Diffstat (limited to 'Changelog.contrib')
-rw-r--r--[l---------] | Changelog.contrib | 2211 |
1 files changed, 2210 insertions, 1 deletions
diff --git a/Changelog.contrib b/Changelog.contrib index 452cbbb1..1596ba77 120000..100644 --- a/Changelog.contrib +++ b/Changelog.contrib @@ -1 +1,2210 @@ -policy/modules/contrib/Changelog
\ No newline at end of file +* Sun Jan 14 2018 Chris PeBenito <pebenito@ieee.org> - 2.20180114 +Chad Hanson (1): + Allow rpm to relabel files at all levels + +Chris PeBenito (46): + Remove deprecated interfaces more than one year old. + Remove complement and wildcard in allow rules. + Merge branch 'master' of git://github.com/teg/refpolicy-contrib + dbus: Module version bump for dbus-broker patch from Tom Gundersen. + Module version bump for patches from Guido Trentalancia. + Module version bumps for patches from David Sugar. + dhcp, logrotate: Module version bump. + Module version bumps for chkrootkit, dkim, dmidecode, portage, and + rkhunter. + Module version bumps. + spamassassin: Move lines. + mandb, spamassassin: Module version bumps. + spamassassin: Fix build error. + spamassassin: Add missing requirement in spamassassin_admin(). + dphysswapfile: Module version bump. + gpg, pulseaudio, rpc: Module version bump. + dnsmasq, gnome, mon, mta, openoffice, pulseaudio, wm: Version bumps. + Revert "postfix: Some table drivers (notably cdb) need to mmap() their + databases" + java, mozilla, mta, postfix: Module version bump. + portage: Fix usr_t map interface usage. + apache, portage: Module version bump. + dbus, policykit, wm: Module version bump. + dbus: Add comment. + Merge branch 'nm_audit' of git://github.com/bigon/refpolicy-contrib + networkmanager: Module version bump. + virt: Move a line. + alsa, mon, virt: Module version bump. + gpg, mozilla, rpc: Module version bump. + Several module version bumps. + blueman, evolution, gpg, mozilla, openoffice, thunderbird, wireshark, wm: + Module version bump. + wm: Module version bump. + networkmanager: Move line. + networkmanager: Module version bump. + Merge branch 'pkcs' of https://github.com/dodys/refpolicy-contrib + pkcs: Rename pkcs_slotd_unit_file_t. + pkcs: Module version bump. + accountsd, policykit: Module version bump. + dbus, devicekit, modemmanager, networkmanager, virt: Module version bump. 
+ modemmanager: Move lines. + rpm: Module version bump. + cachefilesd, dbus, dirmngr, gnome, gpg, pulseaudio: Module version bump. + Replace deprecated mmap perm sets and pattern usage. + gssproxy: Module version bump. + monit: Module version bump. + apache, dkim, monit: Module version bump. + spamassassin: Module version bump. + Bump module versions for release. + +Christian Göttsche (20): + dkim: align filecontexts + dkim: update + milter: align filecontexts + apache: align filecontexts + dmidecode: use userdom_use_inherited_user_terminals + spamassassin: align filecontexts + chkrootkit: update + rkhunter: add several missing permission + fakehwclock: update + milter: update + mandb: fixes for systemd timer and /usr/local/man label + spamassassin: update + dphysswapfile: fix swapfile creation + apache: update + monit: update + dkim: align file contexts + dkim: update + apache: update + monit: read /usr/share/ca-certificates for cert verification + spamassassin: fix missing perms + +Daniel Jurgens (1): + networkmanager: Grant access to unlabeled PKeys + +David Sugar (5): + mon: move rpc_* into optional + wm: consolidate networkmanger interface calls into single optional + cron: optional_policy for mta_* interfaces + Label /usr/bin/mutter + Allow to read /proc/sys/crypto/fips_enabled + +Eduardo Barretto (2): + Update pkcs policy to include pkccsslotd.service + Update missing permissions for pkcs + +Guido Trentalancia (13): + libmtp: read symlinks in user home directories + spamassassin: update rules for the Bayesian classifier trainer + wm: let gnome-shell start properly + gnome: keyring daemon dbus policy update + gnome: keyring daemon read SELinux config + openoffice: improve temporary directories' operations + pulseaudio: general update + wm: gnome-shell SELinux integration + mozilla: run Java Web Start applications + wm: run PolicyKit + dbus: read user home content files + mozilla: read generic SSL certificates + contrib: use the new SSL private keys type (was: 
"let the mozilla and + other domains read generic SSL certificates") + +Jason Zaman (12): + cgmanager: Apply auth_use_nsswitch interface + alsa: needs to map its tmpfs files + virt: add policy for virtlogd + virt: updated perms for starting guests + gssproxy: add policy + rpc: Allow stream connect to gssproxy + gpg: search dir when connecting to agent socket + dirmngr: allow filetrans in gpg_runtime_t + gpg: Add gpg_agent_use_card boolean for OpenPGP cards + cachefilesd: make cachefilesd_cache_t a mountpoint + Set user_runtime_content_type for all remaining types in /run/user/%{UID}/ + gssproxy: allow writing kerberos rcache + +Jason Zaman via refpolicy (3): + pulseaudio: Add neccessary map permissions + gpg: add fcontexts for user runtime sockets + rpc: add sm-notify pid fcontext + +Laurent Bigonville (2): + Allow NetworkManager to write to audit + Call systemd_write_inherited_logind_inhibit_pipes() where needed + +Luis Ressel (12): + portage: Allow portage_t and portage_sandbox_t to access locale_t + postfix: Some table drivers (notably cdb) need to mmap() their databases + portage: Grant the map permissions neccessary for git and install + alsa: alsactl needs to map its configuration + mozilla: Add neccessary map permissions + mandb: man-db needs to map its 'index.db' cache + portage: Remove nonsensical dontaudit of an allowed permission + portage: Transition to ldconfig_t when calling ldconfig + postfix: Some table drivers (notably cdb) need to mmap() their databases + postfix: Silence cap_dac_read_search denials + portage: Grant portage the map permission on usr_t + Allow gtk apps to map usr_t files + +Nicolas Iooss (2): + dbus: move comments out of the file context definitions + logrotate: allow systemd to start logrotate + +Russell Coker (3): + udev and dhcpd + minor nspawn, dnsmasq, and mon patches + refpolicy and certs + +Tom Gundersen (1): + dbus: add policy for dbus-broker + +* Sat Aug 05 2017 Chris PeBenito <pebenito@ieee.org> - 2.20170805 +Chris 
PeBenito (82): + Create / to /usr equivalence for bin, sbin, and lib, from Russell Coker. + Module version bump for usrmerge FC fixes from Jason Zaman. + mon policy from Russell Coker. + Module version bump for cups patches from Guido Trentalancia. + Module version bump for tbird and mozilla printing from Guido + Trentalancia. + Revert "cups/lpd: read permission for cupsd_var_run_t socket files" + Module version bump for cups revert. + Sort capabilities permissions from Russell Coker. + Little misc patch from Russell Coker. + mon: Fix deprecated interface usage. + dpkg: Updates from Russell Coker. + Monit policy from Russell Coker and cgzones. + monit: Fix build error. + fetchmail, mysql, tor: Misc fixes from Russell Coker. + Merge branch 'alsa_module' of git://github.com/cgzones/refpolicy-contrib + Merge branch 'vnstat_module' of git://github.com/cgzones/refpolicy-contrib + Module version bump for alsa and vnstatd fixes from cgzones. + Merge branch 'ntp_module' of git://github.com/cgzones/refpolicy-contrib + Module version bump for ntp fixes from cgzones. + samba: A few line moves. + Module version bump for samba patch from Russell Coker. + Systemd fixes from Russell Coker. + Xen fixes from Russell Coker. + mailman: Fixes from Russell Coker. + MTA fixes from Russell Coker. + Network daemon patches from Russell Coker. + apache: Fix CI error. + Merge branch 'modutils_adapt_interfaces' of + git://github.com/cgzones/refpolicy-contrib + Merge branch 'corecmd_read_bin_symlinks' of + git://github.com/cgzones/refpolicy-contrib + Module version bumps for fixes from cgzones. + Merge branch 'mandb' of git://github.com/cgzones/refpolicy-contrib + Merge branch 'dphysswapfile' of git://github.com/cgzones/refpolicy-contrib + Module version bump for dphysswapfile and mandb fixes from cgzones. 
+ Merge branch 'var_run_filecontext' of + git://github.com/cgzones/refpolicy-contrib + Merge branch 'vnstatd' of git://github.com/cgzones/refpolicy-contrib + Module version bump for fixes from cgzones. + dontaudit net_admin for SO_SNDBUFFORCE + /var/run -> /run again + Merge branch 'monit' of git://github.com/cgzones/refpolicy-contrib + Module version bump for monit patch from cgzones. + systemd-resolvd, sessions, and tmpfiles take2 + Misc fc changes from Russell Coker. + Systemd-related changes from Russell Coker. + networkmanager: adjust interface docs format. + wm: interface docs adjustment. + Module version bump for misc fixes from Guido Trentalancia. + systemd init from Russell Coker + misc daemons from Russell Coker. + logging patches from Russell Coker + kmod, lvm, brctl patches from Russell Coker + devicekit, mount, xserver, and selinuxutil from Russell Coker + some userdomain patches from Russell Coker + Module version bump for gnome fix from Guido Trentalancia. + apache: Move blocks. No rule changes. + Module version bump for changes from Sven Vermeulen and Guido + Trentalancia. + login take 4 from Russell Coker. + Rename apm to acpi from Russell Coker. + Module version bump for patches from Russell Coker. + some little misc things from Russell Coker. + apt/dpkg strict patches from Russell Coker. + Module version bump for minor fixes from Guido Trentalancia. + Merge branch 'usr_bin_fc' of + git://github.com/fishilico/selinux-refpolicy-contrib + Module version bump for /usr/bin fc fixes from Nicolas Iooss. + Module version bump for chronyd changes from Luis Ressel. + openoffice: Move ooffice_rw_tmp_files() implementation. + Module version bump for openoffice fix from Guido Trentalancia. + libmtp: move lines + Module version bump for fixes from Guido Trentalancia. + Module version bump for mmap fixes from Stephen Smalley. + Module version bump for misc patches from Guido Trentalancia. + gpg: Fix overspecified dependencies in gpg_agent_tmp_filetrans. 
+ dirmngr: Whitespace fixes. + Module version bumps for patches from Jason Zaman. + cgmanager: Move lines + Module version bumps for patches from Jason Zaman. + gpg: Module version bump for patch from Guido Trentalancia. + mozilla: Module version bump for patch from Luis Ressel. + rkhunter: Fix module version and move lines. + Module version bump for patches from cgzones. + chkrootkit: Fix module version. + Module version bump for patches from cgzones. + Bump module versions for release. + +Guido Trentalancia (28): + cups: read permission for cupsd_var_run_t socket files in + cups_stream_connect() + cups/lpd: read permission for cupsd_var_run_t socket files + thunderbird: allow stream connections to cups so that it can print + mozilla: allow stream connections to cups so that it can print + java: enable interactive use + evolution: add dbus acquire service permission + evolution: do not audit kernel read state + evolution: add some critical permissions + mozilla: read hardware state information + mozilla: add a permission + wm: load the NetworkManager applet + wm: interactive start + Gnome and Evolution dbus chat permissions + openoffice: support starting it from the window manager + evolution: minor fixes and updates + java: error messages terminal printout + loadkeys: use init fds (system bootup) + plymouth: pid interface usability + shutdown: send msg to syslog + openoffice: open files retrieved using mozilla + contrib: new libmtp module + openoffice: minor update + gnome: improved integration with openoffice + cups: let hplip read udev pid files + dbus: let session bus daemon manage user runtime dirs + zabbix: Grant zabbix_agent_t to call setrlimit on self + ntp: fix the drift file context and transition + gpg: manage user runtime socket files and directories + +Jason Zaman (12): + usrmerge: Add missed /usr fcontexts + java: update fcontexts for new versions of icedtea + dirmngr: add to roles and allow gpg to domtrans + gpg dirmngr: create and connect to socket 
+ dirmngr: fcontext for ~/.gnupg/crls.d/ + dirmngr: Network rules to connect to keyserver + cgmanager: add policy from gentoo + consolekit: Add support for consolekit2 + consolekit: allow purging tmp + consolekit: introduce consolekit_use_inhibit_lock interface + dbus: use consolekit inhibit locks + networkmanager: use consolekit inhibit locks + +Luis Ressel (3): + chronyd: Re-align fc file + chronyd: Allow init scripts to create /run/chrony + mozilla: Add fc for the files used by the firefox addon "vimperator" + +Nicolas Iooss (1): + Support systems with a single /usr/bin directory + +Russell Coker (1): + patch for samba + +Stephen Smalley (1): + contrib: allow map permission where needed + +Sven Vermeulen (1): + rpc_* interfaces should be wrapped by optional_policy() + +cgzones (16): + update ntp module + update alsa module + vnstatd: update module + corecmd_read_bin_symlinks(): remove deprecated and redundant calls + modutils: adopt calls to new interfaces + vnstatd: update + dphysswapfile: update + monit: update + mandb: update + logrotate: reload monit after log rotation + remove /var/run file context lefovers, add dbus exception + monit: add syslog access and support for monit systemd service + rkhunter: add policy module + arpwatch: align file contexts + chkrootkit: add policy module + arpwatch: update + +* Sat Feb 04 2017 Chris PeBenito <pebenito@ieee.org> - 2.20170204 +Chris PeBenito (41): + Module version bump for patches from Jason Zaman. + authbind: Remove dead policy. + Module version bump for cups patch from Guido Trentalancia. + Merge pull request #29 from cgzones/deprecated_macros + Module version bump for Debian fprintd fc entry from Laurent Bigonville. + Module version bumps for openoffice patches from Guido Trentalancia. + Module version bumps for patches from Guido Trentalancia. + Merge pull request #30 from cgzones/trailing_whitespaces + Module version bumps for mozilla and gpg patches from Luis Ressel. 
+ Module version bump for patches from Guido Trentalancia. + Module version bump for patches from Guido Trentalancia. + rtkit, wm: Remove calls to nonexistant interfaces. + Module version bumps for patches from Guido Trentalancia. + rtkit: enable dbus chat with xdm + Module version bump for patches from Guido Trentalancia. + Module version bump for xscreensaver patch from Guido Trentalancia. + Merge branch 'run_transition' of + git://github.com/cgzones/refpolicy-contrib + Module version bumps for /run fc changes from cgzones. + Module version bump for openoffice and wm patches from Guido Trentalancia. + Module version bump for patches from Guido Trentalancia. + Module version bump for wm patch from Guido Trentalancia. + Merge branch 'usr-fc' of + git://github.com/fishilico/selinux-refpolicy-contrib + Module version bump for fc updates from Nicolas Iooss. + Module version bump for patches from Guido Trentalancia. + Module version bump for capability2 fixes from Guido Trentalancia. + Module version bump for plymouth fix from Guido Trentalancia. + boinc: Update from Russell Coker. + Module version bump for mozilla update from Guido Trentalancia. + Merge pull request #47 from cgzones/dphysswap_module + Merge pull request #40 from cgzones/fakehwclock_module + Merge branch 'gpg_module' of git://github.com/cgzones/refpolicy-contrib + Merge branch 'irqbalance_module' of + git://github.com/cgzones/refpolicy-contrib + Merge branch 'loadkeys_module' of + git://github.com/cgzones/refpolicy-contrib + Module version bumps for patches from cgzones. + Merge branch 'exim_module' of git://github.com/cgzones/refpolicy-contrib + Merge branch 'screen_module' of git://github.com/cgzones/refpolicy-contrib + Module version bump for screen and exim changes from cgzones. + screen: Revert broken interface call. + cups: Move hplip_domtrans interface. + Module version bump for cups patch from Guido Trentalancia. + Bump module versions for release. 
+ +Dominick Grift (1): + Re-add raid fc spec that must have been removed earlier by mistake + +Guido Trentalancia (29): + cups: descend "rw" directories when reading configuration files + Apache OpenOffice module (contrib policy part) + openoffice: rename two interfaces in openoffice and evolution + mozilla: extend dbus connection permissions + openoffice: permission to read user temporary files + xguest: restrict ability to execute files on noxattr filesystems + pulseaudio: update server and client permissions + mozilla: remove redundant pulseaudio interface calls + networkmanager: read user certs not user content (was enable + userdom_read_user_certs() throughout the policy) + Make several calls to mta interfaces optional + wm: update the window manager (wm) module and enable its role template + (v7) + rtkit: enable dbus chat with xdm + networkmanager: enable dbus chat with xdm + policykit: enable dbus chat with xdm + games: general update and improved pulseaudio integration + wm: improved integration with games + xscreensaver: update the module so that it can be effectively used + wm: properly set domain entrypoint in wm_application_domain() + openoffice: add writer support for sending email directly to multiple + recipients + contrib: use new genhomedircon template for username + contrib: extend wm ability to launch confined graphical applications + contrib: support the new interface to manage X session logs + networkmanager: dbus chat with cups + cups: add cups-browsed executable fc + devicekit: add new wake_alarm permission (capability2) + networkmanager: add new wake_alarm permission (capability2) + plymouth: use the correct running domain for the client + mozilla: execute evolution to send emails + cups: new interface to execute HPLIP applications in their own domain + +Jason Zaman (4): + pcscd: dbus and domain lookup + devicekit: fcontext for udisks2 + gnome: add gkeyring rules and fcontext + gpg: add new socket paths + +Laurent Bigonville (1): + Add 
debian path for fprintd daemon + +Luis Ressel (3): + gpg: Add filetrans for scdaemon socket and gpg-agent extra sockets + gpg.fc: Adjust whitespace + mozilla: Add miscfiles_dontaudit_setattr_fonts_cache_dirs() + +Nicolas Iooss (1): + Add file contexts for files in /usr/{lib,sbin} + +cgzones (10): + use domain_auto_transition_pattern instead of domain_auto_trans + remove trailing whitespaces + transition file contexts to /run + update loadkeys module + add fakehwclock module + add dphysswapfile module + update gpg module + update screen module + update irqbalance module + update exim module + +* Sun Oct 23 2016 Chris PeBenito <pebenito@ieee.org> - 2.20161023 +Adam Tkac (2): + varnishncsa (varnishlog_t) reads localization files + Grant certmonger "chown" capability + +Chris PeBenito (42): + Merge branch 'bigon-geoclue' + Add additional comments in geoclue. + Merge branch 'bigon-virt-1' + Merge branch 'nm-1' of git://github.com/bigon/refpolicy-contrib into + bigon-nm-1 + Merge branch 'bigon-nm-1' + Module version bump for virt and networkmanager patches from Laurent + Bigonville. + Merge branch 'master' of git://github.com/bigon/refpolicy-contrib + Module version bump for firewalld updates from Laurent Bigonville. + Module version bump for collectd update from Jason Zaman. + Module version bumps for user runtime fixes from Jason Zaman. + Boinc updates from Russell Coker. + rpcbind: Read /sys/devices/system/cpu/online from Russell Coker. + watchdog: Move line. + Module version bump for watchdog pidfile option from Russell Coker. + Systemd units from Russell Coker. + Module version bump for pulseaudio fc fix from Jason Zaman. + cpucontrol: revise cpucontrol_conf_t labeling, from Guido Trentalancia. + Module version bumps for patches from Guido Trentalancia. + Update the telepathy module: + Update the alsa module so that the alsa_etc_t file context (previously + alsa_etc_rw_t) is widened to the whole alsa share directory, instead of + just a couple of files. 
+ alsa: Add compatibility alias for alsa_etc_rw_t. + Update the sysnetwork module to add some permissions needed by the dhcp + client (another separate patch makes changes to the ifconfig part). + Module version bump for various patches from Guido Trentalancia. + pulseaudio: Fix compile errors. + Merge branch 'master' of + https://github.com/SeanPlacchetti/refpolicy-contrib + Module version bump for webalizer dead type removal from Sean Placchetti. + Module version bump for Evolution SSL fix from Guido Trentalancia. + evolution: Read user certs from Guido Trentalancia. + cups: Move can_exec() line. + cups: Module version bump for hplip patch from Guido Trentalancia + pulseaudio: Move interface definitions. + Module version bump for mozilla patch from Guido Trentalancia. + Module version bump for gnome patch from Guido Trentalancia. + Module version bump for evolution patch from Guido Trentalancia. + gpg: Whitespace fix. + Merge branch 'feature/fix-networkmanager-varrun-macro' of + https://github.com/rfkrocktk/refpolicy-contrib + Module version bump for networkmanager fix from Naftuli Tzvi Kay. + Merge branch 'rfkrocktk-feature/syncthing' + Rearrange lines in syncthing. + webalizer: Rearrange a couple lines. + Module version bump for webalizer patch from Russell Coker. + Bump module versions for release. + +Dominick Grift (18): + Module version bump for changes to the geoclue module by Laurent + Bigonville. + Module version bump for changes to various modules from Laurent + Bigonville. 
+ geoclue: move kernel interface call to the appropriate position + Actually associate mailmain_domain attribute with mailman domains + Module version bumps for changes to various modules by Nicolas Iooss + Module version bump for changes to the cron module by Jason Zaman + Module version bump for changes to the redis module by Grant Ridder + Module version bump for changes to the raid module by Laurent Bigonville + Module version bump for changes to the networkmanager module by Laurent + Bigonville. + Module version bump for changes to the redis module by Grant Ridder. + Module version bump for changes to the mozilla module by Laurent + Bigonville. + Module version bump for changes to the geoclue module by Nicolas Iooss. + Add hwloc-dump-hwdata SELinux policy + Module version bump for changes to the varnishd module by Robert Moucha + Module version bump for changes to the puppet module by Thomas Mueller + Module version bump for changes to the varnishd module by Adam Tkac + Module version bump for changes to the certmonger module by Adam Tkac + Revert "dbus: allow system, and session bus clients to answer to dbus + unconfined domains" + +Grant Ridder (2): + Add read/write perms for redis-sentinel + Allow tcp_connect to redis_port_t for redis_t + +Guido Trentalancia (7): + Policykit module: add fs_getattr_xattr_fs() + Update the policy for module apm + Let gpg disable core dumps + Update the rtkit module + Update the pulseaudio module for usability and ORC support + cups: update permissions for HP printers (load firmware) + gpg: public key signature verification in evolution + +Guido Trentalancia via refpolicy (3): + evolution: read SSL certificates + mozilla: let mozilla play audio + gnome: add support for the OIL Runtime Compiler (ORC) optimized code + execution + +Jason Zaman (10): + cron: Allow locks to be lnk_files + collectd: update policy for 5.5 + consolekit: allow managing user runtime + pulseaudio: fcontext and filetrans for runtime + ftp: Add filetrans 
from user_runtime + gnome: Add filetrans from user_runtime + mplayer: Add filetrans from user_runtime + userhelper: Add filetrans from user_runtime + wm: Add filetrans from user_runtime + pulseaudio: fix user runtime fcontext + +Laurent Bigonville (13): + Add initial geoclue 2 module + Properly escape dot in the path to the geoclue daemon + Use auth_use_nsswitch() as we need DNS resolving and access nsswitch.conf + virt.fc: Add some debian contexts + networkmanager.fc: nm-dispatcher.action has been renamed to nm-dispatcher + Allow some domain to read sysctl_vm_overcommit_t + Allow mdadm read efivarfs files + Allow /var/run/firewalld/ directory to transition to firewalld_var_run_t + Add an interface to allow a domain to read firewalld_var_run_t files + Allow firewalld to create firewalld_var_run_t directory. + dontaudit firewalld attempt to relabel its own config files + Allow NM to execute arping + Debian now ships firefox-esr, properly label the executable + +Luis Ressel (1): + New policy for tboot utilities + +Naftuli Tzvi Kay (2): + Fix NetworkManager Read Pid Files Macro + Syncthing Policy + +Nicolas Iooss (3): + Describe _initrc_domtrans interfaces differently from the _domtrans ones + Fix typos in several interfaces + Add Arch Linux path for geoclue module + +Robert Moucha (1): + Fix trivial typo in varnishncsa name + +Russell Coker (2): + watchdog reads pid files + named reads vm sysctls + +Russell Coker via refpolicy (1): + webalizer patch for inclusion + +Sean Placchetti (1): + -Remove unused declarations from webalizer type enforcement file + +Thomas Mueller (1): + Allow puppet_t transtition to shorewall_t + +doverride (3): + Merge pull request #8 from bigon/geoclue + Merge pull request #11 from bigon/overcommit-1 + Merge pull request #12 from fishilico/typos + +* Tue Dec 08 2015 Chris PeBenito <selinux@tresys.com> - 2.20151208 +Alexander Wetzel (1): + add vfio support for libvirt + +Chas Williams - CONTRACTOR (1): + afs: update labels, file contexts and 
allow access to urandom + +Chris PeBenito (14): + Module version bump for hadoop_admin() fix from Jazon Zaman. + Module version bump for fc typo in radius from Sven Vermeulen. + Module version bump for patches from Jason Zaman. + Module version bump for init_startstop_service from Jason Zaman. + Module version bump for cron_admin interface from Jason Zaman. + Comment/whitespace fix in virt.te. + Module version bump for vfio support for libvirt from Alexander Wetzel. + Add systemd unit types. + Add systemd socket activations. + Merge branch 'pebenito-master' + Module version bump for systemd additions. + Merge branch 'bigon-systemd' + Module version bump for dbus systemd patch from Laurent Bigonville. + Bump module versions for release. + +Dominick Grift (16): + Module version bump for courier fixes from Sven Vermeulen. + Module version bump for afs fixes from Chas Williams. + Redundant rules and afs_files_t is not a filesystem type + Various samhain fixes + Cachefilesd module updates + Module version bump for changes to the dnsmasq policy module by Jason + Zaman + Module version bump for changes to the snmp policy module by Jason Zaman + Module version bump for changes to the pulseaudio policy module by Jason + Zaman + cachefiles: It is cachefilesd_cache_t + Module version bump for update to the networkmanager policy module by + Stephen Smalley. + Module version bumps for "Remove run interface calls from admin + interfaces" changes by Jason Zaman. + Module version bump for changes to the pulseaudio module by Niklas Haas. + Changes to the git, hadoop and rsync modules by Jason Zaman. + Module version bump for changes to the virt module by Jason Zaman + Module version bump for changes to the mozilla module from Laurent + Bigonville. 
+ Module version bump for changes to the wine module by Nicolas Iooss + +Jason Zaman (19): + hadoop: remove _role from _admin interface + rpcbind: typo fix + git: make inetd interface optional + rpc: introduce allow_gssd_write_tmp boolean + rpc: allow setgid capability + virt: add virt_tmpfs_t type and permissions + introduce virt_leaseshelper_t + dnsmasq: allow exec shell for scripts + snmp: missing fcontext for snmpd + pulseaudio: filetrans for autospawn.lock + Use init_startstop_service in admin interfaces A-M + Use init_startstop_service in admin interfaces N-Z + Remove _run() interfaces from _admin() + Introduce cron_admin interface + rsync: remove rsync_run from admin interface + git: allow git_system_t to listen on tcp_sockets + hadoop: init_startstop_service() can not take attributes + virt: Allow creating qemu guest agent socket + virt: Add policy for virtlockd the Virtual machine lock manager + +Laurent Bigonville (2): + Transition D-Bus system service out of the init_t domain when PID1 is + systemd + Label iceweasel plugin-container executable as mozilla_plugin_exec_t + +Nicolas Iooss (1): + wine: remove use of nonexisting interface + +Niklas Haas (1): + pulse: don't give pulseaudio_client full access to user_home_t + +Stephen Smalley (1): + contrib: networkmanager: allow netlink_generic_socket access + +Sven Vermeulen (6): + Locate authdaemon socket and communicate with authdaemon + Allow authdaemon to access selinux fs to check SELinux state + Grant setuid/setgid to courier_pop_t + Execute courier helper script after authentication + Courier IMAP needs to manage the users' maildir + Fix typo for radiusd /var/lib location + +doverride (2): + Merge pull request #3 from haasn/pulse-nohome + Merge pull request #6 from bigon/mozilla-1 + +* Wed Dec 03 2014 Chris PeBenito <selinux@tresys.com> - 2.20141203 +Chris PeBenito (26): + Whitespace fix in ntp.fc. + Module version bump for ntp fc entries from Laurent Bigonville. + Whitespace fix in shibboleth.te. 
+ Module version bump for new shibboleth module from Martin Lang. + Module version bump for apt fix from Nicolas Iooss. + Module version bump for dnsmasq MTU fix from Sven Vermeulen. + Module version bump for apache content interfaces from Sven Vermeulen. + Module version bump for gitweb fc entry on Debian and ArchLinux from + Nicolas Iooss. + Module version bump for fc regex fixes from Nicolas Iooss. + Module version bump for various fixes from Laurent Bigonville. + Module version bump for ModemManager fc entry from Laurent Bigonville. + Add missing cron_admin_role() dependency. + Move sock_file filetrans to fcron_crond conditional. + Module version bump for cron and snort updates from Sven Vermeulen. + Module version bump for java icedtea fc entries from Sven Vermeulen. + Module version bump for apache/mlogc patch from Elia Pinto. + Remove name from ntp-kod ntp_drift_t filetrans. + Module version bump for ntp-kod file support from Jason Zaman. + Module version bump for init_daemon_pid_file use from Sven Vermeulen. + Module version bump for alsa and hiawatha fixes from Sven Vermeulen. + Module version bump for ftp and tftp fixes from Nicolas Iooss. + Move irc exec lines. + Module version bump for irc re-exec itself patch from Luis Ressel. + Module version bump for NetworkManager fc fix for ArchLinux from Nicolas + Iooss. + Module version bump for _admin fixes from Jason Zaman. + Bump module versions for release. 
+ +Dominick Grift (3): + Module version bump for changes to the loadkeys module by Nicolas Iooss + cron: that boolean identifier does not exist also require it + Module version bump for changes to the networkmanager modules by Lubomir + Rintel + +Elia Pinto (1): + apache.te: Add labelling support for /var/log/mlogc + +Jason Zaman (20): + Add filetrans for ntp-kod file + ccs: syntax errors in ccs_admin interface + condor: syntax error in condor_admin + distcc: syntax error in distcc_admin + ftp: syntax error in ftp_admin + kerberos: syntax error in kerberos_admin + kismet: syntax error in kismet_admin + nut: syntax error in nut_admin + prelude: syntax error in prelude_admin + psad: syntax error in psad_admin + quota: syntax error in quota_admin + rpcbind: syntax error in rpcbind_admin + rpm: syntax error in rpm_admin + systemtap: syntax error in stapserver_admin + svnserve: syntax error in svnserve_admin + uptime: syntax error in uptime_admin + zabbix: syntax error in zabbix_admin + remove pyzor_role() from pyzor_admin() + remove spamassassin_role() from spamassassin_admin() + rsync: syntax error in rsync_admin + +Laurent Bigonville (7): + Add several fcontext for debian specific paths for ntp + Fix dbus_all_session_domain(), session_bus_type is an attribute + Allow gconfd to be started by the session bus + Fix the usage of dbus_spec_session_domain() interface + Properly label exim4 initscript under Debian + Add new gnome_spec_domtrans_all_gkeyringd() interface + Label /usr/sbin/ModemManager as modemmanager_exec_t + +Lubomir Rintel (1): + Allow NetworkManager to create Bluetooth SDP sockets + +Luis Ressel (1): + irc.te: Allow irssi to re-execute itself + +Martin Lang (1): + Add a policy module for shibboleth authentication + +Nicolas Iooss (7): + apt: remove non-existing permission set write_dir_perms + Label /usr/share/gitweb/static as httpd_git_content_t + Fix strange file patterns + ftp: fix labels in /var/lock/subsys/ + Label /usr/bin/tftpd as tftpd_exec_t + 
Label /usr/lib/networkmanager/ like /usr/lib/NetworkManager/ + Allow loadkeys to read usr_t files + +Sven Vermeulen (17): + dnsmasq reads MTU sysctl + Support read/append/manage functions for various httpd content + Snort policy updates + fcron socket support + Fix typo in dnsmasq.if + Mark icedtea binaries as java_exec_t + Use init_daemon_pid_file for contrib modules + Enable asound.state.lock support + Add support for Hiawatha web server + Use logging_search_logs, not logging_search_log + Use logging_search_logs, not logging_search_log + Use files_search_etc, not logging_search_etc + Use files_search_etc, not logging_search_etc + Use files_search_etc, not files_search_config + Use corecmd_search_bin, not corecmd_searh_bin + Use fs_search_tmpfs, not files_search_tmpfs + Use domain_auto_trans, not auto_trans + +* Tue Mar 11 2014 Chris PeBenito <selinux@tresys.com> - 2.20140311 +Chris PeBenito (17): + Minor rearrangement of minidlna lines. + Module version bump for openvpn tmp files from Sven Vermeulen. + Update modules for file_t merge into unlabeled_t. + Module version bump for postfix showq fc from Laurent Bigonville. + Rename gpg_agent_connect to gpg_stream_connect_agent. + Module version bump for gpg agent interface from Luis Ressel. + Whitespace fixes in git.fc. + Module version bump for debian git fc entries from Laurent Bigonville. + Move bin_t fc to corecommands. + Move exec/transition lines in couchdb. + Add comment about couchdb_js policy. + Module version bump for couchdb updates from Luis Ressel. + Module version bump for pcscd fix from Luis Ressel. + Move screen dontaudit rule. + Module version bump for screen fix from Luis Ressel. + Module version bump for git fc fix from Nicolas Iooss. + Bump module versions for release. 
+ +Dan Walsh (28): + Allow irc_t to use tcp sockets + Add labels for apache logs under miq package + Allow smbcontrol to create content in /var/lib/samba + Allow ktalkd to bind to the ktalkd_port + Allow memcache to read sysfs data + Allow mdadm to getattr any file system + Allow cupsd_lpd_t to bind to the printer port + Allow rlogind to bind to the rlogin_port + Allow cvs to bind to the cvs_port + svirt domains neeed to create kobject_uevint_sockets + Lots of new access required for sosreport + Allow tgtd_t to connect to isns ports + openct needs to be able to create netlink_object_uevent_sockets + Allow glusterd to create sock_file in /run + Add support for tmp directories to openvswitch + Allow virt_domain with USB devices to look at dos file systems + Additional access for MLS + Additional access for MLS window manager + Additional access for MLS window manager + Additional access for MLS window manager + Allow rpcbind to use nsswitch + Allow gpg_agent to use ssh-add + Add apache labeling for glpi + Allow pegasus to transition to dmidecode + Allow mcelog to use the /dev/cpu device + Allow apmd to request the kernel load modules + Allow postfix programs to getattr on all executables + label mate-keyring-daemon with gkeyringd_exec_t + +Dominick Grift (126): + Typo fix in ksmtuned_admin() by Shintaro Fujiwara + Fix monolithic built + Change file context spec for aide log files to catch suffixes + Module version bumps for changes in various policy modules by Sven + Vermeulen + Squid: Use a single pattern for brevity + Irc was already allowed to create tcp sockets, it only needed an + additional accept, and listen to be able to act as a proxy + Its probably a better idea to use the httpd_sys_ra_content_t type sid + for logs in these locations + Module version bump for changes to the tcsd policy module by Lukas + Vrabec + Module version bump for changes to various policy modules by Miroslav + Grepl + Module version bump for changes to the samba policy module by Dan 
Walsh + Module version bump for changes to the telepathy policy module by + Miroslav Grepl + We do not have a boinc domain type attribute Change boolean + description a bit + Additional rabbitmq couchdb support + Module version bumps for changes to various policy modules by Miroslav + Grepl + Additional git tcp networking rules + Additional ktalkd udp networking rules + Module version bump for changes to various policy modules by Dan Walsh + Addtional cups ldp tcp networking rules + Should be server packets because it is binding, and not connecting + Clean up telnet, and rlogin networking rules + Additional cvs tcp networking rules + Module version bump for changes to various policy modules by Dan Walsh + Addtional tgtd tcp networking rules + Additional polipo tcp networking rules + Fix asterisk files_spool_filetrans() + Module version bump for changes to the networkmanager policy module by + Lukas Vrabec + Additional fs_tmpfs_filetrans() for munin service plugin content on + tmpfs + Module version bump for changes to various policy modules by Miroslav + Grepl + Support rlogind, and telnetd as init daemon domains ( i think fedora is + campaigning to get rid of (x)?inetd ) + Support mariadb logging, file context specification for mariadb specific + config location + Change logwatch boolean identifier to something more self-documenting. + Additional tcp networking rules + Module version bump for changes to various policy modules by Miroslav + Grepl + Fix inconsistencies in the pkcs policy module + Fix fetchmail inconsistencies + Module version bump for changes in various policy modules by Dan Walsh + Support for window managers to stream socket connect to pulseaudio + Logwatch does not need to be able to bind tcp sockets to generic nodes + since its only connecting + Adds userhelper_exec_consolehelper for window managers + Remove duplicate rules due to addition of auth_use_nsswitch() + We dont use the arbt domain types template. 
Use a more uniform boolean + discription + Clean up libstoragemngmt policy module We do not yet support systemd + Change type from etc_rw to conf for readability admin access to + condor_conf_t + Hit by a nasty optional policy nesting issue + We will find another way to run pa as a system server + Module version bump for changes to various policy modules by Miroslav + Grepl + Clean up hypervkvp policy module (seems incomplete) + Clean up initial redis policy module + Additional openvpn tcp networking rules + redis: allow redis to bind tcp sockets to redis_port_t type ports + bluetooth: bluetooth_t acquires org.bluez service on dbus system bus + wm: associate wm_exec_t to core command executable files so that initrc_t + (/sbin/start-stop-daemon) can access it (metacity) + logrotate restarts syslogd via init script in Debian + This file is called just man-db in Debian. + exim: exim owns directory /var/lib/exim4 + accountsd: accounts-daemon lists /var/log + alsa: alsactl listing /dev/shm alsa: alsactl reading /dev/urandom alsa: + alsactl getting attributes of devtmpfs / (/dev) alsa: alsactl maintains + a pulseaudio tmpfs file + Cron: /sbin/runlevel reads /run/utmp cron: anacron (system_cronjob_t) + reading, writing inherited random crond tmp files (/tmp/tmpfk1VT2O) + dbus: allow system, and session bus clients to answer to dbus unconfined + domains + apt: Run apt system cronjobs in the apt_t domain apt: apt system cronjob + creates dpkg.status.* files in /var/backup + devicekit: upowerd reads own unix stream socket devicekit: + devicekit_power_t (runlevel) read /run/utmp + mandb: Make the man-db cronjob work on Debian + rtkit: traverse /proc to get to process state files + networkmanager: NetworkManager reads /run/udev/data/n2 file + avahi: create a avahi_initrc_domtrans for udev_t: udev runs a avahi dns + check script which does, i guess, a dns check. If needed it starts, or + stops avahi via its init script. 
I also created a + avahi_manage_pid_files() for udev_t because the script manages a file + called "checked_nameservers.*" in /run/avahi-daemon + Cleanups of various modules with regard to regular expressions and white + space + apt: As it turns out the /var/backups directory is labeled in the backup + module (which i incidentally did not have installed earlier). Instead + of creating this file with a file type transition to + apt_var_cache_t, allow apt_t to manage backup_store files + mta: this needs to be verified again, it should just have been running + in exim_t. I might have taken this from old logs + mandb: /etc/cron.daily/man-db executes dpkg, reads dpkg db on Debian + slocate: catch /usr/bin/updatedb.mlocate, and /etc/cron.daily/mlocate on + Debian + dpkg: catch /etc/cron.daily/dpkg on Debian dpkg: allow + /etc/cron.daily/dpkg to manage backup store files on Debian + cron: consistent usage of regular expressions cron: prelink no longer + runs in the system cronjob domain + alsa: alsactl wants to associate pulse-shm-.* to device_t type + filesystems. This happens early on but i do not understand how that + (/dev) relates to /dev/shm in this regard + devicekit: reads udev pid files modemmanager: reads udev pid files + vdagent: spice-vdagentd uses /dev/vport1p1 virtio console + tmpreaper: mountall-bootcl in the tmpreaper_t domain reads, writes + /dev/pts/0 inherited from init script + revert regular expressions + wm: allow $1_wm_t to stream connect to $1_gkeyringd_t + mta: allow system_mail_t (user_mail_domains) to read kernel sysctls and + to read exim var lib files. 
+ mta: These are duplicates because system_mail_t is a user_mail_domain, + as it is based off of the mta_base_mail_template() which assigns that + type attribute + locate: extra rules needed by debian /etc/cron.daily/locate script + backup: in Debian /etc/cron.daily/passwd backs-up shadow, passwd etc to + /var/backups + avahi: create interfaces that will allow calles to create avahi pid dirs + and create specifc avahi pid objects with a type transition (for + udev, which runs: /usr/lib/avahi/avahi-daemon-check-dns.sh in + Debian + Initial gdomap policy module + Initial minissdpd policy module + alsa: due to a bug in gnome 3.4, in debian, alsactl does all kinds of + weird things related to pulseaudio + various: revert regex fixes: fcsort does not want this now + gdomap: gdomap_port_t is now available, gdomap binds tcp, and udp socket + to it + alsa: make alsa_t and pulseaudio_client so that pulseaudio_client rules + apply to it. alsactl does not actually run pulseaudio it seems though. + pulseaudio: allow all pulseaudio_client to send null signals to + unconfined_t, since unconfined_t is not actually a pulseaudio_client ( + unconfined_t runs pulseaudio without a domain transition) + avahi: create avahi_setattr_pid_dirs() for udev (avahi dns check script + run by udev in Debian) + These { read write } tty_device_t chr files on boot up in Debian + colord: colord executable file locations in Debian + colord: reads /proc/1, reads /run/udev files + vdagent: read/write mtrr file + mandb: dpkg running in the mandb_t domain in Debian (mandb cronjob) + traverses /root + exim: traverses sysfs, uses system cronjob file descriptors (/dev/null) in + Debian (/etc/cron.daily/exim) + minissdpd fixes + devicekit: disk reads /proc/sys/vm/overcommit_memory + devicekit: edit devicekit_append_inherited_log_files to include get + attribute permission so that it can be also used for fsadm + devicekit: 95hdparm-apm (devicekit_power_t) gets attributes of /dev/sda + (fixed_disk_device_t) + 
networkmanager: added interfaces that fedora calls for dhcpc. In Debian it + was confirmed that at least dhclient manages + /var/lib/NetworkManager/dhclient-eth0.conf + firewalld: various fixes that i borrowed from Fedora but that also apply + to Debian (confirmed) + firewalld: interfaces created for iptables + irqbalance: getsched from Debian + colord: colord reads /proc/3412/cmdline (cupsd state files) + virt: libvirtd reads /run/udev/data/+input:input3 + firewalld: traverses / on sysfs + rngd: needs ipc_lock capability, maintains /run/rngd.pid + tmpreaper: mountall-bootcl executes /bin/plymouth on Debian + minissdpd: deal with assertion violation (sys_module) + gdomap: missing networking rules, it traverses /tmp for some reason + ntp: create ntp_read_drift_files() for dhclient + dpkg: allow dpkg, and dpkg script to domain transition to initrc_t on any + init script file type rather than only the generic initrc_exec_t init + script file type + exim: exim4 reads online + apt: apt runs /usr/bin/apt-get apt: on_ac_power (apt_t) lists + /sys/class/power_supply + exim: exim_manage_var_lib_files created for init: init script runs helper + apps that create/manage /var/lib/exim4/config.autogenerated.tmp + gdomap/minissdpd: create read_config interfaces for initrc_t + exim: make exim init script create /var/run/exim4 with a proper context + pulseaudio: pulsaudio_t needs to be able to read user_tmpfs_files + (/run/shm/pulse-shm-.*) + dnsmasq: add support for /etc/dnsmasq.d/ + Module version bumps for various policy modules + Module version bump for changes to the logrotate module by Luis Ressel + Git: git daemons can list and read git personal repositories + Module version bumps for changes to various policy modules by Fedora + redis, lsm: typo fixes + userhelper: append newline + +James Carter (8): + - Fixed typo in contrib/avahi.if + - Fixed typo in contrib/glusterfs.te + - Fixed typo in contrib/jabber.if + - Fixed typo in contrib/keystone.if + - Fixed typo in 
contrib/mailscanner.if + - Fixed typo in contrib/qpid.if + - Fixed typo in contrib/readahead.fc. + - Fixed typo in contrib/rpm.if. + +Laurent Bigonville (2): + Label /usr/lib/postfix/showq as postfix_showq_exec_t + Properly label git-daemon and gitweb.cgi on Debian + +Luis Ressel (10): + Allow initrc_t to create /var/run/opendkim + Label /etc/cron.daily/logrotate correctly. + gpg: Create gpg_agent_connect interface + Minor updates to couchdb policy + couchdb: Add separate domain for couchjs + couchdb: Dontaudit denials caused by Erlang's disksup + Reformat couchdb.fc + pcscd.if: Permit access to pid files inside /var/run/pcscd/. + Allow gpg-agent's scdaemon to connect to pcscd. + Dontaudit screen asking for the sys_tty_config capability + +Lukas Vrabec (8): + Allow tcsd to read utmp file + fix boinc policy + Add support for couchdb in rabbitmq policy + Fix transition rules in asterisk policy + Add fowner capability to networkmanager policy + Add policy for lsmd + Add policy for hypervkvpd + Add policy for redis-server + +Mika Pflüger (1): + Correct typo in passenger module name + +Miroslav Grepl (40): + Allow passenger to execute ifconfig + Allow mpd setcap which is needed by pulseaudio + Allow block_suspend cap for samba-net + Allow t-mission-control to manage gabble cache files + Allow nslcd to read /sys/devices/system/cpu + Add labeling for ~/.cache/telepathy/avatars/gabble + Allow firewalld to read NM state + Allow systemd running as git_systemd to bind git port + Fix labeling for fetchmail pid files/dirs + Fix polipo.te + Fix cupsd.te + Allow munin service plugins to manage own tmpfs files/dirs + Make ktalk as init domain + Allow mysqld_safe_t to handle also symlinks in /var/log/mariadb + Add logwatch_can_sendmail boolean + Allow rhsmcertd to read init state + Allow fsetid for pkcsslotd + Allow fetchmail to create own pid with correct labeling + Fix rhcs_domain_template() + Add support for abrt-upload-watch + Allow virtd to relabel unix stream socket + Fix 
lsm.fc for pid files + Also sock_file trans rule is needed in lsm + Update condor_master rules to allow read system state info and allow + logging + Add labeling for /etc/condor and allow condor domain to write it (bug) + Allow condor domains to manage own logs + Allow glusterd to read domains state + Add openvpn_can_network_connect() boolean + Fix minissdpd_admin() + Allow ctdb to getattr on al filesystems + Watchdog opens the raw socket + Allow watchdog to read network state info + Add setroubleshoot_signull() interface + Allow sosreport to send signull to setroubleshootd + Allow sosreport all signal perms + Allow sosreport to dbus chat with rpm + Allow zabbix_agentd to read all domain state + Allow smoltclient to execute ldconfig + Allow sosreport to request the kernel to load a module + Allow setpgid for sosreport + +Nicolas Iooss (1): + git: fix file pattern after whitespace fixes + +Sven Vermeulen (6): + Add minidlna policy + Allow openvpn temporary files + Add aide bin /usr/bin and mark /var/lib/aide + Provide alsa_write_lib interface + Run dmidecode after newrole or on terminals + Grant write privileges to squid on its log files + +* Wed Apr 24 2013 Chris PeBenito <selinux@tresys.com> - 2.20130424 +Chris PeBenito (18): + Rewrite of mcelog module from Guido Trentalancia + Remove unnecessary lines in mcelog.te. + Slight rearrangement in mcelog.te. + Module version bump for mcelog update from Guido Trentalancia. + Module version bump for ntp module fixes from Dominick Grift. + Module version bump for fc substitutions optimizations from Sven + Vermeulen. + Module version bump for postfix/mta misc fixes from Sven Vermeulen. + Module version bump for init_daemon_run_dirs usage from Sven Vermeulen. + Turn off all tunables by default, from Guido Trentalancia. + Module version bump for tunable default change. + Module version bump for saslauthd tcp mysql connections from Mika Flueger. + Move kernel request line in quota. 
+ Module version bump for quota kernel module request from Mika Pflueger. + Module version bump for djbdns ports fixes from Russell Coker. + Remove stray + in keystone.te. + Whitespace fixes in cron.fc. + Module version bump for pulseaudio type_transition conflict fix from Sven + Vermeulen. + Bump module versions for release. + +Dominick Grift (889): + Initial BIRD Internet Routing Daemon policy + oident daemon fixes + Introduce ntp_conf_t + Allow ntp_admin() to manage ntp_drift_t content. + List etc_t directories + Use "Role allowed access." for consistency + Use permissions sets for compatibility. + Remove getattr permision from ntp_admin() + Initial Sensord policy module + Various block_suspend capability2 support from Fedora + Gitolite3 support from Fedora + /var/lib/sqlgrey is greylist milter data from Fedora + Terminal related fixes for plymouthd from Fedora Support block_suspend + capability2 for plymouth + Support minimal polkit in new location + Support ldap for user authentication from Fedora + Sanlock sends kill signals to non-root processes from Fedora Various + other capabilities for sanlock from Fedora + Initial support for sqlgrey from Fedora + Tor reads network sysctls from Fedora + GPG agent reads /dev/random from Fedora + Freshclam reads system and network state from Fedora + Execute wpa_cli in the NetworkManager_t domain for wicd from Fedora + lpstat.cups reads fips_enabled from Fedora + Initial system tap compile server policy module + Systemtap server admin manages stapserver_var_lib_t content + Telepathy Idle reads gschemas.compiled from Fedora + Initial slpd policy module + Initial lightsquid policy module + Initial wdmd policy module + Initial mailscanner policy module and some depencies. 
+ Support slpd log rotation + Initial numad policy module + Open log files for append only + CGClear reads CGConfig files from Fedora Cosmetic changes to cgroup + policy module File contexts of cgroup app executables files in + /sbin also apply to /usr/sbin Make cgroup_admin() a bit more + compact + Initial svnserve policy module + Various small changes to ucspitcp + Initial fcoe policy module + Initial lldpad policy module + fcoemon sends to lldpad with a dgram socket + Initial quantum policy module + Initial dspam policy module + Module version bump for Telepathy file context spec fixes from Laurent + Bigonville. + Initial isns policy module + Various changes to tcs policy module + Initial ctdb policy module + Various changes to the sblim policy module and its dependencies + Initial polipo policy module + Module version bump for networkmanager fixes + Fixes to the polipo policy module + Module version bump for smartmon fixes from Laurent Bigonville. + Module version bump for accountsd file context spec fix from Laurent + Bigonville. 
+ Various changes to the raid module + Module version bump for rtkit file context spec fix from Laurent + Bigonville + Initial couchdb policy module + Changes to the bind policy module + Initial dnssectrigger policy module + Initial man2html policy module + Initial openhpi policy module + Bind sends/receives http server instead of client packets conditionally + Two file context regular expression fixes by Eric Paris + Type mdadm_t is no longer a unconfined type + Initial pkcs policy module + Initial cfengine policy module + Initial keystone policy module + Initial l2tp policy module + Initial mongodb policy module + cfengine whitespace cleanup + Changes to the accountsservice policy module + Changes to the acct policy module + Changes to the ada policy module + changes to the afs policy module + Changes to the accountsservice policy module + Changes to the aiccu policy module + Changes to the aide policy module + Syntax error in afs_admin() + Changes to the aisexec policy module + Changes to the alsa policy module + Changes to the amanda policy module + Changes to the amavisd policy module and relevant dependencies + Changes to the amtu policy module + Changes to the anaconda policy module + Changes to the abrt policy module and relevant dependencies + numad sends/receives msgs from Fedora + Amtu executable file in installed in /usr/sbin in Fedora + The (usr/)? 
expression does not work consistently so better not use it + at all + Changes to the httpd policy module + Merge branch 'master' of + ssh://dgrift@oss.tresys.com/home/git/refpolicy-contrib + Fixes to the apache policy module and dependencies + Changes to the apcupsd policy module + Role attributes for lightsquid application domain + Changes to the mailscanner module + Changes to the svnserve policy module + Changes to the quantum policy module + Changes to the dspam module + Changes to the ctdb policy module + Changes to the couchdb policy module + Changes to the openhpid policy module + Changes to the keystone policy module + Changes to the l2tp policy module + Changes to the apm module and relevant dependencies + Changes to the arpwatch policy module + Changes to the apcupsd policy module + Changes to the abrt policy module + Changes to the apache policy module + Changes to the asterisk policy module and dependencies + Changes to the authbind policy module + Changes to the automount policy module + Change acpid lock file context spec + Changes to the avahi policy module and dependencies + Changes to the awstats policy module + Changes to the bacula policy module + Changes to the bcfg2 policy module + Changes to the apt policy module + Changes to the apache policy module + Changes to the backup module + Changes to the bind policy module + Bird module clean up + Fix arpwatch connected_stream_socket_perms + Changes to the bitlbee policy module + Changes to the blueman policy module + Changes to the bluetooth policy module + Changes to the brctl policy module + Changes to the apache policy module + Changes to the bugzilla policy module + Changes to the calamaris policy module + Implement lightsquid_admin() + Changes to the apache policy module and dependencies + Initial boinc policy module + Initial callweaver policy module + Changes to the canna policy module + Changes to the ccs policy module + Changes to the cdrecord policy module + Changes to the certmaster 
policy module and various role attribute fixes + cdrecord needs to read and write callers unix domain stream socket not + create it + Changes to the certmonger policy module and its dependencies + Initial cachefilesd policy module + Changes to the certwatch policy module + Changes to the chronyd policy module + Changes to the cipe policy module + Changes to the clamav policy module + Various network clean up + Add dev_rw_cachefiles() to cachefilesd policy module + Changes to the clockspeed policy module + Changes to the clogd policy module + Changes to the cmirrord policy module + Changes to the cobbler policy module + Changes to the colord policy module + Changes to the comsat policy module + Initial collectd policy module + Initial condor policy module and relevant dependencies + Changes to the consolekit policy module and relevant dependencies + Changes to the corosync policy module and relevant dependencies + Clean up couchdb network rules + Changes to the courier policy module + Changes to the cpucontrol policy module + Changes to the cpufreqselector policy module + Changes to the cron policy module and relevant dependencies + Changes to the cups policy module and relevant dependencies + Changes to the cvs policy module + Remove redundant connect avperms + Changes to the cyphesis policy module + Remove redundant rules from apache_admin() + Changes to the cyrus policy module + Changes to the daemontools policy module + Changes to the dante policy module + Modify dbadm boolean descriptions + Changes to the dbus policy module and its dependencies + Changes to the dcc policy module + Changes to the ddclient policy module + Changes to the ddcprobe policy module + Changes to the denyhosts policy module + Changes to the devicekit policy module and relevant dependencies + Changes to the dhcpd policy module + Changes tothe dictd policy module + Changes to the discc policy module + Changes to the djbdns policy module + Changes to the dkim policy module + Changes to the 
dmidecode policy module + Module bump for Laurent Bigonville trousers init script file context + specification fix + Module bump for Laurent Bigonville libvirt init script file context + specification fix + Changes to the dnsmasq policy module and relevant dependencies + Changes to the dovecot policy module + Changes to the dpkg policy module + Changes to the entropyd policy module + Changes to the evolution policy module + Changes to the exim policy module and relevant dependencies + Changes to the cron policy module + Changes to the fail2ban policy module + fcoemon XML clean up + Changes to the fetchmail policy module + Changes to the fingerd policy module + Initial firewalld policy module + Changes to the firstboot policy module + Changes to the fprint policy module and relevant dependencies + Changes to the ftp module + Changes to the games policy module + Clean up evolution and cdrecord XML + Changes to the gatekeeper policy module + Changes to the gift policy module + Changes to the git policy module + Changes to the gitosis policy module + Changes to the glance policy module + Initial glusterfs policy module + Add gatekeeper newline + Deprecate glusterd_admin() use glusterfs_admin() instead + Portage module version bump for autofs support by Matthew Thode and + clean up + cfengine: This location is now labeled with a cfengine private type + Changes to the slpd policy module + Changes to the gnomeclock policy module and relevant dependencies + Changes to the gpg policy module + Changes to the gpm policy module + Changes to the gpsd policy module and relevant dependencies + changes to the guest policy module + Changes to the gnomeclock policy module + Deprecate various DBUS interfaces and relevant dependencies + Changes to the cachefilesd policy module + Remove file context specification for kgpg which is a GUI frontend to + GPG. Domain transition to gpg_t will happen when kgpg runs gpg. 
+ (rhbz#862229) + Initial mandb policy module + Changes to the hadoop policy module + Changes to the hald policy module + Changes to the hddtemp policy module + Changes to the howl policy module + changes to the mandb policy module + Changes to the dbus policy module + Changes to the rpm policy module + Changes to the i18n_input policy module + Changes to the icecast policy module + Changes to the ifplugd policy module + Changes to the imaze policy module + Changes to the inetd policy module and relevant dependencies + Changes to the innd policy module + Changes to the irc policy module + Changes to the ircd policy module + Changes to the irc policy module + Changes to the dbus policy module + Changes to the avahi policy module + Changes to the bluetooth policy module + Changes to the aiccu policy module + Changes to the bacula policy module + Changes to the boinc policy module + Changes to the bugzilla policy module + Changes to the ccs policy module + Changes to the clamav policy module + Changes to the cobbler policy module + Changes to the cyphesis policy module + Changes to the dante policy module + Changes to the dbskk policy module + Changes to the ddclient policy module + Changes to the denyhosts policy module + Changes to the dnssectrigger policy module + Changes to the dovecot policy module + Changes to the drbd policy module + Changes to the evolution policy module + Changes to the fail2ban policy module + Changes to the firewalld policy module + Changes to the firstboot policy module + Changes to the games policy module + Changes to the gift policy module + Changes to the glance policy module + Changes to the hald policy module + Changes to the dbus policy module + Changes to the git policy module + Changes to the polipo policy module + Changes to the firewalld policy module + Changes to the gpg policy module + Tab clean up in ircbalance file context file + Changes to the irqbalance policy module + Tab clean up in iscsi file context file + Changes to 
the iscsi policy module + Tab clean up in jabber file context file + Changes to the jabberd policy module + Changes to the pyicqt policy module + Tab clean up in java file context file + Changes to the java policy module + Changes to the dbus policy module + Changes to the gnome policy module + Changes to the apache policy module + Changes to the accountsd policy module + Changes to the alsa policy module + Changes to the evolution policy module + Changes to the bluetooth policy module + Changes to the games policy module + Changes to the gift policy module + Changes to the gpg policy module + Changes to the hadoop policy module + Tab clean up in kdump file context file + Changes to the kdump policy module + Changes to the gpg policy module + Changes to the dbus policy module + Changes to the evolution policy module + Changes to the gpm policy module + Version bump for evolution file context fixes by Laurent Bigonville + Version bump for nut file context fixes by Laurent Bigonville + Changes to the kdumpgui policy module + Tab clean up in kerberos file context file + Changes to the kerberos policy module and relevant dependencies + Changes to the kerneloops policy module + Tab clean up in kerberos file context file + Changes to the kismet policy module + Clean up amavis XML header + Initial keyboardd policy module + Tab clean up in ksmtuned file context file + Changes to the ksmtuned policy module + Tab clean up in ktalk file context file + Changes to the ktalk policy module + Changes to the kudzu policy module + Initial iodine policy module + Initial dirmngr policy module + Changes to the iodine policy module + Changes to the kerberos policy module + Changes to the kdumpgui policy module + Update deprecated interface calls ( gnome_read_config -> + gnome_read_generic_home_content ) + Changes to the mozilla policy module + Changes to the thunderbird policy module + Changes to the l2tp policy module + Tab clean up in ldap file context file + Changes to the ldap 
policy module + Tab clean up in likewise file context file + Changes to the likewise policy module + Tab clean up in lircd file context file + Changes to the lircd policy module + Changes to the livecd policy module + Tab clean up in loadkeys file context file + Changes to the loadkeys policy module and relevant dependencies + Tab clean up in lockdev file context file + Changes to the lockdev policy module + Tab clean up in logrotate file context file + Changes to the logrotate policy module and relevant dependencies + Tab clean up in logwatch file context file + Changes to the logrotate policy module + Changes to the logwatch policy module + Tab clean up in lpd file context file + Changes to the lpd policy module + Tab clean up in cron policy module + Changes to the lpd policy module + Changes to the consolekit policy module + Tab fix in cron policy module + Tab clean up in mailman file context file + Changes to the mailman policy module and relevant dependencies + Tab clean up in mcelog file context file + Changes to the mcelog policy module + Tab clean up in mediawiki file context file + Mediawiki XML clean up + Tab clean up in memcached file context file + Changes to the memcached policy module + Changes to the apache policy module + Tab clean up in milter file context file + Changes to the milter policy module and relevant dependencies + Changes to the modemmanager policy module + Tab clean up in mojomojo file context file + Changes to the mojomojo policy module and relevant dependencies + Changes to the gpg policy module + Changes to the mongodb policy module + Changes to the mono policy module + Changes to the monop policy module + Tab clean up in mozilla file context file + Changes to the mozilla policy module and relevant dependencies + Changes to the mozilla policy module + Changes to the apache policy module + Tab clean up in mpd file context file + Changes to the mpd policy module + Tab clean up in mplayer file context file + Changes to the evolution 
policy module + Changes to the mplayer policy module + Changes to the irc policy module + Tab clean up in mrtg file context file + Changes to the mrtg policy module + Tab clean up in mta file context file + Changes to the mta policy module and relevant dependencies + Changes to the mta policy module and relevant dependencies + Get rid of mozilla_conf_t as it is unused + Changes to the logrotate policy module + Changes to the logwatch policy module + Changes to the java policy module + Changes to the apache module and relevant dependencies + Tab clean up in munin file context file + Changes to the munin policy module and relevant dependencies + Tab clean up in mysql file context file + Changes to mysqld policy module + Changes to various policy modules + Changes to the munin policy module + Changes to the dovecot policy module + Changes to various policy modules + Changes to the mta policy module + Changes to the certmonger policy module and relavant dependencies + Tab clean up in nagios file context file + Changes to the nagios policy module and relevant dependencies + Changes to the modutils policy module + Tab cleanup in the nessus file context file + Changes to the nessus policy module + Tab clean up in the network manager file context file + Changes to the networkmanager policy module and relevant dependencies + Changes to the mozilla policy module + Changes to the cobbler policy module + Initial rngd policy module + Tab clean up in the nis file context file + Changes to the nis policy module + Tab clean up in the nscd file context file + Changes to the nscd policy module + Tab clean up in the nsd file context file + Changes to the nsd policy module + Tab clean up in the nslcd file context file + Changes to the nslcd policy module + Tab clean up in the ntop file context file + Changes to the ntop policy module + Tab clean up in the ntp file context file + Changes to the ntp policy module + Changes to the numad policy module + Tab clean up in the nut file 
context file + Changes to the nut policy module + Tab clean up in the nx file context file + Changes to the nx policy module + Changes to the oav policy module + Initial obex policy module + Tab clean up in the oddjob file context file + Tab clean up in gpg policy module + Changes to the oddjob policy module + Changes to the mozilla policy module + Initial pacemaker policy module + Tab clean up in the oidentd file context file + Changes to the oident policy module + Tab clean up in the openca file context file + Changes to the openca policy module + Tab clean up in the openct file context file + Changes to the openct policy module + Tab clean up in the openvpn file context file + Changes to the openvpn policy module + Tab clean up in the pads file context file + Changes to the pads policy module + Tab clean up in the passenger file context file + Changes to the passenger policy module and relevant dependencies + Tab clean up in the pcmcia file context file + Changes to the pcmcia policy module + Tab clean up in the pcscd file context file + Changes to the pcscd policy module and relevant dependencies + Tab clean up in the pegasus file context file + Changes to the pegasus policy module + Tab clean up in the perdition file context file + Changes to the perdition policy module + Tab clean up in the pingd file context file + Changes to the pingd policy module + Changes to the plymouthd policy module + Changes to the mozilla policy module + Changes to the plymouth policy module + Tab clean up in the podsleuth file context file + Changes to the podsleuth policy module + Tab clean up in the policykit file context file + Changes to the policykit policy module and relevant dependencies + Tab clean up in the portage file context file + Changes to the portage policy module + Tab clean up in the portmap file context file + Changes to the portmap policy module + Tab clean up in the portreserve file context file + Changes to the portreserve policy module + Tab clean up in the 
portslave file context file + Changes to the portslave policy module and relevant dependencies + Tab clean up in the postfix file context file + Changes to the postfix policy module and relevant dependencies + Fixes to various policy modules + Tab clean up in the postfixpolicyd file context file + Changes to the postfixpolicyd policy module + Tab clean up in the postgrey file context file + Changes to the postgrey policy module + Tab clean up in the ppp file context file + Changes to the ppp policy module and relevant dependencies + Tab clean up in the prelink file context file + Changes to the prelink policy module and relevant dependencies + Tab clean up in the prelude file context file + Changes to the prelude policy module + Tab clean up in the privoxy file context file + Changes to the privoxy policy module + Tab clean up in the procmail file context file + Changes to the procmail policy module + Tab clean up in the psad file context file + Changes to the psad policy module + Changes to the ptchown policy module + Tab clean up in the publicfile file context file + Changes to the publicfile policy module + Fix a fatal syntax error in mozilla_plugin_role() + Changes to the plymouth policy module + Changes to the policykit policy module + Module version bump for fixes in shorewall, fail2ban and portage policy + modules by Sven Vermeulen + Tab clean up in the puppet file context file + Changes to ther puppet policy module and relevant dependencies + Initial pwauth policy module + Tab clean up in the pxe file context file + Changes to the pxe policy module + Tab clean up in the pyzor file context file + Changes to the pyzor policy module + Tab clean up in the qemu file context file + Changes to the qemu policy module + Tab clean up in the virt file context file + Changes to the virt policy module and relevant depedencies + Changes to the virt policy module + Changes to the cron policy module + Changes to the qemu policy module + Changes to the virt policy module + 
Epylog wants sys_nice and setsched + Tab clean up in the qmail file context file + Changes to the qmail policy module + Tab clean up in the qpid file context file + Changes to the qpid policy module + Tab clean up in the quota file context file + Changes to the quota policy module and relevant dependencies + Initial rabbitmq policy module + Tab clean up in the radius file context file + Changes to the radius policy module + Tab clean up in the radvd file context file + Changes to the radvd policy module + Changes to the raid policy module + Tab clean up in the razor file context file + Changes to the razor policy module and relevant dependencies + Smokeping cgi needs to run ping with a domain transition Remove + redundant socket create already provided by + sysnet_dns_name_resolve() + Changes to the virt policy module + Changes to the apache policy module + Changes to the gnome policy module + Changes to the rdisc policy mpdule + Changes to the readahead policy module + Changes to the remotelogin policy module + Tab clean up in the resmgr file context file + Changes to the resmgr policy module + Tab clean up in the rgmanager file context file + Changes to the rgmanager policy module + Initial Realmd policy module and relevant dependencies + Fix resmgrd init script file context specification + Changes to the cups policy module + automount reads overcommit_memory + Changes to the networkmanager policy module + Freshclam manages amavis spool content + Changes to the tftp policy module + Changes to the cobbler policy module + Tab clean up in the rhcs file context file + Changes to the rhcs policy module and relevant dependencies + Tab clean up in the rhgb file context file + Changes to the rhgb policy module + Tab clean up in the rhsmcertd file context file + Changes to the rhsmcertd policy module + Tab clean up in the ricci file context file + Changes to the ricci policy module + Tab clean up in the rlogin file context file + Changes to the rlogin policy module + Tab 
clean up in the roundup file context file + Changes to the roundup policy module + Changes to the remotelogin policy module + Changes to the apache policy module + Changes to the awstats policy module + fix puppet_admin() need to require types that it uses + Replace wrong type in puppet_admin() + Fix a syntax error in ricci_domtrans() + Catch all rpcbind content in /var/run + Changes to the cups policy module + Tab clean up in the rpc file context file + Changes to the rpc policy module + Tab clean up in the rpcbind file context file + Changes to the rpcbind policy module + Tab clean up in the rpm file context file + Changes to the rpm policy module and depedencies + Changes to the rshd policy module + Changes to the virt policy module + Changes to the rssh policy module + Tab clean up in the rsync file context file + Fix a typo in apache XML + Changes to the rsync policy module + Changes to the rtkit policy module + Tab clean up in the rwho file context file + Changes to the rwho policy module + Reads /proc/sys/kernel/random/poolsize + Tab clean up in the samba file context file + Changes to the samba policy module and relevant dependencies + Tab clean up in the sambagui file context file + Changes to the sambagui policy module + Initial firewallgui policy module + Tab clean up in the samhain file context file + Changes to the samhain policy module + Tab clean up in the sanlock file context file + Changes to the sanlock policy module and relevant dependencies + Tab clean up in the sasl file context file + Changes to the sasl policy module + Chnages to the sblim policy module + Tab clean up in the screen file context file + Changes to the screen policy module + Tab clean up in the sectoolm file context file + Changes to firewallgui policy module + Changes to the sectoolm policy module + Tab clean up in the sendmail file context file + Changes to the sendmail policy module and relevant dependencies + Tab clean up in the setroubleshoot file context file + Changes to 
the setroubleshoot policy module + Tab clean up in the shorewall file context file + Changes to the shorewall policy module + Tab clean up in the shutdown file context file + Changes to the shutdown policy module and relevant dependencies + Tab clean up in the slocate file context file + Changes to the slocate policy module and relevant dependencies + These domains transition to shutdown domain now so they no longer need + direct access + Re-add missing network rule in screen policy module + fail2ban server sets scheduler + shutdown XML clean up + libvirtd sets kernel scheduler + mongod reads cpuinfo_max_freq + Changes to the slrnpull policy module + Tab clean up in the smartmon file context file + Changes to the smartmon policy module + Tab clean up in the smokeping file context file + Changes to the smokeping policy module + Tab clean up in the smoltclient file context file + Changes to the smoltclient policy module + Tab clean up in the snmp file context file + Changes to the snmp policy module + Tab clean up in the snort file context file + Changes to the snort policy module + Changes to the sosreport policy module and relevant dependencies + Tab clean up in the soundserver file context file + Changes to the soundserver policy module + Tab clean up in the spamassassin file context file + Changes to the spamassassin policy module and relevant dependendies + spamassassin_role callers create ~/.spamd with the spamd_home_t user + home type instead + Re-add sys_admin capability that was lost with porting from Fedora + Move mailscanner content to mailscanner module + Changes to the speedtouch policy module + Tab clean up in the squid file context file + Changes to the squid policy module + Changes to the sssd policy module + Tab clean up in the stunnel file context file + Changes to the stunnel policy module + Tab clean up in the sxid file context file + Changes to the sxid policy module + Tab clean up in the sysstat file context file + Changes to the sysstat policy 
module + Tab clean up in the tcpd file context file + Changes to the tcpd policy module + Changes to the tcsd policy module + Tab clean up in the telepathy file context file + Changes to the telepathy policy module + Tab clean up in the telnet file context file + Changes to the telnet policy module + Tab clean up in the tftp file context file + Changes to the tftp policy module + Tab clean up in the tgtd file context file + Changes to the tgtd policy module + Tab clean up in the thunderbird file context file + Changes to the thunderbird policy module + Catch /var/log/cron directory as well + Dovecot module version bump for fixes by Sven Vermeulen + Portage module version bump for fixes by Sven Vermeulen + Cron module version bump for fixes by Sven Vermeulen + Changes to the exim policy module + Entropyd reads /proc/meminfo + Blueman reads tmp_t directories + Do not audit attempts by cups config to read tmp_t directories + Do not audit attempts by fail2ban to read tmp_t directories + Do not audit attempts by firewalld to read tmp_t directories + Gnomeclock reads urandom and realtime clock + Kdumpctl needs sys_chroot capability + Various kdumpgui fixes from Fedora + Do not audit attempts by logwatch to read tmp_t directories + Catch all alias files + Refine aliases file transition with names + Realmd dbus chat policykit and networkmanager from Fedora + Do not audit attempts by tuned to read tmp_t directories + Changes to the timidity policy module + Tab clean up in the tmpreaper file context file + Changes to the tmpreaper policy module and relevant dependencies + Tab clean up in the tor file context file + Changes to the tor policy module + Changes to the transproxy policy module + Tab clean up in the tripwire file context file + Changes to the tripwire policy module + Tab clean up in the tuned file context file + Changes to the tuned policy module + Tab clean up in the tvtime file context file + Changes to the tvtime policy module + Changes to the tzdata policy 
module + Changes to the ucspitcp policy module + Tab clean up in the ulogd file context file + Changes to the ulogd policy module + Tab clean up in the uml file context file + Changes to the uml policy module + Make it so that irc clients can also get attributes of cifs, nfs, fuse + and other file systems + Changes to the updfstab policy module + Changes to the uptime policy module + Tab clean up in the usbmodules file context file + Changes to the usbmodule policy module + Changes to the usbmuxd policy module + Tab clean up in the userhelper file context file + Screen sends child terminated signals to all interactive fd domains + Changes to the userhelper policy module and relevant dependencies + Changes to the virt policy module + Module version bump for fail2ban changes by Sven Vermeulen + Changes to the rpm policy module + fix smartmon init script file context specification + Changes to the usernetctl policy module + Tab clean up in the uucp file context file + Changes to the uucp policy module + Changes to the virt policy module + Tab clean up in the uuid file context file + Changes to the uuidd policy module + Tab clean up in the uwimap file context file + Changes to the uwimap policy module + Tab clean up in the varnishd file context file + Changes to the varnishd policy module + Changes to the vbetool policy module + Tab clean up in the vdagent file context file + Changes to the vdagent policy module + Tab clean up in the vhostmd file context file + Changes to the vhostmd policy module + Changes to the vlock policy module + Tab clean up in the vmware file context file + Changes to the vmware policy module + Tab clean up in the vnstatd file context file + Changes to the vnstatd policy module + Tab clean up in the vpn file context file + Changes to the vpnc policy module + Tab clean up in the w3c file context file + Changes to the w3c policy module + Tab clean up in the watchdog file context file + Changes to the watchdog policy module + Changes to the wdmd 
policy module + Changes to the webadm policy modules + Changes to the webalizer policy module + White space fix in apache policy module + Changes to the wine policy module + Tab clean up in the wireshark file context file + Changes to the wireshark policy module + Tab clean up in the wm file context file + Changes to the wm policy module + Changes to the inn policy module + Move man cache file type to miscfiles + Changes to the inn policy module + More accurate dbadm boolean descriptions + mysql_admin() has access to ~/.my.cnf files + Tab clean up in the xen file context file + Changes to the xen policy module and relevant dependencies + Tab clean up in the xfs file context file + Changes to the xfs policy module + Changes to the xguest policy module and relevant dependencies + Changes to the xprint policy module + Changes to the xscreensaver policy module + Tab clean up in the yam file context file + Changes to the yam policy module + Tab clean up in the zabbix file context file + Changes to the zabbix policy module + Tab clean up in the zarafa file context file + Changes to the zarafa policy module + Tab clean up in the zebra file context file + Changes to the zebra policy module + Changes to the zosremote policy module + Changes to the mysql policy module + Tab clean up in the pulseaudio file context file + Changes to the pulseaudio policy module and relevant dependencies + Changes to the pulseaudio policy module + One chown too many + Changes to the mplayer policy module + The prelink cron script now runs in its own domain + Initial smstools policy module + Initial openvswitch policy module and relevant dependencies + Reads pcsd pid files + Reads random device + winbind manages smbd pid sock files from Fedora + Changes to the bind policy module + CG rules daemon reads all sysctls + Runs consoletype and searches nfs state data from Fedora + Support munin unbound plugin from Fedora + Zabbix sends signals from Fedora + Blueman sets scheduler and sends signals from 
Fedora + pcscd_read_pub_files is deprecated, use pcscd_read_pid_files instead + Module version bumps for fixes in portage and virt modules by Sven + Vermeulen + Policy module version bumps for various changes by Sven Vermeulen + Changes to the openvpn policy module + Module version bumps for various fixes by Sven Vermeulen + Changes to the mandb policy module + Changes to the tmpreaper policy module + Changes to the munin policy module + Changes to the rngd policy module + Changes to the awstats policy module and relevant dependencies + Changes to the apache policy module + Changes to various policy modules + Changes to the abrt policy module + Changes to the passenger policy module and relevant depedencies + Changes to the pegagus policy module + Changes to the mta policy module + Changes to the fetchmail policy module + Changes to the bitlbee policy module + Changes to the blueman policy module and relevant dependencies + Changes to the amavis policy module + Changes to the userhelper policy module + Changes to the blueman policy module + Changes to the squid policy module + Changes to the sblim policy module + Changes to the kdumpgui policy module + Changes to the mailman policy module + Changes to the realmd policy module + Changes to the raid policy module + Changes to the samba policy module + Changes to the various policy modules + Changes to the snmp policy module + Changes to the spamassassin policy module + Changes to the sssd policy module + Changes to the l2tpd policy module + Changes to the shorewall policy module + Changes to the xen policy module + Changes to the tftp policy modules + Changes to the accountsd policy module + Changes to the tgtd policy module + Changes to the corosync policy module + Changes to the kdump policy module + Changes to the openvswitch policy module + Changes to the mpd policy module + Changes to the mozilla policy module + Changes to the zarafa policy module + Changes to the boinc policy module + Changes to the 
setroubleshoot policy module + Changes to the dspam policy module + Changes to the rgrmanager policy module and relevant dependencies + Changes to the svnserve policy module + Changes to the virt policy module + Changes to the prelink policy module + Changes to the apache policy module + Changes to the gnomeclock policy module + Changes to various policy modules + Changes to the pegagus policy module + Changes to the shorewall policy module + Changes to the kerberos policy module + Changes to the rhcs policy module + Changes to the irc policy module + Changes to the clamav policy module + Changes to the mrtg policy module + Changes to the munin policy module + Changes to the amavis policy module + Changes to the ppp policy module + Initial jockey policy module + Module version bumps for "several named transition for directories + created in /var/run by initscripts" in various modules by Laurent + Bigonville + Module version bumps for fixes in various modules by Laurent Bigonville + Module version bump for changes to the consolekit policy module by + Laurent Bigonville + Changes to the stunnel policy module + Module version bumps for fixes in various modules by Sven Vermeulen + Changes to the virt policy module + Changes to the apache policy module + Changes to the wm policy module + Changes to the samba policy module + Changes to the certmonger policy module + Changes to the mozilla policy module + Changes to the corosync policy module + Changes to the pacemaker policy module + Changes to the tuned policy module + Changes to the cups module and relevant dependencies + Changes to the rhsmcertd policy module + Changes to the lpd policy module + Changes to the munin policy module + Changes to the ntp policy module + Changes to the tor policy module + Changes to the firewalld policy module + Changes to the dspam policy module + Changes to the setroubleshoot policy module + Changes to the condor policy module + Changes to the kerberos policy module + Changes to the 
passenger policy module + Changes to the ppp policy module + Changes to the the dkim policy module + Changes to the abrt policy module + Changes to the lircd policy module + Changes to the dkim policy module + Changes to the virt policy module + Changes to the munin policy module + Changes to the dovecot policy module + Changes to the cobbler policy module + Changes to the userhelper policy module + Changes to the logwatch policy module + Changes to the wdmd policy module and relevant dependencies + Changes to the nscd policy module and relevant dependencies + Changes to the dbus policy module + Module version bumps for fixes in various policy modules by Laurent + Bigonville + Changes to the cups policy module + Changes to the dbus policy module + Changes to the apcupsd policy module + Remove redundant net_bind_service capabilities in various modules + Changes to the virt policy module + Changes to the puppet policy module + Module version bumps for fixes in various policy module by Sven + Vermeulen + Module version bumps for file context fixes in various policy modules by + Laurent Bigonville + Make httpd_manage_all_user_content() do what it advertises + Add more networking rules to mplayer policy module for compatibility + Fix fcronsighup file context. 
Should be crontab_exec_t as per previous + spec + Module version bumps for changes in various modules by Sven Vermeulen + Move asterisk_exec() and modify XML header + Consolekit creates /var/run/console directories with a type transition + unconditionally + Module version bump in consolekit policy module for changes by Sven + Vermeulen + The imaplogin executable file should be courier_pop_exec_t according to + existing file context specification + Module version bump for changes to the fail2ban policy module by Sven + Vermeulen + Modules version bumps for changes in various policy modules by Sven + Vermeulen + +Laurent Bigonville (28): + Add Debian locations for Telepathy connection managers + Label telepathy-rakia as telepathy-sofiasip + Allow smartd daemon to write in /var/lib/smartmontools directory + Add Debian location for smartd daemon initscript + Add Debian location for accounts-daemon daemon + Add Debian location for rtkit-daemon daemon + Add Debian location for tcsd init script + Add Debian location for libvirtd init script + Add Debian location for evolution executables + Add Debian locationis for nut executables and configuration files + Add several named transition for directories created in /var/run by + initscripts + Run packagekit under apt_t context on Debian distribution + Add proper label for colord daemon in debian + Allow the system dbus to search cgroup directories + Allow virtd_t context to read sysctl_crypto_t + Allow colord_t context to read sysctl_crypto_t + Add proper label for gconfd-2 daemon in Debian + Ensure that consolekit can create /var/run/console directory on Debian + Properly label nm-dispatcher.action on Debian + policykit.fc: Properly label polkit-agent-helper-1 on Debian + cups.fc: Properly label cups-pk-helper-mechanism on Debian + Allow pcscd the fsetid capability + Allow networkmanager_t to read crypto_sysctl_t + Allow virsh_t context to read sysctl_crypto_t + Allow cupsd_t to read cupsd_log_t + gnomeclock.fc: Properly 
label gsd-datetime-mechanism in Debian + ptchown.fc: Properly label pt_chown executable in Debian + Label /usr/bin/kvm as qemu_exec_t + +Matthew Thode (2): + added autofs support and nsswitch support + removing refrences to named_var_lib_t as it doesn't exist anymore for + bind.if + +Mika Pflüger (3): + Allow saslauthd_t to talk to mysqld via TCP + Quota policy adjustments: * Allow quota_t to load kernel modules + Debian locations for dovecot deliver and dovecot auth. + +Russell Coker (1): + Fix djbdns ports + +Sven Vermeulen (75): + Update with new substitutions + Mark the pid directory as a pid directory + Add in transitions for queue types when the queues are created + Fix typo in interface postfix_exec_postqueue + Allow maildelivery to use dotlock files in the mail spool + Allow postfix local to change ownership of mailfiles + Use libexec location for postfix binaries + Allow initrc_t to create run dirs for contrib modules + Update logwatch location in file context + Sandbox is an inherent part of the portage inner workings + Fix startup issue with fail2ban-client + Be able to get output from fail2ban-client + Ignore searches when ran from the user home directory + Shorewall admins execute shorewall too + Shorewall needs sys_admin capability for manipulating network stack + Be able to display dovecot errors + Remove transition to ldconfig + Adding interfaces for handling cron log files + Fail2ban client checks state of log files before telling the server + Support mysql init script + Support initial creation of mysql database files + Portage fetch domain needs to access certificates + Make samba domtrans optional in virt + Fix typo in tunable declaration for fcron_crond + Introducing cron_manage_log_files interface + Introduce dontaudit interfaces for leaked fd and unix stream sockets + Dontaudit attempts by system_mail_t to use leaked fd or stream sockets + Support at service + Additional postfix admin requirements + Reintroduce postfix_var_run_t for pid 
directory and fowner capability + Postfix deferred queue should not mark mails as postfix_spool_maildrop_t + Running qemu with SDL support requires more xserver-related privileges + Fix typo in clockspeed comment + Support openvpn status file + Asterisk voicemail messages are generated from tmp + Make rtkit calls optional + Gentoo installs dovecot certs in /etc/ssl/dovecot + Moving sandbox code to sandbox section (v2) + Allow sandbox to log violations + Use rw_fifo_file_perms + Apache should not depend on gpg + Named init script creates rundir + Add ~/.maildir as a valid maildir destination + Support stunnel_read_config for startup + Updates on stunnel policy + More .maildir fixes + Mark make.profile entry as portage_conf_t (v2) + Move mta call (coding style) + Changes to puppet domain + Allow rpc admin to run exportfs + Grant sys_admin capability to puppet + Puppet module helper scripts are puppet_var_lib_t + Support netlink_route_socket creation for puppet + Puppet initscript creates /run/puppet + Puppet runs statfs against selinuxfs + mplayer streams HTTP resources + fcron and fcronsighup binaries are moved + Asterisk needs to search through logs + Denial in mail log on node bind + Fix typo in mcelog_admin (missing bracket) + Add in contexts for fcron rm.systab and systab.tmp + Remove pulseaudio filename_trans conflict + Allow asterisk admins to execute asterisk binary directly + Support tagfiles for consolekit + ConsoleKit needs to read the dbus machine-id + File context updates for courier-imap + Update on file contexts for OpenLDAP + Update on file contexts for wpa_supplicant + Allow IRC clients to read certificates + Allow reading /proc/self for fail2ban due to FAM support + Update file contexts for puppet + Support ~/.tmux.conf as tmux configuration file + Add setuid/setgid capability to ulogd_t + Support tmux control socket + Postfix creates defer(red) queue locations + |
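Review bot: most of the added entries read only "Changes to the <module> policy module" or "Changes to various policy modules", so this changelog cannot be used to tell a cosmetic edit from a new grant. Entries such as "Grant sys_admin capability to puppet", "Shorewall needs sys_admin capability for manipulating network stack" and "Allow pcscd the fsetid capability" show the level of detail an auditor needs. If the file is generated from commit subjects, consider carrying the commit id next to each generic entry so the actual rule change can be looked up. Two smaller points in the same block: module names misspelled in subjects ("pegagus", "rgrmanager", "rdisc policy mpdule") will be missed by anyone searching the changelog for the module name, and the entry "Quota policy adjustments: * Allow quota_t to load kernel modules" looks like a bulleted commit body folded into its subject line. Granting a domain permission to load kernel modules deserves a line of its own.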