SEARCH
NEW RPMS
DIRECTORIES
ABOUT
FAQ
VARIOUS
BLOG

 
 
Changelog for selinux-policy-targeted-3.13.1-268.el7.noarch.rpm :

* Tue May 12 2020 Zdenek Pytela - 3.13.1-268- Allow rhsmd read process state of all domains and kernel threadsResolves: rhbz#1837461- Allow ipa-adtrust-install restart sssd and dirsrv servicesResolves: rhbz#1820298- Allow nagios_plugin_domain execute programs in bin directoriesResolves: rhbz#1824625- selinux policy: add the right context for org.freeipa.server.trust-enable-agentRelated: rhbz#1820298
* Mon Mar 23 2020 Zdenek Pytela - 3.13.1-267- Allow chronyd_t domain to exec shellResolves: rhbz#1775573- Allow pmie daemon to send signal pcmd daemonResolves: rhbz#1770123- Allow auditd poweroff or switch to single modeResolves: rhbz#1780332
* Wed Nov 06 2019 Lukas Vrabec - 3.13.1-266- Dontaudit tmpreaper_t getting attributes from sysctl_type filesResolves: rhbz#1765063
* Thu Oct 31 2019 Lukas Vrabec - 3.13.1-265- Allow tmpreaper_t domain to getattr files labeled as mtrr_device_tResolves: rhbz#1765063
* Wed Oct 30 2019 Lukas Vrabec - 3.13.1-264- Allow tmpwatch process labeled as tmpreaper_t domain to execute fuser commandResolves: rhbz#1765063
* Wed Oct 30 2019 Lukas Vrabec - 3.13.1-263- Update tmpreaper_t policy due to fuser commandResolves: rhbz#1765063
* Fri Oct 25 2019 Lukas Vrabec - 3.13.1-262- Allow tmpreaper_t domain to read all domains stateResolves: rhbz#1765063
* Mon Oct 14 2019 Lukas Vrabec - 3.13.1-261- Update sudo_role_template() to allow caller domain to read syslog pid filesResolves: rhbz#1651253
* Fri Oct 11 2019 Lukas Vrabec - 3.13.1-260- Allow sbd_t domain to check presence of processes labeled as cluster_tResolves: rhbz#1753623
* Wed Sep 25 2019 Lukas Vrabec - 3.13.1-259- Allow ganesha_t domain to read system network state and connect to cyphesis_port_tResolves: rhbz#1653857- Label /var/log/collectd.log as collectd_log_t- Update gnome_role_template() interface to make working sysadm_u SELinux able to login to X sessionsResolves: rhbz#1688729- Update collectd policy to allow daemon create /var/log/collectd with collectd_log_t labelResolves: rhbz#1658319- Update sbd policy to allow manage cgroupsResolves: rhbz#1715136- Allow sudo userdomain to run rpm related commands- Update rpm_run() interface to avoid duplicate role transition in sudo_role_templateResolves: rhbz#1651253
* Fri Aug 16 2019 Lukas Vrabec - 3.13.1-258- Update gnome_role_template() interface to make working sysadm_u SELinux able to login to X sessionsResolves: rhbz#1688729- Update collectd policy to allow daemon create /var/log/collectd with collectd_log_t labelResolves: rhbz#1658319
* Wed Aug 14 2019 Lukas Vrabec - 3.13.1-257- Update sbd policy to allow manage cgroupsResolves: rhbz#1715136
* Tue Aug 13 2019 Lukas Vrabec - 3.13.1-256- Allow cupsd_t domain to manage cupsd_tmp_t temp link filesResolves: rhbz#1719754- Allow svnserve_t domain to read /dev/randomResolves: rhbz#1727458- Update sudodomains to make working confined users run sudo/suResolves: rhbz#1699391
* Tue Aug 06 2019 Lukas Vrabec - 3.13.1-255- Allow virtlockd process read virtlockd.conf fileResolves: rhbz#1714896
* Fri Jul 26 2019 Lukas Vrabec - 3.13.1-254- Rebuild selinux-policy build because of broken RHEL-7.8 buildroodduring build of selinux-policy-3.13.1-253Resolves: rhbz#1727341
* Mon Jul 22 2019 Lukas Vrabec - 3.13.1-253- Label user cron spool file with user_cron_spool_tResolves: rhbz#1727341- Allow svnserve_t domain to read system stateResolves: rhbz#1727458- Update svnserve_t policy to make working svnserve hooksResolves: rhbz#1727458- Update gnome_role_template() template to allow sysadm_t confined user to login to xsessionResolves: rhbz#1727379- Update gnome_role_template() to allow _gkeyringd_t domains to chat with systemd_logind over dbusResolves: rhbz#1727379- Allow userdomain gkeyringd domain to create stream socket with userdomainResolves: rhbz#1727379- Allow cupsd_t to create lnk_files in /tmp. BZ(1401634)Resolves: rhbz#1719754- Allow mysqld_t domain to manage cluster pid filesResolves: rhbz#1715805- Relabel /usr/sbin/virtlockd from virt_exec_t to virtlogd_exec_t.Resolves: rhbz#1714896- Allow systemd_hostnamed_t domain to dbus chat with sosreport_t domainResolves: rhbz#1705599- Allow rhsmcertd_t domain to send signull to all domainsResolves: rhbz#1701338- Allow cloud_init_t domain to ccreate iptables files with correct SELinux labelResolves: rhbz#1699249- Allow dnsmasq_t domain to manage NetworkManager_var_lib_t files- Allow certmonger to geattr of filesystems BZ(1578755)- Update tomcat_can_network_connect_db boolean to allow tomcat domains also connect to redis ports Resolves: rhbz#1687497- Allow lograte_t domain to manage collect_rw_content files and dirsResolves: rhbz#1658319- Add interface collectd_manage_rw_content()- Allow glusterd_t domain to setpgidResolves: rhbz#1653857- Allow sysadm_sudo_t to use SELinux tooling.Resolves: rhbz#1727341- Allow sysadm_t domain to create netlink selinux socketsResolves: rhbz#1727379- Allow systemd_resolved_t to dbusd chat with NetworkManager_tResolves: rhbz#1723877- Allow crack_t domain read /et/passwd filesResolves: rhbz#1721093- Allow sysadm_t domain to dbus chat with rtkit daemonResolves: rhbz#1720546- Allow x_userdomains to nnp domain transition to thumb_t domainResolves: rhbz#1712603- Dontaudit writing to user home dirs by gnome-keyring-daemonResolves: rhbz#1703959- Update logging_send_audit_msgs(sudodomain() to control TTY auditing for netlink socket for audit serviceResolves: rhbz#1699391- Allow systemd_tmpfiles_t domain to relabel from usermodehelper_t filesResolves: rhbz#1699063- Add interface kernel_relabelfrom_usermodehelper()
* Wed Jul 10 2019 Lukas Vrabec - 3.13.1-252.1- Allow sbd_t domain to use nsswitchResolves: rhbz#1728593
* Thu Jun 27 2019 Lukas Vrabec - 3.13.1-252- Allow ganesha_t domain to connect to tcp portmap_port_tResolves: rhbz#1715088
* Mon Jun 10 2019 Lukas Vrabec - 3.13.1-251- Allow redis to creating tmp files with own labelResolves: rhbz#1646765
* Wed Jun 05 2019 Lukas Vrabec - 3.13.1-250- Allow ctdb_t domain to manage samba_var_t files/links/sockets and dirsResolves: rhbz#1716400
* Wed May 22 2019 Lukas Vrabec - 3.13.1-249- Allow nrpe_t domain to read process state of systemd_logind_t- Add interface systemd_logind_read_state()Resolves: rhbz#1653309
* Tue May 21 2019 Lukas Vrabec - 3.13.1-248- Label /etc/rhsm as rhsmcertd_config_tResolves: rhbz#1703573
* Fri May 17 2019 Lukas Vrabec - 3.13.1-247- Fix typo in gpg SELinux module- Update gpg policy to make ti working with confined usersResolves: rhbz#1535109- Alow nrpe_t to send signull to sssd domain when nagios_run_sudo boolean is turned onResolves: rhbz#1653309- Allow nrpe_t domain to be dbus clienntResolves: rhbz#1653309- Add interface sssd_signull()Resolves: rhbz#1653309- Update userdomains to allow confined users to create gpg keysResolves: rhbz#1535109
* Thu May 02 2019 Lukas Vrabec - 3.13.1-246- Allow ngaios to use chown capabilityResolves: rhbz#1653309- Dontaudit gpg_domain to create netlink_audit socketsResolves: rhbz#1535109- Update fs_rw_cephfs_files() interface to allow also caller domain to read/write cephpfs_t lnk filesResolves: rhbz#1558836- Update domain_can_mmap_files() boolean to allow also mmap lnk files
* Thu Apr 25 2019 Lukas Vrabec - 3.13.1-245- Allow rhsmcertd_t domain to read yum.log file labeled as rpm_log_tResolves: rhbz#1695342
* Tue Apr 23 2019 Lukas Vrabec - 3.13.1-244- Update Nagios policy when sudo is usedResolves: rhbz#1653309
* Mon Apr 08 2019 Lukas Vrabec - 3.13.1-243- Allow modemmanager_t domain to write to raw_ip file labeled as sysfs_tResolves: rhbz#1676810
* Tue Mar 26 2019 Lukas Vrabec - 3.13.1-242- Make shell_exec_t type as entrypoint for vmtools_unconfined_t.Resolves: rhbz#1656814
* Wed Mar 13 2019 Lukas Vrabec - 3.13.1-241- Update vmtools policy Resolves: rhbz#1656814 Allow domain transition from vmtools_t to vmtools_unconfined_t when shell_exec_t is entrypoint.- Allow virt_qemu_ga_t domain to read udev_var_run_t filesResolves: rhbz#1663092- Update nagios_run_sudo boolean with few allow rules related to accessing sssdResolves: rhbz#1653309- Allow nfsd_t to read nvme block devices BZ(1562554)Resolves: rhbz#1655493- Allow tangd_t domain to bind on tcp ports labeled as tangd_port_tResolves: rhbz#1650909- Allow all domains to send dbus msgs to vmtools_unconfined_t processesResolves: rhbz#1656814- Label /dev/pkey as crypt_device_tResolves: rhbz#1623068- Allow sudodomains to write to systemd_logind_sessions_t pipes.Resolves: rhbz#1687452- Allow all user domains to read realmd_var_lib_t files and dirs to check if IPA is configured on the systemResolves: rhbz#1667962- Fixes: xenconsole does not startResolves: rhbz#1601525- Label /usr/lib64/libcuda.so.XX.XX library as textrel_shlib_t.Resolves: rhbz#1636197- Create tangd_port_t with default label tcp/7406Resolves: rhbz#1650909
* Tue Mar 05 2019 Lukas Vrabec - 3.13.1-240- named wants to access /proc/sys/net/ipv4/ip_local_port_range to get ehphemeral range.Resolves: rhbz#1683754- Allow sbd_t domain to bypass permission checks for sending signalsResolves: rhbz#1671132- Allow sbd_t domain read/write all sysctlsResolves: rhbz#1671132- Allow kpatch_t domain to communicate with policykit_t domsin over dbusResolves: rhbz#1602435- Allow boltd_t to stream connect to sytem dbusResolves: rhbz#1589086- Update userdom_admin_user_template() and init_prog_run_bpf() interfaces to make working bpftool for confined adminResolves: rhbz#1626115- Update unconfined_dbus_send() interface to allow both direction communication over dbus with unconfined process.Resolves: rhbz#1589086
* Fri Mar 01 2019 Lukas Vrabec - 3.13.1-239- Allow sbd_t domain read/write all sysctlsResolves: rhbz#1671132- Allow kpatch_t domain to communicate with policykit_t domsin over dbusResolves: rhbz#1602435- Allow boltd_t to stream connect to sytem dbusResolves: rhbz#1589086- Update unconfined_dbus_send() interface to allow both direction communication over dbus with unconfined process.Resolves: rhbz#1589086
* Mon Feb 25 2019 Lukas Vrabec - 3.13.1-238- Update redis_enable_notify() boolean to fix sending e-mail by redis when this boolean is turned onResolves: rhbz#1646765
* Tue Feb 19 2019 Lukas Vrabec - 3.13.1-237- Allow virtd_lxc_t domains use BPFResolves: rhbz#1626115- F29 NetworkManager implements a new code for IPv4 address conflict detection (RFC 5227) based on n-acd [1], which uses eBPF to process ARP packets from the network.Resolves: rhbz#1626115- Allow unconfined user all perms under bpf class BZ(1565738Resolves: rhbz#1626115- Allow unconfined and sysadm users to use bpftool BZ(1591440)Resolves: rhbz#1626115- Allow systemd to manage bpf dirs/filesResolves: rhbz#1626115- Create new type bpf_t and label /sys/fs/bpf with this typeResolves:rhbz#1626115- Add new interface init_prog_run_bpf()Resolves:rhbz#1626115- add definition of bpf class and systemd permsResolves: rhbz#1626115
* Sun Feb 03 2019 Lukas Vrabec - 3.13.1-236- Update policy with multiple allow rules to make working installing VM in MLS policyResolves: rhbz#1558121- Allow virt domain to use interited virtlogd domains fifo_fileResolves: rhbz#1558121- Allow chonyc_t domain to rw userdomain pipesResolves: rhbz#1618757- Add file contexts in ganesha.fc file to label logging ganesha files properly.Resolves: rhbz#1628247
* Thu Jan 31 2019 Lukas Vrabec - 3.13.1-235- Allow sandbox_xserver_t domain write to user_tmp_t filesResolves: rhbz#1646521- Allow virt_qemu_ga_t domain to read network stateResolves: rhbz#1630347- Bolt added d-bus API for force-powering the thunderbolt controller, so system-dbusd needs acces to boltd pipesResolves: rhbz#1589086- Add boltd policyResolves: rhbz#1589086- Allow virt domains to read/write cephfs filesystemsResolves: rhbz#1558836- Allow gpg_t to create own tmpfs dirs and socketsResolves: rhbz#1535109- Allow gpg_agent_t to send msgs to syslog/journalResolves: rhbz#1535109- Allow virtual machine to write to fixed_disk_device_tResolves: rhbz#1499208- Update kdump_manage_crash() interface to allow also manage dirs by caller domainResolves: rhbz#1491585- Add kpatch policyResolves: rhbz#1602435- Label /usr/bin/mysqld_safe_helper as mysqld_exec_t instead of bin_tResolves: rhbz#1623942- Allow svnserve_t domain to create in /tmp svn_0 file labeled as krb5_host_rcache_tResolves: rhbz#1475271- Allow systemd to mount boltd_var_run_t dirsResolves: rhbz#1589086- Allow systemd to mounont boltd lib dirsResolves: rhbz#1589086- Allow sysadm_t,staff_t and unconfined_t domain to execute kpatch as kpatch_t domainResolves: rhbz#1602435- Allow passwd_t domain chroot- Add miscfiles_filetrans_named_content_letsencrypt() to optional_block- Allow unconfined domains to create letsencrypt directory in /var/lib labeled as cert_tResolves: rhbz#1447278- Allow staff_t user to systemctl iptables units.Resolves: rhbz#1360470
* Thu Jan 31 2019 Lukas Vrabec - 3.13.1-234- Label /usr/bin/mysqld_safe_helper as mysqld_exec_t instead of bin_tResolves: rhbz#1623942- Allow svnserve_t domain to create in /tmp svn_0 file labeled as krb5_host_rcache_tResolves: rhbz#1475271- Allow passwd_t domain chroot- Add miscfiles_filetrans_named_content_letsencrypt() to optional_block- Allow unconfined domains to create letsencrypt directory in /var/lib labeled as cert_tResolves: rhbz#1447278- Allow staff_t user to systemctl iptables units.Resolves: rhbz#1360470
* Thu Jan 17 2019 Lukas Vrabec - 3.13.1-233- Allow gssd_t domain to manage kernel keyrings of every domain.Resolves: rhbz#1487350- Add new interface domain_manage_all_domains_keyrings()Resolves: rhbz#1487350
* Sun Jan 13 2019 Lukas Vrabec - 3.13.1-232- Allow gssd_t domain to read/write kernel keyrings of every domain.Resolves: rhbz#1487350- Add interface domain_rw_all_domains_keyrings()Resolves: rhbz#1487350
* Wed Dec 19 2018 Lukas Vrabec - 3.13.1-231- Update snapperd policy to allow snapperd manage all non security dirs.Resolves: rhbz#1619306
* Fri Nov 09 2018 Lukas Vrabec - 3.13.1-230-Allow nova_t domain to use pamResolves: rhbz:#1640528- sysstat: grant sysstat_t the search_dir_perms setResolves: rhbz#1637416- Allow cinder_volume_t domain to dbus chat with systemd_logind_t domainResolves: rhbz#1630318- Allow staff_t userdomain and confined_admindomain attribute to allow use generic ptys because of new sudo feature \'io logging\'Resolves: rhbz#1564470- Make ganesha policy active againResolves: rhbz#1511489
* Fri Oct 12 2018 Lukas Vrabec - 3.13.1-229.5- Remove disabling ganesha module in pre install phase of installation new selinux-policy package where ganesha is again standalone moduleResolves: rhbz#1638257
* Thu Oct 11 2018 Lukas Vrabec - 3.13.1-229.4- Allow staff_t userdomain and confined_admindomain attribute to allow use generic ptys because of new sudo feature \'io logging\'Resolves: rhbz#1638427
* Thu Oct 11 2018 Lukas Vrabec - 3.13.1-229.3- Run ganesha as ganesha_t domain again, revert changes where ganesha is running as nfsd_tResolves: rhbz#1638257
* Wed Oct 10 2018 Lukas Vrabec - 3.13.1-229.2- Fix missing patch in spec fileResolves: rhbz#1635704
* Fri Oct 05 2018 Lukas Vrabec - 3.13.1-229.1- Allow cinder_volume_t domain to dbus chat with systemd_logind_t domainResolves: rhbz#1635704
* Wed Sep 26 2018 Lukas Vrabec - 3.13.1-229- Allow neutron domain to read/write /var/run/utmpResolves: rhbz#1630318
* Tue Sep 25 2018 Lukas Vrabec - 3.13.1-228- Allow tomcat_domain to read /dev/randomResolves: rhbz#1631666- Allow neutron_t domain to use pamResolves: rhbz#1630318
* Mon Sep 17 2018 Lukas Vrabec - 3.13.1-227- Add interface apache_read_tmp_dirs()- Allow dirsrvadmin_script_t domain to list httpd_tmp_t dirsResolves: rhbz#1622602
* Sat Sep 15 2018 Lukas Vrabec - 3.13.1-226- Allow tomcat servers to manage usr_t filesResolves: rhbz#1625678- Dontaudit tomcat serves to append to /dev/random deviceResolves: rhbz#1625678- Allow sys_nice capability to mysqld_t domain- Allow dirsrvadmin_script_t domain to read httpd tmp filesResolves: rhbz#1622602- Allow syslogd_t domain to manage cert_t filesResolves: rhbz#1615995
* Wed Sep 12 2018 Lukas Vrabec - 3.13.1-225- Allow sbd_t domain to getattr of all char files in /dev and read sysfs_t files and dirsResolves: rhbz#1627114- Expand virt_read_lib_files() interface to allow list dirs with label virt_var_lib_tResolves: rhbz#1567753
* Fri Sep 07 2018 Lukas Vrabec - 3.13.1-224- Allow tomcat Tomcat to delete a temporary file used when compiling class files for JSPs.Resolves: rhbz#1625678- Allow chronyd_t domain to read virt_var_lib_t files- Allow virtual machines to use dri devices. This allows use openCL GPU calculations. BZ(1337333)Resolves: rhbz#1625613- Allow tomcat services create link file in /tmpResolves: rhbz#1624289- Add boolean: domain_can_mmap_files.Resolves: rhbz#1460322
* Sun Sep 02 2018 Lukas Vrabec - 3.13.1-223- Make working SELinux sandbox with Wayland.Resolves: rhbz#1624308- Allow svirt_t domain to mmap svirt_image_t block filesResolves: rhbz#1624224- Add caps dac_read_search and dav_override to pesign_t domain- Allow iscsid_t domain to mmap userio chr filesResolves: rhbz#1623589- Add boolean: domain_can_mmap_files.Resolves: rhbz#1460322- Add execute_no_trans permission to mmap_exec_file_perms pattern- Allow sudodomain to search caller domain proc info- Allow xdm_t domain to mmap and read cert_t files- Replace optional policy blocks to make dbus interfaces effectiveResolves: rhbz#1624414- Add interface dev_map_userio_dev()
* Wed Aug 29 2018 Lukas Vrabec - 3.13.1-222- Allow readhead_t domain to mmap own pid filesResolves: rhbz#1614169
* Tue Aug 28 2018 Lukas Vrabec - 3.13.1-221- Allow ovs-vswitchd labeled as openvswitch_t domain communicate with qemu-kvm via UNIX stream socket- Allow httpd_t domain to mmap tmp filesResolves: rhbz#1608355- Update dirsrv_read_share() interface to allow caller domain to mmap dirsrv_share_t files- Update dirsrvadmin_script_t policy to allow read httpd_tmp_t symlinks- Label /dev/tpmrm[0-9]
* as tpm_device_t- Allow semanage_t domain mmap usr_t filesResolves: rhbz#1622607- Update dev_filetrans_all_named_dev() to allow create event22-30 character files with label event_device_t
* Fri Aug 24 2018 Lukas Vrabec - 3.13.1-220- Allow nagios_script_t domain to mmap nagios_log_t filesResolves: rhbz#1620013- Allow nagios_script_t domain to mmap nagios_spool_t filesResolves: rhbz#1620013- Update userdom_security_admin() and userdom_security_admin_template() to allow use auditctlResolves: rhbz#1622197- Update selinux_validate_context() interface to allow caller domain to mmap security_t filesResolves: rhbz#1622061
* Wed Aug 22 2018 Lukas Vrabec - 3.13.1-219- Allow virtd_t domain to create netlink_socket- Allow rpm_t domain to write to audit- Allow rpm domain to mmap rpm_var_lib_t filesResolves: rhbz#1619785- Allow nagios_script_t domain to mmap nagios_etc_t filesResolves: rhbz#1620013- Update nscd_socket_use() to allow caller domain to stream connect to nscd_tResolves: rhbz#1460715- Allow secadm_t domain to mmap audit config and log files- Allow insmod_t domain to read iptables pid files- Allow systemd to mounton /etcResolves: rhbz#1619785
* Tue Aug 21 2018 Lukas Vrabec - 3.13.1-218- Allow kdumpctl_t domain to getattr fixed disk device in mlsResolves: rhbz#1615342- Allow initrc_domain to mmap all binaries labeled as systemprocess_entryResolves: rhbz#1615342
* Tue Aug 21 2018 Lukas Vrabec - 3.13.1-217- Allow virtlogd to execute itselfResolves: rhbz#1598392
* Mon Aug 20 2018 Lukas Vrabec - 3.13.1-216- Allow kdumpctl_t domain to manage kdumpctl_tmp_t fifo filesResolves: rhbz#1615342- Allow kdumpctl to write to files on all levelsResolves: rhbz#1615342- Fix typo in radius policyResolves: rhbz#1619197- Allow httpd_t domain to mmap httpd_config_t filesResolves: rhbz#1615894- Add interface dbus_acquire_svc_system_dbusd()- Allow sanlock_t domain to connectto to unix_stream_socketResolves: rhbz#1614965- Update nfsd_t policy because of ganesha featuresResolves: rhbz#1511489- Allow conman to getattr devpts_tResolves: rhbz#1377915- Allow tomcat_domain to connect to smtp portsResolves: rhbz#1253502- Allow tomcat_t domain to mmap tomcat_var_lib_t filesResolves: rhbz#1618519- Allow slapd_t domain to mmap slapd_var_run_t filesResolves: rhbz#1615319- Allow nagios_t domain to mmap nagios_log_t filesResolves: rhbz#1618675- Allow nagios to exec itself and mmap nagios spool files BZ(1559683)- Allow nagios to mmap nagios config files BZ(1559683)- Allow kpropd_t domain to mmap krb5kdc_principal_t filesResolves: rhbz#1619252- Update syslogd policy to make working elasticsearch- Label tcp and udp ports 9200 as wap_wsp_port- Allow few domains to rw inherited kdumpctl tmp pipesResolves: rhbz#1615342
* Fri Aug 10 2018 Lukas Vrabec - 3.13.1-215- Allow systemd_dbusd_t domain read/write to nvme devicesResolves: rhbz#1614236- Allow mysqld_safe_t do execute itself- Allow smbd_t domain to chat via dbus with avahi daemonResolves: rhbz#1600157- cupsd_t domain will create /etc/cupsd/ppd as cupsd_etc_rw_tResolves: rhbz#1452595- Allow amanda_t domain to getattr on tmpfs filesystem BZ(1527645)Resolves: rhbz#1452444- Update screen_role_template to allow caller domain to have screen_exec_t as entrypoint do new domainResolves: rhbz#1384769- Add alias httpd__script_t to _script_t to make sepolicy generate workingResolves: rhbz#1271324- Allow kprop_t domain to read network stateResolves: rhbz#1600705- Allow sysadm_t domain to accept socketResolves: rhbz#1557299- Allow sshd_t domain to mmap user_tmp_t filesResolves: rhbz#1613437
* Tue Aug 07 2018 Lukas Vrabec - 3.13.1-214- Allow sshd_t domain to mmap user_tmp_t filesResolves: rhbz#1613437
* Tue Aug 07 2018 Lukas Vrabec - 3.13.1-213- Allow kprop_t domain to read network stateResolves: rhbz#1600705
* Tue Aug 07 2018 Lukas Vrabec - 3.13.1-212- Allow kpropd domain to exec itselfResolves: rhbz#1600705- Allow ipmievd_t to mmap kernel modules BZ(1552535)- Allow hsqldb_t domain to mmap own temp filesResolves: rhbz#1612143- Allow hsqldb_t domain to read cgroup filesResolves: rhbz#1612143- Allow rngd_t domain to read generic certsResolves: rhbz#1612456- Allow innd_t domain to mmap own var_lib_t filesResolves: rhbz#1600591- Update screen_role_temaplate interfaceResolves: rhbz#1384769- Allow cupsd_t to create cupsd_etc_t dirsResolves: rhbz#1452595- Allow chronyd_t domain to mmap own tmpfs filesResolves: rhbz#1596563- Allow cyrus domain to mmap own var_lib_t and var_run filesResolves: rhbz#1610374- Allow sysadm_t domain to create rawip socketsResolves: rhbz#1571591- Allow sysadm_t domain to listen on socketResolves: rhbz#1557299- Update sudo_role_template() to allow caller domain also setattr generic ptysResolves: rhbz#1564470- Allow netutils_t domain to create bluetooth socketsResolves: rhbz#1600586
* Fri Aug 03 2018 Lukas Vrabec - 3.13.1-211- Allow innd_t domain to mmap own var_lib_t filesResolves: rhbz#1600591- Update screen_role_temaplate interfaceResolves: rhbz#1384769- Allow cupsd_t to create cupsd_etc_t dirsResolves: rhbz#1452595- Allow chronyd_t domain to mmap own tmpfs filesResolves: rhbz#1596563- Allow cyrus domain to mmap own var_lib_t and var_run filesResolves: rhbz#1610374- Allow sysadm_t domain to create rawip socketsResolves: rhbz#1571591- Allow sysadm_t domain to listen on socketResolves: rhbz#1557299- Update sudo_role_template() to allow caller domain also setattr generic ptysResolves: rhbz#1564470- Allow netutils_t domain to create bluetooth socketsResolves: rhbz#1600586
* Tue Jul 31 2018 Lukas Vrabec - 3.13.1-210- Allow virtlogd_t domain to chat via dbus with systemd_logindResolves: rhbz#1593740
* Sun Jul 29 2018 Lukas Vrabec - 3.13.1-209- Allow sblim_sfcbd_t domain to mmap own tmpfs filesResolves: rhbz#1609384- Update logging_manage_all_logs() interface to allow caller domain map all logfilesResolves: rhbz#1592028
* Thu Jul 26 2018 Lukas Vrabec - 3.13.1-208- Dontaudit oracleasm_t domain to request sys_admin capability- Allow iscsid_t domain to load kernel moduleResolves: rhbz#1589295- Update rhcs contexts to reflects the latest fenced changes- Allow httpd_t domain to rw user_tmp_t filesResolves: rhbz#1608355- /usr/libexec/udisks2/udisksd should be labeled as devicekit_disk_exec_tResolves: rhbz#1521063- Allow tangd_t dac_read_searchResolves: rhbz#1607810- Allow glusterd_t domain to mmap user_tmp_t files- Allow mongodb_t domain to mmap own var_lib_t filesResolves: rhbz#1607729- Allow iscsid_t domain to mmap sysfs_t filesResolves: rhbz#1602508- Allow tomcat_domain to search cgroup dirsResolves: rhbz#1600188- Allow httpd_t domain to mmap own cache filesResolves: rhbz#1603505- Allow cupsd_t domain to mmap cupsd_etc_t filesResolves: rhbz#1599694- Allow kadmind_t domain to mmap krb5kdc_principal_tResolves: rhbz#1601004- Allow virtlogd_t domain to read virt_etc_t link filesResolves: rhbz#1598593- Allow dirsrv_t domain to read crack dbResolves: rhbz#1599726- Dontaudit pegasus_t to require sys_admin capabilityResolves: rhbz#1374570- Allow mysqld_t domain to exec mysqld_exec_t binary files- Allow abrt_t odmain to read rhsmcertd lib filesResolves: rhbz#1601389- Allow winbind_t domain to request kernel module loadsResolves: rhbz#1599236- Allow gpsd_t domain to getsession and mmap own tmpfs filesResolves: rhbz#1598388- Allow smbd_t send to nmbd_t via dgram sockets BZ(1563791)Resolves: rhbz#1600157- Allow tomcat_domain to read cgroup_t filesResolves: rhbz#1601151- Allow varnishlog_t domain to mmap varnishd_var_lib_t filesResolves: rhbz#1600704- Allow dovecot_auth_t domain to manage also dovecot_var_run_t fifo files. BZ(1320415)Resolves: rhbz#1600692- Fix ntp SELinux module- Allow innd_t domain to mmap news_spool_t filesResolves: rhbz#1600591- Allow haproxy daemon to reexec itself. BZ(1447800)Resolves: rhbz#1600578- Label HOME_DIR/mozilla.pdf file as mozilla_home_t instead of user_home_tResolves: rhbz#1559859- Allow pkcs_slotd_t domain to mmap own tmpfs filesResolves: rhbz#1600434- Allow fenced_t domain to rebootResolves: rhbz#1293384- Allow bluetooth_t domain listen on bluetooth sockets BZ(1549247)Resolves: rhbz#1557299- Allow lircd to use nsswitch. BZ(1401375)- Allow targetd_t domain mmap lvm config filesResolves: rhbz#1546671- Allow amanda_t domain to read network system stateResolves: rhbz#1452444- Allow abrt_t domain to read rhsmcertd logsResolves: rhbz#1492059- Allow application_domain_type also mmap inherited user temp files BZ(1552765)Resolves: rhbz#1608421- Allow ipsec_t domain to read l2tpd pid filesResolves: rhbz#1607994- Allow systemd_tmpfiles_t do mmap system db files- Improve domain_transition_pattern to allow mmap entrypoint bin file.Resolves: rhbz#1460322- Allow nsswitch_domain to mmap passwd_file_t files BZ(1518655)Resolves: rhbz#1600528- Dontaudit syslogd to watching top llevel dirs when imfile module is enabledResolves: rhbz#1601928- Allow ipsec_t can exec ipsec_exec_tResolves: rhbz#1600684- Allow netutils_t domain to mmap usmmon deviceResolves: rhbz#1600586- Allow netlabel_mgmt_t domain to read sssd public files, stream connect to sssd_t BZ(1483655)- Allow userdomain sudo domains to use generic ptysResolves: rhbz#1564470- Allow traceroute to create icmp packetsResolves: rhbz#1548350- Allow systemd domain to mmap lvm config files BZ(1594584)- Add new interface lvm_map_config- refpolicy: Update for kernel sctp support Resolves: rhbz#1597111 Add additional entries to support the kernel SCTP implementation introduced in kernel 4.16
* Fri Jun 29 2018 Lukas Vrabec - 3.13.1-207- Update oddjob_domtrans_mkhomedir() interface to allow caller domain also mmap oddjob_mkhomedir_exec_t filesResolves: rhbz#1596306- Update rhcs_rw_cluster_tmpfs() interface to allow caller domain to mmap cluster_tmpfs_t filesResolves: rhbz#1589257- Allow radiusd_t domain to read network sysctlsResolves: rhbz#1516233- Allow chronyc_t domain to use nscd shmResolves: rhbz#1596563- Label /var/lib/tomcats dir as tomcat_var_lib_tResolves: rhbz#1596367- Allow lsmd_t domain to mmap lsmd_plugin_exec_t filesResolves: rhbz#bea0c8174- Label /usr/sbin/rhn_check-[0-9]+.[0-9]+ as rpm_exec_tResolves: rhbz#1596509- Update seutil_exec_loadpolicy() interface to allow caller domain to mmap load_policy_exec_t filesResolves: rhbz#1596072- Allow xdm_t to read systemd hwdbResolves: rhbz#1596720- Allow dhcpc_t domain to mmap files labeled as ping_exec_tResolves: rhbz#1596065
* Wed Jun 27 2018 Lukas Vrabec - 3.13.1-206- Allow tangd_t domain to create tcp socketsResolves: rhbz#1595775- Update postfix policy to allow postfix_master_t domain to mmap all postfix
* binariesResolves: rhbz#1595328- Allow amanda_t domain to have setgid capabilityResolves: rhbz#1452444- Update usermanage_domtrans_useradd() to allow caller domain to mmap useradd_exec_t filesResolves: rhbz#1595667
* Tue Jun 26 2018 Lukas Vrabec - 3.13.1-205- Allow abrt_watch_log_t domain to mmap binaries with label abrt_dump_oops_exec_t Resolves: rhbz#1591191- Update cups_filetrans_named_content() to allow caller domain create ppd directory with cupsd_etc_rw_t labelResolves: rhbz#1452595- Allow abrt_t domain to write to rhsmcertd pid filesResolves: rhbz#1492059- Allow pegasus_t domain to eexec lvm binaries and allow read/write access to lvm controlResolves: rhbz#1463470- Add vhostmd_t domain to read/write to svirt imagesResolves: rhbz#1465276- Dontaudit action when abrt-hook-ccpp is writing to nscd socketsResolves: rhbz#1460715- Update openvswitch policyResolves: rhbz#1594729- Update kdump_manage_kdumpctl_tmp_files() interface to allow caller domain also mmap kdumpctl_tmp_t filesResolves: rhbz#1583084- Allow sssd_t and slpad_t domains to mmap generic certsResolves: rhbz#1592016Resolves: rhbz#1592019- Allow oddjob_t domain to mmap binary files as oddjob_mkhomedir_exec_t filesResolves: rhbz#1592022- Update dbus_system_domain() interface to allow system_dbusd_t domain to mmap binary file from second parameterResolves: rhbz#1583080- Allow chronyc_t domain use inherited user ttysResolves: rhbz#1593267- Allow stapserver_t domain to mmap own tmp filesResolves: rhbz#1593122- Allow sssd_t domain to mmap files labeled as sssd_selinux_manager_exec_tResolves: rhbz#1592026- Update policy for ypserv_t domainResolves: rhbz#1592032- Allow abrt_dump_oops_t domain to mmap all non security filesResolves: rhbz#1593728- Allow svirt_t domain mmap svirt_image_t filesResolves: rhbz#1592688- Allow virtlogd_t domain to write inhibit systemd pipes.Resolves: rhbz#1593740- Allow sysadm_t and staff_t domains to use sudo io loggingResolves: rhbz#1564470- Allow sysadm_t domain create sctp socketsResolves: rhbz#1571591- Update mount_domtrans() interface to allow caller domain mmap mount_exec_tResolves: rhbz#1592025- Allow dhcpc_t to mmap all binaries with label hostname_exec_t, ifconfig_exec_t and netutils_exec_tResolves: rhbz#1594661
* Thu Jun 14 2018 Lukas Vrabec - 3.13.1-204- Fix typo in logwatch interface file- Allow spamd_t to manage logwatch_cache_t files/dirs- Allow dnsmasw_t domain to create own tmp files and manage mnt files- Allow fail2ban_client_t to inherit rlimit information from parent processResolves: rhbz#1513100- Allow nscd_t to read kernel sysctlsResolves: rhbz#1512852- Label /var/log/conman.d as conman_log_tResolves: rhbz#1538363- Add dac_override capability to tor_t domainResolves: rhbz#1540711- Allow certmonger_t to readwrite to user_tmp_t dirsResolves: rhbz#1543382- Allow abrt_upload_watch_t domain to read general certsResolves: rhbz#1545098- Update postfix_domtrans_master() interface to allow caller domain also mmap postfix_master_exec_t binaryResolves: rhbz#1583087- Allow postfix_domain to mmap postfix_qmgr_exec_t binariesResolves: rhbz#1583088- Allow postfix_domain to mmap postfix_pickup_exec_t binariesResolves: rhbz#1583091- Allow chornyd_t read phc2sys_t shared memoryResolves: rhbz#1578883- Allow virt_qemu_ga_t read utmpResolves: rhbz#1571202- Add several allow rules for pesign policy: Resolves: rhbz#1468744 - Allow pesign domain to read /dev/random - Allow pesign domain to create netlink_kobject_uevent_t sockets - Allow pesign domain create own tmp files- Add setgid and setuid capabilities to mysqlfd_safe_t domainResolves: rhbz#1474440- Add tomcat_can_network_connect_db booleanResolves: rhbz#1477948- Update virt_use_sanlock() boolean to read sanlock stateResolves: rhbz#1448799- Add sanlock_read_state() interface- Allow postfix_cleanup_t domain to stream connect to all milter sockets BZ(1436026)Resolves: rhbz#1563423- Update abrt_domtrans and abrt_exec() interfaces to allow caller domain to mmap binary fileResolves:rhbz#1583080- Update nscd_domtrans and nscd_exec interfaces to allow caller domain also mmap nscd binariesResolves: rhbz#1583086- Update snapperd_domtrans() interface to allow caller domain to mmap snapperd_exec_t fileResolves: rhbz#1583802- Allow zoneminder_t to getattr of fs_tResolves: rhbz#1585328- Fix denials during ipa-server-install process on F27+Resolves: rhbz#1586029- Allow ipa_dnskey_t to exec ipa_dnskey_exec_t filesResolves: rhbz#1586033- Allow rhsmcertd_t domain to send signull to postgresql_t domainResolves: rhbz#1588119- Allow policykit_t domain to dbus chat with dhcpc_tResolves: rhbz#1364513- Adding new boolean keepalived_connect_any()Resolves: rhbz#1443473- Allow amanda to create own amanda_tmpfs_t filesResolves: rhbz#1452444- Add amanda_tmpfs_t label. BZ(1243752)- Allow gdomap_t domain to connect to qdomap_port_tResolves: rhbz#1551944- Fix typos in sge- Fix typo in openvswitch policy- /usr/libexec/bluetooth/obexd should have only obexd_exec_t instead of bluetoothd_exec_t type- Allow sshd_keygen_t to execute plymouthdResolves: rhbz#1583531- Update seutil_domtrans_setfiles() interface to allow caller domain to do mmap on setfiles_exec_t binaryResolves: rhbz#1583090- Allow systemd_networkd_t create and relabel tun socketsResolves: rhbz#1583830- Allow map audisp_exec_t files fordomains executing this binaryResolves: rhbz#1586042- Add new interface postgresql_signull()- Add fs_read_xenfs_files() interface.
* Mon Jun 11 2018 Lukas Vrabec - 3.13.1-203- /usr/libexec/bluetooth/obexd should have only obexd_exec_t instead of bluetoothd_exec_t type- Allow dac override capability to mandb_t domain BZ(1529399)Resolves: rhbz#1423361- Allow inetd_child process to chat via dbus with abrtResolves: rhbz#1428805- Allow zabbix_agent_t domain to connect to redis_port_tResolves: rhbz#1418860- Allow rhsmcertd_t domain to read xenfs_t filesResolves: rhbz#1405870- Allow zabbix_agent_t to run zabbix scriptsResolves: rhbz#1380697- Allow rabbitmq_t domain to create own tmp files/dirsResolves: rhbz#1546897- Allow policykit_t mmap policykit_auth_exec_t filesResolves: rhbz#1583082- Allow ipmievd_t domain to read general certsResolves: rhbz#1514591- Add sys_ptrace capability to pcp_pmie_t domain- Allow squid domain to exec ldconfigResolves: rhbz#1532017- Make working gpg agent in gpg_agent_t domainResolves: rhbz#1535109- Update gpg SELinux policy module- Allow kexec to read kernel module files in /usr/lib/modules.Resolves: rhbz#1536690- Allow mailman_domain to read system network stateResolves: rhbz#1413510- Allow mailman_mail_t domain to search for apache configsResolves: rhbz#1413510- Allow openvswitch_t domain to read neutron state and read/write fixed disk devicesResolves: rhbz#1499208- Allow antivirus_domain to read all domain system stateResolves: rhbz#1560986- Allow targetd_t domain to red gconf_home_t files/dirsResolves: rhbz#1546671- Allow freeipmi domain to map sysfs_t filesResolves: rhbz#1575918- Label /usr/libexec/bluetooth/obexd as obexd_exec_tResolves: rhbz#1351750- Update rhcs SELinux moduleResolves: rhbz#1589257- Allow iscsid_t domain mmap kernel modulesResolves: rhbz#1589295- Allow iscsid_t domain mmap own tmp filesResolves: rhbz#1589295- Update iscsid_domtrans() interface to allow mmap iscsid_exec_t binaryResolves: rhbz#1589295- Update nscd_socket_use interface to allow caller domain also mmap nscd_var_run_t files.Resolves: rhbz#1589271- Allow nscd_t domain to mmap system_db_t filesResolves: rhbz#1589271- Add interface nagios_unconfined_signull()- Allow lircd_t domain read sssd public files Add setgid capability to lircd_t domainResolves: rhbz#1550700- Add missing requires- Allow tomcat domain sends emailResolves: rhbz#1585184- Allow memcached_t domain nnp_transition becuase of systemd security features BZ(1514867)Resolves: rhbz#1585714- Allow kdump_t domain to map /boot filesResolves: rhbz#1588884- Fix typo in netutils policy- Allow confined users get AFS tokensResolves: rhbz#1417671- Allow sysadm_t domain to chat via dbusResolves: rhbz#1582146- Associate sysctl_kernel_t type with filesystem attribute- Allow confined users to use new socket classes for bluetooth, alg and tcpdiag socketsResolves: rhbz#1557299- Allow user_t and staff_t domains create netlink tcpdiag socketsResolves: rhbz#1557281- Add interface dev_map_sysfs- Allow xdm_t domain to execute xdm_var_lib_t filesResolves: rhbz#1589139- Allow syslogd_t domain to send signull to nagios_unconfined_plugin_tResolves: rhbz#1569344- Label /dev/vhost-vsock char device as vhost_device_t- Add files_map_boot_files() interfaceResolves: rhbz#1588884- Update traceroute_t domain to allow create dccp socketsResolves: rhbz#1548350
* Wed Jun 06 2018 Lukas Vrabec - 3.13.1-202- Update ctdb domain to support gNFS setup Resolves: rhbz#1576818- Allow authconfig_t dbus chat with policykitResolves: rhbz#1551241- Allow lircd_t domain to read passwd_file_tResolves: rhbz:#1550700- Allow lircd_t domain to read system stateResolves: rhbz#1550700- Allow smbcontrol_t to mmap samba_var_t files and allow winbind create sockets BZ(1559795)Resolves: rhbz#1574521- Allow tangd_t domain read certsResolves: rhbz#1509055- Allow httpd_sys_script_t to connect to mongodb_port_t if boolean httpd_can_network_connect_db is turned onResolves: rhbz:#1579219- Allow chronyc_t to redirect ourput to /var/lib /var/log and /tmpResolves: rhbz#1574418- Allow ctdb_t domain modify ctdb_exec_t filesResolves: rhbz#1572584- Allow chrome_sandbox_t to mmap tmp filesResolves: rhbz#1574392- Allow ulogd_t to create netlink_netfilter sockets.Resolves: rhbz#1575924- Update ulogd SELinux security policy- Allow rhsmcertd_t domain send signull to apache processesResolves: rhbz#1576555- Allow freeipmi domain to read sysfs_t filesResolves: rhbz#1575918- Allow smbcontrol_t to create dirs with samba_var_t labelResolves: rhbz#1574521- Allow swnserve_t domain to stream connect to sasl domainResolves: rhbz#1574537- Allow SELinux users (except guest and xguest) to using bluetooth socketsResolves: rhbz#1557299- Allow confined users to use new socket classes for bluetooth, alg and tcpdiag socketsResolves: rhbz#1557299- Fix broken sysadm SELinux moduleResolves: rhbz#1557311- Allow user_t and staff_t domains create netlink tcpdiag socketsResolves: rhbz#1557281- Update ssh_domtrans_keygen interface to allow mmap ssh_keygen_exec_t binary fileResolves: rhbz#1583089- Allow systemd_networkd_t to read/write tun tap devicesResolves: rhbz#1583830- Add bridge_socket, dccp_socket, ib_socket and mpls_socket to socket_class_setResolves: rhbz#1583771- Allow audisp_t domain to mmap audisp_exec_t binaryResolves: rhbz#1583551- Fix duplicates in sysadm.te fileResolves: rhbz#1307183- Allow sysadm_u use xdmResolves: rhbz#1307183- Fix typo in sysnetwork.if fileResolves: rhbz#1581551
* Sun May 27 2018 Lukas Vrabec - 3.13.1-201- Fix duplicates in sysadm.te fileResolves: rhbz#1307183
* Sat May 26 2018 Lukas Vrabec - 3.13.1-200- Allow sysadm_u use xdmResolves: rhbz#1307183
* Fri May 25 2018 Lukas Vrabec - 3.13.1-199- Allow httpd_sys_script_t to connect to mongodb_port_t if boolean httpd_can_network_connect_db is turned onResolves: rhbz:#1579219- Allow chronyc_t to redirect ourput to /var/lib /var/log and /tmpResolves: rhbz#1574418- Allow chrome_sandbox_t to mmap tmp filesResolves: rhbz#1574392- Allow ulogd_t to create netlink_netfilter sockets.Resolves: rhbz#1575924- Update ulogd SELinux security policy- Allow rhsmcertd_t domain send signull to apache processesResolves: rhbz#1576555- Allow freeipmi domain to read sysfs_t filesResolves: rhbz#1575918- Allow smbcontrol_t to create dirs with samba_var_t labelResolves: rhbz#1574521- Allow swnserve_t domain to stream connect to sasl domainResolves: rhbz#1574537- Fix typo in sysnetwork.if fileResolves: rhbz#1581551
* Fri May 25 2018 Lukas Vrabec - 3.13.1-198- Fix typo in sysnetwork.if fileResolves: rhbz#1581551
* Thu May 24 2018 Lukas Vrabec - 3.13.1-197- Improve procmail_domtrans() to allow mmaping procmail_exec_t- Allow hypervvssd_t domain to read fixed disk devicesResolves: rhbz#1581225- Improve modutils_domtrans_insmod() interface to mmap insmod_exec_t binariesResolves: rhbz#1581551- Improve iptables_domtrans() interface to allow mmaping iptables_exec_t binaryResolves: rhbz#1581551- Improve auth_domtrans_login_programinterface to allow also mmap login_exec_t binariesResolves: rhbz#1581551- Improve auth_domtrans_chk_passwd() interface to allow also mmaping chkpwd_exec_t binaries.Resolves: rhbz#1581551- Allow mmap dhcpc_exec_t binaries in sysnet_domtrans_dhcpc interface
* Mon May 21 2018 Lukas Vrabec - 3.13.1-196- Add dbus_stream_connect_system_dbusd() interface.- Allow pegasus_t domain to mount tracefs_t filesystemResolves:rhbz#1374570- Allow psad_t domain to read all domains stateResolves: rhbz#1558439- Add net_raw capability to named_t domain BZ(1545586)- Allow tomcat_t domain to connect to mongod_t tcp portResolves:rhbz#1539748- Allow dovecot and postfix to connect to systemd stream socketsResolves: rhbz#1368642- Label /usr/libexec/bluetooth/obexd as bluetoothd_exec_t to run process as bluetooth_tResolves:rhbz#1351750- Rename tang policy to tangd- Add interface systemd_rfkill_domtrans()- Allow users staff and sysadm to run wireshark on own domainResolves:rhbz#1546362- Allow systemd-bootchart to create own tmpfs filesResolves:rhbz#1510412
* Wed Apr 25 2018 Lukas Vrabec - 3.13.1-195- Rename tang policy to tangd- Allow virtd_t domain to relabel virt_var_lib_t files Resolves: rhbz#1558121- Allow logrotate_t domain to stop services via systemdResolves: rhbz#1527522- Add tang policyResolves: rhbz#1509055- Allow mozilla_plugin_t to create mozilla.pdf file in user homedir with label mozilla_home_tResolves: rhbz#1559859- Improve snapperd SELinux policyResolves: rhbz#1365555- Allow snapperd_t daemon to create unlabeled dirs.Resolves: rhbz#1365555- We have inconsistency in cgi templates with upstream, we use _content_t, but refpolicy use httpd__content_t. Created aliasses to make it consistenceResolves: rhbz#1271324- Allow Openvswitch adding netdev bridge ovs 2.7.2.10 FDPResolves: rhbz#1503835- Add new Boolean tomcat_use_execmemResolves: rhbz#1565226- Allow domain transition from logrotate_t to chronyc_tResolves: rhbz#1568281- Allow nfsd_t domain to read/write sysctl fs filesResolves: rhbz#1516593- Allow conman to read system stateResolves: rhbz#1377915- Allow lircd_t to exec shell and add capabilities dac_read_search and dac_overrideResolves: rhbz#1550700- Allow usbmuxd to access /run/udev/data/+usb:
*.Resolves: rhbz#1521054- Allow abrt_t domain to manage kdump crash files Resolves: rhbz#1491585- Allow systemd to use virtio consoleResolves: rhbz#1558121- Allow transition from sysadm role into mdadm_t domain.Resolves: rhbz#1551568- Label /dev/op_panel and /dev/opal-prd as opal_device_tResolves: rhbz#1537618- Label /run/ebtables.lock as iptables_var_run_tResolves: rhbz#1511437- Allow udev_t domain to manage udev_rules_t char files.Resolves: rhbz#1545094- Allow nsswitch_domain to read virt_var_lib_t files, because of libvirt NSS plugin.Resolves: rhbz#1567753- Fix filesystem inteface file, we don\'t have nsfs_fs_t type, just nsfs_tResolves: rhbz#1547700- Allow iptables_t domain to create dirs in etc_t with system_conf_t labels
* Sat Apr 07 2018 Lukas Vrabec - 3.13.1-194- Add new boolean redis_enable_notify()Resolves: rhbz#1421326- Label /var/log/shibboleth-www(/.
*) as httpd_sys_rw_content_tResolves: rhbz#1549514- Add new label for vmtools scripts and label it as vmtools_unconfined_t stored in /etc/vmware-tools/Resolves: rbhz#1463593- Remove labeling for /etc/vmware-tools to bin_t it should be vmtools_unconfined_exec_tResolves: rbhz#1463593
* Thu Apr 05 2018 Lukas Vrabec - 3.13.1-193- Backport several changes for snapperdfrom Fedora RawhideResolves: rhbz#1556798- Allow snapperd_t to set priority for kernel processesResolves: rhbz#1556798- Make ganesha nfs server.Resolves: rhbz#1511489- Allow vxfs filesystem to use SELinux labelsResolves: rhbz#1482880- Add map permission to selinux-policyResolves: rhbz#1460322
* Tue Feb 27 2018 Lukas Vrabec - 3.13.1-192- Label /usr/libexec/dbus-1/dbus-daemon-launch-helper as dbusd_exec_t to have systemd dbus services running in the correct domain instead of unconfined_service_t if unconfined.pp module is enabled.Resolves: rhbz#1546721
* Mon Feb 19 2018 Lukas Vrabec - 3.13.1-191- Allow openvswitch_t stream connect svirt_tResolves: rhbz#1540702
* Fri Feb 16 2018 Lukas Vrabec - 3.13.1-190- Allow openvswitch domain to manage svirt_tmp_t sock filesResolves: rhbz#1540702- Fix broken systemd_tmpfiles_run() interface
* Wed Feb 07 2018 Lukas Vrabec - 3.13.1-189- Allow dirsrv_t domain to create tmp link filesResolves: rhbz#1536011- Label /usr/sbin/ldap-agent as dirsrv_snmp_exec_tResolves: rhbz#1428568- Allow ipsec_mgmt_t execute ifconfig_exec_t binaries- Allow ipsec_mgmt_t nnp domain transition to ifconfig_tResolves: rhbz#1539416
* Wed Feb 07 2018 Lukas Vrabec - 3.13.1-188- Allow svirt_domain to create socket files in /tmp with label svirt_tmp_tResolves: rhbz#1540702- Allow keepalived_t domain getattr proc filesystemResolves: rhbz#1477542- Rename svirt_sandbox_file_t to container_file_t and svirt_lxc_net_t to container_tResolves: rhbz#1538544- Allow ipsec_t nnp transistions to domains ipsec_mgmt_t and ifconfig_tResolves: rhbz:#1539416- Allow systemd_logind_t domain to bind on dhcpd_port_t,pki_ca_port_t,flash_port_tResolves: rhbz#1479350
* Tue Feb 06 2018 Lukas Vrabec - 3.13.1-187- Allow openvswitch_t domain to read cpuid, write to sysfs files and creating openvswitch_tmp_t socketsResolves: rhbz#1535196- Add new interface ppp_filetrans_named_content()Resolves: rhbz#1530601- Allow keepalived_t read sysctl_net_t filesResolves: rhbz#1477542- Allow puppetmaster_t domtran to puppetagent_tResolves: rhbz#1376893- Allow kdump_t domain to read kernel ring bufferResolves: rhbz#1540004- Allow ipsec_t domain to exec ifconfig_exec_t binaries.Resolves: rhbz#1539416- Allow unconfined_domain_typ to create pppd_lock_t directory in /var/lockResolves: rhbz#1530601- Allow updpwd_t domain to create files in /etc with shadow_t labelResolves: rhbz#1412838- Allow iptables sysctl load list support with SELinux enforcedResolves: rhbz#1535572
* Wed Jan 17 2018 Lukas Vrabec - 3.13.1-186- Allow virt_domains to acces infiniband pkeys.Resolves: rhbz#1533183- Label /usr/libexec/ipsec/addconn as ipsec_exec_t to run this script as ipsec_t instead of init_tResolves: rhbz#1535133- Allow audisp_remote_t domain write to files on all levelsResolves: rhbz#1534924
* Thu Jan 11 2018 Lukas Vrabec - 3.13.1-185- Allow vmtools_t domain creating vmware_log_t filesResolves: rhbz#1507048- Allow openvswitch_t domain to acces infiniband devicesResolves: rhbz#1532705
* Wed Jan 10 2018 Lukas Vrabec - 3.13.1-184- Allow chronyc_t domain to manage chronyd_keys_t files.Resolves: rhbz#1530525- Make virtlog_t domain system dbus clientResolves: rhbz#1481109- Update openvswitch SELinux moduleResolves: rhbz#1482682- Allow virtd_t to create also sock_files with label virt_var_run_tResolves: rhbz#1484075
* Mon Dec 11 2017 Lukas Vrabec - 3.13.1-183- Allow domains that manage logfiles to man logdirsResolves: rhbz#1523811
* Thu Dec 07 2017 Lukas Vrabec - 3.13.1-182- Label /dev/drm_dp_aux
* as xserver_misc_device_tResolves: rhbz#1520897- Allow sysadm_t to run puppet_exec_t binaries as puppet_tResolves: rhbz#1255745
* Mon Dec 04 2017 Lukas Vrabec - 3.13.1-181- Allow tomcat_t to manage pki_tomcat pid filesResolves: rhbz#1478371- networkmanager: allow talking to openvswitchResolves: rhbz#1517247- Allow networkmanager_t and opensm_t to manage subned endports for IPoIB VLANsResolves: rhbz#1517895- Allow domains networkmanager_t and opensm_t to control IPoIB VLANsResolves: rhbz#1517744- Fix typo in guest interface fileResolves: rhbz#1468254- Allow isnsd_t domain to accept tcp connections.Resolves: rhbz#1390208
* Mon Nov 20 2017 Lukas Vrabec - 3.13.1-180- Allow getty to use usbttysResolves: rhbz#1514235
* Mon Nov 13 2017 Lukas Vrabec - 3.13.1-179- Allow ldap_t domain to manage also slapd_tmp_t lnk filesResolves: rhbz#1510883- Allow cluster_t domain creating bundles directory with label var_log_t instead of cluster_var_log_tResolves: rhbz:#1508360- Add dac_read_search and dac_override capabilities to ganeshaResolves: rhbz#1483451
* Wed Nov 08 2017 Lukas Vrabec - 3.13.1-178- Add dependency for policycoreutils-2.5.18 becuase of new cgroup_seclabel policy capabilityResolves: rhbz#1510145
* Mon Nov 06 2017 Lukas Vrabec - 3.13.1-177- Allow jabber domains to connect to postgresql portsResolves: rhbz#1438489- Dontaudit accountsd domain creating dirs in /rootResolves: rhbz#1456760 - Dontaudit slapd_t to block suspend systemResolves: rhbz: #1479759 - Allow spamc_t to stream connect to cyrus.Resolves: rhbz#1382955 - allow imapd to read /proc/net/unix fileResolves: rhbz#1393030 - Allow passenger to connect to mysqld_port_tResolves: rhbz#1433464
* Mon Nov 06 2017 Lukas Vrabec - 3.13.1-176- Allow chronyc_t domain to use user_ptysResolves: rhbz#1470150- allow ptp4l to read /proc/net/unix file- Allow conmand to use usb ttys.Resolves: rhbz#1505121- Label all files /var/log/opensm.
* as opensm_log_t because opensm creating new log files with name opensm-subnet.lstResolves: rhbz#1505845- Allow chronyd daemon to execute chronyc.Resolves: rhbz#1508486- Allow firewalld exec ldconfig.Resolves: rhbz#1375576- Allow mozilla_plugin_t domain to dbus chat with devicekitResolves: rhbz#1460477- Dontaudit leaked logwatch pipesResolves: rhbz#1450119- Label /usr/bin/VGAuthService as vmtools_exec_t to confine this daemon.Resolves: rhbz#1507048- Allow httpd_t domain to execute hugetlbfs_t filesResolves: rhbz#1507682- Allow nfsd_t domain to read configfs_t files/dirsResolves: rhbz#1439442- Hide all allow rules with ptrace inside deny_ptrace booleanResolves: rhbz#1421075- Allow tgtd_t domain to read generic certsResolves: rhbz#1438532- Allow ptp4l to send msgs via dgram socket to unprivileged user domainsResolves: rhbz#1429853- Allow dirsrv_snmp_t to use inherited user ptys and read system stateResolves: rhbz#1428568- Allow glusterd_t domain to create own tmpfs dirs/filesResolves: rhbz#1411310- Allow keepalived stream connect to snmpResolves: rhbz#1401556- After fix in kernel where LSM hooks for dac_override and dac_search_read capability was swaped we need to fix it also in policyResolves: rhbz#1507089
* Fri Oct 27 2017 Lukas Vrabec - 3.13.1-175- Allow pegasus_openlmi_services_t to read generic certsResolves: rhbz#1462292- Allow ganesha_t domain to read random deviceResolves: rhbz#1494382- Allow zabbix_t domain to change its resource limitsResolves: rhbz:#1504074- Add new boolean nagios_use_nfsResolves: rhbz#1504826- Allow system_mail_t to search network sysctlsResolves: rhbz#1505779- Add samba_manage_var_dirs() interface- Fix typo bug in virt filecontext file- Allow nagios_script_t to read nagios_spool_t filesResolves: rhbz#1426824- Allow samba to manage var dirs/filesResolves: rhbz#1415088- Allow sbd_t to create own sbd_tmpfs_t dirs/filesResolves: rhbz#1380795- Allow firewalld and networkmanager to chat with hypervkvp via dbusResolves: rhbz#1377276- Allow dmidecode to read rhsmcert_log_t filesResolves: rhbz#1300799- Allow mail system to connect mariadb sockets.Resolves: rhbz#1368642- Allow logrotate_t to change passwd and reloead servicesResolves: rhbz#1450789- Allow mail system to connect mariadb sockets.Resolves: rhbz#1368642- Allow logrotate_t to change passwd and reloead servicesResolves: rhbz#1450789- Allow pegasus_openlmi_services_t to read generic certsResolves: rhbz#1462292- Allow ganesha_t domain to read random deviceResolves: rhbz#1494382- Allow zabbix_t domain to change its resource limitsResolves: rhbz:#1504074- Add new boolean nagios_use_nfsResolves: rhbz#1504826- Allow system_mail_t to search network sysctlsResolves: rhbz#1505779- Add samba_manage_var_dirs() interface- Fix typo bug in virt filecontext file- Allow nagios_script_t to read nagios_spool_t filesResolves: rhbz#1426824- Allow samba to manage var dirs/filesResolves: rhbz#1415088- Allow sbd_t to create own sbd_tmpfs_t dirs/filesResolves: rhbz#1380795- Allow firewalld and networkmanager to chat with hypervkvp via dbusResolves: rhbz#1377276- Allow dmidecode to read rhsmcert_log_t filesResolves: rhbz#1300799- Allow mail system to connect mariadb sockets.Resolves: rhbz#1368642- Allow logrotate_t to change passwd and reloead servicesResolves: rhbz#1450789- Allow chronyd_t do request kernel module and block_suspend capabilityResolves: rhbz#1350765- Allow system_cronjob_t to create /var/lib/letsencrypt dir with right labelResolves: rhbz#1447278- Allow httpd_t also read httpd_user_content_type dirs when httpd_enable_homedirs is enablesResolves: rhbz#1491994- Allow svnserve to use kerberosResolves: rhbz#1475271- Allow conman to use ptmx. Add conman_use_nfs booleanResolves: rhbz#1377915- Add nnp transition for services using: NoNewPrivileges systemd security featureResolves: rhbz#1311430- Add SELinux support for chronycResolves: rhbz#1470150- Add dac_read_search capability to openvswitch_t domainResolves: rhbz#1501336- Allow svnserve to manage own svnserve_log_t files/dirsResolves: rhbz#1480741- Allow keepalived_t to search network sysctlsResolves: rhbz#1477542- Allow puppetagent_t domain dbus chat with rhsmcertd_t domainResolves: rhbz#1446777- Add dccp_socket into socker_class_set subsetResolves: rhbz#1459941- Allow iptables_t to run setfiles to restore context on systemResolves: rhbz#1489118- Label 20514 tcp/udp ports as syslogd_port_t Label 10514 tcp/udp portas as syslog_tls_port_tResolves: rhbz:#1411400- Make nnp transition ActiveResolves: rhbz#1480518- Label tcp 51954 as isns_port_tResolves: rhbz#1390208- Add dac_read_search capability chkpwd_tResolves: rhbz#1376991- Add support for running certbot(letsencrypt) in crontabResolves: rhbz#1447278- Add init_nnp_daemon_domain interface- Allow xdm_t to gettattr /dev/loop-control deviceResolves: rhbz#1462925- Allow nnp trasintion for unconfined_service_tResolves: rhbz#1311430- Allow unpriv user domains and unconfined_service_t to use chronycResolves: rhbz#1470150- Allow iptables to exec plymouth.Resolves: rhbz#1480374- Fix typo in fs_unmount_tracefs interface.Resolves: rhbz#1371057- Label postgresql-check-db-dir as postgresql_exec_tResolves: rhbz#1490956
* Tue Sep 26 2017 Lukas Vrabec - 3.13.1-174- We should not ship selinux-policy with permissivedomains enabled.Resolves: rhbz#1494172- Fix order of installing selinux-policy-sandbox, because of depedencied in sandbox module, selinux-policy-targeted needs to be installed before selinux-policy-sandboxResolves: rhbz#1492606
* Tue Sep 19 2017 Lukas Vrabec - 3.13.1-173- Allow tomcat to setsched Resolves: rhbz#1492730- Fix rules blocking ipa-server upgrade processResolves: rhbz#1478371- Add new boolean tomcat_read_rpm_db()Resolves: rhbz#1477887- Allow tomcat to connect on mysqld tcp ports- Add ctdbd_t domain sys_source capability and allow setrlimitResolves: rhbz#1491235- Fix keepalived SELinux module- Allow automount domain to manage mount pid filesResolves: rhbz#1482381- Allow stunnel_t domain setschedResolves: rhbz#1479383- Add keepalived domain setpgid capabilityResolves: rhbz#1486638- Allow tomcat domain to connect to mssql portResolves: rhbz#1484572- Remove snapperd_t from unconfined domainesResolves: rhbz#1365555- Fix typo bug in apache moduleResolves: rhbz#1397311- Dontaudit that system_mail_t is trying to read /root/ filesResolves: rhbz#1147945- Make working webadm_t userdomainResolves: rhbz#1323792- Allow redis domain to execute shell scripts.Resolves: rhbz#1421326- Allow system_cronjob_t to create redhat-access-insights.log with var_log_tResolves: rhbz#1473303- Add couple capabilities to keepalived domain and allow get attributes of all domainsResolves: rhbz#1429327- Allow dmidecode read rhsmcertd lock filesResolves: rhbz#1300799- Add new interface rhsmcertd_rw_lock_files()Resolves: rhbz#1300799- Label all plymouthd archives as plymouthd_var_log_tResolves: rhbz#1478323- Allow cloud_init_t to dbus chat with systemd_timedated_tResolves: rhbz#1440730- Allow logrotate_t to write to kmsgResolves: rhbz#1397744- Add capability kill to rhsmcertd_tResolves: rhbz#1398338- Disable mysqld_safe_t secure mode environment cleansing.Resolves: rhbz#1464063- Allow winbind to manage smbd_tmp_t filesResolves: rhbz#1475566- Dontaudit that system_mail_t is trying to read /root/ filesResolves: rhbz#1147945- Make working webadm_t userdomainResolves: rhbz#1323792- Allow redis domain to execute shell scripts.Resolves: rhbz#1421326- Allow system_cronjob_t to create redhat-access-insights.log with var_log_tResolves: rhbz#1473303- Add couple capabilities to keepalived domain and allow get attributes of all domainsResolves: rhbz#1429327- Allow dmidecode read rhsmcertd lock filesResolves: rhbz#1300799- Add new interface rhsmcertd_rw_lock_files()Resolves: rhbz#1300799- Label all plymouthd archives as plymouthd_var_log_tResolves: rhbz#1478323 - Allow cloud_init_t to dbus chat with systemd_timedated_tResolves: rhbz#1440730- Allow logrotate_t to write to kmsgResolves: rhbz#1397744- Add capability kill to rhsmcertd_tResolves: rhbz#1398338- Disable mysqld_safe_t secure mode environment cleansing.Resolves: rhbz#1464063- Allow winbind to manage smbd_tmp_t filesResolves: rhbz#1475566- Add interface systemd_tmpfiles_run- End of file cannot be in comment- Allow systemd-logind to use ypbindResolves: rhbz#1479350- Add creating opasswd file with shadow_t SELinux label in auth_manage_shadow() interfaceResolves: rhbz#1412838- Allow sysctl_irq_t assciate with proc_tResolves: rhbz#1485909- Enable cgourp sec labelingResolves: rhbz#1485947- Add cgroup_seclabel policycap.Resolves: rhbz#1485947- Allow sshd_t domain to send signull to xdm_t processesResolves: rhbz#1448959- Allow updpwd_t domain auth file name transResolves: rhbz#1412838- Allow sysadm user to run systemd-tmpfilesResolves: rbhz#1325364- Add support labeling for vmci and vsock deviceResolves: rhbz#1451358- Add userdom_dontaudit_manage_admin_files() interfaceResolves: rhbz#1323792- Allow iptables_t domain to read files with modules_conf_t labelResolves: rhbz#1373220- init: Add NoNewPerms support for systemd.Resolves: rhbz#1480518- Add nnp_nosuid_transition policycap and related class/perm definitions.Resolves: rhbz#1480518- refpolicy: Infiniband pkeys and endportsResolves: rhbz#1464484
* Tue Aug 29 2017 Lukas Vrabec - 3.13.1-172- Allow certmonger using systemctl on pki_tomcat unit filesResolves: rhbz#1481388
* Tue Aug 29 2017 Lukas Vrabec - 3.13.1-171- Allow targetd_t to create own tmp files.- Dontaudit targetd_t to exec rpm binary file.Resolves: rhbz#1373860Resolves: rhbz#1424621
* Thu Aug 24 2017 Lukas Vrabec - 3.13.1-170- Add few rules to make working targetd daemon with SELinuxResolves: rhbz#1373860- Allow ipmievd_t domain to load kernel modulesResolves: rhbz#1441081- Allow logrotate to reload transient systemd unitResolves: rhbz#1440515- Add certwatch_t domain dac_override and dac_read_search capabilitiesResolves: rhbz#1422000- Allow postgrey to execute bin_t files and add postgrey into nsswitch_domainResolves: rhbz#1412072- Allow nscd_t domain to search network sysctlsResolves: rhbz#1432361- Allow iscsid_t domain to read mount pid filesResolves: rhbz#1482097- Allow ksmtuned_t domain manage sysfs_t files/dirsResolves: rhbz#1413865- Allow keepalived_t domain domtrans into iptables_tResolves: rhbz#1477719- Allow rshd_t domain reads net sysctlsResolves: rhbz#1477908- Add interface seutil_dontaudit_read_module_store()- Update interface lvm_rw_pipes() by adding also open permission- Label /dev/clp device as vfio_device_tResolves: rhbz#1477624- Allow ifconfig_t domain unmount fs_tResolves: rhbz#1477445- Label /dev/gpiochip
* devices as gpio_device_tResolves: rhbz#1477618- Add interface dev_manage_sysfs()Resolves: rhbz#1474989
* Mon Aug 14 2017 Lukas Vrabec - 3.13.1-169- Label /usr/libexec/sudo/sesh as shell_exec_tResolves: rhbz#1480791
* Fri Aug 11 2017 Lukas Vrabec - 3.13.1-168- Allow tomcat_t domain couple capabilities to make working tomcat-jsvcResolves: rhbz#1470735
* Wed Aug 09 2017 Lukas Vrabec - 3.13.1-167- Allow llpdad send dgram to libvirtResolves: rhbz#1472722
* Mon Jul 10 2017 Lukas Vrabec - 3.13.1-166- Add new boolean gluster_use_execmemResolves: rhbz#1469027- Allow cluster_t and glusterd_t domains to dbus chat with ganesha serviceResolves: rhbz#1468581
* Mon Jun 26 2017 Lukas Vrabec - 3.13.1-165- Dontaudit staff_t user read admin_home_t files.Resolves: rhbz#1290633
* Wed Jun 21 2017 Lukas Vrabec - 3.13.1-164- Allow couple rules needed to start targetd daemon with SELinux in enforcing modeResolves: rhbz#1424621- Add interface lvm_manage_metadataResolves: rhbz#1424621
* Tue Jun 20 2017 Lukas Vrabec - 3.13.1-163- Allow sssd_t to read realmd lib files.Resolves: rhbz#1436689- Add permission open to files_read_inherited_tmp_files() interfaceResolves: rhbz#1290633Resolves: rhbz#1457106
* Thu Jun 15 2017 Lukas Vrabec - 3.13.1-162- Allow unconfined_t user all user namespace capabilties.Resolves: rhbz#1461488
* Thu Jun 08 2017 Lukas Vrabec - 3.13.1-161- Allow httpd_t to read realmd_var_lib_t files Resolves: rhbz#1436689
* Tue Jun 06 2017 Lukas Vrabec - 3.13.1-160- Allow named_t to bind on udp 4321 portResolves: rhbz#1312972- Allow systemd-sysctl cap. sys_ptraceResolves: rhbz#1458999
* Mon Jun 05 2017 Lukas Vrabec - 3.13.1-159- Allow pki_tomcat_t execute ldconfig.Resolves: rhbz#1436689
* Fri Jun 02 2017 Lukas Vrabec - 3.13.1-158- Allow iscsi domain load kernel module.Resolves: rhbz#1457874- Allow keepalived domain connect to squid tcp portResolves: rhbz#1457455- Allow krb5kdc_t domain read realmd lib files.Resolves: rhbz#1436689- xdm_t should view kernel keysResolves: rhbz#1432645
* Thu Jun 01 2017 Lukas Vrabec - 3.13.1-157- Allow tomcat to connect on all unreserved ports- Allow ganesha to connect to all rpc portsResolves: rhbz#1448090- Update ganesha with another fixes.Resolves: rhbz#1448090- Update rpc_read_nfs_state_data() interface to allow read also lnk_files.Resolves: rhbz#1448090- virt_use_glusterd boolean should be in optional block Update ganesha module to allow create tmp filesResolves: rhbz#1448090- Hide broken symptoms when machine is configured with network bounding.
* Wed May 31 2017 Lukas Vrabec - 3.13.1-156- Add new boolean virt_use_glusterdResolves: rhbz#1455994- Add capability sys_boot for sbd_t domain- Allow sbd_t domain to create rpc sysctls.Resolves: rhbz#1455631- Allow ganesha_t domain to manage glusterd_var_run_t pid files.Resolves: rhbz#1448090
* Tue May 30 2017 Lukas Vrabec - 3.13.1-155- Create new interface: glusterd_read_lib_files()- Allow ganesha read glusterd lib files.- Allow ganesha read network sysctlsResolves: rhbz#1448090
* Mon May 29 2017 Lukas Vrabec - 3.13.1-154- Add few allow rules to ganesha moduleResolves: rhbz#1448090- Allow condor_master_t to read sysctls.Resolves: rhbz#1277506- Add dac_override cap to ctdbd_t domainResolves: rhbz#1435708- Label 8750 tcp/udp port as dey_keyneg_port_tResolves: rhbz#1448090
* Mon May 29 2017 Lukas Vrabec - 3.13.1-153- Add ganesha_use_fusefs boolean.Resolves: rhbz#1448090
* Wed May 24 2017 Lukas Vrabec - 3.13.1-152- Allow httpd_t reading kerberos kdc config filesResolves: rhbz#1452215- Allow tomcat_t domain connect to ibm_dt_2 tcp port.Resolves: rhbz#1447436- Allow stream connect to initrc_t domainsResolves: rhbz#1447436- Allow dnsmasq_t domain to read systemd-resolved pid files.Resolves: rhbz#1453114- Allow tomcat domain name_bind on tcp bctp_port_tResolves: rhbz#1451757- Allow smbd_t domain generate debugging files under /var/run/gluster. These files are created through the libgfapi.so library that provides integration of a GlusterFS client in the Samba (vfs_glusterfs) process.Resolves: rhbz#1447669- Allow condor_master_t write to sysctl_net_tResolves: rhbz#1277506- Allow nagios check disk plugin read /sys/kernel/config/Resolves: rhbz#1277718- Allow pcp_pmie_t domain execute systemctl binaryResolves: rhbz#1271998- Allow nagios to connect to stream sockets. Allow nagios start httpd via systemctlResolves: rhbz#1247635- Label tcp/udp port 1792 as ibm_dt_2_port_tResolves: rhbz#1447436- Add interface fs_read_configfs_dirs()- Add interface fs_read_configfs_files()- Fix systemd_resolved_read_pid interface- Add interface systemd_resolved_read_pid()Resolves: rhbz#1453114- Allow sshd_net_t domain read/write into crypto devicesResolves: rhbz#1452759- Label 8999 tcp/udp as bctp_port_tResolves: rhbz#1451757
* Thu May 18 2017 Lukas Vrabec - 3.13.1-151- nmbd_t needs net_admin capability like smbdResolves: rhbz#1431859- Dontaudit net_admin capability for domains postfix_master_t and postfix_qmgr_tResolves: rhbz#1431859- Allow rngd domain read sysfs_tResolves: rhbz#1451735- Add interface pki_manage_common_files()Resolves: rhbz#1447436- Allow tomcat_t domain to manage pki_common_t files and dirsResolves: rhbz#1447436- Use stricter fc rules for sssd sockets in /var/runResolves: rhbz#1448060- Allow certmonger reads httpd_config_t filesResolves: rhbz#1436689- Allow keepalived_t domain creating netlink_netfilter_socket.Resolves: rhbz#1451684- Allow tomcat domain read rpm_var_lib_t files Allow tomcat domain exec rpm_exec_t files Allow tomcat domain name connect on oracle_port_t Allow tomcat domain read cobbler_var_lib_t files.Resolves: rhbz#1451318- Make able deply overcloud via neutron_t to label nsfs as fs_tResolves: rhbz#1373321
* Tue May 16 2017 Lukas Vrabec - 3.13.1-150- Allow tomcat domain read rpm_var_lib_t files Allow tomcat domain exec rpm_exec_t files Allow tomcat domain name connect on oracle_port_t Allow tomcat domain read cobbler_var_lib_t files.Resolves: rhbz#1451318- Allow sssd_t domain creating sock files labeled as sssd_var_run_t in /var/run/Resolves: rhbz#1448056 Resolves: rhbz#1448060- Allow tomcat_domain connect to
* postgresql_port_t
* amqp_port_t Allow tomcat_domain read network sysctlsResolves: rhbz#1450819- Make able deply overcloud via neutron_t to label nsfs as fs_tResolves: rhbz#1373321- Allow netutils setpcap capabilityResolves:1444438
* Mon May 15 2017 Lukas Vrabec - 3.13.1-149- Update targetd policy to accommodate changes in the serviceResolves: rhbz#1424621- Allow tomcat_domain connect to
* postgresql_port_t
* amqp_port_t Allow tomcat_domain read network sysctlsResolves: rhbz#1450819- Update virt_rw_stream_sockets_svirt() interface to allow confined users set socket options.Resolves: rhbz#1415841- Allow radius domain stream connec to postgresqlResolves: rhbz#1446145- Allow virt_domain to read raw fixed_disk_device_t to make working blockcommitResolves: rhbz#1449977- Allow glusterd_t domain start ganesha serviceResolves: rhbz#1448090- Made few cosmetic changes in sssd SELinux moduleResolves: rhbz#1448060- sssd-kcm should not run as unconfined_service_t BZ(1447411)Resolves: rhbz#1448060- Add sssd_secrets labeling Also add named_filetrans interface to make sure all labels are correctResolves: rhbz#1448056- Allow keepalived_t domain read usermodehelper_tResolves: rhbz#1449769- Allow tomcat_t domain read pki_common_t filesResolves: rhbz#1447436- Add interface pki_read_common_files()Resolves: rhbz#1447436
* Tue May 09 2017 Lukas Vrabec - 3.13.1-148- Allow hypervkvp_t domain execute hostnameResolves: rhbz#1449064- Dontaudit sssd_selinux_manager_t use of net_admin capabilityResolves: rhbz#1444955- Allow tomcat_t stream connect to pki_common_tResolves: rhbz#1447436- Dontaudit xguest_t\'s attempts to listen to its tcp_socket- Allow sssd_selinux_manager_t to ioctl init_t socketsResolves: rhbz#1436689- Allow _su_t to create netlink_selinux_socketResolves rhbz#1146987- Allow unconfined_t to module_load any fileResolves rhbz#1442994
* Sat Apr 29 2017 Lukas Vrabec - 3.13.1-147- Improve ipa_cert_filetrans_named_content() interface to also allow caller domain manage ipa_cert_t type.Resolves: rhbz#1436689
* Fri Apr 28 2017 Lukas Vrabec - 3.13.1-146- Allow pki_tomcat_t domain read /etc/passwd.Resolves: rhbz#1436689- Allow tomcat_t domain read ipa_tmp_t filesResolves: rhbz#1436689- Label new path for ipa-otpdResolves: rhbz#1446353- Allow radiusd_t domain stream connect to postgresql_tResolves: rhbz#1446145- Allow rhsmcertd_t to execute hostname_exec_t binaries.Resolves: rhbz#1445494- Allow virtlogd to append nfs_t files when virt_use_nfs=1Resolves: rhbz#1402561
* Wed Apr 26 2017 Lukas Vrabec - 3.13.1-145- Update tomcat policy to adjust for removing unconfined_domain attr.Resolves: rhbz#1432083- Allow httpd_t domain read also httpd_user_content_type lnk_files.Resolves: rhbz#1383621- Allow httpd_t domain create /etc/httpd/alias/ipaseesion.key with label ipa_cert_tResolves: rhbz#1436689- Dontaudit _gkeyringd_t stream connect to system_dbusd_tResolves: rhbz#1052880- Label /var/www/html/nextcloud/data as httpd_sys_rw_content_tResolves: rhbz#1425530- Add interface ipa_filetrans_named_content()Resolves: rhbz#1432115- Allow tomcat use nsswitchResolves: rhbz#1436689- Allow certmonger_t start/status generic servicesResolves: rhbz#1436689- Allow dirsrv read cgroup files.Resolves: rhbz#1436689- Allow ganesha_t domain read/write infiniband devices.Resolves: rhbz#1383784- Allow sendmail_t domain sysctl_net_t filesResolves: rhbz#1369376- Allow targetd_t domain read network state and getattr on loop_control_device_tResolves: rhbz#1373860- Allow condor_schedd_t domain send mails.Resolves: rhbz#1277506- Alow certmonger to create own systemd unit files.Resolves: rhbz#1436689- Allow staff to systemctl virt server when staff_use_svirt=1Resolves: rhbz#1415841- Allow unconfined_t create /tmp/ca.p12 file with ipa_tmp_t contextResolves: rhbz#1432115- Label /sysroot/ostree/deploy/rhel-atomic-host/
* as root_tResolves: rhbz#1428112
* Wed Apr 19 2017 Lukas Vrabec - 3.13.1-144- Alow certmonger to create own systemd unit files.Resolves: rhbz#1436689
* Tue Apr 18 2017 Lukas Vrabec - 3.13.1-143- Hide broken symptoms when using kernel 3.10.0-514+ with network bonding. Postfix_picup_t domain requires NET_ADMIN capability which is not really needed.Resolves: rhbz#1431859- Fix policy to reflect all changes in new IPA releaseResolves: rhbz#1432115Resolves: rhbz#1436689
* Wed Apr 12 2017 Lukas Vrabec - 3.13.1-142- Allow sbd_t to read/write fixed disk devicesResolves: rhbz#1440165- Add sys_ptrace capability to radiusd_t domainResolves: rhbz#1426641- Allow cockpit_session_t domain connects to ssh tcp ports.Resolves: rhbz#1413509
* Fri Apr 07 2017 Lukas Vrabec - 3.13.1-141- Update tomcat policy to make working ipa install processResolves: rhbz#1436689
* Wed Apr 05 2017 Lukas Vrabec - 3.13.1-140- Allow pcp_pmcd_t net_admin capability.- Allow pcp_pmcd_t read net sysctls- Allow system_cronjob_t create /var/run/pcp with pcp_var_run_tResolves: rhbz#1336211
* Wed Apr 05 2017 Lukas Vrabec - 3.13.1-139- Fix all AVC denials during pkispawn of CAResolves: rhbz#1436383- Update pki interfaces and tomcat moduleResolves: rhbz#1436689
* Tue Apr 04 2017 Lukas Vrabec - 3.13.1-138- Update pki interfaces and tomcat moduleResolves: rhbz#1436689
* Tue Apr 04 2017 Lukas Vrabec - 3.13.1-137- Dontaudit firewalld wants write to /rootResolves: rhbz#1438708- Dontaudit firewalld to create dirs in /root/Resolves: rhbz#1438708- Allow sendmail to search network sysctlsResolves: rhbz#1369376- Add interface gssd_noatsecure()Resolves: rhbz#1438036- Add interface gssproxy_noatsecure()Resolves: rhbz#1438036- Dontaudit pcp_pmlogger_t search for xserver logs. Allow pcp_pmlogger_t to send signals to unconfined doamins Allow pcp_pmlogger_t to send logs to journalsResolves: rhbz#1379371- Allow chronyd_t net_admin capability to allow support HW timestamping.Resolves: rhbz#1416015- Update tomcat policyResolves: rhbz#1436689Resolves: rhbz#1436383- Allow certmonger to start haproxy serviceResolves: rhbz#1349394- Allow init noatsecure for gssd and gssproxyResolves: rhbz#1438036
* Thu Mar 30 2017 Lukas Vrabec - 3.13.1-136- geoclue wants to dbus chat with avahiResolves: rhbz#1434286- Allow iptables get list of kernel modulesResolves: rhbz#1367520- Allow unconfined_domain_type to enable/disable transient unitResolves: rhbz#1337041- Add interfaces init_enable_transient_unit() and init_disable_transient_unit- Revert \"Allow sshd setcap capability. This is needed due to latest changes in sshd\"Resolves: rhbz#1435264- Label sysroot dir under ostree as root_tResolves: rhbz#1428112
* Wed Mar 29 2017 Lukas Vrabec - 3.13.1-135- Remove ganesha_t domain from permissive domains.Resolves: rhbz#1436988
* Tue Mar 28 2017 Lukas Vrabec - 3.13.1-134- Allow named_t domain bind on several udp portsResolves: rhbz#1312972- Update nscd_use() interfaceResolves: rhbz#1281716- Allow radius_t domain ptraceResolves: rhbz#1426641- Update nagios to allos exec systemctlResolves: rhbz#1247635- Update pcp SELinux module to reflect all pcp changesResolves: rhbz#1271998- Label /var/lib/ssl_db as squid_cache_t Label /etc/squid/ssl_db as squid_cache_tResolves: rhbz#1325527- Allow pcp_pmcd_t domain search for network sysctl Allow pcp_pmcd_t domain sys_ptrace capability Resolves: rhbz#1336211
* Mon Mar 27 2017 Lukas Vrabec - 3.13.1-133- Allow drbd load modulesResolves: rhbz#1134883- Revert \"Add sys_module capability for drbdResolves: rhbz#1134883\"- Allow stapserver list kernel modulesResolves: rhbz#1325976- Update targetd policyResolves: rhbz#1373860- Add sys_admin capability to amandaResolves: rhbz#1371561- Allow hypervvssd_t to read all dirs.Resolves: rhbz#1331309- Label /run/haproxy.sock socket as haproxy_var_run_tResolves: rhbz#1386233- Allow oddjob_mkhomedir_t to mamange autofs_t dirs.Resolves: rhbz#1408819- Allow tomcat to connect on http_cache_port_tResolves: rhbz#1432083- Allow geoclue to send msgs to syslog.Resolves: rhbz#1434286- Allow condor_master_t domain capability chown.Resolves: rhbz#1277506- Update mta_filetrans_named_content() interface to allow calling domain create files labeled as etc_aliases_t in dir labeled as etc_mail_t.Resolves: rhbz#1167468- Allow nova domain search for httpd configuration.Resolves: rhbz#1190761- Add sys_module capability for drbdResolves: rhbz#1134883- Allow user_u users stream connect to dirsrv, Allow sysadm_u and staff_u users to manage dirsrv filesResolves: rhbz#1286474- Allow systemd_networkd_t communicate with systemd_networkd_t via dbusResolves: rhbz#1278010
* Wed Mar 22 2017 Lukas Vrabec - 3.13.1-132- Add haproxy_t domain fowner capabilityResolves: rhbz#1386233- Allow domain transition from ntpd_t to hwclock_t domainsResolves: rhbz#1375624- Allow cockpit_session_t setrlimit and sys_resourceResolves: rhbz#1402316- Dontaudit svirt_t read state of libvirtd domainResolves: rhbz#1426106- Update httpd and gssproxy modules to reflects latest changes in freeipaResolves: rhbz#1432115- Allow iptables read modules_conf_tResolves: rhbz#1367520
* Wed Mar 22 2017 Lukas Vrabec - 3.13.1-131- Remove tomcat_t domain from unconfined domainsResolves: rhbz#1432083- Create new boolean: sanlock_enable_home_dirs()Resolves: rhbz#1432783- Allow mdadm_t domain to read/write nvme_device_tResolves: rhbz#1431617- Remove httpd_user_
*_content_t domains from user_home_type attribute. This tighten httpd policy and acces to user data will be more strinct, and also fix mutual influente between httpd_enable_homedirs and httpd_read_user_contentResolves: rhbz#1383621- Dontaudit domain to create any file in /proc. This is kernel bug.Resolves: rhbz#1412679- Add interface dev_rw_nvmeResolves: rhbz#1431617
* Thu Mar 16 2017 Lukas Vrabec - 3.13.1-130- Allow gssproxy to get attributes on all filesystem object types.Resolves: rhbz#1430295- Allow ganesha to chat with unconfined domains via dbusResolves: rhbz#1426554- add the policy required for nextcloudResolves: rhbz#1425530- Add nmbd_t capability2 block_suspendResolves: rhbz#1425357- Label /var/run/chrony as chronyd_var_run_tResolves: rhbz#1416015- Add domain transition from sosreport_t to iptables_tResolves: rhbz#1359789- Fix path to /usr/lib64/erlang/erts-5.10.4/bin/epmdResolves: rhbz:#1332803
* Tue Mar 14 2017 Lukas Vrabec - 3.13.1-129- Update rpm macrosResolves: rhbz#1380854
* Mon Mar 13 2017 Lukas Vrabec - 3.13.1-128- Add handling booleans via selinux-policy macros in custom policy spec files.Resolves: rhbz#1380854
* Thu Mar 09 2017 Lukas Vrabec - 3.13.1-127- Allow openvswitch to load kernel modulesResolves: rhbz#1405479
* Thu Mar 09 2017 Lukas Vrabec - 3.13.1-126- Allow openvswitch read script state.Resolves: rhbz#1405479
* Tue Mar 07 2017 Lukas Vrabec - 3.13.1-125- Update ganesha policyResolves: rhbz#1426554Resolves: rhbz#1383784- Allow chronyd to read adjtimeResolves: rhbz#1416015- Fixes for chrony version 2.2Resolves: rhbz#1416015- Add interface virt_rw_stream_sockets_svirt()Resolves: rhbz#1415841- Label /dev/ss0 as gpfs_device_tResolves: rhbz#1383784- Allow staff to rw svirt unix stream sockets.Resolves: rhbz#1415841- Label /rhev/data-center/mnt as mnt_tResolves: rhbz#1408275- Associate sysctl_rpc_t with proc filesystemsResolves: rhbz#1350927- Add new boolean: domain_can_write_kmsgResolves: rhbz#1415715
* Thu Mar 02 2017 Lukas Vrabec - 3.13.1-124- Allow rhsmcertd_t dbus chat with system_cronjob_tResolves: rhbz#1405341- Allow openvswitch exec hostname and readinitrc_t filesResolves: rhbz#1405479- Improve SELinux context for mysql_db_t objects.Resolves: rhbz#1391521- Allow postfix_postdrop to communicate with postfix_master via pipe.Resolves: rhbz#1379736- Add radius_use_jit booleanResolves: rhbz#1426205- Label /var/lock/subsys/iptables as iptables_lock_tResolves: rhbz#1405441- Label /usr/lib64/erlang/erts-5.10.4/bin/epmd as lib_tResolves: rhbz#1332803- Allow can_load_kernmodule to load kernel modules.Resolves: rhbz#1423427Resolves: rhbz#1424621
* Thu Feb 23 2017 Lukas Vrabec - 3.13.1-123- Allow nfsd_t domain to create sysctls_rpc_t filesResolves: rhbz#1405304- Allow openvswitch to create netlink generic sockets.Resolves: rhbz#1397974- Create kernel_create_rpc_sysctls() interfaceResolves: rhbz#1405304
* Fri Feb 17 2017 Lukas Vrabec - 3.13.1-122- Allow nfsd_t domain rw sysctl_rpc_t dirsResolves: rhbz#1405304- Allow cgdcbxd_t to manage cgroup files.Resolves: rhbz#1358493- Allow cmirrord_t domain to create netlink_connector socketsResolves: rhbz#1412670- Allow fcoemon to create netlink scsitransport socketsResolves: rhbz#1362496- Allow quota_nld_t create netlink_generic socketsResolves: rhbz#1358679- Allow cgred_t create netlink_connector socketsResolves: rhbz#1376357- Add dhcpd_t domain fowner capabilityResolves: rhbz#1358485- Allow acpid to attempt to connect to the Linux kernel via generic netlink socket.Resolves: rhbz#1358478- Rename docker module to container moduleResolves: rhbz#1386916- Allow setflies to mount tracefsResolves: rhbz#1376357- Allow iptables to read nsfs files.Resolves: rhbz#1411316- Allow systemd_bootchart_t domain create dgram sockets.Resolves: rhbz#1365953- Rename docker interfaces to containerResolves: rhbz#1386916
* Wed Feb 15 2017 Lukas Vrabec - 3.13.1-120- Allow initrc_t domain to run rhel-autorelabel script properly during boot processResolves: rhbz#1379722- Allow systemd_initctl_t to create and connect unix_dgram socketsResolves: rhbz#1365947- Allow ifconfig_t to mount/unmount nsfs_t filesystemResolves: rhbz#1349814- Add interfaces allowing mount/unmount nsfs_t filesystemResolves: rhbz#1349814
* Mon Feb 13 2017 Lukas Vrabec - 3.13.1-119- Add interface init_stream_connectto()Resolves:rhbz#1365947- Allow rhsmcertd domain signull kernel.Resolves: rhbz#1379781- Allow kdumpgui domain to read nvme device- Allow insmod_t to load kernel modulesResolves: rhbz#1421598- Add interface files_load_kernel_modules()Resolves: rhbz#1421598- Add SELinux support for systemd-initctl daemonResolves:rhbz#1365947- Add SELinux support for systemd-bootchartResolves: rhbz#1365953
* Tue Feb 07 2017 Lukas Vrabec - 3.13.1-118- Allow firewalld to getattr open search read modules_object_t:dirResolves: rhbz#1418391- Fix label for nagios plugins in nagios file conxtext fileResolves: rhbz#1277718- Add sys_ptrace capability to pegasus domainResolves: rhbz#1381238- Allow sssd_t domain setpgidResolves:rhbz#1416780- After the latest changes in nfsd. We should allow nfsd_t to read raw fixed disk.Resolves: rhbz#1350927- Allow kdumpgui domain to read nvme deviceResolves: rhbz#1415084- su using libselinux and creating netlink_selinux socket is needed to allow libselinux initialization.Resolves: rhbz#1146987- Add user namespace capability object classes.Resolves: rhbz#1368057- Add module_load permission to class systemResolves:rhbz#1368057- Add the validate_trans access vector to the security class Resolves: rhbz#1368057- Add \"binder\" security class and access vectorsResolves: rhbz#1368057- Allow ifconfig_t domain read nsfs_tResolves: rhbz#1349814- Allow ping_t domain to load kernel modules.Resolves: rhbz#1388363
* Mon Jan 09 2017 Lukas Vrabec - 3.13.1-117- Allow systemd container to read/write usermodehelperstateResolves: rhbz#1403254- Label udp ports in range 24007-24027 as gluster_port_tResolves: rhbz#1404152
* Tue Dec 20 2016 Lukas Vrabec - 3.13.1-116- Allow glusterd_t to bind on glusterd_port_t udp ports.Resolves: rhbz#1404152- Revert: Allow glusterd_t to bind on med_tlp port.
* Mon Dec 19 2016 Lukas Vrabec - 3.13.1-115- Allow glusterd_t to bind on med_tlp port.Resolves: rhbz#1404152- Update ctdbd_t policy to reflect all changes.Resolves: rhbz#1402451- Label tcp port 24009 as med_tlp_port_tResolves: rhbz#1404152- Issue appears during update directly from RHEL-7.0 to RHEL-7.3 or above. Modules pkcsslotd and vbetools missing in selinux-policy package for RHEL-7.3 which causing warnings during SELinux policy store migration process. Following patch fixes issue by skipping pkcsslotd and vbetools modules migration.
* Thu Dec 15 2016 Lukas Vrabec - 3.13.1-114- Allow ctdbd_t domain transition to rpcd_tResolves:rhbz#1402451
* Thu Dec 15 2016 Lukas Vrabec - 3.13.1-113- Fixes for containers Allow containers to attempt to write to unix_sysctls. Allow cotainers to use the FD\'s leaked to them from parent processes.Resolves: rhbz#1403254
* Tue Dec 13 2016 Lukas Vrabec - 3.13.1-112- Allow glusterd_t send signals to userdomain. Label new glusterd binaries as glusterd_exec_tResolves: rhbz#1404152- Allow systemd to stop glusterd_t domains.Resolves: rhbz#1400493
* Fri Dec 09 2016 Lukas Vrabec - 3.13.1-111- Make working CTDB:NFS: CTDB failover from selinux-policy POVResolves: rhbz#1402451
* Fri Dec 02 2016 Lukas Vrabec - 3.13.1-110- Add kdump_t domain sys_admin capabilityResolves: rhbz#1375963
* Thu Dec 01 2016 Lukas Vrabec - 3.13.1-109- Allow puppetagent_t to access timedated dbus. Use the systemd_dbus_chat_timedated interface to allow puppetagent_t the access.Resolves: rhbz#1399250
* Mon Nov 14 2016 Lukas Vrabec - 3.13.1-108- Update systemd on RHEL-7.2 box to version from RHEL-7.3 and then as a separate yum command update the selinux policy systemd will start generating USER_AVC denials and will start returning \"Access Denied\" errors to DBus clientsResolves: rhbz#1393505
* Wed Nov 09 2016 Lukas Vrabec - 3.13.1-107- Allow cluster_t communicate to fprintd_t via dbusResolves: rhbz#1349798
* Tue Nov 08 2016 Lukas Vrabec - 3.13.1-106- Fix error message during update from RHEL-7.2 to RHEL-7.3, when /usr/sbin/semanage command is not installed and selinux-policy-migrate-local-changes.sh script is executed in %post install phase of selinux-policy packageResolves: rhbz#1392010
* Tue Oct 18 2016 Miroslav Grepl - 3.13.1-105- Allow GlusterFS with RDMA transport to be started correctly. It requires ipc_lock capability together with rw permission on rdma_cm device.Resolves: rhbz#1384488- Allow glusterd to get attributes on /sys/kernel/config directory.Resolves: rhbz#1384483
* Mon Oct 10 2016 Lukas Vrabec - 3.13.1-104- Use selinux-policy-migrate-local-changes.sh instead of migrateStore
* macros- Add selinux-policy-migrate-local-changes serviceResolves: rhbz#1381588
* Fri Sep 30 2016 Lukas Vrabec - 3.13.1-103- Allow sssd_selinux_manager_t to manage also dir class.Resolves: rhbz#1368097- Add interface seutil_manage_default_contexts_dirs()Resolves: rhbz#1368097
* Tue Sep 27 2016 Dan Walsh - 3.13.1-102- Add virt_sandbox_use_nfs -> virt_use_nfs boolean substitution.Resolves: rhbz#1355783
* Tue Sep 27 2016 Lukas Vrabec - 3.13.1-101- Allow pcp_pmcd_t domain transition to lvm_t Add capability kill and sys_ptrace to pcp_pmlogger_tResolves: rhbz#1309883
* Wed Sep 21 2016 Lukas Vrabec - 3.13.1-100- Allow ftp daemon to manage apache_user_contentResolves: rhbz#1097775- Label /etc/sysconfig/oracleasm as oracleasm_conf_tResolves: rhbz#1331383- Allow oracleasm to rw inherited fixed disk deviceResolves: rhbz#1331383- Allow collectd to connect on unix_stream_socketResolves: rhbz#1377259
* Wed Sep 14 2016 Lukas Vrabec - 3.13.1-99- Allow iscsid create netlink iscsid sockets.Resolves: rhbz#1358266- Improve regexp for power_unit_file_t files. To catch just systemd power unit files.Resolves: rhbz#1375462
* Tue Sep 13 2016 Lukas Vrabec - 3.13.1-98- Update oracleasm SELinux module that can manage oracleasmfs_t blk files. Add dac_override cap to oracleasm_t domain.Resolves: rhbz#1331383- Add few rules to pcp SELinux module to make ti able to start pcp_pmlogger serviceResolves: rhbz#1206525
* Tue Sep 06 2016 Lukas Vrabec - 3.13.1-97- Add oracleasm_conf_t type and allow oracleasm_t to create /dev/oracleasmResolves: rhbz#1331383- Label /usr/share/pcp/lib/pmie as pmie_exec_t and /usr/share/pcp/lib/pmlogger as pmlogger_exec_tResolves: rhbz#1206525- Allow mdadm_t to getattr all device nodesResolves: rhbz#1365171- Add interface dbus_dontaudit_stream_connect_system_dbusd()Resolves:rhbz#1052880- Add virt_stub_
* interfaces for docker policy which is no longer a part of our base policy.Resolves: rhbz#1372705- Allow guest-set-user-passwd to set users password.Resolves: rhbz#1369693- Allow samdbox domains to use msg classResolves: rhbz#1372677- Allow domains using kerberos to read also kerberos config dirsResolves: rhbz#1368492- Allow svirt_sandbox_domains to r/w onload socketsResolves: rhbz#1342930- Add interface fs_manage_oracleasm()Resolves: rhbz#1331383- Label /dev/kfd as hsa_device_tResolves: rhbz#1373488- Update seutil_manage_file_contexts() interface that caller domain can also manage file_context_t dirsResolves: rhbz#1368097- Add interface to write to nsfs inodesResolves: rhbz#1372705- Allow systemd services to use PrivateNetwork featureResolves: rhbz#1372705- Add a type and genfscon for nsfs.Resolves: rhbz#1372705- Allow run sulogin_t in range mls_systemlow-mls_systemhigh.Resolves: rhbz#1290400
* Wed Aug 31 2016 Lukas Vrabec - 3.13.1-96- Allow arpwatch to create netlink netfilter sockets. Resolves: rhbz#1358261- Fix file context for /etc/pki/pki-tomcat/ca/- new interface oddjob_mkhomedir_entrypoint()- Move label for /var/lib/docker/vfs/ to proper SELinux module- Allow mdadm to get attributes from all devices.- Label /etc/puppetlabs as puppet_etc_t.- Allow systemd-machined to communicate to lxc container using dbus- Allow systemd_resolved to send dbus msgs to userdomains Resolves: rhbz#1236579- Allow systemd-resolved to read network sysctls Resolves: rhbz#1236579- Allow systemd_resolved to connect on system bus. Resolves: rhbz#1236579- Make entrypoint oddjob_mkhomedir_exec_t for unconfined_t- Label all files in /dev/oracleasmfs/ as oracleasmfs_t Resolves: rhbz#1331383
* Tue Aug 23 2016 Lukas Vrabec - 3.13.1-95- Label /etc/pki/pki-tomcat/ca/ as pki_tomcat_cert_tResolves:rhbz#1366915- Allow certmonger to manage all systemd unit filesResolves:rhbz#1366915- Grant certmonger \"chown\" capabilityResolves:rhbz#1366915- Allow ipa_helper_t stream connect to dirsrv_t domainResolves: rhbz#1368418- Update oracleasm SELinux moduleResolves: rhbz#1331383- label /var/lib/kubelet as svirt_sandbox_file_tResolves: rhbz#1369159- Add few interfaces to cloudform.if fileResolves: rhbz#1367834- Label /var/run/corosync-qnetd and /var/run/corosync-qdevice as cluster_var_run_t. Note: corosync policy is now par of rhcs moduleResolves: rhbz#1347514- Allow krb5kdc_t to read krb4kdc_conf_t dirs.Resolves: rhbz#1368492- Update networkmanager_filetrans_named_content() interface to allow source domain to create also temad dir in /var/run.Resolves: rhbz#1365653- Allow teamd running as NetworkManager_t to access netlink_generic_socket to allow multiple network interfaces to be teamed together.Resolves: rhbz#1365653- Label /dev/oracleasmfs as oracleasmfs_t. Add few interfaces related to oracleasmfs_t typeResolves: rhbz#1331383- A new version of cloud-init that supports the effort to provision RHEL Atomic on Microsoft Azure requires some a new rules that allows dhclient/dhclient hooks to call cloud-init.Resolves: rhbz#1367834- Allow iptables to creating netlink generic sockets.Resolves: rhbz#1364359
* Wed Aug 17 2016 Lukas Vrabec - 3.13.1-94- Allow ipmievd domain to create lock files in /var/lock/subsys/Resolves:rhbz#1349058- Update policy for ipmievd daemon.Resolves:rhbz#1349058- Dontaudit hyperkvp to getattr on non security files.Resolves: rhbz#1349356- Label /run/corosync-qdevice and /run/corosync-qnetd as corosync_var_run_tResolves: rhbz#1347514- Fixed lsm SELinux module- Add sys_admin capability to sbd domainResolves: rhbz#1322725- Allow vdagent to comunnicate with systemd-logind via dbusResolves: rhbz#1366731- Allow lsmd_plugin_t domain to create fixed_disk device.Resolves: rhbz#1238066- Allow opendnssec domain to create and manage own tmp dirs/filesResolves: rhbz#1366649- Allow opendnssec domain to read system stateResolves: rhbz#1366649- Update opendnssec_manage_config() interface to allow caller domain also manage opendnssec_conf_t dirsResolves: rhbz#1366649- Allow rasdaemon to mount/unmount tracefs filesystem.Resolves: rhbz#1364380- Label /usr/libexec/iptables/iptables.init as iptables_exec_t Allow iptables creating lock file in /var/lock/subsys/Resolves: rhbz#1367520- Modify interface den_read_nvme() to allow also read nvme_device_t block files.Resolves: rhbz#1362564- Label /var/run/storaged as lvm_var_run_t.Resolves: rhbz#1264390- Allow unconfineduser to run ipa_helper_t.Resolves: rhbz#1361636
* Wed Aug 10 2016 Lukas Vrabec - 3.13.1-93- Dontaudit mock to write to generic certs.Resolves: rhbz#1271209- Add labeling for corosync-qdevice and corosync-qnetd daemons, to run as cluster_tResolves: rhbz#1347514- Revert \"Label corosync-qnetd and corosync-qdevice as corosync_t domain\"- Allow modemmanager to write to systemd inhibit pipesResolves: rhbz#1365214- Label corosync-qnetd and corosync-qdevice as corosync_t domainResolves: rhbz#1347514- Allow ipa_helper to read network stateResolves: rhbz#1361636- Label oddjob_reqiest as oddjob_exec_tResolves: rhbz#1361636- Add interface oddjob_run()Resolves: rhbz#1361636- Allow modemmanager chat with systemd_logind via dbusResolves: rhbz#1362273- Allow NetworkManager chat with puppetagent via dbusResolves: rhbz#1363989- Allow NetworkManager chat with kdumpctl via dbusResolves: rhbz#1363977- Allow sbd send msgs to syslog Allow sbd create dgram sockets. Allow sbd to communicate with kernel via dgram socket Allow sbd r/w kernel sysctls.Resolves: rhbz#1322725- Allow ipmievd_t domain to re-create ipmi devices Label /usr/libexec/openipmi-helper as ipmievd_exec_tResolves: rhbz#1349058- Allow rasdaemon to use tracefs filesystem.Resolves: rhbz#1364380- Fix typo bug in dirsrv policy- Some logrotate scripts run su and then su runs unix_chkpwd. Allow logrotate_t domain to check passwd.Resolves: rhbz#1283134- Add ipc_lock capability to sssd domain. Allow sssd connect to http_cache_tResolves: rhbz#1362688- Allow dirsrv to read dirsrv_share_t contentResolves: rhbz#1363662- Allow virtlogd_t to append svirt_image_t files.Resolves: rhbz#1358140- Allow hypervkvp domain to read hugetlbfs dir/files.Resolves: rhbz#1349356- Allow mdadm daemon to read nvme_device_t blk filesResolves: rhbz#1362564- Allow selinuxusers and unconfineduser to run oddjob_requestResolves: rhbz#1361636- Allow sshd server to acces to Crypto Express 4 (CEX4) devices.Resolves: rhbz#1362539- Fix labeling issue in init.fc file. Path /usr/lib/systemd/fedora-
* changed to /usr/lib/systemd/rhel-
*.Resolves: rhbz#1363769- Fix typo in device interfacesResolves: rhbz#1349058- Add interfaces for managing ipmi devicesResolves: rhbz#1349058- Add interfaces to allow mounting/umounting tracefs filesystemResolves: rhbz#1364380- Add interfaces to allow rw tracefs filesystemResolves: rhbz#1364380- Add interface dev_read_nvme() to allow reading Non-Volatile Memory Host Controller devices.Resolves: rhbz#1362564- Label /sys/kernel/debug/tracing filesystemResolves: rhbz#1364380- Allow sshd setcap capability. This is needed due to latest changes in sshdResolves: rhbz#1357857
* Thu Jul 28 2016 Lukas Vrabec - 3.13.1-92- Dontaudit mock_build_t can list all ptys.Resolves: rhbz#1271209- Allow ftpd_t to mamange userhome data without any boolean.Resolves: rhbz#1097775- Add logrotate permissions for creating netlink selinux sockets.Resolves: rhbz#1283134- Allow lsmd_plugin_t to exec ldconfig.Resolves: rhbz#1238066- Allow vnstatd domain to read /sys/class/net/ filesResolves: rhbz#1358243- Remove duplicate allow rules in spamassassin SELinux moduleResolves:rhbz#1358175- Allow spamc_t and spamd_t domains create .spamassassin file in user homedirsResolves:rhbz#1358175- Allow sshd setcap capability. This is needed due to latest changes in sshdResolves: rhbz#1357857- Add new MLS attribute to allow relabeling objects higher than system low. This exception is needed for package managers when processing sensitive data.Resolves: rhbz#1330464- Allow gnome-keyring also manage user_tmp_t sockets.Resolves: rhbz#1257057- corecmd: Remove fcontext for /etc/sysconfig/libvirtdResolves:rhbz#1351382
* Tue Jul 19 2016 Lukas Vrabec - 3.13.1-91- Allow ipa_dnskey domain to search cache dirsResolves: rhbz#1350957
* Tue Jul 19 2016 Lukas Vrabec - 3.13.1-90- Allow ipa-dnskey read system state.Reasolves: rhbz#1350957- Allow dogtag-ipa-ca-renew-agent-submit labeled as certmonger_t to create /var/log/ipa/renew.log fileResolves: rhbz#1350957
* Mon Jul 18 2016 Lukas Vrabec - 3.13.1-89- Allow firewalld to manage net_conf_t files.Resolves:rhbz#1304723- Allow logrotate read logs inside containers.Resolves: rhbz#1303514- Allow sssd to getattr on fs_tResolves: rhbz#1356082- Allow opendnssec domain to manage bind chace filesResolves: rhbz#1350957- Fix typo in rhsmcertd policy moduleResolves: rhbz#1329475- Allow systemd to get status of systemd-logind daemonResolves: rhbz#1356141- Label more ndctl devices not just ndctl0Resolves: rhbz#1355809
* Thu Jul 14 2016 Lukas Vrabec - 3.13.1-88- Allow rhsmcertd to copy certs into /etc/docker/cert.d- Add interface docker_rw_config()Resolves: rhbz#1344500- Fix logrotate fc file to label also /var/lib/logrotate/ dir as logrotate_var_lib_tResolves: rhbz#1355632- Allow rhsmcertd to read network sysctlsResolves: rhbz#1329475- Label /var/log/graphite-web dir as httpd_log_tResolves: rhbz#1310898- Allow mock to use generic ptysResolves: rhbz#1271209- Allow adcli running as sssd_t to write krb5.keytab file.Resolves: rhbz#1356082- Allow openvswitch connect to openvswitch_port_t type.Resolves: rhbz#1335024- Add SELinux policy for opendnssec service.Resolves: rhbz#1350957- Create new SELinux type for /usr/libexec/ipa/ipa-dnskeysyncdResolves: rhbz#1350957- label /dev/ndctl0 device as nvram_device_tResolves: rhbz#1355809
* Mon Jul 11 2016 Lukas Vrabec - 3.13.1-87- Allow lttng tools to block suspendingResolves: rhbz#1256374- Allow creation of vpnaas in openstackResolves: rhbz#1352710- virt: add strict policy for virtlogd daemonResolves:rhbz#1311606- Update makefile to support snapperd_contexts fileResolves: rhbz#1352681
* Fri Jul 08 2016 Lukas Vrabec - 3.13.1-86- Allow udev to manage systemd-hwdb files- Add interface systemd_hwdb_manage_config()Resolves: rhbz#1350756- Fix paths to infiniband devices. This allows use more then two infiniband interfaces.Resolves: rhbz#1210263
* Thu Jul 07 2016 Lukas Vrabec - 3.13.1-85- Allow virtual machines to rw infiniband devices.Resolves: rhbz#1210263- Allow opensm daemon to rw infiniband_mgmt_device_tResolves: rhbz#1210263- Allow systemd_hwdb_t to relabel /etc/udev/hwdb.bin file.Resolves: rhbz#1350756- Make label for new infiniband_mgmt deivicesResolves: rhbz#1210263
* Tue Jul 05 2016 Lukas Vrabec - 3.13.1-84- Fix typo in brltty SELinux module- Add new SELinux module sbdResolves: rhbz#1322725- Allow pcp dmcache metrics collectionResolves: rhbz#1309883- Allow pkcs_slotd_t to create dir in /var/lock Add label pkcs_slotd_log_tResolves: rhbz#1350782- Allow openvpn to create sock files labeled as openvpn_var_run_tResolves: rhbz#1328246- Allow hypervkvp daemon to getattr on all filesystem types.Resolves: rhbz#1349356- Allow firewalld to create net_conf_t filesResolves: rhbz#1304723- Allow mock to use lvmResolves: rhbz#1271209- Allow keepalived to create netlink generic sockets.Resolves: rhbz#1349809- Allow mirromanager creating log files in /tmpResolves:rhbz#1328818- Rename few modules to make it consistent with source filesResolves: rhbz#1351445- Allow vmtools_t to transition to rpm_script domainResolves: rhbz#1342119- Allow nsd daemon to manage nsd_conf_t dirs and filesResolves: rhbz#1349791- Allow cluster to create dirs in /var/run labeled as cluster_var_run_tResolves: rhbz#1346900- Allow sssd read also sssd_conf_t dirsResolves: rhbz#1350535- Dontaudit su_role_template interface to getattr /proc/kcore Dontaudit su_role_template interface to getattr /dev/initctlResolves: rhbz#1086240- Add interface lvm_getattr_exec_files()Resolves: rhbz#1271209- Fix typo Compliling vs. CompilingResolves: rhbz#1351445
* Wed Jun 29 2016 Lukas Vrabec - 3.13.1-83- Allow krb5kdc_t to communicate with sssdResolves: rhbz#1319933- Allow prosody to bind on prosody portsResolves: rhbz#1304664- Add dac_override caps for fail2ban-clientResolves: rhbz#1316678- dontaudit read access for svirt_t on the file /var/db/nscd/groupResolves: rhbz#1301637- Allow inetd child process to communicate via dbus with systemd-logindResolves: rhbz#1333726- Add label for brltty log fileResolves: rhbz#1328818- Allow dspam to read the passwd fileResolves: rhbz#1286020- Allow snort_t to communicate with sssdResolves: rhbz#1284908- svirt_sandbox_domains need to be able to execmod for badly built libraries.Resolves: rhbz#1206339- Add policy for lttng-tools package.Resolves: rhbz#1256374- Make mirrormanager as application domain.Resolves: rhbz#1328234- Add support for the default lttng-sessiond port - tcp/5345. This port is used by LTTng 2.x central tracing registry session daemon.- Add prosody portsResolves: rhbz#1304664- Allow sssd read also sssd_conf_t dirsResolves: rhbz#1350535
* Tue Jun 28 2016 Lukas Vrabec - 3.13.1-82- Label /var/lib/softhsm as named_cache_t. Allow named_t to manage named_cache_t dirs.Resolves:rhbz#1331315- Label named-pkcs11 binary as named_exec_t.Resolves: rhbz#1331315- Allow glusterd daemon to get systemd statusResolves: rhbz#1321785- Allow logrotate dbus-chat with system_logind daemonResolves: rhbz#1283134- Allow pcp_pmlogger to read kernel network state Allow pcp_pmcd to read cron pid filesResolves: rhbz#1336211- Add interface cron_read_pid_files()Resolves: rhbz#1336211- Allow pcp_pmlogger to create unix dgram socketsResolves: rhbz#1336211- Add hwloc-dump-hwdata SELinux policyResolves: rhbz#1344054- Remove non-existing jabberd_spool_t() interface and add new jabbertd_var_spool_t.Resolves: rhbz#1121171- Remove non-existing interface salk_resetd_systemctl() and replace it with sanlock_systemctl_sanlk_resetd()Resolves: rhbz#1259764- Create label for openhpid log files. esolves: rhbz#1259764- Label /var/lib/ganglia as httpd_var_lib_tResolves: rhbz#1260536- Allow firewalld_t to create entries in net_conf_t dirs.Resolves: rhbz#1304723- Allow journalctl to read syslogd_var_run_t files. This allows to staff_t and sysadm_t to read journalsResolves: rhbz#1288255- Include patch from distgit repo: policy-RHEL-7.1-flask.patch.Resolves: rhbz#1329560- Update refpolicy to handle hwlocResolves: rhbz#1344054- Label /etc/dhcp/scripts dir as bin_t- Allow sysadm_role to run journalctl_t domain. This allows sysadm user to read journals.Resolves: rhbz#1288255
* Wed Jun 22 2016 Lukas Vrabec - 3.13.1-81- Allow firewalld_t to create entries in net_conf_t dirs.Resolves: rhbz#1304723- Allow journalctl to read syslogd_var_run_t files. This allows to staff_t and sysadm_t to read journalsResolves: rhbz#1288255- Allow mongod log to syslog.Resolves: rhbz#1306995- Allow rhsmcertd connect to port tcp 9090Resolves: rhbz#1337319- Label for /bin/mail(x) was removed but /usr/bin/mail(x) not. This path is also needed to remove. Resolves: rhbz#1262483Resolves: rhbz#1277506- Label /usr/libexec/mimedefang-wrapper as spamd_exec_t.Resolves: rhbz#1301516- Add new boolean spamd_update_can_network.Resolves: rhbz#1305469- Allow rhsmcertd connect to tcp netport_port_tResolves: rhbz#1329475- Fix SELinux context for /usr/share/mirrormanager/server/mirrormanager to Label all binaries under dir as mirrormanager_exec_t.Resolves: rhbz#1328234- Allow prosody to bind to fac_restore tcp port.Resolves: rhbz#1321787- Allow ninfod to read raw packetsResolves: rhbz#1317964- Allow pegasus get attributes from qemu binary files.Resolves: rhbz#1260835- Allow pegasus get attributes from qemu binary files.Resolves: rhbz#1271159- Allow tuned to use policykit. This change is required by cockpit.Resolves: rhbz#1346464- Allow conman_t to read dir with conman_unconfined_script_t binary files.Resolves: rhbz#1297323- Allow pegasus to read /proc/sysinfo.Resolves: rhbz#1265883- Allow sysadm_role to run journalctl_t domain. This allows sysadm user to read journals.Resolves: rhbz#1288255- Label tcp ports:16379, 26379 as redis_port_tResolves: rhbz#1348471- Allow systemd to relabel /var and /var/lib directories during boot.- Add files_relabel_var_dirs() and files_relabel_var_dirs() interfaces.- Add files_relabelto_var_lib_dirs() interface.- Label tcp port 2004 as mailbox_port_t.Resolves: rhbz#1332843- Label tcp and udp port 5582 as fac_restore_port_tResolves: rhbz#1321787- Allow sysadm_t user to run postgresql-setup.Resolves: rhbz#1282543- Allow sysadm_t user to dbus chat with oddjob_t. This allows confined admin run oddjob mkhomedirfor script.Resolves: rhbz#1297480- Update netlink socket classes.
* Thu Jun 16 2016 Lukas Vrabec - 3.13.1-80- Allow conman to kill conman_unconfined_script.Resolves: rhbz#1297323- Make conman_unconfined_script_t as init_system_domain.Resolves:rhbz#1297323- Allow init dbus chat with apmd.Resolves:rhbz#995898- Patch /var/lib/rpm is symlink to /usr/share/rpm on Atomic, due to this change we need to label also /usr/share/rpm as rpm_var_lib_t.Resolves: rhbz#1233252- Dontaudit xguest_gkeyringd_t stream connect to system_dbusd_tResolves: rhbz#1052880- Add mediawiki rules to proper scopeResolves: rhbz#1301186- Dontaudit xguest_gkeyringd_t stream connect to system_dbusd_tResolves: rhbz#1052880- Allow mysqld_safe to inherit rlimit information from mysqldResolves: rhbz#1323673- Allow collectd_t to stream connect to postgresql.Resolves: rhbz#1344056- Allow mediawiki-script to read /etc/passwd file.Resolves: rhbz#1301186- Add filetrans rule that NetworkManager_t can create net_conf_t files in /etc.Resolves: rhbz#1344505- Add labels for mediawiki123Resolves: rhbz#1293872- Fix label for all fence_scsi_check scripts- Allow ip netns to mounton root fs and unmount proc_t fs.Resolves: rhbz#1343776Resolves: rhbz#1286851- Allow sysadm_t to run newaliases command.Resolves: rhbz#1344828- Add interface sysnet_filetrans_named_net_conf()Resolves: rhbz#1344505
* Mon Jun 13 2016 Petr Lautrbach - 3.13.1-79- Fix several issues related to the SELinux Userspace changes
* Thu Jun 09 2016 Lukas Vrabec - 3.13.1-78- Allow glusterd domain read krb5_keytab_t files.Resolves: rhbz#1343929- Fix typo in files_setattr_non_security_dirs.Resolves: rhbz#1115987
* Thu Jun 09 2016 Lukas Vrabec - 3.13.1-77- Allow tmpreaper_t to read/setattr all non_security_file_type dirsResolves: rhbz#1115987- Allow firewalld to create firewalld_var_run_t directory.Resolves: rhbz#1304723- Add interface firewalld_read_pid_files()Resolves: rhbz#1304723- Label /usr/libexec/rpm-ostreed as rpm_exec_t.Resolves: rhbz#1340542- Allow sanlock service to read/write cephfs_t files.Resolves: rhbz#1315332- Fixed to make SELinux work with docker and prctl(NO_NEW_PRIVS)- Added missing docker interfaces: - docker_typebounds - docker_entrypointResolves: rhbz#1236580- Add interface files_setattr_non_security_dirs()Resolves: rhbz#1115987- Add support for onloadfs- Allow iptables to read firewalld pid files.Resolves: rhbz#1304723- Add SELinux support for ceph filesystem.Resolves: rhbz#1315332- Fixed to make SELinux work with docker and prctl(NO_NEW_PRIVS)Resolves: rhbz#1236580
* Mon Jun 06 2016 Lukas Vrabec - 3.13.1-76- Fixed to make SELinux work with docker and prctl(NO_NEW_PRIVS)- Added missing docker interfaces: - docker_typebounds - docker_entrypointResolves: rhbz#1236580- New interfaces needed for systemd-machinectlResolves: rhbz#1236580- New interfaces needed by systemd-machineResolves: rhbz#1236580- Add interface allowing sending and receiving messages from virt over dbus.Resolves: rhbz#1236580- Backport docker policy from Fedora.Related: #1303123Resolves: #1341257- Allow NetworkManager_t and policykit_t read access to systemd-machined pid files.Resolves: rhbz#1236580- Fixed to make SELinux work with docker and prctl(NO_NEW_PRIVS)- Added interfaces needed by new docker policy.Related: rhbz#1303123- Add support for systemd-machined daemonResolves: rhbz#1236580- Allow rpm-ostree domain transition to install_t domain from init_t.Resolves: rhbz#1340542
* Tue May 31 2016 Lukas Vrabec - 3.13.1-75- dnsmasq: allow NetworkManager to control dnsmasq via D-BusResolves: rhbz#1336722- Directory Server (389-ds-base) has been updated to use systemd-ask-password. In order to function correctly we need the following added to dirsrv.teResolves: rhbz#1333198- sftpd_
* booleans are functionless these days.Resolves: rhbz#1335656- Label /var/log/ganesha.log as gluster_log_t Allow glusterd_t domain to create glusterd_log_t files. Label /var/run/ganesha.pid as gluster_var_run_t.Resolves: rhbz#1335828- Allow ganesha-ha.sh script running under unconfined_t domain communicate with glusterd_t domains via dbus.Resolves: rhbz#1336760- Allow ganesha daemon labeled as glusterd_t create /var/lib/nfs/ganesha dir labeled as var_lib_nfs_t.Resolves: rhbz#1336737- Label /usr/libexec/storaged/storaged as lvm_exec_t to run storaged daemon in lvm_t SELinux domain.Resolves: rhbz#1264390- Allow systemd_hostanmed_t to read /proc/sysinfo labeled as sysctl_t.Resolves: rhbz#1337061- Revert \"Allow all domains some process flags.\"Resolves: rhbz#1303644- Revert \"Remove setrlimit to all domains.\"Resolves: rhbz#1303644- Label /usr/sbin/xrdp
* files as bin_tResolves: rhbz#1276777- Add mls support for some db classesResolves: rhbz#1303651- Allow systemd_resolved_t to check if ipv6 is disabled.Resolves: rhbz#1236579- Allow systemd_resolved to read systemd_networkd run files.Resolves: rhbz#1236579
* Mon May 23 2016 Lukas Vrabec - 3.13.1-74- Allow ganesha-ha.sh script running under unconfined_t domain communicate with glusterd_t domains via dbus.Resolves: rhbz#1336760- Allow ganesha daemon labeled as glusterd_t create /var/lib/nfs/ganesha dir labeled as var_lib_nfs_t.Resolves: rhbz#1336737
* Mon May 16 2016 Lukas Vrabec - 3.13.1-73- Allow logwatch to domtrans to postqueueResolves: rhbz#1331542- Label /var/log/ganesha.log as gluster_log_t- Allow glusterd_t domain to create glusterd_log_t files.- Label /var/run/ganesha.pid as gluster_var_run_t.Resolves: rhbz#1335828- Allow zabbix to connect to postgresql portResolves: rhbz#1330479- Add userdom_destroy_unpriv_user_shared_mem() interface.Related: rhbz#1306403- systemd-logind remove all IPC objects owned by a user on a logout. This covers also SysV memory. This change allows to destroy unpriviledged user SysV shared memory segments.Resolves: rhbz#1306403
* Mon May 16 2016 Lukas Vrabec - 3.13.1-72- We need to restore contexts on /etc/passwd
*,/etc/group
*,/etc/
*shadow
* during install phase to get proper labeling for these files until selinux-policy pkgs are installed.Resolves: rhbz#1333952
* Tue May 10 2016 Lukas Vrabec - 3.13.1-71- Add interface glusterd_dontaudit_read_lib_dirs()Resolves: rhbz#1295680- Dontaudit Occasionally observing AVC\'s while running geo-rep automationResolves: rhbz#1295680- Allow glusterd to manage socket files labeled as glusterd_brick_t.Resolves: rhbz#1331561- Create new apache content template for files stored in user homedir. This change is needed to make working booleans: - httpd_enable_homedirs - httpd_read_user_content Resolves: rhbz#1246522- Allow stunnel create log files. Resolves: rhbz#1296851- Label tcp port 8181 as intermapper_port_t.Resolves: rhbz#1334783- Label tcp/udp port 2024 as xinuexpansion4_port_tResolves: rhbz#1334783- Label tcp port 7002 as afs_pt_port_t Label tcp/udp port 2023 as xinuexpansion3_port_tResolves: rhbz#1334783- Dontaudit ldconfig read gluster lib files.Resolves: rhbz#1295680- Add interface auth_use_nsswitch() to systemd_domain_template.Resolves: rhbz#1236579
* Tue May 03 2016 Lukas Vrabec - 3.13.1-70- Label /usr/bin/ganesha.nfsd as glusterd_exec_t to run ganesha as glusterd_t. Allow glusterd_t stream connect to rpbind_t. Allow cluster_t to create symlink /var/lib/nfs labeled as var_lib_nfs_t. Add interface rpc_filetrans_var_lib_nfs_content() Add new boolean: rpcd_use_fusefs to allow rpcd daemon use fusefs. Resolves: rhbz#1312809 Resolves: rhbz#1323947- Allow dbus chat between httpd_t and oddjob_t. Resolves: rhbz#1324144- Label /usr/libexec/ipa/oddjob/org.freeipa.server.conncheck as ipa_helper_exec_t.Resolves: rhbz#1324144- Label /var/log/ipareplica-conncheck.log file as ipa_log_t Allow ipa_helper_t domain to manage logs labeledas ipa_log_t Allow ipa_helper_t to connect on http and kerberos_passwd ports.Resolves: rhbz#1324144- Allow prosody to listen on port 5000 for mod_proxy65.Resolves: rhbz#1316918- Allow pcp_pmcd_t domain to manage docker lib files. This rule is needed to allow pcp to collect container information when SELinux is enabled.Resolves: rhbz#1309454
* Wed Apr 27 2016 Lukas Vrabec - 3.13.1-69- Allow runnig php7 in fpm mode. From selinux-policy side, we need to allow httpd to read/write hugetlbfs.Resolves: rhbz#1319442- Allow openvswitch daemons to run under openvswitch Linux user instead of root. This change needs allow set capabilities: chwon, setgid, setuid, setpcap.Resolves: rhbz#1296640- Remove ftpd_home_dir() boolean from distro policy. Reason is that we cannot make this working due to m4 macro language limits.Resolves: rhbz#1097775- /bin/mailx is labeled sendmail_exec_t, and enters the sendmail_t domain on execution. If /usr/sbin/sendmail does not have its own domain to transition to, and is not one of several products whose behavior is allowed by the sendmail_t policy, execution will fail. In this case we need to label /bin/mailx as bin_t.Resolves: rhbz#1262483- Allow nsd daemon to create log file in /var/log as nsd_log_tResolves: rhbz#1293140- Sanlock policy update. - New sub-domain for sanlk-reset daemonResolves: rhbz#1212324- Label all run tgtd files, not just socket filesResolves: rhbz#1280280- Label all run tgtd files, not just socket files.Resolves: rhbz#1280280- Allow prosody to stream connect to sasl. This will allow using cyrus authentication in prosody.Resolves: rhbz#1321049- unbound wants to use ephemeral ports as a default configuration. Allow to use also udp sockets.Resolves: rhbz#1318224- Allow prosody to listen on port 5000 for mod_proxy65.Resolves: rhbz#1316918- Allow targetd to read/write to /dev/mapper/control device.Resolves: rhbz#1063714- Allow KDM to get status about power services. This change allow kdm to be able do shutdown.Resolves: rhbz#1316724- Allow systemd-resolved daemon creating netlink_route sockets.Resolves:rhbz#1236579- Allow systemd_resolved_t to read /etc/passwd file. Allow systemd_resolved_t to write to kmsg_device_t when \'systemd.log_target=kmsg\' option is usedResolves: rhbz#1065362- Label /etc/selinux/(minimum|mls|targeted)/active/ as semanage_store_tResolves: rhbz#1321943- Label all nvidia binaries as xserver_exec_tResolves: rhbz#1322283
* Wed Mar 23 2016 Lukas Vrabec - 3.13.1-68- Create new permissivedomains CIL module and make it active.Resolves: rhbz#1320451- Add support for new mock location - /usr/libexec/mock/mock.Resolves: rhbz#1271209- Allow bitlee to create bitlee_var_t dirs.Resolves: rhbz#1268651- Allow CIM provider to read sssd public files.Resolves: rhbz#1263339- Fix some broken interfaces in distro policy.Resolves: rhbz#1121171- Allow power button to shutdown the laptop.Resolves: rhbz#995898- Allow lsm plugins to create named fixed disks.Resolves: rhbz#1238066- Add default labeling for /etc/Pegasus/cimserver_current.conf. It is a correct patch instead of the current /etc/Pegasus/pegasus_current.confResolves: rhbz#1278777- Allow hyperv domains to rw hyperv devices.Resolves: rhbz#1309361- Label /var/www/html(/.
*)?/wp_backups(/.
*)? as httpd_sys_rw_content_t.Resolves: rhbz#1246780- Create conman_unconfined_script_t type for conman script stored in /use/share/conman/exec/Resolves: rhbz#1297323- Fix rule definitions for httpd_can_sendmail boolean. We need to distinguish between base and contrib.- Add support for /dev/mptctl device used to check RAID status. Resolves: rhbz#1258029- Create hyperv
* devices and create rw interfaces for this devices.Resolves: rhbz#1309361- Add fixes for selinux userspace moving the policy store to /var/lib/selinux.- Remove optional else block for dhcp ping
* Thu Mar 17 2016 Lukas Vrabec - 3.13.1-67- Allow rsync_export_all_ro boolean to read also non_auth_dirs/files/symlinks.Resolves: rhbz#1263770- Fix context of \"/usr/share/nginx/html\".Resolves: rhbz#1261857- Allow pmdaapache labeled as pcp_pmcd_t access to port 80 for apache diagnosticsResolves: rhbz#1270344- Allow pmlogger to create pmlogger.primary.socket link file. Resolves: rhbz#1270344- Label nagios scripts as httpd_sys_script_exec_t.Resolves: rhbz#1260306- Add dontaudit interface for kdumpctl_tmp_tResolves: rhbz#1156442- Allow mdadm read files in EFI partition.Resolves: rhbz#1291801- Allow nsd_t to bind on nsf_control tcp port. Allow nsd_crond_t to read nsd pid.Resolves: rhbz#1293140- Label some new nsd binaries as nsd_exec_t Allow nsd domain net_admin cap. Create label nsd_tmp_t for nsd tmp files/dirsResolves: rhbz#1293140- Add filename transition that /etc/princap will be created with cupsd_rw_etc_t label in cups_filetrans_named_content() interface.Resolves: rhbz#1265102- Add missing labeling for /usr/libexec/abrt-hook-ccpp.Resolves: rhbz#1213409- Allow pcp_pmie and pcp_pmlogger to read all domains state.Resolves: rhbz#1206525- Label /etc/redis-sentinel.conf as redis_conf_t. Allow redis_t write to redis_conf_t. Allow redis_t to connect on redis tcp port.Resolves: rhbz#1275246- cockpit has grown content in /var/run directoryResolves: rhbz#1279429- Allow collectd setgid capabilityResolves:#1310898- Remove declaration of empty booleans in virt policy.Resolves: rhbz#1103153- Fix typo in drbd policy- Add new drbd file type: drbd_var_run_t. Allow drbd_t to manage drbd_var_run_t files/dirs. Allow drbd_t create drbd_tmp_t files in /tmp.Resolves: rhbz#1134883- Label /etc/ctdb/events.d/
* as ctdb_exec_t. Allow ctdbd_t to setattr on ctdbd_exec_t files.Resolves: rhbz#1293788- Allow abrt-hook-ccpp to get attributes of all processes because of core_pattern.Resolves: rhbz#1254188- Allow abrt_t to read sysctl_net_t files.Resolves: rhbz#1254188- The ABRT coredump handler has code to emulate default core file creation The handler runs in a separate process with abrt_dump_oops_t SELinux process type. abrt-hook-ccpp also saves the core dump file in the very same way as kernel does and a user can specify CWD location for a coredump. abrt-hook-ccpp has been made as a SELinux aware apps to create this coredumps with correct labeling and with this commit the policy rules have been updated to allow access all non security files on a system.- Allow abrt-hook-ccpp to getattr on all executables.- Allow setuid/setgid capabilities for abrt-hook-ccpp. Resolves: rhbz#1254188- abrt-hook-ccpp needs to have setfscreate access because it is SELinux aware and compute a target labeling. Resolves: rhbz#1254188- Allow abrt-hook-ccpp to change SELinux user identity for created objects. Resolves: rhbz#1254188- Dontaudit write access to inherited kdumpctl tmp files. Resolves: rbhz#1156442- Add interface to allow reading files in efivarfs - contains Linux Kernel configuration options for UEFI systems (UEFI Runtime Variables) Resolves: rhbz#1291801- Label 8952 tcp port as nsd_control. Resolves: rhbz#1293140- Allow ipsec to use pam. Resolves: rhbz#1315700- Allow to log out to gdm after screen was resized in session via vdagent.Resolves: rhbz#1249020- Allow setrans daemon to read /proc/meminfo. Resolves: rhbz#1316804- Allow systemd_networkd_t to write kmsg, when kernel was started with following params: systemd.debug systemd.log_level=debug systemd.log_target=kmsgResolves: rhbz#1298151- Label tcp port 5355 as llmnr-> Link-Local Multicast Name ResolutionResolves: rhbz#1236579- Add new selinux policy for systemd-resolved dawmon.Resolves: rhbz#1236579- Add interface ssh_getattr_server_keys() interface.Resolves: rhbz#1306197- Allow run sshd-keygen on second boot if first boot fails after some reason and content is not syncedon the disk. These changes are reflecting this commit in sshd. http://pkgs.fedoraproject.org/cgit/rpms/openssh.git/commit/?id=af94f46861844cbd6ba4162115039bebcc8f78ba rhbz#1299106Resolves: rhbz#1306197- Allow systemd_notify_t to write to kmsg_device_t when \'systemd.log_target=kmsg\' option is used.Resolves: rhbz#1309417- Remove bin_t label for /etc/ctdb/events.d/. We need to label this scripts as ctdb_exec_t.Resolves: rhbz#1293788
* Thu Mar 17 2016 Petr Lautrbach - 3.13.1-66- Prepare selinux-policy package for userspace release 2016-02-23. Resolves: rhbz#1305982
* Tue Mar 08 2016 Lukas Vrabec 3.13.1-65- Allow sending dbus msgs between firewalld and system_cronjob domains. Resolves: rhbz#1284902- Allow zabbix-agentd to connect to following tcp sockets. One of zabbix-agentd functions is get service status of ftp,http,innd,pop,smtp protocols.Resolves: rhbz#1242506- Add new boolean tmpreaper_use_cifs() to allow tmpreaper to run on local directories being shared with Samba.Resolves: rhbz#1284972- Add support for systemd-hwdb daemon. Resolves: rhbz#1257940- Add interface fs_setattr_cifs_dirs(). Resolves: rhbz#1284972
* Mon Feb 29 2016 Lukas Vrabec 3.13.1-64- Add new SELinux policy fo targetd daemon.Resolves: rhbz#1063714- Add new SELinux policy fo ipmievd daemon.Resolves: rhbz#1083031- Add new SELinux policy fo hsqldb daemon.Resolves: rhbz#1083171- Add new SELinux policy for blkmapd daemon.Resolves: rhbz#1072997- Allow p11-child to connect to apache ports.- Label /usr/sbin/lvmlockd binary file as lvm_exec_t.Resolves: rhbz#1278028- Add interface \"lvm_manage_lock\" to lvm policy.Resolves: rhbz#1063714
* Wed Jan 27 2016 Lukas Vrabec 3.13.1-63- Allow openvswitch domain capability sys_rawio.Resolves: rhbz#1278495
* Tue Jan 26 2016 Lukas Vrabec 3.13.1-62- Allow openvswitch to manage hugetlfs files and dirs.Resolves: rhbz#1278495- Add fs_manage_hugetlbfs_files() interface.Resolves: rhbz#1278495
* Tue Jan 12 2016 Lukas Vrabec 3.13.1-61- Allow smbcontrol domain to send sigchld to ctdbd domain.Resolves: #1293784- Allow openvswitch read/write hugetlb filesystem.Resolves: #1278495
* Wed Oct 14 2015 Miroslav Grepl 3.13.1-60Allow hypervvssd to list all mountpoints to have VSS live backup working correctly.Resolves:#1247880
* Tue Oct 13 2015 Miroslav Grepl 3.13.1-59- Revert Add missing labeling for /usr/libexec/abrt-hook-ccpp patchResolves: #1254188
* Thu Oct 08 2015 Lukas Vrabec 3.13.1-58- Allow search dirs in sysfs types in kernel_read_security_state.Resolves: #1254188- Fix kernel_read_security_state interface that source domain of this interface can search sysctl_fs_t dirs.Resolves: #1254188
* Wed Oct 07 2015 Lukas Vrabec 3.13.1-57- Add missing labeling for /usr/libexec/abrt-hook-ccpp as a part of #1245477 and #1242467 bugsResolves: #1254188- We need allow connect to xserver for all sandbox_x domain because we have one type for all sandbox processes.Resolves:#1261938
* Fri Oct 02 2015 Miroslav Grepl 3.13.1-56- Remove labeling for modules_dep_t file contexts to have labeled them as modules_object_t.- Update files_read_kernel_modules() to contain modutils_read_module_deps_files() calling because module deps labeling could remain and it allows to avoid regressions.Resolves:#1266928
* Tue Sep 29 2015 Lukas Vrabec 3.13.1-55- We need to require sandbox_web_type attribute in sandbox_x_domain_template(). Resolves: #1261938- ipsec: The NM helper needs to read the SAsResolves: #1259786- ipsec: Allow ipsec management to create ptysResolves: #1259786
* Tue Sep 29 2015 Lukas Vrabec 3.13.1-54- Add temporary fixes for sandbox related to #1103622. It allows to run everything under one sandbox type.Resolves:#1261938- Allow abrt_t domain to write to kernel msg device.Resolves: #1257828- Allow rpcbind_t domain to change file owner and groupResolves: #1265266
* Tue Sep 22 2015 Lukas Vrabec 3.13.1-53- Allow smbcontrol to create a socket in /var/samba which uses for a communication with smbd, nmbd and winbind. Resolves: #1256459
* Fri Sep 18 2015 Lukas Vrabec 3.13.1-52- Allow dirsrv-admin script to read passwd file. Allow dirsrv-admin script to read httpd pid files. Label dirsrv-admin unit file and allow dirsrv-admin domains to use it.Resolves: #1230300- Allow qpid daemon to connect on amqp tcp port.Resolves: #1261805
* Fri Sep 18 2015 Miroslav Grepl 3.13.1-51- Label /etc/ipa/nssdb dir as cert_tResolves:#1262718- Do not provide docker policy files which is shipped by docker-selinux.rpmResolves:#1262812
* Thu Sep 17 2015 Lukas Vrabec 3.13.1-50- Add labels for afs binaries: dafileserver, davolserver, salvageserver, dasalvager Resolves: #1192338- Add lsmd_plugin_t sys_admin capability, Allow lsmd_plugin_t getattr from sysfs filesystem. Resolves: #1238079- Allow rhsmcertd_t send signull to unconfined_service_t domains. Resolves: #1176078- Remove file transition from snmp_manage_var_lib_dirs() interface which created snmp_var_lib_t dirs in var_lib_t.- Allow openhpid_t daemon to manage snmp files and dirs. Resolves: #1243902- Allow mdadm_t domain read/write to general ptys and unallocated ttys. Resolves: #1073314- Add interface unconfined_server_signull() to allow domains send signull to unconfined_service_t Resolves: #1176078
* Fri Sep 11 2015 Lukas Vrabec 3.13.1-49- Allow systemd-udevd to access netlink_route_socket to change names for network interfaces without unconfined.pp module. It affects also MLS. Resolves:#1250456
* Thu Sep 10 2015 Lukas Vrabec 3.13.1-48- Fix labeling for fence_scsi_check scriptResolves: #1255020- Allow openhpid to read system state Allow openhpid to connect to tcp http port. Resolves: #1244248- Allow openhpid to read snmp var lib files. Resolves: #1243902- Allow openvswitch_t domains read kernel dependencies due to openvswitch run modprobe- Allow unconfined_t domains to create /var/run/xtables.lock with iptables_var_run_tResolves: #1243403- Remove bin_t label for /usr/share/cluster/fence_scsi_check\\.pl Resolves: #1255020
* Wed Sep 02 2015 Lukas Vrabec 3.13.1-47- Fix regexp in chronyd.fc fileResolves: #1243764- Allow passenger to getattr filesystem xattrResolves: #1196555- Label mdadm.conf.anackbak as mdadm_conf_t file.Resolves: #1088904- Revert \"Allow pegasus_openlmi_storage_t create mdadm.conf.anacbak file in /etc.\"- Allow watchdog execute fenced python script.Resolves: #1255020- Added inferface watchdog_unconfined_exec_read_lnk_files()- Remove labeling for /var/db/.
*\\.db as etc_t to label db files as system_db_t.Resolves: #1230877
* Thu Aug 27 2015 Lukas Vrabec 3.13.1-46- Allow watchdog execute fenced python script. Resolves: #1255020- Added inferface watchdog_unconfined_exec_read_lnk_files()- Label /var/run/chrony-helper dir as chronyd_var_run_t. Resolves: #1243764- Allow dhcpc_t domain transition to chronyd_t Resolves: #1243764
* Fri Aug 21 2015 Lukas Vrabec 3.13.1-45- Fix postfix_spool_maildrop_t,postfix_spool_flush_t contexts in postfix.fc file.Resolves: #1252442
* Wed Aug 19 2015 Lukas Vrabec 3.13.1-44- Allow exec pidof under hypervkvp domain.Resolves: #1254870- Allow hypervkvp daemon create connection to the system DBUSResolves: #1254870
* Wed Aug 19 2015 Lukas Vrabec 3.13.1-43- Allow openhpid_t to read system state.Resolves: #1244248- Added labels for files provided by rh-nginx18 collectionResolves: #1249945- Dontaudit block_suspend capability for ipa_helper_t, this is kernel bug. Allow ipa_helper_t capability net_admin. Allow ipa_helper_t to list /tmp. Allow ipa_helper_t to read rpm db.Resolves: #1252968- Allow rhsmcertd exec rhsmcertd_var_run_t files and rhsmcerd_tmp_t files. This rules are in hide_broken_sympthons until we find better solution.Resolves: #1243431- Allow abrt_dump_oops_t to read proc_security_t files.- Allow abrt_dump_oops to signull all domains Allow abrt_dump_oops to read all domains state Allow abrt_dump_oops to ptrace all domains- Add interface abrt_dump_oops_domtrans()- Add mountpoint dontaudit access check in rhsmcertd policy.Resolves: #1243431- Allow samba_net_t to manage samba_var_t sock files.Resolves: #1252937- Allow chrome setcap to itself.Resolves: #1251996- Allow httpd daemon to manage httpd_var_lib_t lnk_files.Resolves: #1253706- Allow chronyd exec systemctlResolves: #1243764- Add inteface chronyd_signal Allow timemaster_t send generic signals to chronyd_t.Resolves: #1243764- Added interface fs_dontaudit_write_configfs_dirs- Add label for kernel module dep files in /usr/lib/modulesResolves:#916635- Allow kernel_t domtrans to abrt_dump_oops_t- Added to files_dontaudit_write_all_mountpoints intefface new dontaudit rule, that domain included this interface dontaudit capability dac_override.- Allow systemd-networkd to send logs to systemd-journald.Resolves: #1236616
* Wed Aug 12 2015 Lukas Vrabec 3.13.1-42- Fix label on /var/tmp/kiprop_0Resolves:#1220763- Allow lldpad_t to getattr tmpfs_t.Resolves: #1246220- Label /dev/shm/lldpad.
* as lldapd_tmpfs_tResolves: #1246220- Allow audisp client to read system state.
* Tue Aug 11 2015 Lukas Vrabec 3.13.1-41- Allow pcp_domain to manage pcp_var_lib_t lnk_files.Resolves: #1252341- Label /var/run/xtables.
* as iptables_var_run_tResolves: #1243403
* Mon Aug 10 2015 Lukas Vrabec 3.13.1-40- Add interface to read/write watchdog device- Add labels for /dev/memory_bandwith and /dev/vhci. Thanks ssekiddeResolves:#1210237- Allow apcupsd_t to read /sys/devices Resolves:#1189185- Allow logrotate to reload services.Resolves: #1242453- Allow openhpid use libwatchdog plugin. (Allow openhpid_t rw watchdog device)Resolves: #1244260- Allow openhpid liboa_soap plugin to read generic certs.Resolves: #1244248- Allow openhpid liboa_soap plugin to read resolv.conf file.Resolves: #1244248- Label /usr/libexec/chrony-helper as chronyd_exec_t- Allow chronyd_t to read dhcpc state.- Allow chronyd to execute mkdir command.
* Fri Aug 07 2015 Miroslav Grepl 3.13.1-39- Allow mdadm to access /dev/random and add support to create own files/dirs as mdadm_tmpfs_t.Resolves:#1073314- Allow udev, lvm and fsadm to access systemd-cat in /var/tmp/dracut if \'dracut -fv\' is executed in MLS.- Allow admin SELinu users to communicate with kernel_t. It is needed to access /run/systemd/journal/stdout if \'dracut -vf\' is executed. We allow it for other SELinux users.- Allow sysadm to execute systemd-sysctl in the sysadm_t domain. It is needed for ifup command in MLS mode.- Add fstools_filetrans_named_content_fsadm() and call it for named_filetrans_domain domains. We need to be sure that /run/blkid is created with correct labeling.Resolves:#1183503- Add support for /etc/sanlock which is writable by sanlock daemon.Resolves:#1231377- Allow useradd add homedir located in /var/lib/kdcproxy in ipa-server RPM scriplet.Resolves:#1243775 - Allow snapperd to pass data (one way only) via pipe negotiated over dbusResolves:#1250550- Allow lsmd also setuid capability. Some commands need to executed under root privs. Other commands are executed under unprivileged user.
* Wed Aug 05 2015 Lukas Vrabec 3.13.1-38- Allow openhpid to use libsnmp_bc plugin (allow read snmp lib files). Resolves: #1243902- Allow lsm_plugin_t to read sysfs, read hwdata, rw to scsi_generic_device Resolves: #1238079- Allow lsm_plugin_t to rw raw_fixed_disk. Resolves:#1238079- Allow rhsmcertd to send signull to unconfined_service.
* Mon Aug 03 2015 Lukas Vrabec 3.13.1-37- Allow httpd_suexec_t to read and write Apache stream sockets Resolves: #1243569- Allow qpid to create lnk_files in qpid_var_lib_tResolves: #1247279
* Thu Jul 30 2015 Lukas Vrabec 3.13.1-36- Allow drbd to get attributes from filesystems.- Allow redis to read kernel parameters.Resolves: #1209518- Allow virt_qemu_ga_t domtrans to passwd_t- Allow audisp_remote_t to start power unit files domain to allow halt system.Resolves: #1186780- Allow audisp_remote_t to read/write user domain pty.Resolves: #1186780- Label /usr/sbin/chpasswd as passwd_exec_t.- Allow sysadm to administrate ldap environment and allow to bind ldap port to allow to setup an LDAP server (389ds).Resolves:#1221121
* Mon Jul 27 2015 Lukas Vrabec 3.13.1-35- gnome_dontaudit_search_config() needs to be a part of optinal_policy in pegasus.te- Allow pcp_pmcd daemon to read postfix config files.- Allow pcp_pmcd daemon to search postfix spool dirs.Resolves: #1213740- Added Booleans: pcp_read_generic_logs.Resolves: #1213740- Allow drbd to read configuration options used when loading modules.Resolves: #1134883- Allow glusterd to manage nfsd and rpcd services.- Allow glusterd to communicate with cluster domains over stream socket.- glusterd call pcs utility which calls find for cib.
* files and runs pstree under glusterd. Dontaudit access to security files and update gluster boolean to reflect these changes.
* Mon Jul 20 2015 Lukas Vrabec 3.13.1-34- Allow glusterd to manage nfsd and rpcd services.- Allow networkmanager to communicate via dbus with systemd_hostanmed. Resolves: #1234954- Allow stream connect logrotate to prosody.- Add prosody_stream_connect() interface.- httpd should be able to send signal/signull to httpd_suexec_t, instead of httpd_suexec_exec_t.- Allow prosody to create own tmp files/dirs.Resolves:#1212498
* Wed Jul 15 2015 Lukas Vrabec 3.13.1-33- Allow networkmanager read rfcomm port.Resolves:#1212498- Remove non exists label.- Fix
*_admin intefaces where body is not consistent with header.- Label /usr/afs/ as afs_files_t, Allow afs_bosserver_t create afs_config_t and afs_dbdir_t dirs under afs_files_t, Allow afs_bosserver_t read kerberos config- Remove non exits nfsd_ro_t label.- Make all interfaces related to openshift_cache_t as deprecated.- Add rpm_var_run_t label to rpm_admin header- Add jabberd_lock_t label to jabberd_admin header.- Add samba_unconfined_script_exec_t to samba_admin header.- inn daemon should create innd_log_t objects in var_log_t instead of innd_var_run_t- Fix ctdb policy- Add samba_signull_winbind()- Add samba_signull_unconfined_net()- Allow ctdbd_t send signull to samba_unconfined_net_t.- Allow openshift_initrc_t to communicate with firewalld over dbus Resolves:#1221326
* Tue Jul 14 2015 Lukas Vrabec 3.13.1-32- Allow gluster to connect to all ports. It is required by random services executed by gluster.- Add interfaces winbind_signull(), samba_unconfined_net_signull().- Dontaudit smbd_t block_suspend capability. This is kernel bug.- Allow ctdbd sending signull to process winbind, samba_unconfined_net, to checking if processes exists.- Add tmpreaper booleans to use nfs_t and samba_share_t.- Fix path from /usr/sbin/redis-server to /usr/bin/redis-server- Allow connect ypserv to portmap_port_t- Fix paths in inn policy, Allow innd read innd_log_t dirs, Allow innd execute innd_etc_t files- Add support for openstack-nova-
* packages- Allow NetworkManager_t send signull to dnssec_trigger_t.- Allow glusterd to execute showmount in the showmount domain.- Label swift-container-reconciler binary as swift_t.- Allow dnssec_trigger_t relabelfrom dnssec_trigger_var_run_t files.- Add cobbler_var_lib_t to \"/var/lib/tftpboot/boot(/.
*)?\"Resolves:#1213540- Merge all nova_
* labels under one nova_t.
* Wed Jul 08 2015 Miroslav Grepl 3.13.1-31- Add logging_syslogd_run_nagios_plugins boolean for rsyslog to allow transition to nagios unconfined pluginsResolves:#1233550- Allow dnssec_trigger_t create dnssec_trigger_tmp_t files in /var/tmp/- Add support for oddjob based helper in FreeIPA.- Add new boolean - httpd_run_ipa to allow httpd process to run IPA helper and dbus chat with oddjob.- Add nagios_domtrans_unconfined_plugins() interface.- Update mta_filetrans_named_content() interface to cover more db files. Resolves:#1167468- Add back ftpd_use_passive_mode boolean with fixed description.- Allow pmcd daemon stream connect to mysqld.- Allow pcp domains to connect to own process using unix_stream_socket. Resolves:#1213709- Allow abrt-upload-watch service to dbus chat with ABRT daemon and fsetid capability to allow run reporter-upload correctly.- Add new boolean - httpd_run_ipa to allow httpd process to run IPA helper and dbus chat with oddjob.- Add support for oddjob based helper in FreeIPA.- Allow dnssec_trigger_t create dnssec_trigger_tmp_t files in /var/tmp/
* Thu Jul 02 2015 Miroslav Grepl 3.13.1-30- Allow iptables to read ctdbd lib files.Resolves:#1224879- Add systemd_networkd_t to nsswitch domains.- Allow drbd_t write to fixed_disk_device. Reason: drbdmeta needs write to fixed_disk_device during initialization. Resolves:#1130675- Allow NetworkManager write to sysfs. - Fix cron_system_cronjob_use_shares boolean to call fs interfaces which contain only entrypoint permission.- Add cron_system_cronjob_use_shares boolean to allow system cronjob to be executed from shares - NFS, CIFS, FUSE. It requires \"entrypoint\" permissios on nfs_t, cifs_t and fusefs_t SELinux types.- Allow NetworkManager write to sysfs. - Allow ctdb_t sending signull to smbd_t, for checking if smbd process exists. - Dontaudit apache to manage snmpd_var_lib_t files/dirs. - Add interface snmp_dontaudit_manage_snmp_var_lib_files().- Dontaudit mozilla_plugin_t cap. sys_ptrace. - Rename xodbc-connect port to xodbc_connect- Allow ovsdb-server to connect on xodbc-connect and ovsdb tcp ports. - Allow iscsid write to fifo file kdumpctl_tmp_t. Appears when kdump generates the initramfs during the kernel boot. - Dontaudit chrome to read passwd file. - nrpe needs kill capability to make gluster moniterd nodes working. Resolves:#1235587
* Wed Jun 17 2015 Miroslav Grepl 3.13.1-29- We allow can_exec() on ssh_keygen on gluster. But there is a transition defined by init_initrc_domain() because we need to allow execute unconfined services by glusterd. So ssh-keygen ends up with ssh_keygen_t and we need to allow to manage /var/lib/glusterd/geo-replication/secret.pem.- Allow sshd to execute gnome-keyring if there is configured pam_gnome_keyring.so.- Allow gnome-keyring executed by passwd to access /run/user/UID/keyring to change a password. - Label gluster python hooks also as bin_t.- Allow glusterd to interact with gluster tools running in a user domain- Add glusterd_manage_lib_files() interface.- ntop reads /var/lib/ntop/macPrefix.db and it needs dac_override. It has setuid/setgid. - Allow samba_t net_admin capability to make CIFS mount working.- S30samba-start gluster hooks wants to search audit logs. Dontaudit it.Resolves:#1224879
* Mon Jun 15 2015 Miroslav Grepl 3.13.1-28- Allow glusterd to send generic signals to systemd_passwd_agent processes.- Allow glusterd to access init scripts/units without defined policy- Allow glusterd to run init scripts.- Allow glusterd to execute /usr/sbin/xfs_dbin glusterd_t domain.Resolves:#1224879
* Fri Jun 12 2015 Miroslav Grepl 3.13.1-27- Calling cron_system_entry() in pcp_domain_template needs to be a part of optional_policy block.- Allow samba-net to access /var/lib/ctdbd dirs/files.- Allow glusterd to send a signal to smbd.- Make ctdbd as home manager to access also FUSE.- Allow glusterd to use geo-replication gluster tool.- Allow glusterd to execute ssh-keygen.- Allow glusterd to interact with cluster services.- Allow glusterd to connect to the system DBUS for service (acquire_svc).- Label /dev/log correctly.Resolves:#1230932
* Tue Jun 09 2015 Miroslav Grepl 3.13.1-26- Back port the latest F22 changes to RHEL7. It should fix most of RHEL7.2 bugs- Add cgdcbxd policy Resolves:#1072493- Fix ftp_homedir booleanResolve:#1097775- Dontaudit ifconfig writing inhertited /var/log/pluto.log.- Allow cluster domain to dbus chat with systemd-logind.Resolves:#1145215- Dontaudit write access to inherited kdumpctl tmp filesResolves:#1156442- Allow isnsd_t to communicate with sssdResolves:#1167702- Allow rwho_t to communicate with sssdResolves:#1167718- Allow sblim_gatherd_t to communicate with sssdResolves:#1167732- Allow pkcs_slotd_t to communicate with sssdResolves:#1167737- Allow openvswitch_t to communicate with sssdResolves:#1167816- Allow mysqld_safe_t to communicate with sssdResolves:#1167832- Allow sshd_keygen_t to communicate with sssdResolves:#1167840- Add support for iprdbg logging files in /var/log.Resolves:#1174363- Allow tmpreaper_t to manage ntp log contentResolves:#1176965- Allow gssd_t to manage ssh keyringResolves:#1184791- Allow httpd_sys_script_t to send system log messagesResolves:#1185231- Allow apcupsd_t to read /sys/devicesResolves:#1189185- Allow dovecot_t sys_resource capabilityResolves:#1191143- Add support for mongod/mongos systemd unit files.Resolves:#1197038- Add bacula fixes- Added label mysqld_etc_t for /etc/my.cnf.d/ dir.Resolves:#1203991
* Thu May 14 2015 Miroslav Grepl 3.13.1-25- Label /usr/libexec/postgresql-ctl as postgresql_exec_t. - Add more restriction on entrypoint for unconfined domains.- Only allow semanage_t to be able to setenforce 0, no all domains that use selinux_semanage interface- Allow all domains to read /dev/urandom. It is needed by all apps/services linked to libgcrypt. There is no harm to allow it by default.- Update policy/mls for sockets related to access perm. Rules were contradictory.- Add nagios_run_pnp4nagios and nagios_run_sudo booleans to allow run sudo from NRPE utils scripts and allow run nagios in conjunction with PNP4Nagios.Resolves:#1201054- Don\'t use deprecated userdom_manage_tmpfs_role() interface calliing and use userdom_manage_tmp_role() instead.- Update virt_read_pid_files() interface to allow read also symlinks with virt_var_run_t type- Label /var/lib/tftpboot/aarch64(/.
*)? and /var/lib/tftpboot/images2(/.
*)?- Add support for iprdbg logging files in /var/log.- Add fixes to rhsmcertd_t- Allow puppetagent_t to transfer firewalld messages over dbus- Add support for /usr/libexec/mongodb-scl-helper RHSCL helper script.- Added label mysqld_etc_t for /etc/my.cnf.d/ dir.- Add support for mongod/mongos systemd unit files.- cloudinit and rhsmcertd need to communicate with dbus- Allow dovecot_t sys_resource capability
* Tue Mar 31 2015 Miroslav Grepl 3.13.1-24- ALlow mongod execmem by default.- Update policy/mls for sockets. Rules were contradictory.Resolves:#1207133- Allow a user to login with different security level via ssh.
* Fri Jan 30 2015 Miroslav Grepl 3.13.1-23- Update seutil_manage_config() interface.Resolves:#1185962- Allow pki-tomcat relabel pki_tomcat_etc_rw_t.- Turn on docker_transition_unconfined by default
* Wed Jan 28 2015 Miroslav Grepl 3.13.1-22- Allow virtd to list all mountpoints.Resolves:#1180713
* Wed Jan 28 2015 Miroslav Grepl 3.13.1-21- pkcsslotd_lock_t should be an alias for pkcs_slotd_lock_t.- Allow fowner capability for sssd because of selinux_child handling.- ALlow bind to read/write inherited ipsec pipes- Allow hypervkvp to read /dev/urandom and read addition states/config files.- Allow gluster rpm scripletto create glusterd socket with correct labeling. This is a workaround until we get fix in glusterd.- Add glusterd_filetrans_named_pid() interface- Allow radiusd to connect to radsec ports.- Allow setuid/setgid for selinux_child- Allow lsmd plugin to connect to tcp/5988 by default.- Allow lsmd plugin to connect to tcp/5989 by default.- Update ipsec_manage_pid() interface.Resolves:#1184978
* Fri Jan 23 2015 Miroslav Grepl 3.13.1-20- Update ipsec_manage_pid() interface.Resolves:#1184978
* Wed Jan 21 2015 Miroslav Grepl 3.13.1-19- Allow ntlm_auth running in winbind_helper_t to access /dev/urandom.
* Wed Jan 21 2015 Miroslav Grepl 3.13.1-18- Add auditing support for ipsec.Resolves:#1182524- Label /ostree/deploy/rhel-atomic-host/deploy directory as system_conf_t- Allow netutils chown capability to make tcpdump working with -w
* Tue Jan 20 2015 Miroslav Grepl 3.13.1-17- Allow ipsec to execute _updown.netkey script to run unbound-control.- Allow neutron to read rpm DB.- Add additional fixes for hyperkvp
* creates new ifcfg-{name} file
* Runs hv_set_ifconfig.sh, which does the following
* Copies ifcfg-{name} to /etc/sysconfig/network-scripts- Allow svirt to read symbolic links in /sys/fs/cgroups labeled as tmpfs_t- Add labeling for pacemaker.log.- Allow radius to connect/bind radsec ports.- Allow pm-suspend running as virt_qemu_ga to read /var/log/pm-suspend.log- Allow virt_qemu_ga to dbus chat with rpm.- Update virt_read_content() interface to allow read also char devices.- Allow glance-registry to connect to keystone port.Resolves:#1181818
* Mon Jan 12 2015 Miroslav Grepl 3.13.1-16- Allow sssd to send dbus all user domains.Resolves:#1172291- Allow lsm plugin to read certificates.- Fix labeling for keystone CGI scripts.- Make snapperd back as unconfined domain.
* Fri Jan 09 2015 Miroslav Grepl 3.13.1-15- Fix bugs in interfaces discovered by sepolicy.- Allow slapd to read /usr/share/cracklib/pw_dict.hwm.- Allow lsm plugins to connect to tcp/18700 by default.- Allow brltty mknod capability to allow create /var/run/brltty/vcsa.- Fix pcp_domain_template() interface.- Fix conman.te.- Allow mon_fsstatd to read /proc/sys/fs/binfmt_misc- Allow glance-scrubber to connect tcp/9191.- Add missing setuid capability for sblim-sfcbd.- Allow pegasus ioctl() on providers.- Add conman_can_network.- Allow chronyd to read chrony conf files located in /run/timemaster/.- Allow radius to bind on tcp/1813 port.- dontaudit block suspend access for openvpn_t - Allow conman to create files/dirs in /tmp.- Update xserver_rw_xdm_keys() interface to have \'setattr\'.Resolves:#1172291 - Allow sulogin to read /dev/urandom and /dev/random.- Update radius port definition to have also tcp/18121- Label prandom as random_device_t.- Allow charon to manage files in /etc/strongimcv labeled as ipsec_conf_t.
* Fri Dec 12 2014 Miroslav Grepl 3.13.1-14- Allow virt_qemu_ga_t to execute kmod.- Add missing files_dontaudit_list_security_dirs() for smbd_t in samba_export_all_ro boolean.- Add additionnal MLS attribute for oddjob_mkhomedir to create homedirs.Resolves:#1113725- Enable OpenStack cinder policy- Add support for /usr/share/vdsm/daemonAdapter- Add support for /var/run/gluster
* Tue Dec 02 2014 Miroslav Grepl 3.13.1-13- Remove old pkcsslotd.pp from minimum package- Allow rlogind to use also rlogin ports.- Add support for /usr/libexec/ntpdate-wrapper. Label it as ntpdate_exec_t.- Allow bacula to connect also to postgresql.- Label /usr/libexec/tomcat/server as tomcat_exec_t- Add support for /usr/sbin/ctdbd_wrapper- Add support for /usr/libexec/ppc64-diag/rtas_errd- Allow rpm_script_roles to access system_mail_t- Allow brltty to create /var/run/brltty- Allow lsmd plugin to access netlink_route_socket- Allow smbcontrol to read passwd- Add support for /usr/libexec/sssd/selinux_child and create sssd_selinux_manager_t domain for itResolves:#1140106- Allow osad to execute rhn_check- Allow load_policy to rw inherited sssd pipes because of selinux_child- Allow admin SELinux users mounting / as private within a new mount namespace as root in MLS- Add additional fixes for su_restricted_domain_template to make moving to sysadm_r and trying to su working correctly- Add additional booleans substitions
* Tue Nov 25 2014 Miroslav Grepl 3.13.1-12- Add seutil_dontaudit_access_check_semanage_module_store() interfaceResolves:#1140106- Update to have all _systemctl() interface also init_reload_services().- Dontaudit access check on SELinux module store for sssd.- Add labeling for /sbin/iw.- Allow named_filetrans_domain to create ibus directory with correct labeling.
* Mon Nov 24 2014 Miroslav Grepl 3.13.1-11- Allow radius to bind tcp/1812 radius port.- Dontaudit list user_tmp files for system_mail_t.- Label virt-who as virtd_exec_t.- Allow rhsmcertd to send a null signal to virt-who running as virtd_t.- Add missing alias for _content_rw_t.Resolves:#1089177- Allow spamd to access razor-agent.log.- Add fixes for sfcb from libvirt-cim TestOnly bug.- Allow NetworkManager stream connect on openvpn.- Make /usr/bin/vncserver running as unconfined_service_t.- getty_t should be ranged in MLS. Then also local_login_t runs as ranged domain.- Label /etc/docker/certs.d as cert_t.
* Tue Nov 18 2014 Miroslav Grepl 3.13.1-10- Label /etc/strongimcv as ipsec_conf_file_t.- Add support for /usr/bin/start-puppet-ca helper scriptResolves:#1160727- Allow rpm scripts to enable/disable transient systemd units.Resolves:#1154613 - Make kpropdas nsswitch domainResolves:#1153561- Make all glance domain as nsswitch domainsResolves:#1113281- Allow selinux_child running as sssd access check on /etc/selinux/targeted/modules/active- Allow access checks on setfiles/load_policy/semanage_lock for selinux_child running as sssd_tResolves:#1140106
* Mon Nov 10 2014 Miroslav Grepl 3.13.1-9- Dontaudit access check on setfiles/load_policy for sssd_t.Resolves:#1140106- Add kdump_rw_inherited_kdumpctl_tmp_pipes()Resolves:#1156442- Make linuxptp services as unconfined.- Added new policy linuxptp.Resolves:#1149693- Label keystone cgi files as keystone_cgi_script_exec_t.Resolves:#1138424- Make tuned as unconfined domain
* Thu Nov 06 2014 Miroslav Grepl 3.13.1-8- Allow guest to connect to libvirt using unix_stream_socket.- Allow all bus client domains to dbus chat with unconfined_service_t.- Allow inetd service without own policy to run in inetd_child_t which is unconfined domain.- Make opensm as nsswitch domain to make it working with sssd.- Allow brctl to read meminfo.- Allow winbind-helper to execute ntlm_auth in the caller domain.Resolves:#1160339- Make plymouthd as nsswitch domain to make it working with sssd.Resolves:#1160196- Make drbd as nsswitch domain to make it working with sssd.- Make conman as nsswitch domain to make ipmitool.exp runing as conman_t working.- Add support for /var/lib/sntp directory.- Add fixes to allow docker to create more content in tmpfs ,and donaudit reading /proc- Allow winbind to read usermodehelper- Allow telepathy domains to execute shells and bin_t- Allow gpgdomains to create netlink_kobject_uevent_sockets- Allow mongodb to bind to the mongo port and mongos to run as mongod_t- Allow abrt to read software raid state.- Allow nslcd to execute netstat.- Allow dovecot to create user\'s home directory when they log into IMAP.- Allow login domains to create kernel keyring with different level.
* Mon Nov 03 2014 Miroslav Grepl 3.13.1-7- Allow modemmanger to connectto itselfResolves:#1120152 - Allow pki_tomcat to create link files in /var/lib/pki-ca.Resolves:#1121744 - varnishd needs to have fsetid capabilityResolves:#1125165- Allow snapperd to dbus chat with system cron jobs.Resolves:#1152447- Allow dovecot to create user\'s home directory when they log into IMAP Resolves:#1152773 - Add labeling for /usr/sbin/haproxy-systemd-wrapper wrapper to make haproxy running haproxy_t.- ALlow listen and accept on tcp socket for init_t in MLS. Previously it was for xinetd_t. - Allow nslcd to execute netstat.- Add suppor for keepalived unconfined scripts and allow keepalived to read all domain state and kill capability.- Allow nslcd to read /dev/urandom.
* Thu Oct 16 2014 Miroslav Grepl 3.13.1-6- Add back kill permisiion for system classResolves:#1150011
* Wed Oct 15 2014 Miroslav Grepl 3.13.1-5- Add back kill permisiion for service classResolves:#1150011- Make rhsmcertd_t also as dbus domain.- Allow named to create DNS_25 with correct labeling.- Add cloudform_dontaudit_write_cloud_log()- Call auth_use_nsswitch to apache to read/write cloud-init keys.- Allow cloud-init to dbus chat with certmonger.- Fix path to mon_statd_initrc_t script.- Allow all RHCS services to read system state.- Allow dnssec_trigger_t to execute unbound-control in own domain.- kernel_read_system_state needs to be called with type. Moved it to antivirus.if.- Added policy for mon_statd and mon_procd services. BZ (1077821)- Allow opensm_t to read/write /dev/infiniband/umad1.- Allow mongodb to manage own log files.- Allow neutron connections to system dbus.- Add support for /var/lib/swiftdirectory.- Allow nova-scheduler to read certs.- Allow openvpn to access /sys/fs/cgroup dir.- Allow openvpn to execute systemd-passwd-agent in systemd_passwd_agent_t to make openvpn working with systemd.- Fix samba_export_all_ro/samba_export_all_rw booleans to dontaudit search/read security files.- Add auth_use_nsswitch for portreserve to make it working with sssd.- automount policy is non-base module so it needs to be called in optional block.- ALlow sensord to getattr on sysfs.- Label /usr/share/corosync/corosync as cluster_exec_t.- Allow lmsd_plugin to read passwd file. BZ(1093733)- Allow read antivirus domain all kernel sysctls.- Allow mandb to getattr on file systems- Allow nova-console to connect to mem_cache port.- Make sosreport as unconfined domain.- Allow mondogdb to \'accept\' accesses on the tcp_socket port.- ALlow sanlock to send a signal to virtd_t.
* Thu Oct 09 2014 Miroslav Grepl 3.13.1-4- Build also MLS policyResolves:#1138424
* Thu Oct 09 2014 Miroslav Grepl 3.13.1-3- Add back kill permisiion for system class- Allow iptables read fail2ban logs.- Fix radius labeled ports- Add userdom_manage_user_tmpfs_files interface- Allow libreswan to connect to VPN via NM-libreswan.- Label 4101 tcp port as brlp port- fix dev_getattr_generic_usb_dev interface- Allow all domains to read fonts- Make sure /run/systemd/generator and system is labeled correctly on creation.- Dontaudit aicuu to search home config dir. - Make keystone_cgi_script_t domain. Resolves:#1138424- Fix bug in drbd policy, - Added support for cpuplug. - ALlow sanlock_t to read sysfs_t.- Added sendmail_domtrans_unconfined interface- Fix broken interfaces- radiusd wants to write own log files.- Label /usr/libexec/rhsmd as rhsmcertd_exec_t- Allow rhsmcertd send signull to setroubleshoot. - Allow rhsmcertd manage rpm db. - Added policy for blrtty. - Fix keepalived policy- Allow rhev-agentd dbus chat with systemd-logind.- Allow keepalived manage snmp var lib sock files.- Add support for /var/lib/graphite-web- Allow NetworkManager to create Bluetooth SDP sockets- It\'s going to do the the discovery for DUN service for modems with Bluez 5.- Allow swift to connect to all ephemeral ports by default.- Allow sssd to read selinux config to add SELinux user mapping.- Allow lsmd to search own plguins.- Allow abrt to read /dev/memto generate an unique machine_id and uses sosuploader\'s algorithm based off dmidecode[1] fields.- ALlow zebra for user/group look-ups.- Allow nova domains to getattr on all filesystems.- Allow collectd sys_ptrace and dac_override caps because of reading of /proc/%i/io for several processes.- Allow pppd to connect to /run/sstpc/sstpc-nm-sstp-service-28025 over unix stream socket.- Allow rhnsd_t to manage also rhnsd config symlinks.- ALlow user mail domains to create dead.letter.- Allow rabbitmq_t read rabbitmq_var_lib_t lnk files. - Allow pki-tomcat to change SELinux object identity.- Allow radious to connect to apache ports to do OCSP check- Allow git cgi scripts to create content in /tmp- Allow cockpit-session to do GSSAPI logins.- Allow sensord read in /proc - Additional access required by usbmuxd
* Thu Sep 18 2014 Miroslav Grepl 3.13.1-2- Allow locate to look at files/directories without labels, and chr_file and blk_file on non dev file systems- Label /usr/lib/erlang/erts.
*/bin files as bin_t- Add files_dontaudit_access_check_home_dir() inteface.- Allow udev_t mounton udev_var_run_t dirs #(1128618)- Add systemd_networkd_var_run_t labeling for /var/run/systemd/netif and allow systemd-networkd to manage it.- Add init_dontaudit_read_state() interface.- Add label for ~/.local/share/fonts- Allow unconfined_r to access unconfined_service_t.- Allow init to read all config files- Add new interface to allow creation of file with lib_t type- Assign rabbitmq port.- Allow unconfined_service_t to dbus chat with all dbus domains- Add new interfaces to access users keys.- Allow domains to are allowed to mounton proc to mount on files as well as dirs- Fix labeling for HOME_DIR/tmp and HOME_DIR/.tmp directories.- Add a port definition for shellinaboxd- Label ~/tmp and ~/.tmp directories in user tmp dirs as user_tmp_t- Allow userdomains to stream connect to pcscd for smart cards- Allow programs to use pam to search through user_tmp_t dires (/tmp/.X11-unix)- Update to rawhide-contrib changesResolves:#1123844
* Thu Aug 21 2014 Miroslav Grepl 3.13.1-1- Rebase to 3.13.1 which we have in Fedora21Resolves:#1128284
* Fri Jun 13 2014 Miroslav Grepl 3.12.1-156- Back port fixes from Fedora. Mainly OpenStack and Docker fixes
* Wed Jun 11 2014 Miroslav Grepl 3.12.1-155- Add policy-rhel-7.1-{base,contrib} patches
* Mon May 05 2014 Miroslav Grepl 3.12.1-154- Add support for us_cli ports- Fix labeling for /var/run/user//gvfs- add support for tcp/9697- Additional rules required by openstack, needs backport to F20 and RHEL7- Additional access required by docker- ALlow motion to use tcp/8082 port- Allow init_t to setattr/relabelfrom dhcp state files- Dontaudit antivirus domains read access on all security files by default- Add missing alias for old amavis_etc_t type- Allow block_suspend cap for haproxy- Additional fixes for instack overcloud- Allow OpenStack to read mysqld_db links and connect to MySQL- Remove dup filename rules in gnome.te- Allow sys_chroot cap for httpd_t and setattr on httpd_log_t- Allow iscsid to handle own unit files- Add iscsi_systemctl()- Allow mongod to create also sock_files in /run with correct labeling- Allow httpd to send signull to apache script domains and don\'t audit leaks- Allow rabbitmq_beam to connect to httpd port- Allow aiccu stream connect to pcscd- Allow dmesg to read hwdata and memory dev- Allow all freeipmi domains to read/write ipmi devices- Allow sblim_sfcbd to use also pegasus-https port- Allow rabbitmq_epmd to manage rabbit_var_log_t files- Allow chronyd to read /sys/class/hwmon/hwmon1/device/temp2_input- Allow docker to status any unit file and allow it to start generic unit files
* Mon Apr 07 2014 Miroslav Grepl 3.12.1-153- Change hsperfdata_root to have as user_tmp_tResolves:#1076523
* Fri Apr 04 2014 Miroslav Grepl 3.12.1-152- Fix Multiple same specifications for /var/named/chroot/dev/zero- Add labels for /var/named/chroot_sdb/dev devices- Add support for strongimcv- Use kerberos_keytab_domains in auth_use_nsswitch- Update auth_use_nsswitch to make all these types as kerberos_keytab_domain to- Allow net_raw cap for neutron_t and send sigkill to dnsmasq- Fix ntp_filetrans_named_content for sntp-kod file- Add httpd_dbus_sssd boolean- Dontaudit exec insmod in boinc policy- Rename kerberos_keytab_domain to kerberos_keytab_domains- Add kerberos_keytab_domain()- Fix kerberos_keytab_template()- Make all domains which use kerberos as kerberos_keytab_domainResolves:#1083670- Allow kill capability to winbind_t
* Wed Apr 02 2014 Miroslav Grepl 3.12.1-151- varnishd wants chown capability- update ntp_filetrans_named_content() interface- Add additional fixes for neutron_t. #1083335- Dontaudit getattr on proc_kcore_t- Allow pki_tomcat_t to read ipa lib files- Allow named_filetrans_domain to create /var/cache/ibus with correct labelign- Allow init_t run /sbin/augenrules- Add dev_unmount_sysfs_fs and sysnet_manage_ifconfig_run interfaces- Allow unpriv SELinux user to use sandbox- Add default label for /tmp/hsperfdata_root
* Tue Apr 01 2014 Miroslav Grepl 3.12.1-149- Add file subs also for /var/home
* Mon Mar 31 2014 Miroslav Grepl 3.12.1-149- Allow xauth_t to read user_home_dir_t lnk_file- Add labeling for lightdm-data- Allow certmonger to manage ipa lib files- Add support for /var/lib/ipa- Allow pegasus to getattr virt_content- Added some new rules to pcp policy- Allow chrome_sandbox to execute config_home_t- Add support for ABRT FAF
* Fri Mar 28 2014 Miroslav Grepl 3.12.1-148- Allow kdm to send signull to remote_login_t process- Add gear policy- Turn on gear_port_t- Allow cgit to read gitosis lib files by default- Allow vdagent to read xdm state- Allow NM and fcoeadm to talk together over unix_dgram_socket
* Thu Mar 27 2014 Miroslav Grepl 3.12.1-147- Back port fixes for pegasus_openlmi_admin_t from rawhideResolves:#1080973- Add labels for ostree- Add SELinux awareness for NM- Label /usr/sbin/pwhistory_helper as updpwd_exec_t
* Wed Mar 26 2014 Miroslav Grepl 3.12.1-146- add gnome_append_home_config()- Allow thumb to append GNOME config home files- Allow rasdaemon to rw /dev/cpu//msr- fix /var/log/pki file spec- make bacula_t as auth_nsswitch domain- Identify pki_tomcat_cert_t as a cert_type- Define speech-dispater_exec_t as an application executable- Add a new file context for /var/named/chroot/run directory- update storage_filetrans_all_named_dev for sg
* devices- Allow auditctl_t to getattr on all removeable devices- Allow nsswitch_domains to stream connect to nmbd- Allow unprivusers to connect to memcached- label /var/lib/dirsrv/scripts-INSTANCE as bin_t
* Mon Mar 24 2014 Miroslav Grepl 3.12.1-145- Allow also unpriv user to run vmtools- Allow secadm to read /dev/urandom and meminfoResolves:#1079250- Add booleans to allow docker processes to use nfs and samba- Add mdadm_tmpfs support- Dontaudit net_amdin for /usr/lib/jvm/java-1.7.0-openjdk-1.7.0.51-2.4.5.1.el7.x86_64/jre-abrt/bin/java running as pki_tomcat_t- Allow vmware-user-sui to use user ttys- Allow talk 2 users logged via console too- Allow ftp services to manage xferlog_t- Make all pcp domanis as unconfined for RHEL7.0 beucause of new policies- allow anaconda to dbus chat with systemd-localed
* Fri Mar 21 2014 Miroslav Grepl 3.12.1-144- allow anaconda to dbus chat with systemd-localed- Add fixes for haproxy based on bperkinsAATTredhat.com- Allow cmirrord to make dmsetup working- Allow NM to execute arping- Allow users to send messages through talk- Add userdom_tmp_role for secadm_t
* Thu Mar 20 2014 Lukas Vrabec 3.12.1-143- Add additional fixes for rtas_errd- Fix transitions for tmp/tmpfs in rtas.te- Allow rtas_errd to readl all sysctls
* Wed Mar 19 2014 Miroslav Grepl 3.12.1-142- Add support for /var/spool/rhsm/debug- Make virt_sandbox_use_audit as True by default- Allow svirt_sandbox_domains to ptrace themselves
* Wed Mar 19 2014 Miroslav Grepl 3.12.1-141- Allow docker containers to manage /var/lib/docker content
* Mon Mar 17 2014 Miroslav Grepl 3.12.1-140- Allow docker to read tmpfs_t symlinks- Allow sandbox svirt_lxc_net_t to talk to syslog and to sssd over stream sockets
* Mon Mar 17 2014 Miroslav Grepl 3.12.1-139- Allow collectd to talk to libvirt- Allow chrome_sandbox to use leaked unix_stream_sockets- Dontaudit leaks of sockets into chrome_sandbox_t- If you create a cups directory in /var/cache then it should be labeled cups_rw_etc_t- Run vmtools as unconfined domains- Allow snort to manage its log files- Allow systemd_cronjob_t to be entered via bin_t- Allow procman to list doveconf_etc_t- allow keyring daemon to create content in tmpfs directories- Add proper labelling for icedtea-web- vpnc is creating content in networkmanager var run directory- Label sddm as xdm_exec_t to make KDE working again- Allow postgresql to read network state- Allow java running as pki_tomcat to read network sysctls- Fix cgroup.te to allow cgred to read cgconfig_etc_t- Allow beam.smp to use ephemeral ports- Allow winbind to use the nis to authenticate passwords
* Fri Mar 14 2014 Lukas Vrabec 3.12.1-138- Make rtas_errd_t as unconfined domain for F20.It needs additional fixes. It runs rpm at least.- Allow net_admin cap for fence_virtd running as fenced_t- Make abrt-java-connector working- Make cimtest script 03_defineVS.py of ComputerSystem group working- Fix git_system_enable_homedirs boolean- Allow munin mail plugins to read network systcl
* Thu Mar 13 2014 Miroslav Grepl 3.12.1-137- Allow vmtools_helper_t to execute bin_t- Add support for /usr/share/joomla- /var/lib/containers should be labeled as openshift content for now- Allow docker domains to talk to the login programs, to allow a process to login into the container- Allow install_t do dbus chat with NM- Fix interface names in anaconda.if- Add install_t for anaconda. A new type is a part of anaconda policy- sshd to read network sysctls
* Wed Mar 12 2014 Miroslav Grepl 3.12.1-136- Allow zabbix to send system log msgs- Allow init_t to stream connect to ipsecResolves:#1060775
* Tue Mar 11 2014 Miroslav Grepl 3.12.1-135- Add docker_connect_any boolean
* Tue Mar 11 2014 Miroslav Grepl 3.12.1-134- Allow unpriv SELinux users to dbus chat with firewalld- Add lvm_write_metadata()- Label /etc/yum.reposd dir as system_conf_t. Should be safe because system_conf_t is base_ro_file_type- Allow pegasus_openlmi_storage_t to write lvm metadata- Add hide_broken_symptoms for kdumpgui because of systemd bug- Make kdumpgui_t as unconfined domainResolves:#1044299- Allow docker to connect to tcp/5000
* Mon Mar 10 2014 Miroslav Grepl 3.12.1-133- Allow numad to write scan_sleep_millisecs- Turn on entropyd_use_audio boolean by default- Allow cgred to read /etc/cgconfig.conf because it contains templates used together with rules from /etc/cgrules.conf.- Allow lscpu running as rhsmcertd_t to read /proc/sysinfo- Fix label on irclogs in the homedir- Allow kerberos_keytab_domain domains to manage keys until we get sssd fix- Allow postgresql to use ldap- Add missing syslog-conn port- Add support for /dev/vmcp and /dev/sclpResolves:#1069310
* Fri Mar 07 2014 Miroslav Grepl 3.12.1-132- Modify xdm_write_home to allow create files/links in /root with xdm_home_- Allow virt domains to read network stateResolves:#1072019
* Thu Mar 06 2014 Miroslav Grepl 3.12.1-131- Added pcp rules- dontaudit openshift_cron_t searching random directories, should be back ported to RHEL6- clean up ctdb.te- Allow ctdbd to connect own ports- Fix samba_export_all_rw booleanto cover also non security dirs- Allow swift to exec rpm in swift_t and allow to create tmp files/dirs- Allow neutron to create /run/netns with correct labeling- Allow certmonger to list home dirs
* Wed Mar 05 2014 Miroslav Grepl 3.12.1-130- Change userdom_use_user_inherited_ttys to userdom_use_user_ttys for systemd-tty-ask- Add sysnet_filetrans_named_content_ifconfig() interface- Allow ctdbd to connect own ports- Fix samba_export_all_rw booleanto cover also non security dirs- Allow swift to exec rpm in swift_t and allow to create tmp files/dirs- Allow neutron to create /run/netns with correct labeling- Allow kerberos keytab domains to manage sssd/userdomain keys\"- Allow to run ip cmd in neutron_t domain
* Mon Mar 03 2014 Miroslav Grepl 3.12.1-129- Allow block_suspend cap2 for systemd-logind and rw dri device- Add labeling for /usr/libexec/nm-libreswan-service- Allow locallogin to rw xdm key to make Virtual Terminal login providing smartcard pin working- Add xserver_rw_xdm_keys()- Allow rpm_script_t to dbus chat also with systemd-located- Fix ipa_stream_connect_otpd()- update lpd_manage_spool() interface- Allow krb5kdc to stream connect to ipa-otpd- Add ipa_stream_connect_otpd() interface- Allow vpnc to unlink NM pids- Add networkmanager_delete_pid_files()- Allow munin plugins to access unconfined plugins- update abrt_filetrans_named_content to cover /var/spool/debug- Label /var/spool/debug as abrt_var_cache_t- Allow rhsmcertd to connect to squid port- Make docker_transition_unconfined as optional boolean- Allow certmonger to list home dirs
* Wed Feb 26 2014 Miroslav Grepl 3.12.1-128- Make snapperd as unconfined domain and add additional fixes for it- Remove nsplugin.pp module on upgrade
* Tue Feb 25 2014 Miroslav Grepl 3.12.1-127- Add snapperd_home_t for HOME_DIR/.snapshots directory- Make sosreport as unconfined domain- Allow sosreport to execute grub2-probe- Allow NM to manage hostname config file- Allow systemd_timedated_t to dbus chat with rpm_script_t- Allow lsmd plugins to connect to http/ssh/http_cache ports by default- Add lsmd_plugin_connect_any boolean- Allow mozilla_plugin to attempt to set capabilities- Allow lsdm_plugins to use tcp_socket- Dontaudit mozilla plugin from getattr on /proc or /sys- Dontaudit use of the keyring by the services in a sandbox- Dontaudit attempts to sys_ptrace caused by running ps for mysqld_safe_t- Allow rabbitmq_beam to connect to jabber_interserver_port- Allow logwatch_mail_t to transition to qmail_inject and queueu- Added new rules to pcp policy- Allow vmtools_helper_t to change role to system_r- Allow NM to dbus chat with vmtools- Fix couchdb_manage_files() to allow manage couchdb conf files- Add support for /var/run/redis.sock- dontaudit gpg trying to use audit- Allow consolekit to create log directories and files- Fix vmtools policy to allow user roles to access vmtools_helper_t- Allow block_suspend cap2 for ipa-otpd- Allow pkcsslotd to read users state- Add ioctl to init_dontaudit_rw_stream_socket- Add systemd_hostnamed_manage_config() interface- Remove transition for temp dirs created by init_t- gdm-simple-slave uses use setsockopt- sddm-greater is a xdm type program
* Tue Feb 18 2014 Miroslav Grepl 3.12.1-126- Add lvm_read_metadata()- Allow auditadm to search /var/log/audit dir- Add lvm_read_metadata() interface- Allow confined users to run vmtools helpers- Fix userdom_common_user_template()- Generic systemd unit scripts do write check on /- Allow init_t to create init_tmp_t in /tmp.This is for temporary content created by generic unit files- Add additional fixes needed for init_t and setup script running in generic unit files- Allow general users to create packet_sockets- added connlcli port- Add init_manage_transient_unit() interface- Allow init_t (generic unit files) to manage rpc state date as we had it for initrc_t- Fix userdomain.te to require passwd class- devicekit_power sends out a signal to all processes on the message bus when power is going down- Dontaudit rendom domains listing /proc and hittping system_map_t- Dontauit leaks of var_t into ifconfig_t- Allow domains that transition to ssh_t to manipulate its keyring- Define oracleasm_t as a device node- Change to handle /root as a symbolic link for os-tree- Allow sysadm_t to create packet_socket, also move some rules to attributes- Add label for openvswitch port- Remove general transition for files/dirs created in /etc/mail which got etc_aliases_t label.- Allow postfix_local to read .forward in pcp lib files- Allow pegasus_openlmi_storage_t to read lvm metadata- Add additional fixes for pegasus_openlmi_storage_t- Allow bumblebee to manage debugfs- Make bumblebee as unconfined domain- Allow snmp to read etc_aliases_t- Allow lscpu running in pegasus_openlmi_storage_t to read /dev/mem- Allow pegasus_openlmi_storage_t to read /proc/1/environ- Dontaudit read gconf files for cupsd_config_t- make vmtools as unconfined domain- Add vmtools_helper_t for helper scripts. Allow vmtools shutdonw a host and run ifconfig.- Allow collectd_t to use a mysql database- Allow ipa-otpd to perform DNS name resolution- Added new policy for keepalived- Allow openlmi-service provider to manage transitient units and allow stream connect to sssd- Add additional fixes new pscs-lite+polkit support- Add labeling for /run/krb5kdc- Change w3c_validator_tmp_t to httpd_w3c_validator_tmp_t in F20- Allow pcscd to read users proc info- Dontaudit smbd_t sending out random signuls- Add boolean to allow openshift domains to use nfs- Allow w3c_validator to create content in /tmp- zabbix_agent uses nsswitch- Allow procmail and dovecot to work together to deliver mail- Allow spamd to execute files in homedir if boolean turned on- Allow openvswitch to listen on port 6634- Add net_admin capability in collectd policy- Fixed snapperd policy- Fixed bugsfor pcp policy- Allow dbus_system_domains to be started by init- Fixed some interfaces- Add kerberos_keytab_domain attribute- Fix snapperd_conf_t def
* Tue Feb 11 2014 Miroslav Grepl 3.12.1-125- Addopt corenet rules for unbound-anchor to rpm_script_t- Allow runuser to send send audit messages.- Allow postfix-local to search .forward in munin lib dirs- Allow udisks to connect to D-Bus- Allow spamd to connect to spamd port- Fix syntax error in snapper.te- Dontaudit osad to search gconf home files- Allow rhsmcertd to manage /etc/sysconf/rhn director- Fix pcp labeling to accept /usr/bin for all daemon binaries- Fix mcelog_read_log() interface- Allow iscsid to manage iscsi lib files- Allow snapper domtrans to lvm_t. Add support for /etc/snapper and allow snapperd to manage it.- Make tuned_t as unconfined domain for RHEL7.0- Allow ABRT to read puppet certs- Add sys_time capability for virt-ga- Allow gemu-ga to domtrans to hwclock_t- Allow additional access for virt_qemu_ga_t processes to read system clock and send audit messages- Fix some AVCs in pcp policy- Add to bacula capability setgid and setuid and allow to bind to bacula ports- Changed label from rhnsd_rw_conf_t to rhnsd_conf_t- Add access rhnsd and osad to /etc/sysconfig/rhn- drbdadm executes drbdmeta- Fixes needed for docker- Allow epmd to manage /var/log/rabbitmq/startup_err file- Allow beam.smp connect to amqp port- Modify xdm_write_home to allow create also links as xdm_home_t if the boolean is on true- Allow init_t to manage pluto.ctl because of init_t instead of initrc_t- Allow systemd_tmpfiles_t to manage all non security files on the system- Added labels for bacula ports- Fix label on /dev/vfio/vfio- Add kernel_mounton_messages() interface- init wants to manage lock files for iscsi
* Mon Feb 03 2014 Miroslav Grepl 3.12.1-124- Added osad policy- Allow postfix to deliver to procmail- Allow bumblebee to seng kill signal to xserver- Allow vmtools to execute /usr/bin/lsb_release- Allow docker to write system net ctrls- Add support for rhnsd unit file- Add dbus_chat_session_bus() interface- Add dbus_stream_connect_session_bus() interface- Fix pcp.te- Fix logrotate_use_nfs boolean- Add lot of pcp fixes found in RHEL7- fix labeling for pmie for pcp pkg- Change thumb_t to be allowed to chat/connect with session bus type- Allow call renice in mlocate- Add logrotate_use_nfs boolean- Allow setroubleshootd to read rpc sysctl
* Fri Jan 31 2014 Miroslav Grepl 3.12.1-123- Turn on bacula, rhnsd policy- Add support for rhnsd unit file- Add dbus_chat_session_bus() interface- Add dbus_stream_connect_session_bus() interface- Fix logrotate_use_nfs boolean- Add lot of pcp fixes found in RHEL7- fix labeling for pmie for pcp pkg- Change thumb_t to be allowed to chat/connect with session bus type- Allow call renice in mlocate- Add logrotate_use_nfs boolean- Allow setroubleshootd to read rpc sysctl- Fixes for
*_admin interfaces- Add pegasus_openlmi_storage_var_run_t type def- Add support for /var/run/openlmi-storage- Allow tuned to create syslog.conf with correct labeling- Add httpd_dontaudit_search_dirs boolean- Add support for winbind.service- ALlow also fail2ban-client to read apache logs- Allow vmtools to getattr on all fs- Add support for dey_sapi port- Add logging_filetrans_named_conf()- Allow passwd_t to use ipc_lock, so that it can change the password in gnome-keyring
* Tue Jan 28 2014 Miroslav Grepl 3.12.1-122- Update snapper policy- Allow domains to append rkhunter lib files- Allow snapperd to getattr on all fs- Allow xdm to create /var/gdm with correct labeling- Add label for snapper.log- Allow fail2ban-client to read apache log files- Allow thumb_t to execute dbus-daemon in thumb_t
* Mon Jan 27 2014 Miroslav Grepl 3.12.1-121- Allow gdm to create /var/gdm with correct labeling- Allow domains to append rkhunterl lib files. #1057982- Allow systemd_tmpfiles_t net_admin to communicate with journald- Add interface to getattr on an isid_type for any type of file- Update libs_filetrans_named_content() to have support for /usr/lib/debug directory- Allow initrc_t domtrans to authconfig if unconfined is enabled- Allow docker and mount on devpts chr_file- Allow docker to transition to unconfined_t if boolean set- init calling needs to be optional in domain.te- Allow uncofined domain types to handle transient unit files- Fix labeling for vfio devices- Allow net_admin capability and send system log msgs- Allow lldpad send dgram to NM- Add networkmanager_dgram_send()- rkhunter_var_lib_t is correct type- Back port pcp policy from rawhide- Allow openlmi-storage to read removable devices- Allow system cron jobs to manage rkhunter lib files- Add rkhunter_manage_lib_files()- Fix ftpd_use_fusefs boolean to allow manage also symlinks- Allow smbcontrob block_suspend cap2- Allow slpd to read network and system state info- Allow NM domtrans to iscsid_t if iscsiadm is executed- Allow slapd to send a signal itself- Allow sslget running as pki_ra_t to contact port 8443, the secure port of the CA.- Fix plymouthd_create_log() interface- Add rkhunter policy with files type definition for /var/lib/rkhunter until it is fixed in rkhunter package- Add mozilla_plugin_exec_t for /usr/lib/firefox/plugin-container- Allow postfix and cyrus-imapd to work out of box- Allow fcoemon to talk with unpriv user domain using unix_stream_socket- Dontaudit domains that are calling into journald to net_admin- Add rules to allow vmtools to do what it does- snapperd is D-Bus service- Allow OpenLMI PowerManagement to call \'systemctl --force reboot\'- Add haproxy_connect_any boolean- Allow haproxy also to use http cache port by defaultResolves:#1058248
* Tue Jan 21 2014 Miroslav Grepl 3.12.1-120- Allow apache to write to the owncloud data directory in /var/www/html...- Allow consolekit to create log dir- Add support for icinga CGI scripts- Add support for icinga- Allow kdumpctl_t to create kdump lock fileResolves:#1055634- Allow kdump to create lnk lock file- Allow nscd_t block_suspen capability- Allow unconfined domain types to manage own transient unit file- Allow systemd domains to handle transient init unit files- Add interfaces to handle transient
* Mon Jan 20 2014 Miroslav Grepl 3.12.1-119- Add cron unconfined role support for uncofined SELinux user- Call corenet_udp_bind_all_ports() in milter.te- Allow fence_virtd to connect to zented port- Fix header for mirrormanager_admin()- Allow dkim-milter to bind udp ports- Allow milter domains to send signull itself- Allow block_suspend for yum running as mock_t- Allow beam.smp to manage couchdb files- Add couchdb_manage_files()- Add labeling for /var/log/php_errors.log- Allow bumblebee to stream connect to xserver- Allow bumblebee to send a signal to xserver- gnome-thumbnail to stream connect to bumblebee- Allow xkbcomp running as bumblebee_t to execute bin_t- Allow logrotate to read squid.conf- Additional rules to get docker and lxc to play well with SELinux- Allow bumbleed to connect to xserver port- Allow pegasus_openlmi_storage_t to read hwdata
* Thu Jan 16 2014 Miroslav Grepl 3.12.1-118- Allow init_t to work on transitient and snapshot unit files- Add logging_manage_syslog_config()- Update sysnet_dns_name_resolve() to allow connect to dnssec por- Allow pegasus_openlmi_storage_t to read hwdataResolves:#1031721- Fix rhcs_rw_cluster_tmpfs()- Allow fenced_t to bind on zented udp port- Added policy for vmtools- Fix mirrormanager_read_lib_files()- Allow mirromanager scripts running as httpd_t to manage mirrormanager pid files- Allow ctdb to create sock files in /var/run/ctdb- Add sblim_filetrans_named_content() interface- Allow rpm scritplets to create /run/gather with correct labeling- Allow gnome keyring domains to create gnome config dirs- Dontaudit read/write to init stream socket for lsmd_plugin_t- Allow automount to read nfs link files- Allow lsm plugins to read/write lsmd stream socket- Allow certmonger to connect ldap port to make IPA CA certificate renewal working.- Add also labeling for /var/run/ctdb- Add missing labeling for /var/lib/ctdb- ALlow tuned to manage syslog.conf. Should be fixed in tuned. #1030446- Dontaudit hypervkvp to search homedirs- Dontaudit hypervkvp to search admin homedirs- Allow hypervkvp to execute bin_t and ifconfig in the caller domain- Dontaudit xguest_t to read ABRT conf files- Add abrt_dontaudit_read_config()- Allow namespace-init to getattr on fs- Add thumb_role() also for xguest- Add filename transitions to create .spamassassin with correct labeling- Allow apache domain to read mirrormanager pid files- Allow domains to read/write shm and sem owned by mozilla_plugin_t- Allow alsactl to send a generic signal to kernel_t
* Tue Jan 14 2014 Miroslav Grepl 3.12.1-117- Add back rpm_run() for unconfined user
* Tue Jan 14 2014 Miroslav Grepl 3.12.1-116- Add missing files_create_var_lib_dirs()- Fix typo in ipsec.te- Allow passwd to create directory in /var/lib- Add filename trans also for event21- Allow iptables command to read /dev/rand- Add sigkill capabilityfor ipsec_t- Add filename transitions for bcache devices- Add additional rules to create /var/log/cron by syslogd_t with correct labeling- Add give everyone full access to all key rings- Add default lvm_var_run_t label for /var/run/multipathd- Fix log labeling to have correct default label for them after logrotate- Labeled ~/.nv/GLCache as being gstreamer output- Allow nagios_system_plugin to read mrtg lib files- Add mrtg_read_lib_files()- Call rhcs_rw_cluster_tmpfs for dlm_controld- Make authconfing as named_filetrans domain- Allow virsh to connect to user process using stream socket- Allow rtas_errd to read rand/urand devices and add chown capability- Fix labeling from /var/run/net-snmpd to correct /var/run/net-snmpResolves:#1051497- Add also chown cap for abrt_upload_watch_t. It already has dac_override- Allow sosreport to manage rhsmcertd pid files- Add rhsmcertd_manage_pid_files()- Allow also setgid cap for rpc.gssd- Dontaudit access check for abrt on cert_t- Allow pegasus_openlmi_system providers to dbus chat with systemd-logind
* Fri Jan 10 2014 Miroslav Grepl 3.12.1-115- Fix semanage import handling in spec file
* Fri Jan 10 2014 Miroslav Grepl 3.12.1-114- Add default lvm_var_run_t label for /var/run/multipathdResolves:#1051430- Fix log labeling to have correct default label for them after logrotate- Add files_write_root_dirs- Add new openflow port label for 6653/tcp and 6633/tcp- Add xserver_manage_xkb_libs()- Label tcp/8891 as milter por- Allow gnome_manage_generic_cache_files also create cache_home_t files- Fix aide.log labeling- Fix log labeling to have correct default label for them after logrotate- Allow mysqld-safe write access on /root to make mysqld working- Allow sosreport domtrans to prelikn- Allow OpenvSwitch to connec to openflow ports- Allow NM send dgram to lldpad- Allow hyperv domains to execute shell- Allow lsmd plugins stream connect to lsmd/init- Allow sblim domains to create /run/gather with correct labeling- Allow httpd to read ldap certs- Allow cupsd to send dbus msgs to process with different MLS level- Allow bumblebee to stream connect to apmd- Allow bumblebee to run xkbcomp- Additional allow rules to get libvirt-lxc containers working with docker- Additional allow rules to get libvirt-lxc containers working with docker- Allow docker to getattr on itself- Additional rules needed for sandbox apps- Allow mozilla_plugin to set attributes on usb device if use_spice boolean enabled- httpd should be able to send signal/signull to httpd_suexec_t- Add more fixes for neturon. Domtrans to dnsmasq, iptables. Make neutron as filenamtrans domain.
* Wed Jan 08 2014 Miroslav Grepl 3.12.1-113- Add neutron fixes
* Mon Jan 06 2014 Miroslav Grepl 3.12.1-112- Allow sshd to write to all process levels in order to change passwd when running at a level- Allow updpwd_t to downgrade /etc/passwd file to s0, if it is not running with this range- Allow apcuspd_t to status and start the power unit file- Allow udev to manage kdump unit file- Added new interface modutils_dontaudit_exec_insmod- Allow cobbler to search dhcp_etc_t directory- systemd_systemctl needs sys_admin capability- Allow sytemd_tmpfiles_t to delete all directories- passwd to create gnome-keyring passwd socket- Add missing zabbix_var_lib_t type- Fix filename trans for zabbixsrv in zabbix.te- Allow fprintd_t to send syslog messages- Add zabbix_var_lib_t for /var/lib/zabbixsrv, also allow zabix to connect to smtp port- Allow mozilla plugin to chat with policykit, needed for spice- Allow gssprozy to change user and gid, as well as read user keyrings- Label upgrades directory under /var/www as httpd_sys_rw_content_t, add other filetrans rules to label content correctly- Allow polipo to connect to http_cache_ports- Allow cron jobs to manage apache var lib content- Allow yppassword to manage the passwd_file_t- Allow showall_t to send itself signals- Allow cobbler to restart dhcpc, dnsmasq and bind services- Allow certmonger to manage home cert files- Add userdom filename trans for user mail domains- Allow apcuspd_t to status and start the power unit file- Allow cgroupdrulesengd to create content in cgoups directories- Allow smbd_t to signull cluster- Allow gluster daemon to create fifo files in glusterd_brick_t and sock_file in glusterd_var_lib_t- Add label for /var/spool/cron.aquota.user- Allow sandbox_x domains to use work with the mozilla plugin semaphore- Added new policy for speech-dispatcher- Added dontaudit rule for insmod_exec_t in rasdaemon policy- Updated rasdaemon policy- Allow system_mail_t to transition to postfix_postdrop_t- Clean up mirrormanager policy- Allow virt_domains to read cert files, needs backport to RHEL7- Allow sssd to read systemd_login_var_run_t- Allow irc_t to execute shell and bin-t files:- Add new access for mythtv- Allow rsync_t to manage all non auth files- allow modemmanger to read /dev/urand- Allow sandbox apps to attempt to set and get capabilties
* Thu Dec 19 2013 Miroslav Grepl 3.12.1-111- Add labeling for /var/lib/servicelog/servicelog.db-journal- Add support for freeipmi port- Add sysadm_u_default_contexts- Make new type to texlive files in homedir- Allow subscription-manager running as sosreport_t to manage rhsmcertd- Additional fixes for docker.te- Remove ability to do mount/sys_admin by default in virt_sandbox domains- New rules required to run docker images within libivrt- Add label for ~/.cvsignore- Change mirrormanager to be run by cron- Add mirrormanager policy- Fixed bumblebee_admin() and mip6d_admin()- Add log support for sensord- Fix typo in docker.te- Allow amanda to do backups over UDP- Allow bumblebee to read /etc/group and clean up bumblebee.te- type transitions with a filename not allowed inside conditionals- Don\'t allow virt-sandbox tools to use netlink out of the box, needs back port to RHEL7- Make new type to texlive files in homedir
* Thu Dec 12 2013 Miroslav Grepl 3.12.1-110- Allow freeipmi_ipmidetectd_t to use freeipmi port- Update freeipmi_domain_template()- Allow journalctl running as ABRT to read /run/log/journal- Allow NM to read dispatcher.d directory- Update freeipmi policy- Type transitions with a filename not allowed inside conditionals- Allow tor to bind to hplip port- Make new type to texlive files in homedir- Allow zabbix_agent to transition to dmidecode- Add rules for docker- Allow sosreport to send signull to unconfined_t- Add virt_noatsecure and virt_rlimitinh interfaces- Fix labeling in thumb.fc to add support for /usr/lib64/tumbler-1/tumblerddd support for freeipmi port- Add sysadm_u_default_contexts- Add logging_read_syslog_pid()- Fix userdom_manage_home_texlive() interface- Make new type to texlive files in homedir- Add filename transitions for /run and /lock links- Allow virtd to inherit rlimit informationResolves:#975358
* Tue Dec 10 2013 Miroslav Grepl 3.12.1-109- Change labeling for /usr/libexec/nm-dispatcher.action to NetworkManager_exec_tResolves:#1039879- Add labeling for /usr/lib/systemd/system/mariadb.service- Allow hyperv_domain to read sysfs- Fix ldap_read_certs() interface to allow acess also link files- Add support for /usr/libexec/pegasus/cmpiLMI_Journald-cimprovagt- Allow tuned to run modprobe- Allow portreserve to search /var/lib/sss dir- Add SELinux support for the teamd package contains team network device control daemon.- Dontaudit access check on /proc for bumblebee- Bumblebee wants to load nvidia modules- Fix rpm_named_filetrans_log_files and wine.te- Add conman policy for rawhide- DRM master and input event devices are used by the TakeDevice API- Clean up bumblebee policy- Update pegasus_openlmi_storage_t policy- Add freeipmi_stream_connect() interface- Allow logwatch read madm.conf to support RAID setup- Add raid_read_conf_files() interface- Allow up2date running as rpm_t create up2date log file with rpm_log_t labeling- add rpm_named_filetrans_log_files() interface- Allow dkim-milter to create files/dirs in /tmp- update freeipmi policy- Add policy for freeipmi services- Added rdisc_admin and rdisc_systemctl interfaces- opensm policy clean up- openwsman policy clean up- ninfod policy clean up- Added new policy for ninfod- Added new policy for openwsman- Added rdisc_admin and rdisc_systemctl interfaces- Fix kernel_dontaudit_access_check_proc()- Add support for /dev/uhid- Allow sulogin to get the attributes of initctl and sys_admin cap- Add kernel_dontaudit_access_check_proc()- Fix dev_rw_ipmi_dev()- Fix new interface in devices.if- DRM master and input event devices are used by the TakeDevice API- add dev_rw_inherited_dri() and dev_rw_inherited_input_dev()- Added support for default conman port- Add interfaces for ipmi devices
* Wed Dec 04 2013 Miroslav Grepl 3.12.1-108- Allow sosreport to send a signal to ABRT- Add proper aliases for pegasus_openlmi_service_exec_t and pegasus_openlmi_service_t- Label /usr/sbin/htcacheclean as httpd_exec_tResolves:#1037529- Added support for rdisc unit file- Add antivirus_db_t labeling for /var/lib/clamav-unofficial-sigs- Allow runuser running as logrotate connections to system DBUS- Label bcache devices as fixed_disk_device_t- Allow systemctl running in ipsec_mgmt_t to access /usr/lib/systemd/system/ipsec.service- Label /usr/lib/systemd/system/ipsec.service as ipsec_mgmt_unit_file_t
* Mon Dec 02 2013 Miroslav Grepl 3.12.1-107- Add back setpgid/setsched for sosreport_t
* Mon Dec 02 2013 Dan Walsh 3.12.1-106- Added fix for clout_init to transition to rpm_script_t (dwalshAATTredhat.com)
* Tue Nov 26 2013 Miroslav Grepl 3.12.1-105- Dontaudit openshift domains trying to use rawip_sockets, this is caused by a bad check in the kernel.- Allow git_system_t to read git_user_content if the git_system_enable_homedirs boolean is turned on- Add lsmd_plugin_t for lsm plugins- Allow dovecot-deliver to search mountpoints- Add labeling for /etc/mdadm.conf- Allow opelmi admin providers to dbus chat with init_t- Allow sblim domain to read /dev/urandom and /dev/random- Allow apmd to request the kernel load modules- Add glusterd_brick_t type- label mate-keyring-daemon with gkeyringd_exec_t- Add plymouthd_create_log()- Dontaudit leaks from openshift domains into mail domains, needs back port to RHEL6- Allow sssd to request the kernel loads modules- Allow gpg_agent to use ssh-add- Allow gpg_agent to use ssh-add- Dontaudit access check on /root for myslqd_safe_t- Allow ctdb to getattr on al filesystems- Allow abrt to stream connect to syslog- Allow dnsmasq to list dnsmasq.d directory- Watchdog opens the raw socket- Allow watchdog to read network state info- Dontaudit access check on lvm lock dir- Allow sosreport to send signull to setroubleshootd- Add setroubleshoot_signull() interface- Fix ldap_read_certs() interface- Allow sosreport all signal perms- Allow sosreport to run systemctl- Allow sosreport to dbus chat with rpm- Add glusterd_brick_t files type- Allow zabbix_agentd to read all domain state- Clean up rtas.if- Allow smoltclient to execute ldconfig- Allow sosreport to request the kernel to load a module- Fix userdom_confined_admin_template()- Add back exec_content boolean for secadm, logadm, auditadm- Fix files_filetrans_system_db_named_files() interface- Allow sulogin to getattr on /proc/kcore- Add filename transition also for servicelog.db-journal- Add files_dontaudit_access_check_root()- Add lvm_dontaudit_access_check_lock() interface
* Thu Nov 21 2013 Miroslav Grepl 3.12.1-104- Allow watchdog to read /etc/passwd- Allow browser plugins to connect to bumblebee- New policy for bumblebee and freqset- Add new policy for mip6d daemon- Add new policy for opensm daemon- Allow condor domains to read/write condor_master udp_socket- Allow openshift_cron_t to append to openshift log files, label /var/log/openshift- Add back file_pid_filetrans for /var/run/dlm_controld- Allow smbd_t to use inherited tmpfs content- Allow mcelog to use the /dev/cpu device- sosreport runs rpcinfo- sosreport runs subscription-manager- Allow staff_t to run frequency command- Allow systemd_tmpfiles to relabel log directories- Allow staff_t to read xserver_log file- Label hsperfdata_root as tmp_t
* Wed Nov 20 2013 Miroslav Grepl 3.12.1-103- More sosreport fixes to make ABRT working
* Fri Nov 15 2013 Miroslav Grepl 3.12.1-102- Fix files_dontaudit_unmount_all_mountpoints()- Add support for 2608-2609 tcp/udp ports- Should allow domains to lock the terminal device- More fixes for user config files to make crond_t running in userdomain- Add back disable/reload/enable permissions for system class- Fix manage_service_perms macro- We need to require passwd rootok- Fix zebra.fc- Fix dnsmasq_filetrans_named_content() interface- Allow all sandbox domains create content in svirt_home_t- Allow zebra domains also create zebra_tmp_t files in /tmp- Add support for new zebra services:isisd,babeld. Add systemd support for zebra services.- Fix labeling on neutron and remove transition to iconfig_t- abrt needs to read mcelog log file- Fix labeling on dnsmasq content- Fix labeling on /etc/dnsmasq.d- Allow glusterd to relabel own lib files- Allow sandbox domains to use pam_rootok, and dontaudit attempts to unmount file systems, this is caused by a bug in systemd- Allow ipc_lock for abrt to run journalctl
* Thu Nov 14 2013 Miroslav Grepl 3.12.1-101- Fix config.tgz
* Tue Nov 12 2013 Miroslav Grepl 3.12.1-100- Fix passenger_stream_connect interface- setroubleshoot_fixit wants to read network state- Allow procmail_t to connect to dovecot stream sockets- Allow cimprovagt service providers to read network states- Add labeling for /var/run/mariadb- pwauth uses lastlog() to update system\'s lastlog- Allow account provider to read login records- Add support for texlive2013- More fixes for user config files to make crond_t running in userdomain- Add back disable/reload/enable permissions for system class- Fix manage_service_perms macro- Allow passwd_t to connect to gnome keyring to change password- Update mls config files to have cronjobs in the user domains- Remove access checks that systemd does not actually do
* Fri Nov 08 2013 Miroslav Grepl 3.12.1-99- Add support for yubikey in homedir- Add support for upd/3052 port- Allow apcupsd to use PowerChute Network Shutdown- Allow lsmd to execute various lsmplugins- Add labeling also for /etc/watchdog\\.d where are watchdog scripts located too- Update gluster_export_all_rw boolean to allow relabel all base file types- Allow x86_energy_perf tool to modify the MSR- Fix /var/lib/dspam/data labeling
* Wed Nov 06 2013 Miroslav Grepl 3.12.1-98- Add files_relabel_base_file_types() interface- Allow netlabel-config to read passwd- update gluster_export_all_rw boolean to allow relabel all base file types caused by lsetxattr()- Allow x86_energy_perf tool to modify the MSR- Fix /var/lib/dspam/data labeling- Allow pegasus to domtrans to mount_t- Add labeling for unconfined scripts in /usr/libexec/watchdog/scripts- Add support for unconfined watchdog scripts- Allow watchdog to manage own log files
* Wed Nov 06 2013 Miroslav Grepl 3.12.1-97- Add label only for redhat.repo instead of /etc/yum.repos.d. But probably we will need to switch for the directory.- Label /etc/yum.repos.d as system_conf_t- Use sysnet_filetrans_named_content in udev.te instead of generic transition for net_conf_t- Allow dac_override for sysadm_screen_t- Allow init_t to read ipsec_conf_t as we had it for initrc_t. Needed by ipsec unit file.- Allow netlabel-config to read meminfo- Add interface to allow docker to mounton file_t- Add new interface to exec unlabeled files- Allow lvm to use docker semaphores- Setup transitons for .xsessions-errors.old- Change labels of files in /var/lib/
*/.ssh to transition properly- Allow staff_t and user_t to look at logs using journalctl- pluto wants to manage own log file- Allow pluto running as ipsec_t to create pluto.log- Fix alias decl in corenetwork.te.in- Add support for fuse.glusterfs- Allow dmidecode to read/write /run/lock/subsys/rhsmcertd- Allow rhsmcertd to manage redhat.repo which is now labeled as system.conf. Allow rhsmcertd to manage all log files.- Additional access for docker- Added more rules to sblim policy- Fix kdumpgui_run_bootloader boolean- Allow dspam to connect to lmtp port- Included sfcbd service into sblim policy- rhsmcertd wants to manaage /etc/pki/consumer dir- Add kdumpgui_run_bootloader boolean- Add support for /var/cache/watchdog- Remove virt_domain attribute for virt_qemu_ga_unconfined_t- Fixes for handling libvirt containes- Dontaudit attempts by mysql_safe to write content into /- Dontaudit attempts by system_mail to modify network config- Allow dspam to bind to lmtp ports- Add new policy to allow staff_t and user_t to look at logs using journalctl- Allow apache cgi scripts to list sysfs- Dontaudit attempts to write/delete user_tmp_t files- Allow all antivirus domains to manage also own log dirs- Allow pegasus_openlmi_services_t to stream connect to sssd_t
* Fri Nov 01 2013 Miroslav Grepl 3.12.1-96- Add missing permission checks for nscd
* Wed Oct 30 2013 Miroslav Grepl 3.12.1-95- Fix alias decl in corenetwork.te.in- Add support for fuse.glusterfs- Add file transition rules for content created by f5link- Rename quantum_port information to neutron- Allow all antivirus domains to manage also own log dirs- Rename quantum_port information to neutron- Allow pegasus_openlmi_services_t to stream connect to sssd_t
* Mon Oct 28 2013 Miroslav Grepl 3.12.1-94- Allow sysadm_t to read login information- Allow systemd_tmpfiles to setattr on var_log_t directories- Udpdate Makefile to include systemd_contexts- Add systemd_contexts- Add fs_exec_hugetlbfs_files() interface- Add daemons_enable_cluster_mode boolean- Fix rsync_filetrans_named_content()- Add rhcs_read_cluster_pid_files() interface- Update rhcs.if with additional interfaces from RHEL6- Fix rhcs_domain_template() to not create run dirs with cluster_var_run_t- Allow glusterd_t to mounton glusterd_tmp_t- Allow glusterd to unmout al filesystems- Allow xenstored to read virt config- Add label for swift_server.lock and make add filetrans_named_content to make sure content gets created with the correct label- Allow mozilla_plugin_t to mmap hugepages as an executable
* Thu Oct 24 2013 Miroslav Grepl 3.12.1-94- Add back userdom_security_admin_template() interface and use it for sysadm_t if sysadm_secadm.pp
* Tue Oct 22 2013 Miroslav Grepl 3.12.1-93- Allow sshd_t to read openshift content, needs backport to RHEL6.5- Label /usr/lib64/sasl2/libsasldb.so.3.0.0 as textrel_shlib_t- Make sur kdump lock is created with correct label if kdumpctl is executed- gnome interface calls should always be made within an optional_block- Allow syslogd_t to connect to the syslog_tls port- Add labeling for /var/run/charon.ctl socket- Add kdump_filetrans_named_content()- Allo setpgid for fenced_t- Allow setpgid and r/w cluster tmpfs for fenced_t- gnome calls should always be within optional blocks- wicd.pid should be labeled as networkmanager_var_run_t- Allow sys_resource for lldpad
* Thu Oct 17 2013 Miroslav Grepl 3.12.1-92- Add rtas policy
* Thu Oct 17 2013 Miroslav Grepl 3.12.1-91- Allow mailserver_domains to manage and transition to mailman data- Dontaudit attempts by mozilla plugin to relabel content, caused by using mv and cp commands- Allow mailserver_domains to manage and transition to mailman data- Allow svirt_domains to read sysctl_net_t- Allow thumb_t to use tmpfs inherited from the user- Allow mozilla_plugin to bind to the vnc port if running with spice- Add new attribute to discover confined_admins and assign confined admin to it- Fix zabbix to handle attributes in interfaces- Fix zabbix to read system states for all zabbix domains- Fix piranha_domain_template()- Allow ctdbd to create udp_socket. Allow ndmbd to access ctdbd var files.- Allow lldpad sys_rouserce cap due to #986870- Allow dovecot-auth to read nologin- Allow openlmi-networking to read /proc/net/dev- Allow smsd_t to execute scripts created on the fly labeled as smsd_spool_t- Add zabbix_domain attribute for zabbix domains to treat them together- Add labels for zabbix-poxy-
* (#1018221)- Update openlmi-storage policy to reflect #1015067- Back port piranha tmpfs fixes from RHEL6- Update httpd_can_sendmail boolean to allow read/write postfix spool maildrop- Add postfix_rw_spool_maildrop_files interface- Call new userdom_admin_user_templat() also for sysadm_secadm.pp- Fix typo in userdom_admin_user_template()- Allow SELinux users to create coolkeypk11sE-Gate in /var/cache/coolkey- Add new attribute to discover confined_admins- Fix labeling for /etc/strongswan/ipsec.d- systemd_logind seems to pass fd to anyone who dbus communicates with it- Dontaudit leaked write descriptor to dmesg
* Mon Oct 14 2013 Miroslav Grepl 3.12.1-90- Activate motion policy
* Mon Oct 14 2013 Miroslav Grepl 3.12.1-89- Fix gnome_read_generic_data_home_files()- allow openshift_cgroup_t to read/write inherited openshift file types- Remove httpd_cobbler_content
* from cobbler_admin interface- Allow svirt sandbox domains to setattr on chr_file and blk_file svirt_sandbox_file_t, so sshd will work within a container- Allow httpd_t to read also git sys content symlinks- Allow init_t to read gnome home data- Dontaudit setroubleshoot_fixit_t execmem, since it does not seem to really need it.- Allow virsh to execute systemctl- Fix for nagios_services plugins- add type defintion for ctdbd_var_t- Add support for /var/ctdb. Allow ctdb block_suspend and read /etc/passwd file- Allow net_admin/netlink_socket all hyperv_domain domains- Add labeling for zarafa-search.log and zarafa-search.pid- Fix hypervkvp.te- Fix nscd_shm_use()- Add initial policy for /usr/sbin/hypervvssd in hypervkvp policy which should be renamed to hyperv. Also add hyperv_domain attribute to treat these HyperV services.- Add hypervkvp_unit_file_t type- Fix logging policy- Allow syslog to bind to tls ports- Update labeling for /dev/cdc-wdm- Allow to su_domain to read init states- Allow init_t to read gnome home data- Make sure if systemd_logind creates nologin file with the correct label- Clean up ipsec.te
* Tue Oct 08 2013 Miroslav Grepl 3.12.1-88- Add auth_exec_chkpwd interface- Fix port definition for ctdb ports- Allow systemd domains to read /dev/urand- Dontaudit attempts for mozilla_plugin to append to /dev/random- Add label for /var/run/charon.
*- Add labeling for /usr/lib/systemd/system/lvm2.
*dd policy for motion service- Fix for nagios_services plugins- Fix some bugs in zoneminder policy- add type defintion for ctdbd_var_t- Add support for /var/ctdb. Allow ctdb block_suspend and read /etc/passwd file- Allow net_admin/netlink_socket all hyperv_domain domains- Add labeling for zarafa-search.log and zarafa-search.pid- glusterd binds to random unreserved ports- Additional allow rules found by testing glusterfs- apcupsd needs to send a message to all users on the system so needs to look them up- Fix the label on ~/.juniper_networks- Dontaudit attempts for mozilla_plugin to append to /dev/random- Allow polipo_daemon to connect to flash ports- Allow gssproxy_t to create replay caches- Fix nscd_shm_use()- Add initial policy for /usr/sbin/hypervvssd in hypervkvp policy which should be renamed to hyperv. Also add hyperv_domain attribute to treat these HyperV services.- Add hypervkvp_unit_file_t type
* Fri Oct 04 2013 Miroslav Grepl 3.12.1-87- init reload from systemd_localed_t- Allow domains that communicate with systemd_logind_sessions to use systemd_logind_t fd- Allow systemd_localed_t to ask systemd to reload the locale.- Add systemd_runtime_unit_file_t type for unit files that systemd creates in memory- Allow readahead to read /dev/urand- Fix lots of avcs about tuned- Any file names xenstored in /var/log should be treated as xenstored_var_log_t- Allow tuned to inderact with hugepages- Allow condor domains to list etc rw dirs
* Fri Oct 04 2013 Miroslav Grepl 3.12.1-86- Fix nscd_shm_use()- Add initial policy for /usr/sbin/hypervvssd in hypervkvp policy which should be renamed to hyperv. Also add hyperv_domain attribute to treat these HyperV services.- Add hypervkvp_unit_file_t type- Add additional fixes forpegasus_openlmi_account_t- Allow mdadm to read /dev/urand- Allow pegasus_openlmi_storage_t to create mdadm.conf and write it- Add label/rules for /etc/mdadm.conf- Allow pegasus_openlmi_storage_t to transition to fsadm_t- Fixes for interface definition problems- Dontaudit dovecot-deliver to gettatr on all fs dirs- Allow domains to search data_home_t directories- Allow cobblerd to connect to mysql- Allow mdadm to r/w kdump lock files- Add support for kdump lock files- Label zarafa-search as zarafa-indexer- Openshift cgroup wants to read /etc/passwd- Add new sandbox domains for kvm- Allow mpd to interact with pulseaudio if mpd_enable_homedirs is turned on- Fix labeling for /usr/lib/systemd/system/lvm2.
*- Add labeling for /usr/lib/systemd/system/lvm2.
*- Fix typos to get a new build. We should not cover filename trans rules to prevent duplicate rules- Add sshd_keygen_t policy for sshd-keygen- Fix alsa_home_filetrans interface name and definition- Allow chown for ssh_keygen_t- Add fs_dontaudit_getattr_all_dirs()- Allow init_t to manage etc_aliases_t and read xserver_var_lib_t and chrony keys- Fix up patch to allow systemd to manage home content- Allow domains to send/recv unlabeled traffic if unlabelednet.pp is enabled- Allow getty to exec hostname to get info- Add systemd_home_t for ~/.local/share/systemd directory
* Wed Oct 02 2013 Miroslav Grepl 3.12.1-85- Fix lxc labels in config.tgz
* Mon Sep 30 2013 Miroslav Grepl 3.12.1-84- Fix labeling for /usr/libexec/kde4/kcmdatetimehelper- Allow tuned to search all file system directories- Allow alsa_t to sys_nice, to get top performance for sound management- Add support for MySQL/PostgreSQL for amavis- Allow openvpn_t to manage openvpn_var_log_t files.- Allow dirsrv_t to create tmpfs_t directories- Allow dirsrv to create dirs in /dev/shm with dirsrv_tmpfs label- Dontaudit leaked unix_stream_sockets into gnome keyring- Allow telepathy domains to inhibit pipes on telepathy domains- Allow cloud-init to domtrans to rpm- Allow abrt daemon to manage abrt-watch tmp files- Allow abrt-upload-watcher to search /var/spool directory- Allow nsswitch domains to manage own process key- Fix labeling for mgetty.
* logs- Allow systemd to dbus chat with upower- Allow ipsec to send signull to itself- Allow setgid cap for ipsec_t- Match upstream labeling
* Wed Sep 25 2013 Miroslav Grepl 3.12.1-83- Do not build sanbox pkg on MLS
* Wed Sep 25 2013 Miroslav Grepl 3.12.1-82- wine_tmp is no longer needed- Allow setroubleshoot to look at /proc- Allow telepathy domains to dbus with systemd logind- Fix handling of fifo files of rpm- Allow mozilla_plugin to transition to itself- Allow certwatch to write to cert_t directories- New abrt application- Allow NetworkManager to set the kernel scheduler- Make wine_domain shared by all wine domains- Allow mdadm_t to read images labeled svirt_image_t- Allow amanda to read /dev/urand- ALlow my_print_default to read /dev/urand- Allow mdadm to write to kdumpctl fifo files- Allow nslcd to send signull to itself- Allow yppasswd to read /dev/urandom- Fix zarafa_setrlimit- Add support for /var/lib/php/wsdlcache- Add zarafa_setrlimit boolean- Allow fetchmail to send mails- Add additional alias for user_tmp_t because wine_tmp_t is no longer used- More handling of ther kernel keyring required by kerberos- New privs needed for init_t when running without transition to initrc_t over bin_t, and without unconfined domain installed
* Thu Sep 19 2013 Miroslav Grepl 3.12.1-81- Dontaudit attempts by sosreport to read shadow_t- Allow browser sandbox plugins to connect to cups to print- Add new label mpd_home_t- Label /srv/www/logs as httpd_log_t- Add support for /var/lib/php/wsdlcache- Add zarafa_setrlimit boolean- Allow fetchmail to send mails- Add labels for apache logs under miq package- Allow irc_t to use tcp sockets- fix labels in puppet.if- Allow tcsd to read utmp file- Allow openshift_cron_t to run ssh-keygen in ssh_keygen_t to access host keys- Define svirt_socket_t as a domain_type- Take away transition from init_t to initrc_t when executing bin_t, allow init_t to run chk_passwd_t- Fix label on pam_krb5 helper apps
* Thu Sep 12 2013 Miroslav Grepl 3.12.1-80- Allow ldconfig to write to kdumpctl fifo files- allow neutron to connect to amqp ports- Allow kdump_manage_crash to list the kdump_crash_t directory- Allow glance-api to connect to amqp port- Allow virt_qemu_ga_t to read meminfo- Add antivirus_home_t type for antivirus date in HOMEDIRS- Allow mpd setcap which is needed by pulseaudio- Allow smbcontrol to create content in /var/lib/samba- Allow mozilla_exec_t to be used as a entrypoint to mozilla_domtrans_spec- Add additional labeling for qemu-ga/fsfreeze-hook.d scripts- amanda_exec_t needs to be executable file- Allow block_suspend cap for samba-net- Allow apps that read ipsec_mgmt_var_run_t to search ipsec_var_run_t- Allow init_t to run crash utility- Treat usr_t just like bin_t for transitions and executions- Add port definition of pka_ca to port 829 for openshift- Allow selinux_store to use symlinks
* Mon Sep 09 2013 Miroslav Grepl 3.12.1-79- Allow block_suspend cap for samba-net- Allow t-mission-control to manage gabble cache files- Allow nslcd to read /sys/devices/system/cpu- Allow selinux_store to use symlinks
* Mon Sep 09 2013 Miroslav Grepl 3.12.1-78- Allow xdm_t to transition to itself- Call neutron interfaces instead of quantum- Allow init to change targed role to make uncofined services (xrdp which now has own systemd unit file) working. We want them to have in unconfined_t- Make sure directories in /run get created with the correct label- Make sure /root/.pki gets created with the right label- try to remove labeling for motion from zoneminder_exec_t to bin_t- Allow inetd_t to execute shell scripts- Allow cloud-init to read all domainstate- Fix to use quantum port- Add interface netowrkmanager_initrc_domtrans- Fix boinc_execmem- Allow t-mission-control to read gabble cache home- Add labeling for ~/.cache/telepathy/avatars/gabble- Allow memcache to read sysfs data- Cleanup antivirus policy and add additional fixes- Add boolean boinc_enable_execstack- Add support for couchdb in rabbitmq policy- Add interface couchdb_search_pid_dirs- Allow firewalld to read NM state- Allow systemd running as git_systemd to bind git port- Fix mozilla_plugin_rw_tmpfs_files()
* Thu Sep 05 2013 Miroslav Grepl 3.12.1-77- Split out rlogin ports from inetd- Treat files labeld as usr_t like bin_t when it comes to transitions- Allow staff_t to read login config- Allow ipsec_t to read .google authenticator data- Allow systemd running as git_systemd to bind git port- Fix mozilla_plugin_rw_tmpfs_files()- Call the correct interface - corenet_udp_bind_ktalkd_port()- Allow all domains that can read gnome_config to read kde config- Allow sandbox domain to read/write mozilla_plugin_tmpfs_t so pulseaudio will work- Allow mdadm to getattr any file system- Allow a confined domain to executes mozilla_exec_t via dbus- Allow cupsd_lpd_t to bind to the printer port- Dontaudit attempts to bind to ports < 1024 when nis is turned on- Allow apache domain to connect to gssproxy socket- Allow rlogind to bind to the rlogin_port- Allow telnetd to bind to the telnetd_port- Allow ktalkd to bind to the ktalkd_port- Allow cvs to bind to the cvs_port
* Wed Sep 04 2013 Miroslav Grepl 3.12.1-76- Cleanup related to init_domain()+inetd_domain fixes- Use just init_domain instead of init_daemon_domain in inetd_core_service_domain- svirt domains neeed to create kobject_uevint_sockets- Lots of new access required for sosreport- Allow tgtd_t to connect to isns ports- Allow init_t to transition to all inetd domains:- openct needs to be able to create netlink_object_uevent_sockets- Dontaudit leaks into ldconfig_t- Dontaudit su domains getattr on /dev devices, move su domains to attribute based calls- Move kernel_stream_connect into all Xwindow using users- Dontaudit inherited lock files in ifconfig o dhcpc_t
* Tue Sep 03 2013 Miroslav Grepl 3.12.1-75- Also sock_file trans rule is needed in lsm- Fix labeling for fetchmail pid files/dirs- Add additional fixes for abrt-upload-watch- Fix polipo.te- Fix transition rules in asterisk policy- Add fowner capability to networkmanager policy- Allow polipo to connect to tor ports- Cleanup lsmd.if- Cleanup openhpid policy- Fix kdump_read_crash() interface- Make more domains as init domain- Fix cupsd.te- Fix requires in rpm_rw_script_inherited_pipes- Fix interfaces in lsm.if- Allow munin service plugins to manage own tmpfs files/dirs- Allow virtd_t also relabel unix stream sockets for virt_image_type- Make ktalk as init domain- Fix to define ktalkd_unit_file_t correctly- Fix ktalk.fc- Add systemd support for talk-server- Allow glusterd to create sock_file in /run- Allow xdm_t to delete gkeyringd_tmp_t files on logout- Add fixes for hypervkvp policy- Add logwatch_can_sendmail boolean- Allow mysqld_safe_t to handle also symlinks in /var/log/mariadb- Allow xdm_t to delete gkeyringd_tmp_t files on logout
* Thu Aug 29 2013 Miroslav Grepl 3.12.1-74- Add selinux-policy-sandbox pkg
* Tue Aug 27 2013 Miroslav Grepl 3.12.1-730 - Allow rhsmcertd to read init state- Allow fsetid for pkcsslotd- Fix labeling for /usr/lib/systemd/system/pkcsslotd.service- Allow fetchmail to create own pid with correct labeling- Fix rhcs_domain_template()- Allow roles which can run mock to read mock lib files to view results- Allow rpcbind to use nsswitch- Fix lsm.if summary- Fix collectd_t can read /etc/passwd file- Label systemd unit files under dracut correctly- Add support for pam_mount to mount user\'s encrypted home When a user logs in and logs out using ssh- Add support for .Xauthority-n- Label umount.crypt as lvm_exec_t- Allow syslogd to search psad lib files- Allow ssh_t to use /dev/ptmx- Make sure /run/pluto dir is created with correct labeling- Allow syslog to run shell and bin_t commands- Allow ip to relabel tun_sockets- Allow mount to create directories in files under /run- Allow processes to use inherited fifo files
* Fri Aug 23 2013 Miroslav Grepl 3.12.1-72- Add policy for lsmd- Add support for /var/log/mariadb dir and allow mysqld_safe to list this directory- Update condor_master rules to allow read system state info and allow logging- Add labeling for /etc/condor and allow condor domain to write it (bug)- Allow condor domains to manage own logs- Allow glusterd to read domains state- Fix initial hypervkvp policy- Add policy for hypervkvpd- Fix redis.if summary
* Wed Aug 21 2013 Miroslav Grepl 3.12.1-71- Allow boinc to connect to AATT/tmp/.X11-unix/X0- Allow beam.smp to connect to tcp/5984- Allow named to manage own log files- Add label for /usr/libexec/dcc/start-dccifd and domtrans to dccifd_t- Add virt_transition_userdomain boolean decl- Allow httpd_t to sendto unix_dgram sockets on its children- Allow nova domains to execute ifconfig- bluetooth wants to create fifo_files in /tmp- exim needs to be able to manage mailman data- Allow sysstat to getattr on all file systems- Looks like bluetoothd has moved- Allow collectd to send ping packets- Allow svirt_lxc domains to getpgid- Remove virt-sandbox-service labeling as virsh_exec_t, since it no longer does virsh_t stuff- Allow frpintd_t to read /dev/urandom- Allow asterisk_t to create sock_file in /var/run- Allow usbmuxd to use netlink_kobject- sosreport needs to getattr on lots of devices, and needs access to netlink_kobject_uevent_socket- More cleanup of svirt_lxc policy- virtd_lxc_t now talks to dbus- Dontaudit leaked ptmx_t- Allow processes to use inherited fifo files- Allow openvpn_t to connect to squid ports- Allow prelink_cron_system_t to ask systemd to reloaddd miscfiles_dontaudit_access_check_cert()- Allow ssh_t to use /dev/ptmx- Make sure /run/pluto dir is created with correct labeling- Allow syslog to run shell and bin_t commands- Allow ip to relabel tun_sockets- Allow mount to create directories in files under /run- Allow processes to use inherited fifo files- Allow user roles to connect to the journal socket
* Thu Aug 08 2013 Miroslav Grepl 3.12.1-70- selinux_set_enforce_mode needs to be used with type- Add append to the dontaudit for unix_stream_socket of xdm_t leak- Allow xdm_t to create symlinks in log direcotries- Allow login programs to read afs config- Label 10933 as a pop port, for dovecot- New policy to allow selinux_server.py to run as semanage_t as a dbus service- Add fixes to make netlabelctl working on MLS- AVCs required for running sepolicy gui as staff_t- Dontaudit attempts to read symlinks, sepolicy gui is likely to cause this type of AVC- New dbus server to be used with new gui- After modifying some files in /etc/mail, I saw this needed on the next boot- Loading a vm from /usr/tmp with virt-manager- Clean up oracleasm policy for Fedora- Add oracleasm policy written by rlopezAATTredhat.com- Make postfix_postdrop_t as mta_agent to allow domtrans to system mail if it is executed by apache- Add label for /var/crash- Allow fenced to domtrans to sanclok_t- Allow nagios to manage nagios spool files- Make tfptd as home_manager- Allow kdump to read kcore on MLS system- Allow mysqld-safe sys_nice/sys_resource caps- Allow apache to search automount tmp dirs if http_use_nfs is enabled- Allow crond to transition to named_t, for use with unbound- Allow crond to look at named_conf_t, for unbound- Allow mozilla_plugin_t to transition its home content- Allow dovecot_domain to read all system and network state- Allow httpd_user_script_t to call getpw- Allow semanage to read pid files- Dontaudit leaked file descriptors from user domain into thumb- Make PAM authentication working if it is enabled in ejabberd- Add fixes for rabbit to fix ##992920,#992931- Allow glusterd to mount filesystems- Loading a vm from /usr/tmp with virt-manager- Trying to load a VM I got an AVC from devicekit_disk for loopcontrol device- Add fix for pand service- shorewall touches own log- Allow nrpe to list /var- Mozilla_plugin_roles can not be passed into lpd_run_lpr- Allow afs domains to read afs_config files- Allow login programs to read afs config- Allow virt_domain to read virt_var_run_t symlinks- Allow smokeping to send its process signals- Allow fetchmail to setuid- Add kdump_manage_crash() interface- Allow abrt domain to write abrt.socket
* Wed Jul 31 2013 Miroslav Grepl 3.12.1-69- Add more aliases in pegasus.te- Add more fixes for
*_admin interfaces- Add interface fixes- Allow nscd to stream connect to nmbd- Allow gnupg apps to write to pcscd socket- Add more fixes for openlmi provides. Fix naming and support for additionals- Allow fetchmail to resolve host names- Allow firewalld to interact also with lnk files labeled as firewalld_etc_rw_t- Add labeling for cmpiLMI_Fan-cimprovagt- Allow net_admin for glusterd- Allow telepathy domain to create dconf with correct labeling in /home/userX/.cache/- Add pegasus_openlmi_system_t- Fix puppet_domtrans_master() to make all puppet calling working in passenger.te- Fix corecmd_exec_chroot()- Fix logging_relabel_syslog_pid_socket interface- Fix typo in unconfineduser.te- Allow system_r to access unconfined_dbusd_t to run hp_chec
* Tue Jul 30 2013 Miroslav Grepl 3.12.1-68- Allow xdm_t to act as a dbus client to itsel- Allow fetchmail to resolve host names- Allow gnupg apps to write to pcscd socket- Add labeling for cmpiLMI_Fan-cimprovagt- Allow net_admin for glusterd- Allow telepathy domain to create dconf with correct labeling in /home/userX/.cache/- Add pegasus_openlmi_system_t- Fix puppet_domtrans_master() to make all puppet calling working in passenger.te-httpd_t does access_check on certs
* Fri Jul 26 2013 Miroslav Grepl 3.12.1-67- Add support for cmpiLMI_Service-cimprovagt- Allow pegasus domtrans to rpm_t to make pycmpiLMI_Software-cimprovagt running as rpm_t- Label pycmpiLMI_Software-cimprovagt as rpm_exec_t- Add support for pycmpiLMI_Storage-cimprovagt- Add support for cmpiLMI_Networking-cimprovagt- Allow system_cronjob_t to create user_tmpfs_t to make pulseaudio working- Allow virtual machines and containers to run as user doains, needed for virt-sandbox- Allow buglist.cgi to read cpu info
* Mon Jul 22 2013 Miroslav Grepl 3.12.1-66- Allow systemd-tmpfile to handle tmp content in print spool dir- Allow systemd-sysctl to send system log messages- Add support for RTP media ports and fmpro-internal- Make auditd working if audit is configured to perform SINGLE action on disk error- Add interfaces to handle systemd units- Make systemd-notify working if pcsd is used- Add support for netlabel and label /usr/sbin/netlabelctl as iptables_exec_t- Instead of having all unconfined domains get all of the named transition rules,- Only allow unconfined_t, init_t, initrc_t and rpm_script_t by default.- Add definition for the salt ports- Allow xdm_t to create link files in xdm_var_run_t- Dontaudit reads of blk files or chr files leaked into ldconfig_t- Allow sys_chroot for useradd_t- Allow net_raw cap for ipsec_t- Allow sysadm_t to reload services- Add additional fixes to make strongswan working with a simple conf- Allow sysadm_t to enable/disable init_t services- Add additional glusterd perms- Allow apache to read lnk files in the /mnt directory- Allow glusterd to ask the kernel to load a module- Fix description of ftpd_use_fusefs boolean- Allow svirt_lxc_net_t to sys_chroot, modify policy to tighten up svirt_lxc_domain capabilties and process controls, but add them to svirt_lxc_net_t- Allow glusterds to request load a kernel module- Allow boinc to stream connect to xserver_t- Allow sblim domains to read /etc/passwd- Allow mdadm to read usb devices- Allow collectd to use ping plugin- Make foghorn working with SNMP- Allow sssd to read ldap certs- Allow haproxy to connect to RTP media ports- Add additional trans rules for aide_db- Add labeling for /usr/lib/pcsd/pcsd- Add labeling for /var/log/pcsd- Add support for pcs which is a corosync and pacemaker configuration tool
* Wed Jul 17 2013 Miroslav Grepl 3.12.1-65- Label /var/lib/ipa/pki-ca/publish as pki_tomcat_cert_t- Add labeling for /usr/libexec/kde4/polkit-kde-authentication-agent-1- Allow all domains that can domtrans to shutdown, to start the power services script to shutdown- consolekit needs to be able to shut down system- Move around interfaces- Remove nfsd_rw_t and nfsd_ro_t, they don\'t do anything- Add additional fixes for rabbitmq_beam to allow getattr on mountpoints- Allow gconf-defaults-m to read /etc/passwd- Fix pki_rw_tomcat_cert() interface to support lnk_files
* Fri Jul 12 2013 Miroslav Grepl 3.12.1-64- Add support for gluster ports- Make sure that all keys located in /etc/ssh/ are labeled correctly- Make sure apcuspd lock files get created with the correct label- Use getcap in gluster.te- Fix gluster policy- add additional fixes to allow beam.smp to interact with couchdb files- Additional fix for #974149- Allow gluster to user gluster ports- Allow glusterd to transition to rpcd_t and add additional fixes for #980683- Allow tgtd working when accessing to the passthrough device- Fix labeling for mdadm unit files
* Thu Jul 11 2013 Miroslav Grepl 3.12.1-63- Add mdadm fixes
* Tue Jul 09 2013 Miroslav Grepl 3.12.1-62- Fix definition of sandbox.disabled to sandbox.pp.disabled
* Mon Jul 08 2013 Miroslav Grepl 3.12.1-61- Allow mdamd to execute systemctl- Allow mdadm to read /dev/kvm- Allow ipsec_mgmt_t to read l2tpd pid content
* Mon Jul 08 2013 Miroslav Grepl 3.12.1-60- Allow nsd_t to read /dev/urand- Allow mdadm_t to read framebuffer- Allow rabbitmq_beam_t to read process info on rabbitmq_epmd_t- Allow mozilla_plugin_config_t to create tmp files- Cleanup openvswitch policy- Allow mozilla plugin to getattr on all executables- Allow l2tpd_t to create fifo_files in /var/run- Allow samba to touch/manage fifo_files or sock_files in a samba_share_t directory- Allow mdadm to connecto its own unix_stream_socket- FIXME: nagios changed locations to /log/nagios which is wrong. But we need to have this workaround for now.- Allow apache to access smokeping pid files- Allow rabbitmq_beam_t to getattr on all filesystems- Add systemd support for iodined- Allow nup_upsdrvctl_t to execute its entrypoint- Allow fail2ban_client to write to fail2ban_var_run_t, Also allow it to use nsswitch- add labeling for ~/.cache/libvirt-sandbox- Add interface to allow domains transitioned to by confined users to send sigchld to screen program- Allow sysadm_t to check the system status of files labeled etc_t, /etc/fstab- Allow systemd_localed to start /usr/lib/systemd/system/systemd-vconsole-setup.service- Allow an domain that has an entrypoint from a type to be allowed to execute the entrypoint without a transition, I can see no case where this is a bad thing, and elminiates a whole class of AVCs.- Allow staff to getsched all domains, required to run htop- Add port definition for redis port- fix selinuxuser_use_ssh_chroot boolean
* Wed Jul 03 2013 Miroslav Grepl 3.12.1-59- Add prosody policy written by Michael Scherer- Allow nagios plugins to read /sys info- ntpd needs to manage own log files- Add support for HOME_DIR/.IBMERS- Allow iptables commands to read firewalld config- Allow consolekit_t to read utmp- Fix filename transitions on .razor directory- Add additional fixes to make DSPAM with LDA working- Allow snort to read /etc/passwd- Allow fail2ban to communicate with firewalld over dbus- Dontaudit openshift_cgreoup_file_t read/write leaked dev- Allow nfsd to use mountd port- Call th proper interface- Allow openvswitch to read sys and execute plymouth- Allow tmpwatch to read /var/spool/cups/tmp- Add support for /usr/libexec/telepathy-rakia- Add systemd support for zoneminder- Allow mysql to create files/directories under /var/log/mysql- Allow zoneminder apache scripts to rw zoneminder tmpfs- Allow httpd to manage zoneminder lib files- Add zoneminder_run_sudo boolean to allow to start zoneminder- Allow zoneminder to send mails- gssproxy_t sock_file can be under /var/lib- Allow web domains to connect to whois port.- Allow sandbox_web_type to connect to the same ports as mozilla_plugin_t.- We really need to add an interface to corenet to define what a web_client_domain is and- then define chrome_sandbox_t, mozilla_plugin_t and sandbox_web_type to that domain.- Add labeling for cmpiLMI_LogicalFile-cimprovagt- Also make pegasus_openlmi_logicalfile_t as unconfined to have unconfined_domain attribute for filename trans rules- Update policy rules for pegasus_openlmi_logicalfile_t- Add initial types for logicalfile/unconfined OpenLMI providers- mailmanctl needs to read own log- Allow logwatch manage own lock files- Allow nrpe to read meminfo- Allow httpd to read certs located in pki-ca- Add pki_read_tomcat_cert() interface- Add support for nagios openshift plugins- Add port definition for redis port- fix selinuxuser_use_ssh_chroot boolean
* Fri Jun 28 2013 Miroslav Grepl 3.12.1-58- Shrink the size of policy by moving to attributes, also add dridomain so that mozilla_plugin can follow selinuxuse_dri boolean. - Allow bootloader to manage generic log files - Allow ftp to bind to port 989 - Fix label of new gear directory - Add support for new directory /var/lib/openshift/gears/ - Add openshift_manage_lib_dirs() - allow virtd domains to manage setrans_var_run_t - Allow useradd to manage all openshift content - Add support so that mozilla_plugin_t can use dri devices - Allow chronyd to change the scheduler - Allow apmd to shut downthe system - Devicekit_disk_t needs to manage /etc/fstab
* Wed Jun 26 2013 Miroslav Grepl 3.12.1-57- Make DSPAM to act as a LDA working- Allow ntop to create netlink socket- Allow policykit to send a signal to policykit-auth- Allow stapserver to dbus chat with avahi/systemd-logind- Fix labeling on haproxy unit file- Clean up haproxy policy- A new policy for haproxy and placed it to rhcs.te- Add support for ldirectord and treat it with cluster_t- Make sure anaconda log dir is created with var_log_t
* Mon Jun 24 2013 Miroslav Grepl 3.12.1-56- Allow lvm_t to create default targets for filesystem handling- Fix labeling for razor-lightdm binaries- Allow insmod_t to read any file labeled var_lib_t- Add policy for pesign- Activate policy for cmpiLMI_Account-cimprovagt- Allow isnsd syscall=listen- /usr/libexec/pegasus/cimprovagt needs setsched caused by sched_setscheduler- Allow ctdbd to use udp/4379- gatherd wants sys_nice and setsched- Add support for texlive2012- Allow NM to read file_t (usb stick with no labels used to transfer keys for example)- Allow cobbler to execute apache with domain transition
* Fri Jun 21 2013 Miroslav Grepl 3.12.1-55- condor_collector uses tcp/9000- Label /usr/sbin/virtlockd as virtd_exec_t for now- Allow cobbler to execute ldconfig- Allow NM to execute ssh- Allow mdadm to read /dev/crash- Allow antivirus domains to connect to snmp port- Make amavisd-snmp working correctly- Allow nfsd_t to mounton nfsd_fs_t- Add initial snapper policy- We still need to have consolekit policy- Dontaudit firefox attempting to connect to the xserver_port_t if run within sandbox_web_t- Dontaudit sandbox apps attempting to open user_devpts_t- Allow dirsrv to read network state- Fix pki_read_tomcat_lib_files- Add labeling for /usr/libexec/nm-ssh-service- Add label cert_t for /var/lib/ipa/pki-ca/publish- Lets label /sys/fs/cgroup as cgroup_t for now, to keep labels consistant- Allow nfsd_t to mounton nfsd_fs_t- Dontaudit sandbox apps attempting to open user_devpts_t- Allow passwd_t to change role to system_r from unconfined_r
* Wed Jun 19 2013 Miroslav Grepl 3.12.1-54- Don\'t audit access checks by sandbox xserver on xdb var_lib- Allow ntop to read usbmon devices- Add labeling for new polcykit authorizor- Dontaudit access checks from fail2ban_client- Don\'t audit access checks by sandbox xserver on xdb var_lib- Allow apps that connect to xdm stream to conenct to xdm_dbusd_t stream- Fix labeling for all /usr/bim/razor-lightdm-
* binaries- Add filename trans for /dev/md126p1
* Tue Jun 18 2013 Miroslav Grepl 3.12.1-53- Make vdagent able to request loading kernel module- Add support for cloud-init make it as unconfined domain- Allow snmpd to run smartctl in fsadm_t domain- remove duplicate openshift_search_lib() interface- Allow mysqld to search openshift lib files- Allow openshift cgroup to interact with passedin file descriptors- Allow colord to list directories inthe users homedir- aide executes prelink to check files- Make sure cupsd_t creates content in /etc/cups with the correct label- Lest dontaudit apache read all domains, so passenger will not cause this avc- Allow gssd to connect to gssproxy- systemd-tmpfiles needs to be able to raise the level to fix labeling on /run/setrans in MLS- Allow systemd-tmpfiles to relabel also lock files- Allow useradd to add homdir in /var/lib/openshift- Allow setfiles and semanage to write output to /run/files
* Fri Jun 14 2013 Miroslav Grepl 3.12.1-52- Add labeling for /dev/tgt- Dontaudit leak fd from firewalld for modprobe- Allow runuser running as rpm_script_t to create netlink_audit socket- Allow mdadm to read BIOS non-volatile RAM
* Thu Jun 13 2013 Miroslav Grepl 3.12.1-51- accountservice watches when accounts come and go in wtmp- /usr/java/jre1.7.0_21/bin/java needs to create netlink socket- Add httpd_use_sasl boolean- Allow net_admin for tuned_t- iscsid needs sys_module to auto-load kernel modules- Allow blueman to read bluetooth conf- Add nova_manage_lib_files() interface- Fix mplayer_filetrans_home_content()- Add mplayer_filetrans_home_content()- mozilla_plugin_config_roles need to be able to access mozilla_plugin_config_t- Revert \"Allow thumb_t to append inherited xdm stream socket\"- Add iscsi_filetrans_named_content() interface- Allow to create .mplayer with the correct labeling for unconfined- Allow iscsiadmin to create lock file with the correct labeling
* Tue Jun 11 2013 Miroslav Grepl 3.12.1-50- Allow wine to manage wine home content- Make amanda working with socket actiovation- Add labeling for /usr/sbin/iscsiadm- Add support for /var/run/gssproxy.sock- dnsmasq_t needs to read sysctl_net_t
* Fri Jun 07 2013 Miroslav Grepl 3.12.1-49- Fix courier_domain_template() interface- Allow blueman to write ip_forward- Allow mongodb to connect to mongodb port- Allow mongodb to connect to mongodb port- Allow java to bind jobss_debug port- Fixes for
*_admin interfaces- Allow iscsid auto-load kernel modules needed for proper iSCSI functionality- Need to assign attribute for courier_domain to all courier_domains- Fail2ban reads /etc/passwd- postfix_virtual will create new files in postfix_spool_t- abrt triggers sys_ptrace by running pidof- Label ~/abc as mozilla_home_t, since java apps as plugin want to create it- Add passenger fixes needed by foreman- Remove dup interfaces- Add additional interfaces for quantum- Add new interfaces for dnsmasq- Allow passenger to read localization and send signull to itself- Allow dnsmasq to stream connect to quantum- Add quantum_stream_connect()- Make sure that mcollective starts the service with the correct labeling- Add labels for ~/.manpath- Dontaudit attempts by svirt_t to getpw
* calls- sandbox domains are trying to look at parent process data- Allow courior auth to create its pid file in /var/spool/courier subdir- Add fixes for beam to have it working with couchdb- Add labeling for /run/nm-xl2tpd.con- Allow apache to stream connect to thin- Add systemd support for amand- Make public types usable for fs mount points- Call correct mandb interface in domain.te- Allow iptables to r/w quantum inherited pipes and send sigchld- Allow ifconfig domtrans to iptables and execute ldconfig- Add labels for ~/.manpath- Allow systemd to read iscsi lib files- seunshare is trying to look at parent process data
* Mon Jun 03 2013 Miroslav Grepl 3.12.1-48- Fix openshift_search_lib- Add support for abrt-uefioops-oops- Allow colord to getattr any file system- Allow chrome processes to look at each other- Allow sys_ptrace for abrt_t- Add new policy for gssproxy- Dontaudit leaked file descriptor writes from firewalld- openshift_net_type is interface not template- Dontaudit pppd to search gnome config- Update openshift_search_lib() interface- Add fs_list_pstorefs()- Fix label on libbcm_host.so since it is built incorrectly on raspberry pi, needs back port to F18- Better labels for raspberry pi devices- Allow init to create devpts_t directory- Temporarily label rasbery pi devices as memory_device_t, needs back port to f18- Allow sysadm_t to build kernels- Make sure mount creates /var/run/blkid with the correct label, needs back port to F18- Allow userdomains to stream connect to gssproxy- Dontaudit leaked file descriptor writes from firewalld- Allow xserver to read /dev/urandom- Add additional fixes for ipsec-mgmt- Make SSHing into an Openshift Enterprise Node working
* Wed May 29 2013 Miroslav Grepl 3.12.1-47- Add transition rules to unconfined domains and to sysadm_t to create /etc/adjtime- with the proper label.- Update files_filetrans_named_content() interface to get right labeling for pam.d conf files- Allow systemd-timedated to create adjtime- Add clock_create_adjtime()- Additional fix ifconfing for #966106- Allow kernel_t to create boot.log with correct labeling- Remove unconfined_mplayer for which we don\'t have rules- Rename interfaces- Add userdom_manage_user_home_files/dirs interfaces- Fix files_dontaudit_read_all_non_security_files- Fix ipsec_manage_key_file()- Fix ipsec_filetrans_key_file()- Label /usr/bin/razor-lightdm-greeter as xdm_exec_t instead of spamc_exec_t- Fix labeling for ipse.secrets- Add interfaces for ipsec and labeling for ipsec.info and ipsec_setup.pid- Add files_dontaudit_read_all_non_security_files() interface- /var/log/syslog-ng should be labeled var_log_t- Make ifconfig_var_run_t a mountpoint- Add transition from ifconfig to dnsmasq- Allow ifconfig to execute bin_t/shell_exec_t- We want to have hwdb.bin labeled as etc_t- update logging_filetrans_named_content() interface- Allow systemd_timedate_t to manage /etc/adjtime- Allow NM to send signals to l2tpd- Update antivirus_can_scan_system boolean- Allow devicekit_disk_t to sys_config_tty- Run abrt-harvest programs as abrt_t, and allow abrt_t to list all filesystem directories- Make printing from vmware working- Allow php-cgi from php54 collection to access /var/lib/net-snmp/mib_indexes- Add virt_qemu_ga_data_t for qemu-ga- Make chrome and mozilla able to connect to same ports, add jboss_management_port_t to both- Fix typo in virt.te- Add virt_qemu_ga_unconfined_t for hook scripts- Make sure NetworkManager files get created with the correct label- Add mozilla_plugin_use_gps boolean- Fix cyrus to have support for net-snmp- Additional fixes for dnsmasq and quantum for #966106- Add plymouthd_create_log()- remove httpd_use_oddjob for which we don\'t have rules- Add missing rules for httpd_can_network_connect_cobbler- Add missing cluster_use_execmem boolean- Call userdom_manage_all_user_home_type_files/dirs- Additional fix for ftp_home_dir- Fix ftp_home_dir boolean- Allow squit to recv/send client squid packet- Fix nut.te to have nut_domain attribute- Add support for ejabberd; TODO: revisit jabberd and rabbit policy- Fix amanda policy- Add more fixes for domains which use libusb- Make domains which use libusb working correctly- Allow l2tpd to create ipsec key files with correct labeling and manage them- Fix cobbler_manage_lib_files/cobbler_read_lib_files to cover also lnk files- Allow rabbitmq-beam to bind generic node- Allow l2tpd to read ipse-mgmt pid files- more fixes for l2tpd, NM and pppd from #967072
* Wed May 22 2013 Miroslav Grepl 3.12.1-46- Dontaudit to getattr on dirs for dovecot-deliver- Allow raiudusd server connect to postgresql socket- Add kerberos support for radiusd- Allow saslauthd to connect to ldap port- Allow postfix to manage postfix_private_t files- Add chronyd support for #965457- Fix labeling for HOME_DIR/\\.icedtea- CHange squid and snmpd to be allowed also write own logs- Fix labeling for /usr/libexec/qemu-ga- Allow virtd_t to use virt_lock_t- Allow also sealert to read the policy from the kernel- qemu-ga needs to execute scripts in /usr/libexec/qemu-ga and to use /tmp content- Dontaudit listing of users homedir by sendmail Seems like a leak- Allow passenger to transition to puppet master- Allow apache to connect to mythtv- Add definition for mythtv ports
* Fri May 17 2013 Miroslav Grepl 3.12.1-45- Add additional fixes for #948073 bug- Allow sge_execd_t to also connect to sge ports- Allow openshift_cron_t to manage openshift_var_lib_t sym links- Allow openshift_cron_t to manage openshift_var_lib_t sym links- Allow sge_execd to bind sge ports. Allow kill capability and reads cgroup files- Remove pulseaudio filetrans pulseaudio_manage_home_dirs which is a part of pulseaudio_manage_home_files- Add networkmanager_stream_connect()- Make gnome-abrt wokring with staff_t- Fix openshift_manage_lib_files() interface- mdadm runs ps command which seems to getattr on random log files- Allow mozilla_plugin_t to create pulseaudit_home_t directories- Allow qemu-ga to shutdown virtual hosts- Add labelling for cupsd-browsed- Add web browser plugins to connect to aol ports- Allow nm-dhcp-helper to stream connect to NM- Add port definition for sge ports
* Mon May 13 2013 Miroslav Grepl 3.12.1-44- Make sure users and unconfined domains create .hushlogin with the correct label- Allow pegaus to chat with realmd over DBus- Allow cobblerd to read network state- Allow boicn-client to stat on /dev/input/mice- Allow certwatch to read net_config_t when it executes apache- Allow readahead to create /run/systemd and then create its own directory with the correct label
* Mon May 13 2013 Miroslav Grepl 3.12.1-43- Transition directories and files when in a user_tmp_t directory- Change certwatch to domtrans to apache instead of just execute- Allow virsh_t to read xen lib files- update policy rules for pegasus_openlmi_account_t- Add support for svnserve_tmp_t- Activate account openlmi policy- pegasus_openlmi_domain_template needs also require pegasus_t- One more fix for policykit.te- Call fs_list_cgroups_dirs() in policykit.te- Allow nagios service plugin to read mysql config files- Add labeling for /var/svn- Fix chrome.te- Fix pegasus_openlmi_domain_template() interfaces- Fix dev_rw_vfio_dev definiton, allow virtd_t to read tmpfs_t symlinks- Fix location of google-chrome data- Add support for chome_sandbox to store content in the homedir- Allow policykit to watch for changes in cgroups file system- Add boolean to allow mozilla_plugin_t to use spice- Allow collectd to bind to udp port- Allow collected_t to read all of /proc- Should use netlink socket_perms- Should use netlink socket_perms- Allow glance domains to connect to apache ports- Allow apcupsd_t to manage its log files- Allow chrome objects to rw_inherited unix_stream_socket from callers- Allow staff_t to execute virtd_exec_t for running vms- nfsd_t needs to bind mountd port to make nfs-mountd.service working- Allow unbound net_admin capability because of setsockopt syscall- Fix fs_list_cgroup_dirs()- Label /usr/lib/nagios/plugins/utils.pm as bin_t- Remove uplicate definition of fs_read_cgroup_files()- Remove duplicate definition of fs_read_cgroup_files()- Add files_mountpoint_filetrans interface to be used by quotadb_t and snapperd- Additional interfaces needed to list and read cgroups config- Add port definition for collectd port- Add labels for /dev/ptp
*- Allow staff_t to execute virtd_exec_t for running vms
* Mon May 06 2013 Miroslav Grepl 3.12.1-42- Allow samba-net to also read realmd tmp files- Allow NUT to use serial ports- realmd can be started by systemctl now
* Mon May 06 2013 Miroslav Grepl 3.12.1-41- Remove userdom_home_manager for xdm_t and move all rules to xserver.te directly- Add new xdm_write_home boolean to allow xdm_t to create files in HOME dirs with xdm_home_t- Allow postfix-showq to read/write unix.showq in /var/spool/postfix/pid- Allow virsh to read xen lock file- Allow qemu-ga to create files in /run with proper labeling- Allow glusterd to connect to own socket in /tmp- Allow glance-api to connect to http port to make glance image-create working- Allow keystonte_t to execute rpm
* Fri May 03 2013 Miroslav Grepl 3.12.1-40- Fix realmd cache interfaces
* Fri May 03 2013 Miroslav Grepl 3.12.1-39- Allow tcpd to execute leafnode- Allow samba-net to read realmd cache files- Dontaudit sys_tty_config for alsactl- Fix allow rules for postfix_var_run- Allow cobblerd to read /etc/passwd- Allow pegasus to read exports- Allow systemd-timedate to read xdm state- Allow mout to stream connect to rpcbind- Add labeling just for /usr/share/pki/ca-trust-source instead of /usr/share/pki
* Tue Apr 30 2013 Miroslav Grepl 3.12.1-38- Allow thumbnails to share memory with apps which run thumbnails- Allow postfix-postqueue block_suspend- Add lib interfaces for smsd- Add support for nginx- Allow s2s running as jabberd_t to connect to jabber_interserver_port_t- Allow pki apache domain to create own tmp files and execute httpd_suexec- Allow procmail to manger user tmp files/dirs/lnk_files- Add virt_stream_connect_svirt() interface- Allow dovecot-auth to execute bin_t- Allow iscsid to request that kernel load a kernel module- Add labeling support for /var/lib/mod_security- Allow iw running as tuned_t to create netlink socket- Dontaudit sys_tty_config for thumb_t- Add labeling for nm-l2tp-service- Allow httpd running as certwatch_t to open tcp socket- Allow useradd to manager smsd lib files- Allow useradd_t to add homedirs in /var/lib- Fix typo in userdomain.te- Cleanup userdom_read_home_certs- Implement userdom_home_reader_certs_type to allow read certs also on encrypt /home with ecryptfs_t- Allow staff to stream connect to svirt_t to make gnome-boxes working
* Fri Apr 26 2013 Miroslav Grepl 3.12.1-37- Allow lvm to create its own unit files- Label /var/lib/sepolgen as selinux_config_t- Add filetrans rules for tw devices- Add transition from cupsd_config_t to cupsd_t
* Wed Apr 24 2013 Miroslav Grepl 3.12.1-36- Add filetrans rules for tw devices- Cleanup bad transition lines
* Tue Apr 23 2013 Miroslav Grepl 3.12.1-35- Fix lockdev_manage_files()- Allow setroubleshootd to read var_lib_t to make email_alert working- Add lockdev_manage_files()- Call proper interface in virt.te- Allow gkeyring_domain to create /var/run/UID/config/dbus file- system dbus seems to be blocking suspend- Dontaudit attemps to sys_ptrace, which I believe gpsd does not need- When you enter a container from root, you generate avcs with a leaked file descriptor- Allow mpd getattr on file system directories- Make sure realmd creates content with the correct label- Allow systemd-tty-ask to write kmsg- Allow mgetty to use lockdev library for device locking- Fix selinuxuser_user_share_music boolean name to selinuxuser_share_music- When you enter a container from root, you generate avcs with a leaked file descriptor- Make sure init.fc files are labeled correctly at creation- File name trans vconsole.conf- Fix labeling for nagios plugins- label shared libraries in /opt/google/chrome as testrel_shlib_t
* Thu Apr 18 2013 Miroslav Grepl 3.12.1-34- Allow certmonger to dbus communicate with realmd - Make realmd working
* Thu Apr 18 2013 Miroslav Grepl 3.12.1-33- Fix mozilla specification of homedir content- Allow certmonger to read network state- Allow tmpwatch to read tmp in /var/spool/{cups,lpd}- Label all nagios plugin as unconfined by default- Add httpd_serve_cobbler_files()- Allow mdadm to read /dev/sr0 and create tmp files- Allow certwatch to send mails- Fix labeling for nagios plugins- label shared libraries in /opt/google/chrome as testrel_shlib_t
* Wed Apr 17 2013 Miroslav Grepl 3.12.1-32- Allow realmd to run ipa, really needs to be an unconfined_domain- Allow sandbox domains to use inherted terminals- Allow pscd to use devices labeled svirt_image_t in order to use cat cards.- Add label for new alsa pid- Alsa now uses a pid file and needs to setsched - Fix oracleasmfs_t definition- Add support for sshd_unit_file_t- Add oracleasmfs_t- Allow unlabeled_t files to be stored on unlabeled_t filesystems
* Tue Apr 16 2013 Miroslav Grepl 3.12.1-31- Fix description of deny_ptrace boolean- Remove allow for execmod lib_t for now- Allow quantum to connect to keystone port- Allow nova-console to talk with mysql over unix stream socket- Allow dirsrv to stream connect to uuidd- thumb_t needs to be able to create ~/.cache if it does not exist- virtd needs to be able to sys_ptrace when starting and stoping containers
* Mon Apr 15 2013 Miroslav Grepl 3.12.1-30- Allow alsa_t signal_perms, we probaly should search for any app that can execute something without transition and give it signal_perms...- Add dontaudit for mozilla_plugin_t looking at the xdm_t sockets- Fix deny_ptrace boolean, certain ptrace leaked into the system- Allow winbind to manage kerberos_rcache_host- Allow spamd to create spamd_var_lib_t directories- Remove transition to mozilla_tmp_t by mozilla_t, to allow it to manage the users tmp dirs- Add mising nslcd_dontaudit_write_sock_file() interface- one more fix- Fix pki_read_tomcat_lib_files() interface- Allow certmonger to read pki-tomcat lib files- Allow certwatch to execute bin_t- Allow snmp to manage /var/lib/net-snmp files- Call snmp_manage_var_lib_files(fogorn_t) instead of snmp_manage_var_dirs- Fix vmware_role() interface- Fix cobbler_manage_lib_files() interface- Allow nagios check disk plugins to execute bin_t- Allow quantum to transition to openvswitch_t- Allow postdrop to stream connect to postfix-master- Allow quantum to stream connect to openvswitch- Add xserver_dontaudit_xdm_rw_stream_sockets() interface- Allow daemon to send dgrams to initrc_t- Allow kdm to start the power service to initiate a reboot or poweroff
* Thu Apr 11 2013 Miroslav Grepl 3.12.1-29- Add mising nslcd_dontaudit_write_sock_file() interface- one more fix- Fix pki_read_tomcat_lib_files() interface- Allow certmonger to read pki-tomcat lib files- Allow certwatch to execute bin_t- Allow snmp to manage /var/lib/net-snmp files- Don\'t audit attempts to write to stream socket of nscld by thumbnailers- Allow git_system_t to read network state- Allow pegasas to execute mount command- Fix desc for drdb_admin- Fix condor_amin()- Interface fixes for uptime, vdagent, vnstatd- Fix labeling for moodle in /var/www/moodle/data- Add interface fixes- Allow bugzilla to read certs- /var/www/moodle needs to be writable by apache- Add interface to dontaudit attempts to send dbus messages to systemd domains, for xguest- Fix namespace_init_t to create content with proper labels, and allow it to manage all user content- Allow httpd_t to connect to osapi_compute port using httpd_use_openstack bolean- Fixes for dlm_controld- Fix apache_read_sys_content_rw_dirs() interface- Allow logrotate to read /var/log/z-push dir- Fix sys_nice for cups_domain- Allow postfix_postdrop to acces postfix_public socket- Allow sched_setscheduler for cupsd_t- Add missing context for /usr/sbin/snmpd- Kernel_t needs mac_admin in order to support labeled NFS- Fix systemd_dontaudit_dbus_chat() interface- Add interface to dontaudit attempts to send dbus messages to systemd domains, for xguest- Allow consolehelper domain to write Xauth files in /root- Add port definition for osapi_compute port- Allow unconfined to create /etc/hostname with correct labeling- Add systemd_filetrans_named_hostname() interface
* Mon Apr 08 2013 Dan Walsh 3.12.1-28- Allow httpd_t to connect to osapi_compute port using httpd_use_openstack bolean- Fixes for dlm_controld- Fix apache_read_sys_content_rw_dirs() interface- Allow logrotate to read /var/log/z-push dir- Allow postfix_postdrop to acces postfix_public socket- Allow sched_setscheduler for cupsd_t- Add missing context for /usr/sbin/snmpd- Allow consolehelper more access discovered by Tom London- Allow fsdaemon to send signull to all domain- Add port definition for osapi_compute port- Allow unconfined to create /etc/hostname with correct labeling- Add systemd_filetrans_named_hostname() interface
* Sat Apr 06 2013 Dan Walsh 3.12.1-27- Fix file_contexts.subs to label /run/lock correctly
* Fri Apr 05 2013 Miroslav Grepl 3.12.1-26- Try to label on controlC devices up to 30 correctly- Add mount_rw_pid_files() interface- Add additional mount/umount interfaces needed by mock- fsadm_t sends audit messages in reads kernel_ipc_info when doing livecd-iso-to-disk- Fix tabs- Allow initrc_domain to search rgmanager lib files- Add more fixes which make mock working together with confined users
* Allow mock_t to manage rpm files
* Allow mock_t to read rpm log files
* Allow mock to setattr on tmpfs, devpts
* Allow mount/umount filesystems- Add rpm_read_log() interface- yum-cron runs rpm from within it.- Allow tuned to transition to dmidecode- Allow firewalld to do net_admin- Allow mock to unmont tmpfs_t- Fix virt_sigkill() interface- Add additional fixes for mock. Mainly caused by mount running in mock_t- Allow mock to write sysfs_t and mount pid files- Add mailman_domain to mailman_template()- Allow openvswitch to execute shell- Allow qpidd to use kerberos- Allow mailman to use fusefs, needs back port to RHEL6- Allow apache and its scripts to use anon_inodefs- Add alias for git_user_content_t and git_sys_content_t so that RHEL6 will update to RHEL7- Realmd needs to connect to samba ports, needs back port to F18 also- Allow colord to read /run/initial-setup-- Allow sanlock-helper to send sigkill to virtd which is registred to sanlock- Add virt_kill() interface- Add rgmanager_search_lib() interface- Allow wdmd to getattr on all filesystems. Back ported from RHEL6
* Tue Apr 02 2013 Miroslav Grepl 3.12.1-25- Allow realmd to create tmp files- FIx ircssi_home_t type to irssi_home_t- Allow adcli running as realmd_t to connect to ldap port- Allow NetworkManager to transition to ipsec_t, for running strongswan- Make openshift_initrc_t an lxc_domain- Allow gssd to manage user_tmp_t files- Fix handling of irclogs in users homedir- Fix labeling for drupal an wp-content in subdirs of /var/www/html- Allow abrt to read utmp_t file- Fix openshift policy to transition lnk_file, sock-file an fifo_file when created in a tmpfs_t, needs back port to RHEL6- fix labeling for (oo|rhc)-restorer-wrapper.sh- firewalld needs to be able to write to network sysctls- Fix mozilla_plugin_dontaudit_rw_sem() interface- Dontaudit generic ipc read/write to a mozilla_plugin for sandbox_x domains- Add mozilla_plugin_dontaudit_rw_sem() interface- Allow svirt_lxc_t to transition to openshift domains- Allow condor domains block_suspend and dac_override caps- Allow condor_master to read passd- Allow condor_master to read system state- Allow NetworkManager to transition to ipsec_t, for running strongswan- Lots of access required by lvm_t to created encrypted usb device- Allow xdm_t to dbus communicate with systemd_localed_t- Label strongswan content as ipsec_exec_mgmt_t for now- Allow users to dbus chat with systemd_localed- Fix handling of .xsession-errors in xserver.if, so kde will work- Might be a bug but we are seeing avc\'s about people status on init_t:service- Make sure we label content under /var/run/lock as <>- Allow daemon and systemprocesses to search init_var_run_t directory- Add boolean to allow xdm to write xauth data to the home directory- Allow mount to write keys for the unconfined domain- Add unconfined_write_keys() interface
* Tue Mar 26 2013 Miroslav Grepl 3.12.1-24- Add labeling for /usr/share/pki- Allow programs that read var_run_t symlinks also read var_t symlinks- Add additional ports as mongod_port_t for 27018, 27019, 28017, 28018 and 28019 ports- Fix labeling for /etc/dhcp directory- add missing systemd_stub_unit_file() interface- Add files_stub_var() interface- Add lables for cert_t directories- Make localectl set-x11-keymap working at all- Allow abrt to manage mock build environments to catch build problems.- Allow virt_domains to setsched for running gdb on itself- Allow thumb_t to execute user home content- Allow pulseaudio running as mozilla_plugin_t to read /run/systemd/users/1000- Allow certwatch to execut /usr/bin/httpd- Allow cgred to send signal perms to itself, needs back port to RHEL6- Allow openshift_cron_t to look at quota- Allow cups_t to read inhered tmpfs_t from the kernel- Allow yppasswdd to use NIS- Tuned wants sys_rawio capability- Add ftpd_use_fusefs boolean- Allow dirsrvadmin_t to signal itself
* Wed Mar 20 2013 Miroslav Grepl 3.12.1-23- Allow localectl to read /etc/X11/xorg.conf.d directory- Revert \"Revert \"Fix filetrans rules for kdm creates .xsession-errors\"\"- Allow mount to transition to systemd_passwd_agent- Make sure abrt directories are labeled correctly- Allow commands that are going to read mount pid files to search mount_var_run_t- label /usr/bin/repoquery as rpm_exec_t- Allow automount to block suspend- Add abrt_filetrans_named_content so that abrt directories get labeled correctly- Allow virt domains to setrlimit and read file_context
* Mon Mar 18 2013 Miroslav Grepl 3.12.1-22- Allow nagios to manage nagios spool files- /var/spool/snmptt is a directory which snmdp needs to write to, needs back port to RHEL6- Add swift_alias.
* policy files which contain typealiases for swift types- Add support for /run/lock/opencryptoki- Allow pkcsslotd chown capability- Allow pkcsslotd to read passwd- Add rsync_stub() interface- Allow systemd_timedate also manage gnome config homedirs- Label /usr/lib64/security/pam_krb5/pam_krb5_cchelper as bin_t- Fix filetrans rules for kdm creates .xsession-errors- Allow sytemd_tmpfiles to create wtmp file- Really should not label content under /var/lock, since it could have labels on it different from var_lock_t- Allow systemd to list all file system directories- Add some basic stub interfaces which will be used in PRODUCT policies
* Wed Mar 13 2013 Miroslav Grepl 3.12.1-21- Fix log transition rule for cluster domains- Start to group all cluster log together- Dont use filename transition for POkemon Advanced Adventure until a new checkpolicy update- cups uses usbtty_device_t devices- These fixes were all required to build a MLS virtual Machine with single level desktops- Allow domains to transiton using httpd_exec_t- Allow svirt domains to manage kernel key rings- Allow setroubleshoot to execute ldconfig- Allow firewalld to read generate gnome data- Allow bluetooth to read machine-info- Allow boinc domain to send signal to itself- Fix gnome_filetrans_home_content() interface- Allow mozilla_plugins to list apache modules, for use with gxine- Fix labels for POkemon in the users homedir- Allow xguest to read mdstat- Dontaudit virt_domains getattr on /dev/
*- These fixes were all required to build a MLS virtual Machine with single level desktops- Need to back port this to RHEL6 for openshift- Add tcp/8891 as milter port- Allow nsswitch domains to read sssd_var_lib_t files- Allow ping to read network state.- Fix typo- Add labels to /etc/X11/xorg.d and allow systemd-timestampd_t to manage them
* Fri Mar 08 2013 Miroslav Grepl 3.12.1-20- Adopt swift changes from lhhAATTredhat.com- Add rhcs_manage_cluster_pid_files() interface- Allow screen domains to configure tty and setup sock_file in ~/.screen directory- ALlow setroubleshoot to read default_context_t, needed to backport to F18- Label /etc/owncloud as being an apache writable directory- Allow sshd to stream connect to an lxc domain
* Thu Mar 07 2013 Miroslav Grepl 3.12.1-19- Allow postgresql to manage rgmanager pid files- Allow postgresql to read ccs data- Allow systemd_domain to send dbus messages to policykit- Add labels for /etc/hostname and /etc/machine-info and allow systemd-hostnamed to create them- All systemd domains that create content are reading the file_context file and setfscreate- Systemd domains need to search through init_var_run_t- Allow sshd to communicate with libvirt to set containers labels- Add interface to manage pid files- Allow NetworkManger_t to read /etc/hostname- Dontaudit leaked locked files into openshift_domains- Add fixes for oo-cgroup-read - it nows creates tmp files- Allow gluster to manage all directories as well as files- Dontaudit chrome_sandbox_nacl_t using user terminals- Allow sysstat to manage its own log files- Allow virtual machines to setrlimit and send itself signals.- Add labeling for /var/run/hplip
* Mon Mar 04 2013 Miroslav Grepl 3.12.1-18- Fix POSTIN scriptlet
* Fri Mar 01 2013 Miroslav Grepl 3.12.1-17- Merge rgmanger, corosync,pacemaker,aisexec policies to cluster_t in rhcs.pp
* Wed Feb 27 2013 Miroslav Grepl 3.12.1-16- Fix authconfig.py labeling- Make any domains that write homedir content do it correctly- Allow glusterd to read/write anyhwere on the file system by default- Be a little more liberal with the rsync log files- Fix iscsi_admin interface- Allow iscsid_t to read /dev/urand- Fix up iscsi domain for use with unit files- Add filename transition support for spamassassin policy- Allow web plugins to use badly formated libraries- Allow nmbd_t to create samba_var_t directories- Add filename transition support for spamassassin policy- Add filename transition support for tvtime- Fix alsa_home_filetrans_alsa_home() interface- Move all userdom_filetrans_home_content() calling out of booleans- Allow logrotote to getattr on all file sytems- Remove duplicate userdom_filetrans_home_content() calling- Allow kadmind to read /etc/passwd- Dontaudit append .xsession-errors file on ecryptfs for policykit-auth- Allow antivirus domain to manage antivirus db links- Allow logrotate to read /sys- Allow mandb to setattr on man dirs- Remove mozilla_plugin_enable_homedirs boolean- Fix ftp_home_dir boolean- homedir mozilla filetrans has been moved to userdom_home_manager- homedir telepathy filetrans has been moved to userdom_home_manager- Remove gnome_home_dir_filetrans() from gnome_role_gkeyringd()- Might want to eventually write a daemon on fusefsd.- Add policy fixes for sshd [net] child from plautrbaAATTredhat.com- Tor uses a new port- Remove bin_t for authconfig.py- Fix so only one call to userdom_home_file_trans- Allow home_manager_types to create content with the correctl label- Fix all domains that write data into the homedir to do it with the correct label- Change the postgresql to use proper boolean names, which is causing httpd_t to- not get access to postgresql_var_run_t- Hostname needs to send syslog messages- Localectl needs to be able to send dbus signals to users- Make sure userdom_filetrans_type will create files/dirs with user_home_t labeling by default- Allow user_home_manger domains to create spam
* homedir content with correct labeling- Allow user_home_manger domains to create HOMEDIR/.tvtime with correct labeling- Add missing miscfiles_setattr_man_pages() interface and for now comment some rules for userdom_filetrans_type to make build process working- Declare userdom_filetrans_type attribute- userdom_manage_home_role() needs to be called withoout usertype attribute because of userdom_filetrans_type attribute- fusefsd is mounding a fuse file system on /run/user/UID/gvfs
* Thu Feb 21 2013 Miroslav Grepl 3.12.1-15- Man pages are now generated in the build process- Allow cgred to list inotifyfs filesystem
* Wed Feb 20 2013 Miroslav Grepl 3.12.1-14- Allow gluster to get attrs on all fs- New access required for virt-sandbox- Allow dnsmasq to execute bin_t- Allow dnsmasq to create content in /var/run/NetworkManager- Fix openshift_initrc_signal() interface- Dontaudit openshift domains doing getattr on other domains- Allow consolehelper domain to communicate with session bus- Mock should not be transitioning to any other domains, we should keep mock_t as mock_t- Update virt_qemu_ga_t policy- Allow authconfig running from realmd to restart oddjob service- Add systemd support for oddjob- Add initial policy for realmd_consolehelper_t which if for authconfig executed by realmd- Add labeling for gnashpluginrc- Allow chrome_nacl to execute /dev/zero- Allow condor domains to read /proc- mozilla_plugin_t will getattr on /core if firefox crashes- Allow condor domains to read /etc/passwd- Allow dnsmasq to execute shell scripts, openstack requires this access- Fix glusterd labeling- Allow virtd_t to interact with the socket type- Allow nmbd_t to override dac if you turned on sharing all files- Allow tuned to created kobject_uevent socket- Allow guest user to run fusermount- Allow openshift to read /proc and locale- Allow realmd to dbus chat with rpm- Add new interface for virt- Remove depracated interfaces- Allow systemd_domains read access on etc, etc_runtime and usr files, also allow them to connect stream to syslog socket- /usr/share/munin/plugins/plugin.sh should be labeled as bin_t- Remove some more unconfined_t process transitions, that I don\'t believe are necessary- Stop transitioning uncofnined_t to checkpc- dmraid creates /var/lock/dmraid- Allow systemd_localed to creatre unix_dgram_sockets- Allow systemd_localed to write kernel messages.- Also cleanup systemd definition a little.- Fix userdom_restricted_xwindows_user_template() interface- Label any block devices or char devices under /dev/infiniband as fixed_disk_device_t- User accounts need to dbus chat with accountsd daemon- Gnome requires all users to be able to read /proc/1/
* Thu Feb 14 2013 Miroslav Grepl 3.12.1-13- virsh now does a setexeccon call- Additional rules required by openshift domains- Allow svirt_lxc_domains to use inherited terminals, needed to make virt-sandbox-service execute work- Allow spamd_update_t to search spamc_home_t- Avcs discovered by mounting an isci device under /mnt- Allow lspci running as logrotate to read pci.ids- Additional fix for networkmanager_read_pid_files()- Fix networkmanager_read_pid_files() interface- Allow all svirt domains to connect to svirt_socket_t- Allow virsh to set SELinux context for a process.- Allow tuned to create netlink_kobject_uevent_socket- Allow systemd-timestamp to set SELinux context- Add support for /var/lib/systemd/linger- Fix ssh_sysadm_login to be working on MLS as expected
* Mon Feb 11 2013 Miroslav Grepl 3.12.1-12- Rename files_rw_inherited_tmp_files to files_rw_inherited_tmp_file- Add missing files_rw_inherited_tmp_files interface- Add additional interface for ecryptfs- ALlow nova-cert to connect to postgresql- Allow keystone to connect to postgresql- Allow all cups domains to getattr on filesystems- Allow pppd to send signull- Allow tuned to execute ldconfig- Allow gpg to read fips_enabled- Add additional fixes for ecryptfs- Allow httpd to work with posgresql- Allow keystone getsched and setsched
* Fri Feb 08 2013 Miroslav Grepl 3.12.1-11- Allow gpg to read fips_enabled- Add support for /var/cache/realmd- Add support for /usr/sbin/blazer_usb and systemd support for nut- Add labeling for fenced_sanlock and allow sanclok transition to fenced_t- bitlbee wants to read own log file- Allow glance domain to send a signal itself- Allow xend_t to request that the kernel load a kernel module- Allow pacemaker to execute heartbeat lib files- cleanup new swift policy
* Tue Feb 05 2013 Miroslav Grepl 3.12.1-10- Fix smartmontools- Fix userdom_restricted_xwindows_user_template() interface- Add xserver_xdm_ioctl_log() interface- Allow Xusers to ioctl lxdm.log to make lxdm working- Add MLS fixes to make MLS boot/log-in working- Add mls_socket_write_all_levels() also for syslogd- fsck.xfs needs to read passwd- Fix ntp_filetrans_named_content calling in init.te- Allow postgresql to create pg_log dir- Allow sshd to read rsync_data_t to make rsync working- Change ntp.conf to be labeled net_conf_t- Allow useradd to create homedirs in /run. ircd-ratbox does this and we should just allow it- Allow xdm_t to execute gstreamer home content- Allod initrc_t and unconfined domains, and sysadm_t to manage ntp- New policy for openstack swift domains- More access required for openshift_cron_t- Use cupsd_log_t instead of cupsd_var_log_t- rpm_script_roles should be used in rpm_run- Fix rpm_run() interface- Fix openshift_initrc_run()- Fix sssd_dontaudit_stream_connect() interface- Fix sssd_dontaudit_stream_connect() interface- Allow LDA\'s job to deliver mail to the mailbox- dontaudit block_suspend for mozilla_plugin_t- Allow l2tpd_t to all signal perms- Allow uuidgen to read /dev/random- Allow mozilla-plugin-config to read power_supply info- Implement cups_domain attribute for cups domains- We now need access to user terminals since we start by executing a command outside the tty- We now need access to user terminals since we start by executing a command outside the tty- svirt lxc containers want to execute userhelper apps, need these changes to allow this to happen- Add containment of openshift cron jobs- Allow system cron jobs to create tmp directories- Make userhelp_conf_t a config file- Change rpm to use rpm_script_roles- More fixes for rsync to make rsync wokring- Allow logwatch to domtrans to mdadm- Allow pacemaker to domtrans to ifconfig- Allow pacemaker to setattr on corosync.log- Add pacemaker_use_execmem for memcheck-amd64 command- Allow block_suspend capability- Allow create fifo_file in /tmp with pacemaker_tmp_t- Allow systat to getattr on fixed disk- Relabel /etc/ntp.conf to be net_conf_t- ntp_admin should create files in /etc with the correct label- Add interface to create ntp_conf_t files in /etc- Add additional labeling for quantum- Allow quantum to execute dnsmasq with transition
* Wed Jan 30 2013 Miroslav Grepl 3.12.1-9- boinc_cliean wants also execmem as boinc projecs have- Allow sa-update to search admin home for /root/.spamassassin- Allow sa-update to search admin home for /root/.spamassassin- Allow antivirus domain to read net sysctl- Dontaudit attempts from thumb_t to connect to ssd- Dontaudit attempts by readahead to read sock_files- Dontaudit attempts by readahead to read sock_files- Create tmpfs file while running as wine as user_tmpfs_t- Dontaudit attempts by readahead to read sock_files- libmpg ships badly created librarie
* Mon Jan 28 2013 Miroslav Grepl 3.12.1-8- Change ssh_use_pts to use macro and only inherited sshd_devpts_t- Allow confined users to read systemd_logind seat information- libmpg ships badly created libraries- Add support for strongswan.service- Add labeling for strongswan- Allow l2tpd_t to read network manager content in /run directory- Allow rsync to getattr any file in rsync_data_t- Add labeling and filename transition for .grl-podcasts
* Fri Jan 25 2013 Miroslav Grepl 3.12.1-7- mount.glusterfs executes glusterfsd binary- Allow systemd_hostnamed_t to stream connect to systemd- Dontaudit any user doing a access check- Allow obex-data-server to request the kernel to load a module- Allow gpg-agent to manage gnome content (~/.cache/gpg-agent-info)- Allow gpg-agent to read /proc/sys/crypto/fips_enabled- Add new types for antivirus.pp policy module- Allow gnomesystemmm_t caps because of ioprio_set- Make sure if mozilla_plugin creates files while in permissive mode, they get created with the correct label, user_home_t- Allow gnomesystemmm_t caps because of ioprio_set- Allow NM rawip socket- files_relabel_non_security_files can not be used with boolean- Add interface to thumb_t dbus_chat to allow it to read remote process state- ALlow logrotate to domtrans to mdadm_t- kde gnomeclock wants to write content to /tmp
* Wed Jan 23 2013 Miroslav Grepl 3.12.1-6- kde gnomeclock wants to write content to /tmp- /usr/libexec/kde4/kcmdatetimehelper attempts to create /root/.kde- Allow blueman_t to rwx zero_device_t, for some kind of jre- Allow mozilla_plugin_t to rwx zero_device_t, for some kind of jre- Ftp full access should be allowed to create directories as well as files- Add boolean to allow rsync_full_acces, so that an rsync server can write all- over the local machine- logrotate needs to rotate logs in openshift directories, needs back port to RHEL6- Add missing vpnc_roles type line- Allow stapserver to write content in /tmp- Allow gnome keyring to create keyrings dir in ~/.local/share- Dontaudit thumb drives trying to bind to udp sockets if nis_enabled is turned on- Add interface to colord_t dbus_chat to allow it to read remote process state- Allow colord_t to read cupsd_t state- Add mate-thumbnail-font as thumnailer- Allow sectoolm to sys_ptrace since it is looking at other proceses /proc data.- Allow qpidd to list /tmp. Needed by ssl- Only allow init_t to transition to rsync_t domain, not initrc_t. This should be back ported to F17, F18- - Added systemd support for ksmtuned- Added booleans ksmtuned_use_nfs ksmtuned_use_cifs- firewalld seems to be creating mmap files which it needs to execute in /run /tmp and /dev/shm. Would like to clean this up but for now we will allow- Looks like qpidd_t needs to read /dev/random- Lots of probing avc\'s caused by execugting gpg from staff_t- Dontaudit senmail triggering a net_admin avc- Change thumb_role to use thumb_run, not sure why we have a thumb_role, needs back port- Logwatch does access check on mdadm binary- Add raid_access_check_mdadm() iterface
* Wed Jan 16 2013 Miroslav Grepl 3.12.1-5- Fix systemd_manage_unit_symlinks() interface- Call systemd_manage_unit_symlinks(() which is correct interface- Add filename transition for opasswd- Switch gnomeclock_dbus_chat to systemd_dbus_chat_timedated since we have switched the name of gnomeclock- Allow sytstemd-timedated to get status of init_t- Add new systemd policies for hostnamed and rename gnomeclock_t to systemd_timedate_t- colord needs to communicate with systemd and systemd_logind, also remove duplicate rules- Switch gnomeclock_dbus_chat to systemd_dbus_chat_timedated since we have switched the name of gnomeclock- Allow gpg_t to manage all gnome files- Stop using pcscd_read_pub_files- New rules for xguest, dontaudit attempts to dbus chat- Allow firewalld to create its mmap files in tmpfs and tmp directories- Allow firewalld to create its mmap files in tmpfs and tmp directories- run unbound-chkconf as named_t, so it can read dnssec- Colord is reading xdm process state, probably reads state of any apps that sends dbus message- Allow mdadm_t to change the kernel scheduler- mythtv policy- Update mandb_admin() interface- Allow dsspam to listen on own tpc_socket- seutil_filetrans_named_content needs to be optional- Allow sysadm_t to execute content in his homedir- Add attach_queue to tun_socket, new patch from Paul Moore- Change most of selinux configuration types to security_file_type.- Add filename transition rules for selinux configuration- ssh into a box with -X -Y requires ssh_use_ptys- Dontaudit thumb drives trying to bind to udp sockets if nis_enabled is turned on- Allow all unpriv userdomains to send dbus messages to hostnamed and timedated- New allow rules found by Tom London for systemd_hostnamed
* Mon Jan 14 2013 Miroslav Grepl 3.12.1-4- Allow systemd-tmpfiles to relabel lpd spool files- Ad labeling for texlive bash scripts- Add xserver_filetrans_fonts_cache_home_content() interface- Remove duplicate rules from
*.te- Add support for /var/lock/man-db.lock- Add support for /var/tmp/abrt(/.
*)?- Add additional labeling for munin cgi scripts- Allow httpd_t to read munin conf files- Allow certwatch to read meminfo- Fix nscd_dontaudit_write_sock_file() interfac- Fix gnome_filetrans_home_content() to include also \"fontconfig\" dir as cache_home_t- llow mozilla_plugin_t to create HOMEDIR/.fontconfig with the proper labeling
* Fri Jan 11 2013 Miroslav Grepl 3.12.1-3- Allow gnomeclock to talk to puppet over dbus- Allow numad access discovered by Dominic- Add support for HOME_DIR/.maildir- Fix attribute_role for mozilla_plugin_t domain to allow staff_r to access this domain- Allow udev to relabel udev_var_run_t lnk_files- New bin_t file in mcelog
* Thu Jan 10 2013 Miroslav Grepl 3.12.1-2- Remove all mcs overrides and replace with t1 != mcs_constrained_types- Add attribute_role for iptables- mcs_process_set_categories needs to be called for type- Implement additional role_attribute statements- Sodo domain is attempting to get the additributes of proc_kcore_t- Unbound uses port 8953- Allow svirt_t images to compromise_kernel when using pci-passthrough- Add label for dns lib files- Bluetooth aquires a dbus name- Remove redundant files_read_usr_file calling- Remove redundant files_read_etc_file calling- Fix mozilla_run_plugin()- Add role_attribute support for more domains
* Wed Jan 09 2013 Miroslav Grepl 3.12.1-1- Mass merge with upstream
* Sat Jan 05 2013 Dan Walsh 3.11.1-69.1- Bump the policy version to 28 to match selinux userspace- Rebuild versus latest libsepol
* Wed Jan 02 2013 Miroslav Grepl 3.11.1-69- Add systemd_status_all_unit_files() interface- Add support for nshadow- Allow sysadm_t to administrate the postfix domains- Add interface to setattr on isid directories for use by tmpreaper- Allow sshd_t sys_admin for use with afs logins- Allow systemd to read/write all sysctls- Allow sshd_t sys_admin for use with afs logins- Allow systemd to read/write all sysctls- Add systemd_status_all_unit_files() interface- Add support for nshadow- Allow sysadm_t to administrate the postfix domains- Add interface to setattr on isid directories for use by tmpreaper- Allow sshd_t sys_admin for use with afs logins- Allow systemd to read/write all sysctls- Allow sshd_t sys_admin for use with afs logins- Add labeling for /var/named/chroot/etc/localtim
* Thu Dec 27 2012 Miroslav Grepl 3.11.1-68- Allow setroubleshoot_fixit to execute rpm- zoneminder needs to connect to httpd ports where remote cameras are listening- Allow firewalld to execute content created in /run directory- Allow svirt_t to read generic certs- Dontaudit leaked ps content to mozilla plugin- Allow sshd_t sys_admin for use with afs logins- Allow systemd to read/write all sysctls- init scripts are creating systemd_unit_file_t directories
* Fri Dec 21 2012 Miroslav Grepl 3.11.1-67- systemd_logind_t is looking at all files under /run/user/apache- Allow systemd to manage all user tmp files- Add labeling for /var/named/chroot/etc/localtime- Allow netlabel_peer_t type to flow over netif_t and node_t, and only be hindered by MLS, need back port to RHEL6- Keystone is now using a differnt port- Allow xdm_t to use usbmuxd daemon to control sound- Allow passwd daemon to execute gnome_exec_keyringd- Fix chrome_sandbox policy- Add labeling for /var/run/checkquorum-timer- More fixes for the dspam domain, needs back port to RHEL6- More fixes for the dspam domain, needs back port to RHEL6- sssd needs to connect to kerberos password port if a user changes his password- Lots of fixes from RHEL testing of dspam web- Allow chrome and mozilla_plugin to create msgq and semaphores- Fixes for dspam cgi scripts- Fixes for dspam cgi scripts- Allow confine users to ptrace screen- Backport virt_qemu_ga_t changes from RHEL- Fix labeling for dspam.cgi needed for RHEL6- We need to back port this policy to RHEL6, for lxc domains- Dontaudit attempts to set sys_resource of logrotate- Allow corosync to read/write wdmd\'s tmpfs files- I see a ptrace of mozilla_plugin_t by staff_t, will allow without deny_ptrace being set- Allow cron jobs to read bind config for unbound- libvirt needs to inhibit systemd- kdumpctl needs to delete boot_t files- Fix duplicate gnome_config_filetrans- virtd_lxc_t is using /dev/fuse- Passenger needs to create a directory in /var/log, needs a backport to RHEL6 for openshift- apcupsd can be setup to listen to snmp trafic- Allow transition from kdumpgui to kdumpctl- Add fixes for munin CGI scripts- Allow deltacloud to connect to openstack at the keystone port- Allow domains that transition to svirt domains to be able to signal them- Fix file context of gstreamer in .cache directory- libvirt is communicating with logind- NetworkManager writes to the systemd inhibit pipe
* Mon Dec 17 2012 Miroslav Grepl 3.11.1-66- Allow munin disk plugins to get attributes of all directories- Allow munin disk plugins to get attributes of all directorie- Allow logwatch to get attributes of all directories- Fix networkmanager_manage_lib() interface- Fix gnome_manage_config() to allow to manage sock_file- Fix virtual_domain_context- Add support for dynamic DNS for DHCPv6
* Sat Dec 15 2012 Miroslav Grepl 3.11.1-65- Allow svirt to use netlink_route_socket which was a part of auth_use_nsswitch- Add additional labeling for /var/www/openshift/broker- Fix rhev policy- Allow openshift_initrc domain to dbus chat with systemd_logind- Allow httpd to getattr passenger log file if run_stickshift- Allow consolehelper-gtk to connect to xserver- Add labeling for the tmp-inst directory defined in pam_namespace.conf- Add lvm_metadata_t labeling for /etc/multipath
* Fri Dec 14 2012 Miroslav Grepl 3.11.1-64- consoletype is no longer used
* Wed Dec 12 2012 Miroslav Grepl 3.11.1-63- Add label for efivarfs- Allow certmonger to send signal to itself- Allow plugin-config to read own process status- Add more fixes for pacemaker- apache/drupal can run clamscan on uploaded content- Allow chrome_sandbox_nacl_t to read pid 1 content
* Tue Dec 11 2012 Miroslav Grepl 3.11.1-62- Fix MCS Constraints to control ingres and egres controls on the network.- Change name of svirt_nokvm_t to svirt_tcg_t- Allow tuned to request the kernel to load kernel modules
* Mon Dec 10 2012 Miroslav Grepl 3.11.1-61- Label /var/lib/pgsql/.ssh as ssh_home_t- Add labeling for /usr/bin/pg_ctl- Allow systemd-logind to manage keyring user tmp dirs- Add support for 7389/tcp port- gems seems to be placed in lots of places- Since xdm is running a full session, it seems to be trying to execute lots of executables via dbus- Add back tcp/8123 port as http_cache port- Add ovirt-guest-agent\\.pid labeling- Allow xend to run scsi_id- Allow rhsmcertd-worker to read \"physical_package_id\"- Allow pki_tomcat to connect to ldap port- Allow lpr to read /usr/share/fonts- Allow open file from CD/DVD drive on domU- Allow munin services plugins to talk to SSSD- Allow all samba domains to create samba directory in var_t directories- Take away svirt_t ability to use nsswitch- Dontaudit attempts by openshift to read apache logs- Allow apache to create as well as append _ra_content_t- Dontaudit sendmail_t reading a leaked file descriptor- Add interface to have admin transition /etc/prelink.cache to the proper label- Add sntp support to ntp policy- Allow firewalld to dbus chat with devicekit_power- Allow tuned to call lsblk- Allow tor to read /proc/sys/kernel/random/uuid- Add tor_can_network_relay boolean
* Wed Dec 05 2012 Miroslav Grepl 3.11.1-60- Add openshift_initrc_signal() interface- Fix typos- dspam port is treat as spamd_port_t- Allow setroubleshoot to getattr on all executables- Allow tuned to execute profiles scripts in /etc/tuned- Allow apache to create directories to store its log files- Allow all directories/files in /var/log starting with passenger to be labeled passenger_log_t- Looks like apache is sending sinal to openshift_initrc_t now,needs back port to RHEL6- Allow Postfix to be configured to listen on TCP port 10026 for email from DSPAM- Add filename transition for /etc/tuned/active_profile- Allow condor_master to send mails- Allow condor_master to read submit.cf- Allow condor_master to create /tmp files/dirs- Allow condor_mater to send sigkill to other condor domains- Allow condor_procd sigkill capability- tuned-adm wants to talk with tuned daemon- Allow kadmind and krb5kdc to also list sssd_public_t- Allow accountsd to dbus chat with init- Fix git_read_generic_system_content_files() interface- pppd wants sys_nice by nmcli because of \"syscall=sched_setscheduler\"- Fix mozilla_plugin_can_network_connect to allow to connect to all ports- Label all munin plugins which are not covered by munin plugins policy as unconfined_munin_plugin_exec_t- dspam wants to search /var/spool for opendkim data- Revert \"Add support for tcp/10026 port as dspam_port_t\"- Turning on labeled networking requires additional access for netlabel_peer_t; these allow rules need to be back ported to RHEL6- Allow all application domains to use fifo_files passed in from userdomains, also allow them to write to tmp_files inherited from userdomain- Allow systemd_tmpfiles_t to setattr on mandb_cache_t
* Sat Dec 01 2012 Miroslav Grepl 3.11.1-59- consolekit.pp was not removed from the postinstall script
* Fri Nov 30 2012 Miroslav Grepl 3.11.1-58- Add back consolekit policy- Silence bootloader trying to use inherited tty- Silence xdm_dbusd_t trying to execute telepathy apps- Fix shutdown avcs when machine has unconfined.pp disabled- The host and a virtual machine can share the same printer on a usb device- Change oddjob to transition to a ranged openshift_initr_exec_t when run from oddjob- Allow abrt_watch_log_t to execute bin_t- Allow chrome sandbox to write content in ~/.config/chromium- Dontaudit setattr on fontconfig dir for thumb_t- Allow lircd to request the kernel to load module- Make rsync as userdom_home_manager- Allow rsync to search automount filesystem- Add fixes for pacemaker
* Wed Nov 28 2012 Miroslav Grepl 3.11.1-57- Add support for 4567/tcp port- Random fixes from Tuomo Soini- xdm wants to get init status- Allow programs to run in fips_mode- Add interface to allow the reading of all blk device nodes- Allow init to relabel rpcbind sock_file- Fix labeling for lastlog and faillog related to logrotate- ALlow aeolus_configserver to use TRAM port- Add fixes for aeolus_configserver- Allow snmpd to connect to snmp port- Allow spamd_update to create spamd_var_lib_t directories- Allow domains that can read sssd_public_t files to also list the directory- Remove miscfiles_read_localization, this is defined for all domains
* Mon Nov 26 2012 Miroslav Grepl 3.11.1-56- Allow syslogd to request the kernel to load a module- Allow syslogd_t to read the network state information- Allow xdm_dbusd_t connect to the system DBUS- Add support for 7389/tcp port- Allow domains to read/write all inherited sockets- Allow staff_t to read kmsg- Add awstats_purge_apache_log boolean- Allow ksysguardproces to read /.config/Trolltech.conf- Allow passenger to create and append puppet log files- Add puppet_append_log and puppet_create_log interfaces- Add puppet_manage_log() interface- Allow tomcat domain to search tomcat_var_lib_t- Allow pki_tomcat_t to connect to pki_ca ports- Allow pegasus_t to have net_admin capability- Allow pegasus_t to write /sys/class/net//flags- Allow mailserver_delivery to manage mail_home_rw_t lnk_files- Allow fetchmail to create log files- Allow gnomeclock to manage home config in .kde- Allow bittlebee to read kernel sysctls- Allow logrotate to list /root
* Mon Nov 19 2012 Miroslav Grepl 3.11.1-55- Fix userhelper_console_role_template()- Allow enabling Network Access Point service using blueman- Make vmware_host_t as unconfined domain- Allow authenticate users in webaccess via squid, using mysql as backend- Allow gathers to get various metrics on mounted file systems- Allow firewalld to read /etc/hosts- Fix cron_admin_role() to make sysadm cronjobs running in the sysadm_t instead of cronjob_t- Allow kdumpgui to read/write to zipl.conf- Commands needed to get mock to build from staff_t in enforcing mode- Allow mdadm_t to manage cgroup files- Allow all daemons and systemprocesses to use inherited initrc_tmp_t files- dontaudit ifconfig_t looking at fifo_files that are leaked to it- Add lableing for Quest Authentication System
* Thu Nov 15 2012 Miroslav Grepl 3.11.1-54- Fix filetrans interface definitions- Dontaudit xdm_t to getattr on BOINC lib files- Add systemd_reload_all_services() interface- Dontaudit write access on /var/lib/net-snmp/mib_indexes - Only stop mcsuntrustedproc from relableing files- Allow accountsd to dbus chat with gdm- Allow realmd to getattr on all fs- Allow logrotate to reload all services- Add systemd unit file for radiusd- Allow winbind to create samba pid dir- Add labeling for /var/nmbd/unexpected- Allow chrome and mozilla plugin to connect to msnp ports
* Mon Nov 12 2012 Miroslav Grepl 3.11.1-53- Fix storage_rw_inherited_fixed_disk_dev() to cover also blk_file- Dontaudit setfiles reading /dev/random- On initial boot gnomeclock is going to need to be set buy gdm- Fix tftp_read_content() interface- Random apps looking at kernel file systems- Testing virt with lxc requiers additional access for virsh_t- New allow rules requied for latest libvirt, libvirt talks directly to journald,lxc setup tool needs compromize_kernel,and we need ipc_lock in the container- Allow MPD to read /dev/radnom- Allow sandbox_web_type to read logind files which needs to read pulseaudio- Allow mozilla plugins to read /dev/hpet- Add labeling for /var/lib/zarafa-webap- Allow BOINC client to use an HTTP proxy for all connections- Allow rhsmertd to domain transition to dmidecod- Allow setroubleshootd to send D-Bus msg to ABRT
* Thu Nov 08 2012 Miroslav Grepl 3.11.1-52- Define usbtty_device_t as a term_tty- Allow svnserve to accept a connection- Allow xend manage default virt_image_t type- Allow prelink_cron_system_t to overide user componant when executing cp- Add labeling for z-push- Gnomeclock sets the realtime clock- Openshift seems to be storing apache logs in /var/lib/openshift/.log/httpd- Allow lxc domains to use /dev/random and /dev/urandom
* Wed Nov 07 2012 Miroslav Grepl 3.11.1-51- Add port defintion for tcp/9000- Fix labeling for /usr/share/cluster/checkquorum to label also checkquorum.wdmd- Add rules and labeling for $HOME/cache/\\.gstreamer-.
* directory- Add support for CIM provider openlmi-networking which uses NetworkManager dbus API- Allow shorewall_t to create netlink_socket- Allow krb5admind to block suspend- Fix labels on /var/run/dlm_controld /var/log/dlm_controld- Allow krb5kdc to block suspend- gnomessytemmm_t needs to read /etc/passwd- Allow cgred to read all sysctls
* Tue Nov 06 2012 Miroslav Grepl 3.11.1-50- Allow all domains to read /proc/sys/vm/overcommit_memory- Make proc_numa_t an MLS Trusted Object- Add /proc/numactl support for confined users- Allow ssh_t to connect to any port > 1023- Add openvswitch domain- Pulseaudio tries to create directories in gnome_home_t directories- New ypbind pkg wants to search /var/run which is caused by sd_notify- Allow NM to read certs on NFS/CIFS using use_nfs_
*, use_samba_
* booleans- Allow sanlock to read /dev/random- Treat php-fpm with httpd_t- Allow domains that can read named_conf_t to be able to list the directories- Allow winbind to create sock files in /var/run/samba
* Thu Nov 01 2012 Miroslav Grepl 3.11.1-49- Add smsd policy- Add support for OpenShift sbin labelin- Add boolean to allow virt to use rawip- Allow mozilla_plugin to read all file systems with noxattrs support- Allow kerberos to write on anon_inodefs fs- Additional access required by fenced- Add filename transitions for passwd.lock/group.lock- UPdate man pages- Create coolkey directory in /var/cache with the correct label
* Tue Oct 30 2012 Miroslav Grepl 3.11.1-48- Fix label on /etc/group.lock- Allow gnomeclock to create lnk_file in /etc- label /root/.pki as a home_cert_t- Add interface to make sure rpcbind.sock is created with the correct label- Add definition for new directory /var/lib/os-probe and bootloader wants to read udev rules- opendkim should be a part of milter- Allow libvirt to set the kernel sched algorythm- Allow mongod to read sysfs_t- Add authconfig policy- Remove calls to miscfiles_read_localization all domains get this- Allow virsh_t to read /root/.pki/ content- Add label for log directory under /var/www/stickshift
* Mon Oct 29 2012 Miroslav Grepl 3.11.1-47- Allow getty to setattr on usb ttys- Allow sshd to search all directories for sshd_home_t content- Allow staff domains to send dbus messages to kdumpgui- Fix labels on /etc/.pwd.lock and friends to be passwd_file_t- Dontaudit setfiles reading urand- Add files_dontaudit_list_tmp() for domains to which we added sys_nice/setsched- Allow staff_gkeyringd_t to read /home/$USER/.local/share/keyrings dir- Allow systemd-timedated to read /dev/urandom- Allow entropyd_t to read proc_t (meminfo)- Add unconfined munin plugin- Fix networkmanager_read_conf() interface- Allow blueman to list /tmp which is needed by sys_nic/setsched- Fix label of /etc/mail/aliasesdb-stamp- numad is searching cgroups- realmd is communicating with networkmanager using dbus- Lots of fixes to try to get kdump to work
* Fri Oct 26 2012 Miroslav Grepl 3.11.1-46- Allow loging programs to dbus chat with realmd- Make apache_content_template calling as optional- realmd is using policy kit
* Fri Oct 26 2012 Miroslav Grepl 3.11.1-45- Add new selinuxuser_use_ssh_chroot boolean- dbus needs to be able to read/write inherited fixed disk device_t passed through it- Cleanup netutils process allow rule- Dontaudit leaked fifo files from openshift to ping- sanlock needs to read mnt_t lnk files- Fail2ban needs to setsched and sys_nice
* Wed Oct 24 2012 Miroslav Grepl 3.11.1-44- Change default label of all files in /var/run/rpcbind- Allow sandbox domains (java) to read hugetlbfs_t- Allow awstats cgi content to create tmp files and read apache log files- Allow setuid/setgid for cupsd-config- Allow setsched/sys_nice pro cupsd-config- Fix /etc/localtime sym link to be labeled locale_t- Allow sshd to search postgresql db t since this is a homedir- Allow xwindows users to chat with realmd- Allow unconfined domains to configure all files and null_device_t service
* Tue Oct 23 2012 Miroslav Grepl 3.11.1-43- Adopt pki-selinux policy
* Mon Oct 22 2012 Miroslav Grepl 3.11.1-42- pki is leaking which we dontaudit until a pki code fix- Allow setcap for arping- Update man pages- Add labeling for /usr/sbin/mcollectived- pki fixes- Allow smokeping to execute fping in the netutils_t domain
* Fri Oct 19 2012 Miroslav Grepl 3.11.1-41- Allow mount to relabelfrom unlabeled file systems- systemd_logind wants to send and receive messages from devicekit disk over dbus to make connected mouse working- Add label to get bin files under libreoffice labeled correctly- Fix interface to allow executing of base_ro_file_type- Add fixes for realmd- Update pki policy- Add tftp_homedir boolean- Allow blueman sched_setscheduler- openshift user domains wants to r/w ssh tcp sockets
* Wed Oct 17 2012 Miroslav Grepl 3.11.1-40- Additional requirements for disable unconfined module when booting- Fix label of systemd script files- semanage can use -F /dev/stdin to get input- syslog now uses kerberos keytabs- Allow xserver to compromise_kernel access- Allow nfsd to write to mount_var_run_t when running the mount command- Add filename transition rule for bin_t directories- Allow files to read usr_t lnk_files- dhcpc wants chown- Add support for new openshift labeling- Clean up for tunable+optional statements- Add labeling for /usr/sbin/mkhomedir_helper- Allow antivirus domain to managa amavis spool files- Allow rpcbind_t to read passwd - Allow pyzor running as spamc to manage amavis spool
* Tue Oct 16 2012 Miroslav Grepl 3.11.1-39- Add interfaces to read kernel_t proc info- Missed this version of exec_all- Allow anyone who can load a kernel module to compromise kernel- Add oddjob_dbus_chat to openshift apache policy- Allow chrome_sandbox_nacl_t to send signals to itself- Add unit file support to usbmuxd_t- Allow all openshift domains to read sysfs info- Allow openshift domains to getattr on all domains
* Fri Oct 12 2012 Miroslav Grepl 3.11.1-38- MLS fixes from Dan- Fix name of capability2 secure_firmware->compromise_kerne
* Thu Oct 11 2012 Miroslav Grepl 3.11.1-37- Allow xdm to search all file systems- Add interface to allow the config of all files- Add rngd policy- Remove kgpg as a gpg_exec_t type- Allow plymouthd to block suspend- Allow systemd_dbus to config any file- Allow system_dbus_t to configure all services- Allow freshclam_t to read usr_files- varnishd requires execmem to load modules
* Thu Oct 11 2012 Miroslav Grepl 3.11.1-36- Allow semanage to verify types- Allow sudo domain to execute user home files- Allow session_bus_type to transition to user_tmpfs_t- Add dontaudit caused by yum updates- Implement pki policy but not activated
* Wed Oct 10 2012 Miroslav Grepl 3.11.1-35- tuned wants to getattr on all filesystems- tuned needs also setsched. The build is needed for test day
* Wed Oct 10 2012 Miroslav Grepl 3.11.1-34- Add policy for qemu-qa- Allow razor to write own config files- Add an initial antivirus policy to collect all antivirus program- Allow qdisk to read usr_t- Add additional caps for vmware_host- Allow tmpfiles_t to setattr on mandb_cache_t- Dontaudit leaked files into mozilla_plugin_config_t- Allow wdmd to getattr on tmpfs- Allow realmd to use /dev/random- allow containers to send audit messages- Allow root mount any file via loop device with enforcing mls policy- Allow tmpfiles_t to setattr on mandb_cache_t- Allow tmpfiles_t to setattr on mandb_cache_t- Make userdom_dontaudit_write_all_ not allow open- Allow init scripts to read all unit files- Add support for saphostctrl ports
* Mon Oct 08 2012 Miroslav Grepl 3.11.1-33- Add kernel_read_system_state to sandbox_client_t- Add some of the missing access to kdumpgui- Allow systemd_dbusd_t to status the init system- Allow vmnet-natd to request the kernel to load a module- Allow gsf-office-thum to append .cache/gdm/session.log- realmd wants to read .config/dconf/user- Firewalld wants sys_nice/setsched- Allow tmpreaper to delete mandb cache files- Firewalld wants sys_nice/setsched- Allow firewalld to perform a DNS name resolution- Allown winbind to read /usr/share/samba/codepages/lowcase.dat- Add support for HTTPProxy
* in /etc/freshclam.conf- Fix authlogin_yubike boolean- Extend smbd_selinux man page to include samba booleans- Allow dhcpc to execute consoletype- Allow ping to use inherited tmp files created in init scripts- On full relabel with unconfined domain disabled, initrc was running some chcon\'s- Allow people who delete man pages to delete mandb cache files
* Thu Oct 04 2012 Miroslav Grepl 3.11.1-32- Add missing permissive domains
* Thu Oct 04 2012 Miroslav Grepl 3.11.1-31- Add new mandb policy- ALlow systemd-tmpfiles_t to relabel mandb_cache_t- Allow logrotate to start all unit files
* Thu Oct 04 2012 Miroslav Grepl 3.11.1-30- Add fixes for ctbd- Allow nmbd to stream connect to ctbd- Make cglear_t as nsswitch_domain- Fix bogus in interfaces- Allow openshift to read/write postfix public pipe- Add postfix_manage_spool_maildrop_files() interface- stickshift paths have been renamed to openshift- gnome-settings-daemon wants to write to /run/systemd/inhibit/ pipes- Update man pages, adding ENTRYPOINTS
* Tue Oct 02 2012 Miroslav Grepl 3.11.1-29- Add mei_device_t- Make sure gpg content in homedir created with correct label- Allow dmesg to write to abrt cache files- automount wants to search virtual memory sysctls- Add support for hplip logs stored in /var/log/hp/tmp- Add labeling for /etc/owncloud/config.php- Allow setroubleshoot to send analysys to syslogd-journal- Allow virsh_t to interact with new fenced daemon- Allow gpg to write to /etc/mail/spamassassiin directories- Make dovecot_deliver_t a mail server delivery type- Add label for /var/tmp/DNS25
* Thu Sep 27 2012 Miroslav Grepl 3.11.1-28- Fixes for tomcat_domain template interface
* Thu Sep 27 2012 Miroslav Grepl 3.11.1-27- Remove init_systemd and init_upstart boolean, Move init_daemon_domain and init_system_domain to use attributes- Add attribute to all base os types. Allow all domains to read all ro base OS types
* Wed Sep 26 2012 Miroslav Grepl 3.11.1-26- Additional unit files to be defined as power unit files- Fix more boolean names
* Tue Sep 25 2012 Miroslav Grepl 3.11.1-25- Fix boolean name so subs will continue to work
* Tue Sep 25 2012 Miroslav Grepl 3.11.1-24- dbus needs to start getty unit files- Add interface to allow system_dbusd_t to start the poweroff service- xdm wants to exec telepathy apps- Allow users to send messages to systemdlogind- Additional rules needed for systemd and other boot apps- systemd wants to list /home and /boot- Allow gkeyringd to write dbus/conf file- realmd needs to read /dev/urand- Allow readahead to delete /.readahead if labeled root_t, might get created before policy is loaded
* Thu Sep 20 2012 Miroslav Grepl 3.11.1-23- Fixes to safe more rules- Re-write tomcat_domain_template()- Fix passenger labeling- Allow all domains to read man pages- Add ephemeral_port_t to the \'generic\' port interfaces- Fix the names of postgresql booleans
* Tue Sep 18 2012 Miroslav Grepl 3.11.1-22- Stop using attributes form netlabel_peer and syslog, auth_use_nsswitch setsup netlabel_peer- Move netlable_peer check out of booleans- Remove call to recvfrom_netlabel for kerberos call- Remove use of attributes when calling syslog call - Move -miscfiles_read_localization to domain.te to save hundreds of allow rules- Allow all domains to read locale files. This eliminates around 1500 allow rules- Cleanup nis_use_ypbind_uncond interface- Allow rndc to block suspend- tuned needs to modify the schedule of the kernel- Allow svirt_t domains to read alsa configuration files- ighten security on irc domains and make sure they label content in homedir correctly- Add filetrans_home_content for irc files- Dontaudit all getattr access for devices and filesystems for sandbox domains- Allow stapserver to search cgroups directories- Allow all postfix domains to talk to spamd
* Mon Sep 17 2012 Miroslav Grepl 3.11.1-21- Add interfaces to ignore setattr until kernel fixes this to be checked after the DAC check- Change pam_t to pam_timestamp_t- Add dovecot_domain attribute and allow this attribute block_suspend capability2- Add sanlock_use_fusefs boolean- numad wants send/recieve msg- Allow rhnsd to send syslog msgs- Make piranha-pulse as initrc domain- Update openshift instances to dontaudit setattr until the kernel is fixed.
* Fri Sep 14 2012 Miroslav Grepl 3.11.1-20- Fix auth_login_pgm_domain() interface to allow domains also managed user tmp dirs because of #856880 related to pam_systemd- Remove pam_selinux.8 which conflicts with man page owned by the pam package- Allow glance-api to talk to mysql- ABRT wants to read Xorg.0.log if if it detects problem with Xorg- Fix gstreamer filename trans. interface
* Thu Sep 13 2012 Miroslav Grepl 3.11.1-19- Man page fixes by Dan Walsh
* Tue Sep 11 2012 Miroslav Grepl 3.11.1-18- Allow postalias to read postfix config files- Allow man2html to read man pages- Allow rhev-agentd to search all mountpoints- Allow rhsmcertd to read /dev/random- Add tgtd_stream_connect() interface- Add cyrus_write_data() interface- Dontaudit attempts by sandboxX clients connectiing to the xserver_port_t- Add port definition for tcp/81 as http_port_t- Fix /dev/twa labeling- Allow systemd to read modules config
* Mon Sep 10 2012 Miroslav Grepl 3.11.1-17- Merge openshift policy- Allow xauth to read /dev/urandom- systemd needs to relabel content in /run/systemd directories- Files unconfined should be able to perform all services on all files- Puppet tmp file can be leaked to all domains- Dontaudit rhsmcertd-worker to search /root/.local- Allow chown capability for zarafa domains- Allow system cronjobs to runcon into openshift domains- Allow virt_bridgehelper_t to manage content in the svirt_home_t labeled directories
* Fri Sep 07 2012 Miroslav Grepl 3.11.1-16- nmbd wants to create /var/nmbd- Stop transitioning out of anaconda and firstboot, just causes AVC messages- Allow clamscan to read /etc files- Allow bcfg2 to bind cyphesis port- heartbeat should be run as rgmanager_t instead of corosync_t- Add labeling for /etc/openldap/certs- Add labeling for /opt/sartest directory- Make crontab_t as userdom home reader- Allow tmpreaper to list admin_home dir- Add defition for imap_0 replay cache file- Add support for gitolite3- Allow virsh_t to send syslog messages- allow domains that can read samba content to be able to list the directories also- Add realmd_dbus_chat to allow all apps that use nsswitch to talk to realmd- Separate out sandbox from sandboxX policy so we can disable it by default- Run dmeventd as lvm_t- Mounting on any directory requires setattr and write permissions- Fix use_nfs_home_dirs() boolean- New labels for pam_krb5- Allow init and initrc domains to sys_ptrace since this is needed to look at processes not owned by uid 0- Add realmd_dbus_chat to allow all apps that use nsswitch to talk to realmd
* Fri Aug 31 2012 Dan Walsh 3.11.1-15- Separate sandbox policy into sandbox and sandboxX, and disable sandbox by default on fresh installs- Allow domains that can read etc_t to read etc_runtime_t - Allow all domains to use inherited tmpfiles
* Wed Aug 29 2012 Miroslav Grepl 3.11.1-14- Allow realmd to read resolv.conf- Add pegasus_cache_t type- Label /usr/sbin/fence_virtd as virsh_exec_t- Add policy for pkcsslotd- Add support for cpglockd- Allow polkit-agent-helper to read system-auth-ac- telepathy-idle wants to read gschemas.compiled- Allow plymouthd to getattr on fs_t- Add slpd policy- Allow ksysguardproces to read/write config_usr_t
* Sat Aug 25 2012 Dan Walsh 3.11.1-13- Fix labeling substitution so rpm will label /lib/systemd content correctly
* Fri Aug 24 2012 Miroslav Grepl 3.11.1-12- Add file name transitions for ttyACM0- spice-vdagent(d)\'s are going to log over to syslog- Add sensord policy- Add more fixes for passenger policy related to puppet- Allow wdmd to create wdmd_tmpfs_t- Fix labeling for /var/run/cachefilesd\\.pid- Add thumb_tmpfs_t files type
* Mon Aug 20 2012 Miroslav Grepl 3.11.1-11- Allow svirt domains to manage the network since this is containerized- Allow svirt_lxc_net_t to send audit messages
* Mon Aug 20 2012 Miroslav Grepl 3.11.1-10- Make \"snmpwalk -mREDHAT-CLUSTER-MIB ....\" working- Allow dlm_controld to execute dlm_stonith labeled as bin_t- Allow GFS2 working on F17- Abrt needs to execute dmesg- Allow jockey to list the contents of modeprobe.d- Add policy for lightsquid as squid_cron_t- Mailscanner is creating files and directories in /tmp- dmesg is now reading /dev/kmsg- Allow xserver to communicate with secure_firmware- Allow fsadm tools (fsck) to read /run/mount contnet- Allow sysadm types to read /dev/kmsg-
* Thu Aug 16 2012 Dan Walsh 3.11.1-9- Allow postfix, sssd, rpcd to block_suspend- udev seems to need secure_firmware capability- Allow virtd to send dbus messages to firewalld so it can configure the firewall
* Thu Aug 16 2012 Dan Walsh 3.11.1-8- Fix labeling of content in /run created by virsh_t- Allow condor domains to read kernel sysctls- Allow condor_master to connect to amqp- Allow thumb drives to create shared memory and semaphores- Allow abrt to read mozilla_plugin config files- Add labels for lightsquid- Default files in /opt and /usr that end in .cgi as httpd_sys_script_t, allow- dovecot_auth_t uses ldap for user auth- Allow domains that can read dhcp_etc_t to read lnk_files- Add more then one watchdog device- Allow useradd_t to manage etc_t files so it can rename it and edit them- Fix invalid class dir should be fifo_file- Move /run/blkid to fsadm and make sure labeling is correct
* Tue Aug 14 2012 Dan Walsh 3.11.1-7- Fix bogus regex found by eparis- Fix manage run interface since lvm needs more access- syslogd is searching cgroups directory- Fixes to allow virt-sandbox-service to manage lxc var run content
* Mon Aug 13 2012 Dan Walsh 3.11.1-6- Fix Boolean settings- Add new libjavascriptcoregtk as textrel_shlib_t- Allow xdm_t to create xdm_home_t directories- Additional access required for systemd- Dontaudit mozilla_plugin attempts to ipc_lock- Allow tmpreaper to delete unlabeled files- Eliminate screen_tmp_t and allow it to manage user_tmp_t- Dontaudit mozilla_plugin_config_t to append to leaked file descriptors- Allow web plugins to connect to the asterisk ports- Condor will recreate the lock directory if it does not exist- Oddjob mkhomedir needs to connectto user processes- Make oddjob_mkhomedir_t a userdom home manager
* Thu Aug 09 2012 Miroslav Grepl 3.11.1-5- Put placeholder back in place for proper numbering of capabilities- Systemd also configures init scripts
* Thu Aug 09 2012 Miroslav Grepl 3.11.1-4- Fix ecryptfs interfaces- Bootloader seems to be trolling around /dev/shm and /dev- init wants to create /etc/systemd/system-update.target.wants- Fix systemd_filetrans call to move it out of tunable- Fix up policy to work with systemd userspace manager- Add secure_firmware capability and remove bogus epolwakeup- Call seutil_
*_login_config interfaces where should be needed- Allow rhsmcertd to send signal to itself- Allow thin domains to send signal to itself- Allow Chrome_ChildIO to read dosfs_t
* Tue Aug 07 2012 Miroslav Grepl 3.11.1-3- Add role rules for realmd, sambagui
* Tue Aug 07 2012 Miroslav Grepl 3.11.1-2- Add new type selinux_login_config_t for /etc/selinux//logins/- Additional fixes for seutil_manage_module_store()- dbus_system_domain() should be used with optional_policy- Fix svirt to be allowed to use fusefs file system- Allow login programs to read /run/ data created by systemd_login- sssd wants to write /etc/selinux//logins/ for SELinux PAM module- Fix svirt to be allowed to use fusefs file system- Allow piranha domain to use nsswitch- Sanlock needs to send Kill Signals to non root processes- Pulseaudio wants to execute /run/user/PID/.orc
* Fri Aug 03 2012 Miroslav Grepl 3.11.1-1- Fix saslauthd when it tries to read /etc/shadow- Label gnome-boxes as a virt homedir- Need to allow svirt_t ability to getattr on nfs_t file systems- Update sanlock policy to solve all AVC\'s- Change confined users can optionally manage virt content- Handle new directories under ~/.cache- Add block suspend to appropriate domains- More rules required for containers- Allow login programs to read /run/ data created by systemd_logind- Allow staff users to run svirt_t processes
* Thu Aug 02 2012 Miroslav Grepl 3.11.1-0- Update to upstream
* Mon Jul 30 2012 Miroslav Grepl 3.11.0-15- More fixes for systemd to make rawhide booting from Dan Walsh
* Mon Jul 30 2012 Miroslav Grepl 3.11.0-14- Add systemd fixes to make rawhide booting
* Fri Jul 27 2012 Miroslav Grepl 3.11.0-13- Add systemd_logind_inhibit_var_run_t attribute- Remove corenet_all_recvfrom_unlabeled() for non-contrib policies because we moved it to domain.if for all domain_type- Add interface for mysqld to dontaudit signull to all processes- Label new /var/run/journal directory correctly- Allow users to inhibit suspend via systemd- Add new type for the /var/run/inhibit directory- Add interface to send signull to systemd_login so avahi can send them- Allow systemd_passwd to send syslog messages- Remove corenet_all_recvfrom_unlabeled() calling fro policy files- Allow editparams.cgi running as httpd_bugzilla_script_t to read /etc/group- Allow smbd to read cluster config- Add additional labeling for passenger- Allow dbus to inhibit suspend via systemd- Allow avahi to send signull to systemd_login
* Mon Jul 23 2012 Miroslav Grepl 3.11.0-12- Add interface to dontaudit getattr access on sysctls- Allow sshd to execute /bin/login- Looks like xdm is recreating the xdm directory in ~/.cache/ on login- Allow syslog to use the leaked kernel_t unix_dgram_socket from system-jounald- Fix semanage to work with unconfined domain disabled on F18- Dontaudit attempts by mozilla plugins to getattr on all kernel sysctls- Virt seems to be using lock files- Dovecot seems to be searching directories of every mountpoint- Allow jockey to read random/urandom, execute shell and install third-party drivers- Add aditional params to allow cachedfiles to manage its content- gpg agent needs to read /dev/random- The kernel hands an svirt domains /SYSxxxxx which is a tmpfs that httpd wants to read and write- Add a bunch of dontaudit rules to quiet svirt_lxc domains- Additional perms needed to run svirt_lxc domains- Allow cgclear to read cgconfig- Allow sys_ptrace capability for snmp- Allow freshclam to read /proc- Allow procmail to manage /home/user/Maildir content- Allow NM to execute wpa_cli- Allow amavis to read clamd system state- Regenerate man pages
* Sat Jul 21 2012 Fedora Release Engineering - 3.11.0-11- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild
* Mon Jul 16 2012 Miroslav Grepl 3.11.0-10- Add realmd and stapserver policies- Allow useradd to manage stap-server lib files- Tighten up capabilities for confined users- Label /etc/security/opasswd as shadow_t- Add label for /dev/ecryptfs- Allow condor_startd_t to start sshd with the ranged- Allow lpstat.cups to read fips_enabled file- Allow pyzor running as spamc_t to create /root/.pyzor directory- Add labelinf for amavisd-snmp init script- Add support for amavisd-snmp- Allow fprintd sigkill self- Allow xend (w/o libvirt) to start virtual machines- Allow aiccu to read /etc/passwd- Allow condor_startd to Make specified domain MCS trusted for setting any category set for the processes it executes- Add condor_startd_ranged_domtrans_to() interface- Add ssd_conf_t for /etc/sssd- accountsd needs to fchown some files/directories- Add ICACLient and zibrauserdata as mozilla_filetrans_home_content- SELinux reports afs_t needs dac_override to read /etc/mtab, even though everything works, adding dontaudit- Allow xend_t to read the /etc/passwd file
* Wed Jul 11 2012 Miroslav Grepl 3.11.0-9- Until we figure out how to fix systemd issues, allow all apps that send syslog messages to send them to kernel_t- Add init_access_check() interface- Fix label on /usr/bin/pingus to not be labeled as ping_exec_t- Allow tcpdump to create a netlink_socket- Label newusers like useradd- Change xdm log files to be labeled xdm_log_t- Allow sshd_t with privsep to work in MLS- Allow freshclam to update databases thru HTTP proxy- Allow s-m-config to access check on systemd- Allow abrt to read public files by default- Fix amavis_create_pid_files() interface- Add labeling and filename transition for dbomatic.log- Allow system_dbusd_t to stream connect to bluetooth, and use its socket- Allow amavisd to execute fsav- Allow tuned to use sys_admin and sys_nice capabilities- Add php-fpm policy from Bryan- Add labeling for aeolus-configserver-thinwrapper- Allow thin domains to execute shell- Fix gnome_role_gkeyringd() interface description- Lot of interface fixes- Allow OpenMPI job running as condor_startd_ssh_t to manage condor lib files- Allow OpenMPI job to use kerberos- Make deltacloudd_t as nsswitch_domain- Allow xend_t to run lsscsi- Allow qemu-dm running as xend_t to create tun_socket- Add labeling for /opt/brother/Printers(.
*/)?inf- Allow jockey-backend to read pyconfig-64.h labeled as usr_t- Fix clamscan_can_scan_system boolean- Allow lpr to connectto to /run/user/$USER/keyring-22uREb/pkcs11
* Tue Jul 03 2012 Miroslav Grepl 3.11.0-8- initrc is calling exportfs which is not confined so it attempts to read nfsd_files- Fixes for passenger running within openshift.- Add labeling for all tomcat6 dirs- Add support for tomcat6- Allow cobblerd to read /etc/passwd- Allow jockey to read sysfs and and execute binaries with bin_t- Allow thum to use user terminals- Allow cgclear to read cgconfig config files- Fix bcf2g.fc- Remove sysnet_dns_name_resolve() from policies where auth_use_nsswitch() is used for other domains- Allow dbomatic to execute ruby- abrt_watch_log should be abrt_domain- Allow mozilla_plugin to connect to gatekeeper port
* Wed Jun 27 2012 Miroslav Grepl 3.11.0-7- add ptrace_child access to process- remove files_read_etc_files() calling from all policies which have auth_use_nsswith()- Allow boinc domains to manage boinc_lib_t lnk_files- Add support for boinc-client.service unit file- Add support for boinc.log- Allow mozilla_plugin execmod on mozilla home files if allow_ex- Allow dovecot_deliver_t to read dovecot_var_run_t- Allow ldconfig and insmod to manage kdumpctl tmp files- Move thin policy out from cloudform.pp and add a new thin poli- pacemaker needs to communicate with corosync streams- abrt is now started on demand by dbus- Allow certmonger to talk directly to Dogtag servers- Change labeling for /var/lib/cobbler/webui_sessions to httpd_c- Allow mozila_plugin to execute gstreamer home files- Allow useradd to delete all file types stored in the users hom- rhsmcertd reads the rpm database- Add support for lightdm
* Mon Jun 25 2012 Miroslav Grepl 3.11.0-6- Add tomcat policy- Remove pyzor/razor policy- rhsmcertd reads the rpm database- Dontaudit thumb to setattr on xdm_tmp dir- Allow wicd to execute ldconfig in the networkmanager_t domain- Add /var/run/cherokee\\.pid labeling- Allow mozilla_plugin to create mozilla_plugin_tmp_t lnk files too- Allow postfix-master to r/w pipes other postfix domains- Allow snort to create netlink_socket- Add kdumpctl policy- Allow firstboot to create tmp_t files/directories- /usr/bin/paster should not be labeled as piranha_exec_t- remove initrc_domain from tomcat- Allow ddclient to read /etc/passwd- Allow useradd to delete all file types stored in the users homedir- Allow ldconfig and insmod to manage kdumpctl tmp files- Firstboot should be just creating tmp_t dirs and xauth should be allowed to write to those- Transition xauth files within firstboot_tmp_t- Fix labeling of /run/media to match /media- Label all lxdm.log as xserver_log_t- Add port definition for mxi port- Allow local_login_t to execute tmux
* Tue Jun 19 2012 Miroslav Grepl 3.11.0-5- apcupsd needs to read /etc/passwd- Sanlock allso sends sigkill- Allow glance_registry to connect to the mysqld port- Dontaudit mozilla_plugin trying to getattr on /dev/gpmctl- Allow firefox plugins/flash to connect to port 1234- Allow mozilla plugins to delete user_tmp_t files- Add transition name rule for printers.conf.O- Allow virt_lxc_t to read urand- Allow systemd_loigind to list gstreamer_home_dirs- Fix labeling for /usr/bin- Fixes for cloudform services
* support FIPS- Allow polipo to work as web caching- Allow chfn to execute tmux
* Fri Jun 15 2012 Miroslav Grepl 3.11.0-4- Add support for ecryptfs
* ecryptfs does not support xattr
* we need labeling for HOMEDIR- Add policy for (u)mount.ecryptfs
*- Fix labeling of kerbero host cache files, allow rpc.svcgssd to manage host cache- Allow dovecot to manage Maildir content, fix transitions to Maildir- Allow postfix_local to transition to dovecot_deliver- Dontaudit attempts to setattr on xdm_tmp_t, looks like bogus code- Cleanup interface definitions- Allow apmd to change with the logind daemon- Changes required for sanlock in rhel6- Label /run/user/apache as httpd_tmp_t- Allow thumb to use lib_t as execmod if boolean turned on- Allow squid to create the squid directory in /var with the correct labe- Add a new policy for glusterd from Bryan Bickford (bbickforAATTredhat.com)- Allow virtd to exec xend_exec_t without transition- Allow virtd_lxc_t to unmount all file systems
* Tue Jun 12 2012 Miroslav Grepl 3.11.0-3- PolicyKit path has changed- Allow httpd connect to dirsrv socket- Allow tuned to write generic kernel sysctls- Dontaudit logwatch to gettr on /dev/dm-2- Allow policykit-auth to manage kerberos files- Make condor_startd and rgmanager as initrc domain- Allow virsh to read /etc/passwd- Allow mount to mount on user_tmp_t for /run/user/dwalsh/gvfs- xdm now needs to execute xsession_exec_t- Need labels for /var/lib/gdm- Fix files_filetrans_named_content() interface- Add new attribute - initrc_domain- Allow systemd_logind_t to signal, signull, sigkill all processes- Add filetrans rules for etc_runtime files
* Sat Jun 09 2012 Miroslav Grepl 3.11.0-2- Rename boolean names to remove allow_
* Thu Jun 07 2012 Miroslav Grepl 3.11.0-1- Mass merge with upstream
* new policy topology to include contrib policy modules
* we have now two base policy patches
* Wed May 30 2012 Miroslav Grepl 3.10.0-128- Fix description of authlogin_nsswitch_use_ldap- Fix transition rule for rhsmcertd_t needed for RHEL7- Allow useradd to list nfs state data- Allow openvpn to manage its log file and directory- We want vdsm to transition to mount_t when executing mount command to make sure /etc/mtab remains labeled correctly- Allow thumb to use nvidia devices- Allow local_login to create user_tmp_t files for kerberos- Pulseaudio needs to read systemd_login /var/run content- virt should only transition named system_conf_t config files- Allow munin to execute its plugins- Allow nagios system plugin to read /etc/passwd- Allow plugin to connect to soundd port- Fix httpd_passwd to be able to ask passwords- Radius servers can use ldap for backing store- Seems to need to mount on /var/lib for xguest polyinstatiation to work.- Allow systemd_logind to list the contents of gnome keyring- VirtualGL need xdm to be able to manage content in /etc/opt/VirtualGL- Add policy for isns-utils
* Mon May 28 2012 Miroslav Grepl 3.10.0-127- Add policy for subversion daemon- Allow boinc to read passwd- Allow pads to read kernel network state- Fix man2html interface for sepolgen-ifgen- Remove extra /usr/lib/systemd/system/smb- Remove all /lib/systemd and replace with /usr/lib/systemd- Add policy for man2html- Fix the label of kerberos_home_t to krb5_home_t- Allow mozilla plugins to use Citrix- Allow tuned to read /proc/sys/kernel/nmi_watchdog- Allow tune /sys options via systemd\'s tmpfiles.d \"w\" type
* Wed May 23 2012 Miroslav Grepl 3.10.0-126- Dontaudit lpr_t to read/write leaked mozilla tmp files- Add file name transition for .grl-podcasts directory- Allow corosync to read user tmp files- Allow fenced to create snmp lib dirs/files- More fixes for sge policy- Allow mozilla_plugin_t to execute any application- Allow dbus to read/write any open file descriptors to any non security file on the system that it inherits to that it can pass them to another domain- Allow mongod to read system state information- Fix wrong type, we should dontaudit sys_admin for xdm_t not xserver_t- Allow polipo to manage polipo_cache dirs- Add jabbar_client port to mozilla_plugin_t- Cleanup procmail policy- system bus will pass around open file descriptors on files that do not have labels on them- Allow l2tpd_t to read system state- Allow tuned to run ls /dev- Allow sudo domains to read usr_t files- Add label to machine-id - Fix corecmd_read_bin_symlinks cut and paste error
* Wed May 16 2012 Miroslav Grepl 3.10.0-125- Fix pulseaudio port definition- Add labeling for condor_starter- Allow chfn_t to creat user_tmp_files- Allow chfn_t to execute bin_t- Allow prelink_cron_system_t to getpw calls- Allow sudo domains to manage kerberos rcache files- Allow user_mail_domains to work with courie- Port definitions necessary for running jboss apps within openshift- Add support for openstack-nova-metadata-api- Add support for nova-console
*- Add support for openstack-nova-xvpvncproxy- Fixes to make privsep+SELinux working if we try to use chage to change passwd- Fix auth_role() interface- Allow numad to read sysfs- Allow matahari-rpcd to execute shell- Add label for ~/.spicec- xdm is executing lspci as root which is requesting a sys_admin priv but seems to succeed without it- Devicekit_disk wants to read the logind sessions file when writing a cd- Add fixes for condor to make condor jobs working correctly- Change label of /var/log/rpmpkgs to cron_log_t- Access requires to allow systemd-tmpfiles --create to work.- Fix obex to be a user application started by the session bus.- Add additional filename trans rules for kerberos- Fix /var/run/heartbeat labeling- Allow apps that are managing rcache to file trans correctly- Allow openvpn to authenticate against ldap server- Containers need to listen to network starting and stopping events
* Wed May 09 2012 Miroslav Grepl 3.10.0-124- Make systemd unit files less specific
* Tue May 08 2012 Miroslav Grepl 3.10.0-123- Fix zarafa labeling- Allow guest_t to fix labeling- corenet_tcp_bind_all_unreserved_ports(ssh_t) should be called with the user_tcp_server boolean- add lxc_contexts- Allow accountsd to read /proc- Allow restorecond to getattr on all file sytems- tmpwatch now calls getpw- Allow apache daemon to transition to pwauth domain- Label content under /var/run/user/NAME/keyring
* as gkeyringd_tmp_t- The obex socket seems to be a stream socket- dd label for /var/run/nologin
* Mon May 07 2012 Miroslav Grepl 3.10.0-122- Allow jetty running as httpd_t to read hugetlbfs files- Allow sys_nice and setsched for rhsmcertd- Dontaudit attempts by mozilla_plugin_t to bind to ssdp ports- Allow setfiles to append to xdm_tmp_t- Add labeling for /export as a usr_t directory- Add labels for .grl files created by gstreamer
* Fri May 04 2012 Miroslav Grepl 3.10.0-121- Add labeling for /usr/share/jetty/bin/jetty.sh- Add jetty policy which contains file type definitios- Allow jockey to use its own fifo_file and make this the default for all domains- Allow mozilla_plugins to use spice (vnc_port/couchdb)- asterisk wants to read the network state- Blueman now uses /var/lib/blueman- Add label for nodejs_debug- Allow mozilla_plugin_t to create ~/.pki directory and content
* Wed May 02 2012 Miroslav Grepl 3.10.0-120- Add clamscan_can_scan_system boolean- Allow mysqld to read kernel network state- Allow sshd to read/write condor lib files- Allow sshd to read/write condor-startd tcp socket- Fix description on httpd_graceful_shutdown- Allow glance_registry to communicate with mysql- dbus_system_domain is using systemd to lauch applications- add interfaces to allow domains to send kill signals to user mail agents- Remove unnessary access for svirt_lxc domains, add privs for virtd_lxc_t- Lots of new access required for secure containers- Corosync needs sys_admin capability- ALlow colord to create shm- .orc should be allowed to be created by any app that can create gstream home content, thumb_t to be specific- Add boolean to control whether or not mozilla plugins can create random content in the users homedir- Add new interface to allow domains to list msyql_db directories, needed for libra- shutdown has to be allowed to delete etc_runtime_t- Fail2ban needs to read /etc/passwd- Allow ldconfig to create /var/cache/ldconfig- Allow tgtd to read hardware state information- Allow collectd to create packet socket- Allow chronyd to send signal to itself- Allow collectd to read /dev/random- Allow collectd to send signal to itself- firewalld needs to execute restorecon- Allow restorecon and other login domains to execute restorecon
* Tue Apr 24 2012 Miroslav Grepl 3.10.0-119- Allow logrotate to getattr on systemd unit files- Add support for tor systemd unit file- Allow apmd to create /var/run/pm-utils with the correct label- Allow l2tpd to send sigkill to pppd- Allow pppd to stream connect to l2tpd- Add label for scripts in /etc/gdm/- Allow systemd_logind_t to ignore mcs constraints on sigkill- Fix files_filetrans_system_conf_named_files() interface- Add labels for /usr/share/wordpress/wp-includes/
*.php- Allow cobbler to get SELinux mode and booleans
* Mon Apr 23 2012 Miroslav Grepl 3.10.0-118- Add unconfined_execmem_exec_t as an alias to bin_t- Allow fenced to read snmp var lib files, also allow it to read usr_t- ontaudit access checks on all executables from mozilla_plugin- Allow all user domains to setexec, so that sshd will work properly if it call setexec(NULL) while running withing a user mode- Allow systemd_tmpfiles_t to getattr all pipes and sockets- Allow glance-registry to send system log messages- semanage needs to manage mock lib files/dirs
* Sun Apr 22 2012 Miroslav Grepl 3.10.0-117- Add policy for abrt-watch-log- Add definitions for jboss_messaging ports- Allow systemd_tmpfiles to manage printer devices- Allow oddjob to use nsswitch- Fix labeling of log files for postgresql- Allow mozilla_plugin_t to execmem and execstack by default- Allow firewalld to execute shell- Fix /etc/wicd content files to get created with the correct label- Allow mcelog to exec shell- Add ~/.orc as a gstreamer_home_t- /var/spool/postfix/lib64 should be labeled lib_t- mpreaper should be able to list all file system labeled directories- Add support for apache to use openstack- Add labeling for /etc/zipl.conf and zipl binary- Turn on allow_execstack and turn off telepathy transition for final release
* Mon Apr 16 2012 Miroslav Grepl 3.10.0-116- More access required for virt_qmf_t- Additional assess required for systemd-logind to support multi-seat- Allow mozilla_plugin to setrlimit- Revert changes to fuse file system to stop deadlock
* Mon Apr 16 2012 Miroslav Grepl 3.10.0-115- Allow condor domains to connect to ephemeral ports- More fixes for condor policy- Allow keystone to stream connect to mysqld- Allow mozilla_plugin_t to read generic USB device to support GPS devices- Allow thum to file name transition gstreamer home content- Allow thum to read all non security files- Allow glance_api_t to connect to ephemeral ports- Allow nagios plugins to read /dev/urandom- Allow syslogd to search postfix spool to support postfix chroot env- Fix labeling for /var/spool/postfix/dev- Allow wdmd chown- Label .esd_auth as pulseaudio_home_t- Have no idea why keyring tries to write to /run/user/dwalsh/dconf/user, but we can dontaudit for now
* Fri Apr 13 2012 Miroslav Grepl 3.10.0-114- Add support for clamd+systemd- Allow fresclam to execute systemctl to handle clamd- Change labeling for /usr/sbin/rpc.ypasswd.env - Allow yppaswd_t to execute yppaswd_exec_t - Allow yppaswd_t to read /etc/passwd- Gnomekeyring socket has been moved to /run/user/USER/- Allow samba-net to connect to ldap port- Allow signal for vhostmd- allow mozilla_plugin_t to read user_home_t socket- New access required for secure Linux Containers- zfs now supports xattrs- Allow quantum to execute sudo and list sysfs- Allow init to dbus chat with the firewalld- Allow zebra to read /etc/passwd
* Tue Apr 10 2012 Miroslav Grepl 3.10.0-113- Allow svirt_t to create content in the users homedir under ~/.libvirt- Fix label on /var/lib/heartbeat- Allow systemd_logind_t to send kill signals to all processes started by a user- Fuse now supports Xattr Support
* Tue Apr 10 2012 Miroslav Grepl 3.10.0-112- upowered needs to setsched on the kernel- Allow mpd_t to manage log files- Allow xdm_t to create /var/run/systemd/multi-session-x- Add rules for missedfont.log to be used by thumb.fc- Additional access required for virt_qmf_t- Allow dhclient to dbus chat with the firewalld- Add label for lvmetad- Allow systemd_logind_t to remove userdomain sock_files- Allow cups to execute usr_t files- Fix labeling on nvidia shared libraries- wdmd_t needs access to sssd and /etc/passwd- Add boolean to allow ftp servers to run in passive mode- Allow namepspace_init_t to relabelto/from a different user system_u from the user the namespace_init running with- Fix using httpd_use_fusefs- Allow chrome_sandbox_nacl to write inherited user tmp files as we allow it for chrome_sandbox
* Fri Apr 06 2012 Miroslav Grepl 3.10.0-111- Rename rdate port to time port, and allow gnomeclock to connect to it- We no longer need to transition to ldconfig from rpm, rpm_script, or anaconda- /etc/auto.
* should be labeled bin_t- Add httpd_use_fusefs boolean- Add fixes for heartbeat- Allow sshd_t to signal processes that it transitions to- Add condor policy- Allow svirt to create monitors in ~/.libvirt- Allow dovecot to domtrans sendmail to handle sieve scripts- Lot of fixes for cfengine
* Tue Apr 03 2012 Miroslav Grepl 3.10.0-110- /var/run/postmaster.
* labeling is no longer needed- Alllow drbdadmin to read /dev/urandom- l2tpd_t seems to use ptmx- group+ and passwd+ should be labeled as /etc/passwd- Zarafa-indexer is a socket
* Fri Mar 30 2012 Miroslav Grepl 3.10.0-109- Ensure lastlog is labeled correctly- Allow accountsd to read /proc data about gdm- Add fixes for tuned- Add bcfg2 fixes which were discovered during RHEL6 testing- More fixes for gnome-keyring socket being moved- Run semanage as a unconfined domain, and allow initrc_t to create tmpfs_t sym links on shutdown- Fix description for files_dontaudit_read_security_files() interface
* Wed Mar 28 2012 Miroslav Grepl 3.10.0-108- Add new policy and man page for bcfg2- cgconfig needs to use getpw calls- Allow domains that communicate with the keyring to use cache_home_t instead of gkeyringd_tmpt- gnome-keyring wants to create a directory in cache_home_t- sanlock calls getpw
* Wed Mar 28 2012 Miroslav Grepl 3.10.0-107- Add numad policy and numad man page- Add fixes for interface bugs discovered by SEWatch- Add /tmp support for squid- Add fix for #799102
* change default labeling for /var/run/slapd.
* sockets- Make thumb_t as userdom_home_reader- label /var/lib/sss/mc same as pubconf, so getpw domains can read it- Allow smbspool running as cups_t to stream connect to nmbd- accounts needs to be able to execute passwd on behalf of users- Allow systemd_tmpfiles_t to delete boot flags- Allow dnssec_trigger to connect to apache ports- Allow gnome keyring to create sock_files in ~/.cache- google_authenticator is using .google_authenticator- sandbox running from within firefox is exposing more leaks- Dontaudit thumb to read/write /dev/card0- Dontaudit getattr on init_exec_t for gnomeclock_t- Allow certmonger to do a transition to certmonger_unconfined_t- Allow dhcpc setsched which is caused by nmcli- Add rpm_exec_t for /usr/sbin/bcfg2- system cronjobs are sending dbus messages to systemd_logind- Thumnailers read /dev/urand
* Thu Mar 22 2012 Miroslav Grepl 3.10.0-106- Allow auditctl getcap- Allow vdagent to use libsystemd-login- Allow abrt-dump-oops to search /etc/abrt- Got these avc\'s while trying to print a boarding pass from firefox- Devicekit is now putting the media directory under /run/media- Allow thumbnailers to create content in ~/.thumbails directory- Add support for proL2TPd by Dominick Grift- Allow all domains to call getcap- wdmd seems to get a random chown capability check that it does not need- Allow vhostmd to read kernel sysctls
* Wed Mar 21 2012 Miroslav Grepl 3.10.0-105- Allow chronyd to read unix- Allow hpfax to read /etc/passwd- Add support matahari vios-proxy-
* apps and add virtd_exec_t label for them- Allow rpcd to read quota_db_t- Update to man pages to match latest policy- Fix bug in jockey interface for sepolgen-ifgen- Add initial svirt_prot_exec_t policy
* Mon Mar 19 2012 Miroslav Grepl 3.10.0-104- More fixes for systemd from Dan Walsh
* Mon Mar 19 2012 Miroslav Grepl 3.10.0-103- Add a new type for /etc/firewalld and allow firewalld to write to this directory- Add definition for ~/Maildir, and allow mail deliver domains to write there- Allow polipo to run from a cron job- Allow rtkit to schedule wine processes- Allow mozilla_plugin_t to acquire a bug, and allow it to transition gnome content in the home dir to the proper label- Allow users domains to send signals to consolehelper domains
* Fri Mar 16 2012 Miroslav Grepl 3.10.0-102- More fixes for boinc policy- Allow polipo domain to create its own cache dir and pid file- Add systemctl support to httpd domain- Add systemctl support to polipo, allow NetworkManager to manage the service- Add policy for jockey-backend- Add support for motion daemon which is now covered by zoneminder policy- Allow colord to read/write motion tmpfs- Allow vnstat to search through var_lib_t directories- Stop transitioning to quota_t, from init an sysadm_t
* Wed Mar 14 2012 Miroslav Grepl 3.10.0-101- Add svirt_lxc_file_t as a customizable type
* Wed Mar 14 2012 Miroslav Grepl 3.10.0-100- Add additional fixes for icmp nagios plugin- Allow cron jobs to open fifo_files from cron, since service script opens /dev/stdin- Add certmonger_unconfined_exec_t- Make sure tap22 device is created with the correct label- Allow staff users to read systemd unit files- Merge in previously built policy- Arpwatch needs to be able to start netlink sockets in order to start- Allow cgred_t to sys_ptrace to look at other DAC Processes
* Mon Mar 12 2012 Miroslav Grepl 3.10.0-99- Back port some of the access that was allowed in nsplugin_t- Add definitiona for couchdb ports- Allow nagios to use inherited users ttys- Add git support for mock- Allow inetd to use rdate port- Add own type for rdate port- Allow samba to act as a portmapper- Dontaudit chrome_sandbox attempts to getattr on chr_files in /dev- New fixes needed for samba4- Allow apps that use lib_t to read lib_t symlinks
* Fri Mar 09 2012 Miroslav Grepl 3.10.0-98- Add policy for nove-cert- Add labeling for nova-openstack systemd unit files- Add policy for keystoke
* Thu Mar 08 2012 Miroslav Grepl 3.10.0-97- Fix man pages fro domains- Add man pages for SELinux users and roles- Add storage_dev_filetrans_named_fixed_disk() and use it for smartmon- Add policy for matahari-rpcd- nfsd executes mount command on restart- Matahari domains execute renice and setsched- Dontaudit leaked tty in mozilla_plugin_config- mailman is changing to a per instance naming- Add 7600 and 4447 as jboss_management ports- Add fixes for nagios event handlers- Label httpd.event as httpd_exec_t, it is an apache daemon
* Mon Mar 05 2012 Miroslav Grepl 3.10.0-96- Add labeling for /var/spool/postfix/dev/log- NM reads sysctl.conf- Iscsi log file context specification fix- Allow mozilla plugins to send dbus messages to user domains that transition to it- Allow mysql to read the passwd file- Allow mozilla_plugin_t to create mozilla home dirs in user homedir- Allow deltacloud to read kernel sysctl- Allow postgresql_t to connectto itselfAllow postgresql_t to connectto itself- Allow postgresql_t to connectto itself- Add login_userdomain attribute for users which can log in using terminal
* Tue Feb 28 2012 Miroslav Grepl 3.10.0-95- Allow sysadm_u to reach system_r by default #784011- Allow nagios plugins to use inherited user terminals- Razor labeling is not used no longer- Add systemd support for matahari- Add port_types to man page, move booleans to the top, fix some english- Add support for matahari-sysconfig-console- Clean up matahari.fc- Fix matahari_admin() interfac- Add labels for/etc/ssh/ssh_host_
*.pub keys
* Mon Feb 27 2012 Miroslav Grepl 3.10.0-94- Allow ksysguardproces to send system log msgs- Allow boinc setpgid and signull- Allow xdm_t to sys_ptrace to run pidof command- Allow smtpd_t to manage spool files/directories and symbolic links- Add labeling for jetty- Needed changes to get unbound/dnssec to work with openswan
* Thu Feb 23 2012 Miroslav Grepl 3.10.0-93- Add user_fonts_t alias xfs_tmp_t- Since depmod now runs as insmod_t we need to write to kernel_object_t- Allow firewalld to dbus chat with networkmanager- Allow qpidd to connect to matahari ports- policykit needs to read /proc for uses not owned by it- Allow systemctl apps to connecto the init stream
* Wed Feb 22 2012 Miroslav Grepl 3.10.0-92- Turn on deny_ptrace boolean
* Tue Feb 21 2012 Miroslav Grepl 3.10.0-91- Remove pam_selinux.8 man page. There was a conflict.
* Tue Feb 21 2012 Miroslav Grepl 3.10.0-90- Add proxy class and read access for gssd_proxy- Separate out the sharing public content booleans- Allow certmonger to execute a script and send signals to apache and dirsrv to reload the certificate- Add label transition for gstream-0.10 and 12- Add booleans to allow rsync to share nfs and cifs file sytems- chrome_sandbox wants to read the /proc/PID/exe file of the program that executed it- Fix filename transitions for cups files- Allow denyhosts to read \"unix\"- Add file name transition for locale.conf.new- Allow boinc projects to gconf config files- sssd needs to be able to increase the socket limit under certain loads- sge_execd needs to read /etc/passwd- Allow denyhost to check network state- NetworkManager needs to read sessions data- Allow denyhost to check network state- Allow xen to search virt images directories- Add label for /dev/megaraid_sas_ioctl_node- Add autogenerated man pages
* Thu Feb 16 2012 Miroslav Grepl 3.10.0-89- Allow boinc project to getattr on fs- Allow init to execute initrc_state_t- rhev-agent package was rename to ovirt-guest-agent- If initrc_t creates /etc/local.conf then we need to make sure it is labeled correctly- sytemd writes content to /run/initramfs and executes it on shutdown- kdump_t needs to read /etc/mtab, should be back ported to F16- udev needs to load kernel modules in early system boot
* Tue Feb 14 2012 Miroslav Grepl 3.10.0-88- Need to add sys_ptrace back in since reading any content in /proc can cause these accesses- Add additional systemd interfaces which are needed fro
*_admin interfaces- Fix bind_admin() interface
* Mon Feb 13 2012 Miroslav Grepl 3.10.0-87- Allow firewalld to read urand- Alias java, execmem_mono to bin_t to allow third parties- Add label for kmod- /etc/redhat-lsb contains binaries- Add boolean to allow gitosis to send mail- Add filename transition also for \"event20\"- Allow systemd_tmpfiles_t to delete all file types- Allow collectd to ipc_lock
* Fri Feb 10 2012 Miroslav Grepl 3.10.0-86- make consoletype_exec optional, so we can remove consoletype policy- remove unconfined_permisive.patch- Allow openvpn_t to inherit user home content and tmp content- Fix dnssec-trigger labeling- Turn on obex policy for staff_t- Pem files should not be secret- Add lots of rules to fix AVC\'s when playing with containers- Fix policy for dnssec- Label ask-passwd directories correctly for systemd
* Thu Feb 09 2012 Miroslav Grepl 3.10.0-85- sshd fixes seem to be causing unconfined domains to dyntrans to themselves- fuse file system is now being mounted in /run/user- systemd_logind is sending signals to processes that are dbus messaging with it- Add support for winshadow port and allow iscsid to connect to this port- httpd should be allowed to bind to the http_port_t udp socket- zarafa_var_lib_t can be a lnk_file- A couple of new .xsession-errors files- Seems like user space and login programs need to read logind_sessions_files- Devicekit disk seems to be being launched by systemd- Cleanup handling of setfiles so most of rules in te file- Correct port number for dnssec- logcheck has the home dir set to its cache
* Tue Feb 07 2012 Miroslav Grepl 3.10.0-84- Add policy for grindengine MPI jobs
* Mon Feb 06 2012 Miroslav Grepl 3.10.0-83- Add new sysadm_secadm.pp module
* contains secadm definition for sysadm_t- Move user_mail_domain access out of the interface into the te file- Allow httpd_t to create httpd_var_lib_t directories as well as files- Allow snmpd to connect to the ricci_modcluster stream- Allow firewalld to read /etc/passwd- Add auth_use_nsswitch for colord- Allow smartd to read network state- smartdnotify needs to read /etc/group
* Fri Feb 03 2012 Miroslav Grepl 3.10.0-82- Allow gpg and gpg_agent to store sock_file in gpg_secret_t directory- lxdm startup scripts should be labeled bin_t, so confined users will work- mcstransd now creates a pid, needs back port to F16- qpidd should be allowed to connect to the amqp port- Label devices 010-029 as usb devices- ypserv packager says ypserv does not use tmp_t so removing selinux policy types- Remove all ptrace commands that I believe are caused by the kernel/ps avcs- Add initial Obex policy- Add logging_syslogd_use_tty boolean- Add polipo_connect_all_unreserved bolean- Allow zabbix to connect to ftp port- Allow systemd-logind to be able to switch VTs- Allow apache to communicate with memcached through a sock_file
* Tue Jan 31 2012 Dan Walsh 3.10.0-81.2- Fix file_context.subs_dist for now to work with pre usrmove
* Mon Jan 30 2012 Miroslav Grepl 3.10.0-81- More /usr move fixes
* Thu Jan 26 2012 Miroslav Grepl 3.10.0-80- Add zabbix_can_network boolean- Add httpd_can_connect_zabbix boolean- Prepare file context labeling for usrmove functions- Allow system cronjobs to read kernel network state- Add support for selinux_avcstat munin plugin- Treat hearbeat with corosync policy- Allow corosync to read and write to qpidd shared mem- mozilla_plugin is trying to run pulseaudio - Fixes for new sshd patch for running priv sep domains as the users context- Turn off dontaudit rules when turning on allow_ypbind- udev now reads /etc/modules.d directory
* Tue Jan 24 2012 Miroslav Grepl 3.10.0-79- Turn on deny_ptrace boolean for the Rawhide run, so we can test this out- Cups exchanges dbus messages with init- udisk2 needs to send syslog messages- certwatch needs to read /etc/passwd
* Mon Jan 23 2012 Miroslav Grepl 3.10.0-78- Add labeling for udisks2- Allow fsadmin to communicate with the systemd process
* Mon Jan 23 2012 Miroslav Grepl 3.10.0-77- Treat Bip with bitlbee policy
* Bip is an IRC proxy- Add port definition for interwise port- Add support for ipa_memcached socket- systemd_jounald needs to getattr on all processes- mdadmin fixes
* uses getpw- amavisd calls getpwnam()- denyhosts calls getpwall()
* Fri Jan 20 2012 Miroslav Grepl 3.10.0-76- Setup labeling of /var/rsa and /var/lib/rsa to allow login programs to write there- bluetooth says they do not use /tmp and want to remove the type- Allow init to transition to colord- Mongod needs to read /proc/sys/vm/zone_reclaim_mode- Allow postfix_smtpd_t to connect to spamd- Add boolean to allow ftp to connect to all ports > 1023- Allow sendmain to write to inherited dovecot tmp files- setroubleshoot needs to be able to execute rpm to see what version of packages
* Mon Jan 16 2012 Miroslav Grepl 3.10.0-75- Merge systemd patch- systemd-tmpfiles wants to relabel /sys/devices/system/cpu/online- Allow deltacloudd dac_override, setuid, setgid caps- Allow aisexec to execute shell- Add use_nfs_home_dirs boolean for ssh-keygen
* Fri Jan 13 2012 Dan Walsh 3.10.0-74.2- Fixes to make rawhide boot in enforcing mode with latest systemd changes
* Wed Jan 11 2012 Miroslav Grepl 3.10.0-74- Add labeling for /var/run/systemd/journal/syslog- libvirt sends signals to ifconfig- Allow domains that read logind session files to list them
* Wed Jan 11 2012 Miroslav Grepl 3.10.0-73- Fixed destined form libvirt-sandbox- Allow apps that list sysfs to also read sympolicy links in this filesystem- Add ubac_constrained rules for chrome_sandbox- Need interface to allow domains to use tmpfs_t files created by the kernel, used by libra- Allow postgresql to be executed by the caller- Standardize interfaces of daemons - Add new labeling for mm-handler- Allow all matahari domains to read network state and etc_runtime_t files
* Wed Jan 04 2012 Miroslav Grepl 3.10.0-72- New fix for seunshare, requires seunshare_domains to be able to mounton /- Allow systemctl running as logrotate_t to connect to private systemd socket- Allow tmpwatch to read meminfo- Allow rpc.svcgssd to read supported_krb5_enctype- Allow zarafa domains to read /dev/random and /dev/urandom- Allow snmpd to read dev_snmp6- Allow procmail to talk with cyrus- Add fixes for check_disk and check_nagios plugins
* Tue Dec 20 2011 Miroslav Grepl 3.10.0-71- default trans rules for Rawhide policy- Make sure sound_devices controlC
* are labeled correctly on creation- sssd now needs sys_admin- Allow snmp to read all proc_type- Allow to setup users homedir with quota.group
* Mon Dec 19 2011 Miroslav Grepl 3.10.0-70- Add httpd_can_connect_ldap() interface- apcupsd_t needs to use seriel ports connected to usb devices- Kde puts procmail mail directory under ~/.local/share- nfsd_t can trigger sys_rawio on tests that involve too many mountpoints, dontaudit for now- Add labeling for /sbin/iscsiuio
* Wed Dec 14 2011 Miroslav Grepl 3.10.0-69- Add label for /var/lib/iscan/interpreter- Dont audit writes to leaked file descriptors or redirected output for nacl- NetworkManager needs to write to /sys/class/net/ib
*/mode
* Tue Dec 13 2011 Miroslav Grepl 3.10.0-68- Allow abrt to request the kernel to load a module- Make sure mozilla content is labeled correctly- Allow tgtd to read system state- More fixes for boinc
* allow to resolve dns name
* re-write boinc policy to use boinc_domain attribute- Allow munin services plugins to use NSCD services
* Thu Dec 08 2011 Miroslav Grepl 3.10.0-67- Allow mozilla_plugin_t to manage mozilla_home_t- Allow ssh derived domain to execute ssh-keygen in the ssh_keygen_t domain- Add label for tumblerd
* Wed Dec 07 2011 Miroslav Grepl 3.10.0-66- Fixes for xguest package
* Tue Dec 06 2011 Miroslav Grepl 3.10.0-65- Fixes related to /bin, /sbin- Allow abrt to getattr on blk files- Add type for rhev-agent log file- Fix labeling for /dev/dmfm- Dontaudit wicd leaking- Allow systemd_logind_t to look at process info of apps that exchange dbus messages with it- Label /etc/locale.conf correctly- Allow user_mail_t to read /dev/random- Allow postfix-smtpd to read MIMEDefang- Add label for /var/log/suphp.log- Allow swat_t to connect and read/write nmbd_t sock_file- Allow systemd-tmpfiles to setattr for /run/user/gdm/dconf- Allow systemd-tmpfiles to change user identity in object contexts- More fixes for rhev_agentd_t consolehelper policy
* Thu Dec 01 2011 Miroslav Grepl 3.10.0-64- Use fs_use_xattr for squashf- Fix procs_type interface- Dovecot has a new fifo_file /var/run/dovecot/stats-mail- Dovecot has a new fifo_file /var/run/stats-mail- Colord does not need to connect to network- Allow system_cronjob to dbus chat with NetworkManager- Puppet manages content, want to make sure it labels everything correctly
* Tue Nov 29 2011 Miroslav Grepl 3.10.0-63- Change port 9050 to tor_socks_port_t and then allow openvpn to connect to it- Allow all postfix domains to use the fifo_file- Allow sshd_t to getattr on all file systems in order to generate avc on nfs_t- Allow apmd_t to read grub.cfg- Let firewallgui read the selinux config- Allow systemd-tmpfiles to delete content in /root that has been moved to /tmp- Fix devicekit_manage_pid_files() interface- Allow squid to check the network state- Dontaudit colord getattr on file systems- Allow ping domains to read zabbix_tmp_t files
* Wed Nov 23 2011 Miroslav Grepl 3.10.0-59- Allow mcelog_t to create dir and file in /var/run and label it correctly- Allow dbus to manage fusefs- Mount needs to read process state when mounting gluster file systems- Allow collectd-web to read collectd lib files- Allow daemons and system processes started by init to read/write the unix_stream_socket passed in from as stdin/stdout/stderr- Allow colord to get the attributes of tmpfs filesystem- Add sanlock_use_nfs and sanlock_use_samba booleans- Add bin_t label for /usr/lib/virtualbox/VBoxManage
* Wed Nov 16 2011 Miroslav Grepl 3.10.0-58- Add ssh_dontaudit_search_home_dir- Changes to allow namespace_init_t to work- Add interface to allow exec of mongod, add port definition for mongod port, 27017- Label .kde/share/apps/networkmanagement/certificates/ as home_cert_t- Allow spamd and clamd to steam connect to each other- Add policy label for passwd.OLD- More fixes for postfix and postfix maildro- Add ftp support for mozilla plugins- Useradd now needs to manage policy since it calls libsemanage- Fix devicekit_manage_log_files() interface- Allow colord to execute ifconfig- Allow accountsd to read /sys- Allow mysqld-safe to execute shell- Allow openct to stream connect to pcscd- Add label for /var/run/nm-dns-dnsmasq\\.conf- Allow networkmanager to chat with virtd_t
* Fri Nov 11 2011 Dan Walsh 3.10.0-57- Pulseaudio changes- Merge patches
* Thu Nov 10 2011 Dan Walsh 3.10.0-56- Merge patches back into git repository.
* Tue Nov 08 2011 Dan Walsh 3.10.0-55.2- Remove allow_execmem boolean and replace with deny_execmem boolean
* Tue Nov 08 2011 Dan Walsh 3.10.0-55.1- Turn back on allow_execmem boolean
* Mon Nov 07 2011 Miroslav Grepl 3.10.0-55- Add more MCS fixes to make sandbox working- Make faillog MLS trusted to make sudo_$1_t working- Allow sandbox_web_client_t to read passwd_file_t- Add .mailrc file context- Remove execheap from openoffice domain- Allow chrome_sandbox_nacl_t to read cpu_info- Allow virtd to relabel generic usb which is need if USB device- Fixes for virt.if interfaces to consider chr_file as image file type
* Fri Nov 04 2011 Dan Walsh 3.10.0-54.1- Remove Open Office policy- Remove execmem policy
* Fri Nov 04 2011 Miroslav Grepl 3.10.0-54- MCS fixes- quota fixes
* Thu Nov 03 2011 Dan Walsh 3.10.0-53.1- Remove transitions to consoletype
* Tue Nov 01 2011 Miroslav Grepl 3.10.0-53- Make nvidia
* to be labeled correctly- Fix abrt_manage_cache() interface- Make filetrans rules optional so base policy will build- Dontaudit chkpwd_t access to inherited TTYS- Make sure postfix content gets created with the correct label- Allow gnomeclock to read cgroup- Fixes for cloudform policy
* Thu Oct 27 2011 Miroslav Grepl 3.10.0-52- Check in fixed for Chrome nacl support
* Thu Oct 27 2011 Miroslav Grepl 3.10.0-51- Begin removing qemu_t domain, we really no longer need this domain. - systemd_passwd needs dac_overide to communicate with users TTY\'s- Allow svirt_lxc domains to send kill signals within their container
* Thu Oct 27 2011 Dan Walsh 3.10.0-50.2- Remove qemu.pp again without causing a crash
* Wed Oct 26 2011 Dan Walsh 3.10.0-50.1- Remove qemu.pp, everything should use svirt_t or stay in its current domain
* Wed Oct 26 2011 Miroslav Grepl 3.10.0-50- Allow policykit to talk to the systemd via dbus- Move chrome_sandbox_nacl_t to permissive domains- Additional rules for chrome_sandbox_nacl
* Tue Oct 25 2011 Miroslav Grepl 3.10.0-49- Change bootstrap name to nacl- Chrome still needs execmem- Missing role for chrome_sandbox_bootstrap- Add boolean to remove execmem and execstack from virtual machines- Dontaudit xdm_t doing an access_check on etc_t directories
* Mon Oct 24 2011 Miroslav Grepl 3.10.0-48- Allow named to connect to dirsrv by default- add ldapmap1_0 as a krb5_host_rcache_t file- Google chrome developers asked me to add bootstrap policy for nacl stuff- Allow rhev_agentd_t to getattr on mountpoints- Postfix_smtpd_t needs access to milters and cleanup seems to read/write postfix_smtpd_t unix_stream_sockets
* Mon Oct 24 2011 Miroslav Grepl 3.10.0-47- Fixes for cloudform policies which need to connect to random ports- Make sure if an admin creates modules content it creates them with the correct label- Add port 8953 as a dns port used by unbound- Fix file name transition for alsa and confined users
* Fri Oct 21 2011 Dan Walsh 3.10.0-46.1- Turn on mock_t and thumb_t for unconfined domains
* Fri Oct 21 2011 Miroslav Grepl 3.10.0-46- Policy update should not modify local contexts
* Thu Oct 20 2011 Dan Walsh 3.10.0-45.1- Remove ada policy
* Thu Oct 20 2011 Miroslav Grepl 3.10.0-45- Remove tzdata policy- Add labeling for udev- Add cloudform policy- Fixes for bootloader policy
* Wed Oct 19 2011 Miroslav Grepl 3.10.0-43- Add policies for nova openstack
* Tue Oct 18 2011 Miroslav Grepl 3.10.0-42- Add fixes for nova-stack policy
* Tue Oct 18 2011 Miroslav Grepl 3.10.0-41- Allow svirt_lxc_domain to chr_file and blk_file devices if they are in the domain- Allow init process to setrlimit on itself- Take away transition rules for users executing ssh-keygen- Allow setroubleshoot_fixit_t to read /dev/urand- Allow sshd to relbale tunnel sockets- Allow fail2ban domtrans to shorewall in the same way as with iptables- Add support for lnk files in the /var/lib/sssd directory- Allow system mail to connect to courier-authdaemon over an unix stream socket
* Mon Oct 17 2011 Dan Walsh 3.10.0-40.2- Add passwd_file_t for /etc/ptmptmp
* Fri Oct 14 2011 Miroslav Grepl 3.10.0-40- Dontaudit access checks for all executables, gnome-shell is doing access(EXEC, X_OK)- Make corosync to be able to relabelto cluster lib fies- Allow samba domains to search /var/run/nmbd- Allow dirsrv to use pam- Allow thumb to call getuid- chrome less likely to get mmap_zero bug so removing dontaudit- gimp help-browser has built in javascript- Best guess is that devices named /dev/bsr4096 should be labeled as cpu_device_t- Re-write glance policy
* Thu Oct 13 2011 Dan Walsh 3.10.0-39.3- Move dontaudit sys_ptrace line from permissive.te to domain.te- Remove policy for hal, it no longer exists
* Wed Oct 12 2011 Dan Walsh 3.10.0-39.2- Don\'t check md5 size or mtime on certain config files
* Tue Oct 11 2011 Dan Walsh 3.10.0-39.1- Remove allow_ptrace and replace it with deny_ptrace, which will remove all ptrace from the system- Remove 2000 dontaudit rules between confined domains on transitionand replace with singledontaudit domain domain:process { noatsecure siginh rlimitinh } ;
* Mon Oct 10 2011 Miroslav Grepl 3.10.0-39- Fixes for bootloader policy- $1_gkeyringd_t needs to read $HOME/%USER/.local/share/keystore- Allow nsplugin to read /usr/share/config- Allow sa-update to update rules- Add use_fusefs_home_dirs for chroot ssh option- Fixes for grub2- Update systemd_exec_systemctl() interface- Allow gpg to read the mail spool- More fixes for sa-update running out of cron job- Allow ipsec_mgmt_t to read hardware state information- Allow pptp_t to connect to unreserved_port_t- Dontaudit getattr on initctl in /dev from chfn- Dontaudit getattr on kernel_core from chfn- Add systemd_list_unit_dirs to systemd_exec_systemctl call- Fixes for collectd policy- CHange sysadm_t to create content as user_tmp_t under /tmp
* Thu Oct 06 2011 Dan Walsh 3.10.0-38.1- Shrink size of policy through use of attributes for userdomain and apache
* Wed Oct 05 2011 Miroslav Grepl 3.10.0-38- Allow virsh to read xenstored pid file- Backport corenetwork fixes from upstream- Do not audit attempts by thumb to search config_home_t dirs (~/.config)- label ~/.cache/telepathy/logger telepathy_logger_cache_home_t- allow thumb to read generic data home files (mime.type)
* Wed Oct 05 2011 Miroslav Grepl 3.10.0-37- Allow nmbd to manage sock file in /var/run/nmbd- ricci_modservice send syslog msgs- Stop transitioning from unconfined_t to ldconfig_t, but make sure /etc/ld.so.cache is labeled correctly- Allow systemd_logind_t to manage /run/USER/dconf/user
* Tue Oct 04 2011 Dan Walsh 3.10.0-36.1- Fix missing patch from F16
* Mon Oct 03 2011 Miroslav Grepl 3.10.0-36- Allow logrotate setuid and setgid since logrotate is supposed to do it- Fixes for thumb policy by grift- Add new nfsd ports- Added fix to allow confined apps to execmod on chrome- Add labeling for additional vdsm directories- Allow Exim and Dovecot SASL- Add label for /var/run/nmbd- Add fixes to make virsh and xen working together- Colord executes ls- /var/spool/cron is now labeled as user_cron_spool_t
* Mon Oct 03 2011 Dan Walsh 3.10.0-35- Stop complaining about leaked file descriptors during install
* Fri Sep 30 2011 Dan Walsh 3.10.0-34.7- Remove java and mono module and merge into execmem
* Fri Sep 30 2011 Dan Walsh 3.10.0-34.6- Fixes for thumb policy and passwd_file_t
* Fri Sep 30 2011 Dan Walsh 3.10.0-34.4- Fixes caused by the labeling of /etc/passwd- Add thumb.patch to transition unconfined_t to thumb_t for Rawhide
* Thu Sep 29 2011 Miroslav Grepl 3.10.0-34.3- Add support for Clustered Samba commands- Allow ricci_modrpm_t to send log msgs- move permissive virt_qmf_t from virt.te to permissivedomains.te- Allow ssh_t to use kernel keyrings- Add policy for libvirt-qmf and more fixes for linux containers- Initial Polipo- Sanlock needs to run ranged in order to kill svirt processes- Allow smbcontrol to stream connect to ctdbd
* Mon Sep 26 2011 Dan Walsh 3.10.0-34.2- Add label for /etc/passwd
* Mon Sep 26 2011 Dan Walsh 3.10.0-34.1- Change unconfined_domains to permissive for Rawhide- Add definition for the ephemeral_ports
* Mon Sep 26 2011 Miroslav Grepl 3.10.0-34- Make mta_role() active- Allow asterisk to connect to jabber client port- Allow procmail to read utmp- Add NIS support for systemd_logind_t- Allow systemd_logind_t to manage /run/user/$USER/dconf dir which is labeled as config_home_t- Fix systemd_manage_unit_dirs() interface- Allow ssh_t to manage directories passed into it- init needs to be able to create and delete unit file directories- Fix typo in apache_exec_sys_script- Add ability for logrotate to transition to awstat domain
* Fri Sep 23 2011 Miroslav Grepl 3.10.0-33- Change screen to use screen_domain attribute and allow screen_domains to read all process domain state- Add SELinux support for ssh pre-auth net process in F17- Add logging_syslogd_can_sendmail boolean
* Wed Sep 21 2011 Dan Walsh 3.10.0-31.1- Add definition for ephemeral ports- Define user_tty_device_t as a customizable_type
* Tue Sep 20 2011 Miroslav Grepl 3.10.0-31- Needs to require a new version of checkpolicy- Interface fixes
* Fri Sep 16 2011 Miroslav Grepl 3.10.0-29- Allow sanlock to manage virt lib files- Add virt_use_sanlock booelan- ksmtuned is trying to resolve uids- Make sure .gvfs is labeled user_home_t in the users home directory- Sanlock sends kill signals and needs the kill capability- Allow mockbuild to work on nfs homedirs- Fix kerberos_manage_host_rcache() interface- Allow exim to read system state
* Tue Sep 13 2011 Miroslav Grepl 3.10.0-28- Allow systemd-tmpfiles to set the correct labels on /var/run, /tmp and other files- We want any file type that is created in /tmp by a process running as initrc_t to be labeled initrc_tmp_t
* Tue Sep 13 2011 Miroslav Grepl 3.10.0-27- Allow collectd to read hardware state information- Add loop_control_device_t- Allow mdadm to request kernel to load module- Allow domains that start other domains via systemctl to search unit dir- systemd_tmpfilses, needs to list any file systems mounted on /tmp- No one can explain why radius is listing the contents of /tmp, so we will dontaudit- If I can manage etc_runtime files, I should be able to read the links- Dontaudit hostname writing to mock library chr_files- Have gdm_t setup labeling correctly in users home dir- Label content unde /var/run/user/NAME/dconf as config_home_t- Allow sa-update to execute shell- Make ssh-keygen working with fips_enabled- Make mock work for staff_t user- Tighten security on mock_t
* Fri Sep 09 2011 Miroslav Grepl 3.10.0-26- removing unconfined_notrans_t no longer necessary- Clean up handling of secure_mode_insmod and secure_mode_policyload- Remove unconfined_mount_t
* Tue Sep 06 2011 Miroslav Grepl 3.10.0-25- Add exim_exec_t label for /usr/sbin/exim_tidydb- Call init_dontaudit_rw_stream_socket() interface in mta policy- sssd need to search /var/cache/krb5rcache directory- Allow corosync to relabel own tmp files- Allow zarafa domains to send system log messages- Allow ssh to do tunneling- Allow initrc scripts to sendto init_t unix_stream_socket- Changes to make sure dmsmasq and virt directories are labeled correctly- Changes needed to allow sysadm_t to manage systemd unit files- init is passing file descriptors to dbus and on to system daemons- Allow sulogin additional access Reported by dgrift and Jeremy Miller- Steve Grubb believes that wireshark does not need this access- Fix /var/run/initramfs to stop restorecon from looking at- pki needs another port- Add more labels for cluster scripts- Allow apps that manage cgroup_files to manage cgroup link files- Fix label on nfs-utils scripts directories- Allow gatherd to read /dev/rand and /dev/urand
* Wed Aug 31 2011 Miroslav Grepl 3.10.0-24- pki needs another port- Add more labels for cluster scripts- Fix label on nfs-utils scripts directories- Fixes for cluster- Allow gatherd to read /dev/rand and /dev/urand- abrt leaks fifo files
* Tue Aug 30 2011 Miroslav Grepl 3.10.0-23- Add glance policy- Allow mdadm setsched- /var/run/initramfs should not be relabeled with a restorecon run- memcache can be setup to override sys_resource- Allow httpd_t to read tetex data- Allow systemd_tmpfiles to delete kernel modules left in /tmp directory.
* Mon Aug 29 2011 Miroslav Grepl 3.10.0-22- Allow Postfix to deliver to Dovecot LMTP socket- Ignore bogus sys_module for lldpad- Allow chrony and gpsd to send dgrams, gpsd needs to write to the real time clock- systemd_logind_t sets the attributes on usb devices- Allow hddtemp_t to read etc_t files- Add permissivedomains module- Move all permissive domains calls to permissivedomain.te- Allow pegasis to send kill signals to other UIDs
* Wed Aug 24 2011 Miroslav Grepl 3.10.0-21- Allow insmod_t to use fds leaked from devicekit- dontaudit getattr between insmod_t and init_t unix_stream_sockets- Change sysctl unit file interfaces to use systemctl- Add support for chronyd unit file- Allow mozilla_plugin to read gnome_usr_config- Add policy for new gpsd- Allow cups to create kerberos rhost cache files- Add authlogin_filetrans_named_content, to unconfined_t to make sure shadow and other log files get labeled correctly
* Tue Aug 23 2011 Dan Walsh 3.10.0-20- Make users_extra and seusers.final into config(noreplace) so semanage users and login does not get overwritten
* Tue Aug 23 2011 Miroslav Grepl 3.10.0-19- Add policy for sa-update being run out of cron jobs- Add create perms to postgresql_manage_db- ntpd using a gps has to be able to read/write generic tty_device_t- If you disable unconfined and unconfineduser, rpm needs more privs to manage /dev- fix spec file- Remove qemu_domtrans_unconfined() interface- Make passenger working together with puppet- Add init_dontaudit_rw_stream_socket interface- Fixes for wordpress
* Thu Aug 11 2011 Miroslav Grepl 3.10.0-18- Turn on allow_domain_fd_use boolean on F16- Allow syslog to manage all log files- Add use_fusefs_home_dirs boolean for chrome- Make vdagent working with confined users- Add abrt_handle_event_t domain for ABRT event scripts- Labeled /usr/sbin/rhnreg_ks as rpm_exec_t and added changes related to this change- Allow httpd_git_script_t to read passwd data- Allow openvpn to set its process priority when the nice parameter is used
* Wed Aug 10 2011 Miroslav Grepl 3.10.0-17- livecd fixes- spec file fixes
* Thu Aug 04 2011 Miroslav Grepl 3.10.0-16- fetchmail can use kerberos- ksmtuned reads in shell programs- gnome_systemctl_t reads the process state of ntp- dnsmasq_t asks the kernel to load multiple kernel modules- Add rules for domains executing systemctl- Bogus text within fc file
* Wed Aug 03 2011 Miroslav Grepl 3.10.0-14- Add cfengine policy
* Tue Aug 02 2011 Miroslav Grepl 3.10.0-13- Add abrt_domain attribute- Allow corosync to manage cluster lib files- Allow corosync to connect to the system DBUS
* Mon Aug 01 2011 Miroslav Grepl 3.10.0-12- Add sblim, uuidd policies- Allow kernel_t dyntrasition to init_t
* Fri Jul 29 2011 Miroslav Grepl 3.10.0-11- init_t need setexec- More fixes of rules which cause an explosion in rules by Dan Walsh
* Tue Jul 26 2011 Miroslav Grepl 3.10.0-10- Allow rcsmcertd to perform DNS name resolution- Add dirsrvadmin_unconfined_script_t domain type for 389-ds admin scripts- Allow tmux to run as screen- New policy for collectd- Allow gkeyring_t to interact with all user apps- Add rules to allow firstboot to run on machines with the unconfined.pp module removed
* Sat Jul 23 2011 Miroslav Grepl 3.10.0-9- Allow systemd_logind to send dbus messages with users- allow accountsd to read wtmp file- Allow dhcpd to get and set capabilities
* Fri Jul 22 2011 Miroslav Grepl 3.10.0-8- Fix oracledb_port definition- Allow mount to mounton the selinux file system- Allow users to list /var directories
* Thu Jul 21 2011 Miroslav Grepl 3.10.0-7- systemd fixes
* Tue Jul 19 2011 Miroslav Grepl 3.10.0-6- Add initial policy for abrt_dump_oops_t- xtables-multi wants to getattr of the proc fs- Smoltclient is connecting to abrt- Dontaudit leaked file descriptors to postdrop- Allow abrt_dump_oops to look at kernel sysctls- Abrt_dump_oops_t reads kernel ring buffer- Allow mysqld to request the kernel to load modules- systemd-login needs fowner- Allow postfix_cleanup_t to searh maildrop
* Mon Jul 18 2011 Miroslav Grepl 3.10.0-5- Initial systemd_logind policy- Add policy for systemd_logger and additional proivs for systemd_logind- More fixes for systemd policies
* Thu Jul 14 2011 Miroslav Grepl 3.10.0-4- Allow setsched for virsh- Systemd needs to impersonate cups, which means it needs to create tcp_sockets in cups_t domain, as well as manage spool directories- iptables: the various /sbin/ip6?tables.
* are now symlinks for/sbin/xtables-multi
* Tue Jul 12 2011 Miroslav Grepl 3.10.0-3- A lot of users are running yum -y update while in /root which is causing ldconfig to list the contents, adding dontaudit- Allow colord to interact with the users through the tmpfs file system- Since we changed the label on deferred, we need to allow postfix_qmgr_t to be able to create maildrop_t files- Add label for /var/log/mcelog- Allow asterisk to read /dev/random if it uses TLS- Allow colord to read ini files which are labeled as bin_t- Allow dirsrvadmin sys_resource and setrlimit to use ulimit- Systemd needs to be able to create sock_files for every label in /var/run directory, cupsd being the first. - Also lists /var and /var/spool directories- Add openl2tpd to l2tpd policy- qpidd is reading the sysfs file
* Thu Jun 30 2011 Miroslav Grepl 3.10.0-2- Change usbmuxd_t to dontaudit attempts to read chr_file- Add mysld_safe_exec_t for libra domains to be able to start private mysql domains- Allow pppd to search /var/lock dir- Add rhsmcertd policy
* Mon Jun 27 2011 Miroslav Grepl 3.10.0-1- Update to upstream
* Mon Jun 27 2011 Miroslav Grepl 3.9.16-30- More fixes
* http://git.fedorahosted.org/git/?p=selinux-policy.git
* Thu Jun 16 2011 Dan Walsh 3.9.16-29.1- Fix spec file to not report Verify errors
* Thu Jun 16 2011 Miroslav Grepl 3.9.16-29- Add dspam policy- Add lldpad policy- dovecot auth wants to search statfs #713555- Allow systemd passwd apps to read init fifo_file- Allow prelink to use inherited terminals- Run cherokee in the httpd_t domain- Allow mcs constraints on node connections- Implement pyicqt policy- Fixes for zarafa policy- Allow cobblerd to send syslog messages
* Wed Jun 08 2011 Dan Walsh 3.9.16-28.1- Add policy.26 to the payload- Remove olpc stuff- Remove policygentool
* Wed Jun 08 2011 Miroslav Grepl 3.9.16-27- Fixes for zabbix- init script needs to be able to manage sanlock_var_run_...- Allow sandlock and wdmd to create /var/run directories... - mixclip.so has been compiled correctly- Fix passenger policy module name
* Tue Jun 07 2011 Miroslav Grepl 3.9.16-26- Add mailscanner policy from dgrift- Allow chrome to optionally be transitioned to- Zabbix needs these rules when starting the zabbix_server_mysql- Implement a type for freedesktop openicc standard (~/.local/share/icc)- Allow system_dbusd_t to read inherited icc_data_home_t files.- Allow colord_t to read icc_data_home_t content. #706975- Label stuff under /usr/lib/debug as if it was labeled under /
* Thu Jun 02 2011 Miroslav Grepl 3.9.16-25- Fixes for sanlock policy- Fixes for colord policy- Other fixes
* http://git.fedorahosted.org/git/?p=selinux-policy.git;a=log
* Thu May 26 2011 Miroslav Grepl 3.9.16-24- Add rhev policy module to modules-targeted.conf
* Tue May 24 2011 Miroslav Grepl 3.9.16-23- Lot of fixes
* http://git.fedorahosted.org/git/?p=selinux-policy.git;a=log
* Thu May 19 2011 Miroslav Grepl 3.9.16-22- Allow logrotate to execute systemctl- Allow nsplugin_t to getattr on gpmctl- Fix dev_getattr_all_chr_files() interface- Allow shorewall to use inherited terms- Allow userhelper to getattr all chr_file devices- sandbox domains should be able to getattr and dontaudit search of sysctl_kernel_t- Fix labeling for ABRT Retrace Server
* Mon May 09 2011 Miroslav Grepl 3.9.16-21- Dontaudit sys_module for ifconfig- Make telepathy and gkeyringd daemon working with confined users- colord wants to read files in users homedir- Remote login should be creating user_tmp_t not its own tmp files
* Thu May 05 2011 Miroslav Grepl 3.9.16-20- Fix label for /usr/share/munin/plugins/munin_
* plugins- Add support for zarafa-indexer- Fix boolean description- Allow colord to getattr on /proc/scsi/scsi- Add label for /lib/upstart/init- Colord needs to list /mnt
* Tue May 03 2011 Miroslav Grepl 3.9.16-19- Forard port changes from F15 for telepathy- NetworkManager should be allowed to use /dev/rfkill- Fix dontaudit messages to say Domain to not audit- Allow telepathy domains to read/write gnome_cache files- Allow telepathy domains to call getpw- Fixes for colord and vnstatd policy
* Wed Apr 27 2011 Miroslav Grepl 3.9.16-18- Allow init_t getcap and setcap- Allow namespace_init_t to use nsswitch- aisexec will execute corosync- colord tries to read files off noxattr file systems- Allow init_t getcap and setcap
* Thu Apr 21 2011 Miroslav Grepl 3.9.16-17- Add support for ABRT retrace server- Allow user_t and staff_t access to generic scsi to handle locally plugged in scanners- Allow telepath_msn_t to read /proc/PARENT/cmdline- ftpd needs kill capability- Allow telepath_msn_t to connect to sip port- keyring daemon does not work on nfs homedirs- Allow $1_sudo_t to read default SELinux context- Add label for tgtd sock file in /var/run/- Add apache_exec_rotatelogs interface- allow all zaraha domains to signal themselves, server writes to /tmp- Allow syslog to read the process state- Add label for /usr/lib/chromium-browser/chrome- Remove the telepathy transition from unconfined_t- Dontaudit sandbox domains trying to mounton sandbox_file_t, this is caused by fuse mounts- Allow initrc_t domain to manage abrt pid files- Add support for AEOLUS project- Virt_admin should be allowed to manage images and processes- Allow plymountd to send signals to init- Change labeling of fping6
* Tue Apr 19 2011 Dan Walsh 3.9.16-16.1- Add filename transitions
* Tue Apr 19 2011 Miroslav Grepl 3.9.16-16- Fixes for zarafa policy- Add support for AEOLUS project- Change labeling of fping6- Allow plymountd to send signals to init- Allow initrc_t domain to manage abrt pid files- Virt_admin should be allowed to manage images and processes
* Fri Apr 15 2011 Miroslav Grepl 3.9.16-15- xdm_t needs getsession for switch user - Every app that used to exec init is now execing systemdctl - Allow squid to manage krb5_host_rcache_t files - Allow foghorn to connect to agentx port - Fixes for colord policy
* Mon Apr 11 2011 Miroslav Grepl 3.9.16-14- Add Dan\'s patch to remove 64 bit variants- Allow colord to use unix_dgram_socket - Allow apps that search pids to read /var/run if it is a lnk_file - iscsid_t creates its own directory - Allow init to list var_lock_t dir - apm needs to verify user accounts auth_use_nsswitch- Add labeling for systemd unit files- Allow gnomeclok to enable ntpd service using systemctl - systemd_systemctl_t domain was added- Add label for matahari-broker.pid file- We want to remove untrustedmcsprocess from ability to read /proc/pid- Fixes for matahari policy- Allow system_tmpfiles_t to delete user_home_t files in the /tmp dir- Allow sshd to transition to sysadm_t if ssh_sysadm_login is turned on
* Tue Apr 05 2011 Miroslav Grepl 3.9.16-13- Fix typo
* Mon Apr 04 2011 Miroslav Grepl 3.9.16-12- Add /var/run/lock /var/lock definition to file_contexts.subs- nslcd_t is looking for kerberos cc files- SSH_USE_STRONG_RNG is 1 which requires /dev/random- Fix auth_rw_faillog definition- Allow sysadm_t to set attributes on fixed disks- allow user domains to execute lsof and look at application sockets- prelink_cron job calls telinit -u if init is rewritten- Fixes to run qemu_t from staff_t
* Mon Apr 04 2011 Miroslav Grepl 3.9.16-11- Fix label for /var/run/udev to udev_var_run_t- Mock needs to be able to read network state
* Fri Apr 01 2011 Miroslav Grepl 3.9.16-10- Add file_contexts.subs to handle /run and /run/lock- Add other fixes relating to /run changes from F15 policy
* Fri Mar 25 2011 Miroslav Grepl 3.9.16-7- Allow $1_sudo_t and $1_su_t open access to user terminals- Allow initrc_t to use generic terminals- Make Makefile/Rules.modular run sepolgen-ifgen during build to check if files for bugs-systemd is going to be useing /run and /run/lock for early bootup files.- Fix some comments in rlogin.if- Add policy for KDE backlighthelper- sssd needs to read ~/.k5login in nfs, cifs or fusefs file systems- sssd wants to read .k5login file in users homedir- setroubleshoot reads executables to see if they have TEXTREL- Add /var/spool/audit support for new version of audit- Remove kerberos_connect_524() interface calling- Combine kerberos_master_port_t and kerberos_port_t- systemd has setup /dev/kmsg as stderr for apps it executes- Need these access so that init can impersonate sockets on unix_dgram_socket
* Wed Mar 23 2011 Miroslav Grepl 3.9.16-6- Remove some unconfined domains- Remove permissive domains- Add policy-term.patch from Dan
* Thu Mar 17 2011 Miroslav Grepl 3.9.16-5- Fix multiple specification for boot.log- devicekit leaks file descriptors to setfiles_t- Change all all_nodes to generic_node and all_if to generic_if- Should not use deprecated interface- Switch from using all_nodes to generic_node and from all_if to generic_if- Add support for xfce4-notifyd- Fix file context to show several labels as SystemHigh- seunshare needs to be able to mounton nfs/cifs/fusefs homedirs- Add etc_runtime_t label for /etc/securetty- Fixes to allow xdm_t to start gkeyringd_USERTYPE_t directly- login.krb needs to be able to write user_tmp_t- dirsrv needs to bind to port 7390 for dogtag- Fix a bug in gpg policy- gpg sends audit messages- Allow qpid to manage matahari files
* Tue Mar 15 2011 Miroslav Grepl 3.9.16-4- Initial policy for matahari- Add dev_read_watchdog- Allow clamd to connect clamd port- Add support for kcmdatetimehelper- Allow shutdown to setrlimit and sys_nice- Allow systemd_passwd to talk to /dev/log before udev or syslog is running- Purge chr_file and blk files on /tmp- Fixes for pads- Fixes for piranha-pulse- gpg_t needs to be able to encyprt anything owned by the user
* Thu Mar 10 2011 Miroslav Grepl 3.9.16-3- mozilla_plugin_tmp_t needs to be treated as user tmp files- More dontaudits of writes from readahead- Dontaudit readahead_t file_type:dir write, to cover up kernel bug- systemd_tmpfiles needs to relabel faillog directory as well as the file- Allow hostname and consoletype to r/w inherited initrc_tmp_t files handline hostname >> /tmp/myhost
* Thu Mar 10 2011 Miroslav Grepl 3.9.16-2- Add policykit fixes from Tim Waugh- dontaudit sandbox domains sandbox_file_t:dir mounton- Add new dontaudit rules for sysadm_dbusd_t- Change label for /var/run/faillock
* other fixes which relate with this change
* Tue Mar 08 2011 Miroslav Grepl 3.9.16-1- Update to upstream- Fixes for telepathy- Add port defition for ssdp port- add policy for /bin/systemd-notify from Dan- Mount command requires users read mount_var_run_t- colord needs to read konject_uevent_socket- User domains connect to the gkeyring socket- Add colord policy and allow user_t and staff_t to dbus chat with it- Add lvm_exec_t label for kpartx- Dontaudit reading the mail_spool_t link from sandbox -X- systemd is creating sockets in avahi_var_run and system_dbusd_var_run
* Tue Mar 01 2011 Miroslav Grepl 3.9.15-5- gpg_t needs to talk to gnome-keyring- nscd wants to read /usr/tmp->/var/tmp to generate randomziation in unixchkpwd- enforce MCS labeling on nodes- Allow arpwatch to read meminfo- Allow gnomeclock to send itself signals- init relabels /dev/.udev files on boot- gkeyringd has to transition back to staff_t when it runs commands in bin_t or shell_exec_t- nautilus checks access on /media directory before mounting usb sticks, dontaudit access_check on mnt_t- dnsmasq can run as a dbus service, needs acquire service- mysql_admin should be allowed to connect to mysql service- virt creates monitor sockets in the users home dir
* Mon Feb 21 2011 Miroslav Grepl 3.9.15-2- Allow usbhid-ups to read hardware state information- systemd-tmpfiles has moved- Allo cgroup to sys_tty_config- For some reason prelink is attempting to read gconf settings- Add allow_daemons_use_tcp_wrapper boolean- Add label for ~/.cache/wocky to make telepathy work in enforcing mode- Add label for char devices /dev/dasd
*- Fix for apache_role- Allow amavis to talk to nslcd- allow all sandbox to read selinux poilcy config files- Allow cluster domains to use the system bus and send each other dbus messages
* Wed Feb 16 2011 Miroslav Grepl 3.9.15-1- Update to upstream
* Wed Feb 09 2011 Fedora Release Engineering - 3.9.14-2- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild
* Tue Feb 08 2011 Dan Walsh 3.9.14-1- Update to ref policy- cgred needs chown capability- Add /dev/crash crash_dev_t- systemd-readahead wants to use fanotify which means readahead_t needs sys_admin capability
* Tue Feb 08 2011 Miroslav Grepl 3.9.13-10- New labeling for postfmulti #675654- dontaudit xdm_t listing noxattr file systems- dovecot-auth needs to be able to connect to mysqld via the network as well as locally- shutdown is passed stdout to a xdm_log_t file- smartd creates a fixed disk device- dovecot_etc_t contains a lnk_file that domains need to read- mount needs to be able to read etc_runtim_t:lnk_file since in rawhide this is a link created at boot
* Thu Feb 03 2011 Miroslav Grepl 3.9.13-9- syslog_t needs syslog capability- dirsrv needs to be able to create /var/lib/snmp- Fix labeling for dirsrv- Fix for dirsrv policy missing manage_dirs_pattern- corosync needs to delete clvm_tmpfs_t files- qdiskd needs to list hugetlbfs- Move setsched to sandbox_x_domain, so firefox can run without network access- Allow hddtemp to read removable devices- Adding syslog and read_policy permissions to policy
* syslog Allow unconfined, sysadm_t, secadm_t, logadm_t
* read_policy allow unconfined, sysadm_t, secadm_t, staff_t on Targeted allow sysadm_t (optionally), secadm_t on MLS- mdadm application will write into /sys/.../uevent whenever arrays areassembled or disassembled.
* Tue Feb 01 2011 Dan Walsh 3.9.13-8- Add tcsd policy
* Tue Feb 01 2011 Miroslav Grepl 3.9.13-7- ricci_modclusterd_t needs to bind to rpc ports 500-1023- Allow dbus to use setrlimit to increase resoueces- Mozilla_plugin is leaking to sandbox- Allow confined users to connect to lircd over unix domain stream socket which allow to use remote control- Allow awstats to read squid logs- seunshare needs to manage tmp_t- apcupsd cgi scripts have a new directory
* Thu Jan 27 2011 Miroslav Grepl 3.9.13-6- Fix xserver_dontaudit_read_xdm_pid- Change oracle_port_t to oracledb_port_t to prevent conflict with satellite- Allow dovecot_deliver_t to read/write postfix_master_t:fifo_file.
* These fifo_file is passed from postfix_master_t to postfix_local_t to dovecot_deliver_t- Allow readahead to manage readahead pid dirs- Allow readahead to read all mcs levels- Allow mozilla_plugin_t to use nfs or samba homedirs
* Tue Jan 25 2011 Miroslav Grepl 3.9.13-5- Allow nagios plugin to read /proc/meminfo- Fix for mozilla_plugin- Allow samba_net_t to create /etc/keytab- pppd_t setting up vpns needs to run unix_chkpwd, setsched its process and write wtmp_t- nslcd can read user credentials- Allow nsplugin to delete mozilla_plugin_tmpfs_t- abrt tries to create dir in rpm_var_lib_t- virt relabels fifo_files- sshd needs to manage content in fusefs homedir- mock manages link files in cache dir
* Fri Jan 21 2011 Miroslav Grepl 3.9.13-4- nslcd needs setsched and to read /usr/tmp- Invalid call in likewise policy ends up creating a bogus role- Cannon puts content into /var/lib/bjlib that cups needs to be able to write- Allow screen to create screen_home_t in /root- dirsrv sends syslog messages- pinentry reads stuff in .kde directory- Add labels for .kde directory in homedir- Treat irpinit, iprupdate, iprdump services with raid policy
* Wed Jan 19 2011 Miroslav Grepl 3.9.13-3- NetworkManager wants to read consolekit_var_run_t- Allow readahead to create /dev/.systemd/readahead- Remove permissive domains- Allow newrole to run namespace_init
* Tue Jan 18 2011 Miroslav Grepl 3.9.13-2- Add sepgsql_contexts file
* Mon Jan 17 2011 Miroslav Grepl 3.9.13-1- Update to upstream
* Mon Jan 17 2011 Miroslav Grepl 3.9.12-8- Add oracle ports and allow apache to connect to them if the connect_db boolean is turned on- Add puppetmaster_use_db boolean- Fixes for zarafa policy- Fixes for gnomeclock poliy- Fix systemd-tmpfiles to use auth_use_nsswitch
* Fri Jan 14 2011 Miroslav Grepl 3.9.12-7- gnomeclock executes a shell- Update for screen policy to handle pipe in homedir- Fixes for polyinstatiated homedir- Fixes for namespace policy and other fixes related to polyinstantiation- Add namespace policy- Allow dovecot-deliver transition to sendmail which is needed by sieve scripts- Fixes for init, psad policy which relate with confined users- Do not audit bootloader attempts to read devicekit pid files- Allow nagios service plugins to read /proc
* Tue Jan 11 2011 Miroslav Grepl 3.9.12-6- Add firewalld policy- Allow vmware_host to read samba config- Kernel wants to read /proc Fix duplicate grub def in cobbler- Chrony sends mail, executes shell, uses fifo_file and reads /proc- devicekitdisk getattr all file systems- sambd daemon writes wtmp file- libvirt transitions to dmidecode
* Wed Jan 05 2011 Miroslav Grepl 3.9.12-5- Add initial policy for system-setup-keyboard which is now daemon- Label /var/lock/subsys/shorewall as shorewall_lock_t- Allow users to communicate with the gpg_agent_t- Dontaudit mozilla_plugin_t using the inherited terminal- Allow sambagui to read files in /usr- webalizer manages squid log files- Allow unconfined domains to bind ports to raw_ip_sockets- Allow abrt to manage rpm logs when running yum- Need labels for /var/run/bittlebee- Label .ssh under amanda- Remove unused genrequires for virt_domain_template- Allow virt_domain to use fd inherited from virtd_t- Allow iptables to read shorewall config
* Tue Dec 28 2010 Dan Walsh 3.9.12-4- Gnome apps list config_home_t- mpd creates lnk files in homedir- apache leaks write to mail apps on tmp files- /var/stockmaniac/templates_cache contains log files- Abrt list the connects of mount_tmp_t dirs- passwd agent reads files under /dev and reads utmp file- squid apache script connects to the squid port- fix name of plymouth log file- teamviewer is a wine app- allow dmesg to read system state- Stop labeling files under /var/lib/mock so restorecon will not go into this - nsplugin needs to read network state for google talk
* Thu Dec 23 2010 Dan Walsh 3.9.12-3- Allow xdm and syslog to use /var/log/boot.log- Allow users to communicate with mozilla_plugin and kill it- Add labeling for ipv6 and dhcp
* Tue Dec 21 2010 Dan Walsh 3.9.12-2- New labels for ghc http content- nsplugin_config needs to read urand, lvm now calls setfscreate to create dev- pm-suspend now creates log file for append access so we remove devicekit_wri- Change authlogin_use_sssd to authlogin_nsswitch_use_ldap- Fixes for greylist_milter policy
* Tue Dec 21 2010 Miroslav Grepl 3.9.12-1- Update to upstream- Fixes for systemd policy- Fixes for passenger policy- Allow staff users to run mysqld in the staff_t domain, akonadi needs this- Add bin_t label for /usr/share/kde4/apps/kajongg/kajongg.py- auth_use_nsswitch does not need avahi to read passwords,needed for resolving data- Dontaudit (xdm_t) gok attempting to list contents of /var/account- Telepathy domains need to read urand- Need interface to getattr all file classes in a mock library for setroubleshoot
* Wed Dec 15 2010 Dan Walsh 3.9.11-2- Update selinux policy to handle new /usr/share/sandbox/start script
* Wed Dec 15 2010 Miroslav Grepl 3.9.11-1- Update to upstream- Fix version of policy in spec file
* Tue Dec 14 2010 Miroslav Grepl 3.9.10-13- Allow sandbox to run on nfs partitions, fixes for systemd_tmpfs- remove per sandbox domains devpts types- Allow dkim-milter sending signal to itself
* Mon Dec 13 2010 Dan Walsh 3.9.10-12- Allow domains that transition to ping or traceroute, kill them- Allow user_t to conditionally transition to ping_t and traceroute_t- Add fixes to systemd- tools, including new labeling for systemd-fsck, systemd-cryptsetup
* Mon Dec 13 2010 Miroslav Grepl 3.9.10-11- Turn on systemd policy- mozilla_plugin needs to read certs in the homedir.- Dontaudit leaked file descriptors from devicekit- Fix ircssi to use auth_use_nsswitch- Change to use interface without param in corenet to disable unlabelednet packets- Allow init to relabel sockets and fifo files in /dev- certmonger needs dac
* capabilities to manage cert files not owned by root- dovecot needs fsetid to change group membership on mail- plymouthd removes /var/log/boot.log- systemd is creating symlinks in /dev- Change label on /etc/httpd/alias to be all cert_t
* Fri Dec 10 2010 Miroslav Grepl 3.9.10-10- Fixes for clamscan and boinc policy- Add boinc_project_t setpgid- Allow alsa to create tmp files in /tmp
* Tue Dec 07 2010 Miroslav Grepl 3.9.10-9- Push fixes to allow disabling of unlabeled_t packet access- Enable unlabelednet policy
* Tue Dec 07 2010 Miroslav Grepl 3.9.10-8- Fixes for lvm to work with systemd
* Mon Dec 06 2010 Miroslav Grepl 3.9.10-7- Fix the label for wicd log- plymouthd creates force-display-on-active-vt file- Allow avahi to request the kernel to load a module- Dontaudit hal leaks- Fix gnome_manage_data interface- Add new interface corenet_packet to define a type as being an packet_type.- Removed general access to packet_type from icecast and squid.- Allow mpd to read alsa config- Fix the label for wicd log- Add systemd policy
* Fri Dec 03 2010 Miroslav Grepl 3.9.10-6- Fix gnome_manage_data interface- Dontaudit sys_ptrace capability for iscsid- Fixes for nagios plugin policy
* Thu Dec 02 2010 Miroslav Grepl 3.9.10-5- Fix cron to run ranged when started by init- Fix devicekit to use log files- Dontaudit use of devicekit_var_run_t for fstools- Allow init to setattr on logfile directories- Allow hald to manage files in /var/run/pm-utils/ dir which is now labeled as devicekit_var_run_t
* Tue Nov 30 2010 Dan Walsh 3.9.10-4- Fix up handling of dnsmasq_t creating /var/run/libvirt/network- Turn on sshd_forward_ports boolean by default- Allow sysadmin to dbus chat with rpm- Add interface for rw_tpm_dev- Allow cron to execute bin- fsadm needs to write sysfs- Dontaudit consoletype reading /var/run/pm-utils- Lots of new privs fro mozilla_plugin_t running java app, make mozilla_plugin- certmonger needs to manage dirsrv data- /var/run/pm-utils should be labeled as devicekit_var_run_t
* Tue Nov 30 2010 Miroslav Grepl 3.9.10-3- fixes to allow /var/run and /var/lock as tmpfs- Allow chrome sandbox to connect to web ports- Allow dovecot to listem on lmtp and sieve ports- Allov ddclient to search sysctl_net_t- Transition back to original domain if you execute the shell
* Thu Nov 25 2010 Miroslav Grepl 3.9.10-2- Remove duplicate declaration
* Thu Nov 25 2010 Miroslav Grepl 3.9.10-1- Update to upstream- Cleanup for sandbox- Add attribute to be able to select sandbox types
* Mon Nov 22 2010 Miroslav Grepl 3.9.9-4- Allow ddclient to fix file mode bits of ddclient conf file- init leaks file descriptors to daemons- Add labels for /etc/lirc/ and- Allow amavis_t to exec shell- Add label for gssd_tmp_t for /var/tmp/nfs_0
* Thu Nov 18 2010 Dan Walsh 3.9.9-3- Put back in lircd_etc_t so policy will install
* Thu Nov 18 2010 Miroslav Grepl 3.9.9-2- Turn on allow_postfix_local_write_mail_spool- Allow initrc_t to transition to shutdown_t- Allow logwatch and cron to mls_read_to_clearance for MLS boxes- Allow wm to send signull to all applications and receive them from users- lircd patch from field- Login programs have to read /etc/samba- New programs under /lib/systemd- Abrt needs to read config files
* Tue Nov 16 2010 Miroslav Grepl 3.9.9-1- Update to upstream- Dontaudit leaked sockets from userdomains to user domains- Fixes for mcelog to handle scripts- Apply patch from Ruben Kerkhof- Allow syslog to search spool dirs
* Mon Nov 15 2010 Miroslav Grepl 3.9.8-7- Allow nagios plugins to read usr files- Allow mysqld-safe to send system log messages- Fixes fpr ddclient policy- Fix sasl_admin interface- Allow apache to search zarafa config- Allow munin plugins to search /var/lib directory- Allow gpsd to read sysfs_t- Fix labels on /etc/mcelog/triggers to bin_t
* Fri Nov 12 2010 Dan Walsh 3.9.8-6- Remove saslauthd_tmp_t and transition tmp files to krb5_host_rcache_t- Allow saslauthd_t to create krb5_host_rcache_t files in /tmp- Fix xserver interface- Fix definition of /var/run/lxdm
* Fri Nov 12 2010 Miroslav Grepl 3.9.8-5- Turn on mediawiki policy- kdump leaks kdump_etc_t to ifconfig, add dontaudit- uux needs to transition to uucpd_t- More init fixes relabels man,faillog- Remove maxima defs in libraries.fc- insmod needs to be able to create tmpfs_t files- ping needs setcap
* Wed Nov 10 2010 Miroslav Grepl 3.9.8-4- Allow groupd transition to fenced domain when executes fence_node- Fixes for rchs policy- Allow mpd to be able to read samba/nfs files
* Tue Nov 09 2010 Dan Walsh 3.9.8-3- Fix up corecommands.fc to match upstream- Make sure /lib/systemd/
* is labeled init_exec_t- mount wants to setattr on all mountpoints- dovecot auth wants to read dovecot etc files- nscd daemon looks at the exe file of the comunicating daemon- openvpn wants to read utmp file- postfix apps now set sys_nice and lower limits- remote_login (telnetd/login) wants to use telnetd_devpts_t and user_devpts_t to work correctly- Also resolves nsswitch- Fix labels on /etc/hosts.
*- Cleanup to make upsteam patch work- allow abrt to read etc_runtime_t
* Fri Nov 05 2010 Dan Walsh 3.9.8-2- Add conflicts for dirsrv package
* Fri Nov 05 2010 Dan Walsh 3.9.8-1- Update to upstream- Add vlock policy
* Wed Nov 03 2010 Dan Walsh 3.9.7-10- Fix sandbox to work on nfs homedirs- Allow cdrecord to setrlimit- Allow mozilla_plugin to read xauth- Change label on systemd-logger to syslogd_exec_t- Install dirsrv policy from dirsrv package
* Tue Nov 02 2010 Dan Walsh 3.9.7-9- Add virt_home_t, allow init to setattr on xserver_tmp_t and relabel it- Udev needs to stream connect to init and kernel- Add xdm_exec_bootloader boolean, which allows xdm to execute /sbin/grub and read files in /boot directory
* Mon Nov 01 2010 Dan Walsh 3.9.7-8- Allow NetworkManager to read openvpn_etc_t- Dontaudit hplip to write of /usr dirs- Allow system_mail_t to create /root/dead.letter as mail_home_t- Add vdagent policy for spice agent daemon
* Thu Oct 28 2010 Dan Walsh 3.9.7-7- Dontaudit sandbox sending sigkill to all user domains- Add policy for rssh_chroot_helper- Add missing flask definitions- Allow udev to relabelto removable_t- Fix label on /var/log/wicd.log- Transition to initrc_t from init when executing bin_t- Add audit_access permissions to file- Make removable_t a device_node - Fix label on /lib/systemd/
*
* Fri Oct 22 2010 Dan Walsh 3.9.7-6- Fixes for systemd to manage /var/run- Dontaudit leaks by firstboot
* Tue Oct 19 2010 Dan Walsh 3.9.7-5- Allow chome to create netlink_route_socket- Add additional MATHLAB file context- Define nsplugin as an application_domain- Dontaudit sending signals from sandboxed domains to other domains- systemd requires init to build /tmp /var/auth and /var/lock dirs- mount wants to read devicekit_power /proc/ entries- mpd wants to connect to soundd port- Openoffice causes a setattr on a lib_t file for normal users, add dontaudit- Treat lib_t and textrel_shlib_t directories the same- Allow mount read access on virtual images
* Fri Oct 15 2010 Dan Walsh 3.9.7-4- Allow sandbox_x_domains to work with nfs/cifs/fusefs home dirs.- Allow devicekit_power to domtrans to mount- Allow dhcp to bind to udp ports > 1024 to do named stuff- Allow ssh_t to exec ssh_exec_t- Remove telepathy_butterfly_rw_tmp_files(), dev_read_printk() interfaces which are nolonger used- Fix clamav_append_log() intefaces- Fix \'psad_rw_fifo_file\' interface
* Fri Oct 15 2010 Dan Walsh 3.9.7-3- Allow cobblerd to list cobler appache content
* Fri Oct 15 2010 Dan Walsh 3.9.7-2- Fixup for the latest version of upowed- Dontaudit sandbox sending SIGNULL to desktop apps
* Wed Oct 13 2010 Dan Walsh 3.9.7-1- Update to upstream
* Tue Oct 12 2010 Dan Walsh 3.9.6-3-Mount command from a confined user generates setattr on /etc/mtab file, need to dontaudit this access- dovecot-auth_t needs ipc_lock- gpm needs to use the user terminal- Allow system_mail_t to append ~/dead.letter- Allow NetworkManager to edit /etc/NetworkManager/NetworkManager.conf- Add pid file to vnstatd- Allow mount to communicate with gfs_controld- Dontaudit hal leaks in setfiles
* Fri Oct 08 2010 Dan Walsh 3.9.6-2- Lots of fixes for systemd- systemd now executes readahead and tmpwatch type scripts- Needs to manage random seed
* Thu Oct 07 2010 Dan Walsh 3.9.6-1- Allow smbd to use sys_admin- Remove duplicate file context for tcfmgr- Update to upstream
* Wed Oct 06 2010 Dan Walsh 3.9.5-11- Fix fusefs handling- Do not allow sandbox to manage nsplugin_rw_t- Allow mozilla_plugin_t to connecto its parent- Allow init_t to connect to plymouthd running as kernel_t- Add mediawiki policy- dontaudit sandbox sending signals to itself. This can happen when they are running at different mcs.- Disable transition from dbus_session_domain to telepathy for F14- Allow boinc_project to use shm- Allow certmonger to search through directories that contain certs- Allow fail2ban the DAC Override so it can read log files owned by non root users
* Mon Oct 04 2010 Dan Walsh 3.9.5-10- Start adding support for use_fusefs_home_dirs- Add /var/lib/syslog directory file context- Add /etc/localtime as locale file context
* Thu Sep 30 2010 Dan Walsh 3.9.5-9- Turn off default transition to mozilla_plugin and telepathy domains from unconfined user - Turn off iptables from unconfined user - Allow sudo to send signals to any domains the user could have transitioned to.- Passwd in single user mode needs to talk to console_device_t- Mozilla_plugin_t needs to connect to web ports, needs to write to video device, and read alsa_home_t alsa setsup pulseaudio- locate tried to read a symbolic link, will dontaudit- New labels for telepathy-sunshine content in homedir- Google is storing other binaries under /opt/google/talkplugin- bluetooth/kernel is creating unlabeled_t socket that I will allow it to use until kernel fixes bug- Add boolean for unconfined_t transition to mozilla_plugin_t and telepathy domains, turned off in F14 on in F15- modemmanger and bluetooth send dbus messages to devicekit_power- Samba needs to getquota on filesystems labeld samba_share_t
* Wed Sep 29 2010 Dan Walsh 3.9.5-8- Dontaudit attempts by xdm_t to write to bin_t for kdm- Allow initrc_t to manage system_conf_t
* Mon Sep 27 2010 Dan Walsh 3.9.5-7- Fixes to allow mozilla_plugin_t to create nsplugin_home_t directory.- Allow mozilla_plugin_t to create tcp/udp/netlink_route sockets- Allow confined users to read xdm_etc_t files- Allow xdm_t to transition to xauth_t for lxdm program
* Sun Sep 26 2010 Dan Walsh 3.9.5-6- Rearrange firewallgui policy to be more easily updated to upstream, dontaudit search of /home- Allow clamd to send signals to itself- Allow mozilla_plugin_t to read user home content. And unlink pulseaudio shm.- Allow haze to connect to yahoo chat and messenger port tcp:5050.Bz #637339- Allow guest to run ps command on its processes by allowing it to read /proc- Allow firewallgui to sys_rawio which seems to be required to setup masqerading- Allow all domains to search through default_t directories, in order to find differnet labels. For example people serring up /foo/bar to be share via samba.- Add label for /var/log/slim.log
* Fri Sep 24 2010 Dan Walsh 3.9.5-5- Pull in cleanups from dgrift- Allow mozilla_plugin_t to execute mozilla_home_t- Allow rpc.quota to do quotamod
* Thu Sep 23 2010 Dan Walsh 3.9.5-4- Cleanup policy via dgrift- Allow dovecot_deliver to append to inherited log files- Lots of fixes for consolehelper
* Wed Sep 22 2010 Dan Walsh 3.9.5-3- Fix up Xguest policy
* Thu Sep 16 2010 Dan Walsh 3.9.5-2- Add vnstat policy- allow libvirt to send audit messages- Allow chrome-sandbox to search nfs_t
* Thu Sep 16 2010 Dan Walsh 3.9.5-1- Update to upstream
* Wed Sep 15 2010 Dan Walsh 3.9.4-3- Add the ability to send audit messages to confined admin policies- Remove permissive domain from cmirrord and dontaudit sys_tty_config- Split out unconfined_domain() calls from other unconfined_ calls so we can d- virt needs to be able to read processes to clearance for MLS
* Tue Sep 14 2010 Dan Walsh 3.9.4-2- Allow all domains that can use cgroups to search tmpfs_t directory- Allow init to send audit messages
* Thu Sep 09 2010 Dan Walsh 3.9.4-1- Update to upstream
* Thu Sep 09 2010 Dan Walsh 3.9.3-4- Allow mdadm_t to create files and sock files in /dev/md/
* Thu Sep 09 2010 Dan Walsh 3.9.3-3- Add policy for ajaxterm
* Wed Sep 08 2010 Dan Walsh 3.9.3-2- Handle /var/db/sudo- Allow pulseaudio to read alsa config- Allow init to send initrc_t dbus messages
* Tue Sep 07 2010 Dan Walsh 3.9.3-1Allow iptables to read shorewall tmp filesChange chfn and passwd to use auth_use_pam so they can send dbus messages to fprintdlabel vlc as an execmem_exec_t Lots of fixes for mozilla_plugin to run google vidio chatAllow telepath_msn to execute ldconfig and its own tmp filesFix labels on hugepagesAllow mdadm to read files on /devRemove permissive domains and change back to unconfinedAllow freshclam to execute shell and bin_tAllow devicekit_power to transition to dhcpcAdd boolean to allow icecast to connect to any port
* Tue Aug 31 2010 Dan Walsh 3.9.2-1- Merge upstream fix of mmap_zero- Allow mount to write files in debugfs_t- Allow corosync to communicate with clvmd via tmpfs- Allow certmaster to read usr_t files- Allow dbus system services to search cgroup_t- Define rlogind_t as a login pgm
* Tue Aug 31 2010 Dan Walsh 3.9.1-3- Allow mdadm_t to read/write hugetlbfs
* Tue Aug 31 2010 Dan Walsh 3.9.1-2- Dominic Grift Cleanup- Miroslav Grepl policy for jabberd- Various fixes for mount/livecd and prelink
* Mon Aug 30 2010 Dan Walsh 3.9.1-1- Merge with upstream
* Thu Aug 26 2010 Dan Walsh 3.9.0-2- More access needed for devicekit- Add dbadm policy
* Thu Aug 26 2010 Dan Walsh 3.9.0-1- Merge with upstream
* Tue Aug 24 2010 Dan Walsh 3.8.8-21- Allow seunshare to fowner
* Tue Aug 24 2010 Dan Walsh 3.8.8-20- Allow cron to look at user_cron_spool links- Lots of fixes for mozilla_plugin_t- Add sysv file system- Turn unconfined domains to permissive to find additional avcs
* Mon Aug 23 2010 Dan Walsh 3.8.8-19- Update policy for mozilla_plugin_t
* Mon Aug 23 2010 Dan Walsh 3.8.8-18- Allow clamscan to read proc_t- Allow mount_t to write to debufs_t dir- Dontaudit mount_t trying to write to security_t dir
* Thu Aug 19 2010 Dan Walsh 3.8.8-17- Allow clamscan_t execmem if clamd_use_jit set- Add policy for firefox plugin-container
* Wed Aug 18 2010 Dan Walsh 3.8.8-16- Fix /root/.forward definition
* Tue Aug 17 2010 Dan Walsh 3.8.8-15- label dead.letter as mail_home_t
* Fri Aug 13 2010 Dan Walsh 3.8.8-14- Allow login programs to search /cgroups
* Thu Aug 12 2010 Dan Walsh 3.8.8-13- Fix cert handling
* Tue Aug 10 2010 Dan Walsh 3.8.8-12- Fix devicekit_power bug- Allow policykit_auth_t more access.
* Thu Aug 05 2010 Dan Walsh 3.8.8-11- Fix nis calls to allow bind to ports 512-1024- Fix smartmon
* Wed Aug 04 2010 Dan Walsh 3.8.8-10- Allow pcscd to read sysfs- systemd fixes - Fix wine_mmap_zero_ignore boolean
* Tue Aug 03 2010 Dan Walsh 3.8.8-9- Apply Miroslav munin patch- Turn back on allow_execmem and allow_execmod booleans
* Tue Jul 27 2010 Dan Walsh 3.8.8-8- Merge in fixes from dgrift repository
* Tue Jul 27 2010 Dan Walsh 3.8.8-7- Update boinc policy- Fix sysstat policy to allow sys_admin- Change failsafe_context to unconfined_r:unconfined_t:s0
* Mon Jul 26 2010 Dan Walsh 3.8.8-6- New paths for upstart
* Mon Jul 26 2010 Dan Walsh 3.8.8-5- New permissions for syslog- New labels for /lib/upstart
* Fri Jul 23 2010 Dan Walsh 3.8.8-4- Add mojomojo policy
* Thu Jul 22 2010 Dan Walsh 3.8.8-3- Allow systemd to setsockcon on sockets to immitate other services
* Wed Jul 21 2010 Dan Walsh 3.8.8-2- Remove debugfs label
* Tue Jul 20 2010 Dan Walsh 3.8.8-1- Update to latest policy
* Wed Jul 14 2010 Dan Walsh 3.8.7-3- Fix eclipse labeling from IBMSupportAssasstant packageing
* Wed Jul 14 2010 Dan Walsh 3.8.7-2- Make boot with systemd in enforcing mode
* Wed Jul 14 2010 Dan Walsh 3.8.7-1- Update to upstream
* Mon Jul 12 2010 Dan Walsh 3.8.6-3- Add boolean to turn off port forwarding in sshd.
* Fri Jul 09 2010 Miroslav Grepl 3.8.6-2- Add support for ebtables- Fixes for rhcs and corosync policy
* Tue Jun 22 2010 Dan Walsh 3.8.6-1-Update to upstream
* Mon Jun 21 2010 Dan Walsh 3.8.5-1-Update to upstream
* Thu Jun 17 2010 Dan Walsh 3.8.4-1-Update to upstream
* Wed Jun 16 2010 Dan Walsh 3.8.3-4- Add Zarafa policy
* Wed Jun 09 2010 Dan Walsh 3.8.3-3- Cleanup of aiccu policy- initial mock policy
* Wed Jun 09 2010 Dan Walsh 3.8.3-2- Lots of random fixes
* Tue Jun 08 2010 Dan Walsh 3.8.3-1- Update to upstream
* Fri Jun 04 2010 Dan Walsh 3.8.2-1- Update to upstream- Allow prelink script to signal itself- Cobbler fixes
* Wed Jun 02 2010 Dan Walsh 3.8.1-5- Add xdm_var_run_t to xserver_stream_connect_xdm- Add cmorrord and mpd policy from Miroslav Grepl
* Tue Jun 01 2010 Dan Walsh 3.8.1-4- Fix sshd creation of krb cc files for users to be user_tmp_t
* Thu May 27 2010 Dan Walsh 3.8.1-3- Fixes for accountsdialog- Fixes for boinc
* Thu May 27 2010 Dan Walsh 3.8.1-2- Fix label on /var/lib/dokwiki- Change permissive domains to enforcing- Fix libvirt policy to allow it to run on mls
* Tue May 25 2010 Dan Walsh 3.8.1-1- Update to upstream
* Tue May 25 2010 Dan Walsh 3.7.19-22- Allow procmail to execute scripts in the users home dir that are labeled home_bin_t- Fix /var/run/abrtd.lock label
* Mon May 24 2010 Dan Walsh 3.7.19-21- Allow login programs to read krb5_home_tResolves: 594833- Add obsoletes for cachefilesfd-selinux packageResolves: #575084
* Thu May 20 2010 Dan Walsh 3.7.19-20- Allow mount to r/w abrt fifo file- Allow svirt_t to getattr on hugetlbfs- Allow abrt to create a directory under /var/spool
* Wed May 19 2010 Dan Walsh 3.7.19-19- Add labels for /sys- Allow sshd to getattr on shutdown- Fixes for munin- Allow sssd to use the kernel key ring- Allow tor to send syslog messages- Allow iptabels to read usr files- allow policykit to read all domains state
* Thu May 13 2010 Dan Walsh 3.7.19-17- Fix path for /var/spool/abrt- Allow nfs_t as an entrypoint for http_sys_script_t- Add policy for piranha- Lots of fixes for sosreport
* Wed May 12 2010 Dan Walsh 3.7.19-16- Allow xm_t to read network state and get and set capabilities- Allow policykit to getattr all processes- Allow denyhosts to connect to tcp port 9911- Allow pyranha to use raw ip sockets and ptrace itself- Allow unconfined_execmem_t and gconfsd mechanism to dbus- Allow staff to kill ping process- Add additional MLS rules
* Mon May 10 2010 Dan Walsh 3.7.19-15- Allow gdm to edit ~/.gconf dirResolves: #590677- Allow dovecot to create directories in /var/lib/dovecotPartially resolves 590224- Allow avahi to dbus chat with NetworkManager- Fix cobbler labels- Dontaudit iceauth_t leaks- fix /var/lib/lxdm file context- Allow aiccu to use tun tap devices- Dontaudit shutdown using xserver.log
* Fri May 07 2010 Dan Walsh 3.7.19-14- Fixes for sandbox_x_net_t to match access for sandbox_web_t ++- Add xdm_etc_t for /etc/gdm directory, allow accountsd to manage this directory- Add dontaudit interface for bluetooth dbus- Add chronyd_read_keys, append_keys for initrc_t- Add log support for ksmtunedResolves: #586663
* Thu May 06 2010 Dan Walsh 3.7.19-13- Allow boinc to send mail
* Wed May 05 2010 Dan Walsh 3.7.19-12- Allow initrc_t to remove dhcpc_state_t- Fix label on sa-update.cron- Allow dhcpc to restart chrony initrc- Don\'t allow sandbox to send signals to its parent processes- Fix transition from unconfined_t -> unconfined_mount_t -> rpcd_tResolves: #589136
* Mon May 03 2010 Dan Walsh 3.7.19-11- Fix location of oddjob_mkhomedirResolves: #587385- fix labeling on /root/.shosts and ~/.shosts- Allow ipsec_mgmt_t to manage net_conf_tResolves: #586760
* Fri Apr 30 2010 Dan Walsh 3.7.19-10- Dontaudit sandbox trying to connect to netlink socketsResolves: #587609- Add policy for piranha
* Thu Apr 29 2010 Dan Walsh 3.7.19-9- Fixups for xguest policy- Fixes for running sandbox firefox
* Wed Apr 28 2010 Dan Walsh 3.7.19-8- Allow ksmtuned to use terminalsResolves: #586663- Allow lircd to write to generic usb devices
* Tue Apr 27 2010 Dan Walsh 3.7.19-7- Allow sandbox_xserver to connectto unconfined streamResolves: #585171
* Mon Apr 26 2010 Dan Walsh 3.7.19-6- Allow initrc_t to read slapd_db_tResolves: #585476- Allow ipsec_mgmt to use unallocated devpts and to create /etc/resolv.confResolves: #585963
* Thu Apr 22 2010 Dan Walsh 3.7.19-5- Allow rlogind_t to search /root for .rhostsResolves: #582760- Fix path for cached_var_t- Fix prelink paths /var/lib/prelink - Allow confined users to direct_dri- Allow mls lvm/cryptosetup to work
* Wed Apr 21 2010 Dan Walsh 3.7.19-4- Allow virtd_t to manage firewall/iptables configResolves: #573585
* Tue Apr 20 2010 Dan Walsh 3.7.19-3- Fix label on /root/.rhostsResolves: #582760- Add labels for Picasa- Allow openvpn to read home certs- Allow plymouthd_t to use tty_device_t- Run ncftool as iptables_t- Allow mount to unmount unlabeled_t- Dontaudit hal leaks
* Wed Apr 14 2010 Dan Walsh 3.7.19-2- Allow livecd to transition to mount
* Tue Apr 13 2010 Dan Walsh 3.7.19-1- Update to upstream- Allow abrt to delete sosreportResolves: #579998- Allow snmp to setuid and gidResolves: #582155- Allow smartd to use generic scsi devicesResolves: #582145
* Tue Apr 13 2010 Dan Walsh 3.7.18-3- Allow ipsec_t to create /etc/resolv.conf with the correct label- Fix reserved port destination- Allow autofs to transition to showmount- Stop crashing tuned
* Mon Apr 12 2010 Dan Walsh 3.7.18-2- Add telepathysofiasip policy
* Mon Apr 05 2010 Dan Walsh 3.7.18-1- Update to upstream- Fix label for /opt/google/chrome/chrome-sandbox- Allow modemmanager to dbus with policykit
* Mon Apr 05 2010 Dan Walsh 3.7.17-6- Fix allow_httpd_mod_auth_pam to use auth_use_pam(httpd_t)- Allow accountsd to read shadow file- Allow apache to send audit messages when using pam- Allow asterisk to bind and connect to sip tcp ports- Fixes for dovecot 2.0- Allow initrc_t to setattr on milter directories- Add procmail_home_t for .procmailrc file
* Thu Apr 01 2010 Dan Walsh 3.7.17-5- Fixes for labels during install from livecd
* Thu Apr 01 2010 Dan Walsh 3.7.17-4- Fix /cgroup file context - Fix broken afs use of unlabled_t- Allow getty to use the console for s390
* Wed Mar 31 2010 Dan Walsh 3.7.17-3- Fix cgroup handling adding policy for /cgroup- Allow confined users to write to generic usb devices, if user_rw_noexattrfile boolean set
* Tue Mar 30 2010 Dan Walsh 3.7.17-2- Merge patches from dgrift
* Mon Mar 29 2010 Dan Walsh 3.7.17-1- Update upstream- Allow abrt to write to the /proc under any process
* Fri Mar 26 2010 Dan Walsh 3.7.16-2- Fix ~/.fontconfig label- Add /root/.cert label- Allow reading of the fixed_file_disk_t:lnk_file if you can read file- Allow qemu_exec_t as an entrypoint to svirt_t
* Tue Mar 23 2010 Dan Walsh 3.7.16-1- Update to upstream- Allow tmpreaper to delete sandbox sock files- Allow chrome-sandbox_t to use /dev/zero, and dontaudit getattr file systems- Fixes for gitosis- No transition on livecd to passwd or chfn- Fixes for denyhosts
* Tue Mar 23 2010 Dan Walsh 3.7.15-4- Add label for /var/lib/upower- Allow logrotate to run sssd- dontaudit readahead on tmpfs blk files- Allow tmpreaper to setattr on sandbox files- Allow confined users to execute dos files- Allow sysadm_t to kill processes running within its clearance- Add accountsd policy- Fixes for corosync policy- Fixes from crontab policy- Allow svirt to manage svirt_image_t chr files- Fixes for qdisk policy- Fixes for sssd policy- Fixes for newrole policy
* Thu Mar 18 2010 Dan Walsh 3.7.15-3- make libvirt work on an MLS platform
* Thu Mar 18 2010 Dan Walsh 3.7.15-2- Add qpidd policy
* Thu Mar 18 2010 Dan Walsh 3.7.15-1- Update to upstream
* Tue Mar 16 2010 Dan Walsh 3.7.14-5- Allow boinc to read kernel sysctl- Fix snmp port definitions- Allow apache to read anon_inodefs
* Sun Mar 14 2010 Dan Walsh 3.7.14-4- Allow shutdown dac_override
* Sat Mar 13 2010 Dan Walsh 3.7.14-3- Add device_t as a file system- Fix sysfs association
* Fri Mar 12 2010 Dan Walsh 3.7.14-2- Dontaudit ipsec_mgmt sys_ptrace- Allow at to mail its spool files- Allow nsplugin to search in .pulse directory
* Fri Mar 12 2010 Dan Walsh 3.7.14-1- Update to upstream
* Fri Mar 12 2010 Dan Walsh 3.7.13-4- Allow users to dbus chat with xdm- Allow users to r/w wireless_device_t- Dontaudit reading of process states by ipsec_mgmt
* Thu Mar 11 2010 Dan Walsh 3.7.13-3- Fix openoffice from unconfined_t
* Wed Mar 10 2010 Dan Walsh 3.7.13-2- Add shutdown policy so consolekit can shutdown system
* Tue Mar 09 2010 Dan Walsh 3.7.13-1- Update to upstream
* Thu Mar 04 2010 Dan Walsh 3.7.12-1- Update to upstream
* Thu Mar 04 2010 Dan Walsh 3.7.11-1- Update to upstream - These are merges of my patches- Remove 389 labeling conflicts- Add MLS fixes found in RHEL6 testing- Allow pulseaudio to run as a service- Add label for mssql and allow apache to connect to this database port if boolean set- Dontaudit searches of debugfs mount point- Allow policykit_auth to send signals to itself- Allow modcluster to call getpwnam- Allow swat to signal winbind- Allow usbmux to run as a system role- Allow svirt to create and use devpts
* Mon Mar 01 2010 Dan Walsh 3.7.10-5- Add MLS fixes found in RHEL6 testing- Allow domains to append to rpm_tmp_t- Add cachefilesfd policy- Dontaudit leaks when transitioning
* Wed Feb 24 2010 Dan Walsh 3.7.10-4- Change allow_execstack and allow_execmem booleans to on- dontaudit acct using console- Add label for fping- Allow tmpreaper to delete sandbox_file_t- Fix wine dontaudit mmap_zero- Allow abrt to read var_t symlinks
* Tue Feb 23 2010 Dan Walsh 3.7.10-3- Additional policy for rgmanager
* Mon Feb 22 2010 Dan Walsh 3.7.10-2- Allow sshd to setattr on pseudo terms
* Mon Feb 22 2010 Dan Walsh 3.7.10-1- Update to upstream
* Thu Feb 18 2010 Dan Walsh 3.7.9-4- Allow policykit to send itself signals
* Wed Feb 17 2010 Dan Walsh 3.7.9-3- Fix duplicate cobbler definition
* Wed Feb 17 2010 Dan Walsh 3.7.9-2- Fix file context of /var/lib/avahi-autoipd
* Fri Feb 12 2010 Dan Walsh 3.7.9-1- Merge with upstream
* Thu Feb 11 2010 Dan Walsh 3.7.8-11- Allow sandbox to work with MLS
* Tue Feb 09 2010 Dan Walsh 3.7.8-9- Make Chrome work with staff user
* Thu Feb 04 2010 Dan Walsh 3.7.8-8- Add icecast policy- Cleanup spec file
* Wed Feb 03 2010 Dan Walsh 3.7.8-7- Add mcelog policy
* Mon Feb 01 2010 Dan Walsh 3.7.8-6- Lots of fixes found in F12
* Thu Jan 28 2010 Dan Walsh 3.7.8-5- Fix rpm_dontaudit_leaks
* Wed Jan 27 2010 Dan Walsh 3.7.8-4- Add getsched to hald_t- Add file context for Fedora/Redhat Directory Server
* Mon Jan 25 2010 Dan Walsh 3.7.8-3- Allow abrt_helper to getattr on all filesystems- Add label for /opt/real/RealPlayer/plugins/oggfformat\\.so
* Thu Jan 21 2010 Dan Walsh 3.7.8-2- Add gstreamer_home_t for ~/.gstreamer
* Mon Jan 18 2010 Dan Walsh 3.7.8-1- Update to upstream
* Fri Jan 15 2010 Dan Walsh 3.7.7-3- Fix git
* Thu Jan 07 2010 Dan Walsh 3.7.7-2- Turn on puppet policy- Update to dgrift git policy
* Thu Jan 07 2010 Dan Walsh 3.7.7-1- Move users file to selection by spec file.- Allow vncserver to run as unconfined_u:unconfined_r:unconfined_t
* Thu Jan 07 2010 Dan Walsh 3.7.6-1- Update to upstream
* Wed Jan 06 2010 Dan Walsh 3.7.5-8- Remove most of the permissive domains from F12.
* Tue Jan 05 2010 Dan Walsh 3.7.5-7- Add cobbler policy from dgrift
* Mon Jan 04 2010 Dan Walsh 3.7.5-6- add usbmon device- Add allow rulse for devicekit_disk
* Wed Dec 30 2009 Dan Walsh 3.7.5-5- Lots of fixes found in F12, fixes from Tom London
* Wed Dec 23 2009 Dan Walsh 3.7.5-4- Cleanups from dgrift
* Tue Dec 22 2009 Dan Walsh 3.7.5-3- Add back xserver_manage_home_fonts
* Mon Dec 21 2009 Dan Walsh 3.7.5-2- Dontaudit sandbox trying to read nscd and sssd
* Fri Dec 18 2009 Dan Walsh 3.7.5-1- Update to upstream
* Thu Dec 17 2009 Dan Walsh 3.7.4-4- Rename udisks-daemon back to devicekit_disk_t policy
* Wed Dec 16 2009 Dan Walsh 3.7.4-3- Fixes for abrt calls
* Fri Dec 11 2009 Dan Walsh 3.7.4-2- Add tgtd policy
* Fri Dec 04 2009 Dan Walsh 3.7.4-1- Update to upstream release
* Mon Nov 16 2009 Dan Walsh 3.7.3-1- Add asterisk policy back in- Update to upstream release 2.20091117
* Mon Nov 16 2009 Dan Walsh 3.7.1-1- Update to upstream release 2.20091117
* Mon Nov 16 2009 Dan Walsh 3.6.33-2- Fixup nut policy
* Thu Nov 12 2009 Dan Walsh 3.6.33-1- Update to upstream
* Thu Oct 01 2009 Dan Walsh 3.6.32-17- Allow vpnc request the kernel to load modules
* Wed Sep 30 2009 Dan Walsh 3.6.32-16- Fix minimum policy installs- Allow udev and rpcbind to request the kernel to load modules
* Wed Sep 30 2009 Dan Walsh 3.6.32-15- Add plymouth policy- Allow local_login to sys_admin
* Tue Sep 29 2009 Dan Walsh 3.6.32-13- Allow cupsd_config to read user tmp- Allow snmpd_t to signal itself- Allow sysstat_t to makedir in sysstat_log_t
* Fri Sep 25 2009 Dan Walsh 3.6.32-12- Update rhcs policy
* Thu Sep 24 2009 Dan Walsh 3.6.32-11- Allow users to exec restorecond
* Tue Sep 22 2009 Dan Walsh 3.6.32-10- Allow sendmail to request kernel modules load
* Mon Sep 21 2009 Dan Walsh 3.6.32-9- Fix all kernel_request_load_module domains
* Mon Sep 21 2009 Dan Walsh 3.6.32-8- Fix all kernel_request_load_module domains
* Sun Sep 20 2009 Dan Walsh 3.6.32-7- Remove allow_exec
* booleans for confined users. Only available for unconfined_t
* Fri Sep 18 2009 Dan Walsh 3.6.32-6- More fixes for sandbox_web_t
* Fri Sep 18 2009 Dan Walsh 3.6.32-5- Allow sshd to create .ssh directory and content
* Fri Sep 18 2009 Dan Walsh 3.6.32-4- Fix request_module line to module_request
* Fri Sep 18 2009 Dan Walsh 3.6.32-3- Fix sandbox policy to allow it to run under firefox. - Dont audit leaks.
* Thu Sep 17 2009 Dan Walsh 3.6.32-2- Fixes for sandbox
* Wed Sep 16 2009 Dan Walsh 3.6.32-1- Update to upstream- Dontaudit nsplugin search /root- Dontaudit nsplugin sys_nice
* Tue Sep 15 2009 Dan Walsh 3.6.31-5- Fix label on /usr/bin/notepad, /usr/sbin/vboxadd-service- Remove policycoreutils-python requirement except for minimum
* Mon Sep 14 2009 Dan Walsh 3.6.31-4- Fix devicekit_disk_t to getattr on all domains sockets and fifo_files- Conflicts seedit (You can not use selinux-policy-targeted and seedit at the same time.)
* Thu Sep 10 2009 Dan Walsh 3.6.31-3- Add wordpress/wp-content/uploads label- Fixes for sandbox when run from staff_t
* Thu Sep 10 2009 Dan Walsh 3.6.31-2- Update to upstream- Fixes for devicekit_disk
* Tue Sep 08 2009 Dan Walsh 3.6.30-6- More fixes
* Tue Sep 08 2009 Dan Walsh 3.6.30-5- Lots of fixes for initrc and other unconfined domains
* Fri Sep 04 2009 Dan Walsh 3.6.30-4- Allow xserver to use netlink_kobject_uevent_socket
* Thu Sep 03 2009 Dan Walsh 3.6.30-3- Fixes for sandbox
* Mon Aug 31 2009 Dan Walsh 3.6.30-2- Dontaudit setroubleshootfix looking at /root directory
* Mon Aug 31 2009 Dan Walsh 3.6.30-1- Update to upsteam
* Mon Aug 31 2009 Dan Walsh 3.6.29-2- Allow gssd to send signals to users- Fix duplicate label for apache content
* Fri Aug 28 2009 Dan Walsh 3.6.29-1- Update to upstream
* Fri Aug 28 2009 Dan Walsh 3.6.28-9- Remove polkit_auth on upgrades
* Wed Aug 26 2009 Dan Walsh 3.6.28-8- Add back in unconfined.pp and unconfineduser.pp- Add Sandbox unshare
* Tue Aug 25 2009 Dan Walsh 3.6.28-7- Fixes for cdrecord, mdadm, and others
* Sat Aug 22 2009 Dan Walsh 3.6.28-6- Add capability setting to dhcpc and gpm
* Sat Aug 22 2009 Dan Walsh 3.6.28-5- Allow cronjobs to read exim_spool_t
* Fri Aug 21 2009 Dan Walsh 3.6.28-4- Add ABRT policy
* Thu Aug 20 2009 Dan Walsh 3.6.28-3- Fix system-config-services policy
* Wed Aug 19 2009 Dan Walsh 3.6.28-2- Allow libvirt to change user componant of virt_domain
* Tue Aug 18 2009 Dan Walsh 3.6.28-1- Allow cupsd_config_t to be started by dbus- Add smoltclient policy
* Fri Aug 14 2009 Dan Walsh 3.6.27-1- Add policycoreutils-python to pre install
* Thu Aug 13 2009 Dan Walsh 3.6.26-11- Make all unconfined_domains permissive so we can see what AVC\'s happen
* Mon Aug 10 2009 Dan Walsh 3.6.26-10- Add pt_chown policy
* Mon Aug 10 2009 Dan Walsh 3.6.26-9- Add kdump policy for Miroslav Grepl- Turn off execstack boolean
* Fri Aug 07 2009 Bill Nottingham 3.6.26-8- Turn on execstack on a temporary basis (#512845)
* Thu Aug 06 2009 Dan Walsh 3.6.26-7- Allow nsplugin to connecto the session bus- Allow samba_net to write to coolkey data
* Wed Aug 05 2009 Dan Walsh 3.6.26-6- Allow devicekit_disk to list inotify
* Wed Aug 05 2009 Dan Walsh 3.6.26-5- Allow svirt images to create sock_file in svirt_var_run_t
* Tue Aug 04 2009 Dan Walsh 3.6.26-4- Allow exim to getattr on mountpoints- Fixes for pulseaudio
* Fri Jul 31 2009 Dan Walsh 3.6.26-3- Allow svirt_t to stream_connect to virtd_t
* Fri Jul 31 2009 Dan Walsh 3.6.26-2- Allod hald_dccm_t to create sock_files in /tmp
* Thu Jul 30 2009 Dan Walsh 3.6.26-1- More fixes from upstream
* Tue Jul 28 2009 Dan Walsh 3.6.25-1- Fix polkit label- Remove hidebrokensymptoms for nss_ldap fix- Add modemmanager policy- Lots of merges from upstream- Begin removing textrel_shlib_t labels, from fixed libraries
* Tue Jul 28 2009 Dan Walsh 3.6.24-1- Update to upstream
* Mon Jul 27 2009 Dan Walsh 3.6.23-2- Allow certmaster to override dac permissions
* Thu Jul 23 2009 Dan Walsh 3.6.23-1- Update to upstream
* Tue Jul 21 2009 Dan Walsh 3.6.22-3- Fix context for VirtualBox
* Tue Jul 14 2009 Dan Walsh 3.6.22-1- Update to upstream
* Fri Jul 10 2009 Dan Walsh 3.6.21-4- Allow clamscan read amavis spool files
* Wed Jul 08 2009 Dan Walsh 3.6.21-3- Fixes for xguest
* Tue Jul 07 2009 Tom \"spot\" Callaway 3.6.21-2- fix multiple directory ownership of mandirs
* Wed Jul 01 2009 Dan Walsh 3.6.21-1- Update to upstream
* Tue Jun 30 2009 Dan Walsh 3.6.20-2- Add rules for rtkit-daemon
* Thu Jun 25 2009 Dan Walsh 3.6.20-1- Update to upstream- Fix nlscd_stream_connect
* Thu Jun 25 2009 Dan Walsh 3.6.19-5- Add rtkit policy
* Wed Jun 24 2009 Dan Walsh 3.6.19-4- Allow rpcd_t to stream connect to rpcbind
* Tue Jun 23 2009 Dan Walsh 3.6.19-3- Allow kpropd to create tmp files
* Tue Jun 23 2009 Dan Walsh 3.6.19-2- Fix last duplicate /var/log/rpmpkgs
* Mon Jun 22 2009 Dan Walsh 3.6.19-1- Update to upstream
* add sssd
* Sat Jun 20 2009 Dan Walsh 3.6.18-1- Update to upstream
* cleanup
* Fri Jun 19 2009 Dan Walsh 3.6.17-1- Update to upstream- Additional mail ports- Add virt_use_usb boolean for svirt
* Thu Jun 18 2009 Dan Walsh 3.6.16-4- Fix mcs rules to include chr_file and blk_file
* Tue Jun 16 2009 Dan Walsh 3.6.16-3- Add label for udev-acl
* Mon Jun 15 2009 Dan Walsh 3.6.16-2- Additional rules for consolekit/udev, privoxy and various other fixes
* Fri Jun 12 2009 Dan Walsh 3.6.16-1- New version for upstream
* Thu Jun 11 2009 Dan Walsh 3.6.14-3- Allow NetworkManager to read inotifyfs
* Wed Jun 10 2009 Dan Walsh 3.6.14-2- Allow setroubleshoot to run mlocate
* Mon Jun 08 2009 Dan Walsh 3.6.14-1- Update to upstream
* Tue Jun 02 2009 Dan Walsh 3.6.13-3- Add fish as a shell- Allow fprintd to list usbfs_t- Allow consolekit to search mountpoints- Add proper labeling for shorewall
* Tue May 26 2009 Dan Walsh 3.6.13-2- New log file for vmware- Allow xdm to setattr on user_tmp_t
* Thu May 21 2009 Dan Walsh 3.6.13-1- Upgrade to upstream
* Wed May 20 2009 Dan Walsh 3.6.12-39- Allow fprintd to access sys_ptrace- Add sandbox policy
* Mon May 18 2009 Dan Walsh 3.6.12-38- Add varnishd policy
* Thu May 14 2009 Dan Walsh 3.6.12-37- Fixes for kpropd
* Tue May 12 2009 Dan Walsh 3.6.12-36- Allow brctl to r/w tun_tap_device_t
* Mon May 11 2009 Dan Walsh 3.6.12-35- Add /usr/share/selinux/packages
* Mon May 11 2009 Dan Walsh 3.6.12-34- Allow rpcd_t to send signals to kernel threads
* Fri May 08 2009 Dan Walsh 3.6.12-33- Fix upgrade for F10 to F11
* Thu May 07 2009 Dan Walsh 3.6.12-31- Add policy for /var/lib/fprint
* Tue May 05 2009 Dan Walsh 3.6.12-30-Remove duplicate line
* Tue May 05 2009 Dan Walsh 3.6.12-29- Allow svirt to manage pci and other sysfs device data
* Mon May 04 2009 Dan Walsh 3.6.12-28- Fix package selection handling
* Fri May 01 2009 Dan Walsh 3.6.12-27- Fix /sbin/ip6tables-save context- Allod udev to transition to mount- Fix loading of mls policy file
* Thu Apr 30 2009 Dan Walsh 3.6.12-26- Add shorewall policy
* Wed Apr 29 2009 Dan Walsh 3.6.12-25- Additional rules for fprintd and sssd
* Tue Apr 28 2009 Dan Walsh 3.6.12-24- Allow nsplugin to unix_read unix_write sem for unconfined_java
* Tue Apr 28 2009 Dan Walsh 3.6.12-23- Fix uml files to be owned by users
* Tue Apr 28 2009 Dan Walsh 3.6.12-22- Fix Upgrade path to install unconfineduser.pp when unocnfined package is 3.0.0 or less
* Mon Apr 27 2009 Dan Walsh 3.6.12-21- Allow confined users to manage virt_content_t, since this is home dir content- Allow all domains to read rpm_script_tmp_t which is what shell creates on redirection
* Mon Apr 27 2009 Dan Walsh 3.6.12-20- Fix labeling on /var/lib/misc/prelink
*- Allow xserver to rw_shm_perms with all x_clients- Allow prelink to execute files in the users home directory
* Fri Apr 24 2009 Dan Walsh 3.6.12-19- Allow initrc_t to delete dev_null- Allow readahead to configure auditing- Fix milter policy- Add /var/lib/readahead
* Fri Apr 24 2009 Dan Walsh 3.6.12-16- Update to latest milter code from Paul Howarth
* Thu Apr 23 2009 Dan Walsh 3.6.12-15- Additional perms for readahead
* Thu Apr 23 2009 Dan Walsh 3.6.12-14- Allow pulseaudio to acquire_svc on session bus- Fix readahead labeling
* Thu Apr 23 2009 Dan Walsh 3.6.12-13- Allow sysadm_t to run rpm directly- libvirt needs fowner
* Wed Apr 22 2009 Dan Walsh 3.6.12-12- Allow sshd to read var_lib symlinks for freenx
* Tue Apr 21 2009 Dan Walsh 3.6.12-11- Allow nsplugin unix_read and write on users shm and sem- Allow sysadm_t to execute su
* Tue Apr 21 2009 Dan Walsh 3.6.12-10- Dontaudit attempts to getattr user_tmpfs_t by lvm- Allow nfs to share removable media
* Mon Apr 20 2009 Dan Walsh 3.6.12-9- Add ability to run postdrop from confined users
* Sat Apr 18 2009 Dan Walsh 3.6.12-8- Fixes for podsleuth
* Fri Apr 17 2009 Dan Walsh 3.6.12-7- Turn off nsplugin transition- Remove Konsole leaked file descriptors for release
* Fri Apr 17 2009 Dan Walsh 3.6.12-6- Allow cupsd_t to create link files in print_spool_t- Fix iscsi_stream_connect typo- Fix labeling on /etc/acpi/actions- Don\'t reinstall unconfine and unconfineuser on upgrade if they are not installed
* Tue Apr 14 2009 Dan Walsh 3.6.12-5- Allow audioentroy to read etc files
* Mon Apr 13 2009 Dan Walsh 3.6.12-4- Add fail2ban_var_lib_t- Fixes for devicekit_power_t
* Thu Apr 09 2009 Dan Walsh 3.6.12-3- Separate out the ucnonfined user from the unconfined.pp package
* Wed Apr 08 2009 Dan Walsh 3.6.12-2- Make sure unconfined_java_t and unconfined_mono_t create user_tmpfs_t.
* Tue Apr 07 2009 Dan Walsh 3.6.12-1- Upgrade to latest upstream- Allow devicekit_disk sys_rawio
* Mon Apr 06 2009 Dan Walsh 3.6.11-1- Dontaudit binds to ports < 1024 for named- Upgrade to latest upstream
* Fri Apr 03 2009 Dan Walsh 3.6.10-9- Allow podsleuth to use tmpfs files
* Fri Apr 03 2009 Dan Walsh 3.6.10-8- Add customizable_types for svirt
* Fri Apr 03 2009 Dan Walsh 3.6.10-7- Allow setroubelshoot exec
* privs to prevent crash from bad libraries- add cpufreqselector
* Thu Apr 02 2009 Dan Walsh 3.6.10-6- Dontaudit listing of /root directory for cron system jobs
* Mon Mar 30 2009 Dan Walsh 3.6.10-5- Fix missing ld.so.cache label
* Fri Mar 27 2009 Dan Walsh 3.6.10-4- Add label for ~/.forward and /root/.forward
* Thu Mar 26 2009 Dan Walsh 3.6.10-3- Fixes for svirt
* Thu Mar 19 2009 Dan Walsh 3.6.10-2- Fixes to allow svirt read iso files in homedir
* Thu Mar 19 2009 Dan Walsh 3.6.10-1- Add xenner and wine fixes from mgrepl
* Wed Mar 18 2009 Dan Walsh 3.6.9-4- Allow mdadm to read/write mls override
* Tue Mar 17 2009 Dan Walsh 3.6.9-3- Change to svirt to only access svirt_image_t
* Thu Mar 12 2009 Dan Walsh 3.6.9-2- Fix libvirt policy
* Thu Mar 12 2009 Dan Walsh 3.6.9-1- Upgrade to latest upstream
* Tue Mar 10 2009 Dan Walsh 3.6.8-4- Fixes for iscsid and sssd- More cleanups for upgrade from F10 to Rawhide.
* Mon Mar 09 2009 Dan Walsh 3.6.8-3- Add pulseaudio, sssd policy- Allow networkmanager to exec udevadm
* Sat Mar 07 2009 Dan Walsh 3.6.8-2- Add pulseaudio context
* Thu Mar 05 2009 Dan Walsh 3.6.8-1- Upgrade to latest patches
* Wed Mar 04 2009 Dan Walsh 3.6.7-2- Fixes for libvirt
* Mon Mar 02 2009 Dan Walsh 3.6.7-1- Update to Latest upstream
* Sat Feb 28 2009 Dan Walsh 3.6.6-9- Fix setrans.conf to show SystemLow for s0
* Fri Feb 27 2009 Dan Walsh 3.6.6-8- Further confinement of qemu images via svirt
* Wed Feb 25 2009 Fedora Release Engineering - 3.6.6-7- Rebuilt for https://fedoraproject.org/wiki/Fedora_11_Mass_Rebuild
* Thu Feb 19 2009 Dan Walsh 3.6.6-6- Allow NetworkManager to manage /etc/NetworkManager/system-connections
* Wed Feb 18 2009 Dan Walsh 3.6.6-5- add virtual_image_context and virtual_domain_context files
* Tue Feb 17 2009 Dan Walsh 3.6.6-4- Allow rpcd_t to send signal to mount_t- Allow libvirtd to run ranged
* Tue Feb 17 2009 Dan Walsh 3.6.6-3- Fix sysnet/net_conf_t
* Tue Feb 17 2009 Dan Walsh 3.6.6-2- Fix squidGuard labeling
* Wed Feb 11 2009 Dan Walsh 3.6.6-1- Re-add corenet_in_generic_if(unlabeled_t)
* Wed Feb 11 2009 Dan Walsh 3.6.5-3
* Tue Feb 10 2009 Dan Walsh 3.6.5-2- Add git web policy
* Mon Feb 09 2009 Dan Walsh 3.6.5-1- Add setrans contains from upstream
* Mon Feb 09 2009 Dan Walsh 3.6.4-6- Do transitions outside of the booleans
* Sun Feb 08 2009 Dan Walsh 3.6.4-5- Allow xdm to create user_tmp_t sockets for switch user to work
* Thu Feb 05 2009 Dan Walsh 3.6.4-4- Fix staff_t domain
* Thu Feb 05 2009 Dan Walsh 3.6.4-3- Grab remainder of network_peer_controls patch
* Wed Feb 04 2009 Dan Walsh 3.6.4-2- More fixes for devicekit
* Tue Feb 03 2009 Dan Walsh 3.6.4-1- Upgrade to latest upstream
* Mon Feb 02 2009 Dan Walsh 3.6.3-13- Add boolean to disallow unconfined_t login
* Fri Jan 30 2009 Dan Walsh 3.6.3-12- Add back transition from xguest to mozilla
* Fri Jan 30 2009 Dan Walsh 3.6.3-11- Add virt_content_ro_t and labeling for isos directory
* Tue Jan 27 2009 Dan Walsh 3.6.3-10- Fixes for wicd daemon
* Mon Jan 26 2009 Dan Walsh 3.6.3-9- More mls/rpm fixes
* Fri Jan 23 2009 Dan Walsh 3.6.3-8- Add policy to make dbus/nm-applet work
* Thu Jan 22 2009 Dan Walsh 3.6.3-7- Remove polgen-ifgen from post and add trigger to policycoreutils-python
* Wed Jan 21 2009 Dan Walsh 3.6.3-6- Add wm policy- Make mls work in graphics mode
* Tue Jan 20 2009 Dan Walsh 3.6.3-3- Fixed for DeviceKit
* Mon Jan 19 2009 Dan Walsh 3.6.3-2- Add devicekit policy
* Mon Jan 19 2009 Dan Walsh 3.6.3-1- Update to upstream
* Thu Jan 15 2009 Dan Walsh 3.6.2-5- Define openoffice as an x_domain
* Mon Jan 12 2009 Dan Walsh 3.6.2-4- Fixes for reading xserver_tmp_t
* Thu Jan 08 2009 Dan Walsh 3.6.2-3- Allow cups_pdf_t write to nfs_t
* Tue Jan 06 2009 Dan Walsh 3.6.2-2- Remove audio_entropy policy
* Mon Jan 05 2009 Dan Walsh 3.6.2-1- Update to upstream
* Sun Jan 04 2009 Dan Walsh 3.6.1-15- Allow hal_acl_t to getattr/setattr fixed_disk
* Sat Dec 27 2008 Dan Walsh 3.6.1-14- Change userdom_read_all_users_state to include reading symbolic links in /proc
* Mon Dec 22 2008 Dan Walsh 3.6.1-13- Fix dbus reading /proc information
* Thu Dec 18 2008 Dan Walsh 3.6.1-12- Add missing alias for home directory content
* Wed Dec 17 2008 Dan Walsh 3.6.1-11- Fixes for IBM java location
* Thu Dec 11 2008 Dan Walsh 3.6.1-10- Allow unconfined_r unconfined_java_t
* Tue Dec 09 2008 Dan Walsh 3.6.1-9- Add cron_role back to user domains
* Mon Dec 08 2008 Dan Walsh 3.6.1-8- Fix sudo setting of user keys
* Thu Dec 04 2008 Dan Walsh 3.6.1-7- Allow iptables to talk to terminals- Fixes for policy kit- lots of fixes for booting.
* Wed Dec 03 2008 Dan Walsh 3.6.1-4- Cleanup policy
* Mon Dec 01 2008 Ignacio Vazquez-Abrams - 3.6.1-2- Rebuild for Python 2.6
* Fri Nov 07 2008 Dan Walsh 3.5.13-19- Fix labeling on /var/spool/rsyslog
* Thu Nov 06 2008 Dan Walsh 3.5.13-18- Allow postgresl to bind to udp nodes
* Wed Nov 05 2008 Dan Walsh 3.5.13-17- Allow lvm to dbus chat with hal- Allow rlogind to read nfs_t
* Wed Nov 05 2008 Dan Walsh 3.5.13-16- Fix cyphesis file context
* Tue Nov 04 2008 Dan Walsh 3.5.13-15- Allow hal/pm-utils to look at /var/run/video.rom- Add ulogd policy
* Tue Nov 04 2008 Dan Walsh 3.5.13-14- Additional fixes for cyphesis- Fix certmaster file context- Add policy for system-config-samba- Allow hal to read /var/run/video.rom
* Mon Nov 03 2008 Dan Walsh 3.5.13-13- Allow dhcpc to restart ypbind- Fixup labeling in /var/run
* Thu Oct 30 2008 Dan Walsh 3.5.13-12- Add certmaster policy
* Wed Oct 29 2008 Dan Walsh 3.5.13-11- Fix confined users - Allow xguest to read/write xguest_dbusd_t
* Mon Oct 27 2008 Dan Walsh 3.5.13-9- Allow openoffice execstack/execmem privs
* Fri Oct 24 2008 Dan Walsh 3.5.13-8- Allow mozilla to run with unconfined_execmem_t
* Thu Oct 23 2008 Dan Walsh 3.5.13-7- Dontaudit domains trying to write to .xsession-errors
* Thu Oct 23 2008 Dan Walsh 3.5.13-6- Allow nsplugin to look at autofs_t directory
* Wed Oct 22 2008 Dan Walsh 3.5.13-5- Allow kerneloops to create tmp files
* Wed Oct 22 2008 Dan Walsh 3.5.13-4- More alias for fastcgi
* Tue Oct 21 2008 Dan Walsh 3.5.13-3- Remove mod_fcgid-selinux package
* Mon Oct 20 2008 Dan Walsh 3.5.13-2- Fix dovecot access
* Fri Oct 17 2008 Dan Walsh 3.5.13-1- Policy cleanup
* Thu Oct 16 2008 Dan Walsh 3.5.12-3- Remove Multiple spec- Add include- Fix makefile to not call per_role_expansion
* Wed Oct 15 2008 Dan Walsh 3.5.12-2- Fix labeling of libGL
* Fri Oct 10 2008 Dan Walsh 3.5.12-1- Update to upstream
* Wed Oct 08 2008 Dan Walsh 3.5.11-1- Update to upstream policy
* Mon Oct 06 2008 Dan Walsh 3.5.10-3- Fixes for confined xwindows and xdm_t
* Fri Oct 03 2008 Dan Walsh 3.5.10-2- Allow confined users and xdm to exec wm- Allow nsplugin to talk to fifo files on nfs
* Fri Oct 03 2008 Dan Walsh 3.5.10-1- Allow NetworkManager to transition to avahi and iptables- Allow domains to search other domains keys, coverup kernel bug
* Wed Oct 01 2008 Dan Walsh 3.5.9-4- Fix labeling for oracle
* Wed Oct 01 2008 Dan Walsh 3.5.9-3- Allow nsplugin to comminicate with xdm_tmp_t sock_file
* Mon Sep 29 2008 Dan Walsh 3.5.9-2- Change all user tmpfs_t files to be labeled user_tmpfs_t- Allow radiusd to create sock_files
* Wed Sep 24 2008 Dan Walsh 3.5.9-1- Upgrade to upstream
* Tue Sep 23 2008 Dan Walsh 3.5.8-7- Allow confined users to login with dbus
* Mon Sep 22 2008 Dan Walsh 3.5.8-6- Fix transition to nsplugin
* Mon Sep 22 2008 Dan Walsh 3.5.8-5- Add file context for /dev/mspblk.
*
* Sun Sep 21 2008 Dan Walsh 3.5.8-4- Fix transition to nsplugin\'
* Thu Sep 18 2008 Dan Walsh 3.5.8-3- Fix labeling on new pm
*log- Allow ssh to bind to all nodes
* Thu Sep 11 2008 Dan Walsh 3.5.8-1- Merge upstream changes- Add Xavier Toth patches
* Wed Sep 10 2008 Dan Walsh 3.5.7-2- Add qemu_cache_t for /var/cache/libvirt
* Fri Sep 05 2008 Dan Walsh 3.5.7-1- Remove gamin policy
* Thu Sep 04 2008 Dan Walsh 3.5.6-2- Add tinyxs-max file system support
* Wed Sep 03 2008 Dan Walsh 3.5.6-1- Update to upstream- New handling of init scripts
* Fri Aug 29 2008 Dan Walsh 3.5.5-4- Allow pcsd to dbus- Add memcache policy
* Fri Aug 29 2008 Dan Walsh 3.5.5-3- Allow audit dispatcher to kill his children
* Tue Aug 26 2008 Dan Walsh 3.5.5-2- Update to upstream- Fix crontab use by unconfined user
* Tue Aug 12 2008 Dan Walsh 3.5.4-2- Allow ifconfig_t to read dhcpc_state_t
* Mon Aug 11 2008 Dan Walsh 3.5.4-1- Update to upstream
* Thu Aug 07 2008 Dan Walsh 3.5.3-1- Update to upstream
* Sat Aug 02 2008 Dan Walsh 3.5.2-2- Allow system-config-selinux to work with policykit
* Fri Jul 25 2008 Dan Walsh 3.5.1-5- Fix novel labeling
* Fri Jul 25 2008 Dan Walsh 3.5.1-4- Consolodate pyzor,spamassassin, razor into one security domain- Fix xdm requiring additional perms.
* Fri Jul 25 2008 Dan Walsh 3.5.1-3- Fixes for logrotate, alsa
* Thu Jul 24 2008 Dan Walsh 3.5.1-2- Eliminate vbetool duplicate entry
* Wed Jul 16 2008 Dan Walsh 3.5.1-1- Fix xguest -> xguest_mozilla_t -> xguest_openiffice_t- Change dhclient to be able to red networkmanager_var_run
* Tue Jul 15 2008 Dan Walsh 3.5.0-1- Update to latest refpolicy- Fix libsemanage initial install bug
* Wed Jul 09 2008 Dan Walsh 3.4.2-14- Add inotify support to nscd
* Tue Jul 08 2008 Dan Walsh 3.4.2-13- Allow unconfined_t to setfcap
* Mon Jul 07 2008 Dan Walsh 3.4.2-12- Allow amanda to read tape- Allow prewikka cgi to use syslog, allow audisp_t to signal cgi- Add support for netware file systems
* Thu Jul 03 2008 Dan Walsh 3.4.2-11- Allow ypbind apps to net_bind_service
* Wed Jul 02 2008 Dan Walsh 3.4.2-10- Allow all system domains and application domains to append to any log file
* Sun Jun 29 2008 Dan Walsh 3.4.2-9- Allow gdm to read rpm database- Allow nsplugin to read mplayer config files
* Thu Jun 26 2008 Dan Walsh 3.4.2-8- Allow vpnc to run ifconfig
* Tue Jun 24 2008 Dan Walsh 3.4.2-7- Allow confined users to use postgres- Allow system_mail_t to exec other mail clients- Label mogrel_rails as an apache server
* Mon Jun 23 2008 Dan Walsh 3.4.2-6- Apply unconfined_execmem_exec_t to haskell programs
* Sun Jun 22 2008 Dan Walsh 3.4.2-5- Fix prelude file context
* Fri Jun 13 2008 Dan Walsh 3.4.2-4- allow hplip to talk dbus- Fix context on ~/.local dir
* Thu Jun 12 2008 Dan Walsh 3.4.2-3- Prevent applications from reading x_device
* Thu Jun 12 2008 Dan Walsh 3.4.2-2- Add /var/lib/selinux context
* Wed Jun 11 2008 Dan Walsh 3.4.2-1- Update to upstream
* Wed Jun 04 2008 Dan Walsh 3.4.1-5- Add livecd policy
* Wed Jun 04 2008 Dan Walsh 3.4.1-3- Dontaudit search of admin_home for init_system_domain- Rewrite of xace interfaces- Lots of new fs_list_inotify- Allow livecd to transition to setfiles_mac
* Fri May 09 2008 Dan Walsh 3.4.1-2- Begin XAce integration
* Fri May 09 2008 Dan Walsh 3.4.1-1- Merge Upstream
* Wed May 07 2008 Dan Walsh 3.3.1-48- Allow amanada to create data files
* Wed May 07 2008 Dan Walsh 3.3.1-47- Fix initial install, semanage setup
* Tue May 06 2008 Dan Walsh 3.3.1-46- Allow system_r for httpd_unconfined_script_t
* Wed Apr 30 2008 Dan Walsh 3.3.1-45- Remove dmesg boolean- Allow user domains to read/write game data
* Mon Apr 28 2008 Dan Walsh 3.3.1-44- Change unconfined_t to transition to unconfined_mono_t when running mono- Change XXX_mono_t to transition to XXX_t when executing bin_t files, so gnome-do will work
* Mon Apr 28 2008 Dan Walsh 3.3.1-43- Remove old booleans from targeted-booleans.conf file
* Fri Apr 25 2008 Dan Walsh 3.3.1-42- Add boolean to mmap_zero- allow tor setgid- Allow gnomeclock to set clock
* Thu Apr 24 2008 Dan Walsh 3.3.1-41- Don\'t run crontab from unconfined_t
* Wed Apr 23 2008 Dan Walsh 3.3.1-39- Change etc files to config files to allow users to read them
* Fri Apr 18 2008 Dan Walsh 3.3.1-37- Lots of fixes for confined domains on NFS_t homedir
* Mon Apr 14 2008 Dan Walsh 3.3.1-36- dontaudit mrtg reading /proc- Allow iscsi to signal itself- Allow gnomeclock sys_ptrace
* Thu Apr 10 2008 Dan Walsh 3.3.1-33- Allow dhcpd to read kernel network state
* Thu Apr 10 2008 Dan Walsh 3.3.1-32- Label /var/run/gdm correctly- Fix unconfined_u user creation
* Tue Apr 08 2008 Dan Walsh 3.3.1-31- Allow transition from initrc_t to getty_t
* Tue Apr 08 2008 Dan Walsh 3.3.1-30- Allow passwd to communicate with user sockets to change gnome-keyring
* Sat Apr 05 2008 Dan Walsh 3.3.1-29- Fix initial install
* Fri Apr 04 2008 Dan Walsh 3.3.1-28- Allow radvd to use fifo_file- dontaudit setfiles reading links- allow semanage sys_resource- add allow_httpd_mod_auth_ntlm_winbind boolean- Allow privhome apps including dovecot read on nfs and cifs home dirs if the boolean is set
* Tue Apr 01 2008 Dan Walsh 3.3.1-27- Allow nsplugin to read /etc/mozpluggerrc, user_fonts- Allow syslog to manage innd logs.- Allow procmail to ioctl spamd_exec_t
* Sat Mar 29 2008 Dan Walsh 3.3.1-26- Allow initrc_t to dbus chat with consolekit.
* Thu Mar 27 2008 Dan Walsh 3.3.1-25- Additional access for nsplugin- Allow xdm setcap/getcap until pulseaudio is fixed
* Tue Mar 25 2008 Dan Walsh 3.3.1-24- Allow mount to mkdir on tmpfs- Allow ifconfig to search debugfs
* Fri Mar 21 2008 Dan Walsh 3.3.1-23- Fix file context for MATLAB- Fixes for xace
* Tue Mar 18 2008 Dan Walsh 3.3.1-22- Allow stunnel to transition to inetd children domains- Make unconfined_dbusd_t an unconfined domain
* Mon Mar 17 2008 Dan Walsh 3.3.1-21- Fixes for qemu/virtd
* Fri Mar 14 2008 Dan Walsh 3.3.1-20- Fix bug in mozilla policy to allow xguest transition- This will fix the libsemanage.dbase_llist_query: could not find record valuelibsemanage.dbase_llist_query: could not query record value (No such file ordirectory) bug in xguest
* Fri Mar 14 2008 Dan Walsh 3.3.1-19- Allow nsplugin to run acroread
* Thu Mar 13 2008 Dan Walsh 3.3.1-18- Add cups_pdf policy- Add openoffice policy to run in xguest
* Thu Mar 13 2008 Dan Walsh 3.3.1-17- prewika needs to contact mysql- Allow syslog to read system_map files
* Wed Mar 12 2008 Dan Walsh 3.3.1-16- Change init_t to an unconfined_domain
* Tue Mar 11 2008 Dan Walsh 3.3.1-15- Allow init to transition to initrc_t on shell exec.- Fix init to be able to sendto init_t.- Allow syslog to connect to mysql- Allow lvm to manage its own fifo_files- Allow bugzilla to use ldap- More mls fixes
* Tue Mar 11 2008 Bill Nottingham 3.3.1-14- fixes for init policy (#436988)- fix build
* Mon Mar 10 2008 Dan Walsh 3.3.1-13- Additional changes for MLS policy
* Thu Mar 06 2008 Dan Walsh 3.3.1-12- Fix initrc_context generation for MLS
* Mon Mar 03 2008 Dan Walsh 3.3.1-11- Fixes for libvirt
* Mon Mar 03 2008 Dan Walsh 3.3.1-10- Allow bitlebee to read locale_t
* Fri Feb 29 2008 Dan Walsh 3.3.1-9- More xselinux rules
* Thu Feb 28 2008 Dan Walsh 3.3.1-8- Change httpd_$1_script_r
*_t to httpd_$1_content_r
*_t
* Wed Feb 27 2008 Dan Walsh 3.3.1-6- Prepare policy for beta release- Change some of the system domains back to unconfined- Turn on some of the booleans
* Tue Feb 26 2008 Dan Walsh 3.3.1-5- Allow nsplugin_config execstack/execmem- Allow nsplugin_t to read alsa config- Change apache to use user content
* Tue Feb 26 2008 Dan Walsh 3.3.1-4- Add cyphesis policy
* Tue Feb 26 2008 Dan Walsh 3.3.1-2- Fix Makefile.devel to build mls modules- Fix qemu to be more specific on labeling
* Tue Feb 26 2008 Dan Walsh 3.3.1-1- Update to upstream fixes
* Fri Feb 22 2008 Dan Walsh 3.3.0-2- Allow staff to mounton user_home_t
* Fri Feb 22 2008 Dan Walsh 3.3.0-1- Add xace support
* Thu Feb 21 2008 Dan Walsh 3.2.9-2- Add fusectl file system
* Wed Feb 20 2008 Dan Walsh 3.2.9-1- Fixes from yum-cron- Update to latest upstream
* Tue Feb 19 2008 Dan Walsh 3.2.8-2- Fix userdom_list_user_files
* Fri Feb 15 2008 Dan Walsh 3.2.8-1- Merge with upstream
* Thu Feb 07 2008 Dan Walsh 3.2.7-6- Allow udev to send audit messages
* Thu Feb 07 2008 Dan Walsh 3.2.7-5- Add additional login users interfaces - userdom_admin_login_user_template(staff)
* Thu Feb 07 2008 Dan Walsh 3.2.7-3- More fixes for polkit
* Thu Feb 07 2008 Dan Walsh 3.2.7-2- Eliminate transition from unconfined_t to qemu by default- Fixes for gpg
* Tue Feb 05 2008 Dan Walsh 3.2.7-1- Update to upstream
* Tue Feb 05 2008 Dan Walsh 3.2.6-7- Fixes for staff_t
* Tue Feb 05 2008 Dan Walsh 3.2.6-6- Add policy for kerneloops- Add policy for gnomeclock
* Mon Feb 04 2008 Dan Walsh 3.2.6-5- Fixes for libvirt
* Sun Feb 03 2008 Dan Walsh 3.2.6-4- Fixes for nsplugin
* Sat Feb 02 2008 Dan Walsh 3.2.6-3- More fixes for qemu
* Sat Feb 02 2008 Dan Walsh 3.2.6-2- Additional ports for vnc and allow qemu and libvirt to search all directories
* Fri Feb 01 2008 Dan Walsh 3.2.6-1- Update to upstream- Add libvirt policy- add qemu policy
* Fri Feb 01 2008 Dan Walsh 3.2.5-25- Allow fail2ban to create a socket in /var/run
* Wed Jan 30 2008 Dan Walsh 3.2.5-24- Allow allow_httpd_mod_auth_pam to work
* Wed Jan 30 2008 Dan Walsh 3.2.5-22- Add audisp policy and prelude
* Mon Jan 28 2008 Dan Walsh 3.2.5-21- Allow all user roles to executae samba net command
* Fri Jan 25 2008 Dan Walsh 3.2.5-20- Allow usertypes to read/write noxattr file systems
* Thu Jan 24 2008 Dan Walsh 3.2.5-19- Fix nsplugin to allow flashplugin to work in enforcing mode
* Wed Jan 23 2008 Dan Walsh 3.2.5-18- Allow pam_selinux_permit to kill all processes
* Mon Jan 21 2008 Dan Walsh 3.2.5-17- Allow ptrace or user processes by users of same type- Add boolean for transition to nsplugin
* Mon Jan 21 2008 Dan Walsh 3.2.5-16- Allow nsplugin sys_nice, getsched, setsched
* Mon Jan 21 2008 Dan Walsh 3.2.5-15- Allow login programs to talk dbus to oddjob
* Thu Jan 17 2008 Dan Walsh 3.2.5-14- Add procmail_log support- Lots of fixes for munin
* Tue Jan 15 2008 Dan Walsh 3.2.5-13- Allow setroubleshoot to read policy config and send audit messages
* Mon Jan 14 2008 Dan Walsh 3.2.5-12- Allow users to execute all files in homedir, if boolean set- Allow mount to read samba config
* Sun Jan 13 2008 Dan Walsh 3.2.5-11- Fixes for xguest to run java plugin
* Mon Jan 07 2008 Dan Walsh 3.2.5-10- dontaudit pam_t and dbusd writing to user_home_t
* Mon Jan 07 2008 Dan Walsh 3.2.5-9- Update gpg to allow reading of inotify
* Wed Jan 02 2008 Dan Walsh 3.2.5-8- Change user and staff roles to work correctly with varied perms
* Mon Dec 31 2007 Dan Walsh 3.2.5-7- Fix munin log,- Eliminate duplicate mozilla file context- fix wpa_supplicant spec
* Mon Dec 24 2007 Dan Walsh 3.2.5-6- Fix role transition from unconfined_r to system_r when running rpm- Allow unconfined_domains to communicate with user dbus instances
* Sat Dec 22 2007 Dan Walsh 3.2.5-5- Fixes for xguest
* Thu Dec 20 2007 Dan Walsh 3.2.5-4- Let all uncofined domains communicate with dbus unconfined
* Thu Dec 20 2007 Dan Walsh 3.2.5-3- Run rpm in system_r
* Wed Dec 19 2007 Dan Walsh 3.2.5-2- Zero out customizable types
* Wed Dec 19 2007 Dan Walsh 3.2.5-1- Fix definiton of admin_home_t
* Wed Dec 19 2007 Dan Walsh 3.2.4-5- Fix munin file context
* Tue Dec 18 2007 Dan Walsh 3.2.4-4- Allow cron to run unconfined apps
* Mon Dec 17 2007 Dan Walsh 3.2.4-3- Modify default login to unconfined_u
* Thu Dec 13 2007 Dan Walsh 3.2.4-1- Dontaudit dbus user client search of /root
* Wed Dec 12 2007 Dan Walsh 3.2.4-1- Update to upstream
* Tue Dec 11 2007 Dan Walsh 3.2.3-2- Fixes for polkit- Allow xserver to ptrace
* Tue Dec 11 2007 Dan Walsh 3.2.3-1- Add polkit policy- Symplify userdom context, remove automatic per_role changes
* Tue Dec 04 2007 Dan Walsh 3.2.2-1- Update to upstream- Allow httpd_sys_script_t to search users homedirs
* Mon Dec 03 2007 Dan Walsh 3.2.1-3- Allow rpm_script to transition to unconfined_execmem_t
* Fri Nov 30 2007 Dan Walsh 3.2.1-1- Remove user based home directory separation
* Wed Nov 28 2007 Dan Walsh 3.1.2-2- Remove user specific crond_t
* Mon Nov 19 2007 Dan Walsh 3.1.2-1- Merge with upstream- Allow xsever to read hwdata_t- Allow login programs to setkeycreate
* Sat Nov 10 2007 Dan Walsh 3.1.1-1- Update to upstream
* Mon Oct 22 2007 Dan Walsh 3.1.0-1- Update to upstream
* Mon Oct 22 2007 Dan Walsh 3.0.8-30- Allow XServer to read /proc/self/cmdline- Fix unconfined cron jobs- Allow fetchmail to transition to procmail- Fixes for hald_mac- Allow system_mail to transition to exim- Allow tftpd to upload files- Allow xdm to manage unconfined_tmp- Allow udef to read alsa config- Fix xguest to be able to connect to sound port
* Fri Oct 19 2007 Dan Walsh 3.0.8-28- Fixes for hald_mac - Treat unconfined_home_dir_t as a home dir- dontaudit rhgb writes to fonts and root
* Fri Oct 19 2007 Dan Walsh 3.0.8-27- Fix dnsmasq- Allow rshd full login privs
* Thu Oct 18 2007 Dan Walsh 3.0.8-26- Allow rshd to connect to ports > 1023
* Thu Oct 18 2007 Dan Walsh 3.0.8-25- Fix vpn to bind to port 4500- Allow ssh to create shm- Add Kismet policy
* Tue Oct 16 2007 Dan Walsh 3.0.8-24- Allow rpm to chat with networkmanager
* Mon Oct 15 2007 Dan Walsh 3.0.8-23- Fixes for ipsec and exim mail- Change default to unconfined user
* Fri Oct 12 2007 Dan Walsh 3.0.8-22- Pass the UNK_PERMS param to makefile- Fix gdm location
* Wed Oct 10 2007 Dan Walsh 3.0.8-21- Make alsa work
* Tue Oct 09 2007 Dan Walsh 3.0.8-20- Fixes for consolekit and startx sessions
* Mon Oct 08 2007 Dan Walsh 3.0.8-19- Dontaudit consoletype talking to unconfined_t
* Thu Oct 04 2007 Dan Walsh 3.0.8-18- Remove homedir_template
* Tue Oct 02 2007 Dan Walsh 3.0.8-17- Check asound.state
* Mon Oct 01 2007 Dan Walsh 3.0.8-16- Fix exim policy
* Thu Sep 27 2007 Dan Walsh 3.0.8-15- Allow tmpreadper to read man_t- Allow racoon to bind to all nodes- Fixes for finger print reader
* Tue Sep 25 2007 Dan Walsh 3.0.8-14- Allow xdm to talk to input device (fingerprint reader)- Allow octave to run as java
* Tue Sep 25 2007 Dan Walsh 3.0.8-13- Allow login programs to set ioctl on /proc
* Mon Sep 24 2007 Dan Walsh 3.0.8-12- Allow nsswitch apps to read samba_var_t
* Mon Sep 24 2007 Dan Walsh 3.0.8-11- Fix maxima
* Mon Sep 24 2007 Dan Walsh 3.0.8-10- Eliminate rpm_t:fifo_file avcs- Fix dbus path for helper app
* Sat Sep 22 2007 Dan Walsh 3.0.8-9- Fix service start stop terminal avc\'s
* Fri Sep 21 2007 Dan Walsh 3.0.8-8- Allow also to search var_lib- New context for dbus launcher
* Fri Sep 21 2007 Dan Walsh 3.0.8-7- Allow cupsd_config_t to read/write usb_device_t- Support for finger print reader,- Many fixes for clvmd- dbus starting networkmanager
* Thu Sep 20 2007 Dan Walsh 3.0.8-5- Fix java and mono to run in xguest account
* Wed Sep 19 2007 Dan Walsh 3.0.8-4- Fix to add xguest account when inititial install- Allow mono, java, wine to run in userdomains
* Wed Sep 19 2007 Dan Walsh 3.0.8-3- Allow xserver to search devpts_t- Dontaudit ldconfig output to homedir
* Tue Sep 18 2007 Dan Walsh 3.0.8-2- Remove hplip_etc_t change back to etc_t.
* Mon Sep 17 2007 Dan Walsh 3.0.8-1- Allow cron to search nfs and samba homedirs
* Tue Sep 11 2007 Dan Walsh 3.0.7-10- Allow NetworkManager to dbus chat with yum-updated
* Tue Sep 11 2007 Dan Walsh 3.0.7-9- Allow xfs to bind to port 7100
* Mon Sep 10 2007 Dan Walsh 3.0.7-8- Allow newalias/sendmail dac_override- Allow bind to bind to all udp ports
* Fri Sep 07 2007 Dan Walsh 3.0.7-7- Turn off direct transition
* Fri Sep 07 2007 Dan Walsh 3.0.7-6- Allow wine to run in system role
* Thu Sep 06 2007 Dan Walsh 3.0.7-5- Fix java labeling
* Thu Sep 06 2007 Dan Walsh 3.0.7-4- Define user_home_type as home_type
* Tue Aug 28 2007 Dan Walsh 3.0.7-3- Allow sendmail to create etc_aliases_t
* Tue Aug 28 2007 Dan Walsh 3.0.7-2- Allow login programs to read symlinks on homedirs
* Mon Aug 27 2007 Dan Walsh 3.0.7-1- Update an readd modules
* Fri Aug 24 2007 Dan Walsh 3.0.6-3- Cleanup spec file
* Fri Aug 24 2007 Dan Walsh 3.0.6-2- Allow xserver to be started by unconfined process and talk to tty
* Wed Aug 22 2007 Dan Walsh 3.0.6-1- Upgrade to upstream to grab postgressql changes
* Tue Aug 21 2007 Dan Walsh 3.0.5-11- Add setransd for mls policy
* Mon Aug 20 2007 Dan Walsh 3.0.5-10- Add ldconfig_cache_t
* Sat Aug 18 2007 Dan Walsh 3.0.5-9- Allow sshd to write to proc_t for afs login
* Sat Aug 18 2007 Dan Walsh 3.0.5-8- Allow xserver access to urand
* Tue Aug 14 2007 Dan Walsh 3.0.5-7- allow dovecot to search mountpoints
* Sat Aug 11 2007 Dan Walsh 3.0.5-6- Fix Makefile for building policy modules
* Fri Aug 10 2007 Dan Walsh 3.0.5-5- Fix dhcpc startup of service
* Fri Aug 10 2007 Dan Walsh 3.0.5-4- Fix dbus chat to not happen for xguest and guest users
* Mon Aug 06 2007 Dan Walsh 3.0.5-3- Fix nagios cgi- allow squid to communicate with winbind
* Mon Aug 06 2007 Dan Walsh 3.0.5-2- Fixes for ldconfig
* Thu Aug 02 2007 Dan Walsh 3.0.5-1- Update from upstream
* Wed Aug 01 2007 Dan Walsh 3.0.4-6- Add nasd support
* Wed Aug 01 2007 Dan Walsh 3.0.4-5- Fix new usb devices and dmfm
* Mon Jul 30 2007 Dan Walsh 3.0.4-4- Eliminate mount_ntfs_t policy, merge into mount_t
* Mon Jul 30 2007 Dan Walsh 3.0.4-3- Allow xserver to write to ramfs mounted by rhgb
* Tue Jul 24 2007 Dan Walsh 3.0.4-2- Add context for dbus machine id
* Tue Jul 24 2007 Dan Walsh 3.0.4-1- Update with latest changes from upstream
* Tue Jul 24 2007 Dan Walsh 3.0.3-6- Fix prelink to handle execmod
* Mon Jul 23 2007 Dan Walsh 3.0.3-5- Add ntpd_key_t to handle secret data
* Fri Jul 20 2007 Dan Walsh 3.0.3-4- Add anon_inodefs- Allow unpriv user exec pam_exec_t- Fix trigger
* Fri Jul 20 2007 Dan Walsh 3.0.3-3- Allow cups to use generic usb- fix inetd to be able to run random apps (git)
* Thu Jul 19 2007 Dan Walsh 3.0.3-2- Add proper contexts for rsyslogd
* Thu Jul 19 2007 Dan Walsh 3.0.3-1- Fixes for xguest policy
* Tue Jul 17 2007 Dan Walsh 3.0.2-9- Allow execution of gconf
* Sat Jul 14 2007 Dan Walsh 3.0.2-8- Fix moilscanner update problem
* Thu Jul 12 2007 Dan Walsh 3.0.2-7- Begin adding policy to separate setsebool from semanage- Fix xserver.if definition to not break sepolgen.if
* Wed Jul 11 2007 Dan Walsh 3.0.2-5- Add new devices
* Tue Jul 10 2007 Dan Walsh 3.0.2-4- Add brctl policy
* Fri Jul 06 2007 Dan Walsh 3.0.2-3- Fix root login to include system_r
* Fri Jul 06 2007 Dan Walsh 3.0.2-2- Allow prelink to read kernel sysctls
* Mon Jul 02 2007 Dan Walsh 3.0.1-5- Default to user_u:system_r:unconfined_t
* Sun Jul 01 2007 Dan Walsh 3.0.1-4- fix squid- Fix rpm running as uid
* Tue Jun 26 2007 Dan Walsh 3.0.1-3- Fix syslog declaration
* Tue Jun 26 2007 Dan Walsh 3.0.1-2- Allow avahi to access inotify- Remove a lot of bogus security_t:filesystem avcs
* Fri May 25 2007 Dan Walsh 3.0.1-1- Remove ifdef strict policy from upstream
* Fri May 18 2007 Dan Walsh 2.6.5-3- Remove ifdef strict to allow user_u to login
* Fri May 18 2007 Dan Walsh 2.6.5-2- Fix for amands- Allow semanage to read pp files- Allow rhgb to read xdm_xserver_tmp
* Fri May 18 2007 Dan Walsh 2.6.4-7- Allow kerberos servers to use ldap for backing store
* Thu May 17 2007 Dan Walsh 2.6.4-6- allow alsactl to read kernel state
* Wed May 16 2007 Dan Walsh 2.6.4-5- More fixes for alsactl- Transition from hal and modutils- Fixes for suspend resume. - insmod domtrans to alsactl - insmod writes to hal log
* Wed May 16 2007 Dan Walsh 2.6.4-2- Allow unconfined_t to transition to NetworkManager_t- Fix netlabel policy
* Mon May 14 2007 Dan Walsh 2.6.4-1- Update to latest from upstream
* Fri May 04 2007 Dan Walsh 2.6.3-1- Update to latest from upstream
* Mon Apr 30 2007 Dan Walsh 2.6.2-1- Update to latest from upstream
* Fri Apr 27 2007 Dan Walsh 2.6.1-4- Allow pcscd_t to send itself signals
* Wed Apr 25 2007 Dan Walsh 2.6.1-2- Fixes for unix_update- Fix logwatch to be able to search all dirs
* Mon Apr 23 2007 Dan Walsh 2.6.1-1- Upstream bumped the version
* Thu Apr 19 2007 Dan Walsh 2.5.12-12- Allow consolekit to syslog- Allow ntfs to work with hal
* Thu Apr 19 2007 Dan Walsh 2.5.12-11- Allow iptables to read etc_runtime_t
* Thu Apr 19 2007 Dan Walsh 2.5.12-10- MLS Fixes
* Wed Apr 18 2007 Dan Walsh 2.5.12-8- Fix path of /etc/lvm/cache directory- Fixes for alsactl and pppd_t- Fixes for consolekit
* Tue Apr 17 2007 Dan Walsh 2.5.12-5- Allow insmod_t to mount kvmfs_t filesystems
* Tue Apr 17 2007 Dan Walsh 2.5.12-4- Rwho policy- Fixes for consolekit
* Fri Apr 13 2007 Dan Walsh 2.5.12-3- fixes for fusefs
* Thu Apr 12 2007 Dan Walsh 2.5.12-2- Fix samba_net to allow it to view samba_var_t
* Tue Apr 10 2007 Dan Walsh 2.5.12-1- Update to upstream
* Tue Apr 10 2007 Dan Walsh 2.5.11-8- Fix Sonypic backlight- Allow snmp to look at squid_conf_t
* Mon Apr 09 2007 Dan Walsh 2.5.11-7- Fixes for pyzor, cyrus, consoletype on everything installs
* Mon Apr 09 2007 Dan Walsh 2.5.11-6- Fix hald_acl_t to be able to getattr/setattr on usb devices- Dontaudit write to unconfined_pipes for load_policy
* Thu Apr 05 2007 Dan Walsh 2.5.11-5- Allow bluetooth to read inotifyfs
* Wed Apr 04 2007 Dan Walsh 2.5.11-4- Fixes for samba domain controller.- Allow ConsoleKit to look at ttys
* Tue Apr 03 2007 Dan Walsh 2.5.11-3- Fix interface call
* Tue Apr 03 2007 Dan Walsh 2.5.11-2- Allow syslog-ng to read /var- Allow locate to getattr on all filesystems- nscd needs setcap
* Mon Mar 26 2007 Dan Walsh 2.5.11-1- Update to upstream
* Fri Mar 23 2007 Dan Walsh 2.5.10-2- Allow samba to run groupadd
* Thu Mar 22 2007 Dan Walsh 2.5.10-1- Update to upstream
* Thu Mar 22 2007 Dan Walsh 2.5.9-6- Allow mdadm to access generic scsi devices
* Wed Mar 21 2007 Dan Walsh 2.5.9-5- Fix labeling on udev.tbl dirs
* Tue Mar 20 2007 Dan Walsh 2.5.9-4- Fixes for logwatch
* Tue Mar 20 2007 Dan Walsh 2.5.9-3- Add fusermount and mount_ntfs policy
* Tue Mar 20 2007 Dan Walsh 2.5.9-2- Update to upstream- Allow saslauthd to use kerberos keytabs
* Mon Mar 19 2007 Dan Walsh 2.5.8-8- Fixes for samba_var_t
* Mon Mar 19 2007 Dan Walsh 2.5.8-7- Allow networkmanager to setpgid- Fixes for hal_acl_t
* Mon Mar 19 2007 Dan Walsh 2.5.8-6- Remove disable_trans booleans- hald_acl_t needs to talk to nscd
* Thu Mar 15 2007 Dan Walsh 2.5.8-5- Fix prelink to be able to manage usr dirs.
* Tue Mar 13 2007 Dan Walsh 2.5.8-4- Allow insmod to launch init scripts
* Tue Mar 13 2007 Dan Walsh 2.5.8-3- Remove setsebool policy
* Mon Mar 12 2007 Dan Walsh 2.5.8-2- Fix handling of unlabled_t packets
* Thu Mar 08 2007 Dan Walsh 2.5.8-1- More of my patches from upstream
* Thu Mar 01 2007 Dan Walsh 2.5.7-1- Update to latest from upstream- Add fail2ban policy
* Wed Feb 28 2007 Dan Walsh 2.5.6-1- Update to remove security_t:filesystem getattr problems
* Fri Feb 23 2007 Dan Walsh 2.5.5-2- Policy for consolekit
* Fri Feb 23 2007 Dan Walsh 2.5.5-1- Update to latest from upstream
* Wed Feb 21 2007 Dan Walsh 2.5.4-2- Revert Nemiver change- Set sudo as a corecmd so prelink will work, remove sudoedit mapping, since this will not work, it does not transition.- Allow samba to execute useradd
* Tue Feb 20 2007 Dan Walsh 2.5.4-1- Upgrade to the latest from upstream
* Thu Feb 15 2007 Dan Walsh 2.5.3-3- Add sepolgen support- Add bugzilla policy
* Wed Feb 14 2007 Dan Walsh 2.5.3-2- Fix file context for nemiver
* Sun Feb 11 2007 Dan Walsh 2.5.3-1- Remove include sym link
* Mon Feb 05 2007 Dan Walsh 2.5.2-6- Allow mozilla, evolution and thunderbird to read dev_random.Resolves: #227002- Allow spamd to connect to smtp portResolves: #227184- Fixes to make ypxfr workResolves: #227237
* Sun Feb 04 2007 Dan Walsh 2.5.2-5- Fix ssh_agent to be marked as an executable- Allow Hal to rw sound device
* Thu Feb 01 2007 Dan Walsh 2.5.2-4- Fix spamassisin so crond can update spam files- Fixes to allow kpasswd to work- Fixes for bluetooth
* Fri Jan 26 2007 Dan Walsh 2.5.2-3- Remove some targeted diffs in file context file
* Thu Jan 25 2007 Dan Walsh 2.5.2-2- Fix squid cachemgr labeling
* Thu Jan 25 2007 Dan Walsh 2.5.2-1- Add ability to generate webadm_t policy- Lots of new interfaces for httpd- Allow sshd to login as unconfined_t
* Mon Jan 22 2007 Dan Walsh 2.5.1-5- Continue fixing, additional user domains
* Wed Jan 10 2007 Dan Walsh 2.5.1-4- Begin adding user confinement to targeted policy
* Wed Jan 10 2007 Dan Walsh 2.5.1-2- Fixes for prelink, ktalkd, netlabel
* Mon Jan 08 2007 Dan Walsh 2.5.1-1- Allow prelink when run from rpm to create tmp filesResolves: #221865- Remove file_context for exportfsResolves: #221181- Allow spamassassin to create ~/.spamassissinResolves: #203290- Allow ssh access to the krb tickets- Allow sshd to change passwd- Stop newrole -l from working on non securettyResolves: #200110- Fixes to run prelink in MLS machineResolves: #221233- Allow spamassassin to read var_lib_t dirResolves: #219234
* Fri Dec 29 2006 Dan Walsh 2.4.6-20- fix mplayer to work under strict policy- Allow iptables to use nscdResolves: #220794
* Thu Dec 28 2006 Dan Walsh 2.4.6-19- Add gconf policy and make it work with strict
* Sat Dec 23 2006 Dan Walsh 2.4.6-18- Many fixes for strict policy and by extension mls.
* Fri Dec 22 2006 Dan Walsh 2.4.6-17- Fix to allow ftp to bind to ports > 1024Resolves: #219349
* Tue Dec 19 2006 Dan Walsh 2.4.6-16- Allow semanage to exec it self. Label genhomedircon as semanage_exec_tResolves: #219421- Allow sysadm_lpr_t to manage other print spool jobsResolves: #220080
* Mon Dec 18 2006 Dan Walsh 2.4.6-15- allow automount to setgidResolves: #219999
* Thu Dec 14 2006 Dan Walsh 2.4.6-14- Allow cron to polyinstatiate - Fix creation of boot flagsResolves: #207433
* Thu Dec 14 2006 Dan Walsh 2.4.6-13- Fixes for irqbalanceResolves: #219606
* Thu Dec 14 2006 Dan Walsh 2.4.6-12- Fix vixie-cron to work on mlsResolves: #207433
* Wed Dec 13 2006 Dan Walsh 2.4.6-11Resolves: #218978
* Tue Dec 12 2006 Dan Walsh 2.4.6-10- Allow initrc to create files in /var directoriesResolves: #219227
* Fri Dec 08 2006 Dan Walsh 2.4.6-9- More fixes for MLSResolves: #181566
* Wed Dec 06 2006 Dan Walsh 2.4.6-8- More Fixes polyinstatiationResolves: #216184
* Wed Dec 06 2006 Dan Walsh 2.4.6-7- More Fixes polyinstatiation- Fix handling of keyringsResolves: #216184
* Mon Dec 04 2006 Dan Walsh 2.4.6-6- Fix polyinstatiation- Fix pcscd handling of terminalResolves: #218149Resolves: #218350
* Fri Dec 01 2006 Dan Walsh 2.4.6-5- More fixes for quotaResolves: #212957
* Fri Dec 01 2006 Dan Walsh 2.4.6-4- ncsd needs to use avahi socketsResolves: #217640Resolves: #218014
* Thu Nov 30 2006 Dan Walsh 2.4.6-3- Allow login programs to polyinstatiate homedirsResolves: #216184- Allow quotacheck to create database filesResolves: #212957
* Tue Nov 28 2006 Dan Walsh 2.4.6-1- Dontaudit appending hal_var_lib files Resolves: #217452Resolves: #217571Resolves: #217611Resolves: #217640Resolves: #217725
* Tue Nov 21 2006 Dan Walsh 2.4.5-4- Fix context for helix players file_context #216942
* Mon Nov 20 2006 Dan Walsh 2.4.5-3- Fix load_policy to be able to mls_write_down so it can talk to the terminal
* Mon Nov 20 2006 Dan Walsh 2.4.5-2- Fixes for hwclock, clamav, ftp
* Wed Nov 15 2006 Dan Walsh 2.4.5-1- Move to upstream version which accepted my patches
* Wed Nov 15 2006 Dan Walsh 2.4.4-2- Fixes for nvidia driver
* Tue Nov 14 2006 Dan Walsh 2.4.4-2- Allow semanage to signal mcstrans
* Tue Nov 14 2006 Dan Walsh 2.4.4-1- Update to upstream
* Mon Nov 13 2006 Dan Walsh 2.4.3-13- Allow modstorage to edit /etc/fstab file
* Mon Nov 13 2006 Dan Walsh 2.4.3-12- Fix for qemu, /dev/
* Mon Nov 13 2006 Dan Walsh 2.4.3-11- Fix path to realplayer.bin
* Fri Nov 10 2006 Dan Walsh 2.4.3-10- Allow xen to connect to xen port
* Fri Nov 10 2006 Dan Walsh 2.4.3-9- Allow cups to search samba_etc_t directory- Allow xend_t to list auto_mountpoints
* Thu Nov 09 2006 Dan Walsh 2.4.3-8- Allow xen to search automount
* Thu Nov 09 2006 Dan Walsh 2.4.3-7- Fix spec of jre files
* Wed Nov 08 2006 Dan Walsh 2.4.3-6- Fix unconfined access to shadow file
* Wed Nov 08 2006 Dan Walsh 2.4.3-5- Allow xend to create files in xen_image_t directories
* Wed Nov 08 2006 Dan Walsh 2.4.3-4- Fixes for /var/lib/hal
* Tue Nov 07 2006 Dan Walsh 2.4.3-3- Remove ability for sysadm_t to look at audit.log
* Tue Nov 07 2006 Dan Walsh 2.4.3-2- Fix rpc_port_types- Add aide policy for mls
* Mon Nov 06 2006 Dan Walsh 2.4.3-1- Merge with upstream
* Fri Nov 03 2006 Dan Walsh 2.4.2-8- Lots of fixes for ricci
* Fri Nov 03 2006 Dan Walsh 2.4.2-7- Allow xen to read/write fixed devices with a boolean- Allow apache to search /var/log
* Thu Nov 02 2006 James Antill 2.4.2-6- Fix policygentool specfile problem.- Allow apache to send signals to it\'s logging helpers.- Resolves: rhbz#212731
* Wed Nov 01 2006 Dan Walsh 2.4.2-5- Add perms for swat
* Tue Oct 31 2006 Dan Walsh 2.4.2-4- Add perms for swat
* Mon Oct 30 2006 Dan Walsh 2.4.2-3- Allow daemons to dump core files to /
* Fri Oct 27 2006 Dan Walsh 2.4.2-2- Fixes for ricci
* Fri Oct 27 2006 Dan Walsh 2.4.2-1- Allow mount.nfs to work
* Fri Oct 27 2006 Dan Walsh 2.4.1-5- Allow ricci-modstorage to look at lvm_etc_t
* Mon Oct 23 2006 Dan Walsh 2.4.1-4- Fixes for ricci using saslauthd
* Mon Oct 23 2006 Dan Walsh 2.4.1-3- Allow mountpoint on home_dir_t and home_t
* Mon Oct 23 2006 Dan Walsh 2.4.1-2- Update xen to read nfs files
* Mon Oct 23 2006 Dan Walsh 2.4-4- Allow noxattrfs to associate with other noxattrfs
* Mon Oct 23 2006 Dan Walsh 2.4-3- Allow hal to use power_device_t
* Fri Oct 20 2006 Dan Walsh 2.4-2- Allow procemail to look at autofs_t- Allow xen_image_t to work as a fixed device
* Thu Oct 19 2006 Dan Walsh 2.4-1- Refupdate from upstream
* Thu Oct 19 2006 Dan Walsh 2.3.19-4- Add lots of fixes for mls cups
* Wed Oct 18 2006 Dan Walsh 2.3.19-3- Lots of fixes for ricci
* Mon Oct 16 2006 Dan Walsh 2.3.19-2- Fix number of cats
* Mon Oct 16 2006 Dan Walsh 2.3.19-1- Update to upstream
* Thu Oct 12 2006 James Antill 2.3.18-10- More iSCSI changes for #209854
* Tue Oct 10 2006 James Antill 2.3.18-9- Test ISCSI fixes for #209854
* Sun Oct 08 2006 Dan Walsh 2.3.18-8- allow semodule to rmdir selinux_config_t dir
* Fri Oct 06 2006 Dan Walsh 2.3.18-7- Fix boot_runtime_t problem on ppc. Should not be creating these files.
* Thu Oct 05 2006 Dan Walsh 2.3.18-6- Fix context mounts on reboot- Fix ccs creation of directory in /var/log
* Thu Oct 05 2006 Dan Walsh 2.3.18-5- Update for tallylog
* Thu Oct 05 2006 Dan Walsh 2.3.18-4- Allow xend to rewrite dhcp conf files- Allow mgetty sys_admin capability
* Wed Oct 04 2006 Dan Walsh 2.3.18-3- Make xentapctrl work
* Tue Oct 03 2006 Dan Walsh 2.3.18-2- Don\'t transition unconfined_t to bootloader_t- Fix label in /dev/xen/blktap
* Tue Oct 03 2006 Dan Walsh 2.3.18-1- Patch for labeled networking
* Mon Oct 02 2006 Dan Walsh 2.3.17-2- Fix crond handling for mls
* Fri Sep 29 2006 Dan Walsh 2.3.17-1- Update to upstream
* Fri Sep 29 2006 Dan Walsh 2.3.16-9- Remove bluetooth-helper transition- Add selinux_validate for semanage- Require new version of libsemanage
* Fri Sep 29 2006 Dan Walsh 2.3.16-8- Fix prelink
* Fri Sep 29 2006 Dan Walsh 2.3.16-7- Fix rhgb
* Thu Sep 28 2006 Dan Walsh 2.3.16-6- Fix setrans handling on MLS and useradd
* Wed Sep 27 2006 Dan Walsh 2.3.16-5- Support for fuse- fix vigr
* Wed Sep 27 2006 Dan Walsh 2.3.16-4- Fix dovecot, amanda- Fix mls
* Mon Sep 25 2006 Dan Walsh 2.3.16-2- Allow java execheap for itanium
* Mon Sep 25 2006 Dan Walsh 2.3.16-1- Update with upstream
* Mon Sep 25 2006 Dan Walsh 2.3.15-2- mls fixes
* Fri Sep 22 2006 Dan Walsh 2.3.15-1- Update from upstream
* Fri Sep 22 2006 Dan Walsh 2.3.14-8- More fixes for mls- Revert change on automount transition to mount
* Wed Sep 20 2006 Dan Walsh 2.3.14-7- Fix cron jobs to run under the correct context
* Tue Sep 19 2006 Dan Walsh 2.3.14-6- Fixes to make pppd work
* Mon Sep 18 2006 Dan Walsh 2.3.14-4- Multiple policy fixes- Change max categories to 1023
* Sat Sep 16 2006 Dan Walsh 2.3.14-3- Fix transition on mcstransd
* Fri Sep 15 2006 Dan Walsh 2.3.14-2- Add /dev/em8300 defs
* Fri Sep 15 2006 Dan Walsh 2.3.14-1- Upgrade to upstream
* Thu Sep 14 2006 Dan Walsh 2.3.13-6- Fix ppp connections from network manager
* Wed Sep 13 2006 Dan Walsh 2.3.13-5- Add tty access to all domains boolean- Fix gnome-pty-helper context for ia64
* Mon Sep 11 2006 Dan Walsh 2.3.13-4- Fixed typealias of firstboot_rw_t
* Thu Sep 07 2006 Dan Walsh 2.3.13-3- Fix location of xel log files- Fix handling of sysadm_r -> rpm_exec_t
* Thu Sep 07 2006 Dan Walsh 2.3.13-2- Fixes for autofs, lp
* Wed Sep 06 2006 Dan Walsh 2.3.13-1- Update from upstream
* Tue Sep 05 2006 Dan Walsh 2.3.12-2- Fixup for test6
* Tue Sep 05 2006 Dan Walsh 2.3.12-1- Update to upstream
* Fri Sep 01 2006 Dan Walsh 2.3.11-1- Update to upstream
* Fri Sep 01 2006 Dan Walsh 2.3.10-7- Fix suspend to disk problems
* Thu Aug 31 2006 Dan Walsh 2.3.10-6- Lots of fixes for restarting daemons at the console.
* Wed Aug 30 2006 Dan Walsh 2.3.10-3- Fix audit line- Fix requires line
* Tue Aug 29 2006 Dan Walsh 2.3.10-1- Upgrade to upstream
* Mon Aug 28 2006 Dan Walsh 2.3.9-6- Fix install problems
* Fri Aug 25 2006 Dan Walsh 2.3.9-5- Allow setroubleshoot to getattr on all dirs to gather RPM data
* Thu Aug 24 2006 Dan Walsh 2.3.9-4- Set /usr/lib/ia32el/ia32x_loader to unconfined_execmem_exec_t for ia32 platform- Fix spec for /dev/adsp
* Thu Aug 24 2006 Dan Walsh 2.3.9-3- Fix xen tty devices
* Thu Aug 24 2006 Dan Walsh 2.3.9-2- Fixes for setroubleshoot
* Wed Aug 23 2006 Dan Walsh 2.3.9-1- Update to upstream
* Tue Aug 22 2006 Dan Walsh 2.3.8-2- Fixes for stunnel and postgresql- Update from upstream
* Sat Aug 12 2006 Dan Walsh 2.3.7-1- Update from upstream- More java fixes
* Fri Aug 11 2006 Dan Walsh 2.3.6-4- Change allow_execstack to default to on, for RHEL5 Beta. This is required because of a Java compiler problem. Hope to turn off for next beta
* Thu Aug 10 2006 Dan Walsh 2.3.6-3- Misc fixes
* Wed Aug 09 2006 Dan Walsh 2.3.6-2- More fixes for strict policy
* Tue Aug 08 2006 Dan Walsh 2.3.6-1- Quiet down anaconda audit messages
* Mon Aug 07 2006 Dan Walsh 2.3.5-1- Fix setroubleshootd
* Thu Aug 03 2006 Dan Walsh 2.3.4-1- Update to the latest from upstream
* Thu Aug 03 2006 Dan Walsh 2.3.3-20- More fixes for xen
* Thu Aug 03 2006 Dan Walsh 2.3.3-19- Fix anaconda transitions
* Wed Aug 02 2006 Dan Walsh 2.3.3-18- yet more xen rules
* Tue Aug 01 2006 Dan Walsh 2.3.3-17- more xen rules
* Mon Jul 31 2006 Dan Walsh 2.3.3-16- Fixes for Samba
* Sat Jul 29 2006 Dan Walsh 2.3.3-15- Fixes for xen
* Fri Jul 28 2006 Dan Walsh 2.3.3-14- Allow setroubleshootd to send mail
* Wed Jul 26 2006 Dan Walsh 2.3.3-13- Add nagios policy
* Wed Jul 26 2006 Dan Walsh 2.3.3-12- fixes for setroubleshoot
* Wed Jul 26 2006 Dan Walsh 2.3.3-11- Added Paul Howarth patch to only load policy packages shipped with this package- Allow pidof from initrc to ptrace higher level domains- Allow firstboot to communicate with hal via dbus
* Mon Jul 24 2006 Dan Walsh 2.3.3-10- Add policy for /var/run/ldapi
* Sat Jul 22 2006 Dan Walsh 2.3.3-9- Fix setroubleshoot policy
* Fri Jul 21 2006 Dan Walsh 2.3.3-8- Fixes for mls use of ssh- named has a new conf file
* Fri Jul 21 2006 Dan Walsh 2.3.3-7- Fixes to make setroubleshoot work
* Wed Jul 19 2006 Dan Walsh 2.3.3-6- Cups needs to be able to read domain state off of printer client
* Wed Jul 19 2006 Dan Walsh 2.3.3-5- add boolean to allow zebra to write config files
* Tue Jul 18 2006 Dan Walsh 2.3.3-4- setroubleshootd fixes
* Mon Jul 17 2006 Dan Walsh 2.3.3-3- Allow prelink to read bin_t symlink- allow xfs to read random devices- Change gfs to support xattr
* Mon Jul 17 2006 Dan Walsh 2.3.3-2- Remove spamassassin_can_network boolean
* Fri Jul 14 2006 Dan Walsh 2.3.3-1- Update to upstream- Fix lpr domain for mls
* Fri Jul 14 2006 Dan Walsh 2.3.2-4- Add setroubleshoot policy
* Fri Jul 07 2006 Dan Walsh 2.3.2-3- Turn off auditallow on setting booleans
* Fri Jul 07 2006 Dan Walsh 2.3.2-2- Multiple fixes
* Fri Jul 07 2006 Dan Walsh 2.3.2-1- Update to upstream
* Thu Jun 22 2006 Dan Walsh 2.3.1-1- Update to upstream- Add new class for kernel key ring
* Wed Jun 21 2006 Dan Walsh 2.2.49-1- Update to upstream
* Tue Jun 20 2006 Dan Walsh 2.2.48-1- Update to upstream
* Tue Jun 20 2006 Dan Walsh 2.2.47-5- Break out selinux-devel package
* Fri Jun 16 2006 Dan Walsh 2.2.47-4- Add ibmasmfs
* Thu Jun 15 2006 Dan Walsh 2.2.47-3- Fix policygentool gen_requires
* Tue Jun 13 2006 Dan Walsh 2.2.47-1- Update from Upstream
* Tue Jun 13 2006 Dan Walsh 2.2.46-2- Fix spec of realplay
* Tue Jun 13 2006 Dan Walsh 2.2.46-1- Update to upstream
* Mon Jun 12 2006 Dan Walsh 2.2.45-3- Fix semanage
* Mon Jun 12 2006 Dan Walsh 2.2.45-2- Allow useradd to create_home_dir in MLS environment
* Thu Jun 08 2006 Dan Walsh 2.2.45-1- Update from upstream
* Tue Jun 06 2006 Dan Walsh 2.2.44-1- Update from upstream
* Tue Jun 06 2006 Dan Walsh 2.2.43-4- Add oprofilefs
* Sun May 28 2006 Dan Walsh 2.2.43-3- Fix for hplip and Picasus
* Sat May 27 2006 Dan Walsh 2.2.43-2- Update to upstream
* Fri May 26 2006 Dan Walsh 2.2.43-1- Update to upstream
* Fri May 26 2006 Dan Walsh 2.2.42-4- fixes for spamd
* Wed May 24 2006 Dan Walsh 2.2.42-3- fixes for java, openldap and webalizer
* Mon May 22 2006 Dan Walsh 2.2.42-2- Xen fixes
* Thu May 18 2006 Dan Walsh 2.2.42-1- Upgrade to upstream
* Thu May 18 2006 Dan Walsh 2.2.41-1- allow hal to read boot_t files- Upgrade to upstream
* Wed May 17 2006 Dan Walsh 2.2.40-2- allow hal to read boot_t files
* Tue May 16 2006 Dan Walsh 2.2.40-1- Update from upstream
* Mon May 15 2006 Dan Walsh 2.2.39-2- Fixes for amavis
* Mon May 15 2006 Dan Walsh 2.2.39-1- Update from upstream
* Fri May 12 2006 Dan Walsh 2.2.38-6- Allow auditctl to search all directories
* Thu May 11 2006 Dan Walsh 2.2.38-5- Add acquire service for mono.
* Thu May 11 2006 Dan Walsh 2.2.38-4- Turn off allow_execmem boolean- Allow ftp dac_override when allowed to access users homedirs
* Wed May 10 2006 Dan Walsh 2.2.38-3- Clean up spec file- Transition from unconfined_t to prelink_t
* Mon May 08 2006 Dan Walsh 2.2.38-2- Allow execution of cvs command
* Fri May 05 2006 Dan Walsh 2.2.38-1- Update to upstream
* Wed May 03 2006 Dan Walsh 2.2.37-1- Update to upstream
* Mon May 01 2006 Dan Walsh 2.2.36-2- Fix libjvm spec
* Tue Apr 25 2006 Dan Walsh 2.2.36-1- Update to upstream
* Tue Apr 25 2006 James Antill 2.2.35-2- Add xm policy- Fix policygentool
* Mon Apr 24 2006 Dan Walsh 2.2.35-1- Update to upstream- Fix postun to only disable selinux on full removal of the packages
* Fri Apr 21 2006 Dan Walsh 2.2.34-3- Allow mono to chat with unconfined
* Thu Apr 20 2006 Dan Walsh 2.2.34-2- Allow procmail to sendmail- Allow nfs to share dosfs
* Thu Apr 20 2006 Dan Walsh 2.2.34-1- Update to latest from upstream- Allow selinux-policy to be removed and kernel not to crash
* Tue Apr 18 2006 Dan Walsh 2.2.33-1- Update to latest from upstream- Add James Antill patch for xen- Many fixes for pegasus
* Sat Apr 15 2006 Dan Walsh 2.2.32-2- Add unconfined_mount_t- Allow privoxy to connect to httpd_cache- fix cups labeleing on /var/cache/cups
* Fri Apr 14 2006 Dan Walsh 2.2.32-1- Update to latest from upstream
* Fri Apr 14 2006 Dan Walsh 2.2.31-1- Update to latest from upstream- Allow mono and unconfined to talk to initrc_t dbus objects
* Tue Apr 11 2006 Dan Walsh 2.2.30-2- Change libraries.fc to stop shlib_t form overriding texrel_shlib_t
* Tue Apr 11 2006 Dan Walsh 2.2.30-1- Fix samba creating dirs in homedir- Fix NFS so its booleans would work
* Mon Apr 10 2006 Dan Walsh 2.2.29-6- Allow secadm_t ability to relabel all files- Allow ftp to search xferlog_t directories- Allow mysql to communicate with ldap- Allow rsync to bind to rsync_port_t
* Mon Apr 10 2006 Russell Coker 2.2.29-5- Fixed mailman with Postfix #183928- Allowed semanage to create file_context files.- Allowed amanda_t to access inetd_t TCP sockets and allowed amanda_recover_t to bind to reserved ports. #149030- Don\'t allow devpts_t to be associated with tmp_t.- Allow hald_t to stat all mountpoints.- Added boolean samba_share_nfs to allow smbd_t full access to NFS mounts. - Make mount run in mount_t domain from unconfined_t to prevent mislabeling of /etc/mtab.- Changed the file_contexts to not have a regex before the first ^/[a-z]/ whenever possible, makes restorecon slightly faster.- Correct the label of /etc/named.caching-nameserver.conf- Now label /usr/src/kernels/.+/lib(/.
*)? as usr_t instead of /usr/src(/.
*)?/lib(/.
*)? - I don\'t think we need anything else under /usr/src hit by this.- Granted xen access to /boot, allowed mounting on xend_var_lib_t, and allowed xenstored_t rw access to the xen device node.
* Tue Apr 04 2006 Dan Walsh 2.2.29-4- More textrel_shlib_t file path fixes- Add ada support
* Mon Apr 03 2006 Dan Walsh 2.2.29-3- Get auditctl working in MLS policy
* Mon Apr 03 2006 Dan Walsh 2.2.29-2- Add mono dbus support- Lots of file_context fixes for textrel_shlib_t in FC5- Turn off execmem auditallow since they are filling log files
* Fri Mar 31 2006 Dan Walsh 2.2.29-1- Update to upstream
* Thu Mar 30 2006 Dan Walsh 2.2.28-3- Allow automount and dbus to read cert files
* Thu Mar 30 2006 Dan Walsh 2.2.28-2- Fix ftp policy- Fix secadm running of auditctl
* Mon Mar 27 2006 Dan Walsh 2.2.28-1- Update to upstream
* Wed Mar 22 2006 Dan Walsh 2.2.27-1- Update to upstream
* Wed Mar 22 2006 Dan Walsh 2.2.25-3- Fix policyhelp
* Wed Mar 22 2006 Dan Walsh 2.2.25-2- Fix pam_console handling of usb_device- dontaudit logwatch reading /mnt dir
* Fri Mar 17 2006 Dan Walsh 2.2.24-1- Update to upstream
* Wed Mar 15 2006 Dan Walsh 2.2.23-19- Get transition rules to create policy.20 at SystemHigh
* Tue Mar 14 2006 Dan Walsh 2.2.23-18- Allow secadmin to shutdown system- Allow sendmail to exec newalias
* Tue Mar 14 2006 Dan Walsh 2.2.23-17- MLS Fixes dmidecode needs mls_file_read_up- add ypxfr_t- run init needs access to nscd- udev needs setuid- another xen log file- Dontaudit mount getattr proc_kcore_t
* Tue Mar 14 2006 Karsten Hopp 2.2.23-16- fix buildroot usage (#185391)
* Thu Mar 09 2006 Dan Walsh 2.2.23-15- Get rid of mount/fsdisk scan of /dev messages- Additional fixes for suspend/resume
* Thu Mar 09 2006 Dan Walsh 2.2.23-14- Fake make to rebuild enableaudit.pp
* Thu Mar 09 2006 Dan Walsh 2.2.23-13- Get xen networking running.
* Thu Mar 09 2006 Dan Walsh 2.2.23-12- Fixes for Xen- enableaudit should not be the same as base.pp- Allow ps to work for all process
* Thu Mar 09 2006 Jeremy Katz - 2.2.23-11- more xen policy fixups
* Wed Mar 08 2006 Jeremy Katz - 2.2.23-10- more xen fixage (#184393)
* Wed Mar 08 2006 Dan Walsh 2.2.23-9- Fix blkid specification- Allow postfix to execute mailman_que
* Wed Mar 08 2006 Dan Walsh 2.2.23-8- Blkid changes- Allow udev access to usb_device_t- Fix post script to create targeted policy config file
* Wed Mar 08 2006 Dan Walsh 2.2.23-7- Allow lvm tools to create drevice dir
* Tue Mar 07 2006 Dan Walsh 2.2.23-5- Add Xen support
* Mon Mar 06 2006 Dan Walsh 2.2.23-4- Fixes for cups- Make cryptosetup work with hal
* Sun Mar 05 2006 Dan Walsh 2.2.23-3- Load Policy needs translock
* Sat Mar 04 2006 Dan Walsh 2.2.23-2- Fix cups html interface
* Sat Mar 04 2006 Dan Walsh 2.2.23-1- Add hal changes suggested by Jeremy- add policyhelp to point at policy html pages
* Mon Feb 27 2006 Dan Walsh 2.2.22-2- Additional fixes for nvidia and cups
* Mon Feb 27 2006 Dan Walsh 2.2.22-1- Update to upstream- Merged my latest fixes- Fix cups policy to handle unix domain sockets
* Sat Feb 25 2006 Dan Walsh 2.2.21-9- NSCD socket is in nscd_var_run_t needs to be able to search dir
* Fri Feb 24 2006 Dan Walsh 2.2.21-8- Fixes Apache interface file
* Fri Feb 24 2006 Dan Walsh 2.2.21-7- Fixes for new version of cups
* Fri Feb 24 2006 Dan Walsh 2.2.21-6- Turn off polyinstatiate util after FC5
* Fri Feb 24 2006 Dan Walsh 2.2.21-5- Fix problem with privoxy talking to Tor
* Thu Feb 23 2006 Dan Walsh 2.2.21-4- Turn on polyinstatiation
* Thu Feb 23 2006 Dan Walsh 2.2.21-3- Don\'t transition from unconfined_t to fsadm_t
* Thu Feb 23 2006 Dan Walsh 2.2.21-2- Fix policy update model.
* Thu Feb 23 2006 Dan Walsh 2.2.21-1- Update to upstream
* Wed Feb 22 2006 Dan Walsh 2.2.20-1- Fix load_policy to work on MLS- Fix cron_rw_system_pipes for postfix_postdrop_t- Allow audotmount to run showmount
* Tue Feb 21 2006 Dan Walsh 2.2.19-2- Fix swapon- allow httpd_sys_script_t to be entered via a shell- Allow httpd_sys_script_t to read eventpolfs
* Tue Feb 21 2006 Dan Walsh 2.2.19-1- Update from upstream
* Tue Feb 21 2006 Dan Walsh 2.2.18-2- allow cron to read apache files
* Tue Feb 21 2006 Dan Walsh 2.2.18-1- Fix vpnc policy to work from NetworkManager
* Mon Feb 20 2006 Dan Walsh 2.2.17-2- Update to upstream- Fix semoudle polcy
* Thu Feb 16 2006 Dan Walsh 2.2.16-1- Update to upstream - fix sysconfig/selinux link
* Wed Feb 15 2006 Dan Walsh 2.2.15-4- Add router port for zebra- Add imaze port for spamd- Fixes for amanda and java
* Tue Feb 14 2006 Dan Walsh 2.2.15-3- Fix bluetooth handling of usb devices- Fix spamd reading of ~/- fix nvidia spec
* Tue Feb 14 2006 Dan Walsh 2.2.15-1- Update to upsteam
* Mon Feb 13 2006 Dan Walsh 2.2.14-2- Add users_extra files
* Fri Feb 10 2006 Dan Walsh 2.2.14-1- Update to upstream
* Fri Feb 10 2006 Dan Walsh 2.2.13-1- Add semodule policy
* Tue Feb 07 2006 Dan Walsh 2.2.12-1- Update from upstream
* Mon Feb 06 2006 Dan Walsh 2.2.11-2- Fix for spamd to use razor port
* Fri Feb 03 2006 Dan Walsh 2.2.11-1- Fixes for mcs- Turn on mount and fsadm for unconfined_t
* Wed Feb 01 2006 Dan Walsh 2.2.10-1- Fixes for the -devel package
* Wed Feb 01 2006 Dan Walsh 2.2.9-2- Fix for spamd to use ldap
* Fri Jan 27 2006 Dan Walsh 2.2.9-1- Update to upstream
* Fri Jan 27 2006 Dan Walsh 2.2.8-2- Update to upstream- Fix rhgb, and other Xorg startups
* Thu Jan 26 2006 Dan Walsh 2.2.7-1- Update to upstream
* Thu Jan 26 2006 Dan Walsh 2.2.6-3- Separate out role of secadm for mls
* Thu Jan 26 2006 Dan Walsh 2.2.6-2- Add inotifyfs handling
* Thu Jan 26 2006 Dan Walsh 2.2.6-1- Update to upstream- Put back in changes for pup/zen
* Tue Jan 24 2006 Dan Walsh 2.2.5-1- Many changes for MLS - Turn on strict policy
* Mon Jan 23 2006 Dan Walsh 2.2.4-1- Update to upstream
* Wed Jan 18 2006 Dan Walsh 2.2.3-1- Update to upstream- Fixes for booting and logging in on MLS machine
* Wed Jan 18 2006 Dan Walsh 2.2.2-1- Update to upstream- Turn off execheap execstack for unconfined users- Add mono/wine policy to allow execheap and execstack for them- Add execheap for Xdm policy
* Wed Jan 18 2006 Dan Walsh 2.2.1-1- Update to upstream- Fixes to fetchmail,
* Tue Jan 17 2006 Dan Walsh 2.1.13-1- Update to upstream
* Tue Jan 17 2006 Dan Walsh 2.1.12-3- Fix for procmail/spamassasin- Update to upstream- Add rules to allow rpcd to work with unlabeled_networks.
* Sat Jan 14 2006 Dan Walsh 2.1.11-1- Update to upstream- Fix ftp Man page
* Fri Jan 13 2006 Dan Walsh 2.1.10-1- Update to upstream
* Wed Jan 11 2006 Jeremy Katz - 2.1.9-2- fix pup transitions (#177262)- fix xen disks (#177599)
* Tue Jan 10 2006 Dan Walsh 2.1.9-1- Update to upstream
* Tue Jan 10 2006 Dan Walsh 2.1.8-3- More Fixes for hal and readahead
* Mon Jan 09 2006 Dan Walsh 2.1.8-2- Fixes for hal and readahead
* Mon Jan 09 2006 Dan Walsh 2.1.8-1- Update to upstream- Apply
* Fri Jan 06 2006 Dan Walsh 2.1.7-4- Add wine and fix hal problems
* Thu Jan 05 2006 Dan Walsh 2.1.7-3- Handle new location of hal scripts
* Thu Jan 05 2006 Dan Walsh 2.1.7-2- Allow su to read /etc/mtab
* Wed Jan 04 2006 Dan Walsh 2.1.7-1- Update to upstream
* Tue Jan 03 2006 Dan Walsh 2.1.6-24- Fix \"libsemanage.parse_module_headers: Data did not represent a module.\" problem
* Tue Jan 03 2006 Dan Walsh 2.1.6-23- Allow load_policy to read /etc/mtab
* Mon Jan 02 2006 Dan Walsh 2.1.6-22- Fix dovecot to allow dovecot_auth to look at /tmp
* Mon Jan 02 2006 Dan Walsh 2.1.6-21- Allow restorecon to read unlabeled_t directories in order to fix labeling.
* Fri Dec 30 2005 Dan Walsh 2.1.6-20- Add Logwatch policy
* Wed Dec 28 2005 Dan Walsh 2.1.6-18- Fix /dev/ub[a-z] file context
* Tue Dec 27 2005 Dan Walsh 2.1.6-17- Fix library specification- Give kudzu execmem privs
* Thu Dec 22 2005 Dan Walsh 2.1.6-16- Fix hostname in targeted policy
* Wed Dec 21 2005 Dan Walsh 2.1.6-15- Fix passwd command on mls
* Wed Dec 21 2005 Dan Walsh 2.1.6-14- Lots of fixes to make mls policy work
* Tue Dec 20 2005 Dan Walsh 2.1.6-13- Add dri libs to textrel_shlib_t- Add system_r role for java- Add unconfined_exec_t for vncserver- Allow slapd to use kerberos
* Mon Dec 19 2005 Dan Walsh 2.1.6-11- Add man pages
* Fri Dec 16 2005 Dan Walsh 2.1.6-10- Add enableaudit.pp
* Fri Dec 16 2005 Dan Walsh 2.1.6-9- Fix mls policy
* Fri Dec 16 2005 Dan Walsh 2.1.6-8- Update mls file from old version
* Thu Dec 15 2005 Dan Walsh 2.1.6-5- Add sids back in- Rebuild with update checkpolicy
* Thu Dec 15 2005 Dan Walsh 2.1.6-4- Fixes to allow automount to use portmap- Fixes to start kernel in s0-s15:c0.c255
* Wed Dec 14 2005 Dan Walsh 2.1.6-3- Add java unconfined/execmem policy
* Wed Dec 14 2005 Dan Walsh 2.1.6-2- Add file context for /var/cvs- Dontaudit webalizer search of homedir
* Tue Dec 13 2005 Dan Walsh 2.1.6-1- Update from upstream
* Tue Dec 13 2005 Dan Walsh 2.1.4-2- Clean up spec- range_transition crond to SystemHigh
* Mon Dec 12 2005 Dan Walsh 2.1.4-1- Fixes for hal- Update to upstream
* Mon Dec 12 2005 Dan Walsh 2.1.3-1- Turn back on execmem since we need it for java, firefox, ooffice- Allow gpm to stream socket to itself
* Mon Dec 12 2005 Jeremy Katz - 2.1.2-3- fix requirements to be on the actual packages so that policy can get created properly at install time
* Sun Dec 11 2005 Dan Walsh 2.1.2-2- Allow unconfined_t to execmod texrel_shlib_t
* Sat Dec 10 2005 Dan Walsh 2.1.2-1- Update to upstream - Turn off allow_execmem and allow_execmod booleans- Add tcpd and automount policies
* Fri Dec 09 2005 Dan Walsh 2.1.1-3- Add two new httpd booleans, turned off by default
* httpd_can_network_relay
* httpd_can_network_connect_db
* Fri Dec 09 2005 Dan Walsh 2.1.1-2- Add ghost for policy.20
* Thu Dec 08 2005 Dan Walsh 2.1.1-1- Update to upstream- Turn off boolean allow_execstack
* Thu Dec 08 2005 Dan Walsh 2.1.0-3- Change setrans-mls to use new libsetrans- Add default_context rule for xdm
* Thu Dec 08 2005 Dan Walsh 2.1.0-2.- Change Requires to PreReg for requiring of policycoreutils on install
* Wed Dec 07 2005 Dan Walsh 2.1.0-1.- New upstream release
* Wed Dec 07 2005 Dan Walsh 2.0.11-2.Add xdm policy
* Tue Dec 06 2005 Dan Walsh 2.0.11-1.Update from upstream
* Fri Dec 02 2005 Dan Walsh 2.0.9-1.Update from upstream
* Fri Dec 02 2005 Dan Walsh 2.0.8-1.Update from upstream
* Fri Dec 02 2005 Dan Walsh 2.0.7-3- Also trigger to rebuild policy for versions up to 2.0.7.
* Tue Nov 29 2005 Dan Walsh 2.0.7-2- No longer installing policy.20 file, anaconda handles the building of the app.
* Tue Nov 29 2005 Dan Walsh 2.0.6-2- Fixes for dovecot and saslauthd
* Wed Nov 23 2005 Dan Walsh 2.0.5-4- Cleanup pegasus and named - Fix spec file- Fix up passwd changing applications
* Tue Nov 22 2005 Dan Walsh 2.0.5-1-Update to latest from upstream
* Tue Nov 22 2005 Dan Walsh 2.0.4-1- Add rules for pegasus and avahi
* Mon Nov 21 2005 Dan Walsh 2.0.2-2- Start building MLS Policy
* Fri Nov 18 2005 Dan Walsh 2.0.2-1- Update to upstream
* Wed Nov 09 2005 Dan Walsh 2.0.1-2- Turn on bash
* Wed Nov 09 2005 Dan Walsh 2.0.1-1- Initial version
  
ICM