Changelog for selinux-policy-sandbox-38.1.35-2.el9_4.noarch.rpm:

* Thu Mar 14 2024 Zdenek Pytela - 38.1.35-2
- Rebuild
Resolves: RHEL-26663

* Fri Mar 08 2024 Zdenek Pytela - 38.1.35-1
- Allow wdmd read hardware state information
Resolves: RHEL-26663

* Fri Mar 08 2024 Zdenek Pytela - 38.1.34-1
- Allow wdmd list the contents of the sysfs directories
Resolves: RHEL-26663
- Allow linuxptp configure phc2sys and chronyd over a unix domain socket
Resolves: RHEL-26660

* Thu Feb 22 2024 Juraj Marcin - 38.1.33-1
- Allow thumb_t to watch and watch_reads mount_var_run_t
Resolves: RHEL-26073
- Allow opafm create NFS files and directories
Resolves: RHEL-17820
- Label /tmp/libdnf.* with user_tmp_t
Resolves: RHEL-11250

* Thu Feb 15 2024 Juraj Marcin - 38.1.32-1
- Dontaudit subscription manager setfscreate and read file contexts
Resolves: RHEL-21635
- Allow xdm_t to watch and watch_reads mount_var_run_t
Resolves: RHEL-24841
- Allow unix dgram sendto between exim processes
Resolves: RHEL-21902
- Allow utempter_t use ptmx
Resolves: RHEL-24946
- Only allow confined user domains to login locally without unconfined_login
Resolves: RHEL-1551
- Add userdom_spec_domtrans_confined_admin_users interface
Resolves: RHEL-1551
- Only allow admindomain to execute shell via ssh with ssh_sysadm_login
Resolves: RHEL-1551
- Add userdom_spec_domtrans_admin_users interface
Resolves: RHEL-1551
- Move ssh dyntrans to unconfined inside unconfined_login tunable policy
Resolves: RHEL-1551

* Thu Jan 25 2024 Juraj Marcin - 38.1.31-1
- Allow chronyd-restricted read chronyd key files
Resolves: RHEL-18219
- Allow conntrackd_t to use bpf capability2
Resolves: RHEL-22277
- Allow smbd_t to watch user_home_dir_t if samba_enable_home_dirs is on
Resolves: RHEL-14735
- Allow hypervkvp_t write access to NetworkManager_etc_rw_t
Resolves: RHEL-14505
- Add interface for write-only access to NetworkManager rw conf
Resolves: RHEL-14505
- Allow unconfined_domain_type use IORING_OP_URING_CMD on all device nodes
Resolves: RHEL-11792

* Fri Jan 12 2024 Zdenek Pytela - 38.1.30-1
- Allow sysadm execute traceroute in sysadm_t domain using sudo
Resolves: RHEL-14077
- Allow qatlib set attributes of vfio device files
Resolves: RHEL-19051
- Allow qatlib load kernel modules
Resolves: RHEL-19051
- Allow qatlib run lspci
Resolves: RHEL-19051
- Allow qatlib manage its private runtime socket files
Resolves: RHEL-19051
- Allow qatlib read/write vfio devices
Resolves: RHEL-19051
- Allow syslog to run unconfined scripts conditionally
Resolves: RHEL-11174
- Allow syslogd_t nnp_transition to syslogd_unconfined_script_t
Resolves: RHEL-11174
- Allow sendmail MTA connect to sendmail LDA
Resolves: RHEL-15175
- Allow sysadm execute tcpdump in sysadm_t domain using sudo
Resolves: RHEL-15432
- Allow opafm search nfs directories
Resolves: RHEL-17820
- Allow mdadm list stratisd data directories
Resolves: RHEL-19276
- Update cyrus_stream_connect() to use sockets in /run
Resolves: RHEL-19282
- Allow collectd connect to statsd port
Resolves: RHEL-21044
- Allow insights-client transition to sap unconfined domain
Resolves: RHEL-21452
- Create the sap module
Resolves: RHEL-21452

* Thu Dec 14 2023 Juraj Marcin - 38.1.29-1
- Add init_explicit_domain() interface
Resolves: RHEL-18219
- Allow dovecot_auth_t connect to postgresql using UNIX socket
Resolves: RHEL-16850
- Allow keepalived_t to use sys_ptrace of cap_userns
Resolves: RHEL-17156
- Make `bootc` be `install_exec_t`
Resolves: RHEL-19199
- Add support for chronyd-restricted
Resolves: RHEL-18219
- Label /dev/vas with vas_device_t
Resolves: RHEL-17336
- Allow gpsd use /dev/gnss devices
Resolves: RHEL-16676
- Allow sendmail manage its runtime files
Resolves: RHEL-15175
- Add support for syslogd unconfined scripts
Resolves: RHEL-11174

* Thu Nov 30 2023 Juraj Marcin - 38.1.28-1
- Create interface selinux_watch_config and add it to SELinux users
Resolves: RHEL-1555
- Allow winbind_rpcd_t processes access when samba_export_all_* is on
Resolves: RHEL-16273
- Allow samba-dcerpcd connect to systemd_machined over a unix socket
Resolves: RHEL-16273
- Allow winbind-rpcd make a TCP connection to the ldap port
Resolves: RHEL-16273
- Allow sudodomain read var auth files
Resolves: RHEL-16708
- Allow auditd read all domains process state
Resolves: RHEL-14285
- Allow rsync read network sysctls
Resolves: RHEL-14638
- Add dhcpcd bpf capability to run bpf programs
Resolves: RHEL-15326
- Allow systemd-localed create Xserver config dirs
Resolves: RHEL-16716
- Label /var/run/tmpfiles.d/static-nodes.conf with kmod_var_run_t
Resolves: RHEL-1553
- Update sendmail policy module for opensmtpd
Resolves: RHEL-15175

* Tue Nov 14 2023 Juraj Marcin - 38.1.27-1
- Remove glusterd module
Resolves: RHEL-1548
- Improve default file context(None) of /var/lib/authselect/backups
Resolves: RHEL-15220
- Set default file context of /var/lib/authselect/backups to <>
Resolves: RHEL-15220
- Create policy for afterburn
Resolves: RHEL-12591
- Allow unconfined_domain_type use io_uring cmd on domain
Resolves: RHEL-11792
- Add policy for coreos installer
Resolves: RHEL-5164
- Add policy for nvme-stas
Resolves: RHEL-1557
- Label /var/run/auditd.state as auditd_var_run_t
Resolves: RHEL-14374
- Allow ntp to bind and connect to ntske port.
Resolves: RHEL-15085
- Allow ip an explicit domain transition to other domains
Resolves: RHEL-14246
- Label /usr/libexec/selinux/selinux-autorelabel with semanage_exec_t
Resolves: RHEL-14289
- Allow sssd domain transition on passkey_child execution conditionally
Resolves: RHEL-14014
- Allow sssd use usb devices conditionally
Resolves: RHEL-14014
- Allow kdump create and use its memfd: objects
Resolves: RHEL-14413

* Tue Oct 31 2023 Zdenek Pytela - 38.1.26-1
- Allow kdump create and use its memfd: objects
Resolves: RHEL-14413

* Fri Oct 20 2023 Zdenek Pytela - 38.1.25-1
- Add map_read map_write to kernel_prog_run_bpf
Resolves: RHEL-2653
- Allow sysadm_t read nsfs files
Resolves: RHEL-5146
- Dontaudit keepalived setattr on keepalived_unconfined_script_exec_t
Resolves: RHEL-14029
- Allow system_mail_t manage exim spool files and dirs
Resolves: RHEL-14110
- Label /run/pcsd.socket with cluster_var_run_t
Resolves: RHEL-1664

* Fri Sep 29 2023 Juraj Marcin - 38.1.24-1
- Allow cupsd_t to use bpf capability
Resolves: RHEL-3633
- Label /dev/gnss[0-9] with gnss_device_t
Resolves: RHEL-9936
- Dontaudit rhsmcertd write memory device
Resolves: RHEL-1547

* Fri Aug 25 2023 Nikola Knazekova - 38.1.23-1
- Allow cups-pdf connect to the system log service
Resolves: rhbz#2234765
- Update policy for qatlib
Resolves: rhbz#2080443

* Thu Aug 24 2023 Nikola Knazekova - 38.1.22-1
- Allow qatlib to modify hardware state information.
Resolves: rhbz#2080443
- Update policy for fdo
Resolves: rhbz#2229722
- Allow gpsd, oddjob and oddjob_mkhomedir_t write user_tty_device_t chr_file
Resolves: rhbz#2223305
- Allow svirt to rw /dev/udmabuf
Resolves: rhbz#2223727
- Allow keepalived watch var_run dirs
Resolves: rhbz#2186759

* Thu Aug 17 2023 Nikola Knazekova - 38.1.21-1
- Allow logrotate_t to map generic files in /etc
Resolves: rhbz#2231257
- Allow insights-client manage user temporary files
Resolves: rhbz#2224737
- Make insights_client_t an unconfined domain
Resolves: rhbz#2225526

* Fri Aug 11 2023 Nikola Knazekova - 38.1.20-1
- Allow user_u and staff_u get attributes of non-security dirs
Resolves: rhbz#2215507
- Allow cloud_init create dhclient var files and init_t manage net_conf_t
Resolves: rhbz#2225418
- Allow samba-dcerpc service manage samba tmp files
Resolves: rhbz#2230365
- Update samba-dcerpc policy for printing
Resolves: rhbz#2230365
- Allow sysadm_t run kernel bpf programs
Resolves: rhbz#2229936
- allow mon_procd_t self:cap_userns sys_ptrace
Resolves: rhbz#2221986
- Remove nsplugin_role from mozilla.if
Resolves: rhbz#2221251
- Allow unconfined user filetrans chrome_sandbox_home_t
Resolves: rhbz#2187893
- Allow pdns name_bind and name_connect all ports
Resolves: rhbz#2047945
- Allow insights-client read and write cluster tmpfs files
Resolves: rhbz#2221631
- Allow ipsec read nsfs files
Resolves: rhbz#2230277
- Allow upsmon execute upsmon via a helper script
Resolves: rhbz#2228403
- Fix labeling for no-stub-resolv.conf
Resolves: rhbz#2148390
- Add use_nfs_home_dirs boolean for mozilla_plugin
Resolves: rhbz#2214298
- Change wording in /etc/selinux/config
Resolves: rhbz#2143153

* Thu Aug 03 2023 Nikola Knazekova - 38.1.19-1
- Allow qatlib to read sssd public files
Resolves: rhbz#2080443
- Fix location for /run/nsd
Resolves: rhbz#2181600
- Allow samba-rpcd work with passwords
Resolves: rhbz#2107092
- Allow rpcd_lsad setcap and use generic ptys
Resolves: rhbz#2107092
- Allow gpsd,oddjob,oddjob_mkhomedir rw user domain pty
Resolves: rhbz#2223305
- Allow keepalived to manage its tmp files
Resolves: rhbz#2179212
- Allow nscd watch system db dirs
Resolves: rhbz#2152124

* Fri Jul 21 2023 Nikola Knazekova - 38.1.18-1
- Boolean: Allow virt_qemu_ga create ssh directory
Resolves: rhbz#2181402
- Allow virt_qemu_ga_t create .ssh dir with correct label
Resolves: rhbz#2181402
- Set default ports for keylime policy
Resolves: RHEL-594
- Allow unconfined service inherit signal state from init
Resolves: rhbz#2186233
- Allow sa-update connect to systemlog services
Resolves: rhbz#2220643
- Allow sa-update manage spamc home files
Resolves: rhbz#2220643
- Label only /usr/sbin/ripd and ripngd with zebra_exec_t
Resolves: rhbz#2213605
- Add the files_getattr_non_auth_dirs() interface
Resolves: rhbz#2076933
- Update policy for the sblim-sfcb service
Resolves: rhbz#2076933
- Define equivalency for /run/systemd/generator.early
Resolves: rhbz#2213516

* Thu Jun 29 2023 Nikola Knazekova - 38.1.17-1
- Add the qatlib module
Resolves: rhbz#2080443
- Add the fdo module
Resolves: rhbz#2026795
- Add the booth module to modules.conf
Resolves: rhbz#2128833

* Thu Jun 29 2023 Nikola Knazekova - 38.1.16-1
- Remove permissive from fdo
Resolves: rhbz#2026795
- Add the qatlib module
Resolves: rhbz#2080443
- Add the fdo module
Resolves: rhbz#2026795
- Add the booth module to modules.conf
Resolves: rhbz#2128833
- Add policy for FIDO Device Onboard
Resolves: rhbz#2026795
- Create policy for qatlib
Resolves: rhbz#2080443
- Add policy for boothd
Resolves: rhbz#2128833
- Add list_dir_perms to kerberos_read_keytab
Resolves: rhbz#2112729
- Allow nsd_crond_t write nsd_var_run_t & connectto nsd_t
Resolves: rhbz#2209973
- Allow collectd_t read network state symlinks
Resolves: rhbz#2209650
- Revert "Allow collectd_t read proc_net link files"
Resolves: rhbz#2209650
- Allow insights-client execmem
Resolves: rhbz#2207894
- Label udf tools with fsadm_exec_t
Resolves: rhbz#2039774

* Thu Jun 15 2023 Zdenek Pytela - 38.1.15-1
- Add fs_delete_pstore_files() interface
Resolves: rhbz#2181565
- Add fs_read_pstore_files() interface
Resolves: rhbz#2181565
- Allow insights-client getsession process permission
Resolves: rhbz#2214581
- Allow insights-client work with pipe and socket tmp files
Resolves: rhbz#2214581
- Allow insights-client map generic log files
Resolves: rhbz#2214581
- Allow insights-client read unconfined service semaphores
Resolves: rhbz#2214581
- Allow insights-client get quotas of all filesystems
Resolves: rhbz#2214581
- Allow haproxy read hardware state information
Resolves: rhbz#2164691
- Allow cupsd dbus chat with xdm
Resolves: rhbz#2143641
- Allow dovecot_deliver_t create/map dovecot_spool_t dir/file
Resolves: rhbz#2165863
- Add none file context for polyinstantiated tmp dirs
Resolves: rhbz#2099194
- Add support for the systemd-pstore service
Resolves: rhbz#2181565
- Label /dev/userfaultfd with userfaultfd_t
Resolves: rhbz#2175290
- Allow collectd_t read proc_net link files
Resolves: rhbz#2209650
- Label smtpd with sendmail_exec_t
Resolves: rhbz#2213573
- Label msmtp and msmtpd with sendmail_exec_t
Resolves: rhbz#2213573
- Allow dovecot-deliver write to the main process runtime fifo files
Resolves: rhbz#2211787
- Allow subscription-manager execute ip
Resolves: rhbz#2211566
- Allow ftpd read network sysctls
Resolves: rhbz#2175856

* Fri May 26 2023 Nikola Knazekova - 38.1.14-1
- Allow firewalld rw ica_tmpfs_t files
Resolves: rhbz#2207487
- Add chromium_sandbox_t setcap capability
Resolves: rhbz#2187893
- Allow certmonger manage cluster library files
Resolves: rhbz#2179022
- Allow wireguard to rw network sysctls
Resolves: rhbz#2192154
- Label /usr/lib/systemd/system/proftpd.* & vsftpd.* with ftpd_unit_file_t
Resolves: rhbz#2188173
- Allow plymouthd_t bpf capability to run bpf programs
Resolves: rhbz#2184803
- Update pkcsslotd policy for sandboxing
Resolves: rhbz#2209235
- Allow unconfined_service_t to create .gnupg labeled as gpg_secret_t
Resolves: rhbz#2203201

* Thu May 18 2023 Nikola Knazekova - 38.1.13-1
- Allow insights-client work with teamdctl
Resolves: rhbz#2190178
- Allow virsh name_connect virt_port_t
Resolves: rhzb#2187290
- Allow cupsd to create samba_var_t files
Resolves: rhbz#2174445
- Allow dovecot to map files in /var/spool/dovecot
Resolves: rhbz#2165863
- Add tunable to allow squid bind snmp port
Resolves: rhbz#2151378
- Allow rhsmcert request the kernel to load a module
Resolves: rhbz#2203359
- Allow snmpd read raw disk data
Resolves: rhbz#2196528

* Fri Apr 14 2023 Nikola Knazekova - 38.1.12-1
- Allow cloud-init domain transition to insights-client domain
Resolves: rhbz#2162663
- Allow chronyd send a message to cloud-init over a datagram socket
Resolves: rhbz#2162663
- Allow dmidecode write to cloud-init tmp files
Resolves: rhbz#2162663
- Allow login_pgm setcap permission
Resolves: rhbz#2174331
- Allow tshark the setsched capability
Resolves: rhbz#2165634
- Allow chronyc read network sysctls
Resolves: rhbz#2173604
- Allow systemd-timedated watch init runtime dir
Resolves: rhbz#2175137
- Add journalctl the sys_resource capability
Resolves: rhbz#2153782
- Allow system_cronjob_t transition to rpm_script_t
Resolves: rhbz#2173685
- Revert "Allow system_cronjob_t domtrans to rpm_script_t"
Resolves: rhbz#2173685
- Allow insights-client tcp connect to all ports
Resolves: rhbz#2183083
- Allow insights-client work with su and lpstat
Resolves: rhbz#2183083
- Allow insights-client manage fsadm pid files
Resolves: rhbz#2183083
- Allow insights-client read all sysctls
Resolves: rhbz#2183083
- Allow rabbitmq to read network sysctls
Resolves: rhbz#2184999

* Tue Mar 28 2023 Nikola Knazekova - 38.1.11-2
- rebuilt
Resolves: rhbz#2172268

* Mon Mar 27 2023 Nikola Knazekova - 38.1.11-1
- Allow passt manage qemu pid sock files
Resolves: rhbz#2172268
- Exclude passt.if from selinux-policy-devel
Resolves: rhbz#2172268

* Fri Mar 24 2023 Nikola Knazekova - 38.1.10-1
- Add support for the passt_t domain
Resolves: rhbz#2172268
- Allow virtd_t and svirt_t work with passt
Resolves: rhbz#2172268
- Add new interfaces in the virt module
Resolves: rhbz#2172268
- Add passt interfaces defined conditionally
Resolves: rhbz#2172268

* Thu Mar 16 2023 Nikola Knazekova - 38.1.9-1
- Boolean: allow qemu-ga manage ssh home directory
Resolves: rhbz#2178612
- Allow wg load kernel modules, search debugfs dir
Resolves: rhbz#2176487

* Thu Feb 16 2023 Nikola Knazekova - 38.1.8-1
- Allow svirt to map svirt_image_t char files
Resolves: rhbz#2170482
- Fix opencryptoki file names in /dev/shm
Resolves: rhbz#2166283

* Wed Feb 15 2023 Nikola Knazekova - 38.1.7-1
- Allow staff_t getattr init pid chr & blk files and read krb5
Resolves: rhbz#2112729
- Allow firewalld to rw z90crypt device
Resolves: rhbz#2166877
- Allow httpd work with tokens in /dev/shm
Resolves: rhbz#2166283

* Thu Feb 09 2023 Nikola Knazekova - 38.1.6-1
- Allow modemmanager create hardware state information files
Resolves: rhbz#2149560
- Dontaudit ftpd the execmem permission
Resolves: rhbz#2164434
- Allow nm-dispatcher plugins read generic files in /proc
Resolves: rhbz#2164845
- Label systemd-journald feature LogNamespace
Resolves: rhbz#2124797
- Boolean: allow qemu-ga read ssh home directory
Resolves: rhbz#1917024

* Thu Jan 26 2023 Nikola Knazekova - 38.1.5-1
- Reuse tmpfs_t also for the ramfs filesystem
Resolves: rhbz#2160391
- Allow systemd-resolved watch tmpfs directories
Resolves: rhbz#2160391
- Allow hostname_t to read network sysctls.
Resolves: rhbz#2161958
- Allow ModemManager all permissions for netlink route socket
Resolves: rhbz#2149560
- Allow unconfined user filetransition for sudo log files
Resolves: rhbz#2160388
- Allow sudodomain use sudo.log as a logfile
Resolves: rhbz#2160388
- Allow nm-cloud-setup dispatcher plugin restart nm services
Resolves: rhbz#2154414
- Allow wg to send msg to kernel, write to syslog and dbus connections
Resolves: rhbz#2149452
- Allow rshim bpf cap2 and read sssd public files
Resolves: rhbz#2080439
- Allow svirt request the kernel to load a module
Resolves: rhbz#2144735
- Rebase selinux-policy to the latest one in rawhide
Resolves: rhbz#2014606

* Thu Jan 12 2023 Nikola Knazekova - 38.1.4-1
- Add lpr_roles to system_r roles
Resolves: rhbz#2152150
- Allow insights client work with gluster and pcp
Resolves: rhbz#2152150
- Add interfaces in domain, files, and unconfined modules
Resolves: rhbz#2152150
- Label fwupdoffline and fwupd-detect-cet with fwupd_exec_t
Resolves: rhbz#2152150
- Add insights additional capabilities
Resolves: rhbz#2152150
- Revert "Allow insights-client run lpr and allow the proper role"
Resolves: rhbz#2152150
- Allow prosody manage its runtime socket files
Resolves: rhbz#2157891
- Allow syslogd read network sysctls
Resolves: rhbz#2156068
- Allow NetworkManager and wpa_supplicant the bpf capability
Resolves: rhbz#2137085
- Allow sysadm_t read/write ipmi devices
Resolves: rhbz#2158419
- Allow wireguard to create udp sockets and read net_conf
Resolves: rhbz#2149452
- Allow systemd-rfkill the bpf capability
Resolves: rhbz#2149390
- Allow load_policy_t write to unallocated ttys
Resolves: rhbz#2145181
- Allow winbind-rpcd manage samba_share_t files and dirs
Resolves: rhbz#2150680

* Thu Dec 15 2022 Nikola Knazekova - 38.1.3-1
- Allow stalld to read /sys/kernel/security/lockdown file
Resolves: rhbz#2140673
- Allow syslog the setpcap capability
Resolves: rhbz#2151841
- Allow pulseaudio to write to session_dbusd tmp socket files
Resolves: rhbz#2132942
- Allow keepalived to set resource limits
Resolves: rhbz#2151212
- Add policy for mptcpd
Resolves: bz#1972222
- Add policy for rshim
Resolves: rhbz#2080439
- Allow insights-client dbus chat with abrt
Resolves: rhbz#2152166
- Allow insights-client work with pcp and manage user config files
Resolves: rhbz#2152150
- Allow insights-client run lpr and allow the proper role
Resolves: rhbz#2152150
- Allow insights-client tcp connect to various ports
Resolves: rhbz#2152150
- Allow insights-client dbus chat with various services
Resolves: rhbz#2152150
- Allow journalctl relabel with var_log_t and syslogd_var_run_t files
Resolves: rhbz#2152823

* Wed Nov 30 2022 Zdenek Pytela - 38.1.2-1
- Allow insights client communicate with cupsd, mysqld, openvswitch, redis
Resolves: rhbz#2124549
- Allow insights client read raw memory devices
Resolves: rhbz#2124549
- Allow networkmanager_dispatcher_plugin work with nscd
Resolves: rhbz#2149317
- Allow ipsec_t only read tpm devices
Resolves: rhbz#2147380
- Watch_sb all file type directories.
Resolves: rhbz#2139363
- Add watch and watch_sb dosfs interface
Resolves: rhbz#2139363
- Revert "define lockdown class and access"
Resolves: rhbz#2145266
- Allow postfix/smtpd read kerberos key table
Resolves: rhbz#2145266
- Remove the lockdown class from the policy
Resolves: rhbz#2145266
- Remove label for /usr/sbin/bgpd
Resolves: rhbz#2145266
- Revert "refpolicy: drop unused socket security classes"
Resolves: rhbz#2145266

* Mon Nov 21 2022 Zdenek Pytela - 38.1.1-1
- Rebase selinux-policy to the latest one in rawhide
Resolves: rhbz#2082524

* Wed Nov 16 2022 Zdenek Pytela - 34.1.47-1
- Add domain_unix_read_all_semaphores() interface
Resolves: rhbz#2123358
- Allow chronyd talk with unconfined user over unix domain dgram socket
Resolves: rhbz#2141255
- Allow unbound connectto unix_stream_socket
Resolves: rhbz#2141236
- added policy for systemd-socket-proxyd
Resolves: rhbz#2141606
- Allow samba-dcerpcd use NSCD services over a unix stream socket
Resolves: rhbz#2121729
- Allow insights-client unix_read all domain semaphores
Resolves: rhbz#2123358
- Allow insights-client manage generic locks
Resolves: rhbz#2123358
- Allow insights-client create gluster log dir with a transition
Resolves: rhbz#2123358
- Allow insights-client domain transition on semanage execution
Resolves: rhbz#2123358
- Disable rpm verification on interface_info
Resolves: rhbz#2134515

* Fri Nov 04 2022 Nikola Knazekova - 34.1.46-1
- new version
Resolves: rhbz#2134827

* Thu Nov 03 2022 Nikola Knazekova - 34.1.45-1
- Add watch_sb interfaces
Resolves: rhbz#2139363
- Add watch interfaces
Resolves: rhbz#2139363
- Allow dhcpd bpf capability to run bpf programs
Resolves: rhbz#2134827
- Allow netutils and traceroute bpf capability to run bpf programs
Resolves: rhbz#2134827
- Allow pkcs_slotd_t bpf capability to run bpf programs
Resolves: rhbz#2134827
- Allow xdm bpf capability to run bpf programs
Resolves: rhbz#2134827
- Allow pcscd bpf capability to run bpf programs
Resolves: rhbz#2134827
- Allow lldpad bpf capability to run bpf programs
Resolves: rhbz#2134827
- Allow keepalived bpf capability to run bpf programs
Resolves: rhbz#2134827
- Allow ipsec bpf capability to run bpf programs
Resolves: rhbz#2134827
- Allow fprintd bpf capability to run bpf programs
Resolves: rhbz#2134827
- Allow iptables list cgroup directories
Resolves: rhbz#2134829
- Allow dirsrv_snmp_t to manage dirsrv_config_t & dirsrv_var_run_t files
Resolves: rhbz#2042515
- Dontaudit dirsrv search filesystem sysctl directories
Resolves: rhbz#2134726

* Thu Oct 13 2022 Nikola Knazekova - 34.1.44-1
- Allow insights-client domtrans on unix_chkpwd execution
Resolves: rhbz#2126091
- Allow insights-client connect to postgresql with a unix socket
Resolves: rhbz#2126091
- Allow insights-client send null signal to rpm and system cronjob
Resolves: rhbz#2126091
- Allow insights-client manage samba var dirs
Resolves: rhbz#2126091
- Allow rhcd compute selinux access vector
Resolves: rhbz#2126091
- Add file context entries for insights-client and rhc
Resolves: rhbz#2126161
- Allow pulseaudio create gnome content (~/.config)
Resolves: rhbz#2132942
- Allow rhsmcertd execute gpg
Resolves: rhbz#2130204
- Label ports 10161-10162 tcp/udp with snmp
Resolves: rhbz#2133221
- Allow lldpad send to unconfined_t over a unix dgram socket
Resolves: rhbz#2112044
- Label port 15354/tcp and 15354/udp with opendnssec
Resolves: rhbz#2057501
- Allow aide to connect to systemd_machined with a unix socket.
Resolves: bz#2062936
- Allow ftpd map ftpd_var_run files
Resolves: bz#2124943
- Allow ptp4l respond to pmc
Resolves: rhbz#2131689
- Allow radiusd connect to the radacct port
Resolves: rhbz#2132424
- Allow xdm execute gnome-atspi services
Resolves: rhbz#2132244
- Allow ptp4l_t name_bind ptp_event_port_t
Resolves: rhbz#2130170
- Allow targetclid to manage tmp files
Resolves: rhbz#2127408
- Allow sbd the sys_ptrace capability
Resolves: rhbz#2124695

* Thu Sep 08 2022 Zdenek Pytela - 34.1.43-1
- Update rhcd policy for executing additional commands 5
Resolves: rhbz#2119351
- Update rhcd policy for executing additional commands 4
Resolves: rhbz#2119351
- Allow rhcd create rpm hawkey logs with correct label
Resolves: rhbz#2119351
- Update rhcd policy for executing additional commands 3
Resolves: rhbz#2119351
- Allow sssd to set samba setting
Resolves: rhbz#2121125
- Allow journalctl read rhcd fifo files
Resolves: rhbz#2119351
- Update insights-client policy for additional commands execution 5
Resolves: rhbz#2121125
- Confine insights-client systemd unit
Resolves: rhbz#2121125
- Update insights-client policy for additional commands execution 4
Resolves: rhbz#2121125
- Update insights-client policy for additional commands execution 3
Resolves: rhbz#2121125
- Allow rhcd execute all executables
Resolves: rhbz#2119351
- Update rhcd policy for executing additional commands 2
Resolves: rhbz#2119351
- Update insights-client policy for additional commands execution 2
Resolves: rhbz#2121125

* Mon Aug 29 2022 Zdenek Pytela - 34.1.42-1
- Label /var/log/rhc-worker-playbook with rhcd_var_log_t
Resolves: rhbz#2119351
- Update insights-client policy (auditctl, gpg, journal)
Resolves: rhbz#2107363

* Thu Aug 25 2022 Nikola Knazekova - 34.1.41-1
- Allow unconfined domains to bpf all other domains
Resolves: RHBZ#2112014
- Allow stalld get and set scheduling policy of all domains.
Resolves: rhbz#2105038
- Allow unconfined_t transition to targetclid_home_t
Resolves: RHBZ#2106360
- Allow samba-bgqd to read a printer list
Resolves: rhbz#2118977
- Allow system_dbusd ioctl kernel with a unix stream sockets
Resolves: rhbz#2085392
- Allow chronyd bind UDP sockets to ptp_event ports.
Resolves: RHBZ#2118631
- Update tor_bind_all_unreserved_ports interface
Resolves: RHBZ#2089486
- Remove permissive domain for rhcd_t
Resolves: rhbz#2119351
- Allow unconfined and sysadm users transition for /root/.gnupg
Resolves: rhbz#2121125
- Add gpg_filetrans_admin_home_content() interface
Resolves: rhbz#2121125
- Update rhcd policy for executing additional commands
Resolves: rhbz#2119351
- Update insights-client policy for additional commands execution
Resolves: rhbz#2119507
- Add rpm setattr db files macro
Resolves: rhbz#2119507
- Add userdom_view_all_users_keys() interface
Resolves: rhbz#2119507
- Allow gpg read and write generic pty type
Resolves: rhbz#2119507
- Allow chronyc read and write generic pty type
Resolves: rhbz#2119507

* Wed Aug 10 2022 Nikola Knazekova - 34.1.40-1
- Allow systemd-modules-load write to /dev/kmsg and send a message to syslogd
Resolves: RHBZ#2088257
- Allow systemd_hostnamed label /run/systemd/* as hostnamed_etc_t
Resolves: RHBZ#1976684
- Allow samba-bgqd get a printer list
Resolves: rhbz#2112395
- Allow networkmanager to signal unconfined process
Resolves: RHBZ#2074414
- Update NetworkManager-dispatcher policy
Resolves: RHBZ#2101910
- Allow openvswitch search tracefs dirs
Resolves: rhbz#1988164
- Allow openvswitch use its private tmpfs files and dirs
Resolves: rhbz#1988164
- Allow openvswitch fsetid capability
Resolves: rhbz#1988164

* Tue Aug 02 2022 Nikola Knazekova - 34.1.39-1
- Add support for systemd-network-generator
Resolves: RHBZ#2111069
- Allow systemd work with install_t unix stream sockets
Resolves: rhbz#2111206
- Allow sa-update to get init status and start systemd files
Resolves: RHBZ#2061844

* Fri Jul 15 2022 Nikola Knazekova - 34.1.38-1
- Allow some domains use sd_notify()
Resolves: rhbz#2056565
- Revert "Allow rabbitmq to use systemd notify"
Resolves: rhbz#2056565
- Update winbind_rpcd_t
Resolves: rhbz#2102084
- Update chronyd_pid_filetrans() to allow create dirs
Resolves: rhbz#2101910
- Allow keepalived read the contents of the sysfs filesystem
Resolves: rhbz#2098130
- Define LIBSEPOL version 3.4-1
Resolves: rhbz#2095688

* Wed Jun 29 2022 Zdenek Pytela - 34.1.37-1
- Allow targetclid read /var/target files
Resolves: rhbz#2020169
- Update samba-dcerpcd policy for kerberos usage 2
Resolves: rhbz#2096521
- Allow samba-dcerpcd work with sssd
Resolves: rhbz#2096521
- Allow stalld set scheduling policy of kernel threads
Resolves: rhbz#2102224

* Tue Jun 28 2022 Zdenek Pytela - 34.1.36-1
- Allow targetclid read generic SSL certificates (fixed)
Resolves: rhbz#2020169
- Fix file context pattern for /var/target
Resolves: rhbz#2020169
- Use insights_client_etc_t in insights_search_config()
Resolves: rhbz#1965013

* Fri Jun 24 2022 Zdenek Pytela - 34.1.35-1
- Add the corecmd_watch_bin_dirs() interface
Resolves: rhbz#1965013
- Update rhcd policy
Resolves: rhbz#1965013
- Allow rhcd search insights configuration directories
Resolves: rhbz#1965013
- Add the kernel_read_proc_files() interface
Resolves: rhbz#1965013
- Update insights_client_filetrans_named_content()
Resolves: rhbz#2081425
- Allow transition to insights_client named content
Resolves: rhbz#2081425
- Add the insights_client_filetrans_named_content() interface
Resolves: rhbz#2081425
- Update policy for insights-client to run additional commands 3
Resolves: rhbz#2081425
- Allow insights-client execute its private memfd: objects
Resolves: rhbz#2081425
- Update policy for insights-client to run additional commands 2
Resolves: rhbz#2081425
- Use insights_client_tmp_t instead of insights_client_var_tmp_t
Resolves: rhbz#2081425
- Change space indentation to tab in insights-client
Resolves: rhbz#2081425
- Use socket permissions sets in insights-client
Resolves: rhbz#2081425
- Update policy for insights-client to run additional commands
Resolves: rhbz#2081425
- Allow init_t to rw insights_client unnamed pipe
Resolves: rhbz#2081425
- Fix insights client
Resolves: rhbz#2081425
- Update kernel_read_unix_sysctls() for sysctl_net_unix_t handling
Resolves: rhbz#2081425
- Do not let system_cronjob_t create redhat-access-insights.log with var_log_t
Resolves: rhbz#2081425
- Allow stalld get scheduling policy of kernel threads
Resolves: rhbz#2096776
- Update samba-dcerpcd policy for kerberos usage
Resolves: rhbz#2096521
- Allow winbind_rpcd_t connect to self over a unix_stream_socket
Resolves: rhbz#2096255
- Allow dlm_controld send a null signal to a cluster daemon
Resolves: rhbz#2095884
- Allow dhclient manage pid files used by chronyd
The chronyd_manage_pid_files() interface was added.
Resolves: rhbz#2094155
- Allow install_t nnp_domtrans to setfiles_mac_t
Resolves: rhbz#2073010
- Allow rabbitmq to use systemd notify
Resolves: rhbz#2056565
- Allow ksmctl create hardware state information files
Resolves: rhbz#2021131
- Label /var/target with targetd_var_t
Resolves: rhbz#2020169
- Allow targetclid read generic SSL certificates
Resolves: rhbz#2020169

* Thu Jun 09 2022 Zdenek Pytela - 34.1.34-1
- Allow stalld setsched and sys_nice
Resolves: rhbz#2092864
- Allow rhsmcertd to create cache file in /var/cache/cloud-what
Resolves: rhbz#2092333
- Update policy for samba-dcerpcd
Resolves: rhbz#2083509
- Add support for samba-dcerpcd
Resolves: rhbz#2083509
- Allow rabbitmq to access its private memfd: objects
Resolves: rhbz#2056565
- Confine targetcli
Resolves: rhbz#2020169
- Add policy for wireguard
Resolves: 1964862
- Label /var/cache/insights with insights_client_cache_t
Resolves: rhbz#2062136
- Allow ctdbd nlmsg_read on netlink_tcpdiag_socket
Resolves: rhbz#2094489
- Allow auditd_t noatsecure for a transition to audisp_remote_t
Resolves: rhbz#2081907

* Fri May 27 2022 Zdenek Pytela - 34.1.33-1
- Allow insights-client manage gpg admin home content
Resolves: rhbz#2062136
- Add the gpg_manage_admin_home_content() interface
Resolves: rhbz#2062136
- Add rhcd policy
Resolves: bz#1965013
- Allow svirt connectto virtlogd
Resolves: rhbz#2000881
- Add ksm service to ksmtuned
Resolves: rhbz#2021131
- Allow nm-privhelper setsched permission and send system logs
Resolves: rhbz#2053639
- Update the policy for systemd-journal-upload
Resolves: rhbz#2085369
- Allow systemd-journal-upload watch logs and journal
Resolves: rhbz#2085369
- Create a policy for systemd-journal-upload
Resolves: rhbz#2085369
- Allow insights-client create and use unix_dgram_socket
Resolves: rhbz#2087765
- Allow insights-client search gconf homedir
Resolves: rhbz#2087765

* Wed May 11 2022 Zdenek Pytela - 34.1.32-1
- Dontaudit guest attempts to dbus chat with systemd domains
Resolves: rhbz#2062740
- Dontaudit guest attempts to dbus chat with system bus types
Resolves: rhbz#2062740
- Fix users for SELinux userspace 3.4
Resolves: rhbz#2079290
- Removed adding to attribute unpriv_userdomain from userdom_unpriv_type template
Resolves: rhbz#2076681
- Allow systemd-sleep get removable devices attributes
Resolves: rhbz#2082404
- Allow systemd-sleep tlp_filetrans_named_content()
Resolves: rhbz#2082404
- Allow systemd-sleep execute generic programs
Resolves: rhbz#2082404
- Allow systemd-sleep execute shell
Resolves: rhbz#2082404
- Allow systemd-sleep transition to sysstat_t
Resolves: rhbz#2082404
- Allow systemd-sleep transition to tlp_t
Resolves: rhbz#2082404
- Allow systemd-sleep transition to unconfined_service_t on bin_t executables
Resolves: rhbz#2082404
- allow systemd-sleep to set timer for suspend-then-hibernate
Resolves: rhbz#2082404
- Add default fc specifications for patterns in /opt
Resolves: rhbz#2081059
- Use a named transition in systemd_hwdb_manage_config()
Resolves: rhbz#2061725

* Wed May 04 2022 Nikola Knazekova - 34.1.31-2
- Remove "v" from the package version

* Mon May 02 2022 Nikola Knazekova - v34.1.31-1
- Label /var/run/machine-id as machineid_t
Resolves: rhbz#2061680
- Allow insights-client create_socket_perms for tcp/udp sockets
Resolves: rhbz#2077377
- Allow insights-client read rhnsd config files
Resolves: rhbz#2077377
- Allow rngd drop privileges via setuid/setgid/setcap
Resolves: rhbz#2076642
- Allow tmpreaper the sys_ptrace userns capability
Resolves: rhbz#2062823
- Add stalld to modules.conf
Resolves: rhbz#2042614
- New policy for stalld
Resolves: rhbz#2042614
- Label new utility of NetworkManager nm-priv-helper
Resolves: rhbz#2053639
- Exclude container.if from selinux-policy-devel
Resolves: rhbz#1861968

* Tue Apr 19 2022 Zdenek Pytela - 34.1.30-2
- Update source branches to build a new package for RHEL 9.1.0

* Tue Apr 12 2022 Nikola Knazekova - 34.1.30-1
- Allow administrative users the bpf capability
Resolves: RHBZ#2070982
- Allow NetworkManager talk with unconfined user over unix domain dgram socket
Resolves: rhbz#2064688
- Allow hostapd talk with unconfined user over unix domain dgram socket
Resolves: rhbz#2064688
- Allow fprintd read and write hardware state information
Resolves: rhbz#2062911
- Allow fenced read kerberos key tables
Resolves: RHBZ#2060722
- Allow init watch and watch_reads user ttys
Resolves: rhbz#2060289
- Allow systemd watch and watch_reads console devices
Resolves: rhbz#2060289
- Allow nmap create and use rdma socket
Resolves: RHBZ#2059603

* Thu Mar 31 2022 Zdenek Pytela - 34.1.29-1
- Allow qemu-kvm create and use netlink rdma sockets
Resolves: rhbz#2063612
- Label corosync-cfgtool with cluster_exec_t
Resolves: rhbz#2061277

* Thu Mar 24 2022 Zdenek Pytela - 34.1.28-1
- Allow logrotate a domain transition to cluster administrative domain
Resolves: rhbz#2061277
- Change the selinuxuser_execstack boolean value to true
Resolves: rhbz#2064274