Revisions of selinux-policy
Ana Guerrero (anag+factory) accepted request 1157662 from Cathy Hu (cahu) (revision 58)
- Update to version 20240313:
  * Assign alts_exec_t to files_type
- Update to version 20240308:
  * Support /bin/alts in the policy (bsc#1217530)
  * Revert "Allow virtnetworkd_t to execute bin_t (bsc#1216903)"
- Update to version 20240306:
  * Replace init domtrans rule for confined users to allow exec init
  * Update dbus_role_template() to allow user service status
  * Allow polkit status all systemd services
  * Allow setroubleshootd create and use inherited io_uring
  * Allow load_policy read and write generic ptys
- Update to version 20240304:
  * Allow ssh-keygen to use the libica crypto module (bsc#1220373)
Ana Guerrero (anag+factory) accepted request 1145097 from Cathy Hu (cahu) (revision 57)
- Update to version 20240205:
  * Allow gpg manage rpm cache
  * Allow login_userdomain name_bind to howl and xmsg udp ports
  * Allow rules for confined users logged in plasma
  * Label /dev/iommu with iommu_device_t
  * Remove duplicate file context entries in /run
  * Dontaudit getty and plymouth the checkpoint_restore capability
  * Allow su domains write login records
  * Revert "Allow su domains write login records"
  * Allow login_userdomain delete session dbusd tmp socket files
  * Allow unix dgram sendto between exim processes
  * Allow su domains write login records
  * Allow smbd_t to watch user_home_dir_t if samba_enable_home_dirs is on
  * Allow chronyd-restricted read chronyd key files
  * Allow conntrackd_t to use bpf capability2
  * Allow systemd-networkd manage its runtime socket files
  * Allow init_t nnp domain transition to colord_t
  * Allow polkit status systemd services
  * nova: Fix duplicate declarations
  * Allow httpd work with PrivateTmp
  * Add interfaces for watching and reading ifconfig_var_run_t
  * Allow collectd read raw fixed disk device
  * Allow collectd read udev pid files
  * Set correct label on /etc/pki/pki-tomcat/kra
  * Allow systemd domains watch system dbus pid socket files
  * Allow certmonger read network sysctls
  * Allow mdadm list stratisd data directories
  * Allow syslog to run unconfined scripts conditionally
  * Allow syslogd_t nnp_transition to syslogd_unconfined_script_t
  * Allow qatlib set attributes of vfio device files
  * Allow systemd-sleep set attributes of efivarfs files
  * Allow samba-dcerpcd read public files
  * Allow spamd_update_t the sys_ptrace capability in user namespace
  * Allow bluetooth devices work with alsa
  * Allow alsa get attributes filesystems with extended attributes
  * Allow hypervkvp_t write access to NetworkManager_etc_rw_t
  * Add interface for write-only access to NetworkManager rw conf
  * Allow systemd-sleep send a message to syslog over a unix dgram socket
  * Allow init create and use netlink netfilter socket
  * Allow qatlib load kernel modules
  * Allow qatlib run lspci
  * Allow qatlib manage its private runtime socket files
  * Allow qatlib read/write vfio devices
  * Label /etc/redis.conf with redis_conf_t
  * Remove the lockdown-class rules from the policy
  * Allow init read all non-security socket files
  * Replace redundant dnsmasq pattern macros
  * Remove unneeded symlink perms in dnsmasq.if
  * Add additions to dnsmasq interface
  * Allow nvme_stas_t create and use netlink kobject uevent socket
  * Allow collectd connect to statsd port
  * Allow keepalived_t to use sys_ptrace of cap_userns
  * Allow dovecot_auth_t connect to postgresql using UNIX socket
  * Make named_zone_t and named_var_run_t a part of the mountpoint attribute
  * Allow sysadm execute traceroute in sysadm_t domain using sudo
  * Allow sysadm execute tcpdump in sysadm_t domain using sudo
  * Allow opafm search nfs directories
  * Add support for syslogd unconfined scripts
  * Allow gpsd use /dev/gnss devices
  * Allow gpg read rpm cache
  * Allow virtqemud additional permissions
  * Allow virtqemud manage its private lock files
  * Allow virtqemud use the io_uring api
  * Allow ddclient send e-mail notifications
  * Allow postfix_master_t map postfix data files
  * Allow init create and use vsock sockets
  * Allow thumb_t append to init unix domain stream sockets
  * Label /dev/vas with vas_device_t
  * Create interface selinux_watch_config and add it to SELinux users
  * Update cifs interfaces to include fs_search_auto_mountpoints()
  * Allow sudodomain read var auth files
  * Allow spamd_update_t read hardware state information
  * Allow virtnetworkd domain transition on tc command execution
  * Allow sendmail MTA connect to sendmail LDA
  * Allow auditd read all domains process state
  * Allow rsync read network sysctls
  * Add dhcpcd bpf capability to run bpf programs
  * Dontaudit systemd-hwdb dac_override capability
  * Allow systemd-sleep create efivarfs files
  * Allow map xserver_tmpfs_t files when xserver_clients_write_xshm is on
  * Allow graphical applications work in Wayland
  * Allow kdump work with PrivateTmp
  * Allow dovecot-auth work with PrivateTmp
  * Allow nfsd get attributes of all filesystems
  * Allow unconfined_domain_type use io_uring cmd on domain
  * ci: Only run Rawhide revdeps tests on the rawhide branch
  * Label /var/run/auditd.state as auditd_var_run_t
  * Allow fido-device-onboard (FDO) read the crack database
  * Allow ip an explicit domain transition to other domains
  * Label /usr/libexec/selinux/selinux-autorelabel with semanage_exec_t
  * Allow winbind_rpcd_t processes access when samba_export_all_* is on
  * Enable NetworkManager and dhclient to use initramfs-configured DHCP connection
  * Allow ntp to bind and connect to ntske port
Dominique Leuenberger (dimstar_suse) accepted request 1101215 from Filippo Bonazzi (fbonazzi) (revision 48)
Dominique Leuenberger (dimstar_suse) accepted request 1094793 from Johannes Segitz (jsegitz) (revision 47)
Dominique Leuenberger (dimstar_suse) accepted request 1082789 from Johannes Segitz (jsegitz) (revision 46)
Dominique Leuenberger (dimstar_suse) accepted request 1080824 from Johannes Segitz (jsegitz) (revision 45)
- Update to version 20230420:
  * libzypp creates temporary files in /var/adm/mount. Label it with rpm_var_cache_t to prevent wrong labels in /var/cache/zypp
  * Only use rsync_exec_t for the rsync server, not for the client (bsc#1209890)
  * Properly label sshd-gen-keys-start to ensure ssh host keys have proper labels after creation
  * Allow dovecot-deliver write to the main process runtime fifo files
  * Allow dmidecode write to cloud-init tmp files
  * Allow chronyd send a message to cloud-init over a datagram socket
  * Allow cloud-init domain transition to insights-client domain
  * Allow mongodb read filesystem sysctls
  * Allow mongodb read network sysctls
  * Allow accounts-daemon read generic systemd unit lnk files
  * Allow blueman watch generic device dirs
  * Allow nm-dispatcher tlp plugin create tlp dirs
  * Allow systemd-coredump mounton /usr
  * Allow rabbitmq to read network sysctls
  * Allow certmonger dbus chat with the cron system domain
  * Allow geoclue read network sysctls
  * Allow geoclue watch the /etc directory
  * Allow logwatch_mail_t read network sysctls
  * Allow systemd_resolved_t to bind to all nodes (bsc#1200182)
  * Allow insights-client read all sysctls
  * Allow passt manage qemu pid sock files
  * Allow sssd read accountsd fifo files
  * Add support for the passt_t domain
  * Allow virtd_t and svirt_t work with passt
  * Add new interfaces in the virt module
  * Add passt interfaces defined conditionally
Dominique Leuenberger (dimstar_suse) accepted request 1073587 from Johannes Segitz (jsegitz) (revision 44)
Please stage this with the microos-tools changes. Should now be good since kernel_t is unconfined again.
Dominique Leuenberger (dimstar_suse) accepted request 1069867 from Johannes Segitz (jsegitz) (revision 43)
- Remove erroneous SUSE man page. Will not be created with the 3.5 toolchain.
Dominique Leuenberger (dimstar_suse) accepted request 1058006 from Johannes Segitz (jsegitz) (revision 42)
Dominique Leuenberger (dimstar_suse) accepted request 1043279 from Johannes Segitz (jsegitz) (revision 41)
Dominique Leuenberger (dimstar_suse) accepted request 1043074 from Johannes Segitz (jsegitz) (revision 40)