Changelog |
* Mon Aug 01 2022 Zdenek Pytela <zpytela@redhat.com> - 37.8-1
- Allow sa-update to get init status and start systemd files
- Use insights_client_filetrans_named_content
- Make default file context match with named transitions
- Allow nm-dispatcher tlp plugin send system log messages
- Allow nm-dispatcher tlp plugin create and use unix_dgram_socket
- Add permissions to manage lnk_files into gnome_manage_home_config
- Allow rhsmcertd to read insights config files
- Label /etc/insights-client/machine-id
- fix(devices.fc): Replace single quote in comment to solve parsing issues
- Make NetworkManager_dispatcher_custom_t an unconfined domain
* Sat Jul 23 2022 Fedora Release Engineering <releng@fedoraproject.org> - 37.7-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild
* Thu Jul 14 2022 Zdenek Pytela <zpytela@redhat.com> - 37.7-1
- Update winbind_rpcd_t
- Allow some domains use sd_notify()
- Revert "Allow rabbitmq to use systemd notify"
- fix(sedoctool.py): Fix syntax warning: "is not" with a literal
- Allow nm-dispatcher console plugin manage etc files
- Allow networkmanager_dispatcher_plugin list NetworkManager_etc_t dirs
- Allow nm-dispatcher console plugin setfscreate
- Support using systemd-update-helper in rpm scriptlets
- Allow nm-dispatcher winbind plugin read samba config files
- Allow domain use userfaultfd over all domains
- Allow cups-lpd read network sysctls
* Wed Jun 29 2022 Zdenek Pytela <zpytela@redhat.com> - 37.6-1
- Allow stalld set scheduling policy of kernel threads
- Allow targetclid read /var/target files
- Allow targetclid read generic SSL certificates (fixed)
- Allow firewalld read the contents of the sysfs filesystem
- Fix file context pattern for /var/target
- Use insights_client_etc_t in insights_search_config()
- Allow nm-dispatcher ddclient plugin handle systemd services
- Allow nm-dispatcher winbind plugin run smbcontrol
- Allow nm-dispatcher custom plugin create and use unix dgram socket
- Update samba-dcerpcd policy for kerberos usage 2
- Allow keepalived read the contents of the sysfs filesystem
- Allow amandad read network sysctls
- Allow cups-lpd read network sysctls
- Allow kpropd read network sysctls
- Update insights_client_filetrans_named_content()
- Allow rabbitmq to use systemd notify
- Label /var/target with targetd_var_t
- Allow targetclid read generic SSL certificates
- Update rhcd policy
- Allow rhcd search insights configuration directories
- Add the kernel_read_proc_files() interface
- Require policycoreutils >= 3.4-1
- Add a script for enclosing interfaces in ifndef statements
- Disable rpm verification on interface_info
* Wed Jun 22 2022 Zdenek Pytela <zpytela@redhat.com> - 37.5-1
- Allow transition to insights_client named content
- Add the insights_client_filetrans_named_content() interface
- Update policy for insights-client to run additional commands 3
- Allow dhclient manage pid files used by chronyd
- Allow stalld get scheduling policy of kernel threads
- Allow samba-dcerpcd work with sssd
- Allow dlm_controld send a null signal to a cluster daemon
- Allow ksmctl create hardware state information files
- Allow winbind_rpcd_t connect to self over a unix_stream_socket
- Update samba-dcerpcd policy for kerberos usage
- Allow insights-client execute its private memfd: objects
- Update policy for insights-client to run additional commands 2
- Use insights_client_tmp_t instead of insights_client_var_tmp_t
- Change space indentation to tab in insights-client
- Use socket permissions sets in insights-client
- Update policy for insights-client to run additional commands
- Change rpm_setattr_db_files() to use a pattern
- Allow init_t to rw insights_client unnamed pipe
- Add rpm setattr db files macro
- Fix insights client
- Update kernel_read_unix_sysctls() for sysctl_net_unix_t handling
- Allow rabbitmq to access its private memfd: objects
- Update policy for samba-dcerpcd
- Allow stalld setsched and sys_nice
* Tue Jun 07 2022 Zdenek Pytela <zpytela@redhat.com> - 37.4-1
- Allow auditd_t noatsecure for a transition to audisp_remote_t
- Allow ctdbd nlmsg_read on netlink_tcpdiag_socket
- Allow pcp_domain execute its private memfd: objects
- Add support for samba-dcerpcd
- Add policy for wireguard
- Confine targetcli
- Allow systemd work with install_t unix stream sockets
- Allow iscsid the sys_ptrace userns capability
- Allow xdm connect to unconfined_service_t over a unix stream socket
* Fri May 27 2022 Zdenek Pytela <zpytela@redhat.com> - 37.3-1
- Allow nm-dispatcher custom plugin execute systemctl
- Allow nm-dispatcher custom plugin dbus chat with nm
- Allow nm-dispatcher custom plugin create and use udp socket
- Allow nm-dispatcher custom plugin create and use netlink_route_socket
- Use create_netlink_socket_perms in netlink_route_socket class permissions
- Add support for nm-dispatcher sendmail scripts
- Allow sslh net_admin capability
- Allow insights-client manage gpg admin home content
- Add the gpg_manage_admin_home_content() interface
- Allow rhsmcertd create generic log files
- Update logging_create_generic_logs() to use create_files_pattern()
- Label /var/cache/insights with insights_client_cache_t
- Allow insights-client search gconf homedir
- Allow insights-client create and use unix_dgram_socket
- Allow blueman execute its private memfd: files
- Move the chown call into make-srpm.sh
* Fri May 06 2022 Zdenek Pytela <zpytela@redhat.com> - 37.2-1
- Use the networkmanager_dispatcher_plugin attribute in allow rules
- Make a custom nm-dispatcher plugin transition
- Label port 4784/tcp and 4784/udp with bfd_multi
- Allow systemd watch and watch_reads user ptys
- Allow sblim-gatherd the kill capability
- Label more vdsm utils with virtd_exec_t
- Add ksm service to ksmtuned
- Add rhcd policy
- Dontaudit guest attempts to dbus chat with systemd domains
- Dontaudit guest attempts to dbus chat with system bus types
- Use a named transition in systemd_hwdb_manage_config()
- Add default fc specifications for patterns in /opt
- Add the files_create_etc_files() interface
- Allow nm-dispatcher console plugin create and write files in /etc
- Allow nm-dispatcher console plugin transition to the setfiles domain
- Allow more nm-dispatcher plugins append to init stream sockets
- Allow nm-dispatcher tlp plugin dbus chat with nm
- Reorder networkmanager_dispatcher_plugin_template() calls
- Allow svirt connectto virtlogd
- Allow blueman map its private memfd: files
- Allow sysadm user execute init scripts with a transition
- Allow sblim-sfcbd connect to sblim-reposd stream
- Allow keepalived_unconfined_script_t dbus chat with init
- Run restorecon with "-i" not to report errors
* Mon May 02 2022 Zdenek Pytela <zpytela@redhat.com> - 37.1-1
- Fix users for SELinux userspace 3.4
- Label /var/run/machine-id as machineid_t
- Add stalld to modules.conf
- Use files_tmpfs_file() for rhsmcertd_tmpfs_t
- Allow blueman read/write its private memfd: objects
- Allow insights-client read rhnsd config files
- Allow insights-client create_socket_perms for tcp/udp sockets
* Tue Apr 26 2022 Zdenek Pytela <zpytela@redhat.com> - 36.8-1
- Allow nm-dispatcher chronyc plugin append to init stream sockets
- Allow tmpreaper the sys_ptrace userns capability
- Label /usr/libexec/vdsm/supervdsmd and vdsmd with virtd_exec_t
- Allow nm-dispatcher tlp plugin read/write the wireless device
- Allow nm-dispatcher tlp plugin append to init socket
- Allow nm-dispatcher tlp plugin be client of a system bus
- Allow nm-dispatcher list its configuration directory
- Ecryptfs-private support
- Allow colord map /var/lib directories
- Allow ntlm_auth read the network state information
- Allow insights-client search rhnsd configuration directory
* Thu Apr 21 2022 Zdenek Pytela <zpytela@redhat.com> - 36.7-3
- Add support for nm-dispatcher tlp-rdw scripts
- Update github actions to satisfy git 2.36 stricter rules
- New policy for stalld
- Allow colord read generic files in /var/lib
- Allow xdm mounton user temporary socket files
- Allow systemd-gpt-auto-generator create and use netlink_kobject_uevent_socket
- Allow sssd domtrans to pkcs_slotd_t
- Allow keepalived setsched and sys_nice
- Allow xdm map generic files in /var/lib
- Allow xdm read generic symbolic links in /var/lib
- Allow pppd create a file in the locks directory
- Add file map permission to lpd_manage_spool() interface
- Allow system dbus daemon watch generic directories in /var/lib
- Allow pcscd the sys_ptrace userns capability
- Add the corecmd_watch_bin_dirs() interface
* Thu Apr 21 2022 Zdenek Pytela <zpytela@redhat.com> - 36.7-2
- Relabel explicitly some dirs in %posttrans scriptlets
* Thu Apr 21 2022 Zdenek Pytela <zpytela@redhat.com> - 36.7-1
- Add stalld module to modules-targeted-contrib.conf
* Mon Apr 04 2022 Zdenek Pytela <zpytela@redhat.com> - 36.6-1
- Add support for systemd-network-generator
- Add the io_uring class
- Allow nm-dispatcher dhclient plugin append to init stream sockets
- Relax the naming pattern for systemd private shared libraries
- Allow nm-dispatcher iscsid plugin append to init socket
- Add the init_append_stream_sockets() interface
- Allow nm-dispatcher dnssec-trigger script to execute pidof
- Add support for nm-dispatcher dnssec-trigger scripts
- Allow chronyd talk with unconfined user over unix domain dgram socket
- Allow fenced read kerberos key tables
- Add support for nm-dispatcher ddclient scripts
- Add systemd_getattr_generic_unit_files() interface
- Allow fprintd read and write hardware state information
- Allow exim watch generic certificate directories
- Remove duplicate fc entries for corosync and corosync-notifyd
- Label corosync-cfgtool with cluster_exec_t
- Allow qemu-kvm create and use netlink rdma sockets
- Allow logrotate a domain transition to cluster administrative domain
* Fri Mar 18 2022 Zdenek Pytela <zpytela@redhat.com> - 36.5-1
- Add support for nm-dispatcher console helper scripts
- Allow nm-dispatcher plugins read its directory and sysfs
- Do not let system_cronjob_t create redhat-access-insights.log with var_log_t
- devices: Add a comment about cardmgr_dev_t
- Add basic policy for BinderFS
- Label /var/run/ecblp0 pipe with cupsd_var_run_t
- Allow rpmdb create directory in /usr/lib/sysimage
- Allow rngd drop privileges via setuid/setgid/setcap
- Allow init watch and watch_reads user ttys
- Allow systemd-logind dbus chat with sosreport
- Allow chronyd send a message to sosreport over datagram socket
- Remove unnecessary /etc file transitions for insights-client
- Label all content in /var/lib/insights with insights_client_var_lib_t
- Update insights-client policy
* Wed Feb 23 2022 Zdenek Pytela <zpytela@redhat.com> - 36.4-2
- Add insights_client module to modules-targeted-contrib.conf
* Wed Feb 23 2022 Zdenek Pytela <zpytela@redhat.com> - 36.4-1
- Update NetworkManager-dispatcher cloud and chronyc policy
- Update insights-client: fc pattern, motd, writing to etc
- Allow systemd-sysctl read the security state information
- Allow init create and mounton to support PrivateDevices
- Allow sosreport dbus chat abrt systemd timedatex
* Tue Feb 22 2022 Zdenek Pytela <zpytela@redhat.com> - 36.3-2
- Update specfile to buildrequire policycoreutils-devel >= 3.3-4
- Add modules_checksum to %files
* Thu Feb 17 2022 Zdenek Pytela <zpytela@redhat.com> - 36.3-1
- Update NetworkManager-dispatcher policy to use scripts
- Allow init mounton kernel messages device
- Revert "Make dbus-broker service working on s390x arch"
- Remove permissive domain for insights_client_t
- Allow userdomain read symlinks in /var/lib
- Allow iptables list cgroup directories
- Dontaudit mdadm list dirsrv tmpfs dirs
- Dontaudit dirsrv search filesystem sysctl directories
- Allow chage domtrans to sssd
- Allow postfix_domain read dovecot certificates
- Allow systemd-networkd create and use netlink netfilter socket
- Allow nm-dispatcher read nm-dispatcher-script symlinks
- filesystem.te: add genfscon rule for ntfs3 filesystem
- Allow rhsmcertd get attributes of cgroup filesystems
- Allow sandbox_web_client_t watch various dirs
- Exclude container.if from policy devel files
- Run restorecon on /usr/lib/sysimage/rpm instead of /var/lib/rpm
* Fri Feb 11 2022 Zdenek Pytela <zpytela@redhat.com> - 36.2-1
- Allow sysadm_passwd_t to relabel passwd and group files
- Allow confined sysadmin to use tool vipw
- Allow login_userdomain map /var/lib/directories
- Allow login_userdomain watch library and fonts dirs
- Allow login_userdomain watch system configuration dirs
- Allow login_userdomain read systemd runtime files
- Allow ctdb create cluster logs
- Allow alsa bind mixer controls to led triggers
- New policy for insight-client
- Add mctp_socket security class and access vectors
- Fix koji repo URL pattern
- Update chronyd_pid_filetrans() to allow create dirs
- Update NetworkManager-dispatcher policy
- Allow unconfined to run virtd bpf
- Allow nm-privhelper setsched permission and send system logs
- Add the map permission to common_anon_inode_perm permission set
- Rename userfaultfd_anon_inode_perms to common_inode_perms
- Allow confined users to use kinit,klist and etc.
- Allow rhsmcertd create rpm hawkey logs with correct label
* Thu Feb 03 2022 Zdenek Pytela <zpytela@redhat.com> - 36.1-1
- Label exFAT utilities at /usr/sbin
- policy/modules/contrib: Support /usr/lib/sysimage/rpm as the rpmdb path
- Enable genfs_seclabel_symlinks policy capability
- Sync policy/policy_capabilities with refpolicy
- refpolicy: drop unused socket security classes
- Label new utility of NetworkManager nm-priv-helper
- Label NetworkManager-dispatcher service with separate context
- Allow sanlock get attributes of filesystems with extended attributes
- Associate stratisd_data_t with device filesystem
- Allow init read stratis data symlinks
* Tue Feb 01 2022 Zdenek Pytela <zpytela@redhat.com> - 35.13-1
- Allow systemd services watch dbusd pid directory and its parents
- Allow ModemManager connect to the unconfined user domain
- Label /dev/wwan.+ with modem_manager_t
- Allow alsactl set group Process ID of a process
- Allow domtrans to sssd_t and role access to sssd
- Creating interface sssd_run_sssd()
- Label utilities for exFAT filesystems with fsadm_exec_t
- Label /dev/nvme-fabrics with fixed_disk_device_t
- Allow init delete generic tmp named pipes
- Allow timedatex dbus chat with xdm
* Wed Jan 26 2022 Zdenek Pytela <zpytela@redhat.com> - 35.12-1
- Fix badly indented used interfaces
- Allow domain transition to sssd_t
- Dontaudit sfcbd sys_ptrace cap_userns
- Label /var/lib/plocate with locate_var_lib_t
- Allow hostapd talk with unconfined user over unix domain dgram socket
- Allow NetworkManager talk with unconfined user over unix domain dgram socket
- Allow system_mail_t read inherited apache system content rw files
- Add apache_read_inherited_sys_content_rw_files() interface
- Allow rhsm-service execute its private memfd: objects
- Allow dirsrv read configfs files and directories
- Label /run/stratisd with stratisd_var_run_t
- Allow tumblerd write to session_dbusd tmp socket files
* Wed Jan 19 2022 Zdenek Pytela <zpytela@redhat.com> - 35.11-1
- Revert "Label /etc/cockpit/ws-certs.d with cert_t"
- Allow login_userdomain write to session_dbusd tmp socket files
- Label /var/run/user/%{USERID}/dbus with session_dbusd_tmp_t
* Mon Jan 17 2022 Zdenek Pytela <zpytela@redhat.com> - 35.10-1
- Allow login_userdomain watch systemd-machined PID directories
- Allow login_userdomain watch systemd-logind PID directories
- Allow login_userdomain watch accountsd lib directories
- Allow login_userdomain watch localization directories
- Allow login_userdomain watch various files and dirs
- Allow login_userdomain watch generic directories in /tmp
- Allow rhsm-service read/write its private memfd: objects
- Allow radiusd connect to the radacct port
- Allow systemd-io-bridge ioctl rpm_script_t
- Allow systemd-coredump userns capabilities and root mounton
- Allow systemd-coredump read and write usermodehelper state
- Allow login_userdomain create session_dbusd tmp socket files
- Allow gkeyringd_domain write to session_dbusd tmp socket files
- Allow systemd-logind delete session_dbusd tmp socket files
- Allow gdm-x-session write to session dbus tmp sock files
- Label /etc/cockpit/ws-certs.d with cert_t
- Allow kpropd get attributes of cgroup filesystems
- Allow administrative users the bpf capability
- Allow sysadm_t start and stop transient services
- Connect triggerin to pcre2 instead of pcre
* Wed Jan 12 2022 Zdenek Pytela <zpytela@redhat.com> - 35.9-1
- Allow sshd read filesystem sysctl files
- Revert "Allow sshd read sysctl files"
- Allow tlp read its systemd unit
- Allow gssproxy access to various system files.
- Allow gssproxy read, write, and map ica tmpfs files
- Allow gssproxy read and write z90crypt device
- Allow sssd_kcm read and write z90crypt device
- Allow smbcontrol read the network state information
- Allow virt_domain map vhost devices
- Allow fcoemon request the kernel to load a module
- Allow sshd read sysctl files
- Ensure that `/run/systemd/*` are properly labeled
- Allow admin userdomains use socketpair()
- Change /run/user/[0-9]+ to /run/user/%{USERID} for proper labeling
- Allow lldpd connect to snmpd with a unix domain stream socket
- Dontaudit pkcsslotd sys_admin capability
* Thu Dec 23 2021 Zdenek Pytela <zpytela@redhat.com> - 35.8-1
- Allow haproxy get attributes of filesystems with extended attributes
- Allow haproxy get attributes of cgroup filesystems
- Allow sysadm execute sysadmctl in sysadm_t domain using sudo
- Allow userdomains use pam_ssh_agent_auth for passwordless sudo
- Allow sudodomains execute passwd in the passwd domain
- Allow braille printing in selinux
- Allow sandbox_xserver_t map sandbox_file_t
- Label /dev/ngXnY and /dev/nvme-subsysX with fixed_disk_device_t
- Add hwtracing_device_t type for hardware-level tracing and debugging
- Label port 9528/tcp with openqa_liveview
- Label /var/lib/shorewall6-lite with shorewall_var_lib_t
- Document Security Flask model in the policy
* Fri Dec 10 2021 Zdenek Pytela <zpytela@redhat.com> - 35.7-1
- Allow systemd read unlabeled symbolic links
- Label abrt-action-generate-backtrace with abrt_handle_event_exec_t
- Allow dnsmasq watch /etc/dnsmasq.d directories
- Allow rhsmcertd get attributes of tmpfs_t filesystems
- Allow lldpd use an snmp subagent over a tcp socket
- Allow xdm watch generic directories in /var/lib
- Allow login_userdomain open/read/map system journal
- Allow sysadm_t connect to cluster domains over a unix stream socket
- Allow sysadm_t read/write pkcs shared memory segments
- Allow sysadm_t connect to sanlock over a unix stream socket
- Allow sysadm_t dbus chat with sssd
- Allow sysadm_t set attributes on character device nodes
- Allow sysadm_t read and write watchdog devices
- Allow smbcontrol use additional socket types
- Allow cloud-init dbus chat with systemd-logind
- Allow svnserve send mail from the system
- Update userdom_exec_user_tmp_files() with an entrypoint rule
- Allow sudodomain send a null signal to sshd processes
* Fri Nov 19 2021 Zdenek Pytela <zpytela@redhat.com> - 35.6-1
- Allow PID 1 and dbus-broker IPC with a systemd user session
- Allow rpmdb read generic SSL certificates
- Allow rpmdb read admin home config files
- Report warning on duplicate definition of interface
- Allow redis get attributes of filesystems with extended attributes
- Allow sysadm_t dbus chat with realmd_t
- Make cupsd_lpd_t a daemon
- Allow tlp dbus-chat with NetworkManager
- filesystem: add fs_use_trans for ramfs
- Allow systemd-logind destroy unconfined user's IPC objects
* Thu Nov 04 2021 Zdenek Pytela <zpytela@redhat.com> - 35.5-1
- Support sanlock VG automated recovery on storage access loss 2/2
- Support sanlock VG automated recovery on storage access loss 1/2
- Revert "Support sanlock VG automated recovery on storage access loss"
- Allow tlp get service units status
- Allow fedora-third-party manage 3rd party repos
- Allow xdm_t nnp_transition to login_userdomain
- Add the auth_read_passwd_file() interface
- Allow redis-sentinel execute a notification script
- Allow fetchmail search cgroup directories
- Allow lvm_t to read/write devicekit disk semaphores
- Allow devicekit_disk_t to use /dev/mapper/control
- Allow devicekit_disk_t to get IPC info from the kernel
- Allow devicekit_disk_t to read systemd-logind pid files
- Allow devicekit_disk_t to mount filesystems on mnt_t directories
- Allow devicekit_disk_t to manage mount_var_run_t files
- Allow rasdaemon sys_admin capability to verify the CAP_SYS_ADMIN of the soft_offline_page function implemented in the kernel
- Use $releasever in koji repo to reduce rawhide hardcoding
- authlogin: add fcontext for tcb
- Add erofs as a SELinux capable file system
- Allow systemd execute user bin files
- Support sanlock VG automated recovery on storage access loss
- Support new PING_CHECK health checker in keepalived
* Wed Oct 20 2021 Zdenek Pytela <zpytela@redhat.com> - 35.4-1
- Allow fedora-third-party map generic cache files
- Add gnome_map_generic_cache_files() interface
- Add files_manage_var_lib_dirs() interface
- Allow fedora-third party manage gpg keys
- Allow fedora-third-party run "flatpak remote-add --from flathub"
* Tue Oct 19 2021 Zdenek Pytela <zpytela@redhat.com> - 35.3-1
- Allow fedora-third-party run flatpak post-install actions
- Allow fedora-third-party set_setsched and sys_nice
* Mon Oct 18 2021 Zdenek Pytela <zpytela@redhat.com> - 35.2-1
- Allow fedora-third-party execute "flatpak remote-add"
- Add files_manage_var_lib_files() interface
- Add write permisson to userfaultfd_anon_inode_perms
- Allow proper function sosreport via iotop
- Allow proper function sosreport in sysadmin role
- Allow fedora-third-party to connect to the system log service
- Allow fedora-third-party dbus chat with policykit
- Allow chrony-wait service start with DynamicUser=yes
- Allow management of lnk_files if similar access to regular files
- Allow unconfined_t transition to mozilla_plugin_t with NoNewPrivileges
- Allow systemd-resolved watch /run/systemd
- Allow fedora-third-party create and use unix_dgram_socket
- Removing pkcs_tmpfs_filetrans interface and edit pkcs policy files
- Allow login_userdomain named filetrans to pkcs_slotd_tmpfs_t domain
* Thu Oct 07 2021 Zdenek Pytela <zpytela@redhat.com> - 35.1-1
- Add fedoratp module
- Allow xdm_t domain transition to fedoratp_t
- Allow ModemManager create and use netlink route socket
- Add default file context for /run/gssproxy.default.sock
- Allow xdm_t watch fonts directories
- Allow xdm_t watch generic directories in /lib
- Allow xdm_t watch generic pid directories
* Thu Sep 23 2021 Zdenek Pytela <zpytela@redhat.com> - 34.21-1
- Add bluetooth-related permissions into a tunable block
- Allow gnome at-spi processes create and use stream sockets
- Allow usbmuxd get attributes of tmpfs_t filesystems
- Allow fprintd install a sleep delay inhibitor
- Allow collectd get attributes of infiniband devices
- Allow collectd create and user netlink rdma socket
- Allow collectd map packet_socket
- Allow snort create and use blootooth socket
- Allow systemd watch and watch_reads console devices
- Allow snort create and use generic netlink socket
- Allow NetworkManager dbus chat with fwupd
- Allow unconfined domains read/write domain perf_events
- Allow scripts to enter LUKS password
- Update mount_manage_pid_files() to use manage_files_pattern
- Support hitless reloads feature in haproxy
- Allow haproxy list the sysfs directories content
- Allow gnome at-spi processes get attributes of tmpfs filesystems
- Allow unbound connectto unix_stream_socket
- Allow rhsmcertd_t dbus chat with anaconda install_t
* Thu Sep 16 2021 Zdenek Pytela <zpytela@redhat.com> - 34.20-1
- cleanup unused codes
- Fix typo in the gnome_exec_atspi() interface summary
- Allow xdm execute gnome-atspi services
- Allow gnome at-spi processes execute dbus-daemon in caller domain
- Allow xdm watch dbus configuration
- Allow xdm execute dbus-daemon in the caller domain
- Revert "Allow xdm_t transition to system_dbusd_t"
- Allow at-spi-bus-launcher read and map xdm pid files
- Allow dhcpcd set its resource limits
- Allow systemd-sleep get removable devices attributes
- Allow usbmuxd get attributes of fs_t filesystems
* Thu Sep 09 2021 Zdenek Pytela <zpytela@redhat.com> - 34.19-1
- Update the dhcp client local policy
- Allow firewalld load kernel modules
- Allow postfix_domain to sendto unix dgram sockets.
- Allow systemd watch unallocated ttys
* Tue Sep 07 2021 Zdenek Pytela <zpytela@redhat.com> - 34.18-1
- Allow ModemManager create a qipcrtr socket
- Allow ModemManager request to load a kernel module
- Label /usr/sbin/virtproxyd as virtd_exec_t
- Allow communication between at-spi and gdm processes
- Update ica_filetrans_named_content() with create_file_perms
- Fix the gnome_atspi_domtrans() interface summary
* Fri Aug 27 2021 Zdenek Pytela <zpytela@redhat.com> - 34.17-5
- Add ica module to modules-targeted-contrib.conf
* Fri Aug 27 2021 Zdenek Pytela <zpytela@redhat.com> - 34.17-4
- Add trailing \ to the relabel() block which is needed even in a comment
* Fri Aug 27 2021 Zdenek Pytela <zpytela@redhat.com> - 34.17-3
- Add ica module to modules-targeted.conf
* Fri Aug 27 2021 Zdenek Pytela <zpytela@redhat.com> - 34.17-2
- Relabel /var/lib/rpm explicitly
- Revert "Relabel /dev/dma_heap explicitly"
* Fri Aug 27 2021 Zdenek Pytela <zpytela@redhat.com> - 34.17-1
- Add support for at-spi
- Add permissions for system dbus processes
- Allow various domains work with ICA crypto accelerator
- Add ica module
- Revert "Support using ICA crypto accelerator on s390x arch"
- Allow systemd to delete fwupd var cache files
- Allow vmtools_unconfined_t domain transition to rpm_script_t
- Allow dirsrv read slapd tmpfs files
- Revert "Label /dev/shm/dirsrv/ with dirsrv_tmpfs_t label"
- Rename samba_exec() to samba_exec_net()
- Support using ICA crypto accelerator on s390x arch
- Allow systemd delete /run/systemd/default-hostname
- Allow tcpdump read system state information in /proc
- Allow rhsmcertd to create cache file in /var/cache/cloud-what
- Allow D-bus communication between avahi and sosreport
- Label /usr/libexec/gdm-runtime-config with xdm_exec_t
- Allow lldpad send to kdumpctl over a unix dgram socket
- Revert "Allow lldpad send to kdump over a unix dgram socket"
- Allow chronyc respond to a user chronyd instance
- Allow ptp4l respond to pmc
- Allow lldpad send to unconfined_t over a unix dgram socket
- Allow sssd to set samba setting
* Thu Aug 12 2021 Zdenek Pytela <zpytela@redhat.com> - 34.16-1
- Allow systemd-timesyncd watch system dbus pid socket files
- Allow firewalld drop capabilities
- Allow rhsmcertd execute gpg
- Allow lldpad send to kdump over a unix dgram socket
- Allow systemd-gpt-auto-generator read udev pid files
- Set default file context for /sys/firmware/efi/efivars
- Allow tcpdump run as a systemd service
- Allow nmap create and use netlink generic socket
- Allow nscd watch system db files in /var/db
- Allow cockpit_ws_t get attributes of fs_t filesystems
- Allow sysadm acces to kernel module resources
- Allow sysadm to read/write scsi files and manage shadow
- Allow sysadm access to files_unconfined and bind rpc ports
- Allow sysadm read and view kernel keyrings
- Allow journal mmap and read var lib files
- Allow tuned to read rhsmcertd config files
- Allow bootloader to read tuned etc files
- Label /usr/bin/qemu-storage-daemon with virtd_exec_t
* Fri Aug 06 2021 Zdenek Pytela <zpytela@redhat.com> - 34.15-1
- Disable seccomp on CI containers
- Allow systemd-machined stop generic service units
- Allow virtlogd_t read process state of user domains
- Add "/" at the beginning of dev/shm/var\.lib\.opencryptoki.* regexp
- Label /dev/crypto/nx-gzip with accelerator_device_t
- Update the policy for systemd-journal-upload
- Allow unconfined domains to bpf all other domains
- Confine rhsm service and rhsm-facts service as rhsmcertd_t
- Allow fcoemon talk with unconfined user over unix domain datagram socket
- Allow abrt_domain read and write z90crypt device
- Allow mdadm read iscsi pid files
- Change dev_getattr_infiniband_dev() to use getattr_chr_files_pattern()
- Label /usr/lib/pcs/pcs_snmp_agent with cluster_exec_t
- Allow hostapd bind UDP sockets to the dhcpd port
- Unconfined domains should not be confined
* Fri Jul 23 2021 Fedora Release Engineering <releng@fedoraproject.org> - 34.14-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild
* Wed Jul 14 2021 Zdenek Pytela <zpytela@redhat.com> - 34.14-1
- Revert "update libs_filetrans_named_content() to have support for /usr/lib/debug directory"
- Remove references to init_watch_path_type attribute
- Remove all redundant watch permissions for systemd
- Allow systemd watch non_security_file_type dirs, files, lnk_files
- Removed adding to attribute unpriv_userdomain from userdom_unpriv_type template
- Allow bacula get attributes of cgroup filesystems
- Allow systemd-journal-upload watch logs and journal
- Create a policy for systemd-journal-upload
- Allow tcpdump and nmap get attributes of infiniband_device_t
- Allow arpwatch get attributes of infiniband_device_t devices
- Label /dev/wmi/dell-smbios as acpi_device_t
* Thu Jul 01 2021 Zdenek Pytela <zpytela@redhat.com> - 34.13-1
- Allow radius map its library files
- Allow nftables read NetworkManager unnamed pipes
- Allow logrotate rotate container log files
* Tue Jun 22 2021 Zdenek Pytela <zpytela@redhat.com> - 34.12-2
- Add a systemd service to check that SELinux is disabled properly
- specfile: Add unowned dir to the macro
- Relabel /dev/dma_heap explicitly
* Mon Jun 21 2021 Zdenek Pytela <zpytela@redhat.com> - 34.12-1
- Label /dev/dma_heap/* char devices with dma_device_t
- Revert "Label /dev/dma_heap/* char devices with dma_device_t"
- Revert "Label /dev/dma_heap with dma_device_dir_t"
- Revert "Associate dma_device_dir_t with device filesystem"
- Add the lockdown integrity permission to dev_map_userio_dev()
- Allow systemd-modules-load read/write tracefs files
- Allow sssd watch /run/systemd
- Label /usr/bin/arping plain file with netutils_exec_t
- Label /run/fsck with fsadm_var_run_t
- Label /usr/bin/Xwayland with xserver_exec_t
- Allow systemd-timesyncd watch dbus runtime dir
- Allow asterisk watch localization files
- Allow iscsid read all process stat
- iptables.fc: Add missing legacy-restore and legacy-save entries
- Label /run/libvirt/common with virt_common_var_run_t
- Label /.k5identity file allow read of this file to rpc.gssd
- Make usbmuxd_t a daemon
* Wed Jun 09 2021 Zdenek Pytela <zpytela@redhat.com> - 34.11-1
- Allow sanlock get attributes of cgroup filesystems
- Associate dma_device_dir_t with device filesystem
- Set default file context for /var/run/systemd instead of /run/systemd
- Allow nmap create and use rdma socket
- Allow pkcs-slotd create and use netlink_kobject_uevent_socket
* Sun Jun 06 2021 Zdenek Pytela <zpytela@redhat.com> - 34.10-1
- Allow using opencryptoki for ipsec
- Allow using opencryptoki for certmonger
- Label var.lib.opencryptoki.* files and create pkcs_tmpfs_filetrans()
- Label /dev/dma_heap with dma_device_dir_t
- Allow syslogd watch non security dirs conditionally
- Introduce logging_syslogd_list_non_security_dirs tunable
- Remove openhpi module
- Allow udev to watch fixed disk devices
- Allow httpd_sys_script_t read, write, and map hugetlbfs files
- Allow apcupsd get attributes of cgroup filesystems
* Thu May 27 2021 Zdenek Pytela <zpytela@redhat.com> - 34.9-1
- Add kerberos object filetrans for nsswitchdomain
- Allow fail2ban watch various log files
- Add logging_watch_audit_log_files() and logging_watch_audit_log_dirs()
- Remove further modules recently removed from refpolicy
- Remove modules not shipped and not present in refpolicy
- Revert "Add permission open to files_read_inherited_tmp_files() interface"
- Revert "Allow pcp_pmlogger_t to use setrlimit BZ(1708951)"
- Revert "Dontaudit logrotate to setrlimit itself. rhbz#1309604"
- Revert "Allow cockpit_ws_t domain to set limits BZ(1701703)"
- Dontaudit setrlimit for domains that exec systemctl
- Allow kdump_t net_admin capability
- Allow nsswitch_domain read init pid lnk_files
- Label /dev/trng with random_device_t
- Label /run/systemd/default-hostname with hostname_etc_t
- Add default file context specification for dnf log files
- Label /dev/zram[0-9]+ block device files with fixed_disk_device_t
- Label /dev/udmabuf character device with dma_device_t
- Label /dev/dma_heap/* char devices with dma_device_t
- Label /dev/acpi_thermal_rel char device with acpi_device_t
* Thu May 20 2021 Zdenek Pytela <zpytela@redhat.com> - 34.8-2
- Remove temporary explicit /dev/nvme relabeling
* Thu May 20 2021 Zdenek Pytela <zpytela@redhat.com> - 34.8-1
- Allow local_login_t nnp_transition to login_userdomain
- Allow asterisk watch localization symlinks
- Allow NetworkManager_t to watch /etc
- Label /var/lib/kdump with kdump_var_lib_t
- Allow amanda get attributes of cgroup filesystems
- Allow sysadm_t nnp_domtrans to systemd_tmpfiles_t
- Allow install_t nnp_domtrans to setfiles_mac_t
- Allow fcoemon create sysfs files
* Thu May 13 2021 Zdenek Pytela <zpytela@redhat.com> - 34.7-1
- Allow tgtd read and write infiniband devices
- Add a comment on virt_sandbox booleans with empty content
- Deprecate duplicate dev_write_generic_sock_files() interface
- Allow vnstatd_t map vnstatd_var_lib_t files
- Allow privoxy execmem
- Allow pmdakvm read information from the debug filesystem
- Add lockdown integrity into kernel_read_debugfs() and kernel_manage_debugfs()
- Add permissions to delete lnk_files into gnome_delete_home_config()
- Remove rules for inotifyfs
- Remove rules for anon_inodefs
- Allow systemd nnp_transition to login_userdomain
- Allow unconfined_t write other processes perf_event records
- Allow sysadm_t dbus chat with tuned
- Allow tuned write profile files with file transition
- Allow tuned manage perf_events
- Make domains use kernel_write_perf_event() and kernel_manage_perf_event()
* Fri May 07 2021 Zdenek Pytela <zpytela@redhat.com> - 34.6-1
- Make domains use kernel_write_perf_event() and kernel_manage_perf_event()
- Add kernel_write_perf_event() and kernel_manage_perf_event()
- Allow syslogd_t watch root and var directories
- Allow unconfined_t read other processes perf_event records
- Allow login_userdomain read and map /var/lib/systemd files
- Allow NetworkManager watch its config dir
- Allow NetworkManager read and write z90crypt device
- Allow tgtd create and use rdma socket
- Allow aide connect to init with a unix socket
* Tue May 04 2021 Zdenek Pytela <zpytela@redhat.com> - 34.5-1
- Grant execmem to varnishlog_t
- We no longer need signull for varnishlog_t
- Add map permission to varnishd_read_lib_files
- Allow systemd-sleep tlp_filetrans_named_content()
- Allow systemd-sleep execute generic programs
- Allow systemd-sleep execute shell
- Allow to sendmail read/write kerberos host rcache files
- Allow freshclam get attributes of cgroup filesystems
- Fix context of /run/systemd/timesync
- Allow udev create /run/gdm with proper type
- Allow chronyc socket file transition in user temp directory
- Allow virtlogd_t to create virt_var_lockd_t dir
- Allow pluto IKEv2 / ESP over TCP
* Tue Apr 27 2021 Zdenek Pytela <zpytela@redhat.com> - 34.4-1
- Allow domain create anonymous inodes
- Add anon_inode class to the policy
- Allow systemd-coredump getattr nsfs files and net_admin capability
- Allow systemd-sleep transition to sysstat_t
- Allow systemd -sleep transition to tlp_t
- Allow systemd-sleep transition to unconfined_service_t on bin_t executables
- Allow systemd-timedated watch runtime dir and its parent
- Allow system dbusd read /var/lib symlinks
- Allow unconfined_service_t confidentiality and integrity lockdown
- Label /var/lib/brltty with brltty_var_lib_t
- Allow domain and unconfined_domain_type watch /proc/PID dirs
- Additional permission for confined users loging into graphic session
- Make for screen fsetid/setuid/setgid permission conditional
- Allow for confined users acces to wtmp and run utempter
* Fri Apr 09 2021 Zdenek Pytela <zpytela@redhat.com> - 34.3-1
- Label /etc/redis as redis_conf_t
- Add brltty new permissions required by new upstream version
- Allow cups-lpd read its private runtime socket files
- Dontaudit daemon open and read init_t file
- Add file context specification for /var/tmp/tmp-inst
- Allow brltty create and use bluetooth_socket
- Allow usbmuxd get attributes of cgroup filesystems
* Tue Apr 06 2021 Zdenek Pytela <zpytela@redhat.com> - 34.2-1
- Allow usbmuxd get attributes of cgroup filesystems
- Allow accounts-daemon get attributes of cgroup filesystems
- Allow pool-geoclue get attributes of cgroup filesystems
- allow systemd-sleep to set timer for suspend-then-hibernate
- Allow aide connect to systemd-userdbd with a unix socket
- Add new interfaces with watch_mount and watch_with_perm permissions
- Add file context specification for /usr/libexec/realmd
- Allow /tmp file transition for dbus-daemon also for sock_file
- Allow login_userdomain create cgroup files
- Allow plymouthd_t exec generic program in bin directories
* Thu Apr 01 2021 Zdenek Pytela <zpytela@redhat.com> - 34.1-1
- Change the package versioning
* Thu Apr 01 2021 Zdenek Pytela <zpytela@redhat.com> - 3.14.8-10
- Allow plymouthd_t exec generic program in bin directories
- Allow dhcpc_t domain transition to chronyc_t
- Allow login_userdomain bind xmsg port
- Allow ibacm the net_raw and sys_rawio capabilities
- Allow nsswitch_domain read cgroup files
- Allow systemd-sleep create hardware state information files
* Mon Mar 29 2021 Zdenek Pytela <zpytela@redhat.com> - 3.14.8-9
- Add watch_with_perm_dirs_pattern file pattern
* Fri Mar 26 2021 Zdenek Pytela <zpytela@redhat.com> - 3.14.8-8
- Allow arpwatch_t create netlink generic socket
- Allow postgrey read network state
- Add watch_mount_dirs_pattern file pattern
- Allow bluetooth_t dbus chat with fwupd_t
- Allow xdm_t watch accountsd lib directories
- Add additional interfaces for watching /boot
- Allow sssd_t get attributes of tmpfs filesystems
- Allow local_login_t get attributes of tmpfs filesystems
- Dontaudit domain the fowner capability
- Extend fs_manage_nfsd_fs() to allow managing dirs as well
- Allow spice-vdagentd watch systemd-logind session dirs
* Fri Mar 19 2021 Zdenek Pytela <zpytela@redhat.com> - 3.14.8-7
- Allow xdm_t watch systemd-logind session dirs
- Allow xdm_t transition to system_dbusd_t
- Allow confined users login into graphic session
- Allow login_userdomain watch systemd login session dirs
- install_t: Allow NoNewPriv transition from systemd
- Remove setuid/setgid capabilities from mysqld_t
- Add context for new mariadbd executable files
- Allow netutils_t create netlink generic socket
- Allow systemd the audit_control capability conditionally
* Thu Mar 11 2021 Zdenek Pytela <zpytela@redhat.com> - 3.14.8-6
- Allow polkit-agent-helper-1 read logind sessions files
- Allow polkit-agent-helper read init state
- Allow login_userdomain watch generic device dirs
- Allow login_userdomain listen on bluetooth sockets
- Allow user_t and staff_t bind netlink_generic_socket
- Allow login_userdomain write inaccessible nodes
- Allow transition from xdm domain to unconfined_t domain.
- Add 'make validate' step to CI
- Disallow user_t run su/sudo and staff_t run su
- Fix typo in rsyncd.conf in rsync.if
- Add an alias for nvme_device_t
- Allow systemd watch and watch_reads unallocated ttys
* Wed Mar 03 2021 Zdenek Pytela <zpytela@redhat.com> - 3.14.8-5
- Allow apmd watch generic device directories
- Allow kdump load a new kernel
- Add confidentiality lockdown permission to kernel_read_core_if()
- Allow keepalived read nsfs files
- Allow local_login_t get attributes of filesystems with ext attributes
- Allow keepalived read/write its private memfd: objects
- Add missing declaration in rpm_named_filetrans()
- Change param description in cron interfaces to userdomain_prefix
* Wed Feb 24 2021 Zdenek Pytela <zpytela@redhat.com> - 3.14.8-4
- iptables.fc: Add missing legacy entries
- iptables.fc: Remove some duplicate entries
- iptables.fc: Remove duplicate file context entries
- Allow libvirtd to create generic netlink sockets
- Allow libvirtd the fsetid capability
- Allow libvirtd to read /run/utmp
- Dontaudit sys_ptrace capability when calling systemctl
- Allow udisksd to read /dev/random
- Allow udisksd to watch files under /run/mount
- Allow udisksd to watch /etc
- Allow crond to watch user_cron_spool_t directories
- Allow accountsd watch xdm config directories
- Label /etc/avahi with avahi_conf_t
- Allow sssd get cgroup filesystems attributes and search cgroup dirs
- Allow systemd-hostnamed read udev runtime data
- Remove dev_getattr_sysfs_fs() interface calls for particular domains
- Allow domain stat the /sys filesystem
- Dontaudit NetworkManager write to initrc_tmp_t pipes
- policykit.te: Clean up watch rule for policykit_auth_t
- Revert further unnecessary watch rules
- Revert "Allow getty watch its private runtime files"
- Allow systemd watch generic /var directories
- Allow init watch network config files and lnk_files
- Allow systemd-sleep get attributes of fixed disk device nodes
- Complete initial policy for systemd-coredump
- Label SDC(scini) Dell Driver
- Allow upowerd to send syslog messages
- Remove the disk write permissions from tlp_t
- Label NVMe devices as fixed_disk_device_t
- Allow rhsmcertd bind tcp sockets to a generic node
- Allow systemd-importd manage machines.lock file
* Tue Feb 16 2021 Zdenek Pytela <zpytela@redhat.com> - 3.14.8-3
- Allow unconfined integrity lockdown permission
- Relocate confidentiality lockdown rule from unconfined_domain_type to unconfined
- Allow systemd-machined manage systemd-userdbd runtime sockets
- Enable systemd-sysctl domtrans for udev
- Introduce kernel_load_unsigned_module interface and use it for couple domains
- Allow gpg watch user gpg secrets dirs
- Build also the container module in CI
- Remove duplicate code from kernel.te
- Allow restorecond to watch all non-auth directories
- Allow restorecond to watch its config file
* Mon Feb 15 2021 Zdenek Pytela <zpytela@redhat.com> - 3.14.8-2
- Allow userdomain watch various filesystem objects
- Allow systemd-logind and systemd-sleep integrity lockdown permission
- Allow unconfined_t and kprop_t to create krb5_0.rcache2 with the right context
- Allow pulseaudio watch devices and systemd-logind session dirs
- Allow abrt-dump-journal-* watch generic log dirs and /run/log/journal dir
- Remove duplicate files_mounton_etc(init_t) call
- Add watch permissions to manage_* object permissions sets
- Allow journalctl watch generic log dirs and /run/log/journal dir
- Label /etc/resolv.conf as net_conf_t even when it's a symlink
- Allow SSSD to watch /var/run/NetworkManager
- Allow dnsmasq_t to watch /etc
- Remove unnecessary lines from the new watch interfaces
- Fix docstring for init_watch_dir()
- Allow xdm watch its private lib dirs, /etc, /usr
* Thu Feb 11 2021 Zdenek Pytela <zpytela@redhat.com> - 3.14.8-1
- Bump version as Fedora 34 has been branched off rawhide
- Allow xdm watch its private lib dirs, /etc, /usr
- Allow systemd-importd create /run/systemd/machines.lock file
- Allow rhsmcertd_t read kpatch lib files
- Add integrity lockdown permission into dev_read_raw_memory()
- Add confidentiality lockdown permission into fs_rw_tracefs_files()
- Allow gpsd read and write ptp4l_t shared memory.
- Allow colord watch its private lib files and /usr
- Allow init watch_reads mount PID files
- Allow IPsec and Certmonger to use opencryptoki services
* Sun Feb 07 2021 Zdenek Pytela <zpytela@redhat.com> - 3.14.7-18
- Allow lockdown confidentiality for domains using perf_event
- define lockdown class and access
- Add perfmon capability for all domains using perf_event
- Allow ptp4l_t bpf capability to run bpf programs
- Revert "Allow ptp4l_t sys_admin capability to run bpf programs"
- access_vectors: Add new capabilities to cap2
- Allow systemd and systemd-resolved watch dbus pid objects
- Add new watch interfaces in the base and userdomain policy
- Add watch permissions for contrib packages
- Allow xdm watch /usr directories
- Allow getty watch its private runtime files
- Add watch permissions for nscd and sssd
- Add watch permissions for firewalld and NetworkManager
- Add watch permissions for syslogd
- Add watch permissions for systemd services
- Allow restorecond watch /etc dirs
- Add watch permissions for user domain types
- Add watch permissions for init
- Add basic watch interfaces for systemd
- Add basic watch interfaces to the base module
- Add additional watch object permissions sets and patterns
- Allow init_t to watch localization symlinks
- Allow init_t to watch mount directories
- Allow init_t to watch cgroup files
- Add basic watch patterns
- Add new watch* permissions
* Fri Feb 05 2021 Zdenek Pytela <zpytela@redhat.com> - 3.14.7-17
- Update .copr/make-srpm.sh to use rawhide as DISTGIT_BRANCH
- Dontaudit setsched for rndc
- Allow systemd-logind destroy entries in message queue
- Add userdom_destroy_unpriv_user_msgq() interface
- ci: Install build dependencies from koji
- Dontaudit vhostmd to write in /var/lib/rpm/ dir and allow signull rpm
- Add new cmadmin port for bfdd dameon
- virtiofs supports Xattrs and SELinux
- Allow domain write to systemd-resolved PID socket files
- Label /var/run/pcsd-ruby.socket socket with cluster_var_run_t type
- Allow rhsmcertd_t domain transition to kpatch_t
- Revert "Add kpatch_exec() interface"
- Revert "Allow rhsmcertd execute kpatch"
- Allow openvswitch create and use xfrm netlink sockets
- Allow openvswitch_t perf_event write permission
- Add kpatch_exec() interface
- Allow rhsmcertd execute kpatch
- Adds rule to allow glusterd to access RDMA socket
- radius: Lexical sort of service-specific corenet rules by service name
- VQP: Include IANA-assigned TCP/1589
- radius: Allow binding to the VQP port (VMPS)
- radius: Allow binding to the BDF Control and Echo ports
- radius: Allow binding to the DHCP client port
- radius: Allow net_raw; allow binding to the DHCP server ports
- Add rsync_sys_admin tunable to allow rsync sys_admin capability
- Allow staff_u run pam_console_apply
- Allow openvswitch_t perf_event open permission
- Allow sysadm read and write /dev/rfkill
- Allow certmonger fsetid capability
- Allow domain read usermodehelper state information
* Wed Jan 27 2021 Fedora Release Engineering <releng@fedoraproject.org> - 3.14.7-16
- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
* Fri Jan 22 2021 Petr Lautrbach <plautrba@redhat.com> - 3.14.7-15
- Update specfile to not verify md5/size/mtime for active store files
- Add /var/mnt equivalency to /mnt
- Rebuild with SELinux userspace 3.2-rc1 release
* Fri Jan 08 2021 Zdenek Pytela <zpytela@redhat.com> - 3.14.7-14
- Allow domain read usermodehelper state information
- Remove all kernel_read_usermodehelper_state() interface calls
- .copr: improve timestamp format
- Allow wireshark create and use rdma socket
- Allow domain stat /proc filesystem
- Remove all kernel_getattr_proc() interface calls
- Revert "Allow passwd to get attributes in proc_t"
- Revert "Allow dovecot_auth_t stat /proc filesystem"
- Revert "Allow sssd, unix_chkpwd, groupadd stat /proc filesystem"
- Allow sssd read /run/systemd directory
- Label /dev/vhost-vdpa-[0-9]+ as vhost_device_t
* Thu Dec 17 2020 Zdenek Pytela <zpytela@redhat.com> - 3.14.7-13
- Label /dev/isst_interface as cpu_device_t
- Dontaudit firewalld dac_override capability
- Allow ipsec set the context of a SPD entry to the default context
- Build binary RPMs in CI
- Add SRPM build scripts for COPR
* Tue Dec 15 2020 Zdenek Pytela <zpytela@redhat.com> - 3.14.7-12
- Allow dovecot_auth_t stat /proc filesystem
- Allow sysadm_u user and unconfined_domain_type manage perf_events
- Allow pcp-pmcd manage perf_events
- Add manage_perf_event_perms object permissions set
- Add perf_event access vectors.
- Allow sssd, unix_chkpwd, groupadd stat /proc filesystem
- Allow stub-resolv.conf to be a symlink
- sysnetwork.if: avoid directly referencing systemd_resolved_var_run_t
- Create the systemd_dbus_chat_resolved() compatibility interface
- Allow nsswitch-domain write to systemd-resolved PID socket files
- Add systemd_resolved_write_pid_sock_files() interface
- Add default file context for "/var/run/chrony-dhcp(/.*)?"
- Allow timedatex dbus chat with cron system domain
- Add cron_dbus_chat_system_job() interface
- Allow systemd-logind manage init's pid files
* Wed Dec 09 2020 Zdenek Pytela <zpytela@redhat.com> - 3.14.7-11
- Allow systemd-logind manage init's pid files
- Allow tcsd the setgid capability
- Allow systemd-resolved manage its private runtime symlinks
- Update systemd_resolved_read_pid() to also read symlinks
- Update systemd-sleep policy
- Add groupadd_t fowner capability
- Migrate to GitHub Actions
- Update README.md to reflect the state after contrib and base merge
- Add README.md announcing merging of selinux-policy and selinux-policy-contrib
- Adapt .travis.yml to contrib merge
- Merge contrib into the main repo
- Prepare to merge contrib repo
- Move stuff around to match the main repo
* Thu Nov 26 2020 Zdenek Pytela <zpytela@redhat.com> - 3.14.7-10
- Allow Xephyr connect to 6000/tcp port and open user ptys
- Allow kexec manage generic tmp files
- Update targetd nfs & lvm
- Add interface rpc_manage_exports
- Merge selinux-policy and selinux-policy-contrib repos
* Tue Nov 24 2020 Zdenek Pytela <zpytela@redhat.com> - 3.14.7-9
- Allow varnish map its private tmp files
- Allow dovecot bind to smtp ports
- Change fetchmail temporary files path to /var/spool/mail
- Allow cups_pdf_t domain to communicate with unix_dgram_socket
- Set file context for symlinks in /etc/httpd to etc_t
- Allow rpmdb rw access to inherited console, ttys, and ptys
- Allow dnsmasq read public files
- Announce merging of selinux-policy and selinux-policy-contrib
- Label /etc/resolv.conf as net_conf_t only if it is a plain file
- Fix range for unreserved ports
- Add files_search_non_security_dirs() interface
- Introduce logging_syslogd_append_public_content tunable
- Add miscfiles_append_public_files() interface
* Fri Nov 13 2020 Zdenek Pytela <zpytela@redhat.com> - 3.14.7-8
- Set correct default file context for /usr/libexec/pcp/lib/*
- Introduce rpmdb_t type
- Allow slapd manage files/dirs in ldap certificates directory
- Revert "Allow certmonger add new entries in a generic certificates directory"
- Allow certmonger add new entries in a generic certificates directory
- Allow slapd add new entries in ldap certificates directory
- Remove retired PCP pmwebd and pmmgr daemons (since 5.0)
- Let keepalived bind a raw socket
- Add default file context for /usr/libexec/pcp/lib/*
- squid: Allow net_raw capability when squid_use_tproxy is enabled
- systemd: allow networkd to check namespaces
- Add ability to read init_var_run_t where fs_read_efivarfs_files is allowed
- Allow resolved to created varlink sockets and the domain to talk to it
- selinux: tweak selinux_get_enforce_mode() to allow status page to be used
- systemd: allow all systemd services to check selinux status
- Set default file context for /var/lib/ipsec/nss
- Allow user domains transition to rpmdb_t
- Revert "Add miscfiles_add_entry_generic_cert_dirs() interface"
- Revert "Add miscfiles_create_generic_cert_dirs() interface"
- Update miscfiles_manage_all_certs() to include managing directories
- Add miscfiles_create_generic_cert_dirs() interface
- Add miscfiles_add_entry_generic_cert_dirs() interface
- Revert "Label /var/run/zincati/public/motd.d/* as motd_var_run_t"
* Tue Nov 03 2020 Petr Lautrbach <plautrba@redhat.com> - 3.14.7-7
- Rebuild with latest libsepol
- Bump policy version to 33
* Thu Oct 22 2020 Zdenek Pytela <zpytela@redhat.com> - 3.14.7-6
- rpc.fc: Include /etc/exports.d dir & files
- Create chronyd_pid_filetrans() interface
- Change invalid type redisd_t to redis_t in redis_stream_connect()
- Revert "Removed adding to attribute unpriv_userdomain from userdom_unpriv_type template"
- Allow init dbus chat with kernel
- Allow initrc_t create /run/chronyd-dhcp directory with a transition
- Drop gcc from dependencies in Travis CI
- fc_sort.py: Use "==" for comparing integers.
- re-implement fc_sort in python
- Remove invalid file context line
- Drop git from dependencies in Travis CI
* Tue Oct 06 2020 Zdenek Pytela <zpytela@redhat.com> - 3.14.7-5
- Remove empty line from rshd.fc
- Allow systemd-logind read swap files
- Add fstools_read_swap_files() interface
- Allow dyntransition from sshd_t to unconfined_t
- Removed adding to attribute unpriv_userdomain from userdom_unpriv_type template
* Fri Sep 25 2020 Zdenek Pytela <zpytela@redhat.com> - 3.14.7-4
- Allow chronyd_t to accept and make NTS-KE connections
- Allow domain write to an automount unnamed pipe
- Label /var/run/zincati/public/motd.d/* as motd_var_run_t
- Allow login programs to (only) read MOTD files and symlinks
- Relabel /usr/sbin/charon-systemd as ipsec_exec_t
- Confine systemd-sleep service
- Add fstools_rw_swap_files() interface
- Label 4460/tcp port as ntske_port_t
- Add lvm_dbus_send_msg(), lvm_rw_var_run() interfaces
* Mon Sep 21 2020 Zdenek Pytela <zpytela@redhat.com> - 3.14.7-3
- Check out the right -contrib branch in Travis
* Fri Sep 18 2020 Zdenek Pytela <zpytela@redhat.com> - 3.14.7-2
- Allow openvswitch fowner capability and create netlink sockets
- Allow additional permissions for gnome-initial-setup
- Add to map non_security_files to the userdom_admin_user_template template
- kernel/filesystem: Add exfat support (no extended attributes)
* Tue Sep 08 2020 Zdenek Pytela <zpytela@redhat.com> - 3.14.7-1
- Bump version as Fedora 33 has been branched
- Allow php-fpm write access to /var/run/redis/redis.sock
- Allow journalctl to read and write to inherited user domain tty
- Update rkt policy to allow rkt_t domain to read sysfs filesystem
- Allow arpwatch create and use rdma socket
- Allow plymouth sys_chroot capability
- Allow gnome-initial-setup execute in a xdm sandbox
- Add new devices and filesystem interfaces
* Mon Aug 24 2020 Zdenek Pytela <zpytela@redhat.com> - 3.14.6-25
- Allow certmonger fowner capability
- The nfsdcld service is now confined by SELinux
- Change transitions for ~/.config/Yubico
- Allow all users to connect to systemd-userdbd with a unix socket
- Add file context for ~/.config/Yubico
- Allow syslogd_t domain to read/write tmpfs systemd-bootchart files
- Allow login_pgm attribute to get attributes in proc_t
- Allow passwd to get attributes in proc_t
- Revert "Allow passwd to get attributes in proc_t"
- Revert "Allow login_pgm attribute to get attributes in proc_t"
- Allow login_pgm attribute to get attributes in proc_t
- Allow passwd to get attributes in proc_t
- Allow traceroute_t and ping_t to bind generic nodes.
- Create macro corenet_icmp_bind_generic_node()
- Allow unconfined_t to node_bind icmp_sockets in node_t domain
* Thu Aug 13 2020 Zdenek Pytela <zpytela@redhat.com> - 3.14.6-24
- Add ipa_helper_noatsecure() interface unconditionally
- Conditionally allow nagios_plugin_domain dbus chat with init
- Revert "Update allow rules set for nrpe_t domain"
- Add ipa_helper_noatsecure() interface to ipa.if
- Label /usr/libexec/qemu-pr-helper with virtd_exec_t
- Allow kadmind manage kerberos host rcache
- Allow nsswitch_domain to connect to systemd-machined using a unix socket
- Define named file transition for sshd on /tmp/krb5_0.rcache2
- Allow systemd-machined create userdbd runtime sock files
- Disable kdbus module before updating
* Mon Aug 03 2020 Zdenek Pytela <zpytela@redhat.com> - 3.14.6-23
- Revert "Add support for /sys/fs/kdbus and allow login_pgm domain to access it."
- Revert "Add interface to allow types to associate with cgroup filesystems"
- Revert "kdbusfs should not be accessible for now."
- Revert "kdbusfs should not be accessible for now by default for shipped policies. It should be moved to kdbus.pp"
- Revert "Add kdbus.pp policy to allow access /sys/fs/kdbus. It needs to go with own module because this is workaround for now to avoid SELinux in enforcing mode."
- Remove the legacy kdbus module
- Remove "kdbus = module" from modules-targeted-base.conf
|