Revisions of selinux-policy
buildservice-autocommit
accepted
request 1178674
from
Cathy Hu (cahu)
(revision 224)
Cathy Hu (cahu)
(revision 224)
baserev update by copy to link target
Cathy Hu (cahu)
accepted
request 1177623
from
Cathy Hu (cahu)
(revision 223)
- Use python311 tools in 15.4 and 15.5 when building selinux-policy to deprecate python36 tooling
Johannes Segitz (jsegitz)
committed
(revision 222)
- Remove "Reference" from the package description. It's not the reference policy, but the Fedora branch of the policy
Johannes Segitz (jsegitz)
committed
(revision 221)
Johannes Segitz (jsegitz)
accepted
request 1172709
from
Johannes Segitz (jsegitz)
(revision 220)
- Fixed varrun-convert.sh script to not break because of duplicate entries
Johannes Segitz (jsegitz)
accepted
request 1172201
from
Johannes Segitz (jsegitz)
(revision 219)
- Move to %posttrans to ensure selinux-policy got updated before the commands run (bsc#1221720)
Cathy Hu (cahu)
accepted
request 1167823
from
Cathy Hu (cahu)
(revision 218)
- Add file contexts "forwarding" to file_contexts.sub_dist to fix systemd-gpt-auto-generator and systemd-fstab-generator (bsc#1222736): * /run/systemd/generator.early /usr/lib/systemd/system * /run/systemd/generator.late /usr/lib/systemd/system
Johannes Segitz (jsegitz)
accepted
request 1166915
from
Cathy Hu (cahu)
(revision 217)
- Update to version 20240411: * Remove duplicate in sysnetwork.fc * Rename /var/run/wicked* to /run/wicked* * Remove /var/run/rsyslog/additional-log-sockets.conf from logging.fc * policy: support pidfs * Confine selinux-autorelabel-generator.sh * Allow logwatch_mail_t read/write to init over a unix stream socket * Allow logwatch read logind sessions files * files_dontaudit_getattr_tmpfs_files allowed the access and didn't dontaudit it * files_dontaudit_mounton_modules_object allowed the access and didn't dontaudit it * Allow NetworkManager the sys_ptrace capability in user namespace * dontaudit execmem for modemmanager * Allow dhcpcd use unix_stream_socket * Allow dhcpc read /run/netns files * Update mmap_rw_file_perms to include the lock permission * Allow plymouthd log during shutdown * Add logging_watch_all_log_dirs() and logging_watch_all_log_files() * Allow journalctl_t read filesystem sysctls * Allow cgred_t to get attributes of cgroup filesystems * Allow wdmd read hardware state information * Allow wdmd list the contents of the sysfs directories * Allow linuxptp configure phc2sys and chronyd over a unix domain socket * Allow sulogin relabel tty1 * Dontaudit sulogin the checkpoint_restore capability * Modify sudo_role_template() to allow getpgid * Allow userdomain get attributes of files on an nsfs filesystem * Allow opafm create NFS files and directories * Allow virtqemud create and unlink files in /etc/libvirt/ * Allow virtqemud domain transition on swtpm execution * Add the swtpm.if interface file for interactions with other domains * Allow samba to have dac_override capability * systemd: allow sys_admin capability for systemd_notify_t * systemd: allow systemd_notify_t to send data to kernel_t datagram sockets * Allow thumb_t to watch and watch_reads mount_var_run_t * Allow krb5kdc_t map krb5kdc_principal_t files * Allow unprivileged confined user dbus chat with setroubleshoot * Allow login_userdomain map files in /var * Allow wireguard work with firewall-cmd * Differentiate between staff and sysadm when executing crontab with sudo * Add crontab_admin_domtrans interface * Allow abrt_t nnp domain transition to abrt_handle_event_t * Allow xdm_t to watch and watch_reads mount_var_run_t * Dontaudit subscription manager setfscreate and read file contexts * Don't audit crontab_domain write attempts to user home * Transition from sudodomains to crontab_t when executing crontab_exec_t * Add crontab_domtrans interface * Fix label of pseudoterminals created from sudodomain * Allow utempter_t use ptmx * Dontaudit rpmdb attempts to connect to sssd over a unix stream socket * Allow admin user read/write on fixed_disk_device_t * Only allow confined user domains to login locally without unconfined_login * Add userdom_spec_domtrans_confined_admin_users interface * Only allow admindomain to execute shell via ssh with ssh_sysadm_login * Add userdom_spec_domtrans_admin_users interface * Move ssh dyntrans to unconfined inside unconfined_login tunable policy * Update ssh_role_template() for user ssh-agent type * Allow init to inherit system DBus file descriptors * Allow init to inherit fds from syslogd * Allow any domain to inherit fds from rpm-ostree * Update afterburn policy * Allow init_t nnp domain transition to abrtd_t * Rename all /var/lock file context entries to /run/lock * Rename all /var/run file context entries to /run - Add script varrun-convert.sh for locally existing modules to be able to cope with the /var/run -> /run change - Update embedded container-selinux to commit a8e389dbcd3f9b6ed0a7e495c6f559c0383dc49e
buildservice-autocommit
accepted
request 1160077
from
Johannes Segitz (jsegitz)
(revision 216)
Johannes Segitz (jsegitz)
(revision 216)
baserev update by copy to link target
Johannes Segitz (jsegitz)
accepted
request 1160076
from
Johannes Segitz (jsegitz)
(revision 215)
- Update to version 20240321: * policy module for kiwi (bsc#1221109) * dontaudit execmem for modemmanager (bsc#1219363)
buildservice-autocommit
accepted
request 1157662
from
Cathy Hu (cahu)
(revision 214)
Cathy Hu (cahu)
(revision 214)
baserev update by copy to link target
Cathy Hu (cahu)
accepted
request 1157597
from
Cathy Hu (cahu)
(revision 213)
- Update to version 20240313: * Assign alts_exec_t to files_type
Cathy Hu (cahu)
accepted
request 1156292
from
Cathy Hu (cahu)
(revision 212)
- Update to version 20240308: * Support /bin/alts in the policy (bsc#1217530) * Revert "Allow virtnetworkd_t to execute bin_t (bsc#1216903)"
Cathy Hu (cahu)
accepted
request 1155628
from
Cathy Hu (cahu)
(revision 211)
- Update to version 20240306: * Replace init domtrans rule for confined users to allow exec init * Update dbus_role_template() to allow user service status * Allow polkit status all systemd services * Allow setroubleshootd create and use inherited io_uring * Allow load_policy read and write generic ptys
Cathy Hu (cahu)
accepted
request 1154878
from
Cathy Hu (cahu)
(revision 210)
- Update to version 20240304: * Allow ssh-keygen to use the libica crypto module (bsc#1220373)
buildservice-autocommit
accepted
request 1145097
from
Cathy Hu (cahu)
(revision 209)
Cathy Hu (cahu)
(revision 209)
baserev update by copy to link target
Cathy Hu (cahu)
accepted
request 1144343
from
Cathy Hu (cahu)
(revision 208)
- Update to version 20240205: * Allow gpg manage rpm cache * Allow login_userdomain name_bind to howl and xmsg udp ports * Allow rules for confined users logged in plasma * Label /dev/iommu with iommu_device_t * Remove duplicate file context entries in /run * Dontaudit getty and plymouth the checkpoint_restore capability * Allow su domains write login records * Revert "Allow su domains write login records" * Allow login_userdomain delete session dbusd tmp socket files * Allow unix dgram sendto between exim processes * Allow su domains write login records * Allow smbd_t to watch user_home_dir_t if samba_enable_home_dirs is on * Allow chronyd-restricted read chronyd key files * Allow conntrackd_t to use bpf capability2 * Allow systemd-networkd manage its runtime socket files * Allow init_t nnp domain transition to colord_t * Allow polkit status systemd services * nova: Fix duplicate declarations * Allow httpd work with PrivateTmp * Add interfaces for watching and reading ifconfig_var_run_t * Allow collectd read raw fixed disk device * Allow collectd read udev pid files * Set correct label on /etc/pki/pki-tomcat/kra * Allow systemd domains watch system dbus pid socket files * Allow certmonger read network sysctls * Allow mdadm list stratisd data directories * Allow syslog to run unconfined scripts conditionally * Allow syslogd_t nnp_transition to syslogd_unconfined_script_t * Allow qatlib set attributes of vfio device files * Allow systemd-sleep set attributes of efivarfs files * Allow samba-dcerpcd read public files * Allow spamd_update_t the sys_ptrace capability in user namespace * Allow bluetooth devices work with alsa * Allow alsa get attributes filesystems with extended attributes * Allow hypervkvp_t write access to NetworkManager_etc_rw_t * Add interface for write-only access to NetworkManager rw conf * Allow systemd-sleep send a message to syslog over a unix dgram socket * Allow init create and use netlink netfilter socket * Allow qatlib load kernel modules * Allow qatlib run lspci * Allow qatlib manage its private runtime socket files * Allow qatlib read/write vfio devices * Label /etc/redis.conf with redis_conf_t * Remove the lockdown-class rules from the policy * Allow init read all non-security socket files * Replace redundant dnsmasq pattern macros * Remove unneeded symlink perms in dnsmasq.if * Add additions to dnsmasq interface * Allow nvme_stas_t create and use netlink kobject uevent socket * Allow collectd connect to statsd port * Allow keepalived_t to use sys_ptrace of cap_userns * Allow dovecot_auth_t connect to postgresql using UNIX socket * Make named_zone_t and named_var_run_t a part of the mountpoint attribute * Allow sysadm execute traceroute in sysadm_t domain using sudo * Allow sysadm execute tcpdump in sysadm_t domain using sudo * Allow opafm search nfs directories * Add support for syslogd unconfined scripts * Allow gpsd use /dev/gnss devices * Allow gpg read rpm cache * Allow virtqemud additional permissions * Allow virtqemud manage its private lock files * Allow virtqemud use the io_uring api * Allow ddclient send e-mail notifications * Allow postfix_master_t map postfix data files * Allow init create and use vsock sockets * Allow thumb_t append to init unix domain stream sockets * Label /dev/vas with vas_device_t * Create interface selinux_watch_config and add it to SELinux users * Update cifs interfaces to include fs_search_auto_mountpoints() * Allow sudodomain read var auth files * Allow spamd_update_t read hardware state information * Allow virtnetworkd domain transition on tc command execution * Allow sendmail MTA connect to sendmail LDA * Allow auditd read all domains process state * Allow rsync read network sysctls * Add dhcpcd bpf capability to run bpf programs * Dontaudit systemd-hwdb dac_override capability * Allow systemd-sleep create efivarfs files * Allow map xserver_tmpfs_t files when xserver_clients_write_xshm is on * Allow graphical applications work in Wayland * Allow kdump work with PrivateTmp * Allow dovecot-auth work with PrivateTmp * Allow nfsd get attributes of all filesystems * Allow unconfined_domain_type use io_uring cmd on domain * ci: Only run Rawhide revdeps tests on the rawhide branch * Label /var/run/auditd.state as auditd_var_run_t * Allow fido-device-onboard (FDO) read the crack database * Allow ip an explicit domain transition to other domains * Label /usr/libexec/selinux/selinux-autorelabel with semanage_exec_t * Allow winbind_rpcd_t processes access when samba_export_all_* is on * Enable NetworkManager and dhclient to use initramfs-configured DHCP connection * Allow ntp to bind and connect to ntske port.
buildservice-autocommit
accepted
request 1139103
from
Cathy Hu (cahu)
(revision 207)
Cathy Hu (cahu)
(revision 207)
baserev update by copy to link target
Cathy Hu (cahu)
accepted
request 1139091
from
Cathy Hu (cahu)
(revision 206)
- Update to version 20240116: * Fix gitolite homedir paths (bsc#1218826)
buildservice-autocommit
accepted
request 1138076
from
Johannes Segitz (jsegitz)
(revision 205)
Johannes Segitz (jsegitz)
(revision 205)
baserev update by copy to link target
Displaying revisions 1 - 20 of 224
