SEARCH
NEW RPMS
DIRECTORIES
ABOUT
FAQ
VARIOUS
BLOG

 
 
Changelog for selinux-policy-minimum-41.27-1.fc42.noarch.rpm :

* Tue Dec 17 2024 Zdenek Pytela - 41.27-1- Update ktlsh policy- Allow request-key to read /etc/passwd- Allow request-key to manage all domains\' keys- Add support for the KVM guest memfd anon inodes- Allow auditctl signal auditd- Dontaudit systemd-coredump the sys_resource capability- Allow traceroute_t bind rawip sockets to unreserved ports- Fix the cups_read_pid_files() interface to use read_files_pattern- Allow virtqemud additional permissions for tmpfs_t blk devices- Allow virtqemud rw access to svirt_image_t chr files- Allow virtqemud rw and setattr access to fixed block devices- Label /etc/mdevctl.d/scripts.d with bin_t- Allow virtqemud open svirt_devpts_t char files- Allow virtqemud relabelfrom virt_log_t files- Allow svirt_tcg_t read virtqemud_t fifo_files- Allow virtqemud rw and setattr access to sev devices- Allow virtqemud directly read and write to a fixed disk- Allow virtqemud_t relabel virt_var_lib_t files- Allow virtqemud_t relabel virtqemud_var_run_t sock_files- Add gnome_filetrans_gstreamer_admin_home_content() interface- Label /dev/swradio, /dev/v4l-subdev, /dev/v4l-touch with v4l_device_t- Make bootupd_t permissive- Allow init_t nnp domain transition to locate_t- allow gdm and iiosensorproxy talk to each other via D-bus- Allow systemd-journald getattr nsfs files- Allow sendmail to map mail server configuration files- Allow procmail to read mail aliases- Allow cifs.idmap helper to set attributes on kernel keys- Allow irqbalance setpcap capability in the user namespace- Allow sssd_selinux_manager_t the setcap process permission- Allow systemd-sleep manage efivarfs files- Allow systemd-related domains getattr nsfs files- Allow svirt_t the sys_rawio capability- Allow alsa watch generic device directories- Move systemd-homed interfaces to seperate optional_policy block- Update samba-bgqd policy- Update virtlogd policy- Allow svirt_t the sys_rawio capability- Allow qemu-ga the dac_override and dac_read_search capabilities- Allow bacula execute container in the container domain- Allow httpd get attributes of dirsrv unit files- Allow samba-bgqd read cups config files- Add label rshim_var_run_t for /run/rshim.pid
* Mon Dec 02 2024 Petr Lautrbach - 41.26-2- Rebuild with SELinux Userspace 3.8
* Tue Nov 19 2024 Zdenek Pytela - 41.26-1- [5/5][sync from \'mysql-selinux\'] Add mariadb-backup- [4/5][sync from \'mysql-selinux\'] Fix regex to also match \'/var/lib/mysql/mysqlx.sock\'- [3/5][sync from \'mysql-selinux\'] Allow mysqld_t to read and write to the \'memory.pressure\' file in cgroup2- [2/5][sync from \'mysql-selinux\'] 2nd attempt to fix rhbz#2186996 rhbz#2221433 rhbz#2245705- [1/5][sync from \'mysql-selinux\'] Allow \'mysqld\' to use \'/usr/bin/hostname\'- Allow systemd-networkd read mount pid files- Update policy for samba-bgqd- Allow chronyd read networkmanager\'s pid files- Allow staff user connect to generic tcp ports- Allow gnome-remote-desktop dbus chat with policykit- Allow tlp the setpgid process permission- Update the bootupd policy- Allow sysadm_t use the io_uring API- Allow sysadm user dbus chat with virt-dbus- Allow virtqemud_t read virsh_t files- Allow virt_dbus_t connect to virtd_t over a unix stream socket- Allow systemd-tpm2-generator read hardware state information- Allow coreos-installer-generator execute generic programs- Allow coreos-installer domain transition on udev execution- Revert \"Allow unconfined_t execute kmod in the kmod domain\"- Allow iio-sensor-proxy create and use unix dgram socket- Allow virtstoraged read vm sysctls- Support ssh connections via systemd-ssh-generator- Label all semanage store files in /etc as semanage_store_t- Add file transition for nvidia-modeset
* Fri Oct 25 2024 Zdenek Pytela - 41.25-1- Allow dirsrv-snmp map dirsv_tmpfs_t files- Label /usr/lib/node_modules_22/npm/bin with bin_t- Add policy for /usr/libexec/samba/samba-bgqd- Allow gnome-remote-desktop watch /etc directory- Allow rpcd read network sysctls- Allow journalctl connect to systemd-userdbd over a unix socket- Allow some confined users send to lldpad over a unix dgram socket- Allow lldpad send to unconfined_t over a unix dgram socket- Allow lldpd connect to systemd-machined over a unix socket- Confine the ktls service
* Wed Oct 23 2024 Zdenek Pytela - 41.24-1- Allow dirsrv read network sysctls- Label /run/sssd with sssd_var_run_t- Label /etc/sysctl.d and /run/sysctl.d with system_conf_t- Allow unconfined_t execute kmod in the kmod domain- Allow confined users r/w to screen unix stream socket- Label /root/.screenrc and /root/.tmux.conf with screen_home_t- Allow virtqemud read virtd_t files- Allow ping_t read network sysctls
* Mon Oct 21 2024 Zdenek Pytela - 41.23-1- Allow systemd-homework connect to init over a unix socket- Fix systemd-homed blobs directory permissions- Allow virtqemud read sgx_vepc devices- Allow lldpad create and use netlink_generic_socket
* Wed Oct 16 2024 Zdenek Pytela - 41.22-1- Allow systemd-homework write to init pid socket- Allow init create /var/cache/systemd/home- Confine the pcm service- Allow login_userdomain read thumb tmp files- Update power-profiles-daemon policy- Fix the /etc/mdevctl\\.d(/.
*)? regexp- Grant rhsmcertd chown capability & userdb access- Allow iio-sensor-proxy the bpf capability- Allow systemd-machined the kill user-namespace capability
* Fri Oct 11 2024 Zdenek Pytela - 41.21-1- Remove the fail2ban module sources- Remove the linuxptp module sources- Remove legacy rules for slrnpull- Remove the aiccu module sources- Remove the bcfg2 module sources- Remove the amtu module sources- Remove the rhev module sources- Remove all file context entries for /bin and /lib- Allow ptp4l the sys_admin capability- Confine power-profiles-daemon- Label /var/cache/systemd/home with systemd_homed_cache_t- Allow login_userdomain connect to systemd-homed over a unix socket- Allow boothd connect to systemd-homed over a unix socket- Allow systemd-homed get attributes of a tmpfs filesystem- Allow abrt-dump-journal-core connect to systemd-homed over a unix socket- Allow aide connect to systemd-homed over a unix socket- Label /dev/hfi1_[0-9]+ devices- Suppress semodule\'s stderr
* Thu Oct 03 2024 Zdenek Pytela - 41.20-1- Remove the openct module sources- Remove the timidity module sources- Enable the slrn module- Remove i18n_input module sources- Enable the distcc module- Remove the ddcprobe module sources- Remove the timedatex module sources- Remove the djbdns module sources- Confine iio-sensor-proxy- Allow staff user nlmsg_write- Update policy for xdm with confined users- Allow virtnodedev watch mdevctl config dirs- Allow ssh watch home config dirs- Allow ssh map home configs files- Allow ssh read network sysctls- Allow chronyc sendto to chronyd-restricted- Allow cups sys_ptrace capability in the user namespace
* Tue Sep 24 2024 Zdenek Pytela - 41.19-1- Add policy for systemd-homed- Remove fc entry for /usr/bin/pump- Label /usr/bin/noping and /usr/bin/oping with ping_exec_t- Allow accountsd read gnome-initial-setup tmp files- Allow xdm write to gnome-initial-setup fifo files- Allow rngd read and write generic usb devices- Allow qatlib search the content of the kernel debugging filesystem- Allow qatlib connect to systemd-machined over a unix socket
* Wed Sep 18 2024 Petr Lautrbach - 41.18-1- Drop ru man pages- mls/modules.conf - fix typo- Allow unprivileged user watch /run/systemd- Allow boothd connect to kernel over a unix socket
* Mon Sep 16 2024 Zdenek Pytela - 41.17-2- Relabel /etc/mdevctl.d
* Thu Sep 12 2024 Petr Lautrbach - 41.17-1- Clean up and sync securetty_types- Bring config files from dist-git into the source repo- Confine gnome-remote-desktop- Allow virtstoraged execute mount programs in the mount domain- Make mdevctl_conf_t member of the file_type attribute
* Fri Sep 06 2024 Zdenek Pytela - 41.16-1- Label /etc/mdevctl.d with mdevctl_conf_t- Sync users with Fedora targeted users- Update policy for rpc-virtstorage- Allow virtstoraged get attributes of configfs dirs- Fix SELinux policy for sandbox X server to fix \'sandbox -X\' command- Update bootupd policy when ESP is not mounted- Allow thumb_t map dri devices- Allow samba use the io_uring API- Allow the sysadm user use the secretmem API- Allow nut-upsmon read systemd-logind session files- Allow sysadm_t to create PF_KEY sockets- Update bootupd policy for the removing-state-file test- Allow coreos-installer-generator manage mdadm_conf_t files
* Thu Aug 29 2024 Zdenek Pytela - 41.15-1- Allow setsebool_t relabel selinux data files- Allow virtqemud relabelfrom virtqemud_var_run_t dirs- Use better escape method for \"interface\"- Allow init and systemd-logind to inherit fds from sshd- Allow systemd-ssh-generator read sysctl files- Sync modules.conf with Fedora targeted modules- Allow virtqemud relabel user tmp files and socket files- Add missing sys_chroot capability to groupadd policy- Label /run/libvirt/qemu/channel with virtqemud_var_run_t- Allow virtqemud relabelfrom also for file and sock_file- Add virt_create_log() and virt_write_log() interfaces- Call binaries without full path
* Mon Aug 12 2024 Zdenek Pytela - 41.14-1- Update libvirt policy- Add port 80/udp and 443/udp to http_port_t definition- Additional updates stalld policy for bpf usage- Label systemd-pcrextend and systemd-pcrlock properly- Allow coreos_installer_t work with partitions- Revert \"Allow coreos-installer-generator work with partitions\"- Add policy for systemd-pcrextend- Update policy for systemd-getty-generator- Allow ip command write to ipsec\'s logs- Allow virt_driver_domain read virtd-lxc files in /proc- Revert \"Allow svirt read virtqemud fifo files\"- Update virtqemud policy for libguestfs usage- Allow virtproxyd create and use its private tmp files- Allow virtproxyd read network state- Allow virt_driver_domain create and use log files in /var/log- Allow samba-dcerpcd work with ctdb cluster
* Tue Aug 06 2024 Zdenek Pytela - 41.13-1- Allow NetworkManager_dispatcher_t send SIGKILL to plugins- Allow setroubleshootd execute sendmail with a domain transition- Allow key.dns_resolve set attributes on the kernel key ring- Update qatlib policy for v24.02 with new features- Label /var/lib/systemd/sleep with systemd_sleep_var_lib_t- Allow tlp status power services- Allow virtqemud domain transition on passt execution- Allow virt_driver_domain connect to systemd-userdbd over a unix socket- Allow boothd connect to systemd-userdbd over a unix socket- Update policy for awstats scripts- Allow bitlbee execute generic programs in system bin directories- Allow login_userdomain read aliases file- Allow login_userdomain read ipsec config files- Allow login_userdomain read all pid files- Allow rsyslog read systemd-logind session files- Allow libvirt-dbus stream connect to virtlxcd
* Wed Jul 31 2024 Zdenek Pytela - 41.12-1- Update bootupd policy- Allow rhsmcertd read/write access to /dev/papr-sysparm- Label /dev/papr-sysparm and /dev/papr-vpd- Allow abrt-dump-journal-core connect to winbindd- Allow systemd-hostnamed shut down nscd- Allow systemd-pstore send a message to syslogd over a unix domain- Allow postfix_domain map postfix_etc_t files- Allow microcode create /sys/devices/system/cpu/microcode/reload- Allow rhsmcertd read, write, and map ica tmpfs files- Support SGX devices- Allow initrc_t transition to passwd_t- Update fstab and cryptsetup generators policy- Allow xdm_t read and write the dma device- Update stalld policy for bpf usage- Allow systemd_gpt_generator to getattr on DOS directories
* Thu Jul 25 2024 Zdenek Pytela - 41.11-1- Make cgroup_memory_pressure_t a part of the file_type attribute- Allow ssh_t to change role to system_r- Update policy for coreos generators- Allow init_t nnp domain transition to firewalld_t- Label /run/modprobe.d with modules_conf_t- Allow virtnodedevd run udev with a domain transition- Allow virtnodedev_t create and use virtnodedev_lock_t- Allow virtstoraged manage files with virt_content_t type- Allow virtqemud unmount a filesystem with extended attributes- Allow svirt_t connect to unconfined_t over a unix domain socket
* Mon Jul 22 2024 Zdenek Pytela - 41.10-1- Update afterburn file transition policy- Allow systemd_generator read attributes of all filesystems- Allow fstab-generator read and write cryptsetup-generator unit file- Allow cryptsetup-generator read and write fstab-generator unit file- Allow systemd_generator map files in /etc- Allow systemd_generator read init\'s process state- Allow coreos-installer-generator read sssd public files- Allow coreos-installer-generator work with partitions- Label /etc/mdadm.conf.d with mdadm_conf_t- Confine coreos generators- Label /run/metadata with afterburn_runtime_t- Allow afterburn list ssh home directory- Label samba certificates with samba_cert_t- Label /run/coreos-installer-reboot with coreos_installer_var_run_t- Allow virtqemud read virt-dbus process state- Allow staff user dbus chat with virt-dbus- Allow staff use watch /run/systemd- Allow systemd_generator to write kmsg
* Sat Jul 20 2024 Fedora Release Engineering - 41.9-2- Rebuilt for https://fedoraproject.org/wiki/Fedora_41_Mass_Rebuild
* Tue Jul 16 2024 Zdenek Pytela - 41.9-1- Allow virtqemud connect to sanlock over a unix stream socket- Allow virtqemud relabel virt_var_run_t directories- Allow svirt_tcg_t read vm sysctls- Allow virtnodedevd connect to systemd-userdbd over a unix socket- Allow svirt read virtqemud fifo files- Allow svirt attach_queue to a virtqemud tun_socket- Allow virtqemud run ssh client with a transition- Allow virt_dbus_t connect to virtqemud_t over a unix stream socket- Update keyutils policy- Allow sshd_keygen_t connect to userdbd over a unix stream socket- Allow postfix-smtpd read mysql config files- Allow locate stream connect to systemd-userdbd- Allow the staff user use wireshark- Allow updatedb connect to userdbd over a unix stream socket- Allow gpg_t set attributes of public-keys.d- Allow gpg_t get attributes of login_userdomain stream- Allow systemd_getty_generator_t read /proc/1/environ- Allow systemd_getty_generator_t to read and write to tty_device_t
* Thu Jul 11 2024 Petr Lautrbach 41.8-4- Move %postInstall to %posttrans- Use `Requires(meta): (rpm-plugin-selinux if rpm-libs)`- Drop obsolete modules from config- Install dnf protected files only when policy is built
* Thu Jul 11 2024 Zbigniew Jędrzejewski-Szmek - 41.8-3- Relabel files under /usr/bin to fix stale context after sbin merge
* Wed Jul 10 2024 Petr Lautrbach 41.8-2- Merge -base and -contrib
* Wed Jul 10 2024 Zdenek Pytela - 41.8-1- Drop publicfile module- Remove permissive domain for systemd_nsresourced_t- Change fs_dontaudit_write_cgroup_files() to apply to cgroup_t- Label /usr/bin/samba-gpupdate with samba_gpupdate_exec_t- Allow to create and delete socket files created by rhsm.service- Allow virtnetworkd exec shell when virt_hooks_unconfined is on- Allow unconfined_service_t transition to passwd_t- Support /var is empty- Allow abrt-dump-journal read all non_security socket files- Allow timemaster write to sysfs files- Dontaudit domain write cgroup files- Label /usr/lib/node_modules/npm/bin with bin_t- Allow ip the setexec permission- Allow systemd-networkd write files in /var/lib/systemd/network- Fix typo in systemd_nsresourced_prog_run_bpf()
* Fri Jun 28 2024 Zdenek Pytela - 41.7-1- Confine libvirt-dbus- Allow virtqemud the kill capability in user namespace- Allow rshim get options of the netlink class for KOBJECT_UEVENT family- Allow dhcpcd the kill capability- Allow systemd-networkd list /var/lib/systemd/network- Allow sysadm_t run systemd-nsresourced bpf programs- Update policy for systemd generators interactions- Allow create memory.pressure files with cgroup_memory_pressure_t- Add support for libvirt hooks
* Wed Jun 19 2024 Zdenek Pytela - 41.6-1- Allow certmonger read and write tpm devices- Allow all domains to connect to systemd-nsresourced over a unix socket- Allow systemd-machined read the vsock device- Update policy for systemd generators- Allow ptp4l_t request that the kernel load a kernel module- Allow sbd to trace processes in user namespace- Allow request-key execute scripts- Update policy for haproxyd
* Tue Jun 18 2024 Zdenek Pytela - 41.5-1- Update policy for systemd-nsresourced- Correct sbin-related file context entries
* Mon Jun 17 2024 Zdenek Pytela - 41.4-1- Allow login_userdomain execute systemd-tmpfiles in the caller domain- Allow virt_driver_domain read files labeled unconfined_t- Allow virt_driver_domain dbus chat with policykit- Allow virtqemud manage nfs files when virt_use_nfs boolean is on- Add rules for interactions between generators- Label memory.pressure files with cgroup_memory_pressure_t- Revert \"Allow some systemd services write to cgroup files\"- Update policy for systemd-nsresourced- Label /usr/bin/ntfsck with fsadm_exec_t- Allow systemd_fstab_generator_t read tmpfs files- Update policy for systemd-nsresourced- Alias /usr/sbin to /usr/bin and change all /usr/sbin paths to /usr/bin- Remove a few lines duplicated between {dkim,milter}.fc- Alias /bin → /usr/bin and remove redundant paths- Drop duplicate line for /usr/sbin/unix_chkpwd- Drop duplicate paths for /usr/sbin
* Tue Jun 11 2024 Zdenek Pytela - 41.3-1- Update systemd-generator policy- Remove permissive domain for bootupd_t- Remove permissive domain for coreos_installer_t- Remove permissive domain for afterburn_t- Add the sap module to modules.conf- Move unconfined_domain(sap_unconfined_t) to an optional block- Create the sap module- Allow systemd-coredumpd sys_admin and sys_resource capabilities- Allow systemd-coredump read nsfs files- Allow generators auto file transition only for plain files- Allow systemd-hwdb write to the kernel messages device- Escape \"interface\" as a file name in a virt filetrans pattern- Allow gnome-software work for login_userdomain- Allow systemd-machined manage runtime sockets- Revert \"Allow systemd-machined manage runtime sockets\"
* Fri Jun 07 2024 Zdenek Pytela - 41.2-1- Allow postfix_domain connect to postgresql over a unix socket- Dontaudit systemd-coredump sys_admin capability- Allow all domains read and write z90crypt device- Allow tpm2 generator setfscreate- Allow systemd (PID 1) manage systemd conf files- Allow pulseaudio map its runtime files- Update policy for getty-generator- Allow systemd-hwdb send messages to kernel unix datagram sockets- Allow systemd-machined manage runtime sockets
* Mon Jun 03 2024 Zdenek Pytela - 41.1-1- Allow fstab-generator create unit file symlinks- Update policy for cryptsetup-generator- Update policy for fstab-generator- Allow virtqemud read vm sysctls- Allow collectd to trace processes in user namespace- Allow bootupd search efivarfs dirs- Add policy for systemd-mountfsd- Add policy for systemd-nsresourced- Update policy generators- Add policy for anaconda-generator- Update policy for fstab and gpt generators- Add policy for kdump-dep-generator
* Thu May 30 2024 Zdenek Pytela - 40.21-1- Add policy for a generic generator- Add policy for tpm2 generator- Add policy for ssh-generator- Add policy for second batch of generators- Update policy for systemd generators- ci: Adjust Cockpit test plans
* Sun May 19 2024 Zdenek Pytela - 40.20-1- Allow journald read systemd config files and directories- Allow systemd_domain read systemd_conf_t dirs- Fix bad Python regexp escapes- Allow fido services connect to postgres database
* Fri May 17 2024 Zdenek Pytela - 40.19-1- Allow postfix smtpd map aliases file- Ensure dbus communication is allowed bidirectionally- Label systemd configuration files with systemd_conf_t- Label /run/systemd/machine with systemd_machined_var_run_t- Allow systemd-hostnamed read the vsock device- Allow sysadm execute dmidecode using sudo- Allow sudodomain list files in /var- Allow setroubleshootd get attributes of all sysctls- Allow various services read and write z90crypt device- Allow nfsidmap connect to systemd-homed- Allow sandbox_x_client_t dbus chat with accountsd- Allow system_cronjob_t dbus chat with avahi_t- Allow staff_t the io_uring sqpoll permission- Allow staff_t use the io_uring API- Add support for secretmem anon inode
* Thu May 16 2024 Adam Williamson - 40.18-3- Correct some errors in the RPM macro changes from -2
* Mon May 06 2024 Zdenek Pytela - 40.18-2- Update rpm configuration for the /var/run equivalency change
* Mon May 06 2024 Zdenek Pytela - 40.18-1- Allow virtqemud read vfio devices- Allow virtqemud get attributes of a tmpfs filesystem- Allow svirt_t read vm sysctls- Allow virtqemud create and unlink files in /etc/libvirt/- Allow virtqemud get attributes of cifs files- Allow virtqemud get attributes of filesystems with extended attributes- Allow virtqemud get attributes of NFS filesystems- Allow virt_domain read and write usb devices conditionally- Allow virtstoraged use the io_uring API- Allow virtstoraged execute lvm programs in the lvm domain- Allow virtnodevd_t map /var/lib files- Allow svirt_tcg_t map svirt_image_t files- Allow abrt-dump-journal-core connect to systemd-homed- Allow abrt-dump-journal-core connect to systemd-machined- Allow sssd create and use io_uring- Allow selinux-relabel-generator create units dir- Allow dbus-broker read/write inherited user ttys
* Thu Apr 25 2024 Zdenek Pytela - 40.17-1- Define transitions for /run/libvirt/common and /run/libvirt/qemu- Allow systemd-sleep read raw disk data- Allow numad to trace processes in user namespace- Allow abrt-dump-journal-core connect to systemd-userdbd- Allow plymouthd read efivarfs files- Update the auth_dontaudit_read_passwd_file() interface- Label /dev/mmcblk0rpmb character device with removable_device_t- fix hibernate on btrfs swapfile (F40)- Allow nut to statfs()- Allow system dbusd service status systemd services- Allow systemd-timedated get the timemaster service status
* Tue Apr 09 2024 Zdenek Pytela - 40.16-1- Allow keyutils-dns-resolver connect to the system log service- Allow qemu-ga read vm sysctls- postfix: allow qmgr to delete mails in bounce/ directory- policy: support pidfs- Confine selinux-autorelabel-generator.sh- Allow logwatch_mail_t read/write to init over a unix stream socket- Allow logwatch read logind sessions files- files_dontaudit_getattr_tmpfs_files allowed the access and didn\'t dontaudit it- files_dontaudit_mounton_modules_object allowed the access and didn\'t dontaudit it- Allow NetworkManager the sys_ptrace capability in user namespace- dontaudit execmem for modemmanager- Allow dhcpcd use unix_stream_socket- Allow dhcpc read /run/netns files
* Fri Mar 15 2024 Zdenek Pytela - 40.15-1- Update mmap_rw_file_perms to include the lock permission- Allow plymouthd log during shutdown- Add logging_watch_all_log_dirs() and logging_watch_all_log_files()- Allow journalctl_t read filesystem sysctls- Allow cgred_t to get attributes of cgroup filesystems- Allow wdmd read hardware state information- Allow wdmd list the contents of the sysfs directories- Allow linuxptp configure phc2sys and chronyd over a unix domain socket- Allow sulogin relabel tty1- Dontaudit sulogin the checkpoint_restore capability- Modify sudo_role_template() to allow getpgid- Remove incorrect \"local\" usage in varrun-convert.sh
* Thu Mar 07 2024 Zdenek Pytela - 40.14-2- Update varrun-convert.sh script to check for existing duplicate entries
* Mon Feb 26 2024 Zdenek Pytela - 40.14-1- Allow userdomain get attributes of files on an nsfs filesystem- Allow opafm create NFS files and directories- Allow virtqemud create and unlink files in /etc/libvirt/- Allow virtqemud domain transition on swtpm execution- Add the swtpm.if interface file for interactions with other domains- Allow samba to have dac_override capability- systemd: allow sys_admin capability for systemd_notify_t- systemd: allow systemd_notify_t to send data to kernel_t datagram sockets- Allow thumb_t to watch and watch_reads mount_var_run_t- Allow krb5kdc_t map krb5kdc_principal_t files- Allow unprivileged confined user dbus chat with setroubleshoot- Allow login_userdomain map files in /var- Allow wireguard work with firewall-cmd- Differentiate between staff and sysadm when executing crontab with sudo- Add crontab_admin_domtrans interface- Allow abrt_t nnp domain transition to abrt_handle_event_t- Allow xdm_t to watch and watch_reads mount_var_run_t- Dontaudit subscription manager setfscreate and read file contexts- Don\'t audit crontab_domain write attempts to user home- Transition from sudodomains to crontab_t when executing crontab_exec_t- Add crontab_domtrans interface- Fix label of pseudoterminals created from sudodomain- Allow utempter_t use ptmx- Dontaudit rpmdb attempts to connect to sssd over a unix stream socket- Allow admin user read/write on fixed_disk_device_t
* Mon Feb 12 2024 Zdenek Pytela - 40.13-1- Only allow confined user domains to login locally without unconfined_login- Add userdom_spec_domtrans_confined_admin_users interface- Only allow admindomain to execute shell via ssh with ssh_sysadm_login- Add userdom_spec_domtrans_admin_users interface- Move ssh dyntrans to unconfined inside unconfined_login tunable policy- Update ssh_role_template() for user ssh-agent type- Allow init to inherit system DBus file descriptors- Allow init to inherit fds from syslogd- Allow any domain to inherit fds from rpm-ostree- Update afterburn policy- Allow init_t nnp domain transition to abrtd_t
* Tue Feb 06 2024 Zdenek Pytela - 40.12-1- Rename all /var/lock file context entries to /run/lock- Rename all /var/run file context entries to /run- Invert the \"/var/run = /run\" equivalency
* Mon Feb 05 2024 Zdenek Pytela - 40.11-1- Replace init domtrans rule for confined users to allow exec init- Update dbus_role_template() to allow user service status- Allow polkit status all systemd services- Allow setroubleshootd create and use inherited io_uring- Allow load_policy read and write generic ptys- Allow gpg manage rpm cache- Allow login_userdomain name_bind to howl and xmsg udp ports- Allow rules for confined users logged in plasma- Label /dev/iommu with iommu_device_t- Remove duplicate file context entries in /run- Dontaudit getty and plymouth the checkpoint_restore capability- Allow su domains write login records- Revert \"Allow su domains write login records\"- Allow login_userdomain delete session dbusd tmp socket files- Allow unix dgram sendto between exim processes- Allow su domains write login records- Allow smbd_t to watch user_home_dir_t if samba_enable_home_dirs is on
* Wed Jan 24 2024 Zdenek Pytela - 40.10-1- Allow chronyd-restricted read chronyd key files- Allow conntrackd_t to use bpf capability2- Allow systemd-networkd manage its runtime socket files- Allow init_t nnp domain transition to colord_t- Allow polkit status systemd services- nova: Fix duplicate declarations- Allow httpd work with PrivateTmp- Add interfaces for watching and reading ifconfig_var_run_t- Allow collectd read raw fixed disk device- Allow collectd read udev pid files- Set correct label on /etc/pki/pki-tomcat/kra- Allow systemd domains watch system dbus pid socket files- Allow certmonger read network sysctls- Allow mdadm list stratisd data directories- Allow syslog to run unconfined scripts conditionally- Allow syslogd_t nnp_transition to syslogd_unconfined_script_t- Allow qatlib set attributes of vfio device files
* Tue Jan 09 2024 Zdenek Pytela - 40.9-1- Allow systemd-sleep set attributes of efivarfs files- Allow samba-dcerpcd read public files- Allow spamd_update_t the sys_ptrace capability in user namespace- Allow bluetooth devices work with alsa- Allow alsa get attributes filesystems with extended attributes
* Tue Jan 02 2024 Yaakov Selkowitz - 40.8-2- Limit %selinux_requires to version, not release
* Thu Dec 21 2023 Zdenek Pytela - 40.8-1- Allow hypervkvp_t write access to NetworkManager_etc_rw_t- Add interface for write-only access to NetworkManager rw conf- Allow systemd-sleep send a message to syslog over a unix dgram socket- Allow init create and use netlink netfilter socket- Allow qatlib load kernel modules- Allow qatlib run lspci- Allow qatlib manage its private runtime socket files- Allow qatlib read/write vfio devices- Label /etc/redis.conf with redis_conf_t- Remove the lockdown-class rules from the policy- Allow init read all non-security socket files- Replace redundant dnsmasq pattern macros- Remove unneeded symlink perms in dnsmasq.if- Add additions to dnsmasq interface- Allow nvme_stas_t create and use netlink kobject uevent socket- Allow collectd connect to statsd port- Allow keepalived_t to use sys_ptrace of cap_userns- Allow dovecot_auth_t connect to postgresql using UNIX socket
* Wed Dec 13 2023 Zdenek Pytela - 40.7-1- Make named_zone_t and named_var_run_t a part of the mountpoint attribute- Allow sysadm execute traceroute in sysadm_t domain using sudo- Allow sysadm execute tcpdump in sysadm_t domain using sudo- Allow opafm search nfs directories- Add support for syslogd unconfined scripts- Allow gpsd use /dev/gnss devices- Allow gpg read rpm cache- Allow virtqemud additional permissions- Allow virtqemud manage its private lock files- Allow virtqemud use the io_uring api- Allow ddclient send e-mail notifications- Allow postfix_master_t map postfix data files- Allow init create and use vsock sockets- Allow thumb_t append to init unix domain stream sockets- Label /dev/vas with vas_device_t- Change domain_kernel_load_modules boolean to true- Create interface selinux_watch_config and add it to SELinux users
* Tue Nov 28 2023 Zdenek Pytela - 40.6-1- Add afterburn to modules-targeted-contrib.conf- Update cifs interfaces to include fs_search_auto_mountpoints()- Allow sudodomain read var auth files- Allow spamd_update_t read hardware state information- Allow virtnetworkd domain transition on tc command execution- Allow sendmail MTA connect to sendmail LDA- Allow auditd read all domains process state- Allow rsync read network sysctls- Add dhcpcd bpf capability to run bpf programs- Dontaudit systemd-hwdb dac_override capability- Allow systemd-sleep create efivarfs files
* Tue Nov 14 2023 Zdenek Pytela - 40.5-1- Allow map xserver_tmpfs_t files when xserver_clients_write_xshm is on- Allow graphical applications work in Wayland- Allow kdump work with PrivateTmp- Allow dovecot-auth work with PrivateTmp- Allow nfsd get attributes of all filesystems- Allow unconfined_domain_type use io_uring cmd on domain- ci: Only run Rawhide revdeps tests on the rawhide branch- Label /var/run/auditd.state as auditd_var_run_t- Allow fido-device-onboard (FDO) read the crack database- Allow ip an explicit domain transition to other domains- Label /usr/libexec/selinux/selinux-autorelabel with semanage_exec_t- Allow winbind_rpcd_t processes access when samba_export_all_
* is on- Enable NetworkManager and dhclient to use initramfs-configured DHCP connection- Allow ntp to bind and connect to ntske port.- Allow system_mail_t manage exim spool files and dirs- Dontaudit keepalived setattr on keepalived_unconfined_script_exec_t- Label /run/pcsd.socket with cluster_var_run_t- ci: Run cockpit tests in PRs
* Thu Oct 19 2023 Zdenek Pytela - 40.4-1- Add map_read map_write to kernel_prog_run_bpf- Allow systemd-fstab-generator read all symlinks- Allow systemd-fstab-generator the dac_override capability- Allow rpcbind read network sysctls- Support using systemd containers- Allow sysadm_t to connect to iscsid using a unix domain stream socket- Add policy for coreos installer- Add coreos_installer to modules-targeted-contrib.conf
* Tue Oct 17 2023 Zdenek Pytela - 40.3-1- Add policy for nvme-stas- Confine systemd fstab,sysv,rc-local- Label /etc/aliases.lmdb with etc_aliases_t- Create policy for afterburn- Add nvme_stas to modules-targeted-contrib.conf- Add plans/tests.fmf
* Tue Oct 10 2023 Zdenek Pytela - 40.2-1- Add the virt_supplementary module to modules-targeted-contrib.conf- Make new virt drivers permissive- Split virt policy, introduce virt_supplementary module- Allow apcupsd cgi scripts read /sys- Merge pull request #1893 from WOnder93/more-early-boot-overlay-fixes- Allow kernel_t to manage and relabel all files- Add missing optional_policy() to files_relabel_all_files()
* Tue Oct 03 2023 Zdenek Pytela - 40.1-1- Allow named and ndc use the io_uring api- Deprecate common_anon_inode_perms usage- Improve default file context(None) of /var/lib/authselect/backups- Allow udev_t to search all directories with a filesystem type- Implement proper anon_inode support- Allow targetd write to the syslog pid sock_file- Add ipa_pki_retrieve_key_exec() interface- Allow kdumpctl_t to list all directories with a filesystem type- Allow udev additional permissions- Allow udev load kernel module- Allow sysadm_t to mmap modules_object_t files- Add the unconfined_read_files() and unconfined_list_dirs() interfaces- Set default file context of HOME_DIR/tmp/.
* to <>- Allow kernel_generic_helper_t to execute mount(1)
  
ICM