Index | index by Group | index by Distribution | index by Vendor | index by creation date | index by Name | Mirrors | Help | Search |
Name: selinux-policy-sandbox | Distribution: openSUSE:Factory:zSystems |
Version: 20231124 | Vendor: openSUSE |
Release: 2.1 | Build date: Mon Dec 11 22:13:05 2023 |
Group: System/Management | Build host: s390zl29 |
Size: 87393 | Source RPM: selinux-policy-20231124-2.1.src.rpm |
Packager: https://bugs.opensuse.org | |
Url: https://github.com/fedora-selinux/selinux-policy.git | |
Summary: SELinux policy sandbox |
SELinux sandbox policy used for the policycoreutils-sandbox package
GPL-2.0-or-later
* Tue Nov 28 2023 Hu <cathy.hu@suse.com> - Trigger rebuild of the policy when pcre2 gets updated to avoid regex version mismatch errors (bsc#1216747). * Fri Nov 24 2023 cathy.hu@suse.com - Update to version 20231124: * Allow virtnetworkd_t to execute bin_t (bsc#1216903) * Wed Nov 22 2023 Hu <cathy.hu@suse.com> - Add new modules that were missed in the last update to modules-mls-contrib.conf * Wed Nov 22 2023 Hu <cathy.hu@suse.com> - Add new modules that were missed in the last update to modules-targeted-contrib.conf * Mon Oct 30 2023 cathy.hu@suse.com - Update to version 20231030: * Allow system_mail_t manage exim spool files and dirs * Dontaudit keepalived setattr on keepalived_unconfined_script_exec_t * Label /run/pcsd.socket with cluster_var_run_t * ci: Run cockpit tests in PRs * Add map_read map_write to kernel_prog_run_bpf * Allow systemd-fstab-generator read all symlinks * Allow systemd-fstab-generator the dac_override capability * Allow rpcbind read network sysctls * Support using systemd containers * Allow sysadm_t to connect to iscsid using a unix domain stream socket * Add policy for coreos installer * Add policy for nvme-stas * Confine systemd fstab,sysv,rc-local * Label /etc/aliases.lmdb with etc_aliases_t * Create policy for afterburn * Make new virt drivers permissive * Split virt policy, introduce virt_supplementary module * Allow apcupsd cgi scripts read /sys * Allow kernel_t to manage and relabel all files * Add missing optional_policy() to files_relabel_all_files() * Allow named and ndc use the io_uring api * Deprecate common_anon_inode_perms usage * Improve default file context(None) of /var/lib/authselect/backups * Allow udev_t to search all directories with a filesystem type * Implement proper anon_inode support * Allow targetd write to the syslog pid sock_file * Add ipa_pki_retrieve_key_exec() interface * Allow kdumpctl_t to list all directories with a filesystem type * Allow udev additional permissions * Allow udev load kernel module * Allow sysadm_t to mmap modules_object_t files * Add the unconfined_read_files() and unconfined_list_dirs() interfaces * Set default file context of HOME_DIR/tmp/.* to <<none>> * Allow kernel_generic_helper_t to execute mount(1) * Allow sssd send SIGKILL to passkey_child running in ipa_otpd_t * Allow systemd-localed create Xserver config dirs * Allow sssd read symlinks in /etc/sssd * Label /dev/gnss[0-9] with gnss_device_t * Allow systemd-sleep read/write efivarfs variables * ci: Fix version number of packit generated srpms * Dontaudit rhsmcertd write memory device * Allow ssh_agent_type create a sockfile in /run/user/USERID * Set default file context of /var/lib/authselect/backups to <<none>> * Allow prosody read network sysctls * Allow cupsd_t to use bpf capability * Allow sssd domain transition on passkey_child execution conditionally * Allow login_userdomain watch lnk_files in /usr * Allow login_userdomain watch video4linux devices * Change systemd-network-generator transition to include class file * Revert "Change file transition for systemd-network-generator" * Allow nm-dispatcher winbind plugin read/write samba var files * Allow systemd-networkd write to cgroup files * Allow kdump create and use its memfd: objects * Allow fedora-third-party get generic filesystem attributes * Allow sssd use usb devices conditionally * Update policy for qatlib * Allow ssh_agent_type manage generic cache home files * Change file transition for systemd-network-generator * Additional support for gnome-initial-setup * Update gnome-initial-setup policy for geoclue * Allow openconnect vpn open vhost net device * Allow cifs.upcall to connect to SSSD also through the /var/run socket * Grant cifs.upcall more required capabilities * Allow xenstored map xenfs files * Update policy for fdo * Allow keepalived watch var_run dirs * Allow svirt to rw /dev/udmabuf * Allow qatlib to modify hardware state information. * Allow key.dns_resolve connect to avahi over a unix stream socket * Allow key.dns_resolve create and use unix datagram socket * Use quay.io as the container image source for CI * ci: Move srpm/rpm build to packit * .copr: Avoid subshell and changing directory * Allow gpsd, oddjob and oddjob_mkhomedir_t write user_tty_device_t chr_file * Label /usr/libexec/openssh/ssh-pkcs11-helper with ssh_agent_exec_t * Make insights_client_t an unconfined domain * Allow insights-client manage user temporary files * Allow insights-client create all rpm logs with a correct label * Allow insights-client manage generic logs * Allow cloud_init create dhclient var files and init_t manage net_conf_t * Allow insights-client read and write cluster tmpfs files * Allow ipsec read nsfs files * Make tuned work with mls policy * Remove nsplugin_role from mozilla.if * allow mon_procd_t self:cap_userns sys_ptrace * Allow pdns name_bind and name_connect all ports * Set the MLS range of fsdaemon_t to s0 - mls_systemhigh * ci: Move to actions/checkout@v3 version * .copr: Replace chown call with standard workflow safe.directory setting * .copr: Enable `set -u` for robustness * .copr: Simplify root directory variable * Allow rhsmcertd dbus chat with policykit * Allow polkitd execute pkla-check-authorization with nnp transition * Allow user_u and staff_u get attributes of non-security dirs * Allow unconfined user filetrans chrome_sandbox_home_t * Allow svnserve execute postdrop with a transition * Do not make postfix_postdrop_t type an MTA executable file * Allow samba-dcerpc service manage samba tmp files * Add use_nfs_home_dirs boolean for mozilla_plugin * Fix labeling for no-stub-resolv.conf * Revert "Allow winbind-rpcd use its private tmp files" * Allow upsmon execute upsmon via a helper script * Allow openconnect vpn read/write inherited vhost net device * Allow winbind-rpcd use its private tmp files * Update samba-dcerpc policy for printing * Allow gpsd,oddjob,oddjob_mkhomedir rw user domain pty * Allow nscd watch system db dirs * Allow qatlib to read sssd public files * Allow fedora-third-party read /sys and proc * Allow systemd-gpt-generator mount a tmpfs filesystem * Allow journald write to cgroup files * Allow rpc.mountd read network sysctls * Allow blueman read the contents of the sysfs filesystem * Allow logrotate_t to map generic files in /etc * Boolean: Allow virt_qemu_ga create ssh directory * Allow systemd-network-generator send system log messages * Dontaudit the execute permission on sock_file globally * Allow fsadm_t the file mounton permission * Allow named and ndc the io_uring sqpoll permission * Allow sssd io_uring sqpoll permission * Fix location for /run/nsd * Allow qemu-ga get fixed disk devices attributes * Update bitlbee policy * Label /usr/sbin/sos with sosreport_exec_t * Update policy for the sblim-sfcb service * Add the files_getattr_non_auth_dirs() interface * Fix the CI to work with DNF5 * Make systemd_tmpfiles_t MLS trusted for lowering the level of files * Revert "Allow insights client map cache_home_t" * Allow nfsidmapd connect to systemd-machined over a unix socket * Allow snapperd connect to kernel over a unix domain stream socket * Allow virt_qemu_ga_t create .ssh dir with correct label * Allow targetd read network sysctls * Set the abrt_handle_event boolean to on * Permit kernel_t to change the user identity in object contexts * Allow insights client map cache_home_t * Label /usr/sbin/mariadbd with mysqld_exec_t * Allow httpd tcp connect to redis port conditionally * Label only /usr/sbin/ripd and ripngd with zebra_exec_t * Dontaudit aide the execmem permission * Remove permissive from fdo * Allow sa-update manage spamc home files * Allow sa-update connect to systemlog services * Label /usr/lib/systemd/system/mimedefang.service with antivirus_unit_file_t * Allow nsd_crond_t write nsd_var_run_t & connectto nsd_t * Allow bootupd search EFI directory * Change init_audit_control default value to true * Allow nfsidmapd connect to systemd-userdbd with a unix socket * Add the qatlib module * Add the fdo module * Add the bootupd module * Set default ports for keylime policy * Create policy for qatlib * Add policy for FIDO Device Onboard * Add policy for bootupd * Add support for kafs-dns requested by keyutils * Allow insights-client execmem * Add support for chronyd-restricted * Add init_explicit_domain() interface * Allow fsadm_t to get attributes of cgroup filesystems * Add list_dir_perms to kerberos_read_keytab * Label /var/run/tmpfiles.d/static-nodes.conf with kmod_var_run_t * Allow sendmail manage its runtime files * Thu Oct 12 2023 cathy.hu@suse.com - Update to version 20231012: * Allow sssd_t watch permission to net_conf_t dirs (bsc#1216052) * Revert fix for bsc#1205770 since it causes a regression for bsc#1214887 * Wed Oct 04 2023 Johannes Segitz <jsegitz@suse.com> - Use /var/adm/update-scripts in macros.selinux-policy. The rpm state directory doesn't exist on SUSE systems (bsc#1213593) * Tue Sep 19 2023 Johannes Segitz <jsegitz@suse.com> - Modified update.sh to require first parameter "full" to also update container-selinux. For maintenance updates you usually don't want it to be updated * Fri Jul 28 2023 filippo.bonazzi@suse.com - Update to version 20230728: * Allow kdump_t to manage symlinks under kdump_var_lib_t (bsc#1213721) * allow haveged to manage tmpfs directories (bsc#1213594) * Thu Jun 22 2023 jsegitz@suse.com - Update to version 20230622: * Allow keyutils_dns_resolver_exec_t be an entrypoint * Allow collectd_t read network state symlinks * Revert "Allow collectd_t read proc_net link files" * Allow nfsd_t to list exports_t dirs * Allow cupsd dbus chat with xdm * Allow haproxy read hardware state information * Label /dev/userfaultfd with userfaultfd_t * Allow blueman send general signals to unprivileged user domains * Allow dkim-milter domain transition to sendmail * Tue Apr 25 2023 cathy.hu@suse.com - Update to version 20230425: * Remove unneeded manage_dirs_pattern for lastlog_t (bsc#1210461) * Add policy for wtmpdb (bsc#1210717) * Tue Apr 25 2023 cathy.hu@suse.com - Update to version 20230425: * Add support for lastlog2 (bsc#1210461) * allow the chrony client to use unallocated ttys (bsc#1210672) * Thu Apr 20 2023 jsegitz@suse.com - Update to version 20230420: * libzypp creates temporary files in /var/adm/mount. Label it with rpm_var_cache_t to prevent wrong labels in /var/cache/zypp * only use rsync_exec_t for the rsync server, not for the client (bsc#1209890) * properly label sshd-gen-keys-start to ensure ssh host keys have proper labels after creation * Allow dovecot-deliver write to the main process runtime fifo files * Allow dmidecode write to cloud-init tmp files * Allow chronyd send a message to cloud-init over a datagram socket * Allow cloud-init domain transition to insights-client domain * Allow mongodb read filesystem sysctls * Allow mongodb read network sysctls * Allow accounts-daemon read generic systemd unit lnk files * Allow blueman watch generic device dirs * Allow nm-dispatcher tlp plugin create tlp dirs * Allow systemd-coredump mounton /usr * Allow rabbitmq to read network sysctls * Allow certmonger dbus chat with the cron system domain * Allow geoclue read network sysctls * Allow geoclue watch the /etc directory * Allow logwatch_mail_t read network sysctls * allow systemd_resolved_t to bind to all nodes (bsc#1200182) * Allow insights-client read all sysctls * Allow passt manage qemu pid sock files * Allow sssd read accountsd fifo files * Add support for the passt_t domain * Allow virtd_t and svirt_t work with passt * Add new interfaces in the virt module * Add passt interfaces defined conditionally * Allow tshark the setsched capability * Allow poweroff create connections to system dbus * Allow wg load kernel modules, search debugfs dir * Boolean: allow qemu-ga manage ssh home directory * Label smtpd with sendmail_exec_t * Label msmtp and msmtpd with sendmail_exec_t * Allow dovecot to map files in /var/spool/dovecot * Confine gnome-initial-setup * Allow qemu-guest-agent create and use vsock socket * Allow login_pgm setcap permission * Allow chronyc read network sysctls * Enhancement of the /usr/sbin/request-key helper policy * Fix opencryptoki file names in /dev/shm * Allow system_cronjob_t transition to rpm_script_t * Revert "Allow system_cronjob_t domtrans to rpm_script_t" * Add tunable to allow squid bind snmp port * Allow staff_t getattr init pid chr & blk files and read krb5 * Allow firewalld to rw z90crypt device * Allow httpd work with tokens in /dev/shm * Allow svirt to map svirt_image_t char files * Allow sysadm_t run initrc_t script and sysadm_r role access * Allow insights-client manage fsadm pid files * Allowing snapper to create snapshots of /home/ subvolume/partition * Add boolean qemu-ga to run unconfined script * Label systemd-journald feature LogNamespace * Add none file context for polyinstantiated tmp dirs * Allow certmonger read the contents of the sysfs filesystem * Add journalctl the sys_resource capability * Allow nm-dispatcher plugins read generic files in /proc * Tue Mar 28 2023 Hu <cathy.hu@suse.com> - Add debug-build.sh script to make debugging without committing easier * Tue Mar 21 2023 jsegitz@suse.com - Update to version 20230321: * make kernel_t unconfined again * Thu Mar 16 2023 jsegitz@suse.com - Update to version 20230316: * prevent labeling of overlayfs filesystems based on the /var/lib/overlay path * allow kernel_t to relabel etc_t files * allow kernel_t to relabel sysnet config files * allow kernel_t to relabel systemd hwdb etc files * add systemd_hwdb_relabel_etc_files to allow labeling of hwdb files * change sysnet_relabelto_net_conf and sysnet_relabelfrom_net_conf to apply to files and lnk_files. lnk_files are commonly used in SUSE to allow easy management of config files * add files_relabel_etc_files_basic and files_relabel_etc_lnk_files_basic interfaces to allow labeling on etc_t, not on the broader configfiles attribute * Allow systemd-timesyncd to bind to generic UDP ports (bsc#1207962). The watch permissions reported are already fixed in a current policy. - Reinstate update.sh and remove container-selinux from the service. Having both repos in there causes issues and update.sh makes the update process easier in general. Updated README.Update * Tue Mar 07 2023 Johannes Segitz <jsegitz@suse.com> - Remove erroneous SUSE man page. Will not be created with the 3.5 toolchain * Tue Feb 14 2023 Hu <cathy.hu@suse.com> - Complete packaging rework: Move policy to git repository and only use tar_scm obs service to refresh from there: https://gitlab.suse.de/selinux/selinux-policy Please use `osc service manualrun` to update this OBS package to the newest git version. * Added README.Update describing how to update this package * Added _service file that pulls from selinux-policy and upstream container-selinux and tars them * Adapted selinux-policy.spec to build selinux-policy with container-selinux * Removed update.sh as no longer needed * Removed suse specific modules as they are now covered by git commits * packagekit.te packagekit.if packagekit.fc * rebootmgr.te rebootmgr.if rebootmgr.fc * rtorrent.te rtorrent.if rtorrent.fc * wicked.te wicked.if wicked.fc * Removed *.patch as they are now covered by git commits: * distro_suse_to_distro_redhat.patch * dontaudit_interface_kmod_tmpfs.patch * fix_accountsd.patch * fix_alsa.patch * fix_apache.patch * fix_auditd.patch * fix_authlogin.patch * fix_automount.patch * fix_bitlbee.patch * fix_chronyd.patch * fix_cloudform.patch * fix_colord.patch * fix_corecommand.patch * fix_cron.patch * fix_dbus.patch * fix_djbdns.patch * fix_dnsmasq.patch * fix_dovecot.patch * fix_entropyd.patch * fix_firewalld.patch * fix_fwupd.patch * fix_geoclue.patch * fix_hypervkvp.patch * fix_init.patch * fix_ipsec.patch * fix_iptables.patch * fix_irqbalance.patch * fix_java.patch * fix_kernel.patch * fix_kernel_sysctl.patch * fix_libraries.patch * fix_locallogin.patch * fix_logging.patch * fix_logrotate.patch * fix_mcelog.patch * fix_miscfiles.patch * fix_nagios.patch * fix_networkmanager.patch * fix_nis.patch * fix_nscd.patch * fix_ntp.patch * fix_openvpn.patch * fix_postfix.patch * fix_rpm.patch * fix_rtkit.patch * fix_screen.patch * fix_selinuxutil.patch * fix_sendmail.patch * fix_smartmon.patch * fix_snapper.patch * fix_sslh.patch * fix_sysnetwork.patch * fix_systemd.patch * fix_systemd_watch.patch * fix_thunderbird.patch * fix_unconfined.patch * fix_unconfineduser.patch * fix_unprivuser.patch * fix_userdomain.patch * fix_usermanage.patch * fix_wine.patch * fix_xserver.patch * sedoctool.patch * systemd_domain_dyntrans_type.patch * Mon Feb 06 2023 Johannes Segitz <jsegitz@suse.com> - Update to version 20230206. Refreshed: * fix_entropyd.patch * fix_networkmanager.patch * fix_systemd_watch.patch * fix_unconfineduser.patch - Updated fix_kernel.patch to allow kernel_t access to xdm state. This is necessary as plymouth doesn't run in it's own domain in early boot * Mon Jan 16 2023 Johannes Segitz <jsegitz@suse.com> - Update to version 20230125. Refreshed: * distro_suse_to_distro_redhat.patch * fix_dnsmasq.patch * fix_init.patch * fix_ipsec.patch * fix_kernel_sysctl.patch * fix_logging.patch * fix_rpm.patch * fix_selinuxutil.patch * fix_systemd_watch.patch * fix_userdomain.patch - More flexible lib(exec) matching in fix_fwupd.patch - Removed sys_admin for systemd_gpt_generator_t in fix_systemd.patch - Dropped fix_container.patch, is now upstream - Added fix_entropyd.patch * Added new interface entropyd_semaphore_filetrans to properly transfer semaphore created during early boot. That doesn't work yet, so work around with next item * Allow reading tempfs files - Added fix_kernel.patch. Added modutils_execute_kmod_tmpfs_files interace to allow kmod_tmpfs_t files to be executed. Necessary for firewalld - Added fix_rtkit.patch to fix labeling of binary - Modified fix_ntp.patch: * Proper labeling for start-ntpd * Fixed label rules for chroot path * Temporarily allow dac_override for ntpd_t (bsc#1207577) * Add interface ntp_manage_pid_files to allow management of pid files - Updated fix_networkmanager.patch to allow managing ntp pid files * Thu Jan 12 2023 Johannes Segitz <jsegitz@suse.com> - Update fix_container.patch to allow privileged containers to use localectl (bsc#1207077) * Wed Jan 11 2023 Johannes Segitz <jsegitz@suse.com> - Add fix_container.patch to allow privileged containers to use timedatectl (bsc#1207054) * Thu Dec 15 2022 Hu <cathy.hu@suse.com> - Added fix_ipsec.patch: Allow AF_ALG socket creation for strongswan (bnc#1206445) * Wed Dec 14 2022 Hu <cathy.hu@suse.com> - Added policy for wicked scripts under /etc/sysconfig/network/scripts (bnc#1205770) * Wed Dec 14 2022 Johannes Segitz <jsegitz@suse.com> - Add fix_sendmail.patch * fix context of custom sendmail startup helper * fix context of /var/run/sendmail and add necessary rules to manage content in there * Tue Dec 13 2022 Johannes Segitz <jsegitz@suse.com> - Updated fix_networkmanager.patch to fixe labeling of nm-dispatcher and nm-priv-helper until the packaging is adjusted (bsc#1206355) - Update fix_chronyd.patch to allow sendto towards NetworkManager_dispatcher_custom_t. Added new interface networkmanager_dispatcher_custom_dgram_send for this (bsc#1206357) - Update fix_dbus.patch to allow dbus to watch lib directories (bsc#1205895) * Tue Dec 06 2022 Johannes Segitz <jsegitz@suse.com> - Updated fix_networkmanager.patch to allow NetworkManager to watch net_conf_t (bsc#1206109) * Wed Nov 30 2022 Filippo Bonazzi <filippo.bonazzi@suse.com> - Add fix_irqbalance.patch: support netlink socket operations (bsc#1205434) * Wed Nov 30 2022 Filippo Bonazzi <filippo.bonazzi@suse.com> - Drop fix_irqbalance.patch: superseded by upstream * Thu Nov 24 2022 Hu <cathy.hu@suse.com> - fix_sysnetwork.patch: firewalld uses /etc/sysconfig/network/ for network interface definition instead of /etc/sysconfig/network-scripts/, modified sysnetwork.fc to reflect that (bsc#1205580). * Wed Oct 19 2022 Johannes Segitz <jsegitz@suse.com> - Update to version 20221019. Refreshed: * distro_suse_to_distro_redhat.patch * fix_apache.patch * fix_chronyd.patch * fix_cron.patch * fix_init.patch * fix_kernel_sysctl.patch * fix_networkmanager.patch * fix_rpm.patch * fix_sysnetwork.patch * fix_systemd.patch * fix_systemd_watch.patch * fix_unconfined.patch * fix_unconfineduser.patch * fix_unprivuser.patch * fix_xserver.patch - Dropped fix_cockpit.patch as this is now packaged with cockpit itself - Remove the ipa module, freeip ships their own module - Added fix_alsa.patch to allow reading of config files in home directories - Extended fix_networkmanager.patch and fix_postfix.patch to account for SUSE systems - Added dontaudit_interface_kmod_tmpfs.patch to prevent AVCs when startproc queries the running processes - Updated fix_snapper.patch to allow snapper to talk to rpm via dbus * Fri Sep 30 2022 Johannes Segitz <jsegitz@suse.com> - Updated quilt couldn't unpack tarball. This will cause ongoing issues so drop the sed statement in the %prep section and add distro_suse_to_distro_redhat.patch to add the necessary changes via a patch * Thu Sep 29 2022 Johannes Segitz <jsegitz@suse.com> - Update fix_networkmanager.patch to ensure NetworkManager chrony dispatcher is properly labled and update fix_chronyd.patch to ensure chrony helper script has proper label to be used by NetworkManager. Also allow NetworkManager_dispatcher_custom_t to query systemd status (bsc#1203824) * Tue Sep 27 2022 Filippo Bonazzi <filippo.bonazzi@suse.com> - Update fix_xserver.patch to add greetd support (bsc#1198559) * Mon Sep 12 2022 Johannes Segitz <jsegitz@suse.com> - Revamped rtorrent module * Fri Aug 26 2022 Thorsten Kukuk <kukuk@suse.com> - Move SUSE directory from manual page section to html docu * Wed Jul 27 2022 Hu <cathy.hu@suse.com> - fix_networkmanager.patch: Allow NetworkManager_dispatcher_tlp_t and NetworkManager_dispatcher_custom_t to access nscd socket (bsc#1201741) * Tue Jul 26 2022 Zdenek Kubala <zkubala@suse.com> - Add fix_cloudform.patch to fix cloud-init runcmd issue with snapper (bnc#1201015) * Thu Jul 14 2022 Johannes Segitz <jsegitz@suse.com> - Update to version 20220714. Refreshed: * fix_init.patch * fix_systemd_watch.patch * Wed Jul 13 2022 Johannes Segitz <jsegitz@suse.com> - Update fix_systemd.patch to add cap sys_admin and kernel_dgram_send for systemd_gpt_generator_t (bsc#1200911) * Mon Jul 11 2022 Johannes Segitz <jsegitz@suse.com> - postfix: Label PID files and some helpers correctly (bsc#1197242) * Fri Jun 24 2022 Johannes Segitz <jsegitz@suse.com> - Add fix_userdomain.patch to dontaudit UDP rpc ports (bsc#1193984) * Fri Jun 24 2022 Johannes Segitz <jsegitz@suse.com> - Update to version 20220624. Refreshed: * fix_init.patch * fix_kernel_sysctl.patch * fix_logging.patch * fix_networkmanager.patch * fix_unprivuser.patch Dropped fix_hadoop.patch, not necessary anymore * Updated fix_locallogin.patch to allow accesses for nss-systemd (bsc#1199630) * Fri May 20 2022 Johannes Segitz <jsegitz@suse.com> - Update to version 20220520 to pass stricter 3.4 toolchain checks * Fri May 20 2022 Johannes Segitz <jsegitz@suse.com> - Update to version 20220428. Refreshed: * fix_apache.patch * fix_hadoop.patch * fix_init.patch * fix_iptables.patch * fix_kernel_sysctl.patch * fix_networkmanager.patch * fix_systemd.patch * fix_systemd_watch.patch * fix_unprivuser.patch * fix_usermanage.patch * fix_wine.patch * Thu May 19 2022 Johannes Segitz <jsegitz@suse.com> - Add fix_dnsmasq.patch to fix problems with virtualization on Microos (bsc#1199518) * Tue May 03 2022 Johannes Segitz <jsegitz@suse.com> - Modified fix_init.patch to allow init to setup contrained environment for accountsservice. This needs a better, more general solution (bsc#1197610) * Mon May 02 2022 Johannes Segitz <jsegitz@suse.com> - Add systemd_domain_dyntrans_type.patch to allow systemd to dyntransition. This happens in certain boot conditions (bsc#1182500) - Changed fix_unconfineduser.patch to not transition into ldconfig_t from unconfined_t (bsc#1197169) * Thu Feb 17 2022 Klaus Kämpf <kkaempf@suse.com> - use %license tag for COPYING file * Thu Feb 10 2022 Johannes Segitz <jsegitz@suse.com> - Updated fix_cron.patch. Adjust labeling for at (bsc#1195683) * Wed Feb 09 2022 Filippo Bonazzi <filippo.bonazzi@suse.com> - Fix bitlbee runtime directory (bsc#1193230) * add fix_bitlbee.patch * Mon Jan 24 2022 Johannes Segitz <jsegitz@suse.com> - Update to version 20220124. Refreshed: * fix_hadoop.patch * fix_init.patch * fix_kernel_sysctl.patch * fix_systemd.patch * fix_systemd_watch.patch - Added fix_hypervkvp.patch to fix issues with hyperv labeling (bsc#1193987) * Fri Jan 14 2022 Johannes Segitz <jsegitz@suse.com> - Allow colord to use systemd hardenings (bsc#1194631) * Thu Nov 11 2021 Johannes Segitz <jsegitz@suse.com> - Update to version 20211111. Refreshed: * fix_dbus.patch * fix_systemd.patch * fix_authlogin.patch * fix_auditd.patch * fix_kernel_sysctl.patch * fix_networkmanager.patch * fix_chronyd.patch * fix_unconfineduser.patch * fix_unconfined.patch * fix_firewalld.patch * fix_init.patch * fix_xserver.patch * fix_logging.patch * fix_hadoop.patch * Mon Oct 25 2021 Marcus Meissner <meissner@suse.com> - fix_wine.patch: give Wine .dll same context as .so (bsc#1191976) * Tue Sep 28 2021 Enzo Matsumiya <ematsumiya@suse.com> - Fix auditd service start with systemd hardening directives (boo#1190918) * add fix_auditd.patch * Thu Sep 02 2021 Johannes Segitz <jsegitz@suse.com> - Modified fix_systemd.patch to allow systemd gpt generator access to udev files (bsc#1189280) * Fri Aug 27 2021 Ales Kedroutek <ales.kedroutek@suse.com> - fix rebootmgr does not trigger the reboot properly (boo#1189878) * fix managing /etc/rebootmgr.conf * allow rebootmgr_t to cope with systemd and dbus messaging * Thu Aug 26 2021 Johannes Segitz <jsegitz@suse.com> - Properly label cockpit files - Allow wicked to communicate with network manager on DBUS (bsc#1188331) * Mon Aug 23 2021 Ales Kedroutek <ales.kedroutek@suse.com> - Added policy module for rebootmgr (jsc#SMO-28) * Tue Aug 17 2021 Ludwig Nussel <lnussel@suse.de> - Allow systemd-sysctl to read kernel specific sysctl.conf (fix_kernel_sysctl.patch, boo#1184804) * Tue Aug 10 2021 Ludwig Nussel <lnussel@suse.de> - Fix quoting in postInstall macro * Fri Jul 16 2021 Johannes Segitz <jsegitz@suse.com> - Update to version 20210716 - Remove interfaces for container module before building the package (bsc#1188184) - Updated * fix_init.patch * fix_systemd_watch.patch to adapt to upstream changes * Thu Jul 15 2021 Callum Farmer <gmbr3@opensuse.org> - Use tabrmd SELinux modules from tpm2.0-abrmd instead of storing here * Tue Jul 06 2021 Alberto Planas Dominguez <aplanas@suse.com> - Add tabrmd SELinux modules from upstream (bsc#1187925) https://github.com/tpm2-software/tpm2-abrmd/tree/master/selinux - Automatic spec-cleaner to fix ordering and misaligned spaces * Mon Jun 28 2021 Johannes Segitz <jsegitz@suse.com> - Update to version 20210419 - Dropped fix_gift.patch, module was removed - Updated wicked.te to removed dropped interface - Refreshed: * fix_cockpit.patch * fix_hadoop.patch * fix_init.patch * fix_logging.patch * fix_logrotate.patch * fix_networkmanager.patch * fix_nscd.patch * fix_rpm.patch * fix_selinuxutil.patch * fix_systemd.patch * fix_systemd_watch.patch * fix_thunderbird.patch * fix_unconfined.patch * fix_unconfineduser.patch * fix_unprivuser.patch * fix_xserver.patch * Tue May 18 2021 Ludwig Nussel <lnussel@suse.de> - allow systemd to watch /usr, /usr/lib, /etc, /etc/pki as we have path units that trigger on changes in those. Added fix_systemd_watch.patch - own /usr/share/selinux/packages/$SELINUXTYPE/ and /var/lib/selinux/$SELINUXTYPE/active/modules/* to allow packages to install files there * Wed Apr 28 2021 Ludwig Nussel <lnussel@suse.de> - allow cockpit socket to bind nodes (fix_cockpit.patch) - use %autosetup to get rid of endless patch lines * Tue Apr 27 2021 Johannes Segitz <jsegitz@suse.com> - Updated fix_networkmanager.patch to allow NetworkManager to watch its configuration directories - Added fix_dovecot.patch to fix dovecot authentication (bsc#1182207) * Mon Apr 26 2021 Johannes Segitz <jsegitz@suse.com> - Added Recommends for selinux-autorelabel (bsc#1181837) - Prevent libreoffice fonts from changing types on every relabel (bsc#1185265). Added fix_libraries.patch * Fri Apr 23 2021 Johannes Segitz <jsegitz@suse.com> - Transition unconfined users to ldconfig type (bsc#1183121). Extended fix_unconfineduser.patch * Mon Apr 19 2021 Johannes Segitz <jsegitz@suse.com> - Update to version 20210419 - Refreshed: * fix_dbus.patch * fix_hadoop.patch * fix_init.patch * fix_unprivuser.patch * Fri Mar 12 2021 Ales Kedroutek <ales.kedroutek@suse.com> - Adjust fix_init.patch to allow systemd to do sd-listen on tcp socket [bsc#1183177] * Tue Mar 09 2021 Johannes Segitz <jsegitz@suse.com> - Update to version 20210309 - Refreshed * fix_systemd.patch * fix_selinuxutil.patch * fix_iptables.patch * fix_init.patch * fix_logging.patch * fix_nscd.patch * fix_hadoop.patch * fix_unconfineduser.patch * fix_chronyd.patch * fix_networkmanager.patch * fix_cron.patch * fix_usermanage.patch * fix_unprivuser.patch * fix_rpm.patch - Ensure that /usr/etc is labeled according to /etc rules * Tue Feb 23 2021 Thorsten Kukuk <kukuk@suse.com> - Update to version 20210223 - Change name of tar file to a more common schema to allow parallel installation of several source versions - Adjust fix_init.patch * Mon Jan 11 2021 Thorsten Kukuk <kukuk@suse.com> - Update to version 20210111 - Drop fix_policykit.patch (integrated upstream) - Adjust fix_iptables.patch - update container policy * Tue Nov 10 2020 Johannes Segitz <jsegitz@suse.com> - Updated fix_corecommand.patch to set correct types for the OBS build tools * Thu Oct 29 2020 Thorsten Kukuk <kukuk@suse.com> - wicked.fc: add libexec directories - Update to version 20201029 - update container policy * Fri Oct 16 2020 Thorsten Kukuk <kukuk@suse.com> - Update to version 20201016 - Use python3 to build (fc_sort.c was replaced by fc_sort.py which uses python3) - Drop SELINUX=disabled, "selinux=0" kernel commandline option has to be used instead. New default is "permissive" [bsc#1176923]. * Thu Sep 10 2020 Johannes Segitz <jsegitz@suse.com> - Update to version 20200910. Refreshed * fix_authlogin.patch * fix_nagios.patch * fix_systemd.patch * fix_usermanage.patch - Delete suse_specific.patch, moved content into fix_selinuxutil.patch - Cleanup of booleans-* presets * Enabled user_rw_noexattrfile unconfined_chrome_sandbox_transition unconfined_mozilla_plugin_transition for the minimal policy * Disabled xserver_object_manager for the MLS policy * Disabled openvpn_enable_homedirs privoxy_connect_any selinuxuser_direct_dri_enabled selinuxuser_ping (aka user_ping) squid_connect_any telepathy_tcp_connect_generic_network_ports for the targeted policy Change your local config if you need them - Build HTML version of manpages for the -devel package * Thu Sep 03 2020 Johannes Segitz <jsegitz@suse.com> - Drop BuildRequires for python, python-xml. It's not needed anymore * Tue Sep 01 2020 Johannes Segitz <jsegitz@suse.com> - Drop fix_dbus.patch_orig, was included by accident - Drop segenxml_interpreter.patch, not used anymore * Tue Aug 11 2020 Thorsten Kukuk <kukuk@suse.com> - macros.selinux-policy: move rpm-state directory to /run and make sure it exists * Wed Aug 05 2020 Thorsten Kukuk <kukuk@suse.com> - Cleanup spec file and follow more closely Fedora - Label /sys/kernel/uevent_helper with tmpfiles.d/selinux-policy.conf - Move config to /etc/selinux/config and create during %post install to be compatible with upstream and documentation. - Add RPM macros for SELinux (macros.selinux-policy) - Install booleans.subs_dist - Remove unused macros - Sync make/install macros with Fedora spec file - Introduce sandbox sub-package * Wed Jul 29 2020 Thorsten Kukuk <kukuk@suse.com> - Add policycoreutils-devel as BuildRequires * Fri Jul 17 2020 Johannes Segitz <jsegitz@suse.com> - Update to version 20200717. Refreshed * fix_fwupd.patch * fix_hadoop.patch * fix_init.patch * fix_irqbalance.patch * fix_logrotate.patch * fix_nagios.patch * fix_networkmanager.patch * fix_postfix.patch * fix_sysnetwork.patch * fix_systemd.patch * fix_thunderbird.patch * fix_unconfined.patch * fix_unprivuser.patch * selinux-policy.spec - Added update.sh to make updating easier * Tue Jul 14 2020 Johannes Segitz <jsegitz@suse.com> - Updated fix_unconfineduser.patch to allow unconfined_dbusd_t access to accountsd dbus - New patch: * fix_nis.patch - Updated patches: * fix_postfix.patch: Transition is done in distribution specific script * Tue Jun 02 2020 Johannes Segitz <jsegitz@suse.de> - Added module for wicked - New patches: * fix_authlogin.patch * fix_screen.patch * fix_unprivuser.patch * fix_rpm.patch * fix_apache.patch * Thu Mar 26 2020 Johannes Segitz <jsegitz@suse.de> - Added module for rtorrent - Enable snapper module in minimum policy to reduce issues on BTRFS Updated fix_snapper.patch to prevent relabling of snapshot * Mon Mar 09 2020 Johannes Segitz <jsegitz@suse.de> - New patches: * fix_accountsd.patch * fix_automount.patch * fix_colord.patch * fix_mcelog.patch * fix_sslh.patch * fix_nagios.patch * fix_openvpn.patch * fix_cron.patch * fix_usermanage.patch * fix_smartmon.patch * fix_geoclue.patch * suse_specific.patch Default systems should now work without selinuxuser_execmod - Removed xdm_entrypoint_pam.patch, necessary change is in fix_unconfineduser.patch - Enable SUSE specific settings again * Wed Feb 19 2020 Johannes Segitz <jsegitz@suse.de> - Update to version 20200219 Refreshed fix_hadoop.patch Updated * fix_dbus.patch * fix_hadoop.patch * fix_nscd.patch * fix_xserver.patch Renamed postfix_paths.patch to fix_postfix.patch Added * fix_init.patch * fix_locallogin.patch * fix_policykit.patch * fix_iptables.patch * fix_irqbalance.patch * fix_ntp.patch * fix_fwupd.patch * fix_firewalld.patch * fix_logrotate.patch * fix_selinuxutil.patch * fix_corecommand.patch * fix_snapper.patch * fix_systemd.patch * fix_unconfined.patch * fix_unconfineduser.patch * fix_chronyd.patch * fix_networkmanager.patch * xdm_entrypoint_pam.patch - Removed modules minimum_temp_fixes and targeted_temp_fixes from the corresponding policies - Reduced default module list of minimum policy by removing apache inetd nis postfix mta modules - Adding/removing necessary pam config automatically - Minimum and targeted policy: Enable domain_can_mmap_files by default - Targeted policy: Disable selinuxuser_execmem, selinuxuser_execmod and selinuxuser_execstack to have safe defaults
/usr/share/selinux/packages/sandbox.pp
Generated by rpm2html 1.8.1
Fabrice Bellet, Sat Mar 9 12:39:58 2024