Changelog for selinux-policy-37.23-1.fc37.noarch.rpm:

* Tue Oct 17 2023 Zdenek Pytela - 37.23-1
- Allow apcupsd cgi scripts read /sys
- Allow named and ndc the io_uring sqpoll permission
- Allow sssd io_uring sqpoll permission

* Thu Jun 29 2023 Zdenek Pytela - 37.22-1
- Allow exim read network sysctls
- Allow kernel to manage its own BPF objects
- Allow plymouthd read/write X server miscellaneous devices
- Allow blueman send general signals to unprivileged user domains
- Allow logwatch_mail_t read network sysctls

* Mon May 15 2023 Zdenek Pytela - 37.21-2
- Trim changelog so that it starts at F36 time

* Mon May 15 2023 Zdenek Pytela - 37.21-1
- Allow rpmdb_migrate execute rpmdb
- Allow logrotate dbus chat with systemd-hostnamed
- Allow modemmanager create hardware state information files
- Allow ModemManager all permissions for netlink route socket
- Add journalctl the sys_resource capability

* Wed Apr 26 2023 Zdenek Pytela - 37.20-1
- Allow mongodb read filesystem sysctls
- Allow mongodb read network sysctls
- Allow blueman watch generic device dirs
- Allow nm-dispatcher tlp plugin create tlp dirs
- Allow systemd-coredump mounton /usr
- Allow system_cronjob_t transition to rpm_script_t
- Revert "Allow system_cronjob_t domtrans to rpm_script_t"
- Allow systemd-resolved send a datagram to journald

* Fri Feb 03 2023 Zdenek Pytela - 37.19-1
- Allow systemd-userdbd the sys_resource capability
- Additional support for rpmdb_migrate
- Allow nm-cloud-setup dispatcher plugin restart nm services
- Dontaudit ftpd the execmem permission
- Allow icecast rename its log files
- Allow systemd-rfkill the bpf capability

* Mon Jan 16 2023 Zdenek Pytela - 37.18-1
- Allow apcupsd dbus chat with systemd-logind
- Allow nut_domain manage also files and sock_files in /var/run
- Label /usr/lib/rpm/rpmdb_migrate with rpmdb_exec_t
- Allow tlp read generic SSL certificates
- Allow systemd-resolved watch tmpfs directories
- Revert "Allow systemd-resolved watch tmpfs directories"
- Allow stalld to read /sys/kernel/security/lockdown file
* Mon Dec 19 2022 Zdenek Pytela - 37.17-1
- Allow gpsd the sys_ptrace userns capability
- Introduce gpsd_tmp_t for sockfiles managed by gpsd_t
- Allow ndc read hardware state information
- Allow journalctl relabel with var_log_t and syslogd_var_run_t files
- Allow systemd-resolved watch tmpfs directories
- Allow systemd-timedated watch init runtime dir
- Dontaudit virtlogd and dnsmasq execmem
- Do not run restorecon /etc/NetworkManager/dispatcher.d in targeted
- Trim changelog so that it starts at F35 time
* Tue Dec 06 2022 Zdenek Pytela - 37.16-1
- Reuse tmpfs_t also for the ramfs filesystem
- Allow spamc read hardware state information files
- Dontaudit systemd-gpt-generator the sys_admin capability
- Allow syslogd read network sysctls

* Wed Nov 23 2022 Zdenek Pytela - 37.15-1
- Revert "Allow sysadm_t read raw memory devices"
- Allow systemd-socket-proxyd get attributes of cgroup filesystems
- Allow rpc.gssd read network sysctls
- Allow winbind-rpcd get attributes of device and pty filesystems
- Allow insights-client domain transition on semanage execution
- Allow insights-client create gluster log dir with a transition
- Allow insights-client manage generic locks
- Allow insights-client unix_read all domain semaphores
- Add domain_unix_read_all_semaphores() interface
- Allow winbind-rpcd use the terminal multiplexor
- Allow mrtg send mails
- Allow systemd-hostnamed dbus chat with init scripts
- Allow sssd dbus chat with system cronjobs
- Add interface to watch all filesystems
- Add watch_sb interfaces
- Add watch interfaces
- Allow dhcpd bpf capability to run bpf programs
- Allow netutils and traceroute bpf capability to run bpf programs
- Allow pkcs_slotd_t bpf capability to run bpf programs
- Allow xdm bpf capability to run bpf programs
- Allow pcscd bpf capability to run bpf programs
- Allow lldpad bpf capability to run bpf programs
- Allow keepalived bpf capability to run bpf programs
- Allow ipsec bpf capability to run bpf programs
- Allow fprintd bpf capability to run bpf programs
- Allow systemd-socket-proxyd get filesystems attributes
- Allow dirsrv_snmp_t to manage dirsrv_config_t & dirsrv_var_run_t files

* Tue Nov 01 2022 Zdenek Pytela - 37.14-1
- Allow systemd-gpt-generator raw write to a fixed disk
- Allow rotatelogs read httpd_log_t symlinks
- Add winbind-rpcd to samba_enable_home_dirs boolean
- Allow system cronjobs dbus chat with setroubleshoot
- Allow setroubleshootd read device sysctls
- Allow virt_domain read device sysctls
- Allow rhcd compute selinux access vector
- Allow insights-client manage samba var dirs
- Label ports 10161-10162 tcp/udp with snmp
- Allow aide to connect to systemd_machined with a unix socket.
- Allow samba-dcerpcd use NSCD services over a unix stream socket
- Allow vlock search the contents of the /dev/pts directory
- Allow insights-client send null signal to rpm and system cronjob
- Label port 15354/tcp and 15354/udp with opendnssec
- Allow ftpd map ftpd_var_run files
- Allow targetclid to manage tmp files
- Allow insights-client connect to postgresql with a unix socket
- Allow insights-client domtrans on unix_chkpwd execution
- Add file context entries for insights-client and rhc
- Allow pulseaudio create gnome content (~/.config)
- Allow login_userdomain dbus chat with rhsmcertd
- Allow sbd the sys_ptrace capability
- Allow ptp4l_t name_bind ptp_event_port_t
* Mon Oct 03 2022 Zdenek Pytela - 37.13-1
- Remove the ipa module
- Allow sss daemons read/write unnamed pipes of cloud-init
- Allow postfix_mailqueue create and use unix dgram sockets
- Allow xdm watch user home directories
- Allow nm-dispatcher ddclient plugin load a kernel module
- Stop ignoring standalone interface files
- Drop cockpit module
- Allow init map its private tmp files
- Allow xenstored change its hard resource limits
- Allow system_mail_t read network sysctls
- Add bgpd sys_chroot capability
* Fri Sep 23 2022 Zdenek Pytela - 37.12-2
- Update file to use the f37 dist-git branch in F37

* Thu Sep 22 2022 Zdenek Pytela - 37.12-1
- nut-upsd: kernel_read_system_state, fs_getattr_cgroup
- Add numad the ipc_owner capability
- Allow gst-plugin-scanner read virtual memory sysctls
- Allow init read/write inherited user fifo files
- Update dnssec-trigger policy: setsched, module_request
- added policy for systemd-socket-proxyd
- Add the new 'cmd' permission to the 'io_uring' class
- Allow winbind-rpcd read and write its key ring
- Label /run/NetworkManager/no-stub-resolv.conf net_conf_t
- blueman-mechanism can read ~/.local/lib/python*/site-packages directory
- pidof executed by abrt can readlink /proc/*/exe
- Fix typo in comment
- Do not run restorecon /etc/NetworkManager/dispatcher.d in mls and minimum

* Wed Sep 14 2022 Zdenek Pytela - 37.11-1
- Allow tor get filesystem attributes
- Allow utempter append to login_userdomain stream
- Allow login_userdomain accept a stream connection to XDM
- Allow login_userdomain write to boltd named pipes
- Allow staff_u and user_u users write to bolt pipe
- Allow login_userdomain watch various directories
- Update rhcd policy for executing additional commands 5
- Update rhcd policy for executing additional commands 4
- Allow rhcd create rpm hawkey logs with correct label
- Allow systemd-gpt-auto-generator to check for empty dirs
- Update rhcd policy for executing additional commands 3
- Allow journalctl read rhcd fifo files
- Update insights-client policy for additional commands execution 5
- Allow init remount all file_type filesystems
- Confine insights-client systemd unit
- Update insights-client policy for additional commands execution 4
- Allow pcp pmcd search tracefs and acct_data dirs
- Allow httpd read network sysctls
- Dontaudit domain map permission on directories
- Revert "Allow X userdomains to mmap user_fonts_cache_t dirs"
- Revert "Allow xdm_t domain to mmap /var/lib/gdm/.cache/fontconfig BZ(1725509)"
- Update insights-client policy for additional commands execution 3
- Allow systemd permissions needed for sandboxed services
- Add rhcd module
- Make dependency on rpm-plugin-selinux unordered

* Fri Sep 02 2022 Zdenek Pytela - 37.10-1
- Allow ipsec_t read/write tpm devices
- Allow rhcd execute all executables
- Update rhcd policy for executing additional commands 2
- Update insights-client policy for additional commands execution 2
- Allow sysadm_t read raw memory devices
- Allow chronyd send and receive chronyd/ntp client packets
- Allow ssh client read kerberos homedir config files
- Label /var/log/rhc-worker-playbook with rhcd_var_log_t
- Update insights-client policy (auditctl, gpg, journal)
- Allow system_cronjob_t domtrans to rpm_script_t
- Allow smbd_t process noatsecure permission for winbind_rpcd_t
- Update tor_bind_all_unreserved_ports interface
- Allow chronyd bind UDP sockets to ptp_event ports.
- Allow unconfined and sysadm users transition for /root/.gnupg
- Add gpg_filetrans_admin_home_content() interface
- Update rhcd policy for executing additional commands
- Update insights-client policy for additional commands execution
- Add userdom_view_all_users_keys() interface
- Allow gpg read and write generic pty type
- Allow chronyc read and write generic pty type
- Allow system_dbusd ioctl kernel with a unix stream sockets
- Allow samba-bgqd to read a printer list
- Allow stalld get and set scheduling policy of all domains.
- Allow unconfined_t transition to targetclid_home_t

* Thu Aug 11 2022 Zdenek Pytela - 37.9-1
- Allow nm-dispatcher custom plugin dbus chat with nm
- Allow nm-dispatcher sendmail plugin get status of systemd services
- Allow xdm read the kernel key ring
- Allow login_userdomain check status of mount units
- Allow postfix/smtp and postfix/virtual read kerberos key table
- Allow services execute systemd-notify
- Do not allow login_userdomain use sd_notify()
- Allow launch-xenstored read filesystem sysctls
- Allow systemd-modules-load write to /dev/kmsg and send a message to syslogd
- Allow openvswitch fsetid capability
- Allow openvswitch use its private tmpfs files and dirs
- Allow openvswitch search tracefs dirs
- Allow pmdalinux read files on an nfsd filesystem
- Allow winbind-rpcd write to winbind pid files
- Allow networkmanager to signal unconfined process
- Allow systemd_hostnamed label /run/systemd/* as hostnamed_etc_t
- Allow samba-bgqd get a printer list
- fix(init.fc): Fix section description
- Allow fedora-third-party read the passwords file
- Remove permissive domain for rhcd_t
- Allow pmie read network state information and network sysctls
- Revert "Dontaudit domain the fowner capability"
- Allow sysadm_t to run bpftool on the userdomain attribute
- Add the userdom_prog_run_bpf_userdomain() interface
- Allow insights-client rpm named file transitions
- Add /var/tmp/insights-archive to insights_client_filetrans_named_content

* Mon Aug 01 2022 Zdenek Pytela - 37.8-1
- Allow sa-update to get init status and start systemd files
- Use insights_client_filetrans_named_content
- Make default file context match with named transitions
- Allow nm-dispatcher tlp plugin send system log messages
- Allow nm-dispatcher tlp plugin create and use unix_dgram_socket
- Add permissions to manage lnk_files into gnome_manage_home_config
- Allow rhsmcertd to read insights config files
- Label /etc/insights-client/machine-id
- fix(devices.fc): Replace single quote in comment to solve parsing issues
- Make NetworkManager_dispatcher_custom_t an unconfined domain

* Sat Jul 23 2022 Fedora Release Engineering - 37.7-2
- Rebuilt for

* Thu Jul 14 2022 Zdenek Pytela - 37.7-1
- Update winbind_rpcd_t
- Allow some domains use sd_notify()
- Revert "Allow rabbitmq to use systemd notify"
- fix( Fix syntax warning: "is not" with a literal
- Allow nm-dispatcher console plugin manage etc files
- Allow networkmanager_dispatcher_plugin list NetworkManager_etc_t dirs
- Allow nm-dispatcher console plugin setfscreate
- Support using systemd-update-helper in rpm scriptlets
- Allow nm-dispatcher winbind plugin read samba config files
- Allow domain use userfaultfd over all domains
- Allow cups-lpd read network sysctls

* Wed Jun 29 2022 Zdenek Pytela - 37.6-1
- Allow stalld set scheduling policy of kernel threads
- Allow targetclid read /var/target files
- Allow targetclid read generic SSL certificates (fixed)
- Allow firewalld read the contents of the sysfs filesystem
- Fix file context pattern for /var/target
- Use insights_client_etc_t in insights_search_config()
- Allow nm-dispatcher ddclient plugin handle systemd services
- Allow nm-dispatcher winbind plugin run smbcontrol
- Allow nm-dispatcher custom plugin create and use unix dgram socket
- Update samba-dcerpcd policy for kerberos usage 2
- Allow keepalived read the contents of the sysfs filesystem
- Allow amandad read network sysctls
- Allow cups-lpd read network sysctls
- Allow kpropd read network sysctls
- Update insights_client_filetrans_named_content()
- Allow rabbitmq to use systemd notify
- Label /var/target with targetd_var_t
- Allow targetclid read generic SSL certificates
- Update rhcd policy
- Allow rhcd search insights configuration directories
- Add the kernel_read_proc_files() interface
- Require policycoreutils >= 3.4-1
- Add a script for enclosing interfaces in ifndef statements
- Disable rpm verification on interface_info

* Wed Jun 22 2022 Zdenek Pytela - 37.5-1
- Allow transition to insights_client named content
- Add the insights_client_filetrans_named_content() interface
- Update policy for insights-client to run additional commands 3
- Allow dhclient manage pid files used by chronyd
- Allow stalld get scheduling policy of kernel threads
- Allow samba-dcerpcd work with sssd
- Allow dlm_controld send a null signal to a cluster daemon
- Allow ksmctl create hardware state information files
- Allow winbind_rpcd_t connect to self over a unix_stream_socket
- Update samba-dcerpcd policy for kerberos usage
- Allow insights-client execute its private memfd: objects
- Update policy for insights-client to run additional commands 2
- Use insights_client_tmp_t instead of insights_client_var_tmp_t
- Change space indentation to tab in insights-client
- Use socket permissions sets in insights-client
- Update policy for insights-client to run additional commands
- Change rpm_setattr_db_files() to use a pattern
- Allow init_t to rw insights_client unnamed pipe
- Add rpm setattr db files macro
- Fix insights client
- Update kernel_read_unix_sysctls() for sysctl_net_unix_t handling
- Allow rabbitmq to access its private memfd: objects
- Update policy for samba-dcerpcd
- Allow stalld setsched and sys_nice

* Tue Jun 07 2022 Zdenek Pytela - 37.4-1
- Allow auditd_t noatsecure for a transition to audisp_remote_t
- Allow ctdbd nlmsg_read on netlink_tcpdiag_socket
- Allow pcp_domain execute its private memfd: objects
- Add support for samba-dcerpcd
- Add policy for wireguard
- Confine targetcli
- Allow systemd work with install_t unix stream sockets
- Allow iscsid the sys_ptrace userns capability
- Allow xdm connect to unconfined_service_t over a unix stream socket

* Fri May 27 2022 Zdenek Pytela - 37.3-1
- Allow nm-dispatcher custom plugin execute systemctl
- Allow nm-dispatcher custom plugin dbus chat with nm
- Allow nm-dispatcher custom plugin create and use udp socket
- Allow nm-dispatcher custom plugin create and use netlink_route_socket
- Use create_netlink_socket_perms in netlink_route_socket class permissions
- Add support for nm-dispatcher sendmail scripts
- Allow sslh net_admin capability
- Allow insights-client manage gpg admin home content
- Add the gpg_manage_admin_home_content() interface
- Allow rhsmcertd create generic log files
- Update logging_create_generic_logs() to use create_files_pattern()
- Label /var/cache/insights with insights_client_cache_t
- Allow insights-client search gconf homedir
- Allow insights-client create and use unix_dgram_socket
- Allow blueman execute its private memfd: files
- Move the chown call into

* Fri May 06 2022 Zdenek Pytela - 37.2-1
- Use the networkmanager_dispatcher_plugin attribute in allow rules
- Make a custom nm-dispatcher plugin transition
- Label port 4784/tcp and 4784/udp with bfd_multi
- Allow systemd watch and watch_reads user ptys
- Allow sblim-gatherd the kill capability
- Label more vdsm utils with virtd_exec_t
- Add ksm service to ksmtuned
- Add rhcd policy
- Dontaudit guest attempts to dbus chat with systemd domains
- Dontaudit guest attempts to dbus chat with system bus types
- Use a named transition in systemd_hwdb_manage_config()
- Add default fc specifications for patterns in /opt
- Add the files_create_etc_files() interface
- Allow nm-dispatcher console plugin create and write files in /etc
- Allow nm-dispatcher console plugin transition to the setfiles domain
- Allow more nm-dispatcher plugins append to init stream sockets
- Allow nm-dispatcher tlp plugin dbus chat with nm
- Reorder networkmanager_dispatcher_plugin_template() calls
- Allow svirt connectto virtlogd
- Allow blueman map its private memfd: files
- Allow sysadm user execute init scripts with a transition
- Allow sblim-sfcbd connect to sblim-reposd stream
- Allow keepalived_unconfined_script_t dbus chat with init
- Run restorecon with "-i" not to report errors

* Mon May 02 2022 Zdenek Pytela - 37.1-1
- Fix users for SELinux userspace 3.4
- Label /var/run/machine-id as machineid_t
- Add stalld to modules.conf
- Use files_tmpfs_file() for rhsmcertd_tmpfs_t
- Allow blueman read/write its private memfd: objects
- Allow insights-client read rhnsd config files
- Allow insights-client create_socket_perms for tcp/udp sockets

* Tue Apr 26 2022 Zdenek Pytela - 36.8-1
- Allow nm-dispatcher chronyc plugin append to init stream sockets
- Allow tmpreaper the sys_ptrace userns capability
- Label /usr/libexec/vdsm/supervdsmd and vdsmd with virtd_exec_t
- Allow nm-dispatcher tlp plugin read/write the wireless device
- Allow nm-dispatcher tlp plugin append to init socket
- Allow nm-dispatcher tlp plugin be client of a system bus
- Allow nm-dispatcher list its configuration directory
- Ecryptfs-private support
- Allow colord map /var/lib directories
- Allow ntlm_auth read the network state information
- Allow insights-client search rhnsd configuration directory

* Thu Apr 21 2022 Zdenek Pytela - 36.7-3
- Add support for nm-dispatcher tlp-rdw scripts
- Update github actions to satisfy git 2.36 stricter rules
- New policy for stalld
- Allow colord read generic files in /var/lib
- Allow xdm mounton user temporary socket files
- Allow systemd-gpt-auto-generator create and use netlink_kobject_uevent_socket
- Allow sssd domtrans to pkcs_slotd_t
- Allow keepalived setsched and sys_nice
- Allow xdm map generic files in /var/lib
- Allow xdm read generic symbolic links in /var/lib
- Allow pppd create a file in the locks directory
- Add file map permission to lpd_manage_spool() interface
- Allow system dbus daemon watch generic directories in /var/lib
- Allow pcscd the sys_ptrace userns capability
- Add the corecmd_watch_bin_dirs() interface

* Thu Apr 21 2022 Zdenek Pytela - 36.7-2
- Relabel explicitly some dirs in %posttrans scriptlets

* Thu Apr 21 2022 Zdenek Pytela - 36.7-1
- Add stalld module to modules-targeted-contrib.conf

* Mon Apr 04 2022 Zdenek Pytela - 36.6-1
- Add support for systemd-network-generator
- Add the io_uring class
- Allow nm-dispatcher dhclient plugin append to init stream sockets
- Relax the naming pattern for systemd private shared libraries
- Allow nm-dispatcher iscsid plugin append to init socket
- Add the init_append_stream_sockets() interface
- Allow nm-dispatcher dnssec-trigger script to execute pidof
- Add support for nm-dispatcher dnssec-trigger scripts
- Allow chronyd talk with unconfined user over unix domain dgram socket
- Allow fenced read kerberos key tables
- Add support for nm-dispatcher ddclient scripts
- Add systemd_getattr_generic_unit_files() interface
- Allow fprintd read and write hardware state information
- Allow exim watch generic certificate directories
- Remove duplicate fc entries for corosync and corosync-notifyd
- Label corosync-cfgtool with cluster_exec_t
- Allow qemu-kvm create and use netlink rdma sockets
- Allow logrotate a domain transition to cluster administrative domain

* Fri Mar 18 2022 Zdenek Pytela - 36.5-1
- Add support for nm-dispatcher console helper scripts
- Allow nm-dispatcher plugins read its directory and sysfs
- Do not let system_cronjob_t create redhat-access-insights.log with var_log_t
- devices: Add a comment about cardmgr_dev_t
- Add basic policy for BinderFS
- Label /var/run/ecblp0 pipe with cupsd_var_run_t
- Allow rpmdb create directory in /usr/lib/sysimage
- Allow rngd drop privileges via setuid/setgid/setcap
- Allow init watch and watch_reads user ttys
- Allow systemd-logind dbus chat with sosreport
- Allow chronyd send a message to sosreport over datagram socket
- Remove unnecessary /etc file transitions for insights-client
- Label all content in /var/lib/insights with insights_client_var_lib_t
- Update insights-client policy

* Wed Feb 23 2022 Zdenek Pytela - 36.4-2
- Add insights_client module to modules-targeted-contrib.conf

* Wed Feb 23 2022 Zdenek Pytela - 36.4-1
- Update NetworkManager-dispatcher cloud and chronyc policy
- Update insights-client: fc pattern, motd, writing to etc
- Allow systemd-sysctl read the security state information
- Allow init create and mounton to support PrivateDevices
- Allow sosreport dbus chat abrt systemd timedatex

* Tue Feb 22 2022 Zdenek Pytela - 36.3-2
- Update specfile to buildrequire policycoreutils-devel >= 3.3-4
- Add modules_checksum to %files

* Thu Feb 17 2022 Zdenek Pytela - 36.3-1
- Update NetworkManager-dispatcher policy to use scripts
- Allow init mounton kernel messages device
- Revert "Make dbus-broker service working on s390x arch"
- Remove permissive domain for insights_client_t
- Allow userdomain read symlinks in /var/lib
- Allow iptables list cgroup directories
- Dontaudit mdadm list dirsrv tmpfs dirs
- Dontaudit dirsrv search filesystem sysctl directories
- Allow chage domtrans to sssd
- Allow postfix_domain read dovecot certificates
- Allow systemd-networkd create and use netlink netfilter socket
- Allow nm-dispatcher read nm-dispatcher-script symlinks
- filesystem.te: add genfscon rule for ntfs3 filesystem
- Allow rhsmcertd get attributes of cgroup filesystems
- Allow sandbox_web_client_t watch various dirs
- Exclude container.if from policy devel files
- Run restorecon on /usr/lib/sysimage/rpm instead of /var/lib/rpm
* Fri Feb 11 2022 Zdenek Pytela - 36.2-1
- Allow sysadm_passwd_t to relabel passwd and group files
- Allow confined sysadmin to use tool vipw
- Allow login_userdomain map /var/lib/directories
- Allow login_userdomain watch library and fonts dirs
- Allow login_userdomain watch system configuration dirs
- Allow login_userdomain read systemd runtime files
- Allow ctdb create cluster logs
- Allow alsa bind mixer controls to led triggers
- New policy for insights-client
- Add mctp_socket security class and access vectors
- Fix koji repo URL pattern
- Update chronyd_pid_filetrans() to allow create dirs
- Update NetworkManager-dispatcher policy
- Allow unconfined to run virtd bpf
- Allow nm-privhelper setsched permission and send system logs
- Add the map permission to common_anon_inode_perm permission set
- Rename userfaultfd_anon_inode_perms to common_inode_perms
- Allow confined users to use kinit, klist and etc.
- Allow rhsmcertd create rpm hawkey logs with correct label
* Thu Feb 03 2022 Zdenek Pytela - 36.1-1
- Label exFAT utilities at /usr/sbin
- policy/modules/contrib: Support /usr/lib/sysimage/rpm as the rpmdb path
- Enable genfs_seclabel_symlinks policy capability
- Sync policy/policy_capabilities with refpolicy
- refpolicy: drop unused socket security classes
- Label new utility of NetworkManager nm-priv-helper
- Label NetworkManager-dispatcher service with separate context
- Allow sanlock get attributes of filesystems with extended attributes
- Associate stratisd_data_t with device filesystem
- Allow init read stratis data symlinks