diff --git a/selinux-policy.spec b/selinux-policy.spec index cb668c8..4e28e2c 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec 
@@ -1451,318 +1451,3 @@ exit 0 - Allow blueman read/write its private memfd: objects - Allow insights-client read rhnsd config files - Allow insights-client create_socket_perms for tcp/udp sockets - -* Tue Apr 26 2022 Zdenek Pytela - 36.8-1 -- Allow nm-dispatcher chronyc plugin append to init stream sockets -- Allow tmpreaper the sys_ptrace userns capability -- Label /usr/libexec/vdsm/supervdsmd and vdsmd with virtd_exec_t -- Allow nm-dispatcher tlp plugin read/write the wireless device -- Allow nm-dispatcher tlp plugin append to init socket -- Allow nm-dispatcher tlp plugin be client of a system bus -- Allow nm-dispatcher list its configuration directory -- Ecryptfs-private support -- Allow colord map /var/lib directories -- Allow ntlm_auth read the network state information -- Allow insights-client search rhnsd configuration directory - -* Thu Apr 21 2022 Zdenek Pytela - 36.7-3 -- Add support for nm-dispatcher tlp-rdw scripts -- Update github actions to satisfy git 2.36 stricter rules -- New policy for stalld -- Allow colord read generic files in /var/lib -- Allow xdm mounton user temporary socket files -- Allow systemd-gpt-auto-generator create and use netlink_kobject_uevent_socket -- Allow sssd domtrans to pkcs_slotd_t -- Allow keepalived setsched and sys_nice -- Allow xdm map generic files in /var/lib -- Allow xdm read generic symbolic links in /var/lib -- Allow pppd create a file in the locks directory -- Add file map permission to lpd_manage_spool() interface -- Allow system dbus daemon watch generic directories in /var/lib -- Allow pcscd the sys_ptrace userns capability -- Add the corecmd_watch_bin_dirs() interface - -* Thu Apr 21 2022 Zdenek Pytela - 36.7-2 -- Relabel explicitly some dirs in %posttrans scriptlets - -* Thu Apr 21 2022 Zdenek Pytela - 36.7-1 -- Add stalld module to modules-targeted-contrib.conf - -* Mon Apr 04 2022 Zdenek Pytela - 36.6-1 -- Add support for systemd-network-generator -- Add the io_uring class -- Allow nm-dispatcher dhclient 
plugin append to init stream sockets -- Relax the naming pattern for systemd private shared libraries -- Allow nm-dispatcher iscsid plugin append to init socket -- Add the init_append_stream_sockets() interface -- Allow nm-dispatcher dnssec-trigger script to execute pidof -- Add support for nm-dispatcher dnssec-trigger scripts -- Allow chronyd talk with unconfined user over unix domain dgram socket -- Allow fenced read kerberos key tables -- Add support for nm-dispatcher ddclient scripts -- Add systemd_getattr_generic_unit_files() interface -- Allow fprintd read and write hardware state information -- Allow exim watch generic certificate directories -- Remove duplicate fc entries for corosync and corosync-notifyd -- Label corosync-cfgtool with cluster_exec_t -- Allow qemu-kvm create and use netlink rdma sockets -- Allow logrotate a domain transition to cluster administrative domain - -* Fri Mar 18 2022 Zdenek Pytela - 36.5-1 -- Add support for nm-dispatcher console helper scripts -- Allow nm-dispatcher plugins read its directory and sysfs -- Do not let system_cronjob_t create redhat-access-insights.log with var_log_t -- devices: Add a comment about cardmgr_dev_t -- Add basic policy for BinderFS -- Label /var/run/ecblp0 pipe with cupsd_var_run_t -- Allow rpmdb create directory in /usr/lib/sysimage -- Allow rngd drop privileges via setuid/setgid/setcap -- Allow init watch and watch_reads user ttys -- Allow systemd-logind dbus chat with sosreport -- Allow chronyd send a message to sosreport over datagram socket -- Remove unnecessary /etc file transitions for insights-client -- Label all content in /var/lib/insights with insights_client_var_lib_t -- Update insights-client policy - -* Wed Feb 23 2022 Zdenek Pytela - 36.4-2 -- Add insights_client module to modules-targeted-contrib.conf - -* Wed Feb 23 2022 Zdenek Pytela - 36.4-1 -- Update NetworkManager-dispatcher cloud and chronyc policy -- Update insights-client: fc pattern, motd, writing to etc -- Allow systemd-sysctl 
read the security state information -- Allow init create and mounton to support PrivateDevices -- Allow sosreport dbus chat abrt systemd timedatex - -* Tue Feb 22 2022 Zdenek Pytela - 36.3-2 -- Update specfile to buildrequire policycoreutils-devel >= 3.3-4 -- Add modules_checksum to %files - -* Thu Feb 17 2022 Zdenek Pytela - 36.3-1 -- Update NetworkManager-dispatcher policy to use scripts -- Allow init mounton kernel messages device -- Revert "Make dbus-broker service working on s390x arch" -- Remove permissive domain for insights_client_t -- Allow userdomain read symlinks in /var/lib -- Allow iptables list cgroup directories -- Dontaudit mdadm list dirsrv tmpfs dirs -- Dontaudit dirsrv search filesystem sysctl directories -- Allow chage domtrans to sssd -- Allow postfix_domain read dovecot certificates -- Allow systemd-networkd create and use netlink netfilter socket -- Allow nm-dispatcher read nm-dispatcher-script symlinks -- filesystem.te: add genfscon rule for ntfs3 filesystem -- Allow rhsmcertd get attributes of cgroup filesystems -- Allow sandbox_web_client_t watch various dirs -- Exclude container.if from policy devel files -- Run restorecon on /usr/lib/sysimage/rpm instead of /var/lib/rpm - -* Fri Feb 11 2022 Zdenek Pytela - 36.2-1 -- Allow sysadm_passwd_t to relabel passwd and group files -- Allow confined sysadmin to use tool vipw -- Allow login_userdomain map /var/lib/directories -- Allow login_userdomain watch library and fonts dirs -- Allow login_userdomain watch system configuration dirs -- Allow login_userdomain read systemd runtime files -- Allow ctdb create cluster logs -- Allow alsa bind mixer controls to led triggers -- New policy for insight-client -- Add mctp_socket security class and access vectors -- Fix koji repo URL pattern -- Update chronyd_pid_filetrans() to allow create dirs -- Update NetworkManager-dispatcher policy -- Allow unconfined to run virtd bpf -- Allow nm-privhelper setsched permission and send system logs -- Add the map 
permission to common_anon_inode_perm permission set -- Rename userfaultfd_anon_inode_perms to common_inode_perms -- Allow confined users to use kinit,klist and etc. -- Allow rhsmcertd create rpm hawkey logs with correct label - -* Thu Feb 03 2022 Zdenek Pytela - 36.1-1 -- Label exFAT utilities at /usr/sbin -- policy/modules/contrib: Support /usr/lib/sysimage/rpm as the rpmdb path -- Enable genfs_seclabel_symlinks policy capability -- Sync policy/policy_capabilities with refpolicy -- refpolicy: drop unused socket security classes -- Label new utility of NetworkManager nm-priv-helper -- Label NetworkManager-dispatcher service with separate context -- Allow sanlock get attributes of filesystems with extended attributes -- Associate stratisd_data_t with device filesystem -- Allow init read stratis data symlinks - -* Tue Feb 01 2022 Zdenek Pytela - 35.13-1 -- Allow systemd services watch dbusd pid directory and its parents -- Allow ModemManager connect to the unconfined user domain -- Label /dev/wwan.+ with modem_manager_t -- Allow alsactl set group Process ID of a process -- Allow domtrans to sssd_t and role access to sssd -- Creating interface sssd_run_sssd() -- Label utilities for exFAT filesystems with fsadm_exec_t -- Label /dev/nvme-fabrics with fixed_disk_device_t -- Allow init delete generic tmp named pipes -- Allow timedatex dbus chat with xdm - -* Wed Jan 26 2022 Zdenek Pytela - 35.12-1 -- Fix badly indented used interfaces -- Allow domain transition to sssd_t -- Dontaudit sfcbd sys_ptrace cap_userns -- Label /var/lib/plocate with locate_var_lib_t -- Allow hostapd talk with unconfined user over unix domain dgram socket -- Allow NetworkManager talk with unconfined user over unix domain dgram socket -- Allow system_mail_t read inherited apache system content rw files -- Add apache_read_inherited_sys_content_rw_files() interface -- Allow rhsm-service execute its private memfd: objects -- Allow dirsrv read configfs files and directories -- Label /run/stratisd with 
stratisd_var_run_t -- Allow tumblerd write to session_dbusd tmp socket files - -* Wed Jan 19 2022 Zdenek Pytela - 35.11-1 -- Revert "Label /etc/cockpit/ws-certs.d with cert_t" -- Allow login_userdomain write to session_dbusd tmp socket files -- Label /var/run/user/%{USERID}/dbus with session_dbusd_tmp_t - -* Mon Jan 17 2022 Zdenek Pytela - 35.10-1 -- Allow login_userdomain watch systemd-machined PID directories -- Allow login_userdomain watch systemd-logind PID directories -- Allow login_userdomain watch accountsd lib directories -- Allow login_userdomain watch localization directories -- Allow login_userdomain watch various files and dirs -- Allow login_userdomain watch generic directories in /tmp -- Allow rhsm-service read/write its private memfd: objects -- Allow radiusd connect to the radacct port -- Allow systemd-io-bridge ioctl rpm_script_t -- Allow systemd-coredump userns capabilities and root mounton -- Allow systemd-coredump read and write usermodehelper state -- Allow login_userdomain create session_dbusd tmp socket files -- Allow gkeyringd_domain write to session_dbusd tmp socket files -- Allow systemd-logind delete session_dbusd tmp socket files -- Allow gdm-x-session write to session dbus tmp sock files -- Label /etc/cockpit/ws-certs.d with cert_t -- Allow kpropd get attributes of cgroup filesystems -- Allow administrative users the bpf capability -- Allow sysadm_t start and stop transient services -- Connect triggerin to pcre2 instead of pcre - -* Wed Jan 12 2022 Zdenek Pytela - 35.9-1 -- Allow sshd read filesystem sysctl files -- Revert "Allow sshd read sysctl files" -- Allow tlp read its systemd unit -- Allow gssproxy access to various system files. 
-- Allow gssproxy read, write, and map ica tmpfs files -- Allow gssproxy read and write z90crypt device -- Allow sssd_kcm read and write z90crypt device -- Allow smbcontrol read the network state information -- Allow virt_domain map vhost devices -- Allow fcoemon request the kernel to load a module -- Allow sshd read sysctl files -- Ensure that `/run/systemd/*` are properly labeled -- Allow admin userdomains use socketpair() -- Change /run/user/[0-9]+ to /run/user/%{USERID} for proper labeling -- Allow lldpd connect to snmpd with a unix domain stream socket -- Dontaudit pkcsslotd sys_admin capability - -* Thu Dec 23 2021 Zdenek Pytela - 35.8-1 -- Allow haproxy get attributes of filesystems with extended attributes -- Allow haproxy get attributes of cgroup filesystems -- Allow sysadm execute sysadmctl in sysadm_t domain using sudo -- Allow userdomains use pam_ssh_agent_auth for passwordless sudo -- Allow sudodomains execute passwd in the passwd domain -- Allow braille printing in selinux -- Allow sandbox_xserver_t map sandbox_file_t -- Label /dev/ngXnY and /dev/nvme-subsysX with fixed_disk_device_t -- Add hwtracing_device_t type for hardware-level tracing and debugging -- Label port 9528/tcp with openqa_liveview -- Label /var/lib/shorewall6-lite with shorewall_var_lib_t -- Document Security Flask model in the policy - -* Fri Dec 10 2021 Zdenek Pytela - 35.7-1 -- Allow systemd read unlabeled symbolic links -- Label abrt-action-generate-backtrace with abrt_handle_event_exec_t -- Allow dnsmasq watch /etc/dnsmasq.d directories -- Allow rhsmcertd get attributes of tmpfs_t filesystems -- Allow lldpd use an snmp subagent over a tcp socket -- Allow xdm watch generic directories in /var/lib -- Allow login_userdomain open/read/map system journal -- Allow sysadm_t connect to cluster domains over a unix stream socket -- Allow sysadm_t read/write pkcs shared memory segments -- Allow sysadm_t connect to sanlock over a unix stream socket -- Allow sysadm_t dbus chat with sssd -- 
Allow sysadm_t set attributes on character device nodes -- Allow sysadm_t read and write watchdog devices -- Allow smbcontrol use additional socket types -- Allow cloud-init dbus chat with systemd-logind -- Allow svnserve send mail from the system -- Update userdom_exec_user_tmp_files() with an entrypoint rule -- Allow sudodomain send a null signal to sshd processes - -* Fri Nov 19 2021 Zdenek Pytela - 35.6-1 -- Allow PID 1 and dbus-broker IPC with a systemd user session -- Allow rpmdb read generic SSL certificates -- Allow rpmdb read admin home config files -- Report warning on duplicate definition of interface -- Allow redis get attributes of filesystems with extended attributes -- Allow sysadm_t dbus chat with realmd_t -- Make cupsd_lpd_t a daemon -- Allow tlp dbus-chat with NetworkManager -- filesystem: add fs_use_trans for ramfs -- Allow systemd-logind destroy unconfined user's IPC objects - -* Thu Nov 04 2021 Zdenek Pytela - 35.5-1 -- Support sanlock VG automated recovery on storage access loss 2/2 -- Support sanlock VG automated recovery on storage access loss 1/2 -- Revert "Support sanlock VG automated recovery on storage access loss" -- Allow tlp get service units status -- Allow fedora-third-party manage 3rd party repos -- Allow xdm_t nnp_transition to login_userdomain -- Add the auth_read_passwd_file() interface -- Allow redis-sentinel execute a notification script -- Allow fetchmail search cgroup directories -- Allow lvm_t to read/write devicekit disk semaphores -- Allow devicekit_disk_t to use /dev/mapper/control -- Allow devicekit_disk_t to get IPC info from the kernel -- Allow devicekit_disk_t to read systemd-logind pid files -- Allow devicekit_disk_t to mount filesystems on mnt_t directories -- Allow devicekit_disk_t to manage mount_var_run_t files -- Allow rasdaemon sys_admin capability to verify the CAP_SYS_ADMIN of the soft_offline_page function implemented in the kernel -- Use $releasever in koji repo to reduce rawhide hardcoding -- authlogin: 
add fcontext for tcb -- Add erofs as a SELinux capable file system -- Allow systemd execute user bin files -- Support sanlock VG automated recovery on storage access loss -- Support new PING_CHECK health checker in keepalived - -* Wed Oct 20 2021 Zdenek Pytela - 35.4-1 -- Allow fedora-third-party map generic cache files -- Add gnome_map_generic_cache_files() interface -- Add files_manage_var_lib_dirs() interface -- Allow fedora-third party manage gpg keys -- Allow fedora-third-party run "flatpak remote-add --from flathub" - -* Tue Oct 19 2021 Zdenek Pytela - 35.3-1 -- Allow fedora-third-party run flatpak post-install actions -- Allow fedora-third-party set_setsched and sys_nice - -* Mon Oct 18 2021 Zdenek Pytela - 35.2-1 -- Allow fedora-third-party execute "flatpak remote-add" -- Add files_manage_var_lib_files() interface -- Add write permisson to userfaultfd_anon_inode_perms -- Allow proper function sosreport via iotop -- Allow proper function sosreport in sysadmin role -- Allow fedora-third-party to connect to the system log service -- Allow fedora-third-party dbus chat with policykit -- Allow chrony-wait service start with DynamicUser=yes -- Allow management of lnk_files if similar access to regular files -- Allow unconfined_t transition to mozilla_plugin_t with NoNewPrivileges -- Allow systemd-resolved watch /run/systemd -- Allow fedora-third-party create and use unix_dgram_socket -- Removing pkcs_tmpfs_filetrans interface and edit pkcs policy files -- Allow login_userdomain named filetrans to pkcs_slotd_tmpfs_t domain - -* Thu Oct 07 2021 Zdenek Pytela - 35.1-1 -- Add fedoratp module -- Allow xdm_t domain transition to fedoratp_t -- Allow ModemManager create and use netlink route socket -- Add default file context for /run/gssproxy.default.sock -- Allow xdm_t watch fonts directories -- Allow xdm_t watch generic directories in /lib -- Allow xdm_t watch generic pid directories
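Review bot: this hunk (`@@ -1451,318 +1451,3 @@`) deletes 315 lines of %changelog history, every entry from 36.8-1 back to 35.1-1 (Oct 2021), and nothing else in the patch shows where that history is preserved: the only file touched is selinux-policy.spec and every non-context line is a `-` line. If the intent is to move these entries out of the spec (for example into a separate changelog file that the spec then pulls in), that destination file should be part of the same change so a reviewer can confirm the entries survive verbatim; if the intent is to trim the spec, the commit message should say so, because `rpm -q --changelog selinux-policy` on the resulting build will no longer list anything older than the three retained lines (`- Allow blueman read/write its private memfd: objects` and the two insights-client entries). Note also that several of the removed entries record policy-relevant decisions that are otherwise hard to recover, e.g. `-- Remove permissive domain for insights_client_t` (36.3-1), `-- Allow administrative users the bpf capability` (35.10-1) and the `Revert "Label /etc/cockpit/ws-certs.d with cert_t"` pair (35.11-1 / 35.10-1), so losing them from the package changelog is not cosmetic.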