f1d354 * Fri Sep 13 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.5-3

Authored and Committed by Lukas Vrabec 5 years ago
    * Fri Sep 13 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.5-3
    - Add sys_ptrace capability to pcp_pmlogger_t domain BZ(1751816)
    - Allow gssproxy_t domain read state of all processes on system
    - Fix typo in cachefilesd module
    - Allow cachefilesd_t domain to read/write cachefiles_device_t devices
    - Remove setting label for /dev/cachefilesd char device from cachefilesd policy. This should be added in base policy
    - Add sys_admin capability for keepalived_t labeled processes
    - Allow user_mail_domain attribute to manage files labeled as etc_aliases_t.
    - Create new type ipmievd_helper_t domain for loading kernel modules.
    - Run stratisd service as stratisd_t
    - Fix abrt_upload_watch_t in abrt policy
    - Update keepalived policy
    - Update cron_role, cron_admin_role and cron_unconfined_role to avoid *_t_t types
    - Revert "Create admin_crontab_t and admin_crontab_tmp_t types"
    - Revert "Update cron_role() template to accept third parameter with SELinux domain prefix"
    - Allow amanda_t to manage its var lib files and read random_device_t
    - Create admin_crontab_t and admin_crontab_tmp_t types
    - Add setgid and setuid capabilities to keepalived_t domain
    - Update cron_role() template to accept third parameter with SELinux domain prefix
    - Allow psad_t domain to create tcp diag sockets BZ(1750324)
    - Allow systemd to mount fwupd_cache_t BZ(1750288)
    - Allow chronyc_t domain to append to all non_security files
    - Update zebra SELinux policy to make it work also with frr service
    - Allow rtkit_daemon_t domain set process nice value in user namespaces BZ(1750024)
    - Dontaudit rhsmcertd_t to write to dirs labeled as lib_t BZ(1556763)
    - Label /var/run/mysql as mysqld_var_run_t
    - Allow chronyd_t domain to manage and create chronyd_tmp_t dirs,files,sock_file objects.
    - Update timedatex policy to manage localization
    - Allow sandbox_web_type domains to sys_ptrace and sys_chroot in user namespaces
    - Update gnome_dontaudit_read_config
    - Allow devicekit_var_lib_t dirs to be created by systemd during service startup. BZ(1748997)
    - Allow systemd labeled as init_t domain to remount rootfs filesystem
    - Add interface files_remount_rootfs()
    - Dontaudit sys_admin capability for iptables_t SELinux domain
    - Label /dev/cachefilesd as cachefiles_device_t
    - Make stratisd policy active
    - Allow userdomains to dbus chat with policykit daemon
    - Update userdomains to pass correct parameters based on updates from cron_*_role interfaces
    - New interface files_append_non_security_files()
    - Label 2618/tcp and 2618/udp as priority_e_com_port_t
    - Label 2616/tcp and 2616/udp as appswitch_emp_port_t
    - Label 2615/tcp and 2615/udp as firepower_port_t
    - Label 2610/tcp and 2610/udp as versa_tek_port_t
    - Label 2613/tcp and 2613/udp as smntubootstrap_port_t
    - Label 3784/tcp and 3784/udp as bfd_control_port_t
    - Remove rule allowing all processes to stream connect to unconfined domains
    
        
file modified
+2 -0
file modified
+50 -3
file modified
+3 -3