|
|
|
|
Changelog for selinux-policy-mls-3.14.4-21.fc31.noarch.rpm :
* Tue Jun 18 2019 Lukas Vrabec - 3.14.4-21- Add vnstatd_var_lib_t to mountpoint attribute BZ(1648864)- cockpit: Support split-out TLS proxy- Allow dkim_milter_t to use shell BZ(1716937)- Create explicit fc rule for mailman executable BZ(1666004)- Update interface networkmanager_manage_pid_files() to allow manage also dirs- Allow dhcpd_t domain to mmap dnssec_t files BZ(1718701)- Add new interface bind_map_dnssec_keys()- Update virt_use_nfs() boolean to allow virt_t to mmap nfs_t files- Allow redis_t domain to read public sssd files- Allow fetchmail_t to connect to dovecot stream sockets BZ(1715569)- Allow confined users to login via cockpit- Allow nfsd_t domain to do chroot becasue of new version of nfsd- Add gpg_agent_roles to system_r roles- Allow qpidd_t domain to getattr all fs_t filesystem and mmap usr_t files- Allow rhsmcertd_t domain to manage rpm cache- Allow sbd_t domain to read tmpfs_t symlinks- Allow ctdb_t domain to manage samba_var_t files/links/sockets and dirs- Allow kadmind_t domain to read home config data- Allow sbd_t domain to readwrite cgroups- Allow NetworkManager_t domain to read nsfs_t files BZ(1715597)- Label /var/log/pacemaker/pacemaker as cluster_var_log_t- Allow certmonger_t domain to manage named cache files/dirs- Allow pcp_pmcd_t domain to domtrans to mdadm_t domain BZ(1714800)- Allow crack_t domain read /et/passwd files- Label fontconfig cache and config files and directories BZ(1659905)- Allow dhcpc_t domain to manage network manager pid files- Label /usr/sbin/nft as iptables_exec_t- Allow userdomain attribute to manage cockpit_ws_t stream sockets- Allow ssh_agent_type to read/write cockpit_session_t unnamed pipes- Add interface ssh_agent_signal() * Thu May 30 2019 Lukas Vrabec - 3.14.4-20- Allow pcp_pmcd_t domain to domtrans to mdadm_t domain BZ(1714800)- Allow spamd_update_t to exec itsef- Fix broken logwatch SELinux module- Allow logwatch_mail_t to manage logwatch cache files/dirs- Update wireshark_t domain to use several sockets- Allow sysctl_rpc_t and sysctl_irq_t to be stored on fs_t * Mon May 27 2019 Lukas Vrabec - 3.14.4-19- Fix bind_read_cache() interface to allow only read perms to caller domains- [speech-dispatcher.if] m4 macro names can not have - in them- Grant varnishlog_t access to varnishd_etc_t- Allow nrpe_t domain to read process state of systemd_logind_t- Allow mongod_t domain to connect on https port BZ(1711922)- Allow chronyc_t domain to create own tmpfiles and allow communicate send data over unix dgram sockets- Dontaudit spamd_update_t domain to read all domains states BZ(1711799)- Allow pcp_pmie_t domain to use sys_ptrace usernamespace cap BZ(1705871)- Allow userdomains to send data over dgram sockets to userdomains dbus services BZ(1710119)- Revert \"Allow userdomains to send data over dgram sockets to userdomains dbus services BZ(1710119)\"- Make boinc_var_lib_t mountpoint BZ(1711682)- Allow wireshark_t domain to create fifo temp files- All NetworkManager_ssh_t rules have to be in same optional block with ssh_basic_client_template(), fixing this bug in NetworkManager policy- Allow dbus chat between NetworkManager_t and NetworkManager_ssh_t domains. BZ(1677484)- Fix typo in gpg SELinux module- Update gpg policy to make ti working with confined users- Add domain transition that systemd labeled as init_t can execute spamd_update_exec_t binary to run newly created process as spamd_update_t- Remove allow rule for virt_qemu_ga_t to write/append user_tmp_t files- Label /var/run/user/ */dbus-1 as session_dbusd_tmp_t- Add dac_override capability to namespace_init_t domain- Label /usr/sbin/corosync-qdevice as cluster_exec_t- Allow NetworkManager_ssh_t domain to open communication channel with system dbus. BZ(1677484)- Label /usr/libexec/dnf-utils as debuginfo_exec_t- Alow nrpe_t to send signull to sssd domain when nagios_run_sudo boolean is turned on- Allow nrpe_t domain to be dbus cliennt- Add interface sssd_signull()- Build in parallel on Travis- Fix parallel build of the policy- Revert \"Make able deply overcloud via neutron_t to label nsfs as fs_t\"- Add interface systemd_logind_read_state()- Fix find commands in Makefiles- Allow systemd-timesyncd to read network state BZ(1694272)- Update userdomains to allow confined users to create gpg keys- Allow associate all filesystem_types with fs_t- Dontaudit syslogd_t using kill in unamespaces BZ(1711122)- Allow init_t to manage session_dbusd_tmp_t dirs- Allow systemd_gpt_generator_t to read/write to clearance- Allow su_domain_type to getattr to /dev/gpmctl- Update userdom_login_user_template() template to make working systemd user session for guest and xguest SELinux users * Fri May 17 2019 Lukas Vrabec - 3.14.4-18- Fix typo in gpg SELinux module- Update gpg policy to make ti working with confined users- Add domain transition that systemd labeled as init_t can execute spamd_update_exec_t binary to run newly created process as spamd_update_t- Remove allow rule for virt_qemu_ga_t to write/append user_tmp_t files- Label /var/run/user/ */dbus-1 as session_dbusd_tmp_t- Add dac_override capability to namespace_init_t domain- Label /usr/sbin/corosync-qdevice as cluster_exec_t- Allow NetworkManager_ssh_t domain to open communication channel with system dbus. BZ(1677484)- Label /usr/libexec/dnf-utils as debuginfo_exec_t- Alow nrpe_t to send signull to sssd domain when nagios_run_sudo boolean is turned on- Allow nrpe_t domain to be dbus cliennt- Add interface sssd_signull()- Label /usr/bin/tshark as wireshark_exec_t- Update userdomains to allow confined users to create gpg keys- Allow associate all filesystem_types with fs_t- Dontaudit syslogd_t using kill in unamespaces BZ(1711122)- Allow init_t to manage session_dbusd_tmp_t dirs- Allow systemd_gpt_generator_t to read/write to clearance- Allow su_domain_type to getattr to /dev/gpmctl- Update userdom_login_user_template() template to make working systemd user session for guest and xguest SELinux users * Fri May 17 2019 Lukas Vrabec - 3.14.4-17- Alow nrpe_t to send signull to sssd domain when nagios_run_sudo boolean is turned on- Allow nrpe_t domain to be dbus cliennt- Add interface sssd_signull()- Label /usr/bin/tshark as wireshark_exec_t- Fix typo in dbus_role_template()- Allow userdomains to send data over dgram sockets to userdomains dbus services BZ(1710119)- Allow userdomains dbus domain to execute dbus broker. BZ(1710113)- Allow dovedot_deliver_t setuid/setgid capabilities BZ(1709572)- Allow virt domains to access xserver devices BZ(1705685)- Allow aide to be executed by systemd with correct (aide_t) domain BZ(1648512)- Dontaudit svirt_tcg_t domain to read process state of libvirt BZ(1594598)- Allow pcp_pmie_t domain to use fsetid capability BZ(1708082)- Allow pcp_pmlogger_t to use setrlimit BZ(1708951)- Allow gpsd_t domain to read udev db BZ(1709025)- Add sys_ptrace capaiblity for namespace_init_t domain- Allow systemd to execute sa-update in spamd_update_t domain BZ(1705331)- Allow rhsmcertd_t domain to read rpm cache files- Label /efi same as /boot/efi boot_t BZ(1571962)- Allow transition from udev_t to tlp_t BZ(1705246)- Remove initrc_exec_t for /usr/sbin/apachectl file * Fri May 03 2019 Lukas Vrabec - 3.14.4-16- Add fcontext for apachectl util to fix missing output when executed \"httpd -t\" from this script. * Thu May 02 2019 Lukas Vrabec - 3.14.4-15- Allow iscsid_t domain to mmap modules_dep_t files- Allow ngaios to use chown capability- Dontaudit gpg_domain to create netlink_audit sockets- Remove role transition in rpm_run() interface to allow sysadm_r jump to rpm_t type. BZ(1704251)- Allow dirsrv_t domain to execute own tmp files BZ(1703111)- Update fs_rw_cephfs_files() interface to allow also caller domain to read/write cephpfs_t lnk files- Update domain_can_mmap_files() boolean to allow also mmap lnk files- Improve userdom interfaces to drop guest_u SELinux user to use nsswitch * Fri Apr 26 2019 Lukas Vrabec - 3.14.4-14- Allow transition from cockpit_session to unpriv user domains * Thu Apr 25 2019 Lukas Vrabec - 3.14.4-13- Introduce deny_bluetooth boolean- Allow greylist_milter_t to read network system state BZ(1702672)- Allow freeipmi domains to mmap freeipmi_var_cache_t files- Allow rhsmcertd_t and rpm_t domains to chat over dbus- Allow thumb_t domain to delete cache_home_t files BZ(1701643)- Update gnome_role_template() to allow _gkeyringd_t domains to chat with systemd_logind over dbus- Add new interface boltd_dbus_chat()- Allow fwupd_t and modemmanager_t domains to communicate over dbus BZ(1701791)- Allow keepalived_t domain to create and use netlink_connector sockets BZ(1701750)- Allow cockpit_ws_t domain to set limits BZ(1701703)- Update Nagios policy when sudo is used- Deamon rhsmcertd is able to install certs for docker again- Introduce deny_bluetooth boolean- Don\'t allow a container to connect to random services- Remove file context /usr/share/spamassassin/sa-update\\.cron -> bin_t to label sa-update.cron as spamd_update_exec_t.- Allow systemd_logind_t and systemd_resolved_t domains to chat over dbus- Allow unconfined_t to use bpf tools- Allow x_userdomains to communicate with boltd daemon over dbus * Fri Apr 19 2019 Lukas Vrabec - 3.14.4-12- Fix typo in cups SELinux policy- Allow iscsid_t to read modules deps BZ(1700245)- Allow cups_pdf_t domain to create cupsd_log_t dirs in /var/log BZ(1700442)- Allow httpd_rotatelogs_t to execute generic binaries- Update system_dbus policy because of dbus-broker-20-2- Allow httpd_t doman to read/write /dev/zero device BZ(1700758)- Allow tlp_t domain to read module deps files BZ(1699459)- Add file context for /usr/lib/dotnet/dotnet- Update dev_rw_zero() interface by adding map permission- Allow bounded transition for executing init scripts * Fri Apr 12 2019 Lukas Vrabec - 3.14.4-11- Allow mongod_t domain to lsearch in cgroups BZ(1698743)- Allow rngd communication with pcscd BZ(1679217)- Create cockpit_tmpfs_t and allow cockpit ws and session to use it BZ(1698405)- Fix broken networkmanager interface for allowing manage lib files for dnsmasq_t.- Update logging_send_audit_msgs(sudodomain() to control TTY auditing for netlink socket for audit service * Tue Apr 09 2019 Lukas Vrabec - 3.14.4-10- Allow systemd_modules_load to read modules_dep_t files- Allow systemd labeled as init_t to setattr on unallocated ttys BZ(1697667) * Mon Apr 08 2019 Lukas Vrabec - 3.14.4-9- Merge #18 `Add check for config file consistency`- Allow tlp_t domain also write to nvme_devices block devices BZ(1696943)- Fix typo in rhsmcertd SELinux module- Allow dnsmasq_t domain to manage NetworkManager_var_lib_t files- Allow rhsmcertd_t domain to read yum.log file labeled as rpm_log_t- Allow unconfined users to use vsock unlabeled sockets- Add interface kernel_rw_unlabeled_vsock_socket()- Allow unconfined users to use smc unlabeled sockets- Add interface kernel_rw_unlabeled_smc_socket- Allow systemd_resolved_t domain to read system network state BZ(1697039)- Allow systemd to mounton kernel sysctls BZ(1696201)- Add interface kernel_mounton_kernel_sysctl() BZ(1696201)- Allow systemd to mounton several systemd direstory to increase security of systemd Resolves: rhbz#1696201 * Fri Apr 05 2019 Lukas Vrabec - 3.14.4-8- Allow systemd to mounton several systemd direstory to increase security of systemdResolves: rhbz#1696201 * Wed Apr 03 2019 Lukas Vrabec - 3.14.4-7- Allow fontconfig file transition for xguest_u user- Add gnome_filetrans_fontconfig_home_content interface- Add permissions needed by systemd\'s machinectl shell/login- Update SELinux policy for xen services- Add dac_override capability for kdumpctl_t process domain- Allow chronyd_t domain to exec shell- Fix varnisncsa typo- Allow init start freenx-server BZ(1678025)- Create logrotate_use_fusefs boolean- Add tcpd_wrapped_domain for telnetd BZ(1676940)- Allow tcpd bind to services ports BZ(1676940)- Update mysql_filetrans_named_content() to allow cluster to create mysql dirs in /var/run with proper label mysqld_var_run_t- Make shell_exec_t type as entrypoint for vmtools_unconfined_t.- Merge branch \'rawhide\' of github.com:fedora-selinux/selinux-policy-contrib into rawhide- Allow virtlogd_t domain to create virt_etc_rw_t files in virt_etc_t- Allow esmtp access .esmtprc BZ(1691149)- Merge branch \'rawhide\' of github.com:fedora-selinux/selinux-policy-contrib into rawhide- Allow tlp_t domain to read nvme block devices BZ(1692154)- Add support for smart card authentication in cockpit BZ(1690444)- Add permissions needed by systemd\'s machinectl shell/login- Allow kmod_t domain to mmap modules_dep_t files.- Allow systemd_machined_t dac_override capability BZ(1670787)- Update modutils_read_module_deps_files() interface to also allow mmap module_deps_t files- Allow unconfined_domain_type to use bpf tools BZ(1694115)- Revert \"Allow unconfined_domain_type to use bpf tools BZ(1694115)\"- Merge branch \'rawhide\' of github.com:fedora-selinux/selinux-policy into rawhide- Allow unconfined_domain_type to use bpf tools BZ(1694115)- Allow init_t read mnt_t symlinks BZ(1637070)- Update dev_filetrans_all_named_dev() interface- Allow xdm_t domain to execmod temp files BZ(1686675)- Revert \"Allow xdm_t domain to create own tmp files BZ(1686675)\"- Allow getty_t, local_login_t, chkpwd_t and passwd_t to use usbttys. BZ(1691582)- Allow confined users labeled as staff_t to run iptables.- Merge branch \'rawhide\' of github.com:fedora-selinux/selinux-policy into rawhide- Allow xdm_t domain to create own tmp files BZ(1686675)- Add miscfiles_dontaudit_map_generic_certs interface. * Sat Mar 23 2019 Lukas Vrabec - 3.14.4-6- Allow boltd_t domain to write to sysfs_t dirs BZ(1689287)- Allow fail2ban execute journalctl BZ(1689034)- Update sudodomains to make working confined users run sudo/su- Introduce new boolean unconfined_dyntrans_all.- Allow iptables_t domain to read NetworkManager state BZ(1690881) * Tue Mar 19 2019 Lukas Vrabec - 3.14.4-5- Update xen SELinux module- Improve labeling for PCP plugins- Allow varnishd_t domain to read sysfs_t files- Update vmtools policy- Allow virt_qemu_ga_t domain to read udev_var_run_t files- Update nagios_run_sudo boolean with few allow rules related to accessing sssd- Update file context for modutils rhbz#1689975- Label /dev/xen/hypercall and /dev/xen/xenbus_backend as xen_device_t Resolves: rhbz#1679293- Grant permissions for onloadfs files of all classes.- Allow all domains to send dbus msgs to vmtools_unconfined_t processes- Label /dev/pkey as crypt_device_t- Allow sudodomains to write to systemd_logind_sessions_t pipes.- Label /usr/lib64/libcuda.so.XX.XX library as textrel_shlib_t. * Tue Mar 12 2019 Lukas Vrabec - 3.14.4-4- Update vmtools policy- Allow virt_qemu_ga_t domain to read udev_var_run_t files- Update nagios_run_sudo boolean with few allow rules related to accessing sssd- Update travis CI to install selinux-policy dependencies without checking for gpg check- Allow journalctl_t domain to mmap syslogd_var_run_t files- Allow smokeping process to mmap own var lib files and allow set process group. Resolves: rhbz#1661046- Allow sbd_t domain to bypass permission checks for sending signals- Allow sbd_t domain read/write all sysctls- Allow kpatch_t domain to communicate with policykit_t domsin over dbus- Allow boltd_t to stream connect to sytem dbus- Allow zabbix_t domain to create sockets labeled as zabbix_var_run_t BZ(1683820)- Allow all domains to send dbus msgs to vmtools_unconfined_t processes- Label /dev/pkey as crypt_device_t- Allow sudodomains to write to systemd_logind_sessions_t pipes.- Label /usr/lib64/libcuda.so.XX.XX library as textrel_shlib_t.- Allow ifconfig_t domain to read /dev/random BZ(1687516)- Fix interface modutils_run_kmod() where was used old interface modutils_domtrans_insmod instead of new one modutils_domtrans_kmod() Resolves: rhbz#1686660- Update travis CI to install selinux-policy dependencies without checking for gpg check- Label /usr/sbin/nodm as xdm_exec_t same as other display managers- Update userdom_admin_user_template() and init_prog_run_bpf() interfaces to make working bpftool for confined admin- Label /usr/sbin/e2mmpstatus as fsadm_exec_t Resolves: rhbz#1684221- Update unconfined_dbus_send() interface to allow both direction communication over dbus with unconfined process. * Wed Feb 27 2019 Lukas Vrabec - 3.14.4-3- Reverting https://src.fedoraproject.org/rpms/selinux-policy/pull-request/15 because \"%pretrans\" cannot use shell scripts.Resolves: rhbz#1683365 * Tue Feb 26 2019 Lukas Vrabec - 3.14.4-2- Merge insmod_t, depmod_t and update_modules_t do kmod_t * Mon Feb 25 2019 Lukas Vrabec - 3.14.4-1- Allow openvpn_t domain to set capability BZ(1680276)- Update redis_enable_notify() boolean to fix sending e-mail by redis when this boolean is turned on- Allow chronyd_t domain to send data over dgram socket- Add rolekit_dgram_send() interface- Fix bug in userdom_restricted_xwindows_user_template() template to disallow all user domains to access admin_home_t - kernel/files.fc: Label /var/run/motd.d(./ *)? and /var/run/motd as pam_var_run_t * Thu Feb 14 2019 Lukas Vrabec - 3.14.3-22- Allow dovecot_t domain to connect to mysql db- Add dac_override capability for sbd_t SELinux domain- Add dac_override capability for spamd_update_t domain- Allow nnp transition for domains fsadm_t, lvm_t and mount_t - Add fs_manage_fusefs_named_pipes interface * Tue Feb 12 2019 Lukas Vrabec - 3.14.3-21- Allow glusterd_t to write to automount unnamed pipe Resolves: rhbz#1674243- Allow ddclient_t to setcap Resolves: rhbz#1674298- Add dac_override capability to vpnc_t domain- Add dac_override capability to spamd_t domain- Allow ibacm_t domain to read system state and label all ibacm sockets and symlinks as ibacm_var_run_t in /var/run- Allow read network state of system for processes labeled as ibacm_t- Allow ibacm_t domain to send dgram sockets to kernel processes- Allow dovecot_t to connect to MySQL UNIX socket- Fix CI for use on forks- Fix typo bug in sensord policy- Update ibacm_t policy after testing lastest version of this component- Allow sensord_t domain to mmap own log files- Allow virt_doamin to read/write dev device- Add dac_override capability for ipa_helper_t- Update policy with multiple allow rules to make working installing VM in MLS policy- Allow syslogd_t domain to send null signal to all domains on system Resolves: rhbz#1673847 - Merge branch \'rawhide\' of github.com:fedora-selinux/selinux-policy into rawhide - Allow systemd-logind daemon to remove shared memory during logout Resolves: rhbz#1674172 - Always label /home symlinks as home_root_t - Update mount_read_pid_files macro to allow also list mount_var_run_t dirs - Fix typo bug in userdomain SELinux policy - Merge branch \'rawhide\' of github.com:fedora-selinux/selinux-policy into rawhide - Allow user domains to stop systemd user sessions during logout process - Fix CI for use on forks - Label /dev/sev char device as sev_device_t - Add s_manage_fusefs_named_sockets interface - Allow systemd-journald to receive messages including a memfd * Sat Feb 02 2019 Lukas Vrabec - 3.14.3-20- Allow sensord_t domain to use nsswitch and execute shell- Allow opafm_t domain to execute lib_t files- Allow opafm_t domain to manage kdump_crash_t files and dirs- Allow virt domains to read/write cephfs filesystems- Allow virtual machine to write to fixed_disk_device_t- Update kdump_manage_crash() interface to allow also manage dirs by caller domain Resolves: rhbz#1491585- Allow svnserve_t domain to create in /tmp svn_0 file labeled as krb5_host_rcache_t- Allow vhostmd_t read libvirt configuration files- Update dbus_role_template interface to allow userdomains to accept data from userdomain dbus domains- Add miscfiles_filetrans_named_content_letsencrypt() to optional_block - Allow unconfined domains to create letsencrypt directory in /var/lib labeled as cert_t - Allow staff_t user to systemctl iptables units. - Allow systemd to read selinux logind config - obj_perm_sets.spt: Add xdp_socket to socket_class_set. - Add xdp_socket security class and access vectors - Allow transition from init_t domain to user_t domain during ssh login with confined user user_u * Tue Jan 29 2019 Lukas Vrabec - 3.14.3-19- Add new xdp_socket class- Update dbus_role_template interface to allow userdomains to accept data from userdomain dbus domains- Allow boltd_t domain to read cache_home_t files BZ(1669911)- Allow winbind_t domain to check for existence of processes labeled as systemd_hostnamed_t BZ(1669912)- Allow gpg_agent_t to create own tmpfs dirs and sockets- Allow openvpn_t domain to manage vpnc pidfiles BZ(1667572)- Add multiple interfaces for vpnc interface file- Label /var/run/fcgiwrap dir as httpd_var_run_t BZ(1655702)- In MongoDB 3.4.16, 3.6.6, 4.0.0 and later, mongod reads netstat info from proc and stores it in its diagnostic system (FTDC). See: https://jira.mongodb.org/browse/SERVER-31400 This means that we need to adjust the policy so that the mongod process is allowed to open and read /proc/net/netstat, which typically has symlinks (e.g. /proc/net/snmp).- Allow gssd_t domain to manage kernel keyrings of every domain.- Revert \"Allow gssd_t domain to read/write kernel keyrings of every domain.\"- Allow plymouthd_t search efivarfs directory BZ(1664143) * Tue Jan 15 2019 Lukas Vrabec - 3.14.3-18- Allow plymouthd_t search efivarfs directory BZ(1664143)- Allow arpwatch send e-mail notifications BZ(1657327)- Allow tangd_t domain to bind on tcp ports labeled as tangd_port_t- Allow gssd_t domain to read/write kernel keyrings of every domain.- Allow systemd_timedated_t domain nnp_transition BZ(1666222)- Add the fs_search_efivarfs_dir interface- Create tangd_port_t with default label tcp/7406- Add interface domain_rw_all_domains_keyrings()- Some of the selinux-policy macros doesn\'t work in chroots/initial installs. BZ(1665643) * Fri Jan 11 2019 Lukas Vrabec - 3.14.3-17- Allow staff_t domain to read read_binfmt_misc filesystem- Add interface fs_read_binfmt_misc()- Revert \"Allow staff_t to rw binfmt_misc_fs_t files BZ(1658975)\" * Fri Jan 11 2019 Lukas Vrabec - 3.14.3-16- Allow sensord_t to execute own binary files- Allow pcp_pmlogger_t domain to getattr all filesystem BZ(1662432)- Allow virtd_lxc_t domains use BPF BZ(1662613)- Allow openvpn_t domain to read systemd state BZ(1661065)- Dontaudit ptrace all domains for blueman_t BZ(1653671)- Used correct renamed interface for imapd_t domain- Change label of /usr/libexec/lm_sensors/sensord-service-wrapper from lsmd_exec_t to sensord_exec_t BZ(1662922)- Allow hddtemp_t domain to read nvme block devices BZ(1663579)- Add dac_override capability to spamd_t domain BZ(1645667)- Allow pcp_pmlogger_t to mount tracefs_t filesystem BZ(1662983)- Allow pcp_pmlogger_t domain to read al sysctls BZ(1662441)- Specify recipients that will be notified about build CI results.- Allow saslauthd_t domain to mmap own pid files BZ(1653024)- Add dac_override capability for snapperd_t domain BZ(1619356)- Make kpatch_t domain application domain to allow users to execute kpatch in kpatch_t domain.- Add ipc_owner capability to pcp_pmcd_t domain BZ(1655282)- Update pulseaudio_stream_connect() to allow caller domain create stream sockets to cumminicate with pulseaudio- Allow pcp_pmlogger_t domain to send signals to rpm_script_t BZ(1651030)- Add new interface: rpm_script_signal()- Allow init_t domain to mmap init_var_lib_t files and dontaudit leaked fd. BZ(1651008)- Make workin: systemd-run --system --pty bash BZ(1647162)- Allow ipsec_t domain dbus chat with systemd_resolved_t BZ(1662443)- Allow staff_t to rw binfmt_misc_fs_t files BZ(1658975)- Specify recipients that will be notified about build CI results.- Label /usr/lib/systemd/user as systemd_unit_file_t BZ(1652814)- Allow sysadm_t,staff_t and unconfined_t domain to execute kpatch as kpatch_t domain- Add rules to allow systemd to mounton systemd_timedated_var_lib_t.- Allow x_userdomains to stream connect to pulseaudio BZ(1658286) * Sun Dec 16 2018 Lukas Vrabec - 3.14.3-15- Add macro-expander script to selinux-policy-devel package * Thu Dec 06 2018 Lukas Vrabec - 3.14.3-14- Remove all ganesha bits from gluster and rpc policy- Label /usr/share/spamassassin/sa-update.cron as spamd_update_exec_t- Add dac_override capability to ssad_t domains- Allow pesign_t domain to read gnome home configs- Label /usr/libexec/lm_sensors/sensord-service-wrapper as lsmd_exec_t- Allow rngd_t domains read kernel state- Allow certmonger_t domains to read bind cache- Allow ypbind_t domain to stream connect to sssd- Allow rngd_t domain to setsched- Allow sanlock_t domain to read/write sysfs_t files- Add dac_override capability to postfix_local_t domain- Allow ypbind_t to search sssd_var_lib_t dirs- Allow virt_qemu_ga_t domain to write to user_tmp_t files- Allow systemd_logind_t to dbus chat with virt_qemu_ga_t- Update sssd_manage_lib_files() interface to allow also mmap sssd_var_lib_t files- Add new interface sssd_signal()- Update xserver_filetrans_home_content() and xserver_filetrans_admin_home_content() unterfaces to allow caller domain to create .vnc dir in users homedir labeled as xdm_home_t- Update logging_filetrans_named_content() to allow caller domains of this interface to create /var/log/journal/remote directory labeled as var_log_t- Add sys_resource capability to the systemd_passwd_agent_t domain- Allow ipsec_t domains to read bind cache- kernel/files.fc: Label /run/motd as etc_t- Allow systemd to stream connect to userdomain processes- Label /var/lib/private/systemd/ as init_var_lib_t- Allow initrc_t domain to create new socket labeled as init_T- Allow audisp_remote_t domain remote logging client to read local audit events from relevant socket.- Add tracefs_t type to mountpoint attribute- Allow useradd_t and groupadd_t domains to send signals to sssd_t- Allow systemd_logind_t domain to remove directories labeled as tmpfs_t BZ(1648636)- Allow useradd_t and groupadd_t domains to access sssd files because of the new feature in shadow-utils * Wed Nov 07 2018 Lukas Vrabec - 3.14.3-13- Update pesign policy to allow pesign_t domain to read bind cache files/dirs- Add dac_override capability to mdadm_t domain- Create ibacm_tmpfs_t type for the ibacm policy- Dontaudit capability sys_admin for dhcpd_t domain- Makes rhsmcertd_t domain an exception to the constraint preventing changing the user identity in object contexts.- Allow abrt_t domain to mmap generic tmp_t files- Label /usr/sbin/wpa_cli as wpa_cli_exec_t- Allow sandbox_xserver_t domain write to user_tmp_t files- Allow certutil running as ipsec_mgmt_t domain to mmap ipsec_mgmt pid files Dontaudit ipsec_mgmt_t domain to write to the all mountpoints- Add interface files_map_generic_tmp_files()- Add dac_override capability to the syslogd_t domain- Create systemd_timedated_var_run_t label- Update systemd_timedated_t domain to allow create own pid files/access init_var_lib_t files and read dbus files BZ(1646202)- Add init_read_var_lib_lnk_files and init_read_var_lib_sock_files interfaces * Sun Nov 04 2018 Lukas Vrabec - 3.14.3-12- Dontaudit thumb_t domain to setattr on lib_t dirs BZ(1643672)- Dontaudit cupsd_t domain to setattr lib_t dirs BZ(1636766)- Add dac_override capability to postgrey_t domain BZ(1638954)- Allow thumb_t domain to execute own tmpfs files BZ(1643698)- Allow xdm_t domain to manage dosfs_t files BZ(1645770)- Label systemd-timesyncd binary as systemd_timedated_exec_t to make it run in systemd_timedated_t domain BZ(1640801)- Improve fs_manage_ecryptfs_files to allow caller domain also mmap ecryptfs_t files BZ(1630675)- Label systemd-user-runtime-dir binary as systemd_logind_exec_t BZ(1644313) * Sun Nov 04 2018 Lukas Vrabec - 3.14.3-11- Add nnp transition rule for vnstatd_t domain using NoNewPrivileges systemd feature BZ(1643063)- Allow l2tpd_t domain to mmap /etc/passwd file BZ(1638948)- Add dac_override capability to ftpd_t domain- Allow gpg_t to create own tmpfs dirs and sockets- Allow rhsmcertd_t domain to relabel cert_t files- Add SELinux policy for kpatch- Allow nova_t domain to use pam- sysstat: grant sysstat_t the search_dir_perms set- Label systemd-user-runtime-dir binary as systemd_logind_exec_t BZ(1644313)- Allow systemd_logind_t to read fixed dist device BZ(1645631)- Allow systemd_logind_t domain to read nvme devices BZ(1645567)- Allow systemd_rfkill_t domain to comunicate via dgram sockets with syslogd BZ(1638981)- kernel/files.fc: Label /run/motd.d(/. *)? as etc_t- Allow ipsec_mgmt_t process to send signals other than SIGKILL, SIGSTOP, or SIGCHLD to the ipsec_t domains BZ(1638949)- Allow X display manager to check status and reload services which are part of x_domain attribute- Add interface miscfiles_relabel_generic_cert()- Make kpatch policy active- Fix userdom_write_user_tmp_dirs() to allow caller domain also read/write user_tmp_t dirs- Dontaudit sys_admin capability for netutils_t domain- Label tcp and udp ports 2611 as qpasa_agent_port_t * Tue Oct 16 2018 Lukas Vrabec - 3.14.3-10- Allow boltd_t domain to dbus chat with fwupd_t domain BZ(1633786) * Mon Oct 15 2018 Lukas Vrabec - 3.14.3-9- Allow caller domains using cron_ *_role to have entrypoint permission on system_cron_spool_t files BZ(1625645)- Add interface cron_system_spool_entrypoint()- Bolt added d-bus API for force-powering the thunderbolt controller, so system-dbusd needs acces to boltd pipes BZ(1637676)- Add interfaces for boltd SELinux module- Add dac_override capability to modemmanager_t domain BZ(1636608)- Allow systemd to mount boltd_var_run_t dirs BZ(1636823)- Label correctly /var/named/chroot */dev/unrandom in bind chroot. * Sat Oct 13 2018 Lukas Vrabec - 3.14.3-8- ejabberd SELinux module removed, it\'s shipped by ejabberd-selinux package * Sat Oct 13 2018 Lukas Vrabec - 3.14.3-7- Update rpm macros for selinux policy from sources repository: https://github.com/fedora-selinux/selinux-policy-macros * Tue Oct 09 2018 Lukas Vrabec - 3.14.3-6- Allow boltd_t to be activated by init socket activation- Allow virt_domain to read/write to virtd_t unix_stream socket because of new version of libvirt 4.4. BZ(1635803)- Update SELinux policy for libreswan based on the latest rebase 3.26- Fix typo in init_named_socket_activation interface * Thu Oct 04 2018 Lukas Vrabec - 3.14.3-5- Allow dictd_t domain to mmap dictd_var_lib_t files BZ(1634650)- Fix typo in boltd.te policy- Allow fail2ban_t domain to mmap journal- Add kill capability to named_t domain- Allow neutron domain to read/write /var/run/utmp- Create boltd_var_run_t type for boltd pid files- Allow tomcat_domain to read /dev/random- Allow neutron_t domain to use pam- Add the port used by nsca (Nagios Service Check Acceptor) * Mon Sep 24 2018 Lukas Vrabec - 3.14.3-4- Update sources to include SELinux policy for containers * Thu Sep 20 2018 Lukas Vrabec - 3.14.3-3- Allow certmonger to manage cockpit_var_run_t pid files- Allow cockpit_ws_t domain to manage cockpit services- Allow dirsrvadmin_script_t domain to list httpd_tmp_t dirs- Add interface apache_read_tmp_dirs()- Fix typo in cockpit interfaces we have cockpit_var_run_t files not cockpit_var_pid_t- Add interface apcupsd_read_power_files()- Allow systemd labeled as init_t to execute logrotate in logrotate_t domain- Allow dac_override capability to amanda_t domain- Allow geoclue_t domain to get attributes of fs_t filesystems- Update selinux policy for rhnsd_t domain based on changes in spacewalk-2.8-client- Allow cockpit_t domain to read systemd state- Allow abrt_t domain to write to usr_t files- Allow cockpit to create motd file in /var/run/cockpit- Label /usr/sbin/pcsd as cluster_exec_t- Allow pesign_t domain to getattr all fs- Allow tomcat servers to manage usr_t files- Dontaudit tomcat serves to append to /dev/random device- Allow dirsrvadmin_script_t domain to read httpd tmp files- Allow sbd_t domain to getattr of all char files in /dev and read sysfs_t files and dirs- Fix path where are sources for CI- Revert \"Allow firewalld_t domain to read random device\"- Add travis CI for selinux-policy-contrib repo- Allow postfix domains to mmap system db files- Allow geoclue_t domain to execute own tmp files- Update ibacm_read_pid_files interface to allow also reading link files- Allow zebra_t domain to create packet_sockets- Allow opafm_t domain to list sysfs- Label /usr/libexec/cyrus-imapd/cyrus-master as cyris_exec_t- Allow tomcat Tomcat to delete a temporary file used when compiling class files for JSPs.- Allow chronyd_t domain to read virt_var_lib_t files- Allow systemd to read apcupsd power files- Revert \"Allow polydomain to create /tmp-inst labeled as tmp_t\"- Allow polydomain to create /tmp-inst labeled as tmp_t- Allow polydomain to create /tmp-inst labeled as tmp_t- Allow systemd_resolved_t domain to bind on udp howl port- Add new boolean use_virtualbox Resolves: rhbz#1510478- Allow sshd_t domain to read cockpit pid files- Allow syslogd_t domain to manage cert_t files- Fix path where are sources for CI- Add travis.yml to to create CI for selinux-policy sources- Allow getattr as part of files_mounton_kernel_symbol_table.- Fix typo \"aduit\" -> \"audit\"- Revert \"Add new interface dev_map_userio()\"- Add new interface dev_map_userio()- Allow systemd to read ibacm pid files * Thu Sep 06 2018 Lukas Vrabec - 3.14.3-2- Allow tomcat services create link file in /tmp- Label /etc/shorewall6 as shorewall_etc_t- Allow winbind_t domain kill in user namespaces- Allow firewalld_t domain to read random device- Allow abrt_t domain to do execmem- Allow geoclue_t domain to execute own var_lib_t files- Allow openfortivpn_t domain to read system network state- Allow dnsmasq_t domain to read networkmanager lib files- sssd: Allow to limit capabilities using libcap- sssd: Remove unnecessary capability- sssd: Do not audit usage of lib nss_systemd.so- Fix bug in nsd.fc, /var/run/nsd.ctl is socket file not file- Add correct namespace_init_exec_t context to /etc/security/namespace.d/ *- Update nscd_socket_use to allow caller domain to mmap nscd_var_run_t files- Allow exim_t domain to mmap bin files- Allow mysqld_t domain to executed with nnp transition- Allow svirt_t domain to mmap svirt_image_t block files- Add caps dac_read_search and dav_override to pesign_t domain- Allow iscsid_t domain to mmap userio chr files- Add read interfaces for mysqld_log_t that was added in commit df832bf- Allow boltd_t to dbus chat with xdm_t- Conntrackd need to load kernel module to work- Allow mysqld sys_nice capability- Update boltd policy based on SELinux denials from rhbz#1607974- Allow systemd to create symlinks in for /var/lib- Add comment to show that template call also allows changing shells- Document userdom_change_password_template() behaviour- update files_mounton_kernel_symbol_table() interface to allow caller domain also mounton system_map_t file- Fix typo in logging SELinux module- Allow usertype to mmap user_tmp_type files- In domain_transition_pattern there is no permission allowing caller domain to execu_no_trans on entrypoint, this patch fixing this issue- Revert \"Add execute_no_trans permission to mmap_exec_file_perms pattern\"- Add boolean: domain_can_mmap_files.- Allow ipsec_t domian to mmap own tmp files- Add .gitignore file- Add execute_no_trans permission to mmap_exec_file_perms pattern- Allow sudodomain to search caller domain proc info- Allow audisp_remote_t domain to read auditd_etc_t- netlabel: Remove unnecessary sssd nsswitch related macros- Allow to use sss module in auth_use_nsswitch- Limit communication with init_t over dbus- Add actual modules.conf to the git repo- Add few interfaces to optional block- Allow sysadm_t and staff_t domain to manage systemd unit files- Add interface dev_map_userio_dev() * Tue Aug 28 2018 Lukas Vrabec - 3.14.3-1- Allow ovs-vswitchd labeled as openvswitch_t domain communicate with qemu-kvm via UNIX stream socket- Add interface devicekit_mounton_var_lib()- Allow httpd_t domain to mmap tmp files- Allow tcsd_t domain to have dac_override capability- Allow cupsd_t to rename cupsd_etc_t files- Allow iptables_t domain to create rawip sockets- Allow amanda_t domain to mmap own tmpfs files- Allow fcoemon_t domain to write to sysfs_t dirs- Allow dovecot_auth_t domain to have dac_override capability- Allow geoclue_t domain to mmap own tmp files- Allow chronyc_t domain to read network state- Allow apcupsd_t domain to execute itself- Allow modemmanager_t domain to stream connect to sssd- Allow chonyc_t domain to rw userdomain pipes- Update dirsrvadmin_script_t policy to allow read httpd_tmp_t symlinks- Update dirsrv_read_share() interface to allow caller domain to mmap dirsrv_share_t files- Allow nagios_script_t domain to mmap nagios_spool_t files- Allow geoclue_t domain to mmap geoclue_var_lib_t files- Allow geoclue_t domain to map generic certs- Update munin_manage_var_lib_files to allow manage also dirs- Allow nsd_t domain to create new socket file in /var/run/nsd.ctl- Fix typo in virt SELinux policy module- Allow virtd_t domain to create netlink_socket- Allow rpm_t domain to write to audit- Allow nagios_script_t domain to mmap nagios_etc_t files- Update nscd_socket_use() to allow caller domain to stream connect to nscd_t- Allow kdumpctl_t domain to getattr fixed disk device in mls- Fix typo in stapserver policy- Dontaudit abrt_t domain to write to usr_t dirs- Revert \"Allow rpcbind to bind on all unreserved udp ports\"- Allow rpcbind to bind on all unreserved udp ports- Allow virtlogd to execute itself- Allow stapserver several actions: - execute own tmp files - mmap stapserver_var_lib_t files - create stapserver_tmpfs_t files- Allow ypxfr_t domain to stream connect to rpcbind and allos search sssd libs- Allos systemd to socket activate ibacm service- Allow dirsrv_t domain to mmap user_t files- Allow kdumpctl_t domain to manage kdumpctl_tmp_t fifo files- Allow kdumpctl to write to files on all levels- Allow httpd_t domain to mmap httpd_config_t files- Allow sanlock_t domain to connectto to unix_stream_socket- Revert \"Add same context for symlink as binary\"- Allow mysql execute rsync- Update nfsd_t policy because of ganesha features- Allow conman to getattr devpts_t- Allow tomcat_domain to connect to smtp ports- Allow tomcat_t domain to mmap tomcat_var_lib_t files- Allow nagios_t domain to mmap nagios_log_t files- Allow kpropd_t domain to mmap krb5kdc_principal_t files- Allow kdumpctl_t domain to read fixed disk storage- Fix issue with aliases in apache interface file- Add same context for symlink as binary- Allow boltd_t to send logs to journal- Allow colord_use_nfs to allow colord also mmap nfs_t files- Allow mysqld_safe_t do execute itself- Allow smbd_t domain to chat via dbus with avahi daemon- cupsd_t domain will create /etc/cupsd/ppd as cupsd_etc_rw_t- Update screen_role_template to allow caller domain to have screen_exec_t as entrypoint do new domain- Add alias httpd__script_t to _script_t to make sepolicy generate working- Allow dhcpc_t domain to read /dev/random- Allow systemd to mounton kernel system table- Allow systemd to mounton device_var_lib_t dirs- Label also chr_file /dev/mtd. * devices as fixed_disk_device_t- Allow syslogd_t domain to create netlink generic sockets- Label /dev/tpmrm[0-9] * as tpm_device_t- Update dev_filetrans_all_named_dev() to allow create event22-30 character files with label event_device_t- Update userdom_security_admin() and userdom_security_admin_template() to allow use auditctl- Allow insmod_t domain to read iptables pid files- Allow systemd to mounton /etc- Allow initrc_domain to mmap all binaries labeled as systemprocess_entry- Allow xserver_t domain to start using systemd socket activation- Tweak SELinux policy for systemd to allow DynamicUsers systemd feature- Associate several proc labels to fs_t- Update init_named_socket_activation() interface to allow systemd also create link files in /var/run- Fix typo in syslogd policy- Update syslogd policy to make working elasticsearch- Label tcp and udp ports 9200 as wap_wsp_port- Allow few domains to rw inherited kdumpctl tmp pipes- label /var/lib/pgsql/data/log as postgresql_log_t- Allow sysadm_t domain to accept socket- Allow systemd to manage passwd_file_t * Fri Aug 10 2018 Lukas Vrabec - 3.14.2-32- Fix issue with aliases in apache interface file- Add same context for symlink as binary- Allow boltd_t to send logs to journal- Allow colord_use_nfs to allow colord also mmap nfs_t files- Allow mysqld_safe_t do execute itself- Allow smbd_t domain to chat via dbus with avahi daemon- cupsd_t domain will create /etc/cupsd/ppd as cupsd_etc_rw_t- Update screen_role_template to allow caller domain to have screen_exec_t as entrypoint do new domain- Add alias httpd__script_t to _script_t to make sepolicy generate working- Allow gpg_t domain to mmap gpg_agent_tmp_t files- label /var/lib/pgsql/data/log as postgresql_log_t- Allow sysadm_t domain to accept socket- Allow systemd to manage passwd_file_t- Allow sshd_t domain to mmap user_tmp_t files * Tue Aug 07 2018 Lukas Vrabec - 3.14.2-31- Allow kprop_t domain to read network state- Add support boltd policy- Allow kpropd domain to exec itself- Allow pdns_t to bind on tcp transproxy port- Add support for opafm service- Allow hsqldb_t domain to read cgroup files- Allow rngd_t domain to read generic certs- Allow innd_t domain to mmap own var_lib_t files- Update screen_role_temaplate interface- Allow chronyd_t domain to mmap own tmpfs files- Allow sblim_sfcbd_t domain to mmap own tmpfs files- Allow systemd to mounont boltd lib dirs- Allow sysadm_t domain to create rawip sockets- Allow sysadm_t domain to listen on socket- Update sudo_role_template() to allow caller domain also setattr generic ptys- Update logging_manage_all_logs() interface to allow caller domain map all logfiles * Sun Jul 29 2018 Lukas Vrabec - 3.14.2-30- Allow sblim_sfcbd_t domain to mmap own tmpfs files- Allow nfsd_t domain to read krb5 keytab files- Allow nfsd_t domain to manage fadm pid files- Allow virt_domain to create icmp sockets BZ(1609142)- Dontaudit oracleasm_t domain to request sys_admin capability- Update logging_manage_all_logs() interface to allow caller domain map all logfiles * Wed Jul 25 2018 Lukas Vrabec - 3.14.2-29- Allow aide to mmap all files- Revert \"Allow firewalld to create rawip sockets\"- Revert \"Allow firewalld_t do read iptables_var_run_t files\"- Allow svirt_tcg_t domain to read system state of virtd_t domains- Update rhcs contexts to reflects the latest fenced changes- Allow httpd_t domain to rw user_tmp_t files- Fix typo in openct policy- Allow winbind_t domian to connect to all ephemeral ports- Allow firewalld_t do read iptables_var_run_t files- Allow abrt_t domain to mmap data_home files- Allow glusterd_t domain to mmap user_tmp_t files- Allow mongodb_t domain to mmap own var_lib_t files- Allow firewalld to read kernel usermodehelper state- Allow modemmanager_t to read sssd public files- Allow openct_t domain to mmap own var_run_t files- Allow nnp transition for devicekit daemons- Allow firewalld to create rawip sockets- Allow firewalld to getattr proc filesystem- Dontaudit sys_admin capability for pcscd_t domain- Revert \"Allow pcsd_t domain sys_admin capability\"- Allow fetchmail_t domain to stream connect to sssd- Allow pcsd_t domain sys_admin capability- Allow cupsd_t to create cupsd_etc_t dirs- Allow varnishlog_t domain to list varnishd_var_lib_t dirs- Allow mongodb_t domain to read system network state BZ(1599230)- Allow tgtd_t domain to create dirs in /var/run labeled as tgtd_var_run_t BZ(1492377)- Allow iscsid_t domain to mmap sysfs_t files- Allow httpd_t domain to mmap own cache files- Add sys_resource capability to nslcd_t domain- Fixed typo in logging_audisp_domain interface- Add interface files_mmap_all_files()- Add interface iptables_read_var_run()- Allow systemd to mounton init_var_run_t files- Update policy rules for auditd_t based on changes in audit version 3- Allow systemd_tmpfiles_t do mmap system db files- Merge branch \'rawhide\' of github.com:fedora-selinux/selinux-policy into rawhide- Improve domain_transition_pattern to allow mmap entrypoint bin file.- Don\'t setup unlabeled_t as an entry_type- Allow unconfined_service_t to transition to container_runtime_t * Wed Jul 18 2018 Lukas Vrabec - 3.14.2-28- Allow cupsd_t domain to mmap cupsd_etc_t files- Allow kadmind_t domain to mmap krb5kdc_principal_t- Allow virtlogd_t domain to read virt_etc_t link files- Allow dirsrv_t domain to read crack db- Dontaudit pegasus_t to require sys_admin capability- Allow mysqld_t domain to exec mysqld_exec_t binary files- Allow abrt_t odmain to read rhsmcertd lib files- Allow winbind_t domain to request kernel module loads- Allow tomcat_domain to read cgroup_t files- Allow varnishlog_t domain to mmap varnishd_var_lib_t files- Allow innd_t domain to mmap news_spool_t files- Label HOME_DIR/mozilla.pdf file as mozilla_home_t instead of user_home_t- Allow fenced_t domain to reboot- Allow amanda_t domain to read network system state- Allow abrt_t domain to read rhsmcertd logs- Fix typo in radius policy- Update zoneminder policy to reflect latest features in zoneminder BZ(1592555)- Label /usr/bin/esmtp-wrapper as sendmail_exec_t- Update raid_access_check_mdadm() interface to dontaudit caller domain to mmap mdadm_exec_t binary files- Dontaudit thumb to read mmap_min_addr- Allow chronyd_t to send to system_cronjob_t via unix dgram socket BZ(1494904)- Allow mpd_t domain to mmap mpd_tmpfs_t files BZ(1585443)- Allow collectd_t domain to use ecryptfs files BZ(1592640)- Dontaudit mmap home type files for abrt_t domain- Allow fprintd_t domain creating own tmp files BZ(1590686)- Allow collectd_t domain to bind on bacula_port_t BZ(1590830)- Allow fail2ban_t domain to getpgid BZ(1591421)- Allow nagios_script_t domain to mmap nagios_log_t files BZ(1593808)- Allow pcp_pmcd_t domain to use sys_ptrace usernamespace cap- Allow sssd_selinux_manager_t to read/write to systemd sockets BZ(1595458)- Allow virt_qemu_ga_t domain to read network state BZ(1592145)- Allow radiusd_t domain to mmap radius_etc_rw_t files- Allow git_script_t domain to read and mmap gitosis_var_lib_t files BZ(1591729)- Add dac_read_search capability to thumb_t domain- Add dac_override capability to cups_pdf_t domain BZ(1594271)- Add net_admin capability to connntrackd_t domain BZ(1594221)- Allow gssproxy_t domain to domtrans into gssd_t domain BZ(1575234)- Fix interface init_dbus_chat in oddjob SELinux policy BZ(1590476)- Allow motion_t to mmap video devices BZ(1590446)- Add dac_override capability to mpd_t domain BZ(1585358)- Allow fsdaemon_t domain to write to mta home files BZ(1588212)- Allow virtlogd_t domain to chat via dbus with systemd_logind BZ(1589337)- Allow sssd_t domain to write to general cert files BZ(1589339)- Allow l2tpd_t domain to sends signull to ipsec domains BZ(1589483)- Allow cockpit_session_t to read kernel network state BZ(1596941)- Allow devicekit_power_t start with nnp systemd security feature with proper SELinux Domain transition BZ(1593817)- Update rhcs_rw_cluster_tmpfs() interface to allow caller domain to mmap cluster_tmpfs_t files- Allow chronyc_t domain to use nscd shm- Label /var/lib/tomcats dir as tomcat_var_lib_t- Allow lsmd_t domain to mmap lsmd_plugin_exec_t files- Add ibacm policy- Label /usr/sbin/rhn_check-[0-9]+.[0-9]+ as rpm_exec_t- Allow kdumpgui_t domain to allow execute and mmap all binaries labeled as kdumpgui_tmp_t- Dontaudit syslogd to watching top llevel dirs when imfile module is enabled- Allow userdomain sudo domains to use generic ptys- Allow systemd labeled as init_t to get sysvipc info BZ(1600877)- Label /sbin/xtables-legacy-multi and /sbin/xtables-nft-multi as iptables_exec_t BZ(1600690)- Remove duplicated userdom_delete_user_home_content_files- Merge pull request #216 from rhatdan/resolved- Allow load_policy_t domain to read/write to systemd sockets BZ(1582812)- Add new interface init_prog_run_bpf()- Allow unconfined and sysadm users to use bpftool BZ(1591440)- Label /run/cockpit/motd as etc_t BZ(1584167)- Allow systemd_machined_t domain to sendto syslogd_t over unix dgram sockets- Add interface userdom_dontaudit_mmap_user_home_content_files()- Allow systemd to listen bluetooth sockets BZ(1592223)- Allow systemd to remove user_home_t files BZ(1418463)- Allow xdm_t domain to mmap and read cert_t files BZ(1553761)- Allow nsswitch_domain to mmap passwd_file_t files BZ(1518655)- Allow systemd to delete user temp files BZ(1595189)- Allow systemd to mounton core kernel interface- Add dac_override capability to ipsec_t domain BZ(1589534)- Allow systemd domain to mmap lvm config files BZ(1594584)- Allow systemd to write systemd_logind_inhibit_var_run_t fifo files- Allows systemd to get attribues of core kernel interface BZ(1596928)- Allow systemd_modules_load_t to access unabeled infiniband pkeys- Add systemd_dbus_chat_resolved interface- Allow init_t domain to create netlink rdma sockets for ibacm policy- Update corecmd_exec_shell() interface to allow caller domain to mmap shell_exec_t files- Allow lvm_t domain to write files to all mls levels- Add to su_role_template allow rule for creating netlink_selinux sockets * Sat Jul 14 2018 Fedora Release Engineering - 3.14.2-27- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild * Wed Jun 27 2018 Lukas Vrabec - 3.14.2-26- Allow psad domain to setrlimit. Allow psad domain to stream connect to dbus Allow psad domain to exec journalctl_exec_t binary- Update cups_filetrans_named_content() to allow caller domain create ppd directory with cupsd_etc_rw_t label- Allow abrt_t domain to write to rhsmcertd pid files- Allow pegasus_t domain to eexec lvm binaries and allow read/write access to lvm control- Add vhostmd_t domain to read/write to svirt images- Update kdump_manage_kdumpctl_tmp_files() interface to allow caller domain also mmap kdumpctl_tmp_t files- Allow sssd_t and slpad_t domains to mmap generic certs- Allow chronyc_t domain use inherited user ttys- Allow stapserver_t domain to mmap own tmp files- Update nscd_dontaudit_write_sock_file() to dontaudit also stream connect to nscd_t domain- Merge pull request #60 from vmojzis/rawhide- Allow tangd_t domain stream connect to sssd- Allow oddjob_t domain to chat with systemd via dbus- Allow freeipmi domains to mmap sysfs files- Fix typo in logwatch interface file- Allow sysadm_t and staff_t domains to use sudo io logging- Allow sysadm_t domain create sctp sockets- Allow traceroute_t domain to exec bin_t binaries- Allow systemd_passwd_agent_t domain to list sysfs Allow systemd_passwd_agent_t domain to dac_override- Add new interface dev_map_sysfs() * Thu Jun 14 2018 Lukas Vrabec - 3.14.2-25- Merge pull request #60 from vmojzis/rawhide- Allow tangd_t domain stream connect to sssd- Allow oddjob_t domain to chat with systemd via dbus- Allow freeipmi domains to mmap sysfs files- Fix typo in logwatch interface file- Allow spamd_t to manage logwatch_cache_t files/dirs- Allow dnsmasw_t domain to create own tmp files and manage mnt files- Allow fail2ban_client_t to inherit rlimit information from parent process- Allow nscd_t to read kernel sysctls- Label /var/log/conman.d as conman_log_t- Add dac_override capability to tor_t domain- Allow certmonger_t to readwrite to user_tmp_t dirs- Allow abrt_upload_watch_t domain to read general certs- Allow chornyd_t read phc2sys_t shared memory- Add several allow rules for pesign policy:- Add setgid and setuid capabilities to mysqlfd_safe_t domain- Add tomcat_can_network_connect_db boolean- Update virt_use_sanlock() boolean to read sanlock state- Add sanlock_read_state() interface- Allow zoneminder_t to getattr of fs_t- Allow rhsmcertd_t domain to send signull to postgresql_t domain- Add log file type to collectd and allow corresponding access- Allow policykit_t domain to dbus chat with dhcpc_t- Allow traceroute_t domain to exec bin_t binaries- Allow systemd_passwd_agent_t domain to list sysfs Allow systemd_passwd_agent_t domain to dac_override- Add new interface dev_map_sysfs()- Allow sshd_keygen_t to execute plymouthd- Allow systemd_networkd_t create and relabel tun sockets- Add new interface postgresql_signull() * Tue Jun 12 2018 Lukas Vrabec - 3.14.2-24- /usr/libexec/bluetooth/obexd should have only obexd_exec_t instead of bluetoothd_exec_t type- Allow ntop_t domain to create/map various sockets/files.- Enable the dictd to communicate via D-bus.- Allow inetd_child process to chat via dbus with abrt- Allow zabbix_agent_t domain to connect to redis_port_t- Allow rhsmcertd_t domain to read xenfs_t files- Allow zabbix_agent_t to run zabbix scripts- Fix openvswith SELinux module- Fix wrong path in tlp context file BZ(1586329)- Update brltty SELinux module- Allow rabbitmq_t domain to create own tmp files/dirs- Allow policykit_t mmap policykit_auth_exec_t files- Allow ipmievd_t domain to read general certs- Add sys_ptrace capability to pcp_pmie_t domain- Allow squid domain to exec ldconfig- Update gpg SELinux policy module- Allow mailman_domain to read system network state- Allow openvswitch_t domain to read neutron state and read/write fixed disk devices- Allow antivirus_domain to read all domain system state- Allow targetd_t domain to red gconf_home_t files/dirs- Label /usr/libexec/bluetooth/obexd as obexd_exec_t- Add interface nagios_unconfined_signull()- Fix typos in zabbix.te file- Add missing requires- Allow tomcat domain sends email- Fix typo in sge policy- Merge pull request #214 from wrabcak/fb-dhcpc- Allow dhcpc_t creating own socket files inside /var/run/ Allow dhcpc_t creating netlink_kobject_uevent_socket, netlink_generic_socket, rawip_socket BZ(1585971)- Allow confined users get AFS tokens- Allow sysadm_t domain to chat via dbus- Associate sysctl_kernel_t type with filesystem attribute- Allow syslogd_t domain to send signull to nagios_unconfined_plugin_t- Fix typo in netutils.te file * Wed Jun 06 2018 Lukas Vrabec - 3.14.2-23- Add dac_override capability to sendmail_t domian * Wed Jun 06 2018 Lukas Vrabec - 3.14.2-22- Fix typo in authconfig policy- Update ctdb domain to support gNFS setup- Allow authconfig_t dbus chat with policykit- Allow lircd_t domain to read system state- Revert \"Allow fsdaemon_t do send emails BZ(1582701)\"- Typo in uuidd policy- Allow tangd_t domain read certs- Allow vpnc_t domain to read configfs_t files/dirs BZ(1583107)- Allow vpnc_t domain to read generic certs BZ(1583100)- Label /var/lib/phpMyAdmin directory as httpd_sys_rw_content_t BZ(1584811)- Allow NetworkManager_ssh_t domain to be system dbud client- Allow virt_qemu_ga_t read utmp- Add capability dac_override to system_mail_t domain- Update uuidd policy to reflect last changes from base branch- Add cap dac_override to procmail_t domain- Allow sendmail to mmap etc_aliases_t files BZ(1578569)- Add new interface dbus_read_pid_sock_files()- Allow mpd_t domain read config_home files if mpd_enable_homedirs boolean will be enabled- Allow fsdaemon_t do send emails BZ(1582701)- Allow firewalld_t domain to request kernel module BZ(1573501)- Allow chronyd_t domain to send send msg via dgram socket BZ(1584757)- Add sys_admin capability to fprint_t SELinux domain- Allow cyrus_t domain to create own files under /var/run BZ(1582885)- Allow cachefiles_kernel_t domain to have capability dac_override- Update policy for ypserv_t domain- Allow zebra_t domain to bind on tcp/udp ports labeled as qpasa_agent_port_t- Allow cyrus to have dac_override capability- Dontaudit action when abrt-hook-ccpp is writing to nscd sockets- Fix homedir polyinstantion under mls- Fixed typo in init.if file- Allow systemd to remove generic tmpt files BZ(1583144)- Update init_named_socket_activation() interface to also allow systemd create objects in /var/run with proper label during socket activation- Allow systemd-networkd and systemd-resolved services read system-dbusd socket BZ(1579075)- Fix typo in authlogin SELinux security module- Allod nsswitch_domain attribute to be system dbusd client BZ(1584632)- Allow audisp_t domain to mmap audisp_exec_t binary- Update ssh_domtrans_keygen interface to allow mmap ssh_keygen_exec_t binary file- Label tcp/udp ports 2612 as qpasa_agetn_port_t * Sat May 26 2018 Lukas Vrabec - 3.14.2-21- Add dac_override to exim policy BZ(1574303)- Fix typo in conntrackd.fc file- Allow sssd_t to kill sssd_selinux_manager_t- Allow httpd_sys_script_t to connect to mongodb_port_t if boolean httpd_can_network_connect_db is turned on- Allow chronyc_t to redirect ourput to /var/lib /var/log and /tmp- Allow policykit_auth_t to read udev db files BZ(1574419)- Allow varnishd_t do be dbus client BZ(1582251)- Allow cyrus_t domain to mmap own pid files BZ(1582183)- Allow user_mail_t domain to mmap etc_aliases_t files- Allow gkeyringd domains to run ssh agents- Allow gpg_pinentry_t domain read ssh state- Allow sysadm_u use xdm- Allow xdm_t domain to listen ofor unix dgram sockets BZ(1581495)- Add interface ssh_read_state()- Fix typo in sysnetwork.if file * Thu May 24 2018 Lukas Vrabec - 3.14.2-20- Allow tangd_t domain to create tcp sockets and add new interface tangd_read_db_files- Allow mailman_mail_t domain to search for apache configs- Allow mailman_cgi_t domain to ioctl an httpd with a unix domain stream sockets.- Improve procmail_domtrans() to allow mmaping procmail_exec_t- Allow ptrace arbitrary processes- Allow jabberd_router_t domain read kerberos keytabs BZ(1573945)- Allow certmonger to geattr of filesystems BZ(1578755)- Update dev_map_xserver_misc interface to allo mmaping char devices instead of files- Allow noatsecure permission for all domain transitions from systemd.- Allow systemd to read tangd db files- Fix typo in ssh.if file- Allow xdm_t domain to mmap xserver_misc_device_t files- Allow xdm_t domain to execute systemd-coredump binary- Add bridge_socket, dccp_socket, ib_socket and mpls_socket to socket_class_set- Improve modutils_domtrans_insmod() interface to mmap insmod_exec_t binaries- Improve iptables_domtrans() interface to allow mmaping iptables_exec_t binary- Improve auth_domtrans_login_programinterface to allow also mmap login_exec_t binaries- Improve auth_domtrans_chk_passwd() interface to allow also mmaping chkpwd_exec_t binaries.- Allow mmap dhcpc_exec_t binaries in sysnet_domtrans_dhcpc interface- Improve running xorg with proper SELinux domain even if systemd security feature NoNewPrivileges is used * Tue May 22 2018 Lukas Vrabec - 3.14.2-19- Increase dependency versions of policycoreutils and checkpolicy packages * Mon May 21 2018 Lukas Vrabec - 3.14.2-18- Disable secure mode environment cleansing for dirsrv_t- Allow udev execute /usr/libexec/gdm-disable-wayland in xdm_t domain which allows create /run/gdm/custom.conf with proper xdm_var_run_t label. * Mon May 21 2018 Lukas Vrabec - 3.14.2-17- Add dac_override capability to remote_login_t domain- Allow chrome_sandbox_t to mmap tmp files- Update ulogd SELinux security policy- Allow rhsmcertd_t domain send signull to apache processes- Allow systemd socket activation for modemmanager- Allow geoclue to dbus chat with systemd- Fix file contexts on conntrackd policy- Temporary fix for varnish and apache adding capability for DAC_OVERRIDE- Allow lsmd_plugin_t domain to getattr lsm_t unix stream sockets- Add label for /usr/sbin/pacemaker-remoted to have cluster_exec_t- Allow nscd_t domain to be system dbusd client- Allow abrt_t domain to read sysctl- Add dac_read_search capability for tangd- Allow systemd socket activation for rshd domain- Add label for /usr/libexec/cyrus-imapd/master as cyrus_exec_t to have proper SELinux domain transition from init_t to cyrus_t- Allow kdump_t domain to map /boot files- Allow conntrackd_t domain to send msgs to syslog- Label /usr/sbin/nhrpd and /usr/sbin/pimd binaries as zebra_exec_t- Allow swnserve_t domain to stream connect to sasl domain- Allow smbcontrol_t to create dirs with samba_var_t label- Remove execstack,execmem and execheap from domains setroubleshootd_t, locate_t and podsleuth_t to increase security. BZ(1579760)- Allow tangd to read public sssd files BZ(1509054)- Allow geoclue start with nnp systemd security feature with proper SELinux Domain transition BZ(1575212)- Allow ctdb_t domain modify ctdb_exec_t files- Allow firewalld_t domain to create netlink_netfilter sockets- Allow radiusd_t domain to read network sysctls- Allow pegasus_t domain to mount tracefs_t filesystem- Allow create systemd to mount pid files- Add files_map_boot_files() interface- Remove execstack,execmem and execheap from domain fsadm_t to increase security. BZ(1579760)- Fix typo xserver SELinux module- Allow systemd to mmap files with var_log_t label- Allow x_userdomains read/write to xserver session * Mon Apr 30 2018 Lukas Vrabec - 3.14.2-16- Allow systemd to mmap files with var_log_t label- Allow x_userdomains read/write to xserver session * Sat Apr 28 2018 Lukas Vrabec - 3.14.2-15- Allow unconfined_domain_type to create libs filetrans named content BZ(1513806) * Fri Apr 27 2018 Lukas Vrabec - 3.14.2-14- Add dac_override capability to mailman_mail_t domain- Add dac_override capability to radvd_t domain- Update openvswitch policy- Add dac_override capability to oddjob_homedir_t domain- Allow slapd_t domain to mmap slapd_var_run_t files- Rename tang policy to tangd- Allow virtd_t domain to relabel virt_var_lib_t files- Allow logrotate_t domain to stop services via systemd- Add tang policy- Allow mozilla_plugin_t to create mozilla.pdf file in user homedir with label mozilla_home_t- Allow snapperd_t daemon to create unlabeled dirs.- Make httpd_var_run_t mountpoint- Allow hsqldb_t domain to mmap own temp files- We have inconsistency in cgi templates with upstream, we use _content_t, but refpolicy use httpd__content_t. Created aliasses to make it consistence- Allow Openvswitch adding netdev bridge ovs 2.7.2.10 FDP- Add new Boolean tomcat_use_execmem- Allow nfsd_t domain to read/write sysctl fs files- Allow conman to read system state- Allow brltty_t domain to be dbusd system client- Allow zebra_t domain to bind on babel udp port- Allow freeipmi domain to read sysfs_t files- Allow targetd_t domain mmap lvm config files- Allow abrt_t domain to manage kdump crash files- Add capability dac_override to antivirus domain- Allow svirt_t domain mmap svirt_image_t files BZ(1514538)- Allow ftpd_t domain to chat with systemd- Allow systemd init named socket activation for uuidd policy- Allow networkmanager domain to write to ecryptfs_t files BZ(1566706)- Allow l2tpd domain to stream connect to sssd BZ(1568160)- Dontaudit abrt_t to write to lib_t dirs BZ(1566784)- Allow NetworkManager_ssh_t domain transition to insmod_t BZ(1567630)- Allow certwatch to manage cert files BZ(1561418)- Merge pull request #53 from tmzullinger/rawhide- Merge pull request #52 from thetra0/rawhide- Allow abrt_dump_oops_t domain to mmap all non security files BZ(1565748)- Allow gpg_t domain mmap cert_t files Allow gpg_t mmap gpg_agent_t files- Allow NetworkManager_ssh_t domain use generic ptys. BZ(1565851)- Allow pppd_t domain read/write l2tpd pppox sockets BZ(1566096)- Allow xguest user use bluetooth sockets if xguest_use_bluetooth boolean is turned on.- Allow pppd_t domain creating pppox sockets BZ(1566271)- Allow abrt to map var_lib_t files- Allow chronyc to read system state BZ(1565217)- Allow keepalived_t domain to chat with systemd via dbus- Allow git to mmap git_(sys|user)_content_t files BZ(1518027)- Allow netutils_t domain to create bluetooth sockets- Allow traceroute to bind on generic sctp node- Allow traceroute to search network sysctls- Allow systemd to use virtio console- Label /dev/op_panel and /dev/opal-prd as opal_device_t- Label /run/ebtables.lock as iptables_var_run_t- Allow udev_t domain to manage udev_rules_t char files.- Assign babel_port_t label to udp port 6696- Add new interface lvm_map_config- Merge pull request #212 from stlaz/patch-1- Allow local_login_t reads of udev_var_run_t context- Associate sysctl_crypto_t fs with fs_t BZ(1569313)- Label /dev/vhost-vsock char device as vhost_device_t- Allow iptables_t domain to create dirs in etc_t with system_conf_t labels- Allow x userdomain to mmap xserver_tmpfs_t files- Allow sysadm_t to mount tracefs_t- Allow unconfined user all perms under bpf class BZ(1565738)- Allow SELinux users (except guest and xguest) to using bluetooth sockets- Add new interface files_map_var_lib_files()- Allow user_t and staff_t domains create netlink tcpdiag sockets- Allow systemd-networkd to read sysctl_t files- Allow systemd_networkd_t to read/write tun tap devices- refpolicy: Update for kernel sctp support * Thu Apr 12 2018 Lukas Vrabec - 3.14.2-13- refpolicy: Update for kernel sctp support- Allow smbd_t send to nmbd_t via dgram sockets BZ(1563791)- Allow antivirus domain to be client for system dbus BZ(1562457)- Dontaudit requesting tlp_t domain kernel modules, its a kernel bug BZ(1562383)- Add new boolean: colord_use_nfs() BZ(1562818)- Allow pcp_pmcd_t domain to check access to mdadm BZ(1560317)- Allow colord_t to mmap gconf_home_t files- Add new boolean redis_enable_notify()- Label /var/log/shibboleth-www(/. *) as httpd_sys_rw_content_t- Add new label for vmtools scripts and label it as vmtools_unconfined_t stored in /etc/vmware-tools/- Remove labeling for /etc/vmware-tools to bin_t it should be vmtools_unconfined_exec_t * Sat Apr 07 2018 Lukas Vrabec - 3.14.2-12- Add new boolean redis_enable_notify()- Label /var/log/shibboleth-www(/. *) as httpd_sys_rw_content_t- Add new label for vmtools scripts and label it as vmtools_unconfined_t stored in /etc/vmware-tools/- Allow svnserve_t domain to manage kerberos rcache and read krb5 keytab- Add dac_override and dac_read_search capability to hypervvssd_t domain- Label /usr/lib/systemd/systemd-fence_sanlockd as fenced_exec_t- Allow samba to create /tmp/host_0 as krb5_host_rcache_t- Add dac_override capability to fsdaemon_t BZ(1564143)- Allow abrt_t domain to map dos files BZ(1564193)- Add dac_override capability to automount_t domain- Allow keepalived_t domain to connect to system dbus bus- Allow nfsd_t to read nvme block devices BZ(1562554)- Allow lircd_t domain to execute bin_t files BZ(1562835)- Allow l2tpd_t domain to read sssd public files BZ(1563355)- Allow logrotate_t domain to do dac_override BZ(1539327)- Remove labeling for /etc/vmware-tools to bin_t it should be vmtools_unconfined_exec_t- Add capability sys_resource to systemd_sysctl_t domain- Label all /dev/rbd * devices as fixed_disk_device_t- Allow xdm_t domain to mmap xserver_log_t files BZ(1564469)- Allow local_login_t domain to rread udev db- Allow systemd_gpt_generator_t to read /dev/random device- add definition of bpf class and systemd perms * Thu Mar 29 2018 Lukas Vrabec - 3.14.2-11- Allow accountsd_t domain to dac override BZ(1561304)- Allow cockpit_ws_t domain to read system state BZ(1561053)- Allow postfix_map_t domain to use inherited user ptys BZ(1561295)- Allow abrt_dump_oops_t domain dac override BZ(1561467)- Allow l2tpd_t domain to run stream connect for sssd_t BZ(1561755)- Allow crontab domains to do dac override- Allow snapperd_t domain to unmount fs_t filesystems- Allow pcp processes to read fixed_disk devices BZ(1560816)- Allow unconfined and confined users to use dccp sockets- Allow systemd to manage bpf dirs/files- Allow traceroute_t to create dccp_sockets * Mon Mar 26 2018 Lukas Vrabec - 3.14.2-10- Fedora Atomic host using for temp files /sysroot/tmp patch, we should label same as /tmp adding file context equivalence BZ(1559531) * Sun Mar 25 2018 Lukas Vrabec - 3.14.2-9- Allow smbcontrol_t to mmap samba_var_t files and allow winbind create sockets BZ(1559795)- Allow nagios to exec itself and mmap nagios spool files BZ(1559683)- Allow nagios to mmap nagios config files BZ(1559683)- Fixing Ganesha module- Fix typo in NetworkManager module- Fix bug in gssproxy SELinux module- Allow abrt_t domain to mmap container_file_t files BZ(1525573)- Allow networkmanager to be run ssh client BZ(1558441)- Allow pcp domains to do dc override BZ(1557913)- Dontaudit pcp_pmie_t to reaquest lost kernel module- Allow pcp_pmcd_t to manage unpriv userdomains semaphores BZ(1554955)- Allow httpd_t to read httpd_log_t dirs BZ(1554912)- Allow fail2ban_t to read system network state BZ(1557752)- Allow dac override capability to mandb_t domain BZ(1529399)- Allow collectd_t domain to mmap collectd_var_lib_t files BZ(1556681)- Dontaudit bug in kernel 4.16 when domains requesting loading kernel modules BZ(1555369)- Add Domain transition from gssproxy_t to httpd_t domains BZ(1548439)- Allow httpd_t to mmap user_home_type files if boolean httpd_read_user_content is enabled BZ(1555359)- Allow snapperd to relabel snapperd_data_t- Improve bluetooth_stream_socket interface to allow caller domain also send bluetooth sockets- Allow tcpd_t bind on sshd_port_t if ssh_use_tcpd() is enabled- Allow insmod_t to load modules BZ(1544189)- Allow systemd_rfkill_t domain sys_admin capability BZ(1557595)- Allow systemd_networkd_t to read/write tun tap devices- Add shell_exec_t file as domain entry for init_t- Label also /run/systemd/resolved/ as systemd_resolved_var_run_t BZ(1556862)- Dontaudit kernel 4.16 bug when lot of domains requesting load kernel module BZ(1557347)- Improve userdom_mmap_user_home_content_files- Allow systemd_logind_t domain to setattributes on fixed disk devices BZ(1555414)- Dontaudit kernel 4.16 bug when lot of domains requesting load kernel module- Allow semanage_t domain mmap usr_t files- Add new boolean: ssh_use_tcpd() * Wed Mar 21 2018 Lukas Vrabec - 3.14.2-8- Improve bluetooth_stream_socket interface to allow caller domain also send bluetooth sockets- Allow tcpd_t bind on sshd_port_t if ssh_use_tcpd() is enabled- Allow semanage_t domain mmap usr_t files- Add new boolean: ssh_use_tcpd() * Tue Mar 20 2018 Lukas Vrabec - 3.14.2-7- Update screen_role_template() to allow also creating sockets in HOMEDIR/screen/- Allow newrole_t dacoverride capability- Allow traceroute_t domain to mmap packet sockets- Allow netutils_t domain to mmap usmmon device- Allow netutils_t domain to use mmap on packet_sockets- Allow traceroute to create icmp packets- Allos sysadm_t domain to create tipc sockets- Allow confined users to use new socket classes for bluetooth, alg and tcpdiag sockets * Thu Mar 15 2018 Lukas Vrabec - 3.14.2-6- Allow rpcd_t domain dac override- Allow rpm domain to mmap rpm_var_lib_t files- Allow arpwatch domain to create bluetooth sockets- Allow secadm_t domain to mmap audit config and log files- Update init_abstract_socket_activation() to allow also creating tcp sockets- getty_t should be ranged in MLS. Then also local_login_t runs as ranged domain.- Add SELinux support for systemd-importd- Create new type bpf_t and label /sys/fs/bpf with this type * Mon Mar 12 2018 Lukas Vrabec - 3.14.2-5- Allow bluetooth_t domain to create alg_socket BZ(1554410)- Allow tor_t domain to execute bin_t files BZ(1496274)- Allow iscsid_t domain to mmap kernel modules BZ(1553759)- Update minidlna SELinux policy BZ(1554087)- Allow motion_t domain to read sysfs_t files BZ(1554142)- Allow snapperd_t domain to getattr on all files,dirs,sockets,pipes BZ(1551738)- Allow l2tp_t domain to read ipsec config files BZ(1545348)- Allow colord_t to mmap home user files BZ(1551033)- Dontaudit httpd_t creating kobject uevent sockets BZ(1552536)- Allow ipmievd_t to mmap kernel modules BZ(1552535)- Allow boinc_t domain to read cgroup files BZ(1468381)- Backport allow rules from refpolicy upstream repo- Allow gpg_t domain to bind on all unereserved udp ports- Allow systemd to create systemd_rfkill_var_lib_t dirs BZ(1502164)- Allow netlabel_mgmt_t domain to read sssd public files, stream connect to sssd_t BZ(1483655)- Allow xdm_t domain to sys_ptrace BZ(1554150)- Allow application_domain_type also mmap inherited user temp files BZ(1552765)- Update ipsec_read_config() interface- Fix broken sysadm SELinux module- Allow ipsec_t to search for bind cache BZ(1542746)- Allow staff_t to send sigkill to mount_t domain BZ(1544272)- Label /run/systemd/resolve/stub-resolv.conf as net_conf_t BZ(1471545)- Label ip6tables.init as iptables_exec_t BZ(1551463)- Allow hostname_t to use usb ttys BZ(1542903)- Add fsetid capability to updpwd_t domain BZ(1543375)- Allow systemd machined send signal to all domains BZ(1372644)- Dontaudit create netlink selinux sockets for unpriv SELinux users BZ(1547876)- Allow sysadm_t to create netlink generic sockets BZ(1547874)- Allow passwd_t domain chroot- Dontaudit confined unpriviliged users setuid capability * Tue Mar 06 2018 Lukas Vrabec - 3.14.2-4- Allow l2tpd_t domain to create pppox sockets- Update dbus_system_bus_client() so calling domain could read also system_dbusd_var_lib_t link files BZ(1544251)- Add interface abrt_map_cache()- Update gnome_manage_home_config() to allow also map permission BZ(1544270)- Allow oddjob_mkhomedir_t domain to be dbus system client BZ(1551770)- Dontaudit kernel bug when several services requesting load kernel module- Allow traceroute and unconfined domains creating sctp sockets- Add interface corenet_sctp_bind_generic_node()- Allow ping_t domain to create icmp sockets- Allow staff_t to mmap abrt_var_cache_t BZ(1544273)- Fix typo bug in dev_map_framebuffer() interface BZ(1551842)- Dontaudit kernel bug when several services requesting load kernel module * Mon Mar 05 2018 Lukas Vrabec - 3.14.2-3- Allow vdagent_t domain search cgroup dirs BZ(1541564)- Allow bluetooth_t domain listen on bluetooth sockets BZ(1549247)- Allow bluetooth domain creating bluetooth sockets BZ(1551577)- pki_log_t should be log_file- Allow gpgdomain to unix_stream socket connectto- Make working gpg agent in gpg_agent_t domain- Dontaudit thumb_t to rw lvm pipes BZ(154997)- Allow start cups_lpd via systemd socket activation BZ(1532015)- Improve screen_role_template Resolves: rhbz#1534111- Dontaudit modemmanager to setpgid. BZ(1520482)- Dontaudit kernel bug when systemd requesting load kernel module BZ(1547227)- Allow systemd-networkd to create netlink generic sockets BZ(1551578)- refpolicy: Define getrlimit permission for class process- refpolicy: Define smc_socket security class- Allow transition from sysadm role into mdadm_t domain.- ssh_t trying to communicate with gpg agent not sshd_t- Allow sshd_t communicate with gpg_agent_t- Allow initrc domains to mmap binaries with direct_init_entry attribute BZ(1545643)- Revert \"Allow systemd_rfkill_t domain to reguest kernel load module BZ(1543650)\"- Revert \"Allow systemd to request load kernel module BZ(1547227)\"- Allow systemd to write to all pidfile socketes because of SocketActivation unit option ListenStream= BZ(1543576)- Add interface lvm_dontaudit_rw_pipes() BZ(154997)- Add interfaces for systemd socket activation- Allow systemd-resolved to create stub-resolv.conf with right label net_conf_t BZ(1547098) * Thu Feb 22 2018 Lukas Vrabec - 3.14.2-2- refpolicy: Define extended_socket_class policy capability and socket classes- Make bluetooth_var_lib_t as mountpoint BZ(1547416)- Allow systemd to request load kernel module BZ(1547227)- Allow ipsec_t domain to read l2tpd pid files- Allow sysadm to read/write trace filesystem BZ(1547875)- Allow syslogd_t to mmap systemd coredump tmpfs files BZ(1547761) * Wed Feb 21 2018 Lukas Vrabec - 3.14.2-1- Rebuild for current rawhide (fc29) * Tue Feb 20 2018 Lukas Vrabec - 3.14.1-9- Fix broken cups Security Module- Allow dnsmasq_t domain dbus chat with unconfined users. BZ(1532079)- Allow geoclue to connect to tcp nmea port BZ(1362118)- Allow pcp_pmcd_t to read mock lib files BZ(1536152)- Allow abrt_t domain to mmap passwd file BZ(1540666)- Allow gpsd_t domain to get session id of another process BZ(1540584)- Allow httpd_t domain to mmap httpd_tmpfs_t files BZ(1540405)- Allow cluster_t dbus chat with systemd BZ(1540163)- Add interface raid_stream_connect()- Allow nscd_t to mmap nscd_var_run_t files BZ(1536689)- Allow dovecot_delivery_t to mmap mail_home_rw_t files BZ(1531911)- Make cups_pdf_t domain system dbusd client BZ(1532043)- Allow logrotate to read auditd_log_t files BZ(1525017)- Improve snapperd SELinux policy BZ(1514272)- Allow virt_domain to read virt_image_t files BZ(1312572)- Allow openvswitch_t stream connect svirt_t- Update dbus_dontaudit_stream_connect_system_dbusd() interface- Allow openvswitch domain to manage svirt_tmp_t sock files- Allow named_filetrans_domain domains to create .heim_org.h5l.kcm-socket sock_file with label sssd_var_run_t BZ(1538210)- Merge pull request #50 from dodys/pkcs- Label tcp and udp ports 10110 as nmea_port_t BZ(1362118)- Allow systemd to access rfkill lib dirs BZ(1539733)- Allow systemd to mamange raid var_run_t sockfiles and files BZ(1379044)- Allow vxfs filesystem to use SELinux labels- Allow systemd to setattr on systemd_rfkill_var_lib_t dirs BZ(1512231)- Allow few services to dbus chat with snapperd BZ(1514272)- Allow systemd to relabel system unit symlink to systemd_unit_file_t. BZ(1535180)- Fix logging as staff_u into Fedora 27- Fix broken systemd_tmpfiles_run() interface * Fri Feb 09 2018 Igor Gnatenko - 3.14.1-8- Escape macros in %changelog * Thu Feb 08 2018 Lukas Vrabec - 3.14.1-7- Label /usr/sbin/ldap-agent as dirsrv_snmp_exec_t- Allow certmonger_t domain to access /etc/pki/pki-tomcat BZ(1542600)- Allow keepalived_t domain getattr proc filesystem- Allow init_t to create UNIX sockets for unconfined services (BZ1543049)- Allow ipsec_mgmt_t execute ifconfig_exec_t binaries Allow ipsec_mgmt_t nnp domain transition to ifconfig_t- Allow ipsec_t nnp transistions to domains ipsec_mgmt_t and ifconfig_t * Tue Feb 06 2018 Lukas Vrabec - 3.14.1-6- Allow openvswitch_t domain to read cpuid, write to sysfs files and creating openvswitch_tmp_t sockets- Add new interface ppp_filetrans_named_content()- Allow keepalived_t read sysctl_net_t files- Allow puppetmaster_t domtran to puppetagent_t- Allow kdump_t domain to read kernel ring buffer- Allow boinc_t to mmap boinc tmpfs files BZ(1540816)- Merge pull request #47 from masatake/keepalived-signal- Allow keepalived_t create and write a file under /tmp- Allow ipsec_t domain to exec ifconfig_exec_t binaries.- Allow unconfined_domain_typ to create pppd_lock_t directory in /var/lock- Allow updpwd_t domain to create files in /etc with shadow_t label * Tue Jan 30 2018 Lukas Vrabec - 3.14.1-5- Allow opendnssec daemon to execute ods-signer BZ(1537971) * Tue Jan 30 2018 Lukas Vrabec - 3.14.1-4- rpm: Label /usr/share/rpm usr_t (ostree/Atomic systems)- Update dbus_role_template() BZ(1536218)- Allow lldpad_t domain to mmap own tmpfs files BZ(1534119)- Allow blueman_t dbus chat with policykit_t BZ(1470501)- Expand virt_read_lib_files() interface to allow list dirs with label virt_var_lib_t BZ(1507110)- Allow postfix_master_t and postfix_local_t to connect to system dbus. BZ(1530275)- Allow system_munin_plugin_t domain to read sssd public files and allow stream connect to ssd daemon BZ(1528471)- Allow rkt_t domain to bind on rkt_port_t tcp BZ(1534636)- Allow jetty_t domain to mmap own temp files BZ(1534628)- Allow sslh_t domain to read sssd public files and stream connect to sssd. BZ(1534624)- Consistently label usr_t for kernel/initrd in /usr- kernel/files.fc: Label /usr/lib/sysimage as usr_t- Allow iptables sysctl load list support with SELinux enforced- Label HOME_DIR/.config/systemd/user/ * user unit files as systemd_unit_file_t BZ(1531864) * Fri Jan 19 2018 Lukas Vrabec - 3.14.1-3- Merge pull request #45 from jlebon/pr/rot-sd-dbus-rawhide- Allow virt_domains to acces infiniband pkeys.- Allow systemd to relabelfrom tmpfs_t link files in /var/run/systemd/units/ BZ(1535180)- Label /usr/libexec/ipsec/addconn as ipsec_exec_t to run this script as ipsec_t instead of init_t- Allow audisp_remote_t domain write to files on all levels * Mon Jan 15 2018 Lukas Vrabec - 3.14.1-2- Allow aide to mmap usr_t files BZ(1534182)- Allow ypserv_t domain to connect to tcp ports BZ(1534245)- Allow vmtools_t domain creating vmware_log_t files- Allow openvswitch_t domain to acces infiniband devices- Allow dirsrv_t domain to create tmp link files- Allow pcp_pmie_t domain to exec itself. BZ(153326)- Update openvswitch SELinux module- Allow virtd_t to create also sock_files with label virt_var_run_t- Allow chronyc_t domain to manage chronyd_keys_t files.- Allow logwatch to exec journal binaries BZ(1403463)- Allow sysadm_t and staff_t roles to manage user systemd services BZ(1531864)- Update logging_read_all_logs to allow mmap all logfiles BZ(1403463)- Add Label systemd_unit_file_t for /var/run/systemd/units/ * Mon Jan 08 2018 Lukas Vrabec - 3.14.1-1- Removed big SELinux policy patches against tresys refpolicy and use tarballs from fedora-selinux github organisation * Mon Jan 08 2018 Lukas Vrabec - 3.13.1-310- Use python3 package in BuildRequires to ensure python version 3 will be used for compiling SELinux policy * Fri Jan 05 2018 Lukas Vrabec - 3.13.1-309- auth_use_nsswitch() interface cannot be used for attributes fixing munin policy- Allow git_script_t to mmap git_user_content_t files BZ(1530937)- Allow certmonger domain to create temp files BZ(1530795)- Improve interface mock_read_lib_files() to include also symlinks. BZ(1530563)- Allow fsdaemon_t to read nvme devices BZ(1530018)- Dontaudit fsdaemon_t to write to admin homedir. BZ(153030)- Update munin plugin policy BZ(1528471)- Allow sendmail_t domain to be system dbusd client BZ(1478735)- Allow amanda_t domain to getattr on tmpfs filesystem BZ(1527645)- Allow named file transition to create rpmrebuilddb dir with proper SELinux context BZ(1461313)- Dontaudit httpd_passwd_t domain to read state of systemd BZ(1522672)- Allow thumb_t to mmap non security files BZ(1517393)- Allow smbd_t to mmap files with label samba_share_t BZ(1530453)- Fix broken sysnet_filetrans_named_content() interface- Allow init_t to create tcp sockets for unconfined services BZ(1366968)- Allow xdm_t to getattr on xserver_t process files BZ(1506116)- Allow domains which can create resolv.conf file also create it in systemd_resolved_var_run_t dir BZ(1530297)- Allow X userdomains to send dgram msgs to xserver_t BZ(1515967)- Add interface files_map_non_security_files() * Thu Jan 04 2018 Lukas Vrabec - 3.13.1-308- Make working SELinux sandbox with Wayland. BZ(1474082)- Allow postgrey_t domain to mmap postgrey_spool_t files BZ(1529169)- Allow dspam_t to mmap dspam_rw_content_t files BZ(1528723)- Allow collectd to connect to lmtp_port_t BZ(1304029)- Allow httpd_t to mmap httpd_squirrelmail_t files BZ(1528776)- Allow thumb_t to mmap removable_t files. BZ(1522724)- Allow sssd_t and login_pgm attribute to mmap auth_cache_t files BZ(1530118)- Add interface fs_mmap_removable_files() * Tue Dec 19 2017 Lukas Vrabec - 3.13.1-307- Allow crond_t to read pcp lib files BZ(1525420)- Allow mozilla plugin domain to mmap user_home_t files BZ(1452783)- Allow certwatch_t to mmap generic certs. BZ(1527173)- Allow dspam_t to manage dspam_rw_conent_t objects. BZ(1290876)- Add interface userdom_map_user_home_files()- Sytemd introduced new feature when journald(syslogd_t) is trying to read symlinks to unit files in /run/systemd/units. This commit label /run/systemd/units/ * as systemd_unit_file_t and allow syslogd_t to read this content. BZ(1527202)- Allow xdm_t dbus chat with modemmanager_t BZ(1526722)- All domains accessing home_cert_t objects should also mmap it. BZ(1519810) * Wed Dec 13 2017 Lukas Vrabec - 3.13.1-306- Allow thumb_t domain to dosfs_t BZ(1517720)- Allow gssd_t to read realmd_var_lib_t files BZ(1521125)- Allow domain transition from logrotate_t to chronyc_t BZ(1436013)- Allow git_script_t to mmap git_sys_content_t BZ(1517541)- Label /usr/bin/mysqld_safe_helper as mysqld_exec_t instead of bin_t BZ(1464803)- Label /run/openvpn-server/ as openvpn_var_run_t BZ(1478642)- Allow colord_t to mmap xdm pid files BZ(1518382)- Allow arpwatch to mmap usbmon device BZ(152456)- Allow mandb_t to read public sssd files BZ(1514093)- Allow ypbind_t stream connect to rpcbind_t domain BZ(1508659)- Allow qpid to map files.- Allow plymouthd_t to mmap firamebuf device BZ(1517405)- Dontaudit pcp_pmlogger_t to sys_ptrace capability BZ(1416611)- Update mta_manage_spool() interface to allow caller domain also mmap mta_spool_t files BZ(1517449)- Allow antivirus_t domain to mmap antivirus_db_t files BZ(1516816)- Allow cups_pdf_t domain to read cupd_etc_t dirs BZ(1516282)- Allow openvpn_t domain to relabel networkmanager tun device BZ(1436048)- Allow mysqld_t to mmap mysqld_tmp_t files BZ(1516899)- Update samba_manage_var_files() interface by adding map permission. BZ(1517125)- Allow pcp_pmlogger_t domain to execute itself. BZ(1517395)- Dontaudit sys_ptrace capability for mdadm_t BZ(1515849)- Allow pulseaudio_t domain to mmap pulseaudio_home_t files BZ(1515956)- Allow bugzilla_script_t domain to create netlink route sockets and udp sockets BZ(1427019)- Add interface fs_map_dos_files()- Update interface userdom_manage_user_home_content_files() to allow caller domain to mmap user_home_t files. BZ(1519729)- Add interface xserver_map_xdm_pid() BZ(1518382)- Add new interface dev_map_usbmon_dev() BZ(1524256)- Update miscfiles_read_fonts() interface to allow also mmap fonts_cache_t for caller domains BZ(1521137)- Allow ipsec_t to mmap cert_t and home_cert_t files BZ(1519810)- Fix typo in filesystem.if- Add interface dev_map_framebuffer()- Allow chkpwd command to mmap /etc/shadow BZ(1513704)- Fix systemd-resolved to run properly with SELinux in enforcing state BZ(1517529)- Allow thumb_t domain to mmap fusefs_t files BZ(1517517)- Allow userdom_home_reader_type attribute to mmap cifs_t files BZ(1517125)- Add interface fs_map_cifs_files()- Merge pull request #207 from rhatdan/labels- Merge pull request #208 from rhatdan/logdir- Allow domains that manage logfiles to man logdirs * Fri Nov 24 2017 Lukas Vrabec - 3.13.1-305- Make ganesha nfs server * Tue Nov 21 2017 Lukas Vrabec - 3.13.1-304- Add interface raid_relabel_mdadm_var_run_content()- Fix iscsi SELinux module- Allow spamc_t domain to read home mail content BZ(1414366)- Allow sendmail_t to list postfix config dirs BZ(1514868)- Allow dovecot_t domain to mmap mail content in homedirs BZ(1513153)- Allow iscsid_t domain to requesting loading kernel modules BZ(1448877)- Allow svirt_t domain to mmap svirt_tmpfs_t files BZ(1515304)- Allow cupsd_t domain to localization BZ(1514350)- Allow antivirus_t nnp domain transition because of systemd security features. BZ(1514451)- Allow tlp_t domain transition to systemd_rfkill_t domain BZ(1416301)- Allow abrt_t domain to mmap fusefs_t files BZ(1515169)- Allow memcached_t domain nnp_transition becuase of systemd security features BZ(1514867)- Allow httpd_t domain to mmap all httpd content type BZ(1514866)- Allow mandb_t to read /etc/passwd BZ(1514903)- Allow mandb_t domain to mmap files with label mandb_cache_t BZ(1514093)- Allow abrt_t domain to mmap files with label syslogd_var_run_t BZ(1514975)- Allow nnp transition for systemd-networkd daemon to run in proper SELinux domain BZ(1507263)- Allow systemd to read/write to mount_var_run_t files BZ(1515373)- Allow systemd to relabel mdadm_var_run_t sock files BZ(1515373)- Allow home managers to mmap nfs_t files BZ(1514372)- Add interface fs_mmap_nfs_files()- Allow systemd-mount to create new directory for mountpoint BZ(1514880)- Allow getty to use usbttys- Add interface systemd_rfkill_domtrans()- Allow syslogd_t to mmap files with label syslogd_var_lib_t BZ(1513403)- Add interface fs_mmap_fusefs_files()- Allow ipsec_t domain to mmap files with label ipsec_key_file_t BZ(1514251) * Thu Nov 16 2017 Lukas Vrabec - 3.13.1-303- Allow pcp_pmlogger to send logs to journal BZ(1512367)- Merge pull request #40 from lslebodn/kcm_kerberos- Allow services to use kerberos KCM BZ(1512128)- Allow system_mail_t domain to be system_dbus_client BZ(1512476)- Allow aide domain to stream connect to sssd_t BZ(1512500)- Allow squid_t domain to mmap files with label squid_tmpfs_t BZ(1498809)- Allow nsd_t domain to mmap files with labels nsd_tmp_t and nsd_zone_t BZ(1511269)- Include cupsd_config_t domain into cups_execmem boolean. BZ(1417584)- Allow samba_net_t domain to mmap samba_var_t files BZ(1512227)- Allow lircd_t domain to execute shell BZ(1512787)- Allow thumb_t domain to setattr on cache_home_t dirs BZ(1487814)- Allow redis to creating tmp files with own label BZ(1513518)- Create new interface thumb_nnp_domtrans allowing domaintransition with NoNewPrivs. This interface added to thumb_run() BZ(1509502)- Allow httpd_t to mmap httpd_tmp_t files BZ(1502303)- Add map permission to samba_rw_var_files interface. BZ(1513908)- Allow cluster_t domain creating bundles directory with label var_log_t instead of cluster_var_log_t- Add dac_read_search and dac_override capabilities to ganesha- Allow ldap_t domain to manage also slapd_tmp_t lnk files- Allow snapperd_t domain to relabeling from snapperd_data_t BZ(1510584)- Add dac_override capability to dhcpd_t doamin BZ(1510030)- Allow snapperd_t to remove old snaps BZ(1510862)- Allow chkpwd_t domain to mmap system_db_t files and be dbus system client BZ(1513704)- Allow xdm_t send signull to all xserver unconfined types BZ(1499390)- Allow fs associate for sysctl_vm_t BZ(1447301)- Label /etc/init.d/vboxdrv as bin_t to run virtualbox as unconfined_service_t BZ(1451479)- Allow xdm_t domain to read usermodehelper_t state BZ(1412609)- Allow dhcpc_t domain to stream connect to userdomain domains BZ(1511948)- Allow systemd to mmap kernel modules BZ(1513399)- Allow userdomains to mmap fifo_files BZ(1512242)- Merge pull request #205 from rhatdan/labels- Add map permission to init_domtrans() interface BZ(1513832)- Allow xdm_t domain to mmap and execute files in xdm_var_run_t BZ(1513883)- Unconfined domains, need to create content with the correct labels- Container runtimes are running iptables within a different user namespace- Add interface files_rmdir_all_dirs() * Mon Nov 06 2017 Lukas Vrabec - 3.13.1-302- Allow jabber domains to connect to postgresql ports- Dontaudit slapd_t to block suspend system- Allow spamc_t to stream connect to cyrys.- Allow passenger to connect to mysqld_port_t- Allow ipmievd to use nsswitch- Allow chronyc_t domain to use user_ptys- Label all files /var/log/opensm. * as opensm_log_t because opensm creating new log files with name opensm-subnet.lst- Fix typo bug in tlp module- Allow userdomain gkeyringd domain to create stream socket with userdomain * Fri Nov 03 2017 Lukas Vrabec - 3.13.1-301- Merge pull request #37 from milosmalik/rawhide- Allow mozilla_plugin_t domain to dbus chat with devicekit- Dontaudit leaked logwatch pipes- Label /usr/bin/VGAuthService as vmtools_exec_t to confine this daemon.- Allow httpd_t domain to execute hugetlbfs_t files BZ(1444546)- Allow chronyd daemon to execute chronyc. BZ(1507478)- Allow pdns to read network system state BZ(1507244)- Allow gssproxy to read network system state Resolves: rhbz#1507191- Allow nfsd_t domain to read configfs_t files/dirs- Allow tgtd_t domain to read generic certs- Allow ptp4l to send msgs via dgram socket to unprivileged user domains- Allow dirsrv_snmp_t to use inherited user ptys and read system state- Allow glusterd_t domain to create own tmpfs dirs/files- Allow keepalived stream connect to snmp * Thu Oct 26 2017 Lukas Vrabec - 3.13.1-300- Allow zabbix_t domain to change its resource limits- Add new boolean nagios_use_nfs- Allow system_mail_t to search network sysctls- Hide all allow rules with ptrace inside deny_ptrace boolean- Allow nagios_script_t to read nagios_spool_t files- Allow sbd_t to create own sbd_tmpfs_t dirs/files- Allow firewalld and networkmanager to chat with hypervkvp via dbus- Allow dmidecode to read rhsmcert_log_t files- Allow mail system to connect mariadb sockets.- Allow nmbd_t domain to mmap files labeled as samba_var_t. BZ(1505877)- Make user account setup in gnome-initial-setup working in Workstation Live system. BZ(1499170)- Allow iptables_t to run setfiles to restore context on system- Updatre unconfined_dontaudit_read_state() interface to dontaudit also acess to files. BZ(1503466) * Tue Oct 24 2017 Lukas Vrabec - 3.13.1-299- Label /usr/libexec/bluetooth/obexd as bluetoothd_exec_t to run process as bluetooth_t- Allow chronyd_t do request kernel module and block_suspend capability- Allow system_cronjob_t to create /var/lib/letsencrypt dir with right label- Allow slapd_t domain to mmap files labeled as slpad_db_t BZ(1505414)- Allow dnssec_trigger_t domain to execute binaries with dnssec_trigeer_exec_t BZ(1487912)- Allow l2tpd_t domain to send SIGKILL to ipsec_mgmt_t domains BZ(1505220)- Allow thumb_t creating thumb_home_t files in user_home_dir_t direcotry BZ(1474110)- Allow httpd_t also read httpd_user_content_type dirs when httpd_enable_homedirs is enables- Allow svnserve to use kerberos- Allow conman to use ptmx. Add conman_use_nfs boolean- Allow nnp transition for amavis and tmpreaper SELinux domains- Allow chronyd_t to mmap chronyc_exec_t binary files- Add dac_read_search capability to openvswitch_t domain- Allow svnserve to manage own svnserve_log_t files/dirs- Allow keepalived_t to search network sysctls- Allow puppetagent_t domain dbus chat with rhsmcertd_t domain- Add kill capability to openvswitch_t domain- Label also compressed logs in /var/log for different services- Allow inetd_child_t and system_cronjob_t to run chronyc.- Allow chrony to create netlink route sockets- Add SELinux support for chronyc- Add support for running certbot(letsencrypt) in crontab- Allow nnp trasintion for unconfined_service_t- Allow unpriv user domains and unconfined_service_t to use chronyc * Sun Oct 22 2017 Lukas Vrabec - 3.13.1-298- Drop *.lst files from file list- Ship file_contexts.homedirs in store- Allow proper transition when systems starting pdns to pdns_t domain. BZ(1305522)- Allow haproxy daemon to reexec itself. BZ(1447800)- Allow conmand to use usb ttys.- Allow systemd_machined to read mock lib files. BZ(1504493)- Allow systemd_resolved_t to dbusd chat with NetworkManager_t BZ(1505081) * Fri Oct 20 2017 Lukas Vrabec - 3.13.1-297- Fix typo in virt file contexts file- allow ipa_dnskey_t to read /proc/net/unix file- Allow openvswitch to run setfiles in setfiles_t domain.- Allow openvswitch_t domain to read process data of neutron_t domains- Fix typo in ipa_cert_filetrans_named_content() interface- Fix typo bug in summary of xguest SELinux module- Allow virtual machine with svirt_t label to stream connect to openvswitch.- Label qemu-pr-helper script as virt_exec_t so this script won\'t run as unconfined_service_t * Tue Oct 17 2017 Lukas Vrabec - 3.13.1-296- Merge pull request #19 from RodrigoQuesadaDev/snapper-fix-1- Allow httpd_t domain to mmap httpd_user_content_t files. BZ(1494852)- Add nnp transition rule for services using NoNewPrivileges systemd feature- Add map permission into dev_rw_infiniband_dev() interface to allow caller domain mmap infiniband chr device BZ(1500923)- Add init_nnp_daemon_domain interface- Allow nnp transition capability- Merge pull request #204 from konradwilk/rhbz1484908- Label postgresql-check-db-dir as postgresql_exec_t * Tue Oct 10 2017 Lukas Vrabec - 3.13.1-295- Allow boinc_t to mmap files with label boinc_project_var_lib_t BZ(1500088)- Allow fail2ban_t domain to mmap journals. BZ(1500089)- Add dac_override to abrt_t domain BZ(1499860)- Allow pppd domain to mmap own pid files BZ(1498587)- Allow webserver services to mmap files with label httpd_sys_content_t BZ(1498451)- Allow tlp domain to read sssd public files Allow tlp domain to mmap kernel modules- Allow systemd to read sysfs sym links. BZ(1499327)- Allow systemd to mmap systemd_networkd_exec_t files BZ(1499863)- Make systemd_networkd_var_run as mountpoint BZ(1499862)- Allow noatsecure for java-based unconfined services. BZ(1358476)- Allow systemd_modules_load_t domain to mmap kernel modules. BZ(1490015) * Mon Oct 09 2017 Lukas Vrabec - 3.13.1-294- Allow cloud-init to create content in /var/run/cloud-init- Dontaudit VM to read gnome-boxes process data BZ(1415975)- Allow winbind_t domain mmap samba_var_t files- Allow cupsd_t to execute ld_so_cache_t BZ(1478602)- Update dev_rw_xserver_misc() interface to allo source domains to mmap xserver devices BZ(1334035)- Add dac_override capability to groupadd_t domain BZ(1497091)- Allow unconfined_service_t to start containers * Sun Oct 08 2017 Petr Lautrbach - 3.13.1-293- Drop policyhelp utility BZ(1498429) * Tue Oct 03 2017 Lukas Vrabec - 3.13.1-292- Allow cupsd_t to execute ld_so_cache_t BZ(1478602)- Allow firewalld_t domain to change object identity because of relabeling after using firewall-cmd BZ(1469806)- Allow postfix_cleanup_t domain to stream connect to all milter sockets BZ(1436026)- Allow nsswitch_domain to read virt_var_lib_t files, because of libvirt NSS plugin. BZ(1487531)- Add unix_stream_socket recvfrom perm for init_t domain BZ(1496318)- Allow systemd to maange sysfs BZ(1471361) * Tue Oct 03 2017 Lukas Vrabec - 3.13.1-291- Switch default value of SELinux boolean httpd_graceful_shutdown to off. * Fri Sep 29 2017 Lukas Vrabec - 3.13.1-290- Allow virtlogd_t domain to write inhibit systemd pipes.- Add dac_override capability to openvpn_t domain- Add dac_override capability to xdm_t domain- Allow dac_override to groupadd_t domain BZ(1497081)- Allow cloud-init to create /var/run/cloud-init dir with net_conf_t SELinux label.BZ(1489166) * Wed Sep 27 2017 Lukas Vrabec - 3.13.1-289- Allow tlp_t domain stream connect to sssd_t domain- Add missing dac_override capability- Add systemd_tmpfiles_t dac_override capability * Fri Sep 22 2017 Lukas Vrabec - 3.13.1-288- Remove all unnecessary dac_override capability in SELinux modules * Fri Sep 22 2017 Lukas Vrabec - 3.13.1-287- Allow init noatsecure httpd_t- Allow mysqld_t domain to mmap mysqld db files. BZ(1483331)- Allow unconfined_t domain to create new users with proper SELinux lables- Allow init noatsecure httpd_t- Label tcp port 3269 as ldap_port_t * Mon Sep 18 2017 Lukas Vrabec - 3.13.1-286- Add new boolean tomcat_read_rpm_db()- Allow tomcat to connect on mysqld tcp ports- Add new interface apache_delete_tmp()- Add interface fprintd_exec()- Add interface fprintd_mounton_var_lib()- Allow mozilla plugin to mmap video devices BZ(1492580)- Add ctdbd_t domain sys_source capability and allow setrlimit- Allow systemd-logind to use ypbind- Allow systemd to remove apache tmp files- Allow ldconfig domain to mmap ldconfig cache files- Allow systemd to exec fprintd BZ(1491808)- Allow systemd to mounton fprintd lib dir * Thu Sep 14 2017 Lukas Vrabec - 3.13.1-285- Allow svirt_t read userdomain state * Thu Sep 14 2017 Lukas Vrabec - 3.13.1-284- Allow mozilla_plugins_t domain mmap mozilla_plugin_tmpfs_t files- Allow automount domain to manage mount pid files- Allow stunnel_t domain setsched- Add keepalived domain setpgid capability- Merge pull request #24 from teg/rawhide- Merge pull request #28 from lslebodn/revert_1e8403055- Allow sysctl_irq_t assciate with proc_t- Enable cgourp sec labeling- Allow sshd_t domain to send signull to xdm_t processes * Tue Sep 12 2017 Lukas Vrabec - 3.13.1-283- Allow passwd_t domain mmap /etc/shadow and /etc/passwd- Allow pulseaudio_t domain to map user tmp files- Allow mozilla plugin to mmap mozilla tmpfs files * Mon Sep 11 2017 Lukas Vrabec - 3.13.1-282- Add new bunch of map rules- Merge pull request #25 from NetworkManager/nm-ovs- Make working webadm_t userdomain- Allow redis domain to execute shell scripts.- Allow system_cronjob_t to create redhat-access-insights.log with var_log_t- Add couple capabilities to keepalived domain and allow get attributes of all domains- Allow dmidecode read rhsmcertd lock files- Add new interface rhsmcertd_rw_lock_files()- Add new bunch of map rules- Merge pull request #199 from mscherer/add_conntrackd- Add support labeling for vmci and vsock device- Add userdom_dontaudit_manage_admin_files() interface * Mon Sep 11 2017 Lukas Vrabec - 3.13.1-281- Allow domains reading raw memory also use mmap. * Thu Sep 07 2017 Lukas Vrabec - 3.13.1-280- Add rules fixing installing ipa-server-install with SELinux in Enforcing. BZ(1488404)- Fix denials during ipa-server-install process on F27+- Allow httpd_t to mmap cert_t- Add few rules to make tlp_t domain working in enforcing mode- Allow cloud_init_t to dbus chat with systemd_timedated_t- Allow logrotate_t to write to kmsg- Add capability kill to rhsmcertd_t- Allow winbind to manage smbd_tmp_t files- Allow groupadd_t domain to dbus chat with systemd.BZ(1488404)- Add interface miscfiles_map_generic_certs() * Tue Sep 05 2017 Lukas Vrabec - 3.13.1-279- Allow abrt_dump_oops_t to read sssd_public_t files- Allow cockpit_ws_t to mmap usr_t files- Allow systemd to read/write dri devices. * Thu Aug 31 2017 Lukas Vrabec - 3.13.1-278- Add couple rules related to map permissions- Allow ddclient use nsswitch BZ(1456241)- Allow thumb_t domain getattr fixed_disk device. BZ(1379137)- Add interface dbus_manage_session_tmp_dirs()- Dontaudit useradd_t sys_ptrace BZ(1480121)- Allow ipsec_t can exec ipsec_exec_t- Allow systemd_logind_t to mamange session_dbusd_tmp_t dirs * Mon Aug 28 2017 Lukas Vrabec - 3.13.1-277- Allow cupsd_t to execute ld_so_cache- Add cgroup_seclabel policycap.- Allow xdm_t to read systemd hwdb- Add new interface systemd_hwdb_mmap_config()- Allow auditd_t domain to mmap conf files labeled as auditd_etc_t BZ(1485050) * Sat Aug 26 2017 Lukas Vrabec - 3.13.1-276- Allow couple map rules * Wed Aug 23 2017 Lukas Vrabec - 3.13.1-275- Make confined users working- Allow ipmievd_t domain to load kernel modules- Allow logrotate to reload transient systemd unit * Wed Aug 23 2017 Lukas Vrabec - 3.13.1-274- Allow postgrey to execute bin_t files and add postgrey into nsswitch_domain- Allow nscd_t domain to search network sysctls- Allow iscsid_t domain to read mount pid files- Allow ksmtuned_t domain manage sysfs_t files/dirs- Allow keepalived_t domain domtrans into iptables_t- Allow rshd_t domain reads net sysctls- Allow systemd to create syslog netlink audit socket- Allow ifconfig_t domain unmount fs_t- Label /dev/gpiochip * devices as gpio_device_t * Tue Aug 22 2017 Lukas Vrabec - 3.13.1-273- Allow dirsrv_t domain use mmap on files labeled as dirsrv_var_run_t BZ(1483170)- Allow just map permission insead of using mmap_file_pattern because mmap_files_pattern allows also executing objects.- Label /var/run/agetty.reload as getty_var_run_t- Add missing filecontext for sln binary- Allow systemd to read/write to event_device_t BZ(1471401) * Tue Aug 15 2017 Lukas Vrabec - 3.13.1-272- Allow sssd_t domain to map sssd_var_lib_t files- allow map permission where needed- contrib: allow map permission where needed- Allow syslogd_t to map syslogd_var_run_t files- allow map permission where needed * Mon Aug 14 2017 Lukas Vrabec - 3.13.1-271- Allow tomcat_t domain couple capabilities to make working tomcat-jsvc- Label /usr/libexec/sudo/sesh as shell_exec_t * Thu Aug 10 2017 Lukas Vrabec - 3.13.1-270- refpolicy: Infiniband pkeys and endport * Thu Aug 10 2017 Lukas Vrabec - 3.13.1-269- Allow osad make executable an anonymous mapping or private file mapping that is writable BZ(1425524)- After fix in kernel where LSM hooks for dac_override and dac_search_read capability was swaped we need to fix it also in policy- refpolicy: Define and allow map permission- init: Add NoNewPerms support for systemd.- Add nnp_nosuid_transition policycap and related class/perm definitions. * Mon Aug 07 2017 Petr Lautrbach - 3.13.1-268- Update for SELinux userspace release 20170804 / 2.7- Omit precompiled regular expressions from file_contexts.bin files * Mon Aug 07 2017 Lukas Vrabec - 3.13.1-267- After fix in kernel where LSM hooks for dac_override and dac_search_read capability was swaped we need to fix it also in policy * Thu Jul 27 2017 Fedora Release Engineering - 3.13.1-266- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild * Fri Jul 21 2017 Lukas Vrabec - 3.13.1-265- Allow llpdad send dgram to libvirt- Allow abrt_t domain dac_read_search capability- Allow init_t domain mounton dirs labeled as init_var_lib_t BZ(1471476)- Allow xdm_t domain read unique machine-id generated during system installation. BZ(1467036)- Dontaudit xdm_t to setattr lib_t dirs. BZ(#1458518) * Mon Jul 17 2017 Lukas Vrabec - 3.13.1-264- Dontaudit xdm_t to setattr lib_t dirs. BZ(#1458518) * Tue Jul 11 2017 Lukas Vrabec - 3.13.1-263- Add new boolean gluster_use_execmem * Mon Jul 10 2017 Lukas Vrabec - 3.13.1-262- Allow cluster_t and glusterd_t domains to dbus chat with ganesha service- Allow iptables to read container runtime files * Fri Jun 23 2017 Lukas Vrabec - 3.13.1-261- Allow boinc_t nsswitch- Dontaudit firewalld to write to lib_t dirs- Allow modemmanager_t domain to write to raw_ip file labeled as sysfs_t- Allow thumb_t domain to allow create dgram sockets- Disable mysqld_safe_t secure mode environment cleansing- Allow couple rules needed to start targetd daemon with SELinux in enforcing mode- Allow dirsrv domain setrlimit- Dontaudit staff_t user read admin_home_t files.- Add interface lvm_manage_metadata- Add permission open to files_read_inherited_tmp_files() interface * Mon Jun 19 2017 Lukas Vrabec - 3.13.1-260- Allow sssd_t to read realmd lib files.- Fix init interface file. init_var_run_t is type not attribute * Mon Jun 19 2017 Lukas Vrabec - 3.13.1-258- Allow rpcbind_t to execute systemd_tmpfiles_exec_t binary files.- Merge branch \'rawhide\' of github.com:wrabcak/selinux-policy-contrib into rawhide- Allow qemu to authenticate SPICE connections with SASL GSSAPI when SSSD is in use- Fix dbus_dontaudit_stream_connect_system_dbusd() interface to require TYPE rather than ATTRIBUTE for systemd_dbusd_t.- Allow httpd_t to read realmd_var_lib_t files- Allow unconfined_t user all user namespace capabilties.- Add interface systemd_tmpfiles_exec()- Add interface libs_dontaudit_setattr_lib_files()- Dontaudit xdm_t domain to setattr on lib_t dirs- Allow sysadm_r role to jump into dirsrv_t
|
|
|