- Allow modemmanager_t domain to write to raw_ip file labeled as sysfs_t
Resolves: rhbz#1676810
* Tue Mar 26 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-242
- Make shell_exec_t type as entrypoint for vmtools_unconfined_t.
Resolves: rhbz#1656814
* Wed Mar 13 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-241
- Update vmtools policy Resolves: rhbz#1656814 Allow domain transition from vmtools_t to vmtools_unconfined_t when shell_exec_t is entrypoint.
- Allow virt_qemu_ga_t domain to read udev_var_run_t files
Resolves: rhbz#1663092
- Update nagios_run_sudo boolean with few allow rules related to accessing sssd
Resolves: rhbz#1653309
- Allow nfsd_t to read nvme block devices BZ(1562554)
Resolves: rhbz#1655493
- Allow tangd_t domain to bind on tcp ports labeled as tangd_port_t
Resolves: rhbz#1650909
- Allow all domains to send dbus msgs to vmtools_unconfined_t processes
Resolves: rhbz#1656814
- Label /dev/pkey as crypt_device_t
Resolves: rhbz#1623068
- Allow sudodomains to write to systemd_logind_sessions_t pipes.
Resolves: rhbz#1687452
- Allow all user domains to read realmd_var_lib_t files and dirs to check if IPA is configured on the system
Resolves: rhbz#1667962
- Fixes: xenconsole does not start
Resolves: rhbz#1601525
- Label /usr/lib64/libcuda.so.XX.XX library as textrel_shlib_t.
Resolves: rhbz#1636197
- Create tangd_port_t with default label tcp/7406
Resolves: rhbz#1650909
* Tue Mar 05 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-240
- named wants to access /proc/sys/net/ipv4/ip_local_port_range to get ehphemeral range.
Resolves: rhbz#1683754
- Allow sbd_t domain to bypass permission checks for sending signals
Resolves: rhbz#1671132
- Allow sbd_t domain read/write all sysctls
Resolves: rhbz#1671132
- Allow kpatch_t domain to communicate with policykit_t domsin over dbus
Resolves: rhbz#1602435
- Allow boltd_t to stream connect to sytem dbus
Resolves: rhbz#1589086
- Update userdom_admin_user_template() and init_prog_run_bpf() interfaces to make working bpftool for confined admin
Resolves: rhbz#1626115
- Update unconfined_dbus_send() interface to allow both direction communication over dbus with unconfined process.
Resolves: rhbz#1589086
* Fri Mar 01 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-239
- Allow sbd_t domain read/write all sysctls
Resolves: rhbz#1671132
- Allow kpatch_t domain to communicate with policykit_t domsin over dbus
Resolves: rhbz#1602435
- Allow boltd_t to stream connect to sytem dbus
Resolves: rhbz#1589086
- Update unconfined_dbus_send() interface to allow both direction communication over dbus with unconfined process.
Resolves: rhbz#1589086
* Mon Feb 25 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-238
- Update redis_enable_notify() boolean to fix sending e-mail by redis when this boolean is turned on
Resolves: rhbz#1646765
* Tue Feb 19 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-237
- Allow virtd_lxc_t domains use BPF
Resolves: rhbz#1626115
- F29 NetworkManager implements a new code for IPv4 address conflict detection (RFC 5227) based on n-acd [1], which uses eBPF to process ARP packets from the network.
Resolves: rhbz#1626115
- Allow unconfined user all perms under bpf class BZ(1565738
Resolves: rhbz#1626115
- Allow unconfined and sysadm users to use bpftool BZ(1591440)
Resolves: rhbz#1626115
- Allow systemd to manage bpf dirs/files
Resolves: rhbz#1626115
- Create new type bpf_t and label /sys/fs/bpf with this type
Resolves:rhbz#1626115
- Add new interface init_prog_run_bpf()
Resolves:rhbz#1626115
- add definition of bpf class and systemd perms
Resolves: rhbz#1626115
* Sun Feb 03 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-236
- Update policy with multiple allow rules to make working installing VM in MLS policy
Resolves: rhbz#1558121
- Allow virt domain to use interited virtlogd domains fifo_file
Resolves: rhbz#1558121
- Allow chonyc_t domain to rw userdomain pipes
Resolves: rhbz#1618757
- Add file contexts in ganesha.fc file to label logging ganesha files properly.
Resolves: rhbz#1628247
* Thu Jan 31 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-235
- Allow sandbox_xserver_t domain write to user_tmp_t files
Resolves: rhbz#1646521
- Allow virt_qemu_ga_t domain to read network state
Resolves: rhbz#1630347
- Bolt added d-bus API for force-powering the thunderbolt controller, so system-dbusd needs acces to boltd pipes
Resolves: rhbz#1589086
- Add boltd policy
Resolves: rhbz#1589086
- Allow virt domains to read/write cephfs filesystems
Resolves: rhbz#1558836
- Allow gpg_t to create own tmpfs dirs and sockets
Resolves: rhbz#1535109
- Allow gpg_agent_t to send msgs to syslog/journal
Resolves: rhbz#1535109
- Allow virtual machine to write to fixed_disk_device_t
Resolves: rhbz#1499208
- Update kdump_manage_crash() interface to allow also manage dirs by caller domain
Resolves: rhbz#1491585
- Add kpatch policy
Resolves: rhbz#1602435
- Label /usr/bin/mysqld_safe_helper as mysqld_exec_t instead of bin_t
Resolves: rhbz#1623942
- Allow svnserve_t domain to create in /tmp svn_0 file labeled as krb5_host_rcache_t
Resolves: rhbz#1475271
- Allow systemd to mount boltd_var_run_t dirs
Resolves: rhbz#1589086
- Allow systemd to mounont boltd lib dirs
Resolves: rhbz#1589086
- Allow sysadm_t,staff_t and unconfined_t domain to execute kpatch as kpatch_t domain
Resolves: rhbz#1602435
- Allow passwd_t domain chroot
- Add miscfiles_filetrans_named_content_letsencrypt() to optional_block
- Allow unconfined domains to create letsencrypt directory in /var/lib labeled as cert_t
Resolves: rhbz#1447278
- Allow staff_t user to systemctl iptables units.
Resolves: rhbz#1360470
* Thu Jan 31 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-234
- Label /usr/bin/mysqld_safe_helper as mysqld_exec_t instead of bin_t
Resolves: rhbz#1623942
- Allow svnserve_t domain to create in /tmp svn_0 file labeled as krb5_host_rcache_t
Resolves: rhbz#1475271
- Allow passwd_t domain chroot
- Add miscfiles_filetrans_named_content_letsencrypt() to optional_block
- Allow unconfined domains to create letsencrypt directory in /var/lib labeled as cert_t
Resolves: rhbz#1447278
- Allow staff_t user to systemctl iptables units.
Resolves: rhbz#1360470
* Thu Jan 17 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-233
- Allow gssd_t domain to manage kernel keyrings of every domain.
Resolves: rhbz#1487350
- Add new interface domain_manage_all_domains_keyrings()
Resolves: rhbz#1487350
* Sun Jan 13 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-232
- Allow gssd_t domain to read/write kernel keyrings of every domain.
Resolves: rhbz#1487350
- Add interface domain_rw_all_domains_keyrings()
Resolves: rhbz#1487350
* Wed Dec 19 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-231
- Update snapperd policy to allow snapperd manage all non security dirs.
Resolves: rhbz#1619306
* Fri Nov 09 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-230
- Dontaudit oracleasm_t domain to request sys_admin capability
- Allow iscsid_t domain to load kernel module
Resolves: rhbz#1589295
- Update rhcs contexts to reflects the latest fenced changes
- Allow httpd_t domain to rw user_tmp_t files
Resolves: rhbz#1608355
- /usr/libexec/udisks2/udisksd should be labeled as devicekit_disk_exec_t
Resolves: rhbz#1521063
- Allow tangd_t dac_read_search
Resolves: rhbz#1607810
- Allow glusterd_t domain to mmap user_tmp_t files
- Allow mongodb_t domain to mmap own var_lib_t files
Resolves: rhbz#1607729
- Allow iscsid_t domain to mmap sysfs_t files
Resolves: rhbz#1602508
- Allow tomcat_domain to search cgroup dirs
Resolves: rhbz#1600188
- Allow httpd_t domain to mmap own cache files
Resolves: rhbz#1603505
- Allow cupsd_t domain to mmap cupsd_etc_t files
Resolves: rhbz#1599694
- Allow kadmind_t domain to mmap krb5kdc_principal_t
Resolves: rhbz#1601004
- Allow virtlogd_t domain to read virt_etc_t link files
Resolves: rhbz#1598593
- Allow dirsrv_t domain to read crack db
Resolves: rhbz#1599726
- Dontaudit pegasus_t to require sys_admin capability
Resolves: rhbz#1374570
- Allow mysqld_t domain to exec mysqld_exec_t binary files
- Allow abrt_t odmain to read rhsmcertd lib files
Resolves: rhbz#1601389
- Allow winbind_t domain to request kernel module loads
Resolves: rhbz#1599236
- Allow gpsd_t domain to getsession and mmap own tmpfs files
Resolves: rhbz#1598388
- Allow smbd_t send to nmbd_t via dgram sockets BZ(1563791)
Resolves: rhbz#1600157
- Allow tomcat_domain to read cgroup_t files
Resolves: rhbz#1601151
- Allow varnishlog_t domain to mmap varnishd_var_lib_t files
Resolves: rhbz#1600704
- Allow dovecot_auth_t domain to manage also dovecot_var_run_t fifo files. BZ(1320415)
Resolves: rhbz#1600692
- Fix ntp SELinux module
- Allow innd_t domain to mmap news_spool_t files
Resolves: rhbz#1600591
- Allow haproxy daemon to reexec itself. BZ(1447800)
Resolves: rhbz#1600578
- Label HOME_DIR/mozilla.pdf file as mozilla_home_t instead of user_home_t
Resolves: rhbz#1559859
- Allow pkcs_slotd_t domain to mmap own tmpfs files
Resolves: rhbz#1600434
- Allow fenced_t domain to reboot
Resolves: rhbz#1293384
- Allow bluetooth_t domain listen on bluetooth sockets BZ(1549247)
Resolves: rhbz#1557299
- Allow lircd to use nsswitch. BZ(1401375)
- Allow targetd_t domain mmap lvm config files
Resolves: rhbz#1546671
- Allow amanda_t domain to read network system state
Resolves: rhbz#1452444
- Allow abrt_t domain to read rhsmcertd logs
Resolves: rhbz#1492059
- Allow application_domain_type also mmap inherited user temp files BZ(1552765)
Resolves: rhbz#1608421
- Allow ipsec_t domain to read l2tpd pid files
Resolves: rhbz#1607994
- Allow systemd_tmpfiles_t do mmap system db files
- Improve domain_transition_pattern to allow mmap entrypoint bin file.
Resolves: rhbz#1460322
- Allow nsswitch_domain to mmap passwd_file_t files BZ(1518655)
Resolves: rhbz#1600528
- Dontaudit syslogd to watching top llevel dirs when imfile module is enabled
Resolves: rhbz#1601928
- Allow ipsec_t can exec ipsec_exec_t
Resolves: rhbz#1600684
- Allow netutils_t domain to mmap usmmon device
Resolves: rhbz#1600586
- Allow netlabel_mgmt_t domain to read sssd public files, stream connect to sssd_t BZ(1483655)
- Allow userdomain sudo domains to use generic ptys
Resolves: rhbz#1564470
- Allow traceroute to create icmp packets
Resolves: rhbz#1548350
- Allow systemd domain to mmap lvm config files BZ(1594584)
- Add new interface lvm_map_config
- refpolicy: Update for kernel sctp support Resolves: rhbz#1597111 Add additional entries to support the kernel SCTP implementation introduced in kernel 4.16
* Fri Jun 29 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-207
- Update oddjob_domtrans_mkhomedir() interface to allow caller domain also mmap oddjob_mkhomedir_exec_t files
Resolves: rhbz#1596306
- Update rhcs_rw_cluster_tmpfs() interface to allow caller domain to mmap cluster_tmpfs_t files
Resolves: rhbz#1589257
- Allow radiusd_t domain to read network sysctls
Resolves: rhbz#1516233
- Allow chronyc_t domain to use nscd shm
Resolves: rhbz#1596563
- Label /var/lib/tomcats dir as tomcat_var_lib_t
Resolves: rhbz#1596367
- Allow lsmd_t domain to mmap lsmd_plugin_exec_t files
Resolves: rhbz#bea0c8174
- Label /usr/sbin/rhn_check-[0-9]+.[0-9]+ as rpm_exec_t
Resolves: rhbz#1596509
- Update seutil_exec_loadpolicy() interface to allow caller domain to mmap load_policy_exec_t files
Resolves: rhbz#1596072
- Allow xdm_t to read systemd hwdb
Resolves: rhbz#1596720
- Allow dhcpc_t domain to mmap files labeled as ping_exec_t
Resolves: rhbz#1596065
* Wed Jun 27 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-206
- Allow tangd_t domain to create tcp sockets
Resolves: rhbz#1595775
- Update postfix policy to allow postfix_master_t domain to mmap all postfix* binaries
Resolves: rhbz#1595328
- Allow amanda_t domain to have setgid capability
Resolves: rhbz#1452444
- Update usermanage_domtrans_useradd() to allow caller domain to mmap useradd_exec_t files
Resolves: rhbz#1595667
* Tue Jun 26 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-205
* Tue Feb 27 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-192
- Label /usr/libexec/dbus-1/dbus-daemon-launch-helper as dbusd_exec_t to have systemd dbus services running in the correct domain instead of unconfined_service_t if unconfined.pp module is enabled.
Resolves: rhbz#1546721
* Mon Feb 19 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-191
- Allow openvswitch_t stream connect svirt_t
Resolves: rhbz#1540702
* Fri Feb 16 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-190
- Allow openvswitch domain to manage svirt_tmp_t sock files
Resolves: rhbz#1540702
- Fix broken systemd_tmpfiles_run() interface
* Wed Feb 07 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-189
- Allow dirsrv_t domain to create tmp link files
Resolves: rhbz#1536011
- Label /usr/sbin/ldap-agent as dirsrv_snmp_exec_t
- We should not ship selinux-policy with permissivedomains enabled.
Resolves: rhbz#1494172
- Fix order of installing selinux-policy-sandbox, because of depedencied in sandbox module, selinux-policy-targeted needs to be installed before selinux-policy-sandbox
- Allow cluster_t and glusterd_t domains to dbus chat with ganesha service
Resolves: rhbz#1468581
* Mon Jun 26 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-165
- Dontaudit staff_t user read admin_home_t files.
Resolves: rhbz#1290633
* Wed Jun 21 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-164
- Allow couple rules needed to start targetd daemon with SELinux in enforcing mode
Resolves: rhbz#1424621
- Add interface lvm_manage_metadata
Resolves: rhbz#1424621
* Tue Jun 20 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-163
- Allow sssd_t to read realmd lib files.
Resolves: rhbz#1436689
- Add permission open to files_read_inherited_tmp_files() interface
Resolves: rhbz#1290633
Resolves: rhbz#1457106
* Thu Jun 15 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-162
- Allow unconfined_t user all user namespace capabilties.
Resolves: rhbz#1461488
* Thu Jun 08 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-161
- Allow httpd_t to read realmd_var_lib_t files Resolves: rhbz#1436689
* Tue Jun 06 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-160
- Allow named_t to bind on udp 4321 port
Resolves: rhbz#1312972
- Allow systemd-sysctl cap. sys_ptrace
Resolves: rhbz#1458999
* Mon Jun 05 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-159
- Allow pki_tomcat_t execute ldconfig.
Resolves: rhbz#1436689
* Fri Jun 02 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-158
- Allow iscsi domain load kernel module.
Resolves: rhbz#1457874
- Allow keepalived domain connect to squid tcp port
Resolves: rhbz#1457455
- Allow krb5kdc_t domain read realmd lib files.
Resolves: rhbz#1436689
- xdm_t should view kernel keys
Resolves: rhbz#1432645
* Thu Jun 01 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-157
- Allow tomcat to connect on all unreserved ports
- Allow ganesha to connect to all rpc ports
Resolves: rhbz#1448090
- Update ganesha with another fixes.
Resolves: rhbz#1448090
- Update rpc_read_nfs_state_data() interface to allow read also lnk_files.
Resolves: rhbz#1448090
- virt_use_glusterd boolean should be in optional block Update ganesha module to allow create tmp files
Resolves: rhbz#1448090
- Hide broken symptoms when machine is configured with network bounding.
* Wed May 31 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-156
- Add new boolean virt_use_glusterd
Resolves: rhbz#1455994
- Add capability sys_boot for sbd_t domain
- Allow sbd_t domain to create rpc sysctls.
Resolves: rhbz#1455631
- Allow ganesha_t domain to manage glusterd_var_run_t pid files.
Resolves: rhbz#1448090
* Tue May 30 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-155
- Create new interface: glusterd_read_lib_files()
- Allow ganesha read glusterd lib files.
- Allow ganesha read network sysctls
Resolves: rhbz#1448090
* Mon May 29 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-154
- Add few allow rules to ganesha module
Resolves: rhbz#1448090
- Allow condor_master_t to read sysctls.
Resolves: rhbz#1277506
- Add dac_override cap to ctdbd_t domain
Resolves: rhbz#1435708
- Label 8750 tcp/udp port as dey_keyneg_port_t
Resolves: rhbz#1448090
* Mon May 29 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-153
- Add ganesha_use_fusefs boolean.
Resolves: rhbz#1448090
* Wed May 24 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-152
- Allow httpd_t reading kerberos kdc config files
Resolves: rhbz#1452215
- Allow tomcat_t domain connect to ibm_dt_2 tcp port.
Resolves: rhbz#1447436
- Allow stream connect to initrc_t domains
Resolves: rhbz#1447436
- Allow dnsmasq_t domain to read systemd-resolved pid files.
Resolves: rhbz#1453114
- Allow tomcat domain name_bind on tcp bctp_port_t
Resolves: rhbz#1451757
- Allow smbd_t domain generate debugging files under /var/run/gluster. These files are created through the libgfapi.so library that provides integration of a GlusterFS client in the Samba (vfs_glusterfs) process.
Resolves: rhbz#1447669
- Allow condor_master_t write to sysctl_net_t
Resolves: rhbz#1277506
- Allow nagios check disk plugin read /sys/kernel/config/
- Hide broken symptoms when using kernel 3.10.0-514+ with network bonding. Postfix_picup_t domain requires NET_ADMIN capability which is not really needed.
Resolves: rhbz#1431859
- Fix policy to reflect all changes in new IPA release
- Dontaudit pcp_pmlogger_t search for xserver logs. Allow pcp_pmlogger_t to send signals to unconfined doamins Allow pcp_pmlogger_t to send logs to journals
Resolves: rhbz#1379371
- Allow chronyd_t net_admin capability to allow support HW timestamping.
Resolves: rhbz#1416015
- Update tomcat policy
Resolves: rhbz#1436689
Resolves: rhbz#1436383
- Allow certmonger to start haproxy service
Resolves: rhbz#1349394
- Allow init noatsecure for gssd and gssproxy
Resolves: rhbz#1438036
* Thu Mar 30 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-136
- geoclue wants to dbus chat with avahi
Resolves: rhbz#1434286
- Allow iptables get list of kernel modules
Resolves: rhbz#1367520
- Allow unconfined_domain_type to enable/disable transient unit
Resolves: rhbz#1337041
- Add interfaces init_enable_transient_unit() and init_disable_transient_unit
- Revert "Allow sshd setcap capability. This is needed due to latest changes in sshd"
Resolves: rhbz#1435264
- Label sysroot dir under ostree as root_t
Resolves: rhbz#1428112
* Wed Mar 29 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-135
- Remove ganesha_t domain from permissive domains.
Resolves: rhbz#1436988
* Tue Mar 28 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-134
- Allow named_t domain bind on several udp ports
Resolves: rhbz#1312972
- Update nscd_use() interface
Resolves: rhbz#1281716
- Allow radius_t domain ptrace
Resolves: rhbz#1426641
- Update nagios to allos exec systemctl
Resolves: rhbz#1247635
- Update pcp SELinux module to reflect all pcp changes
Resolves: rhbz#1271998
- Label /var/lib/ssl_db as squid_cache_t Label /etc/squid/ssl_db as squid_cache_t
* Mon Mar 27 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-133
- Allow drbd load modules
Resolves: rhbz#1134883
- Revert "Add sys_module capability for drbd
Resolves: rhbz#1134883"
- Allow stapserver list kernel modules
Resolves: rhbz#1325976
- Update targetd policy
Resolves: rhbz#1373860
- Add sys_admin capability to amanda
Resolves: rhbz#1371561
- Allow hypervvssd_t to read all dirs.
Resolves: rhbz#1331309
- Label /run/haproxy.sock socket as haproxy_var_run_t
Resolves: rhbz#1386233
- Allow oddjob_mkhomedir_t to mamange autofs_t dirs.
Resolves: rhbz#1408819
- Allow tomcat to connect on http_cache_port_t
Resolves: rhbz#1432083
- Allow geoclue to send msgs to syslog.
Resolves: rhbz#1434286
- Allow condor_master_t domain capability chown.
Resolves: rhbz#1277506
- Update mta_filetrans_named_content() interface to allow calling domain create files labeled as etc_aliases_t in dir labeled as etc_mail_t.
Resolves: rhbz#1167468
- Allow nova domain search for httpd configuration.
Resolves: rhbz#1190761
- Add sys_module capability for drbd
Resolves: rhbz#1134883
- Allow user_u users stream connect to dirsrv, Allow sysadm_u and staff_u users to manage dirsrv files
Resolves: rhbz#1286474
- Allow systemd_networkd_t communicate with systemd_networkd_t via dbus
Resolves: rhbz#1278010
* Wed Mar 22 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-132
- Add haproxy_t domain fowner capability
Resolves: rhbz#1386233
- Allow domain transition from ntpd_t to hwclock_t domains
Resolves: rhbz#1375624
- Allow cockpit_session_t setrlimit and sys_resource
Resolves: rhbz#1402316
- Dontaudit svirt_t read state of libvirtd domain
Resolves: rhbz#1426106
- Update httpd and gssproxy modules to reflects latest changes in freeipa
Resolves: rhbz#1432115
- Allow iptables read modules_conf_t
Resolves: rhbz#1367520
* Wed Mar 22 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-131
- Remove tomcat_t domain from unconfined domains
Resolves: rhbz#1432083
- Create new boolean: sanlock_enable_home_dirs()
Resolves: rhbz#1432783
- Allow mdadm_t domain to read/write nvme_device_t
Resolves: rhbz#1431617
- Remove httpd_user_*_content_t domains from user_home_type attribute. This tighten httpd policy and acces to user data will be more strinct, and also fix mutual influente between httpd_enable_homedirs and httpd_read_user_content
Resolves: rhbz#1383621
- Dontaudit domain to create any file in /proc. This is kernel bug.
Resolves: rhbz#1412679
- Add interface dev_rw_nvme
Resolves: rhbz#1431617
* Thu Mar 16 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-130
- Allow gssproxy to get attributes on all filesystem object types.
Resolves: rhbz#1430295
- Allow ganesha to chat with unconfined domains via dbus
Resolves: rhbz#1426554
- add the policy required for nextcloud
Resolves: rhbz#1425530
- Add nmbd_t capability2 block_suspend
Resolves: rhbz#1425357
- Label /var/run/chrony as chronyd_var_run_t
Resolves: rhbz#1416015
- Add domain transition from sosreport_t to iptables_t
Resolves: rhbz#1359789
- Fix path to /usr/lib64/erlang/erts-5.10.4/bin/epmd
Resolves: rhbz:#1332803
* Tue Mar 14 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-129
- Update rpm macros
Resolves: rhbz#1380854
* Mon Mar 13 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-128
- Add handling booleans via selinux-policy macros in custom policy spec files.
Resolves: rhbz#1380854
* Thu Mar 09 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-127
- Allow openvswitch to load kernel modules
Resolves: rhbz#1405479
* Thu Mar 09 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-126
- Allow openvswitch read script state.
Resolves: rhbz#1405479
* Tue Mar 07 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-125
- Update ganesha policy
Resolves: rhbz#1426554
Resolves: rhbz#1383784
- Allow chronyd to read adjtime
Resolves: rhbz#1416015
- Fixes for chrony version 2.2
Resolves: rhbz#1416015
- Add interface virt_rw_stream_sockets_svirt()
Resolves: rhbz#1415841
- Label /dev/ss0 as gpfs_device_t
Resolves: rhbz#1383784
- Allow staff to rw svirt unix stream sockets.
Resolves: rhbz#1415841
- Label /rhev/data-center/mnt as mnt_t
Resolves: rhbz#1408275
- Associate sysctl_rpc_t with proc filesystems
Resolves: rhbz#1350927
- Add new boolean: domain_can_write_kmsg
Resolves: rhbz#1415715
* Thu Mar 02 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-124
- Allow rhsmcertd_t dbus chat with system_cronjob_t
Resolves: rhbz#1405341
- Allow openvswitch exec hostname and readinitrc_t files
Resolves: rhbz#1405479
- Improve SELinux context for mysql_db_t objects.
Resolves: rhbz#1391521
- Allow postfix_postdrop to communicate with postfix_master via pipe.
Resolves: rhbz#1379736
- Add radius_use_jit boolean
Resolves: rhbz#1426205
- Label /var/lock/subsys/iptables as iptables_lock_t
Resolves: rhbz#1405441
- Label /usr/lib64/erlang/erts-5.10.4/bin/epmd as lib_t
Resolves: rhbz#1332803
- Allow can_load_kernmodule to load kernel modules.
Resolves: rhbz#1423427
Resolves: rhbz#1424621
* Thu Feb 23 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-123
- Allow nfsd_t domain to create sysctls_rpc_t files
Resolves: rhbz#1405304
- Allow openvswitch to create netlink generic sockets.
Resolves: rhbz#1397974
- Create kernel_create_rpc_sysctls() interface
Resolves: rhbz#1405304
* Fri Feb 17 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-122
- Allow nfsd_t domain rw sysctl_rpc_t dirs
Resolves: rhbz#1405304
- Allow cgdcbxd_t to manage cgroup files.
Resolves: rhbz#1358493
- Allow cmirrord_t domain to create netlink_connector sockets
Resolves: rhbz#1412670
- Allow fcoemon to create netlink scsitransport sockets
* Mon Feb 13 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-119
- Add interface init_stream_connectto()
Resolves:rhbz#1365947
- Allow rhsmcertd domain signull kernel.
Resolves: rhbz#1379781
- Allow kdumpgui domain to read nvme device
- Allow insmod_t to load kernel modules
Resolves: rhbz#1421598
- Add interface files_load_kernel_modules()
Resolves: rhbz#1421598
- Add SELinux support for systemd-initctl daemon
Resolves:rhbz#1365947
- Add SELinux support for systemd-bootchart
Resolves: rhbz#1365953
* Tue Feb 07 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-118
- Allow firewalld to getattr open search read modules_object_t:dir
Resolves: rhbz#1418391
- Fix label for nagios plugins in nagios file conxtext file
Resolves: rhbz#1277718
- Add sys_ptrace capability to pegasus domain
Resolves: rhbz#1381238
- Allow sssd_t domain setpgid
Resolves:rhbz#1416780
- After the latest changes in nfsd. We should allow nfsd_t to read raw fixed disk.
Resolves: rhbz#1350927
- Allow kdumpgui domain to read nvme device
Resolves: rhbz#1415084
- su using libselinux and creating netlink_selinux socket is needed to allow libselinux initialization.
Resolves: rhbz#1146987
- Add user namespace capability object classes.
Resolves: rhbz#1368057
- Add module_load permission to class system
Resolves:rhbz#1368057
- Add the validate_trans access vector to the security class
Resolves: rhbz#1368057
- Add "binder" security class and access vectors
Resolves: rhbz#1368057
- Allow ifconfig_t domain read nsfs_t
Resolves: rhbz#1349814
- Allow ping_t domain to load kernel modules.
Resolves: rhbz#1388363
* Mon Jan 09 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-117
- Allow systemd container to read/write usermodehelperstate
Resolves: rhbz#1403254
- Label udp ports in range 24007-24027 as gluster_port_t
Resolves: rhbz#1404152
* Tue Dec 20 2016 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-116
- Allow glusterd_t to bind on glusterd_port_t udp ports.
Resolves: rhbz#1404152
- Revert: Allow glusterd_t to bind on med_tlp port.
* Mon Dec 19 2016 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-115
- Allow glusterd_t to bind on med_tlp port.
Resolves: rhbz#1404152
- Update ctdbd_t policy to reflect all changes.
Resolves: rhbz#1402451
- Label tcp port 24009 as med_tlp_port_t
Resolves: rhbz#1404152
- Issue appears during update directly from RHEL-7.0 to RHEL-7.3 or above. Modules pkcsslotd and vbetools missing in selinux-policy package for RHEL-7.3 which causing warnings during SELinux policy store migration process. Following patch fixes issue by skipping pkcsslotd and vbetools modules migration.
* Thu Dec 15 2016 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-114
- Allow ctdbd_t domain transition to rpcd_t
Resolves:rhbz#1402451
* Thu Dec 15 2016 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-113
- Fixes for containers Allow containers to attempt to write to unix_sysctls. Allow cotainers to use the FD's leaked to them from parent processes.
Resolves: rhbz#1403254
* Tue Dec 13 2016 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-112
- Allow glusterd_t send signals to userdomain. Label new glusterd binaries as glusterd_exec_t
Resolves: rhbz#1404152
- Allow systemd to stop glusterd_t domains.
Resolves: rhbz#1400493
* Fri Dec 09 2016 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-111
- Make working CTDB:NFS: CTDB failover from selinux-policy POV
Resolves: rhbz#1402451
* Fri Dec 02 2016 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-110
- Add kdump_t domain sys_admin capability
Resolves: rhbz#1375963
* Thu Dec 01 2016 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-109
- Allow puppetagent_t to access timedated dbus. Use the systemd_dbus_chat_timedated interface to allow puppetagent_t the access.
Resolves: rhbz#1399250
* Mon Nov 14 2016 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-108
- Update systemd on RHEL-7.2 box to version from RHEL-7.3 and then as a separate yum command update the selinux policy systemd will start generating USER_AVC denials and will start returning "Access Denied" errors to DBus clients
Resolves: rhbz#1393505
* Wed Nov 09 2016 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-107
- Allow cluster_t communicate to fprintd_t via dbus
Resolves: rhbz#1349798
* Tue Nov 08 2016 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-106
- Fix error message during update from RHEL-7.2 to RHEL-7.3, when /usr/sbin/semanage command is not installed and selinux-policy-migrate-local-changes.sh script is executed in %post install phase of selinux-policy package
Resolves: rhbz#1392010
* Tue Oct 18 2016 Miroslav Grepl <mgrepl@redhat.com> - 3.13.1-105
- Allow GlusterFS with RDMA transport to be started correctly. It requires ipc_lock capability together with rw permission on rdma_cm device.
Resolves: rhbz#1384488
- Allow glusterd to get attributes on /sys/kernel/config directory.
Resolves: rhbz#1384483
* Mon Oct 10 2016 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-104
- Use selinux-policy-migrate-local-changes.sh instead of migrateStore* macros
- Add selinux-policy-migrate-local-changes service
- Add virt_stub_* interfaces for docker policy which is no longer a part of our base policy.
Resolves: rhbz#1372705
- Allow guest-set-user-passwd to set users password.
Resolves: rhbz#1369693
- Allow samdbox domains to use msg class
Resolves: rhbz#1372677
- Allow domains using kerberos to read also kerberos config dirs
Resolves: rhbz#1368492
- Allow svirt_sandbox_domains to r/w onload sockets
Resolves: rhbz#1342930
- Add interface fs_manage_oracleasm()
Resolves: rhbz#1331383
- Label /dev/kfd as hsa_device_t
Resolves: rhbz#1373488
- Update seutil_manage_file_contexts() interface that caller domain can also manage file_context_t dirs
Resolves: rhbz#1368097
- Add interface to write to nsfs inodes
Resolves: rhbz#1372705
- Allow systemd services to use PrivateNetwork feature
Resolves: rhbz#1372705
- Add a type and genfscon for nsfs.
Resolves: rhbz#1372705
- Allow run sulogin_t in range mls_systemlow-mls_systemhigh.
Resolves: rhbz#1290400
* Wed Aug 31 2016 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-96
- Allow arpwatch to create netlink netfilter sockets. Resolves: rhbz#1358261
- Fix file context for /etc/pki/pki-tomcat/ca/
- new interface oddjob_mkhomedir_entrypoint()
- Move label for /var/lib/docker/vfs/ to proper SELinux module
- Allow mdadm to get attributes from all devices.
- Label /etc/puppetlabs as puppet_etc_t.
- Allow systemd-machined to communicate to lxc container using dbus
- Allow systemd_resolved to send dbus msgs to userdomains Resolves: rhbz#1236579
- Allow systemd-resolved to read network sysctls Resolves: rhbz#1236579
- Allow systemd_resolved to connect on system bus. Resolves: rhbz#1236579
- Make entrypoint oddjob_mkhomedir_exec_t for unconfined_t
- Label all files in /dev/oracleasmfs/ as oracleasmfs_t Resolves: rhbz#1331383
* Tue Aug 23 2016 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-95
- Label /etc/pki/pki-tomcat/ca/ as pki_tomcat_cert_t
Resolves:rhbz#1366915
- Allow certmonger to manage all systemd unit files
Resolves:rhbz#1366915
- Grant certmonger "chown" capability
Resolves:rhbz#1366915
- Allow ipa_helper_t stream connect to dirsrv_t domain
Resolves: rhbz#1368418
- Update oracleasm SELinux module
Resolves: rhbz#1331383
- label /var/lib/kubelet as svirt_sandbox_file_t
Resolves: rhbz#1369159
- Add few interfaces to cloudform.if file
Resolves: rhbz#1367834
- Label /var/run/corosync-qnetd and /var/run/corosync-qdevice as cluster_var_run_t. Note: corosync policy is now par of rhcs module
Resolves: rhbz#1347514
- Allow krb5kdc_t to read krb4kdc_conf_t dirs.
Resolves: rhbz#1368492
- Update networkmanager_filetrans_named_content() interface to allow source domain to create also temad dir in /var/run.
Resolves: rhbz#1365653
- Allow teamd running as NetworkManager_t to access netlink_generic_socket to allow multiple network interfaces to be teamed together.
Resolves: rhbz#1365653
- Label /dev/oracleasmfs as oracleasmfs_t. Add few interfaces related to oracleasmfs_t type
Resolves: rhbz#1331383
- A new version of cloud-init that supports the effort to provision RHEL Atomic on Microsoft Azure requires some a new rules that allows dhclient/dhclient hooks to call cloud-init.
Resolves: rhbz#1367834
- Allow iptables to creating netlink generic sockets.
Resolves: rhbz#1364359
* Wed Aug 17 2016 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-94
- Allow ipmievd domain to create lock files in /var/lock/subsys/
Resolves:rhbz#1349058
- Update policy for ipmievd daemon.
Resolves:rhbz#1349058
- Dontaudit hyperkvp to getattr on non security files.
Resolves: rhbz#1349356
- Label /run/corosync-qdevice and /run/corosync-qnetd as corosync_var_run_t
Resolves: rhbz#1347514
- Fixed lsm SELinux module
- Add sys_admin capability to sbd domain
Resolves: rhbz#1322725
- Allow vdagent to comunnicate with systemd-logind via dbus
Resolves: rhbz#1366731
- Allow lsmd_plugin_t domain to create fixed_disk device.
Resolves: rhbz#1238066
- Allow opendnssec domain to create and manage own tmp dirs/files
Resolves: rhbz#1366649
- Allow opendnssec domain to read system state
Resolves: rhbz#1366649
- Update opendnssec_manage_config() interface to allow caller domain also manage opendnssec_conf_t dirs
Resolves: rhbz#1366649
- Allow rasdaemon to mount/unmount tracefs filesystem.
Resolves: rhbz#1364380
- Label /usr/libexec/iptables/iptables.init as iptables_exec_t Allow iptables creating lock file in /var/lock/subsys/
Resolves: rhbz#1367520
- Modify interface den_read_nvme() to allow also read nvme_device_t block files.
Resolves: rhbz#1362564
- Label /var/run/storaged as lvm_var_run_t.
Resolves: rhbz#1264390
- Allow unconfineduser to run ipa_helper_t.
Resolves: rhbz#1361636
* Wed Aug 10 2016 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-93
- Dontaudit mock to write to generic certs.
Resolves: rhbz#1271209
- Add labeling for corosync-qdevice and corosync-qnetd daemons, to run as cluster_t
Resolves: rhbz#1347514
- Revert "Label corosync-qnetd and corosync-qdevice as corosync_t domain"
- Allow modemmanager to write to systemd inhibit pipes
Resolves: rhbz#1365214
- Label corosync-qnetd and corosync-qdevice as corosync_t domain
Resolves: rhbz#1347514
- Allow ipa_helper to read network state
Resolves: rhbz#1361636
- Label oddjob_reqiest as oddjob_exec_t
Resolves: rhbz#1361636
- Add interface oddjob_run()
Resolves: rhbz#1361636
- Allow modemmanager chat with systemd_logind via dbus
Resolves: rhbz#1362273
- Allow NetworkManager chat with puppetagent via dbus
Resolves: rhbz#1363989
- Allow NetworkManager chat with kdumpctl via dbus
Resolves: rhbz#1363977
- Allow sbd send msgs to syslog Allow sbd create dgram sockets. Allow sbd to communicate with kernel via dgram socket Allow sbd r/w kernel sysctls.
Resolves: rhbz#1322725
- Allow ipmievd_t domain to re-create ipmi devices Label /usr/libexec/openipmi-helper as ipmievd_exec_t
Resolves: rhbz#1349058
- Allow rasdaemon to use tracefs filesystem.
Resolves: rhbz#1364380
- Fix typo bug in dirsrv policy
- Some logrotate scripts run su and then su runs unix_chkpwd. Allow logrotate_t domain to check passwd.
Resolves: rhbz#1283134
- Add ipc_lock capability to sssd domain. Allow sssd connect to http_cache_t
Resolves: rhbz#1362688
- Allow dirsrv to read dirsrv_share_t content
Resolves: rhbz#1363662
- Allow virtlogd_t to append svirt_image_t files.
Resolves: rhbz#1358140
- Allow hypervkvp domain to read hugetlbfs dir/files.
Resolves: rhbz#1349356
- Allow mdadm daemon to read nvme_device_t blk files
Resolves: rhbz#1362564
- Allow selinuxusers and unconfineduser to run oddjob_request
Resolves: rhbz#1361636
- Allow sshd server to acces to Crypto Express 4 (CEX4) devices.
Resolves: rhbz#1362539
- Fix labeling issue in init.fc file. Path /usr/lib/systemd/fedora-* changed to /usr/lib/systemd/rhel-*.
Resolves: rhbz#1363769
- Fix typo in device interfaces
Resolves: rhbz#1349058
- Add interfaces for managing ipmi devices
Resolves: rhbz#1349058
- Add interfaces to allow mounting/umounting tracefs filesystem
- Allow ftpd_t to mamange userhome data without any boolean.
Resolves: rhbz#1097775
- Add logrotate permissions for creating netlink selinux sockets.
Resolves: rhbz#1283134
- Allow lsmd_plugin_t to exec ldconfig.
Resolves: rhbz#1238066
- Allow vnstatd domain to read /sys/class/net/ files
Resolves: rhbz#1358243
- Remove duplicate allow rules in spamassassin SELinux module
Resolves:rhbz#1358175
- Allow spamc_t and spamd_t domains create .spamassassin file in user homedirs
Resolves:rhbz#1358175
- Allow sshd setcap capability. This is needed due to latest changes in sshd
Resolves: rhbz#1357857
- Add new MLS attribute to allow relabeling objects higher than system low. This exception is needed for package managers when processing sensitive data.
Resolves: rhbz#1330464
- Allow gnome-keyring also manage user_tmp_t sockets.
Resolves: rhbz#1257057
- corecmd: Remove fcontext for /etc/sysconfig/libvirtd
- systemd-logind remove all IPC objects owned by a user on a logout. This covers also SysV memory. This change allows to destroy unpriviledged user SysV shared memory segments.
Resolves: rhbz#1306403
* Mon May 16 2016 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-72
- We need to restore contexts on /etc/passwd*,/etc/group*,/etc/*shadow* during install phase to get proper labeling for these files until selinux-policy pkgs are installed.
Resolves: rhbz#1333952
* Tue May 10 2016 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-71
- Dontaudit Occasionally observing AVC's while running geo-rep automation
Resolves: rhbz#1295680
- Allow glusterd to manage socket files labeled as glusterd_brick_t.
Resolves: rhbz#1331561
- Create new apache content template for files stored in user homedir. This change is needed to make working booleans: - httpd_enable_homedirs - httpd_read_user_content
Resolves: rhbz#1246522
- Allow stunnel create log files.
Resolves: rhbz#1296851
- Label tcp port 8181 as intermapper_port_t.
Resolves: rhbz#1334783
- Label tcp/udp port 2024 as xinuexpansion4_port_t
Resolves: rhbz#1334783
- Label tcp port 7002 as afs_pt_port_t Label tcp/udp port 2023 as xinuexpansion3_port_t
Resolves: rhbz#1334783
- Dontaudit ldconfig read gluster lib files.
Resolves: rhbz#1295680
- Add interface auth_use_nsswitch() to systemd_domain_template.
Resolves: rhbz#1236579
* Tue May 03 2016 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-70
- Label /usr/bin/ganesha.nfsd as glusterd_exec_t to run ganesha as glusterd_t. Allow glusterd_t stream connect to rpbind_t. Allow cluster_t to create symlink /var/lib/nfs labeled as var_lib_nfs_t. Add interface rpc_filetrans_var_lib_nfs_content() Add new boolean: rpcd_use_fusefs to allow rpcd daemon use fusefs.
Resolves: rhbz#1312809
Resolves: rhbz#1323947
- Allow dbus chat between httpd_t and oddjob_t. Resolves: rhbz#1324144
- Label /usr/libexec/ipa/oddjob/org.freeipa.server.conncheck as ipa_helper_exec_t.
Resolves: rhbz#1324144
- Label /var/log/ipareplica-conncheck.log file as ipa_log_t Allow ipa_helper_t domain to manage logs labeledas ipa_log_t Allow ipa_helper_t to connect on http and kerberos_passwd ports.
Resolves: rhbz#1324144
- Allow prosody to listen on port 5000 for mod_proxy65.
Resolves: rhbz#1316918
- Allow pcp_pmcd_t domain to manage docker lib files. This rule is needed to allow pcp to collect container information when SELinux is enabled.
- Allow runnig php7 in fpm mode. From selinux-policy side, we need to allow httpd to read/write hugetlbfs.
Resolves: rhbz#1319442
- Allow openvswitch daemons to run under openvswitch Linux user instead of root. This change needs allow set capabilities: chwon, setgid, setuid, setpcap.
Resolves: rhbz#1296640
- Remove ftpd_home_dir() boolean from distro policy. Reason is that we cannot make this working due to m4 macro language limits.
Resolves: rhbz#1097775
- /bin/mailx is labeled sendmail_exec_t, and enters the sendmail_t domain on execution. If /usr/sbin/sendmail does not have its own domain to transition to, and is not one of several products whose behavior is allowed by the sendmail_t policy, execution will fail. In this case we need to label /bin/mailx as bin_t.
Resolves: rhbz#1262483
- Allow nsd daemon to create log file in /var/log as nsd_log_t
Resolves: rhbz#1293140
- Sanlock policy update. - New sub-domain for sanlk-reset daemon
Resolves: rhbz#1212324
- Label all run tgtd files, not just socket files
Resolves: rhbz#1280280
- Label all run tgtd files, not just socket files.
Resolves: rhbz#1280280
- Allow prosody to stream connect to sasl. This will allow using cyrus authentication in prosody.
Resolves: rhbz#1321049
- unbound wants to use ephemeral ports as a default configuration. Allow to use also udp sockets.
Resolves: rhbz#1318224
- Allow prosody to listen on port 5000 for mod_proxy65.
Resolves: rhbz#1316918
- Allow targetd to read/write to /dev/mapper/control device.
Resolves: rhbz#1063714
- Allow KDM to get status about power services. This change allow kdm to be able do shutdown.
- Allow systemd_resolved_t to read /etc/passwd file. Allow systemd_resolved_t to write to kmsg_device_t when 'systemd.log_target=kmsg' option is used
Resolves: rhbz#1065362
- Label /etc/selinux/(minimum|mls|targeted)/active/ as semanage_store_t
Resolves: rhbz#1321943
- Label all nvidia binaries as xserver_exec_t
Resolves: rhbz#1322283
* Wed Mar 23 2016 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-68
- Create new permissivedomains CIL module and make it active.
Resolves: rhbz#1320451
- Add support for new mock location - /usr/libexec/mock/mock.
Resolves: rhbz#1271209
- Allow bitlee to create bitlee_var_t dirs.
Resolves: rhbz#1268651
- Allow CIM provider to read sssd public files.
Resolves: rhbz#1263339
- Fix some broken interfaces in distro policy.
Resolves: rhbz#1121171
- Allow power button to shutdown the laptop.
Resolves: rhbz#995898
- Allow lsm plugins to create named fixed disks.
Resolves: rhbz#1238066
- Add default labeling for /etc/Pegasus/cimserver_current.conf. It is a correct patch instead of the current /etc/Pegasus/pegasus_current.confResolves: rhbz#1278777
- Allow hyperv domains to rw hyperv devices.
Resolves: rhbz#1309361
- Label /var/www/html(/.*)?/wp_backups(/.*)? as httpd_sys_rw_content_t.Resolves: rhbz#1246780
- Create conman_unconfined_script_t type for conman script stored in /use/share/conman/exec/
Resolves: rhbz#1297323
- Fix rule definitions for httpd_can_sendmail boolean. We need to distinguish between base and contrib.
- Add support for /dev/mptctl device used to check RAID status.
Resolves: rhbz#1258029
- Create hyperv* devices and create rw interfaces for this devices.
Resolves: rhbz#1309361
- Add fixes for selinux userspace moving the policy store to /var/lib/selinux.
- Remove optional else block for dhcp ping
* Thu Mar 17 2016 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-67
- Allow rsync_export_all_ro boolean to read also non_auth_dirs/files/symlinks.
Resolves: rhbz#1263770
- Fix context of "/usr/share/nginx/html".
Resolves: rhbz#1261857
- Allow pmdaapache labeled as pcp_pmcd_t access to port 80 for apache diagnostics
Resolves: rhbz#1270344
- Allow pmlogger to create pmlogger.primary.socket link file.
Resolves: rhbz#1270344
- Label nagios scripts as httpd_sys_script_exec_t.
Resolves: rhbz#1260306
- Add dontaudit interface for kdumpctl_tmp_t
Resolves: rhbz#1156442
- Allow mdadm read files in EFI partition.
Resolves: rhbz#1291801
- Allow nsd_t to bind on nsf_control tcp port. Allow nsd_crond_t to read nsd pid.
Resolves: rhbz#1293140
- Label some new nsd binaries as nsd_exec_t Allow nsd domain net_admin cap. Create label nsd_tmp_t for nsd tmp files/dirs
Resolves: rhbz#1293140
- Add filename transition that /etc/princap will be created with cupsd_rw_etc_t label in cups_filetrans_named_content() interface.
Resolves: rhbz#1265102
- Add missing labeling for /usr/libexec/abrt-hook-ccpp.
Resolves: rhbz#1213409
- Allow pcp_pmie and pcp_pmlogger to read all domains state.
Resolves: rhbz#1206525
- Label /etc/redis-sentinel.conf as redis_conf_t. Allow redis_t write to redis_conf_t. Allow redis_t to connect on redis tcp port.
Resolves: rhbz#1275246
- cockpit has grown content in /var/run directory
Resolves: rhbz#1279429
- Allow collectd setgid capability
Resolves:#1310898
- Remove declaration of empty booleans in virt policy.
Resolves: rhbz#1103153
- Fix typo in drbd policy
- Add new drbd file type: drbd_var_run_t. Allow drbd_t to manage drbd_var_run_t files/dirs. Allow drbd_t create drbd_tmp_t files in /tmp.
Resolves: rhbz#1134883
- Label /etc/ctdb/events.d/* as ctdb_exec_t. Allow ctdbd_t to setattr on ctdbd_exec_t files.
Resolves: rhbz#1293788
- Allow abrt-hook-ccpp to get attributes of all processes because of core_pattern.
Resolves: rhbz#1254188
- Allow abrt_t to read sysctl_net_t files.
Resolves: rhbz#1254188
- The ABRT coredump handler has code to emulate default core file creation The handler runs in a separate process with abrt_dump_oops_t SELinux process type. abrt-hook-ccpp also saves the core dump file in the very same way as kernel does and a user can specify CWD location for a coredump. abrt-hook-ccpp has been made as a SELinux aware apps to create this coredumps with correct labeling and with this commit the policy rules have been updated to allow access all non security files on a system.
- Allow abrt-hook-ccpp to getattr on all executables.
- Allow setuid/setgid capabilities for abrt-hook-ccpp.
Resolves: rhbz#1254188
- abrt-hook-ccpp needs to have setfscreate access because it is SELinux aware and compute a target labeling.
Resolves: rhbz#1254188
- Allow abrt-hook-ccpp to change SELinux user identity for created objects.
Resolves: rhbz#1254188
- Dontaudit write access to inherited kdumpctl tmp files.
Resolves: rbhz#1156442
- Add interface to allow reading files in efivarfs - contains Linux Kernel configuration options for UEFI systems (UEFI Runtime Variables)
Resolves: rhbz#1291801
- Label 8952 tcp port as nsd_control.
Resolves: rhbz#1293140
- Allow ipsec to use pam.
Resolves: rhbz#1315700
- Allow to log out to gdm after screen was resized in session via vdagent.
Resolves: rhbz#1249020
- Allow setrans daemon to read /proc/meminfo.
Resolves: rhbz#1316804
- Allow systemd_networkd_t to write kmsg, when kernel was started with following params: systemd.debug systemd.log_level=debug systemd.log_target=kmsg
Resolves: rhbz#1298151
- Label tcp port 5355 as llmnr-> Link-Local Multicast Name Resolution
Resolves: rhbz#1236579
- Add new selinux policy for systemd-resolved dawmon.
- Allow run sshd-keygen on second boot if first boot fails after some reason and content is not syncedon the disk. These changes are reflecting this commit in sshd. http://pkgs.fedoraproject.org/cgit/rpms/openssh.git/commit/?id=af94f46861844cbd6ba4162115039bebcc8f78ba rhbz#1299106
Resolves: rhbz#1306197
- Allow systemd_notify_t to write to kmsg_device_t when 'systemd.log_target=kmsg' option is used.
Resolves: rhbz#1309417
- Remove bin_t label for /etc/ctdb/events.d/. We need to label this scripts as ctdb_exec_t.
Resolves: rhbz#1293788
* Thu Mar 17 2016 Petr Lautrbach <plautrba@redhat.com> - 3.13.1-66
- Prepare selinux-policy package for userspace release 2016-02-23. Resolves: rhbz#1305982
* Tue Mar 08 2016 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-65
- Allow sending dbus msgs between firewalld and system_cronjob domains. Resolves: rhbz#1284902
- Allow zabbix-agentd to connect to following tcp sockets. One of zabbix-agentd functions is get service status of ftp,http,innd,pop,smtp protocols.
Resolves: rhbz#1242506
- Add new boolean tmpreaper_use_cifs() to allow tmpreaper to run on local directories being shared with Samba.
Resolves: rhbz#1284972
- Add support for systemd-hwdb daemon.
Resolves: rhbz#1257940
- Add interface fs_setattr_cifs_dirs().
Resolves: rhbz#1284972
* Mon Feb 29 2016 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-64
- Add new SELinux policy fo targetd daemon.
Resolves: rhbz#1063714
- Add new SELinux policy fo ipmievd daemon.
Resolves: rhbz#1083031
- Add new SELinux policy fo hsqldb daemon.
Resolves: rhbz#1083171
- Add new SELinux policy for blkmapd daemon.
Resolves: rhbz#1072997
- Allow p11-child to connect to apache ports.
- Label /usr/sbin/lvmlockd binary file as lvm_exec_t.
Resolves: rhbz#1278028
- Add interface "lvm_manage_lock" to lvm policy.
Resolves: rhbz#1063714
* Wed Jan 27 2016 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-63
- Allow openvswitch domain capability sys_rawio.
Resolves: rhbz#1278495
* Tue Jan 26 2016 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-62
- Allow openvswitch to manage hugetlfs files and dirs.
Resolves: rhbz#1278495
- Add fs_manage_hugetlbfs_files() interface.
Resolves: rhbz#1278495
* Tue Jan 12 2016 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-61
- Allow smbcontrol domain to send sigchld to ctdbd domain.
* Wed Oct 14 2015 Miroslav Grepl <mgrepl@redhat.com> 3.13.1-60
Allow hypervvssd to list all mountpoints to have VSS live backup working correctly.
Resolves:#1247880
* Tue Oct 13 2015 Miroslav Grepl <mgrepl@redhat.com> 3.13.1-59
- Revert Add missing labeling for /usr/libexec/abrt-hook-ccpp patch
Resolves: #1254188
* Thu Oct 8 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-58
- Allow search dirs in sysfs types in kernel_read_security_state.
Resolves: #1254188
- Fix kernel_read_security_state interface that source domain of this interface can search sysctl_fs_t dirs.
Resolves: #1254188
* Wed Oct 7 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-57
- Add missing labeling for /usr/libexec/abrt-hook-ccpp as a part of #1245477 and #1242467 bugs
Resolves: #1254188
- We need allow connect to xserver for all sandbox_x domain because we have one type for all sandbox processes.
Resolves:#1261938
* Fri Oct 2 2015 Miroslav Grepl <mgrepl@redhat.com> 3.13.1-56
- Remove labeling for modules_dep_t file contexts to have labeled them as modules_object_t.
- Update files_read_kernel_modules() to contain modutils_read_module_deps_files() calling because module deps labeling could remain and it allows to avoid regressions.
- Allow dirsrv-admin script to read passwd file. Allow dirsrv-admin script to read httpd pid files. Label dirsrv-admin unit file and allow dirsrv-admin domains to use it.
Resolves: #1230300
- Allow qpid daemon to connect on amqp tcp port.
Resolves: #1261805
* Fri Sep 18 2015 Miroslav Grepl <mgrepl@redhat.com> 3.13.1-51
- Label /etc/ipa/nssdb dir as cert_t
Resolves:#1262718
- Do not provide docker policy files which is shipped by docker-selinux.rpm
- Label /var/run/chrony-helper dir as chronyd_var_run_t. Resolves: #1243764
- Allow dhcpc_t domain transition to chronyd_t Resolves: #1243764
* Fri Aug 21 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-45
- Fix postfix_spool_maildrop_t,postfix_spool_flush_t contexts in postfix.fc file.
Resolves: #1252442
* Wed Aug 19 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-44
- Allow exec pidof under hypervkvp domain.
Resolves: #1254870
- Allow hypervkvp daemon create connection to the system DBUS
Resolves: #1254870
* Wed Aug 19 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-43
- Allow openhpid_t to read system state.
Resolves: #1244248
- Added labels for files provided by rh-nginx18 collection
Resolves: #1249945
- Dontaudit block_suspend capability for ipa_helper_t, this is kernel bug. Allow ipa_helper_t capability net_admin. Allow ipa_helper_t to list /tmp. Allow ipa_helper_t to read rpm db.
Resolves: #1252968
- Allow rhsmcertd exec rhsmcertd_var_run_t files and rhsmcerd_tmp_t files. This rules are in hide_broken_sympthons until we find better solution.
Resolves: #1243431
- Allow abrt_dump_oops_t to read proc_security_t files.
- Allow abrt_dump_oops to signull all domains Allow abrt_dump_oops to read all domains state Allow abrt_dump_oops to ptrace all domains
- Add interface abrt_dump_oops_domtrans()
- Add mountpoint dontaudit access check in rhsmcertd policy.
Resolves: #1243431
- Allow samba_net_t to manage samba_var_t sock files.
Resolves: #1252937
- Allow chrome setcap to itself.
Resolves: #1251996
- Allow httpd daemon to manage httpd_var_lib_t lnk_files.
- Allow openhpid liboa_soap plugin to read generic certs.
Resolves: #1244248
- Allow openhpid liboa_soap plugin to read resolv.conf file.
Resolves: #1244248
- Label /usr/libexec/chrony-helper as chronyd_exec_t
- Allow chronyd_t to read dhcpc state.
- Allow chronyd to execute mkdir command.
* Fri Aug 07 2015 Miroslav Grepl <mgrepl@redhat.com> 3.13.1-39
- Allow mdadm to access /dev/random and add support to create own files/dirs as mdadm_tmpfs_t.
Resolves:#1073314
- Allow udev, lvm and fsadm to access systemd-cat in /var/tmp/dracut if 'dracut -fv' is executed in MLS.
- Allow admin SELinu users to communicate with kernel_t. It is needed to access /run/systemd/journal/stdout if 'dracut -vf' is executed. We allow it for other SELinux users.
- Allow sysadm to execute systemd-sysctl in the sysadm_t domain. It is needed for ifup command in MLS mode.
- Add fstools_filetrans_named_content_fsadm() and call it for named_filetrans_domain domains. We need to be sure that /run/blkid is created with correct labeling.
Resolves:#1183503
- Add support for /etc/sanlock which is writable by sanlock daemon.
Resolves:#1231377
- Allow useradd add homedir located in /var/lib/kdcproxy in ipa-server RPM scriplet.
Resolves:#1243775
- Allow snapperd to pass data (one way only) via pipe negotiated over dbus
Resolves:#1250550
- Allow lsmd also setuid capability. Some commands need to executed under root privs. Other commands are executed under unprivileged user.
* Wed Aug 05 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-38
- Allow openhpid to use libsnmp_bc plugin (allow read snmp lib files).
Resolves: #1243902
- Allow lsm_plugin_t to read sysfs, read hwdata, rw to scsi_generic_device
Resolves: #1238079
- Allow lsm_plugin_t to rw raw_fixed_disk.
Resolves:#1238079
- Allow rhsmcertd to send signull to unconfined_service.
* Thu Aug 03 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-37
- Allow httpd_suexec_t to read and write Apache stream sockets
Resolves: #1243569
- Allow qpid to create lnk_files in qpid_var_lib_t
- gnome_dontaudit_search_config() needs to be a part of optinal_policy in pegasus.te
- Allow pcp_pmcd daemon to read postfix config files.
- Allow pcp_pmcd daemon to search postfix spool dirs.
Resolves: #1213740
- Added Booleans: pcp_read_generic_logs.
Resolves: #1213740
- Allow drbd to read configuration options used when loading modules.
Resolves: #1134883
- Allow glusterd to manage nfsd and rpcd services.
- Allow glusterd to communicate with cluster domains over stream socket.
- glusterd call pcs utility which calls find for cib.* files and runs pstree under glusterd. Dontaudit access to security files and update gluster boolean to reflect these changes.
- Update mta_filetrans_named_content() interface to cover more db files.
Resolves:#1167468
- Add back ftpd_use_passive_mode boolean with fixed description.
- Allow pmcd daemon stream connect to mysqld.
- Allow pcp domains to connect to own process using unix_stream_socket.
Resolves:#1213709
- Allow abrt-upload-watch service to dbus chat with ABRT daemon and fsetid capability to allow run reporter-upload correctly.
- Add new boolean - httpd_run_ipa to allow httpd process to run IPA helper and dbus chat with oddjob.
- Add support for oddjob based helper in FreeIPA.
- Allow dnssec_trigger_t create dnssec_trigger_tmp_t files in /var/tmp/
* Thu Jul 2 2015 Miroslav Grepl <mgrepl@redhat.com> 3.13.1-30
- Allow iptables to read ctdbd lib files.
Resolves:#1224879
- Add systemd_networkd_t to nsswitch domains.
- Allow drbd_t write to fixed_disk_device. Reason: drbdmeta needs write to fixed_disk_device during initialization.
Resolves:#1130675
- Allow NetworkManager write to sysfs.
- Fix cron_system_cronjob_use_shares boolean to call fs interfaces which contain only entrypoint permission.
- Add cron_system_cronjob_use_shares boolean to allow system cronjob to be executed from shares - NFS, CIFS, FUSE. It requires "entrypoint" permissios on nfs_t, cifs_t and fusefs_t SELinux types.
- Allow NetworkManager write to sysfs.
- Allow ctdb_t sending signull to smbd_t, for checking if smbd process exists.
- Dontaudit apache to manage snmpd_var_lib_t files/dirs.
- Allow ovsdb-server to connect on xodbc-connect and ovsdb tcp ports.
- Allow iscsid write to fifo file kdumpctl_tmp_t. Appears when kdump generates the initramfs during the kernel boot.
- Dontaudit chrome to read passwd file.
- nrpe needs kill capability to make gluster moniterd nodes working.
Resolves:#1235587
* Wed Jun 17 2015 Miroslav Grepl <mgrepl@redhat.com> 3.13.1-29
- We allow can_exec() on ssh_keygen on gluster. But there is a transition defined by init_initrc_domain() because we need to allow execute unconfined services by glusterd. So ssh-keygen ends up with ssh_keygen_t and we need to allow to manage /var/lib/glusterd/geo-replication/secret.pem.
- Allow sshd to execute gnome-keyring if there is configured pam_gnome_keyring.so.
- Allow gnome-keyring executed by passwd to access /run/user/UID/keyring to change a password.
- Label gluster python hooks also as bin_t.
- Allow glusterd to interact with gluster tools running in a user domain
- Add glusterd_manage_lib_files() interface.
- ntop reads /var/lib/ntop/macPrefix.db and it needs dac_override. It has setuid/setgid.
- Allow samba_t net_admin capability to make CIFS mount working.
- S30samba-start gluster hooks wants to search audit logs. Dontaudit it.
Resolves:#1224879
* Mon Jun 15 2015 Miroslav Grepl <mgrepl@redhat.com> 3.13.1-28
- Allow glusterd to send generic signals to systemd_passwd_agent processes.
- Allow glusterd to access init scripts/units without defined policy
- Allow glusterd to run init scripts.
- Allow glusterd to execute /usr/sbin/xfs_dbin glusterd_t domain.
Resolves:#1224879
* Fri Jun 12 2015 Miroslav Grepl <mgrepl@redhat.com> 3.13.1-27
- Calling cron_system_entry() in pcp_domain_template needs to be a part of optional_policy block.
- Allow samba-net to access /var/lib/ctdbd dirs/files.
- Allow glusterd to send a signal to smbd.
- Make ctdbd as home manager to access also FUSE.
- Allow glusterd to use geo-replication gluster tool.
- Allow glusterd to execute ssh-keygen.
- Allow glusterd to interact with cluster services.
- Allow glusterd to connect to the system DBUS for service (acquire_svc).
- Label /dev/log correctly.
Resolves:#1230932
* Tue Jun 9 2015 Miroslav Grepl <mgrepl@redhat.com> 3.13.1-26
- Back port the latest F22 changes to RHEL7. It should fix most of RHEL7.2 bugs
- Add filename transition also for servicelog.db-journal
- Add files_dontaudit_access_check_root()
- Add lvm_dontaudit_access_check_lock() interface
* Thu Nov 21 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-104
- Allow watchdog to read /etc/passwd
- Allow browser plugins to connect to bumblebee
- New policy for bumblebee and freqset
- Add new policy for mip6d daemon
- Add new policy for opensm daemon
- Allow condor domains to read/write condor_master udp_socket
- Allow openshift_cron_t to append to openshift log files, label /var/log/openshift
- Add back file_pid_filetrans for /var/run/dlm_controld
- Allow smbd_t to use inherited tmpfs content
- Allow mcelog to use the /dev/cpu device
- sosreport runs rpcinfo
- sosreport runs subscription-manager
- Allow staff_t to run frequency command
- Allow systemd_tmpfiles to relabel log directories
- Allow staff_t to read xserver_log file
- Label hsperfdata_root as tmp_t
* Wed Nov 20 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-103
- More sosreport fixes to make ABRT working
* Fri Nov 15 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-102
- Fix files_dontaudit_unmount_all_mountpoints()
- Add support for 2608-2609 tcp/udp ports
- Should allow domains to lock the terminal device
- More fixes for user config files to make crond_t running in userdomain
- Add back disable/reload/enable permissions for system class
- Fix manage_service_perms macro
- We need to require passwd rootok
- Fix zebra.fc
- Fix dnsmasq_filetrans_named_content() interface
- Allow all sandbox domains create content in svirt_home_t
- Allow zebra domains also create zebra_tmp_t files in /tmp
- Add support for new zebra services:isisd,babeld. Add systemd support for zebra services.
- Fix labeling on neutron and remove transition to iconfig_t
- abrt needs to read mcelog log file
- Fix labeling on dnsmasq content
- Fix labeling on /etc/dnsmasq.d
- Allow glusterd to relabel own lib files
- Allow sandbox domains to use pam_rootok, and dontaudit attempts to unmount file systems, this is caused by a bug in systemd
- Allow ipc_lock for abrt to run journalctl
* Thu Nov 14 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-101
- Fix config.tgz
* Tue Nov 12 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-100
- Fix passenger_stream_connect interface
- setroubleshoot_fixit wants to read network state
- Allow procmail_t to connect to dovecot stream sockets
- Allow cimprovagt service providers to read network states
- Add labeling for /var/run/mariadb
- pwauth uses lastlog() to update system's lastlog
- Allow account provider to read login records
- Add support for texlive2013
- More fixes for user config files to make crond_t running in userdomain
- Add back disable/reload/enable permissions for system class
- Fix manage_service_perms macro
- Allow passwd_t to connect to gnome keyring to change password
- Update mls config files to have cronjobs in the user domains
- Remove access checks that systemd does not actually do
* Fri Nov 8 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-99
- Add support for yubikey in homedir
- Add support for upd/3052 port
- Allow apcupsd to use PowerChute Network Shutdown
- Allow lsmd to execute various lsmplugins
- Add labeling also for /etc/watchdog\.d where are watchdog scripts located too
- Update gluster_export_all_rw boolean to allow relabel all base file types
- Allow x86_energy_perf tool to modify the MSR
- Fix /var/lib/dspam/data labeling
* Wed Nov 6 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-98
- Add files_relabel_base_file_types() interface
- Allow netlabel-config to read passwd
- update gluster_export_all_rw boolean to allow relabel all base file types caused by lsetxattr()
- Allow x86_energy_perf tool to modify the MSR
- Fix /var/lib/dspam/data labeling
- Allow pegasus to domtrans to mount_t
- Add labeling for unconfined scripts in /usr/libexec/watchdog/scripts
- Add support for unconfined watchdog scripts
- Allow watchdog to manage own log files
* Wed Nov 6 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-97
- Add label only for redhat.repo instead of /etc/yum.repos.d. But probably we will need to switch for the directory.
- Label /etc/yum.repos.d as system_conf_t
- Use sysnet_filetrans_named_content in udev.te instead of generic transition for net_conf_t
- Allow dac_override for sysadm_screen_t
- Allow init_t to read ipsec_conf_t as we had it for initrc_t. Needed by ipsec unit file.
- Allow netlabel-config to read meminfo
- Add interface to allow docker to mounton file_t
- Add new interface to exec unlabeled files
- Allow lvm to use docker semaphores
- Setup transitons for .xsessions-errors.old
- Change labels of files in /var/lib/*/.ssh to transition properly
- Allow staff_t and user_t to look at logs using journalctl
- pluto wants to manage own log file
- Allow pluto running as ipsec_t to create pluto.log
- Fix alias decl in corenetwork.te.in
- Add support for fuse.glusterfs
- Allow dmidecode to read/write /run/lock/subsys/rhsmcertd
- Allow rhsmcertd to manage redhat.repo which is now labeled as system.conf. Allow rhsmcertd to manage all log files.
- Additional access for docker
- Added more rules to sblim policy
- Fix kdumpgui_run_bootloader boolean
- Allow dspam to connect to lmtp port
- Included sfcbd service into sblim policy
- rhsmcertd wants to manaage /etc/pki/consumer dir
- Add kdumpgui_run_bootloader boolean
- Add support for /var/cache/watchdog
- Remove virt_domain attribute for virt_qemu_ga_unconfined_t
- Fixes for handling libvirt containes
- Dontaudit attempts by mysql_safe to write content into /
- Dontaudit attempts by system_mail to modify network config
- Allow dspam to bind to lmtp ports
- Add new policy to allow staff_t and user_t to look at logs using journalctl
- Allow apache cgi scripts to list sysfs
- Dontaudit attempts to write/delete user_tmp_t files
- Allow all antivirus domains to manage also own log dirs
- Allow pegasus_openlmi_services_t to stream connect to sssd_t
* Fri Nov 1 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-96
- Add missing permission checks for nscd
* Wed Oct 30 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-95
- Fix alias decl in corenetwork.te.in
- Add support for fuse.glusterfs
- Add file transition rules for content created by f5link
- Rename quantum_port information to neutron
- Allow all antivirus domains to manage also own log dirs
- Rename quantum_port information to neutron
- Allow pegasus_openlmi_services_t to stream connect to sssd_t
* Mon Oct 28 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-94
- Allow sysadm_t to read login information
- Allow systemd_tmpfiles to setattr on var_log_t directories
- Udpdate Makefile to include systemd_contexts
- Add systemd_contexts
- Add fs_exec_hugetlbfs_files() interface
- Add daemons_enable_cluster_mode boolean
- Fix rsync_filetrans_named_content()
- Add rhcs_read_cluster_pid_files() interface
- Update rhcs.if with additional interfaces from RHEL6
- Fix rhcs_domain_template() to not create run dirs with cluster_var_run_t
- Allow glusterd_t to mounton glusterd_tmp_t
- Allow glusterd to unmout al filesystems
- Allow xenstored to read virt config
- Add label for swift_server.lock and make add filetrans_named_content to make sure content gets created with the correct label
- Allow mozilla_plugin_t to mmap hugepages as an executable
* Thu Oct 24 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-94
- Add back userdom_security_admin_template() interface and use it for sysadm_t if sysadm_secadm.pp
* Tue Oct 22 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-93
- Allow sshd_t to read openshift content, needs backport to RHEL6.5
- Label /usr/lib64/sasl2/libsasldb.so.3.0.0 as textrel_shlib_t
- Make sur kdump lock is created with correct label if kdumpctl is executed
- gnome interface calls should always be made within an optional_block
- Allow syslogd_t to connect to the syslog_tls port
- Add labeling for /var/run/charon.ctl socket
- Add kdump_filetrans_named_content()
- Allo setpgid for fenced_t
- Allow setpgid and r/w cluster tmpfs for fenced_t
- gnome calls should always be within optional blocks
- wicd.pid should be labeled as networkmanager_var_run_t
- Allow sys_resource for lldpad
* Thu Oct 17 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-92
- Add rtas policy
* Thu Oct 17 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-91
- Allow mailserver_domains to manage and transition to mailman data
- Dontaudit attempts by mozilla plugin to relabel content, caused by using mv and cp commands
- Allow mailserver_domains to manage and transition to mailman data
- Allow svirt_domains to read sysctl_net_t
- Allow thumb_t to use tmpfs inherited from the user
- Allow mozilla_plugin to bind to the vnc port if running with spice
- Add new attribute to discover confined_admins and assign confined admin to it
- Fix zabbix to handle attributes in interfaces
- Fix zabbix to read system states for all zabbix domains
- Fix piranha_domain_template()
- Allow ctdbd to create udp_socket. Allow ndmbd to access ctdbd var files.
- Allow lldpad sys_rouserce cap due to #986870
- Allow dovecot-auth to read nologin
- Allow openlmi-networking to read /proc/net/dev
- Allow smsd_t to execute scripts created on the fly labeled as smsd_spool_t
- Add zabbix_domain attribute for zabbix domains to treat them together
- Add labels for zabbix-poxy-* (#1018221)
- Update openlmi-storage policy to reflect #1015067
- Back port piranha tmpfs fixes from RHEL6
- Update httpd_can_sendmail boolean to allow read/write postfix spool maildrop
- Add postfix_rw_spool_maildrop_files interface
- Call new userdom_admin_user_templat() also for sysadm_secadm.pp
- Fix typo in userdom_admin_user_template()
- Allow SELinux users to create coolkeypk11sE-Gate in /var/cache/coolkey
- Add new attribute to discover confined_admins
- Fix labeling for /etc/strongswan/ipsec.d
- systemd_logind seems to pass fd to anyone who dbus communicates with it
- Dontaudit leaked write descriptor to dmesg
* Mon Oct 14 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-90
- Activate motion policy
* Mon Oct 14 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-89
- Fix gnome_read_generic_data_home_files()
- allow openshift_cgroup_t to read/write inherited openshift file types
- Remove httpd_cobbler_content * from cobbler_admin interface
- Allow svirt sandbox domains to setattr on chr_file and blk_file svirt_sandbox_file_t, so sshd will work within a container
- Allow httpd_t to read also git sys content symlinks
- Allow init_t to read gnome home data
- Dontaudit setroubleshoot_fixit_t execmem, since it does not seem to really need it.
- Allow virsh to execute systemctl
- Fix for nagios_services plugins
- add type defintion for ctdbd_var_t
- Add support for /var/ctdb. Allow ctdb block_suspend and read /etc/passwd file
- Allow net_admin/netlink_socket all hyperv_domain domains
- Add labeling for zarafa-search.log and zarafa-search.pid
- Fix hypervkvp.te
- Fix nscd_shm_use()
- Add initial policy for /usr/sbin/hypervvssd in hypervkvp policy which should be renamed to hyperv. Also add hyperv_domain attribute to treat these HyperV services.
- Add hypervkvp_unit_file_t type
- Fix logging policy
- Allow syslog to bind to tls ports
- Update labeling for /dev/cdc-wdm
- Allow to su_domain to read init states
- Allow init_t to read gnome home data
- Make sure if systemd_logind creates nologin file with the correct label
- Clean up ipsec.te
* Tue Oct 8 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-88
- Add auth_exec_chkpwd interface
- Fix port definition for ctdb ports
- Allow systemd domains to read /dev/urand
- Dontaudit attempts for mozilla_plugin to append to /dev/random
- Add label for /var/run/charon.*
- Add labeling for /usr/lib/systemd/system/lvm2.*dd policy for motion service
- Fix for nagios_services plugins
- Fix some bugs in zoneminder policy
- add type defintion for ctdbd_var_t
- Add support for /var/ctdb. Allow ctdb block_suspend and read /etc/passwd file
- Allow net_admin/netlink_socket all hyperv_domain domains
- Add labeling for zarafa-search.log and zarafa-search.pid
- glusterd binds to random unreserved ports
- Additional allow rules found by testing glusterfs
- apcupsd needs to send a message to all users on the system so needs to look them up
- Fix the label on ~/.juniper_networks
- Dontaudit attempts for mozilla_plugin to append to /dev/random
- Allow polipo_daemon to connect to flash ports
- Allow gssproxy_t to create replay caches
- Fix nscd_shm_use()
- Add initial policy for /usr/sbin/hypervvssd in hypervkvp policy which should be renamed to hyperv. Also add hyperv_domain attribute to treat these HyperV services.
- Add hypervkvp_unit_file_t type
* Fri Oct 4 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-87
- init reload from systemd_localed_t
- Allow domains that communicate with systemd_logind_sessions to use systemd_logind_t fd
- Allow systemd_localed_t to ask systemd to reload the locale.
- Add systemd_runtime_unit_file_t type for unit files that systemd creates in memory
- Allow readahead to read /dev/urand
- Fix lots of avcs about tuned
- Any file names xenstored in /var/log should be treated as xenstored_var_log_t
- Allow tuned to inderact with hugepages
- Allow condor domains to list etc rw dirs
* Fri Oct 4 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-86
- Fix nscd_shm_use()
- Add initial policy for /usr/sbin/hypervvssd in hypervkvp policy which should be renamed to hyperv. Also add hyperv_domain attribute to treat these HyperV services.
- Allow pegasus_openlmi_storage_t to create mdadm.conf and write it
- Add label/rules for /etc/mdadm.conf
- Allow pegasus_openlmi_storage_t to transition to fsadm_t
- Fixes for interface definition problems
- Dontaudit dovecot-deliver to gettatr on all fs dirs
- Allow domains to search data_home_t directories
- Allow cobblerd to connect to mysql
- Allow mdadm to r/w kdump lock files
- Add support for kdump lock files
- Label zarafa-search as zarafa-indexer
- Openshift cgroup wants to read /etc/passwd
- Add new sandbox domains for kvm
- Allow mpd to interact with pulseaudio if mpd_enable_homedirs is turned on
- Fix labeling for /usr/lib/systemd/system/lvm2.*
- Add labeling for /usr/lib/systemd/system/lvm2.*
- Fix typos to get a new build. We should not cover filename trans rules to prevent duplicate rules
- Add sshd_keygen_t policy for sshd-keygen
- Fix alsa_home_filetrans interface name and definition
- Allow chown for ssh_keygen_t
- Add fs_dontaudit_getattr_all_dirs()
- Allow init_t to manage etc_aliases_t and read xserver_var_lib_t and chrony keys
- Fix up patch to allow systemd to manage home content
- Allow domains to send/recv unlabeled traffic if unlabelednet.pp is enabled
- Allow getty to exec hostname to get info
- Add systemd_home_t for ~/.local/share/systemd directory
* Wed Oct 2 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-85
- Fix lxc labels in config.tgz
* Mon Sep 30 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-84
- Fix labeling for /usr/libexec/kde4/kcmdatetimehelper
- Allow tuned to search all file system directories
- Allow alsa_t to sys_nice, to get top performance for sound management
- Add support for MySQL/PostgreSQL for amavis
- Allow openvpn_t to manage openvpn_var_log_t files.
- Allow dirsrv_t to create tmpfs_t directories
- Allow dirsrv to create dirs in /dev/shm with dirsrv_tmpfs label
- Dontaudit leaked unix_stream_sockets into gnome keyring
- Allow telepathy domains to inhibit pipes on telepathy domains
- Allow cloud-init to domtrans to rpm
- Allow abrt daemon to manage abrt-watch tmp files
- Allow abrt-upload-watcher to search /var/spool directory
- Allow nsswitch domains to manage own process key
- Fix labeling for mgetty.* logs
- Allow systemd to dbus chat with upower
- Allow ipsec to send signull to itself
- Allow setgid cap for ipsec_t
- Match upstream labeling
* Wed Sep 25 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-83
- Do not build sanbox pkg on MLS
* Wed Sep 25 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-82
- wine_tmp is no longer needed
- Allow setroubleshoot to look at /proc
- Allow telepathy domains to dbus with systemd logind
- Fix handling of fifo files of rpm
- Allow mozilla_plugin to transition to itself
- Allow certwatch to write to cert_t directories
- New abrt application
- Allow NetworkManager to set the kernel scheduler
- Make wine_domain shared by all wine domains
- Allow mdadm_t to read images labeled svirt_image_t
- Allow amanda to read /dev/urand
- ALlow my_print_default to read /dev/urand
- Allow mdadm to write to kdumpctl fifo files
- Allow nslcd to send signull to itself
- Allow yppasswd to read /dev/urandom
- Fix zarafa_setrlimit
- Add support for /var/lib/php/wsdlcache
- Add zarafa_setrlimit boolean
- Allow fetchmail to send mails
- Add additional alias for user_tmp_t because wine_tmp_t is no longer used
- More handling of ther kernel keyring required by kerberos
- New privs needed for init_t when running without transition to initrc_t over bin_t, and without unconfined domain installed
* Thu Sep 19 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-81
- Dontaudit attempts by sosreport to read shadow_t
- Allow browser sandbox plugins to connect to cups to print
- Add new label mpd_home_t
- Label /srv/www/logs as httpd_log_t
- Add support for /var/lib/php/wsdlcache
- Add zarafa_setrlimit boolean
- Allow fetchmail to send mails
- Add labels for apache logs under miq package
- Allow irc_t to use tcp sockets
- fix labels in puppet.if
- Allow tcsd to read utmp file
- Allow openshift_cron_t to run ssh-keygen in ssh_keygen_t to access host keys
- Define svirt_socket_t as a domain_type
- Take away transition from init_t to initrc_t when executing bin_t, allow init_t to run chk_passwd_t
- Fix label on pam_krb5 helper apps
* Thu Sep 12 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-80
- Allow ldconfig to write to kdumpctl fifo files
- allow neutron to connect to amqp ports
- Allow kdump_manage_crash to list the kdump_crash_t directory
- Allow glance-api to connect to amqp port
- Allow virt_qemu_ga_t to read meminfo
- Add antivirus_home_t type for antivirus date in HOMEDIRS
- Allow mpd setcap which is needed by pulseaudio
- Allow smbcontrol to create content in /var/lib/samba
- Allow mozilla_exec_t to be used as a entrypoint to mozilla_domtrans_spec
- Add additional labeling for qemu-ga/fsfreeze-hook.d scripts
- amanda_exec_t needs to be executable file
- Allow block_suspend cap for samba-net
- Allow apps that read ipsec_mgmt_var_run_t to search ipsec_var_run_t
- Allow init_t to run crash utility
- Treat usr_t just like bin_t for transitions and executions
- Add port definition of pka_ca to port 829 for openshift
- Allow selinux_store to use symlinks
* Mon Sep 9 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-79
- Allow block_suspend cap for samba-net
- Allow t-mission-control to manage gabble cache files
- Allow nslcd to read /sys/devices/system/cpu
- Allow selinux_store to use symlinks
* Mon Sep 9 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-78
- Allow xdm_t to transition to itself
- Call neutron interfaces instead of quantum
- Allow init to change targed role to make uncofined services (xrdp which now has own systemd unit file) working. We want them to have in unconfined_t
- Make sure directories in /run get created with the correct label
- Make sure /root/.pki gets created with the right label
- try to remove labeling for motion from zoneminder_exec_t to bin_t
- Allow inetd_t to execute shell scripts
- Allow cloud-init to read all domainstate
- Fix to use quantum port
- Add interface netowrkmanager_initrc_domtrans
- Fix boinc_execmem
- Allow t-mission-control to read gabble cache home
- Add labeling for ~/.cache/telepathy/avatars/gabble
- Allow memcache to read sysfs data
- Cleanup antivirus policy and add additional fixes
- Add boolean boinc_enable_execstack
- Add support for couchdb in rabbitmq policy
- Add interface couchdb_search_pid_dirs
- Allow firewalld to read NM state
- Allow systemd running as git_systemd to bind git port
- Fix mozilla_plugin_rw_tmpfs_files()
* Thu Sep 5 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-77
- Split out rlogin ports from inetd
- Treat files labeld as usr_t like bin_t when it comes to transitions
- Allow staff_t to read login config
- Allow ipsec_t to read .google authenticator data
- Allow systemd running as git_systemd to bind git port
- Fix mozilla_plugin_rw_tmpfs_files()
- Call the correct interface - corenet_udp_bind_ktalkd_port()
- Allow all domains that can read gnome_config to read kde config
- Allow sandbox domain to read/write mozilla_plugin_tmpfs_t so pulseaudio will work
- Allow mdadm to getattr any file system
- Allow a confined domain to executes mozilla_exec_t via dbus
- Allow cupsd_lpd_t to bind to the printer port
- Dontaudit attempts to bind to ports < 1024 when nis is turned on
- Allow apache domain to connect to gssproxy socket
- Allow rlogind to bind to the rlogin_port
- Allow telnetd to bind to the telnetd_port
- Allow ktalkd to bind to the ktalkd_port
- Allow cvs to bind to the cvs_port
* Wed Sep 4 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-76
- Cleanup related to init_domain()+inetd_domain fixes
- Use just init_domain instead of init_daemon_domain in inetd_core_service_domain
- svirt domains neeed to create kobject_uevint_sockets
- Lots of new access required for sosreport
- Allow tgtd_t to connect to isns ports
- Allow init_t to transition to all inetd domains:
- openct needs to be able to create netlink_object_uevent_sockets
- Dontaudit leaks into ldconfig_t
- Dontaudit su domains getattr on /dev devices, move su domains to attribute based calls
- Move kernel_stream_connect into all Xwindow using users
- Dontaudit inherited lock files in ifconfig o dhcpc_t
* Tue Sep 3 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-75
- Also sock_file trans rule is needed in lsm
- Fix labeling for fetchmail pid files/dirs
- Add additional fixes for abrt-upload-watch
- Fix polipo.te
- Fix transition rules in asterisk policy
- Add fowner capability to networkmanager policy
- Allow polipo to connect to tor ports
- Cleanup lsmd.if
- Cleanup openhpid policy
- Fix kdump_read_crash() interface
- Make more domains as init domain
- Fix cupsd.te
- Fix requires in rpm_rw_script_inherited_pipes
- Fix interfaces in lsm.if
- Allow munin service plugins to manage own tmpfs files/dirs
- Allow virtd_t also relabel unix stream sockets for virt_image_type
- Make ktalk as init domain
- Fix to define ktalkd_unit_file_t correctly
- Fix ktalk.fc
- Add systemd support for talk-server
- Allow glusterd to create sock_file in /run
- Allow xdm_t to delete gkeyringd_tmp_t files on logout
- Add fixes for hypervkvp policy
- Add logwatch_can_sendmail boolean
- Allow mysqld_safe_t to handle also symlinks in /var/log/mariadb
- Allow xdm_t to delete gkeyringd_tmp_t files on logout
* Thu Aug 29 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-74
- Add selinux-policy-sandbox pkg
* Tue Aug 27 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-73
0
- Allow rhsmcertd to read init state
- Allow fsetid for pkcsslotd
- Fix labeling for /usr/lib/systemd/system/pkcsslotd.service
- Allow fetchmail to create own pid with correct labeling
- Fix rhcs_domain_template()
- Allow roles which can run mock to read mock lib files to view results
- Allow rpcbind to use nsswitch
- Fix lsm.if summary
- Fix collectd_t can read /etc/passwd file
- Label systemd unit files under dracut correctly
- Add support for pam_mount to mount user's encrypted home When a user logs in and logs out using ssh
- Add support for .Xauthority-n
- Label umount.crypt as lvm_exec_t
- Allow syslogd to search psad lib files
- Allow ssh_t to use /dev/ptmx
- Make sure /run/pluto dir is created with correct labeling
- Allow syslog to run shell and bin_t commands
- Allow ip to relabel tun_sockets
- Allow mount to create directories in files under /run
- Allow processes to use inherited fifo files
* Fri Aug 23 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-72
- Add policy for lsmd
- Add support for /var/log/mariadb dir and allow mysqld_safe to list this directory
- Update condor_master rules to allow read system state info and allow logging
- Add labeling for /etc/condor and allow condor domain to write it (bug)
- Allow condor domains to manage own logs
- Allow glusterd to read domains state
- Fix initial hypervkvp policy
- Add policy for hypervkvpd
- Fix redis.if summary
* Wed Aug 21 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-71
- Allow boinc to connect to @/tmp/.X11-unix/X0
- Allow beam.smp to connect to tcp/5984
- Allow named to manage own log files
- Add label for /usr/libexec/dcc/start-dccifd and domtrans to dccifd_t
- Add virt_transition_userdomain boolean decl
- Allow httpd_t to sendto unix_dgram sockets on its children
- Allow nova domains to execute ifconfig
- bluetooth wants to create fifo_files in /tmp
- exim needs to be able to manage mailman data
- Allow sysstat to getattr on all file systems
- Looks like bluetoothd has moved
- Allow collectd to send ping packets
- Allow svirt_lxc domains to getpgid
- Remove virt-sandbox-service labeling as virsh_exec_t, since it no longer does virsh_t stuff
- Allow frpintd_t to read /dev/urandom
- Allow asterisk_t to create sock_file in /var/run
- Allow usbmuxd to use netlink_kobject
- sosreport needs to getattr on lots of devices, and needs access to netlink_kobject_uevent_socket
- More cleanup of svirt_lxc policy
- virtd_lxc_t now talks to dbus
- Dontaudit leaked ptmx_t
- Allow processes to use inherited fifo files
- Allow openvpn_t to connect to squid ports
- Allow prelink_cron_system_t to ask systemd to reloaddd miscfiles_dontaudit_access_check_cert()
- Allow ssh_t to use /dev/ptmx
- Make sure /run/pluto dir is created with correct labeling
- Allow syslog to run shell and bin_t commands
- Allow ip to relabel tun_sockets
- Allow mount to create directories in files under /run
- Allow processes to use inherited fifo files
- Allow user roles to connect to the journal socket
* Thu Aug 8 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-70
- selinux_set_enforce_mode needs to be used with type
- Add append to the dontaudit for unix_stream_socket of xdm_t leak
- Allow xdm_t to create symlinks in log direcotries
- Allow login programs to read afs config
- Label 10933 as a pop port, for dovecot
- New policy to allow selinux_server.py to run as semanage_t as a dbus service
- Add fixes to make netlabelctl working on MLS
- AVCs required for running sepolicy gui as staff_t
- Dontaudit attempts to read symlinks, sepolicy gui is likely to cause this type of AVC
- New dbus server to be used with new gui
- After modifying some files in /etc/mail, I saw this needed on the next boot
- Loading a vm from /usr/tmp with virt-manager
- Clean up oracleasm policy for Fedora
- Add oracleasm policy written by rlopez@redhat.com
- Make postfix_postdrop_t as mta_agent to allow domtrans to system mail if it is executed by apache
- Add label for /var/crash
- Allow fenced to domtrans to sanclok_t
- Allow nagios to manage nagios spool files
- Make tfptd as home_manager
- Allow kdump to read kcore on MLS system
- Allow mysqld-safe sys_nice/sys_resource caps
- Allow apache to search automount tmp dirs if http_use_nfs is enabled
- Allow crond to transition to named_t, for use with unbound
- Allow crond to look at named_conf_t, for unbound
- Allow mozilla_plugin_t to transition its home content
- Allow dovecot_domain to read all system and network state
- Allow httpd_user_script_t to call getpw
- Allow semanage to read pid files
- Dontaudit leaked file descriptors from user domain into thumb
- Make PAM authentication working if it is enabled in ejabberd
- Add fixes for rabbit to fix ##992920,#992931
- Allow glusterd to mount filesystems
- Loading a vm from /usr/tmp with virt-manager
- Trying to load a VM I got an AVC from devicekit_disk for loopcontrol device
- Add fix for pand service
- shorewall touches own log
- Allow nrpe to list /var
- Mozilla_plugin_roles can not be passed into lpd_run_lpr
- Allow afs domains to read afs_config files
- Allow login programs to read afs config
- Allow virt_domain to read virt_var_run_t symlinks
- Allow smokeping to send its process signals
- Allow fetchmail to setuid
- Add kdump_manage_crash() interface
- Allow abrt domain to write abrt.socket
* Wed Jul 31 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-69
- Add more aliases in pegasus.te
- Add more fixes for *_admin interfaces
- Add interface fixes
- Allow nscd to stream connect to nmbd
- Allow gnupg apps to write to pcscd socket
- Add more fixes for openlmi provides. Fix naming and support for additionals
- Allow fetchmail to resolve host names
- Allow firewalld to interact also with lnk files labeled as firewalld_etc_rw_t
- Add labeling for cmpiLMI_Fan-cimprovagt
- Allow net_admin for glusterd
- Allow telepathy domain to create dconf with correct labeling in /home/userX/.cache/
- Add pegasus_openlmi_system_t
- Fix puppet_domtrans_master() to make all puppet calling working in passenger.te
- Fix corecmd_exec_chroot()
- Fix logging_relabel_syslog_pid_socket interface
- Fix typo in unconfineduser.te
- Allow system_r to access unconfined_dbusd_t to run hp_chec
* Tue Jul 30 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-68
- Allow xdm_t to act as a dbus client to itsel
- Allow fetchmail to resolve host names
- Allow gnupg apps to write to pcscd socket
- Add labeling for cmpiLMI_Fan-cimprovagt
- Allow net_admin for glusterd
- Allow telepathy domain to create dconf with correct labeling in /home/userX/.cache/
- Add pegasus_openlmi_system_t
- Fix puppet_domtrans_master() to make all puppet calling working in passenger.te
-httpd_t does access_check on certs
* Fri Jul 26 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-67
- Add support for cmpiLMI_Service-cimprovagt
- Allow pegasus domtrans to rpm_t to make pycmpiLMI_Software-cimprovagt running as rpm_t
- Label pycmpiLMI_Software-cimprovagt as rpm_exec_t
- Add support for pycmpiLMI_Storage-cimprovagt
- Add support for cmpiLMI_Networking-cimprovagt
- Allow system_cronjob_t to create user_tmpfs_t to make pulseaudio working
- Allow virtual machines and containers to run as user doains, needed for virt-sandbox
- Allow buglist.cgi to read cpu info
* Mon Jul 22 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-66
- Allow systemd-tmpfile to handle tmp content in print spool dir
- Allow systemd-sysctl to send system log messages
- Add support for RTP media ports and fmpro-internal
- Make auditd working if audit is configured to perform SINGLE action on disk error
- Add interfaces to handle systemd units
- Make systemd-notify working if pcsd is used
- Add support for netlabel and label /usr/sbin/netlabelctl as iptables_exec_t
- Instead of having all unconfined domains get all of the named transition rules,
- Only allow unconfined_t, init_t, initrc_t and rpm_script_t by default.
- Add definition for the salt ports
- Allow xdm_t to create link files in xdm_var_run_t
- Dontaudit reads of blk files or chr files leaked into ldconfig_t
- Allow sys_chroot for useradd_t
- Allow net_raw cap for ipsec_t
- Allow sysadm_t to reload services
- Add additional fixes to make strongswan working with a simple conf
- Allow sysadm_t to enable/disable init_t services
- Add additional glusterd perms
- Allow apache to read lnk files in the /mnt directory
- Allow glusterd to ask the kernel to load a module
- Fix description of ftpd_use_fusefs boolean
- Allow svirt_lxc_net_t to sys_chroot, modify policy to tighten up svirt_lxc_domain capabilties and process controls, but add them to svirt_lxc_net_t
- Allow glusterds to request load a kernel module
- Allow boinc to stream connect to xserver_t
- Allow sblim domains to read /etc/passwd
- Allow mdadm to read usb devices
- Allow collectd to use ping plugin
- Make foghorn working with SNMP
- Allow sssd to read ldap certs
- Allow haproxy to connect to RTP media ports
- Add additional trans rules for aide_db
- Add labeling for /usr/lib/pcsd/pcsd
- Add labeling for /var/log/pcsd
- Add support for pcs which is a corosync and pacemaker configuration tool
* Wed Jul 17 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-65
- Label /var/lib/ipa/pki-ca/publish as pki_tomcat_cert_t
- Add labeling for /usr/libexec/kde4/polkit-kde-authentication-agent-1
- Allow all domains that can domtrans to shutdown, to start the power services script to shutdown
- consolekit needs to be able to shut down system
- Move around interfaces
- Remove nfsd_rw_t and nfsd_ro_t, they don't do anything
- Add additional fixes for rabbitmq_beam to allow getattr on mountpoints
- Allow gconf-defaults-m to read /etc/passwd
- Fix pki_rw_tomcat_cert() interface to support lnk_files
* Fri Jul 12 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-64
- Add support for gluster ports
- Make sure that all keys located in /etc/ssh/ are labeled correctly
- Make sure apcuspd lock files get created with the correct label
- Use getcap in gluster.te
- Fix gluster policy
- add additional fixes to allow beam.smp to interact with couchdb files
- Additional fix for #974149
- Allow gluster to user gluster ports
- Allow glusterd to transition to rpcd_t and add additional fixes for #980683
- Allow tgtd working when accessing to the passthrough device
- Fix labeling for mdadm unit files
* Thu Jul 11 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-63
- Add mdadm fixes
* Tue Jul 9 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-62
- Fix definition of sandbox.disabled to sandbox.pp.disabled
* Mon Jul 8 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-61
- Allow mdamd to execute systemctl
- Allow mdadm to read /dev/kvm
- Allow ipsec_mgmt_t to read l2tpd pid content
* Mon Jul 8 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-60
- Allow nsd_t to read /dev/urand
- Allow mdadm_t to read framebuffer
- Allow rabbitmq_beam_t to read process info on rabbitmq_epmd_t
- Allow mozilla_plugin_config_t to create tmp files
- Cleanup openvswitch policy
- Allow mozilla plugin to getattr on all executables
- Allow l2tpd_t to create fifo_files in /var/run
- Allow samba to touch/manage fifo_files or sock_files in a samba_share_t directory
- Allow mdadm to connecto its own unix_stream_socket
- FIXME: nagios changed locations to /log/nagios which is wrong. But we need to have this workaround for now.
- Allow apache to access smokeping pid files
- Allow rabbitmq_beam_t to getattr on all filesystems
- Add systemd support for iodined
- Allow nup_upsdrvctl_t to execute its entrypoint
- Allow fail2ban_client to write to fail2ban_var_run_t, Also allow it to use nsswitch
- add labeling for ~/.cache/libvirt-sandbox
- Add interface to allow domains transitioned to by confined users to send sigchld to screen program
- Allow sysadm_t to check the system status of files labeled etc_t, /etc/fstab
- Allow systemd_localed to start /usr/lib/systemd/system/systemd-vconsole-setup.service
- Allow an domain that has an entrypoint from a type to be allowed to execute the entrypoint without a transition, I can see no case where this is a bad thing, and elminiates a whole class of AVCs.
- Allow staff to getsched all domains, required to run htop
- Add port definition for redis port
- fix selinuxuser_use_ssh_chroot boolean
* Wed Jul 3 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-59
- Add prosody policy written by Michael Scherer
- Allow nagios plugins to read /sys info
- ntpd needs to manage own log files
- Add support for HOME_DIR/.IBMERS
- Allow iptables commands to read firewalld config
- Allow consolekit_t to read utmp
- Fix filename transitions on .razor directory
- Add additional fixes to make DSPAM with LDA working
- Allow snort to read /etc/passwd
- Allow fail2ban to communicate with firewalld over dbus
- Dontaudit openshift_cgreoup_file_t read/write leaked dev
- Allow nfsd to use mountd port
- Call th proper interface
- Allow openvswitch to read sys and execute plymouth
- Allow tmpwatch to read /var/spool/cups/tmp
- Add support for /usr/libexec/telepathy-rakia
- Add systemd support for zoneminder
- Allow mysql to create files/directories under /var/log/mysql
- Allow zoneminder apache scripts to rw zoneminder tmpfs
- Allow httpd to manage zoneminder lib files
- Add zoneminder_run_sudo boolean to allow to start zoneminder
- Allow zoneminder to send mails
- gssproxy_t sock_file can be under /var/lib
- Allow web domains to connect to whois port.
- Allow sandbox_web_type to connect to the same ports as mozilla_plugin_t.
- We really need to add an interface to corenet to define what a web_client_domain is and
- then define chrome_sandbox_t, mozilla_plugin_t and sandbox_web_type to that domain.
- Add labeling for cmpiLMI_LogicalFile-cimprovagt
- Also make pegasus_openlmi_logicalfile_t as unconfined to have unconfined_domain attribute for filename trans rules
- Update policy rules for pegasus_openlmi_logicalfile_t
- Add initial types for logicalfile/unconfined OpenLMI providers
- mailmanctl needs to read own log
- Allow logwatch manage own lock files
- Allow nrpe to read meminfo
- Allow httpd to read certs located in pki-ca
- Add pki_read_tomcat_cert() interface
- Add support for nagios openshift plugins
- Add port definition for redis port
- fix selinuxuser_use_ssh_chroot boolean
* Fri Jun 28 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-58
- Shrink the size of policy by moving to attributes, also add dridomain so that mozilla_plugin can follow selinuxuse_dri boolean.
- Allow bootloader to manage generic log files
- Allow ftp to bind to port 989
- Fix label of new gear directory
- Add support for new directory /var/lib/openshift/gears/
- Add openshift_manage_lib_dirs()
- allow virtd domains to manage setrans_var_run_t
- Allow useradd to manage all openshift content
- Add support so that mozilla_plugin_t can use dri devices
- Allow chronyd to change the scheduler
- Allow apmd to shut downthe system
- Devicekit_disk_t needs to manage /etc/fstab
* Wed Jun 26 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-57
- Make DSPAM to act as a LDA working
- Allow ntop to create netlink socket
- Allow policykit to send a signal to policykit-auth
- Allow stapserver to dbus chat with avahi/systemd-logind
- Fix labeling on haproxy unit file
- Clean up haproxy policy
- A new policy for haproxy and placed it to rhcs.te
- Add support for ldirectord and treat it with cluster_t
- Make sure anaconda log dir is created with var_log_t
* Mon Jun 24 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-56
- Allow lvm_t to create default targets for filesystem handling
- Fix labeling for razor-lightdm binaries
- Allow insmod_t to read any file labeled var_lib_t
- Add policy for pesign
- Activate policy for cmpiLMI_Account-cimprovagt
- Allow isnsd syscall=listen
- /usr/libexec/pegasus/cimprovagt needs setsched caused by sched_setscheduler
- Allow ctdbd to use udp/4379
- gatherd wants sys_nice and setsched
- Add support for texlive2012
- Allow NM to read file_t (usb stick with no labels used to transfer keys for example)
- Allow cobbler to execute apache with domain transition
* Fri Jun 21 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-55
- condor_collector uses tcp/9000
- Label /usr/sbin/virtlockd as virtd_exec_t for now
- Allow cobbler to execute ldconfig
- Allow NM to execute ssh
- Allow mdadm to read /dev/crash
- Allow antivirus domains to connect to snmp port
- Make amavisd-snmp working correctly
- Allow nfsd_t to mounton nfsd_fs_t
- Add initial snapper policy
- We still need to have consolekit policy
- Dontaudit firefox attempting to connect to the xserver_port_t if run within sandbox_web_t
- Dontaudit sandbox apps attempting to open user_devpts_t
- Allow dirsrv to read network state
- Fix pki_read_tomcat_lib_files
- Add labeling for /usr/libexec/nm-ssh-service
- Add label cert_t for /var/lib/ipa/pki-ca/publish
- Lets label /sys/fs/cgroup as cgroup_t for now, to keep labels consistant
- Allow nfsd_t to mounton nfsd_fs_t
- Dontaudit sandbox apps attempting to open user_devpts_t
- Allow passwd_t to change role to system_r from unconfined_r
* Wed Jun 19 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-54
- Don't audit access checks by sandbox xserver on xdb var_lib
- Allow ntop to read usbmon devices
- Add labeling for new polcykit authorizor
- Dontaudit access checks from fail2ban_client
- Don't audit access checks by sandbox xserver on xdb var_lib
- Allow apps that connect to xdm stream to conenct to xdm_dbusd_t stream
- Fix labeling for all /usr/bim/razor-lightdm-* binaries
- Add filename trans for /dev/md126p1
* Tue Jun 18 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-53
- Make vdagent able to request loading kernel module
- Add support for cloud-init make it as unconfined domain
- pppd wants sys_nice by nmcli because of "syscall=sched_setscheduler"
- Fix mozilla_plugin_can_network_connect to allow to connect to all ports
- Label all munin plugins which are not covered by munin plugins policy as unconfined_munin_plugin_exec_t
- dspam wants to search /var/spool for opendkim data
- Revert "Add support for tcp/10026 port as dspam_port_t"
- Turning on labeled networking requires additional access for netlabel_peer_t; these allow rules need to be back ported to RHEL6
- Allow all application domains to use fifo_files passed in from userdomains, also allow them to write to tmp_files inherited from userdomain
- Allow systemd_tmpfiles_t to setattr on mandb_cache_t
* Sat Dec 1 2012 Miroslav Grepl <mgrepl@redhat.com> 3.11.1-59
- consolekit.pp was not removed from the postinstall script
* Fri Nov 30 2012 Miroslav Grepl <mgrepl@redhat.com> 3.11.1-58
- Add back consolekit policy
- Silence bootloader trying to use inherited tty
- Silence xdm_dbusd_t trying to execute telepathy apps
- Fix shutdown avcs when machine has unconfined.pp disabled
- The host and a virtual machine can share the same printer on a usb device
- Change oddjob to transition to a ranged openshift_initr_exec_t when run from oddjob
- Allow abrt_watch_log_t to execute bin_t
- Allow chrome sandbox to write content in ~/.config/chromium
- Dontaudit setattr on fontconfig dir for thumb_t
- Allow lircd to request the kernel to load module
- Make rsync as userdom_home_manager
- Allow rsync to search automount filesystem
- Add fixes for pacemaker
* Wed Nov 28 2012 Miroslav Grepl <mgrepl@redhat.com> 3.11.1-57
- Add support for 4567/tcp port
- Random fixes from Tuomo Soini
- xdm wants to get init status
- Allow programs to run in fips_mode
- Add interface to allow the reading of all blk device nodes
- Allow init to relabel rpcbind sock_file
- Fix labeling for lastlog and faillog related to logrotate
- ALlow aeolus_configserver to use TRAM port
- Add fixes for aeolus_configserver
- Allow snmpd to connect to snmp port
- Allow spamd_update to create spamd_var_lib_t directories
- Allow domains that can read sssd_public_t files to also list the directory
- Remove miscfiles_read_localization, this is defined for all domains
* Mon Nov 26 2012 Miroslav Grepl <mgrepl@redhat.com> 3.11.1-56
- Allow syslogd to request the kernel to load a module
- Allow syslogd_t to read the network state information
- Allow xdm_dbusd_t connect to the system DBUS
- Add support for 7389/tcp port
- Allow domains to read/write all inherited sockets
- Allow staff_t to read kmsg
- Add awstats_purge_apache_log boolean
- Allow ksysguardproces to read /.config/Trolltech.conf
- Allow passenger to create and append puppet log files
- Add puppet_append_log and puppet_create_log interfaces
- Add puppet_manage_log() interface
- Allow tomcat domain to search tomcat_var_lib_t
- Allow pki_tomcat_t to connect to pki_ca ports
- Allow pegasus_t to have net_admin capability
- Allow pegasus_t to write /sys/class/net/<interface>/flags
- Allow mailserver_delivery to manage mail_home_rw_t lnk_files
- Allow fetchmail to create log files
- Allow gnomeclock to manage home config in .kde
- Allow bittlebee to read kernel sysctls
- Allow logrotate to list /root
* Mon Nov 19 2012 Miroslav Grepl <mgrepl@redhat.com> 3.11.1-55
- Fix userhelper_console_role_template()
- Allow enabling Network Access Point service using blueman
- Make vmware_host_t as unconfined domain
- Allow authenticate users in webaccess via squid, using mysql as backend
- Allow gathers to get various metrics on mounted file systems
- Allow firewalld to read /etc/hosts
- Fix cron_admin_role() to make sysadm cronjobs running in the sysadm_t instead of cronjob_t
- Allow kdumpgui to read/write to zipl.conf
- Commands needed to get mock to build from staff_t in enforcing mode
- Allow mdadm_t to manage cgroup files
- Allow all daemons and systemprocesses to use inherited initrc_tmp_t files
- dontaudit ifconfig_t looking at fifo_files that are leaked to it
- Add lableing for Quest Authentication System
* Thu Nov 15 2012 Miroslav Grepl <mgrepl@redhat.com> 3.11.1-54
- Fix filetrans interface definitions
- Dontaudit xdm_t to getattr on BOINC lib files
- Add systemd_reload_all_services() interface
- Dontaudit write access on /var/lib/net-snmp/mib_indexes
- Only stop mcsuntrustedproc from relableing files
- Allow accountsd to dbus chat with gdm
- Allow realmd to getattr on all fs
- Allow logrotate to reload all services
- Add systemd unit file for radiusd
- Allow winbind to create samba pid dir
- Add labeling for /var/nmbd/unexpected
- Allow chrome and mozilla plugin to connect to msnp ports
* Mon Nov 12 2012 Miroslav Grepl <mgrepl@redhat.com> 3.11.1-53
- Fix storage_rw_inherited_fixed_disk_dev() to cover also blk_file
- Dontaudit setfiles reading /dev/random
- On initial boot gnomeclock is going to need to be set buy gdm
- Fix tftp_read_content() interface
- Random apps looking at kernel file systems
- Testing virt with lxc requiers additional access for virsh_t
- New allow rules requied for latest libvirt, libvirt talks directly to journald,lxc setup tool needs compromize_kernel,and we need ipc_lock in the container
- Allow MPD to read /dev/radnom
- Allow sandbox_web_type to read logind files which needs to read pulseaudio
- Allow mozilla plugins to read /dev/hpet
- Add labeling for /var/lib/zarafa-webap
- Allow BOINC client to use an HTTP proxy for all connections
- Allow rhsmertd to domain transition to dmidecod
- Allow setroubleshootd to send D-Bus msg to ABRT
* Thu Nov 8 2012 Miroslav Grepl <mgrepl@redhat.com> 3.11.1-52
- Define usbtty_device_t as a term_tty
- Allow svnserve to accept a connection
- Allow xend manage default virt_image_t type
- Allow prelink_cron_system_t to overide user componant when executing cp
- Add labeling for z-push
- Gnomeclock sets the realtime clock
- Openshift seems to be storing apache logs in /var/lib/openshift/.log/httpd
- Allow lxc domains to use /dev/random and /dev/urandom
* Wed Nov 7 2012 Miroslav Grepl <mgrepl@redhat.com> 3.11.1-51
- Add port defintion for tcp/9000
- Fix labeling for /usr/share/cluster/checkquorum to label also checkquorum.wdmd
- Add rules and labeling for $HOME/cache/\.gstreamer-.* directory
- Add support for CIM provider openlmi-networking which uses NetworkManager dbus API
- Allow shorewall_t to create netlink_socket
- Allow krb5admind to block suspend
- Fix labels on /var/run/dlm_controld /var/log/dlm_controld
- Allow krb5kdc to block suspend
- gnomessytemmm_t needs to read /etc/passwd
- Allow cgred to read all sysctls
* Tue Nov 6 2012 Miroslav Grepl <mgrepl@redhat.com> 3.11.1-50
- Allow all domains to read /proc/sys/vm/overcommit_memory
- Make proc_numa_t an MLS Trusted Object
- Add /proc/numactl support for confined users
- Allow ssh_t to connect to any port > 1023
- Add openvswitch domain
- Pulseaudio tries to create directories in gnome_home_t directories
- New ypbind pkg wants to search /var/run which is caused by sd_notify
- Allow NM to read certs on NFS/CIFS using use_nfs_*, use_samba_* booleans
- Allow sanlock to read /dev/random
- Treat php-fpm with httpd_t
- Allow domains that can read named_conf_t to be able to list the directories
- Allow winbind to create sock files in /var/run/samba
* Thu Nov 1 2012 Miroslav Grepl <mgrepl@redhat.com> 3.11.1-49
- Add smsd policy
- Add support for OpenShift sbin labelin
- Add boolean to allow virt to use rawip
- Allow mozilla_plugin to read all file systems with noxattrs support
- Allow kerberos to write on anon_inodefs fs
- Additional access required by fenced
- Add filename transitions for passwd.lock/group.lock
- UPdate man pages
- Create coolkey directory in /var/cache with the correct label
* Tue Oct 30 2012 Miroslav Grepl <mgrepl@redhat.com> 3.11.1-48
- Fix label on /etc/group.lock
- Allow gnomeclock to create lnk_file in /etc
- label /root/.pki as a home_cert_t
- Add interface to make sure rpcbind.sock is created with the correct label
- Add definition for new directory /var/lib/os-probe and bootloader wants to read udev rules
- opendkim should be a part of milter
- Allow libvirt to set the kernel sched algorythm
- Allow mongod to read sysfs_t
- Add authconfig policy
- Remove calls to miscfiles_read_localization all domains get this
- Allow virsh_t to read /root/.pki/ content
- Add label for log directory under /var/www/stickshift
* Mon Oct 29 2012 Miroslav Grepl <mgrepl@redhat.com> 3.11.1-47
- Allow getty to setattr on usb ttys
- Allow sshd to search all directories for sshd_home_t content
- Allow staff domains to send dbus messages to kdumpgui
- Fix labels on /etc/.pwd.lock and friends to be passwd_file_t
- Dontaudit setfiles reading urand
- Add files_dontaudit_list_tmp() for domains to which we added sys_nice/setsched
- Allow staff_gkeyringd_t to read /home/$USER/.local/share/keyrings dir
- Allow systemd-timedated to read /dev/urandom
- Allow entropyd_t to read proc_t (meminfo)
- Add unconfined munin plugin
- Fix networkmanager_read_conf() interface
- Allow blueman to list /tmp which is needed by sys_nic/setsched
- Fix label of /etc/mail/aliasesdb-stamp
- numad is searching cgroups
- realmd is communicating with networkmanager using dbus
- Lots of fixes to try to get kdump to work
* Fri Oct 26 2012 Miroslav Grepl <mgrepl@redhat.com> 3.11.1-46
- Allow loging programs to dbus chat with realmd
- Make apache_content_template calling as optional
- realmd is using policy kit
* Fri Oct 26 2012 Miroslav Grepl <mgrepl@redhat.com> 3.11.1-45
- Add new selinuxuser_use_ssh_chroot boolean
- dbus needs to be able to read/write inherited fixed disk device_t passed through it
- Cleanup netutils process allow rule
- Dontaudit leaked fifo files from openshift to ping
- sanlock needs to read mnt_t lnk files
- Fail2ban needs to setsched and sys_nice
* Wed Oct 24 2012 Miroslav Grepl <mgrepl@redhat.com> 3.11.1-44
- Change default label of all files in /var/run/rpcbind
- Allow sandbox domains (java) to read hugetlbfs_t
- Allow awstats cgi content to create tmp files and read apache log files
- Allow setuid/setgid for cupsd-config
- Allow setsched/sys_nice pro cupsd-config
- Fix /etc/localtime sym link to be labeled locale_t
- Allow sshd to search postgresql db t since this is a homedir
- Allow xwindows users to chat with realmd
- Allow unconfined domains to configure all files and null_device_t service
* Tue Oct 23 2012 Miroslav Grepl <mgrepl@redhat.com> 3.11.1-43
- Adopt pki-selinux policy
* Mon Oct 22 2012 Miroslav Grepl <mgrepl@redhat.com> 3.11.1-42
- pki is leaking which we dontaudit until a pki code fix
- Allow setcap for arping
- Update man pages
- Add labeling for /usr/sbin/mcollectived
- pki fixes
- Allow smokeping to execute fping in the netutils_t domain
* Fri Oct 19 2012 Miroslav Grepl <mgrepl@redhat.com> 3.11.1-41
- Allow mount to relabelfrom unlabeled file systems
- systemd_logind wants to send and receive messages from devicekit disk over dbus to make connected mouse working
- Add label to get bin files under libreoffice labeled correctly
- Fix interface to allow executing of base_ro_file_type
- Add fixes for realmd
- Update pki policy
- Add tftp_homedir boolean
- Allow blueman sched_setscheduler
- openshift user domains wants to r/w ssh tcp sockets
* Wed Oct 17 2012 Miroslav Grepl <mgrepl@redhat.com> 3.11.1-40
- Additional requirements for disable unconfined module when booting
- Fix label of systemd script files
- semanage can use -F /dev/stdin to get input
- syslog now uses kerberos keytabs
- Allow xserver to compromise_kernel access
- Allow nfsd to write to mount_var_run_t when running the mount command
- Add filename transition rule for bin_t directories
- Allow files to read usr_t lnk_files
- dhcpc wants chown
- Add support for new openshift labeling
- Clean up for tunable+optional statements
- Add labeling for /usr/sbin/mkhomedir_helper
- Allow antivirus domain to managa amavis spool files
- Allow rpcbind_t to read passwd
- Allow pyzor running as spamc to manage amavis spool
* Tue Oct 16 2012 Miroslav Grepl <mgrepl@redhat.com> 3.11.1-39
- Add interfaces to read kernel_t proc info
- Missed this version of exec_all
- Allow anyone who can load a kernel module to compromise kernel
- Add oddjob_dbus_chat to openshift apache policy
- Allow chrome_sandbox_nacl_t to send signals to itself
- Add unit file support to usbmuxd_t
- Allow all openshift domains to read sysfs info
- Allow openshift domains to getattr on all domains
* Fri Oct 12 2012 Miroslav Grepl <mgrepl@redhat.com> 3.11.1-38
- MLS fixes from Dan
- Fix name of capability2 secure_firmware->compromise_kerne
* Thu Oct 11 2012 Miroslav Grepl <mgrepl@redhat.com> 3.11.1-37
- Allow xdm to search all file systems
- Add interface to allow the config of all files
- Add rngd policy
- Remove kgpg as a gpg_exec_t type
- Allow plymouthd to block suspend
- Allow systemd_dbus to config any file
- Allow system_dbus_t to configure all services
- Allow freshclam_t to read usr_files
- varnishd requires execmem to load modules
* Thu Oct 11 2012 Miroslav Grepl <mgrepl@redhat.com> 3.11.1-36
- Allow semanage to verify types
- Allow sudo domain to execute user home files
- Allow session_bus_type to transition to user_tmpfs_t
- Add dontaudit caused by yum updates
- Implement pki policy but not activated
* Wed Oct 10 2012 Miroslav Grepl <mgrepl@redhat.com> 3.11.1-35
- tuned wants to getattr on all filesystems
- tuned needs also setsched. The build is needed for test day
* Wed Oct 10 2012 Miroslav Grepl <mgrepl@redhat.com> 3.11.1-34
- Add policy for qemu-qa
- Allow razor to write own config files
- Add an initial antivirus policy to collect all antivirus program
- Allow qdisk to read usr_t
- Add additional caps for vmware_host
- Allow tmpfiles_t to setattr on mandb_cache_t
- Dontaudit leaked files into mozilla_plugin_config_t
- Allow wdmd to getattr on tmpfs
- Allow realmd to use /dev/random
- allow containers to send audit messages
- Allow root mount any file via loop device with enforcing mls policy
- Allow tmpfiles_t to setattr on mandb_cache_t
- Allow tmpfiles_t to setattr on mandb_cache_t
- Make userdom_dontaudit_write_all_ not allow open
- Allow init scripts to read all unit files
- Add support for saphostctrl ports
* Mon Oct 8 2012 Miroslav Grepl <mgrepl@redhat.com> 3.11.1-33
- Add kernel_read_system_state to sandbox_client_t
- Add some of the missing access to kdumpgui
- Allow systemd_dbusd_t to status the init system
- Allow vmnet-natd to request the kernel to load a module
- Allow gsf-office-thum to append .cache/gdm/session.log
- realmd wants to read .config/dconf/user
- Firewalld wants sys_nice/setsched
- Allow tmpreaper to delete mandb cache files
- Firewalld wants sys_nice/setsched
- Allow firewalld to perform a DNS name resolution
- Allown winbind to read /usr/share/samba/codepages/lowcase.dat
- Add support for HTTPProxy* in /etc/freshclam.conf
- Fix authlogin_yubike boolean
- Extend smbd_selinux man page to include samba booleans
- Allow dhcpc to execute consoletype
- Allow ping to use inherited tmp files created in init scripts
- On full relabel with unconfined domain disabled, initrc was running some chcon's
- Allow people who delete man pages to delete mandb cache files
* Thu Oct 4 2012 Miroslav Grepl <mgrepl@redhat.com> 3.11.1-32
- Add missing permissive domains
* Thu Oct 4 2012 Miroslav Grepl <mgrepl@redhat.com> 3.11.1-31
- Add new mandb policy
- ALlow systemd-tmpfiles_t to relabel mandb_cache_t
- Allow logrotate to start all unit files
* Thu Oct 4 2012 Miroslav Grepl <mgrepl@redhat.com> 3.11.1-30
- Add fixes for ctbd
- Allow nmbd to stream connect to ctbd
- Make cglear_t as nsswitch_domain
- Fix bogus in interfaces
- Allow openshift to read/write postfix public pipe
- Allow OpenMPI job running as condor_startd_ssh_t to manage condor lib files
- Allow OpenMPI job to use kerberos
- Make deltacloudd_t as nsswitch_domain
- Allow xend_t to run lsscsi
- Allow qemu-dm running as xend_t to create tun_socket
- Add labeling for /opt/brother/Printers(.*/)?inf
- Allow jockey-backend to read pyconfig-64.h labeled as usr_t
- Fix clamscan_can_scan_system boolean
- Allow lpr to connectto to /run/user/$USER/keyring-22uREb/pkcs11
* Tue Jul 3 2012 Miroslav Grepl <mgrepl@redhat.com> 3.11.0-8
- initrc is calling exportfs which is not confined so it attempts to read nfsd_files
- Fixes for passenger running within openshift.
- Add labeling for all tomcat6 dirs
- Add support for tomcat6
- Allow cobblerd to read /etc/passwd
- Allow jockey to read sysfs and and execute binaries with bin_t
- Allow thum to use user terminals
- Allow cgclear to read cgconfig config files
- Fix bcf2g.fc
- Remove sysnet_dns_name_resolve() from policies where auth_use_nsswitch() is used for other domains
- Allow dbomatic to execute ruby
- abrt_watch_log should be abrt_domain
- Allow mozilla_plugin to connect to gatekeeper port
* Wed Jun 27 2012 Miroslav Grepl <mgrepl@redhat.com> 3.11.0-7
- add ptrace_child access to process
- remove files_read_etc_files() calling from all policies which have auth_use_nsswith()
- Allow boinc domains to manage boinc_lib_t lnk_files
- Add support for boinc-client.service unit file
- Add support for boinc.log
- Allow mozilla_plugin execmod on mozilla home files if allow_ex
- Allow dovecot_deliver_t to read dovecot_var_run_t
- Allow ldconfig and insmod to manage kdumpctl tmp files
- Move thin policy out from cloudform.pp and add a new thin poli
- pacemaker needs to communicate with corosync streams
- abrt is now started on demand by dbus
- Allow certmonger to talk directly to Dogtag servers
- Change labeling for /var/lib/cobbler/webui_sessions to httpd_c
- Allow mozila_plugin to execute gstreamer home files
- Allow useradd to delete all file types stored in the users hom
- rhsmcertd reads the rpm database
- Add support for lightdm
* Mon Jun 25 2012 Miroslav Grepl <mgrepl@redhat.com> 3.11.0-6
- Add tomcat policy
- Remove pyzor/razor policy
- rhsmcertd reads the rpm database
- Dontaudit thumb to setattr on xdm_tmp dir
- Allow wicd to execute ldconfig in the networkmanager_t domain
- Add /var/run/cherokee\.pid labeling
- Allow mozilla_plugin to create mozilla_plugin_tmp_t lnk files too
- Allow postfix-master to r/w pipes other postfix domains
- Allow snort to create netlink_socket
- Add kdumpctl policy
- Allow firstboot to create tmp_t files/directories
- /usr/bin/paster should not be labeled as piranha_exec_t
- remove initrc_domain from tomcat
- Allow ddclient to read /etc/passwd
- Allow useradd to delete all file types stored in the users homedir
- Allow ldconfig and insmod to manage kdumpctl tmp files
- Firstboot should be just creating tmp_t dirs and xauth should be allowed to write to those
- Transition xauth files within firstboot_tmp_t
- Fix labeling of /run/media to match /media
- Label all lxdm.log as xserver_log_t
- Add port definition for mxi port
- Allow local_login_t to execute tmux
* Tue Jun 19 2012 Miroslav Grepl <mgrepl@redhat.com> 3.11.0-5
- apcupsd needs to read /etc/passwd
- Sanlock allso sends sigkill
- Allow glance_registry to connect to the mysqld port
- Dontaudit mozilla_plugin trying to getattr on /dev/gpmctl
- Allow firefox plugins/flash to connect to port 1234
- Allow mozilla plugins to delete user_tmp_t files
- Add transition name rule for printers.conf.O
- Allow virt_lxc_t to read urand
- Allow systemd_loigind to list gstreamer_home_dirs
- Fix labeling for /usr/bin
- Fixes for cloudform services
* support FIPS
- Allow polipo to work as web caching
- Allow chfn to execute tmux
* Fri Jun 15 2012 Miroslav Grepl <mgrepl@redhat.com> 3.11.0-4
- Add support for ecryptfs
* ecryptfs does not support xattr
* we need labeling for HOMEDIR
- Add policy for (u)mount.ecryptfs*
- Fix labeling of kerbero host cache files, allow rpc.svcgssd to manage host cache
- Allow dovecot to manage Maildir content, fix transitions to Maildir
- Allow postfix_local to transition to dovecot_deliver
- Dontaudit attempts to setattr on xdm_tmp_t, looks like bogus code
- Cleanup interface definitions
- Allow apmd to change with the logind daemon
- Changes required for sanlock in rhel6
- Label /run/user/apache as httpd_tmp_t
- Allow thumb to use lib_t as execmod if boolean turned on
- Allow squid to create the squid directory in /var with the correct labe
- Add a new policy for glusterd from Bryan Bickford (bbickfor@redhat.com)
- Allow virtd to exec xend_exec_t without transition
- Allow virtd_lxc_t to unmount all file systems
* Tue Jun 12 2012 Miroslav Grepl <mgrepl@redhat.com> 3.11.0-3
- PolicyKit path has changed
- Allow httpd connect to dirsrv socket
- Allow tuned to write generic kernel sysctls
- Dontaudit logwatch to gettr on /dev/dm-2
- Allow policykit-auth to manage kerberos files
- Make condor_startd and rgmanager as initrc domain
- Allow virsh to read /etc/passwd
- Allow mount to mount on user_tmp_t for /run/user/dwalsh/gvfs
- xdm now needs to execute xsession_exec_t
- Need labels for /var/lib/gdm
- Fix files_filetrans_named_content() interface
- Add new attribute - initrc_domain
- Allow systemd_logind_t to signal, signull, sigkill all processes
- Add filetrans rules for etc_runtime files
* Sat Jun 9 2012 Miroslav Grepl <mgrepl@redhat.com> 3.11.0-2
- Rename boolean names to remove allow_
* Thu Jun 7 2012 Miroslav Grepl <mgrepl@redhat.com> 3.11.0-1
- Mass merge with upstream
* new policy topology to include contrib policy modules
* we have now two base policy patches
* Wed May 30 2012 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-128
- Fix description of authlogin_nsswitch_use_ldap
- Fix transition rule for rhsmcertd_t needed for RHEL7
- Allow useradd to list nfs state data
- Allow openvpn to manage its log file and directory
- We want vdsm to transition to mount_t when executing mount command to make sure /etc/mtab remains labeled correctly
- Allow thumb to use nvidia devices
- Allow local_login to create user_tmp_t files for kerberos
- Pulseaudio needs to read systemd_login /var/run content
- virt should only transition named system_conf_t config files
- Allow munin to execute its plugins
- Allow nagios system plugin to read /etc/passwd
- Allow plugin to connect to soundd port
- Fix httpd_passwd to be able to ask passwords
- Radius servers can use ldap for backing store
- Seems to need to mount on /var/lib for xguest polyinstatiation to work.
- Allow systemd_logind to list the contents of gnome keyring
- VirtualGL need xdm to be able to manage content in /etc/opt/VirtualGL
- Add policy for isns-utils
* Mon May 28 2012 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-127
- Add policy for subversion daemon
- Allow boinc to read passwd
- Allow pads to read kernel network state
- Fix man2html interface for sepolgen-ifgen
- Remove extra /usr/lib/systemd/system/smb
- Remove all /lib/systemd and replace with /usr/lib/systemd
- Add policy for man2html
- Fix the label of kerberos_home_t to krb5_home_t
- Allow mozilla plugins to use Citrix
- Allow tuned to read /proc/sys/kernel/nmi_watchdog
- Allow tune /sys options via systemd's tmpfiles.d "w" type
* Wed May 23 2012 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-126
- Dontaudit lpr_t to read/write leaked mozilla tmp files
- Add file name transition for .grl-podcasts directory
- Allow corosync to read user tmp files
- Allow fenced to create snmp lib dirs/files
- More fixes for sge policy
- Allow mozilla_plugin_t to execute any application
- Allow dbus to read/write any open file descriptors to any non security file on the system that it inherits to that it can pass them to another domain
- Allow mongod to read system state information
- Fix wrong type, we should dontaudit sys_admin for xdm_t not xserver_t
- Allow polipo to manage polipo_cache dirs
- Add jabbar_client port to mozilla_plugin_t
- Cleanup procmail policy
- system bus will pass around open file descriptors on files that do not have labels on them
- Allow l2tpd_t to read system state
- Allow tuned to run ls /dev
- Allow sudo domains to read usr_t files
- Add label to machine-id
- Fix corecmd_read_bin_symlinks cut and paste error
* Wed May 16 2012 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-125
- Fix pulseaudio port definition
- Add labeling for condor_starter
- Allow chfn_t to creat user_tmp_files
- Allow chfn_t to execute bin_t
- Allow prelink_cron_system_t to getpw calls
- Allow sudo domains to manage kerberos rcache files
- Allow user_mail_domains to work with courie
- Port definitions necessary for running jboss apps within openshift
- Add support for openstack-nova-metadata-api
- Add support for nova-console*
- Add support for openstack-nova-xvpvncproxy
- Fixes to make privsep+SELinux working if we try to use chage to change passwd
- Fix auth_role() interface
- Allow numad to read sysfs
- Allow matahari-rpcd to execute shell
- Add label for ~/.spicec
- xdm is executing lspci as root which is requesting a sys_admin priv but seems to succeed without it
- Devicekit_disk wants to read the logind sessions file when writing a cd
- Add fixes for condor to make condor jobs working correctly
- Change label of /var/log/rpmpkgs to cron_log_t
- Access requires to allow systemd-tmpfiles --create to work.
- Fix obex to be a user application started by the session bus.
- Add additional filename trans rules for kerberos
- Fix /var/run/heartbeat labeling
- Allow apps that are managing rcache to file trans correctly
- Allow openvpn to authenticate against ldap server
- Containers need to listen to network starting and stopping events
* Wed May 9 2012 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-124
- Make systemd unit files less specific
* Tue May 8 2012 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-123
- Fix zarafa labeling
- Allow guest_t to fix labeling
- corenet_tcp_bind_all_unreserved_ports(ssh_t) should be called with the user_tcp_server boolean
- add lxc_contexts
- Allow accountsd to read /proc
- Allow restorecond to getattr on all file sytems
- tmpwatch now calls getpw
- Allow apache daemon to transition to pwauth domain
- Label content under /var/run/user/NAME/keyring* as gkeyringd_tmp_t
- The obex socket seems to be a stream socket
- dd label for /var/run/nologin
* Mon May 7 2012 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-122
- Allow jetty running as httpd_t to read hugetlbfs files
- Allow sys_nice and setsched for rhsmcertd
- Dontaudit attempts by mozilla_plugin_t to bind to ssdp ports
- Allow setfiles to append to xdm_tmp_t
- Add labeling for /export as a usr_t directory
- Add labels for .grl files created by gstreamer
* Fri May 4 2012 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-121
- Add labeling for /usr/share/jetty/bin/jetty.sh
- Add jetty policy which contains file type definitios
- Allow jockey to use its own fifo_file and make this the default for all domains
- Allow mozilla_plugins to use spice (vnc_port/couchdb)
- asterisk wants to read the network state
- Blueman now uses /var/lib/blueman- Add label for nodejs_debug
- Allow mozilla_plugin_t to create ~/.pki directory and content
* Wed May 2 2012 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-120
- Add clamscan_can_scan_system boolean
- Allow mysqld to read kernel network state
- Allow sshd to read/write condor lib files
- Allow sshd to read/write condor-startd tcp socket
- Fix description on httpd_graceful_shutdown
- Allow glance_registry to communicate with mysql
- dbus_system_domain is using systemd to lauch applications
- add interfaces to allow domains to send kill signals to user mail agents
- Remove unnessary access for svirt_lxc domains, add privs for virtd_lxc_t
- Lots of new access required for secure containers
- Corosync needs sys_admin capability
- ALlow colord to create shm
- .orc should be allowed to be created by any app that can create gstream home content, thumb_t to be specific
- Add boolean to control whether or not mozilla plugins can create random content in the users homedir
- Add new interface to allow domains to list msyql_db directories, needed for libra
- shutdown has to be allowed to delete etc_runtime_t
- Fail2ban needs to read /etc/passwd
- Allow ldconfig to create /var/cache/ldconfig
- Allow tgtd to read hardware state information
- Allow collectd to create packet socket
- Allow chronyd to send signal to itself
- Allow collectd to read /dev/random
- Allow collectd to send signal to itself
- firewalld needs to execute restorecon
- Allow restorecon and other login domains to execute restorecon
* Tue Apr 24 2012 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-119
- Allow logrotate to getattr on systemd unit files
- Add support for tor systemd unit file
- Allow apmd to create /var/run/pm-utils with the correct label
- Allow l2tpd to send sigkill to pppd
- Allow pppd to stream connect to l2tpd
- Add label for scripts in /etc/gdm/
- Allow systemd_logind_t to ignore mcs constraints on sigkill
- Allow avahi to request the kernel to load a module
- Dontaudit hal leaks
- Fix gnome_manage_data interface
- Add new interface corenet_packet to define a type as being an packet_type.
- Removed general access to packet_type from icecast and squid.
- Allow mpd to read alsa config
- Fix the label for wicd log
- Add systemd policy
* Fri Dec 3 2010 Miroslav Grepl <mgrepl@redhat.com> 3.9.10-6
- Fix gnome_manage_data interface
- Dontaudit sys_ptrace capability for iscsid
- Fixes for nagios plugin policy
* Thu Dec 2 2010 Miroslav Grepl <mgrepl@redhat.com> 3.9.10-5
- Fix cron to run ranged when started by init
- Fix devicekit to use log files
- Dontaudit use of devicekit_var_run_t for fstools
- Allow init to setattr on logfile directories
- Allow hald to manage files in /var/run/pm-utils/ dir which is now labeled as devicekit_var_run_t
* Tue Nov 30 2010 Dan Walsh <dwalsh@redhat.com> 3.9.10-4
- Fix up handling of dnsmasq_t creating /var/run/libvirt/network
- Turn on sshd_forward_ports boolean by default
- Allow sysadmin to dbus chat with rpm
- Add interface for rw_tpm_dev
- Allow cron to execute bin
- fsadm needs to write sysfs
- Dontaudit consoletype reading /var/run/pm-utils
- Lots of new privs fro mozilla_plugin_t running java app, make mozilla_plugin
- certmonger needs to manage dirsrv data
- /var/run/pm-utils should be labeled as devicekit_var_run_t
* Tue Nov 30 2010 Miroslav Grepl <mgrepl@redhat.com> 3.9.10-3
- fixes to allow /var/run and /var/lock as tmpfs
- Allow chrome sandbox to connect to web ports
- Allow dovecot to listem on lmtp and sieve ports
- Allov ddclient to search sysctl_net_t
- Transition back to original domain if you execute the shell
* Thu Nov 25 2010 Miroslav Grepl <mgrepl@redhat.com> 3.9.10-2
- Remove duplicate declaration
* Thu Nov 25 2010 Miroslav Grepl <mgrepl@redhat.com> 3.9.10-1
- Update to upstream
- Cleanup for sandbox
- Add attribute to be able to select sandbox types
* Mon Nov 22 2010 Miroslav Grepl <mgrepl@redhat.com> 3.9.9-4
- Allow ddclient to fix file mode bits of ddclient conf file
- init leaks file descriptors to daemons
- Add labels for /etc/lirc/ and
- Allow amavis_t to exec shell
- Add label for gssd_tmp_t for /var/tmp/nfs_0
* Thu Nov 18 2010 Dan Walsh <dwalsh@redhat.com> 3.9.9-3
- Put back in lircd_etc_t so policy will install
* Thu Nov 18 2010 Miroslav Grepl <mgrepl@redhat.com> 3.9.9-2
- Turn on allow_postfix_local_write_mail_spool
- Allow initrc_t to transition to shutdown_t
- Allow logwatch and cron to mls_read_to_clearance for MLS boxes
- Allow wm to send signull to all applications and receive them from users
- lircd patch from field
- Login programs have to read /etc/samba
- New programs under /lib/systemd
- Abrt needs to read config files
* Tue Nov 16 2010 Miroslav Grepl <mgrepl@redhat.com> 3.9.9-1
- Update to upstream
- Dontaudit leaked sockets from userdomains to user domains
- Fixes for mcelog to handle scripts
- Apply patch from Ruben Kerkhof
- Allow syslog to search spool dirs
* Mon Nov 15 2010 Miroslav Grepl <mgrepl@redhat.com> 3.9.8-7
- Allow nagios plugins to read usr files
- Allow mysqld-safe to send system log messages
- Fixes fpr ddclient policy
- Fix sasl_admin interface
- Allow apache to search zarafa config
- Allow munin plugins to search /var/lib directory
- Allow gpsd to read sysfs_t
- Fix labels on /etc/mcelog/triggers to bin_t
* Fri Nov 12 2010 Dan Walsh <dwalsh@redhat.com> 3.9.8-6
- Remove saslauthd_tmp_t and transition tmp files to krb5_host_rcache_t
- Allow saslauthd_t to create krb5_host_rcache_t files in /tmp
- Fix xserver interface
- Fix definition of /var/run/lxdm
* Fri Nov 12 2010 Miroslav Grepl <mgrepl@redhat.com> 3.9.8-5
- Turn on mediawiki policy
- kdump leaks kdump_etc_t to ifconfig, add dontaudit
- uux needs to transition to uucpd_t
- More init fixes relabels man,faillog
- Remove maxima defs in libraries.fc
- insmod needs to be able to create tmpfs_t files
- ping needs setcap
* Wed Nov 10 2010 Miroslav Grepl <mgrepl@redhat.com> 3.9.8-4
- Allow groupd transition to fenced domain when executes fence_node
- Fixes for rchs policy
- Allow mpd to be able to read samba/nfs files
* Tue Nov 9 2010 Dan Walsh <dwalsh@redhat.com> 3.9.8-3
- Fix up corecommands.fc to match upstream
- Make sure /lib/systemd/* is labeled init_exec_t
- mount wants to setattr on all mountpoints
- dovecot auth wants to read dovecot etc files
- nscd daemon looks at the exe file of the comunicating daemon
- openvpn wants to read utmp file
- postfix apps now set sys_nice and lower limits
- remote_login (telnetd/login) wants to use telnetd_devpts_t and user_devpts_t to work correctly
- Also resolves nsswitch
- Fix labels on /etc/hosts.*
- Cleanup to make upsteam patch work
- allow abrt to read etc_runtime_t
* Fri Nov 5 2010 Dan Walsh <dwalsh@redhat.com> 3.9.8-2
- Add conflicts for dirsrv package
* Fri Nov 5 2010 Dan Walsh <dwalsh@redhat.com> 3.9.8-1
- Update to upstream
- Add vlock policy
* Wed Nov 3 2010 Dan Walsh <dwalsh@redhat.com> 3.9.7-10
- Fix sandbox to work on nfs homedirs
- Allow cdrecord to setrlimit
- Allow mozilla_plugin to read xauth
- Change label on systemd-logger to syslogd_exec_t
- Install dirsrv policy from dirsrv package
* Tue Nov 2 2010 Dan Walsh <dwalsh@redhat.com> 3.9.7-9
- Add virt_home_t, allow init to setattr on xserver_tmp_t and relabel it
- Udev needs to stream connect to init and kernel
- Add xdm_exec_bootloader boolean, which allows xdm to execute /sbin/grub and read files in /boot directory
* Mon Nov 1 2010 Dan Walsh <dwalsh@redhat.com> 3.9.7-8
- Allow NetworkManager to read openvpn_etc_t
- Dontaudit hplip to write of /usr dirs
- Allow system_mail_t to create /root/dead.letter as mail_home_t
- Add vdagent policy for spice agent daemon
* Thu Oct 28 2010 Dan Walsh <dwalsh@redhat.com> 3.9.7-7
- Dontaudit sandbox sending sigkill to all user domains
- Add policy for rssh_chroot_helper
- Add missing flask definitions
- Allow udev to relabelto removable_t
- Fix label on /var/log/wicd.log
- Transition to initrc_t from init when executing bin_t
- Add audit_access permissions to file
- Make removable_t a device_node
- Fix label on /lib/systemd/*
* Fri Oct 22 2010 Dan Walsh <dwalsh@redhat.com> 3.9.7-6
- Fixes for systemd to manage /var/run
- Dontaudit leaks by firstboot
* Tue Oct 19 2010 Dan Walsh <dwalsh@redhat.com> 3.9.7-5
- Allow chome to create netlink_route_socket
- Add additional MATHLAB file context
- Define nsplugin as an application_domain
- Dontaudit sending signals from sandboxed domains to other domains
- systemd requires init to build /tmp /var/auth and /var/lock dirs
- mount wants to read devicekit_power /proc/ entries
- mpd wants to connect to soundd port
- Openoffice causes a setattr on a lib_t file for normal users, add dontaudit
- Treat lib_t and textrel_shlib_t directories the same
- Allow mount read access on virtual images
* Fri Oct 15 2010 Dan Walsh <dwalsh@redhat.com> 3.9.7-4
- Allow sandbox_x_domains to work with nfs/cifs/fusefs home dirs.
- Allow devicekit_power to domtrans to mount
- Allow dhcp to bind to udp ports > 1024 to do named stuff
- Allow ssh_t to exec ssh_exec_t
- Remove telepathy_butterfly_rw_tmp_files(), dev_read_printk() interfaces which are nolonger used
- Fix clamav_append_log() intefaces
- Fix 'psad_rw_fifo_file' interface
* Fri Oct 15 2010 Dan Walsh <dwalsh@redhat.com> 3.9.7-3
- Allow cobblerd to list cobler appache content
* Fri Oct 15 2010 Dan Walsh <dwalsh@redhat.com> 3.9.7-2
- Fixup for the latest version of upowed
- Dontaudit sandbox sending SIGNULL to desktop apps
* Wed Oct 13 2010 Dan Walsh <dwalsh@redhat.com> 3.9.7-1
- Update to upstream
* Tue Oct 12 2010 Dan Walsh <dwalsh@redhat.com> 3.9.6-3
-Mount command from a confined user generates setattr on /etc/mtab file, need to dontaudit this access
- dovecot-auth_t needs ipc_lock
- gpm needs to use the user terminal
- Allow system_mail_t to append ~/dead.letter
- Allow NetworkManager to edit /etc/NetworkManager/NetworkManager.conf
- Add pid file to vnstatd
- Allow mount to communicate with gfs_controld
- Dontaudit hal leaks in setfiles
* Fri Oct 8 2010 Dan Walsh <dwalsh@redhat.com> 3.9.6-2
- Lots of fixes for systemd
- systemd now executes readahead and tmpwatch type scripts
- Needs to manage random seed
* Thu Oct 7 2010 Dan Walsh <dwalsh@redhat.com> 3.9.6-1
- Allow smbd to use sys_admin
- Remove duplicate file context for tcfmgr
- Update to upstream
* Wed Oct 6 2010 Dan Walsh <dwalsh@redhat.com> 3.9.5-11
- Fix fusefs handling
- Do not allow sandbox to manage nsplugin_rw_t
- Allow mozilla_plugin_t to connecto its parent
- Allow init_t to connect to plymouthd running as kernel_t
- Add mediawiki policy
- dontaudit sandbox sending signals to itself. This can happen when they are running at different mcs.
- Disable transition from dbus_session_domain to telepathy for F14
- Allow boinc_project to use shm
- Allow certmonger to search through directories that contain certs
- Allow fail2ban the DAC Override so it can read log files owned by non root users
* Mon Oct 4 2010 Dan Walsh <dwalsh@redhat.com> 3.9.5-10
- Start adding support for use_fusefs_home_dirs
- Add /var/lib/syslog directory file context
- Add /etc/localtime as locale file context
* Thu Sep 30 2010 Dan Walsh <dwalsh@redhat.com> 3.9.5-9
- Turn off default transition to mozilla_plugin and telepathy domains from unconfined user
- Turn off iptables from unconfined user
- Allow sudo to send signals to any domains the user could have transitioned to.
- Passwd in single user mode needs to talk to console_device_t
- Mozilla_plugin_t needs to connect to web ports, needs to write to video device, and read alsa_home_t alsa setsup pulseaudio
- locate tried to read a symbolic link, will dontaudit
- New labels for telepathy-sunshine content in homedir
- Google is storing other binaries under /opt/google/talkplugin
- bluetooth/kernel is creating unlabeled_t socket that I will allow it to use until kernel fixes bug
- Add boolean for unconfined_t transition to mozilla_plugin_t and telepathy domains, turned off in F14 on in F15
- modemmanger and bluetooth send dbus messages to devicekit_power
- Samba needs to getquota on filesystems labeld samba_share_t
* Wed Sep 29 2010 Dan Walsh <dwalsh@redhat.com> 3.9.5-8
- Dontaudit attempts by xdm_t to write to bin_t for kdm
- Allow initrc_t to manage system_conf_t
* Mon Sep 27 2010 Dan Walsh <dwalsh@redhat.com> 3.9.5-7
- Fixes to allow mozilla_plugin_t to create nsplugin_home_t directory.
- Allow mozilla_plugin_t to create tcp/udp/netlink_route sockets
- Allow confined users to read xdm_etc_t files
- Allow xdm_t to transition to xauth_t for lxdm program
* Sun Sep 26 2010 Dan Walsh <dwalsh@redhat.com> 3.9.5-6
- Rearrange firewallgui policy to be more easily updated to upstream, dontaudit search of /home
- Allow clamd to send signals to itself
- Allow mozilla_plugin_t to read user home content. And unlink pulseaudio shm.
- Allow haze to connect to yahoo chat and messenger port tcp:5050.
Bz #637339
- Allow guest to run ps command on its processes by allowing it to read /proc
- Allow firewallgui to sys_rawio which seems to be required to setup masqerading
- Allow all domains to search through default_t directories, in order to find differnet labels. For example people serring up /foo/bar to be share via samba.
- Add label for /var/log/slim.log
* Fri Sep 24 2010 Dan Walsh <dwalsh@redhat.com> 3.9.5-5
- Pull in cleanups from dgrift
- Allow mozilla_plugin_t to execute mozilla_home_t
- Allow rpc.quota to do quotamod
* Thu Sep 23 2010 Dan Walsh <dwalsh@redhat.com> 3.9.5-4
- Cleanup policy via dgrift
- Allow dovecot_deliver to append to inherited log files
- Lots of fixes for consolehelper
* Wed Sep 22 2010 Dan Walsh <dwalsh@redhat.com> 3.9.5-3
- Fix up Xguest policy
* Thu Sep 16 2010 Dan Walsh <dwalsh@redhat.com> 3.9.5-2
- Add vnstat policy
- allow libvirt to send audit messages
- Allow chrome-sandbox to search nfs_t
* Thu Sep 16 2010 Dan Walsh <dwalsh@redhat.com> 3.9.5-1
- Update to upstream
* Wed Sep 15 2010 Dan Walsh <dwalsh@redhat.com> 3.9.4-3
- Add the ability to send audit messages to confined admin policies
- Remove permissive domain from cmirrord and dontaudit sys_tty_config
- Split out unconfined_domain() calls from other unconfined_ calls so we can d
- virt needs to be able to read processes to clearance for MLS
* Tue Sep 14 2010 Dan Walsh <dwalsh@redhat.com> 3.9.4-2
- Allow all domains that can use cgroups to search tmpfs_t directory
- Allow init to send audit messages
* Thu Sep 9 2010 Dan Walsh <dwalsh@redhat.com> 3.9.4-1
- Update to upstream
* Thu Sep 9 2010 Dan Walsh <dwalsh@redhat.com> 3.9.3-4
- Allow mdadm_t to create files and sock files in /dev/md/
* Thu Sep 9 2010 Dan Walsh <dwalsh@redhat.com> 3.9.3-3
- Add policy for ajaxterm
* Wed Sep 8 2010 Dan Walsh <dwalsh@redhat.com> 3.9.3-2
- Handle /var/db/sudo
- Allow pulseaudio to read alsa config
- Allow init to send initrc_t dbus messages
* Tue Sep 7 2010 Dan Walsh <dwalsh@redhat.com> 3.9.3-1
Allow iptables to read shorewall tmp files
Change chfn and passwd to use auth_use_pam so they can send dbus messages to fpr
intd
label vlc as an execmem_exec_t
Lots of fixes for mozilla_plugin to run google vidio chat
Allow telepath_msn to execute ldconfig and its own tmp files
Fix labels on hugepages
Allow mdadm to read files on /dev
Remove permissive domains and change back to unconfined
Allow freshclam to execute shell and bin_t
Allow devicekit_power to transition to dhcpc
Add boolean to allow icecast to connect to any port
* Tue Aug 31 2010 Dan Walsh <dwalsh@redhat.com> 3.9.2-1
- Merge upstream fix of mmap_zero
- Allow mount to write files in debugfs_t
- Allow corosync to communicate with clvmd via tmpfs
- Allow certmaster to read usr_t files
- Allow dbus system services to search cgroup_t
- Define rlogind_t as a login pgm
* Tue Aug 31 2010 Dan Walsh <dwalsh@redhat.com> 3.9.1-3
- Allow mdadm_t to read/write hugetlbfs
* Tue Aug 31 2010 Dan Walsh <dwalsh@redhat.com> 3.9.1-2
- Dominic Grift Cleanup
- Miroslav Grepl policy for jabberd
- Various fixes for mount/livecd and prelink
* Mon Aug 30 2010 Dan Walsh <dwalsh@redhat.com> 3.9.1-1
- Merge with upstream
* Thu Aug 26 2010 Dan Walsh <dwalsh@redhat.com> 3.9.0-2
- More access needed for devicekit
- Add dbadm policy
* Thu Aug 26 2010 Dan Walsh <dwalsh@redhat.com> 3.9.0-1
- Merge with upstream
* Tue Aug 24 2010 Dan Walsh <dwalsh@redhat.com> 3.8.8-21
- Allow seunshare to fowner
* Tue Aug 24 2010 Dan Walsh <dwalsh@redhat.com> 3.8.8-20
- Allow cron to look at user_cron_spool links
- Lots of fixes for mozilla_plugin_t
- Add sysv file system
- Turn unconfined domains to permissive to find additional avcs
* Mon Aug 23 2010 Dan Walsh <dwalsh@redhat.com> 3.8.8-19
- Update policy for mozilla_plugin_t
* Mon Aug 23 2010 Dan Walsh <dwalsh@redhat.com> 3.8.8-18
- Allow clamscan to read proc_t
- Allow mount_t to write to debufs_t dir
- Dontaudit mount_t trying to write to security_t dir
* Thu Aug 19 2010 Dan Walsh <dwalsh@redhat.com> 3.8.8-17
- Allow clamscan_t execmem if clamd_use_jit set
- Add policy for firefox plugin-container
* Wed Aug 18 2010 Dan Walsh <dwalsh@redhat.com> 3.8.8-16
- Fix /root/.forward definition
* Tue Aug 17 2010 Dan Walsh <dwalsh@redhat.com> 3.8.8-15
- label dead.letter as mail_home_t
* Fri Aug 13 2010 Dan Walsh <dwalsh@redhat.com> 3.8.8-14
- Allow login programs to search /cgroups
* Thu Aug 12 2010 Dan Walsh <dwalsh@redhat.com> 3.8.8-13
- Fix cert handling
* Tue Aug 10 2010 Dan Walsh <dwalsh@redhat.com> 3.8.8-12
- Fix devicekit_power bug
- Allow policykit_auth_t more access.
* Thu Aug 5 2010 Dan Walsh <dwalsh@redhat.com> 3.8.8-11
- Fix nis calls to allow bind to ports 512-1024
- Fix smartmon
* Wed Aug 4 2010 Dan Walsh <dwalsh@redhat.com> 3.8.8-10
- Allow pcscd to read sysfs
- systemd fixes
- Fix wine_mmap_zero_ignore boolean
* Tue Aug 3 2010 Dan Walsh <dwalsh@redhat.com> 3.8.8-9
- Apply Miroslav munin patch
- Turn back on allow_execmem and allow_execmod booleans
* Tue Jul 27 2010 Dan Walsh <dwalsh@redhat.com> 3.8.8-8
- Merge in fixes from dgrift repository
* Tue Jul 27 2010 Dan Walsh <dwalsh@redhat.com> 3.8.8-7
- Update boinc policy
- Fix sysstat policy to allow sys_admin
- Change failsafe_context to unconfined_r:unconfined_t:s0
* Mon Jul 26 2010 Dan Walsh <dwalsh@redhat.com> 3.8.8-6
- New paths for upstart
* Mon Jul 26 2010 Dan Walsh <dwalsh@redhat.com> 3.8.8-5
- New permissions for syslog
- New labels for /lib/upstart
* Fri Jul 23 2010 Dan Walsh <dwalsh@redhat.com> 3.8.8-4
- Add mojomojo policy
* Thu Jul 22 2010 Dan Walsh <dwalsh@redhat.com> 3.8.8-3
- Allow systemd to setsockcon on sockets to immitate other services
* Wed Jul 21 2010 Dan Walsh <dwalsh@redhat.com> 3.8.8-2
- Remove debugfs label
* Tue Jul 20 2010 Dan Walsh <dwalsh@redhat.com> 3.8.8-1
- Update to latest policy
* Wed Jul 14 2010 Dan Walsh <dwalsh@redhat.com> 3.8.7-3
- Fix eclipse labeling from IBMSupportAssasstant packageing
* Wed Jul 14 2010 Dan Walsh <dwalsh@redhat.com> 3.8.7-2
- Make boot with systemd in enforcing mode
* Wed Jul 14 2010 Dan Walsh <dwalsh@redhat.com> 3.8.7-1
- Update to upstream
* Mon Jul 12 2010 Dan Walsh <dwalsh@redhat.com> 3.8.6-3
- Add boolean to turn off port forwarding in sshd.
* Fri Jul 9 2010 Miroslav Grepl <mgrepl@redhat.com> 3.8.6-2
- Add support for ebtables
- Fixes for rhcs and corosync policy
* Tue Jun 22 2010 Dan Walsh <dwalsh@redhat.com> 3.8.6-1
-Update to upstream
* Mon Jun 21 2010 Dan Walsh <dwalsh@redhat.com> 3.8.5-1
-Update to upstream
* Thu Jun 17 2010 Dan Walsh <dwalsh@redhat.com> 3.8.4-1
-Update to upstream
* Wed Jun 16 2010 Dan Walsh <dwalsh@redhat.com> 3.8.3-4
- Add Zarafa policy
* Wed Jun 9 2010 Dan Walsh <dwalsh@redhat.com> 3.8.3-3
- Cleanup of aiccu policy
- initial mock policy
* Wed Jun 9 2010 Dan Walsh <dwalsh@redhat.com> 3.8.3-2
- Lots of random fixes
* Tue Jun 8 2010 Dan Walsh <dwalsh@redhat.com> 3.8.3-1
- Update to upstream
* Fri Jun 4 2010 Dan Walsh <dwalsh@redhat.com> 3.8.2-1
- Update to upstream
- Allow prelink script to signal itself
- Cobbler fixes
* Wed Jun 2 2010 Dan Walsh <dwalsh@redhat.com> 3.8.1-5
- Add xdm_var_run_t to xserver_stream_connect_xdm
- Add cmorrord and mpd policy from Miroslav Grepl
* Tue Jun 1 2010 Dan Walsh <dwalsh@redhat.com> 3.8.1-4
- Fix sshd creation of krb cc files for users to be user_tmp_t
* Thu May 27 2010 Dan Walsh <dwalsh@redhat.com> 3.8.1-3
- Fixes for accountsdialog
- Fixes for boinc
* Thu May 27 2010 Dan Walsh <dwalsh@redhat.com> 3.8.1-2
- Fix label on /var/lib/dokwiki
- Change permissive domains to enforcing
- Fix libvirt policy to allow it to run on mls
* Tue May 25 2010 Dan Walsh <dwalsh@redhat.com> 3.8.1-1
- Update to upstream
* Tue May 25 2010 Dan Walsh <dwalsh@redhat.com> 3.7.19-22
- Allow procmail to execute scripts in the users home dir that are labeled home_bin_t
- Fix /var/run/abrtd.lock label
* Mon May 24 2010 Dan Walsh <dwalsh@redhat.com> 3.7.19-21
- Allow login programs to read krb5_home_t
Resolves: 594833
- Add obsoletes for cachefilesfd-selinux package
Resolves: #575084
* Thu May 20 2010 Dan Walsh <dwalsh@redhat.com> 3.7.19-20
- Allow mount to r/w abrt fifo file
- Allow svirt_t to getattr on hugetlbfs
- Allow abrt to create a directory under /var/spool
* Wed May 19 2010 Dan Walsh <dwalsh@redhat.com> 3.7.19-19
- Add labels for /sys
- Allow sshd to getattr on shutdown
- Fixes for munin
- Allow sssd to use the kernel key ring
- Allow tor to send syslog messages
- Allow iptabels to read usr files
- allow policykit to read all domains state
* Thu May 13 2010 Dan Walsh <dwalsh@redhat.com> 3.7.19-17
- Fix path for /var/spool/abrt
- Allow nfs_t as an entrypoint for http_sys_script_t
- Add policy for piranha
- Lots of fixes for sosreport
* Wed May 12 2010 Dan Walsh <dwalsh@redhat.com> 3.7.19-16
- Allow xm_t to read network state and get and set capabilities
- Allow policykit to getattr all processes
- Allow denyhosts to connect to tcp port 9911
- Allow pyranha to use raw ip sockets and ptrace itself
- Allow unconfined_execmem_t and gconfsd mechanism to dbus
- Allow staff to kill ping process
- Add additional MLS rules
* Mon May 10 2010 Dan Walsh <dwalsh@redhat.com> 3.7.19-15
- Allow gdm to edit ~/.gconf dir
Resolves: #590677
- Allow dovecot to create directories in /var/lib/dovecot
Partially resolves 590224
- Allow avahi to dbus chat with NetworkManager
- Fix cobbler labels
- Dontaudit iceauth_t leaks
- fix /var/lib/lxdm file context
- Allow aiccu to use tun tap devices
- Dontaudit shutdown using xserver.log
* Fri May 7 2010 Dan Walsh <dwalsh@redhat.com> 3.7.19-14
- Fixes for sandbox_x_net_t to match access for sandbox_web_t ++
- Add xdm_etc_t for /etc/gdm directory, allow accountsd to manage this directory
- Add dontaudit interface for bluetooth dbus
- Add chronyd_read_keys, append_keys for initrc_t
- Add log support for ksmtuned
Resolves: #586663
* Thu May 6 2010 Dan Walsh <dwalsh@redhat.com> 3.7.19-13
- Allow boinc to send mail
* Wed May 5 2010 Dan Walsh <dwalsh@redhat.com> 3.7.19-12
- Allow initrc_t to remove dhcpc_state_t
- Fix label on sa-update.cron
- Allow dhcpc to restart chrony initrc
- Don't allow sandbox to send signals to its parent processes
- Fix transition from unconfined_t -> unconfined_mount_t -> rpcd_t
Resolves: #589136
* Mon May 3 2010 Dan Walsh <dwalsh@redhat.com> 3.7.19-11
- Fix location of oddjob_mkhomedir
Resolves: #587385
- fix labeling on /root/.shosts and ~/.shosts
- Allow ipsec_mgmt_t to manage net_conf_t
Resolves: #586760
* Fri Apr 30 2010 Dan Walsh <dwalsh@redhat.com> 3.7.19-10
- Dontaudit sandbox trying to connect to netlink sockets
Resolves: #587609
- Add policy for piranha
* Thu Apr 29 2010 Dan Walsh <dwalsh@redhat.com> 3.7.19-9
- Fixups for xguest policy
- Fixes for running sandbox firefox
* Wed Apr 28 2010 Dan Walsh <dwalsh@redhat.com> 3.7.19-8
- Allow ksmtuned to use terminals
Resolves: #586663
- Allow lircd to write to generic usb devices
* Tue Apr 27 2010 Dan Walsh <dwalsh@redhat.com> 3.7.19-7
- Allow sandbox_xserver to connectto unconfined stream
Resolves: #585171
* Mon Apr 26 2010 Dan Walsh <dwalsh@redhat.com> 3.7.19-6
- Allow initrc_t to read slapd_db_t
Resolves: #585476
- Allow ipsec_mgmt to use unallocated devpts and to create /etc/resolv.conf
Resolves: #585963
* Thu Apr 22 2010 Dan Walsh <dwalsh@redhat.com> 3.7.19-5
- Allow rlogind_t to search /root for .rhosts
Resolves: #582760
- Fix path for cached_var_t
- Fix prelink paths /var/lib/prelink
- Allow confined users to direct_dri
- Allow mls lvm/cryptosetup to work
* Wed Apr 21 2010 Dan Walsh <dwalsh@redhat.com> 3.7.19-4
- Allow virtd_t to manage firewall/iptables config
Resolves: #573585
* Tue Apr 20 2010 Dan Walsh <dwalsh@redhat.com> 3.7.19-3
- Fix label on /root/.rhosts
Resolves: #582760
- Add labels for Picasa
- Allow openvpn to read home certs
- Allow plymouthd_t to use tty_device_t
- Run ncftool as iptables_t
- Allow mount to unmount unlabeled_t
- Dontaudit hal leaks
* Wed Apr 14 2010 Dan Walsh <dwalsh@redhat.com> 3.7.19-2
- Allow livecd to transition to mount
* Tue Apr 13 2010 Dan Walsh <dwalsh@redhat.com> 3.7.19-1
- Update to upstream
- Allow abrt to delete sosreport
Resolves: #579998
- Allow snmp to setuid and gid
Resolves: #582155
- Allow smartd to use generic scsi devices
Resolves: #582145
* Tue Apr 13 2010 Dan Walsh <dwalsh@redhat.com> 3.7.18-3
- Allow ipsec_t to create /etc/resolv.conf with the correct label
- Fix reserved port destination
- Allow autofs to transition to showmount
- Stop crashing tuned
* Mon Apr 12 2010 Dan Walsh <dwalsh@redhat.com> 3.7.18-2
- Add telepathysofiasip policy
* Mon Apr 5 2010 Dan Walsh <dwalsh@redhat.com> 3.7.18-1
- Update to upstream
- Fix label for /opt/google/chrome/chrome-sandbox
- Allow modemmanager to dbus with policykit
* Mon Apr 5 2010 Dan Walsh <dwalsh@redhat.com> 3.7.17-6
- Fix allow_httpd_mod_auth_pam to use auth_use_pam(httpd_t)
- Allow accountsd to read shadow file
- Allow apache to send audit messages when using pam
- Allow asterisk to bind and connect to sip tcp ports
- Fixes for dovecot 2.0
- Allow initrc_t to setattr on milter directories
- Add procmail_home_t for .procmailrc file
* Thu Apr 1 2010 Dan Walsh <dwalsh@redhat.com> 3.7.17-5
- Fixes for labels during install from livecd
* Thu Apr 1 2010 Dan Walsh <dwalsh@redhat.com> 3.7.17-4
- Fix /cgroup file context
- Fix broken afs use of unlabled_t
- Allow getty to use the console for s390
* Wed Mar 31 2010 Dan Walsh <dwalsh@redhat.com> 3.7.17-3
- Fix cgroup handling adding policy for /cgroup
- Allow confined users to write to generic usb devices, if user_rw_noexattrfile boolean set
* Tue Mar 30 2010 Dan Walsh <dwalsh@redhat.com> 3.7.17-2
- Merge patches from dgrift
* Mon Mar 29 2010 Dan Walsh <dwalsh@redhat.com> 3.7.17-1
- Update upstream
- Allow abrt to write to the /proc under any process
* Fri Mar 26 2010 Dan Walsh <dwalsh@redhat.com> 3.7.16-2
- Fix ~/.fontconfig label
- Add /root/.cert label
- Allow reading of the fixed_file_disk_t:lnk_file if you can read file
- Allow qemu_exec_t as an entrypoint to svirt_t
* Tue Mar 23 2010 Dan Walsh <dwalsh@redhat.com> 3.7.16-1
- Update to upstream
- Allow tmpreaper to delete sandbox sock files
- Allow chrome-sandbox_t to use /dev/zero, and dontaudit getattr file systems
- Fixes for gitosis
- No transition on livecd to passwd or chfn
- Fixes for denyhosts
* Tue Mar 23 2010 Dan Walsh <dwalsh@redhat.com> 3.7.15-4
- Add label for /var/lib/upower
- Allow logrotate to run sssd
- dontaudit readahead on tmpfs blk files
- Allow tmpreaper to setattr on sandbox files
- Allow confined users to execute dos files
- Allow sysadm_t to kill processes running within its clearance
- Add accountsd policy
- Fixes for corosync policy
- Fixes from crontab policy
- Allow svirt to manage svirt_image_t chr files
- Fixes for qdisk policy
- Fixes for sssd policy
- Fixes for newrole policy
* Thu Mar 18 2010 Dan Walsh <dwalsh@redhat.com> 3.7.15-3
- make libvirt work on an MLS platform
* Thu Mar 18 2010 Dan Walsh <dwalsh@redhat.com> 3.7.15-2
- Add qpidd policy
* Thu Mar 18 2010 Dan Walsh <dwalsh@redhat.com> 3.7.15-1
- Update to upstream
* Tue Mar 16 2010 Dan Walsh <dwalsh@redhat.com> 3.7.14-5
- Allow boinc to read kernel sysctl
- Fix snmp port definitions
- Allow apache to read anon_inodefs
* Sun Mar 14 2010 Dan Walsh <dwalsh@redhat.com> 3.7.14-4
- Allow shutdown dac_override
* Sat Mar 13 2010 Dan Walsh <dwalsh@redhat.com> 3.7.14-3
- Add device_t as a file system
- Fix sysfs association
* Fri Mar 12 2010 Dan Walsh <dwalsh@redhat.com> 3.7.14-2
- Dontaudit ipsec_mgmt sys_ptrace
- Allow at to mail its spool files
- Allow nsplugin to search in .pulse directory
* Fri Mar 12 2010 Dan Walsh <dwalsh@redhat.com> 3.7.14-1
- Update to upstream
* Fri Mar 12 2010 Dan Walsh <dwalsh@redhat.com> 3.7.13-4
- Allow users to dbus chat with xdm
- Allow users to r/w wireless_device_t
- Dontaudit reading of process states by ipsec_mgmt
* Thu Mar 11 2010 Dan Walsh <dwalsh@redhat.com> 3.7.13-3
- Fix openoffice from unconfined_t
* Wed Mar 10 2010 Dan Walsh <dwalsh@redhat.com> 3.7.13-2
- Add shutdown policy so consolekit can shutdown system
* Tue Mar 9 2010 Dan Walsh <dwalsh@redhat.com> 3.7.13-1
- Update to upstream
* Thu Mar 4 2010 Dan Walsh <dwalsh@redhat.com> 3.7.12-1
- Update to upstream
* Thu Mar 4 2010 Dan Walsh <dwalsh@redhat.com> 3.7.11-1
- Update to upstream - These are merges of my patches
- Remove 389 labeling conflicts
- Add MLS fixes found in RHEL6 testing
- Allow pulseaudio to run as a service
- Add label for mssql and allow apache to connect to this database port if boolean set
- Dontaudit searches of debugfs mount point
- Allow policykit_auth to send signals to itself
- Allow modcluster to call getpwnam
- Allow swat to signal winbind
- Allow usbmux to run as a system role
- Allow svirt to create and use devpts
* Mon Mar 1 2010 Dan Walsh <dwalsh@redhat.com> 3.7.10-5
- Add MLS fixes found in RHEL6 testing
- Allow domains to append to rpm_tmp_t
- Add cachefilesfd policy
- Dontaudit leaks when transitioning
* Wed Feb 24 2010 Dan Walsh <dwalsh@redhat.com> 3.7.10-4
- Change allow_execstack and allow_execmem booleans to on
- dontaudit acct using console
- Add label for fping
- Allow tmpreaper to delete sandbox_file_t
- Fix wine dontaudit mmap_zero
- Allow abrt to read var_t symlinks
* Tue Feb 23 2010 Dan Walsh <dwalsh@redhat.com> 3.7.10-3
- Additional policy for rgmanager
* Mon Feb 22 2010 Dan Walsh <dwalsh@redhat.com> 3.7.10-2
- Allow sshd to setattr on pseudo terms
* Mon Feb 22 2010 Dan Walsh <dwalsh@redhat.com> 3.7.10-1
- Update to upstream
* Thu Feb 18 2010 Dan Walsh <dwalsh@redhat.com> 3.7.9-4
- Allow policykit to send itself signals
* Wed Feb 17 2010 Dan Walsh <dwalsh@redhat.com> 3.7.9-3
- Fix duplicate cobbler definition
* Wed Feb 17 2010 Dan Walsh <dwalsh@redhat.com> 3.7.9-2
- Fix file context of /var/lib/avahi-autoipd
* Fri Feb 12 2010 Dan Walsh <dwalsh@redhat.com> 3.7.9-1
- Merge with upstream
* Thu Feb 11 2010 Dan Walsh <dwalsh@redhat.com> 3.7.8-11
- Allow sandbox to work with MLS
* Tue Feb 9 2010 Dan Walsh <dwalsh@redhat.com> 3.7.8-9
- Make Chrome work with staff user
* Thu Feb 4 2010 Dan Walsh <dwalsh@redhat.com> 3.7.8-8
- Add icecast policy
- Cleanup spec file
* Wed Feb 3 2010 Dan Walsh <dwalsh@redhat.com> 3.7.8-7
- Add mcelog policy
* Mon Feb 1 2010 Dan Walsh <dwalsh@redhat.com> 3.7.8-6
- Lots of fixes found in F12
* Thu Jan 28 2010 Dan Walsh <dwalsh@redhat.com> 3.7.8-5
- Fix rpm_dontaudit_leaks
* Wed Jan 27 2010 Dan Walsh <dwalsh@redhat.com> 3.7.8-4
- Add getsched to hald_t
- Add file context for Fedora/Redhat Directory Server
* Mon Jan 25 2010 Dan Walsh <dwalsh@redhat.com> 3.7.8-3
- Allow abrt_helper to getattr on all filesystems
- Add label for /opt/real/RealPlayer/plugins/oggfformat\.so
* Thu Jan 21 2010 Dan Walsh <dwalsh@redhat.com> 3.7.8-2
- Add gstreamer_home_t for ~/.gstreamer
* Mon Jan 18 2010 Dan Walsh <dwalsh@redhat.com> 3.7.8-1
- Update to upstream
* Fri Jan 15 2010 Dan Walsh <dwalsh@redhat.com> 3.7.7-3
- Fix git
* Thu Jan 7 2010 Dan Walsh <dwalsh@redhat.com> 3.7.7-2
- Turn on puppet policy
- Update to dgrift git policy
* Thu Jan 7 2010 Dan Walsh <dwalsh@redhat.com> 3.7.7-1
- Move users file to selection by spec file.
- Allow vncserver to run as unconfined_u:unconfined_r:unconfined_t
* Thu Jan 7 2010 Dan Walsh <dwalsh@redhat.com> 3.7.6-1
- Update to upstream
* Wed Jan 6 2010 Dan Walsh <dwalsh@redhat.com> 3.7.5-8
- Remove most of the permissive domains from F12.
* Tue Jan 5 2010 Dan Walsh <dwalsh@redhat.com> 3.7.5-7
- Add cobbler policy from dgrift
* Mon Jan 4 2010 Dan Walsh <dwalsh@redhat.com> 3.7.5-6
- add usbmon device
- Add allow rulse for devicekit_disk
* Wed Dec 30 2009 Dan Walsh <dwalsh@redhat.com> 3.7.5-5
- Lots of fixes found in F12, fixes from Tom London
* Wed Dec 23 2009 Dan Walsh <dwalsh@redhat.com> 3.7.5-4
- Cleanups from dgrift
* Tue Dec 22 2009 Dan Walsh <dwalsh@redhat.com> 3.7.5-3
- Add back xserver_manage_home_fonts
* Mon Dec 21 2009 Dan Walsh <dwalsh@redhat.com> 3.7.5-2
- Dontaudit sandbox trying to read nscd and sssd
* Fri Dec 18 2009 Dan Walsh <dwalsh@redhat.com> 3.7.5-1
- Update to upstream
* Thu Dec 17 2009 Dan Walsh <dwalsh@redhat.com> 3.7.4-4
- Rename udisks-daemon back to devicekit_disk_t policy
* Wed Dec 16 2009 Dan Walsh <dwalsh@redhat.com> 3.7.4-3
- Fixes for abrt calls
* Fri Dec 11 2009 Dan Walsh <dwalsh@redhat.com> 3.7.4-2
- Add tgtd policy
* Fri Dec 4 2009 Dan Walsh <dwalsh@redhat.com> 3.7.4-1
- Update to upstream release
* Mon Nov 16 2009 Dan Walsh <dwalsh@redhat.com> 3.7.3-1
- Add asterisk policy back in
- Update to upstream release 2.20091117
* Mon Nov 16 2009 Dan Walsh <dwalsh@redhat.com> 3.7.1-1
- Update to upstream release 2.20091117
* Mon Nov 16 2009 Dan Walsh <dwalsh@redhat.com> 3.6.33-2
- Fixup nut policy
* Thu Nov 12 2009 Dan Walsh <dwalsh@redhat.com> 3.6.33-1
- Update to upstream
* Thu Oct 1 2009 Dan Walsh <dwalsh@redhat.com> 3.6.32-17
- Allow vpnc request the kernel to load modules
* Wed Sep 30 2009 Dan Walsh <dwalsh@redhat.com> 3.6.32-16
- Fix minimum policy installs
- Allow udev and rpcbind to request the kernel to load modules
* Wed Sep 30 2009 Dan Walsh <dwalsh@redhat.com> 3.6.32-15
- Add plymouth policy
- Allow local_login to sys_admin
* Tue Sep 29 2009 Dan Walsh <dwalsh@redhat.com> 3.6.32-13
- Allow cupsd_config to read user tmp
- Allow snmpd_t to signal itself
- Allow sysstat_t to makedir in sysstat_log_t
* Fri Sep 25 2009 Dan Walsh <dwalsh@redhat.com> 3.6.32-12
- Update rhcs policy
* Thu Sep 24 2009 Dan Walsh <dwalsh@redhat.com> 3.6.32-11
- Allow users to exec restorecond
* Tue Sep 22 2009 Dan Walsh <dwalsh@redhat.com> 3.6.32-10
- Allow sendmail to request kernel modules load
* Mon Sep 21 2009 Dan Walsh <dwalsh@redhat.com> 3.6.32-9
- Fix all kernel_request_load_module domains
* Mon Sep 21 2009 Dan Walsh <dwalsh@redhat.com> 3.6.32-8
- Fix all kernel_request_load_module domains
* Sun Sep 20 2009 Dan Walsh <dwalsh@redhat.com> 3.6.32-7
- Remove allow_exec* booleans for confined users. Only available for unconfined_t
* Fri Sep 18 2009 Dan Walsh <dwalsh@redhat.com> 3.6.32-6
- More fixes for sandbox_web_t
* Fri Sep 18 2009 Dan Walsh <dwalsh@redhat.com> 3.6.32-5
- Allow sshd to create .ssh directory and content
* Fri Sep 18 2009 Dan Walsh <dwalsh@redhat.com> 3.6.32-4
- Fix request_module line to module_request
* Fri Sep 18 2009 Dan Walsh <dwalsh@redhat.com> 3.6.32-3
- Fix sandbox policy to allow it to run under firefox.
- Dont audit leaks.
* Thu Sep 17 2009 Dan Walsh <dwalsh@redhat.com> 3.6.32-2
- Fixes for sandbox
* Wed Sep 16 2009 Dan Walsh <dwalsh@redhat.com> 3.6.32-1
- Update to upstream
- Dontaudit nsplugin search /root
- Dontaudit nsplugin sys_nice
* Tue Sep 15 2009 Dan Walsh <dwalsh@redhat.com> 3.6.31-5
- Fix label on /usr/bin/notepad, /usr/sbin/vboxadd-service
- Remove policycoreutils-python requirement except for minimum
* Mon Sep 14 2009 Dan Walsh <dwalsh@redhat.com> 3.6.31-4
- Fix devicekit_disk_t to getattr on all domains sockets and fifo_files
- Conflicts seedit (You can not use selinux-policy-targeted and seedit at the same time.)
* Thu Sep 10 2009 Dan Walsh <dwalsh@redhat.com> 3.6.31-3
- Add wordpress/wp-content/uploads label
- Fixes for sandbox when run from staff_t
* Thu Sep 10 2009 Dan Walsh <dwalsh@redhat.com> 3.6.31-2
- Update to upstream
- Fixes for devicekit_disk
* Tue Sep 8 2009 Dan Walsh <dwalsh@redhat.com> 3.6.30-6
- More fixes
* Tue Sep 8 2009 Dan Walsh <dwalsh@redhat.com> 3.6.30-5
- Lots of fixes for initrc and other unconfined domains
* Fri Sep 4 2009 Dan Walsh <dwalsh@redhat.com> 3.6.30-4
- Allow xserver to use netlink_kobject_uevent_socket
* Thu Sep 3 2009 Dan Walsh <dwalsh@redhat.com> 3.6.30-3
- Fixes for sandbox
* Mon Aug 31 2009 Dan Walsh <dwalsh@redhat.com> 3.6.30-2
- Dontaudit setroubleshootfix looking at /root directory
* Mon Aug 31 2009 Dan Walsh <dwalsh@redhat.com> 3.6.30-1
- Update to upsteam
* Mon Aug 31 2009 Dan Walsh <dwalsh@redhat.com> 3.6.29-2
- Allow gssd to send signals to users
- Fix duplicate label for apache content
* Fri Aug 28 2009 Dan Walsh <dwalsh@redhat.com> 3.6.29-1
- Update to upstream
* Fri Aug 28 2009 Dan Walsh <dwalsh@redhat.com> 3.6.28-9
- Remove polkit_auth on upgrades
* Wed Aug 26 2009 Dan Walsh <dwalsh@redhat.com> 3.6.28-8
- Add back in unconfined.pp and unconfineduser.pp
- Add Sandbox unshare
* Tue Aug 25 2009 Dan Walsh <dwalsh@redhat.com> 3.6.28-7
- Fixes for cdrecord, mdadm, and others
* Sat Aug 22 2009 Dan Walsh <dwalsh@redhat.com> 3.6.28-6
- Add capability setting to dhcpc and gpm
* Sat Aug 22 2009 Dan Walsh <dwalsh@redhat.com> 3.6.28-5
- Allow cronjobs to read exim_spool_t
* Fri Aug 21 2009 Dan Walsh <dwalsh@redhat.com> 3.6.28-4
- Add ABRT policy
* Thu Aug 20 2009 Dan Walsh <dwalsh@redhat.com> 3.6.28-3
- Fix system-config-services policy
* Wed Aug 19 2009 Dan Walsh <dwalsh@redhat.com> 3.6.28-2
- Allow libvirt to change user componant of virt_domain
* Tue Aug 18 2009 Dan Walsh <dwalsh@redhat.com> 3.6.28-1
- Allow cupsd_config_t to be started by dbus
- Add smoltclient policy
* Fri Aug 14 2009 Dan Walsh <dwalsh@redhat.com> 3.6.27-1
- Add policycoreutils-python to pre install
* Thu Aug 13 2009 Dan Walsh <dwalsh@redhat.com> 3.6.26-11
- Make all unconfined_domains permissive so we can see what AVC's happen
* Mon Aug 10 2009 Dan Walsh <dwalsh@redhat.com> 3.6.26-10
- Add pt_chown policy
* Mon Aug 10 2009 Dan Walsh <dwalsh@redhat.com> 3.6.26-9
- Add kdump policy for Miroslav Grepl
- Turn off execstack boolean
* Fri Aug 7 2009 Bill Nottingham <notting@redhat.com> 3.6.26-8
- Turn on execstack on a temporary basis (#512845)
* Thu Aug 6 2009 Dan Walsh <dwalsh@redhat.com> 3.6.26-7
- Allow nsplugin to connecto the session bus
- Allow samba_net to write to coolkey data
* Wed Aug 5 2009 Dan Walsh <dwalsh@redhat.com> 3.6.26-6
- Allow devicekit_disk to list inotify
* Wed Aug 5 2009 Dan Walsh <dwalsh@redhat.com> 3.6.26-5
- Allow svirt images to create sock_file in svirt_var_run_t
* Tue Aug 4 2009 Dan Walsh <dwalsh@redhat.com> 3.6.26-4
- Allow exim to getattr on mountpoints
- Fixes for pulseaudio
* Fri Jul 31 2009 Dan Walsh <dwalsh@redhat.com> 3.6.26-3
- Allow svirt_t to stream_connect to virtd_t
* Fri Jul 31 2009 Dan Walsh <dwalsh@redhat.com> 3.6.26-2
- Allod hald_dccm_t to create sock_files in /tmp
* Thu Jul 30 2009 Dan Walsh <dwalsh@redhat.com> 3.6.26-1
- More fixes from upstream
* Tue Jul 28 2009 Dan Walsh <dwalsh@redhat.com> 3.6.25-1
- Fix polkit label
- Remove hidebrokensymptoms for nss_ldap fix
- Add modemmanager policy
- Lots of merges from upstream
- Begin removing textrel_shlib_t labels, from fixed libraries
* Tue Jul 28 2009 Dan Walsh <dwalsh@redhat.com> 3.6.24-1
- Update to upstream
* Mon Jul 27 2009 Dan Walsh <dwalsh@redhat.com> 3.6.23-2
- Allow certmaster to override dac permissions
* Thu Jul 23 2009 Dan Walsh <dwalsh@redhat.com> 3.6.23-1
- Update to upstream
* Tue Jul 21 2009 Dan Walsh <dwalsh@redhat.com> 3.6.22-3
- Fix context for VirtualBox
* Tue Jul 14 2009 Dan Walsh <dwalsh@redhat.com> 3.6.22-1
- Update to upstream
* Fri Jul 10 2009 Dan Walsh <dwalsh@redhat.com> 3.6.21-4
- Allow clamscan read amavis spool files
* Wed Jul 8 2009 Dan Walsh <dwalsh@redhat.com> 3.6.21-3
- Fixes for xguest
* Tue Jul 7 2009 Tom "spot" Callaway <tcallawa@redhat.com> 3.6.21-2
- fix multiple directory ownership of mandirs
* Wed Jul 1 2009 Dan Walsh <dwalsh@redhat.com> 3.6.21-1
- Update to upstream
* Tue Jun 30 2009 Dan Walsh <dwalsh@redhat.com> 3.6.20-2
- Add rules for rtkit-daemon
* Thu Jun 25 2009 Dan Walsh <dwalsh@redhat.com> 3.6.20-1
- Update to upstream
- Fix nlscd_stream_connect
* Thu Jun 25 2009 Dan Walsh <dwalsh@redhat.com> 3.6.19-5
- Add rtkit policy
* Wed Jun 24 2009 Dan Walsh <dwalsh@redhat.com> 3.6.19-4
- Allow rpcd_t to stream connect to rpcbind
* Tue Jun 23 2009 Dan Walsh <dwalsh@redhat.com> 3.6.19-3
- Allow kpropd to create tmp files
* Tue Jun 23 2009 Dan Walsh <dwalsh@redhat.com> 3.6.19-2
- Fix last duplicate /var/log/rpmpkgs
* Mon Jun 22 2009 Dan Walsh <dwalsh@redhat.com> 3.6.19-1
- Update to upstream
* add sssd
* Sat Jun 20 2009 Dan Walsh <dwalsh@redhat.com> 3.6.18-1
- Update to upstream
* cleanup
* Fri Jun 19 2009 Dan Walsh <dwalsh@redhat.com> 3.6.17-1
- Update to upstream
- Additional mail ports
- Add virt_use_usb boolean for svirt
* Thu Jun 18 2009 Dan Walsh <dwalsh@redhat.com> 3.6.16-4
- Fix mcs rules to include chr_file and blk_file
* Tue Jun 16 2009 Dan Walsh <dwalsh@redhat.com> 3.6.16-3
- Add label for udev-acl
* Mon Jun 15 2009 Dan Walsh <dwalsh@redhat.com> 3.6.16-2
- Additional rules for consolekit/udev, privoxy and various other fixes
* Fri Jun 12 2009 Dan Walsh <dwalsh@redhat.com> 3.6.16-1
- New version for upstream
* Thu Jun 11 2009 Dan Walsh <dwalsh@redhat.com> 3.6.14-3
- Allow NetworkManager to read inotifyfs
* Wed Jun 10 2009 Dan Walsh <dwalsh@redhat.com> 3.6.14-2
- Allow setroubleshoot to run mlocate
* Mon Jun 8 2009 Dan Walsh <dwalsh@redhat.com> 3.6.14-1
- Update to upstream
* Tue Jun 2 2009 Dan Walsh <dwalsh@redhat.com> 3.6.13-3
- Add fish as a shell
- Allow fprintd to list usbfs_t
- Allow consolekit to search mountpoints
- Add proper labeling for shorewall
* Tue May 26 2009 Dan Walsh <dwalsh@redhat.com> 3.6.13-2
- New log file for vmware
- Allow xdm to setattr on user_tmp_t
* Thu May 21 2009 Dan Walsh <dwalsh@redhat.com> 3.6.13-1
- Upgrade to upstream
* Wed May 20 2009 Dan Walsh <dwalsh@redhat.com> 3.6.12-39
- Allow fprintd to access sys_ptrace
- Add sandbox policy
* Mon May 18 2009 Dan Walsh <dwalsh@redhat.com> 3.6.12-38
- Add varnishd policy
* Thu May 14 2009 Dan Walsh <dwalsh@redhat.com> 3.6.12-37
- Fixes for kpropd
* Tue May 12 2009 Dan Walsh <dwalsh@redhat.com> 3.6.12-36
- Allow brctl to r/w tun_tap_device_t
* Mon May 11 2009 Dan Walsh <dwalsh@redhat.com> 3.6.12-35
- Add /usr/share/selinux/packages
* Mon May 11 2009 Dan Walsh <dwalsh@redhat.com> 3.6.12-34
- Allow rpcd_t to send signals to kernel threads
* Fri May 8 2009 Dan Walsh <dwalsh@redhat.com> 3.6.12-33
- Fix upgrade for F10 to F11
* Thu May 7 2009 Dan Walsh <dwalsh@redhat.com> 3.6.12-31
- Add policy for /var/lib/fprint
* Tue May 5 2009 Dan Walsh <dwalsh@redhat.com> 3.6.12-30
-Remove duplicate line
* Tue May 5 2009 Dan Walsh <dwalsh@redhat.com> 3.6.12-29
- Allow svirt to manage pci and other sysfs device data
* Mon May 4 2009 Dan Walsh <dwalsh@redhat.com> 3.6.12-28
- Fix package selection handling
* Fri May 1 2009 Dan Walsh <dwalsh@redhat.com> 3.6.12-27
- Fix /sbin/ip6tables-save context
- Allod udev to transition to mount
- Fix loading of mls policy file
* Thu Apr 30 2009 Dan Walsh <dwalsh@redhat.com> 3.6.12-26
- Add shorewall policy
* Wed Apr 29 2009 Dan Walsh <dwalsh@redhat.com> 3.6.12-25
- Additional rules for fprintd and sssd
* Tue Apr 28 2009 Dan Walsh <dwalsh@redhat.com> 3.6.12-24
- Allow nsplugin to unix_read unix_write sem for unconfined_java
* Tue Apr 28 2009 Dan Walsh <dwalsh@redhat.com> 3.6.12-23
- Fix uml files to be owned by users
* Tue Apr 28 2009 Dan Walsh <dwalsh@redhat.com> 3.6.12-22
- Fix Upgrade path to install unconfineduser.pp when unocnfined package is 3.0.0 or less
* Mon Apr 27 2009 Dan Walsh <dwalsh@redhat.com> 3.6.12-21
- Allow confined users to manage virt_content_t, since this is home dir content
- Allow all domains to read rpm_script_tmp_t which is what shell creates on redirection
* Mon Apr 27 2009 Dan Walsh <dwalsh@redhat.com> 3.6.12-20
- Fix labeling on /var/lib/misc/prelink*
- Allow xserver to rw_shm_perms with all x_clients
- Allow prelink to execute files in the users home directory
* Fri Apr 24 2009 Dan Walsh <dwalsh@redhat.com> 3.6.12-19
- Allow initrc_t to delete dev_null
- Allow readahead to configure auditing
- Fix milter policy
- Add /var/lib/readahead
* Fri Apr 24 2009 Dan Walsh <dwalsh@redhat.com> 3.6.12-16
- Update to latest milter code from Paul Howarth
* Thu Apr 23 2009 Dan Walsh <dwalsh@redhat.com> 3.6.12-15
- Additional perms for readahead
* Thu Apr 23 2009 Dan Walsh <dwalsh@redhat.com> 3.6.12-14
- Allow pulseaudio to acquire_svc on session bus
- Fix readahead labeling
* Thu Apr 23 2009 Dan Walsh <dwalsh@redhat.com> 3.6.12-13
- Allow sysadm_t to run rpm directly
- libvirt needs fowner
* Wed Apr 22 2009 Dan Walsh <dwalsh@redhat.com> 3.6.12-12
- Allow sshd to read var_lib symlinks for freenx
* Tue Apr 21 2009 Dan Walsh <dwalsh@redhat.com> 3.6.12-11
- Allow nsplugin unix_read and write on users shm and sem
- Allow sysadm_t to execute su
* Tue Apr 21 2009 Dan Walsh <dwalsh@redhat.com> 3.6.12-10
- Dontaudit attempts to getattr user_tmpfs_t by lvm
- Allow nfs to share removable media
* Mon Apr 20 2009 Dan Walsh <dwalsh@redhat.com> 3.6.12-9
- Add ability to run postdrop from confined users
* Sat Apr 18 2009 Dan Walsh <dwalsh@redhat.com> 3.6.12-8
- Fixes for podsleuth
* Fri Apr 17 2009 Dan Walsh <dwalsh@redhat.com> 3.6.12-7
- Turn off nsplugin transition
- Remove Konsole leaked file descriptors for release
* Fri Apr 17 2009 Dan Walsh <dwalsh@redhat.com> 3.6.12-6
- Allow cupsd_t to create link files in print_spool_t
- Fix iscsi_stream_connect typo
- Fix labeling on /etc/acpi/actions
- Don't reinstall unconfine and unconfineuser on upgrade if they are not installed
* Tue Apr 14 2009 Dan Walsh <dwalsh@redhat.com> 3.6.12-5
- Allow audioentroy to read etc files
* Mon Apr 13 2009 Dan Walsh <dwalsh@redhat.com> 3.6.12-4
- Add fail2ban_var_lib_t
- Fixes for devicekit_power_t
* Thu Apr 9 2009 Dan Walsh <dwalsh@redhat.com> 3.6.12-3
- Separate out the ucnonfined user from the unconfined.pp package
* Wed Apr 8 2009 Dan Walsh <dwalsh@redhat.com> 3.6.12-2
- Make sure unconfined_java_t and unconfined_mono_t create user_tmpfs_t.
* Tue Apr 7 2009 Dan Walsh <dwalsh@redhat.com> 3.6.12-1
- Upgrade to latest upstream
- Allow devicekit_disk sys_rawio
* Mon Apr 6 2009 Dan Walsh <dwalsh@redhat.com> 3.6.11-1
- Dontaudit binds to ports < 1024 for named
- Upgrade to latest upstream
* Fri Apr 3 2009 Dan Walsh <dwalsh@redhat.com> 3.6.10-9
- Allow podsleuth to use tmpfs files
* Fri Apr 3 2009 Dan Walsh <dwalsh@redhat.com> 3.6.10-8
- Add customizable_types for svirt
* Fri Apr 3 2009 Dan Walsh <dwalsh@redhat.com> 3.6.10-7
- Allow setroubelshoot exec* privs to prevent crash from bad libraries
- add cpufreqselector
* Thu Apr 2 2009 Dan Walsh <dwalsh@redhat.com> 3.6.10-6
- Dontaudit listing of /root directory for cron system jobs
* Mon Mar 30 2009 Dan Walsh <dwalsh@redhat.com> 3.6.10-5
- Fix missing ld.so.cache label
* Fri Mar 27 2009 Dan Walsh <dwalsh@redhat.com> 3.6.10-4
- Add label for ~/.forward and /root/.forward
* Thu Mar 26 2009 Dan Walsh <dwalsh@redhat.com> 3.6.10-3
- Fixes for svirt
* Thu Mar 19 2009 Dan Walsh <dwalsh@redhat.com> 3.6.10-2
- Fixes to allow svirt read iso files in homedir
* Thu Mar 19 2009 Dan Walsh <dwalsh@redhat.com> 3.6.10-1
- Add xenner and wine fixes from mgrepl
* Wed Mar 18 2009 Dan Walsh <dwalsh@redhat.com> 3.6.9-4
- Allow mdadm to read/write mls override
* Tue Mar 17 2009 Dan Walsh <dwalsh@redhat.com> 3.6.9-3
- Change to svirt to only access svirt_image_t
* Thu Mar 12 2009 Dan Walsh <dwalsh@redhat.com> 3.6.9-2
- Fix libvirt policy
* Thu Mar 12 2009 Dan Walsh <dwalsh@redhat.com> 3.6.9-1
- Upgrade to latest upstream
* Tue Mar 10 2009 Dan Walsh <dwalsh@redhat.com> 3.6.8-4
- Fixes for iscsid and sssd
- More cleanups for upgrade from F10 to Rawhide.
* Mon Mar 9 2009 Dan Walsh <dwalsh@redhat.com> 3.6.8-3
- Add pulseaudio, sssd policy
- Allow networkmanager to exec udevadm
* Sat Mar 7 2009 Dan Walsh <dwalsh@redhat.com> 3.6.8-2
- Add pulseaudio context
* Thu Mar 5 2009 Dan Walsh <dwalsh@redhat.com> 3.6.8-1
- Upgrade to latest patches
* Wed Mar 4 2009 Dan Walsh <dwalsh@redhat.com> 3.6.7-2
- Fixes for libvirt
* Mon Mar 2 2009 Dan Walsh <dwalsh@redhat.com> 3.6.7-1
- Update to Latest upstream
* Sat Feb 28 2009 Dan Walsh <dwalsh@redhat.com> 3.6.6-9
- Fix setrans.conf to show SystemLow for s0
* Fri Feb 27 2009 Dan Walsh <dwalsh@redhat.com> 3.6.6-8