# github repo with selinux-policy sources
%global giturl https://github.com/fedora-selinux/selinux-policy
%global commit 98619aa5ab8e1adf058c1d17c562750d2e7a1e36
%global shortcommit %(c=%{commit}; echo ${c:0:7})

%define distro redhat
%define polyinstatiate n
%define monolithic n
%if %{?BUILD_DOC:0}%{!?BUILD_DOC:1}
%define BUILD_DOC 1
%endif
%if %{?BUILD_TARGETED:0}%{!?BUILD_TARGETED:1}
%define BUILD_TARGETED 1
%endif
%if %{?BUILD_MINIMUM:0}%{!?BUILD_MINIMUM:1}
%define BUILD_MINIMUM 1
%endif
%if %{?BUILD_MLS:0}%{!?BUILD_MLS:1}
%define BUILD_MLS 1
%endif
%define POLICYVER 33
%define POLICYCOREUTILSVER 3.4-1
%define CHECKPOLICYVER 3.2
Summary: SELinux policy configuration
Name: selinux-policy
Version: 38.6
Release: 1%{?dist}
License: GPL-2.0-or-later
Source: %{giturl}/archive/%{commit}/%{name}-%{shortcommit}.tar.gz
Source1: modules-targeted-base.conf
Source31: modules-targeted-contrib.conf
Source2: booleans-targeted.conf
Source3: Makefile.devel
Source4: setrans-targeted.conf
Source5: modules-mls-base.conf
Source32: modules-mls-contrib.conf
Source6: booleans-mls.conf
Source8: setrans-mls.conf
Source14: securetty_types-targeted
Source15: securetty_types-mls
#Source16: modules-minimum.conf
Source17: booleans-minimum.conf
Source18: setrans-minimum.conf
Source19: securetty_types-minimum
Source20: customizable_types
Source22: users-mls
Source23: users-targeted
Source25: users-minimum
Source26: file_contexts.subs_dist
Source27: selinux-policy.conf
Source28: permissivedomains.cil
Source30: booleans.subs_dist

# Tool that helps during policy development by expanding system m4 macros to raw allow rules
# Git repo: https://github.com/fedora-selinux/macro-expander.git
Source33: macro-expander

# Include the SELinux policy for containers from the separate container-selinux repo
# Git repo: https://github.com/containers/container-selinux.git
Source35: container-selinux.tgz

Source36: selinux-check-proper-disable.service

# Provide rpm macros for packages installing SELinux modules
Source102: rpm.macros

Url: %{giturl}
BuildArch: noarch
BuildRequires: python3 gawk checkpolicy >= %{CHECKPOLICYVER} m4 policycoreutils-devel >= %{POLICYCOREUTILSVER} bzip2
BuildRequires: make
BuildRequires: systemd-rpm-macros
Requires(pre): policycoreutils >= %{POLICYCOREUTILSVER}
Requires(post): /bin/awk /usr/bin/sha512sum
Requires(meta): rpm-plugin-selinux
Requires: selinux-policy-any = %{version}-%{release}
Provides: selinux-policy-base = %{version}-%{release}
Suggests: selinux-policy-targeted

%description
SELinux core policy package.
Originally based on the reference policy,
the policy has been adjusted to provide support for Fedora.

%files
%{!?_licensedir:%global license %%doc}
%license COPYING
%dir %{_datadir}/selinux
%dir %{_datadir}/selinux/packages
%dir %{_sysconfdir}/selinux
%ghost %config(noreplace) %{_sysconfdir}/selinux/config
%ghost %{_sysconfdir}/sysconfig/selinux
%{_usr}/lib/tmpfiles.d/selinux-policy.conf
%{_rpmconfigdir}/macros.d/macros.selinux-policy
%{_unitdir}/selinux-check-proper-disable.service

%package sandbox
Summary: SELinux sandbox policy
Requires(pre): selinux-policy-base = %{version}-%{release}
Requires(pre): selinux-policy-targeted = %{version}-%{release}

%description sandbox
SELinux sandbox policy for use with the sandbox utility.

%files sandbox
%verify(not md5 size mtime) %{_datadir}/selinux/packages/sandbox.pp

%post sandbox
rm -f %{_sysconfdir}/selinux/*/modules/active/modules/sandbox.pp.disabled 2>/dev/null
rm -f %{_sharedstatedir}/selinux/*/active/modules/disabled/sandbox 2>/dev/null
%{_sbindir}/semodule -n -X 100 -i %{_datadir}/selinux/packages/sandbox.pp
if %{_sbindir}/selinuxenabled ; then
    %{_sbindir}/load_policy
fi;
exit 0

%preun sandbox
if [ $1 -eq 0 ] ; then
    %{_sbindir}/semodule -n -d sandbox 2>/dev/null
    if %{_sbindir}/selinuxenabled ; then
        %{_sbindir}/load_policy
    fi;
fi;
exit 0

%package devel
Summary: SELinux policy development files
Requires(pre): selinux-policy = %{version}-%{release}
Requires: selinux-policy = %{version}-%{release}
Requires: m4 checkpolicy >= %{CHECKPOLICYVER}
Requires: /usr/bin/make
Requires(post): policycoreutils-devel >= %{POLICYCOREUTILSVER}

%description devel
SELinux policy development package.
This package contains:
- interfaces, macros, and patterns for policy development
- a policy example
- the macro-expander utility
and some additional files.

%files devel
%{_bindir}/macro-expander
%dir %{_datadir}/selinux/devel
%dir %{_datadir}/selinux/devel/include
%{_datadir}/selinux/devel/include/*
%exclude %{_datadir}/selinux/devel/include/contrib/container.if
%dir %{_datadir}/selinux/devel/html
%{_datadir}/selinux/devel/html/*html
%{_datadir}/selinux/devel/html/*css
%{_datadir}/selinux/devel/Makefile
%{_datadir}/selinux/devel/example.*
%{_datadir}/selinux/devel/policy.*
%ghost %verify(not md5 size mode mtime) %{_sharedstatedir}/sepolgen/interface_info

%post devel
%{_sbindir}/selinuxenabled && %{_bindir}/sepolgen-ifgen 2>/dev/null
exit 0

%package doc
Summary: SELinux policy documentation
Requires(pre): selinux-policy = %{version}-%{release}
Requires: selinux-policy = %{version}-%{release}

%description doc
SELinux policy documentation package.
This package contains manual pages and documentation of the policy modules.

%files doc
%{_mandir}/man*/*
%{_mandir}/ru/*/*
%doc %{_datadir}/doc/%{name}

%define common_params DISTRO=%{distro} UBAC=n DIRECT_INITRC=n MONOLITHIC=%{monolithic} MLS_CATS=1024 MCS_CATS=1024

%define makeCmds() \
%make_build %common_params UNK_PERMS=%3 NAME=%1 TYPE=%2 bare \
%make_build %common_params UNK_PERMS=%3 NAME=%1 TYPE=%2 conf \
cp -f selinux_config/booleans-%1.conf ./policy/booleans.conf \
cp -f selinux_config/users-%1 ./policy/users \
#cp -f selinux_config/modules-%1-base.conf  ./policy/modules.conf \

%define makeModulesConf() \
cp -f selinux_config/modules-%1-%2.conf  ./policy/modules-base.conf \
cp -f selinux_config/modules-%1-%2.conf  ./policy/modules.conf \
if [ %3 == "contrib" ];then \
	cp selinux_config/modules-%1-%3.conf ./policy/modules-contrib.conf; \
	cat selinux_config/modules-%1-%3.conf >> ./policy/modules.conf; \
fi; \

%define installCmds() \
%make_build %common_params UNK_PERMS=%3 NAME=%1 TYPE=%2 base.pp \
%make_build %common_params UNK_PERMS=%3 NAME=%1 TYPE=%2 validate modules \
make %common_params UNK_PERMS=%3 NAME=%1 TYPE=%2 DESTDIR=%{buildroot} install \
make %common_params UNK_PERMS=%3 NAME=%1 TYPE=%2 DESTDIR=%{buildroot} install-appconfig \
make %common_params UNK_PERMS=%3 NAME=%1 TYPE=%2 DESTDIR=%{buildroot} SEMODULE="%{_sbindir}/semodule -p %{buildroot} -X 100 " load \
%{__mkdir} -p %{buildroot}%{_sysconfdir}/selinux/%1/logins \
touch %{buildroot}%{_sysconfdir}/selinux/%1/contexts/files/file_contexts.subs \
install -m0644 selinux_config/securetty_types-%1 %{buildroot}%{_sysconfdir}/selinux/%1/contexts/securetty_types \
install -m0644 selinux_config/file_contexts.subs_dist %{buildroot}%{_sysconfdir}/selinux/%1/contexts/files \
install -m0644 selinux_config/setrans-%1.conf %{buildroot}%{_sysconfdir}/selinux/%1/setrans.conf \
install -m0644 selinux_config/customizable_types %{buildroot}%{_sysconfdir}/selinux/%1/contexts/customizable_types \
touch %{buildroot}%{_sysconfdir}/selinux/%1/contexts/files/file_contexts.bin \
touch %{buildroot}%{_sysconfdir}/selinux/%1/contexts/files/file_contexts.local \
touch %{buildroot}%{_sysconfdir}/selinux/%1/contexts/files/file_contexts.local.bin \
cp %{SOURCE30} %{buildroot}%{_sysconfdir}/selinux/%1 \
rm -f %{buildroot}%{_datadir}/selinux/%1/*pp*  \
%{_bindir}/sha512sum %{buildroot}%{_sysconfdir}/selinux/%1/policy/policy.%{POLICYVER} | cut -d' ' -f 1 > %{buildroot}%{_sysconfdir}/selinux/%1/.policy.sha512; \
rm -rf %{buildroot}%{_sysconfdir}/selinux/%1/contexts/netfilter_contexts  \
rm -rf %{buildroot}%{_sysconfdir}/selinux/%1/modules/active/policy.kern \
rm -f %{buildroot}%{_sharedstatedir}/selinux/%1/active/*.linked \
%nil

%define fileList() \
%defattr(-,root,root) \
%dir %{_sysconfdir}/selinux/%1 \
%config(noreplace) %{_sysconfdir}/selinux/%1/setrans.conf \
%config(noreplace) %verify(not md5 size mtime) %{_sysconfdir}/selinux/%1/seusers \
%dir %{_sysconfdir}/selinux/%1/logins \
%dir %{_sharedstatedir}/selinux/%1/active \
%verify(not md5 size mtime) %{_sharedstatedir}/selinux/%1/semanage.read.LOCK \
%verify(not md5 size mtime) %{_sharedstatedir}/selinux/%1/semanage.trans.LOCK \
%dir %attr(700,root,root) %{_sharedstatedir}/selinux/%1/active/modules \
%verify(not md5 size mtime) %{_sharedstatedir}/selinux/%1/active/modules/100/base \
%dir %{_sysconfdir}/selinux/%1/policy/ \
%verify(not md5 size mtime) %{_sysconfdir}/selinux/%1/policy/policy.%{POLICYVER} \
%{_sysconfdir}/selinux/%1/.policy.sha512 \
%dir %{_sysconfdir}/selinux/%1/contexts \
%config %{_sysconfdir}/selinux/%1/contexts/customizable_types \
%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/securetty_types \
%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/dbus_contexts \
%config %{_sysconfdir}/selinux/%1/contexts/x_contexts \
%config %{_sysconfdir}/selinux/%1/contexts/default_contexts \
%config %{_sysconfdir}/selinux/%1/contexts/virtual_domain_context \
%config %{_sysconfdir}/selinux/%1/contexts/virtual_image_context \
%config %{_sysconfdir}/selinux/%1/contexts/lxc_contexts \
%config %{_sysconfdir}/selinux/%1/contexts/systemd_contexts \
%config %{_sysconfdir}/selinux/%1/contexts/sepgsql_contexts \
%config %{_sysconfdir}/selinux/%1/contexts/openssh_contexts \
%config %{_sysconfdir}/selinux/%1/contexts/snapperd_contexts \
%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/default_type \
%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/failsafe_context \
%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/initrc_context \
%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/removable_context \
%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/userhelper_context \
%dir %{_sysconfdir}/selinux/%1/contexts/files \
%verify(not md5 size mtime) %{_sysconfdir}/selinux/%1/contexts/files/file_contexts \
%ghost %{_sysconfdir}/selinux/%1/contexts/files/file_contexts.bin \
%verify(not md5 size mtime) %{_sysconfdir}/selinux/%1/contexts/files/file_contexts.homedirs \
%ghost %{_sysconfdir}/selinux/%1/contexts/files/file_contexts.homedirs.bin \
%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/files/file_contexts.local \
%ghost %{_sysconfdir}/selinux/%1/contexts/files/file_contexts.local.bin \
%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/files/file_contexts.subs \
%{_sysconfdir}/selinux/%1/contexts/files/file_contexts.subs_dist \
%{_sysconfdir}/selinux/%1/booleans.subs_dist \
%config %{_sysconfdir}/selinux/%1/contexts/files/media \
%dir %{_sysconfdir}/selinux/%1/contexts/users \
%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/users/root \
%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/users/guest_u \
%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/users/xguest_u \
%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/users/user_u \
%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/users/staff_u \
%dir %{_datadir}/selinux/%1 \
%{_datadir}/selinux/%1/base.lst \
%{_datadir}/selinux/%1/modules-base.lst \
%{_datadir}/selinux/%1/modules-contrib.lst \
%{_datadir}/selinux/%1/nonbasemodules.lst \
%dir %{_sharedstatedir}/selinux/%1 \
%verify(not md5 size mtime) %{_sharedstatedir}/selinux/%1/active/commit_num \
%verify(not md5 size mtime) %{_sharedstatedir}/selinux/%1/active/users_extra \
%verify(not md5 size mtime) %{_sharedstatedir}/selinux/%1/active/homedir_template \
%verify(not md5 size mtime) %{_sharedstatedir}/selinux/%1/active/seusers \
%verify(not md5 size mtime) %{_sharedstatedir}/selinux/%1/active/file_contexts \
%verify(not md5 size mtime) %{_sharedstatedir}/selinux/%1/active/policy.kern \
%ghost %{_sharedstatedir}/selinux/%1/active/policy.linked \
%ghost %{_sharedstatedir}/selinux/%1/active/seusers.linked \
%ghost %{_sharedstatedir}/selinux/%1/active/users_extra.linked \
%verify(not md5 size mtime) %{_sharedstatedir}/selinux/%1/active/file_contexts.homedirs \
%verify(not md5 size mtime) %{_sharedstatedir}/selinux/%1/active/modules_checksum \
%nil

%define relabel() \
if [ -s %{_sysconfdir}/selinux/config ]; then \
    . %{_sysconfdir}/selinux/config &> /dev/null || true; \
fi; \
FILE_CONTEXT=%{_sysconfdir}/selinux/%1/contexts/files/file_contexts; \
if %{_sbindir}/selinuxenabled && [ "${SELINUXTYPE}" = %1 -a -f ${FILE_CONTEXT}.pre ]; then \
     %{_sbindir}/fixfiles -C ${FILE_CONTEXT}.pre restore &> /dev/null > /dev/null; \
     rm -f ${FILE_CONTEXT}.pre; \
fi; \
# rebuilding the rpm database still can sometimes result in an incorrect context \
%{_sbindir}/restorecon -R /usr/lib/sysimage/rpm \
if %{_sbindir}/restorecon -e /run/media -R /root /var/log /var/run /etc/passwd* /etc/group* /etc/*shadow* 2> /dev/null;then \
    continue; \
fi;

%define preInstall() \
if [ $1 -ne 1 ] && [ -s %{_sysconfdir}/selinux/config ]; then \
     for MOD_NAME in ganesha ipa_custodia kdbus; do \
        if [ -d %{_sharedstatedir}/selinux/%1/active/modules/100/$MOD_NAME ]; then \
           %{_sbindir}/semodule -n -d $MOD_NAME; \
        fi; \
     done; \
     . %{_sysconfdir}/selinux/config; \
     FILE_CONTEXT=%{_sysconfdir}/selinux/%1/contexts/files/file_contexts; \
     if [ "${SELINUXTYPE}" = %1 -a -f ${FILE_CONTEXT} ]; then \
        [ -f ${FILE_CONTEXT}.pre ] || cp -f ${FILE_CONTEXT} ${FILE_CONTEXT}.pre; \
     fi; \
     touch %{_sysconfdir}/selinux/%1/.rebuild; \
     if [ -e %{_sysconfdir}/selinux/%1/.policy.sha512 ]; then \
        POLICY_FILE=`ls %{_sysconfdir}/selinux/%1/policy/policy.* | sort | head -1` \
        sha512=`sha512sum $POLICY_FILE | cut -d ' ' -f 1`; \
	checksha512=`cat %{_sysconfdir}/selinux/%1/.policy.sha512`; \
	if [ "$sha512" == "$checksha512" ] ; then \
		rm %{_sysconfdir}/selinux/%1/.rebuild; \
	fi; \
   fi; \
fi;

%define postInstall() \
if [ -s %{_sysconfdir}/selinux/config ]; then \
    . %{_sysconfdir}/selinux/config &> /dev/null || true; \
fi; \
if [ -e %{_sysconfdir}/selinux/%2/.rebuild ]; then \
   rm %{_sysconfdir}/selinux/%2/.rebuild; \
fi; \
%{_sbindir}/semodule -B -n -s %2; \
[ "${SELINUXTYPE}" == "%2" ] && %{_sbindir}/selinuxenabled && load_policy; \
if [ %1 -eq 1 ]; then \
   %{_sbindir}/restorecon -R /root /var/log /run /etc/passwd* /etc/group* /etc/*shadow* 2> /dev/null; \
else \
%relabel %2 \
fi;

%define modulesList() \
awk '$1 !~ "/^#/" && $2 == "=" && $3 == "module" { printf "%%s ", $1 }' ./policy/modules-base.conf > %{buildroot}%{_datadir}/selinux/%1/modules-base.lst \
awk '$1 !~ "/^#/" && $2 == "=" && $3 == "base" { printf "%%s ", $1 }' ./policy/modules-base.conf > %{buildroot}%{_datadir}/selinux/%1/base.lst \
if [ -e ./policy/modules-contrib.conf ];then \
	awk '$1 !~ "/^#/" && $2 == "=" && $3 == "module" { printf "%%s ", $1 }' ./policy/modules-contrib.conf > %{buildroot}%{_datadir}/selinux/%1/modules-contrib.lst; \
fi;

%define nonBaseModulesList() \
contrib_modules=`cat %{buildroot}%{_datadir}/selinux/%1/modules-contrib.lst` \
base_modules=`cat %{buildroot}%{_datadir}/selinux/%1/modules-base.lst` \
for i in $contrib_modules $base_modules; do \
    if [ $i != "sandbox" ];then \
        echo "%verify(not md5 size mtime) %{_sharedstatedir}/selinux/%1/active/modules/100/$i" >> %{buildroot}%{_datadir}/selinux/%1/nonbasemodules.lst \
    fi; \
done;

# Make sure the config is consistent with what packages are installed in the system.
# This covers cases when the system is installed with selinux-policy-{mls,minimal}
# or selinux-policy-{targeted,mls,minimal} were switched but the machine has not
# been rebooted yet.
# The macro should be called at the beginning of "post" (to make sure load_policy does not fail)
# and in "posttrans" (to make sure that the store is consistent when all package transitions are done).
# The parameter determines the policy type to be set in case of misconfiguration (if the backup value is not usable).
# Steps:
# * load values from config and its backup
# * check whether SELINUXTYPE from backup is usable and make sure that it's set in the config if so
# * use "targeted" if it's being installed and BACKUP_SELINUXTYPE cannot be used
# * check whether SELINUXTYPE in the config is usable and change it to newly installed policy if it isn't
%define checkConfigConsistency() \
if [ -f %{_sysconfdir}/selinux/.config_backup ]; then \
    . %{_sysconfdir}/selinux/.config_backup; \
else \
    BACKUP_SELINUXTYPE=targeted; \
fi; \
if [ -s %{_sysconfdir}/selinux/config ]; then \
    . %{_sysconfdir}/selinux/config; \
    if ls %{_sysconfdir}/selinux/$BACKUP_SELINUXTYPE/policy/policy.* &>/dev/null; then \
        if [ "$BACKUP_SELINUXTYPE" != "$SELINUXTYPE" ]; then \
            sed -i 's/^SELINUXTYPE=.*/SELINUXTYPE='"$BACKUP_SELINUXTYPE"'/g' %{_sysconfdir}/selinux/config; \
        fi; \
    elif [ "%1" = "targeted" ]; then \
        if [ "%1" != "$SELINUXTYPE" ]; then \
            sed -i 's/^SELINUXTYPE=.*/SELINUXTYPE=%1/g' %{_sysconfdir}/selinux/config; \
        fi; \
    elif ! ls  %{_sysconfdir}/selinux/$SELINUXTYPE/policy/policy.* &>/dev/null; then \
        if [ "%1" != "$SELINUXTYPE" ]; then \
            sed -i 's/^SELINUXTYPE=.*/SELINUXTYPE=%1/g' %{_sysconfdir}/selinux/config; \
        fi; \
    fi; \
fi;

# Create a hidden backup of /etc/selinux/config and prepend BACKUP_ to the names
# of the variables inside so that they are easy to use later.
# This should be done in "pretrans" because the config content can change during RPM operations.
# The macro has to be used in a script slot with "-p <lua>".
%define backupConfigLua() \
local sysconfdir = rpm.expand("%{_sysconfdir}") \
local config_file = sysconfdir .. "/selinux/config" \
local config_backup = sysconfdir .. "/selinux/.config_backup" \
os.remove(config_backup) \
if posix.stat(config_file) then \
    local f = assert(io.open(config_file, "r"), "Failed to read " .. config_file) \
    local content = f:read("*all") \
    f:close() \
    local backup = content:gsub("SELINUX", "BACKUP_SELINUX") \
    local bf = assert(io.open(config_backup, "w"), "Failed to open " .. config_backup) \
    bf:write(backup) \
    bf:close() \
end

%build

%prep
%autosetup -p 1 -n %{name}-%{commit}
tar -C policy/modules/contrib -xf %{SOURCE35}

mkdir selinux_config
for i in %{SOURCE1} %{SOURCE2} %{SOURCE3} %{SOURCE4} %{SOURCE5} %{SOURCE6} %{SOURCE8} %{SOURCE14} %{SOURCE15} %{SOURCE17} %{SOURCE18} %{SOURCE19} %{SOURCE20} %{SOURCE22} %{SOURCE23} %{SOURCE25} %{SOURCE26} %{SOURCE31} %{SOURCE32};do
 cp $i selinux_config
done

%install
# Build targeted policy
%{__rm} -fR %{buildroot}
mkdir -p %{buildroot}%{_sysconfdir}/selinux
mkdir -p %{buildroot}%{_sysconfdir}/sysconfig
touch %{buildroot}%{_sysconfdir}/selinux/config
touch %{buildroot}%{_sysconfdir}/sysconfig/selinux
mkdir -p %{buildroot}%{_usr}/lib/tmpfiles.d/
cp %{SOURCE27} %{buildroot}%{_usr}/lib/tmpfiles.d/
mkdir -p %{buildroot}%{_bindir}
install -m 755  %{SOURCE33} %{buildroot}%{_bindir}/

# Always create policy module package directories
mkdir -p %{buildroot}%{_datadir}/selinux/{targeted,mls,minimum,modules}/
mkdir -p %{buildroot}%{_sharedstatedir}/selinux/{targeted,mls,minimum,modules}/

mkdir -p %{buildroot}%{_datadir}/selinux/packages

# Install devel
make clean
%if %{BUILD_TARGETED}
# Build targeted policy
%makeCmds targeted mcs allow
%makeModulesConf targeted base contrib
%installCmds targeted mcs allow
# install permissivedomains.cil
%{_sbindir}/semodule -p %{buildroot} -X 100 -s targeted -i %{SOURCE28}
# recreate sandbox.pp
rm -rf %{buildroot}%{_sharedstatedir}/selinux/targeted/active/modules/100/sandbox
%make_build %common_params UNK_PERMS=allow NAME=targeted TYPE=mcs sandbox.pp
mv sandbox.pp %{buildroot}%{_datadir}/selinux/packages/sandbox.pp
%modulesList targeted
%nonBaseModulesList targeted
%endif

%if %{BUILD_MINIMUM}
# Build minimum policy
%makeCmds minimum mcs allow
%makeModulesConf targeted base contrib
%installCmds minimum mcs allow
rm -rf %{buildroot}%{_sharedstatedir}/selinux/minimum/active/modules/100/sandbox
%modulesList minimum
%nonBaseModulesList minimum
%endif

%if %{BUILD_MLS}
# Build mls policy
%makeCmds mls mls deny
%makeModulesConf mls base contrib
%installCmds mls mls deny
%modulesList mls
%nonBaseModulesList mls
%endif

# remove leftovers when save-previous=true (semanage.conf) is used
rm -rf %{buildroot}%{_sharedstatedir}/selinux/{minimum,targeted,mls}/previous

mkdir -p %{buildroot}%{_mandir}
cp -R  man/* %{buildroot}%{_mandir}
make %common_params UNK_PERMS=allow NAME=targeted TYPE=mcs DESTDIR=%{buildroot} PKGNAME=%{name} install-docs
make %common_params UNK_PERMS=allow NAME=targeted TYPE=mcs DESTDIR=%{buildroot} PKGNAME=%{name} install-headers
mkdir %{buildroot}%{_datadir}/selinux/devel/
mv %{buildroot}%{_datadir}/selinux/targeted/include %{buildroot}%{_datadir}/selinux/devel/include
install -m 644 selinux_config/Makefile.devel %{buildroot}%{_datadir}/selinux/devel/Makefile
install -m 644 doc/example.* %{buildroot}%{_datadir}/selinux/devel/
install -m 644 doc/policy.* %{buildroot}%{_datadir}/selinux/devel/
%{_bindir}/sepolicy manpage -a -p %{buildroot}%{_datadir}/man/man8/ -w -r %{buildroot}
mkdir %{buildroot}%{_datadir}/selinux/devel/html
mv %{buildroot}%{_datadir}/man/man8/*.html %{buildroot}%{_datadir}/selinux/devel/html
mv %{buildroot}%{_datadir}/man/man8/style.css %{buildroot}%{_datadir}/selinux/devel/html

mkdir -p %{buildroot}%{_rpmconfigdir}/macros.d
install -m 644 %{SOURCE102} %{buildroot}%{_rpmconfigdir}/macros.d/macros.selinux-policy
sed -i 's/SELINUXPOLICYVERSION/%{version}-%{release}/' %{buildroot}%{_rpmconfigdir}/macros.d/macros.selinux-policy
sed -i 's@SELINUXSTOREPATH@%{_sharedstatedir}/selinux@' %{buildroot}%{_rpmconfigdir}/macros.d/macros.selinux-policy

mkdir -p %{buildroot}%{_unitdir}
install -m 644 %{SOURCE36} %{buildroot}%{_unitdir}

rm -rf selinux_config

%post
%systemd_post selinux-check-proper-disable.service
if [ ! -s %{_sysconfdir}/selinux/config ]; then
#
#     New install so we will default to targeted policy
#
echo "
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
# See also:
# https://docs.fedoraproject.org/en-US/quick-docs/getting-started-with-selinux/#getting-started-with-selinux-selinux-states-and-modes
#
# NOTE: In earlier Fedora kernel builds, SELINUX=disabled would also
# fully disable SELinux during boot. If you need a system with SELinux
# fully disabled instead of SELinux running with no policy loaded, you
# need to pass selinux=0 to the kernel command line. You can use grubby
# to persistently set the bootloader to boot with selinux=0:
#
#    grubby --update-kernel ALL --args selinux=0
#
# To revert back to SELinux enabled:
#
#    grubby --update-kernel ALL --remove-args selinux
#
SELINUX=enforcing
# SELINUXTYPE= can take one of these three values:
#     targeted - Targeted processes are protected,
#     minimum - Modification of targeted policy. Only selected processes are protected.
#     mls - Multi Level Security protection.
SELINUXTYPE=targeted

" > %{_sysconfdir}/selinux/config
fe2076
     ln -sf ../selinux/config %{_sysconfdir}/sysconfig/selinux
Ondrej Mosnacek 2a989a
     %{_sbindir}/restorecon %{_sysconfdir}/selinux/config 2> /dev/null || :
Nalin Dahyabhai af6090
else
Ondrej Mosnacek 2a989a
     . %{_sysconfdir}/selinux/config
Nalin Dahyabhai af6090
fi
Daniel J Walsh 081b6a
exit 0
Daniel J Walsh 9c64bb
Ondrej Mosnacek fd6943
%preun
Ondrej Mosnacek fd6943
%systemd_preun selinux-check-proper-disable.service
Ondrej Mosnacek fd6943
Daniel J Walsh 5ff36d
%postun
Ondrej Mosnacek fd6943
%systemd_postun selinux-check-proper-disable.service
Daniel J Walsh bbaa1f
if [ $1 = 0 ]; then
Ondrej Mosnacek 2a989a
     %{_sbindir}/setenforce 0 2> /dev/null
Ondrej Mosnacek 2a989a
     if [ ! -s %{_sysconfdir}/selinux/config ]; then
Ondrej Mosnacek 2a989a
          echo "SELINUX=disabled" > %{_sysconfdir}/selinux/config
Daniel J Walsh 487de6
     else
Ondrej Mosnacek 2a989a
          sed -i 's/^SELINUX=.*/SELINUX=disabled/g' %{_sysconfdir}/selinux/config
Daniel J Walsh 487de6
     fi
Daniel J Walsh 5ff36d
fi
Daniel J Walsh a4ec9b
exit 0
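The %post and %postun scriptlets above read /etc/selinux/config by sourcing it and force SELINUX=disabled on package removal with a single sed. The following is an added example, not part of selinux-policy.spec: it extracts a key without executing the file, and rewrites the SELINUX= state the way the scriptlets do while also covering a non-empty config that has no SELINUX= line at all, a case the spec's sed would silently leave unchanged (the system would stay enforcing with no policy package installed). The file path is a parameter so it can be exercised on a scratch copy; the real file is %{_sysconfdir}/selinux/config.

```shell
#!/bin/sh
# Added example (not from selinux-policy.spec): read and rewrite the
# SELINUX= state in an /etc/selinux/config-style file without sourcing it.
# FILE is a parameter so this runs on a scratch copy; the spec operates on
# %{_sysconfdir}/selinux/config.

# Print the value of KEY from FILE as a shell `source` would see it: the last
# uncommented KEY=value line wins and surrounding quotes are dropped.
# Returns 1 when the file is missing/empty or KEY is not set.
selinux_config_get() {
    _key=$1
    _file=$2
    [ -s "$_file" ] || return 1
    _val=$(sed -n "s/^[[:space:]]*${_key}=[[:space:]]*//p" "$_file" \
        | sed -e 's/[[:space:]]*$//' -e 's/^"\(.*\)"$/\1/' -e "s/^'\(.*\)'\$/\1/" \
        | tail -n 1)
    [ -n "$_val" ] || return 1
    printf '%s\n' "$_val"
}

# Force SELINUX=disabled, mirroring the %postun scriptlets, but also handle a
# non-empty file with no SELINUX= line (the spec's sed would leave it as is).
# The rewrite goes through cat so the inode, mode and label of FILE survive.
selinux_config_set_disabled() {
    _file=$1
    if [ ! -s "$_file" ]; then
        echo "SELINUX=disabled" > "$_file"
    elif grep -q '^SELINUX=' "$_file"; then
        _tmp=$(mktemp) || return 1
        sed 's/^SELINUX=.*/SELINUX=disabled/' "$_file" > "$_tmp" \
            && cat "$_tmp" > "$_file"
        rm -f "$_tmp"
    else
        echo "SELINUX=disabled" >> "$_file"
    fi
}

# Constructed demo input (a scratch file, not the system config).
demo_dir=$(mktemp -d)
cat > "$demo_dir/config" <<'EOF'
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
SELINUX=enforcing
SELINUXTYPE=targeted
EOF
printf 'before: SELINUX=%s SELINUXTYPE=%s\n' \
    "$(selinux_config_get SELINUX "$demo_dir/config")" \
    "$(selinux_config_get SELINUXTYPE "$demo_dir/config")"
selinux_config_set_disabled "$demo_dir/config"
printf 'after:  SELINUX=%s SELINUXTYPE=%s\n' \
    "$(selinux_config_get SELINUX "$demo_dir/config")" \
    "$(selinux_config_get SELINUXTYPE "$demo_dir/config")"
rm -rf "$demo_dir"
```

Sourcing the config is safe here only because the file is root-owned under /etc; the sed-based reader is the habit to adopt in tooling that inspects configs it does not own. The grep-then-sed branch order matters: without the final `else` branch a file such as one containing only SELINUXTYPE=mls would keep SELinux enabled after the policy subpackage is gone.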
Daniel J Walsh 5ff36d
Daniel J Walsh bd3f0e
%if %{BUILD_TARGETED}
Daniel J Walsh bd3f0e
%package targeted
Zdenek Pytela e99b0b
Summary: SELinux targeted policy
Zdenek Pytela 4e04fa
Provides: selinux-policy-any = %{version}-%{release}
Daniel J Walsh d83af2
Obsoletes: selinux-policy-targeted-sources < 2
Daniel J Walsh 23e708
Requires(pre): policycoreutils >= %{POLICYCOREUTILSVER}
Daniel J Walsh d83af2
Requires(pre): coreutils
Daniel J Walsh d83af2
Requires(pre): selinux-policy = %{version}-%{release}
Daniel J Walsh 3b5466
Requires: selinux-policy = %{version}-%{release}
Daniel J Walsh b4cab5
Conflicts:  audispd-plugins <= 1.7.7-1
Daniel J Walsh 487de6
Obsoletes: mod_fcgid-selinux <= %{version}-%{release}
Daniel J Walsh bc4089
Obsoletes: cachefilesd-selinux <= 0.10-1
Daniel J Walsh 6b7b0c
Conflicts:  seedit
Dan Walsh fc9bf2
Conflicts:  389-ds-base < 1.2.7, 389-admin < 1.1.12
Lukas Vrabec ab3db2
Conflicts: container-selinux < 2:1.12.1-22
Daniel J Walsh bd3f0e
Daniel J Walsh bd3f0e
%description targeted
Zdenek Pytela e99b0b
SELinux targeted policy package.
Daniel J Walsh bd3f0e
Lukas Vrabec 2e12c9
%pretrans targeted -p <lua>
Lukas Vrabec 2e12c9
%backupConfigLua
Lukas Vrabec 2e12c9
Daniel J Walsh bd3f0e
%pre targeted
Dan Walsh 8a78e8
%preInstall targeted
Daniel J Walsh bd3f0e
Daniel J Walsh 9c64bb
%post targeted
Lukas Vrabec 2e12c9
%checkConfigConsistency targeted
Dan Walsh 857c81
%postInstall $1 targeted
Daniel J Walsh e080bb
exit 0
Daniel J Walsh d83af2
Lukas Vrabec 2e12c9
%posttrans targeted
Lukas Vrabec 2e12c9
%checkConfigConsistency targeted
Zdenek Pytela 7104f7
%{_sbindir}/restorecon -Ri /usr/lib/sysimage/rpm /var/lib/rpm
Lukas Vrabec 2e12c9
Petr Lautrbach 7f4032
%postun targeted
Petr Lautrbach 7f4032
if [ $1 = 0 ]; then
Adam Williamson 69200e
    if [ -s %{_sysconfdir}/selinux/config ]; then
Adam Williamson 69200e
        source %{_sysconfdir}/selinux/config &> /dev/null || true
Adam Williamson 69200e
    fi
Petr Lautrbach 7f4032
    if [ "$SELINUXTYPE" = "targeted" ]; then
Ondrej Mosnacek 2a989a
        %{_sbindir}/setenforce 0 2> /dev/null
ee6e28
        if [ ! -s %{_sysconfdir}/selinux/config ]; then
ee6e28
            echo "SELINUX=disabled" > %{_sysconfdir}/selinux/config
Petr Lautrbach 7f4032
        else
ee6e28
            sed -i 's/^SELINUX=.*/SELINUX=disabled/g' %{_sysconfdir}/selinux/config
Petr Lautrbach 7f4032
        fi
Petr Lautrbach 7f4032
    fi
Petr Lautrbach 7f4032
fi
Petr Lautrbach 7f4032
exit 0
Petr Lautrbach 7f4032
Petr Lautrbach 7f4032
Petr Lautrbach b15718
%triggerin -- pcre2
Ondrej Mosnacek 2a989a
%{_sbindir}/selinuxenabled && %{_sbindir}/semodule -nB
Dan Walsh 7c810a
exit 0
Dan Walsh 7c810a
Dan Walsh 1b0e09
%triggerpostun -- selinux-policy-targeted < 3.12.1-74
Ondrej Mosnacek 2a989a
rm -f %{_sysconfdir}/selinux/*/modules/active/modules/sandbox.pp.disabled 2>/dev/null
Dan Walsh 1b0e09
exit 0
Dan Walsh 1b0e09
Miroslav Grepl 57b06e
%triggerpostun targeted -- selinux-policy-targeted < 3.13.1-138
Miroslav Grepl 57b06e
CR=$'\n'
Miroslav Grepl 57b06e
INPUT=""
Ondrej Mosnacek 2a989a
for i in `find %{_sysconfdir}/selinux/targeted/modules/active/modules/ -name \*disabled`; do
Miroslav Grepl 57b06e
    module=`basename $i | sed 's/.pp.disabled//'`
Ondrej Mosnacek 2a989a
    if [ -d %{_sharedstatedir}/selinux/targeted/active/modules/100/$module ]; then
Ondrej Mosnacek 2a989a
        touch %{_sharedstatedir}/selinux/targeted/active/modules/disabled/$module
Miroslav Grepl 57b06e
    fi
Petr Lautrbach a345bb
done
Ondrej Mosnacek 2a989a
for i in `find %{_sysconfdir}/selinux/targeted/modules/active/modules/ -name \*.pp`; do
Miroslav Grepl 57b06e
    INPUT="${INPUT}${CR}module -N -a $i"
Petr Lautrbach a345bb
done
Ondrej Mosnacek 2a989a
for i in $(find %{_sysconfdir}/selinux/targeted/modules/active -name \*.local); do
Ondrej Mosnacek 2a989a
    cp $i %{_sharedstatedir}/selinux/targeted/active
Miroslav Grepl 982e48
done
Miroslav Grepl 57b06e
echo "$INPUT" | %{_sbindir}/semanage import -S targeted -N
Ondrej Mosnacek 2a989a
if %{_sbindir}/selinuxenabled ; then
Ondrej Mosnacek 2a989a
        %{_sbindir}/load_policy
Miroslav Grepl 57b06e
fi
Petr Lautrbach a345bb
exit 0
Petr Lautrbach a345bb
Ondrej Mosnacek 2a989a
%files targeted -f %{buildroot}%{_datadir}/selinux/targeted/nonbasemodules.lst
Daniel J Walsh 4d59c2
%config(noreplace) %{_sysconfdir}/selinux/targeted/contexts/users/unconfined_u
fe2076
%config(noreplace) %{_sysconfdir}/selinux/targeted/contexts/users/sysadm_u
Daniel J Walsh 4d59c2
%fileList targeted
Lukas Vrabec 7c8404
%verify(not md5 size mtime) %{_sharedstatedir}/selinux/targeted/active/modules/100/permissivedomains
Daniel J Walsh a4ec9b
%endif
Daniel J Walsh a4ec9b
Daniel J Walsh 675bba
%if %{BUILD_MINIMUM}
Daniel J Walsh 675bba
%package minimum
Zdenek Pytela e99b0b
Summary: SELinux minimum policy
Zdenek Pytela 4e04fa
Provides: selinux-policy-any = %{version}-%{release}
Miroslav Grepl 2fc3e7
Requires(post): policycoreutils-python-utils >= %{POLICYCOREUTILSVER}
Daniel J Walsh 675bba
Requires(pre): coreutils
Daniel J Walsh 675bba
Requires(pre): selinux-policy = %{version}-%{release}
Daniel J Walsh 3b5466
Requires: selinux-policy = %{version}-%{release}
Daniel J Walsh 6b7b0c
Conflicts:  seedit
Lukas Vrabec ab3db2
Conflicts: container-selinux <= 1.9.0-9
Daniel J Walsh 675bba
Daniel J Walsh 675bba
%description minimum
Zdenek Pytela e99b0b
SELinux minimum policy package.
Daniel J Walsh 675bba
Lukas Vrabec 2e12c9
%pretrans minimum -p <lua>
Lukas Vrabec 2e12c9
%backupConfigLua
Lukas Vrabec 2e12c9
Daniel J Walsh 675bba
%pre minimum
Dan Walsh 8a78e8
%preInstall minimum
Dan Walsh 857c81
if [ $1 -ne 1 ]; then
Ondrej Mosnacek 2a989a
    %{_sbindir}/semodule -s minimum --list-modules=full | awk '{ if ($4 != "disabled") print $2; }' > %{_datadir}/selinux/minimum/instmodules.lst
Dan Walsh 857c81
fi
Daniel J Walsh 675bba
Daniel J Walsh 675bba
%post minimum
Lukas Vrabec 2e12c9
%checkConfigConsistency minimum
Ondrej Mosnacek 2a989a
contribpackages=`cat %{_datadir}/selinux/minimum/modules-contrib.lst`
Ondrej Mosnacek 2a989a
basepackages=`cat %{_datadir}/selinux/minimum/modules-base.lst`
Ondrej Mosnacek 2a989a
if [ ! -d %{_sharedstatedir}/selinux/minimum/active/modules/disabled ]; then
Ondrej Mosnacek 2a989a
    mkdir %{_sharedstatedir}/selinux/minimum/active/modules/disabled
Miroslav Grepl 57b06e
fi
Daniel J Walsh 0e31a0
if [ $1 -eq 1 ]; then
Miroslav Grepl a27009
for p in $contribpackages; do
Ondrej Mosnacek 2a989a
    touch %{_sharedstatedir}/selinux/minimum/active/modules/disabled/$p
Dan Walsh 857c81
done
Miroslav Grepl 57b06e
for p in $basepackages apache dbus inetd kerberos mta nis; do
Ondrej Mosnacek 2a989a
    rm -f %{_sharedstatedir}/selinux/minimum/active/modules/disabled/$p
Dan Walsh 857c81
done
Ondrej Mosnacek 2a989a
%{_sbindir}/semanage import -S minimum -f - << __eof
Daniel J Walsh 675bba
login -m  -s unconfined_u -r s0-s0:c0.c1023 __default__
Daniel J Walsh 675bba
login -m  -s unconfined_u -r s0-s0:c0.c1023 root
Daniel J Walsh 675bba
__eof
Ondrej Mosnacek 2a989a
%{_sbindir}/restorecon -R /root /var/log /var/run 2> /dev/null
Ondrej Mosnacek 2a989a
%{_sbindir}/semodule -B -s minimum
Daniel J Walsh 675bba
else
Ondrej Mosnacek 2a989a
instpackages=`cat %{_datadir}/selinux/minimum/instmodules.lst`
Miroslav Grepl a27009
for p in $contribpackages; do
Ondrej Mosnacek 2a989a
    touch %{_sharedstatedir}/selinux/minimum/active/modules/disabled/$p
Dan Walsh 857c81
done
Miroslav Grepl a27009
for p in $instpackages apache dbus inetd kerberos mta nis; do
Ondrej Mosnacek 2a989a
    rm -f %{_sharedstatedir}/selinux/minimum/active/modules/disabled/$p
Dan Walsh 857c81
done
Ondrej Mosnacek 2a989a
%{_sbindir}/semodule -B -s minimum
Daniel J Walsh 675bba
%relabel minimum
Daniel J Walsh 675bba
fi
Daniel J Walsh 675bba
exit 0
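The minimum subpackage selects modules through marker files: a module is disabled for a store when a file named after it exists in <store>/active/modules/disabled, and `semodule -B` rebuilds the policy without it. On a fresh install every contrib module gets a marker and only the base modules plus apache, dbus, inetd, kerberos, mta and nis are re-enabled; on upgrade the %pre scriptlet first records what was enabled via `semodule --list-modules=full` and that list is re-enabled instead. The following is an added example, not code from the spec, that reproduces this reconciliation on a scratch directory (the real store is %{_sharedstatedir}/selinux/minimum); the listing it parses is constructed to look like `semodule --list-modules=full` output, priority, name, language and an optional trailing "disabled".

```shell
#!/bin/sh
# Added example (not from selinux-policy.spec): the marker-file mechanism the
# minimum subpackage uses to pick modules. STORE is a parameter so this runs
# on a scratch directory; the real one is /var/lib/selinux/minimum.

# Replicates the %pre awk: from `semodule -s minimum --list-modules=full`
# output on stdin, print the names of modules not flagged "disabled".
enabled_modules_from_listing() {
    awk '{ if ($4 != "disabled") print $2 }'
}

# Disable every module in CONTRIB, then re-enable the modules in KEEP plus
# the six the spec always leaves on (apache dbus inetd kerberos mta nis).
reconcile_disabled_markers() {
    _store=$1
    _contrib=$2
    _keep=$3
    _dir="$_store/active/modules/disabled"
    mkdir -p "$_dir"
    for p in $_contrib; do
        touch "$_dir/$p"
    done
    for p in $_keep apache dbus inetd kerberos mta nis; do
        rm -f "$_dir/$p"
    done
}

# Names of the modules currently marked disabled in STORE, one per line,
# in glob (sorted) order.
list_disabled_markers() {
    _dir="$1/active/modules/disabled"
    [ -d "$_dir" ] || return 0
    for f in "$_dir"/*; do
        [ -e "$f" ] && basename "$f"
    done
    return 0
}

# Constructed listing in the `semodule --list-modules=full` format.
listing='100 abrt            pp
100 apache          pp
100 cockpit         pp disabled
100 dbus            pp
100 zebra           pp disabled'
demo_store=$(mktemp -d)
keep=$(printf '%s\n' "$listing" | enabled_modules_from_listing)
reconcile_disabled_markers "$demo_store" "abrt apache cockpit dbus zebra" "$keep"
echo "disabled after upgrade-style reconcile:"
list_disabled_markers "$demo_store"
rm -rf "$demo_store"
```

Running it prints cockpit and zebra: they were already disabled in the recorded listing, abrt stays on because it was enabled before, and apache and dbus are in the always-on set. Note that the upgrade path in the spec does not run %relabel on fresh installs, only the rebuild, so newly enabled modules' file contexts only take effect after the relabel in the upgrade branch.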
Daniel J Walsh 675bba
Lukas Vrabec 2e12c9
%posttrans minimum
Lukas Vrabec 2e12c9
%checkConfigConsistency minimum
Zdenek Pytela 0f27d9
%{_sbindir}/restorecon -Ri /usr/lib/sysimage/rpm /var/lib/rpm
Lukas Vrabec 2e12c9
Petr Lautrbach 7f4032
%postun minimum
Petr Lautrbach 7f4032
if [ $1 = 0 ]; then
Adam Williamson 69200e
    if [ -s %{_sysconfdir}/selinux/config ]; then
Adam Williamson 69200e
        source %{_sysconfdir}/selinux/config &> /dev/null || true
Adam Williamson 69200e
    fi
Petr Lautrbach 7f4032
    if [ "$SELINUXTYPE" = "minimum" ]; then
Ondrej Mosnacek 2a989a
        %{_sbindir}/setenforce 0 2> /dev/null
ee6e28
        if [ ! -s %{_sysconfdir}/selinux/config ]; then
ee6e28
            echo "SELINUX=disabled" > %{_sysconfdir}/selinux/config
Petr Lautrbach 7f4032
        else
ee6e28
            sed -i 's/^SELINUX=.*/SELINUX=disabled/g' %{_sysconfdir}/selinux/config
Petr Lautrbach 7f4032
        fi
Petr Lautrbach 7f4032
    fi
Petr Lautrbach 7f4032
fi
Petr Lautrbach 7f4032
exit 0
Petr Lautrbach 7f4032
Miroslav Grepl 57b06e
%triggerpostun minimum -- selinux-policy-minimum < 3.13.1-138
Ondrej Mosnacek 2a989a
if [ `ls -A %{_sharedstatedir}/selinux/minimum/active/modules/disabled/` ]; then
Ondrej Mosnacek 2a989a
    rm -f %{_sharedstatedir}/selinux/minimum/active/modules/disabled/*
Miroslav Grepl 57b06e
fi
Miroslav Grepl 57b06e
CR=$'\n'
Miroslav Grepl 57b06e
INPUT=""
Ondrej Mosnacek 2a989a
for i in `find %{_sysconfdir}/selinux/minimum/modules/active/modules/ -name \*disabled`; do
Miroslav Grepl 57b06e
    module=`basename $i | sed 's/.pp.disabled//'`
Ondrej Mosnacek 2a989a
    if [ -d %{_sharedstatedir}/selinux/minimum/active/modules/100/$module ]; then
Ondrej Mosnacek 2a989a
        touch %{_sharedstatedir}/selinux/minimum/active/modules/disabled/$module
Miroslav Grepl 57b06e
    fi
Miroslav Grepl 57b06e
done
Ondrej Mosnacek 2a989a
for i in `find %{_sysconfdir}/selinux/minimum/modules/active/modules/ -name \*.pp`; do
Miroslav Grepl 57b06e
    INPUT="${INPUT}${CR}module -N -a $i"
Miroslav Grepl 57b06e
done
Miroslav Grepl 57b06e
echo "$INPUT" | %{_sbindir}/semanage import -S minimum -N
Ondrej Mosnacek 2a989a
if %{_sbindir}/selinuxenabled ; then
Ondrej Mosnacek 2a989a
    %{_sbindir}/load_policy
Miroslav Grepl 57b06e
fi
Miroslav Grepl 57b06e
exit 0
Miroslav Grepl 57b06e
Ondrej Mosnacek 2a989a
%files minimum -f %{buildroot}%{_datadir}/selinux/minimum/nonbasemodules.lst
Daniel J Walsh 675bba
%config(noreplace) %{_sysconfdir}/selinux/minimum/contexts/users/unconfined_u
fe2076
%config(noreplace) %{_sysconfdir}/selinux/minimum/contexts/users/sysadm_u
Daniel J Walsh 675bba
%fileList minimum
Daniel J Walsh 675bba
%endif
Daniel J Walsh 675bba
Daniel J Walsh bd3f0e
%if %{BUILD_MLS}
fe2076
%package mls
Zdenek Pytela e99b0b
Summary: SELinux MLS policy
Zdenek Pytela 4e04fa
Provides: selinux-policy-any = %{version}-%{release}
Daniel J Walsh d83af2
Obsoletes: selinux-policy-mls-sources < 2
Daniel J Walsh c77aca
Requires: policycoreutils-newrole >= %{POLICYCOREUTILSVER} setransd
Daniel J Walsh 23e708
Requires(pre): policycoreutils >= %{POLICYCOREUTILSVER}
Daniel J Walsh d83af2
Requires(pre): coreutils
Daniel J Walsh d83af2
Requires(pre): selinux-policy = %{version}-%{release}
Daniel J Walsh 3b5466
Requires: selinux-policy = %{version}-%{release}
Daniel J Walsh 6b7b0c
Conflicts:  seedit
Lukas Vrabec ab3db2
Conflicts: container-selinux <= 1.9.0-9
Daniel J Walsh 1580c8
fe2076
%description mls
Zdenek Pytela e99b0b
SELinux MLS (Multi Level Security) policy package.
Daniel J Walsh 1580c8
Lukas Vrabec 2e12c9
%pretrans mls -p <lua>
Lukas Vrabec 2e12c9
%backupConfigLua
Lukas Vrabec 2e12c9
fe2076
%pre mls
Dan Walsh 8a78e8
%preInstall mls
Daniel J Walsh 1580c8
fe2076
%post mls
Lukas Vrabec 2e12c9
%checkConfigConsistency mls
Dan Walsh 857c81
%postInstall $1 mls
Lukas Vrabec 6a9935
exit 0
Miroslav Grepl 57b06e
Lukas Vrabec 2e12c9
%posttrans mls
Lukas Vrabec 2e12c9
%checkConfigConsistency mls
Zdenek Pytela 0f27d9
%{_sbindir}/restorecon -Ri /usr/lib/sysimage/rpm /var/lib/rpm
Lukas Vrabec 2e12c9
Petr Lautrbach 7f4032
%postun mls
Petr Lautrbach 7f4032
if [ $1 = 0 ]; then
Adam Williamson 69200e
    if [ -s %{_sysconfdir}/selinux/config ]; then
Adam Williamson 69200e
        source %{_sysconfdir}/selinux/config &> /dev/null || true
Adam Williamson 69200e
    fi
Petr Lautrbach 7f4032
    if [ "$SELINUXTYPE" = "mls" ]; then
Ondrej Mosnacek 2a989a
        %{_sbindir}/setenforce 0 2> /dev/null
ee6e28
        if [ ! -s %{_sysconfdir}/selinux/config ]; then
ee6e28
            echo "SELINUX=disabled" > %{_sysconfdir}/selinux/config
Petr Lautrbach 7f4032
        else
ee6e28
            sed -i 's/^SELINUX=.*/SELINUX=disabled/g' %{_sysconfdir}/selinux/config
Petr Lautrbach 7f4032
        fi
Petr Lautrbach 7f4032
    fi
Petr Lautrbach 7f4032
fi
Petr Lautrbach 7f4032
exit 0
Petr Lautrbach 7f4032
Miroslav Grepl 57b06e
%triggerpostun mls -- selinux-policy-mls < 3.13.1-138
Miroslav Grepl 57b06e
CR=$'\n'
Miroslav Grepl 57b06e
INPUT=""
Ondrej Mosnacek 2a989a
for i in `find %{_sysconfdir}/selinux/mls/modules/active/modules/ -name \*disabled`; do
Miroslav Grepl 57b06e
    module=`basename $i | sed 's/.pp.disabled//'`
Ondrej Mosnacek 2a989a
    if [ -d %{_sharedstatedir}/selinux/mls/active/modules/100/$module ]; then
Ondrej Mosnacek 2a989a
        touch %{_sharedstatedir}/selinux/mls/active/modules/disabled/$module
Miroslav Grepl 57b06e
    fi
Miroslav Grepl 57b06e
done
Ondrej Mosnacek 2a989a
for i in `find %{_sysconfdir}/selinux/mls/modules/active/modules/ -name \*.pp`; do
Miroslav Grepl 57b06e
    INPUT="${INPUT}${CR}module -N -a $i"
Miroslav Grepl 57b06e
done
Miroslav Grepl 57b06e
echo "$INPUT" | %{_sbindir}/semanage import -S mls -N
Ondrej Mosnacek 2a989a
if %{_sbindir}/selinuxenabled ; then
Ondrej Mosnacek 2a989a
        %{_sbindir}/load_policy
Miroslav Grepl 57b06e
fi
Miroslav Grepl 57b06e
exit 0
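The three %triggerpostun scriptlets for targeted, minimum and mls (versions older than 3.13.1-138) all migrate the legacy module store under %{_sysconfdir}/selinux/<store>/modules/active into the current one under %{_sharedstatedir}/selinux/<store>/active: disabled legacy modules (foo.pp.disabled) that exist at priority 100 in the new store get a marker file, enabled ones (foo.pp) are fed to `semanage import -N` as `module -N -a <file>` lines, and *.local customisations are copied across. The following is an added example, not spec code, that performs the same three steps on scratch directories passed as parameters and only generates the import text rather than calling semanage or load_policy; the marker name is derived from the file name, which is what the loop variable in the original scriptlets must refer to.

```shell
#!/bin/sh
# Added example (not from selinux-policy.spec): the pre-3.13.1-138 module
# store migration of the %triggerpostun scriptlets, with paths as parameters.
# Real paths: %{_sysconfdir}/selinux/<store>/modules/active (legacy) and
# %{_sharedstatedir}/selinux/<store>/active (current).

# Legacy modules that were disabled (foo.pp.disabled) and exist at priority
# 100 in the new store get a marker <new>/modules/disabled/foo. Prints the
# names it marked.
legacy_disabled_modules() {
    _legacy=$1   # .../modules/active/modules
    _new=$2      # .../active
    mkdir -p "$_new/modules/disabled"
    for f in "$_legacy"/*.pp.disabled; do
        [ -e "$f" ] || continue
        module=$(basename "$f" .pp.disabled)
        if [ -d "$_new/modules/100/$module" ]; then
            touch "$_new/modules/disabled/$module"
            printf '%s\n' "$module"
        fi
    done
    return 0
}

# One `module -N -a <file>` line per still-enabled legacy module, in the
# format read by `semanage import -N`; *.pp.disabled files are deliberately
# not re-imported, as in the spec.
legacy_import_commands() {
    _legacy=$1
    for f in "$_legacy"/*.pp; do
        [ -e "$f" ] || continue
        printf 'module -N -a %s\n' "$f"
    done
    return 0
}

# Copy local customisations (file_contexts.local, ports.local, ...) that live
# directly in the legacy active tree into the new store root.
legacy_copy_locals() {
    _legacy_active=$1   # .../modules/active
    _new=$2
    for f in "$_legacy_active"/*.local; do
        [ -e "$f" ] || continue
        cp "$f" "$_new/"
    done
    return 0
}

# Constructed scratch layout: two enabled modules, one disabled module that
# exists in the new store, one that does not, and a local file-context file.
d=$(mktemp -d)
legacy="$d/etc/modules/active"
new="$d/lib/active"
mkdir -p "$legacy/modules" "$new/modules/100/sandbox" "$new/modules/100/abrt"
touch "$legacy/modules/abrt.pp" "$legacy/modules/mymod.pp" \
      "$legacy/modules/sandbox.pp.disabled" "$legacy/modules/gone.pp.disabled" \
      "$legacy/file_contexts.local"
echo "disabled markers created:"
legacy_disabled_modules "$legacy/modules" "$new"
echo "semanage import input:"
legacy_import_commands "$legacy/modules"
legacy_copy_locals "$legacy" "$new"
rm -rf "$d"
```

The "gone" module gets no marker because it has no priority-100 directory in the new store, so its disabled state is simply dropped; anyone auditing an upgraded host should compare `semodule --list-modules=full` against the old /etc/selinux/<store>/modules/active tree before removing it.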
Miroslav Grepl 57b06e
Miroslav Grepl 57b06e
Ondrej Mosnacek 2a989a
%files mls -f %{buildroot}%{_datadir}/selinux/mls/nonbasemodules.lst
Daniel J Walsh 57ae10
%config(noreplace) %{_sysconfdir}/selinux/mls/contexts/users/unconfined_u
Daniel J Walsh 504da9
%fileList mls
Daniel J Walsh bd3f0e
%endif
Daniel J Walsh bd3f0e
Daniel J Walsh 56187c
%changelog
Zdenek Pytela 232d13
* Mon Jan 30 2023 Zdenek Pytela <zpytela@redhat.com> - 38.6-1
Zdenek Pytela 232d13
- Boolean: allow qemu-ga read ssh home directory
Zdenek Pytela 232d13
- Allow kernel_t to read/write all sockets
Zdenek Pytela 232d13
- Allow kernel_t to UNIX-stream connect to all domains
Zdenek Pytela 232d13
- Allow systemd-resolved send a datagram to journald
Zdenek Pytela 232d13
- Allow kernel_t to manage and have "execute" access to all files
Zdenek Pytela 232d13
- Fix the files_manage_all_files() interface
Zdenek Pytela 232d13
- Allow rshim bpf cap2 and read sssd public files
Zdenek Pytela 232d13
- Allow insights-client work with su and lpstat
Zdenek Pytela 232d13
- Allow insights-client tcp connect to all ports
Zdenek Pytela 232d13
- Allow nm-cloud-setup dispatcher plugin restart nm services
Zdenek Pytela 232d13
- Allow unconfined user filetransition for sudo log files
Zdenek Pytela 232d13
- Allow modemmanager create hardware state information files
Zdenek Pytela 232d13
- Allow ModemManager all permissions for netlink route socket
Zdenek Pytela 232d13
- Allow wg to send msg to kernel, write to syslog and dbus connections
Zdenek Pytela 232d13
- Allow hostname_t to read network sysctls.
Zdenek Pytela 232d13
- Dontaudit ftpd the execmem permission
Zdenek Pytela 232d13
- Allow svirt request the kernel to load a module
Zdenek Pytela 232d13
- Allow icecast rename its log files
Zdenek Pytela 232d13
- Allow upsd to send signal to itself
Zdenek Pytela 232d13
- Allow wireguard to create udp sockets and read net_conf
Zdenek Pytela 232d13
- Use %autosetup instead of %setup
Zdenek Pytela 232d13
- Pass -p 1 to %autosetup
Zdenek Pytela 232d13
Fedora Release Engineering c11eb8
* Sat Jan 21 2023 Fedora Release Engineering <releng@fedoraproject.org> - 38.5-2
Fedora Release Engineering c11eb8
- Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild
Fedora Release Engineering c11eb8
Zdenek Pytela 13e15d
* Fri Jan 13 2023 Zdenek Pytela <zpytela@redhat.com> - 38.5-1
Zdenek Pytela 13e15d
- Allow insights client work with gluster and pcp
Zdenek Pytela 13e15d
- Add insights additional capabilities
Zdenek Pytela 13e15d
- Add interfaces in domain, files, and unconfined modules
Zdenek Pytela 13e15d
- Label fwupdoffline and fwupd-detect-cet with fwupd_exec_t
Zdenek Pytela 13e15d
- Allow sudodomain use sudo.log as a logfile
Zdenek Pytela 13e15d
- Allow pdns server map its library files and bind to unreserved ports
Zdenek Pytela 13e15d
- Allow sysadm_t read/write ipmi devices
Zdenek Pytela 13e15d
- Allow prosody manage its runtime socket files
Zdenek Pytela 13e15d
- Allow kernel threads manage kernel keys
Zdenek Pytela 13e15d
- Allow systemd-userdbd the sys_resource capability
Zdenek Pytela 13e15d
- Allow systemd-journal list cgroup directories
Zdenek Pytela 13e15d
- Allow apcupsd dbus chat with systemd-logind
Zdenek Pytela 13e15d
- Allow nut_domain manage also files and sock_files in /var/run
Zdenek Pytela 13e15d
- Allow winbind-rpcd make a TCP connection to the ldap port
Zdenek Pytela 13e15d
- Label /usr/lib/rpm/rpmdb_migrate with rpmdb_exec_t
Zdenek Pytela 13e15d
- Allow tlp read generic SSL certificates
Zdenek Pytela 13e15d
- Allow systemd-resolved watch tmpfs directories
Zdenek Pytela 13e15d
- Revert "Allow systemd-resolved watch tmpfs directories"
Zdenek Pytela 13e15d
Zdenek Pytela 328d37
* Mon Dec 19 2022 Zdenek Pytela <zpytela@redhat.com> - 38.4-1
Zdenek Pytela 328d37
- Allow NetworkManager and wpa_supplicant the bpf capability
Zdenek Pytela 328d37
- Allow systemd-rfkill the bpf capability
Zdenek Pytela 328d37
- Allow winbind-rpcd manage samba_share_t files and dirs
Zdenek Pytela 328d37
- Label /var/lib/httpd/md(/.*)? with httpd_sys_rw_content_t
Zdenek Pytela 328d37
- Allow gpsd the sys_ptrace userns capability
Zdenek Pytela 328d37
- Introduce gpsd_tmp_t for sockfiles managed by gpsd_t
Zdenek Pytela 328d37
- Allow load_policy_t write to unallocated ttys
Zdenek Pytela 328d37
- Allow ndc read hardware state information
Zdenek Pytela 328d37
- Allow system mail service read inherited certmonger runtime files
Zdenek Pytela 328d37
- Add lpr_roles to system_r roles
Zdenek Pytela 328d37
- Revert "Allow insights-client run lpr and allow the proper role"
Zdenek Pytela 328d37
- Allow stalld to read /sys/kernel/security/lockdown file
Zdenek Pytela 328d37
- Allow keepalived to set resource limits
Zdenek Pytela 328d37
- Add policy for mptcpd
Zdenek Pytela 328d37
- Add policy for rshim
Zdenek Pytela 328d37
- Allow admin users to create user namespaces
Zdenek Pytela 328d37
- Allow journalctl relabel with var_log_t and syslogd_var_run_t files
Zdenek Pytela 328d37
- Do not run restorecon /etc/NetworkManager/dispatcher.d in targeted
Zdenek Pytela 328d37
- Trim changelog so that it starts at F35 time
Zdenek Pytela 328d37
- Add mptcpd and rshim modules
Zdenek Pytela 328d37
Zdenek Pytela 5e55a1
* Wed Dec 14 2022 Zdenek Pytela <zpytela@redhat.com> - 38.3-1
Zdenek Pytela 5e55a1
- Allow insights-client dbus chat with various services
Zdenek Pytela 5e55a1
- Allow insights-client tcp connect to various ports
Zdenek Pytela 5e55a1
- Allow insights-client run lpr and allow the proper role
Zdenek Pytela 5e55a1
- Allow insights-client work with pcp and manage user config files
Zdenek Pytela 5e55a1
- Allow redis get user names
Zdenek Pytela 5e55a1
- Allow kernel threads to use fds from all domains
Zdenek Pytela 5e55a1
- Allow systemd-modules-load load kernel modules
Zdenek Pytela 5e55a1
- Allow login_userdomain watch systemd-passwd pid dirs
Zdenek Pytela 5e55a1
- Allow insights-client dbus chat with abrt
Zdenek Pytela 5e55a1
- Grant kernel_t certain permissions in the system class
Zdenek Pytela 5e55a1
- Allow systemd-resolved watch tmpfs directories
Zdenek Pytela 5e55a1
- Allow systemd-timedated watch init runtime dir
Zdenek Pytela 5e55a1
- Make `bootc` be `install_exec_t`
Zdenek Pytela 5e55a1
- Allow systemd-coredump create user_namespace
Zdenek Pytela 5e55a1
- Allow syslog the setpcap capability
Zdenek Pytela 5e55a1
- Dontaudit virtlogd and dnsmasq execmem
Zdenek Pytela 5e55a1
Zdenek Pytela 826337
* Tue Dec 06 2022 Zdenek Pytela <zpytela@redhat.com> - 38.2-1
Zdenek Pytela 826337
- Don't make kernel_t an unconfined domain
Zdenek Pytela 826337
- Don't allow kernel_t to execute bin_t/usr_t binaries without a transition
Zdenek Pytela 826337
- Allow kernel_t to execute systemctl to do a poweroff/reboot
Zdenek Pytela 826337
- Grant basic permissions to the domain created by systemd_systemctl_domain()
Zdenek Pytela 826337
- Allow kernel_t to request module loading
Zdenek Pytela 826337
- Allow kernel_t to do compute_create
Zdenek Pytela 826337
- Allow kernel_t to manage perf events
Zdenek Pytela 826337
- Grant almost all capabilities to kernel_t
Zdenek Pytela 826337
- Allow kernel_t to fully manage all devices
Zdenek Pytela 826337
- Revert "In domain_transition_pattern there is no permission allowing caller domain to execu_no_trans on entrypoint, this patch fixing this issue"
Zdenek Pytela 826337
- Allow pulseaudio to write to session_dbusd tmp socket files
Zdenek Pytela 826337
- Allow systemd and unconfined_domain_type create user_namespace
Zdenek Pytela 826337
- Add the user_namespace security class
Zdenek Pytela 826337
- Reuse tmpfs_t also for the ramfs filesystem
Zdenek Pytela 826337
- Label udf tools with fsadm_exec_t
Zdenek Pytela 826337
- Allow networkmanager_dispatcher_plugin work with nscd
Zdenek Pytela 826337
- Watch_sb all file type directories.
Zdenek Pytela 826337
- Allow spamc read hardware state information files
Zdenek Pytela 826337
- Allow sysadm read ipmi devices
Zdenek Pytela 826337
- Allow insights client communicate with cupsd, mysqld, openvswitch, redis
Zdenek Pytela 826337
- Allow insights client read raw memory devices
Zdenek Pytela 826337
- Allow the spamd_update_t domain get generic filesystem attributes
Zdenek Pytela 826337
- Dontaudit systemd-gpt-generator the sys_admin capability
Zdenek Pytela 826337
- Allow ipsec_t only read tpm devices
Zdenek Pytela 826337
- Allow cups-pdf connect to the system log service
Zdenek Pytela 826337
- Allow postfix/smtpd read kerberos key table
Zdenek Pytela 826337
- Allow syslogd read network sysctls
Zdenek Pytela 826337
- Allow cdcc mmap dcc-client-map files
Zdenek Pytela 826337
- Add watch and watch_sb dosfs interface
Zdenek Pytela 826337
Zdenek Pytela 17a6cf
* Mon Nov 21 2022 Zdenek Pytela <zpytela@redhat.com> - 38.1-1
Zdenek Pytela 17a6cf
- Revert "Allow sysadm_t read raw memory devices"
Zdenek Pytela 17a6cf
- Allow systemd-socket-proxyd get attributes of cgroup filesystems
Zdenek Pytela 17a6cf
- Allow rpc.gssd read network sysctls
Zdenek Pytela 17a6cf
- Allow winbind-rpcd get attributes of device and pty filesystems
Zdenek Pytela 17a6cf
- Allow insights-client domain transition on semanage execution
Zdenek Pytela 17a6cf
- Allow insights-client create gluster log dir with a transition
Zdenek Pytela 17a6cf
- Allow insights-client manage generic locks
Zdenek Pytela 17a6cf
- Allow insights-client unix_read all domain semaphores
Zdenek Pytela 17a6cf
- Add domain_unix_read_all_semaphores() interface
Zdenek Pytela 17a6cf
- Allow winbind-rpcd use the terminal multiplexor
Zdenek Pytela 17a6cf
- Allow mrtg send mails
Zdenek Pytela 17a6cf
- Allow systemd-hostnamed dbus chat with init scripts
Zdenek Pytela 17a6cf
- Allow sssd dbus chat with system cronjobs
Zdenek Pytela 17a6cf
- Add interface to watch all filesystems
Zdenek Pytela 17a6cf
- Add watch_sb interfaces
Zdenek Pytela 17a6cf
- Add watch interfaces
Zdenek Pytela 17a6cf
- Allow dhcpd bpf capability to run bpf programs
Zdenek Pytela 17a6cf
- Allow netutils and traceroute bpf capability to run bpf programs
Zdenek Pytela 17a6cf
- Allow pkcs_slotd_t bpf capability to run bpf programs
Zdenek Pytela 17a6cf
- Allow xdm bpf capability to run bpf programs
Zdenek Pytela 17a6cf
- Allow pcscd bpf capability to run bpf programs
Zdenek Pytela 17a6cf
- Allow lldpad bpf capability to run bpf programs
Zdenek Pytela 17a6cf
- Allow keepalived bpf capability to run bpf programs
Zdenek Pytela 17a6cf
- Allow ipsec bpf capability to run bpf programs
Zdenek Pytela 17a6cf
- Allow fprintd bpf capability to run bpf programs
Zdenek Pytela 17a6cf
- Allow systemd-socket-proxyd get filesystems attributes
Zdenek Pytela 17a6cf
- Allow dirsrv_snmp_t to manage dirsrv_config_t & dirsrv_var_run_t files
Zdenek Pytela 17a6cf
Zdenek Pytela 544896
* Mon Oct 31 2022 Zdenek Pytela <zpytela@redhat.com> - 37.14-1
Zdenek Pytela 544896
- Allow rotatelogs read httpd_log_t symlinks
Zdenek Pytela 544896
- Add winbind-rpcd to samba_enable_home_dirs boolean
Zdenek Pytela 544896
- Allow system cronjobs dbus chat with setroubleshoot
Zdenek Pytela 544896
- Allow setroubleshootd read device sysctls
Zdenek Pytela 544896
- Allow virt_domain read device sysctls
Zdenek Pytela 544896
- Allow rhcd compute selinux access vector
Zdenek Pytela 544896
- Allow insights-client manage samba var dirs
Zdenek Pytela 544896
- Label ports 10161-10162 tcp/udp with snmp
Zdenek Pytela 544896
- Allow aide to connect to systemd_machined with a unix socket.
Zdenek Pytela 544896
- Allow samba-dcerpcd use NSCD services over a unix stream socket
Zdenek Pytela 544896
- Allow vlock search the contents of the /dev/pts directory
Zdenek Pytela 544896
- Allow insights-client send null signal to rpm and system cronjob
Zdenek Pytela 544896
- Label port 15354/tcp and 15354/udp with opendnssec
Zdenek Pytela 544896
- Allow ftpd map ftpd_var_run files
Zdenek Pytela 544896
- Allow targetclid to manage tmp files
Zdenek Pytela 544896
- Allow insights-client connect to postgresql with a unix socket
Zdenek Pytela 544896
- Allow insights-client domtrans on unix_chkpwd execution
Zdenek Pytela 544896
- Add file context entries for insights-client and rhc
Zdenek Pytela 544896
- Allow pulseaudio create gnome content (~/.config)
Zdenek Pytela 544896
- Allow login_userdomain dbus chat with rhsmcertd
Zdenek Pytela 544896
- Allow sbd the sys_ptrace capability
Zdenek Pytela 544896
- Allow ptp4l_t name_bind ptp_event_port_t
Zdenek Pytela 544896
Zdenek Pytela c9f58f
* Mon Oct 03 2022 Zdenek Pytela <zpytela@redhat.com> - 37.13-1
Zdenek Pytela c9f58f
- Remove the ipa module
Zdenek Pytela c9f58f
- Allow sss daemons read/write unnamed pipes of cloud-init
Zdenek Pytela c9f58f
- Allow postfix_mailqueue create and use unix dgram sockets
Zdenek Pytela c9f58f
- Allow xdm watch user home directories
Zdenek Pytela c9f58f
- Allow nm-dispatcher ddclient plugin load a kernel module
Zdenek Pytela c9f58f
- Stop ignoring standalone interface files
Zdenek Pytela c9f58f
- Drop cockpit module
Zdenek Pytela c9f58f
- Allow init map its private tmp files
Zdenek Pytela c9f58f
- Allow xenstored change its hard resource limits
Zdenek Pytela c9f58f
- Allow system_mail_t read network sysctls
Zdenek Pytela c9f58f
- Add bgpd sys_chroot capability
Zdenek Pytela c9f58f
Zdenek Pytela dde90d
* Thu Sep 22 2022 Zdenek Pytela <zpytela@redhat.com> - 37.12-1
Zdenek Pytela dde90d
- nut-upsd: kernel_read_system_state, fs_getattr_cgroup
Zdenek Pytela dde90d
- Add numad the ipc_owner capability
Zdenek Pytela dde90d
- Allow gst-plugin-scanner read virtual memory sysctls
Zdenek Pytela dde90d
- Allow init read/write inherited user fifo files
Zdenek Pytela dde90d
- Update dnssec-trigger policy: setsched, module_request
Zdenek Pytela dde90d
- added policy for systemd-socket-proxyd
Zdenek Pytela dde90d
- Add the new 'cmd' permission to the 'io_uring' class
Zdenek Pytela dde90d
- Allow winbind-rpcd read and write its key ring
Zdenek Pytela dde90d
- Label /run/NetworkManager/no-stub-resolv.conf net_conf_t
Zdenek Pytela dde90d
- blueman-mechanism can read ~/.local/lib/python*/site-packages directory
Zdenek Pytela dde90d
- pidof executed by abrt can readlink /proc/*/exe
Zdenek Pytela dde90d
- Fix typo in comment
Zdenek Pytela dde90d
- Do not run restorecon /etc/NetworkManager/dispatcher.d in mls and minimum
Zdenek Pytela dde90d
Zdenek Pytela d02146
* Wed Sep 14 2022 Zdenek Pytela <zpytela@redhat.com> - 37.11-1
Zdenek Pytela d02146
- Allow tor get filesystem attributes
Zdenek Pytela d02146
- Allow utempter append to login_userdomain stream
Zdenek Pytela d02146
- Allow login_userdomain accept a stream connection to XDM
Zdenek Pytela d02146
- Allow login_userdomain write to boltd named pipes
Zdenek Pytela d02146
- Allow staff_u and user_u users write to bolt pipe
Zdenek Pytela d02146
- Allow login_userdomain watch various directories
Zdenek Pytela d02146
- Update rhcd policy for executing additional commands 5
Zdenek Pytela d02146
- Update rhcd policy for executing additional commands 4
Zdenek Pytela d02146
- Allow rhcd create rpm hawkey logs with correct label
Zdenek Pytela d02146
- Allow systemd-gpt-auto-generator to check for empty dirs
Zdenek Pytela d02146
- Update rhcd policy for executing additional commands 3
Zdenek Pytela d02146
- Allow journalctl read rhcd fifo files
Zdenek Pytela d02146
- Update insights-client policy for additional commands execution 5
Zdenek Pytela d02146
- Allow init remount all file_type filesystems
Zdenek Pytela d02146
- Confine insights-client systemd unit
Zdenek Pytela d02146
- Update insights-client policy for additional commands execution 4
Zdenek Pytela d02146
- Allow pcp pmcd search tracefs and acct_data dirs
Zdenek Pytela d02146
- Allow httpd read network sysctls
Zdenek Pytela d02146
- Dontaudit domain map permission on directories
Zdenek Pytela d02146
- Revert "Allow X userdomains to mmap user_fonts_cache_t dirs"
Zdenek Pytela d02146
- Revert "Allow xdm_t domain to mmap /var/lib/gdm/.cache/fontconfig BZ(1725509)"
Zdenek Pytela d02146
- Update insights-client policy for additional commands execution 3
Zdenek Pytela d02146
- Allow systemd permissions needed for sandboxed services
Zdenek Pytela d02146
- Add rhcd module
Zdenek Pytela d02146
- Make dependency on rpm-plugin-selinux unordered
Zdenek Pytela d02146
Zdenek Pytela 9a58e6
* Fri Sep 02 2022 Zdenek Pytela <zpytela@redhat.com> - 37.10-1
Zdenek Pytela 9a58e6
- Allow ipsec_t read/write tpm devices
Zdenek Pytela 9a58e6
- Allow rhcd execute all executables
Zdenek Pytela 9a58e6
- Update rhcd policy for executing additional commands 2
Zdenek Pytela 9a58e6
- Update insights-client policy for additional commands execution 2
Zdenek Pytela 9a58e6
- Allow sysadm_t read raw memory devices
Zdenek Pytela 9a58e6
- Allow chronyd send and receive chronyd/ntp client packets
Zdenek Pytela 9a58e6
- Allow ssh client read kerberos homedir config files
Zdenek Pytela 9a58e6
- Label /var/log/rhc-worker-playbook with rhcd_var_log_t
Zdenek Pytela 9a58e6
- Update insights-client policy (auditctl, gpg, journal)
Zdenek Pytela 9a58e6
- Allow system_cronjob_t domtrans to rpm_script_t
Zdenek Pytela 9a58e6
- Allow smbd_t process noatsecure permission for winbind_rpcd_t
Zdenek Pytela 9a58e6
- Update tor_bind_all_unreserved_ports interface
Zdenek Pytela 9a58e6
- Allow chronyd bind UDP sockets to ptp_event ports.
Zdenek Pytela 9a58e6
- Allow unconfined and sysadm users transition for /root/.gnupg
Zdenek Pytela 9a58e6
- Add gpg_filetrans_admin_home_content() interface
Zdenek Pytela 9a58e6
- Update rhcd policy for executing additional commands
Zdenek Pytela 9a58e6
- Update insights-client policy for additional commands execution
Zdenek Pytela 9a58e6
- Add userdom_view_all_users_keys() interface
Zdenek Pytela 9a58e6
- Allow gpg read and write generic pty type
Zdenek Pytela 9a58e6
- Allow chronyc read and write generic pty type
Zdenek Pytela 9a58e6
- Allow system_dbusd ioctl kernel with a unix stream sockets
Zdenek Pytela 9a58e6
- Allow samba-bgqd to read a printer list
Zdenek Pytela 9a58e6
- Allow stalld get and set scheduling policy of all domains.
Zdenek Pytela 9a58e6
- Allow unconfined_t transition to targetclid_home_t
Zdenek Pytela 9a58e6
Zdenek Pytela 5ac843
* Thu Aug 11 2022 Zdenek Pytela <zpytela@redhat.com> - 37.9-1
Zdenek Pytela 5ac843
- Allow nm-dispatcher custom plugin dbus chat with nm
Zdenek Pytela 5ac843
- Allow nm-dispatcher sendmail plugin get status of systemd services
Zdenek Pytela 5ac843
- Allow xdm read the kernel key ring
Zdenek Pytela 5ac843
- Allow login_userdomain check status of mount units
Zdenek Pytela 5ac843
- Allow postfix/smtp and postfix/virtual read kerberos key table
Zdenek Pytela 5ac843
- Allow services execute systemd-notify
Zdenek Pytela 5ac843
- Do not allow login_userdomain use sd_notify()
Zdenek Pytela 5ac843
- Allow launch-xenstored read filesystem sysctls
Zdenek Pytela 5ac843
- Allow systemd-modules-load write to /dev/kmsg and send a message to syslogd
Zdenek Pytela 5ac843
- Allow openvswitch fsetid capability
Zdenek Pytela 5ac843
- Allow openvswitch use its private tmpfs files and dirs
Zdenek Pytela 5ac843
- Allow openvswitch search tracefs dirs
Zdenek Pytela 5ac843
- Allow pmdalinux read files on an nfsd filesystem
Zdenek Pytela 5ac843
- Allow winbind-rpcd write to winbind pid files
Zdenek Pytela 5ac843
- Allow networkmanager to signal unconfined process
Zdenek Pytela 5ac843
- Allow systemd_hostnamed label /run/systemd/* as hostnamed_etc_t
Zdenek Pytela 5ac843
- Allow samba-bgqd get a printer list
Zdenek Pytela 5ac843
- fix(init.fc): Fix section description
Zdenek Pytela 5ac843
- Allow fedora-third-party read the passwords file
Zdenek Pytela 5ac843
- Remove permissive domain for rhcd_t
Zdenek Pytela 5ac843
- Allow pmie read network state information and network sysctls
Zdenek Pytela 5ac843
- Revert "Dontaudit domain the fowner capability"
Zdenek Pytela 5ac843
- Allow sysadm_t to run bpftool on the userdomain attribute
Zdenek Pytela 5ac843
- Add the userdom_prog_run_bpf_userdomain() interface
Zdenek Pytela 5ac843
- Allow insights-client rpm named file transitions
Zdenek Pytela 5ac843
- Add /var/tmp/insights-archive to insights_client_filetrans_named_content
Zdenek Pytela 5ac843
Zdenek Pytela 1ccfff
* Mon Aug 01 2022 Zdenek Pytela <zpytela@redhat.com> - 37.8-1
Zdenek Pytela 1ccfff
- Allow sa-update to get init status and start systemd files
Zdenek Pytela 1ccfff
- Use insights_client_filetrans_named_content
Zdenek Pytela 1ccfff
- Make default file context match with named transitions
Zdenek Pytela 1ccfff
- Allow nm-dispatcher tlp plugin send system log messages
Zdenek Pytela 1ccfff
- Allow nm-dispatcher tlp plugin create and use unix_dgram_socket
Zdenek Pytela 1ccfff
- Add permissions to manage lnk_files into gnome_manage_home_config
Zdenek Pytela 1ccfff
- Allow rhsmcertd to read insights config files
Zdenek Pytela 1ccfff
- Label /etc/insights-client/machine-id
Zdenek Pytela 1ccfff
- fix(devices.fc): Replace single quote in comment to solve parsing issues
Zdenek Pytela 1ccfff
- Make NetworkManager_dispatcher_custom_t an unconfined domain
Zdenek Pytela 1ccfff
Fedora Release Engineering 666bf0
* Sat Jul 23 2022 Fedora Release Engineering <releng@fedoraproject.org> - 37.7-2
Fedora Release Engineering 666bf0
- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild
Fedora Release Engineering 666bf0
Zdenek Pytela 7ffa63
* Thu Jul 14 2022 Zdenek Pytela <zpytela@redhat.com> - 37.7-1
Zdenek Pytela 7ffa63
- Update winbind_rpcd_t
Zdenek Pytela 7ffa63
- Allow some domains use sd_notify()
Zdenek Pytela 7ffa63
- Revert "Allow rabbitmq to use systemd notify"
Zdenek Pytela 7ffa63
- fix(sedoctool.py): Fix syntax warning: "is not" with a literal
Zdenek Pytela 7ffa63
- Allow nm-dispatcher console plugin manage etc files
Zdenek Pytela 7ffa63
- Allow networkmanager_dispatcher_plugin list NetworkManager_etc_t dirs
Zdenek Pytela 7ffa63
- Allow nm-dispatcher console plugin setfscreate
Zdenek Pytela 7ffa63
- Support using systemd-update-helper in rpm scriptlets
Zdenek Pytela 7ffa63
- Allow nm-dispatcher winbind plugin read samba config files
Zdenek Pytela 7ffa63
- Allow domain use userfaultfd over all domains
Zdenek Pytela 7ffa63
- Allow cups-lpd read network sysctls
Zdenek Pytela 7ffa63
Zdenek Pytela 730af9
* Wed Jun 29 2022 Zdenek Pytela <zpytela@redhat.com> - 37.6-1
Zdenek Pytela 730af9
- Allow stalld set scheduling policy of kernel threads
Zdenek Pytela 730af9
- Allow targetclid read /var/target files
Zdenek Pytela 730af9
- Allow targetclid read generic SSL certificates (fixed)
Zdenek Pytela 730af9
- Allow firewalld read the contents of the sysfs filesystem
Zdenek Pytela 730af9
- Fix file context pattern for /var/target
Zdenek Pytela 730af9
- Use insights_client_etc_t in insights_search_config()
Zdenek Pytela 730af9
- Allow nm-dispatcher ddclient plugin handle systemd services
Zdenek Pytela 730af9
- Allow nm-dispatcher winbind plugin run smbcontrol
Zdenek Pytela 730af9
- Allow nm-dispatcher custom plugin create and use unix dgram socket
Zdenek Pytela 730af9
- Update samba-dcerpcd policy for kerberos usage 2
Zdenek Pytela 730af9
- Allow keepalived read the contents of the sysfs filesystem
Zdenek Pytela 730af9
- Allow amandad read network sysctls
Zdenek Pytela 730af9
- Allow cups-lpd read network sysctls
Zdenek Pytela 730af9
- Allow kpropd read network sysctls
Zdenek Pytela 730af9
- Update insights_client_filetrans_named_content()
Zdenek Pytela 730af9
- Allow rabbitmq to use systemd notify
Zdenek Pytela 730af9
- Label /var/target with targetd_var_t
Zdenek Pytela 730af9
- Allow targetclid read generic SSL certificates
Zdenek Pytela 730af9
- Update rhcd policy
Zdenek Pytela 730af9
- Allow rhcd search insights configuration directories
Zdenek Pytela 730af9
- Add the kernel_read_proc_files() interface
Zdenek Pytela 730af9
- Require policycoreutils >= 3.4-1
Zdenek Pytela 730af9
- Add a script for enclosing interfaces in ifndef statements
Zdenek Pytela 730af9
- Disable rpm verification on interface_info
Zdenek Pytela 730af9
Zdenek Pytela 53d2cb
* Wed Jun 22 2022 Zdenek Pytela <zpytela@redhat.com> - 37.5-1
Zdenek Pytela 53d2cb
- Allow transition to insights_client named content
Zdenek Pytela 53d2cb
- Add the insights_client_filetrans_named_content() interface
Zdenek Pytela 53d2cb
- Update policy for insights-client to run additional commands 3
Zdenek Pytela 53d2cb
- Allow dhclient manage pid files used by chronyd
Zdenek Pytela 53d2cb
- Allow stalld get scheduling policy of kernel threads
Zdenek Pytela 53d2cb
- Allow samba-dcerpcd work with sssd
Zdenek Pytela 53d2cb
- Allow dlm_controld send a null signal to a cluster daemon
Zdenek Pytela 53d2cb
- Allow ksmctl create hardware state information files
Zdenek Pytela 53d2cb
- Allow winbind_rpcd_t connect to self over a unix_stream_socket
Zdenek Pytela 53d2cb
- Update samba-dcerpcd policy for kerberos usage
Zdenek Pytela 53d2cb
- Allow insights-client execute its private memfd: objects
Zdenek Pytela 53d2cb
- Update policy for insights-client to run additional commands 2
Zdenek Pytela 53d2cb
- Use insights_client_tmp_t instead of insights_client_var_tmp_t
Zdenek Pytela 53d2cb
- Change space indentation to tab in insights-client
Zdenek Pytela 53d2cb
- Use socket permissions sets in insights-client
Zdenek Pytela 53d2cb
- Update policy for insights-client to run additional commands
Zdenek Pytela 53d2cb
- Change rpm_setattr_db_files() to use a pattern
Zdenek Pytela 53d2cb
- Allow init_t to rw insights_client unnamed pipe
Zdenek Pytela 53d2cb
- Add rpm setattr db files macro
Zdenek Pytela 53d2cb
- Fix insights client
Zdenek Pytela 53d2cb
- Update kernel_read_unix_sysctls() for sysctl_net_unix_t handling
Zdenek Pytela 53d2cb
- Allow rabbitmq to access its private memfd: objects
Zdenek Pytela 53d2cb
- Update policy for samba-dcerpcd
Zdenek Pytela 53d2cb
- Allow stalld setsched and sys_nice
Zdenek Pytela 53d2cb
Zdenek Pytela 75ed72
* Tue Jun 07 2022 Zdenek Pytela <zpytela@redhat.com> - 37.4-1
Zdenek Pytela 75ed72
- Allow auditd_t noatsecure for a transition to audisp_remote_t
Zdenek Pytela 75ed72
- Allow ctdbd nlmsg_read on netlink_tcpdiag_socket
Zdenek Pytela 75ed72
- Allow pcp_domain execute its private memfd: objects
Zdenek Pytela 75ed72
- Add support for samba-dcerpcd
Zdenek Pytela 75ed72
- Add policy for wireguard
Zdenek Pytela 75ed72
- Confine targetcli
Zdenek Pytela 75ed72
- Allow systemd work with install_t unix stream sockets
Zdenek Pytela 75ed72
- Allow iscsid the sys_ptrace userns capability
Zdenek Pytela 75ed72
- Allow xdm connect to unconfined_service_t over a unix stream socket
Zdenek Pytela 75ed72
Zdenek Pytela f69f4a
* Fri May 27 2022 Zdenek Pytela <zpytela@redhat.com> - 37.3-1
Zdenek Pytela f69f4a
- Allow nm-dispatcher custom plugin execute systemctl
Zdenek Pytela f69f4a
- Allow nm-dispatcher custom plugin dbus chat with nm
Zdenek Pytela f69f4a
- Allow nm-dispatcher custom plugin create and use udp socket
Zdenek Pytela f69f4a
- Allow nm-dispatcher custom plugin create and use netlink_route_socket
Zdenek Pytela f69f4a
- Use create_netlink_socket_perms in netlink_route_socket class permissions
Zdenek Pytela f69f4a
- Add support for nm-dispatcher sendmail scripts
Zdenek Pytela f69f4a
- Allow sslh net_admin capability
Zdenek Pytela f69f4a
- Allow insights-client manage gpg admin home content
Zdenek Pytela f69f4a
- Add the gpg_manage_admin_home_content() interface
Zdenek Pytela f69f4a
- Allow rhsmcertd create generic log files
Zdenek Pytela f69f4a
- Update logging_create_generic_logs() to use create_files_pattern()
Zdenek Pytela f69f4a
- Label /var/cache/insights with insights_client_cache_t
Zdenek Pytela f69f4a
- Allow insights-client search gconf homedir
Zdenek Pytela f69f4a
- Allow insights-client create and use unix_dgram_socket
Zdenek Pytela f69f4a
- Allow blueman execute its private memfd: files
Zdenek Pytela f69f4a
- Move the chown call into make-srpm.sh
Zdenek Pytela f69f4a
Zdenek Pytela fccb37
* Fri May 06 2022 Zdenek Pytela <zpytela@redhat.com> - 37.2-1
Zdenek Pytela fccb37
- Use the networkmanager_dispatcher_plugin attribute in allow rules
Zdenek Pytela fccb37
- Make a custom nm-dispatcher plugin transition
Zdenek Pytela fccb37
- Label port 4784/tcp and 4784/udp with bfd_multi
Zdenek Pytela fccb37
- Allow systemd watch and watch_reads user ptys
Zdenek Pytela fccb37
- Allow sblim-gatherd the kill capability
Zdenek Pytela fccb37
- Label more vdsm utils with virtd_exec_t
Zdenek Pytela fccb37
- Add ksm service to ksmtuned
Zdenek Pytela fccb37
- Add rhcd policy
Zdenek Pytela fccb37
- Dontaudit guest attempts to dbus chat with systemd domains
Zdenek Pytela fccb37
- Dontaudit guest attempts to dbus chat with system bus types
Zdenek Pytela fccb37
- Use a named transition in systemd_hwdb_manage_config()
Zdenek Pytela fccb37
- Add default fc specifications for patterns in /opt
Zdenek Pytela fccb37
- Add the files_create_etc_files() interface
Zdenek Pytela fccb37
- Allow nm-dispatcher console plugin create and write files in /etc
Zdenek Pytela fccb37
- Allow nm-dispatcher console plugin transition to the setfiles domain
Zdenek Pytela fccb37
- Allow more nm-dispatcher plugins append to init stream sockets
Zdenek Pytela fccb37
- Allow nm-dispatcher tlp plugin dbus chat with nm
Zdenek Pytela fccb37
- Reorder networkmanager_dispatcher_plugin_template() calls
Zdenek Pytela fccb37
- Allow svirt connectto virtlogd
Zdenek Pytela fccb37
- Allow blueman map its private memfd: files
Zdenek Pytela fccb37
- Allow sysadm user execute init scripts with a transition
Zdenek Pytela fccb37
- Allow sblim-sfcbd connect to sblim-reposd stream
Zdenek Pytela fccb37
- Allow keepalived_unconfined_script_t dbus chat with init
Zdenek Pytela fccb37
- Run restorecon with "-i" not to report errors
Zdenek Pytela 59a2a4
Zdenek Pytela 0e9b08
* Mon May 02 2022 Zdenek Pytela <zpytela@redhat.com> - 37.1-1
Zdenek Pytela 0e9b08
- Fix users for SELinux userspace 3.4
Zdenek Pytela 0e9b08
- Label /var/run/machine-id as machineid_t
Zdenek Pytela 0e9b08
- Add stalld to modules.conf
Zdenek Pytela 0e9b08
- Use files_tmpfs_file() for rhsmcertd_tmpfs_t
Zdenek Pytela 0e9b08
- Allow blueman read/write its private memfd: objects
Zdenek Pytela 0e9b08
- Allow insights-client read rhnsd config files
Zdenek Pytela 0e9b08
- Allow insights-client create_socket_perms for tcp/udp sockets
Zdenek Pytela 0e9b08
Zdenek Pytela af1a50
* Tue Apr 26 2022 Zdenek Pytela <zpytela@redhat.com> - 36.8-1
Zdenek Pytela af1a50
- Allow nm-dispatcher chronyc plugin append to init stream sockets
Zdenek Pytela af1a50
- Allow tmpreaper the sys_ptrace userns capability
Zdenek Pytela af1a50
- Label /usr/libexec/vdsm/supervdsmd and vdsmd with virtd_exec_t
Zdenek Pytela af1a50
- Allow nm-dispatcher tlp plugin read/write the wireless device
Zdenek Pytela af1a50
- Allow nm-dispatcher tlp plugin append to init socket
Zdenek Pytela af1a50
- Allow nm-dispatcher tlp plugin be client of a system bus
Zdenek Pytela af1a50
- Allow nm-dispatcher list its configuration directory
Zdenek Pytela af1a50
- Ecryptfs-private support
Zdenek Pytela af1a50
- Allow colord map /var/lib directories
Zdenek Pytela af1a50
- Allow ntlm_auth read the network state information
Zdenek Pytela af1a50
- Allow insights-client search rhnsd configuration directory
Zdenek Pytela af1a50
Zdenek Pytela 23fa4e
* Thu Apr 21 2022 Zdenek Pytela <zpytela@redhat.com> - 36.7-3
Zdenek Pytela 23fa4e
- Add support for nm-dispatcher tlp-rdw scripts
Zdenek Pytela 23fa4e
- Update github actions to satisfy git 2.36 stricter rules
Zdenek Pytela 23fa4e
- New policy for stalld
Zdenek Pytela 23fa4e
- Allow colord read generic files in /var/lib
Zdenek Pytela 23fa4e
- Allow xdm mounton user temporary socket files
Zdenek Pytela 23fa4e
- Allow systemd-gpt-auto-generator create and use netlink_kobject_uevent_socket
Zdenek Pytela 23fa4e
- Allow sssd domtrans to pkcs_slotd_t
Zdenek Pytela 23fa4e
- Allow keepalived setsched and sys_nice
Zdenek Pytela 23fa4e
- Allow xdm map generic files in /var/lib
Zdenek Pytela 23fa4e
- Allow xdm read generic symbolic links in /var/lib
Zdenek Pytela 23fa4e
- Allow pppd create a file in the locks directory
Zdenek Pytela 23fa4e
- Add file map permission to lpd_manage_spool() interface
Zdenek Pytela 23fa4e
- Allow system dbus daemon watch generic directories in /var/lib
Zdenek Pytela 23fa4e
- Allow pcscd the sys_ptrace userns capability
Zdenek Pytela 23fa4e
- Add the corecmd_watch_bin_dirs() interface
Zdenek Pytela 23fa4e
Zdenek Pytela 489937
* Thu Apr 21 2022 Zdenek Pytela <zpytela@redhat.com> - 36.7-2
Zdenek Pytela 489937
- Relabel explicitly some dirs in %posttrans scriptlets
Zdenek Pytela 489937
Zdenek Pytela 8e3435
* Thu Apr 21 2022 Zdenek Pytela <zpytela@redhat.com> - 36.7-1
Zdenek Pytela 8e3435
- Add stalld module to modules-targeted-contrib.conf
Zdenek Pytela 8e3435
Zdenek Pytela f3ea95
* Mon Apr 04 2022 Zdenek Pytela <zpytela@redhat.com> - 36.6-1
Zdenek Pytela f3ea95
- Add support for systemd-network-generator
Zdenek Pytela f3ea95
- Add the io_uring class
Zdenek Pytela f3ea95
- Allow nm-dispatcher dhclient plugin append to init stream sockets
Zdenek Pytela f3ea95
- Relax the naming pattern for systemd private shared libraries
Zdenek Pytela f3ea95
- Allow nm-dispatcher iscsid plugin append to init socket
Zdenek Pytela f3ea95
- Add the init_append_stream_sockets() interface
Zdenek Pytela f3ea95
- Allow nm-dispatcher dnssec-trigger script to execute pidof
Zdenek Pytela f3ea95
- Add support for nm-dispatcher dnssec-trigger scripts
Zdenek Pytela f3ea95
- Allow chronyd talk with unconfined user over unix domain dgram socket
Zdenek Pytela f3ea95
- Allow fenced read kerberos key tables
Zdenek Pytela f3ea95
- Add support for nm-dispatcher ddclient scripts
Zdenek Pytela f3ea95
- Add systemd_getattr_generic_unit_files() interface
Zdenek Pytela f3ea95
- Allow fprintd read and write hardware state information
Zdenek Pytela f3ea95
- Allow exim watch generic certificate directories
Zdenek Pytela f3ea95
- Remove duplicate fc entries for corosync and corosync-notifyd
Zdenek Pytela f3ea95
- Label corosync-cfgtool with cluster_exec_t
Zdenek Pytela f3ea95
- Allow qemu-kvm create and use netlink rdma sockets
Zdenek Pytela f3ea95
- Allow logrotate a domain transition to cluster administrative domain
Zdenek Pytela f3ea95
Zdenek Pytela 46273b
* Fri Mar 18 2022 Zdenek Pytela <zpytela@redhat.com> - 36.5-1
Zdenek Pytela 46273b
- Add support for nm-dispatcher console helper scripts
Zdenek Pytela 46273b
- Allow nm-dispatcher plugins read its directory and sysfs
Zdenek Pytela 46273b
- Do not let system_cronjob_t create redhat-access-insights.log with var_log_t
Zdenek Pytela 46273b
- devices: Add a comment about cardmgr_dev_t
Zdenek Pytela 46273b
- Add basic policy for BinderFS
Zdenek Pytela 46273b
- Label /var/run/ecblp0 pipe with cupsd_var_run_t
Zdenek Pytela 46273b
- Allow rpmdb create directory in /usr/lib/sysimage
Zdenek Pytela 46273b
- Allow rngd drop privileges via setuid/setgid/setcap
Zdenek Pytela 46273b
- Allow init watch and watch_reads user ttys
Zdenek Pytela 46273b
- Allow systemd-logind dbus chat with sosreport
Zdenek Pytela 46273b
- Allow chronyd send a message to sosreport over datagram socket
Zdenek Pytela 46273b
- Remove unnecessary /etc file transitions for insights-client
Zdenek Pytela 46273b
- Label all content in /var/lib/insights with insights_client_var_lib_t
Zdenek Pytela 46273b
- Update insights-client policy
Zdenek Pytela 46273b
Zdenek Pytela e42de7
* Wed Feb 23 2022 Zdenek Pytela <zpytela@redhat.com> - 36.4-2
Zdenek Pytela e42de7
- Add insights_client module to modules-targeted-contrib.conf
Zdenek Pytela e42de7
Zdenek Pytela 20d8d1
* Wed Feb 23 2022 Zdenek Pytela <zpytela@redhat.com> - 36.4-1
Zdenek Pytela 20d8d1
- Update NetworkManager-dispatcher cloud and chronyc policy
Zdenek Pytela 20d8d1
- Update insights-client: fc pattern, motd, writing to etc
Zdenek Pytela 20d8d1
- Allow systemd-sysctl read the security state information
Zdenek Pytela 20d8d1
- Allow init create and mounton to support PrivateDevices
Zdenek Pytela 20d8d1
- Allow sosreport dbus chat abrt systemd timedatex
Zdenek Pytela 20d8d1
Zdenek Pytela a3ac25
* Tue Feb 22 2022 Zdenek Pytela <zpytela@redhat.com> - 36.3-2
Zdenek Pytela a3ac25
- Update specfile to buildrequire policycoreutils-devel >= 3.3-4
Zdenek Pytela a3ac25
- Add modules_checksum to %files
Zdenek Pytela a3ac25
Zdenek Pytela b10879
* Thu Feb 17 2022 Zdenek Pytela <zpytela@redhat.com> - 36.3-1
Zdenek Pytela b10879
- Update NetworkManager-dispatcher policy to use scripts
Zdenek Pytela b10879
- Allow init mounton kernel messages device
Zdenek Pytela b10879
- Revert "Make dbus-broker service working on s390x arch"
Zdenek Pytela b10879
- Remove permissive domain for insights_client_t
Zdenek Pytela b10879
- Allow userdomain read symlinks in /var/lib
Zdenek Pytela b10879
- Allow iptables list cgroup directories
Zdenek Pytela b10879
- Dontaudit mdadm list dirsrv tmpfs dirs
Zdenek Pytela b10879
- Dontaudit dirsrv search filesystem sysctl directories
Zdenek Pytela b10879
- Allow chage domtrans to sssd
Zdenek Pytela b10879
- Allow postfix_domain read dovecot certificates
Zdenek Pytela b10879
- Allow systemd-networkd create and use netlink netfilter socket
Zdenek Pytela b10879
- Allow nm-dispatcher read nm-dispatcher-script symlinks
Zdenek Pytela b10879
- filesystem.te: add genfscon rule for ntfs3 filesystem
Zdenek Pytela b10879
- Allow rhsmcertd get attributes of cgroup filesystems
Zdenek Pytela b10879
- Allow sandbox_web_client_t watch various dirs
Zdenek Pytela b10879
- Exclude container.if from policy devel files
Zdenek Pytela b10879
- Run restorecon on /usr/lib/sysimage/rpm instead of /var/lib/rpm
Zdenek Pytela b10879
Zdenek Pytela 652ddc
* Fri Feb 11 2022 Zdenek Pytela <zpytela@redhat.com> - 36.2-1
Zdenek Pytela 652ddc
- Allow sysadm_passwd_t to relabel passwd and group files
Zdenek Pytela 652ddc
- Allow confined sysadmin to use tool vipw
Zdenek Pytela 652ddc
- Allow login_userdomain map /var/lib/directories
Zdenek Pytela 652ddc
- Allow login_userdomain watch library and fonts dirs
Zdenek Pytela 652ddc
- Allow login_userdomain watch system configuration dirs
Zdenek Pytela 652ddc
- Allow login_userdomain read systemd runtime files
Zdenek Pytela 652ddc
- Allow ctdb create cluster logs
Zdenek Pytela 652ddc
- Allow alsa bind mixer controls to led triggers
Zdenek Pytela 652ddc
- New policy for insights-client
Zdenek Pytela 652ddc
- Add mctp_socket security class and access vectors
Zdenek Pytela 652ddc
- Fix koji repo URL pattern
Zdenek Pytela 652ddc
- Update chronyd_pid_filetrans() to allow create dirs
Zdenek Pytela 652ddc
- Update NetworkManager-dispatcher policy
Zdenek Pytela 652ddc
- Allow unconfined to run virtd bpf
Zdenek Pytela 652ddc
- Allow nm-privhelper setsched permission and send system logs
Zdenek Pytela 652ddc
- Add the map permission to common_anon_inode_perm permission set
Zdenek Pytela 652ddc
- Rename userfaultfd_anon_inode_perms to common_inode_perms
Zdenek Pytela 652ddc
- Allow confined users to use kinit, klist, etc.
Zdenek Pytela 652ddc
- Allow rhsmcertd create rpm hawkey logs with correct label
Zdenek Pytela 652ddc
Zdenek Pytela a2b5a0
* Thu Feb 03 2022 Zdenek Pytela <zpytela@redhat.com> - 36.1-1
Zdenek Pytela a2b5a0
- Label exFAT utilities at /usr/sbin
Zdenek Pytela a2b5a0
- policy/modules/contrib: Support /usr/lib/sysimage/rpm as the rpmdb path
Zdenek Pytela a2b5a0
- Enable genfs_seclabel_symlinks policy capability
Zdenek Pytela a2b5a0
- Sync policy/policy_capabilities with refpolicy
Zdenek Pytela a2b5a0
- refpolicy: drop unused socket security classes
Zdenek Pytela a2b5a0
- Label new utility of NetworkManager nm-priv-helper
Zdenek Pytela a2b5a0
- Label NetworkManager-dispatcher service with separate context
Zdenek Pytela a2b5a0
- Allow sanlock get attributes of filesystems with extended attributes
Zdenek Pytela a2b5a0
- Associate stratisd_data_t with device filesystem
Zdenek Pytela a2b5a0
- Allow init read stratis data symlinks
Zdenek Pytela a2b5a0
Zdenek Pytela 7774d2
* Tue Feb 01 2022 Zdenek Pytela <zpytela@redhat.com> - 35.13-1
Zdenek Pytela 7774d2
- Allow systemd services watch dbusd pid directory and its parents
Zdenek Pytela 7774d2
- Allow ModemManager connect to the unconfined user domain
Zdenek Pytela 7774d2
- Label /dev/wwan.+ with modem_manager_t
Zdenek Pytela 7774d2
- Allow alsactl set group Process ID of a process
Zdenek Pytela 7774d2
- Allow domtrans to sssd_t and role access to sssd
Zdenek Pytela 7774d2
- Creating interface sssd_run_sssd()
Zdenek Pytela 7774d2
- Label utilities for exFAT filesystems with fsadm_exec_t
Zdenek Pytela 7774d2
- Label /dev/nvme-fabrics with fixed_disk_device_t
Zdenek Pytela 7774d2
- Allow init delete generic tmp named pipes
Zdenek Pytela 7774d2
- Allow timedatex dbus chat with xdm
Zdenek Pytela 7774d2
Zdenek Pytela 742db0
* Wed Jan 26 2022 Zdenek Pytela <zpytela@redhat.com> - 35.12-1
Zdenek Pytela 742db0
- Fix badly indented used interfaces
Zdenek Pytela 742db0
- Allow domain transition to sssd_t
Zdenek Pytela 742db0
- Dontaudit sfcbd sys_ptrace cap_userns
Zdenek Pytela 742db0
- Label /var/lib/plocate with locate_var_lib_t
Zdenek Pytela 742db0
- Allow hostapd talk with unconfined user over unix domain dgram socket
Zdenek Pytela 742db0
- Allow NetworkManager talk with unconfined user over unix domain dgram socket
Zdenek Pytela 742db0
- Allow system_mail_t read inherited apache system content rw files
Zdenek Pytela 742db0
- Add apache_read_inherited_sys_content_rw_files() interface
Zdenek Pytela 742db0
- Allow rhsm-service execute its private memfd: objects
Zdenek Pytela 742db0
- Allow dirsrv read configfs files and directories
Zdenek Pytela 742db0
- Label /run/stratisd with stratisd_var_run_t
Zdenek Pytela 742db0
- Allow tumblerd write to session_dbusd tmp socket files
Zdenek Pytela 742db0
Zdenek Pytela 500380
* Wed Jan 19 2022 Zdenek Pytela <zpytela@redhat.com> - 35.11-1
Zdenek Pytela 500380
- Revert "Label /etc/cockpit/ws-certs.d with cert_t"
Zdenek Pytela 500380
- Allow login_userdomain write to session_dbusd tmp socket files
Zdenek Pytela 500380
- Label /var/run/user/%{USERID}/dbus with session_dbusd_tmp_t
Zdenek Pytela 500380
Zdenek Pytela b8cfdb
* Mon Jan 17 2022 Zdenek Pytela <zpytela@redhat.com> - 35.10-1
Zdenek Pytela b8cfdb
- Allow login_userdomain watch systemd-machined PID directories
Zdenek Pytela b8cfdb
- Allow login_userdomain watch systemd-logind PID directories
Zdenek Pytela b8cfdb
- Allow login_userdomain watch accountsd lib directories
Zdenek Pytela b8cfdb
- Allow login_userdomain watch localization directories
Zdenek Pytela b8cfdb
- Allow login_userdomain watch various files and dirs
Zdenek Pytela b8cfdb
- Allow login_userdomain watch generic directories in /tmp
Zdenek Pytela b8cfdb
- Allow rhsm-service read/write its private memfd: objects
Zdenek Pytela b8cfdb
- Allow radiusd connect to the radacct port
Zdenek Pytela b8cfdb
- Allow systemd-io-bridge ioctl rpm_script_t
Zdenek Pytela b8cfdb
- Allow systemd-coredump userns capabilities and root mounton
Zdenek Pytela b8cfdb
- Allow systemd-coredump read and write usermodehelper state
Zdenek Pytela b8cfdb
- Allow login_userdomain create session_dbusd tmp socket files
Zdenek Pytela b8cfdb
- Allow gkeyringd_domain write to session_dbusd tmp socket files
Zdenek Pytela b8cfdb
- Allow systemd-logind delete session_dbusd tmp socket files
Zdenek Pytela b8cfdb
- Allow gdm-x-session write to session dbus tmp sock files
Zdenek Pytela b8cfdb
- Label /etc/cockpit/ws-certs.d with cert_t
Zdenek Pytela b8cfdb
- Allow kpropd get attributes of cgroup filesystems
Zdenek Pytela b8cfdb
- Allow administrative users the bpf capability
Zdenek Pytela b8cfdb
- Allow sysadm_t start and stop transient services
Zdenek Pytela b8cfdb
- Connect triggerin to pcre2 instead of pcre
Zdenek Pytela b8cfdb
Zdenek Pytela b3c781
* Wed Jan 12 2022 Zdenek Pytela <zpytela@redhat.com> - 35.9-1
Zdenek Pytela b3c781
- Allow sshd read filesystem sysctl files
Zdenek Pytela b3c781
- Revert "Allow sshd read sysctl files"
Zdenek Pytela b3c781
- Allow tlp read its systemd unit
Zdenek Pytela b3c781
- Allow gssproxy access to various system files.
Zdenek Pytela b3c781
- Allow gssproxy read, write, and map ica tmpfs files
Zdenek Pytela b3c781
- Allow gssproxy read and write z90crypt device
Zdenek Pytela b3c781
- Allow sssd_kcm read and write z90crypt device
Zdenek Pytela b3c781
- Allow smbcontrol read the network state information
Zdenek Pytela b3c781
- Allow virt_domain map vhost devices
Zdenek Pytela b3c781
- Allow fcoemon request the kernel to load a module
Zdenek Pytela b3c781
- Allow sshd read sysctl files
Zdenek Pytela b3c781
- Ensure that `/run/systemd/*` are properly labeled
Zdenek Pytela b3c781
- Allow admin userdomains use socketpair()
Zdenek Pytela b3c781
- Change /run/user/[0-9]+ to /run/user/%{USERID} for proper labeling
Zdenek Pytela b3c781
- Allow lldpd connect to snmpd with a unix domain stream socket
Zdenek Pytela b3c781
- Dontaudit pkcsslotd sys_admin capability
Zdenek Pytela b3c781
Zdenek Pytela d0828e
* Thu Dec 23 2021 Zdenek Pytela <zpytela@redhat.com> - 35.8-1
Zdenek Pytela d0828e
- Allow haproxy get attributes of filesystems with extended attributes
Zdenek Pytela d0828e
- Allow haproxy get attributes of cgroup filesystems
Zdenek Pytela d0828e
- Allow sysadm execute sysadmctl in sysadm_t domain using sudo
Zdenek Pytela d0828e
- Allow userdomains use pam_ssh_agent_auth for passwordless sudo
Zdenek Pytela d0828e
- Allow sudodomains execute passwd in the passwd domain
Zdenek Pytela d0828e
- Allow braille printing in selinux
Zdenek Pytela d0828e
- Allow sandbox_xserver_t map sandbox_file_t
Zdenek Pytela d0828e
- Label /dev/ngXnY and /dev/nvme-subsysX with fixed_disk_device_t
Zdenek Pytela d0828e
- Add hwtracing_device_t type for hardware-level tracing and debugging
Zdenek Pytela d0828e
- Label port 9528/tcp with openqa_liveview
Zdenek Pytela d0828e
- Label /var/lib/shorewall6-lite with shorewall_var_lib_t
Zdenek Pytela d0828e
- Document Security Flask model in the policy
Zdenek Pytela d0828e
Zdenek Pytela 4bbbba
* Fri Dec 10 2021 Zdenek Pytela <zpytela@redhat.com> - 35.7-1
Zdenek Pytela 4bbbba
- Allow systemd read unlabeled symbolic links
Zdenek Pytela 4bbbba
- Label abrt-action-generate-backtrace with abrt_handle_event_exec_t
Zdenek Pytela 4bbbba
- Allow dnsmasq watch /etc/dnsmasq.d directories
Zdenek Pytela 4bbbba
- Allow rhsmcertd get attributes of tmpfs_t filesystems
Zdenek Pytela 4bbbba
- Allow lldpd use an snmp subagent over a tcp socket
Zdenek Pytela 4bbbba
- Allow xdm watch generic directories in /var/lib
Zdenek Pytela 4bbbba
- Allow login_userdomain open/read/map system journal
Zdenek Pytela 4bbbba
- Allow sysadm_t connect to cluster domains over a unix stream socket
Zdenek Pytela 4bbbba
- Allow sysadm_t read/write pkcs shared memory segments
Zdenek Pytela 4bbbba
- Allow sysadm_t connect to sanlock over a unix stream socket
Zdenek Pytela 4bbbba
- Allow sysadm_t dbus chat with sssd
Zdenek Pytela 4bbbba
- Allow sysadm_t set attributes on character device nodes
Zdenek Pytela 4bbbba
- Allow sysadm_t read and write watchdog devices
Zdenek Pytela 4bbbba
- Allow smbcontrol use additional socket types
Zdenek Pytela 4bbbba
- Allow cloud-init dbus chat with systemd-logind
Zdenek Pytela 4bbbba
- Allow svnserve send mail from the system
Zdenek Pytela 4bbbba
- Update userdom_exec_user_tmp_files() with an entrypoint rule
Zdenek Pytela 4bbbba
- Allow sudodomain send a null signal to sshd processes
Zdenek Pytela 4bbbba
Zdenek Pytela 16445d
* Fri Nov 19 2021 Zdenek Pytela <zpytela@redhat.com> - 35.6-1
Zdenek Pytela 16445d
- Allow PID 1 and dbus-broker IPC with a systemd user session
Zdenek Pytela 16445d
- Allow rpmdb read generic SSL certificates
Zdenek Pytela 16445d
- Allow rpmdb read admin home config files
Zdenek Pytela 16445d
- Report warning on duplicate definition of interface
Zdenek Pytela 16445d
- Allow redis get attributes of filesystems with extended attributes
Zdenek Pytela 16445d
- Allow sysadm_t dbus chat with realmd_t
Zdenek Pytela 16445d
- Make cupsd_lpd_t a daemon
Zdenek Pytela 16445d
- Allow tlp dbus-chat with NetworkManager
Zdenek Pytela 16445d
- filesystem: add fs_use_trans for ramfs
Zdenek Pytela 16445d
- Allow systemd-logind destroy unconfined user's IPC objects
Zdenek Pytela 16445d
Zdenek Pytela bc5db6
* Thu Nov 04 2021 Zdenek Pytela <zpytela@redhat.com> - 35.5-1
Zdenek Pytela bc5db6
- Support sanlock VG automated recovery on storage access loss 2/2
Zdenek Pytela bc5db6
- Support sanlock VG automated recovery on storage access loss 1/2
Zdenek Pytela bc5db6
- Revert "Support sanlock VG automated recovery on storage access loss"
Zdenek Pytela bc5db6
- Allow tlp get service units status
Zdenek Pytela bc5db6
- Allow fedora-third-party manage 3rd party repos
Zdenek Pytela bc5db6
- Allow xdm_t nnp_transition to login_userdomain
Zdenek Pytela bc5db6
- Add the auth_read_passwd_file() interface
Zdenek Pytela bc5db6
- Allow redis-sentinel execute a notification script
Zdenek Pytela bc5db6
- Allow fetchmail search cgroup directories
Zdenek Pytela bc5db6
- Allow lvm_t to read/write devicekit disk semaphores
Zdenek Pytela bc5db6
- Allow devicekit_disk_t to use /dev/mapper/control
Zdenek Pytela bc5db6
- Allow devicekit_disk_t to get IPC info from the kernel
Zdenek Pytela bc5db6
- Allow devicekit_disk_t to read systemd-logind pid files
Zdenek Pytela bc5db6
- Allow devicekit_disk_t to mount filesystems on mnt_t directories
Zdenek Pytela bc5db6
- Allow devicekit_disk_t to manage mount_var_run_t files
Zdenek Pytela bc5db6
- Allow rasdaemon sys_admin capability to verify the CAP_SYS_ADMIN of the soft_offline_page function implemented in the kernel
Zdenek Pytela bc5db6
- Use $releasever in koji repo to reduce rawhide hardcoding
Zdenek Pytela bc5db6
- authlogin: add fcontext for tcb
Zdenek Pytela bc5db6
- Add erofs as a SELinux capable file system
Zdenek Pytela bc5db6
- Allow systemd execute user bin files
Zdenek Pytela bc5db6
- Support sanlock VG automated recovery on storage access loss
Zdenek Pytela bc5db6
- Support new PING_CHECK health checker in keepalived
Zdenek Pytela bc5db6
Zdenek Pytela bc5db6
* Wed Oct 20 2021 Zdenek Pytela <zpytela@redhat.com> - 35.4-1
Zdenek Pytela bc5db6
- Allow fedora-third-party map generic cache files
Zdenek Pytela bc5db6
- Add gnome_map_generic_cache_files() interface
Zdenek Pytela bc5db6
- Add files_manage_var_lib_dirs() interface
Zdenek Pytela bc5db6
- Allow fedora-third-party manage gpg keys
Zdenek Pytela bc5db6
- Allow fedora-third-party run "flatpak remote-add --from flathub"
Zdenek Pytela bc5db6
Zdenek Pytela bc5db6
* Tue Oct 19 2021 Zdenek Pytela <zpytela@redhat.com> - 35.3-1
Zdenek Pytela bc5db6
- Allow fedora-third-party run flatpak post-install actions
Zdenek Pytela bc5db6
- Allow fedora-third-party set_setsched and sys_nice
Zdenek Pytela bc5db6
Zdenek Pytela 510d46
* Mon Oct 18 2021 Zdenek Pytela <zpytela@redhat.com> - 35.2-1
Zdenek Pytela 510d46
- Allow fedora-third-party execute "flatpak remote-add"
Zdenek Pytela 510d46
- Add files_manage_var_lib_files() interface
Zdenek Pytela 510d46
- Add write permission to userfaultfd_anon_inode_perms
Zdenek Pytela 510d46
- Allow proper functioning of sosreport via iotop
Zdenek Pytela 510d46
- Allow proper functioning of sosreport in the sysadmin role
Zdenek Pytela 510d46
- Allow fedora-third-party to connect to the system log service
Zdenek Pytela 510d46
- Allow fedora-third-party dbus chat with policykit
Zdenek Pytela 510d46
- Allow chrony-wait service start with DynamicUser=yes
Zdenek Pytela 510d46
- Allow management of lnk_files if similar access to regular files
Zdenek Pytela 510d46
- Allow unconfined_t transition to mozilla_plugin_t with NoNewPrivileges
Zdenek Pytela 510d46
- Allow systemd-resolved watch /run/systemd
Zdenek Pytela 510d46
- Allow fedora-third-party create and use unix_dgram_socket
Zdenek Pytela 510d46
- Remove the pkcs_tmpfs_filetrans interface and edit pkcs policy files
Zdenek Pytela 510d46
- Allow login_userdomain named filetrans to pkcs_slotd_tmpfs_t domain
Zdenek Pytela 510d46
Zdenek Pytela a38b01
* Thu Oct 07 2021 Zdenek Pytela <zpytela@redhat.com> - 35.1-1
Zdenek Pytela a38b01
- Add fedoratp module
Zdenek Pytela a38b01
- Allow xdm_t domain transition to fedoratp_t
Zdenek Pytela a38b01
- Allow ModemManager create and use netlink route socket
Zdenek Pytela a38b01
- Add default file context for /run/gssproxy.default.sock
Zdenek Pytela a38b01
- Allow xdm_t watch fonts directories
Zdenek Pytela a38b01
- Allow xdm_t watch generic directories in /lib
Zdenek Pytela a38b01
- Allow xdm_t watch generic pid directories