* Mon Aug 03 2020 Zdenek Pytela <zpytela@redhat.com> - 3.14.6-23
- Revert "Add support for /sys/fs/kdbus and allow login_pgm domain to access it."
- Revert "Add interface to allow types to associate with cgroup filesystems"
- Revert "kdbusfs should not be accessible for now."
- Revert "kdbusfs should not be accessible for now by default for shipped policies. It should be moved to kdbus.pp"
- Revert "Add kdbus.pp policy to allow access /sys/fs/kdbus. It needs to go with own module because this is workaround for now to avoid SELinux in enforcing mode."
- Remove the legacy kdbus module
- Remove "kdbus = module" from modules-targeted-base.conf
- Make unconfined domains part of domain_named_attribute
- Label tcp ports 24816,24817 as pulp_port_t
- Remove duplicate entries for initrc_t in init.te
* Thu Nov 14 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.5-15
- Increase SELinux userspace version which should be required.
* Wed Nov 13 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.5-14
- Increase version of kernel compiled binary policy to 32 because of new SELinux userspace v3.0
* Wed Nov 13 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.5-13
- Fix typo bugs in rtas_errd_read_lock() interface
- cockpit: Drop cockpit-cert-session
- Allow timedatex_t domain to systemctl chronyd domains
- Allow ipa_helper_t to read kr5_keytab_t files
- cockpit: Allow cockpit-session to read cockpit-tls state directory
- Allow stratisd_t domain to read nvme and fixed disk devices
- Update lldpad_t policy module
- Dontaudit tmpreaper_t getting attributes from sysctl_type files
- cockpit: Support https instance factory
- Added macro for timedatex to chat over dbus.
- Fix typo in dev_filetrans_all_named_dev()
- Update files_manage_etc_runtime_files() interface to allow manage also dirs
- Fix typo in cachefiles device
- Dontaudit sys_admin capability for auditd_t domains
- Allow x_userdomain to read adjtime_t files
- Allow users using template userdom_unpriv_user_template() to run bpf tool
- Allow x_userdomain to dbus_chat with timedatex.
* Sun Nov 03 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.5-12
- Label /var/cache/nginx as httpd_cache_t
- Allow abrt_upload_watch_t domain to send dgram msgs to kernel processes and stream connect to journald
- Created dnsmasq_use_ipset boolean
- Allow capability dac_override in logwatch_mail_t domain
- Allow automount_t domain to execute ping in own SELinux domain (ping_t)
- Allow tmpreaper_t domain to getattr files labeled as mtrr_device_t
- Allow collectd_t domain to create netlink_generic_socket sockets
- Allow rhsmcertd_t domain to read/write rtas_errd_var_lock_t files
- Allow tmpwatch process labeled as tmpreaper_t domain to execute fuser command.
- Label /etc/postfix/chroot-update as postfix_exec_t
- Update tmpreaper_t policy due to fuser command
- Allow kdump_t domain to create netlink_route and udp sockets
- Allow stratisd to connect to dbus
- Allow fail2ban_t domain to create netlink netfilter sockets.
- Allow dovecot get filesystem quotas
- Allow networkmanager_t domain to execute chronyd binary in chronyd_t domain. BZ(1765689)
- Allow systemd-tmpfiles processes to set rlimit information
- Allow cephfs to use xattrs for storing contexts
- Update files_filetrans_named_content() interface to allow caller domain to create /oldroot /.profile with correct label etc_runtime_t
* Fri Oct 25 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.5-11
- Allow confined users to run newaliases
- Add interface mysql_dontaudit_rw_db()
- Label /var/lib/xfsdump/inventory as amanda_var_lib_t
- Allow tmpreaper_t domain to read all domains state
- Make httpd_var_lib_t label system mountdir attribute
- Update cockpit policy
- Update timedatex policy to add macros, more detail below
- Allow nagios_script_t domain list files labled sysfs_t.
- Allow jetty_t domain search and read cgroup_t files.
- Donaudit ifconfig_t domain to read/write mysqld_db_t files
- Dontaudit domains read/write leaked pipes
* Tue Oct 22 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.5-10
- Update timedatex policy to add macros, more detail below
- Allow nagios_script_t domain list files labled sysfs_t.
- Allow jetty_t domain search and read cgroup_t files.
- Allow Gluster mount client to mount files_type
- Dontaudit and disallow sys_admin capability for keepalived_t domain
- Update numad policy to allow signull, kill, nice and trace processes
- Allow ipmievd_t to RW watchdog devices
- Allow ldconfig_t domain to manage initrc_tmp_t link files Allow netutils_t domain to write to initrc_tmp_t fifo files
- Allow user domains to manage user session services
- Allow staff and user users to get status of user systemd session
- Update sudo_role_template() to allow caller domain to read syslog pid files
* Fri Oct 11 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.5-9
- Allow networkmanager_t domain domain transition to chronyc_t domain BZ(1760226)
* Wed Oct 09 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.5-8
- Update apache and pkcs policies to make active opencryptoki rules
- Allow ipa_ods_exporter_t domain to read krb5_keytab files BZ(1759884)
* Wed Oct 09 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.5-7
- Revert "nova.fc: fix duplicated slash"
- Introduce new bolean httpd_use_opencryptoki
- Add new interface apache_read_state()
- Allow setroubleshoot_fixit_t to read random_device_t
- Label /etc/named direcotory as named_conf_t BZ(1759495)
- nova.fc: fix duplicated slash
- Allow dkim to execute sendmail
- Update virt_read_content interface to allow caller domain mmap virt_content_t block devices and files
- Update aide_t domain to allow this tool to analyze also /dev filesystem
- Update interface modutils_read_module_deps to allow caller domain also mmap modules_dep_t files BZ(1758634)
- Allow avahi_t to send msg to xdm_t
- Allow systemd_logind to read dosfs files & dirs Allow systemd-logind - a system service that manages user logins, to read files and list dirs on a DOS filesystem
- Update dev_manage_sysfs() to support managing also lnk files BZ(1759019)
- Allow systemd_logind_t domain to read blk_files in domain removable_device_t
- Add new interface udev_getattr_rules_chr_files()
* Fri Oct 04 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.5-6
- Update aide_t domain to allow this tool to analyze also /dev filesystem
- Allow bitlbee_t domain map files in /usr
- Allow stratisd to getattr of fixed disk device nodes
- Add net_broadcast capability to openvswitch_t domain BZ(1716044)
- Allow exim_t to read mysqld conf files if exim_can_connect_db is enabled. BZ(1756973)
- Label user cron spool file with user_cron_spool_t
- Update gnome_role_template() template to allow sysadm_t confined user to login to xsession
- Allow lograte_t domain to manage collect_rw_content files and dirs
- Add interface collectd_manage_rw_content()
- Allow systemd_hostnamed_t domain to dbus chat with sosreport_t domain
- Update tomcat_can_network_connect_db boolean to allow tomcat domains also connect to redis ports
- Allow mysqld_t domain to manage cluster pid files
- Relabel /usr/sbin/virtlockd from virt_exec_t to virtlogd_exec_t.
- Allow ptp4l_t domain to write to pmc socket which is created by pmc command line tool
- Allow dkim-milter to send e-mails BZ(1716937)
- Update spamassasin policy to make working /usr/share/spamassassin/sa-update.cron script BZ(1711799)
- Update svnserve_t policy to make working svnserve hooks
- Allow varnishlog_t domain to check for presence of varnishd_t domains
- Update sandboxX policy to make working firefox inside SELinux sandbox
- Remove allow rule from svirt_transition_svirt_sandbox interface to don't allow containers to connect to random services
- Allow httpd_t domain to read /var/lib/softhsm/tokens to allow httpd daemon to use pkcs#11 devices
- Allow gssd_t domain to list tmpfs_t dirs
- Allow mdadm_t domain to read tmpfs_t files
- Allow sbd_t domain to check presence of processes labeled as cluster_t
- Dontaudit httpd_sys_script_t to read systemd unit files
- Allow blkmapd_t domain to read nvme devices
- Update cpucontrol_t domain to make working microcode service
- Allow domain transition from logwatch_t do postfix_postqueue_t
- Allow chronyc_t domain to create and write to non_security files in case when sysadmin is redirecting output to file e.g: 'chronyc -n tracking > /var/lib/test'
- Allow httpd_sys_script_t domain to mmap httpcontent
- Allow sbd_t to manage cgroups_t files
- Update wireshark policy to make working tshar labeled as wireshark_t
- Update virt_use_nfs boolean to allow svirt_t domain to mmap nfs_t files
- Allow sysadm_t domain to create netlink selinux sockets
- Make cgdcbxd active in Fedora upstream sources
- Allow sysadm_t domain to dbus chat with rtkit daemon
- Allow x_userdomains to nnp domain transition to thumb_t domain
- Allow unconfined_domain_type to setattr own process lnk files.
- Add interface files_write_generic_pid_sockets()
- Dontaudit writing to user home dirs by gnome-keyring-daemon
- Allow staff and admin domains to setpcap in user namespace
* Sat Mar 23 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.4-6
- Allow boltd_t domain to write to sysfs_t dirs BZ(1689287)
- Allow fail2ban execute journalctl BZ(1689034)
- Update sudodomains to make working confined users run sudo/su
- Introduce new boolean unconfined_dyntrans_all.
- Allow iptables_t domain to read NetworkManager state BZ(1690881)
* Tue Mar 19 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.4-5
- Update xen SELinux module
- Improve labeling for PCP plugins
- Allow varnishd_t domain to read sysfs_t files
- Update vmtools policy
- Allow virt_qemu_ga_t domain to read udev_var_run_t files
- Update nagios_run_sudo boolean with few allow rules related to accessing sssd
- Update file context for modutils rhbz#1689975
- Label /dev/xen/hypercall and /dev/xen/xenbus_backend as xen_device_t Resolves: rhbz#1679293
- Grant permissions for onloadfs files of all classes.
- Allow all domains to send dbus msgs to vmtools_unconfined_t processes
- Label /dev/pkey as crypt_device_t
- Allow sudodomains to write to systemd_logind_sessions_t pipes.
- Label /usr/lib64/libcuda.so.XX.XX library as textrel_shlib_t.
* Tue Mar 12 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.4-4
- Update vmtools policy
- Allow virt_qemu_ga_t domain to read udev_var_run_t files
- Update nagios_run_sudo boolean with few allow rules related to accessing sssd
- Update travis CI to install selinux-policy dependencies without checking for gpg check
- Allow journalctl_t domain to mmap syslogd_var_run_t files
- Allow smokeping process to mmap own var lib files and allow set process group. Resolves: rhbz#1661046
- Allow sbd_t domain to bypass permission checks for sending signals
- Allow sbd_t domain read/write all sysctls
- Allow kpatch_t domain to communicate with policykit_t domsin over dbus
- Allow boltd_t to stream connect to sytem dbus
- Allow zabbix_t domain to create sockets labeled as zabbix_var_run_t BZ(1683820)
- Allow all domains to send dbus msgs to vmtools_unconfined_t processes
- Label /dev/pkey as crypt_device_t
- Allow sudodomains to write to systemd_logind_sessions_t pipes.
- Label /usr/lib64/libcuda.so.XX.XX library as textrel_shlib_t.
- Allow ifconfig_t domain to read /dev/random BZ(1687516)
- Fix interface modutils_run_kmod() where was used old interface modutils_domtrans_insmod instead of new one modutils_domtrans_kmod() Resolves: rhbz#1686660
- Update travis CI to install selinux-policy dependencies without checking for gpg check
- Label /usr/sbin/nodm as xdm_exec_t same as other display managers
- Update userdom_admin_user_template() and init_prog_run_bpf() interfaces to make working bpftool for confined admin
- Label /usr/sbin/e2mmpstatus as fsadm_exec_t Resolves: rhbz#1684221
- Update unconfined_dbus_send() interface to allow both direction communication over dbus with unconfined process.
* Wed Feb 27 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.4-3
- Reverting https://src.fedoraproject.org/rpms/selinux-policy/pull-request/15 because "%pretrans" cannot use shell scripts.
Resolves: rhbz#1683365
* Tue Feb 26 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.4-2
- Merge insmod_t, depmod_t and update_modules_t do kmod_t
* Mon Feb 25 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.4-1
- Allow openvpn_t domain to set capability BZ(1680276)
- Update redis_enable_notify() boolean to fix sending e-mail by redis when this boolean is turned on
- Allow chronyd_t domain to send data over dgram socket
- Add rolekit_dgram_send() interface
- Fix bug in userdom_restricted_xwindows_user_template() template to disallow all user domains to access admin_home_t - kernel/files.fc: Label /var/run/motd.d(./*)? and /var/run/motd as pam_var_run_t
* Thu Feb 14 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.3-22
- Allow dovecot_t domain to connect to mysql db
- Add dac_override capability for sbd_t SELinux domain
- Add dac_override capability for spamd_update_t domain
- Allow nnp transition for domains fsadm_t, lvm_t and mount_t - Add fs_manage_fusefs_named_pipes interface
* Tue Feb 12 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.3-21
- Allow glusterd_t to write to automount unnamed pipe Resolves: rhbz#1674243
- Allow ddclient_t to setcap Resolves: rhbz#1674298
- Add dac_override capability to vpnc_t domain
- Add dac_override capability to spamd_t domain
- Allow ibacm_t domain to read system state and label all ibacm sockets and symlinks as ibacm_var_run_t in /var/run
- Allow read network state of system for processes labeled as ibacm_t
- Allow ibacm_t domain to send dgram sockets to kernel processes
- Allow dovecot_t to connect to MySQL UNIX socket
- Fix CI for use on forks
- Fix typo bug in sensord policy
- Update ibacm_t policy after testing lastest version of this component
- Allow sensord_t domain to mmap own log files
- Allow virt_doamin to read/write dev device
- Add dac_override capability for ipa_helper_t
- Update policy with multiple allow rules to make working installing VM in MLS policy
- Allow syslogd_t domain to send null signal to all domains on system Resolves: rhbz#1673847 - Merge branch 'rawhide' of github.com:fedora-selinux/selinux-policy into rawhide - Allow systemd-logind daemon to remove shared memory during logout Resolves: rhbz#1674172 - Always label /home symlinks as home_root_t - Update mount_read_pid_files macro to allow also list mount_var_run_t dirs - Fix typo bug in userdomain SELinux policy - Merge branch 'rawhide' of github.com:fedora-selinux/selinux-policy into rawhide - Allow user domains to stop systemd user sessions during logout process - Fix CI for use on forks - Label /dev/sev char device as sev_device_t - Add s_manage_fusefs_named_sockets interface - Allow systemd-journald to receive messages including a memfd
* Sat Feb 02 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.3-20
- Allow sensord_t domain to use nsswitch and execute shell
- Allow opafm_t domain to execute lib_t files
- Allow opafm_t domain to manage kdump_crash_t files and dirs
- Allow virt domains to read/write cephfs filesystems
- Allow virtual machine to write to fixed_disk_device_t
- Update kdump_manage_crash() interface to allow also manage dirs by caller domain Resolves: rhbz#1491585
- Allow svnserve_t domain to create in /tmp svn_0 file labeled as krb5_host_rcache_t
- Update dbus_role_template interface to allow userdomains to accept data from userdomain dbus domains
- Add miscfiles_filetrans_named_content_letsencrypt() to optional_block - Allow unconfined domains to create letsencrypt directory in /var/lib labeled as cert_t - Allow staff_t user to systemctl iptables units. - Allow systemd to read selinux logind config - obj_perm_sets.spt: Add xdp_socket to socket_class_set. - Add xdp_socket security class and access vectors - Allow transition from init_t domain to user_t domain during ssh login with confined user user_u
* Tue Jan 29 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.3-19
- Add new xdp_socket class
- Update dbus_role_template interface to allow userdomains to accept data from userdomain dbus domains
- Allow boltd_t domain to read cache_home_t files BZ(1669911)
- Allow winbind_t domain to check for existence of processes labeled as systemd_hostnamed_t BZ(1669912)
- Allow gpg_agent_t to create own tmpfs dirs and sockets
- Allow openvpn_t domain to manage vpnc pidfiles BZ(1667572)
- Add multiple interfaces for vpnc interface file
- Label /var/run/fcgiwrap dir as httpd_var_run_t BZ(1655702)
- In MongoDB 3.4.16, 3.6.6, 4.0.0 and later, mongod reads netstat info from proc and stores it in its diagnostic system (FTDC). See: https://jira.mongodb.org/browse/SERVER-31400 This means that we need to adjust the policy so that the mongod process is allowed to open and read /proc/net/netstat, which typically has symlinks (e.g. /proc/net/snmp).
- Allow gssd_t domain to manage kernel keyrings of every domain.
- Revert "Allow gssd_t domain to read/write kernel keyrings of every domain."
- Some of the selinux-policy macros doesn't work in chroots/initial installs. BZ(1665643)
* Fri Jan 11 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.3-17
- Allow staff_t domain to read read_binfmt_misc filesystem
- Add interface fs_read_binfmt_misc()
- Revert "Allow staff_t to rw binfmt_misc_fs_t files BZ(1658975)"
* Fri Jan 11 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.3-16
- Allow sensord_t to execute own binary files
- Allow pcp_pmlogger_t domain to getattr all filesystem BZ(1662432)
- Allow virtd_lxc_t domains use BPF BZ(1662613)
- Allow openvpn_t domain to read systemd state BZ(1661065)
- Dontaudit ptrace all domains for blueman_t BZ(1653671)
- Used correct renamed interface for imapd_t domain
- Change label of /usr/libexec/lm_sensors/sensord-service-wrapper from lsmd_exec_t to sensord_exec_t BZ(1662922)
- Allow hddtemp_t domain to read nvme block devices BZ(1663579)
- Add dac_override capability to spamd_t domain BZ(1645667)
- Allow pcp_pmlogger_t to mount tracefs_t filesystem BZ(1662983)
- Allow pcp_pmlogger_t domain to read al sysctls BZ(1662441)
- Specify recipients that will be notified about build CI results.
- Allow saslauthd_t domain to mmap own pid files BZ(1653024)
- Add dac_override capability for snapperd_t domain BZ(1619356)
- Make kpatch_t domain application domain to allow users to execute kpatch in kpatch_t domain.
- Add ipc_owner capability to pcp_pmcd_t domain BZ(1655282)
- Update pulseaudio_stream_connect() to allow caller domain create stream sockets to cumminicate with pulseaudio
- Allow pcp_pmlogger_t domain to send signals to rpm_script_t BZ(1651030)
- Add new interface: rpm_script_signal()
- Allow init_t domain to mmap init_var_lib_t files and dontaudit leaked fd. BZ(1651008)
- Make workin: systemd-run --system --pty bash BZ(1647162)
- Allow ipsec_t domain dbus chat with systemd_resolved_t BZ(1662443)
- Allow staff_t to rw binfmt_misc_fs_t files BZ(1658975)
- Specify recipients that will be notified about build CI results.
- Label /usr/lib/systemd/user as systemd_unit_file_t BZ(1652814)
- Allow sysadm_t,staff_t and unconfined_t domain to execute kpatch as kpatch_t domain
- Add rules to allow systemd to mounton systemd_timedated_var_lib_t.
- Allow x_userdomains to stream connect to pulseaudio BZ(1658286)
* Sun Dec 16 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.14.3-15
- Add macro-expander script to selinux-policy-devel package
* Thu Dec 06 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.14.3-14
- Remove all ganesha bits from gluster and rpc policy
- Label /usr/share/spamassassin/sa-update.cron as spamd_update_exec_t
- Add dac_override capability to ssad_t domains
- Allow pesign_t domain to read gnome home configs
- Label /usr/libexec/lm_sensors/sensord-service-wrapper as lsmd_exec_t
- Allow rngd_t domains read kernel state
- Allow certmonger_t domains to read bind cache
- Allow ypbind_t domain to stream connect to sssd
- Allow rngd_t domain to setsched
- Allow sanlock_t domain to read/write sysfs_t files
- Add dac_override capability to postfix_local_t domain
- Allow ypbind_t to search sssd_var_lib_t dirs
- Allow virt_qemu_ga_t domain to write to user_tmp_t files
- Allow systemd_logind_t to dbus chat with virt_qemu_ga_t
- Update sssd_manage_lib_files() interface to allow also mmap sssd_var_lib_t files
- Add new interface sssd_signal()
- Update xserver_filetrans_home_content() and xserver_filetrans_admin_home_content() unterfaces to allow caller domain to create .vnc dir in users homedir labeled as xdm_home_t
- Update logging_filetrans_named_content() to allow caller domains of this interface to create /var/log/journal/remote directory labeled as var_log_t
- Add sys_resource capability to the systemd_passwd_agent_t domain
- Allow ipsec_t domains to read bind cache
- kernel/files.fc: Label /run/motd as etc_t
- Allow systemd to stream connect to userdomain processes
- Label /var/lib/private/systemd/ as init_var_lib_t
- Allow initrc_t domain to create new socket labeled as init_T
- Allow audisp_remote_t domain remote logging client to read local audit events from relevant socket.
- Add tracefs_t type to mountpoint attribute
- Allow useradd_t and groupadd_t domains to send signals to sssd_t
- Allow systemd_logind_t domain to remove directories labeled as tmpfs_t BZ(1648636)
- Allow useradd_t and groupadd_t domains to access sssd files because of the new feature in shadow-utils
* Wed Nov 07 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.14.3-13
- Update pesign policy to allow pesign_t domain to read bind cache files/dirs
- Add dac_override capability to mdadm_t domain
- Create ibacm_tmpfs_t type for the ibacm policy
- Dontaudit capability sys_admin for dhcpd_t domain
- Makes rhsmcertd_t domain an exception to the constraint preventing changing the user identity in object contexts.
- Allow abrt_t domain to mmap generic tmp_t files
- Label /usr/sbin/wpa_cli as wpa_cli_exec_t
- Allow sandbox_xserver_t domain write to user_tmp_t files
- Allow certutil running as ipsec_mgmt_t domain to mmap ipsec_mgmt pid files Dontaudit ipsec_mgmt_t domain to write to the all mountpoints
- Add interface files_map_generic_tmp_files()
- Add dac_override capability to the syslogd_t domain
- Create systemd_timedated_var_run_t label
- Update systemd_timedated_t domain to allow create own pid files/access init_var_lib_t files and read dbus files BZ(1646202)
- Add init_read_var_lib_lnk_files and init_read_var_lib_sock_files interfaces
* Sun Nov 04 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.14.3-12
- Dontaudit thumb_t domain to setattr on lib_t dirs BZ(1643672)
- Dontaudit cupsd_t domain to setattr lib_t dirs BZ(1636766)
- Add dac_override capability to postgrey_t domain BZ(1638954)
- Allow thumb_t domain to execute own tmpfs files BZ(1643698)
- Allow xdm_t domain to manage dosfs_t files BZ(1645770)
- Label systemd-timesyncd binary as systemd_timedated_exec_t to make it run in systemd_timedated_t domain BZ(1640801)
- Improve fs_manage_ecryptfs_files to allow caller domain also mmap ecryptfs_t files BZ(1630675)
- Label systemd-user-runtime-dir binary as systemd_logind_exec_t BZ(1644313)
* Sun Nov 04 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.14.3-11
- Add nnp transition rule for vnstatd_t domain using NoNewPrivileges systemd feature BZ(1643063)
- Allow l2tpd_t domain to mmap /etc/passwd file BZ(1638948)
- Add dac_override capability to ftpd_t domain
- Allow gpg_t to create own tmpfs dirs and sockets
- Allow rhsmcertd_t domain to relabel cert_t files
- Add SELinux policy for kpatch
- Allow nova_t domain to use pam
- sysstat: grant sysstat_t the search_dir_perms set
- Label systemd-user-runtime-dir binary as systemd_logind_exec_t BZ(1644313)
- Allow systemd_logind_t to read fixed dist device BZ(1645631)
- Allow systemd_logind_t domain to read nvme devices BZ(1645567)
- Allow systemd_rfkill_t domain to comunicate via dgram sockets with syslogd BZ(1638981)
- kernel/files.fc: Label /run/motd.d(/.*)? as etc_t
- Allow ipsec_mgmt_t process to send signals other than SIGKILL, SIGSTOP, or SIGCHLD to the ipsec_t domains BZ(1638949)
- Allow X display manager to check status and reload services which are part of x_domain attribute
- Add interface miscfiles_relabel_generic_cert()
- Make kpatch policy active
- Fix userdom_write_user_tmp_dirs() to allow caller domain also read/write user_tmp_t dirs
- Dontaudit sys_admin capability for netutils_t domain
- Label tcp and udp ports 2611 as qpasa_agent_port_t
* Tue Oct 16 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.14.3-10
- Allow boltd_t domain to dbus chat with fwupd_t domain BZ(1633786)
* Mon Oct 15 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.14.3-9
- Allow caller domains using cron_*_role to have entrypoint permission on system_cron_spool_t files BZ(1625645)
- Add interface cron_system_spool_entrypoint()
- Bolt added d-bus API for force-powering the thunderbolt controller, so system-dbusd needs acces to boltd pipes BZ(1637676)
- Add interfaces for boltd SELinux module
- Add dac_override capability to modemmanager_t domain BZ(1636608)
- Allow systemd to mount boltd_var_run_t dirs BZ(1636823)
- Label correctly /var/named/chroot*/dev/unrandom in bind chroot.
* Sat Oct 13 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.14.3-8
- ejabberd SELinux module removed, it's shipped by ejabberd-selinux package
* Sat Oct 13 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.14.3-7
- Update rpm macros for selinux policy from sources repository: https://github.com/fedora-selinux/selinux-policy-macros
* Tue Oct 09 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.14.3-6
- Allow boltd_t to be activated by init socket activation
- Allow virt_domain to read/write to virtd_t unix_stream socket because of new version of libvirt 4.4. BZ(1635803)
- Update SELinux policy for libreswan based on the latest rebase 3.26
- Fix typo in init_named_socket_activation interface
* Thu Oct 04 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.14.3-5
- Allow dictd_t domain to mmap dictd_var_lib_t files BZ(1634650)
- Fix typo in boltd.te policy
- Allow fail2ban_t domain to mmap journal
- Add kill capability to named_t domain
- Allow neutron domain to read/write /var/run/utmp
- Create boltd_var_run_t type for boltd pid files
- Allow tomcat_domain to read /dev/random
- Allow neutron_t domain to use pam
- Add the port used by nsca (Nagios Service Check Acceptor)
- Allow init_t to create tcp sockets for unconfined services BZ(1366968)
- Allow xdm_t to getattr on xserver_t process files BZ(1506116)
- Allow domains which can create resolv.conf file also create it in systemd_resolved_var_run_t dir BZ(1530297)
- Allow X userdomains to send dgram msgs to xserver_t BZ(1515967)
- Add interface files_map_non_security_files()
* Thu Jan 04 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-308
- Make working SELinux sandbox with Wayland. BZ(1474082)
- Allow postgrey_t domain to mmap postgrey_spool_t files BZ(1529169)
- Allow dspam_t to mmap dspam_rw_content_t files BZ(1528723)
- Allow collectd to connect to lmtp_port_t BZ(1304029)
- Allow httpd_t to mmap httpd_squirrelmail_t files BZ(1528776)
- Allow thumb_t to mmap removable_t files. BZ(1522724)
- Allow sssd_t and login_pgm attribute to mmap auth_cache_t files BZ(1530118)
- Add interface fs_mmap_removable_files()
* Tue Dec 19 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-307
- Allow crond_t to read pcp lib files BZ(1525420)
- Allow mozilla plugin domain to mmap user_home_t files BZ(1452783)
- Allow certwatch_t to mmap generic certs. BZ(1527173)
- Allow dspam_t to manage dspam_rw_conent_t objects. BZ(1290876)
- Add interface userdom_map_user_home_files()
- Sytemd introduced new feature when journald(syslogd_t) is trying to read symlinks to unit files in /run/systemd/units. This commit label /run/systemd/units/* as systemd_unit_file_t and allow syslogd_t to read this content. BZ(1527202)
- Allow xdm_t dbus chat with modemmanager_t BZ(1526722)
- All domains accessing home_cert_t objects should also mmap it. BZ(1519810)
* Wed Dec 13 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-306
- Allow thumb_t domain to dosfs_t BZ(1517720)
- Allow gssd_t to read realmd_var_lib_t files BZ(1521125)
- Allow domain transition from logrotate_t to chronyc_t BZ(1436013)
- Allow git_script_t to mmap git_sys_content_t BZ(1517541)
- Label /usr/bin/mysqld_safe_helper as mysqld_exec_t instead of bin_t BZ(1464803)
- Label /run/openvpn-server/ as openvpn_var_run_t BZ(1478642)
- Allow colord_t to mmap xdm pid files BZ(1518382)
- Allow arpwatch to mmap usbmon device BZ(152456)
- Allow mandb_t to read public sssd files BZ(1514093)
- Allow ypbind_t stream connect to rpcbind_t domain BZ(1508659)
- Allow qpid to map files.
- Allow plymouthd_t to mmap firamebuf device BZ(1517405)
- Dontaudit pcp_pmlogger_t to sys_ptrace capability BZ(1416611)
- Update mta_manage_spool() interface to allow caller domain also mmap mta_spool_t files BZ(1517449)
- Allow antivirus_t domain to mmap antivirus_db_t files BZ(1516816)
- Allow cups_pdf_t domain to read cupd_etc_t dirs BZ(1516282)
- Allow openvpn_t domain to relabel networkmanager tun device BZ(1436048)
- Allow mysqld_t to mmap mysqld_tmp_t files BZ(1516899)
- Update samba_manage_var_files() interface by adding map permission. BZ(1517125)
- Allow pcp_pmlogger_t domain to execute itself. BZ(1517395)
- Dontaudit sys_ptrace capability for mdadm_t BZ(1515849)
- Allow pulseaudio_t domain to mmap pulseaudio_home_t files BZ(1515956)
- Allow bugzilla_script_t domain to create netlink route sockets and udp sockets BZ(1427019)
- Add interface fs_map_dos_files()
- Update interface userdom_manage_user_home_content_files() to allow caller domain to mmap user_home_t files. BZ(1519729)
- Add interface xserver_map_xdm_pid() BZ(1518382)
- Add new interface dev_map_usbmon_dev() BZ(1524256)
- Update miscfiles_read_fonts() interface to allow also mmap fonts_cache_t for caller domains BZ(1521137)
- Allow ipsec_t to mmap cert_t and home_cert_t files BZ(1519810)
- Fix typo in filesystem.if
- Add interface dev_map_framebuffer()
- Allow chkpwd command to mmap /etc/shadow BZ(1513704)
- Fix systemd-resolved to run properly with SELinux in enforcing state BZ(1517529)
- Allow thumb_t domain to mmap fusefs_t files BZ(1517517)
- Allow userdom_home_reader_type attribute to mmap cifs_t files BZ(1517125)
- Add interface fs_map_cifs_files()
- Merge pull request #207 from rhatdan/labels
- Merge pull request #208 from rhatdan/logdir
- Allow domains that manage logfiles to man logdirs
* Fri Nov 24 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-305
- Make ganesha nfs server
* Tue Nov 21 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-304
- Allow tomcat_t domain connect to ibm_dt_2 tcp port.
- Allow stream connect to initrc_t domains
- Add pki_exec_common_files() interface
- Allow dnsmasq_t domain to read systemd-resolved pid files.
- Allow tomcat domain name_bind on tcp bctp_port_t
- Allow smbd_t domain generate debugging files under /var/run/gluster. These files are created through the libgfapi.so library that provides integration of a GlusterFS client in the Samba (vfs_glusterfs) process.
- Allow condor_master_t write to sysctl_net_t
- Allow nagios check disk plugin read /sys/kernel/config/
- Merge pull request #4 from lslebodn/sssd_socket_activated
- Remove /proc <<none>> from fedora policy, it's no longer necessary
- Allow iptables get list of kernel modules
- Allow unconfined_domain_type to enable/disable transient unit
- Add interfaces init_enable_transient_unit() and init_disable_transient_unit
- Revert "Allow sshd setcap capability. This is needed due to latest changes in sshd"
- Label sysroot dir under ostree as root_t
* Mon Mar 27 2017 Adam Williamson <awilliam@redhat.com> - 3.13.1-248
- Put tomcat_t back in unconfined domains for now. BZ(1436434)
* Tue Mar 21 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-247
- Make fwupd_var_lib_t type mountpoint. BZ(1429341)
- Remove tomcat_t domain from unconfined domains
- Create new boolean: sanlock_enable_home_dirs()
- Allow mdadm_t domain to read/write nvme_device_t
- Remove httpd_user_*_content_t domains from user_home_type attribute. This tighten httpd policy and acces to user data will be more strinct, and also fix mutual influente between httpd_enable_homedirs and httpd_read_user_content
- Add interface dev_rw_nvme
- Label all files containing hostname substring in /etc/ created by systemd_hostnamed_t as hostname_etc_t. BZ(1433555)
* Sat Mar 18 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-246
- Label all files containing hostname substring in /etc/ created by systemd_hostnamed_t as hostname_etc_t. BZ(1433555)
* Fri Mar 17 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-245
- Allow vdagent domain to getattr cgroup filesystem
- Allow abrt_dump_oops_t stream connect to sssd_t domain
- Allow cyrus stream connect to gssproxy
- Label /usr/libexec/cockpit-ssh as cockpit_session_exec_t and allow few rules
- Allow colord_t to read systemd hwdb.bin file
- Allow dirsrv_t to create /var/lock/dirsrv labeled as dirsrc_var_lock_t
- Allow certmonger to manage /etc/krb5kdc_conf_t
- Allow kdumpctl to getenforce
- Allow ptp4l wake_alarm capability
- Allow ganesha to chat with unconfined domains via dbus
- Add nmbd_t capability2 block_suspend
- Add domain transition from sosreport_t to iptables_t
* Fri Jan 06 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-232
- Add tlp_var_lib_t label for /var/lib/tlp directory BZ(1409977)
- Allow tlp_t domain to read proc_net_t BZ(1403487)
- Merge pull request #179 from rhatdan/virt1
- Allow tlp_t domain to read/write cpu microcode BZ(1403103)
- Allow virt domain to use interited virtlogd domains fifo_file
- Fixes for containers
- Allow glusterd_t to bind on glusterd_port_t udp ports.
- Update ctdbd_t policy to reflect all changes.
- Allow ctdbd_t domain transition to rpcd_t
* Wed Dec 14 2016 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-231
- Allow pptp_t to read /dev/random BZ(1404248)
- Allow glusterd_t send signals to userdomain. Label new glusterd binaries as glusterd_exec_t
- Allow systemd to stop glusterd_t domains.
- Merge branch 'rawhide-base' of github.com:fedora-selinux/selinux-policy into rawhide-base
- Label /usr/sbin/sln as ldconfig_exec_t BZ(1378323)
- Revert "Allow an domain that has an entrypoint from a type to be allowed to execute the entrypoint without a transition, I can see no case where this is a bad thing, and elminiates a whole class of AVCs."
* Thu Dec 08 2016 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-230
- Label /usr/bin/rpcbind as rpcbind_exec_t
- Dontaudit mozilla plugin rawip socket creation. BZ(1275961)
- Merge pull request #174 from rhatdan/netlink
* Wed Dec 07 2016 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-229
- Label /usr/bin/rpcbind as rpcbind_exec_t. Label /usr/lib/systemd/systemd/rpcbind.service
- Allot tlp domain to create unix_dgram sockets BZ(1401233)
- Allow antivirus domain to create lnk_files in /tmp
- Allow cupsd_t to create lnk_files in /tmp. BZ(1401634)
- Allow svnserve_t domain to read /dev/random BZ(1401827)
- Allow lircd to use nsswitch. BZ(1401375)
- Allow hostname_t domain to manage cluster_tmp_t files
* Mon Dec 05 2016 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-228
- Fix some boolean descriptions.
- Add fwupd_dbus_chat() interface
- Allow tgtd_t domain wake_alarm
- Merge pull request #172 from vinzent/allow_puppetagent_timedated
- Dontaudit logrotate_t to getattr nsfs_t BZ(1399081)
- Allow systemd_machined_t to start unit files labeled as init_var_run_t
- In Atomic /usr/local is a soft symlink to /var/usrlocal, so the default policy to apply bin_t on /usr/...bin doesn't work and binaries dumped here get mislabeled as var_t.
- Allow systemd to raise rlimit to all domains.BZ(1365435)
- A new version of cloud-init that supports the effort to provision RHEL Atomic on Microsoft Azure requires some a new rules that allows dhclient/dhclient hooks to call cloud-init.
- Allow systemd to stop systemd-machined daemon. This allows stop virtual machines.
- Label /usr/libexec/iptables/iptables.init as iptables_exec_t Allow iptables creating lock file in /var/lock/subsys/
* Tue Aug 16 2016 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-209
- Fix lsm SELinux module
- Dontaudit firewalld to create dirs in /root/ BZ(1340611)
- Label /run/corosync-qdevice and /run/corosync-qnetd as corosync_var_run_t
- Allow fprintd and cluster domains to cummunicate via dbus BZ(1355774)
- Allow cupsd_config_t domain to read cupsd_var_run_t sock_file. BZ(1361299)
- Add sys_admin capability to sbd domain
- Allow vdagent to comunnicate with systemd-logind via dbus
- Allow lsmd_plugin_t domain to create fixed_disk device.
- Allow opendnssec domain to create and manage own tmp dirs/files
- Allow ftpd_t to mamange userhome data without any boolean.
- Add logrotate permissions for creating netlink selinux sockets.
- Add new MLS attribute to allow relabeling objects higher than system low. This exception is needed for package managers when processing sensitive data.
- Label all VBox libraries stored in /var/lib/VBoxGuestAdditions/lib/ as textrel_shlib_t BZ(1356654)
- Allow systemd gpt generator to run fstools BZ(1353585)
- Label /usr/lib/systemd/libsystemd-shared-231.so as lib_t. BZ(1360716)
- Allow gnome-keyring also manage user_tmp_t sockets.
- Allow systemd to mounton /etc filesystem. BZ(1341753)
- Merge branch 'rawhide-base-modules-load' into rawhide-base
- Add new policy for systemd-modules-load
- Add systemd access vectors.
- Revert "Revert "Revert "Missed this version of exec_all"""
- Revert "Revert "Missed this version of exec_all""
- Revert "Missed this version of exec_all"
- Revert "Revert "Fix name of capability2 secure_firmware->compromise_kernel"" BZ(1351624) This reverts commit 3e0e7e70de481589440f3f79cccff08d6e62f644.
- Revert "Fix name of capability2 secure_firmware->compromise_kernel" BZ(1351624) This reverts commit 7a0348a2d167a72c8ab8974a1b0fc33407f72c48.
- Revert "Allow xserver to compromise_kernel access"BZ(1351624)
- Revert "Allow anyone who can load a kernel module to compromise_kernel"BZ(1351624)
- Revert "add ptrace_child access to process" (BZ1351624)
- Add user namespace capability object classes.
- Allow udev to manage systemd-hwdb files
- Add interface systemd_hwdb_manage_config()
- Fix paths to infiniband devices. This allows use more then two infiniband interfaces.
- corecmd: Remove fcontext for /etc/sysconfig/libvirtd
- Allow systemd to relabel /var and /var/lib directories during boot.
- Add files_relabel_var_dirs() and files_relabel_var_dirs() interfaces.
- Add files_relabelto_var_lib_dirs() interface.
- Label tcp and udp port 5582 as fac_restore_port_t
- Allow sysadm_t user to run postgresql-setup.
- Allow sysadm_t user to dbus chat with oddjob_t. This allows confined admin run oddjob mkhomedirfor script.
- Allow systemd-resolved to connect to llmnr tcp port. BZ(1344849)
- Allow passwd_t also manage user_tmp_t dirs, this change is needed by gnome-keyringd
* Thu Jun 16 2016 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-197
- Allow conman to kill conman_unconfined_script.
- Make conman_unconfined_script_t as init_system_domain.
- Allow init dbus chat with apmd.
- Patch /var/lib/rpm is symlink to /usr/share/rpm on Atomic, due to this change we need to label also /usr/share/rpm as rpm_var_lib_t.
- Dontaudit xguest_gkeyringd_t stream connect to system_dbusd_t
- Allow collectd_t to stream connect to postgresql.
- Allow mysqld_safe to inherit rlimit information from mysqld
- Allow ip netns to mounton root fs and unmount proc_t fs.
- Allow sysadm_t to run newaliases command.
* Mon Jun 13 2016 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-196
- Allow svirt_sandbox_domains to r/w onload sockets
- Add filetrans rule that NetworkManager_t can create net_conf_t files in /etc.
- Add interface sysnet_filetrans_named_net_conf()
- Rawhide fails to boot, systemd-logind needs to config transient config files
- User Namespace is requires create on process domains
* Wed Jun 08 2016 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-195
- Add hwloc-dump-hwdata SELinux policy
- Add labels for mediawiki123
- Fix label for all fence_scsi_check scripts
- Allow setcap for fenced
- Allow glusterd domain read krb5_keytab_t files.
- Allow tmpreaper_t to read/setattr all non_security_file_type dirs
- Update refpolicy to handle hwloc
- Fix typo in files_setattr_non_security_dirs.
- Add interface files_setattr_non_security_dirs()
* Tue Jun 07 2016 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-194
- Allow boinc to use dri devices. This allows use Boinc for a openCL GPU calculations. BZ(1340886)
- Add nrpe_dontaudit_write_pipes()
- Merge pull request #129 from rhatdan/onload
- Add support for onloadfs
- Merge pull request #127 from rhatdan/device-node
- Additional access required for unconfined domains
- Dontaudit ping attempts to write to nrpe unnamed pipes
- Allow ifconfig_t to mounton also ifconfig_var_run_t dirs, not just files. Needed for: #ip netns add foo BZ(1340952)
* Mon May 30 2016 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-193
- Directory Server (389-ds-base) has been updated to use systemd-ask-password. In order to function correctly we need the following added to dirsrv.te
- Update opendnssec_manage_config() interface to allow caller domain also manage opendnssec_conf_t dirs
- Allow gssproxy to get attributes on all filesystem object types. BZ(1333778)
- Allow ipa_dnskey_t search httpd config files.
- Dontaudit certmonger to write to etc_runtime_t
- Update opendnssec_read_conf() interface to allow caller domain also read opendnssec_conf_t dirs.
- Add interface ipa_delete_tmp()
- Allow systemd_hostanmed_t to read /proc/sysinfo labeled as sysctl_t.
- Allow systemd to remove ipa temp files during uinstalling ipa. BZ(1333106)
* Wed May 25 2016 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-192
- Create new SELinux type for /usr/libexec/ipa/ipa-dnskeysyncd BZ(1333106)
- Add SELinux policy for opendnssec service. BZ(1333106)
* Tue May 24 2016 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-191
- Label /usr/share/ovirt-guest-agent/ovirt-guest-agent.py as rhev_agentd_exec_t
- Allow dnssec_trigger_t to create lnk_file labeled as dnssec_trigger_var_run_t. BZ(1335954)
- Allow ganesha-ha.sh script running under unconfined_t domain communicate with glusterd_t domains via dbus.
- Allow ganesha daemon labeled as glusterd_t create /var/lib/nfs/ganesha dir labeled as var_lib_nfs_t.
- Merge pull request #122 from NetworkManager/th/nm-dnsmasq-dbus
- Merge pull request #125 from rhatdan/typebounds
- Typebounds user domains
- Allow systemd_resolved_t to check if ipv6 is disabled.
- systemd added a new directory for unit files /run/systemd/transient. It should be labelled system_u:object_r:systemd_unit_file_t:s0, the same as /run/systemd/system, PID 1 will write units there. Resolves: #120
- Label /dev/xen/privcmd as xen_device_t. BZ(1334115)
* Mon May 16 2016 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-190
- Label /var/log/ganesha.log as gluster_log_t Allow glusterd_t domain to create glusterd_log_t files. Label /var/run/ganesha.pid as gluster_var_run_t.
- Allow zabbix to connect to postgresql port
- Label /usr/libexec/openssh/sshd-keygen as sshd_keygen_exec_t. BZ(1335149)
- Allow systemd to read efivarfs. Resolve: #121
* Tue May 10 2016 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-189
- Revert temporary fix: Replace generating man/html pages with pages from actual build. This is due to broken userspace with python3 in F23/Rawhide. Please Revert when userspace will be fixed
* Mon May 09 2016 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-188
- Label tcp port 8181 as intermapper_port_t.
- Label /usr/libexec/storaged/storaged as lvm_exec_t to run storaged daemon in lvm_t SELinux domain. BZ(1333588)
- Label tcp/udp port 2024 as xinuexpansion4_port_t
- Label tcp port 7002 as afs_pt_port_t Label tcp/udp port 2023 as xinuexpansion3_port_t
* Thu May 05 2016 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-187
- Allow stunnel create log files. BZ(1333033)
- Label dev/shm/squid-cf__metadata.shm as squid_tmpfs_t. BZ(1331574)
- Allow stunnel sys_nice capability. Stunnel sched_* syscalls in some cases. BZ(1332287)
- Label /usr/bin/ganesha.nfsd as glusterd_exec_t to run ganesha as glusterd_t. Allow glusterd_t stream connect to rpbind_t. Allow cluster_t to create symlink /var/lib/nfs labeled as var_lib_nfs_t. Add interface rpc_filetrans_var_lib_nfs_content() Add new boolean: rpcd_use_fusefs to allow rpcd daemon use fusefs.
- Allow systemd-user-sessions daemon to mamange systemd_logind_var_run_t pid files. BZ(1331980)
- Modify kernel_steam_connect() interface by adding getattr permission. BZ(1331927)
- Label /usr/sbin/xrdp* files as bin_t BZ(1258453)
- Allow rpm-ostree domain transition to install_t domain from init_t. rhbz#1330318
- Allow runnig php7 in fpm mode. From selinux-policy side, we need to allow httpd to read/write hugetlbfs.
- Allow openvswitch daemons to run under openvswitch Linux user instead of root. This change needs allow set capabilities: chwon, setgid, setuid, setpcap. BZ(1330895)
- Allow KDM to get status about power services. This change allow kdm to be able do shutdown BZ(1330970)
- Remove ftpd_home_dir() boolean from distro policy. Reason is that we cannot make this working due to m4 macro language limits.
- Create new apache content template for files stored in user homedir. This change is needed to make working booleans: - httpd_enable_homedirs - httpd_read_user_content Resolves: rhbz#1330448
- Label /usr/lib/snapper/systemd-helper as snapperd_exec_t. rhbz#1323732
- Make virt_use_pcscd boolean off by default.
- Create boolean to allow virtual machine use smartcards. rhbz#1029297
- Allow snapperd to relabel btrfs snapshot subvolume to snapperd_data_t. rhbz#1323754
- Allow mongod log to syslog.
- Allow nsd daemon to create log file in /var/log as nsd_log_t
- unlabeled_t can not be an entrypoint.
- Modify interface den_read_nvme() to allow also read nvme_device_t block files. rhbz#1327909
- Add new permissions stop/start to class system. rhbz#1324453
- Dontaudit tor daemon needs net_admin capability. rhbz#1311788
- Allow GDM write to event devices. This rule is needed for GDM, because other display managers runs the X server as root, GDM instead runs the X server as the unprivileged user, within the user session. rhbz#1232042
- Label /usr/libexec/rpm-ostreed as rpm_exec_t. BZ(1309075)
- /bin/mailx is labeled sendmail_exec_t, and enters the sendmail_t domain on execution. If /usr/sbin/sendmail does not have its own domain to transition to, and is not one of several products whose behavior is allowed by the sendmail_t policy, execution will fail. In this case we need to label /bin/mailx as bin_t. BZ(1323224)
- Label all run tgtd files, not just socket files.
- Allow prosody to stream connect to sasl. This will allow using cyrus authentication in prosody.
- Allow prosody to listen on port 5000 for mod_proxy65. BZ(1322815)
- Allow targetd to read/write to /dev/mapper/control device. BZ(1241415)
- Label /etc/selinux/(minimum|mls|targeted)/active/ as semanage_store_t.
- Allow systemd_resolved to read systemd_networkd run files. BZ(1322921)
- New cgroup2 file system in Rawhide
* Wed Mar 30 2016 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-180
- Allow dovecot_auth_t domain to manage also dovecot_var_run_t fifo files. BZ(1320415)
- Allow colord to read /etc/udev/hwdb.bin. rhzb#1316514
- sandboxX.te: Allow sandbox domain to have entrypoint access only for executables and mountpoints.
- Allow sandbox domain to have entrypoint access only for executables and mountpoints.
- Allow bitlee to create bitlee_var_t dirs.
- Allow CIM provider to read sssd public files.
- Fix some broken interfaces in distro policy.
- Allow power button to shutdown the laptop.
- Allow lsm plugins to create named fixed disks. rhbz#1238066
- Allow hyperv domains to rw hyperv devices. rhbz#1241636
- Label /var/www/html(/.*)?/wp_backups(/.*)? as httpd_sys_rw_content_t.
- Create conman_unconfined_script_t type for conman script stored in /use/share/conman/exec/
- Allow rsync_export_all_ro boolean to read also non_auth_dirs/files/symlinks.
- Allow pmdaapache labeled as pcp_pmcd_t access to port 80 for apache diagnostics
- Label nagios scripts as httpd_sys_script_exec_t.
- Allow nsd_t to bind on nsf_control tcp port. Allow nsd_crond_t to read nsd pid.
- Fix couple of cosmetic thing in new virtlogd_t policy. rhbz #1311576
- Merge pull request #104 from berrange/rawhide-contrib-virtlogd
- Label /var/run/ecblp0 as cupsd_var_run_t due to this fifo_file is used by epson drivers. rhbz#1310336
- Dontaudit logrotate to setrlimit itself. rhbz#1309604
- Add filename transition that /etc/princap will be created with cupsd_rw_etc_t label in cups_filetrans_named_content() interface.
- Allow pcp_pmie and pcp_pmlogger to read all domains state.
- Allow systemd-gpt-generator to create and manage systemd gpt generator unit files. BZ(1319446)
- Merge pull request #115 from rhatdan/nvidea
- Label all nvidia binaries as xserver_exec_t
- Add new systemd_hwdb_read_config() interface. rhbz#1316514
- Add back corecmd_read_all_executables() interface.
- Call files_type() instead of file_type() for unlabeled_t.
- Create hyperv* devices and create rw interfaces for this devices. rhbz#1309361
- Add neverallow assertion for unlabaled_t to increase policy security.
- Allow systemd-rfkill to create /var/lib/systemd/rfkill dir. rhbz#1319499
- Label 8952 tcp port as nsd_control.
- Allow to log out to gdm after screen was resized in session via vdagent. Resolves: rhbz#1249020
* Wed Mar 16 2016 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-179
- Add filename transition that /etc/princap will be created with cupsd_rw_etc_t label in cups_filetrans_named_content() interface.
- Revert "Add filename transition that /etc/princap will be created with cupsd_rw_etc_t label in cups_filetrans_named_content."
- Add filename transition that /etc/princap will be created with cupsd_rw_etc_t label in cups_filetrans_named_content.
- Allow pcp_pmie and pcp_pmlogger to read all domains state.
- Make fwupd domain unconfined. We need to discuss solution related to using gpg. rhbz#1316717
- Merge pull request #108 from rhatdan/rkt
- Merge pull request #109 from rhatdan/virt_sandbox
- Add new interface to define virt_sandbox_network domains
- Label /etc/redis-sentinel.conf as redis_conf_t. Allow redis_t write to redis_conf_t. Allow redis_t to connect on redis tcp port.
- Fix typo in drbd policy
- Remove declaration of empty booleans in virt policy.
- Add new drbd file type: drbd_var_run_t. Allow drbd_t to manage drbd_var_run_t files/dirs.
- Label /etc/ctdb/events.d/* as ctdb_exec_t. Allow ctdbd_t to setattr on ctdbd_exec_t files.
- Additional rules to make rkt work in enforcing mode
- Allow to log out to gdm after screen was resized in session via vdagent. Resolves: rhbz#1249020
- Allow ipsec to use pam. rhbz#1317988
- Allow systemd-gpt-generator to read fixed_disk_device_t. rhbz#1314968
- Allow setrans daemon to read /proc/meminfo.
- Merge pull request #107 from rhatdan/rkt-base
- Allow systemd_notify_t to write to kmsg_device_t when 'systemd.log_target=kmsg' option is used.
- Remove bin_t label for /etc/ctdb/events.d/. We need to label this scripts as ctdb_exec_t.
* Thu Mar 10 2016 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-178
- Label tcp port 5355 as llmnr-> Link-Local Multicast Name Resolution
- Add support systemd-resolved.
* Tue Mar 08 2016 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-177
- Allow spice-vdagent to getattr on tmpfs_t filesystems Resolves: rhbz#1276251
- Allow sending dbus msgs between firewalld and system_cronjob domains.
- Allow zabbix-agentd to connect to following tcp sockets. One of zabbix-agentd functions is get service status of ftp,http,innd,pop,smtp protocols. rhbz#1315354
- Allow snapperd mounton permissions for snapperd_data_t. BZ(#1314972)
- Add support for systemd-gpt-auto-generator. rhbz#1314968
- Add support for systemd-hwdb daemon. rhbz#1306243
* Thu Mar 03 2016 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-176
- Add new boolean tmpreaper_use_cifs() to allow tmpreaper to run on local directories being shared with Samba.
- Merge pull request #105 from rhatdan/NO_NEW_PRIV
- Fix new rkt policy
- Remove some redundant rules.
- Fix cosmetic issues in interface file.
- Merge pull request #100 from rhatdan/rawhide-contrib
- Add interface fs_setattr_cifs_dirs().
- Merge pull request #106 from rhatdan/NO_NEW_PRIV_BASE
- Fixed to make SELinux work with docker and prctl(NO_NEW_PRIVS)
-Build file_contexts.bin file_context.local.bin file_context.homedir.bin during build phase.
This fix issue in Fedora live images when selinux-policy-targeted is not installed but just unpackaged, since there's no .bin files,
file_contexts is parsed in selabel_open().
Resolves: rhbz#1314372
* Fri Feb 26 2016 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-175
- Fix new rkt policy (Remove some redundant rules, Fix cosmetic issues in interface file)
- Add policy for rkt services
* Fri Feb 26 2016 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-174
- Revert "Allow systemd-logind to create .#nologinXXXXXX labeled as systemd_logind_var_run_t in /var/run/systemd/ rhbz#1285019"
- Allow systemd-logind to create .#nologinXXXXXX labeled as systemd_logind_var_run_t in /var/run/ rhbz#1285019
* Fri Feb 26 2016 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-173
- Allow amanda to manipulate the tape changer to load the necessary tapes. rhbz#1311759
- Allow keepalived to create netlink generic sockets. rhbz#1311756
- Allow modemmanager to read /etc/passwd file.
- Label all files named /var/run/.*nologin.* as systemd_logind_var_run_t.
- Add filename transition to interface systemd_filetrans_named_content() that domain will create rfkill dir labeled as systemd_rfkill_var_lib_t instead of init_var_lib_t. rhbz #1290255
- Allow systemd-logind to create .#nologinXXXXXX labeled as systemd_logind_var_run_t in /var/run/systemd/ rhbz#1285019
- Allow systemd_networkd_t to write kmsg, when kernel was started with following params: systemd.debug systemd.log_level=debug systemd.log_target=kmsg rhbz#1311444
- Allow ipsec to read home certs, when connecting to VPN. rhbz#1301319
* Thu Feb 25 2016 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-172
- Fix macro name from snmp_manage_snmp_var_lib_files to snmp_manage_var_lib_files in cupsd policy.
- Allow hplip driver to write to its MIB index files stored in the /var/lib/net-snmp/mib_indexes. Resolves: rhbz#1291033
- Dontaudit leaded file descriptors from firewalld
- Add port for rkt services
- Add support for the default lttng-sessiond port - tcp/5345. This port is used by LTTng 2.x central tracing registry session daemon.
* Thu Feb 11 2016 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-171
- Allow setroubleshoot_fixit_t to use temporary files
* Wed Feb 10 2016 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-170
- Allow abrt_dump_oops_t to getattr filesystem nsfs files. rhbz#1300334
- Allow ulogd_t to create netlink_netfilter sockets. rhbz#1305426
- Create new type fwupd_cert_t Label /etc/pki/(fwupd|fwupd-metadata) dirs as fwupd_cert_t Allow fwupd_t domain to read fwupd_cert_t files|lnk_files rhbz#1303533
- Add interface to dontaudit leaked files from firewalld
- fwupd needs to dbus chat with policykit
- Allow fwupd domain transition to gpg domain. Fwupd signing firmware updates by gpg. rhbz#1303531
- Allow abrt_dump_oops_t to check permissions for a /usr/bin/Xorg. rhbz#1284967
- Allow prelink_cron_system_t domain set resource limits. BZ(1190364)
- Allow pppd_t domain to create sockfiles in /var/run labeled as pppd_var_run_t label. BZ(1302666)
- Fix wrong name for openqa_websockets tcp port.
- Allow run sshd-keygen on second boot if first boot fails after some reason and content is not syncedon the disk. These changes are reflecting this commit in sshd. http://pkgs.fedoraproject.org/cgit/rpms/openssh.git/commit/?id=af94f46861844cbd6ba4162115039bebcc8f78ba rhbz#1299106
- Merge branch 'rawhide-contrib' of github.com:fedora-selinux/selinux-policy into rawhide-contrib
- Label /var/log/ipareplica-conncheck.log file as ipa_log_t Allow ipa_helper_t domain to manage logs labeledas ipa_log_t Allow ipa_helper_t to connect on http and kerberos_passwd ports. BZ(1289930)
- Allow keepalived to connect to 3306/tcp port - mysqld_port_t.
- Merge remote-tracking branch 'refs/remotes/origin/rawhide-contrib' into rawhide-contrib
- Merge remote-tracking branch 'refs/remotes/origin/rawhide-contrib' into rawhide-contrib
- Merge pull request #86 from rhatdan/rawhide-contrib
- Label some new nsd binaries as nsd_exec_t Allow nsd domain net_admin cap. Create label nsd_tmp_t for nsd tmp files/dirs BZ (1293146)
- Added interface logging_systemctl_syslogd
- Label rsyslog unit file
- Added policy for systemd-coredump service. Added domain transition from kernel_t to systemd_coredump_t. Allow syslogd_t domain to read/write tmpfs systemd-coredump files. Make new domain uconfined for now.
* Wed Jan 06 2016 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-165
- Allow sddm-helper running as xdm_t to create .wayland-errors with correct labeling. BZ(#1291085)
- Revert "Allow arping running as netutils_t sys_module capability for removing tap devices."
- Allow arping running as netutils_t sys_module capability for removing tap devices.
- Add userdom_connectto_stream() interface.
- Allow systemd-logind to read /run/utmp. BZ(#1278662)
- Allow sddm-helper running as xdm_t to create .wayland-errors with correct labeling. BZ(#1291085)
- Revert "Allow arping running as netutils_t sys_module capability for removing tap devices."
- Allow arping running as netutils_t sys_module capability for removing tap devices.
- Add userdom_connectto_stream() interface.
- Allow systemd-logind to read /run/utmp. BZ(#1278662)
* Tue Dec 15 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-164
- Allow firewalld to create firewalld_var_run_t directory. BZ(1291243)
- Add interface firewalld_read_pid_files()
- Allow iptables to read firewalld pid files. BZ(1291243)
- Allow the user cronjobs to run in their userdomain
- Label ssdm binaries storedin /etc/sddm/ as bin_t. BZ(1288111)
- Merge pull request #81 from rhatdan/rawhide-base
- New access needed by systemd domains
* Wed Dec 09 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-163
- Allow whack executed by sysadm SELinux user to access /var/run/pluto/pluto.ctl. It fixes "ipsec auto --status" executed by sysadm_t.
- Add ipsec_read_pid() interface
* Mon Dec 07 2015 Miroslav Grepl <mgrepl@redhat.com> 3.13.1-162
- Label /usr/sbin/lvmlockd binary file as lvm_exec_t. BZ(1287739)
- Adding support for dbus communication between systemd-networkd and systemd-hostnamed. BZ(1279182)
- Update init policy to have userdom_noatsecure_login_userdomain() and userdom_sigchld_login_userdomain() called for init_t.
- init_t domain should be running without unconfined_domain attribute.
- Add a new SELinux policy for /usr/lib/systemd/systemd-rfkill.
- Update userdom_transition_login_userdomain() to have "sigchld" and "noatsecure" permissions.
- systemd needs to access /dev/rfkill on early boot.
- Allow dspam to read /etc/passwd
* Mon Nov 30 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-161
- Set default value as true in boolean mozilla_plugin_can_network_connect. BZ(1286177)
* Tue Nov 24 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-160
- Allow apcupsd sending mails about battery state. BZ(1274018)
- Allow pcp_pmcd_t domain transition to lvm_t. BZ(1277779)
- Merge pull request #68 from rhatdan/rawhide-contrib
- Allow antivirus_t to bind to all unreserved ports. Clamd binds to random unassigned port (by default in range 1024-2048). #1248785
- Allow systemd-networkd to bind dhcpd ports if DHCP=yes in *.network conf file. BZ(#1280092)
- systemd-tmpfiles performs operations on System V IPC objects which requires sys_admin capability. BZ(#1279269)
* Fri Nov 20 2015 Miroslav Grepl <mgrepl@redhat.com> 3.13.1-159
- Allow antivirus_t to bind to all unreserved ports. Clamd binds to random unassigned port (by default in range 1024-2048)
- Allow abrt-hook-ccpp to change SELinux user identity for created objects.
- Allow abrt-hook-ccpp to get attributes of all processes because of core_pattern.
- Allow setuid/setgid capabilities for abrt-hook-ccpp.
- Add default labeling for /etc/Pegasus/cimserver_current.conf. It is a correct patch instead of the current /etc/Pegasus/pegasus_current.conf.
- Allow fenced node dbus msg when using foghorn witch configured foghorn, snmpd, and snmptrapd.
- cockpit has grown content in /var/run directory
- Add support for /dev/mptctl device used to check RAID status.
- Allow systemd-hostnamed to communicate with dhcp via dbus.
- systemd-logind remove all IPC objects owned by a user on a logout. This covers also SysV memory. This change allows to destroy unpriviledged user SysV shared memory segments.
- Label /var/run/systemd/shutdown directory as systemd_logind_var_run_t to allow systemd-logind to access it if shutdown is invoked.
- Access needed by systemd-machine to manage docker containers
- Allow systemd-logind to read /run/utmp when shutdown is invoked.
* Tue Nov 10 2015 Miroslav Grepl <mgrepl@redhat.com> 3.13.1-158
- Merge pull request #48 from lkundrak/contrib-openfortivpn
- unbound wants to use ephemeral ports as a default configuration. Allow to use also udp sockets.
* Mon Nov 09 2015 Miroslav Grepl <mgrepl@redhat.com> 3.13.1-157
- The ABRT coredump handler has code to emulate default core file creation The handler runs in a separate process with abrt_dump_oops_t SELinux process type. abrt-hook-ccpp also saves the core dump file in the very same way as kernel does and a user can specify CWD location for a coredump. abrt-hook-ccpp has been made as a SELinux aware apps to create this coredumps with correct labeling and with this commit the policy rules have been updated to allow access all non security files on a system.
- Since /dev/log is a symlink, we need to allow relabelto also symlink. This commit update logging_relabel_devlog_dev() interface to allow it.
- systemd-user has pam_selinux support and needs to able to compute user security context if init_t is not unconfined domain.
* Tue Oct 27 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-156
- Allow fail2ban-client to execute ldconfig. #1268715
- Add interface virt_sandbox_domain()
- Use mmap_file_perms instead of exec_file_perms in setroubleshoot policy to shave off the execute_no_trans permission. Based on a github communication with Dominick Grift.
-all userdom_dontaudit_user_getattr_tmp_sockets instead() of usedom_dontaudit_user_getattr_tmp_sockets().
- Rename usedom_dontaudit_user_getattr_tmp_sockets() to userdom_dontaudit_user_getattr_tmp_sockets().
- Remove auth_login_pgm_domain(init_t) which has been added by accident.
- init_t needs to able to change SELinux identity because it is used as login_pgm domain because of systemd-user and PAM. It allows security_compute_user() returns a list of possible context and then a correct default label is returned by "selinux.get_default_context(sel_user,fromcon)" defined in the policy user config files.
- Add interface auth_use_nsswitch() to systemd_domain_template.
- Revert "auth_use_nsswitch can be used with attribute systemd_domain."
- auth_use_nsswitch can be used with attribute systemd_domain.
- ipsec: fix stringSwan charon-nm
- docker is communicating with systemd-machined
- Add missing systemd_dbus_chat_machined, needed by docker
* Tue Oct 20 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-155
- Build including docker selinux interfaces.
* Tue Oct 20 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-154
- Allow winbindd to send signull to kernel. BZ(#1269193)
- Merge branch 'rawhide-contrib-chrony' into rawhide-contrib
- Fixes for chrony version 2.2 BZ(#1259636)
* Allow chrony chown capability
* Allow sendto dgram_sockets to itself and to unconfined_t domains.
- Merge branch 'rawhide-contrib-chrony' into rawhide-contrib
- Add boolean allowing mysqld to connect to http port. #1262125
- Merge pull request #52 from 1dot75cm/rawhide-base
- Allow systemd_hostnamed to read xenfs_t files. BZ(#1233877)
- Fix attribute in corenetwork.if.in
* Tue Oct 13 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-153
- Allow abrt_t to read sysctl_net_t files. BZ(#1194280)
- Merge branch 'rawhide-contrib' of github.com:fedora-selinux/selinux-policy into rawhide-contrib
- Add abrt_stub interface.
- Add support for new mock location - /usr/libexec/mock/mock. BZ(#1270972)
- Allow usbmuxd to access /run/udev/data/+usb:*. BZ(#1269633)
- Allow qemu-bridge-helper to read /dev/random and /dev/urandom. BZ(#1267217)
- Allow sssd_t to manage samba var files/dirs to SSSD's GPO support which is enabled against an Active Directory domain. BZ(#1225200).
- Add samba_manage_var_dirs() interface.
- Allow pcp_pmlogger to exec bin_t BZ(#1258698)
- Allow spamd to read system network state. BZ(1260234)
- Allow fcoemon to create netlink scsitransport sockets BZ(#1260882)
- Allow networkmanager to create networkmanager_var_lib_t files. BZ(1270201)
- Allow systemd-networkd to read XEN state for Xen hypervisor. BZ(#1269916)
- Add fs_read_xenfs_files() interface.
- Allow systemd_machined_t to send dbus msgs to all users and read/write /dev/ptmx to make 'machinectl shell' working correctly.
- Allow systemd running as init_t to override the default context for key creation. BZ(#1267850)
* Thu Oct 08 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-152
- Allow pcp_pmlogger to read system state. BZ(1258699)
- Allow cupsd to connect on socket. BZ(1258089)
- Allow named to bind on ephemeral ports. BZ(#1259766)
- Allow iscsid create netlink iscsid sockets.
- We need allow connect to xserver for all sandbox_x domain because we have one type for all sandbox processes.
- Allow NetworkManager_t and policykit_t read access to systemd-machined pid files. #1255305
- Add missing labeling for /usr/libexec/abrt-hook-ccpp as a part of #1245477 and #1242467 bugs.
- Allow search dirs in sysfs types in kernel_read_security_state.
- Fix kernel_read_security_state interface that source domain of this interface can search sysctl_fs_t dirs.
* Fri Oct 02 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-151
- Update modules_filetrans_named_content() to make sure we don't get modules_dep labeling by filename transitions.
- Add modutils_read_module_deps_files() which is called from files_read_kernel_modules() for module deps which are still labeled as modules_dep_t.
- Remove modules_dep_t labeling for kernel module deps. depmod is a symlink to kmod which is labeled as insmod_exec_t which handles modules_object_t and there is no transition to modules_dep_t. Also some of these module deps are placed by cpio during install/update of kernel package.
* Fri Oct 02 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-150
- Allow acpid to attempt to connect to the Linux kernel via generic netlink socket.
- Clean up pkcs11proxyd policy.
- We need to require sandbox_web_type attribute in sandbox_x_domain_template().
- Revert "depmod is a symlink to insmod so it runs as insmod_t. It causes that dep kernel modules files are not created with the correct labeling modules_dep_t. This fix adds filenamtrans rules for insmod_t."
- depmod is a symlink to insmod so it runs as insmod_t. It causes that dep kernel modules files are not created with the correct labeling modules_dep_t. This fix adds filenamtrans rules for insmod_t.
- Update files_read_kernel_modules() to contain modutils_read_module_deps() calling because module deps labeling has been updated and it allows to avoid regressions.
- Update modules_filetrans_named_content() interface to cover more modules.* files.
- New policy for systemd-machined. #1255305
- In Rawhide/F24, we added pam_selinux.so support for systemd-users to have user sessions running under correct SELinux labeling. It also supports another new feature with systemd+dbus and we have sessions dbuses running with the correct labeling - unconfined_dbus_t for example.
- Allow systemd-logind read access to efivarfs - Linux Kernel configuration options for UEFI systems (UEFI Runtime Variables). #1244973, #1267207 (partial solution)
- Merge pull request #42 from vmojzis/rawhide-base
- Add interface to allow reading files in efivarfs - contains Linux Kernel configuration options for UEFI systems (UEFI Runtime Variables)
- Allow rhsmcertd_t send signull to unconfined_service_t domains.
- Revert "Allow pcp to read docker lib files."
- Label /usr/libexec/dbus-1/dbus-daemon-launch-helper as dbusd_exec_t to have systemd dbus services running in the correct domain instead of unconfined_service_t if unconfined.pp module is enabled. BZ(#1262993)
- Allow pcp to read docker lib files.
- Revert "init_t needs to be login_pgm domain because of systemd-users + pam_selinux.so"
- Add login_userdomain attribute also for unconfined_t.
- Add userdom_login_userdomain() interface.
- Label /etc/ipa/nssdb dir as cert_t
- init_t needs to be login_pgm domain because of systemd-users + pam_selinux.so
- Add interface unconfined_server_signull() to allow domains send signull to unconfined_service_t
- Call userdom_transition_login_userdomain() instead of userdom_transition() in init.te related to pam_selinux.so+systemd-users.
- Allow user domains with login_userdomain to have entrypoint access on init_exec. It is needed by pam_selinux.so call in systemd-users. BZ(#1263350)
- Add init_entrypoint_exec() interface.
- Allow init_t to have transition allow rule for userdomain if pam_selinux.so is used in /etc/pam.d/systemd-user. It ensures that systemd user sessions will run with correct userdomain types instead of init_t. BZ(#1263350)
* Fri Aug 21 2015 Miroslav Grepl <mgrepl@redhat.com> 3.13.1-143
- Add ipmievd policy creaed by vmojzis@redhat.com
- Call kernel_load_module(vmware_host_t) to satisfy neverallow assertion for sys_moudle in MLS where unconfined is disabled.
- Allow NetworkManager to write audit log messages
- Add new policy for ipmievd (ipmitool).
- mirrormanager needs to be application domain and cron_system_entry needs to be called in optional block.
- Allow sandbox domain to be also /dev/mem writer
- Fix neverallow assertion for sys_module capability for openvswitch.
- kernel_load_module() needs to be called out of boolean for svirt_lxc_net_t.
- Fix neverallow assertion for sys_module capability.
- Add more attributes for sandbox domains to avoid neverallow assertion issues.
- Add neverallow asserition fixes related to storage.
- Allow exec pidof under hypervkvp domain. Allow hypervkvp daemon create connection to the system DBUS
- Allow openhpid_t to read system state.
- Add temporary fixes for sandbox related to #1103622. It allows to run everything under one sandbox type.
- Added labels for files provided by rh-nginx18 collection
- Dontaudit block_suspend capability for ipa_helper_t, this is kernel bug. Allow ipa_helper_t capability net_admin. Allow ipa_helper_t to list /tmp. Allow ipa_helper_t to read rpm db.
- Allow rhsmcertd exec rhsmcertd_var_run_t files and rhsmcerd_tmp_t files. This rules are in hide_broken_sympthons until we find better solution.
- Update files_manage_all_files to contain auth_reader_shadow and auth_writer_shadow tosatisfy neverallow assertions.
- Update files_relabel_all_files() interface to contain auth_relabelto_shadow() interface to satisfy neverallow assertion.
- seunshare domains needs to have set_curr_context attribute to resolve neverallow assertion issues.
- Add dev_raw_memory_writer() interface
- Add auth_reader_shadow() and auth_writer_shadow() interfaces
- Update files_relabel_non_auth_files() to contain seutil_relabelto_bin_policy() to make neverallow assertion working.
- Update kernel_read_all_proc() interface to contain can_dump_kernel and can_receive_kernel_messages attributes to fix neverallow violated issue for proc_kcore_t and proc_kmsg_t.
- Update storage_rw_inherited_fixed_disk_dev() interface to use proper attributes to fix neverallow violated issues caused by neverallow check during build process.
* Tue Aug 18 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-142
- Allow samba_net_t to manage samba_var_t sock files.
- Allow httpd daemon to manage httpd_var_lib_t lnk_files.
- Allow collectd stream connect to pdns.(BZ #1191044)
- Add interface pdns_stream_connect()
- Merge branch 'rawhide-contrib' of github.com:fedora-selinux/selinux-policy into rawhide-contrib
- Allow chronyd exec systemctl
- Merge pull request #30 from vmojzis/rawhide-contrib
- Allow lsmd also setuid capability. Some commands need to executed under root privs. Other commands are executed under unprivileged user.
- Allow snapperd to pass data (one way only) via pipe negotiated over dbus.
- Add snapper_read_inherited_pipe() interface.
- Add missing ";" in kerberos.te
- Add support for /var/lib/kdcproxy and label it as krb5kdc_var_lib_t. It needs to be accessible by useradd_t.
- Add support for /etc/sanlock which is writable by sanlock daemon.
- Allow mdadm to access /dev/random and add support to create own files/dirs as mdadm_tmpfs_t.
- Add labels for /dev/memory_bandwith and /dev/vhci. Thanks ssekidde
- Add interface to read/write watchdog device.
- Add transition rule for iptables_var_lib_t
- Allow useradd add homedir located in /var/lib/kdcproxy in ipa-server RPM scriplet.
- Revert "Allow grubby to manage and create /run/blkid with correct labeling"
- Allow grubby to manage and create /run/blkid with correct labeling
- Add fstools_filetrans_named_content_fsadm() and call it for named_filetrans_domain domains. We need to be sure that /run/blkid is created with correct labeling.
- arping running as netutils_t needs to access /etc/ld.so.cache in MLS.
- Allow sysadm to execute systemd-sysctl in the sysadm_t domain. It is needed for ifup command in MLS mode.
- Add systemd_exec_sysctl() and systemd_domtrans_sysctl() interfaces.
- Allow udev, lvm and fsadm to access systemd-cat in /var/tmp/dracut if 'dracut -fv' is executed in MLS.
- Allow admin SELinu users to communicate with kernel_t. It is needed to access /run/systemd/journal/stdout if 'dracut -vf' is executed. We allow it for other SELinux users.
- depmod runs as insmod_t and it needs to manage user tmp files which was allowed for depmod_t. It is needed by dracut command for SELinux restrictive policy (confined users, MLS).
* Wed Aug 05 2015 Miroslav Grepl <mgrepl@redhat.com> 3.13.1-140
- firewalld needs to relabel own config files. BZ(#1250537)
- Allow rhsmcertd to send signull to unconfined_service
- Allow lsm_plugin_t to rw raw_fixed_disk.
- Allow lsm_plugin_t to read sysfs, read hwdata, rw to scsi_generic_device
- Allow openhpid to use libsnmp_bc plugin (allow read snmp lib files).
* Tue Aug 04 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-139
- Add header for sslh.if file
- Fix sslh_admin() interface
- Clean up sslh.if
- Fix typo in pdns.if
- Allow qpid to create lnk_files in qpid_var_lib_t.
- Allow httpd_suexec_t to read and write Apache stream sockets
- Merge pull request #21 from hogarthj/rawhide-contrib
- Allow virt_qemu_ga_t domtrans to passwd_t.
- use read and manage files_patterns and the description for the admin interface
- Merge pull request #17 from rubenk/pdns-policy
- Allow redis to read kernel parameters.
- Label /etc/rt dir as httpd_sys_rw_content_t BZ(#1185500)
- Allow hostapd to manage sock file in /va/run/hostapd Add fsetid cap. for hostapd Add net_raw cap. for hostpad BZ(#1237343)
- Allow bumblebee to seng kill signal to xserver
- glusterd call pcs utility which calls find for cib.* files and runs pstree under glusterd. Dontaudit access to security files and update gluster boolean to reflect these changes.
- Allow drbd to get attributes from filesystems.
- Allow drbd to read configuration options used when loading modules.
- fix the description for the write config files, add systemd administration support and fix a missing gen_require in the admin interface
- Added Booleans: pcp_read_generic_logs.
- Allow pcp_pmcd daemon to read postfix config files. Allow pcp_pmcd daemon to search postfix spool dirs.
- Allow glusterd to communicate with cluster domains over stream socket.
- fix copy paste error with writing the admin interface
- fix up the regex in sslh.fc, add sslh_admin() interface
- Revert "Allow smbd_t and nmbd_t to manage winbind_var_run_t files/socktes/dirs."
- gnome_dontaudit_search_config() needs to be a part of optinal_policy in pegasus.te
- Allow glusterd to manage nfsd and rpcd services.
- Add kdbus.pp policy to allow access /sys/fs/kdbus. It needs to go with own module because this is workaround for now to avoid SELinux in enforcing mode.
- kdbusfs should not be accessible for now by default for shipped policies. It should be moved to kdbus.pp
- kdbusfs should not be accessible for now.
- Add support for /sys/fs/kdbus and allow login_pgm domain to access it.
- Allow sysadm to administrate ldap environment and allow to bind ldap port to allow to setup an LDAP server (389ds).
- Label /usr/sbin/chpasswd as passwd_exec_t.
- Allow audisp_remote_t to read/write user domain pty.
- Allow audisp_remote_t to start power unit files domain to allow halt system.
- Add new boolean - httpd_run_ipa to allow httpd process to run IPA helper and dbus chat with oddjob.
- Add support for oddjob based helper in FreeIPA. BZ(1238165)
- Allow dnssec_trigger_t create dnssec_trigger_tmp_t files in /var/tmp/ BZ(1240840)
- Allow ctdb_t sending signull to smbd_t, for checking if smbd process exists. BZ(1224879)
- Fix cron_system_cronjob_use_shares boolean to call fs interfaces which contain only entrypoint permission.
- Add cron_system_cronjob_use_shares boolean to allow system cronjob to be executed from shares - NFS, CIFS, FUSE. It requires "entrypoint" permissios on nfs_t, cifs_t and fusefs_t SELinux types.
- nrpe needs kill capability to make gluster moniterd nodes working.
- Revert "Dontaudit ctbd_t sending signull to smbd_t."
- Allow ctdb_t sending signull to smbd_t, for checking if smbd process exists. BZ(1224879)
- Fix cron_system_cronjob_use_shares boolean to call fs interfaces which contain only entrypoint permission.
- Add cron_system_cronjob_use_shares boolean to allow system cronjob to be executed from shares - NFS, CIFS, FUSE. It requires "entrypoint" permissios on nfs_t, cifs_t and fusefs_t SELinux types.
- Merge remote-tracking branch 'refs/remotes/origin/rawhide-contrib' into rawhide-contrib
- nrpe needs kill capability to make gluster moniterd nodes working.
* Thu Jun 18 2015 Miroslav Grepl <mgrepl@redhat.com> 3.13.1-130
- Allow glusterd to interact with gluster tools running in a user domain
- rpm_transition_script() is called from rpm_run. Update cloud-init rules.
- Call rpm_transition_script() from rpm_run() interface.
- Allow radvd has setuid and it requires dac_override. BZ(1224403)
- Add glusterd_manage_lib_files() interface.
- Allow samba_t net_admin capability to make CIFS mount working.
- S30samba-start gluster hooks wants to search audit logs. Dontaudit it.
- Reflect logrotate change which moves /var/lib/logrotate.status to /var/lib/logrotate/logrotate.status. BZ(1228531)
- ntop reads /var/lib/ntop/macPrefix.db and it needs dac_override. It has setuid/setgid. BZ(1058822)
- Allow cloud-init to run rpm scriptlets to install packages. BZ(1227484)
- Allow nagios to generate charts.
- Allow glusterd to send generic signals to systemd_passwd_agent processes.
- Allow glusterd to run init scripts.
- Allow glusterd to execute /usr/sbin/xfs_dbin glusterd_t domain.
- Calling cron_system_entry() in pcp_domain_template needs to be a part of optional_policy block.
- Allow samba-net to access /var/lib/ctdbd dirs/files.
- Allow glusterd to send a signal to smbd.
- Make ctdbd as home manager to access also FUSE.
- Allow glusterd to use geo-replication gluster tool.
- Allow glusterd to execute ssh-keygen.
- Allow glusterd to interact with cluster services.
- Add rhcs_dbus_chat_cluster()
- systemd-logind accesses /dev/shm. BZ(1230443)
- Label gluster python hooks also as bin_t.
- Allow sshd to execute gnome-keyring if there is configured pam_gnome_keyring.so.
- Allow gnome-keyring executed by passwd to access /run/user/UID/keyring to change a password.
* Tue Jun 09 2015 Miroslav Grepl <mgrepl@redhat.com> 3.13.1-129
- We need to restore contexts on /etc/passwd*,/etc/group*,/etc/*shadow* during install phase to get proper labeling for these files until selinux-policy pkgs are installed. BZ(1228489)
* Tue Jun 09 2015 Miroslav Grepl <mgrepl@redhat.com> 3.13.1-128
- Add ipsec_rw_inherited_pipes() interface.
- Allow ibus-x11 running as xdm_t to connect uder session buses. We already allow to connect to userdomains over unix_stream_socket.
- Label /usr/libexec/Xorg.wrap as xserver_exec_t.
- Allow systemd-networkd to bind dhcpc ports if DHCP=yes in *.network conf file.
- Add fixes for selinux userspace moving the policy store to /var/lib/selinux.
- Remove optional else block for dhcp ping (needed by CIL)
- Label all gluster hooks in /var/lib/gluster as bin_t. They are not created on the fly.
- Access required to run with unconfine.pp disabled
- Fix selinux_search_fs() interface.
- Update selinux_search_fs(domain) rule to have ability to search /etc/selinuc/ to check if /etc/selinux/config exists.
- Add seutil_search_config() interface.
- Make ssh-keygen as nsswitch domain to access SSSD.
- Label ctdb events scripts as bin_t.
- Add support for /usr/sbin/lvmpolld.
- Allow gvfsd-fuse running as xdm_t to use /run/user/42/gvfs as mountpoint.
- Add support for ~/.local/share/networkmanagement/certificates and update filename transitions rules.
- Allow login_pgm domains to access kernel keyring for nsswitch domains.
- Allow hypervkvp to read /dev/urandom and read addition states/config files.
- Add cgdcbxd policy.
- Allow hypervkvp to execute arping in own domain and make it as nsswitch domain.
- Add labeling for pacemaker.log.
- Allow ntlm_auth running in winbind_helper_t to access /dev/urandom.
- Allow lsmd plugin to connect to tcp/5989 by default.
- Allow lsmd plugin to connect to tcp/5988 by default.
- Allow setuid/setgid for selinux_child.
- Allow radiusd to connect to radsec ports.
- ALlow bind to read/write inherited ipsec pipes.
- Allow fowner capability for sssd because of selinux_child handling.
- Allow pki-tomcat relabel pki_tomcat_etc_rw_t.
- Allow cluster domain to dbus chat with systemd-logind.
- Allow tmpreaper_t to manage ntp log content
- Allow openvswitch_t to communicate with sssd.
- Allow isnsd_t to communicate with sssd.
- Allow rwho_t to communicate with sssd.
- Allow pkcs_slotd_t to communicate with sssd.
- Add httpd_var_lib_t label for roundcubemail
- Allow puppetagent_t to transfer firewalld messages over dbus.
- Allow glusterd to have mknod capability. It creates a special file using mknod in a brick.
- Update rules related to glusterd_brick_t.
- Allow glusterd to execute lvm tools in the lvm_t target domain.
- Allow glusterd to execute xfs_growfs in the target domain.
- Allow sysctl to have running under hypervkvp_t domain.
- Allow smartdnotify to use user terminals.
- Allow pcp domains to create root.socket in /var/lip/pcp directroy.
- Allow NM to execute dnssec-trigger-script in dnssec_trigger_t domain.
- Allow rpcbind to create rpcbind.xdr as a temporary file.
- Allow dnssec-trigger connections to the system DBUS. It uses libnm-glib Python bindings.
- Allow hostapd net_admin capability. hostapd needs to able to set an interface flag.
- rsync server can be setup to send mail
- Make "ostree admin upgrade -r" command which suppose to upgrade the system and reboot working again.
- Remove ctdbd_manage_var_files() interface which is not used and is declared for the wrong type.
- Fix samba_load_libgfapi decl in samba.te.
- Fix typo in nagios_run_sudo() boolean.
- remove duplicate declaration from hypervkvp.te.
- Move ctdd_domtrans() from ctdbd to gluster.
- Allow smbd to access /var/lib/ctdb/persistent/secrets.tdb.0.
- Glusterd wants to manage samba config files if they are setup together.
- ALlow NM to do access check on /sys.
- Allow NetworkManager to keep RFCOMM connection for Bluetooth DUN open . Based on fixes from Lubomir Rintel.
- Allow NetworkManager nm-dispacher to read links.
- Allow gluster hooks scripts to transition to ctdbd_t.
- Allow glusterd to read/write samba config files.
- Update mysqld rules related to mysqld log files.
- Add fixes for hypervkvp realed to ifdown/ifup scripts.
- Update netlink_route_socket for ptp4l.
- Allow glusterd to connect to /var/run/dbus/system_bus_socket.
- ALlow glusterd to have sys_ptrace capability. Needed by gluster+samba configuration.
- Add new boolean samba_load_libgfapi to allow smbd load libgfapi from gluster. Allow smbd to read gluster config files by default.
- Allow gluster to transition to smbd. It is needed for smbd+gluster configuration.
- Allow glusterd to read /dev/random.
- Update nagios_run_sudo boolean to allow run chkpwd.
- Allow docker and container tools to control caps, don't rely on SELinux for now. Since there is no easy way for SELinux modification of policy as far as caps. docker run --cap-add will work now
- Allow sosreport to dbus chat with NM.
- Allow anaconda to run iscsid in own domain. BZ(1220948).
- Allow rhsmcetd to use the ypbind service to access NIS services.
- Add nagios_run_pnp4nagios and nagios_run_sudo booleans to allow run sudo from NRPE utils scripts and allow run nagios in conjunction with PNP4Nagios.
- Allow ctdb to create rawip socket.
- Allow ctdbd to bind smbd port.
- Make ctdbd as userdom_home_reader.
- Dontaudit chrome-sandbox write access its parent process information. BZ(1220958)
- Allow net_admin cap for dnssec-trigger to make wifi reconnect working.
- Add support for /var/lib/ipsilon dir and label it as httpd_var_lib_t. BZ(1186046)
- Allow gluster rpm scripletto create glusterd socket with correct labeling. This is a workaround until we get fix in glusterd.
- Add glusterd_filetrans_named_pid() interface.
- Allow antivirus_t to read system state info.
- Dontaudit use console for chrome-sandbox.
- Add support for ~/.local/share/libvirt/images and for ~/.local/share/libvirt/boot.
- Clamd needs to have fsetid capability.
- Allow cinder-backup to dbus chat with systemd-logind.
- Update httpd_use_openstack boolean to allow httpd to bind commplex_main_port and read keystone log files.
- Allow gssd to access kernel keyring for login_pgm domains.
- Add more fixes related to timemaster+ntp+ptp4l.
- Allow docker sandbox domains to search all mountpoiunts
- update winbind_t rules to allow IPC for winbind.
- Add rpm_exec_t labeling for /usr/bin/dnf-automatic,/usr/bin/dnf-2 and /usr/bin/dnf-3.
- Allow inet_gethost called by couchdb to access /proc/net/unix.
- Allow eu-unstrip running under abrt_t to access /var/lib/pcp/pmdas/linux/pmda_linux.so
- Label /usr/bin/yum-deprecated as rpm_exec_t.
* Tue May 05 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-127
- Add missing typealiases in apache_content_template() for script domain/executable.
- Don't use deprecated userdom_manage_tmpfs_role() interface calliing and use userdom_manage_tmp_role() instead.
- Add support for new cobbler dir locations:
- Add support for iprdbg logging files in /var/log.
- Allow unconfined_service_t to dbus chat with all dbus domains
- Assign rabbitmq port. BZ#1135523
- Add new interface to allow creation of file with lib_t type
- Allow init to read all config files
- We want to remove openshift_t domains ability to look at /proc/net
- I guess lockdown is a file not a directory
- Label /var/bacula/ as bacula_store_t
- Allow rhsmcertd to seng signull to sosreport.
- Allow sending of snmp trap messages by radiusd.
- remove redundant rule fron nova.te.
- Add auth_use_nsswitch() for ctdbd.
- call nova_vncproxy_t instead of vncproxy.
- Allow nova-vncproxy to use varnishd port.
- Fix rhnsd_manage_config() to allow manage also symlinks.
- Allow bacula to create dirs/files in /tmp
- Allow nova-api to use nsswitch.
- Clean up nut policy. Allow nut domains to create temp files. Add nut_domain_template() template interface.
- Allow usbmuxd connect to itself by stream socket. (#1135945)
- I see no reason why unconfined_t should transition to crontab_t, this looks like old cruft
- Allow nswrapper_32_64.nppdf.so to be created with the proper label
- Assign rabbitmq port. BZ#1135523
- Dontaudit leaks of file descriptors from domains that transition to thumb_t
- Fixes for usbmuxd, addition of /var/lib/lockdown, and allow it to use urand, dontaudit sys_resource
- Allow unconfined_service_t to dbus chat with all dbus domains
- Allow avahi_t communicate with pcp_pmproxy_t over dbus.(better way)
- Allow avahi_t communicate with pcp_pmproxy_t over dbus.
* Thu Aug 28 2014 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-77
- Allow aide to read random number generator
- Allow pppd to connect to http port. (#1128947)
- sssd needs to be able write krb5.conf.
- Labeli initial-setup as install_exec_t.
- Allow domains to are allowed to mounton proc to mount on files as well as dirs
* Tue Aug 26 2014 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-76
- Label ~/tmp and ~/.tmp directories in user tmp dirs as user_tmp_t
- Add a port definition for shellinaboxd
- Fix labeling for HOME_DIR/tmp and HOME_DIR/.tmp directories
- Allow thumb_t to read/write video devices
- fail2ban 0.9 reads the journal by default.
- Allow sandbox net domains to bind to rawip socket
* Fri Aug 22 2014 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-75
- Allow haproxy to read /dev/random and /dev/urandom.
- Allow mdadm to seng signull kernel_t which is proces type of mdadm on early boot.
- geoclue needs to connect to http and http_cache ports
- Allow passenger to use unix_stream_sockets leaked into it, from httpd
- Add SELinux policy for highly-available key value store for shared configuration.
- drbd executes modinfo.
- Add glance_api_can_network boolean since glance-api uses huge range port.
- Fix glance_api_can_network() definition.
- Allow smoltclient to connect on http_cache port. (#982199)
- Allow userdomains to stream connect to pcscd for smart cards
- Allow programs to use pam to search through user_tmp_t dires (/tmp/.X11-unix)
- Added MLS fixes to support labeled socket activation which is going to be done by systemd
- Add kernel_signull() interface.
- sulogin_t executes plymouth commands
- lvm needs to be able to accept connections on stream generic sockets
* Thu Aug 21 2014 Kevin Fenzi <kevin@scrye.com> - 3.13.1-74
- Rebuild for rpm bug 1131960
* Mon Aug 18 2014 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-73
- Allow ssytemd_logind_t to list tmpfs directories
- Allow lvm_t to create undefined sockets
- Allow passwd_t to read/write stream sockets
- Allow docker lots more access.
- Fix label for ports
- Add support for arptables-{restore,save} and also labeling for /usr/lib/systemd/system/arptables.service.
- Label tcp port 4194 as kubernetes port.
- Additional access required for passenger_t
- sandbox domains should be allowed to use libraries which require execmod
- Allow qpid to read passwd files BZ (#1130086)
- Remove cockpit port, it is now going to use websm port
- Add getattr to the list of access to dontaudit on unix_stream_sockets
- Allow sendmail to append dead.letter located in var/spool/nagios/dead.letter.
* Tue Aug 12 2014 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-72
- docker needs to be able to look at everything in /dev
- Allow all processes to send themselves signals
- Allow sysadm_t to create netlink_tcpdiag socket
- sysadm_t should be allowed to communicate with networkmanager
- These are required for bluejeans to work on a unconfined.pp disabled machine
- docker needs setfcap
- Allow svirt domains to manage chr files and blk files for mknod commands
- Allow fail2ban to read audit logs
- Allow cachefilesd_t to send itself signals
- Allow smokeping cgi script to send syslog messages
- Allow svirt sandbox domains to relabel content
- Since apache content can be placed anywhere, we should just allow apache to search through any directory
- These are required for bluejeans to work on a unconfined.pp disabled machin
* Mon Aug 4 2014 Miroslav Grepl <mgrepl@redhat.com> 3.13.1-71
- shell_exec_t should not be in cockip.fc
* Mon Aug 4 2014 Miroslav Grepl <mgrepl@redhat.com> 3.13.1-70
- Add additional fixes for abrt-dump-journal-oops which is now labeled as abrt_dump_oops_exec_t.
- Allow denyhosts to enable synchronization which needs to connect to tcp/9911 port.
- Allow nacl_helper_boo running in :chrome_sandbox_t to send SIGCHLD to chrome_sandbox_nacl_t.
- Dontaudit write access on generic cert files. We don't audit also access check.
- Add support for arptables.
- Add labels and filenametrans rules for ostree repo directories which needs to be writable by subscription-manager.
* Mon Aug 4 2014 Tom Callaway <spot@fedoraproject.org> 3.13.1-69
- fix license handling
* Thu Jul 31 2014 Miroslav Grepl <mgrepl@redhat.com> 3.13.1-68
- Add new mozilla_plugin_bind_unreserved_ports boolean to allow mozilla plugin to use tcp/udp unreserved ports. There is a lot of plugins which binds ports without SELinux port type. We want to allow users to use these plugins properly using this boolean. (#1109681)
- Allow smokeping cgi scripts to accept connection on httpd stream socket.
- docker does a getattr on all file systems
- Label all abort-dump programs
- Allow alsa to create lock file to see if it fixes.
- Add support for zabbix external scripts for which zabbix_script_t domain has been created. This domain is unconfined by default and user needs to run "semodule -d unconfined" to make system running without unconfined domains. The default location of these scripts is /usr/lib/zabbix/externalscripts. If a user change DATADIR in CONFIG_EXTERNALSCRIPTS then he needs to set labeling for this new location.
- Add interface for journalctl_exec
- Add labels also for glusterd sockets.
- Change virt.te to match default docker capabilies
- Add additional booleans for turning on mknod or all caps.
- Also add interface to allow users to write policy that matches docker defaults
- for capabilies.
- Label dhcpd6 unit file.
- Add support also for dhcp IPv6 services.
- Added support for dhcrelay service
- Additional access for bluejeans
- docker needs more access, need back port to RHEL7
- Allow mdadm to connect to own socket created by mdadm running as kernel_t.
- Fix pkcs, Remove pkcs_lock_filetrans and Add files_search_locks
- Allow bacula manage bacula_log_t dirs
- Allow pkcs_slotd_t read /etc/passwd, Label /var/lock/opencryptoki as pkcs_slotd_lock_t
- Fix mistakes keystone and quantum
- Label neutron var run dir
- Label keystone var run dir
- Fix bad labeling for /usr/s?bin/(oo|rhc)-restorer-wrapper.sh in openshift.fc.
- Dontaudit attempts to access check cert dirs/files for sssd.
- Allow sensord to send a signal.
- Allow certmonger to stream connect to dirsrv to make ipa-server-install working.
- Label zabbix_var_lib_t directories
- Label conmans pid file as conman_var_run_t
- Label also /var/run/glusterd.socket file as gluster_var_run_t
- Fix policy for pkcsslotd from opencryptoki
- Update cockpik policy from cockpit usptream.
- Allow certmonger to exec ldconfig to make ipa-server-install working.
- Added support for Naemon policy
- Allow keepalived manage snmp files
- Add setpgid process to mip6d
- remove duplicate rule
- Allow postfix_smtpd to stream connect to antivirus
- Add rhcs_stream_connect_haproxy interface, Allow neutron stream connect to rhcs
- Add fsetid caps for mandb. #1116165
- Allow all nut domains to read /dev/(u)?random.
- Allow deltacloudd_t to read network state BZ #1116940
- Add support for KVM virtual machines to use NUMA pre-placement
- Allow utilize winbind for authentication to AD
- Allow chrome sandbox to use udp_sockets leaked in by its parent
- Allow gfs_controld_t to getattr on all file systems
- Allow logrotate to manage virt_cache
- varnishd needs to have fsetid capability
- Allow dovecot domains to send signal perms to themselves
- Allow apache to manage pid sock files
- Allow nut_upsmon_t to create sock_file in /run dir
- Add capability sys_ptrace to stapserver
- Mysql can execute scripts when run in a cluster to see if someone is listening on a socket, basically runs lsof
- Added support for vdsm
* Fri Jul 4 2014 Miroslav Grepl<mgrepl@redhat.com> 3.13.1-63
- If I can create a socket I need to be able to set the attributes
- Add tcp/8775 port as neutron port
- Add additional ports for swift ports
- Added changes to fedora from bug bz#1082183
- Add support for tcp/6200 port
- Allow collectd getattr access to configfs_t dir Fixes Bug 1115040
- Update neutron_manage_lib_files() interface
- Allow glustered to connect to ephemeral ports
- Allow apache to search ipa lib files by default
- Allow neutron to domtrans to haproxy
- Add rhcs_domtrans_haproxy()
- Add support for openstack-glance-* unit files
- Add initial support for /usr/bin/glance-scrubber
- Allow swift to connect to keystone and memcache ports.
- Fix labeling for /usr/lib/systemd/system/openstack-cinder-backup
- Add policies for openstack-cinder
- Add support for /usr/bin/nova-conductor
- Add neutron_can_network boolean
- Allow neutron to connet to neutron port
- Allow glance domain to use syslog
- Add support for /usr/bin/swift-object-expirer and label it as swift_exec_t
* Wed Jun 25 2014 Miroslav Grepl<mgrepl@redhat.com> 3.13.1-62
- Allow swift to use tcp/6200 swift port
- ALlow swift to search apache configs
- Remove duplicate .fc entry for Grilo plugin bookmarks
- Remove duplicate .fc entry for telepathy-gabble
- Additional allow rules for docker sandbox processes
- Allow keepalived connect to agentx port
- Allow neutron-ns-metadata to connectto own unix stream socket
- Add support for tcp/6200 port
- Remove ability for confined users to run xinit
- New tool for managing wireless /usr/sbin/iw
* Fri Jun 20 2014 Miroslav Grepl<mgrepl@redhat.com> 3.13.1-61
- Add back MLS policy
* Thu Jun 19 2014 Miroslav Grepl<mgrepl@redhat.com> 3.13.1-60
- Implement new spec file handling for *.pp modules which allows us to move a policy module out of the policy
* Tue Jun 17 2014 Miroslav Grepl<mgrepl@redhat.com> 3.13.1-59
- Allow system_bus_types to use stream_sockets inherited from system_dbusd
- Allow journalctl to call getpw
- New access needed by dbus to talk to kernel stream
- Label sm-notifypid files correctly
- contrib: Add KMSCon policy module
* Wed Jun 11 2014 Miroslav Grepl<mgrepl@redhat.com> 3.13.1-58
- Add mozilla_plugin_use_bluejeans boolean
- Add additional interfaces needed by mozilla_plugin_use_bluejeans boolean
* Mon Jun 9 2014 Miroslav Grepl<mgrepl@redhat.com> 3.13.1-57
- Allow staff_t to communicate and run docker
- Fix *_ecryptfs_home_dirs booleans
- Allow ldconfig_t to read/write inherited user tmp pipes
- Allow storaged to dbus chat with lvm_t
- Add support for storaged and storaged-lvm-helper. Labeled it as lvm_exec_t.
- Use proper calling in ssh.te for userdom_home_manager attribute
- Use userdom_home_manager_type() also for ssh_keygen_t
- Allow locate to list directories without labels
- Allow bitlbee to use tcp/7778 port
- /etc/cron.daily/logrotate to execute fail2ban-client.
- Allow keepalives to connect to SNMP port. Support to do SNMP stuff
- Allow staff_t to communicate and run docker
- Dontaudit search mgrepl/.local for cobblerd_t
- Allow neutron to execute kmod in insmod_t
- Allow neutron to execute udevadm in udev_t
- Allow also fowner cap for varnishd
- Allow keepalived to execute bin_t/shell_exec_t
- rhsmcertd seems to need these accesses. We need this backported to RHEL7 and perhaps RHEL6 policy
- Add cups_execmem boolean
- Allow gear to manage gear service
- New requires for gear to use systemctl and init var_run_t
- Allow cups to execute its rw_etc_t files, for brothers printers
- Add fixes to make munin and munin-cgi working. Allow munin-cgit to create files/dirs in /tmp, list munin conf dirs and manage munin logs.
- Allow swift to execute bin_t
- Allow swift to bind http_cache
* Sun Jun 08 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 3.13.1-56
- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild
* Tue May 27 2014 Miroslav Grepl<mgrepl@redhat.com> 3.13.1-55
- Add decl for cockip port
- Allow sysadm_t to read all kernel proc
- Allow logrotate to execute all executables
- Allow lircd_t to use tty_device_t for use withmythtv
- Make sure all zabbix files direcories in /var/log have the correct label
- Allow bittlebee to create directories and files in /var/log with the correct label
- Label /var/log/horizon as an apache log
- Add squid directory in /var/run
- Add transition rules to allow rabbitmq to create log files and var_lib files with the correct label
- Wronly labeled avahi_var_lib_t as a pid file
- Fix labels on rabbitmq_var_run_t on file/dir creation
- Allow neutron to create sock files
- Allow postfix domains to getattr on all file systems
- Label swift-proxy-server as swift_exec_t
- Tighten SELinux capabilities to match docker capabilities
- Add fixes for squid which is configured to run with more than one worker.
- Allow cockpit to bind to its port
* Tue May 20 2014 Miroslav Grepl<mgrepl@redhat.com> 3.13.1-54
- geard seems to do a lot of relabeling
- Allow system_mail_t to append to munin_var_lib_t
- Allow mozilla_plugin to read alsa_rw_ content
- Allow asterisk to connect to the apache ports
- Dontaudit attempts to read fixed disk
- Dontaudit search gconf_home_t
- Allow rsync to create swift_server.lock with swift.log labeling
- Add labeling for swift lock files
- Use swift_virt_lock in swift.te
- Allow openwsman to getattr on sblim_sfcbd executable
- Fix sblim_stream_connect_sfcb() to contain also sblim_tmp_t
- Allow openwsman_t to read/write sblim-sfcb shared mem
- Allow openwsman to stream connec to sblim-sfcbd
- Allow openwsman to create tmpfs files/dirs
- dontaudit acces to rpm db if rpm_exec for swift_t and sblim_sfcbd_t
- Allow sblim_sfcbd to execute shell
- Allow swift to create lock file
- Allow openwsman to use tcp/80
- Allow neutron to create also dirs in /tmp
- Allow seunshare domains to getattr on all executables
- Allow ssh-keygen to create temporary files/dirs needed by OpenStack
- Allow named_filetrans_domain to create /run/netns
- Allow ifconfig to create /run/netns
* Tue May 13 2014 Miroslav Grepl<mgrepl@redhat.com> 3.13.1-53
- Add missing dyntransition for sandbox_x_domain
* Wed May 7 2014 Miroslav Grepl<mgrepl@redhat.com> 3.13.1-52
- More rules for gears and openshift
- Added iotop policy. Thanks William Brown
- Allow spamc to read .pyzor located in /var/spool/spampd
- Allow spamc to create home content with correct labeling
- Allow logwatch_mail_t to create dead.letter with correct labelign
- Add labeling for min-cloud-agent
- Allow geoclue to read unix in proc.
- Add support for /usr/local/Brother labeling. We removed /usr/local equiv.
- add support for min-cloud-agent
- Allow ulogd to request the kernel to load a module
- remove unconfined_domain for openwsman_t
- Add openwsman_tmp_t rules
- Allow openwsman to execute chkpwd and make this domain as unconfined for F20.
- Allow nova-scheduler to read passwd file
- Allow neutron execute arping in neutron_t
- Dontaudit logrotate executing systemctl command attempting to net_admin
- Allow mozilla plugins to use /dev/sr0
- svirt sandbox domains to read gear content in /run. Allow gear_t to manage openshift files
- Any app that executes systemctl will attempt a net_admin
- Fix path to mmap_min_addr
* Wed May 7 2014 Miroslav Grepl<mgrepl@redhat.com> 3.13.1-51
- Add gear fixes from dwalsh
* Tue May 6 2014 Miroslav Grepl<mgrepl@redhat.com> 3.13.1-50
- selinux_unconfined_type should not be able to set booleans if the securemode is set
- Update sandbox_transition() to call sandbox_dyntrasition(). #885288.
* Mon May 5 2014 Miroslav Grepl<mgrepl@redhat.com> 3.13.1-49
- Fix labeling for /root/\.yubico
- userdom_search_admin_dir() calling needs to be optional in kernel.te
- Dontaudit leaked xserver_misc_device_t into plugins
- Allow all domains to search through all base_file_types, this should be back ported to RHEL7 policy
- Need to allow sssd_t to manage kernel keyrings in login programs since they don't get labeled with user domains
- Bootloader wants to look at init state
- Add MCS/MLS Constraints to kernel keyring, also add MCS Constraints to ipc, sem.msgq, shm
- init reads kdbump etc files
- Add support for tcp/9697
- Fix labeling for /var/run/user/<UID>/gvfs
- Add support for us_cli ports
- fix sysnet_use_ldap
- Allow mysql to execute ifconfig if Red Hat OpenStack
- ALlow stap-server to get attr on all fs
- Fix mail_pool_t to mail_spool_t
- Dontaudit leaked xserver_misc_device_t into plugins
- Need to allow sssd_t to manage kernel keyrings in login programs since they don't get labeled with user domains
- Add new labeling for /var/spool/smtpd
- Allow httpd_t to kill passenger
- Allow apache cgi scripts to use inherited httpd_t unix_stream_sockets
- Allow nova-scheduler to read passwd/utmp files
- Additional rules required by openstack, needs backport to F20 and RHEL7
- Additional access required by docker
- ALlow motion to use tcp/8082 port
* Fri Apr 25 2014 Miroslav Grepl<mgrepl@redhat.com> 3.13.1-48
- Fix virt_use_samba boolean
- Looks like all domains that use dbus libraries are now reading /dev/urand
- Add glance_use_fusefs() boolean
- Allow tgtd to read /proc/net/psched
- Additional access required for gear management of openshift directories
- Allow sys_ptrace for mock-build
- Fix mock_read_lib_files() interface
- Allow mock-build to write all inherited ttys and ptys
- Allow spamd to create razor home dirs with correct labeling
- Clean up sysnet_use_ldap()
- systemd calling needs to be optional
- Allow init_t to setattr/relabelfrom dhcp state files
* Wed Apr 23 2014 Miroslav Grepl<mgrepl@redhat.com> 3.13.1-47
- mongod should not be a part of cloudforms.pp
- Fix labeling in snapper.fc
- Allow docker to read unconfined_t process state
- geoclue dbus chats with NetworkManager
- Add cockpit policy
- Add interface to allow tools to check the processes state of bind/named
- Allow myslqd to use the tram port for Galera/MariaDB
* Fri Apr 18 2014 Miroslav Grepl<mgrepl@redhat.com> 3.13.1-46
- Allow init_t to setattr/relabelfrom dhcp state files
- Allow dmesg to read hwdata and memory dev
- Allow strongswan to create ipsec.secrets with correct labeling in /etc/strongswan
- Dontaudit antivirus domains read access on all security files by default
- Add missing alias for old amavis_etc_t type
- Additional fixes for instack overcloud
- Allow block_suspend cap for haproxy
- Allow OpenStack to read mysqld_db links and connect to MySQL
- Remove dup filename rules in gnome.te
- Allow sys_chroot cap for httpd_t and setattr on httpd_log_t
- Add labeling for /lib/systemd/system/thttpd.service
- Allow iscsid to handle own unit files
- Add iscsi_systemctl()
- Allow mongod also create sock_file with correct labeling in /run
- Allow aiccu stream connect to pcscd
- Allow rabbitmq_beam to connect to httpd port
- Allow httpd to send signull to apache script domains and don't audit leaks
- Fix labeling in drbd.fc
- Allow sssd to connect to the smbd port for handing logins using active directory, needs back port for rhel7
- Allow all freeipmi domains to read/write ipmi devices
- Allow rabbitmq_epmd to manage rabbit_var_log_t files
- Allow sblim_sfcbd to use also pegasus-https port
- Allow chronyd to read /sys/class/hwmon/hwmon1/device/temp2_input
- Add httpd_run_preupgrade boolean
- Add interfaces to access preupgrade_data_t
- Add preupgrade policy
- Add labeling for puppet helper scripts
* Tue Apr 8 2014 Miroslav Grepl<mgrepl@redhat.com> 3.13.1-45
Rename puppet_t to puppetagent_t and used it only for puppet agent which can be started by init. Also make it as unconfined_noaudit because there is no reason to confine it but we wantto avoid init_t.
* Tue Apr 8 2014 Miroslav Grepl<mgrepl@redhat.com> 3.13.1-44
- Change hsperfdata_root to have as user_tmp_t
- Allow rsyslog low-level network access
- Fix use_nfs_home_dirs/use_samba_home_dirs for xdm_t to allow append .xsession-errors by lightdm
- Allow conman to resolve DNS and use user ptys
- update pegasus_openlmi_admin_t policy
- nslcd wants chown capability
- Dontaudit exec insmod in boinc policy
* Fri Apr 4 2014 Miroslav Grepl<mgrepl@redhat.com> 3.13.1-43
- Add labels for /var/named/chroot_sdb/dev devices
- Add support for strongimcv
- Add additional fixes for yubikeys based on william@firstyear.id.au
- Allow init_t run /sbin/augenrules
- Remove dup decl for dev_unmount_sysfs_fs
- Allow unpriv SELinux user to use sandbox
- Fix ntp_filetrans_named_content for sntp-kod file
- Add httpd_dbus_sssd boolean
- Dontaudit exec insmod in boinc policy
- Add dbus_filetrans_named_content_system()
- We want to label only /usr/bin/start-puppet-master to avoid puppet agent running in puppet_t
- varnishd wants chown capability
- update ntp_filetrans_named_content() interface
- Add additional fixes for neutron_t. #1083335
- Dontaudit sandbox_t getattr on proc_kcore_t
- Allow pki_tomcat_t to read ipa lib files
* Tue Apr 1 2014 Miroslav Grepl<mgrepl@redhat.com> 3.13.1-42
- Merge user_tmp_t and user_tmpfs_t together to have only user_tmp_t
* Thu Mar 27 2014 Miroslav Grepl<mgrepl@redhat.com> 3.13.1-41
- Turn on gear_port_t
- Add gear policy and remove permissive domains.
- Add labels for ostree
- Add SELinux awareness for NM
- Label /usr/sbin/pwhistory_helper as updpwd_exec_t
* Wed Mar 26 2014 Miroslav Grepl<mgrepl@redhat.com> 3.13.1-40
- update storage_filetrans_all_named_dev for sg* devices
- Allow auditctl_t to getattr on all removeable devices
- Allow nsswitch_domains to stream connect to nmbd
- Allow rasdaemon to rw /dev/cpu//msr
- fix /var/log/pki file spec
- make bacula_t as auth_nsswitch domain
- Allow certmonger to manage ipa lib files
- Add support for /var/lib/ipa
* Tue Mar 25 2014 Miroslav Grepl<mgrepl@redhat.com> 3.13.1-39
- Manage_service_perms should include enable and disable, need backport to RHEL7
- Allow also unpriv user to run vmtools
- Allow secadm to read /dev/urandom and meminfo
- Add userdom_tmp_role for secadm_t
- Allow postgresql to read network state
- Add a new file context for /var/named/chroot/run directory
- Add booleans to allow docker processes to use nfs and samba
- Dontaudit net_amdin for /usr/lib/jvm/java-1.7.0-openjdk-1.7.0.51-2.4.5.1.el7.x86_64/jre-abrt/bin/java running as pki_tomcat_t
- Allow puppet stream connect to mysql
- Fixed some rules related to puppet policy
- Allow vmware-user-sui to use user ttys
- Allow talk 2 users logged via console too
- Additional avcs for docker when running tests
- allow anaconda to dbus chat with systemd-localed
- clean up rhcs.te
- remove dup rules from haproxy.te
- Add fixes for haproxy based on bperkins@redhat.com
- Allow cmirrord to make dmsetup working
- Allow NM to execute arping
- Allow users to send messages through talk
- update rtas_errd policy
- Add support for /var/spool/rhsm/debug
- Make virt_sandbox_use_audit as True by default
- Allow svirt_sandbox_domains to ptrace themselves
- Allow snmpd to getattr on removeable and fixed disks
- Allow docker containers to manage /var/lib/docker content
* Mon Mar 17 2014 Miroslav Grepl<mgrepl@redhat.com> 3.13.1-38
- Label sddm as xdm_exec_t to make KDE working again
- Allow postgresql to read network state
- Allow java running as pki_tomcat to read network sysctls
- Fix cgroup.te to allow cgred to read cgconfig_etc_t
- Allow beam.smp to use ephemeral ports
- Allow winbind to use the nis to authenticate passwords
* Mon Mar 17 2014 Miroslav Grepl<mgrepl@redhat.com> 3.13.1-37
- Allow collectd to talk to libvirt
- Allow chrome_sandbox to use leaked unix_stream_sockets
- Dontaudit leaks of sockets into chrome_sandbox_t
- If you create a cups directory in /var/cache then it should be labeled cups_rw_etc_t
- Run vmtools as unconfined domains
- Allow snort to manage its log files
- Allow systemd_cronjob_t to be entered via bin_t
- Allow procman to list doveconf_etc_t
- allow keyring daemon to create content in tmpfs directories
- Add proper labelling for icedtea-web
- vpnc is creating content in networkmanager var run directory
- unconfined_service should be allowed to transition to rpm_script_t
- Allow couchdb to listen on port 6984
- Dontaudit attempts by unpriv user domain to write to /run/mount directory, caused by running mount command
- Allow systemd-logind to setup user tmpfs directories
- Add additional fixes for systemd_networkd_t
- Allow systemd-logind to manage user_tmpfs_t
- Allow systemd-logind to mount /run/user/1000 to get gdm working
* Fri Mar 14 2014 Miroslav Grepl<mgrepl@redhat.com> 3.13.1-36
- Add additional fixes for systemd_networkd_t
- Allow systemd-logind to manage user_tmpfs_t
- Allow systemd-logind to mount /run/user/1000 to get gdm working
- Dontaudit attempts to setsched on the kernel_t threads
- Allow munin mail plugins to read network systcl
- Fix git_system_enable_homedirs boolean
- Make cimtest script 03_defineVS.py of ComputerSystem group working
- Make abrt-java-connector working
- Allow net_admin cap for fence_virtd running as fenced_t
- Allow vmtools_helper_t to execute bin_t
- Add support for /usr/share/joomla
* Thu Mar 13 2014 Miroslav Grepl<mgrepl@redhat.com> 3.13.1-35
- sshd to read network sysctls
- Allow vmtools_helper_t to execute bin_t
- Add support for /usr/share/joomla
- /var/lib/containers should be labeled as openshift content for now
- Allow docker domains to talk to the login programs, to allow a process to login into the container
* Wed Mar 12 2014 Miroslav Grepl<mgrepl@redhat.com> 3.13.1-34
- Add install_t for anaconda
* Wed Mar 12 2014 Miroslav Grepl<mgrepl@redhat.com> 3.13.1-33
- Allow init_t to stream connect to ipsec
- Add /usr/lib/systemd/systemd-networkd policy
- Add sysnet_manage_config_dirs()
- Add support for /var/run/systemd/network and labeled it as net_conf_t
- Allow unpriv SELinux users to dbus chat with firewalld
- Add lvm_write_metadata()
- Label /etc/yum.reposd dir as system_conf_t. Should be safe because system_conf_t is base_ro_file_type
- Add support for /dev/vmcp and /dev/sclp
- Add docker_connect_any boolean
- Fix zabbix policy
- Allow zabbix to send system log msgs
- Allow pegasus_openlmi_storage_t to write lvm metadata
- Updated pcp_bind_all_unreserved_ports
- Allow numad to write scan_sleep_millisecs
- Turn on entropyd_use_audio boolean by default
- Allow cgred to read /etc/cgconfig.conf because it contains templates used together with rules from /etc/cgrules.conf.
- Allow lscpu running as rhsmcertd_t to read /proc/sysinfo
* Mon Mar 10 2014 Miroslav Grepl<mgrepl@redhat.com> 3.13.1-32
- Allow numad to write scan_sleep_millisecs
- Turn on entropyd_use_audio boolean by default
- Allow cgred to read /etc/cgconfig.conf because it contains templates used together with rules from /etc/cgrules.conf.
- Allow lscpu running as rhsmcertd_t to read /proc/sysinfo
- Allow numad to write scan_sleep_millisecs
- Turn on entropyd_use_audio boolean by default
- Allow cgred to read /etc/cgconfig.conf because it contains templates used together with rules from /etc/cgrules.conf.
- Allow lscpu running as rhsmcertd_t to read /proc/sysinfo
- Fix label on irclogs in the homedir
* Fri Mar 7 2014 Miroslav Grepl<mgrepl@redhat.com> 3.13.1-31
- Modify xdm_write_home to allow create files/links in /root with xdm_home_t
- Add more fixes for https://fedoraproject.org/wiki/Changes/XorgWithoutRootRights
- Add filename transition also for servicelog.db-journal
- Add files_dontaudit_access_check_root()
- Add lvm_dontaudit_access_check_lock() interface
- Allow mount to manage mount_var_run_t files/dirs
* Tue Dec 3 2013 Miroslav Grepl<mgrepl@redhat.com> 3.13.1-8
- Add back fixes for gnome_role_template()
- Label /usr/sbin/htcacheclean as httpd_exec_t
- Add missing alias for pegasus_openlmi_service_exec_t
- Added support for rdisc unit file
- Added new policy for ninfod
- Added new policy for openwsman
- Add antivirus_db_t labeling for /var/lib/clamav-unofficial-sigs
- Allow runuser running as logrotate connections to system DBUS
- Add connectto perm for NM unix stream socket
- Allow watchdog to be executed from cron
- Allow cloud_init to transition to rpm_script_t
- Allow lsmd_plugin_t send system log messages
- Label /var/log/up2date as rpm_log_t and allow sosreport to manage rpm log/pid/cache files which is a part of ABRT policy for sosreport running as abrt_t
- Added new capabilities for mip6d policy
- Label bcache devices as fixed_disk_device_t
- Allow systemctl running in ipsec_mgmt_t to access /usr/lib/systemd/system/ipsec.service
- label /usr/lib/systemd/system/ipsec.service as ipsec_mgmt_unit_file_t
* Tue Nov 26 2013 Miroslav Grepl<mgrepl@redhat.com> 3.13.1-7
- Add lsmd_plugin_t for lsm plugins
- Allow dovecot-deliver to search mountpoints
- Add labeling for /etc/mdadm.conf
- Allow opelmi admin providers to dbus chat with init_t
- Allow sblim domain to read /dev/urandom and /dev/random
- Add back exec_content boolean for secadm, logadm, auditadm
- Allow sulogin to getattr on /proc/kcore
* Tue Nov 26 2013 Miroslav Grepl<mgrepl@redhat.com> 3.13.1-6
- Add filename transition also for servicelog.db-journal
- Add files_dontaudit_access_check_root()
- Add lvm_dontaudit_access_check_lock() interface
- Allow mount to manage mount_var_run_t files/dirs
- Allow updapwd_t to ignore mls levels for writign shadow_t at a lower level
- Make sure boot.log is created with the correct label
- call logging_relabel_all_log_dirs() in systemd.te
- Allow systemd_tmpfiles to relabel log directories
- Allow staff_t to run frequency command
- Allow staff_t to read xserver_log file
- This reverts commit c0f9f125291f189271cbbca033f87131dab1e22f.
- Label hsperfdata_root as tmp_t
- Add plymouthd_create_log()
- Dontaudit leaks from openshift domains into mail domains, needs back port to RHEL6
- Allow sssd to request the kernel loads modules
- Allow gpg_agent to use ssh-add
- Allow gpg_agent to use ssh-add
- Dontaudit access check on /root for myslqd_safe_t
- Add glusterd_brick_t files type
- Allow ctdb to getattr on al filesystems
- Allow abrt to stream connect to syslog
- Allow dnsmasq to list dnsmasq.d directory
- Watchdog opens the raw socket
- Allow watchdog to read network state info
- Dontaudit access check on lvm lock dir
- Allow sosreport to send signull to setroubleshootd
- Add setroubleshoot_signull() interface
- Fix ldap_read_certs() interface
- Allow sosreport all signal perms
- Allow sosreport to run systemctl
- Allow sosreport to dbus chat with rpm
- Allow zabbix_agentd to read all domain state
- Allow sblim_sfcbd_t to read from /dev/random and /dev/urandom
- Allow smoltclient to execute ldconfig
- Allow sosreport to request the kernel to load a module
- Clean up rtas.if
- Clean up docker.if
- drop /var/lib/glpi/files labeling in cron.fc
- Added new policy for rasdaemon
- Add apache labeling for glpi
- Allow pegasus to transition to dmidecode
- Make sure boot.log is created with the correct label
- Fix typo in openshift.te
- remove dup bumblebee_systemctl()
- Allow watchdog to read /etc/passwd
- Allow condor domains to read/write condor_master udp_socket
- Allow openshift_cron_t to append to openshift log files, label /var/log/openshift
- Add back file_pid_filetrans for /var/run/dlm_controld
- Allow smbd_t to use inherited tmpfs content
- Allow mcelog to use the /dev/cpu device
- sosreport runs rpcinfo
- sosreport runs subscription-manager
- Allow setpgid for sosreport
- Allow browser plugins to connect to bumblebee
- New policy for bumblebee and freqset
- Add new policy for mip6d daemon
- Add new policy for opensm daemon
* Mon Nov 18 2013 Miroslav Grepl<mgrepl@redhat.com> 3.13.1-5
- Add back /dev/shm labeling
* Mon Nov 18 2013 Miroslav Grepl<mgrepl@redhat.com> 3.13.1-4
- Fix gnome_role_template() interface
* Thu Nov 14 2013 Miroslav Grepl<mgrepl@redhat.com> 3.13.1-3
- Add policy-rawhide-contrib-apache-content.patch to re-write apache_content_template() by dwalsh
* Thu Nov 14 2013 Dan Walsh<dwalsh@redhat.com> 3.13.1-2
- Fix config.tgz to include lxc_contexts and systemd_contexts
* Wed Nov 13 2013 Miroslav Grepl <mgrepl@redhat.com> 3.13.1-1
- Update to upstream
* Tue Nov 12 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-100
- Fix passenger_stream_connect interface
- setroubleshoot_fixit wants to read network state
- Allow procmail_t to connect to dovecot stream sockets
- Allow cimprovagt service providers to read network states
- Add labeling for /var/run/mariadb
- pwauth uses lastlog() to update system's lastlog
- Allow account provider to read login records
- Add support for texlive2013
- More fixes for user config files to make crond_t running in userdomain
- Add back disable/reload/enable permissions for system class
- Fix manage_service_perms macro
- Allow passwd_t to connect to gnome keyring to change password
- Update mls config files to have cronjobs in the user domains
- Remove access checks that systemd does not actually do
* Fri Nov 8 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-99
- Add support for yubikey in homedir
- Add support for upd/3052 port
- Allow apcupsd to use PowerChute Network Shutdown
- Allow lsmd to execute various lsmplugins
- Add labeling also for /etc/watchdog\.d where are watchdog scripts located too
- Update gluster_export_all_rw boolean to allow relabel all base file types
- Allow x86_energy_perf tool to modify the MSR
- Fix /var/lib/dspam/data labeling
* Wed Nov 6 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-98
- Add files_relabel_base_file_types() interface
- Allow netlabel-config to read passwd
- update gluster_export_all_rw boolean to allow relabel all base file types caused by lsetxattr()
- Allow x86_energy_perf tool to modify the MSR
- Fix /var/lib/dspam/data labeling
- Allow pegasus to domtrans to mount_t
- Add labeling for unconfined scripts in /usr/libexec/watchdog/scripts
- Add support for unconfined watchdog scripts
- Allow watchdog to manage own log files
* Wed Nov 6 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-97
- Add label only for redhat.repo instead of /etc/yum.repos.d. But probably we will need to switch for the directory.
- Label /etc/yum.repos.d as system_conf_t
- Use sysnet_filetrans_named_content in udev.te instead of generic transition for net_conf_t
- Allow dac_override for sysadm_screen_t
- Allow init_t to read ipsec_conf_t as we had it for initrc_t. Needed by ipsec unit file.
- Allow netlabel-config to read meminfo
- Add interface to allow docker to mounton file_t
- Add new interface to exec unlabeled files
- Allow lvm to use docker semaphores
- Setup transitons for .xsessions-errors.old
- Change labels of files in /var/lib/*/.ssh to transition properly
- Allow staff_t and user_t to look at logs using journalctl
- pluto wants to manage own log file
- Allow pluto running as ipsec_t to create pluto.log
- Fix alias decl in corenetwork.te.in
- Add support for fuse.glusterfs
- Allow dmidecode to read/write /run/lock/subsys/rhsmcertd
- Allow rhsmcertd to manage redhat.repo which is now labeled as system.conf. Allow rhsmcertd to manage all log files.
- Additional access for docker
- Added more rules to sblim policy
- Fix kdumpgui_run_bootloader boolean
- Allow dspam to connect to lmtp port
- Included sfcbd service into sblim policy
- rhsmcertd wants to manaage /etc/pki/consumer dir
- Add kdumpgui_run_bootloader boolean
- Add support for /var/cache/watchdog
- Remove virt_domain attribute for virt_qemu_ga_unconfined_t
- Fixes for handling libvirt containes
- Dontaudit attempts by mysql_safe to write content into /
- Dontaudit attempts by system_mail to modify network config
- Allow dspam to bind to lmtp ports
- Add new policy to allow staff_t and user_t to look at logs using journalctl
- Allow apache cgi scripts to list sysfs
- Dontaudit attempts to write/delete user_tmp_t files
- Allow all antivirus domains to manage also own log dirs
- Allow pegasus_openlmi_services_t to stream connect to sssd_t
* Fri Nov 1 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-96
- Add missing permission checks for nscd
* Wed Oct 30 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-95
- Fix alias decl in corenetwork.te.in
- Add support for fuse.glusterfs
- Add file transition rules for content created by f5link
- Rename quantum_port information to neutron
- Allow all antivirus domains to manage also own log dirs
- Rename quantum_port information to neutron
- Allow pegasus_openlmi_services_t to stream connect to sssd_t
* Mon Oct 28 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-94
- Allow sysadm_t to read login information
- Allow systemd_tmpfiles to setattr on var_log_t directories
- Udpdate Makefile to include systemd_contexts
- Add systemd_contexts
- Add fs_exec_hugetlbfs_files() interface
- Add daemons_enable_cluster_mode boolean
- Fix rsync_filetrans_named_content()
- Add rhcs_read_cluster_pid_files() interface
- Update rhcs.if with additional interfaces from RHEL6
- Fix rhcs_domain_template() to not create run dirs with cluster_var_run_t
- Allow glusterd_t to mounton glusterd_tmp_t
- Allow glusterd to unmout al filesystems
- Allow xenstored to read virt config
- Add label for swift_server.lock and make add filetrans_named_content to make sure content gets created with the correct label
- Allow mozilla_plugin_t to mmap hugepages as an executable
* Thu Oct 24 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-93
- Add back userdom_security_admin_template() interface and use it for sysadm_t if sysadm_secadm.pp
* Tue Oct 22 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-92
- Allow sshd_t to read openshift content, needs backport to RHEL6.5
- Label /usr/lib64/sasl2/libsasldb.so.3.0.0 as textrel_shlib_t
- Make sur kdump lock is created with correct label if kdumpctl is executed
- gnome interface calls should always be made within an optional_block
- Allow syslogd_t to connect to the syslog_tls port
- Add labeling for /var/run/charon.ctl socket
- Add kdump_filetrans_named_content()
- Allo setpgid for fenced_t
- Allow setpgid and r/w cluster tmpfs for fenced_t
- gnome calls should always be within optional blocks
- wicd.pid should be labeled as networkmanager_var_run_t
- Allow sys_resource for lldpad
* Thu Oct 17 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-91
- Add rtas policy
* Thu Oct 17 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-90
- Allow mailserver_domains to manage and transition to mailman data
- Dontaudit attempts by mozilla plugin to relabel content, caused by using mv and cp commands
- Allow mailserver_domains to manage and transition to mailman data
- Allow svirt_domains to read sysctl_net_t
- Allow thumb_t to use tmpfs inherited from the user
- Allow mozilla_plugin to bind to the vnc port if running with spice
- Add new attribute to discover confined_admins and assign confined admin to it
- Fix zabbix to handle attributes in interfaces
- Fix zabbix to read system states for all zabbix domains
- Fix piranha_domain_template()
- Allow ctdbd to create udp_socket. Allow ndmbd to access ctdbd var files.
- Allow lldpad sys_rouserce cap due to #986870
- Allow dovecot-auth to read nologin
- Allow openlmi-networking to read /proc/net/dev
- Allow smsd_t to execute scripts created on the fly labeled as smsd_spool_t
- Add zabbix_domain attribute for zabbix domains to treat them together
- Add labels for zabbix-poxy-* (#1018221)
- Update openlmi-storage policy to reflect #1015067
- Back port piranha tmpfs fixes from RHEL6
- Update httpd_can_sendmail boolean to allow read/write postfix spool maildrop
- Add postfix_rw_spool_maildrop_files interface
- Call new userdom_admin_user_templat() also for sysadm_secadm.pp
- Fix typo in userdom_admin_user_template()
- Allow SELinux users to create coolkeypk11sE-Gate in /var/cache/coolkey
- Add new attribute to discover confined_admins
- Fix labeling for /etc/strongswan/ipsec.d
- systemd_logind seems to pass fd to anyone who dbus communicates with it
- Dontaudit leaked write descriptor to dmesg
* Mon Oct 14 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-89
- Fix gnome_read_generic_data_home_files()
- allow openshift_cgroup_t to read/write inherited openshift file types
- Remove httpd_cobbler_content * from cobbler_admin interface
- Allow svirt sandbox domains to setattr on chr_file and blk_file svirt_sandbox_file_t, so sshd will work within a container
- Allow httpd_t to read also git sys content symlinks
- Allow init_t to read gnome home data
- Dontaudit setroubleshoot_fixit_t execmem, since it does not seem to really need it.
- Allow virsh to execute systemctl
- Fix for nagios_services plugins
- add type defintion for ctdbd_var_t
- Add support for /var/ctdb. Allow ctdb block_suspend and read /etc/passwd file
- Allow net_admin/netlink_socket all hyperv_domain domains
- Add labeling for zarafa-search.log and zarafa-search.pid
- Fix hypervkvp.te
- Fix nscd_shm_use()
- Add initial policy for /usr/sbin/hypervvssd in hypervkvp policy which should be renamed to hyperv. Also add hyperv_domain attribute to treat these HyperV services.
- Add hypervkvp_unit_file_t type
- Fix logging policy
- Allow syslog to bind to tls ports
- Update labeling for /dev/cdc-wdm
- Allow to su_domain to read init states
- Allow init_t to read gnome home data
- Make sure if systemd_logind creates nologin file with the correct label
- Clean up ipsec.te
* Tue Oct 8 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-88
- Add auth_exec_chkpwd interface
- Fix port definition for ctdb ports
- Allow systemd domains to read /dev/urand
- Dontaudit attempts for mozilla_plugin to append to /dev/random
- Add label for /var/run/charon.*
- Add labeling for /usr/lib/systemd/system/lvm2.*dd policy for motion service
- Fix for nagios_services plugins
- Fix some bugs in zoneminder policy
- add type defintion for ctdbd_var_t
- Add support for /var/ctdb. Allow ctdb block_suspend and read /etc/passwd file
- Allow net_admin/netlink_socket all hyperv_domain domains
- Add labeling for zarafa-search.log and zarafa-search.pid
- glusterd binds to random unreserved ports
- Additional allow rules found by testing glusterfs
- apcupsd needs to send a message to all users on the system so needs to look them up
- Fix the label on ~/.juniper_networks
- Dontaudit attempts for mozilla_plugin to append to /dev/random
- Allow polipo_daemon to connect to flash ports
- Allow gssproxy_t to create replay caches
- Fix nscd_shm_use()
- Add initial policy for /usr/sbin/hypervvssd in hypervkvp policy which should be renamed to hyperv. Also add hyperv_domain attribute to treat these HyperV services.
- Add hypervkvp_unit_file_t type
* Fri Oct 4 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-87
- init reload from systemd_localed_t
- Allow domains that communicate with systemd_logind_sessions to use systemd_logind_t fd
- Allow systemd_localed_t to ask systemd to reload the locale.
- Add systemd_runtime_unit_file_t type for unit files that systemd creates in memory
- Allow readahead to read /dev/urand
- Fix lots of avcs about tuned
- Any file names xenstored in /var/log should be treated as xenstored_var_log_t
- Allow tuned to inderact with hugepages
- Allow condor domains to list etc rw dirs
* Fri Oct 4 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-86
- Fix nscd_shm_use()
- Add initial policy for /usr/sbin/hypervvssd in hypervkvp policy which should be renamed to hyperv. Also add hyperv_domain attribute to treat these HyperV services.
- Allow pegasus_openlmi_storage_t to create mdadm.conf and write it
- Add label/rules for /etc/mdadm.conf
- Allow pegasus_openlmi_storage_t to transition to fsadm_t
- Fixes for interface definition problems
- Dontaudit dovecot-deliver to gettatr on all fs dirs
- Allow domains to search data_home_t directories
- Allow cobblerd to connect to mysql
- Allow mdadm to r/w kdump lock files
- Add support for kdump lock files
- Label zarafa-search as zarafa-indexer
- Openshift cgroup wants to read /etc/passwd
- Add new sandbox domains for kvm
- Allow mpd to interact with pulseaudio if mpd_enable_homedirs is turned on
- Fix labeling for /usr/lib/systemd/system/lvm2.*
- Add labeling for /usr/lib/systemd/system/lvm2.*
- Fix typos to get a new build. We should not cover filename trans rules to prevent duplicate rules
- Add sshd_keygen_t policy for sshd-keygen
- Fix alsa_home_filetrans interface name and definition
- Allow chown for ssh_keygen_t
- Add fs_dontaudit_getattr_all_dirs()
- Allow init_t to manage etc_aliases_t and read xserver_var_lib_t and chrony keys
- Fix up patch to allow systemd to manage home content
- Allow domains to send/recv unlabeled traffic if unlabelednet.pp is enabled
- Allow getty to exec hostname to get info
- Add systemd_home_t for ~/.local/share/systemd directory
* Wed Oct 2 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-85
- Fix lxc labeling in config.tgz
* Mon Sep 30 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-84
- Fix labeling for /usr/libexec/kde4/kcmdatetimehelper
- Allow tuned to search all file system directories
- Allow alsa_t to sys_nice, to get top performance for sound management
- Add support for MySQL/PostgreSQL for amavis
- Allow openvpn_t to manage openvpn_var_log_t files.
- Allow dirsrv_t to create tmpfs_t directories
- Allow dirsrv to create dirs in /dev/shm with dirsrv_tmpfs label
- Dontaudit leaked unix_stream_sockets into gnome keyring
- Allow telepathy domains to inhibit pipes on telepathy domains
- Allow cloud-init to domtrans to rpm
- Allow abrt daemon to manage abrt-watch tmp files
- Allow abrt-upload-watcher to search /var/spool directory
- Allow nsswitch domains to manage own process key
- Fix labeling for mgetty.* logs
- Allow systemd to dbus chat with upower
- Allow ipsec to send signull to itself
- Allow setgid cap for ipsec_t
- Match upstream labeling
* Wed Sep 25 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-83
- Do not build sanbox pkg on MLS
* Wed Sep 25 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-82
- wine_tmp is no longer needed
- Allow setroubleshoot to look at /proc
- Allow telepathy domains to dbus with systemd logind
- Fix handling of fifo files of rpm
- Allow mozilla_plugin to transition to itself
- Allow certwatch to write to cert_t directories
- New abrt application
- Allow NetworkManager to set the kernel scheduler
- Make wine_domain shared by all wine domains
- Allow mdadm_t to read images labeled svirt_image_t
- Allow amanda to read /dev/urand
- ALlow my_print_default to read /dev/urand
- Allow mdadm to write to kdumpctl fifo files
- Allow nslcd to send signull to itself
- Allow yppasswd to read /dev/urandom
- Fix zarafa_setrlimit
- Add support for /var/lib/php/wsdlcache
- Add zarafa_setrlimit boolean
- Allow fetchmail to send mails
- Add additional alias for user_tmp_t because wine_tmp_t is no longer used
- More handling of ther kernel keyring required by kerberos
- New privs needed for init_t when running without transition to initrc_t over bin_t, and without unconfined domain installed
* Thu Sep 19 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-81
- Dontaudit attempts by sosreport to read shadow_t
- Allow browser sandbox plugins to connect to cups to print
- Add new label mpd_home_t
- Label /srv/www/logs as httpd_log_t
- Add support for /var/lib/php/wsdlcache
- Add zarafa_setrlimit boolean
- Allow fetchmail to send mails
- Add labels for apache logs under miq package
- Allow irc_t to use tcp sockets
- fix labels in puppet.if
- Allow tcsd to read utmp file
- Allow openshift_cron_t to run ssh-keygen in ssh_keygen_t to access host keys
- Define svirt_socket_t as a domain_type
- Take away transition from init_t to initrc_t when executing bin_t, allow init_t to run chk_passwd_t
- Fix label on pam_krb5 helper apps
* Thu Sep 12 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-80
- Allow ldconfig to write to kdumpctl fifo files
- allow neutron to connect to amqp ports
- Allow kdump_manage_crash to list the kdump_crash_t directory
- Allow glance-api to connect to amqp port
- Allow virt_qemu_ga_t to read meminfo
- Add antivirus_home_t type for antivirus date in HOMEDIRS
- Allow mpd setcap which is needed by pulseaudio
- Allow smbcontrol to create content in /var/lib/samba
- Allow mozilla_exec_t to be used as a entrypoint to mozilla_domtrans_spec
- Add additional labeling for qemu-ga/fsfreeze-hook.d scripts
- amanda_exec_t needs to be executable file
- Allow block_suspend cap for samba-net
- Allow apps that read ipsec_mgmt_var_run_t to search ipsec_var_run_t
- Allow init_t to run crash utility
- Treat usr_t just like bin_t for transitions and executions
- Add port definition of pka_ca to port 829 for openshift
- Allow selinux_store to use symlinks
* Mon Sep 9 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-79
- Allow block_suspend cap for samba-net
- Allow t-mission-control to manage gabble cache files
- Allow nslcd to read /sys/devices/system/cpu
- Allow selinux_store to use symlinks
* Mon Sep 9 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-78
- Allow xdm_t to transition to itself
- Call neutron interfaces instead of quantum
- Allow init to change targed role to make uncofined services (xrdp which now has own systemd unit file) working. We want them to have in unconfined_t
- Make sure directories in /run get created with the correct label
- Make sure /root/.pki gets created with the right label
- try to remove labeling for motion from zoneminder_exec_t to bin_t
- Allow inetd_t to execute shell scripts
- Allow cloud-init to read all domainstate
- Fix to use quantum port
- Add interface netowrkmanager_initrc_domtrans
- Fix boinc_execmem
- Allow t-mission-control to read gabble cache home
- Add labeling for ~/.cache/telepathy/avatars/gabble
- Allow memcache to read sysfs data
- Cleanup antivirus policy and add additional fixes
- Add boolean boinc_enable_execstack
- Add support for couchdb in rabbitmq policy
- Add interface couchdb_search_pid_dirs
- Allow firewalld to read NM state
- Allow systemd running as git_systemd to bind git port
- Fix mozilla_plugin_rw_tmpfs_files()
* Thu Sep 5 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-77
- Split out rlogin ports from inetd
- Treat files labeld as usr_t like bin_t when it comes to transitions
- Allow staff_t to read login config
- Allow ipsec_t to read .google authenticator data
- Allow systemd running as git_systemd to bind git port
- Fix mozilla_plugin_rw_tmpfs_files()
- Call the correct interface - corenet_udp_bind_ktalkd_port()
- Allow all domains that can read gnome_config to read kde config
- Allow sandbox domain to read/write mozilla_plugin_tmpfs_t so pulseaudio will work
- Allow mdadm to getattr any file system
- Allow a confined domain to executes mozilla_exec_t via dbus
- Allow cupsd_lpd_t to bind to the printer port
- Dontaudit attempts to bind to ports < 1024 when nis is turned on
- Allow apache domain to connect to gssproxy socket
- Allow rlogind to bind to the rlogin_port
- Allow telnetd to bind to the telnetd_port
- Allow ktalkd to bind to the ktalkd_port
- Allow cvs to bind to the cvs_port
* Wed Sep 4 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-76
- Cleanup related to init_domain()+inetd_domain fixes
- Use just init_domain instead of init_daemon_domain in inetd_core_service_domain
- svirt domains neeed to create kobject_uevint_sockets
- Lots of new access required for sosreport
- Allow tgtd_t to connect to isns ports
- Allow init_t to transition to all inetd domains:
- openct needs to be able to create netlink_object_uevent_sockets
- Dontaudit leaks into ldconfig_t
- Dontaudit su domains getattr on /dev devices, move su domains to attribute based calls
- Move kernel_stream_connect into all Xwindow using users
- Dontaudit inherited lock files in ifconfig o dhcpc_t
* Tue Sep 3 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-75
- Also sock_file trans rule is needed in lsm
- Fix labeling for fetchmail pid files/dirs
- Add additional fixes for abrt-upload-watch
- Fix polipo.te
- Fix transition rules in asterisk policy
- Add fowner capability to networkmanager policy
- Allow polipo to connect to tor ports
- Cleanup lsmd.if
- Cleanup openhpid policy
- Fix kdump_read_crash() interface
- Make more domains as init domain
- Fix cupsd.te
- Fix requires in rpm_rw_script_inherited_pipes
- Fix interfaces in lsm.if
- Allow munin service plugins to manage own tmpfs files/dirs
- Allow virtd_t also relabel unix stream sockets for virt_image_type
- Make ktalk as init domain
- Fix to define ktalkd_unit_file_t correctly
- Fix ktalk.fc
- Add systemd support for talk-server
- Allow glusterd to create sock_file in /run
- Allow xdm_t to delete gkeyringd_tmp_t files on logout
- Add fixes for hypervkvp policy
- Add logwatch_can_sendmail boolean
- Allow mysqld_safe_t to handle also symlinks in /var/log/mariadb
- Allow xdm_t to delete gkeyringd_tmp_t files on logout
* Thu Aug 29 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-74
- Add selinux-policy-sandbox pkg
* Tue Aug 27 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-73
0
- Allow rhsmcertd to read init state
- Allow fsetid for pkcsslotd
- Fix labeling for /usr/lib/systemd/system/pkcsslotd.service
- Allow fetchmail to create own pid with correct labeling
- Fix rhcs_domain_template()
- Allow roles which can run mock to read mock lib files to view results
- Allow rpcbind to use nsswitch
- Fix lsm.if summary
- Fix collectd_t can read /etc/passwd file
- Label systemd unit files under dracut correctly
- Add support for pam_mount to mount user's encrypted home When a user logs in and logs out using ssh
- Add support for .Xauthority-n
- Label umount.crypt as lvm_exec_t
- Allow syslogd to search psad lib files
- Allow ssh_t to use /dev/ptmx
- Make sure /run/pluto dir is created with correct labeling
- Allow syslog to run shell and bin_t commands
- Allow ip to relabel tun_sockets
- Allow mount to create directories in files under /run
- Allow processes to use inherited fifo files
* Fri Aug 23 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-72
- Add policy for lsmd
- Add support for /var/log/mariadb dir and allow mysqld_safe to list this directory
- Update condor_master rules to allow read system state info and allow logging
- Add labeling for /etc/condor and allow condor domain to write it (bug)
- Allow condor domains to manage own logs
- Allow glusterd to read domains state
- Fix initial hypervkvp policy
- Add policy for hypervkvpd
- Fix redis.if summary
* Wed Aug 21 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-71
- Allow boinc to connect to @/tmp/.X11-unix/X0
- Allow beam.smp to connect to tcp/5984
- Allow named to manage own log files
- Add label for /usr/libexec/dcc/start-dccifd and domtrans to dccifd_t
- Add virt_transition_userdomain boolean decl
- Allow httpd_t to sendto unix_dgram sockets on its children
- Allow nova domains to execute ifconfig
- bluetooth wants to create fifo_files in /tmp
- exim needs to be able to manage mailman data
- Allow sysstat to getattr on all file systems
- Looks like bluetoothd has moved
- Allow collectd to send ping packets
- Allow svirt_lxc domains to getpgid
- Remove virt-sandbox-service labeling as virsh_exec_t, since it no longer does virsh_t stuff
- Allow frpintd_t to read /dev/urandom
- Allow asterisk_t to create sock_file in /var/run
- Allow usbmuxd to use netlink_kobject
- sosreport needs to getattr on lots of devices, and needs access to netlink_kobject_uevent_socket
- More cleanup of svirt_lxc policy
- virtd_lxc_t now talks to dbus
- Dontaudit leaked ptmx_t
- Allow processes to use inherited fifo files
- Allow openvpn_t to connect to squid ports
- Allow prelink_cron_system_t to ask systemd to reloaddd miscfiles_dontaudit_access_check_cert()
- Allow ssh_t to use /dev/ptmx
- Make sure /run/pluto dir is created with correct labeling
- Allow syslog to run shell and bin_t commands
- Allow ip to relabel tun_sockets
- Allow mount to create directories in files under /run
- Allow processes to use inherited fifo files
- Allow user roles to connect to the journal socket
* Thu Aug 8 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-70
- selinux_set_enforce_mode needs to be used with type
- Add append to the dontaudit for unix_stream_socket of xdm_t leak
- Allow xdm_t to create symlinks in log direcotries
- Allow login programs to read afs config
- Label 10933 as a pop port, for dovecot
- New policy to allow selinux_server.py to run as semanage_t as a dbus service
- Add fixes to make netlabelctl working on MLS
- AVCs required for running sepolicy gui as staff_t
- Dontaudit attempts to read symlinks, sepolicy gui is likely to cause this type of AVC
- New dbus server to be used with new gui
- After modifying some files in /etc/mail, I saw this needed on the next boot
- Loading a vm from /usr/tmp with virt-manager
- Clean up oracleasm policy for Fedora
- Add oracleasm policy written by rlopez@redhat.com
- Make postfix_postdrop_t as mta_agent to allow domtrans to system mail if it is executed by apache
- Add label for /var/crash
- Allow fenced to domtrans to sanclok_t
- Allow nagios to manage nagios spool files
- Make tfptd as home_manager
- Allow kdump to read kcore on MLS system
- Allow mysqld-safe sys_nice/sys_resource caps
- Allow apache to search automount tmp dirs if http_use_nfs is enabled
- Allow crond to transition to named_t, for use with unbound
- Allow crond to look at named_conf_t, for unbound
- Allow mozilla_plugin_t to transition its home content
- Allow dovecot_domain to read all system and network state
- Allow httpd_user_script_t to call getpw
- Allow semanage to read pid files
- Dontaudit leaked file descriptors from user domain into thumb
- Make PAM authentication working if it is enabled in ejabberd
- Add fixes for rabbit to fix ##992920,#992931
- Allow glusterd to mount filesystems
- Loading a vm from /usr/tmp with virt-manager
- Trying to load a VM I got an AVC from devicekit_disk for loopcontrol device
- Add fix for pand service
- shorewall touches own log
- Allow nrpe to list /var
- Mozilla_plugin_roles can not be passed into lpd_run_lpr
- Allow afs domains to read afs_config files
- Allow login programs to read afs config
- Allow virt_domain to read virt_var_run_t symlinks
- Allow smokeping to send its process signals
- Allow fetchmail to setuid
- Add kdump_manage_crash() interface
- Allow abrt domain to write abrt.socket
* Wed Jul 31 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-69
- Add more aliases in pegasus.te
- Add more fixes for *_admin interfaces
- Add interface fixes
- Allow nscd to stream connect to nmbd
- Allow gnupg apps to write to pcscd socket
- Add more fixes for openlmi provides. Fix naming and support for additionals
- Allow fetchmail to resolve host names
- Allow firewalld to interact also with lnk files labeled as firewalld_etc_rw_t
- Add labeling for cmpiLMI_Fan-cimprovagt
- Allow net_admin for glusterd
- Allow telepathy domain to create dconf with correct labeling in /home/userX/.cache/
- Add pegasus_openlmi_system_t
- Fix puppet_domtrans_master() to make all puppet calling working in passenger.te
- Fix corecmd_exec_chroot()
- Fix logging_relabel_syslog_pid_socket interface
- Fix typo in unconfineduser.te
- Allow system_r to access unconfined_dbusd_t to run hp_chec
* Tue Jul 30 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-68
- Allow xdm_t to act as a dbus client to itsel
- Allow fetchmail to resolve host names
- Allow gnupg apps to write to pcscd socket
- Add labeling for cmpiLMI_Fan-cimprovagt
- Allow net_admin for glusterd
- Allow telepathy domain to create dconf with correct labeling in /home/userX/.cache/
- Add pegasus_openlmi_system_t
- Fix puppet_domtrans_master() to make all puppet calling working in passenger.te
-httpd_t does access_check on certs
* Fri Jul 26 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-67
- Add support for cmpiLMI_Service-cimprovagt
- Allow pegasus domtrans to rpm_t to make pycmpiLMI_Software-cimprovagt running as rpm_t
- Label pycmpiLMI_Software-cimprovagt as rpm_exec_t
- Add support for pycmpiLMI_Storage-cimprovagt
- Add support for cmpiLMI_Networking-cimprovagt
- Allow system_cronjob_t to create user_tmpfs_t to make pulseaudio working
- Allow virtual machines and containers to run as user doains, needed for virt-sandbox
- Allow buglist.cgi to read cpu info
* Mon Jul 22 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-66
- Allow systemd-tmpfile to handle tmp content in print spool dir
- Allow systemd-sysctl to send system log messages
- Add support for RTP media ports and fmpro-internal
- Make auditd working if audit is configured to perform SINGLE action on disk error
- Add interfaces to handle systemd units
- Make systemd-notify working if pcsd is used
- Add support for netlabel and label /usr/sbin/netlabelctl as iptables_exec_t
- Instead of having all unconfined domains get all of the named transition rules,
- Only allow unconfined_t, init_t, initrc_t and rpm_script_t by default.
- Add definition for the salt ports
- Allow xdm_t to create link files in xdm_var_run_t
- Dontaudit reads of blk files or chr files leaked into ldconfig_t
- Allow sys_chroot for useradd_t
- Allow net_raw cap for ipsec_t
- Allow sysadm_t to reload services
- Add additional fixes to make strongswan working with a simple conf
- Allow sysadm_t to enable/disable init_t services
- Add additional glusterd perms
- Allow apache to read lnk files in the /mnt directory
- Allow glusterd to ask the kernel to load a module
- Fix description of ftpd_use_fusefs boolean
- Allow svirt_lxc_net_t to sys_chroot, modify policy to tighten up svirt_lxc_domain capabilties and process controls, but add them to svirt_lxc_net_t
- Allow glusterds to request load a kernel module
- Allow boinc to stream connect to xserver_t
- Allow sblim domains to read /etc/passwd
- Allow mdadm to read usb devices
- Allow collectd to use ping plugin
- Make foghorn working with SNMP
- Allow sssd to read ldap certs
- Allow haproxy to connect to RTP media ports
- Add additional trans rules for aide_db
- Add labeling for /usr/lib/pcsd/pcsd
- Add labeling for /var/log/pcsd
- Add support for pcs which is a corosync and pacemaker configuration tool
* Wed Jul 17 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-65
- Label /var/lib/ipa/pki-ca/publish as pki_tomcat_cert_t
- Add labeling for /usr/libexec/kde4/polkit-kde-authentication-agent-1
- Allow all domains that can domtrans to shutdown, to start the power services script to shutdown
- consolekit needs to be able to shut down system
- Move around interfaces
- Remove nfsd_rw_t and nfsd_ro_t, they don't do anything
- Add additional fixes for rabbitmq_beam to allow getattr on mountpoints
- Allow gconf-defaults-m to read /etc/passwd
- Fix pki_rw_tomcat_cert() interface to support lnk_files
* Fri Jul 12 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-64
- Add support for gluster ports
- Make sure that all keys located in /etc/ssh/ are labeled correctly
- Make sure apcuspd lock files get created with the correct label
- Use getcap in gluster.te
- Fix gluster policy
- add additional fixes to allow beam.smp to interact with couchdb files
- Additional fix for #974149
- Allow gluster to user gluster ports
- Allow glusterd to transition to rpcd_t and add additional fixes for #980683
- Allow tgtd working when accessing to the passthrough device
- Fix labeling for mdadm unit files
* Thu Jul 11 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-63
- Add mdadm fixes
* Tue Jul 9 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-62
- Fix definition of sandbox.disabled to sandbox.pp.disabled
* Mon Jul 8 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-61
- Allow mdamd to execute systemctl
- Allow mdadm to read /dev/kvm
- Allow ipsec_mgmt_t to read l2tpd pid content
* Mon Jul 8 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-60
- Allow nsd_t to read /dev/urand
- Allow mdadm_t to read framebuffer
- Allow rabbitmq_beam_t to read process info on rabbitmq_epmd_t
- Allow mozilla_plugin_config_t to create tmp files
- Cleanup openvswitch policy
- Allow mozilla plugin to getattr on all executables
- Allow l2tpd_t to create fifo_files in /var/run
- Allow samba to touch/manage fifo_files or sock_files in a samba_share_t directory
- Allow mdadm to connecto its own unix_stream_socket
- FIXME: nagios changed locations to /log/nagios which is wrong. But we need to have this workaround for now.
- Allow apache to access smokeping pid files
- Allow rabbitmq_beam_t to getattr on all filesystems
- Add systemd support for iodined
- Allow nup_upsdrvctl_t to execute its entrypoint
- Allow fail2ban_client to write to fail2ban_var_run_t, Also allow it to use nsswitch
- add labeling for ~/.cache/libvirt-sandbox
- Add interface to allow domains transitioned to by confined users to send sigchld to screen program
- Allow sysadm_t to check the system status of files labeled etc_t, /etc/fstab
- Allow systemd_localed to start /usr/lib/systemd/system/systemd-vconsole-setup.service
- Allow an domain that has an entrypoint from a type to be allowed to execute the entrypoint without a transition, I can see no case where this is a bad thing, and elminiates a whole class of AVCs.
- Allow staff to getsched all domains, required to run htop
- Add port definition for redis port
- fix selinuxuser_use_ssh_chroot boolean
* Wed Jul 3 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-59
- Add prosody policy written by Michael Scherer
- Allow nagios plugins to read /sys info
- ntpd needs to manage own log files
- Add support for HOME_DIR/.IBMERS
- Allow iptables commands to read firewalld config
- Allow consolekit_t to read utmp
- Fix filename transitions on .razor directory
- Add additional fixes to make DSPAM with LDA working
- Allow snort to read /etc/passwd
- Allow fail2ban to communicate with firewalld over dbus
- Dontaudit openshift_cgreoup_file_t read/write leaked dev
- Allow nfsd to use mountd port
- Call th proper interface
- Allow openvswitch to read sys and execute plymouth
- Allow tmpwatch to read /var/spool/cups/tmp
- Add support for /usr/libexec/telepathy-rakia
- Add systemd support for zoneminder
- Allow mysql to create files/directories under /var/log/mysql
- Allow zoneminder apache scripts to rw zoneminder tmpfs
- Allow httpd to manage zoneminder lib files
- Add zoneminder_run_sudo boolean to allow to start zoneminder
- Allow zoneminder to send mails
- gssproxy_t sock_file can be under /var/lib
- Allow web domains to connect to whois port.
- Allow sandbox_web_type to connect to the same ports as mozilla_plugin_t.
- We really need to add an interface to corenet to define what a web_client_domain is and
- then define chrome_sandbox_t, mozilla_plugin_t and sandbox_web_type to that domain.
- Add labeling for cmpiLMI_LogicalFile-cimprovagt
- Also make pegasus_openlmi_logicalfile_t as unconfined to have unconfined_domain attribute for filename trans rules
- Update policy rules for pegasus_openlmi_logicalfile_t
- Add initial types for logicalfile/unconfined OpenLMI providers
- mailmanctl needs to read own log
- Allow logwatch manage own lock files
- Allow nrpe to read meminfo
- Allow httpd to read certs located in pki-ca
- Add pki_read_tomcat_cert() interface
- Add support for nagios openshift plugins
- Add port definition for redis port
- fix selinuxuser_use_ssh_chroot boolean
* Fri Jun 28 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-58
- Shrink the size of policy by moving to attributes, also add dridomain so that mozilla_plugin can follow selinuxuse_dri boolean.
- Allow bootloader to manage generic log files
- Allow ftp to bind to port 989
- Fix label of new gear directory
- Add support for new directory /var/lib/openshift/gears/
- Add openshift_manage_lib_dirs()
- allow virtd domains to manage setrans_var_run_t
- Allow useradd to manage all openshift content
- Add support so that mozilla_plugin_t can use dri devices
- Allow chronyd to change the scheduler
- Allow apmd to shut downthe system
- Devicekit_disk_t needs to manage /etc/fstab
* Wed Jun 26 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-57
- Make DSPAM to act as a LDA working
- Allow ntop to create netlink socket
- Allow policykit to send a signal to policykit-auth
- Allow stapserver to dbus chat with avahi/systemd-logind
- Fix labeling on haproxy unit file
- Clean up haproxy policy
- A new policy for haproxy and placed it to rhcs.te
- Add support for ldirectord and treat it with cluster_t
- Make sure anaconda log dir is created with var_log_t
* Mon Jun 24 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-56
- Allow lvm_t to create default targets for filesystem handling
- Fix labeling for razor-lightdm binaries
- Allow insmod_t to read any file labeled var_lib_t
- Add policy for pesign
- Activate policy for cmpiLMI_Account-cimprovagt
- Allow isnsd syscall=listen
- /usr/libexec/pegasus/cimprovagt needs setsched caused by sched_setscheduler
- Allow ctdbd to use udp/4379
- gatherd wants sys_nice and setsched
- Add support for texlive2012
- Allow NM to read file_t (usb stick with no labels used to transfer keys for example)
- Allow cobbler to execute apache with domain transition
* Fri Jun 21 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-55
- condor_collector uses tcp/9000
- Label /usr/sbin/virtlockd as virtd_exec_t for now
- Allow cobbler to execute ldconfig
- Allow NM to execute ssh
- Allow mdadm to read /dev/crash
- Allow antivirus domains to connect to snmp port
- Make amavisd-snmp working correctly
- Allow nfsd_t to mounton nfsd_fs_t
- Add initial snapper policy
- We still need to have consolekit policy
- Dontaudit firefox attempting to connect to the xserver_port_t if run within sandbox_web_t
- Dontaudit sandbox apps attempting to open user_devpts_t
- Allow dirsrv to read network state
- Fix pki_read_tomcat_lib_files
- Add labeling for /usr/libexec/nm-ssh-service
- Add label cert_t for /var/lib/ipa/pki-ca/publish
- Lets label /sys/fs/cgroup as cgroup_t for now, to keep labels consistant
- Allow nfsd_t to mounton nfsd_fs_t
- Dontaudit sandbox apps attempting to open user_devpts_t
- Allow passwd_t to change role to system_r from unconfined_r
* Wed Jun 19 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-54
- Don't audit access checks by sandbox xserver on xdb var_lib
- Allow ntop to read usbmon devices
- Add labeling for new polcykit authorizor
- Dontaudit access checks from fail2ban_client
- Don't audit access checks by sandbox xserver on xdb var_lib
- Allow apps that connect to xdm stream to conenct to xdm_dbusd_t stream
- Fix labeling for all /usr/bim/razor-lightdm-* binaries
- Add filename trans for /dev/md126p1
* Tue Jun 18 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-53
- Make vdagent able to request loading kernel module
- Add support for cloud-init make it as unconfined domain
- pppd wants sys_nice by nmcli because of "syscall=sched_setscheduler"
- Fix mozilla_plugin_can_network_connect to allow to connect to all ports
- Label all munin plugins which are not covered by munin plugins policy as unconfined_munin_plugin_exec_t
- dspam wants to search /var/spool for opendkim data
- Revert "Add support for tcp/10026 port as dspam_port_t"
- Turning on labeled networking requires additional access for netlabel_peer_t; these allow rules need to be back ported to RHEL6
- Allow all application domains to use fifo_files passed in from userdomains, also allow them to write to tmp_files inherited from userdomain
- Allow systemd_tmpfiles_t to setattr on mandb_cache_t
* Sat Dec 1 2012 Miroslav Grepl <mgrepl@redhat.com> 3.11.1-59
- consolekit.pp was not removed from the postinstall script
* Fri Nov 30 2012 Miroslav Grepl <mgrepl@redhat.com> 3.11.1-58
- Add back consolekit policy
- Silence bootloader trying to use inherited tty
- Silence xdm_dbusd_t trying to execute telepathy apps
- Fix shutdown avcs when machine has unconfined.pp disabled
- The host and a virtual machine can share the same printer on a usb device
- Change oddjob to transition to a ranged openshift_initr_exec_t when run from oddjob
- Allow abrt_watch_log_t to execute bin_t
- Allow chrome sandbox to write content in ~/.config/chromium
- Dontaudit setattr on fontconfig dir for thumb_t
- Allow lircd to request the kernel to load module
- Make rsync as userdom_home_manager
- Allow rsync to search automount filesystem
- Add fixes for pacemaker
* Wed Nov 28 2012 Miroslav Grepl <mgrepl@redhat.com> 3.11.1-57
- Add support for 4567/tcp port
- Random fixes from Tuomo Soini
- xdm wants to get init status
- Allow programs to run in fips_mode
- Add interface to allow the reading of all blk device nodes
- Allow init to relabel rpcbind sock_file
- Fix labeling for lastlog and faillog related to logrotate
- ALlow aeolus_configserver to use TRAM port
- Add fixes for aeolus_configserver
- Allow snmpd to connect to snmp port
- Allow spamd_update to create spamd_var_lib_t directories
- Allow domains that can read sssd_public_t files to also list the directory
- Remove miscfiles_read_localization, this is defined for all domains
* Mon Nov 26 2012 Miroslav Grepl <mgrepl@redhat.com> 3.11.1-56
- Allow syslogd to request the kernel to load a module
- Allow syslogd_t to read the network state information
- Allow xdm_dbusd_t connect to the system DBUS
- Add support for 7389/tcp port
- Allow domains to read/write all inherited sockets
- Allow staff_t to read kmsg
- Add awstats_purge_apache_log boolean
- Allow ksysguardproces to read /.config/Trolltech.conf
- Allow passenger to create and append puppet log files
- Add puppet_append_log and puppet_create_log interfaces
- Add puppet_manage_log() interface
- Allow tomcat domain to search tomcat_var_lib_t
- Allow pki_tomcat_t to connect to pki_ca ports
- Allow pegasus_t to have net_admin capability
- Allow pegasus_t to write /sys/class/net/<interface>/flags
- Allow mailserver_delivery to manage mail_home_rw_t lnk_files
- Allow fetchmail to create log files
- Allow gnomeclock to manage home config in .kde
- Allow bittlebee to read kernel sysctls
- Allow logrotate to list /root
* Mon Nov 19 2012 Miroslav Grepl <mgrepl@redhat.com> 3.11.1-55
- Fix userhelper_console_role_template()
- Allow enabling Network Access Point service using blueman
- Make vmware_host_t as unconfined domain
- Allow authenticate users in webaccess via squid, using mysql as backend
- Allow gathers to get various metrics on mounted file systems
- Allow firewalld to read /etc/hosts
- Fix cron_admin_role() to make sysadm cronjobs running in the sysadm_t instead of cronjob_t
- Allow kdumpgui to read/write to zipl.conf
- Commands needed to get mock to build from staff_t in enforcing mode
- Allow mdadm_t to manage cgroup files
- Allow all daemons and systemprocesses to use inherited initrc_tmp_t files
- dontaudit ifconfig_t looking at fifo_files that are leaked to it
- Add lableing for Quest Authentication System
* Thu Nov 15 2012 Miroslav Grepl <mgrepl@redhat.com> 3.11.1-54
- Fix filetrans interface definitions
- Dontaudit xdm_t to getattr on BOINC lib files
- Add systemd_reload_all_services() interface
- Dontaudit write access on /var/lib/net-snmp/mib_indexes
- Only stop mcsuntrustedproc from relableing files
- Allow accountsd to dbus chat with gdm
- Allow realmd to getattr on all fs
- Allow logrotate to reload all services
- Add systemd unit file for radiusd
- Allow winbind to create samba pid dir
- Add labeling for /var/nmbd/unexpected
- Allow chrome and mozilla plugin to connect to msnp ports
* Mon Nov 12 2012 Miroslav Grepl <mgrepl@redhat.com> 3.11.1-53
- Fix storage_rw_inherited_fixed_disk_dev() to cover also blk_file
- Dontaudit setfiles reading /dev/random
- On initial boot gnomeclock is going to need to be set buy gdm
- Fix tftp_read_content() interface
- Random apps looking at kernel file systems
- Testing virt with lxc requiers additional access for virsh_t
- New allow rules requied for latest libvirt, libvirt talks directly to journald,lxc setup tool needs compromize_kernel,and we need ipc_lock in the container
- Allow MPD to read /dev/radnom
- Allow sandbox_web_type to read logind files which needs to read pulseaudio
- Allow mozilla plugins to read /dev/hpet
- Add labeling for /var/lib/zarafa-webap
- Allow BOINC client to use an HTTP proxy for all connections
- Allow rhsmertd to domain transition to dmidecod
- Allow setroubleshootd to send D-Bus msg to ABRT
* Thu Nov 8 2012 Miroslav Grepl <mgrepl@redhat.com> 3.11.1-52
- Define usbtty_device_t as a term_tty
- Allow svnserve to accept a connection
- Allow xend manage default virt_image_t type
- Allow prelink_cron_system_t to overide user componant when executing cp
- Add labeling for z-push
- Gnomeclock sets the realtime clock
- Openshift seems to be storing apache logs in /var/lib/openshift/.log/httpd
- Allow lxc domains to use /dev/random and /dev/urandom
* Wed Nov 7 2012 Miroslav Grepl <mgrepl@redhat.com> 3.11.1-51
- Add port defintion for tcp/9000
- Fix labeling for /usr/share/cluster/checkquorum to label also checkquorum.wdmd
- Add rules and labeling for $HOME/cache/\.gstreamer-.* directory
- Add support for CIM provider openlmi-networking which uses NetworkManager dbus API
- Allow shorewall_t to create netlink_socket
- Allow krb5admind to block suspend
- Fix labels on /var/run/dlm_controld /var/log/dlm_controld
- Allow krb5kdc to block suspend
- gnomessytemmm_t needs to read /etc/passwd
- Allow cgred to read all sysctls
* Tue Nov 6 2012 Miroslav Grepl <mgrepl@redhat.com> 3.11.1-50
- Allow all domains to read /proc/sys/vm/overcommit_memory
- Make proc_numa_t an MLS Trusted Object
- Add /proc/numactl support for confined users
- Allow ssh_t to connect to any port > 1023
- Add openvswitch domain
- Pulseaudio tries to create directories in gnome_home_t directories
- New ypbind pkg wants to search /var/run which is caused by sd_notify
- Allow NM to read certs on NFS/CIFS using use_nfs_*, use_samba_* booleans
- Allow sanlock to read /dev/random
- Treat php-fpm with httpd_t
- Allow domains that can read named_conf_t to be able to list the directories
- Allow winbind to create sock files in /var/run/samba
* Thu Nov 1 2012 Miroslav Grepl <mgrepl@redhat.com> 3.11.1-49
- Add smsd policy
- Add support for OpenShift sbin labelin
- Add boolean to allow virt to use rawip
- Allow mozilla_plugin to read all file systems with noxattrs support
- Allow kerberos to write on anon_inodefs fs
- Additional access required by fenced
- Add filename transitions for passwd.lock/group.lock
- UPdate man pages
- Create coolkey directory in /var/cache with the correct label
* Tue Oct 30 2012 Miroslav Grepl <mgrepl@redhat.com> 3.11.1-48
- Fix label on /etc/group.lock
- Allow gnomeclock to create lnk_file in /etc
- label /root/.pki as a home_cert_t
- Add interface to make sure rpcbind.sock is created with the correct label
- Add definition for new directory /var/lib/os-probe and bootloader wants to read udev rules
- opendkim should be a part of milter
- Allow libvirt to set the kernel sched algorythm
- Allow mongod to read sysfs_t
- Add authconfig policy
- Remove calls to miscfiles_read_localization all domains get this
- Allow virsh_t to read /root/.pki/ content
- Add label for log directory under /var/www/stickshift
* Mon Oct 29 2012 Miroslav Grepl <mgrepl@redhat.com> 3.11.1-47
- Allow getty to setattr on usb ttys
- Allow sshd to search all directories for sshd_home_t content
- Allow staff domains to send dbus messages to kdumpgui
- Fix labels on /etc/.pwd.lock and friends to be passwd_file_t
- Dontaudit setfiles reading urand
- Add files_dontaudit_list_tmp() for domains to which we added sys_nice/setsched
- Allow staff_gkeyringd_t to read /home/$USER/.local/share/keyrings dir
- Allow systemd-timedated to read /dev/urandom
- Allow entropyd_t to read proc_t (meminfo)
- Add unconfined munin plugin
- Fix networkmanager_read_conf() interface
- Allow blueman to list /tmp which is needed by sys_nic/setsched
- Fix label of /etc/mail/aliasesdb-stamp
- numad is searching cgroups
- realmd is communicating with networkmanager using dbus
- Lots of fixes to try to get kdump to work
* Fri Oct 26 2012 Miroslav Grepl <mgrepl@redhat.com> 3.11.1-46
- Allow loging programs to dbus chat with realmd
- Make apache_content_template calling as optional
- realmd is using policy kit
* Fri Oct 26 2012 Miroslav Grepl <mgrepl@redhat.com> 3.11.1-45
- Add new selinuxuser_use_ssh_chroot boolean
- dbus needs to be able to read/write inherited fixed disk device_t passed through it
- Cleanup netutils process allow rule
- Dontaudit leaked fifo files from openshift to ping
- sanlock needs to read mnt_t lnk files
- Fail2ban needs to setsched and sys_nice
* Wed Oct 24 2012 Miroslav Grepl <mgrepl@redhat.com> 3.11.1-44
- Change default label of all files in /var/run/rpcbind
- Allow sandbox domains (java) to read hugetlbfs_t
- Allow awstats cgi content to create tmp files and read apache log files
- Allow setuid/setgid for cupsd-config
- Allow setsched/sys_nice pro cupsd-config
- Fix /etc/localtime sym link to be labeled locale_t
- Allow sshd to search postgresql db t since this is a homedir
- Allow xwindows users to chat with realmd
- Allow unconfined domains to configure all files and null_device_t service
* Tue Oct 23 2012 Miroslav Grepl <mgrepl@redhat.com> 3.11.1-43
- Adopt pki-selinux policy
* Mon Oct 22 2012 Miroslav Grepl <mgrepl@redhat.com> 3.11.1-42
- pki is leaking which we dontaudit until a pki code fix
- Allow setcap for arping
- Update man pages
- Add labeling for /usr/sbin/mcollectived
- pki fixes
- Allow smokeping to execute fping in the netutils_t domain
* Fri Oct 19 2012 Miroslav Grepl <mgrepl@redhat.com> 3.11.1-41
- Allow mount to relabelfrom unlabeled file systems
- systemd_logind wants to send and receive messages from devicekit disk over dbus to make connected mouse working
- Add label to get bin files under libreoffice labeled correctly
- Fix interface to allow executing of base_ro_file_type
- Add fixes for realmd
- Update pki policy
- Add tftp_homedir boolean
- Allow blueman sched_setscheduler
- openshift user domains wants to r/w ssh tcp sockets
* Wed Oct 17 2012 Miroslav Grepl <mgrepl@redhat.com> 3.11.1-40
- Additional requirements for disable unconfined module when booting
- Fix label of systemd script files
- semanage can use -F /dev/stdin to get input
- syslog now uses kerberos keytabs
- Allow xserver to compromise_kernel access
- Allow nfsd to write to mount_var_run_t when running the mount command
- Add filename transition rule for bin_t directories
- Allow files to read usr_t lnk_files
- dhcpc wants chown
- Add support for new openshift labeling
- Clean up for tunable+optional statements
- Add labeling for /usr/sbin/mkhomedir_helper
- Allow antivirus domain to managa amavis spool files
- Allow rpcbind_t to read passwd
- Allow pyzor running as spamc to manage amavis spool
* Tue Oct 16 2012 Miroslav Grepl <mgrepl@redhat.com> 3.11.1-39
- Add interfaces to read kernel_t proc info
- Missed this version of exec_all
- Allow anyone who can load a kernel module to compromise kernel
- Add oddjob_dbus_chat to openshift apache policy
- Allow chrome_sandbox_nacl_t to send signals to itself
- Add unit file support to usbmuxd_t
- Allow all openshift domains to read sysfs info
- Allow openshift domains to getattr on all domains
* Fri Oct 12 2012 Miroslav Grepl <mgrepl@redhat.com> 3.11.1-38
- MLS fixes from Dan
- Fix name of capability2 secure_firmware->compromise_kerne
* Thu Oct 11 2012 Miroslav Grepl <mgrepl@redhat.com> 3.11.1-37
- Allow xdm to search all file systems
- Add interface to allow the config of all files
- Add rngd policy
- Remove kgpg as a gpg_exec_t type
- Allow plymouthd to block suspend
- Allow systemd_dbus to config any file
- Allow system_dbus_t to configure all services
- Allow freshclam_t to read usr_files
- varnishd requires execmem to load modules
* Thu Oct 11 2012 Miroslav Grepl <mgrepl@redhat.com> 3.11.1-36
- Allow semanage to verify types
- Allow sudo domain to execute user home files
- Allow session_bus_type to transition to user_tmpfs_t
- Add dontaudit caused by yum updates
- Implement pki policy but not activated
* Wed Oct 10 2012 Miroslav Grepl <mgrepl@redhat.com> 3.11.1-35
- tuned wants to getattr on all filesystems
- tuned needs also setsched. The build is needed for test day
* Wed Oct 10 2012 Miroslav Grepl <mgrepl@redhat.com> 3.11.1-34
- Add policy for qemu-qa
- Allow razor to write own config files
- Add an initial antivirus policy to collect all antivirus program
- Allow qdisk to read usr_t
- Add additional caps for vmware_host
- Allow tmpfiles_t to setattr on mandb_cache_t
- Dontaudit leaked files into mozilla_plugin_config_t
- Allow wdmd to getattr on tmpfs
- Allow realmd to use /dev/random
- allow containers to send audit messages
- Allow root mount any file via loop device with enforcing mls policy
- Allow tmpfiles_t to setattr on mandb_cache_t
- Allow tmpfiles_t to setattr on mandb_cache_t
- Make userdom_dontaudit_write_all_ not allow open
- Allow init scripts to read all unit files
- Add support for saphostctrl ports
* Mon Oct 8 2012 Miroslav Grepl <mgrepl@redhat.com> 3.11.1-33
- Add kernel_read_system_state to sandbox_client_t
- Add some of the missing access to kdumpgui
- Allow systemd_dbusd_t to status the init system
- Allow vmnet-natd to request the kernel to load a module
- Allow gsf-office-thum to append .cache/gdm/session.log
- realmd wants to read .config/dconf/user
- Firewalld wants sys_nice/setsched
- Allow tmpreaper to delete mandb cache files
- Firewalld wants sys_nice/setsched
- Allow firewalld to perform a DNS name resolution
- Allown winbind to read /usr/share/samba/codepages/lowcase.dat
- Add support for HTTPProxy* in /etc/freshclam.conf
- Fix authlogin_yubike boolean
- Extend smbd_selinux man page to include samba booleans
- Allow dhcpc to execute consoletype
- Allow ping to use inherited tmp files created in init scripts
- On full relabel with unconfined domain disabled, initrc was running some chcon's
- Allow people who delete man pages to delete mandb cache files
* Thu Oct 4 2012 Miroslav Grepl <mgrepl@redhat.com> 3.11.1-32
- Add missing permissive domains
* Thu Oct 4 2012 Miroslav Grepl <mgrepl@redhat.com> 3.11.1-31
- Add new mandb policy
- ALlow systemd-tmpfiles_t to relabel mandb_cache_t
- Allow logrotate to start all unit files
* Thu Oct 4 2012 Miroslav Grepl <mgrepl@redhat.com> 3.11.1-30
- Add fixes for ctbd
- Allow nmbd to stream connect to ctbd
- Make cglear_t as nsswitch_domain
- Fix bogus in interfaces
- Allow openshift to read/write postfix public pipe
- Allow OpenMPI job running as condor_startd_ssh_t to manage condor lib files
- Allow OpenMPI job to use kerberos
- Make deltacloudd_t as nsswitch_domain
- Allow xend_t to run lsscsi
- Allow qemu-dm running as xend_t to create tun_socket
- Add labeling for /opt/brother/Printers(.*/)?inf
- Allow jockey-backend to read pyconfig-64.h labeled as usr_t
- Fix clamscan_can_scan_system boolean
- Allow lpr to connectto to /run/user/$USER/keyring-22uREb/pkcs11
* Tue Jul 3 2012 Miroslav Grepl <mgrepl@redhat.com> 3.11.0-8
- initrc is calling exportfs which is not confined so it attempts to read nfsd_files
- Fixes for passenger running within openshift.
- Add labeling for all tomcat6 dirs
- Add support for tomcat6
- Allow cobblerd to read /etc/passwd
- Allow jockey to read sysfs and and execute binaries with bin_t
- Allow thum to use user terminals
- Allow cgclear to read cgconfig config files
- Fix bcf2g.fc
- Remove sysnet_dns_name_resolve() from policies where auth_use_nsswitch() is used for other domains
- Allow dbomatic to execute ruby
- abrt_watch_log should be abrt_domain
- Allow mozilla_plugin to connect to gatekeeper port
* Wed Jun 27 2012 Miroslav Grepl <mgrepl@redhat.com> 3.11.0-7
- add ptrace_child access to process
- remove files_read_etc_files() calling from all policies which have auth_use_nsswith()
- Allow boinc domains to manage boinc_lib_t lnk_files
- Add support for boinc-client.service unit file
- Add support for boinc.log
- Allow mozilla_plugin execmod on mozilla home files if allow_ex
- Allow dovecot_deliver_t to read dovecot_var_run_t
- Allow ldconfig and insmod to manage kdumpctl tmp files
- Move thin policy out from cloudform.pp and add a new thin poli
- pacemaker needs to communicate with corosync streams
- abrt is now started on demand by dbus
- Allow certmonger to talk directly to Dogtag servers
- Change labeling for /var/lib/cobbler/webui_sessions to httpd_c
- Allow mozila_plugin to execute gstreamer home files
- Allow useradd to delete all file types stored in the users hom
- rhsmcertd reads the rpm database
- Add support for lightdm
* Mon Jun 25 2012 Miroslav Grepl <mgrepl@redhat.com> 3.11.0-6
- Add tomcat policy
- Remove pyzor/razor policy
- rhsmcertd reads the rpm database
- Dontaudit thumb to setattr on xdm_tmp dir
- Allow wicd to execute ldconfig in the networkmanager_t domain
- Add /var/run/cherokee\.pid labeling
- Allow mozilla_plugin to create mozilla_plugin_tmp_t lnk files too
- Allow postfix-master to r/w pipes other postfix domains
- Allow snort to create netlink_socket
- Add kdumpctl policy
- Allow firstboot to create tmp_t files/directories
- /usr/bin/paster should not be labeled as piranha_exec_t
- remove initrc_domain from tomcat
- Allow ddclient to read /etc/passwd
- Allow useradd to delete all file types stored in the users homedir
- Allow ldconfig and insmod to manage kdumpctl tmp files
- Firstboot should be just creating tmp_t dirs and xauth should be allowed to write to those
- Transition xauth files within firstboot_tmp_t
- Fix labeling of /run/media to match /media
- Label all lxdm.log as xserver_log_t
- Add port definition for mxi port
- Allow local_login_t to execute tmux
* Tue Jun 19 2012 Miroslav Grepl <mgrepl@redhat.com> 3.11.0-5
- apcupsd needs to read /etc/passwd
- Sanlock allso sends sigkill
- Allow glance_registry to connect to the mysqld port
- Dontaudit mozilla_plugin trying to getattr on /dev/gpmctl
- Allow firefox plugins/flash to connect to port 1234
- Allow mozilla plugins to delete user_tmp_t files
- Add transition name rule for printers.conf.O
- Allow virt_lxc_t to read urand
- Allow systemd_loigind to list gstreamer_home_dirs
- Fix labeling for /usr/bin
- Fixes for cloudform services
* support FIPS
- Allow polipo to work as web caching
- Allow chfn to execute tmux
* Fri Jun 15 2012 Miroslav Grepl <mgrepl@redhat.com> 3.11.0-4
- Add support for ecryptfs
* ecryptfs does not support xattr
* we need labeling for HOMEDIR
- Add policy for (u)mount.ecryptfs*
- Fix labeling of kerbero host cache files, allow rpc.svcgssd to manage host cache
- Allow dovecot to manage Maildir content, fix transitions to Maildir
- Allow postfix_local to transition to dovecot_deliver
- Dontaudit attempts to setattr on xdm_tmp_t, looks like bogus code
- Cleanup interface definitions
- Allow apmd to change with the logind daemon
- Changes required for sanlock in rhel6
- Label /run/user/apache as httpd_tmp_t
- Allow thumb to use lib_t as execmod if boolean turned on
- Allow squid to create the squid directory in /var with the correct labe
- Add a new policy for glusterd from Bryan Bickford (bbickfor@redhat.com)
- Allow virtd to exec xend_exec_t without transition
- Allow virtd_lxc_t to unmount all file systems
* Tue Jun 12 2012 Miroslav Grepl <mgrepl@redhat.com> 3.11.0-3
- PolicyKit path has changed
- Allow httpd connect to dirsrv socket
- Allow tuned to write generic kernel sysctls
- Dontaudit logwatch to gettr on /dev/dm-2
- Allow policykit-auth to manage kerberos files
- Make condor_startd and rgmanager as initrc domain
- Allow virsh to read /etc/passwd
- Allow mount to mount on user_tmp_t for /run/user/dwalsh/gvfs
- xdm now needs to execute xsession_exec_t
- Need labels for /var/lib/gdm
- Fix files_filetrans_named_content() interface
- Add new attribute - initrc_domain
- Allow systemd_logind_t to signal, signull, sigkill all processes
- Add filetrans rules for etc_runtime files
* Sat Jun 9 2012 Miroslav Grepl <mgrepl@redhat.com> 3.11.0-2
- Rename boolean names to remove allow_
* Thu Jun 7 2012 Miroslav Grepl <mgrepl@redhat.com> 3.11.0-1
- Mass merge with upstream
* new policy topology to include contrib policy modules
* we have now two base policy patches
* Wed May 30 2012 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-128
- Fix description of authlogin_nsswitch_use_ldap
- Fix transition rule for rhsmcertd_t needed for RHEL7
- Allow useradd to list nfs state data
- Allow openvpn to manage its log file and directory
- We want vdsm to transition to mount_t when executing mount command to make sure /etc/mtab remains labeled correctly
- Allow thumb to use nvidia devices
- Allow local_login to create user_tmp_t files for kerberos
- Pulseaudio needs to read systemd_login /var/run content
- virt should only transition named system_conf_t config files
- Allow munin to execute its plugins
- Allow nagios system plugin to read /etc/passwd
- Allow plugin to connect to soundd port
- Fix httpd_passwd to be able to ask passwords
- Radius servers can use ldap for backing store
- Seems to need to mount on /var/lib for xguest polyinstatiation to work.
- Allow systemd_logind to list the contents of gnome keyring
- VirtualGL need xdm to be able to manage content in /etc/opt/VirtualGL
- Add policy for isns-utils
* Mon May 28 2012 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-127
- Add policy for subversion daemon
- Allow boinc to read passwd
- Allow pads to read kernel network state
- Fix man2html interface for sepolgen-ifgen
- Remove extra /usr/lib/systemd/system/smb
- Remove all /lib/systemd and replace with /usr/lib/systemd
- Add policy for man2html
- Fix the label of kerberos_home_t to krb5_home_t
- Allow mozilla plugins to use Citrix
- Allow tuned to read /proc/sys/kernel/nmi_watchdog
- Allow tune /sys options via systemd's tmpfiles.d "w" type
* Wed May 23 2012 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-126
- Dontaudit lpr_t to read/write leaked mozilla tmp files
- Add file name transition for .grl-podcasts directory
- Allow corosync to read user tmp files
- Allow fenced to create snmp lib dirs/files
- More fixes for sge policy
- Allow mozilla_plugin_t to execute any application
- Allow dbus to read/write any open file descriptors to any non security file on the system that it inherits to that it can pass them to another domain
- Allow mongod to read system state information
- Fix wrong type, we should dontaudit sys_admin for xdm_t not xserver_t
- Allow polipo to manage polipo_cache dirs
- Add jabbar_client port to mozilla_plugin_t
- Cleanup procmail policy
- system bus will pass around open file descriptors on files that do not have labels on them
- Allow l2tpd_t to read system state
- Allow tuned to run ls /dev
- Allow sudo domains to read usr_t files
- Add label to machine-id
- Fix corecmd_read_bin_symlinks cut and paste error
* Wed May 16 2012 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-125
- Fix pulseaudio port definition
- Add labeling for condor_starter
- Allow chfn_t to creat user_tmp_files
- Allow chfn_t to execute bin_t
- Allow prelink_cron_system_t to getpw calls
- Allow sudo domains to manage kerberos rcache files
- Allow user_mail_domains to work with courie
- Port definitions necessary for running jboss apps within openshift
- Add support for openstack-nova-metadata-api
- Add support for nova-console*
- Add support for openstack-nova-xvpvncproxy
- Fixes to make privsep+SELinux working if we try to use chage to change passwd
- Fix auth_role() interface
- Allow numad to read sysfs
- Allow matahari-rpcd to execute shell
- Add label for ~/.spicec
- xdm is executing lspci as root which is requesting a sys_admin priv but seems to succeed without it
- Devicekit_disk wants to read the logind sessions file when writing a cd
- Add fixes for condor to make condor jobs working correctly
- Change label of /var/log/rpmpkgs to cron_log_t
- Access requires to allow systemd-tmpfiles --create to work.
- Fix obex to be a user application started by the session bus.
- Add additional filename trans rules for kerberos
- Fix /var/run/heartbeat labeling
- Allow apps that are managing rcache to file trans correctly
- Allow openvpn to authenticate against ldap server
- Containers need to listen to network starting and stopping events
* Wed May 9 2012 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-124
- Make systemd unit files less specific
* Tue May 8 2012 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-123
- Fix zarafa labeling
- Allow guest_t to fix labeling
- corenet_tcp_bind_all_unreserved_ports(ssh_t) should be called with the user_tcp_server boolean
- add lxc_contexts
- Allow accountsd to read /proc
- Allow restorecond to getattr on all file sytems
- tmpwatch now calls getpw
- Allow apache daemon to transition to pwauth domain
- Label content under /var/run/user/NAME/keyring* as gkeyringd_tmp_t
- The obex socket seems to be a stream socket
- dd label for /var/run/nologin
* Mon May 7 2012 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-122
- Allow jetty running as httpd_t to read hugetlbfs files
- Allow sys_nice and setsched for rhsmcertd
- Dontaudit attempts by mozilla_plugin_t to bind to ssdp ports
- Allow setfiles to append to xdm_tmp_t
- Add labeling for /export as a usr_t directory
- Add labels for .grl files created by gstreamer
* Fri May 4 2012 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-121
- Add labeling for /usr/share/jetty/bin/jetty.sh
- Add jetty policy which contains file type definitios
- Allow jockey to use its own fifo_file and make this the default for all domains
- Allow mozilla_plugins to use spice (vnc_port/couchdb)
- asterisk wants to read the network state
- Blueman now uses /var/lib/blueman- Add label for nodejs_debug
- Allow mozilla_plugin_t to create ~/.pki directory and content
* Wed May 2 2012 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-120
- Add clamscan_can_scan_system boolean
- Allow mysqld to read kernel network state
- Allow sshd to read/write condor lib files
- Allow sshd to read/write condor-startd tcp socket
- Fix description on httpd_graceful_shutdown
- Allow glance_registry to communicate with mysql
- dbus_system_domain is using systemd to lauch applications
- add interfaces to allow domains to send kill signals to user mail agents
- Remove unnessary access for svirt_lxc domains, add privs for virtd_lxc_t
- Lots of new access required for secure containers
- Corosync needs sys_admin capability
- ALlow colord to create shm
- .orc should be allowed to be created by any app that can create gstream home content, thumb_t to be specific
- Add boolean to control whether or not mozilla plugins can create random content in the users homedir
- Add new interface to allow domains to list msyql_db directories, needed for libra
- shutdown has to be allowed to delete etc_runtime_t
- Fail2ban needs to read /etc/passwd
- Allow ldconfig to create /var/cache/ldconfig
- Allow tgtd to read hardware state information
- Allow collectd to create packet socket
- Allow chronyd to send signal to itself
- Allow collectd to read /dev/random
- Allow collectd to send signal to itself
- firewalld needs to execute restorecon
- Allow restorecon and other login domains to execute restorecon
* Tue Apr 24 2012 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-119
- Allow logrotate to getattr on systemd unit files
- Add support for tor systemd unit file
- Allow apmd to create /var/run/pm-utils with the correct label
- Allow l2tpd to send sigkill to pppd
- Allow pppd to stream connect to l2tpd
- Add label for scripts in /etc/gdm/
- Allow systemd_logind_t to ignore mcs constraints on sigkill
- Allow avahi to request the kernel to load a module
- Dontaudit hal leaks
- Fix gnome_manage_data interface
- Add new interface corenet_packet to define a type as being an packet_type.
- Removed general access to packet_type from icecast and squid.
- Allow mpd to read alsa config
- Fix the label for wicd log
- Add systemd policy
* Fri Dec 3 2010 Miroslav Grepl <mgrepl@redhat.com> 3.9.10-6
- Fix gnome_manage_data interface
- Dontaudit sys_ptrace capability for iscsid
- Fixes for nagios plugin policy
* Thu Dec 2 2010 Miroslav Grepl <mgrepl@redhat.com> 3.9.10-5
- Fix cron to run ranged when started by init
- Fix devicekit to use log files
- Dontaudit use of devicekit_var_run_t for fstools
- Allow init to setattr on logfile directories
- Allow hald to manage files in /var/run/pm-utils/ dir which is now labeled as devicekit_var_run_t
* Tue Nov 30 2010 Dan Walsh <dwalsh@redhat.com> 3.9.10-4
- Fix up handling of dnsmasq_t creating /var/run/libvirt/network
- Turn on sshd_forward_ports boolean by default
- Allow sysadmin to dbus chat with rpm
- Add interface for rw_tpm_dev
- Allow cron to execute bin
- fsadm needs to write sysfs
- Dontaudit consoletype reading /var/run/pm-utils
- Lots of new privs fro mozilla_plugin_t running java app, make mozilla_plugin
- certmonger needs to manage dirsrv data
- /var/run/pm-utils should be labeled as devicekit_var_run_t
* Tue Nov 30 2010 Miroslav Grepl <mgrepl@redhat.com> 3.9.10-3
- fixes to allow /var/run and /var/lock as tmpfs
- Allow chrome sandbox to connect to web ports
- Allow dovecot to listem on lmtp and sieve ports
- Allov ddclient to search sysctl_net_t
- Transition back to original domain if you execute the shell
* Thu Nov 25 2010 Miroslav Grepl <mgrepl@redhat.com> 3.9.10-2
- Remove duplicate declaration
* Thu Nov 25 2010 Miroslav Grepl <mgrepl@redhat.com> 3.9.10-1
- Update to upstream
- Cleanup for sandbox
- Add attribute to be able to select sandbox types
* Mon Nov 22 2010 Miroslav Grepl <mgrepl@redhat.com> 3.9.9-4
- Allow ddclient to fix file mode bits of ddclient conf file
- init leaks file descriptors to daemons
- Add labels for /etc/lirc/ and
- Allow amavis_t to exec shell
- Add label for gssd_tmp_t for /var/tmp/nfs_0
* Thu Nov 18 2010 Dan Walsh <dwalsh@redhat.com> 3.9.9-3
- Put back in lircd_etc_t so policy will install
* Thu Nov 18 2010 Miroslav Grepl <mgrepl@redhat.com> 3.9.9-2
- Turn on allow_postfix_local_write_mail_spool
- Allow initrc_t to transition to shutdown_t
- Allow logwatch and cron to mls_read_to_clearance for MLS boxes
- Allow wm to send signull to all applications and receive them from users
- lircd patch from field
- Login programs have to read /etc/samba
- New programs under /lib/systemd
- Abrt needs to read config files
* Tue Nov 16 2010 Miroslav Grepl <mgrepl@redhat.com> 3.9.9-1
- Update to upstream
- Dontaudit leaked sockets from userdomains to user domains
- Fixes for mcelog to handle scripts
- Apply patch from Ruben Kerkhof
- Allow syslog to search spool dirs
* Mon Nov 15 2010 Miroslav Grepl <mgrepl@redhat.com> 3.9.8-7
- Allow nagios plugins to read usr files
- Allow mysqld-safe to send system log messages
- Fixes fpr ddclient policy
- Fix sasl_admin interface
- Allow apache to search zarafa config
- Allow munin plugins to search /var/lib directory
- Allow gpsd to read sysfs_t
- Fix labels on /etc/mcelog/triggers to bin_t
* Fri Nov 12 2010 Dan Walsh <dwalsh@redhat.com> 3.9.8-6
- Remove saslauthd_tmp_t and transition tmp files to krb5_host_rcache_t
- Allow saslauthd_t to create krb5_host_rcache_t files in /tmp
- Fix xserver interface
- Fix definition of /var/run/lxdm
* Fri Nov 12 2010 Miroslav Grepl <mgrepl@redhat.com> 3.9.8-5
- Turn on mediawiki policy
- kdump leaks kdump_etc_t to ifconfig, add dontaudit
- uux needs to transition to uucpd_t
- More init fixes relabels man,faillog
- Remove maxima defs in libraries.fc
- insmod needs to be able to create tmpfs_t files
- ping needs setcap
* Wed Nov 10 2010 Miroslav Grepl <mgrepl@redhat.com> 3.9.8-4
- Allow groupd transition to fenced domain when executes fence_node
- Fixes for rchs policy
- Allow mpd to be able to read samba/nfs files
* Tue Nov 9 2010 Dan Walsh <dwalsh@redhat.com> 3.9.8-3
- Fix up corecommands.fc to match upstream
- Make sure /lib/systemd/* is labeled init_exec_t
- mount wants to setattr on all mountpoints
- dovecot auth wants to read dovecot etc files
- nscd daemon looks at the exe file of the comunicating daemon
- openvpn wants to read utmp file
- postfix apps now set sys_nice and lower limits
- remote_login (telnetd/login) wants to use telnetd_devpts_t and user_devpts_t to work correctly
- Also resolves nsswitch
- Fix labels on /etc/hosts.*
- Cleanup to make upsteam patch work
- allow abrt to read etc_runtime_t
* Fri Nov 5 2010 Dan Walsh <dwalsh@redhat.com> 3.9.8-2
- Add conflicts for dirsrv package
* Fri Nov 5 2010 Dan Walsh <dwalsh@redhat.com> 3.9.8-1
- Update to upstream
- Add vlock policy
* Wed Nov 3 2010 Dan Walsh <dwalsh@redhat.com> 3.9.7-10
- Fix sandbox to work on nfs homedirs
- Allow cdrecord to setrlimit
- Allow mozilla_plugin to read xauth
- Change label on systemd-logger to syslogd_exec_t
- Install dirsrv policy from dirsrv package
* Tue Nov 2 2010 Dan Walsh <dwalsh@redhat.com> 3.9.7-9
- Add virt_home_t, allow init to setattr on xserver_tmp_t and relabel it
- Udev needs to stream connect to init and kernel
- Add xdm_exec_bootloader boolean, which allows xdm to execute /sbin/grub and read files in /boot directory
* Mon Nov 1 2010 Dan Walsh <dwalsh@redhat.com> 3.9.7-8
- Allow NetworkManager to read openvpn_etc_t
- Dontaudit hplip to write of /usr dirs
- Allow system_mail_t to create /root/dead.letter as mail_home_t
- Add vdagent policy for spice agent daemon
* Thu Oct 28 2010 Dan Walsh <dwalsh@redhat.com> 3.9.7-7
- Dontaudit sandbox sending sigkill to all user domains
- Add policy for rssh_chroot_helper
- Add missing flask definitions
- Allow udev to relabelto removable_t
- Fix label on /var/log/wicd.log
- Transition to initrc_t from init when executing bin_t
- Add audit_access permissions to file
- Make removable_t a device_node
- Fix label on /lib/systemd/*
* Fri Oct 22 2010 Dan Walsh <dwalsh@redhat.com> 3.9.7-6
- Fixes for systemd to manage /var/run
- Dontaudit leaks by firstboot
* Tue Oct 19 2010 Dan Walsh <dwalsh@redhat.com> 3.9.7-5
- Allow chome to create netlink_route_socket
- Add additional MATHLAB file context
- Define nsplugin as an application_domain
- Dontaudit sending signals from sandboxed domains to other domains
- systemd requires init to build /tmp /var/auth and /var/lock dirs
- mount wants to read devicekit_power /proc/ entries
- mpd wants to connect to soundd port
- Openoffice causes a setattr on a lib_t file for normal users, add dontaudit
- Treat lib_t and textrel_shlib_t directories the same
- Allow mount read access on virtual images
* Fri Oct 15 2010 Dan Walsh <dwalsh@redhat.com> 3.9.7-4
- Allow sandbox_x_domains to work with nfs/cifs/fusefs home dirs.
- Allow devicekit_power to domtrans to mount
- Allow dhcp to bind to udp ports > 1024 to do named stuff
- Allow ssh_t to exec ssh_exec_t
- Remove telepathy_butterfly_rw_tmp_files(), dev_read_printk() interfaces which are nolonger used
- Fix clamav_append_log() intefaces
- Fix 'psad_rw_fifo_file' interface
* Fri Oct 15 2010 Dan Walsh <dwalsh@redhat.com> 3.9.7-3
- Allow cobblerd to list cobler appache content
* Fri Oct 15 2010 Dan Walsh <dwalsh@redhat.com> 3.9.7-2
- Fixup for the latest version of upowed
- Dontaudit sandbox sending SIGNULL to desktop apps
* Wed Oct 13 2010 Dan Walsh <dwalsh@redhat.com> 3.9.7-1
- Update to upstream
* Tue Oct 12 2010 Dan Walsh <dwalsh@redhat.com> 3.9.6-3
-Mount command from a confined user generates setattr on /etc/mtab file, need to dontaudit this access
- dovecot-auth_t needs ipc_lock
- gpm needs to use the user terminal
- Allow system_mail_t to append ~/dead.letter
- Allow NetworkManager to edit /etc/NetworkManager/NetworkManager.conf
- Add pid file to vnstatd
- Allow mount to communicate with gfs_controld
- Dontaudit hal leaks in setfiles
* Fri Oct 8 2010 Dan Walsh <dwalsh@redhat.com> 3.9.6-2
- Lots of fixes for systemd
- systemd now executes readahead and tmpwatch type scripts
- Needs to manage random seed
* Thu Oct 7 2010 Dan Walsh <dwalsh@redhat.com> 3.9.6-1
- Allow smbd to use sys_admin
- Remove duplicate file context for tcfmgr
- Update to upstream
* Wed Oct 6 2010 Dan Walsh <dwalsh@redhat.com> 3.9.5-11
- Fix fusefs handling
- Do not allow sandbox to manage nsplugin_rw_t
- Allow mozilla_plugin_t to connecto its parent
- Allow init_t to connect to plymouthd running as kernel_t
- Add mediawiki policy
- dontaudit sandbox sending signals to itself. This can happen when they are running at different mcs.
- Disable transition from dbus_session_domain to telepathy for F14
- Allow boinc_project to use shm
- Allow certmonger to search through directories that contain certs
- Allow fail2ban the DAC Override so it can read log files owned by non root users
* Mon Oct 4 2010 Dan Walsh <dwalsh@redhat.com> 3.9.5-10
- Start adding support for use_fusefs_home_dirs
- Add /var/lib/syslog directory file context
- Add /etc/localtime as locale file context
* Thu Sep 30 2010 Dan Walsh <dwalsh@redhat.com> 3.9.5-9
- Turn off default transition to mozilla_plugin and telepathy domains from unconfined user
- Turn off iptables from unconfined user
- Allow sudo to send signals to any domains the user could have transitioned to.
- Passwd in single user mode needs to talk to console_device_t
- Mozilla_plugin_t needs to connect to web ports, needs to write to video device, and read alsa_home_t alsa setsup pulseaudio
- locate tried to read a symbolic link, will dontaudit
- New labels for telepathy-sunshine content in homedir
- Google is storing other binaries under /opt/google/talkplugin
- bluetooth/kernel is creating unlabeled_t socket that I will allow it to use until kernel fixes bug
- Add boolean for unconfined_t transition to mozilla_plugin_t and telepathy domains, turned off in F14 on in F15
- modemmanger and bluetooth send dbus messages to devicekit_power
- Samba needs to getquota on filesystems labeld samba_share_t
* Wed Sep 29 2010 Dan Walsh <dwalsh@redhat.com> 3.9.5-8
- Dontaudit attempts by xdm_t to write to bin_t for kdm
- Allow initrc_t to manage system_conf_t
* Mon Sep 27 2010 Dan Walsh <dwalsh@redhat.com> 3.9.5-7
- Fixes to allow mozilla_plugin_t to create nsplugin_home_t directory.
- Allow mozilla_plugin_t to create tcp/udp/netlink_route sockets
- Allow confined users to read xdm_etc_t files
- Allow xdm_t to transition to xauth_t for lxdm program
* Sun Sep 26 2010 Dan Walsh <dwalsh@redhat.com> 3.9.5-6
- Rearrange firewallgui policy to be more easily updated to upstream, dontaudit search of /home
- Allow clamd to send signals to itself
- Allow mozilla_plugin_t to read user home content. And unlink pulseaudio shm.
- Allow haze to connect to yahoo chat and messenger port tcp:5050.
Bz #637339
- Allow guest to run ps command on its processes by allowing it to read /proc
- Allow firewallgui to sys_rawio which seems to be required to setup masqerading
- Allow all domains to search through default_t directories, in order to find differnet labels. For example people serring up /foo/bar to be share via samba.
- Add label for /var/log/slim.log
* Fri Sep 24 2010 Dan Walsh <dwalsh@redhat.com> 3.9.5-5
- Pull in cleanups from dgrift
- Allow mozilla_plugin_t to execute mozilla_home_t
- Allow rpc.quota to do quotamod
* Thu Sep 23 2010 Dan Walsh <dwalsh@redhat.com> 3.9.5-4
- Cleanup policy via dgrift
- Allow dovecot_deliver to append to inherited log files
- Lots of fixes for consolehelper
* Wed Sep 22 2010 Dan Walsh <dwalsh@redhat.com> 3.9.5-3
- Fix up Xguest policy
* Thu Sep 16 2010 Dan Walsh <dwalsh@redhat.com> 3.9.5-2
- Add vnstat policy
- allow libvirt to send audit messages
- Allow chrome-sandbox to search nfs_t
* Thu Sep 16 2010 Dan Walsh <dwalsh@redhat.com> 3.9.5-1
- Update to upstream
* Wed Sep 15 2010 Dan Walsh <dwalsh@redhat.com> 3.9.4-3
- Add the ability to send audit messages to confined admin policies
- Remove permissive domain from cmirrord and dontaudit sys_tty_config
- Split out unconfined_domain() calls from other unconfined_ calls so we can d
- virt needs to be able to read processes to clearance for MLS
* Tue Sep 14 2010 Dan Walsh <dwalsh@redhat.com> 3.9.4-2
- Allow all domains that can use cgroups to search tmpfs_t directory
- Allow init to send audit messages
* Thu Sep 9 2010 Dan Walsh <dwalsh@redhat.com> 3.9.4-1
- Update to upstream
* Thu Sep 9 2010 Dan Walsh <dwalsh@redhat.com> 3.9.3-4
- Allow mdadm_t to create files and sock files in /dev/md/
* Thu Sep 9 2010 Dan Walsh <dwalsh@redhat.com> 3.9.3-3
- Add policy for ajaxterm
* Wed Sep 8 2010 Dan Walsh <dwalsh@redhat.com> 3.9.3-2
- Handle /var/db/sudo
- Allow pulseaudio to read alsa config
- Allow init to send initrc_t dbus messages
* Tue Sep 7 2010 Dan Walsh <dwalsh@redhat.com> 3.9.3-1
Allow iptables to read shorewall tmp files
Change chfn and passwd to use auth_use_pam so they can send dbus messages to fpr
intd
label vlc as an execmem_exec_t
Lots of fixes for mozilla_plugin to run google vidio chat
Allow telepath_msn to execute ldconfig and its own tmp files
Fix labels on hugepages
Allow mdadm to read files on /dev
Remove permissive domains and change back to unconfined
Allow freshclam to execute shell and bin_t
Allow devicekit_power to transition to dhcpc
Add boolean to allow icecast to connect to any port
* Tue Aug 31 2010 Dan Walsh <dwalsh@redhat.com> 3.9.2-1
- Merge upstream fix of mmap_zero
- Allow mount to write files in debugfs_t
- Allow corosync to communicate with clvmd via tmpfs
- Allow certmaster to read usr_t files
- Allow dbus system services to search cgroup_t
- Define rlogind_t as a login pgm
* Tue Aug 31 2010 Dan Walsh <dwalsh@redhat.com> 3.9.1-3
- Allow mdadm_t to read/write hugetlbfs
* Tue Aug 31 2010 Dan Walsh <dwalsh@redhat.com> 3.9.1-2
- Dominic Grift Cleanup
- Miroslav Grepl policy for jabberd
- Various fixes for mount/livecd and prelink
* Mon Aug 30 2010 Dan Walsh <dwalsh@redhat.com> 3.9.1-1
- Merge with upstream
* Thu Aug 26 2010 Dan Walsh <dwalsh@redhat.com> 3.9.0-2
- More access needed for devicekit
- Add dbadm policy
* Thu Aug 26 2010 Dan Walsh <dwalsh@redhat.com> 3.9.0-1
- Merge with upstream
* Tue Aug 24 2010 Dan Walsh <dwalsh@redhat.com> 3.8.8-21
- Allow seunshare to fowner
* Tue Aug 24 2010 Dan Walsh <dwalsh@redhat.com> 3.8.8-20
- Allow cron to look at user_cron_spool links
- Lots of fixes for mozilla_plugin_t
- Add sysv file system
- Turn unconfined domains to permissive to find additional avcs
* Mon Aug 23 2010 Dan Walsh <dwalsh@redhat.com> 3.8.8-19
- Update policy for mozilla_plugin_t
* Mon Aug 23 2010 Dan Walsh <dwalsh@redhat.com> 3.8.8-18
- Allow clamscan to read proc_t
- Allow mount_t to write to debufs_t dir
- Dontaudit mount_t trying to write to security_t dir
* Thu Aug 19 2010 Dan Walsh <dwalsh@redhat.com> 3.8.8-17
- Allow clamscan_t execmem if clamd_use_jit set
- Add policy for firefox plugin-container
* Wed Aug 18 2010 Dan Walsh <dwalsh@redhat.com> 3.8.8-16
- Fix /root/.forward definition
* Tue Aug 17 2010 Dan Walsh <dwalsh@redhat.com> 3.8.8-15
- label dead.letter as mail_home_t
* Fri Aug 13 2010 Dan Walsh <dwalsh@redhat.com> 3.8.8-14
- Allow login programs to search /cgroups
* Thu Aug 12 2010 Dan Walsh <dwalsh@redhat.com> 3.8.8-13
- Fix cert handling
* Tue Aug 10 2010 Dan Walsh <dwalsh@redhat.com> 3.8.8-12
- Fix devicekit_power bug
- Allow policykit_auth_t more access.
* Thu Aug 5 2010 Dan Walsh <dwalsh@redhat.com> 3.8.8-11
- Fix nis calls to allow bind to ports 512-1024
- Fix smartmon
* Wed Aug 4 2010 Dan Walsh <dwalsh@redhat.com> 3.8.8-10
- Allow pcscd to read sysfs
- systemd fixes
- Fix wine_mmap_zero_ignore boolean
* Tue Aug 3 2010 Dan Walsh <dwalsh@redhat.com> 3.8.8-9
- Apply Miroslav munin patch
- Turn back on allow_execmem and allow_execmod booleans
* Tue Jul 27 2010 Dan Walsh <dwalsh@redhat.com> 3.8.8-8
- Merge in fixes from dgrift repository
* Tue Jul 27 2010 Dan Walsh <dwalsh@redhat.com> 3.8.8-7
- Update boinc policy
- Fix sysstat policy to allow sys_admin
- Change failsafe_context to unconfined_r:unconfined_t:s0
* Mon Jul 26 2010 Dan Walsh <dwalsh@redhat.com> 3.8.8-6
- New paths for upstart
* Mon Jul 26 2010 Dan Walsh <dwalsh@redhat.com> 3.8.8-5
- New permissions for syslog
- New labels for /lib/upstart
* Fri Jul 23 2010 Dan Walsh <dwalsh@redhat.com> 3.8.8-4
- Add mojomojo policy
* Thu Jul 22 2010 Dan Walsh <dwalsh@redhat.com> 3.8.8-3
- Allow systemd to setsockcon on sockets to immitate other services
* Wed Jul 21 2010 Dan Walsh <dwalsh@redhat.com> 3.8.8-2
- Remove debugfs label
* Tue Jul 20 2010 Dan Walsh <dwalsh@redhat.com> 3.8.8-1
- Update to latest policy
* Wed Jul 14 2010 Dan Walsh <dwalsh@redhat.com> 3.8.7-3
- Fix eclipse labeling from IBMSupportAssasstant packageing
* Wed Jul 14 2010 Dan Walsh <dwalsh@redhat.com> 3.8.7-2
- Make boot with systemd in enforcing mode
* Wed Jul 14 2010 Dan Walsh <dwalsh@redhat.com> 3.8.7-1
- Update to upstream
* Mon Jul 12 2010 Dan Walsh <dwalsh@redhat.com> 3.8.6-3
- Add boolean to turn off port forwarding in sshd.
* Fri Jul 9 2010 Miroslav Grepl <mgrepl@redhat.com> 3.8.6-2
- Add support for ebtables
- Fixes for rhcs and corosync policy
* Tue Jun 22 2010 Dan Walsh <dwalsh@redhat.com> 3.8.6-1
-Update to upstream
* Mon Jun 21 2010 Dan Walsh <dwalsh@redhat.com> 3.8.5-1
-Update to upstream
* Thu Jun 17 2010 Dan Walsh <dwalsh@redhat.com> 3.8.4-1
-Update to upstream
* Wed Jun 16 2010 Dan Walsh <dwalsh@redhat.com> 3.8.3-4
- Add Zarafa policy
* Wed Jun 9 2010 Dan Walsh <dwalsh@redhat.com> 3.8.3-3
- Cleanup of aiccu policy
- initial mock policy
* Wed Jun 9 2010 Dan Walsh <dwalsh@redhat.com> 3.8.3-2
- Lots of random fixes
* Tue Jun 8 2010 Dan Walsh <dwalsh@redhat.com> 3.8.3-1
- Update to upstream
* Fri Jun 4 2010 Dan Walsh <dwalsh@redhat.com> 3.8.2-1
- Update to upstream
- Allow prelink script to signal itself
- Cobbler fixes
* Wed Jun 2 2010 Dan Walsh <dwalsh@redhat.com> 3.8.1-5
- Add xdm_var_run_t to xserver_stream_connect_xdm
- Add cmorrord and mpd policy from Miroslav Grepl
* Tue Jun 1 2010 Dan Walsh <dwalsh@redhat.com> 3.8.1-4
- Fix sshd creation of krb cc files for users to be user_tmp_t
* Thu May 27 2010 Dan Walsh <dwalsh@redhat.com> 3.8.1-3
- Fixes for accountsdialog
- Fixes for boinc
* Thu May 27 2010 Dan Walsh <dwalsh@redhat.com> 3.8.1-2
- Fix label on /var/lib/dokwiki
- Change permissive domains to enforcing
- Fix libvirt policy to allow it to run on mls
* Tue May 25 2010 Dan Walsh <dwalsh@redhat.com> 3.8.1-1
- Update to upstream
* Tue May 25 2010 Dan Walsh <dwalsh@redhat.com> 3.7.19-22
- Allow procmail to execute scripts in the users home dir that are labeled home_bin_t
- Fix /var/run/abrtd.lock label
* Mon May 24 2010 Dan Walsh <dwalsh@redhat.com> 3.7.19-21
- Allow login programs to read krb5_home_t
Resolves: 594833
- Add obsoletes for cachefilesfd-selinux package
Resolves: #575084
* Thu May 20 2010 Dan Walsh <dwalsh@redhat.com> 3.7.19-20
- Allow mount to r/w abrt fifo file
- Allow svirt_t to getattr on hugetlbfs
- Allow abrt to create a directory under /var/spool
* Wed May 19 2010 Dan Walsh <dwalsh@redhat.com> 3.7.19-19
- Add labels for /sys
- Allow sshd to getattr on shutdown
- Fixes for munin
- Allow sssd to use the kernel key ring
- Allow tor to send syslog messages
- Allow iptabels to read usr files
- allow policykit to read all domains state
* Thu May 13 2010 Dan Walsh <dwalsh@redhat.com> 3.7.19-17
- Fix path for /var/spool/abrt
- Allow nfs_t as an entrypoint for http_sys_script_t
- Add policy for piranha
- Lots of fixes for sosreport
* Wed May 12 2010 Dan Walsh <dwalsh@redhat.com> 3.7.19-16
- Allow xm_t to read network state and get and set capabilities
- Allow policykit to getattr all processes
- Allow denyhosts to connect to tcp port 9911
- Allow pyranha to use raw ip sockets and ptrace itself
- Allow unconfined_execmem_t and gconfsd mechanism to dbus
- Allow staff to kill ping process
- Add additional MLS rules
* Mon May 10 2010 Dan Walsh <dwalsh@redhat.com> 3.7.19-15
- Allow gdm to edit ~/.gconf dir
Resolves: #590677
- Allow dovecot to create directories in /var/lib/dovecot
Partially resolves 590224
- Allow avahi to dbus chat with NetworkManager
- Fix cobbler labels
- Dontaudit iceauth_t leaks
- fix /var/lib/lxdm file context
- Allow aiccu to use tun tap devices
- Dontaudit shutdown using xserver.log
* Fri May 7 2010 Dan Walsh <dwalsh@redhat.com> 3.7.19-14
- Fixes for sandbox_x_net_t to match access for sandbox_web_t ++
- Add xdm_etc_t for /etc/gdm directory, allow accountsd to manage this directory
- Add dontaudit interface for bluetooth dbus
- Add chronyd_read_keys, append_keys for initrc_t
- Add log support for ksmtuned
Resolves: #586663
* Thu May 6 2010 Dan Walsh <dwalsh@redhat.com> 3.7.19-13
- Allow boinc to send mail
* Wed May 5 2010 Dan Walsh <dwalsh@redhat.com> 3.7.19-12
- Allow initrc_t to remove dhcpc_state_t
- Fix label on sa-update.cron
- Allow dhcpc to restart chrony initrc
- Don't allow sandbox to send signals to its parent processes
- Fix transition from unconfined_t -> unconfined_mount_t -> rpcd_t
Resolves: #589136
* Mon May 3 2010 Dan Walsh <dwalsh@redhat.com> 3.7.19-11
- Fix location of oddjob_mkhomedir
Resolves: #587385
- fix labeling on /root/.shosts and ~/.shosts
- Allow ipsec_mgmt_t to manage net_conf_t
Resolves: #586760
* Fri Apr 30 2010 Dan Walsh <dwalsh@redhat.com> 3.7.19-10
- Dontaudit sandbox trying to connect to netlink sockets
Resolves: #587609
- Add policy for piranha
* Thu Apr 29 2010 Dan Walsh <dwalsh@redhat.com> 3.7.19-9
- Fixups for xguest policy
- Fixes for running sandbox firefox
* Wed Apr 28 2010 Dan Walsh <dwalsh@redhat.com> 3.7.19-8
- Allow ksmtuned to use terminals
Resolves: #586663
- Allow lircd to write to generic usb devices
* Tue Apr 27 2010 Dan Walsh <dwalsh@redhat.com> 3.7.19-7
- Allow sandbox_xserver to connectto unconfined stream
Resolves: #585171
* Mon Apr 26 2010 Dan Walsh <dwalsh@redhat.com> 3.7.19-6
- Allow initrc_t to read slapd_db_t
Resolves: #585476
- Allow ipsec_mgmt to use unallocated devpts and to create /etc/resolv.conf
Resolves: #585963
* Thu Apr 22 2010 Dan Walsh <dwalsh@redhat.com> 3.7.19-5
- Allow rlogind_t to search /root for .rhosts
Resolves: #582760
- Fix path for cached_var_t
- Fix prelink paths /var/lib/prelink
- Allow confined users to direct_dri
- Allow mls lvm/cryptosetup to work
* Wed Apr 21 2010 Dan Walsh <dwalsh@redhat.com> 3.7.19-4
- Allow virtd_t to manage firewall/iptables config
Resolves: #573585
* Tue Apr 20 2010 Dan Walsh <dwalsh@redhat.com> 3.7.19-3
- Fix label on /root/.rhosts
Resolves: #582760
- Add labels for Picasa
- Allow openvpn to read home certs
- Allow plymouthd_t to use tty_device_t
- Run ncftool as iptables_t
- Allow mount to unmount unlabeled_t
- Dontaudit hal leaks
* Wed Apr 14 2010 Dan Walsh <dwalsh@redhat.com> 3.7.19-2
- Allow livecd to transition to mount
* Tue Apr 13 2010 Dan Walsh <dwalsh@redhat.com> 3.7.19-1
- Update to upstream
- Allow abrt to delete sosreport
Resolves: #579998
- Allow snmp to setuid and gid
Resolves: #582155
- Allow smartd to use generic scsi devices
Resolves: #582145
* Tue Apr 13 2010 Dan Walsh <dwalsh@redhat.com> 3.7.18-3
- Allow ipsec_t to create /etc/resolv.conf with the correct label
- Fix reserved port destination
- Allow autofs to transition to showmount
- Stop crashing tuned
* Mon Apr 12 2010 Dan Walsh <dwalsh@redhat.com> 3.7.18-2
- Add telepathysofiasip policy
* Mon Apr 5 2010 Dan Walsh <dwalsh@redhat.com> 3.7.18-1
- Update to upstream
- Fix label for /opt/google/chrome/chrome-sandbox
- Allow modemmanager to dbus with policykit
* Mon Apr 5 2010 Dan Walsh <dwalsh@redhat.com> 3.7.17-6
- Fix allow_httpd_mod_auth_pam to use auth_use_pam(httpd_t)
- Allow accountsd to read shadow file
- Allow apache to send audit messages when using pam
- Allow asterisk to bind and connect to sip tcp ports
- Fixes for dovecot 2.0
- Allow initrc_t to setattr on milter directories
- Add procmail_home_t for .procmailrc file
* Thu Apr 1 2010 Dan Walsh <dwalsh@redhat.com> 3.7.17-5
- Fixes for labels during install from livecd
* Thu Apr 1 2010 Dan Walsh <dwalsh@redhat.com> 3.7.17-4
- Fix /cgroup file context
- Fix broken afs use of unlabled_t
- Allow getty to use the console for s390
* Wed Mar 31 2010 Dan Walsh <dwalsh@redhat.com> 3.7.17-3
- Fix cgroup handling adding policy for /cgroup
- Allow confined users to write to generic usb devices, if user_rw_noexattrfile boolean set
* Tue Mar 30 2010 Dan Walsh <dwalsh@redhat.com> 3.7.17-2
- Merge patches from dgrift
* Mon Mar 29 2010 Dan Walsh <dwalsh@redhat.com> 3.7.17-1
- Update upstream
- Allow abrt to write to the /proc under any process
* Fri Mar 26 2010 Dan Walsh <dwalsh@redhat.com> 3.7.16-2
- Fix ~/.fontconfig label
- Add /root/.cert label
- Allow reading of the fixed_file_disk_t:lnk_file if you can read file
- Allow qemu_exec_t as an entrypoint to svirt_t
* Tue Mar 23 2010 Dan Walsh <dwalsh@redhat.com> 3.7.16-1
- Update to upstream
- Allow tmpreaper to delete sandbox sock files
- Allow chrome-sandbox_t to use /dev/zero, and dontaudit getattr file systems
- Fixes for gitosis
- No transition on livecd to passwd or chfn
- Fixes for denyhosts
* Tue Mar 23 2010 Dan Walsh <dwalsh@redhat.com> 3.7.15-4
- Add label for /var/lib/upower
- Allow logrotate to run sssd
- dontaudit readahead on tmpfs blk files
- Allow tmpreaper to setattr on sandbox files
- Allow confined users to execute dos files
- Allow sysadm_t to kill processes running within its clearance
- Add accountsd policy
- Fixes for corosync policy
- Fixes from crontab policy
- Allow svirt to manage svirt_image_t chr files
- Fixes for qdisk policy
- Fixes for sssd policy
- Fixes for newrole policy
* Thu Mar 18 2010 Dan Walsh <dwalsh@redhat.com> 3.7.15-3
- make libvirt work on an MLS platform
* Thu Mar 18 2010 Dan Walsh <dwalsh@redhat.com> 3.7.15-2
- Add qpidd policy
* Thu Mar 18 2010 Dan Walsh <dwalsh@redhat.com> 3.7.15-1
- Update to upstream
* Tue Mar 16 2010 Dan Walsh <dwalsh@redhat.com> 3.7.14-5
- Allow boinc to read kernel sysctl
- Fix snmp port definitions
- Allow apache to read anon_inodefs
* Sun Mar 14 2010 Dan Walsh <dwalsh@redhat.com> 3.7.14-4
- Allow shutdown dac_override
* Sat Mar 13 2010 Dan Walsh <dwalsh@redhat.com> 3.7.14-3
- Add device_t as a file system
- Fix sysfs association
* Fri Mar 12 2010 Dan Walsh <dwalsh@redhat.com> 3.7.14-2
- Dontaudit ipsec_mgmt sys_ptrace
- Allow at to mail its spool files
- Allow nsplugin to search in .pulse directory
* Fri Mar 12 2010 Dan Walsh <dwalsh@redhat.com> 3.7.14-1
- Update to upstream
* Fri Mar 12 2010 Dan Walsh <dwalsh@redhat.com> 3.7.13-4
- Allow users to dbus chat with xdm
- Allow users to r/w wireless_device_t
- Dontaudit reading of process states by ipsec_mgmt
* Thu Mar 11 2010 Dan Walsh <dwalsh@redhat.com> 3.7.13-3
- Fix openoffice from unconfined_t
* Wed Mar 10 2010 Dan Walsh <dwalsh@redhat.com> 3.7.13-2
- Add shutdown policy so consolekit can shutdown system
* Tue Mar 9 2010 Dan Walsh <dwalsh@redhat.com> 3.7.13-1
- Update to upstream
* Thu Mar 4 2010 Dan Walsh <dwalsh@redhat.com> 3.7.12-1
- Update to upstream
* Thu Mar 4 2010 Dan Walsh <dwalsh@redhat.com> 3.7.11-1
- Update to upstream - These are merges of my patches
- Remove 389 labeling conflicts
- Add MLS fixes found in RHEL6 testing
- Allow pulseaudio to run as a service
- Add label for mssql and allow apache to connect to this database port if boolean set
- Dontaudit searches of debugfs mount point
- Allow policykit_auth to send signals to itself
- Allow modcluster to call getpwnam
- Allow swat to signal winbind
- Allow usbmux to run as a system role
- Allow svirt to create and use devpts
* Mon Mar 1 2010 Dan Walsh <dwalsh@redhat.com> 3.7.10-5
- Add MLS fixes found in RHEL6 testing
- Allow domains to append to rpm_tmp_t
- Add cachefilesfd policy
- Dontaudit leaks when transitioning
* Wed Feb 24 2010 Dan Walsh <dwalsh@redhat.com> 3.7.10-4
- Change allow_execstack and allow_execmem booleans to on
- dontaudit acct using console
- Add label for fping
- Allow tmpreaper to delete sandbox_file_t
- Fix wine dontaudit mmap_zero
- Allow abrt to read var_t symlinks
* Tue Feb 23 2010 Dan Walsh <dwalsh@redhat.com> 3.7.10-3
- Additional policy for rgmanager
* Mon Feb 22 2010 Dan Walsh <dwalsh@redhat.com> 3.7.10-2
- Allow sshd to setattr on pseudo terms
* Mon Feb 22 2010 Dan Walsh <dwalsh@redhat.com> 3.7.10-1
- Update to upstream
* Thu Feb 18 2010 Dan Walsh <dwalsh@redhat.com> 3.7.9-4
- Allow policykit to send itself signals
* Wed Feb 17 2010 Dan Walsh <dwalsh@redhat.com> 3.7.9-3
- Fix duplicate cobbler definition
* Wed Feb 17 2010 Dan Walsh <dwalsh@redhat.com> 3.7.9-2
- Fix file context of /var/lib/avahi-autoipd
* Fri Feb 12 2010 Dan Walsh <dwalsh@redhat.com> 3.7.9-1
- Merge with upstream
* Thu Feb 11 2010 Dan Walsh <dwalsh@redhat.com> 3.7.8-11
- Allow sandbox to work with MLS
* Tue Feb 9 2010 Dan Walsh <dwalsh@redhat.com> 3.7.8-9
- Make Chrome work with staff user
* Thu Feb 4 2010 Dan Walsh <dwalsh@redhat.com> 3.7.8-8
- Add icecast policy
- Cleanup spec file
* Wed Feb 3 2010 Dan Walsh <dwalsh@redhat.com> 3.7.8-7
- Add mcelog policy
* Mon Feb 1 2010 Dan Walsh <dwalsh@redhat.com> 3.7.8-6
- Lots of fixes found in F12
* Thu Jan 28 2010 Dan Walsh <dwalsh@redhat.com> 3.7.8-5
- Fix rpm_dontaudit_leaks
* Wed Jan 27 2010 Dan Walsh <dwalsh@redhat.com> 3.7.8-4
- Add getsched to hald_t
- Add file context for Fedora/Redhat Directory Server
* Mon Jan 25 2010 Dan Walsh <dwalsh@redhat.com> 3.7.8-3
- Allow abrt_helper to getattr on all filesystems
- Add label for /opt/real/RealPlayer/plugins/oggfformat\.so
* Thu Jan 21 2010 Dan Walsh <dwalsh@redhat.com> 3.7.8-2
- Add gstreamer_home_t for ~/.gstreamer
* Mon Jan 18 2010 Dan Walsh <dwalsh@redhat.com> 3.7.8-1
- Update to upstream
* Fri Jan 15 2010 Dan Walsh <dwalsh@redhat.com> 3.7.7-3
- Fix git
* Thu Jan 7 2010 Dan Walsh <dwalsh@redhat.com> 3.7.7-2
- Turn on puppet policy
- Update to dgrift git policy
* Thu Jan 7 2010 Dan Walsh <dwalsh@redhat.com> 3.7.7-1
- Move users file to selection by spec file.
- Allow vncserver to run as unconfined_u:unconfined_r:unconfined_t
* Thu Jan 7 2010 Dan Walsh <dwalsh@redhat.com> 3.7.6-1
- Update to upstream
* Wed Jan 6 2010 Dan Walsh <dwalsh@redhat.com> 3.7.5-8
- Remove most of the permissive domains from F12.
* Tue Jan 5 2010 Dan Walsh <dwalsh@redhat.com> 3.7.5-7
- Add cobbler policy from dgrift
* Mon Jan 4 2010 Dan Walsh <dwalsh@redhat.com> 3.7.5-6
- add usbmon device
- Add allow rulse for devicekit_disk
* Wed Dec 30 2009 Dan Walsh <dwalsh@redhat.com> 3.7.5-5
- Lots of fixes found in F12, fixes from Tom London
* Wed Dec 23 2009 Dan Walsh <dwalsh@redhat.com> 3.7.5-4
- Cleanups from dgrift
* Tue Dec 22 2009 Dan Walsh <dwalsh@redhat.com> 3.7.5-3
- Add back xserver_manage_home_fonts
* Mon Dec 21 2009 Dan Walsh <dwalsh@redhat.com> 3.7.5-2
- Dontaudit sandbox trying to read nscd and sssd
* Fri Dec 18 2009 Dan Walsh <dwalsh@redhat.com> 3.7.5-1
- Update to upstream
* Thu Dec 17 2009 Dan Walsh <dwalsh@redhat.com> 3.7.4-4
- Rename udisks-daemon back to devicekit_disk_t policy
* Wed Dec 16 2009 Dan Walsh <dwalsh@redhat.com> 3.7.4-3
- Fixes for abrt calls
* Fri Dec 11 2009 Dan Walsh <dwalsh@redhat.com> 3.7.4-2
- Add tgtd policy
* Fri Dec 4 2009 Dan Walsh <dwalsh@redhat.com> 3.7.4-1
- Update to upstream release
* Mon Nov 16 2009 Dan Walsh <dwalsh@redhat.com> 3.7.3-1
- Add asterisk policy back in
- Update to upstream release 2.20091117
* Mon Nov 16 2009 Dan Walsh <dwalsh@redhat.com> 3.7.1-1
- Update to upstream release 2.20091117
* Mon Nov 16 2009 Dan Walsh <dwalsh@redhat.com> 3.6.33-2
- Fixup nut policy
* Thu Nov 12 2009 Dan Walsh <dwalsh@redhat.com> 3.6.33-1
- Update to upstream
* Thu Oct 1 2009 Dan Walsh <dwalsh@redhat.com> 3.6.32-17
- Allow vpnc request the kernel to load modules
* Wed Sep 30 2009 Dan Walsh <dwalsh@redhat.com> 3.6.32-16
- Fix minimum policy installs
- Allow udev and rpcbind to request the kernel to load modules
* Wed Sep 30 2009 Dan Walsh <dwalsh@redhat.com> 3.6.32-15
- Add plymouth policy
- Allow local_login to sys_admin
* Tue Sep 29 2009 Dan Walsh <dwalsh@redhat.com> 3.6.32-13
- Allow cupsd_config to read user tmp
- Allow snmpd_t to signal itself
- Allow sysstat_t to makedir in sysstat_log_t
* Fri Sep 25 2009 Dan Walsh <dwalsh@redhat.com> 3.6.32-12
- Update rhcs policy
* Thu Sep 24 2009 Dan Walsh <dwalsh@redhat.com> 3.6.32-11
- Allow users to exec restorecond
* Tue Sep 22 2009 Dan Walsh <dwalsh@redhat.com> 3.6.32-10
- Allow sendmail to request kernel modules load
* Mon Sep 21 2009 Dan Walsh <dwalsh@redhat.com> 3.6.32-9
- Fix all kernel_request_load_module domains
* Mon Sep 21 2009 Dan Walsh <dwalsh@redhat.com> 3.6.32-8
- Fix all kernel_request_load_module domains
* Sun Sep 20 2009 Dan Walsh <dwalsh@redhat.com> 3.6.32-7
- Remove allow_exec* booleans for confined users. Only available for unconfined_t
* Fri Sep 18 2009 Dan Walsh <dwalsh@redhat.com> 3.6.32-6
- More fixes for sandbox_web_t
* Fri Sep 18 2009 Dan Walsh <dwalsh@redhat.com> 3.6.32-5
- Allow sshd to create .ssh directory and content
* Fri Sep 18 2009 Dan Walsh <dwalsh@redhat.com> 3.6.32-4
- Fix request_module line to module_request
* Fri Sep 18 2009 Dan Walsh <dwalsh@redhat.com> 3.6.32-3
- Fix sandbox policy to allow it to run under firefox.
- Dont audit leaks.
* Thu Sep 17 2009 Dan Walsh <dwalsh@redhat.com> 3.6.32-2
- Fixes for sandbox
* Wed Sep 16 2009 Dan Walsh <dwalsh@redhat.com> 3.6.32-1
- Update to upstream
- Dontaudit nsplugin search /root
- Dontaudit nsplugin sys_nice
* Tue Sep 15 2009 Dan Walsh <dwalsh@redhat.com> 3.6.31-5
- Fix label on /usr/bin/notepad, /usr/sbin/vboxadd-service
- Remove policycoreutils-python requirement except for minimum
* Mon Sep 14 2009 Dan Walsh <dwalsh@redhat.com> 3.6.31-4
- Fix devicekit_disk_t to getattr on all domains sockets and fifo_files
- Conflicts seedit (You can not use selinux-policy-targeted and seedit at the same time.)
* Thu Sep 10 2009 Dan Walsh <dwalsh@redhat.com> 3.6.31-3
- Add wordpress/wp-content/uploads label
- Fixes for sandbox when run from staff_t
* Thu Sep 10 2009 Dan Walsh <dwalsh@redhat.com> 3.6.31-2
- Update to upstream
- Fixes for devicekit_disk
* Tue Sep 8 2009 Dan Walsh <dwalsh@redhat.com> 3.6.30-6
- More fixes
* Tue Sep 8 2009 Dan Walsh <dwalsh@redhat.com> 3.6.30-5
- Lots of fixes for initrc and other unconfined domains
* Fri Sep 4 2009 Dan Walsh <dwalsh@redhat.com> 3.6.30-4
- Allow xserver to use netlink_kobject_uevent_socket
* Thu Sep 3 2009 Dan Walsh <dwalsh@redhat.com> 3.6.30-3
- Fixes for sandbox
* Mon Aug 31 2009 Dan Walsh <dwalsh@redhat.com> 3.6.30-2
- Dontaudit setroubleshootfix looking at /root directory
* Mon Aug 31 2009 Dan Walsh <dwalsh@redhat.com> 3.6.30-1
- Update to upsteam
* Mon Aug 31 2009 Dan Walsh <dwalsh@redhat.com> 3.6.29-2
- Allow gssd to send signals to users
- Fix duplicate label for apache content
* Fri Aug 28 2009 Dan Walsh <dwalsh@redhat.com> 3.6.29-1
- Update to upstream
* Fri Aug 28 2009 Dan Walsh <dwalsh@redhat.com> 3.6.28-9
- Remove polkit_auth on upgrades
* Wed Aug 26 2009 Dan Walsh <dwalsh@redhat.com> 3.6.28-8
- Add back in unconfined.pp and unconfineduser.pp
- Add Sandbox unshare
* Tue Aug 25 2009 Dan Walsh <dwalsh@redhat.com> 3.6.28-7
- Fixes for cdrecord, mdadm, and others
* Sat Aug 22 2009 Dan Walsh <dwalsh@redhat.com> 3.6.28-6
- Add capability setting to dhcpc and gpm
* Sat Aug 22 2009 Dan Walsh <dwalsh@redhat.com> 3.6.28-5
- Allow cronjobs to read exim_spool_t
* Fri Aug 21 2009 Dan Walsh <dwalsh@redhat.com> 3.6.28-4
- Add ABRT policy
* Thu Aug 20 2009 Dan Walsh <dwalsh@redhat.com> 3.6.28-3
- Fix system-config-services policy
* Wed Aug 19 2009 Dan Walsh <dwalsh@redhat.com> 3.6.28-2
- Allow libvirt to change user componant of virt_domain
* Tue Aug 18 2009 Dan Walsh <dwalsh@redhat.com> 3.6.28-1
- Allow cupsd_config_t to be started by dbus
- Add smoltclient policy
* Fri Aug 14 2009 Dan Walsh <dwalsh@redhat.com> 3.6.27-1
- Add policycoreutils-python to pre install
* Thu Aug 13 2009 Dan Walsh <dwalsh@redhat.com> 3.6.26-11
- Make all unconfined_domains permissive so we can see what AVC's happen
* Mon Aug 10 2009 Dan Walsh <dwalsh@redhat.com> 3.6.26-10
- Add pt_chown policy
* Mon Aug 10 2009 Dan Walsh <dwalsh@redhat.com> 3.6.26-9
- Add kdump policy for Miroslav Grepl
- Turn off execstack boolean
* Fri Aug 7 2009 Bill Nottingham <notting@redhat.com> 3.6.26-8
- Turn on execstack on a temporary basis (#512845)
* Thu Aug 6 2009 Dan Walsh <dwalsh@redhat.com> 3.6.26-7
- Allow nsplugin to connecto the session bus
- Allow samba_net to write to coolkey data
* Wed Aug 5 2009 Dan Walsh <dwalsh@redhat.com> 3.6.26-6
- Allow devicekit_disk to list inotify
* Wed Aug 5 2009 Dan Walsh <dwalsh@redhat.com> 3.6.26-5
- Allow svirt images to create sock_file in svirt_var_run_t
* Tue Aug 4 2009 Dan Walsh <dwalsh@redhat.com> 3.6.26-4
- Allow exim to getattr on mountpoints
- Fixes for pulseaudio
* Fri Jul 31 2009 Dan Walsh <dwalsh@redhat.com> 3.6.26-3
- Allow svirt_t to stream_connect to virtd_t
* Fri Jul 31 2009 Dan Walsh <dwalsh@redhat.com> 3.6.26-2
- Allod hald_dccm_t to create sock_files in /tmp
* Thu Jul 30 2009 Dan Walsh <dwalsh@redhat.com> 3.6.26-1
- More fixes from upstream
* Tue Jul 28 2009 Dan Walsh <dwalsh@redhat.com> 3.6.25-1
- Fix polkit label
- Remove hidebrokensymptoms for nss_ldap fix
- Add modemmanager policy
- Lots of merges from upstream
- Begin removing textrel_shlib_t labels, from fixed libraries
* Tue Jul 28 2009 Dan Walsh <dwalsh@redhat.com> 3.6.24-1
- Update to upstream
* Mon Jul 27 2009 Dan Walsh <dwalsh@redhat.com> 3.6.23-2
- Allow certmaster to override dac permissions
* Thu Jul 23 2009 Dan Walsh <dwalsh@redhat.com> 3.6.23-1
- Update to upstream
* Tue Jul 21 2009 Dan Walsh <dwalsh@redhat.com> 3.6.22-3
- Fix context for VirtualBox
* Tue Jul 14 2009 Dan Walsh <dwalsh@redhat.com> 3.6.22-1
- Update to upstream
* Fri Jul 10 2009 Dan Walsh <dwalsh@redhat.com> 3.6.21-4
- Allow clamscan read amavis spool files
* Wed Jul 8 2009 Dan Walsh <dwalsh@redhat.com> 3.6.21-3
- Fixes for xguest
* Tue Jul 7 2009 Tom "spot" Callaway <tcallawa@redhat.com> 3.6.21-2
- fix multiple directory ownership of mandirs
* Wed Jul 1 2009 Dan Walsh <dwalsh@redhat.com> 3.6.21-1
- Update to upstream
* Tue Jun 30 2009 Dan Walsh <dwalsh@redhat.com> 3.6.20-2
- Add rules for rtkit-daemon
* Thu Jun 25 2009 Dan Walsh <dwalsh@redhat.com> 3.6.20-1
- Update to upstream
- Fix nlscd_stream_connect
* Thu Jun 25 2009 Dan Walsh <dwalsh@redhat.com> 3.6.19-5
- Add rtkit policy
* Wed Jun 24 2009 Dan Walsh <dwalsh@redhat.com> 3.6.19-4
- Allow rpcd_t to stream connect to rpcbind
* Tue Jun 23 2009 Dan Walsh <dwalsh@redhat.com> 3.6.19-3
- Allow kpropd to create tmp files
* Tue Jun 23 2009 Dan Walsh <dwalsh@redhat.com> 3.6.19-2
- Fix last duplicate /var/log/rpmpkgs
* Mon Jun 22 2009 Dan Walsh <dwalsh@redhat.com> 3.6.19-1
- Update to upstream
* add sssd
* Sat Jun 20 2009 Dan Walsh <dwalsh@redhat.com> 3.6.18-1
- Update to upstream
* cleanup
* Fri Jun 19 2009 Dan Walsh <dwalsh@redhat.com> 3.6.17-1
- Update to upstream
- Additional mail ports
- Add virt_use_usb boolean for svirt
* Thu Jun 18 2009 Dan Walsh <dwalsh@redhat.com> 3.6.16-4
- Fix mcs rules to include chr_file and blk_file
* Tue Jun 16 2009 Dan Walsh <dwalsh@redhat.com> 3.6.16-3
- Add label for udev-acl
* Mon Jun 15 2009 Dan Walsh <dwalsh@redhat.com> 3.6.16-2
- Additional rules for consolekit/udev, privoxy and various other fixes
* Fri Jun 12 2009 Dan Walsh <dwalsh@redhat.com> 3.6.16-1
- New version for upstream
* Thu Jun 11 2009 Dan Walsh <dwalsh@redhat.com> 3.6.14-3
- Allow NetworkManager to read inotifyfs
* Wed Jun 10 2009 Dan Walsh <dwalsh@redhat.com> 3.6.14-2
- Allow setroubleshoot to run mlocate
* Mon Jun 8 2009 Dan Walsh <dwalsh@redhat.com> 3.6.14-1
- Update to upstream
* Tue Jun 2 2009 Dan Walsh <dwalsh@redhat.com> 3.6.13-3
- Add fish as a shell
- Allow fprintd to list usbfs_t
- Allow consolekit to search mountpoints
- Add proper labeling for shorewall
* Tue May 26 2009 Dan Walsh <dwalsh@redhat.com> 3.6.13-2
- New log file for vmware
- Allow xdm to setattr on user_tmp_t
* Thu May 21 2009 Dan Walsh <dwalsh@redhat.com> 3.6.13-1
- Upgrade to upstream
* Wed May 20 2009 Dan Walsh <dwalsh@redhat.com> 3.6.12-39
- Allow fprintd to access sys_ptrace
- Add sandbox policy
* Mon May 18 2009 Dan Walsh <dwalsh@redhat.com> 3.6.12-38
- Add varnishd policy
* Thu May 14 2009 Dan Walsh <dwalsh@redhat.com> 3.6.12-37
- Fixes for kpropd
* Tue May 12 2009 Dan Walsh <dwalsh@redhat.com> 3.6.12-36
- Allow brctl to r/w tun_tap_device_t
* Mon May 11 2009 Dan Walsh <dwalsh@redhat.com> 3.6.12-35
- Add /usr/share/selinux/packages
* Mon May 11 2009 Dan Walsh <dwalsh@redhat.com> 3.6.12-34
- Allow rpcd_t to send signals to kernel threads
* Fri May 8 2009 Dan Walsh <dwalsh@redhat.com> 3.6.12-33
- Fix upgrade for F10 to F11
* Thu May 7 2009 Dan Walsh <dwalsh@redhat.com> 3.6.12-31
- Add policy for /var/lib/fprint
* Tue May 5 2009 Dan Walsh <dwalsh@redhat.com> 3.6.12-30
-Remove duplicate line
* Tue May 5 2009 Dan Walsh <dwalsh@redhat.com> 3.6.12-29
- Allow svirt to manage pci and other sysfs device data
* Mon May 4 2009 Dan Walsh <dwalsh@redhat.com> 3.6.12-28
- Fix package selection handling
* Fri May 1 2009 Dan Walsh <dwalsh@redhat.com> 3.6.12-27
- Fix /sbin/ip6tables-save context
- Allod udev to transition to mount
- Fix loading of mls policy file
* Thu Apr 30 2009 Dan Walsh <dwalsh@redhat.com> 3.6.12-26
- Add shorewall policy
* Wed Apr 29 2009 Dan Walsh <dwalsh@redhat.com> 3.6.12-25
- Additional rules for fprintd and sssd
* Tue Apr 28 2009 Dan Walsh <dwalsh@redhat.com> 3.6.12-24
- Allow nsplugin to unix_read unix_write sem for unconfined_java
* Tue Apr 28 2009 Dan Walsh <dwalsh@redhat.com> 3.6.12-23
- Fix uml files to be owned by users
* Tue Apr 28 2009 Dan Walsh <dwalsh@redhat.com> 3.6.12-22
- Fix Upgrade path to install unconfineduser.pp when unocnfined package is 3.0.0 or less
* Mon Apr 27 2009 Dan Walsh <dwalsh@redhat.com> 3.6.12-21
- Allow confined users to manage virt_content_t, since this is home dir content
- Allow all domains to read rpm_script_tmp_t which is what shell creates on redirection
* Mon Apr 27 2009 Dan Walsh <dwalsh@redhat.com> 3.6.12-20
- Fix labeling on /var/lib/misc/prelink*
- Allow xserver to rw_shm_perms with all x_clients
- Allow prelink to execute files in the users home directory
* Fri Apr 24 2009 Dan Walsh <dwalsh@redhat.com> 3.6.12-19
- Allow initrc_t to delete dev_null
- Allow readahead to configure auditing
- Fix milter policy
- Add /var/lib/readahead
* Fri Apr 24 2009 Dan Walsh <dwalsh@redhat.com> 3.6.12-16
- Update to latest milter code from Paul Howarth
* Thu Apr 23 2009 Dan Walsh <dwalsh@redhat.com> 3.6.12-15
- Additional perms for readahead
* Thu Apr 23 2009 Dan Walsh <dwalsh@redhat.com> 3.6.12-14
- Allow pulseaudio to acquire_svc on session bus
- Fix readahead labeling
* Thu Apr 23 2009 Dan Walsh <dwalsh@redhat.com> 3.6.12-13
- Allow sysadm_t to run rpm directly
- libvirt needs fowner
* Wed Apr 22 2009 Dan Walsh <dwalsh@redhat.com> 3.6.12-12
- Allow sshd to read var_lib symlinks for freenx
* Tue Apr 21 2009 Dan Walsh <dwalsh@redhat.com> 3.6.12-11
- Allow nsplugin unix_read and write on users shm and sem
- Allow sysadm_t to execute su
* Tue Apr 21 2009 Dan Walsh <dwalsh@redhat.com> 3.6.12-10
- Dontaudit attempts to getattr user_tmpfs_t by lvm
- Allow nfs to share removable media
* Mon Apr 20 2009 Dan Walsh <dwalsh@redhat.com> 3.6.12-9
- Add ability to run postdrop from confined users
* Sat Apr 18 2009 Dan Walsh <dwalsh@redhat.com> 3.6.12-8
- Fixes for podsleuth
* Fri Apr 17 2009 Dan Walsh <dwalsh@redhat.com> 3.6.12-7
- Turn off nsplugin transition
- Remove Konsole leaked file descriptors for release
* Fri Apr 17 2009 Dan Walsh <dwalsh@redhat.com> 3.6.12-6
- Allow cupsd_t to create link files in print_spool_t
- Fix iscsi_stream_connect typo
- Fix labeling on /etc/acpi/actions
- Don't reinstall unconfine and unconfineuser on upgrade if they are not installed
* Tue Apr 14 2009 Dan Walsh <dwalsh@redhat.com> 3.6.12-5
- Allow audioentroy to read etc files
* Mon Apr 13 2009 Dan Walsh <dwalsh@redhat.com> 3.6.12-4
- Add fail2ban_var_lib_t
- Fixes for devicekit_power_t
* Thu Apr 9 2009 Dan Walsh <dwalsh@redhat.com> 3.6.12-3
- Separate out the ucnonfined user from the unconfined.pp package
* Wed Apr 8 2009 Dan Walsh <dwalsh@redhat.com> 3.6.12-2
- Make sure unconfined_java_t and unconfined_mono_t create user_tmpfs_t.
* Tue Apr 7 2009 Dan Walsh <dwalsh@redhat.com> 3.6.12-1
- Upgrade to latest upstream
- Allow devicekit_disk sys_rawio
* Mon Apr 6 2009 Dan Walsh <dwalsh@redhat.com> 3.6.11-1
- Dontaudit binds to ports < 1024 for named
- Upgrade to latest upstream
* Fri Apr 3 2009 Dan Walsh <dwalsh@redhat.com> 3.6.10-9
- Allow podsleuth to use tmpfs files
* Fri Apr 3 2009 Dan Walsh <dwalsh@redhat.com> 3.6.10-8
- Add customizable_types for svirt
* Fri Apr 3 2009 Dan Walsh <dwalsh@redhat.com> 3.6.10-7
- Allow setroubelshoot exec* privs to prevent crash from bad libraries
- add cpufreqselector
* Thu Apr 2 2009 Dan Walsh <dwalsh@redhat.com> 3.6.10-6
- Dontaudit listing of /root directory for cron system jobs
* Mon Mar 30 2009 Dan Walsh <dwalsh@redhat.com> 3.6.10-5
- Fix missing ld.so.cache label
* Fri Mar 27 2009 Dan Walsh <dwalsh@redhat.com> 3.6.10-4
- Add label for ~/.forward and /root/.forward
* Thu Mar 26 2009 Dan Walsh <dwalsh@redhat.com> 3.6.10-3
- Fixes for svirt
* Thu Mar 19 2009 Dan Walsh <dwalsh@redhat.com> 3.6.10-2
- Fixes to allow svirt read iso files in homedir
* Thu Mar 19 2009 Dan Walsh <dwalsh@redhat.com> 3.6.10-1
- Add xenner and wine fixes from mgrepl
* Wed Mar 18 2009 Dan Walsh <dwalsh@redhat.com> 3.6.9-4
- Allow mdadm to read/write mls override
* Tue Mar 17 2009 Dan Walsh <dwalsh@redhat.com> 3.6.9-3
- Change to svirt to only access svirt_image_t
* Thu Mar 12 2009 Dan Walsh <dwalsh@redhat.com> 3.6.9-2
- Fix libvirt policy
* Thu Mar 12 2009 Dan Walsh <dwalsh@redhat.com> 3.6.9-1
- Upgrade to latest upstream
* Tue Mar 10 2009 Dan Walsh <dwalsh@redhat.com> 3.6.8-4
- Fixes for iscsid and sssd
- More cleanups for upgrade from F10 to Rawhide.
* Mon Mar 9 2009 Dan Walsh <dwalsh@redhat.com> 3.6.8-3
- Add pulseaudio, sssd policy
- Allow networkmanager to exec udevadm
* Sat Mar 7 2009 Dan Walsh <dwalsh@redhat.com> 3.6.8-2
- Add pulseaudio context
* Thu Mar 5 2009 Dan Walsh <dwalsh@redhat.com> 3.6.8-1
- Upgrade to latest patches
* Wed Mar 4 2009 Dan Walsh <dwalsh@redhat.com> 3.6.7-2
- Fixes for libvirt
* Mon Mar 2 2009 Dan Walsh <dwalsh@redhat.com> 3.6.7-1
- Update to Latest upstream
* Sat Feb 28 2009 Dan Walsh <dwalsh@redhat.com> 3.6.6-9
- Fix setrans.conf to show SystemLow for s0
* Fri Feb 27 2009 Dan Walsh <dwalsh@redhat.com> 3.6.6-8
