Commit Graph

97 Commits

Author SHA256 Message Date
Hu
bd548fda37 Accepting request 1128519 from home:cahu:branches:security:SELinux
- Update to version 20231124:
  * Allow virtnetworkd_t to execute bin_t (bsc#1216903)
- Add new modules that were missed in the last update to 
  modules-mls-contrib.conf

OBS-URL: https://build.opensuse.org/request/show/1128519
OBS-URL: https://build.opensuse.org/package/show/security:SELinux/selinux-policy?expand=0&rev=200
2023-11-24 09:58:31 +00:00
Hu
0a269ab03e Accepting request 1128143 from home:cahu:branches:security:SELinux
- Add new modules that were missed in the last update to 
  modules-targeted-contrib.conf

OBS-URL: https://build.opensuse.org/request/show/1128143
OBS-URL: https://build.opensuse.org/package/show/security:SELinux/selinux-policy?expand=0&rev=198
2023-11-22 13:59:55 +00:00
Hu
043e5338e1 Accepting request 1121138 from home:cahu:branches:security:SELinux
- Update to version 20231030: Big policy sync with upstream policy
  * Allow system_mail_t manage exim spool files and dirs
  * Dontaudit keepalived setattr on keepalived_unconfined_script_exec_t
  * Label /run/pcsd.socket with cluster_var_run_t
  * ci: Run cockpit tests in PRs
  * Add map_read map_write to kernel_prog_run_bpf
  * Allow systemd-fstab-generator read all symlinks
  * Allow systemd-fstab-generator the dac_override capability
  * Allow rpcbind read network sysctls
  * Support using systemd containers
  * Allow sysadm_t to connect to iscsid using a unix domain stream socket
  * Add policy for coreos installer
  * Add policy for nvme-stas
  * Confine systemd fstab,sysv,rc-local
  * Label /etc/aliases.lmdb with etc_aliases_t
  * Create policy for afterburn
  * Make new virt drivers permissive
  * Split virt policy, introduce virt_supplementary module
  * Allow apcupsd cgi scripts read /sys
  * Allow kernel_t to manage and relabel all files
  * Add missing optional_policy() to files_relabel_all_files()
  * Allow named and ndc use the io_uring api
  * Deprecate common_anon_inode_perms usage
  * Improve default file context(None) of /var/lib/authselect/backups
  * Allow udev_t to search all directories with a filesystem type
  * Implement proper anon_inode support
  * Allow targetd write to the syslog pid sock_file
  * Add ipa_pki_retrieve_key_exec() interface
  * Allow kdumpctl_t to list all directories with a filesystem type
  * Allow udev additional permissions
  * Allow udev load kernel module
  * Allow sysadm_t to mmap modules_object_t files
  * Add the unconfined_read_files() and unconfined_list_dirs() interfaces
  * Set default file context of HOME_DIR/tmp/.* to <<none>>
  * Allow kernel_generic_helper_t to execute mount(1)
  * Allow sssd send SIGKILL to passkey_child running in ipa_otpd_t
  * Allow systemd-localed create Xserver config dirs
  * Allow sssd read symlinks in /etc/sssd
  * Label /dev/gnss[0-9] with gnss_device_t
  * Allow systemd-sleep read/write efivarfs variables
  * ci: Fix version number of packit generated srpms
  * Dontaudit rhsmcertd write memory device
  * Allow ssh_agent_type create a sockfile in /run/user/USERID
  * Set default file context of /var/lib/authselect/backups to <<none>>
  * Allow prosody read network sysctls
  * Allow cupsd_t to use bpf capability
  * Allow sssd domain transition on passkey_child execution conditionally
  * Allow login_userdomain watch lnk_files in /usr
  * Allow login_userdomain watch video4linux devices
  * Change systemd-network-generator transition to include class file
  * Revert "Change file transition for systemd-network-generator"
  * Allow nm-dispatcher winbind plugin read/write samba var files
  * Allow systemd-networkd write to cgroup files
  * Allow kdump create and use its memfd: objects
  * Allow fedora-third-party get generic filesystem attributes
  * Allow sssd use usb devices conditionally
  * Update policy for qatlib
  * Allow ssh_agent_type manage generic cache home files
  * Change file transition for systemd-network-generator
  * Additional support for gnome-initial-setup
  * Update gnome-initial-setup policy for geoclue
  * Allow openconnect vpn open vhost net device
  * Allow cifs.upcall to connect to SSSD also through the /var/run socket
  * Grant cifs.upcall more required capabilities
  * Allow xenstored map xenfs files
  * Update policy for fdo
  * Allow keepalived watch var_run dirs
  * Allow svirt to rw /dev/udmabuf
  * Allow qatlib  to modify hardware state information.
  * Allow key.dns_resolve connect to avahi over a unix stream socket
  * Allow key.dns_resolve create and use unix datagram socket
  * Use quay.io as the container image source for CI
  * ci: Move srpm/rpm build to packit
  * .copr: Avoid subshell and changing directory
  * Allow gpsd, oddjob and oddjob_mkhomedir_t write user_tty_device_t chr_file
  * Label /usr/libexec/openssh/ssh-pkcs11-helper with ssh_agent_exec_t
  * Make insights_client_t an unconfined domain
  * Allow insights-client manage user temporary files
  * Allow insights-client create all rpm logs with a correct label
  * Allow insights-client manage generic logs
  * Allow cloud_init create dhclient var files and init_t manage net_conf_t
  * Allow insights-client read and write cluster tmpfs files
  * Allow ipsec read nsfs files
  * Make tuned work with mls policy
  * Remove nsplugin_role from mozilla.if
  * allow mon_procd_t self:cap_userns sys_ptrace
  * Allow pdns name_bind and name_connect all ports
  * Set the MLS range of fsdaemon_t to s0 - mls_systemhigh
  * ci: Move to actions/checkout@v3 version
  * .copr: Replace chown call with standard workflow safe.directory setting
  * .copr: Enable `set -u` for robustness
  * .copr: Simplify root directory variable
  * Allow rhsmcertd dbus chat with policykit
  * Allow polkitd execute pkla-check-authorization with nnp transition
  * Allow user_u and staff_u get attributes of non-security dirs
  * Allow unconfined user filetrans chrome_sandbox_home_t
  * Allow svnserve execute postdrop with a transition
  * Do not make postfix_postdrop_t type an MTA executable file
  * Allow samba-dcerpc service manage samba tmp files
  * Add use_nfs_home_dirs boolean for mozilla_plugin
  * Fix labeling for no-stub-resolv.conf
  * Revert "Allow winbind-rpcd use its private tmp files"
  * Allow upsmon execute upsmon via a helper script
  * Allow openconnect vpn read/write inherited vhost net device
  * Allow winbind-rpcd use its private tmp files
  * Update samba-dcerpc policy for printing
  * Allow gpsd,oddjob,oddjob_mkhomedir rw user domain pty
  * Allow nscd watch system db dirs
  * Allow qatlib to read sssd public files
  * Allow fedora-third-party read /sys and proc
  * Allow systemd-gpt-generator mount a tmpfs filesystem
  * Allow journald write to cgroup files
  * Allow rpc.mountd read network sysctls
  * Allow blueman read the contents of the sysfs filesystem
  * Allow logrotate_t to map generic files in /etc
  * Boolean: Allow virt_qemu_ga create ssh directory
  * Allow systemd-network-generator send system log messages
  * Dontaudit the execute permission on sock_file globally
  * Allow fsadm_t the file mounton permission
  * Allow named and ndc the io_uring sqpoll permission
  * Allow sssd io_uring sqpoll permission
  * Fix location for /run/nsd
  * Allow qemu-ga get fixed disk devices attributes
  * Update bitlbee policy
  * Label /usr/sbin/sos with sosreport_exec_t
  * Update policy for the sblim-sfcb service
  * Add the files_getattr_non_auth_dirs() interface
  * Fix the CI to work with DNF5
  * Make systemd_tmpfiles_t MLS trusted for lowering the level of files
  * Revert "Allow insights client map cache_home_t"
  * Allow nfsidmapd connect to systemd-machined over a unix socket
  * Allow snapperd connect to kernel over a unix domain stream socket
  * Allow virt_qemu_ga_t create .ssh dir with correct label
  * Allow targetd read network sysctls
  * Set the abrt_handle_event boolean to on
  * Permit kernel_t to change the user identity in object contexts
  * Allow insights client map cache_home_t
  * Label /usr/sbin/mariadbd with mysqld_exec_t
  * Allow httpd tcp connect to redis port conditionally
  * Label only /usr/sbin/ripd and ripngd with zebra_exec_t
  * Dontaudit aide the execmem permission
  * Remove permissive from fdo
  * Allow sa-update manage spamc home files
  * Allow sa-update connect to systemlog services
  * Label /usr/lib/systemd/system/mimedefang.service with antivirus_unit_file_t
  * Allow nsd_crond_t write nsd_var_run_t & connectto nsd_t
  * Allow bootupd search EFI directory
  * Change init_audit_control default value to true
  * Allow nfsidmapd connect to systemd-userdbd with a unix socket
  * Add the qatlib  module
  * Add the fdo module
  * Add the bootupd module
  * Set default ports for keylime policy
  * Create policy for qatlib
  * Add policy for FIDO Device Onboard
  * Add policy for bootupd
  * Add support for kafs-dns requested by keyutils
  * Allow insights-client execmem
  * Add support for chronyd-restricted
  * Add init_explicit_domain() interface
  * Allow fsadm_t to get attributes of cgroup filesystems
  * Add list_dir_perms to kerberos_read_keytab
  * Label /var/run/tmpfiles.d/static-nodes.conf with kmod_var_run_t
  * Allow sendmail manage its runtime files

OBS-URL: https://build.opensuse.org/request/show/1121138
OBS-URL: https://build.opensuse.org/package/show/security:SELinux/selinux-policy?expand=0&rev=196
2023-10-30 11:05:50 +00:00
Hu
af77709c80 Accepting request 1117134 from home:cahu:branches:security:SELinux
- Update to version 20231012:
  * Allow sssd_t watch permission to net_conf_t dirs (bsc#1216052)
  * Revert fix for bsc#1205770 since it causes a regression for bsc#1214887

OBS-URL: https://build.opensuse.org/request/show/1117134
OBS-URL: https://build.opensuse.org/package/show/security:SELinux/selinux-policy?expand=0&rev=194
2023-10-12 08:42:29 +00:00
Hu
ecba8b0d6b Accepting request 1115645 from home:jsegitz:branches:security:SELinux_3
- Use /var/adm/update-scripts in macros.selinux-policy. The rpm state
  directory doesn't exist on SUSE systems (bsc#1213593)

OBS-URL: https://build.opensuse.org/request/show/1115645
OBS-URL: https://build.opensuse.org/package/show/security:SELinux/selinux-policy?expand=0&rev=192
2023-10-04 15:03:23 +00:00
Johannes Segitz
fe4723a538 Accepting request 1112155 from home:jsegitz:branches:security:SELinux_2
- Modified update.sh to require first parameter "full" to also
  update container-selinux. For maintenance updates you usually
  don't want it to be updated

OBS-URL: https://build.opensuse.org/request/show/1112155
OBS-URL: https://build.opensuse.org/package/show/security:SELinux/selinux-policy?expand=0&rev=191
2023-09-20 14:15:21 +00:00
a975c36105 Accepting request 1101214 from home:fbonazzi:branches:security:SELinux
- Update to version 20230728:
  * Allow kdump_t to manage symlinks under kdump_var_lib_t (bsc#1213721)
  * allow haveged to manage tmpfs directories (bsc#1213594)

OBS-URL: https://build.opensuse.org/request/show/1101214
OBS-URL: https://build.opensuse.org/package/show/security:SELinux/selinux-policy?expand=0&rev=189
2023-07-28 15:00:26 +00:00
Johannes Segitz
3c8840090d Accepting request 1094792 from home:jsegitz:branches:security:SELinux
- Update to version 20230622:
  * Allow keyutils_dns_resolver_exec_t be an entrypoint
  * Allow collectd_t read network state symlinks
  * Revert "Allow collectd_t read proc_net link files"
  * Allow nfsd_t to list exports_t dirs
  * Allow cupsd dbus chat with xdm
  * Allow haproxy read hardware state information
  * Label /dev/userfaultfd with userfaultfd_t
  * Allow blueman send general signals to unprivileged user domains
  * Allow dkim-milter domain transition to sendmail

OBS-URL: https://build.opensuse.org/request/show/1094792
OBS-URL: https://build.opensuse.org/package/show/security:SELinux/selinux-policy?expand=0&rev=187
2023-06-23 08:08:16 +00:00
Johannes Segitz
ebe0d17ed3 Accepting request 1082788 from home:cahu:branches:security:SELinux
- Update to version 20230425:
  * Remove unneeded manage_dirs_pattern for lastlog_t (bsc#1210461)
  * Add policy for wtmpdb (bsc#1210717)

OBS-URL: https://build.opensuse.org/request/show/1082788
OBS-URL: https://build.opensuse.org/package/show/security:SELinux/selinux-policy?expand=0&rev=185
2023-04-25 15:21:22 +00:00
Johannes Segitz
f366bc7fbe Accepting request 1082736 from home:cahu:branches:security:SELinux
- Update to version 20230425:
  * Add support for lastlog2 (bsc#1210461)
  * allow the chrony client to use unallocated ttys (bsc#1210672)

OBS-URL: https://build.opensuse.org/request/show/1082736
OBS-URL: https://build.opensuse.org/package/show/security:SELinux/selinux-policy?expand=0&rev=184
2023-04-25 11:41:50 +00:00
Johannes Segitz
572a533f73 Accepting request 1080814 from home:jsegitz:branches:security:SELinux
- Update to version 20230420:
  * libzypp creates temporary files in /var/adm/mount. Label it with
    rpm_var_cache_t to prevent wrong labels in /var/cache/zypp
  * only use rsync_exec_t for the rsync server, not for the client
    (bsc#1209890)
  * properly label sshd-gen-keys-start to ensure ssh host keys have proper
    labels after creation
  * Allow dovecot-deliver write to the main process runtime fifo files
  * Allow dmidecode write to cloud-init tmp files
  * Allow chronyd send a message to cloud-init over a datagram socket
  * Allow cloud-init domain transition to insights-client domain
  * Allow mongodb read filesystem sysctls
  * Allow mongodb read network sysctls
  * Allow accounts-daemon read generic systemd unit lnk files
  * Allow blueman watch generic device dirs
  * Allow nm-dispatcher tlp plugin create tlp dirs
  * Allow systemd-coredump mounton /usr
  * Allow rabbitmq to read network sysctls
  * Allow certmonger dbus chat with the cron system domain
  * Allow geoclue read network sysctls
  * Allow geoclue watch the /etc directory
  * Allow logwatch_mail_t read network sysctls
  * allow systemd_resolved_t to bind to all nodes (bsc#1200182)
  * Allow insights-client read all sysctls
  * Allow passt manage qemu pid sock files
  * Allow sssd read accountsd fifo files
  * Add support for the passt_t domain
  * Allow virtd_t and svirt_t work with passt
  * Add new interfaces in the virt module
  * Add passt interfaces defined conditionally

OBS-URL: https://build.opensuse.org/request/show/1080814
OBS-URL: https://build.opensuse.org/package/show/security:SELinux/selinux-policy?expand=0&rev=181
2023-04-20 11:04:43 +00:00
Johannes Segitz
2c0b161ac5 Accepting request 1075010 from home:cahu:branches:security:SELinux
- Add debug-build.sh script to make debugging without committing easier

OBS-URL: https://build.opensuse.org/request/show/1075010
OBS-URL: https://build.opensuse.org/package/show/security:SELinux/selinux-policy?expand=0&rev=180
2023-03-28 12:44:26 +00:00
Johannes Segitz
4bd800106f Accepting request 1073586 from home:jsegitz:branches:security:SELinux
- Update to version 20230321:
  * make kernel_t unconfined again

OBS-URL: https://build.opensuse.org/request/show/1073586
OBS-URL: https://build.opensuse.org/package/show/security:SELinux/selinux-policy?expand=0&rev=178
2023-03-21 15:56:46 +00:00
Johannes Segitz
a019d5e5d8 process easier in general. Updated README.Update
OBS-URL: https://build.opensuse.org/package/show/security:SELinux/selinux-policy?expand=0&rev=176
2023-03-17 11:19:42 +00:00
Johannes Segitz
00949e479d Accepting request 1072556 from home:jsegitz:branches:security:SELinux_final
OBS-URL: https://build.opensuse.org/request/show/1072556
OBS-URL: https://build.opensuse.org/package/show/security:SELinux/selinux-policy?expand=0&rev=175
2023-03-17 10:46:53 +00:00
Johannes Segitz
330c32dde1 Accepting request 1065970 from home:cahu:branches:security:SELinux
- Complete packaging rework: Move policy to git repository and
  only use tar_scm obs service to refresh from there: 
  https://gitlab.suse.de/selinux/selinux-policy
  Please use `osc service manualrun` to update this OBS package to the 
  newest git version.
  * Added README.Update describing how to update this package
  * Added _service file that pulls from selinux-policy and 
    upstream container-selinux and tars them
  * Adapted selinux-policy.spec to build selinux-policy with
    container-selinux
  * Removed update.sh as no longer needed
  * Removed suse specific modules as they are now covered by git commits
    * packagekit.te packagekit.if packagekit.fc
    * rebootmgr.te rebootmgr.if rebootmgr.fc
    * rtorrent.te rtorrent.if rtorrent.fc
    * wicked.te wicked.if wicked.fc
  * Removed *.patch as they are now covered by git commits:
    * distro_suse_to_distro_redhat.patch
    * dontaudit_interface_kmod_tmpfs.patch
    * fix_accountsd.patch
    * fix_alsa.patch
    * fix_apache.patch
    * fix_auditd.patch
    * fix_authlogin.patch
    * fix_automount.patch
    * fix_bitlbee.patch
    * fix_chronyd.patch
    * fix_cloudform.patch
    * fix_colord.patch
    * fix_corecommand.patch
    * fix_cron.patch
    * fix_dbus.patch
    * fix_djbdns.patch
    * fix_dnsmasq.patch
    * fix_dovecot.patch
    * fix_entropyd.patch
    * fix_firewalld.patch
    * fix_fwupd.patch
    * fix_geoclue.patch
    * fix_hypervkvp.patch
    * fix_init.patch
    * fix_ipsec.patch
    * fix_iptables.patch
    * fix_irqbalance.patch
    * fix_java.patch
    * fix_kernel.patch
    * fix_kernel_sysctl.patch
    * fix_libraries.patch
    * fix_locallogin.patch
    * fix_logging.patch
    * fix_logrotate.patch
    * fix_mcelog.patch
    * fix_miscfiles.patch
    * fix_nagios.patch
    * fix_networkmanager.patch
    * fix_nis.patch
    * fix_nscd.patch
    * fix_ntp.patch
    * fix_openvpn.patch
    * fix_postfix.patch
    * fix_rpm.patch
    * fix_rtkit.patch
    * fix_screen.patch
    * fix_selinuxutil.patch
    * fix_sendmail.patch
    * fix_smartmon.patch
    * fix_snapper.patch
    * fix_sslh.patch
    * fix_sysnetwork.patch
    * fix_systemd.patch
    * fix_systemd_watch.patch
    * fix_thunderbird.patch
    * fix_unconfined.patch
    * fix_unconfineduser.patch
    * fix_unprivuser.patch
    * fix_userdomain.patch
    * fix_usermanage.patch
    * fix_wine.patch
    * fix_xserver.patch
    * sedoctool.patch
    * systemd_domain_dyntrans_type.patch

OBS-URL: https://build.opensuse.org/request/show/1065970
OBS-URL: https://build.opensuse.org/package/show/security:SELinux/selinux-policy?expand=0&rev=173
2023-02-16 07:31:19 +00:00
Johannes Segitz
2c0c138859 Accepting request 1063441 from home:jsegitz:branches:security:SELinux
- Update to version 20230206. Refreshed:
  * fix_entropyd.patch
  * fix_networkmanager.patch
  * fix_systemd_watch.patch
  * fix_unconfineduser.patch
- Updated fix_kernel.patch to allow kernel_t access to xdm state. This is
  necessary as plymouth doesn't run in it's own domain in early boot

OBS-URL: https://build.opensuse.org/request/show/1063441
OBS-URL: https://build.opensuse.org/package/show/security:SELinux/selinux-policy?expand=0&rev=172
2023-02-06 15:32:26 +00:00
Johannes Segitz
c4556003bf Accepting request 1061575 from home:jsegitz:branches:security:SELinux
- Update to version 20230125. Refreshed:
  * distro_suse_to_distro_redhat.patch
  * fix_dnsmasq.patch
  * fix_init.patch
  * fix_ipsec.patch
  * fix_kernel_sysctl.patch
  * fix_logging.patch
  * fix_rpm.patch
  * fix_selinuxutil.patch
  * fix_systemd_watch.patch
  * fix_userdomain.patch
- More flexible lib(exec) matching in fix_fwupd.patch
- Removed sys_admin for systemd_gpt_generator_t in fix_systemd.patch
- Dropped fix_container.patch, is now upstream
- Added fix_entropyd.patch
  * Added new interface entropyd_semaphore_filetrans to properly transfer
    semaphore created during early boot. That doesn't work yet, so work
    around with next item
  * Allow reading tempfs files
- Added fix_kernel.patch. Added modutils_execute_kmod_tmpfs_files interace
  to allow kmod_tmpfs_t files to be executed. Necessary for firewalld
- Added fix_rtkit.patch to fix labeling of binary
- Modified fix_ntp.patch:
  * Proper labeling for start-ntpd
  * Fixed label rules for chroot path
  * Temporarily allow dac_override for ntpd_t (bsc#1207577)
  * Add interface ntp_manage_pid_files to allow management of pid
    files
- Updated fix_networkmanager.patch to allow managing ntp pid files

OBS-URL: https://build.opensuse.org/request/show/1061575
OBS-URL: https://build.opensuse.org/package/show/security:SELinux/selinux-policy?expand=0&rev=171
2023-01-27 14:51:33 +00:00
Johannes Segitz
5b345f822c Accepting request 1058003 from home:jsegitz:branches:security:SELinux
- Update fix_container.patch to allow privileged containers to use
  localectl (bsc#1207077)

OBS-URL: https://build.opensuse.org/request/show/1058003
OBS-URL: https://build.opensuse.org/package/show/security:SELinux/selinux-policy?expand=0&rev=169
2023-01-12 13:57:34 +00:00
Johannes Segitz
8beb2b3f3b Accepting request 1057912 from home:jsegitz:branches:security:SELinux
- Add fix_container.patch to allow privileged containers to use
  timedatectl (bsc#1207054)

OBS-URL: https://build.opensuse.org/request/show/1057912
OBS-URL: https://build.opensuse.org/package/show/security:SELinux/selinux-policy?expand=0&rev=168
2023-01-12 07:15:59 +00:00
Johannes Segitz
411b89e9ec Accepting request 1043182 from home:cahu:branches:security:SELinux
- Added fix_ipsec.patch: Allow AF_ALG socket creation for strongswan
  (bnc#1206445)

OBS-URL: https://build.opensuse.org/request/show/1043182
OBS-URL: https://build.opensuse.org/package/show/security:SELinux/selinux-policy?expand=0&rev=166
2022-12-16 07:55:17 +00:00
Johannes Segitz
60d1d0d29a Accepting request 1042962 from home:cahu:branches:security:SELinux
- Added policy for wicked scripts under /etc/sysconfig/network/scripts
  (bnc#1205770)

OBS-URL: https://build.opensuse.org/request/show/1042962
OBS-URL: https://build.opensuse.org/package/show/security:SELinux/selinux-policy?expand=0&rev=164
2022-12-15 09:32:29 +00:00
Johannes Segitz
48d925e070 Accepting request 1042948 from home:jsegitz:branches:security:SELinux
- Add fix_sendmail.patch 
  * fix context of custom sendmail startup helper
  * fix context of /var/run/sendmail and add necessary rules to manage
    content in there

OBS-URL: https://build.opensuse.org/request/show/1042948
OBS-URL: https://build.opensuse.org/package/show/security:SELinux/selinux-policy?expand=0&rev=163
2022-12-14 15:43:48 +00:00
Johannes Segitz
9deff280f8 Accepting request 1042579 from home:jsegitz:branches:security:SELinux
- Updated fix_networkmanager.patch to fixe labeling of nm-dispatcher and
  nm-priv-helper until the packaging is adjusted (bsc#1206355)
- Update fix_chronyd.patch to allow  sendto towards
  NetworkManager_dispatcher_custom_t. Added new interface
  networkmanager_dispatcher_custom_dgram_send for this (bsc#1206357)
- Update fix_dbus.patch to allow dbus to watch lib directories (bsc#1205895)

- Updated fix_networkmanager.patch to allow NetworkManager to watch
  net_conf_t (bsc#1206109)

OBS-URL: https://build.opensuse.org/request/show/1042579
OBS-URL: https://build.opensuse.org/package/show/security:SELinux/selinux-policy?expand=0&rev=161
2022-12-13 09:20:16 +00:00
Johannes Segitz
f46ad9aabe Accepting request 1039192 from home:fbonazzi:branches:security:SELinux
- Add fix_irqbalance.patch: support netlink socket operations (bsc#1205434)
- Drop fix_irqbalance.patch: superseded by upstream

OBS-URL: https://build.opensuse.org/request/show/1039192
OBS-URL: https://build.opensuse.org/package/show/security:SELinux/selinux-policy?expand=0&rev=159
2022-12-01 07:07:05 +00:00
Johannes Segitz
7cbab402c1 Accepting request 1037928 from home:cahu:branches:security:SELinux
- fix_sysnetwork.patch: firewalld uses /etc/sysconfig/network/ for
  network interface definition instead of /etc/sysconfig/network-scripts/,
  modified sysnetwork.fc to reflect that (bsc#1205580).

OBS-URL: https://build.opensuse.org/request/show/1037928
OBS-URL: https://build.opensuse.org/package/show/security:SELinux/selinux-policy?expand=0&rev=157
2022-11-25 08:00:09 +00:00
Johannes Segitz
b66c2b8ce6 Accepting request 1035580 from home:jsegitz:branches:security:SELinux
- Update to version 20221019. Refreshed:
  * distro_suse_to_distro_redhat.patch
  * fix_apache.patch
  * fix_chronyd.patch
  * fix_cron.patch
  * fix_init.patch
  * fix_kernel_sysctl.patch
  * fix_networkmanager.patch
  * fix_rpm.patch
  * fix_sysnetwork.patch
  * fix_systemd.patch
  * fix_systemd_watch.patch
  * fix_unconfined.patch
  * fix_unconfineduser.patch
  * fix_unprivuser.patch
  * fix_xserver.patch
- Dropped fix_cockpit.patch as this is now packaged with cockpit itself
- Remove the ipa module, freeip ships their own module
- Added fix_alsa.patch to allow reading of config files in home directories
- Extended fix_networkmanager.patch and fix_postfix.patch to account
  for SUSE systems
- Added dontaudit_interface_kmod_tmpfs.patch to prevent AVCs when startproc
  queries the running processes
- Updated fix_snapper.patch to allow snapper to talk to rpm via dbus

OBS-URL: https://build.opensuse.org/request/show/1035580
OBS-URL: https://build.opensuse.org/package/show/security:SELinux/selinux-policy?expand=0&rev=155
2022-11-14 08:27:42 +00:00
OBS User buildservice-autocommit
124e8026e4 Updating link to change in openSUSE:Factory/selinux-policy revision 35
OBS-URL: https://build.opensuse.org/package/show/security:SELinux/selinux-policy?expand=0&rev=74bbc58f85e33fdb068953a18504e591
2022-10-24 09:13:01 +00:00
Johannes Segitz
71b9302857 Accepting request 1030151 from home:jsegitz:branches:security:SELinux
- Update to version 20221019. Refreshed:
  * distro_suse_to_distro_redhat.patch
  * fix_apache.patch
  * fix_chronyd.patch
  * fix_cron.patch
  * fix_init.patch
  * fix_kernel_sysctl.patch
  * fix_networkmanager.patch
  * fix_rpm.patch
  * fix_sysnetwork.patch
  * fix_systemd.patch
  * fix_systemd_watch.patch
  * fix_unconfined.patch
  * fix_unconfineduser.patch
  * fix_unprivuser.patch
  * fix_xserver.patch
- Dropped fix_cockpit.patch as this is now packaged with cockpit itself
- Remove the ipa module, freeip ships their own module
- Added fix_alsa.patch to allow reading of config files in home directories
- Extended fix_networkmanager.patch and fix_postfix.patch to account
  for SUSE systems
- Added dontaudit_interface_kmod_tmpfs.patch to prevent AVCs when startproc
  queries the running processes
- Updated fix_snapper.patch to allow snapper to talk to rpm via dbus

OBS-URL: https://build.opensuse.org/request/show/1030151
OBS-URL: https://build.opensuse.org/package/show/security:SELinux/selinux-policy?expand=0&rev=153
2022-10-20 12:00:31 +00:00
Johannes Segitz
46df3a4a90 Accepting request 1007183 from home:jsegitz:branches:security:SELinux
- Updated quilt couldn't unpack tarball. This will cause ongoing issues
  so drop the sed statement in the %prep section and add 
  distro_suse_to_distro_redhat.patch to add the necessary changes
  via a patch

OBS-URL: https://build.opensuse.org/request/show/1007183
OBS-URL: https://build.opensuse.org/package/show/security:SELinux/selinux-policy?expand=0&rev=150
2022-09-30 08:11:19 +00:00
Johannes Segitz
7954ef729d OBS-URL: https://build.opensuse.org/package/show/security:SELinux/selinux-policy?expand=0&rev=149 2022-09-29 15:53:47 +00:00
Johannes Segitz
e785903b85 Accepting request 1007013 from home:jsegitz:branches:security:SELinux
chrony helper script has proper label to be used by NetworkManager.
  Also allow NetworkManager_dispatcher_custom_t to query systemd status

OBS-URL: https://build.opensuse.org/request/show/1007013
OBS-URL: https://build.opensuse.org/package/show/security:SELinux/selinux-policy?expand=0&rev=148
2022-09-29 15:51:37 +00:00
Johannes Segitz
d25433c6c5 Accepting request 1006965 from home:jsegitz:branches:security:SELinux
- Update fix_networkmanager.patch to ensure NetworkManager chrony
  dispatcher is properly labled and update fix_chronyd.patch to ensure
  chrony helper script has proper label to be used by NetworkManager
  (bsc#1203824)

>>>>>>> ./selinux-policy.changes.new
- Revamped rtorrent module

OBS-URL: https://build.opensuse.org/request/show/1006965
OBS-URL: https://build.opensuse.org/package/show/security:SELinux/selinux-policy?expand=0&rev=147
2022-09-29 14:06:49 +00:00
Johannes Segitz
31bb56f011 Accepting request 1006413 from home:fbonazzi:branches:security:SELinux
- Update fix_xserver.patch to add greetd support (bsc#1198559)

OBS-URL: https://build.opensuse.org/request/show/1006413
OBS-URL: https://build.opensuse.org/package/show/security:SELinux/selinux-policy?expand=0&rev=146
2022-09-28 07:58:24 +00:00
Johannes Segitz
f2882ce2e3 Accepting request 999336 from home:kukuk:branches:security:SELinux
- Move SUSE directory from manual page section to html docu

OBS-URL: https://build.opensuse.org/request/show/999336
OBS-URL: https://build.opensuse.org/package/show/security:SELinux/selinux-policy?expand=0&rev=144
2022-09-02 07:11:53 +00:00
33f33589cc Accepting request 999189 from home:djz88:branches:security:SELinux
Corrected wrong bnc in changelog (correct is bnc#1201015)

OBS-URL: https://build.opensuse.org/request/show/999189
OBS-URL: https://build.opensuse.org/package/show/security:SELinux/selinux-policy?expand=0&rev=142
2022-08-25 10:10:46 +00:00
Johannes Segitz
bb74e8e79e Accepting request 991528 from home:djz88:branches:security:SELinux
OBS-URL: https://build.opensuse.org/request/show/991528
OBS-URL: https://build.opensuse.org/package/show/security:SELinux/selinux-policy?expand=0&rev=140
2022-07-28 13:16:02 +00:00
Johannes Segitz
2c8b63a3f9 Accepting request 991423 from home:cahu:branches:security:SELinux
- fix_networkmanager.patch: Allow NetworkManager_dispatcher_tlp_t 
  and NetworkManager_dispatcher_custom_t to access nscd socket 
  (bsc#1201741)

OBS-URL: https://build.opensuse.org/request/show/991423
OBS-URL: https://build.opensuse.org/package/show/security:SELinux/selinux-policy?expand=0&rev=139
2022-07-27 15:24:55 +00:00
Johannes Segitz
c45601e60c Accepting request 989142 from home:jsegitz:branches:security:SELinux
- Update to version 20220714. Refreshed:
  * fix_init.patch
  * fix_systemd_watch.patch

OBS-URL: https://build.opensuse.org/request/show/989142
OBS-URL: https://build.opensuse.org/package/show/security:SELinux/selinux-policy?expand=0&rev=137
2022-07-14 11:30:19 +00:00
Johannes Segitz
08dba4d639 Accepting request 988934 from home:jsegitz:branches:security:SELinux
- Update fix_systemd.patch to add cap sys_admin and kernel_dgram_send for
  systemd_gpt_generator_t (bsc#1200911)

OBS-URL: https://build.opensuse.org/request/show/988934
OBS-URL: https://build.opensuse.org/package/show/security:SELinux/selinux-policy?expand=0&rev=135
2022-07-13 08:54:50 +00:00
Johannes Segitz
80bdcc2619 Accepting request 988924 from home:jsegitz:branches:security:SELinux
- Update fix_systemd.patch to add sys_admin systemd_gpt_generator_t
  (bsc#1200911)

- postfix: Label PID files and some helpers correctly (bsc#1197242)

- Add fix_userdomain.patch to dontaudit UDP rpc ports (bsc#1193984)

OBS-URL: https://build.opensuse.org/request/show/988924
OBS-URL: https://build.opensuse.org/package/show/security:SELinux/selinux-policy?expand=0&rev=134
2022-07-13 08:15:29 +00:00
Johannes Segitz
a7283c99d6 Accepting request 984855 from home:jsegitz:branches:security:SELinux
- Update to version 20220624. Refreshed:
  * fix_init.patch
  * fix_kernel_sysctl.patch
  * fix_logging.patch
  * fix_networkmanager.patch
  * fix_unprivuser.patch
  Dropped fix_hadoop.patch, not necessary anymore
* Updated fix_locallogin.patch to allow accesses for nss-systemd 
  (bsc#1199630)

OBS-URL: https://build.opensuse.org/request/show/984855
OBS-URL: https://build.opensuse.org/package/show/security:SELinux/selinux-policy?expand=0&rev=132
2022-06-24 09:40:15 +00:00
Johannes Segitz
11a4df6bd1 Accepting request 978296 from home:jsegitz:branches:security:SELinux
- Update to version 20220520 to pass stricter 3.4 toolchain checks

OBS-URL: https://build.opensuse.org/request/show/978296
OBS-URL: https://build.opensuse.org/package/show/security:SELinux/selinux-policy?expand=0&rev=130
2022-05-20 14:53:12 +00:00
Johannes Segitz
0ae8014c7e Accepting request 978251 from home:jsegitz:branches:security:SELinux_3.3
- Update to version 20220428. Refreshed:
  * fix_apache.patch
  * fix_hadoop.patch
  * fix_init.patch
  * fix_iptables.patch
  * fix_kernel_sysctl.patch
  * fix_networkmanager.patch
  * fix_systemd.patch
  * fix_systemd_watch.patch
  * fix_unprivuser.patch
  * fix_usermanage.patch
  * fix_wine.patch

OBS-URL: https://build.opensuse.org/request/show/978251
OBS-URL: https://build.opensuse.org/package/show/security:SELinux/selinux-policy?expand=0&rev=129
2022-05-20 09:46:20 +00:00
Johannes Segitz
c6e85fecc6 Accepting request 978218 from home:jsegitz:branches:security:SELinux_3.3
- Add fix_dnsmasq.patch to fix problems with virtualization on Microos
  (bsc#1199518)

- Modified fix_init.patch to allow init to setup contrained environment
  for accountsservice. This needs a better, more general solution
  (bsc#1197610)

- Add systemd_domain_dyntrans_type.patch to allow systemd to dyntransition.
  This happens in certain boot conditions (bsc#1182500)
- Changed fix_unconfineduser.patch to not transition into ldconfig_t
  from unconfined_t (bsc#1197169)

OBS-URL: https://build.opensuse.org/request/show/978218
OBS-URL: https://build.opensuse.org/package/show/security:SELinux/selinux-policy?expand=0&rev=128
2022-05-20 07:36:43 +00:00
Johannes Segitz
d6ac89f53f Accepting request 955626 from home:kwk:branches:security:SELinux
- use %license tag for COPYING file

OBS-URL: https://build.opensuse.org/request/show/955626
OBS-URL: https://build.opensuse.org/package/show/security:SELinux/selinux-policy?expand=0&rev=127
2022-02-17 13:51:31 +00:00
Johannes Segitz
62d16518b2 Accepting request 953125 from home:jsegitz:branches:security:SELinux
- Updated fix_cron.patch. Adjust labeling for at (bsc#1195683)

OBS-URL: https://build.opensuse.org/request/show/953125
OBS-URL: https://build.opensuse.org/package/show/security:SELinux/selinux-policy?expand=0&rev=126
2022-02-10 10:25:04 +00:00
Johannes Segitz
863e94abf1 Accepting request 953118 from home:fbonazzi:branches:security:SELinux
- Fix bitlbee runtime directory (bsc#1193230)
  * add fix_bitlbee.patch

OBS-URL: https://build.opensuse.org/request/show/953118
OBS-URL: https://build.opensuse.org/package/show/security:SELinux/selinux-policy?expand=0&rev=125
2022-02-10 10:24:00 +00:00
Johannes Segitz
321f539d0b Accepting request 948331 from home:jsegitz:branches:security:SELinux
- Update to version 20220124. Refreshed:
  * fix_hadoop.patch
  * fix_init.patch
  * fix_kernel_sysctl.patch
  * fix_systemd.patch
  * fix_systemd_watch.patch
- Added fix_hypervkvp.patch to fix issues with hyperv labeling 
  (bsc#1193987)

OBS-URL: https://build.opensuse.org/request/show/948331
OBS-URL: https://build.opensuse.org/package/show/security:SELinux/selinux-policy?expand=0&rev=124
2022-01-24 08:43:41 +00:00
Johannes Segitz
445c681f20 Accepting request 947457 from home:jsegitz:branches:security:SELinux
- Allow colord to use systemd hardenings (bsc#1194631)

OBS-URL: https://build.opensuse.org/request/show/947457
OBS-URL: https://build.opensuse.org/package/show/security:SELinux/selinux-policy?expand=0&rev=123
2022-01-19 15:57:54 +00:00