diff --git a/selinux-policy/container-selinux.tgz b/selinux-policy/container-selinux.tgz
index 539c9a2df..9134ecf26 100644
Binary files a/selinux-policy/container-selinux.tgz and b/selinux-policy/container-selinux.tgz differ
diff --git a/selinux-policy/file_contexts.subs_dist b/selinux-policy/file_contexts.subs_dist
index 6afa41b37..1bf471051 100644
--- a/selinux-policy/file_contexts.subs_dist
+++ b/selinux-policy/file_contexts.subs_dist
@@ -1,8 +1,7 @@
-/var/run /run
-/var/lock /run/lock
+/run /var/run
+/run/lock /var/lock
 /run/systemd/system /usr/lib/systemd/system
 /run/systemd/generator /usr/lib/systemd/system
-/run/systemd/generator.early /usr/lib/systemd/system
 /run/systemd/generator.late /usr/lib/systemd/system
 /lib /usr/lib
 /lib64 /usr/lib
@@ -21,4 +20,3 @@
 /sysroot/tmp /tmp
 /var/usrlocal /usr/local
 /var/mnt /mnt
-/bin /usr/bin
diff --git a/selinux-policy/modules-targeted-contrib.conf b/selinux-policy/modules-targeted-contrib.conf
index f5bb9065c..367f29df6 100644
--- a/selinux-policy/modules-targeted-contrib.conf
+++ b/selinux-policy/modules-targeted-contrib.conf
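Review bot: Flipping the first two entries to `/run /var/run` and `/run/lock /var/lock` reverses the direction in which path lookups are rewritten before file_contexts matching, so every lookup under /run is now matched against entries spelled with /var/run; that is only correct if the policy sources this commit pins still spell their entries that way, and any entry in file_contexts.local written as /run/... while the previous mapping was in place will no longer match anything. Worth verifying on a built image with `matchpathcon /run/sshd /run/lock/subsys` (or `restorecon -nv` over /run) that runtime paths resolve to their specific types rather than a generic runtime label. Dropping `/run/systemd/generator.early` here and `/bin /usr/bin` in the second hunk removes two equivalences outright; if either directory exists on the target it falls back to whatever the plain file_contexts entry gives it, which the same relabel check should cover.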
@@ -2712,73 +2712,3 @@ rshim = module # keyutils # keyutils = module - -# Layer: contrib -# Module: cifsutils -# -# cifsutils - Utilities for managing CIFS mounts -# -cifsutils = module - -# Layer: contrib -# Module: boothd -# -# boothd - Booth cluster ticket manager -# -boothd = module - -# Layer: contrib -# Module: kafs -# -# kafs - Tools for kAFS -# -kafs = module - -# Layer: contrib -# Module: bootupd -# -# bootupd - bootloader update daemon -# -bootupd = module - -# Layer: contrib -# Module: fdo -# -# fdo - fido device onboard protocol for IoT devices -# -fdo = module - -# Layer: contrib -# Module: qatlib -# -# qatlib - Intel QuickAssist technology library and resources management -# -qatlib = module - -# Layer: services -# Module: virt_supplementary -# -# non-libvirt virtualization libraries -# -virt_supplementary = module - -# Layer: contrib -# Module: nvme_stas -# -# nvme_stas -# -nvme_stas = module - -# Layer: contrib -# Module: coreos_installer -# -# coreos_installer -# -coreos_installer = module - -# Layer: contrib -# Module: afterburn -# -# afterburn -# -afterburn = module diff --git a/selinux-policy/selinux-policy-bc228bd.tar.gz b/selinux-policy/selinux-policy-bc228bd.tar.gz new file mode 100644 index 000000000..8eb80ca4c Binary files /dev/null and b/selinux-policy/selinux-policy-bc228bd.tar.gz differ diff --git a/selinux-policy/selinux-policy.spec b/selinux-policy/selinux-policy.spec index ce9ba89ff..901c9c55c 100644 --- a/selinux-policy/selinux-policy.spec +++ b/selinux-policy/selinux-policy.spec @@ -1,6 +1,6 @@ # github repo with selinux-policy sources %global giturl https://github.com/fedora-selinux/selinux-policy -%global commit d9f4a2bbeb91fd95d0c35a90936efb9ea99d2455 +%global commit bc228bd0c249a9e4aa3dcf238c2b1bb138943b07 %global shortcommit %(c=%{commit}; echo ${c:0:7}) %define distro redhat 
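Review bot: Dropping cifsutils, boothd, kafs, bootupd, fdo, qatlib, virt_supplementary, nvme_stas, coreos_installer and afterburn from the module list means none of these domains is built into the targeted policy, so if any of those services is installed on the target it typically runs without a confined domain (generic executable label, unconfined service domain). The changelog entries removed further down show these modules were added between 38.13 and 40.6, so leaving them out is presumably forced by the 38.8-era sources this commit pins, but that consequence is not visible anywhere in the diff. I would keep a short comment at the end of the file naming what is intentionally absent, e.g. `# Modules added upstream after 38.8 (bootupd, fdo, qatlib, coreos_installer, afterburn, ...) are not in the pinned sources`, and state in the commit description whether any of those services is expected on the target and whether running it unconfined is accepted.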
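Review bot: The pin moves to commit bc228bd0c249a9e4aa3dcf238c2b1bb138943b07 and the matching `selinux-policy-bc228bd.tar.gz` is added as a committed binary, but nothing in the change ties that blob to the commit: `Source:` still names the GitHub archive URL while the build consumes the checked-in file. Since this tarball is the whole policy source that gets compiled and installed, record how it was produced and its digest next to the pin, e.g. `# selinux-policy-%{shortcommit}.tar.gz: git archive of %{commit}, sha256 <fill in from the generated file>`, so a later reviewer can verify it against the upstream commit instead of trusting the blob.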
@@ -23,8 +23,8 @@ %define CHECKPOLICYVER 3.2 Summary: SELinux policy configuration Name: selinux-policy -Version: 40.13 -Release: 1%{?dist} +Version: 38.8 +Release: 2%{?dist} License: GPL-2.0-or-later Source: %{giturl}/archive/%{commit}/%{name}-%{shortcommit}.tar.gz Source1: modules-targeted-base.conf @@ -61,9 +61,6 @@ Source35: container-selinux.tgz Source36: selinux-check-proper-disable.service -# Script to convert /var/run file context entries to /run -Source37: varrun-convert.sh - # Provide rpm macros for packages installing SELinux modules Source102: rpm.macros @@ -95,7 +92,6 @@ the policy has been adjusted to provide support for Fedora. %{_usr}/lib/tmpfiles.d/selinux-policy.conf %{_rpmconfigdir}/macros.d/macros.selinux-policy %{_unitdir}/selinux-check-proper-disable.service -%{_libexecdir}/selinux/varrun-convert.sh %package sandbox Summary: SELinux sandbox policy @@ -172,7 +168,6 @@ This package contains manual pages and documentation of the policy modules. %files doc %{_mandir}/man*/* %{_mandir}/ru/*/* -%exclude %{_mandir}/man8/container_selinux.8.gz %doc %{_datadir}/doc/%{name} %define common_params DISTRO=%{distro} UBAC=n DIRECT_INITRC=n MONOLITHIC=%{monolithic} MLS_CATS=1024 MCS_CATS=1024 @@ -281,7 +276,6 @@ rm -f %{buildroot}%{_sharedstatedir}/selinux/%1/active/*.linked \ %ghost %{_sharedstatedir}/selinux/%1/active/users_extra.linked \ %verify(not md5 size mtime) %{_sharedstatedir}/selinux/%1/active/file_contexts.homedirs \ %verify(not md5 size mtime) %{_sharedstatedir}/selinux/%1/active/modules_checksum \ -%ghost %{_sharedstatedir}/selinux/%1/active/modules/400/extra_varrun \ %nil %define relabel() \ 
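Review bot: `Version: 38.8` with `Release: 2%{?dist}` goes backwards from 40.13-1 without an `Epoch:`, so rpm orders this build below the package it replaces: hosts that already have 40.13 installed will not take it as an update, and any package built with `%selinux_requires` against a 40.x policy carries a requirement this build cannot satisfy. If the downgrade is intentional, either add an Epoch or state in the commit description that installation happens by image rebuild rather than upgrade and that no consumer has been built against 40.x; which of the two applies cannot be inferred from the diff.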
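Review bot: Removing `Source37: varrun-convert.sh` drops the only migration step between the two directions of the /run equivalency, and the same commit flips file_contexts.subs_dist back to `/run /var/run` with no reverse conversion; the removed comment line documents the script as converting local /var/run file context entries to /run, so locally customized entries already rewritten to /run on a host that ran 40.12 or later will silently stop matching after this package is installed. The same removal continues in the `%files` hunk (@@ -95), the `extra_varrun` ghost (@@ -281) and, in the next chunk, the install step (@@ -429) and the three `%posttrans` calls (@@ -591, @@ -705, @@ -780). Either keep a reverse conversion in `%posttrans` (a `semanage fcontext -l`-driven rewrite of /run entries back to /var/run) or document that no target host has ever run a 40.12+ policy.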
@@ -429,8 +423,6 @@ mkdir -p %{buildroot}%{_usr}/lib/tmpfiles.d/ cp %{SOURCE27} %{buildroot}%{_usr}/lib/tmpfiles.d/ mkdir -p %{buildroot}%{_bindir} install -m 755 %{SOURCE33} %{buildroot}%{_bindir}/ -mkdir -p %{buildroot}%{_libexecdir}/selinux -install -m 755 %{SOURCE37} %{buildroot}%{_libexecdir}/selinux # Always create policy module package directories mkdir -p %{buildroot}%{_datadir}/selinux/{targeted,mls,minimum,modules}/ @@ -493,7 +485,7 @@ mv %{buildroot}%{_datadir}/man/man8/style.css %{buildroot}%{_datadir}/selinux/de mkdir -p %{buildroot}%{_rpmconfigdir}/macros.d install -m 644 %{SOURCE102} %{buildroot}%{_rpmconfigdir}/macros.d/macros.selinux-policy -sed -i 's/SELINUXPOLICYVERSION/%{version}/' %{buildroot}%{_rpmconfigdir}/macros.d/macros.selinux-policy +sed -i 's/SELINUXPOLICYVERSION/%{version}-%{release}/' %{buildroot}%{_rpmconfigdir}/macros.d/macros.selinux-policy sed -i 's@SELINUXSTOREPATH@%{_sharedstatedir}/selinux@' %{buildroot}%{_rpmconfigdir}/macros.d/macros.selinux-policy mkdir -p %{buildroot}%{_unitdir} @@ -591,7 +583,6 @@ exit 0 %posttrans targeted %checkConfigConsistency targeted -%{_libexecdir}/selinux/varrun-convert.sh targeted %{_sbindir}/restorecon -Ri /usr/lib/sysimage/rpm /var/lib/rpm %postun targeted @@ -705,7 +696,6 @@ exit 0 %posttrans minimum %checkConfigConsistency minimum -%{_libexecdir}/selinux/varrun-convert.sh minimum %{_sbindir}/restorecon -Ri /usr/lib/sysimage/rpm /var/lib/rpm %postun minimum @@ -780,7 +770,6 @@ exit 0 %posttrans mls %checkConfigConsistency mls -%{_libexecdir}/selinux/varrun-convert.sh mls %{_sbindir}/restorecon -Ri /usr/lib/sysimage/rpm /var/lib/rpm %postun mls 
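Review bot: Putting `%{version}-%{release}` back into SELINUXPOLICYVERSION re-couples every consumer of `%selinux_requires` to the exact release of this build, so the next rebuild of selinux-policy, even a release-only bump, leaves already-built dependents with a stale requirement; the removed 40.8-2 changelog line, "Limit %%selinux_requires to version, not release", records why upstream dropped the release part. Unless the macro file needs the release for something else, keep `sed -i 's/SELINUXPOLICYVERSION/%{version}/' %{buildroot}%{_rpmconfigdir}/macros.d/macros.selinux-policy` here. rpm.macros itself is not in the diff, so how the value is consumed is inferred from the macro name.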
@@ -824,497 +813,8 @@ exit 0 %endif %changelog -* Mon Feb 12 2024 Zdenek Pytela - 40.13-1 -- Only allow confined user domains to login locally without unconfined_login -- Add userdom_spec_domtrans_confined_admin_users interface -- Only allow admindomain to execute shell via ssh with ssh_sysadm_login -- Add userdom_spec_domtrans_admin_users interface -- Move ssh dyntrans to unconfined inside unconfined_login tunable policy -- Update ssh_role_template() for user ssh-agent type -- Allow init to inherit system DBus file descriptors -- Allow init to inherit fds from syslogd -- Allow any domain to inherit fds from rpm-ostree -- Update afterburn policy -- Allow init_t nnp domain transition to abrtd_t - -* Tue Feb 06 2024 Zdenek Pytela - 40.12-1 -- Rename all /var/lock file context entries to /run/lock -- Rename all /var/run file context entries to /run -- Invert the "/var/run = /run" equivalency - -* Mon Feb 05 2024 Zdenek Pytela - 40.11-1 -- Replace init domtrans rule for confined users to allow exec init -- Update dbus_role_template() to allow user service status -- Allow polkit status all systemd services -- Allow setroubleshootd create and use inherited io_uring -- Allow load_policy read and write generic ptys -- Allow gpg manage rpm cache -- Allow login_userdomain name_bind to howl and xmsg udp ports -- Allow rules for confined users logged in plasma -- Label /dev/iommu with iommu_device_t -- Remove duplicate file context entries in /run -- Dontaudit getty and plymouth the checkpoint_restore capability -- Allow su domains write login records -- Revert "Allow su domains write login records" -- Allow login_userdomain delete session dbusd tmp socket files -- Allow unix dgram sendto between exim processes -- Allow su domains write login records -- Allow smbd_t to watch user_home_dir_t if samba_enable_home_dirs is on - -* Wed Jan 24 2024 Zdenek Pytela - 40.10-1 -- Allow chronyd-restricted read chronyd key files -- Allow conntrackd_t to use bpf capability2 -- Allow 
systemd-networkd manage its runtime socket files -- Allow init_t nnp domain transition to colord_t -- Allow polkit status systemd services -- nova: Fix duplicate declarations -- Allow httpd work with PrivateTmp -- Add interfaces for watching and reading ifconfig_var_run_t -- Allow collectd read raw fixed disk device -- Allow collectd read udev pid files -- Set correct label on /etc/pki/pki-tomcat/kra -- Allow systemd domains watch system dbus pid socket files -- Allow certmonger read network sysctls -- Allow mdadm list stratisd data directories -- Allow syslog to run unconfined scripts conditionally -- Allow syslogd_t nnp_transition to syslogd_unconfined_script_t -- Allow qatlib set attributes of vfio device files - -* Tue Jan 09 2024 Zdenek Pytela - 40.9-1 -- Allow systemd-sleep set attributes of efivarfs files -- Allow samba-dcerpcd read public files -- Allow spamd_update_t the sys_ptrace capability in user namespace -- Allow bluetooth devices work with alsa -- Allow alsa get attributes filesystems with extended attributes - -* Tue Jan 02 2024 Yaakov Selkowitz - 40.8-2 -- Limit %%selinux_requires to version, not release - -* Thu Dec 21 2023 Zdenek Pytela - 40.8-1 -- Allow hypervkvp_t write access to NetworkManager_etc_rw_t -- Add interface for write-only access to NetworkManager rw conf -- Allow systemd-sleep send a message to syslog over a unix dgram socket -- Allow init create and use netlink netfilter socket -- Allow qatlib load kernel modules -- Allow qatlib run lspci -- Allow qatlib manage its private runtime socket files -- Allow qatlib read/write vfio devices -- Label /etc/redis.conf with redis_conf_t -- Remove the lockdown-class rules from the policy -- Allow init read all non-security socket files -- Replace redundant dnsmasq pattern macros -- Remove unneeded symlink perms in dnsmasq.if -- Add additions to dnsmasq interface -- Allow nvme_stas_t create and use netlink kobject uevent socket -- Allow collectd connect to statsd port -- Allow keepalived_t to 
use sys_ptrace of cap_userns -- Allow dovecot_auth_t connect to postgresql using UNIX socket - -* Wed Dec 13 2023 Zdenek Pytela - 40.7-1 -- Make named_zone_t and named_var_run_t a part of the mountpoint attribute -- Allow sysadm execute traceroute in sysadm_t domain using sudo -- Allow sysadm execute tcpdump in sysadm_t domain using sudo -- Allow opafm search nfs directories -- Add support for syslogd unconfined scripts -- Allow gpsd use /dev/gnss devices -- Allow gpg read rpm cache -- Allow virtqemud additional permissions -- Allow virtqemud manage its private lock files -- Allow virtqemud use the io_uring api -- Allow ddclient send e-mail notifications -- Allow postfix_master_t map postfix data files -- Allow init create and use vsock sockets -- Allow thumb_t append to init unix domain stream sockets -- Label /dev/vas with vas_device_t -- Change domain_kernel_load_modules boolean to true -- Create interface selinux_watch_config and add it to SELinux users - -* Tue Nov 28 2023 Zdenek Pytela - 40.6-1 -- Add afterburn to modules-targeted-contrib.conf -- Update cifs interfaces to include fs_search_auto_mountpoints() -- Allow sudodomain read var auth files -- Allow spamd_update_t read hardware state information -- Allow virtnetworkd domain transition on tc command execution -- Allow sendmail MTA connect to sendmail LDA -- Allow auditd read all domains process state -- Allow rsync read network sysctls -- Add dhcpcd bpf capability to run bpf programs -- Dontaudit systemd-hwdb dac_override capability -- Allow systemd-sleep create efivarfs files - -* Tue Nov 14 2023 Zdenek Pytela - 40.5-1 -- Allow map xserver_tmpfs_t files when xserver_clients_write_xshm is on -- Allow graphical applications work in Wayland -- Allow kdump work with PrivateTmp -- Allow dovecot-auth work with PrivateTmp -- Allow nfsd get attributes of all filesystems -- Allow unconfined_domain_type use io_uring cmd on domain -- ci: Only run Rawhide revdeps tests on the rawhide branch -- Label 
/var/run/auditd.state as auditd_var_run_t -- Allow fido-device-onboard (FDO) read the crack database -- Allow ip an explicit domain transition to other domains -- Label /usr/libexec/selinux/selinux-autorelabel with semanage_exec_t -- Allow winbind_rpcd_t processes access when samba_export_all_* is on -- Enable NetworkManager and dhclient to use initramfs-configured DHCP connection -- Allow ntp to bind and connect to ntske port. -- Allow system_mail_t manage exim spool files and dirs -- Dontaudit keepalived setattr on keepalived_unconfined_script_exec_t -- Label /run/pcsd.socket with cluster_var_run_t -- ci: Run cockpit tests in PRs - -* Thu Oct 19 2023 Zdenek Pytela - 40.4-1 -- Add map_read map_write to kernel_prog_run_bpf -- Allow systemd-fstab-generator read all symlinks -- Allow systemd-fstab-generator the dac_override capability -- Allow rpcbind read network sysctls -- Support using systemd containers -- Allow sysadm_t to connect to iscsid using a unix domain stream socket -- Add policy for coreos installer -- Add coreos_installer to modules-targeted-contrib.conf - -* Tue Oct 17 2023 Zdenek Pytela - 40.3-1 -- Add policy for nvme-stas -- Confine systemd fstab,sysv,rc-local -- Label /etc/aliases.lmdb with etc_aliases_t -- Create policy for afterburn -- Add nvme_stas to modules-targeted-contrib.conf -- Add plans/tests.fmf - -* Tue Oct 10 2023 Zdenek Pytela - 40.2-1 -- Add the virt_supplementary module to modules-targeted-contrib.conf -- Make new virt drivers permissive -- Split virt policy, introduce virt_supplementary module -- Allow apcupsd cgi scripts read /sys -- Merge pull request #1893 from WOnder93/more-early-boot-overlay-fixes -- Allow kernel_t to manage and relabel all files -- Add missing optional_policy() to files_relabel_all_files() - -* Tue Oct 03 2023 Zdenek Pytela - 40.1-1 -- Allow named and ndc use the io_uring api -- Deprecate common_anon_inode_perms usage -- Improve default file context(None) of /var/lib/authselect/backups -- Allow udev_t to 
search all directories with a filesystem type -- Implement proper anon_inode support -- Allow targetd write to the syslog pid sock_file -- Add ipa_pki_retrieve_key_exec() interface -- Allow kdumpctl_t to list all directories with a filesystem type -- Allow udev additional permissions -- Allow udev load kernel module -- Allow sysadm_t to mmap modules_object_t files -- Add the unconfined_read_files() and unconfined_list_dirs() interfaces -- Set default file context of HOME_DIR/tmp/.* to <> -- Allow kernel_generic_helper_t to execute mount(1) - -* Fri Sep 29 2023 Zdenek Pytela - 38.29-1 -- Allow sssd send SIGKILL to passkey_child running in ipa_otpd_t -- Allow systemd-localed create Xserver config dirs -- Allow sssd read symlinks in /etc/sssd -- Label /dev/gnss[0-9] with gnss_device_t -- Allow systemd-sleep read/write efivarfs variables -- ci: Fix version number of packit generated srpms -- Dontaudit rhsmcertd write memory device -- Allow ssh_agent_type create a sockfile in /run/user/USERID -- Set default file context of /var/lib/authselect/backups to <> -- Allow prosody read network sysctls -- Allow cupsd_t to use bpf capability - -* Fri Sep 15 2023 Zdenek Pytela - 38.28-1 -- Allow sssd domain transition on passkey_child execution conditionally -- Allow login_userdomain watch lnk_files in /usr -- Allow login_userdomain watch video4linux devices -- Change systemd-network-generator transition to include class file -- Revert "Change file transition for systemd-network-generator" -- Allow nm-dispatcher winbind plugin read/write samba var files -- Allow systemd-networkd write to cgroup files -- Allow kdump create and use its memfd: objects - -* Thu Aug 31 2023 Zdenek Pytela - 38.27-1 -- Allow fedora-third-party get generic filesystem attributes -- Allow sssd use usb devices conditionally -- Update policy for qatlib -- Allow ssh_agent_type manage generic cache home files - -* Thu Aug 24 2023 Zdenek Pytela - 38.26-1 -- Change file transition for systemd-network-generator -- 
Additional support for gnome-initial-setup -- Update gnome-initial-setup policy for geoclue -- Allow openconnect vpn open vhost net device -- Allow cifs.upcall to connect to SSSD also through the /var/run socket -- Grant cifs.upcall more required capabilities -- Allow xenstored map xenfs files -- Update policy for fdo -- Allow keepalived watch var_run dirs -- Allow svirt to rw /dev/udmabuf -- Allow qatlib to modify hardware state information. -- Allow key.dns_resolve connect to avahi over a unix stream socket -- Allow key.dns_resolve create and use unix datagram socket -- Use quay.io as the container image source for CI - -* Fri Aug 11 2023 Zdenek Pytela - 38.25-1 -- ci: Move srpm/rpm build to packit -- .copr: Avoid subshell and changing directory -- Allow gpsd, oddjob and oddjob_mkhomedir_t write user_tty_device_t chr_file -- Label /usr/libexec/openssh/ssh-pkcs11-helper with ssh_agent_exec_t -- Make insights_client_t an unconfined domain -- Allow insights-client manage user temporary files -- Allow insights-client create all rpm logs with a correct label -- Allow insights-client manage generic logs -- Allow cloud_init create dhclient var files and init_t manage net_conf_t -- Allow insights-client read and write cluster tmpfs files -- Allow ipsec read nsfs files -- Make tuned work with mls policy -- Remove nsplugin_role from mozilla.if -- allow mon_procd_t self:cap_userns sys_ptrace -- Allow pdns name_bind and name_connect all ports -- Set the MLS range of fsdaemon_t to s0 - mls_systemhigh -- ci: Move to actions/checkout@v3 version -- .copr: Replace chown call with standard workflow safe.directory setting -- .copr: Enable `set -u` for robustness -- .copr: Simplify root directory variable - -* Fri Aug 04 2023 Zdenek Pytela - 38.24-1 -- Allow rhsmcertd dbus chat with policykit -- Allow polkitd execute pkla-check-authorization with nnp transition -- Allow user_u and staff_u get attributes of non-security dirs -- Allow unconfined user filetrans chrome_sandbox_home_t -- 
Allow svnserve execute postdrop with a transition -- Do not make postfix_postdrop_t type an MTA executable file -- Allow samba-dcerpc service manage samba tmp files -- Add use_nfs_home_dirs boolean for mozilla_plugin -- Fix labeling for no-stub-resolv.conf - -* Wed Aug 02 2023 Zdenek Pytela - 38.23-1 -- Revert "Allow winbind-rpcd use its private tmp files" -- Allow upsmon execute upsmon via a helper script -- Allow openconnect vpn read/write inherited vhost net device -- Allow winbind-rpcd use its private tmp files -- Update samba-dcerpc policy for printing -- Allow gpsd,oddjob,oddjob_mkhomedir rw user domain pty -- Allow nscd watch system db dirs -- Allow qatlib to read sssd public files -- Allow fedora-third-party read /sys and proc -- Allow systemd-gpt-generator mount a tmpfs filesystem -- Allow journald write to cgroup files -- Allow rpc.mountd read network sysctls -- Allow blueman read the contents of the sysfs filesystem -- Allow logrotate_t to map generic files in /etc -- Boolean: Allow virt_qemu_ga create ssh directory - -* Tue Jul 25 2023 Zdenek Pytela - 38.22-1 -- Allow systemd-network-generator send system log messages -- Dontaudit the execute permission on sock_file globally -- Allow fsadm_t the file mounton permission -- Allow named and ndc the io_uring sqpoll permission -- Allow sssd io_uring sqpoll permission -- Fix location for /run/nsd -- Allow qemu-ga get fixed disk devices attributes -- Update bitlbee policy -- Label /usr/sbin/sos with sosreport_exec_t -- Update policy for the sblim-sfcb service -- Add the files_getattr_non_auth_dirs() interface -- Fix the CI to work with DNF5 - -* Sat Jul 22 2023 Fedora Release Engineering - 38.21-2 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild - -* Thu Jul 13 2023 Zdenek Pytela - 38.21-1 -- Make systemd_tmpfiles_t MLS trusted for lowering the level of files -- Revert "Allow insights client map cache_home_t" -- Allow nfsidmapd connect to systemd-machined over a unix socket -- Allow 
snapperd connect to kernel over a unix domain stream socket -- Allow virt_qemu_ga_t create .ssh dir with correct label -- Allow targetd read network sysctls -- Set the abrt_handle_event boolean to on -- Permit kernel_t to change the user identity in object contexts -- Allow insights client map cache_home_t -- Label /usr/sbin/mariadbd with mysqld_exec_t -- Trim changelog so that it starts at F37 time -- Define equivalency for /run/systemd/generator.early - -* Thu Jun 29 2023 Zdenek Pytela - 38.20-1 -- Allow httpd tcp connect to redis port conditionally -- Label only /usr/sbin/ripd and ripngd with zebra_exec_t -- Dontaudit aide the execmem permission -- Remove permissive from fdo -- Allow sa-update manage spamc home files -- Allow sa-update connect to systemlog services -- Label /usr/lib/systemd/system/mimedefang.service with antivirus_unit_file_t -- Allow nsd_crond_t write nsd_var_run_t & connectto nsd_t -- Allow bootupd search EFI directory - -* Tue Jun 27 2023 Zdenek Pytela - 38.19-1 -- Change init_audit_control default value to true -- Allow nfsidmapd connect to systemd-userdbd with a unix socket -- Add the qatlib module -- Add the fdo module -- Add the bootupd module -- Set default ports for keylime policy -- Create policy for qatlib -- Add policy for FIDO Device Onboard -- Add policy for bootupd -- Add the qatlib module -- Add the fdo module -- Add the bootupd module - -* Sun Jun 25 2023 Zdenek Pytela - 38.18-1 -- Add support for kafs-dns requested by keyutils -- Allow insights-client execmem -- Add support for chronyd-restricted -- Add init_explicit_domain() interface -- Allow fsadm_t to get attributes of cgroup filesystems -- Add list_dir_perms to kerberos_read_keytab -- Label /var/run/tmpfiles.d/static-nodes.conf with kmod_var_run_t -- Allow sendmail manage its runtime files -- Allow keyutils_dns_resolver_exec_t be an entrypoint -- Allow collectd_t read network state symlinks -- Revert "Allow collectd_t read proc_net link files" -- Allow nfsd_t to list 
exports_t dirs -- Allow cupsd dbus chat with xdm -- Allow haproxy read hardware state information -- Add the kafs module - -* Thu Jun 15 2023 Zdenek Pytela - 38.17-1 -- Label /dev/userfaultfd with userfaultfd_t -- Allow blueman send general signals to unprivileged user domains -- Allow dkim-milter domain transition to sendmail -- Label /usr/sbin/cifs.idmap with cifs_helper_exec_t -- Allow cifs-helper read sssd kerberos configuration files -- Allow rpm_t sys_admin capability -- Allow dovecot_deliver_t create/map dovecot_spool_t dir/file -- Allow collectd_t read proc_net link files -- Allow insights-client getsession process permission -- Allow insights-client work with pipe and socket tmp files -- Allow insights-client map generic log files -- Update cyrus_stream_connect() to use sockets in /run -- Allow keyutils-dns-resolver read/view kernel key ring -- Label /var/log/kdump.log with kdump_log_t - -* Fri Jun 09 2023 Zdenek Pytela - 38.16-1 -- Add support for the systemd-pstore service -- Allow kdumpctl_t to execmem -- Update sendmail policy module for opensmtpd -- Allow nagios-mail-plugin exec postfix master -- Allow subscription-manager execute ip -- Allow ssh client connect with a user dbus instance -- Add support for ksshaskpass -- Allow rhsmcertd file transition in /run also for socket files -- Allow keyutils_dns_resolver_t execute keyutils_dns_resolver_exec_t -- Allow plymouthd read/write X server miscellaneous devices -- Allow systemd-sleep read udev pid files -- Allow exim read network sysctls -- Allow sendmail request load module -- Allow named map its conf files -- Allow squid map its cache files -- Allow NetworkManager_dispatcher_dhclient_t to execute shells without a domain transition - -* Tue May 30 2023 Zdenek Pytela - 38.15-1 -- Update policy for systemd-sleep -- Remove permissive domain for rshim_t -- Remove permissive domain for mptcpd_t -- Allow systemd-bootchartd the sys_ptrace userns capability -- Allow sysadm_t read nsfs files -- Allow sysadm_t 
run kernel bpf programs -- Update ssh_role_template for ssh-agent -- Update ssh_role_template to allow read/write unallocated ttys -- Add the booth module to modules.conf -- Allow firewalld rw ica_tmpfs_t files - -* Fri May 26 2023 Zdenek Pytela - 38.14-1 -- Remove permissive domain for cifs_helper_t -- Update the cifs-helper policy -- Replace cifsutils_helper_domtrans() with keyutils_request_domtrans_to() -- Update pkcsslotd policy for sandboxing -- Allow abrt_t read kernel persistent storage files -- Dontaudit targetd search httpd config dirs -- Allow init_t nnp domain transition to policykit_t -- Allow rpcd_lsad setcap and use generic ptys -- Allow samba-dcerpcd connect to systemd_machined over a unix socket -- Allow wireguard to rw network sysctls -- Add policy for boothd -- Allow kernel to manage its own BPF objects -- Label /usr/lib/systemd/system/proftpd.* & vsftpd.* with ftpd_unit_file_t - -* Mon May 22 2023 Zdenek Pytela - 38.13-1 -- Add initial policy for cifs-helper -- Label key.dns_resolver with keyutils_dns_resolver_exec_t -- Allow unconfined_service_t to create .gnupg labeled as gpg_secret_t -- Allow some systemd services write to cgroup files -- Allow NetworkManager_dispatcher_dhclient_t to read the DHCP configuration files -- Allow systemd resolved to bind to arbitrary nodes -- Allow plymouthd_t bpf capability to run bpf programs -- Allow cupsd to create samba_var_t files -- Allow rhsmcert request the kernel to load a module -- Allow virsh name_connect virt_port_t -- Allow certmonger manage cluster library files -- Allow plymouthd read init process state -- Add chromium_sandbox_t setcap capability -- Allow snmpd read raw disk data -- Allow samba-rpcd work with passwords -- Allow unconfined service inherit signal state from init -- Allow cloud-init manage gpg admin home content -- Allow cluster_t dbus chat with various services -- Allow nfsidmapd work with systemd-userdbd and sssd -- Allow unconfined_domain_type use IORING_OP_URING_CMD on all device 
nodes
-- Allow plymouthd map dri and framebuffer devices
-- Allow rpmdb_migrate execute rpmdb
-- Allow logrotate dbus chat with systemd-hostnamed
-- Allow icecast connect to kernel using a unix stream socket
-- Allow lldpad connect to systemd-userdbd over a unix socket
-- Allow journalctl open user domain ptys and ttys
-- Allow keepalived to manage its tmp files
-- Allow ftpd read network sysctls
-- Label /run/bgpd with zebra_var_run_t
-- Allow gssproxy read network sysctls
-- Add the cifsutils module
-
-* Tue Apr 25 2023 Zdenek Pytela - 38.12-1
-- Allow telnetd read network sysctls
-- Allow munin system plugin read generic SSL certificates
-- Allow munin system plugin create and use netlink generic socket
-- Allow login_userdomain create user namespaces
-- Allow request-key to send syslog messages
-- Allow request-key to read/view any key
-- Add fs_delete_pstore_files() interface
-- Allow insights-client work with teamdctl
-- Allow insights-client read unconfined service semaphores
-- Allow insights-client get quotas of all filesystems
-- Add fs_read_pstore_files() interface
-- Allow generic kernel helper to read inherited kernel pipes
-
-* Fri Apr 14 2023 Zdenek Pytela - 38.11-1
-- Allow dovecot-deliver write to the main process runtime fifo files
-- Allow dmidecode write to cloud-init tmp files
-- Allow chronyd send a message to cloud-init over a datagram socket
-- Allow cloud-init domain transition to insights-client domain
-- Allow mongodb read filesystem sysctls
-- Allow mongodb read network sysctls
-- Allow accounts-daemon read generic systemd unit lnk files
-- Allow blueman watch generic device dirs
-- Allow nm-dispatcher tlp plugin create tlp dirs
-- Allow systemd-coredump mounton /usr
-- Allow rabbitmq to read network sysctls
-
-* Tue Apr 04 2023 Zdenek Pytela - 38.10-1
-- Allow certmonger dbus chat with the cron system domain
-- Allow geoclue read network sysctls
-- Allow geoclue watch the /etc directory
-- Allow logwatch_mail_t read network sysctls
-- Allow insights-client read all sysctls
-- Allow passt manage qemu pid sock files
-
-* Fri Mar 24 2023 Zdenek Pytela - 38.9-1
-- Allow sssd read accountsd fifo files
-- Add support for the passt_t domain
-- Allow virtd_t and svirt_t work with passt
-- Add new interfaces in the virt module
-- Add passt interfaces defined conditionally
-- Allow tshark the setsched capability
-- Allow poweroff create connections to system dbus
-- Allow wg load kernel modules, search debugfs dir
-- Boolean: allow qemu-ga manage ssh home directory
-- Label smtpd with sendmail_exec_t
-- Label msmtp and msmtpd with sendmail_exec_t
-- Allow dovecot to map files in /var/spool/dovecot
+* Fri Mar 03 2023 Zdenek Pytela - 38.8-2
+- Update make-rhat-patches.sh file to use the f38 dist-git branch in F38
 * Fri Mar 03 2023 Zdenek Pytela - 38.8-1
 - Confine gnome-initial-setup
@@ -1768,3 +1268,318 @@ exit 0
 - Allow blueman read/write its private memfd: objects
 - Allow insights-client read rhnsd config files
 - Allow insights-client create_socket_perms for tcp/udp sockets
+
+* Tue Apr 26 2022 Zdenek Pytela - 36.8-1
+- Allow nm-dispatcher chronyc plugin append to init stream sockets
+- Allow tmpreaper the sys_ptrace userns capability
+- Label /usr/libexec/vdsm/supervdsmd and vdsmd with virtd_exec_t
+- Allow nm-dispatcher tlp plugin read/write the wireless device
+- Allow nm-dispatcher tlp plugin append to init socket
+- Allow nm-dispatcher tlp plugin be client of a system bus
+- Allow nm-dispatcher list its configuration directory
+- Ecryptfs-private support
+- Allow colord map /var/lib directories
+- Allow ntlm_auth read the network state information
+- Allow insights-client search rhnsd configuration directory
+
+* Thu Apr 21 2022 Zdenek Pytela - 36.7-3
+- Add support for nm-dispatcher tlp-rdw scripts
+- Update github actions to satisfy git 2.36 stricter rules
+- New policy for stalld
+- Allow colord read generic files in /var/lib
+- Allow xdm mounton user temporary socket files
+- Allow systemd-gpt-auto-generator create and use netlink_kobject_uevent_socket
+- Allow sssd domtrans to pkcs_slotd_t
+- Allow keepalived setsched and sys_nice
+- Allow xdm map generic files in /var/lib
+- Allow xdm read generic symbolic links in /var/lib
+- Allow pppd create a file in the locks directory
+- Add file map permission to lpd_manage_spool() interface
+- Allow system dbus daemon watch generic directories in /var/lib
+- Allow pcscd the sys_ptrace userns capability
+- Add the corecmd_watch_bin_dirs() interface
+
+* Thu Apr 21 2022 Zdenek Pytela - 36.7-2
+- Relabel explicitly some dirs in %posttrans scriptlets
+
+* Thu Apr 21 2022 Zdenek Pytela - 36.7-1
+- Add stalld module to modules-targeted-contrib.conf
+
+* Mon Apr 04 2022 Zdenek Pytela - 36.6-1
+- Add support for systemd-network-generator
+- Add the io_uring class
+- Allow nm-dispatcher dhclient plugin append to init stream sockets
+- Relax the naming pattern for systemd private shared libraries
+- Allow nm-dispatcher iscsid plugin append to init socket
+- Add the init_append_stream_sockets() interface
+- Allow nm-dispatcher dnssec-trigger script to execute pidof
+- Add support for nm-dispatcher dnssec-trigger scripts
+- Allow chronyd talk with unconfined user over unix domain dgram socket
+- Allow fenced read kerberos key tables
+- Add support for nm-dispatcher ddclient scripts
+- Add systemd_getattr_generic_unit_files() interface
+- Allow fprintd read and write hardware state information
+- Allow exim watch generic certificate directories
+- Remove duplicate fc entries for corosync and corosync-notifyd
+- Label corosync-cfgtool with cluster_exec_t
+- Allow qemu-kvm create and use netlink rdma sockets
+- Allow logrotate a domain transition to cluster administrative domain
+
+* Fri Mar 18 2022 Zdenek Pytela - 36.5-1
+- Add support for nm-dispatcher console helper scripts
+- Allow nm-dispatcher plugins read its directory and sysfs
+- Do not let system_cronjob_t create redhat-access-insights.log with var_log_t
+- devices: Add a comment about cardmgr_dev_t
+- Add basic policy for BinderFS
+- Label /var/run/ecblp0 pipe with cupsd_var_run_t
+- Allow rpmdb create directory in /usr/lib/sysimage
+- Allow rngd drop privileges via setuid/setgid/setcap
+- Allow init watch and watch_reads user ttys
+- Allow systemd-logind dbus chat with sosreport
+- Allow chronyd send a message to sosreport over datagram socket
+- Remove unnecessary /etc file transitions for insights-client
+- Label all content in /var/lib/insights with insights_client_var_lib_t
+- Update insights-client policy
+
+* Wed Feb 23 2022 Zdenek Pytela - 36.4-2
+- Add insights_client module to modules-targeted-contrib.conf
+
+* Wed Feb 23 2022 Zdenek Pytela - 36.4-1
+- Update NetworkManager-dispatcher cloud and chronyc policy
+- Update insights-client: fc pattern, motd, writing to etc
+- Allow systemd-sysctl read the security state information
+- Allow init create and mounton to support PrivateDevices
+- Allow sosreport dbus chat abrt systemd timedatex
+
+* Tue Feb 22 2022 Zdenek Pytela - 36.3-2
+- Update specfile to buildrequire policycoreutils-devel >= 3.3-4
+- Add modules_checksum to %files
+
+* Thu Feb 17 2022 Zdenek Pytela - 36.3-1
+- Update NetworkManager-dispatcher policy to use scripts
+- Allow init mounton kernel messages device
+- Revert "Make dbus-broker service working on s390x arch"
+- Remove permissive domain for insights_client_t
+- Allow userdomain read symlinks in /var/lib
+- Allow iptables list cgroup directories
+- Dontaudit mdadm list dirsrv tmpfs dirs
+- Dontaudit dirsrv search filesystem sysctl directories
+- Allow chage domtrans to sssd
+- Allow postfix_domain read dovecot certificates
+- Allow systemd-networkd create and use netlink netfilter socket
+- Allow nm-dispatcher read nm-dispatcher-script symlinks
+- filesystem.te: add genfscon rule for ntfs3 filesystem
+- Allow rhsmcertd get attributes of cgroup filesystems
+- Allow sandbox_web_client_t watch various dirs
+- Exclude container.if from policy devel files
+- Run restorecon on /usr/lib/sysimage/rpm instead of /var/lib/rpm
+
+* Fri Feb 11 2022 Zdenek Pytela - 36.2-1
+- Allow sysadm_passwd_t to relabel passwd and group files
+- Allow confined sysadmin to use tool vipw
+- Allow login_userdomain map /var/lib/directories
+- Allow login_userdomain watch library and fonts dirs
+- Allow login_userdomain watch system configuration dirs
+- Allow login_userdomain read systemd runtime files
+- Allow ctdb create cluster logs
+- Allow alsa bind mixer controls to led triggers
+- New policy for insight-client
+- Add mctp_socket security class and access vectors
+- Fix koji repo URL pattern
+- Update chronyd_pid_filetrans() to allow create dirs
+- Update NetworkManager-dispatcher policy
+- Allow unconfined to run virtd bpf
+- Allow nm-privhelper setsched permission and send system logs
+- Add the map permission to common_anon_inode_perm permission set
+- Rename userfaultfd_anon_inode_perms to common_inode_perms
+- Allow confined users to use kinit,klist and etc.
+- Allow rhsmcertd create rpm hawkey logs with correct label
+
+* Thu Feb 03 2022 Zdenek Pytela - 36.1-1
+- Label exFAT utilities at /usr/sbin
+- policy/modules/contrib: Support /usr/lib/sysimage/rpm as the rpmdb path
+- Enable genfs_seclabel_symlinks policy capability
+- Sync policy/policy_capabilities with refpolicy
+- refpolicy: drop unused socket security classes
+- Label new utility of NetworkManager nm-priv-helper
+- Label NetworkManager-dispatcher service with separate context
+- Allow sanlock get attributes of filesystems with extended attributes
+- Associate stratisd_data_t with device filesystem
+- Allow init read stratis data symlinks
+
+* Tue Feb 01 2022 Zdenek Pytela - 35.13-1
+- Allow systemd services watch dbusd pid directory and its parents
+- Allow ModemManager connect to the unconfined user domain
+- Label /dev/wwan.+ with modem_manager_t
+- Allow alsactl set group Process ID of a process
+- Allow domtrans to sssd_t and role access to sssd
+- Creating interface sssd_run_sssd()
+- Label utilities for exFAT filesystems with fsadm_exec_t
+- Label /dev/nvme-fabrics with fixed_disk_device_t
+- Allow init delete generic tmp named pipes
+- Allow timedatex dbus chat with xdm
+
+* Wed Jan 26 2022 Zdenek Pytela - 35.12-1
+- Fix badly indented used interfaces
+- Allow domain transition to sssd_t
+- Dontaudit sfcbd sys_ptrace cap_userns
+- Label /var/lib/plocate with locate_var_lib_t
+- Allow hostapd talk with unconfined user over unix domain dgram socket
+- Allow NetworkManager talk with unconfined user over unix domain dgram socket
+- Allow system_mail_t read inherited apache system content rw files
+- Add apache_read_inherited_sys_content_rw_files() interface
+- Allow rhsm-service execute its private memfd: objects
+- Allow dirsrv read configfs files and directories
+- Label /run/stratisd with stratisd_var_run_t
+- Allow tumblerd write to session_dbusd tmp socket files
+
+* Wed Jan 19 2022 Zdenek Pytela - 35.11-1
+- Revert "Label /etc/cockpit/ws-certs.d with cert_t"
+- Allow login_userdomain write to session_dbusd tmp socket files
+- Label /var/run/user/%{USERID}/dbus with session_dbusd_tmp_t
+
+* Mon Jan 17 2022 Zdenek Pytela - 35.10-1
+- Allow login_userdomain watch systemd-machined PID directories
+- Allow login_userdomain watch systemd-logind PID directories
+- Allow login_userdomain watch accountsd lib directories
+- Allow login_userdomain watch localization directories
+- Allow login_userdomain watch various files and dirs
+- Allow login_userdomain watch generic directories in /tmp
+- Allow rhsm-service read/write its private memfd: objects
+- Allow radiusd connect to the radacct port
+- Allow systemd-io-bridge ioctl rpm_script_t
+- Allow systemd-coredump userns capabilities and root mounton
+- Allow systemd-coredump read and write usermodehelper state
+- Allow login_userdomain create session_dbusd tmp socket files
+- Allow gkeyringd_domain write to session_dbusd tmp socket files
+- Allow systemd-logind delete session_dbusd tmp socket files
+- Allow gdm-x-session write to session dbus tmp sock files
+- Label /etc/cockpit/ws-certs.d with cert_t
+- Allow kpropd get attributes of cgroup filesystems
+- Allow administrative users the bpf capability
+- Allow sysadm_t start and stop transient services
+- Connect triggerin to pcre2 instead of pcre
+
+* Wed Jan 12 2022 Zdenek Pytela - 35.9-1
+- Allow sshd read filesystem sysctl files
+- Revert "Allow sshd read sysctl files"
+- Allow tlp read its systemd unit
+- Allow gssproxy access to various system files.
+- Allow gssproxy read, write, and map ica tmpfs files
+- Allow gssproxy read and write z90crypt device
+- Allow sssd_kcm read and write z90crypt device
+- Allow smbcontrol read the network state information
+- Allow virt_domain map vhost devices
+- Allow fcoemon request the kernel to load a module
+- Allow sshd read sysctl files
+- Ensure that `/run/systemd/*` are properly labeled
+- Allow admin userdomains use socketpair()
+- Change /run/user/[0-9]+ to /run/user/%{USERID} for proper labeling
+- Allow lldpd connect to snmpd with a unix domain stream socket
+- Dontaudit pkcsslotd sys_admin capability
+
+* Thu Dec 23 2021 Zdenek Pytela - 35.8-1
+- Allow haproxy get attributes of filesystems with extended attributes
+- Allow haproxy get attributes of cgroup filesystems
+- Allow sysadm execute sysadmctl in sysadm_t domain using sudo
+- Allow userdomains use pam_ssh_agent_auth for passwordless sudo
+- Allow sudodomains execute passwd in the passwd domain
+- Allow braille printing in selinux
+- Allow sandbox_xserver_t map sandbox_file_t
+- Label /dev/ngXnY and /dev/nvme-subsysX with fixed_disk_device_t
+- Add hwtracing_device_t type for hardware-level tracing and debugging
+- Label port 9528/tcp with openqa_liveview
+- Label /var/lib/shorewall6-lite with shorewall_var_lib_t
+- Document Security Flask model in the policy
+
+* Fri Dec 10 2021 Zdenek Pytela - 35.7-1
+- Allow systemd read unlabeled symbolic links
+- Label abrt-action-generate-backtrace with abrt_handle_event_exec_t
+- Allow dnsmasq watch /etc/dnsmasq.d directories
+- Allow rhsmcertd get attributes of tmpfs_t filesystems
+- Allow lldpd use an snmp subagent over a tcp socket
+- Allow xdm watch generic directories in /var/lib
+- Allow login_userdomain open/read/map system journal
+- Allow sysadm_t connect to cluster domains over a unix stream socket
+- Allow sysadm_t read/write pkcs shared memory segments
+- Allow sysadm_t connect to sanlock over a unix stream socket
+- Allow sysadm_t dbus chat with sssd
+- Allow sysadm_t set attributes on character device nodes
+- Allow sysadm_t read and write watchdog devices
+- Allow smbcontrol use additional socket types
+- Allow cloud-init dbus chat with systemd-logind
+- Allow svnserve send mail from the system
+- Update userdom_exec_user_tmp_files() with an entrypoint rule
+- Allow sudodomain send a null signal to sshd processes
+
+* Fri Nov 19 2021 Zdenek Pytela - 35.6-1
+- Allow PID 1 and dbus-broker IPC with a systemd user session
+- Allow rpmdb read generic SSL certificates
+- Allow rpmdb read admin home config files
+- Report warning on duplicate definition of interface
+- Allow redis get attributes of filesystems with extended attributes
+- Allow sysadm_t dbus chat with realmd_t
+- Make cupsd_lpd_t a daemon
+- Allow tlp dbus-chat with NetworkManager
+- filesystem: add fs_use_trans for ramfs
+- Allow systemd-logind destroy unconfined user's IPC objects
+
+* Thu Nov 04 2021 Zdenek Pytela - 35.5-1
+- Support sanlock VG automated recovery on storage access loss 2/2
+- Support sanlock VG automated recovery on storage access loss 1/2
+- Revert "Support sanlock VG automated recovery on storage access loss"
+- Allow tlp get service units status
+- Allow fedora-third-party manage 3rd party repos
+- Allow xdm_t nnp_transition to login_userdomain
+- Add the auth_read_passwd_file() interface
+- Allow redis-sentinel execute a notification script
+- Allow fetchmail search cgroup directories
+- Allow lvm_t to read/write devicekit disk semaphores
+- Allow devicekit_disk_t to use /dev/mapper/control
+- Allow devicekit_disk_t to get IPC info from the kernel
+- Allow devicekit_disk_t to read systemd-logind pid files
+- Allow devicekit_disk_t to mount filesystems on mnt_t directories
+- Allow devicekit_disk_t to manage mount_var_run_t files
+- Allow rasdaemon sys_admin capability to verify the CAP_SYS_ADMIN of the soft_offline_page function implemented in the kernel
+- Use $releasever in koji repo to reduce rawhide hardcoding
+- authlogin: add fcontext for tcb
+- Add erofs as a SELinux capable file system
+- Allow systemd execute user bin files
+- Support sanlock VG automated recovery on storage access loss
+- Support new PING_CHECK health checker in keepalived
+
+* Wed Oct 20 2021 Zdenek Pytela - 35.4-1
+- Allow fedora-third-party map generic cache files
+- Add gnome_map_generic_cache_files() interface
+- Add files_manage_var_lib_dirs() interface
+- Allow fedora-third party manage gpg keys
+- Allow fedora-third-party run "flatpak remote-add --from flathub"
+
+* Tue Oct 19 2021 Zdenek Pytela - 35.3-1
+- Allow fedora-third-party run flatpak post-install actions
+- Allow fedora-third-party set_setsched and sys_nice
+
+* Mon Oct 18 2021 Zdenek Pytela - 35.2-1
+- Allow fedora-third-party execute "flatpak remote-add"
+- Add files_manage_var_lib_files() interface
+- Add write permisson to userfaultfd_anon_inode_perms
+- Allow proper function sosreport via iotop
+- Allow proper function sosreport in sysadmin role
+- Allow fedora-third-party to connect to the system log service
+- Allow fedora-third-party dbus chat with policykit
+- Allow chrony-wait service start with DynamicUser=yes
+- Allow management of lnk_files if similar access to regular files
+- Allow unconfined_t transition to mozilla_plugin_t with NoNewPrivileges
+- Allow systemd-resolved watch /run/systemd
+- Allow fedora-third-party create and use unix_dgram_socket
+- Removing pkcs_tmpfs_filetrans interface and edit pkcs policy files
+- Allow login_userdomain named filetrans to pkcs_slotd_tmpfs_t domain
+
+* Thu Oct 07 2021 Zdenek Pytela - 35.1-1
+- Add fedoratp module
+- Allow xdm_t domain transition to fedoratp_t
+- Allow ModemManager create and use netlink route socket
+- Add default file context for /run/gssproxy.default.sock
+- Allow xdm_t watch fonts directories
+- Allow xdm_t watch generic directories in /lib
+- Allow xdm_t watch generic pid directories