Diffstat (limited to 'policy/modules/contrib/Changelog')
-rw-r--r-- | policy/modules/contrib/Changelog | 2210 |
1 files changed, 0 insertions, 2210 deletions
diff --git a/policy/modules/contrib/Changelog b/policy/modules/contrib/Changelog deleted file mode 100644 index 1596ba777..000000000 --- a/policy/modules/contrib/Changelog +++ /dev/null 
@@ -1,2210 +0,0 @@ -* Sun Jan 14 2018 Chris PeBenito <pebenito@ieee.org> - 2.20180114 -Chad Hanson (1): - Allow rpm to relabel files at all levels - -Chris PeBenito (46): - Remove deprecated interfaces more than one year old. - Remove complement and wildcard in allow rules. - Merge branch 'master' of git://github.com/teg/refpolicy-contrib - dbus: Module version bump for dbus-broker patch from Tom Gundersen. - Module version bump for patches from Guido Trentalancia. - Module version bumps for patches from David Sugar. - dhcp, logrotate: Module version bump. - Module version bumps for chkrootkit, dkim, dmidecode, portage, and - rkhunter. - Module version bumps. - spamassassin: Move lines. - mandb, spamassassin: Module version bumps. - spamassassin: Fix build error. - spamassassin: Add missing requirement in spamassassin_admin(). - dphysswapfile: Module version bump. - gpg, pulseaudio, rpc: Module version bump. - dnsmasq, gnome, mon, mta, openoffice, pulseaudio, wm: Version bumps. - Revert "postfix: Some table drivers (notably cdb) need to mmap() their - databases" - java, mozilla, mta, postfix: Module version bump. - portage: Fix usr_t map interface usage. - apache, portage: Module version bump. - dbus, policykit, wm: Module version bump. - dbus: Add comment. - Merge branch 'nm_audit' of git://github.com/bigon/refpolicy-contrib - networkmanager: Module version bump. - virt: Move a line. - alsa, mon, virt: Module version bump. - gpg, mozilla, rpc: Module version bump. - Several module version bumps. - blueman, evolution, gpg, mozilla, openoffice, thunderbird, wireshark, wm: - Module version bump. - wm: Module version bump. - networkmanager: Move line. - networkmanager: Module version bump. - Merge branch 'pkcs' of https://github.com/dodys/refpolicy-contrib - pkcs: Rename pkcs_slotd_unit_file_t. - pkcs: Module version bump. - accountsd, policykit: Module version bump. - dbus, devicekit, modemmanager, networkmanager, virt: Module version bump. 
- modemmanager: Move lines. - rpm: Module version bump. - cachefilesd, dbus, dirmngr, gnome, gpg, pulseaudio: Module version bump. - Replace deprecated mmap perm sets and pattern usage. - gssproxy: Module version bump. - monit: Module version bump. - apache, dkim, monit: Module version bump. - spamassassin: Module version bump. - Bump module versions for release. - -Christian Göttsche (20): - dkim: align filecontexts - dkim: update - milter: align filecontexts - apache: align filecontexts - dmidecode: use userdom_use_inherited_user_terminals - spamassassin: align filecontexts - chkrootkit: update - rkhunter: add several missing permission - fakehwclock: update - milter: update - mandb: fixes for systemd timer and /usr/local/man label - spamassassin: update - dphysswapfile: fix swapfile creation - apache: update - monit: update - dkim: align file contexts - dkim: update - apache: update - monit: read /usr/share/ca-certificates for cert verification - spamassassin: fix missing perms - -Daniel Jurgens (1): - networkmanager: Grant access to unlabeled PKeys - -David Sugar (5): - mon: move rpc_* into optional - wm: consolidate networkmanger interface calls into single optional - cron: optional_policy for mta_* interfaces - Label /usr/bin/mutter - Allow to read /proc/sys/crypto/fips_enabled - -Eduardo Barretto (2): - Update pkcs policy to include pkccsslotd.service - Update missing permissions for pkcs - -Guido Trentalancia (13): - libmtp: read symlinks in user home directories - spamassassin: update rules for the Bayesian classifier trainer - wm: let gnome-shell start properly - gnome: keyring daemon dbus policy update - gnome: keyring daemon read SELinux config - openoffice: improve temporary directories' operations - pulseaudio: general update - wm: gnome-shell SELinux integration - mozilla: run Java Web Start applications - wm: run PolicyKit - dbus: read user home content files - mozilla: read generic SSL certificates - contrib: use the new SSL private keys type (was: 
"let the mozilla and - other domains read generic SSL certificates") - -Jason Zaman (12): - cgmanager: Apply auth_use_nsswitch interface - alsa: needs to map its tmpfs files - virt: add policy for virtlogd - virt: updated perms for starting guests - gssproxy: add policy - rpc: Allow stream connect to gssproxy - gpg: search dir when connecting to agent socket - dirmngr: allow filetrans in gpg_runtime_t - gpg: Add gpg_agent_use_card boolean for OpenPGP cards - cachefilesd: make cachefilesd_cache_t a mountpoint - Set user_runtime_content_type for all remaining types in /run/user/%{UID}/ - gssproxy: allow writing kerberos rcache - -Jason Zaman via refpolicy (3): - pulseaudio: Add neccessary map permissions - gpg: add fcontexts for user runtime sockets - rpc: add sm-notify pid fcontext - -Laurent Bigonville (2): - Allow NetworkManager to write to audit - Call systemd_write_inherited_logind_inhibit_pipes() where needed - -Luis Ressel (12): - portage: Allow portage_t and portage_sandbox_t to access locale_t - postfix: Some table drivers (notably cdb) need to mmap() their databases - portage: Grant the map permissions neccessary for git and install - alsa: alsactl needs to map its configuration - mozilla: Add neccessary map permissions - mandb: man-db needs to map its 'index.db' cache - portage: Remove nonsensical dontaudit of an allowed permission - portage: Transition to ldconfig_t when calling ldconfig - postfix: Some table drivers (notably cdb) need to mmap() their databases - postfix: Silence cap_dac_read_search denials - portage: Grant portage the map permission on usr_t - Allow gtk apps to map usr_t files - -Nicolas Iooss (2): - dbus: move comments out of the file context definitions - logrotate: allow systemd to start logrotate - -Russell Coker (3): - udev and dhcpd - minor nspawn, dnsmasq, and mon patches - refpolicy and certs - -Tom Gundersen (1): - dbus: add policy for dbus-broker - -* Sat Aug 05 2017 Chris PeBenito <pebenito@ieee.org> - 2.20170805 -Chris 
PeBenito (82): - Create / to /usr equivalence for bin, sbin, and lib, from Russell Coker. - Module version bump for usrmerge FC fixes from Jason Zaman. - mon policy from Russell Coker. - Module version bump for cups patches from Guido Trentalancia. - Module version bump for tbird and mozilla printing from Guido - Trentalancia. - Revert "cups/lpd: read permission for cupsd_var_run_t socket files" - Module version bump for cups revert. - Sort capabilities permissions from Russell Coker. - Little misc patch from Russell Coker. - mon: Fix deprecated interface usage. - dpkg: Updates from Russell Coker. - Monit policy from Russell Coker and cgzones. - monit: Fix build error. - fetchmail, mysql, tor: Misc fixes from Russell Coker. - Merge branch 'alsa_module' of git://github.com/cgzones/refpolicy-contrib - Merge branch 'vnstat_module' of git://github.com/cgzones/refpolicy-contrib - Module version bump for alsa and vnstatd fixes from cgzones. - Merge branch 'ntp_module' of git://github.com/cgzones/refpolicy-contrib - Module version bump for ntp fixes from cgzones. - samba: A few line moves. - Module version bump for samba patch from Russell Coker. - Systemd fixes from Russell Coker. - Xen fixes from Russell Coker. - mailman: Fixes from Russell Coker. - MTA fixes from Russell Coker. - Network daemon patches from Russell Coker. - apache: Fix CI error. - Merge branch 'modutils_adapt_interfaces' of - git://github.com/cgzones/refpolicy-contrib - Merge branch 'corecmd_read_bin_symlinks' of - git://github.com/cgzones/refpolicy-contrib - Module version bumps for fixes from cgzones. - Merge branch 'mandb' of git://github.com/cgzones/refpolicy-contrib - Merge branch 'dphysswapfile' of git://github.com/cgzones/refpolicy-contrib - Module version bump for dphysswapfile and mandb fixes from cgzones. 
- Merge branch 'var_run_filecontext' of - git://github.com/cgzones/refpolicy-contrib - Merge branch 'vnstatd' of git://github.com/cgzones/refpolicy-contrib - Module version bump for fixes from cgzones. - dontaudit net_admin for SO_SNDBUFFORCE - /var/run -> /run again - Merge branch 'monit' of git://github.com/cgzones/refpolicy-contrib - Module version bump for monit patch from cgzones. - systemd-resolvd, sessions, and tmpfiles take2 - Misc fc changes from Russell Coker. - Systemd-related changes from Russell Coker. - networkmanager: adjust interface docs format. - wm: interface docs adjustment. - Module version bump for misc fixes from Guido Trentalancia. - systemd init from Russell Coker - misc daemons from Russell Coker. - logging patches from Russell Coker - kmod, lvm, brctl patches from Russell Coker - devicekit, mount, xserver, and selinuxutil from Russell Coker - some userdomain patches from Russell Coker - Module version bump for gnome fix from Guido Trentalancia. - apache: Move blocks. No rule changes. - Module version bump for changes from Sven Vermeulen and Guido - Trentalancia. - login take 4 from Russell Coker. - Rename apm to acpi from Russell Coker. - Module version bump for patches from Russell Coker. - some little misc things from Russell Coker. - apt/dpkg strict patches from Russell Coker. - Module version bump for minor fixes from Guido Trentalancia. - Merge branch 'usr_bin_fc' of - git://github.com/fishilico/selinux-refpolicy-contrib - Module version bump for /usr/bin fc fixes from Nicolas Iooss. - Module version bump for chronyd changes from Luis Ressel. - openoffice: Move ooffice_rw_tmp_files() implementation. - Module version bump for openoffice fix from Guido Trentalancia. - libmtp: move lines - Module version bump for fixes from Guido Trentalancia. - Module version bump for mmap fixes from Stephen Smalley. - Module version bump for misc patches from Guido Trentalancia. - gpg: Fix overspecified dependencies in gpg_agent_tmp_filetrans. 
- dirmngr: Whitespace fixes. - Module version bumps for patches from Jason Zaman. - cgmanager: Move lines - Module version bumps for patches from Jason Zaman. - gpg: Module version bump for patch from Guido Trentalancia. - mozilla: Module version bump for patch from Luis Ressel. - rkhunter: Fix module version and move lines. - Module version bump for patches from cgzones. - chkrootkit: Fix module version. - Module version bump for patches from cgzones. - Bump module versions for release. - -Guido Trentalancia (28): - cups: read permission for cupsd_var_run_t socket files in - cups_stream_connect() - cups/lpd: read permission for cupsd_var_run_t socket files - thunderbird: allow stream connections to cups so that it can print - mozilla: allow stream connections to cups so that it can print - java: enable interactive use - evolution: add dbus acquire service permission - evolution: do not audit kernel read state - evolution: add some critical permissions - mozilla: read hardware state information - mozilla: add a permission - wm: load the NetworkManager applet - wm: interactive start - Gnome and Evolution dbus chat permissions - openoffice: support starting it from the window manager - evolution: minor fixes and updates - java: error messages terminal printout - loadkeys: use init fds (system bootup) - plymouth: pid interface usability - shutdown: send msg to syslog - openoffice: open files retrieved using mozilla - contrib: new libmtp module - openoffice: minor update - gnome: improved integration with openoffice - cups: let hplip read udev pid files - dbus: let session bus daemon manage user runtime dirs - zabbix: Grant zabbix_agent_t to call setrlimit on self - ntp: fix the drift file context and transition - gpg: manage user runtime socket files and directories - -Jason Zaman (12): - usrmerge: Add missed /usr fcontexts - java: update fcontexts for new versions of icedtea - dirmngr: add to roles and allow gpg to domtrans - gpg dirmngr: create and connect to socket 
- dirmngr: fcontext for ~/.gnupg/crls.d/ - dirmngr: Network rules to connect to keyserver - cgmanager: add policy from gentoo - consolekit: Add support for consolekit2 - consolekit: allow purging tmp - consolekit: introduce consolekit_use_inhibit_lock interface - dbus: use consolekit inhibit locks - networkmanager: use consolekit inhibit locks - -Luis Ressel (3): - chronyd: Re-align fc file - chronyd: Allow init scripts to create /run/chrony - mozilla: Add fc for the files used by the firefox addon "vimperator" - -Nicolas Iooss (1): - Support systems with a single /usr/bin directory - -Russell Coker (1): - patch for samba - -Stephen Smalley (1): - contrib: allow map permission where needed - -Sven Vermeulen (1): - rpc_* interfaces should be wrapped by optional_policy() - -cgzones (16): - update ntp module - update alsa module - vnstatd: update module - corecmd_read_bin_symlinks(): remove deprecated and redundant calls - modutils: adopt calls to new interfaces - vnstatd: update - dphysswapfile: update - monit: update - mandb: update - logrotate: reload monit after log rotation - remove /var/run file context lefovers, add dbus exception - monit: add syslog access and support for monit systemd service - rkhunter: add policy module - arpwatch: align file contexts - chkrootkit: add policy module - arpwatch: update - -* Sat Feb 04 2017 Chris PeBenito <pebenito@ieee.org> - 2.20170204 -Chris PeBenito (41): - Module version bump for patches from Jason Zaman. - authbind: Remove dead policy. - Module version bump for cups patch from Guido Trentalancia. - Merge pull request #29 from cgzones/deprecated_macros - Module version bump for Debian fprintd fc entry from Laurent Bigonville. - Module version bumps for openoffice patches from Guido Trentalancia. - Module version bumps for patches from Guido Trentalancia. - Merge pull request #30 from cgzones/trailing_whitespaces - Module version bumps for mozilla and gpg patches from Luis Ressel. 
- Module version bump for patches from Guido Trentalancia. - Module version bump for patches from Guido Trentalancia. - rtkit, wm: Remove calls to nonexistant interfaces. - Module version bumps for patches from Guido Trentalancia. - rtkit: enable dbus chat with xdm - Module version bump for patches from Guido Trentalancia. - Module version bump for xscreensaver patch from Guido Trentalancia. - Merge branch 'run_transition' of - git://github.com/cgzones/refpolicy-contrib - Module version bumps for /run fc changes from cgzones. - Module version bump for openoffice and wm patches from Guido Trentalancia. - Module version bump for patches from Guido Trentalancia. - Module version bump for wm patch from Guido Trentalancia. - Merge branch 'usr-fc' of - git://github.com/fishilico/selinux-refpolicy-contrib - Module version bump for fc updates from Nicolas Iooss. - Module version bump for patches from Guido Trentalancia. - Module version bump for capability2 fixes from Guido Trentalancia. - Module version bump for plymouth fix from Guido Trentalancia. - boinc: Update from Russell Coker. - Module version bump for mozilla update from Guido Trentalancia. - Merge pull request #47 from cgzones/dphysswap_module - Merge pull request #40 from cgzones/fakehwclock_module - Merge branch 'gpg_module' of git://github.com/cgzones/refpolicy-contrib - Merge branch 'irqbalance_module' of - git://github.com/cgzones/refpolicy-contrib - Merge branch 'loadkeys_module' of - git://github.com/cgzones/refpolicy-contrib - Module version bumps for patches from cgzones. - Merge branch 'exim_module' of git://github.com/cgzones/refpolicy-contrib - Merge branch 'screen_module' of git://github.com/cgzones/refpolicy-contrib - Module version bump for screen and exim changes from cgzones. - screen: Revert broken interface call. - cups: Move hplip_domtrans interface. - Module version bump for cups patch from Guido Trentalancia. - Bump module versions for release. 
- -Dominick Grift (1): - Re-add raid fc spec that must have been removed earlier by mistake - -Guido Trentalancia (29): - cups: descend "rw" directories when reading configuration files - Apache OpenOffice module (contrib policy part) - openoffice: rename two interfaces in openoffice and evolution - mozilla: extend dbus connection permissions - openoffice: permission to read user temporary files - xguest: restrict ability to execute files on noxattr filesystems - pulseaudio: update server and client permissions - mozilla: remove redundant pulseaudio interface calls - networkmanager: read user certs not user content (was enable - userdom_read_user_certs() throughout the policy) - Make several calls to mta interfaces optional - wm: update the window manager (wm) module and enable its role template - (v7) - rtkit: enable dbus chat with xdm - networkmanager: enable dbus chat with xdm - policykit: enable dbus chat with xdm - games: general update and improved pulseaudio integration - wm: improved integration with games - xscreensaver: update the module so that it can be effectively used - wm: properly set domain entrypoint in wm_application_domain() - openoffice: add writer support for sending email directly to multiple - recipients - contrib: use new genhomedircon template for username - contrib: extend wm ability to launch confined graphical applications - contrib: support the new interface to manage X session logs - networkmanager: dbus chat with cups - cups: add cups-browsed executable fc - devicekit: add new wake_alarm permission (capability2) - networkmanager: add new wake_alarm permission (capability2) - plymouth: use the correct running domain for the client - mozilla: execute evolution to send emails - cups: new interface to execute HPLIP applications in their own domain - -Jason Zaman (4): - pcscd: dbus and domain lookup - devicekit: fcontext for udisks2 - gnome: add gkeyring rules and fcontext - gpg: add new socket paths - -Laurent Bigonville (1): - Add 
debian path for fprintd daemon - -Luis Ressel (3): - gpg: Add filetrans for scdaemon socket and gpg-agent extra sockets - gpg.fc: Adjust whitespace - mozilla: Add miscfiles_dontaudit_setattr_fonts_cache_dirs() - -Nicolas Iooss (1): - Add file contexts for files in /usr/{lib,sbin} - -cgzones (10): - use domain_auto_transition_pattern instead of domain_auto_trans - remove trailing whitespaces - transition file contexts to /run - update loadkeys module - add fakehwclock module - add dphysswapfile module - update gpg module - update screen module - update irqbalance module - update exim module - -* Sun Oct 23 2016 Chris PeBenito <pebenito@ieee.org> - 2.20161023 -Adam Tkac (2): - varnishncsa (varnishlog_t) reads localization files - Grant certmonger "chown" capability - -Chris PeBenito (42): - Merge branch 'bigon-geoclue' - Add additional comments in geoclue. - Merge branch 'bigon-virt-1' - Merge branch 'nm-1' of git://github.com/bigon/refpolicy-contrib into - bigon-nm-1 - Merge branch 'bigon-nm-1' - Module version bump for virt and networkmanager patches from Laurent - Bigonville. - Merge branch 'master' of git://github.com/bigon/refpolicy-contrib - Module version bump for firewalld updates from Laurent Bigonville. - Module version bump for collectd update from Jason Zaman. - Module version bumps for user runtime fixes from Jason Zaman. - Boinc updates from Russell Coker. - rpcbind: Read /sys/devices/system/cpu/online from Russell Coker. - watchdog: Move line. - Module version bump for watchdog pidfile option from Russell Coker. - Systemd units from Russell Coker. - Module version bump for pulseaudio fc fix from Jason Zaman. - cpucontrol: revise cpucontrol_conf_t labeling, from Guido Trentalancia. - Module version bumps for patches from Guido Trentalancia. - Update the telepathy module: - Update the alsa module so that the alsa_etc_t file context (previously - alsa_etc_rw_t) is widened to the whole alsa share directory, instead of - just a couple of files. 
- alsa: Add compatibility alias for alsa_etc_rw_t. - Update the sysnetwork module to add some permissions needed by the dhcp - client (another separate patch makes changes to the ifconfig part). - Module version bump for various patches from Guido Trentalancia. - pulseaudio: Fix compile errors. - Merge branch 'master' of - https://github.com/SeanPlacchetti/refpolicy-contrib - Module version bump for webalizer dead type removal from Sean Placchetti. - Module version bump for Evolution SSL fix from Guido Trentalancia. - evolution: Read user certs from Guido Trentalancia. - cups: Move can_exec() line. - cups: Module version bump for hplip patch from Guido Trentalancia - pulseaudio: Move interface definitions. - Module version bump for mozilla patch from Guido Trentalancia. - Module version bump for gnome patch from Guido Trentalancia. - Module version bump for evolution patch from Guido Trentalancia. - gpg: Whitespace fix. - Merge branch 'feature/fix-networkmanager-varrun-macro' of - https://github.com/rfkrocktk/refpolicy-contrib - Module version bump for networkmanager fix from Naftuli Tzvi Kay. - Merge branch 'rfkrocktk-feature/syncthing' - Rearrange lines in syncthing. - webalizer: Rearrange a couple lines. - Module version bump for webalizer patch from Russell Coker. - Bump module versions for release. - -Dominick Grift (18): - Module version bump for changes to the geoclue module by Laurent - Bigonville. - Module version bump for changes to various modules from Laurent - Bigonville. 
- geoclue: move kernel interface call to the appropriate position - Actually associate mailmain_domain attribute with mailman domains - Module version bumps for changes to various modules by Nicolas Iooss - Module version bump for changes to the cron module by Jason Zaman - Module version bump for changes to the redis module by Grant Ridder - Module version bump for changes to the raid module by Laurent Bigonville - Module version bump for changes to the networkmanager module by Laurent - Bigonville. - Module version bump for changes to the redis module by Grant Ridder. - Module version bump for changes to the mozilla module by Laurent - Bigonville. - Module version bump for changes to the geoclue module by Nicolas Iooss. - Add hwloc-dump-hwdata SELinux policy - Module version bump for changes to the varnishd module by Robert Moucha - Module version bump for changes to the puppet module by Thomas Mueller - Module version bump for changes to the varnishd module by Adam Tkac - Module version bump for changes to the certmonger module by Adam Tkac - Revert "dbus: allow system, and session bus clients to answer to dbus - unconfined domains" - -Grant Ridder (2): - Add read/write perms for redis-sentinel - Allow tcp_connect to redis_port_t for redis_t - -Guido Trentalancia (7): - Policykit module: add fs_getattr_xattr_fs() - Update the policy for module apm - Let gpg disable core dumps - Update the rtkit module - Update the pulseaudio module for usability and ORC support - cups: update permissions for HP printers (load firmware) - gpg: public key signature verification in evolution - -Guido Trentalancia via refpolicy (3): - evolution: read SSL certificates - mozilla: let mozilla play audio - gnome: add support for the OIL Runtime Compiler (ORC) optimized code - execution - -Jason Zaman (10): - cron: Allow locks to be lnk_files - collectd: update policy for 5.5 - consolekit: allow managing user runtime - pulseaudio: fcontext and filetrans for runtime - ftp: Add filetrans 
from user_runtime - gnome: Add filetrans from user_runtime - mplayer: Add filetrans from user_runtime - userhelper: Add filetrans from user_runtime - wm: Add filetrans from user_runtime - pulseaudio: fix user runtime fcontext - -Laurent Bigonville (13): - Add initial geoclue 2 module - Properly escape dot in the path to the geoclue daemon - Use auth_use_nsswitch() as we need DNS resolving and access nsswitch.conf - virt.fc: Add some debian contexts - networkmanager.fc: nm-dispatcher.action has been renamed to nm-dispatcher - Allow some domain to read sysctl_vm_overcommit_t - Allow mdadm read efivarfs files - Allow /var/run/firewalld/ directory to transition to firewalld_var_run_t - Add an interface to allow a domain to read firewalld_var_run_t files - Allow firewalld to create firewalld_var_run_t directory. - dontaudit firewalld attempt to relabel its own config files - Allow NM to execute arping - Debian now ships firefox-esr, properly label the executable - -Luis Ressel (1): - New policy for tboot utilities - -Naftuli Tzvi Kay (2): - Fix NetworkManager Read Pid Files Macro - Syncthing Policy - -Nicolas Iooss (3): - Describe _initrc_domtrans interfaces differently from the _domtrans ones - Fix typos in several interfaces - Add Arch Linux path for geoclue module - -Robert Moucha (1): - Fix trivial typo in varnishncsa name - -Russell Coker (2): - watchdog reads pid files - named reads vm sysctls - -Russell Coker via refpolicy (1): - webalizer patch for inclusion - -Sean Placchetti (1): - -Remove unused declarations from webalizer type enforcement file - -Thomas Mueller (1): - Allow puppet_t transtition to shorewall_t - -doverride (3): - Merge pull request #8 from bigon/geoclue - Merge pull request #11 from bigon/overcommit-1 - Merge pull request #12 from fishilico/typos - -* Tue Dec 08 2015 Chris PeBenito <selinux@tresys.com> - 2.20151208 -Alexander Wetzel (1): - add vfio support for libvirt - -Chas Williams - CONTRACTOR (1): - afs: update labels, file contexts and 
allow access to urandom - -Chris PeBenito (14): - Module version bump for hadoop_admin() fix from Jazon Zaman. - Module version bump for fc typo in radius from Sven Vermeulen. - Module version bump for patches from Jason Zaman. - Module version bump for init_startstop_service from Jason Zaman. - Module version bump for cron_admin interface from Jason Zaman. - Comment/whitespace fix in virt.te. - Module version bump for vfio support for libvirt from Alexander Wetzel. - Add systemd unit types. - Add systemd socket activations. - Merge branch 'pebenito-master' - Module version bump for systemd additions. - Merge branch 'bigon-systemd' - Module version bump for dbus systemd patch from Laurent Bigonville. - Bump module versions for release. - -Dominick Grift (16): - Module version bump for courier fixes from Sven Vermeulen. - Module version bump for afs fixes from Chas Williams. - Redundant rules and afs_files_t is not a filesystem type - Various samhain fixes - Cachefilesd module updates - Module version bump for changes to the dnsmasq policy module by Jason - Zaman - Module version bump for changes to the snmp policy module by Jason Zaman - Module version bump for changes to the pulseaudio policy module by Jason - Zaman - cachefiles: It is cachefilesd_cache_t - Module version bump for update to the networkmanager policy module by - Stephen Smalley. - Module version bumps for "Remove run interface calls from admin - interfaces" changes by Jason Zaman. - Module version bump for changes to the pulseaudio module by Niklas Haas. - Changes to the git, hadoop and rsync modules by Jason Zaman. - Module version bump for changes to the virt module by Jason Zaman - Module version bump for changes to the mozilla module from Laurent - Bigonville. 
- Module version bump for changes to the wine module by Nicolas Iooss - -Jason Zaman (19): - hadoop: remove _role from _admin interface - rpcbind: typo fix - git: make inetd interface optional - rpc: introduce allow_gssd_write_tmp boolean - rpc: allow setgid capability - virt: add virt_tmpfs_t type and permissions - introduce virt_leaseshelper_t - dnsmasq: allow exec shell for scripts - snmp: missing fcontext for snmpd - pulseaudio: filetrans for autospawn.lock - Use init_startstop_service in admin interfaces A-M - Use init_startstop_service in admin interfaces N-Z - Remove _run() interfaces from _admin() - Introduce cron_admin interface - rsync: remove rsync_run from admin interface - git: allow git_system_t to listen on tcp_sockets - hadoop: init_startstop_service() can not take attributes - virt: Allow creating qemu guest agent socket - virt: Add policy for virtlockd the Virtual machine lock manager - -Laurent Bigonville (2): - Transition D-Bus system service out of the init_t domain when PID1 is - systemd - Label iceweasel plugin-container executable as mozilla_plugin_exec_t - -Nicolas Iooss (1): - wine: remove use of nonexisting interface - -Niklas Haas (1): - pulse: don't give pulseaudio_client full access to user_home_t - -Stephen Smalley (1): - contrib: networkmanager: allow netlink_generic_socket access - -Sven Vermeulen (6): - Locate authdaemon socket and communicate with authdaemon - Allow authdaemon to access selinux fs to check SELinux state - Grant setuid/setgid to courier_pop_t - Execute courier helper script after authentication - Courier IMAP needs to manage the users' maildir - Fix typo for radiusd /var/lib location - -doverride (2): - Merge pull request #3 from haasn/pulse-nohome - Merge pull request #6 from bigon/mozilla-1 - -* Wed Dec 03 2014 Chris PeBenito <selinux@tresys.com> - 2.20141203 -Chris PeBenito (26): - Whitespace fix in ntp.fc. - Module version bump for ntp fc entries from Laurent Bigonville. - Whitespace fix in shibboleth.te. 
- Module version bump for new shibboleth module from Martin Lang. - Module version bump for apt fix from Nicolas Iooss. - Module version bump for dnsmasq MTU fix from Sven Vermeulen. - Module version bump for apache content interfaces from Sven Vermeulen. - Module version bump for gitweb fc entry on Debian and ArchLinux from - Nicolas Iooss. - Module version bump for fc regex fixes from Nicolas Iooss. - Module version bump for various fixes from Laurent Bigonville. - Module version bump for ModemManager fc entry from Laurent Bigonville. - Add missing cron_admin_role() dependency. - Move sock_file filetrans to fcron_crond conditional. - Module version bump for cron and snort updates from Sven Vermeulen. - Module version bump for java icedtea fc entries from Sven Vermeulen. - Module version bump for apache/mlogc patch from Elia Pinto. - Remove name from ntp-kod ntp_drift_t filetrans. - Module version bump for ntp-kod file support from Jason Zaman. - Module version bump for init_daemon_pid_file use from Sven Vermeulen. - Module version bump for alsa and hiawatha fixes from Sven Vermeulen. - Module version bump for ftp and tftp fixes from Nicolas Iooss. - Move irc exec lines. - Module version bump for irc re-exec itself patch from Luis Ressel. - Module version bump for NetworkManager fc fix for ArchLinux from Nicolas - Iooss. - Module version bump for _admin fixes from Jason Zaman. - Bump module versions for release. 
- -Dominick Grift (3): - Module version bump for changes to the loadkeys module by Nicolas Iooss - cron: that boolean identifier does not exist also require it - Module version bump for changes to the networkmanager modules by Lubomir - Rintel - -Elia Pinto (1): - apache.te: Add labelling support for /var/log/mlogc - -Jason Zaman (20): - Add filetrans for ntp-kod file - ccs: syntax errors in ccs_admin interface - condor: syntax error in condor_admin - distcc: syntax error in distcc_admin - ftp: syntax error in ftp_admin - kerberos: syntax error in kerberos_admin - kismet: syntax error in kismet_admin - nut: syntax error in nut_admin - prelude: syntax error in prelude_admin - psad: syntax error in psad_admin - quota: syntax error in quota_admin - rpcbind: syntax error in rpcbind_admin - rpm: syntax error in rpm_admin - systemtap: syntax error in stapserver_admin - svnserve: syntax error in svnserve_admin - uptime: syntax error in uptime_admin - zabbix: syntax error in zabbix_admin - remove pyzor_role() from pyzor_admin() - remove spamassassin_role() from spamassassin_admin() - rsync: syntax error in rsync_admin - -Laurent Bigonville (7): - Add several fcontext for debian specific paths for ntp - Fix dbus_all_session_domain(), session_bus_type is an attribute - Allow gconfd to be started by the session bus - Fix the usage of dbus_spec_session_domain() interface - Properly label exim4 initscript under Debian - Add new gnome_spec_domtrans_all_gkeyringd() interface - Label /usr/sbin/ModemManager as modemmanager_exec_t - -Lubomir Rintel (1): - Allow NetworkManager to create Bluetooth SDP sockets - -Luis Ressel (1): - irc.te: Allow irssi to re-execute itself - -Martin Lang (1): - Add a policy module for shibboleth authentication - -Nicolas Iooss (7): - apt: remove non-existing permission set write_dir_perms - Label /usr/share/gitweb/static as httpd_git_content_t - Fix strange file patterns - ftp: fix labels in /var/lock/subsys/ - Label /usr/bin/tftpd as tftpd_exec_t - 
Label /usr/lib/networkmanager/ like /usr/lib/NetworkManager/ - Allow loadkeys to read usr_t files - -Sven Vermeulen (17): - dnsmasq reads MTU sysctl - Support read/append/manage functions for various httpd content - Snort policy updates - fcron socket support - Fix typo in dnsmasq.if - Mark icedtea binaries as java_exec_t - Use init_daemon_pid_file for contrib modules - Enable asound.state.lock support - Add support for Hiawatha web server - Use logging_search_logs, not logging_search_log - Use logging_search_logs, not logging_search_log - Use files_search_etc, not logging_search_etc - Use files_search_etc, not logging_search_etc - Use files_search_etc, not files_search_config - Use corecmd_search_bin, not corecmd_searh_bin - Use fs_search_tmpfs, not files_search_tmpfs - Use domain_auto_trans, not auto_trans - -* Tue Mar 11 2014 Chris PeBenito <selinux@tresys.com> - 2.20140311 -Chris PeBenito (17): - Minor rearrangement of minidlna lines. - Module version bump for openvpn tmp files from Sven Vermeulen. - Update modules for file_t merge into unlabeled_t. - Module version bump for postfix showq fc from Laurent Bigonville. - Rename gpg_agent_connect to gpg_stream_connect_agent. - Module version bump for gpg agent interface from Luis Ressel. - Whitespace fixes in git.fc. - Module version bump for debian git fc entries from Laurent Bigonville. - Move bin_t fc to corecommands. - Move exec/transition lines in couchdb. - Add comment about couchdb_js policy. - Module version bump for couchdb updates from Luis Ressel. - Module version bump for pcscd fix from Luis Ressel. - Move screen dontaudit rule. - Module version bump for screen fix from Luis Ressel. - Module version bump for git fc fix from Nicolas Iooss. - Bump module versions for release. 
- -Dan Walsh (28): - Allow irc_t to use tcp sockets - Add labels for apache logs under miq package - Allow smbcontrol to create content in /var/lib/samba - Allow ktalkd to bind to the ktalkd_port - Allow memcache to read sysfs data - Allow mdadm to getattr any file system - Allow cupsd_lpd_t to bind to the printer port - Allow rlogind to bind to the rlogin_port - Allow cvs to bind to the cvs_port - svirt domains neeed to create kobject_uevint_sockets - Lots of new access required for sosreport - Allow tgtd_t to connect to isns ports - openct needs to be able to create netlink_object_uevent_sockets - Allow glusterd to create sock_file in /run - Add support for tmp directories to openvswitch - Allow virt_domain with USB devices to look at dos file systems - Additional access for MLS - Additional access for MLS window manager - Additional access for MLS window manager - Additional access for MLS window manager - Allow rpcbind to use nsswitch - Allow gpg_agent to use ssh-add - Add apache labeling for glpi - Allow pegasus to transition to dmidecode - Allow mcelog to use the /dev/cpu device - Allow apmd to request the kernel load modules - Allow postfix programs to getattr on all executables - label mate-keyring-daemon with gkeyringd_exec_t - -Dominick Grift (126): - Typo fix in ksmtuned_admin() by Shintaro Fujiwara - Fix monolithic built - Change file context spec for aide log files to catch suffixes - Module version bumps for changes in various policy modules by Sven - Vermeulen - Squid: Use a single pattern for brevity - Irc was already allowed to create tcp sockets, it only needed an - additional accept, and listen to be able to act as a proxy - Its probably a better idea to use the httpd_sys_ra_content_t type sid - for logs in these locations - Module version bump for changes to the tcsd policy module by Lukas - Vrabec - Module version bump for changes to various policy modules by Miroslav - Grepl - Module version bump for changes to the samba policy module by Dan 
Walsh - Module version bump for changes to the telepathy policy module by - Miroslav Grepl - We do not have a boinc domain type attribute Change boolean - description a bit - Additional rabbitmq couchdb support - Module version bumps for changes to various policy modules by Miroslav - Grepl - Additional git tcp networking rules - Additional ktalkd udp networking rules - Module version bump for changes to various policy modules by Dan Walsh - Addtional cups ldp tcp networking rules - Should be server packets because it is binding, and not connecting - Clean up telnet, and rlogin networking rules - Additional cvs tcp networking rules - Module version bump for changes to various policy modules by Dan Walsh - Addtional tgtd tcp networking rules - Additional polipo tcp networking rules - Fix asterisk files_spool_filetrans() - Module version bump for changes to the networkmanager policy module by - Lukas Vrabec - Additional fs_tmpfs_filetrans() for munin service plugin content on - tmpfs - Module version bump for changes to various policy modules by Miroslav - Grepl - Support rlogind, and telnetd as init daemon domains ( i think fedora is - campaigning to get rid of (x)?inetd ) - Support mariadb logging, file context specification for mariadb specific - config location - Change logwatch boolean identifier to something more self-documenting. - Additional tcp networking rules - Module version bump for changes to various policy modules by Miroslav - Grepl - Fix inconsistencies in the pkcs policy module - Fix fetchmail inconsistencies - Module version bump for changes in various policy modules by Dan Walsh - Support for window managers to stream socket connect to pulseaudio - Logwatch does not need to be able to bind tcp sockets to generic nodes - since its only connecting - Adds userhelper_exec_consolehelper for window managers - Remove duplicate rules due to addition of auth_use_nsswitch() - We dont use the arbt domain types template. 
Use a more uniform boolean - discription - Clean up libstoragemngmt policy module We do not yet support systemd - Change type from etc_rw to conf for readability admin access to - condor_conf_t - Hit by a nasty optional policy nesting issue - We will find another way to run pa as a system server - Module version bump for changes to various policy modules by Miroslav - Grepl - Clean up hypervkvp policy module (seems incomplete) - Clean up initial redis policy module - Additional openvpn tcp networking rules - redis: allow redis to bind tcp sockets to redis_port_t type ports - bluetooth: bluetooth_t acquires org.bluez service on dbus system bus - wm: associate wm_exec_t to core command executable files so that initrc_t - (/sbin/start-stop-daemon) can access it (metacity) - logrotate restarts syslogd via init script in Debian - This file is called just man-db in Debian. - exim: exim owns directory /var/lib/exim4 - accountsd: accounts-daemon lists /var/log - alsa: alsactl listing /dev/shm alsa: alsactl reading /dev/urandom alsa: - alsactl getting attributes of devtmpfs / (/dev) alsa: alsactl maintains - a pulseaudio tmpfs file - Cron: /sbin/runlevel reads /run/utmp cron: anacron (system_cronjob_t) - reading, writing inherited random crond tmp files (/tmp/tmpfk1VT2O) - dbus: allow system, and session bus clients to answer to dbus unconfined - domains - apt: Run apt system cronjobs in the apt_t domain apt: apt system cronjob - creates dpkg.status.* files in /var/backup - devicekit: upowerd reads own unix stream socket devicekit: - devicekit_power_t (runlevel) read /run/utmp - mandb: Make the man-db cronjob work on Debian - rtkit: traverse /proc to get to process state files - networkmanager: NetworkManager reads /run/udev/data/n2 file - avahi: create a avahi_initrc_domtrans for udev_t: udev runs a avahi dns - check script which does, i guess, a dns check. If needed it starts, or - stops avahi via its init script. 
I also created a - avahi_manage_pid_files() for udev_t because the script manages a file - called "checked_nameservers.*" in /run/avahi-daemon - Cleanups of various modules with regard to regular expressions and white - space - apt: As it turns out the /var/backups directory is labeled in the backup - module (which i incidentally did not have installed earlier). Instead - of creating this file with a file type transition to - apt_var_cache_t, allow apt_t to manage backup_store files - mta: this needs to be verified again, it should just have been running - in exim_t. I might have taken this from old logs - mandb: /etc/cron.daily/man-db executes dpkg, reads dpkg db on Debian - slocate: catch /usr/bin/updatedb.mlocate, and /etc/cron.daily/mlocate on - Debian - dpkg: catch /etc/cron.daily/dpkg on Debian dpkg: allow - /etc/cron.daily/dpkg to manage backup store files on Debian - cron: consistent usage of regular expressions cron: prelink no longer - runs in the system cronjob domain - alsa: alsactl wants to associate pulse-shm-.* to device_t type - filesystems. This happens early on but i do not understand how that - (/dev) relates to /dev/shm in this regard - devicekit: reads udev pid files modemmanager: reads udev pid files - vdagent: spice-vdagentd uses /dev/vport1p1 virtio console - tmpreaper: mountall-bootcl in the tmpreaper_t domain reads, writes - /dev/pts/0 inherited from init script - revert regular expressions - wm: allow $1_wm_t to stream connect to $1_gkeyringd_t - mta: allow system_mail_t (user_mail_domains) to read kernel sysctls and - to read exim var lib files. 
- mta: These are duplicates because system_mail_t is a user_mail_domain, - as it is based off of the mta_base_mail_template() which assigns that - type attribute - locate: extra rules needed by debian /etc/cron.daily/locate script - backup: in Debian /etc/cron.daily/passwd backs-up shadow, passwd etc to - /var/backups - avahi: create interfaces that will allow calles to create avahi pid dirs - and create specifc avahi pid objects with a type transition (for - udev, which runs: /usr/lib/avahi/avahi-daemon-check-dns.sh in - Debian - Initial gdomap policy module - Initial minissdpd policy module - alsa: due to a bug in gnome 3.4, in debian, alsactl does all kinds of - weird things related to pulseaudio - various: revert regex fixes: fcsort does not want this now - gdomap: gdomap_port_t is now available, gdomap binds tcp, and udp socket - to it - alsa: make alsa_t and pulseaudio_client so that pulseaudio_client rules - apply to it. alsactl does not actually run pulseaudio it seems though. - pulseaudio: allow all pulseaudio_client to send null signals to - unconfined_t, since unconfined_t is not actually a pulseaudio_client ( - unconfined_t runs pulseaudio without a domain transition) - avahi: create avahi_setattr_pid_dirs() for udev (avahi dns check script - run by udev in Debian) - These { read write } tty_device_t chr files on boot up in Debian - colord: colord executable file locations in Debian - colord: reads /proc/1, reads /run/udev files - vdagent: read/write mtrr file - mandb: dpkg running in the mandb_t domain in Debian (mandb cronjob) - traverses /root - exim: traverses sysfs, uses system cronjob file descriptors (/dev/null) in - Debian (/etc/cron.daily/exim) - minissdpd fixes - devicekit: disk reads /proc/sys/vm/overcommit_memory - devicekit: edit devicekit_append_inherited_log_files to include get - attribute permission so that it can be also used for fsadm - devicekit: 95hdparm-apm (devicekit_power_t) gets attributes of /dev/sda - (fixed_disk_device_t) - 
networkmanager: added interfaces that fedora calls for dhcpc. In Debian it - was confirmed that at least dhclient manages - /var/lib/NetworkManager/dhclient-eth0.conf - firewalld: various fixes that i borrowed from Fedora but that also apply - to Debian (confirmed) - firewalld: interfaces created for iptables - irqbalance: getsched from Debian - colord: colord reads /proc/3412/cmdline (cupsd state files) - virt: libvirtd reads /run/udev/data/+input:input3 - firewalld: traverses / on sysfs - rngd: needs ipc_lock capability, maintains /run/rngd.pid - tmpreaper: mountall-bootcl executes /bin/plymouth on Debian - minissdpd: deal with assertion violation (sys_module) - gdomap: missing networking rules, it traverses /tmp for some reason - ntp: create ntp_read_drift_files() for dhclient - dpkg: allow dpkg, and dpkg script to domain transition to initrc_t on any - init script file type rather than only the generic initrc_exec_t init - script file type - exim: exim4 reads online - apt: apt runs /usr/bin/apt-get apt: on_ac_power (apt_t) lists - /sys/class/power_supply - exim: exim_manage_var_lib_files created for init: init script runs helper - apps that create/manage /var/lib/exim4/config.autogenerated.tmp - gdomap/minissdpd: create read_config interfaces for initrc_t - exim: make exim init script create /var/run/exim4 with a proper context - pulseaudio: pulsaudio_t needs to be able to read user_tmpfs_files - (/run/shm/pulse-shm-.*) - dnsmasq: add support for /etc/dnsmasq.d/ - Module version bumps for various policy modules - Module version bump for changes to the logrotate module by Luis Ressel - Git: git daemons can list and read git personal repositories - Module version bumps for changes to various policy modules by Fedora - redis, lsm: typo fixes - userhelper: append newline - -James Carter (8): - - Fixed typo in contrib/avahi.if - - Fixed typo in contrib/glusterfs.te - - Fixed typo in contrib/jabber.if - - Fixed typo in contrib/keystone.if - - Fixed typo in 
contrib/mailscanner.if - - Fixed typo in contrib/qpid.if - - Fixed typo in contrib/readahead.fc. - - Fixed typo in contrib/rpm.if. - -Laurent Bigonville (2): - Label /usr/lib/postfix/showq as postfix_showq_exec_t - Properly label git-daemon and gitweb.cgi on Debian - -Luis Ressel (10): - Allow initrc_t to create /var/run/opendkim - Label /etc/cron.daily/logrotate correctly. - gpg: Create gpg_agent_connect interface - Minor updates to couchdb policy - couchdb: Add separate domain for couchjs - couchdb: Dontaudit denials caused by Erlang's disksup - Reformat couchdb.fc - pcscd.if: Permit access to pid files inside /var/run/pcscd/. - Allow gpg-agent's scdaemon to connect to pcscd. - Dontaudit screen asking for the sys_tty_config capability - -Lukas Vrabec (8): - Allow tcsd to read utmp file - fix boinc policy - Add support for couchdb in rabbitmq policy - Fix transition rules in asterisk policy - Add fowner capability to networkmanager policy - Add policy for lsmd - Add policy for hypervkvpd - Add policy for redis-server - -Mika Pflüger (1): - Correct typo in passenger module name - -Miroslav Grepl (40): - Allow passenger to execute ifconfig - Allow mpd setcap which is needed by pulseaudio - Allow block_suspend cap for samba-net - Allow t-mission-control to manage gabble cache files - Allow nslcd to read /sys/devices/system/cpu - Add labeling for ~/.cache/telepathy/avatars/gabble - Allow firewalld to read NM state - Allow systemd running as git_systemd to bind git port - Fix labeling for fetchmail pid files/dirs - Fix polipo.te - Fix cupsd.te - Allow munin service plugins to manage own tmpfs files/dirs - Make ktalk as init domain - Allow mysqld_safe_t to handle also symlinks in /var/log/mariadb - Add logwatch_can_sendmail boolean - Allow rhsmcertd to read init state - Allow fsetid for pkcsslotd - Allow fetchmail to create own pid with correct labeling - Fix rhcs_domain_template() - Add support for abrt-upload-watch - Allow virtd to relabel unix stream socket - Fix 
lsm.fc for pid files - Also sock_file trans rule is needed in lsm - Update condor_master rules to allow read system state info and allow - logging - Add labeling for /etc/condor and allow condor domain to write it (bug) - Allow condor domains to manage own logs - Allow glusterd to read domains state - Add openvpn_can_network_connect() boolean - Fix minissdpd_admin() - Allow ctdb to getattr on al filesystems - Watchdog opens the raw socket - Allow watchdog to read network state info - Add setroubleshoot_signull() interface - Allow sosreport to send signull to setroubleshootd - Allow sosreport all signal perms - Allow sosreport to dbus chat with rpm - Allow zabbix_agentd to read all domain state - Allow smoltclient to execute ldconfig - Allow sosreport to request the kernel to load a module - Allow setpgid for sosreport - -Nicolas Iooss (1): - git: fix file pattern after whitespace fixes - -Sven Vermeulen (6): - Add minidlna policy - Allow openvpn temporary files - Add aide bin /usr/bin and mark /var/lib/aide - Provide alsa_write_lib interface - Run dmidecode after newrole or on terminals - Grant write privileges to squid on its log files - -* Wed Apr 24 2013 Chris PeBenito <selinux@tresys.com> - 2.20130424 -Chris PeBenito (18): - Rewrite of mcelog module from Guido Trentalancia - Remove unnecessary lines in mcelog.te. - Slight rearrangement in mcelog.te. - Module version bump for mcelog update from Guido Trentalancia. - Module version bump for ntp module fixes from Dominick Grift. - Module version bump for fc substitutions optimizations from Sven - Vermeulen. - Module version bump for postfix/mta misc fixes from Sven Vermeulen. - Module version bump for init_daemon_run_dirs usage from Sven Vermeulen. - Turn off all tunables by default, from Guido Trentalancia. - Module version bump for tunable default change. - Module version bump for saslauthd tcp mysql connections from Mika Flueger. - Move kernel request line in quota. 
- Module version bump for quota kernel module request from Mika Pflueger. - Module version bump for djbdns ports fixes from Russell Coker. - Remove stray + in keystone.te. - Whitespace fixes in cron.fc. - Module version bump for pulseaudio type_transition conflict fix from Sven - Vermeulen. - Bump module versions for release. - -Dominick Grift (889): - Initial BIRD Internet Routing Daemon policy - oident daemon fixes - Introduce ntp_conf_t - Allow ntp_admin() to manage ntp_drift_t content. - List etc_t directories - Use "Role allowed access." for consistency - Use permissions sets for compatibility. - Remove getattr permision from ntp_admin() - Initial Sensord policy module - Various block_suspend capability2 support from Fedora - Gitolite3 support from Fedora - /var/lib/sqlgrey is greylist milter data from Fedora - Terminal related fixes for plymouthd from Fedora Support block_suspend - capability2 for plymouth - Support minimal polkit in new location - Support ldap for user authentication from Fedora - Sanlock sends kill signals to non-root processes from Fedora Various - other capabilities for sanlock from Fedora - Initial support for sqlgrey from Fedora - Tor reads network sysctls from Fedora - GPG agent reads /dev/random from Fedora - Freshclam reads system and network state from Fedora - Execute wpa_cli in the NetworkManager_t domain for wicd from Fedora - lpstat.cups reads fips_enabled from Fedora - Initial system tap compile server policy module - Systemtap server admin manages stapserver_var_lib_t content - Telepathy Idle reads gschemas.compiled from Fedora - Initial slpd policy module - Initial lightsquid policy module - Initial wdmd policy module - Initial mailscanner policy module and some depencies. 
- Support slpd log rotation - Initial numad policy module - Open log files for append only - CGClear reads CGConfig files from Fedora Cosmetic changes to cgroup - policy module File contexts of cgroup app executables files in - /sbin also apply to /usr/sbin Make cgroup_admin() a bit more - compact - Initial svnserve policy module - Various small changes to ucspitcp - Initial fcoe policy module - Initial lldpad policy module - fcoemon sends to lldpad with a dgram socket - Initial quantum policy module - Initial dspam policy module - Module version bump for Telepathy file context spec fixes from Laurent - Bigonville. - Initial isns policy module - Various changes to tcs policy module - Initial ctdb policy module - Various changes to the sblim policy module and its dependencies - Initial polipo policy module - Module version bump for networkmanager fixes - Fixes to the polipo policy module - Module version bump for smartmon fixes from Laurent Bigonville. - Module version bump for accountsd file context spec fix from Laurent - Bigonville. 
- Various changes to the raid module - Module version bump for rtkit file context spec fix from Laurent - Bigonville - Initial couchdb policy module - Changes to the bind policy module - Initial dnssectrigger policy module - Initial man2html policy module - Initial openhpi policy module - Bind sends/receives http server instead of client packets conditionally - Two file context regular expression fixes by Eric Paris - Type mdadm_t is no longer a unconfined type - Initial pkcs policy module - Initial cfengine policy module - Initial keystone policy module - Initial l2tp policy module - Initial mongodb policy module - cfengine whitespace cleanup - Changes to the accountsservice policy module - Changes to the acct policy module - Changes to the ada policy module - changes to the afs policy module - Changes to the accountsservice policy module - Changes to the aiccu policy module - Changes to the aide policy module - Syntax error in afs_admin() - Changes to the aisexec policy module - Changes to the alsa policy module - Changes to the amanda policy module - Changes to the amavisd policy module and relevant dependencies - Changes to the amtu policy module - Changes to the anaconda policy module - Changes to the abrt policy module and relevant dependencies - numad sends/receives msgs from Fedora - Amtu executable file in installed in /usr/sbin in Fedora - The (usr/)? 
expression does not work consistently so better not use it - at all - Changes to the httpd policy module - Merge branch 'master' of - ssh://dgrift@oss.tresys.com/home/git/refpolicy-contrib - Fixes to the apache policy module and dependencies - Changes to the apcupsd policy module - Role attributes for lightsquid application domain - Changes to the mailscanner module - Changes to the svnserve policy module - Changes to the quantum policy module - Changes to the dspam module - Changes to the ctdb policy module - Changes to the couchdb policy module - Changes to the openhpid policy module - Changes to the keystone policy module - Changes to the l2tp policy module - Changes to the apm module and relevant dependencies - Changes to the arpwatch policy module - Changes to the apcupsd policy module - Changes to the abrt policy module - Changes to the apache policy module - Changes to the asterisk policy module and dependencies - Changes to the authbind policy module - Changes to the automount policy module - Change acpid lock file context spec - Changes to the avahi policy module and dependencies - Changes to the awstats policy module - Changes to the bacula policy module - Changes to the bcfg2 policy module - Changes to the apt policy module - Changes to the apache policy module - Changes to the backup module - Changes to the bind policy module - Bird module clean up - Fix arpwatch connected_stream_socket_perms - Changes to the bitlbee policy module - Changes to the blueman policy module - Changes to the bluetooth policy module - Changes to the brctl policy module - Changes to the apache policy module - Changes to the bugzilla policy module - Changes to the calamaris policy module - Implement lightsquid_admin() - Changes to the apache policy module and dependencies - Initial boinc policy module - Initial callweaver policy module - Changes to the canna policy module - Changes to the ccs policy module - Changes to the cdrecord policy module - Changes to the certmaster 
policy module and various role attribute fixes - cdrecord needs to read and write callers unix domain stream socket not - create it - Changes to the certmonger policy module and its dependencies - Initial cachefilesd policy module - Changes to the certwatch policy module - Changes to the chronyd policy module - Changes to the cipe policy module - Changes to the clamav policy module - Various network clean up - Add dev_rw_cachefiles() to cachefilesd policy module - Changes to the clockspeed policy module - Changes to the clogd policy module - Changes to the cmirrord policy module - Changes to the cobbler policy module - Changes to the colord policy module - Changes to the comsat policy module - Initial collectd policy module - Initial condor policy module and relevant dependencies - Changes to the consolekit policy module and relevant dependencies - Changes to the corosync policy module and relevant dependencies - Clean up couchdb network rules - Changes to the courier policy module - Changes to the cpucontrol policy module - Changes to the cpufreqselector policy module - Changes to the cron policy module and relevant dependencies - Changes to the cups policy module and relevant dependencies - Changes to the cvs policy module - Remove redundant connect avperms - Changes to the cyphesis policy module - Remove redundant rules from apache_admin() - Changes to the cyrus policy module - Changes to the daemontools policy module - Changes to the dante policy module - Modify dbadm boolean descriptions - Changes to the dbus policy module and its dependencies - Changes to the dcc policy module - Changes to the ddclient policy module - Changes to the ddcprobe policy module - Changes to the denyhosts policy module - Changes to the devicekit policy module and relevant dependencies - Changes to the dhcpd policy module - Changes tothe dictd policy module - Changes to the discc policy module - Changes to the djbdns policy module - Changes to the dkim policy module - Changes to the 
dmidecode policy module - Module bump for Laurent Bigonville trousers init script file context - specification fix - Module bump for Laurent Bigonville libvirt init script file context - specification fix - Changes to the dnsmasq policy module and relevant dependencies - Changes to the dovecot policy module - Changes to the dpkg policy module - Changes to the entropyd policy module - Changes to the evolution policy module - Changes to the exim policy module and relevant dependencies - Changes to the cron policy module - Changes to the fail2ban policy module - fcoemon XML clean up - Changes to the fetchmail policy module - Changes to the fingerd policy module - Initial firewalld policy module - Changes to the firstboot policy module - Changes to the fprint policy module and relevant dependencies - Changes to the ftp module - Changes to the games policy module - Clean up evolution and cdrecord XML - Changes to the gatekeeper policy module - Changes to the gift policy module - Changes to the git policy module - Changes to the gitosis policy module - Changes to the glance policy module - Initial glusterfs policy module - Add gatekeeper newline - Deprecate glusterd_admin() use glusterfs_admin() instead - Portage module version bump for autofs support by Matthew Thode and - clean up - cfengine: This location is now labeled with a cfengine private type - Changes to the slpd policy module - Changes to the gnomeclock policy module and relevant dependencies - Changes to the gpg policy module - Changes to the gpm policy module - Changes to the gpsd policy module and relevant dependencies - changes to the guest policy module - Changes to the gnomeclock policy module - Deprecate various DBUS interfaces and relevant dependencies - Changes to the cachefilesd policy module - Remove file context specification for kgpg which is a GUI frontend to - GPG. Domain transition to gpg_t will happen when kgpg runs gpg. 
- (rhbz#862229) - Initial mandb policy module - Changes to the hadoop policy module - Changes to the hald policy module - Changes to the hddtemp policy module - Changes to the howl policy module - changes to the mandb policy module - Changes to the dbus policy module - Changes to the rpm policy module - Changes to the i18n_input policy module - Changes to the icecast policy module - Changes to the ifplugd policy module - Changes to the imaze policy module - Changes to the inetd policy module and relevant dependencies - Changes to the innd policy module - Changes to the irc policy module - Changes to the ircd policy module - Changes to the irc policy module - Changes to the dbus policy module - Changes to the avahi policy module - Changes to the bluetooth policy module - Changes to the aiccu policy module - Changes to the bacula policy module - Changes to the boinc policy module - Changes to the bugzilla policy module - Changes to the ccs policy module - Changes to the clamav policy module - Changes to the cobbler policy module - Changes to the cyphesis policy module - Changes to the dante policy module - Changes to the dbskk policy module - Changes to the ddclient policy module - Changes to the denyhosts policy module - Changes to the dnssectrigger policy module - Changes to the dovecot policy module - Changes to the drbd policy module - Changes to the evolution policy module - Changes to the fail2ban policy module - Changes to the firewalld policy module - Changes to the firstboot policy module - Changes to the games policy module - Changes to the gift policy module - Changes to the glance policy module - Changes to the hald policy module - Changes to the dbus policy module - Changes to the git policy module - Changes to the polipo policy module - Changes to the firewalld policy module - Changes to the gpg policy module - Tab clean up in ircbalance file context file - Changes to the irqbalance policy module - Tab clean up in iscsi file context file - Changes to 
the iscsi policy module - Tab clean up in jabber file context file - Changes to the jabberd policy module - Changes to the pyicqt policy module - Tab clean up in java file context file - Changes to the java policy module - Changes to the dbus policy module - Changes to the gnome policy module - Changes to the apache policy module - Changes to the accountsd policy module - Changes to the alsa policy module - Changes to the evolution policy module - Changes to the bluetooth policy module - Changes to the games policy module - Changes to the gift policy module - Changes to the gpg policy module - Changes to the hadoop policy module - Tab clean up in kdump file context file - Changes to the kdump policy module - Changes to the gpg policy module - Changes to the dbus policy module - Changes to the evolution policy module - Changes to the gpm policy module - Version bump for evolution file context fixes by Laurent Bigonville - Version bump for nut file context fixes by Laurent Bigonville - Changes to the kdumpgui policy module - Tab clean up in kerberos file context file - Changes to the kerberos policy module and relevant dependencies - Changes to the kerneloops policy module - Tab clean up in kerberos file context file - Changes to the kismet policy module - Clean up amavis XML header - Initial keyboardd policy module - Tab clean up in ksmtuned file context file - Changes to the ksmtuned policy module - Tab clean up in ktalk file context file - Changes to the ktalk policy module - Changes to the kudzu policy module - Initial iodine policy module - Initial dirmngr policy module - Changes to the iodine policy module - Changes to the kerberos policy module - Changes to the kdumpgui policy module - Update deprecated interface calls ( gnome_read_config -> - gnome_read_generic_home_content ) - Changes to the mozilla policy module - Changes to the thunderbird policy module - Changes to the l2tp policy module - Tab clean up in ldap file context file - Changes to the ldap 
policy module - Tab clean up in likewise file context file - Changes to the likewise policy module - Tab clean up in lircd file context file - Changes to the lircd policy module - Changes to the livecd policy module - Tab clean up in loadkeys file context file - Changes to the loadkeys policy module and relevant dependencies - Tab clean up in lockdev file context file - Changes to the lockdev policy module - Tab clean up in logrotate file context file - Changes to the logrotate policy module and relevant dependencies - Tab clean up in logwatch file context file - Changes to the logrotate policy module - Changes to the logwatch policy module - Tab clean up in lpd file context file - Changes to the lpd policy module - Tab clean up in cron policy module - Changes to the lpd policy module - Changes to the consolekit policy module - Tab fix in cron policy module - Tab clean up in mailman file context file - Changes to the mailman policy module and relevant dependencies - Tab clean up in mcelog file context file - Changes to the mcelog policy module - Tab clean up in mediawiki file context file - Mediawiki XML clean up - Tab clean up in memcached file context file - Changes to the memcached policy module - Changes to the apache policy module - Tab clean up in milter file context file - Changes to the milter policy module and relevant dependencies - Changes to the modemmanager policy module - Tab clean up in mojomojo file context file - Changes to the mojomojo policy module and relevant dependencies - Changes to the gpg policy module - Changes to the mongodb policy module - Changes to the mono policy module - Changes to the monop policy module - Tab clean up in mozilla file context file - Changes to the mozilla policy module and relevant dependencies - Changes to the mozilla policy module - Changes to the apache policy module - Tab clean up in mpd file context file - Changes to the mpd policy module - Tab clean up in mplayer file context file - Changes to the evolution 
policy module - Changes to the mplayer policy module - Changes to the irc policy module - Tab clean up in mrtg file context file - Changes to the mrtg policy module - Tab clean up in mta file context file - Changes to the mta policy module and relevant dependencies - Changes to the mta policy module and relevant dependencies - Get rid of mozilla_conf_t as it is unused - Changes to the logrotate policy module - Changes to the logwatch policy module - Changes to the java policy module - Changes to the apache module and relevant dependencies - Tab clean up in munin file context file - Changes to the munin policy module and relevant dependencies - Tab clean up in mysql file context file - Changes to mysqld policy module - Changes to various policy modules - Changes to the munin policy module - Changes to the dovecot policy module - Changes to various policy modules - Changes to the mta policy module - Changes to the certmonger policy module and relavant dependencies - Tab clean up in nagios file context file - Changes to the nagios policy module and relevant dependencies - Changes to the modutils policy module - Tab cleanup in the nessus file context file - Changes to the nessus policy module - Tab clean up in the network manager file context file - Changes to the networkmanager policy module and relevant dependencies - Changes to the mozilla policy module - Changes to the cobbler policy module - Initial rngd policy module - Tab clean up in the nis file context file - Changes to the nis policy module - Tab clean up in the nscd file context file - Changes to the nscd policy module - Tab clean up in the nsd file context file - Changes to the nsd policy module - Tab clean up in the nslcd file context file - Changes to the nslcd policy module - Tab clean up in the ntop file context file - Changes to the ntop policy module - Tab clean up in the ntp file context file - Changes to the ntp policy module - Changes to the numad policy module - Tab clean up in the nut file 
context file - Changes to the nut policy module - Tab clean up in the nx file context file - Changes to the nx policy module - Changes to the oav policy module - Initial obex policy module - Tab clean up in the oddjob file context file - Tab clean up in gpg policy module - Changes to the oddjob policy module - Changes to the mozilla policy module - Initial pacemaker policy module - Tab clean up in the oidentd file context file - Changes to the oident policy module - Tab clean up in the openca file context file - Changes to the openca policy module - Tab clean up in the openct file context file - Changes to the openct policy module - Tab clean up in the openvpn file context file - Changes to the openvpn policy module - Tab clean up in the pads file context file - Changes to the pads policy module - Tab clean up in the passenger file context file - Changes to the passenger policy module and relevant dependencies - Tab clean up in the pcmcia file context file - Changes to the pcmcia policy module - Tab clean up in the pcscd file context file - Changes to the pcscd policy module and relevant dependencies - Tab clean up in the pegasus file context file - Changes to the pegasus policy module - Tab clean up in the perdition file context file - Changes to the perdition policy module - Tab clean up in the pingd file context file - Changes to the pingd policy module - Changes to the plymouthd policy module - Changes to the mozilla policy module - Changes to the plymouth policy module - Tab clean up in the podsleuth file context file - Changes to the podsleuth policy module - Tab clean up in the policykit file context file - Changes to the policykit policy module and relevant dependencies - Tab clean up in the portage file context file - Changes to the portage policy module - Tab clean up in the portmap file context file - Changes to the portmap policy module - Tab clean up in the portreserve file context file - Changes to the portreserve policy module - Tab clean up in the 
portslave file context file - Changes to the portslave policy module and relevant dependencies - Tab clean up in the postfix file context file - Changes to the postfix policy module and relevant dependencies - Fixes to various policy modules - Tab clean up in the postfixpolicyd file context file - Changes to the postfixpolicyd policy module - Tab clean up in the postgrey file context file - Changes to the postgrey policy module - Tab clean up in the ppp file context file - Changes to the ppp policy module and relevant dependencies - Tab clean up in the prelink file context file - Changes to the prelink policy module and relevant dependencies - Tab clean up in the prelude file context file - Changes to the prelude policy module - Tab clean up in the privoxy file context file - Changes to the privoxy policy module - Tab clean up in the procmail file context file - Changes to the procmail policy module - Tab clean up in the psad file context file - Changes to the psad policy module - Changes to the ptchown policy module - Tab clean up in the publicfile file context file - Changes to the publicfile policy module - Fix a fatal syntax error in mozilla_plugin_role() - Changes to the plymouth policy module - Changes to the policykit policy module - Module version bump for fixes in shorewall, fail2ban and portage policy - modules by Sven Vermeulen - Tab clean up in the puppet file context file - Changes to ther puppet policy module and relevant dependencies - Initial pwauth policy module - Tab clean up in the pxe file context file - Changes to the pxe policy module - Tab clean up in the pyzor file context file - Changes to the pyzor policy module - Tab clean up in the qemu file context file - Changes to the qemu policy module - Tab clean up in the virt file context file - Changes to the virt policy module and relevant depedencies - Changes to the virt policy module - Changes to the cron policy module - Changes to the qemu policy module - Changes to the virt policy module - 
Epylog wants sys_nice and setsched - Tab clean up in the qmail file context file - Changes to the qmail policy module - Tab clean up in the qpid file context file - Changes to the qpid policy module - Tab clean up in the quota file context file - Changes to the quota policy module and relevant dependencies - Initial rabbitmq policy module - Tab clean up in the radius file context file - Changes to the radius policy module - Tab clean up in the radvd file context file - Changes to the radvd policy module - Changes to the raid policy module - Tab clean up in the razor file context file - Changes to the razor policy module and relevant dependencies - Smokeping cgi needs to run ping with a domain transition Remove - redundant socket create already provided by - sysnet_dns_name_resolve() - Changes to the virt policy module - Changes to the apache policy module - Changes to the gnome policy module - Changes to the rdisc policy mpdule - Changes to the readahead policy module - Changes to the remotelogin policy module - Tab clean up in the resmgr file context file - Changes to the resmgr policy module - Tab clean up in the rgmanager file context file - Changes to the rgmanager policy module - Initial Realmd policy module and relevant dependencies - Fix resmgrd init script file context specification - Changes to the cups policy module - automount reads overcommit_memory - Changes to the networkmanager policy module - Freshclam manages amavis spool content - Changes to the tftp policy module - Changes to the cobbler policy module - Tab clean up in the rhcs file context file - Changes to the rhcs policy module and relevant dependencies - Tab clean up in the rhgb file context file - Changes to the rhgb policy module - Tab clean up in the rhsmcertd file context file - Changes to the rhsmcertd policy module - Tab clean up in the ricci file context file - Changes to the ricci policy module - Tab clean up in the rlogin file context file - Changes to the rlogin policy module - Tab 
clean up in the roundup file context file - Changes to the roundup policy module - Changes to the remotelogin policy module - Changes to the apache policy module - Changes to the awstats policy module - fix puppet_admin() need to require types that it uses - Replace wrong type in puppet_admin() - Fix a syntax error in ricci_domtrans() - Catch all rpcbind content in /var/run - Changes to the cups policy module - Tab clean up in the rpc file context file - Changes to the rpc policy module - Tab clean up in the rpcbind file context file - Changes to the rpcbind policy module - Tab clean up in the rpm file context file - Changes to the rpm policy module and depedencies - Changes to the rshd policy module - Changes to the virt policy module - Changes to the rssh policy module - Tab clean up in the rsync file context file - Fix a typo in apache XML - Changes to the rsync policy module - Changes to the rtkit policy module - Tab clean up in the rwho file context file - Changes to the rwho policy module - Reads /proc/sys/kernel/random/poolsize - Tab clean up in the samba file context file - Changes to the samba policy module and relevant dependencies - Tab clean up in the sambagui file context file - Changes to the sambagui policy module - Initial firewallgui policy module - Tab clean up in the samhain file context file - Changes to the samhain policy module - Tab clean up in the sanlock file context file - Changes to the sanlock policy module and relevant dependencies - Tab clean up in the sasl file context file - Changes to the sasl policy module - Chnages to the sblim policy module - Tab clean up in the screen file context file - Changes to the screen policy module - Tab clean up in the sectoolm file context file - Changes to firewallgui policy module - Changes to the sectoolm policy module - Tab clean up in the sendmail file context file - Changes to the sendmail policy module and relevant dependencies - Tab clean up in the setroubleshoot file context file - Changes to 
the setroubleshoot policy module - Tab clean up in the shorewall file context file - Changes to the shorewall policy module - Tab clean up in the shutdown file context file - Changes to the shutdown policy module and relevant dependencies - Tab clean up in the slocate file context file - Changes to the slocate policy module and relevant dependencies - These domains transition to shutdown domain now so they no longer need - direct access - Re-add missing network rule in screen policy module - fail2ban server sets scheduler - shutdown XML clean up - libvirtd sets kernel scheduler - mongod reads cpuinfo_max_freq - Changes to the slrnpull policy module - Tab clean up in the smartmon file context file - Changes to the smartmon policy module - Tab clean up in the smokeping file context file - Changes to the smokeping policy module - Tab clean up in the smoltclient file context file - Changes to the smoltclient policy module - Tab clean up in the snmp file context file - Changes to the snmp policy module - Tab clean up in the snort file context file - Changes to the snort policy module - Changes to the sosreport policy module and relevant dependencies - Tab clean up in the soundserver file context file - Changes to the soundserver policy module - Tab clean up in the spamassassin file context file - Changes to the spamassassin policy module and relevant dependendies - spamassassin_role callers create ~/.spamd with the spamd_home_t user - home type instead - Re-add sys_admin capability that was lost with porting from Fedora - Move mailscanner content to mailscanner module - Changes to the speedtouch policy module - Tab clean up in the squid file context file - Changes to the squid policy module - Changes to the sssd policy module - Tab clean up in the stunnel file context file - Changes to the stunnel policy module - Tab clean up in the sxid file context file - Changes to the sxid policy module - Tab clean up in the sysstat file context file - Changes to the sysstat policy 
module - Tab clean up in the tcpd file context file - Changes to the tcpd policy module - Changes to the tcsd policy module - Tab clean up in the telepathy file context file - Changes to the telepathy policy module - Tab clean up in the telnet file context file - Changes to the telnet policy module - Tab clean up in the tftp file context file - Changes to the tftp policy module - Tab clean up in the tgtd file context file - Changes to the tgtd policy module - Tab clean up in the thunderbird file context file - Changes to the thunderbird policy module - Catch /var/log/cron directory as well - Dovecot module version bump for fixes by Sven Vermeulen - Portage module version bump for fixes by Sven Vermeulen - Cron module version bump for fixes by Sven Vermeulen - Changes to the exim policy module - Entropyd reads /proc/meminfo - Blueman reads tmp_t directories - Do not audit attempts by cups config to read tmp_t directories - Do not audit attempts by fail2ban to read tmp_t directories - Do not audit attempts by firewalld to read tmp_t directories - Gnomeclock reads urandom and realtime clock - Kdumpctl needs sys_chroot capability - Various kdumpgui fixes from Fedora - Do not audit attempts by logwatch to read tmp_t directories - Catch all alias files - Refine aliases file transition with names - Realmd dbus chat policykit and networkmanager from Fedora - Do not audit attempts by tuned to read tmp_t directories - Changes to the timidity policy module - Tab clean up in the tmpreaper file context file - Changes to the tmpreaper policy module and relevant dependencies - Tab clean up in the tor file context file - Changes to the tor policy module - Changes to the transproxy policy module - Tab clean up in the tripwire file context file - Changes to the tripwire policy module - Tab clean up in the tuned file context file - Changes to the tuned policy module - Tab clean up in the tvtime file context file - Changes to the tvtime policy module - Changes to the tzdata policy 
module - Changes to the ucspitcp policy module - Tab clean up in the ulogd file context file - Changes to the ulogd policy module - Tab clean up in the uml file context file - Changes to the uml policy module - Make it so that irc clients can also get attributes of cifs, nfs, fuse - and other file systems - Changes to the updfstab policy module - Changes to the uptime policy module - Tab clean up in the usbmodules file context file - Changes to the usbmodule policy module - Changes to the usbmuxd policy module - Tab clean up in the userhelper file context file - Screen sends child terminated signals to all interactive fd domains - Changes to the userhelper policy module and relevant dependencies - Changes to the virt policy module - Module version bump for fail2ban changes by Sven Vermeulen - Changes to the rpm policy module - fix smartmon init script file context specification - Changes to the usernetctl policy module - Tab clean up in the uucp file context file - Changes to the uucp policy module - Changes to the virt policy module - Tab clean up in the uuid file context file - Changes to the uuidd policy module - Tab clean up in the uwimap file context file - Changes to the uwimap policy module - Tab clean up in the varnishd file context file - Changes to the varnishd policy module - Changes to the vbetool policy module - Tab clean up in the vdagent file context file - Changes to the vdagent policy module - Tab clean up in the vhostmd file context file - Changes to the vhostmd policy module - Changes to the vlock policy module - Tab clean up in the vmware file context file - Changes to the vmware policy module - Tab clean up in the vnstatd file context file - Changes to the vnstatd policy module - Tab clean up in the vpn file context file - Changes to the vpnc policy module - Tab clean up in the w3c file context file - Changes to the w3c policy module - Tab clean up in the watchdog file context file - Changes to the watchdog policy module - Changes to the wdmd 
policy module - Changes to the webadm policy modules - Changes to the webalizer policy module - White space fix in apache policy module - Changes to the wine policy module - Tab clean up in the wireshark file context file - Changes to the wireshark policy module - Tab clean up in the wm file context file - Changes to the wm policy module - Changes to the inn policy module - Move man cache file type to miscfiles - Changes to the inn policy module - More accurate dbadm boolean descriptions - mysql_admin() has access to ~/.my.cnf files - Tab clean up in the xen file context file - Changes to the xen policy module and relevant dependencies - Tab clean up in the xfs file context file - Changes to the xfs policy module - Changes to the xguest policy module and relevant dependencies - Changes to the xprint policy module - Changes to the xscreensaver policy module - Tab clean up in the yam file context file - Changes to the yam policy module - Tab clean up in the zabbix file context file - Changes to the zabbix policy module - Tab clean up in the zarafa file context file - Changes to the zarafa policy module - Tab clean up in the zebra file context file - Changes to the zebra policy module - Changes to the zosremote policy module - Changes to the mysql policy module - Tab clean up in the pulseaudio file context file - Changes to the pulseaudio policy module and relevant dependencies - Changes to the pulseaudio policy module - One chown too many - Changes to the mplayer policy module - The prelink cron script now runs in its own domain - Initial smstools policy module - Initial openvswitch policy module and relevant dependencies - Reads pcsd pid files - Reads random device - winbind manages smbd pid sock files from Fedora - Changes to the bind policy module - CG rules daemon reads all sysctls - Runs consoletype and searches nfs state data from Fedora - Support munin unbound plugin from Fedora - Zabbix sends signals from Fedora - Blueman sets scheduler and sends signals from 
Fedora - pcscd_read_pub_files is deprecated, use pcscd_read_pid_files instead - Module version bumps for fixes in portage and virt modules by Sven - Vermeulen - Policy module version bumps for various changes by Sven Vermeulen - Changes to the openvpn policy module - Module version bumps for various fixes by Sven Vermeulen - Changes to the mandb policy module - Changes to the tmpreaper policy module - Changes to the munin policy module - Changes to the rngd policy module - Changes to the awstats policy module and relevant dependencies - Changes to the apache policy module - Changes to various policy modules - Changes to the abrt policy module - Changes to the passenger policy module and relevant depedencies - Changes to the pegagus policy module - Changes to the mta policy module - Changes to the fetchmail policy module - Changes to the bitlbee policy module - Changes to the blueman policy module and relevant dependencies - Changes to the amavis policy module - Changes to the userhelper policy module - Changes to the blueman policy module - Changes to the squid policy module - Changes to the sblim policy module - Changes to the kdumpgui policy module - Changes to the mailman policy module - Changes to the realmd policy module - Changes to the raid policy module - Changes to the samba policy module - Changes to the various policy modules - Changes to the snmp policy module - Changes to the spamassassin policy module - Changes to the sssd policy module - Changes to the l2tpd policy module - Changes to the shorewall policy module - Changes to the xen policy module - Changes to the tftp policy modules - Changes to the accountsd policy module - Changes to the tgtd policy module - Changes to the corosync policy module - Changes to the kdump policy module - Changes to the openvswitch policy module - Changes to the mpd policy module - Changes to the mozilla policy module - Changes to the zarafa policy module - Changes to the boinc policy module - Changes to the 
setroubleshoot policy module - Changes to the dspam policy module - Changes to the rgrmanager policy module and relevant dependencies - Changes to the svnserve policy module - Changes to the virt policy module - Changes to the prelink policy module - Changes to the apache policy module - Changes to the gnomeclock policy module - Changes to various policy modules - Changes to the pegagus policy module - Changes to the shorewall policy module - Changes to the kerberos policy module - Changes to the rhcs policy module - Changes to the irc policy module - Changes to the clamav policy module - Changes to the mrtg policy module - Changes to the munin policy module - Changes to the amavis policy module - Changes to the ppp policy module - Initial jockey policy module - Module version bumps for "several named transition for directories - created in /var/run by initscripts" in various modules by Laurent - Bigonville - Module version bumps for fixes in various modules by Laurent Bigonville - Module version bump for changes to the consolekit policy module by - Laurent Bigonville - Changes to the stunnel policy module - Module version bumps for fixes in various modules by Sven Vermeulen - Changes to the virt policy module - Changes to the apache policy module - Changes to the wm policy module - Changes to the samba policy module - Changes to the certmonger policy module - Changes to the mozilla policy module - Changes to the corosync policy module - Changes to the pacemaker policy module - Changes to the tuned policy module - Changes to the cups module and relevant dependencies - Changes to the rhsmcertd policy module - Changes to the lpd policy module - Changes to the munin policy module - Changes to the ntp policy module - Changes to the tor policy module - Changes to the firewalld policy module - Changes to the dspam policy module - Changes to the setroubleshoot policy module - Changes to the condor policy module - Changes to the kerberos policy module - Changes to the 
passenger policy module - Changes to the ppp policy module - Changes to the the dkim policy module - Changes to the abrt policy module - Changes to the lircd policy module - Changes to the dkim policy module - Changes to the virt policy module - Changes to the munin policy module - Changes to the dovecot policy module - Changes to the cobbler policy module - Changes to the userhelper policy module - Changes to the logwatch policy module - Changes to the wdmd policy module and relevant dependencies - Changes to the nscd policy module and relevant dependencies - Changes to the dbus policy module - Module version bumps for fixes in various policy modules by Laurent - Bigonville - Changes to the cups policy module - Changes to the dbus policy module - Changes to the apcupsd policy module - Remove redundant net_bind_service capabilities in various modules - Changes to the virt policy module - Changes to the puppet policy module - Module version bumps for fixes in various policy module by Sven - Vermeulen - Module version bumps for file context fixes in various policy modules by - Laurent Bigonville - Make httpd_manage_all_user_content() do what it advertises - Add more networking rules to mplayer policy module for compatibility - Fix fcronsighup file context. 
Should be crontab_exec_t as per previous - spec - Module version bumps for changes in various modules by Sven Vermeulen - Move asterisk_exec() and modify XML header - Consolekit creates /var/run/console directories with a type transition - unconditionally - Module version bump in consolekit policy module for changes by Sven - Vermeulen - The imaplogin executable file should be courier_pop_exec_t according to - existing file context specification - Module version bump for changes to the fail2ban policy module by Sven - Vermeulen - Modules version bumps for changes in various policy modules by Sven - Vermeulen - -Laurent Bigonville (28): - Add Debian locations for Telepathy connection managers - Label telepathy-rakia as telepathy-sofiasip - Allow smartd daemon to write in /var/lib/smartmontools directory - Add Debian location for smartd daemon initscript - Add Debian location for accounts-daemon daemon - Add Debian location for rtkit-daemon daemon - Add Debian location for tcsd init script - Add Debian location for libvirtd init script - Add Debian location for evolution executables - Add Debian locationis for nut executables and configuration files - Add several named transition for directories created in /var/run by - initscripts - Run packagekit under apt_t context on Debian distribution - Add proper label for colord daemon in debian - Allow the system dbus to search cgroup directories - Allow virtd_t context to read sysctl_crypto_t - Allow colord_t context to read sysctl_crypto_t - Add proper label for gconfd-2 daemon in Debian - Ensure that consolekit can create /var/run/console directory on Debian - Properly label nm-dispatcher.action on Debian - policykit.fc: Properly label polkit-agent-helper-1 on Debian - cups.fc: Properly label cups-pk-helper-mechanism on Debian - Allow pcscd the fsetid capability - Allow networkmanager_t to read crypto_sysctl_t - Allow virsh_t context to read sysctl_crypto_t - Allow cupsd_t to read cupsd_log_t - gnomeclock.fc: Properly 
label gsd-datetime-mechanism in Debian - ptchown.fc: Properly label pt_chown executable in Debian - Label /usr/bin/kvm as qemu_exec_t - -Matthew Thode (2): - added autofs support and nsswitch support - removing refrences to named_var_lib_t as it doesn't exist anymore for - bind.if - -Mika Pflüger (3): - Allow saslauthd_t to talk to mysqld via TCP - Quota policy adjustments: * Allow quota_t to load kernel modules - Debian locations for dovecot deliver and dovecot auth. - -Russell Coker (1): - Fix djbdns ports - -Sven Vermeulen (75): - Update with new substitutions - Mark the pid directory as a pid directory - Add in transitions for queue types when the queues are created - Fix typo in interface postfix_exec_postqueue - Allow maildelivery to use dotlock files in the mail spool - Allow postfix local to change ownership of mailfiles - Use libexec location for postfix binaries - Allow initrc_t to create run dirs for contrib modules - Update logwatch location in file context - Sandbox is an inherent part of the portage inner workings - Fix startup issue with fail2ban-client - Be able to get output from fail2ban-client - Ignore searches when ran from the user home directory - Shorewall admins execute shorewall too - Shorewall needs sys_admin capability for manipulating network stack - Be able to display dovecot errors - Remove transition to ldconfig - Adding interfaces for handling cron log files - Fail2ban client checks state of log files before telling the server - Support mysql init script - Support initial creation of mysql database files - Portage fetch domain needs to access certificates - Make samba domtrans optional in virt - Fix typo in tunable declaration for fcron_crond - Introducing cron_manage_log_files interface - Introduce dontaudit interfaces for leaked fd and unix stream sockets - Dontaudit attempts by system_mail_t to use leaked fd or stream sockets - Support at service - Additional postfix admin requirements - Reintroduce postfix_var_run_t for pid 
directory and fowner capability - Postfix deferred queue should not mark mails as postfix_spool_maildrop_t - Running qemu with SDL support requires more xserver-related privileges - Fix typo in clockspeed comment - Support openvpn status file - Asterisk voicemail messages are generated from tmp - Make rtkit calls optional - Gentoo installs dovecot certs in /etc/ssl/dovecot - Moving sandbox code to sandbox section (v2) - Allow sandbox to log violations - Use rw_fifo_file_perms - Apache should not depend on gpg - Named init script creates rundir - Add ~/.maildir as a valid maildir destination - Support stunnel_read_config for startup - Updates on stunnel policy - More .maildir fixes - Mark make.profile entry as portage_conf_t (v2) - Move mta call (coding style) - Changes to puppet domain - Allow rpc admin to run exportfs - Grant sys_admin capability to puppet - Puppet module helper scripts are puppet_var_lib_t - Support netlink_route_socket creation for puppet - Puppet initscript creates /run/puppet - Puppet runs statfs against selinuxfs - mplayer streams HTTP resources - fcron and fcronsighup binaries are moved - Asterisk needs to search through logs - Denial in mail log on node bind - Fix typo in mcelog_admin (missing bracket) - Add in contexts for fcron rm.systab and systab.tmp - Remove pulseaudio filename_trans conflict - Allow asterisk admins to execute asterisk binary directly - Support tagfiles for consolekit - ConsoleKit needs to read the dbus machine-id - File context updates for courier-imap - Update on file contexts for OpenLDAP - Update on file contexts for wpa_supplicant - Allow IRC clients to read certificates - Allow reading /proc/self for fail2ban due to FAM support - Update file contexts for puppet - Support ~/.tmux.conf as tmux configuration file - Add setuid/setgid capability to ulogd_t - Support tmux control socket - Postfix creates defer(red) queue locations - |
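Review bot: Deleting all 2210 lines of policy/modules/contrib/Changelog removes the only prose record in this tree of why individual privileges were widened, for example "Shorewall needs sys_admin capability for manipulating network stack", "Grant sys_admin capability to puppet", "Re-add sys_admin capability that was lost with porting from Fedora" and "Allow pcscd the fsetid capability". The diffstat shown is limited to this one path and reports 0 insertions, so it is not visible from this diff whether those entries were carried over to another file. Please state in the commit message where this history now lives (another Changelog, or git log only), so that someone auditing a capability grant or a dontaudit rule in a contrib module can still trace it back to its stated justification.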