2015-12-08 14:53:02 +00:00
|
|
|
* Tue Dec 08 2015 Chris PeBenito <selinux@tresys.com> - 2.20151208
|
|
|
|
Alexander Wetzel (1):
|
|
|
|
adds vfio device support to base policy
|
|
|
|
|
|
|
|
Chris PeBenito (48):
|
|
|
|
Module version bump for optional else block removal from Steve Lawrence.
|
|
|
|
Add always_check_network policy capability.
|
|
|
|
Update contrib.
|
|
|
|
Fix domain_mmap_low() to be a proper tunable.
|
|
|
|
Add initial Travis CI configuration.
|
|
|
|
Travis CI already exports variables.
|
|
|
|
Add validate target for monolithic policy.
|
|
|
|
Update contrib.
|
|
|
|
Use matrix keyword to simplify travis-ci build definitions.
|
|
|
|
Undo last commit.
|
|
|
|
Simplify travis-ci build handling of SELinux toolchain.
|
|
|
|
Update contrib.
|
|
|
|
Module version bump for fstools blkid fix from Jason Zaman
|
|
|
|
Update contrib.
|
|
|
|
Module version bump for debufs mount point fc entry from Laurent
|
|
|
|
Bigonville.
|
|
|
|
Module version bump for updated netlink sockets from Stephen Smalley
|
|
|
|
Update contrib.
|
|
|
|
Module version bump for init_startstop_service from Jason Zaman.
|
|
|
|
Update contrib.
|
|
|
|
Change CI tests to drop DIRECT_INITRC.
|
|
|
|
Module version bumps for further init_startstop_service() changes from
|
|
|
|
Jason Zaman.
|
|
|
|
Module version bump for admin interface changes from Jason Zaman.
|
|
|
|
Update contrib.
|
|
|
|
Module version bumps for admin interfaces from Jason Zaman.
|
|
|
|
Module version bump for cron_admin for sysadm from Jason Zaman.
|
|
|
|
Module version bump for ssh-agent -k fix from Luis Ressel.
|
|
|
|
Module version bump for APR build script labeling from Luis Ressel.
|
|
|
|
Module version bump for vfio device from Alexander Wetzel.
|
|
|
|
Update contrib.
|
|
|
|
Rearrange lines in ipsec.te.
|
|
|
|
Module version bump for patches from Jason Zaman/Matthias Dahl.
|
|
|
|
Add systemd build option.
|
|
|
|
Add systemd access vectors.
|
|
|
|
Implement core systemd policy.
|
|
|
|
Add supporting rules for domains tightly-coupled with systemd.
|
|
|
|
Add rules for sysadm_r to manage the services.
|
|
|
|
Add systemd units for core refpolicy services.
|
|
|
|
Add sysfs_types attribute.
|
|
|
|
Add refpolicy core socket-activated services.
|
|
|
|
Change policy_config_t to a security file type.
|
|
|
|
Merge branch 'pebenito-master'
|
|
|
|
Module version bump for systemd additions.
|
|
|
|
Update contrib for dbus systemd fix.
|
|
|
|
Revise selinux module interfaces for perms protected by neverallows.
|
|
|
|
Remove bad interface in systemd.if.
|
|
|
|
Module version bump for utempter Debian helper from Laurent Bigonville.
|
|
|
|
Update contrib.
|
|
|
|
Bump module versions for release.
|
|
|
|
|
|
|
|
Jason Zaman (13):
|
|
|
|
fstools: add in filetrans for /run dir
|
|
|
|
Introduce init_startstop_service interface
|
|
|
|
logging: use init_startstop_service in _admin interface
|
|
|
|
postgresql: use init_startstop_service in _admin interface
|
|
|
|
Add openrc support to init_startstop_service
|
|
|
|
Introduce iptables_admin
|
|
|
|
Add all the missing _admin interfaces to sysadm
|
|
|
|
Introduce lvm_admin interface
|
|
|
|
Introduce ipsec_admin interface
|
|
|
|
Introduce setrans_admin interface
|
|
|
|
add new cron_admin interface to sysadm
|
|
|
|
Add overlayfs as an XATTR capable fs
|
|
|
|
system/ipsec: Add policy for StrongSwan
|
|
|
|
|
|
|
|
Laurent Bigonville (4):
|
|
|
|
Add fc for /sys/kernel/debug as debugfs_t
|
|
|
|
Add "binder" security class and access vectors
|
|
|
|
Properly label utempter helper on debian
|
|
|
|
Allow the user cronjobs to run in their userdomain
|
|
|
|
|
|
|
|
Luis Ressel (2):
|
|
|
|
Allow ssh-agent to send signals to itself
|
|
|
|
Mark APR build scripts as bin_t
|
|
|
|
|
|
|
|
Stephen Smalley (1):
|
|
|
|
Update netlink socket classes.
|
|
|
|
|
|
|
|
Steve Lawrence (1):
|
|
|
|
Remove optional else block for dhcp ping
|
|
|
|
|
2014-12-03 18:37:38 +00:00
|
|
|
* Wed Dec 03 2014 Chris PeBenito <selinux@tresys.com> - 2.20141203
|
|
|
|
Artyom Smirnov (3):
|
|
|
|
New database object classes
|
|
|
|
Fixes for db_domain and db_exception
|
|
|
|
Renamed db_type to db_datatype, to avoid confusion with SELinux "type"
|
|
|
|
|
|
|
|
Chris PeBenito (69):
|
|
|
|
Whitespace fix in postgresql.fc
|
|
|
|
Module version bump for postgresql fc entries from Luis Ressel.
|
|
|
|
Add symlink to contrib Changelog for easy reference.
|
|
|
|
Move lightdm line in xserver.fc.
|
|
|
|
Whitespace fix in xserver.fc.
|
|
|
|
Update contrib.
|
|
|
|
Module version bump for userdomain kernel symbol table fix from Nicolas
|
|
|
|
Iooss.
|
|
|
|
Module version bump for 2 Gentoo patches from Sven Vermeulen.
|
|
|
|
Update contrib.
|
|
|
|
Module version bump for 2 patch sets from Laurent Bigonville.
|
|
|
|
Update contrib.
|
|
|
|
Module version bump for gnome keyring fix from Laurent Bigonville.
|
|
|
|
Update contrib.
|
|
|
|
Module version bump for /sys/fs/selinux support from Sven Vermeulen.
|
|
|
|
Module version bump for fixes from Laurent Bigonville.
|
|
|
|
Update contrib.
|
|
|
|
Module version bumps for fc fixes from Nicolas Iooss.
|
|
|
|
Update contrib.
|
|
|
|
Add file for placing default_* statements.
|
|
|
|
Fix error in default_user example.
|
|
|
|
Module version bump for unconfined->lvm transition from Nicolas Iooss.
|
|
|
|
Need the __future__ import for python2 if using print().
|
|
|
|
Module version bump for ifconfig fc entry from Sven Vermeulen.
|
|
|
|
Module version bump for deprecated interface usage removal from Nicolas
|
|
|
|
Iooss.
|
|
|
|
Update contrib.
|
|
|
|
Module version bump for rcs2log and xserver updates from Sven Vermeulen.
|
|
|
|
Module version bump for shutdown transitions from Luis Ressel.
|
|
|
|
Remove firstboot_rw_t as FC5 has been gone for a long time.
|
|
|
|
Module version bump for firstboot_rw_t alias removal.
|
|
|
|
Module version bump for dropbox port from Sven Vermeulen.
|
|
|
|
Module version bump for unconfined syslog cap from Nicolas Iooss.
|
|
|
|
Always use the unknown permissions handling build option.
|
|
|
|
Merge pull request #1 from artyom-smirnov/master
|
|
|
|
Module version bump for zram fc entry from Jason Zaman.
|
|
|
|
Update contrib.
|
|
|
|
Module version bump for init_daemon_pid_file from Sven Vermeulen.
|
|
|
|
Move tumblerd fc entry
|
|
|
|
Module version bump for tumblerd fc entry from Jason Zaman.
|
|
|
|
Module version bump for libraries fc fix from Nicolas Iooss.
|
|
|
|
Update contrib.
|
|
|
|
Module version bump for fstools fc entries from Luis Ressel.
|
|
|
|
Module version bump for missing unlabeled interfaces from Sven Vermeulen.
|
|
|
|
Module version bump for ping rawip socket fix from Luis Ressel.
|
|
|
|
Module version bump for full IRC ports from Luis Ressel.
|
|
|
|
Move losetup addition in fstools.
|
|
|
|
Module version bump for losetup fixes from Luis Ressel.
|
|
|
|
Update contrib.
|
|
|
|
Module version bump for postgres fc revisions from Luis Ressel.
|
|
|
|
Module version bump for FUSE fix for mount from Luis Ressel.
|
|
|
|
Module version bump for misc fixes from Nicolas Iooss.
|
|
|
|
Move systemd fc entry.
|
|
|
|
Whitespace change in logging.fc.
|
|
|
|
Add comment for journald ring buffer reading.
|
|
|
|
Module version bumps for systemd/journald patches from Nicolas Iooss.
|
|
|
|
Update contrib.
|
|
|
|
/dev/log symlinks are not labeled devlog_t.
|
|
|
|
Module version bump for CIL fixes from Yuli Khodorkovskiy.
|
|
|
|
Drop RHEL4 and RHEL5 support.
|
|
|
|
Merge pull request #3 from bigon/arping
|
|
|
|
Merge pull request #4 from fishilico/minor-typo
|
|
|
|
Module version bump for Debian arping fc entries from Laurent Bigonville.
|
|
|
|
Add comment for iw generic netlink socket usage
|
|
|
|
Module version bump for /sbin/iw support from Nicolas Iooss.
|
|
|
|
Merge pull request #5 from bigon/audit_read
|
|
|
|
Update contrib.
|
|
|
|
Module version bump for misc fixes from Sven Vermeulen.
|
|
|
|
Update contrib.
|
|
|
|
Module version bump for module store move from Steve Lawrence.
|
|
|
|
Bump module versions for release.
|
|
|
|
|
|
|
|
Elia Pinto (1):
|
|
|
|
Fix misspelling
|
|
|
|
|
|
|
|
Jason Zaman (2):
|
|
|
|
File contexts for zram
|
|
|
|
File Context for tumbler
|
|
|
|
|
|
|
|
Laurent Bigonville (14):
|
|
|
|
Properly label git-shell and other git commands for Debian
|
|
|
|
Label /usr/sbin/lightdm as xdm_exec_t
|
|
|
|
Create new xattrfs attribute and fs_getattr_all_xattr_fs() interface
|
|
|
|
Associate the new xattrfs attribute to fs_t and some pseudo-fs
|
|
|
|
Use new fs_getattr_all_xattr_fs interface for setfiles_t and restorecond_t
|
|
|
|
Add telepathy role for user_r and staff_r
|
|
|
|
Properly label the manpages installed by postgresql
|
|
|
|
Label /usr/local/share/ca-certificates(/.*)? as cert_t
|
|
|
|
Allow the xdm_t domain to enter all the gkeyringd ones
|
|
|
|
Label /etc/locale.alias as locale_t on Debian
|
|
|
|
Allow hugetlbfs_t to be associated to /dev
|
|
|
|
On Debian iputils-arping is installed in /usr/bin/arping
|
|
|
|
Debian also ship a different arping implementation
|
|
|
|
Add new audit_read access vector in capability2 class
|
|
|
|
|
|
|
|
Luis Ressel (13):
|
|
|
|
Add two postgresql file contexts from gentoo policy
|
|
|
|
Allow init to execute shutdown
|
|
|
|
Allow xdm_t to transition to shutdown_t domain
|
|
|
|
Some of the fsadm tools can also be in /usr/sbin instead of /sbin
|
|
|
|
Label /usr/sbin/{add, del}part as fsadm_exec_t
|
|
|
|
Grant ping_t getattr on rawip_socket
|
|
|
|
kernel/corenetwork.te: Add all registered IRC ports
|
|
|
|
system/mount.if: Add mount_rw_loopback_files interface
|
|
|
|
system/fstools.if: Add fstools_use_fds interface
|
|
|
|
Add neccessary permissions for losetup
|
|
|
|
Only label administrative postgres commands as postgresql_exec_t
|
|
|
|
Also apply the new postgres labeling scheme on Debian
|
|
|
|
Grant mount permission to access /dev/fuse
|
|
|
|
|
|
|
|
Nicolas Iooss (31):
|
|
|
|
Fix parallel build of the policy
|
|
|
|
fc_sort: fix typos in comments
|
|
|
|
fc_sort: initialize allocated memory to fix execution on an empty file
|
|
|
|
fc_sort: make outfile argument optional
|
|
|
|
userdomain: no longer allow unprivileged users to read kernel symbols
|
|
|
|
Label syslog-ng.pid as syslogd_var_run_t
|
|
|
|
filesystem: label cgroup symlinks
|
|
|
|
Label /usr/lib/getconf as bin_t
|
|
|
|
Label /usr/share/virtualbox/VBoxCreateUSBNode.sh as udev_helper_exec_t
|
|
|
|
Make support/policyvers.py compatible with Python 3
|
|
|
|
Make unconfined user run lvm programs in confined domain
|
|
|
|
No longer use deprecated MLS interfaces
|
|
|
|
Allow unconfined domains to use syslog capability
|
|
|
|
Label /lib symlink as lib_t for every distro
|
|
|
|
Label /usr/lib/networkmanager/ like /usr/lib/NetworkManager/
|
|
|
|
Add ioctl and lock to manage_lnk_file_perms
|
|
|
|
Label (/var)?/tmp/systemd-private-.../tmp like /tmp
|
|
|
|
Fix typo in fs_getattr_all_fs description
|
|
|
|
Label systemd files in init module
|
|
|
|
Introduce init_search_run interface
|
|
|
|
Label systemd-journald files and directories
|
|
|
|
Support logging with /run/systemd/journal/dev-log
|
|
|
|
Allow journald to read the kernel ring buffer and to use /dev/kmsg
|
|
|
|
Allow journald to access to the state of all processes
|
|
|
|
Remove redundant Gentoo-specific term_append_unallocated_ttys(syslogd_t)
|
|
|
|
Fix minor typo in init.if
|
|
|
|
Label /sbin/iw as ifconfig_exec_t
|
|
|
|
Allow iw to create generic netlink sockets
|
|
|
|
Use create_netlink_socket_perms when allowing netlink socket creation
|
|
|
|
Update Python requirement in INSTALL
|
|
|
|
Create tmp directory when compiling a .mod.fc file in a modular way
|
|
|
|
|
|
|
|
Steve Lawrence (1):
|
|
|
|
Update policy for selinux userspace moving the policy store to
|
|
|
|
/var/lib/selinux
|
|
|
|
|
|
|
|
Sven Vermeulen (24):
|
|
|
|
Hide getattr denials upon sudo invocation
|
|
|
|
Support /sys/devices/system/cpu/online
|
|
|
|
The security_t file system can be at /sys/fs/selinux
|
|
|
|
Dontaudit access on security_t file system at /sys/fs/selinux
|
|
|
|
ifconfig can also be in /bin
|
|
|
|
xserver_t needs to ender dirs labeled xdm_var_run_t
|
|
|
|
Enable rcs2log location for all distributions
|
|
|
|
Add dropbox_port_t support
|
|
|
|
Support initrc_t generated pid files with file transition
|
|
|
|
Deprecate init_daemon_run_dir interface
|
|
|
|
Use init_daemon_pid_file instead of init_daemon_run_dir
|
|
|
|
Introduce kernel_delete_unlabeled_symlinks
|
|
|
|
Introduce kernel_delete_unlabeled_pipes
|
|
|
|
Introduce kernel_delete_unlabeled_sockets
|
|
|
|
Introduce kernel_delete_unlabeled_blk_files
|
|
|
|
Introduce kernel_delete_unlabeled_chr_files
|
|
|
|
Run grub(2)-mkconfig in bootloader domain
|
|
|
|
Add auth_pid_filetrans_pam_var_run
|
|
|
|
New sudo manages timestamp directory in /var/run/sudo
|
|
|
|
xfce4-notifyd is an executable
|
|
|
|
Mark f2fs as a SELinux capable file system
|
|
|
|
Add in LightDM contexts
|
|
|
|
Add gfisk and efibootmgr as fsadm_exec_t
|
|
|
|
Add /var/lib/racoon as runtime directory for ipsec
|
|
|
|
|
|
|
|
Yuli Khodorkovskiy (1):
|
|
|
|
Remove duplicate role declarations
|
|
|
|
|
|
|
|
cgarst (1):
|
|
|
|
Updating submodule URL to github
|
|
|
|
|
2014-03-11 12:16:57 +00:00
|
|
|
* Tue Mar 11 2014 Chris PeBenito <selinux@tresys.com> - 2.20140311
|
|
|
|
Chris PeBenito (96):
|
|
|
|
Update contrib to pull in minidlna.
|
|
|
|
Remove general unlabeled packet usage.
|
|
|
|
Update contrib.
|
|
|
|
Use python libselinux bindings to determine policy version.
|
|
|
|
Add MLS constraints for x_pointer and x_keyboard.
|
|
|
|
Add label for parted.
|
|
|
|
Fix support/policyvers.py not to error if building policy on a
|
|
|
|
SELinux-disabled system.
|
|
|
|
Module version bump for kerberos keytab changes for ssh from Dominick
|
|
|
|
Grift.
|
|
|
|
Module version bump for pstore filesystem support from Dominick Grift.
|
|
|
|
Module version bump for redis port from Dominick Grift.
|
|
|
|
Update contrib.
|
|
|
|
Add comment for setfiles using /dev/console when it needs to be relabeled.
|
|
|
|
Module version bump for xserver and selinuxutil updates from Dominick
|
|
|
|
Grift.
|
|
|
|
Module version bump for tmpfs associate to device_t from Dominick Grift.
|
|
|
|
Module version bump for syslog reading overcommit_memory from Dominick
|
|
|
|
Grift.
|
|
|
|
Module version bump for ethtool reading pm-powersave.lock from Dominick
|
|
|
|
Grift.
|
|
|
|
Module version bump for sysadm fix for git role usage from Dominick Grift.
|
|
|
|
Module version bump for lvm update from Dominick Grift.
|
|
|
|
Module version bump for fc fix in authlogin from Dominick Grift.
|
|
|
|
Module version bump for restricted x user template fix from Dominick
|
|
|
|
Grift.
|
|
|
|
Add comment for debian avahi-daemon-check-dns.sh usage by udev
|
|
|
|
Module version bump for udev Debian fixes from Dominick Grift.
|
|
|
|
Module version bump for selinuxfs location change from Dominick Grift.
|
|
|
|
Update contrib.
|
|
|
|
Module version bump for unconfined dbus fixes from Dominick Grift.
|
|
|
|
Whitespace fix in terminal.te.
|
|
|
|
Module version bump for virtio console from Dominick Grift.
|
|
|
|
Module version bump for init interface and corecommand fc from Dominick
|
|
|
|
Grift.
|
|
|
|
Module version bump for ping capabilities from Sven Vermeulen.
|
|
|
|
Module version bump for slim fc entries from Sven Vermeulen.
|
|
|
|
Module version bump for xdm dbus access from Dominick Grift.
|
|
|
|
Rearrange sysnet if blocks.
|
|
|
|
Module version bump for debian ifstate changes from Dominick Grift.
|
|
|
|
Module version bump for xserver console and fc fixes from Dominick Grift.
|
|
|
|
Module version bump for gdomap port from Dominick Grift.
|
|
|
|
Module version bumps for dhcpc leaked fds to hostname.
|
|
|
|
Module version bump for ssh server caps for Debian from Dominick Grift.
|
|
|
|
Move stray Debian rule in udev.
|
|
|
|
Update contrib
|
|
|
|
Module version bumps for Debian udev updates from Dominick Grift.
|
|
|
|
Module version bump for mount updates from Dominick Grift.
|
|
|
|
Silence symlink reading by setfiles since it doesn't follow symlinks
|
|
|
|
anyway.
|
|
|
|
Reorder dhcpc additions.
|
|
|
|
Module version bump for dhcpc fixes from Dominick Grift.
|
|
|
|
Add comments about new capabilities for syslogd_t.
|
|
|
|
Module version bumps for syslog-ng and semodule updates.
|
|
|
|
Update contrib.
|
|
|
|
Module version bump for first batch of patches from Dominick Grift.
|
|
|
|
Update contrib.
|
|
|
|
Rearrage userdom_delete_user_tmpfs_files() interface.
|
|
|
|
setrans: needs to be able to get attributes of selinuxfs, else fails to
|
|
|
|
start in Debian
|
|
|
|
Whitespace fix in fstools.
|
|
|
|
Add comment in policy for lvm sysfs write.
|
|
|
|
Module version bump for second lot of patches from Dominick Grift.
|
|
|
|
Whitespace fix in usermanage.
|
|
|
|
Whitespace fix in libraries.
|
|
|
|
Module version bump for patches from Dominick Grift.
|
|
|
|
Whitespace fix in init.te.
|
|
|
|
init: init_script_domain() allow system_r role the init script domain type
|
|
|
|
init: creates /run/utmp
|
|
|
|
Module version bump for 4 init patches from Dominick Grift.
|
|
|
|
Fix Debian compile issue.
|
|
|
|
Module version bump for 2 patches from Dominick Grift.
|
|
|
|
Module version bump for patch from Laurent Bigonville.
|
|
|
|
Update contrib.
|
|
|
|
Module version bump for patch from Laurent Bigonville.
|
|
|
|
Module version bump for xserver change from Dominick Grift.
|
|
|
|
Merge file_t into unlabeled_t, as they are security equivalent.
|
|
|
|
Update modules for file_t merge into unlabeled_t.
|
|
|
|
Make the QUIET build option apply to clean and bare targets.
|
|
|
|
Module version bump for direct initrc fixes from Dominick Grift.
|
|
|
|
Module version bump for module store labeling fixes from Laurent
|
|
|
|
Bigonville.
|
|
|
|
Remove ZFS symlink labeling.
|
|
|
|
Fix ZFS fc escaping in mount.
|
|
|
|
Rearrange ZFS fc entries.
|
|
|
|
Module version bump for ZFS tools fc entries from Matthew Thode.
|
|
|
|
Module version bump for unconfined transition to dpkg from Laurent
|
|
|
|
Bigonville.
|
|
|
|
Module version bump for logging fc patch from Laurent Bigonville.
|
|
|
|
Update contrib.
|
|
|
|
Module version bump for pid file directory from Russell Coker/Laurent
|
|
|
|
Bigonville.
|
|
|
|
Rename gpg_agent_connect to gpg_stream_connect_agent.
|
|
|
|
Rearrange gpg agent calls.
|
|
|
|
Module version bump for ssh use of gpg-agent from Luis Ressel.
|
|
|
|
Module version bump for files_dontaudit_list_var() interface from Luis
|
|
|
|
Ressel.
|
|
|
|
Move bin_t fc from couchdb to corecommands.
|
|
|
|
Update contrib.
|
|
|
|
Module version bump for sesh fc from Nicolas Iooss.
|
|
|
|
Move loop control interface definition.
|
|
|
|
Rename mount_read_mount_loopback() to mount_read_loopback_file().
|
|
|
|
Module version bump for loopback file mounting fixes from Luis Ressel.
|
|
|
|
Fix read loopback file interface.
|
|
|
|
Update contrib.
|
|
|
|
Module version bump for bootloader fc fixes from Luis Ressel.
|
|
|
|
Update contrib.
|
|
|
|
Update contrib.
|
|
|
|
Bump module versions for release.
|
|
|
|
|
|
|
|
Dominick Grift (58):
|
|
|
|
The kerberos_keytab_template() template is deprecated: Breaks monolithic
|
|
|
|
built (out-of-scope)
|
|
|
|
Initial pstore support
|
|
|
|
Support redis port tcp,6379
|
|
|
|
These regular expressions were not matched
|
|
|
|
Restorecon reads, and writes /dev/console before it is properly labeled
|
|
|
|
filesystem: associate tmpfs_t (shm) to device_t (devtmpfs) file systems
|
|
|
|
logging: syslog (rs:main Q:Reg) reading sysctl_vm files
|
|
|
|
(overcommit_memory) in Debian
|
|
|
|
sysnetwork: ethtool reads /run/pm-utils/locks/pm-powersave.lock
|
|
|
|
sysadm: Doesnt work with direct_initrc = y
|
|
|
|
lvm: lvm and udisks-lvm-pv-e read /run/udev/queue.bin
|
|
|
|
authlogin: Sudo file context specification did not catch paths (squash me)
|
|
|
|
userdomain: restricted xwindows user (squash me)
|
|
|
|
udev: This is specific to debian i think. Some how the
|
|
|
|
/usr/lib/avahi/avahi-daemon-check-dns\.sh ends up in the udev_t domain
|
|
|
|
selinux: selinuxfs is now mounted under /sys/fs/selinux instead of
|
|
|
|
/selinux, so we need to allow domains that use selinuxfs to interface
|
|
|
|
with SELinux to traverse /sys/fs to be able to get to /sys/fs/selinux
|
|
|
|
Unconfined domains have unconfined access to all of dbus rather than only
|
|
|
|
system bus
|
|
|
|
Initial virtio console device
|
|
|
|
init: create init_use_inherited_script_ptys() for tmpreaper (Debian)
|
|
|
|
corecmd: avahi-daemon executes /usr/lib/avahi/avahi-daemon-check-dns.sh
|
|
|
|
xdm: is a system bus client and acquires service on the system bus xdm:
|
|
|
|
dbus chat with accounts-daemon
|
|
|
|
sysnetwork: Debian stores network interface configuration in /run/network
|
|
|
|
(ifstate), That directory is created by the /etc/init.d/networking
|
|
|
|
script.
|
|
|
|
xserver: catch /run/gdm3
|
|
|
|
xserver: associate xconsole_device_t (/dev/xconsole) to device_t
|
|
|
|
(devtmpfs)
|
|
|
|
corenetwork: Declare gdomap port, tcp/udp:538
|
|
|
|
hostname: do not audit attempts by hostname to read and write dhcpc udp
|
|
|
|
sockets (looks like a leaked fd)
|
|
|
|
ssh: Debian sshd is configured to use capabilities
|
|
|
|
udev-acl.ck lists /run/udev/tags/udev-acl udev blocks suspend, and
|
|
|
|
compromises kernel
|
|
|
|
udev: runs: /usr/lib/avahi/avahi-daemon-check-dns.sh which creates
|
|
|
|
/run/avahi-daemon directory
|
|
|
|
mount: sets kernel thread priority mount: mount reads
|
|
|
|
/lib/modules/3.10-2-amd64/modules.dep mount: mount lists all mount
|
|
|
|
points
|
|
|
|
sysnetwork: dhcpc binds socket to random high udp ports sysnetwork: do not
|
|
|
|
audit attempts by ifconfig to read, and write dhcpc udp sockets (looks
|
|
|
|
like a leaked fd)
|
|
|
|
mount: fs_list_auto_mountpoint() is now redundant because autofs_t is
|
|
|
|
covered by files_list_all_mountpoints()
|
|
|
|
udev: this fc spec does not make sense, as there is no corresponding file
|
|
|
|
type transition for it
|
|
|
|
udev: the avahi dns check script run by udev in Debian chmods
|
|
|
|
/run/avahi-daemon
|
|
|
|
authlogin: unix_chkpwd traverses / on sysfs device on Debian
|
|
|
|
setrans: mcstransd reads filesystems file in /proc
|
|
|
|
udev: reads modules config: /etc/modprobe.d/alsa-base-blacklist.conf
|
|
|
|
fstools: hdparm append (what seems inherited from devicekit )
|
|
|
|
/var/log/pm-powersave.log fstools: hdparm reads
|
|
|
|
/run/pm-utils/locks/pm-powersave.lock
|
|
|
|
sysnetwork: dhcpc: networkmanager interface calls from Fedora. In Debian i
|
|
|
|
was able to confirm the need for
|
|
|
|
networkmanager_manage_lib_files(dhcpc_t) since dhclient reads
|
|
|
|
/var/lib/NetworkManager/dhclient-eth0.conf
|
|
|
|
sysbnetwork: dhclient searches /var/lib/ntp
|
|
|
|
sshd/setrans: make respective init scripts create pid dirs with proper
|
|
|
|
contexts
|
|
|
|
kernel: cryptomgr_test (kernel_t) requests kernel to load
|
|
|
|
cryptd(__driver-ecb-aes-aesni
|
|
|
|
xserver: already allowed by auth_login_pgm_domain(xdm_t)
|
|
|
|
unconfined: Do not domain transition to xserver_t (unconfined_t is
|
|
|
|
xserver_unconfined)
|
|
|
|
userdomain: add userdom_delete_user_tmpfs_files() for pulseaudio clients
|
|
|
|
These { read write } tty_device_t chr files on boot up in Debian
|
|
|
|
udev: udevd executable location changed
|
|
|
|
lvm: lvm writes read_ahead_kb
|
|
|
|
udev: in debian udevadm is located in /bin/udevadm
|
|
|
|
usermanage: Run /etc/cron\.daily/cracklib-runtime in the crack_t domain in
|
|
|
|
Debian
|
|
|
|
iptables: calls to firewalld interfaces from Fedora. The
|
|
|
|
firewalld_dontaudit_rw_tmp_files(iptables_t) was confirmed on Debian.
|
|
|
|
libraries: for now i can only confirm mmap, might need to be changed to
|
|
|
|
bin_t later if it turns out to need execute_no_trans
|
|
|
|
users: calls pulseaudio_role() for restricted xwindows users and
|
|
|
|
staff_t/user_t
|
|
|
|
init: for a specified automatic role transition to work. the source role
|
|
|
|
must be allowed to change manually to the target role
|
|
|
|
init: this is a bug in debian where tmpfs is mounted on /run, and so early
|
|
|
|
on in the boot process init creates /run/utmp and /run/initctl in a
|
|
|
|
tmpfs directory (/) tmpfs
|
|
|
|
init: exim init script runs various helper apps that create and manage
|
|
|
|
/var/lib/exim4/config.autogenerated.tmp file
|
|
|
|
init: the gdomap and minissdpd init scripts read the respective environ
|
|
|
|
files in /etc/default. We need to give them a private type so that we
|
|
|
|
can give the gdomap_admin() and minissdpd_admin() access to it, but it
|
|
|
|
seems overengineering to create private environ types for these files
|
|
|
|
xserver: These are no longer needed
|
|
|
|
Change behavior of init_run_daemon()
|
|
|
|
Apply direct_initrc to unconfined_r:unconfined_t
|
|
|
|
|
|
|
|
Laurent Bigonville (7):
|
|
|
|
Label /bin/fusermount like /usr/bin/fusermount
|
|
|
|
Allow udev to write in /etc/udev/rules.d
|
|
|
|
Label /etc/selinux/([^/]*/)?modules(/.*)? as semanage_store_t
|
|
|
|
Allow unconfined users to transition to dpkg_t domain
|
|
|
|
Add fcontext for rsyslog pidfile
|
|
|
|
Add fcontext for sshd pidfile and directory used for privsep
|
|
|
|
Move the ifdef at the end of the declaration block
|
|
|
|
|
|
|
|
Luis Ressel (10):
|
|
|
|
Conditionally allow ssh to use gpg-agent
|
|
|
|
kernel/files.if: Add files_dontaudit_list_var interface
|
|
|
|
kernel/devices.if: Add dev_rw_loop_control interface
|
|
|
|
system/mount.if: Add mount_read_mount_loopback interface
|
|
|
|
Allow mount_t usage of /dev/loop-control
|
|
|
|
Grant kernel_t necessary permissions for loopback mounts
|
|
|
|
Use xattr-labeling for squashfs.
|
|
|
|
Label fatsort as fsadm_exec_t.
|
|
|
|
Generalize grub2 pattern
|
|
|
|
Label grub2-install as bootloader_exec_t
|
|
|
|
|
|
|
|
Matthew Thode (1):
|
|
|
|
Extending support for SELinux on ZFS
|
|
|
|
|
|
|
|
Nicolas Iooss (2):
|
|
|
|
Label /usr/lib/sudo/sesh as shell_exec_t
|
|
|
|
Create .gitignore
|
|
|
|
|
|
|
|
Sven Vermeulen (7):
|
|
|
|
Add trivnet1 port (8200)
|
|
|
|
Get grub2-install to work properly
|
|
|
|
Support named file transition for fixed_disk_device_t
|
|
|
|
Allow ping to get/set capabilities
|
|
|
|
Extend slim /var/run expression
|
|
|
|
Allow semodule to create symlink in semanage_store_t
|
|
|
|
Allow capabilities for syslog-ng
|
|
|
|
|
2013-04-24 20:14:52 +00:00
|
|
|
* Wed Apr 24 2013 Chris PeBenito <selinux@tresys.com> - 2.20130424
|
|
|
|
Chris PeBenito (78):
|
|
|
|
Mcelog update from Guido Trentalancia.
|
|
|
|
Add bird contrib module from Dominick Grift.
|
|
|
|
Minor whitespace fix in udev.fc
|
|
|
|
Module version bump for udev binary location update from Sven Vermeulen.
|
|
|
|
clarify the file_contexts.subs_dist configuration file usage from Guido
|
|
|
|
Trentalancia
|
|
|
|
Update contrib.
|
|
|
|
Remove trailing / from paths
|
|
|
|
Module version bump for fc substitutions optimizations from Sven
|
|
|
|
Vermeulen.
|
|
|
|
Update contrib.
|
|
|
|
Module version bump for /run/dhcpc directory creation by dhcp from Sven
|
|
|
|
Vermeulen.
|
|
|
|
Module version bump for fc fixes in devices module from Dominick Grift.
|
|
|
|
Update contrib.
|
|
|
|
Module version bump for /dev/mei type and label from Dominick Grift.
|
|
|
|
Module version bump for init_daemon_run_dirs usage from Sven Vermeulen.
|
|
|
|
Module version bump for lost+found labeling in /var/log from Guido
|
|
|
|
Trentalancia.
|
|
|
|
Module version bump for loop-control patch.
|
|
|
|
Turn off all tunables by default, from Guido Trentalancia.
|
|
|
|
Add /usr/lib to TEST_TOOLCHAIN LD_LIBRARY_PATH.
|
|
|
|
Module version bump for various changes from Sven Vermeulen.
|
|
|
|
Module version bump for ports update from Dominick Grift.
|
|
|
|
Module version bump for Debian file context updates from Laurent
|
|
|
|
Bigonville.
|
|
|
|
Update contrib.
|
|
|
|
Update contrib.
|
|
|
|
split kmod fc into two lines.
|
|
|
|
Module version bump for kmod fc from Laurent Bigonville.
|
|
|
|
Module version bump for cfengine fc change from Dominick Grift.
|
|
|
|
Module verision bump for Debian cert file fc update from Laurent
|
|
|
|
Bigonville.
|
|
|
|
Module version bump for ipsec net sysctls reading from Miroslav Grepl.
|
|
|
|
Module version bump for srvloc port definition from Dominick Grift.
|
|
|
|
Rename cachefiles_dev_t to cachefiles_device_t.
|
|
|
|
Module version bump for cachefiles core support.
|
|
|
|
Module version bump for changes from Dominick Grift and Sven Vermeulen.
|
|
|
|
Module version bump for modutils patch from Dominick Grift.
|
|
|
|
Module version bump for dhcp6 ports, from Russell Coker.
|
|
|
|
Rearrange new xserver interfaces.
|
|
|
|
Rename new xserver interfaces.
|
|
|
|
Module version bump for xserver interfaces from Dominick Grift.
|
|
|
|
Move kernel_stream_connect() declaration.
|
|
|
|
Module version bump for kernel_stream_connect() from Dominick Grift.
|
|
|
|
Rename logging_search_all_log_dirs to logging_search_all_logs
|
|
|
|
Module version bump for minor logging and sysnet changes from Sven
|
|
|
|
Vermeulen.
|
|
|
|
Module version bump for dovecot libs from Mika Pflueger.
|
|
|
|
Rearrange interfaces in files, clock, and udev.
|
|
|
|
Module version bump for interfaces used by virt from Dominick Grift.
|
|
|
|
Module version bump for arping setcap from Dominick Grift.
|
|
|
|
Rearrange devices interfaces.
|
|
|
|
Module version bump/contrib sync.
|
|
|
|
Rearrange lines.
|
|
|
|
Module version bump for user home content fixes from Dominick Grift.
|
|
|
|
Rearrange files interfaces.
|
|
|
|
Module version bump for Gentoo openrc fixes for /run from Sven Vermeulen.
|
|
|
|
Update contrib.
|
|
|
|
Whitespace fix in miscfiles.fc.
|
|
|
|
Adjust man cache interface names.
|
|
|
|
Module version bump for man cache from Dominick Grift.
|
|
|
|
Module version bump for Debian ssh-keysign location from Laurent
|
|
|
|
Bigonville.
|
|
|
|
Module version bump for userdomain portion of XDG updates from Dominick
|
|
|
|
Grift.
|
|
|
|
Module version bump for iptables fc entry from Sven Vermeulen and inn log
|
|
|
|
from Dominick Grift.
|
|
|
|
Module version bump for logging and tcpdump fixes from Sven Vermeulen.
|
|
|
|
Move mcs_constrained() impementation.
|
|
|
|
Module version bump for mcs_constrained from Dominick Grift.
|
|
|
|
Update contrib.
|
|
|
|
Module version bump from Debian changes from Laurent Bigonville.
|
|
|
|
Module version bump for zfs labeling from Matthew Thode.
|
|
|
|
Module version bump for misc updates from Sven Vermeulen.
|
|
|
|
Update contrib.
|
|
|
|
Module version bump for fixes from Dominick Grift.
|
|
|
|
Module version bump for Debian updates from Laurent Bigonville.
|
|
|
|
Fix bug in userdom_delete_all_user_home_content_files() from Kohei KaiGai.
|
|
|
|
Update contrib
|
|
|
|
Fix fc_sort.c warning uncovered by recent gcc
|
|
|
|
Module version bump for chfn fixes from Sven Vermeulen.
|
|
|
|
Add swapoff fc entry.
|
|
|
|
Add conntrack fc entry.
|
|
|
|
Update contrib.
|
|
|
|
Update contrib
|
|
|
|
Archive old Changelog for log format change.
|
|
|
|
Bump module versions for release.
|
|
|
|
|
|
|
|
Dominick Grift (40):
|
|
|
|
There can be more than a single watchdog interface
|
|
|
|
Fix a suspected typo
|
|
|
|
Intel® Active Management Technology
|
|
|
|
Declare a loop control device node type and label /dev/loop-control
|
|
|
|
accordingly
|
|
|
|
Declare port types for ports used by Fedora but use /etc/services for port
|
|
|
|
names rather than using fedora port names. If /etc/services does not
|
|
|
|
have a port name for a port used by Fedora, skip for now.
|
|
|
|
Remove var_log_t file context spec
|
|
|
|
svrloc port type declaration from slpd policy module
|
|
|
|
Declare a cachfiles device node type
|
|
|
|
Implement files_create_all_files_as() for cachefilesd
|
|
|
|
Restricted Xwindows user domains run windows managers in the windows
|
|
|
|
managers domain
|
|
|
|
Declare a cslistener port type for phpfpm
|
|
|
|
Changes to the sysnetwork policy module
|
|
|
|
Changes to the userdomain policy module
|
|
|
|
Changes to the bootloader policy module
|
|
|
|
Changes to the modutils policy module
|
|
|
|
Changes to the xserver policy module
|
|
|
|
Changes to various policy modules
|
|
|
|
Changes to the kernel policy module
|
|
|
|
For svirt_lxc_domain
|
|
|
|
For svirt_lxc_domain
|
|
|
|
For svirt_lxc_domain
|
|
|
|
For virtd lxc
|
|
|
|
For virtd_lxc
|
|
|
|
For virtd_lxc
|
|
|
|
For virtd lxc
|
|
|
|
For virtd lxc
|
|
|
|
For virtd
|
|
|
|
Arping needs setcap to cap_set_proc
|
|
|
|
For virtd
|
|
|
|
Changes to the user domain policy module
|
|
|
|
Samhain_admin() now requires a role for the role_transition from $1 to
|
|
|
|
initrc_t via samhain_initrc_exec_t
|
|
|
|
Changes to the user domain policy module
|
|
|
|
Label /var/cache/man with a private man cache type for mandb
|
|
|
|
Create a attribute user_home_content_type and assign it to all types that
|
|
|
|
are classified userdom_user_home_content()
|
|
|
|
These two attribute are unused
|
|
|
|
System logger creates innd log files with a named file transition
|
|
|
|
Implement mcs_constrained_type
|
|
|
|
Changes to the init policy module
|
|
|
|
Changes to the userdomain policy module
|
|
|
|
NSCD related changes in various policy modules
|
|
|
|
|
|
|
|
Guido Trentalancia (1):
|
|
|
|
add lost+found filesystem labels to support NSA security guidelines
|
|
|
|
|
|
|
|
Laurent Bigonville (21):
|
|
|
|
Add Debian locations for GDM 3
|
|
|
|
Add Debian location for udisks helpers
|
|
|
|
Add insmod_exec_t label for kmod executable
|
|
|
|
Add Debian location for PKI files
|
|
|
|
Add Debian location for ssh-keysign
|
|
|
|
Properly label all the ssh host keys
|
|
|
|
Allow udev_t domain to read files labeled as consolekit_var_run_t
|
|
|
|
authlogin.if: Add auth_create_pam_console_data_dirs and
|
|
|
|
auth_pid_filetrans_pam_var_console interfaces
|
|
|
|
Label /etc/rc.d/init.d/x11-common as xdm_exec_t
|
|
|
|
Drop /etc/rc.d/init.d/xfree86-common filecontext definition
|
|
|
|
Label /var/run/shm as tmpfs_t for Debian
|
|
|
|
Label /var/run/motd.dynamic as initrc_var_run_t
|
|
|
|
Label /var/run/initctl as initctl_t
|
|
|
|
udev.if: Call files_search_pid instead of files_search_var_lib in
|
|
|
|
udev_manage_pid_files
|
|
|
|
Label executables in /usr/lib/NetworkManager/ as bin_t
|
|
|
|
Add support for rsyslog
|
|
|
|
Label var_lock_t as a mountpoint
|
|
|
|
Add mount_var_run_t type and allow mount_t domain to manage the files and
|
|
|
|
directories
|
|
|
|
Add initrc_t to use block_suspend capability
|
|
|
|
Label executables under /usr/lib/gnome-settings-daemon/ as bin_t
|
|
|
|
Label nut drivers that are installed in /lib/nut on Debian as bin_t
|
|
|
|
|
|
|
|
Matthew Thode (1):
|
|
|
|
Implement zfs support
|
|
|
|
|
|
|
|
Mika Pflüger (2):
|
|
|
|
Debian locations of gvfs and kde4 libexec binaries in /usr/lib
|
|
|
|
Explicitly label dovecot libraries lib_t for debian
|
|
|
|
|
|
|
|
Miroslav Grepl (1):
|
|
|
|
Allow ipsec to read kernel sysctl
|
|
|
|
|
|
|
|
Paul Moore (1):
|
|
|
|
flask: add the attach_queue permission to the tun_socket object class
|
|
|
|
|
|
|
|
Russell Coker (1):
|
|
|
|
Label port 5546 as dhcpc_port_t and allow dhcpc_t to bind to TCP for
|
|
|
|
client control
|
|
|
|
|
|
|
|
Sven Vermeulen (27):
|
|
|
|
New location for udevd binary
|
|
|
|
Use substititions for /usr/local/lib and /etc/init.d
|
|
|
|
DHCP client's hooks create /run/dhcpc directory
|
|
|
|
Introduce init_daemon_run_dir transformation
|
|
|
|
Use the init_daemon_run_dir interface for udev
|
|
|
|
Allow initrc_t to create run dirs for core modules
|
|
|
|
Puppet uses mount output for verification
|
|
|
|
Allow syslogd to create /var/lib/syslog and
|
|
|
|
/var/lib/misc/syslog-ng.persist
|
|
|
|
Gentoo's openrc does not require initrc_exec_t for runscripts anymore
|
|
|
|
Allow init scripts to read courier configuration
|
|
|
|
Allow search within postgresql var directory for the stream connect
|
|
|
|
interface
|
|
|
|
Introduce logging_getattr_all_logs interface
|
|
|
|
Introduce logging_search_all_log_dirs interface
|
|
|
|
Support flushing routing cache
|
|
|
|
Allow init to set attributes on device_t
|
|
|
|
Introduce files_manage_all_pids interface
|
|
|
|
Gentoo openrc migrates /var/run and /var/lock data to /run(/lock)
|
|
|
|
Update files_manage_generic_locks with directory permissions
|
|
|
|
Run ipset in iptables domain
|
|
|
|
tcpdump chroots into /var/lib/tcpdump
|
|
|
|
Remove generic log label for cron location
|
|
|
|
Postgresql 9.2 connects to its unix stream socket
|
|
|
|
lvscan creates the /run/lock/lvm directory if nonexisting (v2)
|
|
|
|
Allow syslogger to manage cron log files (v2)
|
|
|
|
Allow initrc_t to read stunnel configuration
|
|
|
|
Introduce exec-check interfaces for passwd binaries and useradd binaries
|
|
|
|
chfn_t reads in file context information and executes nscd
|
|
|
|
|