Changelog for selinux-policy-3.7.19-307.el6.noarch.rpm :
* Wed Dec 14 2016 Lukas Vrabec 3.7.19-307
- Allow glusterd_t send signals to userdomain. Label new glusterd binaries as glusterd_exec_t
Resolves: rhbz#1404152
- Label /usr/bin/puppet * binaries as puppet_exec_t
Resolves: rhbz#1386181

* Tue Dec 06 2016 Lukas Vrabec 3.7.19-306
- Allow hostname_t domain to manage cluster_tmp_t files
Resolves: rhbz#1400234
- Allow ipsec_mgmt_t domain use nsswitch
Resolves:rhbz#1401611
- Allow conman_t domain to list conman_uconfined_script_exec_t dirs.
Resolves:rhbz#1397117

* Thu Nov 24 2016 Lukas Vrabec 3.7.19-305
- Fix typo bug sepgsql_contexts file
Resolves: rhbz#1397703
- Allow sssd_t domain to manage samba files and dirs.
Resolves: rhbz#1395403
- Create conman_unconfined_script_t type for conman script stored in /use/share/conman/exec/
Resolves: rhbz#1397117
- Allow consolekit_t domain to manage consolekit_log_t dirs
Resolves: rhbz#1397802

* Mon Nov 14 2016 Lukas Vrabec 3.7.19-304
- Allow _java_t domain to read systemd state.
Resolves:rhbz#1393938
- Allow kdumpgui to read/write to nvme filesystem.
Resolves:rhbz#1323293

* Tue Nov 08 2016 Lukas Vrabec 3.7.19-303
- Dontaudit freeipmi_bmc_watchdog_t to write to /var/lock/kdump/
Resolves: rhbz#1288565
- Allow guest-set-user-passwd to set users password
Resolves: rhbz#1369699

* Tue Nov 08 2016 Lukas Vrabec 3.7.19-302
- Label /var/lock/kdump as kdump_lock_t.
- Dontaudit freeipmi_bmc_watchdog_t to write to /var/lock/kdump/
Resolves: rhbz#1288565

* Tue Nov 08 2016 Lukas Vrabec 3.7.19-301
- Allow hald_t to read nvme devices.
Resolves: rhbz#1389982
- Allow ftpdctl_t domain to manage own sockets
Resolves: rhbz#1392525

* Mon Nov 07 2016 Lukas Vrabec 3.7.19-300
- Allow sblim_reposd_t domain to read cert_f files
Resolves:rhbz#1392382
- Allow running php7 in fpm mode.
From selinux-policy side, we need to allow httpd to read/write hugetlbfs.
Resolves: rhbz#1392406

* Fri Nov 04 2016 Lukas Vrabec 3.7.19-299
- Support for InnoDB Tablespace Encryption.
Resolves: rhbz#1391525

* Fri Nov 04 2016 Lukas Vrabec 3.7.19-298
- Allow isnsd_t to accept tcp connections
Resolves:rhbz#1365501
- Add label for alsa_var_lib_t dirs and files.
Resolves: rhbz#1340150

* Wed Nov 02 2016 Lukas Vrabec 3.7.19-297
- Remove setgid and setuid capabilities from userdom_login_user_template
Resolves: rhbz#1378463
- Allow logrotate to read chronyd keys
Resolves: rhbz#1390657
- Allow fail2ban to domtrans to shorewall.
Resolves: rhbz#1390810

* Tue Nov 01 2016 Lukas Vrabec 3.7.19-296
- Allow hypervvssd_t to read all dirs.
Resolves: rhbz#1335733
- Dontaudit abrt_t writing to cert_t files.
Resolves: rhbz#1334606
- Allow isns_t domain to connect on port 51954 labeled as isns_port_t.
Resolves: rhbz#1365501
- Fixed vsftpd can access nfs even if allow_ftpd_use_nfs is off under specific conditions
Resolves: rhbz#1310077
- Allow asterisk domain to connect on port 5222 labeled as jabber_client_port_t
Resolves:rhbz#1334756
- Label /etc/puppetlabs as puppet_etc_t.
Resolves:rhbz#1386181
- Allow mount to read nvme devices
Resolves: rhbz#1389982
- Allow roundup to use nsswitch.
Resolves: rhbz#1286994
- Backport domain transition from pegasus_t to rpm_t
- Allow pegasus to read all sysctls
- Allow pegasus to read raw memory.
Resolves:rhbz#980439

* Wed Oct 26 2016 Lukas Vrabec 3.7.19-295
- Allow ipc_lock capability for glusterd.
Resolves: #1384487

* Fri Oct 07 2016 Lukas Vrabec 3.7.19-294
- Added boolean: authlogin_yubikey
Resolves:rhbz#1362033
- Add new type: alsa_lock_t, Allow alsa_t domain creating files in /var/lock labeled as alsa_lock_t.
Resolves:rhbz#1340150
- Allow bacula send signull itself.
Resolves: rhbz#1313382
- label /var/lib/pcsd/ as cluster_var_lib_t.
Resolves:rhbz#1326718
- Allow httpd also write to anon_inodefs files
Resolves: rhbz#1377644
- Allow lsmd to read localization.
Allow lsmd plugins to exec ldconfig
Resolves: rhbz#1336590
- Allow auditctl_t domain read localization.
Resolves:rhbz#1316444
- Allow cobblerd_t to delete dirs labeled as tftpdir_rw_t.
Resolves: rhbz#1318166
- Allow httpd_t domain to list inotify filesystem
Resolves:rhbz#1299552
- Allow dovecot_t send signull to dovecot_deliver_t
Resolves:rhbz#1320037
- Fix couple AVC to start roundup properly
Resolves: rhbz#1286994
- Allow netlabel_peer_t type to flow over netif_t and node_t, and only be hindered by MLS, need back port to RHEL6
Resolves:rhbz#1299306
- Add sys_ptrace capability to pegasus domain
Resolves:rhbz#980439
- Allow sshd to set mcs process categories.
Resolves: rhbz#1322409
- Add setgid capability to winbind domain. Allow getcap for winbind domain.
Resolves: rhbz#1336394
- Allow rebuild mdadm array with SELinux enabled in enforcing mode.
Resolves: rhbz#1343754
- Allow kpropd_t domain to use nsswitch.
Resolves: rhbz#1337895

* Mon Sep 26 2016 Lukas Vrabec 3.7.19-293
- Add setgid capability to winbind domain.
- Allow getcap for winbind domain.
Resolves: rhbz#1336394
- Allow rebuild mdadm array with SELinux enabled in enforcing mode.
Resolves: rhbz#1343754
- Allow kpropd_t domain to use nsswitch.
Resolves: rhbz#1337895
- Allow glusterd to manage socket files labeled as glusterd_brick_t.
Resolves: rhbz#1331585

* Wed Apr 13 2016 Lukas Vrabec 3.7.19-292
- Allow smbcontrol to create a socket in /var/samba which uses for a communication with smbd, nmbd and winbind.
Related: #1326621

* Mon Apr 11 2016 Lukas Vrabec 3.7.19-291
- Allow ssh daemon to get attributes about all filesystems on the system
Resolves: rhbz#1320775

* Wed Mar 30 2016 Miroslav Grepl 3.7.19-290
- Label /dev/prandom as random_device_t.
Resolves:#1320856

* Mon Feb 22 2016 Miroslav Grepl 3.7.19-289
- Allow adcli running as sssd_t to write krb5.keytab file.
Resolves:#1308911

* Fri Feb 12 2016 Miroslav Grepl 3.7.19-288
- Allow netutils_t domain to chown capability.
Resolves:#1298514
- Allow all jabber domain to access SSL
certs.
Resolves:#1261145
- Allow shorewall request kernel load module
Resolves:#1290705
- Allow passwd to create temporary files to support ssh logins if gnome-keyring-daemon is called by passwd and runs in passwd_t.
Resolves:#1131531
- Allow stunnel to write log outputs on users pty.
Resolves:#1296238
- Allow polkit-1/actions to get attributes for all filesystems.
Resolves:#1301561
- Allow p11-child to connect to apache ports. Allow p11-child to manage authentication cache.

* Mon Jan 11 2016 Miroslav Grepl 3.7.19-287
- Allow sssd-ifp to dbus chat with all users.
Resolves:#1296693
- Allow keepalived to connect to 3306/tcp port - mysqld_port_t.
Resolves:#1296854
- Add support for stunnel custom log files, allow transition and label /log/stunnel * log files.
Resolves:#1296238
- Provide conman_unconfined_script_exec_t/conman_unconfined_script_t SELinux types used for conman scripts.
- Resolves:#1290565
- Allow ctdbd transition to smbcontrol_t when "ctdb disablescript 50.samba" is executed.
- Resolves:#1293787
- Label ctdbd event scripts as ctdbd_exec_t instead of bin_t.
Resolves:#1293787
- Allow watchdog to read localization files. It wants to access localtime.
Resolves:#1267974
- Backport rules allowing sssd_t to be able to request the kernel to load a module.
Resolves:#1246634

* Mon Dec 21 2015 Miroslav Grepl 3.7.19-286
- arping running as netutils_t sys_module capability for removing tap devices. Dontaudit this access.
- Allow hv_vss_daemon to write access on all mount point directories to make VSS live backup if working if there is home partition.
- Add support for squid to be able to create temporary files.
Resolves:#1291164
- Allow usbhid-ups to access /proc/bus/usb to have it working on ppc64 machines.
Resolves:#1290693
- Add support for /var/run/chronyd.sock.
Resolves:#1290310
- Update apache_content_template() interface to allow "shutdown" permissions for apache scripts on unix_stream_socket.
Resolves:#1286052
- Fix label for /var/lib/graphite-web
Resolves:#1221934
- Dontaudit rpm write access for prelink_mask_t
Resolves:#1216907
- Allow apcupsd_t to communicate with sssd Add default label for /var/lock/subsys/apcupsd and /var/lock/LCK.
Resolves:#1286030
- Allow shorewall_t to create netlink_socket
Resolves:#1290705

* Tue Dec 08 2015 Miroslav Grepl 3.7.19-285
- Allow munin apache scripts to manage munin logs and talk with httpd over unix stream socket.
Resolves:#1286052
- Allow httpd to send generic signal to httpd suexec if htpasswd is invoked.
Resolves:#1286007
- Dontaudit httpd running as piranha_web_t accesses to snmp mib indexes.
Resolves:#1285674
- Allow ipsec running as ipsec_t to create pluto.log with correct labeling.
Resolves:#1267212
- Allow whack executed by sysadm SELinux user to access /var/run/pluto/pluto.ctl. It fixes "ipsec auto --status" executed by sysadm_t.
Resolves:#1257591
- Dontaudit attempts to write generic tmp_t dirs if gnome-keyring-daemon runs under passwd_t domain.
Resolves:#1131531

* Fri Dec 04 2015 Miroslav Grepl 3.7.19-284
- Allow ipsec_mgmt_t to access netlink route socket and set attributes for /var/run/pluto directories.
Resolves:#1287182

* Fri Nov 13 2015 Miroslav Grepl 3.7.19-283
- Remove duplicate file context definition in virt.fc

* Fri Nov 13 2015 Miroslav Grepl 3.7.19-282
- Add missing fs_setattr_nfs_dirs() and samba_setattr_samba_share_dirs() interfaces.
- Allow g-k-daemon running as passwd_t to manage Gnome config files to allow a user change his/her password via SSH connections.
Resolves:#1131531
- Allow chronyd to set attributes on chronyd keys.
- Add default labeling for /etc/Pegasus/cimserver_current.conf. It is a correct patch instead of the current /etc/Pegasus/pegasus_current.conf.
Resolves:#1278771
- Add default labeling for /var/run/qemu-ga.pid and /var/run/qga.state.
- Dontaudit sys_module capability for asterisk. Backported from RHEL7.
Resolves:#1277199
- Allow nfsd to execute mount in nfsd_t domain.
It wants also manage mount PID files.
Resolves:#1275221
- Add tmpreaper_use_nfs and tmpreaper_use_samba booleans.
Resolves:#1271996
- Add labeling for /usr/libexec/mock/mock as we have it for /usr/sbin/mock.
Resolves:#1271211
- Allow jabberd to read /etc/pki/tls/cert.pem.
Resolves:#1261145
- Turn the nagios_run_sudo boolean on by default. Previously a part of these rules was turn on by default and with this boolean we turned them off.
Resolves:#1240793
- In RHEL-6, we have a transition from unconfined_t to xauth_t. It causes xauth commands wants to read/write inherited stream.
Resolves:#988117
- Add unconfined_rw_stream() interface.
- Add support for /dev/mptctl device used to check RAID status.
- Update qpidd policy to set kerberos authentication.
Resolves:#1224666
- Allow logwatch to read bacula store log files.
- Add cobler_var_lib_t labeling for /var/lib/tftpboot/boot/grub. It allows cobblerd to manage it by default.
Resolves:#1213539
- Allow cobbler to execute reposync in the cobberld_t domain. It wants to manage rpm cache files. And add dontaudit rules for rpm db files.
Resolves:#1207260
- Allow dnssec_t mounton access
Resolves:#1246460
- Allow fenced node dbus msg when using foghorn with configured foghorn, snmpd, and snmptrapd.
Resolves:#1242082
- Allow all MTA user agent (postfix_postdrop_t for this fix) to read/write inherited fail2ban temporary files.
Resolves:#1241968

* Fri Oct 16 2015 Miroslav Grepl 3.7.19-281
- Backport ipsec-mgmt fixes to have libreswan working correctly on RHEL-6.8.
Resolves:#1260471

* Wed Aug 26 2015 Miroslav Grepl 3.7.19-280
- Allow Chromium to use setcap inside its SUID sandbox.
- Allow qpidd to be working with MRG.
It requires to manage symlinks in /var/lib/qpidd.
Resolves:#1251584

* Thu Jul 23 2015 Miroslav Grepl 3.7.19-279
- Backport gluster fixes from RHEL7
    - execute showmount in own domain
    - execute nsfd in own domain
    - allow gluster to connect to all ports
- Add support for /usr/sbin/ctdbd_wrapper.
- nrpe needs kill capability to make gluster monitored nodes working.
Resolves:#1235405

* Tue Jun 23 2015 Miroslav Grepl 3.7.19-278
- Allow logrotate get attributes of all unallocated tty device nodes.
- Add logging_syslogd_run_nagios_plugins boolean for rsyslog to allow transition to nagios unconfined plugins.
- Allow glusterd to connect to init.
Resolves:#1230371
- Allow gluster do dbus chat with domain running as initrc_t.

* Wed Jun 17 2015 Miroslav Grepl 3.7.19-277
- Allow glusterd to interact with gluster tools running in a user domain
Resolves:#1229605

* Wed Jun 17 2015 Miroslav Grepl 3.7.19-276
- Allow gluster to manage own log files.
- S30samba-start gluster hooks wants to search audit logs. Dontaudit it.
- Label gluster python hooks also as bin_t.
- Allow samba_t net_admin capability to make CIFS mount working.
Resolves:#1229605
- Allow ssh_keygen_t to manage keys located in /var/lib/gluster.

* Fri Jun 12 2015 Miroslav Grepl 3.7.19-275
- Allow glusterd to have transition to insmod.
- Allow glusterd to use geo-replication gluster tool.
- Remove gluster from permissive domains.
Resolves:#1229605

* Mon Jun 08 2015 Miroslav Grepl 3.7.19-275
- Allow glusterd to have mknod capability. It creates a special file using mknod in a brick.
- Update rules related to glusterd_brick_t.
- Allow glusterd to execute lvm tools in the lvm_t target domain.
- Allow glusterd to execute xfs_growfs in the target domain.
- Add support for /usr/sbin/xfs_growfs.
- Allow glusterd to create samba config files if it is started by service script and running with unconfined_u.
Resolves:#1228109
- Fix description for ftpd_use_passive_mode boolean.

* Sat Jun 06 2015 Miroslav Grepl 3.7.19-274
- Don't ship pam_selinux to avoid a conflict with pam package
Resolves:#1220691

* Thu Jun 04 2015 Miroslav Grepl 3.7.19-273
- Fix redis_stream_connect interface.
Resolves:#1220691
- Allow kadmind to bind to kprop port.
- Add new man pages for bacula

* Wed Jun 03 2015 Miroslav Grepl 3.7.19-272
- Allow hypervkvp to read default SELinux contexts.
- Allow hypervkvp to write to /etc directories.
- Update all man pages for RHEL6.7 SELinux domains/roles using the latest sepolicy-manpage from RHEL7.
- Fix labeling for /var/lib/graphite-web
- Allow kpropd to connect to tcp/754 port.
Resolves:#1220691
- Allow php-fpm write access to /var/run/redis/redis.sock
- Update fs_rw_inherited_nfs_files() to allow search auto mountpoints.
- Dontaudit rpm leaks for prelink_mask_t.
- Allow sysctl to have running under hypervkvp_t domain.

* Wed May 27 2015 Miroslav Grepl 3.7.19-271
- Remove ctdbd_manage_var_files() interface which is not used and is declared for the wrong type.
Resolves:#1221929

* Tue May 26 2015 Miroslav Grepl 3.7.19-270
- Update policy rules for afs_fserver_t to allow connectto on unix_stream_socket instead of afs_t.
- Allow smbd to access /var/lib/ctdb/persistent/secrets.tdb.0.
- Allow glusterd to execute consoletype.
- Glusterd wants to manage samba config files if they are setup together.
Resolves:#1221929

* Mon May 25 2015 Miroslav Grepl 3.7.19-269
- Fix labeling for /var/tmp/kiprop_0 to kadmind_tmp_t.
- Allow postdrop running as postfix_postdrop_t to access /var/spool/postfix/public/pickup socket.
- Allow gluster hooks scripts to transition to ctdbd_t.
- Update policy rules for afs_fserver_t to allow connectto on unix_stream_socket.
- Allow gluster transition to smbd_t also using samba init script.
Resolves:#1221929

* Wed May 20 2015 Miroslav Grepl 3.7.19-268
- Add labeling for /var/run/ctdb and allow samba domains to connect to ctdbd.
Resolves:#1221929
- Allow glusterd to read/write samba config files.
- Update mysqld rules related to mysqld log
files.
- Add fixes for hypervkvp related to ifdown/ifup scripts.
- Update netlink_route_socket for ptp4l.
- Allow sosreport to dbus chat with NM.
- Allow glusterd to connect to /var/run/dbus/system_bus_socket.
- Allow glusterd to have sys_ptrace capability. Needed by gluster+samba configuration.
- Add new boolean samba_load_libgfapi to allow smbd load libgfapi from gluster. Allow smbd to read gluster config files by default.
- Allow gluster to transition to smbd. It is needed for smbd+gluster configuration.
- Allow glusterd to read /dev/random.
- Label all gluster hooks in /var/lib/gluster as bin_t. They are not created on the fly.
- Update nagios_run_sudo boolean to allow run chkpwd.
- Add labeling for /usr/sbin/kpropd.
- Add nagios_run_sudo boolean
- Allow ctdb to create rawip socket.

* Wed May 13 2015 Miroslav Grepl 3.7.19-267
- Allow ctdb to create rawip socket.
- Allow nmbd_t to create nmbd_var_run_t dir under smbd_var_run_t.
- Make ctdbd as userdom_home_reader.
- Allow ctdbd to bind smbd port.
Resolves:#1219317

* Tue May 12 2015 Miroslav Grepl 3.7.19-266
- Add audit_access permissions
- Allow cupsd_t access to files in /etc dir
- Allow hplip to dbus chat with all users.
- Allow sblim-gathered sys_ptrace capability.
- Allow sys_admin capability for gfs_controld
- Add more cobbler labels to /var/lib/tftpboot/
- Add new smbd_tmpfs_t type.
- Add more fixes related to timemaster+ntp+ptp4l.
- Fix cgdcbxd_admin() interface.
- Add labeling for /var/tmp/kadmin_0 and /var/tmp/kiprop_0.
- Dontaudit read access on admin_home_t for load_policy.

* Tue Apr 14 2015 Miroslav Grepl 3.7.19-265
- Allow redis to create /var/run/redis/redis.sock
- Allow fence_mpathpersist to run mpathpersist which requires sys_admin capability.
Resolves:#1206244
- Allow rhn_check running as rpm to domtrans to shutdown domain
- openshift_cache_t does exist

* Fri Apr 10 2015 Miroslav Grepl 3.7.19-264
- Allow qpidd to read own init script file.
- Allow passenger to accept connection
- Back port hypervkvp fixes from RHEL7
- Allow load_policy to list inotifyfs filesystem
- Allow cluster domain to execute ldconfig and update lvm_read_config() interface
- Allow sssd_t to connect to samba TCP port
- Allow NetworkManager to run arping
Resolves:#1209854
- Backport RHEL7 redis policy
- Add apache log and lib labels for roundcubemail

* Fri Apr 03 2015 Miroslav Grepl 3.7.19-263
- Allow userdomain to manage pcscd pid fifo files.
- Allow prelink domain access to /dev/console
Resolves:#1145662
- Allow httpd search access on tomcat6 directory
- Allow apcupsd to get attributes of filesystems with xattrs
- Allow qemu-ga getattr access of all filesystems
- Allow abrt to read network state information
- Make collectd_t as unconfined domain.
- Make rpcbind as nsswitch domain.
- Back port labeling for /etc/my.cnf.d dir.
- Allow dhcpd kill capability.
- Allow cachefilesd to create cachefilesd_var_t
- cvs_home backport from RHEL7.
- Add support for new fence agent fence_mpath which is executed by fence_node
- Allow lsmd plugin to run with configured SSSD.
- Allow bacula access to tape devices
- Allow sblim-sfcb setuid.
- Allow sblim domain to read sysctls.
- Allow ntp to read localtime and allow timemaster send a signal to ntpd.
- Add cobblerd_t fixes
- Allow mysqld_t to use pam
- Dontaudit xguest_t communication with avahi_t via dbus
- Allow cobblerd_t to communicate with sssd
- Allow pmwebd to send and receive messages from avahi over dbus
- Allow conman_t to communicate with sssd
- Allow mysqld_t to send audit messages
- Allow load_policy rw access to inherited sssd pipes
- Update label for
/etc/mcelog/. * files
- Allow bacula_t to connect to psql via tcp/unix socket
- Remove type to only match directories on /boot
- Add more labels for ownCloud
- Dontaudit net_admin capability for munin

* Wed Mar 04 2015 Miroslav Grepl 3.7.19-262
- Allow lsmd_t getattr all exec.
Resolves:#1141719
- Update afs policy
Resolves:#1136396
- Add support for /usr/sbin/named-sdb.
- Add support for mongos service.
- Allow cyrus to use tcp/2005 port.
- More service wants to auth_use_nsswitch.
- Allow apps that need to read sysctl_vm_overcommit_t be able to read it.
- Update passenger rules from RHEL7.
- Allow smartd to manage generic devices if they are created with wrong label.
- Allow sblim-sfcb to execute itself.

* Tue Mar 03 2015 Miroslav Grepl 3.7.19-261
- Allow sys_ptrace and dac_override caps for collectd.
- Add labeling for /etc/rc\.d/init\.d/htcacheclean.
- Allow /usr/sbin/sfcbd to send audit msgs.
- Allow postdrop to connect to master process over unix stream socket.
- Allow ssh_t to connect to all unreserved ports.
- Allow setfiles domain to access files with admin_home_t. semanage -i /root/testfile.
- Don't relabel files under /dev/shm/
- Allow munin_disk_plugin_t getattr access on blk_file
- Allow xauth_t and sshd_t to search automount_tmp_t if use_nfs_home_dirs boolean.
- Add support for keepalived unconfined scripts and allow keepalived to read all domain state and kill capability.
- Allow antivirus domains to read all dirs/files regardless of their MCS category set.
- Add labeling for mariadb log/pid files/dirs.
- Allow rsyslogd to read /proc/sys/vm/overcommit_memory file.
- Allow slapd to read /usr/share/cracklib/pw_dict.hwm.
- Remove ftpd_use_passive_mode boolean.
It does not make sense due to ephemeral port handling.
- Add support for /usr/libexec/sssd/selinux_child and create sssd_selinux_manager_t domain for it.
- Allow qpidd to read network state and sysctls dirs
Resolves:#1171275
- Add labeling for /var/bacula directory.
- mcelog runs as a daemon domain
- Allow shutdown to r/w inherited rhev-agentd pipes.
- Allow sshd to send signull itself.
- Add the 'base_ro_file_type' and 'base_file_type' attributes to RHEL6.
- Allow prelink_mask_t getattr on filesystems that support xattrs
- Allow radius to connect to apache ports to do OCSP check.
- remove transition from unconfined user to auditctl.
- Backport RHEL7 sblim-sfcb fixes.
- Add bacula fixes related to unconfined scripts based on ssekiddeAATTredhat.com patch.
- Allow zebra to communicate with sssd
- Add interfaces fixes.
- Added some optional blogs from timemaster policy to chronyd.
- Added linuxptp policy
- Add interface to read mysql db link files
- Added cinder policy
- Make munin yum plugin as unconfined by default.
- Allow bitlbee connections to the system DBUS.
- Allow hv_vss_daemon to call ioctl(FIFREEZE) on /boot.
- Add rsync_server boolean to don't have a transition from initrc by default.
- Dontaudit to r/w inherited pipes from httpd because of certmonger unconfined scripts.
- Backport all capabilities for cvs from RHEL7.
- Allow dccproc to execute bash.
- Fix labeling for /usr/libexec/nm-dispatcher.action.
- Allow logrotate to manage virt_cache.
- Allow osad to execute rhn_check.
- Make osad_t as unconfined domain.
- Allow osad connect to jabber client port.
- Allow rhev-agentd to access /dev/.udev/db/block:sr0.

* Wed Sep 17 2014 Miroslav Grepl 3.7.19-260
- Add virt_getattr_images and call it for sblim_sfcbd_t.
- We also need to call virt_search_images for sblim.
Resolves:#1140614

* Wed Sep 17 2014 Miroslav Grepl 3.7.19-259
- Add missing nagios_var_lib_t definition
Resolves:#1103674

* Wed Sep 17 2014 Miroslav Grepl 3.7.19-258
- Allow unlink lib_t located in /tmp for prelink_mask_t.
Resolves:#1103674
- Add support for pnp4nagios
- Allow mysql to read all domain state
- Allow sblim_sfcbd_t to search virt images
- Revert "Remove shadow_t label from /etc/security/opasswd"

* Tue Sep 16 2014 Miroslav Grepl 3.7.19-257
- Add fixes for sblim_sfcbd to make libvirt-cim working.
- Allow keepalived stream connect to snmpd
- Allow local_login_t and xdm_t to manage etc_t if authlogin_can_shadow boolean.
- Allow prelink_transition_domain to send signal to prelink_mask_t.
Resolves:#1103674

* Fri Sep 12 2014 Miroslav Grepl 3.7.19-256
- Allow sosreport to domtrans to prelink_t instead of prelink_mask_t.
Resolves:#1103674

* Thu Sep 11 2014 Miroslav Grepl 3.7.19-255
- Allow couriertcpd to read /var/spool/courier dir.
- Allow prelink domain to read /dev/mem.
- Allow transition to prelink_t instead of prelink_mask_t to ABRT domains/rpm.
Resolves:#1103674

* Fri Sep 05 2014 Miroslav Grepl 3.7.19-254
- Dontaudit to read/write all dev nodes for prelink_mask_t.
- Add label for path /var/lib/ctdb
- Allow escd access to /var/run/pcscd.events directory
Resolves:#1103674

* Tue Sep 02 2014 Miroslav Grepl 3.7.19-253
- Add additional dontaudits for prelink_mask_t
Resolves:#1103674
- Allow local_login_t and xdm_t to manage shadow_t because of PAM

* Tue Aug 26 2014 Miroslav Grepl 3.7.19-252
- Allow aide_t to read /dev/random and /dev/urandom.
- Allow sysadm to talk with lldpad over unix dgram socket.
- Allow sysadm to send/recv with unix dgram socket.
- Allow crond_t to read lastlog.
- Allow xdm_t to read plymouthd_spool_t files
Resolves:#1131195
- Allow hald to rpm dbus chat
- Additional dontaudits for prelink_mask_t.
- Add samba_domain
attribute also for smbcontrol_t and winbind_helper_t.

* Wed Aug 20 2014 Miroslav Grepl 3.7.19-251
- Allow tgtd service to read kernel network state
Resolves: 1130040
- Allow mail-servers policies to read pcp libs
Resolves: 1130934
- Allow passwd_t to read/write stream sockets
Resolves: #1129296
- Add support for zabbix external scripts for which zabbix_script_t domain has been created. This domain is unconfined by default and user needs to run 'semodule -d unconfined' to make system running without unconfined domains.
- Dontaudit zebra to read getattr for all files and dirs
Resolves: 1122031
- Allow zebra to read /dev/urandom
Resolves: #1122031
- Label /var/lib/asterisk/agi-bin as bin_t
- Added to lldpad policy sys_resource cap. and allow read localization
Resolves:1021984
- Fix path to luci(/usr/sbin/luci)
Resolves:1023202
- Add auth_can_read_shadow_passwords for rlogind.
- Add authlogin_shadow boolean for all login domains.
- Dontaudit rw all non security leaks.

* Fri Aug 08 2014 Miroslav Grepl 3.7.19-250
- Dontaudit read/write/setattr all pipes for prelink domains on all domains
Resolves:#1103674
- Allow chroot_user_t to change the role.
- Add sys_time caps for virt_qemu_ga_t
- Add label for /usr/sbin/luci

* Thu Aug 07 2014 Miroslav Grepl 3.7.19-249
- Add support for luci.
- Add support for rhsmd and treat it with rhsmcertd_t.
- Make zabbix_agent_t as unconfined domain for rhel6.6.
- Allow chroot_user_t to change process identity.
Resolves:#1082183
- Revert "Remove shadow_t label from /etc/security/opasswd"
- Dontaudit relabel lib_t files for prelink_mask_t.

* Tue Aug 05 2014 Miroslav Grepl 3.7.19-248
- Allow openshift_cron_t to append to openshift log files, label /var/log/openshift
Resolves: #1034206
- Do not send/receive packets when ftpd_use_passive_mode is disabled
Resolves: #1105544
- Allow qemu-ga domtrans to hwclock
Resolves: #1062384
- Allow sshd read access to files on ftp directory
Resolves: #1097387
- dontaudit r/w inherited certs for prelink_mask_t.
- Allow sblim_gatherd_t to search all mountpoints. This is caused by ps. Should not be needed in Fedora.
- Fix labeling in dhcpc.fc.
- Add labels also for glusterd sockets.

* Tue Jul 29 2014 Miroslav Grepl 3.7.19-247
- Add all login domain auth_can_read_shadow_passwords attribute.
- Added support for dhcrelay service
Resolves: #1123338
- We need to call auth_tunable_read_shadow in auth_shadow boolean.
- Move authlogin_shadow to authlogin.if.
- Add filetrans also for bacula log files.
- Dontaudit kdumpgui to read openshift_initrc_exec_t
Resolves: #1023336
- Allow squid to manage squid_var_run_t sock_file
Resolves: #1102346
- Allow bacula manage bacula_log_t dirs
Resolves: #1122545
- Added sys_ptrace cap.
to stapserver_t
Resolves: #811366
- Label also /var/run/glusterd.socket file as glusterd_var_run_t
Resolves: #1052206
- Added support for collectd daemon
Resolves: #1024715
- Label conmans pid file as conman_var_run_t, Resolves: #1122106
- Fix authlogin_shadow boolean to have it for all login_pgm domains
- Dontaudit r/w inherited all log files for prelink_mask_t
- Label zabbix_var_lib_t directories
Resolves: #1053205
- Allow all sblim domain to read localization data
Resolves:#1122022

* Mon Jul 21 2014 Miroslav Grepl 3.7.19-246
- Add boolean to allow user login programs access to /etc/shadow
- Use old icecast_connect_any boolean name and dontaudit list /tmp with tmp_t labeling
- Remove unused interface rtas_errd_systemctl
Resolves:#1121169
- Allow prelink_mask to use user terminals and dontaudit relabel tmpfiles.
- Dontaudit r/w inherited lockfiles/tmpfiles for prelink_mask_t.
- Allow prelink_mask to append all log files.

* Fri Jul 18 2014 Miroslav Grepl 3.7.19-245
- Allow setpgid for all sandbox domains.
- Allow sandbox domains read all mountpoint symlinks to make symlinked homedirs working with sandbox.
- One more fix for osad.te
- Back port osad changes from RHEL7.
- Rename svirt_lxc_file_t to svirt_sandbox_file_t.
- Label nginx init script as httpd_initrc_exec_t
Resolves:#1045041
- Allow postfix_smtpd to stream connect to antivirus
Resolves:#1105889
- Label init thttpd file as httpd_initrc_exec_t
Resolves:#1069843
- Allow httpd to setattr on httpd_log files
Resolves:#1111581
- Add tomcat
- Allow zabbix to read system network state
- Allow ndc to read random and urandom device
Resolves:#1110397
- Add kerberos support for radiusd.
- Allow procmail to ioctl on zarafa-deliver executable.

* Mon Jul 14 2014 Miroslav Grepl 3.7.19-244
- Add support for vdsm
Resolves:#1064270
- Allow userdomain role to access prelink_mask_t
- Rename module glusterfs to glusterd
Resolves:#1052206
- Allow gfs_controld_t to getattr on all file systems
Resolves:#1110886
- Allow apache to manage pid sock files
Resolves:#1042864
- Bind TCP/UDP sockets to the nfs port
- The /var/run/tuned directory is not a regular file
Resolves:#1117685
- Allow utilize winbind for authentication to AD.
Resolves:#1084177
- Dont audit access on /etc/init.d/mcollective for kdump_t
- Fix labeling in networkmanager.fc
- Allow passenger to connect to MySQL
- Allow passenger to read locales
- Dontaudit relabelfrom/relabelto for all variablefiles for prelink_map_t
- Change all var_lib_t types to have also variablestatefile attribute
- Implement new prelink_mask_t domain to which transition all domain by default (using fips_mode boolean) except prelink_transition domains.

* Thu Jul 10 2014 Miroslav Grepl 3.7.19-243
- Implement new prelink_mask_t domain to which transition all domain by default (using fips_mode boolean) except prelink_transition domains.

* Tue Jul 08 2014 Miroslav Grepl 3.7.19-242
- Added support for glance-scrubber
Resolves:#1113271
- Fix labeling for /var/lib/dokuwiki

* Tue Jul 08 2014 Miroslav Grepl 3.7.19-241
- Remove deny_ptrace from interfaces
- Add setpgid process to mip6d_t
- Added support for hv_vss_daemon
- Allow keepalived also managed snmp lib dirs
- Allow chroot_user_t unconfined shell domtrans
Resolves:#1082183
- Label swift-object-expirer as swift_exec_t
- Allow keepalived manage snmp files, dontaudit list tmp files
Resolves:#1053450
- Additional fix for calling postfix interfaces in sysadm.te to make postfix_admin() working

* Fri Jul 04 2014 Miroslav Grepl 3.7.19-240
- Allow nagios to stream connect to postgresql
BZ #1015708
Resolves:#1015708
- Allow hypervkvp read localization
- Fix postfix_admin()
- Add lldpad policy for MLS

* Fri Jul 04 2014 Miroslav Grepl 3.7.19-239
- Fixed lsmd_plugin_t
Resolves:#1111619
- Added glusterd_conf_t alias glusterd_etc_t
- Allow samba to touch/manage fifo_files or sock_files in a samba_share_t directory
Resolves:#982160
- Label zabbix-proxy files
Resolves:#1018211
- allow sshd to write to all process levels in order to change passwd when running at a level
Resolves:#837616
- Allow updpwd_t to downgrade /etc/passwd file to s0, if it is not running with this range
Resolves:#837616
- Rename quantum port to neutron
Resolves:#1024927
- Added zarafa_read_lib_files interface
- Added dont audit list non security files in xdm_t
Resolves:#1030760
- Added more fixes relates to Resolves:#1060656
- Added dontaudit rules to xdm_t
Resolves:#1030760
- Allow procmail to run zarafa-degent
Resolves:#1060656
- Add userdom_user_application_domain in xauth
Resolves:#1013832
- Allow dmesg read raw memory
Resolves:#1030762
- Allow communication between postfix and cyrus
Resolves:#1057307

* Wed Jul 02 2014 Miroslav Grepl 3.7.19-238
- Allow domain to read an append inherited tmp files
- Dontaudit leaks of var_t into ifconfig_t
- Allow fsdaemon_t to read/write device_t char files
Resolves:#1035363
- Remove
sblim_filetrans_named_content in RHEL6
- We don't have systemd in RHEL6.
- one more fix for bacula_admin()
- fix bacula_run_admin()
- Remove shadow_t label from /etc/security/opasswd
- Fix logrotate_use_nfs boolean
- Allow userdom to read inherited users files in /tmp
- Allow certmonger_t read puppet libs
- Allow in logging_inherit_append_all_logs also ioctl and append
- Label pacemaker_remoted as cluster_exec_t
- Tag some conman exec files
- Allow conman to read localization
- Should use rw_socket_perms rather than sock_file on a unix_stream_socket
- Added conman fixes
- Allow apache to manage passenger sock_files
- Allow bacula to bind on 9103 tcp port
- Allow postfix stream connect to antivirus
- Allow osad to read localization

* Tue Jun 24 2014 Miroslav Grepl 3.7.19-237
- Fixes for mirrormanager
- Fix swift interface
- Allow lsmd_plugin_t to read localization
- Allow keepalived read snmp libs, Allow keepalived connect to agentx port
- Allow keepalived read localization
- Added setuid capability to lsm service
- Added some swift rules to rsync policy
- Remove duplicate line entry in .fc
- Do not send/receive packets when ftpd_use_passive_mode is disabled
- Add mirrormanager policy to RHEL6 Fixes Bug 1042864
- Update permissivedomains by mirrormanager
- Add mirrormanager policy
- Added support for openwsmand
- Added policy for swift
- Added support for sblim
- label also 64bit heartbeat libs
- Allow kill capability on varnish
- Added haveged policy
- Add missing kernel_rw_stream_socket_perms
- Label tcp/udp port no.
3052 as apc, Allow apcups to bind on apc port- Allow logwatch stream connect to courier service- Fix mcelog policy- Back port rsyslog fixes from RHEL7 for rsyslog7- Fix whitespace- Add support for osad- Fix automount policy- Added policy for bacula- add radvd_read_pid_files inteface- Add missing syslog-conn port- Allow httpd_t write to kernel keyring- Allow httpd_sys_script_t domain to send system log messages - Allow passwd_t to write to ipa trusted user files in /tmp - Boolean to allow mcelog use all the user ttys - Allow icecast to use any tcp ports - Define oracleasm_t as a device node - Allow sudomain to getattr of kernel interface- Add squid directory in /var/run- Allow automount read nfs symlinks- Allow asterisk to connect to the apache ports- allow abrt to read mcelog log file - allow udev to search radvd files under the /run dir - allow auditctl getattr access on blk_file Resolves:#1080555- Allow ssh to manage nfs links * Wed Apr 23 2014 Miroslav Grepl 3.7.19-236- Added conman policy- Added label for conman port- Added support for mip6d policy- Added support for isns- Added rtas_errd policy- Added support for keepalived policy- Add label samba_spool_t for /var/spool/samba- Allow httpd_t to bind preupgrade port if httpd_run_preupgrade boolean is enabled- Allow openshift_cron_t to append to openshift log files- dontaudit sudo domains listing /dev- Allow read/write to login records- Allow auditctl getattr access on blk_file- Allow nova-scheduler to read utmp- Added stapserver policy- Added support for freeipmi services- Added lsm policy- Added support for pcp service- Added chown capability to dhcpd_t domain- Add boolean to allow openshift domains nfs access- Allow abrt to read man pages and getcap- Allow cgroupdrulesengd to create content in cgoups directories- Dontaudit smbd_t sending out random signuls- Backport all zabbix changes- Allow mcelog write access to nscd socket * Thu Apr 17 2014 Miroslav Grepl 3.7.19-235- Add support for nginxResolves:#1045041- 
Change shutdown_t to also read wtmp- Added support for hypervkvpd- Add preupgrade policy * Mon Mar 31 2014 Miroslav Grepl 3.7.19-234- Add httpd_dbus_sssd boolean to make mod_lookup_identit working- Add support for ABRT FAF * Fri Mar 21 2014 Miroslav Grepl 3.7.19-233- Add support for OpenShift syslog plugin- Allow snmpd to getattr on removeable and fixed disks- Add shmemnetgrp and getnetgrp to access_vectorsResolves:#1025758 * Fri Dec 13 2013 Miroslav Grepl 3.7.19-232- Add more fixes for zabbix-agent- Fix neutron labeling- Allow all domains to read sysfs_t due to glibc change- Allow ping to read inherited zabbix tmp filesResolves:#1039851- Allow hostname to read/write inherited rpm script files * Tue Oct 29 2013 Miroslav Grepl 3.7.19-231- Add named_cache_t label for /var/lib/unbound- Fix puppet_domtrans_master() interface to make passenger working correctly if it wants to read puppet config files- Allow anitvirus domains to manage own log dirs * Tue Oct 29 2013 Miroslav Grepl 3.7.19-230- Add missing transition from dovecot-auth to oddjob_mkhomedir * Thu Oct 24 2013 Miroslav Grepl 3.7.19-229- Add bootloader_exec_t labeling for /sbin/grubbyResolves:#915729- Add etc_runtime_t label for zipl.conf- Allow daemons to manage cluster lib files if daemons_enable_cluster_mode is enabled * Wed Oct 23 2013 Miroslav Grepl 3.7.19-228- Add daemons_enable_cluster_mode boolean and turn on it by default until RHEL6.6Resolves:#915151- Add tcp/8893 as milter port- Allow antivirus domain to read localization without the boolean * Tue Oct 22 2013 Miroslav Grepl 3.7.19-227- Resource agents needs to manage /etc/cluster to place own config filesResolves:#915151- tgtd needs ipc_lock * Mon Oct 21 2013 Miroslav Grepl 3.7.19-226- Label /usr/sbin/fence_scsi as fenced_exec_t- Fix cluster domains to create dirs in /var/run/cluster as var_run_t to make resource scripts workingResolves:#915151 * Tue Oct 15 2013 Miroslav Grepl 3.7.19-225- Re-write rules to create tmpfs for all piranha tmpfs 
files/dirs- Allow piranha-lvs to manage piranha_tmpfs_tResolves:#1018306 * Tue Oct 15 2013 Miroslav Grepl 3.7.19-224- Allow piranha_pulse_t to create tmpfs and send sigkill to piranha domains * Tue Oct 15 2013 Miroslav Grepl 3.7.19-223- Fix dovecot_rw_pipes() interface- Allow piranha_pulse_t to search tmpfs- Allow sysadm to stream connect to postfix-master process- Label /usr/sbin/fence_sanlockd as fenced_exec_t * Wed Oct 09 2013 Miroslav Grepl 3.7.19-222- Add kdumpgui_run_bootloader to allow execute zipl correctly * Wed Oct 09 2013 Miroslav Grepl 3.7.19-221- Fix /var/run/charon labeling- More fix for strongswant and ipsec.secretes- Allow sandbox domain to use inherited user terminals * Tue Oct 08 2013 Miroslav Grepl 3.7.19-220- Allow cobblerd to stream connect to MySQL- Allow cobblerd to execute ldconfig- Allow openstack-glance to access to amqp- Add labeling for /var/run/charon. *- Make munin \"df\" plugins workingResolves:#908095 * Wed Oct 02 2013 Miroslav Grepl 3.7.19-219- Update httpd_can_sendmail boolean to allow read/write postfix spool maildrop- Allow tzdate to unlink etc_t lnk files- Allow jabberd to connect to jabber_interserver port- Fix description for logging_syslog_can_read_tmp boolean- Update ipsec rules and labelsResolves:#986883- Allow pegasus transition to mount_t * Fri Sep 27 2013 Miroslav Grepl 3.7.19-218- Add support for /var/log/qemu-ga directory- Regenerate man pages for domainsResolves:#880728- Allow setgid capability for ipsec_t- Allow ipsec to send signull to itself- Add tcp/9000 as http_port_t- Allow dirsrv_t to create tmpfs_t directories- Fix git_role() interface * Fri Sep 20 2013 Miroslav Grepl 3.7.19-217- Fix virtd_lxc_t to be able to communicate with hal- Allow NM and wireless working togetherResolves:#1009661- Allow my_print_default to read /dev/urand * Fri Sep 13 2013 Miroslav Grepl 3.7.19-216- Remove transition from virtd_t to qemu_t to stay in virtd_t if selinux_driver is None in qemu.conf- Allow openshift_cron_t to run ssh-keygen 
in ssh_keygen_t to access host keys * Wed Sep 11 2013 Miroslav Grepl 3.7.19-215- Add port definition of pka_ca to port 829 for openshift- Rename quantum to neutron- Allow rpcd to request the kernel to load a module- Allow ovsdb-server to create dirs/files in /tmp directory * Fri Sep 06 2013 Miroslav Grepl 3.7.19-214- Allow git daemons to read localization- Allow tgtd_t to connect to isns portsResolves:#1003571- Cleanup antivirus policy and add additional fixes- Fix labeling for munin CGI scripts- Allow virtd_t also relabel unix stream sockets for virt_image_type- Fix fs_search_auto_mountpoints to allow search automount tmp dirsResolves:#990661 * Tue Aug 27 2013 Miroslav Grepl 3.7.19-213- Add openhpid policyResolves:#1000521- Fix rhcs_domain_template to allow cluster_t to create socket in /var/run with correct labeling * Fri Aug 23 2013 Miroslav Grepl 3.7.19-212- Update rules for antivirus domainsResolves:#999471- Allow virt_domain to read virt_var_run_t symlinks- Allow chroot_user_t to read/write inherited user domain pty- Allow to start guest while the libvirtd is started with valgrind- Allow lldpad to talk with fcoemon- Allow chronyd sched_setscheduler * Thu Aug 08 2013 Miroslav Grepl 3.7.19-211- Fix spec file- Fix zabbix labeling * Tue Aug 06 2013 Miroslav Grepl 3.7.19-210- Allow nrpe to list /var- Allow apache to search automount tmp dirs if http_use_nfs is enabled- Add support for strongswan- Fix description of ftpd_use_fusefs boolean- Allow kdumpgui to write dos files for /boot/efi/EFI/fedora/grub.cfg- Back port tgtd fixes from Fedora to allow sys_rawio cap- Add support for OpenDMARCDResolves:#983551- Allow openvpn to run unconfined scripts- Allow amavis to execute shellResolves:#979421- man pages should be owned only by selinux-policy-doc package- Fix fs_manage_nfs_files and fs_manage_nfs_dirs boolean to allow to search autofs- Allow mysqld-safe sys_nice/sys_resource capsResolves:#975921- Add labeling for /boot/etc/yaboot.confResolves:#973156- 
/var/log/syslog-ng should be labeled var_log_t- Back port munin-cgi fixes- Fix ftp_home_dir boolean - Allow kdump to read kcore on MLS system- Add support for svn ports- Add labels for /dev/ptp *- Add labels for /etc/security/opasswd- Fix labeling for /etc/localtime lnk file- Add tftp booleans for NFS/CIFS access- Merge amavis,clamd,clamscan,freshclam policies to antivirus policy- Label all nagios plugins as nagios_unconfined_plugin_exec_t by default- Add additional ports as mongod_port_t- Allow sandbox domains to use inherted terminals- Allow pegasus to execute mount in pegasus_t domain- Fix *_admin interfaces and interface descriptions- Allow yppasswdd to use NIS- Allow nagios to manage nagios spool files- Allow ABRT to domtrans to prelinkResolves:#921234- Fix labeling for /var/lib/dspam/Resolves:#919456- Label postfix-policyd-spf-perl as bin_t- Allow nrpe to run sudo- Label /usr/bin/yum-builddep as rpm_exec_t- Label /usr/local/bin/x11vnc as xserver_exec_t- Allow logwatch to domtrans to mdadm- Allow postfix-master to list /tmp dir- Add lldpad policy and make it as unconfined domain- Allow sysadm to admin postfix- ALlow postfix_virtual to stream connect to mysql- Update zabbix policy- Activate watchod policy and make it as unconfined- Add httpd_serve_cobbler_files boolean- Make postfix_postdrop_t as mta_agent to allow domtrans to system mail if it is executed by apache- Add oracleasm policy- Add support for pand- Add awstats_purge_apache_log_files boolean- Back port smstools policy * Fri Jul 19 2013 Miroslav Grepl 3.7.19-209- Remove old cluster policies also for MLSResolves:#915151 * Wed Jul 17 2013 Miroslav Grepl 3.7.19-208- Merge cluster administrative domains to cluster_t. 
Back ported from FedoraResolves:#915151- Aadd additinal rules for disk plugins- Allow setuid/setgid caps for syslogd_t- Dontaudit sendmail to write dovecote-deliver tmp files- Add suppport for /var/lib/openvpn- /var/spool/snmptt is a directory which snmdp needs to write to * Tue Jul 09 2013 Miroslav Grepl 3.7.19-207- Make tcp/81 as http port- Add cert_t labeling for pki stuffResolves:#959554 * Tue Jun 25 2013 Miroslav Grepl 3.7.19-206- Update openvswitch policyResolves:#977415- Add support for zfs * Wed Jun 12 2013 Miroslav Grepl 3.7.19-205- Remove domtrans for quantum which needs to stay in the same domain- Allow qemu to manage nova lib files- Allow hald to read svirt imagesResolves:#966106 * Thu Jun 06 2013 Miroslav Grepl 3.7.19-204- Allow iptables to read and write quantum inherited pipes- Allow iptables to send sigchld to quantumResolves:#966106 * Wed Jun 05 2013 Miroslav Grepl 3.7.19-203- Allow dnsmasq to stream connect to quantum- Allow ifconfig domtrans to iptables and execute ldconfigResolves:#966106- Make openshift_initrc_t as initrc domain * Thu May 30 2013 Miroslav Grepl 3.7.19-202- Make Quantum 2013.1.1 working with netns- Make SSHing into an Openshift Enterprise Node working * Thu May 23 2013 Miroslav Grepl 3.7.19-201- Add virt_qemu_ga_unconfined_t for hook scripts * Tue May 21 2013 Miroslav Grepl 3.7.19-200- Add virt_kill interface and use it for sanlock * Sun Apr 21 2013 Miroslav Grepl 3.7.19-199- qemu-ga needs to execute scripts in /usr/libexec/qemu-ga- Allow openshift_cron_t to manage openshift_var_lib_t sym links- Allow dovecot-auth to execute bin_t- Allow mysqld-safe to execute bin_t- Allow procmail to manage user tmp files- Allow sanlock to kill svirt_tResolves:#913673 * Tue Apr 16 2013 Miroslav Grepl 3.7.19-198- Allow dirsrv-admin script to exec apache modules- Add labeling for dirsrv-admin lock file- Add labeling for /var/lib/owncloud- Add labeling for /var/www/moodleResolves:#913673 * Thu Apr 04 2013 Miroslav Grepl 3.7.19-197- Fix /etc/dhcp 
labeling- Back port openshift fixes- Make dirsrv-admin server restarted from console working- Add ftpd_use_fusefs booleanResolves:#913673- openshift_cron_t needs dac_override * Thu Mar 21 2013 Miroslav Grepl 3.7.19-196- Backport openshfit fixes- Allow cgred to use notify Resolves:#913673- Allow mount to transition to gluster - Fix tuned policy to make it working with the lastet tuned package * Tue Jan 22 2013 Miroslav Grepl 3.7.19-195- Make matahari domains as unconfined- Allow nscd to connect to nmbdResolves:#901565- Allow setcap/getcap for syslogd * Wed Jan 16 2013 Miroslav Grepl 3.7.19-194- qdiskd needs to read usr_t/bin_t files- Allow dpsam to connect/bind to spamd ports- Allow munin services plugins to bind to generic nodeResolves:#865759 * Tue Jan 15 2013 Miroslav Grepl 3.7.19-193- Fix ssh_sysadm_login boolean for MLSResolves:#865759- Allow rpm_script_t to dbus communicate with certmonger_t- More fixes for qemu-ga to make \"guest-fsfreeze-freeze\" working * Wed Jan 09 2013 Miroslav Grepl 3.7.19-192- Label /usr/lib/yaboot/addnote as bin_t- Allow postfix_local to read/write /var/spool/postfix/active- Allow postfix domains to list /tmp- Allow wdmd to transition to kdumpResolves:#887793- Add labeling for /var/named/chroot/etc/localtime * Fri Jan 04 2013 Miroslav Grepl 3.7.19-191- Remove pam_selinux due to conflict- Add labeling for /etc/multipath - lvm_metadata_tResolves:#880407- Add additional gitolite3 labeling * Fri Jan 04 2013 Miroslav Grepl 3.7.19-190- Allow virtd to settattr on virt image dirs in MLSResolves:#885045- Allow all postfix domains to connect to mysql stream- Call init_daemon_domain for rsync_t- Add labeling for /var/lib/pgsql/ssh - Allow certmonger to send signal to itself- Allow rsyslog to read user tmp files using logging_syslog_can_read_tmp boolean- Add support for 1228/tcp and 1228/udp ports and allow corosync touse them- Allow corosync to read wdmd tmpfs- Allow wdmd to execute consoletype- Update man pages using sepolicy from Fedora- Fix 
admin interfaces * Tue Dec 18 2012 Miroslav Grepl 3.7.19-189- Allow virt_qemu_ga to execute shutdown- sssd needs to connect to kerberos password port if a user changes his password- More fixes for the dspam domain- Allow dovecot to execute bash- Additional fixes for passengerResolves:#886619- Add labeling for /var/run/checkquorum-timer * Tue Dec 18 2012 Miroslav Grepl 3.7.19-188- Allow rpcd_t to read /var/run/utmp- Make glance domains as permissive instead of just glance_t- Allow kill capability for ftpd- Add labeling for prespawn helper scriptResolves:#886619- Allow winbind to stream connect to nmbd- Allow transition from virt domains to bridgehelper domain- Add support for watchdog script from sanlock- Add labeling for tmp-inst- Fix rhev policy- Update virt_qemu_ga policy- Backport wm_domain policy- Backport virtd_lxc_t and make it as unconfined domain * Wed Dec 12 2012 Miroslav Grepl 3.7.19-187- Add missing labeling for /usr/share/ovirt-guest-agent/ovirt-guest-agent.pyResolves:#885432- Add labeling for /var/nmbd- apache/drupal can run clamscan on uploaded content * Mon Dec 10 2012 Miroslav Grepl 3.7.19-186- Allow virtd to manage dnsmasq pid files- Allow all samba domains to create samba directory in var_t directory- Dontaudit attempts by openshift to read apache logs- Add labeling for /usr/share/ovirt-guest-agent/ovirt-guest-agent.pyResolves:#885432 * Wed Dec 05 2012 Miroslav Grepl 3.7.19-185- Apache is sending sinal to openshift_initrc_t now- Allow all directories/files in /var/log starting with passenger to be labeled passenger_log_t- Allow winbind to manage samba_var_t sock files- Allow git-daemon and httpd to serve the same dirResolves:#883143- Allow dac_override for nrpe * Mon Dec 03 2012 Miroslav Grepl 3.7.19-184- Add support for tcp/10026 port as dspam_port_t- Allow dspam to connect/bind to dspam_port_t- Add uconfined_munin_plugin_exec_t for all plugins which are not covered by munin plugins policy- Allow domains that can read sssd_public_t files to also 
list the directoryResolves:#881413- Allow programs to run in fips_mode using fips_mode boolean- Change oddjob to transition to a ranged openshift_initr_exec_t when run from oddjob- Allow sshd to look into the mysql home directory for authorized_keys- Make rsync as homemanager which allows to manage CIFS/NFS - * Tue Nov 27 2012 Miroslav Grepl 3.7.19-183- Allow quota to manage openshift_var_lib_t directoriesResolves:#843732 * Tue Nov 27 2012 Miroslav Grepl 3.7.19-182- Fix labeling for /var/named/chroot/usr/libResolves:#843732- Allow amavis to stream connect to snmpdResolves:#839250- Additional fixes for log files related to logrotate- Allow all domains to read base etc_t file type- Allow logrotate to list root home directory- Fix labeling for /var/log/z-push- Allow cyrus init scriptu to manage cyrus data files- Dontaudit leaks of locks or generic log files to systemprocesses- Allow ricci-modrpm to send syslog msgs- Allow munin to have kill capability * Mon Nov 19 2012 Miroslav Grepl 3.7.19-181- Allow kdumpgui to read/write to zipl.confResolves:#877108- Add /proc/numactl support for confined users- Make proc_numa_t an MLS Trusted Object- Make ccs_tool and cman_tool labeled as rgmanager_exec_t- Fix cron_admin_role interface- Add support for opendkim * Wed Nov 14 2012 Miroslav Grepl 3.7.19-180- Allow openshift domains to execute tmux- Allow wdmd to getattr on tmpfs_tResolves:#831908- Add labeling for /var/nmbd/unexpected- Allow winbind to create samba pid dir- Dontaudit write access on /var/lib/net-snmp/mib_indexes for syslogd- Fenced communicates with libvirt- Fix labeling for libflashplayer.so- Add labeling for /var/lib/zarafa-webapp- Allow dspam to read localization- Add labeling for Z-Push- Allow rpc.svcgssd to search nfsd_fs_t dirs- Allo cgred to read all sysctl * Mon Nov 05 2012 Miroslav Grepl 3.7.19-179- Fix labeling for /var/lib/sss/mcResolves:#871816 * Thu Nov 01 2012 Miroslav Grepl 3.7.19-178- Fix labeling for OpenShift binaries- Add samba_portmapper boolean 
and labeling for /var/run/sambaResolves:#871816- Backport dspam policy * Wed Oct 31 2012 Miroslav Grepl 3.7.19-177- Allow dnsmasq to manage virt run filesResolves:#843543- Allow setroubleshootd to read /proc/irq- Backport fixes for virt_use_ * booleans- Allow qemu-ga to use ttyS0- Allow dhcpc to manage dhclient-eth0.pid labeled as virt_var_run_t * Tue Oct 30 2012 Miroslav Grepl 3.7.19-176- Add unconfined munin pluginResolves:#871106- Add new httpd_verify_dns boolean * Tue Oct 23 2012 Miroslav Grepl 3.7.19-175- Add initial openswitch policy. Domains are unconfinedResolves:#845417- Add labeling for /usr/sbin/mcollectived- Allow openshift domains to read /dev/urandom * Fri Oct 19 2012 Miroslav Grepl 3.7.19-174- openshift user domains wants to r/w ssh tcp sockets- Allow mount to relabelfrom unlabeled file systems- Additional fix for syslog/kerberosResolves:#867001 * Thu Oct 18 2012 Miroslav Grepl 3.7.19-173- syslogd_t now support kerberosResolves:#867001- Fix openshift labeling for binaries- Allow passwd to read usr_t links/files- Add labeling for /var/lib/sss/mc * Mon Oct 15 2012 Miroslav Grepl 3.7.19-172- Update httpd_runstickshift boolean- Remove transition from sysadm_t to fsadm_tResolves:#852763- Make vmware-host as unconfined domain- Allow all domains to read usr_t- Fix labeling for all log files * Sat Oct 13 2012 Miroslav Grepl 3.7.19-171- Add labeling for /usr/bin/oo-admin-ctl-gearsResolves:#839831 * Fri Oct 12 2012 Miroslav Grepl 3.7.19-170- Fix passenger labeling to support lib64 paths. 
Needed by openshiftResolves:#839831 * Thu Oct 11 2012 Miroslav Grepl 3.7.19-169- Fix spec file to silent restorecon errors on files which do not exist- Fix passenger backportResolves:#839831 * Tue Oct 09 2012 Miroslav Grepl 3.7.19-168- Add support for HTTPProxy * in /etc/freshclam.conf- pppd wants to read /usr/share/radiusclient-ng/dictionary- Add ssh_chroot_manage_apache_content and ssh_chroot_full_access booleans- snmp wants to also manage snmp dirs for amavisd-snmp support- Add labeling for virsh_fenced- Allow nmbd_t to crate dirs with samba_var_t labeling- Add clamscan_can_scan_system boolean- Allow all domains to getattr on prelink_exec_t- Add postgresql_can_rsync boolean- Allow pulse to domain transition to iptables- Allow nslcd sys_nice capability- Allow corosync to connect to saphostctrl ports- Allow passwd to read generic /tmp dirs- Add policy for qemu-qa- Add new antivirus policy module for antivirus programsResolves:#838260 * Fri Oct 05 2012 Miroslav Grepl 3.7.19-167- Allow postfix_locat to search stickshift lib files- Dontaudit sys_ptrace cap for httpd if httpd_stickshift is on- Allow openshift domains change process identity- SELinux is reporting that openshift domains are trying to write into their proc directoriesResolves:#855889 * Wed Oct 03 2012 Miroslav Grepl 3.7.19-166- More fixes for openshift and add support for opeshift labeling instead of stickshift- /etc/selinux//logins should be owned by the policy packageResolves:#855889- Add labeling for /var/tmp/DNS_25 - Allow postfix_local_t to execute files on nfs_t- Add fixes for kadmind- Add rhnsd policy * Tue Oct 02 2012 Miroslav Grepl 3.7.19-165- Add httpd_run_stickshift boolean- Add labeling for /var/lib/stickshift/.httpd.dResolves:#836241 * Tue Oct 02 2012 Miroslav Grepl 3.7.19-164- Add additional part of openshift patchResolves:#836241 * Mon Oct 01 2012 Miroslav Grepl 3.7.19-163- Backport openshift policy- Allow dovecot_deliver_t to search /root/mailResolves:#836241 * Mon Sep 10 2012 Miroslav 
Grepl 3.7.19-162- Add pkcslotd policyResolves:#851483- Allow cyrus-imapd init script to write cyrus data- Fix labeling for /dev/twa * Mon Sep 10 2012 Miroslav Grepl 3.7.19-161- Fix labeling for /var/run/cachefilesd.pidResolves:#851113 * Fri Sep 07 2012 Miroslav Grepl 3.7.19-160- Add named_bind_http_port boolean- Add port definition for 8953/tcp- spice-vdagent(d)\'s are going to log over to syslog- Fix labeling for /usr/sbin/rpc. * binaries to label them as rpcd_exec_t- Add sensord policy- Allow oddjob_mkhomedir to write on nfs share- Add virt_bridgehelper policy- Allow clamd to write/delete own pid file with clamd_var_run_t label- Add support for wdmd tmpfs- Add initrc_domain attribute - Add bcfg2 policy- Modify ssh_chroot_rw_homedirs boolean to allow manage apache system r/w content if for /var/www as home- Add pacemaker policy- Allow snmpd to connect to corosync over unix stream socket- Allow crontab to read NFS- Add new type selinux_login_config_t for /etc/selinux/TYPE/logins directory and allow sssd to manage files in this directoryResolves:#843814- Add labeling for /opt/sartest directory- Add initrc_domain attribute to allow domains to work as initrc_t domain- heartbeat should be running as rgmanager_t instead of corosync_t- Add glusterd policy- Add l2tpd policy- Add numad policyResolves:#801493 * Wed Aug 08 2012 Miroslav Grepl 3.7.19-159- Allow munin_stats to read munin logs- Allow updpwd to write all MLS levels- Make piranha_web_t as nsswitch domain- Allow munin mail plugins to read exim log files- Backport sanlock policy from FedoraResolves:#831908- Allos dac_override, sys_nice for sasl- Add labeling for /var/named/chroot/usr/lib64- Add support for gitolite3- Allow confined users to send mail * Thu Jul 26 2012 Miroslav Grepl 3.7.19-158- Add amavis_use_jit boolean * Thu Jul 26 2012 Miroslav Grepl 3.7.19-157- Allow procmail to manage mail home data- We should only block MCS node_bind on mcsuntrustedproc- Fixes for amavisResolves:#837815 * Tue Jul 17 2012 
Miroslav Grepl 3.7.19-156- Allow user to login using ssh with random MLS rangeResolves:#837815- Allow virtd_t to create mtab with the proper labeling- Add support for check_icmp nagios plugin- Make chkconfig working on MLS for sysadm_t- Allow dovecot to manage mail_home_rw_t- Add support for fsav- Allow clamscan to use amavisd-new- Add support for rhnsd * Mon Jun 18 2012 Miroslav Grepl 3.7.19-155- Allow setroubleshootd to execute rpmResolves:#833053- Add labeling for /usr/lib/flash-plugin/libflashplayer.so * Thu May 24 2012 Miroslav Grepl 3.7.19-154- distcvs to distgit corruption fixResolves:#823991 * Wed May 23 2012 Miroslav Grepl 3.7.19-154- Allow fenced to manage snmpd lib files- Allow certmonger to get attributes on init script filesResolves:#790967- Fix labeling for Firefox pluginsResolves:#747993- Add mta_signal_user_agent() interface * Wed May 16 2012 Miroslav Grepl 3.7.19-153- user_tcp_server boolean should be also for sysadm_tResolves:#798534 * Wed May 16 2012 Miroslav Grepl 3.7.19-152- Add label for condor_starterResolves:#807682- Dontaudit sys_module for brctl- Allow winbind to send signull to smbd- Add jacorb port definition * Tue May 15 2012 Miroslav Grepl 3.7.19-151- Add openstack-nova, openstack-keystone, openstack-glance, openstack-quantum policies- Allow sysadm_t to create other crontabs- Allow nfsd_t to read defaul_t link files- Fix labeling for /var/run/heartbeat- Fixes for admin_template() interface to make sysadm_secadm.pp module working correctly- More fixes for condor policy- Allow chfn_t to creat user_tmp_files- Allow chfn_t to execute bin_t- Fix auth_role() interface- Fixes to make privsep+SELinux working if we try to use chage to change passwd * Wed May 09 2012 Miroslav Grepl 3.7.19-150- Allow condor-startd to dbus chat with hal- Allow rpc.mountd to read all files/dirs * Tue May 08 2012 Miroslav Grepl 3.7.19-149- Add labeling for /usr/sbin/matahari-dbus-sysconfigd- Add additional labeling for zarafa- Allow guest_t to fix labeling- 
Corenet_tcp_bind_all_unreserved_ports(ssh_t) should be called with the user_tcp_server boolean- squashfs does not support xattr in RHEL6Resolves:#815898- Remove pyzor labeling and move it to spamassassin.fc- Fix config.tgz * Wed May 02 2012 Miroslav Grepl 3.7.19-148- Add mysql_list_db() interface- Allow sshd to read/write condor-startd tcp socket * Tue Apr 24 2012 Miroslav Grepl 3.7.19-147- Fix man pages for SELinux users- Allow all user domains to setexec- Allow cobblerd to get SELinux status and booleans- Add labeling for /etc/zipl.confResolves:#813803- Allow fenced to read SNMP lib files * Tue Apr 17 2012 Miroslav Grepl 3.7.19-146- Add sysadm_secadm policy module to separate in secadm_r, sysadm_rResolves:#787413- Fixes for libvirt-qmf- Add label for package-cleanup - Add support for zfs- Make cfengine domains as unconfinedResolves:#753184- Allow sshd_t to dyntransition to sysadm_t * Wed Apr 04 2012 Miroslav Grepl 3.7.19-145- Fix labeling for /var/run/slapd. * socketsResolves:#799102- Add condor policy * Tue Apr 03 2012 Miroslav Grepl 3.7.19-144- Fixes for cfengine policy * changed labeling for /var/cfengine/outputs from var_log to cfengine_var_log_t * re-arranged policy to use template and cfengine_domain - Allow dovecot to domtrans sendmail to handle sieve scripts- Bacport libvirt-qmf policy for Fedora- Remove labeling for postmaster.pid file - Fix for virtual network which looses network connection- Add man pages for SELinux users- cgconfig needs to use getpw calls- Allow lvm and fsadm to write sysfs_t- Allow rpc.mounted to list user tmp files- Fix permissivedomains declarationsResolves:#806220- Fix spec file to instal minimum policy properly * Wed Mar 21 2012 Miroslav Grepl 3.7.19-143- Add missing transition from certmonger to certmonger_unconfined_tResolves:#790967 * Tue Mar 20 2012 Miroslav Grepl 3.7.19-142- Fixes for man pages- Allow rpcd to execute sm-notifyResolves:#802247- Add support for matahari-qmf-rpcd- Add support matahari vios-proxy- * apps- Allow 
quota-check to create files on nonxattr filesystems- Add support for ~/Maildir- Allow unconfined dyntransition- Fixes for certmonger_unconfined and certmonger- Fixes for certmonger policy * Wed Mar 14 2012 Miroslav Grepl 3.7.19-141- Add man pages for apps, services- Allow nagios to use user terminalsResolves:#782325- Add support for unconfined certmonger scripts- Add support for matahari-qmf-rpcd service- Allow chsh to use PAM- Allow rpc.statd to execute sm-notify which has bin_t label- Make sure files which are created by /usr/bin/R get proper label in home directories * Wed Mar 07 2012 Miroslav Grepl 3.7.19-140- Add additional fixes for nagios handlersResolves:#749311- Add 7600 and 4447 as jboss_management ports * Tue Mar 06 2012 Miroslav Grepl 3.7.19-139- Allow nfsd_t to getattr on all fsResolves:#738628- Make mailx working together with cron without unconfined module- Allow sssd sys_resource capability * Wed Feb 29 2012 Miroslav Grepl 3.7.19-138- Add new policy for cfengine- Add new policy for sge gridengine jobs- Add support for nagios eventhandlers- Make system cron jobs run in the proper domain- Add policy to support privsep ssh process running in user domain- Add fixes relates to nss/FIPS- Add new rsync_use_ * booleans- Allow qpidd to connect to matahari ports- Allow sysadm_u to read system_r in MLS- Remove razor labeling because we treat razor with spam policy- Add support for matahari-qmf-sysconfig-consoled, clean up matahari policy- Fixes for interfacesResolves:#791294Resolves:#796351 * Thu Feb 16 2012 Miroslav Grepl 3.7.19-137- Remove nfs_ * booleans because nfs runs in kernel_t domainResolves:#760405- Add httpd_manage_ipa boolean- Dontaudit sys_ptrace for matahari-netd- Allow vhostmd to getattr on virtd- Allow snmpd to connect to the ricci_modcluster- qpidd should be allowed to connect to the amqp port * Thu Jan 26 2012 Miroslav Grepl 3.7.19-136- backport mozilla_plugin policy- backport sandbox policy to support nacl- Add support for selinux_avcstat 
munin plugin- Treat hearbeat with corosync policy- Allow system cronjobs to read kernel network state- Allow corosync to read and write to qpidd shared memory- More fixes for qpiddResolves:#769352- Add policy for quota-nld * Wed Jan 25 2012 Miroslav Grepl 3.7.19-135- Add fixes for qpidd policy, support for tmpfs_tResolves:#769352- Add fixes for mcelog policy, for new location of pid,sock files- Make sendmail and postfix working together * Wed Jan 11 2012 Miroslav Grepl 3.7.19-134- Backport ABRT policy- Backport matahari policy- Add interfaces for libra- Add jboss_dubeg port definition * Wed Jan 04 2012 Miroslav Grepl 3.7.19-133- Allow mta_user_agents to send sigchld to transitioning domain * Tue Jan 03 2012 Miroslav Grepl 3.7.19-132- Fixes for nagios policy- Add a new interface for libra- Fix spec file to be testing SELinux status correctly * Mon Dec 05 2011 Miroslav Grepl 3.7.19-131- Fixes for rhev policy- Make ssh-keygen as unconfined domain- Add sanlock_use_nfs boolean- Add ssh_dontaudit_search_user_home_dir interface- namespace_init and MLS fix * Mon Nov 21 2011 Miroslav Grepl 3.7.19-130- Fix cloudform_exec_mongod interfaceResolves:#753184 * Mon Nov 21 2011 Miroslav Grepl 3.7.19-129- Cron and libra fixes * Mon Nov 21 2011 Miroslav Grepl 3.7.19-128- Add cronjob_role for sysadm- Change label for /var/spool/cron- Add interface to allow exec of mongod * Tue Nov 15 2011 Miroslav Grepl 3.7.19-127- Make cronjob working on MLS * Wed Nov 09 2011 Miroslav Grepl 3.7.19-126- Fix dev_rw_generic_usb_dev * Wed Nov 09 2011 Miroslav Grepl 3.7.19-125- Change the postinstall to load_policy separately from the semodule command- This will put the proper files in place even if the kernel rejects the policy.- Allow login programs to connect to the pki_ca_port- Allow vhostmd to read /dev/rand and signal * Mon Nov 07 2011 Miroslav Grepl 3.7.19-124- Add MCS fixes to make sVirt working correctly- Fixes for httpd_dirsrvadmin_script_t policy * Thu Nov 03 2011 Miroslav Grepl 3.7.19-123- MLS 
Overrides needed for a user running at a level to be able to use sudo and talk to sssd
- Allow initrc_t to manage dirsrv pid files with disabled unconfined module
- Fixed for deltacloudd policy

* Wed Nov 02 2011 Miroslav Grepl 3.7.19-122
- Add label for imagefactory images directory
- Allow dovecot sys_nice
Resolves:#749690

* Mon Oct 31 2011 Miroslav Grepl 3.7.19-121
- Add support for dbomatic
Resolves: #745531

* Wed Oct 26 2011 Miroslav Grepl 3.7.19-120
- dhcpd needs dac_override

* Tue Oct 25 2011 Miroslav Grepl 3.7.19-119
- Add cloudform policy

* Tue Oct 18 2011 Miroslav Grepl 3.7.19-118
- Fix label for /root/.hushlogin
- Allow domain to send/recv unlabeled packet
- Allow sshd to relabel tun socket
- Allow puppetmasterd to relabel puppet config files
- Add label for lvs.conf
- Fix labeling for matahari-netd agents

* Thu Oct 13 2011 Miroslav Grepl 3.7.19-117
- Fix device interfaces
- Add label for /dev/bsr4096_* devices

* Wed Oct 12 2011 Miroslav Grepl 3.7.19-116
- Interfaces fixes
- Allow dirsrv to use PAM
- Fix matahari labeling

* Wed Oct 05 2011 Miroslav Grepl 3.7.19-115
- Add unlabelednet policy module
- Add chrome role for xguest
- Fix for vdagent policy
- Add fix to allow confined apps to execmod on chrome

* Thu Sep 29 2011 Miroslav Grepl 3.7.19-114
- Fix httpd_selinux man page
- Add corenet_packet() interface
- Add support for Clustered Samba commands

* Wed Sep 21 2011 Miroslav Grepl 3.7.19-113
- Fix execmem_execmod() interface
Resolves:#739618

* Tue Sep 20 2011 Miroslav Grepl 3.7.19-112
- Fix description of allow_* booleans
- Allow sanlock to manage libvirt lib files
- Fix bug in lsassd policy
- Add label for /var/run/luci
- move port 18001 from http_port_t to jboss_management_port_t

* Fri Sep 16 2011 Miroslav Grepl 3.7.19-111
- Add git_cgit_read_gitosis_content boolean
- Add support for cma port
- Add virt_use_sanlock boolean and make sanlock working together libvirt
- Make passenger and puppet working together

* Thu Sep 08 2011 Miroslav Grepl 3.7.19-110
- Add label for passwd.adjunct
- Allow pulse to execute /usr/sbin/fos
- Fix labeling for passenger
- Add selinux policy support for IP-in-SSH tunnelling
- Allow sulogin to write /dev/pts/0 in single user mode

* Wed Aug 31 2011 Miroslav Grepl 3.7.19-109
- Add abrt man page
- Make internal-sftpd working
- Fixes for cluster

* Wed Aug 24 2011 Miroslav Grepl 3.7.19-108
- Add squid man page
- Add git man page
- Make puppet working with passenger
- Allow procmail to execute hostname command

* Thu Aug 11 2011 Miroslav Grepl 3.7.19-107
- Make new domains as unconfined
- Add abrt_handle_event_t domain for ABRT event script
- Add selinux_mysql man page
- Fix httpd selinux man page
- Fix interfaces

* Tue Aug 02 2011 Miroslav Grepl 3.7.19-106
- Add ctdbd, uuidd, sblim policies

* Tue Jul 26 2011 Miroslav Grepl 3.7.19-105
- Add zarafa, drbd, fcoemon, lldpad policies

* Wed Jul 20 2011 Miroslav Grepl 3.7.19-104
- Allow puppet to Check access to the passwd executable
- Add label for /var/www/html/logs directory
- Add label for /var/lib/squeezeboxserver directory
- Allow rgmanager executes init script files in initrc_t domain which ensure proper transitions

* Thu Jul 14 2011 Miroslav Grepl 3.7.19-103
- Fixes in postfix policy

* Thu Jun 30 2011 Miroslav Grepl 3.7.19-102
- Add rhsmcertd policy

* Wed Jun 29 2011 Miroslav Grepl 3.7.19-101
- Add sanlock and wdmd policy
- Allow syslogd ipc_lock

* Mon Jun 20 2011 Miroslav Grepl 3.7.19-100
- More fixes for rhev-agentd

* Fri Jun 17 2011 Miroslav Grepl 3.7.19-99
- Add mta_user_agent attribute
  * Needed for libra

* Fri Jun 10 2011 Miroslav Grepl 3.7.19-98
- Fix for OpenShift

* Mon Jun 06 2011 Miroslav Grepl 3.7.19-97
- Allow postfix-pickup to write files and directories regardless of their MCS category set.
- Make xinetd trusted to write outbound packets regardless of the network's or node's MLS range
Resolves: #705772

* Thu May 26 2011 Miroslav Grepl 3.7.19-96
- Add rhev policy
- Make vhostd device MLS trusted

* Tue May 24 2011 Miroslav Grepl 3.7.19-95
- Allow secadm to manage selinux config files
- Allow apache to use jboss management port
- Add fenced_can_ssh boolean

* Thu May 12 2011 Miroslav Grepl 3.7.19-94
- Fixes for libra

* Fri Apr 29 2011 Miroslav Grepl 3.7.19-93
- Make init_t MLS trusted for reading/writing from/to sockets at any level

* Wed Apr 27 2011 Miroslav Grepl 3.7.19-92
- Fix virt_admin interface

* Wed Apr 27 2011 Miroslav Grepl 3.7.19-91
- Allow netlabel_mgmt_t to use all terms

* Wed Apr 27 2011 Miroslav Grepl 3.7.19-90
- Add label for /dev/hpilo directory
- Fix label for /var/cache/libvirt

* Tue Apr 26 2011 Miroslav Grepl 3.7.19-89
- More fixes for aide

* Tue Apr 26 2011 Miroslav Grepl 3.7.19-88
- Aide policy does not handle MLS mode well
- Make netlabelctl working in MLS

* Wed Apr 20 2011 Miroslav Grepl 3.7.19-87
- Allow $1_sudo_t to read default SELinux context
- Allow tgtd to create a sock file
- Allow initrc_t to manage faillock

* Tue Apr 19 2011 Miroslav Grepl 3.7.19-86
- Allow squid to manage krb5_host_rcache_t files

* Wed Apr 13 2011 Miroslav Grepl 3.7.19-85
- Allow unconfined to run libvirt in virtd_t domain
- Make foghorn unconfined domain

* Mon Apr 11 2011 Miroslav Grepl 3.7.19-84
- Allow foghorn to read usr files

* Fri Apr 08 2011 Miroslav Grepl 3.7.19-83
- Add label for matahari-broker.pid file
- Allow foghorn to read snmp lib files
- Make sysadm security admin
- Fix ssh_sysadm_login boolean
Resolves: #694551

* Wed Apr 06 2011 Miroslav Grepl 3.7.19-82
- Allow ssh_keygen_t read and write a user TTYs and PTYs

* Tue Apr 05 2011 Miroslav Grepl 3.7.19-81
- Add allow_sysadm_manage_security boolean
- Add label for /dev/dlm.*
- Allow auditadm_screen_t and secadm_screen_t dac_override capability
- SSH_USE_STRONG_RNG is 1 which requires /dev/random
- Fix auth_rw_faillog definition
- Fixes for nslcd policy
Resolves: #693368
- Allow qpidd to manage pid and lib matahari files
- Allow rgmanager to send the kill signal to all users

* Fri Mar 25 2011 Miroslav Grepl 3.7.19-80
- Add support for a new cluster service - foghorn
- sssd needs to read ~/.k5login in nfs, cifs or fusefs file systems
- sssd wants to read .k5login file in users homedir
- Add support for vdsm
- Allow syslogd setrlimit, sys_nice
Resolves: #689431
- ipsec_mgmt_t wants to cause ipsec_t to dump core, needs to be allowed

* Thu Mar 17 2011 Miroslav Grepl 3.7.19-79
- Fixes for sandbox/seunshare policy
Resolves:#684919
- Allow ssh_keygen_t dac_override
- Add matahari policy
- Add label for /etc/securetty
- Fixes for piranha-pulse policy
- Fixes for radius, samba, dirsrv, kerberos policies
- Allow console login on MLS
- Fix file context to show several labels as SystemHigh
- Add port definition for dogtag, matahari, movaz ports

* Thu Mar 10 2011 Miroslav Grepl 3.7.19-78
- Change context for /var/run/faillock

* Wed Mar 09 2011 Miroslav Grepl 3.7.19-77
- Add spice fixes
- Add label for /dev/hpilo/*

* Tue Mar 08 2011 Miroslav Grepl 3.7.19-76
- Fixes for ssh_keygen policy
- Allow sysadm_t to run ssh-keygen in ssh_keygen_t domain
- Backport spice vdagent policy

* Fri Mar 04 2011 Miroslav Grepl 3.7.19-75
- Allow svirt to manage sock_file in ~/.libvirt directory
- Allow sysadm to run udev in udev_t domain
- Remove capability from svirt
- Add lvm_exec_t label for kpartx

* Tue Mar 01 2011 Miroslav Grepl 3.7.19-74
- Add virt_home_ type files located in ~/.libvirt directory
- virt creates monitor sockets in the users home dir
- Allow lvm setfscreate
Resolves: #680388
- Make lsusb and lsblk working on MLS
Resolves: #680426

* Thu Feb 24 2011 Miroslav Grepl 3.7.19-73
- Fix spec file
- Fix for policykit
Resolves: #678044

* Tue Feb 22 2011 Miroslav Grepl 3.7.19-72
- Fix for cmirrord
Resolves: #676664
- Add mcsnetwrite attribute

* Thu Feb 17 2011 Miroslav Grepl 3.7.19-71
- Allow cmirrord to create physical disk devices in /dev
- Allow cluster domains to use the system bus and send each other dbus messages
- Add label for /dev/tgt

* Tue Feb 08 2011 Miroslav Grepl 3.7.19-70
- Make screen working for sysadm_u
Resolves: #669439

* Mon Feb 07 2011 Miroslav Grepl 3.7.19-69
- Make Spacewalk to work with selinux-policy
Resolves: #673112
- Fix /root/.ssh labeling
Resolves: #637109
- Fix for the spec file

* Mon Jan 24 2011 Miroslav Grepl 3.7.19-68
- Other fixes for namespace policy

* Thu Jan 20 2011 Miroslav Grepl 3.7.19-67
- Treat iprinit, iprupdate, iprdump services with raid policy
Resolves: #669402

* Wed Jan 19 2011 Miroslav Grepl 3.7.19-66
- Fixes for newrole related with namespace.init