Changelog for selinux-policy-doc-38.1.23-1.el9.noarch.rpm:
* Fri Aug 25 2023 Nikola Knazekova - 38.1.23-1
- Allow cups-pdf connect to the system log service
Resolves: rhbz#2234765
- Update policy for qatlib
Resolves: rhbz#2080443
* Thu Aug 24 2023 Nikola Knazekova - 38.1.22-1
- Allow qatlib to modify hardware state information.
Resolves: rhbz#2080443
- Update policy for fdo
Resolves: rhbz#2229722
- Allow gpsd, oddjob and oddjob_mkhomedir_t write user_tty_device_t chr_file
Resolves: rhbz#2223305
- Allow svirt to rw /dev/udmabuf
Resolves: rhbz#2223727
- Allow keepalived watch var_run dirs
Resolves: rhbz#2186759
* Thu Aug 17 2023 Nikola Knazekova - 38.1.21-1
- Allow logrotate_t to map generic files in /etc
Resolves: rhbz#2231257
- Allow insights-client manage user temporary files
Resolves: rhbz#2224737
- Make insights_client_t an unconfined domain
Resolves: rhbz#2225526
* Fri Aug 11 2023 Nikola Knazekova - 38.1.20-1
- Allow user_u and staff_u get attributes of non-security dirs
Resolves: rhbz#2215507
- Allow cloud_init create dhclient var files and init_t manage net_conf_t
Resolves: rhbz#2225418
- Allow samba-dcerpc service manage samba tmp files
Resolves: rhbz#2230365
- Update samba-dcerpc policy for printing
Resolves: rhbz#2230365
- Allow sysadm_t run kernel bpf programs
Resolves: rhbz#2229936
- allow mon_procd_t self:cap_userns sys_ptrace
Resolves: rhbz#2221986
- Remove nsplugin_role from mozilla.if
Resolves: rhbz#2221251
- Allow unconfined user filetrans chrome_sandbox_home_t
Resolves: rhbz#2187893
- Allow pdns name_bind and name_connect all ports
Resolves: rhbz#2047945
- Allow insights-client read and write cluster tmpfs files
Resolves: rhbz#2221631
- Allow ipsec read nsfs files
Resolves: rhbz#2230277
- Allow upsmon execute upsmon via a helper script
Resolves: rhbz#2228403
- Fix labeling for no-stub-resolv.conf
Resolves: rhbz#2148390
- Add use_nfs_home_dirs boolean for mozilla_plugin
Resolves: rhbz#2214298
- Change wording in /etc/selinux/config
Resolves: rhbz#2143153
* Thu Aug 03 2023 Nikola Knazekova - 38.1.19-1
- Allow qatlib to read sssd public files
Resolves: rhbz#2080443
- Fix location for /run/nsd
Resolves: rhbz#2181600
- Allow samba-rpcd work with passwords
Resolves: rhbz#2107092
- Allow rpcd_lsad setcap and use generic ptys
Resolves: rhbz#2107092
- Allow gpsd,oddjob,oddjob_mkhomedir rw user domain pty
Resolves: rhbz#2223305
- Allow keepalived to manage its tmp files
Resolves: rhbz#2179212
- Allow nscd watch system db dirs
Resolves: rhbz#2152124
* Fri Jul 21 2023 Nikola Knazekova - 38.1.18-1
- Boolean: Allow virt_qemu_ga create ssh directory
Resolves: rhbz#2181402
- Allow virt_qemu_ga_t create .ssh dir with correct label
Resolves: rhbz#2181402
- Set default ports for keylime policy
Resolves: RHEL-594
- Allow unconfined service inherit signal state from init
Resolves: rhbz#2186233
- Allow sa-update connect to systemlog services
Resolves: rhbz#2220643
- Allow sa-update manage spamc home files
Resolves: rhbz#2220643
- Label only /usr/sbin/ripd and ripngd with zebra_exec_t
Resolves: rhbz#2213605
- Add the files_getattr_non_auth_dirs() interface
Resolves: rhbz#2076933
- Update policy for the sblim-sfcb service
Resolves: rhbz#2076933
- Define equivalency for /run/systemd/generator.early
Resolves: rhbz#2213516
* Thu Jun 29 2023 Nikola Knazekova - 38.1.17-1
- Add the qatlib module
Resolves: rhbz#2080443
- Add the fdo module
Resolves: rhbz#2026795
- Add the booth module to modules.conf
Resolves: rhbz#2128833
* Thu Jun 29 2023 Nikola Knazekova - 38.1.16-1
- Remove permissive from fdo
Resolves: rhbz#2026795
- Add the qatlib module
Resolves: rhbz#2080443
- Add the fdo module
Resolves: rhbz#2026795
- Add the booth module to modules.conf
Resolves: rhbz#2128833
- Add policy for FIDO Device Onboard
Resolves: rhbz#2026795
- Create policy for qatlib
Resolves: rhbz#2080443
- Add policy for boothd
Resolves: rhbz#2128833
- Add list_dir_perms to kerberos_read_keytab
Resolves: rhbz#2112729
- Allow nsd_crond_t write nsd_var_run_t & connectto nsd_t
Resolves: rhbz#2209973
- Allow collectd_t read network state symlinks
Resolves: rhbz#2209650
- Revert "Allow collectd_t read proc_net link files"
Resolves: rhbz#2209650
- Allow insights-client execmem
Resolves: rhbz#2207894
- Label udf tools with fsadm_exec_t
Resolves: rhbz#2039774
* Thu Jun 15 2023 Zdenek Pytela - 38.1.15-1
- Add fs_delete_pstore_files() interface
Resolves: rhbz#2181565
- Add fs_read_pstore_files() interface
Resolves: rhbz#2181565
- Allow insights-client getsession process permission
Resolves: rhbz#2214581
- Allow insights-client work with pipe and socket tmp files
Resolves: rhbz#2214581
- Allow insights-client map generic log files
Resolves: rhbz#2214581
- Allow insights-client read unconfined service semaphores
Resolves: rhbz#2214581
- Allow insights-client get quotas of all filesystems
Resolves: rhbz#2214581
- Allow haproxy read hardware state information
Resolves: rhbz#2164691
- Allow cupsd dbus chat with xdm
Resolves: rhbz#2143641
- Allow dovecot_deliver_t create/map dovecot_spool_t dir/file
Resolves: rhbz#2165863
- Add none file context for polyinstantiated tmp dirs
Resolves: rhbz#2099194
- Add support for the systemd-pstore service
Resolves: rhbz#2181565
- Label /dev/userfaultfd with userfaultfd_t
Resolves: rhbz#2175290
- Allow collectd_t read proc_net link files
Resolves: rhbz#2209650
- Label smtpd with sendmail_exec_t
Resolves: rhbz#2213573
- Label msmtp and msmtpd with sendmail_exec_t
Resolves: rhbz#2213573
- Allow dovecot-deliver write to the main process runtime fifo files
Resolves: rhbz#2211787
- Allow subscription-manager execute ip
Resolves: rhbz#2211566
- Allow ftpd read network sysctls
Resolves: rhbz#2175856
* Fri May 26 2023 Nikola Knazekova - 38.1.14-1
- Allow firewalld rw ica_tmpfs_t files
Resolves: rhbz#2207487
- Add chromium_sandbox_t setcap capability
Resolves: rhbz#2187893
- Allow certmonger manage cluster library files
Resolves: rhbz#2179022
- Allow wireguard to rw network sysctls
Resolves: rhbz#2192154
- Label /usr/lib/systemd/system/proftpd.* & vsftpd.* with ftpd_unit_file_t
Resolves: rhbz#2188173
- Allow plymouthd_t bpf capability to run bpf programs
Resolves: rhbz#2184803
- Update pkcsslotd policy for sandboxing
Resolves: rhbz#2209235
- Allow unconfined_service_t to create .gnupg labeled as gpg_secret_t
Resolves: rhbz#2203201
* Thu May 18 2023 Nikola Knazekova - 38.1.13-1
- Allow insights-client work with teamdctl
Resolves: rhbz#2190178
- Allow virsh name_connect virt_port_t
Resolves: rhzb#2187290
- Allow cupsd to create samba_var_t files
Resolves: rhbz#2174445
- Allow dovecot to map files in /var/spool/dovecot
Resolves: rhbz#2165863
- Add tunable to allow squid bind snmp port
Resolves: rhbz#2151378
- Allow rhsmcert request the kernel to load a module
Resolves: rhbz#2203359
- Allow snmpd read raw disk data
Resolves: rhbz#2196528
* Fri Apr 14 2023 Nikola Knazekova - 38.1.12-1
- Allow cloud-init domain transition to insights-client domain
Resolves: rhbz#2162663
- Allow chronyd send a message to cloud-init over a datagram socket
Resolves: rhbz#2162663
- Allow dmidecode write to cloud-init tmp files
Resolves: rhbz#2162663
- Allow login_pgm setcap permission
Resolves: rhbz#2174331
- Allow tshark the setsched capability
Resolves: rhbz#2165634
- Allow chronyc read network sysctls
Resolves: rhbz#2173604
- Allow systemd-timedated watch init runtime dir
Resolves: rhbz#2175137
- Add journalctl the sys_resource capability
Resolves: rhbz#2153782
- Allow system_cronjob_t transition to rpm_script_t
Resolves: rhbz#2173685
- Revert "Allow system_cronjob_t domtrans to rpm_script_t"
Resolves: rhbz#2173685
- Allow insights-client tcp connect to all ports
Resolves: rhbz#2183083
- Allow insights-client work with su and lpstat
Resolves: rhbz#2183083
- Allow insights-client manage fsadm pid files
Resolves: rhbz#2183083
- Allow insights-client read all sysctls
Resolves: rhbz#2183083
- Allow rabbitmq to read network sysctls
Resolves: rhbz#2184999
* Tue Mar 28 2023 Nikola Knazekova - 38.1.11-2
- rebuilt
Resolves: rhbz#2172268
* Mon Mar 27 2023 Nikola Knazekova - 38.1.11-1
- Allow passt manage qemu pid sock files
Resolves: rhbz#2172268
- Exclude passt.if from selinux-policy-devel
Resolves: rhbz#2172268
* Fri Mar 24 2023 Nikola Knazekova - 38.1.10-1
- Add support for the passt_t domain
Resolves: rhbz#2172268
- Allow virtd_t and svirt_t work with passt
Resolves: rhbz#2172268
- Add new interfaces in the virt module
Resolves: rhbz#2172268
- Add passt interfaces defined conditionally
Resolves: rhbz#2172268
* Thu Mar 16 2023 Nikola Knazekova - 38.1.9-1
- Boolean: allow qemu-ga manage ssh home directory
Resolves: rhbz#2178612
- Allow wg load kernel modules, search debugfs dir
Resolves: rhbz#2176487
* Thu Feb 16 2023 Nikola Knazekova - 38.1.8-1
- Allow svirt to map svirt_image_t char files
Resolves: rhbz#2170482
- Fix opencryptoki file names in /dev/shm
Resolves: rhbz#2166283
* Wed Feb 15 2023 Nikola Knazekova - 38.1.7-1
- Allow staff_t getattr init pid chr & blk files and read krb5
Resolves: rhbz#2112729
- Allow firewalld to rw z90crypt device
Resolves: rhbz#2166877
- Allow httpd work with tokens in /dev/shm
Resolves: rhbz#2166283
* Thu Feb 09 2023 Nikola Knazekova - 38.1.6-1
- Allow modemmanager create hardware state information files
Resolves: rhbz#2149560
- Dontaudit ftpd the execmem permission
Resolves: rhbz#2164434
- Allow nm-dispatcher plugins read generic files in /proc
Resolves: rhbz#2164845
- Label systemd-journald feature LogNamespace
Resolves: rhbz#2124797
- Boolean: allow qemu-ga read ssh home directory
Resolves: rhbz#1917024
* Thu Jan 26 2023 Nikola Knazekova - 38.1.5-1
- Reuse tmpfs_t also for the ramfs filesystem
Resolves: rhbz#2160391
- Allow systemd-resolved watch tmpfs directories
Resolves: rhbz#2160391
- Allow hostname_t to read network sysctls.
Resolves: rhbz#2161958
- Allow ModemManager all permissions for netlink route socket
Resolves: rhbz#2149560
- Allow unconfined user filetransition for sudo log files
Resolves: rhbz#2160388
- Allow sudodomain use sudo.log as a logfile
Resolves: rhbz#2160388
- Allow nm-cloud-setup dispatcher plugin restart nm services
Resolves: rhbz#2154414
- Allow wg to send msg to kernel, write to syslog and dbus connections
Resolves: rhbz#2149452
- Allow rshim bpf cap2 and read sssd public files
Resolves: rhbz#2080439
- Allow svirt request the kernel to load a module
Resolves: rhbz#2144735
- Rebase selinux-policy to the latest one in rawhide
Resolves: rhbz#2014606
* Thu Jan 12 2023 Nikola Knazekova - 38.1.4-1
- Add lpr_roles to system_r roles
Resolves: rhbz#2152150
- Allow insights client work with gluster and pcp
Resolves: rhbz#2152150
- Add interfaces in domain, files, and unconfined modules
Resolves: rhbz#2152150
- Label fwupdoffline and fwupd-detect-cet with fwupd_exec_t
Resolves: rhbz#2152150
- Add insights additional capabilities
Resolves: rhbz#2152150
- Revert "Allow insights-client run lpr and allow the proper role"
Resolves: rhbz#2152150
- Allow prosody manage its runtime socket files
Resolves: rhbz#2157891
- Allow syslogd read network sysctls
Resolves: rhbz#2156068
- Allow NetworkManager and wpa_supplicant the bpf capability
Resolves: rhbz#2137085
- Allow sysadm_t read/write ipmi devices
Resolves: rhbz#2158419
- Allow wireguard to create udp sockets and read net_conf
Resolves: rhbz#2149452
- Allow systemd-rfkill the bpf capability
Resolves: rhbz#2149390
- Allow load_policy_t write to unallocated ttys
Resolves: rhbz#2145181
- Allow winbind-rpcd manage samba_share_t files and dirs
Resolves: rhbz#2150680
* Thu Dec 15 2022 Nikola Knazekova - 38.1.3-1
- Allow stalld to read /sys/kernel/security/lockdown file
Resolves: rhbz#2140673
- Allow syslog the setpcap capability
Resolves: rhbz#2151841
- Allow pulseaudio to write to session_dbusd tmp socket files
Resolves: rhbz#2132942
- Allow keepalived to set resource limits
Resolves: rhbz#2151212
- Add policy for mptcpd
Resolves: bz#1972222
- Add policy for rshim
Resolves: rhbz#2080439
- Allow insights-client dbus chat with abrt
Resolves: rhbz#2152166
- Allow insights-client work with pcp and manage user config files
Resolves: rhbz#2152150
- Allow insights-client run lpr and allow the proper role
Resolves: rhbz#2152150
- Allow insights-client tcp connect to various ports
Resolves: rhbz#2152150
- Allow insights-client dbus chat with various services
Resolves: rhbz#2152150
- Allow journalctl relabel with var_log_t and syslogd_var_run_t files
Resolves: rhbz#2152823
* Wed Nov 30 2022 Zdenek Pytela - 38.1.2-1
- Allow insights client communicate with cupsd, mysqld, openvswitch, redis
Resolves: rhbz#2124549
- Allow insights client read raw memory devices
Resolves: rhbz#2124549
- Allow networkmanager_dispatcher_plugin work with nscd
Resolves: rhbz#2149317
- Allow ipsec_t only read tpm devices
Resolves: rhbz#2147380
- Watch_sb all file type directories.
Resolves: rhbz#2139363
- Add watch and watch_sb dosfs interface
Resolves: rhbz#2139363
- Revert "define lockdown class and access"
Resolves: rhbz#2145266
- Allow postfix/smtpd read kerberos key table
Resolves: rhbz#2145266
- Remove the lockdown class from the policy
Resolves: rhbz#2145266
- Remove label for /usr/sbin/bgpd
Resolves: rhbz#2145266
- Revert "refpolicy: drop unused socket security classes"
Resolves: rhbz#2145266
* Mon Nov 21 2022 Zdenek Pytela - 38.1.1-1
- Rebase selinux-policy to the latest one in rawhide
Resolves: rhbz#2082524
* Wed Nov 16 2022 Zdenek Pytela - 34.1.47-1
- Add domain_unix_read_all_semaphores() interface
Resolves: rhbz#2123358
- Allow chronyd talk with unconfined user over unix domain dgram socket
Resolves: rhbz#2141255
- Allow unbound connectto unix_stream_socket
Resolves: rhbz#2141236
- added policy for systemd-socket-proxyd
Resolves: rhbz#2141606
- Allow samba-dcerpcd use NSCD services over a unix stream socket
Resolves: rhbz#2121729
- Allow insights-client unix_read all domain semaphores
Resolves: rhbz#2123358
- Allow insights-client manage generic locks
Resolves: rhbz#2123358
- Allow insights-client create gluster log dir with a transition
Resolves: rhbz#2123358
- Allow insights-client domain transition on semanage execution
Resolves: rhbz#2123358
- Disable rpm verification on interface_info
Resolves: rhbz#2134515
* Fri Nov 04 2022 Nikola Knazekova - 34.1.46-1
- new version
Resolves: rhbz#2134827
* Thu Nov 03 2022 Nikola Knazekova - 34.1.45-1
- Add watch_sb interfaces
Resolves: rhbz#2139363
- Add watch interfaces
Resolves: rhbz#2139363
- Allow dhcpd bpf capability to run bpf programs
Resolves: rhbz#2134827
- Allow netutils and traceroute bpf capability to run bpf programs
Resolves: rhbz#2134827
- Allow pkcs_slotd_t bpf capability to run bpf programs
Resolves: rhbz#2134827
- Allow xdm bpf capability to run bpf programs
Resolves: rhbz#2134827
- Allow pcscd bpf capability to run bpf programs
Resolves: rhbz#2134827
- Allow lldpad bpf capability to run bpf programs
Resolves: rhbz#2134827
- Allow keepalived bpf capability to run bpf programs
Resolves: rhbz#2134827
- Allow ipsec bpf capability to run bpf programs
Resolves: rhbz#2134827
- Allow fprintd bpf capability to run bpf programs
Resolves: rhbz#2134827
- Allow iptables list cgroup directories
Resolves: rhbz#2134829
- Allow dirsrv_snmp_t to manage dirsrv_config_t & dirsrv_var_run_t files
Resolves: rhbz#2042515
- Dontaudit dirsrv search filesystem sysctl directories
Resolves: rhbz#2134726
* Thu Oct 13 2022 Nikola Knazekova - 34.1.44-1
- Allow insights-client domtrans on unix_chkpwd execution
Resolves: rhbz#2126091
- Allow insights-client connect to postgresql with a unix socket
Resolves: rhbz#2126091
- Allow insights-client send null signal to rpm and system cronjob
Resolves: rhbz#2126091
- Allow insights-client manage samba var dirs
Resolves: rhbz#2126091
- Allow rhcd compute selinux access vector
Resolves: rhbz#2126091
- Add file context entries for insights-client and rhc
Resolves: rhbz#2126161
- Allow pulseaudio create gnome content (~/.config)
Resolves: rhbz#2132942
- Allow rhsmcertd execute gpg
Resolves: rhbz#2130204
- Label ports 10161-10162 tcp/udp with snmp
Resolves: rhbz#2133221
- Allow lldpad send to unconfined_t over a unix dgram socket
Resolves: rhbz#2112044
- Label port 15354/tcp and 15354/udp with opendnssec
Resolves: rhbz#2057501
- Allow aide to connect to systemd_machined with a unix socket.
Resolves: bz#2062936
- Allow ftpd map ftpd_var_run files
Resolves: bz#2124943
- Allow ptp4l respond to pmc
Resolves: rhbz#2131689
- Allow radiusd connect to the radacct port
Resolves: rhbz#2132424
- Allow xdm execute gnome-atspi services
Resolves: rhbz#2132244
- Allow ptp4l_t name_bind ptp_event_port_t
Resolves: rhbz#2130170
- Allow targetclid to manage tmp files
Resolves: rhbz#2127408
- Allow sbd the sys_ptrace capability
Resolves: rhbz#2124695
* Thu Sep 08 2022 Zdenek Pytela - 34.1.43-1
- Update rhcd policy for executing additional commands 5
Resolves: rhbz#2119351
- Update rhcd policy for executing additional commands 4
Resolves: rhbz#2119351
- Allow rhcd create rpm hawkey logs with correct label
Resolves: rhbz#2119351
- Update rhcd policy for executing additional commands 3
Resolves: rhbz#2119351
- Allow sssd to set samba setting
Resolves: rhbz#2121125
- Allow journalctl read rhcd fifo files
Resolves: rhbz#2119351
- Update insights-client policy for additional commands execution 5
Resolves: rhbz#2121125
- Confine insights-client systemd unit
Resolves: rhbz#2121125
- Update insights-client policy for additional commands execution 4
Resolves: rhbz#2121125
- Update insights-client policy for additional commands execution 3
Resolves: rhbz#2121125
- Allow rhcd execute all executables
Resolves: rhbz#2119351
- Update rhcd policy for executing additional commands 2
Resolves: rhbz#2119351
- Update insights-client policy for additional commands execution 2
Resolves: rhbz#2121125
* Mon Aug 29 2022 Zdenek Pytela - 34.1.42-1
- Label /var/log/rhc-worker-playbook with rhcd_var_log_t
Resolves: rhbz#2119351
- Update insights-client policy (auditctl, gpg, journal)
Resolves: rhbz#2107363
* Thu Aug 25 2022 Nikola Knazekova - 34.1.41-1
- Allow unconfined domains to bpf all other domains
Resolves: RHBZ#2112014
- Allow stalld get and set scheduling policy of all domains.
Resolves: rhbz#2105038
- Allow unconfined_t transition to targetclid_home_t
Resolves: RHBZ#2106360
- Allow samba-bgqd to read a printer list
Resolves: rhbz#2118977
- Allow system_dbusd ioctl kernel with a unix stream sockets
Resolves: rhbz#2085392
- Allow chronyd bind UDP sockets to ptp_event ports.
Resolves: RHBZ#2118631
- Update tor_bind_all_unreserved_ports interface
Resolves: RHBZ#2089486
- Remove permissive domain for rhcd_t
Resolves: rhbz#2119351
- Allow unconfined and sysadm users transition for /root/.gnupg
Resolves: rhbz#2121125
- Add gpg_filetrans_admin_home_content() interface
Resolves: rhbz#2121125
- Update rhcd policy for executing additional commands
Resolves: rhbz#2119351
- Update insights-client policy for additional commands execution
Resolves: rhbz#2119507
- Add rpm setattr db files macro
Resolves: rhbz#2119507
- Add userdom_view_all_users_keys() interface
Resolves: rhbz#2119507
- Allow gpg read and write generic pty type
Resolves: rhbz#2119507
- Allow chronyc read and write generic pty type
Resolves: rhbz#2119507
* Wed Aug 10 2022 Nikola Knazekova - 34.1.40-1
- Allow systemd-modules-load write to /dev/kmsg and send a message to syslogd
Resolves: RHBZ#2088257
- Allow systemd_hostnamed label /run/systemd/* as hostnamed_etc_t
Resolves: RHBZ#1976684
- Allow samba-bgqd get a printer list
Resolves: rhbz#2112395
- Allow networkmanager to signal unconfined process
Resolves: RHBZ#2074414
- Update NetworkManager-dispatcher policy
Resolves: RHBZ#2101910
- Allow openvswitch search tracefs dirs
Resolves: rhbz#1988164
- Allow openvswitch use its private tmpfs files and dirs
Resolves: rhbz#1988164
- Allow openvswitch fsetid capability
Resolves: rhbz#1988164
* Tue Aug 02 2022 Nikola Knazekova - 34.1.39-1
- Add support for systemd-network-generator
Resolves: RHBZ#2111069
- Allow systemd work with install_t unix stream sockets
Resolves: rhbz#2111206
- Allow sa-update to get init status and start systemd files
Resolves: RHBZ#2061844
* Fri Jul 15 2022 Nikola Knazekova - 34.1.38-1
- Allow some domains use sd_notify()
Resolves: rhbz#2056565
- Revert "Allow rabbitmq to use systemd notify"
Resolves: rhbz#2056565
- Update winbind_rpcd_t
Resolves: rhbz#2102084
- Update chronyd_pid_filetrans() to allow create dirs
Resolves: rhbz#2101910
- Allow keepalived read the contents of the sysfs filesystem
Resolves: rhbz#2098130
- Define LIBSEPOL version 3.4-1
Resolves: rhbz#2095688
* Wed Jun 29 2022 Zdenek Pytela - 34.1.37-1
- Allow targetclid read /var/target files
Resolves: rhbz#2020169
- Update samba-dcerpcd policy for kerberos usage 2
Resolves: rhbz#2096521
- Allow samba-dcerpcd work with sssd
Resolves: rhbz#2096521
- Allow stalld set scheduling policy of kernel threads
Resolves: rhbz#2102224
* Tue Jun 28 2022 Zdenek Pytela - 34.1.36-1
- Allow targetclid read generic SSL certificates (fixed)
Resolves: rhbz#2020169
- Fix file context pattern for /var/target
Resolves: rhbz#2020169
- Use insights_client_etc_t in insights_search_config()
Resolves: rhbz#1965013
* Fri Jun 24 2022 Zdenek Pytela - 34.1.35-1
- Add the corecmd_watch_bin_dirs() interface
Resolves: rhbz#1965013
- Update rhcd policy
Resolves: rhbz#1965013
- Allow rhcd search insights configuration directories
Resolves: rhbz#1965013
- Add the kernel_read_proc_files() interface
Resolves: rhbz#1965013
- Update insights_client_filetrans_named_content()
Resolves: rhbz#2081425
- Allow transition to insights_client named content
Resolves: rhbz#2081425
- Add the insights_client_filetrans_named_content() interface
Resolves: rhbz#2081425
- Update policy for insights-client to run additional commands 3
Resolves: rhbz#2081425
- Allow insights-client execute its private memfd: objects
Resolves: rhbz#2081425
- Update policy for insights-client to run additional commands 2
Resolves: rhbz#2081425
- Use insights_client_tmp_t instead of insights_client_var_tmp_t
Resolves: rhbz#2081425
- Change space indentation to tab in insights-client
Resolves: rhbz#2081425
- Use socket permissions sets in insights-client
Resolves: rhbz#2081425
- Update policy for insights-client to run additional commands
Resolves: rhbz#2081425
- Allow init_t to rw insights_client unnamed pipe
Resolves: rhbz#2081425
- Fix insights client
Resolves: rhbz#2081425
- Update kernel_read_unix_sysctls() for sysctl_net_unix_t handling
Resolves: rhbz#2081425
- Do not let system_cronjob_t create redhat-access-insights.log with var_log_t
Resolves: rhbz#2081425
- Allow stalld get scheduling policy of kernel threads
Resolves: rhbz#2096776
- Update samba-dcerpcd policy for kerberos usage
Resolves: rhbz#2096521
- Allow winbind_rpcd_t connect to self over a unix_stream_socket
Resolves: rhbz#2096255
- Allow dlm_controld send a null signal to a cluster daemon
Resolves: rhbz#2095884
- Allow dhclient manage pid files used by chronyd
The chronyd_manage_pid_files() interface was added.
- Resolves: rhbz#2094155
Allow install_t nnp_domtrans to setfiles_mac_t
- Resolves: rhbz#2073010
- Allow rabbitmq to use systemd notify
Resolves: rhbz#2056565
- Allow ksmctl create hardware state information files
Resolves: rhbz#2021131
- Label /var/target with targetd_var_t
Resolves: rhbz#2020169
- Allow targetclid read generic SSL certificates
Resolves: rhbz#2020169
* Thu Jun 09 2022 Zdenek Pytela - 34.1.34-1
- Allow stalld setsched and sys_nice
Resolves: rhbz#2092864
- Allow rhsmcertd to create cache file in /var/cache/cloud-what
Resolves: rhbz#2092333
- Update policy for samba-dcerpcd
Resolves: rhbz#2083509
- Add support for samba-dcerpcd
Resolves: rhbz#2083509
- Allow rabbitmq to access its private memfd: objects
Resolves: rhbz#2056565
- Confine targetcli
Resolves: rhbz#2020169
- Add policy for wireguard
Resolves: 1964862
- Label /var/cache/insights with insights_client_cache_t
Resolves: rhbz#2062136
- Allow ctdbd nlmsg_read on netlink_tcpdiag_socket
Resolves: rhbz#2094489
- Allow auditd_t noatsecure for a transition to audisp_remote_t
Resolves: rhbz#2081907
* Fri May 27 2022 Zdenek Pytela - 34.1.33-1
- Allow insights-client manage gpg admin home content
Resolves: rhbz#2062136
- Add the gpg_manage_admin_home_content() interface
Resolves: rhbz#2062136
- Add rhcd policy
Resolves: bz#1965013
- Allow svirt connectto virtlogd
Resolves: rhbz#2000881
- Add ksm service to ksmtuned
Resolves: rhbz#2021131
- Allow nm-privhelper setsched permission and send system logs
Resolves: rhbz#2053639
- Update the policy for systemd-journal-upload
Resolves: rhbz#2085369
- Allow systemd-journal-upload watch logs and journal
Resolves: rhbz#2085369
- Create a policy for systemd-journal-upload
Resolves: rhbz#2085369
- Allow insights-client create and use unix_dgram_socket
Resolves: rhbz#2087765
- Allow insights-client search gconf homedir
Resolves: rhbz#2087765
* Wed May 11 2022 Zdenek Pytela - 34.1.32-1
- Dontaudit guest attempts to dbus chat with systemd domains
Resolves: rhbz#2062740
- Dontaudit guest attempts to dbus chat with system bus types
Resolves: rhbz#2062740
- Fix users for SELinux userspace 3.4
Resolves: rhbz#2079290
- Removed adding to attribute unpriv_userdomain from userdom_unpriv_type template
Resolves: rhbz#2076681
- Allow systemd-sleep get removable devices attributes
Resolves: rhbz#2082404
- Allow systemd-sleep tlp_filetrans_named_content()
Resolves: rhbz#2082404
- Allow systemd-sleep execute generic programs
Resolves: rhbz#2082404
- Allow systemd-sleep execute shell
Resolves: rhbz#2082404
- Allow systemd-sleep transition to sysstat_t
Resolves: rhbz#2082404
- Allow systemd-sleep transition to tlp_t
Resolves: rhbz#2082404
- Allow systemd-sleep transition to unconfined_service_t on bin_t executables
Resolves: rhbz#2082404
- allow systemd-sleep to set timer for suspend-then-hibernate
Resolves: rhbz#2082404
- Add default fc specifications for patterns in /opt
Resolves: rhbz#2081059
- Use a named transition in systemd_hwdb_manage_config()
Resolves: rhbz#2061725
* Wed May 04 2022 Nikola Knazekova - 34.1.31-2
- Remove "v" from the package version
* Mon May 02 2022 Nikola Knazekova - v34.1.31-1
- Label /var/run/machine-id as machineid_t
Resolves: rhbz#2061680
- Allow insights-client create_socket_perms for tcp/udp sockets
Resolves: rhbz#2077377
- Allow insights-client read rhnsd config files
Resolves: rhbz#2077377
- Allow rngd drop privileges via setuid/setgid/setcap
Resolves: rhbz#2076642
- Allow tmpreaper the sys_ptrace userns capability
Resolves: rhbz#2062823
- Add stalld to modules.conf
Resolves: rhbz#2042614
- New policy for stalld
Resolves: rhbz#2042614
- Label new utility of NetworkManager nm-priv-helper
Resolves: rhbz#2053639
- Exclude container.if from selinux-policy-devel
Resolves: rhbz#1861968
* Tue Apr 19 2022 Zdenek Pytela - 34.1.30-2
- Update source branches to build a new package for RHEL 9.1.0
* Tue Apr 12 2022 Nikola Knazekova - 34.1.30-1
- Allow administrative users the bpf capability
Resolves: RHBZ#2070982
- Allow NetworkManager talk with unconfined user over unix domain dgram socket
Resolves: rhbz#2064688
- Allow hostapd talk with unconfined user over unix domain dgram socket
Resolves: rhbz#2064688
- Allow fprintd read and write hardware state information
Resolves: rhbz#2062911
- Allow fenced read kerberos key tables
Resolves: RHBZ#2060722
- Allow init watch and watch_reads user ttys
Resolves: rhbz#2060289
- Allow systemd watch and watch_reads console devices
Resolves: rhbz#2060289
- Allow nmap create and use rdma socket
Resolves: RHBZ#2059603
* Thu Mar 31 2022 Zdenek Pytela - 34.1.29-1
- Allow qemu-kvm create and use netlink rdma sockets
Resolves: rhbz#2063612
- Label corosync-cfgtool with cluster_exec_t
Resolves: rhbz#2061277
* Thu Mar 24 2022 Zdenek Pytela - 34.1.28-1
- Allow logrotate a domain transition to cluster administrative domain
Resolves: rhbz#2061277
- Change the selinuxuser_execstack boolean value to true
Resolves: rhbz#2064274
* Thu Feb 24 2022 Zdenek Pytela - 34.1.27-1
- Allow ModemManager connect to the unconfined user domain
Resolves: rhbz#2000196
- Label /dev/wwan.+ with modem_manager_t
Resolves: rhbz#2000196
- Allow systemd-coredump userns capabilities and root mounton
Resolves: rhbz#2057435
- Allow systemd-coredump read and write usermodehelper state
Resolves: rhbz#2057435
- Allow sysadm_passwd_t to relabel passwd and group files
Resolves: rhbz#2053458
- Allow systemd-sysctl read the security state information
Resolves: rhbz#2056999
- Remove unnecessary /etc file transitions for insights-client
Resolves: rhbz#2055823
- Label all content in /var/lib/insights with insights_client_var_lib_t
Resolves: rhbz#2055823
- Update insights-client policy
Resolves: rhbz#2055823
- Update insights-client: fc pattern, motd, writing to etc
Resolves: rhbz#2055823
- Update specfile to buildrequire policycoreutils-devel >= 3.3-5
- Add modules_checksum to %files
* Thu Feb 17 2022 Zdenek Pytela - 34.1.26-1
- Remove permissive domain for insights_client_t
Resolves: rhbz#2055823
- New policy for insight-client
Resolves: rhbz#2055823
- Allow confined sysadmin to use tool vipw
Resolves: rhbz#2053458
- Allow chage domtrans to sssd
Resolves: rhbz#2054657
- Remove label for /usr/sbin/bgpd
Resolves: rhbz#2055578
- Dontaudit pkcsslotd sys_admin capability
Resolves: rhbz#2055639
- Do not change selinuxuser_execmod and selinuxuser_execstack
Resolves: rhbz#2055822
- Allow tuned to read rhsmcertd config files
Resolves: rhbz#2055823
* Mon Feb 14 2022 Zdenek Pytela - 34.1.25-1
- Allow systemd watch unallocated ttys
Resolves: rhbz#2054150
- Allow alsa bind mixer controls to led triggers
Resolves: rhbz#2049732
- Allow alsactl set group Process ID of a process
Resolves: rhbz#2049732
- Allow unconfined to run virtd bpf
Resolves: rhbz#2033504
* Fri Feb 04 2022 Zdenek Pytela - 34.1.24-1
- Allow tumblerd write to session_dbusd tmp socket files
Resolves: rhbz#2000039
- Allow login_userdomain write to session_dbusd tmp socket files
Resolves: rhbz#2000039
- Allow login_userdomain create session_dbusd tmp socket files
Resolves: rhbz#2000039
- Allow gkeyringd_domain write to session_dbusd tmp socket files
Resolves: rhbz#2000039
- Allow systemd-logind delete session_dbusd tmp socket files
Resolves: rhbz#2000039
- Allow gdm-x-session write to session dbus tmp sock files
Resolves: rhbz#2000039
- Allow sysadm_t nnp_domtrans to systemd_tmpfiles_t
Resolves: rhbz#2039453
- Label exFAT utilities at /usr/sbin
Resolves: rhbz#1972225
* Wed Feb 02 2022 Zdenek Pytela - 34.1.23-1
- Allow systemd nnp_transition to login_userdomain
Resolves: rhbz#2039453
- Label /var/run/user/%{USERID}/dbus with session_dbusd_tmp_t
Resolves: rhbz#2000039
- Change /run/user/[0-9]+ to /run/user/%{USERID} for proper labeling
Resolves: rhbz#2000039
- Allow scripts to enter LUKS password
Resolves: rhbz#2048521
- Allow system_mail_t read inherited apache system content rw files
Resolves: rhbz#2049372
- Add apache_read_inherited_sys_content_rw_files() interface
Related: rhbz#2049372
- Allow sanlock get attributes of filesystems with extended attributes
Resolves: rhbz#2047811
- Associate stratisd_data_t with device filesystem
Resolves: rhbz#2039974
- Allow init read stratis data symlinks
Resolves: rhbz#2039974
- Label /run/stratisd with stratisd_var_run_t
Resolves: rhbz#2039974
- Allow domtrans to sssd_t and role access to sssd
Resolves: rhbz#2039757
- Creating interface sssd_run_sssd()
Resolves: rhbz#2039757
- Fix badly indented used interfaces
Resolves: rhbz#2039757
- Allow domain transition to sssd_t
Resolves: rhbz#2039757
- Label /dev/nvme-fabrics with fixed_disk_device_t
Resolves: rhbz#2039759
- Allow local_login_t nnp_transition to login_userdomain
Resolves: rhbz#2039453
- Allow xdm_t nnp_transition to login_userdomain
Resolves: rhbz#2039453
- Make cupsd_lpd_t a daemon
Resolves: rhbz#2039449
- Label utilities for exFAT filesystems with fsadm_exec_t
Resolves: rhbz#1972225
- Dontaudit sfcbd sys_ptrace cap_userns
Resolves: rhbz#2040311
* Tue Jan 11 2022 Zdenek Pytela - 34.1.22-1
- Allow sshd read filesystem sysctl files
Resolves: rhbz#2036585
- Revert "Allow sshd read sysctl files"
Resolves: rhbz#2036585
* Mon Jan 10 2022 Zdenek Pytela - 34.1.21-1
- Remove the lockdown class from the policy
Resolves: rhbz#2017848
- Revert "define lockdown class and access"
Resolves: rhbz#2017848
- Allow gssproxy access to various system files.
Resolves: rhbz#2026974
- Allow gssproxy read, write, and map ica tmpfs files
Resolves: rhbz#2026974
- Allow gssproxy read and write z90crypt device
Resolves: rhbz#2026974
- Allow sssd_kcm read and write z90crypt device
Resolves: rhbz#2026974
- Allow abrt_domain read and write z90crypt device
Resolves: rhbz#2026974
- Allow NetworkManager read and write z90crypt device
Resolves: rhbz#2026974
- Allow smbcontrol read the network state information
Resolves: rhbz#2038157
- Allow virt_domain map vhost devices
Resolves: rhbz#2035702
- Allow fcoemon request the kernel to load a module
Resolves: rhbz#2034463
- Allow lldpd connect to snmpd with a unix domain stream socket
Resolves: rhbz#2033315
- Allow ModemManager create a qipcrtr socket
Resolves: rhbz#2036582
- Allow ModemManager request to load a kernel module
Resolves: rhbz#2036582
- Allow sshd read sysctl files
Resolves: rhbz#2036585
* Wed Dec 15 2021 Zdenek Pytela - 34.1.20-1
- Allow dnsmasq watch /etc/dnsmasq.d directories
Resolves: rhbz#2029866
- Label /usr/lib/pcs/pcs_snmp_agent with cluster_exec_t
Resolves: rhbz#2029316
- Allow lldpd use an snmp subagent over a tcp socket
Resolves: rhbz#2028561
- Allow smbcontrol use additional socket types
Resolves: rhbz#2027751
- Add write permission to userfaultfd_anon_inode_perms
Resolves: rhbz#2027660
- Allow xdm_t watch generic directories in /lib
Resolves: rhbz#1960010
- Allow xdm_t watch fonts directories
Resolves: rhbz#1960010
- Label /dev/ngXnY and /dev/nvme-subsysX with fixed_disk_device_t
Resolves: rhbz#2027994
- Add hwtracing_device_t type for hardware-level tracing and debugging
Resolves: rhbz#2029392
- Change dev_getattr_infiniband_dev() to use getattr_chr_files_pattern()
Resolves: rhbz#2028791
- Allow arpwatch get attributes of infiniband_device_t devices
Resolves: rhbz#2028791
- Allow tcpdump and nmap get attributes of infiniband_device_t
Resolves: rhbz#2028791
* Mon Nov 29 2021 Zdenek Pytela - 34.1.19-1
- Allow redis get attributes of filesystems with extended attributes
Resolves: rhbz#2014611
- Allow dirsrv read slapd tmpfs files
Resolves: rhbz#2015928
- Revert "Label /dev/shm/dirsrv/ with dirsrv_tmpfs_t label"
Resolves: rhbz#2015928
- Allow login_userdomain open/read/map system journal
Resolves: rhbz#2017838
- Allow login_userdomain read and map /var/lib/systemd files
Resolves: rhbz#2017838
- Allow nftables read NetworkManager unnamed pipes
Resolves: rhbz#2023456
- Allow xdm watch generic directories in /var/lib
Resolves: rhbz#1960010
- Allow xdm_t watch generic pid directories
Resolves: rhbz#1960010
* Mon Nov 01 2021 Zdenek Pytela - 34.1.18-1
- Allow fetchmail search cgroup directories
Resolves: rhbz#2015118
- Add the auth_read_passwd_file() interface
Resolves: rhbz#2014611
- Allow redis-sentinel execute a notification script
Resolves: rhbz#2014611
- Support new PING_CHECK health checker in keepalived
Resolves: rhbz#2014423
* Thu Oct 14 2021 Zdenek Pytela - 34.1.17-1
- Label /usr/sbin/virtproxyd as virtd_exec_t
Resolves: rhbz#2002143
- Allow at-spi-bus-launcher read and map xdm pid files
Resolves: rhbz#2011772
- Remove references to init_watch_path_type attribute
Resolves: rhbz#2007960
- Remove all redundant watch permissions for systemd
Resolves: rhbz#2007960
- Allow systemd watch non_security_file_type dirs, files, lnk_files
Resolves: rhbz#2007960
- Allow systemd-resolved watch /run/systemd
Resolves: rhbz#1992461
- Allow sssd watch /run/systemd
Resolves: rhbz#1992461
* Thu Sep 23 2021 Zdenek Pytela - 34.1.16-1
- Allow fprintd install a sleep delay inhibitor
Resolves: rhbz#1999537
- Update mount_manage_pid_files() to use manage_files_pattern
Resolves: rhbz#1999997
- Allow gnome at-spi processes create and use stream sockets
Resolves: rhbz#2004885
- Allow haproxy list the sysfs directories content
Resolves: rhbz#1986823
- Allow virtlogd_t read process state of user domains
Resolves: rhbz#1994592
- Support hitless reloads feature in haproxy
Resolves: rhbz#1997182
- Allow firewalld load kernel modules
Resolves: rhbz#1999152
- Allow communication between at-spi and gdm processes
Resolves: rhbz#2003037
- Remove "ipa = module" from modules-targeted-contrib.conf
Resolves: rhbz#2006039
* Mon Aug 30 2021 Zdenek Pytela - 34.1.15-1
- Update ica_filetrans_named_content() with create_file_perms
Resolves: rhbz#1976180
- Allow various domains work with ICA crypto accelerator
Resolves: rhbz#1976180
- Add ica module
Resolves: rhbz#1976180
- Revert "Support using ICA crypto accelerator on s390x arch"
Resolves: rhbz#1976180
- Fix the gnome_atspi_domtrans() interface summary
Resolves: rhbz#1972655
- Add support for at-spi
Resolves: rhbz#1972655
- Add permissions for system dbus processes
Resolves: rhbz#1972655
- Allow /tmp file transition for dbus-daemon also for sock_file
Resolves: rhbz#1972655
* Wed Aug 25 2021 Zdenek Pytela - 34.1.14-1
- Support using ICA crypto accelerator on s390x arch
Resolves: rhbz#1976180
- Allow systemd delete /run/systemd/default-hostname
Resolves: rhbz#1978507
- Label /usr/bin/Xwayland with xserver_exec_t
Resolves: rhbz#1993151
- Label /usr/libexec/gdm-runtime-config with xdm_exec_t
Resolves: rhbz#1993151
- Allow tcpdump read system state information in /proc
Resolves: rhbz#1972577
- Allow firewalld drop capabilities
Resolves: rhbz#1989641