forked from pool/selinux-policy
64c9b9378c
* Allow systemd_ibft_rule_generator_t to create udev_rules_t dirs (bsc#1230011) * Allow systemd_udev_trigger_generator_t list and read sysctls (bsc#1230315) * Initial policy for udev-trigger-generator (bsc#1230315) OBS-URL: https://build.opensuse.org/package/show/security:SELinux/selinux-policy?expand=0&rev=274
2304 lines
92 KiB
Plaintext
-------------------------------------------------------------------
Thu Sep 12 07:34:20 UTC 2024 - cathy.hu@suse.com

- Update to version 20240912:
  * Allow systemd_ibft_rule_generator_t to create udev_rules_t dirs (bsc#1230011)
  * Allow systemd_udev_trigger_generator_t list and read sysctls (bsc#1230315)
  * Initial policy for udev-trigger-generator (bsc#1230315)

-------------------------------------------------------------------
Tue Sep 10 13:33:53 UTC 2024 - cathy.hu@suse.com

- Update to version 20240910:
  * Allow init_t mount syslog socket (bsc#1230134)
  * Allow init_t create syslog files (bsc#1230134)
  * Introduce initial policy for btrfs-soft-reboot-generator (bsc#1230134)

-------------------------------------------------------------------
Thu Sep 05 14:12:24 UTC 2024 - filippo.bonazzi@suse.com

- Update to version 20240905:
  * Allow coreos-installer-generator manage mdadm_conf_t files
  * Allow setsebool_t relabel selinux data files
  * Allow virtqemud relabelfrom virtqemud_var_run_t dirs
  * Use better escape method for "interface"
  * Allow init and systemd-logind to inherit fds from sshd
  * Allow systemd-ssh-generator read sysctl files
  * Sync modules.conf with Fedora targeted modules
  * Allow virtqemud relabel user tmp files and socket files
  * Add missing sys_chroot capability to groupadd policy
  * Label /run/libvirt/qemu/channel with virtqemud_var_run_t
  * Allow virtqemud relabelfrom also for file and sock_file
  * Add virt_create_log() and virt_write_log() interfaces
- Sync modules-targeted-contrib.conf with Fedora targeted modules.conf

-------------------------------------------------------------------
Wed Sep 4 13:07:52 UTC 2024 - Cathy Hu <cathy.hu@suse.com>

- Fix macros.selinux-policy (bsc#1229132)
- %selinux_modules_install and %selinux_modules_uninstall will
  now only execute load_policy if $TRANSACTIONAL_UPDATE is not set
  (aka only if they are not in a transactional system)
- $TRANSACTIONAL_UPDATE is set here:
  https://github.com/openSUSE/transactional-update/blob/bd524d3ddfcd9aeebb7b90d3e0e8eed09b796a86/lib/Transaction.cpp#L428

-------------------------------------------------------------------
Tue Sep 3 09:45:12 UTC 2024 - Johannes Segitz <jsegitz@suse.com>

- Disable build of the MLS policy. We currently don't know if it works
  and don't want to encourage users to apply it

-------------------------------------------------------------------
Tue Sep 03 07:57:18 UTC 2024 - cathy.hu@suse.com

- Update to version 20240903:
  * allow sshd_t and sshd_net_t access to ssh vsockets (bsc#1228831)

-------------------------------------------------------------------
Mon Sep 02 08:30:34 UTC 2024 - cathy.hu@suse.com

- Update to version 20240902:
  * Allow xen to use qemu as dom0 disk backend (bsc#1228540)
  * Label /var/lib/xen/xenstore as xenstored_var_lib_t (bsc#1228540)
  * Allow xl to access hypercall interfaces to xen hypervisor (bsc#1228540)

-------------------------------------------------------------------
Fri Aug 30 11:45:10 UTC 2024 - cathy.hu@suse.com

- Update to version 20240830:
  * Allow virtstoraged to manage images (bsc#1228742)
  * Allow virtstoraged_t domtrans to udev (bsc#1228742)

-------------------------------------------------------------------
Wed Aug 28 08:11:06 UTC 2024 - cathy.hu@suse.com

- Update to version 20240828:
  * Allow systemd-ssh-generator to load net-pf-40 (bsc#1229766)

-------------------------------------------------------------------
Mon Aug 26 14:28:40 UTC 2024 - Cathy Hu <cathy.hu@suse.com>

- Enable named_write_master_zones boolean by default (bsc#1229479)

-------------------------------------------------------------------
Fri Aug 23 08:42:06 UTC 2024 - cathy.hu@suse.com

- Update to version 20240823:
  * Allow rasdaemon write access to sysfs (bsc#1229587)

-------------------------------------------------------------------
Fri Aug 16 12:27:10 UTC 2024 - cathy.hu@suse.com

- Update to version 20240816:
  * Initial policy for syslog-ng (bsc#1229153)

-------------------------------------------------------------------
Wed Aug 14 12:11:13 UTC 2024 - cathy.hu@suse.com

- Update to version 20240814:
  * Dontaudit dac_override of fstab generator (bsc#1229127)

-------------------------------------------------------------------
Wed Aug 14 07:00:34 UTC 2024 - Cathy Hu <cathy.hu@suse.com>

- Drop varrun-convert.sh script as it causes issues with
  container-selinux update (bsc#1228951)

-------------------------------------------------------------------
Mon Aug 12 15:30:47 UTC 2024 - cathy.hu@suse.com

- Update to version 20240812:
  * Update libvirt policy
  * Add port 80/udp and 443/udp to http_port_t definition
  * Additional updates stalld policy for bpf usage
  * Label systemd-pcrextend and systemd-pcrlock properly
  * Allow coreos_installer_t work with partitions
  * Revert "Allow coreos-installer-generator work with partitions"
  * Add policy for systemd-pcrextend
  * Update policy for systemd-getty-generator
  * Allow ip command write to ipsec's logs
  * Allow virt_driver_domain read virtd-lxc files in /proc
  * Revert "Allow svirt read virtqemud fifo files"
  * Update virtqemud policy for libguestfs usage
  * Allow virtproxyd create and use its private tmp files
  * Allow virtproxyd read network state
  * Allow virt_driver_domain create and use log files in /var/log
  * Allow samba-dcerpcd work with ctdb cluster
  * Allow NetworkManager_dispatcher_t send SIGKILL to plugins
  * Allow setroubleshootd execute sendmail with a domain transition
  * Allow key.dns_resolve set attributes on the kernel key ring
  * Update qatlib policy for v24.02 with new features
  * Label /var/lib/systemd/sleep with systemd_sleep_var_lib_t
  * Allow tlp status power services
  * Allow virtqemud domain transition on passt execution
  * Allow virt_driver_domain connect to systemd-userdbd over a unix socket
  * Allow boothd connect to systemd-userdbd over a unix socket
  * Update policy for awstats scripts
  * Allow bitlbee execute generic programs in system bin directories
  * Allow login_userdomain read aliases file
  * Allow login_userdomain read ipsec config files
  * Allow login_userdomain read all pid files
  * Allow rsyslog read systemd-logind session files
  * Allow libvirt-dbus stream connect to virtlxcd

-------------------------------------------------------------------
Fri Aug 09 12:35:40 UTC 2024 - cathy.hu@suse.com

- Update to version 20240809:
  * Label /run/udev/rules.d as udev_rules_t
  * Provide type for sysstat lock files (bsc#1228247)
  * Allow snapper to delete unlabeled_t files (bsc#1228889)

-------------------------------------------------------------------
Thu Aug 08 12:24:12 UTC 2024 - cathy.hu@suse.com

- Update to version 20240808:
  * Use new kanidm interfaces
  * Initial module for kanidm
  * Update bootupd policy
  * Allow rhsmcertd read/write access to /dev/papr-sysparm
  * Label /dev/papr-sysparm and /dev/papr-vpd
  * Allow abrt-dump-journal-core connect to winbindd
  * Allow systemd-hostnamed shut down nscd
  * Allow systemd-pstore send a message to syslogd over a unix domain
  * Allow postfix_domain map postfix_etc_t files
  * Allow microcode create /sys/devices/system/cpu/microcode/reload
  * Allow rhsmcertd read, write, and map ica tmpfs files
  * Support SGX devices
  * Allow initrc_t transition to passwd_t
  * Update fstab and cryptsetup generators policy
  * Allow xdm_t read and write the dma device
  * Update stalld policy for bpf usage
  * Allow systemd_gpt_generator to getattr on DOS directories
  * Make cgroup_memory_pressure_t a part of the file_type attribute
  * Allow ssh_t to change role to system_r
  * Update policy for coreos generators
  * Allow init_t nnp domain transition to firewalld_t
  * Label /run/modprobe.d with modules_conf_t
  * Allow virtnodedevd run udev with a domain transition
  * Allow virtnodedev_t create and use virtnodedev_lock_t
  * Allow virtstoraged manage files with virt_content_t type
  * Allow virtqemud unmount a filesystem with extended attributes
  * Allow svirt_t connect to unconfined_t over a unix domain socket
  * Update afterburn file transition policy
  * Allow systemd_generator read attributes of all filesystems
  * Allow fstab-generator read and write cryptsetup-generator unit file
  * Allow cryptsetup-generator read and write fstab-generator unit file
  * Allow systemd_generator map files in /etc
  * Allow systemd_generator read init's process state
  * Allow coreos-installer-generator read sssd public files
  * Allow coreos-installer-generator work with partitions
  * Label /etc/mdadm.conf.d with mdadm_conf_t
  * Confine coreos generators
  * Label /run/metadata with afterburn_runtime_t
  * Allow afterburn list ssh home directory
  * Label samba certificates with samba_cert_t
  * Label /run/coreos-installer-reboot with coreos_installer_var_run_t
  * Allow virtqemud read virt-dbus process state
  * Allow staff user dbus chat with virt-dbus
  * Allow staff use watch /run/systemd
  * Allow systemd_generator to write kmsg
  * Allow virtqemud connect to sanlock over a unix stream socket
  * Allow virtqemud relabel virt_var_run_t directories
  * Allow svirt_tcg_t read vm sysctls
  * Allow virtnodedevd connect to systemd-userdbd over a unix socket
  * Allow svirt read virtqemud fifo files
  * Allow svirt attach_queue to a virtqemud tun_socket
  * Allow virtqemud run ssh client with a transition
  * Allow virt_dbus_t connect to virtqemud_t over a unix stream socket
  * Update keyutils policy
  * Allow sshd_keygen_t connect to userdbd over a unix stream socket
  * Allow postfix-smtpd read mysql config files
  * Allow locate stream connect to systemd-userdbd
  * Allow the staff user use wireshark
  * Allow updatedb connect to userdbd over a unix stream socket
  * Allow gpg_t set attributes of public-keys.d
  * Allow gpg_t get attributes of login_userdomain stream
  * Allow systemd_getty_generator_t read /proc/1/environ
  * Allow systemd_getty_generator_t to read and write to tty_device_t
  * Drop publicfile module
  * Remove permissive domain for systemd_nsresourced_t
  * Change fs_dontaudit_write_cgroup_files() to apply to cgroup_t
  * Label /usr/bin/samba-gpupdate with samba_gpupdate_exec_t
  * Allow to create and delete socket files created by rhsm.service
  * Allow virtnetworkd exec shell when virt_hooks_unconfined is on
  * Allow unconfined_service_t transition to passwd_t
  * Support /var is empty
  * Allow abrt-dump-journal read all non_security socket files
  * Allow timemaster write to sysfs files
  * Dontaudit domain write cgroup files
  * Label /usr/lib/node_modules/npm/bin with bin_t
  * Allow ip the setexec permission
  * Allow systemd-networkd write files in /var/lib/systemd/network
  * Fix typo in systemd_nsresourced_prog_run_bpf()

-------------------------------------------------------------------
Fri Aug 02 13:27:55 UTC 2024 - cathy.hu@suse.com

- Update to version 20240802:
  * Dontaudit search of snapper grub plugin to nscd socket (bsc#1228745)

-------------------------------------------------------------------
Wed Jul 31 16:18:29 UTC 2024 - cathy.hu@suse.com

- Update to version 20240731:
  * Initial policy for ibft-rule-generator (bsc#1228402)
  * Initial policy for systemd-status-mail (bsc#1228402)

-------------------------------------------------------------------
Wed Jul 31 12:55:19 UTC 2024 - cathy.hu@suse.com

- Update to version 20240731:
  * Fix labels for bind/named (bsc#1228372)

-------------------------------------------------------------------
Mon Jul 29 15:50:11 UTC 2024 - cathy.hu@suse.com

- Update to version 20240729:
  * Label /usr/libexec/netconfig/ppp/ip-up pppd_initrc_exec_t (bsc#1228385)
  * Allow pppd to manage sysnet directories (bsc#1228385)

-------------------------------------------------------------------
Fri Jul 26 13:38:26 UTC 2024 - cathy.hu@suse.com

- Update to version 20240726:
  * Allow snapper grub plugin to manage unlabeled_t and read link files

-------------------------------------------------------------------
Thu Jul 25 07:43:52 UTC 2024 - cathy.hu@suse.com

- Update to version 20240725:
  * Initial policy for grub2 snapper plugin (bsc#1228205)

-------------------------------------------------------------------
Tue Jul 16 10:57:07 UTC 2024 - cathy.hu@suse.com

- Update to version 20240716:
  * Set microos autorelabel script to systemd_autorelabel_generator_t
  * Allow systemd_generator to write kmsg
  * Initial policy for systemd growpart-generator (bsc#1226824)

-------------------------------------------------------------------
Mon Jul 15 11:55:43 UTC 2024 - cathy.hu@suse.com

- Update to version 20240715:
  * Allow systemd_getty_generator_t read /proc/1/environ
  * Allow systemd_getty_generator_t to read and write to tty_device_t (bsc#1226888)

-------------------------------------------------------------------
Wed Jul 10 07:45:13 UTC 2024 - cathy.hu@suse.com

- Enable sap module
- Add equivalency in file_contexts.subs_dist
  * /bin /usr/bin
  * /sbin /usr/bin
  * /usr/sbin /usr/bin
- Update to version 20240710:
  * Change fc in rebootmgr module for /sbin -> /usr/bin
  * Change fc in rpm module for /sbin -> /usr/bin
  * Change fc in rsync module for /sbin -> /usr/bin
  * Change fc in wicked module for /sbin -> /usr/bin
  * Confine libvirt-dbus
  * Allow virtqemud the kill capability in user namespace
  * Allow rshim get options of the netlink class for KOBJECT_UEVENT family
  * Allow dhcpcd the kill capability
  * Allow systemd-networkd list /var/lib/systemd/network
  * Allow sysadm_t run systemd-nsresourced bpf programs
  * Update policy for systemd generators interactions
  * Allow create memory.pressure files with cgroup_memory_pressure_t
  * Add support for libvirt hooks
  * Allow certmonger read and write tpm devices
  * Allow all domains to connect to systemd-nsresourced over a unix socket
  * Allow systemd-machined read the vsock device
  * Update policy for systemd generators
  * Allow ptp4l_t request that the kernel load a kernel module
  * Allow sbd to trace processes in user namespace
  * Allow request-key execute scripts
  * Update policy for haproxyd
  * Update policy for systemd-nsresourced
  * Correct sbin-related file context entries
  * Allow login_userdomain execute systemd-tmpfiles in the caller domain
  * Allow virt_driver_domain read files labeled unconfined_t
  * Allow virt_driver_domain dbus chat with policykit
  * Allow virtqemud manage nfs files when virt_use_nfs boolean is on
  * Add rules for interactions between generators
  * Label memory.pressure files with cgroup_memory_pressure_t
  * Revert "Allow some systemd services write to cgroup files"
  * Update policy for systemd-nsresourced
  * Label /usr/bin/ntfsck with fsadm_exec_t
  * Allow systemd_fstab_generator_t read tmpfs files
  * Update policy for systemd-nsresourced
  * Alias /usr/sbin to /usr/bin and change all /usr/sbin paths to /usr/bin
  * Remove a few lines duplicated between {dkim,milter}.fc
  * Alias /bin → /usr/bin and remove redundant paths
  * Drop duplicate line for /usr/sbin/unix_chkpwd
  * Drop duplicate paths for /usr/sbin
  * Update systemd-generator policy
  * Remove permissive domain for bootupd_t
  * Remove permissive domain for coreos_installer_t
  * Remove permissive domain for afterburn_t
  * Add the sap module to modules.conf
  * Move unconfined_domain(sap_unconfined_t) to an optional block
  * Create the sap module
  * Allow systemd-coredumpd sys_admin and sys_resource capabilities
  * Allow systemd-coredump read nsfs files
  * Allow generators auto file transition only for plain files
  * Allow systemd-hwdb write to the kernel messages device
  * Escape "interface" as a file name in a virt filetrans pattern
  * Allow gnome-software work for login_userdomain
  * Allow systemd-machined manage runtime sockets
  * Revert "Allow systemd-machined manage runtime sockets"
  * Allow postfix_domain connect to postgresql over a unix socket
  * Dontaudit systemd-coredump sys_admin capability
- Update container-selinux

-------------------------------------------------------------------
Tue Jul 02 10:03:44 UTC 2024 - cathy.hu@suse.com

- Update to version 20240702:
  * Allow manage dosfs_t files to snapperd (bsc#1224120)
  * Add auth_rw_wtmpdb_login_records to domains using auth_manage_login_records
  * Add auth_rw_wtmpdb_login_records to modules
  * Allow xdm_t to read-write to wtmpdb (bsc#1225984)
  * Introduce types for wtmpdb and rw interface
  * Introduce wtmp_file_type attribute
  * Revert "Add policy for wtmpdb (bsc#1210717)"

-------------------------------------------------------------------
Mon Jun 17 14:36:01 UTC 2024 - cathy.hu@suse.com

- Update to version 20240617:
  * Allow gnome control center to set autologin (bsc#1222978)
  * Dontaudit xdm_t to getattr on root_t (bsc#1223145)

-------------------------------------------------------------------
Thu Jun 13 08:12:47 UTC 2024 - cathy.hu@suse.com

- Update to version 20240613:
  * Allow systemd_fstab_generator_t read tmpfs files (bsc#1223599)

-------------------------------------------------------------------
Wed Jun 12 08:43:02 UTC 2024 - cathy.hu@suse.com

- Update to version 20240612:
  * Allow all domains read and write z90crypt device
  * Allow tpm2 generator setfscreate
  * Allow systemd (PID 1) manage systemd conf files
  * Allow pulseaudio map its runtime files
  * Update policy for getty-generator
  * Allow systemd-hwdb send messages to kernel unix datagram sockets
  * Allow systemd-machined manage runtime sockets
  * Allow fstab-generator create unit file symlinks
  * Update policy for cryptsetup-generator
  * Update policy for fstab-generator
  * Allow virtqemud read vm sysctls
  * Allow collectd to trace processes in user namespace
  * Allow bootupd search efivarfs dirs
  * Add policy for systemd-mountfsd
  * Add policy for systemd-nsresourced
  * Update policy generators
  * Add policy for anaconda-generator
  * Update policy for fstab and gpt generators
  * Add policy for kdump-dep-generator
  * Add policy for a generic generator
  * Add policy for tpm2 generator
  * Add policy for ssh-generator
  * Add policy for second batch of generators
  * Update policy for systemd generators
  * ci: Adjust Cockpit test plans
  * Allow journald read systemd config files and directories
  * Allow systemd_domain read systemd_conf_t dirs
  * Fix bad Python regexp escapes
  * Allow fido services connect to postgres database
  * Revert "Update the README.md file with the c10s branch information"
  * Update the README.md file with the c10s branch information
  * Allow postfix smtpd map aliases file
  * Ensure dbus communication is allowed bidirectionally
  * Label systemd configuration files with systemd_conf_t
  * Label /run/systemd/machine with systemd_machined_var_run_t
  * Allow systemd-hostnamed read the vsock device
  * Allow sysadm execute dmidecode using sudo
  * Allow sudodomain list files in /var
  * Allow setroubleshootd get attributes of all sysctls
  * Allow various services read and write z90crypt device
  * Allow nfsidmap connect to systemd-homed
  * Allow sandbox_x_client_t dbus chat with accountsd
  * Allow system_cronjob_t dbus chat with avahi_t
  * Allow staff_t the io_uring sqpoll permission
  * Allow staff_t use the io_uring API
  * Add support for secretmem anon inode
  * Allow virtqemud read vfio devices
  * Allow virtqemud get attributes of a tmpfs filesystem
  * Allow svirt_t read vm sysctls
  * Allow virtqemud create and unlink files in /etc/libvirt/
  * Allow virtqemud get attributes of cifs files
  * Allow virtqemud get attributes of filesystems with extended attributes
  * Allow virtqemud get attributes of NFS filesystems
  * Allow virt_domain read and write usb devices conditionally
  * Allow virtstoraged use the io_uring API
  * Allow virtstoraged execute lvm programs in the lvm domain
  * Allow virtnodevd_t map /var/lib files
  * Allow svirt_tcg_t map svirt_image_t files
  * Allow abrt-dump-journal-core connect to systemd-homed
  * Allow abrt-dump-journal-core connect to systemd-machined
  * Allow sssd create and use io_uring
  * Allow selinux-relabel-generator create units dir
  * Allow dbus-broker read/write inherited user ttys
  * Define transitions for /run/libvirt/common and /run/libvirt/qemu
  * Allow systemd-sleep read raw disk data
  * Allow numad to trace processes in user namespace
  * Allow abrt-dump-journal-core connect to systemd-userdbd
  * Allow plymouthd read efivarfs files
  * Update the auth_dontaudit_read_passwd_file() interface
  * Label /dev/mmcblk0rpmb character device with removable_device_t
  * fix hibernate on btrfs swapfile (F40)
  * Allow nut to statfs()
  * Allow system dbusd service status systemd services
  * Allow systemd-timedated get the timemaster service status
  * Allow keyutils-dns-resolver connect to the system log service
  * Allow qemu-ga read vm sysctls
  * postfix: allow qmgr to delete mails in bounce/ directory

-------------------------------------------------------------------
Mon Jun 3 13:42:13 UTC 2024 - Johannes Segitz <jsegitz@suse.com>

- Remove "Reference" from the package description. It's not the
  reference policy, but the Fedora branch of the policy

-------------------------------------------------------------------
Tue May 28 11:12:57 UTC 2024 - Cathy Hu <cathy.hu@suse.com>

- Use python311 tools in 15.4 and 15.5 when building selinux-policy to deprecate
  python36 tooling

-------------------------------------------------------------------
Wed May 8 11:06:43 UTC 2024 - Johannes Segitz <jsegitz@suse.com>

- Fixed varrun-convert.sh script to not break because of duplicate
  entries

-------------------------------------------------------------------
Mon May 6 07:44:20 UTC 2024 - Johannes Segitz <jsegitz@suse.com>

- Move to %posttrans to ensure selinux-policy got updated before
  the commands run (bsc#1221720)

-------------------------------------------------------------------
Mon Apr 15 13:23:40 UTC 2024 - Cathy Hu <cathy.hu@suse.com>

- Add file contexts "forwarding" to file_contexts.sub_dist
  to fix systemd-gpt-auto-generator and systemd-fstab-generator
  (bsc#1222736):
  * /run/systemd/generator.early /usr/lib/systemd/system
  * /run/systemd/generator.late /usr/lib/systemd/system

-------------------------------------------------------------------
Thu Apr 11 15:13:31 UTC 2024 - cathy.hu@suse.com

- Update to version 20240411:
  * Remove duplicate in sysnetwork.fc
  * Rename /var/run/wicked* to /run/wicked*
  * Remove /var/run/rsyslog/additional-log-sockets.conf from logging.fc
  * policy: support pidfs
  * Confine selinux-autorelabel-generator.sh
  * Allow logwatch_mail_t read/write to init over a unix stream socket
  * Allow logwatch read logind sessions files
  * files_dontaudit_getattr_tmpfs_files allowed the access and didn't dontaudit it
  * files_dontaudit_mounton_modules_object allowed the access and didn't dontaudit it
  * Allow NetworkManager the sys_ptrace capability in user namespace
  * dontaudit execmem for modemmanager
  * Allow dhcpcd use unix_stream_socket
  * Allow dhcpc read /run/netns files
  * Update mmap_rw_file_perms to include the lock permission
  * Allow plymouthd log during shutdown
  * Add logging_watch_all_log_dirs() and logging_watch_all_log_files()
  * Allow journalctl_t read filesystem sysctls
  * Allow cgred_t to get attributes of cgroup filesystems
  * Allow wdmd read hardware state information
  * Allow wdmd list the contents of the sysfs directories
  * Allow linuxptp configure phc2sys and chronyd over a unix domain socket
  * Allow sulogin relabel tty1
  * Dontaudit sulogin the checkpoint_restore capability
  * Modify sudo_role_template() to allow getpgid
  * Allow userdomain get attributes of files on an nsfs filesystem
  * Allow opafm create NFS files and directories
  * Allow virtqemud create and unlink files in /etc/libvirt/
  * Allow virtqemud domain transition on swtpm execution
  * Add the swtpm.if interface file for interactions with other domains
  * Allow samba to have dac_override capability
  * systemd: allow sys_admin capability for systemd_notify_t
  * systemd: allow systemd_notify_t to send data to kernel_t datagram sockets
  * Allow thumb_t to watch and watch_reads mount_var_run_t
  * Allow krb5kdc_t map krb5kdc_principal_t files
  * Allow unprivileged confined user dbus chat with setroubleshoot
  * Allow login_userdomain map files in /var
  * Allow wireguard work with firewall-cmd
  * Differentiate between staff and sysadm when executing crontab with sudo
  * Add crontab_admin_domtrans interface
  * Allow abrt_t nnp domain transition to abrt_handle_event_t
  * Allow xdm_t to watch and watch_reads mount_var_run_t
  * Dontaudit subscription manager setfscreate and read file contexts
  * Don't audit crontab_domain write attempts to user home
  * Transition from sudodomains to crontab_t when executing crontab_exec_t
  * Add crontab_domtrans interface
  * Fix label of pseudoterminals created from sudodomain
  * Allow utempter_t use ptmx
  * Dontaudit rpmdb attempts to connect to sssd over a unix stream socket
  * Allow admin user read/write on fixed_disk_device_t
  * Only allow confined user domains to login locally without unconfined_login
  * Add userdom_spec_domtrans_confined_admin_users interface
  * Only allow admindomain to execute shell via ssh with ssh_sysadm_login
  * Add userdom_spec_domtrans_admin_users interface
  * Move ssh dyntrans to unconfined inside unconfined_login tunable policy
  * Update ssh_role_template() for user ssh-agent type
  * Allow init to inherit system DBus file descriptors
  * Allow init to inherit fds from syslogd
  * Allow any domain to inherit fds from rpm-ostree
  * Update afterburn policy
  * Allow init_t nnp domain transition to abrtd_t
  * Rename all /var/lock file context entries to /run/lock
  * Rename all /var/run file context entries to /run
- Add script varrun-convert.sh for locally existing modules
  to be able to cope with the /var/run -> /run change
- Update embedded container-selinux to commit
  a8e389dbcd3f9b6ed0a7e495c6f559c0383dc49e

-------------------------------------------------------------------
Thu Mar 21 10:44:09 UTC 2024 - jsegitz@suse.com

- Update to version 20240321:
  * policy module for kiwi (bsc#1221109)
  * dontaudit execmem for modemmanager (bsc#1219363)

-------------------------------------------------------------------
Wed Mar 13 11:02:43 UTC 2024 - cathy.hu@suse.com

- Update to version 20240313:
  * Assign alts_exec_t to files_type

-------------------------------------------------------------------
Fri Mar 08 09:05:08 UTC 2024 - cathy.hu@suse.com

- Update to version 20240308:
  * Support /bin/alts in the policy (bsc#1217530)
  * Revert "Allow virtnetworkd_t to execute bin_t (bsc#1216903)"

-------------------------------------------------------------------
Wed Mar 06 15:41:20 UTC 2024 - cathy.hu@suse.com

- Update to version 20240306:
  * Replace init domtrans rule for confined users to allow exec init
  * Update dbus_role_template() to allow user service status
  * Allow polkit status all systemd services
  * Allow setroubleshootd create and use inherited io_uring
  * Allow load_policy read and write generic ptys

-------------------------------------------------------------------
Mon Mar 04 16:19:28 UTC 2024 - cathy.hu@suse.com

- Update to version 20240304:
  * Allow ssh-keygen to use the libica crypto module (bsc#1220373)

-------------------------------------------------------------------
Mon Feb 05 15:48:02 UTC 2024 - cathy.hu@suse.com

- Update to version 20240205:
  * Allow gpg manage rpm cache
  * Allow login_userdomain name_bind to howl and xmsg udp ports
  * Allow rules for confined users logged in plasma
  * Label /dev/iommu with iommu_device_t
  * Remove duplicate file context entries in /run
  * Dontaudit getty and plymouth the checkpoint_restore capability
  * Allow su domains write login records
  * Revert "Allow su domains write login records"
  * Allow login_userdomain delete session dbusd tmp socket files
  * Allow unix dgram sendto between exim processes
  * Allow su domains write login records
  * Allow smbd_t to watch user_home_dir_t if samba_enable_home_dirs is on
  * Allow chronyd-restricted read chronyd key files
  * Allow conntrackd_t to use bpf capability2
  * Allow systemd-networkd manage its runtime socket files
  * Allow init_t nnp domain transition to colord_t
  * Allow polkit status systemd services
  * nova: Fix duplicate declarations
  * Allow httpd work with PrivateTmp
  * Add interfaces for watching and reading ifconfig_var_run_t
  * Allow collectd read raw fixed disk device
  * Allow collectd read udev pid files
  * Set correct label on /etc/pki/pki-tomcat/kra
  * Allow systemd domains watch system dbus pid socket files
  * Allow certmonger read network sysctls
  * Allow mdadm list stratisd data directories
  * Allow syslog to run unconfined scripts conditionally
  * Allow syslogd_t nnp_transition to syslogd_unconfined_script_t
  * Allow qatlib set attributes of vfio device files
  * Allow systemd-sleep set attributes of efivarfs files
  * Allow samba-dcerpcd read public files
  * Allow spamd_update_t the sys_ptrace capability in user namespace
  * Allow bluetooth devices work with alsa
  * Allow alsa get attributes filesystems with extended attributes
  * Allow hypervkvp_t write access to NetworkManager_etc_rw_t
  * Add interface for write-only access to NetworkManager rw conf
  * Allow systemd-sleep send a message to syslog over a unix dgram socket
  * Allow init create and use netlink netfilter socket
  * Allow qatlib load kernel modules
  * Allow qatlib run lspci
  * Allow qatlib manage its private runtime socket files
  * Allow qatlib read/write vfio devices
  * Label /etc/redis.conf with redis_conf_t
  * Remove the lockdown-class rules from the policy
  * Allow init read all non-security socket files
  * Replace redundant dnsmasq pattern macros
  * Remove unneeded symlink perms in dnsmasq.if
  * Add additions to dnsmasq interface
  * Allow nvme_stas_t create and use netlink kobject uevent socket
  * Allow collectd connect to statsd port
  * Allow keepalived_t to use sys_ptrace of cap_userns
  * Allow dovecot_auth_t connect to postgresql using UNIX socket
  * Make named_zone_t and named_var_run_t a part of the mountpoint attribute
  * Allow sysadm execute traceroute in sysadm_t domain using sudo
  * Allow sysadm execute tcpdump in sysadm_t domain using sudo
  * Allow opafm search nfs directories
  * Add support for syslogd unconfined scripts
  * Allow gpsd use /dev/gnss devices
  * Allow gpg read rpm cache
  * Allow virtqemud additional permissions
  * Allow virtqemud manage its private lock files
  * Allow virtqemud use the io_uring api
  * Allow ddclient send e-mail notifications
  * Allow postfix_master_t map postfix data files
  * Allow init create and use vsock sockets
  * Allow thumb_t append to init unix domain stream sockets
  * Label /dev/vas with vas_device_t
  * Create interface selinux_watch_config and add it to SELinux users
  * Update cifs interfaces to include fs_search_auto_mountpoints()
  * Allow sudodomain read var auth files
  * Allow spamd_update_t read hardware state information
  * Allow virtnetworkd domain transition on tc command execution
  * Allow sendmail MTA connect to sendmail LDA
  * Allow auditd read all domains process state
  * Allow rsync read network sysctls
  * Add dhcpcd bpf capability to run bpf programs
  * Dontaudit systemd-hwdb dac_override capability
  * Allow systemd-sleep create efivarfs files
  * Allow map xserver_tmpfs_t files when xserver_clients_write_xshm is on
  * Allow graphical applications work in Wayland
  * Allow kdump work with PrivateTmp
  * Allow dovecot-auth work with PrivateTmp
  * Allow nfsd get attributes of all filesystems
  * Allow unconfined_domain_type use io_uring cmd on domain
|
|
* ci: Only run Rawhide revdeps tests on the rawhide branch
|
|
* Label /var/run/auditd.state as auditd_var_run_t
|
|
* Allow fido-device-onboard (FDO) read the crack database
|
|
* Allow ip an explicit domain transition to other domains
|
|
* Label /usr/libexec/selinux/selinux-autorelabel with semanage_exec_t
|
|
* Allow winbind_rpcd_t processes access when samba_export_all_* is on
|
|
* Enable NetworkManager and dhclient to use initramfs-configured DHCP connection
|
|
* Allow ntp to bind and connect to ntske port.
|
|
|
|
-------------------------------------------------------------------
|
|
Tue Jan 16 08:54:51 UTC 2024 - cathy.hu@suse.com
|
|
|
|
- Update to version 20240116:
|
|
* Fix gitolite homedir paths (bsc#1218826)
|
|
|
|
-------------------------------------------------------------------
|
|
Tue Jan 09 09:14:44 UTC 2024 - cathy.hu@suse.com
|
|
|
|
- Update to version 20240104:
|
|
* Allow keepalived_t read+write kernel_t pipes (bsc#1216060)
|
|
* allow rebootmgr to read the system state (bsc#1205931)
|
|
|
|
-------------------------------------------------------------------
|
|
Tue Nov 28 14:40:23 UTC 2023 - Hu <cathy.hu@suse.com>
|
|
|
|
- Trigger rebuild of the policy when pcre2 gets updated to avoid
|
|
regex version mismatch errors (bsc#1216747).
|
|
|
|
-------------------------------------------------------------------
|
|
Fri Nov 24 09:34:20 UTC 2023 - cathy.hu@suse.com
|
|
|
|
- Update to version 20231124:
|
|
* Allow virtnetworkd_t to execute bin_t (bsc#1216903)
|
|
|
|
-------------------------------------------------------------------
|
|
Wed Nov 22 14:37:56 UTC 2023 - Hu <cathy.hu@suse.com>
|
|
|
|
- Add new modules that were missed in the last update to
|
|
modules-mls-contrib.conf
|
|
|
|
-------------------------------------------------------------------
|
|
Wed Nov 22 13:49:14 UTC 2023 - Hu <cathy.hu@suse.com>
|
|
|
|
- Add new modules that were missed in the last update to
|
|
modules-targeted-contrib.conf
|
|
|
|
-------------------------------------------------------------------
|
|
Mon Oct 30 10:28:10 UTC 2023 - cathy.hu@suse.com
|
|
|
|
- Update to version 20231030:
|
|
* Allow system_mail_t manage exim spool files and dirs
|
|
* Dontaudit keepalived setattr on keepalived_unconfined_script_exec_t
|
|
* Label /run/pcsd.socket with cluster_var_run_t
|
|
* ci: Run cockpit tests in PRs
|
|
* Add map_read map_write to kernel_prog_run_bpf
|
|
* Allow systemd-fstab-generator read all symlinks
|
|
* Allow systemd-fstab-generator the dac_override capability
|
|
* Allow rpcbind read network sysctls
|
|
* Support using systemd containers
|
|
* Allow sysadm_t to connect to iscsid using a unix domain stream socket
|
|
* Add policy for coreos installer
|
|
* Add policy for nvme-stas
|
|
* Confine systemd fstab,sysv,rc-local
|
|
* Label /etc/aliases.lmdb with etc_aliases_t
|
|
* Create policy for afterburn
|
|
* Make new virt drivers permissive
|
|
* Split virt policy, introduce virt_supplementary module
|
|
* Allow apcupsd cgi scripts read /sys
|
|
* Allow kernel_t to manage and relabel all files
|
|
* Add missing optional_policy() to files_relabel_all_files()
|
|
* Allow named and ndc use the io_uring api
|
|
* Deprecate common_anon_inode_perms usage
|
|
* Improve default file context(None) of /var/lib/authselect/backups
|
|
* Allow udev_t to search all directories with a filesystem type
|
|
* Implement proper anon_inode support
|
|
* Allow targetd write to the syslog pid sock_file
|
|
* Add ipa_pki_retrieve_key_exec() interface
|
|
* Allow kdumpctl_t to list all directories with a filesystem type
|
|
* Allow udev additional permissions
|
|
* Allow udev load kernel module
|
|
* Allow sysadm_t to mmap modules_object_t files
|
|
* Add the unconfined_read_files() and unconfined_list_dirs() interfaces
|
|
* Set default file context of HOME_DIR/tmp/.* to <<none>>
|
|
* Allow kernel_generic_helper_t to execute mount(1)
|
|
* Allow sssd send SIGKILL to passkey_child running in ipa_otpd_t
|
|
* Allow systemd-localed create Xserver config dirs
|
|
* Allow sssd read symlinks in /etc/sssd
|
|
* Label /dev/gnss[0-9] with gnss_device_t
|
|
* Allow systemd-sleep read/write efivarfs variables
|
|
* ci: Fix version number of packit generated srpms
|
|
* Dontaudit rhsmcertd write memory device
|
|
* Allow ssh_agent_type create a sockfile in /run/user/USERID
|
|
* Set default file context of /var/lib/authselect/backups to <<none>>
|
|
* Allow prosody read network sysctls
|
|
* Allow cupsd_t to use bpf capability
|
|
* Allow sssd domain transition on passkey_child execution conditionally
|
|
* Allow login_userdomain watch lnk_files in /usr
|
|
* Allow login_userdomain watch video4linux devices
|
|
* Change systemd-network-generator transition to include class file
|
|
* Revert "Change file transition for systemd-network-generator"
|
|
* Allow nm-dispatcher winbind plugin read/write samba var files
|
|
* Allow systemd-networkd write to cgroup files
|
|
* Allow kdump create and use its memfd: objects
|
|
* Allow fedora-third-party get generic filesystem attributes
|
|
* Allow sssd use usb devices conditionally
|
|
* Update policy for qatlib
|
|
* Allow ssh_agent_type manage generic cache home files
|
|
* Change file transition for systemd-network-generator
|
|
* Additional support for gnome-initial-setup
|
|
* Update gnome-initial-setup policy for geoclue
|
|
* Allow openconnect vpn open vhost net device
|
|
* Allow cifs.upcall to connect to SSSD also through the /var/run socket
|
|
* Grant cifs.upcall more required capabilities
|
|
* Allow xenstored map xenfs files
|
|
* Update policy for fdo
|
|
* Allow keepalived watch var_run dirs
|
|
* Allow svirt to rw /dev/udmabuf
|
|
* Allow qatlib to modify hardware state information.
|
|
* Allow key.dns_resolve connect to avahi over a unix stream socket
|
|
* Allow key.dns_resolve create and use unix datagram socket
|
|
* Use quay.io as the container image source for CI
|
|
* ci: Move srpm/rpm build to packit
|
|
* .copr: Avoid subshell and changing directory
|
|
* Allow gpsd, oddjob and oddjob_mkhomedir_t write user_tty_device_t chr_file
|
|
* Label /usr/libexec/openssh/ssh-pkcs11-helper with ssh_agent_exec_t
|
|
* Make insights_client_t an unconfined domain
|
|
* Allow insights-client manage user temporary files
|
|
* Allow insights-client create all rpm logs with a correct label
|
|
* Allow insights-client manage generic logs
|
|
* Allow cloud_init create dhclient var files and init_t manage net_conf_t
|
|
* Allow insights-client read and write cluster tmpfs files
|
|
* Allow ipsec read nsfs files
|
|
* Make tuned work with mls policy
|
|
* Remove nsplugin_role from mozilla.if
|
|
* allow mon_procd_t self:cap_userns sys_ptrace
|
|
* Allow pdns name_bind and name_connect all ports
|
|
* Set the MLS range of fsdaemon_t to s0 - mls_systemhigh
|
|
* ci: Move to actions/checkout@v3 version
|
|
* .copr: Replace chown call with standard workflow safe.directory setting
|
|
* .copr: Enable `set -u` for robustness
|
|
* .copr: Simplify root directory variable
|
|
* Allow rhsmcertd dbus chat with policykit
|
|
* Allow polkitd execute pkla-check-authorization with nnp transition
|
|
* Allow user_u and staff_u get attributes of non-security dirs
|
|
* Allow unconfined user filetrans chrome_sandbox_home_t
|
|
* Allow svnserve execute postdrop with a transition
|
|
* Do not make postfix_postdrop_t type an MTA executable file
|
|
* Allow samba-dcerpc service manage samba tmp files
|
|
* Add use_nfs_home_dirs boolean for mozilla_plugin
|
|
* Fix labeling for no-stub-resolv.conf
|
|
* Revert "Allow winbind-rpcd use its private tmp files"
|
|
* Allow upsmon execute upsmon via a helper script
|
|
* Allow openconnect vpn read/write inherited vhost net device
|
|
* Allow winbind-rpcd use its private tmp files
|
|
* Update samba-dcerpc policy for printing
|
|
* Allow gpsd,oddjob,oddjob_mkhomedir rw user domain pty
|
|
* Allow nscd watch system db dirs
|
|
* Allow qatlib to read sssd public files
|
|
* Allow fedora-third-party read /sys and proc
|
|
* Allow systemd-gpt-generator mount a tmpfs filesystem
|
|
* Allow journald write to cgroup files
|
|
* Allow rpc.mountd read network sysctls
|
|
* Allow blueman read the contents of the sysfs filesystem
|
|
* Allow logrotate_t to map generic files in /etc
|
|
* Boolean: Allow virt_qemu_ga create ssh directory
|
|
* Allow systemd-network-generator send system log messages
|
|
* Dontaudit the execute permission on sock_file globally
|
|
* Allow fsadm_t the file mounton permission
|
|
* Allow named and ndc the io_uring sqpoll permission
|
|
* Allow sssd io_uring sqpoll permission
|
|
* Fix location for /run/nsd
|
|
* Allow qemu-ga get fixed disk devices attributes
|
|
* Update bitlbee policy
|
|
* Label /usr/sbin/sos with sosreport_exec_t
|
|
* Update policy for the sblim-sfcb service
|
|
* Add the files_getattr_non_auth_dirs() interface
|
|
* Fix the CI to work with DNF5
|
|
* Make systemd_tmpfiles_t MLS trusted for lowering the level of files
|
|
* Revert "Allow insights client map cache_home_t"
|
|
* Allow nfsidmapd connect to systemd-machined over a unix socket
|
|
* Allow snapperd connect to kernel over a unix domain stream socket
|
|
* Allow virt_qemu_ga_t create .ssh dir with correct label
|
|
* Allow targetd read network sysctls
|
|
* Set the abrt_handle_event boolean to on
|
|
* Permit kernel_t to change the user identity in object contexts
|
|
* Allow insights client map cache_home_t
|
|
* Label /usr/sbin/mariadbd with mysqld_exec_t
|
|
* Allow httpd tcp connect to redis port conditionally
|
|
* Label only /usr/sbin/ripd and ripngd with zebra_exec_t
|
|
* Dontaudit aide the execmem permission
|
|
* Remove permissive from fdo
|
|
* Allow sa-update manage spamc home files
|
|
* Allow sa-update connect to systemlog services
|
|
* Label /usr/lib/systemd/system/mimedefang.service with antivirus_unit_file_t
|
|
* Allow nsd_crond_t write nsd_var_run_t & connectto nsd_t
|
|
* Allow bootupd search EFI directory
|
|
* Change init_audit_control default value to true
|
|
* Allow nfsidmapd connect to systemd-userdbd with a unix socket
|
|
* Add the qatlib module
|
|
* Add the fdo module
|
|
* Add the bootupd module
|
|
* Set default ports for keylime policy
|
|
* Create policy for qatlib
|
|
* Add policy for FIDO Device Onboard
|
|
* Add policy for bootupd
|
|
* Add support for kafs-dns requested by keyutils
|
|
* Allow insights-client execmem
|
|
* Add support for chronyd-restricted
|
|
* Add init_explicit_domain() interface
|
|
* Allow fsadm_t to get attributes of cgroup filesystems
|
|
* Add list_dir_perms to kerberos_read_keytab
|
|
* Label /var/run/tmpfiles.d/static-nodes.conf with kmod_var_run_t
|
|
* Allow sendmail manage its runtime files
|
|
|
|
-------------------------------------------------------------------
|
|
Thu Oct 12 07:59:22 UTC 2023 - cathy.hu@suse.com
|
|
|
|
- Update to version 20231012:
|
|
* Allow sssd_t watch permission to net_conf_t dirs (bsc#1216052)
|
|
* Revert fix for bsc#1205770 since it causes a regression for bsc#1214887
|
|
|
|
-------------------------------------------------------------------
|
|
Wed Oct 4 14:40:03 UTC 2023 - Johannes Segitz <jsegitz@suse.com>
|
|
|
|
- Use /var/adm/update-scripts in macros.selinux-policy. The rpm state
|
|
directory doesn't exist on SUSE systems (bsc#1213593)
|
|
|
|
-------------------------------------------------------------------
|
|
Tue Sep 19 07:57:02 UTC 2023 - Johannes Segitz <jsegitz@suse.com>
|
|
|
|
- Modified update.sh to require first parameter "full" to also
|
|
update container-selinux. For maintenance updates you usually
|
|
don't want it to be updated
|
|
|
|
-------------------------------------------------------------------
|
|
Fri Jul 28 14:49:04 UTC 2023 - filippo.bonazzi@suse.com
|
|
|
|
- Update to version 20230728:
|
|
* Allow kdump_t to manage symlinks under kdump_var_lib_t (bsc#1213721)
|
|
* allow haveged to manage tmpfs directories (bsc#1213594)
|
|
|
|
-------------------------------------------------------------------
|
|
Thu Jun 22 12:14:15 UTC 2023 - jsegitz@suse.com
|
|
|
|
- Update to version 20230622:
|
|
* Allow keyutils_dns_resolver_exec_t be an entrypoint
|
|
* Allow collectd_t read network state symlinks
|
|
* Revert "Allow collectd_t read proc_net link files"
|
|
* Allow nfsd_t to list exports_t dirs
|
|
* Allow cupsd dbus chat with xdm
|
|
* Allow haproxy read hardware state information
|
|
* Label /dev/userfaultfd with userfaultfd_t
|
|
* Allow blueman send general signals to unprivileged user domains
|
|
* Allow dkim-milter domain transition to sendmail
|
|
|
|
-------------------------------------------------------------------
|
|
Tue Apr 25 15:12:47 UTC 2023 - cathy.hu@suse.com
|
|
|
|
- Update to version 20230425:
|
|
* Remove unneeded manage_dirs_pattern for lastlog_t (bsc#1210461)
|
|
* Add policy for wtmpdb (bsc#1210717)
|
|
|
|
-------------------------------------------------------------------
|
|
Tue Apr 25 11:29:59 UTC 2023 - cathy.hu@suse.com
|
|
|
|
- Update to version 20230425:
|
|
* Add support for lastlog2 (bsc#1210461)
|
|
* allow the chrony client to use unallocated ttys (bsc#1210672)
|
|
|
|
-------------------------------------------------------------------
|
|
Thu Apr 20 10:47:16 UTC 2023 - jsegitz@suse.com
|
|
|
|
- Update to version 20230420:
|
|
* libzypp creates temporary files in /var/adm/mount. Label it with
|
|
rpm_var_cache_t to prevent wrong labels in /var/cache/zypp
|
|
* only use rsync_exec_t for the rsync server, not for the client
|
|
(bsc#1209890)
|
|
* properly label sshd-gen-keys-start to ensure ssh host keys have proper
|
|
labels after creation
|
|
* Allow dovecot-deliver write to the main process runtime fifo files
|
|
* Allow dmidecode write to cloud-init tmp files
|
|
* Allow chronyd send a message to cloud-init over a datagram socket
|
|
* Allow cloud-init domain transition to insights-client domain
|
|
* Allow mongodb read filesystem sysctls
|
|
* Allow mongodb read network sysctls
|
|
* Allow accounts-daemon read generic systemd unit lnk files
|
|
* Allow blueman watch generic device dirs
|
|
* Allow nm-dispatcher tlp plugin create tlp dirs
|
|
* Allow systemd-coredump mounton /usr
|
|
* Allow rabbitmq to read network sysctls
|
|
* Allow certmonger dbus chat with the cron system domain
|
|
* Allow geoclue read network sysctls
|
|
* Allow geoclue watch the /etc directory
|
|
* Allow logwatch_mail_t read network sysctls
|
|
* allow systemd_resolved_t to bind to all nodes (bsc#1200182)
|
|
* Allow insights-client read all sysctls
|
|
* Allow passt manage qemu pid sock files
|
|
* Allow sssd read accountsd fifo files
|
|
* Add support for the passt_t domain
|
|
* Allow virtd_t and svirt_t work with passt
|
|
* Add new interfaces in the virt module
|
|
* Add passt interfaces defined conditionally
|
|
* Allow tshark the setsched capability
|
|
* Allow poweroff create connections to system dbus
|
|
* Allow wg load kernel modules, search debugfs dir
|
|
* Boolean: allow qemu-ga manage ssh home directory
|
|
* Label smtpd with sendmail_exec_t
|
|
* Label msmtp and msmtpd with sendmail_exec_t
|
|
* Allow dovecot to map files in /var/spool/dovecot
|
|
* Confine gnome-initial-setup
|
|
* Allow qemu-guest-agent create and use vsock socket
|
|
* Allow login_pgm setcap permission
|
|
* Allow chronyc read network sysctls
|
|
* Enhancement of the /usr/sbin/request-key helper policy
|
|
* Fix opencryptoki file names in /dev/shm
|
|
* Allow system_cronjob_t transition to rpm_script_t
|
|
* Revert "Allow system_cronjob_t domtrans to rpm_script_t"
|
|
* Add tunable to allow squid bind snmp port
|
|
* Allow staff_t getattr init pid chr & blk files and read krb5
|
|
* Allow firewalld to rw z90crypt device
|
|
* Allow httpd work with tokens in /dev/shm
|
|
* Allow svirt to map svirt_image_t char files
|
|
* Allow sysadm_t run initrc_t script and sysadm_r role access
|
|
* Allow insights-client manage fsadm pid files
|
|
* Allowing snapper to create snapshots of /home/ subvolume/partition
|
|
* Add boolean qemu-ga to run unconfined script
|
|
* Label systemd-journald feature LogNamespace
|
|
* Add none file context for polyinstantiated tmp dirs
|
|
* Allow certmonger read the contents of the sysfs filesystem
|
|
* Add journalctl the sys_resource capability
|
|
* Allow nm-dispatcher plugins read generic files in /proc
|
|
|
|
-------------------------------------------------------------------
|
|
Tue Mar 28 12:27:47 UTC 2023 - Hu <cathy.hu@suse.com>
|
|
|
|
- Add debug-build.sh script to make debugging without committing easier
|
|
|
|
-------------------------------------------------------------------
|
|
Tue Mar 21 15:37:23 UTC 2023 - jsegitz@suse.com
|
|
|
|
- Update to version 20230321:
|
|
* make kernel_t unconfined again
|
|
|
|
-------------------------------------------------------------------
|
|
Thu Mar 16 15:43:19 UTC 2023 - jsegitz@suse.com
|
|
|
|
- Update to version 20230316:
|
|
* prevent labeling of overlayfs filesystems based on the /var/lib/overlay
|
|
path
|
|
* allow kernel_t to relabel etc_t files
|
|
* allow kernel_t to relabel sysnet config files
|
|
* allow kernel_t to relabel systemd hwdb etc files
|
|
* add systemd_hwdb_relabel_etc_files to allow labeling of hwdb files
|
|
* change sysnet_relabelto_net_conf and sysnet_relabelfrom_net_conf to apply
|
|
to files and lnk_files. lnk_files are commonly used in SUSE to allow easy
|
|
management of config files
|
|
* add files_relabel_etc_files_basic and files_relabel_etc_lnk_files_basic
|
|
interfaces to allow labeling on etc_t, not on the broader configfiles
|
|
attribute
|
|
* Allow systemd-timesyncd to bind to generic UDP ports (bsc#1207962). The
|
|
watch permissions reported are already fixed in a current policy.
|
|
- Reinstate update.sh and remove container-selinux from the service.
|
|
Having both repos in there causes issues and update.sh makes the update
|
|
process easier in general. Updated README.Update
|
|
|
|
-------------------------------------------------------------------
|
|
Tue Mar 7 08:49:05 UTC 2023 - Johannes Segitz <jsegitz@suse.com>
|
|
|
|
- Remove erroneous SUSE man page. Will not be created with the
|
|
3.5 toolchain
|
|
|
|
-------------------------------------------------------------------
|
|
Tue Feb 14 21:41:54 UTC 2023 - Hu <cathy.hu@suse.com>
|
|
|
|
- Complete packaging rework: Move policy to git repository and
|
|
only use tar_scm obs service to refresh from there:
|
|
https://gitlab.suse.de/selinux/selinux-policy
|
|
|
|
Please use `osc service manualrun` to update this OBS package to the
|
|
newest git version.
|
|
|
|
* Added README.Update describing how to update this package
|
|
* Added _service file that pulls from selinux-policy and
|
|
upstream container-selinux and tars them
|
|
* Adapted selinux-policy.spec to build selinux-policy with
|
|
container-selinux
|
|
* Removed update.sh as no longer needed
|
|
* Removed suse specific modules as they are now covered by git commits
|
|
* packagekit.te packagekit.if packagekit.fc
|
|
* rebootmgr.te rebootmgr.if rebootmgr.fc
|
|
* rtorrent.te rtorrent.if rtorrent.fc
|
|
* wicked.te wicked.if wicked.fc
|
|
* Removed *.patch as they are now covered by git commits:
|
|
* distro_suse_to_distro_redhat.patch
|
|
* dontaudit_interface_kmod_tmpfs.patch
|
|
* fix_accountsd.patch
|
|
* fix_alsa.patch
|
|
* fix_apache.patch
|
|
* fix_auditd.patch
|
|
* fix_authlogin.patch
|
|
* fix_automount.patch
|
|
* fix_bitlbee.patch
|
|
* fix_chronyd.patch
|
|
* fix_cloudform.patch
|
|
* fix_colord.patch
|
|
* fix_corecommand.patch
|
|
* fix_cron.patch
|
|
* fix_dbus.patch
|
|
* fix_djbdns.patch
|
|
* fix_dnsmasq.patch
|
|
* fix_dovecot.patch
|
|
* fix_entropyd.patch
|
|
* fix_firewalld.patch
|
|
* fix_fwupd.patch
|
|
* fix_geoclue.patch
|
|
* fix_hypervkvp.patch
|
|
* fix_init.patch
|
|
* fix_ipsec.patch
|
|
* fix_iptables.patch
|
|
* fix_irqbalance.patch
|
|
* fix_java.patch
|
|
* fix_kernel.patch
|
|
* fix_kernel_sysctl.patch
|
|
* fix_libraries.patch
|
|
* fix_locallogin.patch
|
|
* fix_logging.patch
|
|
* fix_logrotate.patch
|
|
* fix_mcelog.patch
|
|
* fix_miscfiles.patch
|
|
* fix_nagios.patch
|
|
* fix_networkmanager.patch
|
|
* fix_nis.patch
|
|
* fix_nscd.patch
|
|
* fix_ntp.patch
|
|
* fix_openvpn.patch
|
|
* fix_postfix.patch
|
|
* fix_rpm.patch
|
|
* fix_rtkit.patch
|
|
* fix_screen.patch
|
|
* fix_selinuxutil.patch
|
|
* fix_sendmail.patch
|
|
* fix_smartmon.patch
|
|
* fix_snapper.patch
|
|
* fix_sslh.patch
|
|
* fix_sysnetwork.patch
|
|
* fix_systemd.patch
|
|
* fix_systemd_watch.patch
|
|
* fix_thunderbird.patch
|
|
* fix_unconfined.patch
|
|
* fix_unconfineduser.patch
|
|
* fix_unprivuser.patch
|
|
* fix_userdomain.patch
|
|
* fix_usermanage.patch
|
|
* fix_wine.patch
|
|
* fix_xserver.patch
|
|
* sedoctool.patch
|
|
* systemd_domain_dyntrans_type.patch
|
|
|
|
-------------------------------------------------------------------
|
|
Mon Feb 6 08:36:32 UTC 2023 - Johannes Segitz <jsegitz@suse.com>
|
|
|
|
- Update to version 20230206. Refreshed:
|
|
* fix_entropyd.patch
|
|
* fix_networkmanager.patch
|
|
* fix_systemd_watch.patch
|
|
* fix_unconfineduser.patch
|
|
- Updated fix_kernel.patch to allow kernel_t access to xdm state. This is
|
|
necessary as plymouth doesn't run in it's own domain in early boot
|
|
|
|
-------------------------------------------------------------------
|
|
Mon Jan 16 08:42:09 UTC 2023 - Johannes Segitz <jsegitz@suse.com>
|
|
|
|
- Update to version 20230125. Refreshed:
|
|
* distro_suse_to_distro_redhat.patch
|
|
* fix_dnsmasq.patch
|
|
* fix_init.patch
|
|
* fix_ipsec.patch
|
|
* fix_kernel_sysctl.patch
|
|
* fix_logging.patch
|
|
* fix_rpm.patch
|
|
* fix_selinuxutil.patch
|
|
* fix_systemd_watch.patch
|
|
* fix_userdomain.patch
|
|
- More flexible lib(exec) matching in fix_fwupd.patch
|
|
- Removed sys_admin for systemd_gpt_generator_t in fix_systemd.patch
|
|
- Dropped fix_container.patch, is now upstream
|
|
- Added fix_entropyd.patch
|
|
* Added new interface entropyd_semaphore_filetrans to properly transfer
|
|
semaphore created during early boot. That doesn't work yet, so work
|
|
around with next item
|
|
* Allow reading tempfs files
|
|
- Added fix_kernel.patch. Added modutils_execute_kmod_tmpfs_files interace
|
|
to allow kmod_tmpfs_t files to be executed. Necessary for firewalld
|
|
- Added fix_rtkit.patch to fix labeling of binary
|
|
- Modified fix_ntp.patch:
|
|
* Proper labeling for start-ntpd
|
|
* Fixed label rules for chroot path
|
|
* Temporarily allow dac_override for ntpd_t (bsc#1207577)
|
|
* Add interface ntp_manage_pid_files to allow management of pid
|
|
files
|
|
- Updated fix_networkmanager.patch to allow managing ntp pid files
|
|
|
|
-------------------------------------------------------------------
|
|
Thu Jan 12 13:01:47 UTC 2023 - Johannes Segitz <jsegitz@suse.com>
|
|
|
|
- Update fix_container.patch to allow privileged containers to use
|
|
localectl (bsc#1207077)
|
|
|
|
-------------------------------------------------------------------
|
|
Wed Jan 11 14:17:02 UTC 2023 - Johannes Segitz <jsegitz@suse.com>
|
|
|
|
- Add fix_container.patch to allow privileged containers to use
|
|
timedatectl (bsc#1207054)
|
|
|
|
-------------------------------------------------------------------
|
|
Thu Dec 15 16:11:15 UTC 2022 - Hu <cathy.hu@suse.com>
|
|
|
|
- Added fix_ipsec.patch: Allow AF_ALG socket creation for strongswan
|
|
(bnc#1206445)
|
|
|
|
-------------------------------------------------------------------
|
|
Wed Dec 14 15:40:12 UTC 2022 - Hu <cathy.hu@suse.com>
|
|
|
|
- Added policy for wicked scripts under /etc/sysconfig/network/scripts
|
|
(bnc#1205770)
|
|
|
|
-------------------------------------------------------------------
|
|
Wed Dec 14 09:16:26 UTC 2022 - Johannes Segitz <jsegitz@suse.com>
|
|
|
|
- Add fix_sendmail.patch
|
|
* fix context of custom sendmail startup helper
|
|
* fix context of /var/run/sendmail and add necessary rules to manage
|
|
content in there
|
|
|
|
-------------------------------------------------------------------
|
|
Tue Dec 13 08:36:01 UTC 2022 - Johannes Segitz <jsegitz@suse.com>
|
|
|
|
- Updated fix_networkmanager.patch to fixe labeling of nm-dispatcher and
|
|
nm-priv-helper until the packaging is adjusted (bsc#1206355)
|
|
- Update fix_chronyd.patch to allow sendto towards
|
|
NetworkManager_dispatcher_custom_t. Added new interface
|
|
networkmanager_dispatcher_custom_dgram_send for this (bsc#1206357)
|
|
- Update fix_dbus.patch to allow dbus to watch lib directories (bsc#1205895)
|
|
|
|
-------------------------------------------------------------------
|
|
Tue Dec 6 15:02:42 UTC 2022 - Johannes Segitz <jsegitz@suse.com>
|
|
|
|
- Updated fix_networkmanager.patch to allow NetworkManager to watch
|
|
net_conf_t (bsc#1206109)
|
|
|
|
-------------------------------------------------------------------
|
|
Wed Nov 30 19:28:58 UTC 2022 - Filippo Bonazzi <filippo.bonazzi@suse.com>
|
|
|
|
- Add fix_irqbalance.patch: support netlink socket operations (bsc#1205434)
|
|
|
|
-------------------------------------------------------------------
|
|
Wed Nov 30 19:08:33 UTC 2022 - Filippo Bonazzi <filippo.bonazzi@suse.com>
|
|
|
|
- Drop fix_irqbalance.patch: superseded by upstream
|
|
|
|
-------------------------------------------------------------------
|
|
Thu Nov 24 13:40:16 UTC 2022 - Hu <cathy.hu@suse.com>
|
|
|
|
- fix_sysnetwork.patch: firewalld uses /etc/sysconfig/network/ for
|
|
network interface definition instead of /etc/sysconfig/network-scripts/,
|
|
modified sysnetwork.fc to reflect that (bsc#1205580).
|
|
|
|
-------------------------------------------------------------------
|
|
Wed Oct 19 11:45:57 UTC 2022 - Johannes Segitz <jsegitz@suse.com>
|
|
|
|
- Update to version 20221019. Refreshed:
|
|
* distro_suse_to_distro_redhat.patch
|
|
* fix_apache.patch
|
|
* fix_chronyd.patch
|
|
* fix_cron.patch
|
|
* fix_init.patch
|
|
* fix_kernel_sysctl.patch
|
|
* fix_networkmanager.patch
|
|
* fix_rpm.patch
|
|
* fix_sysnetwork.patch
|
|
* fix_systemd.patch
|
|
* fix_systemd_watch.patch
|
|
* fix_unconfined.patch
|
|
* fix_unconfineduser.patch
|
|
* fix_unprivuser.patch
|
|
* fix_xserver.patch
|
|
- Dropped fix_cockpit.patch as this is now packaged with cockpit itself
|
|
- Remove the ipa module, freeip ships their own module
|
|
- Added fix_alsa.patch to allow reading of config files in home directories
|
|
- Extended fix_networkmanager.patch and fix_postfix.patch to account
|
|
for SUSE systems
|
|
- Added dontaudit_interface_kmod_tmpfs.patch to prevent AVCs when startproc
|
|
queries the running processes
|
|
- Updated fix_snapper.patch to allow snapper to talk to rpm via dbus
|
|
|
|
-------------------------------------------------------------------
|
|
Fri Sep 30 07:14:49 UTC 2022 - Johannes Segitz <jsegitz@suse.com>
|
|
|
|
- Updated quilt couldn't unpack tarball. This will cause ongoing issues
|
|
so drop the sed statement in the %prep section and add
|
|
distro_suse_to_distro_redhat.patch to add the necessary changes
|
|
via a patch
|
|
|
|
-------------------------------------------------------------------
|
|
Thu Sep 29 12:54:15 UTC 2022 - Johannes Segitz <jsegitz@suse.com>
|
|
|
|
- Update fix_networkmanager.patch to ensure NetworkManager chrony
|
|
dispatcher is properly labled and update fix_chronyd.patch to ensure
|
|
chrony helper script has proper label to be used by NetworkManager.
|
|
Also allow NetworkManager_dispatcher_custom_t to query systemd status
|
|
(bsc#1203824)
|
|
|
|
-------------------------------------------------------------------
|
|
Tue Sep 27 13:00:35 UTC 2022 - Filippo Bonazzi <filippo.bonazzi@suse.com>
|
|
|
|
- Update fix_xserver.patch to add greetd support (bsc#1198559)
|
|
|
|
-------------------------------------------------------------------
|
|
Mon Sep 12 06:47:56 UTC 2022 - Johannes Segitz <jsegitz@suse.com>
|
|
|
|
- Revamped rtorrent module
|
|
|
|
-------------------------------------------------------------------
|
|
Fri Aug 26 06:08:23 UTC 2022 - Thorsten Kukuk <kukuk@suse.com>
|
|
|
|
- Move SUSE directory from manual page section to html docu

-------------------------------------------------------------------
Wed Jul 27 14:00:55 UTC 2022 - Hu <cathy.hu@suse.com>

- fix_networkmanager.patch: Allow NetworkManager_dispatcher_tlp_t
  and NetworkManager_dispatcher_custom_t to access nscd socket
  (bsc#1201741)

-------------------------------------------------------------------
Thu Jul 26 10:50:21 UTC 2022 - Zdenek Kubala <zkubala@suse.com>

- Add fix_cloudform.patch to fix cloud-init runcmd issue with snapper
  (bnc#1201015)

-------------------------------------------------------------------
Thu Jul 14 08:44:12 UTC 2022 - Johannes Segitz <jsegitz@suse.com>

- Update to version 20220714. Refreshed:
  * fix_init.patch
  * fix_systemd_watch.patch

-------------------------------------------------------------------
Wed Jul 13 07:48:41 UTC 2022 - Johannes Segitz <jsegitz@suse.com>

- Update fix_systemd.patch to add cap sys_admin and kernel_dgram_send for
  systemd_gpt_generator_t (bsc#1200911)

-------------------------------------------------------------------
Mon Jul 11 13:45:04 UTC 2022 - Johannes Segitz <jsegitz@suse.com>

- postfix: Label PID files and some helpers correctly (bsc#1197242)

-------------------------------------------------------------------
Fri Jun 24 12:51:40 UTC 2022 - Johannes Segitz <jsegitz@suse.com>

- Add fix_userdomain.patch to dontaudit UDP rpc ports (bsc#1193984)

-------------------------------------------------------------------
Fri Jun 24 06:32:55 UTC 2022 - Johannes Segitz <jsegitz@suse.com>

- Update to version 20220624. Refreshed:
  * fix_init.patch
  * fix_kernel_sysctl.patch
  * fix_logging.patch
  * fix_networkmanager.patch
  * fix_unprivuser.patch
  Dropped fix_hadoop.patch, not necessary anymore
  * Updated fix_locallogin.patch to allow accesses for nss-systemd
    (bsc#1199630)

-------------------------------------------------------------------
Fri May 20 13:46:47 UTC 2022 - Johannes Segitz <jsegitz@suse.com>

- Update to version 20220520 to pass stricter 3.4 toolchain checks

-------------------------------------------------------------------
Fri May 20 09:14:58 UTC 2022 - Johannes Segitz <jsegitz@suse.com>

- Update to version 20220428. Refreshed:
  * fix_apache.patch
  * fix_hadoop.patch
  * fix_init.patch
  * fix_iptables.patch
  * fix_kernel_sysctl.patch
  * fix_networkmanager.patch
  * fix_systemd.patch
  * fix_systemd_watch.patch
  * fix_unprivuser.patch
  * fix_usermanage.patch
  * fix_wine.patch

-------------------------------------------------------------------
Thu May 19 12:25:31 UTC 2022 - Johannes Segitz <jsegitz@suse.com>

- Add fix_dnsmasq.patch to fix problems with virtualization on MicroOS
  (bsc#1199518)

-------------------------------------------------------------------
Tue May 3 13:18:38 UTC 2022 - Johannes Segitz <jsegitz@suse.com>

- Modified fix_init.patch to allow init to set up constrained environment
  for accountsservice. This needs a better, more general solution
  (bsc#1197610)

-------------------------------------------------------------------
Mon May 2 11:27:49 UTC 2022 - Johannes Segitz <jsegitz@suse.com>

- Add systemd_domain_dyntrans_type.patch to allow systemd to dyntransition.
  This happens in certain boot conditions (bsc#1182500)
- Changed fix_unconfineduser.patch to not transition into ldconfig_t
  from unconfined_t (bsc#1197169)

-------------------------------------------------------------------
Thu Feb 17 12:24:13 UTC 2022 - Klaus Kämpf <kkaempf@suse.com>

- use %license tag for COPYING file

-------------------------------------------------------------------
Thu Feb 10 09:04:08 UTC 2022 - Johannes Segitz <jsegitz@suse.com>

- Updated fix_cron.patch. Adjust labeling for at (bsc#1195683)

-------------------------------------------------------------------
Wed Feb 9 16:04:09 UTC 2022 - Filippo Bonazzi <filippo.bonazzi@suse.com>

- Fix bitlbee runtime directory (bsc#1193230)
  * add fix_bitlbee.patch

-------------------------------------------------------------------
Mon Jan 24 07:33:34 UTC 2022 - Johannes Segitz <jsegitz@suse.com>

- Update to version 20220124. Refreshed:
  * fix_hadoop.patch
  * fix_init.patch
  * fix_kernel_sysctl.patch
  * fix_systemd.patch
  * fix_systemd_watch.patch
- Added fix_hypervkvp.patch to fix issues with hyperv labeling
  (bsc#1193987)

-------------------------------------------------------------------
Fri Jan 14 15:07:00 UTC 2022 - Johannes Segitz <jsegitz@suse.com>

- Allow colord to use systemd hardenings (bsc#1194631)

-------------------------------------------------------------------
Thu Nov 11 14:21:47 UTC 2021 - Johannes Segitz <jsegitz@suse.com>

- Update to version 20211111. Refreshed:
  * fix_dbus.patch
  * fix_systemd.patch
  * fix_authlogin.patch
  * fix_auditd.patch
  * fix_kernel_sysctl.patch
  * fix_networkmanager.patch
  * fix_chronyd.patch
  * fix_unconfineduser.patch
  * fix_unconfined.patch
  * fix_firewalld.patch
  * fix_init.patch
  * fix_xserver.patch
  * fix_logging.patch
  * fix_hadoop.patch

-------------------------------------------------------------------
Mon Oct 25 11:35:24 UTC 2021 - Marcus Meissner <meissner@suse.com>

- fix_wine.patch: give Wine .dll same context as .so (bsc#1191976)

-------------------------------------------------------------------
Tue Sep 28 12:44:22 UTC 2021 - Enzo Matsumiya <ematsumiya@suse.com>

- Fix auditd service start with systemd hardening directives (boo#1190918)
  * add fix_auditd.patch

-------------------------------------------------------------------
Thu Sep 2 08:45:24 UTC 2021 - Johannes Segitz <jsegitz@suse.com>

- Modified fix_systemd.patch to allow systemd gpt generator access to
  udev files (bsc#1189280)

-------------------------------------------------------------------
Fri Aug 27 13:07:54 UTC 2021 - Ales Kedroutek <ales.kedroutek@suse.com>

- fix: rebootmgr does not trigger the reboot properly (boo#1189878)
  * fix managing /etc/rebootmgr.conf
  * allow rebootmgr_t to cope with systemd and dbus messaging

-------------------------------------------------------------------
Thu Aug 26 07:37:05 UTC 2021 - Johannes Segitz <jsegitz@suse.com>

- Properly label cockpit files
- Allow wicked to communicate with network manager on DBUS (bsc#1188331)

-------------------------------------------------------------------
Mon Aug 23 15:43:28 UTC 2021 - Ales Kedroutek <ales.kedroutek@suse.com>

- Added policy module for rebootmgr (jsc#SMO-28)

-------------------------------------------------------------------
Tue Aug 17 16:03:08 UTC 2021 - Ludwig Nussel <lnussel@suse.de>

- Allow systemd-sysctl to read kernel specific sysctl.conf
  (fix_kernel_sysctl.patch, boo#1184804)

-------------------------------------------------------------------
Tue Aug 10 08:31:16 UTC 2021 - Ludwig Nussel <lnussel@suse.de>

- Fix quoting in postInstall macro

-------------------------------------------------------------------
Fri Jul 16 07:11:57 UTC 2021 - Johannes Segitz <jsegitz@suse.com>

- Update to version 20210716
- Remove interfaces for container module before building the package
  (bsc#1188184)
- Updated
  * fix_init.patch
  * fix_systemd_watch.patch
  to adapt to upstream changes

-------------------------------------------------------------------
Thu Jul 15 15:45:57 UTC 2021 - Callum Farmer <gmbr3@opensuse.org>

- Use tabrmd SELinux modules from tpm2.0-abrmd instead of storing
  here

-------------------------------------------------------------------
Tue Jul 6 13:55:19 UTC 2021 - Alberto Planas Dominguez <aplanas@suse.com>

- Add tabrmd SELinux modules from upstream (bsc#1187925)
  https://github.com/tpm2-software/tpm2-abrmd/tree/master/selinux
- Automatic spec-cleaner to fix ordering and misaligned spaces

-------------------------------------------------------------------
Mon Jun 28 08:11:25 UTC 2021 - Johannes Segitz <jsegitz@suse.com>

- Update to version 20210419
- Dropped fix_gift.patch, module was removed
- Updated wicked.te to remove dropped interface
- Refreshed:
  * fix_cockpit.patch
  * fix_hadoop.patch
  * fix_init.patch
  * fix_logging.patch
  * fix_logrotate.patch
  * fix_networkmanager.patch
  * fix_nscd.patch
  * fix_rpm.patch
  * fix_selinuxutil.patch
  * fix_systemd.patch
  * fix_systemd_watch.patch
  * fix_thunderbird.patch
  * fix_unconfined.patch
  * fix_unconfineduser.patch
  * fix_unprivuser.patch
  * fix_xserver.patch

-------------------------------------------------------------------
Tue May 18 11:10:59 UTC 2021 - Ludwig Nussel <lnussel@suse.de>

- allow systemd to watch /usr, /usr/lib, /etc, /etc/pki as we have path units
  that trigger on changes in those.
  Added fix_systemd_watch.patch
- own /usr/share/selinux/packages/$SELINUXTYPE/ and
  /var/lib/selinux/$SELINUXTYPE/active/modules/* to allow packages to install
  files there

-------------------------------------------------------------------
Wed Apr 28 15:18:37 UTC 2021 - Ludwig Nussel <lnussel@suse.de>

- allow cockpit socket to bind nodes (fix_cockpit.patch)
- use %autosetup to get rid of endless patch lines

-------------------------------------------------------------------
Tue Apr 27 06:30:08 UTC 2021 - Johannes Segitz <jsegitz@suse.com>

- Updated fix_networkmanager.patch to allow NetworkManager to watch
  its configuration directories
- Added fix_dovecot.patch to fix dovecot authentication (bsc#1182207)

-------------------------------------------------------------------
Mon Apr 26 07:16:10 UTC 2021 - Johannes Segitz <jsegitz@suse.com>

- Added Recommends for selinux-autorelabel (bsc#1181837)
- Prevent libreoffice fonts from changing types on every relabel
  (bsc#1185265). Added fix_libraries.patch

-------------------------------------------------------------------
Fri Apr 23 10:50:24 UTC 2021 - Johannes Segitz <jsegitz@suse.com>

- Transition unconfined users to ldconfig type (bsc#1183121).
  Extended fix_unconfineduser.patch

-------------------------------------------------------------------
Mon Apr 19 11:37:49 UTC 2021 - Johannes Segitz <jsegitz@suse.com>

- Update to version 20210419
- Refreshed:
  * fix_dbus.patch
  * fix_hadoop.patch
  * fix_init.patch
  * fix_unprivuser.patch

-------------------------------------------------------------------
Fri Mar 12 10:36:06 UTC 2021 - Ales Kedroutek <ales.kedroutek@suse.com>

- Adjust fix_init.patch to allow systemd to do sd-listen on
  tcp socket [bsc#1183177]

-------------------------------------------------------------------
Tue Mar 9 13:39:11 UTC 2021 - Johannes Segitz <jsegitz@suse.com>

- Update to version 20210309
- Refreshed
  * fix_systemd.patch
  * fix_selinuxutil.patch
  * fix_iptables.patch
  * fix_init.patch
  * fix_logging.patch
  * fix_nscd.patch
  * fix_hadoop.patch
  * fix_unconfineduser.patch
  * fix_chronyd.patch
  * fix_networkmanager.patch
  * fix_cron.patch
  * fix_usermanage.patch
  * fix_unprivuser.patch
  * fix_rpm.patch
- Ensure that /usr/etc is labeled according to /etc rules

-------------------------------------------------------------------
Tue Feb 23 13:53:40 UTC 2021 - Thorsten Kukuk <kukuk@suse.com>

- Update to version 20210223
- Change name of tar file to a more common schema to allow
  parallel installation of several source versions
- Adjust fix_init.patch

-------------------------------------------------------------------
Mon Jan 11 09:29:18 UTC 2021 - Thorsten Kukuk <kukuk@suse.com>

- Update to version 20210111
- Drop fix_policykit.patch (integrated upstream)
- Adjust fix_iptables.patch
- update container policy

-------------------------------------------------------------------
Tue Nov 10 08:52:35 UTC 2020 - Johannes Segitz <jsegitz@suse.com>

- Updated fix_corecommand.patch to set correct types for the OBS
  build tools

-------------------------------------------------------------------
Thu Oct 29 08:47:51 UTC 2020 - Thorsten Kukuk <kukuk@suse.com>

- wicked.fc: add libexec directories
- Update to version 20201029
- update container policy

-------------------------------------------------------------------
Fri Oct 16 08:50:06 UTC 2020 - Thorsten Kukuk <kukuk@suse.com>

- Update to version 20201016
- Use python3 to build (fc_sort.c was replaced by fc_sort.py which
  uses python3)
- Drop SELINUX=disabled, "selinux=0" kernel commandline option has
  to be used instead. New default is "permissive" [bsc#1176923].

-------------------------------------------------------------------
Tue Sep 10 07:16:50 UTC 2020 - Johannes Segitz <jsegitz@suse.com>

- Update to version 20200910. Refreshed
  * fix_authlogin.patch
  * fix_nagios.patch
  * fix_systemd.patch
  * fix_usermanage.patch
- Delete suse_specific.patch, moved content into fix_selinuxutil.patch
- Cleanup of booleans-* presets
  * Enabled
      user_rw_noexattrfile
      unconfined_chrome_sandbox_transition
      unconfined_mozilla_plugin_transition
    for the minimal policy
  * Disabled
      xserver_object_manager
    for the MLS policy
  * Disabled
      openvpn_enable_homedirs
      privoxy_connect_any
      selinuxuser_direct_dri_enabled
      selinuxuser_ping (aka user_ping)
      squid_connect_any
      telepathy_tcp_connect_generic_network_ports
    for the targeted policy
  Change your local config if you need them
- Build HTML version of manpages for the -devel package

-------------------------------------------------------------------
Thu Sep 3 07:47:52 UTC 2020 - Johannes Segitz <jsegitz@suse.com>

- Drop BuildRequires for python, python-xml. It's not needed anymore

-------------------------------------------------------------------
Tue Sep 1 12:31:17 UTC 2020 - Johannes Segitz <jsegitz@suse.com>

- Drop fix_dbus.patch_orig, was included by accident
- Drop segenxml_interpreter.patch, not used anymore

-------------------------------------------------------------------
Tue Aug 11 14:25:58 UTC 2020 - Thorsten Kukuk <kukuk@suse.com>

- macros.selinux-policy: move rpm-state directory to /run and
  make sure it exists

-------------------------------------------------------------------
Wed Aug 5 11:29:05 UTC 2020 - Thorsten Kukuk <kukuk@suse.com>

- Cleanup spec file and follow more closely Fedora
- Label /sys/kernel/uevent_helper with tmpfiles.d/selinux-policy.conf
- Move config to /etc/selinux/config and create during %post install
  to be compatible with upstream and documentation.
- Add RPM macros for SELinux (macros.selinux-policy)
- Install booleans.subs_dist
- Remove unused macros
- Sync make/install macros with Fedora spec file
- Introduce sandbox sub-package

-------------------------------------------------------------------
Wed Jul 29 13:47:57 UTC 2020 - Thorsten Kukuk <kukuk@suse.com>

- Add policycoreutils-devel as BuildRequires

-------------------------------------------------------------------
Fri Jul 17 08:30:52 UTC 2020 - Johannes Segitz <jsegitz@suse.com>

- Update to version 20200717. Refreshed
  * fix_fwupd.patch
  * fix_hadoop.patch
  * fix_init.patch
  * fix_irqbalance.patch
  * fix_logrotate.patch
  * fix_nagios.patch
  * fix_networkmanager.patch
  * fix_postfix.patch
  * fix_sysnetwork.patch
  * fix_systemd.patch
  * fix_thunderbird.patch
  * fix_unconfined.patch
  * fix_unprivuser.patch
  * selinux-policy.spec
- Added update.sh to make updating easier

-------------------------------------------------------------------
Tue Jul 14 13:18:43 UTC 2020 - Johannes Segitz <jsegitz@suse.com>

- Updated fix_unconfineduser.patch to allow unconfined_dbusd_t access
  to accountsd dbus
- New patch:
  * fix_nis.patch
- Updated patches:
  * fix_postfix.patch: Transition is done in distribution specific script

-------------------------------------------------------------------
Tue Jun 2 14:45:37 UTC 2020 - Johannes Segitz <jsegitz@suse.de>

- Added module for wicked
- New patches:
  * fix_authlogin.patch
  * fix_screen.patch
  * fix_unprivuser.patch
  * fix_rpm.patch
  * fix_apache.patch

-------------------------------------------------------------------
Thu Mar 26 09:51:45 UTC 2020 - Johannes Segitz <jsegitz@suse.de>

- Added module for rtorrent
- Enable snapper module in minimum policy to reduce issues on BTRFS
  Updated fix_snapper.patch to prevent relabeling of snapshot

-------------------------------------------------------------------
Mon Mar 9 09:01:22 UTC 2020 - Johannes Segitz <jsegitz@suse.de>

- New patches:
  * fix_accountsd.patch
  * fix_automount.patch
  * fix_colord.patch
  * fix_mcelog.patch
  * fix_sslh.patch
  * fix_nagios.patch
  * fix_openvpn.patch
  * fix_cron.patch
  * fix_usermanage.patch
  * fix_smartmon.patch
  * fix_geoclue.patch
  * suse_specific.patch
  Default systems should now work without selinuxuser_execmod
- Removed xdm_entrypoint_pam.patch, necessary change is in
  fix_unconfineduser.patch
- Enable SUSE specific settings again

-------------------------------------------------------------------
Wed Feb 19 09:21:24 UTC 2020 - Johannes Segitz <jsegitz@suse.de>

- Update to version 20200219
  Refreshed fix_hadoop.patch
  Updated
  * fix_dbus.patch
  * fix_hadoop.patch
  * fix_nscd.patch
  * fix_xserver.patch
  Renamed postfix_paths.patch to fix_postfix.patch
  Added
  * fix_init.patch
  * fix_locallogin.patch
  * fix_policykit.patch
  * fix_iptables.patch
  * fix_irqbalance.patch
  * fix_ntp.patch
  * fix_fwupd.patch
  * fix_firewalld.patch
  * fix_logrotate.patch
  * fix_selinuxutil.patch
  * fix_corecommand.patch
  * fix_snapper.patch
  * fix_systemd.patch
  * fix_unconfined.patch
  * fix_unconfineduser.patch
  * fix_chronyd.patch
  * fix_networkmanager.patch
  * xdm_entrypoint_pam.patch
- Removed modules minimum_temp_fixes and targeted_temp_fixes
  from the corresponding policies
- Reduced default module list of minimum policy by removing
  apache inetd nis postfix mta modules
- Adding/removing necessary pam config automatically
- Minimum and targeted policy: Enable domain_can_mmap_files by default
- Targeted policy: Disable selinuxuser_execmem, selinuxuser_execmod and
  selinuxuser_execstack to have safe defaults

-------------------------------------------------------------------
Mon Aug 9 12:11:28 UTC 2019 - Johannes Segitz <jsegitz@suse.de>

- Moved back to fedora policy (20190802)
- Removed spec file conditionals for old SELinux userland
- Removed config.tgz
- Removed patches:
  * label_sysconfig.selinux.patch
  * label_var_run_rsyslog.patch
  * suse_additions_obs.patch
  * suse_additions_sslh.patch
  * suse_modifications_apache.patch
  * suse_modifications_cron.patch
  * suse_modifications_getty.patch
  * suse_modifications_logging.patch
  * suse_modifications_ntp.patch
  * suse_modifications_usermanage.patch
  * suse_modifications_virt.patch
  * suse_modifications_xserver.patch
  * sysconfig_network_scripts.patch
  * segenxml_interpreter.patch
- Added patches:
  * fix_djbdns.patch
  * fix_dbus.patch
  * fix_gift.patch
  * fix_java.patch
  * fix_hadoop.patch
  * fix_thunderbird.patch
  * postfix_paths.patch
  * fix_nscd.patch
  * fix_sysnetwork.patch
  * fix_logging.patch
  * fix_xserver.patch
  * fix_miscfiles.patch
  to fix problems with the corresponding modules
- Added sedoctool.patch to prevent build failures
- This also adds three modules:
  * packagekit.(te|if|fc)
    Basic (currently permissive) module for packagekit
  * minimum_temp_fixes.(te|if|fc)
  and
  * targeted_temp_fixes.(te|if|fc)
  both are currently necessary to get the systems to boot in
  enforcing mode. Most of them obviously stem from mislabeled
  files, so this needs to be worked through and then removed
  eventually
  Also selinuxuser_execstack, selinuxuser_execmod and
  domain_can_mmap_files need to be enabled. Especially the first
  two are bad and should be removed ASAP

-------------------------------------------------------------------
Thu Jul 11 12:29:29 UTC 2019 - <jsegitz@suse.com>

- Update to refpolicy 20190609. New modules for stubby and several
  systemd updates, including initial support for systemd --user
  sessions.
  Refreshed
  * label_var_run_rsyslog.patch
  * suse_modifications_cron.patch
  * suse_modifications_logging.patch
  * suse_modifications_ntp.patch
  * suse_modifications_usermanage.patch
  * suse_modifications_xserver.patch
  * sysconfig_network_scripts.patch

-------------------------------------------------------------------
Mon Feb 4 07:59:49 UTC 2019 - jsegitz@suse.com

- Update to refpolicy 20190201. New modules for chromium, hostapd,
  and sigrok and minor fixes for existing modules.
  Refreshed suse_modifications_usermanage.patch

-------------------------------------------------------------------
Wed Nov 28 15:18:28 UTC 2018 - jsegitz@suse.com

- Change default state to disabled and disable SELinux after
  uninstallation of policy to prevent unbootable system
  (bsc#1108949, bsc#1109590)

-------------------------------------------------------------------
Tue Nov 27 15:20:03 UTC 2018 - jsegitz@suse.com

- Use refpolicy 20180701 as a base
- Dropped patches
  * allow-local_login_t-read-shadow.patch
  * dont_use_xmllint_in_make_conf.patch
  * label_sysconfig.selinux-policy.patch
  * policy-rawhide-base.patch
  * policy-rawhide-contrib.patch
  * suse_modifications_authlogin.patch
  * suse_modifications_dbus.patch
  * suse_modifications_glusterfs.patch
  * suse_modifications_ipsec.patch
  * suse_modifications_passenger.patch
  * suse_modifications_policykit.patch
  * suse_modifications_postfix.patch
  * suse_modifications_rtkit.patch
  * suse_modifications_selinuxutil.patch
  * suse_modifications_ssh.patch
  * suse_modifications_staff.patch
  * suse_modifications_stapserver.patch
  * suse_modifications_systemd.patch
  * suse_modifications_unconfined.patch
  * suse_modifications_unconfineduser.patch
  * suse_modifications_unprivuser.patch
  * systemd-tmpfiles.patch
  * type_transition_contrib.patch
  * type_transition_file_class.patch
  * useradd-netlink_selinux_socket.patch
  * xconsole.patch
  Rebased the other patches to apply to refpolicy
- Added segenxml_interpreter.patch to not use env in shebang
- Added rpmlintrc to suppress duplicate file warnings

-------------------------------------------------------------------
Mon Mar 26 13:18:34 UTC 2018 - rgoldwyn@suse.com

- Add overlayfs as xattr capable (bsc#1073741)
  * add-overlayfs-as-xattr-capable.patch

-------------------------------------------------------------------
Tue Dec 12 09:07:31 UTC 2017 - jsegitz@suse.com

- Added
  * suse_modifications_glusterfs.patch
  * suse_modifications_passenger.patch
  * suse_modifications_stapserver.patch
  to modify module name to make the current tools happy

-------------------------------------------------------------------
Wed Nov 29 13:20:22 UTC 2017 - rbrown@suse.com

- Repair erroneous changes introduced with %_fillupdir macro

-------------------------------------------------------------------
Thu Nov 23 13:53:09 UTC 2017 - rbrown@suse.com

- Replace references to /var/adm/fillup-templates with new
  %_fillupdir macro (boo#1069468)

-------------------------------------------------------------------
Wed Mar 15 21:50:32 UTC 2017 - mwilck@suse.com

- POLCYVER depends both on the libsemanage/policycoreutils version
  and the kernel. The former is more important for us, kernel seems
  to have all necessary features in Leap 42.1 already.

- Replaced = runtime dependencies on checkpolicy/policycoreutils
  with "=". 2.5 policy is not supposed to work with 2.3 tools.
  The runtime policy tools need to be the same the policy was built with.

-------------------------------------------------------------------
Wed Mar 15 15:16:20 UTC 2017 - mwilck@suse.com

- Changes required by policycoreutils update to 2.5
  * lots of spec file content needs to be conditional on
    policycoreutils version.

- Specific policycoreutils 2.5 related changes:
  * modules moved from /etc/selinux to /var/lib/selinux
    (https://github.com/SELinuxProject/selinux/wiki/Policy-Store-Migration)
  * module path now includes priority. Users override default
    policies by setting higher priority. Thus installed policy modules can be
    fully verified by RPM.
  * Installed modules have a different format and path.
    Raw bzip2 doesn't suffice to create them any more, but we can process them
    all in a single semodule -i command.

- Policy version depends on kernel / distro version
  * do not touch policy.<version>, rather fail if it's not created

- Enabled building mls policy for Leap (not for SLES)

- Other
  * Bug: "sandbox.disabled" should be "sandbox.pp.disabled" for old policycoreutils
  * Bug: (minimum) additional modules that need to be activated: postfix
    (required by apache), plymouthd (required by getty)
  * Cleanup: /etc -> %{sysconfdir} etc.

-------------------------------------------------------------------
Thu Aug 13 08:14:34 UTC 2015 - jsegitz@novell.com

- fixed missing role assignment in cron_unconfined_role

-------------------------------------------------------------------
Tue Aug 11 08:36:17 UTC 2015 - jsegitz@novell.com

- Updated suse_modifications_ipsec.patch, removed dontaudits for
  ipsec_mgmt_t and granted matching permissions

-------------------------------------------------------------------
Wed Aug 5 11:31:24 UTC 2015 - jsegitz@novell.com

- Added suse_modifications_ipsec.patch to grant additional privileges
  to ipsec_mgmt_t

-------------------------------------------------------------------
Tue Jul 21 14:56:07 UTC 2015 - jsegitz@novell.com

- Minor changes for CC evaluation. Allow reading of /dev/random
  and ipc_lock for dbus and dhcp

-------------------------------------------------------------------
Wed Jun 24 08:27:30 UTC 2015 - jsegitz@novell.com

- Transition from unconfined user to cron admin type
- Allow systemd_timedated_t to talk to unconfined dbus for minimal
  policy (bsc#932826)
- Allow hostnamectl to set the hostname (bsc#933764)

-------------------------------------------------------------------
Wed May 20 14:05:04 UTC 2015 - jsegitz@novell.com

- Removed ability of staff_t and user_t to use svirt. Will re-enable
  this later on with a policy upgrade
  Added suse_modifications_staff.patch

-------------------------------------------------------------------
Wed Feb 25 11:38:44 UTC 2015 - jsegitz@novell.com

- Added dont_use_xmllint_in_make_conf.patch to remove xmllint usage
  in make conf. This currently breaks manual builds.
- Added BuildRequires for libxml2-tools to enable xmllint checks
  once the issue mentioned above is solved

-------------------------------------------------------------------
Thu Jan 29 09:56:40 UTC 2015 - jsegitz@novell.com

- adjusted suse_modifications_ntp to match SUSE chroot paths

-------------------------------------------------------------------
Wed Jan 28 09:37:06 UTC 2015 - jsegitz@novell.com

- Added
  * suse_additions_obs.patch to allow local builds by OBS
  * suse_additions_sslh.patch to confine sslh
- Added suse_modifications_cron.patch to adjust crontabs contexts
- Modified suse_modifications_postfix.patch to match SUSE paths
- Modified suse_modifications_ssh.patch to bring boolean
  sshd_forward_ports back
- Modified
  * suse_modifications_dbus.patch
  * suse_modifications_unprivuser.patch
  * suse_modifications_xserver.patch
  to allow users to be confined
- Added
  * suse_modifications_apache.patch
  * suse_modifications_ntp.patch
  and modified
  * suse_modifications_xserver.patch
  to fix labels on startup scripts used by systemd
- Removed unused and incorrect interface dev_create_all_dev_nodes
  from systemd-tmpfiles.patch
- Removed BuildRequire for selinux-policy-devel

-------------------------------------------------------------------
Fri Jan 23 15:52:02 UTC 2015 - jsegitz@novell.com

- Major cleanup of the spec file

-------------------------------------------------------------------
Fri Jan 23 11:44:52 UTC 2015 - jsegitz@novell.com

- removed suse_minimal_cc.patch and split it into
  * suse_modifications_dbus.patch
  * suse_modifications_policykit.patch
  * suse_modifications_postfix.patch
  * suse_modifications_rtkit.patch
  * suse_modifications_unconfined.patch
  * suse_modifications_systemd.patch
  * suse_modifications_unconfineduser.patch
  * suse_modifications_selinuxutil.patch
  * suse_modifications_logging.patch
  * suse_modifications_getty.patch
  * suse_modifications_authlogin.patch
  * suse_modifications_xserver.patch
  * suse_modifications_ssh.patch
  * suse_modifications_usermanage.patch
- Added suse_modifications_virt.patch to enable svirt on s390x

-------------------------------------------------------------------
Sat Nov 08 19:17:00 UTC 2014 - Led <ledest@gmail.com>

- fix bashism in post script

-------------------------------------------------------------------
Thu Sep 18 09:06:09 UTC 2014 - jsegitz@suse.com

Redid changes done by vcizek@suse.com in SLE12 package

- disable build of MLS policy
- removed outdated description files
  * Alan_Rouse-openSUSE_with_SELinux.txt
  * Alan_Rouse-Policy_Development_Process.txt

-------------------------------------------------------------------
Mon Sep 8 09:08:19 UTC 2014 - jsegitz@suse.com

- removed remove_duplicate_filetrans_pattern_rules.patch

-------------------------------------------------------------------
Fri Sep 5 11:22:02 UTC 2014 - jsegitz@suse.com

- Updated policy to include everything up until 20140730 (refpolicy and
  fedora rawhide improvements). Rebased all patches that are still
  necessary
- Removed permissivedomains.pp. Doesn't work with the new policy
- modified spec file so that all modifications for distro=redhat and
  distro=suse will be used.
- added selinux-policy-rpmlintrc to suppress some warnings that aren't
  valid for this package
- added suse_minimal_cc.patch to create a suse specific module to prevent
  errors while using the minimum policy. Will rework them in the proper
  places once the minimum policy is reworked to really only confine a
  minimal set of domains.

-------------------------------------------------------------------
Tue Sep 2 13:31:58 UTC 2014 - vcizek@suse.com

- removed source files which were not used
  * modules-minimum.conf, modules-mls.conf, modules-targeted.conf,
    permissivedomains.fc, permissivedomains.if, permissivedomains.te,
    seusers, seusers-mls, seusers-targeted, users_extra-mls,
    users_extra-targeted

-------------------------------------------------------------------
Mon Jun 2 12:08:40 UTC 2014 - vcizek@suse.com

- remove duplicate filetrans_pattern rules
  * fixes build with libsepol-2.3
  * added remove_duplicate_filetrans_pattern_rules.patch

-------------------------------------------------------------------
Mon Dec 9 13:57:18 UTC 2013 - vcizek@suse.com

- enable build of mls and targeted policies
- fixes to the minimum policy:
  - label /var/run/rsyslog correctly
    * label_var_run_rsyslog.patch
  - allow systemd-tmpfiles to create devices
    * systemd-tmpfiles.patch
  - add rules for sysconfig
    * correctly label /dev/.sysconfig/network
    * added sysconfig_network_scripts.patch
  - run restorecon and fixfiles only if selinux is enabled
  - fix console login
    * allow-local_login_t-read-shadow.patch
  - allow rsyslog to write to xconsole
    * xconsole.patch
  - useradd needs to call selinux_check_access (via pam_rootok)
    * useradd-netlink_selinux_socket.patch

-------------------------------------------------------------------
Mon Aug 12 02:08:15 CEST 2013 - ro@suse.de

- fix build on factory: newer rpm does not allow marking
  non-directories as dir anymore (like symlinks in this case)

-------------------------------------------------------------------
Thu Jul 11 11:00:14 UTC 2013 - coolo@suse.com

- install COPYING

-------------------------------------------------------------------
Fri Mar 22 11:52:43 UTC 2013 - vcizek@suse.com

- switch to Fedora as upstream
- added patches:
  * policy-rawhide-base.patch
  * policy-rawhide-contrib.patch
  * type_transition_file_class.patch
  * type_transition_contrib.patch
  * label_sysconfig.selinux-policy.patch

-------------------------------------------------------------------
Tue Dec 11 13:40:27 UTC 2012 - vcizek@suse.com

- bump up policy version to 27, due to recent libsepol update
- dropped currently unused policy-rawhide.patch
- fix installing of file_contexts (this enables restorecond to run properly)
- Recommends: audit and setools

-------------------------------------------------------------------
Mon Dec 10 15:47:13 UTC 2012 - meissner@suse.com

- mark included files in source

-------------------------------------------------------------------
Mon Oct 22 18:47:00 UTC 2012 - vcizek@suse.com

- update to 2.20120725
- added selinux-policy-run_sepolgen_during_build.patch
- renamed patch with SUSE-specific policy to selinux-policy-SUSE.patch
- dropped policygentool and OLPC stuff

-------------------------------------------------------------------
Wed May 9 10:01:26 UTC 2012 - coolo@suse.com

- patch license to be in spdx.org format

-------------------------------------------------------------------
Fri May 21 16:05:49 CEST 2010 - prusnak@suse.cz

- use policy created by Alan Rouse

-------------------------------------------------------------------
Sat Apr 10 23:45:17 PDT 2010 - justinmattock@gmail.com

- Adjust selinux-policy.spec so that the policy
  source tree is put in /usr/share/doc/packages/selinux-*
  so users can build the policy [bnc#582404]

-------------------------------------------------------------------
Wed Apr 7 09:59:43 UTC 2010 - thomas@novell.com
|
|
|
|
- fixed fileperms of /etc/selinux/config to be 644 to allow
|
|
libselinux to read from it (bnc#582399)
|
|
this is also the default file mode in fedora 12
|
|
|
|
-------------------------------------------------------------------
|
|
Fri Jun 26 12:19:07 CEST 2009 - thomas@novell.com
|
|
|
|
- added config file for /etc/selinux/
|
|
|
|
-------------------------------------------------------------------
|
|
Wed Jan 14 14:20:23 CET 2009 - prusnak@suse.cz
|
|
|
|
- updated to version 2008.12.10
|
|
* Fix consistency of audioentropy and iscsi module naming.
|
|
* Debian file context fix for xen from Russell Coker.
|
|
* Xserver MLS fix from Eamon Walsh.
|
|
* Add omapi port for dhcpcd.
|
|
* Deprecate per-role templates and rolemap support.
|
|
* Implement user-based access control for use as role separations.
|
|
* Move shared library calls from individual modules to the domain module.
|
|
* Enable open permission checks policy capability.
|
|
* Remove hierarchy from portage module as it is not a good example of hieararchy.
|
|
* Remove enableaudit target from modular build as semodule -DB supplants it.
|
|
* Added modules:
|
|
- milter (Paul Howarth)
|
|
|
|
-------------------------------------------------------------------
|
|
Thu Oct 16 16:08:32 CEST 2008 - prusnak@suse.cz
|
|
|
|
- updated to version 2008.10.14
|
|
* Debian update for NetworkManager/wpa_supplicant from Martin Orr.
|
|
* Logrotate and Bind updates from Vaclav Ovsik.
|
|
* Init script file and domain support.
|
|
* Glibc 2.7 fix from Vaclav Ovsik.
|
|
* Samba/winbind update from Mike Edenfield.
|
|
* Policy size optimization with a non-security file attribute from James Carter.
|
|
* Database labeled networking update from KaiGai Kohei.
|
|
* Several misc changes from the Fedora policy, cherry picked by David Hardeman.
|
|
* Large whitespace fix from Dominick Grift.
|
|
* Pam_mount fix for local login from Stefan Schulze Frielinghaus.
|
|
* Issuing commands to upstart is over a datagram socket, not the initctl named pipe.
|
|
* Updated init_telinit() to match.
|
|
* Added modules:
|
|
- cyphesis (Dan Walsh)
|
|
- memcached (Dan Walsh)
|
|
- oident (Dominick Grift)
|
|
- w3c (Dan Walsh)
|
|
|
|
-------------------------------------------------------------------
|
|
Tue Jul 22 11:57:34 CEST 2008 - prusnak@suse.cz
|
|
|
|
- initial version 2008.07.02 from tresys
|
|
|