Changelog for
selinux-policy-minimum-40.29-2.fc40.noarch.rpm :
* Sat Oct 26 2024 Zdenek Pytela
- 40.29-2- Rebuild
* Fri Oct 25 2024 Zdenek Pytela - 40.29-1- Allow systemd-machined the kill user-namespace capability- Use better escape method for \"interface\"- Allow the sysadm user use the secretmem API- Allow boothd connect to systemd-userdbd over a unix socket- Allow staff user nlmsg_write- Update policy for xdm with confined users
* Wed Oct 02 2024 Zdenek Pytela - 40.28-1- Allow chronyc sendto to chronyd-restricted- Allow cups sys_ptrace capability in the user namespace- Allow abrt-dump-journal-core connect to winbindd- Allow sysadm_t to create PF_KEY sockets- Allow init and systemd-logind to inherit fds from sshd- Label /usr/bin/noping and /usr/bin/oping with ping_exec_t- Allow virtstoraged get attributes of configfs dirs- Update policy for rpc-virtstorage- Allow thumb_t map dri devices- Allow samba use the io_uring API- Allow nut-upsmon read systemd-logind session files- Support SGX devices
* Tue Aug 06 2024 Zdenek Pytela - 40.27-1- Allow NetworkManager_dispatcher_t send SIGKILL to plugins- Allow setroubleshootd execute sendmail with a domain transition- Allow key.dns_resolve set attributes on the kernel key ring- Update fstab and cryptsetup generators policy- Allow cryptsetup-generator read and write fstab-generator unit file- Allow postfix_domain map postfix_etc_t files- Update qatlib policy for v24.02 with new features- Label /var/lib/systemd/sleep with systemd_sleep_var_lib_t- Allow tlp status power services- Allow login_userdomain read aliases file- Allow login_userdomain read ipsec config files- Allow login_userdomain read all pid files- Allow xdm_t read and write the dma device- Allow rsyslog read systemd-logind session files
* Thu Jul 25 2024 Zdenek Pytela - 40.26-1- Label /run/modprobe.d with modules_conf_t- Allow virtstoraged manage files with virt_content_t type- Allow virtqemud unmount a filesystem with extended attributes- Allow svirt_t connect to unconfined_t over a unix domain socket- Allow ssh_t to change role to system_r- Allow systemd_getty_generator_t to read and write to tty_device_t
* Tue Jul 23 2024 Zdenek Pytela - 40.25-1- Allow virtqemud connect to sanlock over a unix stream socket- Allow virtqemud relabel virt_var_run_t directories- Allow svirt_tcg_t read vm sysctls- Allow virtnodedevd connect to systemd-userdbd over a unix socket- Allow svirt read virtqemud fifo files- Allow svirt attach_queue to a virtqemud tun_socket- Allow virtqemud run ssh client with a transition- Sync systemd-generator policy with rawhide- Allow staff use watch /run/systemd- Update keyutils policy- Allow updatedb connect to userdbd over a unix stream socket- Allow systemd-coredump read nsfs files
* Wed Jul 17 2024 Zdenek Pytela - 40.24-1- Allow the staff user use wireshark- Allow locate stream connect to systemd-userdbd- Allow postfix-smtpd read mysql config files- Allow virtnetworkd exec shell when virt_hooks_unconfined is on- Allow systemd-networkd write files in /var/lib/systemd/network- Allow systemd-networkd list /var/lib/systemd/network- Allow abrt-dump-journal read all non_security socket files- Add support for libvirt hooks- Allow to create and delete socket files created by rhsm.service
* Thu Jun 20 2024 Zdenek Pytela - 40.23-1- Synchronize policy for systemd-generators with rawhide- Allow certmonger read and write tpm devices- Allow virt_driver_domain dbus chat with policykit- Allow login_userdomain execute systemd-tmpfiles in the caller domain- Revert \"Allow systemd-machined manage runtime sockets\"- Label /usr/bin/ntfsck with fsadm_exec_t- Escape \"interface\" as a file name in a virt filetrans pattern- Allow gnome-software work for login_userdomain
* Sat Jun 08 2024 Zdenek Pytela - 40.22-1- Allow systemd-machined manage runtime sockets- Allow systemd-gpt-generator setfscreate- Allow bootupd search efivarfs dirs- Sync policy for confined systemd generators with rawhide- Update policy for fstab and gpt generators- Allow systemd (PID 1) manage systemd conf files- Allow pulseaudio map its runtime files- Update policy for getty-generator- Allow systemd-machined manage runtime sockets- Allow fstab-generator create unit file symlinks- Dontaudit systemd-coredump sys_admin capability- Update policy for fstab-generator- Allow virtqemud read vm sysctls- Add policy for second batch of generators- Update policy for systemd generators- ci: Adjust Cockpit test plans
* Fri May 31 2024 Zdenek Pytela - 40.21-1- Add policy for second batch of generators- Update policy for systemd generators- ci: Adjust Cockpit test plans
* Mon May 20 2024 Zdenek Pytela - 40.20-1- Allow journald read systemd config files and directories- Allow systemd_domain read systemd_conf_t dirs- Fix bad Python regexp escapes- Allow fido services connect to postgres database
* Fri May 17 2024 Zdenek Pytela - 40.19-1- Allow postfix smtpd map aliases file- Ensure dbus communication is allowed bidirectionally- Label systemd configuration files with systemd_conf_t- Label /run/systemd/machine with systemd_machined_var_run_t- Allow systemd-hostnamed read the vsock device- Allow sysadm execute dmidecode using sudo- Allow sudodomain list files in /var- Allow setroubleshootd get attributes of all sysctls- Allow various services read and write z90crypt device- Allow nfsidmap connect to systemd-homed- Allow sandbox_x_client_t dbus chat with accountsd- Allow system_cronjob_t dbus chat with avahi_t- Allow staff_t the io_uring sqpoll permission- Allow staff_t use the io_uring API- Add support for secretmem anon inode
* Thu May 16 2024 Adam Williamson - 40.18-3- Correct some errors in the RPM macro changes from -2
* Mon May 06 2024 Zdenek Pytela - 40.18-2- Update rpm configuration for the /var/run equivalency change
* Mon May 06 2024 Zdenek Pytela - 40.18-1- Allow virtqemud read vfio devices- Allow virtqemud get attributes of a tmpfs filesystem- Allow svirt_t read vm sysctls- Allow virtqemud create and unlink files in /etc/libvirt/- Allow virtqemud get attributes of cifs files- Allow virtqemud get attributes of filesystems with extended attributes- Allow virtqemud get attributes of NFS filesystems- Allow virt_domain read and write usb devices conditionally- Allow virtstoraged use the io_uring API- Allow virtstoraged execute lvm programs in the lvm domain- Allow virtnodevd_t map /var/lib files- Allow svirt_tcg_t map svirt_image_t files- Allow abrt-dump-journal-core connect to systemd-homed- Allow abrt-dump-journal-core connect to systemd-machined- Allow sssd create and use io_uring- Allow selinux-relabel-generator create units dir- Allow dbus-broker read/write inherited user ttys
* Thu Apr 25 2024 Zdenek Pytela - 40.17-1- Define transitions for /run/libvirt/common and /run/libvirt/qemu- Allow systemd-sleep read raw disk data- Allow numad to trace processes in user namespace- Allow abrt-dump-journal-core connect to systemd-userdbd- Allow plymouthd read efivarfs files- Update the auth_dontaudit_read_passwd_file() interface- Label /dev/mmcblk0rpmb character device with removable_device_t- fix hibernate on btrfs swapfile (F40)- Allow nut to statfs()- Allow system dbusd service status systemd services- Allow systemd-timedated get the timemaster service status
* Tue Apr 09 2024 Zdenek Pytela - 40.16-1- Allow keyutils-dns-resolver connect to the system log service- Allow qemu-ga read vm sysctls- postfix: allow qmgr to delete mails in bounce/ directory- policy: support pidfs- Confine selinux-autorelabel-generator.sh- Allow logwatch_mail_t read/write to init over a unix stream socket- Allow logwatch read logind sessions files- files_dontaudit_getattr_tmpfs_files allowed the access and didn\'t dontaudit it- files_dontaudit_mounton_modules_object allowed the access and didn\'t dontaudit it- Allow NetworkManager the sys_ptrace capability in user namespace- dontaudit execmem for modemmanager- Allow dhcpcd use unix_stream_socket- Allow dhcpc read /run/netns files
* Fri Mar 15 2024 Zdenek Pytela - 40.15-1- Update mmap_rw_file_perms to include the lock permission- Allow plymouthd log during shutdown- Add logging_watch_all_log_dirs() and logging_watch_all_log_files()- Allow journalctl_t read filesystem sysctls- Allow cgred_t to get attributes of cgroup filesystems- Allow wdmd read hardware state information- Allow wdmd list the contents of the sysfs directories- Allow linuxptp configure phc2sys and chronyd over a unix domain socket- Allow sulogin relabel tty1- Dontaudit sulogin the checkpoint_restore capability- Modify sudo_role_template() to allow getpgid- Remove incorrect \"local\" usage in varrun-convert.sh
* Thu Mar 07 2024 Zdenek Pytela - 40.14-2- Update varrun-convert.sh script to check for existing duplicate entries
* Mon Feb 26 2024 Zdenek Pytela - 40.14-1- Allow userdomain get attributes of files on an nsfs filesystem- Allow opafm create NFS files and directories- Allow virtqemud create and unlink files in /etc/libvirt/- Allow virtqemud domain transition on swtpm execution- Add the swtpm.if interface file for interactions with other domains- Allow samba to have dac_override capability- systemd: allow sys_admin capability for systemd_notify_t- systemd: allow systemd_notify_t to send data to kernel_t datagram sockets- Allow thumb_t to watch and watch_reads mount_var_run_t- Allow krb5kdc_t map krb5kdc_principal_t files- Allow unprivileged confined user dbus chat with setroubleshoot- Allow login_userdomain map files in /var- Allow wireguard work with firewall-cmd- Differentiate between staff and sysadm when executing crontab with sudo- Add crontab_admin_domtrans interface- Allow abrt_t nnp domain transition to abrt_handle_event_t- Allow xdm_t to watch and watch_reads mount_var_run_t- Dontaudit subscription manager setfscreate and read file contexts- Don\'t audit crontab_domain write attempts to user home- Transition from sudodomains to crontab_t when executing crontab_exec_t- Add crontab_domtrans interface- Fix label of pseudoterminals created from sudodomain- Allow utempter_t use ptmx- Dontaudit rpmdb attempts to connect to sssd over a unix stream socket- Allow admin user read/write on fixed_disk_device_t
* Mon Feb 12 2024 Zdenek Pytela - 40.13-1- Only allow confined user domains to login locally without unconfined_login- Add userdom_spec_domtrans_confined_admin_users interface- Only allow admindomain to execute shell via ssh with ssh_sysadm_login- Add userdom_spec_domtrans_admin_users interface- Move ssh dyntrans to unconfined inside unconfined_login tunable policy- Update ssh_role_template() for user ssh-agent type- Allow init to inherit system DBus file descriptors- Allow init to inherit fds from syslogd- Allow any domain to inherit fds from rpm-ostree- Update afterburn policy- Allow init_t nnp domain transition to abrtd_t
* Tue Feb 06 2024 Zdenek Pytela - 40.12-1- Rename all /var/lock file context entries to /run/lock- Rename all /var/run file context entries to /run- Invert the \"/var/run = /run\" equivalency
* Mon Feb 05 2024 Zdenek Pytela - 40.11-1- Replace init domtrans rule for confined users to allow exec init- Update dbus_role_template() to allow user service status- Allow polkit status all systemd services- Allow setroubleshootd create and use inherited io_uring- Allow load_policy read and write generic ptys- Allow gpg manage rpm cache- Allow login_userdomain name_bind to howl and xmsg udp ports- Allow rules for confined users logged in plasma- Label /dev/iommu with iommu_device_t- Remove duplicate file context entries in /run- Dontaudit getty and plymouth the checkpoint_restore capability- Allow su domains write login records- Revert \"Allow su domains write login records\"- Allow login_userdomain delete session dbusd tmp socket files- Allow unix dgram sendto between exim processes- Allow su domains write login records- Allow smbd_t to watch user_home_dir_t if samba_enable_home_dirs is on
* Wed Jan 24 2024 Zdenek Pytela - 40.10-1- Allow chronyd-restricted read chronyd key files- Allow conntrackd_t to use bpf capability2- Allow systemd-networkd manage its runtime socket files- Allow init_t nnp domain transition to colord_t- Allow polkit status systemd services- nova: Fix duplicate declarations- Allow httpd work with PrivateTmp- Add interfaces for watching and reading ifconfig_var_run_t- Allow collectd read raw fixed disk device- Allow collectd read udev pid files- Set correct label on /etc/pki/pki-tomcat/kra- Allow systemd domains watch system dbus pid socket files- Allow certmonger read network sysctls- Allow mdadm list stratisd data directories- Allow syslog to run unconfined scripts conditionally- Allow syslogd_t nnp_transition to syslogd_unconfined_script_t- Allow qatlib set attributes of vfio device files
* Tue Jan 09 2024 Zdenek Pytela - 40.9-1- Allow systemd-sleep set attributes of efivarfs files- Allow samba-dcerpcd read public files- Allow spamd_update_t the sys_ptrace capability in user namespace- Allow bluetooth devices work with alsa- Allow alsa get attributes filesystems with extended attributes
* Tue Jan 02 2024 Yaakov Selkowitz - 40.8-2- Limit %selinux_requires to version, not release
* Thu Dec 21 2023 Zdenek Pytela - 40.8-1- Allow hypervkvp_t write access to NetworkManager_etc_rw_t- Add interface for write-only access to NetworkManager rw conf- Allow systemd-sleep send a message to syslog over a unix dgram socket- Allow init create and use netlink netfilter socket- Allow qatlib load kernel modules- Allow qatlib run lspci- Allow qatlib manage its private runtime socket files- Allow qatlib read/write vfio devices- Label /etc/redis.conf with redis_conf_t- Remove the lockdown-class rules from the policy- Allow init read all non-security socket files- Replace redundant dnsmasq pattern macros- Remove unneeded symlink perms in dnsmasq.if- Add additions to dnsmasq interface- Allow nvme_stas_t create and use netlink kobject uevent socket- Allow collectd connect to statsd port- Allow keepalived_t to use sys_ptrace of cap_userns- Allow dovecot_auth_t connect to postgresql using UNIX socket
* Wed Dec 13 2023 Zdenek Pytela - 40.7-1- Make named_zone_t and named_var_run_t a part of the mountpoint attribute- Allow sysadm execute traceroute in sysadm_t domain using sudo- Allow sysadm execute tcpdump in sysadm_t domain using sudo- Allow opafm search nfs directories- Add support for syslogd unconfined scripts- Allow gpsd use /dev/gnss devices- Allow gpg read rpm cache- Allow virtqemud additional permissions- Allow virtqemud manage its private lock files- Allow virtqemud use the io_uring api- Allow ddclient send e-mail notifications- Allow postfix_master_t map postfix data files- Allow init create and use vsock sockets- Allow thumb_t append to init unix domain stream sockets- Label /dev/vas with vas_device_t- Change domain_kernel_load_modules boolean to true- Create interface selinux_watch_config and add it to SELinux users
* Tue Nov 28 2023 Zdenek Pytela - 40.6-1- Add afterburn to modules-targeted-contrib.conf- Update cifs interfaces to include fs_search_auto_mountpoints()- Allow sudodomain read var auth files- Allow spamd_update_t read hardware state information- Allow virtnetworkd domain transition on tc command execution- Allow sendmail MTA connect to sendmail LDA- Allow auditd read all domains process state- Allow rsync read network sysctls- Add dhcpcd bpf capability to run bpf programs- Dontaudit systemd-hwdb dac_override capability- Allow systemd-sleep create efivarfs files
* Tue Nov 14 2023 Zdenek Pytela - 40.5-1- Allow map xserver_tmpfs_t files when xserver_clients_write_xshm is on- Allow graphical applications work in Wayland- Allow kdump work with PrivateTmp- Allow dovecot-auth work with PrivateTmp- Allow nfsd get attributes of all filesystems- Allow unconfined_domain_type use io_uring cmd on domain- ci: Only run Rawhide revdeps tests on the rawhide branch- Label /var/run/auditd.state as auditd_var_run_t- Allow fido-device-onboard (FDO) read the crack database- Allow ip an explicit domain transition to other domains- Label /usr/libexec/selinux/selinux-autorelabel with semanage_exec_t- Allow winbind_rpcd_t processes access when samba_export_all_
* is on- Enable NetworkManager and dhclient to use initramfs-configured DHCP connection- Allow ntp to bind and connect to ntske port.- Allow system_mail_t manage exim spool files and dirs- Dontaudit keepalived setattr on keepalived_unconfined_script_exec_t- Label /run/pcsd.socket with cluster_var_run_t- ci: Run cockpit tests in PRs
* Thu Oct 19 2023 Zdenek Pytela - 40.4-1- Add map_read map_write to kernel_prog_run_bpf- Allow systemd-fstab-generator read all symlinks- Allow systemd-fstab-generator the dac_override capability- Allow rpcbind read network sysctls- Support using systemd containers- Allow sysadm_t to connect to iscsid using a unix domain stream socket- Add policy for coreos installer- Add coreos_installer to modules-targeted-contrib.conf
* Tue Oct 17 2023 Zdenek Pytela - 40.3-1- Add policy for nvme-stas- Confine systemd fstab,sysv,rc-local- Label /etc/aliases.lmdb with etc_aliases_t- Create policy for afterburn- Add nvme_stas to modules-targeted-contrib.conf- Add plans/tests.fmf
* Tue Oct 10 2023 Zdenek Pytela - 40.2-1- Add the virt_supplementary module to modules-targeted-contrib.conf- Make new virt drivers permissive- Split virt policy, introduce virt_supplementary module- Allow apcupsd cgi scripts read /sys- Merge pull request #1893 from WOnder93/more-early-boot-overlay-fixes- Allow kernel_t to manage and relabel all files- Add missing optional_policy() to files_relabel_all_files()
* Tue Oct 03 2023 Zdenek Pytela - 40.1-1- Allow named and ndc use the io_uring api- Deprecate common_anon_inode_perms usage- Improve default file context(None) of /var/lib/authselect/backups- Allow udev_t to search all directories with a filesystem type- Implement proper anon_inode support- Allow targetd write to the syslog pid sock_file- Add ipa_pki_retrieve_key_exec() interface- Allow kdumpctl_t to list all directories with a filesystem type- Allow udev additional permissions- Allow udev load kernel module- Allow sysadm_t to mmap modules_object_t files- Add the unconfined_read_files() and unconfined_list_dirs() interfaces- Set default file context of HOME_DIR/tmp/.
* to <>- Allow kernel_generic_helper_t to execute mount(1)
* Fri Sep 29 2023 Zdenek Pytela - 38.29-1- Allow sssd send SIGKILL to passkey_child running in ipa_otpd_t- Allow systemd-localed create Xserver config dirs- Allow sssd read symlinks in /etc/sssd- Label /dev/gnss[0-9] with gnss_device_t- Allow systemd-sleep read/write efivarfs variables- ci: Fix version number of packit generated srpms- Dontaudit rhsmcertd write memory device- Allow ssh_agent_type create a sockfile in /run/user/USERID- Set default file context of /var/lib/authselect/backups to <>- Allow prosody read network sysctls- Allow cupsd_t to use bpf capability
* Fri Sep 15 2023 Zdenek Pytela - 38.28-1- Allow sssd domain transition on passkey_child execution conditionally- Allow login_userdomain watch lnk_files in /usr- Allow login_userdomain watch video4linux devices- Change systemd-network-generator transition to include class file- Revert \"Change file transition for systemd-network-generator\"- Allow nm-dispatcher winbind plugin read/write samba var files- Allow systemd-networkd write to cgroup files- Allow kdump create and use its memfd: objects
* Thu Aug 31 2023 Zdenek Pytela - 38.27-1- Allow fedora-third-party get generic filesystem attributes- Allow sssd use usb devices conditionally- Update policy for qatlib- Allow ssh_agent_type manage generic cache home files
* Thu Aug 24 2023 Zdenek Pytela - 38.26-1- Change file transition for systemd-network-generator- Additional support for gnome-initial-setup- Update gnome-initial-setup policy for geoclue- Allow openconnect vpn open vhost net device- Allow cifs.upcall to connect to SSSD also through the /var/run socket- Grant cifs.upcall more required capabilities- Allow xenstored map xenfs files- Update policy for fdo- Allow keepalived watch var_run dirs- Allow svirt to rw /dev/udmabuf- Allow qatlib to modify hardware state information.- Allow key.dns_resolve connect to avahi over a unix stream socket- Allow key.dns_resolve create and use unix datagram socket- Use quay.io as the container image source for CI
* Fri Aug 11 2023 Zdenek Pytela - 38.25-1- ci: Move srpm/rpm build to packit- .copr: Avoid subshell and changing directory- Allow gpsd, oddjob and oddjob_mkhomedir_t write user_tty_device_t chr_file- Label /usr/libexec/openssh/ssh-pkcs11-helper with ssh_agent_exec_t- Make insights_client_t an unconfined domain- Allow insights-client manage user temporary files- Allow insights-client create all rpm logs with a correct label- Allow insights-client manage generic logs- Allow cloud_init create dhclient var files and init_t manage net_conf_t- Allow insights-client read and write cluster tmpfs files- Allow ipsec read nsfs files- Make tuned work with mls policy- Remove nsplugin_role from mozilla.if- allow mon_procd_t self:cap_userns sys_ptrace- Allow pdns name_bind and name_connect all ports- Set the MLS range of fsdaemon_t to s0 - mls_systemhigh- ci: Move to actions/checkoutAATTv3 version- .copr: Replace chown call with standard workflow safe.directory setting- .copr: Enable `set -u` for robustness- .copr: Simplify root directory variable
* Fri Aug 04 2023 Zdenek Pytela - 38.24-1- Allow rhsmcertd dbus chat with policykit- Allow polkitd execute pkla-check-authorization with nnp transition- Allow user_u and staff_u get attributes of non-security dirs- Allow unconfined user filetrans chrome_sandbox_home_t- Allow svnserve execute postdrop with a transition- Do not make postfix_postdrop_t type an MTA executable file- Allow samba-dcerpc service manage samba tmp files- Add use_nfs_home_dirs boolean for mozilla_plugin- Fix labeling for no-stub-resolv.conf
* Wed Aug 02 2023 Zdenek Pytela - 38.23-1- Revert \"Allow winbind-rpcd use its private tmp files\"- Allow upsmon execute upsmon via a helper script- Allow openconnect vpn read/write inherited vhost net device- Allow winbind-rpcd use its private tmp files- Update samba-dcerpc policy for printing- Allow gpsd,oddjob,oddjob_mkhomedir rw user domain pty- Allow nscd watch system db dirs- Allow qatlib to read sssd public files- Allow fedora-third-party read /sys and proc- Allow systemd-gpt-generator mount a tmpfs filesystem- Allow journald write to cgroup files- Allow rpc.mountd read network sysctls- Allow blueman read the contents of the sysfs filesystem- Allow logrotate_t to map generic files in /etc- Boolean: Allow virt_qemu_ga create ssh directory
* Tue Jul 25 2023 Zdenek Pytela - 38.22-1- Allow systemd-network-generator send system log messages- Dontaudit the execute permission on sock_file globally- Allow fsadm_t the file mounton permission- Allow named and ndc the io_uring sqpoll permission- Allow sssd io_uring sqpoll permission- Fix location for /run/nsd- Allow qemu-ga get fixed disk devices attributes- Update bitlbee policy- Label /usr/sbin/sos with sosreport_exec_t- Update policy for the sblim-sfcb service- Add the files_getattr_non_auth_dirs() interface- Fix the CI to work with DNF5
* Sat Jul 22 2023 Fedora Release Engineering - 38.21-2- Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild
* Thu Jul 13 2023 Zdenek Pytela - 38.21-1- Make systemd_tmpfiles_t MLS trusted for lowering the level of files- Revert \"Allow insights client map cache_home_t\"- Allow nfsidmapd connect to systemd-machined over a unix socket- Allow snapperd connect to kernel over a unix domain stream socket- Allow virt_qemu_ga_t create .ssh dir with correct label- Allow targetd read network sysctls- Set the abrt_handle_event boolean to on- Permit kernel_t to change the user identity in object contexts- Allow insights client map cache_home_t- Label /usr/sbin/mariadbd with mysqld_exec_t- Trim changelog so that it starts at F37 time- Define equivalency for /run/systemd/generator.early
* Thu Jun 29 2023 Zdenek Pytela - 38.20-1- Allow httpd tcp connect to redis port conditionally- Label only /usr/sbin/ripd and ripngd with zebra_exec_t- Dontaudit aide the execmem permission- Remove permissive from fdo- Allow sa-update manage spamc home files- Allow sa-update connect to systemlog services- Label /usr/lib/systemd/system/mimedefang.service with antivirus_unit_file_t- Allow nsd_crond_t write nsd_var_run_t & connectto nsd_t- Allow bootupd search EFI directory
* Tue Jun 27 2023 Zdenek Pytela - 38.19-1- Change init_audit_control default value to true- Allow nfsidmapd connect to systemd-userdbd with a unix socket- Add the qatlib module- Add the fdo module- Add the bootupd module- Set default ports for keylime policy- Create policy for qatlib- Add policy for FIDO Device Onboard- Add policy for bootupd- Add the qatlib module- Add the fdo module- Add the bootupd module
* Sun Jun 25 2023 Zdenek Pytela - 38.18-1- Add support for kafs-dns requested by keyutils- Allow insights-client execmem- Add support for chronyd-restricted- Add init_explicit_domain() interface- Allow fsadm_t to get attributes of cgroup filesystems- Add list_dir_perms to kerberos_read_keytab- Label /var/run/tmpfiles.d/static-nodes.conf with kmod_var_run_t- Allow sendmail manage its runtime files- Allow keyutils_dns_resolver_exec_t be an entrypoint- Allow collectd_t read network state symlinks- Revert \"Allow collectd_t read proc_net link files\"- Allow nfsd_t to list exports_t dirs- Allow cupsd dbus chat with xdm- Allow haproxy read hardware state information- Add the kafs module
* Thu Jun 15 2023 Zdenek Pytela - 38.17-1- Label /dev/userfaultfd with userfaultfd_t- Allow blueman send general signals to unprivileged user domains- Allow dkim-milter domain transition to sendmail- Label /usr/sbin/cifs.idmap with cifs_helper_exec_t- Allow cifs-helper read sssd kerberos configuration files- Allow rpm_t sys_admin capability- Allow dovecot_deliver_t create/map dovecot_spool_t dir/file- Allow collectd_t read proc_net link files- Allow insights-client getsession process permission- Allow insights-client work with pipe and socket tmp files- Allow insights-client map generic log files- Update cyrus_stream_connect() to use sockets in /run- Allow keyutils-dns-resolver read/view kernel key ring- Label /var/log/kdump.log with kdump_log_t
* Fri Jun 09 2023 Zdenek Pytela - 38.16-1- Add support for the systemd-pstore service- Allow kdumpctl_t to execmem- Update sendmail policy module for opensmtpd- Allow nagios-mail-plugin exec postfix master- Allow subscription-manager execute ip- Allow ssh client connect with a user dbus instance- Add support for ksshaskpass- Allow rhsmcertd file transition in /run also for socket files- Allow keyutils_dns_resolver_t execute keyutils_dns_resolver_exec_t- Allow plymouthd read/write X server miscellaneous devices- Allow systemd-sleep read udev pid files- Allow exim read network sysctls- Allow sendmail request load module- Allow named map its conf files- Allow squid map its cache files- Allow NetworkManager_dispatcher_dhclient_t to execute shells without a domain transition
* Tue May 30 2023 Zdenek Pytela - 38.15-1- Update policy for systemd-sleep- Remove permissive domain for rshim_t- Remove permissive domain for mptcpd_t- Allow systemd-bootchartd the sys_ptrace userns capability- Allow sysadm_t read nsfs files- Allow sysadm_t run kernel bpf programs- Update ssh_role_template for ssh-agent- Update ssh_role_template to allow read/write unallocated ttys- Add the booth module to modules.conf- Allow firewalld rw ica_tmpfs_t files
* Fri May 26 2023 Zdenek Pytela - 38.14-1- Remove permissive domain for cifs_helper_t- Update the cifs-helper policy- Replace cifsutils_helper_domtrans() with keyutils_request_domtrans_to()- Update pkcsslotd policy for sandboxing- Allow abrt_t read kernel persistent storage files- Dontaudit targetd search httpd config dirs- Allow init_t nnp domain transition to policykit_t- Allow rpcd_lsad setcap and use generic ptys- Allow samba-dcerpcd connect to systemd_machined over a unix socket- Allow wireguard to rw network sysctls- Add policy for boothd- Allow kernel to manage its own BPF objects- Label /usr/lib/systemd/system/proftpd.
* & vsftpd.
* with ftpd_unit_file_t
* Mon May 22 2023 Zdenek Pytela - 38.13-1- Add initial policy for cifs-helper- Label key.dns_resolver with keyutils_dns_resolver_exec_t- Allow unconfined_service_t to create .gnupg labeled as gpg_secret_t- Allow some systemd services write to cgroup files- Allow NetworkManager_dispatcher_dhclient_t to read the DHCP configuration files- Allow systemd resolved to bind to arbitrary nodes- Allow plymouthd_t bpf capability to run bpf programs- Allow cupsd to create samba_var_t files- Allow rhsmcert request the kernel to load a module- Allow virsh name_connect virt_port_t- Allow certmonger manage cluster library files- Allow plymouthd read init process state- Add chromium_sandbox_t setcap capability- Allow snmpd read raw disk data- Allow samba-rpcd work with passwords- Allow unconfined service inherit signal state from init- Allow cloud-init manage gpg admin home content- Allow cluster_t dbus chat with various services- Allow nfsidmapd work with systemd-userdbd and sssd- Allow unconfined_domain_type use IORING_OP_URING_CMD on all device nodes- Allow plymouthd map dri and framebuffer devices- Allow rpmdb_migrate execute rpmdb- Allow logrotate dbus chat with systemd-hostnamed- Allow icecast connect to kernel using a unix stream socket- Allow lldpad connect to systemd-userdbd over a unix socket- Allow journalctl open user domain ptys and ttys- Allow keepalived to manage its tmp files- Allow ftpd read network sysctls- Label /run/bgpd with zebra_var_run_t- Allow gssproxy read network sysctls- Add the cifsutils module
* Tue Apr 25 2023 Zdenek Pytela - 38.12-1- Allow telnetd read network sysctls- Allow munin system plugin read generic SSL certificates- Allow munin system plugin create and use netlink generic socket- Allow login_userdomain create user namespaces- Allow request-key to send syslog messages- Allow request-key to read/view any key- Add fs_delete_pstore_files() interface- Allow insights-client work with teamdctl- Allow insights-client read unconfined service semaphores- Allow insights-client get quotas of all filesystems- Add fs_read_pstore_files() interface- Allow generic kernel helper to read inherited kernel pipes
* Fri Apr 14 2023 Zdenek Pytela - 38.11-1- Allow dovecot-deliver write to the main process runtime fifo files- Allow dmidecode write to cloud-init tmp files- Allow chronyd send a message to cloud-init over a datagram socket- Allow cloud-init domain transition to insights-client domain- Allow mongodb read filesystem sysctls- Allow mongodb read network sysctls- Allow accounts-daemon read generic systemd unit lnk files- Allow blueman watch generic device dirs- Allow nm-dispatcher tlp plugin create tlp dirs- Allow systemd-coredump mounton /usr- Allow rabbitmq to read network sysctls
* Tue Apr 04 2023 Zdenek Pytela - 38.10-1- Allow certmonger dbus chat with the cron system domain- Allow geoclue read network sysctls- Allow geoclue watch the /etc directory- Allow logwatch_mail_t read network sysctls- Allow insights-client read all sysctls- Allow passt manage qemu pid sock files
* Fri Mar 24 2023 Zdenek Pytela - 38.9-1- Allow sssd read accountsd fifo files- Add support for the passt_t domain- Allow virtd_t and svirt_t work with passt- Add new interfaces in the virt module- Add passt interfaces defined conditionally- Allow tshark the setsched capability- Allow poweroff create connections to system dbus- Allow wg load kernel modules, search debugfs dir- Boolean: allow qemu-ga manage ssh home directory- Label smtpd with sendmail_exec_t- Label msmtp and msmtpd with sendmail_exec_t- Allow dovecot to map files in /var/spool/dovecot
* Fri Mar 03 2023 Zdenek Pytela - 38.8-1- Confine gnome-initial-setup- Allow qemu-guest-agent create and use vsock socket- Allow login_pgm setcap permission- Allow chronyc read network sysctls- Enhancement of the /usr/sbin/request-key helper policy- Fix opencryptoki file names in /dev/shm- Allow system_cronjob_t transition to rpm_script_t- Revert \"Allow system_cronjob_t domtrans to rpm_script_t\"- Add tunable to allow squid bind snmp port- Allow staff_t getattr init pid chr & blk files and read krb5- Allow firewalld to rw z90crypt device- Allow httpd work with tokens in /dev/shm- Allow svirt to map svirt_image_t char files- Allow sysadm_t run initrc_t script and sysadm_r role access- Allow insights-client manage fsadm pid files
* Wed Feb 08 2023 Zdenek Pytela - 38.7-1- Allowing snapper to create snapshots of /home/ subvolume/partition- Add boolean qemu-ga to run unconfined script- Label systemd-journald feature LogNamespace- Add none file context for polyinstantiated tmp dirs- Allow certmonger read the contents of the sysfs filesystem- Add journalctl the sys_resource capability- Allow nm-dispatcher plugins read generic files in /proc- Add initial policy for the /usr/sbin/request-key helper- Additional support for rpmdb_migrate- Add the keyutils module
* Mon Jan 30 2023 Zdenek Pytela - 38.6-1- Boolean: allow qemu-ga read ssh home directory- Allow kernel_t to read/write all sockets- Allow kernel_t to UNIX-stream connect to all domains- Allow systemd-resolved send a datagram to journald- Allow kernel_t to manage and have \"execute\" access to all files- Fix the files_manage_all_files() interface- Allow rshim bpf cap2 and read sssd public files- Allow insights-client work with su and lpstat- Allow insights-client tcp connect to all ports- Allow nm-cloud-setup dispatcher plugin restart nm services- Allow unconfined user filetransition for sudo log files- Allow modemmanager create hardware state information files- Allow ModemManager all permissions for netlink route socket- Allow wg to send msg to kernel, write to syslog and dbus connections- Allow hostname_t to read network sysctls.- Dontaudit ftpd the execmem permission- Allow svirt request the kernel to load a module- Allow icecast rename its log files- Allow upsd to send signal to itself- Allow wireguard to create udp sockets and read net_conf- Use \'%setup -q\' instead of \'%setup\'- Pass -p 1 to \'%setup -q\'
* Sat Jan 21 2023 Fedora Release Engineering - 38.5-2- Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild
* Fri Jan 13 2023 Zdenek Pytela - 38.5-1- Allow insights client work with gluster and pcp- Add insights additional capabilities- Add interfaces in domain, files, and unconfined modules- Label fwupdoffline and fwupd-detect-cet with fwupd_exec_t- Allow sudodomain use sudo.log as a logfile- Allow pdns server map its library files and bind to unreserved ports- Allow sysadm_t read/write ipmi devices- Allow prosody manage its runtime socket files- Allow kernel threads manage kernel keys- Allow systemd-userdbd the sys_resource capability- Allow systemd-journal list cgroup directories- Allow apcupsd dbus chat with systemd-logind- Allow nut_domain manage also files and sock_files in /var/run- Allow winbind-rpcd make a TCP connection to the ldap port- Label /usr/lib/rpm/rpmdb_migrate with rpmdb_exec_t- Allow tlp read generic SSL certificates- Allow systemd-resolved watch tmpfs directories- Revert \"Allow systemd-resolved watch tmpfs directories\"
* Mon Dec 19 2022 Zdenek Pytela - 38.4-1- Allow NetworkManager and wpa_supplicant the bpf capability- Allow systemd-rfkill the bpf capability- Allow winbind-rpcd manage samba_share_t files and dirs- Label /var/lib/httpd/md(/.
*)? with httpd_sys_rw_content_t- Allow gpsd the sys_ptrace userns capability- Introduce gpsd_tmp_t for sockfiles managed by gpsd_t- Allow load_policy_t write to unallocated ttys- Allow ndc read hardware state information- Allow system mail service read inherited certmonger runtime files- Add lpr_roles to system_r roles- Revert \"Allow insights-client run lpr and allow the proper role\"- Allow stalld to read /sys/kernel/security/lockdown file- Allow keepalived to set resource limits- Add policy for mptcpd- Add policy for rshim- Allow admin users to create user namespaces- Allow journalctl relabel with var_log_t and syslogd_var_run_t files- Do not run restorecon /etc/NetworkManager/dispatcher.d in targeted- Trim changelog so that it starts at F35 time- Add mptcpd and rshim modules
* Wed Dec 14 2022 Zdenek Pytela - 38.3-1- Allow insights-client dbus chat with various services- Allow insights-client tcp connect to various ports- Allow insights-client run lpr and allow the proper role- Allow insights-client work with pcp and manage user config files- Allow redis get user names- Allow kernel threads to use fds from all domains- Allow systemd-modules-load load kernel modules- Allow login_userdomain watch systemd-passwd pid dirs- Allow insights-client dbus chat with abrt- Grant kernel_t certain permissions in the system class- Allow systemd-resolved watch tmpfs directories- Allow systemd-timedated watch init runtime dir- Make `bootc` be `install_exec_t`- Allow systemd-coredump create user_namespace- Allow syslog the setpcap capability- donaudit virtlogd and dnsmasq execmem
* Tue Dec 06 2022 Zdenek Pytela - 38.2-1- Don\'t make kernel_t an unconfined domain- Don\'t allow kernel_t to execute bin_t/usr_t binaries without a transition- Allow kernel_t to execute systemctl to do a poweroff/reboot- Grant basic permissions to the domain created by systemd_systemctl_domain()- Allow kernel_t to request module loading- Allow kernel_t to do compute_create- Allow kernel_t to manage perf events- Grant almost all capabilities to kernel_t- Allow kernel_t to fully manage all devices- Revert \"In domain_transition_pattern there is no permission allowing caller domain to execu_no_trans on entrypoint, this patch fixing this issue\"- Allow pulseaudio to write to session_dbusd tmp socket files- Allow systemd and unconfined_domain_type create user_namespace- Add the user_namespace security class- Reuse tmpfs_t also for the ramfs filesystem- Label udf tools with fsadm_exec_t- Allow networkmanager_dispatcher_plugin work with nscd- Watch_sb all file type directories.- Allow spamc read hardware state information files- Allow sysadm read ipmi devices- Allow insights client communicate with cupsd, mysqld, openvswitch, redis- Allow insights client read raw memory devices- Allow the spamd_update_t domain get generic filesystem attributes- Dontaudit systemd-gpt-generator the sys_admin capability- Allow ipsec_t only read tpm devices- Allow cups-pdf connect to the system log service- Allow postfix/smtpd read kerberos key table- Allow syslogd read network sysctls- Allow cdcc mmap dcc-client-map files- Add watch and watch_sb dosfs interface
* Mon Nov 21 2022 Zdenek Pytela - 38.1-1- Revert \"Allow sysadm_t read raw memory devices\"- Allow systemd-socket-proxyd get attributes of cgroup filesystems- Allow rpc.gssd read network sysctls- Allow winbind-rpcd get attributes of device and pty filesystems- Allow insights-client domain transition on semanage execution- Allow insights-client create gluster log dir with a transition- Allow insights-client manage generic locks- Allow insights-client unix_read all domain semaphores- Add domain_unix_read_all_semaphores() interface- Allow winbind-rpcd use the terminal multiplexor- Allow mrtg send mails- Allow systemd-hostnamed dbus chat with init scripts- Allow sssd dbus chat with system cronjobs- Add interface to watch all filesystems- Add watch_sb interfaces- Add watch interfaces- Allow dhcpd bpf capability to run bpf programs- Allow netutils and traceroute bpf capability to run bpf programs- Allow pkcs_slotd_t bpf capability to run bpf programs- Allow xdm bpf capability to run bpf programs- Allow pcscd bpf capability to run bpf programs- Allow lldpad bpf capability to run bpf programs- Allow keepalived bpf capability to run bpf programs- Allow ipsec bpf capability to run bpf programs- Allow fprintd bpf capability to run bpf programs- Allow systemd-socket-proxyd get filesystems attributes- Allow dirsrv_snmp_t to manage dirsrv_config_t & dirsrv_var_run_t files