
selinux-policy-20231124-2.1 RPM for noarch

From OpenSuSE Ports Tumbleweed for noarch

Name: selinux-policy
Distribution: openSUSE:Factory:zSystems
Version: 20231124
Vendor: openSUSE
Release: 2.1
Build date: Mon Dec 11 22:13:05 2023
Group: System/Management
Build host: s390zl29
Size: 25347
Source RPM: selinux-policy-20231124-2.1.src.rpm
Packager: https://bugs.opensuse.org
Url: https://github.com/fedora-selinux/selinux-policy.git
Summary: SELinux policy configuration
SELinux Reference Policy. A complete SELinux policy that can be used
as the system policy for a variety of systems and used as the basis for
creating other policies.

Provides

Requires

License

GPL-2.0-or-later

Changelog

* Tue Nov 28 2023 Hu <cathy.hu@suse.com>
  - Trigger rebuild of the policy when pcre2 gets updated to avoid
    regex version mismatch errors (bsc#1216747).
* Fri Nov 24 2023 cathy.hu@suse.com
  - Update to version 20231124:
    * Allow virtnetworkd_t to execute bin_t (bsc#1216903)
* Wed Nov 22 2023 Hu <cathy.hu@suse.com>
  - Add new modules that were missed in the last update to
    modules-mls-contrib.conf
* Wed Nov 22 2023 Hu <cathy.hu@suse.com>
  - Add new modules that were missed in the last update to
    modules-targeted-contrib.conf
* Mon Oct 30 2023 cathy.hu@suse.com
  - Update to version 20231030:
    * Allow system_mail_t manage exim spool files and dirs
    * Dontaudit keepalived setattr on keepalived_unconfined_script_exec_t
    * Label /run/pcsd.socket with cluster_var_run_t
    * ci: Run cockpit tests in PRs
    * Add map_read map_write to kernel_prog_run_bpf
    * Allow systemd-fstab-generator read all symlinks
    * Allow systemd-fstab-generator the dac_override capability
    * Allow rpcbind read network sysctls
    * Support using systemd containers
    * Allow sysadm_t to connect to iscsid using a unix domain stream socket
    * Add policy for coreos installer
    * Add policy for nvme-stas
    * Confine systemd fstab,sysv,rc-local
    * Label /etc/aliases.lmdb with etc_aliases_t
    * Create policy for afterburn
    * Make new virt drivers permissive
    * Split virt policy, introduce virt_supplementary module
    * Allow apcupsd cgi scripts read /sys
    * Allow kernel_t to manage and relabel all files
    * Add missing optional_policy() to files_relabel_all_files()
    * Allow named and ndc use the io_uring api
    * Deprecate common_anon_inode_perms usage
    * Improve default file context(None) of /var/lib/authselect/backups
    * Allow udev_t to search all directories with a filesystem type
    * Implement proper anon_inode support
    * Allow targetd write to the syslog pid sock_file
    * Add ipa_pki_retrieve_key_exec() interface
    * Allow kdumpctl_t to list all directories with a filesystem type
    * Allow udev additional permissions
    * Allow udev load kernel module
    * Allow sysadm_t to mmap modules_object_t files
    * Add the unconfined_read_files() and unconfined_list_dirs() interfaces
    * Set default file context of HOME_DIR/tmp/.* to <<none>>
    * Allow kernel_generic_helper_t to execute mount(1)
    * Allow sssd send SIGKILL to passkey_child running in ipa_otpd_t
    * Allow systemd-localed create Xserver config dirs
    * Allow sssd read symlinks in /etc/sssd
    * Label /dev/gnss[0-9] with gnss_device_t
    * Allow systemd-sleep read/write efivarfs variables
    * ci: Fix version number of packit generated srpms
    * Dontaudit rhsmcertd write memory device
    * Allow ssh_agent_type create a sockfile in /run/user/USERID
    * Set default file context of /var/lib/authselect/backups to <<none>>
    * Allow prosody read network sysctls
    * Allow cupsd_t to use bpf capability
    * Allow sssd domain transition on passkey_child execution conditionally
    * Allow login_userdomain watch lnk_files in /usr
    * Allow login_userdomain watch video4linux devices
    * Change systemd-network-generator transition to include class file
    * Revert "Change file transition for systemd-network-generator"
    * Allow nm-dispatcher winbind plugin read/write samba var files
    * Allow systemd-networkd write to cgroup files
    * Allow kdump create and use its memfd: objects
    * Allow fedora-third-party get generic filesystem attributes
    * Allow sssd use usb devices conditionally
    * Update policy for qatlib
    * Allow ssh_agent_type manage generic cache home files
    * Change file transition for systemd-network-generator
    * Additional support for gnome-initial-setup
    * Update gnome-initial-setup policy for geoclue
    * Allow openconnect vpn open vhost net device
    * Allow cifs.upcall to connect to SSSD also through the /var/run socket
    * Grant cifs.upcall more required capabilities
    * Allow xenstored map xenfs files
    * Update policy for fdo
    * Allow keepalived watch var_run dirs
    * Allow svirt to rw /dev/udmabuf
    * Allow qatlib to modify hardware state information.
    * Allow key.dns_resolve connect to avahi over a unix stream socket
    * Allow key.dns_resolve create and use unix datagram socket
    * Use quay.io as the container image source for CI
    * ci: Move srpm/rpm build to packit
    * .copr: Avoid subshell and changing directory
    * Allow gpsd, oddjob and oddjob_mkhomedir_t write user_tty_device_t chr_file
    * Label /usr/libexec/openssh/ssh-pkcs11-helper with ssh_agent_exec_t
    * Make insights_client_t an unconfined domain
    * Allow insights-client manage user temporary files
    * Allow insights-client create all rpm logs with a correct label
    * Allow insights-client manage generic logs
    * Allow cloud_init create dhclient var files and init_t manage net_conf_t
    * Allow insights-client read and write cluster tmpfs files
    * Allow ipsec read nsfs files
    * Make tuned work with mls policy
    * Remove nsplugin_role from mozilla.if
    * allow mon_procd_t self:cap_userns sys_ptrace
    * Allow pdns name_bind and name_connect all ports
    * Set the MLS range of fsdaemon_t to s0 - mls_systemhigh
    * ci: Move to actions/checkout@v3 version
    * .copr: Replace chown call with standard workflow safe.directory setting
    * .copr: Enable `set -u` for robustness
    * .copr: Simplify root directory variable
    * Allow rhsmcertd dbus chat with policykit
    * Allow polkitd execute pkla-check-authorization with nnp transition
    * Allow user_u and staff_u get attributes of non-security dirs
    * Allow unconfined user filetrans chrome_sandbox_home_t
    * Allow svnserve execute postdrop with a transition
    * Do not make postfix_postdrop_t type an MTA executable file
    * Allow samba-dcerpc service manage samba tmp files
    * Add use_nfs_home_dirs boolean for mozilla_plugin
    * Fix labeling for no-stub-resolv.conf
    * Revert "Allow winbind-rpcd use its private tmp files"
    * Allow upsmon execute upsmon via a helper script
    * Allow openconnect vpn read/write inherited vhost net device
    * Allow winbind-rpcd use its private tmp files
    * Update samba-dcerpc policy for printing
    * Allow gpsd,oddjob,oddjob_mkhomedir rw user domain pty
    * Allow nscd watch system db dirs
    * Allow qatlib to read sssd public files
    * Allow fedora-third-party read /sys and proc
    * Allow systemd-gpt-generator mount a tmpfs filesystem
    * Allow journald write to cgroup files
    * Allow rpc.mountd read network sysctls
    * Allow blueman read the contents of the sysfs filesystem
    * Allow logrotate_t to map generic files in /etc
    * Boolean: Allow virt_qemu_ga create ssh directory
    * Allow systemd-network-generator send system log messages
    * Dontaudit the execute permission on sock_file globally
    * Allow fsadm_t the file mounton permission
    * Allow named and ndc the io_uring sqpoll permission
    * Allow sssd io_uring sqpoll permission
    * Fix location for /run/nsd
    * Allow qemu-ga get fixed disk devices attributes
    * Update bitlbee policy
    * Label /usr/sbin/sos with sosreport_exec_t
    * Update policy for the sblim-sfcb service
    * Add the files_getattr_non_auth_dirs() interface
    * Fix the CI to work with DNF5
    * Make systemd_tmpfiles_t MLS trusted for lowering the level of files
    * Revert "Allow insights client map cache_home_t"
    * Allow nfsidmapd connect to systemd-machined over a unix socket
    * Allow snapperd connect to kernel over a unix domain stream socket
    * Allow virt_qemu_ga_t create .ssh dir with correct label
    * Allow targetd read network sysctls
    * Set the abrt_handle_event boolean to on
    * Permit kernel_t to change the user identity in object contexts
    * Allow insights client map cache_home_t
    * Label /usr/sbin/mariadbd with mysqld_exec_t
    * Allow httpd tcp connect to redis port conditionally
    * Label only /usr/sbin/ripd and ripngd with zebra_exec_t
    * Dontaudit aide the execmem permission
    * Remove permissive from fdo
    * Allow sa-update manage spamc home files
    * Allow sa-update connect to systemlog services
    * Label /usr/lib/systemd/system/mimedefang.service with antivirus_unit_file_t
    * Allow nsd_crond_t write nsd_var_run_t & connectto nsd_t
    * Allow bootupd search EFI directory
    * Change init_audit_control default value to true
    * Allow nfsidmapd connect to systemd-userdbd with a unix socket
    * Add the qatlib module
    * Add the fdo module
    * Add the bootupd module
    * Set default ports for keylime policy
    * Create policy for qatlib
    * Add policy for FIDO Device Onboard
    * Add policy for bootupd
    * Add support for kafs-dns requested by keyutils
    * Allow insights-client execmem
    * Add support for chronyd-restricted
    * Add init_explicit_domain() interface
    * Allow fsadm_t to get attributes of cgroup filesystems
    * Add list_dir_perms to kerberos_read_keytab
    * Label /var/run/tmpfiles.d/static-nodes.conf with kmod_var_run_t
    * Allow sendmail manage its runtime files
* Thu Oct 12 2023 cathy.hu@suse.com
  - Update to version 20231012:
    * Allow sssd_t watch permission to net_conf_t dirs (bsc#1216052)
    * Revert fix for bsc#1205770 since it causes a regression for bsc#1214887
* Wed Oct 04 2023 Johannes Segitz <jsegitz@suse.com>
  - Use /var/adm/update-scripts in macros.selinux-policy. The rpm state
    directory doesn't exist on SUSE systems (bsc#1213593)
* Tue Sep 19 2023 Johannes Segitz <jsegitz@suse.com>
  - Modified update.sh to require first parameter "full" to also
    update container-selinux. For maintenance updates you usually
    don't want it to be updated
* Fri Jul 28 2023 filippo.bonazzi@suse.com
  - Update to version 20230728:
    * Allow kdump_t to manage symlinks under kdump_var_lib_t (bsc#1213721)
    * allow haveged to manage tmpfs directories (bsc#1213594)
* Thu Jun 22 2023 jsegitz@suse.com
  - Update to version 20230622:
    * Allow keyutils_dns_resolver_exec_t be an entrypoint
    * Allow collectd_t read network state symlinks
    * Revert "Allow collectd_t read proc_net link files"
    * Allow nfsd_t to list exports_t dirs
    * Allow cupsd dbus chat with xdm
    * Allow haproxy read hardware state information
    * Label /dev/userfaultfd with userfaultfd_t
    * Allow blueman send general signals to unprivileged user domains
    * Allow dkim-milter domain transition to sendmail
* Tue Apr 25 2023 cathy.hu@suse.com
  - Update to version 20230425:
    * Remove unneeded manage_dirs_pattern for lastlog_t (bsc#1210461)
    * Add policy for wtmpdb (bsc#1210717)
* Tue Apr 25 2023 cathy.hu@suse.com
  - Update to version 20230425:
    * Add support for lastlog2 (bsc#1210461)
    * allow the chrony client to use unallocated ttys (bsc#1210672)
* Thu Apr 20 2023 jsegitz@suse.com
  - Update to version 20230420:
    * libzypp creates temporary files in /var/adm/mount. Label it with
      rpm_var_cache_t to prevent wrong labels in /var/cache/zypp
    * only use rsync_exec_t for the rsync server, not for the client
      (bsc#1209890)
    * properly label sshd-gen-keys-start to ensure ssh host keys have proper
      labels after creation
    * Allow dovecot-deliver write to the main process runtime fifo files
    * Allow dmidecode write to cloud-init tmp files
    * Allow chronyd send a message to cloud-init over a datagram socket
    * Allow cloud-init domain transition to insights-client domain
    * Allow mongodb read filesystem sysctls
    * Allow mongodb read network sysctls
    * Allow accounts-daemon read generic systemd unit lnk files
    * Allow blueman watch generic device dirs
    * Allow nm-dispatcher tlp plugin create tlp dirs
    * Allow systemd-coredump mounton /usr
    * Allow rabbitmq to read network sysctls
    * Allow certmonger dbus chat with the cron system domain
    * Allow geoclue read network sysctls
    * Allow geoclue watch the /etc directory
    * Allow logwatch_mail_t read network sysctls
    * allow systemd_resolved_t to bind to all nodes (bsc#1200182)
    * Allow insights-client read all sysctls
    * Allow passt manage qemu pid sock files
    * Allow sssd read accountsd fifo files
    * Add support for the passt_t domain
    * Allow virtd_t and svirt_t work with passt
    * Add new interfaces in the virt module
    * Add passt interfaces defined conditionally
    * Allow tshark the setsched capability
    * Allow poweroff create connections to system dbus
    * Allow wg load kernel modules, search debugfs dir
    * Boolean: allow qemu-ga manage ssh home directory
    * Label smtpd with sendmail_exec_t
    * Label msmtp and msmtpd with sendmail_exec_t
    * Allow dovecot to map files in /var/spool/dovecot
    * Confine gnome-initial-setup
    * Allow qemu-guest-agent create and use vsock socket
    * Allow login_pgm setcap permission
    * Allow chronyc read network sysctls
    * Enhancement of the /usr/sbin/request-key helper policy
    * Fix opencryptoki file names in /dev/shm
    * Allow system_cronjob_t transition to rpm_script_t
    * Revert "Allow system_cronjob_t domtrans to rpm_script_t"
    * Add tunable to allow squid bind snmp port
    * Allow staff_t getattr init pid chr & blk files and read krb5
    * Allow firewalld to rw z90crypt device
    * Allow httpd work with tokens in /dev/shm
    * Allow svirt to map svirt_image_t char files
    * Allow sysadm_t run initrc_t script and sysadm_r role access
    * Allow insights-client manage fsadm pid files
    * Allowing snapper to create snapshots of /home/ subvolume/partition
    * Add boolean qemu-ga to run unconfined script
    * Label systemd-journald feature LogNamespace
    * Add none file context for polyinstantiated tmp dirs
    * Allow certmonger read the contents of the sysfs filesystem
    * Add journalctl the sys_resource capability
    * Allow nm-dispatcher plugins read generic files in /proc
* Tue Mar 28 2023 Hu <cathy.hu@suse.com>
  - Add debug-build.sh script to make debugging without committing easier
* Tue Mar 21 2023 jsegitz@suse.com
  - Update to version 20230321:
    * make kernel_t unconfined again
* Thu Mar 16 2023 jsegitz@suse.com
  - Update to version 20230316:
    * prevent labeling of overlayfs filesystems based on the /var/lib/overlay
      path
    * allow kernel_t to relabel etc_t files
    * allow kernel_t to relabel sysnet config files
    * allow kernel_t to relabel systemd hwdb etc files
    * add systemd_hwdb_relabel_etc_files to allow labeling of hwdb files
    * change sysnet_relabelto_net_conf and sysnet_relabelfrom_net_conf to apply
      to files and lnk_files. lnk_files are commonly used in SUSE to allow easy
      management of config files
    * add files_relabel_etc_files_basic and files_relabel_etc_lnk_files_basic
      interfaces to allow labeling on etc_t, not on the broader configfiles
      attribute
    * Allow systemd-timesyncd to bind to generic UDP ports (bsc#1207962). The
      watch permissions reported are already fixed in a current policy.
  - Reinstate update.sh and remove container-selinux from the service.
    Having both repos in there causes issues and update.sh makes the update
    process easier in general. Updated README.Update
* Tue Mar 07 2023 Johannes Segitz <jsegitz@suse.com>
  - Remove erroneous SUSE man page. Will not be created with the
    3.5 toolchain
* Tue Feb 14 2023 Hu <cathy.hu@suse.com>
  - Complete packaging rework: Move policy to git repository and
    only use tar_scm obs service to refresh from there:
    https://gitlab.suse.de/selinux/selinux-policy
    Please use `osc service manualrun` to update this OBS package to the
    newest git version.
    * Added README.Update describing how to update this package
    * Added _service file that pulls from selinux-policy and
      upstream container-selinux and tars them
    * Adapted selinux-policy.spec to build selinux-policy with
      container-selinux
    * Removed update.sh as no longer needed
    * Removed suse specific modules as they are now covered by git commits
    * packagekit.te packagekit.if packagekit.fc
    * rebootmgr.te rebootmgr.if rebootmgr.fc
    * rtorrent.te rtorrent.if rtorrent.fc
    * wicked.te wicked.if wicked.fc
    * Removed *.patch as they are now covered by git commits:
    * distro_suse_to_distro_redhat.patch
    * dontaudit_interface_kmod_tmpfs.patch
    * fix_accountsd.patch
    * fix_alsa.patch
    * fix_apache.patch
    * fix_auditd.patch
    * fix_authlogin.patch
    * fix_automount.patch
    * fix_bitlbee.patch
    * fix_chronyd.patch
    * fix_cloudform.patch
    * fix_colord.patch
    * fix_corecommand.patch
    * fix_cron.patch
    * fix_dbus.patch
    * fix_djbdns.patch
    * fix_dnsmasq.patch
    * fix_dovecot.patch
    * fix_entropyd.patch
    * fix_firewalld.patch
    * fix_fwupd.patch
    * fix_geoclue.patch
    * fix_hypervkvp.patch
    * fix_init.patch
    * fix_ipsec.patch
    * fix_iptables.patch
    * fix_irqbalance.patch
    * fix_java.patch
    * fix_kernel.patch
    * fix_kernel_sysctl.patch
    * fix_libraries.patch
    * fix_locallogin.patch
    * fix_logging.patch
    * fix_logrotate.patch
    * fix_mcelog.patch
    * fix_miscfiles.patch
    * fix_nagios.patch
    * fix_networkmanager.patch
    * fix_nis.patch
    * fix_nscd.patch
    * fix_ntp.patch
    * fix_openvpn.patch
    * fix_postfix.patch
    * fix_rpm.patch
    * fix_rtkit.patch
    * fix_screen.patch
    * fix_selinuxutil.patch
    * fix_sendmail.patch
    * fix_smartmon.patch
    * fix_snapper.patch
    * fix_sslh.patch
    * fix_sysnetwork.patch
    * fix_systemd.patch
    * fix_systemd_watch.patch
    * fix_thunderbird.patch
    * fix_unconfined.patch
    * fix_unconfineduser.patch
    * fix_unprivuser.patch
    * fix_userdomain.patch
    * fix_usermanage.patch
    * fix_wine.patch
    * fix_xserver.patch
    * sedoctool.patch
    * systemd_domain_dyntrans_type.patch
* Mon Feb 06 2023 Johannes Segitz <jsegitz@suse.com>
  - Update to version 20230206. Refreshed:
    * fix_entropyd.patch
    * fix_networkmanager.patch
    * fix_systemd_watch.patch
    * fix_unconfineduser.patch
  - Updated fix_kernel.patch to allow kernel_t access to xdm state. This is
    necessary as plymouth doesn't run in its own domain in early boot
* Mon Jan 16 2023 Johannes Segitz <jsegitz@suse.com>
  - Update to version 20230125. Refreshed:
    * distro_suse_to_distro_redhat.patch
    * fix_dnsmasq.patch
    * fix_init.patch
    * fix_ipsec.patch
    * fix_kernel_sysctl.patch
    * fix_logging.patch
    * fix_rpm.patch
    * fix_selinuxutil.patch
    * fix_systemd_watch.patch
    * fix_userdomain.patch
  - More flexible lib(exec) matching in fix_fwupd.patch
  - Removed sys_admin for systemd_gpt_generator_t in fix_systemd.patch
  - Dropped fix_container.patch, is now upstream
  - Added fix_entropyd.patch
    * Added new interface entropyd_semaphore_filetrans to properly transfer
      semaphore created during early boot. That doesn't work yet, so work
      around with next item
    * Allow reading tmpfs files
  - Added fix_kernel.patch. Added modutils_execute_kmod_tmpfs_files interface
    to allow kmod_tmpfs_t files to be executed. Necessary for firewalld
  - Added fix_rtkit.patch to fix labeling of binary
  - Modified fix_ntp.patch:
    * Proper labeling for start-ntpd
    * Fixed label rules for chroot path
    * Temporarily allow dac_override for ntpd_t (bsc#1207577)
    * Add interface ntp_manage_pid_files to allow management of pid
      files
  - Updated fix_networkmanager.patch to allow managing ntp pid files
* Thu Jan 12 2023 Johannes Segitz <jsegitz@suse.com>
  - Update fix_container.patch to allow privileged containers to use
    localectl (bsc#1207077)
* Wed Jan 11 2023 Johannes Segitz <jsegitz@suse.com>
  - Add fix_container.patch to allow privileged containers to use
    timedatectl (bsc#1207054)
* Thu Dec 15 2022 Hu <cathy.hu@suse.com>
  - Added fix_ipsec.patch: Allow AF_ALG socket creation for strongswan
    (bnc#1206445)
* Wed Dec 14 2022 Hu <cathy.hu@suse.com>
  - Added policy for wicked scripts under /etc/sysconfig/network/scripts
    (bnc#1205770)
* Wed Dec 14 2022 Johannes Segitz <jsegitz@suse.com>
  - Add fix_sendmail.patch
    * fix context of custom sendmail startup helper
    * fix context of /var/run/sendmail and add necessary rules to manage
      content in there
* Tue Dec 13 2022 Johannes Segitz <jsegitz@suse.com>
  - Updated fix_networkmanager.patch to fix labeling of nm-dispatcher and
    nm-priv-helper until the packaging is adjusted (bsc#1206355)
  - Update fix_chronyd.patch to allow sendto towards
    NetworkManager_dispatcher_custom_t. Added new interface
    networkmanager_dispatcher_custom_dgram_send for this (bsc#1206357)
  - Update fix_dbus.patch to allow dbus to watch lib directories (bsc#1205895)
* Tue Dec 06 2022 Johannes Segitz <jsegitz@suse.com>
  - Updated fix_networkmanager.patch to allow NetworkManager to watch
    net_conf_t (bsc#1206109)
* Wed Nov 30 2022 Filippo Bonazzi <filippo.bonazzi@suse.com>
  - Add fix_irqbalance.patch: support netlink socket operations (bsc#1205434)
* Wed Nov 30 2022 Filippo Bonazzi <filippo.bonazzi@suse.com>
  - Drop fix_irqbalance.patch: superseded by upstream
* Thu Nov 24 2022 Hu <cathy.hu@suse.com>
  - fix_sysnetwork.patch: firewalld uses /etc/sysconfig/network/ for
    network interface definition instead of /etc/sysconfig/network-scripts/,
    modified sysnetwork.fc to reflect that (bsc#1205580).
* Wed Oct 19 2022 Johannes Segitz <jsegitz@suse.com>
  - Update to version 20221019. Refreshed:
    * distro_suse_to_distro_redhat.patch
    * fix_apache.patch
    * fix_chronyd.patch
    * fix_cron.patch
    * fix_init.patch
    * fix_kernel_sysctl.patch
    * fix_networkmanager.patch
    * fix_rpm.patch
    * fix_sysnetwork.patch
    * fix_systemd.patch
    * fix_systemd_watch.patch
    * fix_unconfined.patch
    * fix_unconfineduser.patch
    * fix_unprivuser.patch
    * fix_xserver.patch
  - Dropped fix_cockpit.patch as this is now packaged with cockpit itself
  - Remove the ipa module, freeipa ships their own module
  - Added fix_alsa.patch to allow reading of config files in home directories
  - Extended fix_networkmanager.patch and fix_postfix.patch to account
    for SUSE systems
  - Added dontaudit_interface_kmod_tmpfs.patch to prevent AVCs when startproc
    queries the running processes
  - Updated fix_snapper.patch to allow snapper to talk to rpm via dbus
* Fri Sep 30 2022 Johannes Segitz <jsegitz@suse.com>
  - Updated quilt couldn't unpack tarball. This will cause ongoing issues
    so drop the sed statement in the %prep section and add
    distro_suse_to_distro_redhat.patch to add the necessary changes
    via a patch
* Thu Sep 29 2022 Johannes Segitz <jsegitz@suse.com>
  - Update fix_networkmanager.patch to ensure NetworkManager chrony
    dispatcher is properly labeled and update fix_chronyd.patch to ensure
    chrony helper script has proper label to be used by NetworkManager.
    Also allow NetworkManager_dispatcher_custom_t to query systemd status
    (bsc#1203824)
* Tue Sep 27 2022 Filippo Bonazzi <filippo.bonazzi@suse.com>
  - Update fix_xserver.patch to add greetd support (bsc#1198559)
* Mon Sep 12 2022 Johannes Segitz <jsegitz@suse.com>
  - Revamped rtorrent module
* Fri Aug 26 2022 Thorsten Kukuk <kukuk@suse.com>
  - Move SUSE directory from manual page section to html docu
* Wed Jul 27 2022 Hu <cathy.hu@suse.com>
  - fix_networkmanager.patch: Allow NetworkManager_dispatcher_tlp_t
    and NetworkManager_dispatcher_custom_t to access nscd socket
    (bsc#1201741)
* Tue Jul 26 2022 Zdenek Kubala <zkubala@suse.com>
  - Add fix_cloudform.patch to fix cloud-init runcmd issue with snapper
    (bnc#1201015)
* Thu Jul 14 2022 Johannes Segitz <jsegitz@suse.com>
  - Update to version 20220714. Refreshed:
    * fix_init.patch
    * fix_systemd_watch.patch
* Wed Jul 13 2022 Johannes Segitz <jsegitz@suse.com>
  - Update fix_systemd.patch to add cap sys_admin and kernel_dgram_send for
    systemd_gpt_generator_t (bsc#1200911)
* Mon Jul 11 2022 Johannes Segitz <jsegitz@suse.com>
  - postfix: Label PID files and some helpers correctly (bsc#1197242)
* Fri Jun 24 2022 Johannes Segitz <jsegitz@suse.com>
  - Add fix_userdomain.patch to dontaudit UDP rpc ports (bsc#1193984)
* Fri Jun 24 2022 Johannes Segitz <jsegitz@suse.com>
  - Update to version 20220624. Refreshed:
    * fix_init.patch
    * fix_kernel_sysctl.patch
    * fix_logging.patch
    * fix_networkmanager.patch
    * fix_unprivuser.patch
    Dropped fix_hadoop.patch, not necessary anymore
    * Updated fix_locallogin.patch to allow accesses for nss-systemd
    (bsc#1199630)
* Fri May 20 2022 Johannes Segitz <jsegitz@suse.com>
  - Update to version 20220520 to pass stricter 3.4 toolchain checks
* Fri May 20 2022 Johannes Segitz <jsegitz@suse.com>
  - Update to version 20220428. Refreshed:
    * fix_apache.patch
    * fix_hadoop.patch
    * fix_init.patch
    * fix_iptables.patch
    * fix_kernel_sysctl.patch
    * fix_networkmanager.patch
    * fix_systemd.patch
    * fix_systemd_watch.patch
    * fix_unprivuser.patch
    * fix_usermanage.patch
    * fix_wine.patch
* Thu May 19 2022 Johannes Segitz <jsegitz@suse.com>
  - Add fix_dnsmasq.patch to fix problems with virtualization on Microos
    (bsc#1199518)
* Tue May 03 2022 Johannes Segitz <jsegitz@suse.com>
  - Modified fix_init.patch to allow init to setup constrained environment
    for accountsservice. This needs a better, more general solution
    (bsc#1197610)
* Mon May 02 2022 Johannes Segitz <jsegitz@suse.com>
  - Add systemd_domain_dyntrans_type.patch to allow systemd to dyntransition.
    This happens in certain boot conditions (bsc#1182500)
  - Changed fix_unconfineduser.patch to not transition into ldconfig_t
    from unconfined_t (bsc#1197169)
* Thu Feb 17 2022 Klaus Kämpf <kkaempf@suse.com>
  - use %license tag for COPYING file
* Thu Feb 10 2022 Johannes Segitz <jsegitz@suse.com>
  - Updated fix_cron.patch. Adjust labeling for at (bsc#1195683)
* Wed Feb 09 2022 Filippo Bonazzi <filippo.bonazzi@suse.com>
  - Fix bitlbee runtime directory (bsc#1193230)
    * add fix_bitlbee.patch
* Mon Jan 24 2022 Johannes Segitz <jsegitz@suse.com>
  - Update to version 20220124. Refreshed:
    * fix_hadoop.patch
    * fix_init.patch
    * fix_kernel_sysctl.patch
    * fix_systemd.patch
    * fix_systemd_watch.patch
  - Added fix_hypervkvp.patch to fix issues with hyperv labeling
    (bsc#1193987)
* Fri Jan 14 2022 Johannes Segitz <jsegitz@suse.com>
  - Allow colord to use systemd hardenings (bsc#1194631)
* Thu Nov 11 2021 Johannes Segitz <jsegitz@suse.com>
  - Update to version 20211111. Refreshed:
    * fix_dbus.patch
    * fix_systemd.patch
    * fix_authlogin.patch
    * fix_auditd.patch
    * fix_kernel_sysctl.patch
    * fix_networkmanager.patch
    * fix_chronyd.patch
    * fix_unconfineduser.patch
    * fix_unconfined.patch
    * fix_firewalld.patch
    * fix_init.patch
    * fix_xserver.patch
    * fix_logging.patch
    * fix_hadoop.patch
* Mon Oct 25 2021 Marcus Meissner <meissner@suse.com>
  - fix_wine.patch: give Wine .dll same context as .so (bsc#1191976)
* Tue Sep 28 2021 Enzo Matsumiya <ematsumiya@suse.com>
  - Fix auditd service start with systemd hardening directives (boo#1190918)
    * add fix_auditd.patch
* Thu Sep 02 2021 Johannes Segitz <jsegitz@suse.com>
  - Modified fix_systemd.patch to allow systemd gpt generator access to
    udev files (bsc#1189280)
* Fri Aug 27 2021 Ales Kedroutek <ales.kedroutek@suse.com>
  - fix rebootmgr does not trigger the reboot properly (boo#1189878)
    * fix managing /etc/rebootmgr.conf
    * allow rebootmgr_t to cope with systemd and dbus messaging
* Thu Aug 26 2021 Johannes Segitz <jsegitz@suse.com>
  - Properly label cockpit files
  - Allow wicked to communicate with network manager on DBUS (bsc#1188331)
* Mon Aug 23 2021 Ales Kedroutek <ales.kedroutek@suse.com>
  - Added policy module for rebootmgr (jsc#SMO-28)
* Tue Aug 17 2021 Ludwig Nussel <lnussel@suse.de>
  - Allow systemd-sysctl to read kernel specific sysctl.conf
    (fix_kernel_sysctl.patch, boo#1184804)
* Tue Aug 10 2021 Ludwig Nussel <lnussel@suse.de>
  - Fix quoting in postInstall macro
* Fri Jul 16 2021 Johannes Segitz <jsegitz@suse.com>
  - Update to version 20210716
  - Remove interfaces for container module before building the package
    (bsc#1188184)
  - Updated
    * fix_init.patch
    * fix_systemd_watch.patch
    to adapt to upstream changes
* Thu Jul 15 2021 Callum Farmer <gmbr3@opensuse.org>
  - Use tabrmd SELinux modules from tpm2.0-abrmd instead of storing
    here
* Tue Jul 06 2021 Alberto Planas Dominguez <aplanas@suse.com>
  - Add tabrmd SELinux modules from upstream (bsc#1187925)
    https://github.com/tpm2-software/tpm2-abrmd/tree/master/selinux
  - Automatic spec-cleaner to fix ordering and misaligned spaces
* Mon Jun 28 2021 Johannes Segitz <jsegitz@suse.com>
  - Update to version 20210419
  - Dropped fix_gift.patch, module was removed
  - Updated wicked.te to remove dropped interface
  - Refreshed:
    * fix_cockpit.patch
    * fix_hadoop.patch
    * fix_init.patch
    * fix_logging.patch
    * fix_logrotate.patch
    * fix_networkmanager.patch
    * fix_nscd.patch
    * fix_rpm.patch
    * fix_selinuxutil.patch
    * fix_systemd.patch
    * fix_systemd_watch.patch
    * fix_thunderbird.patch
    * fix_unconfined.patch
    * fix_unconfineduser.patch
    * fix_unprivuser.patch
    * fix_xserver.patch
* Tue May 18 2021 Ludwig Nussel <lnussel@suse.de>
  - allow systemd to watch /usr, /usr/lib, /etc, /etc/pki as we have path units
    that trigger on changes in those.
    Added fix_systemd_watch.patch
  - own /usr/share/selinux/packages/$SELINUXTYPE/ and
    /var/lib/selinux/$SELINUXTYPE/active/modules/* to allow packages to install
    files there
* Wed Apr 28 2021 Ludwig Nussel <lnussel@suse.de>
  - allow cockpit socket to bind nodes (fix_cockpit.patch)
  - use %autosetup to get rid of endless patch lines
* Tue Apr 27 2021 Johannes Segitz <jsegitz@suse.com>
  - Updated fix_networkmanager.patch to allow NetworkManager to watch
    its configuration directories
  - Added fix_dovecot.patch to fix dovecot authentication (bsc#1182207)
* Mon Apr 26 2021 Johannes Segitz <jsegitz@suse.com>
  - Added Recommends for selinux-autorelabel (bsc#1181837)
  - Prevent libreoffice fonts from changing types on every relabel
    (bsc#1185265). Added fix_libraries.patch
* Fri Apr 23 2021 Johannes Segitz <jsegitz@suse.com>
  - Transition unconfined users to ldconfig type (bsc#1183121).
    Extended fix_unconfineduser.patch
* Mon Apr 19 2021 Johannes Segitz <jsegitz@suse.com>
  - Update to version 20210419
  - Refreshed:
    * fix_dbus.patch
    * fix_hadoop.patch
    * fix_init.patch
    * fix_unprivuser.patch
* Fri Mar 12 2021 Ales Kedroutek <ales.kedroutek@suse.com>
  - Adjust fix_init.patch to allow systemd to do sd-listen on
    tcp socket [bsc#1183177]
* Tue Mar 09 2021 Johannes Segitz <jsegitz@suse.com>
  - Update to version 20210309
  - Refreshed
    * fix_systemd.patch
    * fix_selinuxutil.patch
    * fix_iptables.patch
    * fix_init.patch
    * fix_logging.patch
    * fix_nscd.patch
    * fix_hadoop.patch
    * fix_unconfineduser.patch
    * fix_chronyd.patch
    * fix_networkmanager.patch
    * fix_cron.patch
    * fix_usermanage.patch
    * fix_unprivuser.patch
    * fix_rpm.patch
  - Ensure that /usr/etc is labeled according to /etc rules
* Tue Feb 23 2021 Thorsten Kukuk <kukuk@suse.com>
  - Update to version 20210223
  - Change name of tar file to a more common schema to allow
    parallel installation of several source versions
  - Adjust fix_init.patch
* Mon Jan 11 2021 Thorsten Kukuk <kukuk@suse.com>
  - Update to version 20210111
    - Drop fix_policykit.patch (integrated upstream)
    - Adjust fix_iptables.patch
    - update container policy
* Tue Nov 10 2020 Johannes Segitz <jsegitz@suse.com>
  - Updated fix_corecommand.patch to set correct types for the OBS
    build tools
* Thu Oct 29 2020 Thorsten Kukuk <kukuk@suse.com>
  - wicked.fc: add libexec directories
  - Update to version 20201029
    - update container policy
* Fri Oct 16 2020 Thorsten Kukuk <kukuk@suse.com>
  - Update to version 20201016
  - Use python3 to build (fc_sort.c was replaced by fc_sort.py which
    uses python3)
  - Drop SELINUX=disabled, "selinux=0" kernel commandline option has
    to be used instead. New default is "permissive" [bsc#1176923].
* Thu Sep 10 2020 Johannes Segitz <jsegitz@suse.com>
  - Update to version 20200910. Refreshed
    * fix_authlogin.patch
    * fix_nagios.patch
    * fix_systemd.patch
    * fix_usermanage.patch
  - Delete suse_specific.patch, moved content into fix_selinuxutil.patch
  - Cleanup of booleans-* presets
    * Enabled
      user_rw_noexattrfile
      unconfined_chrome_sandbox_transition
      unconfined_mozilla_plugin_transition
      for the minimal policy
    * Disabled
      xserver_object_manager
      for the MLS policy
    * Disabled
      openvpn_enable_homedirs
      privoxy_connect_any
      selinuxuser_direct_dri_enabled
      selinuxuser_ping (aka user_ping)
      squid_connect_any
      telepathy_tcp_connect_generic_network_ports
      for the targeted policy
    Change your local config if you need them
  - Build HTML version of manpages for the -devel package
* Thu Sep 03 2020 Johannes Segitz <jsegitz@suse.com>
  - Drop BuildRequires for python, python-xml. It's not needed anymore
* Tue Sep 01 2020 Johannes Segitz <jsegitz@suse.com>
  - Drop fix_dbus.patch_orig, was included by accident
  - Drop segenxml_interpreter.patch, not used anymore
* Tue Aug 11 2020 Thorsten Kukuk <kukuk@suse.com>
  - macros.selinux-policy: move rpm-state directory to /run and
    make sure it exists
* Wed Aug 05 2020 Thorsten Kukuk <kukuk@suse.com>
  - Cleanup spec file and follow more closely Fedora
  - Label /sys/kernel/uevent_helper with tmpfiles.d/selinux-policy.conf
  - Move config to /etc/selinux/config and create during %post install
    to be compatible with upstream and documentation.
  - Add RPM macros for SELinux (macros.selinux-policy)
  - Install booleans.subs_dist
  - Remove unused macros
  - Sync make/install macros with Fedora spec file
  - Introduce sandbox sub-package
* Wed Jul 29 2020 Thorsten Kukuk <kukuk@suse.com>
  - Add policycoreutils-devel as BuildRequires
* Fri Jul 17 2020 Johannes Segitz <jsegitz@suse.com>
  - Update to version 20200717. Refreshed
    * fix_fwupd.patch
    * fix_hadoop.patch
    * fix_init.patch
    * fix_irqbalance.patch
    * fix_logrotate.patch
    * fix_nagios.patch
    * fix_networkmanager.patch
    * fix_postfix.patch
    * fix_sysnetwork.patch
    * fix_systemd.patch
    * fix_thunderbird.patch
    * fix_unconfined.patch
    * fix_unprivuser.patch
    * selinux-policy.spec
  - Added update.sh to make updating easier
* Tue Jul 14 2020 Johannes Segitz <jsegitz@suse.com>
  - Updated fix_unconfineduser.patch to allow unconfined_dbusd_t access
    to accountsd dbus
  - New patch:
    * fix_nis.patch
  - Updated patches:
    * fix_postfix.patch: Transition is done in distribution specific script
* Tue Jun 02 2020 Johannes Segitz <jsegitz@suse.de>
  - Added module for wicked
  - New patches:
    * fix_authlogin.patch
    * fix_screen.patch
    * fix_unprivuser.patch
    * fix_rpm.patch
    * fix_apache.patch
* Thu Mar 26 2020 Johannes Segitz <jsegitz@suse.de>
  - Added module for rtorrent
  - Enable snapper module in minimum policy to reduce issues on BTRFS
    Updated fix_snapper.patch to prevent relabeling of snapshot
* Mon Mar 09 2020 Johannes Segitz <jsegitz@suse.de>
  - New patches:
    * fix_accountsd.patch
    * fix_automount.patch
    * fix_colord.patch
    * fix_mcelog.patch
    * fix_sslh.patch
    * fix_nagios.patch
    * fix_openvpn.patch
    * fix_cron.patch
    * fix_usermanage.patch
    * fix_smartmon.patch
    * fix_geoclue.patch
    * suse_specific.patch
    Default systems should now work without selinuxuser_execmod
  - Removed xdm_entrypoint_pam.patch, necessary change is in
    fix_unconfineduser.patch
  - Enable SUSE specific settings again
* Wed Feb 19 2020 Johannes Segitz <jsegitz@suse.de>
  - Update to version 20200219
    Refreshed fix_hadoop.patch
    Updated
    * fix_dbus.patch
    * fix_hadoop.patch
    * fix_nscd.patch
    * fix_xserver.patch
    Renamed postfix_paths.patch to fix_postfix.patch
    Added
    * fix_init.patch
    * fix_locallogin.patch
    * fix_policykit.patch
    * fix_iptables.patch
    * fix_irqbalance.patch
    * fix_ntp.patch
    * fix_fwupd.patch
    * fix_firewalld.patch
    * fix_logrotate.patch
    * fix_selinuxutil.patch
    * fix_corecommand.patch
    * fix_snapper.patch
    * fix_systemd.patch
    * fix_unconfined.patch
    * fix_unconfineduser.patch
    * fix_chronyd.patch
    * fix_networkmanager.patch
    * xdm_entrypoint_pam.patch
  - Removed modules minimum_temp_fixes and targeted_temp_fixes
    from the corresponding policies
  - Reduced default module list of minimum policy by removing
    apache inetd nis postfix mta modules
  - Adding/removing necessary pam config automatically
  - Minimum and targeted policy: Enable domain_can_mmap_files by default
  - Targeted policy: Disable selinuxuser_execmem, selinuxuser_execmod and
    selinuxuser_execstack to have safe defaults

Files

/etc/selinux
/etc/selinux/config
/usr/lib/rpm/macros.d/macros.selinux-policy
/usr/lib/tmpfiles.d/selinux-policy.conf
/usr/share/licenses/selinux-policy
/usr/share/licenses/selinux-policy/COPYING
/usr/share/selinux
/usr/share/selinux/packages


Generated by rpm2html 1.8.1

Fabrice Bellet, Sat Mar 9 12:39:58 2024