 10 2022 Johannes Segitz - Updated fix_cron.patch. Adjust labeling for at (bsc#1195683)
* Wed Feb 09 2022 Filippo Bonazzi - Fix bitlbee runtime directory (bsc#1193230)
* add fix_bitlbee.patch
* Mon Jan 24 2022 Johannes Segitz - Update to version 20220124. Refreshed:
* fix_hadoop.patch
* fix_init.patch
* fix_kernel_sysctl.patch
* fix_systemd.patch
* fix_systemd_watch.patch- Added fix_hypervkvp.patch to fix issues with hyperv labeling (bsc#1193987)
* Fri Jan 14 2022 Johannes Segitz - Allow colord to use systemd hardenings (bsc#1194631)
* Thu Nov 11 2021 Johannes Segitz - Update to version 20211111. Refreshed:
* fix_dbus.patch
* fix_systemd.patch
* fix_authlogin.patch
* fix_auditd.patch
* fix_kernel_sysctl.patch
* fix_networkmanager.patch
* fix_chronyd.patch
* fix_unconfineduser.patch
* fix_unconfined.patch
* fix_firewalld.patch
* fix_init.patch
* fix_xserver.patch
* fix_logging.patch
* fix_hadoop.patch
* Mon Oct 25 2021 Marcus Meissner - fix_wine.patch: give Wine .dll same context as .so (bsc#1191976)
* Tue Sep 28 2021 Enzo Matsumiya - Fix auditd service start with systemd hardening directives (boo#1190918)
* add fix_auditd.patch
* Thu Sep 02 2021 Johannes Segitz - Modified fix_systemd.patch to allow systemd gpt generator access to udev files (bsc#1189280)
* Fri Aug 27 2021 Ales Kedroutek - fix rebootmgr does not trigger the reboot properly (boo#1189878)
* fix managing /etc/rebootmgr.conf
* allow rebootmgr_t to cope with systemd and dbus messaging
* Thu Aug 26 2021 Johannes Segitz - Properly label cockpit files- Allow wicked to communicate with network manager on DBUS (bsc#1188331)
* Mon Aug 23 2021 Ales Kedroutek - Added policy module for rebootmgr (jsc#SMO-28)
* Tue Aug 17 2021 Ludwig Nussel - Allow systemd-sysctl to read kernel specific sysctl.conf (fix_kernel_sysctl.patch, boo#1184804)
* Tue Aug 10 2021 Ludwig Nussel - Fix quoting in postInstall macro
* Fri Jul 16 2021 Johannes Segitz - Update to version 20210716- Remove interfaces for container module before building the package (bsc#1188184)- Updated
* fix_init.patch
* fix_systemd_watch.patch to adapt to upstream changes
* Thu Jul 15 2021 Callum Farmer - Use tabrmd SELinux modules from tpm2.0-abrmd instead of storing here
* Tue Jul 06 2021 Alberto Planas Dominguez - Add tabrmd SELinux modules from upstream (bsc#1187925) https://github.com/tpm2-software/tpm2-abrmd/tree/master/selinux- Automatic spec-cleaner to fix ordering and misaligned spaces
* Mon Jun 28 2021 Johannes Segitz - Update to version 20210419- Dropped fix_gift.patch, module was removed- Updated wicked.te to removed dropped interface- Refreshed:
* fix_cockpit.patch
* fix_hadoop.patch
* fix_init.patch
* fix_logging.patch
* fix_logrotate.patch
* fix_networkmanager.patch
* fix_nscd.patch
* fix_rpm.patch
* fix_selinuxutil.patch
* fix_systemd.patch
* fix_systemd_watch.patch
* fix_thunderbird.patch
* fix_unconfined.patch
* fix_unconfineduser.patch
* fix_unprivuser.patch
* fix_xserver.patch
* Tue May 18 2021 Ludwig Nussel - allow systemd to watch /usr, /usr/lib, /etc, /etc/pki as we have path units that trigger on changes in those. Added fix_systemd_watch.patch- own /usr/share/selinux/packages/$SELINUXTYPE/ and /var/lib/selinux/$SELINUXTYPE/active/modules/
* to allow packages to install files there
* Wed Apr 28 2021 Ludwig Nussel - allow cockpit socket to bind nodes (fix_cockpit.patch)- use %autosetup to get rid of endless patch lines
* Tue Apr 27 2021 Johannes Segitz - Updated fix_networkmanager.patch to allow NetworkManager to watch its configuration directories- Added fix_dovecot.patch to fix dovecot authentication (bsc#1182207)
* Mon Apr 26 2021 Johannes Segitz - Added Recommends for selinux-autorelabel (bsc#1181837)- Prevent libreoffice fonts from changing types on every relabel (bsc#1185265). Added fix_libraries.patch
* Fri Apr 23 2021 Johannes Segitz - Transition unconfined users to ldconfig type (bsc#1183121). Extended fix_unconfineduser.patch
* Mon Apr 19 2021 Johannes Segitz - Update to version 20210419- Refreshed:
* fix_dbus.patch
* fix_hadoop.patch
* fix_init.patch
* fix_unprivuser.patch
* Fri Mar 12 2021 Ales Kedroutek - Adjust fix_init.patch to allow systemd to do sd-listen on tcp socket [bsc#1183177]
* Tue Mar 09 2021 Johannes Segitz - Update to version 20210309- Refreshed
* fix_systemd.patch
* fix_selinuxutil.patch
* fix_iptables.patch
* fix_init.patch
* fix_logging.patch
* fix_nscd.patch
* fix_hadoop.patch
* fix_unconfineduser.patch
* fix_chronyd.patch
* fix_networkmanager.patch
* fix_cron.patch
* fix_usermanage.patch
* fix_unprivuser.patch
* fix_rpm.patch- Ensure that /usr/etc is labeled according to /etc rules
* Tue Feb 23 2021 Thorsten Kukuk - Update to version 20210223- Change name of tar file to a more common schema to allow parallel installation of several source versions- Adjust fix_init.patch
* Mon Jan 11 2021 Thorsten Kukuk - Update to version 20210111 - Drop fix_policykit.patch (integrated upstream) - Adjust fix_iptables.patch - update container policy
  
ICM