nnd
/
selinux-refpolicy
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
selinux-refpolicy/Changelog

3795 lines
173 KiB
Plaintext
Raw Blame History

* Mon Feb 26 2024 Chris PeBenito <pebenito@ieee.org> - 2.20240226
Chris PeBenito (174):
tests.yml: Pin ubuntu 20.04.
tests.yml: Pin ubuntu 20.04.
fstools: Move lines.
munin: Move munin_rw_tcp_sockets() implementation.
munin: Whitespace change.
systemd: Tmpfilesd can correct seusers on files.
iscsi: Read initiatorname.iscsi.
lvm: Add fc entry for /etc/multipath/*
sysnetwork: Rename sysnet_dontaudit_rw_dhcpc_unix_dgram_sockets()
Define user_namespace object class.
chromium: Allow user namespace creation.
mozilla: Allow user namespace creation.
systemd: Allow user namespace creation.
container: Allow user namespace creation for all container engines.
Update eg25manager.te
switcheroo: Whitespace fix.
unconfined: Keys are linkable by systemd.
postgresql: Move lines
Add append to rw and manage lnk_file permission sets for consistency.
domain: Manage own fds.
systemd: systemd-cgroups reads kernel.cap_last_cap sysctl.
kernel: hv_utils shutdown on systemd systems.
Container: Minor fixes from interactive container use.
systemd: Minor coredump fixes.
rpm: Minor fixes
init: Allow nnp/nosuid transitions from systemd initrc_t.
selinuxutil: Semanage reads policy for export.
sysnetwork: ifconfig searches debugfs.
usermanage: Add sysctl access for groupadd to get number of groups.
files: Handle symlinks for /media and /srv.
cloudinit: Add support for installing RPMs and setting passwords.
kdump: Fixes from testing kdumpctl.
usermanage: Handle symlinks in /usr/share/cracklib.
unconfined: Add remaining watch_* permissions.
chronyd: Read /dev/urandom.
cloud-init: Allow use of sudo in runcmd.
cloud-init: Add systemd permissions.
cloud-init: Change udev rules
systemd: Updates for systemd-locale.
cloudinit: Add permissions derived from sysadm.
Christian Göttsche (28):
git: add fcontext for default binary
init: only grant getattr in init_getattr_generic_units_files()
ci: bump SELint version to 1.5.0
SELint userspace class tweaks
systemd: reorder optional block
devicedisk: reorder optional block
access_vectors: define io_uring { cmd }
support/genhomedircon: support usr prefixed paths
fix misc typos
Support multi-line interface calls
policy_capabilities: remove estimated from released versions
Rules.monolithic: pre-compile fcontexts on install
Rules.modular: use temporary file to not ignore error
Makefile: use sepolgen-ifgen-attr-helper from test toolchain
Makefile: set PYTHONPATH for test toolchain
virt: label qemu configuration directory
selinuxutil: setfiles updates
selinuxutil: ignore getattr proc in newrole
userdom: permit reading PSI as admin
fs: mark memory pressure type as file
systemd: binfmt updates
vnstatd: update
fs: add support for virtiofs
systemd: generator updates
udev: update
systemd: logind update
consolesetup: update
libraries: drop space in empty line
Christian Schneider (1):
systemd-generator: systemd_generator_t load kernel modules used for e.g.
zram-generator
Corentin LABBE (20):
udev: permit to read hwdb
fstools: handle gentoo place for drivedb.h
mount: dbus interface must be optional
mcelog: add missing file context for triggers
munin: add file context for common functions file
rsyslog: add label for /var/empty/dev/log
munin: disk-plugin: transition to fsadm
munin: add fc for munin-node plugin state
usermanage: permit groupadd to read kernel sysctl
portage: Remove old binary location
portage: add go/hg source control files
portage: add new location for portage commands
portage: add missing go/hg context in new distfiles location
mandb: permit to read inherited cron files
selinuxutil: do not audit load_policy trying to use portage ptys
selinuxutil: permit run_init to read kernel sysctl
portage: add misc mising rules
smartmon: allow smartd to read fsadm_db_t files
smartmon: add domain for update-smart-drivedb
dovecot: add missing permissions
Dave Sugar (46):
rng-tools updated to 6.15 (on RHEL9) seeing the following denials:
Allow local login to read /run/motd
Label pwhistory_helper
If domain can read system_dbusd_var_lib_t files, also allow symlinks
systemd-rfkill.socket reads /dev/rfkill (with ListenSocket=) option.
To allow setting for net.netfilter.nf_* in /etc/sysctl.d/*.conf
Allow iceauth write to xsession log
Allow system_dbusd_t to start/stop all units
Updates for utempter
Allow display manager to read hwdata
Allow search xdm_var_run_t directories along with reading files.
Solve issue with no keyboard/mouse on X login screen
separate label for /etc/security/opasswd
Fix some ssh agent denials
For systemd-hostnamed service to run
Allow rsyslog to drop capabilities
/var/lib/sddm should be xdm_var_lib_t
resolve lvm_t issues at shutdown with LUKS encrypted devices
Allow all users to (optionally) send syslog messages
Resolve some denials with colord
separate domain for journalctl during init
Use interface that already exists.
Separate label for /run/systemd/notify (#710)
Changes needed for dbus-broker-launch
Allow dbus-broker-launch to execute in same domain
dbus changes
Firewalld need to relabel direct.xml file
xguest ues systemd --user
Needed to allow environment variable to process started (for cockpit)
SELinux policy for cockpit
Fix denial while cleaning up pidfile symlink
allow system --user to execute systemd-tmpfiles in
<user>_systemd_tmpfiles_t domain
cockpit ssh as user
Allow sudo dbus chat w/sysemd-logind
The L+ tmpfiles option needs to read the symlink
Signal during logout
This seems important for administrative access
This works instead of allow exec on user_tmpfs_t!
admin can read/write web socket
Allow key manipulation
Add dontaudit to quiet down a bit
Add watches
Additional access for systemctl
Denial during cockpit use
Fix password changing from cockpit login screen
Resolve error when cockpit initiate shutdown
David Sommerseth (1):
openvpn: Allow netlink genl
Fabrice Fontaine (1):
policy/modules/services/smartmon.te: make fstools optional
Florian Schmidt (1):
Add label and interfaces for kernel PSI files
George Zenner (1):
Signed-off-by: George Zenner <zen@pyl.onl>
Grzegorz Filo (3):
Shell functions used during boot by initrc_t shall be bin_t and defined in
corecommands.fc
Dir transition goes with dir create perms.
Keep context of blkid file/dir when created by zpool.
Guido Trentalancia (53):
The pulseaudio daemon and client do not normally need to use the network
for most computer systems that need to play and record audio.
The kernel domain should be able to mounton runtime directories during
switch_root, otherwise parts of the boot process might fail on some
systems (for example, the udev daemon).
The kernel domain should be able to mounton default directories during
switch_root.
The pulseaudio module should be able to read alsa library directories.
Fix the pulseaudio module file transition for named sockets in tmp
directories.
Fix the dbus module so that automatic file type transitions are used not
only for files and directories, but also for named sockets.
Fix the dbus module so that temporary session named sockets can be read
and written in the role template and by system and session bus clients.
Update the dbus role template so that permissions to get the attributes of
the proc filesystem are included.
Let pulseaudio search debugfs directories, as currently done with other
modules.
Separate the tunable permissions to write xserver tmpfs files from the
tunable permissions to write X server shared memory.
Fix a security bug in the xserver module (interfaces) which was wrongly
allowing an interface to bypass existing tunable policy logic related
to X shared memory and xserver tmpfs files write permissions.
Add missing permissions to execute binary files for the evolution_alarm_t
domain.
Add the permissions to manage the fonts cache (fontconfig) to the window
manager role template.
Add permissions to watch libraries directories to the userdomain login
user template interface.
Update the xscreensaver module in order to work with the latest version
(tested with version 6.06).
Include the X server tmpfs rw permissions in the X shared memory write
access tunable policy under request from Christoper PeBenito.
Revert the following commit (ability to read /usr files), as it is no
longer needed, after the database file got its own label:
Update the kernel module to remove misplaced or at least really obsolete
permissions during kernel module loading.
Introduce a new "logging_syslog_can_network" boolean and make the
net_admin capability as well as all corenetwork permissions previously
granted to the syslog daemon conditional upon such boolean being true.
Let the openoffice domain manage fonts cache (fontconfig).
Update the openoffice module so that it can create Unix stream sockets
with its own label and use them both as a client and a server.
Let mplayer to act as a dbus session bus client (needed by the vlc media
player).
Add permissions to read device sysctls to mplayer.
Remove misplaced permission from mount interface mount_exec.
Remove a vulnerability introduced by a logging interface which allows to
execute log files.
Improved wording for the new xserver tunable policy booleans introduced
with the previous three commits.
Fix another security bug companion of the one fixed in the following
previous commit:
Fix another security bug similar to the ones that have been recently fixed
in the following two commits:
Remove duplicate permissions in the xserver module
xserver_restricted_role() interface.
Dbus creates Unix domain sockets (in addition to listening on and
connecting to them), so its policy module is modified accordingly.
Remove a logging interface from the userdomain module since it has now
been moved to the xscreensaver domain.
Create a new specific file label for the random seed file saved before
shutting down or rebooting the system and rework the interface needed
to manage such file.
Fix the shutdown policy in order to make use of the newly created file
label and interface needed to manage the random seed file.
Update the gpg module so that the application is able to fetch new keys
from the network.
Dbus creates Unix domain sockets not only for the system bus, but also for
the session bus (in addition to connecting to them), so its policy
module is modified accordingly.
Update the gnome module so that the gconf daemon is able to create Unix
domain sockets and accept or listen connections on them.
Fix the recently introduced "logging_syslog_can_network" tunable policy,
by including TCP/IP socket creation permissions.
Introduce a new interface in the mta module to manage the mail transport
agent configuration directories and files.
Add new gpg interfaces for gpg_agent execution and to avoid auditing
search operations on files and directories that are not strictly needed
and might pose a security risk.
Extend the scope of the "spamassassin_can_network" tunable policy boolean
to all network access (except the relative dontaudit rules).
Update the spamassassin module in order to better support the rules
updating script; this achieved by employing two distinct domains for
increased security and network isolation: a first domain is used for
fetching the updated rules from the network and second domain is used
for verifying the GPG signatures of the received rules.
Under request from Christopher PeBenito, merge the two spamassassin rules
updating SELinux domains introduced in the previous change in order to
reduce the non-swappable kernel memory used by the policy.
Introduce a new "dbus_can_network" boolean which controls whether or not
the dbus daemon can act as a server over TCP/IP networks and defaults
to false, as this is generally insecure, except when using the local
loopback interface.
Introduce two new booleans for the X server and X display manager domains
which control whether or not the respective domains allow the TCP/IP
server networking functionality.
The X display manager uses an authentication mechanism based on an
authorization file which is critical for X security.
Merge branch 'main' into x_fixes_pr2
Let openoffice perform temporary file transitions and manage link files.
Modify the gpg module so that gpg and the gpg_agent can manage
gpg_runtime_t socket files.
The LDAP server only needs to read generic certificate files, not manage
them.
Create new TLS Private Keys file contexts for the Apache HTTP server
according to the default locations:
Let the webadm role manage Private Keys and CSR for SSL Certificates used
by the HTTP daemon.
Let the certmonger module manage SSL Private Keys and CSR used for example
by the HTTP and/or Mail Transport daemons.
Additional file context fix for:
Kai Meng (1):
devices:Add genfscon context for functionfs to mount
Kenton Groombridge (106):
corenet: add portcon for kubernetes
kubernetes: initial policy module
sysadm: allow running kubernetes
crio: new policy module
crio, kubernetes: allow k8s admins to run CRI-O
container: add type for container plugins
various: fixes for kubernetes
kubernetes: add policy for kubectl
various: fixes for kubernetes
container, kernel: add tunable to allow spc to create NFS servers
container: add tunable to allow containers to use huge pages
container, kubernetes: add private type for generic container devices
container: add tunable to use dri devices
container, kubernetes: add rules for device plugins running as spc
various: allow using glusterfs as backing storage for k8s
container, miscfiles: transition to s0 for public content created by
containers
container: add tunable to allow spc to use tun-tap devices
container: correct admin_pattern() usage
systemd: add policy for systemd-pcrphase
hddtemp: add missing rules for interactive usage
netutils: minor fixes for nmap and traceroute
container: add rules required for metallb BGP speakers
filesystem, init: allow systemd to setattr on ramfs dirs
logging: allow domains sending syslog messages to connect to kernel unix
stream sockets
init, sysadm: allow sysadm to manage systemd runtime units
podman: allow podman to stop systemd transient units
userdom: allow admin users to use tcpdiag netlink sockets
container: allow container admins the sysadm capability in user namespaces
postfix: allow postfix master to map data files
sasl: add filecon for /etc/sasl2 keytab
obj_perm_sets: add mmap_manage_file_perms
various: use mmap_manage_file_perms
postfix, sasl: allow postfix smtp daemon to read SASL keytab
various: fixes for libvirtd and systemd-machined
portage: label eix cache as portage_cache_t
container: add missing filetrans and filecon for containerd/docker
container, init, systemd: add policy for quadlet
container: fixes for podman 4.4.0
container: fixes for podman run --log-driver=passthrough
node_exporter: various fixes
redis: add missing rules for runtime filetrans
podman, selinux: move lines, add missing rules for --network=host
netutils: fixes for iftop
kernel, zfs: add filetrans for kernel creating zpool cache file
zfs: allow sending signals to itself
zfs: add runtime filetrans for dirs
init: make init_runtime_t useable for systemd units
various: make /etc/machine-id etc_runtime_t
init, systemd: allow init to create userdb runtime symlinks
init: allow initrc_t to getcap
systemd: allow systemd-userdbd to getcap
logging: allow systemd-journald to list cgroups
fs, udev: allow systemd-udevd various cgroup perms
logging, systemd: allow relabelfrom,relabelto on systemd journal files by
systemd-journald
files, systemd: allow systemd-tmpfiles to relabel config file symlinks
systemd: add rules for systemd-zram-generator
systemd: allow systemd-pcrphase to read generic certs
fs, init: allow systemd-init to set the attributes of efivarfs files
init: allow systemd-init to set the attributes of unallocated terminals
systemd: allow systemd-resolved to bind to UDP port 5353
init: allow initrc_t to create netlink_kobject_uevent_sockets
raid: allow mdadm to read udev runtime files
raid: allow mdadm to create generic links in /dev/md
fstools: allow fsadm to read utab
glusterfs: allow glusterd to bind to all TCP unreserved ports
kubernetes: allow kubelet to read etc runtime files
chromium: allow chromium-naclhelper to create user namespaces
container: rework capabilities
container: allow watching FUSEFS dirs and files
glusterfs: add tunable to allow managing unlabeled files
sysadm: allow using networkctl
container: various fixes
container, kubernetes: add support for cilium
kubernetes: allow container engines to mount on DRI devices if enabled
init, systemd: label systemd-executor as init_exec_t
udev: allow reading kernel fs sysctls
init: allow all daemons to write to init runtime sockets
systemd: fixes for systemd-pcrphase
systemd: allow networkd to use netlink netfilter sockets
rpc: add filecon for /etc/exports.d
zed: allow managing /etc/exports.d/zfs.exports
zfs: dontaudit net_admin capability by zed
su: various fixes
kernel: allow delete and setattr on generic SCSI and USB devices
mount: make mount_runtime_t a kubernetes mountpoint
fstools: allow fsadm to ioctl cgroup dirs
fstools: allow reading container device blk files
container, kubernetes: add support for rook-ceph
kernel: dontaudit read fixed disk devices
container: add filecons for rook-ceph
init, systemd: allow systemd-pcrphase to write TPM measurements
systemd: add policy for systemd-machine-id-setup
container, kubernetes: allow kubernetes to use fuse-overlayfs
kubernetes: fix kubelet accounting
systemd: label systemd-pcrlock as systemd-pcrphase
zfs: allow zfs to write to exports
kernel: allow managing mouse devices
init: allow using system bus anon pidfs
systemd: label systemd-tpm2-setup as systemd-pcrphase
bootloader, init, udev: misc minor fixes
rpc: fix not labeling exports.d directory
dbus: allow the system bus to get the status of generic units
systemd: allow systemd generator to list exports
crio: allow reading container home content
container: allow spc to map kubernetes runtime files
kubernetes: allow kubelet to apply fsGroup to persistent volumes
Luca Boccassi (4):
Set label systemd-oomd
Add separate label for cgroup's memory.pressure files
systemd: also allow to mounton memory.pressure
systemd: allow daemons to access memory.pressure
Mathieu Tortuyaux (1):
container: fix cilium denial
Oleksii Miroshko (1):
Fix templates parsing in gentemplates.sh
Pat Riehecky (1):
container: set default context for local-path-provisioner
Renato Caldas (1):
kubernetes: allow kubelet to read /proc/sys/vm files.
Russell Coker (28):
This patch removes deprecated interfaces that were deprecated in the
20210203 release. I think that 2 years of support for a deprecated
interface is enough and by the time we have the next release out it
will probably be more than 2 years since 20210203.
This patch removes deprecated interfaces that were deprecated in the
20210203 release. I think that 2 years of support for a deprecated
interface is enough and by the time we have the next release out it
will probably be more than 2 years since 20210203.
eg25-manager (Debian package eg25-manager) is a daemon aimed at
configuring and monitoring the Quectel EG25 modem on a running system.
It is used on the PinePhone (Pro) and performs the following functions:
* power on/off * startup configuration using AT commands * AGPS
data upload * status monitoring (and restart if it becomes
unavailable) Homepage: https://gitlab.com/mobian1/eg25-manager
iio-sensor-proxy (Debian package iio-sensor-proxy) IIO sensors to D-Bus
proxy Industrial I/O subsystem is intended to provide support for
devices that in some sense are analog to digital or digital to analog
convertors . Devices that fall into this category are: * ADCs *
Accelerometers * Gyros * IMUs * Capacitance to Digital Converters
(CDCs) * Pressure Sensors * Color, Light and Proximity Sensors *
Temperature Sensors * Magnetometers * DACs * DDS (Direct Digital
Synthesis) * PLLs (Phase Locked Loops) * Variable/Programmable Gain
Amplifiers (VGA, PGA)
Fixed dependency on unconfined_t
Comment sysfs better
Daemon to control authentication for Thunderbolt.
Daemon to monitor memory pressure and notify applications and change …
(#670)
switcheroo is a daemon to manage discrete vs integrated GPU use for apps
policy for power profiles daemon, used to change power settings
some misc userdomain fixes
debian motd.d directory (#689)
policy for the Reliability Availability servicability daemon (#690)
policy patches for anti-spam daemons (#698)
Added tmpfs file type for postgresql Small mysql stuff including
anon_inode
small ntp and dns changes (#703)
small network patches (#707)
small storage changes (#706)
allow jabbers to create sock file and allow matrixd to read sysfs (#705)
small systemd patches (#708)
misc small patches for cron policy (#701)
mon.te patches as well as some fstools patches related to it (#697)
misc small email changes (#704)
https://blog.trailofbits.com/2019/07/19/understanding-docker-container-escapes/
Label checkarray as mdadm_exec_t, allow it to read/write temp files
inherited from cron, and dontaudit ps type operations from it
Changes to eg25manager and modemmanager needed for firmware upload on
pinephonepro
patches for nspawn policy (#721)
Simple patch for Brother printer drivers as described in:
https://etbe.coker.com.au/2023/10/22/brother-mfc-j4440dw-printer/
Yi Zhao (15):
systemd: add capability sys_resource to systemd_userdbd_t
systemd: allow systemd-sysctl to search directories on ramfs
systemd: allow systemd-resolved to search directories on tmpfs and ramfs
mount: allow mount_t to get attributes for all directories
loadkeys: do not audit attempts to get attributes for all directories
systemd: allow systemd-networkd to create file in /run/systemd directory
systemd: allow journalctl to create /var/lib/systemd/catalog
bind: fix for named service
systemd: use init_daemon_domain instead of init_system_domain for
systemd-networkd and systemd-resolved
rpm: fixes for dnf
lvm: set context for /run/cryptsetup
container: set context for /run/crun
systemd: allow systemd-hostnamed to read machine-id and localization files
systemd: allow systemd-rfkill to getopt from uevent sockets
udev: fix for systemd-udevd
freedom1b2830 (1):
mplayer:vlc paths
* Tue Nov 01 2022 Chris PeBenito <pebenito@ieee.org> - 2.20221101
Chris PeBenito (46):
systemd: Drop systemd_detect_virt_t.
fstools: Handle resizes of the root filesystem.
mount: Get the attributes of all filesystems.
rpm: Add dnf and tdnf labeling.
logging: Change to systemd interface for tmpfilesd.
systemd: Remove systemd-run domain.
unconfined: Add missing capability2 perms.
lvm: Updates for multipath LVM.
locallogin: Use init file descriptors.
systemd: Misc fixes.
isns: Updates from testing.
container, docker: Fixes for containerd and kubernetes testing.
devices: Add type for SAS management devices.
devices: Add file context for /dev/vhost-vsock.
iptables: Ioctl cgroup dirs.
devices: Add type for infiniband devices.
storage: Add fc for /dev/ng*n* devices.
files: Add prerequisite access for files_mounton_non_security().
files: Make etc_runtime_t a config file.
systemd: Fixes for coredumps in containers.
container: Allow container engines to connect to http cache ports.
container: Getattr generic device nodes.
application: Allow apps to use init fds.
systemd: Misc updates.
filesystem: Move ecryptfs interface definitions.
mcs: Add additional SysV IPC constraints.
mcs: Collapse constraints.
mcs: Add additional socket constraints.
mcs: Add missing process permission constraints.
mcs: Remove duplicate node_bind constraint.
mcs: Reorganize file.
mls: Add setsockcreate constraint.
systemd: Add interface for systemctl exec.
Add cloud-init.
hypervkvp: Port updated module from Fedora policy.
init: Add tunable for systemd to create all its mountpoints.
Run Ci tests in parallel.
Revise userspace and SELint versions in CI
fapolicyd: Fix selint issue.
tests.yml: Remove irrelevant comment.
Drop audit_access allows.
sympa: Move lines.
sympa: Drop module version.
sympa, mta, exim: Revise interfaces.
sympa, logging; Fix lint errors.
container: Add missing UDP node bind access on container engines.
Christian Göttsche (3):
Replace deprecated egrep usage
ci: update dependencies
ci: build SELint from source
Daniel Burgener (1):
Drop explicit calls to seutil and kernel module interfaces in broad files
interfaces
Dave Sugar (20):
ssh: allow ssh_keygen to read /usr/share/crypto-policies/
chronyd: Allow to read fips_enabled sysctl
chronyd: allow chronyd to read /usr/share/crypto-policies
systemd: init_t creates systemd-logind 'linger' directory
systemd: systemd-update-done fix startup issue
usbguard: Allow to read fips_enabled sysctl
firewalld: read to read fips_enabled sysctl
firewalld: create netfilter socket
firewalld: allow to load kernel modules
firewalld: write tmpfs files
firewalld: firewalld-cmd uses dbus
tpm2-abrmd: allow to send syslog messages
domain: move kernel_read_crypto_sysctls to a common location
fapolicyd: Initial SELinux policy
networkmanager: allow watch etc_t and lib_t
firewalld: allow watch on firewalld files
Seeing long delay during shutdown saying: 'A stop job is running for
Restore /run/initramfs on shutdown'
fix: issue #550 - compile failed when DIRECT_INITRC=y
fapolicyd: fagenrules chgrp's the compiled.rules
Add 'DIRECT_INITRC' config to automated tests
Kenton Groombridge (95):
systemd: add separate type for user transient units
systemd: rename user runtime unit interfaces
docker, podman: use renamed user runtime unit status interface
systemd: rename status user mananger units interface
systemd: systemd-resolved is linked to libselinux
systemd: dontaudit systemd-generator getattr on all dirs
raid: allow mdadm to use user ptys
bootloader, files: allow bootloader to getattr on boot_t filesystems
matrixd: various fixes
container: add unconfined role
unconfined: use unconfined container role
podman: add interface to rangetrans when executing conmon
podman: rework conmon rules
podman: add file context for podman in /usr/libexec
container: rework combined role interfaces
podman: typealias podman_user_conmon_t to podman_conmon_user_t
fail2ban: allow fail2ban to getsched on its processes
modutils: allow kmod to write to kmsg
postfix: allow postfix-map to read certbot certs
postfix: allow postfix master to get the state of init
postfix: allow postfix master fsetid capability
bind: fixes for named working on dnssec files
sudo: allow sudo domains to create netlink selinux sockets
sysnetwork, systemd: allow DNS resolution over io.systemd.Resolve
container: allow containers to manipulate own fds
container: allow container engines to manage tmp symlinks
ssh: add tunable to allow sshd to use remote port forwarding
systemd: minor fixes to systemd user domains
init, systemd: allow unpriv users to read the catalog
container: add separate type for container engine units
container, podman: allow podman to restart container units
spamassassin: add file context for rspamd log directory
term, init: allow systemd to watch and watch reads on unallocated ttys
certbot: various fixes
systemd: add file transition for systemd-networkd runtime
systemd: add missing file context for /run/systemd/network
systemd: add file contexts for systemd-network-generator
systemd, udev: allow udev to read systemd-networkd runtime
systemd: allow systemd-networkd to read init runtime files
podman: add alias for conmon executable
systemd: ensure connecting to resolved allows searching init runtime
ssh: allow sshd to run setfiles when polyinstantiation is enabled
sudo: allow sudo domains to access caller's /proc/pid/stat
container: add file contexts for docker home config
files, init: allow systemd to remount etc filesystems
systemd: allow systemd-logind to read localization
init: fix possible typo
corecmd: label dracut lib as bin_t
sudo: various fixes
udev: various fixes for udevadm
bootloader, init: various fixes for systemd-boot
systemd: allow systemd-generator to read etc runtime files
systemd: add interface to read userdb runtime files
logging: various fixes for auditctl
screen: add interface to dontaudit runtime sock file
systemd: dontaudit systemd-tmpfiles getattr on screen sock file
systemd: dontaudit systemd-tmpfiles getattr on all dirs
fstools: fixes for fsadm with nfs
various: fixes for nfs
init: dontaudit initrc creating /dev/console during initrd
storage: include chr_files in fixed_disk_dev interfaces
systemd: allow systemd-userdbd to search default contexts
logging, systemd: allow auditctl to list userdb runtime dirs
bootloader, userdom: minor fixes for systemd-boot
systemd: allow systemd-resolved to read generic certs
sysadm: allow sysadm to rw ipmi devices
zfs: initial policy module
fstools, mount: remove legacy zfs rules
files, mount: remove legacy ZFS file contexts
sysadm: allow admin access to zfs
kernel: allow kthreads to read and write the zpool cache
systemd, zfs: allow systemd-generator to read zfs config
udev: allow reading ZFS config
zfs: various fixes
mta: add support for nullmailer
devices: add interface to rw infiniband devices
xdg: add interface to dontaudit searching xdg data dirs
opensm: initial policy
sysadm: allow opensm access
corenet: add portcon for glusterfs
glusterfs: various fixes
glusterfs: add type for gluster bricks
mount: allow mounting glusterfs volumes
selinuxutil: allow semanage, setfiles to inherit gluster fds
glusterfs, selinuxutil: make modifying fcontexts a tunable
glusterfs: add type for glusterd hooks
usermanage: add file context for chpasswd in /usr/bin
node_exporter: add file context for node_exporter in /usr/bin
usbguard: add file context for usbguard in /usr/bin
init: add file context for systemd units in dracut modules
git: add file contexts for other git utilities
dbus, init, mount, rpc: minor fixes for mount.nfs
zfs: allow reading exports
systemd: allow systemd-generator to use dns resolution
rpc: allow rpc admins to rw nfsd fs
Pat Riehecky (2):
container: Boolean for ecryptfs
Clone `xguest_connect_network` for guest role
Russell Coker (1):
Sympa list server
Yi Zhao (16):
systemd: allow systemd user to watch /etc directories
logwatch: fixes for logwatch
postfix: allow postfix_local_t to search logwatch_cache_t
sysnetwork: allow systemd_networkd_t to read link file
logging: allow systemd-journal to manage syslogd_runtime_t sock_file
radius: fixes for freeradius
udev: allow udev_read_runtime_files to read link files
watchdog: allow watchdog to create /var/log/watchdog directory
systemd: allow systemd-resolved to manage link files
sysnetwork: fix privilege separation functionality of dhcpcd
sysnetwork: allow dhcpcd to send and receive messages from systemd
resolved
rpm: add label for dnf-automatic and dnf-3
systemd: allow systemd-backlight to read kernel sysctl settings
systemd: allow systemd-rfkill to get attributes of all fs
systemd: allow systemd-hostnamed to read selinux configuration files
systemd: add capability sys_admin to systemd_generator_t
* Fri May 20 2022 Chris PeBenito <pebenito@ieee.org> - 2.20220520
Björn Esser (1):
authlogin: add fcontext for tcb
Chris PeBenito (118):
0xC0ncord/bugfix/systemd-user-exec-apps-hookup
systemd, ssh, ntp: Read fips_enabled crypto sysctl.
systemd: Unit generator fixes.
systemd: Revise tmpfiles factory to allow writing all configs.
systemd: User runtime reads user cgroup files.
logging: Add audit_control for journald.
udev: Manage EFI variables.
ntp: Handle symlink to drift directory.
logging: Allow auditd to stat() dispatcher executables.
Drop module versioning.
tests.yml: Disable policy_module() selint checks.
systemd: Change journal file context to MLS system high.
Revert "users: remove MCS categories from default users"
systemd: Add systemd-homed and systemd-userdbd.
systemd, ssh: Crypto sysctl use.
systemd: Additional fixes for fs getattrs.
systemd: Updates for generators and kmod-static-nodes.service.
domain: Allow lockdown for all domains.
postfix, spamassassin: Fix missed type renames after alias removals.
cron, dbus, policykit, postfix: Minor style fixes.
Make hide_broken_symptoms unconditional.
puppet: Style fixes.
matrixd: Cleanups.
matrixd: SELint fixes.
mailmain: Fix check_fc_files issue.
mailmain: Fix SELint issues.
postfix: Move lines.
apache: Remove unnecessary require in apache_exec().
seusers: Remove sddm.
Add a vulnerability handling process.
Christian Goettsche (1):
check_fc_files: allow optional @ character
Christian Göttsche (11):
filesystem: add fs_use_trans for ramfs
Ignore umask on when installing headers
Revert "tests.yml: Disable policy_module() selint checks."
build.conf: bump policy version in comment
flask: add new kernel security classes
policy_capabilities: add ioctl_skip_cloexec
policy.dtd: more strict bool/tunable and infoflow validation
Makefile: invoke python with -bb
Rules.monolithic: add target to generate CIL policy
Makefile: use override for adding options
Rules.modular: add pure-load target
Dave Sugar (4):
Allow iscsid to request kernel module load
Allow iscsid to check fips_enabled
sshd: allow to run /usr/bin/fipscheck (to check fips state)
systemd: resolve error with systemd-sysctl
Fabrice Fontaine (2):
policy/modules/services/samba.te: make crack optional
policy/modules/services/wireguard.te: make iptables optional
Gao Xiang (1):
Add erofs as a SELinux capable file system
Henrik Grindal Bakken (1):
snmp: Fix typo in /var/net-snmp rule
Jonathan Davies (12):
chronyd.te: Added chronyd_hwtimestamp boolean for chronyd_t to access
net_admin capability, this is required for its `hwtimestamp` option,
which otherwise returns:
virt.te: Fixed typo in virtlogd_t virt_common_runtime_t
manage_files_pattern.
obfs4proxy: Added policy.
tor: Added interfaces and types for obfs4proxy support.
corenetwork.te.in: Added ntske port.
chronyd.te: Added support for bind/connect/recv/send NTS packets.
chronyd: Allow access to read certs.
obj_perm_sets.spt: Fixed typo in rw_netlink_socket_perms.
policy/*: Replaced rw_netlink_socket_perms with
create_netlink_socket_perms.
node_exporter: Added initial policy.
systemd.te: Added boolean for allowing dhcpd server packets.
systemd.if: Allowed reading systemd_userdbd_runtime_t symlinks in
systemd_stream_connect_userdb().
Kenton Groombridge (174):
userdomain: add user exec domain attribute and interface
systemd: assign user exec attribute to systemd --user instances
systemd: add interface to support monitoring and output capturing of child
processes
wm: add user exec domain attribute to wm domains
ssh: add interface to execute and transition to ssh client
userdomain: add interface to allow mapping all user home content
git, roles: add policy for git client
apache, roles: use user exec domain attribute
screen, roles: use user exec domain attribute
git, roles: use user exec domain attribute
postgresql, roles: use user exec domain attribute
ssh, roles: use user exec domain attribute
sudo, roles: use user exec domain attribute
syncthing, roles: use user exec domain attribute
xscreensaver, roles: use user exec domain attribute
xserver, roles, various: use user exec domain attribute
authlogin, roles: use user exec domain attribute
bluetooth, roles: use user exec domain attribute
cdrecord, roles: use user exec domain attribute
chromium, roles: use user exec domain attribute
cron, roles: use user exec domain attribute
dirmngr, roles: use user exec domain attribute
evolution, roles: use user exec domain attribute
games, roles: use user exec domain attribute
gnome, roles: use user exec domain attribute
gpg, roles: use user exec domain attribute
irc, roles: use user exec domain attribute
java, roles: use user exec domain attribute
libmtp, roles: use user exec domain attribute
lpd, roles: use user exec domain attribute
mozilla, roles: use user exec domain attribute
mplayer, roles: use user exec domain attribute
mta, roles: use user exec domain attribute
openoffice, roles: use user exec domain attribute
pulseaudio, roles: use user exec domain attribute
pyzor, roles: use user exec domain attribute
razor, roles: use user exec domain attribute
rssh, roles: use user exec domain attribute
spamassassin, roles: use user exec domain attribute
su, roles: use user exec domain attribute
telepathy, roles: use user exec domain attribute
thunderbird, roles: use user exec domain attribute
tvtime, roles: use user exec domain attribute
uml, roles: use user exec domain attribute
userhelper, roles: use user exec domain attribute
vmware, roles: use user exec domain attribute
wireshark, roles: use user exec domain attribute
wm, roles: use user exec domain attribute
hadoop, roles: use user exec domain attribute
shutdown, roles: use user exec domain attribute
cryfs, roles: use user exec domain attribute
wine: use user exec domain attribute
mono: use user exec domain attribute
sudo: add tunable to control user exec domain access
su: add tunable to control user exec domain access
shutdown: add tunable to control user exec domain access
mpd, pulseaudio: split domtrans and client access
mcs: deprecate mcs overrides
mcs: restrict create, relabelto on mcs files
fs: add pseudofs attribute and interfaces
devices: make usbfs pseudofs instead of noxattrfs
git: fix typo in git hook exec access
dovecot, spamassassin: allow dovecot to execute spamc
mta, spamassassin: fixes for rspamd
certbot, various: allow various services to read certbot certs
usbguard, sysadm: misc fixes
ssh: fix for polyinstantiation
sysadm, systemd: fixes for systemd-networkd
asterisk: allow reading generic certs
bind: fixes for unbound
netutils: fix ping
policykit, systemd: allow policykit to watch systemd logins and sessions
spamassassin: fix file contexts for rspamd symlinks
mcs: add additional constraints to databases
mcs: constrain misc IPC objects
mcs: combine single-level object creation constraints
various: deprecate mcs override interfaces
corenet: make netlabel_peer_t mcs constrained
mcs: constrain context contain access
mcs: only constrain mcs_constrained_type for db accesses
guest, xguest: remove apache role access
wine: fix roleattribute statement
testing: accept '@' as a valid ending character in filecon checker
users: remove MCS categories from default users
various: remove various mcs ranged transitions
kernel: add various supporting interfaces for containers
kernel, rpc, systemd: deprecate kernel_mounton_proc
devices, kernel: deprecate dev_mounton_sysfs
devices: add interfaces to remount sysfs and device filesystems
init: add interface to run init bpf programs
systemd: add interface to dbus chat with systemd-machined
userdom: add interfaces to relabel generic user home content
init: add interface to setsched on init
init: allow systemd to renice all other domains
sysnetwork: add interfaces for /run/netns
container, virt: move svirt lxc domains to new container module
container: svirt_lxc_net_t is now container_t
container: fixup rules
container: add interface to identify container mountpoints
various: make various types a mountpoint for containers
container: add base attributes for containers and container engines
container: initial support for container engines
container, gpg, userdom: allow container engines to execute gpg
container: allow containers to use container ptys
container, mount: allow mount to getattr on container fs
various: various userns capability permissions
container: allow containers the chroot capability
container: allow containers various userns capabilities
container: allow containers to watch all container files
container, podman: initial support for podman
filesystem: add supporting FUSEFS interfaces
dbus: add supporting interfaces and rules for rootless podman
systemd: add private type for systemd user manager units
container: add role access templates
container, podman, systemd: initial support for rootless podman
container: add required admin rules
sysadm: allow container admin access
container: call podman access in container access
staff, unconfined: allow container user access
container: add policy for privileged containers
container: allow containers to read read-only container files
container: add tunable for containers to manage cgroups
container: add tunables for containers to use nfs and cifs
container: add tunable to allow engines to mounton non security
container, iptables: dontaudit iptables rw on /ptmx
xdg: add interface to search xdg data directories
container, podman: add policy for conmon
kernel: add filetrans interface for unlabeled dirs
container, docker: add initial support for docker
container: call docker access in container access
userdomain: add type for user bin files
systemd: allow systemd user managers to execute user bin files
systemd: use stream socket perms in systemd_user_app_status
systemd: add supporting interfaces for user daemons
rootlesskit: new policy module
container, docker, rootlesskit: add support for rootless docker
docker: call rootlesskit access in docker access
container: drop old commented rules
lxc_contexts: add ro_file and sandbox_lxc_process contexts
container: allow containers to getsession
docker: make rootlesskit optional
docker: add missing call to init_daemon_domain()
podman: add explicit range transition for conmon
init: split access for systemd runtime units
dbus: fixes for dbus-broker
dbus, policykit: add tunables for dbus-broker access
docker, podman: container units now have the runtime unit type
init: allow systemd to nnp_transition and nosuid_transition to daemon
domains
files, init: allow init to remount filesystems mounted on /boot
sudo: fixes for polyinstantiation
locallogin: fix for polyinstantiation
authlogin: dontaudit getcap chkpwd
systemd: various fixes
systemd: add support for systemd-resolved stubs
getty, locallogin: cgroup fixes
unconfined: fixes for bluetooth dbus chat and systemd
udev: allow udev to start the systemd system object
networkmanager: allow getting systemd system status
container, podman: allow podman to create and write config files
podman: allow system podman to interact with container transient units
podman: fix role associations
container, podman: allow containers to interact with conmon
podman: add rules for systemd container units
container, init: allow init to remount container filesystems
container: allow generic containers to read the vm_overcommit sysctl
container: add tunables to allow containers to access public content
container: add missing capabilities
container: also allow containers to watch public content
podman: allow podman to watch journal dirs
sysadm: allow sysadm to watch journal directories
git: add missing file contexts
udica-templates: initial commit of udica templates
makefile: add install target for udica templates
github: test install of udica templates
Laurent Bigonville (2):
docker: On debian dockerd and docker-proxy are in /usr/sbin
container: On Debian, runc is installed in /usr/sbin
Pedro (1):
File context for nginx cache files
Russell Coker (8):
remove aliases from 20210203
dontaudit net_admin without hide_broken_symptoms
puppet V3
matrixd-synapse policy V3
mailman3 V3
certbot V3
init dbus patch for GetDynamicUsers with systemd_use_nss() V2
new sddm V2
Vit Mojzis (1):
Improve error message on duplicate definition of interface
Yi Zhao (24):
rpc: remove obsolete comment line
secadm: allow secadm to read selinux policy
rpcbind: allow sysadm to run rpcinfo
samba: allow smbd_t to send and receive messages from avahi over dbus
rpc: add dac_read_search capability for rpcd_t
bluetooth: fixes for bluetoothd
avahi: allow avahi_t to watch /etc/avahi directory
udev: allow udev_t to watch udev_rules_t dir
rpc: allow rpc.mountd to list/watch NFS server directory
usermanage: do not audit attempts to getattr of proc for passwd_t and
useradd_t
selinuxutil: allow setfiles_t to read kernel sysctl
rngd: fixes for rngd
dbus: allow dbus-daemon to map SELinux status page
bind: fixes for bind
passwd: allow passwd to map SELinux status page
ipsec: fixes for strongswan
samba: fixes for smbd/nmbd
ntp: allow ntpd to set rlimit_memlock
ssh: do not audit attempts by ssh-keygen to read proc
acpid: allow acpid to watch the directories in /dev
bluetooth: allow bluetoothd to create alg_socket
systemd: allow systemd-hostnamed to read udev runtime files
su: allow su to map SELinux status page
modutils: allow kmod_t to write keys
* Wed Sep 08 2021 Chris PeBenito <pebenito@ieee.org> - 2.20210908
Andreas Freimuth (2):
Prefer user_fonts_config_t over xdg_config_t
Set user_fonts_config_t for conf.d
Chris PeBenito (76):
rpc: Move lines.
selinux: Add a secure_mode_setbool Boolean.
Remove additional unused modules
Rules.modular/Rules.monolithic: Fix intdented labeling statement moves.
selinux: Change generic Boolean type to boolean_t.
selinux: Set regular file for labeled Booleans genfscons.
selinux: Add dontaudits when secure mode Booleans are enabled.
kernel: Add dontaudits when secure_mode_insmod is enabled.
authlogin: Add tunable for allowing shadow access on non-PAM systems.
authlogin: Remove redundant rule in auth_domtrans_chk_passwd().
Create stale.yml
stale.yml: Fix labels with spaces.
authlogin: Deprecate auth_domtrans_chk_passwd().
init: Add support for systemd StandardInputText.
.gitignore: Ignore vscode data dir.
.gitignore: Remove duplicate lines.
Revert "systemd.if minor fix"
systemd: Drop second parameter in systemd_tmpfilesd_managed().
staff, sysadm, unprivuser: Move lines.
xserver: Move fc lines.
radvd: Whitespace fix.
virt: Move lines.
Bump module versions for release.
Christian Göttsche (1):
Use correct interface or template declaration
Dave Sugar (2):
systemd.if minor fix
Resolve when building monolithic on RHEL7
Fabrice Fontaine (5):
policy/modules/services/minidlna.te: make xdg optional
policy/modules/services/ftp.te: make ssh optional
policy/modules/services/cvs.te: make inetd optional
policy/modules/services/ifplugd.te: make netutils optional
policy/modules/apps/wireshark.te: make xdg optional
Jonathan Davies (13):
staff.te: Allow staff access to the virt stream, needed for when the
sockets are access remotely over SSH.
logging.if: Added interfaces for watching all and audit logs.
roles: Added log watching permissions to secadm and sysadm.
irc.te: Allow irc_t access to unix_dgram_socket sendto to allow clients to
connect to a SOCKS proxy.
screen.if: Added interface to allow executing sock file.
irc.te: Allowed client access to screen runtime sock file.
dmesg.te: Added files_read_etc_files() as some distros store terminfo
files in /etc/.
devices.fc: Added missing Xen character files.
sysadm.te: Allow sysadm_t to read/write Xen character devices so userspace
tooling works.
sysnetwork: dhcpc_t: Added corenet_sendrecv_icmp_packets()
radvd.te: Added corenet_sendrecv_icmp_packets().
dhcp.te: Added corenet_sendrecv_icmp_packets().
virt: Defined a virt_common_runtime_t type for the new common/system.token
file and added permissions to virtd_t and virtlogd_t.
Kenton Groombridge (36):
dovecot, postfix: add missing accesses
various: systemd user fixes and additional support
systemd, fail2ban: allow fail2ban to watch journal
fail2ban: allow reading vm overcommit sysctl
usbguard: various fixes
redis: allow reading certs
rngd: allow reading sysfs
getty: various fixes
modutils: allow kmod to read src_t symlinks
devices, userdomain: dontaudit userdomain setattr on null device nodes
spamassassin: allow rspamd to read network sysctls
redis: allow reading net and vm overcommit sysctls
devices, userdomain: dontaudit userdomain setattr on null device nodes
files, init, systemd: various fixes
ssh: allow ssh_keygen_t to read localization
devicekit: allow devicekit_disk_t to setsched
udev: various fixes
init: modify interface to allow reading all pipes
iptables: allow reading initrc pipes
wireguard: allow running iptables
bootloader, filesystem: various fixes for grub
mount: allow getattr on dos filesystems
init, mount: allow systemd to watch utab
init, systemd: allow logind to watch utmp
logging: allow auditd to use nsswitch
logging: allow auditd to getattr on audisp-remote binary
systemd: allow systemd-resolved to manage its own sock files
systemd: add policy for systemd-sysctl
init, udev: various fixes for systemd
udev: allow systemd-vconsole-setup to sys_tty_config
various: several dontaudits
sysadm, systemd: various fixes
authlogin: add new type for pwd.lock and others
init: allow systemd to rw shadow lock files
filesystem, init: allow systemd to create pstore dirs
bootloader, devices: dontaudit grub writing on legacy efi variables
Krzysztof Nowicki (15):
Fix interface naming convention (plural predicates)
Allow systemd to relabel startup-important directories
Allow execution of shell-scripted systemd generators
Also grant directory permissions in sysnet_manage_config
Allow use of systemd UNIX sockets created at initrd execution
Fix systemd-journal-flush service
Allow systemd-tmpfilesd populating of /var/lib/dbus
When using systemd_tmpfilesd_managed also grant directory permissions
Enable factory directory support in systemd-tmpfilesd
Allow systemd-tmpfilesd to relabel generic files inside /etc
Allow systemd-tmpfilesd to set attributes of /var/lock
Mark lvm_lock_t as systemd_tmpfilesd-managed
Allow systemd-tmpfilesd handle faillog directory
Fix setting-up sandbox environment for systemd-networkd
Allow systemd-tmpfilesd to access nsswitch information
Markus Linnala (13):
policy: init: there is no enabled_mls, it is enable_mls
policy: files: files_spool_filetrans: doc: change param from file to
file_type
policy devices: dev_filetrans: doc: change param from file to file_type
policy gnome: gnome_dbus_chat_gconfd: doc: does not have 1st param of
role_prefix
policy chromium: chromium_tmp_filetrans: doc: add missing 2nd param
documentation
policy gpg: doc: add documents for all *filterans parameters
policy seunshare: seunshare_role: parameters usage partially mixed
policy kismet: kismer_role: parameter order mixed in kismet_run
policy: interfaces: doc: indent param blocks consistently
policy avahi: avahi_filetrans_pid: doc: add missing params
policy: xserver: xserver_dbus_chat: fix require
policy:ssh: ssh_server_template: fix require
policy: files: files_get_etc_unit_status/files_{start,stop}_etc_service:
fix require
Russell Coker (1):
blkmapd
Xiongwei Song (1):
Add ubifs to filesystem policy
Yi Zhao (1):
roles: move dbus_role_template to userdom_common_user_template
* Wed Feb 03 2021 Chris PeBenito <pebenito@ieee.org> - 2.20210203
(GalaxyMaster) (1):
added policy for systemd-socket-proxyd
0xC0ncord (1):
userdomain, xserver: move xdg rules to userdom_xdg_user_template
Anthony PERARD (1):
xen: Allow xenstored to map /proc/xen/xsd_kva
Antoine Tenart (15):
udev: allow udevadm to retrieve xattrs
locallogin: allow login to get attributes of procfs
logging: allow systemd-journal to write messages to the audit socket
sysnetwork: allow to read network configuration files
dbus: add two interfaces to allow reading from directories and named
sockets
dbus: allow clients to list runtime dirs and named sockets
systemd: add extra systemd_generator_t rules
systemd: allow systemd-hwdb to search init runtime directories
systemd: allow systemd-network to get attributes of fs
systemd: allow systemd-resolve to read in tmpfs
corecommands: add entry for Busybox shell
systemd: allow systemd-getty-generator to read and write unallocated ttys
systemd: allow systemd-network to list the runtime directory
ntp: allow systemd-timesyn to watch dbus objects
ntp: allow systemd-timesyn to setfscreate
Chris PeBenito (117):
Merge branch 'acpid_shutdown' of https://github.com/jpds/refpolicy into
jpds-acpid_shutdown
.travis.yml: Point selint at only the policy dir.
corecommands, dbus, locallogin, logging, sysnetwork, systemd, udev: Module
version bump.
systemd: Move systemd-pstore block up in alphabetical order.
Switch to GitHub actions for CI actions.
systemd: Whitespace changes.
systemd: Rename systemd_connectto_socket_proxyd_unix_sockets() to
systemd_stream_connect_socket_proxyd().
Drop criteria on github actions.
userdomain: Fix error in calling userdom_xdg_user_template().
systemd: Add systemd-tty-ask watch for /run/systemd/ask-password.
Makefile: Add -E to setfiles labeling targets.
udev: Drop udev_tbl_t.
udev: Systemd 246 merged udev and udevadm executables.
devicekit: Udisks uses udevadm, it does not exec udev.
Remove modules for programs that are deprecated or no longer supported.
chromium: Whitespace changes.
chromium: Move naclhelper lines.
certbot: Whitespace changes.
certbot: Drop aliases since they have never had the old names in
refpolicy.
certbot: Reorder fc lines.
miscfiles: Rename miscfiles_manage_generic_tls_privkey_lnk_files.
userdomain: Move lines.
certbot: Fix lint issues.
memlockd: Move lines.
memlockd: Whitespace fixes.
memlockd: Fix lint issue.
file_patterns.spt: Add a mmap_manage_files_pattern().
apache, mysql, postgrey, samba, squid: Apply new
mmap_manage_files_pattern().
devicekit, jabber, samba: Move lines.
cron: Make backup call for system_cronjob_t optional.
samba: Fix samba_runtime_t alias use.
samba: Move service interface definitions.
sysnetwork: Merge dhcpc_manage_samba tunable block with existing samba
block.
samba: Add missing userspace class requirements in unit interfaces.
apache: Fix lint error.
apache: Really fix lint error.
aptcacher: Drop broken config interfaces.
samba: Fix lint error.
0xC0ncord/feature/sudodomain_http_connect_boolean
0xC0ncord/bugfix/systemd_system_custom_unit_fc
dpkg, aptcatcher, milter, mysql, systemd: Rename interfaces.
apt, bootloader: Move lines.
systemd: Move lines.
systemd: Fix lint errors.
systemd: Rename systemd_use_machined_devpts().
Bump module versions for release.
Christian Göttsche (16):
postfixpolicyd: split multi-class rule
init/systemd: allow systemd to map the SELinux status page
selinux: add selinux_use_status_page and deprecate
selinux_map_security_files
genhomedircon: drop backwards compatibility section
genhomedircon: require match for home directory name
genhomedircon: drop unused functions
genhomedircon: generate file contexts for %{USERNAME} and %{USERID}
genhomedircon: misc pylint cleanup
genhomedircon: improve error messages for min uid search
Rules.monolithic: ignore version mismatch
gitignore: ignore monolithic generated files
Preset OUTPUT_POLICY to 32
Rules.monolithic: do not suppress load_policy warning messages
Rules.monolithic: tweak checkpolicy arguments
Rules.monolithic: drop dead variable
Rules.monolithic: add missing phony declarations
Daniel Burgener (4):
Allow init to mount over the system bus
Allow systemd-ask-password to watch files
Use self keyword when an AV rule source type matches destination
Fix typo in comment
Dannick Pomerleau (1):
access_vectors: Add new capabilities to cap2
Dave Sugar (9):
Looks like this got dropped in pull request #294
Allow snmpd to read hwdata
Updates for corosync to work in enforcing
To get pacemaker working in enforcing
pacemaker systemd permissions
Allow pacemaker to map/read/write corosync shared memory files
Allow systemd-modules-load to search kernel keys
pcs_snmpd_agent_t fix denials to allow it to read needed queues
Work with xdg module disabled
David Schadlich (1):
add policy for pcs_snmp_agent
Deepak Rawat (1):
Add selinux-policy for systemd-pstore service
Dominick Grift (1):
bind: add a few fc specs for unbound
Guido Trentalancia (1):
Add LVM module permissions needed to open cryptsetup devices.
Jason Zaman (5):
userdomain: Add watch on home dirs
getty: allow watching file /run/agetty.reload
Add transition on gentoo init_t to openrc
init: upstream fcontexts from gentoo policy
systemd: make remaining dbus_* optional
Jonathan Davies (8):
acpi.te: Allow acpid_t to shutdown the system - this is required to handle
shutdown calls from libvirt. Fixes #298.
acpi.te: Removed unnecessary init_write_initctl().
userdomain.if: Marked usbguard user modify tunable as optional so usbguard
may be excluded.
portage: Added /var/cache/distfiles path.
init: Added fcontext for openrc-init.
init: Added fcontext for openrc-shutdown.
apps/screen.fc: Added fcontext for tmux xdg directory.
apps/screen.te: Allow screen to search xdg directories.
Kenton Groombridge (11):
devices: add interface for IOCTL on input devices
virt: add boolean to allow evdev passthrough
stunnel: add log type and rules
fail2ban: allow reading systemd journal
spamassassin: add rspamd support and tunable
apache: add interface for list dir perms on httpd content
sudo: add tunable for HTTP connections
init: label systemd units in /etc
certbot: add support for acme.sh
lvm: add lvm_tmpfs_t type and rules
Various fixes
Peter Morrow (1):
selinux: add selinux_get_all_booleans() interface
Richard Haines (1):
Ensure correct monolithic binary policy is loaded
Russell Coker (11):
base chrome/chromium patch fixed
latest iteration of certbot policy as patch
yet more strict patches fixed
remove deprecated from 20190201
more Chrome stuff
latest memlockd patch
misc services patches with changes Dominick and Chris wanted
misc network patches with Dominick's changes*2
new version of filetrans patch
misc apps and admin patches
machined
Yi Zhao (1):
sysnet: allow dhcpcd to create socket file
bauen1 (4):
systemd: private type for /run/systemd/userdb
authlogin: connect to userdb
systemd-logind: utilize nsswitch
selint: fix S-010
* Tue Aug 18 2020 Chris PeBenito <pebenito@ieee.org> - 2.20200818
Alexander Miroshnichenko (2):
openvpn: more versatile file context regex for ipp.txt
openvpn: update file context regex for ipp.txt
Chris PeBenito (153):
Makefile: Warn if policy.xml xmllint check does not run.
networkmanager: Fix interface commenting.
Makefile: Remove shell brace expansion in ctags target.
dbus: Rename tunable to dbus_pass_tuntap_fd.
spamassassin: Move systemd interfaces.
spamassassin: Rename systemd interfaces.
spamassassin: Add missing class requires in systemd interfaces.
spamassassin: Remove unnecessary brackets in type alias.
pulseaudio: Drop call to nonexistant interface.
genhomedircon: Drop Python 2 compatibility code.
systemd: Merge generator domains.
.travis.yml: Add CI tests with no unconfined.
Rename "pid" interfaces to "runtime" interfaces.
Update callers for "pid" to "runtime" interface rename.
Move user definitions to the right place during compilation.
Makefile: Give a value to build options so they can be used in ifelse.
init: Revise init_startstop_service() build option blocks.
kernel: Drop unlabeled_t as a files_mountpoint().
selinuxuntil, userdomain: Restore relabelfrom access for unlabeled files.
files: Restore mounton access to files_mounton_all_mountpoints().
filesystem: Create a filesystem image concept.
kernel, fstools, lvm, mount: Update to use filesystem image interfaces.
Bump module versions for release.
Christian Göttsche (29):
Rules: allow the usage of class sets in context_defaults
Correct estimate kernel version for polcap genfs_seclabel_symlinks
Makefile: generate temporary documentation files in separate directory
Ignore temporary documentation file directory in git
Override old all_interfaces.conf.tmp file
samba: fix wrong interface context smbd_runtime_t
chromium: drop dead conditional block
example: use module name matching file name
consolesetup: drop unused requires
unconfined: clarify unconfined_t stub usage in unconfined_domain_noaudit()
portage: drop bizarre conditional TODO blocks
init/systemd: move systemd_manage_all_units to init_manage_all_units
tpm2: small fixes
files/logging: move var_run_t filecontext to defining module
files/miscfiles: move usr_t filecontext to defining module
chromium/libraries: move lib_t filecontext to defining module
apache: use correct content types in apache_manage_all_user_content()
can_exec(): move from misc_macros to misc_patterns
Makefile: remove obsolete .SUFFIXES
Makefile: add target build-interface-db
devices/storage: quote arguments to tunable_policy
apache: quote gen_tunable name argument
Correct some misspellings
Fix several misspellings
whitespace cleanup
travis-ci: add SELint
work on SELint issues
files/modutils: unify modules_object_t usage into files module
travis: resolve Linter tags
Daniel Burgener (10):
Add dnl to end of interface declaration. This reduces the number of blank
lines in intermediate files and matches the way templates are defined.
Allow systemd-coredump to stat mountpoints.
Change incorrect template definitions into interface definitions
Add divert to generated_definitions creation, and fix all_interfaces.conf
divert creation.
Fix mismatches between object class and permission macro.
Switch pipe reading on domtrans to inherited only
Simplify collection of ssh rules to domtrans_pattern macro
Fix a few places where command line applications were only granted one of
tty or pty permissions and could be used from either
Remove the second copy of a permission in instances where the exact same
permission is repeated twice in a row
Remove out of date "hack" from stunnel. The underlying problem needing a
require was fixed back in 2011, so using corenet_tcp_bind_stunnel_port
would be an option now, but stunnel_t already has
corenet_tcp_bind_all_ports, so this access is redundant.
Dave Sugar (8):
Add interface to read/write /dev/ipmi
Update labeling in /dev/
Setup generic generator attribute and change generator types.
fix require from 5b78c1c86bedf322fa6a08e5d68e7e8a6b85f026
Setup domain for tpm2_* binaries
Interfaces needed to support IMA/EVM keys
Resolve neverallow failure introduced in #273
Interfaces for tpm2
David Sommerseth (1):
dbus: Add tunable - dbus_can_pass_tuntap_fd
Florian Schmidt (1):
corenetwork: fix winshadow port number
Guido Trentalancia (5):
This patch improves a previous commit by restricting down the permissions
to write the wireless device in order to prevent a possible Denial of
Service (DoS) attack from an unprivileged process bringing down the
wireless interfaces.
mozilla: add watch perms
wm: add watch perms
getty: add watch perms
userdomain: add watch perms
Laurent Bigonville (5):
Add an interface to allow the specified domain to mmap the general network
configuration files
Add policy for apt-cacher-ng
Add policy for acngtool
Label bluetooth daemon as bluetooth_exec_t
Label /usr/libexec/packagekitd as apt_exec_t on debian
McSim85 (1):
add rule for the management socket file fixed comments from @bauen1
Nicolas Iooss (5):
Vagrantfile: remove older installed modules before "make install"
systemd: make systemd --user run generators without transition
systemd: allow sd-executor to manage its memfd files
devices: label /dev/sysdig0
sysnetwork: allow using "ip netns"
Russell Coker (2):
pulseaudio patch
latest ver of trivial mail server patch
Topi Miettinen (13):
Make raw memory access tunable
Add usbguard
Don't allow creating regular files in /dev
Python string fix
gennetfilter: generate nft tables with --nft
gennetfilter: handle port ranges
Allow systemd-networkd to handle ICMP and DHCP packets
gennetfilter: add rules for ICMP/ICMPv6 packets
wm: add KWin
Build and install Netfilter rules
bootloader: add rEFInd and systemd-boot
netutils: allow ping to send and receive ICMP packets
Remove unlabeled packet access
Vilgot (1):
Portage update
Vilgot Fredenberg (1):
Remove old exception
Yi Zhao (2):
Remove duplicated rules
xserver: allow xserver_t to connect to resmgrd
bauen1 (59):
logging: allow syslogd to remove stale socket file
systemd-user-runtime-dir: add required permissions
mozilla: allow firefox to use user namespaces for sandboxing
modutils: allow init to execute kmod with nnp
fix unescaped dot introduced by 47b44a0fc720cecf6df576e274f610514203a5da
allow init_t access to own keyring
allow init_t to link kernel_t key
allow normal users to use 'systemd-run'
ssh: fix for debian wrapper script
bird: fixes for bird 2.0
apache: add nginx to policy
ntpd: fixes for systemd-timesyncd after linux 5.4
define lockdown class and access
dirmngr: allow to probe for tor
dirmngr: also requires access to /dev/urandom
dirmngr: ~/.gnupg/crls.d might not exist
application: applications can be executed from ssh without pty
systemd: allow regular users to run systemd-analyze
quota: allow quota to modify /aquota even if immutable
init: read default context during boot
lvm: create /etc/lvm/archive if it doesn't exist
corecommands: fix atrild label
systemd-fstab-generator needs to know about all mountpoints
semanage: create directories for new policies
dnsmasq: watch for new dns resolvers
init: allow systemd to setup mount namespaces
init: make initrc_t a init_domain to simplify the policy
init: allow systemd to activate journald-audit.socket
setrans: allow label translation for all domains.
files: add files_watch_etc_symlinks interface
init: watch /etc/localtime even if it's a symlink
corecommands: proper label for unattended-upgrades helpers
filesystem: pathcon for matching tracefs mount
lvm-activation-generator also needs to execute lvm
systemd: allow systemd-user-runtime-dir to do its job
init: fix init_manage_pid_symlinks to grant more than just create
permissions
init: replace call to init_domtrans_script
systemd-sysusers: add policy
allow most common permissions for systemd sandboxing options
terminal: cleanup term_create interfaces
logrotate.service sandbox required permissions
udev.service sandbox required permissions
systemd-timesyncd.service sandbox requried permissions
systemd-logind.service sandbox required permissions
init: fix systemd boot
postfix: add filetrans for sendmail and postfix for aliases db operations
systemd: fixed systemd_rfkill_t denial spam
thunderbird: label files under /tmp
init: systemd will run chkpwd to start user@1000
authlogin: unix_chkpwd is linked to libselinux
systemd: maintain /memfd:systemd-state
dpkg: allow dpkg frontends to acquire lock by labeling it correctly
systemd: systemd --user add essential permissions
dpkg: dpkg scripts are part of dpkg and therefor also an application
domain
gpg: don't allow gpg-agent to read /proc/kcore
corecommands: correct label for debian ssh-agent helper script
systemd: systemd-tempfiles will relabel tmpfs if mounted over e.g. /tmp
Remove the ada module, it is unecessary and not touched since ~2008
dpkg: domaintrans to sysusers if necessary
* Sat Feb 29 2020 Chris PeBenito <pebenito@ieee.org> - 2.20200229
Alexander Miroshnichenko (1):
Add knot module
Chris PeBenito (174):
knot: Whitespace changes.
knot: Move lines.
devices, storage: Add fc entries for mtd char devices and ndctl devices.
devices: Add types for trusted execution environment interfaces.
ulogd: Rename ulogd_var_run_t to ulogd_runtime_t.
INSTALL: Fix build requirements.
fishilico/systemd-read-netlink_kobject_uevent_socket
Rename *_var_run_t types to *_runtime_t.
Reorder declarations based on *_runtime_t renaming.
Remove old aliases.
fishilico/filesystem-fs_rw_cgroup_files-follow-symlink
fc_sort.py: Use "==" for comparing integers.
xserver: Remove duplicate colord rule.
xserver: Move XDM dbus chats under main dbus optional.
Move open, audit_access, and execmod to file common.
Add file and filesystem watch access vectors.
Fix file common ordering and kernel version from previous commit.
init: Whitespace change.
unconfined: Add namespaced capabilities.
unconfined: Fix systemd --user rule.
Remove incorrect usages of "is" operator from Python scripts.
logging: Reorder lines.
systemd: Logind removes /run/user/* user temp files.
unconfined: Add watch permission for files.
systemd: Add filesystem watches.
dbus: Add directory watches.
udev: Watch devices.
init: Revise systemd bind mounts.
Add perf_event access vectors.
systemd: Whitespace fix.
logging: Whitespace fix.
Bump module versions for release.
Christian Göttsche (6):
fix Makefile for policy-module directories with same ending
segenxml.py: fix format usage in warning message
travis: force the use of python3.5
travis: run check_fc_files linter with python 3.7
re-implement fc_sort in python
Add genfs_seclabel_symlinks policy capability
Daniel Burgener (4):
Add requires to interfaces that reference types or attributes without
requiring them
Remove uneeded types from interfaces where types were added
Fix situations where require blocks in interfaces listed types not
actually referenced by that interface
Remove unneeded semicolons after interface and macro calls
Dominick Grift (2):
domain: unconfined access to bpf
Remove shell automatic domain transitions to unconfined_t from various pam
login programs
Guido Trentalancia (4):
Update the pulseaudio application module with a few user domain file read
and management permissions.
Allow userdomain to read and write the wireless devices (for example for
querying their state, enabling and/or disabling them using userspace
tools such as "rfkill" from util-linux).
Add an interface to allow watch permission on generic device directories.
Allow pulseaudio to watch generic device directories.
Jason Zaman (16):
udev: Allow udevadm access to udev_tbl_t
xserver: ICEauthority can be in /run/user
devicekit: udisks needs access to /run/mount/utab.lock
dirmngr: accept unix stream socket
chromium: allow dbus chat to inhibit power
virt: Add unix socket for virtlogd/virtlockd
virt: allow lvm_control access
fstools: add zfs-auto-snapshot
udev: Add watch perms
accountsd: Add watch perms
cron: watch cron spool
colord: add watch perms
policykit devicekit: Add watch perms
dbus: add watch perms
chromium: watch etc dirs
gpg: add watch perms for agent
Laurent Bigonville (9):
Makefile: Avoid regenerating the iftemplates at everyrun
Allow systemd_modules_load_t to module_request and map modules_object_t
files
Allow udevadm to read files in /run/udev/data
Allow udevadm_t to use dac_read_search capability
Allow the systemd dbus-daemon to talk to systemd
Allow geoclue to log in syslog
Allow realmd_t to read localization files
Allow alsa_t to create alsa_runtime_t file as well
Allow alsa_t to set scheduling priority and send signal to itself
Luca Boccassi (2):
journald: allow to remove /run/log/journal
logging: add interface to start/stop syslog units
Nicolas Iooss (75):
ulogd: add Debian's log directory
ulogd: allow creating a netlink-netfilter socket
ulogd: allow starting on a Debian system
entropyd: label the unit file of haveged
entropyd: allow haveged to create a Unix socket to received commands
ulogd: fix pattern for /run/ulog directory
monit: use s0 instead of s9
java: reduce the scope of the pattern in for java entry points
libraries: match a digit in Adobe Reader directories
drbd: fix pattern for /usr/lib/ocf/resource.d/linbit/drbd
rpcbind: remove redundant file context for /run/rpc.statd.pid
files: reduce the scope of the pattern matching /usr/include
Remove unescaped single dot from the policy
Fix use of buggy pattern (.*)?
libraries: drop a pattern specific to Python 2.4
systemd: introduce an interface for services using PrivateDevices=yes
Vagrantfile: upgrade VM to Fedora 30
Allow Debian to generate a dynamic motd when users log in
entropyd: haveged service uses PrivateDevices=yes
Check the .fc files for common typos
corecommands: no longer use \d
libraries: fix some misspellings in patterns
java: remove unnecessary parentheses in pattern
cups: add a slash to match /opt/brother/Printers/
Vagrantfile: build and install refpolicy on Fedora VM
Vagrantfile: add a Debian virtual machine
ntp: allow systemd-timesyncd to read network status
cups: use ([^/]+/)? to match a subdirectory of CUPS configuration
portage: really make consoletype module optional
Label programs in /usr/bin like /usr/sbin
apt: allow transition from apt_t to dpkg_t with NNP
apt: allow preventing shutdown by calling a systemd-logind D-Bus method
authlogin: label utempter correctly on Debian
irc: add WeeChat policy
systemd: allow systemd --user to receive messages from
netlink_kobject_uevent_socket
Add a policy module for WireGuard VPN
modutils: allow depmod to read /boot/System.map
modutils: allow depmod and modprobe to use the I/O provided by apt
systemd: allow systemd-modules-load.service to read sysfs
sudo: allow using use_pty flag
Allow using /([^/]+/)? and (/[^/]+)?/ in patterns
ulogd: adjust policy for Debian
bitlbee: allow using GetDynamicUser on Debian
chromium: remove distro-specific ifdef
systemd-networkd: allow creating a generic netlink socket
systemd-networkd: allow communicating with hostnamed
sudo: allow transmitting SIGWINCH to its child
sudo: allow using CAP_KILL for SIGWINCH
systemd: allow detecting Windows Subsystem for Linux
systemd: allow more accesses to systemd --user
systemd: remove unnecessary init_write_runtime_socket()
.travis.yml: update distro to Ubuntu 18.04 LTS (Bionic Beaver)
filesystem: allow following symlinks with fs_rw_cgroup_files()
systemd: allow user environment helpers to communicate with systemd --user
.travis.yml: check the .fc files in CI
systemd: make the kernel spawn systemd-coredump with a context transition
gpg: allow gpg-agent to read crypto.fips_enabled sysctl
testing/check_fc_files: allow @ character in file context patterns
mount: allow callers of mount to search /usr/bin
sysadm: allow using hostnamectl
init: allow systemd to mount over /dev/kmsg and /proc/kmsg
Add policy for CryFS, encfs and gocryptfs
Vagrantfile: fix configuration
Vagrantfile: remove sudo
Vagrantfile: add a specific SELinux policy module
systemd: allow reading options from EFI variable SystemdOptions
virt: allow more accesses to libvirt_leaseshelper
systemd-logind: allow using BootLoaderEntries DBUS property
storage: introduce storage_raw_read_fixed_disk_cond
Vagrantfile: allow unconfined and sysadm SSH login
Vagrant: allow VirtualBox provisionning to use dhclient and ip
Associate role unconfined_r to wine_t
systemd: add an interface to use nss-systemd
usermanage: allow groupadd to lookup dynamic users from systemd
mount: label fusermount3 like fusermount
Peter Morrow (1):
systemd_tmpfiles_t: Allow systemd_tempfiles_t to change permissions in
sysfs
Petr Lautrbach (1):
newrole: allow newrole to use setcap to drop capabilities
Stephen Smalley (4):
access_vectors: Remove unused permissions
access_vectors: Remove entrypoint and execute_no_trans from chr_file
access_vectors: remove flow_in and flow_out permissions from packet class
Rename obsolete netlink_firewall_socket and netlink_ip6fw_socket classes
Sugar, David (13):
grant rpm permission to map rpm_var_lib_t
grant permission for rpm to write to audit log
grant rpm permissions to map locale_t
Allow rpm to map file contexts
Allow rpm scripts to alter systemd services
grant rpm_t permission to map security_t
Module for tpm2
Add missing gen_require for init_t in init_script_domain
resolve syslog imuxsock denial
Add interface to read efivarfs_t directory
Fix indent to match the rest of the file (space -> tab)
Allow systemd to getattr all files
audit daemon can halt system, allow this to happen.
Topi Miettinen (2):
Consider jitterentropy to belong to entropyd family
Consider iwd equivalent to NetworkManager etc.
Vilgot Fredenberg (1):
Remove obsolete gentoo specific rule
bauen1 (16):
fix: sudo can't determine default type for sysadm_r
fix ifupdown2 executable mislabeled as lib_t
added bpf_t filesystem label
netutils: allow mtr to communicate with mtr-packet
kernel/corecommands: fix the label of xfce4 helpers (on debian)
systemd: remove whitespace
init: add interfaces for managing /run/systemd
systemd: add policy for systemd-fstab-generator
udev: remove console-setup
consolesetup: add policy for console-setup
udev: run consolesetup
loadkeys: remove redundant ifdef
init: split init_create_pid_files interface
ntp: watch systemd networkd runtime dirs This is required for correct
function after linux 5.4
systemd-user-runtime-dir: add policy
sysadm: add sysadm_allow_rw_inherited_fifo tunable to allow writing to
fifo_files inherited from domains allowed to change role to sysadm_r.
* Sun Jun 09 2019 Chris PeBenito <pebenito@ieee.org> - 2.20190609
Chris PeBenito (70):
systemd: Module version bump.
Merge branch 'sysadm-dynamic-users' of
git://github.com/fishilico/selinux-refpolicy
sysadm: Module version bump.
Merge branch 'stubby-daemon' of
git://github.com/fishilico/selinux-refpolicy
corenetwork: Module version bump.
systemd: Remove unnecessary brackets.
init, systemd, cdrecord: Module version bump.
logging, miscfiles, authlogin: Module version bump.
Merge branch 'systemd-journald-signull' of
git://github.com/fishilico/selinux-refpolicy
Merge branch 'restorecond-no-read-all' of
git://github.com/fishilico/selinux-refpolicy
logging, selinuxutil: Module version bump.
Merge branch 'systemd-update-done' of
git://github.com/fishilico/selinux-refpolicy
systemd: Module version bump.
aide, clamav: Module version bump.
filesystem, cron, authlogin: Module version bump.
Remove incorrect comment about capability2:mac_admin.
usermanage: Move kernel_dgram_send(passwd_t) to systemd block.
systemd, udev, usermanage: Module version bump.
genhomedircon.py: Fix top-level exception handling.
udev: Whitespace fix.
udev: Move one line and remove a redundant line.
sysadm, udev: Module version bump.
Merge pull request #35 from pebenito/master
systemd: Drop unconfined kernel access for systemd_nspawn.
udev: Drop write by udev to its executable.
init: Remove duplicate setenforce rule for init scripts.
authlogin, dbus, ntp: Module version bump.
ntp, init, lvm: Module version bump.
Merge pull request #37 from pebenito/master
kernel, init, systemd, udev: Module version bump.
init: Revise conditions in init_startstop_service().
Merge pull request #39 from pebenito/revise-init-stopstart
init: Module version bump.
kernel: Module version bump.
Merge pull request #40 from gtrentalancia/master
xserver: Module version bump.
various: Module version bump
apache: Make MTA optional.
systemd: Remove unnecessary names in systemd-update-done filetrans.
Merge pull request #42 from dsugar100/master
kernel, devices, plymouthd, xserver: Module version bump.
storage: Label /dev/mmcblk* character nodes.
devices: Label /dev/tpmrm[0-9].
devices: Add type for GPIO chips, /dev/gpiochip[0-9]
devices: Change netcontrol devices to pmqos.
systemd: Add initial policy for systemd --user.
Merge pull request #43 from pebenito/various-device-labels
Merge pull request #44 from pebenito/http-mta-optional
Merge pull request #45 from pebenito/systemd-update-done-tweak
Merge pull request #46 from pebenito/systemd-user
various: Module version bump.
Merge pull request #47 from dsugar100/master
Merge pull request #48 from bigon/dovecot_lmtp
Merge pull request #49 from bigon/fail2ban_logrotate
dovecot, logrotate: Module version bump.
logrotate: Make MTA optional.
Merge pull request #51 from pebenito/logrotate-optional-mta
Merge pull request #53 from WOnder93/makefile-fix
logrotate: Module version bump.
init: Add systemd block to init_script_domain().
systemd: modules-load updates.
apache: Web content rules simplification.
storage: Add fc entry for /dev/pmem*
devices: Add type for /dev/daxX.Y.
Merge pull request #54 from pebenito/init-script-systemd
Merge pull request #55 from pebenito/modules-load
Merge pull request #56 from pebenito/apache-simplify
Merge pull request #57 from pebenito/pmem-dax
various: Module version bump.
Bump module versions for release.
Dave Sugar (3):
Allow xdm (lightdm) start plymouth
Changes to support plymouth working in enforcing
create interfaces for NetworkManager units
Guido Trentalancia (1):
The Qt library version 5 requires to write xserver_tmp_t files upon
starting up applications (tested on version 5.12.1).
Laurent Bigonville (2):
Add dovecot to listen to LMTP port
Allow logrotate to execute fail2ban-client
Lukas Vrabec (1):
Label /sys/kernel/ns_last_pid as sysctl_kernel_ns_last_pid_t
Nicolas Iooss (6):
sysadm: allow resolving dynamic users
Add policy for stubby DNS resolver
Allow systemd-journald to use kill(pid, 0) on its clients
Allow restorecond to read customizable_types
Remove a broad read-files rule for restorecond
Update systemd-update-done policy
Ondrej Mosnacek (1):
Fix find commands in Makefiles
Sugar, David (26):
Allow systemd-networkd to get IP address from dhcp server
Separate domain for systemd-modules-load
Allow init_t to read net_conf_t
Allow systemd-hostnamed to set the hostname
Add interface to run cdrecord in caller domain
Add interface to get status of rsyslog service
New interface to dontaudit access to cert_t
Fix incorrect type in clamav_enableddisable_clamd interface
Allow freshclam to read sysctl_crypto_t
Add interfaces to run freshclam
Allow AIDE to sendto kernel datagram socket
Allow AIDE to read kernel sysctl_crypto_t
Allow AIDE to mmap files
Add interface to allow relabeling of iso 9660 filesystems.
Update cron use to pam interface
Allow additional map permission when reading hwdb
Resolve denial while changing password
Separate out udevadm into a new domain
Add interface ntp_dbus_chat
Allow ntpd to update chronyd service
Allow ntpd to update timezone symlink
Resolve denial about logging to journal from chkpwd
Resolve denial about logging to journal from dbus
Allow ntpd to read unit files
Denial of cryptsetup reading cracklib database
Add kernel_dgram_send() into logging_send_syslog_msg()
* Fri Feb 01 2019 Chris PeBenito <pebenito@ieee.org> - 2.20190201
Alexander Miroshnichenko (16):
Add signal_perms setpgid setsched permissions to syncthing_t.
Add corecmd_exec_bin permissions to syncthing_t.
Allow syncthing_t to read network state.
Allow syncthing_t to execute ifconfig/iproute2.
Add required permissions for nsd_t to be able running.
Add nsd_admin interface to sysadm.te.
Add map permission to lvm_t on lvm_metadata_t.
Add comment for map on lvm_metadata_t.
Remove syncthing tunable_policy.
Remove unneeded braces from nsd.te.
Add new interface fs_rmw_hugetlbfs_files.
Add map permission for postgresql_t to postgresql_tmp_t files.
Add dovecot_can_connect_db boolean.
fs_mmap_rw_hugetlbfs_files is a more appropriate name for the interface
Add hostapd service module
minor updates redis module to be able to start the app
Chris PeBenito (85):
mozilla, devices, selinux, xserver, init, iptables: Module version bump.
devices: Module version bump.
misc_patterns.spt: Remove unnecessary brackets.
ipsec: Module version bump.
fstools: Module version bump.
corecommands: Module version bump.
xserver: Module version bump.
Merge pull request #1 from bigon/fix-sepolgen-ifgen
Remove unused translate permission in context userspace class.
logrotate: Module version bump.
miscfiles: Module version bump.
Merge pull request #3 from bigon/xdp-socket
obj_perm_sets.spt: Add xdp_socket to socket_class_set.
clamav, ssh, init: Module version bump.
amavis, apache, clamav, exim, mta, udev: Module version bump.
dnsmasq: Whitespace fix in file contexts.
dnsmasq: Reorder lines in file contexts.
Merge branch 'master' of https://github.com/bigon/refpolicy
Merge branch 'resolved' of https://github.com/bigon/refpolicy
Merge branch 'iscsi' of https://github.com/bigon/refpolicy
Various modules: Version bump.
dnsmasq: Module version bump.
Merge branch 'minissdpd' of https://github.com/bigon/refpolicy
cron, minissdpd, ntp, systemd: Module version bump.
dbus, xserver, init, logging, modutils: Module version bump.
Merge branch 'syncthing' of https://github.com/alexminder/refpolicy
syncthing: Whitespace change
Merge branch 'lvm' of https://github.com/alexminder/refpolicy
lvm, syncthing: Module version bump.
sigrok: Remove extra comments.
networkmanager: Add ICMPv6 comment
sysnetwork: Move optional block in sysnet_dns_name_resolve().
sysnetwork: Move lines.
dpkg: Rename dpkg_read_script_tmp_links().
apt, rpm: Remove and move lines to fix fc conflicts.
sudo: Whitespace fix.
many: Module version bumps for changes from Russell Coker.
systemd: Rename systemd_list_netif() to systemd_list_networkd_runtime().
init: Remove inadvertent merge.
Merge branch 'nsd' of https://github.com/alexminder/refpolicy
nsd: Merge two rules into one.
Merge branch 'ssh_dac_read_search' of
git://github.com/fishilico/selinux-refpolicy
Merge branch 'restorecond_getattr_cgroupfs' of
git://github.com/fishilico/selinux-refpolicy
Merge branch 'systemd-logind-getutxent' of
git://github.com/fishilico/selinux-refpolicy
various: Module version bump.
iptables: Module version bump.
Add CONTRIBUTING file.
kernel, systemd: Move lines.
kernel, jabber, ntp, init, logging, systemd: Module version bump.
Merge branch 'systemd-journald_units_symlinks' of
git://github.com/fishilico/selinux-refpolicy
init, logging: Module version bump.
Merge branch 'services_single_usr_bin' of
git://github.com/fishilico/selinux-refpolicy
Merge branch 'init_rename_pid_interfaces' of
git://github.com/fishilico/selinux-refpolicy
various: Module name bump.
Merge branch 'systemd-rfkill' of
git://github.com/fishilico/selinux-refpolicy
systemd: Whitespace change
systemd: Module version bump.
Merge branch 'restorecond-symlinks' of
git://github.com/fishilico/selinux-refpolicy
Merge branch 'add_comment' of git://github.com/DefenSec/refpolicy
usermanage, cron, selinuxutil: Module version bump.
logging, sysnetwork, systemd: Module version bump.
Merge branch 'restorecond-dontaudit-symlinks' of
git://github.com/fishilico/selinux-refpolicy
selinuxutil: Module version bump.
Merge branch 'dbus-dynamic-uid' of
git://github.com/fishilico/selinux-refpolicy
xserver: Move line
systemd: Move interface implementation.
various: Module version bump.
dpkg: Rename dpkg_nnp_transition() to dpkg_nnp_domtrans().
dpkg: Move interface implementations.
init: Rename init_read_generic_units_links() to
init_read_generic_units_symlinks().
init: Drop unnecessary userspace class dependence in
init_read_generic_units_symlinks().
chromium: Whitespace fixes.
chromium: Move line.
Merge branch 'dovecot' of git://github.com/alexminder/refpolicy
dovecot: Move lines.
various: Module version bump.
Merge branch 'postgres' of git://github.com/alexminder/refpolicy
filesystem, postgresql: Module version bump.
hostapd: Whitespace change.
hostapd: Move line.
various: Module version bump.
redis: Move line.
redis: Module version bump.
corecommands, staff, unprivuser, ssh, locallogin, systemd: Module version
bump.
Bump module versions for release.
David Sugar (15):
Interface to allow reading of virus signature files.
Update CUSTOM_BUILDOPT
Add interface udev_run_domain
Allow clamd_t to read /proc/sys/crypt/fips_enabled
Interface to add domain allowed to be read by ClamAV for scanning.
Add interfaces to control clamav_unit_t systemd services
Allow clamd to use sent file descriptor
Add interfaces to control ntpd_unit_t systemd services
interface to enable/disable systemd_networkd service
Interface to read cron_system_spool_t
Allow X (xserver_t) to read /proc/sys/crypto/fips_enabled
Allow kmod to read /proc/sys/crypto/fips_enabled
Allow dbus to access /proc/sys/crypto/fips_enabled
Add missing require for 'daemon' attribute.
Allow auditctl_t to read bin_t symlinks.
Dominick Grift (1):
unconfined: add a note about DBUS
Guido Trentalancia (1):
Add sigrok contrib module
Jagannathan Raman (1):
vhost: Add /dev/vhost-scsi device of type vhost_device_t.
Jason Zaman (10):
selinux: compute_access_vector requires creating netlink_selinux_sockets
mozilla: xdg updates
xserver: label .cache/fontconfig as user_fonts_cache_t
Allow map xserver_misc_device_t for nvidia driver
iptables: fcontexts for 1.8.0
devices: introduce dev_dontaudit_read_sysfs
files: introduce files_dontaudit_read_etc_files
kernel: introduce kernel_dontaudit_read_kernel_sysctl
userdomain: introduce userdom_user_home_dir_filetrans_user_cert
Add chromium policy upstreamed from Gentoo
Laurent Bigonville (10):
policy/support/obj_perm_sets.spt: modify indentation of mmap_file_perms to
make sepolgen-ifgen happy
Add xdp_socket security class and access vectors
irqbalance now creates an abstract socket
Allow semanage_t to connect to system D-Bus bus
Allow ntpd_t to read init state
Add systemd_dbus_chat_resolved() interface
Allow sysnet_dns_name_resolve() to use resolved to resolve DNS names
Allow systemd_resolved_t to bind to port 53 and use net_raw
Allow iscsid_t to create a netlink_iscsi_socket
Allow minissdpd_t to create a unix_stream_socket
Luis Ressel (7):
corecommands: Fix /usr/share/apr* fc
xserver: Allow user fonts (and caches) to be mmap()ed.
Add fc for /var/lib/misc/logrotate.status
Realign logrotate.fc, remove an obvious comment
miscfiles: Label /usr/share/texmf*/fonts/ as fonts_t
services/ssh: Don't audit accesses from ssh_t to /dev/random
system/init: Give init_spec_daemon_domain()s the "daemon" attribute
Lukas Vrabec (1):
Improve domain_transition_pattern to allow mmap entrypoint bin file.
Nicolas Iooss (11):
fstools: label e2mmpstatus as fsadm_exec_t
ssh: use dac_read_search instead of dac_override
selinuxutil: allow restorecond to try counting the number of files in
cgroup fs
systemd: allow systemd-logind to use getutxent()
Allow systemd-journald to read systemd unit symlinks
Label service binaries in /usr/bin like /usr/sbin
init: rename *_pid_* interfaces to use "runtime"
systemd: add policy for systemd-rfkill
selinuxutil: allow restorecond to read symlinks
selinuxutil: restorecond is buggy when it dereferencies symlinks
dbus: allow using dynamic UID
Petr Vorel (1):
dnsmasq: Require log files to have .log suffix
Russell Coker (19):
misc services patches
misc interfaces
last misc stuff
systemd related interfaces
systemd misc
missing from previous
cron trivial
mls stuff
logging
some little stuff
trivial system cronjob
another trivial
more tiny stuff
map systemd private dirs
tiny stuff for today
yet more tiny stuff
yet another little patch
chromium
more misc stuff
Sugar, David (9):
Allow greeter to start dbus
pam_faillock creates files in /run/faillock
Add interface to get status of iptables service
Add interface to start/stop iptables service
label journald configuraiton files syslog_conf_t
Interface with systemd_hostnamed over dbus to set hostname
Modify type for /etc/hostname
Add interface clamav_run
Add interface to read journal files
Yuli Khodorkovskiy (1):
ipsec: add missing permissions for pluto
* Sun Jul 01 2018 Chris PeBenito <pebenito@ieee.org> - 2.20180701
Chris PeBenito (28):
Enable cgroup_seclabel and nnp_nosuid_transition.
Misc dbus fixes from Russell Coker.
Simple map patch from Russell Coker.
another trivial dbus patch from Russell Coker.
Merge branch 'xtable-proc' of https://github.com/bigon/refpolicy
iptables: Module version bump.
Update contrib.
.travis.yml: Change to master branch for sctp support.
corenetwork, init: Module version bump.
Module version bumps for patches from James Carter.
Update contrib.
init, logging, sysnetwork, systemd, udev: Module version bump.
sysnetwork: Move lines in sysnet_read_config().
sysnetwork: Module version bump.
init: Module version bump.
Remove deprecated flask.py script.
Switch all remaining Python references to the Python 3 interpreter.
systemd: Move lines.
corecommands: Module version bump.
Makefile: Tweak cli output.
XDG: Module version bump.
Remove refpolicy-contrib submodule.
Re-add policy modules from old refpolicy-contrib submodule.
Move all files out of the old contrib directory.
Changelog.contrib: Add note about refpolicy-contrib removal.
sysnetwork: Module version bump.
xdg, xserver, mplayer, games: Module version bump.
Bump module versions for release.
Christian Göttsche (1):
add definition of bpf class and systemd perms
Dave Sugar (8):
Fix problems booting with fips=1
Interface to read /run/systemd/resolve/resolv.conf
Allow systemd-resolved to read sysctl
Allow systemd_resolved to read systemd_networkd runtime files
Allow systemd-resolved to connect to system dbusd
systemd-resolved uses notify to indicate status
policy for systemd-update-done
policy for systemd-hwdb
James Carter (8):
Removed unnecessary semicolons
Mark unused parameters as unused
Move the use of var_log_t from authlogin.fc to logging.fc
Move the use of initrc_var_run_t from files.fc to init.fc
Move use of systemd_unit_t from systemd.fc to init.fc
Move use of user_devpts_t from terminal.fc to userdomain.fc
Remove undeclared identifiers from interfaces
Remove undeclared identifiers from xserver interface
Jason Zaman (9):
sysnetwork: put systemd_read_resolved_runtime in an ifdef
init: Add filetrans for /run/initctl
corecommands: adjust gcc fcontext to also work on musl
userdom: remove filetrans from userdom_user_content_access_template
xdg: Add map perms, also make lnk_file, dirs consistent
xdg: filetrans should not add filetrans from user_home_dir
xdg: Introduce xdg_search_cache_dirs
xserver: Add mesa_shader_cache for GLSL in ~/.cache/mesa_shader_cache/
apps: rw mesa_shader_cache
Laurent Bigonville (1):
Label /etc/hosts.allow as net_conf_t
Miroslav Grepl (1):
xtables-multi wants to getattr of the proc fs
Richard Haines (1):
refpolicy: Update for kernel sctp support
Sven Vermeulen (7):
Add gentemplates.sh to extract template content
Update segenxml to include support for templated booleans and tunables
Generate template code and update genxml call for documentation generation
freedesktop location support
Allow X server users to manage all xdg resources
helper interfaces to read/manage all user content
tunable-managed user content access template
* Sun Jan 14 2018 Chris PeBenito <pebenito@ieee.org> - 2.20180114
Adam Duskett (1):
fix regex escape sequence error.
Anthony PERARD (1):
Update for Xen 4.7
Chad Hanson (1):
Fix implementation of MLS file relabel attributes
Chris PeBenito (74):
Module version bump for patches from Guido Trentalancia and Anthony
PERARD.
Rules.modular: Fix file context verification.
Remove deprecated interfaces older than one year old.
.travis.yml: Use git tag instead of release tarball for selinux userspace.
kernel: Module version bump for patch from Nicolas Iooss.
Remove complement and wildcard in allow rules.
logging: Move line.
Module version bump for patches from Nicolas Iooss.
Module version bump for fixes from Nicolas Iooss.
Update contrib.
dbus: move comments out of the file context definitions
Update contrib.
systemd, udev: Module version bump.
systemd: Whitespace fix.
Module version bump for patches from Nicolas Iooss.
init: Move fc lines.
init: Module version bump for patch from Dave Sugar.
files: Move files_check_write_pid_dirs interface.
terminal: Rename term_create_devpts.
Several module version bumps.
init: Move init_spec_daemon_domain implementation.
Module version bumps.
init: Rename init_rlimit_inherit to init_inherit_rlimit.
init: Whitespace fix.
Module version bumps.
spamassassin: Fix build error.
init: Fix XML error.
spamassassin: Add missing requirement in spamassassin_admin().
sysadm,fstools: Module version bump.
authlogin, logging, udev: Module version bump.
init: Remove sm-notify.pid fc entry which collides with the rpc module.
corecommands, xserver, systemd, userdomain: Version bumps.
Update contrib.
Update contrib.
corecommands: Module version bump.
init: Module version bump.
Merge pull request #125 from lalozano/master
devices: Module version bump.
Module version bumps.
Merge branch 'master' of git://github.com/davidgraz/refpolicy
ipsec: Module version bump.
Merge branch 'master' of git://github.com/aduskett/refpolicy
init: Clean up line placement in init_systemd blocks.
files: Whitespace fix.
Merge branch 'systemd-networkd'
files, init, sysnetwork, systemd: Module version bumps.
Merge pull request #128 from williamcroberts/fc-sort-fixups
Update contrib.
files, netutils: Module version bump.
miscfiles: Module version bump.
Update contrib.
files, userdomain: Module version bump.
kernel, mls, sysadm, ssh, xserver, authlogin, locallogin, userdomain:
Module version bumps.
Several module version bumps.
Module version bumps.
dmesg, locallogin, modutils: Module version bump.
loadable_module.spt: Add debugging comments for tunable_policy blocks.
networkmanager: Grant access to unlabeled PKeys
filesystem: Rename fs_relabel_cgroup_lnk_files.
corcmd, fs, xserver, init, systemd, userdomain: Module version bump.
xserver, sysnetwork, systemd: Module version bump.
xserver: Module version bump.
init: Module version bump.
Update contrib.
mls, xserver, systemd, userdomain: Module version bump.
storage, userdomain: Module version bump.
Add new mmap permission set and pattern support macros.
Add missing mmap_*_files_pattern macros.
Revise mmap_file_perms deprecation warning message.
Update contrib.
hostname: Module version bump.
Update contrib.
init: Module version bump.
Bump module versions for release.
Christian Göttsche (6):
update travis
rkhunter: add interfaces for var_run and lock dir access check
dphysswapfile: add interfaces and sysadm access
hostname: cmdline usage + signal perms sort
filesystem: add fs_rw_inherited_hugetlbfs_files for apache module
init: add init_rw_inherited_stream_socket
David Graziano (1):
system/ipsec: Add signull access for strongSwan
David Sugar (20):
Strip spaces from NAME
Separate read and write interface for tun_tap_device_t
Label RHEL specific systemd binaries
Label /etc/rsyslog.d as syslog_conf_t
Add init_spec_daemon_domain interface
Add status into init_startstop_service interface
Add int_rlimit_inherit interface
remove interface init_inherit_rlimit
Fix problem labeling /run/log/journal/*
Denial relabeling /run/systemd/private
policy for systemd-networkd
Label /var/lib/lightdm-data
Change label for ~/.xsession-errors
Work around systemd-logind patch not in RHEL 7.x yet
RHEL 7.4 has moved the location of /usr/libexec/sesh to
/usr/libexec/sudo/sesh
Create interfaces to write to inherited xserver log files.
label systemd-shutdown so shutdown works
Make an attribute for objects in /run/user/%{USERID}/*
Make xdm directories created in /run/user/%{USERID}/ xdm_runtime_t
(user_runtime_content_type)
Allow systemd_logind to delete user_runtime_content_type files
David Sugar via refpolicy (2):
label /etc/mcelog/mcelog.setup correctly (for RHEL)
Allow xdm_t to read /proc/sys/crypto/fips_enabled
Guido Trentalancia (4):
userdomain: allow netlink_kobject_uvent_socket creation
xserver: do not audit ioctl operations on log files
fc_sort: memory leakages
base: create a type for SSL private keys
Jason Zaman (8):
Allow sysadm to map all non auth files
userdomain: allow admin to rw tape storage
files: fcontext for /etc/zfs/zpool.cache
mls mcs: Add constraints for key class
Add key interfaces and perms
gssproxy: Allow others to stream connect
userdomain: Allow public content access
storage: Add fcontexts for NVMe disks
Jason Zaman via refpolicy (3):
udev: map module objects to load kernel modules
syslog: allow map persist file
sudo: add fcontext for /run/sudo/ts/USERNAME
Konrad Rzeszutek Wilk (2):
kernel/xen: Update for Xen 4.6
kernel/xen: Add map permission to the dev_rw_xen
Krzysztof Nowicki (2):
Add policy for systemd GPT generator
Allow systemd to relabel cgroupfs legacy symlinks
Laurent Bigonville (2):
Allow domains using sysnet_dns_name_resolve() interface to access NSS
mymachines files
Add private type for systemd logind inhibit files and pipes
Luis A. Lozano (1):
Avoid memory leak warning.
Luis Ressel (15):
modutils: libkmod mmap()s modules.dep and *.ko's
libraries: ldconfig maps its "aux-cache" during cache updates
userdomain: Add various interfaces granting the map permission
files: Create files_map_usr_files interface
selinuxutil: Add map permissions neccessary for semanage
kernel: Add map permission to the dev_{read, write}_sound* interfaces
miscfiles: Allow libfontconfig consumers to map the fonts cache
userdomain: man-db needs to map its 'index.db' cache
logging: Various audit tools (auditctl, ausearch, etc) map their config
and logs
Grant all permissions neccessary for Xorg and basic X clients
libraries: Add fc entry for musl's ld.so config
xserver: Allow xdm_t to map usr_t files
locallogin: Grant local_login_t the dac_read_search capability
dmesg: Grant read access to /usr/share/terminfo
modutils: Dontaudit CAP_SYS_ADMIN checks for modprobe
Luis Ressel via refpolicy (2):
kernel/files.if: files_list_kernel_modules should grant read perms for
symlinks
netutils: Grant netutils_t map perms for the packet_socket class
Nicolas Iooss (9):
Add module_load permission to self when loading modules is allowed
audit: allow reading /etc/localtime
corecommands: label dhcpcd hook scripts bin_t
Add "/usr/(.*/)?bin(/.*)?" pattern back
Allow dhcpcd to use generic netlink and raw IP sockets
corecommands: label Arch Linux pacman's scripts as bin_t
init: allow systemd to create /dev/pts as devpts_t
init: allow systemd to relabel /dev and /run
corecommands: label systemd script directories bin_t
Nicolas Iooss via refpolicy (1):
terminal: /dev/pts exists in /dev filesystem
Russell Coker (4):
systemd nspawn and backlight
udev and dhcpd
minor nspawn, dnsmasq, and mon patches
refpolicy and certs
William Roberts (1):
fc_sort: use calloc instead of malloc
* Sat Aug 05 2017 Chris PeBenito <pebenito@ieee.org> - 2.20170805
Chris PeBenito (134):
Create / to /usr equivalence for bin, sbin, and lib, from Russell Coker.
usrmerge FC fixes from Russell Coker.
Systemd tmpfiles fix for kmod.conf from Russell Coker.
Update contrib.
mon policy from Russell Coker.
Fix contrib commit.
Revert "bootloader: stricter permissions and more tailored file contexts"
Module version bump for bootloader patch revert. Plus compat alias.
Update contrib.
Sort capabilities permissions from Russell Coker.
Update contrib.
Little misc patches from Russell Coker.
Implement WERROR build option to treat warnings as errors.
Fix Travis-CI WERROR support.
Travis-CI: Terminate build immediately on error.
mon: Fix deprecated interface usage.
Merge branch 'setfiles_getattr' of git://github.com/cgzones/refpolicy
Merge branch 'sysadm_fixes' of git://github.com/cgzones/refpolicy
Merge branch 'corecmd_module' of git://github.com/cgzones/refpolicy
Merge branch 'var_and_run' of git://github.com/cgzones/refpolicy
Module version bump for changes from cgzones.
Merge pull request #98 from cgzones/admin_process_pattern
Merge branch 'hostname_module' of git://github.com/cgzones/refpolicy
Module version bump for hostname fix from cgzones.
Only display the WERROR notice if there actually are errors.
Merge branch 'master' of github.com:TresysTechnology/refpolicy
dpkg: Updates from Russell Coker.
Monit policy from Russell Coker and cgzones.
monit: Fix build error.
fetchmail, mysql, tor: Misc fixes from Russell Coker.
Merge branch 'systemd_transient' of git://github.com/cgzones/refpolicy
Merge branch 'selinuxutil_module' of git://github.com/cgzones/refpolicy
Module version bump for selinuxutil and systmd changes from cgzones.
Merge branch 'cgroups_fix' of git://github.com/cgzones/refpolicy
Module version bump for cgroups systemd fix from cgzones.
alsa, vnstat: Updates from cgzones.
Merge branch 'init_ntp_interface' of git://github.com/cgzones/refpolicy
Module version bump for ntp fixes from cgzones.
Systemd fixes from Russell Coker.
Fix CI errors.
Module version bump for CI fixes.
Xen fixes from Russell Coker.
mailman: Fixes from Russell Coker.
init: Rename init_search_pid_dirs() to init_search_pids().
init: Move interface and whitespace change.
systemd: Further revisions from Russell Coker.
Fix typo in README.
Network daemon patches from Russell Coker.
apache: Fix CI error.
devices: Fix docs for dev_write_generic_sock_files().
Merge branch 'su_module' of git://github.com/cgzones/refpolicy
Merge branch 'newrole_fixes' of git://github.com/cgzones/refpolicy
auth: Move optional out of auth_use_pam_systemd() to callers.
Merge branch 'locallogin_module' of git://github.com/cgzones/refpolicy
Module version bump for patches from cgzones.
Merge branch 'userdom_terminals_permit_open' of
git://github.com/cgzones/refpolicy
Module version bump for user terminal improvments from cgzones.
Merge branch 'monit_depend' of git://github.com/cgzones/refpolicy
Module version bump for misc fixes from cgzones.
Merge pull request #103 from fishilico/validate_modular_fc
Merge branch 'getty_module' of git://github.com/cgzones/refpolicy
Module version bump for getty patch from cgzones.
Merge branch 'modutils_module' of git://github.com/cgzones/refpolicy
Merge branch 'fix_usr_bin_merge' of git://github.com/cgzones/refpolicy
Module version bumps for fixes from cgzones.
Merge branch 'lvm' of git://github.com/cgzones/refpolicy
Merge branch 'macros' of git://github.com/cgzones/refpolicy
Module version bump for fixes from cgzones.
Module version bump for fixes from cgzones.
dontaudit net_admin for SO_SNDBUFFORCE
/var/run -> /run again
Merge branch 'var_run' of git://github.com/cgzones/refpolicy
Module version bump from /var/run fixes from cgzones.
Merge branch 'monit' of git://github.com/cgzones/refpolicy
Module version bump for monit patch from cgzones
another version of systemd cgroups hostnamed and logind
Merge pull request #109 from cgzones/python3
systemd-resolvd, sessions, and tmpfiles take2
systemd-nspawn again
Merge pull request #112 from cgzones/remove_support/pyplate
Misc fc changes from Russell Coker.
Systemd-related changes from Russell Coker.
Merge pull request #115 from fishilico/python_raw_strings
Module version bump for misc fixes from Guido Trentalancia.
systemd init from Russell Coker
more systemd stuff from Russell Coker
misc daemons from Russell Coker.
bootloader from Russell Coker.
kmod, lvm, brctl patches from Russell Coker
devicekit, mount, xserver, and selinuxutil from Russell Coker
another bootloader patch from Russell Coker
some userdomain patches from Russell Coker
corecommands: Add fc escaping for previous patch.
Module version bump for patch from Guido Trentalancia
Module version bump from fixes from Guido Trentalancia.
xdm sigchld interface from Russell Coker.
Further strict systemd fixes from Russell Coker.
Update contrib.
locallogin: Move two sulogin lines.
Login take 4 from Russell Coker.
Rename apm to acpi from Russell Coker.
Module version bump for patches from Russell Coker and Guido Trentalancia.
some little misc things from Russell Coker.
apt/dpkg strict patches from Russell Coker.
little misc strict from Russell Coker.
locallogin: Move one line.
Module version bump for locallogin patch from Guido Trentalancia.
Module version bump for minor fixes from Guido Trentalancia.
Merge branch 'usr_bin_fc' of
git://github.com/fishilico/selinux-refpolicy-patched
Module version bump for /usr/bin fc fixes from Nicolas Iooss.
Module version bump for changes from Jason Zaman and Luis Ressel.
init: add comment for ProtectSystem.
Module version bump for systemd fix from Krzysztof Nowicki.
Update contrib
Module version bump for libmtp from Guido Trentalancia.
corenet/sysadm: Move lines.
Module version bump for infiniband policy from Daniel Jurgens.
Module version bump for mmap fixes from Stephen Smalley.
Update contrib.
Module version bumps for patches from Jason Zaman.
filesystem: Fix error in fs_cgroup_filetrans().
Module version bumps for patches from Jason Zaman.
gpg: Module version bump for patch from Guido Trentalancia.
miscfiles: Module version bump for patch from Luis Ressel.
Module version bump for patches from cgzones.
Module version bump for patches from cgzones.
netutils: Module version bump for patch from Luis Ressel.
README: Update build requirements.
travis-ci: Update to 2.7 userspace release.
Enable extended_socket_class policy capability;
Add nnp_nosuid_transition policycap and related class/perm definitions.
Add cgroup_seclabel policycap.
init: Add NoNewPerms support for systemd.
Bump module versions for release.
Daniel Jurgens (1):
refpolicy: Infiniband pkeys and endports
Guido Trentalancia (8):
userdomain: do not audit netlink socket creation attempts
corecommands: new file contexts for Gnome applications
locallogin: fix the sulogin submodule (emergency shell!)
locallogin: fine tune DAC override permissions
kernel: low-priority update
init: smoother system boot
base: role changes for the new libmtp module
fc_sort: avoid compiler warning/error
Guido Trentalancia via refpolicy (1):
xserver: fix iceauth_home_t file context creation
Jason Zaman (6):
authlogin: put interface properly inside optional
libraries: update wildcard /usr/lib fcontext
appconfig: Add openrc_contexts file
corecommands: add consolekit fcontexts
dirmngr: add to roles
filesystem: introduce fs_cgroup_filetrans interface
Krzysztof Nowicki (1):
Enable /etc directory protection using ProtectSystem
Luis Ressel (5):
system/selinuxutil: Allow semanage to execute its tmp files
system/miscfiles: Generalize the man_t fc's
netutils: Mix nmap perms in with the other traceroute_t perms
netutils: Add some permissions required by nmap to traceroute_t
netutils: Allow tcpdump to reduce its capability bounding set
Nicolas Iooss (5):
Make "validate" target verify file contexts
devices: fix Debian file contexts
Use raw strings in regular expressions
Synchronize file patterns for /usr/bin/mount... and /usr/sbin/mount...
Support systems with a single /usr/bin directory
Russell Coker (4):
inherited file and fifo perms
tiny mon patch
rw_inherited_file_perms
new init interfaces for systemd
Stephen Smalley (3):
refpolicy: Define getrlimit permission for class process
refpolicy: Define smc_socket security class
refpolicy: Define and allow map permission
cgzones (40):
systemd: label /run/systemd/transient as systemd_unit_t
setfiles: allow getattr to kernel pseudo fs
sysadm: fix denials
hostname: small adjustments
selinuxutil: adjustments
corecommands: label some binaries as bin_t
files: no default types for /run and /var/lock
add admin_process_pattern macro
systemd_cgroups_t: fix denials
locallogin: adjustments
authlogin: introduce auth_use_pam_systemd
su: some adjustments
newrole: fix denials
add corecmd_check_exec_bin_files()
add fs_getattr_dos_dirs()
update init_ACTION_all_units
add init_daemon_lock_file()
improve documentation for user_user_(inherited_)?user_terminals
getty: overlook module
modutils: format filecontexts
modutils: adjust interfaces after recent binaries merge
systemd-tmpfiles: refactor runtime configs
corecommands: fix corecmd_*_bin() for usr merged systems
corecmd_read_bin_symlinks(): remove deprecated and redundant calls
modutils: adopt callers to new interfaces
m4 errprint: add __program__ info
domtrans_pattern: use inherited fifo perms
sysadm: add monit admin permissions
lvm: small adjustments
convert build scripts to python3
travis: run make xml, html and install(-.*)? targets
fix travis and genhomedircon
remove /var/run file context leftovers
travis: move after_success tests into script section
clean up python3 cache on make bare
rkhunter: add interfaces for rkhunter module and sysadm permit
iptables: align file contexts
chkrootkit: add interfaces and sysadm permit
netutils: update
iptables: update
* Sat Feb 04 2017 Chris PeBenito <pebenito@ieee.org> - 2.20170204
Chris PeBenito (55):
Module version bumps for patches from Guido Trentalancia.
Update contrib.
Remove unneeded system_u seusers mapping.
Update contrib.
Merge pull request #45 from cgzones/travis2
Merge pull request #46 from cgzones/update_readme
Merge pull request #47 from cgzones/spelling
Module version bump for xserver patch from Guido Trentalancia
Update contrib.
Merge pull request #50 from cgzones/macros
Merge pull request #48 from cgzones/makefile
xserver: Rearrange lines
Module version bump for xserver changes from Guido Trentalancia.
Merge branch 'dhcp_avahi' of https://github.com/cgzones/refpolicy
Module version bumps for patches from cgzones.
Update contrib.
Merge branch 'syslogd' of git://github.com/cgzones/refpolicy
Module version bump for journald fixes from cgzones.
Merge pull request #57 from cgzones/trailing_whitespaces
modutils: Move lines.
Module version bumps for openoffice patches from Guido Trentalancia.
Module version bump for kernel sysctl patch from Luis Ressel
Update contrib.
Module version bump for netutils patch from Luis Ressel.
Module version bump for xserver patch from Guido Trentalancia.
Module version bumps for patches from Guido Trentalancia.
rtkit: enable dbus chat with xdm
xserver: Move interface definition.
Module version bump for patches from Guido Trentalancia.
Module version bump for xscreensaver patch from Guido Trentalancia.
Merge branch 'run_transition' of git://github.com/cgzones/refpolicy
Module version bumps for /run fc changes from cgzones.
Module version bump for patches from Guido Trentalancia.
Merge branch '2016-12-27_systemd' of
git://github.com/fishilico/selinux-refpolicy-patched
Module version bump for systemd patch from Nicolas Iooss.
Merge branch 'usr-fc' of
git://github.com/fishilico/selinux-refpolicy-patched
Module version bump for fc updates from Nicolas Iooss.
Module version bump for patches from Guido Trentalancia.
xserver: Update from Russell Coker for boinc.
Module version bump for patches from Guido Trentalancia.
Merge pull request #62 from cgzones/fix_permission_segenxml
Merge pull request #94 from cgzones/travis
Merge branch 'corenetork_module' of git://github.com/cgzones/refpolicy
Merge branch 'mount_module' of git://github.com/cgzones/refpolicy
Merge branch 'terminal_module' of git://github.com/cgzones/refpolicy
Merge branch 'files_search_src' of git://github.com/cgzones/refpolicy
Merge branch 'unconfined_module' of git://github.com/cgzones/refpolicy
Merge branch 'auditd_fixes' of git://github.com/cgzones/refpolicy
Module version bumps for patches from cgzones.
Module version bump for cpu_online genfscon from Laurent Bigonville.
Update contrib.
Fix contrib.
Module version bump for cups patch from Guido Trentalancia.
Module version bump for xkb fix from Jason Zaman.
Bump module versions for release.
Guido Trentalancia (19):
xserver: remove unneeded user content permissions
xserver: remove unneeded user content permissions
Apache OpenOffice module (base policy part)
xserver: enable dbus messaging with devicekit power
authlogin: indentation/whitespace fix
wm: update the window manager (wm) module and enable its role template
(v7)
userdomain: separate optional conditionals for gnome and wm role templates
udev: manage tmpfs files and directories
udev: always enable kernel module loading
base: enable the xscreensaver role
bootloader: stricter permissions and more tailored file contexts
modutils: update to run in confined mode
base: use new genhomedircon template for username
kernel: missing permissions for confined execution
xserver: introduce new fc and interface to manage X session logs
kernel: add missing plymouth interface
xserver: restrict executable memory permissions
init: support sysvinit
udev: execute HPLIP applications in their own domain
Guido Trentalancia via refpolicy (4):
Let users read/manage symlinks on fs that do not support xattr
Let unprivileged users list mounted filesystems
Let the user list noxattr fs directories
sysadm: add the shutdown role
Jason Zaman (1):
xserver: allow X roles to read xkb libs to set keymaps
Laurent Bigonville (1):
Use genfscon to label /sys/devices/system/cpu/online as cpu_online_t
Luis Ressel (3):
system/modutils: Add kernel_search_key(kmod_t)
kernel.if: Allow listing /proc/sys/net/unix
netutils: Label iptstate as netutils_t
Nicolas Iooss (4):
systemd: add systemd-backlight policy
systemd: add systemd-binfmt policy
Allow searching /proc/sys/fs when using /proc/sys/fs/binfmt_misc
Add file contexts in /usr for /bin, /usr/sbin and /usr/lib
Russell Coker (1):
single binary modutils
Stephen Smalley (2):
refpolicy: Define extended_socket_class policy capability and socket
classes
refpolicy: drop unused socket security classes
cgzones (21):
update .travis.yml
update README
fix spelling
update Makefile
update policy/support macros
review
keep 2 empty lines in front of a new section
using intermediate target instead of splitting up conf files generation
define filecontext for /run/agetty.reload
allow dhcp_t to domtrans into avahi
fix syslogd audits
remove trailing whitespaces
transition file contexts to /run
fix permission of installed segenxml.py by install-headers
auditd / auditctl: fix audits
add files_search_src()
update unconfined module * grant capability2:wake_alarm * remove
deprecated interfaces
update terminal module
update corenetwork module
use travis cache
update mount module
* Sun Oct 23 2016 Chris PeBenito <pebenito@ieee.org> - 2.20161023
Chris PeBenito (94):
Module version bump for systemd-user-sessions fc entry from Dominick Grift
Module version bumps for 2 patches from Dominick Grift.
Module version bump for vm overcommit sysctl interfaces from Laurent
Bigonville.
Update contrib.
Module version bump for Xorg and SSH patches from Nicolas Iooss.
Add neverallow for mac_override capability. It is not used by SELinux.
Merge branch 'overcommit-1' of git://github.com/bigon/refpolicy into
bigon-overcommit-1
Merge branch 'bigon-overcommit-1'
Merge branch 'systemd-1' of git://github.com/bigon/refpolicy into
bigon-systemd-1
Merge branch 'bigon-systemd-1'
Module version bump for syslog and systemd changes from Laurent Bigonville
Merge pull request #19 from shootingatshadow/fc_sort
Merge branch 'xorg-1' of git://github.com/bigon/refpolicy into
bigon-xorg-1
Merge branch 'bigon-xorg-1'
Module version bump for Debian Xorg fc fixes from Laurent Bigonville
Add a type and genfscon for nsfs.
Module version bump for systemd PrivateNetwork patch from Nicolas Iooss
Module version bump for systemd audit_read capability from Laurent
Bigonville
Merge pull request #21 from fishilico/typos
Module version bump for patches from Nicolas Iooss and Grant Ridder.
Update contrib.
Module version bump for efivarfs patches from Dan Walsh, Vit Mojzis, and
Laurent Bigonville
Module version bump for ipset fc entry from Laurent Bigonville.
Update contrib.
Whitespace fix in iptables.fc.
Module version bump for iptables fc entries from Laurent Bigonville and
Lukas Vrabec.
Update contrib.
Module version bump for iptables/firewalld patch from Laurent Bigonville.
Merge pull request #29 from bigon/appconfig-lxc
Module version bump for getty patch from Luis Ressel.
Module version bump for tboot utils from Luis Ressel and systemd fix from
Jason Zaman.
Merge branch 'corecommands-archlinux' of
https://github.com/fishilico/selinux-refpolicy-patched
Merge branch 'dev_setattr_dlm_control-typo' of
https://github.com/fishilico/selinux-refpolicy-patched
Merge branch 'kdevtmpfs-unlink' of
https://github.com/fishilico/selinux-refpolicy-patched
Module version bump for several Arch fixes from Nicolas Iooss.
Update contrib.
Reduce broad entrypoints for unconfined domains.
Update Travis-CI build to newest SELinux userspace release.
Update su for libselinux-2.5 changes.
Merge branch 'selinux-1' of https://github.com/bigon/refpolicy
Module version bump for Debian fc entries from Laurent Bigonville.
Module version bump for patches from Dominick Grift and Lukas Vrabec.
Add user namespace capability object classes.
Module version bump for hwloc-dump-hwdata from Dominick Grift and Grzegorz
Andrejczuk.
Module version bump for nftables fc entry from Jason Zaman.
Update contrib.
Module version bump for LMNR port from Laurent Bigonville.
Module version bump for systemd-resolved patch from Laurent BIgonville.
Merge branch 'master' of https://github.com/qqo/refpolicy into qqo-master
Merge branch 'qqo-master'
Module version bump for mlstrustedsocket from qqo.
Module version bumps + contrib update for user_runtime from Jason Zaman.
Update contrib.
Module version bump for corecommands update from Garrett Holmstrom.
Module version bump for MLS relabeling patch from Lukas Vrabec.
Get attributes of generic ptys, from Russell Coker.
Module version bump for user_udp_server tunable from Russell Coker.
libraries: Move libsystemd fc entry.
libraries: Module version bump for libsystemd fc entry from Lukas Vrabec.
Update contrib.
Systemd units from Russell Coker.
corenetwork: Add port labeling for Global Catalog over LDAPS.
corenetwork: Missed version bump for previous commit.
Update contrib.
Allow the system user domains to chat over dbus with a few other domains
(e.g. gnome session).
Update alsa module use from Guido Trentalancia.
Update the sysnetwork module to add some permissions needed by the dhcp
client (another separate patch makes changes to the ifconfig part).
Ifconfig should be able to read firmware files in /lib (i.e. some network
cards need to load their firmware) and it should not audit attempts to
load kernel modules directly.
Remove redundant libs_read_lib_files() for ifconfig_t.
Module version bump for various patches from Guido Trentalancia.
Update contrib.
Update for the xserver module:
userdomain: Fix compile errors.
Update contrib.
Merge pull request #38 from fishilico/travis-nosudo
Module version bump for module_load perm use from Guido Trentalancia.
Update contrib.
Merge pull request #39 from rfkrocktk/feature/vagrant
Merge pull request #40 from jer-gentoo/patch-1
userdomain: Move enable_mls block in userdom_common_user_template().
Module version bumps for LVM and useromain patches from Guido
Trentalancia.
Update contrib.
Additional change from Guido Trentalancia related to evolution.
Module version bump for selinuxutil fix from Jason Zaman.
Update contrib.
Update contrib.
Merge branch 'feature/syncthing' of https://github.com/rfkrocktk/refpolicy
into rfkrocktk-feature/syncthing
Merge branch 'rfkrocktk-feature/syncthing'
Module version bumps for syncthing from Naftuli Tzvi Kay.
Merge pull request #41 from SeanPlacchetti/patch-1
Merge pull request #42 from SeanPlacchetti/patch-1
Merge pull request #43 from williamcroberts/google-patch
Update contrib.
Bump module versions for release.
Dan Walsh (1):
Add label for efivarfs
Dominick Grift (5):
systemd: add missing file context spec for systemd-user-sessions
executable file
authlogin: remove duplicate files_list_var_lib(nsswitch_domain)
kernel: implement sysctl_vm_overcommit_t for
/proc/sys/vm/overcommit_memory
systemd: Add support for --log-target
Update refpolicy to handle hwloc
Garrett Holmstrom (1):
corecmd: Remove fcontext for /etc/sysconfig/libvirtd
Grant Ridder (1):
Add redis-sentinel port to redis network_port def
Guido Trentalancia (6):
Add module_load permission to class system
Add module_load permission to can_load_kernmodule
Remove deprecated semodule options from Makefile
Update the lvm module
Improve tunable support for rw operations on noxattr fs / removable media
userdomain: introduce the user certificate file context (was miscfiles:
introduce the user certificate file context)
Jason Zaman (6):
system/init: move systemd_ interfaces into optional_policy
iptables: add fcontext for nftables
authlogin: remove fcontext for /var/run/user
userdomain: Introduce types for /run/user
userdomain: user_tmp requires searching /run/user
userdomain: introduce interfaces for user runtime
Jason Zaman via refpolicy (1):
selinuxutil: allow setfiles to read semanage store
Jeroen Roovers (1):
Use $(AWK) not plain awk
Laurent Bigonville (15):
Add interfaces to read/write /proc/sys/vm/overcommit_memory
Give some systemd domain access to /proc/sys/kernel/random/boot_id
On Debian, systemd binaries are installed in / not /usr
Allow syslogd_t to read sysctl_vm_overcommit_t
Label Xorg server binary correctly on Debian
Allow systemd the audit_read capability
Allow logind to read efivarfs files
Add label for /sbin/ipset
Label /var/run/ebtables.lock as iptables_var_run_t.
Allow {eb,ip,ip6}tables-restore to read files in /run/firewalld
Add lxc_contexts config file
Add some labels for SELinux tools path in Debian
Add the validate_trans access vector to the security class
Add llmnr/5355 (Link-local Multicast Name Resolution)
Add policy for systemd-resolved
Luis Ressel (2):
Allow getty the sys_admin capability
Allow sysadm to run txt-stat.
Lukas Vrabec (4):
Label /var/run/xtables.lock as iptables_var_run_t.
SELinux support for cgroup2 filesystem.
Add new MLS attribute to allow relabeling objects higher than system low.
This exception is needed for package managers when processing sensitive
data.
Systemd by version 231 starts using shared library and systemd daemons
execute it. For this reason lib_t type is needed.
Mike Palmiotto (1):
Add mls support for some db classes
Naftuli Tzvi Kay (2):
Add Syncthing Support to Policy
Add Vagrant box for development.
Nicolas Iooss (18):
Label Xorg server binary correctly on Arch Linux
Label OpenSSH files correctly on Arch Linux
Label OpenSSH systemd unit files
Allow systemd services to use PrivateNetwork feature
Fix typo in init_dbus_chat requirements
Fix typos in comments from corenetwork module
man: Spelling fixes
Fix interface descriptions when duplicate ones are found
Label /sys/kernel/debug/tracing filesystem
Label TexLive scripts bin_t
Label system-config-printer applet properly on Arch Linux
Label gedit plugins properly on Arch Linux
Label some user session DBus services as bin_t
Do not label /usr/lib/gvfs/libgvfscommon.so as bin_t
Fix typo in dev_setattr_dlm_control interface requirements
Allow kdevtmpfs to unlink fixed disk devices
Fix typo in module compilation message
Make Travis-CI build without using sudo
Rahul Chaudhry (1):
fc_sort: cleanup warnings caught by clang tidy / static analyzer.
Russell Coker (2):
user_udp_server tunable
getattr on unlabeled blk devs
Sean Placchetti (2):
Update to refpolicy spec file
Update specfile
Vit Mojzis (1):
Add interface to allow reading files in efivarfs - contains Linux Kernel
configuration options for UEFI systems (UEFI Runtime Variables)
William Roberts (1):
fc_sort: strip whitespace errors
qqo (1):
Adds attribute mlstrustedsocket, along with the interface.
* Tue Dec 08 2015 Chris PeBenito <selinux@tresys.com> - 2.20151208
Alexander Wetzel (1):
adds vfio device support to base policy
Chris PeBenito (48):
Module version bump for optional else block removal from Steve Lawrence.
Add always_check_network policy capability.
Update contrib.
Fix domain_mmap_low() to be a proper tunable.
Add initial Travis CI configuration.
Travis CI already exports variables.
Add validate target for monolithic policy.
Update contrib.
Use matrix keyword to simplify travis-ci build definitions.
Undo last commit.
Simplify travis-ci build handling of SELinux toolchain.
Update contrib.
Module version bump for fstools blkid fix from Jason Zaman
Update contrib.
Module version bump for debufs mount point fc entry from Laurent
Bigonville.
Module version bump for updated netlink sockets from Stephen Smalley
Update contrib.
Module version bump for init_startstop_service from Jason Zaman.
Update contrib.
Change CI tests to drop DIRECT_INITRC.
Module version bumps for further init_startstop_service() changes from
Jason Zaman.
Module version bump for admin interface changes from Jason Zaman.
Update contrib.
Module version bumps for admin interfaces from Jason Zaman.
Module version bump for cron_admin for sysadm from Jason Zaman.
Module version bump for ssh-agent -k fix from Luis Ressel.
Module version bump for APR build script labeling from Luis Ressel.
Module version bump for vfio device from Alexander Wetzel.
Update contrib.
Rearrange lines in ipsec.te.
Module version bump for patches from Jason Zaman/Matthias Dahl.
Add systemd build option.
Add systemd access vectors.
Implement core systemd policy.
Add supporting rules for domains tightly-coupled with systemd.
Add rules for sysadm_r to manage the services.
Add systemd units for core refpolicy services.
Add sysfs_types attribute.
Add refpolicy core socket-activated services.
Change policy_config_t to a security file type.
Merge branch 'pebenito-master'
Module version bump for systemd additions.
Update contrib for dbus systemd fix.
Revise selinux module interfaces for perms protected by neverallows.
Remove bad interface in systemd.if.
Module version bump for utempter Debian helper from Laurent Bigonville.
Update contrib.
Bump module versions for release.
Jason Zaman (13):
fstools: add in filetrans for /run dir
Introduce init_startstop_service interface
logging: use init_startstop_service in _admin interface
postgresql: use init_startstop_service in _admin interface
Add openrc support to init_startstop_service
Introduce iptables_admin
Add all the missing _admin interfaces to sysadm
Introduce lvm_admin interface
Introduce ipsec_admin interface
Introduce setrans_admin interface
add new cron_admin interface to sysadm
Add overlayfs as an XATTR capable fs
system/ipsec: Add policy for StrongSwan
Laurent Bigonville (4):
Add fc for /sys/kernel/debug as debugfs_t
Add "binder" security class and access vectors
Properly label utempter helper on debian
Allow the user cronjobs to run in their userdomain
Luis Ressel (2):
Allow ssh-agent to send signals to itself
Mark APR build scripts as bin_t
Stephen Smalley (1):
Update netlink socket classes.
Steve Lawrence (1):
Remove optional else block for dhcp ping
* Wed Dec 03 2014 Chris PeBenito <selinux@tresys.com> - 2.20141203
Artyom Smirnov (3):
New database object classes
Fixes for db_domain and db_exception
Renamed db_type to db_datatype, to avoid confusion with SELinux "type"
Chris PeBenito (69):
Whitespace fix in postgresql.fc
Module version bump for postgresql fc entries from Luis Ressel.
Add symlink to contrib Changelog for easy reference.
Move lightdm line in xserver.fc.
Whitespace fix in xserver.fc.
Update contrib.
Module version bump for userdomain kernel symbol table fix from Nicolas
Iooss.
Module version bump for 2 Gentoo patches from Sven Vermeulen.
Update contrib.
Module version bump for 2 patch sets from Laurent Bigonville.
Update contrib.
Module version bump for gnome keyring fix from Laurent Bigonville.
Update contrib.
Module version bump for /sys/fs/selinux support from Sven Vermeulen.
Module version bump for fixes from Laurent Bigonville.
Update contrib.
Module version bumps for fc fixes from Nicolas Iooss.
Update contrib.
Add file for placing default_* statements.
Fix error in default_user example.
Module version bump for unconfined->lvm transition from Nicolas Iooss.
Need the __future__ import for python2 if using print().
Module version bump for ifconfig fc entry from Sven Vermeulen.
Module version bump for deprecated interface usage removal from Nicolas
Iooss.
Update contrib.
Module version bump for rcs2log and xserver updates from Sven Vermeulen.
Module version bump for shutdown transitions from Luis Ressel.
Remove firstboot_rw_t as FC5 has been gone for a long time.
Module version bump for firstboot_rw_t alias removal.
Module version bump for dropbox port from Sven Vermeulen.
Module version bump for unconfined syslog cap from Nicolas Iooss.
Always use the unknown permissions handling build option.
Merge pull request #1 from artyom-smirnov/master
Module version bump for zram fc entry from Jason Zaman.
Update contrib.
Module version bump for init_daemon_pid_file from Sven Vermeulen.
Move tumblerd fc entry
Module version bump for tumblerd fc entry from Jason Zaman.
Module version bump for libraries fc fix from Nicolas Iooss.
Update contrib.
Module version bump for fstools fc entries from Luis Ressel.
Module version bump for missing unlabeled interfaces from Sven Vermeulen.
Module version bump for ping rawip socket fix from Luis Ressel.
Module version bump for full IRC ports from Luis Ressel.
Move losetup addition in fstools.
Module version bump for losetup fixes from Luis Ressel.
Update contrib.
Module version bump for postgres fc revisions from Luis Ressel.
Module version bump for FUSE fix for mount from Luis Ressel.
Module version bump for misc fixes from Nicolas Iooss.
Move systemd fc entry.
Whitespace change in logging.fc.
Add comment for journald ring buffer reading.
Module version bumps for systemd/journald patches from Nicolas Iooss.
Update contrib.
/dev/log symlinks are not labeled devlog_t.
Module version bump for CIL fixes from Yuli Khodorkovskiy.
Drop RHEL4 and RHEL5 support.
Merge pull request #3 from bigon/arping
Merge pull request #4 from fishilico/minor-typo
Module version bump for Debian arping fc entries from Laurent Bigonville.
Add comment for iw generic netlink socket usage
Module version bump for /sbin/iw support from Nicolas Iooss.
Merge pull request #5 from bigon/audit_read
Update contrib.
Module version bump for misc fixes from Sven Vermeulen.
Update contrib.
Module version bump for module store move from Steve Lawrence.
Bump module versions for release.
Elia Pinto (1):
Fix misspelling
Jason Zaman (2):
File contexts for zram
File Context for tumbler
Laurent Bigonville (14):
Properly label git-shell and other git commands for Debian
Label /usr/sbin/lightdm as xdm_exec_t
Create new xattrfs attribute and fs_getattr_all_xattr_fs() interface
Associate the new xattrfs attribute to fs_t and some pseudo-fs
Use new fs_getattr_all_xattr_fs interface for setfiles_t and restorecond_t
Add telepathy role for user_r and staff_r
Properly label the manpages installed by postgresql
Label /usr/local/share/ca-certificates(/.*)? as cert_t
Allow the xdm_t domain to enter all the gkeyringd ones
Label /etc/locale.alias as locale_t on Debian
Allow hugetlbfs_t to be associated to /dev
On Debian iputils-arping is installed in /usr/bin/arping
Debian also ship a different arping implementation
Add new audit_read access vector in capability2 class
Luis Ressel (13):
Add two postgresql file contexts from gentoo policy
Allow init to execute shutdown
Allow xdm_t to transition to shutdown_t domain
Some of the fsadm tools can also be in /usr/sbin instead of /sbin
Label /usr/sbin/{add, del}part as fsadm_exec_t
Grant ping_t getattr on rawip_socket
kernel/corenetwork.te: Add all registered IRC ports
system/mount.if: Add mount_rw_loopback_files interface
system/fstools.if: Add fstools_use_fds interface
Add neccessary permissions for losetup
Only label administrative postgres commands as postgresql_exec_t
Also apply the new postgres labeling scheme on Debian
Grant mount permission to access /dev/fuse
Nicolas Iooss (31):
Fix parallel build of the policy
fc_sort: fix typos in comments
fc_sort: initialize allocated memory to fix execution on an empty file
fc_sort: make outfile argument optional
userdomain: no longer allow unprivileged users to read kernel symbols
Label syslog-ng.pid as syslogd_var_run_t
filesystem: label cgroup symlinks
Label /usr/lib/getconf as bin_t
Label /usr/share/virtualbox/VBoxCreateUSBNode.sh as udev_helper_exec_t
Make support/policyvers.py compatible with Python 3
Make unconfined user run lvm programs in confined domain
No longer use deprecated MLS interfaces
Allow unconfined domains to use syslog capability
Label /lib symlink as lib_t for every distro
Label /usr/lib/networkmanager/ like /usr/lib/NetworkManager/
Add ioctl and lock to manage_lnk_file_perms
Label (/var)?/tmp/systemd-private-.../tmp like /tmp
Fix typo in fs_getattr_all_fs description
Label systemd files in init module
Introduce init_search_run interface
Label systemd-journald files and directories
Support logging with /run/systemd/journal/dev-log
Allow journald to read the kernel ring buffer and to use /dev/kmsg
Allow journald to access to the state of all processes
Remove redundant Gentoo-specific term_append_unallocated_ttys(syslogd_t)
Fix minor typo in init.if
Label /sbin/iw as ifconfig_exec_t
Allow iw to create generic netlink sockets
Use create_netlink_socket_perms when allowing netlink socket creation
Update Python requirement in INSTALL
Create tmp directory when compiling a .mod.fc file in a modular way
Steve Lawrence (1):
Update policy for selinux userspace moving the policy store to
/var/lib/selinux
Sven Vermeulen (24):
Hide getattr denials upon sudo invocation
Support /sys/devices/system/cpu/online
The security_t file system can be at /sys/fs/selinux
Dontaudit access on security_t file system at /sys/fs/selinux
ifconfig can also be in /bin
xserver_t needs to ender dirs labeled xdm_var_run_t
Enable rcs2log location for all distributions
Add dropbox_port_t support
Support initrc_t generated pid files with file transition
Deprecate init_daemon_run_dir interface
Use init_daemon_pid_file instead of init_daemon_run_dir
Introduce kernel_delete_unlabeled_symlinks
Introduce kernel_delete_unlabeled_pipes
Introduce kernel_delete_unlabeled_sockets
Introduce kernel_delete_unlabeled_blk_files
Introduce kernel_delete_unlabeled_chr_files
Run grub(2)-mkconfig in bootloader domain
Add auth_pid_filetrans_pam_var_run
New sudo manages timestamp directory in /var/run/sudo
xfce4-notifyd is an executable
Mark f2fs as a SELinux capable file system
Add in LightDM contexts
Add gfisk and efibootmgr as fsadm_exec_t
Add /var/lib/racoon as runtime directory for ipsec
Yuli Khodorkovskiy (1):
Remove duplicate role declarations
cgarst (1):
Updating submodule URL to github
* Tue Mar 11 2014 Chris PeBenito <selinux@tresys.com> - 2.20140311
Chris PeBenito (96):
Update contrib to pull in minidlna.
Remove general unlabeled packet usage.
Update contrib.
Use python libselinux bindings to determine policy version.
Add MLS constraints for x_pointer and x_keyboard.
Add label for parted.
Fix support/policyvers.py not to error if building policy on a
SELinux-disabled system.
Module version bump for kerberos keytab changes for ssh from Dominick
Grift.
Module version bump for pstore filesystem support from Dominick Grift.
Module version bump for redis port from Dominick Grift.
Update contrib.
Add comment for setfiles using /dev/console when it needs to be relabeled.
Module version bump for xserver and selinuxutil updates from Dominick
Grift.
Module version bump for tmpfs associate to device_t from Dominick Grift.
Module version bump for syslog reading overcommit_memory from Dominick
Grift.
Module version bump for ethtool reading pm-powersave.lock from Dominick
Grift.
Module version bump for sysadm fix for git role usage from Dominick Grift.
Module version bump for lvm update from Dominick Grift.
Module version bump for fc fix in authlogin from Dominick Grift.
Module version bump for restricted x user template fix from Dominick
Grift.
Add comment for debian avahi-daemon-check-dns.sh usage by udev
Module version bump for udev Debian fixes from Dominick Grift.
Module version bump for selinuxfs location change from Dominick Grift.
Update contrib.
Module version bump for unconfined dbus fixes from Dominick Grift.
Whitespace fix in terminal.te.
Module version bump for virtio console from Dominick Grift.
Module version bump for init interface and corecommand fc from Dominick
Grift.
Module version bump for ping capabilities from Sven Vermeulen.
Module version bump for slim fc entries from Sven Vermeulen.
Module version bump for xdm dbus access from Dominick Grift.
Rearrange sysnet if blocks.
Module version bump for debian ifstate changes from Dominick Grift.
Module version bump for xserver console and fc fixes from Dominick Grift.
Module version bump for gdomap port from Dominick Grift.
Module version bumps for dhcpc leaked fds to hostname.
Module version bump for ssh server caps for Debian from Dominick Grift.
Move stray Debian rule in udev.
Update contrib
Module version bumps for Debian udev updates from Dominick Grift.
Module version bump for mount updates from Dominick Grift.
Silence symlink reading by setfiles since it doesn't follow symlinks
anyway.
Reorder dhcpc additions.
Module version bump for dhcpc fixes from Dominick Grift.
Add comments about new capabilities for syslogd_t.
Module version bumps for syslog-ng and semodule updates.
Update contrib.
Module version bump for first batch of patches from Dominick Grift.
Update contrib.
Rearrage userdom_delete_user_tmpfs_files() interface.
setrans: needs to be able to get attributes of selinuxfs, else fails to
start in Debian
Whitespace fix in fstools.
Add comment in policy for lvm sysfs write.
Module version bump for second lot of patches from Dominick Grift.
Whitespace fix in usermanage.
Whitespace fix in libraries.
Module version bump for patches from Dominick Grift.
Whitespace fix in init.te.
init: init_script_domain() allow system_r role the init script domain type
init: creates /run/utmp
Module version bump for 4 init patches from Dominick Grift.
Fix Debian compile issue.
Module version bump for 2 patches from Dominick Grift.
Module version bump for patch from Laurent Bigonville.
Update contrib.
Module version bump for patch from Laurent Bigonville.
Module version bump for xserver change from Dominick Grift.
Merge file_t into unlabeled_t, as they are security equivalent.
Update modules for file_t merge into unlabeled_t.
Make the QUIET build option apply to clean and bare targets.
Module version bump for direct initrc fixes from Dominick Grift.
Module version bump for module store labeling fixes from Laurent
Bigonville.
Remove ZFS symlink labeling.
Fix ZFS fc escaping in mount.
Rearrange ZFS fc entries.
Module version bump for ZFS tools fc entries from Matthew Thode.
Module version bump for unconfined transition to dpkg from Laurent
Bigonville.
Module version bump for logging fc patch from Laurent Bigonville.
Update contrib.
Module version bump for pid file directory from Russell Coker/Laurent
Bigonville.
Rename gpg_agent_connect to gpg_stream_connect_agent.
Rearrange gpg agent calls.
Module version bump for ssh use of gpg-agent from Luis Ressel.
Module version bump for files_dontaudit_list_var() interface from Luis
Ressel.
Move bin_t fc from couchdb to corecommands.
Update contrib.
Module version bump for sesh fc from Nicolas Iooss.
Move loop control interface definition.
Rename mount_read_mount_loopback() to mount_read_loopback_file().
Module version bump for loopback file mounting fixes from Luis Ressel.
Fix read loopback file interface.
Update contrib.
Module version bump for bootloader fc fixes from Luis Ressel.
Update contrib.
Update contrib.
Bump module versions for release.
Dominick Grift (58):
The kerberos_keytab_template() template is deprecated: Breaks monolithic
built (out-of-scope)
Initial pstore support
Support redis port tcp,6379
These regular expressions were not matched
Restorecon reads, and writes /dev/console before it is properly labeled
filesystem: associate tmpfs_t (shm) to device_t (devtmpfs) file systems
logging: syslog (rs:main Q:Reg) reading sysctl_vm files
(overcommit_memory) in Debian
sysnetwork: ethtool reads /run/pm-utils/locks/pm-powersave.lock
sysadm: Doesnt work with direct_initrc = y
lvm: lvm and udisks-lvm-pv-e read /run/udev/queue.bin
authlogin: Sudo file context specification did not catch paths (squash me)
userdomain: restricted xwindows user (squash me)
udev: This is specific to debian i think. Some how the
/usr/lib/avahi/avahi-daemon-check-dns\.sh ends up in the udev_t domain
selinux: selinuxfs is now mounted under /sys/fs/selinux instead of
/selinux, so we need to allow domains that use selinuxfs to interface
with SELinux to traverse /sys/fs to be able to get to /sys/fs/selinux
Unconfined domains have unconfined access to all of dbus rather than only
system bus
Initial virtio console device
init: create init_use_inherited_script_ptys() for tmpreaper (Debian)
corecmd: avahi-daemon executes /usr/lib/avahi/avahi-daemon-check-dns.sh
xdm: is a system bus client and acquires service on the system bus xdm:
dbus chat with accounts-daemon
sysnetwork: Debian stores network interface configuration in /run/network
(ifstate), That directory is created by the /etc/init.d/networking
script.
xserver: catch /run/gdm3
xserver: associate xconsole_device_t (/dev/xconsole) to device_t
(devtmpfs)
corenetwork: Declare gdomap port, tcp/udp:538
hostname: do not audit attempts by hostname to read and write dhcpc udp
sockets (looks like a leaked fd)
ssh: Debian sshd is configured to use capabilities
udev-acl.ck lists /run/udev/tags/udev-acl udev blocks suspend, and
compromises kernel
udev: runs: /usr/lib/avahi/avahi-daemon-check-dns.sh which creates
/run/avahi-daemon directory
mount: sets kernel thread priority mount: mount reads
/lib/modules/3.10-2-amd64/modules.dep mount: mount lists all mount
points
sysnetwork: dhcpc binds socket to random high udp ports sysnetwork: do not
audit attempts by ifconfig to read, and write dhcpc udp sockets (looks
like a leaked fd)
mount: fs_list_auto_mountpoint() is now redundant because autofs_t is
covered by files_list_all_mountpoints()
udev: this fc spec does not make sense, as there is no corresponding file
type transition for it
udev: the avahi dns check script run by udev in Debian chmods
/run/avahi-daemon
authlogin: unix_chkpwd traverses / on sysfs device on Debian
setrans: mcstransd reads filesystems file in /proc
udev: reads modules config: /etc/modprobe.d/alsa-base-blacklist.conf
fstools: hdparm append (what seems inherited from devicekit )
/var/log/pm-powersave.log fstools: hdparm reads
/run/pm-utils/locks/pm-powersave.lock
sysnetwork: dhcpc: networkmanager interface calls from Fedora. In Debian i
was able to confirm the need for
networkmanager_manage_lib_files(dhcpc_t) since dhclient reads
/var/lib/NetworkManager/dhclient-eth0.conf
sysbnetwork: dhclient searches /var/lib/ntp
sshd/setrans: make respective init scripts create pid dirs with proper
contexts
kernel: cryptomgr_test (kernel_t) requests kernel to load
cryptd(__driver-ecb-aes-aesni
xserver: already allowed by auth_login_pgm_domain(xdm_t)
unconfined: Do not domain transition to xserver_t (unconfined_t is
xserver_unconfined)
userdomain: add userdom_delete_user_tmpfs_files() for pulseaudio clients
These { read write } tty_device_t chr files on boot up in Debian
udev: udevd executable location changed
lvm: lvm writes read_ahead_kb
udev: in debian udevadm is located in /bin/udevadm
usermanage: Run /etc/cron\.daily/cracklib-runtime in the crack_t domain in
Debian
iptables: calls to firewalld interfaces from Fedora. The
firewalld_dontaudit_rw_tmp_files(iptables_t) was confirmed on Debian.
libraries: for now i can only confirm mmap, might need to be changed to
bin_t later if it turns out to need execute_no_trans
users: calls pulseaudio_role() for restricted xwindows users and
staff_t/user_t
init: for a specified automatic role transition to work. the source role
must be allowed to change manually to the target role
init: this is a bug in debian where tmpfs is mounted on /run, and so early
on in the boot process init creates /run/utmp and /run/initctl in a
tmpfs directory (/) tmpfs
init: exim init script runs various helper apps that create and manage
/var/lib/exim4/config.autogenerated.tmp file
init: the gdomap and minissdpd init scripts read the respective environ
files in /etc/default. We need to give them a private type so that we
can give the gdomap_admin() and minissdpd_admin() access to it, but it
seems overengineering to create private environ types for these files
xserver: These are no longer needed
Change behavior of init_run_daemon()
Apply direct_initrc to unconfined_r:unconfined_t
Laurent Bigonville (7):
Label /bin/fusermount like /usr/bin/fusermount
Allow udev to write in /etc/udev/rules.d
Label /etc/selinux/([^/]*/)?modules(/.*)? as semanage_store_t
Allow unconfined users to transition to dpkg_t domain
Add fcontext for rsyslog pidfile
Add fcontext for sshd pidfile and directory used for privsep
Move the ifdef at the end of the declaration block
Luis Ressel (10):
Conditionally allow ssh to use gpg-agent
kernel/files.if: Add files_dontaudit_list_var interface
kernel/devices.if: Add dev_rw_loop_control interface
system/mount.if: Add mount_read_mount_loopback interface
Allow mount_t usage of /dev/loop-control
Grant kernel_t necessary permissions for loopback mounts
Use xattr-labeling for squashfs.
Label fatsort as fsadm_exec_t.
Generalize grub2 pattern
Label grub2-install as bootloader_exec_t
Matthew Thode (1):
Extending support for SELinux on ZFS
Nicolas Iooss (2):
Label /usr/lib/sudo/sesh as shell_exec_t
Create .gitignore
Sven Vermeulen (7):
Add trivnet1 port (8200)
Get grub2-install to work properly
Support named file transition for fixed_disk_device_t
Allow ping to get/set capabilities
Extend slim /var/run expression
Allow semodule to create symlink in semanage_store_t
Allow capabilities for syslog-ng
* Wed Apr 24 2013 Chris PeBenito <selinux@tresys.com> - 2.20130424
Chris PeBenito (78):
Mcelog update from Guido Trentalancia.
Add bird contrib module from Dominick Grift.
Minor whitespace fix in udev.fc
Module version bump for udev binary location update from Sven Vermeulen.
clarify the file_contexts.subs_dist configuration file usage from Guido
Trentalancia
Update contrib.
Remove trailing / from paths
Module version bump for fc substitutions optimizations from Sven
Vermeulen.
Update contrib.
Module version bump for /run/dhcpc directory creation by dhcp from Sven
Vermeulen.
Module version bump for fc fixes in devices module from Dominick Grift.
Update contrib.
Module version bump for /dev/mei type and label from Dominick Grift.
Module version bump for init_daemon_run_dirs usage from Sven Vermeulen.
Module version bump for lost+found labeling in /var/log from Guido
Trentalancia.
Module version bump for loop-control patch.
Turn off all tunables by default, from Guido Trentalancia.
Add /usr/lib to TEST_TOOLCHAIN LD_LIBRARY_PATH.
Module version bump for various changes from Sven Vermeulen.
Module version bump for ports update from Dominick Grift.
Module version bump for Debian file context updates from Laurent
Bigonville.
Update contrib.
Update contrib.
split kmod fc into two lines.
Module version bump for kmod fc from Laurent Bigonville.
Module version bump for cfengine fc change from Dominick Grift.
Module verision bump for Debian cert file fc update from Laurent
Bigonville.
Module version bump for ipsec net sysctls reading from Miroslav Grepl.
Module version bump for srvloc port definition from Dominick Grift.
Rename cachefiles_dev_t to cachefiles_device_t.
Module version bump for cachefiles core support.
Module version bump for changes from Dominick Grift and Sven Vermeulen.
Module version bump for modutils patch from Dominick Grift.
Module version bump for dhcp6 ports, from Russell Coker.
Rearrange new xserver interfaces.
Rename new xserver interfaces.
Module version bump for xserver interfaces from Dominick Grift.
Move kernel_stream_connect() declaration.
Module version bump for kernel_stream_connect() from Dominick Grift.
Rename logging_search_all_log_dirs to logging_search_all_logs
Module version bump for minor logging and sysnet changes from Sven
Vermeulen.
Module version bump for dovecot libs from Mika Pflueger.
Rearrange interfaces in files, clock, and udev.
Module version bump for interfaces used by virt from Dominick Grift.
Module version bump for arping setcap from Dominick Grift.
Rearrange devices interfaces.
Module version bump/contrib sync.
Rearrange lines.
Module version bump for user home content fixes from Dominick Grift.
Rearrange files interfaces.
Module version bump for Gentoo openrc fixes for /run from Sven Vermeulen.
Update contrib.
Whitespace fix in miscfiles.fc.
Adjust man cache interface names.
Module version bump for man cache from Dominick Grift.
Module version bump for Debian ssh-keysign location from Laurent
Bigonville.
Module version bump for userdomain portion of XDG updates from Dominick
Grift.
Module version bump for iptables fc entry from Sven Vermeulen and inn log
from Dominick Grift.
Module version bump for logging and tcpdump fixes from Sven Vermeulen.
Move mcs_constrained() impementation.
Module version bump for mcs_constrained from Dominick Grift.
Update contrib.
Module version bump from Debian changes from Laurent Bigonville.
Module version bump for zfs labeling from Matthew Thode.
Module version bump for misc updates from Sven Vermeulen.
Update contrib.
Module version bump for fixes from Dominick Grift.
Module version bump for Debian updates from Laurent Bigonville.
Fix bug in userdom_delete_all_user_home_content_files() from Kohei KaiGai.
Update contrib
Fix fc_sort.c warning uncovered by recent gcc
Module version bump for chfn fixes from Sven Vermeulen.
Add swapoff fc entry.
Add conntrack fc entry.
Update contrib.
Update contrib
Archive old Changelog for log format change.
Bump module versions for release.
Dominick Grift (40):
There can be more than a single watchdog interface
Fix a suspected typo
Intel® Active Management Technology
Declare a loop control device node type and label /dev/loop-control
accordingly
Declare port types for ports used by Fedora but use /etc/services for port
names rather than using fedora port names. If /etc/services does not
have a port name for a port used by Fedora, skip for now.
Remove var_log_t file context spec
svrloc port type declaration from slpd policy module
Declare a cachfiles device node type
Implement files_create_all_files_as() for cachefilesd
Restricted Xwindows user domains run windows managers in the windows
managers domain
Declare a cslistener port type for phpfpm
Changes to the sysnetwork policy module
Changes to the userdomain policy module
Changes to the bootloader policy module
Changes to the modutils policy module
Changes to the xserver policy module
Changes to various policy modules
Changes to the kernel policy module
For svirt_lxc_domain
For svirt_lxc_domain
For svirt_lxc_domain
For virtd lxc
For virtd_lxc
For virtd_lxc
For virtd lxc
For virtd lxc
For virtd
Arping needs setcap to cap_set_proc
For virtd
Changes to the user domain policy module
Samhain_admin() now requires a role for the role_transition from $1 to
initrc_t via samhain_initrc_exec_t
Changes to the user domain policy module
Label /var/cache/man with a private man cache type for mandb
Create a attribute user_home_content_type and assign it to all types that
are classified userdom_user_home_content()
These two attribute are unused
System logger creates innd log files with a named file transition
Implement mcs_constrained_type
Changes to the init policy module
Changes to the userdomain policy module
NSCD related changes in various policy modules
Guido Trentalancia (1):
add lost+found filesystem labels to support NSA security guidelines
Laurent Bigonville (21):
Add Debian locations for GDM 3
Add Debian location for udisks helpers
Add insmod_exec_t label for kmod executable
Add Debian location for PKI files
Add Debian location for ssh-keysign
Properly label all the ssh host keys
Allow udev_t domain to read files labeled as consolekit_var_run_t
authlogin.if: Add auth_create_pam_console_data_dirs and
auth_pid_filetrans_pam_var_console interfaces
Label /etc/rc.d/init.d/x11-common as xdm_exec_t
Drop /etc/rc.d/init.d/xfree86-common filecontext definition
Label /var/run/shm as tmpfs_t for Debian
Label /var/run/motd.dynamic as initrc_var_run_t
Label /var/run/initctl as initctl_t
udev.if: Call files_search_pid instead of files_search_var_lib in
udev_manage_pid_files
Label executables in /usr/lib/NetworkManager/ as bin_t
Add support for rsyslog
Label var_lock_t as a mountpoint
Add mount_var_run_t type and allow mount_t domain to manage the files and
directories
Add initrc_t to use block_suspend capability
Label executables under /usr/lib/gnome-settings-daemon/ as bin_t
Label nut drivers that are installed in /lib/nut on Debian as bin_t
Matthew Thode (1):
Implement zfs support
Mika Pflüger (2):
Debian locations of gvfs and kde4 libexec binaries in /usr/lib
Explicitly label dovecot libraries lib_t for debian
Miroslav Grepl (1):
Allow ipsec to read kernel sysctl
Paul Moore (1):
flask: add the attach_queue permission to the tun_socket object class
Russell Coker (1):
Label port 5546 as dhcpc_port_t and allow dhcpc_t to bind to TCP for
client control
Sven Vermeulen (27):
New location for udevd binary
Use substititions for /usr/local/lib and /etc/init.d
DHCP client's hooks create /run/dhcpc directory
Introduce init_daemon_run_dir transformation
Use the init_daemon_run_dir interface for udev
Allow initrc_t to create run dirs for core modules
Puppet uses mount output for verification
Allow syslogd to create /var/lib/syslog and
/var/lib/misc/syslog-ng.persist
Gentoo's openrc does not require initrc_exec_t for runscripts anymore
Allow init scripts to read courier configuration
Allow search within postgresql var directory for the stream connect
interface
Introduce logging_getattr_all_logs interface
Introduce logging_search_all_log_dirs interface
Support flushing routing cache
Allow init to set attributes on device_t
Introduce files_manage_all_pids interface
Gentoo openrc migrates /var/run and /var/lock data to /run(/lock)
Update files_manage_generic_locks with directory permissions
Run ipset in iptables domain
tcpdump chroots into /var/lib/tcpdump
Remove generic log label for cron location
Postgresql 9.2 connects to its unix stream socket
lvscan creates the /run/lock/lvm directory if nonexisting (v2)
Allow syslogger to manage cron log files (v2)
Allow initrc_t to read stunnel configuration
Introduce exec-check interfaces for passwd binaries and useradd binaries
chfn_t reads in file context information and executes nscd
Reference in New Issue View Git Blame Copy Permalink