Changelog for selinux-policy-sandbox-3.14.3-139.el8_10.1.noarch.rpm:

* Fri Oct 25 2024 Zdenek Pytela - 3.14.3-139.1
- Allow setsebool_t relabel selinux data files
Resolves: RHEL-55432
- Allow dirsrv-snmp map dirsv_tmpfs_t files
Resolves: RHEL-32441
- Allow dirsrv_snmp_t to manage dirsrv_config_t & dirsrv_var_run_t files
Resolves: RHEL-32441

* Fri Mar 08 2024 Zdenek Pytela - 3.14.3-139
- Allow wdmd read hardware state information
Resolves: RHEL-27507

* Fri Mar 08 2024 Zdenek Pytela - 3.14.3-138
- Allow wdmd list the contents of the sysfs directories
Resolves: RHEL-27507
- Allow linuxptp configure phc2sys and chronyd over a unix domain socket
Resolves: RHEL-27394

* Thu Feb 22 2024 Zdenek Pytela - 3.14.3-137
- Differentiate between staff and sysadm when executing crontab with sudo
Resolves: RHEL-1388
- Allow su domains write login records
Resolves: RHEL-2606
- Revert "Allow su domains write login records"
Resolves: RHEL-2606
- Add crontab_admin_domtrans interface
Resolves: RHEL-1388
- Allow gpg manage rpm cache
Resolves: RHEL-11249

* Thu Feb 15 2024 Zdenek Pytela - 3.14.3-136
- Transition from sudodomains to crontab_t when executing crontab_exec_t
Resolves: RHEL-1388
- Fix label of pseudoterminals created from sudodomain
Resolves: RHEL-1388
- Allow login_userdomain to manage session_dbusd_tmp_t dirs/files
Resolves: RHEL-22500
- Label /dev/ngXnY and /dev/nvme-subsysX with nvme_device_t
Resolves: RHEL-23442
- Allow admin user read/write on fixed_disk_device_t
Resolves: RHEL-23434
- Only allow confined user domains to login locally without unconfined_login
Resolves: RHEL-1628
- Add userdom_spec_domtrans_confined_admin_users interface
Resolves: RHEL-1628
- Only allow admindomain to execute shell via ssh with ssh_sysadm_login
Resolves: RHEL-1628
- Add userdom_spec_domtrans_admin_users interface
Resolves: RHEL-1628
- Move ssh dyntrans to unconfined inside unconfined_login tunable policy
Resolves: RHEL-1628
- Allow utempter_t use ptmx
Resolves: RHEL-25002
- Dontaudit subscription manager setfscreate and read file contexts
Resolves: RHEL-21639
- Don't audit crontab_domain write attempts to user home
Resolves: RHEL-1388
- Add crontab_domtrans interface
Resolves: RHEL-1388
- Add dbus_manage_session_tmp_files interface
Resolves: RHEL-22500
- Allow httpd read network sysctls
Resolves: RHEL-22748
- Allow keepalived_unconfined_script_t dbus chat with init
Resolves: RHEL-22843

* Fri Jan 26 2024 Zdenek Pytela - 3.14.3-135
- Label /tmp/libdnf.* with user_tmp_t
Resolves: RHEL-11249
- Allow su domains write login records
Resolves: RHEL-2606
- Allow gpg read rpm cache
Resolves: RHEL-11249
- Allow unix dgram sendto between exim processes
Resolves: RHEL-21903
- Allow hypervkvp_t write access to NetworkManager_etc_rw_t
Resolves: RHEL-17687
- Add interface for write-only access to NetworkManager rw conf
Resolves: RHEL-17687
- Allow conntrackd_t to use sys_admin capability
Resolves: RHEL-22276

* Fri Jan 12 2024 Zdenek Pytela - 3.14.3-134
- Allow syslog to run unconfined scripts conditionally
Resolves: RHEL-10087
- Allow syslogd_t nnp_transition to syslogd_unconfined_script_t
Resolves: RHEL-10087
- Allow collectd connect to statsd port
Resolves: RHEL-19482
- Allow collectd_t read network state symlinks
Resolves: RHEL-19482
- Allow collectd_t domain to create netlink_generic_socket sockets
Resolves: RHEL-19482
- Allow opafm search nfs directories
Resolves: RHEL-19426
- Allow mdadm list stratisd data directories
Resolves: RHEL-21374

* Wed Dec 13 2023 Zdenek Pytela - 3.14.3-133
- Label /dev/acpi_thermal_rel char device with acpi_device_t
Resolves: RHEL-18027
- Allow sysadm execute traceroute in sysadm_t domain using sudo
Resolves: RHEL-9947
- Allow sysadm execute tcpdump in sysadm_t domain using sudo
Resolves: RHEL-15398
- Add support for syslogd unconfined scripts
Resolves: RHEL-10087
- Label /dev/wmi/dell-smbios as acpi_device_t
Resolves: RHEL-18027
- Make named_zone_t and named_var_run_t a part of the mountpoint attribute
Resolves: RHEL-1954
- Dontaudit rhsmcertd write memory device
Resolves: RHEL-17721

* Tue Nov 28 2023 Zdenek Pytela - 3.14.3-132
- Allow sudodomain read var auth files
Resolves: RHEL-16567
- Update cifs interfaces to include fs_search_auto_mountpoints()
Resolves: RHEL-14072
- Allow systemd-localed create Xserver config dirs
Resolves: RHEL-16715
- Label /var/run/auditd.state as auditd_var_run_t
Resolves: RHEL-14376
- Allow auditd read all domains process state
Resolves: RHEL-14471
- Allow sudo userdomain to run rpm related commands
Resolves: RHEL-1679
- Remove insights_client_watch_lib_dirs() interface
Resolves: RHEL-16185

* Wed Nov 08 2023 Zdenek Pytela - 3.14.3-131
- Additional permissions for ip-vrf
Resolves: RHEL-9981
- Allow ip an explicit domain transition to other domains
Resolves: RHEL-9981
- Allow winbind_rpcd_t processes access when samba_export_all_* is on
Resolves: RHEL-5845
- Allow system_mail_t manage exim spool files and dirs
Resolves: RHEL-14186

* Wed Oct 04 2023 Lukas Vrabec - 3.14.3-130
- Label msmtp and msmtpd with sendmail_exec_t
Resolves: RHEL-1678
- Set default file context of HOME_DIR/tmp/.* to <>
Resolves: RHEL-1099
- Improve default file context(None) of /var/lib/authselect/backups
Resolves: RHEL-3539

* Fri Sep 29 2023 Lukas Vrabec - 3.14.3-129
- Set default file context of /var/lib/authselect/backups to <>
Resolves: RHEL-3539
- Add file context specification for /usr/libexec/realmd
Resolves: RHEL-2147
- Add numad the ipc_owner capability
Resolves: RHEL-2415

* Fri Aug 25 2023 Zdenek Pytela - 3.14.3-128
- Allow ssh_agent_type manage generic cache home files
Resolves: rhbz#2177704
- Add chromium_sandbox_t setcap capability
Resolves: rhbz#2221573

* Thu Aug 17 2023 Zdenek Pytela - 3.14.3-127
- Allow cloud_init create dhclient var files and init_t manage net_conf_t 3
Resolves: rhbz#2229726

* Fri Aug 11 2023 Zdenek Pytela - 3.14.3-126
- Allow cloud_init create dhclient var files and init_t manage net_conf_t 1/2
Resolves: rhbz#2229726
- Label /usr/libexec/openssh/ssh-pkcs11-helper with ssh_agent_exec_t
Resolves: rhbz#2177704
- Allow cloud_init create dhclient var files and init_t manage net_conf_t 2/2
Resolves: rhbz#2229726
- Make insights_client_t an unconfined domain
Resolves: rhbz#2225527
- Allow insights-client create all rpm logs with a correct label
Resolves: rhbz#2229559
- Allow insights-client manage generic logs
Resolves: rhbz#2229559

* Fri Aug 04 2023 Zdenek Pytela - 3.14.3-125
- Allow user_u and staff_u get attributes of non-security dirs
Resolves: rhbz#2216151
- Allow unconfined user filetrans chrome_sandbox_home_t 1/2
Resolves: rhbz#2221573
- Allow unconfined user filetrans chrome_sandbox_home_t 2/2
Resolves: rhbz#2221573
- Allow insights-client execmem
Resolves: rhbz#2225233
- Allow svnserve execute postdrop with a transition
Resolves: rhbz#2004843
- Do not make postfix_postdrop_t type an MTA executable file
Resolves: rhbz#2004843
- Allow samba-dcerpc service manage samba tmp files
Resolves: rhbz#2210771
- Update samba-dcerpc policy for printing
Resolves: rhbz#2210771

* Thu Jul 20 2023 Zdenek Pytela - 3.14.3-124
- Add the files_getattr_non_auth_dirs() interface
Resolves: rhbz#2076937
- Update policy for the sblim-sfcb service
Resolves: rhbz#2076937
- Dontaudit sfcbd sys_ptrace cap_userns
Resolves: rhbz#2076937
- Label /usr/sbin/sos with sosreport_exec_t
Resolves: rhbz#2167731
- Allow sa-update manage spamc home files
Resolves: rhbz#2222200
- Allow sa-update connect to systemlog services
Resolves: rhbz#2222200
- Label /usr/lib/systemd/system/mimedefang.service with antivirus_unit_file_t
Resolves: rhbz#2222200

* Thu Jun 29 2023 Zdenek Pytela - 3.14.3-123
- Label only /usr/sbin/ripd and ripngd with zebra_exec_t
Resolves: rhbz#2213606
- Allow httpd tcp connect to redis port conditionally
Resolves: rhbz#2213965
- Exclude container-selinux manpage from selinux-policy-doc
Resolves: rhbz#2218362

* Thu Jun 15 2023 Nikola Knazekova - 3.14.3-122
- Update cyrus_stream_connect() to use sockets in /run
Resolves: rhbz#2165752
- Allow insights-client map generic log files
Resolves: rhbz#2214572
- Allow insights-client work with pipe and socket tmp files
Resolves: rhbz#2207819
- Allow insights-client getsession process permission
Resolves: rhbz#2207819
- Allow keepalived to manage its tmp files
Resolves: rhbz#2179335

* Thu May 25 2023 Zdenek Pytela - 3.14.3-121
- Update pkcsslotd policy for sandboxing 2/2
Resolves: rhbz#2208162
- Update pkcsslotd policy for sandboxing 1/2
Resolves: rhbz#2208162
- Allow abrt_t read kernel persistent storage files
Resolves: rhbz#2207914
- Add allow rules for lttng-sessiond domain
Resolves: rhbz#2203509
- Allow rpcd_lsad setcap and use generic ptys
Resolves: rhbz#2107106
- Allow samba-dcerpcd connect to systemd_machined over a unix socket
Resolves: rhbz#2107106
- Dontaudit targetd search httpd config dirs
Resolves: rhbz#2203720

* Thu May 11 2023 Zdenek Pytela - 3.14.3-120
- Allow unconfined service inherit signal state from init
Resolves: rhbz#2177254
- Allow systemd-pstore delete kernel persistent storage files
Resolves: rhbz#2181558
- Add fs_delete_pstore_files() interface
Resolves: rhbz#2181558
- Allow certmonger manage cluster library files
Resolves: rhbz#2177836
- Allow samba-rpcd work with passwords
Resolves: rhbz#2107106
- Allow snmpd read raw disk data
Resolves: rhbz#2160000
- Allow cluster_t dbus chat with various services
Resolves: rhbz#2196524

* Fri Apr 21 2023 Zdenek Pytela - 3.14.3-119
- Add unconfined_server_read_semaphores() interface
Resolves: rhbz#2183351
- Allow systemd-pstore read kernel persistent storage files
Resolves: rhbz#2181558
- Add fs_read_pstore_files() interface
Resolves: rhbz#2181558
- Allow insights-client work with teamdctl
Resolves: rhbz#2185158
- Allow insights-client read unconfined service semaphores
Resolves: rhbz#2183351
- Allow insights-client get quotas of all filesystems
Resolves: rhbz#2183351

* Thu Apr 13 2023 Zdenek Pytela - 3.14.3-118
- Allow login_pgm setcap permission
Resolves: rhbz#2172541
- Label /run/fsck with fsadm_var_run_t
Resolves: rhbz#2184348
- Add boolean qemu-ga to run unconfined script
Resolves: rhbz#2028762
- Allow dovecot-deliver write to the main process runtime fifo files
Resolves: rhbz#2170495
- Allow certmonger dbus chat with the cron system domain
Resolves: rhbz#2173289
- Allow insights-client read all sysctls
Resolves: rhbz#2177607

* Thu Feb 16 2023 Zdenek Pytela - 3.14.3-117
- Fix opencryptoki file names in /dev/shm
Resolves: rhbz#2028637
- Allow system_cronjob_t transition to rpm_script_t
Resolves: rhbz#2154242
- Revert "Allow system_cronjob_t domtrans to rpm_script_t"
Resolves: rhbz#2154242
- Allow httpd work with tokens in /dev/shm
Resolves: rhbz#2028637
- Allow keepalived to set resource limits
Resolves: rhbz#2168638
- Allow insights-client manage fsadm pid files

* Thu Feb 09 2023 Zdenek Pytela - 3.14.3-116
- Allow sysadm_t run initrc_t script and sysadm_r role access
Resolves: rhbz#2039662
- Allow insights-client manage fsadm pid files
Resolves: rhbz#2166802
- Add journalctl the sys_resource capability
Resolves: rhbz#2136189

* Thu Jan 26 2023 Zdenek Pytela - 3.14.3-115
- Fix syntax problem in redis.te
Resolves: rhbz#2112228
- Allow unconfined user filetransition for sudo log files
Resolves: rhbz#2164047
- Allow winbind-rpcd make a TCP connection to the ldap port
Resolves: rhbz#2152642
- Allow winbind-rpcd manage samba_share_t files and dirs
Resolves: rhbz#2152642
- Allow insights-client work with su and lpstat
Resolves: rhbz#2134125
- Allow insights-client read nvme devices
Resolves: rhbz#2143878
- Allow insights-client tcp connect to all ports
Resolves: rhbz#2143878
- Allow redis-sentinel execute a notification script
Resolves: rhbz#2112228

* Thu Jan 12 2023 Zdenek Pytela - 3.14.3-114
- Add interfaces in domain, files, and unconfined modules
Resolves: rhbz#2141311
- Allow sysadm_t read/write ipmi devices
Resolves: rhbz#2148561
- Allow sudodomain use sudo.log as a logfile
Resolves: rhbz#2143762
- Add insights additional capabilities
Resolves: rhbz#2158779
- Allow insights client work with gluster and pcp
Resolves: rhbz#2141311
- Allow prosody manage its runtime socket files
Resolves: rhbz#2157902
- Allow system mail service read inherited certmonger runtime files
Resolves: rhbz#2143337
- Add lpr_roles to system_r roles
Resolves: rhbz#2151111

* Thu Dec 15 2022 Zdenek Pytela - 3.14.3-113
- Allow systemd-socket-proxyd get attributes of cgroup filesystems
Resolves: rhbz#2088441
- Allow systemd-socket-proxyd get filesystems attributes
Resolves: rhbz#2088441
- Allow sysadm read ipmi devices
Resolves: rhbz#2148561
- Allow system mail service read inherited certmonger runtime files
Resolves: rhbz#2143337
- Add lpr_roles to system_r roles
Resolves: rhbz#2151111
- Allow insights-client tcp connect to various ports
Resolves: rhbz#2151111
- Allow insights-client work with pcp and manage user config files
Resolves: rhbz#2151111
- Allow insights-client dbus chat with various services
Resolves: rhbz#2152867
- Allow insights-client dbus chat with abrt
Resolves: rhbz#2152867
- Allow redis get user names
Resolves: rhbz#2112228
- Add winbind-rpcd to samba_enable_home_dirs boolean
Resolves: rhbz#2143696

* Wed Nov 30 2022 Zdenek Pytela - 3.14.3-112
- Allow ipsec_t only read tpm devices
Resolves: rhbz#2147380
- Allow ipsec_t read/write tpm devices
Resolves: rhbz#2147380
- Label udf tools with fsadm_exec_t
Resolves: rhbz#1972230
- Allow the spamd_update_t domain get generic filesystem attributes
Resolves: rhbz#2144501
- Allow cdcc mmap dcc-client-map files
Resolves: rhbz#2144505
- Allow insights client communicate with cupsd, mysqld, openvswitch, redis
Resolves: rhbz#2143878
- Allow insights client read raw memory devices
Resolves: rhbz#2143878
- Allow winbind-rpcd get attributes of device and pty filesystems
Resolves: rhbz#2107106
- Allow postfix/smtpd read kerberos key table
Resolves: rhbz#1983308

* Fri Nov 11 2022 Zdenek Pytela - 3.14.3-111
- Add domain_unix_read_all_semaphores() interface
Resolves: rhbz#2141311
- Allow iptables list cgroup directories
Resolves: rhbz#2134820
- Allow systemd-hostnamed dbus chat with init scripts
Resolves: rhbz#2111632
- Allow systemd to read symlinks in /var/lib
Resolves: rhbz#2118784
- Allow insights-client domain transition on semanage execution
Resolves: rhbz#2141311
- Allow insights-client create gluster log dir with a transition
Resolves: rhbz#2141311
- Allow insights-client manage generic locks
Resolves: rhbz#2141311
- Allow insights-client unix_read all domain semaphores
Resolves: rhbz#2141311
- Allow winbind-rpcd use the terminal multiplexor
Resolves: rhbz#2107106
- Allow mrtg send mails
Resolves: rhbz#2103675
- Allow sssd dbus chat with system cronjobs
Resolves: rhbz#2132922
- Allow postfix/smtp and postfix/virtual read kerberos key table
Resolves: rhbz#1983308

* Thu Oct 20 2022 Zdenek Pytela - 3.14.3-110
- Add the systemd_connectto_socket_proxyd_unix_sockets() interface
Resolves: rhbz#208441
- Add the dev_map_vhost() interface
Resolves: rhbz#2122920
- Allow init remount all file_type filesystems
Resolves: rhbz#2122239
- added policy for systemd-socket-proxyd
Resolves: rhbz#2088441
- Allow virt_domain map vhost devices
Resolves: rhbz#2122920
- Allow virt domains to access xserver devices
Resolves: rhbz#2122920
- Allow rotatelogs read httpd_log_t symlinks
Resolves: rhbz#2030633
- Allow vlock search the contents of the /dev/pts directory
Resolves: rhbz#2122838
- Allow system cronjobs dbus chat with setroubleshoot
Resolves: rhbz#2125008
- Allow ptp4l_t name_bind ptp_event_port_t
Resolves: rhbz#2130168
- Allow pcp_domain execute its private memfd: objects
Resolves: rhbz#2090711
- Allow samba-dcerpcd use NSCD services over a unix stream socket
Resolves: rhbz#2121709
- Allow insights-client manage samba var dirs
Resolves: rhbz#2132230

* Wed Oct 12 2022 Zdenek Pytela - 3.14.3-109
- Add the files_map_read_etc_files() interface
Resolves: rhbz#2132230
- Allow insights-client manage samba var dirs
Resolves: rhbz#2132230
- Allow insights-client send null signal to rpm and system cronjob
Resolves: rhbz#2132230
- Update rhcd policy for executing additional commands 4
Resolves: rhbz#2132230
- Allow insights-client connect to postgresql with a unix socket
Resolves: rhbz#2132230
- Allow insights-client domtrans on unix_chkpwd execution
Resolves: rhbz#2132230
- Add file context entries for insights-client and rhc
Resolves: rhbz#2132230
- Allow snmpd_t domain to trace processes in user namespace
Resolves: rhbz#2121084
- Allow sbd the sys_ptrace capability
Resolves: rhbz#2124552
- Allow pulseaudio create gnome content (~/.config)
Resolves: rhbz#2124387

* Thu Sep 08 2022 Zdenek Pytela - 3.14.3-108
- Allow unconfined_service_t insights client content filetrans
Resolves: rhbz#2119507
- Allow nsswitch_domain to connect to systemd-machined using a unix socket
Resolves: rhbz#2119507
- Add init_status_all_script_files() interface
Resolves: rhbz#2119507
- Add dev_dontaudit_write_raw_memory() and dev_read_vsock() interfaces
Resolves: rhbz#2119507
- Update insights-client policy for additional commands execution 5
Resolves: rhbz#2119507
- Confine insights-client systemd unit
Resolves: rhbz#2119507
- Update insights-client policy for additional commands execution 4
Resolves: rhbz#2119507
- Change rhsmcertd_t to insights_client_t in insights-client policy
Resolves: rhbz#2119507
- Allow insights-client send signull to unconfined_service_t
Resolves: rhbz#2119507
- Update insights-client policy for additional commands execution 3
Resolves: rhbz#2119507
- Allow journalctl read init state
Resolves: rhbz#2119507
- Update insights-client policy for additional commands execution 2
Resolves: rhbz#2119507

* Thu Aug 25 2022 Zdenek Pytela - 3.14.3-107
- Label 319/udp port with ptp_event_port_t
Resolves: rhbz#2118628
- Allow unconfined and sysadm users transition for /root/.gnupg
Resolves: rhbz#2119507
- Add the kernel_read_proc_files() interface
Resolves: rhbz#2119507
- Add userdom_view_all_users_keys() interface
Resolves: rhbz#2119507
- Allow system_cronjob_t domtrans to rpm_script_t
Resolves: rhbz#2118362
- Allow smbd_t process noatsecure permission for winbind_rpcd_t
Resolves: rhbz#2117199
- Allow chronyd bind UDP sockets to ptp_event ports
Resolves: rhbz#2118628
- Allow samba-bgqd to read a printer list
Resolves: rhbz#2118958
- Add gpg_filetrans_admin_home_content() interface
Resolves: rhbz#2119507
- Update insights-client policy for additional commands execution
Resolves: rhbz#2119507
- Allow gpg read and write generic pty type
Resolves: rhbz#2119507
- Allow chronyc read and write generic pty type
Resolves: rhbz#2119507
- Disable rpm verification on interface_info
Resolves: rhbz#2119472

* Wed Aug 10 2022 Zdenek Pytela - 3.14.3-106
- Allow networkmanager to signal unconfined process
Resolves: rhbz#1918148
- Allow sa-update to get init status and start systemd files
Resolves: rhbz#2011239
- Allow samba-bgqd get a printer list
Resolves: rhbz#2114737
- Allow insights-client rpm named file transitions
Resolves: rhbz#2104913
- Add /var/tmp/insights-archive to insights_client_filetrans_named_content
Resolves: rhbz#2104913
- Use insights_client_filetrans_named_content
Resolves: rhbz#2104913
- Make default file context match with named transitions
Resolves: rhbz#2104913
- Allow rhsmcertd to read insights config files
Resolves: rhbz#2104913
- Label /etc/insights-client/machine-id
Resolves: rhbz#2104913

* Fri Jul 29 2022 Zdenek Pytela - 3.14.3-105
- Do not call systemd_userdbd_stream_connect() for winbind-rpcd
Resolves: rhbz#2108383
- Update winbind_rpcd_t
Resolves: rhbz#2108383
- Allow irqbalance file transition for pid sock_files and directories
Resolves: rhbz#2111916
- Update irqbalance runtime directory file context
Resolves: rhbz#2111916

* Tue Jun 28 2022 Zdenek Pytela - 3.14.3-104
- Update samba-dcerpcd policy for kerberos usage 2
Resolves: rhbz#2096825

* Mon Jun 27 2022 Zdenek Pytela - 3.14.3-103
- Allow domain read usermodehelper state information
Resolves: rhbz#2083504
- Remove all kernel_read_usermodehelper_state() interface calls
Resolves: rhbz#2083504
- Allow samba-dcerpcd work with sssd
Resolves: rhbz#2096825
- Allow winbind_rpcd_t connect to self over a unix_stream_socket
Resolves: rhbz#2096825
- Update samba-dcerpcd policy for kerberos usage
Resolves: rhbz#2096825
- Allow keepalived read the contents of the sysfs filesystem
Resolves: rhbz#2098189
- Update policy for samba-dcerpcd
Resolves: rhbz#2083504
- Remove all kernel_read_usermodehelper_state() interface calls 2/2
Resolves: rhbz#2083504
- Update insights_client_filetrans_named_content()
Resolves: rhbz#2091117

* Wed Jun 22 2022 Zdenek Pytela - 3.14.3-102
- Allow transition to insights_client named content
Resolves: rhbz#2091117
- Add the insights_client_filetrans_named_content() interface
Resolves: rhbz#2091117
- Update policy for insights-client to run additional commands 3
Resolves: rhbz#2091117

* Fri Jun 17 2022 Zdenek Pytela - 3.14.3-101
- Add the init_status_config_transient_files() interface
Resolves: rhbz#2091117
- Allow init_t to rw insights_client unnamed pipe
Resolves: rhbz#2091117
- Update kernel_read_unix_sysctls() for sysctl_net_unix_t handling
Resolves: rhbz#2091117
- Allow insights-client get status of the systemd transient scripts
Resolves: rhbz#2091117
- Allow insights-client execute its private memfd: objects
Resolves: rhbz#2091117
- Update policy for insights-client to run additional commands 2
Resolves: rhbz#2091117
- Do not call systemd_userdbd_stream_connect() for insights-client
Resolves: rhbz#2091117
- Use insights_client_tmp_t instead of insights_client_var_tmp_t
Resolves: rhbz#2091117
- Change space indentation to tab in insights-client
Resolves: rhbz#2091117
- Use socket permissions sets in insights-client
Resolves: rhbz#2091117
- Update policy for insights-client to run additional commands
Resolves: rhbz#2091117
- Change rpm_setattr_db_files() to use a pattern
Resolves: rhbz#2091117
- Add rpm setattr db files macro
Resolves: rhbz#2091117
- Fix insights client
Resolves: rhbz#2091117
- Do not let system_cronjob_t create redhat-access-insights.log with var_log_t
Resolves: rhbz#2091117

* Tue Jun 07 2022 Zdenek Pytela - 3.14.3-100
- Update logging_create_generic_logs() to use create_files_pattern()
Resolves: rhbz#2081907
- Add the auth_read_passwd_file() interface
Resolves: rhbz#2083504
- Allow auditd_t noatsecure for a transition to audisp_remote_t
Resolves: rhbz#2081907
- Add support for samba-dcerpcd
Resolves: rhbz#2083504
- Allow rhsmcertd create generic log files
Resolves: rhbz#1852086
- Allow ctdbd nlmsg_read on netlink_tcpdiag_socket
Resolves: rhbz#2090800

* Mon May 23 2022 Zdenek Pytela - 3.14.3-99
- Allow ifconfig_t domain to manage vmware logs
Resolves: rhbz#1721943
- Allow insights-client manage gpg admin home content
Resolves: rhbz#2060834
- Add the gpg_manage_admin_home_content() interface
Resolves: rhbz#2060834
- Label /var/cache/insights with insights_client_cache_t
Resolves: rhbz#2063195
- Allow insights-client search gconf homedir
Resolves: rhbz#2087069
- Allow insights-client create and use unix_dgram_socket
Resolves: rhbz#2087069
- Label more vdsm utils with virtd_exec_t
Resolves: rhbz#2063871
- Label /usr/libexec/vdsm/supervdsmd and vdsmd with virtd_exec_t
Resolves: rhbz#2063871
- Allow sblim-gatherd the kill capability
Resolves: rhbz#2082677
- Allow privoxy execmem
Resolves: rhbz#2083940

* Wed May 04 2022 Zdenek Pytela - 3.14.3-98
- Allow sysadm user execute init scripts with a transition
Resolves: rhbz#2039662
- Change invalid type redisd_t to redis_t in redis_stream_connect()
Resolves: rhbz#1897517
- Allow php-fpm write access to /var/run/redis/redis.sock
Resolves: rhbz#1897517
- Allow sssd read systemd-resolved runtime directory
Resolves: rhbz#2060721
- Allow postfix stream connect to cyrus through runtime socket
Resolves: rhbz#2066005
- Allow insights-client create_socket_perms for tcp/udp sockets
Resolves: rhbz#2073395
- Allow insights-client read rhnsd config files
Resolves: rhbz#2073395
- Allow sblim-sfcbd connect to sblim-reposd stream
Resolves: rhbz#2075810
- Allow rngd drop privileges via setuid/setgid/setcap
Resolves: rhbz#2076641
- Allow rngd_t domain to use nsswitch
Resolves: rhbz#2076641

* Fri Apr 22 2022 Nikola Knazekova - 3.14.3-97
- Create macro corenet_icmp_bind_generic_node()
Resolves: rhbz#2070870
- Allow traceroute_t and ping_t to bind generic nodes.
Resolves: rhbz#2070870
- Allow administrative users the bpf capability
Resolves: rhbz#2070983
- Allow insights-client search rhnsd configuration directory
Resolves: rhbz#2073395
- Allow ntlm_auth read the network state information
Resolves: rhbz#2073349
- Allow keepalived setsched and sys_nice
Resolves: rhbz#2008033
- Revert "Allow administrative users the bpf capability"
Resolves: rhbz#2070983

* Thu Apr 07 2022 Zdenek Pytela - 3.14.3-96
- Add interface rpc_manage_exports
Resolves: rhbz#2062183
- Allow sshd read filesystem sysctl files
Resolves: rhbz#2061403
- Update targetd nfs & lvm
Resolves: rhbz#2062183
- Allow dhcpd_t domain to read network sysctls.
Resolves: rhbz#2059509
- Allow chronyd talk with unconfined user over unix domain dgram socket
Resolves: rhbz#2065313
- Allow fenced read kerberos key tables
Resolves: rhbz#1964839

* Thu Mar 24 2022 Zdenek Pytela - 3.14.3-95
- Allow hostapd talk with unconfined user over unix domain dgram socket
Resolves: rhbz#2068007

* Thu Mar 10 2022 Nikola Knazekova <nknazeko@redhat.com> - 3.14.3-94
- Allow chronyd send a message to sosreport over datagram socket
- Allow systemd-logind dbus chat with sosreport
Resolves: rhbz#2062607

* Thu Feb 24 2022 Zdenek Pytela - 3.14.3-93
- Allow systemd-networkd dbus chat with sosreport
Resolves: rhbz#1949493
- Allow sysadm_passwd_t to relabel passwd and group files
Resolves: rhbz#2053457
- Allow confined sysadmin to use tool vipw
Resolves: rhbz#2053457
- Allow sosreport dbus chat with abrt and timedatex
Resolves: rhbz#1949493
- Remove unnecessary /etc file transitions for insights-client
Resolves: rhbz#2031853
- Label all content in /var/lib/insights with insights_client_var_lib_t
Resolves: rhbz#2031853
- Update insights-client policy
Resolves: rhbz#2031853
- Update insights-client: fc pattern, motd, writing to etc
Resolves: rhbz#2031853
- Remove permissive domain for insights_client_t
Resolves: rhbz#2031853
- New policy for insights-client
Resolves: rhbz#2031853
- Add the insights_client module
Resolves: rhbz#2031853
- Update specfile to buildrequire policycoreutils-devel >= 2.9-19
- Add modules_checksum to %files

* Wed Feb 16 2022 Zdenek Pytela - 3.14.3-92
- Allow postfix_domain read dovecot certificates 1/2
Resolves: rhbz#2043599
- Dontaudit dirsrv search filesystem sysctl directories 1/2
Resolves: rhbz#2042568
- Allow chage domtrans to sssd
Resolves: rhbz#2054718
- Allow postfix_domain read dovecot certificates 2/2
Resolves: rhbz#2043599
- Allow ctdb create cluster logs
Resolves: rhbz#2049481
- Allow alsa bind mixer controls to led triggers
Resolves: rhbz#2049730
- Allow alsactl set group Process ID of a process
Resolves: rhbz#2049730
- Dontaudit mdadm list dirsrv tmpfs dirs
Resolves: rhbz#2011174
- Dontaudit dirsrv search filesystem sysctl directories 2/2
Resolves: rhbz#2042568
- Revert "Label NetworkManager-dispatcher service with separate context"
Related: rhbz#1989070
- Revert "Allow NetworkManager-dispatcher dbus chat with NetworkManager"
Related: rhbz#1989070

* Wed Feb 09 2022 Zdenek Pytela - 3.14.3-91
- Allow NetworkManager-dispatcher dbus chat with NetworkManager
Resolves: rhbz#1989070

* Fri Feb 04 2022 Zdenek Pytela - 3.14.3-90
- Fix badly indented used interfaces
Resolves: rhbz#2030156
- Allow domain transition to sssd_t 1/2
Resolves: rhbz#2022690
- Allow confined users to use kinit, klist and etc.
Resolves: rhbz#2026598
- Allow login_userdomain open/read/map system journal
Resolves: rhbz#2046481
- Allow init read stratis data symlinks 2/2
Resolves: rhbz#2048514
- Label new utility of NetworkManager nm-priv-helper
Resolves: rhbz#1986076
- Label NetworkManager-dispatcher service with separate context
Resolves: rhbz#1989070
- Allow domtrans to sssd_t and role access to sssd
Resolves: rhbz#2030156
- Creating interface sssd_run_sssd()
Resolves: rhbz#2030156
- Allow domain transition to sssd_t 2/2
Resolves: rhbz#2022690
- Allow timedatex dbus chat with xdm
Resolves: rhbz#2040214
- Associate stratisd_data_t with device filesystem
Resolves: rhbz#2048514
- Allow init read stratis data symlinks 1/2
Resolves: rhbz#2048514
- Allow rhsmcertd create rpm hawkey logs with correct label
Resolves: rhbz#1949871

* Wed Jan 26 2022 Zdenek Pytela - 3.14.3-89
- Allow NetworkManager talk with unconfined user over unix domain dgram socket
Resolves: rhbz#2044048
- Allow system_mail_t read inherited apache system content rw files
Resolves: rhbz#1988339
- Add apache_read_inherited_sys_content_rw_files() interface
Related: rhbz#1988339
- Allow rhsm-service execute its private memfd: objects
Resolves: rhbz#2029873
- Allow dirsrv read configfs files and directories
Resolves: rhbz#2042568
- Label /run/stratisd with stratisd_var_run_t
Resolves: rhbz#1879585
- Fix path for excluding container.if from selinux-policy-devel
Resolves: rhbz#1861968

* Thu Jan 20 2022 Zdenek Pytela - 3.14.3-88
- Revert "Label /etc/cockpit/ws-certs.d with cert_t"
Related: rhbz#1907473

* Tue Jan 18 2022 Zdenek Pytela - 3.14.3-87
- Set default file context for /sys/firmware/efi/efivars
Resolves: rhbz#2039458
- Allow sysadm_t start and stop transient services
Resolves: rhbz#2031065
- Label /etc/cockpit/ws-certs.d with cert_t
Resolves: rhbz#1907473
- Allow smbcontrol read the network state information
Resolves: rhbz#2033873
- Allow rhsm-service read/write its private memfd: objects
Resolves: rhbz#2029873
- Allow fcoemon request the kernel to load a module
Resolves: rhbz#1940317
- Allow radiusd connect to the radacct port
Resolves: rhbz#2038955
- Label /var/lib/shorewall6-lite with shorewall_var_lib_t
Resolves: rhbz#2041447
- Exclude container.if from selinux-policy-devel
Resolves: rhbz#1861968

* Mon Jan 03 2022 Zdenek Pytela - 3.14.3-86
- Allow sysadm execute sysadmctl in sysadm_t domain using sudo
Resolves: rhbz#2013749
- Allow local_login_t get attributes of tmpfs filesystems
Resolves: rhbz#2015539
- Allow local_login_t get attributes of filesystems with ext attributes
Resolves: rhbz#2015539
- Allow local_login_t domain to getattr cgroup filesystem
Resolves: rhbz#2015539
- Allow systemd read unlabeled symbolic links
Resolves: rhbz#2021835
- Allow userdomains use pam_ssh_agent_auth for passwordless sudo
Resolves: rhbz#1917879
- Allow sudodomains execute passwd in the passwd domain
Resolves: rhbz#1943572
- Label authcompat.py with authconfig_exec_t
Resolves: rhbz#1919122
- Dontaudit pkcsslotd sys_admin capability
Resolves: rhbz#2021887
- Allow lldpd connect to snmpd with a unix domain stream socket
Resolves: rhbz#1991029

* Tue Dec 07 2021 Zdenek Pytela - 3.14.3-85
- Allow unconfined_t to node_bind icmp_sockets in node_t domain
Resolves: rhbz#2025445
- Allow rhsmcertd get attributes of tmpfs_t filesystems
Resolves: rhbz#2015820
- The nfsdcld service is now confined by SELinux
Resolves: rhbz#2026588
- Allow smbcontrol use additional socket types
Resolves: rhbz#2027740
- Allow lldpd use an snmp subagent over a tcp socket
Resolves: rhbz#2028379

* Wed Nov 24 2021 Zdenek Pytela - 3.14.3-84
- Allow sysadm_t read/write pkcs shared memory segments
Resolves: rhbz#1965251
- Allow sysadm_t connect to sanlock over a unix stream socket
Resolves: rhbz#1965251
- Allow sysadm_t dbus chat with sssd
Resolves: rhbz#1965251
- Allow sysadm_t set attributes on character device nodes
Resolves: rhbz#1965251
- Allow sysadm_t read and write watchdog devices
Resolves: rhbz#1965251
- Allow sysadm_t connect to cluster domains over a unix stream socket
Resolves: rhbz#1965251
- Allow sysadm_t dbus chat with tuned 2/2
Resolves: rhbz#1965251
- Update userdom_exec_user_tmp_files() with an entrypoint rule
Resolves: rhbz#1920883
- Allow sudodomain send a null signal to sshd processes
Resolves: rhbz#1966945
- Allow sysadm_t dbus chat with tuned 1/2
Resolves: rhbz#1965251
- Allow cloud-init dbus chat with systemd-logind
Resolves: rhbz#2009769
- Allow svnserve send mail from the system
Resolves: rhbz#2004843
- Allow svnserve_t domain to read system state
Resolves: rhbz#2004843

* Tue Nov 09 2021 Zdenek Pytela - 3.14.3-83
- VQP: Include IANA-assigned TCP/1589
Resolves: rhbz#1924038
- Label port 3785/udp with bfd_echo
Resolves: rhbz#1924038
- Allow sysadm_t dbus chat with realmd_t
Resolves: rhbz#2000488
- Support sanlock VG automated recovery on storage access loss 1/2
Resolves: rhbz#1985000
- Revert "Support sanlock VG automated recovery on storage access loss"
Resolves: rhbz#1985000
- Support sanlock VG automated recovery on storage access loss
Resolves: rhbz#1985000
- radius: Lexical sort of service-specific corenet rules by service name
Resolves: rhbz#1924038
- radius: Allow binding to the BDF Control and Echo ports
Resolves: rhbz#1924038
- radius: Allow binding to the DHCP client port
Resolves: rhbz#1924038
- radius: Allow net_raw; allow binding to the DHCP server ports
Resolves: rhbz#1924038
- Support hitless reloads feature in haproxy
Resolves: rhbz#2015423
- Allow redis get attributes of filesystems with extended attributes
Resolves: rhbz#2015435
- Support sanlock VG automated recovery on storage access loss 2/2
Resolves: rhbz#1985000
- Revert "Support sanlock VG automated recovery on storage access loss"
Resolves: rhbz#1985000

* Wed Oct 20 2021 Zdenek Pytela - 3.14.3-82
- Support sanlock VG automated recovery on storage access loss
Resolves: rhbz#1985000
- Allow proper function sosreport in sysadmin role
Resolves: rhbz#1965251
- Allow systemd execute user bin files
Resolves: rhbz#1860443
- Label /dev/crypto/nx-gzip with accelerator_device_t
Resolves: rhbz#2011166
- Allow ipsec_t and login_userdomain named file transition in tmpfs
Resolves: rhbz#2001599
- Support sanlock VG automated recovery on storage access loss
Resolves: rhbz#1985000
- Allow proper function sosreport via iotop
Resolves: rhbz#1965251
- Call pkcs_tmpfs_named_filetrans for certmonger
Resolves: rhbz#2001599
- Allow ibacm the net_raw and sys_rawio capabilities
Resolves: rhbz#2010644
- Support new PING_CHECK health checker in keepalived
Resolves: rhbz#2010873
- Update spamassassin policy to make working /usr/share/spamassassin/sa-update.cron script
Resolves: rhbz#2011239

* Mon Oct 04 2021 Zdenek Pytela - 3.14.3-81
- Allow unconfined domains to bpf all other domains
Resolves: rhbz#1991443
- Allow vmtools_unconfined_t domain transition to rpm_script_t
Resolves: rhbz#1872245
- Allow unbound connectto unix_stream_socket
Resolves: rhbz#1905441
- Label /usr/sbin/virtproxyd as virtd_exec_t
Resolves: rhbz#1854332
- Allow postfix_domain to sendto unix dgram sockets.
Resolves: rhbz#1920521

* Thu Sep 16 2021 Zdenek Pytela - 3.14.3-80
- Allow rhsmcertd_t dbus chat with anaconda install_t
Resolves: rhbz#2004990

* Fri Aug 27 2021 Zdenek Pytela - 3.14.3-79
- Introduce xdm_manage_bootloader boolean
Resolves: rhbz#1994096
- Rename samba_exec() to samba_exec_net()
Resolves: rhbz#1855215
- Allow sssd to set samba setting
Resolves: rhbz#1855215
- Allow dirsrv read slapd tmpfs files
Resolves: rhbz#1843238
- Allow rhsmcertd to create cache file in /var/cache/cloud-what
Resolves: rhbz#1994718

* Wed Aug 25 2021 Zdenek Pytela - 3.14.3-78
- Label /usr/bin/Xwayland with xserver_exec_t
Resolves: rhbz#1984584
- Label /usr/libexec/gdm-runtime-config with xdm_exec_t
Resolves: rhbz#1984584
- Allow D-bus communication between avahi and sosreport
Resolves: rhbz#1916397
- Allow lldpad send to kdumpctl over a unix dgram socket
Resolves: rhbz#1979121
- Revert "Allow lldpad send to kdump over a unix dgram socket"
Resolves: rhbz#1979121
- Allow chronyc respond to a user chronyd instance
Resolves: rhbz#1993104
- Allow ptp4l respond to pmc
Resolves: rhbz#1993104
- Allow lldpad send to unconfined_t over a unix dgram socket
Resolves: rhbz#1993270

* Thu Aug 12 2021 Zdenek Pytela - 3.14.3-77
- Revert "update libs_filetrans_named_content() to have support for /usr/lib/debug directory"
Resolves: rhbz#1887739
- Allow sysadm to read/write scsi files and manage shadow
Resolves: rhbz#1956302
- Allow rhsmcertd execute gpg
Resolves: rhbz#1887572
- Allow lldpad send to kdump over a unix dgram socket
Resolves: rhbz#1979121
- Remove glusterd SELinux module from distribution policy
Resolves: rhbz#1816718

* Tue Aug 10 2021 Zdenek Pytela - 3.14.3-76
- Allow login_userdomain read and map /var/lib/systemd files
Resolves: rhbz#1965251
- Allow sysadm access to kernel module resources
Resolves: rhbz#1965251
- Allow sysadm to read/write scsi files and manage shadow
Resolves: rhbz#1965251
- Allow sysadm access to files_unconfined and bind rpc ports
Resolves: rhbz#1965251
- Allow sysadm read and view kernel keyrings
Resolves: rhbz#1965251
- Allow bootloader to read tuned etc
filesResolves: rhbz#1965251- Update the policy for systemd-journal-uploadResolves: rhbz#1913414- Allow journal mmap and read var lib filesResolves: rhbz#1965251- Allow tuned to read rhsmcertd config filesResolves: rhbz#1965251- Allow bootloader to read tuned etc filesResolves: rhbz#1965251- Confine rhsm service and rhsm-facts service as rhsmcertd_tResolves: rhbz#1846081- Allow virtlogd_t read process state of user domainsResolves: rhbz#1797899- Allow cockpit_ws_t get attributes of fs_t filesystemsResolves: rhbz#1979182 * Thu Jul 29 2021 Zdenek Pytela - 3.14.3-75- Add the unconfined_dgram_send() interfaceResolves: rhbz#1978562- Change dev_getattr_infiniband_dev() to use getattr_chr_files_pattern()Resolves: rhbz#1936522- Add checkpoint_restore cap2 capabilityResolves: rhbz#1973325- Allow fcoemon talk with unconfined user over unix domain datagram socketResolves: rhbz#1978562- Allow hostapd bind UDP sockets to the dhcpd portResolves: rhbz#1977676- Allow NetworkManager read and write z90crypt deviceResolves: rhbz#1938203- Allow abrt_domain read and write z90crypt deviceResolves: rhbz#1938203- Label /usr/lib/pcs/pcs_snmp_agent with cluster_exec_tResolves: rhbz#1937111- Allow mdadm read iscsi pid filesResolves: rhbz#1924716 * Fri Jul 16 2021 Zdenek Pytela - 3.14.3-74- Allow dyntransition from sshd_t to unconfined_tResolves: rhbz#1947841 * Wed Jul 14 2021 Zdenek Pytela - 3.14.3-73- Removed adding to attribute unpriv_userdomain from userdom_unpriv_type templateResolves: rhbz#1947841- Allow transition from xdm domain to unconfined_t domain.Resolves: rhbz#1947841- Allow nftables read NetworkManager unnamed pipesResolves: rhbz#1967857- Create a policy for systemd-journal-uploadResolves: rhbz#1913414- Add dev_getattr_infiniband_dev() interface.Resolves: rhbz#1972522- Allow tcpdump and nmap get attributes of infiniband_device_tResolves: rhbz#1972522- Allow fcoemon create sysfs filesResolves: rhbz#1978562- Allow nftables read NetworkManager unnamed pipesResolves: rhbz#1967857- 
Allow radius map its library filesResolves: rhbz#1854650- Allow arpwatch get attributes of infiniband_device_t devicesResolves: rhbz#1936522 * Tue Jun 29 2021 Zdenek Pytela - 3.14.3-72- Allow systemd-sleep get attributes of fixed disk device nodesResolves: rhbz#1931460- Allow systemd-sleep create hardware state information filesResolves: rhbz#1968610- virtiofs supports Xattrs and SELinuxResolves: rhbz#1899703- Label 4460/tcp port as ntske_port_tResolves: rhbz#1961207- Add the miscfiles_map_generic_certs macro to the sysnet_dns_name_resolve macro.Resolves: rhbz#1961207- Allow chronyd_t to accept and make NTS-KE connectionsResolves: rhbz#1961207- Dontaudit NetworkManager write to initrc_tmp_t pipesResolves: rhbz#1963162- Allow logrotate rotate container log filesResolves: rhbz#1892170- Allow rhsmd read process state of all domains and kernel threadsResolves: rhbz#1878020 * Tue Jun 15 2021 Zdenek Pytela - 3.14.3-71- Allow nmap create and use rdma socketResolves: rhbz#1844530- Label /.k5identity file allow read of this file to rpc.gssdResolves: rhbz#1951093- Label /var/lib/kdump with kdump_var_lib_tResolves: rhbz#1965985- Label /run/libvirt/common with virt_common_var_run_tResolves: rhbz#1966842 * Wed Jun 09 2021 Zdenek Pytela - 3.14.3-70- Allow using opencryptoki for ipsecResolves: rhbz#1894132- Remove all kernel_getattr_proc() interface callsResolves: rhbz#1967125- Allow domain stat /proc filesystemResolves: rhbz#1967125- Allow pkcs-slotd create and use netlink_kobject_uevent_socketResolves: rhbz#1969725- Label var.lib.opencryptoki. 
* files and create pkcs_tmpfs_filetrans()Resolves: rhbz#1894132- Allow using opencryptoki for certmongerResolves: rhbz#1894132- install_t: Allow NoNewPriv transition from systemdResolves: rhbz#1955547- Remove all kernel_getattr_proc() interface callsResolves: rhbz#1967125- Allow httpd_sys_script_t read, write, and map hugetlbfs filesResolves: rhbz#1966133 * Wed Jun 02 2021 Zdenek Pytela - 3.14.3-69- Add /var/usrlocal equivalency ruleResolves: rhbz#1943381- Label \'/var/usrlocal/(. */)?sbin(/. *)?\' as bin_tResolves: rhbz#1943381- Label /dev/trng with random_device_tResolves: rhbz#1934483- Allow systemd-sleep transition to sysstat_tResolves: rhbz#1927551- Allow systemd-sleep transition to tlp_tResolves: rhbz#1927551- Allow systemd-sleep transition to unconfined_service_t on bin_t executablesResolves: rhbz#1927551- Allow systemd-sleep execute generic programsResolves: rhbz#1948070- Allow systemd-sleep execute shellResolves: rhbz#1954358- Allow nsswitch_domain read init pid lnk_filesResolves: rhbz#1860924- Introduce logging_syslogd_list_non_security_dirs tunableResolves: rhbz#1823669- Add sysstat_domtrans() to allow systemd-sleep transition to sysstat_tResolves: rhbz#1927551- Change param description in cron interfaces to userdomain_prefixResolves: rhbz#1801249- Add missing declaration in rpm_named_filetrans()Resolves: rhbz#1801249 * Thu May 20 2021 Zdenek Pytela - 3.14.3-68- Allow pluto IKEv2 / ESP over TCPResolves: rhbz#1931848- Label SDC(scini) Dell DriverResolves: rhbz#1936882- Add file context specification for /var/tmp/tmp-instResolves: rhbz#1919253- Allow virtlogd_t to create virt_var_lockd_t dirResolves: rhbz#1941464- Allow cups-lpd read its private runtime socket filesResolves: rhbz#1919399 * Mon Mar 15 2021 Zdenek Pytela - 3.14.3-67- Allow systemd the audit_control capability conditionallyResolves: rhbz#1861771 * Thu Mar 04 2021 Zdenek Pytela - 3.14.3-66- Disallow user_t run su/sudo and staff_t run suResolves: rhbz#1907517 * Mon Feb 22 2021 Zdenek Pytela - 
3.14.3-65- Relabel /usr/sbin/charon-systemd as ipsec_exec_tResolves: rhbz#1889542 * Wed Feb 17 2021 Zdenek Pytela - 3.14.3-64- Allow unconfined_t and kprop_t to create krb5_0.rcache2 with the right contextResolves: rhbz#1874527Resolves: rhbz#1877044- Allow rhsmcertd bind tcp sockets to a generic nodeResolves: rhbz#1923985- Allow ipsec_mgmt_t mmap ipsec_conf_file_t filesResolves: rhbz#1889542- Allow strongswan start using swanctl methodResolves: rhbz#1889542- Allow systemd-importd manage machines.lock fileResolves: rhbz#1788055 * Thu Feb 11 2021 Zdenek Pytela - 3.14.3-63- Allow rtkit_daemon_t domain set process nice value in user namespacesResolves: rhbz#1910507- Allow gpsd read and write ptp4l_t shared memory.Resolves: rhbz#1803845- Label /var/run/pcsd-ruby.socket socket with cluster_var_run_t typeResolves: rhbz#1804626- Allow Certmonger to use opencryptoki servicesResolves: rhbz#1894132- Dontaudit vhostmd to write in /var/lib/rpm/ dir and allow signull rpmResolves: rhbz#1815603- Allow rhsmcertd_t read kpatch lib filesResolves: rhbz#1895322- Allow ipsec_t connectto ipsec_mgmt_tResolves: rhbz#1848355- Allow IPsec to use opencryptoki servicesResolves: rhbz#1894132- Allow systemd-importd create /run/systemd/machines.lock fileResolves: rhbz#1788055 * Fri Jan 29 2021 Zdenek Pytela - 3.14.3-62- Allow rhsmcertd_t domain transition to kpatch_tResolves: rhbz#1895322- Revert \"Add kpatch_exec() interface\"Resolves: rhbz#1895322- Revert \"Allow rhsmcertd execute kpatch\"Resolves: rhbz#1895322- Dontaudit NetworkManager_t domain to write to kdump temp pipiesResolves: rhbz#1842897- Allow NetworkManager_t domain to get status of samba servicesResolves: rhbz#1781806- Allow openvswitch create and use xfrm netlink socketsResolves: rhbz#1916046- Allow openvswitch_t perf_event write permissionResolves: rhbz#1916046- Add write_perf_event_perms object permission setRelated: rhbz#1916046 * Wed Jan 27 2021 Zdenek Pytela - 3.14.3-61- Add kpatch_exec() interfaceResolves: rhbz#1895322- Allow 
rhsmcertd execute kpatchResolves: rhbz#1895322- Allow openvswitch_t perf_event open permissionResolves: rhbz#1916046- Allow openvswitch fowner capability and create netlink socketsResolves: rhbz#1883980- Add net_broadcast capability to openvswitch_t domainResolves: rhbz#1883980- Update interface modutils_read_module_deps to allow caller domain also mmap modules_dep_t filesResolves: rhbz#1883980- Allow machinectl to run pull-tarResolves: rhbz#1788055 * Wed Jan 13 2021 Zdenek Pytela - 3.14.3-60- Allow wireshark create and use rdma socketResolves: rhbz#1844370- Allow to use nnp_transition in pulseaudio_roleResolves: rhbz#1854471- Allow certmonger fsetid capabilityResolves: rhbz#1873211- Add rsync_sys_admin tunable to allow rsync sys_admin capabilityResolves: rhbz#1889673- Allow sysadm read and write /dev/rfkillResolves: rhbz#1831630- Allow staff_u run pam_console_applyResolves: rhbz#1817690- Label /dev/vhost-vdpa-[0-9]+ as vhost_device_tResolves: rhbz#1907485 * Thu Dec 17 2020 Zdenek Pytela - 3.14.3-59- Add cron_dbus_chat_system_job() interfaceResolves: rhbz#1883906- Dontaudit firewalld dac_override capabilityResolves: rhbz#1759010- Allow tcsd the setgid capabilityResolves: rhbz#1898694- Allow timedatex dbus chat with cron system domainResolves: rhbz#1883906- Allow systemd_hostnamed_t domain to dbus chat with sosreport_t domainResolves: rhbz#1854299- Allow pcp-pmcd manage perf_eventsResolves: rhbz#1901958- Label /dev/isst_interface as cpu_device_tResolves: rhbz#1902227- Allow ipsec set the context of a SPD entry to the default contextResolves: rhbz#1880474- Allow sysadm_u user and unconfined_domain_type manage perf_eventsResolves: rhbz#1901958- Add manage_perf_event_perms object permissions setResolves: rhbz#1901958- Add perf_event access vectors.Resolves: rhbz#1901958- Remove \"ipa = module\" from modules-targeted-contrib.confResolves: rhbz#1461914 * Thu Dec 03 2020 Zdenek Pytela - 3.14.3-58- Allow kexec manage generic tmp filesResolves: rhbz#1896424- Update 
systemd-sleep policyResolves: rhbz#1850177- Add groupadd_t fowner capabilityResolves: rhbz#1884179 * Tue Nov 24 2020 Zdenek Pytela - 3.14.3-57- Allow dovecot bind to smtp portsResolves: rhbz#1881884- Change fetchmail temporary files path to /var/spool/mailResolves: rhbz#1853389- Set file context for symlinks in /etc/httpd to etc_tResolves: rhbz#1900650- Allow dnsmasq read public filesResolves: rhbz#1782539- Fix range for unreserved portsResolves: rhbz#1794531- Introduce logging_syslogd_append_public_content tunableResolves: rhbz#1823672- Add files_search_non_security_dirs() interfaceResolves: rhbz#1823672- Add miscfiles_append_public_files() interfaceResolves: rhbz#1823672 * Thu Nov 12 2020 Zdenek Pytela - 3.14.3-56- Let keepalived bind a raw socketResolves: rhbz#1895130- Add fetchmail_uidl_cache_t type for /var/mail/.fetchmail.pidResolves: rhbz#1853389- Allow arpwatch create and use rdma socketResolves: rhbz#1843409- Set correct default file context for /usr/libexec/pcp/lib/ *Resolves: rhbz#1886369- Allow systemd-logind manage efivarfs filesResolves: rhbz#1869979- Allow systemd_resolved_t to read efivarfsResolves: rhbz#1869979- Allow systemd_modules_load_t to read efivarfsResolves: rhbz#1869979- Allow read efivarfs_t files by domains executing systemctl fileResolves: rhbz#1869979- Introduce systemd_read_efivarfs_type attributeResolves: rhbz#1869979 * Mon Oct 26 2020 Zdenek Pytela - 3.14.3-55- Allow init dbus chat with kernelResolves: rhbz#1694681- Confine systemd-sleep serviceResolves: rhbz#1850177- Add default file context for /usr/libexec/pcp/lib/ *Resolves: rhbz#1886369- Allow rtkit_daemon_t to uise sys_ptrace usernamespace capabilityResolves: rhbz#1873658- Add fstools_rw_swap_files() interfaceResolves: rhbz#1850177 * Thu Sep 17 2020 Zdenek Pytela - 3.14.3-54- Allow plymouth sys_chroot capabilityResolves: rhbz#1869814 * Sun Aug 23 2020 Zdenek Pytela - 3.14.3-53- Allow certmonger fowner capabilityResolves: rhbz#1870596- Define named file transition for saslauthd 
on /tmp/krb5_0.rcache2Resolves: rhbz#1870300- Label /usr/libexec/qemu-pr-helper with virtd_exec_tResolves: rhbz#1867115 * Thu Aug 13 2020 Zdenek Pytela - 3.14.3-52- Add ipa_helper_noatsecure() interface unconditionallyResolves: rhbz#1853432- Conditionally allow nagios_plugin_domain dbus chat with initResolves: rhbz#1750821- Revert \"Update allow rules set for nrpe_t domain\"Resolves: rhbz#1750821- Add ipa_helper_noatsecure() interface to ipa.ifResolves: rhbz#1853432- Allow tomcat map user temporary filesResolves: rhbz#1857675- Allow tomcat manage user temporary filesResolves: rhbz#1857675- Add file context for /sys/kernel/tracingResolves: rhbz#1847331- Define named file transition for sshd on /tmp/krb5_0.rcache2Resolves: rhbz#1848953 * Mon Aug 03 2020 Zdenek Pytela - 3.14.3-51- Allow kadmind manage kerberos host rcacheResolves: rhbz#1863043- Allow virtlockd only getattr and lock block devicesResolves: rhbz#1832756- Allow qemu-ga read all non security file types conditionallyResolves: rhbz#1747960- Allow virtlockd manage VMs posix file locksResolves: rhbz#1832756- Add dev_lock_all_blk_files() interfaceResolves: rhbz#1832756- Allow systemd-logind dbus chat with fwupdResolves: rhbz#1851932- Update xserver_rw_session macroResolves: rhbz#1851448 * Wed Jul 29 2020 Zdenek Pytela - 3.14.3-50- Revert \"Allow qemu-kvm read and write /dev/mapper/control\"This reverts commit f948eaf3d010215fc912e42013e4f88870279093.- Allow smbd get attributes of device files labeled samba_share_tResolves: rhbz#1851816- Allow tomcat read user temporary filesResolves: rhbz#1857675- Revert \"Dontaudit and disallow sys_admin capability for keepalived_t domain\"Resolves: rhbz#1815281- Label /tmp/krb5_0.rcache2 with krb5_host_rcache_tResolves: rhbz#1848953- Allow auditd manage kerberos host rcache filesResolves: rhbz#1855770 * Thu Jul 09 2020 Zdenek Pytela - 3.14.3-49- Additional support for keepalived running in a namespaceResolves: rhbz#1815281- Allow keepalived manage its private type runtime 
directoriesResolves: rhbz#1815281- Run ipa_helper_noatsecure(oddjob_t) only if the interface existsResolves: rhbz#1853432- Allow oddjob_t process noatsecure permission for ipa_helper_tResolves: rhbz#1853432- Allow domain dbus chat with systemd-resolvedResolves: rhbz#1852378- Define file context for /var/run/netns directory onlyRelated: rhbz#1815281 * Mon Jun 29 2020 Zdenek Pytela - 3.14.3-48- Allow systemd_private_tmp(dirsrv_tmp_t) instead of dirsrv_tResolves: rhbz#1836820 * Mon Jun 29 2020 Zdenek Pytela - 3.14.3-47- Allow virtlogd_t manage virt lib filesResolves: rhbz#1832756- Allow pdns server to read system stateResolves: rhbz#1801214- Support systemctl --user in machinectlResolves: rhbz#1788616- Allow chkpwd_t read and write systemd-machined devpts character nodesResolves: rhbz#1788616- Allow init_t write to inherited systemd-logind sessions pipesResolves: rhbz#1788616- Label systemd-growfs and systemd-makefs as fsadm_exec_tResolves: rhbz#1820798- Allow staff_u and user_u setattr generic usb devicesResolves: rhbz#1783325- Allow sysadm_t dbus chat with accountsdResolves: rhbz#1828809 * Tue Jun 23 2020 Zdenek Pytela - 3.14.3-46- Fix description tag for the sssd_connect_all_unreserved_ports tunableRelated: rhbz#1826748- Allow journalctl process set its resource limitsResolves: rhbz#1825894- Add sssd_access_kernel_keys tunable to conditionally access kernel keysResolves: rhbz#1802062- Make keepalived work with network namespacesResolves: rhbz#1815281- Create sssd_connect_all_unreserved_ports booleanResolves: rhbz#1826748- Allow hypervkvpd to request kernel to load a moduleResolves: rhbz#1842414- Allow systemd_private_tmp(dirsrv_tmp_t)Resolves: rhbz#1836820- Allow radiusd connect to gssproxy over unix domain stream socketResolves: rhbz#1813572- Add fwupd_cache_t file context for \'/var/cache/fwupd(/. 
*)?\'Resolves: rhbz#1832231- Modify kernel_rw_key() not to include append permissionRelated: rhbz#1802062- Add kernel_rw_key() interface to access to kernel keyringsRelated: rhbz#1802062- Modify systemd_delete_private_tmp() to use delete_ *_pattern macrosResolves: rhbz#1836820- Allow systemd-modules to load kernel modulesResolves: rhbz#1823246- Add cachefiles_dev_t as a typealias to cachefiles_device_tResolves: rhbz#1814796 * Mon Jun 15 2020 Zdenek Pytela - 3.14.3-45- Remove files_mmap_usr_files() call for particular domainsRelated: rhbz#1801214- Allow dirsrv_t list cgroup directoriesResolves: rhbz#1836795- Create the kerberos_write_kadmind_tmp_files() interfaceRelated: rhbz#1841488- Allow realmd_t dbus chat with accountsd_tResolves: rhbz#1792895- Allow nagios_plugin_domain execute programs in bin directoriesResolves: rhbz#1815621- Update allow rules set for nrpe_t domainResolves: rhbz#1750821- Allow Gluster mount client to mount files_typeResolves: rhbz#1753626- Allow qemu-kvm read and write /dev/mapper/controlResolves: rhbz#1835909- Introduce logrotate_use_cifs booleanResolves: rhbz#1795923- Allow ptp4l_t sys_admin capability to run bpf programsResolves: rhbz#1759214- Allow rhsmd mmap /etc/passwdResolves: rhbz#1814644- Remove files_mmap_usr_files() call for systemd_localed_tRelated: rhbz#1801214- Allow domain mmap usr_t filesResolves: rhbz#1801214- Allow libkrb5 lib read client keytabsResolves: rhbz#1831769- Add files_dontaudit_manage_boot_dirs() interfaceRelated: rhbz#1803868- Create files_create_non_security_dirs() interfaceRelated: rhbz#1840265- Add new interface dev_mounton_all_device_nodes()Related: rhbz#1840265- Add new interface dev_create_all_files()Related: rhbz#1840265- Allow sshd write to kadmind temporary filesResolves: rhbz#1841488- Create init_create_dirs boolean to allow init create directoriesResolves: rhbz#1832231- Do not audit staff_t and user_t attempts to manage boot_t entriesResolves: rhbz#1803868- Allow systemd to relabel all files on 
system.Resolves: rhbz#1818981- Make dbus-broker service working on s390x archResolves: rhbz#1840265 * Wed May 20 2020 Zdenek Pytela - 3.14.3-44- Make boinc_var_lib_t label system mountdir attributeResolves: rhbz#1779070- Allow aide to be executed by systemd with correct (aide_t) domainResolves: rhbz#1814809- Allow chronyc_t domain to use nsswitchResolves: rhbz#1772852- Allow nscd_socket_use() for domains in nscd_use() unconditionallyResolves: rhbz#1772852- Allow gluster geo-replication in rsync modeResolves: rhbz#1831109- Update networkmanager_read_pid_files() to allow also list_dir_permsResolves: rhbz#1781818- Allow associating all labels with CephFSResolves: bz#1814689- Allow tcpdump sniffing offloaded (RDMA) trafficResolves: rhbz#1834773 * Fri Apr 17 2020 Zdenek Pytela - 3.14.3-43- Update radiusd policyResolves: rhbz#1803407- Allow sssd read NetworkManager\'s runtime directoryResolves: rhbz#1781818- Label /usr/lib/NetworkManager/dispatcher as NetworkManager_initrc_exec_tResolves: rhbz#1777506- Allow ipa_helper_t to read kr5_keytab_t filesResolves: rhbz#1769423- Add ibacm_t ipc_lock capabilityResolves: rhbz#1754719- Allow opafm_t to create and use netlink rdma sockets.Resolves: rhbz#1786670- Allow ptp4l_t create and use packet_socket socketsResolves: rhbz#1759214- Update ctdbd_t policyResolves: rhbz#1735748- Allow glusterd synchronize between master and slaveResolves: rhbz#1824662- Allow auditd poweroff or switch to single modeResolves: rhbz#1826788- Allow init_t set the nice level of all domainsResolves: rhbz#1819121- Label /etc/sysconfig/ip6?tables\\.save as system_conf_tResolves: rhbz#1776873- Add file context entry and file transition for /var/run/pam_timestampResolves: rhbz#1791957 * Wed Apr 08 2020 Zdenek Pytela - 3.14.3-42- Allow ssh-keygen create file in /var/lib/glusterdResolves: rhbz#1816663- Update ctdbd_manage_lib_files() to also allow mmap ctdbd_var_lib_t filesResolves: rhbz#1819243- Remove container interface calling by named_filetrans_domain.- 
Makefile: fix tmp/%.mod.fc targetResolves: rhbz#1821191 * Mon Mar 16 2020 Zdenek Pytela - 3.14.3-41- Allow NetworkManager read its unit files and manage services- Mark nm-cloud-setup systemd units as NetworkManager_unit_file_tResolves: rhbz#1806894 * Tue Feb 18 2020 Lukas Vrabec - 3.14.3-40- Update virt_read_qemu_pid_files intefaceResolves: rhbz#1782925 * Sat Feb 15 2020 Lukas Vrabec - 3.14.3-39- Allow vhostmd communication with hosted virtual machines- Add and update virt interfacesResolves: rhbz#1782925 * Tue Jan 28 2020 Zdenek Pytela - 3.14.3-38- Dontaudit timedatex_t read file_contexts_t and validate security contextsResolves: rhbz#1779098 * Tue Jan 21 2020 Lukas Vrabec - 3.14.3-37- Make stratisd_t domain unconfined for RHEL-8.2Resolves: rhbz#1791557- stratisd_t policy updatesResolves: rhbz#1791557 * Thu Jan 16 2020 Lukas Vrabec - 3.14.3-36- Label /stratis as stratisd_data_tResolves: rhbz#1791557 * Tue Jan 14 2020 Lukas Vrabec - 3.14.3-35- Allow stratisd_t domain to read/write fixed disk devices and removable devices.Resolves: rhbz#1790795 * Mon Jan 13 2020 Lukas Vrabec - 3.14.3-34- Added macro for stratisd to chat over dbus- Add dac_override capability to stratisd_t domain- Allow userdomain to chat with stratisd over dbus.Resolves: rhbz#1787298 * Fri Jan 10 2020 Lukas Vrabec - 3.14.3-33- Update files_create_var_lib_dirs() interface to allow caller domain also set attributes of var_lib_t directoryResolves: rhbz#1778126 * Wed Jan 08 2020 Lukas Vrabec - 3.14.3-32- Allow create udp sockets for abrt_upload_watch_t domainsResolves: rhbz#1777761 * Wed Jan 08 2020 Lukas Vrabec - 3.14.3-31- Allow sssd_t domain to read kernel net sysctlsResolves: rhbz#1777042 * Fri Dec 13 2019 Zdenek Pytela - 3.14.3-30- Allow userdomain dbus chat with systemd_resolved_tResolves: rhbz#1773463- Allow init_t read and setattr on /var/lib/fprintdResolves: rhbz#1781696- Allow sysadm_t dbus chat with colord_tResolves: rhbz#1772669- Allow confined users run fwupdmgrResolves: rhbz#1772619- Allow 
confined users run machinectlResolves: rhbz#1772625- Allow systemd labeled as init_t domain to create dirs labeled as var_tResolves: rhbz#1778126- Allow systemd labeled as init_t domain to manage faillog_t objectsResolves: rhbz#1671019- Add fprintd_read_var_lib_dir and fprintd_setattr_var_lib_dir interfacesResolves: rhbz#1781696- Allow pulseaudio create .config and dgram sendto to unpriv_userdomainResolves: rhbz#1703231- Allow abrt_dump_oops_t domain to create udp sockets BZ(1778030)Resolves: rhbz#1777761- Change type in transition for /var/cache/{dnf,yum} directoryResolves: rhbz#1686833- Revert \"Update zebra SELinux policy to make it work also with frr service\"This reverts commit 73653250a252ad6eefcb3aae00749017e396ab8d.- Revert \"Label only regular files inside /usr/lib/frr direcotry as zebra_exec_t\"This reverts commit a19eb1021cbd6c637344954cead54caae081e07c.- Allow stratis_t domain to request load modulesResolves: rhbz#1726259- Allow stratisd to connect to dbusResolves: rhbz#1726259- Run stratisd service as stratisd_tResolves: rhbz#1726259- Add support for smart card authentication in cockpit BZ(1690444)Resolves: rhbz#1771414- cockpit: Support split-out TLS proxyResolves: rhbz#1771414- cockpit: Allow cockpit-session to read cockpit-tls stateResolves: rhbz#1771414- Update cockpit policyResolves: rhbz#1771414- cockpit: Support https instance factoryResolves: rhbz#1771414- cockpit: Allow cockpit-session to read cockpit-tls state directoryResolves: rhbz#1771414- Fix nonexisting types in rtas_errd_rw_lock interfaceResolves: rhbz#1744234 * Wed Nov 27 2019 Lukas Vrabec - 3.14.3-29- Allow timedatex_t domain to read relatime clock and adjtime_t filesResolves: rhbz#1771513 * Fri Nov 22 2019 Lukas Vrabec - 3.14.3-28- Update timedatex policy to add macrosResolves: rhbz#1771513 * Fri Nov 15 2019 Lukas Vrabec - 3.14.3-27- Allow timedatex_t domain dbus chat with both confined and unconfined usersResolves: rhbz#1771513- Fix typo bugs in rtas_errd_read_lock() 
interfaceResolves: rhbz#1750096- Allow timedatex_t domain to systemctl chronyd domainsResolves: rhbz#1771513- Fix typo in dev_filetrans_all_named_dev()Resolves: rhbz#1750096 * Mon Nov 11 2019 Lukas Vrabec - 3.14.3-26- New policy for rrdcachedResolves: rhbz#1726255- Update timedatex policy- Update timedatex SELinux policy to to sychronizate time with GNOME and add new macro chronyd_service_status to chronyd.if- Add new macro systemd_timedated_status to systemd.if to get timedated service statusResolves: rhbz#1730204- Update lldpad_t policy moduleResolves: rhbz#1726246- Dontaudit sandbox web types to setattr lib_t dirsResolves: rhbz#1739858- Fix typo in cachefiles deviceResolves: rhbz#1750096 * Thu Nov 07 2019 Lukas Vrabec - 3.14.3-25- Allow sssd_t domain to read gnome config and named cache filesResolves: rhbz#1743907- Allow httpd_t to signull mailman_cgi_t processResolves: rhbz#1686462- Update virt_read_content interface to allow caller domain mmap virt_content_t block devices and filesResolves: rhbz#1758545- Allow cachefilesd_t domain to read/write cachefiles_device_t devicesResolves: rhbz#1750096- Remove setting label for /dev/cachefilesd char device from cachefilesd policy. 
This should be added in base policyResolves: rhbz#1750096- Allow pcp_pmcd_t domain to bind on udp port labeled as statsd_port_tResolves:rhbz#1746511- Label libvirt drivers as virtd_exec_tResolves: rhbz#1745076- Update apache and pkcs policies to make active opencryptoki rulesResolves: rhbz#1744198- Introduce new bolean httpd_use_opencryptokiResolves: rhbz#1744198- Allow gssproxy_t domain read state of all processes on systemResolves: rhbz#1752031- Dontaudit tmpreaper_t getting attributes from sysctl_type filesResolves: rhbz#1730204- Added macro for timedatex to chat over dbus.Resolves: rhbz#1730204- Run timedatex service as timedatex_tResolves: rhbz#1730204- Run lldpd service as lldpad_t.Resolves: rhbz#1726246- Allow abrt_upload_watch_t domain to send dgram msgs to kernel processes and stream connect to journald- Allow tmpreaper_t domain to getattr files labeled as mtrr_device_tResolves: rhbz#1765065- Allow rhsmcertd_t domain to read/write rtas_errd_var_lock_t filesResolves: rhbz#1744234- Allow tmpwatch process labeled as tmpreaper_t domain to execute fuser command.Resolves: rhbz#1765065- Update tmpreaper_t policy due to fuser commandResolves: rhbz#1765065- Allow fail2ban_t domain to create netlink netfilter sockets.Resolves: rhbz#1766415- Label /dev/cachefilesd as cachefiles_device_tResolves: rhbz#1750096- Label udp 8125 port as statsd_port_tResolves: rhbz#1746511- Allow systemd(init_t) to load kernel modulesResolves: rhbz#1758255- Dontaudit sys_admin capability for auditd_t domainsResolves: rhbz#1669040- Allow x_userdomain to dbus_chat with timedatex.Resolves: rhbz#1730204 * Fri Oct 25 2019 Lukas Vrabec - 3.14.3-24- Allow confined users to run newaliasesResolves:rhbz#1750405- Add interface mysql_dontaudit_rw_db()Resolves: rhbz#1747926- Label /var/lib/xfsdump/inventory as amanda_var_lib_tResolves: rhbz#1739137- Allow tmpreaper_t domain to read all domains stateResolves: rhbz#1765065- Allow ipa_ods_exporter_t domain to read krb5_keytab filesResolves: rhbz#1759900- 
Allow rhsmcertd_t domain to read rtas_errd lock files
Resolves: rhbz#1744234
- Add new interface rtas_errd_read_lock()
Resolves: rhbz#1744234
- Dontaudit ifconfig_t domain to read/write mysqld_db_t files
Resolves: rhbz#1747926

* Thu Oct 17 2019 Lukas Vrabec - 3.14.3-23
- Label only regular files inside /usr/lib/frr directory as zebra_exec_t
Resolves: rhbz#1714984
- Dontaudit and disallow sys_admin capability for keepalived_t domain
Resolves: rhbz#1729174
- Allow processes labeled as keepalived_t domain to get process group
Resolves: rhbz#1746955

* Mon Oct 14 2019 Lukas Vrabec - 3.14.3-22
- Allow ldconfig_t domain to manage initrc_tmp_t link files
  Allow netutils_t domain to write to initrc_tmp_t fifo files
Resolves: rhbz#1756006
- Allow user domains to manage user session services
Resolves: rhbz#1727887
- Allow staff and user users to get status of user systemd session
Resolves: rhbz#1727887

* Fri Oct 11 2019 Lukas Vrabec - 3.14.3-21
- Allow user_mail_domain attribute to manage files labeled as etc_aliases_t.
Resolves: rhbz#1750405
- Allow dlm_controld_t domain to read random device
Resolves: rhbz#1752943
- Allow haproxy_t domain to read network state of system
Resolves: rhbz#1746974
- Allow avahi_t to send msg to lpr_t
Resolves: rhbz#1752843
- Create new type ipmievd_helper_t domain for loading kernel modules.
Resolves: rhbz#1673804
- networkmanager: allow NetworkManager_t to create bluetooth_socket
Resolves: rhbz#1747768
- Label /etc/named directory as named_conf_t
Resolves: rhbz#1759505
- Update aide_t domain to allow this tool to analyze also /dev filesystem
Resolves: rhbz#1758265
- Update zebra SELinux policy to make it work also with frr service
Resolves: rhbz#1714984
- Allow chronyd_t domain to manage and create chronyd_tmp_t dirs,files,sock_file objects.
Resolves: rhbz#1711909
- Allow chronyc_t domain to append to all non_security files
Resolves: rhbz#1696252
- Allow httpd_t domain to read/write named_cache_t files
Resolves: rhbz#1690484
- Add new interface bind_rw_cache()
Resolves: rhbz#1690484
- Label /var/run/mysql as mysqld_var_run_t
Resolves: rhbz#1687867
- Allow cupsd_t domain to create directory with name ppd in dirs labeled as cupsd_etc_t with label cupsd_rw_etc_t.
Resolves: rhbz#1612552
- Update cron_role, cron_admin_role and cron_unconfined_role to avoid *_t_t types
Resolves: rhbz#1647971
- Allow sandbox_web_type domains to sys_ptrace and sys_chroot in user namespaces
Resolves: rhbz#1663874
- Update gnome_dontaudit_read_config
Resolves: rhbz#1663874
- Update tomcat_can_network_connect_db boolean to allow tomcat domains also connect to redis ports
Resolves: rhbz#1687499
- Update keepalived policy
Resolves: rhbz#1728332
- Add sys_admin capability for keepalived_t labeled processes
Resolves: rhbz#1729174
- Fix abrt_upload_watch_t in abrt policy
Resolves: rhbz#1737419
- Label /dev/shm/dirsrv/ with dirsrv_tmpfs_t label
Resolves: rhbz#1737550
- Allow amanda_t to manage its var lib files and read random_device_t
Resolves: rhbz#1739137
- Allow zebrat_t domain to read state of NetworkManager_t processes BZ(1739983)
Resolves: rhbz#1743684
- Allow pesign_t domain to read/write named cache files.
Resolves: rhbz#1745429
- Allow login user type to use systemd user session
Resolves: rhbz#1727887
- Allow avahi_t to send msg to xdm_t
Resolves: rhbz#1755401
- Allow ldconfig_t domain to manage initrc_tmp_t objects
Resolves: rhbz#1756006
- Add new interface init_write_initrc_tmp_pipes()
- Add new interface init_manage_script_tmp_files()
- Add new interface udev_getattr_rules_chr_files()
- Run lvmdbusd service as lvm_t
Resolves: rhbz#1726166
- Label 2618/tcp and 2618/udp as priority_e_com_port_t
- Label 2616/tcp and 2616/udp as appswitch_emp_port_t
- Label 2615/tcp and 2615/udp as firepower_port_t
- Label 2610/tcp and 2610/udp as versa_tek_port_t
- Label 2613/tcp and 2613/udp as smntubootstrap_port_t
- Label 3784/tcp and 3784/udp as bfd_control_port_t
- Allow systemd labeled as init_t domain to remount rootfs filesystem
Resolves: rhbz#1698197
- Add interface files_remount_rootfs()
- New interface files_append_non_security_files()
- Allow domains systemd_networkd_t and systemd_logind_t to chat over dbus
Resolves: rhbz#1612552
- Update userdomains to pass correct parameters based on updates from cron_*_role interfaces
Resolves: rhbz#1647971
- Dontaudit sys_admin capability for iptables_t SELinux domain
Resolves: rhbz#1669040
- Allow systemd labeled as init_t domain to read/write faillog_t. BZ(1723132)
Resolves: rhbz#1671019
- Allow userdomains to dbus chat with policykit daemon
Resolves: rhbz#1727902
- Allow ipsec_t domain to read/write named cache files
Resolves: rhbz#1743777
- Add sys_admin capability for ipsec_t domain
Resolves: rhbz#1753662

* Mon Sep 16 2019 Lukas Vrabec - 3.14.3-20
- Label /var/log/hawkey.log as rpm_log_t and update rpm named filetrans interfaces.
- Allow sysadm_t to create hawkey log file with rpm_log_t SELinux label
Resolves: rhbz#1720639

* Fri Aug 30 2019 Lukas Vrabec - 3.14.3-19
- Update cpucontrol_t SELinux policy
Resolves: rhbz#1743930

* Mon Aug 19 2019 Lukas Vrabec - 3.14.3-18
- Allow dlm_controld_t domain to transition to the lvm_t
Resolves: rhbz#1732956

* Fri Aug 16 2019 Lukas Vrabec - 3.14.3-17
- Label /usr/libexec/microcode_ctl/reload_microcode as cpucontrol_exec_t
Resolves: rhbz#1669485
- Fix typo in networkmanager_append_log() interface
Resolves: rhbz#1687460
- Update gpg policy to make it working with confined users
Resolves: rhbz#1640296

* Wed Aug 14 2019 Lukas Vrabec - 3.14.3-16
- Allow audisp_remote_t domain to read kerberos keytab
Resolves: rhbz#1740146

* Mon Aug 12 2019 Lukas Vrabec - 3.14.3-15
- Dontaudit abrt_t domain to read root_t files
Resolves: rhbz#1734403
- Allow ipa_dnskey_t domain to read kerberos keytab
Resolves: rhbz#1730144
- Update ibacm_t policy
- Allow dlm_controld_t domain setgid capability
Resolves: rhbz#1738608
- Allow auditd_t domain to create auditd_tmp_t temporary files and dirs in /tmp or /var/tmp
Resolves: rhbz#1740146
- Update systemd_dontaudit_read_unit_files() interface to dontaudit also listing dirs
Resolves: rhbz#1670139

* Wed Aug 07 2019 Lukas Vrabec - 3.14.3-14
- Allow cgdcbxd_t domain to list cgroup dirs
Resolves: rhbz#1651991

* Mon Jul 29 2019 Lukas Vrabec - 3.14.3-13
- Allow search krb5_keytab_t dirs for interfaces kerberos_read_keytab() and kerberos_rw_keytab
Resolves: rhbz#1730144
- Allow virtlockd process read virtlockd.conf file
Resolves: rhbz#1733185
- Relabel /usr/sbin/virtlockd from virt_exec_t to virtlogd_exec_t.
Resolves: rhbz#1733185
- Allow brltty to request to load kernel module
Resolves: rhbz#1689955
- Add svnserve_tmp_t label for svnserve temp files to system private tmp
Resolves: rhbz#1729955
- Dontaudit svirt_tcg_t domain to read process state of libvirt
Resolves: rhbz#1732500
- Allow mysqld_t domain to domtrans to ifconfig_t domain when executing ifconfig tool
Resolves: rhbz#1732381
- Allow cyrus work with PrivateTmp
Resolves: rhbz#1725023
- Make cgdcbxd_t domain working with SELinux enforcing.
Resolves: rhbz#1651991
- Remove system_r role from staff_u user.
Resolves: rhbz#1677052
- Add systemd_private_tmp_type attribute
Resolves: rhbz#1725023
- Allow systemd to load kernel modules during boot process.
Resolves: rhbz#1644805

* Fri Jul 19 2019 Lukas Vrabec - 3.14.3-12
- Make working wireshark execute by confined users staff_t and sysadm_t
Resolves: rhbz#1712788
- Label user cron spool file with user_cron_spool_t
Resolves: rhbz#1727342
- Allow ptp4l_t domain to write to pmc socket which is created by pmc command line tool
Resolves: rhbz#1668667
- Update svnserve_t policy to make working svnserve hooks
Resolves: rhbz#1729955
- Allow varnishlog_t domain to check for presence of varnishd_t domains
Resolves: rhbz#1730270
- Allow lsmd_t domain to execute /usr/bin/debuginfo-install
Resolves: rhbz#1720648
- Update sandboxX policy to make working firefox inside SELinux sandbox
Resolves: rhbz#1663874
- Remove allow rule from svirt_transition_svirt_sandbox interface to don't allow containers to connect to random services
Resolves: rhbz#1695248
- Allow httpd_t domain to read /var/lib/softhsm/tokens to allow httpd daemon to use pkcs#11 devices
Resolves: rhbz#1690484
- Allow opafm_t domain to modify scheduling information of another process.
Resolves: rhbz#1725874
- Allow gssd_t domain to list tmpfs_t dirs
Resolves: rhbz#1674470
- Allow mdadm_t domain to read tmpfs_t files
Resolves: rhbz#1669996
- Allow sbd_t domain to check presence of processes labeled as cluster_t
Resolves: rhbz#1669595
- Dontaudit httpd_sys_script_t to read systemd unit files
Resolves: rhbz#1670139
- Allow blkmapd_t domain to read nvme devices
Resolves: rhbz#1669985
- Update cpucontrol_t domain to make working microcode service
Resolves: rhbz#1669485
- Allow domain transition from logwatch_t to postfix_postqueue_t
Resolves: rhbz#1669162
- Allow chronyc_t domain to create and write to non_security files in case when sysadmin is redirecting output to file e.g: 'chronyc -n tracking > /var/lib/test'
Resolves: rhbz#1696252
- Allow httpd_sys_script_t domain to mmap httpdcontent
Resolves: rhbz#1693137
- Allow sbd_t to manage cgroups_t files
Resolves: rhbz#1715134
- Update wireshark policy to make working tshark labeled as wireshark_t
Resolves: rhbz#1711005
- Update virt_use_nfs boolean to allow svirt_t domain to mmap nfs_t files
Resolves: rhbz#1719083
- Allow sbd_t domain to use nsswitch
Resolves: rhbz#1723498
- Allow sysadm_t and staff_t domains to read wireshark shared memory
Resolves: rhbz#1712788
- Label /usr/libexec/utempter/utempter as utemper_exec_t
Resolves: rhbz#1729571
- Allow unconfined_domain_type to setattr own process lnk files.
Resolves: rhbz#1730500
- Add interface files_write_generic_pid_sockets()
- Dontaudit writing to user home dirs by gnome-keyring-daemon
Resolves: rhbz#1689797
- Allow staff and admin domains to setpcap in user namespace
Resolves: rhbz#1673922
- Allow staff and sysadm to use lockdev
Resolves: rhbz#1673269
- Allow staff and sysadm users to run iotop.
Resolves: rhbz#1671241
- Dontaudit traceroute_t domain require sys_admin capability
Resolves: rhbz#1671672
- Dontaudit dbus chat between kernel_t and init_t
Resolves: rhbz#1669095
- Allow systemd labeled as init_t to create mountpoints without any specific label as default_t
Resolves: rhbz#1696144

* Wed Jul 10 2019 Lukas Vrabec - 3.14.3-11
- Fix minor changes to pass coverity scan
Resolves: rhbz#1728578

* Tue Jul 09 2019 Lukas Vrabec - 3.14.3-10
- Allow qpidd_t domain to getattr all fs_t filesystem and mmap usr_t files
- Label /var/kerberos/krb5 as krb5_keytab_t
Resolves: rhbz#1669975
- Allow sbd_t domain to manage cgroup dirs
Resolves: rhbz#1715134
- Allow wireshark_t domain to create netlink netfilter sockets
Resolves: rhbz#1711005
- Allow gpg_agent_t domain to use nsswitch
Resolves: rhbz#1567073
- Allow httpd script types to mmap httpd rw content
Resolves: rhbz#1693137
- Allow confined users to login via cockpit
Resolves: rhbz#1718814
- Replace "-" by "_" in speechdispatcher types names
- Change condor_domain declaration in condor_systemctl
- Update interface networkmanager_manage_pid_files() to allow manage also dirs
Resolves: rhbz#1720070
- Update virt_use_nfs() boolean to allow virt_t to mmap nfs_t files
Resolves: rhbz#1719083
- Fix all interfaces which cannot be compiled because of typos
Resolves: rhbz#1687460
- Allow auditd_t domain to send signals to audisp_remote_t domain
Resolves: rhbz#1726659
- Allow associate efivarfs_t on sysfs_t
Resolves: rhbz#1709747
- Allow userdomain attribute to manage cockpit_ws_t stream sockets
Resolves: rhbz#1718814
- Allow ssh_agent_type to read/write cockpit_session_t unnamed pipes
- Add interface ssh_agent_signal()
- Dontaudit unpriv_userdomain to manage boot_t files
Resolves: rhbz#1723773
- Allow crack_t domain read /etc/passwd files
Resolves: rhbz#1721132
- Allow dhcpc_t domain to manage network manager pid files
Resolves: rhbz#1720070

* Mon Jun 10 2019 Lukas Vrabec - 3.14.3-9
- Allow redis_t domain to read public sssd files
Resolves: rhbz#1718200
- Label /usr/sbin/nft as iptables_exec_t
Resolves: rhbz#1656891

* Wed Jun 05 2019 Lukas Vrabec - 3.14.3-8
- Allow sbd_t domain to read tmpfs_t symlinks
Resolves: rhbz#1715134

* Mon Jun 03 2019 Lukas Vrabec - 3.14.3-7
- Allow kadmind_t domain to read home config data
Resolves: rhbz#1664983
- Allow sbd_t domain to readwrite cgroups
Resolves: rhbz#1715134
- Label /var/log/pacemaker/pacemaker as cluster_var_log_t
Resolves: rhbz#1712058
- Allow certmonger_t domain to manage named cache files/dirs

* Mon May 27 2019 Lukas Vrabec - 3.14.3-6
- Allow kadmind_t domain to read pkcs11 module configs
Resolves: rhbz#1664983
- Allow kadmind_t domain to read named_cache_t files
Resolves: rhbz#1703241
- Fix bind_read_cache() interface to allow only read perms to caller domains
- Allow chronyc_t domain to create own tmpfiles and allow communicate send data over unix dgram sockets
Resolves: rhbz#1711909
- Allow wireshark_t domain to create fifo temp files
Resolves: rhbz#1711005
- Add domain transition that systemd labeled as init_t can execute spamd_update_exec_t binary to run newly created process as spamd_update_t
Resolves: rhbz#1656837
- Remove allow rule for virt_qemu_ga_t to write/append user_tmp_t files
Resolves: rhbz#1648854
- Label /var/run/user/*/dbus-1 as session_dbusd_tmp_t
Resolves: rhbz#1688671
- Add dac_override capability to namespace_init_t domain
Resolves: rhbz#1557420
- Label /usr/sbin/corosync-qdevice as cluster_exec_t
Resolves: rhbz#1690925
- Label /usr/libexec/dnf-utils as debuginfo_exec_t
Resolves: rhbz#1711183
- Allow rtkit_scheduled for sysadm
Resolves: rhbz#1703241
- Fix find commands in Makefiles
- Allow associate all filesystem_types with fs_t
Resolves: rhbz#1614209
- Allow init_t to manage session_dbusd_tmp_t dirs
Resolves: rhbz#1688671
- Allow systemd_gpt_generator_t to read/write to clearance
Resolves: rhbz#1558573
- Allow su_domain_type to getattr to /dev/gpmctl
Resolves: rhbz#1593667

* Fri May 17 2019 Lukas Vrabec - 3.14.3-5
- Add domain transition that systemd labeled as init_t can execute spamd_update_exec_t binary to run newly created process as spamd_update_t
Resolves: rhbz#1656837
- Remove allow rule for virt_qemu_ga_t to write/append user_tmp_t files
Resolves: rhbz#1648854
- Label /var/run/user/*/dbus-1 as session_dbusd_tmp_t
Resolves: rhbz#1688671
- Add dac_override capability to namespace_init_t domain
Resolves: rhbz#1557420
- Label /usr/sbin/corosync-qdevice as cluster_exec_t
Resolves: rhbz#1690925
- Label /usr/libexec/dnf-utils as debuginfo_exec_t
Resolves: rhbz#1711183
- Label /usr/bin/tshark as wireshark_exec_t
Resolves: rhbz#1710962
- Allow rhsmcertd_t domain to read rpm cache files
Resolves: rhbz#1641648
- Allow associate all filesystem_types with fs_t
Resolves: rhbz#1614209
- Allow init_t to manage session_dbusd_tmp_t dirs
Resolves: rhbz#1688671
- Allow systemd_gpt_generator_t to read/write to clearance
Resolves: rhbz#1558573
- Allow su_domain_type to getattr to /dev/gpmctl
Resolves: rhbz#1593667
- Update userdom_login_user_template() template to make working systemd user session for guest and xguest SELinux users
Resolves: rhbz#1709372

* Thu May 02 2019 Lukas Vrabec - 3.14.3-4
- Rebase with Fedora 30 package selinux-policy-3.14.3-34.fc30
Resolves: rhbz#1673107

* Tue Apr 23 2019 Lukas Vrabec - 3.14.3-3
- Rebase with Fedora 30 package selinux-policy-3.14.3-31.fc30
Resolves: rhbz#1673107

* Tue Apr 16 2019 Lukas Vrabec - 3.14.3-2
- Fix interface kernel_mounton_kernel_sysctl()
Resolves: rhbz#1700222

* Wed Apr 10 2019 Lukas Vrabec - 3.14.3-1
- Rebase with Fedora 30 package selinux-policy-3.14.3-28.fc30
Resolves: rhbz#1673107

* Fri Feb 22 2019 Lukas Vrabec - 3.14.1-61
- Add dac_override capability for sbd_t SELinux domain
Resolves: rhbz#1677325
- Allow syslogd_t domain to send null signal to all domains on system
Resolves: rhbz#1676923

* Fri Feb 15 2019 Lukas Vrabec - 3.14.1-60
- Update kdump_manage_crash() interface to allow also manage dirs by caller domain
Resolves: rhbz#1627861

* Mon Feb 11 2019 Lukas Vrabec - 3.14.1-59
- Add dac_override capability to spamd_t domain
Resolves: rhbz#1567073

* Mon Feb 11 2019 Lukas Vrabec - 3.14.1-58
- Allow ibacm_t domain to read system state and label all ibacm sockets and symlinks as ibacm_var_run_t in /var/run
Resolves: rhbz#1635674
- Update mount_read_pid_files macro to allow also list mount_var_run_t dirs
Resolves: rhbz#1664448
- Allow userdomain to stop systemd user session during logout.
Resolves: rhbz#1664448

* Wed Feb 06 2019 Lukas Vrabec - 3.14.1-57
- Allow read network state of system for processes labeled as ibacm_t
Resolves: rhbz#1635674
- Allow ibacm_t domain to send dgram sockets to kernel processes
Resolves: rhbz#1635674
- Allow virt_domain to read/write dev device
Resolves: rhbz#1672188
- Update ibacm_t policy after testing latest version of this component
Resolves: rhbz#1635674
- Allow sensord_t domain to mmap own log files
Resolves: rhbz#1656055
- Label /dev/sev char device as sev_device_t
Resolves: rhbz#1672188

* Wed Feb 06 2019 Lukas Vrabec - 3.14.1-56
- Allow virt_domain to read/write dev device
Resolves: rhbz#1672188
- Update ibacm_t policy after testing latest version of this component
Resolves: rhbz#1635674
- Allow sensord_t domain to mmap own log files
Resolves: rhbz#1656055
- Add dac_override capability for ipa_helper_t
Resolves: rhbz#1668168
- Allow sensord_t domain to use nsswitch and execute shell
Resolves: rhbz#1656055
- Allow opafm_t domain to execute lib_t files
Resolves: rhbz#1627861
- Allow opafm_t domain to manage kdump_crash_t files and dirs
Resolves: rhbz#1627861
- Label /dev/sev char device as sev_device_t
Resolves: rhbz#1672188

* Fri Feb 01 2019 Lukas Vrabec - 3.14.1-55
- Fix broken config files because of missing level specification in user_t contexts
Resolves: rhbz#1664448

* Fri Feb 01 2019 Lukas Vrabec - 3.14.1-54
- Allow sensord_t domain to use nsswitch and execute shell
Resolves: rhbz#1656055
- Allow opafm_t domain to execute lib_t files
Resolves: rhbz#1627861

* Tue Jan 29 2019 Lukas Vrabec - 3.14.1-53
- Update dbus_role_template interface to allow userdomains to accept data from userdomain dbus domains
Resolves: rhbz#1664448
- Allow systemd to read selinux logind config
Resolves: rhbz#1664448
- Fix userdom_admin_user_template() interface by adding bluetooth,alg,dccp create_stream_socket permissions.
- Allow transition from init_t domain to user_t domain during ssh login with confined user user_u
Resolves: rhbz#1664448

* Thu Jan 24 2019 Lukas Vrabec - 3.14.1-52
- Fix userdom_admin_user_template() interface by adding bluetooth,alg,dccp create_stream_socket permissions.
Resolves: rhbz#1557301

* Mon Jan 14 2019 Lukas Vrabec - 3.14.1-51
- Allow tangd_t domain to bind on tcp ports labeled as tangd_port_t
Resolves: rhbz#1664345
- Create tangd_port_t with default label tcp/7406
Resolves: rhbz#1664345
- Remove tangd_t domain from permissive domains.
Resolves: rhbz#1664345

* Fri Jan 11 2019 Lukas Vrabec - 3.14.1-50
- Change label of /usr/libexec/lm_sensors/sensord-service-wrapper from lsmd_exec_t to sensord_exec_t
Resolves: rhbz#1656055
- Make kpatch_t domain application domain to allow users to execute kpatch in kpatch_t domain.
Resolves: rhbz#1630198
- Allow confined users to use new socket classes for bluetooth, alg and tcpdiag sockets
Resolves: rhbz#1557301
- Allow sysadm_t,staff_t and unconfined_t domain to execute kpatch as kpatch_t domain
Resolves: rhbz#1630198

* Tue Dec 11 2018 Lukas Vrabec - 3.14.1-49
- Update nslcd_t domain to allow view kernel and systemd keyrings
Resolves: rhbz#1657916
- Allow arpwatch_t domains to execute shell BZ(1644568)
- Allow processes labeled as ipa_otpd_t stream connect to sssd.
- Add new SELinux domain pcp_plugin_t.
Resolves: rhbz#1648386
- Remove all ganesha bits from gluster and rpc policy
Resolves: rhbz#1639227
- Label /usr/share/spamassassin/sa-update.cron as spamd_update_exec_t
Resolves: rhbz#1656837
- Add dac_override capability to ssad_t domains
Resolves: rhbz#1655551
- Allow pesign_t domain to read gnome home configs
Resolves: rhbz#1644796
- Label /usr/libexec/lm_sensors/sensord-service-wrapper as lsmd_exec_t
Resolves: rhbz#1656055
- Allow rngd_t domains read kernel state
Resolves: rhbz#1656054
- Allow certmonger_t domains to read bind cache
Resolves: rhbz#1655077
- Allow ypbind_t domain to stream connect to sssd
Resolves: rhbz#1583953
- Allow rngd_t domain to setsched
Resolves: rhbz#1653872
- Add interface init_view_key()
- Allow systemd to mmap all pidfiles
Resolves: rhbz#1622548
- Add files_map_all_pids() interface
- Allow passwd_t domain manage sssd public and lib files, read pid files and send signals to sssd_t domains
Resolves: rhbz#1657291
- Update xserver_filetrans_home_content() and xserver_filetrans_admin_home_content() interfaces to allow caller domain to create .vnc dir in users homedir labeled as xdm_home_t
Resolves: rhbz#1639846
- Update logging_filetrans_named_content() to allow caller domains of this interface to create /var/log/journal/remote directory labeled as var_log_t
- Add sys_resource capability to the systemd_passwd_agent_t domain
Resolves: rhbz#1590981
- Allow ipsec_t domains to read bind cache
Resolves: rhbz#1654692
- kernel/files.fc: Label /run/motd as etc_t
- Allow systemd to stream connect to userdomain processes
Resolves: rhbz#1644733

* Tue Nov 27 2018 Lukas Vrabec - 3.14.1-48
- Allow sanlock_t domain to read/write sysfs_t files
Resolves: rhbz#1647594
- Add dac_override capability to postfix_local_t domain
- Allow ypbind_t to search sssd_var_lib_t dirs
- Allow virt_qemu_ga_t domain to write to user_tmp_t files
- Allow systemd_logind_t to dbus chat with virt_qemu_ga_t
- Update sssd_manage_lib_files() interface to allow also mmap sssd_var_lib_t files
- Label /var/lib/private/systemd/ as init_var_lib_t
Resolves: rhbz#1649312
- Allow initrc_t domain to create new socket labeled as init_t
- Allow audisp_remote_t domain remote logging client to read local audit events from relevant socket.
Resolves: rhbz#1639675
- Add tracefs_t type to mountpoint attribute
Resolves: rhbz#1647819
- Allow useradd_t and groupadd_t domains to send signals to sssd_t
Resolves: rhbz#1651531
- Allow systemd_logind_t domain to remove directories labeled as tmpfs_t BZ(1648636)
- Allow useradd_t and groupadd_t domains to access sssd files because of the new feature in shadow-utils
Resolves: rhbz#1651531

* Wed Nov 07 2018 Lukas Vrabec - 3.14.1-47
- Update pesign policy to allow pesign_t domain to read bind cache files/dirs
Resolves: rhbz#1644796
- Add dac_override capability to mdadm_t domain
Resolves: rhbz#1599646
- Create ibacm_tmpfs_t type for the ibacm policy
Resolves: rhbz#1581715
- Dontaudit capability sys_admin for dhcpd_t domain
Resolves: rhbz#1635643
- Makes rhsmcertd_t domain an exception to the constraint preventing changing the user identity in object contexts.
Resolves: rhbz#1639181
- Allow abrt_t domain to mmap generic tmp_t files
Resolves: rhbz#1644727
- Label /usr/sbin/wpa_cli as wpa_cli_exec_t
Resolves: rhbz#1644899
- Allow sandbox_xserver_t domain write to user_tmp_t files
Resolves: rhbz#1644315
- Dontaudit thumb_t domain to setattr on lib_t dirs BZ(1643672)
- Dontaudit cupsd_t domain to setattr lib_t dirs BZ(1636766)
- Add dac_override capability to postgrey_t domain BZ(1638954)
- Allow thumb_t domain to execute own tmpfs files BZ(1643698)
- Add nnp transition rule for vnstatd_t domain using NoNewPrivileges systemd feature BZ(1643063)
- Allow l2tpd_t domain to mmap /etc/passwd file BZ(1638948)
- Allow certutil running as ipsec_mgmt_t domain to mmap ipsec_mgmt pid files
  Dontaudit ipsec_mgmt_t domain to write to the all mountpoints
Resolves: rhbz#1644727
- Add interface files_map_generic_tmp_files()
- Add dac_override capability to the syslogd_t domain
Resolves: rhbz#1644373
- Create systemd_timedated_var_run_t label
- Update systemd_timedated_t domain to allow create own pid files/access init_var_lib_t files and read dbus files BZ(1646202)
- Improve fs_manage_ecryptfs_files to allow caller domain also mmap ecryptfs_t files BZ(1630675)
- kernel/files.fc: Label /run/motd.d(/.*)? as etc_t
- Allow ipsec_mgmt_t process to send signals other than SIGKILL, SIGSTOP, or SIGCHLD to the ipsec_t domains BZ(1638949)

* Mon Oct 22 2018 Lukas Vrabec - 3.14.1-46
- Add dac_override capability to ftpd_t domain
Resolves: rhbz#1641049
- Allow X display manager to check status and reload services which are part of x_domain attribute
Resolves: rhbz#1641082

* Fri Oct 19 2018 Lukas Vrabec - 3.14.1-45
- Allow gpg_t to create own tmpfs dirs and sockets
- Allow rhsmcertd_t domain to relabel cert_t files
- Add SELinux policy for kpatch
Resolves: rhbz#1630198
- Allow nova_t domain to use pam
- sysstat: grant sysstat_t the search_dir_perms set
- Allow boltd_t domain to dbus chat with fwupd_t domain BZ(1633786)
- Allow caller domains using cron_*_role to have entrypoint permission on system_cron_spool_t files BZ(1625645)
- Add interface cron_system_spool_entrypoint()
- Bolt added d-bus API for force-powering the thunderbolt controller, so system-dbusd needs access to boltd pipes BZ(1637676)
- Add interfaces for boltd SELinux module
- Add dac_override capability to modemmanager_t domain BZ(1636608)
- Add interface miscfiles_relabel_generic_cert()
- Make kpatch policy active
- Fix userdom_write_user_tmp_dirs() to allow caller domain also read/write user_tmp_t dirs
- Dontaudit sys_admin capability for netutils_t domain
- Label tcp and udp ports 2611 as qpasa_agent_port_t
- Allow systemd to mount boltd_var_run_t dirs BZ(1636823)
- Label correctly /var/named/chroot*/dev/unrandom in bind chroot.

* Sat Oct 13 2018 Lukas Vrabec - 3.14.1-44
- Update rpm macros for selinux policy from sources repository: https://github.com/fedora-selinux/selinux-policy-macros
Resolves: rhbz#1633198
- Allow boltd_t to read fwupd_t processes state
- Turn named_write_master_zones boolean on by default.
Resolves: rhbz#1633158
- Label /etc/rhsm as rhsmcertd_config_t
Resolves: rhbz#1636212
- Allow httpd_t domain to write to httpd_config_t dirs if httpd_run_ipa boolean is turned on
Resolves: rhbz#1624930
- Allow dhcpd_t domain to mmap dhcpd_state_t files
Resolves: rhbz#1635643
- Allow abrt_t domain to manage usr_t dirs
Resolves: rhbz#1619001
- Allow certmonger_t domain to manage cockpit pid files
Resolves: rhbz#1629685
- Update opafm_t domain after basic testing this service
Resolves: rhbz#1627861
- Allow systemd-tty-ask to ask for password of encrypted partitions during boot
Resolves: rhbz#1638666
- Update sysnet_read_dhcp_config interface to allow caller domain also mmap dhcp_etc_t files
- Add interface files_manage_usr_dirs()

* Wed Oct 10 2018 Lukas Vrabec - 3.14.1-43
- Allow ibacm_t domain to read/write to infiniband devices
  Allow ibacm_t domain to getattr tmpfs_t filesystem.
Resolves: rhbz#1635674
- Update SELinux policy for libreswan based on the latest rebase 3.26
Resolves: rhbz#1637089

* Mon Oct 08 2018 Lukas Vrabec - 3.14.1-42
- Allow cockpit to create motd file in /var/run/cockpit
Resolves: rhbz#1629678
- Allow cockpit_t domain to read systemd state
Resolves: rhbz#1629588

* Thu Oct 04 2018 Lukas Vrabec - 3.14.1-41
- Tomcat should not be unconfined domain
- Fix typo in cockpit interfaces we have cockpit_var_run_t files not cockpit_var_pid_t
- Add interface apcupsd_read_power_files()
- Allow systemd labeled as init_t to execute logrotate in logrotate_t domain
- Allow dac_override capability to amanda_t domain
- Allow geoclue_t domain to get attributes of fs_t filesystems
- Update selinux policy for rhnsd_t domain based on changes in spacewalk-2.8-client
Resolves: rhbz#1629678
Resolves: rhbz#1629685
Resolves: rhbz#1626100
Resolves: rhbz#1629588
Resolves: rhbz#1630317

* Sat Sep 15 2018 Lukas Vrabec - 3.14.1-40
- Tomcat should not be unconfined domain
- Allow cockpit_t domain to read systemd state
- Allow abrt_t domain to write to usr_t files
- Allow cockpit to create motd file in /var/run/cockpit
- Label /usr/sbin/pcsd as cluster_exec_t
- Allow pesign_t domain to getattr all fs
- Allow tomcat servers to manage usr_t files
- Dontaudit tomcat servers to append to /dev/random device
- Allow dirsrvadmin_script_t domain to read httpd tmp files
- Allow sbd_t domain to getattr of all char files in /dev and read sysfs_t files and dirs
- Revert "Allow firewalld_t domain to read random device"
- Allow postfix domains to mmap system db files
- Allow geoclue_t domain to execute own tmp files
- Allow virt_qemu_ga_t domain to read network state BZ(1592145)
- Update ibacm_read_pid_files interface to allow also reading link files
- Allow zebra_t domain to create packet_sockets
- Allow opafm_t domain to list sysfs
- Label /usr/libexec/cyrus-imapd/cyrus-master as cyris_exec_t
- Add boolean: domain_can_mmap_files.
- Allow sshd_t domain to read cockpit pid files
- Allow syslogd_t domain to manage cert_t files
- Allow getattr as part of files_mounton_kernel_symbol_table.
- Fix typo "aduit" -> "audit"
- Revert "Add new interface dev_map_userio()"
- Add new interface dev_map_userio()
- Allow systemd to read ibacm pid files
Resolves: rhbz#1615318
Resolves: rhbz#1619001
Resolves: rhbz#1627646

* Fri Sep 07 2018 Lukas Vrabec - 3.14.1-39
- Merge remote-tracking branch 'fedora-contrib/f28' into rhel8.0-contrib
- Tomcat should not be unconfined domain
- Update ibacm_read_pid_files interface to allow also reading link files
- Allow zebra_t domain to create packet_sockets
- Allow opafm_t domain to list sysfs
- Label /usr/libexec/cyrus-imapd/cyrus-master as cyris_exec_t
- Allow tomcat to delete a temporary file used when compiling class files for JSPs.
- Allow chronyd_t domain to read virt_var_lib_t files
- Allow tomcat services create link file in /tmp
- Label /etc/shorewall6 as shorewall_etc_t
- Allow winbind_t domain kill in user namespaces
- Allow firewalld_t domain to read random device
- Allow abrt_t domain to do execmem
- Allow geoclue_t domain to execute own var_lib_t files
- Allow openfortivpn_t domain to read system network state
- Allow dnsmasq_t domain to read networkmanager lib files
- sssd: Allow to limit capabilities using libcap
- sssd: Remove unnecessary capability
- sssd: Do not audit usage of lib nss_systemd.so
- Fix bug in nsd.fc, /var/run/nsd.ctl is socket file not file
- Add correct namespace_init_exec_t context to /etc/security/namespace.d/*
- Update nscd_socket_use to allow caller domain to mmap nscd_var_run_t files
- Allow exim_t domain to mmap bin files
- Allow mysqld_t domain to executed with nnp transition
- Allow svirt_t domain to mmap svirt_image_t block files
- Add caps dac_read_search and dav_override to pesign_t domain
- Allow iscsid_t domain to mmap userio chr files
- Merge remote-tracking branch 'fedora-base/f28' into rhel8.0-base
- Revert "Add new interface dev_map_userio()"
- Add new interface dev_map_userio()
- Allow systemd to read ibacm pid files
- Allow systemd to create symlinks in for /var/lib
- Add comment to show that template call also allows changing shells
- Document userdom_change_password_template() behaviour
- Merge remote-tracking branch 'fedora-base/f28' into rhel8.0-base
- update files_mounton_kernel_symbol_table() interface to allow caller domain also mounton system_map_t file
- Fix typo in logging SELinux module
- Allow usertype to mmap user_tmp_type files
- In domain_transition_pattern there is no permission allowing caller domain to execu_no_trans on entrypoint, this patch fixing this issue
- Revert "Add execute_no_trans permission to mmap_exec_file_perms pattern"
- Add boolean: domain_can_mmap_files.
- Allow ipsec_t domain to mmap own tmp files
- Add .gitignore file
- Add execute_no_trans permission to mmap_exec_file_perms pattern
- Allow sudodomain to search caller domain proc info
- Allow audisp_remote_t domain to read auditd_etc_t
- netlabel: Remove unnecessary sssd nsswitch related macros
- Allow to use sss module in auth_use_nsswitch
- Limit communication with init_t over dbus
- Add actual modules.conf to the git repo
- Add few interfaces to optional block
- Allow sysadm_t and staff_t domain to manage systemd unit files
- Add interface dev_map_userio_dev()
Resolves: rhbz#1623411
Resolves: rhbz#1624648
Resolves: rhbz#1596618
Resolves: rhbz#1574878
Resolves: rhbz#1577324
Resolves: rhbz#1625202
Resolves: rhbz#1581715
Resolves: rhbz#1625127

* Tue Aug 28 2018 Lukas Vrabec - 3.14.1-38
- Allow ovs-vswitchd labeled as openvswitch_t domain communicate with qemu-kvm via UNIX stream socket
Resolves: rhbz#1621142
- Add interface devicekit_mounton_var_lib()
- Allow httpd_t domain to mmap tmp files
- Allow tcsd_t domain to have dac_override capability
- Allow cupsd_t to rename cupsd_etc_t files
- Allow iptables_t domain to create rawip sockets
- Allow amanda_t domain to mmap own tmpfs files
- Allow fcoemon_t domain to write to sysfs_t dirs
- Allow dovecot_auth_t domain to have dac_override capability
- Allow geoclue_t domain to mmap own tmp files
- Allow chronyc_t domain to read network state
- Allow apcupsd_t domain to execute itself
- Allow modemmanager_t domain to stream connect to sssd
- Allow chronyc_t domain to rw userdomain pipes
- Update dirsrv_read_share() interface to allow caller domain to mmap dirsrv_share_t files
- Update dirsrvadmin_script_t policy to allow read httpd_tmp_t symlinks
- Allow nagios_script_t domain to mmap nagios_spool_t files
- Allow geoclue_t domain to mmap geoclue_var_lib_t files
- Allow geoclue_t domain to map generic certs
- Update munin_manage_var_lib_files to allow manage also dirs
- Allow nsd_t domain to create new socket file in /var/run/nsd.ctl
- Fix typo in virt SELinux policy module
- Allow virtd_t domain to create netlink_socket
- Allow rpm_t domain to write to audit
- Allow nagios_script_t domain to mmap nagios_etc_t files
- Update nscd_socket_use() to allow caller domain to stream connect to nscd_t
- Allow kdumpctl_t domain to getattr fixed disk device in mls
- Fix typo in stapserver policy
- Dontaudit abrt_t domain to write to usr_t dirs
- Revert "Allow rpcbind to bind on all unreserved udp ports"
- Allow rpcbind to bind on all unreserved udp ports
- Allow virtlogd to execute itself
- Allow stapserver several actions: - execute own tmp files - mmap stapserver_var_lib_t files - create stapserver_tmpfs_t files
- Allow ypxfr_t domain to stream connect to rpcbind and also search sssd libs
- Allow systemd to socket activate ibacm service
- Allow dirsrv_t domain to mmap user_t files
- Allow dhcpc_t domain to read /dev/random
- Allow systemd to mounton device_var_lib_t dirs
- Allow systemd to mounton kernel system table
- Label also chr_file /dev/mtd.* devices as fixed_disk_device_t
- Allow syslogd_t domain to create netlink generic sockets
- Label /dev/tpmrm[0-9]* as tpm_device_t
- Update dev_filetrans_all_named_dev() to allow create event22-30 character files with label event_device_t
- Update userdom_security_admin() and userdom_security_admin_template() to allow use auditctl
- Allow insmod_t domain to read iptables pid files
- Allow systemd to mounton /etc
- Allow initrc_domain to mmap all binaries labeled as systemprocess_entry
- Allow xserver_t domain to start using systemd socket activation
- Tweak SELinux policy for systemd to allow DynamicUsers systemd feature
- Associate several proc labels to fs_t
- Update init_named_socket_activation() interface to allow systemd also create link files in /var/run

* Tue Aug 21 2018 Lukas Vrabec - 3.14.1-37
- Dontaudit abrt_t domain to write to usr_t dirs
- Revert "Allow rpcbind to bind on all unreserved udp ports"
- Allow rpcbind to bind on all unreserved udp ports
- Allow virtlogd to execute itself
- Allow stapserver several actions: - execute own tmp files - mmap stapserver_var_lib_t files - create stapserver_tmpfs_t files
- Allow ypxfr_t domain to stream connect to rpcbind and also search sssd libs
- Allow systemd to socket activate ibacm service
- Allow dirsrv_t domain to mmap user_t files
- Allow kdumpctl_t domain to manage kdumpctl_tmp_t fifo files
- Allow kdumpctl to write to files on all levels
- Allow httpd_t domain to mmap httpd_config_t files
- Allow sanlock_t domain to connectto to unix_stream_socket
- Revert "Add same context for symlink as binary"
- Allow mysql execute rsync
- Update nfsd_t policy because of ganesha features
- Allow conman to getattr devpts_t
- Allow tomcat_domain to connect to smtp ports
- Allow tomcat_t domain to mmap tomcat_var_lib_t files
- Allow nagios_t domain to mmap nagios_log_t files
- Allow kpropd_t domain to mmap krb5kdc_principal_t files
- Allow kdumpctl_t domain to read fixed disk storage
- Allow xserver_t domain to start using systemd socket activation
- Tweak SELinux policy for systemd to allow DynamicUsers systemd feature
- Associate several proc labels to fs_t
- Update init_named_socket_activation() interface to allow systemd also create link files in /var/run
- Fix typo in syslogd policy
- Update syslogd policy to make working elasticsearch
- Label tcp and udp ports 9200 as wap_wsp_port
- Allow few domains to rw inherited kdumpctl tmp pipes

* Mon Aug 13 2018 Lukas Vrabec - 3.14.1-36
- Add missing tarball from sources
Resolves: rhbz#1615312

* Mon Aug 13 2018 Daniel Kopeček - 3.14.1-35
- Use explicit path BuildRequires to get /usr/bin/python3 inside the buildroot
Resolves: rhbz#1615312

* Fri Aug 10 2018 Lukas Vrabec - 3.14.1-34
- Fix issue with aliases in apache interface file
Resolves: rhbz#1596618
- Add same context for symlink as binary
- Allow boltd_t to send logs to journal
- Allow colord_use_nfs to allow colord also mmap nfs_t files
- Allow mysqld_safe_t to execute itself
- Allow smbd_t domain to chat via dbus with avahi daemon
- cupsd_t domain will create /etc/cupsd/ppd as cupsd_etc_rw_t
- Update screen_role_template to allow caller domain to have screen_exec_t as entrypoint to new domain
- Add alias httpd__script_t to _script_t to make sepolicy generate working
- Allow gpg_t domain to mmap gpg_agent_tmp_t files
- Allow kprop_t domain to read network state
- Add support boltd policy
- Allow kpropd domain to exec itself
- Allow pdns_t to bind on tcp transproxy port
- Add support for opafm service
- Allow hsqldb_t domain to read cgroup files
- Allow rngd_t domain to read generic certs
- Allow innd_t domain to mmap own var_lib_t files
- Update screen_role_template interface
- Allow chronyd_t domain to mmap own tmpfs files
- Allow chronyd_t domain to mmap own tmpfs files
- label /var/lib/pgsql/data/log as postgresql_log_t
- Allow sysadm_t domain to accept socket
- Allow systemd to manage passwd_file_t
- Allow sshd_t domain to mmap user_tmp_t files
- Allow systemd to mounton boltd lib dirs
- Allow sysadm_t domain to create rawip sockets
- Allow sysadm_t domain to listen on socket
- Update sudo_role_template() to allow caller domain also setattr generic ptys

* Sun Jul 29 2018 Lukas Vrabec - 3.14.1-33
- Allow sblim_sfcbd_t domain to mmap own tmpfs files
- Allow nfsd_t domain to read krb5 keytab files
- Allow nfsd_t domain to manage fadm pid files
- Allow virt_domain to create icmp sockets BZ(1609142)
- Dontaudit oracleasm_t domain to request sys_admin capability
- Update logging_manage_all_logs() interface to allow caller domain map all logfiles

* Thu Jul 26 2018 Lukas Vrabec - 3.14.1-32
- Allow aide to mmap all files
- Revert "Allow firewalld_t to read iptables_var_run_t files"
- Revert "Allow firewalld to create rawip sockets"
- Allow svirt_tcg_t domain to read system state of virtd_t domains
- Update rhcs contexts to reflect the latest fenced changes
- Allow httpd_t domain to rw user_tmp_t files
- Fix typo in openct policy
- Allow winbind_t domain to connect to all ephemeral ports
- Allow firewalld_t to read iptables_var_run_t files
- Allow abrt_t domain to mmap data_home files
- Allow glusterd_t domain to mmap user_tmp_t files
- Allow mongodb_t domain to mmap own var_lib_t files
- Allow firewalld to read kernel usermodehelper state
- Allow modemmanager_t to read sssd public files
- Allow openct_t domain to mmap own var_run_t files
- Allow nnp transition for devicekit daemons
- Allow firewalld to create rawip sockets
- Allow firewalld to getattr proc filesystem
- Dontaudit sys_admin capability for pcscd_t domain
- Revert "Allow pcsd_t domain sys_admin capability"
- Allow fetchmail_t domain to stream connect to sssd
- Allow pcsd_t domain sys_admin capability
- Allow cupsd_t to create cupsd_etc_t dirs
- Allow varnishlog_t domain to list varnishd_var_lib_t dirs
- Allow mongodb_t domain to read system network state BZ(1599230)
- Allow zoneminder_t to getattr of fs_t
- Allow tgtd_t domain to create dirs in /var/run labeled as tgtd_var_run_t BZ(1492377)
- Allow iscsid_t domain to mmap sysfs_t files
- Allow httpd_t domain to mmap own cache files
- Add sys_resource capability to nslcd_t domain
- Fixed typo in logging_audisp_domain interface
- Add interface files_mmap_all_files()
- Add interface iptables_read_var_run()
- Allow systemd to mounton init_var_run_t files
- Update policy rules for auditd_t based on changes in audit version 3
- Allow systemd_tmpfiles_t to mmap system db files
- Don't setup unlabeled_t as an entry_type
- Allow unconfined_service_t to transition to container_runtime_t
- Improve domain_transition_pattern to allow mmap entrypoint bin file.
* Wed Jul 18 2018 Lukas Vrabec - 3.14.1-31
- Allow cupsd_t domain to mmap cupsd_etc_t files
- Allow kadmind_t domain to mmap krb5kdc_principal_t
- Allow virtlogd_t domain to read virt_etc_t link files
- Allow dirsrv_t domain to read crack db
- Dontaudit pegasus_t to require sys_admin capability
- Allow mysqld_t domain to exec mysqld_exec_t binary files
- Allow abrt_t domain to read rhsmcertd lib files
- Allow winbind_t domain to request kernel module loads
- Allow tomcat_domain to read cgroup_t files
- Allow varnishlog_t domain to mmap varnishd_var_lib_t files
- Allow innd_t domain to mmap news_spool_t files
- Label HOME_DIR/mozilla.pdf file as mozilla_home_t instead of user_home_t
- Allow fenced_t domain to reboot
- Allow amanda_t domain to read network system state
- Allow abrt_t domain to read rhsmcertd logs
- Fix typo in radius policy
- Update zoneminder policy to reflect latest features in zoneminder BZ(1592555)
- Label /usr/bin/esmtp-wrapper as sendmail_exec_t
- Update raid_access_check_mdadm() interface to dontaudit caller domain to mmap mdadm_exec_t binary files
- Dontaudit thumb to read mmap_min_addr
- Allow chronyd_t to send to system_cronjob_t via unix dgram socket BZ(1494904)
- Allow mpd_t domain to mmap mpd_tmpfs_t files BZ(1585443)
- Allow collectd_t domain to use ecryptfs files BZ(1592640)
- Dontaudit mmap home type files for abrt_t domain
- Allow fprintd_t domain creating own tmp files BZ(1590686)
- Allow collectd_t domain to bind on bacula_port_t BZ(1590830)
- Allow fail2ban_t domain to getpgid BZ(1591421)
- Allow nagios_script_t domain to mmap nagios_log_t files BZ(1593808)
- Allow pcp_pmcd_t domain to use sys_ptrace usernamespace cap
- Allow sssd_selinux_manager_t to read/write to systemd sockets BZ(1595458)
- Allow radiusd_t domain to mmap radius_etc_rw_t files
- Allow git_script_t domain to read and mmap gitosis_var_lib_t files BZ(1591729)
- Add dac_read_search capability to thumb_t domain
- Add dac_override capability to cups_pdf_t domain BZ(1594271)
- Add net_admin capability to conntrackd_t domain BZ(1594221)
- Allow gssproxy_t domain to domtrans into gssd_t domain BZ(1575234)
- Fix interface init_dbus_chat in oddjob SELinux policy BZ(1590476)
- Allow motion_t to mmap video devices BZ(1590446)
- Add dac_override capability to mpd_t domain BZ(1585358)
- Allow fsdaemon_t domain to write to mta home files BZ(1588212)
- Allow virtlogd_t domain to chat via dbus with systemd_logind BZ(1589337)
- Allow sssd_t domain to write to general cert files BZ(1589339)
- Allow l2tpd_t domain to send signull to ipsec domains BZ(1589483)
- Allow cockpit_session_t to read kernel network state BZ(1596941)
- Allow devicekit_power_t start with nnp systemd security feature with proper SELinux Domain transition BZ(1593817)
- Allow systemd to get attributes of core kernel interface BZ(1596928)
- Dontaudit syslogd watching top level dirs when imfile module is enabled
- Revert "Allow unconfined and sysadm users to use bpftool BZ(1591440)"
- Allow userdomain sudo domains to use generic ptys
- Allow systemd labeled as init_t to get sysvipc info BZ(1600877)
- Label /sbin/xtables-legacy-multi and /sbin/xtables-nft-multi as iptables_exec_t BZ(1600690)
- Remove duplicated userdom_delete_user_home_content_files
- Add systemd_dbus_chat_resolved interface
- Allow load_policy_t domain to read/write to systemd sockets BZ(1582812)
- Add new interface init_prog_run_bpf()
- Allow unconfined and sysadm users to use bpftool BZ(1591440)
- Label /run/cockpit/motd as etc_t BZ(1584167)
- Allow systemd_machined_t domain to sendto syslogd_t over unix dgram sockets
- Add interface userdom_dontaudit_mmap_user_home_content_files()
- Allow systemd to listen bluetooth sockets BZ(1592223)
- Allow systemd to remove user_home_t files BZ(1418463)
- Allow xdm_t domain to mmap and read cert_t files BZ(1553761)
- Allow nsswitch_domain to mmap passwd_file_t files BZ(1518655)
- Allow systemd to delete user temp files BZ(1595189)
- Allow systemd to mounton core kernel interface
- Add dac_override capability to ipsec_t domain BZ(1589534)
- Allow systemd domain to mmap lvm config files BZ(1594584)
- Allow systemd to write systemd_logind_inhibit_var_run_t fifo files
- Allow systemd_modules_load_t to access unlabeled infiniband pkeys

* Fri Jun 29 2018 Lukas Vrabec - 3.14.1-30
- Add ibacm policy
- Label /usr/sbin/rhn_check-[0-9]+.[0-9]+ as rpm_exec_t
- Allow kdumpgui_t domain to allow execute and mmap all binaries labeled as kdumpgui_tmp_t
- Allow rpm to check if SELinux will check original protection mode or modified protection mode (read-implies-exec) for mmap/mprotect. Allow rpm to reload systemd services
- Allow crond_t domain to create netlink selinux sockets and dac_override cap.
- Allow radiusd_t domain to have dac_override capability
- Allow amanda_t domain to have setgid capability
- Allow psad domain to setrlimit. Allow psad domain to stream connect to dbus. Allow psad domain to exec journalctl_exec_t binary
- Update cups_filetrans_named_content() to allow caller domain create ppd directory with cupsd_etc_rw_t label
- Allow abrt_t domain to write to rhsmcertd pid files
- Allow pegasus_t domain to exec lvm binaries and allow read/write access to lvm control
- Add vhostmd_t domain to read/write to svirt images
- Update kdump_manage_kdumpctl_tmp_files() interface to allow caller domain also mmap kdumpctl_tmp_t files
- Allow sssd_t and slapd_t domains to mmap generic certs
- Allow chronyc_t domain use inherited user ttys
- Allow stapserver_t domain to mmap own tmp files
- Update nscd_dontaudit_write_sock_file() to dontaudit also stream connect to nscd_t domain
- Merge pull request #60 from vmojzis/rawhide
- Allow tangd_t domain stream connect to sssd
- Allow oddjob_t domain to chat with systemd via dbus
- Allow freeipmi domains to mmap sysfs files
- Fix typo in logwatch interface file
- Allow spamd_t to manage logwatch_cache_t files/dirs
- Allow dnsmasq_t domain to create own tmp files and manage mnt files
- Allow fail2ban_client_t to inherit rlimit information from parent process
- Allow nscd_t to read kernel sysctls
- Label /var/log/conman.d as conman_log_t
- Add dac_override capability to tor_t domain
- Allow certmonger_t to readwrite to user_tmp_t dirs
- Allow abrt_upload_watch_t domain to read general certs
- Allow chronyd_t read phc2sys_t shared memory
- Add several allow rules for pesign policy:
- Add setgid and setuid capabilities to mysqld_safe_t domain
- Add tomcat_can_network_connect_db boolean
- Update virt_use_sanlock() boolean to read sanlock state
- Add sanlock_read_state() interface
- Allow zoneminder_t to getattr of fs_t
- Allow rhsmcertd_t domain to send signull to postgresql_t domain
- Add log file type to collectd and allow corresponding access
- Allow policykit_t domain to dbus chat with dhcpc_t
- Adding new boolean keepalived_connect_any()
- Allow amanda to create own amanda_tmpfs_t files
- Allow gdomap_t domain to connect to gdomap_port_t
- /usr/libexec/bluetooth/obexd should have only obexd_exec_t instead of bluetoothd_exec_t type
- Allow ntop_t domain to create/map various sockets/files.
- Enable the dictd to communicate via D-bus.
- Allow inetd_child process to chat via dbus with abrt
- Allow zabbix_agent_t domain to connect to redis_port_t
- Allow rhsmcertd_t domain to read xenfs_t files
- Allow zabbix_agent_t to run zabbix scripts
- Fix openvswitch SELinux module
- Fix wrong path in tlp context file BZ(1586329)
- Update brltty SELinux module
- Allow rabbitmq_t domain to create own tmp files/dirs
- Allow policykit_t mmap policykit_auth_exec_t files
- Allow ipmievd_t domain to read general certs
- Add sys_ptrace capability to pcp_pmie_t domain
- Allow squid domain to exec ldconfig
- Update gpg SELinux policy module
- Allow mailman_domain to read system network state
- Allow openvswitch_t domain to read neutron state and read/write fixed disk devices
- Allow antivirus_domain to read all domain system state
- Allow targetd_t domain to read gconf_home_t files/dirs
- Label /usr/libexec/bluetooth/obexd as obexd_exec_t
- Allow init_t domain to create netlink rdma sockets for ibacm policy
- Update corecmd_exec_shell() interface to allow caller domain to mmap shell_exec_t files
- Allow lvm_t domain to write files to all mls levels
- Add to su_role_template allow rule for creating netlink_selinux sockets
- Allow sysadm_t domain to mmap hwdb db
- Allow udev_t domain to mmap kernel modules
- Allow sysadm_screen_t to have capability dac_override and chown
- Allow sysadm_t domain to mmap journal
- Merge branch 'rawhide' of github.com:fedora-selinux/selinux-policy into rawhide
- Label /etc/systemd/system.control/ dir as systemd_unit_file_t
- Merge pull request #215 from bachradsusi/merge-conf-from-fedora
- Allow sysadm_t and staff_t domains to use sudo io logging
- Allow sysadm_t domain create sctp sockets
- Add snapperd_contexts to the policy
- Use system_u:system_r:unconfined_t:s0 in userhelper_context
- Remove unneeded system_u seusers mapping.
- Fedora targeted default user is unconfined_u, root is unconfined_u as well
- Update config to reflect changes in default context for SELinux users related to pam_selinux.so which is now used in systemd-users.
- Change failsafe_context to unconfined_r:unconfined_t:s0
- Update lxc_contexts from Fedora config.tgz
- Add lxc_contexts config file
- Allow traceroute_t domain to exec bin_t binaries
- Allow systemd_passwd_agent_t domain to list sysfs. Allow systemd_passwd_agent_t domain to dac_override
- Add new interface dev_map_sysfs()
- Allow sshd_keygen_t to execute plymouthd
- Allow systemd_networkd_t create and relabel tun sockets
- Add new interface postgresql_signull()
- Merge pull request #214 from wrabcak/fb-dhcpc
- Allow dhcpc_t creating own socket files inside /var/run/. Allow dhcpc_t creating netlink_kobject_uevent_socket, netlink_generic_socket, rawip_socket BZ(1585971)
- Allow confined users get AFS tokens
- Allow sysadm_t domain to chat via dbus
- Associate sysctl_kernel_t type with filesystem attribute

* Fri Jun 08 2018 Lukas Vrabec - 3.14.1-29
- Fix typos in zabbix.te file
- Add missing requires
- Allow tomcat domain to send email
- Fix typo in sge policy
- Allow certmonger to send emails
- Allow tomcat_t to mmap tomcat_tmp_t files
- Improve sge_rw_tcp_sockets interface
- Adding new interface: sge_rw_tcp_sockets()
- Update sge_execd_t domain with few rules
- Add new zabbix_run_sudo boolean
- Allow virtual machines to manage cephfs filesystems.
- Allow rhsmcertd_t domain to read sssd public files and stream connect to sssd
- Add dac_override capability to sendmail_t domain
- Fix typo in netutils.te file
- Update traceroute_t domain to allow create dccp sockets
- Update ssh_keysign policy
- Allow sshd_t domain to read/write sge tcp sockets

* Wed Jun 06 2018 Lukas Vrabec - 3.14.1-28
- Update ctdb domain to support gNFS setup
- Allow authconfig_t dbus chat with policykit
- Allow lircd_t domain to read system state
- Revert "Allow fsdaemon_t to send emails BZ(1582701)"
- Typo in uuidd policy
- Allow tangd_t domain read certs
- Allow vpnc_t domain to read configfs_t files/dirs BZ(1583107)
- Allow vpnc_t domain to read generic certs BZ(1583100)
- Label /var/lib/phpMyAdmin directory as httpd_sys_rw_content_t BZ(1584811)
- Allow NetworkManager_ssh_t domain to be system dbusd client
- Allow virt_qemu_ga_t read utmp
- Add capability dac_override to system_mail_t domain
- Update uuidd policy to reflect last changes from base branch
- Add cap dac_override to procmail_t domain
- Allow sendmail to mmap etc_aliases_t files BZ(1578569)
- Add new interface dbus_read_pid_sock_files()
- Allow mpd_t domain read config_home files if mpd_enable_homedirs boolean will be enabled
- Allow fsdaemon_t to send emails BZ(1582701)
- Allow firewalld_t domain to request kernel module BZ(1573501)
- Allow chronyd_t domain to send msg via dgram socket BZ(1584757)
- Add sys_admin capability to fprint_t SELinux domain
- Allow cyrus_t domain to create own files under /var/run BZ(1582885)
- Allow cachefiles_kernel_t domain to have capability dac_override
- Update policy for ypserv_t domain
- Allow zebra_t domain to bind on tcp/udp ports labeled as qpasa_agent_port_t
- Allow cyrus to have dac_override capability
- Dontaudit action when abrt-hook-ccpp is writing to nscd sockets
- Fix homedir polyinstantiation under mls
- Fixed typo in init.if file
- Allow systemd to remove generic tmp files BZ(1583144)
- Update init_named_socket_activation() interface to also allow systemd create objects in /var/run with proper label during socket activation
- Allow systemd-networkd and systemd-resolved services read system-dbusd socket BZ(1579075)
- Fix typo in authlogin SELinux security module
- Allow nsswitch_domain attribute to be system dbusd client BZ(1584632)
- Allow audisp_t domain to mmap audisp_exec_t binary
- Update ssh_domtrans_keygen interface to allow mmap ssh_keygen_exec_t binary file
- Label tcp/udp ports 2612 as qpasa_agent_port_t

* Sat May 26 2018 Lukas Vrabec - 3.14.1-27
- Add dac_override to exim policy BZ(1574303)
- Fix typo in conntrackd.fc file
- Allow sssd_t to kill sssd_selinux_manager_t
- Allow httpd_sys_script_t to connect to mongodb_port_t if boolean httpd_can_network_connect_db is turned on
- Allow chronyc_t to redirect output to /var/lib /var/log and /tmp
- Allow policykit_auth_t to read udev db files BZ(1574419)
- Allow varnishd_t to be dbus client BZ(1582251)
- Allow cyrus_t domain to mmap own pid files BZ(1582183)
- Allow user_mail_t domain to mmap etc_aliases_t files
- Allow gkeyringd domains to run ssh agents
- Allow gpg_pinentry_t domain read ssh state
- Allow gpg_agent_t to send msgs to syslog/journal
- Add dac_override capability to dovecot_t domain
- Allow nscd_t domain to mmap system_db_t files
- Allow tangd_t domain to create tcp sockets and add new interface tangd_read_db_files
- Allow mailman_mail_t domain to search for apache configs
- Allow mailman_cgi_t domain to ioctl an httpd with unix domain stream sockets.
- Improve procmail_domtrans() to allow mmaping procmail_exec_t
- Allow ptrace arbitrary processes
- Allow jabberd_router_t domain read kerberos keytabs BZ(1573945)
- Allow certmonger to getattr of filesystems BZ(1578755)
- Allow hypervvssd_t domain to read fixed disk devices
- Allow several domains to manage ecryptfs_t filesystem
- Allow userdom_use_user_ttys for loadkeys_t domain
- Add dac_override capability to cachefiles_kernel_t domain
- Allow blueman to execute ldconfig BZ(1577581)
- Allow gpg_pinentry_t domain to read state of gpg_t processes
- Add dac_override capability to cgconfig_t domain BZ(1574649)
- Add dac_override to glusterd_t domain BZ(1578501)
- Allow fsdaemon_t to create own fsdaemon_var_lib_t dirs BZ(1569724)
- Allow plymouth_t domain to read/write systemd sockets BZ(1578882)
- Allow use of U2F Yubikey as authentication for a sudo command BZ(1578915)
- Append map permission to apache_read_modules() interface
- Allow certwatch_t domain to getattr of extended attributes fs_t filesystem
- Add new interface: dirsrv_noatsecure()
- Add dac_override capability to remote_login_t domain
- Allow chrome_sandbox_t to mmap tmp files
- Update ulogd SELinux security policy
- Allow sysadm_u use xdm
- Allow xdm_t domain to listen for unix dgram sockets BZ(1581495)
- Add interface ssh_read_state()
- Fix typo in sysnetwork.if file
- Update dev_map_xserver_misc interface to allow mmaping char devices instead of files
- Allow noatsecure permission for all domain transitions from systemd.
- Allow systemd to read tangd db files
- Fix typo in ssh.if file
- Allow xdm_t domain to mmap xserver_misc_device_t files
- Allow xdm_t domain to execute systemd-coredump binary
- Add bridge_socket, dccp_socket, ib_socket and mpls_socket to socket_class_set
- Improve modutils_domtrans_insmod() interface to mmap insmod_exec_t binaries
- Improve iptables_domtrans() interface to allow mmaping iptables_exec_t binary
- Improve auth_domtrans_login_program interface to allow also mmap login_exec_t binaries
- Improve auth_domtrans_chk_passwd() interface to allow also mmaping chkpwd_exec_t binaries.
- Allow mmap dhcpc_exec_t binaries in sysnet_domtrans_dhcpc interface
- Improve running xorg with proper SELinux domain even if systemd security feature NoNewPrivileges is used
- Associate sysctl_vm_overcommit_t with fs_t
- Allow systemd creating bluetooth sockets
- Allow ssh client to read network sysctl BZ(1574170)
- Allow systemd_resolved_t and systemd_networkd_t to read dbus pid files
- Allow sysadm user to sys_ptrace cap_userns
- Allow udev execute /usr/libexec/gdm-disable-wayland in xdm_t domain which allows create /run/gdm/custom.conf with proper xdm_var_run_t label.
- Allow ssh client to read network state BZ(1574174)
- Allow ssh basic client to read/write to tun tap devices BZ(1574184)
- Allow ssh basic client to create tun sockets BZ(1574186)
- Disable secure mode environment cleansing for dirsrv_t

* Mon May 21 2018 Lukas Vrabec - 3.14.1-26
- Disable secure mode environment cleansing for dirsrv_t
- Allow udev execute /usr/libexec/gdm-disable-wayland in xdm_t domain which allows create /run/gdm/custom.conf with proper xdm_var_run_t label.

* Mon May 21 2018 Lukas Vrabec - 3.14.1-25
- Add dac_override capability to remote_login_t domain
- Allow chrome_sandbox_t to mmap tmp files
- Update ulogd SELinux security policy
- Allow rhsmcertd_t domain send signull to apache processes
- Allow systemd socket activation for modemmanager
- Allow geoclue to dbus chat with systemd
- Fix file contexts on conntrackd policy
- Temporary fix for varnish and apache adding capability for DAC_OVERRIDE
- Allow lsmd_plugin_t domain to getattr lsm_t unix stream sockets
- Add label for /usr/sbin/pacemaker-remoted to have cluster_exec_t
- Allow nscd_t domain to be system dbusd client
- Allow abrt_t domain to read sysctl
- Add dac_read_search capability for tangd
- Allow systemd socket activation for rshd domain
- Add label for /usr/libexec/cyrus-imapd/master as cyrus_exec_t to have proper SELinux domain transition from init_t to cyrus_t
- Allow kdump_t domain to map /boot files
- Allow conntrackd_t domain to send msgs to syslog
- Label /usr/sbin/nhrpd and /usr/sbin/pimd binaries as zebra_exec_t
- Allow svnserve_t domain to stream connect to sasl domain
- Allow smbcontrol_t to create dirs with samba_var_t label
- Remove execstack, execmem and execheap from domains setroubleshootd_t, locate_t and podsleuth_t to increase security. BZ(1579760)
- Allow tangd to read public sssd files BZ(1509054)
- Allow geoclue start with nnp systemd security feature with proper SELinux Domain transition BZ(1575212)
- Allow ctdb_t domain modify ctdb_exec_t files
- Allow firewalld_t domain to create netlink_netfilter sockets
- Allow radiusd_t domain to read network sysctls
- Allow pegasus_t domain to mount tracefs_t filesystem
- Allow psad_t domain to read all domains state
- Allow tomcat_t domain to connect to mongod_t tcp port
- Allow dovecot and postfix to connect to systemd stream sockets
- Make nmbd_t domain dbus system client BZ(1569856)
- Merge pull request #55 from SISheogorath/fix/tlp-policy
- Merge pull request #54 from tmzullinger/rawhide
- Allow also listing system_dbusd_var_run_t dirs in dbusd_read_pid_files macro BZ(1566168)
- Allow gssproxy_t domain to read gssd_t state BZ(1572945)
- Allow create systemd to mount pid files
- Add files_map_boot_files() interface
- Remove execstack, execmem and execheap from domain fsadm_t to increase security. BZ(1579760)
- Fix typo in xserver SELinux module
- Allow systemd to mmap files with var_log_t label
- Allow x_userdomains read/write to xserver session
- Allow users staff and sysadm to run wireshark on own domain
- Fix typos s/xserver/xdm/ for allow creating xserver misc devices
- Allow systemd-bootchart to create own tmpfs files
- Merge pull request #213 from tmzullinger/rawhide
- Allow xdm_t domain to install Nouveau drivers BZ(1570996)

* Sat Apr 28 2018 Lukas Vrabec - 3.14.1-24
- Allow unconfined_domain_type to create libs filetrans named content BZ(1513806)

* Fri Apr 27 2018 Lukas Vrabec - 3.14.1-23
- Allow dnssec_trigger_t domain to read system network state BZ(1570205)
- Add dac_override capability to mailman_mail_t domain
- Add dac_override capability to radvd_t domain
- Update openvswitch policy
- Add dac_override capability to oddjob_homedir_t domain
- Allow slapd_t domain to mmap slapd_var_run_t files
- Rename tang policy to tangd
- Allow virtd_t domain to relabel virt_var_lib_t files
- Allow logrotate_t domain to stop services via systemd
- Add tang policy
- Allow mozilla_plugin_t to create mozilla.pdf file in user homedir with label mozilla_home_t
- Allow snapperd_t daemon to create unlabeled dirs.
- Make httpd_var_run_t mountpoint
- Allow hsqldb_t domain to mmap own temp files
- We have inconsistency in cgi templates with upstream, we use _content_t, but refpolicy use httpd__content_t. Created aliases to make it consistent
- Allow Openvswitch adding netdev bridge ovs 2.7.2.10 FDP
- Add new Boolean tomcat_use_execmem
- Allow nfsd_t domain to read/write sysctl fs files
- Allow conman to read system state
- Allow brltty_t domain to be dbusd system client
- Allow zebra_t domain to bind on babel udp port
- Allow freeipmi domain to read sysfs_t files
- Allow targetd_t domain mmap lvm config files
- Allow abrt_t domain to manage kdump crash files
- gnome_data_filetrans macro should be in optional block
- Allow netutils_t domain to create bluetooth sockets
- Allow traceroute to bind on generic sctp node
- Allow traceroute to search network sysctls
- Allow systemd to use virtio console
- Label /dev/op_panel and /dev/opal-prd as opal_device_t
- Label /run/ebtables.lock as iptables_var_run_t
- Allow udev_t domain to manage udev_rules_t char files.
- Assign babel_port_t label to udp port 6696
- Add new interface lvm_map_config
- Merge pull request #212 from stlaz/patch-1
- Allow local_login_t reads of udev_var_run_t context

* Wed Apr 18 2018 Lukas Vrabec - 3.14.1-22
- Allow networkmanager domain to write to ecryptfs_t files BZ(1566706)
- Allow l2tpd domain to stream connect to sssd BZ(1568160)
- Dontaudit abrt_t to write to lib_t dirs BZ(1566784)
- Allow NetworkManager_ssh_t domain transition to insmod_t BZ(1567630)

* Mon Apr 16 2018 Lukas Vrabec - 3.14.1-21
- Allow certwatch to manage cert files BZ(1561418)
- Allow abrt_dump_oops_t domain to mmap all non security files BZ(1565748)
- Allow gpg_t domain mmap cert_t files. Allow gpg_t mmap gpg_agent_t files
- Allow NetworkManager_ssh_t domain use generic ptys. BZ(1565851)
- Allow pppd_t domain read/write l2tpd pppox sockets BZ(1566096)
- Allow xguest user use bluetooth sockets if xguest_use_bluetooth boolean is turned on.
- Allow pppd_t domain creating pppox sockets BZ(1566271)
- Allow abrt to map var_lib_t files
- Allow chronyc to read system state BZ(1565217)
- Allow keepalived_t domain to chat with systemd via dbus
- Allow git to mmap git_(sys|user)_content_t files BZ(1518027)
- removed boinc dev_getattr_*_dev
- Allow iptables_t domain to create dirs in etc_t with system_conf_t labels
- Allow x userdomain to mmap xserver_tmpfs_t files
- Allow sysadm_t to mount tracefs_t
- Allow unconfined user all perms under bpf class BZ(1565738)
- Allow SELinux users (except guest and xguest) to use bluetooth sockets
- Add new interface files_map_var_lib_files()
- Allow user_t and staff_t domains create netlink tcpdiag sockets
- Allow systemd-networkd to read sysctl_t files
- Allow systemd_networkd_t to read/write tun tap devices
- refpolicy: Update for kernel sctp support

* Sat Apr 07 2018 Lukas Vrabec - 3.14.1-20
- Add new boolean redis_enable_notify()
- Label /var/log/shibboleth-www(/.*) as httpd_sys_rw_content_t
- Add new label for vmtools scripts and label it as vmtools_unconfined_t stored in /etc/vmware-tools/
- Allow svnserve_t domain to manage kerberos rcache and read krb5 keytab
- Add dac_override and dac_read_search capability to hypervvssd_t domain
- Label /usr/lib/systemd/systemd-fence_sanlockd as fenced_exec_t
- Allow samba to create /tmp/host_0 as krb5_host_rcache_t
- Add dac_override capability to fsdaemon_t BZ(1564143)
- Allow abrt_t domain to map dos files BZ(1564193)
- Add dac_override capability to automount_t domain
- Allow keepalived_t domain to connect to system dbus bus
- Allow nfsd_t to read nvme block devices BZ(1562554)
- Allow lircd_t domain to execute bin_t files BZ(1562835)
- Allow l2tpd_t domain to read sssd public files BZ(1563355)
- Allow logrotate_t domain to do dac_override BZ(1539327)
- Remove labeling for /etc/vmware-tools to bin_t it should be vmtools_unconfined_exec_t
- Add capability sys_resource to systemd_sysctl_t domain
- Label all /dev/rbd* devices as fixed_disk_device_t
- Allow xdm_t domain to mmap xserver_log_t files BZ(1564469)
- Allow local_login_t domain to read udev db
- Allow systemd_gpt_generator_t to read /dev/random device
- add definition of bpf class and systemd perms

* Thu Mar 29 2018 Lukas Vrabec - 3.14.1-19
- Allow accountsd_t domain to dac override BZ(1561304)
- Allow cockpit_ws_t domain to read system state BZ(1561053)
- Allow postfix_map_t domain to use inherited user ptys BZ(1561295)
- Allow abrt_dump_oops_t domain dac override BZ(1561467)
- Allow l2tpd_t domain to run stream connect for sssd_t BZ(1561755)
- Allow crontab domains to do dac override
- Allow snapperd_t domain to unmount fs_t filesystems
- Allow pcp processes to read fixed_disk devices BZ(1560816)
- Allow unconfined and confined users to use dccp sockets
- Allow systemd to manage bpf dirs/files
- Allow traceroute_t to create dccp_sockets

* Mon Mar 26 2018 Lukas Vrabec - 3.14.1-18
- Fedora Atomic host using for temp files /sysroot/tmp patch, we should label same as /tmp adding file context equivalence BZ(1559531)

* Sun Mar 25 2018 Lukas Vrabec - 3.14.1-17
- Allow smbcontrol_t to mmap samba_var_t files and allow winbind create sockets BZ(1559795)
- Allow nagios to exec itself and mmap nagios spool files BZ(1559683)
- Allow nagios to mmap nagios config files BZ(1559683)
- Fixing Ganesha module
- Fix typo in NetworkManager module
- Fix bug in gssproxy SELinux module
- Allow abrt_t domain to mmap container_file_t files BZ(1525573)
- Allow networkmanager to run ssh client BZ(1558441)
- Allow pcp domains to do dac override BZ(1557913)
- Dontaudit pcp_pmie_t to request lost kernel module
- Allow pcp_pmcd_t to manage unpriv userdomains semaphores BZ(1554955)
- Allow httpd_t to read httpd_log_t dirs BZ(1554912)
- Allow fail2ban_t to read system network state BZ(1557752)
- Allow dac override capability to mandb_t domain BZ(1529399)
- Allow collectd_t domain to mmap collectd_var_lib_t files BZ(1556681)
- Dontaudit bug in kernel 4.16 when domains requesting loading kernel modules BZ(1555369)
- Add Domain transition from gssproxy_t to httpd_t domains BZ(1548439)
- Allow httpd_t to mmap user_home_type files if boolean httpd_read_user_content is enabled BZ(1555359)
- Allow snapperd to relabel snapperd_data_t
- Improve bluetooth_stream_socket interface to allow caller domain also send bluetooth sockets
- Allow tcpd_t bind on sshd_port_t if ssh_use_tcpd() is enabled
- Allow insmod_t to load modules BZ(1544189)
- Allow systemd_rfkill_t domain sys_admin capability BZ(1557595)
- Allow systemd_networkd_t to read/write tun tap devices
- Add shell_exec_t file as domain entry for init_t
- Label also /run/systemd/resolved/ as systemd_resolved_var_run_t BZ(1556862)
- Dontaudit kernel 4.16 bug when lot of domains requesting load kernel module BZ(1557347)
- Improve userdom_mmap_user_home_content_files
- Allow systemd_logind_t domain to setattributes on fixed disk devices BZ(1555414)
- Dontaudit kernel 4.16 bug when lot of domains requesting load kernel module
- Allow semanage_t domain mmap usr_t files
- Add new boolean: ssh_use_tcpd()

* Wed Mar 21 2018 Lukas Vrabec - 3.14.1-16
- Improve bluetooth_stream_socket interface to allow caller domain also send bluetooth sockets
- Allow tcpd_t bind on sshd_port_t if ssh_use_tcpd() is enabled
- Allow semanage_t domain mmap usr_t files
- Add new boolean: ssh_use_tcpd()

* Tue Mar 20 2018 Lukas Vrabec - 3.14.1-15
- Update screen_role_template() to allow also creating sockets in HOMEDIR/screen/
- Allow newrole_t dac_override capability
- Allow traceroute_t domain to mmap packet sockets
- Allow netutils_t domain to mmap usmmon device
- Allow netutils_t domain to use mmap on packet_sockets
- Allow traceroute to create icmp packets
- Allow sysadm_t domain to create tipc sockets
- Allow confined users to use new socket classes for bluetooth, alg and tcpdiag sockets

* Thu Mar 15 2018 Lukas Vrabec - 3.14.1-14
- Allow rpcd_t domain dac override
- Allow rpm domain to mmap rpm_var_lib_t files
- Allow arpwatch domain to create bluetooth sockets
- Allow secadm_t domain to mmap audit config and log files
- Update init_abstract_socket_activation() to allow also creating tcp sockets
- getty_t should be ranged in MLS. Then also local_login_t runs as ranged domain.
- Add SELinux support for systemd-importd
- Create new type bpf_t and label /sys/fs/bpf with this type

* Mon Mar 12 2018 Lukas Vrabec - 3.14.1-13
- allow bluetooth_t domain to create alg_socket bz(1554410)
- allow tor_t domain to execute bin_t files bz(1496274)
- allow iscsid_t domain to mmap kernel modules bz(1553759)
- update minidlna selinux policy bz(1554087)
- allow motion_t domain to read sysfs_t files bz(1554142)
- allow snapperd_t domain to getattr on all files, dirs, sockets, pipes bz(1551738)
- allow l2tp_t domain to read ipsec config files bz(1545348)
- allow colord_t to mmap home user files bz(1551033)
- dontaudit httpd_t creating kobject uevent sockets bz(1552536)
- allow ipmievd_t to mmap kernel modules bz(1552535)
- allow boinc_t domain to read cgroup files bz(1468381)
- backport allow rules from refpolicy upstream repo
- allow gpg_t domain to bind on all unreserved udp ports
- allow systemd to create systemd_rfkill_var_lib_t dirs bz(1502164)
- allow netlabel_mgmt_t domain to read sssd public files, stream connect to sssd_t bz(1483655)
- allow xdm_t domain to sys_ptrace bz(1554150)
- allow application_domain_type also mmap inherited user temp files bz(1552765)
- update ipsec_read_config() interface
- fix broken sysadm selinux module
- allow ipsec_t to search for bind cache bz(1542746)
- allow staff_t to send sigkill to mount_t domain bz(1544272)
- label /run/systemd/resolve/stub-resolv.conf as net_conf_t bz(1471545)
- label ip6tables.init as iptables_exec_t bz(1551463)
- allow hostname_t to use usb ttys bz(1542903)
- add fsetid capability to updpwd_t domain bz(1543375)
- allow systemd machined send signal to all domains bz(1372644)
- dontaudit create netlink selinux sockets for unpriv selinux users bz(1547876)
- allow sysadm_t to create netlink generic sockets bz(1547874)
- allow passwd_t domain chroot
- dontaudit confined unprivileged users setuid capability

* Tue Mar 06 2018 Lukas Vrabec - 3.14.1-12
- Allow l2tpd_t domain to create pppox sockets
- Update dbus_system_bus_client() so calling domain could read also system_dbusd_var_lib_t link files BZ(1544251)
- Add interface abrt_map_cache()
- Update gnome_manage_home_config() to allow also map permission BZ(1544270)
- Allow oddjob_mkhomedir_t domain to be dbus system client BZ(1551770)
- Dontaudit kernel bug when several services requesting load kernel module
- Allow traceroute and unconfined domains creating sctp sockets
- Add interface corenet_sctp_bind_generic_node()
- Allow ping_t domain to create icmp sockets
- Allow staff_t to mmap abrt_var_cache_t BZ(1544273)
- Fix typo bug in dev_map_framebuffer() interface BZ(1551842)
- Dontaudit kernel bug when several services requesting load kernel module

* Mon Mar 05 2018 Lukas Vrabec - 3.14.1-11
- Allow vdagent_t domain search cgroup dirs BZ(1541564)
- Allow bluetooth_t domain listen on bluetooth sockets BZ(1549247)
- Allow bluetooth domain creating bluetooth sockets BZ(1551577)
- pki_log_t should be log_file
- Allow gpgdomain to unix_stream socket connectto
- Make working gpg agent in gpg_agent_t domain
- Dontaudit thumb_t to rw lvm pipes BZ(154997)
- Allow start cups_lpd via systemd socket activation BZ(1532015)
- Improve screen_role_template
Resolves: rhbz#1534111
- Dontaudit modemmanager to setpgid. BZ(1520482)
- Dontaudit kernel bug when systemd requesting load kernel module BZ(1547227)
- Allow systemd-networkd to create netlink generic sockets BZ(1551578)
- refpolicy: Define getrlimit permission for class process
- refpolicy: Define smc_socket security class
- Allow transition from sysadm role into mdadm_t domain.
- ssh_t trying to communicate with gpg agent not sshd_t
- Allow sshd_t communicate with gpg_agent_t
- Allow initrc domains to mmap binaries with direct_init_entry attribute BZ(1545643)
- Revert "Allow systemd_rfkill_t domain to request kernel load module BZ(1543650)"
- Revert "Allow systemd to request load kernel module BZ(1547227)"
- Allow systemd to write to all pidfile sockets because of SocketActivation unit option ListenStream= BZ(1543576)
- Add interface lvm_dontaudit_rw_pipes() BZ(154997)
- Add interfaces for systemd socket activation
- Allow systemd-resolved to create stub-resolv.conf with right label net_conf_t BZ(1547098)

* Thu Feb 22 2018 Lukas Vrabec - 3.14.1-10
- refpolicy: Define extended_socket_class policy capability and socket classes
- Make bluetooth_var_lib_t as mountpoint BZ(1547416)
- Allow systemd to request load kernel module BZ(1547227)
- Allow ipsec_t domain to read l2tpd pid files
- Allow sysadm to read/write trace filesystem BZ(1547875)
- Allow syslogd_t to mmap systemd coredump tmpfs files BZ(1547761)

* Tue Feb 20 2018 Lukas Vrabec - 3.14.1-9
- Fix broken cups Security Module
- Allow dnsmasq_t domain dbus chat with unconfined users.
BZ(1532079)- Allow geoclue to connect to tcp nmea port BZ(1362118)- Allow pcp_pmcd_t to read mock lib files BZ(1536152)- Allow abrt_t domain to mmap passwd file BZ(1540666)- Allow gpsd_t domain to get session id of another process BZ(1540584)- Allow httpd_t domain to mmap httpd_tmpfs_t files BZ(1540405)- Allow cluster_t dbus chat with systemd BZ(1540163)- Add interface raid_stream_connect()- Allow nscd_t to mmap nscd_var_run_t files BZ(1536689)- Allow dovecot_delivery_t to mmap mail_home_rw_t files BZ(1531911)- Make cups_pdf_t domain system dbusd client BZ(1532043)- Allow logrotate to read auditd_log_t files BZ(1525017)- Improve snapperd SELinux policy BZ(1514272)- Allow virt_domain to read virt_image_t files BZ(1312572)- Allow openvswitch_t stream connect svirt_t- Update dbus_dontaudit_stream_connect_system_dbusd() interface- Allow openvswitch domain to manage svirt_tmp_t sock files- Allow named_filetrans_domain domains to create .heim_org.h5l.kcm-socket sock_file with label sssd_var_run_t BZ(1538210)- Merge pull request #50 from dodys/pkcs- Label tcp and udp ports 10110 as nmea_port_t BZ(1362118)- Allow systemd to access rfkill lib dirs BZ(1539733)- Allow systemd to mamange raid var_run_t sockfiles and files BZ(1379044)- Allow vxfs filesystem to use SELinux labels- Allow systemd to setattr on systemd_rfkill_var_lib_t dirs BZ(1512231)- Allow few services to dbus chat with snapperd BZ(1514272)- Allow systemd to relabel system unit symlink to systemd_unit_file_t. 
BZ(1535180)- Fix logging as staff_u into Fedora 27- Fix broken systemd_tmpfiles_run() interface * Fri Feb 09 2018 Igor Gnatenko - 3.14.1-8- Escape macros in %changelog * Thu Feb 08 2018 Lukas Vrabec - 3.14.1-7- Label /usr/sbin/ldap-agent as dirsrv_snmp_exec_t- Allow certmonger_t domain to access /etc/pki/pki-tomcat BZ(1542600)- Allow keepalived_t domain getattr proc filesystem- Allow init_t to create UNIX sockets for unconfined services (BZ1543049)- Allow ipsec_mgmt_t execute ifconfig_exec_t binaries Allow ipsec_mgmt_t nnp domain transition to ifconfig_t- Allow ipsec_t nnp transistions to domains ipsec_mgmt_t and ifconfig_t * Tue Feb 06 2018 Lukas Vrabec - 3.14.1-6- Allow openvswitch_t domain to read cpuid, write to sysfs files and creating openvswitch_tmp_t sockets- Add new interface ppp_filetrans_named_content()- Allow keepalived_t read sysctl_net_t files- Allow puppetmaster_t domtran to puppetagent_t- Allow kdump_t domain to read kernel ring buffer- Allow boinc_t to mmap boinc tmpfs files BZ(1540816)- Merge pull request #47 from masatake/keepalived-signal- Allow keepalived_t create and write a file under /tmp- Allow ipsec_t domain to exec ifconfig_exec_t binaries.- Allow unconfined_domain_typ to create pppd_lock_t directory in /var/lock- Allow updpwd_t domain to create files in /etc with shadow_t label * Tue Jan 30 2018 Lukas Vrabec - 3.14.1-5- Allow opendnssec daemon to execute ods-signer BZ(1537971) * Tue Jan 30 2018 Lukas Vrabec - 3.14.1-4- rpm: Label /usr/share/rpm usr_t (ostree/Atomic systems)- Update dbus_role_template() BZ(1536218)- Allow lldpad_t domain to mmap own tmpfs files BZ(1534119)- Allow blueman_t dbus chat with policykit_t BZ(1470501)- Expand virt_read_lib_files() interface to allow list dirs with label virt_var_lib_t BZ(1507110)- Allow postfix_master_t and postfix_local_t to connect to system dbus. 
BZ(1530275)- Allow system_munin_plugin_t domain to read sssd public files and allow stream connect to ssd daemon BZ(1528471)- Allow rkt_t domain to bind on rkt_port_t tcp BZ(1534636)- Allow jetty_t domain to mmap own temp files BZ(1534628)- Allow sslh_t domain to read sssd public files and stream connect to sssd. BZ(1534624)- Consistently label usr_t for kernel/initrd in /usr- kernel/files.fc: Label /usr/lib/sysimage as usr_t- Allow iptables sysctl load list support with SELinux enforced- Label HOME_DIR/.config/systemd/user/ * user unit files as systemd_unit_file_t BZ(1531864) * Fri Jan 19 2018 Lukas Vrabec - 3.14.1-3- Merge pull request #45 from jlebon/pr/rot-sd-dbus-rawhide- Allow virt_domains to acces infiniband pkeys.- Allow systemd to relabelfrom tmpfs_t link files in /var/run/systemd/units/ BZ(1535180)- Label /usr/libexec/ipsec/addconn as ipsec_exec_t to run this script as ipsec_t instead of init_t- Allow audisp_remote_t domain write to files on all levels * Mon Jan 15 2018 Lukas Vrabec - 3.14.1-2- Allow aide to mmap usr_t files BZ(1534182)- Allow ypserv_t domain to connect to tcp ports BZ(1534245)- Allow vmtools_t domain creating vmware_log_t files- Allow openvswitch_t domain to acces infiniband devices- Allow dirsrv_t domain to create tmp link files- Allow pcp_pmie_t domain to exec itself. 
BZ(153326)- Update openvswitch SELinux module- Allow virtd_t to create also sock_files with label virt_var_run_t- Allow chronyc_t domain to manage chronyd_keys_t files.- Allow logwatch to exec journal binaries BZ(1403463)- Allow sysadm_t and staff_t roles to manage user systemd services BZ(1531864)- Update logging_read_all_logs to allow mmap all logfiles BZ(1403463)- Add Label systemd_unit_file_t for /var/run/systemd/units/ * Mon Jan 08 2018 Lukas Vrabec - 3.14.1-1- Removed big SELinux policy patches against tresys refpolicy and use tarballs from fedora-selinux github organisation * Mon Jan 08 2018 Lukas Vrabec - 3.13.1-310- Use python3 package in BuildRequires to ensure python version 3 will be used for compiling SELinux policy * Fri Jan 05 2018 Lukas Vrabec - 3.13.1-309- auth_use_nsswitch() interface cannot be used for attributes fixing munin policy- Allow git_script_t to mmap git_user_content_t files BZ(1530937)- Allow certmonger domain to create temp files BZ(1530795)- Improve interface mock_read_lib_files() to include also symlinks. BZ(1530563)- Allow fsdaemon_t to read nvme devices BZ(1530018)- Dontaudit fsdaemon_t to write to admin homedir. 
BZ(153030)- Update munin plugin policy BZ(1528471)- Allow sendmail_t domain to be system dbusd client BZ(1478735)- Allow amanda_t domain to getattr on tmpfs filesystem BZ(1527645)- Allow named file transition to create rpmrebuilddb dir with proper SELinux context BZ(1461313)- Dontaudit httpd_passwd_t domain to read state of systemd BZ(1522672)- Allow thumb_t to mmap non security files BZ(1517393)- Allow smbd_t to mmap files with label samba_share_t BZ(1530453)- Fix broken sysnet_filetrans_named_content() interface- Allow init_t to create tcp sockets for unconfined services BZ(1366968)- Allow xdm_t to getattr on xserver_t process files BZ(1506116)- Allow domains which can create resolv.conf file also create it in systemd_resolved_var_run_t dir BZ(1530297)- Allow X userdomains to send dgram msgs to xserver_t BZ(1515967)- Add interface files_map_non_security_files() * Thu Jan 04 2018 Lukas Vrabec - 3.13.1-308- Make working SELinux sandbox with Wayland. BZ(1474082)- Allow postgrey_t domain to mmap postgrey_spool_t files BZ(1529169)- Allow dspam_t to mmap dspam_rw_content_t files BZ(1528723)- Allow collectd to connect to lmtp_port_t BZ(1304029)- Allow httpd_t to mmap httpd_squirrelmail_t files BZ(1528776)- Allow thumb_t to mmap removable_t files. BZ(1522724)- Allow sssd_t and login_pgm attribute to mmap auth_cache_t files BZ(1530118)- Add interface fs_mmap_removable_files() * Tue Dec 19 2017 Lukas Vrabec - 3.13.1-307- Allow crond_t to read pcp lib files BZ(1525420)- Allow mozilla plugin domain to mmap user_home_t files BZ(1452783)- Allow certwatch_t to mmap generic certs. BZ(1527173)- Allow dspam_t to manage dspam_rw_conent_t objects. BZ(1290876)- Add interface userdom_map_user_home_files()- Sytemd introduced new feature when journald(syslogd_t) is trying to read symlinks to unit files in /run/systemd/units. This commit label /run/systemd/units/ * as systemd_unit_file_t and allow syslogd_t to read this content. 
BZ(1527202)- Allow xdm_t dbus chat with modemmanager_t BZ(1526722)- All domains accessing home_cert_t objects should also mmap it. BZ(1519810) * Wed Dec 13 2017 Lukas Vrabec - 3.13.1-306- Allow thumb_t domain to dosfs_t BZ(1517720)- Allow gssd_t to read realmd_var_lib_t files BZ(1521125)- Allow domain transition from logrotate_t to chronyc_t BZ(1436013)- Allow git_script_t to mmap git_sys_content_t BZ(1517541)- Label /usr/bin/mysqld_safe_helper as mysqld_exec_t instead of bin_t BZ(1464803)- Label /run/openvpn-server/ as openvpn_var_run_t BZ(1478642)- Allow colord_t to mmap xdm pid files BZ(1518382)- Allow arpwatch to mmap usbmon device BZ(152456)- Allow mandb_t to read public sssd files BZ(1514093)- Allow ypbind_t stream connect to rpcbind_t domain BZ(1508659)- Allow qpid to map files.- Allow plymouthd_t to mmap firamebuf device BZ(1517405)- Dontaudit pcp_pmlogger_t to sys_ptrace capability BZ(1416611)- Update mta_manage_spool() interface to allow caller domain also mmap mta_spool_t files BZ(1517449)- Allow antivirus_t domain to mmap antivirus_db_t files BZ(1516816)- Allow cups_pdf_t domain to read cupd_etc_t dirs BZ(1516282)- Allow openvpn_t domain to relabel networkmanager tun device BZ(1436048)- Allow mysqld_t to mmap mysqld_tmp_t files BZ(1516899)- Update samba_manage_var_files() interface by adding map permission. BZ(1517125)- Allow pcp_pmlogger_t domain to execute itself. BZ(1517395)- Dontaudit sys_ptrace capability for mdadm_t BZ(1515849)- Allow pulseaudio_t domain to mmap pulseaudio_home_t files BZ(1515956)- Allow bugzilla_script_t domain to create netlink route sockets and udp sockets BZ(1427019)- Add interface fs_map_dos_files()- Update interface userdom_manage_user_home_content_files() to allow caller domain to mmap user_home_t files. 
BZ(1519729)- Add interface xserver_map_xdm_pid() BZ(1518382)- Add new interface dev_map_usbmon_dev() BZ(1524256)- Update miscfiles_read_fonts() interface to allow also mmap fonts_cache_t for caller domains BZ(1521137)- Allow ipsec_t to mmap cert_t and home_cert_t files BZ(1519810)- Fix typo in filesystem.if- Add interface dev_map_framebuffer()- Allow chkpwd command to mmap /etc/shadow BZ(1513704)- Fix systemd-resolved to run properly with SELinux in enforcing state BZ(1517529)- Allow thumb_t domain to mmap fusefs_t files BZ(1517517)- Allow userdom_home_reader_type attribute to mmap cifs_t files BZ(1517125)- Add interface fs_map_cifs_files()- Merge pull request #207 from rhatdan/labels- Merge pull request #208 from rhatdan/logdir- Allow domains that manage logfiles to man logdirs * Fri Nov 24 2017 Lukas Vrabec - 3.13.1-305- Make ganesha nfs server * Tue Nov 21 2017 Lukas Vrabec - 3.13.1-304- Add interface raid_relabel_mdadm_var_run_content()- Fix iscsi SELinux module- Allow spamc_t domain to read home mail content BZ(1414366)- Allow sendmail_t to list postfix config dirs BZ(1514868)- Allow dovecot_t domain to mmap mail content in homedirs BZ(1513153)- Allow iscsid_t domain to requesting loading kernel modules BZ(1448877)- Allow svirt_t domain to mmap svirt_tmpfs_t files BZ(1515304)- Allow cupsd_t domain to localization BZ(1514350)- Allow antivirus_t nnp domain transition because of systemd security features. 
BZ(1514451)- Allow tlp_t domain transition to systemd_rfkill_t domain BZ(1416301)- Allow abrt_t domain to mmap fusefs_t files BZ(1515169)- Allow memcached_t domain nnp_transition becuase of systemd security features BZ(1514867)- Allow httpd_t domain to mmap all httpd content type BZ(1514866)- Allow mandb_t to read /etc/passwd BZ(1514903)- Allow mandb_t domain to mmap files with label mandb_cache_t BZ(1514093)- Allow abrt_t domain to mmap files with label syslogd_var_run_t BZ(1514975)- Allow nnp transition for systemd-networkd daemon to run in proper SELinux domain BZ(1507263)- Allow systemd to read/write to mount_var_run_t files BZ(1515373)- Allow systemd to relabel mdadm_var_run_t sock files BZ(1515373)- Allow home managers to mmap nfs_t files BZ(1514372)- Add interface fs_mmap_nfs_files()- Allow systemd-mount to create new directory for mountpoint BZ(1514880)- Allow getty to use usbttys- Add interface systemd_rfkill_domtrans()- Allow syslogd_t to mmap files with label syslogd_var_lib_t BZ(1513403)- Add interface fs_mmap_fusefs_files()- Allow ipsec_t domain to mmap files with label ipsec_key_file_t BZ(1514251) * Thu Nov 16 2017 Lukas Vrabec - 3.13.1-303- Allow pcp_pmlogger to send logs to journal BZ(1512367)- Merge pull request #40 from lslebodn/kcm_kerberos- Allow services to use kerberos KCM BZ(1512128)- Allow system_mail_t domain to be system_dbus_client BZ(1512476)- Allow aide domain to stream connect to sssd_t BZ(1512500)- Allow squid_t domain to mmap files with label squid_tmpfs_t BZ(1498809)- Allow nsd_t domain to mmap files with labels nsd_tmp_t and nsd_zone_t BZ(1511269)- Include cupsd_config_t domain into cups_execmem boolean. 
BZ(1417584)- Allow samba_net_t domain to mmap samba_var_t files BZ(1512227)- Allow lircd_t domain to execute shell BZ(1512787)- Allow thumb_t domain to setattr on cache_home_t dirs BZ(1487814)- Allow redis to creating tmp files with own label BZ(1513518)- Create new interface thumb_nnp_domtrans allowing domaintransition with NoNewPrivs. This interface added to thumb_run() BZ(1509502)- Allow httpd_t to mmap httpd_tmp_t files BZ(1502303)- Add map permission to samba_rw_var_files interface. BZ(1513908)- Allow cluster_t domain creating bundles directory with label var_log_t instead of cluster_var_log_t- Add dac_read_search and dac_override capabilities to ganesha- Allow ldap_t domain to manage also slapd_tmp_t lnk files- Allow snapperd_t domain to relabeling from snapperd_data_t BZ(1510584)- Add dac_override capability to dhcpd_t doamin BZ(1510030)- Allow snapperd_t to remove old snaps BZ(1510862)- Allow chkpwd_t domain to mmap system_db_t files and be dbus system client BZ(1513704)- Allow xdm_t send signull to all xserver unconfined types BZ(1499390)- Allow fs associate for sysctl_vm_t BZ(1447301)- Label /etc/init.d/vboxdrv as bin_t to run virtualbox as unconfined_service_t BZ(1451479)- Allow xdm_t domain to read usermodehelper_t state BZ(1412609)- Allow dhcpc_t domain to stream connect to userdomain domains BZ(1511948)- Allow systemd to mmap kernel modules BZ(1513399)- Allow userdomains to mmap fifo_files BZ(1512242)- Merge pull request #205 from rhatdan/labels- Add map permission to init_domtrans() interface BZ(1513832)- Allow xdm_t domain to mmap and execute files in xdm_var_run_t BZ(1513883)- Unconfined domains, need to create content with the correct labels- Container runtimes are running iptables within a different user namespace- Add interface files_rmdir_all_dirs() * Mon Nov 06 2017 Lukas Vrabec - 3.13.1-302- Allow jabber domains to connect to postgresql ports- Dontaudit slapd_t to block suspend system- Allow spamc_t to stream connect to cyrys.- Allow 
passenger to connect to mysqld_port_t- Allow ipmievd to use nsswitch- Allow chronyc_t domain to use user_ptys- Label all files /var/log/opensm. * as opensm_log_t because opensm creating new log files with name opensm-subnet.lst- Fix typo bug in tlp module- Allow userdomain gkeyringd domain to create stream socket with userdomain * Fri Nov 03 2017 Lukas Vrabec - 3.13.1-301- Merge pull request #37 from milosmalik/rawhide- Allow mozilla_plugin_t domain to dbus chat with devicekit- Dontaudit leaked logwatch pipes- Label /usr/bin/VGAuthService as vmtools_exec_t to confine this daemon.- Allow httpd_t domain to execute hugetlbfs_t files BZ(1444546)- Allow chronyd daemon to execute chronyc. BZ(1507478)- Allow pdns to read network system state BZ(1507244)- Allow gssproxy to read network system state Resolves: rhbz#1507191- Allow nfsd_t domain to read configfs_t files/dirs- Allow tgtd_t domain to read generic certs- Allow ptp4l to send msgs via dgram socket to unprivileged user domains- Allow dirsrv_snmp_t to use inherited user ptys and read system state- Allow glusterd_t domain to create own tmpfs dirs/files- Allow keepalived stream connect to snmp * Thu Oct 26 2017 Lukas Vrabec - 3.13.1-300- Allow zabbix_t domain to change its resource limits- Add new boolean nagios_use_nfs- Allow system_mail_t to search network sysctls- Hide all allow rules with ptrace inside deny_ptrace boolean- Allow nagios_script_t to read nagios_spool_t files- Allow sbd_t to create own sbd_tmpfs_t dirs/files- Allow firewalld and networkmanager to chat with hypervkvp via dbus- Allow dmidecode to read rhsmcert_log_t files- Allow mail system to connect mariadb sockets.- Allow nmbd_t domain to mmap files labeled as samba_var_t. BZ(1505877)- Make user account setup in gnome-initial-setup working in Workstation Live system. BZ(1499170)- Allow iptables_t to run setfiles to restore context on system- Updatre unconfined_dontaudit_read_state() interface to dontaudit also acess to files. 
BZ(1503466) * Tue Oct 24 2017 Lukas Vrabec - 3.13.1-299- Label /usr/libexec/bluetooth/obexd as bluetoothd_exec_t to run process as bluetooth_t- Allow chronyd_t do request kernel module and block_suspend capability- Allow system_cronjob_t to create /var/lib/letsencrypt dir with right label- Allow slapd_t domain to mmap files labeled as slpad_db_t BZ(1505414)- Allow dnssec_trigger_t domain to execute binaries with dnssec_trigeer_exec_t BZ(1487912)- Allow l2tpd_t domain to send SIGKILL to ipsec_mgmt_t domains BZ(1505220)- Allow thumb_t creating thumb_home_t files in user_home_dir_t direcotry BZ(1474110)- Allow httpd_t also read httpd_user_content_type dirs when httpd_enable_homedirs is enables- Allow svnserve to use kerberos- Allow conman to use ptmx. Add conman_use_nfs boolean- Allow nnp transition for amavis and tmpreaper SELinux domains- Allow chronyd_t to mmap chronyc_exec_t binary files- Add dac_read_search capability to openvswitch_t domain- Allow svnserve to manage own svnserve_log_t files/dirs- Allow keepalived_t to search network sysctls- Allow puppetagent_t domain dbus chat with rhsmcertd_t domain- Add kill capability to openvswitch_t domain- Label also compressed logs in /var/log for different services- Allow inetd_child_t and system_cronjob_t to run chronyc.- Allow chrony to create netlink route sockets- Add SELinux support for chronyc- Add support for running certbot(letsencrypt) in crontab- Allow nnp trasintion for unconfined_service_t- Allow unpriv user domains and unconfined_service_t to use chronyc * Sun Oct 22 2017 Lukas Vrabec - 3.13.1-298- Drop *.lst files from file list- Ship file_contexts.homedirs in store- Allow proper transition when systems starting pdns to pdns_t domain. BZ(1305522)- Allow haproxy daemon to reexec itself. BZ(1447800)- Allow conmand to use usb ttys.- Allow systemd_machined to read mock lib files. 
BZ(1504493)- Allow systemd_resolved_t to dbusd chat with NetworkManager_t BZ(1505081) * Fri Oct 20 2017 Lukas Vrabec - 3.13.1-297- Fix typo in virt file contexts file- allow ipa_dnskey_t to read /proc/net/unix file- Allow openvswitch to run setfiles in setfiles_t domain.- Allow openvswitch_t domain to read process data of neutron_t domains- Fix typo in ipa_cert_filetrans_named_content() interface- Fix typo bug in summary of xguest SELinux module- Allow virtual machine with svirt_t label to stream connect to openvswitch.- Label qemu-pr-helper script as virt_exec_t so this script won\'t run as unconfined_service_t * Tue Oct 17 2017 Lukas Vrabec - 3.13.1-296- Merge pull request #19 from RodrigoQuesadaDev/snapper-fix-1- Allow httpd_t domain to mmap httpd_user_content_t files. BZ(1494852)- Add nnp transition rule for services using NoNewPrivileges systemd feature- Add map permission into dev_rw_infiniband_dev() interface to allow caller domain mmap infiniband chr device BZ(1500923)- Add init_nnp_daemon_domain interface- Allow nnp transition capability- Merge pull request #204 from konradwilk/rhbz1484908- Label postgresql-check-db-dir as postgresql_exec_t * Tue Oct 10 2017 Lukas Vrabec - 3.13.1-295- Allow boinc_t to mmap files with label boinc_project_var_lib_t BZ(1500088)- Allow fail2ban_t domain to mmap journals. BZ(1500089)- Add dac_override to abrt_t domain BZ(1499860)- Allow pppd domain to mmap own pid files BZ(1498587)- Allow webserver services to mmap files with label httpd_sys_content_t BZ(1498451)- Allow tlp domain to read sssd public files Allow tlp domain to mmap kernel modules- Allow systemd to read sysfs sym links. BZ(1499327)- Allow systemd to mmap systemd_networkd_exec_t files BZ(1499863)- Make systemd_networkd_var_run as mountpoint BZ(1499862)- Allow noatsecure for java-based unconfined services. BZ(1358476)- Allow systemd_modules_load_t domain to mmap kernel modules. 
BZ(1490015) * Mon Oct 09 2017 Lukas Vrabec - 3.13.1-294- Allow cloud-init to create content in /var/run/cloud-init- Dontaudit VM to read gnome-boxes process data BZ(1415975)- Allow winbind_t domain mmap samba_var_t files- Allow cupsd_t to execute ld_so_cache_t BZ(1478602)- Update dev_rw_xserver_misc() interface to allo source domains to mmap xserver devices BZ(1334035)- Add dac_override capability to groupadd_t domain BZ(1497091)- Allow unconfined_service_t to start containers * Sun Oct 08 2017 Petr Lautrbach - 3.13.1-293- Drop policyhelp utility BZ(1498429) * Tue Oct 03 2017 Lukas Vrabec - 3.13.1-292- Allow cupsd_t to execute ld_so_cache_t BZ(1478602)- Allow firewalld_t domain to change object identity because of relabeling after using firewall-cmd BZ(1469806)- Allow postfix_cleanup_t domain to stream connect to all milter sockets BZ(1436026)- Allow nsswitch_domain to read virt_var_lib_t files, because of libvirt NSS plugin. BZ(1487531)- Add unix_stream_socket recvfrom perm for init_t domain BZ(1496318)- Allow systemd to maange sysfs BZ(1471361) * Tue Oct 03 2017 Lukas Vrabec - 3.13.1-291- Switch default value of SELinux boolean httpd_graceful_shutdown to off. * Fri Sep 29 2017 Lukas Vrabec - 3.13.1-290- Allow virtlogd_t domain to write inhibit systemd pipes.- Add dac_override capability to openvpn_t domain- Add dac_override capability to xdm_t domain- Allow dac_override to groupadd_t domain BZ(1497081)- Allow cloud-init to create /var/run/cloud-init dir with net_conf_t SELinux label.BZ(1489166) * Wed Sep 27 2017 Lukas Vrabec - 3.13.1-289- Allow tlp_t domain stream connect to sssd_t domain- Add missing dac_override capability- Add systemd_tmpfiles_t dac_override capability * Fri Sep 22 2017 Lukas Vrabec - 3.13.1-288- Remove all unnecessary dac_override capability in SELinux modules * Fri Sep 22 2017 Lukas Vrabec - 3.13.1-287- Allow init noatsecure httpd_t- Allow mysqld_t domain to mmap mysqld db files. 
BZ(1483331)- Allow unconfined_t domain to create new users with proper SELinux lables- Allow init noatsecure httpd_t- Label tcp port 3269 as ldap_port_t * Mon Sep 18 2017 Lukas Vrabec - 3.13.1-286- Add new boolean tomcat_read_rpm_db()- Allow tomcat to connect on mysqld tcp ports- Add new interface apache_delete_tmp()- Add interface fprintd_exec()- Add interface fprintd_mounton_var_lib()- Allow mozilla plugin to mmap video devices BZ(1492580)- Add ctdbd_t domain sys_source capability and allow setrlimit- Allow systemd-logind to use ypbind- Allow systemd to remove apache tmp files- Allow ldconfig domain to mmap ldconfig cache files- Allow systemd to exec fprintd BZ(1491808)- Allow systemd to mounton fprintd lib dir * Thu Sep 14 2017 Lukas Vrabec - 3.13.1-285- Allow svirt_t read userdomain state * Thu Sep 14 2017 Lukas Vrabec - 3.13.1-284- Allow mozilla_plugins_t domain mmap mozilla_plugin_tmpfs_t files- Allow automount domain to manage mount pid files- Allow stunnel_t domain setsched- Add keepalived domain setpgid capability- Merge pull request #24 from teg/rawhide- Merge pull request #28 from lslebodn/revert_1e8403055- Allow sysctl_irq_t assciate with proc_t- Enable cgourp sec labeling- Allow sshd_t domain to send signull to xdm_t processes * Tue Sep 12 2017 Lukas Vrabec - 3.13.1-283- Allow passwd_t domain mmap /etc/shadow and /etc/passwd- Allow pulseaudio_t domain to map user tmp files- Allow mozilla plugin to mmap mozilla tmpfs files * Mon Sep 11 2017 Lukas Vrabec - 3.13.1-282- Add new bunch of map rules- Merge pull request #25 from NetworkManager/nm-ovs- Make working webadm_t userdomain- Allow redis domain to execute shell scripts.- Allow system_cronjob_t to create redhat-access-insights.log with var_log_t- Add couple capabilities to keepalived domain and allow get attributes of all domains- Allow dmidecode read rhsmcertd lock files- Add new interface rhsmcertd_rw_lock_files()- Add new bunch of map rules- Merge pull request #199 from mscherer/add_conntrackd- Add 
support labeling for vmci and vsock device- Add userdom_dontaudit_manage_admin_files() interface * Mon Sep 11 2017 Lukas Vrabec - 3.13.1-281- Allow domains reading raw memory also use mmap. * Thu Sep 07 2017 Lukas Vrabec - 3.13.1-280- Add rules fixing installing ipa-server-install with SELinux in Enforcing. BZ(1488404)- Fix denials during ipa-server-install process on F27+- Allow httpd_t to mmap cert_t- Add few rules to make tlp_t domain working in enforcing mode- Allow cloud_init_t to dbus chat with systemd_timedated_t- Allow logrotate_t to write to kmsg- Add capability kill to rhsmcertd_t- Allow winbind to manage smbd_tmp_t files- Allow groupadd_t domain to dbus chat with systemd.BZ(1488404)- Add interface miscfiles_map_generic_certs() * Tue Sep 05 2017 Lukas Vrabec - 3.13.1-279- Allow abrt_dump_oops_t to read sssd_public_t files- Allow cockpit_ws_t to mmap usr_t files- Allow systemd to read/write dri devices. * Thu Aug 31 2017 Lukas Vrabec - 3.13.1-278- Add couple rules related to map permissions- Allow ddclient use nsswitch BZ(1456241)- Allow thumb_t domain getattr fixed_disk device. 
BZ(1379137)- Add interface dbus_manage_session_tmp_dirs()- Dontaudit useradd_t sys_ptrace BZ(1480121)- Allow ipsec_t can exec ipsec_exec_t- Allow systemd_logind_t to mamange session_dbusd_tmp_t dirs * Mon Aug 28 2017 Lukas Vrabec - 3.13.1-277- Allow cupsd_t to execute ld_so_cache- Add cgroup_seclabel policycap.- Allow xdm_t to read systemd hwdb- Add new interface systemd_hwdb_mmap_config()- Allow auditd_t domain to mmap conf files labeled as auditd_etc_t BZ(1485050) * Sat Aug 26 2017 Lukas Vrabec - 3.13.1-276- Allow couple map rules * Wed Aug 23 2017 Lukas Vrabec - 3.13.1-275- Make confined users working- Allow ipmievd_t domain to load kernel modules- Allow logrotate to reload transient systemd unit * Wed Aug 23 2017 Lukas Vrabec - 3.13.1-274- Allow postgrey to execute bin_t files and add postgrey into nsswitch_domain- Allow nscd_t domain to search network sysctls- Allow iscsid_t domain to read mount pid files- Allow ksmtuned_t domain manage sysfs_t files/dirs- Allow keepalived_t domain domtrans into iptables_t- Allow rshd_t domain reads net sysctls- Allow systemd to create syslog netlink audit socket- Allow ifconfig_t domain unmount fs_t- Label /dev/gpiochip * devices as gpio_device_t * Tue Aug 22 2017 Lukas Vrabec - 3.13.1-273- Allow dirsrv_t domain use mmap on files labeled as dirsrv_var_run_t BZ(1483170)- Allow just map permission insead of using mmap_file_pattern because mmap_files_pattern allows also executing objects.- Label /var/run/agetty.reload as getty_var_run_t- Add missing filecontext for sln binary- Allow systemd to read/write to event_device_t BZ(1471401) * Tue Aug 15 2017 Lukas Vrabec - 3.13.1-272- Allow sssd_t domain to map sssd_var_lib_t files- allow map permission where needed- contrib: allow map permission where needed- Allow syslogd_t to map syslogd_var_run_t files- allow map permission where needed * Mon Aug 14 2017 Lukas Vrabec - 3.13.1-271- Allow tomcat_t domain couple capabilities to make working tomcat-jsvc- Label /usr/libexec/sudo/sesh as 
shell_exec_t * Thu Aug 10 2017 Lukas Vrabec - 3.13.1-270- refpolicy: Infiniband pkeys and endport * Thu Aug 10 2017 Lukas Vrabec - 3.13.1-269- Allow osad make executable an anonymous mapping or private file mapping that is writable BZ(1425524)- After fix in kernel where LSM hooks for dac_override and dac_search_read capability was swaped we need to fix it also in policy- refpolicy: Define and allow map permission- init: Add NoNewPerms support for systemd.- Add nnp_nosuid_transition policycap and related class/perm definitions. * Mon Aug 07 2017 Petr Lautrbach - 3.13.1-268- Update for SELinux userspace release 20170804 / 2.7- Omit precompiled regular expressions from file_contexts.bin files | |