Changelog for selinux-policy-37.15-1.fc37.noarch.rpm :

* Wed Nov 23 2022 Zdenek Pytela - 37.15-1
- Revert "Allow sysadm_t read raw memory devices"
- Allow systemd-socket-proxyd get attributes of cgroup filesystems
- Allow rpc.gssd read network sysctls
- Allow winbind-rpcd get attributes of device and pty filesystems
- Allow insights-client domain transition on semanage execution
- Allow insights-client create gluster log dir with a transition
- Allow insights-client manage generic locks
- Allow insights-client unix_read all domain semaphores
- Add domain_unix_read_all_semaphores() interface
- Allow winbind-rpcd use the terminal multiplexor
- Allow mrtg send mails
- Allow systemd-hostnamed dbus chat with init scripts
- Allow sssd dbus chat with system cronjobs
- Add interface to watch all filesystems
- Add watch_sb interfaces
- Add watch interfaces
- Allow dhcpd bpf capability to run bpf programs
- Allow netutils and traceroute bpf capability to run bpf programs
- Allow pkcs_slotd_t bpf capability to run bpf programs
- Allow xdm bpf capability to run bpf programs
- Allow pcscd bpf capability to run bpf programs
- Allow lldpad bpf capability to run bpf programs
- Allow keepalived bpf capability to run bpf programs
- Allow ipsec bpf capability to run bpf programs
- Allow fprintd bpf capability to run bpf programs
- Allow systemd-socket-proxyd get filesystems attributes
- Allow dirsrv_snmp_t to manage dirsrv_config_t & dirsrv_var_run_t files

* Tue Nov 01 2022 Zdenek Pytela - 37.14-1
- Allow systemd-gpt-generator raw write to a fixed disk
- Allow rotatelogs read httpd_log_t symlinks
- Add winbind-rpcd to samba_enable_home_dirs boolean
- Allow system cronjobs dbus chat with setroubleshoot
- Allow setroubleshootd read device sysctls
- Allow virt_domain read device sysctls
- Allow rhcd compute selinux access vector
- Allow insights-client manage samba var dirs
- Label ports 10161-10162 tcp/udp with snmp
- Allow aide to connect to systemd_machined with a unix socket.
- Allow samba-dcerpcd use NSCD services over a unix stream socket
- Allow vlock search the contents of the /dev/pts directory
- Allow insights-client send null signal to rpm and system cronjob
- Label port 15354/tcp and 15354/udp with opendnssec
- Allow ftpd map ftpd_var_run files
- Allow targetclid to manage tmp files
- Allow insights-client connect to postgresql with a unix socket
- Allow insights-client domtrans on unix_chkpwd execution
- Add file context entries for insights-client and rhc
- Allow pulseaudio create gnome content (~/.config)
- Allow login_userdomain dbus chat with rhsmcertd
- Allow sbd the sys_ptrace capability
- Allow ptp4l_t name_bind ptp_event_port_t

* Mon Oct 03 2022 Zdenek Pytela - 37.13-1
- Remove the ipa module
- Allow sss daemons read/write unnamed pipes of cloud-init
- Allow postfix_mailqueue create and use unix dgram sockets
- Allow xdm watch user home directories
- Allow nm-dispatcher ddclient plugin load a kernel module
- Stop ignoring standalone interface files
- Drop cockpit module
- Allow init map its private tmp files
- Allow xenstored change its hard resource limits
- Allow system_mail_t read network sysctls
- Add bgpd sys_chroot capability

* Fri Sep 23 2022 Zdenek Pytela - 37.12-2
- Update make-rhat-patches.sh file to use the f37 dist-git branch in F37

* Thu Sep 22 2022 Zdenek Pytela - 37.12-1
- nut-upsd: kernel_read_system_state, fs_getattr_cgroup
- Add numad the ipc_owner capability
- Allow gst-plugin-scanner read virtual memory sysctls
- Allow init read/write inherited user fifo files
- Update dnssec-trigger policy: setsched, module_request
- Added policy for systemd-socket-proxyd
- Add the new 'cmd' permission to the 'io_uring' class
- Allow winbind-rpcd read and write its key ring
- Label /run/NetworkManager/no-stub-resolv.conf net_conf_t
- blueman-mechanism can read ~/.local/lib/python*/site-packages directory
- pidof executed by abrt can readlink /proc/*/exe
- Fix typo in comment
- Do not run restorecon /etc/NetworkManager/dispatcher.d in mls and minimum

* Wed Sep 14 2022 Zdenek Pytela - 37.11-1
- Allow tor get filesystem attributes
- Allow utempter append to login_userdomain stream
- Allow login_userdomain accept a stream connection to XDM
- Allow login_userdomain write to boltd named pipes
- Allow staff_u and user_u users write to bolt pipe
- Allow login_userdomain watch various directories
- Update rhcd policy for executing additional commands 5
- Update rhcd policy for executing additional commands 4
- Allow rhcd create rpm hawkey logs with correct label
- Allow systemd-gpt-auto-generator to check for empty dirs
- Update rhcd policy for executing additional commands 3
- Allow journalctl read rhcd fifo files
- Update insights-client policy for additional commands execution 5
- Allow init remount all file_type filesystems
- Confine insights-client systemd unit
- Update insights-client policy for additional commands execution 4
- Allow pcp pmcd search tracefs and acct_data dirs
- Allow httpd read network sysctls
- Dontaudit domain map permission on directories
- Revert "Allow X userdomains to mmap user_fonts_cache_t dirs"
- Revert "Allow xdm_t domain to mmap /var/lib/gdm/.cache/fontconfig BZ(1725509)"
- Update insights-client policy for additional commands execution 3
- Allow systemd permissions needed for sandboxed services
- Add rhcd module
- Make dependency on rpm-plugin-selinux unordered

* Fri Sep 02 2022 Zdenek Pytela - 37.10-1
- Allow ipsec_t read/write tpm devices
- Allow rhcd execute all executables
- Update rhcd policy for executing additional commands 2
- Update insights-client policy for additional commands execution 2
- Allow sysadm_t read raw memory devices
- Allow chronyd send and receive chronyd/ntp client packets
- Allow ssh client read kerberos homedir config files
- Label /var/log/rhc-worker-playbook with rhcd_var_log_t
- Update insights-client policy (auditctl, gpg, journal)
- Allow system_cronjob_t domtrans to rpm_script_t
- Allow smbd_t process noatsecure permission for winbind_rpcd_t
- Update tor_bind_all_unreserved_ports interface
- Allow chronyd bind UDP sockets to ptp_event ports.
- Allow unconfined and sysadm users transition for /root/.gnupg
- Add gpg_filetrans_admin_home_content() interface
- Update rhcd policy for executing additional commands
- Update insights-client policy for additional commands execution
- Add userdom_view_all_users_keys() interface
- Allow gpg read and write generic pty type
- Allow chronyc read and write generic pty type
- Allow system_dbusd ioctl kernel with a unix stream sockets
- Allow samba-bgqd to read a printer list
- Allow stalld get and set scheduling policy of all domains.
- Allow unconfined_t transition to targetclid_home_t

* Thu Aug 11 2022 Zdenek Pytela - 37.9-1
- Allow nm-dispatcher custom plugin dbus chat with nm
- Allow nm-dispatcher sendmail plugin get status of systemd services
- Allow xdm read the kernel key ring
- Allow login_userdomain check status of mount units
- Allow postfix/smtp and postfix/virtual read kerberos key table
- Allow services execute systemd-notify
- Do not allow login_userdomain use sd_notify()
- Allow launch-xenstored read filesystem sysctls
- Allow systemd-modules-load write to /dev/kmsg and send a message to syslogd
- Allow openvswitch fsetid capability
- Allow openvswitch use its private tmpfs files and dirs
- Allow openvswitch search tracefs dirs
- Allow pmdalinux read files on an nfsd filesystem
- Allow winbind-rpcd write to winbind pid files
- Allow networkmanager to signal unconfined process
- Allow systemd_hostnamed label /run/systemd/* as hostnamed_etc_t
- Allow samba-bgqd get a printer list
- fix(init.fc): Fix section description
- Allow fedora-third-party read the passwords file
- Remove permissive domain for rhcd_t
- Allow pmie read network state information and network sysctls
- Revert "Dontaudit domain the fowner capability"
- Allow sysadm_t to run bpftool on the userdomain attribute
- Add the userdom_prog_run_bpf_userdomain() interface
- Allow insights-client rpm named file transitions
- Add /var/tmp/insights-archive to insights_client_filetrans_named_content

* Mon Aug 01 2022 Zdenek Pytela - 37.8-1
- Allow sa-update to get init status and start systemd files
- Use insights_client_filetrans_named_content
- Make default file context match with named transitions
- Allow nm-dispatcher tlp plugin send system log messages
- Allow nm-dispatcher tlp plugin create and use unix_dgram_socket
- Add permissions to manage lnk_files into gnome_manage_home_config
- Allow rhsmcertd to read insights config files
- Label /etc/insights-client/machine-id
- fix(devices.fc): Replace single quote in comment to solve parsing issues
- Make NetworkManager_dispatcher_custom_t an unconfined domain

* Sat Jul 23 2022 Fedora Release Engineering - 37.7-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild

* Thu Jul 14 2022 Zdenek Pytela - 37.7-1
- Update winbind_rpcd_t
- Allow some domains use sd_notify()
- Revert "Allow rabbitmq to use systemd notify"
- fix(sedoctool.py): Fix syntax warning: "is not" with a literal
- Allow nm-dispatcher console plugin manage etc files
- Allow networkmanager_dispatcher_plugin list NetworkManager_etc_t dirs
- Allow nm-dispatcher console plugin setfscreate
- Support using systemd-update-helper in rpm scriptlets
- Allow nm-dispatcher winbind plugin read samba config files
- Allow domain use userfaultfd over all domains
- Allow cups-lpd read network sysctls

* Wed Jun 29 2022 Zdenek Pytela - 37.6-1
- Allow stalld set scheduling policy of kernel threads
- Allow targetclid read /var/target files
- Allow targetclid read generic SSL certificates (fixed)
- Allow firewalld read the contents of the sysfs filesystem
- Fix file context pattern for /var/target
- Use insights_client_etc_t in insights_search_config()
- Allow nm-dispatcher ddclient plugin handle systemd services
- Allow nm-dispatcher winbind plugin run smbcontrol
- Allow nm-dispatcher custom plugin create and use unix dgram socket
- Update samba-dcerpcd policy for kerberos usage 2
- Allow keepalived read the contents of the sysfs filesystem
- Allow amandad read network sysctls
- Allow cups-lpd read network sysctls
- Allow kpropd read network sysctls
- Update insights_client_filetrans_named_content()
- Allow rabbitmq to use systemd notify
- Label /var/target with targetd_var_t
- Allow targetclid read generic SSL certificates
- Update rhcd policy
- Allow rhcd search insights configuration directories
- Add the kernel_read_proc_files() interface
- Require policycoreutils >= 3.4-1
- Add a script for enclosing interfaces in ifndef statements
- Disable rpm verification on interface_info

* Wed Jun 22 2022 Zdenek Pytela - 37.5-1
- Allow transition to insights_client named content
- Add the insights_client_filetrans_named_content() interface
- Update policy for insights-client to run additional commands 3
- Allow dhclient manage pid files used by chronyd
- Allow stalld get scheduling policy of kernel threads
- Allow samba-dcerpcd work with sssd
- Allow dlm_controld send a null signal to a cluster daemon
- Allow ksmctl create hardware state information files
- Allow winbind_rpcd_t connect to self over a unix_stream_socket
- Update samba-dcerpcd policy for kerberos usage
- Allow insights-client execute its private memfd: objects
- Update policy for insights-client to run additional commands 2
- Use insights_client_tmp_t instead of insights_client_var_tmp_t
- Change space indentation to tab in insights-client
- Use socket permissions sets in insights-client
- Update policy for insights-client to run additional commands
- Change rpm_setattr_db_files() to use a pattern
- Allow init_t to rw insights_client unnamed pipe
- Add rpm setattr db files macro
- Fix insights client
- Update kernel_read_unix_sysctls() for sysctl_net_unix_t handling
- Allow rabbitmq to access its private memfd: objects
- Update policy for samba-dcerpcd
- Allow stalld setsched and sys_nice

* Tue Jun 07 2022 Zdenek Pytela - 37.4-1
- Allow auditd_t noatsecure for a transition to audisp_remote_t
- Allow ctdbd nlmsg_read on netlink_tcpdiag_socket
- Allow pcp_domain execute its private memfd: objects
- Add support for samba-dcerpcd
- Add policy for wireguard
- Confine targetcli
- Allow systemd work with install_t unix stream sockets
- Allow iscsid the sys_ptrace userns capability
- Allow xdm connect to unconfined_service_t over a unix stream socket

* Fri May 27 2022 Zdenek Pytela - 37.3-1
- Allow nm-dispatcher custom plugin execute systemctl
- Allow nm-dispatcher custom plugin dbus chat with nm
- Allow nm-dispatcher custom plugin create and use udp socket
- Allow nm-dispatcher custom plugin create and use netlink_route_socket
- Use create_netlink_socket_perms in netlink_route_socket class permissions
- Add support for nm-dispatcher sendmail scripts
- Allow sslh net_admin capability
- Allow insights-client manage gpg admin home content
- Add the gpg_manage_admin_home_content() interface
- Allow rhsmcertd create generic log files
- Update logging_create_generic_logs() to use create_files_pattern()
- Label /var/cache/insights with insights_client_cache_t
- Allow insights-client search gconf homedir
- Allow insights-client create and use unix_dgram_socket
- Allow blueman execute its private memfd: files
- Move the chown call into make-srpm.sh

* Fri May 06 2022 Zdenek Pytela - 37.2-1
- Use the networkmanager_dispatcher_plugin attribute in allow rules
- Make a custom nm-dispatcher plugin transition
- Label port 4784/tcp and 4784/udp with bfd_multi
- Allow systemd watch and watch_reads user ptys
- Allow sblim-gatherd the kill capability
- Label more vdsm utils with virtd_exec_t
- Add ksm service to ksmtuned
- Add rhcd policy
- Dontaudit guest attempts to dbus chat with systemd domains
- Dontaudit guest attempts to dbus chat with system bus types
- Use a named transition in systemd_hwdb_manage_config()
- Add default fc specifications for patterns in /opt
- Add the files_create_etc_files() interface
- Allow nm-dispatcher console plugin create and write files in /etc
- Allow nm-dispatcher console plugin transition to the setfiles domain
- Allow more nm-dispatcher plugins append to init stream sockets
- Allow nm-dispatcher tlp plugin dbus chat with nm
- Reorder networkmanager_dispatcher_plugin_template() calls
- Allow svirt connectto virtlogd
- Allow blueman map its private memfd: files
- Allow sysadm user execute init scripts with a transition
- Allow sblim-sfcbd connect to sblim-reposd stream
- Allow keepalived_unconfined_script_t dbus chat with init
- Run restorecon with "-i" not to report errors

* Mon May 02 2022 Zdenek Pytela - 37.1-1
- Fix users for SELinux userspace 3.4
- Label /var/run/machine-id as machineid_t
- Add stalld to modules.conf
- Use files_tmpfs_file() for rhsmcertd_tmpfs_t
- Allow blueman read/write its private memfd: objects
- Allow insights-client read rhnsd config files
- Allow insights-client create_socket_perms for tcp/udp sockets

* Tue Apr 26 2022 Zdenek Pytela - 36.8-1
- Allow nm-dispatcher chronyc plugin append to init stream sockets
- Allow tmpreaper the sys_ptrace userns capability
- Label /usr/libexec/vdsm/supervdsmd and vdsmd with virtd_exec_t
- Allow nm-dispatcher tlp plugin read/write the wireless device
- Allow nm-dispatcher tlp plugin append to init socket
- Allow nm-dispatcher tlp plugin be client of a system bus
- Allow nm-dispatcher list its configuration directory
- Ecryptfs-private support
- Allow colord map /var/lib directories
- Allow ntlm_auth read the network state information
- Allow insights-client search rhnsd configuration directory

* Thu Apr 21 2022 Zdenek Pytela - 36.7-3
- Add support for nm-dispatcher tlp-rdw scripts
- Update github actions to satisfy git 2.36 stricter rules
- New policy for stalld
- Allow colord read generic files in /var/lib
- Allow xdm mounton user temporary socket files
- Allow systemd-gpt-auto-generator create and use netlink_kobject_uevent_socket
- Allow sssd domtrans to pkcs_slotd_t
- Allow keepalived setsched and sys_nice
- Allow xdm map generic files in /var/lib
- Allow xdm read generic symbolic links in /var/lib
- Allow pppd create a file in the locks directory
- Add file map permission to lpd_manage_spool() interface
- Allow system dbus daemon watch generic directories in /var/lib
- Allow pcscd the sys_ptrace userns capability
- Add the corecmd_watch_bin_dirs() interface

* Thu Apr 21 2022 Zdenek Pytela - 36.7-2
- Relabel explicitly some dirs in %posttrans scriptlets

* Thu Apr 21 2022 Zdenek Pytela - 36.7-1
- Add stalld module to modules-targeted-contrib.conf

* Mon Apr 04 2022 Zdenek Pytela - 36.6-1
- Add support for systemd-network-generator
- Add the io_uring class
- Allow nm-dispatcher dhclient plugin append to init stream sockets
- Relax the naming pattern for systemd private shared libraries
- Allow nm-dispatcher iscsid plugin append to init socket
- Add the init_append_stream_sockets() interface
- Allow nm-dispatcher dnssec-trigger script to execute pidof
- Add support for nm-dispatcher dnssec-trigger scripts
- Allow chronyd talk with unconfined user over unix domain dgram socket
- Allow fenced read kerberos key tables
- Add support for nm-dispatcher ddclient scripts
- Add systemd_getattr_generic_unit_files() interface
- Allow fprintd read and write hardware state information
- Allow exim watch generic certificate directories
- Remove duplicate fc entries for corosync and corosync-notifyd
- Label corosync-cfgtool with cluster_exec_t
- Allow qemu-kvm create and use netlink rdma sockets
- Allow logrotate a domain transition to cluster administrative domain

* Fri Mar 18 2022 Zdenek Pytela - 36.5-1
- Add support for nm-dispatcher console helper scripts
- Allow nm-dispatcher plugins read its directory and sysfs
- Do not let system_cronjob_t create redhat-access-insights.log with var_log_t
- devices: Add a comment about cardmgr_dev_t
- Add basic policy for BinderFS
- Label /var/run/ecblp0 pipe with cupsd_var_run_t
- Allow rpmdb create directory in /usr/lib/sysimage
- Allow rngd drop privileges via setuid/setgid/setcap
- Allow init watch and watch_reads user ttys
- Allow systemd-logind dbus chat with sosreport
- Allow chronyd send a message to sosreport over datagram socket
- Remove unnecessary /etc file transitions for insights-client
- Label all content in /var/lib/insights with insights_client_var_lib_t
- Update insights-client policy

* Wed Feb 23 2022 Zdenek Pytela - 36.4-2
- Add insights_client module to modules-targeted-contrib.conf

* Wed Feb 23 2022 Zdenek Pytela - 36.4-1
- Update NetworkManager-dispatcher cloud and chronyc policy
- Update insights-client: fc pattern, motd, writing to etc
- Allow systemd-sysctl read the security state information
- Allow init create and mounton to support PrivateDevices
- Allow sosreport dbus chat abrt systemd timedatex

* Tue Feb 22 2022 Zdenek Pytela - 36.3-2
- Update specfile to buildrequire policycoreutils-devel >= 3.3-4
- Add modules_checksum to %files

* Thu Feb 17 2022 Zdenek Pytela - 36.3-1
- Update NetworkManager-dispatcher policy to use scripts
- Allow init mounton kernel messages device
- Revert "Make dbus-broker service working on s390x arch"
- Remove permissive domain for insights_client_t
- Allow userdomain read symlinks in /var/lib
- Allow iptables list cgroup directories
- Dontaudit mdadm list dirsrv tmpfs dirs
- Dontaudit dirsrv search filesystem sysctl directories
- Allow chage domtrans to sssd
- Allow postfix_domain read dovecot certificates
- Allow systemd-networkd create and use netlink netfilter socket
- Allow nm-dispatcher read nm-dispatcher-script symlinks
- filesystem.te: add genfscon rule for ntfs3 filesystem
- Allow rhsmcertd get attributes of cgroup filesystems
- Allow sandbox_web_client_t watch various dirs
- Exclude container.if from policy devel files
- Run restorecon on /usr/lib/sysimage/rpm instead of /var/lib/rpm

* Fri Feb 11 2022 Zdenek Pytela - 36.2-1
- Allow sysadm_passwd_t to relabel passwd and group files
- Allow confined sysadmin to use tool vipw
- Allow login_userdomain map /var/lib/directories
- Allow login_userdomain watch library and fonts dirs
- Allow login_userdomain watch system configuration dirs
- Allow login_userdomain read systemd runtime files
- Allow ctdb create cluster logs
- Allow alsa bind mixer controls to led triggers
- New policy for insights-client
- Add mctp_socket security class and access vectors
- Fix koji repo URL pattern
- Update chronyd_pid_filetrans() to allow create dirs
- Update NetworkManager-dispatcher policy
- Allow unconfined to run virtd bpf
- Allow nm-privhelper setsched permission and send system logs
- Add the map permission to common_anon_inode_perm permission set
- Rename userfaultfd_anon_inode_perms to common_inode_perms
- Allow confined users to use kinit, klist, etc.
- Allow rhsmcertd create rpm hawkey logs with correct label

* Thu Feb 03 2022 Zdenek Pytela - 36.1-1
- Label exFAT utilities at /usr/sbin
- policy/modules/contrib: Support /usr/lib/sysimage/rpm as the rpmdb path
- Enable genfs_seclabel_symlinks policy capability
- Sync policy/policy_capabilities with refpolicy
- refpolicy: drop unused socket security classes
- Label new utility of NetworkManager nm-priv-helper
- Label NetworkManager-dispatcher service with separate context
- Allow sanlock get attributes of filesystems with extended attributes
- Associate stratisd_data_t with device filesystem
- Allow init read stratis data symlinks

* Tue Feb 01 2022 Zdenek Pytela - 35.13-1
- Allow systemd services watch dbusd pid directory and its parents
- Allow ModemManager connect to the unconfined user domain
- Label /dev/wwan.+ with modem_manager_t
- Allow alsactl set group Process ID of a process
- Allow domtrans to sssd_t and role access to sssd
- Creating interface sssd_run_sssd()
- Label utilities for exFAT filesystems with fsadm_exec_t
- Label /dev/nvme-fabrics with fixed_disk_device_t
- Allow init delete generic tmp named pipes
- Allow timedatex dbus chat with xdm

* Wed Jan 26 2022 Zdenek Pytela - 35.12-1
- Fix badly indented used interfaces
- Allow domain transition to sssd_t
- Dontaudit sfcbd sys_ptrace cap_userns
- Label /var/lib/plocate with locate_var_lib_t
- Allow hostapd talk with unconfined user over unix domain dgram socket
- Allow NetworkManager talk with unconfined user over unix domain dgram socket
- Allow system_mail_t read inherited apache system content rw files
- Add apache_read_inherited_sys_content_rw_files() interface
- Allow rhsm-service execute its private memfd: objects
- Allow dirsrv read configfs files and directories
- Label /run/stratisd with stratisd_var_run_t
- Allow tumblerd write to session_dbusd tmp socket files

* Wed Jan 19 2022 Zdenek Pytela - 35.11-1
- Revert "Label /etc/cockpit/ws-certs.d with cert_t"
- Allow login_userdomain write to session_dbusd tmp socket files
- Label /var/run/user/%{USERID}/dbus with session_dbusd_tmp_t

* Mon Jan 17 2022 Zdenek Pytela - 35.10-1
- Allow login_userdomain watch systemd-machined PID directories
- Allow login_userdomain watch systemd-logind PID directories
- Allow login_userdomain watch accountsd lib directories
- Allow login_userdomain watch localization directories
- Allow login_userdomain watch various files and dirs
- Allow login_userdomain watch generic directories in /tmp
- Allow rhsm-service read/write its private memfd: objects
- Allow radiusd connect to the radacct port
- Allow systemd-io-bridge ioctl rpm_script_t
- Allow systemd-coredump userns capabilities and root mounton
- Allow systemd-coredump read and write usermodehelper state
- Allow login_userdomain create session_dbusd tmp socket files
- Allow gkeyringd_domain write to session_dbusd tmp socket files
- Allow systemd-logind delete session_dbusd tmp socket files
- Allow gdm-x-session write to session dbus tmp sock files
- Label /etc/cockpit/ws-certs.d with cert_t
- Allow kpropd get attributes of cgroup filesystems
- Allow administrative users the bpf capability
- Allow sysadm_t start and stop transient services
- Connect triggerin to pcre2 instead of pcre

* Wed Jan 12 2022 Zdenek Pytela - 35.9-1
- Allow sshd read filesystem sysctl files
- Revert "Allow sshd read sysctl files"
- Allow tlp read its systemd unit
- Allow gssproxy access to various system files.
- Allow gssproxy read, write, and map ica tmpfs files
- Allow gssproxy read and write z90crypt device
- Allow sssd_kcm read and write z90crypt device
- Allow smbcontrol read the network state information
- Allow virt_domain map vhost devices
- Allow fcoemon request the kernel to load a module
- Allow sshd read sysctl files
- Ensure that `/run/systemd/*` are properly labeled
- Allow admin userdomains use socketpair()
- Change /run/user/[0-9]+ to /run/user/%{USERID} for proper labeling
- Allow lldpd connect to snmpd with a unix domain stream socket
- Dontaudit pkcsslotd sys_admin capability

* Thu Dec 23 2021 Zdenek Pytela - 35.8-1
- Allow haproxy get attributes of filesystems with extended attributes
- Allow haproxy get attributes of cgroup filesystems
- Allow sysadm execute sysadmctl in sysadm_t domain using sudo
- Allow userdomains use pam_ssh_agent_auth for passwordless sudo
- Allow sudodomains execute passwd in the passwd domain
- Allow braille printing in selinux
- Allow sandbox_xserver_t map sandbox_file_t
- Label /dev/ngXnY and /dev/nvme-subsysX with fixed_disk_device_t
- Add hwtracing_device_t type for hardware-level tracing and debugging
- Label port 9528/tcp with openqa_liveview
- Label /var/lib/shorewall6-lite with shorewall_var_lib_t
- Document Security Flask model in the policy

* Fri Dec 10 2021 Zdenek Pytela - 35.7-1
- Allow systemd read unlabeled symbolic links
- Label abrt-action-generate-backtrace with abrt_handle_event_exec_t
- Allow dnsmasq watch /etc/dnsmasq.d directories
- Allow rhsmcertd get attributes of tmpfs_t filesystems
- Allow lldpd use an snmp subagent over a tcp socket
- Allow xdm watch generic directories in /var/lib
- Allow login_userdomain open/read/map system journal
- Allow sysadm_t connect to cluster domains over a unix stream socket
- Allow sysadm_t read/write pkcs shared memory segments
- Allow sysadm_t connect to sanlock over a unix stream socket
- Allow sysadm_t dbus chat with sssd
- Allow sysadm_t set attributes on character device nodes
- Allow sysadm_t read and write watchdog devices
- Allow smbcontrol use additional socket types
- Allow cloud-init dbus chat with systemd-logind
- Allow svnserve send mail from the system
- Update userdom_exec_user_tmp_files() with an entrypoint rule
- Allow sudodomain send a null signal to sshd processes

* Fri Nov 19 2021 Zdenek Pytela - 35.6-1
- Allow PID 1 and dbus-broker IPC with a systemd user session
- Allow rpmdb read generic SSL certificates
- Allow rpmdb read admin home config files
- Report warning on duplicate definition of interface
- Allow redis get attributes of filesystems with extended attributes
- Allow sysadm_t dbus chat with realmd_t
- Make cupsd_lpd_t a daemon
- Allow tlp dbus-chat with NetworkManager
- filesystem: add fs_use_trans for ramfs
- Allow systemd-logind destroy unconfined user's IPC objects

* Thu Nov 04 2021 Zdenek Pytela - 35.5-1
- Support sanlock VG automated recovery on storage access loss 2/2
- Support sanlock VG automated recovery on storage access loss 1/2
- Revert "Support sanlock VG automated recovery on storage access loss"
- Allow tlp get service units status
- Allow fedora-third-party manage 3rd party repos
- Allow xdm_t nnp_transition to login_userdomain
- Add the auth_read_passwd_file() interface
- Allow redis-sentinel execute a notification script
- Allow fetchmail search cgroup directories
- Allow lvm_t to read/write devicekit disk semaphores
- Allow devicekit_disk_t to use /dev/mapper/control
- Allow devicekit_disk_t to get IPC info from the kernel
- Allow devicekit_disk_t to read systemd-logind pid files
- Allow devicekit_disk_t to mount filesystems on mnt_t directories
- Allow devicekit_disk_t to manage mount_var_run_t files
- Allow rasdaemon sys_admin capability to verify the CAP_SYS_ADMIN of the soft_offline_page function implemented in the kernel
- Use $releasever in koji repo to reduce rawhide hardcoding
- authlogin: add fcontext for tcb
- Add erofs as a SELinux capable file system
- Allow systemd execute user bin files
- Support sanlock VG automated recovery on storage access loss
- Support new PING_CHECK health checker in keepalived

* Wed Oct 20 2021 Zdenek Pytela - 35.4-1
- Allow fedora-third-party map generic cache files
- Add gnome_map_generic_cache_files() interface
- Add files_manage_var_lib_dirs() interface
- Allow fedora-third-party manage gpg keys
- Allow fedora-third-party run "flatpak remote-add --from flathub"

* Tue Oct 19 2021 Zdenek Pytela - 35.3-1
- Allow fedora-third-party run flatpak post-install actions
- Allow fedora-third-party set_setsched and sys_nice

* Mon Oct 18 2021 Zdenek Pytela - 35.2-1
- Allow fedora-third-party execute "flatpak remote-add"
- Add files_manage_var_lib_files() interface
- Add write permission to userfaultfd_anon_inode_perms
- Allow proper function sosreport via iotop
- Allow proper function sosreport in sysadmin role
- Allow fedora-third-party to connect to the system log service
- Allow fedora-third-party dbus chat with policykit
- Allow chrony-wait service start with DynamicUser=yes
- Allow management of lnk_files if similar access to regular files
- Allow unconfined_t transition to mozilla_plugin_t with NoNewPrivileges
- Allow systemd-resolved watch /run/systemd
- Allow fedora-third-party create and use unix_dgram_socket
- Removing pkcs_tmpfs_filetrans interface and edit pkcs policy files
- Allow login_userdomain named filetrans to pkcs_slotd_tmpfs_t domain

* Thu Oct 07 2021 Zdenek Pytela - 35.1-1
- Add fedoratp module
- Allow xdm_t domain transition to fedoratp_t
- Allow ModemManager create and use netlink route socket
- Add default file context for /run/gssproxy.default.sock
- Allow xdm_t watch fonts directories
- Allow xdm_t watch generic directories in /lib
- Allow xdm_t watch generic pid directories

* Thu Sep 23 2021 Zdenek Pytela - 34.21-1
- Add bluetooth-related permissions into a tunable block
- Allow gnome at-spi processes create and use stream sockets
- Allow usbmuxd get attributes of tmpfs_t filesystems
- Allow fprintd install a sleep delay inhibitor
- Allow collectd get attributes of infiniband devices
- Allow collectd create and use netlink rdma socket
- Allow collectd map packet_socket
- Allow snort create and use bluetooth socket
- Allow systemd watch and watch_reads console devices
- Allow snort create and use generic netlink socket
- Allow NetworkManager dbus chat with fwupd
- Allow unconfined domains read/write domain perf_events
- Allow scripts to enter LUKS password
- Update mount_manage_pid_files() to use manage_files_pattern
- Support hitless reloads feature in haproxy
- Allow haproxy list the sysfs directories content
- Allow gnome at-spi processes get attributes of tmpfs filesystems
- Allow unbound connectto unix_stream_socket
- Allow rhsmcertd_t dbus chat with anaconda install_t

* Thu Sep 16 2021 Zdenek Pytela - 34.20-1
- Clean up unused code
- Fix typo in the gnome_exec_atspi() interface summary
- Allow xdm execute gnome-atspi services
- Allow gnome at-spi processes execute dbus-daemon in caller domain
- Allow xdm watch dbus configuration
- Allow xdm execute dbus-daemon in the caller domain
- Revert "Allow xdm_t transition to system_dbusd_t"
- Allow at-spi-bus-launcher read and map xdm pid files
- Allow dhcpcd set its resource limits
- Allow systemd-sleep get removable devices attributes
- Allow usbmuxd get attributes of fs_t filesystems

* Thu Sep 09 2021 Zdenek Pytela - 34.19-1
- Update the dhcp client local policy
- Allow firewalld load kernel modules
- Allow postfix_domain to sendto unix dgram sockets.
- Allow systemd watch unallocated ttys

* Tue Sep 07 2021 Zdenek Pytela - 34.18-1
- Allow ModemManager create a qipcrtr socket
- Allow ModemManager request to load a kernel module
- Label /usr/sbin/virtproxyd as virtd_exec_t
- Allow communication between at-spi and gdm processes
- Update ica_filetrans_named_content() with create_file_perms
- Fix the gnome_atspi_domtrans() interface summary

* Fri Aug 27 2021 Zdenek Pytela - 34.17-5
- Add ica module to modules-targeted-contrib.conf

* Fri Aug 27 2021 Zdenek Pytela - 34.17-4
- Add trailing \ to the relabel() block which is needed even in a comment

* Fri Aug 27 2021 Zdenek Pytela - 34.17-3
- Add ica module to modules-targeted.conf

* Fri Aug 27 2021 Zdenek Pytela - 34.17-2
- Relabel /var/lib/rpm explicitly
- Revert "Relabel /dev/dma_heap explicitly"

* Fri Aug 27 2021 Zdenek Pytela - 34.17-1- Add support for at-spi- Add permissions for system dbus processes- Allow various domains work with ICA crypto accelerator- Add ica module- Revert \"Support using ICA crypto accelerator on s390x arch\"- Allow systemd to delete fwupd var cache files- Allow vmtools_unconfined_t domain transition to rpm_script_t- Allow dirsrv read slapd tmpfs files- Revert \"Label /dev/shm/dirsrv/ with dirsrv_tmpfs_t label\"- Rename samba_exec() to samba_exec_net()- Support using ICA crypto accelerator on s390x arch- Allow systemd delete /run/systemd/default-hostname- Allow tcpdump read system state information in /proc- Allow rhsmcertd to create cache file in /var/cache/cloud-what- Allow D-bus communication between avahi and sosreport- Label /usr/libexec/gdm-runtime-config with xdm_exec_t- Allow lldpad send to kdumpctl over a unix dgram socket- Revert \"Allow lldpad send to kdump over a unix dgram socket\"- Allow chronyc respond to a user chronyd instance- Allow ptp4l respond to pmc- Allow lldpad send to unconfined_t over a unix dgram socket- Allow sssd to set samba setting
* Thu Aug 12 2021 Zdenek Pytela - 34.16-1- Allow systemd-timesyncd watch system dbus pid socket files- Allow firewalld drop capabilities- Allow rhsmcertd execute gpg- Allow lldpad send to kdump over a unix dgram socket- Allow systemd-gpt-auto-generator read udev pid files- Set default file context for /sys/firmware/efi/efivars- Allow tcpdump run as a systemd service- Allow nmap create and use netlink generic socket- Allow nscd watch system db files in /var/db- Allow cockpit_ws_t get attributes of fs_t filesystems- Allow sysadm acces to kernel module resources- Allow sysadm to read/write scsi files and manage shadow- Allow sysadm access to files_unconfined and bind rpc ports- Allow sysadm read and view kernel keyrings- Allow journal mmap and read var lib files- Allow tuned to read rhsmcertd config files- Allow bootloader to read tuned etc files- Label /usr/bin/qemu-storage-daemon with virtd_exec_t
* Fri Aug 06 2021 Zdenek Pytela - 34.15-1- Disable seccomp on CI containers- Allow systemd-machined stop generic service units- Allow virtlogd_t read process state of user domains- Add \"/\" at the beginning of dev/shm/var\\.lib\\.opencryptoki.
* regexp- Label /dev/crypto/nx-gzip with accelerator_device_t- Update the policy for systemd-journal-upload- Allow unconfined domains to bpf all other domains- Confine rhsm service and rhsm-facts service as rhsmcertd_t- Allow fcoemon talk with unconfined user over unix domain datagram socket- Allow abrt_domain read and write z90crypt device- Allow mdadm read iscsi pid files- Change dev_getattr_infiniband_dev() to use getattr_chr_files_pattern()- Label /usr/lib/pcs/pcs_snmp_agent with cluster_exec_t- Allow hostapd bind UDP sockets to the dhcpd port- Unconfined domains should not be confined
* Fri Jul 23 2021 Fedora Release Engineering - 34.14-2- Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild
* Wed Jul 14 2021 Zdenek Pytela - 34.14-1- Revert \"update libs_filetrans_named_content() to have support for /usr/lib/debug directory\"- Remove references to init_watch_path_type attribute- Remove all redundant watch permissions for systemd- Allow systemd watch non_security_file_type dirs, files, lnk_files- Removed adding to attribute unpriv_userdomain from userdom_unpriv_type template- Allow bacula get attributes of cgroup filesystems- Allow systemd-journal-upload watch logs and journal- Create a policy for systemd-journal-upload- Allow tcpdump and nmap get attributes of infiniband_device_t- Allow arpwatch get attributes of infiniband_device_t devices- Label /dev/wmi/dell-smbios as acpi_device_t
* Thu Jul 01 2021 Zdenek Pytela - 34.13-1- Allow radius map its library files- Allow nftables read NetworkManager unnamed pipes- Allow logrotate rotate container log files
* Tue Jun 22 2021 Zdenek Pytela - 34.12-2- Add a systemd service to check that SELinux is disabled properly- specfile: Add unowned dir to the macro- Relabel /dev/dma_heap explicitly
* Mon Jun 21 2021 Zdenek Pytela - 34.12-1- Label /dev/dma_heap/
* char devices with dma_device_t- Revert \"Label /dev/dma_heap/
* char devices with dma_device_t\"- Revert \"Label /dev/dma_heap with dma_device_dir_t\"- Revert \"Associate dma_device_dir_t with device filesystem\"- Add the lockdown integrity permission to dev_map_userio_dev()- Allow systemd-modules-load read/write tracefs files- Allow sssd watch /run/systemd- Label /usr/bin/arping plain file with netutils_exec_t- Label /run/fsck with fsadm_var_run_t- Label /usr/bin/Xwayland with xserver_exec_t- Allow systemd-timesyncd watch dbus runtime dir- Allow asterisk watch localization files- Allow iscsid read all process stat- iptables.fc: Add missing legacy-restore and legacy-save entries- Label /run/libvirt/common with virt_common_var_run_t- Label /.k5identity file allow read of this file to rpc.gssd- Make usbmuxd_t a daemon
* Wed Jun 09 2021 Zdenek Pytela - 34.11-1- Allow sanlock get attributes of cgroup filesystems- Associate dma_device_dir_t with device filesystem- Set default file context for /var/run/systemd instead of /run/systemd- Allow nmap create and use rdma socket- Allow pkcs-slotd create and use netlink_kobject_uevent_socket
* Sun Jun 06 2021 Zdenek Pytela - 34.10-1- Allow using opencryptoki for ipsec- Allow using opencryptoki for certmonger- Label var.lib.opencryptoki.
* files and create pkcs_tmpfs_filetrans()- Label /dev/dma_heap with dma_device_dir_t- Allow syslogd watch non security dirs conditionally- Introduce logging_syslogd_list_non_security_dirs tunable- Remove openhpi module- Allow udev to watch fixed disk devices- Allow httpd_sys_script_t read, write, and map hugetlbfs files- Allow apcupsd get attributes of cgroup filesystems
* Thu May 27 2021 Zdenek Pytela - 34.9-1- Add kerberos object filetrans for nsswitchdomain- Allow fail2ban watch various log files- Add logging_watch_audit_log_files() and logging_watch_audit_log_dirs()- Remove further modules recently removed from refpolicy- Remove modules not shipped and not present in refpolicy- Revert \"Add permission open to files_read_inherited_tmp_files() interface\"- Revert \"Allow pcp_pmlogger_t to use setrlimit BZ(1708951)\"- Revert \"Dontaudit logrotate to setrlimit itself. rhbz#1309604\"- Revert \"Allow cockpit_ws_t domain to set limits BZ(1701703)\"- Dontaudit setrlimit for domains that exec systemctl- Allow kdump_t net_admin capability- Allow nsswitch_domain read init pid lnk_files- Label /dev/trng with random_device_t- Label /run/systemd/default-hostname with hostname_etc_t- Add default file context specification for dnf log files- Label /dev/zram[0-9]+ block device files with fixed_disk_device_t- Label /dev/udmabuf character device with dma_device_t- Label /dev/dma_heap/
* char devices with dma_device_t- Label /dev/acpi_thermal_rel char device with acpi_device_t
* Thu May 20 2021 Zdenek Pytela - 34.8-2- Remove temporary explicit /dev/nvme relabeling
* Thu May 20 2021 Zdenek Pytela - 34.8-1- Allow local_login_t nnp_transition to login_userdomain- Allow asterisk watch localization symlinks- Allow NetworkManager_t to watch /etc- Label /var/lib/kdump with kdump_var_lib_t- Allow amanda get attributes of cgroup filesystems- Allow sysadm_t nnp_domtrans to systemd_tmpfiles_t- Allow install_t nnp_domtrans to setfiles_mac_t- Allow fcoemon create sysfs files
* Thu May 13 2021 Zdenek Pytela - 34.7-1- Allow tgtd read and write infiniband devices- Add a comment on virt_sandbox booleans with empty content- Deprecate duplicate dev_write_generic_sock_files() interface- Allow vnstatd_t map vnstatd_var_lib_t files- Allow privoxy execmem- Allow pmdakvm read information from the debug filesystem- Add lockdown integrity into kernel_read_debugfs() and kernel_manage_debugfs()- Add permissions to delete lnk_files into gnome_delete_home_config()- Remove rules for inotifyfs- Remove rules for anon_inodefs- Allow systemd nnp_transition to login_userdomain- Allow unconfined_t write other processes perf_event records- Allow sysadm_t dbus chat with tuned- Allow tuned write profile files with file transition- Allow tuned manage perf_events- Make domains use kernel_write_perf_event() and kernel_manage_perf_event()
* Fri May 07 2021 Zdenek Pytela - 34.6-1- Make domains use kernel_write_perf_event() and kernel_manage_perf_event()- Add kernel_write_perf_event() and kernel_manage_perf_event()- Allow syslogd_t watch root and var directories- Allow unconfined_t read other processes perf_event records- Allow login_userdomain read and map /var/lib/systemd files- Allow NetworkManager watch its config dir- Allow NetworkManager read and write z90crypt device- Allow tgtd create and use rdma socket- Allow aide connect to init with a unix socket
* Tue May 04 2021 Zdenek Pytela - 34.5-1- Grant execmem to varnishlog_t- We no longer need signull for varnishlog_t- Add map permission to varnishd_read_lib_files- Allow systemd-sleep tlp_filetrans_named_content()- Allow systemd-sleep execute generic programs- Allow systemd-sleep execute shell- Allow to sendmail read/write kerberos host rcache files- Allow freshclam get attributes of cgroup filesystems- Fix context of /run/systemd/timesync- Allow udev create /run/gdm with proper type- Allow chronyc socket file transition in user temp directory- Allow virtlogd_t to create virt_var_lockd_t dir- Allow pluto IKEv2 / ESP over TCP
* Tue Apr 27 2021 Zdenek Pytela - 34.4-1- Allow domain create anonymous inodes- Add anon_inode class to the policy- Allow systemd-coredump getattr nsfs files and net_admin capability- Allow systemd-sleep transition to sysstat_t- Allow systemd -sleep transition to tlp_t- Allow systemd-sleep transition to unconfined_service_t on bin_t executables- Allow systemd-timedated watch runtime dir and its parent- Allow system dbusd read /var/lib symlinks- Allow unconfined_service_t confidentiality and integrity lockdown- Label /var/lib/brltty with brltty_var_lib_t- Allow domain and unconfined_domain_type watch /proc/PID dirs- Additional permission for confined users loging into graphic session- Make for screen fsetid/setuid/setgid permission conditional- Allow for confined users acces to wtmp and run utempter
* Fri Apr 09 2021 Zdenek Pytela - 34.3-1- Label /etc/redis as redis_conf_t- Add brltty new permissions required by new upstream version- Allow cups-lpd read its private runtime socket files- Dontaudit daemon open and read init_t file- Add file context specification for /var/tmp/tmp-inst- Allow brltty create and use bluetooth_socket- Allow usbmuxd get attributes of cgroup filesystems
* Tue Apr 06 2021 Zdenek Pytela - 34.2-1- Allow usbmuxd get attributes of cgroup filesystems- Allow accounts-daemon get attributes of cgroup filesystems- Allow pool-geoclue get attributes of cgroup filesystems- allow systemd-sleep to set timer for suspend-then-hibernate- Allow aide connect to systemd-userdbd with a unix socket- Add new interfaces with watch_mount and watch_with_perm permissions- Add file context specification for /usr/libexec/realmd- Allow /tmp file transition for dbus-daemon also for sock_file- Allow login_userdomain create cgroup files- Allow plymouthd_t exec generic program in bin directories
* Thu Apr 01 2021 Zdenek Pytela - 34.1-1- Change the package versioning
* Thu Apr 01 2021 Zdenek Pytela - 3.14.8-10- Allow plymouthd_t exec generic program in bin directories- Allow dhcpc_t domain transition to chronyc_t- Allow login_userdomain bind xmsg port- Allow ibacm the net_raw and sys_rawio capabilities- Allow nsswitch_domain read cgroup files- Allow systemd-sleep create hardware state information files
* Mon Mar 29 2021 Zdenek Pytela - 3.14.8-9- Add watch_with_perm_dirs_pattern file pattern
* Fri Mar 26 2021 Zdenek Pytela - 3.14.8-8- Allow arpwatch_t create netlink generic socket- Allow postgrey read network state- Add watch_mount_dirs_pattern file pattern- Allow bluetooth_t dbus chat with fwupd_t- Allow xdm_t watch accountsd lib directories- Add additional interfaces for watching /boot- Allow sssd_t get attributes of tmpfs filesystems- Allow local_login_t get attributes of tmpfs filesystems- Dontaudit domain the fowner capability- Extend fs_manage_nfsd_fs() to allow managing dirs as well- Allow spice-vdagentd watch systemd-logind session dirs
* Fri Mar 19 2021 Zdenek Pytela - 3.14.8-7- Allow xdm_t watch systemd-logind session dirs- Allow xdm_t transition to system_dbusd_t- Allow confined users login into graphic session- Allow login_userdomain watch systemd login session dirs- install_t: Allow NoNewPriv transition from systemd- Remove setuid/setgid capabilities from mysqld_t- Add context for new mariadbd executable files- Allow netutils_t create netlink generic socket- Allow systemd the audit_control capability conditionally
* Thu Mar 11 2021 Zdenek Pytela - 3.14.8-6- Allow polkit-agent-helper-1 read logind sessions files- Allow polkit-agent-helper read init state- Allow login_userdomain watch generic device dirs- Allow login_userdomain listen on bluetooth sockets- Allow user_t and staff_t bind netlink_generic_socket- Allow login_userdomain write inaccessible nodes- Allow transition from xdm domain to unconfined_t domain.- Add \'make validate\' step to CI- Disallow user_t run su/sudo and staff_t run su- Fix typo in rsyncd.conf in rsync.if- Add an alias for nvme_device_t- Allow systemd watch and watch_reads unallocated ttys
* Wed Mar 03 2021 Zdenek Pytela - 3.14.8-5- Allow apmd watch generic device directories- Allow kdump load a new kernel- Add confidentiality lockdown permission to kernel_read_core_if()- Allow keepalived read nsfs files- Allow local_login_t get attributes of filesystems with ext attributes- Allow keepalived read/write its private memfd: objects- Add missing declaration in rpm_named_filetrans()- Change param description in cron interfaces to userdomain_prefix
* Wed Feb 24 2021 Zdenek Pytela - 3.14.8-4- iptables.fc: Add missing legacy entries- iptables.fc: Remove some duplicate entries- iptables.fc: Remove duplicate file context entries- Allow libvirtd to create generic netlink sockets- Allow libvirtd the fsetid capability- Allow libvirtd to read /run/utmp- Dontaudit sys_ptrace capability when calling systemctl- Allow udisksd to read /dev/random- Allow udisksd to watch files under /run/mount- Allow udisksd to watch /etc- Allow crond to watch user_cron_spool_t directories- Allow accountsd watch xdm config directories- Label /etc/avahi with avahi_conf_t- Allow sssd get cgroup filesystems attributes and search cgroup dirs- Allow systemd-hostnamed read udev runtime data- Remove dev_getattr_sysfs_fs() interface calls for particular domains- Allow domain stat the /sys filesystem- Dontaudit NetworkManager write to initrc_tmp_t pipes- policykit.te: Clean up watch rule for policykit_auth_t- Revert further unnecessary watch rules- Revert \"Allow getty watch its private runtime files\"- Allow systemd watch generic /var directories- Allow init watch network config files and lnk_files- Allow systemd-sleep get attributes of fixed disk device nodes- Complete initial policy for systemd-coredump- Label SDC(scini) Dell Driver- Allow upowerd to send syslog messages- Remove the disk write permissions from tlp_t- Label NVMe devices as fixed_disk_device_t- Allow rhsmcertd bind tcp sockets to a generic node- Allow systemd-importd manage machines.lock file
* Tue Feb 16 2021 Zdenek Pytela - 3.14.8-3- Allow unconfined integrity lockdown permission- Relocate confidentiality lockdown rule from unconfined_domain_type to unconfined- Allow systemd-machined manage systemd-userdbd runtime sockets- Enable systemd-sysctl domtrans for udev- Introduce kernel_load_unsigned_module interface and use it for couple domains- Allow gpg watch user gpg secrets dirs- Build also the container module in CI- Remove duplicate code from kernel.te- Allow restorecond to watch all non-auth directories- Allow restorecond to watch its config file
* Mon Feb 15 2021 Zdenek Pytela - 3.14.8-2- Allow userdomain watch various filesystem objects- Allow systemd-logind and systemd-sleep integrity lockdown permission- Allow unconfined_t and kprop_t to create krb5_0.rcache2 with the right context- Allow pulseaudio watch devices and systemd-logind session dirs- Allow abrt-dump-journal-
* watch generic log dirs and /run/log/journal dir- Remove duplicate files_mounton_etc(init_t) call- Add watch permissions to manage_
* object permissions sets- Allow journalctl watch generic log dirs and /run/log/journal dir- Label /etc/resolv.conf as net_conf_t even when it\'s a symlink- Allow SSSD to watch /var/run/NetworkManager- Allow dnsmasq_t to watch /etc- Remove unnecessary lines from the new watch interfaces- Fix docstring for init_watch_dir()- Allow xdm watch its private lib dirs, /etc, /usr
* Thu Feb 11 2021 Zdenek Pytela - 3.14.8-1- Bump version as Fedora 34 has been branched off rawhide- Allow xdm watch its private lib dirs, /etc, /usr- Allow systemd-importd create /run/systemd/machines.lock file- Allow rhsmcertd_t read kpatch lib files- Add integrity lockdown permission into dev_read_raw_memory()- Add confidentiality lockdown permission into fs_rw_tracefs_files()- Allow gpsd read and write ptp4l_t shared memory.- Allow colord watch its private lib files and /usr- Allow init watch_reads mount PID files- Allow IPsec and Certmonger to use opencryptoki services
* Sun Feb 07 2021 Zdenek Pytela - 3.14.7-18- Allow lockdown confidentiality for domains using perf_event- define lockdown class and access- Add perfmon capability for all domains using perf_event- Allow ptp4l_t bpf capability to run bpf programs- Revert \"Allow ptp4l_t sys_admin capability to run bpf programs\"- access_vectors: Add new capabilities to cap2- Allow systemd and systemd-resolved watch dbus pid objects- Add new watch interfaces in the base and userdomain policy- Add watch permissions for contrib packages- Allow xdm watch /usr directories- Allow getty watch its private runtime files- Add watch permissions for nscd and sssd- Add watch permissions for firewalld and NetworkManager- Add watch permissions for syslogd- Add watch permissions for systemd services- Allow restorecond watch /etc dirs- Add watch permissions for user domain types- Add watch permissions for init- Add basic watch interfaces for systemd- Add basic watch interfaces to the base module- Add additional watch object permissions sets and patterns- Allow init_t to watch localization symlinks- Allow init_t to watch mount directories- Allow init_t to watch cgroup files- Add basic watch patterns- Add new watch
* permissions
* Fri Feb 05 2021 Zdenek Pytela - 3.14.7-17- Update .copr/make-srpm.sh to use rawhide as DISTGIT_BRANCH- Dontaudit setsched for rndc- Allow systemd-logind destroy entries in message queue- Add userdom_destroy_unpriv_user_msgq() interface- ci: Install build dependencies from koji- Dontaudit vhostmd to write in /var/lib/rpm/ dir and allow signull rpm- Add new cmadmin port for bfdd dameon- virtiofs supports Xattrs and SELinux- Allow domain write to systemd-resolved PID socket files- Label /var/run/pcsd-ruby.socket socket with cluster_var_run_t type- Allow rhsmcertd_t domain transition to kpatch_t- Revert \"Add kpatch_exec() interface\"- Revert \"Allow rhsmcertd execute kpatch\"- Allow openvswitch create and use xfrm netlink sockets- Allow openvswitch_t perf_event write permission- Add kpatch_exec() interface- Allow rhsmcertd execute kpatch- Adds rule to allow glusterd to access RDMA socket- radius: Lexical sort of service-specific corenet rules by service name- VQP: Include IANA-assigned TCP/1589- radius: Allow binding to the VQP port (VMPS)- radius: Allow binding to the BDF Control and Echo ports- radius: Allow binding to the DHCP client port- radius: Allow net_raw; allow binding to the DHCP server ports- Add rsync_sys_admin tunable to allow rsync sys_admin capability- Allow staff_u run pam_console_apply- Allow openvswitch_t perf_event open permission- Allow sysadm read and write /dev/rfkill- Allow certmonger fsetid capability- Allow domain read usermodehelper state information
* Wed Jan 27 2021 Fedora Release Engineering - 3.14.7-16- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
* Fri Jan 22 2021 Petr Lautrbach - 3.14.7-15- Update specfile to not verify md5/size/mtime for active store files- Add /var/mnt equivalency to /mnt- Rebuild with SELinux userspace 3.2-rc1 release
* Fri Jan 08 2021 Zdenek Pytela - 3.14.7-14- Allow domain read usermodehelper state information- Remove all kernel_read_usermodehelper_state() interface calls- .copr: improve timestamp format- Allow wireshark create and use rdma socket- Allow domain stat /proc filesystem- Remove all kernel_getattr_proc() interface calls- Revert \"Allow passwd to get attributes in proc_t\"- Revert \"Allow dovecot_auth_t stat /proc filesystem\"- Revert \"Allow sssd, unix_chkpwd, groupadd stat /proc filesystem\"- Allow sssd read /run/systemd directory- Label /dev/vhost-vdpa-[0-9]+ as vhost_device_t
* Thu Dec 17 2020 Zdenek Pytela - 3.14.7-13- Label /dev/isst_interface as cpu_device_t- Dontaudit firewalld dac_override capability- Allow ipsec set the context of a SPD entry to the default context- Build binary RPMs in CI- Add SRPM build scripts for COPR
* Tue Dec 15 2020 Zdenek Pytela - 3.14.7-12- Allow dovecot_auth_t stat /proc filesystem- Allow sysadm_u user and unconfined_domain_type manage perf_events- Allow pcp-pmcd manage perf_events- Add manage_perf_event_perms object permissions set- Add perf_event access vectors.- Allow sssd, unix_chkpwd, groupadd stat /proc filesystem- Allow stub-resolv.conf to be a symlink- sysnetwork.if: avoid directly referencing systemd_resolved_var_run_t- Create the systemd_dbus_chat_resolved() compatibility interface- Allow nsswitch-domain write to systemd-resolved PID socket files- Add systemd_resolved_write_pid_sock_files() interface- Add default file context for \"/var/run/chrony-dhcp(/.
*)?\"- Allow timedatex dbus chat with cron system domain- Add cron_dbus_chat_system_job() interface- Allow systemd-logind manage init\'s pid files
* Wed Dec 09 2020 Zdenek Pytela - 3.14.7-11- Allow systemd-logind manage init\'s pid files- Allow tcsd the setgid capability- Allow systemd-resolved manage its private runtime symlinks- Update systemd_resolved_read_pid() to also read symlinks- Update systemd-sleep policy- Add groupadd_t fowner capability- Migrate to GitHub Actions- Update README.md to reflect the state after contrib and base merge- Add README.md announcing merging of selinux-policy and selinux-policy-contrib- Adapt .travis.yml to contrib merge- Merge contrib into the main repo- Prepare to merge contrib repo- Move stuff around to match the main repo
* Thu Nov 26 2020 Zdenek Pytela - 3.14.7-10- Allow Xephyr connect to 6000/tcp port and open user ptys- Allow kexec manage generic tmp files- Update targetd nfs & lvm- Add interface rpc_manage_exports- Merge selinux-policy and selinux-policy-contrib repos
* Tue Nov 24 2020 Zdenek Pytela - 3.14.7-9- Allow varnish map its private tmp files- Allow dovecot bind to smtp ports- Change fetchmail temporary files path to /var/spool/mail- Allow cups_pdf_t domain to communicate with unix_dgram_socket- Set file context for symlinks in /etc/httpd to etc_t- Allow rpmdb rw access to inherited console, ttys, and ptys- Allow dnsmasq read public files- Announce merging of selinux-policy and selinux-policy-contrib- Label /etc/resolv.conf as net_conf_t only if it is a plain file- Fix range for unreserved ports- Add files_search_non_security_dirs() interface- Introduce logging_syslogd_append_public_content tunable- Add miscfiles_append_public_files() interface
 