1
0
Commit Graph

3 Commits

Author SHA256 Message Date
Johannes Segitz
2eaa3b6b79 Accepting request 1166915 from home:cahu:security:SELinux:policytest
- Update to version 20240411:
  * Remove duplicate in sysnetwork.fc
  * Rename /var/run/wicked* to /run/wicked*
  * Remove /var/run/rsyslog/additional-log-sockets.conf from logging.fc
  * policy: support pidfs
  * Confine selinux-autorelabel-generator.sh
  * Allow logwatch_mail_t read/write to init over a unix stream socket
  * Allow logwatch read logind sessions files
  * files_dontaudit_getattr_tmpfs_files allowed the access and didn't dontaudit it
  * files_dontaudit_mounton_modules_object allowed the access and didn't dontaudit it
  * Allow NetworkManager the sys_ptrace capability in user namespace
  * dontaudit execmem for modemmanager
  * Allow dhcpcd use unix_stream_socket
  * Allow dhcpc read /run/netns files
  * Update mmap_rw_file_perms to include the lock permission
  * Allow plymouthd log during shutdown
  * Add logging_watch_all_log_dirs() and logging_watch_all_log_files()
  * Allow journalctl_t read filesystem sysctls
  * Allow cgred_t to get attributes of cgroup filesystems
  * Allow wdmd read hardware state information
  * Allow wdmd list the contents of the sysfs directories
  * Allow linuxptp configure phc2sys and chronyd over a unix domain socket
  * Allow sulogin relabel tty1
  * Dontaudit sulogin the checkpoint_restore capability
  * Modify sudo_role_template() to allow getpgid
  * Allow userdomain get attributes of files on an nsfs filesystem
  * Allow opafm create NFS files and directories
  * Allow virtqemud create and unlink files in /etc/libvirt/
  * Allow virtqemud domain transition on swtpm execution
  * Add the swtpm.if interface file for interactions with other domains
  * Allow samba to have dac_override capability
  * systemd: allow sys_admin capability for systemd_notify_t
  * systemd: allow systemd_notify_t to send data to kernel_t datagram sockets
  * Allow thumb_t to watch and watch_reads mount_var_run_t
  * Allow krb5kdc_t map krb5kdc_principal_t files
  * Allow unprivileged confined user dbus chat with setroubleshoot
  * Allow login_userdomain map files in /var
  * Allow wireguard work with firewall-cmd
  * Differentiate between staff and sysadm when executing crontab with sudo
  * Add crontab_admin_domtrans interface
  * Allow abrt_t nnp domain transition to abrt_handle_event_t
  * Allow xdm_t to watch and watch_reads mount_var_run_t
  * Dontaudit subscription manager setfscreate and read file contexts
  * Don't audit crontab_domain write attempts to user home
  * Transition from sudodomains to crontab_t when executing crontab_exec_t
  * Add crontab_domtrans interface
  * Fix label of pseudoterminals created from sudodomain
  * Allow utempter_t use ptmx
  * Dontaudit rpmdb attempts to connect to sssd over a unix stream socket
  * Allow admin user read/write on fixed_disk_device_t
  * Only allow confined user domains to login locally without unconfined_login
  * Add userdom_spec_domtrans_confined_admin_users interface
  * Only allow admindomain to execute shell via ssh with ssh_sysadm_login
  * Add userdom_spec_domtrans_admin_users interface
  * Move ssh dyntrans to unconfined inside unconfined_login tunable policy
  * Update ssh_role_template() for user ssh-agent type
  * Allow init to inherit system DBus file descriptors
  * Allow init to inherit fds from syslogd
  * Allow any domain to inherit fds from rpm-ostree
  * Update afterburn policy
  * Allow init_t nnp domain transition to abrtd_t
  * Rename all /var/lock file context entries to /run/lock
  * Rename all /var/run file context entries to /run
- Add script varrun-convert.sh for locally existing modules
  to be able to cope with the /var/run -> /run change
- Update embedded container-selinux to commit
  a8e389dbcd3f9b6ed0a7e495c6f559c0383dc49e

OBS-URL: https://build.opensuse.org/request/show/1166915
OBS-URL: https://build.opensuse.org/package/show/security:SELinux/selinux-policy?expand=0&rev=217
2024-04-12 07:02:14 +00:00
Johannes Segitz
3c8840090d Accepting request 1094792 from home:jsegitz:branches:security:SELinux
- Update to version 20230622:
  * Allow keyutils_dns_resolver_exec_t be an entrypoint
  * Allow collectd_t read network state symlinks
  * Revert "Allow collectd_t read proc_net link files"
  * Allow nfsd_t to list exports_t dirs
  * Allow cupsd dbus chat with xdm
  * Allow haproxy read hardware state information
  * Label /dev/userfaultfd with userfaultfd_t
  * Allow blueman send general signals to unprivileged user domains
  * Allow dkim-milter domain transition to sendmail

OBS-URL: https://build.opensuse.org/request/show/1094792
OBS-URL: https://build.opensuse.org/package/show/security:SELinux/selinux-policy?expand=0&rev=187
2023-06-23 08:08:16 +00:00
Johannes Segitz
00949e479d Accepting request 1072556 from home:jsegitz:branches:security:SELinux_final
OBS-URL: https://build.opensuse.org/request/show/1072556
OBS-URL: https://build.opensuse.org/package/show/security:SELinux/selinux-policy?expand=0&rev=175
2023-03-17 10:46:53 +00:00