Changelog for selinux-policy-targeted-3.14.4-55.fc31.noarch.rpm:

* Thu Oct 01 2020 Zdenek Pytela - 3.14.4-55
- Allow domain write to an automount unnamed pipe
* Thu Aug 27 2020 Zdenek Pytela - 3.14.4-54
- Allow munin domain transition with NoNewPrivileges
- Allow syslogd_t domain to read/write tmpfs systemd-bootchart files
- Allow unconfined_t to node_bind icmp_sockets in node_t domain
- Change transitions for ~/.config/Yubico
- Add file context for ~/.config/Yubico
- Create macro corenet_icmp_bind_generic_node()
- Allow traceroute_t and ping_t to bind generic nodes.
- Allow systemd set efivarfs files attributes
- Split the arping path regexp to 2 lines to prevent from relabeling
* Thu Jun 04 2020 Zdenek Pytela - 3.14.4-53
- Support multiple ways of tlp invocation
- Split the arping path regexp to 2 lines to prevent from relabeling
- Allow initrc_t tlp_filetrans_named_content()
- Allow named transition for /run/tlp from a user shell
- Allow ipsec_mgmt_t mmap ipsec_conf_file_t files
* Tue May 19 2020 Zdenek Pytela - 3.14.4-52
- Label dirsrv systemd unit files and add dirsrv_systemctl()
- Allow nagios_plugin_domain execute programs in bin directories
- Update networkmanager_read_pid_files() to allow also list_dir_perms
- Update policy for NetworkManager_ssh_t
- Allow spamc_t domain to read network state
- Allow pdns_t domain to map files in /usr.
- Allow sys_admin capability for domain labeled systemd_bootchart_t
- Revert "Change arping path regexp to work around fixfiles incorrect handling"
- Change arping path regexp to work around fixfiles incorrect handling
- Allow strongswan use tun/tap devices and keys
* Fri Apr 03 2020 Zdenek Pytela - 3.14.4-51
- Allow NetworkManager_ssh_t to execute_no_trans for binary ssh_exec_t
- Allow NetworkManager manage dhcpd unit files
- Allow openfortivpn exec shell
- Add ibacm_t ipc_lock capability
- Remove container interface calling by named_filetrans_domain.
- Modify path for arping in netutils.fc to match both bin and sbin
- Add file context entry and file transition for /var/run/pam_timestamp
- Allow ipsec_t connectto ipsec_mgmt_t
* Thu Mar 19 2020 Zdenek Pytela - 3.14.4-50
- Allow zabbix_t manage and filetrans temporary socket files
- Allow NetworkManager read its unit files and manage services
- Label all NetworkManager fortisslvpn plugins as openfortivpn_exec_t
- Allow sssd read systemd-resolved runtime directory
- Allow sssd read NetworkManager's runtime directory
- Mark nm-cloud-setup systemd units as NetworkManager_unit_file_t
- Allow system_mail_t to signull pcscd_t
- Create interface pcscd_signull
- Allow postfix stream connect to cyrus through runtime socket
- Allow auditd poweroff or switch to single mode
* Sat Feb 22 2020 Lukas Vrabec - 3.14.4-49
- Allow httpd_t domain to mmap own var_lib_t files BZ(1804853)
- Allow ipda_custodia_t to create udp_socket and added permission nlmsg_read for netlink_route_sockets
- Update virt_read_qemu_pid_files interface
- Make file context more variable for /usr/bin/fusermount and /bin/fusermount
* Sat Feb 15 2020 Lukas Vrabec - 3.14.4-48
- Allow vhostmd communication with hosted virtual machines
- Add and update virt interfaces
- Update radiusd policy
- Allow systemd_private_tmp(named_tmp_t)
- Allow bacula dac_override capability
* Fri Feb 07 2020 Zdenek Pytela - 3.14.4-47
- Allow ipa_custodia_t create and use netlink_route_socket sockets.
- Allow networkmanager_t transition to setfiles_t
- Create init_create_dirs boolean to allow init create directories
- Create files_create_non_security_dirs() interface
* Fri Jan 31 2020 Zdenek Pytela - 3.14.4-46
- Added apache create log dirs macro
- Allow thumb_t connect to system_dbusd_t BZ(1795044)
- Allow saslauthd_t filetrans variable files for /tmp directory
- Allow openfortivpn_t to manage net_conf_t files.
- Introduce boolean openfortivpn_can_network_connect.
- Allow init_t to create apache log dirs.
- Add file transition for /dev/nvidia-uvm BZ(1770588)
- Update xserver_rw_session macro
* Fri Jan 24 2020 Zdenek Pytela - 3.14.4-45
- Make stratisd_t domain unconfined for now.
- stratisd_t policy updates.
- Label /var/spool/plymouth/boot.log as plymouthd_var_log_t
- Label /stratis as stratisd_data_t
- Allow opafm_t to create and use netlink rdma sockets.
- Allow stratisd_t domain to read/write fixed disk devices and removable devices.
- Add dac_override capability to stratisd_t domain
- Added macro for stratisd to chat over dbus
- Allow init_t set the nice level of all domains BZ(1778088)
- Allow userdomain to chat with stratisd over dbus.
* Mon Jan 13 2020 Lukas Vrabec - 3.14.4-44
- Fix typo in anaconda SELinux module
- Allow rtkit_t domain to control scheduling for your install_t processes
- Boolean: rngd_t to use executable memory
- Allow rngd_t domain to use nsswitch BZ(1787661)
- Allow exim to execute bin_t without domain trans
- Allow create udp sockets for abrt_upload_watch_t domains
- Drop label zebra_t for frr binaries
- Allow NetworkManager_t domain to get status of samba services
- Update milter policy to allow use sendmail
- Modify file context for .local directory to match exactly BZ(1637401)
- Add new file context rabbitmq_conf_t.
- Allow journalctl read init state BZ(1731753)
- Add fprintd_read_var_lib_dir and fprintd_setattr_var_lib_dir interfaces
- Allow pulseaudio create .config and dgram sendto to unpriv_userdomain
- Change type in transition for /var/cache/{dnf,yum} directory
- Allow cockpit_ws_t read efivarfs_t BZ(1777085)
- Allow abrt_dump_oops_t domain to create udp sockets BZ(1778030)
- Allow named_t domain to mmap named_zone_t files BZ(1647493)
- Make boinc_var_lib_t label system mountdir attribute
- Allow stratis_t domain to request load modules
- Update fail2ban policy
- Allow spamd_update_t access antivirus_unit_file_t BZ(1774092)
- Allow uuidd_t domain transition from systemd into confined domain with NoNewPrivileges systemd security feature.
- Allow rdisc_t domain transition from systemd into confined domain with NoNewPrivileges systemd security feature.
- Allow init_t domain to create own socket files in /tmp
- Allow ipsec_mgmt_t domain to mmap ipsec_conf_file_t files
- Allow userdomain dbus chat with systemd_resolved_t
- Allow init_t read and setattr on /var/lib/fprintd
- Allow systemd_domain to map files in /usr.
- Allow sysadm_t dbus chat with colord_t
- Allow confined users run fwupdmgr
- Allow confined users run machinectl
- Allow systemd labeled as init_t domain to create dirs labeled as var_t
- Allow systemd labeled as init_t do read/write tpm_device_t chr files BZ(1778079)
* Thu Nov 28 2019 Zdenek Pytela - 3.14.4-43
- Fix nonexisting types in rtas_errd_rw_lock interface
- Allow snmpd_t domain to trace processes in user namespace
- Allow zebra_t domain to execute zebra binaries
- Allow ksmtuned_t domain to trace processes in user namespace
- Allow systemd to read symlinks in /var/lib
- Update dev_mounton_all_device_nodes() interface
- Add the miscfiles_map_generic_certs macro to the sysnet_dns_name_resolve macro.
- Allow strongswan start using swanctl method BZ(1773381)
- Dontaudit systemd_tmpfiles_t getattr of all file types BZ(1772976)
* Fri Nov 22 2019 Zdenek Pytela - 3.14.4-42
- Allow NetworkManager_t manage dhcpc_state_t BZ(1770698)
- Label tcp ports 24816,24817 as pulp_port_t
* Wed Nov 13 2019 Lukas Vrabec - 3.14.4-41
- Fix typo bugs in rtas_errd_read_lock() interface
- Allow timedatex_t domain to systemctl chronyd domains
- Allow ipa_helper_t to read kr5_keytab_t files
- cockpit: Allow cockpit-session to read cockpit-tls state directory
- Allow stratisd_t domain to read nvme and fixed disk devices
- Update lldpad_t policy module
- Dontaudit tmpreaper_t getting attributes from sysctl_type files
- cockpit: Support https instance factory
- Added macro for timedatex to chat over dbus.
- Update files_manage_etc_runtime_files() interface to allow manage also dirs
- Dontaudit sys_admin capability for auditd_t domains
- Allow x_userdomain to read adjtime_t files
- Allow users using template userdom_unpriv_user_template() to run bpf tool
- Allow x_userdomain to dbus_chat with timedatex.
* Sun Nov 03 2019 Lukas Vrabec - 3.14.4-40
- Label /var/cache/nginx as httpd_cache_t
- Allow abrt_upload_watch_t domain to send dgram msgs to kernel processes and stream connect to journald
- Created dnsmasq_use_ipset boolean
- Allow capability dac_override in logwatch_mail_t domain
- Allow automount_t domain to execute ping in own SELinux domain (ping_t)
- Allow tmpreaper_t domain to getattr files labeled as mtrr_device_t
- Allow collectd_t domain to create netlink_generic_socket sockets
- Allow rhsmcertd_t domain to read/write rtas_errd_var_lock_t files
- Allow tmpwatch process labeled as tmpreaper_t domain to execute fuser command.
- Label /etc/postfix/chroot-update as postfix_exec_t
- Update tmpreaper_t policy due to fuser command
- Allow kdump_t domain to create netlink_route and udp sockets
- Allow stratisd to connect to dbus
- Allow fail2ban_t domain to create netlink netfilter sockets.
- Allow dovecot get filesystem quotas
- Allow networkmanager_t domain to execute chronyd binary in chronyd_t domain. BZ(1765689)
- Allow systemd-tmpfiles processes to set rlimit information
- Update files_filetrans_named_content() interface to allow caller domain to create /oldroot /.profile with correct label etc_runtime_t
- Allow systemd_logind to read dosfs files & dirs
  Allow systemd-logind - a system service that manages user logins, to read files and list dirs on a DOS filesystem
* Fri Oct 25 2019 Lukas Vrabec - 3.14.4-39
- Allow confined users to run newaliases
- Add interface mysql_dontaudit_rw_db()
- Label /var/lib/xfsdump/inventory as amanda_var_lib_t
- Allow tmpreaper_t domain to read all domains state
- Make httpd_var_lib_t label system mountdir attribute
- Update cockpit policy
- Allow nagios_script_t domain list files labeled sysfs_t.
- Allow jetty_t domain search and read cgroup_t files.
- Dontaudit ifconfig_t domain to read/write mysqld_db_t files
- Dontaudit domains read/write leaked pipes
* Tue Oct 22 2019 Lukas Vrabec - 3.14.4-38
- Allow nagios_script_t domain list files labeled sysfs_t.
- Allow jetty_t domain search and read cgroup_t files.
- Allow Gluster mount client to mount files_type
- Dontaudit and disallow sys_admin capability for keepalived_t domain
- Update numad policy to allow signull, kill, nice and trace processes
- Allow ipmievd_t to RW watchdog devices
- Update allow rules set for pads_t domain
- Allow networkmanager_t domain domain transition to chronyc_t domain BZ(1760226)
- Update apache and pkcs policies to make active opencryptoki rules
- Allow ldconfig_t domain to manage initrc_tmp_t link files
  Allow netutils_t domain to write to initrc_tmp_t fifo files
- Allow user domains to manage user session services
- Allow staff and user users to get status of user systemd session
- Update sudo_role_template() to allow caller domain to read syslog pid files
* Wed Oct 09 2019 Lukas Vrabec - 3.14.4-37
- Remove duplicate file context for /usr//bin/nova-api-metadata
- Introduce new boolean httpd_use_opencryptoki
- Allow setroubleshoot_fixit_t to read random_device_t
- Label /etc/named directory as named_conf_t BZ(1759495)
- Allow dkim to execute sendmail
- Update virt_read_content interface to allow caller domain mmap virt_content_t block devices and files
- Update aide_t domain to allow this tool to analyze also /dev filesystem
- Update interface modutils_read_module_deps to allow caller domain also mmap modules_dep_t files BZ(1758634)
- Allow avahi_t to send msg to xdm_t
- Update dev_manage_sysfs() to support managing also lnk files BZ(1759019)
- Allow systemd_logind_t domain to read blk_files in domain removable_device_t
- Add new interface udev_getattr_rules_chr_files()
* Fri Oct 04 2019 Lukas Vrabec - 3.14.4-36
- Update aide_t domain to allow this tool to analyze also /dev filesystem
- Allow bitlbee_t domain map files in /usr
- Allow stratisd to getattr of fixed disk device nodes
- Add net_broadcast capability to openvswitch_t domain BZ(1716044)
- Allow exim_t to read mysqld conf files if exim_can_connect_db is enabled. BZ(1756973)
- Allow cobblerd_t domain search apache configuration dirs
- Dontaudit NetworkManager_t domain to write to kdump temp pipes BZ(1750428)
- Label /var/log/collectd.log as collectd_log_t
- Allow boltd_t domain to manage sysfs files and dirs BZ(1754360)
- Add fowner capability to the pcp_pmlogger_t domain BZ(1754767)
- networkmanager: allow NetworkManager_t to create bluetooth_socket
- Fix ipa_custodia_stream_connect interface
- Add new interface udev_getattr_rules_chr_files()
- Make dbus-broker service working on s390x arch
- Add new interface dev_mounton_all_device_nodes()
- Add new interface dev_create_all_files()
- Allow systemd(init_t) to load kernel modules
- Allow ldconfig_t domain to manage initrc_tmp_t objects
- Add new interface init_write_initrc_tmp_pipes()
- Add new interface init_manage_script_tmp_files()
- Allow xdm_t setpcap capability in user namespace BZ(1756790)
- Allow xdm_t domain to use netlink_route sockets BZ(1756791)
- Update files_create_var_lib_dirs() interface to allow caller domain also set attributes of var_lib_t directory BZ(1754245)
- Allow sudo userdomain to run rpm related commands
- Add sys_admin capability for ipsec_t domain
- Allow systemd_modules_load_t domain to read systemd pid files
- Add new interface init_read_pid_files()
- Allow systemd labeled as init_t domain to manage faillog_t objects
- Add file context ipsec_var_run_t for /var/run/charon\.dck to ipsec.fc
- Make ipa_custodia policy active
- Make stratisd policy active
* Fri Sep 20 2019 Lukas Vrabec - 3.14.4-35
- Fix ipa_custodia_stream_connect interface
- Allow systemd_modules_load_t domain to read systemd pid files
- Add new interface init_read_pid_files()
- Allow systemd labeled as init_t domain to manage faillog_t objects
- Add file context ipsec_var_run_t for /var/run/charon\.dck to ipsec.fc
* Fri Sep 20 2019 Lukas Vrabec - 3.14.4-34
- Run ipa-custodia as ipa_custodia_t
- Update webalizer_t SELinux policy
- Dontaudit thumb_t domain to getattr of nsfs_t files BZ(1753598)
- Allow rhsmcertd_t domain to read rtas_errd lock files
- Add new interface rtas_errd_read_lock()
- Update allow rules set for nrpe_t domain
- Update timedatex SELinux policy to synchronize time with GNOME and add new macro chronyd_service_status to chronyd.if
- Allow avahi_t to send msg to lpr_t
- Label /dev/shm/dirsrv/ with dirsrv_tmpfs_t label
- Allow dlm_controld_t domain to read random device
- Add sys_ptrace capability to pcp_pmlogger_t domain BZ(1751816)
- Allow gssproxy_t domain read state of all processes on system
- Make ipa_custodia policy active
- Make stratisd policy active
- Introduce xdm_manage_bootloader boolean
- Add new macro systemd_timedated_status to systemd.if to get timedated service status
- Allow xdm_t domain to read sssd pid files BZ(1753240)
* Fri Sep 13 2019 Lukas Vrabec - 3.14.4-33
- Add sys_ptrace capability to pcp_pmlogger_t domain BZ(1751816)
- Allow gssproxy_t domain read state of all processes on system
- Update travis-CI file
- Fix syntax errors in keepalived policy
- Add sys_admin capability for keepalived_t labeled processes
- Allow user_mail_domain attribute to manage files labeled as etc_aliases_t.
- Create new type ipmievd_helper_t domain for loading kernel modules.
- Run stratisd service as stratisd_t
- Fix abrt_upload_watch_t in abrt policy
- Update keepalived policy
- Update cron_role, cron_admin_role and cron_unconfined_role to avoid *_t_t types
- Revert "Create admin_crontab_t and admin_crontab_tmp_t types"
- Revert "Update cron_role() template to accept third parameter with SELinux domain prefix"
- Allow amanda_t to manage its var lib files and read random_device_t
- Create admin_crontab_t and admin_crontab_tmp_t types
- Add setgid and setuid capabilities to keepalived_t domain
- Update cron_role() template to accept third parameter with SELinux domain prefix
- Allow psad_t domain to create tcp diag sockets BZ(1750324)
- Allow systemd to mount fwupd_cache_t BZ(1750288)
- Allow chronyc_t domain to append to all non_security files
- Update zebra SELinux policy to make it work also with frr service
- Allow rtkit_daemon_t domain set process nice value in user namespaces BZ(1750024)
- Dontaudit rhsmcertd_t to write to dirs labeled as lib_t BZ(1556763)
- Label /var/run/mysql as mysqld_var_run_t
- Allow chronyd_t domain to manage and create chronyd_tmp_t dirs,files,sock_file objects.
- Update timedatex policy to manage localization
- Allow sandbox_web_type domains to sys_ptrace and sys_chroot in user namespaces
- Update gnome_dontaudit_read_config
- Allow devicekit_var_lib_t dirs to be created by systemd during service startup. BZ(1748997)
- Update travis-CI file
- Allow systemd labeled as init_t domain to remount rootfs filesystem
- Add interface files_remount_rootfs()
- Dontaudit sys_admin capability for iptables_t SELinux domain
- Allow userdomains to dbus chat with policykit daemon
- Update userdomains to pass correct parameters based on updates from cron_*_role interfaces
- New interface files_append_non_security_files()
- Label 2618/tcp and 2618/udp as priority_e_com_port_t
- Label 2616/tcp and 2616/udp as appswitch_emp_port_t
- Label 2615/tcp and 2615/udp as firepower_port_t
- Label 2610/tcp and 2610/udp as versa_tek_port_t
- Label 2613/tcp and 2613/udp as smntubootstrap_port_t
- Label 3784/tcp and 3784/udp as bfd_control_port_t
- Remove rule allowing all processes to stream connect to unconfined domains
* Wed Sep 04 2019 Lukas Vrabec - 3.14.4-32
- Allow zabbix_t domain to manage zabbix_var_lib_t sock files and connect to unix_stream_socket
- Dontaudit sandbox web types to setattr lib_t dirs
- Dontaudit system_mail_t domains to check for existence of other applications on system BZ(1747369)
- Allow haproxy_t domain to read network state of system
- Allow processes labeled as keepalived_t domain to get process group
- Introduce dbusd_unit_file_type
- Allow pesign_t domain to read/write named cache files.
- Label /var/log/hawkey.log as rpm_log_t and update rpm named filetrans interfaces.
- Allow httpd_t domain to read/write named_cache_t files
- Add new interface bind_rw_cache()
- Allow cupsd_t domain to create directory with name ppd in dirs labeled as cupsd_etc_t with label cupsd_rw_etc_t.
- Update cpucontrol_t SELinux policy
- Allow pcp_pmcd_t domain to bind on udp port labeled as statsd_port_t
- Run lldpd service as lldpad_t.
- Allow spamd_update_t domain to create unix dgram sockets.
- Update dbus role template for confined users to allow login into x session
- Label /usr/libexec/microcode_ctl/reload_microcode as cpucontrol_exec_t
- Fix typo in networkmanager_append_log() interface
- Update collectd policy to allow daemon create /var/log/collectd with collectd_log_t label
- Allow login user type to use systemd user session
- Allow xdm_t domain to start dbusd services.
- Introduce new type xdm_unit_file_t
- Remove allowing all domain to communicate over pipes with all domain under rpm_transition_domain attribute
- Allow systemd labeled as init_t to remove sockets with tmp_t label BZ(1745632)
- Allow ipsec_t domain to read/write named cache files
- Allow sysadm_t to create hawkey log file with rpm_log_t SELinux label
- Allow domains systemd_networkd_t and systemd_logind_t to chat over dbus
- Label udp 8125 port as statsd_port_t
* Tue Aug 13 2019 Lukas Vrabec - 3.14.4-31
- Update timedatex policy BZ(1734197)
* Tue Aug 13 2019 Lukas Vrabec - 3.14.4-30
- cockpit: Allow cockpit-session to read cockpit-tls state
- Allow zebrat_t domain to read state of NetworkManager_t processes BZ(1739983)
- Allow named_t domain to read/write samba_var_t files BZ(1738794)
- Dontaudit abrt_t domain to read root_t files
- Allow ipa_dnskey_t domain to read kerberos keytab
- Allow mongod_t domain to read cgroup_t files BZ(1739357)
- Update ibacm_t policy
- Allow systemd to relabel all files on system.
- Revert "Add new boolean systemd_can_relabel"
- Allow xdm_t domain to read kernel sysctl BZ(1740385)
- Add sys_admin capability for xdm_t in user namespace. BZ(1740386)
- Allow dbus communications with resolved for DNS lookups
- Add new boolean systemd_can_relabel
- Allow auditd_t domain to create auditd_tmp_t temporary files and dirs in /tmp or /var/tmp
- Label '/var/usrlocal/(.*/)?sbin(/.*)?' as bin_t
- Update systemd_dontaudit_read_unit_files() interface to dontaudit also listing dirs
- Run lvmdbusd service as lvm_t
* Wed Aug 07 2019 Lukas Vrabec - 3.14.4-29
- Allow dlm_controld_t domain setgid capability
- Fix SELinux modules not installing in chroots.
  Resolves: rhbz#1665643
* Tue Aug 06 2019 Lukas Vrabec - 3.14.4-28
- Allow systemd to create and bindmount dirs. BZ(1734831)
* Mon Aug 05 2019 Lukas Vrabec - 3.14.4-27
- Allow tlp domain run tlp in trace mode BZ(1737106)
- Make timedatex_t domain system dbus bus client BZ(1737239)
- Allow cgdcbxd_t domain to list cgroup dirs
- Allow systemd to create and bindmount dirs. BZ(1734831)
* Tue Jul 30 2019 Lukas Vrabec - 3.14.4-26
- New policy for rrdcached
- Allow dhcpd_t domain to read network sysctls.
- Allow nut services to communicate with unconfined domains
- Allow virt_domain to support ecryptfs home dirs.
- Allow domain transition lsmd_t to sensord_t
- Allow httpd_t to signull mailman_cgi_t process
- Make rrdcached policy active
- Label /etc/sysconfig/ip6?tables\.save as system_conf_t
  Resolves: rhbz#1733542
- Allow machinectl to run pull-tar BZ(1724247)
* Fri Jul 26 2019 Lukas Vrabec - 3.14.4-25
- Allow spamd_update_t domain to read network state of system BZ(1733172)
- Allow dlm_controld_t domain to transition to the lvm_t
- Allow sandbox_web_client_t domain to do sys_chroot in user namespace
- Allow virtlockd process read virtlockd.conf file
- Add more permissions for session dbus types to make working dbus broker with systemd user sessions
- Allow sssd_t domain to read gnome config and named cache files
- Allow brltty to request to load kernel module
- Add svnserve_tmp_t label for svnserve temp files to system private tmp
- Allow sssd_t domain to read kernel net sysctls BZ(1732185)
- Run timedatex service as timedatex_t
- Allow mysqld_t domain to domtrans to ifconfig_t domain when executing ifconfig tool
- Allow cyrus work with PrivateTmp
- Make cgdcbxd_t domain working with SELinux enforcing.
- Make working wireshark execute by confined users staff_t and sysadm_t
- Dontaudit virt_domain to manage ~/.cache dirs BZ(1730963)
- Allow svnserve_t domain to read system state
- allow named_t to map named_cache_t files
- Label user cron spool file with user_cron_spool_t
- Update gnome_role_template() template to allow sysadm_t confined user to login to xsession
- Allow lograte_t domain to manage collect_rw_content files and dirs
- Add interface collectd_manage_rw_content()
- Allow ifconfig_t domain to manage vmware logs
- Remove system_r role from staff_u user.
- Make new timedatex policy module active
- Add systemd_private_tmp_type attribute
- Allow systemd to load kernel modules during boot process.
- Allow sysadm_t and staff_t domains to read wireshark shared memory
- Label /usr/libexec/utempter/utempter as utemper_exec_t
- Allow ipsec_t domain to read/write l2tpd pipe BZ(1731197)
- Allow sysadm_t domain to create netlink selinux sockets
- Make cgdcbxd active in Fedora upstream sources
* Wed Jul 17 2019 Lukas Vrabec - 3.14.4-24
- Label user cron spool file with user_cron_spool_t
- Update gnome_role_template() template to allow sysadm_t confined user to login to xsession
- Allow lograte_t domain to manage collect_rw_content files and dirs
- Add interface collectd_manage_rw_content()
- Allow systemd_hostnamed_t domain to dbus chat with sosreport_t domain
- Update tomcat_can_network_connect_db boolean to allow tomcat domains also connect to redis ports
- Allow mysqld_t domain to manage cluster pid files
- Relabel /usr/sbin/virtlockd from virt_exec_t to virtlogd_exec_t.
- Allow ptp4l_t domain to write to pmc socket which is created by pmc command line tool
- Allow dkim-milter to send e-mails BZ(1716937)
- Update spamassassin policy to make working /usr/share/spamassassin/sa-update.cron script BZ(1711799)
- Update svnserve_t policy to make working svnserve hooks
- Allow varnishlog_t domain to check for presence of varnishd_t domains
- Update sandboxX policy to make working firefox inside SELinux sandbox
- Remove allow rule from svirt_transition_svirt_sandbox interface to don't allow containers to connect to random services
- Allow httpd_t domain to read /var/lib/softhsm/tokens to allow httpd daemon to use pkcs#11 devices
- Allow gssd_t domain to list tmpfs_t dirs
- Allow mdadm_t domain to read tmpfs_t files
- Allow sbd_t domain to check presence of processes labeled as cluster_t
- Dontaudit httpd_sys_script_t to read systemd unit files
- Allow blkmapd_t domain to read nvme devices
- Update cpucontrol_t domain to make working microcode service
- Allow domain transition from logwatch_t to postfix_postqueue_t
- Allow chronyc_t domain to create and write to non_security files in case when sysadmin is redirecting output to file e.g: 'chronyc -n tracking > /var/lib/test'
- Allow httpd_sys_script_t domain to mmap httpcontent
- Allow sbd_t to manage cgroups_t files
- Update wireshark policy to make working tshark labeled as wireshark_t
- Update virt_use_nfs boolean to allow svirt_t domain to mmap nfs_t files
- Allow sysadm_t domain to create netlink selinux sockets
- Make cgdcbxd active in Fedora upstream sources
- Allow sysadm_t domain to dbus chat with rtkit daemon
- Allow x_userdomains to nnp domain transition to thumb_t domain
- Allow unconfined_domain_type to setattr own process lnk files.
- Add interface files_write_generic_pid_sockets()
- Dontaudit writing to user home dirs by gnome-keyring-daemon
- Allow staff and admin domains to setpcap in user namespace
- Allow staff and sysadm to use lockdev
- Allow staff and sysadm users to run iotop.
- Dontaudit traceroute_t domain require sys_admin capability
- Dontaudit dbus chat between kernel_t and init_t
- Allow systemd labeled as init_t to create mountpoints without any specific label as default_t
* Wed Jul 10 2019 Lukas Vrabec - 3.14.4-23
- Update dbusd policy and networkmanager to allow confined users to connect to vpn over NetworkManager
- Fix all interfaces which cannot be compiled because of typos
- Allow X userdomains to mmap user_fonts_cache_t dirs
* Mon Jul 08 2019 Lukas Vrabec - 3.14.4-22
- Label /var/kerberos/krb5 as krb5_keytab_t
- Allow glusterd_t domain to setpgid
- Allow lsmd_t domain to execute /usr/bin/debuginfo-install
- Allow sbd_t domain to manage cgroup dirs
- Allow opafm_t domain to modify scheduling information of another process.
- Allow wireshark_t domain to create netlink netfilter sockets
- Allow gpg_agent_t domain to use nsswitch
- Allow httpd script types to mmap httpd rw content
- Allow dkim_milter_t domain to execute shell BZ(17116937)
- Allow sbd_t domain to use nsswitch
- Allow rhsmcertd_t domain to send signull to all domains
- Allow snort_t domain to create netlink netfilter sockets BZ(1723184)
- Dontaudit blueman to read state of all domains on system BZ(1722696)
- Allow boltd_t domain to use ps and get state of all domains on system. BZ(1723217)
- Allow rtkit_daemon_t to use sys_ptrace usernamespace capability BZ(1723308)
- Replace "-" by "_" in types names
- Change condor_domain declaration in condor_systemctl
- Allow firewalld_t domain to read iptables_var_run_t files BZ(1722405)
- Allow auditd_t domain to send signals to audisp_remote_t domain
- Allow systemd labeled as init_t domain to read/write faillog_t. BZ(1723132)
- Allow systemd_tmpfiles_t domain to relabel from usermodehelper_t files
- Add interface kernel_relabelfrom_usermodehelper()
- Dontaudit unpriv_userdomain to manage boot_t files
- Allow xdm_t domain to mmap /var/lib/gdm/.cache/fontconfig BZ(1725509)
- Allow systemd to execute bootloader grub2-set-bootflag BZ(1722531)
- Allow associate efivarfs_t on sysfs_t
* Tue Jun 18 2019 Lukas Vrabec - 3.14.4-21
- Add vnstatd_var_lib_t to mountpoint attribute BZ(1648864)
- cockpit: Support split-out TLS proxy
- Allow dkim_milter_t to use shell BZ(1716937)
- Create explicit fc rule for mailman executable BZ(1666004)
- Update interface networkmanager_manage_pid_files() to allow manage also dirs
- Allow dhcpd_t domain to mmap dnssec_t files BZ(1718701)
- Add new interface bind_map_dnssec_keys()
- Update virt_use_nfs() boolean to allow virt_t to mmap nfs_t files
- Allow redis_t domain to read public sssd files
- Allow fetchmail_t to connect to dovecot stream sockets BZ(1715569)
- Allow confined users to login via cockpit
- Allow nfsd_t domain to do chroot because of new version of nfsd
- Add gpg_agent_roles to system_r roles
- Allow qpidd_t domain to getattr all fs_t filesystem and mmap usr_t files
- Allow rhsmcertd_t domain to manage rpm cache
- Allow sbd_t domain to read tmpfs_t symlinks
- Allow ctdb_t domain to manage samba_var_t files/links/sockets and dirs
- Allow kadmind_t domain to read home config data
- Allow sbd_t domain to readwrite cgroups
- Allow NetworkManager_t domain to read nsfs_t files BZ(1715597)
- Label /var/log/pacemaker/pacemaker as cluster_var_log_t
- Allow certmonger_t domain to manage named cache files/dirs
- Allow pcp_pmcd_t domain to domtrans to mdadm_t domain BZ(1714800)
- Allow crack_t domain read /etc/passwd files
- Label fontconfig cache and config files and directories BZ(1659905)
- Allow dhcpc_t domain to manage network manager pid files
- Label /usr/sbin/nft as iptables_exec_t
- Allow userdomain attribute to manage cockpit_ws_t stream sockets
- Allow ssh_agent_type to read/write cockpit_session_t unnamed pipes
- Add interface ssh_agent_signal()
* Thu May 30 2019 Lukas Vrabec - 3.14.4-20
- Allow pcp_pmcd_t domain to domtrans to mdadm_t domain BZ(1714800)
- Allow spamd_update_t to exec itself
- Fix broken logwatch SELinux module
- Allow logwatch_mail_t to manage logwatch cache files/dirs
- Update wireshark_t domain to use several sockets
- Allow sysctl_rpc_t and sysctl_irq_t to be stored on fs_t
* Mon May 27 2019 Lukas Vrabec - 3.14.4-19
- Fix bind_read_cache() interface to allow only read perms to caller domains
- [speech-dispatcher.if] m4 macro names can not have - in them
- Grant varnishlog_t access to varnishd_etc_t
- Allow nrpe_t domain to read process state of systemd_logind_t
- Allow mongod_t domain to connect on https port BZ(1711922)
- Allow chronyc_t domain to create own tmpfiles and allow communicate send data over unix dgram sockets
- Dontaudit spamd_update_t domain to read all domains states BZ(1711799)
- Allow pcp_pmie_t domain to use sys_ptrace usernamespace cap BZ(1705871)
- Allow userdomains to send data over dgram sockets to userdomains dbus services BZ(1710119)
- Revert "Allow userdomains to send data over dgram sockets to userdomains dbus services BZ(1710119)"
- Make boinc_var_lib_t mountpoint BZ(1711682)
- Allow wireshark_t domain to create fifo temp files
- All NetworkManager_ssh_t rules have to be in same optional block with ssh_basic_client_template(), fixing this bug in NetworkManager policy
- Allow dbus chat between NetworkManager_t and NetworkManager_ssh_t domains. BZ(1677484)
- Fix typo in gpg SELinux module
- Update gpg policy to make it working with confined users
- Add domain transition that systemd labeled as init_t can execute spamd_update_exec_t binary to run newly created process as spamd_update_t
- Remove allow rule for virt_qemu_ga_t to write/append user_tmp_t files
- Label /var/run/user/*/dbus-1 as session_dbusd_tmp_t
- Add dac_override capability to namespace_init_t domain
- Label /usr/sbin/corosync-qdevice as cluster_exec_t
- Allow NetworkManager_ssh_t domain to open communication channel with system dbus. BZ(1677484)
- Label /usr/libexec/dnf-utils as debuginfo_exec_t
- Allow nrpe_t to send signull to sssd domain when nagios_run_sudo boolean is turned on
- Allow nrpe_t domain to be dbus client
- Add interface sssd_signull()
- Build in parallel on Travis
- Fix parallel build of the policy
- Revert "Make able deply overcloud via neutron_t to label nsfs as fs_t"
- Add interface systemd_logind_read_state()
- Fix find commands in Makefiles
- Allow systemd-timesyncd to read network state BZ(1694272)
- Update userdomains to allow confined users to create gpg keys
- Allow associate all filesystem_types with fs_t
- Dontaudit syslogd_t using kill in user namespaces BZ(1711122)
- Allow init_t to manage session_dbusd_tmp_t dirs
- Allow systemd_gpt_generator_t to read/write to clearance
- Allow su_domain_type to getattr to /dev/gpmctl
- Update userdom_login_user_template() template to make working systemd user session for guest and xguest SELinux users
* Fri May 17 2019 Lukas Vrabec - 3.14.4-18
- Fix typo in gpg SELinux module
- Update gpg policy to make it working with confined users
- Add domain transition that systemd labeled as init_t can execute spamd_update_exec_t binary to run newly created process as spamd_update_t
- Remove allow rule for virt_qemu_ga_t to write/append user_tmp_t files
- Label /var/run/user/*/dbus-1 as session_dbusd_tmp_t
- Add dac_override capability to namespace_init_t domain
- Label /usr/sbin/corosync-qdevice as cluster_exec_t
- Allow NetworkManager_ssh_t domain to open communication channel with system dbus. BZ(1677484)
- Label /usr/libexec/dnf-utils as debuginfo_exec_t
- Allow nrpe_t to send signull to sssd domain when nagios_run_sudo boolean is turned on
- Allow nrpe_t domain to be dbus client
- Add interface sssd_signull()
- Label /usr/bin/tshark as wireshark_exec_t
- Update userdomains to allow confined users to create gpg keys
- Allow associate all filesystem_types with fs_t
- Dontaudit syslogd_t using kill in user namespaces BZ(1711122)
- Allow init_t to manage session_dbusd_tmp_t dirs
- Allow systemd_gpt_generator_t to read/write to clearance
- Allow su_domain_type to getattr to /dev/gpmctl
- Update userdom_login_user_template() template to make working systemd user session for guest and xguest SELinux users
* Fri May 17 2019 Lukas Vrabec - 3.14.4-17
- Allow nrpe_t to send signull to sssd domain when nagios_run_sudo boolean is turned on
- Allow nrpe_t domain to be dbus client
- Add interface sssd_signull()
- Label /usr/bin/tshark as wireshark_exec_t
- Fix typo in dbus_role_template()
- Allow userdomains to send data over dgram sockets to userdomains dbus services BZ(1710119)
- Allow userdomains dbus domain to execute dbus broker. BZ(1710113)
- Allow dovecot_deliver_t setuid/setgid capabilities BZ(1709572)
- Allow virt domains to access xserver devices BZ(1705685)
- Allow aide to be executed by systemd with correct (aide_t) domain BZ(1648512)
- Dontaudit svirt_tcg_t domain to read process state of libvirt BZ(1594598)
- Allow pcp_pmie_t domain to use fsetid capability BZ(1708082)
- Allow pcp_pmlogger_t to use setrlimit BZ(1708951)
- Allow gpsd_t domain to read udev db BZ(1709025)
- Add sys_ptrace capability for namespace_init_t domain
- Allow systemd to execute sa-update in spamd_update_t domain BZ(1705331)
- Allow rhsmcertd_t domain to read rpm cache files
- Label /efi same as /boot/efi boot_t BZ(1571962)
- Allow transition from udev_t to tlp_t BZ(1705246)
- Remove initrc_exec_t for /usr/sbin/apachectl file
* Fri May 03 2019 Lukas Vrabec - 3.14.4-16
- Add fcontext for apachectl util to fix missing output when executed "httpd -t" from this script.
* Thu May 02 2019 Lukas Vrabec - 3.14.4-15
- Allow iscsid_t domain to mmap modules_dep_t files
- Allow nagios to use chown capability
- Dontaudit gpg_domain to create netlink_audit sockets
- Remove role transition in rpm_run() interface to allow sysadm_r jump to rpm_t type. BZ(1704251)
- Allow dirsrv_t domain to execute own tmp files BZ(1703111)
- Update fs_rw_cephfs_files() interface to allow also caller domain to read/write cephfs_t lnk files
- Update domain_can_mmap_files() boolean to allow also mmap lnk files
- Improve userdom interfaces to drop guest_u SELinux user to use nsswitch
* Fri Apr 26 2019 Lukas Vrabec - 3.14.4-14
- Allow transition from cockpit_session to unpriv user domains
* Thu Apr 25 2019 Lukas Vrabec - 3.14.4-13
- Introduce deny_bluetooth boolean
- Allow greylist_milter_t to read network system state BZ(1702672)
- Allow freeipmi domains to mmap freeipmi_var_cache_t files
- Allow rhsmcertd_t and rpm_t domains to chat over dbus
- Allow thumb_t domain to delete cache_home_t files BZ(1701643)
- Update gnome_role_template() to allow _gkeyringd_t domains to chat with systemd_logind over dbus
- Add new interface boltd_dbus_chat()
- Allow fwupd_t and modemmanager_t domains to communicate over dbus BZ(1701791)
- Allow keepalived_t domain to create and use netlink_connector sockets BZ(1701750)
- Allow cockpit_ws_t domain to set limits BZ(1701703)
- Update Nagios policy when sudo is used
- Daemon rhsmcertd is able to install certs for docker again
- Introduce deny_bluetooth boolean
- Don't allow a container to connect to random services
- Remove file context /usr/share/spamassassin/sa-update\.cron -> bin_t to label sa-update.cron as spamd_update_exec_t.
- Allow systemd_logind_t and systemd_resolved_t domains to chat over dbus
- Allow unconfined_t to use bpf tools
- Allow x_userdomains to communicate with boltd daemon over dbus
* Fri Apr 19 2019 Lukas Vrabec - 3.14.4-12
- Fix typo in cups SELinux policy
- Allow iscsid_t to read modules deps BZ(1700245)
- Allow cups_pdf_t domain to create cupsd_log_t dirs in /var/log BZ(1700442)
- Allow httpd_rotatelogs_t to execute generic binaries
- Update system_dbus policy because of dbus-broker-20-2
- Allow httpd_t domain to read/write /dev/zero device BZ(1700758)
- Allow tlp_t domain to read module deps files BZ(1699459)
- Add file context for /usr/lib/dotnet/dotnet
- Update dev_rw_zero() interface by adding map permission
- Allow bounded transition for executing init scripts
* Fri Apr 12 2019 Lukas Vrabec - 3.14.4-11
- Allow mongod_t domain to lsearch in cgroups BZ(1698743)
- Allow rngd communication with pcscd BZ(1679217)
- Create cockpit_tmpfs_t and allow cockpit ws and session to use it BZ(1698405)
- Fix broken networkmanager interface for allowing manage lib files for dnsmasq_t.
- Update logging_send_audit_msgs(sudodomain() to control TTY auditing for netlink socket for audit service
* Tue Apr 09 2019 Lukas Vrabec - 3.14.4-10
- Allow systemd_modules_load to read modules_dep_t files
- Allow systemd labeled as init_t to setattr on unallocated ttys BZ(1697667)
* Mon Apr 08 2019 Lukas Vrabec - 3.14.4-9
- Merge #18 `Add check for config file consistency`
- Allow tlp_t domain also write to nvme_devices block devices BZ(1696943)
- Fix typo in rhsmcertd SELinux module
- Allow dnsmasq_t domain to manage NetworkManager_var_lib_t files
- Allow rhsmcertd_t domain to read yum.log file labeled as rpm_log_t
- Allow unconfined users to use vsock unlabeled sockets
- Add interface kernel_rw_unlabeled_vsock_socket()
- Allow unconfined users to use smc unlabeled sockets
- Add interface kernel_rw_unlabeled_smc_socket
- Allow systemd_resolved_t domain to read system network state BZ(1697039)
- Allow systemd to mounton kernel sysctls BZ(1696201)
- Add interface kernel_mounton_kernel_sysctl() BZ(1696201)
- Allow systemd to mounton several systemd directories to increase security of systemd Resolves: rhbz#1696201
* Fri Apr 05 2019 Lukas Vrabec - 3.14.4-8
- Allow systemd to mounton several systemd directories to increase security of systemd Resolves: rhbz#1696201
* Wed Apr 03 2019 Lukas Vrabec - 3.14.4-7
- Allow fontconfig file transition for xguest_u user
- Add gnome_filetrans_fontconfig_home_content interface
- Add permissions needed by systemd's machinectl shell/login
- Update SELinux policy for xen services
- Add dac_override capability for kdumpctl_t process domain
- Allow chronyd_t domain to exec shell
- Fix varnishncsa typo
- Allow init start freenx-server BZ(1678025)
- Create logrotate_use_fusefs boolean
- Add tcpd_wrapped_domain for telnetd BZ(1676940)
- Allow tcpd bind to services ports BZ(1676940)
- Update mysql_filetrans_named_content() to allow cluster to create mysql dirs in /var/run with proper label mysqld_var_run_t
- Make shell_exec_t type as entrypoint for vmtools_unconfined_t.
- Merge branch 'rawhide' of github.com:fedora-selinux/selinux-policy-contrib into rawhide
- Allow virtlogd_t domain to create virt_etc_rw_t files in virt_etc_t
- Allow esmtp access .esmtprc BZ(1691149)
- Merge branch 'rawhide' of github.com:fedora-selinux/selinux-policy-contrib into rawhide
- Allow tlp_t domain to read nvme block devices BZ(1692154)
- Add support for smart card authentication in cockpit BZ(1690444)
- Add permissions needed by systemd's machinectl shell/login
- Allow kmod_t domain to mmap modules_dep_t files.
- Allow systemd_machined_t dac_override capability BZ(1670787)
- Update modutils_read_module_deps_files() interface to also allow mmap module_deps_t files
- Allow unconfined_domain_type to use bpf tools BZ(1694115)
- Revert "Allow unconfined_domain_type to use bpf tools BZ(1694115)"
- Merge branch 'rawhide' of github.com:fedora-selinux/selinux-policy into rawhide
- Allow unconfined_domain_type to use bpf tools BZ(1694115)
- Allow init_t read mnt_t symlinks BZ(1637070)
- Update dev_filetrans_all_named_dev() interface
- Allow xdm_t domain to execmod temp files BZ(1686675)
- Revert "Allow xdm_t domain to create own tmp files BZ(1686675)"
- Allow getty_t, local_login_t, chkpwd_t and passwd_t to use usbttys. BZ(1691582)
- Allow confined users labeled as staff_t to run iptables.
- Merge branch 'rawhide' of github.com:fedora-selinux/selinux-policy into rawhide
- Allow xdm_t domain to create own tmp files BZ(1686675)
- Add miscfiles_dontaudit_map_generic_certs interface.
* Sat Mar 23 2019 Lukas Vrabec - 3.14.4-6
- Allow boltd_t domain to write to sysfs_t dirs BZ(1689287)
- Allow fail2ban execute journalctl BZ(1689034)
- Update sudodomains to make working confined users run sudo/su
- Introduce new boolean unconfined_dyntrans_all.
- Allow iptables_t domain to read NetworkManager state BZ(1690881)
* Tue Mar 19 2019 Lukas Vrabec - 3.14.4-5
- Update xen SELinux module
- Improve labeling for PCP plugins
- Allow varnishd_t domain to read sysfs_t files
- Update vmtools policy
- Allow virt_qemu_ga_t domain to read udev_var_run_t files
- Update nagios_run_sudo boolean with few allow rules related to accessing sssd
- Update file context for modutils rhbz#1689975
- Label /dev/xen/hypercall and /dev/xen/xenbus_backend as xen_device_t Resolves: rhbz#1679293
- Grant permissions for onloadfs files of all classes.
- Allow all domains to send dbus msgs to vmtools_unconfined_t processes
- Label /dev/pkey as crypt_device_t
- Allow sudodomains to write to systemd_logind_sessions_t pipes.
- Label /usr/lib64/libcuda.so.XX.XX library as textrel_shlib_t.
* Tue Mar 12 2019 Lukas Vrabec - 3.14.4-4
- Update vmtools policy
- Allow virt_qemu_ga_t domain to read udev_var_run_t files
- Update nagios_run_sudo boolean with few allow rules related to accessing sssd
- Update travis CI to install selinux-policy dependencies without checking for gpg check
- Allow journalctl_t domain to mmap syslogd_var_run_t files
- Allow smokeping process to mmap own var lib files and allow set process group. Resolves: rhbz#1661046
- Allow sbd_t domain to bypass permission checks for sending signals
- Allow sbd_t domain read/write all sysctls
- Allow kpatch_t domain to communicate with policykit_t domain over dbus
- Allow boltd_t to stream connect to system dbus
- Allow zabbix_t domain to create sockets labeled as zabbix_var_run_t BZ(1683820)
- Allow all domains to send dbus msgs to vmtools_unconfined_t processes
- Label /dev/pkey as crypt_device_t
- Allow sudodomains to write to systemd_logind_sessions_t pipes.
- Label /usr/lib64/libcuda.so.XX.XX library as textrel_shlib_t.
- Allow ifconfig_t domain to read /dev/random BZ(1687516)
- Fix interface modutils_run_kmod() where was used old interface modutils_domtrans_insmod instead of new one modutils_domtrans_kmod() Resolves: rhbz#1686660
- Update travis CI to install selinux-policy dependencies without checking for gpg check
- Label /usr/sbin/nodm as xdm_exec_t same as other display managers
- Update userdom_admin_user_template() and init_prog_run_bpf() interfaces to make working bpftool for confined admin
- Label /usr/sbin/e2mmpstatus as fsadm_exec_t Resolves: rhbz#1684221
- Update unconfined_dbus_send() interface to allow both direction communication over dbus with unconfined process.
* Wed Feb 27 2019 Lukas Vrabec - 3.14.4-3
- Reverting https://src.fedoraproject.org/rpms/selinux-policy/pull-request/15 because "%pretrans" cannot use shell scripts. Resolves: rhbz#1683365
* Tue Feb 26 2019 Lukas Vrabec - 3.14.4-2
- Merge insmod_t, depmod_t and update_modules_t into kmod_t
* Mon Feb 25 2019 Lukas Vrabec - 3.14.4-1
- Allow openvpn_t domain to set capability BZ(1680276)
- Update redis_enable_notify() boolean to fix sending e-mail by redis when this boolean is turned on
- Allow chronyd_t domain to send data over dgram socket
- Add rolekit_dgram_send() interface
- Fix bug in userdom_restricted_xwindows_user_template() template to disallow all user domains to access admin_home_t
- kernel/files.fc: Label /var/run/motd.d(./*)? and /var/run/motd as pam_var_run_t
* Thu Feb 14 2019 Lukas Vrabec - 3.14.3-22
- Allow dovecot_t domain to connect to mysql db
- Add dac_override capability for sbd_t SELinux domain
- Add dac_override capability for spamd_update_t domain
- Allow nnp transition for domains fsadm_t, lvm_t and mount_t
- Add fs_manage_fusefs_named_pipes interface
* Tue Feb 12 2019 Lukas Vrabec - 3.14.3-21
- Allow glusterd_t to write to automount unnamed pipe Resolves: rhbz#1674243
- Allow ddclient_t to setcap Resolves: rhbz#1674298
- Add dac_override capability to vpnc_t domain
- Add dac_override capability to spamd_t domain
- Allow ibacm_t domain to read system state and label all ibacm sockets and symlinks as ibacm_var_run_t in /var/run
- Allow read network state of system for processes labeled as ibacm_t
- Allow ibacm_t domain to send dgram sockets to kernel processes
- Allow dovecot_t to connect to MySQL UNIX socket
- Fix CI for use on forks
- Fix typo bug in sensord policy
- Update ibacm_t policy after testing latest version of this component
- Allow sensord_t domain to mmap own log files
- Allow virt_domain to read/write dev device
- Add dac_override capability for ipa_helper_t
- Update policy with multiple allow rules to make working installing VM in MLS policy
- Allow syslogd_t domain to send null signal to all domains on system Resolves: rhbz#1673847
- Merge branch 'rawhide' of github.com:fedora-selinux/selinux-policy into rawhide
- Allow systemd-logind daemon to remove shared memory during logout Resolves: rhbz#1674172
- Always label /home symlinks as home_root_t
- Update mount_read_pid_files macro to allow also list mount_var_run_t dirs
- Fix typo bug in userdomain SELinux policy
- Merge branch 'rawhide' of github.com:fedora-selinux/selinux-policy into rawhide
- Allow user domains to stop systemd user sessions during logout process
- Fix CI for use on forks
- Label /dev/sev char device as sev_device_t
- Add fs_manage_fusefs_named_sockets interface
- Allow systemd-journald to receive messages including a memfd
* Sat Feb 02 2019 Lukas Vrabec - 3.14.3-20
- Allow sensord_t domain to use nsswitch and execute shell
- Allow opafm_t domain to execute lib_t files
- Allow opafm_t domain to manage kdump_crash_t files and dirs
- Allow virt domains to read/write cephfs filesystems
- Allow virtual machine to write to fixed_disk_device_t
- Update kdump_manage_crash() interface to allow also manage dirs by caller domain Resolves: rhbz#1491585
- Allow svnserve_t domain to create in /tmp svn_0 file labeled as krb5_host_rcache_t
- Allow vhostmd_t read libvirt configuration files
- Update dbus_role_template interface to allow userdomains to accept data from userdomain dbus domains
- Add miscfiles_filetrans_named_content_letsencrypt() to optional_block
- Allow unconfined domains to create letsencrypt directory in /var/lib labeled as cert_t
- Allow staff_t user to systemctl iptables units.
- Allow systemd to read selinux logind config
- obj_perm_sets.spt: Add xdp_socket to socket_class_set.
- Add xdp_socket security class and access vectors
- Allow transition from init_t domain to user_t domain during ssh login with confined user user_u
* Tue Jan 29 2019 Lukas Vrabec - 3.14.3-19
- Add new xdp_socket class
- Update dbus_role_template interface to allow userdomains to accept data from userdomain dbus domains
- Allow boltd_t domain to read cache_home_t files BZ(1669911)
- Allow winbind_t domain to check for existence of processes labeled as systemd_hostnamed_t BZ(1669912)
- Allow gpg_agent_t to create own tmpfs dirs and sockets
- Allow openvpn_t domain to manage vpnc pidfiles BZ(1667572)
- Add multiple interfaces for vpnc interface file
- Label /var/run/fcgiwrap dir as httpd_var_run_t BZ(1655702)
- In MongoDB 3.4.16, 3.6.6, 4.0.0 and later, mongod reads netstat info from proc and stores it in its diagnostic system (FTDC). See: https://jira.mongodb.org/browse/SERVER-31400 This means that we need to adjust the policy so that the mongod process is allowed to open and read /proc/net/netstat, which typically has symlinks (e.g. /proc/net/snmp).
- Allow gssd_t domain to manage kernel keyrings of every domain.
- Revert "Allow gssd_t domain to read/write kernel keyrings of every domain."
- Allow plymouthd_t search efivarfs directory BZ(1664143)
* Tue Jan 15 2019 Lukas Vrabec - 3.14.3-18
- Allow plymouthd_t search efivarfs directory BZ(1664143)
- Allow arpwatch send e-mail notifications BZ(1657327)
- Allow tangd_t domain to bind on tcp ports labeled as tangd_port_t
- Allow gssd_t domain to read/write kernel keyrings of every domain.
- Allow systemd_timedated_t domain nnp_transition BZ(1666222)
- Add the fs_search_efivarfs_dir interface
- Create tangd_port_t with default label tcp/7406
- Add interface domain_rw_all_domains_keyrings()
- Some of the selinux-policy macros don't work in chroots/initial installs. BZ(1665643)
* Fri Jan 11 2019 Lukas Vrabec - 3.14.3-17
- Allow staff_t domain to read read_binfmt_misc filesystem
- Add interface fs_read_binfmt_misc()
- Revert "Allow staff_t to rw binfmt_misc_fs_t files BZ(1658975)"
* Fri Jan 11 2019 Lukas Vrabec - 3.14.3-16
- Allow sensord_t to execute own binary files
- Allow pcp_pmlogger_t domain to getattr all filesystem BZ(1662432)
- Allow virtd_lxc_t domains use BPF BZ(1662613)
- Allow openvpn_t domain to read systemd state BZ(1661065)
- Dontaudit ptrace all domains for blueman_t BZ(1653671)
- Used correct renamed interface for imapd_t domain
- Change label of /usr/libexec/lm_sensors/sensord-service-wrapper from lsmd_exec_t to sensord_exec_t BZ(1662922)
- Allow hddtemp_t domain to read nvme block devices BZ(1663579)
- Add dac_override capability to spamd_t domain BZ(1645667)
- Allow pcp_pmlogger_t to mount tracefs_t filesystem BZ(1662983)
- Allow pcp_pmlogger_t domain to read all sysctls BZ(1662441)
- Specify recipients that will be notified about build CI results.
- Allow saslauthd_t domain to mmap own pid files BZ(1653024)
- Add dac_override capability for snapperd_t domain BZ(1619356)
- Make kpatch_t domain application domain to allow users to execute kpatch in kpatch_t domain.
- Add ipc_owner capability to pcp_pmcd_t domain BZ(1655282)
- Update pulseaudio_stream_connect() to allow caller domain create stream sockets to communicate with pulseaudio
- Allow pcp_pmlogger_t domain to send signals to rpm_script_t BZ(1651030)
- Add new interface: rpm_script_signal()
- Allow init_t domain to mmap init_var_lib_t files and dontaudit leaked fd. BZ(1651008)
- Make working: systemd-run --system --pty bash BZ(1647162)
- Allow ipsec_t domain dbus chat with systemd_resolved_t BZ(1662443)
- Allow staff_t to rw binfmt_misc_fs_t files BZ(1658975)
- Specify recipients that will be notified about build CI results.
- Label /usr/lib/systemd/user as systemd_unit_file_t BZ(1652814)
- Allow sysadm_t, staff_t and unconfined_t domain to execute kpatch as kpatch_t domain
- Add rules to allow systemd to mounton systemd_timedated_var_lib_t.
- Allow x_userdomains to stream connect to pulseaudio BZ(1658286)
* Sun Dec 16 2018 Lukas Vrabec - 3.14.3-15
- Add macro-expander script to selinux-policy-devel package
* Thu Dec 06 2018 Lukas Vrabec - 3.14.3-14
- Remove all ganesha bits from gluster and rpc policy
- Label /usr/share/spamassassin/sa-update.cron as spamd_update_exec_t
- Add dac_override capability to sssd_t domains
- Allow pesign_t domain to read gnome home configs
- Label /usr/libexec/lm_sensors/sensord-service-wrapper as lsmd_exec_t
- Allow rngd_t domains read kernel state
- Allow certmonger_t domains to read bind cache
- Allow ypbind_t domain to stream connect to sssd
- Allow rngd_t domain to setsched
- Allow sanlock_t domain to read/write sysfs_t files
- Add dac_override capability to postfix_local_t domain
- Allow ypbind_t to search sssd_var_lib_t dirs
- Allow virt_qemu_ga_t domain to write to user_tmp_t files
- Allow systemd_logind_t to dbus chat with virt_qemu_ga_t
- Update sssd_manage_lib_files() interface to allow also mmap sssd_var_lib_t files
- Add new interface sssd_signal()
- Update xserver_filetrans_home_content() and xserver_filetrans_admin_home_content() interfaces to allow caller domain to create .vnc dir in users homedir labeled as xdm_home_t
- Update logging_filetrans_named_content() to allow caller domains of this interface to create /var/log/journal/remote directory labeled as var_log_t
- Add sys_resource capability to the systemd_passwd_agent_t domain
- Allow ipsec_t domains to read bind cache
- kernel/files.fc: Label /run/motd as etc_t
- Allow systemd to stream connect to userdomain processes
- Label /var/lib/private/systemd/ as init_var_lib_t
- Allow initrc_t domain to create new socket labeled as init_t
- Allow audisp_remote_t domain remote logging client to read local audit events from relevant socket.
- Add tracefs_t type to mountpoint attribute
- Allow useradd_t and groupadd_t domains to send signals to sssd_t
- Allow systemd_logind_t domain to remove directories labeled as tmpfs_t BZ(1648636)
- Allow useradd_t and groupadd_t domains to access sssd files because of the new feature in shadow-utils
* Wed Nov 07 2018 Lukas Vrabec - 3.14.3-13
- Update pesign policy to allow pesign_t domain to read bind cache files/dirs
- Add dac_override capability to mdadm_t domain
- Create ibacm_tmpfs_t type for the ibacm policy
- Dontaudit capability sys_admin for dhcpd_t domain
- Makes rhsmcertd_t domain an exception to the constraint preventing changing the user identity in object contexts.
- Allow abrt_t domain to mmap generic tmp_t files
- Label /usr/sbin/wpa_cli as wpa_cli_exec_t
- Allow sandbox_xserver_t domain write to user_tmp_t files
- Allow certutil running as ipsec_mgmt_t domain to mmap ipsec_mgmt pid files
- Dontaudit ipsec_mgmt_t domain to write to the all mountpoints
- Add interface files_map_generic_tmp_files()
- Add dac_override capability to the syslogd_t domain
- Create systemd_timedated_var_run_t label
- Update systemd_timedated_t domain to allow create own pid files/access init_var_lib_t files and read dbus files BZ(1646202)
- Add init_read_var_lib_lnk_files and init_read_var_lib_sock_files interfaces
* Sun Nov 04 2018 Lukas Vrabec - 3.14.3-12
- Dontaudit thumb_t domain to setattr on lib_t dirs BZ(1643672)
- Dontaudit cupsd_t domain to setattr lib_t dirs BZ(1636766)
- Add dac_override capability to postgrey_t domain BZ(1638954)
- Allow thumb_t domain to execute own tmpfs files BZ(1643698)
- Allow xdm_t domain to manage dosfs_t files BZ(1645770)
- Label systemd-timesyncd binary as systemd_timedated_exec_t to make it run in systemd_timedated_t domain BZ(1640801)
- Improve fs_manage_ecryptfs_files to allow caller domain also mmap ecryptfs_t files BZ(1630675)
- Label systemd-user-runtime-dir binary as systemd_logind_exec_t BZ(1644313)
* Sun Nov 04 2018 Lukas Vrabec - 3.14.3-11
- Add nnp transition rule for vnstatd_t domain using NoNewPrivileges systemd feature BZ(1643063)
- Allow l2tpd_t domain to mmap /etc/passwd file BZ(1638948)
- Add dac_override capability to ftpd_t domain
- Allow gpg_t to create own tmpfs dirs and sockets
- Allow rhsmcertd_t domain to relabel cert_t files
- Add SELinux policy for kpatch
- Allow nova_t domain to use pam
- sysstat: grant sysstat_t the search_dir_perms set
- Label systemd-user-runtime-dir binary as systemd_logind_exec_t BZ(1644313)
- Allow systemd_logind_t to read fixed disk device BZ(1645631)
- Allow systemd_logind_t domain to read nvme devices BZ(1645567)
- Allow systemd_rfkill_t domain to communicate via dgram sockets with syslogd BZ(1638981)
- kernel/files.fc: Label /run/motd.d(/.*)? as etc_t
- Allow ipsec_mgmt_t process to send signals other than SIGKILL, SIGSTOP, or SIGCHLD to the ipsec_t domains BZ(1638949)
- Allow X display manager to check status and reload services which are part of x_domain attribute
- Add interface miscfiles_relabel_generic_cert()
- Make kpatch policy active
- Fix userdom_write_user_tmp_dirs() to allow caller domain also read/write user_tmp_t dirs
- Dontaudit sys_admin capability for netutils_t domain
- Label tcp and udp ports 2611 as qpasa_agent_port_t
* Tue Oct 16 2018 Lukas Vrabec - 3.14.3-10
- Allow boltd_t domain to dbus chat with fwupd_t domain BZ(1633786)
* Mon Oct 15 2018 Lukas Vrabec - 3.14.3-9
- Allow caller domains using cron_*_role to have entrypoint permission on system_cron_spool_t files BZ(1625645)
- Add interface cron_system_spool_entrypoint()
- Bolt added d-bus API for force-powering the thunderbolt controller, so system-dbusd needs access to boltd pipes BZ(1637676)
- Add interfaces for boltd SELinux module
- Add dac_override capability to modemmanager_t domain BZ(1636608)
- Allow systemd to mount boltd_var_run_t dirs BZ(1636823)
- Label correctly /var/named/chroot*/dev/unrandom in bind chroot.
* Sat Oct 13 2018 Lukas Vrabec - 3.14.3-8
- ejabberd SELinux module removed, it's shipped by ejabberd-selinux package
* Sat Oct 13 2018 Lukas Vrabec - 3.14.3-7
- Update rpm macros for selinux policy from sources repository: https://github.com/fedora-selinux/selinux-policy-macros
* Tue Oct 09 2018 Lukas Vrabec - 3.14.3-6
- Allow boltd_t to be activated by init socket activation
- Allow virt_domain to read/write to virtd_t unix_stream socket because of new version of libvirt 4.4. BZ(1635803)
- Update SELinux policy for libreswan based on the latest rebase 3.26
- Fix typo in init_named_socket_activation interface
* Thu Oct 04 2018 Lukas Vrabec - 3.14.3-5
- Allow dictd_t domain to mmap dictd_var_lib_t files BZ(1634650)
- Fix typo in boltd.te policy
- Allow fail2ban_t domain to mmap journal
- Add kill capability to named_t domain
- Allow neutron domain to read/write /var/run/utmp
- Create boltd_var_run_t type for boltd pid files
- Allow tomcat_domain to read /dev/random
- Allow neutron_t domain to use pam
- Add the port used by nsca (Nagios Service Check Acceptor)