You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
13309 lines
541 KiB
13309 lines
541 KiB
%define distro redhat |
|
%define polyinstatiate n |
|
%define monolithic n |
|
%if %{?BUILD_DOC:0}%{!?BUILD_DOC:1} |
|
%define BUILD_DOC 1 |
|
%endif |
|
%if %{?BUILD_TARGETED:0}%{!?BUILD_TARGETED:1} |
|
%define BUILD_TARGETED 1 |
|
%endif |
|
%if %{?BUILD_MINIMUM:0}%{!?BUILD_MINIMUM:1} |
|
%define BUILD_MINIMUM 1 |
|
%endif |
|
%if %{?BUILD_MLS:0}%{!?BUILD_MLS:1} |
|
%define BUILD_MLS 1 |
|
%endif |
|
%define POLICYVER 31 |
|
%define POLICYCOREUTILSVER 2.5-24 |
|
%define CHECKPOLICYVER 2.5-8 |
|
%define LIBSEMANAGEVER 2.5-13 |
|
Summary: SELinux policy configuration |
|
Name: selinux-policy |
|
Version: 3.13.1 |
|
Release: 268%{?dist} |
|
License: GPLv2+ |
|
Group: System Environment/Base |
|
Source: serefpolicy-%{version}.tgz |
|
patch0: policy-rhel-7.9-base.patch |
|
patch1: policy-rhel-7.9-contrib.patch |
|
Source1: modules-targeted-base.conf |
|
Source31: modules-targeted-contrib.conf |
|
Source2: booleans-targeted.conf |
|
Source3: Makefile.devel |
|
Source4: setrans-targeted.conf |
|
Source5: modules-mls-base.conf |
|
Source32: modules-mls-contrib.conf |
|
Source6: booleans-mls.conf |
|
Source8: setrans-mls.conf |
|
Source14: securetty_types-targeted |
|
Source15: securetty_types-mls |
|
#Source16: modules-minimum.conf |
|
Source17: booleans-minimum.conf |
|
Source18: setrans-minimum.conf |
|
Source19: securetty_types-minimum |
|
Source20: customizable_types |
|
Source21: config.tgz |
|
Source22: users-mls |
|
Source23: users-targeted |
|
Source25: users-minimum |
|
Source26: file_contexts.subs_dist |
|
Source27: selinux-policy.conf |
|
Source28: permissivedomains.cil |
|
Source29: serefpolicy-contrib-%{version}.tgz |
|
Source30: booleans.subs_dist |
|
|
|
# Provide rpm macros for packages installing SELinux modules |
|
Source102: rpm.macros |
|
# Migrate local SELinux policy changes on first boot after update to new userspace |
|
# This is needed for systems which doesn't use rpm for updates |
|
Source110: selinux-policy-migrate-local-changes.sh |
|
Source111: selinux-policy-migrate-local-changes@.service |
|
|
|
Url: http://oss.tresys.com/repos/refpolicy/ |
|
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) |
|
BuildArch: noarch |
|
BuildRequires: python gawk checkpolicy >= %{CHECKPOLICYVER} m4 policycoreutils-devel >= %{POLICYCOREUTILSVER} bzip2 |
|
Requires(pre): policycoreutils >= %{POLICYCOREUTILSVER} |
|
Requires(post): /bin/awk /usr/bin/sha512sum |
|
Requires: libsemanage >= %{LIBSEMANAGEVER} |
|
|
|
%files |
|
%defattr(-,root,root,-) |
|
%dir %{_usr}/share/selinux |
|
%dir %{_usr}/share/selinux/packages |
|
%dir %{_sysconfdir}/selinux |
|
%ghost %config(noreplace) %{_sysconfdir}/selinux/config |
|
%ghost %{_sysconfdir}/sysconfig/selinux |
|
%{_usr}/lib/tmpfiles.d/selinux-policy.conf |
|
%attr(0755, root, root) %dir %{_rpmconfigdir} |
|
%attr(0755, root, root) %dir %{_rpmconfigdir}/macros.d |
|
%{_rpmconfigdir}/macros.d/macros.selinux-policy |
|
|
|
%package sandbox |
|
Summary: SELinux policy sandbox |
|
Group: System Environment/Base |
|
Requires(pre): selinux-policy-base = %{version}-%{release} |
|
Requires(pre): selinux-policy-targeted = %{version}-%{release} |
|
|
|
%description sandbox |
|
SELinux sandbox policy used for the policycoreutils-sandbox package |
|
|
|
%files sandbox |
|
%defattr(-,root,root,-) |
|
%verify(not md5 size mtime) /usr/share/selinux/packages/sandbox.pp |
|
|
|
%post sandbox |
|
rm -f /etc/selinux/*/modules/active/modules/sandbox.pp.disabled 2>/dev/null |
|
rm -f %{_sysconfdir}/selinux/*/active/modules/disabled/sandbox 2>/dev/null |
|
semodule -n -i /usr/share/selinux/packages/sandbox.pp |
|
if /usr/sbin/selinuxenabled ; then |
|
/usr/sbin/load_policy |
|
fi; |
|
exit 0 |
|
|
|
%preun sandbox |
|
if [ $1 -eq 0 ] ; then |
|
semodule -n -d sandbox 2>/dev/null |
|
if /usr/sbin/selinuxenabled ; then |
|
/usr/sbin/load_policy |
|
fi; |
|
fi; |
|
exit 0 |
|
|
|
%package devel |
|
Summary: SELinux policy devel |
|
Group: System Environment/Base |
|
Requires(pre): selinux-policy = %{version}-%{release} |
|
Requires: m4 checkpolicy >= %{CHECKPOLICYVER} |
|
Requires: /usr/bin/make |
|
Requires(post): policycoreutils-devel >= %{POLICYCOREUTILSVER} |
|
|
|
%description devel |
|
SELinux policy development and man page package |
|
|
|
%files devel |
|
%defattr(-,root,root,-) |
|
%dir %{_usr}/share/selinux/devel |
|
%dir %{_usr}/share/selinux/devel/include |
|
%{_usr}/share/selinux/devel/include/* |
|
%dir %{_usr}/share/selinux/devel/html |
|
%{_usr}/share/selinux/devel/html/*html |
|
%{_usr}/share/selinux/devel/html/*css |
|
%{_usr}/share/selinux/devel/Makefile |
|
%{_usr}/share/selinux/devel/example.* |
|
%{_usr}/share/selinux/devel/policy.* |
|
%ghost %{_sharedstatedir}/sepolgen/interface_info |
|
|
|
%post devel |
|
selinuxenabled && /usr/bin/sepolgen-ifgen 2>/dev/null |
|
exit 0 |
|
|
|
%package doc |
|
Summary: SELinux policy documentation |
|
Group: System Environment/Base |
|
Requires(pre): selinux-policy = %{version}-%{release} |
|
Requires: /usr/bin/xdg-open |
|
|
|
%description doc |
|
SELinux policy documentation package |
|
|
|
%files doc |
|
%defattr(-,root,root,-) |
|
%{_mandir}/man*/* |
|
%{_mandir}/ru/*/* |
|
%doc %{_usr}/share/doc/%{name} |
|
%attr(755,root,root) %{_usr}/share/selinux/devel/policyhelp |
|
|
|
%define makeCmds() \ |
|
make UNK_PERMS=%4 NAME=%1 TYPE=%2 DISTRO=%{distro} UBAC=n DIRECT_INITRC=%3 MONOLITHIC=%{monolithic} MLS_CATS=1024 MCS_CATS=1024 bare \ |
|
make UNK_PERMS=%4 NAME=%1 TYPE=%2 DISTRO=%{distro} UBAC=n DIRECT_INITRC=%3 MONOLITHIC=%{monolithic} MLS_CATS=1024 MCS_CATS=1024 conf \ |
|
cp -f selinux_config/booleans-%1.conf ./policy/booleans.conf \ |
|
cp -f selinux_config/users-%1 ./policy/users \ |
|
#cp -f selinux_config/modules-%1-base.conf ./policy/modules.conf \ |
|
|
|
%define makeModulesConf() \ |
|
cp -f selinux_config/modules-%1-%2.conf ./policy/modules-base.conf \ |
|
cp -f selinux_config/modules-%1-%2.conf ./policy/modules.conf \ |
|
if [ %3 == "contrib" ];then \ |
|
cp selinux_config/modules-%1-%3.conf ./policy/modules-contrib.conf; \ |
|
cat selinux_config/modules-%1-%3.conf >> ./policy/modules.conf; \ |
|
fi; \ |
|
|
|
%define installCmds() \ |
|
make UNK_PERMS=%4 NAME=%1 TYPE=%2 DISTRO=%{distro} UBAC=n DIRECT_INITRC=%3 MONOLITHIC=%{monolithic} MLS_CATS=1024 MCS_CATS=1024 SEMOD_EXP="/usr/bin/semodule_expand -a" base.pp \ |
|
make validate UNK_PERMS=%4 NAME=%1 TYPE=%2 DISTRO=%{distro} UBAC=n DIRECT_INITRC=%3 MONOLITHIC=%{monolithic} MLS_CATS=1024 MCS_CATS=1024 SEMOD_EXP="/usr/bin/semodule_expand -a" modules \ |
|
make UNK_PERMS=%4 NAME=%1 TYPE=%2 DISTRO=%{distro} UBAC=n DIRECT_INITRC=%3 MONOLITHIC=%{monolithic} DESTDIR=%{buildroot} MLS_CATS=1024 MCS_CATS=1024 install \ |
|
make UNK_PERMS=%4 NAME=%1 TYPE=%2 DISTRO=%{distro} UBAC=n DIRECT_INITRC=%3 MONOLITHIC=%{monolithic} DESTDIR=%{buildroot} MLS_CATS=1024 MCS_CATS=1024 install-appconfig \ |
|
make UNK_PERMS=%4 NAME=%1 TYPE=%2 DISTRO=%{distro} UBAC=n DIRECT_INITRC=%3 MONOLITHIC=%{monolithic} DESTDIR=%{buildroot} MLS_CATS=1024 MCS_CATS=1024 SEMODULE="semodule -p %{buildroot} -X 100 " load \ |
|
%{__mkdir} -p %{buildroot}/%{_sysconfdir}/selinux/%1/active/modules/disabled \ |
|
%{__mkdir} -p %{buildroot}/%{_sysconfdir}/selinux/%1/logins \ |
|
touch %{buildroot}%{_sysconfdir}/selinux/%1/contexts/files/file_contexts.subs \ |
|
install -m0644 selinux_config/securetty_types-%1 %{buildroot}%{_sysconfdir}/selinux/%1/contexts/securetty_types \ |
|
install -m0644 selinux_config/file_contexts.subs_dist %{buildroot}%{_sysconfdir}/selinux/%1/contexts/files \ |
|
install -m0644 selinux_config/setrans-%1.conf %{buildroot}%{_sysconfdir}/selinux/%1/setrans.conf \ |
|
install -m0644 selinux_config/customizable_types %{buildroot}%{_sysconfdir}/selinux/%1/contexts/customizable_types \ |
|
touch %{buildroot}%{_sysconfdir}/selinux/%1/contexts/files/file_contexts.local \ |
|
touch %{buildroot}%{_sysconfdir}/selinux/%1/contexts/files/file_contexts.local.bin \ |
|
sefcontext_compile -o %{buildroot}%{_sysconfdir}/selinux/targeted/contexts/files/file_contexts.bin %{buildroot}%{_sysconfdir}/selinux/targeted/contexts/files/file_contexts \ |
|
cp %{SOURCE30} %{buildroot}%{_sysconfdir}/selinux/%1 \ |
|
rm -f %{buildroot}/%{_usr}/share/selinux/%1/*pp* \ |
|
/usr/bin/sha512sum %{buildroot}%{_sysconfdir}/selinux/%1/policy/policy.%{POLICYVER} | cut -d' ' -f 1 > %{buildroot}%{_sysconfdir}/selinux/%1/.policy.sha512; \ |
|
rm -rf %{buildroot}%{_sysconfdir}/selinux/%1/contexts/netfilter_contexts \ |
|
rm -rf %{buildroot}%{_sysconfdir}/selinux/%1/modules/active/policy.kern \ |
|
rm -f %{buildroot}%{_sysconfdir}/selinux/%1/active/*.linked \ |
|
%nil |
|
|
|
%define fileList() \ |
|
%defattr(-,root,root) \ |
|
%dir %{_usr}/share/selinux/%1 \ |
|
%dir %{_sysconfdir}/selinux/%1 \ |
|
%config(noreplace) %{_sysconfdir}/selinux/%1/setrans.conf \ |
|
%config(noreplace) %verify(not md5 size mtime) %{_sysconfdir}/selinux/%1/seusers \ |
|
%dir %{_sysconfdir}/selinux/%1/logins \ |
|
%dir %{_sysconfdir}/selinux/%1/active \ |
|
%verify(not md5 size mtime) %{_sysconfdir}/selinux/%1/semanage.read.LOCK \ |
|
%verify(not md5 size mtime) %{_sysconfdir}/selinux/%1/semanage.trans.LOCK \ |
|
%dir %attr(700,root,root) %dir %{_sysconfdir}/selinux/%1/active/modules \ |
|
%dir %attr(700,root,root) %dir %{_sysconfdir}/selinux/%1/active/modules/100 \ |
|
%dir %attr(700,root,root) %dir %{_sysconfdir}/selinux/%1/active/modules/disabled \ |
|
%verify(not md5 size mtime) %{_sysconfdir}/selinux/%1/active/modules/100/base \ |
|
%dir %{_sysconfdir}/selinux/%1/policy/ \ |
|
%verify(not md5 size mtime) %{_sysconfdir}/selinux/%1/policy/policy.%{POLICYVER} \ |
|
%{_sysconfdir}/selinux/%1/.policy.sha512 \ |
|
%dir %{_sysconfdir}/selinux/%1/contexts \ |
|
%config %{_sysconfdir}/selinux/%1/contexts/customizable_types \ |
|
%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/securetty_types \ |
|
%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/dbus_contexts \ |
|
%config %{_sysconfdir}/selinux/%1/contexts/x_contexts \ |
|
%config %{_sysconfdir}/selinux/%1/contexts/default_contexts \ |
|
%config %{_sysconfdir}/selinux/%1/contexts/virtual_domain_context \ |
|
%config %{_sysconfdir}/selinux/%1/contexts/virtual_image_context \ |
|
%config %{_sysconfdir}/selinux/%1/contexts/lxc_contexts \ |
|
%config %{_sysconfdir}/selinux/%1/contexts/systemd_contexts \ |
|
%config %{_sysconfdir}/selinux/%1/contexts/snapperd_contexts \ |
|
%config %{_sysconfdir}/selinux/%1/contexts/sepgsql_contexts \ |
|
%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/default_type \ |
|
%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/failsafe_context \ |
|
%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/initrc_context \ |
|
%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/removable_context \ |
|
%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/userhelper_context \ |
|
%dir %{_sysconfdir}/selinux/%1/contexts/files \ |
|
%verify(not md5 size mtime) %{_sysconfdir}/selinux/%1/contexts/files/file_contexts \ |
|
%verify(not md5 size mtime) %{_sysconfdir}/selinux/%1/contexts/files/file_contexts.bin \ |
|
%verify(not md5 size mtime) %{_sysconfdir}/selinux/%1/contexts/files/file_contexts.homedirs \ |
|
%verify(not md5 size mtime) %{_sysconfdir}/selinux/%1/contexts/files/file_contexts.homedirs.bin \ |
|
%verify(not md5 size mtime) %{_sysconfdir}/selinux/%1/active/commit_num \ |
|
%verify(not md5 size mtime) %{_sysconfdir}/selinux/%1/active/users_extra \ |
|
%verify(not md5 size mtime) %{_sysconfdir}/selinux/%1/active/homedir_template \ |
|
%verify(not md5 size mtime) %{_sysconfdir}/selinux/%1/active/file_contexts \ |
|
%verify(not md5 size mtime) %{_sysconfdir}/selinux/%1/active/policy.kern \ |
|
%ghost %{_sysconfdir}/selinux/%1/contexts/files/*.local \ |
|
%ghost %{_sysconfdir}/selinux/%1/contexts/files/*.local.bin \ |
|
%ghost %{_sysconfdir}/selinux/%1/active/seusers \ |
|
%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/files/file_contexts.subs \ |
|
%{_sysconfdir}/selinux/%1/contexts/files/file_contexts.subs_dist \ |
|
%{_sysconfdir}/selinux/%1/booleans.subs_dist \ |
|
%config %{_sysconfdir}/selinux/%1/contexts/files/media \ |
|
%dir %{_sysconfdir}/selinux/%1/contexts/users \ |
|
%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/users/root \ |
|
%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/users/guest_u \ |
|
%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/users/xguest_u \ |
|
%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/users/user_u \ |
|
%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/users/staff_u \ |
|
%{_libexecdir}/selinux/selinux-policy-migrate-local-changes.sh \ |
|
%{_unitdir}/selinux-policy-migrate-local-changes@.service \ |
|
%{_unitdir}/basic.target.wants/selinux-policy-migrate-local-changes@%1.service \ |
|
%ghost %{_sysconfdir}/selinux/%1/active/policy.linked \ |
|
%ghost %{_sysconfdir}/selinux/%1/active/seusers.linked \ |
|
%ghost %{_sysconfdir}/selinux/%1/active/users_extra.linked \ |
|
%verify(not md5 size mtime) %{_sysconfdir}/selinux/%1/active/file_contexts.homedirs \ |
|
%nil |
|
|
|
|
|
%define relabel() \ |
|
. %{_sysconfdir}/selinux/config; \ |
|
FILE_CONTEXT=%{_sysconfdir}/selinux/%1/contexts/files/file_contexts; \ |
|
/usr/sbin/selinuxenabled; \ |
|
if [ $? = 0 -a "${SELINUXTYPE}" = %1 -a -f ${FILE_CONTEXT}.pre ]; then \ |
|
/sbin/fixfiles -C ${FILE_CONTEXT}.pre restore &> /dev/null; \ |
|
rm -f ${FILE_CONTEXT}.pre; \ |
|
fi; \ |
|
if /sbin/restorecon -e /run/media -R /root /var/log /etc/passwd* /etc/group* /etc/*shadow* 2> /dev/null;then \ |
|
continue; \ |
|
fi; \ |
|
|
|
%define preInstall() \ |
|
if [ $1 -ne 1 ] && [ -s /etc/selinux/config ]; then \ |
|
. %{_sysconfdir}/selinux/config; \ |
|
FILE_CONTEXT=%{_sysconfdir}/selinux/%1/contexts/files/file_contexts; \ |
|
if [ "${SELINUXTYPE}" = %1 -a -f ${FILE_CONTEXT} ]; then \ |
|
[ -f ${FILE_CONTEXT}.pre ] || cp -f ${FILE_CONTEXT} ${FILE_CONTEXT}.pre; \ |
|
fi; \ |
|
touch /etc/selinux/%1/.rebuild; \ |
|
if [ -e /etc/selinux/%1/.policy.sha512 ]; then \ |
|
POLICY_FILE=`ls /etc/selinux/%1/policy/policy.* | sort | head -1` \ |
|
sha512=`sha512sum $POLICY_FILE | cut -d ' ' -f 1`; \ |
|
checksha512=`cat /etc/selinux/%1/.policy.sha512`; \ |
|
if [ "$sha512" == "$checksha512" ] ; then \ |
|
rm /etc/selinux/%1/.rebuild; \ |
|
fi; \ |
|
fi; \ |
|
fi; |
|
|
|
%define postInstall() \ |
|
. %{_sysconfdir}/selinux/config; \ |
|
#TODO: (cd /etc/selinux/%2/modules/active/modules; rm -f vbetool.pp l2tpd.pp shutdown.pp amavis.pp clamav.pp gnomeclock.pp nsplugin.pp matahari.pp xfs.pp kudzu.pp kerneloops.pp execmem.pp openoffice.pp ada.pp tzdata.pp hal.pp hotplug.pp howl.pp java.pp mono.pp moilscanner.pp gamin.pp audio_entropy.pp audioentropy.pp iscsid.pp polkit_auth.pp polkit.pp rtkit_daemon.pp ModemManager.pp telepathysofiasip.pp ethereal.pp passanger.pp qemu.pp qpidd.pp pyzor.pp razor.pp pki-selinux.pp phpfpm.pp consoletype.pp ctdbd.pp fcoemon.pp isnsd.pp rgmanager.pp corosync.pp aisexec.pp pacemaker.pp pkcsslotd.pp smstools.pp ) \ |
|
if [ -e /etc/selinux/%2/.rebuild ]; then \ |
|
rm /etc/selinux/%2/.rebuild; \ |
|
/usr/sbin/semodule -B -n -s %2; \ |
|
fi; \ |
|
[ "${SELINUXTYPE}" == "%2" ] && selinuxenabled && load_policy; \ |
|
if [ %1 -eq 1 ]; then \ |
|
/sbin/restorecon -R /root /var/log /etc/passwd* /etc/group* /etc/*shadow* 2> /dev/null; \ |
|
else \ |
|
%relabel %2 \ |
|
fi; |
|
|
|
%define modulesList() \ |
|
awk '$1 !~ "/^#/" && $2 == "=" && $3 == "module" { printf "%%s ", $1 }' ./policy/modules-base.conf > %{buildroot}/%{_usr}/share/selinux/%1/modules-base.lst \ |
|
awk '$1 !~ "/^#/" && $2 == "=" && $3 == "base" { printf "%%s ", $1 }' ./policy/modules-base.conf > %{buildroot}/%{_usr}/share/selinux/%1/base.lst \ |
|
if [ -e ./policy/modules-contrib.conf ];then \ |
|
awk '$1 !~ "/^#/" && $2 == "=" && $3 == "module" { printf "%%s ", $1 }' ./policy/modules-contrib.conf > %{buildroot}/%{_usr}/share/selinux/%1/modules-contrib.lst; \ |
|
fi; |
|
|
|
%define nonBaseModulesList() \ |
|
contrib_modules=`cat %{buildroot}/%{_usr}/share/selinux/%1/modules-contrib.lst` \ |
|
base_modules=`cat %{buildroot}/%{_usr}/share/selinux/%1/modules-base.lst` \ |
|
for i in $contrib_modules $base_modules; do \ |
|
if [ $i != "sandbox" ];then \ |
|
echo "%verify(not md5 size mtime) %{_sysconfdir}/selinux/%1/active/modules/100/$i" >> %{buildroot}/%{_usr}/share/selinux/%1/nonbasemodules.lst \ |
|
fi; \ |
|
done \ |
|
if [ %1 != "mls" ];then \ |
|
echo "%ghost /etc/selinux/%1/modules/active/modules/docker.pp" >> %{buildroot}/%{_usr}/share/selinux/%1/nonbasemodules.lst \ |
|
fi; |
|
|
|
%define installMigrateLocalChangesFiles() \ |
|
mkdir -p %{buildroot}/%{_libexecdir}/selinux/ \ |
|
install -p -m 755 %{SOURCE110} %{buildroot}/%{_libexecdir}/selinux/ \ |
|
mkdir -m 755 -p %{buildroot}/%{_unitdir}/basic.target.wants/ \ |
|
install -m 644 -p %{SOURCE111} %{buildroot}/%{_unitdir}/ \ |
|
ln -s ../selinux-policy-migrate-local-changes@.service %{buildroot}/%{_unitdir}/basic.target.wants/selinux-policy-migrate-local-changes@%1.service \ |
|
%nil |
|
|
|
%description |
|
SELinux Reference Policy - modular. |
|
Based off of reference policy: Checked out revision 2.20091117 |
|
|
|
%build |
|
|
|
%prep |
|
%setup -n serefpolicy-contrib-%{version} -q -b 29 |
|
%patch1 -p1 |
|
contrib_path=`pwd` |
|
%setup -n serefpolicy-%{version} -q |
|
%patch0 -p1 |
|
refpolicy_path=`pwd` |
|
cp $contrib_path/* $refpolicy_path/policy/modules/contrib |
|
rm -rf $refpolicy_path/policy/modules/contrib/kubernetes.* |
|
|
|
mkdir selinux_config |
|
for i in %{SOURCE1} %{SOURCE2} %{SOURCE3} %{SOURCE4} %{SOURCE5} %{SOURCE6} %{SOURCE8} %{SOURCE14} %{SOURCE15} %{SOURCE17} %{SOURCE18} %{SOURCE19} %{SOURCE20} %{SOURCE21} %{SOURCE22} %{SOURCE23} %{SOURCE25} %{SOURCE26} %{SOURCE31} %{SOURCE32};do |
|
cp $i selinux_config |
|
done |
|
tar zxvf selinux_config/config.tgz |
|
|
|
%install |
|
# Build targeted policy |
|
%{__rm} -fR %{buildroot} |
|
mkdir -p %{buildroot}%{_sysconfdir}/selinux |
|
mkdir -p %{buildroot}%{_sysconfdir}/sysconfig |
|
touch %{buildroot}%{_sysconfdir}/selinux/config |
|
touch %{buildroot}%{_sysconfdir}/sysconfig/selinux |
|
mkdir -p %{buildroot}%{_usr}/lib/tmpfiles.d/ |
|
cp %{SOURCE27} %{buildroot}%{_usr}/lib/tmpfiles.d/ |
|
|
|
# Always create policy module package directories |
|
mkdir -p %{buildroot}%{_usr}/share/selinux/{targeted,mls,minimum,modules}/ |
|
mkdir -p %{buildroot}%{_sysconfdir}/selinux/{targeted,mls,minimum,modules}/ |
|
|
|
mkdir -p %{buildroot}%{_usr}/share/selinux/packages |
|
|
|
# Install devel |
|
make clean |
|
%if %{BUILD_TARGETED} |
|
# Build targeted policy |
|
# Commented out because only targeted ref policy currently builds |
|
cp %{SOURCE28} %{buildroot}/ |
|
%makeCmds targeted mcs n allow |
|
%makeModulesConf targeted base contrib |
|
%installCmds targeted mcs n allow |
|
# install permissivedomains.cil |
|
semodule -p %{buildroot} -X 100 -i %{buildroot}/permissivedomains.cil |
|
rm -rf %{buildroot}/permissivedomains.cil |
|
# recreate sandbox.pp |
|
rm -rf %{buildroot}%{_sysconfdir}/selinux/targeted/active/modules/100/sandbox |
|
make UNK_PERMS=%4 NAME=%1 TYPE=%2 DISTRO=%{distro} UBAC=n DIRECT_INITRC=%3 MONOLITHIC=%{monolithic} DESTDIR=%{buildroot} MLS_CATS=1024 MCS_CATS=1024 sandbox.pp |
|
mv sandbox.pp %{buildroot}/usr/share/selinux/packages/sandbox.pp |
|
%modulesList targeted |
|
%nonBaseModulesList targeted |
|
%installMigrateLocalChangesFiles targeted |
|
|
|
%endif |
|
|
|
%if %{BUILD_MINIMUM} |
|
# Build minimum policy |
|
# Commented out because only minimum ref policy currently builds |
|
mkdir -p %{buildroot}%{_usr}/share/selinux/minimum |
|
# cp %{SOURCE28} %{buildroot}/%{_usr}/share/selinux/minimum |
|
%makeCmds minimum mcs n allow |
|
%makeModulesConf targeted base contrib |
|
%installCmds minimum mcs n allow |
|
rm -f %{buildroot}/%{_sysconfdir}/selinux/minimum/modules/active/modules/sandbox.pp |
|
rm -rf %{buildroot}%{_sysconfdir}/selinux/minimum/active/modules/100/sandbox |
|
%modulesList minimum |
|
%nonBaseModulesList minimum |
|
%installMigrateLocalChangesFiles minimum |
|
%endif |
|
|
|
%if %{BUILD_MLS} |
|
# Build mls policy |
|
%makeCmds mls mls n deny |
|
%makeModulesConf mls base contrib |
|
%installCmds mls mls n deny |
|
%modulesList mls |
|
%nonBaseModulesList mls |
|
%installMigrateLocalChangesFiles mls |
|
%endif |
|
|
|
mkdir -p %{buildroot}%{_mandir} |
|
cp -R man/* %{buildroot}%{_mandir} |
|
make UNK_PERMS=allow NAME=targeted TYPE=mcs DISTRO=%{distro} UBAC=n DIRECT_INITRC=n MONOLITHIC=%{monolithic} DESTDIR=%{buildroot} PKGNAME=%{name} MLS_CATS=1024 MCS_CATS=1024 install-docs |
|
make UNK_PERMS=allow NAME=targeted TYPE=mcs DISTRO=%{distro} UBAC=n DIRECT_INITRC=n MONOLITHIC=%{monolithic} DESTDIR=%{buildroot} PKGNAME=%{name} MLS_CATS=1024 MCS_CATS=1024 install-headers |
|
mkdir %{buildroot}%{_usr}/share/selinux/devel/ |
|
mv %{buildroot}%{_usr}/share/selinux/targeted/include %{buildroot}%{_usr}/share/selinux/devel/include |
|
install -m 644 selinux_config/Makefile.devel %{buildroot}%{_usr}/share/selinux/devel/Makefile |
|
install -m 644 doc/example.* %{buildroot}%{_usr}/share/selinux/devel/ |
|
install -m 644 doc/policy.* %{buildroot}%{_usr}/share/selinux/devel/ |
|
echo "xdg-open file:///usr/share/doc/selinux-policy/html/index.html"> %{buildroot}%{_usr}/share/selinux/devel/policyhelp |
|
chmod +x %{buildroot}%{_usr}/share/selinux/devel/policyhelp |
|
/usr/bin/sepolicy manpage -a -p %{buildroot}/usr/share/man/man8/ -w -r %{buildroot} |
|
mkdir %{buildroot}%{_usr}/share/selinux/devel/html |
|
mv %{buildroot}%{_usr}/share/man/man8/*.html %{buildroot}%{_usr}/share/selinux/devel/html |
|
mv %{buildroot}%{_usr}/share/man/man8/style.css %{buildroot}%{_usr}/share/selinux/devel/html |
|
|
|
mkdir -p %{buildroot}%{_rpmconfigdir}/macros.d |
|
install -m 644 %{SOURCE102} %{buildroot}%{_rpmconfigdir}/macros.d/macros.selinux-policy |
|
sed -i 's/SELINUXPOLICYVERSION/%{version}-%{release}/' %{buildroot}%{_rpmconfigdir}/macros.d/macros.selinux-policy |
|
sed -i 's@SELINUXSTOREPATH@%{_sysconfdir}/selinux@' %{buildroot}%{_rpmconfigdir}/macros.d/macros.selinux-policy |
|
|
|
|
|
rm -rf selinux_config |
|
%clean |
|
%{__rm} -fR %{buildroot} |
|
|
|
%post |
|
if [ ! -s /etc/selinux/config ]; then |
|
# |
|
# New install so we will default to targeted policy |
|
# |
|
echo " |
|
# This file controls the state of SELinux on the system. |
|
# SELINUX= can take one of these three values: |
|
# enforcing - SELinux security policy is enforced. |
|
# permissive - SELinux prints warnings instead of enforcing. |
|
# disabled - No SELinux policy is loaded. |
|
SELINUX=enforcing |
|
# SELINUXTYPE= can take one of three values: |
|
# targeted - Targeted processes are protected, |
|
# minimum - Modification of targeted policy. Only selected processes are protected. |
|
# mls - Multi Level Security protection. |
|
SELINUXTYPE=targeted |
|
|
|
" > /etc/selinux/config |
|
|
|
ln -sf ../selinux/config /etc/sysconfig/selinux |
|
restorecon /etc/selinux/config 2> /dev/null || : |
|
else |
|
. /etc/selinux/config |
|
fi |
|
exit 0 |
|
|
|
%postun |
|
if [ $1 = 0 ]; then |
|
setenforce 0 2> /dev/null |
|
if [ ! -s /etc/selinux/config ]; then |
|
echo "SELINUX=disabled" > /etc/selinux/config |
|
else |
|
sed -i 's/^SELINUX=.*/SELINUX=disabled/g' /etc/selinux/config |
|
fi |
|
fi |
|
exit 0 |
|
|
|
%if %{BUILD_TARGETED} |
|
%package targeted |
|
Summary: SELinux targeted base policy |
|
Provides: selinux-policy-base = %{version}-%{release} |
|
Group: System Environment/Base |
|
Obsoletes: selinux-policy-targeted-sources < 2 |
|
Requires(pre): policycoreutils >= %{POLICYCOREUTILSVER} |
|
Requires(pre): coreutils |
|
Requires(pre): selinux-policy = %{version}-%{release} |
|
Requires: selinux-policy = %{version}-%{release} |
|
Conflicts: audispd-plugins <= 1.7.7-1 |
|
Obsoletes: mod_fcgid-selinux <= %{version}-%{release} |
|
Obsoletes: cachefilesd-selinux <= 0.10-1 |
|
Conflicts: seedit |
|
Conflicts: 389-ds-base < 1.2.7, 389-admin < 1.1.12 |
|
Conflicts: pki-selinux < 10.0.0-0.45.b1 |
|
Conflicts: freeipa-server-selinux < 3.2.2-1 |
|
|
|
%description targeted |
|
SELinux Reference policy targeted base module. |
|
|
|
%pre targeted |
|
%preInstall targeted |
|
|
|
%post targeted |
|
if [ -e /etc/selinux/targeted/modules/active/base.pp ]; then |
|
DONT_REBUILD=1 %{_libexecdir}/selinux/selinux-policy-migrate-local-changes.sh targeted |
|
touch /etc/selinux/targeted/.rebuild |
|
systemctl daemon-reexec |
|
fi |
|
%postInstall $1 targeted |
|
exit 0 |
|
|
|
%triggerin -- pcre |
|
selinuxenabled && semodule -nB |
|
exit 0 |
|
|
|
%triggerin -- selinux-policy < 3.13.1-121 |
|
semodule -X 100 -d docker > /dev/null 2> /dev/null |
|
semodule -X 100 -d gear > /dev/null 2> /dev/null |
|
exit 0 |
|
|
|
%triggerpostun -- selinux-policy-targeted < 3.12.1-74 |
|
rm -f /etc/selinux/*/modules/active/modules/sandbox.pp.disabled 2>/dev/null |
|
exit 0 |
|
|
|
%files targeted -f %{buildroot}/%{_usr}/share/selinux/targeted/nonbasemodules.lst |
|
%defattr(-,root,root,-) |
|
%config(noreplace) %{_sysconfdir}/selinux/targeted/contexts/users/unconfined_u |
|
%config(noreplace) %{_sysconfdir}/selinux/targeted/contexts/users/sysadm_u |
|
%fileList targeted |
|
%verify(not md5 size mtime) %{_sysconfdir}/selinux/targeted/active/modules/100/permissivedomains |
|
%{_usr}/share/selinux/targeted/base.lst |
|
%{_usr}/share/selinux/targeted/modules-base.lst |
|
%{_usr}/share/selinux/targeted/modules-contrib.lst |
|
%{_usr}/share/selinux/targeted/nonbasemodules.lst |
|
%endif |
|
|
|
%if %{BUILD_MINIMUM} |
|
%package minimum |
|
Summary: SELinux minimum base policy |
|
Provides: selinux-policy-base = %{version}-%{release} |
|
Group: System Environment/Base |
|
Requires(post): policycoreutils-python >= %{POLICYCOREUTILSVER} |
|
Requires(pre): coreutils |
|
Requires(pre): selinux-policy = %{version}-%{release} |
|
Requires: selinux-policy = %{version}-%{release} |
|
Conflicts: seedit |
|
|
|
%description minimum |
|
SELinux Reference policy minimum base module. |
|
|
|
%pre minimum |
|
%preInstall minimum |
|
if [ $1 -ne 1 ]; then |
|
/usr/sbin/semodule -s minimum --list-modules=full | awk '{ if ($4 != "disabled") print $2; }' > /usr/share/selinux/minimum/instmodules.lst |
|
fi |
|
|
|
%post minimum |
|
if [ -e /etc/selinux/minimum/modules/active/base.pp ]; then |
|
DONT_REBUILD=1 %{_libexecdir}/selinux/selinux-policy-migrate-local-changes.sh minimum |
|
touch /etc/selinux/minimum/.rebuild |
|
systemctl daemon-reexec |
|
fi |
|
contribpackages=`cat /usr/share/selinux/minimum/modules-contrib.lst` |
|
basepackages=`cat /usr/share/selinux/minimum/modules-base.lst` |
|
#TODO: (cd /etc/selinux/minimum/modules/active/modules; rm -f pkcsslotd.pp) |
|
if [ ! -d /etc/selinux/minimum/active/modules/disabled ]; then |
|
mkdir /etc/selinux/minimum/active/modules/disabled |
|
fi |
|
if [ $1 -eq 1 ]; then |
|
for p in $contribpackages; do |
|
touch /etc/selinux/minimum/active/modules/disabled/$p |
|
done |
|
for p in $basepackages apache dbus inetd kerberos mta nis; do |
|
rm -f /etc/selinux/minimum/active/modules/disabled/$p |
|
done |
|
/usr/sbin/semodule -B -s minimum |
|
/usr/sbin/semanage import -S minimum -f - << __eof |
|
login -m -s unconfined_u -r s0-s0:c0.c1023 __default__ |
|
login -m -s unconfined_u -r s0-s0:c0.c1023 root |
|
__eof |
|
/sbin/restorecon -R /root /var/log 2> /dev/null |
|
else |
|
instpackages=`cat /usr/share/selinux/minimum/instmodules.lst` |
|
for p in $contribpackages; do |
|
touch /etc/selinux/minimum/active/modules/disabled/$p |
|
done |
|
for p in $instpackages apache dbus inetd kerberos mta nis; do |
|
rm -f /etc/selinux/minimum/active/modules/disabled/$p |
|
done |
|
/usr/sbin/semodule -B -s minimum |
|
%relabel minimum |
|
fi |
|
exit 0 |
|
|
|
%triggerpostun minimum -- selinux-policy-minimum < 3.13.1-66 |
|
if [ `ls -A /etc/selinux/minimum/active/modules/disabled/` ]; then |
|
rm -f /etc/selinux/minimum/active/modules/disabled/* |
|
fi |
|
exit 0 |
|
|
|
%files minimum -f %{buildroot}/%{_usr}/share/selinux/minimum/nonbasemodules.lst |
|
%defattr(-,root,root,-) |
|
%config(noreplace) %{_sysconfdir}/selinux/minimum/contexts/users/unconfined_u |
|
%config(noreplace) %{_sysconfdir}/selinux/minimum/contexts/users/sysadm_u |
|
%fileList minimum |
|
# %verify(not md5 size mtime) %{_sysconfdir}/selinux/minimum/modules/active/modules/permissivedomains.pp |
|
%{_usr}/share/selinux/minimum/base.lst |
|
%{_usr}/share/selinux/minimum/modules-base.lst |
|
%{_usr}/share/selinux/minimum/modules-contrib.lst |
|
%{_usr}/share/selinux/minimum/nonbasemodules.lst |
|
%endif |
|
|
|
%if %{BUILD_MLS} |
|
%package mls |
|
Summary: SELinux mls base policy |
|
Group: System Environment/Base |
|
Provides: selinux-policy-base = %{version}-%{release} |
|
Obsoletes: selinux-policy-mls-sources < 2 |
|
Requires: policycoreutils-newrole >= %{POLICYCOREUTILSVER} setransd |
|
Requires(pre): policycoreutils >= %{POLICYCOREUTILSVER} |
|
Requires(pre): coreutils |
|
Requires(pre): selinux-policy = %{version}-%{release} |
|
Requires: selinux-policy = %{version}-%{release} |
|
Conflicts: seedit |
|
|
|
%description mls |
|
SELinux Reference policy mls base module. |
|
|
|
%pre mls |
|
%preInstall mls |
|
|
|
%post mls |
|
if [ -e /etc/selinux/mls/modules/active/base.pp ]; then |
|
DONT_REBUILD=1 %{_libexecdir}/selinux/selinux-policy-migrate-local-changes.sh mls |
|
touch /etc/selinux/mls/.rebuild |
|
systemctl daemon-reexec |
|
fi |
|
%postInstall $1 mls |
|
|
|
|
|
%files mls -f %{buildroot}/%{_usr}/share/selinux/mls/nonbasemodules.lst |
|
%defattr(-,root,root,-) |
|
%config(noreplace) %{_sysconfdir}/selinux/mls/contexts/users/unconfined_u |
|
%fileList mls |
|
%{_usr}/share/selinux/mls/base.lst |
|
%{_usr}/share/selinux/mls/modules-base.lst |
|
%{_usr}/share/selinux/mls/modules-contrib.lst |
|
%{_usr}/share/selinux/mls/nonbasemodules.lst |
|
%endif |
|
|
|
%changelog |
|
* Tue May 12 2020 Zdenek Pytela <zpytela@redhat.com> - 3.13.1-268 |
|
- Allow rhsmd read process state of all domains and kernel threads |
|
Resolves: rhbz#1837461 |
|
- Allow ipa-adtrust-install restart sssd and dirsrv services |
|
Resolves: rhbz#1820298 |
|
- Allow nagios_plugin_domain execute programs in bin directories |
|
Resolves: rhbz#1824625 |
|
- selinux policy: add the right context for org.freeipa.server.trust-enable-agent |
|
Related: rhbz#1820298 |
|
|
|
* Mon Mar 23 2020 Zdenek Pytela <zpytela@redhat.com> - 3.13.1-267 |
|
- Allow chronyd_t domain to exec shell |
|
Resolves: rhbz#1775573 |
|
- Allow pmie daemon to send signal pcmd daemon |
|
Resolves: rhbz#1770123 |
|
- Allow auditd poweroff or switch to single mode |
|
Resolves: rhbz#1780332 |
|
|
|
* Wed Nov 06 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-266 |
|
- Dontaudit tmpreaper_t getting attributes from sysctl_type files |
|
Resolves: rhbz#1765063 |
|
|
|
* Thu Oct 31 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-265 |
|
- Allow tmpreaper_t domain to getattr files labeled as mtrr_device_t |
|
Resolves: rhbz#1765063 |
|
|
|
* Wed Oct 30 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-264 |
|
- Allow tmpwatch process labeled as tmpreaper_t domain to execute fuser command |
|
Resolves: rhbz#1765063 |
|
|
|
* Wed Oct 30 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-263 |
|
- Update tmpreaper_t policy due to fuser command |
|
Resolves: rhbz#1765063 |
|
|
|
* Fri Oct 25 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-262 |
|
- Allow tmpreaper_t domain to read all domains state |
|
Resolves: rhbz#1765063 |
|
|
|
* Mon Oct 14 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-261 |
|
- Update sudo_role_template() to allow caller domain to read syslog pid files |
|
Resolves: rhbz#1651253 |
|
|
|
* Fri Oct 11 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-260 |
|
- Allow sbd_t domain to check presence of processes labeled as cluster_t |
|
Resolves: rhbz#1753623 |
|
|
|
* Wed Sep 25 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-259 |
|
- Allow ganesha_t domain to read system network state and connect to cyphesis_port_t |
|
Resolves: rhbz#1653857 |
|
- Label /var/log/collectd.log as collectd_log_t |
|
- Update gnome_role_template() interface to make working sysadm_u SELinux able to login to X sessions |
|
Resolves: rhbz#1688729 |
|
- Update collectd policy to allow daemon create /var/log/collectd with collectd_log_t label |
|
Resolves: rhbz#1658319 |
|
- Update sbd policy to allow manage cgroups |
|
Resolves: rhbz#1715136 |
|
- Allow sudo userdomain to run rpm related commands |
|
- Update rpm_run() interface to avoid duplicate role transition in sudo_role_template |
|
Resolves: rhbz#1651253 |
|
|
|
* Fri Aug 16 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-258 |
|
- Update gnome_role_template() interface to make working sysadm_u SELinux able to login to X sessions |
|
Resolves: rhbz#1688729 |
|
- Update collectd policy to allow daemon create /var/log/collectd with collectd_log_t label |
|
Resolves: rhbz#1658319 |
|
|
|
* Wed Aug 14 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-257 |
|
- Update sbd policy to allow manage cgroups |
|
Resolves: rhbz#1715136 |
|
|
|
* Tue Aug 13 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-256 |
|
- Allow cupsd_t domain to manage cupsd_tmp_t temp link files |
|
Resolves: rhbz#1719754 |
|
- Allow svnserve_t domain to read /dev/random |
|
Resolves: rhbz#1727458 |
|
- Update sudodomains to make working confined users run sudo/su |
|
Resolves: rhbz#1699391 |
|
|
|
* Tue Aug 06 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-255 |
|
- Allow virtlockd process read virtlockd.conf file |
|
Resolves: rhbz#1714896 |
|
|
|
* Fri Jul 26 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-254 |
|
- Rebuild selinux-policy build because of broken RHEL-7.8 buildrood |
|
during build of selinux-policy-3.13.1-253 |
|
Resolves: rhbz#1727341 |
|
* Mon Jul 22 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-253 |
|
- Label user cron spool file with user_cron_spool_t |
|
Resolves: rhbz#1727341 |
|
- Allow svnserve_t domain to read system state |
|
Resolves: rhbz#1727458 |
|
- Update svnserve_t policy to make working svnserve hooks |
|
Resolves: rhbz#1727458 |
|
- Update gnome_role_template() template to allow sysadm_t confined user to login to xsession |
|
Resolves: rhbz#1727379 |
|
- Update gnome_role_template() to allow _gkeyringd_t domains to chat with systemd_logind over dbus |
|
Resolves: rhbz#1727379 |
|
- Allow userdomain gkeyringd domain to create stream socket with userdomain |
|
Resolves: rhbz#1727379 |
|
- Allow cupsd_t to create lnk_files in /tmp. BZ(1401634) |
|
Resolves: rhbz#1719754 |
|
- Allow mysqld_t domain to manage cluster pid files |
|
Resolves: rhbz#1715805 |
|
- Relabel /usr/sbin/virtlockd from virt_exec_t to virtlogd_exec_t. |
|
Resolves: rhbz#1714896 |
|
- Allow systemd_hostnamed_t domain to dbus chat with sosreport_t domain |
|
Resolves: rhbz#1705599 |
|
- Allow rhsmcertd_t domain to send signull to all domains |
|
Resolves: rhbz#1701338 |
|
- Allow cloud_init_t domain to ccreate iptables files with correct SELinux label |
|
Resolves: rhbz#1699249 |
|
- Allow dnsmasq_t domain to manage NetworkManager_var_lib_t files |
|
- Allow certmonger to geattr of filesystems BZ(1578755) |
|
- Update tomcat_can_network_connect_db boolean to allow tomcat domains also connect to redis ports Resolves: rhbz#1687497 |
|
- Allow lograte_t domain to manage collect_rw_content files and dirs |
|
Resolves: rhbz#1658319 |
|
- Add interface collectd_manage_rw_content() |
|
- Allow glusterd_t domain to setpgid |
|
Resolves: rhbz#1653857 |
|
- Allow sysadm_sudo_t to use SELinux tooling. |
|
Resolves: rhbz#1727341 |
|
- Allow sysadm_t domain to create netlink selinux sockets |
|
Resolves: rhbz#1727379 |
|
- Allow systemd_resolved_t to dbusd chat with NetworkManager_t |
|
Resolves: rhbz#1723877 |
|
- Allow crack_t domain read /et/passwd files |
|
Resolves: rhbz#1721093 |
|
- Allow sysadm_t domain to dbus chat with rtkit daemon |
|
Resolves: rhbz#1720546 |
|
- Allow x_userdomains to nnp domain transition to thumb_t domain |
|
Resolves: rhbz#1712603 |
|
- Dontaudit writing to user home dirs by gnome-keyring-daemon |
|
Resolves: rhbz#1703959 |
|
- Update logging_send_audit_msgs(sudodomain() to control TTY auditing for netlink socket for audit service |
|
Resolves: rhbz#1699391 |
|
- Allow systemd_tmpfiles_t domain to relabel from usermodehelper_t files |
|
Resolves: rhbz#1699063 |
|
- Add interface kernel_relabelfrom_usermodehelper() |
|
|
|
* Wed Jul 10 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-252.1 |
|
- Allow sbd_t domain to use nsswitch |
|
Resolves: rhbz#1728593 |
|
|
|
* Thu Jun 27 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-252 |
|
- Allow ganesha_t domain to connect to tcp portmap_port_t |
|
Resolves: rhbz#1715088 |
|
|
|
* Mon Jun 10 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-251 |
|
- Allow redis to creating tmp files with own label |
|
Resolves: rhbz#1646765 |
|
|
|
* Wed Jun 05 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-250 |
|
- Allow ctdb_t domain to manage samba_var_t files/links/sockets and dirs |
|
Resolves: rhbz#1716400 |
|
|
|
* Wed May 22 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-249 |
|
- Allow nrpe_t domain to read process state of systemd_logind_t |
|
- Add interface systemd_logind_read_state() |
|
Resolves: rhbz#1653309 |
|
|
|
* Tue May 21 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-248 |
|
- Label /etc/rhsm as rhsmcertd_config_t |
|
Resolves: rhbz#1703573 |
|
|
|
* Fri May 17 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-247 |
|
- Fix typo in gpg SELinux module |
|
- Update gpg policy to make ti working with confined users |
|
Resolves: rhbz#1535109 |
|
- Alow nrpe_t to send signull to sssd domain when nagios_run_sudo boolean is turned on |
|
Resolves: rhbz#1653309 |
|
- Allow nrpe_t domain to be dbus cliennt |
|
Resolves: rhbz#1653309 |
|
- Add interface sssd_signull() |
|
Resolves: rhbz#1653309 |
|
- Update userdomains to allow confined users to create gpg keys |
|
Resolves: rhbz#1535109 |
|
|
|
* Thu May 02 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-246 |
|
- Allow ngaios to use chown capability |
|
Resolves: rhbz#1653309 |
|
- Dontaudit gpg_domain to create netlink_audit sockets |
|
Resolves: rhbz#1535109 |
|
- Update fs_rw_cephfs_files() interface to allow also caller domain to read/write cephpfs_t lnk files |
|
Resolves: rhbz#1558836 |
|
- Update domain_can_mmap_files() boolean to allow also mmap lnk files |
|
|
|
* Thu Apr 25 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-245 |
|
- Allow rhsmcertd_t domain to read yum.log file labeled as rpm_log_t |
|
Resolves: rhbz#1695342 |
|
|
|
* Tue Apr 23 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-244 |
|
- Update Nagios policy when sudo is used |
|
Resolves: rhbz#1653309 |
|
|
|
* Mon Apr 08 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-243 |
|
- Allow modemmanager_t domain to write to raw_ip file labeled as sysfs_t |
|
Resolves: rhbz#1676810 |
|
|
|
* Tue Mar 26 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-242 |
|
- Make shell_exec_t type as entrypoint for vmtools_unconfined_t. |
|
Resolves: rhbz#1656814 |
|
|
|
* Wed Mar 13 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-241 |
|
- Update vmtools policy Resolves: rhbz#1656814 Allow domain transition from vmtools_t to vmtools_unconfined_t when shell_exec_t is entrypoint. |
|
- Allow virt_qemu_ga_t domain to read udev_var_run_t files |
|
Resolves: rhbz#1663092 |
|
- Update nagios_run_sudo boolean with few allow rules related to accessing sssd |
|
Resolves: rhbz#1653309 |
|
- Allow nfsd_t to read nvme block devices BZ(1562554) |
|
Resolves: rhbz#1655493 |
|
- Allow tangd_t domain to bind on tcp ports labeled as tangd_port_t |
|
Resolves: rhbz#1650909 |
|
- Allow all domains to send dbus msgs to vmtools_unconfined_t processes |
|
Resolves: rhbz#1656814 |
|
- Label /dev/pkey as crypt_device_t |
|
Resolves: rhbz#1623068 |
|
- Allow sudodomains to write to systemd_logind_sessions_t pipes. |
|
Resolves: rhbz#1687452 |
|
- Allow all user domains to read realmd_var_lib_t files and dirs to check if IPA is configured on the system |
|
Resolves: rhbz#1667962 |
|
- Fixes: xenconsole does not start |
|
Resolves: rhbz#1601525 |
|
- Label /usr/lib64/libcuda.so.XX.XX library as textrel_shlib_t. |
|
Resolves: rhbz#1636197 |
|
- Create tangd_port_t with default label tcp/7406 |
|
Resolves: rhbz#1650909 |
|
|
|
* Tue Mar 05 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-240 |
|
- named wants to access /proc/sys/net/ipv4/ip_local_port_range to get ehphemeral range. |
|
Resolves: rhbz#1683754 |
|
- Allow sbd_t domain to bypass permission checks for sending signals |
|
Resolves: rhbz#1671132 |
|
- Allow sbd_t domain read/write all sysctls |
|
Resolves: rhbz#1671132 |
|
- Allow kpatch_t domain to communicate with policykit_t domsin over dbus |
|
Resolves: rhbz#1602435 |
|
- Allow boltd_t to stream connect to sytem dbus |
|
Resolves: rhbz#1589086 |
|
- Update userdom_admin_user_template() and init_prog_run_bpf() interfaces to make working bpftool for confined admin |
|
Resolves: rhbz#1626115 |
|
- Update unconfined_dbus_send() interface to allow both direction communication over dbus with unconfined process. |
|
Resolves: rhbz#1589086 |
|
|
|
* Fri Mar 01 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-239 |
|
- Allow sbd_t domain read/write all sysctls |
|
Resolves: rhbz#1671132 |
|
- Allow kpatch_t domain to communicate with policykit_t domsin over dbus |
|
Resolves: rhbz#1602435 |
|
- Allow boltd_t to stream connect to sytem dbus |
|
Resolves: rhbz#1589086 |
|
- Update unconfined_dbus_send() interface to allow both direction communication over dbus with unconfined process. |
|
Resolves: rhbz#1589086 |
|
|
|
* Mon Feb 25 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-238 |
|
- Update redis_enable_notify() boolean to fix sending e-mail by redis when this boolean is turned on |
|
Resolves: rhbz#1646765 |
|
|
|
* Tue Feb 19 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-237 |
|
- Allow virtd_lxc_t domains use BPF |
|
Resolves: rhbz#1626115 |
|
- F29 NetworkManager implements a new code for IPv4 address conflict detection (RFC 5227) based on n-acd [1], which uses eBPF to process ARP packets from the network. |
|
Resolves: rhbz#1626115 |
|
- Allow unconfined user all perms under bpf class BZ(1565738 |
|
Resolves: rhbz#1626115 |
|
- Allow unconfined and sysadm users to use bpftool BZ(1591440) |
|
Resolves: rhbz#1626115 |
|
- Allow systemd to manage bpf dirs/files |
|
Resolves: rhbz#1626115 |
|
- Create new type bpf_t and label /sys/fs/bpf with this type |
|
Resolves:rhbz#1626115 |
|
- Add new interface init_prog_run_bpf() |
|
Resolves:rhbz#1626115 |
|
- add definition of bpf class and systemd perms |
|
Resolves: rhbz#1626115 |
|
|
|
* Sun Feb 03 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-236 |
|
- Update policy with multiple allow rules to make working installing VM in MLS policy |
|
Resolves: rhbz#1558121 |
|
- Allow virt domain to use interited virtlogd domains fifo_file |
|
Resolves: rhbz#1558121 |
|
- Allow chonyc_t domain to rw userdomain pipes |
|
Resolves: rhbz#1618757 |
|
- Add file contexts in ganesha.fc file to label logging ganesha files properly. |
|
Resolves: rhbz#1628247 |
|
|
|
* Thu Jan 31 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-235 |
|
- Allow sandbox_xserver_t domain write to user_tmp_t files |
|
Resolves: rhbz#1646521 |
|
- Allow virt_qemu_ga_t domain to read network state |
|
Resolves: rhbz#1630347 |
|
- Bolt added d-bus API for force-powering the thunderbolt controller, so system-dbusd needs acces to boltd pipes |
|
Resolves: rhbz#1589086 |
|
- Add boltd policy |
|
Resolves: rhbz#1589086 |
|
- Allow virt domains to read/write cephfs filesystems |
|
Resolves: rhbz#1558836 |
|
- Allow gpg_t to create own tmpfs dirs and sockets |
|
Resolves: rhbz#1535109 |
|
- Allow gpg_agent_t to send msgs to syslog/journal |
|
Resolves: rhbz#1535109 |
|
- Allow virtual machine to write to fixed_disk_device_t |
|
Resolves: rhbz#1499208 |
|
- Update kdump_manage_crash() interface to allow also manage dirs by caller domain |
|
Resolves: rhbz#1491585 |
|
- Add kpatch policy |
|
Resolves: rhbz#1602435 |
|
- Label /usr/bin/mysqld_safe_helper as mysqld_exec_t instead of bin_t |
|
Resolves: rhbz#1623942 |
|
- Allow svnserve_t domain to create in /tmp svn_0 file labeled as krb5_host_rcache_t |
|
Resolves: rhbz#1475271 |
|
- Allow systemd to mount boltd_var_run_t dirs |
|
Resolves: rhbz#1589086 |
|
- Allow systemd to mounont boltd lib dirs |
|
Resolves: rhbz#1589086 |
|
- Allow sysadm_t,staff_t and unconfined_t domain to execute kpatch as kpatch_t domain |
|
Resolves: rhbz#1602435 |
|
- Allow passwd_t domain chroot |
|
- Add miscfiles_filetrans_named_content_letsencrypt() to optional_block |
|
- Allow unconfined domains to create letsencrypt directory in /var/lib labeled as cert_t |
|
Resolves: rhbz#1447278 |
|
- Allow staff_t user to systemctl iptables units. |
|
Resolves: rhbz#1360470 |
|
|
|
* Thu Jan 31 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-234 |
|
- Label /usr/bin/mysqld_safe_helper as mysqld_exec_t instead of bin_t |
|
Resolves: rhbz#1623942 |
|
- Allow svnserve_t domain to create in /tmp svn_0 file labeled as krb5_host_rcache_t |
|
Resolves: rhbz#1475271 |
|
- Allow passwd_t domain chroot |
|
- Add miscfiles_filetrans_named_content_letsencrypt() to optional_block |
|
- Allow unconfined domains to create letsencrypt directory in /var/lib labeled as cert_t |
|
Resolves: rhbz#1447278 |
|
- Allow staff_t user to systemctl iptables units. |
|
Resolves: rhbz#1360470 |
|
|
|
* Thu Jan 17 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-233 |
|
- Allow gssd_t domain to manage kernel keyrings of every domain. |
|
Resolves: rhbz#1487350 |
|
- Add new interface domain_manage_all_domains_keyrings() |
|
Resolves: rhbz#1487350 |
|
|
|
* Sun Jan 13 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-232 |
|
- Allow gssd_t domain to read/write kernel keyrings of every domain. |
|
Resolves: rhbz#1487350 |
|
- Add interface domain_rw_all_domains_keyrings() |
|
Resolves: rhbz#1487350 |
|
|
|
* Wed Dec 19 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-231 |
|
- Update snapperd policy to allow snapperd manage all non security dirs. |
|
Resolves: rhbz#1619306 |
|
|
|
* Fri Nov 09 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-230 |
|
-Allow nova_t domain to use pam |
|
Resolves: rhbz:#1640528 |
|
- sysstat: grant sysstat_t the search_dir_perms set |
|
Resolves: rhbz#1637416 |
|
- Allow cinder_volume_t domain to dbus chat with systemd_logind_t domain |
|
Resolves: rhbz#1630318 |
|
- Allow staff_t userdomain and confined_admindomain attribute to allow use generic ptys because of new sudo feature 'io logging' |
|
Resolves: rhbz#1564470 |
|
- Make ganesha policy active again |
|
Resolves: rhbz#1511489 |
|
|
|
* Fri Oct 12 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-229.5 |
|
- Remove disabling ganesha module in pre install phase of installation new selinux-policy package where ganesha is again standalone module |
|
Resolves: rhbz#1638257 |
|
|
|
* Thu Oct 11 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-229.4 |
|
- Allow staff_t userdomain and confined_admindomain attribute to allow use generic ptys because of new sudo feature 'io logging' |
|
Resolves: rhbz#1638427 |
|
|
|
* Thu Oct 11 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-229.3 |
|
- Run ganesha as ganesha_t domain again, revert changes where ganesha is running as nfsd_t |
|
Resolves: rhbz#1638257 |
|
|
|
* Wed Oct 10 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-229.2 |
|
- Fix missing patch in spec file |
|
Resolves: rhbz#1635704 |
|
|
|
* Fri Oct 05 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-229.1 |
|
- Allow cinder_volume_t domain to dbus chat with systemd_logind_t domain |
|
Resolves: rhbz#1635704 |
|
|
|
* Wed Sep 26 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-229 |
|
- Allow neutron domain to read/write /var/run/utmp |
|
Resolves: rhbz#1630318 |
|
|
|
* Tue Sep 25 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-228 |
|
- Allow tomcat_domain to read /dev/random |
|
Resolves: rhbz#1631666 |
|
- Allow neutron_t domain to use pam |
|
Resolves: rhbz#1630318 |
|
|
|
* Mon Sep 17 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-227 |
|
- Add interface apache_read_tmp_dirs() |
|
- Allow dirsrvadmin_script_t domain to list httpd_tmp_t dirs |
|
Resolves: rhbz#1622602 |
|
|
|
* Sat Sep 15 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-226 |
|
- Allow tomcat servers to manage usr_t files |
|
Resolves: rhbz#1625678 |
|
- Dontaudit tomcat serves to append to /dev/random device |
|
Resolves: rhbz#1625678 |
|
- Allow sys_nice capability to mysqld_t domain |
|
- Allow dirsrvadmin_script_t domain to read httpd tmp files |
|
Resolves: rhbz#1622602 |
|
- Allow syslogd_t domain to manage cert_t files |
|
Resolves: rhbz#1615995 |
|
|
|
* Wed Sep 12 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-225 |
|
- Allow sbd_t domain to getattr of all char files in /dev and read sysfs_t files and dirs |
|
Resolves: rhbz#1627114 |
|
- Expand virt_read_lib_files() interface to allow list dirs with label virt_var_lib_t |
|
Resolves: rhbz#1567753 |
|
|
|
* Fri Sep 07 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-224 |
|
- Allow tomcat Tomcat to delete a temporary file used when compiling class files for JSPs. |
|
Resolves: rhbz#1625678 |
|
- Allow chronyd_t domain to read virt_var_lib_t files |
|
- Allow virtual machines to use dri devices. This allows use openCL GPU calculations. BZ(1337333) |
|
Resolves: rhbz#1625613 |
|
- Allow tomcat services create link file in /tmp |
|
Resolves: rhbz#1624289 |
|
- Add boolean: domain_can_mmap_files. |
|
Resolves: rhbz#1460322 |
|
|
|
* Sun Sep 02 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-223 |
|
- Make working SELinux sandbox with Wayland. |
|
Resolves: rhbz#1624308 |
|
- Allow svirt_t domain to mmap svirt_image_t block files |
|
Resolves: rhbz#1624224 |
|
- Add caps dac_read_search and dav_override to pesign_t domain |
|
- Allow iscsid_t domain to mmap userio chr files |
|
Resolves: rhbz#1623589 |
|
- Add boolean: domain_can_mmap_files. |
|
Resolves: rhbz#1460322 |
|
- Add execute_no_trans permission to mmap_exec_file_perms pattern |
|
- Allow sudodomain to search caller domain proc info |
|
- Allow xdm_t domain to mmap and read cert_t files |
|
- Replace optional policy blocks to make dbus interfaces effective |
|
Resolves: rhbz#1624414 |
|
- Add interface dev_map_userio_dev() |
|
|
|
* Wed Aug 29 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-222 |
|
- Allow readhead_t domain to mmap own pid files |
|
Resolves: rhbz#1614169 |
|
|
|
* Tue Aug 28 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-221 |
|
- Allow ovs-vswitchd labeled as openvswitch_t domain communicate with qemu-kvm via UNIX stream socket |
|
- Allow httpd_t domain to mmap tmp files |
|
Resolves: rhbz#1608355 |
|
- Update dirsrv_read_share() interface to allow caller domain to mmap dirsrv_share_t files |
|
- Update dirsrvadmin_script_t policy to allow read httpd_tmp_t symlinks |
|
- Label /dev/tpmrm[0-9]* as tpm_device_t |
|
- Allow semanage_t domain mmap usr_t files |
|
Resolves: rhbz#1622607 |
|
- Update dev_filetrans_all_named_dev() to allow create event22-30 character files with label event_device_t |
|
|
|
* Fri Aug 24 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-220 |
|
- Allow nagios_script_t domain to mmap nagios_log_t files |
|
Resolves: rhbz#1620013 |
|
- Allow nagios_script_t domain to mmap nagios_spool_t files |
|
Resolves: rhbz#1620013 |
|
- Update userdom_security_admin() and userdom_security_admin_template() to allow use auditctl |
|
Resolves: rhbz#1622197 |
|
- Update selinux_validate_context() interface to allow caller domain to mmap security_t files |
|
Resolves: rhbz#1622061 |
|
|
|
* Wed Aug 22 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-219 |
|
- Allow virtd_t domain to create netlink_socket |
|
- Allow rpm_t domain to write to audit |
|
- Allow rpm domain to mmap rpm_var_lib_t files |
|
Resolves: rhbz#1619785 |
|
- Allow nagios_script_t domain to mmap nagios_etc_t files |
|
Resolves: rhbz#1620013 |
|
- Update nscd_socket_use() to allow caller domain to stream connect to nscd_t |
|
Resolves: rhbz#1460715 |
|
- Allow secadm_t domain to mmap audit config and log files |
|
- Allow insmod_t domain to read iptables pid files |
|
- Allow systemd to mounton /etc |
|
Resolves: rhbz#1619785 |
|
|
|
* Tue Aug 21 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-218 |
|
- Allow kdumpctl_t domain to getattr fixed disk device in mls |
|
Resolves: rhbz#1615342 |
|
- Allow initrc_domain to mmap all binaries labeled as systemprocess_entry |
|
Resolves: rhbz#1615342 |
|
|
|
* Tue Aug 21 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-217 |
|
- Allow virtlogd to execute itself |
|
Resolves: rhbz#1598392 |
|
|
|
* Mon Aug 20 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-216 |
|
- Allow kdumpctl_t domain to manage kdumpctl_tmp_t fifo files |
|
Resolves: rhbz#1615342 |
|
- Allow kdumpctl to write to files on all levels |
|
Resolves: rhbz#1615342 |
|
- Fix typo in radius policy |
|
Resolves: rhbz#1619197 |
|
- Allow httpd_t domain to mmap httpd_config_t files |
|
Resolves: rhbz#1615894 |
|
- Add interface dbus_acquire_svc_system_dbusd() |
|
- Allow sanlock_t domain to connectto to unix_stream_socket |
|
Resolves: rhbz#1614965 |
|
- Update nfsd_t policy because of ganesha features |
|
Resolves: rhbz#1511489 |
|
- Allow conman to getattr devpts_t |
|
Resolves: rhbz#1377915 |
|
- Allow tomcat_domain to connect to smtp ports |
|
Resolves: rhbz#1253502 |
|
- Allow tomcat_t domain to mmap tomcat_var_lib_t files |
|
Resolves: rhbz#1618519 |
|
- Allow slapd_t domain to mmap slapd_var_run_t files |
|
Resolves: rhbz#1615319 |
|
- Allow nagios_t domain to mmap nagios_log_t files |
|
Resolves: rhbz#1618675 |
|
- Allow nagios to exec itself and mmap nagios spool files BZ(1559683) |
|
- Allow nagios to mmap nagios config files BZ(1559683) |
|
- Allow kpropd_t domain to mmap krb5kdc_principal_t files |
|
Resolves: rhbz#1619252 |
|
- Update syslogd policy to make working elasticsearch |
|
- Label tcp and udp ports 9200 as wap_wsp_port |
|
- Allow few domains to rw inherited kdumpctl tmp pipes |
|
Resolves: rhbz#1615342 |
|
|
|
* Fri Aug 10 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-215 |
|
- Allow systemd_dbusd_t domain read/write to nvme devices |
|
Resolves: rhbz#1614236 |
|
- Allow mysqld_safe_t do execute itself |
|
- Allow smbd_t domain to chat via dbus with avahi daemon |
|
Resolves: rhbz#1600157 |
|
- cupsd_t domain will create /etc/cupsd/ppd as cupsd_etc_rw_t |
|
Resolves: rhbz#1452595 |
|
- Allow amanda_t domain to getattr on tmpfs filesystem BZ(1527645) |
|
Resolves: rhbz#1452444 |
|
- Update screen_role_template to allow caller domain to have screen_exec_t as entrypoint do new domain |
|
Resolves: rhbz#1384769 |
|
- Add alias httpd__script_t to _script_t to make sepolicy generate working |
|
Resolves: rhbz#1271324 |
|
- Allow kprop_t domain to read network state |
|
Resolves: rhbz#1600705 |
|
- Allow sysadm_t domain to accept socket |
|
Resolves: rhbz#1557299 |
|
- Allow sshd_t domain to mmap user_tmp_t files |
|
Resolves: rhbz#1613437 |
|
|
|
* Tue Aug 07 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-214 |
|
- Allow sshd_t domain to mmap user_tmp_t files |
|
Resolves: rhbz#1613437 |
|
|
|
* Tue Aug 07 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-213 |
|
- Allow kprop_t domain to read network state |
|
Resolves: rhbz#1600705 |
|
|
|
* Tue Aug 07 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-212 |
|
- Allow kpropd domain to exec itself |
|
Resolves: rhbz#1600705 |
|
- Allow ipmievd_t to mmap kernel modules BZ(1552535) |
|
- Allow hsqldb_t domain to mmap own temp files |
|
Resolves: rhbz#1612143 |
|
- Allow hsqldb_t domain to read cgroup files |
|
Resolves: rhbz#1612143 |
|
- Allow rngd_t domain to read generic certs |
|
Resolves: rhbz#1612456 |
|
- Allow innd_t domain to mmap own var_lib_t files |
|
Resolves: rhbz#1600591 |
|
- Update screen_role_temaplate interface |
|
Resolves: rhbz#1384769 |
|
- Allow cupsd_t to create cupsd_etc_t dirs |
|
Resolves: rhbz#1452595 |
|
- Allow chronyd_t domain to mmap own tmpfs files |
|
Resolves: rhbz#1596563 |
|
- Allow cyrus domain to mmap own var_lib_t and var_run files |
|
Resolves: rhbz#1610374 |
|
- Allow sysadm_t domain to create rawip sockets |
|
Resolves: rhbz#1571591 |
|
- Allow sysadm_t domain to listen on socket |
|
Resolves: rhbz#1557299 |
|
- Update sudo_role_template() to allow caller domain also setattr generic ptys |
|
Resolves: rhbz#1564470 |
|
- Allow netutils_t domain to create bluetooth sockets |
|
Resolves: rhbz#1600586 |
|
|
|
* Fri Aug 03 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-211 |
|
- Allow innd_t domain to mmap own var_lib_t files |
|
Resolves: rhbz#1600591 |
|
- Update screen_role_temaplate interface |
|
Resolves: rhbz#1384769 |
|
- Allow cupsd_t to create cupsd_etc_t dirs |
|
Resolves: rhbz#1452595 |
|
- Allow chronyd_t domain to mmap own tmpfs files |
|
Resolves: rhbz#1596563 |
|
- Allow cyrus domain to mmap own var_lib_t and var_run files |
|
Resolves: rhbz#1610374 |
|
- Allow sysadm_t domain to create rawip sockets |
|
Resolves: rhbz#1571591 |
|
- Allow sysadm_t domain to listen on socket |
|
Resolves: rhbz#1557299 |
|
- Update sudo_role_template() to allow caller domain also setattr generic ptys |
|
Resolves: rhbz#1564470 |
|
- Allow netutils_t domain to create bluetooth sockets |
|
Resolves: rhbz#1600586 |
|
|
|
* Tue Jul 31 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-210 |
|
- Allow virtlogd_t domain to chat via dbus with systemd_logind |
|
Resolves: rhbz#1593740 |
|
|
|
* Sun Jul 29 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-209 |
|
- Allow sblim_sfcbd_t domain to mmap own tmpfs files |
|
Resolves: rhbz#1609384 |
|
- Update logging_manage_all_logs() interface to allow caller domain map all logfiles |
|
Resolves: rhbz#1592028 |
|
|
|
* Thu Jul 26 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-208 |
|
- Dontaudit oracleasm_t domain to request sys_admin capability |
|
- Allow iscsid_t domain to load kernel module |
|
Resolves: rhbz#1589295 |
|
- Update rhcs contexts to reflects the latest fenced changes |
|
- Allow httpd_t domain to rw user_tmp_t files |
|
Resolves: rhbz#1608355 |
|
- /usr/libexec/udisks2/udisksd should be labeled as devicekit_disk_exec_t |
|
Resolves: rhbz#1521063 |
|
- Allow tangd_t dac_read_search |
|
Resolves: rhbz#1607810 |
|
- Allow glusterd_t domain to mmap user_tmp_t files |
|
- Allow mongodb_t domain to mmap own var_lib_t files |
|
Resolves: rhbz#1607729 |
|
- Allow iscsid_t domain to mmap sysfs_t files |
|
Resolves: rhbz#1602508 |
|
- Allow tomcat_domain to search cgroup dirs |
|
Resolves: rhbz#1600188 |
|
- Allow httpd_t domain to mmap own cache files |
|
Resolves: rhbz#1603505 |
|
- Allow cupsd_t domain to mmap cupsd_etc_t files |
|
Resolves: rhbz#1599694 |
|
- Allow kadmind_t domain to mmap krb5kdc_principal_t |
|
Resolves: rhbz#1601004 |
|
- Allow virtlogd_t domain to read virt_etc_t link files |
|
Resolves: rhbz#1598593 |
|
- Allow dirsrv_t domain to read crack db |
|
Resolves: rhbz#1599726 |
|
- Dontaudit pegasus_t to require sys_admin capability |
|
Resolves: rhbz#1374570 |
|
- Allow mysqld_t domain to exec mysqld_exec_t binary files |
|
- Allow abrt_t odmain to read rhsmcertd lib files |
|
Resolves: rhbz#1601389 |
|
- Allow winbind_t domain to request kernel module loads |
|
Resolves: rhbz#1599236 |
|
- Allow gpsd_t domain to getsession and mmap own tmpfs files |
|
Resolves: rhbz#1598388 |
|
- Allow smbd_t send to nmbd_t via dgram sockets BZ(1563791) |
|
Resolves: rhbz#1600157 |
|
- Allow tomcat_domain to read cgroup_t files |
|
Resolves: rhbz#1601151 |
|
- Allow varnishlog_t domain to mmap varnishd_var_lib_t files |
|
Resolves: rhbz#1600704 |
|
- Allow dovecot_auth_t domain to manage also dovecot_var_run_t fifo files. BZ(1320415) |
|
Resolves: rhbz#1600692 |
|
- Fix ntp SELinux module |
|
- Allow innd_t domain to mmap news_spool_t files |
|
Resolves: rhbz#1600591 |
|
- Allow haproxy daemon to reexec itself. BZ(1447800) |
|
Resolves: rhbz#1600578 |
|
- Label HOME_DIR/mozilla.pdf file as mozilla_home_t instead of user_home_t |
|
Resolves: rhbz#1559859 |
|
- Allow pkcs_slotd_t domain to mmap own tmpfs files |
|
Resolves: rhbz#1600434 |
|
- Allow fenced_t domain to reboot |
|
Resolves: rhbz#1293384 |
|
- Allow bluetooth_t domain listen on bluetooth sockets BZ(1549247) |
|
Resolves: rhbz#1557299 |
|
- Allow lircd to use nsswitch. BZ(1401375) |
|
- Allow targetd_t domain mmap lvm config files |
|
Resolves: rhbz#1546671 |
|
- Allow amanda_t domain to read network system state |
|
Resolves: rhbz#1452444 |
|
- Allow abrt_t domain to read rhsmcertd logs |
|
Resolves: rhbz#1492059 |
|
- Allow application_domain_type also mmap inherited user temp files BZ(1552765) |
|
Resolves: rhbz#1608421 |
|
- Allow ipsec_t domain to read l2tpd pid files |
|
Resolves: rhbz#1607994 |
|
- Allow systemd_tmpfiles_t do mmap system db files |
|
- Improve domain_transition_pattern to allow mmap entrypoint bin file. |
|
Resolves: rhbz#1460322 |
|
- Allow nsswitch_domain to mmap passwd_file_t files BZ(1518655) |
|
Resolves: rhbz#1600528 |
|
- Dontaudit syslogd to watching top llevel dirs when imfile module is enabled |
|
Resolves: rhbz#1601928 |
|
- Allow ipsec_t can exec ipsec_exec_t |
|
Resolves: rhbz#1600684 |
|
- Allow netutils_t domain to mmap usmmon device |
|
Resolves: rhbz#1600586 |
|
- Allow netlabel_mgmt_t domain to read sssd public files, stream connect to sssd_t BZ(1483655) |
|
- Allow userdomain sudo domains to use generic ptys |
|
Resolves: rhbz#1564470 |
|
- Allow traceroute to create icmp packets |
|
Resolves: rhbz#1548350 |
|
- Allow systemd domain to mmap lvm config files BZ(1594584) |
|
- Add new interface lvm_map_config |
|
- refpolicy: Update for kernel sctp support Resolves: rhbz#1597111 Add additional entries to support the kernel SCTP implementation introduced in kernel 4.16 |
|
|
|
* Fri Jun 29 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-207 |
|
- Update oddjob_domtrans_mkhomedir() interface to allow caller domain also mmap oddjob_mkhomedir_exec_t files |
|
Resolves: rhbz#1596306 |
|
- Update rhcs_rw_cluster_tmpfs() interface to allow caller domain to mmap cluster_tmpfs_t files |
|
Resolves: rhbz#1589257 |
|
- Allow radiusd_t domain to read network sysctls |
|
Resolves: rhbz#1516233 |
|
- Allow chronyc_t domain to use nscd shm |
|
Resolves: rhbz#1596563 |
|
- Label /var/lib/tomcats dir as tomcat_var_lib_t |
|
Resolves: rhbz#1596367 |
|
- Allow lsmd_t domain to mmap lsmd_plugin_exec_t files |
|
Resolves: rhbz#bea0c8174 |
|
- Label /usr/sbin/rhn_check-[0-9]+.[0-9]+ as rpm_exec_t |
|
Resolves: rhbz#1596509 |
|
- Update seutil_exec_loadpolicy() interface to allow caller domain to mmap load_policy_exec_t files |
|
Resolves: rhbz#1596072 |
|
- Allow xdm_t to read systemd hwdb |
|
Resolves: rhbz#1596720 |
|
- Allow dhcpc_t domain to mmap files labeled as ping_exec_t |
|
Resolves: rhbz#1596065 |
|
|
|
* Wed Jun 27 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-206 |
|
- Allow tangd_t domain to create tcp sockets |
|
Resolves: rhbz#1595775 |
|
- Update postfix policy to allow postfix_master_t domain to mmap all postfix* binaries |
|
Resolves: rhbz#1595328 |
|
- Allow amanda_t domain to have setgid capability |
|
Resolves: rhbz#1452444 |
|
- Update usermanage_domtrans_useradd() to allow caller domain to mmap useradd_exec_t files |
|
Resolves: rhbz#1595667 |
|
|
|
* Tue Jun 26 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-205 |
|
- Allow abrt_watch_log_t domain to mmap binaries with label abrt_dump_oops_exec_t |
|
Resolves: rhbz#1591191 |
|
- Update cups_filetrans_named_content() to allow caller domain create ppd directory with cupsd_etc_rw_t label |
|
Resolves: rhbz#1452595 |
|
- Allow abrt_t domain to write to rhsmcertd pid files |
|
Resolves: rhbz#1492059 |
|
- Allow pegasus_t domain to eexec lvm binaries and allow read/write access to lvm control |
|
Resolves: rhbz#1463470 |
|
- Add vhostmd_t domain to read/write to svirt images |
|
Resolves: rhbz#1465276 |
|
- Dontaudit action when abrt-hook-ccpp is writing to nscd sockets |
|
Resolves: rhbz#1460715 |
|
- Update openvswitch policy |
|
Resolves: rhbz#1594729 |
|
- Update kdump_manage_kdumpctl_tmp_files() interface to allow caller domain also mmap kdumpctl_tmp_t files |
|
Resolves: rhbz#1583084 |
|
- Allow sssd_t and slpad_t domains to mmap generic certs |
|
Resolves: rhbz#1592016 |
|
Resolves: rhbz#1592019 |
|
- Allow oddjob_t domain to mmap binary files as oddjob_mkhomedir_exec_t files |
|
Resolves: rhbz#1592022 |
|
- Update dbus_system_domain() interface to allow system_dbusd_t domain to mmap binary file from second parameter |
|
Resolves: rhbz#1583080 |
|
- Allow chronyc_t domain use inherited user ttys |
|
Resolves: rhbz#1593267 |
|
- Allow stapserver_t domain to mmap own tmp files |
|
Resolves: rhbz#1593122 |
|
- Allow sssd_t domain to mmap files labeled as sssd_selinux_manager_exec_t |
|
Resolves: rhbz#1592026 |
|
- Update policy for ypserv_t domain |
|
Resolves: rhbz#1592032 |
|
- Allow abrt_dump_oops_t domain to mmap all non security files |
|
Resolves: rhbz#1593728 |
|
- Allow svirt_t domain mmap svirt_image_t files |
|
Resolves: rhbz#1592688 |
|
- Allow virtlogd_t domain to write inhibit systemd pipes. |
|
Resolves: rhbz#1593740 |
|
- Allow sysadm_t and staff_t domains to use sudo io logging |
|
Resolves: rhbz#1564470 |
|
- Allow sysadm_t domain create sctp sockets |
|
Resolves: rhbz#1571591 |
|
- Update mount_domtrans() interface to allow caller domain mmap mount_exec_t |
|
Resolves: rhbz#1592025 |
|
- Allow dhcpc_t to mmap all binaries with label hostname_exec_t, ifconfig_exec_t and netutils_exec_t |
|
Resolves: rhbz#1594661 |
|
|
|
* Thu Jun 14 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-204 |
|
- Fix typo in logwatch interface file |
|
- Allow spamd_t to manage logwatch_cache_t files/dirs |
|
- Allow dnsmasw_t domain to create own tmp files and manage mnt files |
|
- Allow fail2ban_client_t to inherit rlimit information from parent process |
|
Resolves: rhbz#1513100 |
|
- Allow nscd_t to read kernel sysctls |
|
Resolves: rhbz#1512852 |
|
- Label /var/log/conman.d as conman_log_t |
|
Resolves: rhbz#1538363 |
|
- Add dac_override capability to tor_t domain |
|
Resolves: rhbz#1540711 |
|
- Allow certmonger_t to readwrite to user_tmp_t dirs |
|
Resolves: rhbz#1543382 |
|
- Allow abrt_upload_watch_t domain to read general certs |
|
Resolves: rhbz#1545098 |
|
- Update postfix_domtrans_master() interface to allow caller domain also mmap postfix_master_exec_t binary |
|
Resolves: rhbz#1583087 |
|
- Allow postfix_domain to mmap postfix_qmgr_exec_t binaries |
|
Resolves: rhbz#1583088 |
|
- Allow postfix_domain to mmap postfix_pickup_exec_t binaries |
|
Resolves: rhbz#1583091 |
|
- Allow chornyd_t read phc2sys_t shared memory |
|
Resolves: rhbz#1578883 |
|
- Allow virt_qemu_ga_t read utmp |
|
Resolves: rhbz#1571202 |
|
- Add several allow rules for pesign policy: Resolves: rhbz#1468744 - Allow pesign domain to read /dev/random - Allow pesign domain to create netlink_kobject_uevent_t sockets - Allow pesign domain create own tmp files |
|
- Add setgid and setuid capabilities to mysqlfd_safe_t domain |
|
Resolves: rhbz#1474440 |
|
- Add tomcat_can_network_connect_db boolean |
|
Resolves: rhbz#1477948 |
|
- Update virt_use_sanlock() boolean to read sanlock state |
|
Resolves: rhbz#1448799 |
|
- Add sanlock_read_state() interface |
|
- Allow postfix_cleanup_t domain to stream connect to all milter sockets BZ(1436026) |
|
Resolves: rhbz#1563423 |
|
- Update abrt_domtrans and abrt_exec() interfaces to allow caller domain to mmap binary file |
|
Resolves:rhbz#1583080 |
|
- Update nscd_domtrans and nscd_exec interfaces to allow caller domain also mmap nscd binaries |
|
Resolves: rhbz#1583086 |
|
- Update snapperd_domtrans() interface to allow caller domain to mmap snapperd_exec_t file |
|
Resolves: rhbz#1583802 |
|
- Allow zoneminder_t to getattr of fs_t |
|
Resolves: rhbz#1585328 |
|
- Fix denials during ipa-server-install process on F27+ |
|
Resolves: rhbz#1586029 |
|
- Allow ipa_dnskey_t to exec ipa_dnskey_exec_t files |
|
Resolves: rhbz#1586033 |
|
- Allow rhsmcertd_t domain to send signull to postgresql_t domain |
|
Resolves: rhbz#1588119 |
|
- Allow policykit_t domain to dbus chat with dhcpc_t |
|
Resolves: rhbz#1364513 |
|
- Adding new boolean keepalived_connect_any() |
|
Resolves: rhbz#1443473 |
|
- Allow amanda to create own amanda_tmpfs_t files |
|
Resolves: rhbz#1452444 |
|
- Add amanda_tmpfs_t label. BZ(1243752) |
|
- Allow gdomap_t domain to connect to qdomap_port_t |
|
Resolves: rhbz#1551944 |
|
- Fix typos in sge |
|
- Fix typo in openvswitch policy |
|
- /usr/libexec/bluetooth/obexd should have only obexd_exec_t instead of bluetoothd_exec_t type |
|
- Allow sshd_keygen_t to execute plymouthd |
|
Resolves: rhbz#1583531 |
|
- Update seutil_domtrans_setfiles() interface to allow caller domain to do mmap on setfiles_exec_t binary |
|
Resolves: rhbz#1583090 |
|
- Allow systemd_networkd_t create and relabel tun sockets |
|
Resolves: rhbz#1583830 |
|
- Allow map audisp_exec_t files fordomains executing this binary |
|
Resolves: rhbz#1586042 |
|
- Add new interface postgresql_signull() |
|
- Add fs_read_xenfs_files() interface. |
|
|
|
* Mon Jun 11 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-203 |
|
- /usr/libexec/bluetooth/obexd should have only obexd_exec_t instead of bluetoothd_exec_t type |
|
- Allow dac override capability to mandb_t domain BZ(1529399) |
|
Resolves: rhbz#1423361 |
|
- Allow inetd_child process to chat via dbus with abrt |
|
Resolves: rhbz#1428805 |
|
- Allow zabbix_agent_t domain to connect to redis_port_t |
|
Resolves: rhbz#1418860 |
|
- Allow rhsmcertd_t domain to read xenfs_t files |
|
Resolves: rhbz#1405870 |
|
- Allow zabbix_agent_t to run zabbix scripts |
|
Resolves: rhbz#1380697 |
|
- Allow rabbitmq_t domain to create own tmp files/dirs |
|
Resolves: rhbz#1546897 |
|
- Allow policykit_t mmap policykit_auth_exec_t files |
|
Resolves: rhbz#1583082 |
|
- Allow ipmievd_t domain to read general certs |
|
Resolves: rhbz#1514591 |
|
- Add sys_ptrace capability to pcp_pmie_t domain |
|
- Allow squid domain to exec ldconfig |
|
Resolves: rhbz#1532017 |
|
- Make working gpg agent in gpg_agent_t domain |
|
Resolves: rhbz#1535109 |
|
- Update gpg SELinux policy module |
|
- Allow kexec to read kernel module files in /usr/lib/modules. |
|
Resolves: rhbz#1536690 |
|
- Allow mailman_domain to read system network state |
|
Resolves: rhbz#1413510 |
|
- Allow mailman_mail_t domain to search for apache configs |
|
Resolves: rhbz#1413510 |
|
- Allow openvswitch_t domain to read neutron state and read/write fixed disk devices |
|
Resolves: rhbz#1499208 |
|
- Allow antivirus_domain to read all domain system state |
|
Resolves: rhbz#1560986 |
|
- Allow targetd_t domain to red gconf_home_t files/dirs |
|
Resolves: rhbz#1546671 |
|
- Allow freeipmi domain to map sysfs_t files |
|
Resolves: rhbz#1575918 |
|
- Label /usr/libexec/bluetooth/obexd as obexd_exec_t |
|
Resolves: rhbz#1351750 |
|
- Update rhcs SELinux module |
|
Resolves: rhbz#1589257 |
|
- Allow iscsid_t domain mmap kernel modules |
|
Resolves: rhbz#1589295 |
|
- Allow iscsid_t domain mmap own tmp files |
|
Resolves: rhbz#1589295 |
|
- Update iscsid_domtrans() interface to allow mmap iscsid_exec_t binary |
|
Resolves: rhbz#1589295 |
|
- Update nscd_socket_use interface to allow caller domain also mmap nscd_var_run_t files. |
|
Resolves: rhbz#1589271 |
|
- Allow nscd_t domain to mmap system_db_t files |
|
Resolves: rhbz#1589271 |
|
- Add interface nagios_unconfined_signull() |
|
- Allow lircd_t domain read sssd public files Add setgid capability to lircd_t domain |
|
Resolves: rhbz#1550700 |
|
- Add missing requires |
|
- Allow tomcat domain sends email |
|
Resolves: rhbz#1585184 |
|
- Allow memcached_t domain nnp_transition becuase of systemd security features BZ(1514867) |
|
Resolves: rhbz#1585714 |
|
- Allow kdump_t domain to map /boot files |
|
Resolves: rhbz#1588884 |
|
- Fix typo in netutils policy |
|
- Allow confined users get AFS tokens |
|
Resolves: rhbz#1417671 |
|
- Allow sysadm_t domain to chat via dbus |
|
Resolves: rhbz#1582146 |
|
- Associate sysctl_kernel_t type with filesystem attribute |
|
- Allow confined users to use new socket classes for bluetooth, alg and tcpdiag sockets |
|
Resolves: rhbz#1557299 |
|
- Allow user_t and staff_t domains create netlink tcpdiag sockets |
|
Resolves: rhbz#1557281 |
|
- Add interface dev_map_sysfs |
|
- Allow xdm_t domain to execute xdm_var_lib_t files |
|
Resolves: rhbz#1589139 |
|
- Allow syslogd_t domain to send signull to nagios_unconfined_plugin_t |
|
Resolves: rhbz#1569344 |
|
- Label /dev/vhost-vsock char device as vhost_device_t |
|
- Add files_map_boot_files() interface |
|
Resolves: rhbz#1588884 |
|
- Update traceroute_t domain to allow create dccp sockets |
|
Resolves: rhbz#1548350 |
|
|
|
* Wed Jun 06 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-202 |
|
- Update ctdb domain to support gNFS setup |
|
Resolves: rhbz#1576818 |
|
- Allow authconfig_t dbus chat with policykit |
|
Resolves: rhbz#1551241 |
|
- Allow lircd_t domain to read passwd_file_t |
|
Resolves: rhbz:#1550700 |
|
- Allow lircd_t domain to read system state |
|
Resolves: rhbz#1550700 |
|
- Allow smbcontrol_t to mmap samba_var_t files and allow winbind create sockets BZ(1559795) |
|
Resolves: rhbz#1574521 |
|
- Allow tangd_t domain read certs |
|
Resolves: rhbz#1509055 |
|
- Allow httpd_sys_script_t to connect to mongodb_port_t if boolean httpd_can_network_connect_db is turned on |
|
Resolves: rhbz:#1579219 |
|
- Allow chronyc_t to redirect ourput to /var/lib /var/log and /tmp |
|
Resolves: rhbz#1574418 |
|
- Allow ctdb_t domain modify ctdb_exec_t files |
|
Resolves: rhbz#1572584 |
|
- Allow chrome_sandbox_t to mmap tmp files |
|
Resolves: rhbz#1574392 |
|
- Allow ulogd_t to create netlink_netfilter sockets. |
|
Resolves: rhbz#1575924 |
|
- Update ulogd SELinux security policy |
|
- Allow rhsmcertd_t domain send signull to apache processes |
|
Resolves: rhbz#1576555 |
|
- Allow freeipmi domain to read sysfs_t files |
|
Resolves: rhbz#1575918 |
|
- Allow smbcontrol_t to create dirs with samba_var_t label |
|
Resolves: rhbz#1574521 |
|
- Allow swnserve_t domain to stream connect to sasl domain |
|
Resolves: rhbz#1574537 |
|
- Allow SELinux users (except guest and xguest) to using bluetooth sockets |
|
Resolves: rhbz#1557299 |
|
- Allow confined users to use new socket classes for bluetooth, alg and tcpdiag sockets |
|
Resolves: rhbz#1557299 |
|
- Fix broken sysadm SELinux module |
|
Resolves: rhbz#1557311 |
|
- Allow user_t and staff_t domains create netlink tcpdiag sockets |
|
Resolves: rhbz#1557281 |
|
- Update ssh_domtrans_keygen interface to allow mmap ssh_keygen_exec_t binary file |
|
Resolves: rhbz#1583089 |
|
- Allow systemd_networkd_t to read/write tun tap devices |
|
Resolves: rhbz#1583830 |
|
- Add bridge_socket, dccp_socket, ib_socket and mpls_socket to socket_class_set |
|
Resolves: rhbz#1583771 |
|
- Allow audisp_t domain to mmap audisp_exec_t binary |
|
Resolves: rhbz#1583551 |
|
- Fix duplicates in sysadm.te file |
|
Resolves: rhbz#1307183 |
|
- Allow sysadm_u use xdm |
|
Resolves: rhbz#1307183 |
|
- Fix typo in sysnetwork.if file |
|
Resolves: rhbz#1581551 |
|
|
|
* Sun May 27 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-201 |
|
- Fix duplicates in sysadm.te file |
|
Resolves: rhbz#1307183 |
|
|
|
* Sat May 26 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-200 |
|
- Allow sysadm_u use xdm |
|
Resolves: rhbz#1307183 |
|
|
|
* Fri May 25 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-199 |
|
- Allow httpd_sys_script_t to connect to mongodb_port_t if boolean httpd_can_network_connect_db is turned on |
|
Resolves: rhbz:#1579219 |
|
- Allow chronyc_t to redirect ourput to /var/lib /var/log and /tmp |
|
Resolves: rhbz#1574418 |
|
- Allow chrome_sandbox_t to mmap tmp files |
|
Resolves: rhbz#1574392 |
|
- Allow ulogd_t to create netlink_netfilter sockets. |
|
Resolves: rhbz#1575924 |
|
- Update ulogd SELinux security policy |
|
- Allow rhsmcertd_t domain send signull to apache processes |
|
Resolves: rhbz#1576555 |
|
- Allow freeipmi domain to read sysfs_t files |
|
Resolves: rhbz#1575918 |
|
- Allow smbcontrol_t to create dirs with samba_var_t label |
|
Resolves: rhbz#1574521 |
|
- Allow swnserve_t domain to stream connect to sasl domain |
|
Resolves: rhbz#1574537 |
|
- Fix typo in sysnetwork.if file |
|
Resolves: rhbz#1581551 |
|
|
|
* Fri May 25 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-198 |
|
- Fix typo in sysnetwork.if file |
|
Resolves: rhbz#1581551 |
|
|
|
* Thu May 24 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-197 |
|
- Improve procmail_domtrans() to allow mmaping procmail_exec_t |
|
- Allow hypervvssd_t domain to read fixed disk devices |
|
Resolves: rhbz#1581225 |
|
- Improve modutils_domtrans_insmod() interface to mmap insmod_exec_t binaries |
|
Resolves: rhbz#1581551 |
|
- Improve iptables_domtrans() interface to allow mmaping iptables_exec_t binary |
|
Resolves: rhbz#1581551 |
|
- Improve auth_domtrans_login_programinterface to allow also mmap login_exec_t binaries |
|
Resolves: rhbz#1581551 |
|
- Improve auth_domtrans_chk_passwd() interface to allow also mmaping chkpwd_exec_t binaries. |
|
Resolves: rhbz#1581551 |
|
- Allow mmap dhcpc_exec_t binaries in sysnet_domtrans_dhcpc interface |
|
|
|
* Mon May 21 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-196 |
|
- Add dbus_stream_connect_system_dbusd() interface. |
|
- Allow pegasus_t domain to mount tracefs_t filesystem |
|
Resolves:rhbz#1374570 |
|
- Allow psad_t domain to read all domains state |
|
Resolves: rhbz#1558439 |
|
- Add net_raw capability to named_t domain BZ(1545586) |
|
- Allow tomcat_t domain to connect to mongod_t tcp port |
|
Resolves:rhbz#1539748 |
|
- Allow dovecot and postfix to connect to systemd stream sockets |
|
Resolves: rhbz#1368642 |
|
- Label /usr/libexec/bluetooth/obexd as bluetoothd_exec_t to run process as bluetooth_t |
|
Resolves:rhbz#1351750 |
|
- Rename tang policy to tangd |
|
- Add interface systemd_rfkill_domtrans() |
|
- Allow users staff and sysadm to run wireshark on own domain |
|
Resolves:rhbz#1546362 |
|
- Allow systemd-bootchart to create own tmpfs files |
|
Resolves:rhbz#1510412 |
|
|
|
* Wed Apr 25 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-195 |
|
- Rename tang policy to tangd |
|
- Allow virtd_t domain to relabel virt_var_lib_t files |
|
Resolves: rhbz#1558121 |
|
- Allow logrotate_t domain to stop services via systemd |
|
Resolves: rhbz#1527522 |
|
- Add tang policy |
|
Resolves: rhbz#1509055 |
|
- Allow mozilla_plugin_t to create mozilla.pdf file in user homedir with label mozilla_home_t |
|
Resolves: rhbz#1559859 |
|
- Improve snapperd SELinux policy |
|
Resolves: rhbz#1365555 |
|
- Allow snapperd_t daemon to create unlabeled dirs. |
|
Resolves: rhbz#1365555 |
|
- We have inconsistency in cgi templates with upstream, we use _content_t, but refpolicy use httpd__content_t. Created aliasses to make it consistence |
|
Resolves: rhbz#1271324 |
|
- Allow Openvswitch adding netdev bridge ovs 2.7.2.10 FDP |
|
Resolves: rhbz#1503835 |
|
- Add new Boolean tomcat_use_execmem |
|
Resolves: rhbz#1565226 |
|
- Allow domain transition from logrotate_t to chronyc_t |
|
Resolves: rhbz#1568281 |
|
- Allow nfsd_t domain to read/write sysctl fs files |
|
Resolves: rhbz#1516593 |
|
- Allow conman to read system state |
|
Resolves: rhbz#1377915 |
|
- Allow lircd_t to exec shell and add capabilities dac_read_search and dac_override |
|
Resolves: rhbz#1550700 |
|
- Allow usbmuxd to access /run/udev/data/+usb:*. |
|
Resolves: rhbz#1521054 |
|
- Allow abrt_t domain to manage kdump crash files |
|
Resolves: rhbz#1491585 |
|
- Allow systemd to use virtio console |
|
Resolves: rhbz#1558121 |
|
- Allow transition from sysadm role into mdadm_t domain. |
|
Resolves: rhbz#1551568 |
|
- Label /dev/op_panel and /dev/opal-prd as opal_device_t |
|
Resolves: rhbz#1537618 |
|
- Label /run/ebtables.lock as iptables_var_run_t |
|
Resolves: rhbz#1511437 |
|
- Allow udev_t domain to manage udev_rules_t char files. |
|
Resolves: rhbz#1545094 |
|
- Allow nsswitch_domain to read virt_var_lib_t files, because of libvirt NSS plugin. |
|
Resolves: rhbz#1567753 |
|
- Fix filesystem inteface file, we don't have nsfs_fs_t type, just nsfs_t |
|
Resolves: rhbz#1547700 |
|
- Allow iptables_t domain to create dirs in etc_t with system_conf_t labels |
|
|
|
* Sat Apr 07 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-194 |
|
- Add new boolean redis_enable_notify() |
|
Resolves: rhbz#1421326 |
|
- Label /var/log/shibboleth-www(/.*) as httpd_sys_rw_content_t |
|
Resolves: rhbz#1549514 |
|
- Add new label for vmtools scripts and label it as vmtools_unconfined_t stored in /etc/vmware-tools/ |
|
Resolves: rbhz#1463593 |
|
- Remove labeling for /etc/vmware-tools to bin_t it should be vmtools_unconfined_exec_t |
|
Resolves: rbhz#1463593 |
|
|
|
* Thu Apr 05 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-193 |
|
- Backport several changes for snapperdfrom Fedora Rawhide |
|
Resolves: rhbz#1556798 |
|
- Allow snapperd_t to set priority for kernel processes |
|
Resolves: rhbz#1556798 |
|
- Make ganesha nfs server. |
|
Resolves: rhbz#1511489 |
|
- Allow vxfs filesystem to use SELinux labels |
|
Resolves: rhbz#1482880 |
|
- Add map permission to selinux-policy |
|
Resolves: rhbz#1460322 |
|
|
|
* Tue Feb 27 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-192 |
|
- Label /usr/libexec/dbus-1/dbus-daemon-launch-helper as dbusd_exec_t to have systemd dbus services running in the correct domain instead of unconfined_service_t if unconfined.pp module is enabled. |
|
Resolves: rhbz#1546721 |
|
|
|
* Mon Feb 19 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-191 |
|
- Allow openvswitch_t stream connect svirt_t |
|
Resolves: rhbz#1540702 |
|
|
|
* Fri Feb 16 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-190 |
|
- Allow openvswitch domain to manage svirt_tmp_t sock files |
|
Resolves: rhbz#1540702 |
|
- Fix broken systemd_tmpfiles_run() interface |
|
|
|
* Wed Feb 07 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-189 |
|
- Allow dirsrv_t domain to create tmp link files |
|
Resolves: rhbz#1536011 |
|
- Label /usr/sbin/ldap-agent as dirsrv_snmp_exec_t |
|
Resolves: rhbz#1428568 |
|
- Allow ipsec_mgmt_t execute ifconfig_exec_t binaries |
|
- Allow ipsec_mgmt_t nnp domain transition to ifconfig_t |
|
Resolves: rhbz#1539416 |
|
|
|
* Wed Feb 07 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-188 |
|
- Allow svirt_domain to create socket files in /tmp with label svirt_tmp_t |
|
Resolves: rhbz#1540702 |
|
- Allow keepalived_t domain getattr proc filesystem |
|
Resolves: rhbz#1477542 |
|
- Rename svirt_sandbox_file_t to container_file_t and svirt_lxc_net_t to container_t |
|
Resolves: rhbz#1538544 |
|
- Allow ipsec_t nnp transistions to domains ipsec_mgmt_t and ifconfig_t |
|
Resolves: rhbz:#1539416 |
|
- Allow systemd_logind_t domain to bind on dhcpd_port_t,pki_ca_port_t,flash_port_t |
|
Resolves: rhbz#1479350 |
|
|
|
* Tue Feb 06 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-187 |
|
- Allow openvswitch_t domain to read cpuid, write to sysfs files and creating openvswitch_tmp_t sockets |
|
Resolves: rhbz#1535196 |
|
- Add new interface ppp_filetrans_named_content() |
|
Resolves: rhbz#1530601 |
|
- Allow keepalived_t read sysctl_net_t files |
|
Resolves: rhbz#1477542 |
|
- Allow puppetmaster_t domtran to puppetagent_t |
|
Resolves: rhbz#1376893 |
|
- Allow kdump_t domain to read kernel ring buffer |
|
Resolves: rhbz#1540004 |
|
- Allow ipsec_t domain to exec ifconfig_exec_t binaries. |
|
Resolves: rhbz#1539416 |
|
- Allow unconfined_domain_typ to create pppd_lock_t directory in /var/lock |
|
Resolves: rhbz#1530601 |
|
- Allow updpwd_t domain to create files in /etc with shadow_t label |
|
Resolves: rhbz#1412838 |
|
- Allow iptables sysctl load list support with SELinux enforced |
|
Resolves: rhbz#1535572 |
|
|
|
* Wed Jan 17 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-186 |
|
- Allow virt_domains to acces infiniband pkeys. |
|
Resolves: rhbz#1533183 |
|
- Label /usr/libexec/ipsec/addconn as ipsec_exec_t to run this script as ipsec_t instead of init_t |
|
Resolves: rhbz#1535133 |
|
- Allow audisp_remote_t domain write to files on all levels |
|
Resolves: rhbz#1534924 |
|
|
|
* Thu Jan 11 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-185 |
|
- Allow vmtools_t domain creating vmware_log_t files |
|
Resolves: rhbz#1507048 |
|
- Allow openvswitch_t domain to acces infiniband devices |
|
Resolves: rhbz#1532705 |
|
|
|
* Wed Jan 10 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-184 |
|
- Allow chronyc_t domain to manage chronyd_keys_t files. |
|
Resolves: rhbz#1530525 |
|
- Make virtlog_t domain system dbus client |
|
Resolves: rhbz#1481109 |
|
- Update openvswitch SELinux module |
|
Resolves: rhbz#1482682 |
|
- Allow virtd_t to create also sock_files with label virt_var_run_t |
|
Resolves: rhbz#1484075 |
|
|
|
* Mon Dec 11 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-183 |
|
- Allow domains that manage logfiles to man logdirs |
|
Resolves: rhbz#1523811 |
|
|
|
* Thu Dec 07 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-182 |
|
- Label /dev/drm_dp_aux* as xserver_misc_device_t |
|
Resolves: rhbz#1520897 |
|
- Allow sysadm_t to run puppet_exec_t binaries as puppet_t |
|
Resolves: rhbz#1255745 |
|
|
|
* Mon Dec 04 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-181 |
|
- Allow tomcat_t to manage pki_tomcat pid files |
|
Resolves: rhbz#1478371 |
|
- networkmanager: allow talking to openvswitch |
|
Resolves: rhbz#1517247 |
|
- Allow networkmanager_t and opensm_t to manage subned endports for IPoIB VLANs |
|
Resolves: rhbz#1517895 |
|
- Allow domains networkmanager_t and opensm_t to control IPoIB VLANs |
|
Resolves: rhbz#1517744 |
|
- Fix typo in guest interface file |
|
Resolves: rhbz#1468254 |
|
- Allow isnsd_t domain to accept tcp connections. |
|
Resolves: rhbz#1390208 |
|
|
|
* Mon Nov 20 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-180 |
|
- Allow getty to use usbttys |
|
Resolves: rhbz#1514235 |
|
|
|
* Mon Nov 13 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-179 |
|
- Allow ldap_t domain to manage also slapd_tmp_t lnk files |
|
Resolves: rhbz#1510883 |
|
- Allow cluster_t domain creating bundles directory with label var_log_t instead of cluster_var_log_t |
|
Resolves: rhbz:#1508360 |
|
- Add dac_read_search and dac_override capabilities to ganesha |
|
Resolves: rhbz#1483451 |
|
|
|
* Wed Nov 08 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-178 |
|
- Add dependency for policycoreutils-2.5.18 becuase of new cgroup_seclabel policy capability |
|
Resolves: rhbz#1510145 |
|
|
|
* Mon Nov 06 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-177 |
|
- Allow jabber domains to connect to postgresql ports |
|
Resolves: rhbz#1438489 |
|
- Dontaudit accountsd domain creating dirs in /root |
|
Resolves: rhbz#1456760 |
|
- Dontaudit slapd_t to block suspend system |
|
Resolves: rhbz: #1479759 |
|
- Allow spamc_t to stream connect to cyrus. |
|
Resolves: rhbz#1382955 |
|
- allow imapd to read /proc/net/unix file |
|
Resolves: rhbz#1393030 |
|
- Allow passenger to connect to mysqld_port_t |
|
Resolves: rhbz#1433464 |
|
|
|
* Mon Nov 06 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-176 |
|
- Allow chronyc_t domain to use user_ptys |
|
Resolves: rhbz#1470150 |
|
- allow ptp4l to read /proc/net/unix file |
|
- Allow conmand to use usb ttys. |
|
Resolves: rhbz#1505121 |
|
- Label all files /var/log/opensm.* as opensm_log_t because opensm creating new log files with name opensm-subnet.lst |
|
Resolves: rhbz#1505845 |
|
- Allow chronyd daemon to execute chronyc. |
|
Resolves: rhbz#1508486 |
|
- Allow firewalld exec ldconfig. |
|
Resolves: rhbz#1375576 |
|
- Allow mozilla_plugin_t domain to dbus chat with devicekit |
|
Resolves: rhbz#1460477 |
|
- Dontaudit leaked logwatch pipes |
|
Resolves: rhbz#1450119 |
|
- Label /usr/bin/VGAuthService as vmtools_exec_t to confine this daemon. |
|
Resolves: rhbz#1507048 |
|
- Allow httpd_t domain to execute hugetlbfs_t files |
|
Resolves: rhbz#1507682 |
|
- Allow nfsd_t domain to read configfs_t files/dirs |
|
Resolves: rhbz#1439442 |
|
- Hide all allow rules with ptrace inside deny_ptrace boolean |
|
Resolves: rhbz#1421075 |
|
- Allow tgtd_t domain to read generic certs |
|
Resolves: rhbz#1438532 |
|
- Allow ptp4l to send msgs via dgram socket to unprivileged user domains |
|
Resolves: rhbz#1429853 |
|
- Allow dirsrv_snmp_t to use inherited user ptys and read system state |
|
Resolves: rhbz#1428568 |
|
- Allow glusterd_t domain to create own tmpfs dirs/files |
|
Resolves: rhbz#1411310 |
|
- Allow keepalived stream connect to snmp |
|
Resolves: rhbz#1401556 |
|
- After fix in kernel where LSM hooks for dac_override and dac_search_read capability was swaped we need to fix it also in policy |
|
Resolves: rhbz#1507089 |
|
|
|
* Fri Oct 27 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-175 |
|
- Allow pegasus_openlmi_services_t to read generic certs |
|
Resolves: rhbz#1462292 |
|
- Allow ganesha_t domain to read random device |
|
Resolves: rhbz#1494382 |
|
- Allow zabbix_t domain to change its resource limits |
|
Resolves: rhbz:#1504074 |
|
- Add new boolean nagios_use_nfs |
|
Resolves: rhbz#1504826 |
|
- Allow system_mail_t to search network sysctls |
|
Resolves: rhbz#1505779 |
|
- Add samba_manage_var_dirs() interface |
|
- Fix typo bug in virt filecontext file |
|
- Allow nagios_script_t to read nagios_spool_t files |
|
Resolves: rhbz#1426824 |
|
- Allow samba to manage var dirs/files |
|
Resolves: rhbz#1415088 |
|
- Allow sbd_t to create own sbd_tmpfs_t dirs/files |
|
Resolves: rhbz#1380795 |
|
- Allow firewalld and networkmanager to chat with hypervkvp via dbus |
|
Resolves: rhbz#1377276 |
|
- Allow dmidecode to read rhsmcert_log_t files |
|
Resolves: rhbz#1300799 |
|
- Allow mail system to connect mariadb sockets. |
|
Resolves: rhbz#1368642 |
|
- Allow logrotate_t to change passwd and reloead services |
|
Resolves: rhbz#1450789 |
|
- Allow mail system to connect mariadb sockets. |
|
Resolves: rhbz#1368642 |
|
- Allow logrotate_t to change passwd and reloead services |
|
Resolves: rhbz#1450789 |
|
- Allow pegasus_openlmi_services_t to read generic certs |
|
Resolves: rhbz#1462292 |
|
- Allow ganesha_t domain to read random device |
|
Resolves: rhbz#1494382 |
|
- Allow zabbix_t domain to change its resource limits |
|
Resolves: rhbz:#1504074 |
|
- Add new boolean nagios_use_nfs |
|
Resolves: rhbz#1504826 |
|
- Allow system_mail_t to search network sysctls |
|
Resolves: rhbz#1505779 |
|
- Add samba_manage_var_dirs() interface |
|
- Fix typo bug in virt filecontext file |
|
- Allow nagios_script_t to read nagios_spool_t files |
|
Resolves: rhbz#1426824 |
|
- Allow samba to manage var dirs/files |
|
Resolves: rhbz#1415088 |
|
- Allow sbd_t to create own sbd_tmpfs_t dirs/files |
|
Resolves: rhbz#1380795 |
|
- Allow firewalld and networkmanager to chat with hypervkvp via dbus |
|
Resolves: rhbz#1377276 |
|
- Allow dmidecode to read rhsmcert_log_t files |
|
Resolves: rhbz#1300799 |
|
- Allow mail system to connect mariadb sockets. |
|
Resolves: rhbz#1368642 |
|
- Allow logrotate_t to change passwd and reloead services |
|
Resolves: rhbz#1450789 |
|
- Allow chronyd_t do request kernel module and block_suspend capability |
|
Resolves: rhbz#1350765 |
|
- Allow system_cronjob_t to create /var/lib/letsencrypt dir with right label |
|
Resolves: rhbz#1447278 |
|
- Allow httpd_t also read httpd_user_content_type dirs when httpd_enable_homedirs is enables |
|
Resolves: rhbz#1491994 |
|
- Allow svnserve to use kerberos |
|
Resolves: rhbz#1475271 |
|
- Allow conman to use ptmx. Add conman_use_nfs boolean |
|
Resolves: rhbz#1377915 |
|
- Add nnp transition for services using: NoNewPrivileges systemd security feature |
|
Resolves: rhbz#1311430 |
|
- Add SELinux support for chronyc |
|
Resolves: rhbz#1470150 |
|
- Add dac_read_search capability to openvswitch_t domain |
|
Resolves: rhbz#1501336 |
|
- Allow svnserve to manage own svnserve_log_t files/dirs |
|
Resolves: rhbz#1480741 |
|
- Allow keepalived_t to search network sysctls |
|
Resolves: rhbz#1477542 |
|
- Allow puppetagent_t domain dbus chat with rhsmcertd_t domain |
|
Resolves: rhbz#1446777 |
|
- Add dccp_socket into socker_class_set subset |
|
Resolves: rhbz#1459941 |
|
- Allow iptables_t to run setfiles to restore context on system |
|
Resolves: rhbz#1489118 |
|
- Label 20514 tcp/udp ports as syslogd_port_t Label 10514 tcp/udp portas as syslog_tls_port_t |
|
Resolves: rhbz:#1411400 |
|
- Make nnp transition Active |
|
Resolves: rhbz#1480518 |
|
- Label tcp 51954 as isns_port_t |
|
Resolves: rhbz#1390208 |
|
- Add dac_read_search capability chkpwd_t |
|
Resolves: rhbz#1376991 |
|
- Add support for running certbot(letsencrypt) in crontab |
|
Resolves: rhbz#1447278 |
|
- Add init_nnp_daemon_domain interface |
|
- Allow xdm_t to gettattr /dev/loop-control device |
|
Resolves: rhbz#1462925 |
|
- Allow nnp trasintion for unconfined_service_t |
|
Resolves: rhbz#1311430 |
|
- Allow unpriv user domains and unconfined_service_t to use chronyc |
|
Resolves: rhbz#1470150 |
|
- Allow iptables to exec plymouth. |
|
Resolves: rhbz#1480374 |
|
- Fix typo in fs_unmount_tracefs interface. |
|
Resolves: rhbz#1371057 |
|
- Label postgresql-check-db-dir as postgresql_exec_t |
|
Resolves: rhbz#1490956 |
|
|
|
* Tue Sep 26 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-174 |
|
- We should not ship selinux-policy with permissivedomains enabled. |
|
Resolves: rhbz#1494172 |
|
- Fix order of installing selinux-policy-sandbox, because of depedencied in sandbox module, selinux-policy-targeted needs to be installed before selinux-policy-sandbox |
|
Resolves: rhbz#1492606 |
|
|
|
* Tue Sep 19 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-173 |
|
- Allow tomcat to setsched |
|
Resolves: rhbz#1492730 |
|
- Fix rules blocking ipa-server upgrade process |
|
Resolves: rhbz#1478371 |
|
- Add new boolean tomcat_read_rpm_db() |
|
Resolves: rhbz#1477887 |
|
- Allow tomcat to connect on mysqld tcp ports |
|
- Add ctdbd_t domain sys_source capability and allow setrlimit |
|
Resolves: rhbz#1491235 |
|
- Fix keepalived SELinux module |
|
- Allow automount domain to manage mount pid files |
|
Resolves: rhbz#1482381 |
|
- Allow stunnel_t domain setsched |
|
Resolves: rhbz#1479383 |
|
- Add keepalived domain setpgid capability |
|
Resolves: rhbz#1486638 |
|
- Allow tomcat domain to connect to mssql port |
|
Resolves: rhbz#1484572 |
|
- Remove snapperd_t from unconfined domaines |
|
Resolves: rhbz#1365555 |
|
- Fix typo bug in apache module |
|
Resolves: rhbz#1397311 |
|
- Dontaudit that system_mail_t is trying to read /root/ files |
|
Resolves: rhbz#1147945 |
|
- Make working webadm_t userdomain |
|
Resolves: rhbz#1323792 |
|
- Allow redis domain to execute shell scripts. |
|
Resolves: rhbz#1421326 |
|
- Allow system_cronjob_t to create redhat-access-insights.log with var_log_t |
|
Resolves: rhbz#1473303 |
|
- Add couple capabilities to keepalived domain and allow get attributes of all domains |
|
Resolves: rhbz#1429327 |
|
- Allow dmidecode read rhsmcertd lock files |
|
Resolves: rhbz#1300799 |
|
- Add new interface rhsmcertd_rw_lock_files() |
|
Resolves: rhbz#1300799 |
|
- Label all plymouthd archives as plymouthd_var_log_t |
|
Resolves: rhbz#1478323 |
|
- Allow cloud_init_t to dbus chat with systemd_timedated_t |
|
Resolves: rhbz#1440730 |
|
- Allow logrotate_t to write to kmsg |
|
Resolves: rhbz#1397744 |
|
- Add capability kill to rhsmcertd_t |
|
Resolves: rhbz#1398338 |
|
- Disable mysqld_safe_t secure mode environment cleansing. |
|
Resolves: rhbz#1464063 |
|
- Allow winbind to manage smbd_tmp_t files |
|
Resolves: rhbz#1475566 |
|
- Dontaudit that system_mail_t is trying to read /root/ files |
|
Resolves: rhbz#1147945 |
|
- Make working webadm_t userdomain |
|
Resolves: rhbz#1323792 |
|
- Allow redis domain to execute shell scripts. |
|
Resolves: rhbz#1421326 |
|
- Allow system_cronjob_t to create redhat-access-insights.log with var_log_t |
|
Resolves: rhbz#1473303 |
|
- Add couple capabilities to keepalived domain and allow get attributes of all domains |
|
Resolves: rhbz#1429327 |
|
- Allow dmidecode read rhsmcertd lock files |
|
Resolves: rhbz#1300799 |
|
- Add new interface rhsmcertd_rw_lock_files() |
|
Resolves: rhbz#1300799 |
|
- Label all plymouthd archives as plymouthd_var_log_t |
|
Resolves: rhbz#1478323 |
|
- Allow cloud_init_t to dbus chat with systemd_timedated_t |
|
Resolves: rhbz#1440730 |
|
- Allow logrotate_t to write to kmsg |
|
Resolves: rhbz#1397744 |
|
- Add capability kill to rhsmcertd_t |
|
Resolves: rhbz#1398338 |
|
- Disable mysqld_safe_t secure mode environment cleansing. |
|
Resolves: rhbz#1464063 |
|
- Allow winbind to manage smbd_tmp_t files |
|
Resolves: rhbz#1475566 |
|
- Add interface systemd_tmpfiles_run |
|
- End of file cannot be in comment |
|
- Allow systemd-logind to use ypbind |
|
Resolves: rhbz#1479350 |
|
- Add creating opasswd file with shadow_t SELinux label in auth_manage_shadow() interface |
|
Resolves: rhbz#1412838 |
|
- Allow sysctl_irq_t assciate with proc_t |
|
Resolves: rhbz#1485909 |
|
- Enable cgourp sec labeling |
|
Resolves: rhbz#1485947 |
|
- Add cgroup_seclabel policycap. |
|
Resolves: rhbz#1485947 |
|
- Allow sshd_t domain to send signull to xdm_t processes |
|
Resolves: rhbz#1448959 |
|
- Allow updpwd_t domain auth file name trans |
|
Resolves: rhbz#1412838 |
|
- Allow sysadm user to run systemd-tmpfiles |
|
Resolves: rbhz#1325364 |
|
- Add support labeling for vmci and vsock device |
|
Resolves: rhbz#1451358 |
|
- Add userdom_dontaudit_manage_admin_files() interface |
|
Resolves: rhbz#1323792 |
|
- Allow iptables_t domain to read files with modules_conf_t label |
|
Resolves: rhbz#1373220 |
|
- init: Add NoNewPerms support for systemd. |
|
Resolves: rhbz#1480518 |
|
- Add nnp_nosuid_transition policycap and related class/perm definitions. |
|
Resolves: rhbz#1480518 |
|
- refpolicy: Infiniband pkeys and endports |
|
Resolves: rhbz#1464484 |
|
|
|
* Tue Aug 29 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-172 |
|
- Allow certmonger using systemctl on pki_tomcat unit files |
|
Resolves: rhbz#1481388 |
|
|
|
* Tue Aug 29 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-171 |
|
- Allow targetd_t to create own tmp files. |
|
- Dontaudit targetd_t to exec rpm binary file. |
|
Resolves: rhbz#1373860 |
|
Resolves: rhbz#1424621 |
|
|
|
* Thu Aug 24 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-170 |
|
- Add few rules to make working targetd daemon with SELinux |
|
Resolves: rhbz#1373860 |
|
- Allow ipmievd_t domain to load kernel modules |
|
Resolves: rhbz#1441081 |
|
- Allow logrotate to reload transient systemd unit |
|
Resolves: rhbz#1440515 |
|
- Add certwatch_t domain dac_override and dac_read_search capabilities |
|
Resolves: rhbz#1422000 |
|
- Allow postgrey to execute bin_t files and add postgrey into nsswitch_domain |
|
Resolves: rhbz#1412072 |
|
- Allow nscd_t domain to search network sysctls |
|
Resolves: rhbz#1432361 |
|
- Allow iscsid_t domain to read mount pid files |
|
Resolves: rhbz#1482097 |
|
- Allow ksmtuned_t domain manage sysfs_t files/dirs |
|
Resolves: rhbz#1413865 |
|
- Allow keepalived_t domain domtrans into iptables_t |
|
Resolves: rhbz#1477719 |
|
- Allow rshd_t domain reads net sysctls |
|
Resolves: rhbz#1477908 |
|
- Add interface seutil_dontaudit_read_module_store() |
|
- Update interface lvm_rw_pipes() by adding also open permission |
|
- Label /dev/clp device as vfio_device_t |
|
Resolves: rhbz#1477624 |
|
- Allow ifconfig_t domain unmount fs_t |
|
Resolves: rhbz#1477445 |
|
- Label /dev/gpiochip* devices as gpio_device_t |
|
Resolves: rhbz#1477618 |
|
- Add interface dev_manage_sysfs() |
|
Resolves: rhbz#1474989 |
|
|
|
* Mon Aug 14 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-169 |
|
- Label /usr/libexec/sudo/sesh as shell_exec_t |
|
Resolves: rhbz#1480791 |
|
|
|
* Fri Aug 11 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-168 |
|
- Allow tomcat_t domain couple capabilities to make working tomcat-jsvc |
|
Resolves: rhbz#1470735 |
|
|
|
* Wed Aug 09 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-167 |
|
- Allow llpdad send dgram to libvirt |
|
Resolves: rhbz#1472722 |
|
|
|
* Mon Jul 10 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-166 |
|
- Add new boolean gluster_use_execmem |
|
Resolves: rhbz#1469027 |
|
- Allow cluster_t and glusterd_t domains to dbus chat with ganesha service |
|
Resolves: rhbz#1468581 |
|
|
|
* Mon Jun 26 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-165 |
|
- Dontaudit staff_t user read admin_home_t files. |
|
Resolves: rhbz#1290633 |
|
|
|
* Wed Jun 21 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-164 |
|
- Allow couple rules needed to start targetd daemon with SELinux in enforcing mode |
|
Resolves: rhbz#1424621 |
|
- Add interface lvm_manage_metadata |
|
Resolves: rhbz#1424621 |
|
|
|
* Tue Jun 20 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-163 |
|
- Allow sssd_t to read realmd lib files. |
|
Resolves: rhbz#1436689 |
|
- Add permission open to files_read_inherited_tmp_files() interface |
|
Resolves: rhbz#1290633 |
|
Resolves: rhbz#1457106 |
|
|
|
* Thu Jun 15 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-162 |
|
- Allow unconfined_t user all user namespace capabilties. |
|
Resolves: rhbz#1461488 |
|
|
|
* Thu Jun 08 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-161 |
|
- Allow httpd_t to read realmd_var_lib_t files Resolves: rhbz#1436689 |
|
|
|
* Tue Jun 06 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-160 |
|
- Allow named_t to bind on udp 4321 port |
|
Resolves: rhbz#1312972 |
|
- Allow systemd-sysctl cap. sys_ptrace |
|
Resolves: rhbz#1458999 |
|
|
|
* Mon Jun 05 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-159 |
|
- Allow pki_tomcat_t execute ldconfig. |
|
Resolves: rhbz#1436689 |
|
|
|
* Fri Jun 02 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-158 |
|
- Allow iscsi domain load kernel module. |
|
Resolves: rhbz#1457874 |
|
- Allow keepalived domain connect to squid tcp port |
|
Resolves: rhbz#1457455 |
|
- Allow krb5kdc_t domain read realmd lib files. |
|
Resolves: rhbz#1436689 |
|
- xdm_t should view kernel keys |
|
Resolves: rhbz#1432645 |
|
|
|
* Thu Jun 01 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-157 |
|
- Allow tomcat to connect on all unreserved ports |
|
- Allow ganesha to connect to all rpc ports |
|
Resolves: rhbz#1448090 |
|
- Update ganesha with another fixes. |
|
Resolves: rhbz#1448090 |
|
- Update rpc_read_nfs_state_data() interface to allow read also lnk_files. |
|
Resolves: rhbz#1448090 |
|
- virt_use_glusterd boolean should be in optional block Update ganesha module to allow create tmp files |
|
Resolves: rhbz#1448090 |
|
- Hide broken symptoms when machine is configured with network bounding. |
|
|
|
* Wed May 31 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-156 |
|
- Add new boolean virt_use_glusterd |
|
Resolves: rhbz#1455994 |
|
- Add capability sys_boot for sbd_t domain |
|
- Allow sbd_t domain to create rpc sysctls. |
|
Resolves: rhbz#1455631 |
|
- Allow ganesha_t domain to manage glusterd_var_run_t pid files. |
|
Resolves: rhbz#1448090 |
|
|
|
* Tue May 30 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-155 |
|
- Create new interface: glusterd_read_lib_files() |
|
- Allow ganesha read glusterd lib files. |
|
- Allow ganesha read network sysctls |
|
Resolves: rhbz#1448090 |
|
|
|
* Mon May 29 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-154 |
|
- Add few allow rules to ganesha module |
|
Resolves: rhbz#1448090 |
|
- Allow condor_master_t to read sysctls. |
|
Resolves: rhbz#1277506 |
|
- Add dac_override cap to ctdbd_t domain |
|
Resolves: rhbz#1435708 |
|
- Label 8750 tcp/udp port as dey_keyneg_port_t |
|
Resolves: rhbz#1448090 |
|
|
|
* Mon May 29 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-153 |
|
- Add ganesha_use_fusefs boolean. |
|
Resolves: rhbz#1448090 |
|
|
|
* Wed May 24 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-152 |
|
- Allow httpd_t reading kerberos kdc config files |
|
Resolves: rhbz#1452215 |
|
- Allow tomcat_t domain connect to ibm_dt_2 tcp port. |
|
Resolves: rhbz#1447436 |
|
- Allow stream connect to initrc_t domains |
|
Resolves: rhbz#1447436 |
|
- Allow dnsmasq_t domain to read systemd-resolved pid files. |
|
Resolves: rhbz#1453114 |
|
- Allow tomcat domain name_bind on tcp bctp_port_t |
|
Resolves: rhbz#1451757 |
|
- Allow smbd_t domain generate debugging files under /var/run/gluster. These files are created through the libgfapi.so library that provides integration of a GlusterFS client in the Samba (vfs_glusterfs) process. |
|
Resolves: rhbz#1447669 |
|
- Allow condor_master_t write to sysctl_net_t |
|
Resolves: rhbz#1277506 |
|
- Allow nagios check disk plugin read /sys/kernel/config/ |
|
Resolves: rhbz#1277718 |
|
- Allow pcp_pmie_t domain execute systemctl binary |
|
Resolves: rhbz#1271998 |
|
- Allow nagios to connect to stream sockets. Allow nagios start httpd via systemctl |
|
Resolves: rhbz#1247635 |
|
- Label tcp/udp port 1792 as ibm_dt_2_port_t |
|
Resolves: rhbz#1447436 |
|
- Add interface fs_read_configfs_dirs() |
|
- Add interface fs_read_configfs_files() |
|
- Fix systemd_resolved_read_pid interface |
|
- Add interface systemd_resolved_read_pid() |
|
Resolves: rhbz#1453114 |
|
- Allow sshd_net_t domain read/write into crypto devices |
|
Resolves: rhbz#1452759 |
|
- Label 8999 tcp/udp as bctp_port_t |
|
Resolves: rhbz#1451757 |
|
|
|
* Thu May 18 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-151 |
|
- nmbd_t needs net_admin capability like smbd |
|
Resolves: rhbz#1431859 |
|
- Dontaudit net_admin capability for domains postfix_master_t and postfix_qmgr_t |
|
Resolves: rhbz#1431859 |
|
- Allow rngd domain read sysfs_t |
|
Resolves: rhbz#1451735 |
|
- Add interface pki_manage_common_files() |
|
Resolves: rhbz#1447436 |
|
- Allow tomcat_t domain to manage pki_common_t files and dirs |
|
Resolves: rhbz#1447436 |
|
- Use stricter fc rules for sssd sockets in /var/run |
|
Resolves: rhbz#1448060 |
|
- Allow certmonger reads httpd_config_t files |
|
Resolves: rhbz#1436689 |
|
- Allow keepalived_t domain creating netlink_netfilter_socket. |
|
Resolves: rhbz#1451684 |
|
- Allow tomcat domain read rpm_var_lib_t files Allow tomcat domain exec rpm_exec_t files Allow tomcat domain name connect on oracle_port_t Allow tomcat domain read cobbler_var_lib_t files. |
|
Resolves: rhbz#1451318 |
|
- Make able deply overcloud via neutron_t to label nsfs as fs_t |
|
Resolves: rhbz#1373321 |
|
|
|
* Tue May 16 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-150 |
|
- Allow tomcat domain read rpm_var_lib_t files Allow tomcat domain exec rpm_exec_t files Allow tomcat domain name connect on oracle_port_t Allow tomcat domain read cobbler_var_lib_t files. |
|
Resolves: rhbz#1451318 |
|
- Allow sssd_t domain creating sock files labeled as sssd_var_run_t in /var/run/ |
|
Resolves: rhbz#1448056 Resolves: rhbz#1448060 |
|
- Allow tomcat_domain connect to * postgresql_port_t * amqp_port_t Allow tomcat_domain read network sysctls |
|
Resolves: rhbz#1450819 |
|
- Make able deply overcloud via neutron_t to label nsfs as fs_t |
|
Resolves: rhbz#1373321 |
|
- Allow netutils setpcap capability |
|
Resolves:1444438 |
|
|
|
* Mon May 15 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-149 |
|
- Update targetd policy to accommodate changes in the service |
|
Resolves: rhbz#1424621 |
|
- Allow tomcat_domain connect to * postgresql_port_t * amqp_port_t Allow tomcat_domain read network sysctls |
|
Resolves: rhbz#1450819 |
|
- Update virt_rw_stream_sockets_svirt() interface to allow confined users set socket options. |
|
Resolves: rhbz#1415841 |
|
- Allow radius domain stream connec to postgresql |
|
Resolves: rhbz#1446145 |
|
- Allow virt_domain to read raw fixed_disk_device_t to make working blockcommit |
|
Resolves: rhbz#1449977 |
|
- Allow glusterd_t domain start ganesha service |
|
Resolves: rhbz#1448090 |
|
- Made few cosmetic changes in sssd SELinux module |
|
Resolves: rhbz#1448060 |
|
- sssd-kcm should not run as unconfined_service_t BZ(1447411) |
|
Resolves: rhbz#1448060 |
|
- Add sssd_secrets labeling Also add named_filetrans interface to make sure all labels are correct |
|
Resolves: rhbz#1448056 |
|
- Allow keepalived_t domain read usermodehelper_t |
|
Resolves: rhbz#1449769 |
|
- Allow tomcat_t domain read pki_common_t files |
|
Resolves: rhbz#1447436 |
|
- Add interface pki_read_common_files() |
|
Resolves: rhbz#1447436 |
|
|
|
* Tue May 09 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-148 |
|
- Allow hypervkvp_t domain execute hostname |
|
Resolves: rhbz#1449064 |
|
- Dontaudit sssd_selinux_manager_t use of net_admin capability |
|
Resolves: rhbz#1444955 |
|
- Allow tomcat_t stream connect to pki_common_t |
|
Resolves: rhbz#1447436 |
|
- Dontaudit xguest_t's attempts to listen to its tcp_socket |
|
- Allow sssd_selinux_manager_t to ioctl init_t sockets |
|
Resolves: rhbz#1436689 |
|
- Allow <role>_su_t to create netlink_selinux_socket |
|
Resolves rhbz#1146987 |
|
- Allow unconfined_t to module_load any file |
|
Resolves rhbz#1442994 |
|
|
|
* Sat Apr 29 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-147 |
|
- Improve ipa_cert_filetrans_named_content() interface to also allow caller domain manage ipa_cert_t type. |
|
Resolves: rhbz#1436689 |
|
|
|
* Fri Apr 28 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-146 |
|
- Allow pki_tomcat_t domain read /etc/passwd. |
|
Resolves: rhbz#1436689 |
|
- Allow tomcat_t domain read ipa_tmp_t files |
|
Resolves: rhbz#1436689 |
|
- Label new path for ipa-otpd |
|
Resolves: rhbz#1446353 |
|
- Allow radiusd_t domain stream connect to postgresql_t |
|
Resolves: rhbz#1446145 |
|
- Allow rhsmcertd_t to execute hostname_exec_t binaries. |
|
Resolves: rhbz#1445494 |
|
- Allow virtlogd to append nfs_t files when virt_use_nfs=1 |
|
Resolves: rhbz#1402561 |
|
|
|
* Wed Apr 26 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-145 |
|
- Update tomcat policy to adjust for removing unconfined_domain attr. |
|
Resolves: rhbz#1432083 |
|
- Allow httpd_t domain read also httpd_user_content_type lnk_files. |
|
Resolves: rhbz#1383621 |
|
- Allow httpd_t domain create /etc/httpd/alias/ipaseesion.key with label ipa_cert_t |
|
Resolves: rhbz#1436689 |
|
- Dontaudit <user>_gkeyringd_t stream connect to system_dbusd_t |
|
Resolves: rhbz#1052880 |
|
- Label /var/www/html/nextcloud/data as httpd_sys_rw_content_t |
|
Resolves: rhbz#1425530 |
|
- Add interface ipa_filetrans_named_content() |
|
Resolves: rhbz#1432115 |
|
- Allow tomcat use nsswitch |
|
Resolves: rhbz#1436689 |
|
- Allow certmonger_t start/status generic services |
|
Resolves: rhbz#1436689 |
|
- Allow dirsrv read cgroup files. |
|
Resolves: rhbz#1436689 |
|
- Allow ganesha_t domain read/write infiniband devices. |
|
Resolves: rhbz#1383784 |
|
- Allow sendmail_t domain sysctl_net_t files |
|
Resolves: rhbz#1369376 |
|
- Allow targetd_t domain read network state and getattr on loop_control_device_t |
|
Resolves: rhbz#1373860 |
|
- Allow condor_schedd_t domain send mails. |
|
Resolves: rhbz#1277506 |
|
- Alow certmonger to create own systemd unit files. |
|
Resolves: rhbz#1436689 |
|
- Allow staff to systemctl virt server when staff_use_svirt=1 |
|
Resolves: rhbz#1415841 |
|
- Allow unconfined_t create /tmp/ca.p12 file with ipa_tmp_t context |
|
Resolves: rhbz#1432115 |
|
- Label /sysroot/ostree/deploy/rhel-atomic-host/* as root_t |
|
Resolves: rhbz#1428112 |
|
|
|
* Wed Apr 19 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-144 |
|
- Alow certmonger to create own systemd unit files. |
|
Resolves: rhbz#1436689 |
|
|
|
* Tue Apr 18 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-143 |
|
- Hide broken symptoms when using kernel 3.10.0-514+ with network bonding. Postfix_picup_t domain requires NET_ADMIN capability which is not really needed. |
|
Resolves: rhbz#1431859 |
|
- Fix policy to reflect all changes in new IPA release |
|
Resolves: rhbz#1432115 |
|
Resolves: rhbz#1436689 |
|
|
|
* Wed Apr 12 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-142 |
|
- Allow sbd_t to read/write fixed disk devices |
|
Resolves: rhbz#1440165 |
|
- Add sys_ptrace capability to radiusd_t domain |
|
Resolves: rhbz#1426641 |
|
- Allow cockpit_session_t domain connects to ssh tcp ports. |
|
Resolves: rhbz#1413509 |
|
|
|
* Fri Apr 07 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-141 |
|
- Update tomcat policy to make working ipa install process |
|
Resolves: rhbz#1436689 |
|
|
|
* Wed Apr 05 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-140 |
|
- Allow pcp_pmcd_t net_admin capability. |
|
- Allow pcp_pmcd_t read net sysctls |
|
- Allow system_cronjob_t create /var/run/pcp with pcp_var_run_t |
|
Resolves: rhbz#1336211 |
|
|
|
* Wed Apr 05 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-139 |
|
- Fix all AVC denials during pkispawn of CA |
|
Resolves: rhbz#1436383 |
|
- Update pki interfaces and tomcat module |
|
Resolves: rhbz#1436689 |
|
|
|
* Tue Apr 04 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-138 |
|
- Update pki interfaces and tomcat module |
|
Resolves: rhbz#1436689 |
|
|
|
* Tue Apr 04 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-137 |
|
- Dontaudit firewalld wants write to /root |
|
Resolves: rhbz#1438708 |
|
- Dontaudit firewalld to create dirs in /root/ |
|
Resolves: rhbz#1438708 |
|
- Allow sendmail to search network sysctls |
|
Resolves: rhbz#1369376 |
|
- Add interface gssd_noatsecure() |
|
Resolves: rhbz#1438036 |
|
- Add interface gssproxy_noatsecure() |
|
Resolves: rhbz#1438036 |
|
- Dontaudit pcp_pmlogger_t search for xserver logs. Allow pcp_pmlogger_t to send signals to unconfined doamins Allow pcp_pmlogger_t to send logs to journals |
|
Resolves: rhbz#1379371 |
|
- Allow chronyd_t net_admin capability to allow support HW timestamping. |
|
Resolves: rhbz#1416015 |
|
- Update tomcat policy |
|
Resolves: rhbz#1436689 |
|
Resolves: rhbz#1436383 |
|
- Allow certmonger to start haproxy service |
|
Resolves: rhbz#1349394 |
|
- Allow init noatsecure for gssd and gssproxy |
|
Resolves: rhbz#1438036 |
|
|
|
* Thu Mar 30 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-136 |
|
- geoclue wants to dbus chat with avahi |
|
Resolves: rhbz#1434286 |
|
- Allow iptables get list of kernel modules |
|
Resolves: rhbz#1367520 |
|
- Allow unconfined_domain_type to enable/disable transient unit |
|
Resolves: rhbz#1337041 |
|
- Add interfaces init_enable_transient_unit() and init_disable_transient_unit |
|
- Revert "Allow sshd setcap capability. This is needed due to latest changes in sshd" |
|
Resolves: rhbz#1435264 |
|
- Label sysroot dir under ostree as root_t |
|
Resolves: rhbz#1428112 |
|
|
|
|
|
* Wed Mar 29 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-135 |
|
- Remove ganesha_t domain from permissive domains. |
|
Resolves: rhbz#1436988 |
|
|
|
* Tue Mar 28 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-134 |
|
- Allow named_t domain bind on several udp ports |
|
Resolves: rhbz#1312972 |
|
- Update nscd_use() interface |
|
Resolves: rhbz#1281716 |
|
- Allow radius_t domain ptrace |
|
Resolves: rhbz#1426641 |
|
- Update nagios to allos exec systemctl |
|
Resolves: rhbz#1247635 |
|
- Update pcp SELinux module to reflect all pcp changes |
|
Resolves: rhbz#1271998 |
|
- Label /var/lib/ssl_db as squid_cache_t Label /etc/squid/ssl_db as squid_cache_t |
|
Resolves: rhbz#1325527 |
|
- Allow pcp_pmcd_t domain search for network sysctl Allow pcp_pmcd_t domain sys_ptrace capability Resolves: rhbz#1336211 |
|
|
|
* Mon Mar 27 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-133 |
|
- Allow drbd load modules |
|
Resolves: rhbz#1134883 |
|
- Revert "Add sys_module capability for drbd |
|
Resolves: rhbz#1134883" |
|
- Allow stapserver list kernel modules |
|
Resolves: rhbz#1325976 |
|
- Update targetd policy |
|
Resolves: rhbz#1373860 |
|
- Add sys_admin capability to amanda |
|
Resolves: rhbz#1371561 |
|
- Allow hypervvssd_t to read all dirs. |
|
Resolves: rhbz#1331309 |
|
- Label /run/haproxy.sock socket as haproxy_var_run_t |
|
Resolves: rhbz#1386233 |
|
- Allow oddjob_mkhomedir_t to mamange autofs_t dirs. |
|
Resolves: rhbz#1408819 |
|
- Allow tomcat to connect on http_cache_port_t |
|
Resolves: rhbz#1432083 |
|
- Allow geoclue to send msgs to syslog. |
|
Resolves: rhbz#1434286 |
|
- Allow condor_master_t domain capability chown. |
|
Resolves: rhbz#1277506 |
|
- Update mta_filetrans_named_content() interface to allow calling domain create files labeled as etc_aliases_t in dir labeled as etc_mail_t. |
|
Resolves: rhbz#1167468 |
|
- Allow nova domain search for httpd configuration. |
|
Resolves: rhbz#1190761 |
|
- Add sys_module capability for drbd |
|
Resolves: rhbz#1134883 |
|
- Allow user_u users stream connect to dirsrv, Allow sysadm_u and staff_u users to manage dirsrv files |
|
Resolves: rhbz#1286474 |
|
- Allow systemd_networkd_t communicate with systemd_networkd_t via dbus |
|
Resolves: rhbz#1278010 |
|
|
|
* Wed Mar 22 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-132 |
|
- Add haproxy_t domain fowner capability |
|
Resolves: rhbz#1386233 |
|
- Allow domain transition from ntpd_t to hwclock_t domains |
|
Resolves: rhbz#1375624 |
|
- Allow cockpit_session_t setrlimit and sys_resource |
|
Resolves: rhbz#1402316 |
|
- Dontaudit svirt_t read state of libvirtd domain |
|
Resolves: rhbz#1426106 |
|
- Update httpd and gssproxy modules to reflects latest changes in freeipa |
|
Resolves: rhbz#1432115 |
|
- Allow iptables read modules_conf_t |
|
Resolves: rhbz#1367520 |
|
|
|
* Wed Mar 22 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-131 |
|
- Remove tomcat_t domain from unconfined domains |
|
Resolves: rhbz#1432083 |
|
- Create new boolean: sanlock_enable_home_dirs() |
|
Resolves: rhbz#1432783 |
|
- Allow mdadm_t domain to read/write nvme_device_t |
|
Resolves: rhbz#1431617 |
|
- Remove httpd_user_*_content_t domains from user_home_type attribute. This tighten httpd policy and acces to user data will be more strinct, and also fix mutual influente between httpd_enable_homedirs and httpd_read_user_content |
|
Resolves: rhbz#1383621 |
|
- Dontaudit domain to create any file in /proc. This is kernel bug. |
|
Resolves: rhbz#1412679 |
|
- Add interface dev_rw_nvme |
|
Resolves: rhbz#1431617 |
|
|
|
* Thu Mar 16 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-130 |
|
- Allow gssproxy to get attributes on all filesystem object types. |
|
Resolves: rhbz#1430295 |
|
- Allow ganesha to chat with unconfined domains via dbus |
|
Resolves: rhbz#1426554 |
|
- add the policy required for nextcloud |
|
Resolves: rhbz#1425530 |
|
- Add nmbd_t capability2 block_suspend |
|
Resolves: rhbz#1425357 |
|
- Label /var/run/chrony as chronyd_var_run_t |
|
Resolves: rhbz#1416015 |
|
- Add domain transition from sosreport_t to iptables_t |
|
Resolves: rhbz#1359789 |
|
- Fix path to /usr/lib64/erlang/erts-5.10.4/bin/epmd |
|
Resolves: rhbz:#1332803 |
|
|
|
* Tue Mar 14 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-129 |
|
- Update rpm macros |
|
Resolves: rhbz#1380854 |
|
|
|
* Mon Mar 13 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-128 |
|
- Add handling booleans via selinux-policy macros in custom policy spec files. |
|
Resolves: rhbz#1380854 |
|
|
|
* Thu Mar 09 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-127 |
|
- Allow openvswitch to load kernel modules |
|
Resolves: rhbz#1405479 |
|
|
|
* Thu Mar 09 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-126 |
|
- Allow openvswitch read script state. |
|
Resolves: rhbz#1405479 |
|
|
|
* Tue Mar 07 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-125 |
|
- Update ganesha policy |
|
Resolves: rhbz#1426554 |
|
Resolves: rhbz#1383784 |
|
- Allow chronyd to read adjtime |
|
Resolves: rhbz#1416015 |
|
- Fixes for chrony version 2.2 |
|
Resolves: rhbz#1416015 |
|
- Add interface virt_rw_stream_sockets_svirt() |
|
Resolves: rhbz#1415841 |
|
- Label /dev/ss0 as gpfs_device_t |
|
Resolves: rhbz#1383784 |
|
- Allow staff to rw svirt unix stream sockets. |
|
Resolves: rhbz#1415841 |
|
- Label /rhev/data-center/mnt as mnt_t |
|
Resolves: rhbz#1408275 |
|
- Associate sysctl_rpc_t with proc filesystems |
|
Resolves: rhbz#1350927 |
|
- Add new boolean: domain_can_write_kmsg |
|
Resolves: rhbz#1415715 |
|
|
|
* Thu Mar 02 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-124 |
|
- Allow rhsmcertd_t dbus chat with system_cronjob_t |
|
Resolves: rhbz#1405341 |
|
- Allow openvswitch exec hostname and readinitrc_t files |
|
Resolves: rhbz#1405479 |
|
- Improve SELinux context for mysql_db_t objects. |
|
Resolves: rhbz#1391521 |
|
- Allow postfix_postdrop to communicate with postfix_master via pipe. |
|
Resolves: rhbz#1379736 |
|
- Add radius_use_jit boolean |
|
Resolves: rhbz#1426205 |
|
- Label /var/lock/subsys/iptables as iptables_lock_t |
|
Resolves: rhbz#1405441 |
|
- Label /usr/lib64/erlang/erts-5.10.4/bin/epmd as lib_t |
|
Resolves: rhbz#1332803 |
|
- Allow can_load_kernmodule to load kernel modules. |
|
Resolves: rhbz#1423427 |
|
Resolves: rhbz#1424621 |
|
|
|
* Thu Feb 23 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-123 |
|
- Allow nfsd_t domain to create sysctls_rpc_t files |
|
Resolves: rhbz#1405304 |
|
- Allow openvswitch to create netlink generic sockets. |
|
Resolves: rhbz#1397974 |
|
- Create kernel_create_rpc_sysctls() interface |
|
Resolves: rhbz#1405304 |
|
|
|
* Fri Feb 17 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-122 |
|
- Allow nfsd_t domain rw sysctl_rpc_t dirs |
|
Resolves: rhbz#1405304 |
|
- Allow cgdcbxd_t to manage cgroup files. |
|
Resolves: rhbz#1358493 |
|
- Allow cmirrord_t domain to create netlink_connector sockets |
|
Resolves: rhbz#1412670 |
|
- Allow fcoemon to create netlink scsitransport sockets |
|
Resolves: rhbz#1362496 |
|
- Allow quota_nld_t create netlink_generic sockets |
|
Resolves: rhbz#1358679 |
|
- Allow cgred_t create netlink_connector sockets |
|
Resolves: rhbz#1376357 |
|
- Add dhcpd_t domain fowner capability |
|
Resolves: rhbz#1358485 |
|
- Allow acpid to attempt to connect to the Linux kernel via generic netlink socket. |
|
Resolves: rhbz#1358478 |
|
- Rename docker module to container module |
|
Resolves: rhbz#1386916 |
|
- Allow setflies to mount tracefs |
|
Resolves: rhbz#1376357 |
|
- Allow iptables to read nsfs files. |
|
Resolves: rhbz#1411316 |
|
- Allow systemd_bootchart_t domain create dgram sockets. |
|
Resolves: rhbz#1365953 |
|
- Rename docker interfaces to container |
|
Resolves: rhbz#1386916 |
|
|
|
* Wed Feb 15 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-120 |
|
- Allow initrc_t domain to run rhel-autorelabel script properly during boot process |
|
Resolves: rhbz#1379722 |
|
- Allow systemd_initctl_t to create and connect unix_dgram sockets |
|
Resolves: rhbz#1365947 |
|
- Allow ifconfig_t to mount/unmount nsfs_t filesystem |
|
Resolves: rhbz#1349814 |
|
- Add interfaces allowing mount/unmount nsfs_t filesystem |
|
Resolves: rhbz#1349814 |
|
|
|
* Mon Feb 13 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-119 |
|
- Add interface init_stream_connectto() |
|
Resolves:rhbz#1365947 |
|
- Allow rhsmcertd domain signull kernel. |
|
Resolves: rhbz#1379781 |
|
- Allow kdumpgui domain to read nvme device |
|
- Allow insmod_t to load kernel modules |
|
Resolves: rhbz#1421598 |
|
- Add interface files_load_kernel_modules() |
|
Resolves: rhbz#1421598 |
|
- Add SELinux support for systemd-initctl daemon |
|
Resolves:rhbz#1365947 |
|
- Add SELinux support for systemd-bootchart |
|
Resolves: rhbz#1365953 |
|
|
|
* Tue Feb 07 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-118 |
|
- Allow firewalld to getattr open search read modules_object_t:dir |
|
Resolves: rhbz#1418391 |
|
- Fix label for nagios plugins in nagios file conxtext file |
|
Resolves: rhbz#1277718 |
|
- Add sys_ptrace capability to pegasus domain |
|
Resolves: rhbz#1381238 |
|
- Allow sssd_t domain setpgid |
|
Resolves:rhbz#1416780 |
|
- After the latest changes in nfsd. We should allow nfsd_t to read raw fixed disk. |
|
Resolves: rhbz#1350927 |
|
- Allow kdumpgui domain to read nvme device |
|
Resolves: rhbz#1415084 |
|
- su using libselinux and creating netlink_selinux socket is needed to allow libselinux initialization. |
|
Resolves: rhbz#1146987 |
|
- Add user namespace capability object classes. |
|
Resolves: rhbz#1368057 |
|
- Add module_load permission to class system |
|
Resolves:rhbz#1368057 |
|
- Add the validate_trans access vector to the security class |
|
Resolves: rhbz#1368057 |
|
- Add "binder" security class and access vectors |
|
Resolves: rhbz#1368057 |
|
- Allow ifconfig_t domain read nsfs_t |
|
Resolves: rhbz#1349814 |
|
- Allow ping_t domain to load kernel modules. |
|
Resolves: rhbz#1388363 |
|
|
|
* Mon Jan 09 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-117 |
|
- Allow systemd container to read/write usermodehelperstate |
|
Resolves: rhbz#1403254 |
|
- Label udp ports in range 24007-24027 as gluster_port_t |
|
Resolves: rhbz#1404152 |
|
|
|
* Tue Dec 20 2016 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-116 |
|
- Allow glusterd_t to bind on glusterd_port_t udp ports. |
|
Resolves: rhbz#1404152 |
|
- Revert: Allow glusterd_t to bind on med_tlp port. |
|
|
|
* Mon Dec 19 2016 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-115 |
|
- Allow glusterd_t to bind on med_tlp port. |
|
Resolves: rhbz#1404152 |
|
- Update ctdbd_t policy to reflect all changes. |
|
Resolves: rhbz#1402451 |
|
- Label tcp port 24009 as med_tlp_port_t |
|
Resolves: rhbz#1404152 |
|
- Issue appears during update directly from RHEL-7.0 to RHEL-7.3 or above. Modules pkcsslotd and vbetools missing in selinux-policy package for RHEL-7.3 which causing warnings during SELinux policy store migration process. Following patch fixes issue by skipping pkcsslotd and vbetools modules migration. |
|
|
|
* Thu Dec 15 2016 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-114 |
|
- Allow ctdbd_t domain transition to rpcd_t |
|
Resolves:rhbz#1402451 |
|
|
|
* Thu Dec 15 2016 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-113 |
|
- Fixes for containers Allow containers to attempt to write to unix_sysctls. Allow cotainers to use the FD's leaked to them from parent processes. |
|
Resolves: rhbz#1403254 |
|
|
|
* Tue Dec 13 2016 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-112 |
|
- Allow glusterd_t send signals to userdomain. Label new glusterd binaries as glusterd_exec_t |
|
Resolves: rhbz#1404152 |
|
- Allow systemd to stop glusterd_t domains. |
|
Resolves: rhbz#1400493 |
|
|
|
* Fri Dec 09 2016 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-111 |
|
- Make working CTDB:NFS: CTDB failover from selinux-policy POV |
|
Resolves: rhbz#1402451 |
|
|
|
* Fri Dec 02 2016 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-110 |
|
- Add kdump_t domain sys_admin capability |
|
Resolves: rhbz#1375963 |
|
|
|
* Thu Dec 01 2016 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-109 |
|
- Allow puppetagent_t to access timedated dbus. Use the systemd_dbus_chat_timedated interface to allow puppetagent_t the access. |
|
Resolves: rhbz#1399250 |
|
|
|
* Mon Nov 14 2016 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-108 |
|
- Update systemd on RHEL-7.2 box to version from RHEL-7.3 and then as a separate yum command update the selinux policy systemd will start generating USER_AVC denials and will start returning "Access Denied" errors to DBus clients |
|
Resolves: rhbz#1393505 |
|
|
|
* Wed Nov 09 2016 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-107 |
|
- Allow cluster_t communicate to fprintd_t via dbus |
|
Resolves: rhbz#1349798 |
|
|
|
* Tue Nov 08 2016 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-106 |
|
- Fix error message during update from RHEL-7.2 to RHEL-7.3, when /usr/sbin/semanage command is not installed and selinux-policy-migrate-local-changes.sh script is executed in %post install phase of selinux-policy package |
|
Resolves: rhbz#1392010 |
|
|
|
* Tue Oct 18 2016 Miroslav Grepl <mgrepl@redhat.com> - 3.13.1-105 |
|
- Allow GlusterFS with RDMA transport to be started correctly. It requires ipc_lock capability together with rw permission on rdma_cm device. |
|
Resolves: rhbz#1384488 |
|
- Allow glusterd to get attributes on /sys/kernel/config directory. |
|
Resolves: rhbz#1384483 |
|
|
|
* Mon Oct 10 2016 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-104 |
|
- Use selinux-policy-migrate-local-changes.sh instead of migrateStore* macros |
|
- Add selinux-policy-migrate-local-changes service |
|
Resolves: rhbz#1381588 |
|
|
|
* Fri Sep 30 2016 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-103 |
|
- Allow sssd_selinux_manager_t to manage also dir class. |
|
Resolves: rhbz#1368097 |
|
- Add interface seutil_manage_default_contexts_dirs() |
|
Resolves: rhbz#1368097 |
|
|
|
* Tue Sep 27 2016 Dan Walsh <dwalsh@redhat.com> - 3.13.1-102 |
|
- Add virt_sandbox_use_nfs -> virt_use_nfs boolean substitution. |
|
Resolves: rhbz#1355783 |
|
|
|
* Tue Sep 27 2016 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-101 |
|
- Allow pcp_pmcd_t domain transition to lvm_t Add capability kill and sys_ptrace to pcp_pmlogger_t |
|
Resolves: rhbz#1309883 |
|
|
|
* Wed Sep 21 2016 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-100 |
|
- Allow ftp daemon to manage apache_user_content |
|
Resolves: rhbz#1097775 |
|
- Label /etc/sysconfig/oracleasm as oracleasm_conf_t |
|
Resolves: rhbz#1331383 |
|
- Allow oracleasm to rw inherited fixed disk device |
|
Resolves: rhbz#1331383 |
|
- Allow collectd to connect on unix_stream_socket |
|
Resolves: rhbz#1377259 |
|
|
|
* Wed Sep 14 2016 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-99 |
|
- Allow iscsid create netlink iscsid sockets. |
|
Resolves: rhbz#1358266 |
|
- Improve regexp for power_unit_file_t files. To catch just systemd power unit files. |
|
Resolves: rhbz#1375462 |
|
|
|
* Tue Sep 13 2016 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-98 |
|
- Update oracleasm SELinux module that can manage oracleasmfs_t blk files. Add dac_override cap to oracleasm_t domain. |
|
Resolves: rhbz#1331383 |
|
- Add few rules to pcp SELinux module to make ti able to start pcp_pmlogger service |
|
Resolves: rhbz#1206525 |
|
|
|
* Tue Sep 06 2016 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-97 |
|
- Add oracleasm_conf_t type and allow oracleasm_t to create /dev/oracleasm |
|
Resolves: rhbz#1331383 |
|
- Label /usr/share/pcp/lib/pmie as pmie_exec_t and /usr/share/pcp/lib/pmlogger as pmlogger_exec_t |
|
Resolves: rhbz#1206525 |
|
- Allow mdadm_t to getattr all device nodes |
|
Resolves: rhbz#1365171 |
|
- Add interface dbus_dontaudit_stream_connect_system_dbusd() |
|
Resolves:rhbz#1052880 |
|
- Add virt_stub_* interfaces for docker policy which is no longer a part of our base policy. |
|
Resolves: rhbz#1372705 |
|
- Allow guest-set-user-passwd to set users password. |
|
Resolves: rhbz#1369693 |
|
- Allow samdbox domains to use msg class |
|
Resolves: rhbz#1372677 |
|
- Allow domains using kerberos to read also kerberos config dirs |
|
Resolves: rhbz#1368492 |
|
- Allow svirt_sandbox_domains to r/w onload sockets |
|
Resolves: rhbz#1342930 |
|
- Add interface fs_manage_oracleasm() |
|
Resolves: rhbz#1331383 |
|
- Label /dev/kfd as hsa_device_t |
|
Resolves: rhbz#1373488 |
|
- Update seutil_manage_file_contexts() interface that caller domain can also manage file_context_t dirs |
|
Resolves: rhbz#1368097 |
|
- Add interface to write to nsfs inodes |
|
Resolves: rhbz#1372705 |
|
- Allow systemd services to use PrivateNetwork feature |
|
Resolves: rhbz#1372705 |
|
- Add a type and genfscon for nsfs. |
|
Resolves: rhbz#1372705 |
|
- Allow run sulogin_t in range mls_systemlow-mls_systemhigh. |
|
Resolves: rhbz#1290400 |
|
|
|
* Wed Aug 31 2016 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-96 |
|
- Allow arpwatch to create netlink netfilter sockets. Resolves: rhbz#1358261 |
|
- Fix file context for /etc/pki/pki-tomcat/ca/ |
|
- new interface oddjob_mkhomedir_entrypoint() |
|
- Move label for /var/lib/docker/vfs/ to proper SELinux module |
|
- Allow mdadm to get attributes from all devices. |
|
- Label /etc/puppetlabs as puppet_etc_t. |
|
- Allow systemd-machined to communicate to lxc container using dbus |
|
- Allow systemd_resolved to send dbus msgs to userdomains Resolves: rhbz#1236579 |
|
- Allow systemd-resolved to read network sysctls Resolves: rhbz#1236579 |
|
- Allow systemd_resolved to connect on system bus. Resolves: rhbz#1236579 |
|
- Make entrypoint oddjob_mkhomedir_exec_t for unconfined_t |
|
- Label all files in /dev/oracleasmfs/ as oracleasmfs_t Resolves: rhbz#1331383 |
|
|
|
* Tue Aug 23 2016 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-95 |
|
- Label /etc/pki/pki-tomcat/ca/ as pki_tomcat_cert_t |
|
Resolves:rhbz#1366915 |
|
- Allow certmonger to manage all systemd unit files |
|
Resolves:rhbz#1366915 |
|
- Grant certmonger "chown" capability |
|
Resolves:rhbz#1366915 |
|
- Allow ipa_helper_t stream connect to dirsrv_t domain |
|
Resolves: rhbz#1368418 |
|
- Update oracleasm SELinux module |
|
Resolves: rhbz#1331383 |
|
- label /var/lib/kubelet as svirt_sandbox_file_t |
|
Resolves: rhbz#1369159 |
|
- Add few interfaces to cloudform.if file |
|
Resolves: rhbz#1367834 |
|
- Label /var/run/corosync-qnetd and /var/run/corosync-qdevice as cluster_var_run_t. Note: corosync policy is now par of rhcs module |
|
Resolves: rhbz#1347514 |
|
- Allow krb5kdc_t to read krb4kdc_conf_t dirs. |
|
Resolves: rhbz#1368492 |
|
- Update networkmanager_filetrans_named_content() interface to allow source domain to create also temad dir in /var/run. |
|
Resolves: rhbz#1365653 |
|
- Allow teamd running as NetworkManager_t to access netlink_generic_socket to allow multiple network interfaces to be teamed together. |
|
Resolves: rhbz#1365653 |
|
- Label /dev/oracleasmfs as oracleasmfs_t. Add few interfaces related to oracleasmfs_t type |
|
Resolves: rhbz#1331383 |
|
- A new version of cloud-init that supports the effort to provision RHEL Atomic on Microsoft Azure requires some a new rules that allows dhclient/dhclient hooks to call cloud-init. |
|
Resolves: rhbz#1367834 |
|
- Allow iptables to creating netlink generic sockets. |
|
Resolves: rhbz#1364359 |
|
|
|
* Wed Aug 17 2016 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-94 |
|
- Allow ipmievd domain to create lock files in /var/lock/subsys/ |
|
Resolves:rhbz#1349058 |
|
- Update policy for ipmievd daemon. |
|
Resolves:rhbz#1349058 |
|
- Dontaudit hyperkvp to getattr on non security files. |
|
Resolves: rhbz#1349356 |
|
- Label /run/corosync-qdevice and /run/corosync-qnetd as corosync_var_run_t |
|
Resolves: rhbz#1347514 |
|
- Fixed lsm SELinux module |
|
- Add sys_admin capability to sbd domain |
|
Resolves: rhbz#1322725 |
|
- Allow vdagent to comunnicate with systemd-logind via dbus |
|
Resolves: rhbz#1366731 |
|
- Allow lsmd_plugin_t domain to create fixed_disk device. |
|
Resolves: rhbz#1238066 |
|
- Allow opendnssec domain to create and manage own tmp dirs/files |
|
Resolves: rhbz#1366649 |
|
- Allow opendnssec domain to read system state |
|
Resolves: rhbz#1366649 |
|
- Update opendnssec_manage_config() interface to allow caller domain also manage opendnssec_conf_t dirs |
|
Resolves: rhbz#1366649 |
|
- Allow rasdaemon to mount/unmount tracefs filesystem. |
|
Resolves: rhbz#1364380 |
|
- Label /usr/libexec/iptables/iptables.init as iptables_exec_t Allow iptables creating lock file in /var/lock/subsys/ |
|
Resolves: rhbz#1367520 |
|
- Modify interface den_read_nvme() to allow also read nvme_device_t block files. |
|
Resolves: rhbz#1362564 |
|
- Label /var/run/storaged as lvm_var_run_t. |
|
Resolves: rhbz#1264390 |
|
- Allow unconfineduser to run ipa_helper_t. |
|
Resolves: rhbz#1361636 |
|
|
|
* Wed Aug 10 2016 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-93 |
|
- Dontaudit mock to write to generic certs. |
|
Resolves: rhbz#1271209 |
|
- Add labeling for corosync-qdevice and corosync-qnetd daemons, to run as cluster_t |
|
Resolves: rhbz#1347514 |
|
- Revert "Label corosync-qnetd and corosync-qdevice as corosync_t domain" |
|
- Allow modemmanager to write to systemd inhibit pipes |
|
Resolves: rhbz#1365214 |
|
- Label corosync-qnetd and corosync-qdevice as corosync_t domain |
|
Resolves: rhbz#1347514 |
|
- Allow ipa_helper to read network state |
|
Resolves: rhbz#1361636 |
|
- Label oddjob_reqiest as oddjob_exec_t |
|
Resolves: rhbz#1361636 |
|
- Add interface oddjob_run() |
|
Resolves: rhbz#1361636 |
|
- Allow modemmanager chat with systemd_logind via dbus |
|
Resolves: rhbz#1362273 |
|
- Allow NetworkManager chat with puppetagent via dbus |
|
Resolves: rhbz#1363989 |
|
- Allow NetworkManager chat with kdumpctl via dbus |
|
Resolves: rhbz#1363977 |
|
- Allow sbd send msgs to syslog Allow sbd create dgram sockets. Allow sbd to communicate with kernel via dgram socket Allow sbd r/w kernel sysctls. |
|
Resolves: rhbz#1322725 |
|
- Allow ipmievd_t domain to re-create ipmi devices Label /usr/libexec/openipmi-helper as ipmievd_exec_t |
|
Resolves: rhbz#1349058 |
|
- Allow rasdaemon to use tracefs filesystem. |
|
Resolves: rhbz#1364380 |
|
- Fix typo bug in dirsrv policy |
|
- Some logrotate scripts run su and then su runs unix_chkpwd. Allow logrotate_t domain to check passwd. |
|
Resolves: rhbz#1283134 |
|
- Add ipc_lock capability to sssd domain. Allow sssd connect to http_cache_t |
|
Resolves: rhbz#1362688 |
|
- Allow dirsrv to read dirsrv_share_t content |
|
Resolves: rhbz#1363662 |
|
- Allow virtlogd_t to append svirt_image_t files. |
|
Resolves: rhbz#1358140 |
|
- Allow hypervkvp domain to read hugetlbfs dir/files. |
|
Resolves: rhbz#1349356 |
|
- Allow mdadm daemon to read nvme_device_t blk files |
|
Resolves: rhbz#1362564 |
|
- Allow selinuxusers and unconfineduser to run oddjob_request |
|
Resolves: rhbz#1361636 |
|
- Allow sshd server to acces to Crypto Express 4 (CEX4) devices. |
|
Resolves: rhbz#1362539 |
|
- Fix labeling issue in init.fc file. Path /usr/lib/systemd/fedora-* changed to /usr/lib/systemd/rhel-*. |
|
Resolves: rhbz#1363769 |
|
- Fix typo in device interfaces |
|
Resolves: rhbz#1349058 |
|
- Add interfaces for managing ipmi devices |
|
Resolves: rhbz#1349058 |
|
- Add interfaces to allow mounting/umounting tracefs filesystem |
|
Resolves: rhbz#1364380 |
|
- Add interfaces to allow rw tracefs filesystem |
|
Resolves: rhbz#1364380 |
|
- Add interface dev_read_nvme() to allow reading Non-Volatile Memory Host Controller devices. |
|
Resolves: rhbz#1362564 |
|
- Label /sys/kernel/debug/tracing filesystem |
|
Resolves: rhbz#1364380 |
|
- Allow sshd setcap capability. This is needed due to latest changes in sshd |
|
Resolves: rhbz#1357857 |
|
|
|
* Thu Jul 28 2016 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-92 |
|
- Dontaudit mock_build_t can list all ptys. |
|
Resolves: rhbz#1271209 |
|
- Allow ftpd_t to mamange userhome data without any boolean. |
|
Resolves: rhbz#1097775 |
|
- Add logrotate permissions for creating netlink selinux sockets. |
|
Resolves: rhbz#1283134 |
|
- Allow lsmd_plugin_t to exec ldconfig. |
|
Resolves: rhbz#1238066 |
|
- Allow vnstatd domain to read /sys/class/net/ files |
|
Resolves: rhbz#1358243 |
|
- Remove duplicate allow rules in spamassassin SELinux module |
|
Resolves:rhbz#1358175 |
|
- Allow spamc_t and spamd_t domains create .spamassassin file in user homedirs |
|
Resolves:rhbz#1358175 |
|
- Allow sshd setcap capability. This is needed due to latest changes in sshd |
|
Resolves: rhbz#1357857 |
|
- Add new MLS attribute to allow relabeling objects higher than system low. This exception is needed for package managers when processing sensitive data. |
|
Resolves: rhbz#1330464 |
|
- Allow gnome-keyring also manage user_tmp_t sockets. |
|
Resolves: rhbz#1257057 |
|
- corecmd: Remove fcontext for /etc/sysconfig/libvirtd |
|
Resolves:rhbz#1351382 |
|
|
|
* Tue Jul 19 2016 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-91 |
|
- Allow ipa_dnskey domain to search cache dirs |
|
Resolves: rhbz#1350957 |
|
|
|
* Tue Jul 19 2016 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-90 |
|
- Allow ipa-dnskey read system state. |
|
Reasolves: rhbz#1350957 |
|
- Allow dogtag-ipa-ca-renew-agent-submit labeled as certmonger_t to create /var/log/ipa/renew.log file |
|
Resolves: rhbz#1350957 |
|
|
|
* Mon Jul 18 2016 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-89 |
|
- Allow firewalld to manage net_conf_t files. |
|
Resolves:rhbz#1304723 |
|
- Allow logrotate read logs inside containers. |
|
Resolves: rhbz#1303514 |
|
- Allow sssd to getattr on fs_t |
|
Resolves: rhbz#1356082 |
|
- Allow opendnssec domain to manage bind chace files |
|
Resolves: rhbz#1350957 |
|
- Fix typo in rhsmcertd policy module |
|
Resolves: rhbz#1329475 |
|
- Allow systemd to get status of systemd-logind daemon |
|
Resolves: rhbz#1356141 |
|
- Label more ndctl devices not just ndctl0 |
|
Resolves: rhbz#1355809 |
|
|
|
* Thu Jul 14 2016 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-88 |
|
- Allow rhsmcertd to copy certs into /etc/docker/cert.d |
|
- Add interface docker_rw_config() |
|
Resolves: rhbz#1344500 |
|
- Fix logrotate fc file to label also /var/lib/logrotate/ dir as logrotate_var_lib_t |
|
Resolves: rhbz#1355632 |
|
- Allow rhsmcertd to read network sysctls |
|
Resolves: rhbz#1329475 |
|
- Label /var/log/graphite-web dir as httpd_log_t |
|
Resolves: rhbz#1310898 |
|
- Allow mock to use generic ptys |
|
Resolves: rhbz#1271209 |
|
- Allow adcli running as sssd_t to write krb5.keytab file. |
|
Resolves: rhbz#1356082 |
|
- Allow openvswitch connect to openvswitch_port_t type. |
|
Resolves: rhbz#1335024 |
|
- Add SELinux policy for opendnssec service. |
|
Resolves: rhbz#1350957 |
|
- Create new SELinux type for /usr/libexec/ipa/ipa-dnskeysyncd |
|
Resolves: rhbz#1350957 |
|
- label /dev/ndctl0 device as nvram_device_t |
|
Resolves: rhbz#1355809 |
|
|
|
* Mon Jul 11 2016 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-87 |
|
- Allow lttng tools to block suspending |
|
Resolves: rhbz#1256374 |
|
- Allow creation of vpnaas in openstack |
|
Resolves: rhbz#1352710 |
|
- virt: add strict policy for virtlogd daemon |
|
Resolves:rhbz#1311606 |
|
- Update makefile to support snapperd_contexts file |
|
Resolves: rhbz#1352681 |
|
|
|
* Fri Jul 08 2016 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-86 |
|
- Allow udev to manage systemd-hwdb files |
|
- Add interface systemd_hwdb_manage_config() |
|
Resolves: rhbz#1350756 |
|
- Fix paths to infiniband devices. This allows use more then two infiniband interfaces. |
|
Resolves: rhbz#1210263 |
|
|
|
* Thu Jul 07 2016 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-85 |
|
- Allow virtual machines to rw infiniband devices. |
|
Resolves: rhbz#1210263 |
|
- Allow opensm daemon to rw infiniband_mgmt_device_t |
|
Resolves: rhbz#1210263 |
|
- Allow systemd_hwdb_t to relabel /etc/udev/hwdb.bin file. |
|
Resolves: rhbz#1350756 |
|
- Make label for new infiniband_mgmt deivices |
|
Resolves: rhbz#1210263 |
|
|
|
* Tue Jul 05 2016 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-84 |
|
- Fix typo in brltty SELinux module |
|
- Add new SELinux module sbd |
|
Resolves: rhbz#1322725 |
|
- Allow pcp dmcache metrics collection |
|
Resolves: rhbz#1309883 |
|
- Allow pkcs_slotd_t to create dir in /var/lock Add label pkcs_slotd_log_t |
|
Resolves: rhbz#1350782 |
|
- Allow openvpn to create sock files labeled as openvpn_var_run_t |
|
Resolves: rhbz#1328246 |
|
- Allow hypervkvp daemon to getattr on all filesystem types. |
|
Resolves: rhbz#1349356 |
|
- Allow firewalld to create net_conf_t files |
|
Resolves: rhbz#1304723 |
|
- Allow mock to use lvm |
|
Resolves: rhbz#1271209 |
|
- Allow keepalived to create netlink generic sockets. |
|
Resolves: rhbz#1349809 |
|
- Allow mirromanager creating log files in /tmp |
|
Resolves:rhbz#1328818 |
|
- Rename few modules to make it consistent with source files |
|
Resolves: rhbz#1351445 |
|
- Allow vmtools_t to transition to rpm_script domain |
|
Resolves: rhbz#1342119 |
|
- Allow nsd daemon to manage nsd_conf_t dirs and files |
|
Resolves: rhbz#1349791 |
|
- Allow cluster to create dirs in /var/run labeled as cluster_var_run_t |
|
Resolves: rhbz#1346900 |
|
- Allow sssd read also sssd_conf_t dirs |
|
Resolves: rhbz#1350535 |
|
- Dontaudit su_role_template interface to getattr /proc/kcore Dontaudit su_role_template interface to getattr /dev/initctl |
|
Resolves: rhbz#1086240 |
|
- Add interface lvm_getattr_exec_files() |
|
Resolves: rhbz#1271209 |
|
- Fix typo Compliling vs. Compiling |
|
Resolves: rhbz#1351445 |
|
|
|
* Wed Jun 29 2016 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-83 |
|
- Allow krb5kdc_t to communicate with sssd |
|
Resolves: rhbz#1319933 |
|
- Allow prosody to bind on prosody ports |
|
Resolves: rhbz#1304664 |
|
- Add dac_override caps for fail2ban-client |
|
Resolves: rhbz#1316678 |
|
- dontaudit read access for svirt_t on the file /var/db/nscd/group |
|
Resolves: rhbz#1301637 |
|
- Allow inetd child process to communicate via dbus with systemd-logind |
|
Resolves: rhbz#1333726 |
|
- Add label for brltty log file |
|
Resolves: rhbz#1328818 |
|
- Allow dspam to read the passwd file |
|
Resolves: rhbz#1286020 |
|
- Allow snort_t to communicate with sssd |
|
Resolves: rhbz#1284908 |
|
- svirt_sandbox_domains need to be able to execmod for badly built libraries. |
|
Resolves: rhbz#1206339 |
|
- Add policy for lttng-tools package. |
|
Resolves: rhbz#1256374 |
|
- Make mirrormanager as application domain. |
|
Resolves: rhbz#1328234 |
|
- Add support for the default lttng-sessiond port - tcp/5345. This port is used by LTTng 2.x central tracing registry session daemon. |
|
- Add prosody ports |
|
Resolves: rhbz#1304664 |
|
- Allow sssd read also sssd_conf_t dirs |
|
Resolves: rhbz#1350535 |
|
|
|
* Tue Jun 28 2016 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-82 |
|
- Label /var/lib/softhsm as named_cache_t. Allow named_t to manage named_cache_t dirs. |
|
Resolves:rhbz#1331315 |
|
- Label named-pkcs11 binary as named_exec_t. |
|
Resolves: rhbz#1331315 |
|
- Allow glusterd daemon to get systemd status |
|
Resolves: rhbz#1321785 |
|
- Allow logrotate dbus-chat with system_logind daemon |
|
Resolves: rhbz#1283134 |
|
- Allow pcp_pmlogger to read kernel network state Allow pcp_pmcd to read cron pid files |
|
Resolves: rhbz#1336211 |
|
- Add interface cron_read_pid_files() |
|
Resolves: rhbz#1336211 |
|
- Allow pcp_pmlogger to create unix dgram sockets |
|
Resolves: rhbz#1336211 |
|
- Add hwloc-dump-hwdata SELinux policy |
|
Resolves: rhbz#1344054 |
|
- Remove non-existing jabberd_spool_t() interface and add new jabbertd_var_spool_t. |
|
Resolves: rhbz#1121171 |
|
- Remove non-existing interface salk_resetd_systemctl() and replace it with sanlock_systemctl_sanlk_resetd() |
|
Resolves: rhbz#1259764 |
|
- Create label for openhpid log files. |
|
esolves: rhbz#1259764 |
|
- Label /var/lib/ganglia as httpd_var_lib_t |
|
Resolves: rhbz#1260536 |
|
- Allow firewalld_t to create entries in net_conf_t dirs. |
|
Resolves: rhbz#1304723 |
|
- Allow journalctl to read syslogd_var_run_t files. This allows to staff_t and sysadm_t to read journals |
|
Resolves: rhbz#1288255 |
|
- Include patch from distgit repo: policy-RHEL-7.1-flask.patch. |
|
Resolves: rhbz#1329560 |
|
- Update refpolicy to handle hwloc |
|
Resolves: rhbz#1344054 |
|
- Label /etc/dhcp/scripts dir as bin_t |
|
- Allow sysadm_role to run journalctl_t domain. This allows sysadm user to read journals. |
|
Resolves: rhbz#1288255 |
|
|
|
* Wed Jun 22 2016 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-81 |
|
- Allow firewalld_t to create entries in net_conf_t dirs. |
|
Resolves: rhbz#1304723 |
|
- Allow journalctl to read syslogd_var_run_t files. This allows to staff_t and sysadm_t to read journals |
|
Resolves: rhbz#1288255 |
|
- Allow mongod log to syslog. |
|
Resolves: rhbz#1306995 |
|
- Allow rhsmcertd connect to port tcp 9090 |
|
Resolves: rhbz#1337319 |
|
- Label for /bin/mail(x) was removed but /usr/bin/mail(x) not. This path is also needed to remove. |
|
Resolves: rhbz#1262483 |
|
Resolves: rhbz#1277506 |
|
- Label /usr/libexec/mimedefang-wrapper as spamd_exec_t. |
|
Resolves: rhbz#1301516 |
|
- Add new boolean spamd_update_can_network. |
|
Resolves: rhbz#1305469 |
|
- Allow rhsmcertd connect to tcp netport_port_t |
|
Resolves: rhbz#1329475 |
|
- Fix SELinux context for /usr/share/mirrormanager/server/mirrormanager to Label all binaries under dir as mirrormanager_exec_t. |
|
Resolves: rhbz#1328234 |
|
- Allow prosody to bind to fac_restore tcp port. |
|
Resolves: rhbz#1321787 |
|
- Allow ninfod to read raw packets |
|
Resolves: rhbz#1317964 |
|
- Allow pegasus get attributes from qemu binary files. |
|
Resolves: rhbz#1260835 |
|
- Allow pegasus get attributes from qemu binary files. |
|
Resolves: rhbz#1271159 |
|
- Allow tuned to use policykit. This change is required by cockpit. |
|
Resolves: rhbz#1346464 |
|
- Allow conman_t to read dir with conman_unconfined_script_t binary files. |
|
Resolves: rhbz#1297323 |
|
- Allow pegasus to read /proc/sysinfo. |
|
Resolves: rhbz#1265883 |
|
- Allow sysadm_role to run journalctl_t domain. This allows sysadm user to read journals. |
|
Resolves: rhbz#1288255 |
|
- Label tcp ports:16379, 26379 as redis_port_t |
|
Resolves: rhbz#1348471 |
|
- Allow systemd to relabel /var and /var/lib directories during boot. |
|
- Add files_relabel_var_dirs() and files_relabel_var_dirs() interfaces. |
|
- Add files_relabelto_var_lib_dirs() interface. |
|
- Label tcp port 2004 as mailbox_port_t. |
|
Resolves: rhbz#1332843 |
|
- Label tcp and udp port 5582 as fac_restore_port_t |
|
Resolves: rhbz#1321787 |
|
- Allow sysadm_t user to run postgresql-setup. |
|
Resolves: rhbz#1282543 |
|
- Allow sysadm_t user to dbus chat with oddjob_t. This allows confined admin run oddjob mkhomedirfor script. |
|
Resolves: rhbz#1297480 |
|
- Update netlink socket classes. |
|
|
|
* Thu Jun 16 2016 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-80 |
|
- Allow conman to kill conman_unconfined_script. |
|
Resolves: rhbz#1297323 |
|
- Make conman_unconfined_script_t as init_system_domain. |
|
Resolves:rhbz#1297323 |
|
- Allow init dbus chat with apmd. |
|
Resolves:rhbz#995898 |
|
- Patch /var/lib/rpm is symlink to /usr/share/rpm on Atomic, due to this change we need to label also /usr/share/rpm as rpm_var_lib_t. |
|
Resolves: rhbz#1233252 |
|
- Dontaudit xguest_gkeyringd_t stream connect to system_dbusd_t |
|
Resolves: rhbz#1052880 |
|
- Add mediawiki rules to proper scope |
|
Resolves: rhbz#1301186 |
|
- Dontaudit xguest_gkeyringd_t stream connect to system_dbusd_t |
|
Resolves: rhbz#1052880 |
|
- Allow mysqld_safe to inherit rlimit information from mysqld |
|
Resolves: rhbz#1323673 |
|
- Allow collectd_t to stream connect to postgresql. |
|
Resolves: rhbz#1344056 |
|
- Allow mediawiki-script to read /etc/passwd file. |
|
Resolves: rhbz#1301186 |
|
- Add filetrans rule that NetworkManager_t can create net_conf_t files in /etc. |
|
Resolves: rhbz#1344505 |
|
- Add labels for mediawiki123 |
|
Resolves: rhbz#1293872 |
|
- Fix label for all fence_scsi_check scripts |
|
- Allow ip netns to mounton root fs and unmount proc_t fs. |
|
Resolves: rhbz#1343776 |
|
Resolves: rhbz#1286851 |
|
- Allow sysadm_t to run newaliases command. |
|
Resolves: rhbz#1344828 |
|
- Add interface sysnet_filetrans_named_net_conf() |
|
Resolves: rhbz#1344505 |
|
|
|
* Mon Jun 13 2016 Petr Lautrbach <plautrba@redhat.com> - 3.13.1-79 |
|
- Fix several issues related to the SELinux Userspace changes |
|
|
|
* Thu Jun 09 2016 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-78 |
|
- Allow glusterd domain read krb5_keytab_t files. |
|
Resolves: rhbz#1343929 |
|
- Fix typo in files_setattr_non_security_dirs. |
|
Resolves: rhbz#1115987 |
|
|
|
* Thu Jun 09 2016 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-77 |
|
- Allow tmpreaper_t to read/setattr all non_security_file_type dirs |
|
Resolves: rhbz#1115987 |
|
- Allow firewalld to create firewalld_var_run_t directory. |
|
Resolves: rhbz#1304723 |
|
- Add interface firewalld_read_pid_files() |
|
Resolves: rhbz#1304723 |
|
- Label /usr/libexec/rpm-ostreed as rpm_exec_t. |
|
Resolves: rhbz#1340542 |
|
- Allow sanlock service to read/write cephfs_t files. |
|
Resolves: rhbz#1315332 |
|
- Fixed to make SELinux work with docker and prctl(NO_NEW_PRIVS) |
|
- Added missing docker interfaces: - docker_typebounds - docker_entrypoint |
|
Resolves: rhbz#1236580 |
|
- Add interface files_setattr_non_security_dirs() |
|
Resolves: rhbz#1115987 |
|
- Add support for onloadfs |
|
- Allow iptables to read firewalld pid files. |
|
Resolves: rhbz#1304723 |
|
- Add SELinux support for ceph filesystem. |
|
Resolves: rhbz#1315332 |
|
- Fixed to make SELinux work with docker and prctl(NO_NEW_PRIVS) |
|
Resolves: rhbz#1236580 |
|
|
|
* Mon Jun 06 2016 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-76 |
|
- Fixed to make SELinux work with docker and prctl(NO_NEW_PRIVS) |
|
- Added missing docker interfaces: - docker_typebounds - docker_entrypoint |
|
Resolves: rhbz#1236580 |
|
- New interfaces needed for systemd-machinectl |
|
Resolves: rhbz#1236580 |
|
- New interfaces needed by systemd-machine |
|
Resolves: rhbz#1236580 |
|
- Add interface allowing sending and receiving messages from virt over dbus. |
|
Resolves: rhbz#1236580 |
|
- Backport docker policy from Fedora. |
|
Related: #1303123 |
|
Resolves: #1341257 |
|
- Allow NetworkManager_t and policykit_t read access to systemd-machined pid files. |
|
Resolves: rhbz#1236580 |
|
- Fixed to make SELinux work with docker and prctl(NO_NEW_PRIVS) |
|
- Added interfaces needed by new docker policy. |
|
Related: rhbz#1303123 |
|
- Add support for systemd-machined daemon |
|
Resolves: rhbz#1236580 |
|
- Allow rpm-ostree domain transition to install_t domain from init_t. |
|
Resolves: rhbz#1340542 |
|
|
|
* Tue May 31 2016 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-75 |
|
- dnsmasq: allow NetworkManager to control dnsmasq via D-Bus |
|
Resolves: rhbz#1336722 |
|
- Directory Server (389-ds-base) has been updated to use systemd-ask-password. In order to function correctly we need the following added to dirsrv.te |
|
Resolves: rhbz#1333198 |
|
- sftpd_* booleans are functionless these days. |
|
Resolves: rhbz#1335656 |
|
- Label /var/log/ganesha.log as gluster_log_t Allow glusterd_t domain to create glusterd_log_t files. Label /var/run/ganesha.pid as gluster_var_run_t. |
|
Resolves: rhbz#1335828 |
|
- Allow ganesha-ha.sh script running under unconfined_t domain communicate with glusterd_t domains via dbus. |
|
Resolves: rhbz#1336760 |
|
- Allow ganesha daemon labeled as glusterd_t create /var/lib/nfs/ganesha dir labeled as var_lib_nfs_t. |
|
Resolves: rhbz#1336737 |
|
- Label /usr/libexec/storaged/storaged as lvm_exec_t to run storaged daemon in lvm_t SELinux domain. |
|
Resolves: rhbz#1264390 |
|
- Allow systemd_hostanmed_t to read /proc/sysinfo labeled as sysctl_t. |
|
Resolves: rhbz#1337061 |
|
- Revert "Allow all domains some process flags." |
|
Resolves: rhbz#1303644 |
|
- Revert "Remove setrlimit to all domains." |
|
Resolves: rhbz#1303644 |
|
- Label /usr/sbin/xrdp* files as bin_t |
|
Resolves: rhbz#1276777 |
|
- Add mls support for some db classes |
|
Resolves: rhbz#1303651 |
|
- Allow systemd_resolved_t to check if ipv6 is disabled. |
|
Resolves: rhbz#1236579 |
|
- Allow systemd_resolved to read systemd_networkd run files. |
|
Resolves: rhbz#1236579 |
|
|
|
* Mon May 23 2016 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-74 |
|
- Allow ganesha-ha.sh script running under unconfined_t domain communicate with glusterd_t domains via dbus. |
|
Resolves: rhbz#1336760 |
|
- Allow ganesha daemon labeled as glusterd_t create /var/lib/nfs/ganesha dir labeled as var_lib_nfs_t. |
|
Resolves: rhbz#1336737 |
|
|
|
* Mon May 16 2016 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-73 |
|
- Allow logwatch to domtrans to postqueue |
|
Resolves: rhbz#1331542 |
|
- Label /var/log/ganesha.log as gluster_log_t |
|
- Allow glusterd_t domain to create glusterd_log_t files. |
|
- Label /var/run/ganesha.pid as gluster_var_run_t. |
|
Resolves: rhbz#1335828 |
|
- Allow zabbix to connect to postgresql port |
|
Resolves: rhbz#1330479 |
|
- Add userdom_destroy_unpriv_user_shared_mem() interface. |
|
Related: rhbz#1306403 |
|
- systemd-logind remove all IPC objects owned by a user on a logout. This covers also SysV memory. This change allows to destroy unpriviledged user SysV shared memory segments. |
|
Resolves: rhbz#1306403 |
|
|
|
* Mon May 16 2016 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-72 |
|
- We need to restore contexts on /etc/passwd*,/etc/group*,/etc/*shadow* during install phase to get proper labeling for these files until selinux-policy pkgs are installed. |
|
Resolves: rhbz#1333952 |
|
|
|
* Tue May 10 2016 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-71 |
|
- Add interface glusterd_dontaudit_read_lib_dirs() |
|
Resolves: rhbz#1295680 |
|
- Dontaudit Occasionally observing AVC's while running geo-rep automation |
|
Resolves: rhbz#1295680 |
|
- Allow glusterd to manage socket files labeled as glusterd_brick_t. |
|
Resolves: rhbz#1331561 |
|
- Create new apache content template for files stored in user homedir. This change is needed to make working booleans: - httpd_enable_homedirs - httpd_read_user_content |
|
Resolves: rhbz#1246522 |
|
- Allow stunnel create log files. |
|
Resolves: rhbz#1296851 |
|
- Label tcp port 8181 as intermapper_port_t. |
|
Resolves: rhbz#1334783 |
|
- Label tcp/udp port 2024 as xinuexpansion4_port_t |
|
Resolves: rhbz#1334783 |
|
- Label tcp port 7002 as afs_pt_port_t Label tcp/udp port 2023 as xinuexpansion3_port_t |
|
Resolves: rhbz#1334783 |
|
- Dontaudit ldconfig read gluster lib files. |
|
Resolves: rhbz#1295680 |
|
- Add interface auth_use_nsswitch() to systemd_domain_template. |
|
Resolves: rhbz#1236579 |
|
|
|
* Tue May 03 2016 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-70 |
|
- Label /usr/bin/ganesha.nfsd as glusterd_exec_t to run ganesha as glusterd_t. Allow glusterd_t stream connect to rpbind_t. Allow cluster_t to create symlink /var/lib/nfs labeled as var_lib_nfs_t. Add interface rpc_filetrans_var_lib_nfs_content() Add new boolean: rpcd_use_fusefs to allow rpcd daemon use fusefs. |
|
Resolves: rhbz#1312809 |
|
Resolves: rhbz#1323947 |
|
- Allow dbus chat between httpd_t and oddjob_t. Resolves: rhbz#1324144 |
|
- Label /usr/libexec/ipa/oddjob/org.freeipa.server.conncheck as ipa_helper_exec_t. |
|
Resolves: rhbz#1324144 |
|
- Label /var/log/ipareplica-conncheck.log file as ipa_log_t Allow ipa_helper_t domain to manage logs labeledas ipa_log_t Allow ipa_helper_t to connect on http and kerberos_passwd ports. |
|
Resolves: rhbz#1324144 |
|
- Allow prosody to listen on port 5000 for mod_proxy65. |
|
Resolves: rhbz#1316918 |
|
- Allow pcp_pmcd_t domain to manage docker lib files. This rule is needed to allow pcp to collect container information when SELinux is enabled. |
|
Resolves: rhbz#1309454 |
|
|
|
* Wed Apr 27 2016 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-69 |
|
- Allow runnig php7 in fpm mode. From selinux-policy side, we need to allow httpd to read/write hugetlbfs. |
|
Resolves: rhbz#1319442 |
|
- Allow openvswitch daemons to run under openvswitch Linux user instead of root. This change needs allow set capabilities: chwon, setgid, setuid, setpcap. |
|
Resolves: rhbz#1296640 |
|
- Remove ftpd_home_dir() boolean from distro policy. Reason is that we cannot make this working due to m4 macro language limits. |
|
Resolves: rhbz#1097775 |
|
- /bin/mailx is labeled sendmail_exec_t, and enters the sendmail_t domain on execution. If /usr/sbin/sendmail does not have its own domain to transition to, and is not one of several products whose behavior is allowed by the sendmail_t policy, execution will fail. In this case we need to label /bin/mailx as bin_t. |
|
Resolves: rhbz#1262483 |
|
- Allow nsd daemon to create log file in /var/log as nsd_log_t |
|
Resolves: rhbz#1293140 |
|
- Sanlock policy update. - New sub-domain for sanlk-reset daemon |
|
Resolves: rhbz#1212324 |
|
- Label all run tgtd files, not just socket files |
|
Resolves: rhbz#1280280 |
|
- Label all run tgtd files, not just socket files. |
|
Resolves: rhbz#1280280 |
|
- Allow prosody to stream connect to sasl. This will allow using cyrus authentication in prosody. |
|
Resolves: rhbz#1321049 |
|
- unbound wants to use ephemeral ports as a default configuration. Allow to use also udp sockets. |
|
Resolves: rhbz#1318224 |
|
- Allow prosody to listen on port 5000 for mod_proxy65. |
|
Resolves: rhbz#1316918 |
|
- Allow targetd to read/write to /dev/mapper/control device. |
|
Resolves: rhbz#1063714 |
|
- Allow KDM to get status about power services. This change allow kdm to be able do shutdown. |
|
Resolves: rhbz#1316724 |
|
- Allow systemd-resolved daemon creating netlink_route sockets. |
|
Resolves:rhbz#1236579 |
|
- Allow systemd_resolved_t to read /etc/passwd file. Allow systemd_resolved_t to write to kmsg_device_t when 'systemd.log_target=kmsg' option is used |
|
Resolves: rhbz#1065362 |
|
- Label /etc/selinux/(minimum|mls|targeted)/active/ as semanage_store_t |
|
Resolves: rhbz#1321943 |
|
- Label all nvidia binaries as xserver_exec_t |
|
Resolves: rhbz#1322283 |
|
|
|
* Wed Mar 23 2016 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-68 |
|
- Create new permissivedomains CIL module and make it active. |
|
Resolves: rhbz#1320451 |
|
- Add support for new mock location - /usr/libexec/mock/mock. |
|
Resolves: rhbz#1271209 |
|
- Allow bitlee to create bitlee_var_t dirs. |
|
Resolves: rhbz#1268651 |
|
- Allow CIM provider to read sssd public files. |
|
Resolves: rhbz#1263339 |
|
- Fix some broken interfaces in distro policy. |
|
Resolves: rhbz#1121171 |
|
- Allow power button to shutdown the laptop. |
|
Resolves: rhbz#995898 |
|
- Allow lsm plugins to create named fixed disks. |
|
Resolves: rhbz#1238066 |
|
- Add default labeling for /etc/Pegasus/cimserver_current.conf. It is a correct patch instead of the current /etc/Pegasus/pegasus_current.confResolves: rhbz#1278777 |
|
- Allow hyperv domains to rw hyperv devices. |
|
Resolves: rhbz#1309361 |
|
- Label /var/www/html(/.*)?/wp_backups(/.*)? as httpd_sys_rw_content_t.Resolves: rhbz#1246780 |
|
- Create conman_unconfined_script_t type for conman script stored in /use/share/conman/exec/ |
|
Resolves: rhbz#1297323 |
|
- Fix rule definitions for httpd_can_sendmail boolean. We need to distinguish between base and contrib. |
|
- Add support for /dev/mptctl device used to check RAID status. |
|
Resolves: rhbz#1258029 |
|
- Create hyperv* devices and create rw interfaces for this devices. |
|
Resolves: rhbz#1309361 |
|
- Add fixes for selinux userspace moving the policy store to /var/lib/selinux. |
|
- Remove optional else block for dhcp ping |
|
|
|
* Thu Mar 17 2016 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-67 |
|
- Allow rsync_export_all_ro boolean to read also non_auth_dirs/files/symlinks. |
|
Resolves: rhbz#1263770 |
|
- Fix context of "/usr/share/nginx/html". |
|
Resolves: rhbz#1261857 |
|
- Allow pmdaapache labeled as pcp_pmcd_t access to port 80 for apache diagnostics |
|
Resolves: rhbz#1270344 |
|
- Allow pmlogger to create pmlogger.primary.socket link file. |
|
Resolves: rhbz#1270344 |
|
- Label nagios scripts as httpd_sys_script_exec_t. |
|
Resolves: rhbz#1260306 |
|
- Add dontaudit interface for kdumpctl_tmp_t |
|
Resolves: rhbz#1156442 |
|
- Allow mdadm read files in EFI partition. |
|
Resolves: rhbz#1291801 |
|
- Allow nsd_t to bind on nsf_control tcp port. Allow nsd_crond_t to read nsd pid. |
|
Resolves: rhbz#1293140 |
|
- Label some new nsd binaries as nsd_exec_t Allow nsd domain net_admin cap. Create label nsd_tmp_t for nsd tmp files/dirs |
|
Resolves: rhbz#1293140 |
|
- Add filename transition that /etc/princap will be created with cupsd_rw_etc_t label in cups_filetrans_named_content() interface. |
|
Resolves: rhbz#1265102 |
|
- Add missing labeling for /usr/libexec/abrt-hook-ccpp. |
|
Resolves: rhbz#1213409 |
|
- Allow pcp_pmie and pcp_pmlogger to read all domains state. |
|
Resolves: rhbz#1206525 |
|
- Label /etc/redis-sentinel.conf as redis_conf_t. Allow redis_t write to redis_conf_t. Allow redis_t to connect on redis tcp port. |
|
Resolves: rhbz#1275246 |
|
- cockpit has grown content in /var/run directory |
|
Resolves: rhbz#1279429 |
|
- Allow collectd setgid capability |
|
Resolves:#1310898 |
|
- Remove declaration of empty booleans in virt policy. |
|
Resolves: rhbz#1103153 |
|
- Fix typo in drbd policy |
|
- Add new drbd file type: drbd_var_run_t. Allow drbd_t to manage drbd_var_run_t files/dirs. Allow drbd_t create drbd_tmp_t files in /tmp. |
|
Resolves: rhbz#1134883 |
|
- Label /etc/ctdb/events.d/* as ctdb_exec_t. Allow ctdbd_t to setattr on ctdbd_exec_t files. |
|
Resolves: rhbz#1293788 |
|
- Allow abrt-hook-ccpp to get attributes of all processes because of core_pattern. |
|
Resolves: rhbz#1254188 |
|
- Allow abrt_t to read sysctl_net_t files. |
|
Resolves: rhbz#1254188 |
|
- The ABRT coredump handler has code to emulate default core file creation The handler runs in a separate process with abrt_dump_oops_t SELinux process type. abrt-hook-ccpp also saves the core dump file in the very same way as kernel does and a user can specify CWD location for a coredump. abrt-hook-ccpp has been made as a SELinux aware apps to create this coredumps with correct labeling and with this commit the policy rules have been updated to allow access all non security files on a system. |
|
- Allow abrt-hook-ccpp to getattr on all executables. |
|
- Allow setuid/setgid capabilities for abrt-hook-ccpp. |
|
Resolves: rhbz#1254188 |
|
- abrt-hook-ccpp needs to have setfscreate access because it is SELinux aware and compute a target labeling. |
|
Resolves: rhbz#1254188 |
|
- Allow abrt-hook-ccpp to change SELinux user identity for created objects. |
|
Resolves: rhbz#1254188 |
|
- Dontaudit write access to inherited kdumpctl tmp files. |
|
Resolves: rbhz#1156442 |
|
- Add interface to allow reading files in efivarfs - contains Linux Kernel configuration options for UEFI systems (UEFI Runtime Variables) |
|
Resolves: rhbz#1291801 |
|
- Label 8952 tcp port as nsd_control. |
|
Resolves: rhbz#1293140 |
|
- Allow ipsec to use pam. |
|
Resolves: rhbz#1315700 |
|
- Allow to log out to gdm after screen was resized in session via vdagent. |
|
Resolves: rhbz#1249020 |
|
- Allow setrans daemon to read /proc/meminfo. |
|
Resolves: rhbz#1316804 |
|
- Allow systemd_networkd_t to write kmsg, when kernel was started with following params: systemd.debug systemd.log_level=debug systemd.log_target=kmsg |
|
Resolves: rhbz#1298151 |
|
- Label tcp port 5355 as llmnr-> Link-Local Multicast Name Resolution |
|
Resolves: rhbz#1236579 |
|
- Add new selinux policy for systemd-resolved dawmon. |
|
Resolves: rhbz#1236579 |
|
- Add interface ssh_getattr_server_keys() interface. |
|
Resolves: rhbz#1306197 |
|
- Allow run sshd-keygen on second boot if first boot fails after some reason and content is not syncedon the disk. These changes are reflecting this commit in sshd. http://pkgs.fedoraproject.org/cgit/rpms/openssh.git/commit/?id=af94f46861844cbd6ba4162115039bebcc8f78ba rhbz#1299106 |
|
Resolves: rhbz#1306197 |
|
- Allow systemd_notify_t to write to kmsg_device_t when 'systemd.log_target=kmsg' option is used. |
|
Resolves: rhbz#1309417 |
|
- Remove bin_t label for /etc/ctdb/events.d/. We need to label this scripts as ctdb_exec_t. |
|
Resolves: rhbz#1293788 |
|
|
|
* Thu Mar 17 2016 Petr Lautrbach <plautrba@redhat.com> - 3.13.1-66 |
|
- Prepare selinux-policy package for userspace release 2016-02-23. Resolves: rhbz#1305982 |
|
|
|
* Tue Mar 08 2016 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-65 |
|
- Allow sending dbus msgs between firewalld and system_cronjob domains. Resolves: rhbz#1284902 |
|
- Allow zabbix-agentd to connect to following tcp sockets. One of zabbix-agentd functions is get service status of ftp,http,innd,pop,smtp protocols. |
|
Resolves: rhbz#1242506 |
|
- Add new boolean tmpreaper_use_cifs() to allow tmpreaper to run on local directories being shared with Samba. |
|
Resolves: rhbz#1284972 |
|
- Add support for systemd-hwdb daemon. |
|
Resolves: rhbz#1257940 |
|
- Add interface fs_setattr_cifs_dirs(). |
|
Resolves: rhbz#1284972 |
|
|
|
* Mon Feb 29 2016 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-64 |
|
- Add new SELinux policy fo targetd daemon. |
|
Resolves: rhbz#1063714 |
|
- Add new SELinux policy fo ipmievd daemon. |
|
Resolves: rhbz#1083031 |
|
- Add new SELinux policy fo hsqldb daemon. |
|
Resolves: rhbz#1083171 |
|
- Add new SELinux policy for blkmapd daemon. |
|
Resolves: rhbz#1072997 |
|
- Allow p11-child to connect to apache ports. |
|
- Label /usr/sbin/lvmlockd binary file as lvm_exec_t. |
|
Resolves: rhbz#1278028 |
|
- Add interface "lvm_manage_lock" to lvm policy. |
|
Resolves: rhbz#1063714 |
|
|
|
* Wed Jan 27 2016 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-63 |
|
- Allow openvswitch domain capability sys_rawio. |
|
Resolves: rhbz#1278495 |
|
|
|
* Tue Jan 26 2016 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-62 |
|
- Allow openvswitch to manage hugetlfs files and dirs. |
|
Resolves: rhbz#1278495 |
|
- Add fs_manage_hugetlbfs_files() interface. |
|
Resolves: rhbz#1278495 |
|
|
|
* Tue Jan 12 2016 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-61 |
|
- Allow smbcontrol domain to send sigchld to ctdbd domain. |
|
Resolves: #1293784 |
|
- Allow openvswitch read/write hugetlb filesystem. |
|
Resolves: #1278495 |
|
|
|
* Wed Oct 14 2015 Miroslav Grepl <mgrepl@redhat.com> 3.13.1-60 |
|
Allow hypervvssd to list all mountpoints to have VSS live backup working correctly. |
|
Resolves:#1247880 |
|
|
|
* Tue Oct 13 2015 Miroslav Grepl <mgrepl@redhat.com> 3.13.1-59 |
|
- Revert Add missing labeling for /usr/libexec/abrt-hook-ccpp patch |
|
Resolves: #1254188 |
|
|
|
* Thu Oct 8 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-58 |
|
- Allow search dirs in sysfs types in kernel_read_security_state. |
|
Resolves: #1254188 |
|
- Fix kernel_read_security_state interface that source domain of this interface can search sysctl_fs_t dirs. |
|
Resolves: #1254188 |
|
|
|
* Wed Oct 7 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-57 |
|
- Add missing labeling for /usr/libexec/abrt-hook-ccpp as a part of #1245477 and #1242467 bugs |
|
Resolves: #1254188 |
|
- We need allow connect to xserver for all sandbox_x domain because we have one type for all sandbox processes. |
|
Resolves:#1261938 |
|
|
|
* Fri Oct 2 2015 Miroslav Grepl <mgrepl@redhat.com> 3.13.1-56 |
|
- Remove labeling for modules_dep_t file contexts to have labeled them as modules_object_t. |
|
- Update files_read_kernel_modules() to contain modutils_read_module_deps_files() calling because module deps labeling could remain and it allows to avoid regressions. |
|
Resolves:#1266928 |
|
|
|
* Tue Sep 29 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-55 |
|
- We need to require sandbox_web_type attribute in sandbox_x_domain_template(). |
|
Resolves: #1261938 |
|
- ipsec: The NM helper needs to read the SAs |
|
Resolves: #1259786 |
|
- ipsec: Allow ipsec management to create ptys |
|
Resolves: #1259786 |
|
|
|
* Tue Sep 29 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-54 |
|
- Add temporary fixes for sandbox related to #1103622. It allows to run everything under one sandbox type. |
|
Resolves:#1261938 |
|
- Allow abrt_t domain to write to kernel msg device. |
|
Resolves: #1257828 |
|
- Allow rpcbind_t domain to change file owner and group |
|
Resolves: #1265266 |
|
|
|
* Tue Sep 22 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-53 |
|
- Allow smbcontrol to create a socket in /var/samba which uses for a communication with smbd, nmbd and winbind. |
|
Resolves: #1256459 |
|
|
|
* Fri Sep 18 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-52 |
|
- Allow dirsrv-admin script to read passwd file. Allow dirsrv-admin script to read httpd pid files. Label dirsrv-admin unit file and allow dirsrv-admin domains to use it. |
|
Resolves: #1230300 |
|
- Allow qpid daemon to connect on amqp tcp port. |
|
Resolves: #1261805 |
|
|
|
* Fri Sep 18 2015 Miroslav Grepl <mgrepl@redhat.com> 3.13.1-51 |
|
- Label /etc/ipa/nssdb dir as cert_t |
|
Resolves:#1262718 |
|
- Do not provide docker policy files which is shipped by docker-selinux.rpm |
|
Resolves:#1262812 |
|
|
|
* Thu Sep 17 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-50 |
|
- Add labels for afs binaries: dafileserver, davolserver, salvageserver, dasalvager |
|
Resolves: #1192338 |
|
- Add lsmd_plugin_t sys_admin capability, Allow lsmd_plugin_t getattr from sysfs filesystem. |
|
Resolves: #1238079 |
|
- Allow rhsmcertd_t send signull to unconfined_service_t domains. |
|
Resolves: #1176078 |
|
- Remove file transition from snmp_manage_var_lib_dirs() interface which created snmp_var_lib_t dirs in var_lib_t. |
|
- Allow openhpid_t daemon to manage snmp files and dirs. |
|
Resolves: #1243902 |
|
- Allow mdadm_t domain read/write to general ptys and unallocated ttys. |
|
Resolves: #1073314 |
|
- Add interface unconfined_server_signull() to allow domains send signull to unconfined_service_t |
|
Resolves: #1176078 |
|
|
|
* Fri Sep 11 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-49 |
|
- Allow systemd-udevd to access netlink_route_socket to change names for network interfaces without unconfined.pp module. It affects also MLS. |
|
Resolves:#1250456 |
|
|
|
* Thu Sep 10 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-48 |
|
- Fix labeling for fence_scsi_check script |
|
Resolves: #1255020 |
|
- Allow openhpid to read system state Allow openhpid to connect to tcp http port. |
|
Resolves: #1244248 |
|
- Allow openhpid to read snmp var lib files. |
|
Resolves: #1243902 |
|
- Allow openvswitch_t domains read kernel dependencies due to openvswitch run modprobe |
|
- Allow unconfined_t domains to create /var/run/xtables.lock with iptables_var_run_t |
|
Resolves: #1243403 |
|
- Remove bin_t label for /usr/share/cluster/fence_scsi_check\.pl |
|
Resolves: #1255020 |
|
|
|
* Wed Sep 02 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-47 |
|
- Fix regexp in chronyd.fc file |
|
Resolves: #1243764 |
|
- Allow passenger to getattr filesystem xattr |
|
Resolves: #1196555 |
|
- Label mdadm.conf.anackbak as mdadm_conf_t file. |
|
Resolves: #1088904 |
|
- Revert "Allow pegasus_openlmi_storage_t create mdadm.conf.anacbak file in /etc." |
|
- Allow watchdog execute fenced python script. |
|
Resolves: #1255020 |
|
- Added inferface watchdog_unconfined_exec_read_lnk_files() |
|
- Remove labeling for /var/db/.*\.db as etc_t to label db files as system_db_t. |
|
Resolves: #1230877 |
|
|
|
* Thu Aug 27 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-46 |
|
- Allow watchdog execute fenced python script. Resolves: #1255020 |
|
- Added inferface watchdog_unconfined_exec_read_lnk_files() |
|
- Label /var/run/chrony-helper dir as chronyd_var_run_t. Resolves: #1243764 |
|
- Allow dhcpc_t domain transition to chronyd_t Resolves: #1243764 |
|
|
|
* Fri Aug 21 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-45 |
|
- Fix postfix_spool_maildrop_t,postfix_spool_flush_t contexts in postfix.fc file. |
|
Resolves: #1252442 |
|
|
|
* Wed Aug 19 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-44 |
|
- Allow exec pidof under hypervkvp domain. |
|
Resolves: #1254870 |
|
- Allow hypervkvp daemon create connection to the system DBUS |
|
Resolves: #1254870 |
|
|
|
* Wed Aug 19 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-43 |
|
- Allow openhpid_t to read system state. |
|
Resolves: #1244248 |
|
- Added labels for files provided by rh-nginx18 collection |
|
Resolves: #1249945 |
|
- Dontaudit block_suspend capability for ipa_helper_t, this is kernel bug. Allow ipa_helper_t capability net_admin. Allow ipa_helper_t to list /tmp. Allow ipa_helper_t to read rpm db. |
|
Resolves: #1252968 |
|
- Allow rhsmcertd exec rhsmcertd_var_run_t files and rhsmcerd_tmp_t files. This rules are in hide_broken_sympthons until we find better solution. |
|
Resolves: #1243431 |
|
- Allow abrt_dump_oops_t to read proc_security_t files. |
|
- Allow abrt_dump_oops to signull all domains Allow abrt_dump_oops to read all domains state Allow abrt_dump_oops to ptrace all domains |
|
- Add interface abrt_dump_oops_domtrans() |
|
- Add mountpoint dontaudit access check in rhsmcertd policy. |
|
Resolves: #1243431 |
|
- Allow samba_net_t to manage samba_var_t sock files. |
|
Resolves: #1252937 |
|
- Allow chrome setcap to itself. |
|
Resolves: #1251996 |
|
- Allow httpd daemon to manage httpd_var_lib_t lnk_files. |
|
Resolves: #1253706 |
|
- Allow chronyd exec systemctl |
|
Resolves: #1243764 |
|
- Add inteface chronyd_signal Allow timemaster_t send generic signals to chronyd_t. |
|
Resolves: #1243764 |
|
- Added interface fs_dontaudit_write_configfs_dirs |
|
- Add label for kernel module dep files in /usr/lib/modules |
|
Resolves:#916635 |
|
- Allow kernel_t domtrans to abrt_dump_oops_t |
|
- Added to files_dontaudit_write_all_mountpoints intefface new dontaudit rule, that domain included this interface dontaudit capability dac_override. |
|
- Allow systemd-networkd to send logs to systemd-journald. |
|
Resolves: #1236616 |
|
|
|
* Wed Aug 12 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-42 |
|
- Fix label on /var/tmp/kiprop_0 |
|
Resolves:#1220763 |
|
- Allow lldpad_t to getattr tmpfs_t. |
|
Resolves: #1246220 |
|
- Label /dev/shm/lldpad.* as lldapd_tmpfs_t |
|
Resolves: #1246220 |
|
- Allow audisp client to read system state. |
|
|
|
* Tue Aug 11 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-41 |
|
- Allow pcp_domain to manage pcp_var_lib_t lnk_files. |
|
Resolves: #1252341 |
|
- Label /var/run/xtables.* as iptables_var_run_t |
|
Resolves: #1243403 |
|
|
|
* Mon Aug 10 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-40 |
|
- Add interface to read/write watchdog device |
|
- Add labels for /dev/memory_bandwith and /dev/vhci. Thanks ssekidde |
|
Resolves:#1210237 |
|
- Allow apcupsd_t to read /sys/devices |
|
Resolves:#1189185 |
|
- Allow logrotate to reload services. |
|
Resolves: #1242453 |
|
- Allow openhpid use libwatchdog plugin. (Allow openhpid_t rw watchdog device) |
|
Resolves: #1244260 |
|
- Allow openhpid liboa_soap plugin to read generic certs. |
|
Resolves: #1244248 |
|
- Allow openhpid liboa_soap plugin to read resolv.conf file. |
|
Resolves: #1244248 |
|
- Label /usr/libexec/chrony-helper as chronyd_exec_t |
|
- Allow chronyd_t to read dhcpc state. |
|
- Allow chronyd to execute mkdir command. |
|
|
|
* Fri Aug 07 2015 Miroslav Grepl <mgrepl@redhat.com> 3.13.1-39 |
|
- Allow mdadm to access /dev/random and add support to create own files/dirs as mdadm_tmpfs_t. |
|
Resolves:#1073314 |
|
- Allow udev, lvm and fsadm to access systemd-cat in /var/tmp/dracut if 'dracut -fv' is executed in MLS. |
|
- Allow admin SELinu users to communicate with kernel_t. It is needed to access /run/systemd/journal/stdout if 'dracut -vf' is executed. We allow it for other SELinux users. |
|
- Allow sysadm to execute systemd-sysctl in the sysadm_t domain. It is needed for ifup command in MLS mode. |
|
- Add fstools_filetrans_named_content_fsadm() and call it for named_filetrans_domain domains. We need to be sure that /run/blkid is created with correct labeling. |
|
Resolves:#1183503 |
|
- Add support for /etc/sanlock which is writable by sanlock daemon. |
|
Resolves:#1231377 |
|
- Allow useradd add homedir located in /var/lib/kdcproxy in ipa-server RPM scriplet. |
|
Resolves:#1243775 |
|
- Allow snapperd to pass data (one way only) via pipe negotiated over dbus |
|
Resolves:#1250550 |
|
- Allow lsmd also setuid capability. Some commands need to executed under root privs. Other commands are executed under unprivileged user. |
|
|
|
* Wed Aug 05 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-38 |
|
- Allow openhpid to use libsnmp_bc plugin (allow read snmp lib files). |
|
Resolves: #1243902 |
|
- Allow lsm_plugin_t to read sysfs, read hwdata, rw to scsi_generic_device |
|
Resolves: #1238079 |
|
- Allow lsm_plugin_t to rw raw_fixed_disk. |
|
Resolves:#1238079 |
|
- Allow rhsmcertd to send signull to unconfined_service. |
|
|
|
* Thu Aug 03 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-37 |
|
- Allow httpd_suexec_t to read and write Apache stream sockets |
|
Resolves: #1243569 |
|
- Allow qpid to create lnk_files in qpid_var_lib_t |
|
Resolves: #1247279 |
|
* Thu Jul 30 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-36 |
|
- Allow drbd to get attributes from filesystems. |
|
- Allow redis to read kernel parameters. |
|
Resolves: #1209518 |
|
- Allow virt_qemu_ga_t domtrans to passwd_t |
|
- Allow audisp_remote_t to start power unit files domain to allow halt system. |
|
Resolves: #1186780 |
|
- Allow audisp_remote_t to read/write user domain pty. |
|
Resolves: #1186780 |
|
- Label /usr/sbin/chpasswd as passwd_exec_t. |
|
- Allow sysadm to administrate ldap environment and allow to bind ldap port to allow to setup an LDAP server (389ds). |
|
Resolves:#1221121 |
|
|
|
* Mon Jul 27 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-35 |
|
- gnome_dontaudit_search_config() needs to be a part of optinal_policy in pegasus.te |
|
- Allow pcp_pmcd daemon to read postfix config files. |
|
- Allow pcp_pmcd daemon to search postfix spool dirs. |
|
Resolves: #1213740 |
|
- Added Booleans: pcp_read_generic_logs. |
|
Resolves: #1213740 |
|
- Allow drbd to read configuration options used when loading modules. |
|
Resolves: #1134883 |
|
- Allow glusterd to manage nfsd and rpcd services. |
|
- Allow glusterd to communicate with cluster domains over stream socket. |
|
- glusterd call pcs utility which calls find for cib.* files and runs pstree under glusterd. Dontaudit access to security files and update gluster boolean to reflect these changes. |
|
|
|
* Mon Jul 20 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-34 |
|
- Allow glusterd to manage nfsd and rpcd services. |
|
- Allow networkmanager to communicate via dbus with systemd_hostanmed. |
|
Resolves: #1234954 |
|
- Allow stream connect logrotate to prosody. |
|
- Add prosody_stream_connect() interface. |
|
- httpd should be able to send signal/signull to httpd_suexec_t, instead of httpd_suexec_exec_t. |
|
- Allow prosody to create own tmp files/dirs. |
|
Resolves:#1212498 |
|
|
|
* Wed Jul 15 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-33 |
|
- Allow networkmanager read rfcomm port. |
|
Resolves:#1212498 |
|
- Remove non exists label. |
|
- Fix *_admin intefaces where body is not consistent with header. |
|
- Label /usr/afs/ as afs_files_t, Allow afs_bosserver_t create afs_config_t and afs_dbdir_t dirs under afs_files_t, Allow afs_bosserver_t read kerberos config |
|
- Remove non exits nfsd_ro_t label. |
|
- Make all interfaces related to openshift_cache_t as deprecated. |
|
- Add rpm_var_run_t label to rpm_admin header |
|
- Add jabberd_lock_t label to jabberd_admin header. |
|
- Add samba_unconfined_script_exec_t to samba_admin header. |
|
- inn daemon should create innd_log_t objects in var_log_t instead of innd_var_run_t |
|
- Fix ctdb policy |
|
- Add samba_signull_winbind() |
|
- Add samba_signull_unconfined_net() |
|
- Allow ctdbd_t send signull to samba_unconfined_net_t. |
|
- Allow openshift_initrc_t to communicate with firewalld over dbus |
|
Resolves:#1221326 |
|
|
|
* Tue Jul 14 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-32 |
|
- Allow gluster to connect to all ports. It is required by random services executed by gluster. |
|
- Add interfaces winbind_signull(), samba_unconfined_net_signull(). |
|
- Dontaudit smbd_t block_suspend capability. This is kernel bug. |
|
- Allow ctdbd sending signull to process winbind, samba_unconfined_net, to |
|
checking if processes exists. |
|
- Add tmpreaper booleans to use nfs_t and samba_share_t. |
|
- Fix path from /usr/sbin/redis-server to /usr/bin/redis-server |
|
- Allow connect ypserv to portmap_port_t |
|
- Fix paths in inn policy, Allow innd read innd_log_t dirs, Allow innd execute innd_etc_t files |
|
- Add support for openstack-nova-* packages |
|
- Allow NetworkManager_t send signull to dnssec_trigger_t. |
|
- Allow glusterd to execute showmount in the showmount domain. |
|
- Label swift-container-reconciler binary as swift_t. |
|
- Allow dnssec_trigger_t relabelfrom dnssec_trigger_var_run_t files. |
|
- Add cobbler_var_lib_t to "/var/lib/tftpboot/boot(/.*)?" |
|
Resolves:#1213540 |
|
- Merge all nova_* labels under one nova_t. |
|
|
|
* Wed Jul 8 2015 Miroslav Grepl <mgrepl@redhat.com> 3.13.1-31 |
|
- Add logging_syslogd_run_nagios_plugins boolean for rsyslog to allow transition to nagios unconfined plugins |
|
Resolves:#1233550 |
|
- Allow dnssec_trigger_t create dnssec_trigger_tmp_t files in /var/tmp/ |
|
- Add support for oddjob based helper in FreeIPA. |
|
- Add new boolean - httpd_run_ipa to allow httpd process to run IPA helper and dbus chat with oddjob. |
|
- Add nagios_domtrans_unconfined_plugins() interface. |
|
- Update mta_filetrans_named_content() interface to cover more db files. |
|
Resolves:#1167468 |
|
- Add back ftpd_use_passive_mode boolean with fixed description. |
|
- Allow pmcd daemon stream connect to mysqld. |
|
- Allow pcp domains to connect to own process using unix_stream_socket. |
|
Resolves:#1213709 |
|
- Allow abrt-upload-watch service to dbus chat with ABRT daemon and fsetid capability to allow run reporter-upload correctly. |
|
- Add new boolean - httpd_run_ipa to allow httpd process to run IPA helper and dbus chat with oddjob. |
|
- Add support for oddjob based helper in FreeIPA. |
|
- Allow dnssec_trigger_t create dnssec_trigger_tmp_t files in /var/tmp/ |
|
|
|
|
|
* Thu Jul 2 2015 Miroslav Grepl <mgrepl@redhat.com> 3.13.1-30 |
|
- Allow iptables to read ctdbd lib files. |
|
Resolves:#1224879 |
|
- Add systemd_networkd_t to nsswitch domains. |
|
- Allow drbd_t write to fixed_disk_device. Reason: drbdmeta needs write to fixed_disk_device during initialization. |
|
Resolves:#1130675 |
|
- Allow NetworkManager write to sysfs. |
|
- Fix cron_system_cronjob_use_shares boolean to call fs interfaces which contain only entrypoint permission. |
|
- Add cron_system_cronjob_use_shares boolean to allow system cronjob to be executed from shares - NFS, CIFS, FUSE. It requires "entrypoint" permissios on nfs_t, cifs_t and fusefs_t SELinux types. |
|
- Allow NetworkManager write to sysfs. |
|
- Allow ctdb_t sending signull to smbd_t, for checking if smbd process exists. |
|
- Dontaudit apache to manage snmpd_var_lib_t files/dirs. |
|
- Add interface snmp_dontaudit_manage_snmp_var_lib_files(). |
|
- Dontaudit mozilla_plugin_t cap. sys_ptrace. |
|
- Rename xodbc-connect port to xodbc_connect |
|
- Allow ovsdb-server to connect on xodbc-connect and ovsdb tcp ports. |
|
- Allow iscsid write to fifo file kdumpctl_tmp_t. Appears when kdump generates the initramfs during the kernel boot. |
|
- Dontaudit chrome to read passwd file. |
|
- nrpe needs kill capability to make gluster moniterd nodes working. |
|
Resolves:#1235587 |
|
|
|
* Wed Jun 17 2015 Miroslav Grepl <mgrepl@redhat.com> 3.13.1-29 |
|
- We allow can_exec() on ssh_keygen on gluster. But there is a transition defined by init_initrc_domain() because we need to allow execute unconfined services by glusterd. So ssh-keygen ends up with ssh_keygen_t and we need to allow to manage /var/lib/glusterd/geo-replication/secret.pem. |
|
- Allow sshd to execute gnome-keyring if there is configured pam_gnome_keyring.so. |
|
- Allow gnome-keyring executed by passwd to access /run/user/UID/keyring to change a password. |
|
- Label gluster python hooks also as bin_t. |
|
- Allow glusterd to interact with gluster tools running in a user domain |
|
- Add glusterd_manage_lib_files() interface. |
|
- ntop reads /var/lib/ntop/macPrefix.db and it needs dac_override. It has setuid/setgid. |
|
- Allow samba_t net_admin capability to make CIFS mount working. |
|
- S30samba-start gluster hooks wants to search audit logs. Dontaudit it. |
|
Resolves:#1224879 |
|
|
|
* Mon Jun 15 2015 Miroslav Grepl <mgrepl@redhat.com> 3.13.1-28 |
|
- Allow glusterd to send generic signals to systemd_passwd_agent processes. |
|
- Allow glusterd to access init scripts/units without defined policy |
|
- Allow glusterd to run init scripts. |
|
- Allow glusterd to execute /usr/sbin/xfs_dbin glusterd_t domain. |
|
Resolves:#1224879 |
|
|
|
* Fri Jun 12 2015 Miroslav Grepl <mgrepl@redhat.com> 3.13.1-27 |
|
- Calling cron_system_entry() in pcp_domain_template needs to be a part of optional_policy block. |
|
- Allow samba-net to access /var/lib/ctdbd dirs/files. |
|
- Allow glusterd to send a signal to smbd. |
|
- Make ctdbd as home manager to access also FUSE. |
|
- Allow glusterd to use geo-replication gluster tool. |
|
- Allow glusterd to execute ssh-keygen. |
|
- Allow glusterd to interact with cluster services. |
|
- Allow glusterd to connect to the system DBUS for service (acquire_svc). |
|
- Label /dev/log correctly. |
|
Resolves:#1230932 |
|
|
|
* Tue Jun 9 2015 Miroslav Grepl <mgrepl@redhat.com> 3.13.1-26 |
|
- Back port the latest F22 changes to RHEL7. It should fix most of RHEL7.2 bugs |
|
- Add cgdcbxd policy |
|
Resolves:#1072493 |
|
- Fix ftp_homedir boolean |
|
Resolve:#1097775 |
|
- Dontaudit ifconfig writing inhertited /var/log/pluto.log. |
|
- Allow cluster domain to dbus chat with systemd-logind. |
|
Resolves:#1145215 |
|
- Dontaudit write access to inherited kdumpctl tmp files |
|
Resolves:#1156442 |
|
- Allow isnsd_t to communicate with sssd |
|
Resolves:#1167702 |
|
- Allow rwho_t to communicate with sssd |
|
Resolves:#1167718 |
|
- Allow sblim_gatherd_t to communicate with sssd |
|
Resolves:#1167732 |
|
- Allow pkcs_slotd_t to communicate with sssd |
|
Resolves:#1167737 |
|
- Allow openvswitch_t to communicate with sssd |
|
Resolves:#1167816 |
|
- Allow mysqld_safe_t to communicate with sssd |
|
Resolves:#1167832 |
|
- Allow sshd_keygen_t to communicate with sssd |
|
Resolves:#1167840 |
|
- Add support for iprdbg logging files in /var/log. |
|
Resolves:#1174363 |
|
- Allow tmpreaper_t to manage ntp log content |
|
Resolves:#1176965 |
|
- Allow gssd_t to manage ssh keyring |
|
Resolves:#1184791 |
|
- Allow httpd_sys_script_t to send system log messages |
|
Resolves:#1185231 |
|
- Allow apcupsd_t to read /sys/devices |
|
Resolves:#1189185 |
|
- Allow dovecot_t sys_resource capability |
|
Resolves:#1191143 |
|
- Add support for mongod/mongos systemd unit files. |
|
Resolves:#1197038 |
|
- Add bacula fixes |
|
- Added label mysqld_etc_t for /etc/my.cnf.d/ dir. |
|
Resolves:#1203991 |
|
|
|
* Thu May 14 2015 Miroslav Grepl <mgrepl@redhat.com> 3.13.1-25 |
|
- Label /usr/libexec/postgresql-ctl as postgresql_exec_t. |
|
- Add more restriction on entrypoint for unconfined domains. |
|
- Only allow semanage_t to be able to setenforce 0, no all domains that use selinux_semanage interface |
|
- Allow all domains to read /dev/urandom. It is needed by all apps/services linked to libgcrypt. There is no harm to allow it by default. |
|
- Update policy/mls for sockets related to access perm. Rules were contradictory. |
|
- Add nagios_run_pnp4nagios and nagios_run_sudo booleans to allow r |
|
un sudo from NRPE utils scripts and allow run nagios in conjunction w |
|
ith PNP4Nagios. |
|
Resolves:#1201054 |
|
- Don't use deprecated userdom_manage_tmpfs_role() interface calliing and use userdom_manage_tmp_role() instead. |
|
- Update virt_read_pid_files() interface to allow read also symlinks with virt_var_run_t type |
|
- Label /var/lib/tftpboot/aarch64(/.*)? and /var/lib/tftpboot/images2(/.*)? |
|
- Add support for iprdbg logging files in /var/log. |
|
- Add fixes to rhsmcertd_t |
|
- Allow puppetagent_t to transfer firewalld messages over dbus |
|
- Add support for /usr/libexec/mongodb-scl-helper RHSCL helper script. |
|
- Added label mysqld_etc_t for /etc/my.cnf.d/ dir. |
|
- Add support for mongod/mongos systemd unit files. |
|
- cloudinit and rhsmcertd need to communicate with dbus |
|
- Allow dovecot_t sys_resource capability |
|
|
|
* Tue Mar 31 2015 Miroslav Grepl <mgrepl@redhat.com> 3.13.1-24 |
|
- ALlow mongod execmem by default. |
|
- Update policy/mls for sockets. Rules were contradictory. |
|
Resolves:#1207133 |
|
- Allow a user to login with different security level via ssh. |
|
|
|
* Wed Jan 30 2015 Miroslav Grepl <mgrepl@redhat.com> 3.13.1-23 |
|
- Update seutil_manage_config() interface. |
|
Resolves:#1185962 |
|
- Allow pki-tomcat relabel pki_tomcat_etc_rw_t. |
|
- Turn on docker_transition_unconfined by default |
|
|
|
* Wed Jan 28 2015 Miroslav Grepl <mgrepl@redhat.com> 3.13.1-22 |
|
- Allow virtd to list all mountpoints. |
|
Resolves:#1180713 |
|
|
|
* Wed Jan 28 2015 Miroslav Grepl <mgrepl@redhat.com> 3.13.1-21 |
|
- pkcsslotd_lock_t should be an alias for pkcs_slotd_lock_t. |
|
- Allow fowner capability for sssd because of selinux_child handling. |
|
- ALlow bind to read/write inherited ipsec pipes |
|
- Allow hypervkvp to read /dev/urandom and read addition states/config files. |
|
- Allow gluster rpm scripletto create glusterd socket with correct labeling. This is a workaround until we get fix in glusterd. |
|
- Add glusterd_filetrans_named_pid() interface |
|
- Allow radiusd to connect to radsec ports. |
|
- Allow setuid/setgid for selinux_child |
|
- Allow lsmd plugin to connect to tcp/5988 by default. |
|
- Allow lsmd plugin to connect to tcp/5989 by default. |
|
- Update ipsec_manage_pid() interface. |
|
Resolves:#1184978 |
|
|
|
* Wed Jan 23 2015 Miroslav Grepl <mgrepl@redhat.com> 3.13.1-20 |
|
- Update ipsec_manage_pid() interface. |
|
Resolves:#1184978 |
|
|
|
* Wed Jan 21 2015 Miroslav Grepl <mgrepl@redhat.com> 3.13.1-19 |
|
- Allow ntlm_auth running in winbind_helper_t to access /dev/urandom. |
|
|
|
* Wed Jan 21 2015 Miroslav Grepl <mgrepl@redhat.com> 3.13.1-18 |
|
- Add auditing support for ipsec. |
|
Resolves:#1182524 |
|
- Label /ostree/deploy/rhel-atomic-host/deploy directory as system_conf_t |
|
- Allow netutils chown capability to make tcpdump working with -w |
|
|
|
* Tue Jan 20 2015 Miroslav Grepl <mgrepl@redhat.com> 3.13.1-17 |
|
- Allow ipsec to execute _updown.netkey script to run unbound-control. |
|
- Allow neutron to read rpm DB. |
|
- Add additional fixes for hyperkvp |
|
* creates new ifcfg-{name} file |
|
* Runs hv_set_ifconfig.sh, which does the following |
|
* Copies ifcfg-{name} to /etc/sysconfig/network-scripts |
|
- Allow svirt to read symbolic links in /sys/fs/cgroups labeled as tmpfs_t |
|
- Add labeling for pacemaker.log. |
|
- Allow radius to connect/bind radsec ports. |
|
- Allow pm-suspend running as virt_qemu_ga to read /var/log/pm-suspend.log |
|
- Allow virt_qemu_ga to dbus chat with rpm. |
|
- Update virt_read_content() interface to allow read also char devices. |
|
- Allow glance-registry to connect to keystone port. |
|
Resolves:#1181818 |
|
|
|
* Mon Jan 12 2015 Miroslav Grepl <mgrepl@redhat.com> 3.13.1-16 |
|
- Allow sssd to send dbus all user domains. |
|
Resolves:#1172291 |
|
- Allow lsm plugin to read certificates. |
|
- Fix labeling for keystone CGI scripts. |
|
- Make snapperd back as unconfined domain. |
|
|
|
* Fri Jan 9 2015 Miroslav Grepl <mgrepl@redhat.com> 3.13.1-15 |
|
- Fix bugs in interfaces discovered by sepolicy. |
|
- Allow slapd to read /usr/share/cracklib/pw_dict.hwm. |
|
- Allow lsm plugins to connect to tcp/18700 by default. |
|
- Allow brltty mknod capability to allow create /var/run/brltty/vcsa. |
|
- Fix pcp_domain_template() interface. |
|
- Fix conman.te. |
|
- Allow mon_fsstatd to read /proc/sys/fs/binfmt_misc |
|
- Allow glance-scrubber to connect tcp/9191. |
|
- Add missing setuid capability for sblim-sfcbd. |
|
- Allow pegasus ioctl() on providers. |
|
- Add conman_can_network. |
|
- Allow chronyd to read chrony conf files located in /run/timemaster/. |
|
- Allow radius to bind on tcp/1813 port. |
|
- dontaudit block suspend access for openvpn_t |
|
- Allow conman to create files/dirs in /tmp. |
|
- Update xserver_rw_xdm_keys() interface to have 'setattr'. |
|
Resolves:#1172291 |
|
- Allow sulogin to read /dev/urandom and /dev/random. |
|
- Update radius port definition to have also tcp/18121 |
|
- Label prandom as random_device_t. |
|
- Allow charon to manage files in /etc/strongimcv labeled as ipsec_conf_t. |
|
|
|
* Fri Dec 12 2014 Miroslav Grepl <mgrepl@redhat.com> 3.13.1-14 |
|
- Allow virt_qemu_ga_t to execute kmod. |
|
- Add missing files_dontaudit_list_security_dirs() for smbd_t in samba_export_all_ro boolean. |
|
- Add additionnal MLS attribute for oddjob_mkhomedir to create homedirs. |
|
Resolves:#1113725 |
|
- Enable OpenStack cinder policy |
|
- Add support for /usr/share/vdsm/daemonAdapter |
|
- Add support for /var/run/gluster |
|
|
|
* Tue Dec 2 2014 Miroslav Grepl <mgrepl@redhat.com> 3.13.1-13 |
|
- Remove old pkcsslotd.pp from minimum package |
|
- Allow rlogind to use also rlogin ports. |
|
- Add support for /usr/libexec/ntpdate-wrapper. Label it as ntpdate_exec_t. |
|
- Allow bacula to connect also to postgresql. |
|
- Label /usr/libexec/tomcat/server as tomcat_exec_t |
|
- Add support for /usr/sbin/ctdbd_wrapper |
|
- Add support for /usr/libexec/ppc64-diag/rtas_errd |
|
- Allow rpm_script_roles to access system_mail_t |
|
- Allow brltty to create /var/run/brltty |
|
- Allow lsmd plugin to access netlink_route_socket |
|
- Allow smbcontrol to read passwd |
|
- Add support for /usr/libexec/sssd/selinux_child and create sssd_selinux_manager_t domain for it |
|
Resolves:#1140106 |
|
- Allow osad to execute rhn_check |
|
- Allow load_policy to rw inherited sssd pipes because of selinux_child |
|
- Allow admin SELinux users mounting / as private within a new mount namespace as root in MLS |
|
- Add additional fixes for su_restricted_domain_template to make moving to sysadm_r and trying to su working correctly |
|
- Add additional booleans substitions |
|
|
|
* Tue Nov 25 2014 Miroslav Grepl <mgrepl@redhat.com> 3.13.1-12 |
|
- Add seutil_dontaudit_access_check_semanage_module_store() interface |
|
Resolves:#1140106 |
|
- Update to have all _systemctl() interface also init_reload_services(). |
|
- Dontaudit access check on SELinux module store for sssd. |
|
- Add labeling for /sbin/iw. |
|
- Allow named_filetrans_domain to create ibus directory with correct labeling. |
|
|
|
* Mon Nov 24 2014 Miroslav Grepl <mgrepl@redhat.com> 3.13.1-11 |
|
- Allow radius to bind tcp/1812 radius port. |
|
- Dontaudit list user_tmp files for system_mail_t. |
|
- Label virt-who as virtd_exec_t. |
|
- Allow rhsmcertd to send a null signal to virt-who running as virtd_t. |
|
- Add missing alias for _content_rw_t. |
|
Resolves:#1089177 |
|
- Allow spamd to access razor-agent.log. |
|
- Add fixes for sfcb from libvirt-cim TestOnly bug. |
|
- Allow NetworkManager stream connect on openvpn. |
|
- Make /usr/bin/vncserver running as unconfined_service_t. |
|
- getty_t should be ranged in MLS. Then also local_login_t runs as ranged domain. |
|
- Label /etc/docker/certs.d as cert_t. |
|
|
|
* Tue Nov 18 2014 Miroslav Grepl <mgrepl@redhat.com> 3.13.1-10 |
|
- Label /etc/strongimcv as ipsec_conf_file_t. |
|
- Add support for /usr/bin/start-puppet-ca helper script |
|
Resolves:#1160727 |
|
- Allow rpm scripts to enable/disable transient systemd units. |
|
Resolves:#1154613 |
|
- Make kpropdas nsswitch domain |
|
Resolves:#1153561 |
|
- Make all glance domain as nsswitch domains |
|
Resolves:#1113281 |
|
- Allow selinux_child running as sssd access check on /etc/selinux/targeted/modules/active |
|
- Allow access checks on setfiles/load_policy/semanage_lock for selinux_child running as sssd_t |
|
Resolves:#1140106 |
|
|
|
* Mon Nov 10 2014 Miroslav Grepl <mgrepl@redhat.com> 3.13.1-9 |
|
- Dontaudit access check on setfiles/load_policy for sssd_t. |
|
Resolves:#1140106 |
|
- Add kdump_rw_inherited_kdumpctl_tmp_pipes() |
|
Resolves:#1156442 |
|
- Make linuxptp services as unconfined. |
|
- Added new policy linuxptp. |
|
Resolves:#1149693 |
|
- Label keystone cgi files as keystone_cgi_script_exec_t. |
|
Resolves:#1138424 |
|
- Make tuned as unconfined domain |
|
|
|
* Thu Nov 6 2014 Miroslav Grepl <mgrepl@redhat.com> 3.13.1-8 |
|
- Allow guest to connect to libvirt using unix_stream_socket. |
|
- Allow all bus client domains to dbus chat with unconfined_service_t. |
|
- Allow inetd service without own policy to run in inetd_child_t which is unconfined domain. |
|
- Make opensm as nsswitch domain to make it working with sssd. |
|
- Allow brctl to read meminfo. |
|
- Allow winbind-helper to execute ntlm_auth in the caller domain. |
|
Resolves:#1160339 |
|
- Make plymouthd as nsswitch domain to make it working with sssd. |
|
Resolves:#1160196 |
|
- Make drbd as nsswitch domain to make it working with sssd. |
|
- Make conman as nsswitch domain to make ipmitool.exp runing as conman_t working. |
|
- Add support for /var/lib/sntp directory. |
|
- Add fixes to allow docker to create more content in tmpfs ,and donaudit reading /proc |
|
- Allow winbind to read usermodehelper |
|
- Allow telepathy domains to execute shells and bin_t |
|
- Allow gpgdomains to create netlink_kobject_uevent_sockets |
|
- Allow mongodb to bind to the mongo port and mongos to run as mongod_t |
|
- Allow abrt to read software raid state. |
|
- Allow nslcd to execute netstat. |
|
- Allow dovecot to create user's home directory when they log into IMAP. |
|
- Allow login domains to create kernel keyring with different level. |
|
|
|
* Mon Nov 3 2014 Miroslav Grepl <mgrepl@redhat.com> 3.13.1-7 |
|
- Allow modemmanger to connectto itself |
|
Resolves:#1120152 |
|
- Allow pki_tomcat to create link files in /var/lib/pki-ca. |
|
Resolves:#1121744 |
|
- varnishd needs to have fsetid capability |
|
Resolves:#1125165 |
|
- Allow snapperd to dbus chat with system cron jobs. |
|
Resolves:#1152447 |
|
- Allow dovecot to create user's home directory when they log into IMAP |
|
Resolves:#1152773 |
|
- Add labeling for /usr/sbin/haproxy-systemd-wrapper wrapper to make haproxy running haproxy_t. |
|
- ALlow listen and accept on tcp socket for init_t in MLS. Previously it was for xinetd_t. |
|
- Allow nslcd to execute netstat. |
|
- Add suppor for keepalived unconfined scripts and allow keepalived to read all domain state and kill capability. |
|
- Allow nslcd to read /dev/urandom. |
|
|
|
* Thu Oct 16 2014 Miroslav Grepl <mgrepl@redhat.com> 3.13.1-6 |
|
- Add back kill permisiion for system class |
|
Resolves:#1150011 |
|
|
|
* Wed Oct 15 2014 Miroslav Grepl <mgrepl@redhat.com> 3.13.1-5 |
|
- Add back kill permisiion for service class |
|
Resolves:#1150011 |
|
- Make rhsmcertd_t also as dbus domain. |
|
- Allow named to create DNS_25 with correct labeling. |
|
- Add cloudform_dontaudit_write_cloud_log() |
|
- Call auth_use_nsswitch to apache to read/write cloud-init keys. |
|
- Allow cloud-init to dbus chat with certmonger. |
|
- Fix path to mon_statd_initrc_t script. |
|
- Allow all RHCS services to read system state. |
|
- Allow dnssec_trigger_t to execute unbound-control in own domain. |
|
- kernel_read_system_state needs to be called with type. Moved it to antivirus.if. |
|
- Added policy for mon_statd and mon_procd services. BZ (1077821) |
|
- Allow opensm_t to read/write /dev/infiniband/umad1. |
|
- Allow mongodb to manage own log files. |
|
- Allow neutron connections to system dbus. |
|
- Add support for /var/lib/swiftdirectory. |
|
- Allow nova-scheduler to read certs. |
|
- Allow openvpn to access /sys/fs/cgroup dir. |
|
- Allow openvpn to execute systemd-passwd-agent in systemd_passwd_agent_t to make openvpn working with systemd. |
|
- Fix samba_export_all_ro/samba_export_all_rw booleans to dontaudit search/read security files. |
|
- Add auth_use_nsswitch for portreserve to make it working with sssd. |
|
- automount policy is non-base module so it needs to be called in optional block. |
|
- ALlow sensord to getattr on sysfs. |
|
- Label /usr/share/corosync/corosync as cluster_exec_t. |
|
- Allow lmsd_plugin to read passwd file. BZ(1093733) |
|
- Allow read antivirus domain all kernel sysctls. |
|
- Allow mandb to getattr on file systems |
|
- Allow nova-console to connect to mem_cache port. |
|
- Make sosreport as unconfined domain. |
|
- Allow mondogdb to 'accept' accesses on the tcp_socket port. |
|
- ALlow sanlock to send a signal to virtd_t. |
|
|
|
* Thu Oct 9 2014 Miroslav Grepl <mgrepl@redhat.com> 3.13.1-4 |
|
- Build also MLS policy |
|
Resolves:#1138424 |
|
|
|
* Thu Oct 9 2014 Miroslav Grepl <mgrepl@redhat.com> 3.13.1-3 |
|
- Add back kill permisiion for system class |
|
- Allow iptables read fail2ban logs. |
|
- Fix radius labeled ports |
|
- Add userdom_manage_user_tmpfs_files interface |
|
- Allow libreswan to connect to VPN via NM-libreswan. |
|
- Label 4101 tcp port as brlp port |
|
- fix dev_getattr_generic_usb_dev interface |
|
- Allow all domains to read fonts |
|
- Make sure /run/systemd/generator and system is labeled correctly on creation. |
|
- Dontaudit aicuu to search home config dir. |
|
- Make keystone_cgi_script_t domain. |
|
Resolves:#1138424 |
|
- Fix bug in drbd policy, |
|
- Added support for cpuplug. |
|
- ALlow sanlock_t to read sysfs_t. |
|
- Added sendmail_domtrans_unconfined interface |
|
- Fix broken interfaces |
|
- radiusd wants to write own log files. |
|
- Label /usr/libexec/rhsmd as rhsmcertd_exec_t |
|
- Allow rhsmcertd send signull to setroubleshoot. |
|
- Allow rhsmcertd manage rpm db. |
|
- Added policy for blrtty. |
|
- Fix keepalived policy |
|
- Allow rhev-agentd dbus chat with systemd-logind. |
|
- Allow keepalived manage snmp var lib sock files. |
|
- Add support for /var/lib/graphite-web |
|
- Allow NetworkManager to create Bluetooth SDP sockets |
|
- It's going to do the the discovery for DUN service for modems with Bluez 5. |
|
- Allow swift to connect to all ephemeral ports by default. |
|
- Allow sssd to read selinux config to add SELinux user mapping. |
|
- Allow lsmd to search own plguins. |
|
- Allow abrt to read /dev/memto generate an unique machine_id and uses sosuploader's algorithm based off dmidecode[1] fields. |
|
- ALlow zebra for user/group look-ups. |
|
- Allow nova domains to getattr on all filesystems. |
|
- Allow collectd sys_ptrace and dac_override caps because of reading of /proc/%i/io for several processes. |
|
- Allow pppd to connect to /run/sstpc/sstpc-nm-sstp-service-28025 over unix stream socket. |
|
- Allow rhnsd_t to manage also rhnsd config symlinks. |
|
- ALlow user mail domains to create dead.letter. |
|
- Allow rabbitmq_t read rabbitmq_var_lib_t lnk files. |
|
- Allow pki-tomcat to change SELinux object identity. |
|
- Allow radious to connect to apache ports to do OCSP check |
|
- Allow git cgi scripts to create content in /tmp |
|
- Allow cockpit-session to do GSSAPI logins. |
|
- Allow sensord read in /proc |
|
- Additional access required by usbmuxd |
|
|
|
* Thu Sep 18 2014 Miroslav Grepl <mgrepl@redhat.com> 3.13.1-2 |
|
- Allow locate to look at files/directories without labels, and chr_file and blk_file on non dev file systems |
|
- Label /usr/lib/erlang/erts.*/bin files as bin_t |
|
- Add files_dontaudit_access_check_home_dir() inteface. |
|
- Allow udev_t mounton udev_var_run_t dirs #(1128618) |
|
- Add systemd_networkd_var_run_t labeling for /var/run/systemd/netif and allow systemd-networkd to manage it. |
|
- Add init_dontaudit_read_state() interface. |
|
- Add label for ~/.local/share/fonts |
|
- Allow unconfined_r to access unconfined_service_t. |
|
- Allow init to read all config files |
|
- Add new interface to allow creation of file with lib_t type |
|
- Assign rabbitmq port. |
|
- Allow unconfined_service_t to dbus chat with all dbus domains |
|
- Add new interfaces to access users keys. |
|
- Allow domains to are allowed to mounton proc to mount on files as well as dirs |
|
- Fix labeling for HOME_DIR/tmp and HOME_DIR/.tmp directories. |
|
- Add a port definition for shellinaboxd |
|
- Label ~/tmp and ~/.tmp directories in user tmp dirs as user_tmp_t |
|
- Allow userdomains to stream connect to pcscd for smart cards |
|
- Allow programs to use pam to search through user_tmp_t dires (/tmp/.X11-unix) |
|
- Update to rawhide-contrib changes |
|
Resolves:#1123844 |
|
|
|
* Thu Aug 21 2014 Miroslav Grepl <mgrepl@redhat.com> 3.13.1-1 |
|
- Rebase to 3.13.1 which we have in Fedora21 |
|
Resolves:#1128284 |
|
|
|
* Fri Jun 13 2014 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-156 |
|
- Back port fixes from Fedora. Mainly OpenStack and Docker fixes |
|
|
|
* Wed Jun 11 2014 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-155 |
|
- Add policy-rhel-7.1-{base,contrib} patches |
|
|
|
* Mon May 5 2014 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-154 |
|
- Add support for us_cli ports |
|
- Fix labeling for /var/run/user/<UID>/gvfs |
|
- add support for tcp/9697 |
|
- Additional rules required by openstack, needs backport to F20 and RHEL7 |
|
- Additional access required by docker |
|
- ALlow motion to use tcp/8082 port |
|
- Allow init_t to setattr/relabelfrom dhcp state files |
|
- Dontaudit antivirus domains read access on all security files by default |
|
- Add missing alias for old amavis_etc_t type |
|
- Allow block_suspend cap for haproxy |
|
- Additional fixes for instack overcloud |
|
- Allow OpenStack to read mysqld_db links and connect to MySQL |
|
- Remove dup filename rules in gnome.te |
|
- Allow sys_chroot cap for httpd_t and setattr on httpd_log_t |
|
- Allow iscsid to handle own unit files |
|
- Add iscsi_systemctl() |
|
- Allow mongod to create also sock_files in /run with correct labeling |
|
- Allow httpd to send signull to apache script domains and don't audit leaks |
|
- Allow rabbitmq_beam to connect to httpd port |
|
- Allow aiccu stream connect to pcscd |
|
- Allow dmesg to read hwdata and memory dev |
|
- Allow all freeipmi domains to read/write ipmi devices |
|
- Allow sblim_sfcbd to use also pegasus-https port |
|
- Allow rabbitmq_epmd to manage rabbit_var_log_t files |
|
- Allow chronyd to read /sys/class/hwmon/hwmon1/device/temp2_input |
|
- Allow docker to status any unit file and allow it to start generic unit files |
|
|
|
* Mon Apr 7 2014 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-153 |
|
- Change hsperfdata_root to have as user_tmp_t |
|
Resolves:#1076523 |
|
|
|
* Fri Apr 4 2014 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-152 |
|
- Fix Multiple same specifications for /var/named/chroot/dev/zero |
|
- Add labels for /var/named/chroot_sdb/dev devices |
|
- Add support for strongimcv |
|
- Use kerberos_keytab_domains in auth_use_nsswitch |
|
- Update auth_use_nsswitch to make all these types as kerberos_keytab_domain to |
|
- Allow net_raw cap for neutron_t and send sigkill to dnsmasq |
|
- Fix ntp_filetrans_named_content for sntp-kod file |
|
- Add httpd_dbus_sssd boolean |
|
- Dontaudit exec insmod in boinc policy |
|
- Rename kerberos_keytab_domain to kerberos_keytab_domains |
|
- Add kerberos_keytab_domain() |
|
- Fix kerberos_keytab_template() |
|
- Make all domains which use kerberos as kerberos_keytab_domain |
|
Resolves:#1083670 |
|
- Allow kill capability to winbind_t |
|
|
|
* Wed Apr 2 2014 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-151 |
|
- varnishd wants chown capability |
|
- update ntp_filetrans_named_content() interface |
|
- Add additional fixes for neutron_t. #1083335 |
|
- Dontaudit getattr on proc_kcore_t |
|
- Allow pki_tomcat_t to read ipa lib files |
|
- Allow named_filetrans_domain to create /var/cache/ibus with correct labelign |
|
- Allow init_t run /sbin/augenrules |
|
- Add dev_unmount_sysfs_fs and sysnet_manage_ifconfig_run interfaces |
|
- Allow unpriv SELinux user to use sandbox |
|
- Add default label for /tmp/hsperfdata_root |
|
|
|
* Tue Apr 1 2014 Miroslav Grepl<mgrepl@redhat.com> 3.12.1-149 |
|
- Add file subs also for /var/home |
|
|
|
* Mon Mar 31 2014 Miroslav Grepl<mgrepl@redhat.com> 3.12.1-149 |
|
- Allow xauth_t to read user_home_dir_t lnk_file |
|
- Add labeling for lightdm-data |
|
- Allow certmonger to manage ipa lib files |
|
- Add support for /var/lib/ipa |
|
- Allow pegasus to getattr virt_content |
|
- Added some new rules to pcp policy |
|
- Allow chrome_sandbox to execute config_home_t |
|
- Add support for ABRT FAF |
|
|
|
* Fri Mar 28 2014 Miroslav Grepl<mgrepl@redhat.com> 3.12.1-148 |
|
- Allow kdm to send signull to remote_login_t process |
|
- Add gear policy |
|
- Turn on gear_port_t |
|
- Allow cgit to read gitosis lib files by default |
|
- Allow vdagent to read xdm state |
|
- Allow NM and fcoeadm to talk together over unix_dgram_socket |
|
|
|
* Thu Mar 27 2014 Miroslav Grepl<mgrepl@redhat.com> 3.12.1-147 |
|
- Back port fixes for pegasus_openlmi_admin_t from rawhide |
|
Resolves:#1080973 |
|
- Add labels for ostree |
|
- Add SELinux awareness for NM |
|
- Label /usr/sbin/pwhistory_helper as updpwd_exec_t |
|
|
|
* Wed Mar 26 2014 Miroslav Grepl<mgrepl@redhat.com> 3.12.1-146 |
|
- add gnome_append_home_config() |
|
- Allow thumb to append GNOME config home files |
|
- Allow rasdaemon to rw /dev/cpu//msr |
|
- fix /var/log/pki file spec |
|
- make bacula_t as auth_nsswitch domain |
|
- Identify pki_tomcat_cert_t as a cert_type |
|
- Define speech-dispater_exec_t as an application executable |
|
- Add a new file context for /var/named/chroot/run directory |
|
- update storage_filetrans_all_named_dev for sg* devices |
|
- Allow auditctl_t to getattr on all removeable devices |
|
- Allow nsswitch_domains to stream connect to nmbd |
|
- Allow unprivusers to connect to memcached |
|
- label /var/lib/dirsrv/scripts-INSTANCE as bin_t |
|
|
|
* Mon Mar 24 2014 Miroslav Grepl<mgrepl@redhat.com> 3.12.1-145 |
|
- Allow also unpriv user to run vmtools |
|
- Allow secadm to read /dev/urandom and meminfo |
|
Resolves:#1079250 |
|
- Add booleans to allow docker processes to use nfs and samba |
|
- Add mdadm_tmpfs support |
|
- Dontaudit net_amdin for /usr/lib/jvm/java-1.7.0-openjdk-1.7.0.51-2.4.5.1.el7.x86_64/jre-abrt/bin/java running as pki_tomcat_t |
|
- Allow vmware-user-sui to use user ttys |
|
- Allow talk 2 users logged via console too |
|
- Allow ftp services to manage xferlog_t |
|
- Make all pcp domanis as unconfined for RHEL7.0 beucause of new policies |
|
- allow anaconda to dbus chat with systemd-localed |
|
|
|
* Fri Mar 21 2014 Miroslav Grepl<mgrepl@redhat.com> 3.12.1-144 |
|
- allow anaconda to dbus chat with systemd-localed |
|
- Add fixes for haproxy based on bperkins@redhat.com |
|
- Allow cmirrord to make dmsetup working |
|
- Allow NM to execute arping |
|
- Allow users to send messages through talk |
|
- Add userdom_tmp_role for secadm_t |
|
|
|
* Thu Mar 20 2014 Lukas Vrabec <lvrabec@redhat.com> 3.12.1-143 |
|
- Add additional fixes for rtas_errd |
|
- Fix transitions for tmp/tmpfs in rtas.te |
|
- Allow rtas_errd to readl all sysctls |
|
|
|
|
|
* Wed Mar 19 2014 Miroslav Grepl<mgrepl@redhat.com> 3.12.1-142 |
|
- Add support for /var/spool/rhsm/debug |
|
- Make virt_sandbox_use_audit as True by default |
|
- Allow svirt_sandbox_domains to ptrace themselves |
|
|
|
* Wed Mar 19 2014 Miroslav Grepl<mgrepl@redhat.com> 3.12.1-141 |
|
- Allow docker containers to manage /var/lib/docker content |
|
|
|
* Mon Mar 17 2014 Miroslav Grepl<mgrepl@redhat.com> 3.12.1-140 |
|
- Allow docker to read tmpfs_t symlinks |
|
- Allow sandbox svirt_lxc_net_t to talk to syslog and to sssd over stream sockets |
|
|
|
* Mon Mar 17 2014 Miroslav Grepl<mgrepl@redhat.com> 3.12.1-139 |
|
- Allow collectd to talk to libvirt |
|
- Allow chrome_sandbox to use leaked unix_stream_sockets |
|
- Dontaudit leaks of sockets into chrome_sandbox_t |
|
- If you create a cups directory in /var/cache then it should be labeled cups_rw_etc_t |
|
- Run vmtools as unconfined domains |
|
- Allow snort to manage its log files |
|
- Allow systemd_cronjob_t to be entered via bin_t |
|
- Allow procman to list doveconf_etc_t |
|
- allow keyring daemon to create content in tmpfs directories |
|
- Add proper labelling for icedtea-web |
|
- vpnc is creating content in networkmanager var run directory |
|
- Label sddm as xdm_exec_t to make KDE working again |
|
- Allow postgresql to read network state |
|
- Allow java running as pki_tomcat to read network sysctls |
|
- Fix cgroup.te to allow cgred to read cgconfig_etc_t |
|
- Allow beam.smp to use ephemeral ports |
|
- Allow winbind to use the nis to authenticate passwords |
|
|
|
* Fri Mar 14 2014 Lukas Vrabec <lvrabec@redhat.com> 3.12.1-138 |
|
- Make rtas_errd_t as unconfined domain for F20.It needs additional fixes. It runs rpm at least. |
|
- Allow net_admin cap for fence_virtd running as fenced_t |
|
- Make abrt-java-connector working |
|
- Make cimtest script 03_defineVS.py of ComputerSystem group working |
|
- Fix git_system_enable_homedirs boolean |
|
- Allow munin mail plugins to read network systcl |
|
|
|
* Thu Mar 13 2014 Miroslav Grepl<mgrepl@redhat.com> 3.12.1-137 |
|
- Allow vmtools_helper_t to execute bin_t |
|
- Add support for /usr/share/joomla |
|
- /var/lib/containers should be labeled as openshift content for now |
|
- Allow docker domains to talk to the login programs, to allow a process to login into the container |
|
- Allow install_t do dbus chat with NM |
|
- Fix interface names in anaconda.if |
|
- Add install_t for anaconda. A new type is a part of anaconda policy |
|
- sshd to read network sysctls |
|
|
|
* Wed Mar 12 2014 Miroslav Grepl<mgrepl@redhat.com> 3.12.1-136 |
|
- Allow zabbix to send system log msgs |
|
- Allow init_t to stream connect to ipsec |
|
Resolves:#1060775 |
|
|
|
* Tue Mar 11 2014 Miroslav Grepl<mgrepl@redhat.com> 3.12.1-135 |
|
- Add docker_connect_any boolean |
|
|
|
* Tue Mar 11 2014 Miroslav Grepl<mgrepl@redhat.com> 3.12.1-134 |
|
- Allow unpriv SELinux users to dbus chat with firewalld |
|
- Add lvm_write_metadata() |
|
- Label /etc/yum.reposd dir as system_conf_t. Should be safe because system_conf_t is base_ro_file_type |
|
- Allow pegasus_openlmi_storage_t to write lvm metadata |
|
- Add hide_broken_symptoms for kdumpgui because of systemd bug |
|
- Make kdumpgui_t as unconfined domain |
|
Resolves:#1044299 |
|
- Allow docker to connect to tcp/5000 |
|
|
|
* Mon Mar 10 2014 Miroslav Grepl<mgrepl@redhat.com> 3.12.1-133 |
|
- Allow numad to write scan_sleep_millisecs |
|
- Turn on entropyd_use_audio boolean by default |
|
- Allow cgred to read /etc/cgconfig.conf because it contains templates used together with rules from /etc/cgrules.conf. |
|
- Allow lscpu running as rhsmcertd_t to read /proc/sysinfo |
|
- Fix label on irclogs in the homedir |
|
- Allow kerberos_keytab_domain domains to manage keys until we get sssd fix |
|
- Allow postgresql to use ldap |
|
- Add missing syslog-conn port |
|
- Add support for /dev/vmcp and /dev/sclp |
|
Resolves:#1069310 |
|
|
|
* Fri Mar 7 2014 Miroslav Grepl<mgrepl@redhat.com> 3.12.1-132 |
|
- Modify xdm_write_home to allow create files/links in /root with xdm_home_ |
|
- Allow virt domains to read network state |
|
Resolves:#1072019 |
|
|
|
* Thu Mar 6 2014 Miroslav Grepl<mgrepl@redhat.com> 3.12.1-131 |
|
- Added pcp rules |
|
- dontaudit openshift_cron_t searching random directories, should be back ported to RHEL6 |
|
- clean up ctdb.te |
|
- Allow ctdbd to connect own ports |
|
- Fix samba_export_all_rw booleanto cover also non security dirs |
|
- Allow swift to exec rpm in swift_t and allow to create tmp files/dirs |
|
- Allow neutron to create /run/netns with correct labeling |
|
- Allow certmonger to list home dirs |
|
|
|
* Wed Mar 5 2014 Miroslav Grepl<mgrepl@redhat.com> 3.12.1-130 |
|
- Change userdom_use_user_inherited_ttys to userdom_use_user_ttys for systemd-tty-ask |
|
- Add sysnet_filetrans_named_content_ifconfig() interface |
|
- Allow ctdbd to connect own ports |
|
- Fix samba_export_all_rw booleanto cover also non security dirs |
|
- Allow swift to exec rpm in swift_t and allow to create tmp files/dirs |
|
- Allow neutron to create /run/netns with correct labeling |
|
- Allow kerberos keytab domains to manage sssd/userdomain keys" |
|
- Allow to run ip cmd in neutron_t domain |
|
|
|
* Mon Mar 3 2014 Miroslav Grepl<mgrepl@redhat.com> 3.12.1-129 |
|
- Allow block_suspend cap2 for systemd-logind and rw dri device |
|
- Add labeling for /usr/libexec/nm-libreswan-service |
|
- Allow locallogin to rw xdm key to make Virtual Terminal login providing smartcard pin working |
|
- Add xserver_rw_xdm_keys() |
|
- Allow rpm_script_t to dbus chat also with systemd-located |
|
- Fix ipa_stream_connect_otpd() |
|
- update lpd_manage_spool() interface |
|
- Allow krb5kdc to stream connect to ipa-otpd |
|
- Add ipa_stream_connect_otpd() interface |
|
- Allow vpnc to unlink NM pids |
|
- Add networkmanager_delete_pid_files() |
|
- Allow munin plugins to access unconfined plugins |
|
- update abrt_filetrans_named_content to cover /var/spool/debug |
|
- Label /var/spool/debug as abrt_var_cache_t |
|
- Allow rhsmcertd to connect to squid port |
|
- Make docker_transition_unconfined as optional boolean |
|
- Allow certmonger to list home dirs |
|
|
|
* Wed Feb 26 2014 Miroslav Grepl<mgrepl@redhat.com> 3.12.1-128 |
|
- Make snapperd as unconfined domain and add additional fixes for it |
|
- Remove nsplugin.pp module on upgrade |
|
|
|
* Tue Feb 25 2014 Miroslav Grepl<mgrepl@redhat.com> 3.12.1-127 |
|
- Add snapperd_home_t for HOME_DIR/.snapshots directory |
|
- Make sosreport as unconfined domain |
|
- Allow sosreport to execute grub2-probe |
|
- Allow NM to manage hostname config file |
|
- Allow systemd_timedated_t to dbus chat with rpm_script_t |
|
- Allow lsmd plugins to connect to http/ssh/http_cache ports by default |
|
- Add lsmd_plugin_connect_any boolean |
|
- Allow mozilla_plugin to attempt to set capabilities |
|
- Allow lsdm_plugins to use tcp_socket |
|
- Dontaudit mozilla plugin from getattr on /proc or /sys |
|
- Dontaudit use of the keyring by the services in a sandbox |
|
- Dontaudit attempts to sys_ptrace caused by running ps for mysqld_safe_t |
|
- Allow rabbitmq_beam to connect to jabber_interserver_port |
|
- Allow logwatch_mail_t to transition to qmail_inject and queueu |
|
- Added new rules to pcp policy |
|
- Allow vmtools_helper_t to change role to system_r |
|
- Allow NM to dbus chat with vmtools |
|
- Fix couchdb_manage_files() to allow manage couchdb conf files |
|
- Add support for /var/run/redis.sock |
|
- dontaudit gpg trying to use audit |
|
- Allow consolekit to create log directories and files |
|
- Fix vmtools policy to allow user roles to access vmtools_helper_t |
|
- Allow block_suspend cap2 for ipa-otpd |
|
- Allow pkcsslotd to read users state |
|
- Add ioctl to init_dontaudit_rw_stream_socket |
|
- Add systemd_hostnamed_manage_config() interface |
|
- Remove transition for temp dirs created by init_t |
|
- gdm-simple-slave uses use setsockopt |
|
- sddm-greater is a xdm type program |
|
|
|
* Tue Feb 18 2014 Miroslav Grepl<mgrepl@redhat.com> 3.12.1-126 |
|
- Add lvm_read_metadata() |
|
- Allow auditadm to search /var/log/audit dir |
|
- Add lvm_read_metadata() interface |
|
- Allow confined users to run vmtools helpers |
|
- Fix userdom_common_user_template() |
|
- Generic systemd unit scripts do write check on / |
|
- Allow init_t to create init_tmp_t in /tmp.This is for temporary content created by generic unit files |
|
- Add additional fixes needed for init_t and setup script running in generic unit files |
|
- Allow general users to create packet_sockets |
|
- added connlcli port |
|
- Add init_manage_transient_unit() interface |
|
- Allow init_t (generic unit files) to manage rpc state date as we had it for initrc_t |
|
- Fix userdomain.te to require passwd class |
|
- devicekit_power sends out a signal to all processes on the message bus when power is going down |
|
- Dontaudit rendom domains listing /proc and hittping system_map_t |
|
- Dontauit leaks of var_t into ifconfig_t |
|
- Allow domains that transition to ssh_t to manipulate its keyring |
|
- Define oracleasm_t as a device node |
|
- Change to handle /root as a symbolic link for os-tree |
|
- Allow sysadm_t to create packet_socket, also move some rules to attributes |
|
- Add label for openvswitch port |
|
- Remove general transition for files/dirs created in /etc/mail which got etc_aliases_t label. |
|
- Allow postfix_local to read .forward in pcp lib files |
|
- Allow pegasus_openlmi_storage_t to read lvm metadata |
|
- Add additional fixes for pegasus_openlmi_storage_t |
|
- Allow bumblebee to manage debugfs |
|
- Make bumblebee as unconfined domain |
|
- Allow snmp to read etc_aliases_t |
|
- Allow lscpu running in pegasus_openlmi_storage_t to read /dev/mem |
|
- Allow pegasus_openlmi_storage_t to read /proc/1/environ |
|
- Dontaudit read gconf files for cupsd_config_t |
|
- make vmtools as unconfined domain |
|
- Add vmtools_helper_t for helper scripts. Allow vmtools shutdonw a host and run ifconfig. |
|
- Allow collectd_t to use a mysql database |
|
- Allow ipa-otpd to perform DNS name resolution |
|
- Added new policy for keepalived |
|
- Allow openlmi-service provider to manage transitient units and allow stream connect to sssd |
|
- Add additional fixes new pscs-lite+polkit support |
|
- Add labeling for /run/krb5kdc |
|
- Change w3c_validator_tmp_t to httpd_w3c_validator_tmp_t in F20 |
|
- Allow pcscd to read users proc info |
|
- Dontaudit smbd_t sending out random signuls |
|
- Add boolean to allow openshift domains to use nfs |
|
- Allow w3c_validator to create content in /tmp |
|
- zabbix_agent uses nsswitch |
|
- Allow procmail and dovecot to work together to deliver mail |
|
- Allow spamd to execute files in homedir if boolean turned on |
|
- Allow openvswitch to listen on port 6634 |
|
- Add net_admin capability in collectd policy |
|
- Fixed snapperd policy |
|
- Fixed bugsfor pcp policy |
|
- Allow dbus_system_domains to be started by init |
|
- Fixed some interfaces |
|
- Add kerberos_keytab_domain attribute |
|
- Fix snapperd_conf_t def |
|
|
|
* Tue Feb 11 2014 Miroslav Grepl<mgrepl@redhat.com> 3.12.1-125 |
|
- Addopt corenet rules for unbound-anchor to rpm_script_t |
|
- Allow runuser to send send audit messages. |
|
- Allow postfix-local to search .forward in munin lib dirs |
|
- Allow udisks to connect to D-Bus |
|
- Allow spamd to connect to spamd port |
|
- Fix syntax error in snapper.te |
|
- Dontaudit osad to search gconf home files |
|
- Allow rhsmcertd to manage /etc/sysconf/rhn director |
|
- Fix pcp labeling to accept /usr/bin for all daemon binaries |
|
- Fix mcelog_read_log() interface |
|
- Allow iscsid to manage iscsi lib files |
|
- Allow snapper domtrans to lvm_t. Add support for /etc/snapper and allow snapperd to manage it. |
|
- Make tuned_t as unconfined domain for RHEL7.0 |
|
- Allow ABRT to read puppet certs |
|
- Add sys_time capability for virt-ga |
|
- Allow gemu-ga to domtrans to hwclock_t |
|
- Allow additional access for virt_qemu_ga_t processes to read system clock and send audit messages |
|
- Fix some AVCs in pcp policy |
|
- Add to bacula capability setgid and setuid and allow to bind to bacula ports |
|
- Changed label from rhnsd_rw_conf_t to rhnsd_conf_t |
|
- Add access rhnsd and osad to /etc/sysconfig/rhn |
|
- drbdadm executes drbdmeta |
|
- Fixes needed for docker |
|
- Allow epmd to manage /var/log/rabbitmq/startup_err file |
|
- Allow beam.smp connect to amqp port |
|
- Modify xdm_write_home to allow create also links as xdm_home_t if the boolean is on true |
|
- Allow init_t to manage pluto.ctl because of init_t instead of initrc_t |
|
- Allow systemd_tmpfiles_t to manage all non security files on the system |
|
- Added labels for bacula ports |
|
- Fix label on /dev/vfio/vfio |
|
- Add kernel_mounton_messages() interface |
|
- init wants to manage lock files for iscsi |
|
|
|
* Mon Feb 3 2014 Miroslav Grepl<mgrepl@redhat.com> 3.12.1-124 |
|
- Added osad policy |
|
- Allow postfix to deliver to procmail |
|
- Allow bumblebee to seng kill signal to xserver |
|
- Allow vmtools to execute /usr/bin/lsb_release |
|
- Allow docker to write system net ctrls |
|
- Add support for rhnsd unit file |
|
- Add dbus_chat_session_bus() interface |
|
- Add dbus_stream_connect_session_bus() interface |
|
- Fix pcp.te |
|
- Fix logrotate_use_nfs boolean |
|
- Add lot of pcp fixes found in RHEL7 |
|
- fix labeling for pmie for pcp pkg |
|
- Change thumb_t to be allowed to chat/connect with session bus type |
|
- Allow call renice in mlocate |
|
- Add logrotate_use_nfs boolean |
|
- Allow setroubleshootd to read rpc sysctl |
|
|
|
* Fri Jan 31 2014 Miroslav Grepl<mgrepl@redhat.com> 3.12.1-123 |
|
- Turn on bacula, rhnsd policy |
|
- Add support for rhnsd unit file |
|
- Add dbus_chat_session_bus() interface |
|
- Add dbus_stream_connect_session_bus() interface |
|
- Fix logrotate_use_nfs boolean |
|
- Add lot of pcp fixes found in RHEL7 |
|
- fix labeling for pmie for pcp pkg |
|
- Change thumb_t to be allowed to chat/connect with session bus type |
|
- Allow call renice in mlocate |
|
- Add logrotate_use_nfs boolean |
|
- Allow setroubleshootd to read rpc sysctl |
|
- Fixes for *_admin interfaces |
|
- Add pegasus_openlmi_storage_var_run_t type def |
|
- Add support for /var/run/openlmi-storage |
|
- Allow tuned to create syslog.conf with correct labeling |
|
- Add httpd_dontaudit_search_dirs boolean |
|
- Add support for winbind.service |
|
- ALlow also fail2ban-client to read apache logs |
|
- Allow vmtools to getattr on all fs |
|
- Add support for dey_sapi port |
|
- Add logging_filetrans_named_conf() |
|
- Allow passwd_t to use ipc_lock, so that it can change the password in gnome-keyring |
|
|
|
* Tue Jan 28 2014 Miroslav Grepl<mgrepl@redhat.com> 3.12.1-122 |
|
- Update snapper policy |
|
- Allow domains to append rkhunter lib files |
|
- Allow snapperd to getattr on all fs |
|
- Allow xdm to create /var/gdm with correct labeling |
|
- Add label for snapper.log |
|
- Allow fail2ban-client to read apache log files |
|
- Allow thumb_t to execute dbus-daemon in thumb_t |
|
|
|
* Mon Jan 27 2014 Miroslav Grepl<mgrepl@redhat.com> 3.12.1-121 |
|
- Allow gdm to create /var/gdm with correct labeling |
|
- Allow domains to append rkhunterl lib files. #1057982 |
|
- Allow systemd_tmpfiles_t net_admin to communicate with journald |
|
- Add interface to getattr on an isid_type for any type of file |
|
- Update libs_filetrans_named_content() to have support for /usr/lib/debug directory |
|
- Allow initrc_t domtrans to authconfig if unconfined is enabled |
|
- Allow docker and mount on devpts chr_file |
|
- Allow docker to transition to unconfined_t if boolean set |
|
- init calling needs to be optional in domain.te |
|
- Allow uncofined domain types to handle transient unit files |
|
- Fix labeling for vfio devices |
|
- Allow net_admin capability and send system log msgs |
|
- Allow lldpad send dgram to NM |
|
- Add networkmanager_dgram_send() |
|
- rkhunter_var_lib_t is correct type |
|
- Back port pcp policy from rawhide |
|
- Allow openlmi-storage to read removable devices |
|
- Allow system cron jobs to manage rkhunter lib files |
|
- Add rkhunter_manage_lib_files() |
|
- Fix ftpd_use_fusefs boolean to allow manage also symlinks |
|
- Allow smbcontrob block_suspend cap2 |
|
- Allow slpd to read network and system state info |
|
- Allow NM domtrans to iscsid_t if iscsiadm is executed |
|
- Allow slapd to send a signal itself |
|
- Allow sslget running as pki_ra_t to contact port 8443, the secure port of the CA. |
|
- Fix plymouthd_create_log() interface |
|
- Add rkhunter policy with files type definition for /var/lib/rkhunter until it is fixed in rkhunter package |
|
- Add mozilla_plugin_exec_t for /usr/lib/firefox/plugin-container |
|
- Allow postfix and cyrus-imapd to work out of box |
|
- Allow fcoemon to talk with unpriv user domain using unix_stream_socket |
|
- Dontaudit domains that are calling into journald to net_admin |
|
- Add rules to allow vmtools to do what it does |
|
- snapperd is D-Bus service |
|
- Allow OpenLMI PowerManagement to call 'systemctl --force reboot' |
|
- Add haproxy_connect_any boolean |
|
- Allow haproxy also to use http cache port by default |
|
Resolves:#1058248 |
|
|
|
* Tue Jan 21 2014 Miroslav Grepl<mgrepl@redhat.com> 3.12.1-120 |
|
- Allow apache to write to the owncloud data directory in /var/www/html... |
|
- Allow consolekit to create log dir |
|
- Add support for icinga CGI scripts |
|
- Add support for icinga |
|
- Allow kdumpctl_t to create kdump lock file |
|
Resolves:#1055634 |
|
- Allow kdump to create lnk lock file |
|
- Allow nscd_t block_suspen capability |
|
- Allow unconfined domain types to manage own transient unit file |
|
- Allow systemd domains to handle transient init unit files |
|
- Add interfaces to handle transient |
|
|
|
* Mon Jan 20 2014 Miroslav Grepl<mgrepl@redhat.com> 3.12.1-119 |
|
- Add cron unconfined role support for uncofined SELinux user |
|
- Call corenet_udp_bind_all_ports() in milter.te |
|
- Allow fence_virtd to connect to zented port |
|
- Fix header for mirrormanager_admin() |
|
- Allow dkim-milter to bind udp ports |
|
- Allow milter domains to send signull itself |
|
- Allow block_suspend for yum running as mock_t |
|
- Allow beam.smp to manage couchdb files |
|
- Add couchdb_manage_files() |
|
- Add labeling for /var/log/php_errors.log |
|
- Allow bumblebee to stream connect to xserver |
|
- Allow bumblebee to send a signal to xserver |
|
- gnome-thumbnail to stream connect to bumblebee |
|
- Allow xkbcomp running as bumblebee_t to execute bin_t |
|
- Allow logrotate to read squid.conf |
|
- Additional rules to get docker and lxc to play well with SELinux |
|
- Allow bumbleed to connect to xserver port |
|
- Allow pegasus_openlmi_storage_t to read hwdata |
|
|
|
* Thu Jan 16 2014 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-118 |
|
- Allow init_t to work on transitient and snapshot unit files |
|
- Add logging_manage_syslog_config() |
|
- Update sysnet_dns_name_resolve() to allow connect to dnssec por |
|
- Allow pegasus_openlmi_storage_t to read hwdata |
|
Resolves:#1031721 |
|
- Fix rhcs_rw_cluster_tmpfs() |
|
- Allow fenced_t to bind on zented udp port |
|
- Added policy for vmtools |
|
- Fix mirrormanager_read_lib_files() |
|
- Allow mirromanager scripts running as httpd_t to manage mirrormanager pid files |
|
- Allow ctdb to create sock files in /var/run/ctdb |
|
- Add sblim_filetrans_named_content() interface |
|
- Allow rpm scritplets to create /run/gather with correct labeling |
|
- Allow gnome keyring domains to create gnome config dirs |
|
- Dontaudit read/write to init stream socket for lsmd_plugin_t |
|
- Allow automount to read nfs link files |
|
- Allow lsm plugins to read/write lsmd stream socket |
|
- Allow certmonger to connect ldap port to make IPA CA certificate renewal working. |
|
- Add also labeling for /var/run/ctdb |
|
- Add missing labeling for /var/lib/ctdb |
|
- ALlow tuned to manage syslog.conf. Should be fixed in tuned. #1030446 |
|
- Dontaudit hypervkvp to search homedirs |
|
- Dontaudit hypervkvp to search admin homedirs |
|
- Allow hypervkvp to execute bin_t and ifconfig in the caller domain |
|
- Dontaudit xguest_t to read ABRT conf files |
|
- Add abrt_dontaudit_read_config() |
|
- Allow namespace-init to getattr on fs |
|
- Add thumb_role() also for xguest |
|
- Add filename transitions to create .spamassassin with correct labeling |
|
- Allow apache domain to read mirrormanager pid files |
|
- Allow domains to read/write shm and sem owned by mozilla_plugin_t |
|
- Allow alsactl to send a generic signal to kernel_t |
|
|
|
* Tue Jan 14 2014 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-117 |
|
- Add back rpm_run() for unconfined user |
|
|
|
* Tue Jan 14 2014 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-116 |
|
- Add missing files_create_var_lib_dirs() |
|
- Fix typo in ipsec.te |
|
- Allow passwd to create directory in /var/lib |
|
- Add filename trans also for event21 |
|
- Allow iptables command to read /dev/rand |
|
- Add sigkill capabilityfor ipsec_t |
|
- Add filename transitions for bcache devices |
|
- Add additional rules to create /var/log/cron by syslogd_t with correct labeling |
|
- Add give everyone full access to all key rings |
|
- Add default lvm_var_run_t label for /var/run/multipathd |
|
- Fix log labeling to have correct default label for them after logrotate |
|
- Labeled ~/.nv/GLCache as being gstreamer output |
|
- Allow nagios_system_plugin to read mrtg lib files |
|
- Add mrtg_read_lib_files() |
|
- Call rhcs_rw_cluster_tmpfs for dlm_controld |
|
- Make authconfing as named_filetrans domain |
|
- Allow virsh to connect to user process using stream socket |
|
- Allow rtas_errd to read rand/urand devices and add chown capability |
|
- Fix labeling from /var/run/net-snmpd to correct /var/run/net-snmp |
|
Resolves:#1051497 |
|
- Add also chown cap for abrt_upload_watch_t. It already has dac_override |
|
- Allow sosreport to manage rhsmcertd pid files |
|
- Add rhsmcertd_manage_pid_files() |
|
- Allow also setgid cap for rpc.gssd |
|
- Dontaudit access check for abrt on cert_t |
|
- Allow pegasus_openlmi_system providers to dbus chat with systemd-logind |
|
|
|
* Fri Jan 10 2014 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-115 |
|
- Fix semanage import handling in spec file |
|
|
|
* Fri Jan 10 2014 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-114 |
|
- Add default lvm_var_run_t label for /var/run/multipathd |
|
Resolves:#1051430 |
|
- Fix log labeling to have correct default label for them after logrotate |
|
- Add files_write_root_dirs |
|
- Add new openflow port label for 6653/tcp and 6633/tcp |
|
- Add xserver_manage_xkb_libs() |
|
- Label tcp/8891 as milter por |
|
- Allow gnome_manage_generic_cache_files also create cache_home_t files |
|
- Fix aide.log labeling |
|
- Fix log labeling to have correct default label for them after logrotate |
|
- Allow mysqld-safe write access on /root to make mysqld working |
|
- Allow sosreport domtrans to prelikn |
|
- Allow OpenvSwitch to connec to openflow ports |
|
- Allow NM send dgram to lldpad |
|
- Allow hyperv domains to execute shell |
|
- Allow lsmd plugins stream connect to lsmd/init |
|
- Allow sblim domains to create /run/gather with correct labeling |
|
- Allow httpd to read ldap certs |
|
- Allow cupsd to send dbus msgs to process with different MLS level |
|
- Allow bumblebee to stream connect to apmd |
|
- Allow bumblebee to run xkbcomp |
|
- Additional allow rules to get libvirt-lxc containers working with docker |
|
- Additional allow rules to get libvirt-lxc containers working with docker |
|
- Allow docker to getattr on itself |
|
- Additional rules needed for sandbox apps |
|
- Allow mozilla_plugin to set attributes on usb device if use_spice boolean enabled |
|
- httpd should be able to send signal/signull to httpd_suexec_t |
|
- Add more fixes for neturon. Domtrans to dnsmasq, iptables. Make neutron as filenamtrans domain. |
|
|
|
* Wed Jan 8 2014 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-113 |
|
- Add neutron fixes |
|
|
|
* Mon Jan 6 2014 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-112 |
|
- Allow sshd to write to all process levels in order to change passwd when running at a level |
|
- Allow updpwd_t to downgrade /etc/passwd file to s0, if it is not running with this range |
|
- Allow apcuspd_t to status and start the power unit file |
|
- Allow udev to manage kdump unit file |
|
- Added new interface modutils_dontaudit_exec_insmod |
|
- Allow cobbler to search dhcp_etc_t directory |
|
- systemd_systemctl needs sys_admin capability |
|
- Allow sytemd_tmpfiles_t to delete all directories |
|
- passwd to create gnome-keyring passwd socket |
|
- Add missing zabbix_var_lib_t type |
|
- Fix filename trans for zabbixsrv in zabbix.te |
|
- Allow fprintd_t to send syslog messages |
|
- Add zabbix_var_lib_t for /var/lib/zabbixsrv, also allow zabix to connect to smtp port |
|
- Allow mozilla plugin to chat with policykit, needed for spice |
|
- Allow gssprozy to change user and gid, as well as read user keyrings |
|
- Label upgrades directory under /var/www as httpd_sys_rw_content_t, add other filetrans rules to label content correctly |
|
- Allow polipo to connect to http_cache_ports |
|
- Allow cron jobs to manage apache var lib content |
|
- Allow yppassword to manage the passwd_file_t |
|
- Allow showall_t to send itself signals |
|
- Allow cobbler to restart dhcpc, dnsmasq and bind services |
|
- Allow certmonger to manage home cert files |
|
- Add userdom filename trans for user mail domains |
|
- Allow apcuspd_t to status and start the power unit file |
|
- Allow cgroupdrulesengd to create content in cgoups directories |
|
- Allow smbd_t to signull cluster |
|
- Allow gluster daemon to create fifo files in glusterd_brick_t and sock_file in glusterd_var_lib_t |
|
- Add label for /var/spool/cron.aquota.user |
|
- Allow sandbox_x domains to use work with the mozilla plugin semaphore |
|
- Added new policy for speech-dispatcher |
|
- Added dontaudit rule for insmod_exec_t in rasdaemon policy |
|
- Updated rasdaemon policy |
|
- Allow system_mail_t to transition to postfix_postdrop_t |
|
- Clean up mirrormanager policy |
|
- Allow virt_domains to read cert files, needs backport to RHEL7 |
|
- Allow sssd to read systemd_login_var_run_t |
|
- Allow irc_t to execute shell and bin-t files: |
|
- Add new access for mythtv |
|
- Allow rsync_t to manage all non auth files |
|
- allow modemmanger to read /dev/urand |
|
- Allow sandbox apps to attempt to set and get capabilties |
|
|
|
* Thu Dec 19 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-111 |
|
- Add labeling for /var/lib/servicelog/servicelog.db-journal |
|
- Add support for freeipmi port |
|
- Add sysadm_u_default_contexts |
|
- Make new type to texlive files in homedir |
|
- Allow subscription-manager running as sosreport_t to manage rhsmcertd |
|
- Additional fixes for docker.te |
|
- Remove ability to do mount/sys_admin by default in virt_sandbox domains |
|
- New rules required to run docker images within libivrt |
|
- Add label for ~/.cvsignore |
|
- Change mirrormanager to be run by cron |
|
- Add mirrormanager policy |
|
- Fixed bumblebee_admin() and mip6d_admin() |
|
- Add log support for sensord |
|
- Fix typo in docker.te |
|
- Allow amanda to do backups over UDP |
|
- Allow bumblebee to read /etc/group and clean up bumblebee.te |
|
- type transitions with a filename not allowed inside conditionals |
|
- Don't allow virt-sandbox tools to use netlink out of the box, needs back port to RHEL7 |
|
- Make new type to texlive files in homedir |
|
|
|
* Thu Dec 12 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-110 |
|
- Allow freeipmi_ipmidetectd_t to use freeipmi port |
|
- Update freeipmi_domain_template() |
|
- Allow journalctl running as ABRT to read /run/log/journal |
|
- Allow NM to read dispatcher.d directory |
|
- Update freeipmi policy |
|
- Type transitions with a filename not allowed inside conditionals |
|
- Allow tor to bind to hplip port |
|
- Make new type to texlive files in homedir |
|
- Allow zabbix_agent to transition to dmidecode |
|
- Add rules for docker |
|
- Allow sosreport to send signull to unconfined_t |
|
- Add virt_noatsecure and virt_rlimitinh interfaces |
|
- Fix labeling in thumb.fc to add support for /usr/lib64/tumbler-1/tumblerddd support for freeipmi port |
|
- Add sysadm_u_default_contexts |
|
- Add logging_read_syslog_pid() |
|
- Fix userdom_manage_home_texlive() interface |
|
- Make new type to texlive files in homedir |
|
- Add filename transitions for /run and /lock links |
|
- Allow virtd to inherit rlimit information |
|
Resolves:#975358 |
|
|
|
* Tue Dec 10 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-109 |
|
- Change labeling for /usr/libexec/nm-dispatcher.action to NetworkManager_exec_t |
|
Resolves:#1039879 |
|
- Add labeling for /usr/lib/systemd/system/mariadb.service |
|
- Allow hyperv_domain to read sysfs |
|
- Fix ldap_read_certs() interface to allow acess also link files |
|
- Add support for /usr/libexec/pegasus/cmpiLMI_Journald-cimprovagt |
|
- Allow tuned to run modprobe |
|
- Allow portreserve to search /var/lib/sss dir |
|
- Add SELinux support for the teamd package contains team network device control daemon. |
|
- Dontaudit access check on /proc for bumblebee |
|
- Bumblebee wants to load nvidia modules |
|
- Fix rpm_named_filetrans_log_files and wine.te |
|
- Add conman policy for rawhide |
|
- DRM master and input event devices are used by the TakeDevice API |
|
- Clean up bumblebee policy |
|
- Update pegasus_openlmi_storage_t policy |
|
- Add freeipmi_stream_connect() interface |
|
- Allow logwatch read madm.conf to support RAID setup |
|
- Add raid_read_conf_files() interface |
|
- Allow up2date running as rpm_t create up2date log file with rpm_log_t labeling |
|
- add rpm_named_filetrans_log_files() interface |
|
- Allow dkim-milter to create files/dirs in /tmp |
|
- update freeipmi policy |
|
- Add policy for freeipmi services |
|
- Added rdisc_admin and rdisc_systemctl interfaces |
|
- opensm policy clean up |
|
- openwsman policy clean up |
|
- ninfod policy clean up |
|
- Added new policy for ninfod |
|
- Added new policy for openwsman |
|
- Added rdisc_admin and rdisc_systemctl interfaces |
|
- Fix kernel_dontaudit_access_check_proc() |
|
- Add support for /dev/uhid |
|
- Allow sulogin to get the attributes of initctl and sys_admin cap |
|
- Add kernel_dontaudit_access_check_proc() |
|
- Fix dev_rw_ipmi_dev() |
|
- Fix new interface in devices.if |
|
- DRM master and input event devices are used by the TakeDevice API |
|
- add dev_rw_inherited_dri() and dev_rw_inherited_input_dev() |
|
- Added support for default conman port |
|
- Add interfaces for ipmi devices |
|
|
|
* Wed Dec 4 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-108 |
|
- Allow sosreport to send a signal to ABRT |
|
- Add proper aliases for pegasus_openlmi_service_exec_t and pegasus_openlmi_service_t |
|
- Label /usr/sbin/htcacheclean as httpd_exec_t |
|
Resolves:#1037529 |
|
- Added support for rdisc unit file |
|
- Add antivirus_db_t labeling for /var/lib/clamav-unofficial-sigs |
|
- Allow runuser running as logrotate connections to system DBUS |
|
- Label bcache devices as fixed_disk_device_t |
|
- Allow systemctl running in ipsec_mgmt_t to access /usr/lib/systemd/system/ipsec.service |
|
- Label /usr/lib/systemd/system/ipsec.service as ipsec_mgmt_unit_file_t |
|
|
|
* Mon Dec 2 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-107 |
|
- Add back setpgid/setsched for sosreport_t |
|
|
|
* Mon Dec 2 2013 Dan Walsh <dwalsh@redhat.com> 3.12.1-106 |
|
- Added fix for clout_init to transition to rpm_script_t (dwalsh@redhat.com) |
|
|
|
* Tue Nov 26 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-105 |
|
- Dontaudit openshift domains trying to use rawip_sockets, this is caused by a bad check in the kernel. |
|
- Allow git_system_t to read git_user_content if the git_system_enable_homedirs boolean is turned on |
|
- Add lsmd_plugin_t for lsm plugins |
|
- Allow dovecot-deliver to search mountpoints |
|
- Add labeling for /etc/mdadm.conf |
|
- Allow opelmi admin providers to dbus chat with init_t |
|
- Allow sblim domain to read /dev/urandom and /dev/random |
|
- Allow apmd to request the kernel load modules |
|
- Add glusterd_brick_t type |
|
- label mate-keyring-daemon with gkeyringd_exec_t |
|
- Add plymouthd_create_log() |
|
- Dontaudit leaks from openshift domains into mail domains, needs back port to RHEL6 |
|
- Allow sssd to request the kernel loads modules |
|
- Allow gpg_agent to use ssh-add |
|
- Allow gpg_agent to use ssh-add |
|
- Dontaudit access check on /root for myslqd_safe_t |
|
- Allow ctdb to getattr on al filesystems |
|
- Allow abrt to stream connect to syslog |
|
- Allow dnsmasq to list dnsmasq.d directory |
|
- Watchdog opens the raw socket |
|
- Allow watchdog to read network state info |
|
- Dontaudit access check on lvm lock dir |
|
- Allow sosreport to send signull to setroubleshootd |
|
- Add setroubleshoot_signull() interface |
|
- Fix ldap_read_certs() interface |
|
- Allow sosreport all signal perms |
|
- Allow sosreport to run systemctl |
|
- Allow sosreport to dbus chat with rpm |
|
- Add glusterd_brick_t files type |
|
- Allow zabbix_agentd to read all domain state |
|
- Clean up rtas.if |
|
- Allow smoltclient to execute ldconfig |
|
- Allow sosreport to request the kernel to load a module |
|
- Fix userdom_confined_admin_template() |
|
- Add back exec_content boolean for secadm, logadm, auditadm |
|
- Fix files_filetrans_system_db_named_files() interface |
|
- Allow sulogin to getattr on /proc/kcore |
|
- Add filename transition also for servicelog.db-journal |
|
- Add files_dontaudit_access_check_root() |
|
- Add lvm_dontaudit_access_check_lock() interface |
|
|
|
* Thu Nov 21 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-104 |
|
- Allow watchdog to read /etc/passwd |
|
- Allow browser plugins to connect to bumblebee |
|
- New policy for bumblebee and freqset |
|
- Add new policy for mip6d daemon |
|
- Add new policy for opensm daemon |
|
- Allow condor domains to read/write condor_master udp_socket |
|
- Allow openshift_cron_t to append to openshift log files, label /var/log/openshift |
|
- Add back file_pid_filetrans for /var/run/dlm_controld |
|
- Allow smbd_t to use inherited tmpfs content |
|
- Allow mcelog to use the /dev/cpu device |
|
- sosreport runs rpcinfo |
|
- sosreport runs subscription-manager |
|
- Allow staff_t to run frequency command |
|
- Allow systemd_tmpfiles to relabel log directories |
|
- Allow staff_t to read xserver_log file |
|
- Label hsperfdata_root as tmp_t |
|
|
|
* Wed Nov 20 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-103 |
|
- More sosreport fixes to make ABRT working |
|
|
|
* Fri Nov 15 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-102 |
|
- Fix files_dontaudit_unmount_all_mountpoints() |
|
- Add support for 2608-2609 tcp/udp ports |
|
- Should allow domains to lock the terminal device |
|
- More fixes for user config files to make crond_t running in userdomain |
|
- Add back disable/reload/enable permissions for system class |
|
- Fix manage_service_perms macro |
|
- We need to require passwd rootok |
|
- Fix zebra.fc |
|
- Fix dnsmasq_filetrans_named_content() interface |
|
- Allow all sandbox domains create content in svirt_home_t |
|
- Allow zebra domains also create zebra_tmp_t files in /tmp |
|
- Add support for new zebra services:isisd,babeld. Add systemd support for zebra services. |
|
- Fix labeling on neutron and remove transition to iconfig_t |
|
- abrt needs to read mcelog log file |
|
- Fix labeling on dnsmasq content |
|
- Fix labeling on /etc/dnsmasq.d |
|
- Allow glusterd to relabel own lib files |
|
- Allow sandbox domains to use pam_rootok, and dontaudit attempts to unmount file systems, this is caused by a bug in systemd |
|
- Allow ipc_lock for abrt to run journalctl |
|
|
|
* Thu Nov 14 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-101 |
|
- Fix config.tgz |
|
|
|
* Tue Nov 12 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-100 |
|
- Fix passenger_stream_connect interface |
|
- setroubleshoot_fixit wants to read network state |
|
- Allow procmail_t to connect to dovecot stream sockets |
|
- Allow cimprovagt service providers to read network states |
|
- Add labeling for /var/run/mariadb |
|
- pwauth uses lastlog() to update system's lastlog |
|
- Allow account provider to read login records |
|
- Add support for texlive2013 |
|
- More fixes for user config files to make crond_t running in userdomain |
|
- Add back disable/reload/enable permissions for system class |
|
- Fix manage_service_perms macro |
|
- Allow passwd_t to connect to gnome keyring to change password |
|
- Update mls config files to have cronjobs in the user domains |
|
- Remove access checks that systemd does not actually do |
|
|
|
* Fri Nov 8 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-99 |
|
- Add support for yubikey in homedir |
|
- Add support for upd/3052 port |
|
- Allow apcupsd to use PowerChute Network Shutdown |
|
- Allow lsmd to execute various lsmplugins |
|
- Add labeling also for /etc/watchdog\.d where are watchdog scripts located too |
|
- Update gluster_export_all_rw boolean to allow relabel all base file types |
|
- Allow x86_energy_perf tool to modify the MSR |
|
- Fix /var/lib/dspam/data labeling |
|
|
|
* Wed Nov 6 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-98 |
|
- Add files_relabel_base_file_types() interface |
|
- Allow netlabel-config to read passwd |
|
- update gluster_export_all_rw boolean to allow relabel all base file types caused by lsetxattr() |
|
- Allow x86_energy_perf tool to modify the MSR |
|
- Fix /var/lib/dspam/data labeling |
|
- Allow pegasus to domtrans to mount_t |
|
- Add labeling for unconfined scripts in /usr/libexec/watchdog/scripts |
|
- Add support for unconfined watchdog scripts |
|
- Allow watchdog to manage own log files |
|
|
|
* Wed Nov 6 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-97 |
|
- Add label only for redhat.repo instead of /etc/yum.repos.d. But probably we will need to switch for the directory. |
|
- Label /etc/yum.repos.d as system_conf_t |
|
- Use sysnet_filetrans_named_content in udev.te instead of generic transition for net_conf_t |
|
- Allow dac_override for sysadm_screen_t |
|
- Allow init_t to read ipsec_conf_t as we had it for initrc_t. Needed by ipsec unit file. |
|
- Allow netlabel-config to read meminfo |
|
- Add interface to allow docker to mounton file_t |
|
- Add new interface to exec unlabeled files |
|
- Allow lvm to use docker semaphores |
|
- Setup transitons for .xsessions-errors.old |
|
- Change labels of files in /var/lib/*/.ssh to transition properly |
|
- Allow staff_t and user_t to look at logs using journalctl |
|
- pluto wants to manage own log file |
|
- Allow pluto running as ipsec_t to create pluto.log |
|
- Fix alias decl in corenetwork.te.in |
|
- Add support for fuse.glusterfs |
|
- Allow dmidecode to read/write /run/lock/subsys/rhsmcertd |
|
- Allow rhsmcertd to manage redhat.repo which is now labeled as system.conf. Allow rhsmcertd to manage all log files. |
|
- Additional access for docker |
|
- Added more rules to sblim policy |
|
- Fix kdumpgui_run_bootloader boolean |
|
- Allow dspam to connect to lmtp port |
|
- Included sfcbd service into sblim policy |
|
- rhsmcertd wants to manaage /etc/pki/consumer dir |
|
- Add kdumpgui_run_bootloader boolean |
|
- Add support for /var/cache/watchdog |
|
- Remove virt_domain attribute for virt_qemu_ga_unconfined_t |
|
- Fixes for handling libvirt containes |
|
- Dontaudit attempts by mysql_safe to write content into / |
|
- Dontaudit attempts by system_mail to modify network config |
|
- Allow dspam to bind to lmtp ports |
|
- Add new policy to allow staff_t and user_t to look at logs using journalctl |
|
- Allow apache cgi scripts to list sysfs |
|
- Dontaudit attempts to write/delete user_tmp_t files |
|
- Allow all antivirus domains to manage also own log dirs |
|
- Allow pegasus_openlmi_services_t to stream connect to sssd_t |
|
|
|
* Fri Nov 1 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-96 |
|
- Add missing permission checks for nscd |
|
|
|
* Wed Oct 30 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-95 |
|
- Fix alias decl in corenetwork.te.in |
|
- Add support for fuse.glusterfs |
|
- Add file transition rules for content created by f5link |
|
- Rename quantum_port information to neutron |
|
- Allow all antivirus domains to manage also own log dirs |
|
- Rename quantum_port information to neutron |
|
- Allow pegasus_openlmi_services_t to stream connect to sssd_t |
|
|
|
* Mon Oct 28 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-94 |
|
- Allow sysadm_t to read login information |
|
- Allow systemd_tmpfiles to setattr on var_log_t directories |
|
- Udpdate Makefile to include systemd_contexts |
|
- Add systemd_contexts |
|
- Add fs_exec_hugetlbfs_files() interface |
|
- Add daemons_enable_cluster_mode boolean |
|
- Fix rsync_filetrans_named_content() |
|
- Add rhcs_read_cluster_pid_files() interface |
|
- Update rhcs.if with additional interfaces from RHEL6 |
|
- Fix rhcs_domain_template() to not create run dirs with cluster_var_run_t |
|
- Allow glusterd_t to mounton glusterd_tmp_t |
|
- Allow glusterd to unmout al filesystems |
|
- Allow xenstored to read virt config |
|
- Add label for swift_server.lock and make add filetrans_named_content to make sure content gets created with the correct label |
|
- Allow mozilla_plugin_t to mmap hugepages as an executable |
|
|
|
* Thu Oct 24 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-94 |
|
- Add back userdom_security_admin_template() interface and use it for sysadm_t if sysadm_secadm.pp |
|
|
|
* Tue Oct 22 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-93 |
|
- Allow sshd_t to read openshift content, needs backport to RHEL6.5 |
|
- Label /usr/lib64/sasl2/libsasldb.so.3.0.0 as textrel_shlib_t |
|
- Make sur kdump lock is created with correct label if kdumpctl is executed |
|
- gnome interface calls should always be made within an optional_block |
|
- Allow syslogd_t to connect to the syslog_tls port |
|
- Add labeling for /var/run/charon.ctl socket |
|
- Add kdump_filetrans_named_content() |
|
- Allo setpgid for fenced_t |
|
- Allow setpgid and r/w cluster tmpfs for fenced_t |
|
- gnome calls should always be within optional blocks |
|
- wicd.pid should be labeled as networkmanager_var_run_t |
|
- Allow sys_resource for lldpad |
|
|
|
* Thu Oct 17 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-92 |
|
- Add rtas policy |
|
|
|
* Thu Oct 17 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-91 |
|
- Allow mailserver_domains to manage and transition to mailman data |
|
- Dontaudit attempts by mozilla plugin to relabel content, caused by using mv and cp commands |
|
- Allow mailserver_domains to manage and transition to mailman data |
|
- Allow svirt_domains to read sysctl_net_t |
|
- Allow thumb_t to use tmpfs inherited from the user |
|
- Allow mozilla_plugin to bind to the vnc port if running with spice |
|
- Add new attribute to discover confined_admins and assign confined admin to it |
|
- Fix zabbix to handle attributes in interfaces |
|
- Fix zabbix to read system states for all zabbix domains |
|
- Fix piranha_domain_template() |
|
- Allow ctdbd to create udp_socket. Allow ndmbd to access ctdbd var files. |
|
- Allow lldpad sys_rouserce cap due to #986870 |
|
- Allow dovecot-auth to read nologin |
|
- Allow openlmi-networking to read /proc/net/dev |
|
- Allow smsd_t to execute scripts created on the fly labeled as smsd_spool_t |
|
- Add zabbix_domain attribute for zabbix domains to treat them together |
|
- Add labels for zabbix-poxy-* (#1018221) |
|
- Update openlmi-storage policy to reflect #1015067 |
|
- Back port piranha tmpfs fixes from RHEL6 |
|
- Update httpd_can_sendmail boolean to allow read/write postfix spool maildrop |
|
- Add postfix_rw_spool_maildrop_files interface |
|
- Call new userdom_admin_user_templat() also for sysadm_secadm.pp |
|
- Fix typo in userdom_admin_user_template() |
|
- Allow SELinux users to create coolkeypk11sE-Gate in /var/cache/coolkey |
|
- Add new attribute to discover confined_admins |
|
- Fix labeling for /etc/strongswan/ipsec.d |
|
- systemd_logind seems to pass fd to anyone who dbus communicates with it |
|
- Dontaudit leaked write descriptor to dmesg |
|
|
|
* Mon Oct 14 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-90 |
|
- Activate motion policy |
|
|
|
* Mon Oct 14 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-89 |
|
- Fix gnome_read_generic_data_home_files() |
|
- allow openshift_cgroup_t to read/write inherited openshift file types |
|
- Remove httpd_cobbler_content * from cobbler_admin interface |
|
- Allow svirt sandbox domains to setattr on chr_file and blk_file svirt_sandbox_file_t, so sshd will work within a container |
|
- Allow httpd_t to read also git sys content symlinks |
|
- Allow init_t to read gnome home data |
|
- Dontaudit setroubleshoot_fixit_t execmem, since it does not seem to really need it. |
|
- Allow virsh to execute systemctl |
|
- Fix for nagios_services plugins |
|
- add type defintion for ctdbd_var_t |
|
- Add support for /var/ctdb. Allow ctdb block_suspend and read /etc/passwd file |
|
- Allow net_admin/netlink_socket all hyperv_domain domains |
|
- Add labeling for zarafa-search.log and zarafa-search.pid |
|
- Fix hypervkvp.te |
|
- Fix nscd_shm_use() |
|
- Add initial policy for /usr/sbin/hypervvssd in hypervkvp policy which should be renamed to hyperv. Also add hyperv_domain attribute to treat these HyperV services. |
|
- Add hypervkvp_unit_file_t type |
|
- Fix logging policy |
|
- Allow syslog to bind to tls ports |
|
- Update labeling for /dev/cdc-wdm |
|
- Allow to su_domain to read init states |
|
- Allow init_t to read gnome home data |
|
- Make sure if systemd_logind creates nologin file with the correct label |
|
- Clean up ipsec.te |
|
|
|
* Tue Oct 8 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-88 |
|
- Add auth_exec_chkpwd interface |
|
- Fix port definition for ctdb ports |
|
- Allow systemd domains to read /dev/urand |
|
- Dontaudit attempts for mozilla_plugin to append to /dev/random |
|
- Add label for /var/run/charon.* |
|
- Add labeling for /usr/lib/systemd/system/lvm2.*dd policy for motion service |
|
- Fix for nagios_services plugins |
|
- Fix some bugs in zoneminder policy |
|
- add type defintion for ctdbd_var_t |
|
- Add support for /var/ctdb. Allow ctdb block_suspend and read /etc/passwd file |
|
- Allow net_admin/netlink_socket all hyperv_domain domains |
|
- Add labeling for zarafa-search.log and zarafa-search.pid |
|
- glusterd binds to random unreserved ports |
|
- Additional allow rules found by testing glusterfs |
|
- apcupsd needs to send a message to all users on the system so needs to look them up |
|
- Fix the label on ~/.juniper_networks |
|
- Dontaudit attempts for mozilla_plugin to append to /dev/random |
|
- Allow polipo_daemon to connect to flash ports |
|
- Allow gssproxy_t to create replay caches |
|
- Fix nscd_shm_use() |
|
- Add initial policy for /usr/sbin/hypervvssd in hypervkvp policy which should be renamed to hyperv. Also add hyperv_domain attribute to treat these HyperV services. |
|
- Add hypervkvp_unit_file_t type |
|
|
|
* Fri Oct 4 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-87 |
|
- init reload from systemd_localed_t |
|
- Allow domains that communicate with systemd_logind_sessions to use systemd_logind_t fd |
|
- Allow systemd_localed_t to ask systemd to reload the locale. |
|
- Add systemd_runtime_unit_file_t type for unit files that systemd creates in memory |
|
- Allow readahead to read /dev/urand |
|
- Fix lots of avcs about tuned |
|
- Any file names xenstored in /var/log should be treated as xenstored_var_log_t |
|
- Allow tuned to inderact with hugepages |
|
- Allow condor domains to list etc rw dirs |
|
|
|
* Fri Oct 4 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-86 |
|
- Fix nscd_shm_use() |
|
- Add initial policy for /usr/sbin/hypervvssd in hypervkvp policy which should be renamed to hyperv. Also add hyperv_domain attribute to treat these HyperV services. |
|
- Add hypervkvp_unit_file_t type |
|
- Add additional fixes forpegasus_openlmi_account_t |
|
- Allow mdadm to read /dev/urand |
|
- Allow pegasus_openlmi_storage_t to create mdadm.conf and write it |
|
- Add label/rules for /etc/mdadm.conf |
|
- Allow pegasus_openlmi_storage_t to transition to fsadm_t |
|
- Fixes for interface definition problems |
|
- Dontaudit dovecot-deliver to gettatr on all fs dirs |
|
- Allow domains to search data_home_t directories |
|
- Allow cobblerd to connect to mysql |
|
- Allow mdadm to r/w kdump lock files |
|
- Add support for kdump lock files |
|
- Label zarafa-search as zarafa-indexer |
|
- Openshift cgroup wants to read /etc/passwd |
|
- Add new sandbox domains for kvm |
|
- Allow mpd to interact with pulseaudio if mpd_enable_homedirs is turned on |
|
- Fix labeling for /usr/lib/systemd/system/lvm2.* |
|
- Add labeling for /usr/lib/systemd/system/lvm2.* |
|
- Fix typos to get a new build. We should not cover filename trans rules to prevent duplicate rules |
|
- Add sshd_keygen_t policy for sshd-keygen |
|
- Fix alsa_home_filetrans interface name and definition |
|
- Allow chown for ssh_keygen_t |
|
- Add fs_dontaudit_getattr_all_dirs() |
|
- Allow init_t to manage etc_aliases_t and read xserver_var_lib_t and chrony keys |
|
- Fix up patch to allow systemd to manage home content |
|
- Allow domains to send/recv unlabeled traffic if unlabelednet.pp is enabled |
|
- Allow getty to exec hostname to get info |
|
- Add systemd_home_t for ~/.local/share/systemd directory |
|
|
|
* Wed Oct 2 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-85 |
|
- Fix lxc labels in config.tgz |
|
|
|
* Mon Sep 30 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-84 |
|
- Fix labeling for /usr/libexec/kde4/kcmdatetimehelper |
|
- Allow tuned to search all file system directories |
|
- Allow alsa_t to sys_nice, to get top performance for sound management |
|
- Add support for MySQL/PostgreSQL for amavis |
|
- Allow openvpn_t to manage openvpn_var_log_t files. |
|
- Allow dirsrv_t to create tmpfs_t directories |
|
- Allow dirsrv to create dirs in /dev/shm with dirsrv_tmpfs label |
|
- Dontaudit leaked unix_stream_sockets into gnome keyring |
|
- Allow telepathy domains to inhibit pipes on telepathy domains |
|
- Allow cloud-init to domtrans to rpm |
|
- Allow abrt daemon to manage abrt-watch tmp files |
|
- Allow abrt-upload-watcher to search /var/spool directory |
|
- Allow nsswitch domains to manage own process key |
|
- Fix labeling for mgetty.* logs |
|
- Allow systemd to dbus chat with upower |
|
- Allow ipsec to send signull to itself |
|
- Allow setgid cap for ipsec_t |
|
- Match upstream labeling |
|
|
|
* Wed Sep 25 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-83 |
|
- Do not build sanbox pkg on MLS |
|
|
|
* Wed Sep 25 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-82 |
|
- wine_tmp is no longer needed |
|
- Allow setroubleshoot to look at /proc |
|
- Allow telepathy domains to dbus with systemd logind |
|
- Fix handling of fifo files of rpm |
|
- Allow mozilla_plugin to transition to itself |
|
- Allow certwatch to write to cert_t directories |
|
- New abrt application |
|
- Allow NetworkManager to set the kernel scheduler |
|
- Make wine_domain shared by all wine domains |
|
- Allow mdadm_t to read images labeled svirt_image_t |
|
- Allow amanda to read /dev/urand |
|
- ALlow my_print_default to read /dev/urand |
|
- Allow mdadm to write to kdumpctl fifo files |
|
- Allow nslcd to send signull to itself |
|
- Allow yppasswd to read /dev/urandom |
|
- Fix zarafa_setrlimit |
|
- Add support for /var/lib/php/wsdlcache |
|
- Add zarafa_setrlimit boolean |
|
- Allow fetchmail to send mails |
|
- Add additional alias for user_tmp_t because wine_tmp_t is no longer used |
|
- More handling of ther kernel keyring required by kerberos |
|
- New privs needed for init_t when running without transition to initrc_t over bin_t, and without unconfined domain installed |
|
|
|
* Thu Sep 19 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-81 |
|
- Dontaudit attempts by sosreport to read shadow_t |
|
- Allow browser sandbox plugins to connect to cups to print |
|
- Add new label mpd_home_t |
|
- Label /srv/www/logs as httpd_log_t |
|
- Add support for /var/lib/php/wsdlcache |
|
- Add zarafa_setrlimit boolean |
|
- Allow fetchmail to send mails |
|
- Add labels for apache logs under miq package |
|
- Allow irc_t to use tcp sockets |
|
- fix labels in puppet.if |
|
- Allow tcsd to read utmp file |
|
- Allow openshift_cron_t to run ssh-keygen in ssh_keygen_t to access host keys |
|
- Define svirt_socket_t as a domain_type |
|
- Take away transition from init_t to initrc_t when executing bin_t, allow init_t to run chk_passwd_t |
|
- Fix label on pam_krb5 helper apps |
|
|
|
* Thu Sep 12 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-80 |
|
- Allow ldconfig to write to kdumpctl fifo files |
|
- allow neutron to connect to amqp ports |
|
- Allow kdump_manage_crash to list the kdump_crash_t directory |
|
- Allow glance-api to connect to amqp port |
|
- Allow virt_qemu_ga_t to read meminfo |
|
- Add antivirus_home_t type for antivirus date in HOMEDIRS |
|
- Allow mpd setcap which is needed by pulseaudio |
|
- Allow smbcontrol to create content in /var/lib/samba |
|
- Allow mozilla_exec_t to be used as a entrypoint to mozilla_domtrans_spec |
|
- Add additional labeling for qemu-ga/fsfreeze-hook.d scripts |
|
- amanda_exec_t needs to be executable file |
|
- Allow block_suspend cap for samba-net |
|
- Allow apps that read ipsec_mgmt_var_run_t to search ipsec_var_run_t |
|
- Allow init_t to run crash utility |
|
- Treat usr_t just like bin_t for transitions and executions |
|
- Add port definition of pka_ca to port 829 for openshift |
|
- Allow selinux_store to use symlinks |
|
|
|
* Mon Sep 9 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-79 |
|
- Allow block_suspend cap for samba-net |
|
- Allow t-mission-control to manage gabble cache files |
|
- Allow nslcd to read /sys/devices/system/cpu |
|
- Allow selinux_store to use symlinks |
|
|
|
* Mon Sep 9 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-78 |
|
- Allow xdm_t to transition to itself |
|
- Call neutron interfaces instead of quantum |
|
- Allow init to change targed role to make uncofined services (xrdp which now has own systemd unit file) working. We want them to have in unconfined_t |
|
- Make sure directories in /run get created with the correct label |
|
- Make sure /root/.pki gets created with the right label |
|
- try to remove labeling for motion from zoneminder_exec_t to bin_t |
|
- Allow inetd_t to execute shell scripts |
|
- Allow cloud-init to read all domainstate |
|
- Fix to use quantum port |
|
- Add interface netowrkmanager_initrc_domtrans |
|
- Fix boinc_execmem |
|
- Allow t-mission-control to read gabble cache home |
|
- Add labeling for ~/.cache/telepathy/avatars/gabble |
|
- Allow memcache to read sysfs data |
|
- Cleanup antivirus policy and add additional fixes |
|
- Add boolean boinc_enable_execstack |
|
- Add support for couchdb in rabbitmq policy |
|
- Add interface couchdb_search_pid_dirs |
|
- Allow firewalld to read NM state |
|
- Allow systemd running as git_systemd to bind git port |
|
- Fix mozilla_plugin_rw_tmpfs_files() |
|
|
|
* Thu Sep 5 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-77 |
|
- Split out rlogin ports from inetd |
|
- Treat files labeld as usr_t like bin_t when it comes to transitions |
|
- Allow staff_t to read login config |
|
- Allow ipsec_t to read .google authenticator data |
|
- Allow systemd running as git_systemd to bind git port |
|
- Fix mozilla_plugin_rw_tmpfs_files() |
|
- Call the correct interface - corenet_udp_bind_ktalkd_port() |
|
- Allow all domains that can read gnome_config to read kde config |
|
- Allow sandbox domain to read/write mozilla_plugin_tmpfs_t so pulseaudio will work |
|
- Allow mdadm to getattr any file system |
|
- Allow a confined domain to executes mozilla_exec_t via dbus |
|
- Allow cupsd_lpd_t to bind to the printer port |
|
- Dontaudit attempts to bind to ports < 1024 when nis is turned on |
|
- Allow apache domain to connect to gssproxy socket |
|
- Allow rlogind to bind to the rlogin_port |
|
- Allow telnetd to bind to the telnetd_port |
|
- Allow ktalkd to bind to the ktalkd_port |
|
- Allow cvs to bind to the cvs_port |
|
|
|
* Wed Sep 4 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-76 |
|
- Cleanup related to init_domain()+inetd_domain fixes |
|
- Use just init_domain instead of init_daemon_domain in inetd_core_service_domain |
|
- svirt domains neeed to create kobject_uevint_sockets |
|
- Lots of new access required for sosreport |
|
- Allow tgtd_t to connect to isns ports |
|
- Allow init_t to transition to all inetd domains: |
|
- openct needs to be able to create netlink_object_uevent_sockets |
|
- Dontaudit leaks into ldconfig_t |
|
- Dontaudit su domains getattr on /dev devices, move su domains to attribute based calls |
|
- Move kernel_stream_connect into all Xwindow using users |
|
- Dontaudit inherited lock files in ifconfig o dhcpc_t |
|
|
|
* Tue Sep 3 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-75 |
|
- Also sock_file trans rule is needed in lsm |
|
- Fix labeling for fetchmail pid files/dirs |
|
- Add additional fixes for abrt-upload-watch |
|
- Fix polipo.te |
|
- Fix transition rules in asterisk policy |
|
- Add fowner capability to networkmanager policy |
|
- Allow polipo to connect to tor ports |
|
- Cleanup lsmd.if |
|
- Cleanup openhpid policy |
|
- Fix kdump_read_crash() interface |
|
- Make more domains as init domain |
|
- Fix cupsd.te |
|
- Fix requires in rpm_rw_script_inherited_pipes |
|
- Fix interfaces in lsm.if |
|
- Allow munin service plugins to manage own tmpfs files/dirs |
|
- Allow virtd_t also relabel unix stream sockets for virt_image_type |
|
- Make ktalk as init domain |
|
- Fix to define ktalkd_unit_file_t correctly |
|
- Fix ktalk.fc |
|
- Add systemd support for talk-server |
|
- Allow glusterd to create sock_file in /run |
|
- Allow xdm_t to delete gkeyringd_tmp_t files on logout |
|
- Add fixes for hypervkvp policy |
|
- Add logwatch_can_sendmail boolean |
|
- Allow mysqld_safe_t to handle also symlinks in /var/log/mariadb |
|
- Allow xdm_t to delete gkeyringd_tmp_t files on logout |
|
|
|
* Thu Aug 29 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-74 |
|
- Add selinux-policy-sandbox pkg |
|
|
|
* Tue Aug 27 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-73 |
|
0 |
|
- Allow rhsmcertd to read init state |
|
- Allow fsetid for pkcsslotd |
|
- Fix labeling for /usr/lib/systemd/system/pkcsslotd.service |
|
- Allow fetchmail to create own pid with correct labeling |
|
- Fix rhcs_domain_template() |
|
- Allow roles which can run mock to read mock lib files to view results |
|
- Allow rpcbind to use nsswitch |
|
- Fix lsm.if summary |
|
- Fix collectd_t can read /etc/passwd file |
|
- Label systemd unit files under dracut correctly |
|
- Add support for pam_mount to mount user's encrypted home When a user logs in and logs out using ssh |
|
- Add support for .Xauthority-n |
|
- Label umount.crypt as lvm_exec_t |
|
- Allow syslogd to search psad lib files |
|
- Allow ssh_t to use /dev/ptmx |
|
- Make sure /run/pluto dir is created with correct labeling |
|
- Allow syslog to run shell and bin_t commands |
|
- Allow ip to relabel tun_sockets |
|
- Allow mount to create directories in files under /run |
|
- Allow processes to use inherited fifo files |
|
|
|
* Fri Aug 23 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-72 |
|
- Add policy for lsmd |
|
- Add support for /var/log/mariadb dir and allow mysqld_safe to list this directory |
|
- Update condor_master rules to allow read system state info and allow logging |
|
- Add labeling for /etc/condor and allow condor domain to write it (bug) |
|
- Allow condor domains to manage own logs |
|
- Allow glusterd to read domains state |
|
- Fix initial hypervkvp policy |
|
- Add policy for hypervkvpd |
|
- Fix redis.if summary |
|
|
|
* Wed Aug 21 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-71 |
|
- Allow boinc to connect to @/tmp/.X11-unix/X0 |
|
- Allow beam.smp to connect to tcp/5984 |
|
- Allow named to manage own log files |
|
- Add label for /usr/libexec/dcc/start-dccifd and domtrans to dccifd_t |
|
- Add virt_transition_userdomain boolean decl |
|
- Allow httpd_t to sendto unix_dgram sockets on its children |
|
- Allow nova domains to execute ifconfig |
|
- bluetooth wants to create fifo_files in /tmp |
|
- exim needs to be able to manage mailman data |
|
- Allow sysstat to getattr on all file systems |
|
- Looks like bluetoothd has moved |
|
- Allow collectd to send ping packets |
|
- Allow svirt_lxc domains to getpgid |
|
- Remove virt-sandbox-service labeling as virsh_exec_t, since it no longer does virsh_t stuff |
|
- Allow frpintd_t to read /dev/urandom |
|
- Allow asterisk_t to create sock_file in /var/run |
|
- Allow usbmuxd to use netlink_kobject |
|
- sosreport needs to getattr on lots of devices, and needs access to netlink_kobject_uevent_socket |
|
- More cleanup of svirt_lxc policy |
|
- virtd_lxc_t now talks to dbus |
|
- Dontaudit leaked ptmx_t |
|
- Allow processes to use inherited fifo files |
|
- Allow openvpn_t to connect to squid ports |
|
- Allow prelink_cron_system_t to ask systemd to reloaddd miscfiles_dontaudit_access_check_cert() |
|
- Allow ssh_t to use /dev/ptmx |
|
- Make sure /run/pluto dir is created with correct labeling |
|
- Allow syslog to run shell and bin_t commands |
|
- Allow ip to relabel tun_sockets |
|
- Allow mount to create directories in files under /run |
|
- Allow processes to use inherited fifo files |
|
- Allow user roles to connect to the journal socket |
|
|
|
* Thu Aug 8 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-70 |
|
- selinux_set_enforce_mode needs to be used with type |
|
- Add append to the dontaudit for unix_stream_socket of xdm_t leak |
|
- Allow xdm_t to create symlinks in log direcotries |
|
- Allow login programs to read afs config |
|
- Label 10933 as a pop port, for dovecot |
|
- New policy to allow selinux_server.py to run as semanage_t as a dbus service |
|
- Add fixes to make netlabelctl working on MLS |
|
- AVCs required for running sepolicy gui as staff_t |
|
- Dontaudit attempts to read symlinks, sepolicy gui is likely to cause this type of AVC |
|
- New dbus server to be used with new gui |
|
- After modifying some files in /etc/mail, I saw this needed on the next boot |
|
- Loading a vm from /usr/tmp with virt-manager |
|
- Clean up oracleasm policy for Fedora |
|
- Add oracleasm policy written by rlopez@redhat.com |
|
- Make postfix_postdrop_t as mta_agent to allow domtrans to system mail if it is executed by apache |
|
- Add label for /var/crash |
|
- Allow fenced to domtrans to sanclok_t |
|
- Allow nagios to manage nagios spool files |
|
- Make tfptd as home_manager |
|
- Allow kdump to read kcore on MLS system |
|
- Allow mysqld-safe sys_nice/sys_resource caps |
|
- Allow apache to search automount tmp dirs if http_use_nfs is enabled |
|
- Allow crond to transition to named_t, for use with unbound |
|
- Allow crond to look at named_conf_t, for unbound |
|
- Allow mozilla_plugin_t to transition its home content |
|
- Allow dovecot_domain to read all system and network state |
|
- Allow httpd_user_script_t to call getpw |
|
- Allow semanage to read pid files |
|
- Dontaudit leaked file descriptors from user domain into thumb |
|
- Make PAM authentication working if it is enabled in ejabberd |
|
- Add fixes for rabbit to fix ##992920,#992931 |
|
- Allow glusterd to mount filesystems |
|
- Loading a vm from /usr/tmp with virt-manager |
|
- Trying to load a VM I got an AVC from devicekit_disk for loopcontrol device |
|
- Add fix for pand service |
|
- shorewall touches own log |
|
- Allow nrpe to list /var |
|
- Mozilla_plugin_roles can not be passed into lpd_run_lpr |
|
- Allow afs domains to read afs_config files |
|
- Allow login programs to read afs config |
|
- Allow virt_domain to read virt_var_run_t symlinks |
|
- Allow smokeping to send its process signals |
|
- Allow fetchmail to setuid |
|
- Add kdump_manage_crash() interface |
|
- Allow abrt domain to write abrt.socket |
|
|
|
* Wed Jul 31 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-69 |
|
- Add more aliases in pegasus.te |
|
- Add more fixes for *_admin interfaces |
|
- Add interface fixes |
|
- Allow nscd to stream connect to nmbd |
|
- Allow gnupg apps to write to pcscd socket |
|
- Add more fixes for openlmi provides. Fix naming and support for additionals |
|
- Allow fetchmail to resolve host names |
|
- Allow firewalld to interact also with lnk files labeled as firewalld_etc_rw_t |
|
- Add labeling for cmpiLMI_Fan-cimprovagt |
|
- Allow net_admin for glusterd |
|
- Allow telepathy domain to create dconf with correct labeling in /home/userX/.cache/ |
|
- Add pegasus_openlmi_system_t |
|
- Fix puppet_domtrans_master() to make all puppet calling working in passenger.te |
|
- Fix corecmd_exec_chroot() |
|
- Fix logging_relabel_syslog_pid_socket interface |
|
- Fix typo in unconfineduser.te |
|
- Allow system_r to access unconfined_dbusd_t to run hp_chec |
|
|
|
* Tue Jul 30 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-68 |
|
- Allow xdm_t to act as a dbus client to itsel |
|
- Allow fetchmail to resolve host names |
|
- Allow gnupg apps to write to pcscd socket |
|
- Add labeling for cmpiLMI_Fan-cimprovagt |
|
- Allow net_admin for glusterd |
|
- Allow telepathy domain to create dconf with correct labeling in /home/userX/.cache/ |
|
- Add pegasus_openlmi_system_t |
|
- Fix puppet_domtrans_master() to make all puppet calling working in passenger.te |
|
-httpd_t does access_check on certs |
|
|
|
* Fri Jul 26 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-67 |
|
- Add support for cmpiLMI_Service-cimprovagt |
|
- Allow pegasus domtrans to rpm_t to make pycmpiLMI_Software-cimprovagt running as rpm_t |
|
- Label pycmpiLMI_Software-cimprovagt as rpm_exec_t |
|
- Add support for pycmpiLMI_Storage-cimprovagt |
|
- Add support for cmpiLMI_Networking-cimprovagt |
|
- Allow system_cronjob_t to create user_tmpfs_t to make pulseaudio working |
|
- Allow virtual machines and containers to run as user doains, needed for virt-sandbox |
|
- Allow buglist.cgi to read cpu info |
|
|
|
* Mon Jul 22 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-66 |
|
- Allow systemd-tmpfile to handle tmp content in print spool dir |
|
- Allow systemd-sysctl to send system log messages |
|
- Add support for RTP media ports and fmpro-internal |
|
- Make auditd working if audit is configured to perform SINGLE action on disk error |
|
- Add interfaces to handle systemd units |
|
- Make systemd-notify working if pcsd is used |
|
- Add support for netlabel and label /usr/sbin/netlabelctl as iptables_exec_t |
|
- Instead of having all unconfined domains get all of the named transition rules, |
|
- Only allow unconfined_t, init_t, initrc_t and rpm_script_t by default. |
|
- Add definition for the salt ports |
|
- Allow xdm_t to create link files in xdm_var_run_t |
|
- Dontaudit reads of blk files or chr files leaked into ldconfig_t |
|
- Allow sys_chroot for useradd_t |
|
- Allow net_raw cap for ipsec_t |
|
- Allow sysadm_t to reload services |
|
- Add additional fixes to make strongswan working with a simple conf |
|
- Allow sysadm_t to enable/disable init_t services |
|
- Add additional glusterd perms |
|
- Allow apache to read lnk files in the /mnt directory |
|
- Allow glusterd to ask the kernel to load a module |
|
- Fix description of ftpd_use_fusefs boolean |
|
- Allow svirt_lxc_net_t to sys_chroot, modify policy to tighten up svirt_lxc_domain capabilties and process controls, but add them to svirt_lxc_net_t |
|
- Allow glusterds to request load a kernel module |
|
- Allow boinc to stream connect to xserver_t |
|
- Allow sblim domains to read /etc/passwd |
|
- Allow mdadm to read usb devices |
|
- Allow collectd to use ping plugin |
|
- Make foghorn working with SNMP |
|
- Allow sssd to read ldap certs |
|
- Allow haproxy to connect to RTP media ports |
|
- Add additional trans rules for aide_db |
|
- Add labeling for /usr/lib/pcsd/pcsd |
|
- Add labeling for /var/log/pcsd |
|
- Add support for pcs which is a corosync and pacemaker configuration tool |
|
|
|
* Wed Jul 17 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-65 |
|
- Label /var/lib/ipa/pki-ca/publish as pki_tomcat_cert_t |
|
- Add labeling for /usr/libexec/kde4/polkit-kde-authentication-agent-1 |
|
- Allow all domains that can domtrans to shutdown, to start the power services script to shutdown |
|
- consolekit needs to be able to shut down system |
|
- Move around interfaces |
|
- Remove nfsd_rw_t and nfsd_ro_t, they don't do anything |
|
- Add additional fixes for rabbitmq_beam to allow getattr on mountpoints |
|
- Allow gconf-defaults-m to read /etc/passwd |
|
- Fix pki_rw_tomcat_cert() interface to support lnk_files |
|
|
|
* Fri Jul 12 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-64 |
|
- Add support for gluster ports |
|
- Make sure that all keys located in /etc/ssh/ are labeled correctly |
|
- Make sure apcuspd lock files get created with the correct label |
|
- Use getcap in gluster.te |
|
- Fix gluster policy |
|
- add additional fixes to allow beam.smp to interact with couchdb files |
|
- Additional fix for #974149 |
|
- Allow gluster to user gluster ports |
|
- Allow glusterd to transition to rpcd_t and add additional fixes for #980683 |
|
- Allow tgtd working when accessing to the passthrough device |
|
- Fix labeling for mdadm unit files |
|
|
|
* Thu Jul 11 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-63 |
|
- Add mdadm fixes |
|
|
|
* Tue Jul 9 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-62 |
|
- Fix definition of sandbox.disabled to sandbox.pp.disabled |
|
|
|
* Mon Jul 8 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-61 |
|
- Allow mdamd to execute systemctl |
|
- Allow mdadm to read /dev/kvm |
|
- Allow ipsec_mgmt_t to read l2tpd pid content |
|
|
|
* Mon Jul 8 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-60 |
|
- Allow nsd_t to read /dev/urand |
|
- Allow mdadm_t to read framebuffer |
|
- Allow rabbitmq_beam_t to read process info on rabbitmq_epmd_t |
|
- Allow mozilla_plugin_config_t to create tmp files |
|
- Cleanup openvswitch policy |
|
- Allow mozilla plugin to getattr on all executables |
|
- Allow l2tpd_t to create fifo_files in /var/run |
|
- Allow samba to touch/manage fifo_files or sock_files in a samba_share_t directory |
|
- Allow mdadm to connecto its own unix_stream_socket |
|
- FIXME: nagios changed locations to /log/nagios which is wrong. But we need to have this workaround for now. |
|
- Allow apache to access smokeping pid files |
|
- Allow rabbitmq_beam_t to getattr on all filesystems |
|
- Add systemd support for iodined |
|
- Allow nup_upsdrvctl_t to execute its entrypoint |
|
- Allow fail2ban_client to write to fail2ban_var_run_t, Also allow it to use nsswitch |
|
- add labeling for ~/.cache/libvirt-sandbox |
|
- Add interface to allow domains transitioned to by confined users to send sigchld to screen program |
|
- Allow sysadm_t to check the system status of files labeled etc_t, /etc/fstab |
|
- Allow systemd_localed to start /usr/lib/systemd/system/systemd-vconsole-setup.service |
|
- Allow an domain that has an entrypoint from a type to be allowed to execute the entrypoint without a transition, I can see no case where this is a bad thing, and elminiates a whole class of AVCs. |
|
- Allow staff to getsched all domains, required to run htop |
|
- Add port definition for redis port |
|
- fix selinuxuser_use_ssh_chroot boolean |
|
|
|
* Wed Jul 3 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-59 |
|
- Add prosody policy written by Michael Scherer |
|
- Allow nagios plugins to read /sys info |
|
- ntpd needs to manage own log files |
|
- Add support for HOME_DIR/.IBMERS |
|
- Allow iptables commands to read firewalld config |
|
- Allow consolekit_t to read utmp |
|
- Fix filename transitions on .razor directory |
|
- Add additional fixes to make DSPAM with LDA working |
|
- Allow snort to read /etc/passwd |
|
- Allow fail2ban to communicate with firewalld over dbus |
|
- Dontaudit openshift_cgreoup_file_t read/write leaked dev |
|
- Allow nfsd to use mountd port |
|
- Call th proper interface |
|
- Allow openvswitch to read sys and execute plymouth |
|
- Allow tmpwatch to read /var/spool/cups/tmp |
|
- Add support for /usr/libexec/telepathy-rakia |
|
- Add systemd support for zoneminder |
|
- Allow mysql to create files/directories under /var/log/mysql |
|
- Allow zoneminder apache scripts to rw zoneminder tmpfs |
|
- Allow httpd to manage zoneminder lib files |
|
- Add zoneminder_run_sudo boolean to allow to start zoneminder |
|
- Allow zoneminder to send mails |
|
- gssproxy_t sock_file can be under /var/lib |
|
- Allow web domains to connect to whois port. |
|
- Allow sandbox_web_type to connect to the same ports as mozilla_plugin_t. |
|
- We really need to add an interface to corenet to define what a web_client_domain is and |
|
- then define chrome_sandbox_t, mozilla_plugin_t and sandbox_web_type to that domain. |
|
- Add labeling for cmpiLMI_LogicalFile-cimprovagt |
|
- Also make pegasus_openlmi_logicalfile_t as unconfined to have unconfined_domain attribute for filename trans rules |
|
- Update policy rules for pegasus_openlmi_logicalfile_t |
|
- Add initial types for logicalfile/unconfined OpenLMI providers |
|
- mailmanctl needs to read own log |
|
- Allow logwatch manage own lock files |
|
- Allow nrpe to read meminfo |
|
- Allow httpd to read certs located in pki-ca |
|
- Add pki_read_tomcat_cert() interface |
|
- Add support for nagios openshift plugins |
|
- Add port definition for redis port |
|
- fix selinuxuser_use_ssh_chroot boolean |
|
|
|
* Fri Jun 28 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-58 |
|
- Shrink the size of policy by moving to attributes, also add dridomain so that mozilla_plugin can follow selinuxuse_dri boolean. |
|
- Allow bootloader to manage generic log files |
|
- Allow ftp to bind to port 989 |
|
- Fix label of new gear directory |
|
- Add support for new directory /var/lib/openshift/gears/ |
|
- Add openshift_manage_lib_dirs() |
|
- allow virtd domains to manage setrans_var_run_t |
|
- Allow useradd to manage all openshift content |
|
- Add support so that mozilla_plugin_t can use dri devices |
|
- Allow chronyd to change the scheduler |
|
- Allow apmd to shut downthe system |
|
- Devicekit_disk_t needs to manage /etc/fstab |
|
|
|
* Wed Jun 26 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-57 |
|
- Make DSPAM to act as a LDA working |
|
- Allow ntop to create netlink socket |
|
- Allow policykit to send a signal to policykit-auth |
|
- Allow stapserver to dbus chat with avahi/systemd-logind |
|
- Fix labeling on haproxy unit file |
|
- Clean up haproxy policy |
|
- A new policy for haproxy and placed it to rhcs.te |
|
- Add support for ldirectord and treat it with cluster_t |
|
- Make sure anaconda log dir is created with var_log_t |
|
|
|
* Mon Jun 24 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-56 |
|
- Allow lvm_t to create default targets for filesystem handling |
|
- Fix labeling for razor-lightdm binaries |
|
- Allow insmod_t to read any file labeled var_lib_t |
|
- Add policy for pesign |
|
- Activate policy for cmpiLMI_Account-cimprovagt |
|
- Allow isnsd syscall=listen |
|
- /usr/libexec/pegasus/cimprovagt needs setsched caused by sched_setscheduler |
|
- Allow ctdbd to use udp/4379 |
|
- gatherd wants sys_nice and setsched |
|
- Add support for texlive2012 |
|
- Allow NM to read file_t (usb stick with no labels used to transfer keys for example) |
|
- Allow cobbler to execute apache with domain transition |
|
|
|
* Fri Jun 21 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-55 |
|
- condor_collector uses tcp/9000 |
|
- Label /usr/sbin/virtlockd as virtd_exec_t for now |
|
- Allow cobbler to execute ldconfig |
|
- Allow NM to execute ssh |
|
- Allow mdadm to read /dev/crash |
|
- Allow antivirus domains to connect to snmp port |
|
- Make amavisd-snmp working correctly |
|
- Allow nfsd_t to mounton nfsd_fs_t |
|
- Add initial snapper policy |
|
- We still need to have consolekit policy |
|
- Dontaudit firefox attempting to connect to the xserver_port_t if run within sandbox_web_t |
|
- Dontaudit sandbox apps attempting to open user_devpts_t |
|
- Allow dirsrv to read network state |
|
- Fix pki_read_tomcat_lib_files |
|
- Add labeling for /usr/libexec/nm-ssh-service |
|
- Add label cert_t for /var/lib/ipa/pki-ca/publish |
|
- Lets label /sys/fs/cgroup as cgroup_t for now, to keep labels consistant |
|
- Allow nfsd_t to mounton nfsd_fs_t |
|
- Dontaudit sandbox apps attempting to open user_devpts_t |
|
- Allow passwd_t to change role to system_r from unconfined_r |
|
|
|
* Wed Jun 19 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-54 |
|
- Don't audit access checks by sandbox xserver on xdb var_lib |
|
- Allow ntop to read usbmon devices |
|
- Add labeling for new polcykit authorizor |
|
- Dontaudit access checks from fail2ban_client |
|
- Don't audit access checks by sandbox xserver on xdb var_lib |
|
- Allow apps that connect to xdm stream to conenct to xdm_dbusd_t stream |
|
- Fix labeling for all /usr/bim/razor-lightdm-* binaries |
|
- Add filename trans for /dev/md126p1 |
|
|
|
* Tue Jun 18 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-53 |
|
- Make vdagent able to request loading kernel module |
|
- Add support for cloud-init make it as unconfined domain |
|
- Allow snmpd to run smartctl in fsadm_t domain |
|
- remove duplicate openshift_search_lib() interface |
|
- Allow mysqld to search openshift lib files |
|
- Allow openshift cgroup to interact with passedin file descriptors |
|
- Allow colord to list directories inthe users homedir |
|
- aide executes prelink to check files |
|
- Make sure cupsd_t creates content in /etc/cups with the correct label |
|
- Lest dontaudit apache read all domains, so passenger will not cause this avc |
|
- Allow gssd to connect to gssproxy |
|
- systemd-tmpfiles needs to be able to raise the level to fix labeling on /run/setrans in MLS |
|
- Allow systemd-tmpfiles to relabel also lock files |
|
- Allow useradd to add homdir in /var/lib/openshift |
|
- Allow setfiles and semanage to write output to /run/files |
|
|
|
* Fri Jun 14 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-52 |
|
- Add labeling for /dev/tgt |
|
- Dontaudit leak fd from firewalld for modprobe |
|
- Allow runuser running as rpm_script_t to create netlink_audit socket |
|
- Allow mdadm to read BIOS non-volatile RAM |
|
|
|
* Thu Jun 13 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-51 |
|
- accountservice watches when accounts come and go in wtmp |
|
- /usr/java/jre1.7.0_21/bin/java needs to create netlink socket |
|
- Add httpd_use_sasl boolean |
|
- Allow net_admin for tuned_t |
|
- iscsid needs sys_module to auto-load kernel modules |
|
- Allow blueman to read bluetooth conf |
|
- Add nova_manage_lib_files() interface |
|
- Fix mplayer_filetrans_home_content() |
|
- Add mplayer_filetrans_home_content() |
|
- mozilla_plugin_config_roles need to be able to access mozilla_plugin_config_t |
|
- Revert "Allow thumb_t to append inherited xdm stream socket" |
|
- Add iscsi_filetrans_named_content() interface |
|
- Allow to create .mplayer with the correct labeling for unconfined |
|
- Allow iscsiadmin to create lock file with the correct labeling |
|
|
|
* Tue Jun 11 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-50 |
|
- Allow wine to manage wine home content |
|
- Make amanda working with socket actiovation |
|
- Add labeling for /usr/sbin/iscsiadm |
|
- Add support for /var/run/gssproxy.sock |
|
- dnsmasq_t needs to read sysctl_net_t |
|
|
|
* Fri Jun 7 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-49 |
|
- Fix courier_domain_template() interface |
|
- Allow blueman to write ip_forward |
|
- Allow mongodb to connect to mongodb port |
|
- Allow mongodb to connect to mongodb port |
|
- Allow java to bind jobss_debug port |
|
- Fixes for *_admin interfaces |
|
- Allow iscsid auto-load kernel modules needed for proper iSCSI functionality |
|
- Need to assign attribute for courier_domain to all courier_domains |
|
- Fail2ban reads /etc/passwd |
|
- postfix_virtual will create new files in postfix_spool_t |
|
- abrt triggers sys_ptrace by running pidof |
|
- Label ~/abc as mozilla_home_t, since java apps as plugin want to create it |
|
- Add passenger fixes needed by foreman |
|
- Remove dup interfaces |
|
- Add additional interfaces for quantum |
|
- Add new interfaces for dnsmasq |
|
- Allow passenger to read localization and send signull to itself |
|
- Allow dnsmasq to stream connect to quantum |
|
- Add quantum_stream_connect() |
|
- Make sure that mcollective starts the service with the correct labeling |
|
- Add labels for ~/.manpath |
|
- Dontaudit attempts by svirt_t to getpw* calls |
|
- sandbox domains are trying to look at parent process data |
|
- Allow courior auth to create its pid file in /var/spool/courier subdir |
|
- Add fixes for beam to have it working with couchdb |
|
- Add labeling for /run/nm-xl2tpd.con |
|
- Allow apache to stream connect to thin |
|
- Add systemd support for amand |
|
- Make public types usable for fs mount points |
|
- Call correct mandb interface in domain.te |
|
- Allow iptables to r/w quantum inherited pipes and send sigchld |
|
- Allow ifconfig domtrans to iptables and execute ldconfig |
|
- Add labels for ~/.manpath |
|
- Allow systemd to read iscsi lib files |
|
- seunshare is trying to look at parent process data |
|
|
|
* Mon Jun 3 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-48 |
|
- Fix openshift_search_lib |
|
- Add support for abrt-uefioops-oops |
|
- Allow colord to getattr any file system |
|
- Allow chrome processes to look at each other |
|
- Allow sys_ptrace for abrt_t |
|
- Add new policy for gssproxy |
|
- Dontaudit leaked file descriptor writes from firewalld |
|
- openshift_net_type is interface not template |
|
- Dontaudit pppd to search gnome config |
|
- Update openshift_search_lib() interface |
|
- Add fs_list_pstorefs() |
|
- Fix label on libbcm_host.so since it is built incorrectly on raspberry pi, needs back port to F18 |
|
- Better labels for raspberry pi devices |
|
- Allow init to create devpts_t directory |
|
- Temporarily label rasbery pi devices as memory_device_t, needs back port to f18 |
|
- Allow sysadm_t to build kernels |
|
- Make sure mount creates /var/run/blkid with the correct label, needs back port to F18 |
|
- Allow userdomains to stream connect to gssproxy |
|
- Dontaudit leaked file descriptor writes from firewalld |
|
- Allow xserver to read /dev/urandom |
|
- Add additional fixes for ipsec-mgmt |
|
- Make SSHing into an Openshift Enterprise Node working |
|
|
|
* Wed May 29 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-47 |
|
- Add transition rules to unconfined domains and to sysadm_t to create /etc/adjtime |
|
- with the proper label. |
|
- Update files_filetrans_named_content() interface to get right labeling for pam.d conf files |
|
- Allow systemd-timedated to create adjtime |
|
- Add clock_create_adjtime() |
|
- Additional fix ifconfing for #966106 |
|
- Allow kernel_t to create boot.log with correct labeling |
|
- Remove unconfined_mplayer for which we don't have rules |
|
- Rename interfaces |
|
- Add userdom_manage_user_home_files/dirs interfaces |
|
- Fix files_dontaudit_read_all_non_security_files |
|
- Fix ipsec_manage_key_file() |
|
- Fix ipsec_filetrans_key_file() |
|
- Label /usr/bin/razor-lightdm-greeter as xdm_exec_t instead of spamc_exec_t |
|
- Fix labeling for ipse.secrets |
|
- Add interfaces for ipsec and labeling for ipsec.info and ipsec_setup.pid |
|
- Add files_dontaudit_read_all_non_security_files() interface |
|
- /var/log/syslog-ng should be labeled var_log_t |
|
- Make ifconfig_var_run_t a mountpoint |
|
- Add transition from ifconfig to dnsmasq |
|
- Allow ifconfig to execute bin_t/shell_exec_t |
|
- We want to have hwdb.bin labeled as etc_t |
|
- update logging_filetrans_named_content() interface |
|
- Allow systemd_timedate_t to manage /etc/adjtime |
|
- Allow NM to send signals to l2tpd |
|
- Update antivirus_can_scan_system boolean |
|
- Allow devicekit_disk_t to sys_config_tty |
|
- Run abrt-harvest programs as abrt_t, and allow abrt_t to list all filesystem directories |
|
- Make printing from vmware working |
|
- Allow php-cgi from php54 collection to access /var/lib/net-snmp/mib_indexes |
|
- Add virt_qemu_ga_data_t for qemu-ga |
|
- Make chrome and mozilla able to connect to same ports, add jboss_management_port_t to both |
|
- Fix typo in virt.te |
|
- Add virt_qemu_ga_unconfined_t for hook scripts |
|
- Make sure NetworkManager files get created with the correct label |
|
- Add mozilla_plugin_use_gps boolean |
|
- Fix cyrus to have support for net-snmp |
|
- Additional fixes for dnsmasq and quantum for #966106 |
|
- Add plymouthd_create_log() |
|
- remove httpd_use_oddjob for which we don't have rules |
|
- Add missing rules for httpd_can_network_connect_cobbler |
|
- Add missing cluster_use_execmem boolean |
|
- Call userdom_manage_all_user_home_type_files/dirs |
|
- Additional fix for ftp_home_dir |
|
- Fix ftp_home_dir boolean |
|
- Allow squit to recv/send client squid packet |
|
- Fix nut.te to have nut_domain attribute |
|
- Add support for ejabberd; TODO: revisit jabberd and rabbit policy |
|
- Fix amanda policy |
|
- Add more fixes for domains which use libusb |
|
- Make domains which use libusb working correctly |
|
- Allow l2tpd to create ipsec key files with correct labeling and manage them |
|
- Fix cobbler_manage_lib_files/cobbler_read_lib_files to cover also lnk files |
|
- Allow rabbitmq-beam to bind generic node |
|
- Allow l2tpd to read ipse-mgmt pid files |
|
- more fixes for l2tpd, NM and pppd from #967072 |
|
|
|
* Wed May 22 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-46 |
|
- Dontaudit to getattr on dirs for dovecot-deliver |
|
- Allow raiudusd server connect to postgresql socket |
|
- Add kerberos support for radiusd |
|
- Allow saslauthd to connect to ldap port |
|
- Allow postfix to manage postfix_private_t files |
|
- Add chronyd support for #965457 |
|
- Fix labeling for HOME_DIR/\.icedtea |
|
- CHange squid and snmpd to be allowed also write own logs |
|
- Fix labeling for /usr/libexec/qemu-ga |
|
- Allow virtd_t to use virt_lock_t |
|
- Allow also sealert to read the policy from the kernel |
|
- qemu-ga needs to execute scripts in /usr/libexec/qemu-ga and to use /tmp content |
|
- Dontaudit listing of users homedir by sendmail Seems like a leak |
|
- Allow passenger to transition to puppet master |
|
- Allow apache to connect to mythtv |
|
- Add definition for mythtv ports |
|
|
|
* Fri May 17 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-45 |
|
- Add additional fixes for #948073 bug |
|
- Allow sge_execd_t to also connect to sge ports |
|
- Allow openshift_cron_t to manage openshift_var_lib_t sym links |
|
- Allow openshift_cron_t to manage openshift_var_lib_t sym links |
|
- Allow sge_execd to bind sge ports. Allow kill capability and reads cgroup files |
|
- Remove pulseaudio filetrans pulseaudio_manage_home_dirs which is a part of pulseaudio_manage_home_files |
|
- Add networkmanager_stream_connect() |
|
- Make gnome-abrt wokring with staff_t |
|
- Fix openshift_manage_lib_files() interface |
|
- mdadm runs ps command which seems to getattr on random log files |
|
- Allow mozilla_plugin_t to create pulseaudit_home_t directories |
|
- Allow qemu-ga to shutdown virtual hosts |
|
- Add labelling for cupsd-browsed |
|
- Add web browser plugins to connect to aol ports |
|
- Allow nm-dhcp-helper to stream connect to NM |
|
- Add port definition for sge ports |
|
|
|
* Mon May 13 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-44 |
|
- Make sure users and unconfined domains create .hushlogin with the correct label |
|
- Allow pegaus to chat with realmd over DBus |
|
- Allow cobblerd to read network state |
|
- Allow boicn-client to stat on /dev/input/mice |
|
- Allow certwatch to read net_config_t when it executes apache |
|
- Allow readahead to create /run/systemd and then create its own directory with the correct label |
|
|
|
* Mon May 13 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-43 |
|
- Transition directories and files when in a user_tmp_t directory |
|
- Change certwatch to domtrans to apache instead of just execute |
|
- Allow virsh_t to read xen lib files |
|
- update policy rules for pegasus_openlmi_account_t |
|
- Add support for svnserve_tmp_t |
|
- Activate account openlmi policy |
|
- pegasus_openlmi_domain_template needs also require pegasus_t |
|
- One more fix for policykit.te |
|
- Call fs_list_cgroups_dirs() in policykit.te |
|
- Allow nagios service plugin to read mysql config files |
|
- Add labeling for /var/svn |
|
- Fix chrome.te |
|
- Fix pegasus_openlmi_domain_template() interfaces |
|
- Fix dev_rw_vfio_dev definiton, allow virtd_t to read tmpfs_t symlinks |
|
- Fix location of google-chrome data |
|
- Add support for chome_sandbox to store content in the homedir |
|
- Allow policykit to watch for changes in cgroups file system |
|
- Add boolean to allow mozilla_plugin_t to use spice |
|
- Allow collectd to bind to udp port |
|
- Allow collected_t to read all of /proc |
|
- Should use netlink socket_perms |
|
- Should use netlink socket_perms |
|
- Allow glance domains to connect to apache ports |
|
- Allow apcupsd_t to manage its log files |
|
- Allow chrome objects to rw_inherited unix_stream_socket from callers |
|
- Allow staff_t to execute virtd_exec_t for running vms |
|
- nfsd_t needs to bind mountd port to make nfs-mountd.service working |
|
- Allow unbound net_admin capability because of setsockopt syscall |
|
- Fix fs_list_cgroup_dirs() |
|
- Label /usr/lib/nagios/plugins/utils.pm as bin_t |
|
- Remove uplicate definition of fs_read_cgroup_files() |
|
- Remove duplicate definition of fs_read_cgroup_files() |
|
- Add files_mountpoint_filetrans interface to be used by quotadb_t and snapperd |
|
- Additional interfaces needed to list and read cgroups config |
|
- Add port definition for collectd port |
|
- Add labels for /dev/ptp* |
|
- Allow staff_t to execute virtd_exec_t for running vms |
|
|
|
* Mon May 6 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-42 |
|
- Allow samba-net to also read realmd tmp files |
|
- Allow NUT to use serial ports |
|
- realmd can be started by systemctl now |
|
|
|
* Mon May 6 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-41 |
|
- Remove userdom_home_manager for xdm_t and move all rules to xserver.te directly |
|
- Add new xdm_write_home boolean to allow xdm_t to create files in HOME dirs with xdm_home_t |
|
- Allow postfix-showq to read/write unix.showq in /var/spool/postfix/pid |
|
- Allow virsh to read xen lock file |
|
- Allow qemu-ga to create files in /run with proper labeling |
|
- Allow glusterd to connect to own socket in /tmp |
|
- Allow glance-api to connect to http port to make glance image-create working |
|
- Allow keystonte_t to execute rpm |
|
|
|
* Fri May 3 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-40 |
|
- Fix realmd cache interfaces |
|
|
|
* Fri May 3 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-39 |
|
- Allow tcpd to execute leafnode |
|
- Allow samba-net to read realmd cache files |
|
- Dontaudit sys_tty_config for alsactl |
|
- Fix allow rules for postfix_var_run |
|
- Allow cobblerd to read /etc/passwd |
|
- Allow pegasus to read exports |
|
- Allow systemd-timedate to read xdm state |
|
- Allow mout to stream connect to rpcbind |
|
- Add labeling just for /usr/share/pki/ca-trust-source instead of /usr/share/pki |
|
|
|
* Tue Apr 30 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-38 |
|
- Allow thumbnails to share memory with apps which run thumbnails |
|
- Allow postfix-postqueue block_suspend |
|
- Add lib interfaces for smsd |
|
- Add support for nginx |
|
- Allow s2s running as jabberd_t to connect to jabber_interserver_port_t |
|
- Allow pki apache domain to create own tmp files and execute httpd_suexec |
|
- Allow procmail to manger user tmp files/dirs/lnk_files |
|
- Add virt_stream_connect_svirt() interface |
|
- Allow dovecot-auth to execute bin_t |
|
- Allow iscsid to request that kernel load a kernel module |
|
- Add labeling support for /var/lib/mod_security |
|
- Allow iw running as tuned_t to create netlink socket |
|
- Dontaudit sys_tty_config for thumb_t |
|
- Add labeling for nm-l2tp-service |
|
- Allow httpd running as certwatch_t to open tcp socket |
|
- Allow useradd to manager smsd lib files |
|
- Allow useradd_t to add homedirs in /var/lib |
|
- Fix typo in userdomain.te |
|
- Cleanup userdom_read_home_certs |
|
- Implement userdom_home_reader_certs_type to allow read certs also on encrypt /home with ecryptfs_t |
|
- Allow staff to stream connect to svirt_t to make gnome-boxes working |
|
|
|
* Fri Apr 26 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-37 |
|
- Allow lvm to create its own unit files |
|
- Label /var/lib/sepolgen as selinux_config_t |
|
- Add filetrans rules for tw devices |
|
- Add transition from cupsd_config_t to cupsd_t |
|
|
|
* Wed Apr 24 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-36 |
|
- Add filetrans rules for tw devices |
|
- Cleanup bad transition lines |
|
|
|
* Tue Apr 23 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-35 |
|
- Fix lockdev_manage_files() |
|
- Allow setroubleshootd to read var_lib_t to make email_alert working |
|
- Add lockdev_manage_files() |
|
- Call proper interface in virt.te |
|
- Allow gkeyring_domain to create /var/run/UID/config/dbus file |
|
- system dbus seems to be blocking suspend |
|
- Dontaudit attemps to sys_ptrace, which I believe gpsd does not need |
|
- When you enter a container from root, you generate avcs with a leaked file descriptor |
|
- Allow mpd getattr on file system directories |
|
- Make sure realmd creates content with the correct label |
|
- Allow systemd-tty-ask to write kmsg |
|
- Allow mgetty to use lockdev library for device locking |
|
- Fix selinuxuser_user_share_music boolean name to selinuxuser_share_music |
|
- When you enter a container from root, you generate avcs with a leaked file descriptor |
|
- Make sure init.fc files are labeled correctly at creation |
|
- File name trans vconsole.conf |
|
- Fix labeling for nagios plugins |
|
- label shared libraries in /opt/google/chrome as testrel_shlib_t |
|
|
|
* Thu Apr 18 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-34 |
|
- Allow certmonger to dbus communicate with realmd |
|
- Make realmd working |
|
|
|
* Thu Apr 18 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-33 |
|
- Fix mozilla specification of homedir content |
|
- Allow certmonger to read network state |
|
- Allow tmpwatch to read tmp in /var/spool/{cups,lpd} |
|
- Label all nagios plugin as unconfined by default |
|
- Add httpd_serve_cobbler_files() |
|
- Allow mdadm to read /dev/sr0 and create tmp files |
|
- Allow certwatch to send mails |
|
- Fix labeling for nagios plugins |
|
- label shared libraries in /opt/google/chrome as testrel_shlib_t |
|
|
|
* Wed Apr 17 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-32 |
|
- Allow realmd to run ipa, really needs to be an unconfined_domain |
|
- Allow sandbox domains to use inherted terminals |
|
- Allow pscd to use devices labeled svirt_image_t in order to use cat cards. |
|
- Add label for new alsa pid |
|
- Alsa now uses a pid file and needs to setsched |
|
- Fix oracleasmfs_t definition |
|
- Add support for sshd_unit_file_t |
|
- Add oracleasmfs_t |
|
- Allow unlabeled_t files to be stored on unlabeled_t filesystems |
|
|
|
* Tue Apr 16 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-31 |
|
- Fix description of deny_ptrace boolean |
|
- Remove allow for execmod lib_t for now |
|
- Allow quantum to connect to keystone port |
|
- Allow nova-console to talk with mysql over unix stream socket |
|
- Allow dirsrv to stream connect to uuidd |
|
- thumb_t needs to be able to create ~/.cache if it does not exist |
|
- virtd needs to be able to sys_ptrace when starting and stoping containers |
|
|
|
* Mon Apr 15 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-30 |
|
- Allow alsa_t signal_perms, we probaly should search for any app that can execute something without transition and give it signal_perms... |
|
- Add dontaudit for mozilla_plugin_t looking at the xdm_t sockets |
|
- Fix deny_ptrace boolean, certain ptrace leaked into the system |
|
- Allow winbind to manage kerberos_rcache_host |
|
- Allow spamd to create spamd_var_lib_t directories |
|
- Remove transition to mozilla_tmp_t by mozilla_t, to allow it to manage the users tmp dirs |
|
- Add mising nslcd_dontaudit_write_sock_file() interface |
|
- one more fix |
|
- Fix pki_read_tomcat_lib_files() interface |
|
- Allow certmonger to read pki-tomcat lib files |
|
- Allow certwatch to execute bin_t |
|
- Allow snmp to manage /var/lib/net-snmp files |
|
- Call snmp_manage_var_lib_files(fogorn_t) instead of snmp_manage_var_dirs |
|
- Fix vmware_role() interface |
|
- Fix cobbler_manage_lib_files() interface |
|
- Allow nagios check disk plugins to execute bin_t |
|
- Allow quantum to transition to openvswitch_t |
|
- Allow postdrop to stream connect to postfix-master |
|
- Allow quantum to stream connect to openvswitch |
|
- Add xserver_dontaudit_xdm_rw_stream_sockets() interface |
|
- Allow daemon to send dgrams to initrc_t |
|
- Allow kdm to start the power service to initiate a reboot or poweroff |
|
|
|
* Thu Apr 11 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-29 |
|
- Add mising nslcd_dontaudit_write_sock_file() interface |
|
- one more fix |
|
- Fix pki_read_tomcat_lib_files() interface |
|
- Allow certmonger to read pki-tomcat lib files |
|
- Allow certwatch to execute bin_t |
|
- Allow snmp to manage /var/lib/net-snmp files |
|
- Don't audit attempts to write to stream socket of nscld by thumbnailers |
|
- Allow git_system_t to read network state |
|
- Allow pegasas to execute mount command |
|
- Fix desc for drdb_admin |
|
- Fix condor_amin() |
|
- Interface fixes for uptime, vdagent, vnstatd |
|
- Fix labeling for moodle in /var/www/moodle/data |
|
- Add interface fixes |
|
- Allow bugzilla to read certs |
|
- /var/www/moodle needs to be writable by apache |
|
- Add interface to dontaudit attempts to send dbus messages to systemd domains, for xguest |
|
- Fix namespace_init_t to create content with proper labels, and allow it to manage all user content |
|
- Allow httpd_t to connect to osapi_compute port using httpd_use_openstack bolean |
|
- Fixes for dlm_controld |
|
- Fix apache_read_sys_content_rw_dirs() interface |
|
- Allow logrotate to read /var/log/z-push dir |
|
- Fix sys_nice for cups_domain |
|
- Allow postfix_postdrop to acces postfix_public socket |
|
- Allow sched_setscheduler for cupsd_t |
|
- Add missing context for /usr/sbin/snmpd |
|
- Kernel_t needs mac_admin in order to support labeled NFS |
|
- Fix systemd_dontaudit_dbus_chat() interface |
|
- Add interface to dontaudit attempts to send dbus messages to systemd domains, for xguest |
|
- Allow consolehelper domain to write Xauth files in /root |
|
- Add port definition for osapi_compute port |
|
- Allow unconfined to create /etc/hostname with correct labeling |
|
- Add systemd_filetrans_named_hostname() interface |
|
|
|
* Mon Apr 8 2013 Dan Walsh <dwalsh@redhat.com> 3.12.1-28 |
|
- Allow httpd_t to connect to osapi_compute port using httpd_use_openstack bolean |
|
- Fixes for dlm_controld |
|
- Fix apache_read_sys_content_rw_dirs() interface |
|
- Allow logrotate to read /var/log/z-push dir |
|
- Allow postfix_postdrop to acces postfix_public socket |
|
- Allow sched_setscheduler for cupsd_t |
|
- Add missing context for /usr/sbin/snmpd |
|
- Allow consolehelper more access discovered by Tom London |
|
- Allow fsdaemon to send signull to all domain |
|
- Add port definition for osapi_compute port |
|
- Allow unconfined to create /etc/hostname with correct labeling |
|
- Add systemd_filetrans_named_hostname() interface |
|
|
|
* Sat Apr 6 2013 Dan Walsh <dwalsh@redhat.com> 3.12.1-27 |
|
- Fix file_contexts.subs to label /run/lock correctly |
|
|
|
* Fri Apr 5 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-26 |
|
- Try to label on controlC devices up to 30 correctly |
|
- Add mount_rw_pid_files() interface |
|
- Add additional mount/umount interfaces needed by mock |
|
- fsadm_t sends audit messages in reads kernel_ipc_info when doing livecd-iso-to-disk |
|
- Fix tabs |
|
- Allow initrc_domain to search rgmanager lib files |
|
- Add more fixes which make mock working together with confined users |
|
* Allow mock_t to manage rpm files |
|
* Allow mock_t to read rpm log files |
|
* Allow mock to setattr on tmpfs, devpts |
|
* Allow mount/umount filesystems |
|
- Add rpm_read_log() interface |
|
- yum-cron runs rpm from within it. |
|
- Allow tuned to transition to dmidecode |
|
- Allow firewalld to do net_admin |
|
- Allow mock to unmont tmpfs_t |
|
- Fix virt_sigkill() interface |
|
- Add additional fixes for mock. Mainly caused by mount running in mock_t |
|
- Allow mock to write sysfs_t and mount pid files |
|
- Add mailman_domain to mailman_template() |
|
- Allow openvswitch to execute shell |
|
- Allow qpidd to use kerberos |
|
- Allow mailman to use fusefs, needs back port to RHEL6 |
|
- Allow apache and its scripts to use anon_inodefs |
|
- Add alias for git_user_content_t and git_sys_content_t so that RHEL6 will update to RHEL7 |
|
- Realmd needs to connect to samba ports, needs back port to F18 also |
|
- Allow colord to read /run/initial-setup- |
|
- Allow sanlock-helper to send sigkill to virtd which is registred to sanlock |
|
- Add virt_kill() interface |
|
- Add rgmanager_search_lib() interface |
|
- Allow wdmd to getattr on all filesystems. Back ported from RHEL6 |
|
|
|
* Tue Apr 2 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-25 |
|
- Allow realmd to create tmp files |
|
- FIx ircssi_home_t type to irssi_home_t |
|
- Allow adcli running as realmd_t to connect to ldap port |
|
- Allow NetworkManager to transition to ipsec_t, for running strongswan |
|
- Make openshift_initrc_t an lxc_domain |
|
- Allow gssd to manage user_tmp_t files |
|
- Fix handling of irclogs in users homedir |
|
- Fix labeling for drupal an wp-content in subdirs of /var/www/html |
|
- Allow abrt to read utmp_t file |
|
- Fix openshift policy to transition lnk_file, sock-file an fifo_file when created in a tmpfs_t, needs back port to RHEL6 |
|
- fix labeling for (oo|rhc)-restorer-wrapper.sh |
|
- firewalld needs to be able to write to network sysctls |
|
- Fix mozilla_plugin_dontaudit_rw_sem() interface |
|
- Dontaudit generic ipc read/write to a mozilla_plugin for sandbox_x domains |
|
- Add mozilla_plugin_dontaudit_rw_sem() interface |
|
- Allow svirt_lxc_t to transition to openshift domains |
|
- Allow condor domains block_suspend and dac_override caps |
|
- Allow condor_master to read passd |
|
- Allow condor_master to read system state |
|
- Allow NetworkManager to transition to ipsec_t, for running strongswan |
|
- Lots of access required by lvm_t to created encrypted usb device |
|
- Allow xdm_t to dbus communicate with systemd_localed_t |
|
- Label strongswan content as ipsec_exec_mgmt_t for now |
|
- Allow users to dbus chat with systemd_localed |
|
- Fix handling of .xsession-errors in xserver.if, so kde will work |
|
- Might be a bug but we are seeing avc's about people status on init_t:service |
|
- Make sure we label content under /var/run/lock as <<none>> |
|
- Allow daemon and systemprocesses to search init_var_run_t directory |
|
- Add boolean to allow xdm to write xauth data to the home directory |
|
- Allow mount to write keys for the unconfined domain |
|
- Add unconfined_write_keys() interface |
|
|
|
* Tue Mar 26 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-24 |
|
- Add labeling for /usr/share/pki |
|
- Allow programs that read var_run_t symlinks also read var_t symlinks |
|
- Add additional ports as mongod_port_t for 27018, 27019, 28017, 28018 and 28019 ports |
|
- Fix labeling for /etc/dhcp directory |
|
- add missing systemd_stub_unit_file() interface |
|
- Add files_stub_var() interface |
|
- Add lables for cert_t directories |
|
- Make localectl set-x11-keymap working at all |
|
- Allow abrt to manage mock build environments to catch build problems. |
|
- Allow virt_domains to setsched for running gdb on itself |
|
- Allow thumb_t to execute user home content |
|
- Allow pulseaudio running as mozilla_plugin_t to read /run/systemd/users/1000 |
|
- Allow certwatch to execut /usr/bin/httpd |
|
- Allow cgred to send signal perms to itself, needs back port to RHEL6 |
|
- Allow openshift_cron_t to look at quota |
|
- Allow cups_t to read inhered tmpfs_t from the kernel |
|
- Allow yppasswdd to use NIS |
|
- Tuned wants sys_rawio capability |
|
- Add ftpd_use_fusefs boolean |
|
- Allow dirsrvadmin_t to signal itself |
|
|
|
* Wed Mar 20 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-23 |
|
- Allow localectl to read /etc/X11/xorg.conf.d directory |
|
- Revert "Revert "Fix filetrans rules for kdm creates .xsession-errors"" |
|
- Allow mount to transition to systemd_passwd_agent |
|
- Make sure abrt directories are labeled correctly |
|
- Allow commands that are going to read mount pid files to search mount_var_run_t |
|
- label /usr/bin/repoquery as rpm_exec_t |
|
- Allow automount to block suspend |
|
- Add abrt_filetrans_named_content so that abrt directories get labeled correctly |
|
- Allow virt domains to setrlimit and read file_context |
|
|
|
* Mon Mar 18 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-22 |
|
- Allow nagios to manage nagios spool files |
|
- /var/spool/snmptt is a directory which snmdp needs to write to, needs back port to RHEL6 |
|
- Add swift_alias.* policy files which contain typealiases for swift types |
|
- Add support for /run/lock/opencryptoki |
|
- Allow pkcsslotd chown capability |
|
- Allow pkcsslotd to read passwd |
|
- Add rsync_stub() interface |
|
- Allow systemd_timedate also manage gnome config homedirs |
|
- Label /usr/lib64/security/pam_krb5/pam_krb5_cchelper as bin_t |
|
- Fix filetrans rules for kdm creates .xsession-errors |
|
- Allow sytemd_tmpfiles to create wtmp file |
|
- Really should not label content under /var/lock, since it could have labels on it different from var_lock_t |
|
- Allow systemd to list all file system directories |
|
- Add some basic stub interfaces which will be used in PRODUCT policies |
|
|
|
* Wed Mar 13 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-21 |
|
- Fix log transition rule for cluster domains |
|
- Start to group all cluster log together |
|
- Dont use filename transition for POkemon Advanced Adventure until a new checkpolicy update |
|
- cups uses usbtty_device_t devices |
|
- These fixes were all required to build a MLS virtual Machine with single level desktops |
|
- Allow domains to transiton using httpd_exec_t |
|
- Allow svirt domains to manage kernel key rings |
|
- Allow setroubleshoot to execute ldconfig |
|
- Allow firewalld to read generate gnome data |
|
- Allow bluetooth to read machine-info |
|
- Allow boinc domain to send signal to itself |
|
- Fix gnome_filetrans_home_content() interface |
|
- Allow mozilla_plugins to list apache modules, for use with gxine |
|
- Fix labels for POkemon in the users homedir |
|
- Allow xguest to read mdstat |
|
- Dontaudit virt_domains getattr on /dev/* |
|
- These fixes were all required to build a MLS virtual Machine with single level desktops |
|
- Need to back port this to RHEL6 for openshift |
|
- Add tcp/8891 as milter port |
|
- Allow nsswitch domains to read sssd_var_lib_t files |
|
- Allow ping to read network state. |
|
- Fix typo |
|
- Add labels to /etc/X11/xorg.d and allow systemd-timestampd_t to manage them |
|
|
|
* Fri Mar 8 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-20 |
|
- Adopt swift changes from lhh@redhat.com |
|
- Add rhcs_manage_cluster_pid_files() interface |
|
- Allow screen domains to configure tty and setup sock_file in ~/.screen directory |
|
- ALlow setroubleshoot to read default_context_t, needed to backport to F18 |
|
- Label /etc/owncloud as being an apache writable directory |
|
- Allow sshd to stream connect to an lxc domain |
|
|
|
* Thu Mar 7 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-19 |
|
- Allow postgresql to manage rgmanager pid files |
|
- Allow postgresql to read ccs data |
|
- Allow systemd_domain to send dbus messages to policykit |
|
- Add labels for /etc/hostname and /etc/machine-info and allow systemd-hostnamed to create them |
|
- All systemd domains that create content are reading the file_context file and setfscreate |
|
- Systemd domains need to search through init_var_run_t |
|
- Allow sshd to communicate with libvirt to set containers labels |
|
- Add interface to manage pid files |
|
- Allow NetworkManger_t to read /etc/hostname |
|
- Dontaudit leaked locked files into openshift_domains |
|
- Add fixes for oo-cgroup-read - it nows creates tmp files |
|
- Allow gluster to manage all directories as well as files |
|
- Dontaudit chrome_sandbox_nacl_t using user terminals |
|
- Allow sysstat to manage its own log files |
|
- Allow virtual machines to setrlimit and send itself signals. |
|
- Add labeling for /var/run/hplip |
|
|
|
* Mon Mar 4 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-18 |
|
- Fix POSTIN scriptlet |
|
|
|
* Fri Mar 1 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-17 |
|
- Merge rgmanger, corosync,pacemaker,aisexec policies to cluster_t in rhcs.pp |
|
|
|
* Wed Feb 27 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-16 |
|
- Fix authconfig.py labeling |
|
- Make any domains that write homedir content do it correctly |
|
- Allow glusterd to read/write anyhwere on the file system by default |
|
- Be a little more liberal with the rsync log files |
|
- Fix iscsi_admin interface |
|
- Allow iscsid_t to read /dev/urand |
|
- Fix up iscsi domain for use with unit files |
|
- Add filename transition support for spamassassin policy |
|
- Allow web plugins to use badly formated libraries |
|
- Allow nmbd_t to create samba_var_t directories |
|
- Add filename transition support for spamassassin policy |
|
- Add filename transition support for tvtime |
|
- Fix alsa_home_filetrans_alsa_home() interface |
|
- Move all userdom_filetrans_home_content() calling out of booleans |
|
- Allow logrotote to getattr on all file sytems |
|
- Remove duplicate userdom_filetrans_home_content() calling |
|
- Allow kadmind to read /etc/passwd |
|
- Dontaudit append .xsession-errors file on ecryptfs for policykit-auth |
|
- Allow antivirus domain to manage antivirus db links |
|
- Allow logrotate to read /sys |
|
- Allow mandb to setattr on man dirs |
|
- Remove mozilla_plugin_enable_homedirs boolean |
|
- Fix ftp_home_dir boolean |
|
- homedir mozilla filetrans has been moved to userdom_home_manager |
|
- homedir telepathy filetrans has been moved to userdom_home_manager |
|
- Remove gnome_home_dir_filetrans() from gnome_role_gkeyringd() |
|
- Might want to eventually write a daemon on fusefsd. |
|
- Add policy fixes for sshd [net] child from plautrba@redhat.com |
|
- Tor uses a new port |
|
- Remove bin_t for authconfig.py |
|
- Fix so only one call to userdom_home_file_trans |
|
- Allow home_manager_types to create content with the correctl label |
|
- Fix all domains that write data into the homedir to do it with the correct label |
|
- Change the postgresql to use proper boolean names, which is causing httpd_t to |
|
- not get access to postgresql_var_run_t |
|
- Hostname needs to send syslog messages |
|
- Localectl needs to be able to send dbus signals to users |
|
- Make sure userdom_filetrans_type will create files/dirs with user_home_t labeling by default |
|
- Allow user_home_manger domains to create spam* homedir content with correct labeling |
|
- Allow user_home_manger domains to create HOMEDIR/.tvtime with correct labeling |
|
- Add missing miscfiles_setattr_man_pages() interface and for now comment some rules for userdom_filetrans_type to make build process working |
|
- Declare userdom_filetrans_type attribute |
|
- userdom_manage_home_role() needs to be called withoout usertype attribute because of userdom_filetrans_type attribute |
|
- fusefsd is mounding a fuse file system on /run/user/UID/gvfs |
|
|
|
* Thu Feb 21 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-15 |
|
- Man pages are now generated in the build process |
|
- Allow cgred to list inotifyfs filesystem |
|
|
|
* Wed Feb 20 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-14 |
|
- Allow gluster to get attrs on all fs |
|
- New access required for virt-sandbox |
|
- Allow dnsmasq to execute bin_t |
|
- Allow dnsmasq to create content in /var/run/NetworkManager |
|
- Fix openshift_initrc_signal() interface |
|
- Dontaudit openshift domains doing getattr on other domains |
|
- Allow consolehelper domain to communicate with session bus |
|
- Mock should not be transitioning to any other domains, we should keep mock_t as mock_t |
|
- Update virt_qemu_ga_t policy |
|
- Allow authconfig running from realmd to restart oddjob service |
|
- Add systemd support for oddjob |
|
- Add initial policy for realmd_consolehelper_t which if for authconfig executed by realmd |
|
- Add labeling for gnashpluginrc |
|
- Allow chrome_nacl to execute /dev/zero |
|
- Allow condor domains to read /proc |
|
- mozilla_plugin_t will getattr on /core if firefox crashes |
|
- Allow condor domains to read /etc/passwd |
|
- Allow dnsmasq to execute shell scripts, openstack requires this access |
|
- Fix glusterd labeling |
|
- Allow virtd_t to interact with the socket type |
|
- Allow nmbd_t to override dac if you turned on sharing all files |
|
- Allow tuned to created kobject_uevent socket |
|
- Allow guest user to run fusermount |
|
- Allow openshift to read /proc and locale |
|
- Allow realmd to dbus chat with rpm |
|
- Add new interface for virt |
|
- Remove depracated interfaces |
|
- Allow systemd_domains read access on etc, etc_runtime and usr files, also allow them to connect stream to syslog socket |
|
- /usr/share/munin/plugins/plugin.sh should be labeled as bin_t |
|
- Remove some more unconfined_t process transitions, that I don't believe are necessary |
|
- Stop transitioning uncofnined_t to checkpc |
|
- dmraid creates /var/lock/dmraid |
|
- Allow systemd_localed to creatre unix_dgram_sockets |
|
- Allow systemd_localed to write kernel messages. |
|
- Also cleanup systemd definition a little. |
|
- Fix userdom_restricted_xwindows_user_template() interface |
|
- Label any block devices or char devices under /dev/infiniband as fixed_disk_device_t |
|
- User accounts need to dbus chat with accountsd daemon |
|
- Gnome requires all users to be able to read /proc/1/ |
|
|
|
* Thu Feb 14 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-13 |
|
- virsh now does a setexeccon call |
|
- Additional rules required by openshift domains |
|
- Allow svirt_lxc_domains to use inherited terminals, needed to make virt-sandbox-service execute work |
|
- Allow spamd_update_t to search spamc_home_t |
|
- Avcs discovered by mounting an isci device under /mnt |
|
- Allow lspci running as logrotate to read pci.ids |
|
- Additional fix for networkmanager_read_pid_files() |
|
- Fix networkmanager_read_pid_files() interface |
|
- Allow all svirt domains to connect to svirt_socket_t |
|
- Allow virsh to set SELinux context for a process. |
|
- Allow tuned to create netlink_kobject_uevent_socket |
|
- Allow systemd-timestamp to set SELinux context |
|
- Add support for /var/lib/systemd/linger |
|
- Fix ssh_sysadm_login to be working on MLS as expected |
|
|
|
* Mon Feb 11 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-12 |
|
- Rename files_rw_inherited_tmp_files to files_rw_inherited_tmp_file |
|
- Add missing files_rw_inherited_tmp_files interface |
|
- Add additional interface for ecryptfs |
|
- ALlow nova-cert to connect to postgresql |
|
- Allow keystone to connect to postgresql |
|
- Allow all cups domains to getattr on filesystems |
|
- Allow pppd to send signull |
|
- Allow tuned to execute ldconfig |
|
- Allow gpg to read fips_enabled |
|
- Add additional fixes for ecryptfs |
|
- Allow httpd to work with posgresql |
|
- Allow keystone getsched and setsched |
|
|
|
* Fri Feb 8 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-11 |
|
- Allow gpg to read fips_enabled |
|
- Add support for /var/cache/realmd |
|
- Add support for /usr/sbin/blazer_usb and systemd support for nut |
|
- Add labeling for fenced_sanlock and allow sanclok transition to fenced_t |
|
- bitlbee wants to read own log file |
|
- Allow glance domain to send a signal itself |
|
- Allow xend_t to request that the kernel load a kernel module |
|
- Allow pacemaker to execute heartbeat lib files |
|
- cleanup new swift policy |
|
|
|
* Tue Feb 5 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-10 |
|
- Fix smartmontools |
|
- Fix userdom_restricted_xwindows_user_template() interface |
|
- Add xserver_xdm_ioctl_log() interface |
|
- Allow Xusers to ioctl lxdm.log to make lxdm working |
|
- Add MLS fixes to make MLS boot/log-in working |
|
- Add mls_socket_write_all_levels() also for syslogd |
|
- fsck.xfs needs to read passwd |
|
- Fix ntp_filetrans_named_content calling in init.te |
|
- Allow postgresql to create pg_log dir |
|
- Allow sshd to read rsync_data_t to make rsync <backuphost> working |
|
- Change ntp.conf to be labeled net_conf_t |
|
- Allow useradd to create homedirs in /run. ircd-ratbox does this and we should just allow it |
|
- Allow xdm_t to execute gstreamer home content |
|
- Allod initrc_t and unconfined domains, and sysadm_t to manage ntp |
|
- New policy for openstack swift domains |
|
- More access required for openshift_cron_t |
|
- Use cupsd_log_t instead of cupsd_var_log_t |
|
- rpm_script_roles should be used in rpm_run |
|
- Fix rpm_run() interface |
|
- Fix openshift_initrc_run() |
|
- Fix sssd_dontaudit_stream_connect() interface |
|
- Fix sssd_dontaudit_stream_connect() interface |
|
- Allow LDA's job to deliver mail to the mailbox |
|
- dontaudit block_suspend for mozilla_plugin_t |
|
- Allow l2tpd_t to all signal perms |
|
- Allow uuidgen to read /dev/random |
|
- Allow mozilla-plugin-config to read power_supply info |
|
- Implement cups_domain attribute for cups domains |
|
- We now need access to user terminals since we start by executing a command outside the tty |
|
- We now need access to user terminals since we start by executing a command outside the tty |
|
- svirt lxc containers want to execute userhelper apps, need these changes to allow this to happen |
|
- Add containment of openshift cron jobs |
|
- Allow system cron jobs to create tmp directories |
|
- Make userhelp_conf_t a config file |
|
- Change rpm to use rpm_script_roles |
|
- More fixes for rsync to make rsync <backuphost> wokring |
|
- Allow logwatch to domtrans to mdadm |
|
- Allow pacemaker to domtrans to ifconfig |
|
- Allow pacemaker to setattr on corosync.log |
|
- Add pacemaker_use_execmem for memcheck-amd64 command |
|
- Allow block_suspend capability |
|
- Allow create fifo_file in /tmp with pacemaker_tmp_t |
|
- Allow systat to getattr on fixed disk |
|
- Relabel /etc/ntp.conf to be net_conf_t |
|
- ntp_admin should create files in /etc with the correct label |
|
- Add interface to create ntp_conf_t files in /etc |
|
- Add additional labeling for quantum |
|
- Allow quantum to execute dnsmasq with transition |
|
|
|
* Wed Jan 30 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-9 |
|
- boinc_cliean wants also execmem as boinc projecs have |
|
- Allow sa-update to search admin home for /root/.spamassassin |
|
- Allow sa-update to search admin home for /root/.spamassassin |
|
- Allow antivirus domain to read net sysctl |
|
- Dontaudit attempts from thumb_t to connect to ssd |
|
- Dontaudit attempts by readahead to read sock_files |
|
- Dontaudit attempts by readahead to read sock_files |
|
- Create tmpfs file while running as wine as user_tmpfs_t |
|
- Dontaudit attempts by readahead to read sock_files |
|
- libmpg ships badly created librarie |
|
|
|
* Mon Jan 28 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-8 |
|
- Change ssh_use_pts to use macro and only inherited sshd_devpts_t |
|
- Allow confined users to read systemd_logind seat information |
|
- libmpg ships badly created libraries |
|
- Add support for strongswan.service |
|
- Add labeling for strongswan |
|
- Allow l2tpd_t to read network manager content in /run directory |
|
- Allow rsync to getattr any file in rsync_data_t |
|
- Add labeling and filename transition for .grl-podcasts |
|
|
|
* Fri Jan 25 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-7 |
|
- mount.glusterfs executes glusterfsd binary |
|
- Allow systemd_hostnamed_t to stream connect to systemd |
|
- Dontaudit any user doing a access check |
|
- Allow obex-data-server to request the kernel to load a module |
|
- Allow gpg-agent to manage gnome content (~/.cache/gpg-agent-info) |
|
- Allow gpg-agent to read /proc/sys/crypto/fips_enabled |
|
- Add new types for antivirus.pp policy module |
|
- Allow gnomesystemmm_t caps because of ioprio_set |
|
- Make sure if mozilla_plugin creates files while in permissive mode, they get created with the correct label, user_home_t |
|
- Allow gnomesystemmm_t caps because of ioprio_set |
|
- Allow NM rawip socket |
|
- files_relabel_non_security_files can not be used with boolean |
|
- Add interface to thumb_t dbus_chat to allow it to read remote process state |
|
- ALlow logrotate to domtrans to mdadm_t |
|
- kde gnomeclock wants to write content to /tmp |
|
|
|
* Wed Jan 23 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-6 |
|
- kde gnomeclock wants to write content to /tmp |
|
- /usr/libexec/kde4/kcmdatetimehelper attempts to create /root/.kde |
|
- Allow blueman_t to rwx zero_device_t, for some kind of jre |
|
- Allow mozilla_plugin_t to rwx zero_device_t, for some kind of jre |
|
- Ftp full access should be allowed to create directories as well as files |
|
- Add boolean to allow rsync_full_acces, so that an rsync server can write all |
|
- over the local machine |
|
- logrotate needs to rotate logs in openshift directories, needs back port to RHEL6 |
|
- Add missing vpnc_roles type line |
|
- Allow stapserver to write content in /tmp |
|
- Allow gnome keyring to create keyrings dir in ~/.local/share |
|
- Dontaudit thumb drives trying to bind to udp sockets if nis_enabled is turned on |
|
- Add interface to colord_t dbus_chat to allow it to read remote process state |
|
- Allow colord_t to read cupsd_t state |
|
- Add mate-thumbnail-font as thumnailer |
|
- Allow sectoolm to sys_ptrace since it is looking at other proceses /proc data. |
|
- Allow qpidd to list /tmp. Needed by ssl |
|
- Only allow init_t to transition to rsync_t domain, not initrc_t. This should be back ported to F17, F18 |
|
- - Added systemd support for ksmtuned |
|
- Added booleans |
|
ksmtuned_use_nfs |
|
ksmtuned_use_cifs |
|
- firewalld seems to be creating mmap files which it needs to execute in /run /tmp and /dev/shm. Would like to clean this up but for now we will allow |
|
- Looks like qpidd_t needs to read /dev/random |
|
- Lots of probing avc's caused by execugting gpg from staff_t |
|
- Dontaudit senmail triggering a net_admin avc |
|
- Change thumb_role to use thumb_run, not sure why we have a thumb_role, needs back port |
|
- Logwatch does access check on mdadm binary |
|
- Add raid_access_check_mdadm() iterface |
|
|
|
* Wed Jan 16 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-5 |
|
- Fix systemd_manage_unit_symlinks() interface |
|
- Call systemd_manage_unit_symlinks(() which is correct interface |
|
- Add filename transition for opasswd |
|
- Switch gnomeclock_dbus_chat to systemd_dbus_chat_timedated since we have switched the name of gnomeclock |
|
- Allow sytstemd-timedated to get status of init_t |
|
- Add new systemd policies for hostnamed and rename gnomeclock_t to systemd_timedate_t |
|
- colord needs to communicate with systemd and systemd_logind, also remove duplicate rules |
|
- Switch gnomeclock_dbus_chat to systemd_dbus_chat_timedated since we have switched the name of gnomeclock |
|
- Allow gpg_t to manage all gnome files |
|
- Stop using pcscd_read_pub_files |
|
- New rules for xguest, dontaudit attempts to dbus chat |
|
- Allow firewalld to create its mmap files in tmpfs and tmp directories |
|
- Allow firewalld to create its mmap files in tmpfs and tmp directories |
|
- run unbound-chkconf as named_t, so it can read dnssec |
|
- Colord is reading xdm process state, probably reads state of any apps that sends dbus message |
|
- Allow mdadm_t to change the kernel scheduler |
|
- mythtv policy |
|
- Update mandb_admin() interface |
|
- Allow dsspam to listen on own tpc_socket |
|
- seutil_filetrans_named_content needs to be optional |
|
- Allow sysadm_t to execute content in his homedir |
|
- Add attach_queue to tun_socket, new patch from Paul Moore |
|
- Change most of selinux configuration types to security_file_type. |
|
- Add filename transition rules for selinux configuration |
|
- ssh into a box with -X -Y requires ssh_use_ptys |
|
- Dontaudit thumb drives trying to bind to udp sockets if nis_enabled is turned on |
|
- Allow all unpriv userdomains to send dbus messages to hostnamed and timedated |
|
- New allow rules found by Tom London for systemd_hostnamed |
|
|
|
* Mon Jan 14 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-4 |
|
- Allow systemd-tmpfiles to relabel lpd spool files |
|
- Ad labeling for texlive bash scripts |
|
- Add xserver_filetrans_fonts_cache_home_content() interface |
|
- Remove duplicate rules from *.te |
|
- Add support for /var/lock/man-db.lock |
|
- Add support for /var/tmp/abrt(/.*)? |
|
- Add additional labeling for munin cgi scripts |
|
- Allow httpd_t to read munin conf files |
|
- Allow certwatch to read meminfo |
|
- Fix nscd_dontaudit_write_sock_file() interfac |
|
- Fix gnome_filetrans_home_content() to include also "fontconfig" dir as cache_home_t |
|
- llow mozilla_plugin_t to create HOMEDIR/.fontconfig with the proper labeling |
|
|
|
* Fri Jan 11 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-3 |
|
- Allow gnomeclock to talk to puppet over dbus |
|
- Allow numad access discovered by Dominic |
|
- Add support for HOME_DIR/.maildir |
|
- Fix attribute_role for mozilla_plugin_t domain to allow staff_r to access this domain |
|
- Allow udev to relabel udev_var_run_t lnk_files |
|
- New bin_t file in mcelog |
|
|
|
* Thu Jan 10 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-2 |
|
- Remove all mcs overrides and replace with t1 != mcs_constrained_types |
|
- Add attribute_role for iptables |
|
- mcs_process_set_categories needs to be called for type |
|
- Implement additional role_attribute statements |
|
- Sodo domain is attempting to get the additributes of proc_kcore_t |
|
- Unbound uses port 8953 |
|
- Allow svirt_t images to compromise_kernel when using pci-passthrough |
|
- Add label for dns lib files |
|
- Bluetooth aquires a dbus name |
|
- Remove redundant files_read_usr_file calling |
|
- Remove redundant files_read_etc_file calling |
|
- Fix mozilla_run_plugin() |
|
- Add role_attribute support for more domains |
|
|
|
* Wed Jan 9 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-1 |
|
- Mass merge with upstream |
|
|
|
* Sat Jan 5 2013 Dan Walsh <dwalsh@redhat.com> 3.11.1-69.1 |
|
- Bump the policy version to 28 to match selinux userspace |
|
- Rebuild versus latest libsepol |
|
|
|
* Wed Jan 2 2013 Miroslav Grepl <mgrepl@redhat.com> 3.11.1-69 |
|
- Add systemd_status_all_unit_files() interface |
|
- Add support for nshadow |
|
- Allow sysadm_t to administrate the postfix domains |
|
- Add interface to setattr on isid directories for use by tmpreaper |
|
- Allow sshd_t sys_admin for use with afs logins |
|
- Allow systemd to read/write all sysctls |
|
- Allow sshd_t sys_admin for use with afs logins |
|
- Allow systemd to read/write all sysctls |
|
- Add systemd_status_all_unit_files() interface |
|
- Add support for nshadow |
|
- Allow sysadm_t to administrate the postfix domains |
|
- Add interface to setattr on isid directories for use by tmpreaper |
|
- Allow sshd_t sys_admin for use with afs logins |
|
- Allow systemd to read/write all sysctls |
|
- Allow sshd_t sys_admin for use with afs logins |
|
- Add labeling for /var/named/chroot/etc/localtim |
|
|
|
* Thu Dec 27 2012 Miroslav Grepl <mgrepl@redhat.com> 3.11.1-68 |
|
- Allow setroubleshoot_fixit to execute rpm |
|
- zoneminder needs to connect to httpd ports where remote cameras are listening |
|
- Allow firewalld to execute content created in /run directory |
|
- Allow svirt_t to read generic certs |
|
- Dontaudit leaked ps content to mozilla plugin |
|
- Allow sshd_t sys_admin for use with afs logins |
|
- Allow systemd to read/write all sysctls |
|
- init scripts are creating systemd_unit_file_t directories |
|
|
|
* Fri Dec 21 2012 Miroslav Grepl <mgrepl@redhat.com> 3.11.1-67 |
|
- systemd_logind_t is looking at all files under /run/user/apache |
|
- Allow systemd to manage all user tmp files |
|
- Add labeling for /var/named/chroot/etc/localtime |
|
- Allow netlabel_peer_t type to flow over netif_t and node_t, and only be hindered by MLS, need back port to RHEL6 |
|
- Keystone is now using a differnt port |
|
- Allow xdm_t to use usbmuxd daemon to control sound |
|
- Allow passwd daemon to execute gnome_exec_keyringd |
|
- Fix chrome_sandbox policy |
|
- Add labeling for /var/run/checkquorum-timer |
|
- More fixes for the dspam domain, needs back port to RHEL6 |
|
- More fixes for the dspam domain, needs back port to RHEL6 |
|
- sssd needs to connect to kerberos password port if a user changes his password |
|
- Lots of fixes from RHEL testing of dspam web |
|
- Allow chrome and mozilla_plugin to create msgq and semaphores |
|
- Fixes for dspam cgi scripts |
|
- Fixes for dspam cgi scripts |
|
- Allow confine users to ptrace screen |
|
- Backport virt_qemu_ga_t changes from RHEL |
|
- Fix labeling for dspam.cgi needed for RHEL6 |
|
- We need to back port this policy to RHEL6, for lxc domains |
|
- Dontaudit attempts to set sys_resource of logrotate |
|
- Allow corosync to read/write wdmd's tmpfs files |
|
- I see a ptrace of mozilla_plugin_t by staff_t, will allow without deny_ptrace being set |
|
- Allow cron jobs to read bind config for unbound |
|
- libvirt needs to inhibit systemd |
|
- kdumpctl needs to delete boot_t files |
|
- Fix duplicate gnome_config_filetrans |
|
- virtd_lxc_t is using /dev/fuse |
|
- Passenger needs to create a directory in /var/log, needs a backport to RHEL6 for openshift |
|
- apcupsd can be setup to listen to snmp trafic |
|
- Allow transition from kdumpgui to kdumpctl |
|
- Add fixes for munin CGI scripts |
|
- Allow deltacloud to connect to openstack at the keystone port |
|
- Allow domains that transition to svirt domains to be able to signal them |
|
- Fix file context of gstreamer in .cache directory |
|
- libvirt is communicating with logind |
|
- NetworkManager writes to the systemd inhibit pipe |
|
|
|
* Mon Dec 17 2012 Miroslav Grepl <mgrepl@redhat.com> 3.11.1-66 |
|
- Allow munin disk plugins to get attributes of all directories |
|
- Allow munin disk plugins to get attributes of all directorie |
|
- Allow logwatch to get attributes of all directories |
|
- Fix networkmanager_manage_lib() interface |
|
- Fix gnome_manage_config() to allow to manage sock_file |
|
- Fix virtual_domain_context |
|
- Add support for dynamic DNS for DHCPv6 |
|
|
|
* Sat Dec 15 2012 Miroslav Grepl <mgrepl@redhat.com> 3.11.1-65 |
|
- Allow svirt to use netlink_route_socket which was a part of auth_use_nsswitch |
|
- Add additional labeling for /var/www/openshift/broker |
|
- Fix rhev policy |
|
- Allow openshift_initrc domain to dbus chat with systemd_logind |
|
- Allow httpd to getattr passenger log file if run_stickshift |
|
- Allow consolehelper-gtk to connect to xserver |
|
- Add labeling for the tmp-inst directory defined in pam_namespace.conf |
|
- Add lvm_metadata_t labeling for /etc/multipath |
|
|
|
* Fri Dec 14 2012 Miroslav Grepl <mgrepl@redhat.com> 3.11.1-64 |
|
- consoletype is no longer used |
|
|
|
* Wed Dec 12 2012 Miroslav Grepl <mgrepl@redhat.com> 3.11.1-63 |
|
- Add label for efivarfs |
|
- Allow certmonger to send signal to itself |
|
- Allow plugin-config to read own process status |
|
- Add more fixes for pacemaker |
|
- apache/drupal can run clamscan on uploaded content |
|
- Allow chrome_sandbox_nacl_t to read pid 1 content |
|
|
|
* Tue Dec 11 2012 Miroslav Grepl <mgrepl@redhat.com> 3.11.1-62 |
|
- Fix MCS Constraints to control ingres and egres controls on the network. |
|
- Change name of svirt_nokvm_t to svirt_tcg_t |
|
- Allow tuned to request the kernel to load kernel modules |
|
|
|
* Mon Dec 10 2012 Miroslav Grepl <mgrepl@redhat.com> 3.11.1-61 |
|
- Label /var/lib/pgsql/.ssh as ssh_home_t |
|
- Add labeling for /usr/bin/pg_ctl |
|
- Allow systemd-logind to manage keyring user tmp dirs |
|
- Add support for 7389/tcp port |
|
- gems seems to be placed in lots of places |
|
- Since xdm is running a full session, it seems to be trying to execute lots of executables via dbus |
|
- Add back tcp/8123 port as http_cache port |
|
- Add ovirt-guest-agent\.pid labeling |
|
- Allow xend to run scsi_id |
|
- Allow rhsmcertd-worker to read "physical_package_id" |
|
- Allow pki_tomcat to connect to ldap port |
|
- Allow lpr to read /usr/share/fonts |
|
- Allow open file from CD/DVD drive on domU |
|
- Allow munin services plugins to talk to SSSD |
|
- Allow all samba domains to create samba directory in var_t directories |
|
- Take away svirt_t ability to use nsswitch |
|
- Dontaudit attempts by openshift to read apache logs |
|
- Allow apache to create as well as append _ra_content_t |
|
- Dontaudit sendmail_t reading a leaked file descriptor |
|
- Add interface to have admin transition /etc/prelink.cache to the proper label |
|
- Add sntp support to ntp policy |
|
- Allow firewalld to dbus chat with devicekit_power |
|
- Allow tuned to call lsblk |
|
- Allow tor to read /proc/sys/kernel/random/uuid |
|
- Add tor_can_network_relay boolean |
|
|
|
* Wed Dec 5 2012 Miroslav Grepl <mgrepl@redhat.com> 3.11.1-60 |
|
- Add openshift_initrc_signal() interface |
|
- Fix typos |
|
- dspam port is treat as spamd_port_t |
|
- Allow setroubleshoot to getattr on all executables |
|
- Allow tuned to execute profiles scripts in /etc/tuned |
|
- Allow apache to create directories to store its log files |
|
- Allow all directories/files in /var/log starting with passenger to be labeled passenger_log_t |
|
- Looks like apache is sending sinal to openshift_initrc_t now,needs back port to RHEL6 |
|
- Allow Postfix to be configured to listen on TCP port 10026 for email from DSPAM |
|
- Add filename transition for /etc/tuned/active_profile |
|
- Allow condor_master to send mails |
|
- Allow condor_master to read submit.cf |
|
- Allow condor_master to create /tmp files/dirs |
|
- Allow condor_mater to send sigkill to other condor domains |
|
- Allow condor_procd sigkill capability |
|
- tuned-adm wants to talk with tuned daemon |
|
- Allow kadmind and krb5kdc to also list sssd_public_t |
|
- Allow accountsd to dbus chat with init |
|
- Fix git_read_generic_system_content_files() interface |
|
- pppd wants sys_nice by nmcli because of "syscall=sched_setscheduler" |
|
- Fix mozilla_plugin_can_network_connect to allow to connect to all ports |
|
- Label all munin plugins which are not covered by munin plugins policy as unconfined_munin_plugin_exec_t |
|
- dspam wants to search /var/spool for opendkim data |
|
- Revert "Add support for tcp/10026 port as dspam_port_t" |
|
- Turning on labeled networking requires additional access for netlabel_peer_t; these allow rules need to be back ported to RHEL6 |
|
- Allow all application domains to use fifo_files passed in from userdomains, also allow them to write to tmp_files inherited from userdomain |
|
- Allow systemd_tmpfiles_t to setattr on mandb_cache_t |
|
|
|
* Sat Dec 1 2012 Miroslav Grepl <mgrepl@redhat.com> 3.11.1-59 |
|
- consolekit.pp was not removed from the postinstall script |
|
|
|
* Fri Nov 30 2012 Miroslav Grepl <mgrepl@redhat.com> 3.11.1-58 |
|
- Add back consolekit policy |
|
- Silence bootloader trying to use inherited tty |
|
- Silence xdm_dbusd_t trying to execute telepathy apps |
|
- Fix shutdown avcs when machine has unconfined.pp disabled |
|
- The host and a virtual machine can share the same printer on a usb device |
|
- Change oddjob to transition to a ranged openshift_initr_exec_t when run from oddjob |
|
- Allow abrt_watch_log_t to execute bin_t |
|
- Allow chrome sandbox to write content in ~/.config/chromium |
|
- Dontaudit setattr on fontconfig dir for thumb_t |
|
- Allow lircd to request the kernel to load module |
|
- Make rsync as userdom_home_manager |
|
- Allow rsync to search automount filesystem |
|
- Add fixes for pacemaker |
|
|
|
* Wed Nov 28 2012 Miroslav Grepl <mgrepl@redhat.com> 3.11.1-57 |
|
- Add support for 4567/tcp port |
|
- Random fixes from Tuomo Soini |
|
- xdm wants to get init status |
|
- Allow programs to run in fips_mode |
|
- Add interface to allow the reading of all blk device nodes |
|
- Allow init to relabel rpcbind sock_file |
|
- Fix labeling for lastlog and faillog related to logrotate |
|
- ALlow aeolus_configserver to use TRAM port |
|
- Add fixes for aeolus_configserver |
|
- Allow snmpd to connect to snmp port |
|
- Allow spamd_update to create spamd_var_lib_t directories |
|
- Allow domains that can read sssd_public_t files to also list the directory |
|
- Remove miscfiles_read_localization, this is defined for all domains |
|
|
|
* Mon Nov 26 2012 Miroslav Grepl <mgrepl@redhat.com> 3.11.1-56 |
|
- Allow syslogd to request the kernel to load a module |
|
- Allow syslogd_t to read the network state information |
|
- Allow xdm_dbusd_t connect to the system DBUS |
|
- Add support for 7389/tcp port |
|
- Allow domains to read/write all inherited sockets |
|
- Allow staff_t to read kmsg |
|
- Add awstats_purge_apache_log boolean |
|
- Allow ksysguardproces to read /.config/Trolltech.conf |
|
- Allow passenger to create and append puppet log files |
|
- Add puppet_append_log and puppet_create_log interfaces |
|
- Add puppet_manage_log() interface |
|
- Allow tomcat domain to search tomcat_var_lib_t |
|
- Allow pki_tomcat_t to connect to pki_ca ports |
|
- Allow pegasus_t to have net_admin capability |
|
- Allow pegasus_t to write /sys/class/net/<interface>/flags |
|
- Allow mailserver_delivery to manage mail_home_rw_t lnk_files |
|
- Allow fetchmail to create log files |
|
- Allow gnomeclock to manage home config in .kde |
|
- Allow bittlebee to read kernel sysctls |
|
- Allow logrotate to list /root |
|
|
|
* Mon Nov 19 2012 Miroslav Grepl <mgrepl@redhat.com> 3.11.1-55 |
|
- Fix userhelper_console_role_template() |
|
- Allow enabling Network Access Point service using blueman |
|
- Make vmware_host_t as unconfined domain |
|
- Allow authenticate users in webaccess via squid, using mysql as backend |
|
- Allow gathers to get various metrics on mounted file systems |
|
- Allow firewalld to read /etc/hosts |
|
- Fix cron_admin_role() to make sysadm cronjobs running in the sysadm_t instead of cronjob_t |
|
- Allow kdumpgui to read/write to zipl.conf |
|
- Commands needed to get mock to build from staff_t in enforcing mode |
|
- Allow mdadm_t to manage cgroup files |
|
- Allow all daemons and systemprocesses to use inherited initrc_tmp_t files |
|
- dontaudit ifconfig_t looking at fifo_files that are leaked to it |
|
- Add lableing for Quest Authentication System |
|
|
|
* Thu Nov 15 2012 Miroslav Grepl <mgrepl@redhat.com> 3.11.1-54 |
|
- Fix filetrans interface definitions |
|
- Dontaudit xdm_t to getattr on BOINC lib files |
|
- Add systemd_reload_all_services() interface |
|
- Dontaudit write access on /var/lib/net-snmp/mib_indexes |
|
- Only stop mcsuntrustedproc from relableing files |
|
- Allow accountsd to dbus chat with gdm |
|
- Allow realmd to getattr on all fs |
|
- Allow logrotate to reload all services |
|
- Add systemd unit file for radiusd |
|
- Allow winbind to create samba pid dir |
|
- Add labeling for /var/nmbd/unexpected |
|
- Allow chrome and mozilla plugin to connect to msnp ports |
|
|
|
* Mon Nov 12 2012 Miroslav Grepl <mgrepl@redhat.com> 3.11.1-53 |
|
- Fix storage_rw_inherited_fixed_disk_dev() to cover also blk_file |
|
- Dontaudit setfiles reading /dev/random |
|
- On initial boot gnomeclock is going to need to be set buy gdm |
|
- Fix tftp_read_content() interface |
|
- Random apps looking at kernel file systems |
|
- Testing virt with lxc requiers additional access for virsh_t |
|
- New allow rules requied for latest libvirt, libvirt talks directly to journald,lxc setup tool needs compromize_kernel,and we need ipc_lock in the container |
|
- Allow MPD to read /dev/radnom |
|
- Allow sandbox_web_type to read logind files which needs to read pulseaudio |
|
- Allow mozilla plugins to read /dev/hpet |
|
- Add labeling for /var/lib/zarafa-webap |
|
- Allow BOINC client to use an HTTP proxy for all connections |
|
- Allow rhsmertd to domain transition to dmidecod |
|
- Allow setroubleshootd to send D-Bus msg to ABRT |
|
|
|
* Thu Nov 8 2012 Miroslav Grepl <mgrepl@redhat.com> 3.11.1-52 |
|
- Define usbtty_device_t as a term_tty |
|
- Allow svnserve to accept a connection |
|
- Allow xend manage default virt_image_t type |
|
- Allow prelink_cron_system_t to overide user componant when executing cp |
|
- Add labeling for z-push |
|
- Gnomeclock sets the realtime clock |
|
- Openshift seems to be storing apache logs in /var/lib/openshift/.log/httpd |
|
- Allow lxc domains to use /dev/random and /dev/urandom |
|
|
|
* Wed Nov 7 2012 Miroslav Grepl <mgrepl@redhat.com> 3.11.1-51 |
|
- Add port defintion for tcp/9000 |
|
- Fix labeling for /usr/share/cluster/checkquorum to label also checkquorum.wdmd |
|
- Add rules and labeling for $HOME/cache/\.gstreamer-.* directory |
|
- Add support for CIM provider openlmi-networking which uses NetworkManager dbus API |
|
- Allow shorewall_t to create netlink_socket |
|
- Allow krb5admind to block suspend |
|
- Fix labels on /var/run/dlm_controld /var/log/dlm_controld |
|
- Allow krb5kdc to block suspend |
|
- gnomessytemmm_t needs to read /etc/passwd |
|
- Allow cgred to read all sysctls |
|
|
|
* Tue Nov 6 2012 Miroslav Grepl <mgrepl@redhat.com> 3.11.1-50 |
|
- Allow all domains to read /proc/sys/vm/overcommit_memory |
|
- Make proc_numa_t an MLS Trusted Object |
|
- Add /proc/numactl support for confined users |
|
- Allow ssh_t to connect to any port > 1023 |
|
- Add openvswitch domain |
|
- Pulseaudio tries to create directories in gnome_home_t directories |
|
- New ypbind pkg wants to search /var/run which is caused by sd_notify |
|
- Allow NM to read certs on NFS/CIFS using use_nfs_*, use_samba_* booleans |
|
- Allow sanlock to read /dev/random |
|
- Treat php-fpm with httpd_t |
|
- Allow domains that can read named_conf_t to be able to list the directories |
|
- Allow winbind to create sock files in /var/run/samba |
|
|
|
* Thu Nov 1 2012 Miroslav Grepl <mgrepl@redhat.com> 3.11.1-49 |
|
- Add smsd policy |
|
- Add support for OpenShift sbin labelin |
|
- Add boolean to allow virt to use rawip |
|
- Allow mozilla_plugin to read all file systems with noxattrs support |
|
- Allow kerberos to write on anon_inodefs fs |
|
- Additional access required by fenced |
|
- Add filename transitions for passwd.lock/group.lock |
|
- UPdate man pages |
|
- Create coolkey directory in /var/cache with the correct label |
|
|
|
* Tue Oct 30 2012 Miroslav Grepl <mgrepl@redhat.com> 3.11.1-48 |
|
- Fix label on /etc/group.lock |
|
- Allow gnomeclock to create lnk_file in /etc |
|
- label /root/.pki as a home_cert_t |
|
- Add interface to make sure rpcbind.sock is created with the correct label |
|
- Add definition for new directory /var/lib/os-probe and bootloader wants to read udev rules |
|
- opendkim should be a part of milter |
|
- Allow libvirt to set the kernel sched algorythm |
|
- Allow mongod to read sysfs_t |
|
- Add authconfig policy |
|
- Remove calls to miscfiles_read_localization all domains get this |
|
- Allow virsh_t to read /root/.pki/ content |
|
- Add label for log directory under /var/www/stickshift |
|
|
|
* Mon Oct 29 2012 Miroslav Grepl <mgrepl@redhat.com> 3.11.1-47 |
|
- Allow getty to setattr on usb ttys |
|
- Allow sshd to search all directories for sshd_home_t content |
|
- Allow staff domains to send dbus messages to kdumpgui |
|
- Fix labels on /etc/.pwd.lock and friends to be passwd_file_t |
|
- Dontaudit setfiles reading urand |
|
- Add files_dontaudit_list_tmp() for domains to which we added sys_nice/setsched |
|
- Allow staff_gkeyringd_t to read /home/$USER/.local/share/keyrings dir |
|
- Allow systemd-timedated to read /dev/urandom |
|
- Allow entropyd_t to read proc_t (meminfo) |
|
- Add unconfined munin plugin |
|
- Fix networkmanager_read_conf() interface |
|
- Allow blueman to list /tmp which is needed by sys_nic/setsched |
|
- Fix label of /etc/mail/aliasesdb-stamp |
|
- numad is searching cgroups |
|
- realmd is communicating with networkmanager using dbus |
|
- Lots of fixes to try to get kdump to work |
|
|
|
* Fri Oct 26 2012 Miroslav Grepl <mgrepl@redhat.com> 3.11.1-46 |
|
- Allow loging programs to dbus chat with realmd |
|
- Make apache_content_template calling as optional |
|
- realmd is using policy kit |
|
|
|
* Fri Oct 26 2012 Miroslav Grepl <mgrepl@redhat.com> 3.11.1-45 |
|
- Add new selinuxuser_use_ssh_chroot boolean |
|
- dbus needs to be able to read/write inherited fixed disk device_t passed through it |
|
- Cleanup netutils process allow rule |
|
- Dontaudit leaked fifo files from openshift to ping |
|
- sanlock needs to read mnt_t lnk files |
|
- Fail2ban needs to setsched and sys_nice |
|
|
|
* Wed Oct 24 2012 Miroslav Grepl <mgrepl@redhat.com> 3.11.1-44 |
|
- Change default label of all files in /var/run/rpcbind |
|
- Allow sandbox domains (java) to read hugetlbfs_t |
|
- Allow awstats cgi content to create tmp files and read apache log files |
|
- Allow setuid/setgid for cupsd-config |
|
- Allow setsched/sys_nice pro cupsd-config |
|
- Fix /etc/localtime sym link to be labeled locale_t |
|
- Allow sshd to search postgresql db t since this is a homedir |
|
- Allow xwindows users to chat with realmd |
|
- Allow unconfined domains to configure all files and null_device_t service |
|
|
|
* Tue Oct 23 2012 Miroslav Grepl <mgrepl@redhat.com> 3.11.1-43 |
|
- Adopt pki-selinux policy |
|
|
|
* Mon Oct 22 2012 Miroslav Grepl <mgrepl@redhat.com> 3.11.1-42 |
|
- pki is leaking which we dontaudit until a pki code fix |
|
- Allow setcap for arping |
|
- Update man pages |
|
- Add labeling for /usr/sbin/mcollectived |
|
- pki fixes |
|
- Allow smokeping to execute fping in the netutils_t domain |
|
|
|
* Fri Oct 19 2012 Miroslav Grepl <mgrepl@redhat.com> 3.11.1-41 |
|
- Allow mount to relabelfrom unlabeled file systems |
|
- systemd_logind wants to send and receive messages from devicekit disk over dbus to make connected mouse working |
|
- Add label to get bin files under libreoffice labeled correctly |
|
- Fix interface to allow executing of base_ro_file_type |
|
- Add fixes for realmd |
|
- Update pki policy |
|
- Add tftp_homedir boolean |
|
- Allow blueman sched_setscheduler |
|
- openshift user domains wants to r/w ssh tcp sockets |
|
|
|
* Wed Oct 17 2012 Miroslav Grepl <mgrepl@redhat.com> 3.11.1-40 |
|
- Additional requirements for disable unconfined module when booting |
|
- Fix label of systemd script files |
|
- semanage can use -F /dev/stdin to get input |
|
- syslog now uses kerberos keytabs |
|
- Allow xserver to compromise_kernel access |
|
- Allow nfsd to write to mount_var_run_t when running the mount command |
|
- Add filename transition rule for bin_t directories |
|
- Allow files to read usr_t lnk_files |
|
- dhcpc wants chown |
|
- Add support for new openshift labeling |
|
- Clean up for tunable+optional statements |
|
- Add labeling for /usr/sbin/mkhomedir_helper |
|
- Allow antivirus domain to managa amavis spool files |
|
- Allow rpcbind_t to read passwd |
|
- Allow pyzor running as spamc to manage amavis spool |
|
|
|
|
|
* Tue Oct 16 2012 Miroslav Grepl <mgrepl@redhat.com> 3.11.1-39 |
|
- Add interfaces to read kernel_t proc info |
|
- Missed this version of exec_all |
|
- Allow anyone who can load a kernel module to compromise kernel |
|
- Add oddjob_dbus_chat to openshift apache policy |
|
- Allow chrome_sandbox_nacl_t to send signals to itself |
|
- Add unit file support to usbmuxd_t |
|
- Allow all openshift domains to read sysfs info |
|
- Allow openshift domains to getattr on all domains |
|
|
|
* Fri Oct 12 2012 Miroslav Grepl <mgrepl@redhat.com> 3.11.1-38 |
|
- MLS fixes from Dan |
|
- Fix name of capability2 secure_firmware->compromise_kerne |
|
|
|
* Thu Oct 11 2012 Miroslav Grepl <mgrepl@redhat.com> 3.11.1-37 |
|
- Allow xdm to search all file systems |
|
- Add interface to allow the config of all files |
|
- Add rngd policy |
|
- Remove kgpg as a gpg_exec_t type |
|
- Allow plymouthd to block suspend |
|
- Allow systemd_dbus to config any file |
|
- Allow system_dbus_t to configure all services |
|
- Allow freshclam_t to read usr_files |
|
- varnishd requires execmem to load modules |
|
|
|
* Thu Oct 11 2012 Miroslav Grepl <mgrepl@redhat.com> 3.11.1-36 |
|
- Allow semanage to verify types |
|
- Allow sudo domain to execute user home files |
|
- Allow session_bus_type to transition to user_tmpfs_t |
|
- Add dontaudit caused by yum updates |
|
- Implement pki policy but not activated |
|
|
|
* Wed Oct 10 2012 Miroslav Grepl <mgrepl@redhat.com> 3.11.1-35 |
|
- tuned wants to getattr on all filesystems |
|
- tuned needs also setsched. The build is needed for test day |
|
|
|
* Wed Oct 10 2012 Miroslav Grepl <mgrepl@redhat.com> 3.11.1-34 |
|
- Add policy for qemu-qa |
|
- Allow razor to write own config files |
|
- Add an initial antivirus policy to collect all antivirus program |
|
- Allow qdisk to read usr_t |
|
- Add additional caps for vmware_host |
|
- Allow tmpfiles_t to setattr on mandb_cache_t |
|
- Dontaudit leaked files into mozilla_plugin_config_t |
|
- Allow wdmd to getattr on tmpfs |
|
- Allow realmd to use /dev/random |
|
- allow containers to send audit messages |
|
- Allow root mount any file via loop device with enforcing mls policy |
|
- Allow tmpfiles_t to setattr on mandb_cache_t |
|
- Allow tmpfiles_t to setattr on mandb_cache_t |
|
- Make userdom_dontaudit_write_all_ not allow open |
|
- Allow init scripts to read all unit files |
|
- Add support for saphostctrl ports |
|
|
|
* Mon Oct 8 2012 Miroslav Grepl <mgrepl@redhat.com> 3.11.1-33 |
|
- Add kernel_read_system_state to sandbox_client_t |
|
- Add some of the missing access to kdumpgui |
|
- Allow systemd_dbusd_t to status the init system |
|
- Allow vmnet-natd to request the kernel to load a module |
|
- Allow gsf-office-thum to append .cache/gdm/session.log |
|
- realmd wants to read .config/dconf/user |
|
- Firewalld wants sys_nice/setsched |
|
- Allow tmpreaper to delete mandb cache files |
|
- Firewalld wants sys_nice/setsched |
|
- Allow firewalld to perform a DNS name resolution |
|
- Allown winbind to read /usr/share/samba/codepages/lowcase.dat |
|
- Add support for HTTPProxy* in /etc/freshclam.conf |
|
- Fix authlogin_yubike boolean |
|
- Extend smbd_selinux man page to include samba booleans |
|
- Allow dhcpc to execute consoletype |
|
- Allow ping to use inherited tmp files created in init scripts |
|
- On full relabel with unconfined domain disabled, initrc was running some chcon's |
|
- Allow people who delete man pages to delete mandb cache files |
|
|
|
* Thu Oct 4 2012 Miroslav Grepl <mgrepl@redhat.com> 3.11.1-32 |
|
- Add missing permissive domains |
|
|
|
* Thu Oct 4 2012 Miroslav Grepl <mgrepl@redhat.com> 3.11.1-31 |
|
- Add new mandb policy |
|
- ALlow systemd-tmpfiles_t to relabel mandb_cache_t |
|
- Allow logrotate to start all unit files |
|
|
|
* Thu Oct 4 2012 Miroslav Grepl <mgrepl@redhat.com> 3.11.1-30 |
|
- Add fixes for ctbd |
|
- Allow nmbd to stream connect to ctbd |
|
- Make cglear_t as nsswitch_domain |
|
- Fix bogus in interfaces |
|
- Allow openshift to read/write postfix public pipe |
|
- Add postfix_manage_spool_maildrop_files() interface |
|
- stickshift paths have been renamed to openshift |
|
- gnome-settings-daemon wants to write to /run/systemd/inhibit/ pipes |
|
- Update man pages, adding ENTRYPOINTS |
|
|
|
* Tue Oct 2 2012 Miroslav Grepl <mgrepl@redhat.com> 3.11.1-29 |
|
- Add mei_device_t |
|
- Make sure gpg content in homedir created with correct label |
|
- Allow dmesg to write to abrt cache files |
|
- automount wants to search virtual memory sysctls |
|
- Add support for hplip logs stored in /var/log/hp/tmp |
|
- Add labeling for /etc/owncloud/config.php |
|
- Allow setroubleshoot to send analysys to syslogd-journal |
|
- Allow virsh_t to interact with new fenced daemon |
|
- Allow gpg to write to /etc/mail/spamassassiin directories |
|
- Make dovecot_deliver_t a mail server delivery type |
|
- Add label for /var/tmp/DNS25 |
|
|
|
* Thu Sep 27 2012 Miroslav Grepl <mgrepl@redhat.com> 3.11.1-28 |
|
- Fixes for tomcat_domain template interface |
|
|
|
* Thu Sep 27 2012 Miroslav Grepl <mgrepl@redhat.com> 3.11.1-27 |
|
- Remove init_systemd and init_upstart boolean, Move init_daemon_domain and init_system_domain to use attributes |
|
- Add attribute to all base os types. Allow all domains to read all ro base OS types |
|
|
|
* Wed Sep 26 2012 Miroslav Grepl <mgrepl@redhat.com> 3.11.1-26 |
|
- Additional unit files to be defined as power unit files |
|
- Fix more boolean names |
|
|
|
* Tue Sep 25 2012 Miroslav Grepl <mgrepl@redhat.com> 3.11.1-25 |
|
- Fix boolean name so subs will continue to work |
|
|
|
* Tue Sep 25 2012 Miroslav Grepl <mgrepl@redhat.com> 3.11.1-24 |
|
- dbus needs to start getty unit files |
|
- Add interface to allow system_dbusd_t to start the poweroff service |
|
- xdm wants to exec telepathy apps |
|
- Allow users to send messages to systemdlogind |
|
- Additional rules needed for systemd and other boot apps |
|
- systemd wants to list /home and /boot |
|
- Allow gkeyringd to write dbus/conf file |
|
- realmd needs to read /dev/urand |
|
- Allow readahead to delete /.readahead if labeled root_t, might get created before policy is loaded |
|
|
|
* Thu Sep 20 2012 Miroslav Grepl <mgrepl@redhat.com> 3.11.1-23 |
|
- Fixes to safe more rules |
|
- Re-write tomcat_domain_template() |
|
- Fix passenger labeling |
|
- Allow all domains to read man pages |
|
- Add ephemeral_port_t to the 'generic' port interfaces |
|
- Fix the names of postgresql booleans |
|
|
|
* Tue Sep 18 2012 Miroslav Grepl <mgrepl@redhat.com> 3.11.1-22 |
|
- Stop using attributes form netlabel_peer and syslog, auth_use_nsswitch setsup netlabel_peer |
|
- Move netlable_peer check out of booleans |
|
- Remove call to recvfrom_netlabel for kerberos call |
|
- Remove use of attributes when calling syslog call |
|
- Move -miscfiles_read_localization to domain.te to save hundreds of allow rules |
|
- Allow all domains to read locale files. This eliminates around 1500 allow rules- Cleanup nis_use_ypbind_uncond interface |
|
- Allow rndc to block suspend |
|
- tuned needs to modify the schedule of the kernel |
|
- Allow svirt_t domains to read alsa configuration files |
|
- ighten security on irc domains and make sure they label content in homedir correctly |
|
- Add filetrans_home_content for irc files |
|
- Dontaudit all getattr access for devices and filesystems for sandbox domains |
|
- Allow stapserver to search cgroups directories |
|
- Allow all postfix domains to talk to spamd |
|
|
|
* Mon Sep 17 2012 Miroslav Grepl <mgrepl@redhat.com> 3.11.1-21 |
|
- Add interfaces to ignore setattr until kernel fixes this to be checked after the DAC check |
|
- Change pam_t to pam_timestamp_t |
|
- Add dovecot_domain attribute and allow this attribute block_suspend capability2 |
|
- Add sanlock_use_fusefs boolean |
|
- numad wants send/recieve msg |
|
- Allow rhnsd to send syslog msgs |
|
- Make piranha-pulse as initrc domain |
|
- Update openshift instances to dontaudit setattr until the kernel is fixed. |
|
|
|
* Fri Sep 14 2012 Miroslav Grepl <mgrepl@redhat.com> 3.11.1-20 |
|
- Fix auth_login_pgm_domain() interface to allow domains also managed user tmp dirs because of #856880 related to pam_systemd |
|
- Remove pam_selinux.8 which conflicts with man page owned by the pam package |
|
- Allow glance-api to talk to mysql |
|
- ABRT wants to read Xorg.0.log if if it detects problem with Xorg |
|
- Fix gstreamer filename trans. interface |
|
|
|
* Thu Sep 13 2012 Miroslav Grepl <mgrepl@redhat.com> 3.11.1-19 |
|
- Man page fixes by Dan Walsh |
|
|
|
* Tue Sep 11 2012 Miroslav Grepl <mgrepl@redhat.com> 3.11.1-18 |
|
- Allow postalias to read postfix config files |
|
- Allow man2html to read man pages |
|
- Allow rhev-agentd to search all mountpoints |
|
- Allow rhsmcertd to read /dev/random |
|
- Add tgtd_stream_connect() interface |
|
- Add cyrus_write_data() interface |
|
- Dontaudit attempts by sandboxX clients connectiing to the xserver_port_t |
|
- Add port definition for tcp/81 as http_port_t |
|
- Fix /dev/twa labeling |
|
- Allow systemd to read modules config |
|
|
|
* Mon Sep 10 2012 Miroslav Grepl <mgrepl@redhat.com> 3.11.1-17 |
|
- Merge openshift policy |
|
- Allow xauth to read /dev/urandom |
|
- systemd needs to relabel content in /run/systemd directories |
|
- Files unconfined should be able to perform all services on all files |
|
- Puppet tmp file can be leaked to all domains |
|
- Dontaudit rhsmcertd-worker to search /root/.local |
|
- Allow chown capability for zarafa domains |
|
- Allow system cronjobs to runcon into openshift domains |
|
- Allow virt_bridgehelper_t to manage content in the svirt_home_t labeled directories |
|
|
|
* Fri Sep 7 2012 Miroslav Grepl <mgrepl@redhat.com> 3.11.1-16 |
|
- nmbd wants to create /var/nmbd |
|
- Stop transitioning out of anaconda and firstboot, just causes AVC messages |
|
- Allow clamscan to read /etc files |
|
- Allow bcfg2 to bind cyphesis port |
|
- heartbeat should be run as rgmanager_t instead of corosync_t |
|
- Add labeling for /etc/openldap/certs |
|
- Add labeling for /opt/sartest directory |
|
- Make crontab_t as userdom home reader |
|
- Allow tmpreaper to list admin_home dir |
|
- Add defition for imap_0 replay cache file |
|
- Add support for gitolite3 |
|
- Allow virsh_t to send syslog messages |
|
- allow domains that can read samba content to be able to list the directories also |
|
- Add realmd_dbus_chat to allow all apps that use nsswitch to talk to realmd |
|
- Separate out sandbox from sandboxX policy so we can disable it by default |
|
- Run dmeventd as lvm_t |
|
- Mounting on any directory requires setattr and write permissions |
|
- Fix use_nfs_home_dirs() boolean |
|
- New labels for pam_krb5 |
|
- Allow init and initrc domains to sys_ptrace since this is needed to look at processes not owned by uid 0 |
|
- Add realmd_dbus_chat to allow all apps that use nsswitch to talk to realmd |
|
|
|
* Fri Aug 31 2012 Dan Walsh <dwalsh@redhat.com> 3.11.1-15 |
|
- Separate sandbox policy into sandbox and sandboxX, and disable sandbox by default on fresh installs |
|
- Allow domains that can read etc_t to read etc_runtime_t |
|
- Allow all domains to use inherited tmpfiles |
|
|
|
* Wed Aug 29 2012 Miroslav Grepl <mgrepl@redhat.com> 3.11.1-14 |
|
- Allow realmd to read resolv.conf |
|
- Add pegasus_cache_t type |
|
- Label /usr/sbin/fence_virtd as virsh_exec_t |
|
- Add policy for pkcsslotd |
|
- Add support for cpglockd |
|
- Allow polkit-agent-helper to read system-auth-ac |
|
- telepathy-idle wants to read gschemas.compiled |
|
- Allow plymouthd to getattr on fs_t |
|
- Add slpd policy |
|
- Allow ksysguardproces to read/write config_usr_t |
|
|
|
* Sat Aug 25 2012 Dan Walsh <dwalsh@redhat.com> 3.11.1-13 |
|
- Fix labeling substitution so rpm will label /lib/systemd content correctly |
|
|
|
* Fri Aug 24 2012 Miroslav Grepl <mgrepl@redhat.com> 3.11.1-12 |
|
- Add file name transitions for ttyACM0 |
|
- spice-vdagent(d)'s are going to log over to syslog |
|
- Add sensord policy |
|
- Add more fixes for passenger policy related to puppet |
|
- Allow wdmd to create wdmd_tmpfs_t |
|
- Fix labeling for /var/run/cachefilesd\.pid |
|
- Add thumb_tmpfs_t files type |
|
|
|
* Mon Aug 20 2012 Miroslav Grepl <mgrepl@redhat.com> 3.11.1-11 |
|
- Allow svirt domains to manage the network since this is containerized |
|
- Allow svirt_lxc_net_t to send audit messages |
|
|
|
* Mon Aug 20 2012 Miroslav Grepl <mgrepl@redhat.com> 3.11.1-10 |
|
- Make "snmpwalk -mREDHAT-CLUSTER-MIB ...." working |
|
- Allow dlm_controld to execute dlm_stonith labeled as bin_t |
|
- Allow GFS2 working on F17 |
|
- Abrt needs to execute dmesg |
|
- Allow jockey to list the contents of modeprobe.d |
|
- Add policy for lightsquid as squid_cron_t |
|
- Mailscanner is creating files and directories in /tmp |
|
- dmesg is now reading /dev/kmsg |
|
- Allow xserver to communicate with secure_firmware |
|
- Allow fsadm tools (fsck) to read /run/mount contnet |
|
- Allow sysadm types to read /dev/kmsg |
|
- |
|
|
|
* Thu Aug 16 2012 Dan Walsh <dwalsh@redhat.com> 3.11.1-9 |
|
- Allow postfix, sssd, rpcd to block_suspend |
|
- udev seems to need secure_firmware capability |
|
- Allow virtd to send dbus messages to firewalld so it can configure the firewall |
|
|
|
* Thu Aug 16 2012 Dan Walsh <dwalsh@redhat.com> 3.11.1-8 |
|
- Fix labeling of content in /run created by virsh_t |
|
- Allow condor domains to read kernel sysctls |
|
- Allow condor_master to connect to amqp |
|
- Allow thumb drives to create shared memory and semaphores |
|
- Allow abrt to read mozilla_plugin config files |
|
- Add labels for lightsquid |
|
- Default files in /opt and /usr that end in .cgi as httpd_sys_script_t, allow |
|
- dovecot_auth_t uses ldap for user auth |
|
- Allow domains that can read dhcp_etc_t to read lnk_files |
|
- Add more then one watchdog device |
|
- Allow useradd_t to manage etc_t files so it can rename it and edit them |
|
- Fix invalid class dir should be fifo_file |
|
- Move /run/blkid to fsadm and make sure labeling is correct |
|
|
|
* Tue Aug 14 2012 Dan Walsh <dwalsh@redhat.com> 3.11.1-7 |
|
- Fix bogus regex found by eparis |
|
- Fix manage run interface since lvm needs more access |
|
- syslogd is searching cgroups directory |
|
- Fixes to allow virt-sandbox-service to manage lxc var run content |
|
|
|
* Mon Aug 13 2012 Dan Walsh <dwalsh@redhat.com> 3.11.1-6 |
|
- Fix Boolean settings |
|
- Add new libjavascriptcoregtk as textrel_shlib_t |
|
- Allow xdm_t to create xdm_home_t directories |
|
- Additional access required for systemd |
|
- Dontaudit mozilla_plugin attempts to ipc_lock |
|
- Allow tmpreaper to delete unlabeled files |
|
- Eliminate screen_tmp_t and allow it to manage user_tmp_t |
|
- Dontaudit mozilla_plugin_config_t to append to leaked file descriptors |
|
- Allow web plugins to connect to the asterisk ports |
|
- Condor will recreate the lock directory if it does not exist |
|
- Oddjob mkhomedir needs to connectto user processes |
|
- Make oddjob_mkhomedir_t a userdom home manager |
|
|
|
* Thu Aug 9 2012 Miroslav Grepl <mgrepl@redhat.com> 3.11.1-5 |
|
- Put placeholder back in place for proper numbering of capabilities |
|
- Systemd also configures init scripts |
|
|
|
* Thu Aug 9 2012 Miroslav Grepl <mgrepl@redhat.com> 3.11.1-4 |
|
- Fix ecryptfs interfaces |
|
- Bootloader seems to be trolling around /dev/shm and /dev |
|
- init wants to create /etc/systemd/system-update.target.wants |
|
- Fix systemd_filetrans call to move it out of tunable |
|
- Fix up policy to work with systemd userspace manager |
|
- Add secure_firmware capability and remove bogus epolwakeup |
|
- Call seutil_*_login_config interfaces where should be needed |
|
- Allow rhsmcertd to send signal to itself |
|
- Allow thin domains to send signal to itself |
|
- Allow Chrome_ChildIO to read dosfs_t |
|
|
|
* Tue Aug 7 2012 Miroslav Grepl <mgrepl@redhat.com> 3.11.1-3 |
|
- Add role rules for realmd, sambagui |
|
|
|
* Tue Aug 7 2012 Miroslav Grepl <mgrepl@redhat.com> 3.11.1-2 |
|
- Add new type selinux_login_config_t for /etc/selinux/<type>/logins/ |
|
- Additional fixes for seutil_manage_module_store() |
|
- dbus_system_domain() should be used with optional_policy |
|
- Fix svirt to be allowed to use fusefs file system |
|
- Allow login programs to read /run/ data created by systemd_login |
|
- sssd wants to write /etc/selinux/<policy>/logins/ for SELinux PAM module |
|
- Fix svirt to be allowed to use fusefs file system |
|
- Allow piranha domain to use nsswitch |
|
- Sanlock needs to send Kill Signals to non root processes |
|
- Pulseaudio wants to execute /run/user/PID/.orc |
|
|
|
* Fri Aug 3 2012 Miroslav Grepl <mgrepl@redhat.com> 3.11.1-1 |
|
- Fix saslauthd when it tries to read /etc/shadow |
|
- Label gnome-boxes as a virt homedir |
|
- Need to allow svirt_t ability to getattr on nfs_t file systems |
|
- Update sanlock policy to solve all AVC's |
|
- Change confined users can optionally manage virt content |
|
- Handle new directories under ~/.cache |
|
- Add block suspend to appropriate domains |
|
- More rules required for containers |
|
- Allow login programs to read /run/ data created by systemd_logind |
|
- Allow staff users to run svirt_t processes |
|
|
|
* Thu Aug 2 2012 Miroslav Grepl <mgrepl@redhat.com> 3.11.1-0 |
|
- Update to upstream |
|
|
|
* Mon Jul 30 2012 Miroslav Grepl <mgrepl@redhat.com> 3.11.0-15 |
|
- More fixes for systemd to make rawhide booting from Dan Walsh |
|
|
|
* Mon Jul 30 2012 Miroslav Grepl <mgrepl@redhat.com> 3.11.0-14 |
|
- Add systemd fixes to make rawhide booting |
|
|
|
* Fri Jul 27 2012 Miroslav Grepl <mgrepl@redhat.com> 3.11.0-13 |
|
- Add systemd_logind_inhibit_var_run_t attribute |
|
- Remove corenet_all_recvfrom_unlabeled() for non-contrib policies because we moved it to domain.if for all domain_type |
|
- Add interface for mysqld to dontaudit signull to all processes |
|
- Label new /var/run/journal directory correctly |
|
- Allow users to inhibit suspend via systemd |
|
- Add new type for the /var/run/inhibit directory |
|
- Add interface to send signull to systemd_login so avahi can send them |
|
- Allow systemd_passwd to send syslog messages |
|
- Remove corenet_all_recvfrom_unlabeled() calling fro policy files |
|
- Allow editparams.cgi running as httpd_bugzilla_script_t to read /etc/group |
|
- Allow smbd to read cluster config |
|
- Add additional labeling for passenger |
|
- Allow dbus to inhibit suspend via systemd |
|
- Allow avahi to send signull to systemd_login |
|
|
|
* Mon Jul 23 2012 Miroslav Grepl <mgrepl@redhat.com> 3.11.0-12 |
|
- Add interface to dontaudit getattr access on sysctls |
|
- Allow sshd to execute /bin/login |
|
- Looks like xdm is recreating the xdm directory in ~/.cache/ on login |
|
- Allow syslog to use the leaked kernel_t unix_dgram_socket from system-jounald |
|
- Fix semanage to work with unconfined domain disabled on F18 |
|
- Dontaudit attempts by mozilla plugins to getattr on all kernel sysctls |
|
- Virt seems to be using lock files |
|
- Dovecot seems to be searching directories of every mountpoint |
|
- Allow jockey to read random/urandom, execute shell and install third-party drivers |
|
- Add aditional params to allow cachedfiles to manage its content |
|
- gpg agent needs to read /dev/random |
|
- The kernel hands an svirt domains /SYSxxxxx which is a tmpfs that httpd wants to read and write |
|
- Add a bunch of dontaudit rules to quiet svirt_lxc domains |
|
- Additional perms needed to run svirt_lxc domains |
|
- Allow cgclear to read cgconfig |
|
- Allow sys_ptrace capability for snmp |
|
- Allow freshclam to read /proc |
|
- Allow procmail to manage /home/user/Maildir content |
|
- Allow NM to execute wpa_cli |
|
- Allow amavis to read clamd system state |
|
- Regenerate man pages |
|
|
|
* Sat Jul 21 2012 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 3.11.0-11 |
|
- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild |
|
|
|
* Mon Jul 16 2012 Miroslav Grepl <mgrepl@redhat.com> 3.11.0-10 |
|
- Add realmd and stapserver policies |
|
- Allow useradd to manage stap-server lib files |
|
- Tighten up capabilities for confined users |
|
- Label /etc/security/opasswd as shadow_t |
|
- Add label for /dev/ecryptfs |
|
- Allow condor_startd_t to start sshd with the ranged |
|
- Allow lpstat.cups to read fips_enabled file |
|
- Allow pyzor running as spamc_t to create /root/.pyzor directory |
|
- Add labelinf for amavisd-snmp init script |
|
- Add support for amavisd-snmp |
|
- Allow fprintd sigkill self |
|
- Allow xend (w/o libvirt) to start virtual machines |
|
- Allow aiccu to read /etc/passwd |
|
- Allow condor_startd to Make specified domain MCS trusted for setting any category set for the processes it executes |
|
- Add condor_startd_ranged_domtrans_to() interface |
|
- Add ssd_conf_t for /etc/sssd |
|
- accountsd needs to fchown some files/directories |
|
- Add ICACLient and zibrauserdata as mozilla_filetrans_home_content |
|
- SELinux reports afs_t needs dac_override to read /etc/mtab, even though everything works, adding dontaudit |
|
- Allow xend_t to read the /etc/passwd file |
|
|
|
* Wed Jul 11 2012 Miroslav Grepl <mgrepl@redhat.com> 3.11.0-9 |
|
- Until we figure out how to fix systemd issues, allow all apps that send syslog messages to send them to kernel_t |
|
- Add init_access_check() interface |
|
- Fix label on /usr/bin/pingus to not be labeled as ping_exec_t |
|
- Allow tcpdump to create a netlink_socket |
|
- Label newusers like useradd |
|
- Change xdm log files to be labeled xdm_log_t |
|
- Allow sshd_t with privsep to work in MLS |
|
- Allow freshclam to update databases thru HTTP proxy |
|
- Allow s-m-config to access check on systemd |
|
- Allow abrt to read public files by default |
|
- Fix amavis_create_pid_files() interface |
|
- Add labeling and filename transition for dbomatic.log |
|
- Allow system_dbusd_t to stream connect to bluetooth, and use its socket |
|
- Allow amavisd to execute fsav |
|
- Allow tuned to use sys_admin and sys_nice capabilities |
|
- Add php-fpm policy from Bryan |
|
- Add labeling for aeolus-configserver-thinwrapper |
|
- Allow thin domains to execute shell |
|
- Fix gnome_role_gkeyringd() interface description |
|
- Lot of interface fixes |
|
- Allow OpenMPI job running as condor_startd_ssh_t to manage condor lib files |
|
- Allow OpenMPI job to use kerberos |
|
- Make deltacloudd_t as nsswitch_domain |
|
- Allow xend_t to run lsscsi |
|
- Allow qemu-dm running as xend_t to create tun_socket |
|
- Add labeling for /opt/brother/Printers(.*/)?inf |
|
- Allow jockey-backend to read pyconfig-64.h labeled as usr_t |
|
- Fix clamscan_can_scan_system boolean |
|
- Allow lpr to connectto to /run/user/$USER/keyring-22uREb/pkcs11 |
|
|
|
* Tue Jul 3 2012 Miroslav Grepl <mgrepl@redhat.com> 3.11.0-8 |
|
- initrc is calling exportfs which is not confined so it attempts to read nfsd_files |
|
- Fixes for passenger running within openshift. |
|
- Add labeling for all tomcat6 dirs |
|
- Add support for tomcat6 |
|
- Allow cobblerd to read /etc/passwd |
|
- Allow jockey to read sysfs and and execute binaries with bin_t |
|
- Allow thum to use user terminals |
|
- Allow cgclear to read cgconfig config files |
|
- Fix bcf2g.fc |
|
- Remove sysnet_dns_name_resolve() from policies where auth_use_nsswitch() is used for other domains |
|
- Allow dbomatic to execute ruby |
|
- abrt_watch_log should be abrt_domain |
|
- Allow mozilla_plugin to connect to gatekeeper port |
|
|
|
* Wed Jun 27 2012 Miroslav Grepl <mgrepl@redhat.com> 3.11.0-7 |
|
- add ptrace_child access to process |
|
- remove files_read_etc_files() calling from all policies which have auth_use_nsswith() |
|
- Allow boinc domains to manage boinc_lib_t lnk_files |
|
- Add support for boinc-client.service unit file |
|
- Add support for boinc.log |
|
- Allow mozilla_plugin execmod on mozilla home files if allow_ex |
|
- Allow dovecot_deliver_t to read dovecot_var_run_t |
|
- Allow ldconfig and insmod to manage kdumpctl tmp files |
|
- Move thin policy out from cloudform.pp and add a new thin poli |
|
- pacemaker needs to communicate with corosync streams |
|
- abrt is now started on demand by dbus |
|
- Allow certmonger to talk directly to Dogtag servers |
|
- Change labeling for /var/lib/cobbler/webui_sessions to httpd_c |
|
- Allow mozila_plugin to execute gstreamer home files |
|
- Allow useradd to delete all file types stored in the users hom |
|
- rhsmcertd reads the rpm database |
|
- Add support for lightdm |
|
|
|
|
|
* Mon Jun 25 2012 Miroslav Grepl <mgrepl@redhat.com> 3.11.0-6 |
|
- Add tomcat policy |
|
- Remove pyzor/razor policy |
|
- rhsmcertd reads the rpm database |
|
- Dontaudit thumb to setattr on xdm_tmp dir |
|
- Allow wicd to execute ldconfig in the networkmanager_t domain |
|
- Add /var/run/cherokee\.pid labeling |
|
- Allow mozilla_plugin to create mozilla_plugin_tmp_t lnk files too |
|
- Allow postfix-master to r/w pipes other postfix domains |
|
- Allow snort to create netlink_socket |
|
- Add kdumpctl policy |
|
- Allow firstboot to create tmp_t files/directories |
|
- /usr/bin/paster should not be labeled as piranha_exec_t |
|
- remove initrc_domain from tomcat |
|
- Allow ddclient to read /etc/passwd |
|
- Allow useradd to delete all file types stored in the users homedir |
|
- Allow ldconfig and insmod to manage kdumpctl tmp files |
|
- Firstboot should be just creating tmp_t dirs and xauth should be allowed to write to those |
|
- Transition xauth files within firstboot_tmp_t |
|
- Fix labeling of /run/media to match /media |
|
- Label all lxdm.log as xserver_log_t |
|
- Add port definition for mxi port |
|
- Allow local_login_t to execute tmux |
|
|
|
* Tue Jun 19 2012 Miroslav Grepl <mgrepl@redhat.com> 3.11.0-5 |
|
- apcupsd needs to read /etc/passwd |
|
- Sanlock allso sends sigkill |
|
- Allow glance_registry to connect to the mysqld port |
|
- Dontaudit mozilla_plugin trying to getattr on /dev/gpmctl |
|
- Allow firefox plugins/flash to connect to port 1234 |
|
- Allow mozilla plugins to delete user_tmp_t files |
|
- Add transition name rule for printers.conf.O |
|
- Allow virt_lxc_t to read urand |
|
- Allow systemd_loigind to list gstreamer_home_dirs |
|
- Fix labeling for /usr/bin |
|
- Fixes for cloudform services |
|
* support FIPS |
|
- Allow polipo to work as web caching |
|
- Allow chfn to execute tmux |
|
|
|
* Fri Jun 15 2012 Miroslav Grepl <mgrepl@redhat.com> 3.11.0-4 |
|
- Add support for ecryptfs |
|
* ecryptfs does not support xattr |
|
* we need labeling for HOMEDIR |
|
- Add policy for (u)mount.ecryptfs* |
|
- Fix labeling of kerbero host cache files, allow rpc.svcgssd to manage host cache |
|
- Allow dovecot to manage Maildir content, fix transitions to Maildir |
|
- Allow postfix_local to transition to dovecot_deliver |
|
- Dontaudit attempts to setattr on xdm_tmp_t, looks like bogus code |
|
- Cleanup interface definitions |
|
- Allow apmd to change with the logind daemon |
|
- Changes required for sanlock in rhel6 |
|
- Label /run/user/apache as httpd_tmp_t |
|
- Allow thumb to use lib_t as execmod if boolean turned on |
|
- Allow squid to create the squid directory in /var with the correct labe |
|
- Add a new policy for glusterd from Bryan Bickford (bbickfor@redhat.com) |
|
- Allow virtd to exec xend_exec_t without transition |
|
- Allow virtd_lxc_t to unmount all file systems |
|
|
|
* Tue Jun 12 2012 Miroslav Grepl <mgrepl@redhat.com> 3.11.0-3 |
|
- PolicyKit path has changed |
|
- Allow httpd connect to dirsrv socket |
|
- Allow tuned to write generic kernel sysctls |
|
- Dontaudit logwatch to gettr on /dev/dm-2 |
|
- Allow policykit-auth to manage kerberos files |
|
- Make condor_startd and rgmanager as initrc domain |
|
- Allow virsh to read /etc/passwd |
|
- Allow mount to mount on user_tmp_t for /run/user/dwalsh/gvfs |
|
- xdm now needs to execute xsession_exec_t |
|
- Need labels for /var/lib/gdm |
|
- Fix files_filetrans_named_content() interface |
|
- Add new attribute - initrc_domain |
|
- Allow systemd_logind_t to signal, signull, sigkill all processes |
|
- Add filetrans rules for etc_runtime files |
|
|
|
* Sat Jun 9 2012 Miroslav Grepl <mgrepl@redhat.com> 3.11.0-2 |
|
- Rename boolean names to remove allow_ |
|
|
|
* Thu Jun 7 2012 Miroslav Grepl <mgrepl@redhat.com> 3.11.0-1 |
|
- Mass merge with upstream |
|
* new policy topology to include contrib policy modules |
|
* we have now two base policy patches |
|
|
|
* Wed May 30 2012 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-128 |
|
- Fix description of authlogin_nsswitch_use_ldap |
|
- Fix transition rule for rhsmcertd_t needed for RHEL7 |
|
- Allow useradd to list nfs state data |
|
- Allow openvpn to manage its log file and directory |
|
- We want vdsm to transition to mount_t when executing mount command to make sure /etc/mtab remains labeled correctly |
|
- Allow thumb to use nvidia devices |
|
- Allow local_login to create user_tmp_t files for kerberos |
|
- Pulseaudio needs to read systemd_login /var/run content |
|
- virt should only transition named system_conf_t config files |
|
- Allow munin to execute its plugins |
|
- Allow nagios system plugin to read /etc/passwd |
|
- Allow plugin to connect to soundd port |
|
- Fix httpd_passwd to be able to ask passwords |
|
- Radius servers can use ldap for backing store |
|
- Seems to need to mount on /var/lib for xguest polyinstatiation to work. |
|
- Allow systemd_logind to list the contents of gnome keyring |
|
- VirtualGL need xdm to be able to manage content in /etc/opt/VirtualGL |
|
- Add policy for isns-utils |
|
|
|
* Mon May 28 2012 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-127 |
|
- Add policy for subversion daemon |
|
- Allow boinc to read passwd |
|
- Allow pads to read kernel network state |
|
- Fix man2html interface for sepolgen-ifgen |
|
- Remove extra /usr/lib/systemd/system/smb |
|
- Remove all /lib/systemd and replace with /usr/lib/systemd |
|
- Add policy for man2html |
|
- Fix the label of kerberos_home_t to krb5_home_t |
|
- Allow mozilla plugins to use Citrix |
|
- Allow tuned to read /proc/sys/kernel/nmi_watchdog |
|
- Allow tune /sys options via systemd's tmpfiles.d "w" type |
|
|
|
* Wed May 23 2012 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-126 |
|
- Dontaudit lpr_t to read/write leaked mozilla tmp files |
|
- Add file name transition for .grl-podcasts directory |
|
- Allow corosync to read user tmp files |
|
- Allow fenced to create snmp lib dirs/files |
|
- More fixes for sge policy |
|
- Allow mozilla_plugin_t to execute any application |
|
- Allow dbus to read/write any open file descriptors to any non security file on the system that it inherits to that it can pass them to another domain |
|
- Allow mongod to read system state information |
|
- Fix wrong type, we should dontaudit sys_admin for xdm_t not xserver_t |
|
- Allow polipo to manage polipo_cache dirs |
|
- Add jabbar_client port to mozilla_plugin_t |
|
- Cleanup procmail policy |
|
- system bus will pass around open file descriptors on files that do not have labels on them |
|
- Allow l2tpd_t to read system state |
|
- Allow tuned to run ls /dev |
|
- Allow sudo domains to read usr_t files |
|
- Add label to machine-id |
|
- Fix corecmd_read_bin_symlinks cut and paste error |
|
|
|
* Wed May 16 2012 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-125 |
|
- Fix pulseaudio port definition |
|
- Add labeling for condor_starter |
|
- Allow chfn_t to creat user_tmp_files |
|
- Allow chfn_t to execute bin_t |
|
- Allow prelink_cron_system_t to getpw calls |
|
- Allow sudo domains to manage kerberos rcache files |
|
- Allow user_mail_domains to work with courie |
|
- Port definitions necessary for running jboss apps within openshift |
|
- Add support for openstack-nova-metadata-api |
|
- Add support for nova-console* |
|
- Add support for openstack-nova-xvpvncproxy |
|
- Fixes to make privsep+SELinux working if we try to use chage to change passwd |
|
- Fix auth_role() interface |
|
- Allow numad to read sysfs |
|
- Allow matahari-rpcd to execute shell |
|
- Add label for ~/.spicec |
|
- xdm is executing lspci as root which is requesting a sys_admin priv but seems to succeed without it |
|
- Devicekit_disk wants to read the logind sessions file when writing a cd |
|
- Add fixes for condor to make condor jobs working correctly |
|
- Change label of /var/log/rpmpkgs to cron_log_t |
|
- Access requires to allow systemd-tmpfiles --create to work. |
|
- Fix obex to be a user application started by the session bus. |
|
- Add additional filename trans rules for kerberos |
|
- Fix /var/run/heartbeat labeling |
|
- Allow apps that are managing rcache to file trans correctly |
|
- Allow openvpn to authenticate against ldap server |
|
- Containers need to listen to network starting and stopping events |
|
|
|
* Wed May 9 2012 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-124 |
|
- Make systemd unit files less specific |
|
|
|
* Tue May 8 2012 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-123 |
|
- Fix zarafa labeling |
|
- Allow guest_t to fix labeling |
|
- corenet_tcp_bind_all_unreserved_ports(ssh_t) should be called with the user_tcp_server boolean |
|
- add lxc_contexts |
|
- Allow accountsd to read /proc |
|
- Allow restorecond to getattr on all file sytems |
|
- tmpwatch now calls getpw |
|
- Allow apache daemon to transition to pwauth domain |
|
- Label content under /var/run/user/NAME/keyring* as gkeyringd_tmp_t |
|
- The obex socket seems to be a stream socket |
|
- dd label for /var/run/nologin |
|
|
|
* Mon May 7 2012 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-122 |
|
- Allow jetty running as httpd_t to read hugetlbfs files |
|
- Allow sys_nice and setsched for rhsmcertd |
|
- Dontaudit attempts by mozilla_plugin_t to bind to ssdp ports |
|
- Allow setfiles to append to xdm_tmp_t |
|
- Add labeling for /export as a usr_t directory |
|
- Add labels for .grl files created by gstreamer |
|
|
|
* Fri May 4 2012 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-121 |
|
- Add labeling for /usr/share/jetty/bin/jetty.sh |
|
- Add jetty policy which contains file type definitios |
|
- Allow jockey to use its own fifo_file and make this the default for all domains |
|
- Allow mozilla_plugins to use spice (vnc_port/couchdb) |
|
- asterisk wants to read the network state |
|
- Blueman now uses /var/lib/blueman- Add label for nodejs_debug |
|
- Allow mozilla_plugin_t to create ~/.pki directory and content |
|
|
|
* Wed May 2 2012 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-120 |
|
- Add clamscan_can_scan_system boolean |
|
- Allow mysqld to read kernel network state |
|
- Allow sshd to read/write condor lib files |
|
- Allow sshd to read/write condor-startd tcp socket |
|
- Fix description on httpd_graceful_shutdown |
|
- Allow glance_registry to communicate with mysql |
|
- dbus_system_domain is using systemd to lauch applications |
|
- add interfaces to allow domains to send kill signals to user mail agents |
|
- Remove unnessary access for svirt_lxc domains, add privs for virtd_lxc_t |
|
- Lots of new access required for secure containers |
|
- Corosync needs sys_admin capability |
|
- ALlow colord to create shm |
|
- .orc should be allowed to be created by any app that can create gstream home content, thumb_t to be specific |
|
- Add boolean to control whether or not mozilla plugins can create random content in the users homedir |
|
- Add new interface to allow domains to list msyql_db directories, needed for libra |
|
- shutdown has to be allowed to delete etc_runtime_t |
|
- Fail2ban needs to read /etc/passwd |
|
- Allow ldconfig to create /var/cache/ldconfig |
|
- Allow tgtd to read hardware state information |
|
- Allow collectd to create packet socket |
|
- Allow chronyd to send signal to itself |
|
- Allow collectd to read /dev/random |
|
- Allow collectd to send signal to itself |
|
- firewalld needs to execute restorecon |
|
- Allow restorecon and other login domains to execute restorecon |
|
|
|
* Tue Apr 24 2012 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-119 |
|
- Allow logrotate to getattr on systemd unit files |
|
- Add support for tor systemd unit file |
|
- Allow apmd to create /var/run/pm-utils with the correct label |
|
- Allow l2tpd to send sigkill to pppd |
|
- Allow pppd to stream connect to l2tpd |
|
- Add label for scripts in /etc/gdm/ |
|
- Allow systemd_logind_t to ignore mcs constraints on sigkill |
|
- Fix files_filetrans_system_conf_named_files() interface |
|
- Add labels for /usr/share/wordpress/wp-includes/*.php |
|
- Allow cobbler to get SELinux mode and booleans |
|
|
|
* Mon Apr 23 2012 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-118 |
|
- Add unconfined_execmem_exec_t as an alias to bin_t |
|
- Allow fenced to read snmp var lib files, also allow it to read usr_t |
|
- ontaudit access checks on all executables from mozilla_plugin |
|
- Allow all user domains to setexec, so that sshd will work properly if it call setexec(NULL) while running withing a user mode |
|
- Allow systemd_tmpfiles_t to getattr all pipes and sockets |
|
- Allow glance-registry to send system log messages |
|
- semanage needs to manage mock lib files/dirs |
|
|
|
* Sun Apr 22 2012 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-117 |
|
- Add policy for abrt-watch-log |
|
- Add definitions for jboss_messaging ports |
|
- Allow systemd_tmpfiles to manage printer devices |
|
- Allow oddjob to use nsswitch |
|
- Fix labeling of log files for postgresql |
|
- Allow mozilla_plugin_t to execmem and execstack by default |
|
- Allow firewalld to execute shell |
|
- Fix /etc/wicd content files to get created with the correct label |
|
- Allow mcelog to exec shell |
|
- Add ~/.orc as a gstreamer_home_t |
|
- /var/spool/postfix/lib64 should be labeled lib_t |
|
- mpreaper should be able to list all file system labeled directories |
|
- Add support for apache to use openstack |
|
- Add labeling for /etc/zipl.conf and zipl binary |
|
- Turn on allow_execstack and turn off telepathy transition for final release |
|
|
|
* Mon Apr 16 2012 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-116 |
|
- More access required for virt_qmf_t |
|
- Additional assess required for systemd-logind to support multi-seat |
|
- Allow mozilla_plugin to setrlimit |
|
- Revert changes to fuse file system to stop deadlock |
|
|
|
* Mon Apr 16 2012 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-115 |
|
- Allow condor domains to connect to ephemeral ports |
|
- More fixes for condor policy |
|
- Allow keystone to stream connect to mysqld |
|
- Allow mozilla_plugin_t to read generic USB device to support GPS devices |
|
- Allow thum to file name transition gstreamer home content |
|
- Allow thum to read all non security files |
|
- Allow glance_api_t to connect to ephemeral ports |
|
- Allow nagios plugins to read /dev/urandom |
|
- Allow syslogd to search postfix spool to support postfix chroot env |
|
- Fix labeling for /var/spool/postfix/dev |
|
- Allow wdmd chown |
|
- Label .esd_auth as pulseaudio_home_t |
|
- Have no idea why keyring tries to write to /run/user/dwalsh/dconf/user, but we can dontaudit for now |
|
|
|
* Fri Apr 13 2012 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-114 |
|
- Add support for clamd+systemd |
|
- Allow fresclam to execute systemctl to handle clamd |
|
- Change labeling for /usr/sbin/rpc.ypasswd.env |
|
- Allow yppaswd_t to execute yppaswd_exec_t |
|
- Allow yppaswd_t to read /etc/passwd |
|
- Gnomekeyring socket has been moved to /run/user/USER/ |
|
- Allow samba-net to connect to ldap port |
|
- Allow signal for vhostmd |
|
- allow mozilla_plugin_t to read user_home_t socket |
|
- New access required for secure Linux Containers |
|
- zfs now supports xattrs |
|
- Allow quantum to execute sudo and list sysfs |
|
- Allow init to dbus chat with the firewalld |
|
- Allow zebra to read /etc/passwd |
|
|
|
* Tue Apr 10 2012 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-113 |
|
- Allow svirt_t to create content in the users homedir under ~/.libvirt |
|
- Fix label on /var/lib/heartbeat |
|
- Allow systemd_logind_t to send kill signals to all processes started by a user |
|
- Fuse now supports Xattr Support |
|
|
|
* Tue Apr 10 2012 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-112 |
|
- upowered needs to setsched on the kernel |
|
- Allow mpd_t to manage log files |
|
- Allow xdm_t to create /var/run/systemd/multi-session-x |
|
- Add rules for missedfont.log to be used by thumb.fc |
|
- Additional access required for virt_qmf_t |
|
- Allow dhclient to dbus chat with the firewalld |
|
- Add label for lvmetad |
|
- Allow systemd_logind_t to remove userdomain sock_files |
|
- Allow cups to execute usr_t files |
|
- Fix labeling on nvidia shared libraries |
|
- wdmd_t needs access to sssd and /etc/passwd |
|
- Add boolean to allow ftp servers to run in passive mode |
|
- Allow namepspace_init_t to relabelto/from a different user system_u from the user the namespace_init running with |
|
- Fix using httpd_use_fusefs |
|
- Allow chrome_sandbox_nacl to write inherited user tmp files as we allow it for chrome_sandbox |
|
|
|
* Fri Apr 6 2012 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-111 |
|
- Rename rdate port to time port, and allow gnomeclock to connect to it |
|
- We no longer need to transition to ldconfig from rpm, rpm_script, or anaconda |
|
- /etc/auto.* should be labeled bin_t |
|
- Add httpd_use_fusefs boolean |
|
- Add fixes for heartbeat |
|
- Allow sshd_t to signal processes that it transitions to |
|
- Add condor policy |
|
- Allow svirt to create monitors in ~/.libvirt |
|
- Allow dovecot to domtrans sendmail to handle sieve scripts |
|
- Lot of fixes for cfengine |
|
|
|
* Tue Apr 3 2012 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-110 |
|
- /var/run/postmaster.* labeling is no longer needed |
|
- Alllow drbdadmin to read /dev/urandom |
|
- l2tpd_t seems to use ptmx |
|
- group+ and passwd+ should be labeled as /etc/passwd |
|
- Zarafa-indexer is a socket |
|
|
|
* Fri Mar 30 2012 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-109 |
|
- Ensure lastlog is labeled correctly |
|
- Allow accountsd to read /proc data about gdm |
|
- Add fixes for tuned |
|
- Add bcfg2 fixes which were discovered during RHEL6 testing |
|
- More fixes for gnome-keyring socket being moved |
|
- Run semanage as a unconfined domain, and allow initrc_t to create tmpfs_t sym links on shutdown |
|
- Fix description for files_dontaudit_read_security_files() interface |
|
|
|
* Wed Mar 28 2012 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-108 |
|
- Add new policy and man page for bcfg2 |
|
- cgconfig needs to use getpw calls |
|
- Allow domains that communicate with the keyring to use cache_home_t instead of gkeyringd_tmpt |
|
- gnome-keyring wants to create a directory in cache_home_t |
|
- sanlock calls getpw |
|
|
|
* Wed Mar 28 2012 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-107 |
|
- Add numad policy and numad man page |
|
- Add fixes for interface bugs discovered by SEWatch |
|
- Add /tmp support for squid |
|
- Add fix for #799102 |
|
* change default labeling for /var/run/slapd.* sockets |
|
- Make thumb_t as userdom_home_reader |
|
- label /var/lib/sss/mc same as pubconf, so getpw domains can read it |
|
- Allow smbspool running as cups_t to stream connect to nmbd |
|
- accounts needs to be able to execute passwd on behalf of users |
|
- Allow systemd_tmpfiles_t to delete boot flags |
|
- Allow dnssec_trigger to connect to apache ports |
|
- Allow gnome keyring to create sock_files in ~/.cache |
|
- google_authenticator is using .google_authenticator |
|
- sandbox running from within firefox is exposing more leaks |
|
- Dontaudit thumb to read/write /dev/card0 |
|
- Dontaudit getattr on init_exec_t for gnomeclock_t |
|
- Allow certmonger to do a transition to certmonger_unconfined_t |
|
- Allow dhcpc setsched which is caused by nmcli |
|
- Add rpm_exec_t for /usr/sbin/bcfg2 |
|
- system cronjobs are sending dbus messages to systemd_logind |
|
- Thumnailers read /dev/urand |
|
|
|
* Thu Mar 22 2012 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-106 |
|
- Allow auditctl getcap |
|
- Allow vdagent to use libsystemd-login |
|
- Allow abrt-dump-oops to search /etc/abrt |
|
- Got these avc's while trying to print a boarding pass from firefox |
|
- Devicekit is now putting the media directory under /run/media |
|
- Allow thumbnailers to create content in ~/.thumbails directory |
|
- Add support for proL2TPd by Dominick Grift |
|
- Allow all domains to call getcap |
|
- wdmd seems to get a random chown capability check that it does not need |
|
- Allow vhostmd to read kernel sysctls |
|
|
|
* Wed Mar 21 2012 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-105 |
|
- Allow chronyd to read unix |
|
- Allow hpfax to read /etc/passwd |
|
- Add support matahari vios-proxy-* apps and add virtd_exec_t label for them |
|
- Allow rpcd to read quota_db_t |
|
- Update to man pages to match latest policy |
|
- Fix bug in jockey interface for sepolgen-ifgen |
|
- Add initial svirt_prot_exec_t policy |
|
|
|
* Mon Mar 19 2012 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-104 |
|
- More fixes for systemd from Dan Walsh |
|
|
|
* Mon Mar 19 2012 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-103 |
|
- Add a new type for /etc/firewalld and allow firewalld to write to this directory |
|
- Add definition for ~/Maildir, and allow mail deliver domains to write there |
|
- Allow polipo to run from a cron job |
|
- Allow rtkit to schedule wine processes |
|
- Allow mozilla_plugin_t to acquire a bug, and allow it to transition gnome content in the home dir to the proper label |
|
- Allow users domains to send signals to consolehelper domains |
|
|
|
* Fri Mar 16 2012 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-102 |
|
- More fixes for boinc policy |
|
- Allow polipo domain to create its own cache dir and pid file |
|
- Add systemctl support to httpd domain |
|
- Add systemctl support to polipo, allow NetworkManager to manage the service |
|
- Add policy for jockey-backend |
|
- Add support for motion daemon which is now covered by zoneminder policy |
|
- Allow colord to read/write motion tmpfs |
|
- Allow vnstat to search through var_lib_t directories |
|
- Stop transitioning to quota_t, from init an sysadm_t |
|
|
|
* Wed Mar 14 2012 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-101 |
|
- Add svirt_lxc_file_t as a customizable type |
|
|
|
* Wed Mar 14 2012 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-100 |
|
- Add additional fixes for icmp nagios plugin |
|
- Allow cron jobs to open fifo_files from cron, since service script opens /dev/stdin |
|
- Add certmonger_unconfined_exec_t |
|
- Make sure tap22 device is created with the correct label |
|
- Allow staff users to read systemd unit files |
|
- Merge in previously built policy |
|
- Arpwatch needs to be able to start netlink sockets in order to start |
|
- Allow cgred_t to sys_ptrace to look at other DAC Processes |
|
|
|
* Mon Mar 12 2012 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-99 |
|
- Back port some of the access that was allowed in nsplugin_t |
|
- Add definitiona for couchdb ports |
|
- Allow nagios to use inherited users ttys |
|
- Add git support for mock |
|
- Allow inetd to use rdate port |
|
- Add own type for rdate port |
|
- Allow samba to act as a portmapper |
|
- Dontaudit chrome_sandbox attempts to getattr on chr_files in /dev |
|
- New fixes needed for samba4 |
|
- Allow apps that use lib_t to read lib_t symlinks |
|
|
|
* Fri Mar 9 2012 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-98 |
|
- Add policy for nove-cert |
|
- Add labeling for nova-openstack systemd unit files |
|
- Add policy for keystoke |
|
|
|
* Thu Mar 8 2012 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-97 |
|
- Fix man pages fro domains |
|
- Add man pages for SELinux users and roles |
|
- Add storage_dev_filetrans_named_fixed_disk() and use it for smartmon |
|
- Add policy for matahari-rpcd |
|
- nfsd executes mount command on restart |
|
- Matahari domains execute renice and setsched |
|
- Dontaudit leaked tty in mozilla_plugin_config |
|
- mailman is changing to a per instance naming |
|
- Add 7600 and 4447 as jboss_management ports |
|
- Add fixes for nagios event handlers |
|
- Label httpd.event as httpd_exec_t, it is an apache daemon |
|
|
|
* Mon Mar 5 2012 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-96 |
|
- Add labeling for /var/spool/postfix/dev/log |
|
- NM reads sysctl.conf |
|
- Iscsi log file context specification fix |
|
- Allow mozilla plugins to send dbus messages to user domains that transition to it |
|
- Allow mysql to read the passwd file |
|
- Allow mozilla_plugin_t to create mozilla home dirs in user homedir |
|
- Allow deltacloud to read kernel sysctl |
|
- Allow postgresql_t to connectto itselfAllow postgresql_t to connectto itself |
|
- Allow postgresql_t to connectto itself |
|
- Add login_userdomain attribute for users which can log in using terminal |
|
|
|
* Tue Feb 28 2012 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-95 |
|
- Allow sysadm_u to reach system_r by default #784011 |
|
- Allow nagios plugins to use inherited user terminals |
|
- Razor labeling is not used no longer |
|
- Add systemd support for matahari |
|
- Add port_types to man page, move booleans to the top, fix some english |
|
- Add support for matahari-sysconfig-console |
|
- Clean up matahari.fc |
|
- Fix matahari_admin() interfac |
|
- Add labels for/etc/ssh/ssh_host_*.pub keys |
|
|
|
* Mon Feb 27 2012 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-94 |
|
- Allow ksysguardproces to send system log msgs |
|
- Allow boinc setpgid and signull |
|
- Allow xdm_t to sys_ptrace to run pidof command |
|
- Allow smtpd_t to manage spool files/directories and symbolic links |
|
- Add labeling for jetty |
|
- Needed changes to get unbound/dnssec to work with openswan |
|
|
|
* Thu Feb 23 2012 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-93 |
|
- Add user_fonts_t alias xfs_tmp_t |
|
- Since depmod now runs as insmod_t we need to write to kernel_object_t |
|
- Allow firewalld to dbus chat with networkmanager |
|
- Allow qpidd to connect to matahari ports |
|
- policykit needs to read /proc for uses not owned by it |
|
- Allow systemctl apps to connecto the init stream |
|
|
|
* Wed Feb 22 2012 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-92 |
|
- Turn on deny_ptrace boolean |
|
|
|
* Tue Feb 21 2012 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-91 |
|
- Remove pam_selinux.8 man page. There was a conflict. |
|
|
|
* Tue Feb 21 2012 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-90 |
|
- Add proxy class and read access for gssd_proxy |
|
- Separate out the sharing public content booleans |
|
- Allow certmonger to execute a script and send signals to apache and dirsrv to reload the certificate |
|
- Add label transition for gstream-0.10 and 12 |
|
- Add booleans to allow rsync to share nfs and cifs file sytems |
|
- chrome_sandbox wants to read the /proc/PID/exe file of the program that executed it |
|
- Fix filename transitions for cups files |
|
- Allow denyhosts to read "unix" |
|
- Add file name transition for locale.conf.new |
|
- Allow boinc projects to gconf config files |
|
- sssd needs to be able to increase the socket limit under certain loads |
|
- sge_execd needs to read /etc/passwd |
|
- Allow denyhost to check network state |
|
- NetworkManager needs to read sessions data |
|
- Allow denyhost to check network state |
|
- Allow xen to search virt images directories |
|
- Add label for /dev/megaraid_sas_ioctl_node |
|
- Add autogenerated man pages |
|
|
|
* Thu Feb 16 2012 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-89 |
|
- Allow boinc project to getattr on fs |
|
- Allow init to execute initrc_state_t |
|
- rhev-agent package was rename to ovirt-guest-agent |
|
- If initrc_t creates /etc/local.conf then we need to make sure it is labeled correctly |
|
- sytemd writes content to /run/initramfs and executes it on shutdown |
|
- kdump_t needs to read /etc/mtab, should be back ported to F16 |
|
- udev needs to load kernel modules in early system boot |
|
|
|
* Tue Feb 14 2012 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-88 |
|
- Need to add sys_ptrace back in since reading any content in /proc can cause these accesses |
|
- Add additional systemd interfaces which are needed fro *_admin interfaces |
|
- Fix bind_admin() interface |
|
|
|
* Mon Feb 13 2012 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-87 |
|
- Allow firewalld to read urand |
|
- Alias java, execmem_mono to bin_t to allow third parties |
|
- Add label for kmod |
|
- /etc/redhat-lsb contains binaries |
|
- Add boolean to allow gitosis to send mail |
|
- Add filename transition also for "event20" |
|
- Allow systemd_tmpfiles_t to delete all file types |
|
- Allow collectd to ipc_lock |
|
|
|
* Fri Feb 10 2012 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-86 |
|
- make consoletype_exec optional, so we can remove consoletype policy |
|
- remove unconfined_permisive.patch |
|
- Allow openvpn_t to inherit user home content and tmp content |
|
- Fix dnssec-trigger labeling |
|
- Turn on obex policy for staff_t |
|
- Pem files should not be secret |
|
- Add lots of rules to fix AVC's when playing with containers |
|
- Fix policy for dnssec |
|
- Label ask-passwd directories correctly for systemd |
|
|
|
* Thu Feb 9 2012 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-85 |
|
- sshd fixes seem to be causing unconfined domains to dyntrans to themselves |
|
- fuse file system is now being mounted in /run/user |
|
- systemd_logind is sending signals to processes that are dbus messaging with it |
|
- Add support for winshadow port and allow iscsid to connect to this port |
|
- httpd should be allowed to bind to the http_port_t udp socket |
|
- zarafa_var_lib_t can be a lnk_file |
|
- A couple of new .xsession-errors files |
|
- Seems like user space and login programs need to read logind_sessions_files |
|
- Devicekit disk seems to be being launched by systemd |
|
- Cleanup handling of setfiles so most of rules in te file |
|
- Correct port number for dnssec |
|
- logcheck has the home dir set to its cache |
|
|
|
* Tue Feb 7 2012 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-84 |
|
- Add policy for grindengine MPI jobs |
|
|
|
* Mon Feb 6 2012 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-83 |
|
- Add new sysadm_secadm.pp module |
|
* contains secadm definition for sysadm_t |
|
- Move user_mail_domain access out of the interface into the te file |
|
- Allow httpd_t to create httpd_var_lib_t directories as well as files |
|
- Allow snmpd to connect to the ricci_modcluster stream |
|
- Allow firewalld to read /etc/passwd |
|
- Add auth_use_nsswitch for colord |
|
- Allow smartd to read network state |
|
- smartdnotify needs to read /etc/group |
|
|
|
* Fri Feb 3 2012 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-82 |
|
- Allow gpg and gpg_agent to store sock_file in gpg_secret_t directory |
|
- lxdm startup scripts should be labeled bin_t, so confined users will work |
|
- mcstransd now creates a pid, needs back port to F16 |
|
- qpidd should be allowed to connect to the amqp port |
|
- Label devices 010-029 as usb devices |
|
- ypserv packager says ypserv does not use tmp_t so removing selinux policy types |
|
- Remove all ptrace commands that I believe are caused by the kernel/ps avcs |
|
- Add initial Obex policy |
|
- Add logging_syslogd_use_tty boolean |
|
- Add polipo_connect_all_unreserved bolean |
|
- Allow zabbix to connect to ftp port |
|
- Allow systemd-logind to be able to switch VTs |
|
- Allow apache to communicate with memcached through a sock_file |
|
|
|
* Tue Jan 31 2012 Dan Walsh <dwalsh@redhat.com> 3.10.0-81.2 |
|
- Fix file_context.subs_dist for now to work with pre usrmove |
|
|
|
* Mon Jan 30 2012 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-81 |
|
- More /usr move fixes |
|
|
|
* Thu Jan 26 2012 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-80 |
|
- Add zabbix_can_network boolean |
|
- Add httpd_can_connect_zabbix boolean |
|
- Prepare file context labeling for usrmove functions |
|
- Allow system cronjobs to read kernel network state |
|
- Add support for selinux_avcstat munin plugin |
|
- Treat hearbeat with corosync policy |
|
- Allow corosync to read and write to qpidd shared mem |
|
- mozilla_plugin is trying to run pulseaudio |
|
- Fixes for new sshd patch for running priv sep domains as the users context |
|
- Turn off dontaudit rules when turning on allow_ypbind |
|
- udev now reads /etc/modules.d directory |
|
|
|
* Tue Jan 24 2012 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-79 |
|
- Turn on deny_ptrace boolean for the Rawhide run, so we can test this out |
|
- Cups exchanges dbus messages with init |
|
- udisk2 needs to send syslog messages |
|
- certwatch needs to read /etc/passwd |
|
|
|
* Mon Jan 23 2012 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-78 |
|
- Add labeling for udisks2 |
|
- Allow fsadmin to communicate with the systemd process |
|
|
|
* Mon Jan 23 2012 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-77 |
|
- Treat Bip with bitlbee policy |
|
* Bip is an IRC proxy |
|
- Add port definition for interwise port |
|
- Add support for ipa_memcached socket |
|
- systemd_jounald needs to getattr on all processes |
|
- mdadmin fixes |
|
* uses getpw |
|
- amavisd calls getpwnam() |
|
- denyhosts calls getpwall() |
|
|
|
* Fri Jan 20 2012 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-76 |
|
- Setup labeling of /var/rsa and /var/lib/rsa to allow login programs to write there |
|
- bluetooth says they do not use /tmp and want to remove the type |
|
- Allow init to transition to colord |
|
- Mongod needs to read /proc/sys/vm/zone_reclaim_mode |
|
- Allow postfix_smtpd_t to connect to spamd |
|
- Add boolean to allow ftp to connect to all ports > 1023 |
|
- Allow sendmain to write to inherited dovecot tmp files |
|
- setroubleshoot needs to be able to execute rpm to see what version of packages |
|
* Mon Jan 16 2012 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-75 |
|
- Merge systemd patch |
|
- systemd-tmpfiles wants to relabel /sys/devices/system/cpu/online |
|
- Allow deltacloudd dac_override, setuid, setgid caps |
|
- Allow aisexec to execute shell |
|
- Add use_nfs_home_dirs boolean for ssh-keygen |
|
|
|
* Fri Jan 13 2012 Dan Walsh <dwalsh@redhat.com> 3.10.0-74.2 |
|
- Fixes to make rawhide boot in enforcing mode with latest systemd changes |
|
|
|
* Wed Jan 11 2012 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-74 |
|
- Add labeling for /var/run/systemd/journal/syslog |
|
- libvirt sends signals to ifconfig |
|
- Allow domains that read logind session files to list them |
|
|
|
* Wed Jan 11 2012 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-73 |
|
- Fixed destined form libvirt-sandbox |
|
- Allow apps that list sysfs to also read sympolicy links in this filesystem |
|
- Add ubac_constrained rules for chrome_sandbox |
|
- Need interface to allow domains to use tmpfs_t files created by the kernel, used by libra |
|
- Allow postgresql to be executed by the caller |
|
- Standardize interfaces of daemons |
|
- Add new labeling for mm-handler |
|
- Allow all matahari domains to read network state and etc_runtime_t files |
|
|
|
* Wed Jan 4 2012 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-72 |
|
- New fix for seunshare, requires seunshare_domains to be able to mounton / |
|
- Allow systemctl running as logrotate_t to connect to private systemd socket |
|
- Allow tmpwatch to read meminfo |
|
- Allow rpc.svcgssd to read supported_krb5_enctype |
|
- Allow zarafa domains to read /dev/random and /dev/urandom |
|
- Allow snmpd to read dev_snmp6 |
|
- Allow procmail to talk with cyrus |
|
- Add fixes for check_disk and check_nagios plugins |
|
|
|
* Tue Dec 20 2011 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-71 |
|
- default trans rules for Rawhide policy |
|
- Make sure sound_devices controlC* are labeled correctly on creation |
|
- sssd now needs sys_admin |
|
- Allow snmp to read all proc_type |
|
- Allow to setup users homedir with quota.group |
|
|
|
* Mon Dec 19 2011 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-70 |
|
- Add httpd_can_connect_ldap() interface |
|
- apcupsd_t needs to use seriel ports connected to usb devices |
|
- Kde puts procmail mail directory under ~/.local/share |
|
- nfsd_t can trigger sys_rawio on tests that involve too many mountpoints, dontaudit for now |
|
- Add labeling for /sbin/iscsiuio |
|
|
|
* Wed Dec 14 2011 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-69 |
|
- Add label for /var/lib/iscan/interpreter |
|
- Dont audit writes to leaked file descriptors or redirected output for nacl |
|
- NetworkManager needs to write to /sys/class/net/ib*/mode |
|
|
|
* Tue Dec 13 2011 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-68 |
|
- Allow abrt to request the kernel to load a module |
|
- Make sure mozilla content is labeled correctly |
|
- Allow tgtd to read system state |
|
- More fixes for boinc |
|
* allow to resolve dns name |
|
* re-write boinc policy to use boinc_domain attribute |
|
- Allow munin services plugins to use NSCD services |
|
|
|
* Thu Dec 8 2011 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-67 |
|
- Allow mozilla_plugin_t to manage mozilla_home_t |
|
- Allow ssh derived domain to execute ssh-keygen in the ssh_keygen_t domain |
|
- Add label for tumblerd |
|
|
|
* Wed Dec 7 2011 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-66 |
|
- Fixes for xguest package |
|
|
|
* Tue Dec 6 2011 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-65 |
|
- Fixes related to /bin, /sbin |
|
- Allow abrt to getattr on blk files |
|
- Add type for rhev-agent log file |
|
- Fix labeling for /dev/dmfm |
|
- Dontaudit wicd leaking |
|
- Allow systemd_logind_t to look at process info of apps that exchange dbus messages with it |
|
- Label /etc/locale.conf correctly |
|
- Allow user_mail_t to read /dev/random |
|
- Allow postfix-smtpd to read MIMEDefang |
|
- Add label for /var/log/suphp.log |
|
- Allow swat_t to connect and read/write nmbd_t sock_file |
|
- Allow systemd-tmpfiles to setattr for /run/user/gdm/dconf |
|
- Allow systemd-tmpfiles to change user identity in object contexts |
|
- More fixes for rhev_agentd_t consolehelper policy |
|
|
|
* Thu Dec 1 2011 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-64 |
|
- Use fs_use_xattr for squashf |
|
- Fix procs_type interface |
|
- Dovecot has a new fifo_file /var/run/dovecot/stats-mail |
|
- Dovecot has a new fifo_file /var/run/stats-mail |
|
- Colord does not need to connect to network |
|
- Allow system_cronjob to dbus chat with NetworkManager |
|
- Puppet manages content, want to make sure it labels everything correctly |
|
|
|
* Tue Nov 29 2011 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-63 |
|
- Change port 9050 to tor_socks_port_t and then allow openvpn to connect to it |
|
- Allow all postfix domains to use the fifo_file |
|
- Allow sshd_t to getattr on all file systems in order to generate avc on nfs_t |
|
- Allow apmd_t to read grub.cfg |
|
- Let firewallgui read the selinux config |
|
- Allow systemd-tmpfiles to delete content in /root that has been moved to /tmp |
|
- Fix devicekit_manage_pid_files() interface |
|
- Allow squid to check the network state |
|
- Dontaudit colord getattr on file systems |
|
- Allow ping domains to read zabbix_tmp_t files |
|
|
|
* Wed Nov 23 2011 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-59 |
|
- Allow mcelog_t to create dir and file in /var/run and label it correctly |
|
- Allow dbus to manage fusefs |
|
- Mount needs to read process state when mounting gluster file systems |
|
- Allow collectd-web to read collectd lib files |
|
- Allow daemons and system processes started by init to read/write the unix_stream_socket passed in from as stdin/stdout/stderr |
|
- Allow colord to get the attributes of tmpfs filesystem |
|
- Add sanlock_use_nfs and sanlock_use_samba booleans |
|
- Add bin_t label for /usr/lib/virtualbox/VBoxManage |
|
|
|
* Wed Nov 16 2011 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-58 |
|
- Add ssh_dontaudit_search_home_dir |
|
- Changes to allow namespace_init_t to work |
|
- Add interface to allow exec of mongod, add port definition for mongod port, 27017 |
|
- Label .kde/share/apps/networkmanagement/certificates/ as home_cert_t |
|
- Allow spamd and clamd to steam connect to each other |
|
- Add policy label for passwd.OLD |
|
- More fixes for postfix and postfix maildro |
|
- Add ftp support for mozilla plugins |
|
- Useradd now needs to manage policy since it calls libsemanage |
|
- Fix devicekit_manage_log_files() interface |
|
- Allow colord to execute ifconfig |
|
- Allow accountsd to read /sys |
|
- Allow mysqld-safe to execute shell |
|
- Allow openct to stream connect to pcscd |
|
- Add label for /var/run/nm-dns-dnsmasq\.conf |
|
- Allow networkmanager to chat with virtd_t |
|
|
|
* Fri Nov 11 2011 Dan Walsh <dwalsh@redhat.com> 3.10.0-57 |
|
- Pulseaudio changes |
|
- Merge patches |
|
|
|
* Thu Nov 10 2011 Dan Walsh <dwalsh@redhat.com> 3.10.0-56 |
|
- Merge patches back into git repository. |
|
|
|
* Tue Nov 8 2011 Dan Walsh <dwalsh@redhat.com> 3.10.0-55.2 |
|
- Remove allow_execmem boolean and replace with deny_execmem boolean |
|
|
|
* Tue Nov 8 2011 Dan Walsh <dwalsh@redhat.com> 3.10.0-55.1 |
|
- Turn back on allow_execmem boolean |
|
|
|
* Mon Nov 7 2011 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-55 |
|
- Add more MCS fixes to make sandbox working |
|
- Make faillog MLS trusted to make sudo_$1_t working |
|
- Allow sandbox_web_client_t to read passwd_file_t |
|
- Add .mailrc file context |
|
- Remove execheap from openoffice domain |
|
- Allow chrome_sandbox_nacl_t to read cpu_info |
|
- Allow virtd to relabel generic usb which is need if USB device |
|
- Fixes for virt.if interfaces to consider chr_file as image file type |
|
|
|
* Fri Nov 4 2011 Dan Walsh <dwalsh@redhat.com> 3.10.0-54.1 |
|
- Remove Open Office policy |
|
- Remove execmem policy |
|
|
|
* Fri Nov 4 2011 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-54 |
|
- MCS fixes |
|
- quota fixes |
|
|
|
* Thu Nov 3 2011 Dan Walsh <dwalsh@redhat.com> 3.10.0-53.1 |
|
- Remove transitions to consoletype |
|
|
|
* Tue Nov 1 2011 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-53 |
|
- Make nvidia* to be labeled correctly |
|
- Fix abrt_manage_cache() interface |
|
- Make filetrans rules optional so base policy will build |
|
- Dontaudit chkpwd_t access to inherited TTYS |
|
- Make sure postfix content gets created with the correct label |
|
- Allow gnomeclock to read cgroup |
|
- Fixes for cloudform policy |
|
|
|
* Thu Oct 27 2011 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-52 |
|
- Check in fixed for Chrome nacl support |
|
|
|
* Thu Oct 27 2011 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-51 |
|
- Begin removing qemu_t domain, we really no longer need this domain. |
|
- systemd_passwd needs dac_overide to communicate with users TTY's |
|
- Allow svirt_lxc domains to send kill signals within their container |
|
|
|
* Thu Oct 27 2011 Dan Walsh <dwalsh@redhat.com> 3.10.0-50.2 |
|
- Remove qemu.pp again without causing a crash |
|
|
|
* Wed Oct 26 2011 Dan Walsh <dwalsh@redhat.com> 3.10.0-50.1 |
|
- Remove qemu.pp, everything should use svirt_t or stay in its current domain |
|
|
|
* Wed Oct 26 2011 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-50 |
|
- Allow policykit to talk to the systemd via dbus |
|
- Move chrome_sandbox_nacl_t to permissive domains |
|
- Additional rules for chrome_sandbox_nacl |
|
|
|
* Tue Oct 25 2011 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-49 |
|
- Change bootstrap name to nacl |
|
- Chrome still needs execmem |
|
- Missing role for chrome_sandbox_bootstrap |
|
- Add boolean to remove execmem and execstack from virtual machines |
|
- Dontaudit xdm_t doing an access_check on etc_t directories |
|
|
|
* Mon Oct 24 2011 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-48 |
|
- Allow named to connect to dirsrv by default |
|
- add ldapmap1_0 as a krb5_host_rcache_t file |
|
- Google chrome developers asked me to add bootstrap policy for nacl stuff |
|
- Allow rhev_agentd_t to getattr on mountpoints |
|
- Postfix_smtpd_t needs access to milters and cleanup seems to read/write postfix_smtpd_t unix_stream_sockets |
|
|
|
* Mon Oct 24 2011 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-47 |
|
- Fixes for cloudform policies which need to connect to random ports |
|
- Make sure if an admin creates modules content it creates them with the correct label |
|
- Add port 8953 as a dns port used by unbound |
|
- Fix file name transition for alsa and confined users |
|
|
|
* Fri Oct 21 2011 Dan Walsh <dwalsh@redhat.com> 3.10.0-46.1 |
|
- Turn on mock_t and thumb_t for unconfined domains |
|
|
|
* Fri Oct 21 2011 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-46 |
|
- Policy update should not modify local contexts |
|
|
|
* Thu Oct 20 2011 Dan Walsh <dwalsh@redhat.com> 3.10.0-45.1 |
|
- Remove ada policy |
|
|
|
* Thu Oct 20 2011 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-45 |
|
- Remove tzdata policy |
|
- Add labeling for udev |
|
- Add cloudform policy |
|
- Fixes for bootloader policy |
|
|
|
* Wed Oct 19 2011 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-43 |
|
- Add policies for nova openstack |
|
|
|
* Tue Oct 18 2011 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-42 |
|
- Add fixes for nova-stack policy |
|
|
|
* Tue Oct 18 2011 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-41 |
|
- Allow svirt_lxc_domain to chr_file and blk_file devices if they are in the domain |
|
- Allow init process to setrlimit on itself |
|
- Take away transition rules for users executing ssh-keygen |
|
- Allow setroubleshoot_fixit_t to read /dev/urand |
|
- Allow sshd to relbale tunnel sockets |
|
- Allow fail2ban domtrans to shorewall in the same way as with iptables |
|
- Add support for lnk files in the /var/lib/sssd directory |
|
- Allow system mail to connect to courier-authdaemon over an unix stream socket |
|
|
|
* Mon Oct 17 2011 Dan Walsh <dwalsh@redhat.com> 3.10.0-40.2 |
|
- Add passwd_file_t for /etc/ptmptmp |
|
|
|
* Fri Oct 14 2011 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-40 |
|
- Dontaudit access checks for all executables, gnome-shell is doing access(EXEC, X_OK) |
|
- Make corosync to be able to relabelto cluster lib fies |
|
- Allow samba domains to search /var/run/nmbd |
|
- Allow dirsrv to use pam |
|
- Allow thumb to call getuid |
|
- chrome less likely to get mmap_zero bug so removing dontaudit |
|
- gimp help-browser has built in javascript |
|
- Best guess is that devices named /dev/bsr4096 should be labeled as cpu_device_t |
|
- Re-write glance policy |
|
|
|
* Thu Oct 13 2011 Dan Walsh <dwalsh@redhat.com> 3.10.0-39.3 |
|
- Move dontaudit sys_ptrace line from permissive.te to domain.te |
|
- Remove policy for hal, it no longer exists |
|
|
|
* Wed Oct 12 2011 Dan Walsh <dwalsh@redhat.com> 3.10.0-39.2 |
|
- Don't check md5 size or mtime on certain config files |
|
|
|
* Tue Oct 11 2011 Dan Walsh <dwalsh@redhat.com> 3.10.0-39.1 |
|
- Remove allow_ptrace and replace it with deny_ptrace, which will remove all |
|
ptrace from the system |
|
- Remove 2000 dontaudit rules between confined domains on transition |
|
and replace with single |
|
dontaudit domain domain:process { noatsecure siginh rlimitinh } ; |
|
|
|
* Mon Oct 10 2011 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-39 |
|
- Fixes for bootloader policy |
|
- $1_gkeyringd_t needs to read $HOME/%USER/.local/share/keystore |
|
- Allow nsplugin to read /usr/share/config |
|
- Allow sa-update to update rules |
|
- Add use_fusefs_home_dirs for chroot ssh option |
|
- Fixes for grub2 |
|
- Update systemd_exec_systemctl() interface |
|
- Allow gpg to read the mail spool |
|
- More fixes for sa-update running out of cron job |
|
- Allow ipsec_mgmt_t to read hardware state information |
|
- Allow pptp_t to connect to unreserved_port_t |
|
- Dontaudit getattr on initctl in /dev from chfn |
|
- Dontaudit getattr on kernel_core from chfn |
|
- Add systemd_list_unit_dirs to systemd_exec_systemctl call |
|
- Fixes for collectd policy |
|
- CHange sysadm_t to create content as user_tmp_t under /tmp |
|
|
|
* Thu Oct 6 2011 Dan Walsh <dwalsh@redhat.com> 3.10.0-38.1 |
|
- Shrink size of policy through use of attributes for userdomain and apache |
|
|
|
* Wed Oct 5 2011 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-38 |
|
- Allow virsh to read xenstored pid file |
|
- Backport corenetwork fixes from upstream |
|
- Do not audit attempts by thumb to search config_home_t dirs (~/.config) |
|
- label ~/.cache/telepathy/logger telepathy_logger_cache_home_t |
|
- allow thumb to read generic data home files (mime.type) |
|
|
|
* Wed Oct 5 2011 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-37 |
|
- Allow nmbd to manage sock file in /var/run/nmbd |
|
- ricci_modservice send syslog msgs |
|
- Stop transitioning from unconfined_t to ldconfig_t, but make sure /etc/ld.so.cache is labeled correctly |
|
- Allow systemd_logind_t to manage /run/USER/dconf/user |
|
|
|
* Tue Oct 4 2011 Dan Walsh <dwalsh@redhat.com> 3.10.0-36.1 |
|
- Fix missing patch from F16 |
|
|
|
* Mon Oct 3 2011 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-36 |
|
- Allow logrotate setuid and setgid since logrotate is supposed to do it |
|
- Fixes for thumb policy by grift |
|
- Add new nfsd ports |
|
- Added fix to allow confined apps to execmod on chrome |
|
- Add labeling for additional vdsm directories |
|
- Allow Exim and Dovecot SASL |
|
- Add label for /var/run/nmbd |
|
- Add fixes to make virsh and xen working together |
|
- Colord executes ls |
|
- /var/spool/cron is now labeled as user_cron_spool_t |
|
|
|
* Mon Oct 3 2011 Dan Walsh <dwalsh@redhat.com> 3.10.0-35 |
|
- Stop complaining about leaked file descriptors during install |
|
|
|
* Fri Sep 30 2011 Dan Walsh <dwalsh@redhat.com> 3.10.0-34.7 |
|
- Remove java and mono module and merge into execmem |
|
|
|
* Fri Sep 30 2011 Dan Walsh <dwalsh@redhat.com> 3.10.0-34.6 |
|
- Fixes for thumb policy and passwd_file_t |
|
|
|
* Fri Sep 30 2011 Dan Walsh <dwalsh@redhat.com> 3.10.0-34.4 |
|
- Fixes caused by the labeling of /etc/passwd |
|
- Add thumb.patch to transition unconfined_t to thumb_t for Rawhide |
|
|
|
* Thu Sep 29 2011 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-34.3 |
|
- Add support for Clustered Samba commands |
|
- Allow ricci_modrpm_t to send log msgs |
|
- move permissive virt_qmf_t from virt.te to permissivedomains.te |
|
- Allow ssh_t to use kernel keyrings |
|
- Add policy for libvirt-qmf and more fixes for linux containers |
|
- Initial Polipo |
|
- Sanlock needs to run ranged in order to kill svirt processes |
|
- Allow smbcontrol to stream connect to ctdbd |
|
|
|
* Mon Sep 26 2011 Dan Walsh <dwalsh@redhat.com> 3.10.0-34.2 |
|
- Add label for /etc/passwd |
|
|
|
* Mon Sep 26 2011 Dan Walsh <dwalsh@redhat.com> 3.10.0-34.1 |
|
- Change unconfined_domains to permissive for Rawhide |
|
- Add definition for the ephemeral_ports |
|
|
|
* Mon Sep 26 2011 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-34 |
|
- Make mta_role() active |
|
- Allow asterisk to connect to jabber client port |
|
- Allow procmail to read utmp |
|
- Add NIS support for systemd_logind_t |
|
- Allow systemd_logind_t to manage /run/user/$USER/dconf dir which is labeled as config_home_t |
|
- Fix systemd_manage_unit_dirs() interface |
|
- Allow ssh_t to manage directories passed into it |
|
- init needs to be able to create and delete unit file directories |
|
- Fix typo in apache_exec_sys_script |
|
- Add ability for logrotate to transition to awstat domain |
|
|
|
* Fri Sep 23 2011 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-33 |
|
- Change screen to use screen_domain attribute and allow screen_domains to read all process domain state |
|
- Add SELinux support for ssh pre-auth net process in F17 |
|
- Add logging_syslogd_can_sendmail boolean |
|
|
|
* Wed Sep 21 2011 Dan Walsh <dwalsh@redhat.com> 3.10.0-31.1 |
|
- Add definition for ephemeral ports |
|
- Define user_tty_device_t as a customizable_type |
|
|
|
* Tue Sep 20 2011 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-31 |
|
- Needs to require a new version of checkpolicy |
|
- Interface fixes |
|
|
|
* Fri Sep 16 2011 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-29 |
|
- Allow sanlock to manage virt lib files |
|
- Add virt_use_sanlock booelan |
|
- ksmtuned is trying to resolve uids |
|
- Make sure .gvfs is labeled user_home_t in the users home directory |
|
- Sanlock sends kill signals and needs the kill capability |
|
- Allow mockbuild to work on nfs homedirs |
|
- Fix kerberos_manage_host_rcache() interface |
|
- Allow exim to read system state |
|
|
|
* Tue Sep 13 2011 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-28 |
|
- Allow systemd-tmpfiles to set the correct labels on /var/run, /tmp and other files |
|
- We want any file type that is created in /tmp by a process running as initrc_t to be labeled initrc_tmp_t |
|
|
|
* Tue Sep 13 2011 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-27 |
|
- Allow collectd to read hardware state information |
|
- Add loop_control_device_t |
|
- Allow mdadm to request kernel to load module |
|
- Allow domains that start other domains via systemctl to search unit dir |
|
- systemd_tmpfilses, needs to list any file systems mounted on /tmp |
|
- No one can explain why radius is listing the contents of /tmp, so we will dontaudit |
|
- If I can manage etc_runtime files, I should be able to read the links |
|
- Dontaudit hostname writing to mock library chr_files |
|
- Have gdm_t setup labeling correctly in users home dir |
|
- Label content unde /var/run/user/NAME/dconf as config_home_t |
|
- Allow sa-update to execute shell |
|
- Make ssh-keygen working with fips_enabled |
|
- Make mock work for staff_t user |
|
- Tighten security on mock_t |
|
|
|
* Fri Sep 9 2011 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-26 |
|
- removing unconfined_notrans_t no longer necessary |
|
- Clean up handling of secure_mode_insmod and secure_mode_policyload |
|
- Remove unconfined_mount_t |
|
|
|
* Tue Sep 6 2011 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-25 |
|
- Add exim_exec_t label for /usr/sbin/exim_tidydb |
|
- Call init_dontaudit_rw_stream_socket() interface in mta policy |
|
- sssd need to search /var/cache/krb5rcache directory |
|
- Allow corosync to relabel own tmp files |
|
- Allow zarafa domains to send system log messages |
|
- Allow ssh to do tunneling |
|
- Allow initrc scripts to sendto init_t unix_stream_socket |
|
- Changes to make sure dmsmasq and virt directories are labeled correctly |
|
- Changes needed to allow sysadm_t to manage systemd unit files |
|
- init is passing file descriptors to dbus and on to system daemons |
|
- Allow sulogin additional access Reported by dgrift and Jeremy Miller |
|
- Steve Grubb believes that wireshark does not need this access |
|
- Fix /var/run/initramfs to stop restorecon from looking at |
|
- pki needs another port |
|
- Add more labels for cluster scripts |
|
- Allow apps that manage cgroup_files to manage cgroup link files |
|
- Fix label on nfs-utils scripts directories |
|
- Allow gatherd to read /dev/rand and /dev/urand |
|
|
|
* Wed Aug 31 2011 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-24 |
|
- pki needs another port |
|
- Add more labels for cluster scripts |
|
- Fix label on nfs-utils scripts directories |
|
- Fixes for cluster |
|
- Allow gatherd to read /dev/rand and /dev/urand |
|
- abrt leaks fifo files |
|
|
|
* Tue Aug 30 2011 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-23 |
|
- Add glance policy |
|
- Allow mdadm setsched |
|
- /var/run/initramfs should not be relabeled with a restorecon run |
|
- memcache can be setup to override sys_resource |
|
- Allow httpd_t to read tetex data |
|
- Allow systemd_tmpfiles to delete kernel modules left in /tmp directory. |
|
|
|
* Mon Aug 29 2011 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-22 |
|
- Allow Postfix to deliver to Dovecot LMTP socket |
|
- Ignore bogus sys_module for lldpad |
|
- Allow chrony and gpsd to send dgrams, gpsd needs to write to the real time clock |
|
- systemd_logind_t sets the attributes on usb devices |
|
- Allow hddtemp_t to read etc_t files |
|
- Add permissivedomains module |
|
- Move all permissive domains calls to permissivedomain.te |
|
- Allow pegasis to send kill signals to other UIDs |
|
|
|
* Wed Aug 24 2011 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-21 |
|
- Allow insmod_t to use fds leaked from devicekit |
|
- dontaudit getattr between insmod_t and init_t unix_stream_sockets |
|
- Change sysctl unit file interfaces to use systemctl |
|
- Add support for chronyd unit file |
|
- Allow mozilla_plugin to read gnome_usr_config |
|
- Add policy for new gpsd |
|
- Allow cups to create kerberos rhost cache files |
|
- Add authlogin_filetrans_named_content, to unconfined_t to make sure shadow and other log files get labeled correctly |
|
|
|
* Tue Aug 23 2011 Dan Walsh <dwalsh@redhat.com> 3.10.0-20 |
|
- Make users_extra and seusers.final into config(noreplace) so semanage users and login does not get overwritten |
|
|
|
* Tue Aug 23 2011 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-19 |
|
- Add policy for sa-update being run out of cron jobs |
|
- Add create perms to postgresql_manage_db |
|
- ntpd using a gps has to be able to read/write generic tty_device_t |
|
- If you disable unconfined and unconfineduser, rpm needs more privs to manage /dev |
|
- fix spec file |
|
- Remove qemu_domtrans_unconfined() interface |
|
- Make passenger working together with puppet |
|
- Add init_dontaudit_rw_stream_socket interface |
|
- Fixes for wordpress |
|
|
|
* Thu Aug 11 2011 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-18 |
|
- Turn on allow_domain_fd_use boolean on F16 |
|
- Allow syslog to manage all log files |
|
- Add use_fusefs_home_dirs boolean for chrome |
|
- Make vdagent working with confined users |
|
- Add abrt_handle_event_t domain for ABRT event scripts |
|
- Labeled /usr/sbin/rhnreg_ks as rpm_exec_t and added changes related to this change |
|
- Allow httpd_git_script_t to read passwd data |
|
- Allow openvpn to set its process priority when the nice parameter is used |
|
|
|
* Wed Aug 10 2011 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-17 |
|
- livecd fixes |
|
- spec file fixes |
|
|
|
* Thu Aug 4 2011 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-16 |
|
- fetchmail can use kerberos |
|
- ksmtuned reads in shell programs |
|
- gnome_systemctl_t reads the process state of ntp |
|
- dnsmasq_t asks the kernel to load multiple kernel modules |
|
- Add rules for domains executing systemctl |
|
- Bogus text within fc file |
|
|
|
* Wed Aug 3 2011 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-14 |
|
- Add cfengine policy |
|
|
|
* Tue Aug 2 2011 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-13 |
|
- Add abrt_domain attribute |
|
- Allow corosync to manage cluster lib files |
|
- Allow corosync to connect to the system DBUS |
|
|
|
* Mon Aug 1 2011 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-12 |
|
- Add sblim, uuidd policies |
|
- Allow kernel_t dyntrasition to init_t |
|
|
|
* Fri Jul 29 2011 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-11 |
|
- init_t need setexec |
|
- More fixes of rules which cause an explosion in rules by Dan Walsh |
|
|
|
* Tue Jul 26 2011 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-10 |
|
- Allow rcsmcertd to perform DNS name resolution |
|
- Add dirsrvadmin_unconfined_script_t domain type for 389-ds admin scripts |
|
- Allow tmux to run as screen |
|
- New policy for collectd |
|
- Allow gkeyring_t to interact with all user apps |
|
- Add rules to allow firstboot to run on machines with the unconfined.pp module removed |
|
|
|
* Sat Jul 23 2011 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-9 |
|
- Allow systemd_logind to send dbus messages with users |
|
- allow accountsd to read wtmp file |
|
- Allow dhcpd to get and set capabilities |
|
|
|
* Fri Jul 22 2011 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-8 |
|
- Fix oracledb_port definition |
|
- Allow mount to mounton the selinux file system |
|
- Allow users to list /var directories |
|
|
|
* Thu Jul 21 2011 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-7 |
|
- systemd fixes |
|
|
|
* Tue Jul 19 2011 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-6 |
|
- Add initial policy for abrt_dump_oops_t |
|
- xtables-multi wants to getattr of the proc fs |
|
- Smoltclient is connecting to abrt |
|
- Dontaudit leaked file descriptors to postdrop |
|
- Allow abrt_dump_oops to look at kernel sysctls |
|
- Abrt_dump_oops_t reads kernel ring buffer |
|
- Allow mysqld to request the kernel to load modules |
|
- systemd-login needs fowner |
|
- Allow postfix_cleanup_t to searh maildrop |
|
|
|
* Mon Jul 18 2011 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-5 |
|
- Initial systemd_logind policy |
|
- Add policy for systemd_logger and additional proivs for systemd_logind |
|
- More fixes for systemd policies |
|
|
|
* Thu Jul 14 2011 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-4 |
|
- Allow setsched for virsh |
|
- Systemd needs to impersonate cups, which means it needs to create tcp_sockets in cups_t domain, as well as manage spool directories |
|
- iptables: the various /sbin/ip6?tables.* are now symlinks for |
|
/sbin/xtables-multi |
|
|
|
* Tue Jul 12 2011 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-3 |
|
- A lot of users are running yum -y update while in /root which is causing ldconfig to list the contents, adding dontaudit |
|
- Allow colord to interact with the users through the tmpfs file system |
|
- Since we changed the label on deferred, we need to allow postfix_qmgr_t to be able to create maildrop_t files |
|
- Add label for /var/log/mcelog |
|
- Allow asterisk to read /dev/random if it uses TLS |
|
- Allow colord to read ini files which are labeled as bin_t |
|
- Allow dirsrvadmin sys_resource and setrlimit to use ulimit |
|
- Systemd needs to be able to create sock_files for every label in /var/run directory, cupsd being the first. |
|
- Also lists /var and /var/spool directories |
|
- Add openl2tpd to l2tpd policy |
|
- qpidd is reading the sysfs file |
|
|
|
* Thu Jun 30 2011 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-2 |
|
- Change usbmuxd_t to dontaudit attempts to read chr_file |
|
- Add mysld_safe_exec_t for libra domains to be able to start private mysql domains |
|
- Allow pppd to search /var/lock dir |
|
- Add rhsmcertd policy |
|
|
|
* Mon Jun 27 2011 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-1 |
|
- Update to upstream |
|
|
|
* Mon Jun 27 2011 Miroslav Grepl <mgrepl@redhat.com> 3.9.16-30 |
|
- More fixes |
|
* http://git.fedorahosted.org/git/?p=selinux-policy.git |
|
|
|
* Thu Jun 16 2011 Dan Walsh <dwalsh@redhat.com> 3.9.16-29.1 |
|
- Fix spec file to not report Verify errors |
|
|
|
* Thu Jun 16 2011 Miroslav Grepl <mgrepl@redhat.com> 3.9.16-29 |
|
- Add dspam policy |
|
- Add lldpad policy |
|
- dovecot auth wants to search statfs #713555 |
|
- Allow systemd passwd apps to read init fifo_file |
|
- Allow prelink to use inherited terminals |
|
- Run cherokee in the httpd_t domain |
|
- Allow mcs constraints on node connections |
|
- Implement pyicqt policy |
|
- Fixes for zarafa policy |
|
- Allow cobblerd to send syslog messages |
|
|
|
* Wed Jun 8 2011 Dan Walsh <dwalsh@redhat.com> 3.9.16-28.1 |
|
- Add policy.26 to the payload |
|
- Remove olpc stuff |
|
- Remove policygentool |
|
|
|
* Wed Jun 8 2011 Miroslav Grepl <mgrepl@redhat.com> 3.9.16-27 |
|
- Fixes for zabbix |
|
- init script needs to be able to manage sanlock_var_run_... |
|
- Allow sandlock and wdmd to create /var/run directories... |
|
- mixclip.so has been compiled correctly |
|
- Fix passenger policy module name |
|
|
|
* Tue Jun 7 2011 Miroslav Grepl <mgrepl@redhat.com> 3.9.16-26 |
|
- Add mailscanner policy from dgrift |
|
- Allow chrome to optionally be transitioned to |
|
- Zabbix needs these rules when starting the zabbix_server_mysql |
|
- Implement a type for freedesktop openicc standard (~/.local/share/icc) |
|
- Allow system_dbusd_t to read inherited icc_data_home_t files. |
|
- Allow colord_t to read icc_data_home_t content. #706975 |
|
- Label stuff under /usr/lib/debug as if it was labeled under / |
|
|
|
* Thu Jun 2 2011 Miroslav Grepl <mgrepl@redhat.com> 3.9.16-25 |
|
- Fixes for sanlock policy |
|
- Fixes for colord policy |
|
- Other fixes |
|
* http://git.fedorahosted.org/git/?p=selinux-policy.git;a=log |
|
|
|
* Thu May 26 2011 Miroslav Grepl <mgrepl@redhat.com> 3.9.16-24 |
|
- Add rhev policy module to modules-targeted.conf |
|
|
|
* Tue May 24 2011 Miroslav Grepl <mgrepl@redhat.com> 3.9.16-23 |
|
- Lot of fixes |
|
* http://git.fedorahosted.org/git/?p=selinux-policy.git;a=log |
|
|
|
* Thu May 19 2011 Miroslav Grepl <mgrepl@redhat.com> 3.9.16-22 |
|
- Allow logrotate to execute systemctl |
|
- Allow nsplugin_t to getattr on gpmctl |
|
- Fix dev_getattr_all_chr_files() interface |
|
- Allow shorewall to use inherited terms |
|
- Allow userhelper to getattr all chr_file devices |
|
- sandbox domains should be able to getattr and dontaudit search of sysctl_kernel_t |
|
- Fix labeling for ABRT Retrace Server |
|
|
|
* Mon May 9 2011 Miroslav Grepl <mgrepl@redhat.com> 3.9.16-21 |
|
- Dontaudit sys_module for ifconfig |
|
- Make telepathy and gkeyringd daemon working with confined users |
|
- colord wants to read files in users homedir |
|
- Remote login should be creating user_tmp_t not its own tmp files |
|
|
|
* Thu May 5 2011 Miroslav Grepl <mgrepl@redhat.com> 3.9.16-20 |
|
- Fix label for /usr/share/munin/plugins/munin_* plugins |
|
- Add support for zarafa-indexer |
|
- Fix boolean description |
|
- Allow colord to getattr on /proc/scsi/scsi |
|
- Add label for /lib/upstart/init |
|
- Colord needs to list /mnt |
|
|
|
* Tue May 3 2011 Miroslav Grepl <mgrepl@redhat.com> 3.9.16-19 |
|
- Forard port changes from F15 for telepathy |
|
- NetworkManager should be allowed to use /dev/rfkill |
|
- Fix dontaudit messages to say Domain to not audit |
|
- Allow telepathy domains to read/write gnome_cache files |
|
- Allow telepathy domains to call getpw |
|
- Fixes for colord and vnstatd policy |
|
|
|
* Wed Apr 27 2011 Miroslav Grepl <mgrepl@redhat.com> 3.9.16-18 |
|
- Allow init_t getcap and setcap |
|
- Allow namespace_init_t to use nsswitch |
|
- aisexec will execute corosync |
|
- colord tries to read files off noxattr file systems |
|
- Allow init_t getcap and setcap |
|
|
|
* Thu Apr 21 2011 Miroslav Grepl <mgrepl@redhat.com> 3.9.16-17 |
|
- Add support for ABRT retrace server |
|
- Allow user_t and staff_t access to generic scsi to handle locally plugged in scanners |
|
- Allow telepath_msn_t to read /proc/PARENT/cmdline |
|
- ftpd needs kill capability |
|
- Allow telepath_msn_t to connect to sip port |
|
- keyring daemon does not work on nfs homedirs |
|
- Allow $1_sudo_t to read default SELinux context |
|
- Add label for tgtd sock file in /var/run/ |
|
- Add apache_exec_rotatelogs interface |
|
- allow all zaraha domains to signal themselves, server writes to /tmp |
|
- Allow syslog to read the process state |
|
- Add label for /usr/lib/chromium-browser/chrome |
|
- Remove the telepathy transition from unconfined_t |
|
- Dontaudit sandbox domains trying to mounton sandbox_file_t, this is caused by fuse mounts |
|
- Allow initrc_t domain to manage abrt pid files |
|
- Add support for AEOLUS project |
|
- Virt_admin should be allowed to manage images and processes |
|
- Allow plymountd to send signals to init |
|
- Change labeling of fping6 |
|
|
|
* Tue Apr 19 2011 Dan Walsh <dwalsh@redhat.com> 3.9.16-16.1 |
|
- Add filename transitions |
|
|
|
* Tue Apr 19 2011 Miroslav Grepl <mgrepl@redhat.com> 3.9.16-16 |
|
- Fixes for zarafa policy |
|
- Add support for AEOLUS project |
|
- Change labeling of fping6 |
|
- Allow plymountd to send signals to init |
|
- Allow initrc_t domain to manage abrt pid files |
|
- Virt_admin should be allowed to manage images and processes |
|
|
|
* Fri Apr 15 2011 Miroslav Grepl <mgrepl@redhat.com> 3.9.16-15 |
|
- xdm_t needs getsession for switch user |
|
- Every app that used to exec init is now execing systemdctl |
|
- Allow squid to manage krb5_host_rcache_t files |
|
- Allow foghorn to connect to agentx port - Fixes for colord policy |
|
|
|
* Mon Apr 11 2011 Miroslav Grepl <mgrepl@redhat.com> 3.9.16-14 |
|
- Add Dan's patch to remove 64 bit variants |
|
- Allow colord to use unix_dgram_socket |
|
- Allow apps that search pids to read /var/run if it is a lnk_file |
|
- iscsid_t creates its own directory |
|
- Allow init to list var_lock_t dir |
|
- apm needs to verify user accounts auth_use_nsswitch |
|
- Add labeling for systemd unit files |
|
- Allow gnomeclok to enable ntpd service using systemctl - systemd_systemctl_t domain was added |
|
- Add label for matahari-broker.pid file |
|
- We want to remove untrustedmcsprocess from ability to read /proc/pid |
|
- Fixes for matahari policy |
|
- Allow system_tmpfiles_t to delete user_home_t files in the /tmp dir |
|
- Allow sshd to transition to sysadm_t if ssh_sysadm_login is turned on |
|
|
|
* Tue Apr 5 2011 Miroslav Grepl <mgrepl@redhat.com> 3.9.16-13 |
|
- Fix typo |
|
|
|
* Mon Apr 4 2011 Miroslav Grepl <mgrepl@redhat.com> 3.9.16-12 |
|
- Add /var/run/lock /var/lock definition to file_contexts.subs |
|
- nslcd_t is looking for kerberos cc files |
|
- SSH_USE_STRONG_RNG is 1 which requires /dev/random |
|
- Fix auth_rw_faillog definition |
|
- Allow sysadm_t to set attributes on fixed disks |
|
- allow user domains to execute lsof and look at application sockets |
|
- prelink_cron job calls telinit -u if init is rewritten |
|
- Fixes to run qemu_t from staff_t |
|
|
|
* Mon Apr 4 2011 Miroslav Grepl <mgrepl@redhat.com> 3.9.16-11 |
|
- Fix label for /var/run/udev to udev_var_run_t |
|
- Mock needs to be able to read network state |
|
|
|
* Fri Apr 1 2011 Miroslav Grepl <mgrepl@redhat.com> 3.9.16-10 |
|
- Add file_contexts.subs to handle /run and /run/lock |
|
- Add other fixes relating to /run changes from F15 policy |
|
|
|
* Fri Mar 25 2011 Miroslav Grepl <mgrepl@redhat.com> 3.9.16-7 |
|
- Allow $1_sudo_t and $1_su_t open access to user terminals |
|
- Allow initrc_t to use generic terminals |
|
- Make Makefile/Rules.modular run sepolgen-ifgen during build to check if files for bugs |
|
-systemd is going to be useing /run and /run/lock for early bootup files. |
|
- Fix some comments in rlogin.if |
|
- Add policy for KDE backlighthelper |
|
- sssd needs to read ~/.k5login in nfs, cifs or fusefs file systems |
|
- sssd wants to read .k5login file in users homedir |
|
- setroubleshoot reads executables to see if they have TEXTREL |
|
- Add /var/spool/audit support for new version of audit |
|
- Remove kerberos_connect_524() interface calling |
|
- Combine kerberos_master_port_t and kerberos_port_t |
|
- systemd has setup /dev/kmsg as stderr for apps it executes |
|
- Need these access so that init can impersonate sockets on unix_dgram_socket |
|
|
|
* Wed Mar 23 2011 Miroslav Grepl <mgrepl@redhat.com> 3.9.16-6 |
|
- Remove some unconfined domains |
|
- Remove permissive domains |
|
- Add policy-term.patch from Dan |
|
|
|
* Thu Mar 17 2011 Miroslav Grepl <mgrepl@redhat.com> 3.9.16-5 |
|
- Fix multiple specification for boot.log |
|
- devicekit leaks file descriptors to setfiles_t |
|
- Change all all_nodes to generic_node and all_if to generic_if |
|
- Should not use deprecated interface |
|
- Switch from using all_nodes to generic_node and from all_if to generic_if |
|
- Add support for xfce4-notifyd |
|
- Fix file context to show several labels as SystemHigh |
|
- seunshare needs to be able to mounton nfs/cifs/fusefs homedirs |
|
- Add etc_runtime_t label for /etc/securetty |
|
- Fixes to allow xdm_t to start gkeyringd_USERTYPE_t directly |
|
- login.krb needs to be able to write user_tmp_t |
|
- dirsrv needs to bind to port 7390 for dogtag |
|
- Fix a bug in gpg policy |
|
- gpg sends audit messages |
|
- Allow qpid to manage matahari files |
|
|
|
* Tue Mar 15 2011 Miroslav Grepl <mgrepl@redhat.com> 3.9.16-4 |
|
- Initial policy for matahari |
|
- Add dev_read_watchdog |
|
- Allow clamd to connect clamd port |
|
- Add support for kcmdatetimehelper |
|
- Allow shutdown to setrlimit and sys_nice |
|
- Allow systemd_passwd to talk to /dev/log before udev or syslog is running |
|
- Purge chr_file and blk files on /tmp |
|
- Fixes for pads |
|
- Fixes for piranha-pulse |
|
- gpg_t needs to be able to encyprt anything owned by the user |
|
|
|
* Thu Mar 10 2011 Miroslav Grepl <mgrepl@redhat.com> 3.9.16-3 |
|
- mozilla_plugin_tmp_t needs to be treated as user tmp files |
|
- More dontaudits of writes from readahead |
|
- Dontaudit readahead_t file_type:dir write, to cover up kernel bug |
|
- systemd_tmpfiles needs to relabel faillog directory as well as the file |
|
- Allow hostname and consoletype to r/w inherited initrc_tmp_t files handline hostname >> /tmp/myhost |
|
|
|
* Thu Mar 10 2011 Miroslav Grepl <mgrepl@redhat.com> 3.9.16-2 |
|
- Add policykit fixes from Tim Waugh |
|
- dontaudit sandbox domains sandbox_file_t:dir mounton |
|
- Add new dontaudit rules for sysadm_dbusd_t |
|
- Change label for /var/run/faillock |
|
* other fixes which relate with this change |
|
|
|
* Tue Mar 8 2011 Miroslav Grepl <mgrepl@redhat.com> 3.9.16-1 |
|
- Update to upstream |
|
- Fixes for telepathy |
|
- Add port defition for ssdp port |
|
- add policy for /bin/systemd-notify from Dan |
|
- Mount command requires users read mount_var_run_t |
|
- colord needs to read konject_uevent_socket |
|
- User domains connect to the gkeyring socket |
|
- Add colord policy and allow user_t and staff_t to dbus chat with it |
|
- Add lvm_exec_t label for kpartx |
|
- Dontaudit reading the mail_spool_t link from sandbox -X |
|
- systemd is creating sockets in avahi_var_run and system_dbusd_var_run |
|
|
|
* Tue Mar 1 2011 Miroslav Grepl <mgrepl@redhat.com> 3.9.15-5 |
|
- gpg_t needs to talk to gnome-keyring |
|
- nscd wants to read /usr/tmp->/var/tmp to generate randomziation in unixchkpwd |
|
- enforce MCS labeling on nodes |
|
- Allow arpwatch to read meminfo |
|
- Allow gnomeclock to send itself signals |
|
- init relabels /dev/.udev files on boot |
|
- gkeyringd has to transition back to staff_t when it runs commands in bin_t or shell_exec_t |
|
- nautilus checks access on /media directory before mounting usb sticks, dontaudit access_check on mnt_t |
|
- dnsmasq can run as a dbus service, needs acquire service |
|
- mysql_admin should be allowed to connect to mysql service |
|
- virt creates monitor sockets in the users home dir |
|
|
|
* Mon Feb 21 2011 Miroslav Grepl <mgrepl@redhat.com> 3.9.15-2 |
|
- Allow usbhid-ups to read hardware state information |
|
- systemd-tmpfiles has moved |
|
- Allo cgroup to sys_tty_config |
|
- For some reason prelink is attempting to read gconf settings |
|
- Add allow_daemons_use_tcp_wrapper boolean |
|
- Add label for ~/.cache/wocky to make telepathy work in enforcing mode |
|
- Add label for char devices /dev/dasd* |
|
- Fix for apache_role |
|
- Allow amavis to talk to nslcd |
|
- allow all sandbox to read selinux poilcy config files |
|
- Allow cluster domains to use the system bus and send each other dbus messages |
|
|
|
* Wed Feb 16 2011 Miroslav Grepl <mgrepl@redhat.com> 3.9.15-1 |
|
- Update to upstream |
|
|
|
* Wed Feb 09 2011 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 3.9.14-2 |
|
- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild |
|
|
|
* Tue Feb 8 2011 Dan Walsh <dwalsh@redhat.com> 3.9.14-1 |
|
- Update to ref policy |
|
- cgred needs chown capability |
|
- Add /dev/crash crash_dev_t |
|
- systemd-readahead wants to use fanotify which means readahead_t needs sys_admin capability |
|
|
|
* Tue Feb 8 2011 Miroslav Grepl <mgrepl@redhat.com> 3.9.13-10 |
|
- New labeling for postfmulti #675654 |
|
- dontaudit xdm_t listing noxattr file systems |
|
- dovecot-auth needs to be able to connect to mysqld via the network as well as locally |
|
- shutdown is passed stdout to a xdm_log_t file |
|
- smartd creates a fixed disk device |
|
- dovecot_etc_t contains a lnk_file that domains need to read |
|
- mount needs to be able to read etc_runtim_t:lnk_file since in rawhide this is a link created at boot |
|
|
|
* Thu Feb 3 2011 Miroslav Grepl <mgrepl@redhat.com> 3.9.13-9 |
|
- syslog_t needs syslog capability |
|
- dirsrv needs to be able to create /var/lib/snmp |
|
- Fix labeling for dirsrv |
|
- Fix for dirsrv policy missing manage_dirs_pattern |
|
- corosync needs to delete clvm_tmpfs_t files |
|
- qdiskd needs to list hugetlbfs |
|
- Move setsched to sandbox_x_domain, so firefox can run without network access |
|
- Allow hddtemp to read removable devices |
|
- Adding syslog and read_policy permissions to policy |
|
* syslog |
|
Allow unconfined, sysadm_t, secadm_t, logadm_t |
|
* read_policy |
|
allow unconfined, sysadm_t, secadm_t, staff_t on Targeted |
|
allow sysadm_t (optionally), secadm_t on MLS |
|
- mdadm application will write into /sys/.../uevent whenever arrays are |
|
assembled or disassembled. |
|
|
|
* Tue Feb 1 2011 Dan Walsh <dwalsh@redhat.com> 3.9.13-8 |
|
- Add tcsd policy |
|
|
|
* Tue Feb 1 2011 Miroslav Grepl <mgrepl@redhat.com> 3.9.13-7 |
|
- ricci_modclusterd_t needs to bind to rpc ports 500-1023 |
|
- Allow dbus to use setrlimit to increase resoueces |
|
- Mozilla_plugin is leaking to sandbox |
|
- Allow confined users to connect to lircd over unix domain stream socket which allow to use remote control |
|
- Allow awstats to read squid logs |
|
- seunshare needs to manage tmp_t |
|
- apcupsd cgi scripts have a new directory |
|
|
|
* Thu Jan 27 2011 Miroslav Grepl <mgrepl@redhat.com> 3.9.13-6 |
|
- Fix xserver_dontaudit_read_xdm_pid |
|
- Change oracle_port_t to oracledb_port_t to prevent conflict with satellite |
|
- Allow dovecot_deliver_t to read/write postfix_master_t:fifo_file. |
|
* These fifo_file is passed from postfix_master_t to postfix_local_t to dovecot_deliver_t |
|
- Allow readahead to manage readahead pid dirs |
|
- Allow readahead to read all mcs levels |
|
- Allow mozilla_plugin_t to use nfs or samba homedirs |
|
|
|
* Tue Jan 25 2011 Miroslav Grepl <mgrepl@redhat.com> 3.9.13-5 |
|
- Allow nagios plugin to read /proc/meminfo |
|
- Fix for mozilla_plugin |
|
- Allow samba_net_t to create /etc/keytab |
|
- pppd_t setting up vpns needs to run unix_chkpwd, setsched its process and write wtmp_t |
|
- nslcd can read user credentials |
|
- Allow nsplugin to delete mozilla_plugin_tmpfs_t |
|
- abrt tries to create dir in rpm_var_lib_t |
|
- virt relabels fifo_files |
|
- sshd needs to manage content in fusefs homedir |
|
- mock manages link files in cache dir |
|
|
|
* Fri Jan 21 2011 Miroslav Grepl <mgrepl@redhat.com> 3.9.13-4 |
|
- nslcd needs setsched and to read /usr/tmp |
|
- Invalid call in likewise policy ends up creating a bogus role |
|
- Cannon puts content into /var/lib/bjlib that cups needs to be able to write |
|
- Allow screen to create screen_home_t in /root |
|
- dirsrv sends syslog messages |
|
- pinentry reads stuff in .kde directory |
|
- Add labels for .kde directory in homedir |
|
- Treat irpinit, iprupdate, iprdump services with raid policy |
|
|
|
* Wed Jan 19 2011 Miroslav Grepl <mgrepl@redhat.com> 3.9.13-3 |
|
- NetworkManager wants to read consolekit_var_run_t |
|
- Allow readahead to create /dev/.systemd/readahead |
|
- Remove permissive domains |
|
- Allow newrole to run namespace_init |
|
|
|
* Tue Jan 18 2011 Miroslav Grepl <mgrepl@redhat.com> 3.9.13-2 |
|
- Add sepgsql_contexts file |
|
|
|
* Mon Jan 17 2011 Miroslav Grepl <mgrepl@redhat.com> 3.9.13-1 |
|
- Update to upstream |
|
|
|
* Mon Jan 17 2011 Miroslav Grepl <mgrepl@redhat.com> 3.9.12-8 |
|
- Add oracle ports and allow apache to connect to them if the connect_db boolean is turned on |
|
- Add puppetmaster_use_db boolean |
|
- Fixes for zarafa policy |
|
- Fixes for gnomeclock poliy |
|
- Fix systemd-tmpfiles to use auth_use_nsswitch |
|
|
|
* Fri Jan 14 2011 Miroslav Grepl <mgrepl@redhat.com> 3.9.12-7 |
|
- gnomeclock executes a shell |
|
- Update for screen policy to handle pipe in homedir |
|
- Fixes for polyinstatiated homedir |
|
- Fixes for namespace policy and other fixes related to polyinstantiation |
|
- Add namespace policy |
|
- Allow dovecot-deliver transition to sendmail which is needed by sieve scripts |
|
- Fixes for init, psad policy which relate with confined users |
|
- Do not audit bootloader attempts to read devicekit pid files |
|
- Allow nagios service plugins to read /proc |
|
|
|
* Tue Jan 11 2011 Miroslav Grepl <mgrepl@redhat.com> 3.9.12-6 |
|
- Add firewalld policy |
|
- Allow vmware_host to read samba config |
|
- Kernel wants to read /proc Fix duplicate grub def in cobbler |
|
- Chrony sends mail, executes shell, uses fifo_file and reads /proc |
|
- devicekitdisk getattr all file systems |
|
- sambd daemon writes wtmp file |
|
- libvirt transitions to dmidecode |
|
|
|
* Wed Jan 5 2011 Miroslav Grepl <mgrepl@redhat.com> 3.9.12-5 |
|
- Add initial policy for system-setup-keyboard which is now daemon |
|
- Label /var/lock/subsys/shorewall as shorewall_lock_t |
|
- Allow users to communicate with the gpg_agent_t |
|
- Dontaudit mozilla_plugin_t using the inherited terminal |
|
- Allow sambagui to read files in /usr |
|
- webalizer manages squid log files |
|
- Allow unconfined domains to bind ports to raw_ip_sockets |
|
- Allow abrt to manage rpm logs when running yum |
|
- Need labels for /var/run/bittlebee |
|
- Label .ssh under amanda |
|
- Remove unused genrequires for virt_domain_template |
|
- Allow virt_domain to use fd inherited from virtd_t |
|
- Allow iptables to read shorewall config |
|
|
|
* Tue Dec 28 2010 Dan Walsh <dwalsh@redhat.com> 3.9.12-4 |
|
- Gnome apps list config_home_t |
|
- mpd creates lnk files in homedir |
|
- apache leaks write to mail apps on tmp files |
|
- /var/stockmaniac/templates_cache contains log files |
|
- Abrt list the connects of mount_tmp_t dirs |
|
- passwd agent reads files under /dev and reads utmp file |
|
- squid apache script connects to the squid port |
|
- fix name of plymouth log file |
|
- teamviewer is a wine app |
|
- allow dmesg to read system state |
|
- Stop labeling files under /var/lib/mock so restorecon will not go into this |
|
- nsplugin needs to read network state for google talk |
|
|
|
* Thu Dec 23 2010 Dan Walsh <dwalsh@redhat.com> 3.9.12-3 |
|
- Allow xdm and syslog to use /var/log/boot.log |
|
- Allow users to communicate with mozilla_plugin and kill it |
|
- Add labeling for ipv6 and dhcp |
|
|
|
* Tue Dec 21 2010 Dan Walsh <dwalsh@redhat.com> 3.9.12-2 |
|
- New labels for ghc http content |
|
- nsplugin_config needs to read urand, lvm now calls setfscreate to create dev |
|
- pm-suspend now creates log file for append access so we remove devicekit_wri |
|
- Change authlogin_use_sssd to authlogin_nsswitch_use_ldap |
|
- Fixes for greylist_milter policy |
|
|
|
* Tue Dec 21 2010 Miroslav Grepl <mgrepl@redhat.com> 3.9.12-1 |
|
- Update to upstream |
|
- Fixes for systemd policy |
|
- Fixes for passenger policy |
|
- Allow staff users to run mysqld in the staff_t domain, akonadi needs this |
|
- Add bin_t label for /usr/share/kde4/apps/kajongg/kajongg.py |
|
- auth_use_nsswitch does not need avahi to read passwords,needed for resolving data |
|
- Dontaudit (xdm_t) gok attempting to list contents of /var/account |
|
- Telepathy domains need to read urand |
|
- Need interface to getattr all file classes in a mock library for setroubleshoot |
|
|
|
* Wed Dec 15 2010 Dan Walsh <dwalsh@redhat.com> 3.9.11-2 |
|
- Update selinux policy to handle new /usr/share/sandbox/start script |
|
|
|
* Wed Dec 15 2010 Miroslav Grepl <mgrepl@redhat.com> 3.9.11-1 |
|
- Update to upstream |
|
- Fix version of policy in spec file |
|
|
|
* Tue Dec 14 2010 Miroslav Grepl <mgrepl@redhat.com> 3.9.10-13 |
|
- Allow sandbox to run on nfs partitions, fixes for systemd_tmpfs |
|
- remove per sandbox domains devpts types |
|
- Allow dkim-milter sending signal to itself |
|
|
|
* Mon Dec 13 2010 Dan Walsh <dwalsh@redhat.com> 3.9.10-12 |
|
- Allow domains that transition to ping or traceroute, kill them |
|
- Allow user_t to conditionally transition to ping_t and traceroute_t |
|
- Add fixes to systemd- tools, including new labeling for systemd-fsck, systemd-cryptsetup |
|
|
|
* Mon Dec 13 2010 Miroslav Grepl <mgrepl@redhat.com> 3.9.10-11 |
|
- Turn on systemd policy |
|
- mozilla_plugin needs to read certs in the homedir. |
|
- Dontaudit leaked file descriptors from devicekit |
|
- Fix ircssi to use auth_use_nsswitch |
|
- Change to use interface without param in corenet to disable unlabelednet packets |
|
- Allow init to relabel sockets and fifo files in /dev |
|
- certmonger needs dac* capabilities to manage cert files not owned by root |
|
- dovecot needs fsetid to change group membership on mail |
|
- plymouthd removes /var/log/boot.log |
|
- systemd is creating symlinks in /dev |
|
- Change label on /etc/httpd/alias to be all cert_t |
|
|
|
* Fri Dec 10 2010 Miroslav Grepl <mgrepl@redhat.com> 3.9.10-10 |
|
- Fixes for clamscan and boinc policy |
|
- Add boinc_project_t setpgid |
|
- Allow alsa to create tmp files in /tmp |
|
|
|
* Tue Dec 7 2010 Miroslav Grepl <mgrepl@redhat.com> 3.9.10-9 |
|
- Push fixes to allow disabling of unlabeled_t packet access |
|
- Enable unlabelednet policy |
|
|
|
* Tue Dec 7 2010 Miroslav Grepl <mgrepl@redhat.com> 3.9.10-8 |
|
- Fixes for lvm to work with systemd |
|
|
|
* Mon Dec 6 2010 Miroslav Grepl <mgrepl@redhat.com> 3.9.10-7 |
|
- Fix the label for wicd log |
|
- plymouthd creates force-display-on-active-vt file |
|
- Allow avahi to request the kernel to load a module |
|
- Dontaudit hal leaks |
|
- Fix gnome_manage_data interface |
|
- Add new interface corenet_packet to define a type as being an packet_type. |
|
- Removed general access to packet_type from icecast and squid. |
|
- Allow mpd to read alsa config |
|
- Fix the label for wicd log |
|
- Add systemd policy |
|
|
|
* Fri Dec 3 2010 Miroslav Grepl <mgrepl@redhat.com> 3.9.10-6 |
|
- Fix gnome_manage_data interface |
|
- Dontaudit sys_ptrace capability for iscsid |
|
- Fixes for nagios plugin policy |
|
|
|
* Thu Dec 2 2010 Miroslav Grepl <mgrepl@redhat.com> 3.9.10-5 |
|
- Fix cron to run ranged when started by init |
|
- Fix devicekit to use log files |
|
- Dontaudit use of devicekit_var_run_t for fstools |
|
- Allow init to setattr on logfile directories |
|
- Allow hald to manage files in /var/run/pm-utils/ dir which is now labeled as devicekit_var_run_t |
|
|
|
* Tue Nov 30 2010 Dan Walsh <dwalsh@redhat.com> 3.9.10-4 |
|
- Fix up handling of dnsmasq_t creating /var/run/libvirt/network |
|
- Turn on sshd_forward_ports boolean by default |
|
- Allow sysadmin to dbus chat with rpm |
|
- Add interface for rw_tpm_dev |
|
- Allow cron to execute bin |
|
- fsadm needs to write sysfs |
|
- Dontaudit consoletype reading /var/run/pm-utils |
|
- Lots of new privs fro mozilla_plugin_t running java app, make mozilla_plugin |
|
- certmonger needs to manage dirsrv data |
|
- /var/run/pm-utils should be labeled as devicekit_var_run_t |
|
|
|
* Tue Nov 30 2010 Miroslav Grepl <mgrepl@redhat.com> 3.9.10-3 |
|
- fixes to allow /var/run and /var/lock as tmpfs |
|
- Allow chrome sandbox to connect to web ports |
|
- Allow dovecot to listem on lmtp and sieve ports |
|
- Allov ddclient to search sysctl_net_t |
|
- Transition back to original domain if you execute the shell |
|
|
|
* Thu Nov 25 2010 Miroslav Grepl <mgrepl@redhat.com> 3.9.10-2 |
|
- Remove duplicate declaration |
|
|
|
* Thu Nov 25 2010 Miroslav Grepl <mgrepl@redhat.com> 3.9.10-1 |
|
- Update to upstream |
|
- Cleanup for sandbox |
|
- Add attribute to be able to select sandbox types |
|
|
|
* Mon Nov 22 2010 Miroslav Grepl <mgrepl@redhat.com> 3.9.9-4 |
|
- Allow ddclient to fix file mode bits of ddclient conf file |
|
- init leaks file descriptors to daemons |
|
- Add labels for /etc/lirc/ and |
|
- Allow amavis_t to exec shell |
|
- Add label for gssd_tmp_t for /var/tmp/nfs_0 |
|
|
|
* Thu Nov 18 2010 Dan Walsh <dwalsh@redhat.com> 3.9.9-3 |
|
- Put back in lircd_etc_t so policy will install |
|
|
|
* Thu Nov 18 2010 Miroslav Grepl <mgrepl@redhat.com> 3.9.9-2 |
|
- Turn on allow_postfix_local_write_mail_spool |
|
- Allow initrc_t to transition to shutdown_t |
|
- Allow logwatch and cron to mls_read_to_clearance for MLS boxes |
|
- Allow wm to send signull to all applications and receive them from users |
|
- lircd patch from field |
|
- Login programs have to read /etc/samba |
|
- New programs under /lib/systemd |
|
- Abrt needs to read config files |
|
|
|
* Tue Nov 16 2010 Miroslav Grepl <mgrepl@redhat.com> 3.9.9-1 |
|
- Update to upstream |
|
- Dontaudit leaked sockets from userdomains to user domains |
|
- Fixes for mcelog to handle scripts |
|
- Apply patch from Ruben Kerkhof |
|
- Allow syslog to search spool dirs |
|
|
|
* Mon Nov 15 2010 Miroslav Grepl <mgrepl@redhat.com> 3.9.8-7 |
|
- Allow nagios plugins to read usr files |
|
- Allow mysqld-safe to send system log messages |
|
- Fixes fpr ddclient policy |
|
- Fix sasl_admin interface |
|
- Allow apache to search zarafa config |
|
- Allow munin plugins to search /var/lib directory |
|
- Allow gpsd to read sysfs_t |
|
- Fix labels on /etc/mcelog/triggers to bin_t |
|
|
|
* Fri Nov 12 2010 Dan Walsh <dwalsh@redhat.com> 3.9.8-6 |
|
- Remove saslauthd_tmp_t and transition tmp files to krb5_host_rcache_t |
|
- Allow saslauthd_t to create krb5_host_rcache_t files in /tmp |
|
- Fix xserver interface |
|
- Fix definition of /var/run/lxdm |
|
|
|
* Fri Nov 12 2010 Miroslav Grepl <mgrepl@redhat.com> 3.9.8-5 |
|
- Turn on mediawiki policy |
|
- kdump leaks kdump_etc_t to ifconfig, add dontaudit |
|
- uux needs to transition to uucpd_t |
|
- More init fixes relabels man,faillog |
|
- Remove maxima defs in libraries.fc |
|
- insmod needs to be able to create tmpfs_t files |
|
- ping needs setcap |
|
|
|
* Wed Nov 10 2010 Miroslav Grepl <mgrepl@redhat.com> 3.9.8-4 |
|
- Allow groupd transition to fenced domain when executes fence_node |
|
- Fixes for rchs policy |
|
- Allow mpd to be able to read samba/nfs files |
|
|
|
* Tue Nov 9 2010 Dan Walsh <dwalsh@redhat.com> 3.9.8-3 |
|
- Fix up corecommands.fc to match upstream |
|
- Make sure /lib/systemd/* is labeled init_exec_t |
|
- mount wants to setattr on all mountpoints |
|
- dovecot auth wants to read dovecot etc files |
|
- nscd daemon looks at the exe file of the comunicating daemon |
|
- openvpn wants to read utmp file |
|
- postfix apps now set sys_nice and lower limits |
|
- remote_login (telnetd/login) wants to use telnetd_devpts_t and user_devpts_t to work correctly |
|
- Also resolves nsswitch |
|
- Fix labels on /etc/hosts.* |
|
- Cleanup to make upsteam patch work |
|
- allow abrt to read etc_runtime_t |
|
|
|
* Fri Nov 5 2010 Dan Walsh <dwalsh@redhat.com> 3.9.8-2 |
|
- Add conflicts for dirsrv package |
|
|
|
* Fri Nov 5 2010 Dan Walsh <dwalsh@redhat.com> 3.9.8-1 |
|
- Update to upstream |
|
- Add vlock policy |
|
|
|
* Wed Nov 3 2010 Dan Walsh <dwalsh@redhat.com> 3.9.7-10 |
|
- Fix sandbox to work on nfs homedirs |
|
- Allow cdrecord to setrlimit |
|
- Allow mozilla_plugin to read xauth |
|
- Change label on systemd-logger to syslogd_exec_t |
|
- Install dirsrv policy from dirsrv package |
|
|
|
* Tue Nov 2 2010 Dan Walsh <dwalsh@redhat.com> 3.9.7-9 |
|
- Add virt_home_t, allow init to setattr on xserver_tmp_t and relabel it |
|
- Udev needs to stream connect to init and kernel |
|
- Add xdm_exec_bootloader boolean, which allows xdm to execute /sbin/grub and read files in /boot directory |
|
|
|
* Mon Nov 1 2010 Dan Walsh <dwalsh@redhat.com> 3.9.7-8 |
|
- Allow NetworkManager to read openvpn_etc_t |
|
- Dontaudit hplip to write of /usr dirs |
|
- Allow system_mail_t to create /root/dead.letter as mail_home_t |
|
- Add vdagent policy for spice agent daemon |
|
|
|
* Thu Oct 28 2010 Dan Walsh <dwalsh@redhat.com> 3.9.7-7 |
|
- Dontaudit sandbox sending sigkill to all user domains |
|
- Add policy for rssh_chroot_helper |
|
- Add missing flask definitions |
|
- Allow udev to relabelto removable_t |
|
- Fix label on /var/log/wicd.log |
|
- Transition to initrc_t from init when executing bin_t |
|
- Add audit_access permissions to file |
|
- Make removable_t a device_node |
|
- Fix label on /lib/systemd/* |
|
|
|
* Fri Oct 22 2010 Dan Walsh <dwalsh@redhat.com> 3.9.7-6 |
|
- Fixes for systemd to manage /var/run |
|
- Dontaudit leaks by firstboot |
|
|
|
* Tue Oct 19 2010 Dan Walsh <dwalsh@redhat.com> 3.9.7-5 |
|
- Allow chome to create netlink_route_socket |
|
- Add additional MATHLAB file context |
|
- Define nsplugin as an application_domain |
|
- Dontaudit sending signals from sandboxed domains to other domains |
|
- systemd requires init to build /tmp /var/auth and /var/lock dirs |
|
- mount wants to read devicekit_power /proc/ entries |
|
- mpd wants to connect to soundd port |
|
- Openoffice causes a setattr on a lib_t file for normal users, add dontaudit |
|
- Treat lib_t and textrel_shlib_t directories the same |
|
- Allow mount read access on virtual images |
|
|
|
* Fri Oct 15 2010 Dan Walsh <dwalsh@redhat.com> 3.9.7-4 |
|
- Allow sandbox_x_domains to work with nfs/cifs/fusefs home dirs. |
|
- Allow devicekit_power to domtrans to mount |
|
- Allow dhcp to bind to udp ports > 1024 to do named stuff |
|
- Allow ssh_t to exec ssh_exec_t |
|
- Remove telepathy_butterfly_rw_tmp_files(), dev_read_printk() interfaces which are nolonger used |
|
- Fix clamav_append_log() intefaces |
|
- Fix 'psad_rw_fifo_file' interface |
|
|
|
* Fri Oct 15 2010 Dan Walsh <dwalsh@redhat.com> 3.9.7-3 |
|
- Allow cobblerd to list cobler appache content |
|
|
|
* Fri Oct 15 2010 Dan Walsh <dwalsh@redhat.com> 3.9.7-2 |
|
- Fixup for the latest version of upowed |
|
- Dontaudit sandbox sending SIGNULL to desktop apps |
|
|
|
* Wed Oct 13 2010 Dan Walsh <dwalsh@redhat.com> 3.9.7-1 |
|
- Update to upstream |
|
|
|
* Tue Oct 12 2010 Dan Walsh <dwalsh@redhat.com> 3.9.6-3 |
|
-Mount command from a confined user generates setattr on /etc/mtab file, need to dontaudit this access |
|
- dovecot-auth_t needs ipc_lock |
|
- gpm needs to use the user terminal |
|
- Allow system_mail_t to append ~/dead.letter |
|
- Allow NetworkManager to edit /etc/NetworkManager/NetworkManager.conf |
|
- Add pid file to vnstatd |
|
- Allow mount to communicate with gfs_controld |
|
- Dontaudit hal leaks in setfiles |
|
|
|
* Fri Oct 8 2010 Dan Walsh <dwalsh@redhat.com> 3.9.6-2 |
|
- Lots of fixes for systemd |
|
- systemd now executes readahead and tmpwatch type scripts |
|
- Needs to manage random seed |
|
|
|
* Thu Oct 7 2010 Dan Walsh <dwalsh@redhat.com> 3.9.6-1 |
|
- Allow smbd to use sys_admin |
|
- Remove duplicate file context for tcfmgr |
|
- Update to upstream |
|
|
|
* Wed Oct 6 2010 Dan Walsh <dwalsh@redhat.com> 3.9.5-11 |
|
- Fix fusefs handling |
|
- Do not allow sandbox to manage nsplugin_rw_t |
|
- Allow mozilla_plugin_t to connecto its parent |
|
- Allow init_t to connect to plymouthd running as kernel_t |
|
- Add mediawiki policy |
|
- dontaudit sandbox sending signals to itself. This can happen when they are running at different mcs. |
|
- Disable transition from dbus_session_domain to telepathy for F14 |
|
- Allow boinc_project to use shm |
|
- Allow certmonger to search through directories that contain certs |
|
- Allow fail2ban the DAC Override so it can read log files owned by non root users |
|
|
|
* Mon Oct 4 2010 Dan Walsh <dwalsh@redhat.com> 3.9.5-10 |
|
- Start adding support for use_fusefs_home_dirs |
|
- Add /var/lib/syslog directory file context |
|
- Add /etc/localtime as locale file context |
|
|
|
* Thu Sep 30 2010 Dan Walsh <dwalsh@redhat.com> 3.9.5-9 |
|
- Turn off default transition to mozilla_plugin and telepathy domains from unconfined user |
|
- Turn off iptables from unconfined user |
|
- Allow sudo to send signals to any domains the user could have transitioned to. |
|
- Passwd in single user mode needs to talk to console_device_t |
|
- Mozilla_plugin_t needs to connect to web ports, needs to write to video device, and read alsa_home_t alsa setsup pulseaudio |
|
- locate tried to read a symbolic link, will dontaudit |
|
- New labels for telepathy-sunshine content in homedir |
|
- Google is storing other binaries under /opt/google/talkplugin |
|
- bluetooth/kernel is creating unlabeled_t socket that I will allow it to use until kernel fixes bug |
|
- Add boolean for unconfined_t transition to mozilla_plugin_t and telepathy domains, turned off in F14 on in F15 |
|
- modemmanger and bluetooth send dbus messages to devicekit_power |
|
- Samba needs to getquota on filesystems labeld samba_share_t |
|
|
|
* Wed Sep 29 2010 Dan Walsh <dwalsh@redhat.com> 3.9.5-8 |
|
- Dontaudit attempts by xdm_t to write to bin_t for kdm |
|
- Allow initrc_t to manage system_conf_t |
|
|
|
* Mon Sep 27 2010 Dan Walsh <dwalsh@redhat.com> 3.9.5-7 |
|
- Fixes to allow mozilla_plugin_t to create nsplugin_home_t directory. |
|
- Allow mozilla_plugin_t to create tcp/udp/netlink_route sockets |
|
- Allow confined users to read xdm_etc_t files |
|
- Allow xdm_t to transition to xauth_t for lxdm program |
|
|
|
* Sun Sep 26 2010 Dan Walsh <dwalsh@redhat.com> 3.9.5-6 |
|
- Rearrange firewallgui policy to be more easily updated to upstream, dontaudit search of /home |
|
- Allow clamd to send signals to itself |
|
- Allow mozilla_plugin_t to read user home content. And unlink pulseaudio shm. |
|
- Allow haze to connect to yahoo chat and messenger port tcp:5050. |
|
Bz #637339 |
|
- Allow guest to run ps command on its processes by allowing it to read /proc |
|
- Allow firewallgui to sys_rawio which seems to be required to setup masqerading |
|
- Allow all domains to search through default_t directories, in order to find differnet labels. For example people serring up /foo/bar to be share via samba. |
|
- Add label for /var/log/slim.log |
|
|
|
* Fri Sep 24 2010 Dan Walsh <dwalsh@redhat.com> 3.9.5-5 |
|
- Pull in cleanups from dgrift |
|
- Allow mozilla_plugin_t to execute mozilla_home_t |
|
- Allow rpc.quota to do quotamod |
|
|
|
* Thu Sep 23 2010 Dan Walsh <dwalsh@redhat.com> 3.9.5-4 |
|
- Cleanup policy via dgrift |
|
- Allow dovecot_deliver to append to inherited log files |
|
- Lots of fixes for consolehelper |
|
|
|
* Wed Sep 22 2010 Dan Walsh <dwalsh@redhat.com> 3.9.5-3 |
|
- Fix up Xguest policy |
|
|
|
* Thu Sep 16 2010 Dan Walsh <dwalsh@redhat.com> 3.9.5-2 |
|
- Add vnstat policy |
|
- allow libvirt to send audit messages |
|
- Allow chrome-sandbox to search nfs_t |
|
|
|
* Thu Sep 16 2010 Dan Walsh <dwalsh@redhat.com> 3.9.5-1 |
|
- Update to upstream |
|
|
|
* Wed Sep 15 2010 Dan Walsh <dwalsh@redhat.com> 3.9.4-3 |
|
- Add the ability to send audit messages to confined admin policies |
|
- Remove permissive domain from cmirrord and dontaudit sys_tty_config |
|
- Split out unconfined_domain() calls from other unconfined_ calls so we can d |
|
- virt needs to be able to read processes to clearance for MLS |
|
|
|
* Tue Sep 14 2010 Dan Walsh <dwalsh@redhat.com> 3.9.4-2 |
|
- Allow all domains that can use cgroups to search tmpfs_t directory |
|
- Allow init to send audit messages |
|
|
|
* Thu Sep 9 2010 Dan Walsh <dwalsh@redhat.com> 3.9.4-1 |
|
- Update to upstream |
|
|
|
* Thu Sep 9 2010 Dan Walsh <dwalsh@redhat.com> 3.9.3-4 |
|
- Allow mdadm_t to create files and sock files in /dev/md/ |
|
|
|
* Thu Sep 9 2010 Dan Walsh <dwalsh@redhat.com> 3.9.3-3 |
|
- Add policy for ajaxterm |
|
|
|
* Wed Sep 8 2010 Dan Walsh <dwalsh@redhat.com> 3.9.3-2 |
|
- Handle /var/db/sudo |
|
- Allow pulseaudio to read alsa config |
|
- Allow init to send initrc_t dbus messages |
|
|
|
* Tue Sep 7 2010 Dan Walsh <dwalsh@redhat.com> 3.9.3-1 |
|
Allow iptables to read shorewall tmp files |
|
Change chfn and passwd to use auth_use_pam so they can send dbus messages to fpr |
|
intd |
|
label vlc as an execmem_exec_t |
|
Lots of fixes for mozilla_plugin to run google vidio chat |
|
Allow telepath_msn to execute ldconfig and its own tmp files |
|
Fix labels on hugepages |
|
Allow mdadm to read files on /dev |
|
Remove permissive domains and change back to unconfined |
|
Allow freshclam to execute shell and bin_t |
|
Allow devicekit_power to transition to dhcpc |
|
Add boolean to allow icecast to connect to any port |
|
|
|
* Tue Aug 31 2010 Dan Walsh <dwalsh@redhat.com> 3.9.2-1 |
|
- Merge upstream fix of mmap_zero |
|
- Allow mount to write files in debugfs_t |
|
- Allow corosync to communicate with clvmd via tmpfs |
|
- Allow certmaster to read usr_t files |
|
- Allow dbus system services to search cgroup_t |
|
- Define rlogind_t as a login pgm |
|
|
|
* Tue Aug 31 2010 Dan Walsh <dwalsh@redhat.com> 3.9.1-3 |
|
- Allow mdadm_t to read/write hugetlbfs |
|
|
|
* Tue Aug 31 2010 Dan Walsh <dwalsh@redhat.com> 3.9.1-2 |
|
- Dominic Grift Cleanup |
|
- Miroslav Grepl policy for jabberd |
|
- Various fixes for mount/livecd and prelink |
|
|
|
* Mon Aug 30 2010 Dan Walsh <dwalsh@redhat.com> 3.9.1-1 |
|
- Merge with upstream |
|
|
|
* Thu Aug 26 2010 Dan Walsh <dwalsh@redhat.com> 3.9.0-2 |
|
- More access needed for devicekit |
|
- Add dbadm policy |
|
|
|
* Thu Aug 26 2010 Dan Walsh <dwalsh@redhat.com> 3.9.0-1 |
|
- Merge with upstream |
|
|
|
* Tue Aug 24 2010 Dan Walsh <dwalsh@redhat.com> 3.8.8-21 |
|
- Allow seunshare to fowner |
|
|
|
* Tue Aug 24 2010 Dan Walsh <dwalsh@redhat.com> 3.8.8-20 |
|
- Allow cron to look at user_cron_spool links |
|
- Lots of fixes for mozilla_plugin_t |
|
- Add sysv file system |
|
- Turn unconfined domains to permissive to find additional avcs |
|
|
|
* Mon Aug 23 2010 Dan Walsh <dwalsh@redhat.com> 3.8.8-19 |
|
- Update policy for mozilla_plugin_t |
|
|
|
* Mon Aug 23 2010 Dan Walsh <dwalsh@redhat.com> 3.8.8-18 |
|
- Allow clamscan to read proc_t |
|
- Allow mount_t to write to debufs_t dir |
|
- Dontaudit mount_t trying to write to security_t dir |
|
|
|
* Thu Aug 19 2010 Dan Walsh <dwalsh@redhat.com> 3.8.8-17 |
|
- Allow clamscan_t execmem if clamd_use_jit set |
|
- Add policy for firefox plugin-container |
|
|
|
* Wed Aug 18 2010 Dan Walsh <dwalsh@redhat.com> 3.8.8-16 |
|
- Fix /root/.forward definition |
|
|
|
* Tue Aug 17 2010 Dan Walsh <dwalsh@redhat.com> 3.8.8-15 |
|
- label dead.letter as mail_home_t |
|
|
|
* Fri Aug 13 2010 Dan Walsh <dwalsh@redhat.com> 3.8.8-14 |
|
- Allow login programs to search /cgroups |
|
|
|
* Thu Aug 12 2010 Dan Walsh <dwalsh@redhat.com> 3.8.8-13 |
|
- Fix cert handling |
|
|
|
* Tue Aug 10 2010 Dan Walsh <dwalsh@redhat.com> 3.8.8-12 |
|
- Fix devicekit_power bug |
|
- Allow policykit_auth_t more access. |
|
|
|
* Thu Aug 5 2010 Dan Walsh <dwalsh@redhat.com> 3.8.8-11 |
|
- Fix nis calls to allow bind to ports 512-1024 |
|
- Fix smartmon |
|
|
|
* Wed Aug 4 2010 Dan Walsh <dwalsh@redhat.com> 3.8.8-10 |
|
- Allow pcscd to read sysfs |
|
- systemd fixes |
|
- Fix wine_mmap_zero_ignore boolean |
|
|
|
* Tue Aug 3 2010 Dan Walsh <dwalsh@redhat.com> 3.8.8-9 |
|
- Apply Miroslav munin patch |
|
- Turn back on allow_execmem and allow_execmod booleans |
|
|
|
* Tue Jul 27 2010 Dan Walsh <dwalsh@redhat.com> 3.8.8-8 |
|
- Merge in fixes from dgrift repository |
|
|
|
* Tue Jul 27 2010 Dan Walsh <dwalsh@redhat.com> 3.8.8-7 |
|
- Update boinc policy |
|
- Fix sysstat policy to allow sys_admin |
|
- Change failsafe_context to unconfined_r:unconfined_t:s0 |
|
|
|
* Mon Jul 26 2010 Dan Walsh <dwalsh@redhat.com> 3.8.8-6 |
|
- New paths for upstart |
|
|
|
* Mon Jul 26 2010 Dan Walsh <dwalsh@redhat.com> 3.8.8-5 |
|
- New permissions for syslog |
|
- New labels for /lib/upstart |
|
|
|
* Fri Jul 23 2010 Dan Walsh <dwalsh@redhat.com> 3.8.8-4 |
|
- Add mojomojo policy |
|
|
|
* Thu Jul 22 2010 Dan Walsh <dwalsh@redhat.com> 3.8.8-3 |
|
- Allow systemd to setsockcon on sockets to immitate other services |
|
|
|
* Wed Jul 21 2010 Dan Walsh <dwalsh@redhat.com> 3.8.8-2 |
|
- Remove debugfs label |
|
|
|
* Tue Jul 20 2010 Dan Walsh <dwalsh@redhat.com> 3.8.8-1 |
|
- Update to latest policy |
|
|
|
* Wed Jul 14 2010 Dan Walsh <dwalsh@redhat.com> 3.8.7-3 |
|
- Fix eclipse labeling from IBMSupportAssasstant packageing |
|
|
|
* Wed Jul 14 2010 Dan Walsh <dwalsh@redhat.com> 3.8.7-2 |
|
- Make boot with systemd in enforcing mode |
|
|
|
* Wed Jul 14 2010 Dan Walsh <dwalsh@redhat.com> 3.8.7-1 |
|
- Update to upstream |
|
|
|
* Mon Jul 12 2010 Dan Walsh <dwalsh@redhat.com> 3.8.6-3 |
|
- Add boolean to turn off port forwarding in sshd. |
|
|
|
* Fri Jul 9 2010 Miroslav Grepl <mgrepl@redhat.com> 3.8.6-2 |
|
- Add support for ebtables |
|
- Fixes for rhcs and corosync policy |
|
|
|
* Tue Jun 22 2010 Dan Walsh <dwalsh@redhat.com> 3.8.6-1 |
|
-Update to upstream |
|
|
|
* Mon Jun 21 2010 Dan Walsh <dwalsh@redhat.com> 3.8.5-1 |
|
-Update to upstream |
|
|
|
* Thu Jun 17 2010 Dan Walsh <dwalsh@redhat.com> 3.8.4-1 |
|
-Update to upstream |
|
|
|
* Wed Jun 16 2010 Dan Walsh <dwalsh@redhat.com> 3.8.3-4 |
|
- Add Zarafa policy |
|
|
|
* Wed Jun 9 2010 Dan Walsh <dwalsh@redhat.com> 3.8.3-3 |
|
- Cleanup of aiccu policy |
|
- initial mock policy |
|
|
|
* Wed Jun 9 2010 Dan Walsh <dwalsh@redhat.com> 3.8.3-2 |
|
- Lots of random fixes |
|
|
|
* Tue Jun 8 2010 Dan Walsh <dwalsh@redhat.com> 3.8.3-1 |
|
- Update to upstream |
|
|
|
* Fri Jun 4 2010 Dan Walsh <dwalsh@redhat.com> 3.8.2-1 |
|
- Update to upstream |
|
- Allow prelink script to signal itself |
|
- Cobbler fixes |
|
|
|
* Wed Jun 2 2010 Dan Walsh <dwalsh@redhat.com> 3.8.1-5 |
|
- Add xdm_var_run_t to xserver_stream_connect_xdm |
|
- Add cmorrord and mpd policy from Miroslav Grepl |
|
|
|
* Tue Jun 1 2010 Dan Walsh <dwalsh@redhat.com> 3.8.1-4 |
|
- Fix sshd creation of krb cc files for users to be user_tmp_t |
|
|
|
* Thu May 27 2010 Dan Walsh <dwalsh@redhat.com> 3.8.1-3 |
|
- Fixes for accountsdialog |
|
- Fixes for boinc |
|
|
|
* Thu May 27 2010 Dan Walsh <dwalsh@redhat.com> 3.8.1-2 |
|
- Fix label on /var/lib/dokwiki |
|
- Change permissive domains to enforcing |
|
- Fix libvirt policy to allow it to run on mls |
|
|
|
* Tue May 25 2010 Dan Walsh <dwalsh@redhat.com> 3.8.1-1 |
|
- Update to upstream |
|
|
|
* Tue May 25 2010 Dan Walsh <dwalsh@redhat.com> 3.7.19-22 |
|
- Allow procmail to execute scripts in the users home dir that are labeled home_bin_t |
|
- Fix /var/run/abrtd.lock label |
|
|
|
* Mon May 24 2010 Dan Walsh <dwalsh@redhat.com> 3.7.19-21 |
|
- Allow login programs to read krb5_home_t |
|
Resolves: 594833 |
|
- Add obsoletes for cachefilesfd-selinux package |
|
Resolves: #575084 |
|
|
|
* Thu May 20 2010 Dan Walsh <dwalsh@redhat.com> 3.7.19-20 |
|
- Allow mount to r/w abrt fifo file |
|
- Allow svirt_t to getattr on hugetlbfs |
|
- Allow abrt to create a directory under /var/spool |
|
|
|
* Wed May 19 2010 Dan Walsh <dwalsh@redhat.com> 3.7.19-19 |
|
- Add labels for /sys |
|
- Allow sshd to getattr on shutdown |
|
- Fixes for munin |
|
- Allow sssd to use the kernel key ring |
|
- Allow tor to send syslog messages |
|
- Allow iptabels to read usr files |
|
- allow policykit to read all domains state |
|
|
|
* Thu May 13 2010 Dan Walsh <dwalsh@redhat.com> 3.7.19-17 |
|
- Fix path for /var/spool/abrt |
|
- Allow nfs_t as an entrypoint for http_sys_script_t |
|
- Add policy for piranha |
|
- Lots of fixes for sosreport |
|
|
|
* Wed May 12 2010 Dan Walsh <dwalsh@redhat.com> 3.7.19-16 |
|
- Allow xm_t to read network state and get and set capabilities |
|
- Allow policykit to getattr all processes |
|
- Allow denyhosts to connect to tcp port 9911 |
|
- Allow pyranha to use raw ip sockets and ptrace itself |
|
- Allow unconfined_execmem_t and gconfsd mechanism to dbus |
|
- Allow staff to kill ping process |
|
- Add additional MLS rules |
|
|
|
* Mon May 10 2010 Dan Walsh <dwalsh@redhat.com> 3.7.19-15 |
|
- Allow gdm to edit ~/.gconf dir |
|
Resolves: #590677 |
|
- Allow dovecot to create directories in /var/lib/dovecot |
|
Partially resolves 590224 |
|
- Allow avahi to dbus chat with NetworkManager |
|
- Fix cobbler labels |
|
- Dontaudit iceauth_t leaks |
|
- fix /var/lib/lxdm file context |
|
- Allow aiccu to use tun tap devices |
|
- Dontaudit shutdown using xserver.log |
|
|
|
* Fri May 7 2010 Dan Walsh <dwalsh@redhat.com> 3.7.19-14 |
|
- Fixes for sandbox_x_net_t to match access for sandbox_web_t ++ |
|
- Add xdm_etc_t for /etc/gdm directory, allow accountsd to manage this directory |
|
- Add dontaudit interface for bluetooth dbus |
|
- Add chronyd_read_keys, append_keys for initrc_t |
|
- Add log support for ksmtuned |
|
Resolves: #586663 |
|
|
|
* Thu May 6 2010 Dan Walsh <dwalsh@redhat.com> 3.7.19-13 |
|
- Allow boinc to send mail |
|
|
|
* Wed May 5 2010 Dan Walsh <dwalsh@redhat.com> 3.7.19-12 |
|
- Allow initrc_t to remove dhcpc_state_t |
|
- Fix label on sa-update.cron |
|
- Allow dhcpc to restart chrony initrc |
|
- Don't allow sandbox to send signals to its parent processes |
|
- Fix transition from unconfined_t -> unconfined_mount_t -> rpcd_t |
|
Resolves: #589136 |
|
|
|
* Mon May 3 2010 Dan Walsh <dwalsh@redhat.com> 3.7.19-11 |
|
- Fix location of oddjob_mkhomedir |
|
Resolves: #587385 |
|
- fix labeling on /root/.shosts and ~/.shosts |
|
- Allow ipsec_mgmt_t to manage net_conf_t |
|
Resolves: #586760 |
|
|
|
* Fri Apr 30 2010 Dan Walsh <dwalsh@redhat.com> 3.7.19-10 |
|
- Dontaudit sandbox trying to connect to netlink sockets |
|
Resolves: #587609 |
|
- Add policy for piranha |
|
|
|
* Thu Apr 29 2010 Dan Walsh <dwalsh@redhat.com> 3.7.19-9 |
|
- Fixups for xguest policy |
|
- Fixes for running sandbox firefox |
|
|
|
* Wed Apr 28 2010 Dan Walsh <dwalsh@redhat.com> 3.7.19-8 |
|
- Allow ksmtuned to use terminals |
|
Resolves: #586663 |
|
- Allow lircd to write to generic usb devices |
|
|
|
* Tue Apr 27 2010 Dan Walsh <dwalsh@redhat.com> 3.7.19-7 |
|
- Allow sandbox_xserver to connectto unconfined stream |
|
Resolves: #585171 |
|
|
|
* Mon Apr 26 2010 Dan Walsh <dwalsh@redhat.com> 3.7.19-6 |
|
- Allow initrc_t to read slapd_db_t |
|
Resolves: #585476 |
|
- Allow ipsec_mgmt to use unallocated devpts and to create /etc/resolv.conf |
|
Resolves: #585963 |
|
|
|
* Thu Apr 22 2010 Dan Walsh <dwalsh@redhat.com> 3.7.19-5 |
|
- Allow rlogind_t to search /root for .rhosts |
|
Resolves: #582760 |
|
- Fix path for cached_var_t |
|
- Fix prelink paths /var/lib/prelink |
|
- Allow confined users to direct_dri |
|
- Allow mls lvm/cryptosetup to work |
|
|
|
* Wed Apr 21 2010 Dan Walsh <dwalsh@redhat.com> 3.7.19-4 |
|
- Allow virtd_t to manage firewall/iptables config |
|
Resolves: #573585 |
|
|
|
* Tue Apr 20 2010 Dan Walsh <dwalsh@redhat.com> 3.7.19-3 |
|
- Fix label on /root/.rhosts |
|
Resolves: #582760 |
|
- Add labels for Picasa |
|
- Allow openvpn to read home certs |
|
- Allow plymouthd_t to use tty_device_t |
|
- Run ncftool as iptables_t |
|
- Allow mount to unmount unlabeled_t |
|
- Dontaudit hal leaks |
|
|
|
* Wed Apr 14 2010 Dan Walsh <dwalsh@redhat.com> 3.7.19-2 |
|
- Allow livecd to transition to mount |
|
|
|
* Tue Apr 13 2010 Dan Walsh <dwalsh@redhat.com> 3.7.19-1 |
|
- Update to upstream |
|
- Allow abrt to delete sosreport |
|
Resolves: #579998 |
|
- Allow snmp to setuid and gid |
|
Resolves: #582155 |
|
- Allow smartd to use generic scsi devices |
|
Resolves: #582145 |
|
|
|
* Tue Apr 13 2010 Dan Walsh <dwalsh@redhat.com> 3.7.18-3 |
|
- Allow ipsec_t to create /etc/resolv.conf with the correct label |
|
- Fix reserved port destination |
|
- Allow autofs to transition to showmount |
|
- Stop crashing tuned |
|
|
|
* Mon Apr 12 2010 Dan Walsh <dwalsh@redhat.com> 3.7.18-2 |
|
- Add telepathysofiasip policy |
|
|
|
* Mon Apr 5 2010 Dan Walsh <dwalsh@redhat.com> 3.7.18-1 |
|
- Update to upstream |
|
- Fix label for /opt/google/chrome/chrome-sandbox |
|
- Allow modemmanager to dbus with policykit |
|
|
|
* Mon Apr 5 2010 Dan Walsh <dwalsh@redhat.com> 3.7.17-6 |
|
- Fix allow_httpd_mod_auth_pam to use auth_use_pam(httpd_t) |
|
- Allow accountsd to read shadow file |
|
- Allow apache to send audit messages when using pam |
|
- Allow asterisk to bind and connect to sip tcp ports |
|
- Fixes for dovecot 2.0 |
|
- Allow initrc_t to setattr on milter directories |
|
- Add procmail_home_t for .procmailrc file |
|
|
|
|
|
* Thu Apr 1 2010 Dan Walsh <dwalsh@redhat.com> 3.7.17-5 |
|
- Fixes for labels during install from livecd |
|
|
|
* Thu Apr 1 2010 Dan Walsh <dwalsh@redhat.com> 3.7.17-4 |
|
- Fix /cgroup file context |
|
- Fix broken afs use of unlabled_t |
|
- Allow getty to use the console for s390 |
|
|
|
* Wed Mar 31 2010 Dan Walsh <dwalsh@redhat.com> 3.7.17-3 |
|
- Fix cgroup handling adding policy for /cgroup |
|
- Allow confined users to write to generic usb devices, if user_rw_noexattrfile boolean set |
|
|
|
* Tue Mar 30 2010 Dan Walsh <dwalsh@redhat.com> 3.7.17-2 |
|
- Merge patches from dgrift |
|
|
|
* Mon Mar 29 2010 Dan Walsh <dwalsh@redhat.com> 3.7.17-1 |
|
- Update upstream |
|
- Allow abrt to write to the /proc under any process |
|
|
|
* Fri Mar 26 2010 Dan Walsh <dwalsh@redhat.com> 3.7.16-2 |
|
- Fix ~/.fontconfig label |
|
- Add /root/.cert label |
|
- Allow reading of the fixed_file_disk_t:lnk_file if you can read file |
|
- Allow qemu_exec_t as an entrypoint to svirt_t |
|
|
|
* Tue Mar 23 2010 Dan Walsh <dwalsh@redhat.com> 3.7.16-1 |
|
- Update to upstream |
|
- Allow tmpreaper to delete sandbox sock files |
|
- Allow chrome-sandbox_t to use /dev/zero, and dontaudit getattr file systems |
|
- Fixes for gitosis |
|
- No transition on livecd to passwd or chfn |
|
- Fixes for denyhosts |
|
|
|
* Tue Mar 23 2010 Dan Walsh <dwalsh@redhat.com> 3.7.15-4 |
|
- Add label for /var/lib/upower |
|
- Allow logrotate to run sssd |
|
- dontaudit readahead on tmpfs blk files |
|
- Allow tmpreaper to setattr on sandbox files |
|
- Allow confined users to execute dos files |
|
- Allow sysadm_t to kill processes running within its clearance |
|
- Add accountsd policy |
|
- Fixes for corosync policy |
|
- Fixes from crontab policy |
|
- Allow svirt to manage svirt_image_t chr files |
|
- Fixes for qdisk policy |
|
- Fixes for sssd policy |
|
- Fixes for newrole policy |
|
|
|
* Thu Mar 18 2010 Dan Walsh <dwalsh@redhat.com> 3.7.15-3 |
|
- make libvirt work on an MLS platform |
|
|
|
* Thu Mar 18 2010 Dan Walsh <dwalsh@redhat.com> 3.7.15-2 |
|
- Add qpidd policy |
|
|
|
* Thu Mar 18 2010 Dan Walsh <dwalsh@redhat.com> 3.7.15-1 |
|
- Update to upstream |
|
|
|
* Tue Mar 16 2010 Dan Walsh <dwalsh@redhat.com> 3.7.14-5 |
|
- Allow boinc to read kernel sysctl |
|
- Fix snmp port definitions |
|
- Allow apache to read anon_inodefs |
|
|
|
* Sun Mar 14 2010 Dan Walsh <dwalsh@redhat.com> 3.7.14-4 |
|
- Allow shutdown dac_override |
|
|
|
* Sat Mar 13 2010 Dan Walsh <dwalsh@redhat.com> 3.7.14-3 |
|
- Add device_t as a file system |
|
- Fix sysfs association |
|
|
|
* Fri Mar 12 2010 Dan Walsh <dwalsh@redhat.com> 3.7.14-2 |
|
- Dontaudit ipsec_mgmt sys_ptrace |
|
- Allow at to mail its spool files |
|
- Allow nsplugin to search in .pulse directory |
|
|
|
* Fri Mar 12 2010 Dan Walsh <dwalsh@redhat.com> 3.7.14-1 |
|
- Update to upstream |
|
|
|
* Fri Mar 12 2010 Dan Walsh <dwalsh@redhat.com> 3.7.13-4 |
|
- Allow users to dbus chat with xdm |
|
- Allow users to r/w wireless_device_t |
|
- Dontaudit reading of process states by ipsec_mgmt |
|
|
|
* Thu Mar 11 2010 Dan Walsh <dwalsh@redhat.com> 3.7.13-3 |
|
- Fix openoffice from unconfined_t |
|
|
|
* Wed Mar 10 2010 Dan Walsh <dwalsh@redhat.com> 3.7.13-2 |
|
- Add shutdown policy so consolekit can shutdown system |
|
|
|
* Tue Mar 9 2010 Dan Walsh <dwalsh@redhat.com> 3.7.13-1 |
|
- Update to upstream |
|
|
|
* Thu Mar 4 2010 Dan Walsh <dwalsh@redhat.com> 3.7.12-1 |
|
- Update to upstream |
|
|
|
* Thu Mar 4 2010 Dan Walsh <dwalsh@redhat.com> 3.7.11-1 |
|
- Update to upstream - These are merges of my patches |
|
- Remove 389 labeling conflicts |
|
- Add MLS fixes found in RHEL6 testing |
|
- Allow pulseaudio to run as a service |
|
- Add label for mssql and allow apache to connect to this database port if boolean set |
|
- Dontaudit searches of debugfs mount point |
|
- Allow policykit_auth to send signals to itself |
|
- Allow modcluster to call getpwnam |
|
- Allow swat to signal winbind |
|
- Allow usbmux to run as a system role |
|
- Allow svirt to create and use devpts |
|
|
|
* Mon Mar 1 2010 Dan Walsh <dwalsh@redhat.com> 3.7.10-5 |
|
- Add MLS fixes found in RHEL6 testing |
|
- Allow domains to append to rpm_tmp_t |
|
- Add cachefilesfd policy |
|
- Dontaudit leaks when transitioning |
|
|
|
* Wed Feb 24 2010 Dan Walsh <dwalsh@redhat.com> 3.7.10-4 |
|
- Change allow_execstack and allow_execmem booleans to on |
|
- dontaudit acct using console |
|
- Add label for fping |
|
- Allow tmpreaper to delete sandbox_file_t |
|
- Fix wine dontaudit mmap_zero |
|
- Allow abrt to read var_t symlinks |
|
|
|
* Tue Feb 23 2010 Dan Walsh <dwalsh@redhat.com> 3.7.10-3 |
|
- Additional policy for rgmanager |
|
|
|
* Mon Feb 22 2010 Dan Walsh <dwalsh@redhat.com> 3.7.10-2 |
|
- Allow sshd to setattr on pseudo terms |
|
|
|
* Mon Feb 22 2010 Dan Walsh <dwalsh@redhat.com> 3.7.10-1 |
|
- Update to upstream |
|
|
|
* Thu Feb 18 2010 Dan Walsh <dwalsh@redhat.com> 3.7.9-4 |
|
- Allow policykit to send itself signals |
|
|
|
* Wed Feb 17 2010 Dan Walsh <dwalsh@redhat.com> 3.7.9-3 |
|
- Fix duplicate cobbler definition |
|
|
|
* Wed Feb 17 2010 Dan Walsh <dwalsh@redhat.com> 3.7.9-2 |
|
- Fix file context of /var/lib/avahi-autoipd |
|
|
|
* Fri Feb 12 2010 Dan Walsh <dwalsh@redhat.com> 3.7.9-1 |
|
- Merge with upstream |
|
|
|
* Thu Feb 11 2010 Dan Walsh <dwalsh@redhat.com> 3.7.8-11 |
|
- Allow sandbox to work with MLS |
|
|
|
* Tue Feb 9 2010 Dan Walsh <dwalsh@redhat.com> 3.7.8-9 |
|
- Make Chrome work with staff user |
|
|
|
* Thu Feb 4 2010 Dan Walsh <dwalsh@redhat.com> 3.7.8-8 |
|
- Add icecast policy |
|
- Cleanup spec file |
|
|
|
* Wed Feb 3 2010 Dan Walsh <dwalsh@redhat.com> 3.7.8-7 |
|
- Add mcelog policy |
|
|
|
* Mon Feb 1 2010 Dan Walsh <dwalsh@redhat.com> 3.7.8-6 |
|
- Lots of fixes found in F12 |
|
|
|
* Thu Jan 28 2010 Dan Walsh <dwalsh@redhat.com> 3.7.8-5 |
|
- Fix rpm_dontaudit_leaks |
|
|
|
* Wed Jan 27 2010 Dan Walsh <dwalsh@redhat.com> 3.7.8-4 |
|
- Add getsched to hald_t |
|
- Add file context for Fedora/Redhat Directory Server |
|
|
|
* Mon Jan 25 2010 Dan Walsh <dwalsh@redhat.com> 3.7.8-3 |
|
- Allow abrt_helper to getattr on all filesystems |
|
- Add label for /opt/real/RealPlayer/plugins/oggfformat\.so |
|
|
|
* Thu Jan 21 2010 Dan Walsh <dwalsh@redhat.com> 3.7.8-2 |
|
- Add gstreamer_home_t for ~/.gstreamer |
|
|
|
* Mon Jan 18 2010 Dan Walsh <dwalsh@redhat.com> 3.7.8-1 |
|
- Update to upstream |
|
|
|
* Fri Jan 15 2010 Dan Walsh <dwalsh@redhat.com> 3.7.7-3 |
|
- Fix git |
|
|
|
* Thu Jan 7 2010 Dan Walsh <dwalsh@redhat.com> 3.7.7-2 |
|
- Turn on puppet policy |
|
- Update to dgrift git policy |
|
|
|
* Thu Jan 7 2010 Dan Walsh <dwalsh@redhat.com> 3.7.7-1 |
|
- Move users file to selection by spec file. |
|
- Allow vncserver to run as unconfined_u:unconfined_r:unconfined_t |
|
|
|
* Thu Jan 7 2010 Dan Walsh <dwalsh@redhat.com> 3.7.6-1 |
|
- Update to upstream |
|
|
|
* Wed Jan 6 2010 Dan Walsh <dwalsh@redhat.com> 3.7.5-8 |
|
- Remove most of the permissive domains from F12. |
|
|
|
* Tue Jan 5 2010 Dan Walsh <dwalsh@redhat.com> 3.7.5-7 |
|
- Add cobbler policy from dgrift |
|
|
|
* Mon Jan 4 2010 Dan Walsh <dwalsh@redhat.com> 3.7.5-6 |
|
- add usbmon device |
|
- Add allow rulse for devicekit_disk |
|
|
|
* Wed Dec 30 2009 Dan Walsh <dwalsh@redhat.com> 3.7.5-5 |
|
- Lots of fixes found in F12, fixes from Tom London |
|
|
|
* Wed Dec 23 2009 Dan Walsh <dwalsh@redhat.com> 3.7.5-4 |
|
- Cleanups from dgrift |
|
|
|
* Tue Dec 22 2009 Dan Walsh <dwalsh@redhat.com> 3.7.5-3 |
|
- Add back xserver_manage_home_fonts |
|
|
|
* Mon Dec 21 2009 Dan Walsh <dwalsh@redhat.com> 3.7.5-2 |
|
- Dontaudit sandbox trying to read nscd and sssd |
|
|
|
* Fri Dec 18 2009 Dan Walsh <dwalsh@redhat.com> 3.7.5-1 |
|
- Update to upstream |
|
|
|
* Thu Dec 17 2009 Dan Walsh <dwalsh@redhat.com> 3.7.4-4 |
|
- Rename udisks-daemon back to devicekit_disk_t policy |
|
|
|
* Wed Dec 16 2009 Dan Walsh <dwalsh@redhat.com> 3.7.4-3 |
|
- Fixes for abrt calls |
|
|
|
* Fri Dec 11 2009 Dan Walsh <dwalsh@redhat.com> 3.7.4-2 |
|
- Add tgtd policy |
|
|
|
* Fri Dec 4 2009 Dan Walsh <dwalsh@redhat.com> 3.7.4-1 |
|
- Update to upstream release |
|
|
|
* Mon Nov 16 2009 Dan Walsh <dwalsh@redhat.com> 3.7.3-1 |
|
- Add asterisk policy back in |
|
- Update to upstream release 2.20091117 |
|
|
|
* Mon Nov 16 2009 Dan Walsh <dwalsh@redhat.com> 3.7.1-1 |
|
- Update to upstream release 2.20091117 |
|
|
|
* Mon Nov 16 2009 Dan Walsh <dwalsh@redhat.com> 3.6.33-2 |
|
- Fixup nut policy |
|
|
|
* Thu Nov 12 2009 Dan Walsh <dwalsh@redhat.com> 3.6.33-1 |
|
- Update to upstream |
|
|
|
* Thu Oct 1 2009 Dan Walsh <dwalsh@redhat.com> 3.6.32-17 |
|
- Allow vpnc request the kernel to load modules |
|
|
|
* Wed Sep 30 2009 Dan Walsh <dwalsh@redhat.com> 3.6.32-16 |
|
- Fix minimum policy installs |
|
- Allow udev and rpcbind to request the kernel to load modules |
|
|
|
* Wed Sep 30 2009 Dan Walsh <dwalsh@redhat.com> 3.6.32-15 |
|
- Add plymouth policy |
|
- Allow local_login to sys_admin |
|
|
|
* Tue Sep 29 2009 Dan Walsh <dwalsh@redhat.com> 3.6.32-13 |
|
- Allow cupsd_config to read user tmp |
|
- Allow snmpd_t to signal itself |
|
- Allow sysstat_t to makedir in sysstat_log_t |
|
|
|
* Fri Sep 25 2009 Dan Walsh <dwalsh@redhat.com> 3.6.32-12 |
|
- Update rhcs policy |
|
|
|
* Thu Sep 24 2009 Dan Walsh <dwalsh@redhat.com> 3.6.32-11 |
|
- Allow users to exec restorecond |
|
|
|
* Tue Sep 22 2009 Dan Walsh <dwalsh@redhat.com> 3.6.32-10 |
|
- Allow sendmail to request kernel modules load |
|
|
|
* Mon Sep 21 2009 Dan Walsh <dwalsh@redhat.com> 3.6.32-9 |
|
- Fix all kernel_request_load_module domains |
|
|
|
* Mon Sep 21 2009 Dan Walsh <dwalsh@redhat.com> 3.6.32-8 |
|
- Fix all kernel_request_load_module domains |
|
|
|
* Sun Sep 20 2009 Dan Walsh <dwalsh@redhat.com> 3.6.32-7 |
|
- Remove allow_exec* booleans for confined users. Only available for unconfined_t |
|
|
|
* Fri Sep 18 2009 Dan Walsh <dwalsh@redhat.com> 3.6.32-6 |
|
- More fixes for sandbox_web_t |
|
|
|
* Fri Sep 18 2009 Dan Walsh <dwalsh@redhat.com> 3.6.32-5 |
|
- Allow sshd to create .ssh directory and content |
|
|
|
* Fri Sep 18 2009 Dan Walsh <dwalsh@redhat.com> 3.6.32-4 |
|
- Fix request_module line to module_request |
|
|
|
* Fri Sep 18 2009 Dan Walsh <dwalsh@redhat.com> 3.6.32-3 |
|
- Fix sandbox policy to allow it to run under firefox. |
|
- Dont audit leaks. |
|
|
|
* Thu Sep 17 2009 Dan Walsh <dwalsh@redhat.com> 3.6.32-2 |
|
- Fixes for sandbox |
|
|
|
* Wed Sep 16 2009 Dan Walsh <dwalsh@redhat.com> 3.6.32-1 |
|
- Update to upstream |
|
- Dontaudit nsplugin search /root |
|
- Dontaudit nsplugin sys_nice |
|
|
|
* Tue Sep 15 2009 Dan Walsh <dwalsh@redhat.com> 3.6.31-5 |
|
- Fix label on /usr/bin/notepad, /usr/sbin/vboxadd-service |
|
- Remove policycoreutils-python requirement except for minimum |
|
|
|
* Mon Sep 14 2009 Dan Walsh <dwalsh@redhat.com> 3.6.31-4 |
|
- Fix devicekit_disk_t to getattr on all domains sockets and fifo_files |
|
- Conflicts seedit (You can not use selinux-policy-targeted and seedit at the same time.) |
|
|
|
|
|
* Thu Sep 10 2009 Dan Walsh <dwalsh@redhat.com> 3.6.31-3 |
|
- Add wordpress/wp-content/uploads label |
|
- Fixes for sandbox when run from staff_t |
|
|
|
* Thu Sep 10 2009 Dan Walsh <dwalsh@redhat.com> 3.6.31-2 |
|
- Update to upstream |
|
- Fixes for devicekit_disk |
|
|
|
* Tue Sep 8 2009 Dan Walsh <dwalsh@redhat.com> 3.6.30-6 |
|
- More fixes |
|
|
|
* Tue Sep 8 2009 Dan Walsh <dwalsh@redhat.com> 3.6.30-5 |
|
- Lots of fixes for initrc and other unconfined domains |
|
|
|
* Fri Sep 4 2009 Dan Walsh <dwalsh@redhat.com> 3.6.30-4 |
|
- Allow xserver to use netlink_kobject_uevent_socket |
|
|
|
* Thu Sep 3 2009 Dan Walsh <dwalsh@redhat.com> 3.6.30-3 |
|
- Fixes for sandbox |
|
|
|
* Mon Aug 31 2009 Dan Walsh <dwalsh@redhat.com> 3.6.30-2 |
|
- Dontaudit setroubleshootfix looking at /root directory |
|
|
|
* Mon Aug 31 2009 Dan Walsh <dwalsh@redhat.com> 3.6.30-1 |
|
- Update to upsteam |
|
|
|
* Mon Aug 31 2009 Dan Walsh <dwalsh@redhat.com> 3.6.29-2 |
|
- Allow gssd to send signals to users |
|
- Fix duplicate label for apache content |
|
|
|
* Fri Aug 28 2009 Dan Walsh <dwalsh@redhat.com> 3.6.29-1 |
|
- Update to upstream |
|
|
|
* Fri Aug 28 2009 Dan Walsh <dwalsh@redhat.com> 3.6.28-9 |
|
- Remove polkit_auth on upgrades |
|
|
|
* Wed Aug 26 2009 Dan Walsh <dwalsh@redhat.com> 3.6.28-8 |
|
- Add back in unconfined.pp and unconfineduser.pp |
|
- Add Sandbox unshare |
|
|
|
* Tue Aug 25 2009 Dan Walsh <dwalsh@redhat.com> 3.6.28-7 |
|
- Fixes for cdrecord, mdadm, and others |
|
|
|
* Sat Aug 22 2009 Dan Walsh <dwalsh@redhat.com> 3.6.28-6 |
|
- Add capability setting to dhcpc and gpm |
|
|
|
* Sat Aug 22 2009 Dan Walsh <dwalsh@redhat.com> 3.6.28-5 |
|
- Allow cronjobs to read exim_spool_t |
|
|
|
* Fri Aug 21 2009 Dan Walsh <dwalsh@redhat.com> 3.6.28-4 |
|
- Add ABRT policy |
|
|
|
* Thu Aug 20 2009 Dan Walsh <dwalsh@redhat.com> 3.6.28-3 |
|
- Fix system-config-services policy |
|
|
|
* Wed Aug 19 2009 Dan Walsh <dwalsh@redhat.com> 3.6.28-2 |
|
- Allow libvirt to change user componant of virt_domain |
|
|
|
* Tue Aug 18 2009 Dan Walsh <dwalsh@redhat.com> 3.6.28-1 |
|
- Allow cupsd_config_t to be started by dbus |
|
- Add smoltclient policy |
|
|
|
* Fri Aug 14 2009 Dan Walsh <dwalsh@redhat.com> 3.6.27-1 |
|
- Add policycoreutils-python to pre install |
|
|
|
* Thu Aug 13 2009 Dan Walsh <dwalsh@redhat.com> 3.6.26-11 |
|
- Make all unconfined_domains permissive so we can see what AVC's happen |
|
|
|
* Mon Aug 10 2009 Dan Walsh <dwalsh@redhat.com> 3.6.26-10 |
|
- Add pt_chown policy |
|
|
|
* Mon Aug 10 2009 Dan Walsh <dwalsh@redhat.com> 3.6.26-9 |
|
- Add kdump policy for Miroslav Grepl |
|
- Turn off execstack boolean |
|
|
|
* Fri Aug 7 2009 Bill Nottingham <notting@redhat.com> 3.6.26-8 |
|
- Turn on execstack on a temporary basis (#512845) |
|
|
|
* Thu Aug 6 2009 Dan Walsh <dwalsh@redhat.com> 3.6.26-7 |
|
- Allow nsplugin to connecto the session bus |
|
- Allow samba_net to write to coolkey data |
|
|
|
* Wed Aug 5 2009 Dan Walsh <dwalsh@redhat.com> 3.6.26-6 |
|
- Allow devicekit_disk to list inotify |
|
|
|
* Wed Aug 5 2009 Dan Walsh <dwalsh@redhat.com> 3.6.26-5 |
|
- Allow svirt images to create sock_file in svirt_var_run_t |
|
|
|
* Tue Aug 4 2009 Dan Walsh <dwalsh@redhat.com> 3.6.26-4 |
|
- Allow exim to getattr on mountpoints |
|
- Fixes for pulseaudio |
|
|
|
* Fri Jul 31 2009 Dan Walsh <dwalsh@redhat.com> 3.6.26-3 |
|
- Allow svirt_t to stream_connect to virtd_t |
|
|
|
* Fri Jul 31 2009 Dan Walsh <dwalsh@redhat.com> 3.6.26-2 |
|
- Allod hald_dccm_t to create sock_files in /tmp |
|
|
|
* Thu Jul 30 2009 Dan Walsh <dwalsh@redhat.com> 3.6.26-1 |
|
- More fixes from upstream |
|
|
|
* Tue Jul 28 2009 Dan Walsh <dwalsh@redhat.com> 3.6.25-1 |
|
- Fix polkit label |
|
- Remove hidebrokensymptoms for nss_ldap fix |
|
- Add modemmanager policy |
|
- Lots of merges from upstream |
|
- Begin removing textrel_shlib_t labels, from fixed libraries |
|
|
|
* Tue Jul 28 2009 Dan Walsh <dwalsh@redhat.com> 3.6.24-1 |
|
- Update to upstream |
|
|
|
* Mon Jul 27 2009 Dan Walsh <dwalsh@redhat.com> 3.6.23-2 |
|
- Allow certmaster to override dac permissions |
|
|
|
* Thu Jul 23 2009 Dan Walsh <dwalsh@redhat.com> 3.6.23-1 |
|
- Update to upstream |
|
|
|
* Tue Jul 21 2009 Dan Walsh <dwalsh@redhat.com> 3.6.22-3 |
|
- Fix context for VirtualBox |
|
|
|
* Tue Jul 14 2009 Dan Walsh <dwalsh@redhat.com> 3.6.22-1 |
|
- Update to upstream |
|
|
|
* Fri Jul 10 2009 Dan Walsh <dwalsh@redhat.com> 3.6.21-4 |
|
- Allow clamscan read amavis spool files |
|
|
|
* Wed Jul 8 2009 Dan Walsh <dwalsh@redhat.com> 3.6.21-3 |
|
- Fixes for xguest |
|
|
|
* Tue Jul 7 2009 Tom "spot" Callaway <tcallawa@redhat.com> 3.6.21-2 |
|
- fix multiple directory ownership of mandirs |
|
|
|
* Wed Jul 1 2009 Dan Walsh <dwalsh@redhat.com> 3.6.21-1 |
|
- Update to upstream |
|
|
|
* Tue Jun 30 2009 Dan Walsh <dwalsh@redhat.com> 3.6.20-2 |
|
- Add rules for rtkit-daemon |
|
|
|
* Thu Jun 25 2009 Dan Walsh <dwalsh@redhat.com> 3.6.20-1 |
|
- Update to upstream |
|
- Fix nlscd_stream_connect |
|
|
|
* Thu Jun 25 2009 Dan Walsh <dwalsh@redhat.com> 3.6.19-5 |
|
- Add rtkit policy |
|
|
|
* Wed Jun 24 2009 Dan Walsh <dwalsh@redhat.com> 3.6.19-4 |
|
- Allow rpcd_t to stream connect to rpcbind |
|
|
|
* Tue Jun 23 2009 Dan Walsh <dwalsh@redhat.com> 3.6.19-3 |
|
- Allow kpropd to create tmp files |
|
|
|
* Tue Jun 23 2009 Dan Walsh <dwalsh@redhat.com> 3.6.19-2 |
|
- Fix last duplicate /var/log/rpmpkgs |
|
|
|
* Mon Jun 22 2009 Dan Walsh <dwalsh@redhat.com> 3.6.19-1 |
|
- Update to upstream |
|
* add sssd |
|
|
|
* Sat Jun 20 2009 Dan Walsh <dwalsh@redhat.com> 3.6.18-1 |
|
- Update to upstream |
|
* cleanup |
|
* Fri Jun 19 2009 Dan Walsh <dwalsh@redhat.com> 3.6.17-1 |
|
- Update to upstream |
|
- Additional mail ports |
|
- Add virt_use_usb boolean for svirt |
|
|
|
* Thu Jun 18 2009 Dan Walsh <dwalsh@redhat.com> 3.6.16-4 |
|
- Fix mcs rules to include chr_file and blk_file |
|
|
|
* Tue Jun 16 2009 Dan Walsh <dwalsh@redhat.com> 3.6.16-3 |
|
- Add label for udev-acl |
|
|
|
* Mon Jun 15 2009 Dan Walsh <dwalsh@redhat.com> 3.6.16-2 |
|
- Additional rules for consolekit/udev, privoxy and various other fixes |
|
|
|
* Fri Jun 12 2009 Dan Walsh <dwalsh@redhat.com> 3.6.16-1 |
|
- New version for upstream |
|
|
|
* Thu Jun 11 2009 Dan Walsh <dwalsh@redhat.com> 3.6.14-3 |
|
- Allow NetworkManager to read inotifyfs |
|
|
|
* Wed Jun 10 2009 Dan Walsh <dwalsh@redhat.com> 3.6.14-2 |
|
- Allow setroubleshoot to run mlocate |
|
|
|
* Mon Jun 8 2009 Dan Walsh <dwalsh@redhat.com> 3.6.14-1 |
|
- Update to upstream |
|
|
|
* Tue Jun 2 2009 Dan Walsh <dwalsh@redhat.com> 3.6.13-3 |
|
- Add fish as a shell |
|
- Allow fprintd to list usbfs_t |
|
- Allow consolekit to search mountpoints |
|
- Add proper labeling for shorewall |
|
|
|
* Tue May 26 2009 Dan Walsh <dwalsh@redhat.com> 3.6.13-2 |
|
- New log file for vmware |
|
- Allow xdm to setattr on user_tmp_t |
|
|
|
* Thu May 21 2009 Dan Walsh <dwalsh@redhat.com> 3.6.13-1 |
|
- Upgrade to upstream |
|
|
|
* Wed May 20 2009 Dan Walsh <dwalsh@redhat.com> 3.6.12-39 |
|
- Allow fprintd to access sys_ptrace |
|
- Add sandbox policy |
|
|
|
* Mon May 18 2009 Dan Walsh <dwalsh@redhat.com> 3.6.12-38 |
|
- Add varnishd policy |
|
|
|
* Thu May 14 2009 Dan Walsh <dwalsh@redhat.com> 3.6.12-37 |
|
- Fixes for kpropd |
|
|
|
* Tue May 12 2009 Dan Walsh <dwalsh@redhat.com> 3.6.12-36 |
|
- Allow brctl to r/w tun_tap_device_t |
|
|
|
* Mon May 11 2009 Dan Walsh <dwalsh@redhat.com> 3.6.12-35 |
|
- Add /usr/share/selinux/packages |
|
|
|
* Mon May 11 2009 Dan Walsh <dwalsh@redhat.com> 3.6.12-34 |
|
- Allow rpcd_t to send signals to kernel threads |
|
|
|
* Fri May 8 2009 Dan Walsh <dwalsh@redhat.com> 3.6.12-33 |
|
- Fix upgrade for F10 to F11 |
|
|
|
* Thu May 7 2009 Dan Walsh <dwalsh@redhat.com> 3.6.12-31 |
|
- Add policy for /var/lib/fprint |
|
|
|
* Tue May 5 2009 Dan Walsh <dwalsh@redhat.com> 3.6.12-30 |
|
-Remove duplicate line |
|
|
|
* Tue May 5 2009 Dan Walsh <dwalsh@redhat.com> 3.6.12-29 |
|
- Allow svirt to manage pci and other sysfs device data |
|
|
|
* Mon May 4 2009 Dan Walsh <dwalsh@redhat.com> 3.6.12-28 |
|
- Fix package selection handling |
|
|
|
* Fri May 1 2009 Dan Walsh <dwalsh@redhat.com> 3.6.12-27 |
|
- Fix /sbin/ip6tables-save context |
|
- Allod udev to transition to mount |
|
- Fix loading of mls policy file |
|
|
|
* Thu Apr 30 2009 Dan Walsh <dwalsh@redhat.com> 3.6.12-26 |
|
- Add shorewall policy |
|
|
|
* Wed Apr 29 2009 Dan Walsh <dwalsh@redhat.com> 3.6.12-25 |
|
- Additional rules for fprintd and sssd |
|
|
|
* Tue Apr 28 2009 Dan Walsh <dwalsh@redhat.com> 3.6.12-24 |
|
- Allow nsplugin to unix_read unix_write sem for unconfined_java |
|
|
|
* Tue Apr 28 2009 Dan Walsh <dwalsh@redhat.com> 3.6.12-23 |
|
- Fix uml files to be owned by users |
|
|
|
* Tue Apr 28 2009 Dan Walsh <dwalsh@redhat.com> 3.6.12-22 |
|
- Fix Upgrade path to install unconfineduser.pp when unocnfined package is 3.0.0 or less |
|
|
|
* Mon Apr 27 2009 Dan Walsh <dwalsh@redhat.com> 3.6.12-21 |
|
- Allow confined users to manage virt_content_t, since this is home dir content |
|
- Allow all domains to read rpm_script_tmp_t which is what shell creates on redirection |
|
|
|
* Mon Apr 27 2009 Dan Walsh <dwalsh@redhat.com> 3.6.12-20 |
|
- Fix labeling on /var/lib/misc/prelink* |
|
- Allow xserver to rw_shm_perms with all x_clients |
|
- Allow prelink to execute files in the users home directory |
|
|
|
* Fri Apr 24 2009 Dan Walsh <dwalsh@redhat.com> 3.6.12-19 |
|
- Allow initrc_t to delete dev_null |
|
- Allow readahead to configure auditing |
|
- Fix milter policy |
|
- Add /var/lib/readahead |
|
|
|
* Fri Apr 24 2009 Dan Walsh <dwalsh@redhat.com> 3.6.12-16 |
|
- Update to latest milter code from Paul Howarth |
|
|
|
* Thu Apr 23 2009 Dan Walsh <dwalsh@redhat.com> 3.6.12-15 |
|
- Additional perms for readahead |
|
|
|
* Thu Apr 23 2009 Dan Walsh <dwalsh@redhat.com> 3.6.12-14 |
|
- Allow pulseaudio to acquire_svc on session bus |
|
- Fix readahead labeling |
|
|
|
* Thu Apr 23 2009 Dan Walsh <dwalsh@redhat.com> 3.6.12-13 |
|
- Allow sysadm_t to run rpm directly |
|
- libvirt needs fowner |
|
|
|
* Wed Apr 22 2009 Dan Walsh <dwalsh@redhat.com> 3.6.12-12 |
|
- Allow sshd to read var_lib symlinks for freenx |
|
|
|
* Tue Apr 21 2009 Dan Walsh <dwalsh@redhat.com> 3.6.12-11 |
|
- Allow nsplugin unix_read and write on users shm and sem |
|
- Allow sysadm_t to execute su |
|
|
|
* Tue Apr 21 2009 Dan Walsh <dwalsh@redhat.com> 3.6.12-10 |
|
- Dontaudit attempts to getattr user_tmpfs_t by lvm |
|
- Allow nfs to share removable media |
|
|
|
* Mon Apr 20 2009 Dan Walsh <dwalsh@redhat.com> 3.6.12-9 |
|
- Add ability to run postdrop from confined users |
|
|
|
* Sat Apr 18 2009 Dan Walsh <dwalsh@redhat.com> 3.6.12-8 |
|
- Fixes for podsleuth |
|
|
|
* Fri Apr 17 2009 Dan Walsh <dwalsh@redhat.com> 3.6.12-7 |
|
- Turn off nsplugin transition |
|
- Remove Konsole leaked file descriptors for release |
|
|
|
* Fri Apr 17 2009 Dan Walsh <dwalsh@redhat.com> 3.6.12-6 |
|
- Allow cupsd_t to create link files in print_spool_t |
|
- Fix iscsi_stream_connect typo |
|
- Fix labeling on /etc/acpi/actions |
|
- Don't reinstall unconfine and unconfineuser on upgrade if they are not installed |
|
|
|
* Tue Apr 14 2009 Dan Walsh <dwalsh@redhat.com> 3.6.12-5 |
|
- Allow audioentroy to read etc files |
|
|
|
* Mon Apr 13 2009 Dan Walsh <dwalsh@redhat.com> 3.6.12-4 |
|
- Add fail2ban_var_lib_t |
|
- Fixes for devicekit_power_t |
|
|
|
* Thu Apr 9 2009 Dan Walsh <dwalsh@redhat.com> 3.6.12-3 |
|
- Separate out the ucnonfined user from the unconfined.pp package |
|
|
|
* Wed Apr 8 2009 Dan Walsh <dwalsh@redhat.com> 3.6.12-2 |
|
- Make sure unconfined_java_t and unconfined_mono_t create user_tmpfs_t. |
|
|
|
* Tue Apr 7 2009 Dan Walsh <dwalsh@redhat.com> 3.6.12-1 |
|
- Upgrade to latest upstream |
|
- Allow devicekit_disk sys_rawio |
|
|
|
* Mon Apr 6 2009 Dan Walsh <dwalsh@redhat.com> 3.6.11-1 |
|
- Dontaudit binds to ports < 1024 for named |
|
- Upgrade to latest upstream |
|
|
|
* Fri Apr 3 2009 Dan Walsh <dwalsh@redhat.com> 3.6.10-9 |
|
- Allow podsleuth to use tmpfs files |
|
|
|
* Fri Apr 3 2009 Dan Walsh <dwalsh@redhat.com> 3.6.10-8 |
|
- Add customizable_types for svirt |
|
|
|
* Fri Apr 3 2009 Dan Walsh <dwalsh@redhat.com> 3.6.10-7 |
|
- Allow setroubelshoot exec* privs to prevent crash from bad libraries |
|
- add cpufreqselector |
|
|
|
* Thu Apr 2 2009 Dan Walsh <dwalsh@redhat.com> 3.6.10-6 |
|
- Dontaudit listing of /root directory for cron system jobs |
|
|
|
* Mon Mar 30 2009 Dan Walsh <dwalsh@redhat.com> 3.6.10-5 |
|
- Fix missing ld.so.cache label |
|
|
|
* Fri Mar 27 2009 Dan Walsh <dwalsh@redhat.com> 3.6.10-4 |
|
- Add label for ~/.forward and /root/.forward |
|
|
|
* Thu Mar 26 2009 Dan Walsh <dwalsh@redhat.com> 3.6.10-3 |
|
- Fixes for svirt |
|
|
|
* Thu Mar 19 2009 Dan Walsh <dwalsh@redhat.com> 3.6.10-2 |
|
- Fixes to allow svirt read iso files in homedir |
|
|
|
* Thu Mar 19 2009 Dan Walsh <dwalsh@redhat.com> 3.6.10-1 |
|
- Add xenner and wine fixes from mgrepl |
|
|
|
* Wed Mar 18 2009 Dan Walsh <dwalsh@redhat.com> 3.6.9-4 |
|
- Allow mdadm to read/write mls override |
|
|
|
* Tue Mar 17 2009 Dan Walsh <dwalsh@redhat.com> 3.6.9-3 |
|
- Change to svirt to only access svirt_image_t |
|
|
|
* Thu Mar 12 2009 Dan Walsh <dwalsh@redhat.com> 3.6.9-2 |
|
- Fix libvirt policy |
|
|
|
* Thu Mar 12 2009 Dan Walsh <dwalsh@redhat.com> 3.6.9-1 |
|
- Upgrade to latest upstream |
|
|
|
* Tue Mar 10 2009 Dan Walsh <dwalsh@redhat.com> 3.6.8-4 |
|
- Fixes for iscsid and sssd |
|
- More cleanups for upgrade from F10 to Rawhide. |
|
|
|
* Mon Mar 9 2009 Dan Walsh <dwalsh@redhat.com> 3.6.8-3 |
|
- Add pulseaudio, sssd policy |
|
- Allow networkmanager to exec udevadm |
|
|
|
* Sat Mar 7 2009 Dan Walsh <dwalsh@redhat.com> 3.6.8-2 |
|
- Add pulseaudio context |
|
|
|
* Thu Mar 5 2009 Dan Walsh <dwalsh@redhat.com> 3.6.8-1 |
|
- Upgrade to latest patches |
|
|
|
* Wed Mar 4 2009 Dan Walsh <dwalsh@redhat.com> 3.6.7-2 |
|
- Fixes for libvirt |
|
|
|
* Mon Mar 2 2009 Dan Walsh <dwalsh@redhat.com> 3.6.7-1 |
|
- Update to Latest upstream |
|
|
|
* Sat Feb 28 2009 Dan Walsh <dwalsh@redhat.com> 3.6.6-9 |
|
- Fix setrans.conf to show SystemLow for s0 |
|
|
|
* Fri Feb 27 2009 Dan Walsh <dwalsh@redhat.com> 3.6.6-8 |
|
- Further confinement of qemu images via svirt |
|
|
|
* Wed Feb 25 2009 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 3.6.6-7 |
|
- Rebuilt for https://fedoraproject.org/wiki/Fedora_11_Mass_Rebuild |
|
|
|
* Thu Feb 19 2009 Dan Walsh <dwalsh@redhat.com> 3.6.6-6 |
|
- Allow NetworkManager to manage /etc/NetworkManager/system-connections |
|
|
|
* Wed Feb 18 2009 Dan Walsh <dwalsh@redhat.com> 3.6.6-5 |
|
- add virtual_image_context and virtual_domain_context files |
|
|
|
* Tue Feb 17 2009 Dan Walsh <dwalsh@redhat.com> 3.6.6-4 |
|
- Allow rpcd_t to send signal to mount_t |
|
- Allow libvirtd to run ranged |
|
|
|
* Tue Feb 17 2009 Dan Walsh <dwalsh@redhat.com> 3.6.6-3 |
|
- Fix sysnet/net_conf_t |
|
|
|
* Tue Feb 17 2009 Dan Walsh <dwalsh@redhat.com> 3.6.6-2 |
|
- Fix squidGuard labeling |
|
|
|
* Wed Feb 11 2009 Dan Walsh <dwalsh@redhat.com> 3.6.6-1 |
|
- Re-add corenet_in_generic_if(unlabeled_t) |
|
|
|
* Wed Feb 11 2009 Dan Walsh <dwalsh@redhat.com> 3.6.5-3 |
|
|
|
* Tue Feb 10 2009 Dan Walsh <dwalsh@redhat.com> 3.6.5-2 |
|
- Add git web policy |
|
|
|
* Mon Feb 9 2009 Dan Walsh <dwalsh@redhat.com> 3.6.5-1 |
|
- Add setrans contains from upstream |
|
|
|
* Mon Feb 9 2009 Dan Walsh <dwalsh@redhat.com> 3.6.4-6 |
|
- Do transitions outside of the booleans |
|
|
|
* Sun Feb 8 2009 Dan Walsh <dwalsh@redhat.com> 3.6.4-5 |
|
- Allow xdm to create user_tmp_t sockets for switch user to work |
|
|
|
* Thu Feb 5 2009 Dan Walsh <dwalsh@redhat.com> 3.6.4-4 |
|
- Fix staff_t domain |
|
|
|
* Thu Feb 5 2009 Dan Walsh <dwalsh@redhat.com> 3.6.4-3 |
|
- Grab remainder of network_peer_controls patch |
|
|
|
* Wed Feb 4 2009 Dan Walsh <dwalsh@redhat.com> 3.6.4-2 |
|
- More fixes for devicekit |
|
|
|
* Tue Feb 3 2009 Dan Walsh <dwalsh@redhat.com> 3.6.4-1 |
|
- Upgrade to latest upstream |
|
|
|
* Mon Feb 2 2009 Dan Walsh <dwalsh@redhat.com> 3.6.3-13 |
|
- Add boolean to disallow unconfined_t login |
|
|
|
* Fri Jan 30 2009 Dan Walsh <dwalsh@redhat.com> 3.6.3-12 |
|
- Add back transition from xguest to mozilla |
|
|
|
* Fri Jan 30 2009 Dan Walsh <dwalsh@redhat.com> 3.6.3-11 |
|
- Add virt_content_ro_t and labeling for isos directory |
|
|
|
* Tue Jan 27 2009 Dan Walsh <dwalsh@redhat.com> 3.6.3-10 |
|
- Fixes for wicd daemon |
|
|
|
* Mon Jan 26 2009 Dan Walsh <dwalsh@redhat.com> 3.6.3-9 |
|
- More mls/rpm fixes |
|
|
|
* Fri Jan 23 2009 Dan Walsh <dwalsh@redhat.com> 3.6.3-8 |
|
- Add policy to make dbus/nm-applet work |
|
|
|
* Thu Jan 22 2009 Dan Walsh <dwalsh@redhat.com> 3.6.3-7 |
|
- Remove polgen-ifgen from post and add trigger to policycoreutils-python |
|
|
|
* Wed Jan 21 2009 Dan Walsh <dwalsh@redhat.com> 3.6.3-6 |
|
- Add wm policy |
|
- Make mls work in graphics mode |
|
|
|
* Tue Jan 20 2009 Dan Walsh <dwalsh@redhat.com> 3.6.3-3 |
|
- Fixed for DeviceKit |
|
|
|
* Mon Jan 19 2009 Dan Walsh <dwalsh@redhat.com> 3.6.3-2 |
|
- Add devicekit policy |
|
|
|
* Mon Jan 19 2009 Dan Walsh <dwalsh@redhat.com> 3.6.3-1 |
|
- Update to upstream |
|
|
|
* Thu Jan 15 2009 Dan Walsh <dwalsh@redhat.com> 3.6.2-5 |
|
- Define openoffice as an x_domain |
|
|
|
* Mon Jan 12 2009 Dan Walsh <dwalsh@redhat.com> 3.6.2-4 |
|
- Fixes for reading xserver_tmp_t |
|
|
|
* Thu Jan 8 2009 Dan Walsh <dwalsh@redhat.com> 3.6.2-3 |
|
- Allow cups_pdf_t write to nfs_t |
|
|
|
* Tue Jan 6 2009 Dan Walsh <dwalsh@redhat.com> 3.6.2-2 |
|
- Remove audio_entropy policy |
|
|
|
* Mon Jan 5 2009 Dan Walsh <dwalsh@redhat.com> 3.6.2-1 |
|
- Update to upstream |
|
|
|
* Sun Jan 4 2009 Dan Walsh <dwalsh@redhat.com> 3.6.1-15 |
|
- Allow hal_acl_t to getattr/setattr fixed_disk |
|
|
|
* Sat Dec 27 2008 Dan Walsh <dwalsh@redhat.com> 3.6.1-14 |
|
- Change userdom_read_all_users_state to include reading symbolic links in /proc |
|
|
|
* Mon Dec 22 2008 Dan Walsh <dwalsh@redhat.com> 3.6.1-13 |
|
- Fix dbus reading /proc information |
|
|
|
* Thu Dec 18 2008 Dan Walsh <dwalsh@redhat.com> 3.6.1-12 |
|
- Add missing alias for home directory content |
|
|
|
* Wed Dec 17 2008 Dan Walsh <dwalsh@redhat.com> 3.6.1-11 |
|
- Fixes for IBM java location |
|
|
|
* Thu Dec 11 2008 Dan Walsh <dwalsh@redhat.com> 3.6.1-10 |
|
- Allow unconfined_r unconfined_java_t |
|
|
|
* Tue Dec 9 2008 Dan Walsh <dwalsh@redhat.com> 3.6.1-9 |
|
- Add cron_role back to user domains |
|
|
|
* Mon Dec 8 2008 Dan Walsh <dwalsh@redhat.com> 3.6.1-8 |
|
- Fix sudo setting of user keys |
|
|
|
* Thu Dec 4 2008 Dan Walsh <dwalsh@redhat.com> 3.6.1-7 |
|
- Allow iptables to talk to terminals |
|
- Fixes for policy kit |
|
- lots of fixes for booting. |
|
|
|
* Wed Dec 3 2008 Dan Walsh <dwalsh@redhat.com> 3.6.1-4 |
|
- Cleanup policy |
|
|
|
* Mon Dec 01 2008 Ignacio Vazquez-Abrams <ivazqueznet+rpm@gmail.com> - 3.6.1-2 |
|
- Rebuild for Python 2.6 |
|
|
|
* Fri Nov 7 2008 Dan Walsh <dwalsh@redhat.com> 3.5.13-19 |
|
- Fix labeling on /var/spool/rsyslog |
|
|
|
* Thu Nov 6 2008 Dan Walsh <dwalsh@redhat.com> 3.5.13-18 |
|
- Allow postgresl to bind to udp nodes |
|
|
|
* Wed Nov 5 2008 Dan Walsh <dwalsh@redhat.com> 3.5.13-17 |
|
- Allow lvm to dbus chat with hal |
|
- Allow rlogind to read nfs_t |
|
|
|
* Wed Nov 5 2008 Dan Walsh <dwalsh@redhat.com> 3.5.13-16 |
|
- Fix cyphesis file context |
|
|
|
* Tue Nov 4 2008 Dan Walsh <dwalsh@redhat.com> 3.5.13-15 |
|
- Allow hal/pm-utils to look at /var/run/video.rom |
|
- Add ulogd policy |
|
|
|
* Tue Nov 4 2008 Dan Walsh <dwalsh@redhat.com> 3.5.13-14 |
|
- Additional fixes for cyphesis |
|
- Fix certmaster file context |
|
- Add policy for system-config-samba |
|
- Allow hal to read /var/run/video.rom |
|
|
|
* Mon Nov 3 2008 Dan Walsh <dwalsh@redhat.com> 3.5.13-13 |
|
- Allow dhcpc to restart ypbind |
|
- Fixup labeling in /var/run |
|
|
|
* Thu Oct 30 2008 Dan Walsh <dwalsh@redhat.com> 3.5.13-12 |
|
- Add certmaster policy |
|
|
|
* Wed Oct 29 2008 Dan Walsh <dwalsh@redhat.com> 3.5.13-11 |
|
- Fix confined users |
|
- Allow xguest to read/write xguest_dbusd_t |
|
|
|
* Mon Oct 27 2008 Dan Walsh <dwalsh@redhat.com> 3.5.13-9 |
|
- Allow openoffice execstack/execmem privs |
|
|
|
* Fri Oct 24 2008 Dan Walsh <dwalsh@redhat.com> 3.5.13-8 |
|
- Allow mozilla to run with unconfined_execmem_t |
|
|
|
* Thu Oct 23 2008 Dan Walsh <dwalsh@redhat.com> 3.5.13-7 |
|
- Dontaudit domains trying to write to .xsession-errors |
|
|
|
* Thu Oct 23 2008 Dan Walsh <dwalsh@redhat.com> 3.5.13-6 |
|
- Allow nsplugin to look at autofs_t directory |
|
|
|
* Wed Oct 22 2008 Dan Walsh <dwalsh@redhat.com> 3.5.13-5 |
|
- Allow kerneloops to create tmp files |
|
|
|
* Wed Oct 22 2008 Dan Walsh <dwalsh@redhat.com> 3.5.13-4 |
|
- More alias for fastcgi |
|
|
|
* Tue Oct 21 2008 Dan Walsh <dwalsh@redhat.com> 3.5.13-3 |
|
- Remove mod_fcgid-selinux package |
|
|
|
* Mon Oct 20 2008 Dan Walsh <dwalsh@redhat.com> 3.5.13-2 |
|
- Fix dovecot access |
|
|
|
* Fri Oct 17 2008 Dan Walsh <dwalsh@redhat.com> 3.5.13-1 |
|
- Policy cleanup |
|
|
|
* Thu Oct 16 2008 Dan Walsh <dwalsh@redhat.com> 3.5.12-3 |
|
- Remove Multiple spec |
|
- Add include |
|
- Fix makefile to not call per_role_expansion |
|
|
|
* Wed Oct 15 2008 Dan Walsh <dwalsh@redhat.com> 3.5.12-2 |
|
- Fix labeling of libGL |
|
|
|
* Fri Oct 10 2008 Dan Walsh <dwalsh@redhat.com> 3.5.12-1 |
|
- Update to upstream |
|
|
|
* Wed Oct 8 2008 Dan Walsh <dwalsh@redhat.com> 3.5.11-1 |
|
- Update to upstream policy |
|
|
|
* Mon Oct 6 2008 Dan Walsh <dwalsh@redhat.com> 3.5.10-3 |
|
- Fixes for confined xwindows and xdm_t |
|
|
|
* Fri Oct 3 2008 Dan Walsh <dwalsh@redhat.com> 3.5.10-2 |
|
- Allow confined users and xdm to exec wm |
|
- Allow nsplugin to talk to fifo files on nfs |
|
|
|
* Fri Oct 3 2008 Dan Walsh <dwalsh@redhat.com> 3.5.10-1 |
|
- Allow NetworkManager to transition to avahi and iptables |
|
- Allow domains to search other domains keys, coverup kernel bug |
|
|
|
* Wed Oct 1 2008 Dan Walsh <dwalsh@redhat.com> 3.5.9-4 |
|
- Fix labeling for oracle |
|
|
|
* Wed Oct 1 2008 Dan Walsh <dwalsh@redhat.com> 3.5.9-3 |
|
- Allow nsplugin to comminicate with xdm_tmp_t sock_file |
|
|
|
* Mon Sep 29 2008 Dan Walsh <dwalsh@redhat.com> 3.5.9-2 |
|
- Change all user tmpfs_t files to be labeled user_tmpfs_t |
|
- Allow radiusd to create sock_files |
|
|
|
* Wed Sep 24 2008 Dan Walsh <dwalsh@redhat.com> 3.5.9-1 |
|
- Upgrade to upstream |
|
|
|
* Tue Sep 23 2008 Dan Walsh <dwalsh@redhat.com> 3.5.8-7 |
|
- Allow confined users to login with dbus |
|
|
|
* Mon Sep 22 2008 Dan Walsh <dwalsh@redhat.com> 3.5.8-6 |
|
- Fix transition to nsplugin |
|
|
|
* Mon Sep 22 2008 Dan Walsh <dwalsh@redhat.com> 3.5.8-5 |
|
- Add file context for /dev/mspblk.* |
|
|
|
* Sun Sep 21 2008 Dan Walsh <dwalsh@redhat.com> 3.5.8-4 |
|
- Fix transition to nsplugin |
|
' |
|
* Thu Sep 18 2008 Dan Walsh <dwalsh@redhat.com> 3.5.8-3 |
|
- Fix labeling on new pm*log |
|
- Allow ssh to bind to all nodes |
|
|
|
* Thu Sep 11 2008 Dan Walsh <dwalsh@redhat.com> 3.5.8-1 |
|
- Merge upstream changes |
|
- Add Xavier Toth patches |
|
|
|
* Wed Sep 10 2008 Dan Walsh <dwalsh@redhat.com> 3.5.7-2 |
|
- Add qemu_cache_t for /var/cache/libvirt |
|
|
|
* Fri Sep 5 2008 Dan Walsh <dwalsh@redhat.com> 3.5.7-1 |
|
- Remove gamin policy |
|
|
|
* Thu Sep 4 2008 Dan Walsh <dwalsh@redhat.com> 3.5.6-2 |
|
- Add tinyxs-max file system support |
|
|
|
* Wed Sep 3 2008 Dan Walsh <dwalsh@redhat.com> 3.5.6-1 |
|
- Update to upstream |
|
- New handling of init scripts |
|
|
|
* Fri Aug 29 2008 Dan Walsh <dwalsh@redhat.com> 3.5.5-4 |
|
- Allow pcsd to dbus |
|
- Add memcache policy |
|
|
|
* Fri Aug 29 2008 Dan Walsh <dwalsh@redhat.com> 3.5.5-3 |
|
- Allow audit dispatcher to kill his children |
|
|
|
* Tue Aug 26 2008 Dan Walsh <dwalsh@redhat.com> 3.5.5-2 |
|
- Update to upstream |
|
- Fix crontab use by unconfined user |
|
|
|
* Tue Aug 12 2008 Dan Walsh <dwalsh@redhat.com> 3.5.4-2 |
|
- Allow ifconfig_t to read dhcpc_state_t |
|
|
|
* Mon Aug 11 2008 Dan Walsh <dwalsh@redhat.com> 3.5.4-1 |
|
- Update to upstream |
|
|
|
* Thu Aug 7 2008 Dan Walsh <dwalsh@redhat.com> 3.5.3-1 |
|
- Update to upstream |
|
|
|
* Sat Aug 2 2008 Dan Walsh <dwalsh@redhat.com> 3.5.2-2 |
|
- Allow system-config-selinux to work with policykit |
|
|
|
* Fri Jul 25 2008 Dan Walsh <dwalsh@redhat.com> 3.5.1-5 |
|
- Fix novel labeling |
|
|
|
* Fri Jul 25 2008 Dan Walsh <dwalsh@redhat.com> 3.5.1-4 |
|
- Consolodate pyzor,spamassassin, razor into one security domain |
|
- Fix xdm requiring additional perms. |
|
|
|
* Fri Jul 25 2008 Dan Walsh <dwalsh@redhat.com> 3.5.1-3 |
|
- Fixes for logrotate, alsa |
|
|
|
* Thu Jul 24 2008 Dan Walsh <dwalsh@redhat.com> 3.5.1-2 |
|
- Eliminate vbetool duplicate entry |
|
|
|
* Wed Jul 16 2008 Dan Walsh <dwalsh@redhat.com> 3.5.1-1 |
|
- Fix xguest -> xguest_mozilla_t -> xguest_openiffice_t |
|
- Change dhclient to be able to red networkmanager_var_run |
|
|
|
* Tue Jul 15 2008 Dan Walsh <dwalsh@redhat.com> 3.5.0-1 |
|
- Update to latest refpolicy |
|
- Fix libsemanage initial install bug |
|
|
|
* Wed Jul 9 2008 Dan Walsh <dwalsh@redhat.com> 3.4.2-14 |
|
- Add inotify support to nscd |
|
|
|
* Tue Jul 8 2008 Dan Walsh <dwalsh@redhat.com> 3.4.2-13 |
|
- Allow unconfined_t to setfcap |
|
|
|
* Mon Jul 7 2008 Dan Walsh <dwalsh@redhat.com> 3.4.2-12 |
|
- Allow amanda to read tape |
|
- Allow prewikka cgi to use syslog, allow audisp_t to signal cgi |
|
- Add support for netware file systems |
|
|
|
* Thu Jul 3 2008 Dan Walsh <dwalsh@redhat.com> 3.4.2-11 |
|
- Allow ypbind apps to net_bind_service |
|
|
|
* Wed Jul 2 2008 Dan Walsh <dwalsh@redhat.com> 3.4.2-10 |
|
- Allow all system domains and application domains to append to any log file |
|
|
|
* Sun Jun 29 2008 Dan Walsh <dwalsh@redhat.com> 3.4.2-9 |
|
- Allow gdm to read rpm database |
|
- Allow nsplugin to read mplayer config files |
|
|
|
* Thu Jun 26 2008 Dan Walsh <dwalsh@redhat.com> 3.4.2-8 |
|
- Allow vpnc to run ifconfig |
|
|
|
* Tue Jun 24 2008 Dan Walsh <dwalsh@redhat.com> 3.4.2-7 |
|
- Allow confined users to use postgres |
|
- Allow system_mail_t to exec other mail clients |
|
- Label mogrel_rails as an apache server |
|
|
|
* Mon Jun 23 2008 Dan Walsh <dwalsh@redhat.com> 3.4.2-6 |
|
- Apply unconfined_execmem_exec_t to haskell programs |
|
|
|
* Sun Jun 22 2008 Dan Walsh <dwalsh@redhat.com> 3.4.2-5 |
|
- Fix prelude file context |
|
|
|
* Fri Jun 13 2008 Dan Walsh <dwalsh@redhat.com> 3.4.2-4 |
|
- allow hplip to talk dbus |
|
- Fix context on ~/.local dir |
|
|
|
* Thu Jun 12 2008 Dan Walsh <dwalsh@redhat.com> 3.4.2-3 |
|
- Prevent applications from reading x_device |
|
|
|
* Thu Jun 12 2008 Dan Walsh <dwalsh@redhat.com> 3.4.2-2 |
|
- Add /var/lib/selinux context |
|
|
|
* Wed Jun 11 2008 Dan Walsh <dwalsh@redhat.com> 3.4.2-1 |
|
- Update to upstream |
|
|
|
* Wed Jun 4 2008 Dan Walsh <dwalsh@redhat.com> 3.4.1-5 |
|
- Add livecd policy |
|
|
|
* Wed Jun 4 2008 Dan Walsh <dwalsh@redhat.com> 3.4.1-3 |
|
- Dontaudit search of admin_home for init_system_domain |
|
- Rewrite of xace interfaces |
|
- Lots of new fs_list_inotify |
|
- Allow livecd to transition to setfiles_mac |
|
|
|
* Fri May 9 2008 Dan Walsh <dwalsh@redhat.com> 3.4.1-2 |
|
- Begin XAce integration |
|
|
|
* Fri May 9 2008 Dan Walsh <dwalsh@redhat.com> 3.4.1-1 |
|
- Merge Upstream |
|
|
|
* Wed May 7 2008 Dan Walsh <dwalsh@redhat.com> 3.3.1-48 |
|
- Allow amanada to create data files |
|
|
|
* Wed May 7 2008 Dan Walsh <dwalsh@redhat.com> 3.3.1-47 |
|
- Fix initial install, semanage setup |
|
|
|
* Tue May 6 2008 Dan Walsh <dwalsh@redhat.com> 3.3.1-46 |
|
- Allow system_r for httpd_unconfined_script_t |
|
|
|
* Wed Apr 30 2008 Dan Walsh <dwalsh@redhat.com> 3.3.1-45 |
|
- Remove dmesg boolean |
|
- Allow user domains to read/write game data |
|
|
|
* Mon Apr 28 2008 Dan Walsh <dwalsh@redhat.com> 3.3.1-44 |
|
- Change unconfined_t to transition to unconfined_mono_t when running mono |
|
- Change XXX_mono_t to transition to XXX_t when executing bin_t files, so gnome-do will work |
|
|
|
* Mon Apr 28 2008 Dan Walsh <dwalsh@redhat.com> 3.3.1-43 |
|
- Remove old booleans from targeted-booleans.conf file |
|
|
|
* Fri Apr 25 2008 Dan Walsh <dwalsh@redhat.com> 3.3.1-42 |
|
- Add boolean to mmap_zero |
|
- allow tor setgid |
|
- Allow gnomeclock to set clock |
|
|
|
* Thu Apr 24 2008 Dan Walsh <dwalsh@redhat.com> 3.3.1-41 |
|
- Don't run crontab from unconfined_t |
|
|
|
* Wed Apr 23 2008 Dan Walsh <dwalsh@redhat.com> 3.3.1-39 |
|
- Change etc files to config files to allow users to read them |
|
|
|
* Fri Apr 18 2008 Dan Walsh <dwalsh@redhat.com> 3.3.1-37 |
|
- Lots of fixes for confined domains on NFS_t homedir |
|
|
|
* Mon Apr 14 2008 Dan Walsh <dwalsh@redhat.com> 3.3.1-36 |
|
- dontaudit mrtg reading /proc |
|
- Allow iscsi to signal itself |
|
- Allow gnomeclock sys_ptrace |
|
|
|
* Thu Apr 10 2008 Dan Walsh <dwalsh@redhat.com> 3.3.1-33 |
|
- Allow dhcpd to read kernel network state |
|
|
|
* Thu Apr 10 2008 Dan Walsh <dwalsh@redhat.com> 3.3.1-32 |
|
- Label /var/run/gdm correctly |
|
- Fix unconfined_u user creation |
|
|
|
* Tue Apr 8 2008 Dan Walsh <dwalsh@redhat.com> 3.3.1-31 |
|
- Allow transition from initrc_t to getty_t |
|
|
|
* Tue Apr 8 2008 Dan Walsh <dwalsh@redhat.com> 3.3.1-30 |
|
- Allow passwd to communicate with user sockets to change gnome-keyring |
|
|
|
* Sat Apr 5 2008 Dan Walsh <dwalsh@redhat.com> 3.3.1-29 |
|
- Fix initial install |
|
|
|
* Fri Apr 4 2008 Dan Walsh <dwalsh@redhat.com> 3.3.1-28 |
|
- Allow radvd to use fifo_file |
|
- dontaudit setfiles reading links |
|
- allow semanage sys_resource |
|
- add allow_httpd_mod_auth_ntlm_winbind boolean |
|
- Allow privhome apps including dovecot read on nfs and cifs home |
|
dirs if the boolean is set |
|
|
|
* Tue Apr 1 2008 Dan Walsh <dwalsh@redhat.com> 3.3.1-27 |
|
- Allow nsplugin to read /etc/mozpluggerrc, user_fonts |
|
- Allow syslog to manage innd logs. |
|
- Allow procmail to ioctl spamd_exec_t |
|
|
|
* Sat Mar 29 2008 Dan Walsh <dwalsh@redhat.com> 3.3.1-26 |
|
- Allow initrc_t to dbus chat with consolekit. |
|
|
|
* Thu Mar 27 2008 Dan Walsh <dwalsh@redhat.com> 3.3.1-25 |
|
- Additional access for nsplugin |
|
- Allow xdm setcap/getcap until pulseaudio is fixed |
|
|
|
* Tue Mar 25 2008 Dan Walsh <dwalsh@redhat.com> 3.3.1-24 |
|
- Allow mount to mkdir on tmpfs |
|
- Allow ifconfig to search debugfs |
|
|
|
* Fri Mar 21 2008 Dan Walsh <dwalsh@redhat.com> 3.3.1-23 |
|
- Fix file context for MATLAB |
|
- Fixes for xace |
|
|
|
* Tue Mar 18 2008 Dan Walsh <dwalsh@redhat.com> 3.3.1-22 |
|
- Allow stunnel to transition to inetd children domains |
|
- Make unconfined_dbusd_t an unconfined domain |
|
|
|
* Mon Mar 17 2008 Dan Walsh <dwalsh@redhat.com> 3.3.1-21 |
|
- Fixes for qemu/virtd |
|
|
|
* Fri Mar 14 2008 Dan Walsh <dwalsh@redhat.com> 3.3.1-20 |
|
- Fix bug in mozilla policy to allow xguest transition |
|
- This will fix the |
|
|
|
libsemanage.dbase_llist_query: could not find record value |
|
libsemanage.dbase_llist_query: could not query record value (No such file or |
|
directory) |
|
bug in xguest |
|
|
|
* Fri Mar 14 2008 Dan Walsh <dwalsh@redhat.com> 3.3.1-19 |
|
- Allow nsplugin to run acroread |
|
|
|
* Thu Mar 13 2008 Dan Walsh <dwalsh@redhat.com> 3.3.1-18 |
|
- Add cups_pdf policy |
|
- Add openoffice policy to run in xguest |
|
|
|
* Thu Mar 13 2008 Dan Walsh <dwalsh@redhat.com> 3.3.1-17 |
|
- prewika needs to contact mysql |
|
- Allow syslog to read system_map files |
|
|
|
* Wed Mar 12 2008 Dan Walsh <dwalsh@redhat.com> 3.3.1-16 |
|
- Change init_t to an unconfined_domain |
|
|
|
* Tue Mar 11 2008 Dan Walsh <dwalsh@redhat.com> 3.3.1-15 |
|
- Allow init to transition to initrc_t on shell exec. |
|
- Fix init to be able to sendto init_t. |
|
- Allow syslog to connect to mysql |
|
- Allow lvm to manage its own fifo_files |
|
- Allow bugzilla to use ldap |
|
- More mls fixes |
|
|
|
* Tue Mar 11 2008 Bill Nottingham <notting@redhat.com> 3.3.1-14 |
|
- fixes for init policy (#436988) |
|
- fix build |
|
|
|
* Mon Mar 10 2008 Dan Walsh <dwalsh@redhat.com> 3.3.1-13 |
|
- Additional changes for MLS policy |
|
|
|
* Thu Mar 6 2008 Dan Walsh <dwalsh@redhat.com> 3.3.1-12 |
|
- Fix initrc_context generation for MLS |
|
|
|
* Mon Mar 3 2008 Dan Walsh <dwalsh@redhat.com> 3.3.1-11 |
|
- Fixes for libvirt |
|
|
|
* Mon Mar 3 2008 Dan Walsh <dwalsh@redhat.com> 3.3.1-10 |
|
- Allow bitlebee to read locale_t |
|
|
|
* Fri Feb 29 2008 Dan Walsh <dwalsh@redhat.com> 3.3.1-9 |
|
- More xselinux rules |
|
|
|
* Thu Feb 28 2008 Dan Walsh <dwalsh@redhat.com> 3.3.1-8 |
|
- Change httpd_$1_script_r*_t to httpd_$1_content_r*_t |
|
|
|
* Wed Feb 27 2008 Dan Walsh <dwalsh@redhat.com> 3.3.1-6 |
|
- Prepare policy for beta release |
|
- Change some of the system domains back to unconfined |
|
- Turn on some of the booleans |
|
|
|
* Tue Feb 26 2008 Dan Walsh <dwalsh@redhat.com> 3.3.1-5 |
|
- Allow nsplugin_config execstack/execmem |
|
- Allow nsplugin_t to read alsa config |
|
- Change apache to use user content |
|
|
|
* Tue Feb 26 2008 Dan Walsh <dwalsh@redhat.com> 3.3.1-4 |
|
- Add cyphesis policy |
|
|
|
* Tue Feb 26 2008 Dan Walsh <dwalsh@redhat.com> 3.3.1-2 |
|
- Fix Makefile.devel to build mls modules |
|
- Fix qemu to be more specific on labeling |
|
|
|
* Tue Feb 26 2008 Dan Walsh <dwalsh@redhat.com> 3.3.1-1 |
|
- Update to upstream fixes |
|
|
|
* Fri Feb 22 2008 Dan Walsh <dwalsh@redhat.com> 3.3.0-2 |
|
- Allow staff to mounton user_home_t |
|
|
|
* Fri Feb 22 2008 Dan Walsh <dwalsh@redhat.com> 3.3.0-1 |
|
- Add xace support |
|
|
|
* Thu Feb 21 2008 Dan Walsh <dwalsh@redhat.com> 3.2.9-2 |
|
- Add fusectl file system |
|
|
|
* Wed Feb 20 2008 Dan Walsh <dwalsh@redhat.com> 3.2.9-1 |
|
- Fixes from yum-cron |
|
- Update to latest upstream |
|
|
|
|
|
* Tue Feb 19 2008 Dan Walsh <dwalsh@redhat.com> 3.2.8-2 |
|
- Fix userdom_list_user_files |
|
|
|
|
|
* Fri Feb 15 2008 Dan Walsh <dwalsh@redhat.com> 3.2.8-1 |
|
- Merge with upstream |
|
|
|
* Thu Feb 7 2008 Dan Walsh <dwalsh@redhat.com> 3.2.7-6 |
|
- Allow udev to send audit messages |
|
|
|
* Thu Feb 7 2008 Dan Walsh <dwalsh@redhat.com> 3.2.7-5 |
|
- Add additional login users interfaces |
|
- userdom_admin_login_user_template(staff) |
|
|
|
* Thu Feb 7 2008 Dan Walsh <dwalsh@redhat.com> 3.2.7-3 |
|
- More fixes for polkit |
|
|
|
* Thu Feb 7 2008 Dan Walsh <dwalsh@redhat.com> 3.2.7-2 |
|
- Eliminate transition from unconfined_t to qemu by default |
|
- Fixes for gpg |
|
|
|
* Tue Feb 5 2008 Dan Walsh <dwalsh@redhat.com> 3.2.7-1 |
|
- Update to upstream |
|
|
|
* Tue Feb 5 2008 Dan Walsh <dwalsh@redhat.com> 3.2.6-7 |
|
- Fixes for staff_t |
|
|
|
* Tue Feb 5 2008 Dan Walsh <dwalsh@redhat.com> 3.2.6-6 |
|
- Add policy for kerneloops |
|
- Add policy for gnomeclock |
|
|
|
* Mon Feb 4 2008 Dan Walsh <dwalsh@redhat.com> 3.2.6-5 |
|
- Fixes for libvirt |
|
|
|
* Sun Feb 3 2008 Dan Walsh <dwalsh@redhat.com> 3.2.6-4 |
|
- Fixes for nsplugin |
|
|
|
* Sat Feb 2 2008 Dan Walsh <dwalsh@redhat.com> 3.2.6-3 |
|
- More fixes for qemu |
|
|
|
* Sat Feb 2 2008 Dan Walsh <dwalsh@redhat.com> 3.2.6-2 |
|
- Additional ports for vnc and allow qemu and libvirt to search all directories |
|
|
|
* Fri Feb 1 2008 Dan Walsh <dwalsh@redhat.com> 3.2.6-1 |
|
- Update to upstream |
|
- Add libvirt policy |
|
- add qemu policy |
|
|
|
* Fri Feb 1 2008 Dan Walsh <dwalsh@redhat.com> 3.2.5-25 |
|
- Allow fail2ban to create a socket in /var/run |
|
|
|
* Wed Jan 30 2008 Dan Walsh <dwalsh@redhat.com> 3.2.5-24 |
|
- Allow allow_httpd_mod_auth_pam to work |
|
|
|
* Wed Jan 30 2008 Dan Walsh <dwalsh@redhat.com> 3.2.5-22 |
|
- Add audisp policy and prelude |
|
|
|
* Mon Jan 28 2008 Dan Walsh <dwalsh@redhat.com> 3.2.5-21 |
|
- Allow all user roles to executae samba net command |
|
|
|
* Fri Jan 25 2008 Dan Walsh <dwalsh@redhat.com> 3.2.5-20 |
|
- Allow usertypes to read/write noxattr file systems |
|
|
|
* Thu Jan 24 2008 Dan Walsh <dwalsh@redhat.com> 3.2.5-19 |
|
- Fix nsplugin to allow flashplugin to work in enforcing mode |
|
|
|
* Wed Jan 23 2008 Dan Walsh <dwalsh@redhat.com> 3.2.5-18 |
|
- Allow pam_selinux_permit to kill all processes |
|
|
|
* Mon Jan 21 2008 Dan Walsh <dwalsh@redhat.com> 3.2.5-17 |
|
- Allow ptrace or user processes by users of same type |
|
- Add boolean for transition to nsplugin |
|
|
|
* Mon Jan 21 2008 Dan Walsh <dwalsh@redhat.com> 3.2.5-16 |
|
- Allow nsplugin sys_nice, getsched, setsched |
|
|
|
* Mon Jan 21 2008 Dan Walsh <dwalsh@redhat.com> 3.2.5-15 |
|
- Allow login programs to talk dbus to oddjob |
|
|
|
* Thu Jan 17 2008 Dan Walsh <dwalsh@redhat.com> 3.2.5-14 |
|
- Add procmail_log support |
|
- Lots of fixes for munin |
|
|
|
* Tue Jan 15 2008 Dan Walsh <dwalsh@redhat.com> 3.2.5-13 |
|
- Allow setroubleshoot to read policy config and send audit messages |
|
|
|
* Mon Jan 14 2008 Dan Walsh <dwalsh@redhat.com> 3.2.5-12 |
|
- Allow users to execute all files in homedir, if boolean set |
|
- Allow mount to read samba config |
|
|
|
* Sun Jan 13 2008 Dan Walsh <dwalsh@redhat.com> 3.2.5-11 |
|
- Fixes for xguest to run java plugin |
|
|
|
* Mon Jan 7 2008 Dan Walsh <dwalsh@redhat.com> 3.2.5-10 |
|
- dontaudit pam_t and dbusd writing to user_home_t |
|
|
|
* Mon Jan 7 2008 Dan Walsh <dwalsh@redhat.com> 3.2.5-9 |
|
- Update gpg to allow reading of inotify |
|
|
|
* Wed Jan 2 2008 Dan Walsh <dwalsh@redhat.com> 3.2.5-8 |
|
- Change user and staff roles to work correctly with varied perms |
|
|
|
* Mon Dec 31 2007 Dan Walsh <dwalsh@redhat.com> 3.2.5-7 |
|
- Fix munin log, |
|
- Eliminate duplicate mozilla file context |
|
- fix wpa_supplicant spec |
|
|
|
* Mon Dec 24 2007 Dan Walsh <dwalsh@redhat.com> 3.2.5-6 |
|
- Fix role transition from unconfined_r to system_r when running rpm |
|
- Allow unconfined_domains to communicate with user dbus instances |
|
|
|
* Sat Dec 22 2007 Dan Walsh <dwalsh@redhat.com> 3.2.5-5 |
|
- Fixes for xguest |
|
|
|
* Thu Dec 20 2007 Dan Walsh <dwalsh@redhat.com> 3.2.5-4 |
|
- Let all uncofined domains communicate with dbus unconfined |
|
|
|
* Thu Dec 20 2007 Dan Walsh <dwalsh@redhat.com> 3.2.5-3 |
|
- Run rpm in system_r |
|
|
|
* Wed Dec 19 2007 Dan Walsh <dwalsh@redhat.com> 3.2.5-2 |
|
- Zero out customizable types |
|
|
|
* Wed Dec 19 2007 Dan Walsh <dwalsh@redhat.com> 3.2.5-1 |
|
- Fix definiton of admin_home_t |
|
|
|
* Wed Dec 19 2007 Dan Walsh <dwalsh@redhat.com> 3.2.4-5 |
|
- Fix munin file context |
|
|
|
* Tue Dec 18 2007 Dan Walsh <dwalsh@redhat.com> 3.2.4-4 |
|
- Allow cron to run unconfined apps |
|
|
|
* Mon Dec 17 2007 Dan Walsh <dwalsh@redhat.com> 3.2.4-3 |
|
- Modify default login to unconfined_u |
|
|
|
* Thu Dec 13 2007 Dan Walsh <dwalsh@redhat.com> 3.2.4-1 |
|
- Dontaudit dbus user client search of /root |
|
|
|
* Wed Dec 12 2007 Dan Walsh <dwalsh@redhat.com> 3.2.4-1 |
|
- Update to upstream |
|
|
|
* Tue Dec 11 2007 Dan Walsh <dwalsh@redhat.com> 3.2.3-2 |
|
- Fixes for polkit |
|
- Allow xserver to ptrace |
|
|
|
* Tue Dec 11 2007 Dan Walsh <dwalsh@redhat.com> 3.2.3-1 |
|
- Add polkit policy |
|
- Symplify userdom context, remove automatic per_role changes |
|
|
|
* Tue Dec 4 2007 Dan Walsh <dwalsh@redhat.com> 3.2.2-1 |
|
- Update to upstream |
|
- Allow httpd_sys_script_t to search users homedirs |
|
|
|
* Mon Dec 3 2007 Dan Walsh <dwalsh@redhat.com> 3.2.1-3 |
|
- Allow rpm_script to transition to unconfined_execmem_t |
|
|
|
* Fri Nov 30 2007 Dan Walsh <dwalsh@redhat.com> 3.2.1-1 |
|
- Remove user based home directory separation |
|
|
|
* Wed Nov 28 2007 Dan Walsh <dwalsh@redhat.com> 3.1.2-2 |
|
- Remove user specific crond_t |
|
|
|
* Mon Nov 19 2007 Dan Walsh <dwalhh@redhat.com> 3.1.2-1 |
|
- Merge with upstream |
|
- Allow xsever to read hwdata_t |
|
- Allow login programs to setkeycreate |
|
|
|
* Sat Nov 10 2007 Dan Walsh <dwalsh@redhat.com> 3.1.1-1 |
|
- Update to upstream |
|
|
|
* Mon Oct 22 2007 Dan Walsh <dwalsh@redhat.com> 3.1.0-1 |
|
- Update to upstream |
|
|
|
* Mon Oct 22 2007 Dan Walsh <dwalsh@redhat.com> 3.0.8-30 |
|
- Allow XServer to read /proc/self/cmdline |
|
- Fix unconfined cron jobs |
|
- Allow fetchmail to transition to procmail |
|
- Fixes for hald_mac |
|
- Allow system_mail to transition to exim |
|
- Allow tftpd to upload files |
|
- Allow xdm to manage unconfined_tmp |
|
- Allow udef to read alsa config |
|
- Fix xguest to be able to connect to sound port |
|
|
|
* Fri Oct 19 2007 Dan Walsh <dwalsh@redhat.com> 3.0.8-28 |
|
- Fixes for hald_mac |
|
- Treat unconfined_home_dir_t as a home dir |
|
- dontaudit rhgb writes to fonts and root |
|
|
|
* Fri Oct 19 2007 Dan Walsh <dwalsh@redhat.com> 3.0.8-27 |
|
- Fix dnsmasq |
|
- Allow rshd full login privs |
|
|
|
* Thu Oct 18 2007 Dan Walsh <dwalsh@redhat.com> 3.0.8-26 |
|
- Allow rshd to connect to ports > 1023 |
|
|
|
* Thu Oct 18 2007 Dan Walsh <dwalsh@redhat.com> 3.0.8-25 |
|
- Fix vpn to bind to port 4500 |
|
- Allow ssh to create shm |
|
- Add Kismet policy |
|
|
|
* Tue Oct 16 2007 Dan Walsh <dwalsh@redhat.com> 3.0.8-24 |
|
- Allow rpm to chat with networkmanager |
|
|
|
* Mon Oct 15 2007 Dan Walsh <dwalsh@redhat.com> 3.0.8-23 |
|
- Fixes for ipsec and exim mail |
|
- Change default to unconfined user |
|
|
|
* Fri Oct 12 2007 Dan Walsh <dwalsh@redhat.com> 3.0.8-22 |
|
- Pass the UNK_PERMS param to makefile |
|
- Fix gdm location |
|
|
|
* Wed Oct 10 2007 Dan Walsh <dwalsh@redhat.com> 3.0.8-21 |
|
- Make alsa work |
|
|
|
* Tue Oct 9 2007 Dan Walsh <dwalsh@redhat.com> 3.0.8-20 |
|
- Fixes for consolekit and startx sessions |
|
|
|
* Mon Oct 8 2007 Dan Walsh <dwalsh@redhat.com> 3.0.8-19 |
|
- Dontaudit consoletype talking to unconfined_t |
|
|
|
* Thu Oct 4 2007 Dan Walsh <dwalsh@redhat.com> 3.0.8-18 |
|
- Remove homedir_template |
|
|
|
* Tue Oct 2 2007 Dan Walsh <dwalsh@redhat.com> 3.0.8-17 |
|
- Check asound.state |
|
|
|
* Mon Oct 1 2007 Dan Walsh <dwalsh@redhat.com> 3.0.8-16 |
|
- Fix exim policy |
|
|
|
* Thu Sep 27 2007 Dan Walsh <dwalsh@redhat.com> 3.0.8-15 |
|
- Allow tmpreadper to read man_t |
|
- Allow racoon to bind to all nodes |
|
- Fixes for finger print reader |
|
|
|
* Tue Sep 25 2007 Dan Walsh <dwalsh@redhat.com> 3.0.8-14 |
|
- Allow xdm to talk to input device (fingerprint reader) |
|
- Allow octave to run as java |
|
|
|
* Tue Sep 25 2007 Dan Walsh <dwalsh@redhat.com> 3.0.8-13 |
|
- Allow login programs to set ioctl on /proc |
|
|
|
* Mon Sep 24 2007 Dan Walsh <dwalsh@redhat.com> 3.0.8-12 |
|
- Allow nsswitch apps to read samba_var_t |
|
|
|
* Mon Sep 24 2007 Dan Walsh <dwalsh@redhat.com> 3.0.8-11 |
|
- Fix maxima |
|
|
|
* Mon Sep 24 2007 Dan Walsh <dwalsh@redhat.com> 3.0.8-10 |
|
- Eliminate rpm_t:fifo_file avcs |
|
- Fix dbus path for helper app |
|
|
|
* Sat Sep 22 2007 Dan Walsh <dwalsh@redhat.com> 3.0.8-9 |
|
- Fix service start stop terminal avc's |
|
|
|
* Fri Sep 21 2007 Dan Walsh <dwalsh@redhat.com> 3.0.8-8 |
|
- Allow also to search var_lib |
|
- New context for dbus launcher |
|
|
|
* Fri Sep 21 2007 Dan Walsh <dwalsh@redhat.com> 3.0.8-7 |
|
- Allow cupsd_config_t to read/write usb_device_t |
|
- Support for finger print reader, |
|
- Many fixes for clvmd |
|
- dbus starting networkmanager |
|
|
|
* Thu Sep 20 2007 Dan Walsh <dwalsh@redhat.com> 3.0.8-5 |
|
- Fix java and mono to run in xguest account |
|
|
|
* Wed Sep 19 2007 Dan Walsh <dwalsh@redhat.com> 3.0.8-4 |
|
- Fix to add xguest account when inititial install |
|
- Allow mono, java, wine to run in userdomains |
|
|
|
* Wed Sep 19 2007 Dan Walsh <dwalsh@redhat.com> 3.0.8-3 |
|
- Allow xserver to search devpts_t |
|
- Dontaudit ldconfig output to homedir |
|
|
|
* Tue Sep 18 2007 Dan Walsh <dwalsh@redhat.com> 3.0.8-2 |
|
- Remove hplip_etc_t change back to etc_t. |
|
|
|
|
|
* Mon Sep 17 2007 Dan Walsh <dwalsh@redhat.com> 3.0.8-1 |
|
- Allow cron to search nfs and samba homedirs |
|
|
|
* Tue Sep 11 2007 Dan Walsh <dwalsh@redhat.com> 3.0.7-10 |
|
- Allow NetworkManager to dbus chat with yum-updated |
|
|
|
* Tue Sep 11 2007 Dan Walsh <dwalsh@redhat.com> 3.0.7-9 |
|
- Allow xfs to bind to port 7100 |
|
|
|
* Mon Sep 10 2007 Dan Walsh <dwalsh@redhat.com> 3.0.7-8 |
|
- Allow newalias/sendmail dac_override |
|
- Allow bind to bind to all udp ports |
|
|
|
* Fri Sep 7 2007 Dan Walsh <dwalsh@redhat.com> 3.0.7-7 |
|
- Turn off direct transition |
|
|
|
* Fri Sep 7 2007 Dan Walsh <dwalsh@redhat.com> 3.0.7-6 |
|
- Allow wine to run in system role |
|
|
|
* Thu Sep 6 2007 Dan Walsh <dwalsh@redhat.com> 3.0.7-5 |
|
- Fix java labeling |
|
|
|
* Thu Sep 6 2007 Dan Walsh <dwalsh@redhat.com> 3.0.7-4 |
|
- Define user_home_type as home_type |
|
|
|
* Tue Aug 28 2007 Dan Walsh <dwalsh@redhat.com> 3.0.7-3 |
|
- Allow sendmail to create etc_aliases_t |
|
|
|
* Tue Aug 28 2007 Dan Walsh <dwalsh@redhat.com> 3.0.7-2 |
|
- Allow login programs to read symlinks on homedirs |
|
|
|
* Mon Aug 27 2007 Dan Walsh <dwalsh@redhat.com> 3.0.7-1 |
|
- Update an readd modules |
|
|
|
* Fri Aug 24 2007 Dan Walsh <dwalsh@redhat.com> 3.0.6-3 |
|
- Cleanup spec file |
|
|
|
* Fri Aug 24 2007 Dan Walsh <dwalsh@redhat.com> 3.0.6-2 |
|
- Allow xserver to be started by unconfined process and talk to tty |
|
|
|
* Wed Aug 22 2007 Dan Walsh <dwalsh@redhat.com> 3.0.6-1 |
|
- Upgrade to upstream to grab postgressql changes |
|
|
|
* Tue Aug 21 2007 Dan Walsh <dwalsh@redhat.com> 3.0.5-11 |
|
- Add setransd for mls policy |
|
|
|
* Mon Aug 20 2007 Dan Walsh <dwalsh@redhat.com> 3.0.5-10 |
|
- Add ldconfig_cache_t |
|
|
|
* Sat Aug 18 2007 Dan Walsh <dwalsh@redhat.com> 3.0.5-9 |
|
- Allow sshd to write to proc_t for afs login |
|
|
|
* Sat Aug 18 2007 Dan Walsh <dwalsh@redhat.com> 3.0.5-8 |
|
- Allow xserver access to urand |
|
|
|
* Tue Aug 14 2007 Dan Walsh <dwalsh@redhat.com> 3.0.5-7 |
|
- allow dovecot to search mountpoints |
|
|
|
* Sat Aug 11 2007 Dan Walsh <dwalsh@redhat.com> 3.0.5-6 |
|
- Fix Makefile for building policy modules |
|
|
|
* Fri Aug 10 2007 Dan Walsh <dwalsh@redhat.com> 3.0.5-5 |
|
- Fix dhcpc startup of service |
|
|
|
* Fri Aug 10 2007 Dan Walsh <dwalsh@redhat.com> 3.0.5-4 |
|
- Fix dbus chat to not happen for xguest and guest users |
|
|
|
* Mon Aug 6 2007 Dan Walsh <dwalsh@redhat.com> 3.0.5-3 |
|
- Fix nagios cgi |
|
- allow squid to communicate with winbind |
|
|
|
* Mon Aug 6 2007 Dan Walsh <dwalsh@redhat.com> 3.0.5-2 |
|
- Fixes for ldconfig |
|
|
|
* Thu Aug 2 2007 Dan Walsh <dwalsh@redhat.com> 3.0.5-1 |
|
- Update from upstream |
|
|
|
* Wed Aug 1 2007 Dan Walsh <dwalsh@redhat.com> 3.0.4-6 |
|
- Add nasd support |
|
|
|
* Wed Aug 1 2007 Dan Walsh <dwalsh@redhat.com> 3.0.4-5 |
|
- Fix new usb devices and dmfm |
|
|
|
* Mon Jul 30 2007 Dan Walsh <dwalsh@redhat.com> 3.0.4-4 |
|
- Eliminate mount_ntfs_t policy, merge into mount_t |
|
|
|
* Mon Jul 30 2007 Dan Walsh <dwalsh@redhat.com> 3.0.4-3 |
|
- Allow xserver to write to ramfs mounted by rhgb |
|
|
|
* Tue Jul 24 2007 Dan Walsh <dwalsh@redhat.com> 3.0.4-2 |
|
- Add context for dbus machine id |
|
|
|
* Tue Jul 24 2007 Dan Walsh <dwalsh@redhat.com> 3.0.4-1 |
|
- Update with latest changes from upstream |
|
|
|
* Tue Jul 24 2007 Dan Walsh <dwalsh@redhat.com> 3.0.3-6 |
|
- Fix prelink to handle execmod |
|
|
|
* Mon Jul 23 2007 Dan Walsh <dwalsh@redhat.com> 3.0.3-5 |
|
- Add ntpd_key_t to handle secret data |
|
|
|
* Fri Jul 20 2007 Dan Walsh <dwalsh@redhat.com> 3.0.3-4 |
|
- Add anon_inodefs |
|
- Allow unpriv user exec pam_exec_t |
|
- Fix trigger |
|
|
|
* Fri Jul 20 2007 Dan Walsh <dwalsh@redhat.com> 3.0.3-3 |
|
- Allow cups to use generic usb |
|
- fix inetd to be able to run random apps (git) |
|
|
|
* Thu Jul 19 2007 Dan Walsh <dwalsh@redhat.com> 3.0.3-2 |
|
- Add proper contexts for rsyslogd |
|
|
|
* Thu Jul 19 2007 Dan Walsh <dwalsh@redhat.com> 3.0.3-1 |
|
- Fixes for xguest policy |
|
|
|
* Tue Jul 17 2007 Dan Walsh <dwalsh@redhat.com> 3.0.2-9 |
|
- Allow execution of gconf |
|
|
|
* Sat Jul 14 2007 Dan Walsh <dwalsh@redhat.com> 3.0.2-8 |
|
- Fix moilscanner update problem |
|
|
|
* Thu Jul 12 2007 Dan Walsh <dwalsh@redhat.com> 3.0.2-7 |
|
- Begin adding policy to separate setsebool from semanage |
|
- Fix xserver.if definition to not break sepolgen.if |
|
|
|
* Wed Jul 11 2007 Dan Walsh <dwalsh@redhat.com> 3.0.2-5 |
|
- Add new devices |
|
|
|
* Tue Jul 10 2007 Dan Walsh <dwalsh@redhat.com> 3.0.2-4 |
|
- Add brctl policy |
|
|
|
* Fri Jul 6 2007 Dan Walsh <dwalsh@redhat.com> 3.0.2-3 |
|
- Fix root login to include system_r |
|
|
|
* Fri Jul 6 2007 Dan Walsh <dwalsh@redhat.com> 3.0.2-2 |
|
- Allow prelink to read kernel sysctls |
|
|
|
* Mon Jul 2 2007 Dan Walsh <dwalsh@redhat.com> 3.0.1-5 |
|
- Default to user_u:system_r:unconfined_t |
|
|
|
* Sun Jul 1 2007 Dan Walsh <dwalsh@redhat.com> 3.0.1-4 |
|
- fix squid |
|
- Fix rpm running as uid |
|
|
|
* Tue Jun 26 2007 Dan Walsh <dwalsh@redhat.com> 3.0.1-3 |
|
- Fix syslog declaration |
|
|
|
* Tue Jun 26 2007 Dan Walsh <dwalsh@redhat.com> 3.0.1-2 |
|
- Allow avahi to access inotify |
|
- Remove a lot of bogus security_t:filesystem avcs |
|
|
|
* Fri May 25 2007 Dan Walsh <dwalsh@redhat.com> 3.0.1-1 |
|
- Remove ifdef strict policy from upstream |
|
|
|
* Fri May 18 2007 Dan Walsh <dwalsh@redhat.com> 2.6.5-3 |
|
- Remove ifdef strict to allow user_u to login |
|
|
|
* Fri May 18 2007 Dan Walsh <dwalsh@redhat.com> 2.6.5-2 |
|
- Fix for amands |
|
- Allow semanage to read pp files |
|
- Allow rhgb to read xdm_xserver_tmp |
|
|
|
* Fri May 18 2007 Dan Walsh <dwalsh@redhat.com> 2.6.4-7 |
|
- Allow kerberos servers to use ldap for backing store |
|
|
|
* Thu May 17 2007 Dan Walsh <dwalsh@redhat.com> 2.6.4-6 |
|
- allow alsactl to read kernel state |
|
|
|
* Wed May 16 2007 Dan Walsh <dwalsh@redhat.com> 2.6.4-5 |
|
- More fixes for alsactl |
|
- Transition from hal and modutils |
|
- Fixes for suspend resume. |
|
- insmod domtrans to alsactl |
|
- insmod writes to hal log |
|
|
|
* Wed May 16 2007 Dan Walsh <dwalsh@redhat.com> 2.6.4-2 |
|
- Allow unconfined_t to transition to NetworkManager_t |
|
- Fix netlabel policy |
|
|
|
* Mon May 14 2007 Dan Walsh <dwalsh@redhat.com> 2.6.4-1 |
|
- Update to latest from upstream |
|
|
|
* Fri May 4 2007 Dan Walsh <dwalsh@redhat.com> 2.6.3-1 |
|
- Update to latest from upstream |
|
|
|
* Mon Apr 30 2007 Dan Walsh <dwalsh@redhat.com> 2.6.2-1 |
|
- Update to latest from upstream |
|
|
|
* Fri Apr 27 2007 Dan Walsh <dwalsh@redhat.com> 2.6.1-4 |
|
- Allow pcscd_t to send itself signals |
|
|
|
* Wed Apr 25 2007 Dan Walsh <dwalsh@redhat.com> 2.6.1-2 |
|
- Fixes for unix_update |
|
- Fix logwatch to be able to search all dirs |
|
|
|
* Mon Apr 23 2007 Dan Walsh <dwalsh@redhat.com> 2.6.1-1 |
|
- Upstream bumped the version |
|
|
|
* Thu Apr 19 2007 Dan Walsh <dwalsh@redhat.com> 2.5.12-12 |
|
- Allow consolekit to syslog |
|
- Allow ntfs to work with hal |
|
|
|
* Thu Apr 19 2007 Dan Walsh <dwalsh@redhat.com> 2.5.12-11 |
|
- Allow iptables to read etc_runtime_t |
|
|
|
* Thu Apr 19 2007 Dan Walsh <dwalsh@redhat.com> 2.5.12-10 |
|
- MLS Fixes |
|
|
|
* Wed Apr 18 2007 Dan Walsh <dwalsh@redhat.com> 2.5.12-8 |
|
- Fix path of /etc/lvm/cache directory |
|
- Fixes for alsactl and pppd_t |
|
- Fixes for consolekit |
|
|
|
* Tue Apr 17 2007 Dan Walsh <dwalsh@redhat.com> 2.5.12-5 |
|
- Allow insmod_t to mount kvmfs_t filesystems |
|
|
|
* Tue Apr 17 2007 Dan Walsh <dwalsh@redhat.com> 2.5.12-4 |
|
- Rwho policy |
|
- Fixes for consolekit |
|
|
|
* Fri Apr 13 2007 Dan Walsh <dwalsh@redhat.com> 2.5.12-3 |
|
- fixes for fusefs |
|
|
|
* Thu Apr 12 2007 Dan Walsh <dwalsh@redhat.com> 2.5.12-2 |
|
- Fix samba_net to allow it to view samba_var_t |
|
|
|
* Tue Apr 10 2007 Dan Walsh <dwalsh@redhat.com> 2.5.12-1 |
|
- Update to upstream |
|
|
|
* Tue Apr 10 2007 Dan Walsh <dwalsh@redhat.com> 2.5.11-8 |
|
- Fix Sonypic backlight |
|
- Allow snmp to look at squid_conf_t |
|
|
|
* Mon Apr 9 2007 Dan Walsh <dwalsh@redhat.com> 2.5.11-7 |
|
- Fixes for pyzor, cyrus, consoletype on everything installs |
|
|
|
* Mon Apr 9 2007 Dan Walsh <dwalsh@redhat.com> 2.5.11-6 |
|
- Fix hald_acl_t to be able to getattr/setattr on usb devices |
|
- Dontaudit write to unconfined_pipes for load_policy |
|
|
|
* Thu Apr 5 2007 Dan Walsh <dwalsh@redhat.com> 2.5.11-5 |
|
- Allow bluetooth to read inotifyfs |
|
|
|
* Wed Apr 4 2007 Dan Walsh <dwalsh@redhat.com> 2.5.11-4 |
|
- Fixes for samba domain controller. |
|
- Allow ConsoleKit to look at ttys |
|
|
|
* Tue Apr 3 2007 Dan Walsh <dwalsh@redhat.com> 2.5.11-3 |
|
- Fix interface call |
|
|
|
* Tue Apr 3 2007 Dan Walsh <dwalsh@redhat.com> 2.5.11-2 |
|
- Allow syslog-ng to read /var |
|
- Allow locate to getattr on all filesystems |
|
- nscd needs setcap |
|
|
|
* Mon Mar 26 2007 Dan Walsh <dwalsh@redhat.com> 2.5.11-1 |
|
- Update to upstream |
|
|
|
* Fri Mar 23 2007 Dan Walsh <dwalsh@redhat.com> 2.5.10-2 |
|
- Allow samba to run groupadd |
|
|
|
* Thu Mar 22 2007 Dan Walsh <dwalsh@redhat.com> 2.5.10-1 |
|
- Update to upstream |
|
|
|
* Thu Mar 22 2007 Dan Walsh <dwalsh@redhat.com> 2.5.9-6 |
|
- Allow mdadm to access generic scsi devices |
|
|
|
* Wed Mar 21 2007 Dan Walsh <dwalsh@redhat.com> 2.5.9-5 |
|
- Fix labeling on udev.tbl dirs |
|
|
|
* Tue Mar 20 2007 Dan Walsh <dwalsh@redhat.com> 2.5.9-4 |
|
- Fixes for logwatch |
|
|
|
* Tue Mar 20 2007 Dan Walsh <dwalsh@redhat.com> 2.5.9-3 |
|
- Add fusermount and mount_ntfs policy |
|
|
|
* Tue Mar 20 2007 Dan Walsh <dwalsh@redhat.com> 2.5.9-2 |
|
- Update to upstream |
|
- Allow saslauthd to use kerberos keytabs |
|
|
|
* Mon Mar 19 2007 Dan Walsh <dwalsh@redhat.com> 2.5.8-8 |
|
- Fixes for samba_var_t |
|
|
|
* Mon Mar 19 2007 Dan Walsh <dwalsh@redhat.com> 2.5.8-7 |
|
- Allow networkmanager to setpgid |
|
- Fixes for hal_acl_t |
|
|
|
* Mon Mar 19 2007 Dan Walsh <dwalsh@redhat.com> 2.5.8-6 |
|
- Remove disable_trans booleans |
|
- hald_acl_t needs to talk to nscd |
|
|
|
* Thu Mar 15 2007 Dan Walsh <dwalsh@redhat.com> 2.5.8-5 |
|
- Fix prelink to be able to manage usr dirs. |
|
|
|
* Tue Mar 13 2007 Dan Walsh <dwalsh@redhat.com> 2.5.8-4 |
|
- Allow insmod to launch init scripts |
|
|
|
* Tue Mar 13 2007 Dan Walsh <dwalsh@redhat.com> 2.5.8-3 |
|
- Remove setsebool policy |
|
|
|
* Mon Mar 12 2007 Dan Walsh <dwalsh@redhat.com> 2.5.8-2 |
|
- Fix handling of unlabled_t packets |
|
|
|
* Thu Mar 8 2007 Dan Walsh <dwalsh@redhat.com> 2.5.8-1 |
|
- More of my patches from upstream |
|
|
|
* Thu Mar 1 2007 Dan Walsh <dwalsh@redhat.com> 2.5.7-1 |
|
- Update to latest from upstream |
|
- Add fail2ban policy |
|
|
|
* Wed Feb 28 2007 Dan Walsh <dwalsh@redhat.com> 2.5.6-1 |
|
- Update to remove security_t:filesystem getattr problems |
|
|
|
* Fri Feb 23 2007 Dan Walsh <dwalsh@redhat.com> 2.5.5-2 |
|
- Policy for consolekit |
|
|
|
* Fri Feb 23 2007 Dan Walsh <dwalsh@redhat.com> 2.5.5-1 |
|
- Update to latest from upstream |
|
|
|
* Wed Feb 21 2007 Dan Walsh <dwalsh@redhat.com> 2.5.4-2 |
|
- Revert Nemiver change |
|
- Set sudo as a corecmd so prelink will work, remove sudoedit mapping, since this will not work, it does not transition. |
|
- Allow samba to execute useradd |
|
|
|
* Tue Feb 20 2007 Dan Walsh <dwalsh@redhat.com> 2.5.4-1 |
|
- Upgrade to the latest from upstream |
|
|
|
* Thu Feb 15 2007 Dan Walsh <dwalsh@redhat.com> 2.5.3-3 |
|
- Add sepolgen support |
|
- Add bugzilla policy |
|
|
|
* Wed Feb 14 2007 Dan Walsh <dwalsh@redhat.com> 2.5.3-2 |
|
- Fix file context for nemiver |
|
|
|
* Sun Feb 11 2007 Dan Walsh <dwalsh@redhat.com> 2.5.3-1 |
|
- Remove include sym link |
|
|
|
* Mon Feb 5 2007 Dan Walsh <dwalsh@redhat.com> 2.5.2-6 |
|
- Allow mozilla, evolution and thunderbird to read dev_random. |
|
Resolves: #227002 |
|
- Allow spamd to connect to smtp port |
|
Resolves: #227184 |
|
- Fixes to make ypxfr work |
|
Resolves: #227237 |
|
|
|
* Sun Feb 4 2007 Dan Walsh <dwalsh@redhat.com> 2.5.2-5 |
|
- Fix ssh_agent to be marked as an executable |
|
- Allow Hal to rw sound device |
|
|
|
* Thu Feb 1 2007 Dan Walsh <dwalsh@redhat.com> 2.5.2-4 |
|
- Fix spamassisin so crond can update spam files |
|
- Fixes to allow kpasswd to work |
|
- Fixes for bluetooth |
|
|
|
* Fri Jan 26 2007 Dan Walsh <dwalsh@redhat.com> 2.5.2-3 |
|
- Remove some targeted diffs in file context file |
|
|
|
* Thu Jan 25 2007 Dan Walsh <dwalsh@redhat.com> 2.5.2-2 |
|
- Fix squid cachemgr labeling |
|
|
|
* Thu Jan 25 2007 Dan Walsh <dwalsh@redhat.com> 2.5.2-1 |
|
- Add ability to generate webadm_t policy |
|
- Lots of new interfaces for httpd |
|
- Allow sshd to login as unconfined_t |
|
|
|
* Mon Jan 22 2007 Dan Walsh <dwalsh@redhat.com> 2.5.1-5 |
|
- Continue fixing, additional user domains |
|
|
|
* Wed Jan 10 2007 Dan Walsh <dwalsh@redhat.com> 2.5.1-4 |
|
- Begin adding user confinement to targeted policy |
|
|
|
* Wed Jan 10 2007 Dan Walsh <dwalsh@redhat.com> 2.5.1-2 |
|
- Fixes for prelink, ktalkd, netlabel |
|
|
|
* Mon Jan 8 2007 Dan Walsh <dwalsh@redhat.com> 2.5.1-1 |
|
- Allow prelink when run from rpm to create tmp files |
|
Resolves: #221865 |
|
- Remove file_context for exportfs |
|
Resolves: #221181 |
|
- Allow spamassassin to create ~/.spamassissin |
|
Resolves: #203290 |
|
- Allow ssh access to the krb tickets |
|
- Allow sshd to change passwd |
|
- Stop newrole -l from working on non securetty |
|
Resolves: #200110 |
|
- Fixes to run prelink in MLS machine |
|
Resolves: #221233 |
|
- Allow spamassassin to read var_lib_t dir |
|
Resolves: #219234 |
|
|
|
* Fri Dec 29 2006 Dan Walsh <dwalsh@redhat.com> 2.4.6-20 |
|
- fix mplayer to work under strict policy |
|
- Allow iptables to use nscd |
|
Resolves: #220794 |
|
|
|
* Thu Dec 28 2006 Dan Walsh <dwalsh@redhat.com> 2.4.6-19 |
|
- Add gconf policy and make it work with strict |
|
|
|
* Sat Dec 23 2006 Dan Walsh <dwalsh@redhat.com> 2.4.6-18 |
|
- Many fixes for strict policy and by extension mls. |
|
|
|
* Fri Dec 22 2006 Dan Walsh <dwalsh@redhat.com> 2.4.6-17 |
|
- Fix to allow ftp to bind to ports > 1024 |
|
Resolves: #219349 |
|
|
|
* Tue Dec 19 2006 Dan Walsh <dwalsh@redhat.com> 2.4.6-16 |
|
- Allow semanage to exec it self. Label genhomedircon as semanage_exec_t |
|
Resolves: #219421 |
|
- Allow sysadm_lpr_t to manage other print spool jobs |
|
Resolves: #220080 |
|
|
|
* Mon Dec 18 2006 Dan Walsh <dwalsh@redhat.com> 2.4.6-15 |
|
- allow automount to setgid |
|
Resolves: #219999 |
|
|
|
* Thu Dec 14 2006 Dan Walsh <dwalsh@redhat.com> 2.4.6-14 |
|
- Allow cron to polyinstatiate |
|
- Fix creation of boot flags |
|
Resolves: #207433 |
|
|
|
* Thu Dec 14 2006 Dan Walsh <dwalsh@redhat.com> 2.4.6-13 |
|
- Fixes for irqbalance |
|
Resolves: #219606 |
|
|
|
* Thu Dec 14 2006 Dan Walsh <dwalsh@redhat.com> 2.4.6-12 |
|
- Fix vixie-cron to work on mls |
|
Resolves: #207433 |
|
|
|
* Wed Dec 13 2006 Dan Walsh <dwalsh@redhat.com> 2.4.6-11 |
|
Resolves: #218978 |
|
|
|
* Tue Dec 12 2006 Dan Walsh <dwalsh@redhat.com> 2.4.6-10 |
|
- Allow initrc to create files in /var directories |
|
Resolves: #219227 |
|
|
|
* Fri Dec 8 2006 Dan Walsh <dwalsh@redhat.com> 2.4.6-9 |
|
- More fixes for MLS |
|
Resolves: #181566 |
|
|
|
* Wed Dec 6 2006 Dan Walsh <dwalsh@redhat.com> 2.4.6-8 |
|
- More Fixes polyinstatiation |
|
Resolves: #216184 |
|
|
|
* Wed Dec 6 2006 Dan Walsh <dwalsh@redhat.com> 2.4.6-7 |
|
- More Fixes polyinstatiation |
|
- Fix handling of keyrings |
|
Resolves: #216184 |
|
|
|
* Mon Dec 4 2006 Dan Walsh <dwalsh@redhat.com> 2.4.6-6 |
|
- Fix polyinstatiation |
|
- Fix pcscd handling of terminal |
|
Resolves: #218149 |
|
Resolves: #218350 |
|
|
|
* Fri Dec 1 2006 Dan Walsh <dwalsh@redhat.com> 2.4.6-5 |
|
- More fixes for quota |
|
Resolves: #212957 |
|
|
|
* Fri Dec 1 2006 Dan Walsh <dwalsh@redhat.com> 2.4.6-4 |
|
- ncsd needs to use avahi sockets |
|
Resolves: #217640 |
|
Resolves: #218014 |
|
|
|
* Thu Nov 30 2006 Dan Walsh <dwalsh@redhat.com> 2.4.6-3 |
|
- Allow login programs to polyinstatiate homedirs |
|
Resolves: #216184 |
|
- Allow quotacheck to create database files |
|
Resolves: #212957 |
|
|
|
* Tue Nov 28 2006 Dan Walsh <dwalsh@redhat.com> 2.4.6-1 |
|
- Dontaudit appending hal_var_lib files |
|
Resolves: #217452 |
|
Resolves: #217571 |
|
Resolves: #217611 |
|
Resolves: #217640 |
|
Resolves: #217725 |
|
|
|
* Tue Nov 21 2006 Dan Walsh <dwalsh@redhat.com> 2.4.5-4 |
|
- Fix context for helix players file_context #216942 |
|
|
|
* Mon Nov 20 2006 Dan Walsh <dwalsh@redhat.com> 2.4.5-3 |
|
- Fix load_policy to be able to mls_write_down so it can talk to the terminal |
|
|
|
* Mon Nov 20 2006 Dan Walsh <dwalsh@redhat.com> 2.4.5-2 |
|
- Fixes for hwclock, clamav, ftp |
|
|
|
* Wed Nov 15 2006 Dan Walsh <dwalsh@redhat.com> 2.4.5-1 |
|
- Move to upstream version which accepted my patches |
|
|
|
* Wed Nov 15 2006 Dan Walsh <dwalsh@redhat.com> 2.4.4-2 |
|
- Fixes for nvidia driver |
|
|
|
* Tue Nov 14 2006 Dan Walsh <dwalsh@redhat.com> 2.4.4-2 |
|
- Allow semanage to signal mcstrans |
|
|
|
* Tue Nov 14 2006 Dan Walsh <dwalsh@redhat.com> 2.4.4-1 |
|
- Update to upstream |
|
|
|
* Mon Nov 13 2006 Dan Walsh <dwalsh@redhat.com> 2.4.3-13 |
|
- Allow modstorage to edit /etc/fstab file |
|
|
|
* Mon Nov 13 2006 Dan Walsh <dwalsh@redhat.com> 2.4.3-12 |
|
- Fix for qemu, /dev/ |
|
|
|
* Mon Nov 13 2006 Dan Walsh <dwalsh@redhat.com> 2.4.3-11 |
|
- Fix path to realplayer.bin |
|
|
|
* Fri Nov 10 2006 Dan Walsh <dwalsh@redhat.com> 2.4.3-10 |
|
- Allow xen to connect to xen port |
|
|
|
* Fri Nov 10 2006 Dan Walsh <dwalsh@redhat.com> 2.4.3-9 |
|
- Allow cups to search samba_etc_t directory |
|
- Allow xend_t to list auto_mountpoints |
|
|
|
* Thu Nov 9 2006 Dan Walsh <dwalsh@redhat.com> 2.4.3-8 |
|
- Allow xen to search automount |
|
|
|
* Thu Nov 9 2006 Dan Walsh <dwalsh@redhat.com> 2.4.3-7 |
|
- Fix spec of jre files |
|
|
|
* Wed Nov 8 2006 Dan Walsh <dwalsh@redhat.com> 2.4.3-6 |
|
- Fix unconfined access to shadow file |
|
|
|
* Wed Nov 8 2006 Dan Walsh <dwalsh@redhat.com> 2.4.3-5 |
|
- Allow xend to create files in xen_image_t directories |
|
|
|
* Wed Nov 8 2006 Dan Walsh <dwalsh@redhat.com> 2.4.3-4 |
|
- Fixes for /var/lib/hal |
|
|
|
* Tue Nov 7 2006 Dan Walsh <dwalsh@redhat.com> 2.4.3-3 |
|
- Remove ability for sysadm_t to look at audit.log |
|
|
|
* Tue Nov 7 2006 Dan Walsh <dwalsh@redhat.com> 2.4.3-2 |
|
- Fix rpc_port_types |
|
- Add aide policy for mls |
|
|
|
* Mon Nov 6 2006 Dan Walsh <dwalsh@redhat.com> 2.4.3-1 |
|
- Merge with upstream |
|
|
|
* Fri Nov 3 2006 Dan Walsh <dwalsh@redhat.com> 2.4.2-8 |
|
- Lots of fixes for ricci |
|
|
|
* Fri Nov 3 2006 Dan Walsh <dwalsh@redhat.com> 2.4.2-7 |
|
- Allow xen to read/write fixed devices with a boolean |
|
- Allow apache to search /var/log |
|
|
|
* Thu Nov 2 2006 James Antill <james.antill@redhat.com> 2.4.2-6 |
|
- Fix policygentool specfile problem. |
|
- Allow apache to send signals to it's logging helpers. |
|
- Resolves: rhbz#212731 |
|
|
|
* Wed Nov 1 2006 Dan Walsh <dwalsh@redhat.com> 2.4.2-5 |
|
- Add perms for swat |
|
|
|
* Tue Oct 31 2006 Dan Walsh <dwalsh@redhat.com> 2.4.2-4 |
|
- Add perms for swat |
|
|
|
* Mon Oct 30 2006 Dan Walsh <dwalsh@redhat.com> 2.4.2-3 |
|
- Allow daemons to dump core files to / |
|
|
|
* Fri Oct 27 2006 Dan Walsh <dwalsh@redhat.com> 2.4.2-2 |
|
- Fixes for ricci |
|
|
|
* Fri Oct 27 2006 Dan Walsh <dwalsh@redhat.com> 2.4.2-1 |
|
- Allow mount.nfs to work |
|
|
|
* Fri Oct 27 2006 Dan Walsh <dwalsh@redhat.com> 2.4.1-5 |
|
- Allow ricci-modstorage to look at lvm_etc_t |
|
|
|
* Mon Oct 23 2006 Dan Walsh <dwalsh@redhat.com> 2.4.1-4 |
|
- Fixes for ricci using saslauthd |
|
|
|
* Mon Oct 23 2006 Dan Walsh <dwalsh@redhat.com> 2.4.1-3 |
|
- Allow mountpoint on home_dir_t and home_t |
|
|
|
* Mon Oct 23 2006 Dan Walsh <dwalsh@redhat.com> 2.4.1-2 |
|
- Update xen to read nfs files |
|
|
|
* Mon Oct 23 2006 Dan Walsh <dwalsh@redhat.com> 2.4-4 |
|
- Allow noxattrfs to associate with other noxattrfs |
|
|
|
* Mon Oct 23 2006 Dan Walsh <dwalsh@redhat.com> 2.4-3 |
|
- Allow hal to use power_device_t |
|
|
|
* Fri Oct 20 2006 Dan Walsh <dwalsh@redhat.com> 2.4-2 |
|
- Allow procemail to look at autofs_t |
|
- Allow xen_image_t to work as a fixed device |
|
|
|
* Thu Oct 19 2006 Dan Walsh <dwalsh@redhat.com> 2.4-1 |
|
- Refupdate from upstream |
|
|
|
* Thu Oct 19 2006 Dan Walsh <dwalsh@redhat.com> 2.3.19-4 |
|
- Add lots of fixes for mls cups |
|
|
|
* Wed Oct 18 2006 Dan Walsh <dwalsh@redhat.com> 2.3.19-3 |
|
- Lots of fixes for ricci |
|
|
|
|
|
* Mon Oct 16 2006 Dan Walsh <dwalsh@redhat.com> 2.3.19-2 |
|
- Fix number of cats |
|
|
|
* Mon Oct 16 2006 Dan Walsh <dwalsh@redhat.com> 2.3.19-1 |
|
- Update to upstream |
|
|
|
* Thu Oct 12 2006 James Antill <jantill@redhat.com> 2.3.18-10 |
|
- More iSCSI changes for #209854 |
|
|
|
* Tue Oct 10 2006 James Antill <jantill@redhat.com> 2.3.18-9 |
|
- Test ISCSI fixes for #209854 |
|
|
|
* Sun Oct 8 2006 Dan Walsh <dwalsh@redhat.com> 2.3.18-8 |
|
- allow semodule to rmdir selinux_config_t dir |
|
|
|
* Fri Oct 6 2006 Dan Walsh <dwalsh@redhat.com> 2.3.18-7 |
|
- Fix boot_runtime_t problem on ppc. Should not be creating these files. |
|
|
|
* Thu Oct 5 2006 Dan Walsh <dwalsh@redhat.com> 2.3.18-6 |
|
- Fix context mounts on reboot |
|
- Fix ccs creation of directory in /var/log |
|
|
|
* Thu Oct 5 2006 Dan Walsh <dwalsh@redhat.com> 2.3.18-5 |
|
- Update for tallylog |
|
|
|
* Thu Oct 5 2006 Dan Walsh <dwalsh@redhat.com> 2.3.18-4 |
|
- Allow xend to rewrite dhcp conf files |
|
- Allow mgetty sys_admin capability |
|
|
|
* Wed Oct 4 2006 Dan Walsh <dwalsh@redhat.com> 2.3.18-3 |
|
- Make xentapctrl work |
|
|
|
* Tue Oct 3 2006 Dan Walsh <dwalsh@redhat.com> 2.3.18-2 |
|
- Don't transition unconfined_t to bootloader_t |
|
- Fix label in /dev/xen/blktap |
|
|
|
* Tue Oct 3 2006 Dan Walsh <dwalsh@redhat.com> 2.3.18-1 |
|
- Patch for labeled networking |
|
|
|
* Mon Oct 2 2006 Dan Walsh <dwalsh@redhat.com> 2.3.17-2 |
|
- Fix crond handling for mls |
|
|
|
* Fri Sep 29 2006 Dan Walsh <dwalsh@redhat.com> 2.3.17-1 |
|
- Update to upstream |
|
|
|
* Fri Sep 29 2006 Dan Walsh <dwalsh@redhat.com> 2.3.16-9 |
|
- Remove bluetooth-helper transition |
|
- Add selinux_validate for semanage |
|
- Require new version of libsemanage |
|
|
|
* Fri Sep 29 2006 Dan Walsh <dwalsh@redhat.com> 2.3.16-8 |
|
- Fix prelink |
|
|
|
* Fri Sep 29 2006 Dan Walsh <dwalsh@redhat.com> 2.3.16-7 |
|
- Fix rhgb |
|
|
|
* Thu Sep 28 2006 Dan Walsh <dwalsh@redhat.com> 2.3.16-6 |
|
- Fix setrans handling on MLS and useradd |
|
|
|
* Wed Sep 27 2006 Dan Walsh <dwalsh@redhat.com> 2.3.16-5 |
|
- Support for fuse |
|
- fix vigr |
|
|
|
* Wed Sep 27 2006 Dan Walsh <dwalsh@redhat.com> 2.3.16-4 |
|
- Fix dovecot, amanda |
|
- Fix mls |
|
|
|
* Mon Sep 25 2006 Dan Walsh <dwalsh@redhat.com> 2.3.16-2 |
|
- Allow java execheap for itanium |
|
|
|
* Mon Sep 25 2006 Dan Walsh <dwalsh@redhat.com> 2.3.16-1 |
|
- Update with upstream |
|
|
|
* Mon Sep 25 2006 Dan Walsh <dwalsh@redhat.com> 2.3.15-2 |
|
- mls fixes |
|
|
|
* Fri Sep 22 2006 Dan Walsh <dwalsh@redhat.com> 2.3.15-1 |
|
- Update from upstream |
|
|
|
* Fri Sep 22 2006 Dan Walsh <dwalsh@redhat.com> 2.3.14-8 |
|
- More fixes for mls |
|
- Revert change on automount transition to mount |
|
|
|
* Wed Sep 20 2006 Dan Walsh <dwalsh@redhat.com> 2.3.14-7 |
|
- Fix cron jobs to run under the correct context |
|
|
|
* Tue Sep 19 2006 Dan Walsh <dwalsh@redhat.com> 2.3.14-6 |
|
- Fixes to make pppd work |
|
|
|
* Mon Sep 18 2006 Dan Walsh <dwalsh@redhat.com> 2.3.14-4 |
|
- Multiple policy fixes |
|
- Change max categories to 1023 |
|
|
|
* Sat Sep 16 2006 Dan Walsh <dwalsh@redhat.com> 2.3.14-3 |
|
- Fix transition on mcstransd |
|
|
|
* Fri Sep 15 2006 Dan Walsh <dwalsh@redhat.com> 2.3.14-2 |
|
- Add /dev/em8300 defs |
|
|
|
* Fri Sep 15 2006 Dan Walsh <dwalsh@redhat.com> 2.3.14-1 |
|
- Upgrade to upstream |
|
|
|
* Thu Sep 14 2006 Dan Walsh <dwalsh@redhat.com> 2.3.13-6 |
|
- Fix ppp connections from network manager |
|
|
|
* Wed Sep 13 2006 Dan Walsh <dwalsh@redhat.com> 2.3.13-5 |
|
- Add tty access to all domains boolean |
|
- Fix gnome-pty-helper context for ia64 |
|
|
|
* Mon Sep 11 2006 Dan Walsh <dwalsh@redhat.com> 2.3.13-4 |
|
- Fixed typealias of firstboot_rw_t |
|
|
|
* Thu Sep 7 2006 Dan Walsh <dwalsh@redhat.com> 2.3.13-3 |
|
- Fix location of xel log files |
|
- Fix handling of sysadm_r -> rpm_exec_t |
|
|
|
* Thu Sep 7 2006 Dan Walsh <dwalsh@redhat.com> 2.3.13-2 |
|
- Fixes for autofs, lp |
|
|
|
* Wed Sep 6 2006 Dan Walsh <dwalsh@redhat.com> 2.3.13-1 |
|
- Update from upstream |
|
|
|
* Tue Sep 5 2006 Dan Walsh <dwalsh@redhat.com> 2.3.12-2 |
|
- Fixup for test6 |
|
|
|
* Tue Sep 5 2006 Dan Walsh <dwalsh@redhat.com> 2.3.12-1 |
|
- Update to upstream |
|
|
|
* Fri Sep 1 2006 Dan Walsh <dwalsh@redhat.com> 2.3.11-1 |
|
- Update to upstream |
|
|
|
* Fri Sep 1 2006 Dan Walsh <dwalsh@redhat.com> 2.3.10-7 |
|
- Fix suspend to disk problems |
|
|
|
* Thu Aug 31 2006 Dan Walsh <dwalsh@redhat.com> 2.3.10-6 |
|
- Lots of fixes for restarting daemons at the console. |
|
|
|
* Wed Aug 30 2006 Dan Walsh <dwalsh@redhat.com> 2.3.10-3 |
|
- Fix audit line |
|
- Fix requires line |
|
|
|
* Tue Aug 29 2006 Dan Walsh <dwalsh@redhat.com> 2.3.10-1 |
|
- Upgrade to upstream |
|
|
|
* Mon Aug 28 2006 Dan Walsh <dwalsh@redhat.com> 2.3.9-6 |
|
- Fix install problems |
|
|
|
* Fri Aug 25 2006 Dan Walsh <dwalsh@redhat.com> 2.3.9-5 |
|
- Allow setroubleshoot to getattr on all dirs to gather RPM data |
|
|
|
* Thu Aug 24 2006 Dan Walsh <dwalsh@redhat.com> 2.3.9-4 |
|
- Set /usr/lib/ia32el/ia32x_loader to unconfined_execmem_exec_t for ia32 platform |
|
- Fix spec for /dev/adsp |
|
|
|
* Thu Aug 24 2006 Dan Walsh <dwalsh@redhat.com> 2.3.9-3 |
|
- Fix xen tty devices |
|
|
|
* Thu Aug 24 2006 Dan Walsh <dwalsh@redhat.com> 2.3.9-2 |
|
- Fixes for setroubleshoot |
|
|
|
* Wed Aug 23 2006 Dan Walsh <dwalsh@redhat.com> 2.3.9-1 |
|
- Update to upstream |
|
|
|
* Tue Aug 22 2006 Dan Walsh <dwalsh@redhat.com> 2.3.8-2 |
|
- Fixes for stunnel and postgresql |
|
- Update from upstream |
|
|
|
* Sat Aug 12 2006 Dan Walsh <dwalsh@redhat.com> 2.3.7-1 |
|
- Update from upstream |
|
- More java fixes |
|
|
|
* Fri Aug 11 2006 Dan Walsh <dwalsh@redhat.com> 2.3.6-4 |
|
- Change allow_execstack to default to on, for RHEL5 Beta. |
|
This is required because of a Java compiler problem. |
|
Hope to turn off for next beta |
|
|
|
* Thu Aug 10 2006 Dan Walsh <dwalsh@redhat.com> 2.3.6-3 |
|
- Misc fixes |
|
|
|
* Wed Aug 9 2006 Dan Walsh <dwalsh@redhat.com> 2.3.6-2 |
|
- More fixes for strict policy |
|
|
|
* Tue Aug 8 2006 Dan Walsh <dwalsh@redhat.com> 2.3.6-1 |
|
- Quiet down anaconda audit messages |
|
|
|
* Mon Aug 7 2006 Dan Walsh <dwalsh@redhat.com> 2.3.5-1 |
|
- Fix setroubleshootd |
|
|
|
* Thu Aug 3 2006 Dan Walsh <dwalsh@redhat.com> 2.3.4-1 |
|
- Update to the latest from upstream |
|
|
|
* Thu Aug 3 2006 Dan Walsh <dwalsh@redhat.com> 2.3.3-20 |
|
- More fixes for xen |
|
|
|
* Thu Aug 3 2006 Dan Walsh <dwalsh@redhat.com> 2.3.3-19 |
|
- Fix anaconda transitions |
|
|
|
* Wed Aug 2 2006 Dan Walsh <dwalsh@redhat.com> 2.3.3-18 |
|
- yet more xen rules |
|
|
|
* Tue Aug 1 2006 Dan Walsh <dwalsh@redhat.com> 2.3.3-17 |
|
- more xen rules |
|
|
|
* Mon Jul 31 2006 Dan Walsh <dwalsh@redhat.com> 2.3.3-16 |
|
- Fixes for Samba |
|
|
|
* Sat Jul 29 2006 Dan Walsh <dwalsh@redhat.com> 2.3.3-15 |
|
- Fixes for xen |
|
|
|
* Fri Jul 28 2006 Dan Walsh <dwalsh@redhat.com> 2.3.3-14 |
|
- Allow setroubleshootd to send mail |
|
|
|
* Wed Jul 26 2006 Dan Walsh <dwalsh@redhat.com> 2.3.3-13 |
|
- Add nagios policy |
|
|
|
* Wed Jul 26 2006 Dan Walsh <dwalsh@redhat.com> 2.3.3-12 |
|
- fixes for setroubleshoot |
|
|
|
* Wed Jul 26 2006 Dan Walsh <dwalsh@redhat.com> 2.3.3-11 |
|
- Added Paul Howarth patch to only load policy packages shipped |
|
with this package |
|
- Allow pidof from initrc to ptrace higher level domains |
|
- Allow firstboot to communicate with hal via dbus |
|
|
|
* Mon Jul 24 2006 Dan Walsh <dwalsh@redhat.com> 2.3.3-10 |
|
- Add policy for /var/run/ldapi |
|
|
|
* Sat Jul 22 2006 Dan Walsh <dwalsh@redhat.com> 2.3.3-9 |
|
- Fix setroubleshoot policy |
|
|
|
* Fri Jul 21 2006 Dan Walsh <dwalsh@redhat.com> 2.3.3-8 |
|
- Fixes for mls use of ssh |
|
- named has a new conf file |
|
|
|
* Fri Jul 21 2006 Dan Walsh <dwalsh@redhat.com> 2.3.3-7 |
|
- Fixes to make setroubleshoot work |
|
|
|
* Wed Jul 19 2006 Dan Walsh <dwalsh@redhat.com> 2.3.3-6 |
|
- Cups needs to be able to read domain state off of printer client |
|
|
|
* Wed Jul 19 2006 Dan Walsh <dwalsh@redhat.com> 2.3.3-5 |
|
- add boolean to allow zebra to write config files |
|
|
|
* Tue Jul 18 2006 Dan Walsh <dwalsh@redhat.com> 2.3.3-4 |
|
- setroubleshootd fixes |
|
|
|
* Mon Jul 17 2006 Dan Walsh <dwalsh@redhat.com> 2.3.3-3 |
|
- Allow prelink to read bin_t symlink |
|
- allow xfs to read random devices |
|
- Change gfs to support xattr |
|
|
|
|
|
* Mon Jul 17 2006 Dan Walsh <dwalsh@redhat.com> 2.3.3-2 |
|
- Remove spamassassin_can_network boolean |
|
|
|
* Fri Jul 14 2006 Dan Walsh <dwalsh@redhat.com> 2.3.3-1 |
|
- Update to upstream |
|
- Fix lpr domain for mls |
|
|
|
* Fri Jul 14 2006 Dan Walsh <dwalsh@redhat.com> 2.3.2-4 |
|
- Add setroubleshoot policy |
|
|
|
* Fri Jul 7 2006 Dan Walsh <dwalsh@redhat.com> 2.3.2-3 |
|
- Turn off auditallow on setting booleans |
|
|
|
* Fri Jul 7 2006 Dan Walsh <dwalsh@redhat.com> 2.3.2-2 |
|
- Multiple fixes |
|
|
|
* Fri Jul 7 2006 Dan Walsh <dwalsh@redhat.com> 2.3.2-1 |
|
- Update to upstream |
|
|
|
* Thu Jun 22 2006 Dan Walsh <dwalsh@redhat.com> 2.3.1-1 |
|
- Update to upstream |
|
- Add new class for kernel key ring |
|
|
|
* Wed Jun 21 2006 Dan Walsh <dwalsh@redhat.com> 2.2.49-1 |
|
- Update to upstream |
|
|
|
* Tue Jun 20 2006 Dan Walsh <dwalsh@redhat.com> 2.2.48-1 |
|
- Update to upstream |
|
|
|
* Tue Jun 20 2006 Dan Walsh <dwalsh@redhat.com> 2.2.47-5 |
|
- Break out selinux-devel package |
|
|
|
* Fri Jun 16 2006 Dan Walsh <dwalsh@redhat.com> 2.2.47-4 |
|
- Add ibmasmfs |
|
|
|
* Thu Jun 15 2006 Dan Walsh <dwalsh@redhat.com> 2.2.47-3 |
|
- Fix policygentool gen_requires |
|
|
|
* Tue Jun 13 2006 Dan Walsh <dwalsh@redhat.com> 2.2.47-1 |
|
- Update from Upstream |
|
|
|
* Tue Jun 13 2006 Dan Walsh <dwalsh@redhat.com> 2.2.46-2 |
|
- Fix spec of realplay |
|
|
|
* Tue Jun 13 2006 Dan Walsh <dwalsh@redhat.com> 2.2.46-1 |
|
- Update to upstream |
|
|
|
* Mon Jun 12 2006 Dan Walsh <dwalsh@redhat.com> 2.2.45-3 |
|
- Fix semanage |
|
|
|
* Mon Jun 12 2006 Dan Walsh <dwalsh@redhat.com> 2.2.45-2 |
|
- Allow useradd to create_home_dir in MLS environment |
|
|
|
* Thu Jun 8 2006 Dan Walsh <dwalsh@redhat.com> 2.2.45-1 |
|
- Update from upstream |
|
|
|
* Tue Jun 6 2006 Dan Walsh <dwalsh@redhat.com> 2.2.44-1 |
|
- Update from upstream |
|
|
|
* Tue Jun 6 2006 Dan Walsh <dwalsh@redhat.com> 2.2.43-4 |
|
- Add oprofilefs |
|
|
|
* Sun May 28 2006 Dan Walsh <dwalsh@redhat.com> 2.2.43-3 |
|
- Fix for hplip and Picasus |
|
|
|
* Sat May 27 2006 Dan Walsh <dwalsh@redhat.com> 2.2.43-2 |
|
- Update to upstream |
|
|
|
* Fri May 26 2006 Dan Walsh <dwalsh@redhat.com> 2.2.43-1 |
|
- Update to upstream |
|
|
|
* Fri May 26 2006 Dan Walsh <dwalsh@redhat.com> 2.2.42-4 |
|
- fixes for spamd |
|
|
|
* Wed May 24 2006 Dan Walsh <dwalsh@redhat.com> 2.2.42-3 |
|
- fixes for java, openldap and webalizer |
|
|
|
* Mon May 22 2006 Dan Walsh <dwalsh@redhat.com> 2.2.42-2 |
|
- Xen fixes |
|
|
|
* Thu May 18 2006 Dan Walsh <dwalsh@redhat.com> 2.2.42-1 |
|
- Upgrade to upstream |
|
|
|
* Thu May 18 2006 Dan Walsh <dwalsh@redhat.com> 2.2.41-1 |
|
- allow hal to read boot_t files |
|
- Upgrade to upstream |
|
|
|
* Wed May 17 2006 Dan Walsh <dwalsh@redhat.com> 2.2.40-2 |
|
- allow hal to read boot_t files |
|
|
|
* Tue May 16 2006 Dan Walsh <dwalsh@redhat.com> 2.2.40-1 |
|
- Update from upstream |
|
|
|
* Mon May 15 2006 Dan Walsh <dwalsh@redhat.com> 2.2.39-2 |
|
- Fixes for amavis |
|
|
|
* Mon May 15 2006 Dan Walsh <dwalsh@redhat.com> 2.2.39-1 |
|
- Update from upstream |
|
|
|
* Fri May 12 2006 Dan Walsh <dwalsh@redhat.com> 2.2.38-6 |
|
- Allow auditctl to search all directories |
|
|
|
* Thu May 11 2006 Dan Walsh <dwalsh@redhat.com> 2.2.38-5 |
|
- Add acquire service for mono. |
|
|
|
* Thu May 11 2006 Dan Walsh <dwalsh@redhat.com> 2.2.38-4 |
|
- Turn off allow_execmem boolean |
|
- Allow ftp dac_override when allowed to access users homedirs |
|
|
|
* Wed May 10 2006 Dan Walsh <dwalsh@redhat.com> 2.2.38-3 |
|
- Clean up spec file |
|
- Transition from unconfined_t to prelink_t |
|
|
|
* Mon May 8 2006 Dan Walsh <dwalsh@redhat.com> 2.2.38-2 |
|
- Allow execution of cvs command |
|
|
|
* Fri May 5 2006 Dan Walsh <dwalsh@redhat.com> 2.2.38-1 |
|
- Update to upstream |
|
|
|
* Wed May 3 2006 Dan Walsh <dwalsh@redhat.com> 2.2.37-1 |
|
- Update to upstream |
|
|
|
* Mon May 1 2006 Dan Walsh <dwalsh@redhat.com> 2.2.36-2 |
|
- Fix libjvm spec |
|
|
|
* Tue Apr 25 2006 Dan Walsh <dwalsh@redhat.com> 2.2.36-1 |
|
- Update to upstream |
|
|
|
* Tue Apr 25 2006 James Antill <jantill@redhat.com> 2.2.35-2 |
|
- Add xm policy |
|
- Fix policygentool |
|
|
|
* Mon Apr 24 2006 Dan Walsh <dwalsh@redhat.com> 2.2.35-1 |
|
- Update to upstream |
|
- Fix postun to only disable selinux on full removal of the packages |
|
|
|
* Fri Apr 21 2006 Dan Walsh <dwalsh@redhat.com> 2.2.34-3 |
|
- Allow mono to chat with unconfined |
|
|
|
* Thu Apr 20 2006 Dan Walsh <dwalsh@redhat.com> 2.2.34-2 |
|
- Allow procmail to sendmail |
|
- Allow nfs to share dosfs |
|
|
|
* Thu Apr 20 2006 Dan Walsh <dwalsh@redhat.com> 2.2.34-1 |
|
- Update to latest from upstream |
|
- Allow selinux-policy to be removed and kernel not to crash |
|
|
|
* Tue Apr 18 2006 Dan Walsh <dwalsh@redhat.com> 2.2.33-1 |
|
- Update to latest from upstream |
|
- Add James Antill patch for xen |
|
- Many fixes for pegasus |
|
|
|
* Sat Apr 15 2006 Dan Walsh <dwalsh@redhat.com> 2.2.32-2 |
|
- Add unconfined_mount_t |
|
- Allow privoxy to connect to httpd_cache |
|
- fix cups labeleing on /var/cache/cups |
|
|
|
* Fri Apr 14 2006 Dan Walsh <dwalsh@redhat.com> 2.2.32-1 |
|
- Update to latest from upstream |
|
|
|
* Fri Apr 14 2006 Dan Walsh <dwalsh@redhat.com> 2.2.31-1 |
|
- Update to latest from upstream |
|
- Allow mono and unconfined to talk to initrc_t dbus objects |
|
|
|
* Tue Apr 11 2006 Dan Walsh <dwalsh@redhat.com> 2.2.30-2 |
|
- Change libraries.fc to stop shlib_t form overriding texrel_shlib_t |
|
|
|
* Tue Apr 11 2006 Dan Walsh <dwalsh@redhat.com> 2.2.30-1 |
|
- Fix samba creating dirs in homedir |
|
- Fix NFS so its booleans would work |
|
|
|
* Mon Apr 10 2006 Dan Walsh <dwalsh@redhat.com> 2.2.29-6 |
|
- Allow secadm_t ability to relabel all files |
|
- Allow ftp to search xferlog_t directories |
|
- Allow mysql to communicate with ldap |
|
- Allow rsync to bind to rsync_port_t |
|
|
|
* Mon Apr 10 2006 Russell Coker <rcoker@redhat.com> 2.2.29-5 |
|
- Fixed mailman with Postfix #183928 |
|
- Allowed semanage to create file_context files. |
|
- Allowed amanda_t to access inetd_t TCP sockets and allowed amanda_recover_t |
|
to bind to reserved ports. #149030 |
|
- Don't allow devpts_t to be associated with tmp_t. |
|
- Allow hald_t to stat all mountpoints. |
|
- Added boolean samba_share_nfs to allow smbd_t full access to NFS mounts. |
|
#169947 |
|
- Make mount run in mount_t domain from unconfined_t to prevent mislabeling of |
|
/etc/mtab. |
|
- Changed the file_contexts to not have a regex before the first ^/[a-z]/ |
|
whenever possible, makes restorecon slightly faster. |
|
- Correct the label of /etc/named.caching-nameserver.conf |
|
- Now label /usr/src/kernels/.+/lib(/.*)? as usr_t instead of |
|
/usr/src(/.*)?/lib(/.*)? - I don't think we need anything else under /usr/src |
|
hit by this. |
|
- Granted xen access to /boot, allowed mounting on xend_var_lib_t, and allowed |
|
xenstored_t rw access to the xen device node. |
|
|
|
* Tue Apr 4 2006 Dan Walsh <dwalsh@redhat.com> 2.2.29-4 |
|
- More textrel_shlib_t file path fixes |
|
- Add ada support |
|
|
|
* Mon Apr 3 2006 Dan Walsh <dwalsh@redhat.com> 2.2.29-3 |
|
- Get auditctl working in MLS policy |
|
|
|
* Mon Apr 3 2006 Dan Walsh <dwalsh@redhat.com> 2.2.29-2 |
|
- Add mono dbus support |
|
- Lots of file_context fixes for textrel_shlib_t in FC5 |
|
- Turn off execmem auditallow since they are filling log files |
|
|
|
* Fri Mar 31 2006 Dan Walsh <dwalsh@redhat.com> 2.2.29-1 |
|
- Update to upstream |
|
|
|
* Thu Mar 30 2006 Dan Walsh <dwalsh@redhat.com> 2.2.28-3 |
|
- Allow automount and dbus to read cert files |
|
|
|
* Thu Mar 30 2006 Dan Walsh <dwalsh@redhat.com> 2.2.28-2 |
|
- Fix ftp policy |
|
- Fix secadm running of auditctl |
|
|
|
* Mon Mar 27 2006 Dan Walsh <dwalsh@redhat.com> 2.2.28-1 |
|
- Update to upstream |
|
|
|
* Wed Mar 22 2006 Dan Walsh <dwalsh@redhat.com> 2.2.27-1 |
|
- Update to upstream |
|
|
|
* Wed Mar 22 2006 Dan Walsh <dwalsh@redhat.com> 2.2.25-3 |
|
- Fix policyhelp |
|
|
|
* Wed Mar 22 2006 Dan Walsh <dwalsh@redhat.com> 2.2.25-2 |
|
- Fix pam_console handling of usb_device |
|
- dontaudit logwatch reading /mnt dir |
|
|
|
* Fri Mar 17 2006 Dan Walsh <dwalsh@redhat.com> 2.2.24-1 |
|
- Update to upstream |
|
|
|
* Wed Mar 15 2006 Dan Walsh <dwalsh@redhat.com> 2.2.23-19 |
|
- Get transition rules to create policy.20 at SystemHigh |
|
|
|
* Tue Mar 14 2006 Dan Walsh <dwalsh@redhat.com> 2.2.23-18 |
|
- Allow secadmin to shutdown system |
|
- Allow sendmail to exec newalias |
|
|
|
* Tue Mar 14 2006 Dan Walsh <dwalsh@redhat.com> 2.2.23-17 |
|
- MLS Fixes |
|
dmidecode needs mls_file_read_up |
|
- add ypxfr_t |
|
- run init needs access to nscd |
|
- udev needs setuid |
|
- another xen log file |
|
- Dontaudit mount getattr proc_kcore_t |
|
|
|
* Tue Mar 14 2006 Karsten Hopp <karsten@redhat.de> 2.2.23-16 |
|
- fix buildroot usage (#185391) |
|
|
|
* Thu Mar 9 2006 Dan Walsh <dwalsh@redhat.com> 2.2.23-15 |
|
- Get rid of mount/fsdisk scan of /dev messages |
|
- Additional fixes for suspend/resume |
|
|
|
* Thu Mar 9 2006 Dan Walsh <dwalsh@redhat.com> 2.2.23-14 |
|
- Fake make to rebuild enableaudit.pp |
|
|
|
* Thu Mar 9 2006 Dan Walsh <dwalsh@redhat.com> 2.2.23-13 |
|
- Get xen networking running. |
|
|
|
* Thu Mar 9 2006 Dan Walsh <dwalsh@redhat.com> 2.2.23-12 |
|
- Fixes for Xen |
|
- enableaudit should not be the same as base.pp |
|
- Allow ps to work for all process |
|
|
|
* Thu Mar 9 2006 Jeremy Katz <katzj@redhat.com> - 2.2.23-11 |
|
- more xen policy fixups |
|
|
|
* Wed Mar 8 2006 Jeremy Katz <katzj@redhat.com> - 2.2.23-10 |
|
- more xen fixage (#184393) |
|
|
|
* Wed Mar 8 2006 Dan Walsh <dwalsh@redhat.com> 2.2.23-9 |
|
- Fix blkid specification |
|
- Allow postfix to execute mailman_que |
|
|
|
* Wed Mar 8 2006 Dan Walsh <dwalsh@redhat.com> 2.2.23-8 |
|
- Blkid changes |
|
- Allow udev access to usb_device_t |
|
- Fix post script to create targeted policy config file |
|
|
|
* Wed Mar 8 2006 Dan Walsh <dwalsh@redhat.com> 2.2.23-7 |
|
- Allow lvm tools to create drevice dir |
|
|
|
* Tue Mar 7 2006 Dan Walsh <dwalsh@redhat.com> 2.2.23-5 |
|
- Add Xen support |
|
|
|
* Mon Mar 6 2006 Dan Walsh <dwalsh@redhat.com> 2.2.23-4 |
|
- Fixes for cups |
|
- Make cryptosetup work with hal |
|
|
|
* Sun Mar 5 2006 Dan Walsh <dwalsh@redhat.com> 2.2.23-3 |
|
- Load Policy needs translock |
|
|
|
* Sat Mar 4 2006 Dan Walsh <dwalsh@redhat.com> 2.2.23-2 |
|
- Fix cups html interface |
|
|
|
* Sat Mar 4 2006 Dan Walsh <dwalsh@redhat.com> 2.2.23-1 |
|
- Add hal changes suggested by Jeremy |
|
- add policyhelp to point at policy html pages |
|
|
|
* Mon Feb 27 2006 Dan Walsh <dwalsh@redhat.com> 2.2.22-2 |
|
- Additional fixes for nvidia and cups |
|
|
|
* Mon Feb 27 2006 Dan Walsh <dwalsh@redhat.com> 2.2.22-1 |
|
- Update to upstream |
|
- Merged my latest fixes |
|
- Fix cups policy to handle unix domain sockets |
|
|
|
* Sat Feb 25 2006 Dan Walsh <dwalsh@redhat.com> 2.2.21-9 |
|
- NSCD socket is in nscd_var_run_t needs to be able to search dir |
|
|
|
* Fri Feb 24 2006 Dan Walsh <dwalsh@redhat.com> 2.2.21-8 |
|
- Fixes Apache interface file |
|
|
|
* Fri Feb 24 2006 Dan Walsh <dwalsh@redhat.com> 2.2.21-7 |
|
- Fixes for new version of cups |
|
|
|
* Fri Feb 24 2006 Dan Walsh <dwalsh@redhat.com> 2.2.21-6 |
|
- Turn off polyinstatiate util after FC5 |
|
|
|
* Fri Feb 24 2006 Dan Walsh <dwalsh@redhat.com> 2.2.21-5 |
|
- Fix problem with privoxy talking to Tor |
|
|
|
* Thu Feb 23 2006 Dan Walsh <dwalsh@redhat.com> 2.2.21-4 |
|
- Turn on polyinstatiation |
|
|
|
* Thu Feb 23 2006 Dan Walsh <dwalsh@redhat.com> 2.2.21-3 |
|
- Don't transition from unconfined_t to fsadm_t |
|
|
|
* Thu Feb 23 2006 Dan Walsh <dwalsh@redhat.com> 2.2.21-2 |
|
- Fix policy update model. |
|
|
|
* Thu Feb 23 2006 Dan Walsh <dwalsh@redhat.com> 2.2.21-1 |
|
- Update to upstream |
|
|
|
* Wed Feb 22 2006 Dan Walsh <dwalsh@redhat.com> 2.2.20-1 |
|
- Fix load_policy to work on MLS |
|
- Fix cron_rw_system_pipes for postfix_postdrop_t |
|
- Allow audotmount to run showmount |
|
|
|
* Tue Feb 21 2006 Dan Walsh <dwalsh@redhat.com> 2.2.19-2 |
|
- Fix swapon |
|
- allow httpd_sys_script_t to be entered via a shell |
|
- Allow httpd_sys_script_t to read eventpolfs |
|
|
|
* Tue Feb 21 2006 Dan Walsh <dwalsh@redhat.com> 2.2.19-1 |
|
- Update from upstream |
|
|
|
* Tue Feb 21 2006 Dan Walsh <dwalsh@redhat.com> 2.2.18-2 |
|
- allow cron to read apache files |
|
|
|
* Tue Feb 21 2006 Dan Walsh <dwalsh@redhat.com> 2.2.18-1 |
|
- Fix vpnc policy to work from NetworkManager |
|
|
|
* Mon Feb 20 2006 Dan Walsh <dwalsh@redhat.com> 2.2.17-2 |
|
- Update to upstream |
|
- Fix semoudle polcy |
|
|
|
* Thu Feb 16 2006 Dan Walsh <dwalsh@redhat.com> 2.2.16-1 |
|
- Update to upstream |
|
- fix sysconfig/selinux link |
|
|
|
* Wed Feb 15 2006 Dan Walsh <dwalsh@redhat.com> 2.2.15-4 |
|
- Add router port for zebra |
|
- Add imaze port for spamd |
|
- Fixes for amanda and java |
|
|
|
* Tue Feb 14 2006 Dan Walsh <dwalsh@redhat.com> 2.2.15-3 |
|
- Fix bluetooth handling of usb devices |
|
- Fix spamd reading of ~/ |
|
- fix nvidia spec |
|
|
|
* Tue Feb 14 2006 Dan Walsh <dwalsh@redhat.com> 2.2.15-1 |
|
- Update to upsteam |
|
|
|
* Mon Feb 13 2006 Dan Walsh <dwalsh@redhat.com> 2.2.14-2 |
|
- Add users_extra files |
|
|
|
* Fri Feb 10 2006 Dan Walsh <dwalsh@redhat.com> 2.2.14-1 |
|
- Update to upstream |
|
|
|
* Fri Feb 10 2006 Dan Walsh <dwalsh@redhat.com> 2.2.13-1 |
|
- Add semodule policy |
|
|
|
* Tue Feb 7 2006 Dan Walsh <dwalsh@redhat.com> 2.2.12-1 |
|
- Update from upstream |
|
|
|
|
|
* Mon Feb 6 2006 Dan Walsh <dwalsh@redhat.com> 2.2.11-2 |
|
- Fix for spamd to use razor port |
|
|
|
* Fri Feb 3 2006 Dan Walsh <dwalsh@redhat.com> 2.2.11-1 |
|
- Fixes for mcs |
|
- Turn on mount and fsadm for unconfined_t |
|
|
|
* Wed Feb 1 2006 Dan Walsh <dwalsh@redhat.com> 2.2.10-1 |
|
- Fixes for the -devel package |
|
|
|
* Wed Feb 1 2006 Dan Walsh <dwalsh@redhat.com> 2.2.9-2 |
|
- Fix for spamd to use ldap |
|
|
|
* Fri Jan 27 2006 Dan Walsh <dwalsh@redhat.com> 2.2.9-1 |
|
- Update to upstream |
|
|
|
* Fri Jan 27 2006 Dan Walsh <dwalsh@redhat.com> 2.2.8-2 |
|
- Update to upstream |
|
- Fix rhgb, and other Xorg startups |
|
|
|
* Thu Jan 26 2006 Dan Walsh <dwalsh@redhat.com> 2.2.7-1 |
|
- Update to upstream |
|
|
|
* Thu Jan 26 2006 Dan Walsh <dwalsh@redhat.com> 2.2.6-3 |
|
- Separate out role of secadm for mls |
|
|
|
* Thu Jan 26 2006 Dan Walsh <dwalsh@redhat.com> 2.2.6-2 |
|
- Add inotifyfs handling |
|
|
|
* Thu Jan 26 2006 Dan Walsh <dwalsh@redhat.com> 2.2.6-1 |
|
- Update to upstream |
|
- Put back in changes for pup/zen |
|
|
|
* Tue Jan 24 2006 Dan Walsh <dwalsh@redhat.com> 2.2.5-1 |
|
- Many changes for MLS |
|
- Turn on strict policy |
|
|
|
* Mon Jan 23 2006 Dan Walsh <dwalsh@redhat.com> 2.2.4-1 |
|
- Update to upstream |
|
|
|
* Wed Jan 18 2006 Dan Walsh <dwalsh@redhat.com> 2.2.3-1 |
|
- Update to upstream |
|
- Fixes for booting and logging in on MLS machine |
|
|
|
* Wed Jan 18 2006 Dan Walsh <dwalsh@redhat.com> 2.2.2-1 |
|
- Update to upstream |
|
- Turn off execheap execstack for unconfined users |
|
- Add mono/wine policy to allow execheap and execstack for them |
|
- Add execheap for Xdm policy |
|
|
|
* Wed Jan 18 2006 Dan Walsh <dwalsh@redhat.com> 2.2.1-1 |
|
- Update to upstream |
|
- Fixes to fetchmail, |
|
|
|
* Tue Jan 17 2006 Dan Walsh <dwalsh@redhat.com> 2.1.13-1 |
|
- Update to upstream |
|
|
|
* Tue Jan 17 2006 Dan Walsh <dwalsh@redhat.com> 2.1.12-3 |
|
- Fix for procmail/spamassasin |
|
- Update to upstream |
|
- Add rules to allow rpcd to work with unlabeled_networks. |
|
|
|
* Sat Jan 14 2006 Dan Walsh <dwalsh@redhat.com> 2.1.11-1 |
|
- Update to upstream |
|
- Fix ftp Man page |
|
|
|
* Fri Jan 13 2006 Dan Walsh <dwalsh@redhat.com> 2.1.10-1 |
|
- Update to upstream |
|
|
|
* Wed Jan 11 2006 Jeremy Katz <katzj@redhat.com> - 2.1.9-2 |
|
- fix pup transitions (#177262) |
|
- fix xen disks (#177599) |
|
|
|
* Tue Jan 10 2006 Dan Walsh <dwalsh@redhat.com> 2.1.9-1 |
|
- Update to upstream |
|
|
|
* Tue Jan 10 2006 Dan Walsh <dwalsh@redhat.com> 2.1.8-3 |
|
- More Fixes for hal and readahead |
|
|
|
* Mon Jan 9 2006 Dan Walsh <dwalsh@redhat.com> 2.1.8-2 |
|
- Fixes for hal and readahead |
|
|
|
* Mon Jan 9 2006 Dan Walsh <dwalsh@redhat.com> 2.1.8-1 |
|
- Update to upstream |
|
- Apply |
|
* Fri Jan 6 2006 Dan Walsh <dwalsh@redhat.com> 2.1.7-4 |
|
- Add wine and fix hal problems |
|
|
|
* Thu Jan 5 2006 Dan Walsh <dwalsh@redhat.com> 2.1.7-3 |
|
- Handle new location of hal scripts |
|
|
|
* Thu Jan 5 2006 Dan Walsh <dwalsh@redhat.com> 2.1.7-2 |
|
- Allow su to read /etc/mtab |
|
|
|
* Wed Jan 4 2006 Dan Walsh <dwalsh@redhat.com> 2.1.7-1 |
|
- Update to upstream |
|
|
|
* Tue Jan 3 2006 Dan Walsh <dwalsh@redhat.com> 2.1.6-24 |
|
- Fix "libsemanage.parse_module_headers: Data did not represent a module." problem |
|
|
|
* Tue Jan 3 2006 Dan Walsh <dwalsh@redhat.com> 2.1.6-23 |
|
- Allow load_policy to read /etc/mtab |
|
|
|
* Mon Jan 2 2006 Dan Walsh <dwalsh@redhat.com> 2.1.6-22 |
|
- Fix dovecot to allow dovecot_auth to look at /tmp |
|
|
|
* Mon Jan 2 2006 Dan Walsh <dwalsh@redhat.com> 2.1.6-21 |
|
- Allow restorecon to read unlabeled_t directories in order to fix labeling. |
|
|
|
* Fri Dec 30 2005 Dan Walsh <dwalsh@redhat.com> 2.1.6-20 |
|
- Add Logwatch policy |
|
|
|
* Wed Dec 28 2005 Dan Walsh <dwalsh@redhat.com> 2.1.6-18 |
|
- Fix /dev/ub[a-z] file context |
|
|
|
* Tue Dec 27 2005 Dan Walsh <dwalsh@redhat.com> 2.1.6-17 |
|
- Fix library specification |
|
- Give kudzu execmem privs |
|
|
|
* Thu Dec 22 2005 Dan Walsh <dwalsh@redhat.com> 2.1.6-16 |
|
- Fix hostname in targeted policy |
|
|
|
* Wed Dec 21 2005 Dan Walsh <dwalsh@redhat.com> 2.1.6-15 |
|
- Fix passwd command on mls |
|
|
|
* Wed Dec 21 2005 Dan Walsh <dwalsh@redhat.com> 2.1.6-14 |
|
- Lots of fixes to make mls policy work |
|
|
|
* Tue Dec 20 2005 Dan Walsh <dwalsh@redhat.com> 2.1.6-13 |
|
- Add dri libs to textrel_shlib_t |
|
- Add system_r role for java |
|
- Add unconfined_exec_t for vncserver |
|
- Allow slapd to use kerberos |
|
|
|
* Mon Dec 19 2005 Dan Walsh <dwalsh@redhat.com> 2.1.6-11 |
|
- Add man pages |
|
|
|
* Fri Dec 16 2005 Dan Walsh <dwalsh@redhat.com> 2.1.6-10 |
|
- Add enableaudit.pp |
|
|
|
* Fri Dec 16 2005 Dan Walsh <dwalsh@redhat.com> 2.1.6-9 |
|
- Fix mls policy |
|
|
|
* Fri Dec 16 2005 Dan Walsh <dwalsh@redhat.com> 2.1.6-8 |
|
- Update mls file from old version |
|
|
|
* Thu Dec 15 2005 Dan Walsh <dwalsh@redhat.com> 2.1.6-5 |
|
- Add sids back in |
|
- Rebuild with update checkpolicy |
|
|
|
* Thu Dec 15 2005 Dan Walsh <dwalsh@redhat.com> 2.1.6-4 |
|
- Fixes to allow automount to use portmap |
|
- Fixes to start kernel in s0-s15:c0.c255 |
|
|
|
* Wed Dec 14 2005 Dan Walsh <dwalsh@redhat.com> 2.1.6-3 |
|
- Add java unconfined/execmem policy |
|
|
|
* Wed Dec 14 2005 Dan Walsh <dwalsh@redhat.com> 2.1.6-2 |
|
- Add file context for /var/cvs |
|
- Dontaudit webalizer search of homedir |
|
|
|
* Tue Dec 13 2005 Dan Walsh <dwalsh@redhat.com> 2.1.6-1 |
|
- Update from upstream |
|
|
|
* Tue Dec 13 2005 Dan Walsh <dwalsh@redhat.com> 2.1.4-2 |
|
- Clean up spec |
|
- range_transition crond to SystemHigh |
|
|
|
* Mon Dec 12 2005 Dan Walsh <dwalsh@redhat.com> 2.1.4-1 |
|
- Fixes for hal |
|
- Update to upstream |
|
|
|
* Mon Dec 12 2005 Dan Walsh <dwalsh@redhat.com> 2.1.3-1 |
|
- Turn back on execmem since we need it for java, firefox, ooffice |
|
- Allow gpm to stream socket to itself |
|
|
|
* Mon Dec 12 2005 Jeremy Katz <katzj@redhat.com> - 2.1.2-3 |
|
- fix requirements to be on the actual packages so that policy can get |
|
created properly at install time |
|
|
|
* Sun Dec 11 2005 Dan Walsh <dwalsh@redhat.com> 2.1.2-2 |
|
- Allow unconfined_t to execmod texrel_shlib_t |
|
|
|
* Sat Dec 10 2005 Dan Walsh <dwalsh@redhat.com> 2.1.2-1 |
|
- Update to upstream |
|
- Turn off allow_execmem and allow_execmod booleans |
|
- Add tcpd and automount policies |
|
|
|
* Fri Dec 9 2005 Dan Walsh <dwalsh@redhat.com> 2.1.1-3 |
|
- Add two new httpd booleans, turned off by default |
|
* httpd_can_network_relay |
|
* httpd_can_network_connect_db |
|
|
|
* Fri Dec 9 2005 Dan Walsh <dwalsh@redhat.com> 2.1.1-2 |
|
- Add ghost for policy.20 |
|
|
|
* Thu Dec 8 2005 Dan Walsh <dwalsh@redhat.com> 2.1.1-1 |
|
- Update to upstream |
|
- Turn off boolean allow_execstack |
|
|
|
* Thu Dec 8 2005 Dan Walsh <dwalsh@redhat.com> 2.1.0-3 |
|
- Change setrans-mls to use new libsetrans |
|
- Add default_context rule for xdm |
|
|
|
* Thu Dec 8 2005 Dan Walsh <dwalsh@redhat.com> 2.1.0-2. |
|
- Change Requires to PreReg for requiring of policycoreutils on install |
|
|
|
* Wed Dec 7 2005 Dan Walsh <dwalsh@redhat.com> 2.1.0-1. |
|
- New upstream release |
|
|
|
* Wed Dec 7 2005 Dan Walsh <dwalsh@redhat.com> 2.0.11-2. |
|
Add xdm policy |
|
|
|
* Tue Dec 6 2005 Dan Walsh <dwalsh@redhat.com> 2.0.11-1. |
|
Update from upstream |
|
|
|
* Fri Dec 2 2005 Dan Walsh <dwalsh@redhat.com> 2.0.9-1. |
|
Update from upstream |
|
|
|
* Fri Dec 2 2005 Dan Walsh <dwalsh@redhat.com> 2.0.8-1. |
|
Update from upstream |
|
|
|
* Fri Dec 2 2005 Dan Walsh <dwalsh@redhat.com> 2.0.7-3 |
|
- Also trigger to rebuild policy for versions up to 2.0.7. |
|
|
|
* Tue Nov 29 2005 Dan Walsh <dwalsh@redhat.com> 2.0.7-2 |
|
- No longer installing policy.20 file, anaconda handles the building of the app. |
|
|
|
* Tue Nov 29 2005 Dan Walsh <dwalsh@redhat.com> 2.0.6-2 |
|
- Fixes for dovecot and saslauthd |
|
|
|
* Wed Nov 23 2005 Dan Walsh <dwalsh@redhat.com> 2.0.5-4 |
|
- Cleanup pegasus and named |
|
- Fix spec file |
|
- Fix up passwd changing applications |
|
|
|
* Tue Nov 22 2005 Dan Walsh <dwalsh@redhat.com> 2.0.5-1 |
|
-Update to latest from upstream |
|
|
|
* Tue Nov 22 2005 Dan Walsh <dwalsh@redhat.com> 2.0.4-1 |
|
- Add rules for pegasus and avahi |
|
|
|
* Mon Nov 21 2005 Dan Walsh <dwalsh@redhat.com> 2.0.2-2 |
|
- Start building MLS Policy |
|
|
|
* Fri Nov 18 2005 Dan Walsh <dwalsh@redhat.com> 2.0.2-1 |
|
- Update to upstream |
|
|
|
* Wed Nov 9 2005 Dan Walsh <dwalsh@redhat.com> 2.0.1-2 |
|
- Turn on bash |
|
|
|
* Wed Nov 9 2005 Dan Walsh <dwalsh@redhat.com> 2.0.1-1 |
|
- Initial version
|
|
|