# github repo with selinux-policy sources
%global giturl https://github.com/fedora-selinux/selinux-policy
%global commit 9a662e69d4fcbd46c6d1bb837b6f4d94c19f16aa
%global shortcommit %(c=%{commit}; echo ${c:0:7})

%define distro redhat
%define polyinstatiate n
%define monolithic n
%if %{?BUILD_DOC:0}%{!?BUILD_DOC:1}
%define BUILD_DOC 1
%endif
%if %{?BUILD_TARGETED:0}%{!?BUILD_TARGETED:1}
%define BUILD_TARGETED 1
%endif
%if %{?BUILD_MINIMUM:0}%{!?BUILD_MINIMUM:1}
%define BUILD_MINIMUM 1
%endif
%if %{?BUILD_MLS:0}%{!?BUILD_MLS:1}
%define BUILD_MLS 1
%endif
%define POLICYVER 33
%define POLICYCOREUTILSVER 3.4-1
%define CHECKPOLICYVER 3.2
Summary: SELinux policy configuration
Name: selinux-policy
Version: 40.3
Release: 1%{?dist}
License: GPL-2.0-or-later
Source: %{giturl}/archive/%{commit}/%{name}-%{shortcommit}.tar.gz
Source1: modules-targeted-base.conf
Source31: modules-targeted-contrib.conf
Source2: booleans-targeted.conf
Source3: Makefile.devel
Source4: setrans-targeted.conf
Source5: modules-mls-base.conf
Source32: modules-mls-contrib.conf
Source6: booleans-mls.conf
Source8: setrans-mls.conf
Source14: securetty_types-targeted
Source15: securetty_types-mls
#Source16: modules-minimum.conf
Source17: booleans-minimum.conf
Source18: setrans-minimum.conf
Source19: securetty_types-minimum
Source20: customizable_types
Source22: users-mls
Source23: users-targeted
Source25: users-minimum
Source26: file_contexts.subs_dist
Source27: selinux-policy.conf
Source28: permissivedomains.cil
Source30: booleans.subs_dist

# Tool helps during policy development, to expand system m4 macros to raw allow rules
# Git repo: https://github.com/fedora-selinux/macro-expander.git
Source33: macro-expander

# Include SELinux policy for container from separate container-selinux repo
# Git repo: https://github.com/containers/container-selinux.git
Source35: container-selinux.tgz

Source36: selinux-check-proper-disable.service

# Provide rpm macros for packages installing SELinux modules
Source102: rpm.macros

Url: %{giturl}
BuildArch: noarch
BuildRequires: python3 gawk checkpolicy >= %{CHECKPOLICYVER} m4 policycoreutils-devel >= %{POLICYCOREUTILSVER} bzip2
BuildRequires: make
BuildRequires: systemd-rpm-macros
Requires(pre): policycoreutils >= %{POLICYCOREUTILSVER}
Requires(post): /bin/awk /usr/bin/sha512sum
Requires(meta): rpm-plugin-selinux
Requires: selinux-policy-any = %{version}-%{release}
Provides: selinux-policy-base = %{version}-%{release}
Suggests: selinux-policy-targeted

%description
SELinux core policy package.
Originally based off of reference policy,
the policy has been adjusted to provide support for Fedora.

%files
%{!?_licensedir:%global license %%doc}
%license COPYING
%dir %{_datadir}/selinux
%dir %{_datadir}/selinux/packages
%dir %{_sysconfdir}/selinux
%ghost %config(noreplace) %{_sysconfdir}/selinux/config
%ghost %{_sysconfdir}/sysconfig/selinux
%{_usr}/lib/tmpfiles.d/selinux-policy.conf
%{_rpmconfigdir}/macros.d/macros.selinux-policy
%{_unitdir}/selinux-check-proper-disable.service

%package sandbox
Summary: SELinux sandbox policy
Requires(pre): selinux-policy-base = %{version}-%{release}
Requires(pre): selinux-policy-targeted = %{version}-%{release}

%description sandbox
SELinux sandbox policy for use with the sandbox utility.

%files sandbox
%verify(not md5 size mtime) %{_datadir}/selinux/packages/sandbox.pp

%post sandbox
rm -f %{_sysconfdir}/selinux/*/modules/active/modules/sandbox.pp.disabled 2>/dev/null
rm -f %{_sharedstatedir}/selinux/*/active/modules/disabled/sandbox 2>/dev/null
%{_sbindir}/semodule -n -X 100 -i %{_datadir}/selinux/packages/sandbox.pp
if %{_sbindir}/selinuxenabled ; then
    %{_sbindir}/load_policy
fi;
exit 0

%preun sandbox
if [ $1 -eq 0 ] ; then
    %{_sbindir}/semodule -n -d sandbox 2>/dev/null
    if %{_sbindir}/selinuxenabled ; then
        %{_sbindir}/load_policy
    fi;
fi;
exit 0

%package devel
Summary: SELinux policy development files
Requires(pre): selinux-policy = %{version}-%{release}
Requires: selinux-policy = %{version}-%{release}
Requires: m4 checkpolicy >= %{CHECKPOLICYVER}
Requires: /usr/bin/make
Requires(post): policycoreutils-devel >= %{POLICYCOREUTILSVER}

%description devel
SELinux policy development package.
This package contains:
- interfaces, macros, and patterns for policy development
- a policy example
- the macro-expander utility
and some additional files.

%files devel
%{_bindir}/macro-expander
%dir %{_datadir}/selinux/devel
%dir %{_datadir}/selinux/devel/include
%{_datadir}/selinux/devel/include/*
%exclude %{_datadir}/selinux/devel/include/contrib/container.if
%dir %{_datadir}/selinux/devel/html
%{_datadir}/selinux/devel/html/*html
%{_datadir}/selinux/devel/html/*css
%{_datadir}/selinux/devel/Makefile
%{_datadir}/selinux/devel/example.*
%{_datadir}/selinux/devel/policy.*
%ghost %verify(not md5 size mode mtime) %{_sharedstatedir}/sepolgen/interface_info

%post devel
%{_sbindir}/selinuxenabled && %{_bindir}/sepolgen-ifgen 2>/dev/null
exit 0

%package doc
Summary: SELinux policy documentation
Requires(pre): selinux-policy = %{version}-%{release}
Requires: selinux-policy = %{version}-%{release}

%description doc
SELinux policy documentation package.
This package contains manual pages and documentation of the policy modules.

%files doc
%{_mandir}/man*/*
%{_mandir}/ru/*/*
%exclude %{_mandir}/man8/container_selinux.8.gz
%doc %{_datadir}/doc/%{name}

%define common_params DISTRO=%{distro} UBAC=n DIRECT_INITRC=n MONOLITHIC=%{monolithic} MLS_CATS=1024 MCS_CATS=1024

%define makeCmds() \
%make_build %common_params UNK_PERMS=%3 NAME=%1 TYPE=%2 bare \
%make_build %common_params UNK_PERMS=%3 NAME=%1 TYPE=%2 conf \
cp -f selinux_config/booleans-%1.conf ./policy/booleans.conf \
cp -f selinux_config/users-%1 ./policy/users \
#cp -f selinux_config/modules-%1-base.conf  ./policy/modules.conf \

%define makeModulesConf() \
cp -f selinux_config/modules-%1-%2.conf  ./policy/modules-base.conf \
cp -f selinux_config/modules-%1-%2.conf  ./policy/modules.conf \
if [ %3 == "contrib" ];then \
	cp selinux_config/modules-%1-%3.conf ./policy/modules-contrib.conf; \
	cat selinux_config/modules-%1-%3.conf >> ./policy/modules.conf; \
fi; \

%define installCmds() \
%make_build %common_params UNK_PERMS=%3 NAME=%1 TYPE=%2 base.pp \
%make_build %common_params UNK_PERMS=%3 NAME=%1 TYPE=%2 validate modules \
make %common_params UNK_PERMS=%3 NAME=%1 TYPE=%2 DESTDIR=%{buildroot} install \
make %common_params UNK_PERMS=%3 NAME=%1 TYPE=%2 DESTDIR=%{buildroot} install-appconfig \
make %common_params UNK_PERMS=%3 NAME=%1 TYPE=%2 DESTDIR=%{buildroot} SEMODULE="%{_sbindir}/semodule -p %{buildroot} -X 100 " load \
%{__mkdir} -p %{buildroot}%{_sysconfdir}/selinux/%1/logins \
touch %{buildroot}%{_sysconfdir}/selinux/%1/contexts/files/file_contexts.subs \
install -m0644 selinux_config/securetty_types-%1 %{buildroot}%{_sysconfdir}/selinux/%1/contexts/securetty_types \
install -m0644 selinux_config/file_contexts.subs_dist %{buildroot}%{_sysconfdir}/selinux/%1/contexts/files \
install -m0644 selinux_config/setrans-%1.conf %{buildroot}%{_sysconfdir}/selinux/%1/setrans.conf \
install -m0644 selinux_config/customizable_types %{buildroot}%{_sysconfdir}/selinux/%1/contexts/customizable_types \
touch %{buildroot}%{_sysconfdir}/selinux/%1/contexts/files/file_contexts.bin \
touch %{buildroot}%{_sysconfdir}/selinux/%1/contexts/files/file_contexts.local \
touch %{buildroot}%{_sysconfdir}/selinux/%1/contexts/files/file_contexts.local.bin \
cp %{SOURCE30} %{buildroot}%{_sysconfdir}/selinux/%1 \
rm -f %{buildroot}%{_datadir}/selinux/%1/*pp*  \
%{_bindir}/sha512sum %{buildroot}%{_sysconfdir}/selinux/%1/policy/policy.%{POLICYVER} | cut -d' ' -f 1 > %{buildroot}%{_sysconfdir}/selinux/%1/.policy.sha512; \
rm -rf %{buildroot}%{_sysconfdir}/selinux/%1/contexts/netfilter_contexts  \
rm -rf %{buildroot}%{_sysconfdir}/selinux/%1/modules/active/policy.kern \
rm -f %{buildroot}%{_sharedstatedir}/selinux/%1/active/*.linked \
%nil

%define fileList() \
%defattr(-,root,root) \
%dir %{_sysconfdir}/selinux/%1 \
%config(noreplace) %{_sysconfdir}/selinux/%1/setrans.conf \
%config(noreplace) %verify(not md5 size mtime) %{_sysconfdir}/selinux/%1/seusers \
%dir %{_sysconfdir}/selinux/%1/logins \
%dir %{_sharedstatedir}/selinux/%1/active \
%verify(not md5 size mtime) %{_sharedstatedir}/selinux/%1/semanage.read.LOCK \
%verify(not md5 size mtime) %{_sharedstatedir}/selinux/%1/semanage.trans.LOCK \
%dir %attr(700,root,root) %dir %{_sharedstatedir}/selinux/%1/active/modules \
%verify(not md5 size mtime) %{_sharedstatedir}/selinux/%1/active/modules/100/base \
%dir %{_sysconfdir}/selinux/%1/policy/ \
%verify(not md5 size mtime) %{_sysconfdir}/selinux/%1/policy/policy.%{POLICYVER} \
%{_sysconfdir}/selinux/%1/.policy.sha512 \
%dir %{_sysconfdir}/selinux/%1/contexts \
%config %{_sysconfdir}/selinux/%1/contexts/customizable_types \
%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/securetty_types \
%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/dbus_contexts \
%config %{_sysconfdir}/selinux/%1/contexts/x_contexts \
%config %{_sysconfdir}/selinux/%1/contexts/default_contexts \
%config %{_sysconfdir}/selinux/%1/contexts/virtual_domain_context \
%config %{_sysconfdir}/selinux/%1/contexts/virtual_image_context \
%config %{_sysconfdir}/selinux/%1/contexts/lxc_contexts \
%config %{_sysconfdir}/selinux/%1/contexts/systemd_contexts \
%config %{_sysconfdir}/selinux/%1/contexts/sepgsql_contexts \
%config %{_sysconfdir}/selinux/%1/contexts/openssh_contexts \
%config %{_sysconfdir}/selinux/%1/contexts/snapperd_contexts \
%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/default_type \
%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/failsafe_context \
%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/initrc_context \
%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/removable_context \
%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/userhelper_context \
%dir %{_sysconfdir}/selinux/%1/contexts/files \
%verify(not md5 size mtime) %{_sysconfdir}/selinux/%1/contexts/files/file_contexts \
%ghost %{_sysconfdir}/selinux/%1/contexts/files/file_contexts.bin \
%verify(not md5 size mtime) %{_sysconfdir}/selinux/%1/contexts/files/file_contexts.homedirs \
%ghost %{_sysconfdir}/selinux/%1/contexts/files/file_contexts.homedirs.bin \
%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/files/file_contexts.local \
%ghost %{_sysconfdir}/selinux/%1/contexts/files/file_contexts.local.bin \
%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/files/file_contexts.subs \
%{_sysconfdir}/selinux/%1/contexts/files/file_contexts.subs_dist \
%{_sysconfdir}/selinux/%1/booleans.subs_dist \
%config %{_sysconfdir}/selinux/%1/contexts/files/media \
%dir %{_sysconfdir}/selinux/%1/contexts/users \
%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/users/root \
%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/users/guest_u \
%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/users/xguest_u \
%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/users/user_u \
%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/users/staff_u \
%dir %{_datadir}/selinux/%1 \
%{_datadir}/selinux/%1/base.lst \
%{_datadir}/selinux/%1/modules-base.lst \
%{_datadir}/selinux/%1/modules-contrib.lst \
%{_datadir}/selinux/%1/nonbasemodules.lst \
%dir %{_sharedstatedir}/selinux/%1 \
%verify(not md5 size mtime) %{_sharedstatedir}/selinux/%1/active/commit_num \
%verify(not md5 size mtime) %{_sharedstatedir}/selinux/%1/active/users_extra \
%verify(not md5 size mtime) %{_sharedstatedir}/selinux/%1/active/homedir_template \
%verify(not md5 size mtime) %{_sharedstatedir}/selinux/%1/active/seusers \
%verify(not md5 size mtime) %{_sharedstatedir}/selinux/%1/active/file_contexts \
%verify(not md5 size mtime) %{_sharedstatedir}/selinux/%1/active/policy.kern \
%ghost %{_sharedstatedir}/selinux/%1/active/policy.linked \
%ghost %{_sharedstatedir}/selinux/%1/active/seusers.linked \
%ghost %{_sharedstatedir}/selinux/%1/active/users_extra.linked \
%verify(not md5 size mtime) %{_sharedstatedir}/selinux/%1/active/file_contexts.homedirs \
%verify(not md5 size mtime) %{_sharedstatedir}/selinux/%1/active/modules_checksum \
%nil

%define relabel() \
if [ -s %{_sysconfdir}/selinux/config ]; then \
    . %{_sysconfdir}/selinux/config &> /dev/null || true; \
fi; \
FILE_CONTEXT=%{_sysconfdir}/selinux/%1/contexts/files/file_contexts; \
if %{_sbindir}/selinuxenabled && [ "${SELINUXTYPE}" = %1 -a -f ${FILE_CONTEXT}.pre ]; then \
     %{_sbindir}/fixfiles -C ${FILE_CONTEXT}.pre restore &> /dev/null > /dev/null; \
     rm -f ${FILE_CONTEXT}.pre; \
fi; \
# rebuilding the rpm database still can sometimes result in an incorrect context \
%{_sbindir}/restorecon -R /usr/lib/sysimage/rpm \
if %{_sbindir}/restorecon -e /run/media -R /root /var/log /var/run /etc/passwd* /etc/group* /etc/*shadow* 2> /dev/null;then \
    continue; \
fi;

%define preInstall() \
if [ $1 -ne 1 ] && [ -s %{_sysconfdir}/selinux/config ]; then \
     for MOD_NAME in ganesha ipa_custodia kdbus; do \
        if [ -d %{_sharedstatedir}/selinux/%1/active/modules/100/$MOD_NAME ]; then \
           %{_sbindir}/semodule -n -d $MOD_NAME; \
        fi; \
     done; \
     . %{_sysconfdir}/selinux/config; \
     FILE_CONTEXT=%{_sysconfdir}/selinux/%1/contexts/files/file_contexts; \
     if [ "${SELINUXTYPE}" = %1 -a -f ${FILE_CONTEXT} ]; then \
        [ -f ${FILE_CONTEXT}.pre ] || cp -f ${FILE_CONTEXT} ${FILE_CONTEXT}.pre; \
     fi; \
     touch %{_sysconfdir}/selinux/%1/.rebuild; \
     if [ -e %{_sysconfdir}/selinux/%1/.policy.sha512 ]; then \
        POLICY_FILE=`ls %{_sysconfdir}/selinux/%1/policy/policy.* | sort | head -1` \
        sha512=`sha512sum $POLICY_FILE | cut -d ' ' -f 1`; \
	checksha512=`cat %{_sysconfdir}/selinux/%1/.policy.sha512`; \
	if [ "$sha512" == "$checksha512" ] ; then \
		rm %{_sysconfdir}/selinux/%1/.rebuild; \
	fi; \
   fi; \
fi;
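Added example, not code from the spec: how the `.policy.sha512` written by `%installCmds` and the `.rebuild` decision in `%preInstall` fit together, as POSIX shell functions run against a temporary directory instead of `/etc/selinux`. `POLICYVER` follows the spec; the function names, the sandbox layout and the fake policy bytes are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the selinux-policy spec): the checksum handshake
# between %installCmds (records .policy.sha512 at build time) and %preInstall
# (decides at upgrade time whether to leave a .rebuild marker), as functions
# over a sandbox store. POLICYVER mirrors the spec; the function names and
# the sandbox layout are assumptions made for this example.

POLICYVER=33

# Build side: store the sha512 of the compiled kernel policy beside it,
# the same "sha512sum | cut" pipeline %installCmds uses.
record_policy_sha512() {
    store="$1"    # e.g. <sandbox>/targeted, standing in for /etc/selinux/targeted
    sha512sum "$store/policy/policy.$POLICYVER" | cut -d' ' -f 1 > "$store/.policy.sha512"
}

# Upgrade side: mark the store for rebuild, then clear the mark again when the
# policy on disk still matches the checksum recorded at packaging time.
# Exit status 0 means the .rebuild marker was left in place.
mark_rebuild_if_changed() {
    store="$1"
    touch "$store/.rebuild"
    if [ -e "$store/.policy.sha512" ]; then
        policy_file=$(ls "$store"/policy/policy.* | sort | head -1)
        sha512=$(sha512sum "$policy_file" | cut -d ' ' -f 1)
        checksha512=$(cat "$store/.policy.sha512")
        if [ "$sha512" = "$checksha512" ]; then
            rm "$store/.rebuild"
        fi
    fi
    [ -e "$store/.rebuild" ]
}

# Constructed sandbox store with a fake policy.33 in place of a binary policy.
make_sandbox_store() {
    store=$(mktemp -d)/targeted
    mkdir -p "$store/policy"
    printf 'constructed policy bytes\n' > "$store/policy/policy.$POLICYVER"
    printf '%s\n' "$store"
}

# Stand-alone demo: a pristine policy leaves no .rebuild, a modified one does.
demo=$(make_sandbox_store)
record_policy_sha512 "$demo"
if mark_rebuild_if_changed "$demo"; then echo "rebuild needed"; else echo "policy unchanged, no rebuild"; fi
printf 'local edit\n' >> "$demo/policy/policy.$POLICYVER"
if mark_rebuild_if_changed "$demo"; then echo "rebuild needed"; else echo "policy unchanged, no rebuild"; fi
rm -rf "$(dirname "$demo")"
```

The `ls | sort | head -1` step is kept as the spec has it: when more than one `policy.*` file exists in the store, the lowest-sorting name is the one checked, not necessarily `policy.%{POLICYVER}`.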

%define postInstall() \
if [ -s %{_sysconfdir}/selinux/config ]; then \
    . %{_sysconfdir}/selinux/config &> /dev/null || true; \
fi; \
if [ -e %{_sysconfdir}/selinux/%2/.rebuild ]; then \
   rm %{_sysconfdir}/selinux/%2/.rebuild; \
fi; \
%{_sbindir}/semodule -B -n -s %2; \
[ "${SELINUXTYPE}" == "%2" ] && %{_sbindir}/selinuxenabled && load_policy; \
if [ %1 -eq 1 ]; then \
   %{_sbindir}/restorecon -R /root /var/log /run /etc/passwd* /etc/group* /etc/*shadow* 2> /dev/null; \
else \
%relabel %2 \
fi;

%define modulesList() \
awk '$1 !~ /^#/ && $2 == "=" && $3 == "module" { printf "%%s ", $1 }' ./policy/modules-base.conf > %{buildroot}%{_datadir}/selinux/%1/modules-base.lst \
awk '$1 !~ /^#/ && $2 == "=" && $3 == "base" { printf "%%s ", $1 }' ./policy/modules-base.conf > %{buildroot}%{_datadir}/selinux/%1/base.lst \
if [ -e ./policy/modules-contrib.conf ];then \
	awk '$1 !~ /^#/ && $2 == "=" && $3 == "module" { printf "%%s ", $1 }' ./policy/modules-contrib.conf > %{buildroot}%{_datadir}/selinux/%1/modules-contrib.lst; \
fi;

%define nonBaseModulesList() \
contrib_modules=`cat %{buildroot}%{_datadir}/selinux/%1/modules-contrib.lst` \
base_modules=`cat %{buildroot}%{_datadir}/selinux/%1/modules-base.lst` \
for i in $contrib_modules $base_modules; do \
    if [ $i != "sandbox" ];then \
        echo "%verify(not md5 size mtime) %{_sharedstatedir}/selinux/%1/active/modules/100/$i" >> %{buildroot}%{_datadir}/selinux/%1/nonbasemodules.lst \
    fi; \
done;
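Added example, not code from the spec: the `modules.conf` parsing behind `%modulesList` and `%nonBaseModulesList`, as shell functions over a constructed policy directory and an output directory in place of `%{buildroot}`. The function names, the sample module names and the store path passed to `nonbase_modules_list` are assumptions.

```shell
#!/bin/sh
# Added example (not from the selinux-policy spec): the .lst generation of
# %modulesList and %nonBaseModulesList as functions over a constructed
# "name = base|module|off" file pair. Function names, sample module names
# and the store path are assumptions made for this example.

# Constructed inputs in the format the macros read.
write_sample_modules_conf() {
    dir="$1"
    mkdir -p "$dir"
    cat > "$dir/modules-base.conf" <<'EOF'
# Layer: kernel
kernel = base
selinux = base
#corenet = module
sandbox = module
sysnetwork = module
EOF
    cat > "$dir/modules-contrib.conf" <<'EOF'
# apache = module
cron = module
games = off
EOF
}

# Print the names whose value is $2 ("module" or "base"). The regex literal
# /^#/ rejects a "#name = module" line, which the $2 == "=" test alone would
# accept; "# name = module" fails the $2 test anyway.
select_modules() {
    awk -v want="$2" '$1 !~ /^#/ && $2 == "=" && $3 == want { printf "%s ", $1 }' "$1"
}

# %modulesList: write the three .lst files that the %files section ships.
modules_list() {
    policy="$1"; out="$2"
    mkdir -p "$out"
    select_modules "$policy/modules-base.conf" module > "$out/modules-base.lst"
    select_modules "$policy/modules-base.conf" base   > "$out/base.lst"
    if [ -e "$policy/modules-contrib.conf" ]; then
        select_modules "$policy/modules-contrib.conf" module > "$out/modules-contrib.lst"
    fi
}

# %nonBaseModulesList: one %files entry per loadable module, contrib first,
# skipping sandbox because the sandbox subpackage ships that module itself.
nonbase_modules_list() {
    out="$1"; store="$2"
    : > "$out/nonbasemodules.lst"
    for i in $(cat "$out/modules-contrib.lst") $(cat "$out/modules-base.lst"); do
        if [ "$i" != "sandbox" ]; then
            echo "%verify(not md5 size mtime) $store/active/modules/100/$i" >> "$out/nonbasemodules.lst"
        fi
    done
    cat "$out/nonbasemodules.lst"
}

# Stand-alone demo.
demo=$(mktemp -d)
write_sample_modules_conf "$demo/policy"
modules_list "$demo/policy" "$demo/out"
echo "base: $(cat "$demo/out/base.lst")"
nonbase_modules_list "$demo/out" /var/lib/selinux/targeted
rm -rf "$demo"
```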

# Make sure the config is consistent with what packages are installed in the system
# this covers cases when system is installed with selinux-policy-{mls,minimal}
# or selinux-policy-{targeted,mls,minimal} were switched but the machine has not
# been rebooted yet.
# The macro should be called at the beginning of "post" (to make sure load_policy does not fail)
# and in "posttrans" (to make sure that the store is consistent when all package transitions are done)
# Parameter determines the policy type to be set in case of misconfiguration (if backup value is not usable)
# Steps:
# * load values from config and its backup
# * check whether SELINUXTYPE from backup is usable and make sure that it's set in the config if so
# * use "targeted" if it's being installed and BACKUP_SELINUXTYPE cannot be used
# * check whether SELINUXTYPE in the config is usable and change it to newly installed policy if it isn't
%define checkConfigConsistency() \
if [ -f %{_sysconfdir}/selinux/.config_backup ]; then \
    . %{_sysconfdir}/selinux/.config_backup; \
else \
    BACKUP_SELINUXTYPE=targeted; \
fi; \
if [ -s %{_sysconfdir}/selinux/config ]; then \
    . %{_sysconfdir}/selinux/config; \
    if ls %{_sysconfdir}/selinux/$BACKUP_SELINUXTYPE/policy/policy.* &>/dev/null; then \
        if [ "$BACKUP_SELINUXTYPE" != "$SELINUXTYPE" ]; then \
            sed -i 's/^SELINUXTYPE=.*/SELINUXTYPE='"$BACKUP_SELINUXTYPE"'/g' %{_sysconfdir}/selinux/config; \
        fi; \
    elif [ "%1" = "targeted" ]; then \
        if [ "%1" != "$SELINUXTYPE" ]; then \
            sed -i 's/^SELINUXTYPE=.*/SELINUXTYPE=%1/g' %{_sysconfdir}/selinux/config; \
        fi; \
    elif ! ls  %{_sysconfdir}/selinux/$SELINUXTYPE/policy/policy.* &>/dev/null; then \
        if [ "%1" != "$SELINUXTYPE" ]; then \
            sed -i 's/^SELINUXTYPE=.*/SELINUXTYPE=%1/g' %{_sysconfdir}/selinux/config; \
        fi; \
    fi; \
fi;

# Create hidden backup of /etc/selinux/config and prepend BACKUP_ to names
# of variables inside so that they are easy to use later
# This should be done in "pretrans" because config content can change during RPM operations
# The macro has to be used in a script slot with "-p <lua>"
%define backupConfigLua() \
local sysconfdir = rpm.expand("%{_sysconfdir}") \
local config_file = sysconfdir .. "/selinux/config" \
local config_backup = sysconfdir .. "/selinux/.config_backup" \
os.remove(config_backup) \
if posix.stat(config_file) then \
    local f = assert(io.open(config_file, "r"), "Failed to read " .. config_file) \
    local content = f:read("*all") \
    f:close() \
    local backup = content:gsub("SELINUX", "BACKUP_SELINUX") \
    local bf = assert(io.open(config_backup, "w"), "Failed to open " .. config_backup) \
    bf:write(backup) \
    bf:close() \
end
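Added example, not code from the spec, covering both the `%backupConfigLua` backup step (done here in shell rather than Lua) and the repair logic of `%checkConfigConsistency`: functions that take a root directory so they can be run against a constructed tree instead of the real `/etc/selinux`. Function names, the `fake_root` layout and the use of `policy.33` as the compiled policy name are assumptions; `sed -i` is GNU sed, as in the spec.

```shell
#!/bin/sh
# Added example (not from the selinux-policy spec): %backupConfigLua and
# %checkConfigConsistency as shell functions over a constructed tree.
# Function names and the fake_root layout are assumptions made for this example.

# %backupConfigLua equivalent: copy the config with every SELINUX* variable
# renamed to BACKUP_SELINUX*, so both files can be sourced side by side.
backup_config() {
    root="$1"
    rm -f "$root/etc/selinux/.config_backup"
    if [ -f "$root/etc/selinux/config" ]; then
        sed 's/SELINUX/BACKUP_SELINUX/g' "$root/etc/selinux/config" > "$root/etc/selinux/.config_backup"
    fi
}

# %checkConfigConsistency with $2 in the role of the macro's %1, the policy
# type being installed. Rewrites SELINUXTYPE only when the configured type
# has no compiled policy that load_policy could use.
check_config_consistency() {
    root="$1"; newtype="$2"
    cfg="$root/etc/selinux/config"
    if [ -f "$root/etc/selinux/.config_backup" ]; then
        . "$root/etc/selinux/.config_backup"
    else
        BACKUP_SELINUXTYPE=targeted
    fi
    if [ -s "$cfg" ]; then
        . "$cfg"
        if ls "$root/etc/selinux/$BACKUP_SELINUXTYPE"/policy/policy.* >/dev/null 2>&1; then
            # the type recorded before the transaction is still usable: restore it
            if [ "$BACKUP_SELINUXTYPE" != "$SELINUXTYPE" ]; then
                sed -i 's/^SELINUXTYPE=.*/SELINUXTYPE='"$BACKUP_SELINUXTYPE"'/g' "$cfg"
            fi
        elif [ "$newtype" = "targeted" ]; then
            # backup unusable and targeted is being installed: targeted wins
            if [ "$newtype" != "$SELINUXTYPE" ]; then
                sed -i 's/^SELINUXTYPE=.*/SELINUXTYPE='"$newtype"'/g' "$cfg"
            fi
        elif ! ls "$root/etc/selinux/$SELINUXTYPE"/policy/policy.* >/dev/null 2>&1; then
            # configured type has no policy either: use the one being installed
            if [ "$newtype" != "$SELINUXTYPE" ]; then
                sed -i 's/^SELINUXTYPE=.*/SELINUXTYPE='"$newtype"'/g' "$cfg"
            fi
        fi
    fi
}

# Constructed tree: a config naming $1 as SELINUXTYPE, plus an empty compiled
# policy.33 for each further argument, standing in for installed policy packages.
fake_root() {
    root=$(mktemp -d)
    mkdir -p "$root/etc/selinux"
    printf 'SELINUX=enforcing\nSELINUXTYPE=%s\n' "$1" > "$root/etc/selinux/config"
    shift
    for t in "$@"; do
        mkdir -p "$root/etc/selinux/$t/policy"
        : > "$root/etc/selinux/$t/policy/policy.33"
    done
    printf '%s\n' "$root"
}

configured_type() {
    sed -n 's/^SELINUXTYPE=//p' "$1/etc/selinux/config"
}

# Stand-alone demo: the config says mls, only the targeted policy is on disk,
# and the targeted package is the one being installed.
demo=$(fake_root mls targeted)
backup_config "$demo"
check_config_consistency "$demo" targeted
echo "SELINUXTYPE repaired to: $(configured_type "$demo")"
rm -rf "$demo"
```

The three branches correspond to the three bullet points in the macro's comment: a usable backup value is restored first, targeted is preferred when it is being installed, and otherwise the newly installed type replaces a configured type that has no policy.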

%build

%prep
%autosetup -p 1 -n %{name}-%{commit}
tar -C policy/modules/contrib -xf %{SOURCE35}

mkdir selinux_config
for i in %{SOURCE1} %{SOURCE2} %{SOURCE3} %{SOURCE4} %{SOURCE5} %{SOURCE6} %{SOURCE8} %{SOURCE14} %{SOURCE15} %{SOURCE17} %{SOURCE18} %{SOURCE19} %{SOURCE20} %{SOURCE22} %{SOURCE23} %{SOURCE25} %{SOURCE26} %{SOURCE31} %{SOURCE32};do
 cp $i selinux_config
done

%install
# Build targeted policy
%{__rm} -fR %{buildroot}
mkdir -p %{buildroot}%{_sysconfdir}/selinux
mkdir -p %{buildroot}%{_sysconfdir}/sysconfig
touch %{buildroot}%{_sysconfdir}/selinux/config
touch %{buildroot}%{_sysconfdir}/sysconfig/selinux
mkdir -p %{buildroot}%{_usr}/lib/tmpfiles.d/
cp %{SOURCE27} %{buildroot}%{_usr}/lib/tmpfiles.d/
mkdir -p %{buildroot}%{_bindir}
install -m 755  %{SOURCE33} %{buildroot}%{_bindir}/

# Always create policy module package directories
mkdir -p %{buildroot}%{_datadir}/selinux/{targeted,mls,minimum,modules}/
mkdir -p %{buildroot}%{_sharedstatedir}/selinux/{targeted,mls,minimum,modules}/

mkdir -p %{buildroot}%{_datadir}/selinux/packages

# Install devel
make clean
%if %{BUILD_TARGETED}
# Build targeted policy
%makeCmds targeted mcs allow
%makeModulesConf targeted base contrib
%installCmds targeted mcs allow
# install permissivedomains.cil
%{_sbindir}/semodule -p %{buildroot} -X 100 -s targeted -i %{SOURCE28}
# recreate sandbox.pp
rm -rf %{buildroot}%{_sharedstatedir}/selinux/targeted/active/modules/100/sandbox
%make_build %common_params UNK_PERMS=allow NAME=targeted TYPE=mcs sandbox.pp
mv sandbox.pp %{buildroot}%{_datadir}/selinux/packages/sandbox.pp
%modulesList targeted
%nonBaseModulesList targeted
%endif

%if %{BUILD_MINIMUM}
# Build minimum policy
%makeCmds minimum mcs allow
%makeModulesConf targeted base contrib
%installCmds minimum mcs allow
rm -rf %{buildroot}%{_sharedstatedir}/selinux/minimum/active/modules/100/sandbox
%modulesList minimum
%nonBaseModulesList minimum
%endif

%if %{BUILD_MLS}
# Build mls policy
%makeCmds mls mls deny
%makeModulesConf mls base contrib
%installCmds mls mls deny
%modulesList mls
%nonBaseModulesList mls
%endif

# remove leftovers when save-previous=true (semanage.conf) is used
rm -rf %{buildroot}%{_sharedstatedir}/selinux/{minimum,targeted,mls}/previous

mkdir -p %{buildroot}%{_mandir}
cp -R  man/* %{buildroot}%{_mandir}
make %common_params UNK_PERMS=allow NAME=targeted TYPE=mcs DESTDIR=%{buildroot} PKGNAME=%{name} install-docs
make %common_params UNK_PERMS=allow NAME=targeted TYPE=mcs DESTDIR=%{buildroot} PKGNAME=%{name} install-headers
mkdir %{buildroot}%{_datadir}/selinux/devel/
mv %{buildroot}%{_datadir}/selinux/targeted/include %{buildroot}%{_datadir}/selinux/devel/include
install -m 644 selinux_config/Makefile.devel %{buildroot}%{_datadir}/selinux/devel/Makefile
install -m 644 doc/example.* %{buildroot}%{_datadir}/selinux/devel/
install -m 644 doc/policy.* %{buildroot}%{_datadir}/selinux/devel/
%{_bindir}/sepolicy manpage -a -p %{buildroot}%{_datadir}/man/man8/ -w -r %{buildroot}
mkdir %{buildroot}%{_datadir}/selinux/devel/html
mv %{buildroot}%{_datadir}/man/man8/*.html %{buildroot}%{_datadir}/selinux/devel/html
mv %{buildroot}%{_datadir}/man/man8/style.css %{buildroot}%{_datadir}/selinux/devel/html

mkdir -p %{buildroot}%{_rpmconfigdir}/macros.d
install -m 644 %{SOURCE102} %{buildroot}%{_rpmconfigdir}/macros.d/macros.selinux-policy
sed -i 's/SELINUXPOLICYVERSION/%{version}-%{release}/' %{buildroot}%{_rpmconfigdir}/macros.d/macros.selinux-policy
sed -i 's@SELINUXSTOREPATH@%{_sharedstatedir}/selinux@' %{buildroot}%{_rpmconfigdir}/macros.d/macros.selinux-policy

mkdir -p %{buildroot}%{_unitdir}
install -m 644 %{SOURCE36} %{buildroot}%{_unitdir}

rm -rf selinux_config

%post
%systemd_post selinux-check-proper-disable.service
if [ ! -s %{_sysconfdir}/selinux/config ]; then
#
#     New install so we will default to targeted policy
#
echo "
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
# See also:
# https://docs.fedoraproject.org/en-US/quick-docs/getting-started-with-selinux/#getting-started-with-selinux-selinux-states-and-modes
#
# NOTE: In earlier Fedora kernel builds, SELINUX=disabled would also
# fully disable SELinux during boot. If you need a system with SELinux
# fully disabled instead of SELinux running with no policy loaded, you
# need to pass selinux=0 to the kernel command line. You can use grubby
# to persistently set the bootloader to boot with selinux=0:
#
#    grubby --update-kernel ALL --args selinux=0
#
# To revert back to SELinux enabled:
#
#    grubby --update-kernel ALL --remove-args selinux
#
SELINUX=enforcing
# SELINUXTYPE= can take one of these three values:
#     targeted - Targeted processes are protected,
#     minimum - Modification of targeted policy. Only selected processes are protected.
#     mls - Multi Level Security protection.
SELINUXTYPE=targeted
Ondrej Mosnacek 2a989a
" > %{_sysconfdir}/selinux/config
Nalin Dahyabhai af6090
fe2076
     ln -sf ../selinux/config %{_sysconfdir}/sysconfig/selinux
Ondrej Mosnacek 2a989a
     %{_sbindir}/restorecon %{_sysconfdir}/selinux/config 2> /dev/null || :
Nalin Dahyabhai af6090
else
Ondrej Mosnacek 2a989a
     . %{_sysconfdir}/selinux/config
Nalin Dahyabhai af6090
fi
Daniel J Walsh 081b6a
exit 0
Daniel J Walsh 9c64bb
Ondrej Mosnacek fd6943
%preun
Ondrej Mosnacek fd6943
%systemd_preun selinux-check-proper-disable.service
Ondrej Mosnacek fd6943
Daniel J Walsh 5ff36d
%postun
Ondrej Mosnacek fd6943
%systemd_postun selinux-check-proper-disable.service
Daniel J Walsh bbaa1f
if [ $1 = 0 ]; then
Ondrej Mosnacek 2a989a
     %{_sbindir}/setenforce 0 2> /dev/null
Ondrej Mosnacek 2a989a
     if [ ! -s %{_sysconfdir}/selinux/config ]; then
Ondrej Mosnacek 2a989a
          echo "SELINUX=disabled" > %{_sysconfdir}/selinux/config
Daniel J Walsh 487de6
     else
Ondrej Mosnacek 2a989a
          sed -i 's/^SELINUX=.*/SELINUX=disabled/g' %{_sysconfdir}/selinux/config
Daniel J Walsh 487de6
     fi
Daniel J Walsh 5ff36d
fi
Daniel J Walsh a4ec9b
exit 0
Daniel J Walsh 5ff36d
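The %post scriptlet above writes a default /etc/selinux/config on a fresh install, and the package's %postun scriptlets later read the file back with the shell's `source`/`.` before rewriting it to SELINUX=disabled; sourcing executes whatever the file contains, not only KEY=value lines. The functions below are an added example, not code from the selinux-policy spec: they read the two keys without executing the file, accept only the values the file's own comment block enumerates, and apply the same disable edit (also covering a file that exists but has no SELINUX= line, which the spec's sed alone leaves untouched). The config path is a parameter so the code can be exercised on a scratch copy rather than on /etc/selinux/config.

```bash
# Added example (not part of the selinux-policy spec): parse /etc/selinux/config
# without sourcing it, validate it, and apply the %postun "SELINUX=disabled" edit.
# The path is always passed in, so the functions can be run on a scratch copy.

# Print the value of KEY ($2) from config file $1. Only uncommented "KEY=value"
# lines count; the last one wins, as it would for a shell that sourced the file.
# Nothing is evaluated: a value such as 'enforcing$(rm -rf /)' comes back as text.
selinux_config_get() {
    sed -n "s/^[[:space:]]*$2=[[:space:]]*//p" "$1" | tail -n 1 | tr -d '[:space:]"'
}

# Return 0 only when SELINUX and SELINUXTYPE carry one of the values the file's
# own comment block lists; anything else (typo, injection attempt, empty) fails.
selinux_config_validate() {
    local mode type
    mode=$(selinux_config_get "$1" SELINUX)
    type=$(selinux_config_get "$1" SELINUXTYPE)
    case "$mode" in enforcing|permissive|disabled) ;; *) return 1 ;; esac
    case "$type" in targeted|minimum|mls) ;; *) return 1 ;; esac
    return 0
}

# Same effect as the %postun scriptlets: an empty or missing file becomes
# "SELINUX=disabled", an existing SELINUX= line is rewritten in place, and a
# file that has no SELINUX= line at all gets one appended (the spec's sed
# would leave such a file unchanged).
selinux_config_mark_disabled() {
    if [ ! -s "$1" ]; then
        echo "SELINUX=disabled" > "$1"
    elif grep -q '^SELINUX=' "$1"; then
        sed -i 's/^SELINUX=.*/SELINUX=disabled/' "$1"
    else
        echo "SELINUX=disabled" >> "$1"
    fi
}
```

Run `selinux_config_validate /etc/selinux/config` before trusting the values in a scriptlet; a failing check is the moment to stop rather than to source the file.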
Daniel J Walsh bd3f0e
%if %{BUILD_TARGETED}
Daniel J Walsh bd3f0e
%package targeted
Zdenek Pytela e99b0b
Summary: SELinux targeted policy
Zdenek Pytela 4e04fa
Provides: selinux-policy-any = %{version}-%{release}
Daniel J Walsh d83af2
Obsoletes: selinux-policy-targeted-sources < 2
Daniel J Walsh 23e708
Requires(pre): policycoreutils >= %{POLICYCOREUTILSVER}
Daniel J Walsh d83af2
Requires(pre): coreutils
Daniel J Walsh d83af2
Requires(pre): selinux-policy = %{version}-%{release}
Daniel J Walsh 3b5466
Requires: selinux-policy = %{version}-%{release}
Daniel J Walsh b4cab5
Conflicts:  audispd-plugins <= 1.7.7-1
Daniel J Walsh 487de6
Obsoletes: mod_fcgid-selinux <= %{version}-%{release}
Daniel J Walsh bc4089
Obsoletes: cachefilesd-selinux <= 0.10-1
Daniel J Walsh 6b7b0c
Conflicts:  seedit
Dan Walsh fc9bf2
Conflicts:  389-ds-base < 1.2.7, 389-admin < 1.1.12
Lukas Vrabec ab3db2
Conflicts: container-selinux < 2:1.12.1-22
Daniel J Walsh bd3f0e
Daniel J Walsh bd3f0e
%description targeted
Zdenek Pytela e99b0b
SELinux targeted policy package.
Daniel J Walsh bd3f0e
Lukas Vrabec 2e12c9
%pretrans targeted -p <lua>
Lukas Vrabec 2e12c9
%backupConfigLua
Lukas Vrabec 2e12c9
Daniel J Walsh bd3f0e
%pre targeted
Dan Walsh 8a78e8
%preInstall targeted
Daniel J Walsh bd3f0e
Daniel J Walsh 9c64bb
%post targeted
Lukas Vrabec 2e12c9
%checkConfigConsistency targeted
Dan Walsh 857c81
%postInstall $1 targeted
Daniel J Walsh e080bb
exit 0
Daniel J Walsh d83af2
Lukas Vrabec 2e12c9
%posttrans targeted
Lukas Vrabec 2e12c9
%checkConfigConsistency targeted
Zdenek Pytela 7104f7
%{_sbindir}/restorecon -Ri /usr/lib/sysimage/rpm /var/lib/rpm
Lukas Vrabec 2e12c9
Petr Lautrbach 7f4032
%postun targeted
Petr Lautrbach 7f4032
if [ $1 = 0 ]; then
Adam Williamson 69200e
    if [ -s %{_sysconfdir}/selinux/config ]; then
Adam Williamson 69200e
        source %{_sysconfdir}/selinux/config &> /dev/null || true
Adam Williamson 69200e
    fi
Petr Lautrbach 7f4032
    if [ "$SELINUXTYPE" = "targeted" ]; then
Ondrej Mosnacek 2a989a
        %{_sbindir}/setenforce 0 2> /dev/null
ee6e28
        if [ ! -s %{_sysconfdir}/selinux/config ]; then
ee6e28
            echo "SELINUX=disabled" > %{_sysconfdir}/selinux/config
Petr Lautrbach 7f4032
        else
ee6e28
            sed -i 's/^SELINUX=.*/SELINUX=disabled/g' %{_sysconfdir}/selinux/config
Petr Lautrbach 7f4032
        fi
Petr Lautrbach 7f4032
    fi
Petr Lautrbach 7f4032
fi
Petr Lautrbach 7f4032
exit 0
Petr Lautrbach 7f4032
Petr Lautrbach 7f4032
Petr Lautrbach b15718
%triggerin -- pcre2
Ondrej Mosnacek 2a989a
%{_sbindir}/selinuxenabled && %{_sbindir}/semodule -nB
Dan Walsh 7c810a
exit 0
Dan Walsh 7c810a
Dan Walsh 1b0e09
%triggerpostun -- selinux-policy-targeted < 3.12.1-74
Ondrej Mosnacek 2a989a
rm -f %{_sysconfdir}/selinux/*/modules/active/modules/sandbox.pp.disabled 2>/dev/null
Dan Walsh 1b0e09
exit 0
Dan Walsh 1b0e09
Miroslav Grepl 57b06e
%triggerpostun targeted -- selinux-policy-targeted < 3.13.1-138
Miroslav Grepl 57b06e
CR=$'\n'
Miroslav Grepl 57b06e
INPUT=""
Ondrej Mosnacek 2a989a
for i in `find %{_sysconfdir}/selinux/targeted/modules/active/modules/ -name \*disabled`; do
Miroslav Grepl 57b06e
    module=`basename $i | sed 's/.pp.disabled//'`
Ondrej Mosnacek 2a989a
    if [ -d %{_sharedstatedir}/selinux/targeted/active/modules/100/$module ]; then
Ondrej Mosnacek 2a989a
        touch %{_sharedstatedir}/selinux/targeted/active/modules/disabled/$module
Miroslav Grepl 57b06e
    fi
Petr Lautrbach a345bb
done
Ondrej Mosnacek 2a989a
for i in `find %{_sysconfdir}/selinux/targeted/modules/active/modules/ -name \*.pp`; do
Miroslav Grepl 57b06e
    INPUT="${INPUT}${CR}module -N -a $i"
Petr Lautrbach a345bb
done
Ondrej Mosnacek 2a989a
for i in $(find %{_sysconfdir}/selinux/targeted/modules/active -name \*.local); do
Ondrej Mosnacek 2a989a
    cp $i %{_sharedstatedir}/selinux/targeted/active
Miroslav Grepl 982e48
done
Miroslav Grepl 57b06e
echo "$INPUT" | %{_sbindir}/semanage import -S targeted -N
Ondrej Mosnacek 2a989a
if %{_sbindir}/selinuxenabled ; then
Ondrej Mosnacek 2a989a
        %{_sbindir}/load_policy
Miroslav Grepl 57b06e
fi
Petr Lautrbach a345bb
exit 0
Petr Lautrbach a345bb
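The %triggerpostun scriptlet above (and its minimum and mls twins further down) migrates a pre-3.13.1-138 module store from /etc/selinux/<type>/modules/active into the /var/lib/selinux/<type>/active store: a foo.pp.disabled file becomes an empty marker under modules/disabled/, every enabled .pp is re-added through `semanage import -S <type> -N`, and *.local files are copied across. As an added example, not code from the selinux-policy spec, the function below performs the same steps over caller-supplied directories and writes the semanage import input to a file instead of piping it, so the result can be inspected on a scratch tree. The disabled marker is named after the module derived from the .pp.disabled filename, the same value the modules/100/<module> existence check uses, so the two always refer to the same module.

```bash
# Added example (not part of the selinux-policy spec): the old-store to new-store
# migration the %triggerpostun scriptlets perform, as a function over explicit
# directories so it can be run on a scratch tree.
#   $1  old active dir, e.g. /etc/selinux/targeted/modules/active
#   $2  new active dir, e.g. /var/lib/selinux/targeted/active
#   $3  file that receives the "semanage import -S <type> -N" input instead of
#       piping it to semanage, so the output can be checked offline
migrate_module_store() {
    local old=$1 new=$2 out=$3 f module
    : > "$out"
    mkdir -p "$new/modules/disabled"

    # foo.pp.disabled in the old store means "installed but disabled". In the
    # new store that state is an empty marker file named after the module, and
    # it is only created when the module actually exists there at priority 100.
    for f in "$old"/modules/*.pp.disabled; do
        [ -e "$f" ] || continue
        module=$(basename "$f" .pp.disabled)
        if [ -d "$new/modules/100/$module" ]; then
            : > "$new/modules/disabled/$module"
        fi
    done

    # Each enabled .pp becomes one "module -N -a <path>" line; -N defers the
    # policy rebuild so a single load_policy at the end picks everything up.
    for f in "$old"/modules/*.pp; do
        [ -e "$f" ] || continue
        printf 'module -N -a %s\n' "$f" >> "$out"
    done

    # Local customisations (file_contexts.local and friends) are copied unchanged.
    for f in "$old"/*.local; do
        [ -e "$f" ] || continue
        cp "$f" "$new/"
    done
}
```

On a real system the generated file is what `semanage import -S <type> -N` would read on stdin, followed by `load_policy` when `selinuxenabled` succeeds; disabled modules deliberately produce no import line, since the marker file alone records that state.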
Ondrej Mosnacek 2a989a
%files targeted -f %{buildroot}%{_datadir}/selinux/targeted/nonbasemodules.lst
Daniel J Walsh 4d59c2
%config(noreplace) %{_sysconfdir}/selinux/targeted/contexts/users/unconfined_u
fe2076
%config(noreplace) %{_sysconfdir}/selinux/targeted/contexts/users/sysadm_u
Daniel J Walsh 4d59c2
%fileList targeted
Lukas Vrabec 7c8404
%verify(not md5 size mtime) %{_sharedstatedir}/selinux/targeted/active/modules/100/permissivedomains
Daniel J Walsh a4ec9b
%endif
Daniel J Walsh a4ec9b
Daniel J Walsh 675bba
%if %{BUILD_MINIMUM}
Daniel J Walsh 675bba
%package minimum
Zdenek Pytela e99b0b
Summary: SELinux minimum policy
Zdenek Pytela 4e04fa
Provides: selinux-policy-any = %{version}-%{release}
Miroslav Grepl 2fc3e7
Requires(post): policycoreutils-python-utils >= %{POLICYCOREUTILSVER}
Daniel J Walsh 675bba
Requires(pre): coreutils
Daniel J Walsh 675bba
Requires(pre): selinux-policy = %{version}-%{release}
Daniel J Walsh 3b5466
Requires: selinux-policy = %{version}-%{release}
Daniel J Walsh 6b7b0c
Conflicts:  seedit
Lukas Vrabec ab3db2
Conflicts: container-selinux <= 1.9.0-9
Daniel J Walsh 675bba
Daniel J Walsh 675bba
%description minimum
Zdenek Pytela e99b0b
SELinux minimum policy package.
Daniel J Walsh 675bba
Lukas Vrabec 2e12c9
%pretrans minimum -p <lua>
Lukas Vrabec 2e12c9
%backupConfigLua
Lukas Vrabec 2e12c9
Daniel J Walsh 675bba
%pre minimum
Dan Walsh 8a78e8
%preInstall minimum
Dan Walsh 857c81
if [ $1 -ne 1 ]; then
Ondrej Mosnacek 2a989a
    %{_sbindir}/semodule -s minimum --list-modules=full | awk '{ if ($4 != "disabled") print $2; }' > %{_datadir}/selinux/minimum/instmodules.lst
Dan Walsh 857c81
fi
Daniel J Walsh 675bba
Daniel J Walsh 675bba
%post minimum
Lukas Vrabec 2e12c9
%checkConfigConsistency minimum
Ondrej Mosnacek 2a989a
contribpackages=`cat %{_datadir}/selinux/minimum/modules-contrib.lst`
Ondrej Mosnacek 2a989a
basepackages=`cat %{_datadir}/selinux/minimum/modules-base.lst`
Ondrej Mosnacek 2a989a
if [ ! -d %{_sharedstatedir}/selinux/minimum/active/modules/disabled ]; then
Ondrej Mosnacek 2a989a
    mkdir %{_sharedstatedir}/selinux/minimum/active/modules/disabled
Miroslav Grepl 57b06e
fi
Daniel J Walsh 0e31a0
if [ $1 -eq 1 ]; then
Miroslav Grepl a27009
for p in $contribpackages; do
Ondrej Mosnacek 2a989a
    touch %{_sharedstatedir}/selinux/minimum/active/modules/disabled/$p
Dan Walsh 857c81
done
Miroslav Grepl 57b06e
for p in $basepackages apache dbus inetd kerberos mta nis; do
Ondrej Mosnacek 2a989a
    rm -f %{_sharedstatedir}/selinux/minimum/active/modules/disabled/$p
Dan Walsh 857c81
done
Ondrej Mosnacek 2a989a
%{_sbindir}/semanage import -S minimum -f - << __eof
Daniel J Walsh 675bba
login -m  -s unconfined_u -r s0-s0:c0.c1023 __default__
Daniel J Walsh 675bba
login -m  -s unconfined_u -r s0-s0:c0.c1023 root
Daniel J Walsh 675bba
__eof
Ondrej Mosnacek 2a989a
%{_sbindir}/restorecon -R /root /var/log /var/run 2> /dev/null
Ondrej Mosnacek 2a989a
%{_sbindir}/semodule -B -s minimum
Daniel J Walsh 675bba
else
Ondrej Mosnacek 2a989a
instpackages=`cat %{_datadir}/selinux/minimum/instmodules.lst`
Miroslav Grepl a27009
for p in $contribpackages; do
Ondrej Mosnacek 2a989a
    touch %{_sharedstatedir}/selinux/minimum/active/modules/disabled/$p
Dan Walsh 857c81
done
Miroslav Grepl a27009
for p in $instpackages apache dbus inetd kerberos mta nis; do
Ondrej Mosnacek 2a989a
    rm -f %{_sharedstatedir}/selinux/minimum/active/modules/disabled/$p
Dan Walsh 857c81
done
Ondrej Mosnacek 2a989a
%{_sbindir}/semodule -B -s minimum
Daniel J Walsh 675bba
%relabel minimum
Daniel J Walsh 675bba
fi
Daniel J Walsh 675bba
exit 0
Daniel J Walsh 675bba
Lukas Vrabec 2e12c9
%posttrans minimum
Lukas Vrabec 2e12c9
%checkConfigConsistency minimum
Zdenek Pytela 0f27d9
%{_sbindir}/restorecon -Ri /usr/lib/sysimage/rpm /var/lib/rpm
Lukas Vrabec 2e12c9
Petr Lautrbach 7f4032
%postun minimum
Petr Lautrbach 7f4032
if [ $1 = 0 ]; then
Adam Williamson 69200e
    if [ -s %{_sysconfdir}/selinux/config ]; then
Adam Williamson 69200e
        source %{_sysconfdir}/selinux/config &> /dev/null || true
Adam Williamson 69200e
    fi
Petr Lautrbach 7f4032
    if [ "$SELINUXTYPE" = "minimum" ]; then
Ondrej Mosnacek 2a989a
        %{_sbindir}/setenforce 0 2> /dev/null
ee6e28
        if [ ! -s %{_sysconfdir}/selinux/config ]; then
ee6e28
            echo "SELINUX=disabled" > %{_sysconfdir}/selinux/config
Petr Lautrbach 7f4032
        else
ee6e28
            sed -i 's/^SELINUX=.*/SELINUX=disabled/g' %{_sysconfdir}/selinux/config
Petr Lautrbach 7f4032
        fi
Petr Lautrbach 7f4032
    fi
Petr Lautrbach 7f4032
fi
Petr Lautrbach 7f4032
exit 0
Petr Lautrbach 7f4032
Miroslav Grepl 57b06e
%triggerpostun minimum -- selinux-policy-minimum < 3.13.1-138
Ondrej Mosnacek 2a989a
if [ `ls -A %{_sharedstatedir}/selinux/minimum/active/modules/disabled/` ]; then
Ondrej Mosnacek 2a989a
    rm -f %{_sharedstatedir}/selinux/minimum/active/modules/disabled/*
Miroslav Grepl 57b06e
fi
Miroslav Grepl 57b06e
CR=$'\n'
Miroslav Grepl 57b06e
INPUT=""
Ondrej Mosnacek 2a989a
for i in `find %{_sysconfdir}/selinux/minimum/modules/active/modules/ -name \*disabled`; do
Miroslav Grepl 57b06e
    module=`basename $i | sed 's/.pp.disabled//'`
Ondrej Mosnacek 2a989a
    if [ -d %{_sharedstatedir}/selinux/minimum/active/modules/100/$module ]; then
Ondrej Mosnacek 2a989a
        touch %{_sharedstatedir}/selinux/minimum/active/modules/disabled/$module
Miroslav Grepl 57b06e
    fi
Miroslav Grepl 57b06e
done
Ondrej Mosnacek 2a989a
for i in `find %{_sysconfdir}/selinux/minimum/modules/active/modules/ -name \*.pp`; do
Miroslav Grepl 57b06e
    INPUT="${INPUT}${CR}module -N -a $i"
Miroslav Grepl 57b06e
done
Miroslav Grepl 57b06e
echo "$INPUT" | %{_sbindir}/semanage import -S minimum -N
Ondrej Mosnacek 2a989a
if %{_sbindir}/selinuxenabled ; then
Ondrej Mosnacek 2a989a
    %{_sbindir}/load_policy
Miroslav Grepl 57b06e
fi
Miroslav Grepl 57b06e
exit 0
Miroslav Grepl 57b06e
Ondrej Mosnacek 2a989a
%files minimum -f %{buildroot}%{_datadir}/selinux/minimum/nonbasemodules.lst
Daniel J Walsh 675bba
%config(noreplace) %{_sysconfdir}/selinux/minimum/contexts/users/unconfined_u
fe2076
%config(noreplace) %{_sysconfdir}/selinux/minimum/contexts/users/sysadm_u
Daniel J Walsh 675bba
%fileList minimum
Daniel J Walsh 675bba
%endif
Daniel J Walsh 675bba
Daniel J Walsh bd3f0e
%if %{BUILD_MLS}
fe2076
%package mls
Zdenek Pytela e99b0b
Summary: SELinux MLS policy
Zdenek Pytela 4e04fa
Provides: selinux-policy-any = %{version}-%{release}
Daniel J Walsh d83af2
Obsoletes: selinux-policy-mls-sources < 2
Daniel J Walsh c77aca
Requires: policycoreutils-newrole >= %{POLICYCOREUTILSVER} setransd
Daniel J Walsh 23e708
Requires(pre): policycoreutils >= %{POLICYCOREUTILSVER}
Daniel J Walsh d83af2
Requires(pre): coreutils
Daniel J Walsh d83af2
Requires(pre): selinux-policy = %{version}-%{release}
Daniel J Walsh 3b5466
Requires: selinux-policy = %{version}-%{release}
Daniel J Walsh 6b7b0c
Conflicts:  seedit
Lukas Vrabec ab3db2
Conflicts: container-selinux <= 1.9.0-9
Daniel J Walsh 1580c8
fe2076
%description mls
Zdenek Pytela e99b0b
SELinux MLS (Multi Level Security) policy package.
Daniel J Walsh 1580c8
Lukas Vrabec 2e12c9
%pretrans mls -p <lua>
Lukas Vrabec 2e12c9
%backupConfigLua
Lukas Vrabec 2e12c9
fe2076
%pre mls
Dan Walsh 8a78e8
%preInstall mls
Daniel J Walsh 1580c8
fe2076
%post mls
Lukas Vrabec 2e12c9
%checkConfigConsistency mls
Dan Walsh 857c81
%postInstall $1 mls
Lukas Vrabec 6a9935
exit 0
Miroslav Grepl 57b06e
Lukas Vrabec 2e12c9
%posttrans mls
Lukas Vrabec 2e12c9
%checkConfigConsistency mls
Zdenek Pytela 0f27d9
%{_sbindir}/restorecon -Ri /usr/lib/sysimage/rpm /var/lib/rpm
Lukas Vrabec 2e12c9
Petr Lautrbach 7f4032
%postun mls
Petr Lautrbach 7f4032
if [ $1 = 0 ]; then
Adam Williamson 69200e
    if [ -s %{_sysconfdir}/selinux/config ]; then
Adam Williamson 69200e
        source %{_sysconfdir}/selinux/config &> /dev/null || true
Adam Williamson 69200e
    fi
Petr Lautrbach 7f4032
    if [ "$SELINUXTYPE" = "mls" ]; then
Ondrej Mosnacek 2a989a
        %{_sbindir}/setenforce 0 2> /dev/null
ee6e28
        if [ ! -s %{_sysconfdir}/selinux/config ]; then
ee6e28
            echo "SELINUX=disabled" > %{_sysconfdir}/selinux/config
Petr Lautrbach 7f4032
        else
ee6e28
            sed -i 's/^SELINUX=.*/SELINUX=disabled/g' %{_sysconfdir}/selinux/config
Petr Lautrbach 7f4032
        fi
Petr Lautrbach 7f4032
    fi
Petr Lautrbach 7f4032
fi
Petr Lautrbach 7f4032
exit 0
Petr Lautrbach 7f4032
Miroslav Grepl 57b06e
%triggerpostun mls -- selinux-policy-mls < 3.13.1-138
Miroslav Grepl 57b06e
CR=$'\n'
Miroslav Grepl 57b06e
INPUT=""
Ondrej Mosnacek 2a989a
for i in `find %{_sysconfdir}/selinux/mls/modules/active/modules/ -name \*disabled`; do
Miroslav Grepl 57b06e
    module=`basename $i | sed 's/.pp.disabled//'`
Ondrej Mosnacek 2a989a
    if [ -d %{_sharedstatedir}/selinux/mls/active/modules/100/$module ]; then
Ondrej Mosnacek 2a989a
        touch %{_sharedstatedir}/selinux/mls/active/modules/disabled/$module
Miroslav Grepl 57b06e
    fi
Miroslav Grepl 57b06e
done
Ondrej Mosnacek 2a989a
for i in `find %{_sysconfdir}/selinux/mls/modules/active/modules/ -name \*.pp`; do
Miroslav Grepl 57b06e
    INPUT="${INPUT}${CR}module -N -a $i"
Miroslav Grepl 57b06e
done
Miroslav Grepl 57b06e
echo "$INPUT" | %{_sbindir}/semanage import -S mls -N
Ondrej Mosnacek 2a989a
if %{_sbindir}/selinuxenabled ; then
Ondrej Mosnacek 2a989a
        %{_sbindir}/load_policy
Miroslav Grepl 57b06e
fi
Miroslav Grepl 57b06e
exit 0
Miroslav Grepl 57b06e
Miroslav Grepl 57b06e
Ondrej Mosnacek 2a989a
%files mls -f %{buildroot}%{_datadir}/selinux/mls/nonbasemodules.lst
Daniel J Walsh 57ae10
%config(noreplace) %{_sysconfdir}/selinux/mls/contexts/users/unconfined_u
Daniel J Walsh 504da9
%fileList mls
Daniel J Walsh bd3f0e
%endif
Daniel J Walsh bd3f0e
Daniel J Walsh 56187c
%changelog
Zdenek Pytela 1cd26e
* Tue Oct 17 2023 Zdenek Pytela <zpytela@redhat.com> - 40.3-1
Zdenek Pytela 1cd26e
- Add policy for nvme-stas
Zdenek Pytela 1cd26e
- Confine systemd fstab,sysv,rc-local
Zdenek Pytela 1cd26e
- Label /etc/aliases.lmdb with etc_aliases_t
Zdenek Pytela 1cd26e
- Create policy for afterburn
Zdenek Pytela 1cd26e
- Add nvme_stas to modules-targeted-contrib.conf
Zdenek Pytela 1cd26e
- Add plans/tests.fmf
Zdenek Pytela 1cd26e
Zdenek Pytela 2bde33
* Tue Oct 10 2023 Zdenek Pytela <zpytela@redhat.com> - 40.2-1
Zdenek Pytela 6fbdf6
- Add the virt_supplementary module to modules-targeted-contrib.conf
Zdenek Pytela 2bde33
- Make new virt drivers permissive
Zdenek Pytela 2bde33
- Split virt policy, introduce virt_supplementary module
Zdenek Pytela 2bde33
- Allow apcupsd cgi scripts read /sys
Zdenek Pytela 2bde33
- Merge pull request #1893 from WOnder93/more-early-boot-overlay-fixes
Zdenek Pytela 2bde33
- Allow kernel_t to manage and relabel all files
Zdenek Pytela 2bde33
- Add missing optional_policy() to files_relabel_all_files()
Zdenek Pytela 2bde33
Zdenek Pytela 995481
* Tue Oct 03 2023 Zdenek Pytela <zpytela@redhat.com> - 40.1-1
Zdenek Pytela 995481
- Allow named and ndc use the io_uring api
Zdenek Pytela 995481
- Deprecate common_anon_inode_perms usage
Zdenek Pytela 995481
- Improve default file context(None) of /var/lib/authselect/backups
Zdenek Pytela 995481
- Allow udev_t to search all directories with a filesystem type
Zdenek Pytela 995481
- Implement proper anon_inode support
Zdenek Pytela 995481
- Allow targetd write to the syslog pid sock_file
Zdenek Pytela 995481
- Add ipa_pki_retrieve_key_exec() interface
Zdenek Pytela 995481
- Allow kdumpctl_t to list all directories with a filesystem type
Zdenek Pytela 995481
- Allow udev additional permissions
Zdenek Pytela 995481
- Allow udev load kernel module
Zdenek Pytela 995481
- Allow sysadm_t to mmap modules_object_t files
Zdenek Pytela 995481
- Add the unconfined_read_files() and unconfined_list_dirs() interfaces
Zdenek Pytela 995481
- Set default file context of HOME_DIR/tmp/.* to <<none>>
Zdenek Pytela 995481
- Allow kernel_generic_helper_t to execute mount(1)
Zdenek Pytela 995481
Zdenek Pytela 11c92f
* Fri Sep 29 2023 Zdenek Pytela <zpytela@redhat.com> - 38.29-1
Zdenek Pytela 11c92f
- Allow sssd send SIGKILL to passkey_child running in ipa_otpd_t
Zdenek Pytela 11c92f
- Allow systemd-localed create Xserver config dirs
Zdenek Pytela 11c92f
- Allow sssd read symlinks in /etc/sssd
Zdenek Pytela 11c92f
- Label /dev/gnss[0-9] with gnss_device_t
Zdenek Pytela 11c92f
- Allow systemd-sleep read/write efivarfs variables
Zdenek Pytela 11c92f
- ci: Fix version number of packit generated srpms
Zdenek Pytela 11c92f
- Dontaudit rhsmcertd write memory device
Zdenek Pytela 11c92f
- Allow ssh_agent_type create a sockfile in /run/user/USERID
Zdenek Pytela 11c92f
- Set default file context of /var/lib/authselect/backups to <<none>>
Zdenek Pytela 11c92f
- Allow prosody read network sysctls
Zdenek Pytela 11c92f
- Allow cupsd_t to use bpf capability
Zdenek Pytela 11c92f
Zdenek Pytela 4beb93
* Fri Sep 15 2023 Zdenek Pytela <zpytela@redhat.com> - 38.28-1
Zdenek Pytela 4beb93
- Allow sssd domain transition on passkey_child execution conditionally
Zdenek Pytela 4beb93
- Allow login_userdomain watch lnk_files in /usr
Zdenek Pytela 4beb93
- Allow login_userdomain watch video4linux devices
Zdenek Pytela 4beb93
- Change systemd-network-generator transition to include class file
Zdenek Pytela 4beb93
- Revert "Change file transition for systemd-network-generator"
Zdenek Pytela 4beb93
- Allow nm-dispatcher winbind plugin read/write samba var files
Zdenek Pytela 4beb93
- Allow systemd-networkd write to cgroup files
Zdenek Pytela 4beb93
- Allow kdump create and use its memfd: objects
Zdenek Pytela 4beb93
Zdenek Pytela 16fcf3
* Thu Aug 31 2023 Zdenek Pytela <zpytela@redhat.com> - 38.27-1
Zdenek Pytela 16fcf3
- Allow fedora-third-party get generic filesystem attributes
Zdenek Pytela 16fcf3
- Allow sssd use usb devices conditionally
Zdenek Pytela 16fcf3
- Update policy for qatlib
Zdenek Pytela 16fcf3
- Allow ssh_agent_type manage generic cache home files
Zdenek Pytela 16fcf3
Zdenek Pytela 429619
* Thu Aug 24 2023 Zdenek Pytela <zpytela@redhat.com> - 38.26-1
Zdenek Pytela 429619
- Change file transition for systemd-network-generator
Zdenek Pytela 429619
- Additional support for gnome-initial-setup
Zdenek Pytela 429619
- Update gnome-initial-setup policy for geoclue
Zdenek Pytela 429619
- Allow openconnect vpn open vhost net device
Zdenek Pytela 429619
- Allow cifs.upcall to connect to SSSD also through the /var/run socket
Zdenek Pytela 429619
- Grant cifs.upcall more required capabilities
Zdenek Pytela 429619
- Allow xenstored map xenfs files
Zdenek Pytela 429619
- Update policy for fdo
Zdenek Pytela 429619
- Allow keepalived watch var_run dirs
Zdenek Pytela 429619
- Allow svirt to rw /dev/udmabuf
Zdenek Pytela 429619
- Allow qatlib to modify hardware state information.
Zdenek Pytela 429619
- Allow key.dns_resolve connect to avahi over a unix stream socket
Zdenek Pytela 429619
- Allow key.dns_resolve create and use unix datagram socket
Zdenek Pytela 429619
- Use quay.io as the container image source for CI
Zdenek Pytela 429619
Zdenek Pytela 314088
* Fri Aug 11 2023 Zdenek Pytela <zpytela@redhat.com> - 38.25-1
Zdenek Pytela 314088
- ci: Move srpm/rpm build to packit
Zdenek Pytela 314088
- .copr: Avoid subshell and changing directory
Zdenek Pytela 314088
- Allow gpsd, oddjob and oddjob_mkhomedir_t write user_tty_device_t chr_file
Zdenek Pytela 314088
- Label /usr/libexec/openssh/ssh-pkcs11-helper with ssh_agent_exec_t
Zdenek Pytela 314088
- Make insights_client_t an unconfined domain
Zdenek Pytela 314088
- Allow insights-client manage user temporary files
Zdenek Pytela 314088
- Allow insights-client create all rpm logs with a correct label
Zdenek Pytela 314088
- Allow insights-client manage generic logs
Zdenek Pytela 314088
- Allow cloud_init create dhclient var files and init_t manage net_conf_t
Zdenek Pytela 314088
- Allow insights-client read and write cluster tmpfs files
Zdenek Pytela 314088
- Allow ipsec read nsfs files
Zdenek Pytela 314088
- Make tuned work with mls policy
Zdenek Pytela 314088
- Remove nsplugin_role from mozilla.if
Zdenek Pytela 314088
- allow mon_procd_t self:cap_userns sys_ptrace
Zdenek Pytela 314088
- Allow pdns name_bind and name_connect all ports
Zdenek Pytela 314088
- Set the MLS range of fsdaemon_t to s0 - mls_systemhigh
Zdenek Pytela 314088
- ci: Move to actions/checkout@v3 version
Zdenek Pytela 314088
- .copr: Replace chown call with standard workflow safe.directory setting
Zdenek Pytela 314088
- .copr: Enable `set -u` for robustness
Zdenek Pytela 314088
- .copr: Simplify root directory variable
Zdenek Pytela 314088
Zdenek Pytela 02754e
* Fri Aug 04 2023 Zdenek Pytela <zpytela@redhat.com> - 38.24-1
Zdenek Pytela 02754e
- Allow rhsmcertd dbus chat with policykit
Zdenek Pytela 02754e
- Allow polkitd execute pkla-check-authorization with nnp transition
Zdenek Pytela 02754e
- Allow user_u and staff_u get attributes of non-security dirs
Zdenek Pytela 02754e
- Allow unconfined user filetrans chrome_sandbox_home_t
Zdenek Pytela 02754e
- Allow svnserve execute postdrop with a transition
Zdenek Pytela 02754e
- Do not make postfix_postdrop_t type an MTA executable file
Zdenek Pytela 02754e
- Allow samba-dcerpc service manage samba tmp files
Zdenek Pytela 02754e
- Add use_nfs_home_dirs boolean for mozilla_plugin
Zdenek Pytela 02754e
- Fix labeling for no-stub-resolv.conf
Zdenek Pytela 02754e
Zdenek Pytela c618bb
* Wed Aug 02 2023 Zdenek Pytela <zpytela@redhat.com> - 38.23-1
Zdenek Pytela c618bb
- Revert "Allow winbind-rpcd use its private tmp files"
Zdenek Pytela c618bb
- Allow upsmon execute upsmon via a helper script
Zdenek Pytela c618bb
- Allow openconnect vpn read/write inherited vhost net device
Zdenek Pytela c618bb
- Allow winbind-rpcd use its private tmp files
Zdenek Pytela c618bb
- Update samba-dcerpc policy for printing
Zdenek Pytela c618bb
- Allow gpsd,oddjob,oddjob_mkhomedir rw user domain pty
Zdenek Pytela c618bb
- Allow nscd watch system db dirs
Zdenek Pytela c618bb
- Allow qatlib to read sssd public files
Zdenek Pytela c618bb
- Allow fedora-third-party read /sys and proc
Zdenek Pytela c618bb
- Allow systemd-gpt-generator mount a tmpfs filesystem
Zdenek Pytela c618bb
- Allow journald write to cgroup files
Zdenek Pytela c618bb
- Allow rpc.mountd read network sysctls
Zdenek Pytela c618bb
- Allow blueman read the contents of the sysfs filesystem
Zdenek Pytela c618bb
- Allow logrotate_t to map generic files in /etc
Zdenek Pytela c618bb
- Boolean: Allow virt_qemu_ga create ssh directory
Zdenek Pytela c618bb
Zdenek Pytela 1969a7
* Tue Jul 25 2023 Zdenek Pytela <zpytela@redhat.com> - 38.22-1
Zdenek Pytela 1969a7
- Allow systemd-network-generator send system log messages
Zdenek Pytela 1969a7
- Dontaudit the execute permission on sock_file globally
Zdenek Pytela 1969a7
- Allow fsadm_t the file mounton permission
Zdenek Pytela 1969a7
- Allow named and ndc the io_uring sqpoll permission
Zdenek Pytela 1969a7
- Allow sssd io_uring sqpoll permission
Zdenek Pytela 1969a7
- Fix location for /run/nsd
Zdenek Pytela 1969a7
- Allow qemu-ga get fixed disk devices attributes
Zdenek Pytela 1969a7
- Update bitlbee policy
Zdenek Pytela 1969a7
- Label /usr/sbin/sos with sosreport_exec_t
Zdenek Pytela 1969a7
- Update policy for the sblim-sfcb service
Zdenek Pytela 1969a7
- Add the files_getattr_non_auth_dirs() interface
Zdenek Pytela 1969a7
- Fix the CI to work with DNF5
Zdenek Pytela 1969a7
Fedora Release Engineering 4f8801
* Sat Jul 22 2023 Fedora Release Engineering <releng@fedoraproject.org> - 38.21-2
Fedora Release Engineering 4f8801
- Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild
Fedora Release Engineering 4f8801
Zdenek Pytela 3861cc
* Thu Jul 13 2023 Zdenek Pytela <zpytela@redhat.com> - 38.21-1
Zdenek Pytela 3861cc
- Make systemd_tmpfiles_t MLS trusted for lowering the level of files
Zdenek Pytela 3861cc
- Revert "Allow insights client map cache_home_t"
Zdenek Pytela 3861cc
- Allow nfsidmapd connect to systemd-machined over a unix socket
Zdenek Pytela 3861cc
- Allow snapperd connect to kernel over a unix domain stream socket
Zdenek Pytela 3861cc
- Allow virt_qemu_ga_t create .ssh dir with correct label
Zdenek Pytela 3861cc
- Allow targetd read network sysctls
Zdenek Pytela 3861cc
- Set the abrt_handle_event boolean to on
Zdenek Pytela 3861cc
- Permit kernel_t to change the user identity in object contexts
Zdenek Pytela 3861cc
- Allow insights client map cache_home_t
Zdenek Pytela 3861cc
- Label /usr/sbin/mariadbd with mysqld_exec_t
Zdenek Pytela 3861cc
- Trim changelog so that it starts at F37 time
Zdenek Pytela 3861cc
- Define equivalency for /run/systemd/generator.early
Zdenek Pytela 3861cc
Zdenek Pytela 321795
* Thu Jun 29 2023 Zdenek Pytela <zpytela@redhat.com> - 38.20-1
Zdenek Pytela 321795
- Allow httpd tcp connect to redis port conditionally
Zdenek Pytela 321795
- Label only /usr/sbin/ripd and ripngd with zebra_exec_t
Zdenek Pytela 321795
- Dontaudit aide the execmem permission
Zdenek Pytela 321795
- Remove permissive from fdo
Zdenek Pytela 321795
- Allow sa-update manage spamc home files
Zdenek Pytela 321795
- Allow sa-update connect to systemlog services
Zdenek Pytela 321795
- Label /usr/lib/systemd/system/mimedefang.service with antivirus_unit_file_t
Zdenek Pytela 321795
- Allow nsd_crond_t write nsd_var_run_t & connectto nsd_t
Zdenek Pytela 321795
- Allow bootupd search EFI directory
Zdenek Pytela 321795
Zdenek Pytela 0a1d56
* Tue Jun 27 2023 Zdenek Pytela <zpytela@redhat.com> - 38.19-1
Zdenek Pytela 0a1d56
- Change init_audit_control default value to true
Zdenek Pytela 0a1d56
- Allow nfsidmapd connect to systemd-userdbd with a unix socket
Zdenek Pytela 0a1d56
- Add the qatlib module
Zdenek Pytela 0a1d56
- Add the fdo module
Zdenek Pytela 0a1d56
- Add the bootupd module
Zdenek Pytela 0a1d56
- Set default ports for keylime policy
Zdenek Pytela 0a1d56
- Create policy for qatlib
Zdenek Pytela 0a1d56
- Add policy for FIDO Device Onboard
Zdenek Pytela 0a1d56
- Add policy for bootupd
Zdenek Pytela 0a1d56
- Add the qatlib module
Zdenek Pytela 0a1d56
- Add the fdo module
Zdenek Pytela 0a1d56
- Add the bootupd module
Zdenek Pytela 0a1d56
Zdenek Pytela ca2263
* Sun Jun 25 2023 Zdenek Pytela <zpytela@redhat.com> - 38.18-1
Zdenek Pytela ca2263
- Add support for kafs-dns requested by keyutils
Zdenek Pytela ca2263
- Allow insights-client execmem
Zdenek Pytela ca2263
- Add support for chronyd-restricted
Zdenek Pytela ca2263
- Add init_explicit_domain() interface
Zdenek Pytela ca2263
- Allow fsadm_t to get attributes of cgroup filesystems
Zdenek Pytela ca2263
- Add list_dir_perms to kerberos_read_keytab
Zdenek Pytela ca2263
- Label /var/run/tmpfiles.d/static-nodes.conf with kmod_var_run_t
Zdenek Pytela ca2263
- Allow sendmail manage its runtime files
Zdenek Pytela ca2263
- Allow keyutils_dns_resolver_exec_t be an entrypoint
Zdenek Pytela ca2263
- Allow collectd_t read network state symlinks
Zdenek Pytela ca2263
- Revert "Allow collectd_t read proc_net link files"
Zdenek Pytela ca2263
- Allow nfsd_t to list exports_t dirs
Zdenek Pytela ca2263
- Allow cupsd dbus chat with xdm
Zdenek Pytela ca2263
- Allow haproxy read hardware state information
Zdenek Pytela ca2263
- Add the kafs module
Zdenek Pytela ca2263
Zdenek Pytela 38fd9a
* Thu Jun 15 2023 Zdenek Pytela <zpytela@redhat.com> - 38.17-1
Zdenek Pytela 38fd9a
- Label /dev/userfaultfd with userfaultfd_t
Zdenek Pytela 38fd9a
- Allow blueman send general signals to unprivileged user domains
Zdenek Pytela 38fd9a
- Allow dkim-milter domain transition to sendmail
Zdenek Pytela 38fd9a
- Label /usr/sbin/cifs.idmap with cifs_helper_exec_t
Zdenek Pytela 38fd9a
- Allow cifs-helper read sssd kerberos configuration files
Zdenek Pytela 38fd9a
- Allow rpm_t sys_admin capability
Zdenek Pytela 38fd9a
- Allow dovecot_deliver_t create/map dovecot_spool_t dir/file
Zdenek Pytela 38fd9a
- Allow collectd_t read proc_net link files
Zdenek Pytela 38fd9a
- Allow insights-client getsession process permission
Zdenek Pytela 38fd9a
- Allow insights-client work with pipe and socket tmp files
Zdenek Pytela 38fd9a
- Allow insights-client map generic log files
Zdenek Pytela 38fd9a
- Update cyrus_stream_connect() to use sockets in /run
Zdenek Pytela 38fd9a
- Allow keyutils-dns-resolver read/view kernel key ring
Zdenek Pytela 38fd9a
- Label /var/log/kdump.log with kdump_log_t
Zdenek Pytela 38fd9a
Zdenek Pytela 37f102
* Fri Jun 09 2023 Zdenek Pytela <zpytela@redhat.com> - 38.16-1
Zdenek Pytela 37f102
- Add support for the systemd-pstore service
Zdenek Pytela 37f102
- Allow kdumpctl_t to execmem
Zdenek Pytela 37f102
- Update sendmail policy module for opensmtpd
Zdenek Pytela 37f102
- Allow nagios-mail-plugin exec postfix master
Zdenek Pytela 37f102
- Allow subscription-manager execute ip
Zdenek Pytela 37f102
- Allow ssh client connect with a user dbus instance
Zdenek Pytela 37f102
- Add support for ksshaskpass
Zdenek Pytela 37f102
- Allow rhsmcertd file transition in /run also for socket files
Zdenek Pytela 37f102
- Allow keyutils_dns_resolver_t execute keyutils_dns_resolver_exec_t
Zdenek Pytela 37f102
- Allow plymouthd read/write X server miscellaneous devices
Zdenek Pytela 37f102
- Allow systemd-sleep read udev pid files
Zdenek Pytela 37f102
- Allow exim read network sysctls
Zdenek Pytela 37f102
- Allow sendmail request load module
Zdenek Pytela 37f102
- Allow named map its conf files
Zdenek Pytela 37f102
- Allow squid map its cache files
Zdenek Pytela 37f102
- Allow NetworkManager_dispatcher_dhclient_t to execute shells without a domain transition
Zdenek Pytela 37f102
Zdenek Pytela 70fa3a
* Tue May 30 2023 Zdenek Pytela <zpytela@redhat.com> - 38.15-1
Zdenek Pytela 70fa3a
- Update policy for systemd-sleep
Zdenek Pytela 70fa3a
- Remove permissive domain for rshim_t
Zdenek Pytela 70fa3a
- Remove permissive domain for mptcpd_t
Zdenek Pytela 70fa3a
- Allow systemd-bootchartd the sys_ptrace userns capability
Zdenek Pytela 70fa3a
- Allow sysadm_t read nsfs files
Zdenek Pytela 70fa3a
- Allow sysadm_t run kernel bpf programs
Zdenek Pytela 70fa3a
- Update ssh_role_template for ssh-agent
Zdenek Pytela 70fa3a
- Update ssh_role_template to allow read/write unallocated ttys
Zdenek Pytela 70fa3a
- Add the booth module to modules.conf
Zdenek Pytela 70fa3a
- Allow firewalld rw ica_tmpfs_t files
Zdenek Pytela 70fa3a
Zdenek Pytela f14863
* Fri May 26 2023 Zdenek Pytela <zpytela@redhat.com> - 38.14-1
Zdenek Pytela f14863
- Remove permissive domain for cifs_helper_t
Zdenek Pytela f14863
- Update the cifs-helper policy
Zdenek Pytela f14863
- Replace cifsutils_helper_domtrans() with keyutils_request_domtrans_to()
Zdenek Pytela f14863
- Update pkcsslotd policy for sandboxing
Zdenek Pytela f14863
- Allow abrt_t read kernel persistent storage files
Zdenek Pytela f14863
- Dontaudit targetd search httpd config dirs
Zdenek Pytela f14863
- Allow init_t nnp domain transition to policykit_t
Zdenek Pytela f14863
- Allow rpcd_lsad setcap and use generic ptys
Zdenek Pytela f14863
- Allow samba-dcerpcd connect to systemd_machined over a unix socket
Zdenek Pytela f14863
- Allow wireguard to rw network sysctls
Zdenek Pytela f14863
- Add policy for boothd
Zdenek Pytela f14863
- Allow kernel to manage its own BPF objects
Zdenek Pytela f14863
- Label /usr/lib/systemd/system/proftpd.* & vsftpd.* with ftpd_unit_file_t
Zdenek Pytela f14863
Zdenek Pytela dfde7d
* Mon May 22 2023 Zdenek Pytela <zpytela@redhat.com> - 38.13-1
Zdenek Pytela dfde7d
- Add initial policy for cifs-helper
Zdenek Pytela dfde7d
- Label key.dns_resolver with keyutils_dns_resolver_exec_t
Zdenek Pytela dfde7d
- Allow unconfined_service_t to create .gnupg labeled as gpg_secret_t
Zdenek Pytela dfde7d
- Allow some systemd services write to cgroup files
Zdenek Pytela dfde7d
- Allow NetworkManager_dispatcher_dhclient_t to read the DHCP configuration files
Zdenek Pytela dfde7d
- Allow systemd resolved to bind to arbitrary nodes
Zdenek Pytela dfde7d
- Allow plymouthd_t bpf capability to run bpf programs
Zdenek Pytela dfde7d
- Allow cupsd to create samba_var_t files
Zdenek Pytela dfde7d
- Allow rhsmcert request the kernel to load a module
Zdenek Pytela dfde7d
- Allow virsh name_connect virt_port_t
Zdenek Pytela dfde7d
- Allow certmonger manage cluster library files
Zdenek Pytela dfde7d
- Allow plymouthd read init process state
Zdenek Pytela dfde7d
- Add chromium_sandbox_t setcap capability
Zdenek Pytela dfde7d
- Allow snmpd read raw disk data
Zdenek Pytela dfde7d
- Allow samba-rpcd work with passwords
Zdenek Pytela dfde7d
- Allow unconfined service inherit signal state from init
Zdenek Pytela dfde7d
- Allow cloud-init manage gpg admin home content
Zdenek Pytela dfde7d
- Allow cluster_t dbus chat with various services
Zdenek Pytela dfde7d
- Allow nfsidmapd work with systemd-userdbd and sssd
Zdenek Pytela dfde7d
- Allow unconfined_domain_type use IORING_OP_URING_CMD on all device nodes
Zdenek Pytela dfde7d
- Allow plymouthd map dri and framebuffer devices
Zdenek Pytela dfde7d
- Allow rpmdb_migrate execute rpmdb
Zdenek Pytela dfde7d
- Allow logrotate dbus chat with systemd-hostnamed
Zdenek Pytela dfde7d
- Allow icecast connect to kernel using a unix stream socket
Zdenek Pytela dfde7d
- Allow lldpad connect to systemd-userdbd over a unix socket
Zdenek Pytela dfde7d
- Allow journalctl open user domain ptys and ttys
Zdenek Pytela dfde7d
- Allow keepalived to manage its tmp files
Zdenek Pytela dfde7d
- Allow ftpd read network sysctls
Zdenek Pytela dfde7d
- Label /run/bgpd with zebra_var_run_t
Zdenek Pytela dfde7d
- Allow gssproxy read network sysctls
Zdenek Pytela dfde7d
- Add the cifsutils module
Zdenek Pytela dfde7d
Zdenek Pytela 9619eb
* Tue Apr 25 2023 Zdenek Pytela <zpytela@redhat.com> - 38.12-1
Zdenek Pytela 9619eb
- Allow telnetd read network sysctls
Zdenek Pytela 9619eb
- Allow munin system plugin read generic SSL certificates
Zdenek Pytela 9619eb
- Allow munin system plugin create and use netlink generic socket
Zdenek Pytela 9619eb
- Allow login_userdomain create user namespaces
Zdenek Pytela 9619eb
- Allow request-key to send syslog messages
Zdenek Pytela 9619eb
- Allow request-key to read/view any key
Zdenek Pytela 9619eb
- Add fs_delete_pstore_files() interface
Zdenek Pytela 9619eb
- Allow insights-client work with teamdctl
Zdenek Pytela 9619eb
- Allow insights-client read unconfined service semaphores
Zdenek Pytela 9619eb
- Allow insights-client get quotas of all filesystems
Zdenek Pytela 9619eb
- Add fs_read_pstore_files() interface
Zdenek Pytela 9619eb
- Allow generic kernel helper to read inherited kernel pipes
Zdenek Pytela 9619eb
Zdenek Pytela 10fd83
* Fri Apr 14 2023 Zdenek Pytela <zpytela@redhat.com> - 38.11-1
Zdenek Pytela 10fd83
- Allow dovecot-deliver write to the main process runtime fifo files
Zdenek Pytela 10fd83
- Allow dmidecode write to cloud-init tmp files
Zdenek Pytela 10fd83
- Allow chronyd send a message to cloud-init over a datagram socket
Zdenek Pytela 10fd83
- Allow cloud-init domain transition to insights-client domain
Zdenek Pytela 10fd83
- Allow mongodb read filesystem sysctls
Zdenek Pytela 10fd83
- Allow mongodb read network sysctls
Zdenek Pytela 10fd83
- Allow accounts-daemon read generic systemd unit lnk files
Zdenek Pytela 10fd83
- Allow blueman watch generic device dirs
Zdenek Pytela 10fd83
- Allow nm-dispatcher tlp plugin create tlp dirs
Zdenek Pytela 10fd83
- Allow systemd-coredump mounton /usr
Zdenek Pytela 10fd83
- Allow rabbitmq to read network sysctls
Zdenek Pytela 10fd83
Zdenek Pytela 1c3d52
* Tue Apr 04 2023 Zdenek Pytela <zpytela@redhat.com> - 38.10-1
Zdenek Pytela 1c3d52
- Allow certmonger dbus chat with the cron system domain
Zdenek Pytela 1c3d52
- Allow geoclue read network sysctls
Zdenek Pytela 1c3d52
- Allow geoclue watch the /etc directory
Zdenek Pytela 1c3d52
- Allow logwatch_mail_t read network sysctls
Zdenek Pytela 1c3d52
- Allow insights-client read all sysctls
Zdenek Pytela 1c3d52
- Allow passt manage qemu pid sock files
Zdenek Pytela 1c3d52
Zdenek Pytela 737e19
* Fri Mar 24 2023 Zdenek Pytela <zpytela@redhat.com> - 38.9-1
Zdenek Pytela 737e19
- Allow sssd read accountsd fifo files
Zdenek Pytela 737e19
- Add support for the passt_t domain
Zdenek Pytela 737e19
- Allow virtd_t and svirt_t work with passt
Zdenek Pytela 737e19
- Add new interfaces in the virt module
Zdenek Pytela 737e19
- Add passt interfaces defined conditionally
Zdenek Pytela 737e19
- Allow tshark the setsched capability
Zdenek Pytela 737e19
- Allow poweroff create connections to system dbus
Zdenek Pytela 737e19
- Allow wg load kernel modules, search debugfs dir
Zdenek Pytela 737e19
- Boolean: allow qemu-ga manage ssh home directory
Zdenek Pytela 737e19
- Label smtpd with sendmail_exec_t
Zdenek Pytela 737e19
- Label msmtp and msmtpd with sendmail_exec_t
Zdenek Pytela 737e19
- Allow dovecot to map files in /var/spool/dovecot
Zdenek Pytela 737e19
Zdenek Pytela 4a6ce4
* Fri Mar 03 2023 Zdenek Pytela <zpytela@redhat.com> - 38.8-1
Zdenek Pytela 4a6ce4
- Confine gnome-initial-setup
Zdenek Pytela 4a6ce4
- Allow qemu-guest-agent create and use vsock socket
Zdenek Pytela 4a6ce4
- Allow login_pgm setcap permission
Zdenek Pytela 4a6ce4
- Allow chronyc read network sysctls
Zdenek Pytela 4a6ce4
- Enhancement of the /usr/sbin/request-key helper policy
Zdenek Pytela 4a6ce4
- Fix opencryptoki file names in /dev/shm
Zdenek Pytela 4a6ce4
- Allow system_cronjob_t transition to rpm_script_t
Zdenek Pytela 4a6ce4
- Revert "Allow system_cronjob_t domtrans to rpm_script_t"
Zdenek Pytela 4a6ce4
- Add tunable to allow squid bind snmp port
Zdenek Pytela 4a6ce4
- Allow staff_t getattr init pid chr & blk files and read krb5
Zdenek Pytela 4a6ce4
- Allow firewalld to rw z90crypt device
Zdenek Pytela 4a6ce4
- Allow httpd work with tokens in /dev/shm
Zdenek Pytela 4a6ce4
- Allow svirt to map svirt_image_t char files
Zdenek Pytela 4a6ce4
- Allow sysadm_t run initrc_t script and sysadm_r role access
Zdenek Pytela 4a6ce4
- Allow insights-client manage fsadm pid files
Zdenek Pytela 4a6ce4
Zdenek Pytela 0d20c3
* Wed Feb 08 2023 Zdenek Pytela <zpytela@redhat.com> - 38.7-1
Zdenek Pytela 0d20c3
- Allow snapper to create snapshots of /home/ subvolume/partition
Zdenek Pytela 0d20c3
- Add boolean qemu-ga to run unconfined script
Zdenek Pytela 0d20c3
- Label systemd-journald feature LogNamespace
Zdenek Pytela 0d20c3
- Add none file context for polyinstantiated tmp dirs
Zdenek Pytela 0d20c3
- Allow certmonger read the contents of the sysfs filesystem
Zdenek Pytela 0d20c3
- Add journalctl the sys_resource capability
Zdenek Pytela 0d20c3
- Allow nm-dispatcher plugins read generic files in /proc
Zdenek Pytela 0d20c3
- Add initial policy for the /usr/sbin/request-key helper
Zdenek Pytela 0d20c3
- Additional support for rpmdb_migrate
Zdenek Pytela 0d20c3
- Add the keyutils module
Zdenek Pytela 0d20c3
Zdenek Pytela 232d13
* Mon Jan 30 2023 Zdenek Pytela <zpytela@redhat.com> - 38.6-1
Zdenek Pytela 232d13
- Boolean: allow qemu-ga read ssh home directory
Zdenek Pytela 232d13
- Allow kernel_t to read/write all sockets
Zdenek Pytela 232d13
- Allow kernel_t to UNIX-stream connect to all domains
Zdenek Pytela 232d13
- Allow systemd-resolved send a datagram to journald
Zdenek Pytela 232d13
- Allow kernel_t to manage and have "execute" access to all files
Zdenek Pytela 232d13
- Fix the files_manage_all_files() interface
Zdenek Pytela 232d13
- Allow rshim bpf cap2 and read sssd public files
Zdenek Pytela 232d13
- Allow insights-client work with su and lpstat
Zdenek Pytela 232d13
- Allow insights-client tcp connect to all ports
Zdenek Pytela 232d13
- Allow nm-cloud-setup dispatcher plugin restart nm services
Zdenek Pytela 232d13
- Allow unconfined user filetransition for sudo log files
Zdenek Pytela 232d13
- Allow modemmanager create hardware state information files
Zdenek Pytela 232d13
- Allow ModemManager all permissions for netlink route socket
Zdenek Pytela 232d13
- Allow wg to send msg to kernel, write to syslog and dbus connections
Zdenek Pytela 232d13
- Allow hostname_t to read network sysctls
Zdenek Pytela 232d13
- Dontaudit ftpd the execmem permission
Zdenek Pytela 232d13
- Allow svirt request the kernel to load a module
Zdenek Pytela 232d13
- Allow icecast rename its log files
Zdenek Pytela 232d13
- Allow upsd to send signal to itself
Zdenek Pytela 232d13
- Allow wireguard to create udp sockets and read net_conf
Zdenek Pytela 4a6ce4
- Use '%autosetup' instead of '%setup'
Zdenek Pytela 4a6ce4
- Pass -p 1 to '%autosetup'
Zdenek Pytela 232d13
Fedora Release Engineering c11eb8
* Sat Jan 21 2023 Fedora Release Engineering <releng@fedoraproject.org> - 38.5-2
Fedora Release Engineering c11eb8
- Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild
Fedora Release Engineering c11eb8
Zdenek Pytela 13e15d
* Fri Jan 13 2023 Zdenek Pytela <zpytela@redhat.com> - 38.5-1
Zdenek Pytela 13e15d
- Allow insights client work with gluster and pcp
Zdenek Pytela 13e15d
- Add insights additional capabilities
Zdenek Pytela 13e15d
- Add interfaces in domain, files, and unconfined modules
Zdenek Pytela 13e15d
- Label fwupdoffline and fwupd-detect-cet with fwupd_exec_t
Zdenek Pytela 13e15d
- Allow sudodomain use sudo.log as a logfile
Zdenek Pytela 13e15d
- Allow pdns server map its library files and bind to unreserved ports
Zdenek Pytela 13e15d
- Allow sysadm_t read/write ipmi devices
Zdenek Pytela 13e15d
- Allow prosody manage its runtime socket files
Zdenek Pytela 13e15d
- Allow kernel threads manage kernel keys
Zdenek Pytela 13e15d
- Allow systemd-userdbd the sys_resource capability
Zdenek Pytela 13e15d
- Allow systemd-journal list cgroup directories
Zdenek Pytela 13e15d
- Allow apcupsd dbus chat with systemd-logind
Zdenek Pytela 13e15d
- Allow nut_domain manage also files and sock_files in /var/run
Zdenek Pytela 13e15d
- Allow winbind-rpcd make a TCP connection to the ldap port
Zdenek Pytela 13e15d
- Label /usr/lib/rpm/rpmdb_migrate with rpmdb_exec_t
Zdenek Pytela 13e15d
- Allow tlp read generic SSL certificates
Zdenek Pytela 13e15d
- Allow systemd-resolved watch tmpfs directories
Zdenek Pytela 13e15d
- Revert "Allow systemd-resolved watch tmpfs directories"
Zdenek Pytela 13e15d
Zdenek Pytela 328d37
* Mon Dec 19 2022 Zdenek Pytela <zpytela@redhat.com> - 38.4-1
Zdenek Pytela 328d37
- Allow NetworkManager and wpa_supplicant the bpf capability
Zdenek Pytela 328d37
- Allow systemd-rfkill the bpf capability
Zdenek Pytela 328d37
- Allow winbind-rpcd manage samba_share_t files and dirs
Zdenek Pytela 328d37
- Label /var/lib/httpd/md(/.*)? with httpd_sys_rw_content_t
Zdenek Pytela 328d37
- Allow gpsd the sys_ptrace userns capability
Zdenek Pytela 328d37
- Introduce gpsd_tmp_t for sockfiles managed by gpsd_t
Zdenek Pytela 328d37
- Allow load_policy_t write to unallocated ttys
Zdenek Pytela 328d37
- Allow ndc read hardware state information
Zdenek Pytela 328d37
- Allow system mail service read inherited certmonger runtime files
Zdenek Pytela 328d37
- Add lpr_roles to system_r roles
Zdenek Pytela 328d37
- Revert "Allow insights-client run lpr and allow the proper role"
Zdenek Pytela 328d37
- Allow stalld to read /sys/kernel/security/lockdown file
Zdenek Pytela 328d37
- Allow keepalived to set resource limits
Zdenek Pytela 328d37
- Add policy for mptcpd
Zdenek Pytela 328d37
- Add policy for rshim
Zdenek Pytela 328d37
- Allow admin users to create user namespaces
Zdenek Pytela 328d37
- Allow journalctl relabel with var_log_t and syslogd_var_run_t files
Zdenek Pytela 328d37
- Do not run restorecon /etc/NetworkManager/dispatcher.d in targeted
Zdenek Pytela 328d37
- Trim changelog so that it starts at F35 time
Zdenek Pytela 328d37
- Add mptcpd and rshim modules
Zdenek Pytela 328d37
Zdenek Pytela 5e55a1
* Wed Dec 14 2022 Zdenek Pytela <zpytela@redhat.com> - 38.3-1
Zdenek Pytela 5e55a1
- Allow insights-client dbus chat with various services
Zdenek Pytela 5e55a1
- Allow insights-client tcp connect to various ports
Zdenek Pytela 5e55a1
- Allow insights-client run lpr and allow the proper role
Zdenek Pytela 5e55a1
- Allow insights-client work with pcp and manage user config files
Zdenek Pytela 5e55a1
- Allow redis get user names
Zdenek Pytela 5e55a1
- Allow kernel threads to use fds from all domains
Zdenek Pytela 5e55a1
- Allow systemd-modules-load load kernel modules
Zdenek Pytela 5e55a1
- Allow login_userdomain watch systemd-passwd pid dirs
Zdenek Pytela 5e55a1
- Allow insights-client dbus chat with abrt
Zdenek Pytela 5e55a1
- Grant kernel_t certain permissions in the system class
Zdenek Pytela 5e55a1
- Allow systemd-resolved watch tmpfs directories
Zdenek Pytela 5e55a1
- Allow systemd-timedated watch init runtime dir
Zdenek Pytela 5e55a1
- Make `bootc` be `install_exec_t`
Zdenek Pytela 5e55a1
- Allow systemd-coredump create user_namespace
Zdenek Pytela 5e55a1
- Allow syslog the setpcap capability
Zdenek Pytela 5e55a1
- Dontaudit virtlogd and dnsmasq execmem
Zdenek Pytela 5e55a1
Zdenek Pytela 826337
* Tue Dec 06 2022 Zdenek Pytela <zpytela@redhat.com> - 38.2-1
Zdenek Pytela 826337
- Don't make kernel_t an unconfined domain
Zdenek Pytela 826337
- Don't allow kernel_t to execute bin_t/usr_t binaries without a transition
Zdenek Pytela 826337
- Allow kernel_t to execute systemctl to do a poweroff/reboot
Zdenek Pytela 826337
- Grant basic permissions to the domain created by systemd_systemctl_domain()
Zdenek Pytela 826337
- Allow kernel_t to request module loading
Zdenek Pytela 826337
- Allow kernel_t to do compute_create
Zdenek Pytela 826337
- Allow kernel_t to manage perf events
Zdenek Pytela 826337
- Grant almost all capabilities to kernel_t
Zdenek Pytela 826337
- Allow kernel_t to fully manage all devices
Zdenek Pytela 826337
- Revert "In domain_transition_pattern there is no permission allowing caller domain to execu_no_trans on entrypoint, this patch fixing this issue"
Zdenek Pytela 826337
- Allow pulseaudio to write to session_dbusd tmp socket files
Zdenek Pytela 826337
- Allow systemd and unconfined_domain_type create user_namespace
Zdenek Pytela 826337
- Add the user_namespace security class
Zdenek Pytela 826337
- Reuse tmpfs_t also for the ramfs filesystem
Zdenek Pytela 826337
- Label udf tools with fsadm_exec_t
Zdenek Pytela 826337
- Allow networkmanager_dispatcher_plugin work with nscd
Zdenek Pytela 826337
- Watch_sb all file type directories
Zdenek Pytela 826337
- Allow spamc read hardware state information files
Zdenek Pytela 826337
- Allow sysadm read ipmi devices
Zdenek Pytela 826337
- Allow insights client communicate with cupsd, mysqld, openvswitch, redis
Zdenek Pytela 826337
- Allow insights client read raw memory devices
Zdenek Pytela 826337
- Allow the spamd_update_t domain get generic filesystem attributes
Zdenek Pytela 826337
- Dontaudit systemd-gpt-generator the sys_admin capability
Zdenek Pytela 826337
- Allow ipsec_t only read tpm devices
Zdenek Pytela 826337
- Allow cups-pdf connect to the system log service
Zdenek Pytela 826337
- Allow postfix/smtpd read kerberos key table
Zdenek Pytela 826337
- Allow syslogd read network sysctls
Zdenek Pytela 826337
- Allow cdcc mmap dcc-client-map files
Zdenek Pytela 826337
- Add watch and watch_sb dosfs interface
Zdenek Pytela 826337
Zdenek Pytela 17a6cf
* Mon Nov 21 2022 Zdenek Pytela <zpytela@redhat.com> - 38.1-1
Zdenek Pytela 17a6cf
- Revert "Allow sysadm_t read raw memory devices"
Zdenek Pytela 17a6cf
- Allow systemd-socket-proxyd get attributes of cgroup filesystems
Zdenek Pytela 17a6cf
- Allow rpc.gssd read network sysctls
Zdenek Pytela 17a6cf
- Allow winbind-rpcd get attributes of device and pty filesystems
Zdenek Pytela 17a6cf
- Allow insights-client domain transition on semanage execution
Zdenek Pytela 17a6cf
- Allow insights-client create gluster log dir with a transition
Zdenek Pytela 17a6cf
- Allow insights-client manage generic locks
Zdenek Pytela 17a6cf
- Allow insights-client unix_read all domain semaphores
Zdenek Pytela 17a6cf
- Add domain_unix_read_all_semaphores() interface
Zdenek Pytela 17a6cf
- Allow winbind-rpcd use the terminal multiplexor
Zdenek Pytela 17a6cf
- Allow mrtg send mails
Zdenek Pytela 17a6cf
- Allow systemd-hostnamed dbus chat with init scripts
Zdenek Pytela 17a6cf
- Allow sssd dbus chat with system cronjobs
Zdenek Pytela 17a6cf
- Add interface to watch all filesystems
Zdenek Pytela 17a6cf
- Add watch_sb interfaces
Zdenek Pytela 17a6cf
- Add watch interfaces
Zdenek Pytela 17a6cf
- Allow dhcpd bpf capability to run bpf programs
Zdenek Pytela 17a6cf
- Allow netutils and traceroute bpf capability to run bpf programs
Zdenek Pytela 17a6cf
- Allow pkcs_slotd_t bpf capability to run bpf programs
Zdenek Pytela 17a6cf
- Allow xdm bpf capability to run bpf programs
Zdenek Pytela 17a6cf
- Allow pcscd bpf capability to run bpf programs
Zdenek Pytela 17a6cf
- Allow lldpad bpf capability to run bpf programs
Zdenek Pytela 17a6cf
- Allow keepalived bpf capability to run bpf programs
Zdenek Pytela 17a6cf
- Allow ipsec bpf capability to run bpf programs
Zdenek Pytela 17a6cf
- Allow fprintd bpf capability to run bpf programs
Zdenek Pytela 17a6cf
- Allow systemd-socket-proxyd get filesystems attributes
Zdenek Pytela 17a6cf
- Allow dirsrv_snmp_t to manage dirsrv_config_t & dirsrv_var_run_t files
Zdenek Pytela 17a6cf
Zdenek Pytela 544896
* Mon Oct 31 2022 Zdenek Pytela <zpytela@redhat.com> - 37.14-1
Zdenek Pytela 544896
- Allow rotatelogs read httpd_log_t symlinks
Zdenek Pytela 544896
- Add winbind-rpcd to samba_enable_home_dirs boolean
Zdenek Pytela 544896
- Allow system cronjobs dbus chat with setroubleshoot
Zdenek Pytela 544896
- Allow setroubleshootd read device sysctls
Zdenek Pytela 544896
- Allow virt_domain read device sysctls
Zdenek Pytela 544896
- Allow rhcd compute selinux access vector
Zdenek Pytela 544896
- Allow insights-client manage samba var dirs
Zdenek Pytela 544896
- Label ports 10161-10162 tcp/udp with snmp
Zdenek Pytela 544896
- Allow aide to connect to systemd_machined with a unix socket
Zdenek Pytela 544896
- Allow samba-dcerpcd use NSCD services over a unix stream socket
Zdenek Pytela 544896
- Allow vlock search the contents of the /dev/pts directory
Zdenek Pytela 544896
- Allow insights-client send null signal to rpm and system cronjob
Zdenek Pytela 544896
- Label port 15354/tcp and 15354/udp with opendnssec
Zdenek Pytela 544896
- Allow ftpd map ftpd_var_run files
Zdenek Pytela 544896
- Allow targetclid to manage tmp files
Zdenek Pytela 544896
- Allow insights-client connect to postgresql with a unix socket
Zdenek Pytela 544896
- Allow insights-client domtrans on unix_chkpwd execution
Zdenek Pytela 544896
- Add file context entries for insights-client and rhc
Zdenek Pytela 544896
- Allow pulseaudio create gnome content (~/.config)
Zdenek Pytela 544896
- Allow login_userdomain dbus chat with rhsmcertd
Zdenek Pytela 544896
- Allow sbd the sys_ptrace capability
Zdenek Pytela 544896
- Allow ptp4l_t name_bind ptp_event_port_t
Zdenek Pytela 544896
Zdenek Pytela c9f58f
* Mon Oct 03 2022 Zdenek Pytela <zpytela@redhat.com> - 37.13-1
Zdenek Pytela c9f58f
- Remove the ipa module
Zdenek Pytela c9f58f
- Allow sss daemons read/write unnamed pipes of cloud-init
Zdenek Pytela c9f58f
- Allow postfix_mailqueue create and use unix dgram sockets
Zdenek Pytela c9f58f
- Allow xdm watch user home directories
Zdenek Pytela c9f58f
- Allow nm-dispatcher ddclient plugin load a kernel module
Zdenek Pytela c9f58f
- Stop ignoring standalone interface files
Zdenek Pytela c9f58f
- Drop cockpit module
Zdenek Pytela c9f58f
- Allow init map its private tmp files
Zdenek Pytela c9f58f
- Allow xenstored change its hard resource limits
Zdenek Pytela c9f58f
- Allow system_mail_t read network sysctls
Zdenek Pytela c9f58f
- Add bgpd sys_chroot capability
Zdenek Pytela c9f58f
Zdenek Pytela dde90d
* Thu Sep 22 2022 Zdenek Pytela <zpytela@redhat.com> - 37.12-1
Zdenek Pytela dde90d
- nut-upsd: kernel_read_system_state, fs_getattr_cgroup
Zdenek Pytela dde90d
- Add numad the ipc_owner capability
Zdenek Pytela dde90d
- Allow gst-plugin-scanner read virtual memory sysctls
Zdenek Pytela dde90d
- Allow init read/write inherited user fifo files
Zdenek Pytela dde90d
- Update dnssec-trigger policy: setsched, module_request
Zdenek Pytela dde90d
- Add policy for systemd-socket-proxyd
Zdenek Pytela dde90d
- Add the new 'cmd' permission to the 'io_uring' class
Zdenek Pytela dde90d
- Allow winbind-rpcd read and write its key ring
Zdenek Pytela dde90d
- Label /run/NetworkManager/no-stub-resolv.conf net_conf_t
Zdenek Pytela dde90d
- blueman-mechanism can read ~/.local/lib/python*/site-packages directory
Zdenek Pytela dde90d
- pidof executed by abrt can readlink /proc/*/exe
Zdenek Pytela dde90d
- Fix typo in comment
Zdenek Pytela dde90d
- Do not run restorecon /etc/NetworkManager/dispatcher.d in mls and minimum
Zdenek Pytela dde90d
Zdenek Pytela d02146
* Wed Sep 14 2022 Zdenek Pytela <zpytela@redhat.com> - 37.11-1
Zdenek Pytela d02146
- Allow tor get filesystem attributes
Zdenek Pytela d02146
- Allow utempter append to login_userdomain stream
Zdenek Pytela d02146
- Allow login_userdomain accept a stream connection to XDM
Zdenek Pytela d02146
- Allow login_userdomain write to boltd named pipes
Zdenek Pytela d02146
- Allow staff_u and user_u users write to bolt pipe
Zdenek Pytela d02146
- Allow login_userdomain watch various directories
Zdenek Pytela d02146
- Update rhcd policy for executing additional commands 5
Zdenek Pytela d02146
- Update rhcd policy for executing additional commands 4
Zdenek Pytela d02146
- Allow rhcd create rpm hawkey logs with correct label
Zdenek Pytela d02146
- Allow systemd-gpt-auto-generator to check for empty dirs
Zdenek Pytela d02146
- Update rhcd policy for executing additional commands 3
Zdenek Pytela d02146
- Allow journalctl read rhcd fifo files
Zdenek Pytela d02146
- Update insights-client policy for additional commands execution 5
Zdenek Pytela d02146
- Allow init remount all file_type filesystems
Zdenek Pytela d02146
- Confine insights-client systemd unit
Zdenek Pytela d02146
- Update insights-client policy for additional commands execution 4
Zdenek Pytela d02146
- Allow pcp pmcd search tracefs and acct_data dirs
Zdenek Pytela d02146
- Allow httpd read network sysctls
Zdenek Pytela d02146
- Dontaudit domain map permission on directories
Zdenek Pytela d02146
- Revert "Allow X userdomains to mmap user_fonts_cache_t dirs"
Zdenek Pytela d02146
- Revert "Allow xdm_t domain to mmap /var/lib/gdm/.cache/fontconfig BZ(1725509)"
Zdenek Pytela d02146
- Update insights-client policy for additional commands execution 3
Zdenek Pytela d02146
- Allow systemd permissions needed for sandboxed services
Zdenek Pytela d02146
- Add rhcd module
Zdenek Pytela d02146
- Make dependency on rpm-plugin-selinux unordered
Zdenek Pytela d02146
Zdenek Pytela 9a58e6
* Fri Sep 02 2022 Zdenek Pytela <zpytela@redhat.com> - 37.10-1
Zdenek Pytela 9a58e6
- Allow ipsec_t read/write tpm devices
Zdenek Pytela 9a58e6
- Allow rhcd execute all executables
Zdenek Pytela 9a58e6
- Update rhcd policy for executing additional commands 2
Zdenek Pytela 9a58e6
- Update insights-client policy for additional commands execution 2
Zdenek Pytela 9a58e6
- Allow sysadm_t read raw memory devices
Zdenek Pytela 9a58e6
- Allow chronyd send and receive chronyd/ntp client packets
Zdenek Pytela 9a58e6
- Allow ssh client read kerberos homedir config files
Zdenek Pytela 9a58e6
- Label /var/log/rhc-worker-playbook with rhcd_var_log_t
Zdenek Pytela 9a58e6
- Update insights-client policy (auditctl, gpg, journal)
Zdenek Pytela 9a58e6
- Allow system_cronjob_t domtrans to rpm_script_t
Zdenek Pytela 9a58e6
- Allow smbd_t process noatsecure permission for winbind_rpcd_t
Zdenek Pytela 9a58e6
- Update tor_bind_all_unreserved_ports interface
Zdenek Pytela 9a58e6
- Allow chronyd bind UDP sockets to ptp_event ports
Zdenek Pytela 9a58e6
- Allow unconfined and sysadm users transition for /root/.gnupg
Zdenek Pytela 9a58e6
- Add gpg_filetrans_admin_home_content() interface
Zdenek Pytela 9a58e6
- Update rhcd policy for executing additional commands
Zdenek Pytela 9a58e6
- Update insights-client policy for additional commands execution
Zdenek Pytela 9a58e6
- Add userdom_view_all_users_keys() interface
Zdenek Pytela 9a58e6
- Allow gpg read and write generic pty type
Zdenek Pytela 9a58e6
- Allow chronyc read and write generic pty type
Zdenek Pytela 9a58e6
- Allow system_dbusd ioctl kernel with a unix stream sockets
Zdenek Pytela 9a58e6
- Allow samba-bgqd to read a printer list
Zdenek Pytela 9a58e6
- Allow stalld get and set scheduling policy of all domains
Zdenek Pytela 9a58e6
- Allow unconfined_t transition to targetclid_home_t
Zdenek Pytela 9a58e6
Zdenek Pytela 5ac843
* Thu Aug 11 2022 Zdenek Pytela <zpytela@redhat.com> - 37.9-1
Zdenek Pytela 5ac843
- Allow nm-dispatcher custom plugin dbus chat with nm
Zdenek Pytela 5ac843
- Allow nm-dispatcher sendmail plugin get status of systemd services
Zdenek Pytela 5ac843
- Allow xdm read the kernel key ring
Zdenek Pytela 5ac843
- Allow login_userdomain check status of mount units
Zdenek Pytela 5ac843
- Allow postfix/smtp and postfix/virtual read kerberos key table
Zdenek Pytela 5ac843
- Allow services execute systemd-notify
Zdenek Pytela 5ac843
- Do not allow login_userdomain use sd_notify()
Zdenek Pytela 5ac843
- Allow launch-xenstored read filesystem sysctls
Zdenek Pytela 5ac843
- Allow systemd-modules-load write to /dev/kmsg and send a message to syslogd
Zdenek Pytela 5ac843
- Allow openvswitch fsetid capability
Zdenek Pytela 5ac843
- Allow openvswitch use its private tmpfs files and dirs
Zdenek Pytela 5ac843
- Allow openvswitch search tracefs dirs
Zdenek Pytela 5ac843
- Allow pmdalinux read files on an nfsd filesystem
Zdenek Pytela 5ac843
- Allow winbind-rpcd write to winbind pid files
Zdenek Pytela 5ac843
- Allow networkmanager to signal unconfined process
Zdenek Pytela 5ac843
- Allow systemd_hostnamed label /run/systemd/* as hostnamed_etc_t
Zdenek Pytela 5ac843
- Allow samba-bgqd get a printer list
Zdenek Pytela 5ac843
- fix(init.fc): Fix section description
Zdenek Pytela 5ac843
- Allow fedora-third-party read the passwords file
Zdenek Pytela 5ac843
- Remove permissive domain for rhcd_t
Zdenek Pytela 5ac843
- Allow pmie read network state information and network sysctls
Zdenek Pytela 5ac843
- Revert "Dontaudit domain the fowner capability"
Zdenek Pytela 5ac843
- Allow sysadm_t to run bpftool on the userdomain attribute
Zdenek Pytela 5ac843
- Add the userdom_prog_run_bpf_userdomain() interface
Zdenek Pytela 5ac843
- Allow insights-client rpm named file transitions
Zdenek Pytela 5ac843
- Add /var/tmp/insights-archive to insights_client_filetrans_named_content
Zdenek Pytela 5ac843
Zdenek Pytela 1ccfff
* Mon Aug 01 2022 Zdenek Pytela <zpytela@redhat.com> - 37.8-1
Zdenek Pytela 1ccfff
- Allow sa-update to get init status and start systemd files
Zdenek Pytela 1ccfff
- Use insights_client_filetrans_named_content
- Make default file context match with named transitions
- Allow nm-dispatcher tlp plugin send system log messages
- Allow nm-dispatcher tlp plugin create and use unix_dgram_socket
- Add permissions to manage lnk_files into gnome_manage_home_config
- Allow rhsmcertd to read insights config files
- Label /etc/insights-client/machine-id
- fix(devices.fc): Replace single quote in comment to solve parsing issues
- Make NetworkManager_dispatcher_custom_t an unconfined domain

* Sat Jul 23 2022 Fedora Release Engineering <releng@fedoraproject.org> - 37.7-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild

* Thu Jul 14 2022 Zdenek Pytela <zpytela@redhat.com> - 37.7-1
- Update winbind_rpcd_t
- Allow some domains use sd_notify()
- Revert "Allow rabbitmq to use systemd notify"
- fix(sedoctool.py): Fix syntax warning: "is not" with a literal
- Allow nm-dispatcher console plugin manage etc files
- Allow networkmanager_dispatcher_plugin list NetworkManager_etc_t dirs
- Allow nm-dispatcher console plugin setfscreate
- Support using systemd-update-helper in rpm scriptlets
- Allow nm-dispatcher winbind plugin read samba config files
- Allow domain use userfaultfd over all domains
- Allow cups-lpd read network sysctls

* Wed Jun 29 2022 Zdenek Pytela <zpytela@redhat.com> - 37.6-1
- Allow stalld set scheduling policy of kernel threads
- Allow targetclid read /var/target files
- Allow targetclid read generic SSL certificates (fixed)
- Allow firewalld read the contents of the sysfs filesystem
- Fix file context pattern for /var/target
- Use insights_client_etc_t in insights_search_config()
- Allow nm-dispatcher ddclient plugin handle systemd services
- Allow nm-dispatcher winbind plugin run smbcontrol
- Allow nm-dispatcher custom plugin create and use unix dgram socket
- Update samba-dcerpcd policy for kerberos usage 2
- Allow keepalived read the contents of the sysfs filesystem
- Allow amandad read network sysctls
- Allow cups-lpd read network sysctls
- Allow kpropd read network sysctls
- Update insights_client_filetrans_named_content()
- Allow rabbitmq to use systemd notify
- Label /var/target with targetd_var_t
- Allow targetclid read generic SSL certificates
- Update rhcd policy
- Allow rhcd search insights configuration directories
- Add the kernel_read_proc_files() interface
- Require policycoreutils >= 3.4-1
- Add a script for enclosing interfaces in ifndef statements
- Disable rpm verification on interface_info

* Wed Jun 22 2022 Zdenek Pytela <zpytela@redhat.com> - 37.5-1
- Allow transition to insights_client named content
- Add the insights_client_filetrans_named_content() interface
- Update policy for insights-client to run additional commands 3
- Allow dhclient manage pid files used by chronyd
- Allow stalld get scheduling policy of kernel threads
- Allow samba-dcerpcd work with sssd
- Allow dlm_controld send a null signal to a cluster daemon
- Allow ksmctl create hardware state information files
- Allow winbind_rpcd_t connect to self over a unix_stream_socket
- Update samba-dcerpcd policy for kerberos usage
- Allow insights-client execute its private memfd: objects
- Update policy for insights-client to run additional commands 2
- Use insights_client_tmp_t instead of insights_client_var_tmp_t
- Change space indentation to tab in insights-client
- Use socket permissions sets in insights-client
- Update policy for insights-client to run additional commands
- Change rpm_setattr_db_files() to use a pattern
- Allow init_t to rw insights_client unnamed pipe
- Add rpm setattr db files macro
- Fix insights client
- Update kernel_read_unix_sysctls() for sysctl_net_unix_t handling
- Allow rabbitmq to access its private memfd: objects
- Update policy for samba-dcerpcd
- Allow stalld setsched and sys_nice

* Tue Jun 07 2022 Zdenek Pytela <zpytela@redhat.com> - 37.4-1
- Allow auditd_t noatsecure for a transition to audisp_remote_t
- Allow ctdbd nlmsg_read on netlink_tcpdiag_socket
- Allow pcp_domain execute its private memfd: objects
- Add support for samba-dcerpcd
- Add policy for wireguard
- Confine targetcli
- Allow systemd work with install_t unix stream sockets
- Allow iscsid the sys_ptrace userns capability
- Allow xdm connect to unconfined_service_t over a unix stream socket

* Fri May 27 2022 Zdenek Pytela <zpytela@redhat.com> - 37.3-1
- Allow nm-dispatcher custom plugin execute systemctl
- Allow nm-dispatcher custom plugin dbus chat with nm
- Allow nm-dispatcher custom plugin create and use udp socket
- Allow nm-dispatcher custom plugin create and use netlink_route_socket
- Use create_netlink_socket_perms in netlink_route_socket class permissions
- Add support for nm-dispatcher sendmail scripts
- Allow sslh net_admin capability
- Allow insights-client manage gpg admin home content
- Add the gpg_manage_admin_home_content() interface
- Allow rhsmcertd create generic log files
- Update logging_create_generic_logs() to use create_files_pattern()
- Label /var/cache/insights with insights_client_cache_t
- Allow insights-client search gconf homedir
- Allow insights-client create and use unix_dgram_socket
- Allow blueman execute its private memfd: files
- Move the chown call into make-srpm.sh

* Fri May 06 2022 Zdenek Pytela <zpytela@redhat.com> - 37.2-1
- Use the networkmanager_dispatcher_plugin attribute in allow rules
- Make a custom nm-dispatcher plugin transition
- Label port 4784/tcp and 4784/udp with bfd_multi
- Allow systemd watch and watch_reads user ptys
- Allow sblim-gatherd the kill capability
- Label more vdsm utils with virtd_exec_t
- Add ksm service to ksmtuned
- Add rhcd policy
- Dontaudit guest attempts to dbus chat with systemd domains
- Dontaudit guest attempts to dbus chat with system bus types
- Use a named transition in systemd_hwdb_manage_config()
- Add default fc specifications for patterns in /opt
- Add the files_create_etc_files() interface
- Allow nm-dispatcher console plugin create and write files in /etc
- Allow nm-dispatcher console plugin transition to the setfiles domain
- Allow more nm-dispatcher plugins append to init stream sockets
- Allow nm-dispatcher tlp plugin dbus chat with nm
- Reorder networkmanager_dispatcher_plugin_template() calls
- Allow svirt connectto virtlogd
- Allow blueman map its private memfd: files
- Allow sysadm user execute init scripts with a transition
- Allow sblim-sfcbd connect to sblim-reposd stream
- Allow keepalived_unconfined_script_t dbus chat with init
- Run restorecon with "-i" not to report errors

* Mon May 02 2022 Zdenek Pytela <zpytela@redhat.com> - 37.1-1
- Fix users for SELinux userspace 3.4
- Label /var/run/machine-id as machineid_t
- Add stalld to modules.conf
- Use files_tmpfs_file() for rhsmcertd_tmpfs_t
- Allow blueman read/write its private memfd: objects
- Allow insights-client read rhnsd config files
- Allow insights-client create_socket_perms for tcp/udp sockets