aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorChris PeBenito <pebenito@ieee.org>2018-06-23 10:38:58 -0400
committerJason Zaman <jason@perfinion.com>2018-06-24 16:33:24 +0800
commit751926c0fbba4bf7105622ee65888b66740847a0 (patch)
tree6bbdd39cd5becdddc8e4cbc41332c383874c7972 /Changelog.contrib
parentxdg: move compat interfaces to upstream xdg module (diff)
downloadhardened-refpolicy-751926c0fbba4bf7105622ee65888b66740847a0.tar.gz
hardened-refpolicy-751926c0fbba4bf7105622ee65888b66740847a0.tar.bz2
hardened-refpolicy-751926c0fbba4bf7105622ee65888b66740847a0.zip
Move all files out of the old contrib directory.
Diffstat (limited to 'Changelog.contrib')
-rw-r--r--[l---------]Changelog.contrib2211
1 files changed, 2210 insertions, 1 deletions
diff --git a/Changelog.contrib b/Changelog.contrib
index 452cbbb1..1596ba77 120000..100644
--- a/Changelog.contrib
+++ b/Changelog.contrib
@@ -1 +1,2210 @@
-policy/modules/contrib/Changelog \ No newline at end of file
+* Sun Jan 14 2018 Chris PeBenito <pebenito@ieee.org> - 2.20180114
+Chad Hanson (1):
+ Allow rpm to relabel files at all levels
+
+Chris PeBenito (46):
+ Remove deprecated interfaces more than one year old.
+ Remove complement and wildcard in allow rules.
+ Merge branch 'master' of git://github.com/teg/refpolicy-contrib
+ dbus: Module version bump for dbus-broker patch from Tom Gundersen.
+ Module version bump for patches from Guido Trentalancia.
+ Module version bumps for patches from David Sugar.
+ dhcp, logrotate: Module version bump.
+ Module version bumps for chkrootkit, dkim, dmidecode, portage, and
+ rkhunter.
+ Module version bumps.
+ spamassassin: Move lines.
+ mandb, spamassassin: Module version bumps.
+ spamassassin: Fix build error.
+ spamassassin: Add missing requirement in spamassassin_admin().
+ dphysswapfile: Module version bump.
+ gpg, pulseaudio, rpc: Module version bump.
+ dnsmasq, gnome, mon, mta, openoffice, pulseaudio, wm: Version bumps.
+ Revert "postfix: Some table drivers (notably cdb) need to mmap() their
+ databases"
+ java, mozilla, mta, postfix: Module version bump.
+ portage: Fix usr_t map interface usage.
+ apache, portage: Module version bump.
+ dbus, policykit, wm: Module version bump.
+ dbus: Add comment.
+ Merge branch 'nm_audit' of git://github.com/bigon/refpolicy-contrib
+ networkmanager: Module version bump.
+ virt: Move a line.
+ alsa, mon, virt: Module version bump.
+ gpg, mozilla, rpc: Module version bump.
+ Several module version bumps.
+ blueman, evolution, gpg, mozilla, openoffice, thunderbird, wireshark, wm:
+ Module version bump.
+ wm: Module version bump.
+ networkmanager: Move line.
+ networkmanager: Module version bump.
+ Merge branch 'pkcs' of https://github.com/dodys/refpolicy-contrib
+ pkcs: Rename pkcs_slotd_unit_file_t.
+ pkcs: Module version bump.
+ accountsd, policykit: Module version bump.
+ dbus, devicekit, modemmanager, networkmanager, virt: Module version bump.
+ modemmanager: Move lines.
+ rpm: Module version bump.
+ cachefilesd, dbus, dirmngr, gnome, gpg, pulseaudio: Module version bump.
+ Replace deprecated mmap perm sets and pattern usage.
+ gssproxy: Module version bump.
+ monit: Module version bump.
+ apache, dkim, monit: Module version bump.
+ spamassassin: Module version bump.
+ Bump module versions for release.
+
+Christian Göttsche (20):
+ dkim: align filecontexts
+ dkim: update
+ milter: align filecontexts
+ apache: align filecontexts
+ dmidecode: use userdom_use_inherited_user_terminals
+ spamassassin: align filecontexts
+ chkrootkit: update
+ rkhunter: add several missing permission
+ fakehwclock: update
+ milter: update
+ mandb: fixes for systemd timer and /usr/local/man label
+ spamassassin: update
+ dphysswapfile: fix swapfile creation
+ apache: update
+ monit: update
+ dkim: align file contexts
+ dkim: update
+ apache: update
+ monit: read /usr/share/ca-certificates for cert verification
+ spamassassin: fix missing perms
+
+Daniel Jurgens (1):
+ networkmanager: Grant access to unlabeled PKeys
+
+David Sugar (5):
+ mon: move rpc_* into optional
+ wm: consolidate networkmanger interface calls into single optional
+ cron: optional_policy for mta_* interfaces
+ Label /usr/bin/mutter
+ Allow to read /proc/sys/crypto/fips_enabled
+
+Eduardo Barretto (2):
+ Update pkcs policy to include pkccsslotd.service
+ Update missing permissions for pkcs
+
+Guido Trentalancia (13):
+ libmtp: read symlinks in user home directories
+ spamassassin: update rules for the Bayesian classifier trainer
+ wm: let gnome-shell start properly
+ gnome: keyring daemon dbus policy update
+ gnome: keyring daemon read SELinux config
+ openoffice: improve temporary directories' operations
+ pulseaudio: general update
+ wm: gnome-shell SELinux integration
+ mozilla: run Java Web Start applications
+ wm: run PolicyKit
+ dbus: read user home content files
+ mozilla: read generic SSL certificates
+ contrib: use the new SSL private keys type (was: "let the mozilla and
+ other domains read generic SSL certificates")
+
+Jason Zaman (12):
+ cgmanager: Apply auth_use_nsswitch interface
+ alsa: needs to map its tmpfs files
+ virt: add policy for virtlogd
+ virt: updated perms for starting guests
+ gssproxy: add policy
+ rpc: Allow stream connect to gssproxy
+ gpg: search dir when connecting to agent socket
+ dirmngr: allow filetrans in gpg_runtime_t
+ gpg: Add gpg_agent_use_card boolean for OpenPGP cards
+ cachefilesd: make cachefilesd_cache_t a mountpoint
+ Set user_runtime_content_type for all remaining types in /run/user/%{UID}/
+ gssproxy: allow writing kerberos rcache
+
+Jason Zaman via refpolicy (3):
+ pulseaudio: Add neccessary map permissions
+ gpg: add fcontexts for user runtime sockets
+ rpc: add sm-notify pid fcontext
+
+Laurent Bigonville (2):
+ Allow NetworkManager to write to audit
+ Call systemd_write_inherited_logind_inhibit_pipes() where needed
+
+Luis Ressel (12):
+ portage: Allow portage_t and portage_sandbox_t to access locale_t
+ postfix: Some table drivers (notably cdb) need to mmap() their databases
+ portage: Grant the map permissions neccessary for git and install
+ alsa: alsactl needs to map its configuration
+ mozilla: Add neccessary map permissions
+ mandb: man-db needs to map its 'index.db' cache
+ portage: Remove nonsensical dontaudit of an allowed permission
+ portage: Transition to ldconfig_t when calling ldconfig
+ postfix: Some table drivers (notably cdb) need to mmap() their databases
+ postfix: Silence cap_dac_read_search denials
+ portage: Grant portage the map permission on usr_t
+ Allow gtk apps to map usr_t files
+
+Nicolas Iooss (2):
+ dbus: move comments out of the file context definitions
+ logrotate: allow systemd to start logrotate
+
+Russell Coker (3):
+ udev and dhcpd
+ minor nspawn, dnsmasq, and mon patches
+ refpolicy and certs
+
+Tom Gundersen (1):
+ dbus: add policy for dbus-broker
+
+* Sat Aug 05 2017 Chris PeBenito <pebenito@ieee.org> - 2.20170805
+Chris PeBenito (82):
+ Create / to /usr equivalence for bin, sbin, and lib, from Russell Coker.
+ Module version bump for usrmerge FC fixes from Jason Zaman.
+ mon policy from Russell Coker.
+ Module version bump for cups patches from Guido Trentalancia.
+ Module version bump for tbird and mozilla printing from Guido
+ Trentalancia.
+ Revert "cups/lpd: read permission for cupsd_var_run_t socket files"
+ Module version bump for cups revert.
+ Sort capabilities permissions from Russell Coker.
+ Little misc patch from Russell Coker.
+ mon: Fix deprecated interface usage.
+ dpkg: Updates from Russell Coker.
+ Monit policy from Russell Coker and cgzones.
+ monit: Fix build error.
+ fetchmail, mysql, tor: Misc fixes from Russell Coker.
+ Merge branch 'alsa_module' of git://github.com/cgzones/refpolicy-contrib
+ Merge branch 'vnstat_module' of git://github.com/cgzones/refpolicy-contrib
+ Module version bump for alsa and vnstatd fixes from cgzones.
+ Merge branch 'ntp_module' of git://github.com/cgzones/refpolicy-contrib
+ Module version bump for ntp fixes from cgzones.
+ samba: A few line moves.
+ Module version bump for samba patch from Russell Coker.
+ Systemd fixes from Russell Coker.
+ Xen fixes from Russell Coker.
+ mailman: Fixes from Russell Coker.
+ MTA fixes from Russell Coker.
+ Network daemon patches from Russell Coker.
+ apache: Fix CI error.
+ Merge branch 'modutils_adapt_interfaces' of
+ git://github.com/cgzones/refpolicy-contrib
+ Merge branch 'corecmd_read_bin_symlinks' of
+ git://github.com/cgzones/refpolicy-contrib
+ Module version bumps for fixes from cgzones.
+ Merge branch 'mandb' of git://github.com/cgzones/refpolicy-contrib
+ Merge branch 'dphysswapfile' of git://github.com/cgzones/refpolicy-contrib
+ Module version bump for dphysswapfile and mandb fixes from cgzones.
+ Merge branch 'var_run_filecontext' of
+ git://github.com/cgzones/refpolicy-contrib
+ Merge branch 'vnstatd' of git://github.com/cgzones/refpolicy-contrib
+ Module version bump for fixes from cgzones.
+ dontaudit net_admin for SO_SNDBUFFORCE
+ /var/run -> /run again
+ Merge branch 'monit' of git://github.com/cgzones/refpolicy-contrib
+ Module version bump for monit patch from cgzones.
+ systemd-resolvd, sessions, and tmpfiles take2
+ Misc fc changes from Russell Coker.
+ Systemd-related changes from Russell Coker.
+ networkmanager: adjust interface docs format.
+ wm: interface docs adjustment.
+ Module version bump for misc fixes from Guido Trentalancia.
+ systemd init from Russell Coker
+ misc daemons from Russell Coker.
+ logging patches from Russell Coker
+ kmod, lvm, brctl patches from Russell Coker
+ devicekit, mount, xserver, and selinuxutil from Russell Coker
+ some userdomain patches from Russell Coker
+ Module version bump for gnome fix from Guido Trentalancia.
+ apache: Move blocks. No rule changes.
+ Module version bump for changes from Sven Vermeulen and Guido
+ Trentalancia.
+ login take 4 from Russell Coker.
+ Rename apm to acpi from Russell Coker.
+ Module version bump for patches from Russell Coker.
+ some little misc things from Russell Coker.
+ apt/dpkg strict patches from Russell Coker.
+ Module version bump for minor fixes from Guido Trentalancia.
+ Merge branch 'usr_bin_fc' of
+ git://github.com/fishilico/selinux-refpolicy-contrib
+ Module version bump for /usr/bin fc fixes from Nicolas Iooss.
+ Module version bump for chronyd changes from Luis Ressel.
+ openoffice: Move ooffice_rw_tmp_files() implementation.
+ Module version bump for openoffice fix from Guido Trentalancia.
+ libmtp: move lines
+ Module version bump for fixes from Guido Trentalancia.
+ Module version bump for mmap fixes from Stephen Smalley.
+ Module version bump for misc patches from Guido Trentalancia.
+ gpg: Fix overspecified dependencies in gpg_agent_tmp_filetrans.
+ dirmngr: Whitespace fixes.
+ Module version bumps for patches from Jason Zaman.
+ cgmanager: Move lines
+ Module version bumps for patches from Jason Zaman.
+ gpg: Module version bump for patch from Guido Trentalancia.
+ mozilla: Module version bump for patch from Luis Ressel.
+ rkhunter: Fix module version and move lines.
+ Module version bump for patches from cgzones.
+ chkrootkit: Fix module version.
+ Module version bump for patches from cgzones.
+ Bump module versions for release.
+
+Guido Trentalancia (28):
+ cups: read permission for cupsd_var_run_t socket files in
+ cups_stream_connect()
+ cups/lpd: read permission for cupsd_var_run_t socket files
+ thunderbird: allow stream connections to cups so that it can print
+ mozilla: allow stream connections to cups so that it can print
+ java: enable interactive use
+ evolution: add dbus acquire service permission
+ evolution: do not audit kernel read state
+ evolution: add some critical permissions
+ mozilla: read hardware state information
+ mozilla: add a permission
+ wm: load the NetworkManager applet
+ wm: interactive start
+ Gnome and Evolution dbus chat permissions
+ openoffice: support starting it from the window manager
+ evolution: minor fixes and updates
+ java: error messages terminal printout
+ loadkeys: use init fds (system bootup)
+ plymouth: pid interface usability
+ shutdown: send msg to syslog
+ openoffice: open files retrieved using mozilla
+ contrib: new libmtp module
+ openoffice: minor update
+ gnome: improved integration with openoffice
+ cups: let hplip read udev pid files
+ dbus: let session bus daemon manage user runtime dirs
+ zabbix: Grant zabbix_agent_t to call setrlimit on self
+ ntp: fix the drift file context and transition
+ gpg: manage user runtime socket files and directories
+
+Jason Zaman (12):
+ usrmerge: Add missed /usr fcontexts
+ java: update fcontexts for new versions of icedtea
+ dirmngr: add to roles and allow gpg to domtrans
+ gpg dirmngr: create and connect to socket
+ dirmngr: fcontext for ~/.gnupg/crls.d/
+ dirmngr: Network rules to connect to keyserver
+ cgmanager: add policy from gentoo
+ consolekit: Add support for consolekit2
+ consolekit: allow purging tmp
+ consolekit: introduce consolekit_use_inhibit_lock interface
+ dbus: use consolekit inhibit locks
+ networkmanager: use consolekit inhibit locks
+
+Luis Ressel (3):
+ chronyd: Re-align fc file
+ chronyd: Allow init scripts to create /run/chrony
+ mozilla: Add fc for the files used by the firefox addon "vimperator"
+
+Nicolas Iooss (1):
+ Support systems with a single /usr/bin directory
+
+Russell Coker (1):
+ patch for samba
+
+Stephen Smalley (1):
+ contrib: allow map permission where needed
+
+Sven Vermeulen (1):
+ rpc_* interfaces should be wrapped by optional_policy()
+
+cgzones (16):
+ update ntp module
+ update alsa module
+ vnstatd: update module
+ corecmd_read_bin_symlinks(): remove deprecated and redundant calls
+ modutils: adopt calls to new interfaces
+ vnstatd: update
+ dphysswapfile: update
+ monit: update
+ mandb: update
+ logrotate: reload monit after log rotation
+ remove /var/run file context lefovers, add dbus exception
+ monit: add syslog access and support for monit systemd service
+ rkhunter: add policy module
+ arpwatch: align file contexts
+ chkrootkit: add policy module
+ arpwatch: update
+
+* Sat Feb 04 2017 Chris PeBenito <pebenito@ieee.org> - 2.20170204
+Chris PeBenito (41):
+ Module version bump for patches from Jason Zaman.
+ authbind: Remove dead policy.
+ Module version bump for cups patch from Guido Trentalancia.
+ Merge pull request #29 from cgzones/deprecated_macros
+ Module version bump for Debian fprintd fc entry from Laurent Bigonville.
+ Module version bumps for openoffice patches from Guido Trentalancia.
+ Module version bumps for patches from Guido Trentalancia.
+ Merge pull request #30 from cgzones/trailing_whitespaces
+ Module version bumps for mozilla and gpg patches from Luis Ressel.
+ Module version bump for patches from Guido Trentalancia.
+ Module version bump for patches from Guido Trentalancia.
+ rtkit, wm: Remove calls to nonexistant interfaces.
+ Module version bumps for patches from Guido Trentalancia.
+ rtkit: enable dbus chat with xdm
+ Module version bump for patches from Guido Trentalancia.
+ Module version bump for xscreensaver patch from Guido Trentalancia.
+ Merge branch 'run_transition' of
+ git://github.com/cgzones/refpolicy-contrib
+ Module version bumps for /run fc changes from cgzones.
+ Module version bump for openoffice and wm patches from Guido Trentalancia.
+ Module version bump for patches from Guido Trentalancia.
+ Module version bump for wm patch from Guido Trentalancia.
+ Merge branch 'usr-fc' of
+ git://github.com/fishilico/selinux-refpolicy-contrib
+ Module version bump for fc updates from Nicolas Iooss.
+ Module version bump for patches from Guido Trentalancia.
+ Module version bump for capability2 fixes from Guido Trentalancia.
+ Module version bump for plymouth fix from Guido Trentalancia.
+ boinc: Update from Russell Coker.
+ Module version bump for mozilla update from Guido Trentalancia.
+ Merge pull request #47 from cgzones/dphysswap_module
+ Merge pull request #40 from cgzones/fakehwclock_module
+ Merge branch 'gpg_module' of git://github.com/cgzones/refpolicy-contrib
+ Merge branch 'irqbalance_module' of
+ git://github.com/cgzones/refpolicy-contrib
+ Merge branch 'loadkeys_module' of
+ git://github.com/cgzones/refpolicy-contrib
+ Module version bumps for patches from cgzones.
+ Merge branch 'exim_module' of git://github.com/cgzones/refpolicy-contrib
+ Merge branch 'screen_module' of git://github.com/cgzones/refpolicy-contrib
+ Module version bump for screen and exim changes from cgzones.
+ screen: Revert broken interface call.
+ cups: Move hplip_domtrans interface.
+ Module version bump for cups patch from Guido Trentalancia.
+ Bump module versions for release.
+
+Dominick Grift (1):
+ Re-add raid fc spec that must have been removed earlier by mistake
+
+Guido Trentalancia (29):
+ cups: descend "rw" directories when reading configuration files
+ Apache OpenOffice module (contrib policy part)
+ openoffice: rename two interfaces in openoffice and evolution
+ mozilla: extend dbus connection permissions
+ openoffice: permission to read user temporary files
+ xguest: restrict ability to execute files on noxattr filesystems
+ pulseaudio: update server and client permissions
+ mozilla: remove redundant pulseaudio interface calls
+ networkmanager: read user certs not user content (was enable
+ userdom_read_user_certs() throughout the policy)
+ Make several calls to mta interfaces optional
+ wm: update the window manager (wm) module and enable its role template
+ (v7)
+ rtkit: enable dbus chat with xdm
+ networkmanager: enable dbus chat with xdm
+ policykit: enable dbus chat with xdm
+ games: general update and improved pulseaudio integration
+ wm: improved integration with games
+ xscreensaver: update the module so that it can be effectively used
+ wm: properly set domain entrypoint in wm_application_domain()
+ openoffice: add writer support for sending email directly to multiple
+ recipients
+ contrib: use new genhomedircon template for username
+ contrib: extend wm ability to launch confined graphical applications
+ contrib: support the new interface to manage X session logs
+ networkmanager: dbus chat with cups
+ cups: add cups-browsed executable fc
+ devicekit: add new wake_alarm permission (capability2)
+ networkmanager: add new wake_alarm permission (capability2)
+ plymouth: use the correct running domain for the client
+ mozilla: execute evolution to send emails
+ cups: new interface to execute HPLIP applications in their own domain
+
+Jason Zaman (4):
+ pcscd: dbus and domain lookup
+ devicekit: fcontext for udisks2
+ gnome: add gkeyring rules and fcontext
+ gpg: add new socket paths
+
+Laurent Bigonville (1):
+ Add debian path for fprintd daemon
+
+Luis Ressel (3):
+ gpg: Add filetrans for scdaemon socket and gpg-agent extra sockets
+ gpg.fc: Adjust whitespace
+ mozilla: Add miscfiles_dontaudit_setattr_fonts_cache_dirs()
+
+Nicolas Iooss (1):
+ Add file contexts for files in /usr/{lib,sbin}
+
+cgzones (10):
+ use domain_auto_transition_pattern instead of domain_auto_trans
+ remove trailing whitespaces
+ transition file contexts to /run
+ update loadkeys module
+ add fakehwclock module
+ add dphysswapfile module
+ update gpg module
+ update screen module
+ update irqbalance module
+ update exim module
+
+* Sun Oct 23 2016 Chris PeBenito <pebenito@ieee.org> - 2.20161023
+Adam Tkac (2):
+ varnishncsa (varnishlog_t) reads localization files
+ Grant certmonger "chown" capability
+
+Chris PeBenito (42):
+ Merge branch 'bigon-geoclue'
+ Add additional comments in geoclue.
+ Merge branch 'bigon-virt-1'
+ Merge branch 'nm-1' of git://github.com/bigon/refpolicy-contrib into
+ bigon-nm-1
+ Merge branch 'bigon-nm-1'
+ Module version bump for virt and networkmanager patches from Laurent
+ Bigonville.
+ Merge branch 'master' of git://github.com/bigon/refpolicy-contrib
+ Module version bump for firewalld updates from Laurent Bigonville.
+ Module version bump for collectd update from Jason Zaman.
+ Module version bumps for user runtime fixes from Jason Zaman.
+ Boinc updates from Russell Coker.
+ rpcbind: Read /sys/devices/system/cpu/online from Russell Coker.
+ watchdog: Move line.
+ Module version bump for watchdog pidfile option from Russell Coker.
+ Systemd units from Russell Coker.
+ Module version bump for pulseaudio fc fix from Jason Zaman.
+ cpucontrol: revise cpucontrol_conf_t labeling, from Guido Trentalancia.
+ Module version bumps for patches from Guido Trentalancia.
+ Update the telepathy module:
+ Update the alsa module so that the alsa_etc_t file context (previously
+ alsa_etc_rw_t) is widened to the whole alsa share directory, instead of
+ just a couple of files.
+ alsa: Add compatibility alias for alsa_etc_rw_t.
+ Update the sysnetwork module to add some permissions needed by the dhcp
+ client (another separate patch makes changes to the ifconfig part).
+ Module version bump for various patches from Guido Trentalancia.
+ pulseaudio: Fix compile errors.
+ Merge branch 'master' of
+ https://github.com/SeanPlacchetti/refpolicy-contrib
+ Module version bump for webalizer dead type removal from Sean Placchetti.
+ Module version bump for Evolution SSL fix from Guido Trentalancia.
+ evolution: Read user certs from Guido Trentalancia.
+ cups: Move can_exec() line.
+ cups: Module version bump for hplip patch from Guido Trentalancia
+ pulseaudio: Move interface definitions.
+ Module version bump for mozilla patch from Guido Trentalancia.
+ Module version bump for gnome patch from Guido Trentalancia.
+ Module version bump for evolution patch from Guido Trentalancia.
+ gpg: Whitespace fix.
+ Merge branch 'feature/fix-networkmanager-varrun-macro' of
+ https://github.com/rfkrocktk/refpolicy-contrib
+ Module version bump for networkmanager fix from Naftuli Tzvi Kay.
+ Merge branch 'rfkrocktk-feature/syncthing'
+ Rearrange lines in syncthing.
+ webalizer: Rearrange a couple lines.
+ Module version bump for webalizer patch from Russell Coker.
+ Bump module versions for release.
+
+Dominick Grift (18):
+ Module version bump for changes to the geoclue module by Laurent
+ Bigonville.
+ Module version bump for changes to various modules from Laurent
+ Bigonville.
+ geoclue: move kernel interface call to the appropriate position
+ Actually associate mailmain_domain attribute with mailman domains
+ Module version bumps for changes to various modules by Nicolas Iooss
+ Module version bump for changes to the cron module by Jason Zaman
+ Module version bump for changes to the redis module by Grant Ridder
+ Module version bump for changes to the raid module by Laurent Bigonville
+ Module version bump for changes to the networkmanager module by Laurent
+ Bigonville.
+ Module version bump for changes to the redis module by Grant Ridder.
+ Module version bump for changes to the mozilla module by Laurent
+ Bigonville.
+ Module version bump for changes to the geoclue module by Nicolas Iooss.
+ Add hwloc-dump-hwdata SELinux policy
+ Module version bump for changes to the varnishd module by Robert Moucha
+ Module version bump for changes to the puppet module by Thomas Mueller
+ Module version bump for changes to the varnishd module by Adam Tkac
+ Module version bump for changes to the certmonger module by Adam Tkac
+ Revert "dbus: allow system, and session bus clients to answer to dbus
+ unconfined domains"
+
+Grant Ridder (2):
+ Add read/write perms for redis-sentinel
+ Allow tcp_connect to redis_port_t for redis_t
+
+Guido Trentalancia (7):
+ Policykit module: add fs_getattr_xattr_fs()
+ Update the policy for module apm
+ Let gpg disable core dumps
+ Update the rtkit module
+ Update the pulseaudio module for usability and ORC support
+ cups: update permissions for HP printers (load firmware)
+ gpg: public key signature verification in evolution
+
+Guido Trentalancia via refpolicy (3):
+ evolution: read SSL certificates
+ mozilla: let mozilla play audio
+ gnome: add support for the OIL Runtime Compiler (ORC) optimized code
+ execution
+
+Jason Zaman (10):
+ cron: Allow locks to be lnk_files
+ collectd: update policy for 5.5
+ consolekit: allow managing user runtime
+ pulseaudio: fcontext and filetrans for runtime
+ ftp: Add filetrans from user_runtime
+ gnome: Add filetrans from user_runtime
+ mplayer: Add filetrans from user_runtime
+ userhelper: Add filetrans from user_runtime
+ wm: Add filetrans from user_runtime
+ pulseaudio: fix user runtime fcontext
+
+Laurent Bigonville (13):
+ Add initial geoclue 2 module
+ Properly escape dot in the path to the geoclue daemon
+ Use auth_use_nsswitch() as we need DNS resolving and access nsswitch.conf
+ virt.fc: Add some debian contexts
+ networkmanager.fc: nm-dispatcher.action has been renamed to nm-dispatcher
+ Allow some domain to read sysctl_vm_overcommit_t
+ Allow mdadm read efivarfs files
+ Allow /var/run/firewalld/ directory to transition to firewalld_var_run_t
+ Add an interface to allow a domain to read firewalld_var_run_t files
+ Allow firewalld to create firewalld_var_run_t directory.
+ dontaudit firewalld attempt to relabel its own config files
+ Allow NM to execute arping
+ Debian now ships firefox-esr, properly label the executable
+
+Luis Ressel (1):
+ New policy for tboot utilities
+
+Naftuli Tzvi Kay (2):
+ Fix NetworkManager Read Pid Files Macro
+ Syncthing Policy
+
+Nicolas Iooss (3):
+ Describe _initrc_domtrans interfaces differently from the _domtrans ones
+ Fix typos in several interfaces
+ Add Arch Linux path for geoclue module
+
+Robert Moucha (1):
+ Fix trivial typo in varnishncsa name
+
+Russell Coker (2):
+ watchdog reads pid files
+ named reads vm sysctls
+
+Russell Coker via refpolicy (1):
+ webalizer patch for inclusion
+
+Sean Placchetti (1):
+ -Remove unused declarations from webalizer type enforcement file
+
+Thomas Mueller (1):
+ Allow puppet_t transtition to shorewall_t
+
+doverride (3):
+ Merge pull request #8 from bigon/geoclue
+ Merge pull request #11 from bigon/overcommit-1
+ Merge pull request #12 from fishilico/typos
+
+* Tue Dec 08 2015 Chris PeBenito <selinux@tresys.com> - 2.20151208
+Alexander Wetzel (1):
+ add vfio support for libvirt
+
+Chas Williams - CONTRACTOR (1):
+ afs: update labels, file contexts and allow access to urandom
+
+Chris PeBenito (14):
+ Module version bump for hadoop_admin() fix from Jazon Zaman.
+ Module version bump for fc typo in radius from Sven Vermeulen.
+ Module version bump for patches from Jason Zaman.
+ Module version bump for init_startstop_service from Jason Zaman.
+ Module version bump for cron_admin interface from Jason Zaman.
+ Comment/whitespace fix in virt.te.
+ Module version bump for vfio support for libvirt from Alexander Wetzel.
+ Add systemd unit types.
+ Add systemd socket activations.
+ Merge branch 'pebenito-master'
+ Module version bump for systemd additions.
+ Merge branch 'bigon-systemd'
+ Module version bump for dbus systemd patch from Laurent Bigonville.
+ Bump module versions for release.
+
+Dominick Grift (16):
+ Module version bump for courier fixes from Sven Vermeulen.
+ Module version bump for afs fixes from Chas Williams.
+ Redundant rules and afs_files_t is not a filesystem type
+ Various samhain fixes
+ Cachefilesd module updates
+ Module version bump for changes to the dnsmasq policy module by Jason
+ Zaman
+ Module version bump for changes to the snmp policy module by Jason Zaman
+ Module version bump for changes to the pulseaudio policy module by Jason
+ Zaman
+ cachefiles: It is cachefilesd_cache_t
+ Module version bump for update to the networkmanager policy module by
+ Stephen Smalley.
+ Module version bumps for "Remove run interface calls from admin
+ interfaces" changes by Jason Zaman.
+ Module version bump for changes to the pulseaudio module by Niklas Haas.
+ Changes to the git, hadoop and rsync modules by Jason Zaman.
+ Module version bump for changes to the virt module by Jason Zaman
+ Module version bump for changes to the mozilla module from Laurent
+ Bigonville.
+ Module version bump for changes to the wine module by Nicolas Iooss
+
+Jason Zaman (19):
+ hadoop: remove _role from _admin interface
+ rpcbind: typo fix
+ git: make inetd interface optional
+ rpc: introduce allow_gssd_write_tmp boolean
+ rpc: allow setgid capability
+ virt: add virt_tmpfs_t type and permissions
+ introduce virt_leaseshelper_t
+ dnsmasq: allow exec shell for scripts
+ snmp: missing fcontext for snmpd
+ pulseaudio: filetrans for autospawn.lock
+ Use init_startstop_service in admin interfaces A-M
+ Use init_startstop_service in admin interfaces N-Z
+ Remove _run() interfaces from _admin()
+ Introduce cron_admin interface
+ rsync: remove rsync_run from admin interface
+ git: allow git_system_t to listen on tcp_sockets
+ hadoop: init_startstop_service() can not take attributes
+ virt: Allow creating qemu guest agent socket
+ virt: Add policy for virtlockd the Virtual machine lock manager
+
+Laurent Bigonville (2):
+ Transition D-Bus system service out of the init_t domain when PID1 is
+ systemd
+ Label iceweasel plugin-container executable as mozilla_plugin_exec_t
+
+Nicolas Iooss (1):
+ wine: remove use of nonexisting interface
+
+Niklas Haas (1):
+ pulse: don't give pulseaudio_client full access to user_home_t
+
+Stephen Smalley (1):
+ contrib: networkmanager: allow netlink_generic_socket access
+
+Sven Vermeulen (6):
+ Locate authdaemon socket and communicate with authdaemon
+ Allow authdaemon to access selinux fs to check SELinux state
+ Grant setuid/setgid to courier_pop_t
+ Execute courier helper script after authentication
+ Courier IMAP needs to manage the users' maildir
+ Fix typo for radiusd /var/lib location
+
+doverride (2):
+ Merge pull request #3 from haasn/pulse-nohome
+ Merge pull request #6 from bigon/mozilla-1
+
+* Wed Dec 03 2014 Chris PeBenito <selinux@tresys.com> - 2.20141203
+Chris PeBenito (26):
+ Whitespace fix in ntp.fc.
+ Module version bump for ntp fc entries from Laurent Bigonville.
+ Whitespace fix in shibboleth.te.
+ Module version bump for new shibboleth module from Martin Lang.
+ Module version bump for apt fix from Nicolas Iooss.
+ Module version bump for dnsmasq MTU fix from Sven Vermeulen.
+ Module version bump for apache content interfaces from Sven Vermeulen.
+ Module version bump for gitweb fc entry on Debian and ArchLinux from
+ Nicolas Iooss.
+ Module version bump for fc regex fixes from Nicolas Iooss.
+ Module version bump for various fixes from Laurent Bigonville.
+ Module version bump for ModemManager fc entry from Laurent Bigonville.
+ Add missing cron_admin_role() dependency.
+ Move sock_file filetrans to fcron_crond conditional.
+ Module version bump for cron and snort updates from Sven Vermeulen.
+ Module version bump for java icedtea fc entries from Sven Vermeulen.
+ Module version bump for apache/mlogc patch from Elia Pinto.
+ Remove name from ntp-kod ntp_drift_t filetrans.
+ Module version bump for ntp-kod file support from Jason Zaman.
+ Module version bump for init_daemon_pid_file use from Sven Vermeulen.
+ Module version bump for alsa and hiawatha fixes from Sven Vermeulen.
+ Module version bump for ftp and tftp fixes from Nicolas Iooss.
+ Move irc exec lines.
+ Module version bump for irc re-exec itself patch from Luis Ressel.
+ Module version bump for NetworkManager fc fix for ArchLinux from Nicolas
+ Iooss.
+ Module version bump for _admin fixes from Jason Zaman.
+ Bump module versions for release.
+
+Dominick Grift (3):
+ Module version bump for changes to the loadkeys module by Nicolas Iooss
+ cron: that boolean identifier does not exist also require it
+ Module version bump for changes to the networkmanager modules by Lubomir
+ Rintel
+
+Elia Pinto (1):
+ apache.te: Add labelling support for /var/log/mlogc
+
+Jason Zaman (20):
+ Add filetrans for ntp-kod file
+ ccs: syntax errors in ccs_admin interface
+ condor: syntax error in condor_admin
+ distcc: syntax error in distcc_admin
+ ftp: syntax error in ftp_admin
+ kerberos: syntax error in kerberos_admin
+ kismet: syntax error in kismet_admin
+ nut: syntax error in nut_admin
+ prelude: syntax error in prelude_admin
+ psad: syntax error in psad_admin
+ quota: syntax error in quota_admin
+ rpcbind: syntax error in rpcbind_admin
+ rpm: syntax error in rpm_admin
+ systemtap: syntax error in stapserver_admin
+ svnserve: syntax error in svnserve_admin
+ uptime: syntax error in uptime_admin
+ zabbix: syntax error in zabbix_admin
+ remove pyzor_role() from pyzor_admin()
+ remove spamassassin_role() from spamassassin_admin()
+ rsync: syntax error in rsync_admin
+
+Laurent Bigonville (7):
+ Add several fcontext for debian specific paths for ntp
+ Fix dbus_all_session_domain(), session_bus_type is an attribute
+ Allow gconfd to be started by the session bus
+ Fix the usage of dbus_spec_session_domain() interface
+ Properly label exim4 initscript under Debian
+ Add new gnome_spec_domtrans_all_gkeyringd() interface
+ Label /usr/sbin/ModemManager as modemmanager_exec_t
+
+Lubomir Rintel (1):
+ Allow NetworkManager to create Bluetooth SDP sockets
+
+Luis Ressel (1):
+ irc.te: Allow irssi to re-execute itself
+
+Martin Lang (1):
+ Add a policy module for shibboleth authentication
+
+Nicolas Iooss (7):
+ apt: remove non-existing permission set write_dir_perms
+ Label /usr/share/gitweb/static as httpd_git_content_t
+ Fix strange file patterns
+ ftp: fix labels in /var/lock/subsys/
+ Label /usr/bin/tftpd as tftpd_exec_t
+ Label /usr/lib/networkmanager/ like /usr/lib/NetworkManager/
+ Allow loadkeys to read usr_t files
+
+Sven Vermeulen (17):
+ dnsmasq reads MTU sysctl
+ Support read/append/manage functions for various httpd content
+ Snort policy updates
+ fcron socket support
+ Fix typo in dnsmasq.if
+ Mark icedtea binaries as java_exec_t
+ Use init_daemon_pid_file for contrib modules
+ Enable asound.state.lock support
+ Add support for Hiawatha web server
+ Use logging_search_logs, not logging_search_log
+ Use logging_search_logs, not logging_search_log
+ Use files_search_etc, not logging_search_etc
+ Use files_search_etc, not logging_search_etc
+ Use files_search_etc, not files_search_config
+ Use corecmd_search_bin, not corecmd_searh_bin
+ Use fs_search_tmpfs, not files_search_tmpfs
+ Use domain_auto_trans, not auto_trans
+
+* Tue Mar 11 2014 Chris PeBenito <selinux@tresys.com> - 2.20140311
+Chris PeBenito (17):
+ Minor rearrangement of minidlna lines.
+ Module version bump for openvpn tmp files from Sven Vermeulen.
+ Update modules for file_t merge into unlabeled_t.
+ Module version bump for postfix showq fc from Laurent Bigonville.
+ Rename gpg_agent_connect to gpg_stream_connect_agent.
+ Module version bump for gpg agent interface from Luis Ressel.
+ Whitespace fixes in git.fc.
+ Module version bump for debian git fc entries from Laurent Bigonville.
+ Move bin_t fc to corecommands.
+ Move exec/transition lines in couchdb.
+ Add comment about couchdb_js policy.
+ Module version bump for couchdb updates from Luis Ressel.
+ Module version bump for pcscd fix from Luis Ressel.
+ Move screen dontaudit rule.
+ Module version bump for screen fix from Luis Ressel.
+ Module version bump for git fc fix from Nicolas Iooss.
+ Bump module versions for release.
+
+Dan Walsh (28):
+ Allow irc_t to use tcp sockets
+ Add labels for apache logs under miq package
+ Allow smbcontrol to create content in /var/lib/samba
+ Allow ktalkd to bind to the ktalkd_port
+ Allow memcache to read sysfs data
+ Allow mdadm to getattr any file system
+ Allow cupsd_lpd_t to bind to the printer port
+ Allow rlogind to bind to the rlogin_port
+ Allow cvs to bind to the cvs_port
+ svirt domains neeed to create kobject_uevint_sockets
+ Lots of new access required for sosreport
+ Allow tgtd_t to connect to isns ports
+ openct needs to be able to create netlink_object_uevent_sockets
+ Allow glusterd to create sock_file in /run
+ Add support for tmp directories to openvswitch
+ Allow virt_domain with USB devices to look at dos file systems
+ Additional access for MLS
+ Additional access for MLS window manager
+ Additional access for MLS window manager
+ Additional access for MLS window manager
+ Allow rpcbind to use nsswitch
+ Allow gpg_agent to use ssh-add
+ Add apache labeling for glpi
+ Allow pegasus to transition to dmidecode
+ Allow mcelog to use the /dev/cpu device
+ Allow apmd to request the kernel load modules
+ Allow postfix programs to getattr on all executables
+ label mate-keyring-daemon with gkeyringd_exec_t
+
+Dominick Grift (126):
+ Typo fix in ksmtuned_admin() by Shintaro Fujiwara
+ Fix monolithic built
+ Change file context spec for aide log files to catch suffixes
+ Module version bumps for changes in various policy modules by Sven
+ Vermeulen
+ Squid: Use a single pattern for brevity
+ Irc was already allowed to create tcp sockets, it only needed an
+ additional accept, and listen to be able to act as a proxy
+ Its probably a better idea to use the httpd_sys_ra_content_t type sid
+ for logs in these locations
+ Module version bump for changes to the tcsd policy module by Lukas
+ Vrabec
+ Module version bump for changes to various policy modules by Miroslav
+ Grepl
+ Module version bump for changes to the samba policy module by Dan Walsh
+ Module version bump for changes to the telepathy policy module by
+ Miroslav Grepl
+ We do not have a boinc domain type attribute Change boolean
+ description a bit
+ Additional rabbitmq couchdb support
+ Module version bumps for changes to various policy modules by Miroslav
+ Grepl
+ Additional git tcp networking rules
+ Additional ktalkd udp networking rules
+ Module version bump for changes to various policy modules by Dan Walsh
+ Addtional cups ldp tcp networking rules
+ Should be server packets because it is binding, and not connecting
+ Clean up telnet, and rlogin networking rules
+ Additional cvs tcp networking rules
+ Module version bump for changes to various policy modules by Dan Walsh
+ Addtional tgtd tcp networking rules
+ Additional polipo tcp networking rules
+ Fix asterisk files_spool_filetrans()
+ Module version bump for changes to the networkmanager policy module by
+ Lukas Vrabec
+ Additional fs_tmpfs_filetrans() for munin service plugin content on
+ tmpfs
+ Module version bump for changes to various policy modules by Miroslav
+ Grepl
+ Support rlogind, and telnetd as init daemon domains ( i think fedora is
+ campaigning to get rid of (x)?inetd )
+ Support mariadb logging, file context specification for mariadb specific
+ config location
+ Change logwatch boolean identifier to something more self-documenting.
+ Additional tcp networking rules
+ Module version bump for changes to various policy modules by Miroslav
+ Grepl
+ Fix inconsistencies in the pkcs policy module
+ Fix fetchmail inconsistencies
+ Module version bump for changes in various policy modules by Dan Walsh
+ Support for window managers to stream socket connect to pulseaudio
+ Logwatch does not need to be able to bind tcp sockets to generic nodes
+ since its only connecting
+ Adds userhelper_exec_consolehelper for window managers
+ Remove duplicate rules due to addition of auth_use_nsswitch()
+ We dont use the arbt domain types template. Use a more uniform boolean
+ discription
+ Clean up libstoragemngmt policy module We do not yet support systemd
+ Change type from etc_rw to conf for readability admin access to
+ condor_conf_t
+ Hit by a nasty optional policy nesting issue
+ We will find another way to run pa as a system server
+ Module version bump for changes to various policy modules by Miroslav
+ Grepl
+ Clean up hypervkvp policy module (seems incomplete)
+ Clean up initial redis policy module
+ Additional openvpn tcp networking rules
+ redis: allow redis to bind tcp sockets to redis_port_t type ports
+ bluetooth: bluetooth_t acquires org.bluez service on dbus system bus
+ wm: associate wm_exec_t to core command executable files so that initrc_t
+ (/sbin/start-stop-daemon) can access it (metacity)
+ logrotate restarts syslogd via init script in Debian
+ This file is called just man-db in Debian.
+ exim: exim owns directory /var/lib/exim4
+ accountsd: accounts-daemon lists /var/log
+ alsa: alsactl listing /dev/shm alsa: alsactl reading /dev/urandom alsa:
+ alsactl getting attributes of devtmpfs / (/dev) alsa: alsactl maintains
+ a pulseaudio tmpfs file
+ Cron: /sbin/runlevel reads /run/utmp cron: anacron (system_cronjob_t)
+ reading, writing inherited random crond tmp files (/tmp/tmpfk1VT2O)
+ dbus: allow system, and session bus clients to answer to dbus unconfined
+ domains
+ apt: Run apt system cronjobs in the apt_t domain apt: apt system cronjob
+ creates dpkg.status.* files in /var/backup
+ devicekit: upowerd reads own unix stream socket devicekit:
+ devicekit_power_t (runlevel) read /run/utmp
+ mandb: Make the man-db cronjob work on Debian
+ rtkit: traverse /proc to get to process state files
+ networkmanager: NetworkManager reads /run/udev/data/n2 file
+ avahi: create a avahi_initrc_domtrans for udev_t: udev runs a avahi dns
+ check script which does, i guess, a dns check. If needed it starts, or
+ stops avahi via its init script. I also created a
+ avahi_manage_pid_files() for udev_t because the script manages a file
+ called "checked_nameservers.*" in /run/avahi-daemon
+ Cleanups of various modules with regard to regular expressions and white
+ space
+ apt: As it turns out the /var/backups directory is labeled in the backup
+ module (which i incidentally did not have installed earlier). Instead
+ of creating this file with a file type transition to
+ apt_var_cache_t, allow apt_t to manage backup_store files
+ mta: this needs to be verified again, it should just have been running
+ in exim_t. I might have taken this from old logs
+ mandb: /etc/cron.daily/man-db executes dpkg, reads dpkg db on Debian
+ slocate: catch /usr/bin/updatedb.mlocate, and /etc/cron.daily/mlocate on
+ Debian
+ dpkg: catch /etc/cron.daily/dpkg on Debian dpkg: allow
+ /etc/cron.daily/dpkg to manage backup store files on Debian
+ cron: consistent usage of regular expressions cron: prelink no longer
+ runs in the system cronjob domain
+ alsa: alsactl wants to associate pulse-shm-.* to device_t type
+ filesystems. This happens early on but i do not understand how that
+ (/dev) relates to /dev/shm in this regard
+ devicekit: reads udev pid files modemmanager: reads udev pid files
+ vdagent: spice-vdagentd uses /dev/vport1p1 virtio console
+ tmpreaper: mountall-bootcl in the tmpreaper_t domain reads, writes
+ /dev/pts/0 inherited from init script
+ revert regular expressions
+ wm: allow $1_wm_t to stream connect to $1_gkeyringd_t
+ mta: allow system_mail_t (user_mail_domains) to read kernel sysctls and
+ to read exim var lib files.
+ mta: These are duplicates because system_mail_t is a user_mail_domain,
+ as it is based off of the mta_base_mail_template() which assigns that
+ type attribute
+ locate: extra rules needed by debian /etc/cron.daily/locate script
+ backup: in Debian /etc/cron.daily/passwd backs-up shadow, passwd etc to
+ /var/backups
+ avahi: create interfaces that will allow calles to create avahi pid dirs
+ and create specifc avahi pid objects with a type transition (for
+ udev, which runs: /usr/lib/avahi/avahi-daemon-check-dns.sh in
+ Debian
+ Initial gdomap policy module
+ Initial minissdpd policy module
+ alsa: due to a bug in gnome 3.4, in debian, alsactl does all kinds of
+ weird things related to pulseaudio
+ various: revert regex fixes: fcsort does not want this now
+ gdomap: gdomap_port_t is now available, gdomap binds tcp, and udp socket
+ to it
+ alsa: make alsa_t and pulseaudio_client so that pulseaudio_client rules
+ apply to it. alsactl does not actually run pulseaudio it seems though.
+ pulseaudio: allow all pulseaudio_client to send null signals to
+ unconfined_t, since unconfined_t is not actually a pulseaudio_client (
+ unconfined_t runs pulseaudio without a domain transition)
+ avahi: create avahi_setattr_pid_dirs() for udev (avahi dns check script
+ run by udev in Debian)
+ These { read write } tty_device_t chr files on boot up in Debian
+ colord: colord executable file locations in Debian
+ colord: reads /proc/1, reads /run/udev files
+ vdagent: read/write mtrr file
+ mandb: dpkg running in the mandb_t domain in Debian (mandb cronjob)
+ traverses /root
+ exim: traverses sysfs, uses system cronjob file descriptors (/dev/null) in
+ Debian (/etc/cron.daily/exim)
+ minissdpd fixes
+ devicekit: disk reads /proc/sys/vm/overcommit_memory
+ devicekit: edit devicekit_append_inherited_log_files to include get
+ attribute permission so that it can be also used for fsadm
+ devicekit: 95hdparm-apm (devicekit_power_t) gets attributes of /dev/sda
+ (fixed_disk_device_t)
+ networkmanager: added interfaces that fedora calls for dhcpc. In Debian it
+ was confirmed that at least dhclient manages
+ /var/lib/NetworkManager/dhclient-eth0.conf
+ firewalld: various fixes that i borrowed from Fedora but that also apply
+ to Debian (confirmed)
+ firewalld: interfaces created for iptables
+ irqbalance: getsched from Debian
+ colord: colord reads /proc/3412/cmdline (cupsd state files)
+ virt: libvirtd reads /run/udev/data/+input:input3
+ firewalld: traverses / on sysfs
+ rngd: needs ipc_lock capability, maintains /run/rngd.pid
+ tmpreaper: mountall-bootcl executes /bin/plymouth on Debian
+ minissdpd: deal with assertion violation (sys_module)
+ gdomap: missing networking rules, it traverses /tmp for some reason
+ ntp: create ntp_read_drift_files() for dhclient
+ dpkg: allow dpkg, and dpkg script to domain transition to initrc_t on any
+ init script file type rather than only the generic initrc_exec_t init
+ script file type
+ exim: exim4 reads online
+ apt: apt runs /usr/bin/apt-get apt: on_ac_power (apt_t) lists
+ /sys/class/power_supply
+ exim: exim_manage_var_lib_files created for init: init script runs helper
+ apps that create/manage /var/lib/exim4/config.autogenerated.tmp
+ gdomap/minissdpd: create read_config interfaces for initrc_t
+ exim: make exim init script create /var/run/exim4 with a proper context
+ pulseaudio: pulsaudio_t needs to be able to read user_tmpfs_files
+ (/run/shm/pulse-shm-.*)
+ dnsmasq: add support for /etc/dnsmasq.d/
+ Module version bumps for various policy modules
+ Module version bump for changes to the logrotate module by Luis Ressel
+ Git: git daemons can list and read git personal repositories
+ Module version bumps for changes to various policy modules by Fedora
+ redis, lsm: typo fixes
+ userhelper: append newline
+
+James Carter (8):
+ - Fixed typo in contrib/avahi.if
+ - Fixed typo in contrib/glusterfs.te
+ - Fixed typo in contrib/jabber.if
+ - Fixed typo in contrib/keystone.if
+ - Fixed typo in contrib/mailscanner.if
+ - Fixed typo in contrib/qpid.if
+ - Fixed typo in contrib/readahead.fc.
+ - Fixed typo in contrib/rpm.if.
+
+Laurent Bigonville (2):
+ Label /usr/lib/postfix/showq as postfix_showq_exec_t
+ Properly label git-daemon and gitweb.cgi on Debian
+
+Luis Ressel (10):
+ Allow initrc_t to create /var/run/opendkim
+ Label /etc/cron.daily/logrotate correctly.
+ gpg: Create gpg_agent_connect interface
+ Minor updates to couchdb policy
+ couchdb: Add separate domain for couchjs
+ couchdb: Dontaudit denials caused by Erlang's disksup
+ Reformat couchdb.fc
+ pcscd.if: Permit access to pid files inside /var/run/pcscd/.
+ Allow gpg-agent's scdaemon to connect to pcscd.
+ Dontaudit screen asking for the sys_tty_config capability
+
+Lukas Vrabec (8):
+ Allow tcsd to read utmp file
+ fix boinc policy
+ Add support for couchdb in rabbitmq policy
+ Fix transition rules in asterisk policy
+ Add fowner capability to networkmanager policy
+ Add policy for lsmd
+ Add policy for hypervkvpd
+ Add policy for redis-server
+
+Mika Pflüger (1):
+ Correct typo in passenger module name
+
+Miroslav Grepl (40):
+ Allow passenger to execute ifconfig
+ Allow mpd setcap which is needed by pulseaudio
+ Allow block_suspend cap for samba-net
+ Allow t-mission-control to manage gabble cache files
+ Allow nslcd to read /sys/devices/system/cpu
+ Add labeling for ~/.cache/telepathy/avatars/gabble
+ Allow firewalld to read NM state
+ Allow systemd running as git_systemd to bind git port
+ Fix labeling for fetchmail pid files/dirs
+ Fix polipo.te
+ Fix cupsd.te
+ Allow munin service plugins to manage own tmpfs files/dirs
+ Make ktalk as init domain
+ Allow mysqld_safe_t to handle also symlinks in /var/log/mariadb
+ Add logwatch_can_sendmail boolean
+ Allow rhsmcertd to read init state
+ Allow fsetid for pkcsslotd
+ Allow fetchmail to create own pid with correct labeling
+ Fix rhcs_domain_template()
+ Add support for abrt-upload-watch
+ Allow virtd to relabel unix stream socket
+ Fix lsm.fc for pid files
+ Also sock_file trans rule is needed in lsm
+ Update condor_master rules to allow read system state info and allow
+ logging
+ Add labeling for /etc/condor and allow condor domain to write it (bug)
+ Allow condor domains to manage own logs
+ Allow glusterd to read domains state
+ Add openvpn_can_network_connect() boolean
+ Fix minissdpd_admin()
+ Allow ctdb to getattr on al filesystems
+ Watchdog opens the raw socket
+ Allow watchdog to read network state info
+ Add setroubleshoot_signull() interface
+ Allow sosreport to send signull to setroubleshootd
+ Allow sosreport all signal perms
+ Allow sosreport to dbus chat with rpm
+ Allow zabbix_agentd to read all domain state
+ Allow smoltclient to execute ldconfig
+ Allow sosreport to request the kernel to load a module
+ Allow setpgid for sosreport
+
+Nicolas Iooss (1):
+ git: fix file pattern after whitespace fixes
+
+Sven Vermeulen (6):
+ Add minidlna policy
+ Allow openvpn temporary files
+ Add aide bin /usr/bin and mark /var/lib/aide
+ Provide alsa_write_lib interface
+ Run dmidecode after newrole or on terminals
+ Grant write privileges to squid on its log files
+
+* Wed Apr 24 2013 Chris PeBenito <selinux@tresys.com> - 2.20130424
+Chris PeBenito (18):
+ Rewrite of mcelog module from Guido Trentalancia
+ Remove unnecessary lines in mcelog.te.
+ Slight rearrangement in mcelog.te.
+ Module version bump for mcelog update from Guido Trentalancia.
+ Module version bump for ntp module fixes from Dominick Grift.
+ Module version bump for fc substitutions optimizations from Sven
+ Vermeulen.
+ Module version bump for postfix/mta misc fixes from Sven Vermeulen.
+ Module version bump for init_daemon_run_dirs usage from Sven Vermeulen.
+ Turn off all tunables by default, from Guido Trentalancia.
+ Module version bump for tunable default change.
+ Module version bump for saslauthd tcp mysql connections from Mika Flueger.
+ Move kernel request line in quota.
+ Module version bump for quota kernel module request from Mika Pflueger.
+ Module version bump for djbdns ports fixes from Russell Coker.
+ Remove stray + in keystone.te.
+ Whitespace fixes in cron.fc.
+ Module version bump for pulseaudio type_transition conflict fix from Sven
+ Vermeulen.
+ Bump module versions for release.
+
+Dominick Grift (889):
+ Initial BIRD Internet Routing Daemon policy
+ oident daemon fixes
+ Introduce ntp_conf_t
+ Allow ntp_admin() to manage ntp_drift_t content.
+ List etc_t directories
+ Use "Role allowed access." for consistency
+ Use permissions sets for compatibility.
+ Remove getattr permision from ntp_admin()
+ Initial Sensord policy module
+ Various block_suspend capability2 support from Fedora
+ Gitolite3 support from Fedora
+ /var/lib/sqlgrey is greylist milter data from Fedora
+ Terminal related fixes for plymouthd from Fedora Support block_suspend
+ capability2 for plymouth
+ Support minimal polkit in new location
+ Support ldap for user authentication from Fedora
+ Sanlock sends kill signals to non-root processes from Fedora Various
+ other capabilities for sanlock from Fedora
+ Initial support for sqlgrey from Fedora
+ Tor reads network sysctls from Fedora
+ GPG agent reads /dev/random from Fedora
+ Freshclam reads system and network state from Fedora
+ Execute wpa_cli in the NetworkManager_t domain for wicd from Fedora
+ lpstat.cups reads fips_enabled from Fedora
+ Initial system tap compile server policy module
+ Systemtap server admin manages stapserver_var_lib_t content
+ Telepathy Idle reads gschemas.compiled from Fedora
+ Initial slpd policy module
+ Initial lightsquid policy module
+ Initial wdmd policy module
+ Initial mailscanner policy module and some depencies.
+ Support slpd log rotation
+ Initial numad policy module
+ Open log files for append only
+ CGClear reads CGConfig files from Fedora Cosmetic changes to cgroup
+ policy module File contexts of cgroup app executables files in
+ /sbin also apply to /usr/sbin Make cgroup_admin() a bit more
+ compact
+ Initial svnserve policy module
+ Various small changes to ucspitcp
+ Initial fcoe policy module
+ Initial lldpad policy module
+ fcoemon sends to lldpad with a dgram socket
+ Initial quantum policy module
+ Initial dspam policy module
+ Module version bump for Telepathy file context spec fixes from Laurent
+ Bigonville.
+ Initial isns policy module
+ Various changes to tcs policy module
+ Initial ctdb policy module
+ Various changes to the sblim policy module and its dependencies
+ Initial polipo policy module
+ Module version bump for networkmanager fixes
+ Fixes to the polipo policy module
+ Module version bump for smartmon fixes from Laurent Bigonville.
+ Module version bump for accountsd file context spec fix from Laurent
+ Bigonville.
+ Various changes to the raid module
+ Module version bump for rtkit file context spec fix from Laurent
+ Bigonville
+ Initial couchdb policy module
+ Changes to the bind policy module
+ Initial dnssectrigger policy module
+ Initial man2html policy module
+ Initial openhpi policy module
+ Bind sends/receives http server instead of client packets conditionally
+ Two file context regular expression fixes by Eric Paris
+ Type mdadm_t is no longer a unconfined type
+ Initial pkcs policy module
+ Initial cfengine policy module
+ Initial keystone policy module
+ Initial l2tp policy module
+ Initial mongodb policy module
+ cfengine whitespace cleanup
+ Changes to the accountsservice policy module
+ Changes to the acct policy module
+ Changes to the ada policy module
+ changes to the afs policy module
+ Changes to the accountsservice policy module
+ Changes to the aiccu policy module
+ Changes to the aide policy module
+ Syntax error in afs_admin()
+ Changes to the aisexec policy module
+ Changes to the alsa policy module
+ Changes to the amanda policy module
+ Changes to the amavisd policy module and relevant dependencies
+ Changes to the amtu policy module
+ Changes to the anaconda policy module
+ Changes to the abrt policy module and relevant dependencies
+ numad sends/receives msgs from Fedora
+ Amtu executable file in installed in /usr/sbin in Fedora
+ The (usr/)? expression does not work consistently so better not use it
+ at all
+ Changes to the httpd policy module
+ Merge branch 'master' of
+ ssh://dgrift@oss.tresys.com/home/git/refpolicy-contrib
+ Fixes to the apache policy module and dependencies
+ Changes to the apcupsd policy module
+ Role attributes for lightsquid application domain
+ Changes to the mailscanner module
+ Changes to the svnserve policy module
+ Changes to the quantum policy module
+ Changes to the dspam module
+ Changes to the ctdb policy module
+ Changes to the couchdb policy module
+ Changes to the openhpid policy module
+ Changes to the keystone policy module
+ Changes to the l2tp policy module
+ Changes to the apm module and relevant dependencies
+ Changes to the arpwatch policy module
+ Changes to the apcupsd policy module
+ Changes to the abrt policy module
+ Changes to the apache policy module
+ Changes to the asterisk policy module and dependencies
+ Changes to the authbind policy module
+ Changes to the automount policy module
+ Change acpid lock file context spec
+ Changes to the avahi policy module and dependencies
+ Changes to the awstats policy module
+ Changes to the bacula policy module
+ Changes to the bcfg2 policy module
+ Changes to the apt policy module
+ Changes to the apache policy module
+ Changes to the backup module
+ Changes to the bind policy module
+ Bird module clean up
+ Fix arpwatch connected_stream_socket_perms
+ Changes to the bitlbee policy module
+ Changes to the blueman policy module
+ Changes to the bluetooth policy module
+ Changes to the brctl policy module
+ Changes to the apache policy module
+ Changes to the bugzilla policy module
+ Changes to the calamaris policy module
+ Implement lightsquid_admin()
+ Changes to the apache policy module and dependencies
+ Initial boinc policy module
+ Initial callweaver policy module
+ Changes to the canna policy module
+ Changes to the ccs policy module
+ Changes to the cdrecord policy module
+ Changes to the certmaster policy module and various role attribute fixes
+ cdrecord needs to read and write callers unix domain stream socket not
+ create it
+ Changes to the certmonger policy module and its dependencies
+ Initial cachefilesd policy module
+ Changes to the certwatch policy module
+ Changes to the chronyd policy module
+ Changes to the cipe policy module
+ Changes to the clamav policy module
+ Various network clean up
+ Add dev_rw_cachefiles() to cachefilesd policy module
+ Changes to the clockspeed policy module
+ Changes to the clogd policy module
+ Changes to the cmirrord policy module
+ Changes to the cobbler policy module
+ Changes to the colord policy module
+ Changes to the comsat policy module
+ Initial collectd policy module
+ Initial condor policy module and relevant dependencies
+ Changes to the consolekit policy module and relevant dependencies
+ Changes to the corosync policy module and relevant dependencies
+ Clean up couchdb network rules
+ Changes to the courier policy module
+ Changes to the cpucontrol policy module
+ Changes to the cpufreqselector policy module
+ Changes to the cron policy module and relevant dependencies
+ Changes to the cups policy module and relevant dependencies
+ Changes to the cvs policy module
+ Remove redundant connect avperms
+ Changes to the cyphesis policy module
+ Remove redundant rules from apache_admin()
+ Changes to the cyrus policy module
+ Changes to the daemontools policy module
+ Changes to the dante policy module
+ Modify dbadm boolean descriptions
+ Changes to the dbus policy module and its dependencies
+ Changes to the dcc policy module
+ Changes to the ddclient policy module
+ Changes to the ddcprobe policy module
+ Changes to the denyhosts policy module
+ Changes to the devicekit policy module and relevant dependencies
+ Changes to the dhcpd policy module
+ Changes tothe dictd policy module
+ Changes to the discc policy module
+ Changes to the djbdns policy module
+ Changes to the dkim policy module
+ Changes to the dmidecode policy module
+ Module bump for Laurent Bigonville trousers init script file context
+ specification fix
+ Module bump for Laurent Bigonville libvirt init script file context
+ specification fix
+ Changes to the dnsmasq policy module and relevant dependencies
+ Changes to the dovecot policy module
+ Changes to the dpkg policy module
+ Changes to the entropyd policy module
+ Changes to the evolution policy module
+ Changes to the exim policy module and relevant dependencies
+ Changes to the cron policy module
+ Changes to the fail2ban policy module
+ fcoemon XML clean up
+ Changes to the fetchmail policy module
+ Changes to the fingerd policy module
+ Initial firewalld policy module
+ Changes to the firstboot policy module
+ Changes to the fprint policy module and relevant dependencies
+ Changes to the ftp module
+ Changes to the games policy module
+ Clean up evolution and cdrecord XML
+ Changes to the gatekeeper policy module
+ Changes to the gift policy module
+ Changes to the git policy module
+ Changes to the gitosis policy module
+ Changes to the glance policy module
+ Initial glusterfs policy module
+ Add gatekeeper newline
+ Deprecate glusterd_admin() use glusterfs_admin() instead
+ Portage module version bump for autofs support by Matthew Thode and
+ clean up
+ cfengine: This location is now labeled with a cfengine private type
+ Changes to the slpd policy module
+ Changes to the gnomeclock policy module and relevant dependencies
+ Changes to the gpg policy module
+ Changes to the gpm policy module
+ Changes to the gpsd policy module and relevant dependencies
+ changes to the guest policy module
+ Changes to the gnomeclock policy module
+ Deprecate various DBUS interfaces and relevant dependencies
+ Changes to the cachefilesd policy module
+ Remove file context specification for kgpg which is a GUI frontend to
+ GPG. Domain transition to gpg_t will happen when kgpg runs gpg.
+ (rhbz#862229)
+ Initial mandb policy module
+ Changes to the hadoop policy module
+ Changes to the hald policy module
+ Changes to the hddtemp policy module
+ Changes to the howl policy module
+ changes to the mandb policy module
+ Changes to the dbus policy module
+ Changes to the rpm policy module
+ Changes to the i18n_input policy module
+ Changes to the icecast policy module
+ Changes to the ifplugd policy module
+ Changes to the imaze policy module
+ Changes to the inetd policy module and relevant dependencies
+ Changes to the innd policy module
+ Changes to the irc policy module
+ Changes to the ircd policy module
+ Changes to the irc policy module
+ Changes to the dbus policy module
+ Changes to the avahi policy module
+ Changes to the bluetooth policy module
+ Changes to the aiccu policy module
+ Changes to the bacula policy module
+ Changes to the boinc policy module
+ Changes to the bugzilla policy module
+ Changes to the ccs policy module
+ Changes to the clamav policy module
+ Changes to the cobbler policy module
+ Changes to the cyphesis policy module
+ Changes to the dante policy module
+ Changes to the dbskk policy module
+ Changes to the ddclient policy module
+ Changes to the denyhosts policy module
+ Changes to the dnssectrigger policy module
+ Changes to the dovecot policy module
+ Changes to the drbd policy module
+ Changes to the evolution policy module
+ Changes to the fail2ban policy module
+ Changes to the firewalld policy module
+ Changes to the firstboot policy module
+ Changes to the games policy module
+ Changes to the gift policy module
+ Changes to the glance policy module
+ Changes to the hald policy module
+ Changes to the dbus policy module
+ Changes to the git policy module
+ Changes to the polipo policy module
+ Changes to the firewalld policy module
+ Changes to the gpg policy module
+ Tab clean up in ircbalance file context file
+ Changes to the irqbalance policy module
+ Tab clean up in iscsi file context file
+ Changes to the iscsi policy module
+ Tab clean up in jabber file context file
+ Changes to the jabberd policy module
+ Changes to the pyicqt policy module
+ Tab clean up in java file context file
+ Changes to the java policy module
+ Changes to the dbus policy module
+ Changes to the gnome policy module
+ Changes to the apache policy module
+ Changes to the accountsd policy module
+ Changes to the alsa policy module
+ Changes to the evolution policy module
+ Changes to the bluetooth policy module
+ Changes to the games policy module
+ Changes to the gift policy module
+ Changes to the gpg policy module
+ Changes to the hadoop policy module
+ Tab clean up in kdump file context file
+ Changes to the kdump policy module
+ Changes to the gpg policy module
+ Changes to the dbus policy module
+ Changes to the evolution policy module
+ Changes to the gpm policy module
+ Version bump for evolution file context fixes by Laurent Bigonville
+ Version bump for nut file context fixes by Laurent Bigonville
+ Changes to the kdumpgui policy module
+ Tab clean up in kerberos file context file
+ Changes to the kerberos policy module and relevant dependencies
+ Changes to the kerneloops policy module
+ Tab clean up in kerberos file context file
+ Changes to the kismet policy module
+ Clean up amavis XML header
+ Initial keyboardd policy module
+ Tab clean up in ksmtuned file context file
+ Changes to the ksmtuned policy module
+ Tab clean up in ktalk file context file
+ Changes to the ktalk policy module
+ Changes to the kudzu policy module
+ Initial iodine policy module
+ Initial dirmngr policy module
+ Changes to the iodine policy module
+ Changes to the kerberos policy module
+ Changes to the kdumpgui policy module
+ Update deprecated interface calls ( gnome_read_config ->
+ gnome_read_generic_home_content )
+ Changes to the mozilla policy module
+ Changes to the thunderbird policy module
+ Changes to the l2tp policy module
+ Tab clean up in ldap file context file
+ Changes to the ldap policy module
+ Tab clean up in likewise file context file
+ Changes to the likewise policy module
+ Tab clean up in lircd file context file
+ Changes to the lircd policy module
+ Changes to the livecd policy module
+ Tab clean up in loadkeys file context file
+ Changes to the loadkeys policy module and relevant dependencies
+ Tab clean up in lockdev file context file
+ Changes to the lockdev policy module
+ Tab clean up in logrotate file context file
+ Changes to the logrotate policy module and relevant dependencies
+ Tab clean up in logwatch file context file
+ Changes to the logrotate policy module
+ Changes to the logwatch policy module
+ Tab clean up in lpd file context file
+ Changes to the lpd policy module
+ Tab clean up in cron policy module
+ Changes to the lpd policy module
+ Changes to the consolekit policy module
+ Tab fix in cron policy module
+ Tab clean up in mailman file context file
+ Changes to the mailman policy module and relevant dependencies
+ Tab clean up in mcelog file context file
+ Changes to the mcelog policy module
+ Tab clean up in mediawiki file context file
+ Mediawiki XML clean up
+ Tab clean up in memcached file context file
+ Changes to the memcached policy module
+ Changes to the apache policy module
+ Tab clean up in milter file context file
+ Changes to the milter policy module and relevant dependencies
+ Changes to the modemmanager policy module
+ Tab clean up in mojomojo file context file
+ Changes to the mojomojo policy module and relevant dependencies
+ Changes to the gpg policy module
+ Changes to the mongodb policy module
+ Changes to the mono policy module
+ Changes to the monop policy module
+ Tab clean up in mozilla file context file
+ Changes to the mozilla policy module and relevant dependencies
+ Changes to the mozilla policy module
+ Changes to the apache policy module
+ Tab clean up in mpd file context file
+ Changes to the mpd policy module
+ Tab clean up in mplayer file context file
+ Changes to the evolution policy module
+ Changes to the mplayer policy module
+ Changes to the irc policy module
+ Tab clean up in mrtg file context file
+ Changes to the mrtg policy module
+ Tab clean up in mta file context file
+ Changes to the mta policy module and relevant dependencies
+ Changes to the mta policy module and relevant dependencies
+ Get rid of mozilla_conf_t as it is unused
+ Changes to the logrotate policy module
+ Changes to the logwatch policy module
+ Changes to the java policy module
+ Changes to the apache module and relevant dependencies
+ Tab clean up in munin file context file
+ Changes to the munin policy module and relevant dependencies
+ Tab clean up in mysql file context file
+ Changes to mysqld policy module
+ Changes to various policy modules
+ Changes to the munin policy module
+ Changes to the dovecot policy module
+ Changes to various policy modules
+ Changes to the mta policy module
+ Changes to the certmonger policy module and relavant dependencies
+ Tab clean up in nagios file context file
+ Changes to the nagios policy module and relevant dependencies
+ Changes to the modutils policy module
+ Tab cleanup in the nessus file context file
+ Changes to the nessus policy module
+ Tab clean up in the network manager file context file
+ Changes to the networkmanager policy module and relevant dependencies
+ Changes to the mozilla policy module
+ Changes to the cobbler policy module
+ Initial rngd policy module
+ Tab clean up in the nis file context file
+ Changes to the nis policy module
+ Tab clean up in the nscd file context file
+ Changes to the nscd policy module
+ Tab clean up in the nsd file context file
+ Changes to the nsd policy module
+ Tab clean up in the nslcd file context file
+ Changes to the nslcd policy module
+ Tab clean up in the ntop file context file
+ Changes to the ntop policy module
+ Tab clean up in the ntp file context file
+ Changes to the ntp policy module
+ Changes to the numad policy module
+ Tab clean up in the nut file context file
+ Changes to the nut policy module
+ Tab clean up in the nx file context file
+ Changes to the nx policy module
+ Changes to the oav policy module
+ Initial obex policy module
+ Tab clean up in the oddjob file context file
+ Tab clean up in gpg policy module
+ Changes to the oddjob policy module
+ Changes to the mozilla policy module
+ Initial pacemaker policy module
+ Tab clean up in the oidentd file context file
+ Changes to the oident policy module
+ Tab clean up in the openca file context file
+ Changes to the openca policy module
+ Tab clean up in the openct file context file
+ Changes to the openct policy module
+ Tab clean up in the openvpn file context file
+ Changes to the openvpn policy module
+ Tab clean up in the pads file context file
+ Changes to the pads policy module
+ Tab clean up in the passenger file context file
+ Changes to the passenger policy module and relevant dependencies
+ Tab clean up in the pcmcia file context file
+ Changes to the pcmcia policy module
+ Tab clean up in the pcscd file context file
+ Changes to the pcscd policy module and relevant dependencies
+ Tab clean up in the pegasus file context file
+ Changes to the pegasus policy module
+ Tab clean up in the perdition file context file
+ Changes to the perdition policy module
+ Tab clean up in the pingd file context file
+ Changes to the pingd policy module
+ Changes to the plymouthd policy module
+ Changes to the mozilla policy module
+ Changes to the plymouth policy module
+ Tab clean up in the podsleuth file context file
+ Changes to the podsleuth policy module
+ Tab clean up in the policykit file context file
+ Changes to the policykit policy module and relevant dependencies
+ Tab clean up in the portage file context file
+ Changes to the portage policy module
+ Tab clean up in the portmap file context file
+ Changes to the portmap policy module
+ Tab clean up in the portreserve file context file
+ Changes to the portreserve policy module
+ Tab clean up in the portslave file context file
+ Changes to the portslave policy module and relevant dependencies
+ Tab clean up in the postfix file context file
+ Changes to the postfix policy module and relevant dependencies
+ Fixes to various policy modules
+ Tab clean up in the postfixpolicyd file context file
+ Changes to the postfixpolicyd policy module
+ Tab clean up in the postgrey file context file
+ Changes to the postgrey policy module
+ Tab clean up in the ppp file context file
+ Changes to the ppp policy module and relevant dependencies
+ Tab clean up in the prelink file context file
+ Changes to the prelink policy module and relevant dependencies
+ Tab clean up in the prelude file context file
+ Changes to the prelude policy module
+ Tab clean up in the privoxy file context file
+ Changes to the privoxy policy module
+ Tab clean up in the procmail file context file
+ Changes to the procmail policy module
+ Tab clean up in the psad file context file
+ Changes to the psad policy module
+ Changes to the ptchown policy module
+ Tab clean up in the publicfile file context file
+ Changes to the publicfile policy module
+ Fix a fatal syntax error in mozilla_plugin_role()
+ Changes to the plymouth policy module
+ Changes to the policykit policy module
+ Module version bump for fixes in shorewall, fail2ban and portage policy
+ modules by Sven Vermeulen
+ Tab clean up in the puppet file context file
+ Changes to ther puppet policy module and relevant dependencies
+ Initial pwauth policy module
+ Tab clean up in the pxe file context file
+ Changes to the pxe policy module
+ Tab clean up in the pyzor file context file
+ Changes to the pyzor policy module
+ Tab clean up in the qemu file context file
+ Changes to the qemu policy module
+ Tab clean up in the virt file context file
+ Changes to the virt policy module and relevant depedencies
+ Changes to the virt policy module
+ Changes to the cron policy module
+ Changes to the qemu policy module
+ Changes to the virt policy module
+ Epylog wants sys_nice and setsched
+ Tab clean up in the qmail file context file
+ Changes to the qmail policy module
+ Tab clean up in the qpid file context file
+ Changes to the qpid policy module
+ Tab clean up in the quota file context file
+ Changes to the quota policy module and relevant dependencies
+ Initial rabbitmq policy module
+ Tab clean up in the radius file context file
+ Changes to the radius policy module
+ Tab clean up in the radvd file context file
+ Changes to the radvd policy module
+ Changes to the raid policy module
+ Tab clean up in the razor file context file
+ Changes to the razor policy module and relevant dependencies
+ Smokeping cgi needs to run ping with a domain transition Remove
+ redundant socket create already provided by
+ sysnet_dns_name_resolve()
+ Changes to the virt policy module
+ Changes to the apache policy module
+ Changes to the gnome policy module
+ Changes to the rdisc policy mpdule
+ Changes to the readahead policy module
+ Changes to the remotelogin policy module
+ Tab clean up in the resmgr file context file
+ Changes to the resmgr policy module
+ Tab clean up in the rgmanager file context file
+ Changes to the rgmanager policy module
+ Initial Realmd policy module and relevant dependencies
+ Fix resmgrd init script file context specification
+ Changes to the cups policy module
+ automount reads overcommit_memory
+ Changes to the networkmanager policy module
+ Freshclam manages amavis spool content
+ Changes to the tftp policy module
+ Changes to the cobbler policy module
+ Tab clean up in the rhcs file context file
+ Changes to the rhcs policy module and relevant dependencies
+ Tab clean up in the rhgb file context file
+ Changes to the rhgb policy module
+ Tab clean up in the rhsmcertd file context file
+ Changes to the rhsmcertd policy module
+ Tab clean up in the ricci file context file
+ Changes to the ricci policy module
+ Tab clean up in the rlogin file context file
+ Changes to the rlogin policy module
+ Tab clean up in the roundup file context file
+ Changes to the roundup policy module
+ Changes to the remotelogin policy module
+ Changes to the apache policy module
+ Changes to the awstats policy module
+ fix puppet_admin() need to require types that it uses
+ Replace wrong type in puppet_admin()
+ Fix a syntax error in ricci_domtrans()
+ Catch all rpcbind content in /var/run
+ Changes to the cups policy module
+ Tab clean up in the rpc file context file
+ Changes to the rpc policy module
+ Tab clean up in the rpcbind file context file
+ Changes to the rpcbind policy module
+ Tab clean up in the rpm file context file
+ Changes to the rpm policy module and depedencies
+ Changes to the rshd policy module
+ Changes to the virt policy module
+ Changes to the rssh policy module
+ Tab clean up in the rsync file context file
+ Fix a typo in apache XML
+ Changes to the rsync policy module
+ Changes to the rtkit policy module
+ Tab clean up in the rwho file context file
+ Changes to the rwho policy module
+ Reads /proc/sys/kernel/random/poolsize
+ Tab clean up in the samba file context file
+ Changes to the samba policy module and relevant dependencies
+ Tab clean up in the sambagui file context file
+ Changes to the sambagui policy module
+ Initial firewallgui policy module
+ Tab clean up in the samhain file context file
+ Changes to the samhain policy module
+ Tab clean up in the sanlock file context file
+ Changes to the sanlock policy module and relevant dependencies
+ Tab clean up in the sasl file context file
+ Changes to the sasl policy module
+ Chnages to the sblim policy module
+ Tab clean up in the screen file context file
+ Changes to the screen policy module
+ Tab clean up in the sectoolm file context file
+ Changes to firewallgui policy module
+ Changes to the sectoolm policy module
+ Tab clean up in the sendmail file context file
+ Changes to the sendmail policy module and relevant dependencies
+ Tab clean up in the setroubleshoot file context file
+ Changes to the setroubleshoot policy module
+ Tab clean up in the shorewall file context file
+ Changes to the shorewall policy module
+ Tab clean up in the shutdown file context file
+ Changes to the shutdown policy module and relevant dependencies
+ Tab clean up in the slocate file context file
+ Changes to the slocate policy module and relevant dependencies
+ These domains transition to shutdown domain now so they no longer need
+ direct access
+ Re-add missing network rule in screen policy module
+ fail2ban server sets scheduler
+ shutdown XML clean up
+ libvirtd sets kernel scheduler
+ mongod reads cpuinfo_max_freq
+ Changes to the slrnpull policy module
+ Tab clean up in the smartmon file context file
+ Changes to the smartmon policy module
+ Tab clean up in the smokeping file context file
+ Changes to the smokeping policy module
+ Tab clean up in the smoltclient file context file
+ Changes to the smoltclient policy module
+ Tab clean up in the snmp file context file
+ Changes to the snmp policy module
+ Tab clean up in the snort file context file
+ Changes to the snort policy module
+ Changes to the sosreport policy module and relevant dependencies
+ Tab clean up in the soundserver file context file
+ Changes to the soundserver policy module
+ Tab clean up in the spamassassin file context file
+ Changes to the spamassassin policy module and relevant dependendies
+ spamassassin_role callers create ~/.spamd with the spamd_home_t user
+ home type instead
+ Re-add sys_admin capability that was lost with porting from Fedora
+ Move mailscanner content to mailscanner module
+ Changes to the speedtouch policy module
+ Tab clean up in the squid file context file
+ Changes to the squid policy module
+ Changes to the sssd policy module
+ Tab clean up in the stunnel file context file
+ Changes to the stunnel policy module
+ Tab clean up in the sxid file context file
+ Changes to the sxid policy module
+ Tab clean up in the sysstat file context file
+ Changes to the sysstat policy module
+ Tab clean up in the tcpd file context file
+ Changes to the tcpd policy module
+ Changes to the tcsd policy module
+ Tab clean up in the telepathy file context file
+ Changes to the telepathy policy module
+ Tab clean up in the telnet file context file
+ Changes to the telnet policy module
+ Tab clean up in the tftp file context file
+ Changes to the tftp policy module
+ Tab clean up in the tgtd file context file
+ Changes to the tgtd policy module
+ Tab clean up in the thunderbird file context file
+ Changes to the thunderbird policy module
+ Catch /var/log/cron directory as well
+ Dovecot module version bump for fixes by Sven Vermeulen
+ Portage module version bump for fixes by Sven Vermeulen
+ Cron module version bump for fixes by Sven Vermeulen
+ Changes to the exim policy module
+ Entropyd reads /proc/meminfo
+ Blueman reads tmp_t directories
+ Do not audit attempts by cups config to read tmp_t directories
+ Do not audit attempts by fail2ban to read tmp_t directories
+ Do not audit attempts by firewalld to read tmp_t directories
+ Gnomeclock reads urandom and realtime clock
+ Kdumpctl needs sys_chroot capability
+ Various kdumpgui fixes from Fedora
+ Do not audit attempts by logwatch to read tmp_t directories
+ Catch all alias files
+ Refine aliases file transition with names
+ Realmd dbus chat policykit and networkmanager from Fedora
+ Do not audit attempts by tuned to read tmp_t directories
+ Changes to the timidity policy module
+ Tab clean up in the tmpreaper file context file
+ Changes to the tmpreaper policy module and relevant dependencies
+ Tab clean up in the tor file context file
+ Changes to the tor policy module
+ Changes to the transproxy policy module
+ Tab clean up in the tripwire file context file
+ Changes to the tripwire policy module
+ Tab clean up in the tuned file context file
+ Changes to the tuned policy module
+ Tab clean up in the tvtime file context file
+ Changes to the tvtime policy module
+ Changes to the tzdata policy module
+ Changes to the ucspitcp policy module
+ Tab clean up in the ulogd file context file
+ Changes to the ulogd policy module
+ Tab clean up in the uml file context file
+ Changes to the uml policy module
+ Make it so that irc clients can also get attributes of cifs, nfs, fuse
+ and other file systems
+ Changes to the updfstab policy module
+ Changes to the uptime policy module
+ Tab clean up in the usbmodules file context file
+ Changes to the usbmodule policy module
+ Changes to the usbmuxd policy module
+ Tab clean up in the userhelper file context file
+ Screen sends child terminated signals to all interactive fd domains
+ Changes to the userhelper policy module and relevant dependencies
+ Changes to the virt policy module
+ Module version bump for fail2ban changes by Sven Vermeulen
+ Changes to the rpm policy module
+ fix smartmon init script file context specification
+ Changes to the usernetctl policy module
+ Tab clean up in the uucp file context file
+ Changes to the uucp policy module
+ Changes to the virt policy module
+ Tab clean up in the uuid file context file
+ Changes to the uuidd policy module
+ Tab clean up in the uwimap file context file
+ Changes to the uwimap policy module
+ Tab clean up in the varnishd file context file
+ Changes to the varnishd policy module
+ Changes to the vbetool policy module
+ Tab clean up in the vdagent file context file
+ Changes to the vdagent policy module
+ Tab clean up in the vhostmd file context file
+ Changes to the vhostmd policy module
+ Changes to the vlock policy module
+ Tab clean up in the vmware file context file
+ Changes to the vmware policy module
+ Tab clean up in the vnstatd file context file
+ Changes to the vnstatd policy module
+ Tab clean up in the vpn file context file
+ Changes to the vpnc policy module
+ Tab clean up in the w3c file context file
+ Changes to the w3c policy module
+ Tab clean up in the watchdog file context file
+ Changes to the watchdog policy module
+ Changes to the wdmd policy module
+ Changes to the webadm policy modules
+ Changes to the webalizer policy module
+ White space fix in apache policy module
+ Changes to the wine policy module
+ Tab clean up in the wireshark file context file
+ Changes to the wireshark policy module
+ Tab clean up in the wm file context file
+ Changes to the wm policy module
+ Changes to the inn policy module
+ Move man cache file type to miscfiles
+ Changes to the inn policy module
+ More accurate dbadm boolean descriptions
+ mysql_admin() has access to ~/.my.cnf files
+ Tab clean up in the xen file context file
+ Changes to the xen policy module and relevant dependencies
+ Tab clean up in the xfs file context file
+ Changes to the xfs policy module
+ Changes to the xguest policy module and relevant dependencies
+ Changes to the xprint policy module
+ Changes to the xscreensaver policy module
+ Tab clean up in the yam file context file
+ Changes to the yam policy module
+ Tab clean up in the zabbix file context file
+ Changes to the zabbix policy module
+ Tab clean up in the zarafa file context file
+ Changes to the zarafa policy module
+ Tab clean up in the zebra file context file
+ Changes to the zebra policy module
+ Changes to the zosremote policy module
+ Changes to the mysql policy module
+ Tab clean up in the pulseaudio file context file
+ Changes to the pulseaudio policy module and relevant dependencies
+ Changes to the pulseaudio policy module
+ One chown too many
+ Changes to the mplayer policy module
+ The prelink cron script now runs in its own domain
+ Initial smstools policy module
+ Initial openvswitch policy module and relevant dependencies
+ Reads pcsd pid files
+ Reads random device
+ winbind manages smbd pid sock files from Fedora
+ Changes to the bind policy module
+ CG rules daemon reads all sysctls
+ Runs consoletype and searches nfs state data from Fedora
+ Support munin unbound plugin from Fedora
+ Zabbix sends signals from Fedora
+ Blueman sets scheduler and sends signals from Fedora
+ pcscd_read_pub_files is deprecated, use pcscd_read_pid_files instead
+ Module version bumps for fixes in portage and virt modules by Sven
+ Vermeulen
+ Policy module version bumps for various changes by Sven Vermeulen
+ Changes to the openvpn policy module
+ Module version bumps for various fixes by Sven Vermeulen
+ Changes to the mandb policy module
+ Changes to the tmpreaper policy module
+ Changes to the munin policy module
+ Changes to the rngd policy module
+ Changes to the awstats policy module and relevant dependencies
+ Changes to the apache policy module
+ Changes to various policy modules
+ Changes to the abrt policy module
+ Changes to the passenger policy module and relevant depedencies
+ Changes to the pegagus policy module
+ Changes to the mta policy module
+ Changes to the fetchmail policy module
+ Changes to the bitlbee policy module
+ Changes to the blueman policy module and relevant dependencies
+ Changes to the amavis policy module
+ Changes to the userhelper policy module
+ Changes to the blueman policy module
+ Changes to the squid policy module
+ Changes to the sblim policy module
+ Changes to the kdumpgui policy module
+ Changes to the mailman policy module
+ Changes to the realmd policy module
+ Changes to the raid policy module
+ Changes to the samba policy module
+ Changes to the various policy modules
+ Changes to the snmp policy module
+ Changes to the spamassassin policy module
+ Changes to the sssd policy module
+ Changes to the l2tpd policy module
+ Changes to the shorewall policy module
+ Changes to the xen policy module
+ Changes to the tftp policy modules
+ Changes to the accountsd policy module
+ Changes to the tgtd policy module
+ Changes to the corosync policy module
+ Changes to the kdump policy module
+ Changes to the openvswitch policy module
+ Changes to the mpd policy module
+ Changes to the mozilla policy module
+ Changes to the zarafa policy module
+ Changes to the boinc policy module
+ Changes to the setroubleshoot policy module
+ Changes to the dspam policy module
+ Changes to the rgrmanager policy module and relevant dependencies
+ Changes to the svnserve policy module
+ Changes to the virt policy module
+ Changes to the prelink policy module
+ Changes to the apache policy module
+ Changes to the gnomeclock policy module
+ Changes to various policy modules
+ Changes to the pegagus policy module
+ Changes to the shorewall policy module
+ Changes to the kerberos policy module
+ Changes to the rhcs policy module
+ Changes to the irc policy module
+ Changes to the clamav policy module
+ Changes to the mrtg policy module
+ Changes to the munin policy module
+ Changes to the amavis policy module
+ Changes to the ppp policy module
+ Initial jockey policy module
+ Module version bumps for "several named transition for directories
+ created in /var/run by initscripts" in various modules by Laurent
+ Bigonville
+ Module version bumps for fixes in various modules by Laurent Bigonville
+ Module version bump for changes to the consolekit policy module by
+ Laurent Bigonville
+ Changes to the stunnel policy module
+ Module version bumps for fixes in various modules by Sven Vermeulen
+ Changes to the virt policy module
+ Changes to the apache policy module
+ Changes to the wm policy module
+ Changes to the samba policy module
+ Changes to the certmonger policy module
+ Changes to the mozilla policy module
+ Changes to the corosync policy module
+ Changes to the pacemaker policy module
+ Changes to the tuned policy module
+ Changes to the cups module and relevant dependencies
+ Changes to the rhsmcertd policy module
+ Changes to the lpd policy module
+ Changes to the munin policy module
+ Changes to the ntp policy module
+ Changes to the tor policy module
+ Changes to the firewalld policy module
+ Changes to the dspam policy module
+ Changes to the setroubleshoot policy module
+ Changes to the condor policy module
+ Changes to the kerberos policy module
+ Changes to the passenger policy module
+ Changes to the ppp policy module
+ Changes to the the dkim policy module
+ Changes to the abrt policy module
+ Changes to the lircd policy module
+ Changes to the dkim policy module
+ Changes to the virt policy module
+ Changes to the munin policy module
+ Changes to the dovecot policy module
+ Changes to the cobbler policy module
+ Changes to the userhelper policy module
+ Changes to the logwatch policy module
+ Changes to the wdmd policy module and relevant dependencies
+ Changes to the nscd policy module and relevant dependencies
+ Changes to the dbus policy module
+ Module version bumps for fixes in various policy modules by Laurent
+ Bigonville
+ Changes to the cups policy module
+ Changes to the dbus policy module
+ Changes to the apcupsd policy module
+ Remove redundant net_bind_service capabilities in various modules
+ Changes to the virt policy module
+ Changes to the puppet policy module
+ Module version bumps for fixes in various policy module by Sven
+ Vermeulen
+ Module version bumps for file context fixes in various policy modules by
+ Laurent Bigonville
+ Make httpd_manage_all_user_content() do what it advertises
+ Add more networking rules to mplayer policy module for compatibility
+ Fix fcronsighup file context. Should be crontab_exec_t as per previous
+ spec
+ Module version bumps for changes in various modules by Sven Vermeulen
+ Move asterisk_exec() and modify XML header
+ Consolekit creates /var/run/console directories with a type transition
+ unconditionally
+ Module version bump in consolekit policy module for changes by Sven
+ Vermeulen
+ The imaplogin executable file should be courier_pop_exec_t according to
+ existing file context specification
+ Module version bump for changes to the fail2ban policy module by Sven
+ Vermeulen
+ Modules version bumps for changes in various policy modules by Sven
+ Vermeulen
+
+Laurent Bigonville (28):
+ Add Debian locations for Telepathy connection managers
+ Label telepathy-rakia as telepathy-sofiasip
+ Allow smartd daemon to write in /var/lib/smartmontools directory
+ Add Debian location for smartd daemon initscript
+ Add Debian location for accounts-daemon daemon
+ Add Debian location for rtkit-daemon daemon
+ Add Debian location for tcsd init script
+ Add Debian location for libvirtd init script
+ Add Debian location for evolution executables
+ Add Debian locationis for nut executables and configuration files
+ Add several named transition for directories created in /var/run by
+ initscripts
+ Run packagekit under apt_t context on Debian distribution
+ Add proper label for colord daemon in debian
+ Allow the system dbus to search cgroup directories
+ Allow virtd_t context to read sysctl_crypto_t
+ Allow colord_t context to read sysctl_crypto_t
+ Add proper label for gconfd-2 daemon in Debian
+ Ensure that consolekit can create /var/run/console directory on Debian
+ Properly label nm-dispatcher.action on Debian
+ policykit.fc: Properly label polkit-agent-helper-1 on Debian
+ cups.fc: Properly label cups-pk-helper-mechanism on Debian
+ Allow pcscd the fsetid capability
+ Allow networkmanager_t to read crypto_sysctl_t
+ Allow virsh_t context to read sysctl_crypto_t
+ Allow cupsd_t to read cupsd_log_t
+ gnomeclock.fc: Properly label gsd-datetime-mechanism in Debian
+ ptchown.fc: Properly label pt_chown executable in Debian
+ Label /usr/bin/kvm as qemu_exec_t
+
+Matthew Thode (2):
+ added autofs support and nsswitch support
+ removing refrences to named_var_lib_t as it doesn't exist anymore for
+ bind.if
+
+Mika Pflüger (3):
+ Allow saslauthd_t to talk to mysqld via TCP
+ Quota policy adjustments: * Allow quota_t to load kernel modules
+ Debian locations for dovecot deliver and dovecot auth.
+
+Russell Coker (1):
+ Fix djbdns ports
+
+Sven Vermeulen (75):
+ Update with new substitutions
+ Mark the pid directory as a pid directory
+ Add in transitions for queue types when the queues are created
+ Fix typo in interface postfix_exec_postqueue
+ Allow maildelivery to use dotlock files in the mail spool
+ Allow postfix local to change ownership of mailfiles
+ Use libexec location for postfix binaries
+ Allow initrc_t to create run dirs for contrib modules
+ Update logwatch location in file context
+ Sandbox is an inherent part of the portage inner workings
+ Fix startup issue with fail2ban-client
+ Be able to get output from fail2ban-client
+ Ignore searches when ran from the user home directory
+ Shorewall admins execute shorewall too
+ Shorewall needs sys_admin capability for manipulating network stack
+ Be able to display dovecot errors
+ Remove transition to ldconfig
+ Adding interfaces for handling cron log files
+ Fail2ban client checks state of log files before telling the server
+ Support mysql init script
+ Support initial creation of mysql database files
+ Portage fetch domain needs to access certificates
+ Make samba domtrans optional in virt
+ Fix typo in tunable declaration for fcron_crond
+ Introducing cron_manage_log_files interface
+ Introduce dontaudit interfaces for leaked fd and unix stream sockets
+ Dontaudit attempts by system_mail_t to use leaked fd or stream sockets
+ Support at service
+ Additional postfix admin requirements
+ Reintroduce postfix_var_run_t for pid directory and fowner capability
+ Postfix deferred queue should not mark mails as postfix_spool_maildrop_t
+ Running qemu with SDL support requires more xserver-related privileges
+ Fix typo in clockspeed comment
+ Support openvpn status file
+ Asterisk voicemail messages are generated from tmp
+ Make rtkit calls optional
+ Gentoo installs dovecot certs in /etc/ssl/dovecot
+ Moving sandbox code to sandbox section (v2)
+ Allow sandbox to log violations
+ Use rw_fifo_file_perms
+ Apache should not depend on gpg
+ Named init script creates rundir
+ Add ~/.maildir as a valid maildir destination
+ Support stunnel_read_config for startup
+ Updates on stunnel policy
+ More .maildir fixes
+ Mark make.profile entry as portage_conf_t (v2)
+ Move mta call (coding style)
+ Changes to puppet domain
+ Allow rpc admin to run exportfs
+ Grant sys_admin capability to puppet
+ Puppet module helper scripts are puppet_var_lib_t
+ Support netlink_route_socket creation for puppet
+ Puppet initscript creates /run/puppet
+ Puppet runs statfs against selinuxfs
+ mplayer streams HTTP resources
+ fcron and fcronsighup binaries are moved
+ Asterisk needs to search through logs
+ Denial in mail log on node bind
+ Fix typo in mcelog_admin (missing bracket)
+ Add in contexts for fcron rm.systab and systab.tmp
+ Remove pulseaudio filename_trans conflict
+ Allow asterisk admins to execute asterisk binary directly
+ Support tagfiles for consolekit
+ ConsoleKit needs to read the dbus machine-id
+ File context updates for courier-imap
+ Update on file contexts for OpenLDAP
+ Update on file contexts for wpa_supplicant
+ Allow IRC clients to read certificates
+ Allow reading /proc/self for fail2ban due to FAM support
+ Update file contexts for puppet
+ Support ~/.tmux.conf as tmux configuration file
+ Add setuid/setgid capability to ulogd_t
+ Support tmux control socket
+ Postfix creates defer(red) queue locations
+