- Update to version 20240411:
* Remove duplicate in sysnetwork.fc
* Rename /var/run/wicked* to /run/wicked*
* Remove /var/run/rsyslog/additional-log-sockets.conf from logging.fc
* policy: support pidfs
* Confine selinux-autorelabel-generator.sh
* Allow logwatch_mail_t read/write to init over a unix stream socket
* Allow logwatch read logind sessions files
* files_dontaudit_getattr_tmpfs_files allowed the access and didn't dontaudit it
* files_dontaudit_mounton_modules_object allowed the access and didn't dontaudit it
* Allow NetworkManager the sys_ptrace capability in user namespace
* dontaudit execmem for modemmanager
* Allow dhcpcd use unix_stream_socket
* Allow dhcpc read /run/netns files
* Update mmap_rw_file_perms to include the lock permission
* Allow plymouthd log during shutdown
* Add logging_watch_all_log_dirs() and logging_watch_all_log_files()
* Allow journalctl_t read filesystem sysctls
* Allow cgred_t to get attributes of cgroup filesystems
* Allow wdmd read hardware state information
* Allow wdmd list the contents of the sysfs directories
* Allow linuxptp configure phc2sys and chronyd over a unix domain socket
* Allow sulogin relabel tty1
* Dontaudit sulogin the checkpoint_restore capability
* Modify sudo_role_template() to allow getpgid
* Allow userdomain get attributes of files on an nsfs filesystem
* Allow opafm create NFS files and directories
* Allow virtqemud create and unlink files in /etc/libvirt/
* Allow virtqemud domain transition on swtpm execution
* Add the swtpm.if interface file for interactions with other domains
* Allow samba to have dac_override capability
* systemd: allow sys_admin capability for systemd_notify_t
* systemd: allow systemd_notify_t to send data to kernel_t datagram sockets
* Allow thumb_t to watch and watch_reads mount_var_run_t
* Allow krb5kdc_t map krb5kdc_principal_t files
* Allow unprivileged confined user dbus chat with setroubleshoot
* Allow login_userdomain map files in /var
* Allow wireguard work with firewall-cmd
* Differentiate between staff and sysadm when executing crontab with sudo
* Add crontab_admin_domtrans interface
* Allow abrt_t nnp domain transition to abrt_handle_event_t
* Allow xdm_t to watch and watch_reads mount_var_run_t
* Dontaudit subscription manager setfscreate and read file contexts
* Don't audit crontab_domain write attempts to user home
* Transition from sudodomains to crontab_t when executing crontab_exec_t
* Add crontab_domtrans interface
* Fix label of pseudoterminals created from sudodomain
* Allow utempter_t use ptmx
* Dontaudit rpmdb attempts to connect to sssd over a unix stream socket
* Allow admin user read/write on fixed_disk_device_t
* Only allow confined user domains to login locally without unconfined_login
* Add userdom_spec_domtrans_confined_admin_users interface
* Only allow admindomain to execute shell via ssh with ssh_sysadm_login
* Add userdom_spec_domtrans_admin_users interface
* Move ssh dyntrans to unconfined inside unconfined_login tunable policy
* Update ssh_role_template() for user ssh-agent type
* Allow init to inherit system DBus file descriptors
* Allow init to inherit fds from syslogd
* Allow any domain to inherit fds from rpm-ostree
* Update afterburn policy
* Allow init_t nnp domain transition to abrtd_t
* Rename all /var/lock file context entries to /run/lock
* Rename all /var/run file context entries to /run
- Add script varrun-convert.sh for locally existing modules
to be able to cope with the /var/run -> /run change
- Update embedded container-selinux to commit
a8e389dbcd3f9b6ed0a7e495c6f559c0383dc49e
OBS-URL: https://build.opensuse.org/request/show/1166915
OBS-URL: https://build.opensuse.org/package/show/security:SELinux/selinux-policy?expand=0&rev=217
- Update to version 20240205:
* Allow gpg manage rpm cache
* Allow login_userdomain name_bind to howl and xmsg udp ports
* Allow rules for confined users logged in plasma
* Label /dev/iommu with iommu_device_t
* Remove duplicate file context entries in /run
* Dontaudit getty and plymouth the checkpoint_restore capability
* Allow su domains write login records
* Revert "Allow su domains write login records"
* Allow login_userdomain delete session dbusd tmp socket files
* Allow unix dgram sendto between exim processes
* Allow su domains write login records
* Allow smbd_t to watch user_home_dir_t if samba_enable_home_dirs is on
* Allow chronyd-restricted read chronyd key files
* Allow conntrackd_t to use bpf capability2
* Allow systemd-networkd manage its runtime socket files
* Allow init_t nnp domain transition to colord_t
* Allow polkit status systemd services
* nova: Fix duplicate declarations
* Allow httpd work with PrivateTmp
* Add interfaces for watching and reading ifconfig_var_run_t
* Allow collectd read raw fixed disk device
* Allow collectd read udev pid files
* Set correct label on /etc/pki/pki-tomcat/kra
* Allow systemd domains watch system dbus pid socket files
* Allow certmonger read network sysctls
* Allow mdadm list stratisd data directories
* Allow syslog to run unconfined scripts conditionally
* Allow syslogd_t nnp_transition to syslogd_unconfined_script_t
* Allow qatlib set attributes of vfio device files
* Allow systemd-sleep set attributes of efivarfs files
* Allow samba-dcerpcd read public files
* Allow spamd_update_t the sys_ptrace capability in user namespace
* Allow bluetooth devices work with alsa
* Allow alsa get attributes filesystems with extended attributes
* Allow hypervkvp_t write access to NetworkManager_etc_rw_t
* Add interface for write-only access to NetworkManager rw conf
* Allow systemd-sleep send a message to syslog over a unix dgram socket
* Allow init create and use netlink netfilter socket
* Allow qatlib load kernel modules
* Allow qatlib run lspci
* Allow qatlib manage its private runtime socket files
* Allow qatlib read/write vfio devices
* Label /etc/redis.conf with redis_conf_t
* Remove the lockdown-class rules from the policy
* Allow init read all non-security socket files
* Replace redundant dnsmasq pattern macros
* Remove unneeded symlink perms in dnsmasq.if
* Add additions to dnsmasq interface
* Allow nvme_stas_t create and use netlink kobject uevent socket
* Allow collectd connect to statsd port
* Allow keepalived_t to use sys_ptrace of cap_userns
* Allow dovecot_auth_t connect to postgresql using UNIX socket
* Make named_zone_t and named_var_run_t a part of the mountpoint attribute
* Allow sysadm execute traceroute in sysadm_t domain using sudo
* Allow sysadm execute tcpdump in sysadm_t domain using sudo
* Allow opafm search nfs directories
* Add support for syslogd unconfined scripts
* Allow gpsd use /dev/gnss devices
* Allow gpg read rpm cache
* Allow virtqemud additional permissions
* Allow virtqemud manage its private lock files
* Allow virtqemud use the io_uring api
* Allow ddclient send e-mail notifications
* Allow postfix_master_t map postfix data files
* Allow init create and use vsock sockets
* Allow thumb_t append to init unix domain stream sockets
* Label /dev/vas with vas_device_t
* Create interface selinux_watch_config and add it to SELinux users
* Update cifs interfaces to include fs_search_auto_mountpoints()
* Allow sudodomain read var auth files
* Allow spamd_update_t read hardware state information
* Allow virtnetworkd domain transition on tc command execution
* Allow sendmail MTA connect to sendmail LDA
* Allow auditd read all domains process state
* Allow rsync read network sysctls
* Add dhcpcd bpf capability to run bpf programs
* Dontaudit systemd-hwdb dac_override capability
* Allow systemd-sleep create efivarfs files
* Allow map xserver_tmpfs_t files when xserver_clients_write_xshm is on
* Allow graphical applications work in Wayland
* Allow kdump work with PrivateTmp
* Allow dovecot-auth work with PrivateTmp
* Allow nfsd get attributes of all filesystems
* Allow unconfined_domain_type use io_uring cmd on domain
* ci: Only run Rawhide revdeps tests on the rawhide branch
* Label /var/run/auditd.state as auditd_var_run_t
* Allow fido-device-onboard (FDO) read the crack database
* Allow ip an explicit domain transition to other domains
* Label /usr/libexec/selinux/selinux-autorelabel with semanage_exec_t
* Allow winbind_rpcd_t processes access when samba_export_all_* is on
* Enable NetworkManager and dhclient to use initramfs-configured DHCP connection
* Allow ntp to bind and connect to ntske port.
OBS-URL: https://build.opensuse.org/request/show/1144343
OBS-URL: https://build.opensuse.org/package/show/security:SELinux/selinux-policy?expand=0&rev=208
- Update to version 20231030: Big policy sync with upstream policy
* Allow system_mail_t manage exim spool files and dirs
* Dontaudit keepalived setattr on keepalived_unconfined_script_exec_t
* Label /run/pcsd.socket with cluster_var_run_t
* ci: Run cockpit tests in PRs
* Add map_read map_write to kernel_prog_run_bpf
* Allow systemd-fstab-generator read all symlinks
* Allow systemd-fstab-generator the dac_override capability
* Allow rpcbind read network sysctls
* Support using systemd containers
* Allow sysadm_t to connect to iscsid using a unix domain stream socket
* Add policy for coreos installer
* Add policy for nvme-stas
* Confine systemd fstab,sysv,rc-local
* Label /etc/aliases.lmdb with etc_aliases_t
* Create policy for afterburn
* Make new virt drivers permissive
* Split virt policy, introduce virt_supplementary module
* Allow apcupsd cgi scripts read /sys
* Allow kernel_t to manage and relabel all files
* Add missing optional_policy() to files_relabel_all_files()
* Allow named and ndc use the io_uring api
* Deprecate common_anon_inode_perms usage
* Improve default file context(None) of /var/lib/authselect/backups
* Allow udev_t to search all directories with a filesystem type
* Implement proper anon_inode support
* Allow targetd write to the syslog pid sock_file
* Add ipa_pki_retrieve_key_exec() interface
* Allow kdumpctl_t to list all directories with a filesystem type
* Allow udev additional permissions
* Allow udev load kernel module
* Allow sysadm_t to mmap modules_object_t files
* Add the unconfined_read_files() and unconfined_list_dirs() interfaces
* Set default file context of HOME_DIR/tmp/.* to <<none>>
* Allow kernel_generic_helper_t to execute mount(1)
* Allow sssd send SIGKILL to passkey_child running in ipa_otpd_t
* Allow systemd-localed create Xserver config dirs
* Allow sssd read symlinks in /etc/sssd
* Label /dev/gnss[0-9] with gnss_device_t
* Allow systemd-sleep read/write efivarfs variables
* ci: Fix version number of packit generated srpms
* Dontaudit rhsmcertd write memory device
* Allow ssh_agent_type create a sockfile in /run/user/USERID
* Set default file context of /var/lib/authselect/backups to <<none>>
* Allow prosody read network sysctls
* Allow cupsd_t to use bpf capability
* Allow sssd domain transition on passkey_child execution conditionally
* Allow login_userdomain watch lnk_files in /usr
* Allow login_userdomain watch video4linux devices
* Change systemd-network-generator transition to include class file
* Revert "Change file transition for systemd-network-generator"
* Allow nm-dispatcher winbind plugin read/write samba var files
* Allow systemd-networkd write to cgroup files
* Allow kdump create and use its memfd: objects
* Allow fedora-third-party get generic filesystem attributes
* Allow sssd use usb devices conditionally
* Update policy for qatlib
* Allow ssh_agent_type manage generic cache home files
* Change file transition for systemd-network-generator
* Additional support for gnome-initial-setup
* Update gnome-initial-setup policy for geoclue
* Allow openconnect vpn open vhost net device
* Allow cifs.upcall to connect to SSSD also through the /var/run socket
* Grant cifs.upcall more required capabilities
* Allow xenstored map xenfs files
* Update policy for fdo
* Allow keepalived watch var_run dirs
* Allow svirt to rw /dev/udmabuf
* Allow qatlib to modify hardware state information.
* Allow key.dns_resolve connect to avahi over a unix stream socket
* Allow key.dns_resolve create and use unix datagram socket
* Use quay.io as the container image source for CI
* ci: Move srpm/rpm build to packit
* .copr: Avoid subshell and changing directory
* Allow gpsd, oddjob and oddjob_mkhomedir_t write user_tty_device_t chr_file
* Label /usr/libexec/openssh/ssh-pkcs11-helper with ssh_agent_exec_t
* Make insights_client_t an unconfined domain
* Allow insights-client manage user temporary files
* Allow insights-client create all rpm logs with a correct label
* Allow insights-client manage generic logs
* Allow cloud_init create dhclient var files and init_t manage net_conf_t
* Allow insights-client read and write cluster tmpfs files
* Allow ipsec read nsfs files
* Make tuned work with mls policy
* Remove nsplugin_role from mozilla.if
* allow mon_procd_t self:cap_userns sys_ptrace
* Allow pdns name_bind and name_connect all ports
* Set the MLS range of fsdaemon_t to s0 - mls_systemhigh
* ci: Move to actions/checkout@v3 version
* .copr: Replace chown call with standard workflow safe.directory setting
* .copr: Enable `set -u` for robustness
* .copr: Simplify root directory variable
* Allow rhsmcertd dbus chat with policykit
* Allow polkitd execute pkla-check-authorization with nnp transition
* Allow user_u and staff_u get attributes of non-security dirs
* Allow unconfined user filetrans chrome_sandbox_home_t
* Allow svnserve execute postdrop with a transition
* Do not make postfix_postdrop_t type an MTA executable file
* Allow samba-dcerpc service manage samba tmp files
* Add use_nfs_home_dirs boolean for mozilla_plugin
* Fix labeling for no-stub-resolv.conf
* Revert "Allow winbind-rpcd use its private tmp files"
* Allow upsmon execute upsmon via a helper script
* Allow openconnect vpn read/write inherited vhost net device
* Allow winbind-rpcd use its private tmp files
* Update samba-dcerpc policy for printing
* Allow gpsd,oddjob,oddjob_mkhomedir rw user domain pty
* Allow nscd watch system db dirs
* Allow qatlib to read sssd public files
* Allow fedora-third-party read /sys and proc
* Allow systemd-gpt-generator mount a tmpfs filesystem
* Allow journald write to cgroup files
* Allow rpc.mountd read network sysctls
* Allow blueman read the contents of the sysfs filesystem
* Allow logrotate_t to map generic files in /etc
* Boolean: Allow virt_qemu_ga create ssh directory
* Allow systemd-network-generator send system log messages
* Dontaudit the execute permission on sock_file globally
* Allow fsadm_t the file mounton permission
* Allow named and ndc the io_uring sqpoll permission
* Allow sssd io_uring sqpoll permission
* Fix location for /run/nsd
* Allow qemu-ga get fixed disk devices attributes
* Update bitlbee policy
* Label /usr/sbin/sos with sosreport_exec_t
* Update policy for the sblim-sfcb service
* Add the files_getattr_non_auth_dirs() interface
* Fix the CI to work with DNF5
* Make systemd_tmpfiles_t MLS trusted for lowering the level of files
* Revert "Allow insights client map cache_home_t"
* Allow nfsidmapd connect to systemd-machined over a unix socket
* Allow snapperd connect to kernel over a unix domain stream socket
* Allow virt_qemu_ga_t create .ssh dir with correct label
* Allow targetd read network sysctls
* Set the abrt_handle_event boolean to on
* Permit kernel_t to change the user identity in object contexts
* Allow insights client map cache_home_t
* Label /usr/sbin/mariadbd with mysqld_exec_t
* Allow httpd tcp connect to redis port conditionally
* Label only /usr/sbin/ripd and ripngd with zebra_exec_t
* Dontaudit aide the execmem permission
* Remove permissive from fdo
* Allow sa-update manage spamc home files
* Allow sa-update connect to systemlog services
* Label /usr/lib/systemd/system/mimedefang.service with antivirus_unit_file_t
* Allow nsd_crond_t write nsd_var_run_t & connectto nsd_t
* Allow bootupd search EFI directory
* Change init_audit_control default value to true
* Allow nfsidmapd connect to systemd-userdbd with a unix socket
* Add the qatlib module
* Add the fdo module
* Add the bootupd module
* Set default ports for keylime policy
* Create policy for qatlib
* Add policy for FIDO Device Onboard
* Add policy for bootupd
* Add support for kafs-dns requested by keyutils
* Allow insights-client execmem
* Add support for chronyd-restricted
* Add init_explicit_domain() interface
* Allow fsadm_t to get attributes of cgroup filesystems
* Add list_dir_perms to kerberos_read_keytab
* Label /var/run/tmpfiles.d/static-nodes.conf with kmod_var_run_t
* Allow sendmail manage its runtime files
OBS-URL: https://build.opensuse.org/request/show/1121138
OBS-URL: https://build.opensuse.org/package/show/security:SELinux/selinux-policy?expand=0&rev=196
- Update to version 20230622:
* Allow keyutils_dns_resolver_exec_t be an entrypoint
* Allow collectd_t read network state symlinks
* Revert "Allow collectd_t read proc_net link files"
* Allow nfsd_t to list exports_t dirs
* Allow cupsd dbus chat with xdm
* Allow haproxy read hardware state information
* Label /dev/userfaultfd with userfaultfd_t
* Allow blueman send general signals to unprivileged user domains
* Allow dkim-milter domain transition to sendmail
OBS-URL: https://build.opensuse.org/request/show/1094792
OBS-URL: https://build.opensuse.org/package/show/security:SELinux/selinux-policy?expand=0&rev=187
- Update to version 20230420:
* libzypp creates temporary files in /var/adm/mount. Label it with
rpm_var_cache_t to prevent wrong labels in /var/cache/zypp
* only use rsync_exec_t for the rsync server, not for the client
(bsc#1209890)
* properly label sshd-gen-keys-start to ensure ssh host keys have proper
labels after creation
* Allow dovecot-deliver write to the main process runtime fifo files
* Allow dmidecode write to cloud-init tmp files
* Allow chronyd send a message to cloud-init over a datagram socket
* Allow cloud-init domain transition to insights-client domain
* Allow mongodb read filesystem sysctls
* Allow mongodb read network sysctls
* Allow accounts-daemon read generic systemd unit lnk files
* Allow blueman watch generic device dirs
* Allow nm-dispatcher tlp plugin create tlp dirs
* Allow systemd-coredump mounton /usr
* Allow rabbitmq to read network sysctls
* Allow certmonger dbus chat with the cron system domain
* Allow geoclue read network sysctls
* Allow geoclue watch the /etc directory
* Allow logwatch_mail_t read network sysctls
* allow systemd_resolved_t to bind to all nodes (bsc#1200182)
* Allow insights-client read all sysctls
* Allow passt manage qemu pid sock files
* Allow sssd read accountsd fifo files
* Add support for the passt_t domain
* Allow virtd_t and svirt_t work with passt
* Add new interfaces in the virt module
* Add passt interfaces defined conditionally
OBS-URL: https://build.opensuse.org/request/show/1080814
OBS-URL: https://build.opensuse.org/package/show/security:SELinux/selinux-policy?expand=0&rev=181
- Update to version 20230125. Refreshed:
* distro_suse_to_distro_redhat.patch
* fix_dnsmasq.patch
* fix_init.patch
* fix_ipsec.patch
* fix_kernel_sysctl.patch
* fix_logging.patch
* fix_rpm.patch
* fix_selinuxutil.patch
* fix_systemd_watch.patch
* fix_userdomain.patch
- More flexible lib(exec) matching in fix_fwupd.patch
- Removed sys_admin for systemd_gpt_generator_t in fix_systemd.patch
- Dropped fix_container.patch, is now upstream
- Added fix_entropyd.patch
* Added new interface entropyd_semaphore_filetrans to properly transfer
semaphore created during early boot. That doesn't work yet, so work
around with next item
* Allow reading tempfs files
- Added fix_kernel.patch. Added modutils_execute_kmod_tmpfs_files interace
to allow kmod_tmpfs_t files to be executed. Necessary for firewalld
- Added fix_rtkit.patch to fix labeling of binary
- Modified fix_ntp.patch:
* Proper labeling for start-ntpd
* Fixed label rules for chroot path
* Temporarily allow dac_override for ntpd_t (bsc#1207577)
* Add interface ntp_manage_pid_files to allow management of pid
files
- Updated fix_networkmanager.patch to allow managing ntp pid files
OBS-URL: https://build.opensuse.org/request/show/1061575
OBS-URL: https://build.opensuse.org/package/show/security:SELinux/selinux-policy?expand=0&rev=171
- Updated fix_networkmanager.patch to fixe labeling of nm-dispatcher and
nm-priv-helper until the packaging is adjusted (bsc#1206355)
- Update fix_chronyd.patch to allow sendto towards
NetworkManager_dispatcher_custom_t. Added new interface
networkmanager_dispatcher_custom_dgram_send for this (bsc#1206357)
- Update fix_dbus.patch to allow dbus to watch lib directories (bsc#1205895)
- Updated fix_networkmanager.patch to allow NetworkManager to watch
net_conf_t (bsc#1206109)
OBS-URL: https://build.opensuse.org/request/show/1042579
OBS-URL: https://build.opensuse.org/package/show/security:SELinux/selinux-policy?expand=0&rev=161
- Update to version 20221019. Refreshed:
* distro_suse_to_distro_redhat.patch
* fix_apache.patch
* fix_chronyd.patch
* fix_cron.patch
* fix_init.patch
* fix_kernel_sysctl.patch
* fix_networkmanager.patch
* fix_rpm.patch
* fix_sysnetwork.patch
* fix_systemd.patch
* fix_systemd_watch.patch
* fix_unconfined.patch
* fix_unconfineduser.patch
* fix_unprivuser.patch
* fix_xserver.patch
- Dropped fix_cockpit.patch as this is now packaged with cockpit itself
- Remove the ipa module, freeip ships their own module
- Added fix_alsa.patch to allow reading of config files in home directories
- Extended fix_networkmanager.patch and fix_postfix.patch to account
for SUSE systems
- Added dontaudit_interface_kmod_tmpfs.patch to prevent AVCs when startproc
queries the running processes
- Updated fix_snapper.patch to allow snapper to talk to rpm via dbus
OBS-URL: https://build.opensuse.org/request/show/1035580
OBS-URL: https://build.opensuse.org/package/show/security:SELinux/selinux-policy?expand=0&rev=155
- Update to version 20221019. Refreshed:
* distro_suse_to_distro_redhat.patch
* fix_apache.patch
* fix_chronyd.patch
* fix_cron.patch
* fix_init.patch
* fix_kernel_sysctl.patch
* fix_networkmanager.patch
* fix_rpm.patch
* fix_sysnetwork.patch
* fix_systemd.patch
* fix_systemd_watch.patch
* fix_unconfined.patch
* fix_unconfineduser.patch
* fix_unprivuser.patch
* fix_xserver.patch
- Dropped fix_cockpit.patch as this is now packaged with cockpit itself
- Remove the ipa module, freeip ships their own module
- Added fix_alsa.patch to allow reading of config files in home directories
- Extended fix_networkmanager.patch and fix_postfix.patch to account
for SUSE systems
- Added dontaudit_interface_kmod_tmpfs.patch to prevent AVCs when startproc
queries the running processes
- Updated fix_snapper.patch to allow snapper to talk to rpm via dbus
OBS-URL: https://build.opensuse.org/request/show/1030151
OBS-URL: https://build.opensuse.org/package/show/security:SELinux/selinux-policy?expand=0&rev=153