1
0
Commit Graph

222 Commits

Author SHA256 Message Date
Ana Guerrero
229039d5a3 Accepting request 1178674 from security:SELinux
ATTENTION! Please accept this into factory at a similar time as the cockpit update to avoid issues with the cockpit-selinux module:
https://build.opensuse.org/request/show/1178504

OBS-URL: https://build.opensuse.org/request/show/1178674
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/selinux-policy?expand=0&rev=60
2024-06-06 10:30:52 +00:00
Hu
9e5280b8c1 Accepting request 1177623 from home:cahu:security:SELinux:fixleapbuild
- Use python311 tools in 15.4 and 15.5 when building selinux-policy to deprecate
  python36 tooling

OBS-URL: https://build.opensuse.org/request/show/1177623
OBS-URL: https://build.opensuse.org/package/show/security:SELinux/selinux-policy?expand=0&rev=223
2024-06-03 13:58:44 +00:00
Johannes Segitz
9f031f9f4b - Remove "Reference" from the package description. It's not the
reference policy, but the Fedora branch of the policy

OBS-URL: https://build.opensuse.org/package/show/security:SELinux/selinux-policy?expand=0&rev=222
2024-06-03 13:43:00 +00:00
Johannes Segitz
73def1f385 OBS-URL: https://build.opensuse.org/package/show/security:SELinux/selinux-policy?expand=0&rev=221 2024-05-13 13:45:21 +00:00
Johannes Segitz
70cb8675a3 Accepting request 1172709 from home:jsegitz:branches:security:SELinux_varrun
- Fixed varrun-convert.sh script to not break because of duplicate
  entries

OBS-URL: https://build.opensuse.org/request/show/1172709
OBS-URL: https://build.opensuse.org/package/show/security:SELinux/selinux-policy?expand=0&rev=220
2024-05-08 11:46:50 +00:00
Johannes Segitz
a50eda674e Accepting request 1172201 from home:jsegitz:branches:security:SELinux_6
- Move to %posttrans to ensure selinux-policy got updated before
  the commands run (bsc#1221720)

OBS-URL: https://build.opensuse.org/request/show/1172201
OBS-URL: https://build.opensuse.org/package/show/security:SELinux/selinux-policy?expand=0&rev=219
2024-05-06 14:44:10 +00:00
Hu
55bd7d562d Accepting request 1167823 from home:cahu:security:SELinux:policytest
- Add file contexts "forwarding" to file_contexts.sub_dist
  to fix systemd-gpt-auto-generator and systemd-fstab-generator
  (bsc#1222736):
  * /run/systemd/generator.early /usr/lib/systemd/system
  * /run/systemd/generator.late /usr/lib/systemd/system

OBS-URL: https://build.opensuse.org/request/show/1167823
OBS-URL: https://build.opensuse.org/package/show/security:SELinux/selinux-policy?expand=0&rev=218
2024-04-15 14:47:23 +00:00
Johannes Segitz
2eaa3b6b79 Accepting request 1166915 from home:cahu:security:SELinux:policytest
- Update to version 20240411:
  * Remove duplicate in sysnetwork.fc
  * Rename /var/run/wicked* to /run/wicked*
  * Remove /var/run/rsyslog/additional-log-sockets.conf from logging.fc
  * policy: support pidfs
  * Confine selinux-autorelabel-generator.sh
  * Allow logwatch_mail_t read/write to init over a unix stream socket
  * Allow logwatch read logind sessions files
  * files_dontaudit_getattr_tmpfs_files allowed the access and didn't dontaudit it
  * files_dontaudit_mounton_modules_object allowed the access and didn't dontaudit it
  * Allow NetworkManager the sys_ptrace capability in user namespace
  * dontaudit execmem for modemmanager
  * Allow dhcpcd use unix_stream_socket
  * Allow dhcpc read /run/netns files
  * Update mmap_rw_file_perms to include the lock permission
  * Allow plymouthd log during shutdown
  * Add logging_watch_all_log_dirs() and logging_watch_all_log_files()
  * Allow journalctl_t read filesystem sysctls
  * Allow cgred_t to get attributes of cgroup filesystems
  * Allow wdmd read hardware state information
  * Allow wdmd list the contents of the sysfs directories
  * Allow linuxptp configure phc2sys and chronyd over a unix domain socket
  * Allow sulogin relabel tty1
  * Dontaudit sulogin the checkpoint_restore capability
  * Modify sudo_role_template() to allow getpgid
  * Allow userdomain get attributes of files on an nsfs filesystem
  * Allow opafm create NFS files and directories
  * Allow virtqemud create and unlink files in /etc/libvirt/
  * Allow virtqemud domain transition on swtpm execution
  * Add the swtpm.if interface file for interactions with other domains
  * Allow samba to have dac_override capability
  * systemd: allow sys_admin capability for systemd_notify_t
  * systemd: allow systemd_notify_t to send data to kernel_t datagram sockets
  * Allow thumb_t to watch and watch_reads mount_var_run_t
  * Allow krb5kdc_t map krb5kdc_principal_t files
  * Allow unprivileged confined user dbus chat with setroubleshoot
  * Allow login_userdomain map files in /var
  * Allow wireguard work with firewall-cmd
  * Differentiate between staff and sysadm when executing crontab with sudo
  * Add crontab_admin_domtrans interface
  * Allow abrt_t nnp domain transition to abrt_handle_event_t
  * Allow xdm_t to watch and watch_reads mount_var_run_t
  * Dontaudit subscription manager setfscreate and read file contexts
  * Don't audit crontab_domain write attempts to user home
  * Transition from sudodomains to crontab_t when executing crontab_exec_t
  * Add crontab_domtrans interface
  * Fix label of pseudoterminals created from sudodomain
  * Allow utempter_t use ptmx
  * Dontaudit rpmdb attempts to connect to sssd over a unix stream socket
  * Allow admin user read/write on fixed_disk_device_t
  * Only allow confined user domains to login locally without unconfined_login
  * Add userdom_spec_domtrans_confined_admin_users interface
  * Only allow admindomain to execute shell via ssh with ssh_sysadm_login
  * Add userdom_spec_domtrans_admin_users interface
  * Move ssh dyntrans to unconfined inside unconfined_login tunable policy
  * Update ssh_role_template() for user ssh-agent type
  * Allow init to inherit system DBus file descriptors
  * Allow init to inherit fds from syslogd
  * Allow any domain to inherit fds from rpm-ostree
  * Update afterburn policy
  * Allow init_t nnp domain transition to abrtd_t
  * Rename all /var/lock file context entries to /run/lock
  * Rename all /var/run file context entries to /run
- Add script varrun-convert.sh for locally existing modules
  to be able to cope with the /var/run -> /run change
- Update embedded container-selinux to commit
  a8e389dbcd3f9b6ed0a7e495c6f559c0383dc49e

OBS-URL: https://build.opensuse.org/request/show/1166915
OBS-URL: https://build.opensuse.org/package/show/security:SELinux/selinux-policy?expand=0&rev=217
2024-04-12 07:02:14 +00:00
Ana Guerrero
b602490be5 Accepting request 1160077 from security:SELinux
OBS-URL: https://build.opensuse.org/request/show/1160077
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/selinux-policy?expand=0&rev=59
2024-03-22 14:18:04 +00:00
Johannes Segitz
7842134f14 Accepting request 1160076 from home:jsegitz:branches:security:SELinux_4
- Update to version 20240321:
  * policy module for kiwi (bsc#1221109)
  * dontaudit execmem for modemmanager (bsc#1219363)

OBS-URL: https://build.opensuse.org/request/show/1160076
OBS-URL: https://build.opensuse.org/package/show/security:SELinux/selinux-policy?expand=0&rev=215
2024-03-21 11:06:40 +00:00
Ana Guerrero
e202670cf7 Accepting request 1157662 from security:SELinux
- Update to version 20240313:
  * Assign alts_exec_t to files_type
- Update to version 20240308:
  * Support /bin/alts in the policy (bsc#1217530)
  * Revert "Allow virtnetworkd_t to execute bin_t (bsc#1216903)"
- Update to version 20240306:
  * Replace init domtrans rule for confined users to allow exec init
  * Update dbus_role_template() to allow user service status
  * Allow polkit status all systemd services
  * Allow setroubleshootd create and use inherited io_uring
  * Allow load_policy read and write generic ptys
- Update to version 20240304:
  * Allow ssh-keygen to use the libica crypto module (bsc#1220373)

OBS-URL: https://build.opensuse.org/request/show/1157662
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/selinux-policy?expand=0&rev=58
2024-03-14 16:42:42 +00:00
Hu
46446abef7 Accepting request 1157597 from home:cahu:branches:security:SELinux
- Update to version 20240313:
  * Assign alts_exec_t to files_type

OBS-URL: https://build.opensuse.org/request/show/1157597
OBS-URL: https://build.opensuse.org/package/show/security:SELinux/selinux-policy?expand=0&rev=213
2024-03-13 11:09:43 +00:00
Hu
12c8b54f47 Accepting request 1156292 from home:cahu:branches:security:SELinux
- Update to version 20240308:
  * Support /bin/alts in the policy (bsc#1217530)
  * Revert "Allow virtnetworkd_t to execute bin_t (bsc#1216903)"

OBS-URL: https://build.opensuse.org/request/show/1156292
OBS-URL: https://build.opensuse.org/package/show/security:SELinux/selinux-policy?expand=0&rev=212
2024-03-08 09:17:10 +00:00
Hu
00cf593a94 Accepting request 1155628 from home:cahu:branches:security:SELinux
- Update to version 20240306:
  * Replace init domtrans rule for confined users to allow exec init
  * Update dbus_role_template() to allow user service status
  * Allow polkit status all systemd services
  * Allow setroubleshootd create and use inherited io_uring
  * Allow load_policy read and write generic ptys

OBS-URL: https://build.opensuse.org/request/show/1155628
OBS-URL: https://build.opensuse.org/package/show/security:SELinux/selinux-policy?expand=0&rev=211
2024-03-07 09:31:38 +00:00
Hu
a8b7954413 Accepting request 1154878 from home:cahu:branches:security:SELinux
- Update to version 20240304:
  * Allow ssh-keygen to use the libica crypto module (bsc#1220373)

OBS-URL: https://build.opensuse.org/request/show/1154878
OBS-URL: https://build.opensuse.org/package/show/security:SELinux/selinux-policy?expand=0&rev=210
2024-03-06 10:50:11 +00:00
Ana Guerrero
01446f5c9f Accepting request 1145097 from security:SELinux
- Update to version 20240205:
  * Allow gpg manage rpm cache
  * Allow login_userdomain name_bind to howl and xmsg udp ports
  * Allow rules for confined users logged in plasma
  * Label /dev/iommu with iommu_device_t
  * Remove duplicate file context entries in /run
  * Dontaudit getty and plymouth the checkpoint_restore capability
  * Allow su domains write login records
  * Revert "Allow su domains write login records"
  * Allow login_userdomain delete session dbusd tmp socket files
  * Allow unix dgram sendto between exim processes
  * Allow su domains write login records
  * Allow smbd_t to watch user_home_dir_t if samba_enable_home_dirs is on
  * Allow chronyd-restricted read chronyd key files
  * Allow conntrackd_t to use bpf capability2
  * Allow systemd-networkd manage its runtime socket files
  * Allow init_t nnp domain transition to colord_t
  * Allow polkit status systemd services
  * nova: Fix duplicate declarations
  * Allow httpd work with PrivateTmp
  * Add interfaces for watching and reading ifconfig_var_run_t
  * Allow collectd read raw fixed disk device
  * Allow collectd read udev pid files
  * Set correct label on /etc/pki/pki-tomcat/kra
  * Allow systemd domains watch system dbus pid socket files
  * Allow certmonger read network sysctls
  * Allow mdadm list stratisd data directories
  * Allow syslog to run unconfined scripts conditionally
  * Allow syslogd_t nnp_transition to syslogd_unconfined_script_t
  * Allow qatlib set attributes of vfio device files
  * Allow systemd-sleep set attributes of efivarfs files
  * Allow samba-dcerpcd read public files
  * Allow spamd_update_t the sys_ptrace capability in user namespace
  * Allow bluetooth devices work with alsa
  * Allow alsa get attributes filesystems with extended attributes
  * Allow hypervkvp_t write access to NetworkManager_etc_rw_t
  * Add interface for write-only access to NetworkManager rw conf
  * Allow systemd-sleep send a message to syslog over a unix dgram socket
  * Allow init create and use netlink netfilter socket
  * Allow qatlib load kernel modules
  * Allow qatlib run lspci
  * Allow qatlib manage its private runtime socket files
  * Allow qatlib read/write vfio devices
  * Label /etc/redis.conf with redis_conf_t
  * Remove the lockdown-class rules from the policy
  * Allow init read all non-security socket files
  * Replace redundant dnsmasq pattern macros
  * Remove unneeded symlink perms in dnsmasq.if
  * Add additions to dnsmasq interface
  * Allow nvme_stas_t create and use netlink kobject uevent socket
  * Allow collectd connect to statsd port
  * Allow keepalived_t to use sys_ptrace of cap_userns
  * Allow dovecot_auth_t connect to postgresql using UNIX socket
  * Make named_zone_t and named_var_run_t a part of the mountpoint attribute
  * Allow sysadm execute traceroute in sysadm_t domain using sudo
  * Allow sysadm execute tcpdump in sysadm_t domain using sudo
  * Allow opafm search nfs directories
  * Add support for syslogd unconfined scripts
  * Allow gpsd use /dev/gnss devices
  * Allow gpg read rpm cache
  * Allow virtqemud additional permissions
  * Allow virtqemud manage its private lock files
  * Allow virtqemud use the io_uring api
  * Allow ddclient send e-mail notifications
  * Allow postfix_master_t map postfix data files
  * Allow init create and use vsock sockets
  * Allow thumb_t append to init unix domain stream sockets
  * Label /dev/vas with vas_device_t
  * Create interface selinux_watch_config and add it to SELinux users
  * Update cifs interfaces to include fs_search_auto_mountpoints()
  * Allow sudodomain read var auth files
  * Allow spamd_update_t read hardware state information
  * Allow virtnetworkd domain transition on tc command execution
  * Allow sendmail MTA connect to sendmail LDA
  * Allow auditd read all domains process state
  * Allow rsync read network sysctls
  * Add dhcpcd bpf capability to run bpf programs
  * Dontaudit systemd-hwdb dac_override capability
  * Allow systemd-sleep create efivarfs files
  * Allow map xserver_tmpfs_t files when xserver_clients_write_xshm is on
  * Allow graphical applications work in Wayland
  * Allow kdump work with PrivateTmp
  * Allow dovecot-auth work with PrivateTmp
  * Allow nfsd get attributes of all filesystems
  * Allow unconfined_domain_type use io_uring cmd on domain
  * ci: Only run Rawhide revdeps tests on the rawhide branch
  * Label /var/run/auditd.state as auditd_var_run_t
  * Allow fido-device-onboard (FDO) read the crack database
  * Allow ip an explicit domain transition to other domains
  * Label /usr/libexec/selinux/selinux-autorelabel with semanage_exec_t
  * Allow  winbind_rpcd_t processes access when samba_export_all_* is on
  * Enable NetworkManager and dhclient to use initramfs-configured DHCP connection
  * Allow ntp to bind and connect to ntske port.

OBS-URL: https://build.opensuse.org/request/show/1145097
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/selinux-policy?expand=0&rev=57
2024-02-09 22:51:35 +00:00
Hu
4b3ec21f85 Accepting request 1144343 from home:cahu:branches:security:SELinux
- Update to version 20240205:
  * Allow gpg manage rpm cache
  * Allow login_userdomain name_bind to howl and xmsg udp ports
  * Allow rules for confined users logged in plasma
  * Label /dev/iommu with iommu_device_t
  * Remove duplicate file context entries in /run
  * Dontaudit getty and plymouth the checkpoint_restore capability
  * Allow su domains write login records
  * Revert "Allow su domains write login records"
  * Allow login_userdomain delete session dbusd tmp socket files
  * Allow unix dgram sendto between exim processes
  * Allow su domains write login records
  * Allow smbd_t to watch user_home_dir_t if samba_enable_home_dirs is on
  * Allow chronyd-restricted read chronyd key files
  * Allow conntrackd_t to use bpf capability2
  * Allow systemd-networkd manage its runtime socket files
  * Allow init_t nnp domain transition to colord_t
  * Allow polkit status systemd services
  * nova: Fix duplicate declarations
  * Allow httpd work with PrivateTmp
  * Add interfaces for watching and reading ifconfig_var_run_t
  * Allow collectd read raw fixed disk device
  * Allow collectd read udev pid files
  * Set correct label on /etc/pki/pki-tomcat/kra
  * Allow systemd domains watch system dbus pid socket files
  * Allow certmonger read network sysctls
  * Allow mdadm list stratisd data directories
  * Allow syslog to run unconfined scripts conditionally
  * Allow syslogd_t nnp_transition to syslogd_unconfined_script_t
  * Allow qatlib set attributes of vfio device files
  * Allow systemd-sleep set attributes of efivarfs files
  * Allow samba-dcerpcd read public files
  * Allow spamd_update_t the sys_ptrace capability in user namespace
  * Allow bluetooth devices work with alsa
  * Allow alsa get attributes filesystems with extended attributes
  * Allow hypervkvp_t write access to NetworkManager_etc_rw_t
  * Add interface for write-only access to NetworkManager rw conf
  * Allow systemd-sleep send a message to syslog over a unix dgram socket
  * Allow init create and use netlink netfilter socket
  * Allow qatlib load kernel modules
  * Allow qatlib run lspci
  * Allow qatlib manage its private runtime socket files
  * Allow qatlib read/write vfio devices
  * Label /etc/redis.conf with redis_conf_t
  * Remove the lockdown-class rules from the policy
  * Allow init read all non-security socket files
  * Replace redundant dnsmasq pattern macros
  * Remove unneeded symlink perms in dnsmasq.if
  * Add additions to dnsmasq interface
  * Allow nvme_stas_t create and use netlink kobject uevent socket
  * Allow collectd connect to statsd port
  * Allow keepalived_t to use sys_ptrace of cap_userns
  * Allow dovecot_auth_t connect to postgresql using UNIX socket
  * Make named_zone_t and named_var_run_t a part of the mountpoint attribute
  * Allow sysadm execute traceroute in sysadm_t domain using sudo
  * Allow sysadm execute tcpdump in sysadm_t domain using sudo
  * Allow opafm search nfs directories
  * Add support for syslogd unconfined scripts
  * Allow gpsd use /dev/gnss devices
  * Allow gpg read rpm cache
  * Allow virtqemud additional permissions
  * Allow virtqemud manage its private lock files
  * Allow virtqemud use the io_uring api
  * Allow ddclient send e-mail notifications
  * Allow postfix_master_t map postfix data files
  * Allow init create and use vsock sockets
  * Allow thumb_t append to init unix domain stream sockets
  * Label /dev/vas with vas_device_t
  * Create interface selinux_watch_config and add it to SELinux users
  * Update cifs interfaces to include fs_search_auto_mountpoints()
  * Allow sudodomain read var auth files
  * Allow spamd_update_t read hardware state information
  * Allow virtnetworkd domain transition on tc command execution
  * Allow sendmail MTA connect to sendmail LDA
  * Allow auditd read all domains process state
  * Allow rsync read network sysctls
  * Add dhcpcd bpf capability to run bpf programs
  * Dontaudit systemd-hwdb dac_override capability
  * Allow systemd-sleep create efivarfs files
  * Allow map xserver_tmpfs_t files when xserver_clients_write_xshm is on
  * Allow graphical applications work in Wayland
  * Allow kdump work with PrivateTmp
  * Allow dovecot-auth work with PrivateTmp
  * Allow nfsd get attributes of all filesystems
  * Allow unconfined_domain_type use io_uring cmd on domain
  * ci: Only run Rawhide revdeps tests on the rawhide branch
  * Label /var/run/auditd.state as auditd_var_run_t
  * Allow fido-device-onboard (FDO) read the crack database
  * Allow ip an explicit domain transition to other domains
  * Label /usr/libexec/selinux/selinux-autorelabel with semanage_exec_t
  * Allow  winbind_rpcd_t processes access when samba_export_all_* is on
  * Enable NetworkManager and dhclient to use initramfs-configured DHCP connection
  * Allow ntp to bind and connect to ntske port.

OBS-URL: https://build.opensuse.org/request/show/1144343
OBS-URL: https://build.opensuse.org/package/show/security:SELinux/selinux-policy?expand=0&rev=208
2024-02-06 08:12:43 +00:00
Ana Guerrero
fcf37560b3 Accepting request 1139103 from security:SELinux
OBS-URL: https://build.opensuse.org/request/show/1139103
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/selinux-policy?expand=0&rev=56
2024-01-16 20:36:51 +00:00
Hu
ceb3fcfaa1 Accepting request 1139091 from home:cahu:branches:security:SELinux
- Update to version 20240116:
  * Fix gitolite homedir paths (bsc#1218826)

OBS-URL: https://build.opensuse.org/request/show/1139091
OBS-URL: https://build.opensuse.org/package/show/security:SELinux/selinux-policy?expand=0&rev=206
2024-01-16 09:21:41 +00:00
Ana Guerrero
241ac5cad9 Accepting request 1138076 from security:SELinux
OBS-URL: https://build.opensuse.org/request/show/1138076
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/selinux-policy?expand=0&rev=55
2024-01-12 22:44:13 +00:00
Johannes Segitz
4479aef3ce Accepting request 1137686 from home:cahu:branches:security:SELinux
- Update to version 20240104:
  * Allow keepalived_t read+write kernel_t pipes (bsc#1216060)
  * allow rebootmgr to read the system state (bsc#1205931)

OBS-URL: https://build.opensuse.org/request/show/1137686
OBS-URL: https://build.opensuse.org/package/show/security:SELinux/selinux-policy?expand=0&rev=204
2024-01-11 08:53:15 +00:00
Ana Guerrero
579406ef8f Accepting request 1132428 from security:SELinux
OBS-URL: https://build.opensuse.org/request/show/1132428
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/selinux-policy?expand=0&rev=54
2023-12-11 20:49:43 +00:00
Johannes Segitz
23185a5570 Accepting request 1129970 from home:cahu:branches:security:SELinux
- Trigger rebuild of the policy when pcre2 gets updated to avoid
  regex version mismatch errors (bsc#1216747).

OBS-URL: https://build.opensuse.org/request/show/1129970
OBS-URL: https://build.opensuse.org/package/show/security:SELinux/selinux-policy?expand=0&rev=202
2023-12-11 08:07:24 +00:00
Ana Guerrero
099adb46e0 Accepting request 1128521 from security:SELinux
OBS-URL: https://build.opensuse.org/request/show/1128521
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/selinux-policy?expand=0&rev=53
2023-11-26 18:36:32 +00:00
Hu
bd548fda37 Accepting request 1128519 from home:cahu:branches:security:SELinux
- Update to version 20231124:
  * Allow virtnetworkd_t to execute bin_t (bsc#1216903)
- Add new modules that were missed in the last update to 
  modules-mls-contrib.conf

OBS-URL: https://build.opensuse.org/request/show/1128519
OBS-URL: https://build.opensuse.org/package/show/security:SELinux/selinux-policy?expand=0&rev=200
2023-11-24 09:58:31 +00:00
Ana Guerrero
08ee9472e5 Accepting request 1128144 from security:SELinux
OBS-URL: https://build.opensuse.org/request/show/1128144
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/selinux-policy?expand=0&rev=52
2023-11-23 20:38:57 +00:00
Hu
0a269ab03e Accepting request 1128143 from home:cahu:branches:security:SELinux
- Add new modules that were missed in the last update to 
  modules-targeted-contrib.conf

OBS-URL: https://build.opensuse.org/request/show/1128143
OBS-URL: https://build.opensuse.org/package/show/security:SELinux/selinux-policy?expand=0&rev=198
2023-11-22 13:59:55 +00:00
Dominique Leuenberger
70af96a242 Accepting request 1121154 from security:SELinux
OBS-URL: https://build.opensuse.org/request/show/1121154
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/selinux-policy?expand=0&rev=51
2023-11-01 21:09:22 +00:00
Hu
043e5338e1 Accepting request 1121138 from home:cahu:branches:security:SELinux
- Update to version 20231030: Big policy sync with upstream policy
  * Allow system_mail_t manage exim spool files and dirs
  * Dontaudit keepalived setattr on keepalived_unconfined_script_exec_t
  * Label /run/pcsd.socket with cluster_var_run_t
  * ci: Run cockpit tests in PRs
  * Add map_read map_write to kernel_prog_run_bpf
  * Allow systemd-fstab-generator read all symlinks
  * Allow systemd-fstab-generator the dac_override capability
  * Allow rpcbind read network sysctls
  * Support using systemd containers
  * Allow sysadm_t to connect to iscsid using a unix domain stream socket
  * Add policy for coreos installer
  * Add policy for nvme-stas
  * Confine systemd fstab,sysv,rc-local
  * Label /etc/aliases.lmdb with etc_aliases_t
  * Create policy for afterburn
  * Make new virt drivers permissive
  * Split virt policy, introduce virt_supplementary module
  * Allow apcupsd cgi scripts read /sys
  * Allow kernel_t to manage and relabel all files
  * Add missing optional_policy() to files_relabel_all_files()
  * Allow named and ndc use the io_uring api
  * Deprecate common_anon_inode_perms usage
  * Improve default file context(None) of /var/lib/authselect/backups
  * Allow udev_t to search all directories with a filesystem type
  * Implement proper anon_inode support
  * Allow targetd write to the syslog pid sock_file
  * Add ipa_pki_retrieve_key_exec() interface
  * Allow kdumpctl_t to list all directories with a filesystem type
  * Allow udev additional permissions
  * Allow udev load kernel module
  * Allow sysadm_t to mmap modules_object_t files
  * Add the unconfined_read_files() and unconfined_list_dirs() interfaces
  * Set default file context of HOME_DIR/tmp/.* to <<none>>
  * Allow kernel_generic_helper_t to execute mount(1)
  * Allow sssd send SIGKILL to passkey_child running in ipa_otpd_t
  * Allow systemd-localed create Xserver config dirs
  * Allow sssd read symlinks in /etc/sssd
  * Label /dev/gnss[0-9] with gnss_device_t
  * Allow systemd-sleep read/write efivarfs variables
  * ci: Fix version number of packit generated srpms
  * Dontaudit rhsmcertd write memory device
  * Allow ssh_agent_type create a sockfile in /run/user/USERID
  * Set default file context of /var/lib/authselect/backups to <<none>>
  * Allow prosody read network sysctls
  * Allow cupsd_t to use bpf capability
  * Allow sssd domain transition on passkey_child execution conditionally
  * Allow login_userdomain watch lnk_files in /usr
  * Allow login_userdomain watch video4linux devices
  * Change systemd-network-generator transition to include class file
  * Revert "Change file transition for systemd-network-generator"
  * Allow nm-dispatcher winbind plugin read/write samba var files
  * Allow systemd-networkd write to cgroup files
  * Allow kdump create and use its memfd: objects
  * Allow fedora-third-party get generic filesystem attributes
  * Allow sssd use usb devices conditionally
  * Update policy for qatlib
  * Allow ssh_agent_type manage generic cache home files
  * Change file transition for systemd-network-generator
  * Additional support for gnome-initial-setup
  * Update gnome-initial-setup policy for geoclue
  * Allow openconnect vpn open vhost net device
  * Allow cifs.upcall to connect to SSSD also through the /var/run socket
  * Grant cifs.upcall more required capabilities
  * Allow xenstored map xenfs files
  * Update policy for fdo
  * Allow keepalived watch var_run dirs
  * Allow svirt to rw /dev/udmabuf
  * Allow qatlib  to modify hardware state information.
  * Allow key.dns_resolve connect to avahi over a unix stream socket
  * Allow key.dns_resolve create and use unix datagram socket
  * Use quay.io as the container image source for CI
  * ci: Move srpm/rpm build to packit
  * .copr: Avoid subshell and changing directory
  * Allow gpsd, oddjob and oddjob_mkhomedir_t write user_tty_device_t chr_file
  * Label /usr/libexec/openssh/ssh-pkcs11-helper with ssh_agent_exec_t
  * Make insights_client_t an unconfined domain
  * Allow insights-client manage user temporary files
  * Allow insights-client create all rpm logs with a correct label
  * Allow insights-client manage generic logs
  * Allow cloud_init create dhclient var files and init_t manage net_conf_t
  * Allow insights-client read and write cluster tmpfs files
  * Allow ipsec read nsfs files
  * Make tuned work with mls policy
  * Remove nsplugin_role from mozilla.if
  * allow mon_procd_t self:cap_userns sys_ptrace
  * Allow pdns name_bind and name_connect all ports
  * Set the MLS range of fsdaemon_t to s0 - mls_systemhigh
  * ci: Move to actions/checkout@v3 version
  * .copr: Replace chown call with standard workflow safe.directory setting
  * .copr: Enable `set -u` for robustness
  * .copr: Simplify root directory variable
  * Allow rhsmcertd dbus chat with policykit
  * Allow polkitd execute pkla-check-authorization with nnp transition
  * Allow user_u and staff_u get attributes of non-security dirs
  * Allow unconfined user filetrans chrome_sandbox_home_t
  * Allow svnserve execute postdrop with a transition
  * Do not make postfix_postdrop_t type an MTA executable file
  * Allow samba-dcerpc service manage samba tmp files
  * Add use_nfs_home_dirs boolean for mozilla_plugin
  * Fix labeling for no-stub-resolv.conf
  * Revert "Allow winbind-rpcd use its private tmp files"
  * Allow upsmon execute upsmon via a helper script
  * Allow openconnect vpn read/write inherited vhost net device
  * Allow winbind-rpcd use its private tmp files
  * Update samba-dcerpc policy for printing
  * Allow gpsd,oddjob,oddjob_mkhomedir rw user domain pty
  * Allow nscd watch system db dirs
  * Allow qatlib to read sssd public files
  * Allow fedora-third-party read /sys and proc
  * Allow systemd-gpt-generator mount a tmpfs filesystem
  * Allow journald write to cgroup files
  * Allow rpc.mountd read network sysctls
  * Allow blueman read the contents of the sysfs filesystem
  * Allow logrotate_t to map generic files in /etc
  * Boolean: Allow virt_qemu_ga create ssh directory
  * Allow systemd-network-generator send system log messages
  * Dontaudit the execute permission on sock_file globally
  * Allow fsadm_t the file mounton permission
  * Allow named and ndc the io_uring sqpoll permission
  * Allow sssd io_uring sqpoll permission
  * Fix location for /run/nsd
  * Allow qemu-ga get fixed disk devices attributes
  * Update bitlbee policy
  * Label /usr/sbin/sos with sosreport_exec_t
  * Update policy for the sblim-sfcb service
  * Add the files_getattr_non_auth_dirs() interface
  * Fix the CI to work with DNF5
  * Make systemd_tmpfiles_t MLS trusted for lowering the level of files
  * Revert "Allow insights client map cache_home_t"
  * Allow nfsidmapd connect to systemd-machined over a unix socket
  * Allow snapperd connect to kernel over a unix domain stream socket
  * Allow virt_qemu_ga_t create .ssh dir with correct label
  * Allow targetd read network sysctls
  * Set the abrt_handle_event boolean to on
  * Permit kernel_t to change the user identity in object contexts
  * Allow insights client map cache_home_t
  * Label /usr/sbin/mariadbd with mysqld_exec_t
  * Allow httpd tcp connect to redis port conditionally
  * Label only /usr/sbin/ripd and ripngd with zebra_exec_t
  * Dontaudit aide the execmem permission
  * Remove permissive from fdo
  * Allow sa-update manage spamc home files
  * Allow sa-update connect to systemlog services
  * Label /usr/lib/systemd/system/mimedefang.service with antivirus_unit_file_t
  * Allow nsd_crond_t write nsd_var_run_t & connectto nsd_t
  * Allow bootupd search EFI directory
  * Change init_audit_control default value to true
  * Allow nfsidmapd connect to systemd-userdbd with a unix socket
  * Add the qatlib  module
  * Add the fdo module
  * Add the bootupd module
  * Set default ports for keylime policy
  * Create policy for qatlib
  * Add policy for FIDO Device Onboard
  * Add policy for bootupd
  * Add support for kafs-dns requested by keyutils
  * Allow insights-client execmem
  * Add support for chronyd-restricted
  * Add init_explicit_domain() interface
  * Allow fsadm_t to get attributes of cgroup filesystems
  * Add list_dir_perms to kerberos_read_keytab
  * Label /var/run/tmpfiles.d/static-nodes.conf with kmod_var_run_t
  * Allow sendmail manage its runtime files

OBS-URL: https://build.opensuse.org/request/show/1121138
OBS-URL: https://build.opensuse.org/package/show/security:SELinux/selinux-policy?expand=0&rev=196
2023-10-30 11:05:50 +00:00
Ana Guerrero
66edf948ab Accepting request 1117140 from security:SELinux
OBS-URL: https://build.opensuse.org/request/show/1117140
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/selinux-policy?expand=0&rev=50
2023-10-13 21:13:48 +00:00
Hu
af77709c80 Accepting request 1117134 from home:cahu:branches:security:SELinux
- Update to version 20231012:
  * Allow sssd_t watch permission to net_conf_t dirs (bsc#1216052)
  * Revert fix for bsc#1205770 since it causes a regression for bsc#1214887

OBS-URL: https://build.opensuse.org/request/show/1117134
OBS-URL: https://build.opensuse.org/package/show/security:SELinux/selinux-policy?expand=0&rev=194
2023-10-12 08:42:29 +00:00
Ana Guerrero
62c76c5b39 Accepting request 1115652 from security:SELinux
OBS-URL: https://build.opensuse.org/request/show/1115652
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/selinux-policy?expand=0&rev=49
2023-10-05 18:03:04 +00:00
Hu
ecba8b0d6b Accepting request 1115645 from home:jsegitz:branches:security:SELinux_3
- Use /var/adm/update-scripts in macros.selinux-policy. The rpm state
  directory doesn't exist on SUSE systems (bsc#1213593)

OBS-URL: https://build.opensuse.org/request/show/1115645
OBS-URL: https://build.opensuse.org/package/show/security:SELinux/selinux-policy?expand=0&rev=192
2023-10-04 15:03:23 +00:00
Johannes Segitz
fe4723a538 Accepting request 1112155 from home:jsegitz:branches:security:SELinux_2
- Modified update.sh to require first parameter "full" to also
  update container-selinux. For maintenance updates you usually
  don't want it to be updated

OBS-URL: https://build.opensuse.org/request/show/1112155
OBS-URL: https://build.opensuse.org/package/show/security:SELinux/selinux-policy?expand=0&rev=191
2023-09-20 14:15:21 +00:00
Dominique Leuenberger
d54cf0dbee Accepting request 1101215 from security:SELinux
OBS-URL: https://build.opensuse.org/request/show/1101215
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/selinux-policy?expand=0&rev=48
2023-07-29 18:09:48 +00:00
a975c36105 Accepting request 1101214 from home:fbonazzi:branches:security:SELinux
- Update to version 20230728:
  * Allow kdump_t to manage symlinks under kdump_var_lib_t (bsc#1213721)
  * allow haveged to manage tmpfs directories (bsc#1213594)

OBS-URL: https://build.opensuse.org/request/show/1101214
OBS-URL: https://build.opensuse.org/package/show/security:SELinux/selinux-policy?expand=0&rev=189
2023-07-28 15:00:26 +00:00
Dominique Leuenberger
ad88690b85 Accepting request 1094793 from security:SELinux
OBS-URL: https://build.opensuse.org/request/show/1094793
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/selinux-policy?expand=0&rev=47
2023-06-24 18:13:34 +00:00
Johannes Segitz
3c8840090d Accepting request 1094792 from home:jsegitz:branches:security:SELinux
- Update to version 20230622:
  * Allow keyutils_dns_resolver_exec_t be an entrypoint
  * Allow collectd_t read network state symlinks
  * Revert "Allow collectd_t read proc_net link files"
  * Allow nfsd_t to list exports_t dirs
  * Allow cupsd dbus chat with xdm
  * Allow haproxy read hardware state information
  * Label /dev/userfaultfd with userfaultfd_t
  * Allow blueman send general signals to unprivileged user domains
  * Allow dkim-milter domain transition to sendmail

OBS-URL: https://build.opensuse.org/request/show/1094792
OBS-URL: https://build.opensuse.org/package/show/security:SELinux/selinux-policy?expand=0&rev=187
2023-06-23 08:08:16 +00:00
Dominique Leuenberger
8f295d331c Accepting request 1082789 from security:SELinux
OBS-URL: https://build.opensuse.org/request/show/1082789
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/selinux-policy?expand=0&rev=46
2023-04-26 15:24:28 +00:00
Johannes Segitz
ebe0d17ed3 Accepting request 1082788 from home:cahu:branches:security:SELinux
- Update to version 20230425:
  * Remove unneeded manage_dirs_pattern for lastlog_t (bsc#1210461)
  * Add policy for wtmpdb (bsc#1210717)

OBS-URL: https://build.opensuse.org/request/show/1082788
OBS-URL: https://build.opensuse.org/package/show/security:SELinux/selinux-policy?expand=0&rev=185
2023-04-25 15:21:22 +00:00
Johannes Segitz
f366bc7fbe Accepting request 1082736 from home:cahu:branches:security:SELinux
- Update to version 20230425:
  * Add support for lastlog2 (bsc#1210461)
  * allow the chrony client to use unallocated ttys (bsc#1210672)

OBS-URL: https://build.opensuse.org/request/show/1082736
OBS-URL: https://build.opensuse.org/package/show/security:SELinux/selinux-policy?expand=0&rev=184
2023-04-25 11:41:50 +00:00
Dominique Leuenberger
ae7e61e582 Accepting request 1080824 from security:SELinux
- Update to version 20230420:
  * libzypp creates temporary files in /var/adm/mount. Label it with
    rpm_var_cache_t to prevent wrong labels in /var/cache/zypp
  * only use rsync_exec_t for the rsync server, not for the client
    (bsc#1209890)
  * properly label sshd-gen-keys-start to ensure ssh host keys have proper
    labels after creation
  * Allow dovecot-deliver write to the main process runtime fifo files
  * Allow dmidecode write to cloud-init tmp files
  * Allow chronyd send a message to cloud-init over a datagram socket
  * Allow cloud-init domain transition to insights-client domain
  * Allow mongodb read filesystem sysctls
  * Allow mongodb read network sysctls
  * Allow accounts-daemon read generic systemd unit lnk files
  * Allow blueman watch generic device dirs
  * Allow nm-dispatcher tlp plugin create tlp dirs
  * Allow systemd-coredump mounton /usr
  * Allow rabbitmq to read network sysctls
  * Allow certmonger dbus chat with the cron system domain
  * Allow geoclue read network sysctls
  * Allow geoclue watch the /etc directory
  * Allow logwatch_mail_t read network sysctls
  * allow systemd_resolved_t to bind to all nodes (bsc#1200182)
  * Allow insights-client read all sysctls
  * Allow passt manage qemu pid sock files
  * Allow sssd read accountsd fifo files
  * Add support for the passt_t domain
  * Allow virtd_t and svirt_t work with passt
  * Add new interfaces in the virt module
  * Add passt interfaces defined conditionally

OBS-URL: https://build.opensuse.org/request/show/1080824
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/selinux-policy?expand=0&rev=45
2023-04-21 12:15:52 +00:00
Johannes Segitz
d97aac754e OBS-URL: https://build.opensuse.org/package/show/security:SELinux/selinux-policy?expand=0&rev=182 2023-04-20 11:18:16 +00:00
Johannes Segitz
572a533f73 Accepting request 1080814 from home:jsegitz:branches:security:SELinux
- Update to version 20230420:
  * libzypp creates temporary files in /var/adm/mount. Label it with
    rpm_var_cache_t to prevent wrong labels in /var/cache/zypp
  * only use rsync_exec_t for the rsync server, not for the client
    (bsc#1209890)
  * properly label sshd-gen-keys-start to ensure ssh host keys have proper
    labels after creation
  * Allow dovecot-deliver write to the main process runtime fifo files
  * Allow dmidecode write to cloud-init tmp files
  * Allow chronyd send a message to cloud-init over a datagram socket
  * Allow cloud-init domain transition to insights-client domain
  * Allow mongodb read filesystem sysctls
  * Allow mongodb read network sysctls
  * Allow accounts-daemon read generic systemd unit lnk files
  * Allow blueman watch generic device dirs
  * Allow nm-dispatcher tlp plugin create tlp dirs
  * Allow systemd-coredump mounton /usr
  * Allow rabbitmq to read network sysctls
  * Allow certmonger dbus chat with the cron system domain
  * Allow geoclue read network sysctls
  * Allow geoclue watch the /etc directory
  * Allow logwatch_mail_t read network sysctls
  * allow systemd_resolved_t to bind to all nodes (bsc#1200182)
  * Allow insights-client read all sysctls
  * Allow passt manage qemu pid sock files
  * Allow sssd read accountsd fifo files
  * Add support for the passt_t domain
  * Allow virtd_t and svirt_t work with passt
  * Add new interfaces in the virt module
  * Add passt interfaces defined conditionally

OBS-URL: https://build.opensuse.org/request/show/1080814
OBS-URL: https://build.opensuse.org/package/show/security:SELinux/selinux-policy?expand=0&rev=181
2023-04-20 11:04:43 +00:00
Johannes Segitz
2c0b161ac5 Accepting request 1075010 from home:cahu:branches:security:SELinux
- Add debug-build.sh script to make debugging without committing easier

OBS-URL: https://build.opensuse.org/request/show/1075010
OBS-URL: https://build.opensuse.org/package/show/security:SELinux/selinux-policy?expand=0&rev=180
2023-03-28 12:44:26 +00:00
Dominique Leuenberger
b73764daca Accepting request 1073587 from security:SELinux
please stage this with the microos-tools changes. Should now be good since kernel_t is unconfined again

OBS-URL: https://build.opensuse.org/request/show/1073587
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/selinux-policy?expand=0&rev=44
2023-03-22 21:29:18 +00:00
Johannes Segitz
4bd800106f Accepting request 1073586 from home:jsegitz:branches:security:SELinux
- Update to version 20230321:
  * make kernel_t unconfined again

OBS-URL: https://build.opensuse.org/request/show/1073586
OBS-URL: https://build.opensuse.org/package/show/security:SELinux/selinux-policy?expand=0&rev=178
2023-03-21 15:56:46 +00:00
Johannes Segitz
0f3ba0a5f9 OBS-URL: https://build.opensuse.org/package/show/security:SELinux/selinux-policy?expand=0&rev=177 2023-03-17 11:20:02 +00:00
Johannes Segitz
a019d5e5d8 process easier in general. Updated README.Update
OBS-URL: https://build.opensuse.org/package/show/security:SELinux/selinux-policy?expand=0&rev=176
2023-03-17 11:19:42 +00:00
Johannes Segitz
00949e479d Accepting request 1072556 from home:jsegitz:branches:security:SELinux_final
OBS-URL: https://build.opensuse.org/request/show/1072556
OBS-URL: https://build.opensuse.org/package/show/security:SELinux/selinux-policy?expand=0&rev=175
2023-03-17 10:46:53 +00:00