SEARCH
NEW RPMS
DIRECTORIES
ABOUT
FAQ
VARIOUS
BLOG

 
 
Changelog for selinux-policy-minimum-34.27-1.fc34.noarch.rpm :

* Mon Apr 11 2022 Zdenek Pytela - 34.27-1- Add the io_uring class- Add mctp_socket security class and access vectors- Remove unused security socket classes from socket_class_set- Allow iptables list cgroup directories- Fix koji repo URL pattern
* Tue Feb 15 2022 Zdenek Pytela - 34.26-1- Allow alsa bind mixer controls to led triggers- Allow sandbox_web_client_t watch various dirs- Add the map permission to common_anon_inode_perm permission set- Rename userfaultfd_anon_inode_perms to common_inode_perms- Allow tlp get service units status- Allow login_userdomain write to session_dbusd tmp socket files
* Tue Feb 01 2022 Zdenek Pytela - 34.25-1- Allow alsactl set group Process ID of a process- Allow init delete generic tmp named pipes- Allow xdm watch generic directories in /var/lib- Allow tumblerd write to session_dbusd tmp socket files- Label /var/run/user/%{USERID}/dbus with session_dbusd_tmp_t- Make cupsd_lpd_t a daemon
* Mon Jan 17 2022 Zdenek Pytela - 34.24-1- Allow systemd-coredump read and write usermodehelper state- Allow login_userdomain watch systemd-machined PID directories- Allow login_userdomain watch systemd-logind PID directories- Allow login_userdomain watch accountsd lib directories- Allow login_userdomain watch localization directories- Allow login_userdomain watch various files and dirs- Allow login_userdomain watch generic directories in /tmp- Allow login_userdomain create session_dbusd tmp socket files- Allow gkeyringd_domain write to session_dbusd tmp socket files- Allow systemd-logind delete session_dbusd tmp socket files- Allow gdm-x-session write to session dbus tmp sock files- Allow systemd-logind destroy unconfined user\'s IPC objects
* Thu Jan 06 2022 Zdenek Pytela - 34.23-1- Allow admin userdomains use socketpair()- Allow userdomains use pam_ssh_agent_auth for passwordless sudo- Allow sandbox_xserver_t map sandbox_file_t- Add erofs as a SELinux capable file system- Update CI/COPR scripts for the f34 branch
* Mon Oct 18 2021 Zdenek Pytela - 34.22-1- Add write permisson to userfaultfd_anon_inode_perms- Allow unconfined_t transition to mozilla_plugin_t with NoNewPrivileges- Add default file context for /run/gssproxy.default.sock- Allow xdm_t watch fonts directories- Allow xdm_t watch generic directories in /lib- Allow xdm_t watch generic pid directories
* Thu Sep 23 2021 Zdenek Pytela - 34.21-1- Add bluetooth-related permissions into a tunable block- Allow gnome at-spi processes create and use stream sockets- Allow usbmuxd get attributes of tmpfs_t filesystems- Allow fprintd install a sleep delay inhibitor- Allow collectd get attributes of infiniband devices- Allow collectd create and user netlink rdma socket- Allow collectd map packet_socket- Allow snort create and use blootooth socket- Allow systemd watch and watch_reads console devices- Allow snort create and use generic netlink socket- Allow NetworkManager dbus chat with fwupd- Allow unconfined domains read/write domain perf_events- Allow scripts to enter LUKS password- Update mount_manage_pid_files() to use manage_files_pattern- Support hitless reloads feature in haproxy- Allow haproxy list the sysfs directories content- Allow gnome at-spi processes get attributes of tmpfs filesystems- Allow unbound connectto unix_stream_socket- Allow rhsmcertd_t dbus chat with anaconda install_t
* Thu Sep 16 2021 Zdenek Pytela - 34.20-1- cleanup unused codes- Fix typo in the gnome_exec_atspi() interface summary- Allow xdm execute gnome-atspi services- Allow gnome at-spi processes execute dbus-daemon in caller domain- Allow xdm watch dbus configuration- Allow xdm execute dbus-daemon in the caller domain- Revert \"Allow xdm_t transition to system_dbusd_t\"- Allow at-spi-bus-launcher read and map xdm pid files- Allow dhcpcd set its resource limits- Allow systemd-sleep get removable devices attributes- Allow usbmuxd get attributes of fs_t filesystems
* Thu Sep 09 2021 Zdenek Pytela - 34.19-1- Update the dhcp client local policy- Allow firewalld load kernel modules- Allow postfix_domain to sendto unix dgram sockets.- Allow systemd watch unallocated ttys
* Tue Sep 07 2021 Zdenek Pytela - 34.18-1- Allow ModemManager create a qipcrtr socket- Allow ModemManager request to load a kernel module- Label /usr/sbin/virtproxyd as virtd_exec_t- Allow communication between at-spi and gdm processes- Update ica_filetrans_named_content() with create_file_perms- Fix the gnome_atspi_domtrans() interface summary
* Fri Aug 27 2021 Zdenek Pytela - 34.17-2- Relabel /var/lib/rpm explicitly- Revert \"Relabel /dev/dma_heap explicitly\"- Add ica module to modules-targeted-contrib.conf
* Fri Aug 27 2021 Zdenek Pytela - 34.17-1- Add support for at-spi- Add permissions for system dbus processes- Allow various domains work with ICA crypto accelerator- Add ica module- Revert \"Support using ICA crypto accelerator on s390x arch\"- Allow systemd to delete fwupd var cache files- Allow vmtools_unconfined_t domain transition to rpm_script_t- Allow dirsrv read slapd tmpfs files- Revert \"Label /dev/shm/dirsrv/ with dirsrv_tmpfs_t label\"- Rename samba_exec() to samba_exec_net()- Support using ICA crypto accelerator on s390x arch- Allow systemd delete /run/systemd/default-hostname- Allow tcpdump read system state information in /proc- Allow rhsmcertd to create cache file in /var/cache/cloud-what- Allow D-bus communication between avahi and sosreport- Label /usr/libexec/gdm-runtime-config with xdm_exec_t- Allow lldpad send to kdumpctl over a unix dgram socket- Revert \"Allow lldpad send to kdump over a unix dgram socket\"- Allow chronyc respond to a user chronyd instance- Allow ptp4l respond to pmc- Allow lldpad send to unconfined_t over a unix dgram socket- Allow sssd to set samba setting
* Thu Aug 12 2021 Zdenek Pytela - 34.16-1- Allow systemd-timesyncd watch system dbus pid socket files- Allow firewalld drop capabilities- Allow rhsmcertd execute gpg- Allow lldpad send to kdump over a unix dgram socket- Allow systemd-gpt-auto-generator read udev pid files- Set default file context for /sys/firmware/efi/efivars- Allow tcpdump run as a systemd service- Allow nmap create and use netlink generic socket- Allow nscd watch system db files in /var/db- Allow cockpit_ws_t get attributes of fs_t filesystems- Allow sysadm acces to kernel module resources- Allow sysadm to read/write scsi files and manage shadow- Allow sysadm access to files_unconfined and bind rpc ports- Allow sysadm read and view kernel keyrings- Allow journal mmap and read var lib files- Allow tuned to read rhsmcertd config files- Allow bootloader to read tuned etc files- Label /usr/bin/qemu-storage-daemon with virtd_exec_t
* Fri Aug 06 2021 Zdenek Pytela - 34.15-1- Disable seccomp on CI containers- Allow systemd-machined stop generic service units- Allow virtlogd_t read process state of user domains- Add \"/\" at the beginning of dev/shm/var\\.lib\\.opencryptoki.
* regexp- Label /dev/crypto/nx-gzip with accelerator_device_t- Update the policy for systemd-journal-upload- Allow unconfined domains to bpf all other domains- Confine rhsm service and rhsm-facts service as rhsmcertd_t- Allow fcoemon talk with unconfined user over unix domain datagram socket- Allow abrt_domain read and write z90crypt device- Allow mdadm read iscsi pid files- Change dev_getattr_infiniband_dev() to use getattr_chr_files_pattern()- Label /usr/lib/pcs/pcs_snmp_agent with cluster_exec_t- Allow hostapd bind UDP sockets to the dhcpd port- Unconfined domains should not be confined
* Wed Jul 14 2021 Zdenek Pytela - 34.14-1- Revert \"update libs_filetrans_named_content() to have support for /usr/lib/debug directory\"- Remove references to init_watch_path_type attribute- Remove all redundant watch permissions for systemd- Allow systemd watch non_security_file_type dirs, files, lnk_files- Removed adding to attribute unpriv_userdomain from userdom_unpriv_type template- Allow bacula get attributes of cgroup filesystems- Allow systemd-journal-upload watch logs and journal- Create a policy for systemd-journal-upload- Allow tcpdump and nmap get attributes of infiniband_device_t- Allow arpwatch get attributes of infiniband_device_t devices- Label /dev/wmi/dell-smbios as acpi_device_t
* Thu Jul 01 2021 Zdenek Pytela - 34.13-1- Allow radius map its library files- Allow nftables read NetworkManager unnamed pipes- Allow logrotate rotate container log files
* Tue Jun 22 2021 Zdenek Pytela - 34.12-2- Add a systemd service to check that SELinux is disabled properly- specfile: Add unowned dir to the macro- Relabel /dev/dma_heap explicitly
* Mon Jun 21 2021 Zdenek Pytela - 34.12-1- Label /dev/dma_heap/
* char devices with dma_device_t- Revert \"Label /dev/dma_heap/
* char devices with dma_device_t\"- Revert \"Label /dev/dma_heap with dma_device_dir_t\"- Revert \"Associate dma_device_dir_t with device filesystem\"- Add the lockdown integrity permission to dev_map_userio_dev()- Allow systemd-modules-load read/write tracefs files- Allow sssd watch /run/systemd- Label /usr/bin/arping plain file with netutils_exec_t- Label /run/fsck with fsadm_var_run_t- Label /usr/bin/Xwayland with xserver_exec_t- Allow systemd-timesyncd watch dbus runtime dir- Allow asterisk watch localization files- Allow iscsid read all process stat- iptables.fc: Add missing legacy-restore and legacy-save entries- Label /run/libvirt/common with virt_common_var_run_t- Label /.k5identity file allow read of this file to rpc.gssd- Make usbmuxd_t a daemon
* Wed Jun 09 2021 Zdenek Pytela - 34.11-1- Allow sanlock get attributes of cgroup filesystems- Associate dma_device_dir_t with device filesystem- Set default file context for /var/run/systemd instead of /run/systemd- Allow nmap create and use rdma socket- Allow pkcs-slotd create and use netlink_kobject_uevent_socket
* Sun Jun 06 2021 Zdenek Pytela - 34.10-1- Allow using opencryptoki for ipsec- Allow using opencryptoki for certmonger- Label var.lib.opencryptoki.
* files and create pkcs_tmpfs_filetrans()- Label /dev/dma_heap with dma_device_dir_t- Allow syslogd watch non security dirs conditionally- Introduce logging_syslogd_list_non_security_dirs tunable- Remove openhpi module- Allow udev to watch fixed disk devices- Allow httpd_sys_script_t read, write, and map hugetlbfs files- Allow apcupsd get attributes of cgroup filesystems
* Thu May 27 2021 Zdenek Pytela - 34.9-1- Add kerberos object filetrans for nsswitchdomain- Allow fail2ban watch various log files- Add logging_watch_audit_log_files() and logging_watch_audit_log_dirs()- Remove further modules recently removed from refpolicy- Remove modules not shipped and not present in refpolicy- Revert \"Add permission open to files_read_inherited_tmp_files() interface\"- Revert \"Allow pcp_pmlogger_t to use setrlimit BZ(1708951)\"- Revert \"Dontaudit logrotate to setrlimit itself. rhbz#1309604\"- Revert \"Allow cockpit_ws_t domain to set limits BZ(1701703)\"- Dontaudit setrlimit for domains that exec systemctl- Allow kdump_t net_admin capability- Allow nsswitch_domain read init pid lnk_files- Label /dev/trng with random_device_t- Label /run/systemd/default-hostname with hostname_etc_t- Add default file context specification for dnf log files- Label /dev/zram[0-9]+ block device files with fixed_disk_device_t- Label /dev/udmabuf character device with dma_device_t- Label /dev/dma_heap/
* char devices with dma_device_t- Label /dev/acpi_thermal_rel char device with acpi_device_t
* Thu May 20 2021 Zdenek Pytela - 34.8-1- Allow local_login_t nnp_transition to login_userdomain- Allow asterisk watch localization symlinks- Allow NetworkManager_t to watch /etc- Label /var/lib/kdump with kdump_var_lib_t- Allow amanda get attributes of cgroup filesystems- Allow sysadm_t nnp_domtrans to systemd_tmpfiles_t- Allow install_t nnp_domtrans to setfiles_mac_t- Allow fcoemon create sysfs files
* Thu May 13 2021 Zdenek Pytela - 34.7-1- Allow tgtd read and write infiniband devices- Add a comment on virt_sandbox booleans with empty content- Deprecate duplicate dev_write_generic_sock_files() interface- Allow vnstatd_t map vnstatd_var_lib_t files- Allow privoxy execmem- Allow pmdakvm read information from the debug filesystem- Add lockdown integrity into kernel_read_debugfs() and kernel_manage_debugfs()- Add permissions to delete lnk_files into gnome_delete_home_config()- Remove rules for inotifyfs- Remove rules for anon_inodefs- Allow systemd nnp_transition to login_userdomain- Allow unconfined_t write other processes perf_event records- Allow sysadm_t dbus chat with tuned- Allow tuned write profile files with file transition- Allow tuned manage perf_events- Make domains use kernel_write_perf_event() and kernel_manage_perf_event()
* Fri May 07 2021 Zdenek Pytela - 34.6-1- Make domains use kernel_write_perf_event() and kernel_manage_perf_event()- Add kernel_write_perf_event() and kernel_manage_perf_event()- Allow syslogd_t watch root and var directories- Allow unconfined_t read other processes perf_event records- Allow login_userdomain read and map /var/lib/systemd files- Allow NetworkManager watch its config dir- Allow NetworkManager read and write z90crypt device- Allow tgtd create and use rdma socket- Allow aide connect to init with a unix socket
* Tue May 04 2021 Zdenek Pytela - 34.5-1- Grant execmem to varnishlog_t- We no longer need signull for varnishlog_t- Add map permission to varnishd_read_lib_files- Allow systemd-sleep tlp_filetrans_named_content()- Allow systemd-sleep execute generic programs- Allow systemd-sleep execute shell- Allow to sendmail read/write kerberos host rcache files- Allow freshclam get attributes of cgroup filesystems- Fix context of /run/systemd/timesync- Allow udev create /run/gdm with proper type- Allow chronyc socket file transition in user temp directory- Allow virtlogd_t to create virt_var_lockd_t dir- Allow pluto IKEv2 / ESP over TCP
* Tue Apr 27 2021 Zdenek Pytela - 34.4-1- Allow domain create anonymous inodes- Add anon_inode class to the policy- Allow systemd-coredump getattr nsfs files and net_admin capability- Allow systemd-sleep transition to sysstat_t- Allow systemd-sleep transition to tlp_t- Allow systemd-sleep transition to unconfined_service_t on bin_t executables- Allow systemd-timedated watch runtime dir and its parent- Allow system dbusd read /var/lib symlinks- Allow unconfined_service_t confidentiality and integrity lockdown- Label /var/lib/brltty with brltty_var_lib_t- Allow domain and unconfined_domain_type watch /proc/PID dirs- Additional permission for confined users loging into graphic session- Make for screen fsetid/setuid/setgid permission conditional- Allow for confined users acces to wtmp and run utempter
* Fri Apr 09 2021 Zdenek Pytela - 34.3-1- Label /etc/redis as redis_conf_t- Add brltty new permissions required by new upstream version- Allow cups-lpd read its private runtime socket files- Dontaudit daemon open and read init_t file- Add file context specification for /var/tmp/tmp-inst- Allow brltty create and use bluetooth_socket- Allow usbmuxd get attributes of cgroup filesystems
* Tue Apr 06 2021 Zdenek Pytela - 34.2-1- Allow usbmuxd get attributes of cgroup filesystems- Allow accounts-daemon get attributes of cgroup filesystems- Allow pool-geoclue get attributes of cgroup filesystems- allow systemd-sleep to set timer for suspend-then-hibernate- Allow aide connect to systemd-userdbd with a unix socket- Add new interfaces with watch_mount and watch_with_perm permissions- Add file context specification for /usr/libexec/realmd- Allow /tmp file transition for dbus-daemon also for sock_file- Allow login_userdomain create cgroup files- Allow plymouthd_t exec generic program in bin directories
* Thu Apr 01 2021 Zdenek Pytela - 34.1-1- Change the package versioning
* Thu Apr 01 2021 Zdenek Pytela - 3.14.7-30- Allow plymouthd_t exec generic program in bin directories- Allow dhcpc_t domain transition to chronyc_t- Allow login_userdomain bind xmsg port- Allow ibacm the net_raw and sys_rawio capabilities- Allow nsswitch_domain read cgroup files- Allow systemd-sleep create hardware state information files
* Mon Mar 29 2021 Zdenek Pytela - 3.14.7-29- Add watch_with_perm_dirs_pattern file pattern
* Fri Mar 26 2021 Zdenek Pytela - 3.14.7-28- Allow arpwatch_t create netlink generic socket- Allow postgrey read network state- Add watch_mount_dirs_pattern file pattern- Allow bluetooth_t dbus chat with fwupd_t- Allow xdm_t watch accountsd lib directories- Add additional interfaces for watching /boot- Allow sssd_t get attributes of tmpfs filesystems- Allow local_login_t get attributes of tmpfs filesystems
* Tue Mar 23 2021 Zdenek Pytela - 3.14.7-27- Dontaudit domain the fowner capability- Extend fs_manage_nfsd_fs() to allow managing dirs as well- Allow spice-vdagentd watch systemd-logind session dirs
* Fri Mar 19 2021 Zdenek Pytela - 3.14.7-26- Allow xdm_t watch systemd-logind session dirs- Allow xdm_t transition to system_dbusd_t- Allow confined users login into graphic session- Allow login_userdomain watch systemd login session dirs- install_t: Allow NoNewPriv transition from systemd- Remove setuid/setgid capabilities from mysqld_t- Add context for new mariadbd executable files- Allow netutils_t create netlink generic socket- Allow systemd the audit_control capability conditionally
* Thu Mar 11 2021 Zdenek Pytela - 3.14.7-25- Allow polkit-agent-helper-1 read logind sessions files- Allow polkit-agent-helper read init state- Allow login_userdomain watch generic device dirs- Allow login_userdomain listen on bluetooth sockets- Allow user_t and staff_t bind netlink_generic_socket- Allow login_userdomain write inaccessible nodes- Allow transition from xdm domain to unconfined_t domain.- Add \'make validate\' step to CI- Disallow user_t run su/sudo and staff_t run su- Fix typo in rsyncd.conf in rsync.if- Add an alias for nvme_device_t- Allow systemd watch and watch_reads unallocated ttys
* Tue Mar 02 2021 Zdenek Pytela - 3.14.7-24- Allow apmd watch generic device directories- Allow kdump load a new kernel- Add confidentiality lockdown permission to kernel_read_core_if()- Allow keepalived read nsfs files- Allow local_login_t get attributes of filesystems with ext attributes- Allow keepalived read/write its private memfd: objects- Add missing declaration in rpm_named_filetrans()- Change param description in cron interfaces to userdomain_prefix
* Tue Feb 23 2021 Zdenek Pytela - 3.14.7-23- iptables.fc: Add missing legacy entries- iptables.fc: Remove some duplicate entries- iptables.fc: Remove duplicate file context entries- Allow libvirtd to create generic netlink sockets- Allow libvirtd the fsetid capability- Allow libvirtd to read /run/utmp- Dontaudit sys_ptrace capability when calling systemctl- Allow udisksd to read /dev/random- Allow udisksd to watch files under /run/mount- Allow udisksd to watch /etc- Allow crond to watch user_cron_spool_t directories- Allow accountsd watch xdm config directories- Label /etc/avahi with avahi_conf_t- Allow sssd get cgroup filesystems attributes and search cgroup dirs- Allow systemd-hostnamed read udev runtime data- Remove dev_getattr_sysfs_fs() interface calls for particular domains- Allow domain stat the /sys filesystem- Dontaudit NetworkManager write to initrc_tmp_t pipes- policykit.te: Clean up watch rule for policykit_auth_t- Revert further unnecessary watch rules- Revert \"Allow getty watch its private runtime files\"- Allow systemd watch generic /var directories- Allow init watch network config files and lnk_files
* Fri Feb 19 2021 Zdenek Pytela - 3.14.7-22- Allow systemd-sleep get attributes of fixed disk device nodes- Complete initial policy for systemd-coredump- Label SDC(scini) Dell Driver- Allow upowerd to send syslog messages- Remove the disk write permissions from tlp_t- Label NVMe devices as fixed_disk_device_t- Allow rhsmcertd bind tcp sockets to a generic node- Allow systemd-importd manage machines.lock file- Allow unconfined integrity lockdown permission- Relocate confidentiality lockdown rule from unconfined_domain_type to unconfined- Allow systemd-machined manage systemd-userdbd runtime sockets- Enable systemd-sysctl domtrans for udev- Introduce kernel_load_unsigned_module interface and use it for couple domains- Allow gpg watch user gpg secrets dirs- Build also the container module in CI- Remove duplicate code from kernel.te- Allow restorecond to watch all non-auth directories- Allow restorecond to watch its config file
* Tue Feb 16 2021 Zdenek Pytela - 3.14.7-21- Allow unconfined integrity lockdown permission- Relocate confidentiality lockdown rule from unconfined_domain_type to unconfined- Allow systemd-machined manage systemd-userdbd runtime sockets- Enable systemd-sysctl domtrans for udev- Introduce kernel_load_unsigned_module interface and use it for couple domains- Allow gpg watch user gpg secrets dirs- Build also the container module in CI- Remove duplicate code from kernel.te- Allow restorecond to watch all non-auth directories- Allow restorecond to watch its config file
* Fri Feb 12 2021 Zdenek Pytela - 3.14.7-20- Allow userdomain watch various filesystem objects- Allow systemd-logind and systemd-sleep integrity lockdown permission- Allow unconfined_t and kprop_t to create krb5_0.rcache2 with the right context- Allow pulseaudio watch devices and systemd-logind session dirs- Allow abrt-dump-journal-
* watch generic log dirs and /run/log/journal dir- Remove duplicate files_mounton_etc(init_t) call- Add watch permissions to manage_
* object permissions sets- Allow journalctl watch generic log dirs and /run/log/journal dir- Label /etc/resolv.conf as net_conf_t even when it\'s a symlink- Allow SSSD to watch /var/run/NetworkManager- Allow dnsmasq_t to watch /etc- Remove unnecessary lines from the new watch interfaces- Fix docstring for init_watch_dir()- Allow xdm watch its private lib dirs, /etc, /usr
* Fri Feb 12 2021 Zdenek Pytela - 3.14.7-19- Bump version as Fedora 34 has been branched off rawhide- Allow xdm watch its private lib dirs, /etc, /usr- Allow systemd-importd create /run/systemd/machines.lock file- Allow rhsmcertd_t read kpatch lib files- Add integrity lockdown permission into dev_read_raw_memory()- Add confidentiality lockdown permission into fs_rw_tracefs_files()- Allow gpsd read and write ptp4l_t shared memory.- Allow colord watch its private lib files and /usr- Allow init watch_reads mount PID files- Allow IPsec and Certmonger to use opencryptoki services
* Sun Feb 07 2021 Zdenek Pytela - 3.14.7-18- Allow lockdown confidentiality for domains using perf_event- define lockdown class and access- Add perfmon capability for all domains using perf_event- Allow ptp4l_t bpf capability to run bpf programs- Revert \"Allow ptp4l_t sys_admin capability to run bpf programs\"- access_vectors: Add new capabilities to cap2- Allow systemd and systemd-resolved watch dbus pid objects- Add new watch interfaces in the base and userdomain policy- Add watch permissions for contrib packages- Allow xdm watch /usr directories- Allow getty watch its private runtime files- Add watch permissions for nscd and sssd- Add watch permissions for firewalld and NetworkManager- Add watch permissions for syslogd- Add watch permissions for systemd services- Allow restorecond watch /etc dirs- Add watch permissions for user domain types- Add watch permissions for init- Add basic watch interfaces for systemd- Add basic watch interfaces to the base module- Add additional watch object permissions sets and patterns- Allow init_t to watch localization symlinks- Allow init_t to watch mount directories- Allow init_t to watch cgroup files- Add basic watch patterns- Add new watch
* permissions
* Fri Feb 05 2021 Zdenek Pytela - 3.14.7-17- Update .copr/make-srpm.sh to use rawhide as DISTGIT_BRANCH- Dontaudit setsched for rndc- Allow systemd-logind destroy entries in message queue- Add userdom_destroy_unpriv_user_msgq() interface- ci: Install build dependencies from koji- Dontaudit vhostmd to write in /var/lib/rpm/ dir and allow signull rpm- Add new cmadmin port for bfdd dameon- virtiofs supports Xattrs and SELinux- Allow domain write to systemd-resolved PID socket files- Label /var/run/pcsd-ruby.socket socket with cluster_var_run_t type- Allow rhsmcertd_t domain transition to kpatch_t- Revert \"Add kpatch_exec() interface\"- Revert \"Allow rhsmcertd execute kpatch\"- Allow openvswitch create and use xfrm netlink sockets- Allow openvswitch_t perf_event write permission- Add kpatch_exec() interface- Allow rhsmcertd execute kpatch- Adds rule to allow glusterd to access RDMA socket- radius: Lexical sort of service-specific corenet rules by service name- VQP: Include IANA-assigned TCP/1589- radius: Allow binding to the VQP port (VMPS)- radius: Allow binding to the BDF Control and Echo ports- radius: Allow binding to the DHCP client port- radius: Allow net_raw; allow binding to the DHCP server ports- Add rsync_sys_admin tunable to allow rsync sys_admin capability- Allow staff_u run pam_console_apply- Allow openvswitch_t perf_event open permission- Allow sysadm read and write /dev/rfkill- Allow certmonger fsetid capability- Allow domain read usermodehelper state information
* Wed Jan 27 2021 Fedora Release Engineering - 3.14.7-16- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
* Fri Jan 22 2021 Petr Lautrbach - 3.14.7-15- Update specfile to not verify md5/size/mtime for active store files- Add /var/mnt equivalency to /mnt- Rebuild with SELinux userspace 3.2-rc1 release
* Fri Jan 08 2021 Zdenek Pytela - 3.14.7-14- Allow domain read usermodehelper state information- Remove all kernel_read_usermodehelper_state() interface calls- .copr: improve timestamp format- Allow wireshark create and use rdma socket- Allow domain stat /proc filesystem- Remove all kernel_getattr_proc() interface calls- Revert \"Allow passwd to get attributes in proc_t\"- Revert \"Allow dovecot_auth_t stat /proc filesystem\"- Revert \"Allow sssd, unix_chkpwd, groupadd stat /proc filesystem\"- Allow sssd read /run/systemd directory- Label /dev/vhost-vdpa-[0-9]+ as vhost_device_t
* Thu Dec 17 2020 Zdenek Pytela - 3.14.7-13- Label /dev/isst_interface as cpu_device_t- Dontaudit firewalld dac_override capability- Allow ipsec set the context of a SPD entry to the default context- Build binary RPMs in CI- Add SRPM build scripts for COPR
* Tue Dec 15 2020 Zdenek Pytela - 3.14.7-12- Allow dovecot_auth_t stat /proc filesystem- Allow sysadm_u user and unconfined_domain_type manage perf_events- Allow pcp-pmcd manage perf_events- Add manage_perf_event_perms object permissions set- Add perf_event access vectors.- Allow sssd, unix_chkpwd, groupadd stat /proc filesystem- Allow stub-resolv.conf to be a symlink- sysnetwork.if: avoid directly referencing systemd_resolved_var_run_t- Create the systemd_dbus_chat_resolved() compatibility interface- Allow nsswitch-domain write to systemd-resolved PID socket files- Add systemd_resolved_write_pid_sock_files() interface- Add default file context for \"/var/run/chrony-dhcp(/.
*)?\"- Allow timedatex dbus chat with cron system domain- Add cron_dbus_chat_system_job() interface- Allow systemd-logind manage init\'s pid files
* Wed Dec 09 2020 Zdenek Pytela - 3.14.7-11- Allow systemd-logind manage init\'s pid files- Allow tcsd the setgid capability- Allow systemd-resolved manage its private runtime symlinks- Update systemd_resolved_read_pid() to also read symlinks- Update systemd-sleep policy- Add groupadd_t fowner capability- Migrate to GitHub Actions- Update README.md to reflect the state after contrib and base merge- Add README.md announcing merging of selinux-policy and selinux-policy-contrib- Adapt .travis.yml to contrib merge- Merge contrib into the main repo- Prepare to merge contrib repo- Move stuff around to match the main repo
* Thu Nov 26 2020 Zdenek Pytela - 3.14.7-10- Allow Xephyr connect to 6000/tcp port and open user ptys- Allow kexec manage generic tmp files- Update targetd nfs & lvm- Add interface rpc_manage_exports- Merge selinux-policy and selinux-policy-contrib repos
* Tue Nov 24 2020 Zdenek Pytela - 3.14.7-9- Allow varnish map its private tmp files- Allow dovecot bind to smtp ports- Change fetchmail temporary files path to /var/spool/mail- Allow cups_pdf_t domain to communicate with unix_dgram_socket- Set file context for symlinks in /etc/httpd to etc_t- Allow rpmdb rw access to inherited console, ttys, and ptys- Allow dnsmasq read public files- Announce merging of selinux-policy and selinux-policy-contrib- Label /etc/resolv.conf as net_conf_t only if it is a plain file- Fix range for unreserved ports- Add files_search_non_security_dirs() interface- Introduce logging_syslogd_append_public_content tunable- Add miscfiles_append_public_files() interface
* Fri Nov 13 2020 Zdenek Pytela - 3.14.7-8- Set correct default file context for /usr/libexec/pcp/lib/
*- Introduce rpmdb_t type- Allow slapd manage files/dirs in ldap certificates directory- Revert \"Allow certmonger add new entries in a generic certificates directory\"- Allow certmonger add new entries in a generic certificates directory- Allow slapd add new entries in ldap certificates directory- Remove retired PCP pmwebd and pmmgr daemons (since 5.0)- Let keepalived bind a raw socket- Add default file context for /usr/libexec/pcp/lib/
*- squid: Allow net_raw capability when squid_use_tproxy is enabled- systemd: allow networkd to check namespaces- Add ability to read init_var_run_t where fs_read_efivarfs_files is allowed- Allow resolved to created varlink sockets and the domain to talk to it- selinux: tweak selinux_get_enforce_mode() to allow status page to be used- systemd: allow all systemd services to check selinux status- Set default file context for /var/lib/ipsec/nss- Allow user domains transition to rpmdb_t- Revert \"Add miscfiles_add_entry_generic_cert_dirs() interface\"- Revert \"Add miscfiles_create_generic_cert_dirs() interface\"- Update miscfiles_manage_all_certs() to include managing directories- Add miscfiles_create_generic_cert_dirs() interface- Add miscfiles_add_entry_generic_cert_dirs() interface- Revert \"Label /var/run/zincati/public/motd.d/
* as motd_var_run_t\"
* Tue Nov 03 2020 Petr Lautrbach - 3.14.7-7- Rebuild with latest libsepol- Bump policy version to 33
* Thu Oct 22 2020 Zdenek Pytela - 3.14.7-6- rpc.fc: Include /etc/exports.d dir & files- Create chronyd_pid_filetrans() interface- Change invalid type redisd_t to redis_t in redis_stream_connect()- Revert \"Removed adding to attribute unpriv_userdomain from userdom_unpriv_type template\"- Allow init dbus chat with kernel- Allow initrc_t create /run/chronyd-dhcp directory with a transition- Drop gcc from dependencies in Travis CI- fc_sort.py: Use \"==\" for comparing integers.- re-implement fc_sort in python- Remove invalid file context line- Drop git from dependencies in Travis CI
* Tue Oct 06 2020 Zdenek Pytela - 3.14.7-5- Remove empty line from rshd.fc- Allow systemd-logind read swap files- Add fstools_read_swap_files() interface- Allow dyntransition from sshd_t to unconfined_t- Removed adding to attribute unpriv_userdomain from userdom_unpriv_type template
* Fri Sep 25 2020 Zdenek Pytela - 3.14.7-4- Allow chronyd_t to accept and make NTS-KE connections- Allow domain write to an automount unnamed pipe- Label /var/run/zincati/public/motd.d/
* as motd_var_run_t- Allow login programs to (only) read MOTD files and symlinks- Relabel /usr/sbin/charon-systemd as ipsec_exec_t- Confine systemd-sleep service- Add fstools_rw_swap_files() interface- Label 4460/tcp port as ntske_port_t- Add lvm_dbus_send_msg(), lvm_rw_var_run() interfaces
* Mon Sep 21 2020 Zdenek Pytela - 3.14.7-3- Check out the right -contrib branch in Travis
* Fri Sep 18 2020 Zdenek Pytela - 3.14.7-2- Allow openvswitch fowner capability and create netlink sockets- Allow additional permissions for gnome-initial-setup- Add to map non_security_files to the userdom_admin_user_template template- kernel/filesystem: Add exfat support (no extended attributes)
* Tue Sep 08 2020 Zdenek Pytela - 3.14.7-1- Bump version as Fedora 33 has been branched- Allow php-fpm write access to /var/run/redis/redis.sock- Allow journalctl to read and write to inherited user domain tty- Update rkt policy to allow rkt_t domain to read sysfs filesystem- Allow arpwatch create and use rdma socket- Allow plymouth sys_chroot capability- Allow gnome-initial-setup execute in a xdm sandbox- Add new devices and filesystem interfaces
* Mon Aug 24 2020 Zdenek Pytela - 3.14.6-25- Allow certmonger fowner capability- The nfsdcld service is now confined by SELinux- Change transitions for ~/.config/Yubico- Allow all users to connect to systemd-userdbd with a unix socket- Add file context for ~/.config/Yubico- Allow syslogd_t domain to read/write tmpfs systemd-bootchart files- Allow login_pgm attribute to get attributes in proc_t- Allow passwd to get attributes in proc_t- Revert \"Allow passwd to get attributes in proc_t\"- Revert \"Allow login_pgm attribute to get attributes in proc_t\"- Allow login_pgm attribute to get attributes in proc_t- Allow passwd to get attributes in proc_t- Allow traceroute_t and ping_t to bind generic nodes.- Create macro corenet_icmp_bind_generic_node()- Allow unconfined_t to node_bind icmp_sockets in node_t domain
* Thu Aug 13 2020 Zdenek Pytela - 3.14.6-24- Add ipa_helper_noatsecure() interface unconditionally- Conditionally allow nagios_plugin_domain dbus chat with init- Revert \"Update allow rules set for nrpe_t domain\"- Add ipa_helper_noatsecure() interface to ipa.if- Label /usr/libexec/qemu-pr-helper with virtd_exec_t- Allow kadmind manage kerberos host rcache- Allow nsswitch_domain to connect to systemd-machined using a unix socket- Define named file transition for sshd on /tmp/krb5_0.rcache2- Allow systemd-machined create userdbd runtime sock files- Disable kdbus module before updating
* Mon Aug 03 2020 Zdenek Pytela - 3.14.6-23- Revert \"Add support for /sys/fs/kdbus and allow login_pgm domain to access it.\"- Revert \"Add interface to allow types to associate with cgroup filesystems\"- Revert \"kdbusfs should not be accessible for now.\"- Revert \"kdbusfs should not be accessible for now by default for shipped policies. It should be moved to kdbus.pp\"- Revert \"Add kdbus.pp policy to allow access /sys/fs/kdbus. It needs to go with own module because this is workaround for now to avoid SELinux in enforcing mode.\"- Remove the legacy kdbus module- Remove \"kdbus = module\" from modules-targeted-base.conf
* Thu Jul 30 2020 Zdenek Pytela - 3.14.6-22- Allow virtlockd only getattr and lock block devices- Allow qemu-ga read all non security file types conditionally- Allow virtlockd manage VMs posix file locks- Allow smbd get attributes of device files labeled samba_share_t- Label /tmp/krb5_0.rcache2 with krb5_host_rcache_t- Add a new httpd_can_manage_courier_spool boolean- Create interface courier_manage_spool_sockets() in courier policy to allow to search dir and allow manage sock files- Revert \"Allow qemu-kvm read and write /dev/mapper/control\"- Revert \"Allow qemu read and write /dev/mapper/control\"- Revert \"Dontaudit and disallow sys_admin capability for keepalived_t domain\"- Dontaudit pcscd_t setting its process scheduling- Dontaudit thumb_t setting its process scheduling- Allow munin domain transition with NoNewPrivileges- Add dev_lock_all_blk_files() interface- Allow auditd manage kerberos host rcache files- Allow systemd-logind dbus chat with fwupd
* Wed Jul 29 2020 Fedora Release Engineering - 3.14.6-21- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
* Mon Jul 13 2020 Lukas Vrabec - 3.14.6-20- Align gen_tunable() syntax with sepolgen
* Fri Jul 10 2020 Zdenek Pytela - 3.14.6-19- Additional support for keepalived running in a namespace- Remove systemd_dbus_chat_resolved(pcp_pmie_t)- virt: remove the libvirt qmf rules- Allow certmonger manage dirsrv services- Run ipa_helper_noatsecure(oddjob_t) only if the interface exists- Allow domain dbus chat with systemd-resolved- Define file context for /var/run/netns directory only- Revert \"Add support for fuse.glusterfs\"
* Tue Jul 07 2020 Zdenek Pytela - 3.14.6-18- Allow oddjob_t process noatsecure permission for ipa_helper_t- Allow keepalived manage its private type runtime directories- Update irqbalance runtime directory file context- Allow irqbalance file transition for pid sock_files and directories- Allow systemd_private_tmp(dirsrv_tmp_t) instead of dirsrv_t- Allow virtlogd_t manage virt lib files- Allow systemd set efivarfs files attributes- Support systemctl --user in machinectl- Allow chkpwd_t read and write systemd-machined devpts character nodes- Allow init_t write to inherited systemd-logind sessions pipes
* Fri Jun 26 2020 Zdenek Pytela - 3.14.6-17- Allow pdns server to read system state- Allow irqbalance nnp_transition- Fix description tag for the sssd_connect_all_unreserved_ports tunable- Allow journalctl process set its resource limits- Add sssd_access_kernel_keys tunable to conditionally access kernel keys- Make keepalived work with network namespaces- Create sssd_connect_all_unreserved_ports boolean- Allow hypervkvpd to request kernel to load a module- Allow systemd_private_tmp(dirsrv_tmp_t)- Allow microcode_ctl get attributes of sysfs directories- Remove duplicate files_dontaudit_list_tmp(radiusd_t) line- Allow radiusd connect to gssproxy over unix domain stream socket- Add fwupd_cache_t file context for \'/var/cache/fwupd(/.
*)?\'- Allow qemu read and write /dev/mapper/control- Allow tlp_t can_exec() tlp_exec_t- Dontaudit vpnc_t setting its process scheduling- Remove files_mmap_usr_files() call for particular domains- Allow dirsrv_t list cgroup directories- Crete the kerberos_write_kadmind_tmp_files() interface- Allow realmd_t dbus chat with accountsd_t- Label systemd-growfs and systemd-makefs as fsadm_exec_t- Allow staff_u and user_u setattr generic usb devices- Allow sysadm_t dbus chat with accountsd- Modify kernel_rw_key() not to include append permission- Add kernel_rw_key() interface to access to kernel keyrings- Modify systemd_delete_private_tmp() to use delete_
*_pattern macros- Allow systemd-modules to load kernel modules- Add cachefiles_dev_t as a typealias to cachefiles_device_t- Allow libkrb5 lib read client keytabs- Allow domain mmap usr_t files- Remove files_mmap_usr_files() call for systemd domains- Allow sshd write to kadmind temporary files- Do not audit staff_t and user_t attempts to manage boot_t entries- Add files_dontaudit_manage_boot_dirs() interface- Allow systemd-tty-ask-password-agent read efivarfs files
* Thu Jun 25 2020 Adam Williamson - 3.14.6-16- Fix scriptlets when /etc/selinux/config does not exist
* Thu Jun 04 2020 Zdenek Pytela - 3.14.6-15- Add fetchmail_uidl_cache_t type for /var/mail/.fetchmail.pid- Support multiple ways of tlp invocation- Allow qemu-kvm read and write /dev/mapper/control- Introduce logrotate_use_cifs boolean- Allow ptp4l_t sys_admin capability to run bpf programs- Allow to getattr files on an nsfs filesystem- httpd: Allow NoNewPriv transition from systemd- Allow rhsmd read process state of all domains and kernel threads- Allow rhsmd mmap /etc/passwd- Allow systemd-logind manage efivarfs files- Allow initrc_t tlp_filetrans_named_content()- Allow systemd_resolved_t to read efivarfs- Allow systemd_modules_load_t to read efivarfs- Introduce systemd_read_efivarfs_type attribute- Allow named transition for /run/tlp from a user shell- Allow ipsec_mgmt_t mmap ipsec_conf_file_t files- Add file context for /sys/kernel/tracing
* Tue May 19 2020 Zdenek Pytela - 3.14.6-14- Allow chronyc_t domain to use nsswitch- Allow nscd_socket_use() for domains in nscd_use() unconditionally- Add allow rules for lttng-sessiond domain- Label dirsrv systemd unit files and add dirsrv_systemctl()- Allow gluster geo-replication in rsync mode- Allow nagios_plugin_domain execute programs in bin directories- Allow sys_admin capability for domain labeled systemd_bootchart_t- Split the arping path regexp to 2 lines to prevent from relabeling- Allow tcpdump sniffing offloaded (RDMA) traffic- Revert \"Change arping path regexp to work around fixfiles incorrect handling\"- Change arping path regexp to work around fixfiles incorrect handling- Allow read efivarfs_t files by domains executing systemctl file
* Wed Apr 29 2020 Zdenek Pytela - 3.14.6-13- Update networkmanager_read_pid_files() to allow also list_dir_perms- Update policy for NetworkManager_ssh_t- Allow glusterd synchronize between master and slave- Allow spamc_t domain to read network state- Allow strongswan use tun/tap devices and keys- Allow systemd_userdbd_t domain logging to journal
* Tue Apr 14 2020 Zdenek Pytela - 3.14.6-12- Allow rngd create netlink_kobject_uevent_socket and read udev runtime files- Allow ssh-keygen create file in /var/lib/glusterd- Update ctdbd_manage_lib_files() to also allow mmap ctdbd_var_lib_t files- Merge ipa and ipa_custodia modules- Allow NetworkManager_ssh_t to execute_no_trans for binary ssh_exec_t- Introduce daemons_dontaudit_scheduling boolean- Modify path for arping in netutils.fc to match both bin and sbin- Change file context for /var/run/pam_ssh to match file transition- Add file context entry and file transition for /var/run/pam_timestamp
  
ICM