selinux-policy/file_contexts.subs_dist

/var/run /run
/var/lock /run/lock
/var/run/lock /var/lock
/lib /usr/lib
/lib64 /usr/lib
/usr/lib64 /usr/lib
/usr/local /usr
/usr/local/lib64 /usr/lib
/usr/local/lib32 /usr/lib
/etc/systemd/system /usr/lib/systemd/system
/run/systemd/system /usr/lib/systemd/system
/run/systemd/generator /usr/lib/systemd/system
/run/systemd/generator.early /usr/lib/systemd/system
/run/systemd/generator.late /usr/lib/systemd/system
/var/lib/xguest/home /home
/var/run/netconfig /etc
/var/adm/netconfig/md5/etc /etc
/var/adm/netconfig/md5/var /var
/usr/etc /etc
Accepting request 1166915 from home:cahu:security:SELinux:policytest - Update to version 20240411: * Remove duplicate in sysnetwork.fc * Rename /var/run/wicked* to /run/wicked* * Remove /var/run/rsyslog/additional-log-sockets.conf from logging.fc * policy: support pidfs * Confine selinux-autorelabel-generator.sh * Allow logwatch_mail_t read/write to init over a unix stream socket * Allow logwatch read logind sessions files * files_dontaudit_getattr_tmpfs_files allowed the access and didn't dontaudit it * files_dontaudit_mounton_modules_object allowed the access and didn't dontaudit it * Allow NetworkManager the sys_ptrace capability in user namespace * dontaudit execmem for modemmanager * Allow dhcpcd use unix_stream_socket * Allow dhcpc read /run/netns files * Update mmap_rw_file_perms to include the lock permission * Allow plymouthd log during shutdown * Add logging_watch_all_log_dirs() and logging_watch_all_log_files() * Allow journalctl_t read filesystem sysctls * Allow cgred_t to get attributes of cgroup filesystems * Allow wdmd read hardware state information * Allow wdmd list the contents of the sysfs directories * Allow linuxptp configure phc2sys and chronyd over a unix domain socket * Allow sulogin relabel tty1 * Dontaudit sulogin the checkpoint_restore capability * Modify sudo_role_template() to allow getpgid * Allow userdomain get attributes of files on an nsfs filesystem * Allow opafm create NFS files and directories * Allow virtqemud create and unlink files in /etc/libvirt/ * Allow virtqemud domain transition on swtpm execution * Add the swtpm.if interface file for interactions with other domains * Allow samba to have dac_override capability * systemd: allow sys_admin capability for systemd_notify_t * systemd: allow systemd_notify_t to send data to kernel_t datagram sockets * Allow thumb_t to watch and watch_reads mount_var_run_t * Allow krb5kdc_t map krb5kdc_principal_t files * Allow unprivileged confined user dbus chat with setroubleshoot * Allow login_userdomain map files in /var * Allow wireguard work with firewall-cmd * Differentiate between staff and sysadm when executing crontab with sudo * Add crontab_admin_domtrans interface * Allow abrt_t nnp domain transition to abrt_handle_event_t * Allow xdm_t to watch and watch_reads mount_var_run_t * Dontaudit subscription manager setfscreate and read file contexts * Don't audit crontab_domain write attempts to user home * Transition from sudodomains to crontab_t when executing crontab_exec_t * Add crontab_domtrans interface * Fix label of pseudoterminals created from sudodomain * Allow utempter_t use ptmx * Dontaudit rpmdb attempts to connect to sssd over a unix stream socket * Allow admin user read/write on fixed_disk_device_t * Only allow confined user domains to login locally without unconfined_login * Add userdom_spec_domtrans_confined_admin_users interface * Only allow admindomain to execute shell via ssh with ssh_sysadm_login * Add userdom_spec_domtrans_admin_users interface * Move ssh dyntrans to unconfined inside unconfined_login tunable policy * Update ssh_role_template() for user ssh-agent type * Allow init to inherit system DBus file descriptors * Allow init to inherit fds from syslogd * Allow any domain to inherit fds from rpm-ostree * Update afterburn policy * Allow init_t nnp domain transition to abrtd_t * Rename all /var/lock file context entries to /run/lock * Rename all /var/run file context entries to /run - Add script varrun-convert.sh for locally existing modules to be able to cope with the /var/run -> /run change - Update embedded container-selinux to commit a8e389dbcd3f9b6ed0a7e495c6f559c0383dc49e OBS-URL: https://build.opensuse.org/request/show/1166915 OBS-URL: https://build.opensuse.org/package/show/security:SELinux/selinux-policy?expand=0&rev=217 2024-04-12 09:02:14 +02:00			`/var/run /run`
			`/var/lock /run/lock`
OBS-URL: https://build.opensuse.org/package/show/security:SELinux/selinux-policy?expand=0&rev=68 2018-11-27 10:16:35 +01:00			`/var/run/lock /var/lock`
			`/lib /usr/lib`
			`/lib64 /usr/lib`
			`/usr/lib64 /usr/lib`
			`/usr/local /usr`
			`/usr/local/lib64 /usr/lib`
			`/usr/local/lib32 /usr/lib`
			`/etc/systemd/system /usr/lib/systemd/system`
			`/run/systemd/system /usr/lib/systemd/system`
			`/run/systemd/generator /usr/lib/systemd/system`
Accepting request 1167823 from home:cahu:security:SELinux:policytest - Add file contexts "forwarding" to file_contexts.sub_dist to fix systemd-gpt-auto-generator and systemd-fstab-generator (bsc#1222736): * /run/systemd/generator.early /usr/lib/systemd/system * /run/systemd/generator.late /usr/lib/systemd/system OBS-URL: https://build.opensuse.org/request/show/1167823 OBS-URL: https://build.opensuse.org/package/show/security:SELinux/selinux-policy?expand=0&rev=218 2024-04-15 16:47:23 +02:00			`/run/systemd/generator.early /usr/lib/systemd/system`
			`/run/systemd/generator.late /usr/lib/systemd/system`
OBS-URL: https://build.opensuse.org/package/show/security:SELinux/selinux-policy?expand=0&rev=68 2018-11-27 10:16:35 +01:00			`/var/lib/xguest/home /home`
Accepting request 781805 from home:jsegitz:branches:security:SELinux - Update to version 20200219 Refreshed fix_hadoop.patch Updated * fix_dbus.patch * fix_hadoop.patch * fix_nscd.patch * fix_xserver.patch Renamed postfix_paths.patch to fix_postfix.patch Added * fix_init.patch * fix_locallogin.patch * fix_policykit.patch * fix_iptables.patch * fix_irqbalance.patch * fix_ntp.patch * fix_fwupd.patch * fix_firewalld.patch * fix_logrotate.patch * fix_selinuxutil.patch * fix_corecommand.patch * fix_snapper.patch * fix_systemd.patch * fix_unconfined.patch * fix_unconfineduser.patch * fix_chronyd.patch * fix_networkmanager.patch * xdm_entrypoint_pam.patch - Removed modules minimum_temp_fixes and targeted_temp_fixes from the corresponding policies - Reduced default module list of minimum policy by removing OBS-URL: https://build.opensuse.org/request/show/781805 OBS-URL: https://build.opensuse.org/package/show/security:SELinux/selinux-policy?expand=0&rev=74 2020-03-05 11:13:59 +01:00			`/var/run/netconfig /etc`
Accepting request 810877 from home:jsegitz:branches:security:SELinux - Added module for wicked - New patches: * fix_authlogin.patch * fix_screen.patch * fix_unprivuser.patch * fix_rpm.patch * fix_apache.patch - Added module for rtorrent - Enable snapper module in minimum policy to reduce issues on BTRFS Updated fix_snapper.patch to prevent relabling of snapshot OBS-URL: https://build.opensuse.org/request/show/810877 OBS-URL: https://build.opensuse.org/package/show/security:SELinux/selinux-policy?expand=0&rev=76 2020-06-02 17:31:08 +02:00			`/var/adm/netconfig/md5/etc /etc`
			`/var/adm/netconfig/md5/var /var`
OBS-URL: https://build.opensuse.org/package/show/security:SELinux/selinux-policy?expand=0&rev=96 2021-03-12 08:59:19 +01:00			`/usr/etc /etc`