Changelog for selinux-policy-minimum-34-1.fc34.noarch.rpm :
* Thu Apr 01 2021 Zdenek Pytela - 34.1-1
- Change the package versioning

* Thu Apr 01 2021 Zdenek Pytela - 3.14.7-30
- Allow plymouthd_t exec generic program in bin directories
- Allow dhcpc_t domain transition to chronyc_t
- Allow login_userdomain bind xmsg port
- Allow ibacm the net_raw and sys_rawio capabilities
- Allow nsswitch_domain read cgroup files
- Allow systemd-sleep create hardware state information files

* Mon Mar 29 2021 Zdenek Pytela - 3.14.7-29
- Add watch_with_perm_dirs_pattern file pattern

* Fri Mar 26 2021 Zdenek Pytela - 3.14.7-28
- Allow arpwatch_t create netlink generic socket
- Allow postgrey read network state
- Add watch_mount_dirs_pattern file pattern
- Allow bluetooth_t dbus chat with fwupd_t
- Allow xdm_t watch accountsd lib directories
- Add additional interfaces for watching /boot
- Allow sssd_t get attributes of tmpfs filesystems
- Allow local_login_t get attributes of tmpfs filesystems

* Tue Mar 23 2021 Zdenek Pytela - 3.14.7-27
- Dontaudit domain the fowner capability
- Extend fs_manage_nfsd_fs() to allow managing dirs as well
- Allow spice-vdagentd watch systemd-logind session dirs

* Fri Mar 19 2021 Zdenek Pytela - 3.14.7-26
- Allow xdm_t watch systemd-logind session dirs
- Allow xdm_t transition to system_dbusd_t
- Allow confined users login into graphic session
- Allow login_userdomain watch systemd login session dirs
- install_t: Allow NoNewPriv transition from systemd
- Remove setuid/setgid capabilities from mysqld_t
- Add context for new mariadbd executable files
- Allow netutils_t create netlink generic socket
- Allow systemd the audit_control capability conditionally

* Thu Mar 11 2021 Zdenek Pytela - 3.14.7-25
- Allow polkit-agent-helper-1 read logind sessions files
- Allow polkit-agent-helper read init state
- Allow login_userdomain watch generic device dirs
- Allow login_userdomain listen on bluetooth sockets
- Allow user_t and staff_t bind netlink_generic_socket
- Allow login_userdomain write inaccessible nodes
- Allow transition from xdm domain to unconfined_t domain.
- Add 'make validate' step to CI
- Disallow user_t run su/sudo and staff_t run su
- Fix typo in rsyncd.conf in rsync.if
- Add an alias for nvme_device_t
- Allow systemd watch and watch_reads unallocated ttys

* Tue Mar 02 2021 Zdenek Pytela - 3.14.7-24
- Allow apmd watch generic device directories
- Allow kdump load a new kernel
- Add confidentiality lockdown permission to kernel_read_core_if()
- Allow keepalived read nsfs files
- Allow local_login_t get attributes of filesystems with ext attributes
- Allow keepalived read/write its private memfd: objects
- Add missing declaration in rpm_named_filetrans()
- Change param description in cron interfaces to userdomain_prefix

* Tue Feb 23 2021 Zdenek Pytela - 3.14.7-23
- iptables.fc: Add missing legacy entries
- iptables.fc: Remove some duplicate entries
- iptables.fc: Remove duplicate file context entries
- Allow libvirtd to create generic netlink sockets
- Allow libvirtd the fsetid capability
- Allow libvirtd to read /run/utmp
- Dontaudit sys_ptrace capability when calling systemctl
- Allow udisksd to read /dev/random
- Allow udisksd to watch files under /run/mount
- Allow udisksd to watch /etc
- Allow crond to watch user_cron_spool_t directories
- Allow accountsd watch xdm config directories
- Label /etc/avahi with avahi_conf_t
- Allow sssd get cgroup filesystems attributes and search cgroup dirs
- Allow systemd-hostnamed read udev runtime data
- Remove dev_getattr_sysfs_fs() interface calls for particular domains
- Allow domain stat the /sys filesystem
- Dontaudit NetworkManager write to initrc_tmp_t pipes
- policykit.te: Clean up watch rule for policykit_auth_t
- Revert further unnecessary watch rules
- Revert "Allow getty watch its private runtime files"
- Allow systemd watch generic /var directories
- Allow init watch network config files and lnk_files

* Fri Feb 19 2021 Zdenek Pytela - 3.14.7-22
- Allow systemd-sleep get attributes of fixed disk device nodes
- Complete initial policy for systemd-coredump
- Label SDC(scini) Dell Driver
- Allow upowerd to send syslog messages
- Remove the disk write permissions from tlp_t
- Label NVMe devices as fixed_disk_device_t
- Allow rhsmcertd bind tcp sockets to a generic node
- Allow systemd-importd manage machines.lock file
- Allow unconfined integrity lockdown permission
- Relocate confidentiality lockdown rule from unconfined_domain_type to unconfined
- Allow systemd-machined manage systemd-userdbd runtime sockets
- Enable systemd-sysctl domtrans for udev
- Introduce kernel_load_unsigned_module interface and use it for couple domains
- Allow gpg watch user gpg secrets dirs
- Build also the container module in CI
- Remove duplicate code from kernel.te
- Allow restorecond to watch all non-auth directories
- Allow restorecond to watch its config file

* Tue Feb 16 2021 Zdenek Pytela - 3.14.7-21
- Allow unconfined integrity lockdown permission
- Relocate confidentiality lockdown rule from unconfined_domain_type to unconfined
- Allow systemd-machined manage systemd-userdbd runtime sockets
- Enable systemd-sysctl domtrans for udev
- Introduce kernel_load_unsigned_module interface and use it for couple domains
- Allow gpg watch user gpg secrets dirs
- Build also the container module in CI
- Remove duplicate code from kernel.te
- Allow restorecond to watch all non-auth directories
- Allow restorecond to watch its config file

* Fri Feb 12 2021 Zdenek Pytela - 3.14.7-20
- Allow userdomain watch various filesystem objects
- Allow systemd-logind and systemd-sleep integrity lockdown permission
- Allow unconfined_t and kprop_t to create krb5_0.rcache2 with the right context
- Allow pulseaudio watch devices and systemd-logind session dirs
- Allow abrt-dump-journal-* watch generic log dirs and /run/log/journal dir
- Remove duplicate files_mounton_etc(init_t) call
- Add watch permissions to manage_* object permissions sets
- Allow journalctl watch generic log dirs and /run/log/journal dir
- Label /etc/resolv.conf as net_conf_t even when it's a symlink
- Allow SSSD to watch /var/run/NetworkManager
- Allow dnsmasq_t to watch /etc
- Remove unnecessary lines from the new watch interfaces
- Fix docstring for init_watch_dir()
- Allow xdm watch its private lib dirs, /etc, /usr

* Fri Feb 12 2021 Zdenek Pytela - 3.14.7-19
- Bump version as Fedora 34 has been branched off rawhide
- Allow xdm watch its private lib dirs, /etc, /usr
- Allow systemd-importd create /run/systemd/machines.lock file
- Allow rhsmcertd_t read kpatch lib files
- Add integrity lockdown permission into dev_read_raw_memory()
- Add confidentiality lockdown permission into fs_rw_tracefs_files()
- Allow gpsd read and write ptp4l_t shared memory.
- Allow colord watch its private lib files and /usr
- Allow init watch_reads mount PID files
- Allow IPsec and Certmonger to use opencryptoki services

* Sun Feb 07 2021 Zdenek Pytela - 3.14.7-18
- Allow lockdown confidentiality for domains using perf_event
- define lockdown class and access
- Add perfmon capability for all domains using perf_event
- Allow ptp4l_t bpf capability to run bpf programs
- Revert "Allow ptp4l_t sys_admin capability to run bpf programs"
- access_vectors: Add new capabilities to cap2
- Allow systemd and systemd-resolved watch dbus pid objects
- Add new watch interfaces in the base and userdomain policy
- Add watch permissions for contrib packages
- Allow xdm watch /usr directories
- Allow getty watch its private runtime files
- Add watch permissions for nscd and sssd
- Add watch permissions for firewalld and NetworkManager
- Add watch permissions for syslogd
- Add watch permissions for systemd services
- Allow restorecond watch /etc dirs
- Add watch permissions for user domain types
- Add watch permissions for init
- Add basic watch interfaces for systemd
- Add basic watch interfaces to the base module
- Add additional watch object permissions sets and patterns
- Allow init_t to watch localization symlinks
- Allow init_t to watch mount directories
- Allow init_t to watch cgroup files
- Add basic watch patterns
- Add new watch* permissions

* Fri Feb 05 2021 Zdenek Pytela - 3.14.7-17
- Update .copr/make-srpm.sh to use rawhide as DISTGIT_BRANCH
- Dontaudit setsched for rndc
- Allow systemd-logind destroy entries in message queue
- Add userdom_destroy_unpriv_user_msgq() interface
- ci: Install build dependencies from koji
- Dontaudit vhostmd to write in /var/lib/rpm/ dir and allow signull rpm
- Add new cmadmin port for bfdd daemon
- virtiofs supports Xattrs and SELinux
- Allow domain write to systemd-resolved PID socket files
- Label /var/run/pcsd-ruby.socket socket with cluster_var_run_t type
- Allow rhsmcertd_t domain transition to kpatch_t
- Revert "Add kpatch_exec() interface"
- Revert "Allow rhsmcertd execute kpatch"
- Allow openvswitch create and use xfrm netlink sockets
- Allow openvswitch_t perf_event write permission
- Add kpatch_exec() interface
- Allow rhsmcertd execute kpatch
- Adds rule to allow glusterd to access RDMA socket
- radius: Lexical sort of service-specific corenet rules by service name
- VQP: Include IANA-assigned TCP/1589
- radius: Allow binding to the VQP port (VMPS)
- radius: Allow binding to the BDF Control and Echo ports
- radius: Allow binding to the DHCP client port
- radius: Allow net_raw; allow binding to the DHCP server ports
- Add rsync_sys_admin tunable to allow rsync sys_admin capability
- Allow staff_u run pam_console_apply
- Allow openvswitch_t perf_event open permission
- Allow sysadm read and write /dev/rfkill
- Allow certmonger fsetid capability
- Allow domain read usermodehelper state information

* Wed Jan 27 2021 Fedora Release Engineering - 3.14.7-16
- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild

* Fri Jan 22 2021 Petr Lautrbach - 3.14.7-15
- Update specfile to not verify md5/size/mtime for active store files
- Add /var/mnt equivalency to /mnt
- Rebuild with SELinux userspace 3.2-rc1 release

* Fri Jan 08 2021 Zdenek Pytela - 3.14.7-14
- Allow domain read usermodehelper state information
- Remove all kernel_read_usermodehelper_state() interface calls
- .copr: improve timestamp format
- Allow wireshark create and use rdma socket
- Allow domain stat /proc filesystem
- Remove all kernel_getattr_proc() interface calls
- Revert "Allow passwd to get attributes in proc_t"
- Revert "Allow dovecot_auth_t stat /proc filesystem"
- Revert "Allow sssd, unix_chkpwd, groupadd stat /proc filesystem"
- Allow sssd read /run/systemd directory
- Label /dev/vhost-vdpa-[0-9]+ as vhost_device_t

* Thu Dec 17 2020 Zdenek Pytela - 3.14.7-13
- Label /dev/isst_interface as cpu_device_t
- Dontaudit firewalld dac_override capability
- Allow ipsec set the context of a SPD entry to the default context
- Build binary RPMs in CI
- Add SRPM build scripts for COPR

* Tue Dec 15 2020 Zdenek Pytela - 3.14.7-12
- Allow dovecot_auth_t stat /proc filesystem
- Allow sysadm_u user and unconfined_domain_type manage perf_events
- Allow pcp-pmcd manage perf_events
- Add manage_perf_event_perms object permissions set
- Add perf_event access vectors.
- Allow sssd, unix_chkpwd, groupadd stat /proc filesystem
- Allow stub-resolv.conf to be a symlink
- sysnetwork.if: avoid directly referencing systemd_resolved_var_run_t
- Create the systemd_dbus_chat_resolved() compatibility interface
- Allow nsswitch-domain write to systemd-resolved PID socket files
- Add systemd_resolved_write_pid_sock_files() interface
- Add default file context for "/var/run/chrony-dhcp(/.*)?"
- Allow timedatex dbus chat with cron system domain
- Add cron_dbus_chat_system_job() interface
- Allow systemd-logind manage init's pid files

* Wed Dec 09 2020 Zdenek Pytela - 3.14.7-11
- Allow systemd-logind manage init's pid files
- Allow tcsd the setgid capability
- Allow systemd-resolved manage its private runtime symlinks
- Update systemd_resolved_read_pid() to also read symlinks
- Update systemd-sleep policy
- Add groupadd_t fowner capability
- Migrate to GitHub Actions
- Update README.md to reflect the state after contrib and base merge
- Add README.md announcing merging of selinux-policy and selinux-policy-contrib
- Adapt .travis.yml to contrib merge
- Merge contrib into the main repo
- Prepare to merge contrib repo
- Move stuff around to match the main repo

* Thu Nov 26 2020 Zdenek Pytela - 3.14.7-10
- Allow Xephyr connect to 6000/tcp port and open user ptys
- Allow kexec manage generic tmp files
- Update targetd nfs & lvm
- Add interface rpc_manage_exports
- Merge selinux-policy and selinux-policy-contrib repos

* Tue Nov 24 2020 Zdenek Pytela - 3.14.7-9
- Allow varnish map its private tmp files
- Allow dovecot bind to smtp ports
- Change fetchmail temporary files path to /var/spool/mail
- Allow cups_pdf_t domain to communicate with unix_dgram_socket
- Set file context for symlinks in /etc/httpd to etc_t
- Allow rpmdb rw access to inherited console, ttys, and ptys
- Allow dnsmasq read public files
- Announce merging of selinux-policy and selinux-policy-contrib
- Label /etc/resolv.conf as net_conf_t only if it is a plain file
- Fix range for unreserved ports
- Add files_search_non_security_dirs() interface
- Introduce logging_syslogd_append_public_content tunable
- Add miscfiles_append_public_files() interface

* Fri Nov 13 2020 Zdenek Pytela - 3.14.7-8
- Set correct default file context for /usr/libexec/pcp/lib/*
- Introduce rpmdb_t type
- Allow slapd manage files/dirs in ldap certificates directory
- Revert "Allow certmonger add new entries in a generic certificates directory"
- Allow certmonger add new entries in a generic certificates directory
- Allow slapd add new entries in ldap certificates directory
- Remove retired PCP pmwebd and pmmgr daemons (since 5.0)
- Let keepalived bind a raw socket
- Add default file context for /usr/libexec/pcp/lib/*
- squid: Allow net_raw capability when squid_use_tproxy is enabled
- systemd: allow networkd to check namespaces
- Add ability to read init_var_run_t where fs_read_efivarfs_files is allowed
- Allow resolved to create varlink sockets and the domain to talk to it
- selinux: tweak selinux_get_enforce_mode() to allow status page to be used
- systemd: allow all systemd services to check selinux status
- Set default file context for /var/lib/ipsec/nss
- Allow user domains transition to rpmdb_t
- Revert "Add miscfiles_add_entry_generic_cert_dirs() interface"
- Revert "Add miscfiles_create_generic_cert_dirs() interface"
- Update miscfiles_manage_all_certs() to include managing directories
- Add miscfiles_create_generic_cert_dirs() interface
- Add miscfiles_add_entry_generic_cert_dirs() interface
- Revert "Label /var/run/zincati/public/motd.d/* as motd_var_run_t"

* Tue Nov 03 2020 Petr Lautrbach - 3.14.7-7
- Rebuild with latest libsepol
- Bump policy version to 33

* Thu Oct 22 2020 Zdenek Pytela - 3.14.7-6
- rpc.fc: Include /etc/exports.d dir & files
- Create chronyd_pid_filetrans() interface
- Change invalid type redisd_t to redis_t in redis_stream_connect()
- Revert "Removed adding to attribute unpriv_userdomain from userdom_unpriv_type template"
- Allow init dbus chat with kernel
- Allow initrc_t create /run/chronyd-dhcp directory with a transition
- Drop gcc from dependencies in Travis CI
- fc_sort.py: Use "==" for comparing integers.
- re-implement fc_sort in python
- Remove invalid file context line
- Drop git from dependencies in Travis CI

* Tue Oct 06 2020 Zdenek Pytela - 3.14.7-5
- Remove empty line from rshd.fc
- Allow systemd-logind read swap files
- Add fstools_read_swap_files() interface
- Allow dyntransition from sshd_t to unconfined_t
- Removed adding to attribute unpriv_userdomain from userdom_unpriv_type template

* Fri Sep 25 2020 Zdenek Pytela - 3.14.7-4
- Allow chronyd_t to accept and make NTS-KE connections
- Allow domain write to an automount unnamed pipe
- Label /var/run/zincati/public/motd.d/* as motd_var_run_t
- Allow login programs to (only) read MOTD files and symlinks
- Relabel /usr/sbin/charon-systemd as ipsec_exec_t
- Confine systemd-sleep service
- Add fstools_rw_swap_files() interface
- Label 4460/tcp port as ntske_port_t
- Add lvm_dbus_send_msg(), lvm_rw_var_run() interfaces

* Mon Sep 21 2020 Zdenek Pytela - 3.14.7-3
- Check out the right -contrib branch in Travis

* Fri Sep 18 2020 Zdenek Pytela - 3.14.7-2
- Allow openvswitch fowner capability and create netlink sockets
- Allow additional permissions for gnome-initial-setup
- Add to map non_security_files to the userdom_admin_user_template template
- kernel/filesystem: Add exfat support (no extended attributes)

* Tue Sep 08 2020 Zdenek Pytela - 3.14.7-1
- Bump version as Fedora 33 has been branched
- Allow php-fpm write access to /var/run/redis/redis.sock
- Allow journalctl to read and write to inherited user domain tty
- Update rkt policy to allow rkt_t domain to read sysfs filesystem
- Allow arpwatch create and use rdma socket
- Allow plymouth sys_chroot capability
- Allow gnome-initial-setup execute in a xdm sandbox
- Add new devices and filesystem interfaces

* Mon Aug 24 2020 Zdenek Pytela - 3.14.6-25
- Allow certmonger fowner capability
- The nfsdcld service is now confined by SELinux
- Change transitions for ~/.config/Yubico
- Allow all users to connect to systemd-userdbd with a unix socket
- Add file context for ~/.config/Yubico
- Allow syslogd_t domain to read/write tmpfs systemd-bootchart files
- Allow login_pgm attribute to get attributes in proc_t
- Allow passwd to get attributes in proc_t
- Revert "Allow passwd to get attributes in proc_t"
- Revert "Allow login_pgm attribute to get attributes in proc_t"
- Allow login_pgm attribute to get attributes in proc_t
- Allow passwd to get attributes in proc_t
- Allow traceroute_t and ping_t to bind generic nodes.
- Create macro corenet_icmp_bind_generic_node()
- Allow unconfined_t to node_bind icmp_sockets in node_t domain

* Thu Aug 13 2020 Zdenek Pytela - 3.14.6-24
- Add ipa_helper_noatsecure() interface unconditionally
- Conditionally allow nagios_plugin_domain dbus chat with init
- Revert "Update allow rules set for nrpe_t domain"
- Add ipa_helper_noatsecure() interface to ipa.if
- Label /usr/libexec/qemu-pr-helper with virtd_exec_t
- Allow kadmind manage kerberos host rcache
- Allow nsswitch_domain to connect to systemd-machined using a unix socket
- Define named file transition for sshd on /tmp/krb5_0.rcache2
- Allow systemd-machined create userdbd runtime sock files
- Disable kdbus module before updating

* Mon Aug 03 2020 Zdenek Pytela - 3.14.6-23
- Revert "Add support for /sys/fs/kdbus and allow login_pgm domain to access it."
- Revert "Add interface to allow types to associate with cgroup filesystems"
- Revert "kdbusfs should not be accessible for now."
- Revert "kdbusfs should not be accessible for now by default for shipped policies. It should be moved to kdbus.pp"
- Revert "Add kdbus.pp policy to allow access /sys/fs/kdbus. It needs to go with own module because this is workaround for now to avoid SELinux in enforcing mode."
- Remove the legacy kdbus module
- Remove "kdbus = module" from modules-targeted-base.conf

* Thu Jul 30 2020 Zdenek Pytela - 3.14.6-22
- Allow virtlockd only getattr and lock block devices
- Allow qemu-ga read all non security file types conditionally
- Allow virtlockd manage VMs posix file locks
- Allow smbd get attributes of device files labeled samba_share_t
- Label /tmp/krb5_0.rcache2 with krb5_host_rcache_t
- Add a new httpd_can_manage_courier_spool boolean
- Create interface courier_manage_spool_sockets() in courier policy to allow to search dir and allow manage sock files
- Revert "Allow qemu-kvm read and write /dev/mapper/control"
- Revert "Allow qemu read and write /dev/mapper/control"
- Revert "Dontaudit and disallow sys_admin capability for keepalived_t domain"
- Dontaudit pcscd_t setting its process scheduling
- Dontaudit thumb_t setting its process scheduling
- Allow munin domain transition with NoNewPrivileges
- Add dev_lock_all_blk_files() interface
- Allow auditd manage kerberos host rcache files
- Allow systemd-logind dbus chat with fwupd

* Wed Jul 29 2020 Fedora Release Engineering - 3.14.6-21
- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild

* Mon Jul 13 2020 Lukas Vrabec - 3.14.6-20
- Align gen_tunable() syntax with sepolgen

* Fri Jul 10 2020 Zdenek Pytela - 3.14.6-19
- Additional support for keepalived running in a namespace
- Remove systemd_dbus_chat_resolved(pcp_pmie_t)
- virt: remove the libvirt qmf rules
- Allow certmonger manage dirsrv services
- Run ipa_helper_noatsecure(oddjob_t) only if the interface exists
- Allow domain dbus chat with systemd-resolved
- Define file context for /var/run/netns directory only
- Revert "Add support for fuse.glusterfs"

* Tue Jul 07 2020 Zdenek Pytela - 3.14.6-18
- Allow oddjob_t process noatsecure permission for ipa_helper_t
- Allow keepalived manage its private type runtime directories
- Update irqbalance runtime directory file context
- Allow irqbalance file transition for pid sock_files and directories
- Allow systemd_private_tmp(dirsrv_tmp_t) instead of dirsrv_t
- Allow virtlogd_t manage virt lib files
- Allow systemd set efivarfs files attributes
- Support systemctl --user in machinectl
- Allow chkpwd_t read and write systemd-machined devpts character nodes
- Allow init_t write to inherited systemd-logind sessions pipes

* Fri Jun 26 2020 Zdenek Pytela - 3.14.6-17
- Allow pdns server to read system state
- Allow irqbalance nnp_transition
- Fix description tag for the sssd_connect_all_unreserved_ports tunable
- Allow journalctl process set its resource limits
- Add sssd_access_kernel_keys tunable to conditionally access kernel keys
- Make keepalived work with network namespaces
- Create sssd_connect_all_unreserved_ports boolean
- Allow hypervkvpd to request kernel to load a module
- Allow systemd_private_tmp(dirsrv_tmp_t)
- Allow microcode_ctl get attributes of sysfs directories
- Remove duplicate files_dontaudit_list_tmp(radiusd_t) line
- Allow radiusd connect to gssproxy over unix domain stream socket
- Add fwupd_cache_t file context for '/var/cache/fwupd(/.*)?'
- Allow qemu read and write /dev/mapper/control
- Allow tlp_t can_exec() tlp_exec_t
- Dontaudit vpnc_t setting its process scheduling
- Remove files_mmap_usr_files() call for particular domains
- Allow dirsrv_t list cgroup directories
- Create the kerberos_write_kadmind_tmp_files() interface
- Allow realmd_t dbus chat with accountsd_t
- Label systemd-growfs and systemd-makefs as fsadm_exec_t
- Allow staff_u and user_u setattr generic usb devices
- Allow sysadm_t dbus chat with accountsd
- Modify kernel_rw_key() not to include append permission
- Add kernel_rw_key() interface to access to kernel keyrings
- Modify systemd_delete_private_tmp() to use delete_*_pattern macros
- Allow systemd-modules to load kernel modules
- Add cachefiles_dev_t as a typealias to cachefiles_device_t
- Allow libkrb5 lib read client keytabs
- Allow domain mmap usr_t files
- Remove files_mmap_usr_files() call for systemd domains
- Allow sshd write to kadmind temporary files
- Do not audit staff_t and user_t attempts to manage boot_t entries
- Add files_dontaudit_manage_boot_dirs() interface
- Allow systemd-tty-ask-password-agent read efivarfs files

* Thu Jun 25 2020 Adam Williamson - 3.14.6-16
- Fix scriptlets when /etc/selinux/config does not exist

* Thu Jun 04 2020 Zdenek Pytela - 3.14.6-15
- Add fetchmail_uidl_cache_t type for /var/mail/.fetchmail.pid
- Support multiple ways of tlp invocation
- Allow qemu-kvm read and write /dev/mapper/control
- Introduce logrotate_use_cifs boolean
- Allow ptp4l_t sys_admin capability to run bpf programs
- Allow to getattr files on an nsfs filesystem
- httpd: Allow NoNewPriv transition from systemd
- Allow rhsmd read process state of all domains and kernel threads
- Allow rhsmd mmap /etc/passwd
- Allow systemd-logind manage efivarfs files
- Allow initrc_t tlp_filetrans_named_content()
- Allow systemd_resolved_t to read efivarfs
- Allow systemd_modules_load_t to read efivarfs
- Introduce systemd_read_efivarfs_type attribute
- Allow named transition for /run/tlp from a user shell
- Allow ipsec_mgmt_t mmap ipsec_conf_file_t files
- Add file context for /sys/kernel/tracing

* Tue May 19 2020 Zdenek Pytela - 3.14.6-14
- Allow chronyc_t domain to use nsswitch
- Allow nscd_socket_use() for domains in nscd_use() unconditionally
- Add allow rules for lttng-sessiond domain
- Label dirsrv systemd unit files and add dirsrv_systemctl()
- Allow gluster geo-replication in rsync mode
- Allow nagios_plugin_domain execute programs in bin directories
- Allow sys_admin capability for domain labeled systemd_bootchart_t
- Split the arping path regexp to 2 lines to prevent from relabeling
- Allow tcpdump sniffing offloaded (RDMA) traffic
- Revert "Change arping path regexp to work around fixfiles incorrect handling"
- Change arping path regexp to work around fixfiles incorrect handling
- Allow read efivarfs_t files by domains executing systemctl file

* Wed Apr 29 2020 Zdenek Pytela - 3.14.6-13
- Update networkmanager_read_pid_files() to allow also list_dir_perms
- Update policy for NetworkManager_ssh_t
- Allow glusterd synchronize between master and slave
- Allow spamc_t domain to read network state
- Allow strongswan use tun/tap devices and keys
- Allow systemd_userdbd_t domain logging to journal

* Tue Apr 14 2020 Zdenek Pytela - 3.14.6-12
- Allow rngd create netlink_kobject_uevent_socket and read udev runtime files
- Allow ssh-keygen create file in /var/lib/glusterd
- Update ctdbd_manage_lib_files() to also allow mmap ctdbd_var_lib_t files
- Merge ipa and ipa_custodia modules
- Allow NetworkManager_ssh_t to execute_no_trans for binary ssh_exec_t
- Introduce daemons_dontaudit_scheduling boolean
- Modify path for arping in netutils.fc to match both bin and sbin
- Change file context for /var/run/pam_ssh to match file transition
- Add file context entry and file transition for /var/run/pam_timestamp

* Tue Mar 31 2020 Zdenek Pytela - 3.14.6-11
- Allow NetworkManager manage dhcpd unit files
- Update ninfod policy to add nnp transition from systemd to ninfod
- Remove container interface calling by named_filetrans_domain.

* Wed Mar 25 2020 Zdenek Pytela - 3.14.6-10
- Allow openfortivpn exec shell
- Remove label session_dbusd_tmp_t for /run/user/USERID/systemd
- Add ibacm_t ipc_lock capability
- Allow ipsec_t connectto ipsec_mgmt_t
- Remove ipa_custodia
- Allow systemd-journald to read user_tmp_t symlinks

* Wed Mar 18 2020 Zdenek Pytela - 3.14.6-9
- Allow zabbix_t manage and filetrans temporary socket files
- Makefile: fix tmp/%.mod.fc target

* Fri Mar 13 2020 Zdenek Pytela - 3.14.6-8
- Allow NetworkManager read its unit files and manage services
- Add init_daemon_domain() for geoclue_t
- Allow to use nnp_transition in pulseaudio_role
- Allow pdns_t domain to map files in /usr.
- Label all NetworkManager fortisslvpn plugins as openfortivpn_exec_t
- Allow login_pgm create and bind on netlink_selinux_socket

* Mon Mar 09 2020 Zdenek Pytela - 3.14.6-7
- Allow sssd read systemd-resolved runtime directory
- Allow sssd read NetworkManager's runtime directory
- Mark nm-cloud-setup systemd units as NetworkManager_unit_file_t
- Allow system_mail_t to signull pcscd_t
- Create interface pcscd_signull
- Allow auditd poweroff or switch to single mode

* Fri Feb 28 2020 Lukas Vrabec - 3.14.6-6
- Allow postfix stream connect to cyrus through runtime socket
- Dontaudit daemons to set and get scheduling policy/parameters

* Sat Feb 22 2020 Lukas Vrabec - 3.14.6-5
- Allow certmonger_t domain to read pkcs_slotd lock files
- Allow httpd_t domain to mmap own var_lib_t files BZ(1804853)
- Allow ipda_custodia_t to create udp_socket and added permission nlmsg_read for netlink_route_sockets
- Make file context more variable for /usr/bin/fusermount and /bin/fusermount
- Allow local_login_t domain to getattr cgroup filesystem
- Allow systemd_logind_t domain to manage user_tmp_t char and block devices

* Tue Feb 18 2020 Lukas Vrabec - 3.14.6-4
- Update virt_read_qemu_pid_files interface
- Allow systemd_logind_t domain to getattr cgroup filesystem
- Allow systemd_logind_t domain to manage user_tmp_t char and block devices
- Allow nsswitch_domain attribute to stream connect to systemd process

* Sun Feb 16 2020 Lukas Vrabec - 3.14.6-3
- Allow systemd labeled as init_t to manage systemd_userdbd_runtime_t symlinks
- Allow systemd_userdbd_t domain to read efivarfs files

* Sat Feb 15 2020 Lukas Vrabec - 3.14.6-2
- Allow vhostmd communication with hosted virtual machines
- Add and update virt interfaces
- Update radiusd policy
- Allow systemd_private_tmp(named_tmp_t)
- Allow bacula dac_override capability
- Allow systemd_networkd_t to read efivarfs
- Add support for systemd-userdbd
- Allow systemd system services read efivarfs files

* Sat Feb 15 2020 Lukas Vrabec - 3.14.6-1
- Bump version to 3.14.6 because fedora 32 was branched

* Fri Feb 07 2020 Zdenek Pytela - 3.14.5-24
- Allow ptp4l_t create and use packet_socket sockets
- Allow ipa_custodia_t create and use netlink_route_socket sockets.
- Allow networkmanager_t transition to setfiles_t
- Create init_create_dirs boolean to allow init create directories

* Fri Jan 31 2020 Zdenek Pytela - 3.14.5-23
- Allow thumb_t connect to system_dbusd_t BZ(1795044)
- Allow saslauthd_t filetrans variable files for /tmp directory
- Added apache create log dirs macro
- Tiny documentation fix
- Allow openfortivpn_t to manage net_conf_t files.
- Introduce boolean openfortivpn_can_network_connect.
- Dontaudit domain chronyd_t to list in user home dirs.
- Allow init_t to create apache log dirs.
- Add file transition for /dev/nvidia-uvm BZ(1770588)
- Allow syslog_t to read efivarfs_t files
- Add ioctl to term_dontaudit_use_ptmx macro
- Update xserver_rw_session macro

* Thu Jan 30 2020 Fedora Release Engineering - 3.14.5-22
- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild

* Fri Jan 24 2020 Zdenek Pytela - 3.14.5-21
- Dontaudit timedatex_t read file_contexts_t and validate security contexts
- Make stratisd_t domain unconfined for now.
- stratisd_t policy updates.
- Label /var/spool/plymouth/boot.log as plymouthd_var_log_t
- Label /stratis as stratisd_data_t
- Allow opafm_t to create and use netlink rdma sockets.
- Allow stratisd_t domain to read/write fixed disk devices and removable devices.
- Added macro for stratisd to chat over dbus
- Add dac_override capability to stratisd_t domain
- Allow init_t set the nice level of all domains BZ(1778088)
- Allow userdomain to chat with stratisd over dbus.

* Mon Jan 13 2020 Lukas Vrabec - 3.14.5-20
- Fix typo in anaconda SELinux module
- Allow rtkit_t domain to control scheduling for your install_t processes
- Boolean: rngd_t to use executable memory
- Allow rngd_t domain to use nsswitch BZ(1787661)
- Allow exim to execute bin_t without domain trans
- Allow create udp sockets for abrt_upload_watch_t domains
- Drop label zebra_t for frr binaries
- Allow NetworkManager_t domain to get status of samba services
- Update milter policy to allow use sendmail
- Modify file context for .local directory to match exactly BZ(1637401)
- Allow init_t domain to create own socket files in /tmp
- Allow ipsec_mgmt_t domain to mmap ipsec_conf_file_t files
- Create files_create_non_security_dirs() interface

* Fri Dec 20 2019 Zdenek Pytela - 3.14.5-19
- Allow init_t nnp domain transition to kmod_t
- Allow userdomain dbus chat with systemd_resolved_t
- Allow init_t read and setattr on /var/lib/fprintd
- Allow sysadm_t dbus chat with colord_t
- Allow confined users run fwupdmgr
- Allow confined users run machinectl
- Allow systemd labeled as init_t domain to create dirs labeled as var_t
- Allow systemd labeled as init_t do read/write tpm_device_t chr files BZ(1778079)
- Add new file context rabbitmq_conf_t.
- Allow journalctl read init state BZ(1731753)
- Add fprintd_read_var_lib_dir and fprintd_setattr_var_lib_dir interfaces
- Allow pulseaudio create .config and dgram sendto to unpriv_userdomain
- Change type in transition for /var/cache/{dnf,yum} directory
- Allow cockpit_ws_t read efivarfs_t BZ(1777085)
- Allow abrt_dump_oops_t domain to create udp sockets BZ(1778030)
- Allow named_t domain to mmap named_zone_t files BZ(1647493)
- Make boinc_var_lib_t label system mountdir attribute
- Allow stratis_t domain to request load modules
- Update fail2ban policy
- Allow spamd_update_t access antivirus_unit_file_t BZ(1774092)
- Allow uuidd_t Domain transition from systemd into confined domain with NoNewPrivileges Systemd Security feature.
- Allow rdisc_t Domain transition from systemd into confined domain with NoNewPrivileges Systemd Security feature.

* Thu Nov 28 2019 Lukas Vrabec - 3.14.5-18
- Allow systemd to read all proc
- Introduce new type pdns_var_lib_t
- Allow zebra_t domain to read files labeled as nsfs_t.
- Allow systemd to setattr on all device_nodes
- Allow systemd to mounton and list all proc types

* Wed Nov 27 2019 Lukas Vrabec - 3.14.5-17
- Fix nonexisting types in rtas_errd_rw_lock interface
- Allow snmpd_t domain to trace processes in user namespace
- Allow timedatex_t domain to read relatime clock and adjtime_t files
- Allow zebra_t domain to execute zebra binaries
- Label /usr/lib/NetworkManager/dispatcher as NetworkManager_initrc_exec_t
- Allow ksmtuned_t domain to trace processes in user namespace
- Allow systemd to read symlinks in /var/lib
- Update dev_mounton_all_device_nodes() interface
- Add the miscfiles_map_generic_certs macro to the sysnet_dns_name_resolve macro.
- Allow systemd_domain to map files in /usr.
- Allow strongswan start using swanctl method BZ(1773381)
- Dontaudit systemd_tmpfiles_t getattr of all file types BZ(1772976)

* Thu Nov 21 2019 Zdenek Pytela - 3.14.5-16
- Allow timedatex_t domain dbus chat with both confined and unconfined users
- Allow timedatex_t domain dbus chat with unconfined users
- Allow NetworkManager_t manage dhcpc_state_t BZ(1770698)
- Make unconfined domains part of domain_named_attribute
- Label tcp ports 24816,24817 as pulp_port_t
- Remove duplicate entries for initrc_t in init.te

* Thu Nov 14 2019 Lukas Vrabec - 3.14.5-15
- Increase SELinux userspace version which should be required.

* Wed Nov 13 2019 Lukas Vrabec - 3.14.5-14
- Increase version of kernel compiled binary policy to 32 because of new SELinux userspace v3.0

* Wed Nov 13 2019 Lukas Vrabec - 3.14.5-13
- Fix typo bugs in rtas_errd_read_lock() interface
- cockpit: Drop cockpit-cert-session
- Allow timedatex_t domain to systemctl chronyd domains
- Allow ipa_helper_t to read kr5_keytab_t files
- cockpit: Allow cockpit-session to read cockpit-tls state directory
- Allow stratisd_t domain to read nvme and fixed disk devices
- Update lldpad_t policy module
- Dontaudit tmpreaper_t getting attributes from sysctl_type files
- cockpit: Support https instance factory
- Added macro for timedatex to chat over dbus.
- Fix typo in dev_filetrans_all_named_dev()
- Update files_manage_etc_runtime_files() interface to allow manage also dirs
- Fix typo in cachefiles device
- Dontaudit sys_admin capability for auditd_t domains
- Allow x_userdomain to read adjtime_t files
- Allow users using template userdom_unpriv_user_template() to run bpf tool
- Allow x_userdomain to dbus_chat with timedatex.

* Sun Nov 03 2019 Lukas Vrabec - 3.14.5-12
- Label /var/cache/nginx as httpd_cache_t
- Allow abrt_upload_watch_t domain to send dgram msgs to kernel processes and stream connect to journald
- Created dnsmasq_use_ipset boolean
- Allow capability dac_override in logwatch_mail_t domain
- Allow automount_t domain to execute ping in own SELinux domain (ping_t)
- Allow tmpreaper_t domain to getattr files labeled as mtrr_device_t
- Allow collectd_t domain to create netlink_generic_socket sockets
- Allow rhsmcertd_t domain to read/write rtas_errd_var_lock_t files
- Allow tmpwatch process labeled as tmpreaper_t domain to execute fuser command.
- Label /etc/postfix/chroot-update as postfix_exec_t
- Update tmpreaper_t policy due to fuser command
- Allow kdump_t domain to create netlink_route and udp sockets
- Allow stratisd to connect to dbus
- Allow fail2ban_t domain to create netlink netfilter sockets.
- Allow dovecot get filesystem quotas
- Allow networkmanager_t domain to execute chronyd binary in chronyd_t domain.
BZ(1765689)- Allow systemd-tmpfiles processes to set rlimit information- Allow cephfs to use xattrs for storing contexts- Update files_filetrans_named_content() interface to allow caller domain to create /oldroot /.profile with correct label etc_runtime_t * Fri Oct 25 2019 Lukas Vrabec - 3.14.5-11- Allow confined users to run newaliases- Add interface mysql_dontaudit_rw_db()- Label /var/lib/xfsdump/inventory as amanda_var_lib_t- Allow tmpreaper_t domain to read all domains state- Make httpd_var_lib_t label system mountdir attribute- Update cockpit policy- Update timedatex policy to add macros, more detail below- Allow nagios_script_t domain list files labled sysfs_t.- Allow jetty_t domain search and read cgroup_t files.- Donaudit ifconfig_t domain to read/write mysqld_db_t files- Dontaudit domains read/write leaked pipes * Tue Oct 22 2019 Lukas Vrabec - 3.14.5-10- Update timedatex policy to add macros, more detail below- Allow nagios_script_t domain list files labled sysfs_t.- Allow jetty_t domain search and read cgroup_t files.- Allow Gluster mount client to mount files_type- Dontaudit and disallow sys_admin capability for keepalived_t domain- Update numad policy to allow signull, kill, nice and trace processes- Allow ipmievd_t to RW watchdog devices- Allow ldconfig_t domain to manage initrc_tmp_t link files Allow netutils_t domain to write to initrc_tmp_t fifo files- Allow user domains to manage user session services- Allow staff and user users to get status of user systemd session- Update sudo_role_template() to allow caller domain to read syslog pid files * Fri Oct 11 2019 Lukas Vrabec - 3.14.5-9- Allow networkmanager_t domain domain transition to chronyc_t domain BZ(1760226) * Wed Oct 09 2019 Lukas Vrabec - 3.14.5-8- Update apache and pkcs policies to make active opencryptoki rules- Allow ipa_ods_exporter_t domain to read krb5_keytab files BZ(1759884) * Wed Oct 09 2019 Lukas Vrabec - 3.14.5-7- Revert \"nova.fc: fix duplicated slash\"- Introduce new bolean 
httpd_use_opencryptoki- Add new interface apache_read_state()- Allow setroubleshoot_fixit_t to read random_device_t- Label /etc/named direcotory as named_conf_t BZ(1759495)- nova.fc: fix duplicated slash- Allow dkim to execute sendmail- Update virt_read_content interface to allow caller domain mmap virt_content_t block devices and files- Update aide_t domain to allow this tool to analyze also /dev filesystem- Update interface modutils_read_module_deps to allow caller domain also mmap modules_dep_t files BZ(1758634)- Allow avahi_t to send msg to xdm_t- Allow systemd_logind to read dosfs files & dirs Allow systemd-logind - a system service that manages user logins, to read files and list dirs on a DOS filesystem- Update dev_manage_sysfs() to support managing also lnk files BZ(1759019)- Allow systemd_logind_t domain to read blk_files in domain removable_device_t- Add new interface udev_getattr_rules_chr_files() * Fri Oct 04 2019 Lukas Vrabec - 3.14.5-6- Update aide_t domain to allow this tool to analyze also /dev filesystem- Allow bitlbee_t domain map files in /usr- Allow stratisd to getattr of fixed disk device nodes- Add net_broadcast capability to openvswitch_t domain BZ(1716044)- Allow exim_t to read mysqld conf files if exim_can_connect_db is enabled. 
BZ(1756973)- Allow cobblerd_t domain search apache configuration dirs- Dontaudit NetworkManager_t domain to write to kdump temp pipies BZ(1750428)- Label /var/log/collectd.log as collectd_log_t- Allow boltd_t domain to manage sysfs files and dirs BZ(1754360)- Add fowner capability to the pcp_pmlogger_t domain BZ(1754767)- networkmanager: allow NetworkManager_t to create bluetooth_socket- Fix ipa_custodia_stream_connect interface- Add new interface udev_getattr_rules_chr_files()- Make dbus-broker service working on s390x arch- Add new interface dev_mounton_all_device_nodes()- Add new interface dev_create_all_files()- Allow systemd(init_t) to load kernel modules- Allow ldconfig_t domain to manage initrc_tmp_t objects- Add new interface init_write_initrc_tmp_pipes()- Add new interface init_manage_script_tmp_files()- Allow xdm_t setpcap capability in user namespace BZ(1756790)- Allow x_userdomain to mmap generic SSL certificates- Allow xdm_t domain to user netlink_route sockets BZ(1756791)- Update files_create_var_lib_dirs() interface to allow caller domain also set attributes of var_lib_t directory BZ(1754245)- Allow sudo userdomain to run rpm related commands- Add sys_admin capability for ipsec_t domain- Allow systemd_modules_load_t domain to read systemd pid files- Add new interface init_read_pid_files()- Allow systemd labeled as init_t domain to manage faillog_t objects- Add file context ipsec_var_run_t for /var/run/charon\\.dck to ipsec.fc- Make ipa_custodia policy active * Fri Sep 20 2019 Lukas Vrabec - 3.14.5-5- Fix ipa_custodia_stream_connect interface- Allow systemd_modules_load_t domain to read systemd pid files- Add new interface init_read_pid_files()- Allow systemd labeled as init_t domain to manage faillog_t objects- Add file context ipsec_var_run_t for /var/run/charon\\.dck to ipsec.fc * Fri Sep 20 2019 Lukas Vrabec - 3.14.5-4- Run ipa-custodia as ipa_custodia_t- Update webalizer_t SELinux policy- Dontaudit thumb_t domain to getattr of nsfs_t files 
BZ(1753598)- Allow rhsmcertd_t domain to read rtas_errd lock files- Add new interface rtas_errd_read_lock()- Update allow rules set for nrpe_t domain- Update timedatex SELinux policy to to sychronizate time with GNOME and add new macro chronyd_service_status to chronyd.if- Allow avahi_t to send msg to lpr_t- Label /dev/shm/dirsrv/ with dirsrv_tmpfs_t label- Allow dlm_controld_t domain to read random device- Label libvirt drivers as virtd_exec_t- Add sys_ptrace capability to pcp_pmlogger_t domain BZ(1751816)- Allow gssproxy_t domain read state of all processes on system- Add new macro systemd_timedated_status to systemd.if to get timedated service status- Introduce xdm_manage_bootloader booelan- Revert \"Unconfined domains, need to create content with the correct labels\"- Allow xdm_t domain to read sssd pid files BZ(1753240)- Move open, audit_access, and execmod to common file perms * Fri Sep 13 2019 Lukas Vrabec - 3.14.5-3- Add sys_ptrace capability to pcp_pmlogger_t domain BZ(1751816)- Allow gssproxy_t domain read state of all processes on system- Fix typo in cachefilesd module- Allow cachefilesd_t domain to read/write cachefiles_device_t devices- Remove setting label for /dev/cachefilesd char device from cachefilesd policy. 
This should be added in base policy- Add sys_admin capability for keepalived_t labeled processes- Allow user_mail_domain attribute to manage files labeled as etc_aliases_t.- Create new type ipmievd_helper_t domain for loading kernel modules.- Run stratisd service as stratisd_t- Fix abrt_upload_watch_t in abrt policy- Update keepalived policy- Update cron_role, cron_admin_role and cron_unconfined_role to avoid *_t_t types- Revert \"Create admin_crontab_t and admin_crontab_tmp_t types\"- Revert \"Update cron_role() template to accept third parameter with SELinux domain prefix\"- Allow amanda_t to manage its var lib files and read random_device_t- Create admin_crontab_t and admin_crontab_tmp_t types- Add setgid and setuid capabilities to keepalived_t domain- Update cron_role() template to accept third parameter with SELinux domain prefix- Allow psad_t domain to create tcp diag sockets BZ(1750324)- Allow systemd to mount fwupd_cache_t BZ(1750288)- Allow chronyc_t domain to append to all non_security files- Update zebra SELinux policy to make it work also with frr service- Allow rtkit_daemon_t domain set process nice value in user namespaces BZ(1750024)- Dontaudit rhsmcertd_t to write to dirs labeled as lib_t BZ(1556763)- Label /var/run/mysql as mysqld_var_run_t- Allow chronyd_t domain to manage and create chronyd_tmp_t dirs,files,sock_file objects.- Update timedatex policy to manage localization- Allow sandbox_web_type domains to sys_ptrace and sys_chroot in user namespaces- Update gnome_dontaudit_read_config- Allow devicekit_var_lib_t dirs to be created by systemd during service startup. 
BZ(1748997)- Allow systemd labeled as init_t domain to remount rootfs filesystem- Add interface files_remount_rootfs()- Dontaudit sys_admin capability for iptables_t SELinux domain- Label /dev/cachefilesd as cachefiles_device_t- Make stratisd policy active- Allow userdomains to dbus chat with policykit daemon- Update userdomains to pass correct parametes based on updates from cron_ *_role interfaces- New interface files_append_non_security_files()- Label 2618/tcp and 2618/udp as priority_e_com_port_t- Label 2616/tcp and 2616/udp as appswitch_emp_port_t- Label 2615/tcp and 2615/udp as firepower_port_t- Label 2610/tcp and 2610/udp as versa_tek_port_t- Label 2613/tcp and 2613/udp as smntubootstrap_port_t- Label 3784/tcp and 3784/udp as bfd_control_port_t- Remove rule allowing all processes to stream connect to unconfined domains * Wed Sep 04 2019 Lukas Vrabec - 3.14.5-2- Allow zabbix_t domain to manage zabbix_var_lib_t sock files and connect to unix_stream_socket- Dontaudit sandbox web types to setattr lib_t dirs- Dontaudit system_mail_t domains to check for existence other applications on system BZ(1747369)- Allow haproxy_t domain to read network state of system- Allow processes labeled as keepalived_t domain to get process group- Introduce dbusd_unit_file_type- Allow pesign_t domain to read/write named cache files.- Label /var/log/hawkey.log as rpm_log_t and update rpm named filetrans interfaces.- Allow httpd_t domain to read/write named_cache_t files- Add new interface bind_rw_cache()- Allow cupsd_t domain to create directory with name ppd in dirs labeled as cupsd_etc_t with label cupsd_rw_etc_t.- Update cpucontrol_t SELinux policy- Allow pcp_pmcd_t domain to bind on udp port labeled as statsd_port_t- Run lldpd service as lldpad_t.- Allow spamd_update_t domain to create unix dgram sockets.- Update dbus role template for confined users to allow login into x session- Label /usr/libexec/microcode_ctl/reload_microcode as cpucontrol_exec_t- Fix typo in 
networkmanager_append_log() interface- Update collectd policy to allow daemon create /var/log/collectd with collectd_log_t label- Allow login user type to use systemd user session- Allow xdm_t domain to start dbusd services.- Introduce new type xdm_unit_file_t- Remove allowing all domain to communicate over pipes with all domain under rpm_transition_domain attribute- Allow systemd labeled as init_t to remove sockets with tmp_t label BZ(1745632)- Allow ipsec_t domain to read/write named cache files- Allow sysadm_t to create hawkey log file with rpm_log_t SELinux label- Allow domains systemd_networkd_t and systemd_logind_t to chat over dbus- Label udp 8125 port as statsd_port_t * Tue Aug 13 2019 Lukas Vrabec - 3.14.5-1- Bump version * Tue Aug 13 2019 Lukas Vrabec - 3.14.4-31- Update timedatex policy BZ(1734197) * Tue Aug 13 2019 Lukas Vrabec - 3.14.4-30- cockpit: Allow cockpit-session to read cockpit-tls state- Allow zebrat_t domain to read state of NetworkManager_t processes BZ(1739983)- Allow named_t domain to read/write samba_var_t files BZ(1738794)- Dontaudit abrt_t domain to read root_t files- Allow ipa_dnskey_t domain to read kerberos keytab- Allow mongod_t domain to read cgroup_t files BZ(1739357)- Update ibacm_t policy- Allow systemd to relabel all files on system.- Revert \"Add new boolean systemd_can_relabel\"- Allow xdm_t domain to read kernel sysctl BZ(1740385)- Add sys_admin capability for xdm_t in user namespace. BZ(1740386)- Allow dbus communications with resolved for DNS lookups- Add new boolean systemd_can_relabel- Allow auditd_t domain to create auditd_tmp_t temporary files and dirs in /tmp or /var/tmp- Label \'/var/usrlocal/(. */)?sbin(/. 
*)?\' as bin_t- Update systemd_dontaudit_read_unit_files() interface to dontaudit alos listing dirs- Run lvmdbusd service as lvm_t * Wed Aug 07 2019 Lukas Vrabec - 3.14.4-29- Allow dlm_controld_t domain setgid capability- Fix SELinux modules not installing in chroots.Resolves: rhbz#1665643 * Tue Aug 06 2019 Lukas Vrabec - 3.14.4-28- Allow systemd to create and bindmount dirs. BZ(1734831) * Mon Aug 05 2019 Lukas Vrabec - 3.14.4-27- Allow tlp domain run tlp in trace mode BZ(1737106)- Make timedatex_t domain system dbus bus client BZ(1737239)- Allow cgdcbxd_t domain to list cgroup dirs- Allow systemd to create and bindmount dirs. BZ(1734831) * Tue Jul 30 2019 Lukas Vrabec - 3.14.4-26- New policy for rrdcached- Allow dhcpd_t domain to read network sysctls.- Allow nut services to communicate with unconfined domains- Allow virt_domain to Support ecryptfs home dirs.- Allow domain transition lsmd_t to sensord_t- Allow httpd_t to signull mailman_cgi_t process- Make rrdcached policy active- Label /etc/sysconfig/ip6?tables\\.save as system_conf_t Resolves: rhbz#1733542- Allow machinectl to run pull-tar BZ(1724247) * Fri Jul 26 2019 Lukas Vrabec - 3.14.4-25- Allow spamd_update_t domain to read network state of system BZ(1733172)- Allow dlm_controld_t domain to transition to the lvm_t- Allow sandbox_web_client_t domain to do sys_chroot in user namespace- Allow virtlockd process read virtlockd.conf file- Add more permissions for session dbus types to make working dbus broker with systemd user sessions- Allow sssd_t domain to read gnome config and named cache files- Allow brltty to request to load kernel module- Add svnserve_tmp_t label forl svnserve temp files to system private tmp- Allow sssd_t domain to read kernel net sysctls BZ(1732185)- Run timedatex service as timedatex_t- Allow mysqld_t domain to domtrans to ifconfig_t domain when executing ifconfig tool- Allow cyrus work with PrivateTmp- Make cgdcbxd_t domain working with SELinux enforcing.- Make working wireshark 
execute byt confined users staff_t and sysadm_t- Dontaudit virt_domain to manage ~/.cache dirs BZ(1730963)- Allow svnserve_t domain to read system state- allow named_t to map named_cache_t files- Label user cron spool file with user_cron_spool_t- Update gnome_role_template() template to allow sysadm_t confined user to login to xsession- Allow lograte_t domain to manage collect_rw_content files and dirs- Add interface collectd_manage_rw_content()- Allow ifconfig_t domain to manage vmware logs- Remove system_r role from staff_u user.- Make new timedatex policy module active- Add systemd_private_tmp_type attribute- Allow systemd to load kernel modules during boot process.- Allow sysadm_t and staff_t domains to read wireshark shared memory- Label /usr/libexec/utempter/utempter as utemper_exec_t- Allow ipsec_t domain to read/write l2tpd pipe BZ(1731197)- Allow sysadm_t domain to create netlink selinux sockets- Make cgdcbxd active in Fedora upstream sources * Wed Jul 17 2019 Lukas Vrabec - 3.14.4-24- Label user cron spool file with user_cron_spool_t- Update gnome_role_template() template to allow sysadm_t confined user to login to xsession- Allow lograte_t domain to manage collect_rw_content files and dirs- Add interface collectd_manage_rw_content()- Allow systemd_hostnamed_t domain to dbus chat with sosreport_t domain- Update tomcat_can_network_connect_db boolean to allow tomcat domains also connect to redis ports- Allow mysqld_t domain to manage cluster pid files- Relabel /usr/sbin/virtlockd from virt_exec_t to virtlogd_exec_t.- Allow ptp4l_t domain to write to pmc socket which is created by pmc command line tool- Allow dkim-milter to send e-mails BZ(1716937)- Update spamassasin policy to make working /usr/share/spamassassin/sa-update.cron script BZ(1711799)- Update svnserve_t policy to make working svnserve hooks- Allow varnishlog_t domain to check for presence of varnishd_t domains- Update sandboxX policy to make working firefox inside SELinux sandbox- Remove allow 
rule from svirt_transition_svirt_sandbox interface to don\'t allow containers to connect to random services- Allow httpd_t domain to read /var/lib/softhsm/tokens to allow httpd daemon to use pkcs#11 devices- Allow gssd_t domain to list tmpfs_t dirs- Allow mdadm_t domain to read tmpfs_t files- Allow sbd_t domain to check presence of processes labeled as cluster_t- Dontaudit httpd_sys_script_t to read systemd unit files- Allow blkmapd_t domain to read nvme devices- Update cpucontrol_t domain to make working microcode service- Allow domain transition from logwatch_t do postfix_postqueue_t- Allow chronyc_t domain to create and write to non_security files in case when sysadmin is redirecting output to file e.g: \'chronyc -n tracking > /var/lib/test\'- Allow httpd_sys_script_t domain to mmap httpcontent- Allow sbd_t to manage cgroups_t files- Update wireshark policy to make working tshar labeled as wireshark_t- Update virt_use_nfs boolean to allow svirt_t domain to mmap nfs_t files- Allow sysadm_t domain to create netlink selinux sockets- Make cgdcbxd active in Fedora upstream sources- Allow sysadm_t domain to dbus chat with rtkit daemon- Allow x_userdomains to nnp domain transition to thumb_t domain- Allow unconfined_domain_type to setattr own process lnk files.- Add interface files_write_generic_pid_sockets()- Dontaudit writing to user home dirs by gnome-keyring-daemon- Allow staff and admin domains to setpcap in user namespace- Allow staff and sysadm to use lockdev- Allow staff and sysadm users to run iotop.- Dontaudit traceroute_t domain require sys_admin capability- Dontaudit dbus chat between kernel_t and init_t- Allow systemd labeled as init_t to create mountpoints without any specific label as default_t * Wed Jul 10 2019 Lukas Vrabec - 3.14.4-23- Update dbusd policy and netowrkmanager to allow confined users to connect to vpn over NetworkManager- Fix all interfaces which cannot by compiled because of typos- Allow X userdomains to mmap user_fonts_cache_t dirs * 
Mon Jul 08 2019 Lukas Vrabec - 3.14.4-22- Label /var/kerberos/krb5 as krb5_keytab_t- Allow glusterd_t domain to setpgid- Allow lsmd_t domain to execute /usr/bin/debuginfo-install- Allow sbd_t domain to manage cgroup dirs- Allow opafm_t domain to modify scheduling information of another process.- Allow wireshark_t domain to create netlink netfilter sockets- Allow gpg_agent_t domain to use nsswitch- Allow httpd script types to mmap httpd rw content- Allow dkim_milter_t domain to execute shell BZ(17116937)- Allow sbd_t domain to use nsswitch- Allow rhsmcertd_t domain to send signull to all domains- Allow snort_t domain to create netlink netfilter sockets BZ(1723184)- Dontaudit blueman to read state of all domains on system BZ(1722696)- Allow boltd_t domain to use ps and get state of all domains on system. BZ(1723217)- Allow rtkit_daemon_t to uise sys_ptrace usernamespace capability BZ(1723308)- Replace \"-\" by \"_\" in types names- Change condor_domain declaration in condor_systemctl- Allow firewalld_t domain to read iptables_var_run_t files BZ(1722405)- Allow auditd_t domain to send signals to audisp_remote_t domain- Allow systemd labeled as init_t domain to read/write faillog_t. 
BZ(1723132)- Allow systemd_tmpfiles_t domain to relabel from usermodehelper_t files- Add interface kernel_relabelfrom_usermodehelper()- Dontaudit unpriv_userdomain to manage boot_t files- Allow xdm_t domain to mmap /var/lib/gdm/.cache/fontconfig BZ(1725509)- Allow systemd to execute bootloader grub2-set-bootflag BZ(1722531)- Allow associate efivarfs_t on sysfs_t * Tue Jun 18 2019 Lukas Vrabec - 3.14.4-21- Add vnstatd_var_lib_t to mountpoint attribute BZ(1648864)- cockpit: Support split-out TLS proxy- Allow dkim_milter_t to use shell BZ(1716937)- Create explicit fc rule for mailman executable BZ(1666004)- Update interface networkmanager_manage_pid_files() to allow manage also dirs- Allow dhcpd_t domain to mmap dnssec_t files BZ(1718701)- Add new interface bind_map_dnssec_keys()- Update virt_use_nfs() boolean to allow virt_t to mmap nfs_t files- Allow redis_t domain to read public sssd files- Allow fetchmail_t to connect to dovecot stream sockets BZ(1715569)- Allow confined users to login via cockpit- Allow nfsd_t domain to do chroot becasue of new version of nfsd- Add gpg_agent_roles to system_r roles- Allow qpidd_t domain to getattr all fs_t filesystem and mmap usr_t files- Allow rhsmcertd_t domain to manage rpm cache- Allow sbd_t domain to read tmpfs_t symlinks- Allow ctdb_t domain to manage samba_var_t files/links/sockets and dirs- Allow kadmind_t domain to read home config data- Allow sbd_t domain to readwrite cgroups- Allow NetworkManager_t domain to read nsfs_t files BZ(1715597)- Label /var/log/pacemaker/pacemaker as cluster_var_log_t- Allow certmonger_t domain to manage named cache files/dirs- Allow pcp_pmcd_t domain to domtrans to mdadm_t domain BZ(1714800)- Allow crack_t domain read /et/passwd files- Label fontconfig cache and config files and directories BZ(1659905)- Allow dhcpc_t domain to manage network manager pid files- Label /usr/sbin/nft as iptables_exec_t- Allow userdomain attribute to manage cockpit_ws_t stream sockets- Allow ssh_agent_type to 
read/write cockpit_session_t unnamed pipes- Add interface ssh_agent_signal() * Thu May 30 2019 Lukas Vrabec - 3.14.4-20- Allow pcp_pmcd_t domain to domtrans to mdadm_t domain BZ(1714800)- Allow spamd_update_t to exec itsef- Fix broken logwatch SELinux module- Allow logwatch_mail_t to manage logwatch cache files/dirs- Update wireshark_t domain to use several sockets- Allow sysctl_rpc_t and sysctl_irq_t to be stored on fs_t * Mon May 27 2019 Lukas Vrabec - 3.14.4-19- Fix bind_read_cache() interface to allow only read perms to caller domains- [speech-dispatcher.if] m4 macro names can not have - in them- Grant varnishlog_t access to varnishd_etc_t- Allow nrpe_t domain to read process state of systemd_logind_t- Allow mongod_t domain to connect on https port BZ(1711922)- Allow chronyc_t domain to create own tmpfiles and allow communicate send data over unix dgram sockets- Dontaudit spamd_update_t domain to read all domains states BZ(1711799)- Allow pcp_pmie_t domain to use sys_ptrace usernamespace cap BZ(1705871)- Allow userdomains to send data over dgram sockets to userdomains dbus services BZ(1710119)- Revert \"Allow userdomains to send data over dgram sockets to userdomains dbus services BZ(1710119)\"- Make boinc_var_lib_t mountpoint BZ(1711682)- Allow wireshark_t domain to create fifo temp files- All NetworkManager_ssh_t rules have to be in same optional block with ssh_basic_client_template(), fixing this bug in NetworkManager policy- Allow dbus chat between NetworkManager_t and NetworkManager_ssh_t domains. 
BZ(1677484)- Fix typo in gpg SELinux module- Update gpg policy to make ti working with confined users- Add domain transition that systemd labeled as init_t can execute spamd_update_exec_t binary to run newly created process as spamd_update_t- Remove allow rule for virt_qemu_ga_t to write/append user_tmp_t files- Label /var/run/user/ */dbus-1 as session_dbusd_tmp_t- Add dac_override capability to namespace_init_t domain- Label /usr/sbin/corosync-qdevice as cluster_exec_t- Allow NetworkManager_ssh_t domain to open communication channel with system dbus. BZ(1677484)- Label /usr/libexec/dnf-utils as debuginfo_exec_t- Alow nrpe_t to send signull to sssd domain when nagios_run_sudo boolean is turned on- Allow nrpe_t domain to be dbus cliennt- Add interface sssd_signull()- Build in parallel on Travis- Fix parallel build of the policy- Revert \"Make able deply overcloud via neutron_t to label nsfs as fs_t\"- Add interface systemd_logind_read_state()- Fix find commands in Makefiles- Allow systemd-timesyncd to read network state BZ(1694272)- Update userdomains to allow confined users to create gpg keys- Allow associate all filesystem_types with fs_t- Dontaudit syslogd_t using kill in unamespaces BZ(1711122)- Allow init_t to manage session_dbusd_tmp_t dirs- Allow systemd_gpt_generator_t to read/write to clearance- Allow su_domain_type to getattr to /dev/gpmctl- Update userdom_login_user_template() template to make working systemd user session for guest and xguest SELinux users * Fri May 17 2019 Lukas Vrabec - 3.14.4-18- Fix typo in gpg SELinux module- Update gpg policy to make ti working with confined users- Add domain transition that systemd labeled as init_t can execute spamd_update_exec_t binary to run newly created process as spamd_update_t- Remove allow rule for virt_qemu_ga_t to write/append user_tmp_t files- Label /var/run/user/ */dbus-1 as session_dbusd_tmp_t- Add dac_override capability to namespace_init_t domain- Label /usr/sbin/corosync-qdevice as cluster_exec_t- 
Allow NetworkManager_ssh_t domain to open communication channel with system dbus. BZ(1677484)- Label /usr/libexec/dnf-utils as debuginfo_exec_t- Alow nrpe_t to send signull to sssd domain when nagios_run_sudo boolean is turned on- Allow nrpe_t domain to be dbus cliennt- Add interface sssd_signull()- Label /usr/bin/tshark as wireshark_exec_t- Update userdomains to allow confined users to create gpg keys- Allow associate all filesystem_types with fs_t- Dontaudit syslogd_t using kill in unamespaces BZ(1711122)- Allow init_t to manage session_dbusd_tmp_t dirs- Allow systemd_gpt_generator_t to read/write to clearance- Allow su_domain_type to getattr to /dev/gpmctl- Update userdom_login_user_template() template to make working systemd user session for guest and xguest SELinux users * Fri May 17 2019 Lukas Vrabec - 3.14.4-17- Alow nrpe_t to send signull to sssd domain when nagios_run_sudo boolean is turned on- Allow nrpe_t domain to be dbus cliennt- Add interface sssd_signull()- Label /usr/bin/tshark as wireshark_exec_t- Fix typo in dbus_role_template()- Allow userdomains to send data over dgram sockets to userdomains dbus services BZ(1710119)- Allow userdomains dbus domain to execute dbus broker. 
BZ(1710113)- Allow dovedot_deliver_t setuid/setgid capabilities BZ(1709572)- Allow virt domains to access xserver devices BZ(1705685)- Allow aide to be executed by systemd with correct (aide_t) domain BZ(1648512)- Dontaudit svirt_tcg_t domain to read process state of libvirt BZ(1594598)- Allow pcp_pmie_t domain to use fsetid capability BZ(1708082)- Allow pcp_pmlogger_t to use setrlimit BZ(1708951)- Allow gpsd_t domain to read udev db BZ(1709025)- Add sys_ptrace capaiblity for namespace_init_t domain- Allow systemd to execute sa-update in spamd_update_t domain BZ(1705331)- Allow rhsmcertd_t domain to read rpm cache files- Label /efi same as /boot/efi boot_t BZ(1571962)- Allow transition from udev_t to tlp_t BZ(1705246)- Remove initrc_exec_t for /usr/sbin/apachectl file * Fri May 03 2019 Lukas Vrabec - 3.14.4-16- Add fcontext for apachectl util to fix missing output when executed \"httpd -t\" from this script. * Thu May 02 2019 Lukas Vrabec - 3.14.4-15- Allow iscsid_t domain to mmap modules_dep_t files- Allow ngaios to use chown capability- Dontaudit gpg_domain to create netlink_audit sockets- Remove role transition in rpm_run() interface to allow sysadm_r jump to rpm_t type. 
BZ(1704251)- Allow dirsrv_t domain to execute own tmp files BZ(1703111)- Update fs_rw_cephfs_files() interface to allow also caller domain to read/write cephpfs_t lnk files- Update domain_can_mmap_files() boolean to allow also mmap lnk files- Improve userdom interfaces to drop guest_u SELinux user to use nsswitch * Fri Apr 26 2019 Lukas Vrabec - 3.14.4-14- Allow transition from cockpit_session to unpriv user domains * Thu Apr 25 2019 Lukas Vrabec - 3.14.4-13- Introduce deny_bluetooth boolean- Allow greylist_milter_t to read network system state BZ(1702672)- Allow freeipmi domains to mmap freeipmi_var_cache_t files- Allow rhsmcertd_t and rpm_t domains to chat over dbus- Allow thumb_t domain to delete cache_home_t files BZ(1701643)- Update gnome_role_template() to allow _gkeyringd_t domains to chat with systemd_logind over dbus- Add new interface boltd_dbus_chat()- Allow fwupd_t and modemmanager_t domains to communicate over dbus BZ(1701791)- Allow keepalived_t domain to create and use netlink_connector sockets BZ(1701750)- Allow cockpit_ws_t domain to set limits BZ(1701703)- Update Nagios policy when sudo is used- Deamon rhsmcertd is able to install certs for docker again- Introduce deny_bluetooth boolean- Don\'t allow a container to connect to random services- Remove file context /usr/share/spamassassin/sa-update\\.cron -> bin_t to label sa-update.cron as spamd_update_exec_t.- Allow systemd_logind_t and systemd_resolved_t domains to chat over dbus- Allow unconfined_t to use bpf tools- Allow x_userdomains to communicate with boltd daemon over dbus * Fri Apr 19 2019 Lukas Vrabec - 3.14.4-12- Fix typo in cups SELinux policy- Allow iscsid_t to read modules deps BZ(1700245)- Allow cups_pdf_t domain to create cupsd_log_t dirs in /var/log BZ(1700442)- Allow httpd_rotatelogs_t to execute generic binaries- Update system_dbus policy because of dbus-broker-20-2- Allow httpd_t doman to read/write /dev/zero device BZ(1700758)- Allow tlp_t domain to read module deps files 
BZ(1699459)- Add file context for /usr/lib/dotnet/dotnet- Update dev_rw_zero() interface by adding map permission- Allow bounded transition for executing init scripts * Fri Apr 12 2019 Lukas Vrabec - 3.14.4-11- Allow mongod_t domain to lsearch in cgroups BZ(1698743)- Allow rngd communication with pcscd BZ(1679217)- Create cockpit_tmpfs_t and allow cockpit ws and session to use it BZ(1698405)- Fix broken networkmanager interface for allowing manage lib files for dnsmasq_t.- Update logging_send_audit_msgs(sudodomain() to control TTY auditing for netlink socket for audit service * Tue Apr 09 2019 Lukas Vrabec - 3.14.4-10- Allow systemd_modules_load to read modules_dep_t files- Allow systemd labeled as init_t to setattr on unallocated ttys BZ(1697667) * Mon Apr 08 2019 Lukas Vrabec - 3.14.4-9- Merge #18 `Add check for config file consistency`- Allow tlp_t domain also write to nvme_devices block devices BZ(1696943)- Fix typo in rhsmcertd SELinux module- Allow dnsmasq_t domain to manage NetworkManager_var_lib_t files- Allow rhsmcertd_t domain to read yum.log file labeled as rpm_log_t- Allow unconfined users to use vsock unlabeled sockets- Add interface kernel_rw_unlabeled_vsock_socket()- Allow unconfined users to use smc unlabeled sockets- Add interface kernel_rw_unlabeled_smc_socket- Allow systemd_resolved_t domain to read system network state BZ(1697039)- Allow systemd to mounton kernel sysctls BZ(1696201)- Add interface kernel_mounton_kernel_sysctl() BZ(1696201)- Allow systemd to mounton several systemd direstory to increase security of systemd Resolves: rhbz#1696201 * Fri Apr 05 2019 Lukas Vrabec - 3.14.4-8- Allow systemd to mounton several systemd direstory to increase security of systemdResolves: rhbz#1696201 * Wed Apr 03 2019 Lukas Vrabec - 3.14.4-7- Allow fontconfig file transition for xguest_u user- Add gnome_filetrans_fontconfig_home_content interface- Add permissions needed by systemd\'s machinectl shell/login- Update SELinux policy for xen services- Add 
dac_override capability for kdumpctl_t process domain- Allow chronyd_t domain to exec shell- Fix varnisncsa typo- Allow init start freenx-server BZ(1678025)- Create logrotate_use_fusefs boolean- Add tcpd_wrapped_domain for telnetd BZ(1676940)- Allow tcpd bind to services ports BZ(1676940)- Update mysql_filetrans_named_content() to allow cluster to create mysql dirs in /var/run with proper label mysqld_var_run_t- Make shell_exec_t type as entrypoint for vmtools_unconfined_t.- Merge branch \'rawhide\' of github.com:fedora-selinux/selinux-policy-contrib into rawhide- Allow virtlogd_t domain to create virt_etc_rw_t files in virt_etc_t- Allow esmtp access .esmtprc BZ(1691149)- Merge branch \'rawhide\' of github.com:fedora-selinux/selinux-policy-contrib into rawhide- Allow tlp_t domain to read nvme block devices BZ(1692154)- Add support for smart card authentication in cockpit BZ(1690444)- Add permissions needed by systemd\'s machinectl shell/login- Allow kmod_t domain to mmap modules_dep_t files.- Allow systemd_machined_t dac_override capability BZ(1670787)- Update modutils_read_module_deps_files() interface to also allow mmap module_deps_t files- Allow unconfined_domain_type to use bpf tools BZ(1694115)- Revert \"Allow unconfined_domain_type to use bpf tools BZ(1694115)\"- Merge branch \'rawhide\' of github.com:fedora-selinux/selinux-policy into rawhide- Allow unconfined_domain_type to use bpf tools BZ(1694115)- Allow init_t read mnt_t symlinks BZ(1637070)- Update dev_filetrans_all_named_dev() interface- Allow xdm_t domain to execmod temp files BZ(1686675)- Revert \"Allow xdm_t domain to create own tmp files BZ(1686675)\"- Allow getty_t, local_login_t, chkpwd_t and passwd_t to use usbttys. BZ(1691582)- Allow confined users labeled as staff_t to run iptables.- Merge branch \'rawhide\' of github.com:fedora-selinux/selinux-policy into rawhide- Allow xdm_t domain to create own tmp files BZ(1686675)- Add miscfiles_dontaudit_map_generic_certs interface.