update selinux-policy package to match repos
This commit is contained in:
parent
c552946868
commit
7d845b195f
5 changed files with 323 additions and 580 deletions
Binary file not shown.
|
|
@ -1,8 +1,7 @@
|
|||
/var/run /run
|
||||
/var/lock /run/lock
|
||||
/run /var/run
|
||||
/run/lock /var/lock
|
||||
/run/systemd/system /usr/lib/systemd/system
|
||||
/run/systemd/generator /usr/lib/systemd/system
|
||||
/run/systemd/generator.early /usr/lib/systemd/system
|
||||
/run/systemd/generator.late /usr/lib/systemd/system
|
||||
/lib /usr/lib
|
||||
/lib64 /usr/lib
|
||||
|
|
@ -21,4 +20,3 @@
|
|||
/sysroot/tmp /tmp
|
||||
/var/usrlocal /usr/local
|
||||
/var/mnt /mnt
|
||||
/bin /usr/bin
|
||||
|
|
|
|||
|
|
@ -2712,73 +2712,3 @@ rshim = module
|
|||
# keyutils
|
||||
#
|
||||
keyutils = module
|
||||
|
||||
# Layer: contrib
|
||||
# Module: cifsutils
|
||||
#
|
||||
# cifsutils - Utilities for managing CIFS mounts
|
||||
#
|
||||
cifsutils = module
|
||||
|
||||
# Layer: contrib
|
||||
# Module: boothd
|
||||
#
|
||||
# boothd - Booth cluster ticket manager
|
||||
#
|
||||
boothd = module
|
||||
|
||||
# Layer: contrib
|
||||
# Module: kafs
|
||||
#
|
||||
# kafs - Tools for kAFS
|
||||
#
|
||||
kafs = module
|
||||
|
||||
# Layer: contrib
|
||||
# Module: bootupd
|
||||
#
|
||||
# bootupd - bootloader update daemon
|
||||
#
|
||||
bootupd = module
|
||||
|
||||
# Layer: contrib
|
||||
# Module: fdo
|
||||
#
|
||||
# fdo - fido device onboard protocol for IoT devices
|
||||
#
|
||||
fdo = module
|
||||
|
||||
# Layer: contrib
|
||||
# Module: qatlib
|
||||
#
|
||||
# qatlib - Intel QuickAssist technology library and resources management
|
||||
#
|
||||
qatlib = module
|
||||
|
||||
# Layer: services
|
||||
# Module: virt_supplementary
|
||||
#
|
||||
# non-libvirt virtualization libraries
|
||||
#
|
||||
virt_supplementary = module
|
||||
|
||||
# Layer: contrib
|
||||
# Module: nvme_stas
|
||||
#
|
||||
# nvme_stas
|
||||
#
|
||||
nvme_stas = module
|
||||
|
||||
# Layer: contrib
|
||||
# Module: coreos_installer
|
||||
#
|
||||
# coreos_installer
|
||||
#
|
||||
coreos_installer = module
|
||||
|
||||
# Layer: contrib
|
||||
# Module: afterburn
|
||||
#
|
||||
# afterburn
|
||||
#
|
||||
afterburn = module
|
||||
|
|
|
|||
BIN
selinux-policy/selinux-policy-bc228bd.tar.gz
Normal file
BIN
selinux-policy/selinux-policy-bc228bd.tar.gz
Normal file
Binary file not shown.
|
|
@ -1,6 +1,6 @@
|
|||
# github repo with selinux-policy sources
|
||||
%global giturl https://github.com/fedora-selinux/selinux-policy
|
||||
%global commit d9f4a2bbeb91fd95d0c35a90936efb9ea99d2455
|
||||
%global commit bc228bd0c249a9e4aa3dcf238c2b1bb138943b07
|
||||
%global shortcommit %(c=%{commit}; echo ${c:0:7})
|
||||
|
||||
%define distro redhat
|
||||
|
|
@ -23,8 +23,8 @@
|
|||
%define CHECKPOLICYVER 3.2
|
||||
Summary: SELinux policy configuration
|
||||
Name: selinux-policy
|
||||
Version: 40.13
|
||||
Release: 1%{?dist}
|
||||
Version: 38.8
|
||||
Release: 2%{?dist}
|
||||
License: GPL-2.0-or-later
|
||||
Source: %{giturl}/archive/%{commit}/%{name}-%{shortcommit}.tar.gz
|
||||
Source1: modules-targeted-base.conf
|
||||
|
|
@ -61,9 +61,6 @@ Source35: container-selinux.tgz
|
|||
|
||||
Source36: selinux-check-proper-disable.service
|
||||
|
||||
# Script to convert /var/run file context entries to /run
|
||||
Source37: varrun-convert.sh
|
||||
|
||||
# Provide rpm macros for packages installing SELinux modules
|
||||
Source102: rpm.macros
|
||||
|
||||
|
|
@ -95,7 +92,6 @@ the policy has been adjusted to provide support for Fedora.
|
|||
%{_usr}/lib/tmpfiles.d/selinux-policy.conf
|
||||
%{_rpmconfigdir}/macros.d/macros.selinux-policy
|
||||
%{_unitdir}/selinux-check-proper-disable.service
|
||||
%{_libexecdir}/selinux/varrun-convert.sh
|
||||
|
||||
%package sandbox
|
||||
Summary: SELinux sandbox policy
|
||||
|
|
@ -172,7 +168,6 @@ This package contains manual pages and documentation of the policy modules.
|
|||
%files doc
|
||||
%{_mandir}/man*/*
|
||||
%{_mandir}/ru/*/*
|
||||
%exclude %{_mandir}/man8/container_selinux.8.gz
|
||||
%doc %{_datadir}/doc/%{name}
|
||||
|
||||
%define common_params DISTRO=%{distro} UBAC=n DIRECT_INITRC=n MONOLITHIC=%{monolithic} MLS_CATS=1024 MCS_CATS=1024
|
||||
|
|
@ -281,7 +276,6 @@ rm -f %{buildroot}%{_sharedstatedir}/selinux/%1/active/*.linked \
|
|||
%ghost %{_sharedstatedir}/selinux/%1/active/users_extra.linked \
|
||||
%verify(not md5 size mtime) %{_sharedstatedir}/selinux/%1/active/file_contexts.homedirs \
|
||||
%verify(not md5 size mtime) %{_sharedstatedir}/selinux/%1/active/modules_checksum \
|
||||
%ghost %{_sharedstatedir}/selinux/%1/active/modules/400/extra_varrun \
|
||||
%nil
|
||||
|
||||
%define relabel() \
|
||||
|
|
@ -429,8 +423,6 @@ mkdir -p %{buildroot}%{_usr}/lib/tmpfiles.d/
|
|||
cp %{SOURCE27} %{buildroot}%{_usr}/lib/tmpfiles.d/
|
||||
mkdir -p %{buildroot}%{_bindir}
|
||||
install -m 755 %{SOURCE33} %{buildroot}%{_bindir}/
|
||||
mkdir -p %{buildroot}%{_libexecdir}/selinux
|
||||
install -m 755 %{SOURCE37} %{buildroot}%{_libexecdir}/selinux
|
||||
|
||||
# Always create policy module package directories
|
||||
mkdir -p %{buildroot}%{_datadir}/selinux/{targeted,mls,minimum,modules}/
|
||||
|
|
@ -493,7 +485,7 @@ mv %{buildroot}%{_datadir}/man/man8/style.css %{buildroot}%{_datadir}/selinux/de
|
|||
|
||||
mkdir -p %{buildroot}%{_rpmconfigdir}/macros.d
|
||||
install -m 644 %{SOURCE102} %{buildroot}%{_rpmconfigdir}/macros.d/macros.selinux-policy
|
||||
sed -i 's/SELINUXPOLICYVERSION/%{version}/' %{buildroot}%{_rpmconfigdir}/macros.d/macros.selinux-policy
|
||||
sed -i 's/SELINUXPOLICYVERSION/%{version}-%{release}/' %{buildroot}%{_rpmconfigdir}/macros.d/macros.selinux-policy
|
||||
sed -i 's@SELINUXSTOREPATH@%{_sharedstatedir}/selinux@' %{buildroot}%{_rpmconfigdir}/macros.d/macros.selinux-policy
|
||||
|
||||
mkdir -p %{buildroot}%{_unitdir}
|
||||
|
|
@ -591,7 +583,6 @@ exit 0
|
|||
|
||||
%posttrans targeted
|
||||
%checkConfigConsistency targeted
|
||||
%{_libexecdir}/selinux/varrun-convert.sh targeted
|
||||
%{_sbindir}/restorecon -Ri /usr/lib/sysimage/rpm /var/lib/rpm
|
||||
|
||||
%postun targeted
|
||||
|
|
@ -705,7 +696,6 @@ exit 0
|
|||
|
||||
%posttrans minimum
|
||||
%checkConfigConsistency minimum
|
||||
%{_libexecdir}/selinux/varrun-convert.sh minimum
|
||||
%{_sbindir}/restorecon -Ri /usr/lib/sysimage/rpm /var/lib/rpm
|
||||
|
||||
%postun minimum
|
||||
|
|
@ -780,7 +770,6 @@ exit 0
|
|||
|
||||
%posttrans mls
|
||||
%checkConfigConsistency mls
|
||||
%{_libexecdir}/selinux/varrun-convert.sh mls
|
||||
%{_sbindir}/restorecon -Ri /usr/lib/sysimage/rpm /var/lib/rpm
|
||||
|
||||
%postun mls
|
||||
|
|
@ -824,497 +813,8 @@ exit 0
|
|||
%endif
|
||||
|
||||
%changelog
|
||||
* Mon Feb 12 2024 Zdenek Pytela <zpytela@redhat.com> - 40.13-1
|
||||
- Only allow confined user domains to login locally without unconfined_login
|
||||
- Add userdom_spec_domtrans_confined_admin_users interface
|
||||
- Only allow admindomain to execute shell via ssh with ssh_sysadm_login
|
||||
- Add userdom_spec_domtrans_admin_users interface
|
||||
- Move ssh dyntrans to unconfined inside unconfined_login tunable policy
|
||||
- Update ssh_role_template() for user ssh-agent type
|
||||
- Allow init to inherit system DBus file descriptors
|
||||
- Allow init to inherit fds from syslogd
|
||||
- Allow any domain to inherit fds from rpm-ostree
|
||||
- Update afterburn policy
|
||||
- Allow init_t nnp domain transition to abrtd_t
|
||||
|
||||
* Tue Feb 06 2024 Zdenek Pytela <zpytela@redhat.com> - 40.12-1
|
||||
- Rename all /var/lock file context entries to /run/lock
|
||||
- Rename all /var/run file context entries to /run
|
||||
- Invert the "/var/run = /run" equivalency
|
||||
|
||||
* Mon Feb 05 2024 Zdenek Pytela <zpytela@redhat.com> - 40.11-1
|
||||
- Replace init domtrans rule for confined users to allow exec init
|
||||
- Update dbus_role_template() to allow user service status
|
||||
- Allow polkit status all systemd services
|
||||
- Allow setroubleshootd create and use inherited io_uring
|
||||
- Allow load_policy read and write generic ptys
|
||||
- Allow gpg manage rpm cache
|
||||
- Allow login_userdomain name_bind to howl and xmsg udp ports
|
||||
- Allow rules for confined users logged in plasma
|
||||
- Label /dev/iommu with iommu_device_t
|
||||
- Remove duplicate file context entries in /run
|
||||
- Dontaudit getty and plymouth the checkpoint_restore capability
|
||||
- Allow su domains write login records
|
||||
- Revert "Allow su domains write login records"
|
||||
- Allow login_userdomain delete session dbusd tmp socket files
|
||||
- Allow unix dgram sendto between exim processes
|
||||
- Allow su domains write login records
|
||||
- Allow smbd_t to watch user_home_dir_t if samba_enable_home_dirs is on
|
||||
|
||||
* Wed Jan 24 2024 Zdenek Pytela <zpytela@redhat.com> - 40.10-1
|
||||
- Allow chronyd-restricted read chronyd key files
|
||||
- Allow conntrackd_t to use bpf capability2
|
||||
- Allow systemd-networkd manage its runtime socket files
|
||||
- Allow init_t nnp domain transition to colord_t
|
||||
- Allow polkit status systemd services
|
||||
- nova: Fix duplicate declarations
|
||||
- Allow httpd work with PrivateTmp
|
||||
- Add interfaces for watching and reading ifconfig_var_run_t
|
||||
- Allow collectd read raw fixed disk device
|
||||
- Allow collectd read udev pid files
|
||||
- Set correct label on /etc/pki/pki-tomcat/kra
|
||||
- Allow systemd domains watch system dbus pid socket files
|
||||
- Allow certmonger read network sysctls
|
||||
- Allow mdadm list stratisd data directories
|
||||
- Allow syslog to run unconfined scripts conditionally
|
||||
- Allow syslogd_t nnp_transition to syslogd_unconfined_script_t
|
||||
- Allow qatlib set attributes of vfio device files
|
||||
|
||||
* Tue Jan 09 2024 Zdenek Pytela <zpytela@redhat.com> - 40.9-1
|
||||
- Allow systemd-sleep set attributes of efivarfs files
|
||||
- Allow samba-dcerpcd read public files
|
||||
- Allow spamd_update_t the sys_ptrace capability in user namespace
|
||||
- Allow bluetooth devices work with alsa
|
||||
- Allow alsa get attributes filesystems with extended attributes
|
||||
|
||||
* Tue Jan 02 2024 Yaakov Selkowitz <yselkowi@redhat.com> - 40.8-2
|
||||
- Limit %%selinux_requires to version, not release
|
||||
|
||||
* Thu Dec 21 2023 Zdenek Pytela <zpytela@redhat.com> - 40.8-1
|
||||
- Allow hypervkvp_t write access to NetworkManager_etc_rw_t
|
||||
- Add interface for write-only access to NetworkManager rw conf
|
||||
- Allow systemd-sleep send a message to syslog over a unix dgram socket
|
||||
- Allow init create and use netlink netfilter socket
|
||||
- Allow qatlib load kernel modules
|
||||
- Allow qatlib run lspci
|
||||
- Allow qatlib manage its private runtime socket files
|
||||
- Allow qatlib read/write vfio devices
|
||||
- Label /etc/redis.conf with redis_conf_t
|
||||
- Remove the lockdown-class rules from the policy
|
||||
- Allow init read all non-security socket files
|
||||
- Replace redundant dnsmasq pattern macros
|
||||
- Remove unneeded symlink perms in dnsmasq.if
|
||||
- Add additions to dnsmasq interface
|
||||
- Allow nvme_stas_t create and use netlink kobject uevent socket
|
||||
- Allow collectd connect to statsd port
|
||||
- Allow keepalived_t to use sys_ptrace of cap_userns
|
||||
- Allow dovecot_auth_t connect to postgresql using UNIX socket
|
||||
|
||||
* Wed Dec 13 2023 Zdenek Pytela <zpytela@redhat.com> - 40.7-1
|
||||
- Make named_zone_t and named_var_run_t a part of the mountpoint attribute
|
||||
- Allow sysadm execute traceroute in sysadm_t domain using sudo
|
||||
- Allow sysadm execute tcpdump in sysadm_t domain using sudo
|
||||
- Allow opafm search nfs directories
|
||||
- Add support for syslogd unconfined scripts
|
||||
- Allow gpsd use /dev/gnss devices
|
||||
- Allow gpg read rpm cache
|
||||
- Allow virtqemud additional permissions
|
||||
- Allow virtqemud manage its private lock files
|
||||
- Allow virtqemud use the io_uring api
|
||||
- Allow ddclient send e-mail notifications
|
||||
- Allow postfix_master_t map postfix data files
|
||||
- Allow init create and use vsock sockets
|
||||
- Allow thumb_t append to init unix domain stream sockets
|
||||
- Label /dev/vas with vas_device_t
|
||||
- Change domain_kernel_load_modules boolean to true
|
||||
- Create interface selinux_watch_config and add it to SELinux users
|
||||
|
||||
* Tue Nov 28 2023 Zdenek Pytela <zpytela@redhat.com> - 40.6-1
|
||||
- Add afterburn to modules-targeted-contrib.conf
|
||||
- Update cifs interfaces to include fs_search_auto_mountpoints()
|
||||
- Allow sudodomain read var auth files
|
||||
- Allow spamd_update_t read hardware state information
|
||||
- Allow virtnetworkd domain transition on tc command execution
|
||||
- Allow sendmail MTA connect to sendmail LDA
|
||||
- Allow auditd read all domains process state
|
||||
- Allow rsync read network sysctls
|
||||
- Add dhcpcd bpf capability to run bpf programs
|
||||
- Dontaudit systemd-hwdb dac_override capability
|
||||
- Allow systemd-sleep create efivarfs files
|
||||
|
||||
* Tue Nov 14 2023 Zdenek Pytela <zpytela@redhat.com> - 40.5-1
|
||||
- Allow map xserver_tmpfs_t files when xserver_clients_write_xshm is on
|
||||
- Allow graphical applications work in Wayland
|
||||
- Allow kdump work with PrivateTmp
|
||||
- Allow dovecot-auth work with PrivateTmp
|
||||
- Allow nfsd get attributes of all filesystems
|
||||
- Allow unconfined_domain_type use io_uring cmd on domain
|
||||
- ci: Only run Rawhide revdeps tests on the rawhide branch
|
||||
- Label /var/run/auditd.state as auditd_var_run_t
|
||||
- Allow fido-device-onboard (FDO) read the crack database
|
||||
- Allow ip an explicit domain transition to other domains
|
||||
- Label /usr/libexec/selinux/selinux-autorelabel with semanage_exec_t
|
||||
- Allow winbind_rpcd_t processes access when samba_export_all_* is on
|
||||
- Enable NetworkManager and dhclient to use initramfs-configured DHCP connection
|
||||
- Allow ntp to bind and connect to ntske port.
|
||||
- Allow system_mail_t manage exim spool files and dirs
|
||||
- Dontaudit keepalived setattr on keepalived_unconfined_script_exec_t
|
||||
- Label /run/pcsd.socket with cluster_var_run_t
|
||||
- ci: Run cockpit tests in PRs
|
||||
|
||||
* Thu Oct 19 2023 Zdenek Pytela <zpytela@redhat.com> - 40.4-1
|
||||
- Add map_read map_write to kernel_prog_run_bpf
|
||||
- Allow systemd-fstab-generator read all symlinks
|
||||
- Allow systemd-fstab-generator the dac_override capability
|
||||
- Allow rpcbind read network sysctls
|
||||
- Support using systemd containers
|
||||
- Allow sysadm_t to connect to iscsid using a unix domain stream socket
|
||||
- Add policy for coreos installer
|
||||
- Add coreos_installer to modules-targeted-contrib.conf
|
||||
|
||||
* Tue Oct 17 2023 Zdenek Pytela <zpytela@redhat.com> - 40.3-1
|
||||
- Add policy for nvme-stas
|
||||
- Confine systemd fstab,sysv,rc-local
|
||||
- Label /etc/aliases.lmdb with etc_aliases_t
|
||||
- Create policy for afterburn
|
||||
- Add nvme_stas to modules-targeted-contrib.conf
|
||||
- Add plans/tests.fmf
|
||||
|
||||
* Tue Oct 10 2023 Zdenek Pytela <zpytela@redhat.com> - 40.2-1
|
||||
- Add the virt_supplementary module to modules-targeted-contrib.conf
|
||||
- Make new virt drivers permissive
|
||||
- Split virt policy, introduce virt_supplementary module
|
||||
- Allow apcupsd cgi scripts read /sys
|
||||
- Merge pull request #1893 from WOnder93/more-early-boot-overlay-fixes
|
||||
- Allow kernel_t to manage and relabel all files
|
||||
- Add missing optional_policy() to files_relabel_all_files()
|
||||
|
||||
* Tue Oct 03 2023 Zdenek Pytela <zpytela@redhat.com> - 40.1-1
|
||||
- Allow named and ndc use the io_uring api
|
||||
- Deprecate common_anon_inode_perms usage
|
||||
- Improve default file context(None) of /var/lib/authselect/backups
|
||||
- Allow udev_t to search all directories with a filesystem type
|
||||
- Implement proper anon_inode support
|
||||
- Allow targetd write to the syslog pid sock_file
|
||||
- Add ipa_pki_retrieve_key_exec() interface
|
||||
- Allow kdumpctl_t to list all directories with a filesystem type
|
||||
- Allow udev additional permissions
|
||||
- Allow udev load kernel module
|
||||
- Allow sysadm_t to mmap modules_object_t files
|
||||
- Add the unconfined_read_files() and unconfined_list_dirs() interfaces
|
||||
- Set default file context of HOME_DIR/tmp/.* to <<none>>
|
||||
- Allow kernel_generic_helper_t to execute mount(1)
|
||||
|
||||
* Fri Sep 29 2023 Zdenek Pytela <zpytela@redhat.com> - 38.29-1
|
||||
- Allow sssd send SIGKILL to passkey_child running in ipa_otpd_t
|
||||
- Allow systemd-localed create Xserver config dirs
|
||||
- Allow sssd read symlinks in /etc/sssd
|
||||
- Label /dev/gnss[0-9] with gnss_device_t
|
||||
- Allow systemd-sleep read/write efivarfs variables
|
||||
- ci: Fix version number of packit generated srpms
|
||||
- Dontaudit rhsmcertd write memory device
|
||||
- Allow ssh_agent_type create a sockfile in /run/user/USERID
|
||||
- Set default file context of /var/lib/authselect/backups to <<none>>
|
||||
- Allow prosody read network sysctls
|
||||
- Allow cupsd_t to use bpf capability
|
||||
|
||||
* Fri Sep 15 2023 Zdenek Pytela <zpytela@redhat.com> - 38.28-1
|
||||
- Allow sssd domain transition on passkey_child execution conditionally
|
||||
- Allow login_userdomain watch lnk_files in /usr
|
||||
- Allow login_userdomain watch video4linux devices
|
||||
- Change systemd-network-generator transition to include class file
|
||||
- Revert "Change file transition for systemd-network-generator"
|
||||
- Allow nm-dispatcher winbind plugin read/write samba var files
|
||||
- Allow systemd-networkd write to cgroup files
|
||||
- Allow kdump create and use its memfd: objects
|
||||
|
||||
* Thu Aug 31 2023 Zdenek Pytela <zpytela@redhat.com> - 38.27-1
|
||||
- Allow fedora-third-party get generic filesystem attributes
|
||||
- Allow sssd use usb devices conditionally
|
||||
- Update policy for qatlib
|
||||
- Allow ssh_agent_type manage generic cache home files
|
||||
|
||||
* Thu Aug 24 2023 Zdenek Pytela <zpytela@redhat.com> - 38.26-1
|
||||
- Change file transition for systemd-network-generator
|
||||
- Additional support for gnome-initial-setup
|
||||
- Update gnome-initial-setup policy for geoclue
|
||||
- Allow openconnect vpn open vhost net device
|
||||
- Allow cifs.upcall to connect to SSSD also through the /var/run socket
|
||||
- Grant cifs.upcall more required capabilities
|
||||
- Allow xenstored map xenfs files
|
||||
- Update policy for fdo
|
||||
- Allow keepalived watch var_run dirs
|
||||
- Allow svirt to rw /dev/udmabuf
|
||||
- Allow qatlib to modify hardware state information.
|
||||
- Allow key.dns_resolve connect to avahi over a unix stream socket
|
||||
- Allow key.dns_resolve create and use unix datagram socket
|
||||
- Use quay.io as the container image source for CI
|
||||
|
||||
* Fri Aug 11 2023 Zdenek Pytela <zpytela@redhat.com> - 38.25-1
|
||||
- ci: Move srpm/rpm build to packit
|
||||
- .copr: Avoid subshell and changing directory
|
||||
- Allow gpsd, oddjob and oddjob_mkhomedir_t write user_tty_device_t chr_file
|
||||
- Label /usr/libexec/openssh/ssh-pkcs11-helper with ssh_agent_exec_t
|
||||
- Make insights_client_t an unconfined domain
|
||||
- Allow insights-client manage user temporary files
|
||||
- Allow insights-client create all rpm logs with a correct label
|
||||
- Allow insights-client manage generic logs
|
||||
- Allow cloud_init create dhclient var files and init_t manage net_conf_t
|
||||
- Allow insights-client read and write cluster tmpfs files
|
||||
- Allow ipsec read nsfs files
|
||||
- Make tuned work with mls policy
|
||||
- Remove nsplugin_role from mozilla.if
|
||||
- allow mon_procd_t self:cap_userns sys_ptrace
|
||||
- Allow pdns name_bind and name_connect all ports
|
||||
- Set the MLS range of fsdaemon_t to s0 - mls_systemhigh
|
||||
- ci: Move to actions/checkout@v3 version
|
||||
- .copr: Replace chown call with standard workflow safe.directory setting
|
||||
- .copr: Enable `set -u` for robustness
|
||||
- .copr: Simplify root directory variable
|
||||
|
||||
* Fri Aug 04 2023 Zdenek Pytela <zpytela@redhat.com> - 38.24-1
|
||||
- Allow rhsmcertd dbus chat with policykit
|
||||
- Allow polkitd execute pkla-check-authorization with nnp transition
|
||||
- Allow user_u and staff_u get attributes of non-security dirs
|
||||
- Allow unconfined user filetrans chrome_sandbox_home_t
|
||||
- Allow svnserve execute postdrop with a transition
|
||||
- Do not make postfix_postdrop_t type an MTA executable file
|
||||
- Allow samba-dcerpc service manage samba tmp files
|
||||
- Add use_nfs_home_dirs boolean for mozilla_plugin
|
||||
- Fix labeling for no-stub-resolv.conf
|
||||
|
||||
* Wed Aug 02 2023 Zdenek Pytela <zpytela@redhat.com> - 38.23-1
|
||||
- Revert "Allow winbind-rpcd use its private tmp files"
|
||||
- Allow upsmon execute upsmon via a helper script
|
||||
- Allow openconnect vpn read/write inherited vhost net device
|
||||
- Allow winbind-rpcd use its private tmp files
|
||||
- Update samba-dcerpc policy for printing
|
||||
- Allow gpsd,oddjob,oddjob_mkhomedir rw user domain pty
|
||||
- Allow nscd watch system db dirs
|
||||
- Allow qatlib to read sssd public files
|
||||
- Allow fedora-third-party read /sys and proc
|
||||
- Allow systemd-gpt-generator mount a tmpfs filesystem
|
||||
- Allow journald write to cgroup files
|
||||
- Allow rpc.mountd read network sysctls
|
||||
- Allow blueman read the contents of the sysfs filesystem
|
||||
- Allow logrotate_t to map generic files in /etc
|
||||
- Boolean: Allow virt_qemu_ga create ssh directory
|
||||
|
||||
* Tue Jul 25 2023 Zdenek Pytela <zpytela@redhat.com> - 38.22-1
|
||||
- Allow systemd-network-generator send system log messages
|
||||
- Dontaudit the execute permission on sock_file globally
|
||||
- Allow fsadm_t the file mounton permission
|
||||
- Allow named and ndc the io_uring sqpoll permission
|
||||
- Allow sssd io_uring sqpoll permission
|
||||
- Fix location for /run/nsd
|
||||
- Allow qemu-ga get fixed disk devices attributes
|
||||
- Update bitlbee policy
|
||||
- Label /usr/sbin/sos with sosreport_exec_t
|
||||
- Update policy for the sblim-sfcb service
|
||||
- Add the files_getattr_non_auth_dirs() interface
|
||||
- Fix the CI to work with DNF5
|
||||
|
||||
* Sat Jul 22 2023 Fedora Release Engineering <releng@fedoraproject.org> - 38.21-2
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild
|
||||
|
||||
* Thu Jul 13 2023 Zdenek Pytela <zpytela@redhat.com> - 38.21-1
|
||||
- Make systemd_tmpfiles_t MLS trusted for lowering the level of files
|
||||
- Revert "Allow insights client map cache_home_t"
|
||||
- Allow nfsidmapd connect to systemd-machined over a unix socket
|
||||
- Allow snapperd connect to kernel over a unix domain stream socket
|
||||
- Allow virt_qemu_ga_t create .ssh dir with correct label
|
||||
- Allow targetd read network sysctls
|
||||
- Set the abrt_handle_event boolean to on
|
||||
- Permit kernel_t to change the user identity in object contexts
|
||||
- Allow insights client map cache_home_t
|
||||
- Label /usr/sbin/mariadbd with mysqld_exec_t
|
||||
- Trim changelog so that it starts at F37 time
|
||||
- Define equivalency for /run/systemd/generator.early
|
||||
|
||||
* Thu Jun 29 2023 Zdenek Pytela <zpytela@redhat.com> - 38.20-1
|
||||
- Allow httpd tcp connect to redis port conditionally
|
||||
- Label only /usr/sbin/ripd and ripngd with zebra_exec_t
|
||||
- Dontaudit aide the execmem permission
|
||||
- Remove permissive from fdo
|
||||
- Allow sa-update manage spamc home files
|
||||
- Allow sa-update connect to systemlog services
|
||||
- Label /usr/lib/systemd/system/mimedefang.service with antivirus_unit_file_t
|
||||
- Allow nsd_crond_t write nsd_var_run_t & connectto nsd_t
|
||||
- Allow bootupd search EFI directory
|
||||
|
||||
* Tue Jun 27 2023 Zdenek Pytela <zpytela@redhat.com> - 38.19-1
|
||||
- Change init_audit_control default value to true
|
||||
- Allow nfsidmapd connect to systemd-userdbd with a unix socket
|
||||
- Add the qatlib module
|
||||
- Add the fdo module
|
||||
- Add the bootupd module
|
||||
- Set default ports for keylime policy
|
||||
- Create policy for qatlib
|
||||
- Add policy for FIDO Device Onboard
|
||||
- Add policy for bootupd
|
||||
- Add the qatlib module
|
||||
- Add the fdo module
|
||||
- Add the bootupd module
|
||||
|
||||
* Sun Jun 25 2023 Zdenek Pytela <zpytela@redhat.com> - 38.18-1
|
||||
- Add support for kafs-dns requested by keyutils
|
||||
- Allow insights-client execmem
|
||||
- Add support for chronyd-restricted
|
||||
- Add init_explicit_domain() interface
|
||||
- Allow fsadm_t to get attributes of cgroup filesystems
|
||||
- Add list_dir_perms to kerberos_read_keytab
|
||||
- Label /var/run/tmpfiles.d/static-nodes.conf with kmod_var_run_t
|
||||
- Allow sendmail manage its runtime files
|
||||
- Allow keyutils_dns_resolver_exec_t be an entrypoint
|
||||
- Allow collectd_t read network state symlinks
|
||||
- Revert "Allow collectd_t read proc_net link files"
|
||||
- Allow nfsd_t to list exports_t dirs
|
||||
- Allow cupsd dbus chat with xdm
|
||||
- Allow haproxy read hardware state information
|
||||
- Add the kafs module
|
||||
|
||||
* Thu Jun 15 2023 Zdenek Pytela <zpytela@redhat.com> - 38.17-1
|
||||
- Label /dev/userfaultfd with userfaultfd_t
|
||||
- Allow blueman send general signals to unprivileged user domains
|
||||
- Allow dkim-milter domain transition to sendmail
|
||||
- Label /usr/sbin/cifs.idmap with cifs_helper_exec_t
|
||||
- Allow cifs-helper read sssd kerberos configuration files
|
||||
- Allow rpm_t sys_admin capability
|
||||
- Allow dovecot_deliver_t create/map dovecot_spool_t dir/file
|
||||
- Allow collectd_t read proc_net link files
|
||||
- Allow insights-client getsession process permission
|
||||
- Allow insights-client work with pipe and socket tmp files
|
||||
- Allow insights-client map generic log files
|
||||
- Update cyrus_stream_connect() to use sockets in /run
|
||||
- Allow keyutils-dns-resolver read/view kernel key ring
|
||||
- Label /var/log/kdump.log with kdump_log_t
|
||||
|
||||
* Fri Jun 09 2023 Zdenek Pytela <zpytela@redhat.com> - 38.16-1
|
||||
- Add support for the systemd-pstore service
|
||||
- Allow kdumpctl_t to execmem
|
||||
- Update sendmail policy module for opensmtpd
|
||||
- Allow nagios-mail-plugin exec postfix master
|
||||
- Allow subscription-manager execute ip
|
||||
- Allow ssh client connect with a user dbus instance
|
||||
- Add support for ksshaskpass
|
||||
- Allow rhsmcertd file transition in /run also for socket files
|
||||
- Allow keyutils_dns_resolver_t execute keyutils_dns_resolver_exec_t
|
||||
- Allow plymouthd read/write X server miscellaneous devices
|
||||
- Allow systemd-sleep read udev pid files
|
||||
- Allow exim read network sysctls
|
||||
- Allow sendmail request load module
|
||||
- Allow named map its conf files
|
||||
- Allow squid map its cache files
|
||||
- Allow NetworkManager_dispatcher_dhclient_t to execute shells without a domain transition
|
||||
|
||||
* Tue May 30 2023 Zdenek Pytela <zpytela@redhat.com> - 38.15-1
|
||||
- Update policy for systemd-sleep
|
||||
- Remove permissive domain for rshim_t
|
||||
- Remove permissive domain for mptcpd_t
|
||||
- Allow systemd-bootchartd the sys_ptrace userns capability
|
||||
- Allow sysadm_t read nsfs files
|
||||
- Allow sysadm_t run kernel bpf programs
|
||||
- Update ssh_role_template for ssh-agent
|
||||
- Update ssh_role_template to allow read/write unallocated ttys
|
||||
- Add the booth module to modules.conf
|
||||
- Allow firewalld rw ica_tmpfs_t files
|
||||
|
||||
* Fri May 26 2023 Zdenek Pytela <zpytela@redhat.com> - 38.14-1
|
||||
- Remove permissive domain for cifs_helper_t
|
||||
- Update the cifs-helper policy
|
||||
- Replace cifsutils_helper_domtrans() with keyutils_request_domtrans_to()
|
||||
- Update pkcsslotd policy for sandboxing
|
||||
- Allow abrt_t read kernel persistent storage files
|
||||
- Dontaudit targetd search httpd config dirs
|
||||
- Allow init_t nnp domain transition to policykit_t
|
||||
- Allow rpcd_lsad setcap and use generic ptys
|
||||
- Allow samba-dcerpcd connect to systemd_machined over a unix socket
|
||||
- Allow wireguard to rw network sysctls
|
||||
- Add policy for boothd
|
||||
- Allow kernel to manage its own BPF objects
|
||||
- Label /usr/lib/systemd/system/proftpd.* & vsftpd.* with ftpd_unit_file_t
|
||||
|
||||
* Mon May 22 2023 Zdenek Pytela <zpytela@redhat.com> - 38.13-1
|
||||
- Add initial policy for cifs-helper
|
||||
- Label key.dns_resolver with keyutils_dns_resolver_exec_t
|
||||
- Allow unconfined_service_t to create .gnupg labeled as gpg_secret_t
|
||||
- Allow some systemd services write to cgroup files
|
||||
- Allow NetworkManager_dispatcher_dhclient_t to read the DHCP configuration files
|
||||
- Allow systemd resolved to bind to arbitrary nodes
|
||||
- Allow plymouthd_t bpf capability to run bpf programs
|
||||
- Allow cupsd to create samba_var_t files
|
||||
- Allow rhsmcert request the kernel to load a module
|
||||
- Allow virsh name_connect virt_port_t
|
||||
- Allow certmonger manage cluster library files
|
||||
- Allow plymouthd read init process state
|
||||
- Add chromium_sandbox_t setcap capability
|
||||
- Allow snmpd read raw disk data
|
||||
- Allow samba-rpcd work with passwords
|
||||
- Allow unconfined service inherit signal state from init
|
||||
- Allow cloud-init manage gpg admin home content
|
||||
- Allow cluster_t dbus chat with various services
|
||||
- Allow nfsidmapd work with systemd-userdbd and sssd
|
||||
- Allow unconfined_domain_type use IORING_OP_URING_CMD on all device nodes
|
||||
- Allow plymouthd map dri and framebuffer devices
|
||||
- Allow rpmdb_migrate execute rpmdb
|
||||
- Allow logrotate dbus chat with systemd-hostnamed
|
||||
- Allow icecast connect to kernel using a unix stream socket
|
||||
- Allow lldpad connect to systemd-userdbd over a unix socket
|
||||
- Allow journalctl open user domain ptys and ttys
|
||||
- Allow keepalived to manage its tmp files
|
||||
- Allow ftpd read network sysctls
|
||||
- Label /run/bgpd with zebra_var_run_t
|
||||
- Allow gssproxy read network sysctls
|
||||
- Add the cifsutils module
|
||||
|
||||
* Tue Apr 25 2023 Zdenek Pytela <zpytela@redhat.com> - 38.12-1
|
||||
- Allow telnetd read network sysctls
|
||||
- Allow munin system plugin read generic SSL certificates
|
||||
- Allow munin system plugin create and use netlink generic socket
|
||||
- Allow login_userdomain create user namespaces
|
||||
- Allow request-key to send syslog messages
|
||||
- Allow request-key to read/view any key
|
||||
- Add fs_delete_pstore_files() interface
|
||||
- Allow insights-client work with teamdctl
|
||||
- Allow insights-client read unconfined service semaphores
|
||||
- Allow insights-client get quotas of all filesystems
|
||||
- Add fs_read_pstore_files() interface
|
||||
- Allow generic kernel helper to read inherited kernel pipes
|
||||
|
||||
* Fri Apr 14 2023 Zdenek Pytela <zpytela@redhat.com> - 38.11-1
|
||||
- Allow dovecot-deliver write to the main process runtime fifo files
|
||||
- Allow dmidecode write to cloud-init tmp files
|
||||
- Allow chronyd send a message to cloud-init over a datagram socket
|
||||
- Allow cloud-init domain transition to insights-client domain
|
||||
- Allow mongodb read filesystem sysctls
|
||||
- Allow mongodb read network sysctls
|
||||
- Allow accounts-daemon read generic systemd unit lnk files
|
||||
- Allow blueman watch generic device dirs
|
||||
- Allow nm-dispatcher tlp plugin create tlp dirs
|
||||
- Allow systemd-coredump mounton /usr
|
||||
- Allow rabbitmq to read network sysctls
|
||||
|
||||
* Tue Apr 04 2023 Zdenek Pytela <zpytela@redhat.com> - 38.10-1
|
||||
- Allow certmonger dbus chat with the cron system domain
|
||||
- Allow geoclue read network sysctls
|
||||
- Allow geoclue watch the /etc directory
|
||||
- Allow logwatch_mail_t read network sysctls
|
||||
- Allow insights-client read all sysctls
|
||||
- Allow passt manage qemu pid sock files
|
||||
|
||||
* Fri Mar 24 2023 Zdenek Pytela <zpytela@redhat.com> - 38.9-1
|
||||
- Allow sssd read accountsd fifo files
|
||||
- Add support for the passt_t domain
|
||||
- Allow virtd_t and svirt_t work with passt
|
||||
- Add new interfaces in the virt module
|
||||
- Add passt interfaces defined conditionally
|
||||
- Allow tshark the setsched capability
|
||||
- Allow poweroff create connections to system dbus
|
||||
- Allow wg load kernel modules, search debugfs dir
|
||||
- Boolean: allow qemu-ga manage ssh home directory
|
||||
- Label smtpd with sendmail_exec_t
|
||||
- Label msmtp and msmtpd with sendmail_exec_t
|
||||
- Allow dovecot to map files in /var/spool/dovecot
|
||||
* Fri Mar 03 2023 Zdenek Pytela <zpytela@redhat.com> - 38.8-2
|
||||
- Update make-rhat-patches.sh file to use the f38 dist-git branch in F38
|
||||
|
||||
* Fri Mar 03 2023 Zdenek Pytela <zpytela@redhat.com> - 38.8-1
|
||||
- Confine gnome-initial-setup
|
||||
|
|
@ -1768,3 +1268,318 @@ exit 0
|
|||
- Allow blueman read/write its private memfd: objects
|
||||
- Allow insights-client read rhnsd config files
|
||||
- Allow insights-client create_socket_perms for tcp/udp sockets
|
||||
|
||||
* Tue Apr 26 2022 Zdenek Pytela <zpytela@redhat.com> - 36.8-1
|
||||
- Allow nm-dispatcher chronyc plugin append to init stream sockets
|
||||
- Allow tmpreaper the sys_ptrace userns capability
|
||||
- Label /usr/libexec/vdsm/supervdsmd and vdsmd with virtd_exec_t
|
||||
- Allow nm-dispatcher tlp plugin read/write the wireless device
|
||||
- Allow nm-dispatcher tlp plugin append to init socket
|
||||
- Allow nm-dispatcher tlp plugin be client of a system bus
|
||||
- Allow nm-dispatcher list its configuration directory
|
||||
- Ecryptfs-private support
|
||||
- Allow colord map /var/lib directories
|
||||
- Allow ntlm_auth read the network state information
|
||||
- Allow insights-client search rhnsd configuration directory
|
||||
|
||||
* Thu Apr 21 2022 Zdenek Pytela <zpytela@redhat.com> - 36.7-3
|
||||
- Add support for nm-dispatcher tlp-rdw scripts
|
||||
- Update github actions to satisfy git 2.36 stricter rules
|
||||
- New policy for stalld
|
||||
- Allow colord read generic files in /var/lib
|
||||
- Allow xdm mounton user temporary socket files
|
||||
- Allow systemd-gpt-auto-generator create and use netlink_kobject_uevent_socket
|
||||
- Allow sssd domtrans to pkcs_slotd_t
|
||||
- Allow keepalived setsched and sys_nice
|
||||
- Allow xdm map generic files in /var/lib
|
||||
- Allow xdm read generic symbolic links in /var/lib
|
||||
- Allow pppd create a file in the locks directory
|
||||
- Add file map permission to lpd_manage_spool() interface
|
||||
- Allow system dbus daemon watch generic directories in /var/lib
|
||||
- Allow pcscd the sys_ptrace userns capability
|
||||
- Add the corecmd_watch_bin_dirs() interface
|
||||
|
||||
* Thu Apr 21 2022 Zdenek Pytela <zpytela@redhat.com> - 36.7-2
|
||||
- Relabel explicitly some dirs in %posttrans scriptlets
|
||||
|
||||
* Thu Apr 21 2022 Zdenek Pytela <zpytela@redhat.com> - 36.7-1
|
||||
- Add stalld module to modules-targeted-contrib.conf
|
||||
|
||||
* Mon Apr 04 2022 Zdenek Pytela <zpytela@redhat.com> - 36.6-1
|
||||
- Add support for systemd-network-generator
|
||||
- Add the io_uring class
|
||||
- Allow nm-dispatcher dhclient plugin append to init stream sockets
|
||||
- Relax the naming pattern for systemd private shared libraries
|
||||
- Allow nm-dispatcher iscsid plugin append to init socket
|
||||
- Add the init_append_stream_sockets() interface
|
||||
- Allow nm-dispatcher dnssec-trigger script to execute pidof
|
||||
- Add support for nm-dispatcher dnssec-trigger scripts
|
||||
- Allow chronyd talk with unconfined user over unix domain dgram socket
|
||||
- Allow fenced read kerberos key tables
|
||||
- Add support for nm-dispatcher ddclient scripts
|
||||
- Add systemd_getattr_generic_unit_files() interface
|
||||
- Allow fprintd read and write hardware state information
|
||||
- Allow exim watch generic certificate directories
|
||||
- Remove duplicate fc entries for corosync and corosync-notifyd
|
||||
- Label corosync-cfgtool with cluster_exec_t
|
||||
- Allow qemu-kvm create and use netlink rdma sockets
|
||||
- Allow logrotate a domain transition to cluster administrative domain
|
||||
|
||||
* Fri Mar 18 2022 Zdenek Pytela <zpytela@redhat.com> - 36.5-1
|
||||
- Add support for nm-dispatcher console helper scripts
|
||||
- Allow nm-dispatcher plugins read its directory and sysfs
|
||||
- Do not let system_cronjob_t create redhat-access-insights.log with var_log_t
|
||||
- devices: Add a comment about cardmgr_dev_t
|
||||
- Add basic policy for BinderFS
|
||||
- Label /var/run/ecblp0 pipe with cupsd_var_run_t
|
||||
- Allow rpmdb create directory in /usr/lib/sysimage
|
||||
- Allow rngd drop privileges via setuid/setgid/setcap
|
||||
- Allow init watch and watch_reads user ttys
|
||||
- Allow systemd-logind dbus chat with sosreport
|
||||
- Allow chronyd send a message to sosreport over datagram socket
|
||||
- Remove unnecessary /etc file transitions for insights-client
|
||||
- Label all content in /var/lib/insights with insights_client_var_lib_t
|
||||
- Update insights-client policy
|
||||
|
||||
* Wed Feb 23 2022 Zdenek Pytela <zpytela@redhat.com> - 36.4-2
|
||||
- Add insights_client module to modules-targeted-contrib.conf
|
||||
|
||||
* Wed Feb 23 2022 Zdenek Pytela <zpytela@redhat.com> - 36.4-1
|
||||
- Update NetworkManager-dispatcher cloud and chronyc policy
|
||||
- Update insights-client: fc pattern, motd, writing to etc
|
||||
- Allow systemd-sysctl read the security state information
|
||||
- Allow init create and mounton to support PrivateDevices
|
||||
- Allow sosreport dbus chat abrt systemd timedatex
|
||||
|
||||
* Tue Feb 22 2022 Zdenek Pytela <zpytela@redhat.com> - 36.3-2
|
||||
- Update specfile to buildrequire policycoreutils-devel >= 3.3-4
|
||||
- Add modules_checksum to %files
|
||||
|
||||
* Thu Feb 17 2022 Zdenek Pytela <zpytela@redhat.com> - 36.3-1
|
||||
- Update NetworkManager-dispatcher policy to use scripts
|
||||
- Allow init mounton kernel messages device
|
||||
- Revert "Make dbus-broker service working on s390x arch"
|
||||
- Remove permissive domain for insights_client_t
|
||||
- Allow userdomain read symlinks in /var/lib
|
||||
- Allow iptables list cgroup directories
|
||||
- Dontaudit mdadm list dirsrv tmpfs dirs
|
||||
- Dontaudit dirsrv search filesystem sysctl directories
|
||||
- Allow chage domtrans to sssd
|
||||
- Allow postfix_domain read dovecot certificates
|
||||
- Allow systemd-networkd create and use netlink netfilter socket
|
||||
- Allow nm-dispatcher read nm-dispatcher-script symlinks
|
||||
- filesystem.te: add genfscon rule for ntfs3 filesystem
|
||||
- Allow rhsmcertd get attributes of cgroup filesystems
|
||||
- Allow sandbox_web_client_t watch various dirs
|
||||
- Exclude container.if from policy devel files
|
||||
- Run restorecon on /usr/lib/sysimage/rpm instead of /var/lib/rpm
|
||||
|
||||
* Fri Feb 11 2022 Zdenek Pytela <zpytela@redhat.com> - 36.2-1
|
||||
- Allow sysadm_passwd_t to relabel passwd and group files
|
||||
- Allow confined sysadmin to use tool vipw
|
||||
- Allow login_userdomain map /var/lib/directories
|
||||
- Allow login_userdomain watch library and fonts dirs
|
||||
- Allow login_userdomain watch system configuration dirs
|
||||
- Allow login_userdomain read systemd runtime files
|
||||
- Allow ctdb create cluster logs
|
||||
- Allow alsa bind mixer controls to led triggers
|
||||
- New policy for insight-client
|
||||
- Add mctp_socket security class and access vectors
|
||||
- Fix koji repo URL pattern
|
||||
- Update chronyd_pid_filetrans() to allow create dirs
|
||||
- Update NetworkManager-dispatcher policy
|
||||
- Allow unconfined to run virtd bpf
|
||||
- Allow nm-privhelper setsched permission and send system logs
|
||||
- Add the map permission to common_anon_inode_perm permission set
|
||||
- Rename userfaultfd_anon_inode_perms to common_inode_perms
|
||||
- Allow confined users to use kinit,klist and etc.
|
||||
- Allow rhsmcertd create rpm hawkey logs with correct label
|
||||
|
||||
* Thu Feb 03 2022 Zdenek Pytela <zpytela@redhat.com> - 36.1-1
|
||||
- Label exFAT utilities at /usr/sbin
|
||||
- policy/modules/contrib: Support /usr/lib/sysimage/rpm as the rpmdb path
|
||||
- Enable genfs_seclabel_symlinks policy capability
|
||||
- Sync policy/policy_capabilities with refpolicy
|
||||
- refpolicy: drop unused socket security classes
|
||||
- Label new utility of NetworkManager nm-priv-helper
|
||||
- Label NetworkManager-dispatcher service with separate context
|
||||
- Allow sanlock get attributes of filesystems with extended attributes
|
||||
- Associate stratisd_data_t with device filesystem
|
||||
- Allow init read stratis data symlinks
|
||||
|
||||
* Tue Feb 01 2022 Zdenek Pytela <zpytela@redhat.com> - 35.13-1
|
||||
- Allow systemd services watch dbusd pid directory and its parents
|
||||
- Allow ModemManager connect to the unconfined user domain
|
||||
- Label /dev/wwan.+ with modem_manager_t
|
||||
- Allow alsactl set group Process ID of a process
|
||||
- Allow domtrans to sssd_t and role access to sssd
|
||||
- Creating interface sssd_run_sssd()
|
||||
- Label utilities for exFAT filesystems with fsadm_exec_t
|
||||
- Label /dev/nvme-fabrics with fixed_disk_device_t
|
||||
- Allow init delete generic tmp named pipes
|
||||
- Allow timedatex dbus chat with xdm
|
||||
|
||||
* Wed Jan 26 2022 Zdenek Pytela <zpytela@redhat.com> - 35.12-1
|
||||
- Fix badly indented used interfaces
|
||||
- Allow domain transition to sssd_t
|
||||
- Dontaudit sfcbd sys_ptrace cap_userns
|
||||
- Label /var/lib/plocate with locate_var_lib_t
|
||||
- Allow hostapd talk with unconfined user over unix domain dgram socket
|
||||
- Allow NetworkManager talk with unconfined user over unix domain dgram socket
|
||||
- Allow system_mail_t read inherited apache system content rw files
|
||||
- Add apache_read_inherited_sys_content_rw_files() interface
|
||||
- Allow rhsm-service execute its private memfd: objects
|
||||
- Allow dirsrv read configfs files and directories
|
||||
- Label /run/stratisd with stratisd_var_run_t
|
||||
- Allow tumblerd write to session_dbusd tmp socket files
|
||||
|
||||
* Wed Jan 19 2022 Zdenek Pytela <zpytela@redhat.com> - 35.11-1
|
||||
- Revert "Label /etc/cockpit/ws-certs.d with cert_t"
|
||||
- Allow login_userdomain write to session_dbusd tmp socket files
|
||||
- Label /var/run/user/%{USERID}/dbus with session_dbusd_tmp_t
|
||||
|
||||
* Mon Jan 17 2022 Zdenek Pytela <zpytela@redhat.com> - 35.10-1
|
||||
- Allow login_userdomain watch systemd-machined PID directories
|
||||
- Allow login_userdomain watch systemd-logind PID directories
|
||||
- Allow login_userdomain watch accountsd lib directories
|
||||
- Allow login_userdomain watch localization directories
|
||||
- Allow login_userdomain watch various files and dirs
|
||||
- Allow login_userdomain watch generic directories in /tmp
|
||||
- Allow rhsm-service read/write its private memfd: objects
|
||||
- Allow radiusd connect to the radacct port
|
||||
- Allow systemd-io-bridge ioctl rpm_script_t
|
||||
- Allow systemd-coredump userns capabilities and root mounton
|
||||
- Allow systemd-coredump read and write usermodehelper state
|
||||
- Allow login_userdomain create session_dbusd tmp socket files
|
||||
- Allow gkeyringd_domain write to session_dbusd tmp socket files
|
||||
- Allow systemd-logind delete session_dbusd tmp socket files
|
||||
- Allow gdm-x-session write to session dbus tmp sock files
|
||||
- Label /etc/cockpit/ws-certs.d with cert_t
|
||||
- Allow kpropd get attributes of cgroup filesystems
|
||||
- Allow administrative users the bpf capability
|
||||
- Allow sysadm_t start and stop transient services
|
||||
- Connect triggerin to pcre2 instead of pcre
|
||||
|
||||
* Wed Jan 12 2022 Zdenek Pytela <zpytela@redhat.com> - 35.9-1
|
||||
- Allow sshd read filesystem sysctl files
|
||||
- Revert "Allow sshd read sysctl files"
|
||||
- Allow tlp read its systemd unit
|
||||
- Allow gssproxy access to various system files.
|
||||
- Allow gssproxy read, write, and map ica tmpfs files
|
||||
- Allow gssproxy read and write z90crypt device
|
||||
- Allow sssd_kcm read and write z90crypt device
|
||||
- Allow smbcontrol read the network state information
|
||||
- Allow virt_domain map vhost devices
|
||||
- Allow fcoemon request the kernel to load a module
|
||||
- Allow sshd read sysctl files
|
||||
- Ensure that `/run/systemd/*` are properly labeled
|
||||
- Allow admin userdomains use socketpair()
|
||||
- Change /run/user/[0-9]+ to /run/user/%{USERID} for proper labeling
|
||||
- Allow lldpd connect to snmpd with a unix domain stream socket
|
||||
- Dontaudit pkcsslotd sys_admin capability
|
||||
|
||||
* Thu Dec 23 2021 Zdenek Pytela <zpytela@redhat.com> - 35.8-1
|
||||
- Allow haproxy get attributes of filesystems with extended attributes
|
||||
- Allow haproxy get attributes of cgroup filesystems
|
||||
- Allow sysadm execute sysadmctl in sysadm_t domain using sudo
|
||||
- Allow userdomains use pam_ssh_agent_auth for passwordless sudo
|
||||
- Allow sudodomains execute passwd in the passwd domain
|
||||
- Allow braille printing in selinux
|
||||
- Allow sandbox_xserver_t map sandbox_file_t
|
||||
- Label /dev/ngXnY and /dev/nvme-subsysX with fixed_disk_device_t
|
||||
- Add hwtracing_device_t type for hardware-level tracing and debugging
|
||||
- Label port 9528/tcp with openqa_liveview
|
||||
- Label /var/lib/shorewall6-lite with shorewall_var_lib_t
|
||||
- Document Security Flask model in the policy
|
||||
|
||||
* Fri Dec 10 2021 Zdenek Pytela <zpytela@redhat.com> - 35.7-1
|
||||
- Allow systemd read unlabeled symbolic links
|
||||
- Label abrt-action-generate-backtrace with abrt_handle_event_exec_t
|
||||
- Allow dnsmasq watch /etc/dnsmasq.d directories
|
||||
- Allow rhsmcertd get attributes of tmpfs_t filesystems
|
||||
- Allow lldpd use an snmp subagent over a tcp socket
|
||||
- Allow xdm watch generic directories in /var/lib
|
||||
- Allow login_userdomain open/read/map system journal
|
||||
- Allow sysadm_t connect to cluster domains over a unix stream socket
|
||||
- Allow sysadm_t read/write pkcs shared memory segments
|
||||
- Allow sysadm_t connect to sanlock over a unix stream socket
|
||||
- Allow sysadm_t dbus chat with sssd
|
||||
- Allow sysadm_t set attributes on character device nodes
|
||||
- Allow sysadm_t read and write watchdog devices
|
||||
- Allow smbcontrol use additional socket types
|
||||
- Allow cloud-init dbus chat with systemd-logind
|
||||
- Allow svnserve send mail from the system
|
||||
- Update userdom_exec_user_tmp_files() with an entrypoint rule
|
||||
- Allow sudodomain send a null signal to sshd processes
|
||||
|
||||
* Fri Nov 19 2021 Zdenek Pytela <zpytela@redhat.com> - 35.6-1
|
||||
- Allow PID 1 and dbus-broker IPC with a systemd user session
|
||||
- Allow rpmdb read generic SSL certificates
|
||||
- Allow rpmdb read admin home config files
|
||||
- Report warning on duplicate definition of interface
|
||||
- Allow redis get attributes of filesystems with extended attributes
|
||||
- Allow sysadm_t dbus chat with realmd_t
|
||||
- Make cupsd_lpd_t a daemon
|
||||
- Allow tlp dbus-chat with NetworkManager
|
||||
- filesystem: add fs_use_trans for ramfs
|
||||
- Allow systemd-logind destroy unconfined user's IPC objects
|
||||
|
||||
* Thu Nov 04 2021 Zdenek Pytela <zpytela@redhat.com> - 35.5-1
|
||||
- Support sanlock VG automated recovery on storage access loss 2/2
|
||||
- Support sanlock VG automated recovery on storage access loss 1/2
|
||||
- Revert "Support sanlock VG automated recovery on storage access loss"
|
||||
- Allow tlp get service units status
|
||||
- Allow fedora-third-party manage 3rd party repos
|
||||
- Allow xdm_t nnp_transition to login_userdomain
|
||||
- Add the auth_read_passwd_file() interface
|
||||
- Allow redis-sentinel execute a notification script
|
||||
- Allow fetchmail search cgroup directories
|
||||
- Allow lvm_t to read/write devicekit disk semaphores
|
||||
- Allow devicekit_disk_t to use /dev/mapper/control
|
||||
- Allow devicekit_disk_t to get IPC info from the kernel
|
||||
- Allow devicekit_disk_t to read systemd-logind pid files
|
||||
- Allow devicekit_disk_t to mount filesystems on mnt_t directories
|
||||
- Allow devicekit_disk_t to manage mount_var_run_t files
|
||||
- Allow rasdaemon sys_admin capability to verify the CAP_SYS_ADMIN of the soft_offline_page function implemented in the kernel
|
||||
- Use $releasever in koji repo to reduce rawhide hardcoding
|
||||
- authlogin: add fcontext for tcb
|
||||
- Add erofs as a SELinux capable file system
|
||||
- Allow systemd execute user bin files
|
||||
- Support sanlock VG automated recovery on storage access loss
|
||||
- Support new PING_CHECK health checker in keepalived
|
||||
|
||||
* Wed Oct 20 2021 Zdenek Pytela <zpytela@redhat.com> - 35.4-1
|
||||
- Allow fedora-third-party map generic cache files
|
||||
- Add gnome_map_generic_cache_files() interface
|
||||
- Add files_manage_var_lib_dirs() interface
|
||||
- Allow fedora-third party manage gpg keys
|
||||
- Allow fedora-third-party run "flatpak remote-add --from flathub"
|
||||
|
||||
* Tue Oct 19 2021 Zdenek Pytela <zpytela@redhat.com> - 35.3-1
|
||||
- Allow fedora-third-party run flatpak post-install actions
|
||||
- Allow fedora-third-party set_setsched and sys_nice
|
||||
|
||||
* Mon Oct 18 2021 Zdenek Pytela <zpytela@redhat.com> - 35.2-1
|
||||
- Allow fedora-third-party execute "flatpak remote-add"
|
||||
- Add files_manage_var_lib_files() interface
|
||||
- Add write permisson to userfaultfd_anon_inode_perms
|
||||
- Allow proper function sosreport via iotop
|
||||
- Allow proper function sosreport in sysadmin role
|
||||
- Allow fedora-third-party to connect to the system log service
|
||||
- Allow fedora-third-party dbus chat with policykit
|
||||
- Allow chrony-wait service start with DynamicUser=yes
|
||||
- Allow management of lnk_files if similar access to regular files
|
||||
- Allow unconfined_t transition to mozilla_plugin_t with NoNewPrivileges
|
||||
- Allow systemd-resolved watch /run/systemd
|
||||
- Allow fedora-third-party create and use unix_dgram_socket
|
||||
- Removing pkcs_tmpfs_filetrans interface and edit pkcs policy files
|
||||
- Allow login_userdomain named filetrans to pkcs_slotd_tmpfs_t domain
|
||||
|
||||
* Thu Oct 07 2021 Zdenek Pytela <zpytela@redhat.com> - 35.1-1
|
||||
- Add fedoratp module
|
||||
- Allow xdm_t domain transition to fedoratp_t
|
||||
- Allow ModemManager create and use netlink route socket
|
||||
- Add default file context for /run/gssproxy.default.sock
|
||||
- Allow xdm_t watch fonts directories
|
||||
- Allow xdm_t watch generic directories in /lib
|
||||
- Allow xdm_t watch generic pid directories
|
||||
|
|
|
|||
Loading…
Reference in a new issue