Index | index by Group | index by Distribution | index by Vendor | index by creation date | index by Name | Mirrors | Help | Search |
Name: selinux-policy-sandbox | Distribution: openSUSE Tumbleweed |
Version: 20241105 | Vendor: openSUSE |
Release: 2.1 | Build date: Tue Nov 5 17:21:44 2024 |
Group: System/Management | Build host: reproducible |
Size: 87393 | Source RPM: selinux-policy-20241105-2.1.src.rpm |
Packager: http://bugs.opensuse.org | |
Url: https://github.com/fedora-selinux/selinux-policy.git | |
Summary: SELinux policy sandbox |
SELinux sandbox policy used for the policycoreutils-sandbox package
GPL-2.0-or-later
* Tue Nov 05 2024 [email protected] - Update to version 20241105: * Allow virt_dbus_t to connect to virtd_t over unix_stream_socket (bsc#1232655) * Thu Oct 31 2024 [email protected] - Update to version 20241031: * Label /var/livepatches as lib_t for ULP on micro (bsc#1228879) * Mon Oct 21 2024 [email protected] - Update to version 20241021: * rsync: add rsync_exec_commands boolean and enable it by default (bsc#1231494) * Allow snapperd to execute systemctl (bsc#1231489) * Fri Oct 18 2024 [email protected] - Update to version 20241018: * Allow slpd to create TCPDIAG netlink socket (bsc#1231491) * Allow slpd to use sys_chroot (bsc#1231491) * Allow openvswitch-ipsec use strongswan (bsc#1231493) * Mon Sep 30 2024 [email protected] - Update to version 20240930: * Label yast binaries correctly * Wed Sep 25 2024 [email protected] - Update to version 20240925: * Allow snapperd to manage unlabeled_t files (bsc#1230966) * Tue Sep 24 2024 [email protected] - Update to version 20240924: * Revert "Allow virtstoraged to manage images (bsc#1228742)" * Label /etc/mdevctl.d with mdevctl_conf_t * Sync users with Fedora targeted users * Update policy for rpc-virtstorage * Allow virtstoraged get attributes of configfs dirs * Fix SELinux policy for sandbox X server to fix 'sandbox -X' command * Update bootupd policy when ESP is not mounted * Allow thumb_t map dri devices * Allow samba use the io_uring API * Allow the sysadm user use the secretmem API * Allow nut-upsmon read systemd-logind session files * Allow sysadm_t to create PF_KEY sockets * Update bootupd policy for the removing-state-file test * Tue Sep 24 2024 Cathy Hu <[email protected]> - Fix macros.selinux-policy (bsc#1230897) - %selinux_relabel_post should not relabel files in transactional systems in %post as the policy is not loaded into the kernel directly after install, instead the relabelling will happen on the next boot * Thu Sep 12 2024 [email protected] - Update to version 20240912: * Allow systemd_ibft_rule_generator_t to create udev_rules_t dirs (bsc#1230011) * Allow systemd_udev_trigger_generator_t list and read sysctls (bsc#1230315) * Initial policy for udev-trigger-generator (bsc#1230315) * Tue Sep 10 2024 [email protected] - Update to version 20240910: * Allow init_t mount syslog socket (bsc#1230134) * Allow init_t create syslog files (bsc#1230134) * Introduce initial policy for btrfs-soft-reboot-generator (bsc#1230134) * Thu Sep 05 2024 [email protected] - Update to version 20240905: * Allow coreos-installer-generator manage mdadm_conf_t files * Allow setsebool_t relabel selinux data files * Allow virtqemud relabelfrom virtqemud_var_run_t dirs * Use better escape method for "interface" * Allow init and systemd-logind to inherit fds from sshd * Allow systemd-ssh-generator read sysctl files * Sync modules.conf with Fedora targeted modules * Allow virtqemud relabel user tmp files and socket files * Add missing sys_chroot capability to groupadd policy * Label /run/libvirt/qemu/channel with virtqemud_var_run_t * Allow virtqemud relabelfrom also for file and sock_file * Add virt_create_log() and virt_write_log() interfaces - Sync modules-targeted-contrib.conf with Fedora targeted modules.conf * Wed Sep 04 2024 Cathy Hu <[email protected]> - Fix macros.selinux-policy (bsc#1229132) - %selinux_modules_install and %selinux_modules_uninstall will now only execute load_policy if $TRANSACTIONAL_UPDATE is not set (aka only if they are not in a transactional system) - $TRANSACTIONAL_UPDATE is set here: https://github.com/openSUSE/transactional-update/blob/bd524d3ddfcd9aeebb7b90d3e0e8eed09b796a86/lib/Transaction.cpp#L428 * Tue Sep 03 2024 Johannes Segitz <[email protected]> - Disable build of the MLS policy. We currently don't know if it works and don't want to encourage users to apply it * Tue Sep 03 2024 [email protected] - Update to version 20240903: * allow sshd_t and sshd_net_t access to ssh vsockets (bsc#1228831) * Mon Sep 02 2024 [email protected] - Update to version 20240902: * Allow xen to use qemu as dom0 disk backend (bsc#1228540) * Label /var/lib/xen/xenstore as xenstored_var_lib_t (bsc#1228540) * Allow xl to access hypercall interfaces to xen hypervisor (bsc#1228540) * Fri Aug 30 2024 [email protected] - Update to version 20240830: * Allow virtstoraged to manage images (bsc#1228742) * Allow virtstoraged_t domtrans to udev (bsc#1228742) * Wed Aug 28 2024 [email protected] - Update to version 20240828: * Allow systemd-ssh-generator to load net-pf-40 (bsc#1229766) * Mon Aug 26 2024 Cathy Hu <[email protected]> - Enable named_write_master_zones boolean by default (bsc#1229479) * Fri Aug 23 2024 [email protected] - Update to version 20240823: * Allow rasdaemon write access to sysfs (bsc#1229587) * Fri Aug 16 2024 [email protected] - Update to version 20240816: * Initial policy for syslog-ng (bsc#1229153) * Wed Aug 14 2024 [email protected] - Update to version 20240814: * Dontaudit dac_override of fstab generator (bsc#1229127) * Wed Aug 14 2024 Cathy Hu <[email protected]> - Drop varrun-convert.sh script as it causes issues with container-selinux update (bsc#1228951) * Mon Aug 12 2024 [email protected] - Update to version 20240812: * Update libvirt policy * Add port 80/udp and 443/udp to http_port_t definition * Additional updates stalld policy for bpf usage * Label systemd-pcrextend and systemd-pcrlock properly * Allow coreos_installer_t work with partitions * Revert "Allow coreos-installer-generator work with partitions" * Add policy for systemd-pcrextend * Update policy for systemd-getty-generator * Allow ip command write to ipsec's logs * Allow virt_driver_domain read virtd-lxc files in /proc * Revert "Allow svirt read virtqemud fifo files" * Update virtqemud policy for libguestfs usage * Allow virtproxyd create and use its private tmp files * Allow virtproxyd read network state * Allow virt_driver_domain create and use log files in /var/log * Allow samba-dcerpcd work with ctdb cluster * Allow NetworkManager_dispatcher_t send SIGKILL to plugins * Allow setroubleshootd execute sendmail with a domain transition * Allow key.dns_resolve set attributes on the kernel key ring * Update qatlib policy for v24.02 with new features * Label /var/lib/systemd/sleep with systemd_sleep_var_lib_t * Allow tlp status power services * Allow virtqemud domain transition on passt execution * Allow virt_driver_domain connect to systemd-userdbd over a unix socket * Allow boothd connect to systemd-userdbd over a unix socket * Update policy for awstats scripts * Allow bitlbee execute generic programs in system bin directories * Allow login_userdomain read aliases file * Allow login_userdomain read ipsec config files * Allow login_userdomain read all pid files * Allow rsyslog read systemd-logind session files * Allow libvirt-dbus stream connect to virtlxcd * Fri Aug 09 2024 [email protected] - Update to version 20240809: * Label /run/udev/rules.d as udev_rules_t * Provide type for sysstat lock files (bsc#1228247) * Allow snapper to delete unlabeled_t files (bsc#1228889) * Thu Aug 08 2024 [email protected] - Update to version 20240808: * Use new kanidm interfaces * Initial module for kanidm * Update bootupd policy * Allow rhsmcertd read/write access to /dev/papr-sysparm * Label /dev/papr-sysparm and /dev/papr-vpd * Allow abrt-dump-journal-core connect to winbindd * Allow systemd-hostnamed shut down nscd * Allow systemd-pstore send a message to syslogd over a unix domain * Allow postfix_domain map postfix_etc_t files * Allow microcode create /sys/devices/system/cpu/microcode/reload * Allow rhsmcertd read, write, and map ica tmpfs files * Support SGX devices * Allow initrc_t transition to passwd_t * Update fstab and cryptsetup generators policy * Allow xdm_t read and write the dma device * Update stalld policy for bpf usage * Allow systemd_gpt_generator to getattr on DOS directories * Make cgroup_memory_pressure_t a part of the file_type attribute * Allow ssh_t to change role to system_r * Update policy for coreos generators * Allow init_t nnp domain transition to firewalld_t * Label /run/modprobe.d with modules_conf_t * Allow virtnodedevd run udev with a domain transition * Allow virtnodedev_t create and use virtnodedev_lock_t * Allow virtstoraged manage files with virt_content_t type * Allow virtqemud unmount a filesystem with extended attributes * Allow svirt_t connect to unconfined_t over a unix domain socket * Update afterburn file transition policy * Allow systemd_generator read attributes of all filesystems * Allow fstab-generator read and write cryptsetup-generator unit file * Allow cryptsetup-generator read and write fstab-generator unit file * Allow systemd_generator map files in /etc * Allow systemd_generator read init's process state * Allow coreos-installer-generator read sssd public files * Allow coreos-installer-generator work with partitions * Label /etc/mdadm.conf.d with mdadm_conf_t * Confine coreos generators * Label /run/metadata with afterburn_runtime_t * Allow afterburn list ssh home directory * Label samba certificates with samba_cert_t * Label /run/coreos-installer-reboot with coreos_installer_var_run_t * Allow virtqemud read virt-dbus process state * Allow staff user dbus chat with virt-dbus * Allow staff use watch /run/systemd * Allow systemd_generator to write kmsg * Allow virtqemud connect to sanlock over a unix stream socket * Allow virtqemud relabel virt_var_run_t directories * Allow svirt_tcg_t read vm sysctls * Allow virtnodedevd connect to systemd-userdbd over a unix socket * Allow svirt read virtqemud fifo files * Allow svirt attach_queue to a virtqemud tun_socket * Allow virtqemud run ssh client with a transition * Allow virt_dbus_t connect to virtqemud_t over a unix stream socket * Update keyutils policy * Allow sshd_keygen_t connect to userdbd over a unix stream socket * Allow postfix-smtpd read mysql config files * Allow locate stream connect to systemd-userdbd * Allow the staff user use wireshark * Allow updatedb connect to userdbd over a unix stream socket * Allow gpg_t set attributes of public-keys.d * Allow gpg_t get attributes of login_userdomain stream * Allow systemd_getty_generator_t read /proc/1/environ * Allow systemd_getty_generator_t to read and write to tty_device_t * Drop publicfile module * Remove permissive domain for systemd_nsresourced_t * Change fs_dontaudit_write_cgroup_files() to apply to cgroup_t * Label /usr/bin/samba-gpupdate with samba_gpupdate_exec_t * Allow to create and delete socket files created by rhsm.service * Allow virtnetworkd exec shell when virt_hooks_unconfined is on * Allow unconfined_service_t transition to passwd_t * Support /var is empty * Allow abrt-dump-journal read all non_security socket files * Allow timemaster write to sysfs files * Dontaudit domain write cgroup files * Label /usr/lib/node_modules/npm/bin with bin_t * Allow ip the setexec permission * Allow systemd-networkd write files in /var/lib/systemd/network * Fix typo in systemd_nsresourced_prog_run_bpf() * Fri Aug 02 2024 [email protected] - Update to version 20240802: * Dontaudit search of snapper grub plugin to nscd socket (bsc#1228745) * Wed Jul 31 2024 [email protected] - Update to version 20240731: * Initial policy for ibft-rule-generator (bsc#1228402) * Initial policy for systemd-status-mail (bsc#1228402) * Wed Jul 31 2024 [email protected] - Update to version 20240731: * Fix labels for bind/named (bsc#1228372) * Mon Jul 29 2024 [email protected] - Update to version 20240729: * Label /usr/libexec/netconfig/ppp/ip-up pppd_initrc_exec_t (bsc#1228385) * Allow pppd to manage sysnet directories (bsc#1228385) * Fri Jul 26 2024 [email protected] - Update to version 20240726: * Allow snapper grub plugin to manage unlabeled_t and read link files * Thu Jul 25 2024 [email protected] - Update to version 20240725: * Initial policy for grub2 snapper plugin (bsc#1228205) * Tue Jul 16 2024 [email protected] - Update to version 20240716: * Set microos autorelabel script to systemd_autorelabel_generator_t * Allow systemd_generator to write kmsg * Initial policy for systemd growpart-generator (bsc#1226824) * Mon Jul 15 2024 [email protected] - Update to version 20240715: * Allow systemd_getty_generator_t read /proc/1/environ * Allow systemd_getty_generator_t to read and write to tty_device_t (bsc#1226888) * Wed Jul 10 2024 [email protected] - Enable sap module - Add equivalency in file_contexts.subs_dist * /bin /usr/bin * /sbin /usr/bin * /usr/sbin /usr/bin - Update to version 20240710: * Change fc in rebootmgr module for /sbin -> /usr/bin * Change fc in rpm module for /sbin -> /usr/bin * Change fc in rsync module for /sbin -> /usr/bin * Change fc in wicked module for /sbin -> /usr/bin * Confine libvirt-dbus * Allow virtqemud the kill capability in user namespace * Allow rshim get options of the netlink class for KOBJECT_UEVENT family * Allow dhcpcd the kill capability * Allow systemd-networkd list /var/lib/systemd/network * Allow sysadm_t run systemd-nsresourced bpf programs * Update policy for systemd generators interactions * Allow create memory.pressure files with cgroup_memory_pressure_t * Add support for libvirt hooks * Allow certmonger read and write tpm devices * Allow all domains to connect to systemd-nsresourced over a unix socket * Allow systemd-machined read the vsock device * Update policy for systemd generators * Allow ptp4l_t request that the kernel load a kernel module * Allow sbd to trace processes in user namespace * Allow request-key execute scripts * Update policy for haproxyd * Update policy for systemd-nsresourced * Correct sbin-related file context entries * Allow login_userdomain execute systemd-tmpfiles in the caller domain * Allow virt_driver_domain read files labeled unconfined_t * Allow virt_driver_domain dbus chat with policykit * Allow virtqemud manage nfs files when virt_use_nfs boolean is on * Add rules for interactions between generators * Label memory.pressure files with cgroup_memory_pressure_t * Revert "Allow some systemd services write to cgroup files" * Update policy for systemd-nsresourced * Label /usr/bin/ntfsck with fsadm_exec_t * Allow systemd_fstab_generator_t read tmpfs files * Update policy for systemd-nsresourced * Alias /usr/sbin to /usr/bin and change all /usr/sbin paths to /usr/bin * Remove a few lines duplicated between {dkim,milter}.fc * Alias /bin → /usr/bin and remove redundant paths * Drop duplicate line for /usr/sbin/unix_chkpwd * Drop duplicate paths for /usr/sbin * Update systemd-generator policy * Remove permissive domain for bootupd_t * Remove permissive domain for coreos_installer_t * Remove permissive domain for afterburn_t * Add the sap module to modules.conf * Move unconfined_domain(sap_unconfined_t) to an optional block * Create the sap module * Allow systemd-coredumpd sys_admin and sys_resource capabilities * Allow systemd-coredump read nsfs files * Allow generators auto file transition only for plain files * Allow systemd-hwdb write to the kernel messages device * Escape "interface" as a file name in a virt filetrans pattern * Allow gnome-software work for login_userdomain * Allow systemd-machined manage runtime sockets * Revert "Allow systemd-machined manage runtime sockets" * Allow postfix_domain connect to postgresql over a unix socket * Dontaudit systemd-coredump sys_admin capability - Update container-selinux * Tue Jul 02 2024 [email protected] - Update to version 20240702: * Allow manage dosfs_t files to snapperd (bsc#1224120) * Add auth_rw_wtmpdb_login_records to domains using auth_manage_login_records * Add auth_rw_wtmpdb_login_records to modules * Allow xdm_t to read-write to wtmpdb (bsc#1225984) * Introduce types for wtmpdb and rw interface * Introduce wtmp_file_type attribute * Revert "Add policy for wtmpdb (bsc#1210717)" * Mon Jun 17 2024 [email protected] - Update to version 20240617: * Allow gnome control center to set autologin (bsc#1222978) * Dontaudit xdm_t to getattr on root_t (bsc#1223145) * Thu Jun 13 2024 [email protected] - Update to version 20240613: * Allow systemd_fstab_generator_t read tmpfs files (bsc#1223599) * Wed Jun 12 2024 [email protected] - Update to version 20240612: * Allow all domains read and write z90crypt device * Allow tpm2 generator setfscreate * Allow systemd (PID 1) manage systemd conf files * Allow pulseaudio map its runtime files * Update policy for getty-generator * Allow systemd-hwdb send messages to kernel unix datagram sockets * Allow systemd-machined manage runtime sockets * Allow fstab-generator create unit file symlinks * Update policy for cryptsetup-generator * Update policy for fstab-generator * Allow virtqemud read vm sysctls * Allow collectd to trace processes in user namespace * Allow bootupd search efivarfs dirs * Add policy for systemd-mountfsd * Add policy for systemd-nsresourced * Update policy generators * Add policy for anaconda-generator * Update policy for fstab and gpt generators * Add policy for kdump-dep-generator * Add policy for a generic generator * Add policy for tpm2 generator * Add policy for ssh-generator * Add policy for second batch of generators * Update policy for systemd generators * ci: Adjust Cockpit test plans * Allow journald read systemd config files and directories * Allow systemd_domain read systemd_conf_t dirs * Fix bad Python regexp escapes * Allow fido services connect to postgres database * Revert "Update the README.md file with the c10s branch information" * Update the README.md file with the c10s branch information * Allow postfix smtpd map aliases file * Ensure dbus communication is allowed bidirectionally * Label systemd configuration files with systemd_conf_t * Label /run/systemd/machine with systemd_machined_var_run_t * Allow systemd-hostnamed read the vsock device * Allow sysadm execute dmidecode using sudo * Allow sudodomain list files in /var * Allow setroubleshootd get attributes of all sysctls * Allow various services read and write z90crypt device * Allow nfsidmap connect to systemd-homed * Allow sandbox_x_client_t dbus chat with accountsd * Allow system_cronjob_t dbus chat with avahi_t * Allow staff_t the io_uring sqpoll permission * Allow staff_t use the io_uring API * Add support for secretmem anon inode * Allow virtqemud read vfio devices * Allow virtqemud get attributes of a tmpfs filesystem * Allow svirt_t read vm sysctls * Allow virtqemud create and unlink files in /etc/libvirt/ * Allow virtqemud get attributes of cifs files * Allow virtqemud get attributes of filesystems with extended attributes * Allow virtqemud get attributes of NFS filesystems * Allow virt_domain read and write usb devices conditionally * Allow virtstoraged use the io_uring API * Allow virtstoraged execute lvm programs in the lvm domain * Allow virtnodevd_t map /var/lib files * Allow svirt_tcg_t map svirt_image_t files * Allow abrt-dump-journal-core connect to systemd-homed * Allow abrt-dump-journal-core connect to systemd-machined * Allow sssd create and use io_uring * Allow selinux-relabel-generator create units dir * Allow dbus-broker read/write inherited user ttys * Define transitions for /run/libvirt/common and /run/libvirt/qemu * Allow systemd-sleep read raw disk data * Allow numad to trace processes in user namespace * Allow abrt-dump-journal-core connect to systemd-userdbd * Allow plymouthd read efivarfs files * Update the auth_dontaudit_read_passwd_file() interface * Label /dev/mmcblk0rpmb character device with removable_device_t * fix hibernate on btrfs swapfile (F40) * Allow nut to statfs() * Allow system dbusd service status systemd services * Allow systemd-timedated get the timemaster service status * Allow keyutils-dns-resolver connect to the system log service * Allow qemu-ga read vm sysctls * postfix: allow qmgr to delete mails in bounce/ directory * Mon Jun 03 2024 Johannes Segitz <[email protected]> - Remove "Reference" from the package description. It's not the reference policy, but the Fedora branch of the policy * Tue May 28 2024 Cathy Hu <[email protected]> - Use python311 tools in 15.4 and 15.5 when building selinux-policy to deprecate python36 tooling * Wed May 08 2024 Johannes Segitz <[email protected]> - Fixed varrun-convert.sh script to not break because of duplicate entries * Mon May 06 2024 Johannes Segitz <[email protected]> - Move to %posttrans to ensure selinux-policy got updated before the commands run (bsc#1221720) * Mon Apr 15 2024 Cathy Hu <[email protected]> - Add file contexts "forwarding" to file_contexts.sub_dist to fix systemd-gpt-auto-generator and systemd-fstab-generator (bsc#1222736): * /run/systemd/generator.early /usr/lib/systemd/system * /run/systemd/generator.late /usr/lib/systemd/system * Thu Apr 11 2024 [email protected] - Update to version 20240411: * Remove duplicate in sysnetwork.fc * Rename /var/run/wicked* to /run/wicked* * Remove /var/run/rsyslog/additional-log-sockets.conf from logging.fc * policy: support pidfs * Confine selinux-autorelabel-generator.sh * Allow logwatch_mail_t read/write to init over a unix stream socket * Allow logwatch read logind sessions files * files_dontaudit_getattr_tmpfs_files allowed the access and didn't dontaudit it * files_dontaudit_mounton_modules_object allowed the access and didn't dontaudit it * Allow NetworkManager the sys_ptrace capability in user namespace * dontaudit execmem for modemmanager * Allow dhcpcd use unix_stream_socket * Allow dhcpc read /run/netns files * Update mmap_rw_file_perms to include the lock permission * Allow plymouthd log during shutdown * Add logging_watch_all_log_dirs() and logging_watch_all_log_files() * Allow journalctl_t read filesystem sysctls * Allow cgred_t to get attributes of cgroup filesystems * Allow wdmd read hardware state information * Allow wdmd list the contents of the sysfs directories * Allow linuxptp configure phc2sys and chronyd over a unix domain socket * Allow sulogin relabel tty1 * Dontaudit sulogin the checkpoint_restore capability * Modify sudo_role_template() to allow getpgid * Allow userdomain get attributes of files on an nsfs filesystem * Allow opafm create NFS files and directories * Allow virtqemud create and unlink files in /etc/libvirt/ * Allow virtqemud domain transition on swtpm execution * Add the swtpm.if interface file for interactions with other domains * Allow samba to have dac_override capability * systemd: allow sys_admin capability for systemd_notify_t * systemd: allow systemd_notify_t to send data to kernel_t datagram sockets * Allow thumb_t to watch and watch_reads mount_var_run_t * Allow krb5kdc_t map krb5kdc_principal_t files * Allow unprivileged confined user dbus chat with setroubleshoot * Allow login_userdomain map files in /var * Allow wireguard work with firewall-cmd * Differentiate between staff and sysadm when executing crontab with sudo * Add crontab_admin_domtrans interface * Allow abrt_t nnp domain transition to abrt_handle_event_t * Allow xdm_t to watch and watch_reads mount_var_run_t * Dontaudit subscription manager setfscreate and read file contexts * Don't audit crontab_domain write attempts to user home * Transition from sudodomains to crontab_t when executing crontab_exec_t * Add crontab_domtrans interface * Fix label of pseudoterminals created from sudodomain * Allow utempter_t use ptmx * Dontaudit rpmdb attempts to connect to sssd over a unix stream socket * Allow admin user read/write on fixed_disk_device_t * Only allow confined user domains to login locally without unconfined_login * Add userdom_spec_domtrans_confined_admin_users interface * Only allow admindomain to execute shell via ssh with ssh_sysadm_login * Add userdom_spec_domtrans_admin_users interface * Move ssh dyntrans to unconfined inside unconfined_login tunable policy * Update ssh_role_template() for user ssh-agent type * Allow init to inherit system DBus file descriptors * Allow init to inherit fds from syslogd * Allow any domain to inherit fds from rpm-ostree * Update afterburn policy * Allow init_t nnp domain transition to abrtd_t * Rename all /var/lock file context entries to /run/lock * Rename all /var/run file context entries to /run - Add script varrun-convert.sh for locally existing modules to be able to cope with the /var/run -> /run change - Update embedded container-selinux to commit a8e389dbcd3f9b6ed0a7e495c6f559c0383dc49e * Thu Mar 21 2024 [email protected] - Update to version 20240321: * policy module for kiwi (bsc#1221109) * dontaudit execmem for modemmanager (bsc#1219363) * Wed Mar 13 2024 [email protected] - Update to version 20240313: * Assign alts_exec_t to files_type * Fri Mar 08 2024 [email protected] - Update to version 20240308: * Support /bin/alts in the policy (bsc#1217530) * Revert "Allow virtnetworkd_t to execute bin_t (bsc#1216903)" * Wed Mar 06 2024 [email protected] - Update to version 20240306: * Replace init domtrans rule for confined users to allow exec init * Update dbus_role_template() to allow user service status * Allow polkit status all systemd services * Allow setroubleshootd create and use inherited io_uring * Allow load_policy read and write generic ptys * Mon Mar 04 2024 [email protected] - Update to version 20240304: * Allow ssh-keygen to use the libica crypto module (bsc#1220373) * Mon Feb 05 2024 [email protected] - Update to version 20240205: * Allow gpg manage rpm cache * Allow login_userdomain name_bind to howl and xmsg udp ports * Allow rules for confined users logged in plasma * Label /dev/iommu with iommu_device_t * Remove duplicate file context entries in /run * Dontaudit getty and plymouth the checkpoint_restore capability * Allow su domains write login records * Revert "Allow su domains write login records" * Allow login_userdomain delete session dbusd tmp socket files * Allow unix dgram sendto between exim processes * Allow su domains write login records * Allow smbd_t to watch user_home_dir_t if samba_enable_home_dirs is on * Allow chronyd-restricted read chronyd key files * Allow conntrackd_t to use bpf capability2 * Allow systemd-networkd manage its runtime socket files * Allow init_t nnp domain transition to colord_t * Allow polkit status systemd services * nova: Fix duplicate declarations * Allow httpd work with PrivateTmp * Add interfaces for watching and reading ifconfig_var_run_t * Allow collectd read raw fixed disk device * Allow collectd read udev pid files * Set correct label on /etc/pki/pki-tomcat/kra * Allow systemd domains watch system dbus pid socket files * Allow certmonger read network sysctls * Allow mdadm list stratisd data directories * Allow syslog to run unconfined scripts conditionally * Allow syslogd_t nnp_transition to syslogd_unconfined_script_t * Allow qatlib set attributes of vfio device files * Allow systemd-sleep set attributes of efivarfs files * Allow samba-dcerpcd read public files * Allow spamd_update_t the sys_ptrace capability in user namespace * Allow bluetooth devices work with alsa * Allow alsa get attributes filesystems with extended attributes * Allow hypervkvp_t write access to NetworkManager_etc_rw_t * Add interface for write-only access to NetworkManager rw conf * Allow systemd-sleep send a message to syslog over a unix dgram socket * Allow init create and use netlink netfilter socket * Allow qatlib load kernel modules * Allow qatlib run lspci * Allow qatlib manage its private runtime socket files * Allow qatlib read/write vfio devices * Label /etc/redis.conf with redis_conf_t * Remove the lockdown-class rules from the policy * Allow init read all non-security socket files * Replace redundant dnsmasq pattern macros * Remove unneeded symlink perms in dnsmasq.if * Add additions to dnsmasq interface * Allow nvme_stas_t create and use netlink kobject uevent socket * Allow collectd connect to statsd port * Allow keepalived_t to use sys_ptrace of cap_userns * Allow dovecot_auth_t connect to postgresql using UNIX socket * Make named_zone_t and named_var_run_t a part of the mountpoint attribute * Allow sysadm execute traceroute in sysadm_t domain using sudo * Allow sysadm execute tcpdump in sysadm_t domain using sudo * Allow opafm search nfs directories * Add support for syslogd unconfined scripts * Allow gpsd use /dev/gnss devices * Allow gpg read rpm cache * Allow virtqemud additional permissions * Allow virtqemud manage its private lock files * Allow virtqemud use the io_uring api * Allow ddclient send e-mail notifications * Allow postfix_master_t map postfix data files * Allow init create and use vsock sockets * Allow thumb_t append to init unix domain stream sockets * Label /dev/vas with vas_device_t * Create interface selinux_watch_config and add it to SELinux users * Update cifs interfaces to include fs_search_auto_mountpoints() * Allow sudodomain read var auth files * Allow spamd_update_t read hardware state information * Allow virtnetworkd domain transition on tc command execution * Allow sendmail MTA connect to sendmail LDA * Allow auditd read all domains process state * Allow rsync read network sysctls * Add dhcpcd bpf capability to run bpf programs * Dontaudit systemd-hwdb dac_override capability * Allow systemd-sleep create efivarfs files * Allow map xserver_tmpfs_t files when xserver_clients_write_xshm is on * Allow graphical applications work in Wayland * Allow kdump work with PrivateTmp * Allow dovecot-auth work with PrivateTmp * Allow nfsd get attributes of all filesystems * Allow unconfined_domain_type use io_uring cmd on domain * ci: Only run Rawhide revdeps tests on the rawhide branch * Label /var/run/auditd.state as auditd_var_run_t * Allow fido-device-onboard (FDO) read the crack database * Allow ip an explicit domain transition to other domains * Label /usr/libexec/selinux/selinux-autorelabel with semanage_exec_t * Allow winbind_rpcd_t processes access when samba_export_all_* is on * Enable NetworkManager and dhclient to use initramfs-configured DHCP connection * Allow ntp to bind and connect to ntske port. * Tue Jan 16 2024 [email protected] - Update to version 20240116: * Fix gitolite homedir paths (bsc#1218826) * Tue Jan 09 2024 [email protected] - Update to version 20240104: * Allow keepalived_t read+write kernel_t pipes (bsc#1216060) * allow rebootmgr to read the system state (bsc#1205931) * Tue Nov 28 2023 Hu <[email protected]> - Trigger rebuild of the policy when pcre2 gets updated to avoid regex version mismatch errors (bsc#1216747). * Fri Nov 24 2023 [email protected] - Update to version 20231124: * Allow virtnetworkd_t to execute bin_t (bsc#1216903) * Wed Nov 22 2023 Hu <[email protected]> - Add new modules that were missed in the last update to modules-mls-contrib.conf * Wed Nov 22 2023 Hu <[email protected]> - Add new modules that were missed in the last update to modules-targeted-contrib.conf * Mon Oct 30 2023 [email protected] - Update to version 20231030: * Allow system_mail_t manage exim spool files and dirs * Dontaudit keepalived setattr on keepalived_unconfined_script_exec_t * Label /run/pcsd.socket with cluster_var_run_t * ci: Run cockpit tests in PRs * Add map_read map_write to kernel_prog_run_bpf * Allow systemd-fstab-generator read all symlinks * Allow systemd-fstab-generator the dac_override capability * Allow rpcbind read network sysctls * Support using systemd containers * Allow sysadm_t to connect to iscsid using a unix domain stream socket * Add policy for coreos installer * Add policy for nvme-stas * Confine systemd fstab,sysv,rc-local * Label /etc/aliases.lmdb with etc_aliases_t * Create policy for afterburn * Make new virt drivers permissive * Split virt policy, introduce virt_supplementary module * Allow apcupsd cgi scripts read /sys * Allow kernel_t to manage and relabel all files * Add missing optional_policy() to files_relabel_all_files() * Allow named and ndc use the io_uring api * Deprecate common_anon_inode_perms usage * Improve default file context(None) of /var/lib/authselect/backups * Allow udev_t to search all directories with a filesystem type * Implement proper anon_inode support * Allow targetd write to the syslog pid sock_file * Add ipa_pki_retrieve_key_exec() interface * Allow kdumpctl_t to list all directories with a filesystem type * Allow udev additional permissions * Allow udev load kernel module * Allow sysadm_t to mmap modules_object_t files * Add the unconfined_read_files() and unconfined_list_dirs() interfaces * Set default file context of HOME_DIR/tmp/.* to <<none>> * Allow kernel_generic_helper_t to execute mount(1) * Allow sssd send SIGKILL to passkey_child running in ipa_otpd_t * Allow systemd-localed create Xserver config dirs * Allow sssd read symlinks in /etc/sssd * Label /dev/gnss[0-9] with gnss_device_t * Allow systemd-sleep read/write efivarfs variables * ci: Fix version number of packit generated srpms * Dontaudit rhsmcertd write memory device * Allow ssh_agent_type create a sockfile in /run/user/USERID * Set default file context of /var/lib/authselect/backups to <<none>> * Allow prosody read network sysctls * Allow cupsd_t to use bpf capability * Allow sssd domain transition on passkey_child execution conditionally * Allow login_userdomain watch lnk_files in /usr * Allow login_userdomain watch video4linux devices * Change systemd-network-generator transition to include class file * Revert "Change file transition for systemd-network-generator" * Allow nm-dispatcher winbind plugin read/write samba var files * Allow systemd-networkd write to cgroup files * Allow kdump create and use its memfd: objects * Allow fedora-third-party get generic filesystem attributes * Allow sssd use usb devices conditionally * Update policy for qatlib * Allow ssh_agent_type manage generic cache home files * Change file transition for systemd-network-generator * Additional support for gnome-initial-setup * Update gnome-initial-setup policy for geoclue * Allow openconnect vpn open vhost net device * Allow cifs.upcall to connect to SSSD also through the /var/run socket * Grant cifs.upcall more required capabilities * Allow xenstored map xenfs files * Update policy for fdo * Allow keepalived watch var_run dirs * Allow svirt to rw /dev/udmabuf * Allow qatlib to modify hardware state information. * Allow key.dns_resolve connect to avahi over a unix stream socket * Allow key.dns_resolve create and use unix datagram socket * Use quay.io as the container image source for CI * ci: Move srpm/rpm build to packit * .copr: Avoid subshell and changing directory * Allow gpsd, oddjob and oddjob_mkhomedir_t write user_tty_device_t chr_file * Label /usr/libexec/openssh/ssh-pkcs11-helper with ssh_agent_exec_t * Make insights_client_t an unconfined domain * Allow insights-client manage user temporary files * Allow insights-client create all rpm logs with a correct label * Allow insights-client manage generic logs * Allow cloud_init create dhclient var files and init_t manage net_conf_t * Allow insights-client read and write cluster tmpfs files * Allow ipsec read nsfs files * Make tuned work with mls policy * Remove nsplugin_role from mozilla.if * allow mon_procd_t self:cap_userns sys_ptrace * Allow pdns name_bind and name_connect all ports * Set the MLS range of fsdaemon_t to s0 - mls_systemhigh * ci: Move to actions/checkout@v3 version * .copr: Replace chown call with standard workflow safe.directory setting * .copr: Enable `set -u` for robustness * .copr: Simplify root directory variable * Allow rhsmcertd dbus chat with policykit * Allow polkitd execute pkla-check-authorization with nnp transition * Allow user_u and staff_u get attributes of non-security dirs * Allow unconfined user filetrans chrome_sandbox_home_t * Allow svnserve execute postdrop with a transition * Do not make postfix_postdrop_t type an MTA executable file * Allow samba-dcerpc service manage samba tmp files * Add use_nfs_home_dirs boolean for mozilla_plugin * Fix labeling for no-stub-resolv.conf * Revert "Allow winbind-rpcd use its private tmp files" * Allow upsmon execute upsmon via a helper script * Allow openconnect vpn read/write inherited vhost net device * Allow winbind-rpcd use its private tmp files * Update samba-dcerpc policy for printing * Allow gpsd,oddjob,oddjob_mkhomedir rw user domain pty * Allow nscd watch system db dirs * Allow qatlib to read sssd public files * Allow fedora-third-party read /sys and proc * Allow systemd-gpt-generator mount a tmpfs filesystem * Allow journald write to cgroup files * Allow rpc.mountd read network sysctls * Allow blueman read the contents of the sysfs filesystem * Allow logrotate_t to map generic files in /etc * Boolean: Allow virt_qemu_ga create ssh directory * Allow systemd-network-generator send system log messages * Dontaudit the execute permission on sock_file globally * Allow fsadm_t the file mounton permission * Allow named and ndc the io_uring sqpoll permission * Allow sssd io_uring sqpoll permission * Fix location for /run/nsd * Allow qemu-ga get fixed disk devices attributes * Update bitlbee policy * Label /usr/sbin/sos with sosreport_exec_t * Update policy for the sblim-sfcb service * Add the files_getattr_non_auth_dirs() interface * Fix the CI to work with DNF5 * Make systemd_tmpfiles_t MLS trusted for lowering the level of files * Revert "Allow insights client map cache_home_t" * Allow nfsidmapd connect to systemd-machined over a unix socket * Allow snapperd connect to kernel over a unix domain stream socket * Allow virt_qemu_ga_t create .ssh dir with correct label * Allow targetd read network sysctls * Set the abrt_handle_event boolean to on * Permit kernel_t to change the user identity in object contexts * Allow insights client map cache_home_t * Label /usr/sbin/mariadbd with mysqld_exec_t * Allow httpd tcp connect to redis port conditionally * Label only /usr/sbin/ripd and ripngd with zebra_exec_t * Dontaudit aide the execmem permission * Remove permissive from fdo * Allow sa-update manage spamc home files * Allow sa-update connect to systemlog services * Label /usr/lib/systemd/system/mimedefang.service with antivirus_unit_file_t * Allow nsd_crond_t write nsd_var_run_t & connectto nsd_t * Allow bootupd search EFI directory * Change init_audit_control default value to true * Allow nfsidmapd connect to systemd-userdbd with a unix socket * Add the qatlib module * Add the fdo module * Add the bootupd module * Set default ports for keylime policy * Create policy for qatlib * Add policy for FIDO Device Onboard * Add policy for bootupd * Add support for kafs-dns requested by keyutils * Allow insights-client execmem * Add support for chronyd-restricted * Add init_explicit_domain() interface * Allow fsadm_t to get attributes of cgroup filesystems * Add list_dir_perms to kerberos_read_keytab * Label /var/run/tmpfiles.d/static-nodes.conf with kmod_var_run_t * Allow sendmail manage its runtime files * Thu Oct 12 2023 [email protected] - Update to version 20231012: * Allow sssd_t watch permission to net_conf_t dirs (bsc#1216052) * Revert fix for bsc#1205770 since it causes a regression for bsc#1214887 * Wed Oct 04 2023 Johannes Segitz <[email protected]> - Use /var/adm/update-scripts in macros.selinux-policy. The rpm state directory doesn't exist on SUSE systems (bsc#1213593) * Tue Sep 19 2023 Johannes Segitz <[email protected]> - Modified update.sh to require first parameter "full" to also update container-selinux. For maintenance updates you usually don't want it to be updated * Fri Jul 28 2023 [email protected] - Update to version 20230728: * Allow kdump_t to manage symlinks under kdump_var_lib_t (bsc#1213721) * allow haveged to manage tmpfs directories (bsc#1213594) * Thu Jun 22 2023 [email protected] - Update to version 20230622: * Allow keyutils_dns_resolver_exec_t be an entrypoint * Allow collectd_t read network state symlinks * Revert "Allow collectd_t read proc_net link files" * Allow nfsd_t to list exports_t dirs * Allow cupsd dbus chat with xdm * Allow haproxy read hardware state information * Label /dev/userfaultfd with userfaultfd_t * Allow blueman send general signals to unprivileged user domains * Allow dkim-milter domain transition to sendmail * Tue Apr 25 2023 [email protected] - Update to version 20230425: * Remove unneeded manage_dirs_pattern for lastlog_t (bsc#1210461) * Add policy for wtmpdb (bsc#1210717) * Tue Apr 25 2023 [email protected] - Update to version 20230425: * Add support for lastlog2 (bsc#1210461) * allow the chrony client to use unallocated ttys (bsc#1210672) * Thu Apr 20 2023 [email protected] - Update to version 20230420: * libzypp creates temporary files in /var/adm/mount. Label it with rpm_var_cache_t to prevent wrong labels in /var/cache/zypp * only use rsync_exec_t for the rsync server, not for the client (bsc#1209890) * properly label sshd-gen-keys-start to ensure ssh host keys have proper labels after creation * Allow dovecot-deliver write to the main process runtime fifo files * Allow dmidecode write to cloud-init tmp files * Allow chronyd send a message to cloud-init over a datagram socket * Allow cloud-init domain transition to insights-client domain * Allow mongodb read filesystem sysctls * Allow mongodb read network sysctls * Allow accounts-daemon read generic systemd unit lnk files * Allow blueman watch generic device dirs * Allow nm-dispatcher tlp plugin create tlp dirs * Allow systemd-coredump mounton /usr * Allow rabbitmq to read network sysctls * Allow certmonger dbus chat with the cron system domain * Allow geoclue read network sysctls * Allow geoclue watch the /etc directory * Allow logwatch_mail_t read network sysctls * allow systemd_resolved_t to bind to all nodes (bsc#1200182) * Allow insights-client read all sysctls * Allow passt manage qemu pid sock files * Allow sssd read accountsd fifo files * Add support for the passt_t domain * Allow virtd_t and svirt_t work with passt * Add new interfaces in the virt module * Add passt interfaces defined conditionally * Allow tshark the setsched capability * Allow poweroff create connections to system dbus * Allow wg load kernel modules, search debugfs dir * Boolean: allow qemu-ga manage ssh home directory * Label smtpd with sendmail_exec_t * Label msmtp and msmtpd with sendmail_exec_t * Allow dovecot to map files in /var/spool/dovecot * Confine gnome-initial-setup * Allow qemu-guest-agent create and use vsock socket * Allow login_pgm setcap permission * Allow chronyc read network sysctls * Enhancement of the /usr/sbin/request-key helper policy * Fix opencryptoki file names in /dev/shm * Allow system_cronjob_t transition to rpm_script_t * Revert "Allow system_cronjob_t domtrans to rpm_script_t" * Add tunable to allow squid bind snmp port * Allow staff_t getattr init pid chr & blk files and read krb5 * Allow firewalld to rw z90crypt device * Allow httpd work with tokens in /dev/shm * Allow svirt to map svirt_image_t char files * Allow sysadm_t run initrc_t script and sysadm_r role access * Allow insights-client manage fsadm pid files * Allowing snapper to create snapshots of /home/ subvolume/partition * Add boolean qemu-ga to run unconfined script * Label systemd-journald feature LogNamespace * Add none file context for polyinstantiated tmp dirs * Allow certmonger read the contents of the sysfs filesystem * Add journalctl the sys_resource capability * Allow nm-dispatcher plugins read generic files in /proc * Tue Mar 28 2023 Hu <[email protected]> - Add debug-build.sh script to make debugging without committing easier * Tue Mar 21 2023 [email protected] - Update to version 20230321: * make kernel_t unconfined again * Thu Mar 16 2023 [email protected] - Update to version 20230316: * prevent labeling of overlayfs filesystems based on the /var/lib/overlay path * allow kernel_t to relabel etc_t files * allow kernel_t to relabel sysnet config files * allow kernel_t to relabel systemd hwdb etc files * add systemd_hwdb_relabel_etc_files to allow labeling of hwdb files * change sysnet_relabelto_net_conf and sysnet_relabelfrom_net_conf to apply to files and lnk_files. lnk_files are commonly used in SUSE to allow easy management of config files * add files_relabel_etc_files_basic and files_relabel_etc_lnk_files_basic interfaces to allow labeling on etc_t, not on the broader configfiles attribute * Allow systemd-timesyncd to bind to generic UDP ports (bsc#1207962). The watch permissions reported are already fixed in a current policy. - Reinstate update.sh and remove container-selinux from the service. Having both repos in there causes issues and update.sh makes the update process easier in general. Updated README.Update * Tue Mar 07 2023 Johannes Segitz <[email protected]> - Remove erroneous SUSE man page. Will not be created with the 3.5 toolchain * Tue Feb 14 2023 Hu <[email protected]> - Complete packaging rework: Move policy to git repository and only use tar_scm obs service to refresh from there: https://gitlab.suse.de/selinux/selinux-policy Please use `osc service manualrun` to update this OBS package to the newest git version. * Added README.Update describing how to update this package * Added _service file that pulls from selinux-policy and upstream container-selinux and tars them * Adapted selinux-policy.spec to build selinux-policy with container-selinux * Removed update.sh as no longer needed * Removed suse specific modules as they are now covered by git commits * packagekit.te packagekit.if packagekit.fc * rebootmgr.te rebootmgr.if rebootmgr.fc * rtorrent.te rtorrent.if rtorrent.fc * wicked.te wicked.if wicked.fc * Removed *.patch as they are now covered by git commits: * distro_suse_to_distro_redhat.patch * dontaudit_interface_kmod_tmpfs.patch * fix_accountsd.patch * fix_alsa.patch * fix_apache.patch * fix_auditd.patch * fix_authlogin.patch * fix_automount.patch * fix_bitlbee.patch * fix_chronyd.patch * fix_cloudform.patch * fix_colord.patch * fix_corecommand.patch * fix_cron.patch * fix_dbus.patch * fix_djbdns.patch * fix_dnsmasq.patch * fix_dovecot.patch * fix_entropyd.patch * fix_firewalld.patch * fix_fwupd.patch * fix_geoclue.patch * fix_hypervkvp.patch * fix_init.patch * fix_ipsec.patch * fix_iptables.patch * fix_irqbalance.patch * fix_java.patch * fix_kernel.patch * fix_kernel_sysctl.patch * fix_libraries.patch * fix_locallogin.patch * fix_logging.patch * fix_logrotate.patch * fix_mcelog.patch * fix_miscfiles.patch * fix_nagios.patch * fix_networkmanager.patch * fix_nis.patch * fix_nscd.patch * fix_ntp.patch * fix_openvpn.patch * fix_postfix.patch * fix_rpm.patch * fix_rtkit.patch * fix_screen.patch * fix_selinuxutil.patch * fix_sendmail.patch * fix_smartmon.patch * fix_snapper.patch * fix_sslh.patch * fix_sysnetwork.patch * fix_systemd.patch * fix_systemd_watch.patch * fix_thunderbird.patch * fix_unconfined.patch * fix_unconfineduser.patch * fix_unprivuser.patch * fix_userdomain.patch * fix_usermanage.patch * fix_wine.patch * fix_xserver.patch * sedoctool.patch * systemd_domain_dyntrans_type.patch * Mon Feb 06 2023 Johannes Segitz <[email protected]> - Update to version 20230206. Refreshed: * fix_entropyd.patch * fix_networkmanager.patch * fix_systemd_watch.patch * fix_unconfineduser.patch - Updated fix_kernel.patch to allow kernel_t access to xdm state. This is necessary as plymouth doesn't run in it's own domain in early boot * Mon Jan 16 2023 Johannes Segitz <[email protected]> - Update to version 20230125. Refreshed: * distro_suse_to_distro_redhat.patch * fix_dnsmasq.patch * fix_init.patch * fix_ipsec.patch * fix_kernel_sysctl.patch * fix_logging.patch * fix_rpm.patch * fix_selinuxutil.patch * fix_systemd_watch.patch * fix_userdomain.patch - More flexible lib(exec) matching in fix_fwupd.patch - Removed sys_admin for systemd_gpt_generator_t in fix_systemd.patch - Dropped fix_container.patch, is now upstream - Added fix_entropyd.patch * Added new interface entropyd_semaphore_filetrans to properly transfer semaphore created during early boot. That doesn't work yet, so work around with next item * Allow reading tempfs files - Added fix_kernel.patch. Added modutils_execute_kmod_tmpfs_files interace to allow kmod_tmpfs_t files to be executed. Necessary for firewalld - Added fix_rtkit.patch to fix labeling of binary - Modified fix_ntp.patch: * Proper labeling for start-ntpd * Fixed label rules for chroot path * Temporarily allow dac_override for ntpd_t (bsc#1207577) * Add interface ntp_manage_pid_files to allow management of pid files - Updated fix_networkmanager.patch to allow managing ntp pid files * Thu Jan 12 2023 Johannes Segitz <[email protected]> - Update fix_container.patch to allow privileged containers to use localectl (bsc#1207077) * Wed Jan 11 2023 Johannes Segitz <[email protected]> - Add fix_container.patch to allow privileged containers to use timedatectl (bsc#1207054) * Thu Dec 15 2022 Hu <[email protected]> - Added fix_ipsec.patch: Allow AF_ALG socket creation for strongswan (bnc#1206445) * Wed Dec 14 2022 Hu <[email protected]> - Added policy for wicked scripts under /etc/sysconfig/network/scripts (bnc#1205770) * Wed Dec 14 2022 Johannes Segitz <[email protected]> - Add fix_sendmail.patch * fix context of custom sendmail startup helper * fix context of /var/run/sendmail and add necessary rules to manage content in there * Tue Dec 13 2022 Johannes Segitz <[email protected]> - Updated fix_networkmanager.patch to fixe labeling of nm-dispatcher and nm-priv-helper until the packaging is adjusted (bsc#1206355) - Update fix_chronyd.patch to allow sendto towards NetworkManager_dispatcher_custom_t. Added new interface networkmanager_dispatcher_custom_dgram_send for this (bsc#1206357) - Update fix_dbus.patch to allow dbus to watch lib directories (bsc#1205895) * Tue Dec 06 2022 Johannes Segitz <[email protected]> - Updated fix_networkmanager.patch to allow NetworkManager to watch net_conf_t (bsc#1206109) * Wed Nov 30 2022 Filippo Bonazzi <[email protected]> - Add fix_irqbalance.patch: support netlink socket operations (bsc#1205434) * Wed Nov 30 2022 Filippo Bonazzi <[email protected]> - Drop fix_irqbalance.patch: superseded by upstream * Thu Nov 24 2022 Hu <[email protected]> - fix_sysnetwork.patch: firewalld uses /etc/sysconfig/network/ for network interface definition instead of /etc/sysconfig/network-scripts/, modified sysnetwork.fc to reflect that (bsc#1205580). * Wed Oct 19 2022 Johannes Segitz <[email protected]> - Update to version 20221019. Refreshed: * distro_suse_to_distro_redhat.patch * fix_apache.patch * fix_chronyd.patch * fix_cron.patch * fix_init.patch * fix_kernel_sysctl.patch * fix_networkmanager.patch * fix_rpm.patch * fix_sysnetwork.patch * fix_systemd.patch * fix_systemd_watch.patch * fix_unconfined.patch * fix_unconfineduser.patch * fix_unprivuser.patch * fix_xserver.patch - Dropped fix_cockpit.patch as this is now packaged with cockpit itself - Remove the ipa module, freeip ships their own module - Added fix_alsa.patch to allow reading of config files in home directories - Extended fix_networkmanager.patch and fix_postfix.patch to account for SUSE systems - Added dontaudit_interface_kmod_tmpfs.patch to prevent AVCs when startproc queries the running processes - Updated fix_snapper.patch to allow snapper to talk to rpm via dbus * Fri Sep 30 2022 Johannes Segitz <[email protected]> - Updated quilt couldn't unpack tarball. This will cause ongoing issues so drop the sed statement in the %prep section and add distro_suse_to_distro_redhat.patch to add the necessary changes via a patch * Thu Sep 29 2022 Johannes Segitz <[email protected]> - Update fix_networkmanager.patch to ensure NetworkManager chrony dispatcher is properly labled and update fix_chronyd.patch to ensure chrony helper script has proper label to be used by NetworkManager. Also allow NetworkManager_dispatcher_custom_t to query systemd status (bsc#1203824) * Tue Sep 27 2022 Filippo Bonazzi <[email protected]> - Update fix_xserver.patch to add greetd support (bsc#1198559) * Mon Sep 12 2022 Johannes Segitz <[email protected]> - Revamped rtorrent module * Fri Aug 26 2022 Thorsten Kukuk <[email protected]> - Move SUSE directory from manual page section to html docu * Wed Jul 27 2022 Hu <[email protected]> - fix_networkmanager.patch: Allow NetworkManager_dispatcher_tlp_t and NetworkManager_dispatcher_custom_t to access nscd socket (bsc#1201741) * Tue Jul 26 2022 Zdenek Kubala <[email protected]> - Add fix_cloudform.patch to fix cloud-init runcmd issue with snapper (bnc#1201015) * Thu Jul 14 2022 Johannes Segitz <[email protected]> - Update to version 20220714. Refreshed: * fix_init.patch * fix_systemd_watch.patch * Wed Jul 13 2022 Johannes Segitz <[email protected]> - Update fix_systemd.patch to add cap sys_admin and kernel_dgram_send for systemd_gpt_generator_t (bsc#1200911) * Mon Jul 11 2022 Johannes Segitz <[email protected]> - postfix: Label PID files and some helpers correctly (bsc#1197242) * Fri Jun 24 2022 Johannes Segitz <[email protected]> - Add fix_userdomain.patch to dontaudit UDP rpc ports (bsc#1193984) * Fri Jun 24 2022 Johannes Segitz <[email protected]> - Update to version 20220624. Refreshed: * fix_init.patch * fix_kernel_sysctl.patch * fix_logging.patch * fix_networkmanager.patch * fix_unprivuser.patch Dropped fix_hadoop.patch, not necessary anymore * Updated fix_locallogin.patch to allow accesses for nss-systemd (bsc#1199630) * Fri May 20 2022 Johannes Segitz <[email protected]> - Update to version 20220520 to pass stricter 3.4 toolchain checks * Fri May 20 2022 Johannes Segitz <[email protected]> - Update to version 20220428. Refreshed: * fix_apache.patch * fix_hadoop.patch * fix_init.patch * fix_iptables.patch * fix_kernel_sysctl.patch * fix_networkmanager.patch * fix_systemd.patch * fix_systemd_watch.patch * fix_unprivuser.patch * fix_usermanage.patch * fix_wine.patch * Thu May 19 2022 Johannes Segitz <[email protected]> - Add fix_dnsmasq.patch to fix problems with virtualization on Microos (bsc#1199518) * Tue May 03 2022 Johannes Segitz <[email protected]> - Modified fix_init.patch to allow init to setup contrained environment for accountsservice. This needs a better, more general solution (bsc#1197610) * Mon May 02 2022 Johannes Segitz <[email protected]> - Add systemd_domain_dyntrans_type.patch to allow systemd to dyntransition. This happens in certain boot conditions (bsc#1182500) - Changed fix_unconfineduser.patch to not transition into ldconfig_t from unconfined_t (bsc#1197169) * Thu Feb 17 2022 Klaus Kämpf <[email protected]> - use %license tag for COPYING file * Thu Feb 10 2022 Johannes Segitz <[email protected]> - Updated fix_cron.patch. Adjust labeling for at (bsc#1195683) * Wed Feb 09 2022 Filippo Bonazzi <[email protected]> - Fix bitlbee runtime directory (bsc#1193230) * add fix_bitlbee.patch * Mon Jan 24 2022 Johannes Segitz <[email protected]> - Update to version 20220124. Refreshed: * fix_hadoop.patch * fix_init.patch * fix_kernel_sysctl.patch * fix_systemd.patch * fix_systemd_watch.patch - Added fix_hypervkvp.patch to fix issues with hyperv labeling (bsc#1193987) * Fri Jan 14 2022 Johannes Segitz <[email protected]> - Allow colord to use systemd hardenings (bsc#1194631) * Thu Nov 11 2021 Johannes Segitz <[email protected]> - Update to version 20211111. Refreshed: * fix_dbus.patch * fix_systemd.patch * fix_authlogin.patch * fix_auditd.patch * fix_kernel_sysctl.patch * fix_networkmanager.patch * fix_chronyd.patch * fix_unconfineduser.patch * fix_unconfined.patch * fix_firewalld.patch * fix_init.patch * fix_xserver.patch * fix_logging.patch * fix_hadoop.patch * Mon Oct 25 2021 Marcus Meissner <[email protected]> - fix_wine.patch: give Wine .dll same context as .so (bsc#1191976) * Tue Sep 28 2021 Enzo Matsumiya <[email protected]> - Fix auditd service start with systemd hardening directives (boo#1190918) * add fix_auditd.patch * Thu Sep 02 2021 Johannes Segitz <[email protected]> - Modified fix_systemd.patch to allow systemd gpt generator access to udev files (bsc#1189280) * Fri Aug 27 2021 Ales Kedroutek <[email protected]> - fix rebootmgr does not trigger the reboot properly (boo#1189878) * fix managing /etc/rebootmgr.conf * allow rebootmgr_t to cope with systemd and dbus messaging * Thu Aug 26 2021 Johannes Segitz <[email protected]> - Properly label cockpit files - Allow wicked to communicate with network manager on DBUS (bsc#1188331) * Mon Aug 23 2021 Ales Kedroutek <[email protected]> - Added policy module for rebootmgr (jsc#SMO-28) * Tue Aug 17 2021 Ludwig Nussel <[email protected]> - Allow systemd-sysctl to read kernel specific sysctl.conf (fix_kernel_sysctl.patch, boo#1184804) * Tue Aug 10 2021 Ludwig Nussel <[email protected]> - Fix quoting in postInstall macro * Fri Jul 16 2021 Johannes Segitz <[email protected]> - Update to version 20210716 - Remove interfaces for container module before building the package (bsc#1188184) - Updated * fix_init.patch * fix_systemd_watch.patch to adapt to upstream changes * Thu Jul 15 2021 Callum Farmer <[email protected]> - Use tabrmd SELinux modules from tpm2.0-abrmd instead of storing here * Tue Jul 06 2021 Alberto Planas Dominguez <[email protected]> - Add tabrmd SELinux modules from upstream (bsc#1187925) https://github.com/tpm2-software/tpm2-abrmd/tree/master/selinux - Automatic spec-cleaner to fix ordering and misaligned spaces * Mon Jun 28 2021 Johannes Segitz <[email protected]> - Update to version 20210419 - Dropped fix_gift.patch, module was removed - Updated wicked.te to removed dropped interface - Refreshed: * fix_cockpit.patch * fix_hadoop.patch * fix_init.patch * fix_logging.patch * fix_logrotate.patch * fix_networkmanager.patch * fix_nscd.patch * fix_rpm.patch * fix_selinuxutil.patch * fix_systemd.patch * fix_systemd_watch.patch * fix_thunderbird.patch * fix_unconfined.patch * fix_unconfineduser.patch * fix_unprivuser.patch * fix_xserver.patch * Tue May 18 2021 Ludwig Nussel <[email protected]> - allow systemd to watch /usr, /usr/lib, /etc, /etc/pki as we have path units that trigger on changes in those. Added fix_systemd_watch.patch - own /usr/share/selinux/packages/$SELINUXTYPE/ and /var/lib/selinux/$SELINUXTYPE/active/modules/* to allow packages to install files there * Wed Apr 28 2021 Ludwig Nussel <[email protected]> - allow cockpit socket to bind nodes (fix_cockpit.patch) - use %autosetup to get rid of endless patch lines * Tue Apr 27 2021 Johannes Segitz <[email protected]> - Updated fix_networkmanager.patch to allow NetworkManager to watch its configuration directories - Added fix_dovecot.patch to fix dovecot authentication (bsc#1182207) * Mon Apr 26 2021 Johannes Segitz <[email protected]> - Added Recommends for selinux-autorelabel (bsc#1181837) - Prevent libreoffice fonts from changing types on every relabel (bsc#1185265). Added fix_libraries.patch * Fri Apr 23 2021 Johannes Segitz <[email protected]> - Transition unconfined users to ldconfig type (bsc#1183121). Extended fix_unconfineduser.patch * Mon Apr 19 2021 Johannes Segitz <[email protected]> - Update to version 20210419 - Refreshed: * fix_dbus.patch * fix_hadoop.patch * fix_init.patch * fix_unprivuser.patch * Fri Mar 12 2021 Ales Kedroutek <[email protected]> - Adjust fix_init.patch to allow systemd to do sd-listen on tcp socket [bsc#1183177] * Tue Mar 09 2021 Johannes Segitz <[email protected]> - Update to version 20210309 - Refreshed * fix_systemd.patch * fix_selinuxutil.patch * fix_iptables.patch * fix_init.patch * fix_logging.patch * fix_nscd.patch * fix_hadoop.patch * fix_unconfineduser.patch * fix_chronyd.patch * fix_networkmanager.patch * fix_cron.patch * fix_usermanage.patch * fix_unprivuser.patch * fix_rpm.patch - Ensure that /usr/etc is labeled according to /etc rules * Tue Feb 23 2021 Thorsten Kukuk <[email protected]> - Update to version 20210223 - Change name of tar file to a more common schema to allow parallel installation of several source versions - Adjust fix_init.patch * Mon Jan 11 2021 Thorsten Kukuk <[email protected]> - Update to version 20210111 - Drop fix_policykit.patch (integrated upstream) - Adjust fix_iptables.patch - update container policy
/usr/share/selinux/packages/sandbox.pp
Generated by rpm2html 1.8.1
Fabrice Bellet, Wed Dec 4 23:51:55 2024