-
Notifications
You must be signed in to change notification settings - Fork 143
/
Changelog
3930 lines (3675 loc) · 178 KB
/
Changelog
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
* Mon Sep 16 2024 Chris PeBenito <[email protected]> - 2.20240916
Amisha Jain (1):
Sepolicy changes for bluez to access uhid
Chris PeBenito (54):
uml: Remove excessive access from user domains on uml_exec_t.
cron: Use raw entrypoint rule for system_cronjob_t.
docker: Fix dockerc typo in container_engine_executable_file
minissdpd: Revoke kernel module loading permissions.
xen: Revoke kernel module loading permissions.
cups: Remove PTAL.
xen: Drop xend/xm stack.
certbot: Drop execmem.
cockpit: Change $1_cockpit_tmpfs_t to a tmpfs file type.
tests.yml: Add sechecker testing.
systemd: Add basic systemd-analyze rules.
cloudinit: Add support for cloud-init-growpart.
filesystem/systemd: memory.pressure fixes.
init: Add homectl dbus access.
device: Move dev_rw_uhid definition.
devices: Change dev_rw_uhid() to use a policy pattern.
tests.yml: Divide into reusable workflows.
tests.yml: Add policy diff on PRs.
bluetooth: Move line.
Christian Göttsche (4):
getty: grant checkpoint_restore
quote: read localization
systemd: allow notify client to stat socket
Makefile: drop duplicate quotes
Dave Sugar (4):
Setup domain for dbus selinux interface
Update SOS report to work on RHEL9
Need map perm for cockpit 300.4
Additional permissions when fapolicyd.conf more strict
Dmitry Sharshakov (1):
filesystem, devices: move gadgetfs to usbfs_t
Grzegorz Filo (1):
files context for merged-usr profile on gentoo
Guido Trentalancia (1):
Allow interactive user terminal output for the NetLabel management tool.
Kenton Groombridge (46):
init: allow systemd to use sshd pidfds
fail2ban: allow reading net sysctls
dovecot: allow dovecot-auth to read SASL keytab
userdom: allow users to read user home dir symlinks
postgres: add a standalone execmem tunable
asterisk: allow binding to all unreserved UDP ports
bootloader: allow systemd-boot to manage EFI binaries
matrixd: add tunable for binding to all unreserved ports
container: allow system container engines to mmap runtime files
container: allow containers to getcap
systemd: allow systemd-sysctl to search tmpfs
container, podman: various fixes
container, crio, kubernetes: minor fixes
various: various fixes
systemd: allow systemd-logind to use sshd pidfds
sysnetwork: allow ifconfig to read usr files
postfix: allow smtpd to mmap SASL keytab files
sudo: allow systemd-logind to read cgroup state of sudo
su, sudo: allow sudo to signal all su domains
asterisk: allow watching spool dirs
dbus, init: add interface for pidfd usage
init: use pidfds from local login
haproxy: initial policy
sysadm: make haproxy admin
container: allow containers to execute tmpfs files
node_exporter: allow reading localization
netutils: allow ping to read net sysctls
postfix: allow postfix pipe to watch mail spool
asterisk: allow reading certbot lib
node_exporter: allow reading RPC sysctls
systemd: allow logind to use locallogin pidfds
sshd: label sshd-session as sshd_exec_t
iptables: allow reading usr files
podman: allow managing init runtime units
haproxy: allow interactive usage
kubernetes: allow kubelet to create unlabeled dirs
container: allow super privileged containers to manage BPF dirs
dbus: dontaudit session bus domains the netadmin capability
container, kubernetes: add supporting rules for kubevirt and multus
container: allow spc various rules for kubevirt
iptables: allow reading container engine tmp files
container: add container_kvm_t and supporting kubevirt rules
various: rules required for DV manipulation in kubevirt
testing: add container_kvm_t to net admin exempt list
container: allow reading generic certs
kubernetes: allow kubelet to connect all TCP ports
Matt Sheets (1):
Allow systemd to pass down sig mask
Naga Bhavani Akella (3):
Adding Sepolicy rules to allow bluetoothctl and dbus-daemon to access unix
stream sockets.
Setting bluetooth helper domain for bluetoothctl
Adding SE Policy rules to allow usage of unix stream sockets by dbus and
bluetooth contexts when Gatt notifications are turned on by remote.
Raghavender Reddy Bujala (1):
Adding Sepolicy rules to allow pulseaudio to access bluetooth sockets.
Rick Alther (2):
fix: minor correction in MCS_CATS range comment
Set the type on /etc/machine-info to net_conf_t so hostnamectl can
manipulate it (CRUD)
Yi Zhao (12):
sysnetwork: fixes for dhcpcd
newrole: allow newrole to search faillock runtime directory
selinuxutil: make policykit optional
userdomain: allow administrative user to get attributes of shadow history
file
systemd: make xdg optional
systemd: set context to systemd_networkd_var_lib_t for
/var/lib/systemd/network
systemd: allow systemd-networkd to manage sock files under
/run/systemd/netif
systemd: allow system --user to create netlink_route_socket
systemd: add policy for systemd-nsresourced
devices: add label vsock_device_t for /dev/vsock
systemd: fix policy for systemd-ssh-generator
systemd: allow systemd-hostnamed to read vsock device
freedom1b2830 (2):
Reorder perms and classes
Reorder perms and classes
nisbet-hubbard (1):
Update mysql.fc
* Mon Feb 26 2024 Chris PeBenito <[email protected]> - 2.20240226
Chris PeBenito (174):
tests.yml: Pin ubuntu 20.04.
tests.yml: Pin ubuntu 20.04.
fstools: Move lines.
munin: Move munin_rw_tcp_sockets() implementation.
munin: Whitespace change.
systemd: Tmpfilesd can correct seusers on files.
iscsi: Read initiatorname.iscsi.
lvm: Add fc entry for /etc/multipath/*
sysnetwork: Rename sysnet_dontaudit_rw_dhcpc_unix_dgram_sockets()
Define user_namespace object class.
chromium: Allow user namespace creation.
mozilla: Allow user namespace creation.
systemd: Allow user namespace creation.
container: Allow user namespace creation for all container engines.
Update eg25manager.te
switcheroo: Whitespace fix.
unconfined: Keys are linkable by systemd.
postgresql: Move lines
Add append to rw and manage lnk_file permission sets for consistency.
domain: Manage own fds.
systemd: systemd-cgroups reads kernel.cap_last_cap sysctl.
kernel: hv_utils shutdown on systemd systems.
Container: Minor fixes from interactive container use.
systemd: Minor coredump fixes.
rpm: Minor fixes
init: Allow nnp/nosuid transitions from systemd initrc_t.
selinuxutil: Semanage reads policy for export.
sysnetwork: ifconfig searches debugfs.
usermanage: Add sysctl access for groupadd to get number of groups.
files: Handle symlinks for /media and /srv.
cloudinit: Add support for installing RPMs and setting passwords.
kdump: Fixes from testing kdumpctl.
usermanage: Handle symlinks in /usr/share/cracklib.
unconfined: Add remaining watch_* permissions.
chronyd: Read /dev/urandom.
cloud-init: Allow use of sudo in runcmd.
cloud-init: Add systemd permissions.
cloud-init: Change udev rules
systemd: Updates for systemd-locale.
cloudinit: Add permissions derived from sysadm.
Christian Göttsche (28):
git: add fcontext for default binary
init: only grant getattr in init_getattr_generic_units_files()
ci: bump SELint version to 1.5.0
SELint userspace class tweaks
systemd: reorder optional block
devicedisk: reorder optional block
access_vectors: define io_uring { cmd }
support/genhomedircon: support usr prefixed paths
fix misc typos
Support multi-line interface calls
policy_capabilities: remove estimated from released versions
Rules.monolithic: pre-compile fcontexts on install
Rules.modular: use temporary file to not ignore error
Makefile: use sepolgen-ifgen-attr-helper from test toolchain
Makefile: set PYTHONPATH for test toolchain
virt: label qemu configuration directory
selinuxutil: setfiles updates
selinuxutil: ignore getattr proc in newrole
userdom: permit reading PSI as admin
fs: mark memory pressure type as file
systemd: binfmt updates
vnstatd: update
fs: add support for virtiofs
systemd: generator updates
udev: update
systemd: logind update
consolesetup: update
libraries: drop space in empty line
Christian Schneider (1):
systemd-generator: systemd_generator_t load kernel modules used for e.g.
zram-generator
Corentin LABBE (20):
udev: permit to read hwdb
fstools: handle gentoo place for drivedb.h
mount: dbus interface must be optional
mcelog: add missing file context for triggers
munin: add file context for common functions file
rsyslog: add label for /var/empty/dev/log
munin: disk-plugin: transition to fsadm
munin: add fc for munin-node plugin state
usermanage: permit groupadd to read kernel sysctl
portage: Remove old binary location
portage: add go/hg source control files
portage: add new location for portage commands
portage: add missing go/hg context in new distfiles location
mandb: permit to read inherited cron files
selinuxutil: do not audit load_policy trying to use portage ptys
selinuxutil: permit run_init to read kernel sysctl
portage: add misc mising rules
smartmon: allow smartd to read fsadm_db_t files
smartmon: add domain for update-smart-drivedb
dovecot: add missing permissions
Dave Sugar (46):
rng-tools updated to 6.15 (on RHEL9) seeing the following denials:
Allow local login to read /run/motd
Label pwhistory_helper
If domain can read system_dbusd_var_lib_t files, also allow symlinks
systemd-rfkill.socket reads /dev/rfkill (with ListenSocket=) option.
To allow setting for net.netfilter.nf_* in /etc/sysctl.d/*.conf
Allow iceauth write to xsession log
Allow system_dbusd_t to start/stop all units
Updates for utempter
Allow display manager to read hwdata
Allow search xdm_var_run_t directories along with reading files.
Solve issue with no keyboard/mouse on X login screen
separate label for /etc/security/opasswd
Fix some ssh agent denials
For systemd-hostnamed service to run
Allow rsyslog to drop capabilities
/var/lib/sddm should be xdm_var_lib_t
resolve lvm_t issues at shutdown with LUKS encrypted devices
Allow all users to (optionally) send syslog messages
Resolve some denials with colord
separate domain for journalctl during init
Use interface that already exists.
Separate label for /run/systemd/notify (#710)
Changes needed for dbus-broker-launch
Allow dbus-broker-launch to execute in same domain
dbus changes
Firewalld need to relabel direct.xml file
xguest ues systemd --user
Needed to allow environment variable to process started (for cockpit)
SELinux policy for cockpit
Fix denial while cleaning up pidfile symlink
allow system --user to execute systemd-tmpfiles in
<user>_systemd_tmpfiles_t domain
cockpit ssh as user
Allow sudo dbus chat w/sysemd-logind
The L+ tmpfiles option needs to read the symlink
Signal during logout
This seems important for administrative access
This works instead of allow exec on user_tmpfs_t!
admin can read/write web socket
Allow key manipulation
Add dontaudit to quiet down a bit
Add watches
Additional access for systemctl
Denial during cockpit use
Fix password changing from cockpit login screen
Resolve error when cockpit initiate shutdown
David Sommerseth (1):
openvpn: Allow netlink genl
Fabrice Fontaine (1):
policy/modules/services/smartmon.te: make fstools optional
Florian Schmidt (1):
Add label and interfaces for kernel PSI files
George Zenner (1):
Signed-off-by: George Zenner <[email protected]>
Grzegorz Filo (3):
Shell functions used during boot by initrc_t shall be bin_t and defined in
corecommands.fc
Dir transition goes with dir create perms.
Keep context of blkid file/dir when created by zpool.
Guido Trentalancia (53):
The pulseaudio daemon and client do not normally need to use the network
for most computer systems that need to play and record audio.
The kernel domain should be able to mounton runtime directories during
switch_root, otherwise parts of the boot process might fail on some
systems (for example, the udev daemon).
The kernel domain should be able to mounton default directories during
switch_root.
The pulseaudio module should be able to read alsa library directories.
Fix the pulseaudio module file transition for named sockets in tmp
directories.
Fix the dbus module so that automatic file type transitions are used not
only for files and directories, but also for named sockets.
Fix the dbus module so that temporary session named sockets can be read
and written in the role template and by system and session bus clients.
Update the dbus role template so that permissions to get the attributes of
the proc filesystem are included.
Let pulseaudio search debugfs directories, as currently done with other
modules.
Separate the tunable permissions to write xserver tmpfs files from the
tunable permissions to write X server shared memory.
Fix a security bug in the xserver module (interfaces) which was wrongly
allowing an interface to bypass existing tunable policy logic related
to X shared memory and xserver tmpfs files write permissions.
Add missing permissions to execute binary files for the evolution_alarm_t
domain.
Add the permissions to manage the fonts cache (fontconfig) to the window
manager role template.
Add permissions to watch libraries directories to the userdomain login
user template interface.
Update the xscreensaver module in order to work with the latest version
(tested with version 6.06).
Include the X server tmpfs rw permissions in the X shared memory write
access tunable policy under request from Christoper PeBenito.
Revert the following commit (ability to read /usr files), as it is no
longer needed, after the database file got its own label:
Update the kernel module to remove misplaced or at least really obsolete
permissions during kernel module loading.
Introduce a new "logging_syslog_can_network" boolean and make the
net_admin capability as well as all corenetwork permissions previously
granted to the syslog daemon conditional upon such boolean being true.
Let the openoffice domain manage fonts cache (fontconfig).
Update the openoffice module so that it can create Unix stream sockets
with its own label and use them both as a client and a server.
Let mplayer to act as a dbus session bus client (needed by the vlc media
player).
Add permissions to read device sysctls to mplayer.
Remove misplaced permission from mount interface mount_exec.
Remove a vulnerability introduced by a logging interface which allows to
execute log files.
Improved wording for the new xserver tunable policy booleans introduced
with the previous three commits.
Fix another security bug companion of the one fixed in the following
previous commit:
Fix another security bug similar to the ones that have been recently fixed
in the following two commits:
Remove duplicate permissions in the xserver module
xserver_restricted_role() interface.
Dbus creates Unix domain sockets (in addition to listening on and
connecting to them), so its policy module is modified accordingly.
Remove a logging interface from the userdomain module since it has now
been moved to the xscreensaver domain.
Create a new specific file label for the random seed file saved before
shutting down or rebooting the system and rework the interface needed
to manage such file.
Fix the shutdown policy in order to make use of the newly created file
label and interface needed to manage the random seed file.
Update the gpg module so that the application is able to fetch new keys
from the network.
Dbus creates Unix domain sockets not only for the system bus, but also for
the session bus (in addition to connecting to them), so its policy
module is modified accordingly.
Update the gnome module so that the gconf daemon is able to create Unix
domain sockets and accept or listen connections on them.
Fix the recently introduced "logging_syslog_can_network" tunable policy,
by including TCP/IP socket creation permissions.
Introduce a new interface in the mta module to manage the mail transport
agent configuration directories and files.
Add new gpg interfaces for gpg_agent execution and to avoid auditing
search operations on files and directories that are not strictly needed
and might pose a security risk.
Extend the scope of the "spamassassin_can_network" tunable policy boolean
to all network access (except the relative dontaudit rules).
Update the spamassassin module in order to better support the rules
updating script; this achieved by employing two distinct domains for
increased security and network isolation: a first domain is used for
fetching the updated rules from the network and second domain is used
for verifying the GPG signatures of the received rules.
Under request from Christopher PeBenito, merge the two spamassassin rules
updating SELinux domains introduced in the previous change in order to
reduce the non-swappable kernel memory used by the policy.
Introduce a new "dbus_can_network" boolean which controls whether or not
the dbus daemon can act as a server over TCP/IP networks and defaults
to false, as this is generally insecure, except when using the local
loopback interface.
Introduce two new booleans for the X server and X display manager domains
which control whether or not the respective domains allow the TCP/IP
server networking functionality.
The X display manager uses an authentication mechanism based on an
authorization file which is critical for X security.
Merge branch 'main' into x_fixes_pr2
Let openoffice perform temporary file transitions and manage link files.
Modify the gpg module so that gpg and the gpg_agent can manage
gpg_runtime_t socket files.
The LDAP server only needs to read generic certificate files, not manage
them.
Create new TLS Private Keys file contexts for the Apache HTTP server
according to the default locations:
Let the webadm role manage Private Keys and CSR for SSL Certificates used
by the HTTP daemon.
Let the certmonger module manage SSL Private Keys and CSR used for example
by the HTTP and/or Mail Transport daemons.
Additional file context fix for:
Kai Meng (1):
devices:Add genfscon context for functionfs to mount
Kenton Groombridge (106):
corenet: add portcon for kubernetes
kubernetes: initial policy module
sysadm: allow running kubernetes
crio: new policy module
crio, kubernetes: allow k8s admins to run CRI-O
container: add type for container plugins
various: fixes for kubernetes
kubernetes: add policy for kubectl
various: fixes for kubernetes
container, kernel: add tunable to allow spc to create NFS servers
container: add tunable to allow containers to use huge pages
container, kubernetes: add private type for generic container devices
container: add tunable to use dri devices
container, kubernetes: add rules for device plugins running as spc
various: allow using glusterfs as backing storage for k8s
container, miscfiles: transition to s0 for public content created by
containers
container: add tunable to allow spc to use tun-tap devices
container: correct admin_pattern() usage
systemd: add policy for systemd-pcrphase
hddtemp: add missing rules for interactive usage
netutils: minor fixes for nmap and traceroute
container: add rules required for metallb BGP speakers
filesystem, init: allow systemd to setattr on ramfs dirs
logging: allow domains sending syslog messages to connect to kernel unix
stream sockets
init, sysadm: allow sysadm to manage systemd runtime units
podman: allow podman to stop systemd transient units
userdom: allow admin users to use tcpdiag netlink sockets
container: allow container admins the sysadm capability in user namespaces
postfix: allow postfix master to map data files
sasl: add filecon for /etc/sasl2 keytab
obj_perm_sets: add mmap_manage_file_perms
various: use mmap_manage_file_perms
postfix, sasl: allow postfix smtp daemon to read SASL keytab
various: fixes for libvirtd and systemd-machined
portage: label eix cache as portage_cache_t
container: add missing filetrans and filecon for containerd/docker
container, init, systemd: add policy for quadlet
container: fixes for podman 4.4.0
container: fixes for podman run --log-driver=passthrough
node_exporter: various fixes
redis: add missing rules for runtime filetrans
podman, selinux: move lines, add missing rules for --network=host
netutils: fixes for iftop
kernel, zfs: add filetrans for kernel creating zpool cache file
zfs: allow sending signals to itself
zfs: add runtime filetrans for dirs
init: make init_runtime_t useable for systemd units
various: make /etc/machine-id etc_runtime_t
init, systemd: allow init to create userdb runtime symlinks
init: allow initrc_t to getcap
systemd: allow systemd-userdbd to getcap
logging: allow systemd-journald to list cgroups
fs, udev: allow systemd-udevd various cgroup perms
logging, systemd: allow relabelfrom,relabelto on systemd journal files by
systemd-journald
files, systemd: allow systemd-tmpfiles to relabel config file symlinks
systemd: add rules for systemd-zram-generator
systemd: allow systemd-pcrphase to read generic certs
fs, init: allow systemd-init to set the attributes of efivarfs files
init: allow systemd-init to set the attributes of unallocated terminals
systemd: allow systemd-resolved to bind to UDP port 5353
init: allow initrc_t to create netlink_kobject_uevent_sockets
raid: allow mdadm to read udev runtime files
raid: allow mdadm to create generic links in /dev/md
fstools: allow fsadm to read utab
glusterfs: allow glusterd to bind to all TCP unreserved ports
kubernetes: allow kubelet to read etc runtime files
chromium: allow chromium-naclhelper to create user namespaces
container: rework capabilities
container: allow watching FUSEFS dirs and files
glusterfs: add tunable to allow managing unlabeled files
sysadm: allow using networkctl
container: various fixes
container, kubernetes: add support for cilium
kubernetes: allow container engines to mount on DRI devices if enabled
init, systemd: label systemd-executor as init_exec_t
udev: allow reading kernel fs sysctls
init: allow all daemons to write to init runtime sockets
systemd: fixes for systemd-pcrphase
systemd: allow networkd to use netlink netfilter sockets
rpc: add filecon for /etc/exports.d
zed: allow managing /etc/exports.d/zfs.exports
zfs: dontaudit net_admin capability by zed
su: various fixes
kernel: allow delete and setattr on generic SCSI and USB devices
mount: make mount_runtime_t a kubernetes mountpoint
fstools: allow fsadm to ioctl cgroup dirs
fstools: allow reading container device blk files
container, kubernetes: add support for rook-ceph
kernel: dontaudit read fixed disk devices
container: add filecons for rook-ceph
init, systemd: allow systemd-pcrphase to write TPM measurements
systemd: add policy for systemd-machine-id-setup
container, kubernetes: allow kubernetes to use fuse-overlayfs
kubernetes: fix kubelet accounting
systemd: label systemd-pcrlock as systemd-pcrphase
zfs: allow zfs to write to exports
kernel: allow managing mouse devices
init: allow using system bus anon pidfs
systemd: label systemd-tpm2-setup as systemd-pcrphase
bootloader, init, udev: misc minor fixes
rpc: fix not labeling exports.d directory
dbus: allow the system bus to get the status of generic units
systemd: allow systemd generator to list exports
crio: allow reading container home content
container: allow spc to map kubernetes runtime files
kubernetes: allow kubelet to apply fsGroup to persistent volumes
Luca Boccassi (4):
Set label systemd-oomd
Add separate label for cgroup's memory.pressure files
systemd: also allow to mounton memory.pressure
systemd: allow daemons to access memory.pressure
Mathieu Tortuyaux (1):
container: fix cilium denial
Oleksii Miroshko (1):
Fix templates parsing in gentemplates.sh
Pat Riehecky (1):
container: set default context for local-path-provisioner
Renato Caldas (1):
kubernetes: allow kubelet to read /proc/sys/vm files.
Russell Coker (28):
This patch removes deprecated interfaces that were deprecated in the
20210203 release. I think that 2 years of support for a deprecated
interface is enough and by the time we have the next release out it
will probably be more than 2 years since 20210203.
This patch removes deprecated interfaces that were deprecated in the
20210203 release. I think that 2 years of support for a deprecated
interface is enough and by the time we have the next release out it
will probably be more than 2 years since 20210203.
eg25-manager (Debian package eg25-manager) is a daemon aimed at
configuring and monitoring the Quectel EG25 modem on a running system.
It is used on the PinePhone (Pro) and performs the following functions:
* power on/off * startup configuration using AT commands * AGPS
data upload * status monitoring (and restart if it becomes
unavailable) Homepage: https://gitlab.com/mobian1/eg25-manager
iio-sensor-proxy (Debian package iio-sensor-proxy) IIO sensors to D-Bus
proxy Industrial I/O subsystem is intended to provide support for
devices that in some sense are analog to digital or digital to analog
convertors . Devices that fall into this category are: * ADCs *
Accelerometers * Gyros * IMUs * Capacitance to Digital Converters
(CDCs) * Pressure Sensors * Color, Light and Proximity Sensors *
Temperature Sensors * Magnetometers * DACs * DDS (Direct Digital
Synthesis) * PLLs (Phase Locked Loops) * Variable/Programmable Gain
Amplifiers (VGA, PGA)
Fixed dependency on unconfined_t
Comment sysfs better
Daemon to control authentication for Thunderbolt.
Daemon to monitor memory pressure and notify applications and change …
(#670)
switcheroo is a daemon to manage discrete vs integrated GPU use for apps
policy for power profiles daemon, used to change power settings
some misc userdomain fixes
debian motd.d directory (#689)
policy for the Reliability Availability servicability daemon (#690)
policy patches for anti-spam daemons (#698)
Added tmpfs file type for postgresql Small mysql stuff including
anon_inode
small ntp and dns changes (#703)
small network patches (#707)
small storage changes (#706)
allow jabbers to create sock file and allow matrixd to read sysfs (#705)
small systemd patches (#708)
misc small patches for cron policy (#701)
mon.te patches as well as some fstools patches related to it (#697)
misc small email changes (#704)
https://blog.trailofbits.com/2019/07/19/understanding-docker-container-escapes/
Label checkarray as mdadm_exec_t, allow it to read/write temp files
inherited from cron, and dontaudit ps type operations from it
Changes to eg25manager and modemmanager needed for firmware upload on
pinephonepro
patches for nspawn policy (#721)
Simple patch for Brother printer drivers as described in:
https://etbe.coker.com.au/2023/10/22/brother-mfc-j4440dw-printer/
Yi Zhao (15):
systemd: add capability sys_resource to systemd_userdbd_t
systemd: allow systemd-sysctl to search directories on ramfs
systemd: allow systemd-resolved to search directories on tmpfs and ramfs
mount: allow mount_t to get attributes for all directories
loadkeys: do not audit attempts to get attributes for all directories
systemd: allow systemd-networkd to create file in /run/systemd directory
systemd: allow journalctl to create /var/lib/systemd/catalog
bind: fix for named service
systemd: use init_daemon_domain instead of init_system_domain for
systemd-networkd and systemd-resolved
rpm: fixes for dnf
lvm: set context for /run/cryptsetup
container: set context for /run/crun
systemd: allow systemd-hostnamed to read machine-id and localization files
systemd: allow systemd-rfkill to getopt from uevent sockets
udev: fix for systemd-udevd
freedom1b2830 (1):
mplayer:vlc paths
* Tue Nov 01 2022 Chris PeBenito <[email protected]> - 2.20221101
Chris PeBenito (46):
systemd: Drop systemd_detect_virt_t.
fstools: Handle resizes of the root filesystem.
mount: Get the attributes of all filesystems.
rpm: Add dnf and tdnf labeling.
logging: Change to systemd interface for tmpfilesd.
systemd: Remove systemd-run domain.
unconfined: Add missing capability2 perms.
lvm: Updates for multipath LVM.
locallogin: Use init file descriptors.
systemd: Misc fixes.
isns: Updates from testing.
container, docker: Fixes for containerd and kubernetes testing.
devices: Add type for SAS management devices.
devices: Add file context for /dev/vhost-vsock.
iptables: Ioctl cgroup dirs.
devices: Add type for infiniband devices.
storage: Add fc for /dev/ng*n* devices.
files: Add prerequisite access for files_mounton_non_security().
files: Make etc_runtime_t a config file.
systemd: Fixes for coredumps in containers.
container: Allow container engines to connect to http cache ports.
container: Getattr generic device nodes.
application: Allow apps to use init fds.
systemd: Misc updates.
filesystem: Move ecryptfs interface definitions.
mcs: Add additional SysV IPC constraints.
mcs: Collapse constraints.
mcs: Add additional socket constraints.
mcs: Add missing process permission constraints.
mcs: Remove duplicate node_bind constraint.
mcs: Reorganize file.
mls: Add setsockcreate constraint.
systemd: Add interface for systemctl exec.
Add cloud-init.
hypervkvp: Port updated module from Fedora policy.
init: Add tunable for systemd to create all its mountpoints.
Run Ci tests in parallel.
Revise userspace and SELint versions in CI
fapolicyd: Fix selint issue.
tests.yml: Remove irrelevant comment.
Drop audit_access allows.
sympa: Move lines.
sympa: Drop module version.
sympa, mta, exim: Revise interfaces.
sympa, logging; Fix lint errors.
container: Add missing UDP node bind access on container engines.
Christian Göttsche (3):
Replace deprecated egrep usage
ci: update dependencies
ci: build SELint from source
Daniel Burgener (1):
Drop explicit calls to seutil and kernel module interfaces in broad files
interfaces
Dave Sugar (20):
ssh: allow ssh_keygen to read /usr/share/crypto-policies/
chronyd: Allow to read fips_enabled sysctl
chronyd: allow chronyd to read /usr/share/crypto-policies
systemd: init_t creates systemd-logind 'linger' directory
systemd: systemd-update-done fix startup issue
usbguard: Allow to read fips_enabled sysctl
firewalld: read to read fips_enabled sysctl
firewalld: create netfilter socket
firewalld: allow to load kernel modules
firewalld: write tmpfs files
firewalld: firewalld-cmd uses dbus
tpm2-abrmd: allow to send syslog messages
domain: move kernel_read_crypto_sysctls to a common location
fapolicyd: Initial SELinux policy
networkmanager: allow watch etc_t and lib_t
firewalld: allow watch on firewalld files
Seeing long delay during shutdown saying: 'A stop job is running for
Restore /run/initramfs on shutdown'
fix: issue #550 - compile failed when DIRECT_INITRC=y
fapolicyd: fagenrules chgrp's the compiled.rules
Add 'DIRECT_INITRC' config to automated tests
Kenton Groombridge (95):
systemd: add separate type for user transient units
systemd: rename user runtime unit interfaces
docker, podman: use renamed user runtime unit status interface
systemd: rename status user mananger units interface
systemd: systemd-resolved is linked to libselinux
systemd: dontaudit systemd-generator getattr on all dirs
raid: allow mdadm to use user ptys
bootloader, files: allow bootloader to getattr on boot_t filesystems
matrixd: various fixes
container: add unconfined role
unconfined: use unconfined container role
podman: add interface to rangetrans when executing conmon
podman: rework conmon rules
podman: add file context for podman in /usr/libexec
container: rework combined role interfaces
podman: typealias podman_user_conmon_t to podman_conmon_user_t
fail2ban: allow fail2ban to getsched on its processes
modutils: allow kmod to write to kmsg
postfix: allow postfix-map to read certbot certs
postfix: allow postfix master to get the state of init
postfix: allow postfix master fsetid capability
bind: fixes for named working on dnssec files
sudo: allow sudo domains to create netlink selinux sockets
sysnetwork, systemd: allow DNS resolution over io.systemd.Resolve
container: allow containers to manipulate own fds
container: allow container engines to manage tmp symlinks
ssh: add tunable to allow sshd to use remote port forwarding
systemd: minor fixes to systemd user domains
init, systemd: allow unpriv users to read the catalog
container: add separate type for container engine units
container, podman: allow podman to restart container units
spamassassin: add file context for rspamd log directory
term, init: allow systemd to watch and watch reads on unallocated ttys
certbot: various fixes
systemd: add file transition for systemd-networkd runtime
systemd: add missing file context for /run/systemd/network
systemd: add file contexts for systemd-network-generator
systemd, udev: allow udev to read systemd-networkd runtime
systemd: allow systemd-networkd to read init runtime files
podman: add alias for conmon executable
systemd: ensure connecting to resolved allows searching init runtime
ssh: allow sshd to run setfiles when polyinstantiation is enabled
sudo: allow sudo domains to access caller's /proc/pid/stat
container: add file contexts for docker home config
files, init: allow systemd to remount etc filesystems
systemd: allow systemd-logind to read localization
init: fix possible typo
corecmd: label dracut lib as bin_t
sudo: various fixes
udev: various fixes for udevadm
bootloader, init: various fixes for systemd-boot
systemd: allow systemd-generator to read etc runtime files
systemd: add interface to read userdb runtime files
logging: various fixes for auditctl
screen: add interface to dontaudit runtime sock file
systemd: dontaudit systemd-tmpfiles getattr on screen sock file
systemd: dontaudit systemd-tmpfiles getattr on all dirs
fstools: fixes for fsadm with nfs
various: fixes for nfs
init: dontaudit initrc creating /dev/console during initrd
storage: include chr_files in fixed_disk_dev interfaces
systemd: allow systemd-userdbd to search default contexts
logging, systemd: allow auditctl to list userdb runtime dirs
bootloader, userdom: minor fixes for systemd-boot
systemd: allow systemd-resolved to read generic certs
sysadm: allow sysadm to rw ipmi devices
zfs: initial policy module
fstools, mount: remove legacy zfs rules
files, mount: remove legacy ZFS file contexts
sysadm: allow admin access to zfs
kernel: allow kthreads to read and write the zpool cache
systemd, zfs: allow systemd-generator to read zfs config
udev: allow reading ZFS config
zfs: various fixes
mta: add support for nullmailer
devices: add interface to rw infiniband devices
xdg: add interface to dontaudit searching xdg data dirs
opensm: initial policy
sysadm: allow opensm access
corenet: add portcon for glusterfs
glusterfs: various fixes
glusterfs: add type for gluster bricks
mount: allow mounting glusterfs volumes
selinuxutil: allow semanage, setfiles to inherit gluster fds
glusterfs, selinuxutil: make modifying fcontexts a tunable
glusterfs: add type for glusterd hooks
usermanage: add file context for chpasswd in /usr/bin
node_exporter: add file context for node_exporter in /usr/bin
usbguard: add file context for usbguard in /usr/bin
init: add file context for systemd units in dracut modules
git: add file contexts for other git utilities
dbus, init, mount, rpc: minor fixes for mount.nfs
zfs: allow reading exports
systemd: allow systemd-generator to use dns resolution
rpc: allow rpc admins to rw nfsd fs
Pat Riehecky (2):
container: Boolean for ecryptfs
Clone `xguest_connect_network` for guest role
Russell Coker (1):
Sympa list server
Yi Zhao (16):
systemd: allow systemd user to watch /etc directories
logwatch: fixes for logwatch
postfix: allow postfix_local_t to search logwatch_cache_t
sysnetwork: allow systemd_networkd_t to read link file
logging: allow systemd-journal to manage syslogd_runtime_t sock_file
radius: fixes for freeradius
udev: allow udev_read_runtime_files to read link files
watchdog: allow watchdog to create /var/log/watchdog directory
systemd: allow systemd-resolved to manage link files
sysnetwork: fix privilege separation functionality of dhcpcd
sysnetwork: allow dhcpcd to send and receive messages from systemd
resolved
rpm: add label for dnf-automatic and dnf-3
systemd: allow systemd-backlight to read kernel sysctl settings
systemd: allow systemd-rfkill to get attributes of all fs
systemd: allow systemd-hostnamed to read selinux configuration files
systemd: add capability sys_admin to systemd_generator_t
* Fri May 20 2022 Chris PeBenito <[email protected]> - 2.20220520
Björn Esser (1):
authlogin: add fcontext for tcb
Chris PeBenito (118):
0xC0ncord/bugfix/systemd-user-exec-apps-hookup
systemd, ssh, ntp: Read fips_enabled crypto sysctl.
systemd: Unit generator fixes.
systemd: Revise tmpfiles factory to allow writing all configs.
systemd: User runtime reads user cgroup files.
logging: Add audit_control for journald.
udev: Manage EFI variables.
ntp: Handle symlink to drift directory.
logging: Allow auditd to stat() dispatcher executables.
Drop module versioning.
tests.yml: Disable policy_module() selint checks.
systemd: Change journal file context to MLS system high.
Revert "users: remove MCS categories from default users"
systemd: Add systemd-homed and systemd-userdbd.
systemd, ssh: Crypto sysctl use.
systemd: Additional fixes for fs getattrs.
systemd: Updates for generators and kmod-static-nodes.service.
domain: Allow lockdown for all domains.
postfix, spamassassin: Fix missed type renames after alias removals.
cron, dbus, policykit, postfix: Minor style fixes.
Make hide_broken_symptoms unconditional.
puppet: Style fixes.
matrixd: Cleanups.
matrixd: SELint fixes.
mailmain: Fix check_fc_files issue.
mailmain: Fix SELint issues.
postfix: Move lines.
apache: Remove unnecessary require in apache_exec().
seusers: Remove sddm.
Add a vulnerability handling process.
Christian Goettsche (1):
check_fc_files: allow optional @ character
Christian Göttsche (11):
filesystem: add fs_use_trans for ramfs
Ignore umask on when installing headers
Revert "tests.yml: Disable policy_module() selint checks."
build.conf: bump policy version in comment
flask: add new kernel security classes
policy_capabilities: add ioctl_skip_cloexec
policy.dtd: more strict bool/tunable and infoflow validation
Makefile: invoke python with -bb
Rules.monolithic: add target to generate CIL policy
Makefile: use override for adding options
Rules.modular: add pure-load target
Dave Sugar (4):
Allow iscsid to request kernel module load
Allow iscsid to check fips_enabled
sshd: allow to run /usr/bin/fipscheck (to check fips state)
systemd: resolve error with systemd-sysctl
Fabrice Fontaine (2):
policy/modules/services/samba.te: make crack optional
policy/modules/services/wireguard.te: make iptables optional
Gao Xiang (1):
Add erofs as a SELinux capable file system
Henrik Grindal Bakken (1):
snmp: Fix typo in /var/net-snmp rule
Jonathan Davies (12):
chronyd.te: Added chronyd_hwtimestamp boolean for chronyd_t to access
net_admin capability, this is required for its `hwtimestamp` option,
which otherwise returns:
virt.te: Fixed typo in virtlogd_t virt_common_runtime_t
manage_files_pattern.
obfs4proxy: Added policy.
tor: Added interfaces and types for obfs4proxy support.
corenetwork.te.in: Added ntske port.
chronyd.te: Added support for bind/connect/recv/send NTS packets.
chronyd: Allow access to read certs.
obj_perm_sets.spt: Fixed typo in rw_netlink_socket_perms.
policy/*: Replaced rw_netlink_socket_perms with
create_netlink_socket_perms.
node_exporter: Added initial policy.
systemd.te: Added boolean for allowing dhcpd server packets.
systemd.if: Allowed reading systemd_userdbd_runtime_t symlinks in
systemd_stream_connect_userdb().
Kenton Groombridge (174):
userdomain: add user exec domain attribute and interface
systemd: assign user exec attribute to systemd --user instances
systemd: add interface to support monitoring and output capturing of child
processes
wm: add user exec domain attribute to wm domains
ssh: add interface to execute and transition to ssh client
userdomain: add interface to allow mapping all user home content
git, roles: add policy for git client
apache, roles: use user exec domain attribute
screen, roles: use user exec domain attribute
git, roles: use user exec domain attribute
postgresql, roles: use user exec domain attribute
ssh, roles: use user exec domain attribute
sudo, roles: use user exec domain attribute
syncthing, roles: use user exec domain attribute
xscreensaver, roles: use user exec domain attribute
xserver, roles, various: use user exec domain attribute
authlogin, roles: use user exec domain attribute
bluetooth, roles: use user exec domain attribute
cdrecord, roles: use user exec domain attribute
chromium, roles: use user exec domain attribute
cron, roles: use user exec domain attribute
dirmngr, roles: use user exec domain attribute
evolution, roles: use user exec domain attribute
games, roles: use user exec domain attribute
gnome, roles: use user exec domain attribute
gpg, roles: use user exec domain attribute
irc, roles: use user exec domain attribute
java, roles: use user exec domain attribute
libmtp, roles: use user exec domain attribute
lpd, roles: use user exec domain attribute
mozilla, roles: use user exec domain attribute
mplayer, roles: use user exec domain attribute
mta, roles: use user exec domain attribute
openoffice, roles: use user exec domain attribute
pulseaudio, roles: use user exec domain attribute
pyzor, roles: use user exec domain attribute
razor, roles: use user exec domain attribute
rssh, roles: use user exec domain attribute
spamassassin, roles: use user exec domain attribute
su, roles: use user exec domain attribute
telepathy, roles: use user exec domain attribute
thunderbird, roles: use user exec domain attribute
tvtime, roles: use user exec domain attribute
uml, roles: use user exec domain attribute
userhelper, roles: use user exec domain attribute
vmware, roles: use user exec domain attribute
wireshark, roles: use user exec domain attribute
wm, roles: use user exec domain attribute
hadoop, roles: use user exec domain attribute
shutdown, roles: use user exec domain attribute
cryfs, roles: use user exec domain attribute
wine: use user exec domain attribute
mono: use user exec domain attribute
sudo: add tunable to control user exec domain access
su: add tunable to control user exec domain access
shutdown: add tunable to control user exec domain access
mpd, pulseaudio: split domtrans and client access
mcs: deprecate mcs overrides
mcs: restrict create, relabelto on mcs files
fs: add pseudofs attribute and interfaces
devices: make usbfs pseudofs instead of noxattrfs
git: fix typo in git hook exec access
dovecot, spamassassin: allow dovecot to execute spamc
mta, spamassassin: fixes for rspamd
certbot, various: allow various services to read certbot certs
usbguard, sysadm: misc fixes
ssh: fix for polyinstantiation
sysadm, systemd: fixes for systemd-networkd
asterisk: allow reading generic certs
bind: fixes for unbound
netutils: fix ping
policykit, systemd: allow policykit to watch systemd logins and sessions
spamassassin: fix file contexts for rspamd symlinks
mcs: add additional constraints to databases
mcs: constrain misc IPC objects
mcs: combine single-level object creation constraints
various: deprecate mcs override interfaces
corenet: make netlabel_peer_t mcs constrained
mcs: constrain context contain access
mcs: only constrain mcs_constrained_type for db accesses
guest, xguest: remove apache role access
wine: fix roleattribute statement
testing: accept '@' as a valid ending character in filecon checker
users: remove MCS categories from default users