Wed, 27 Nov 2024 20:09:58 UTC | login

Information for build selinux-policy-40.17-1.fc40

ID305898
Package Nameselinux-policy
Version40.17
Release1.fc40
Epoch
SummarySELinux policy configuration
DescriptionSELinux core policy package. Originally based off of reference policy, the policy has been adjusted to provide support for Fedora.
Built bydavidlt
State complete
Volume DEFAULT
StartedWed, 01 May 2024 07:00:36 UTC
CompletedWed, 01 May 2024 07:00:36 UTC
Tags
f40
f41
RPMs
src
selinux-policy-40.17-1.fc40.src.rpm (info) (download)
noarch
selinux-policy-40.17-1.fc40.noarch.rpm (info) (download)
selinux-policy-devel-40.17-1.fc40.noarch.rpm (info) (download)
selinux-policy-doc-40.17-1.fc40.noarch.rpm (info) (download)
selinux-policy-minimum-40.17-1.fc40.noarch.rpm (info) (download)
selinux-policy-mls-40.17-1.fc40.noarch.rpm (info) (download)
selinux-policy-sandbox-40.17-1.fc40.noarch.rpm (info) (download)
selinux-policy-targeted-40.17-1.fc40.noarch.rpm (info) (download)
Changelog * Thu Apr 25 2024 Zdenek Pytela <zpytela@redhat.com> - 40.17-1 - Define transitions for /run/libvirt/common and /run/libvirt/qemu - Allow systemd-sleep read raw disk data - Allow numad to trace processes in user namespace - Allow abrt-dump-journal-core connect to systemd-userdbd - Allow plymouthd read efivarfs files - Update the auth_dontaudit_read_passwd_file() interface - Label /dev/mmcblk0rpmb character device with removable_device_t - fix hibernate on btrfs swapfile (F40) - Allow nut to statfs() - Allow system dbusd service status systemd services - Allow systemd-timedated get the timemaster service status * Tue Apr 09 2024 Zdenek Pytela <zpytela@redhat.com> - 40.16-1 - Allow keyutils-dns-resolver connect to the system log service - Allow qemu-ga read vm sysctls - postfix: allow qmgr to delete mails in bounce/ directory - policy: support pidfs - Confine selinux-autorelabel-generator.sh - Allow logwatch_mail_t read/write to init over a unix stream socket - Allow logwatch read logind sessions files - files_dontaudit_getattr_tmpfs_files allowed the access and didn't dontaudit it - files_dontaudit_mounton_modules_object allowed the access and didn't dontaudit it - Allow NetworkManager the sys_ptrace capability in user namespace - dontaudit execmem for modemmanager - Allow dhcpcd use unix_stream_socket - Allow dhcpc read /run/netns files * Fri Mar 15 2024 Zdenek Pytela <zpytela@redhat.com> - 40.15-1 - Update mmap_rw_file_perms to include the lock permission - Allow plymouthd log during shutdown - Add logging_watch_all_log_dirs() and logging_watch_all_log_files() - Allow journalctl_t read filesystem sysctls - Allow cgred_t to get attributes of cgroup filesystems - Allow wdmd read hardware state information - Allow wdmd list the contents of the sysfs directories - Allow linuxptp configure phc2sys and chronyd over a unix domain socket - Allow sulogin relabel tty1 - Dontaudit sulogin the checkpoint_restore capability - Modify sudo_role_template() to allow getpgid - Remove incorrect "local" usage in varrun-convert.sh * Thu Mar 07 2024 Zdenek Pytela <zpytela@redhat.com> - 40.14-2 - Update varrun-convert.sh script to check for existing duplicate entries * Mon Feb 26 2024 Zdenek Pytela <zpytela@redhat.com> - 40.14-1 - Allow userdomain get attributes of files on an nsfs filesystem - Allow opafm create NFS files and directories - Allow virtqemud create and unlink files in /etc/libvirt/ - Allow virtqemud domain transition on swtpm execution - Add the swtpm.if interface file for interactions with other domains - Allow samba to have dac_override capability - systemd: allow sys_admin capability for systemd_notify_t - systemd: allow systemd_notify_t to send data to kernel_t datagram sockets - Allow thumb_t to watch and watch_reads mount_var_run_t - Allow krb5kdc_t map krb5kdc_principal_t files - Allow unprivileged confined user dbus chat with setroubleshoot - Allow login_userdomain map files in /var - Allow wireguard work with firewall-cmd - Differentiate between staff and sysadm when executing crontab with sudo - Add crontab_admin_domtrans interface - Allow abrt_t nnp domain transition to abrt_handle_event_t - Allow xdm_t to watch and watch_reads mount_var_run_t - Dontaudit subscription manager setfscreate and read file contexts - Don't audit crontab_domain write attempts to user home - Transition from sudodomains to crontab_t when executing crontab_exec_t - Add crontab_domtrans interface - Fix label of pseudoterminals created from sudodomain - Allow utempter_t use ptmx - Dontaudit rpmdb attempts to connect to sssd over a unix stream socket - Allow admin user read/write on fixed_disk_device_t * Mon Feb 12 2024 Zdenek Pytela <zpytela@redhat.com> - 40.13-1 - Only allow confined user domains to login locally without unconfined_login - Add userdom_spec_domtrans_confined_admin_users interface - Only allow admindomain to execute shell via ssh with ssh_sysadm_login - Add userdom_spec_domtrans_admin_users interface - Move ssh dyntrans to unconfined inside unconfined_login tunable policy - Update ssh_role_template() for user ssh-agent type - Allow init to inherit system DBus file descriptors - Allow init to inherit fds from syslogd - Allow any domain to inherit fds from rpm-ostree - Update afterburn policy - Allow init_t nnp domain transition to abrtd_t * Tue Feb 06 2024 Zdenek Pytela <zpytela@redhat.com> - 40.12-1 - Rename all /var/lock file context entries to /run/lock - Rename all /var/run file context entries to /run - Invert the "/var/run = /run" equivalency * Mon Feb 05 2024 Zdenek Pytela <zpytela@redhat.com> - 40.11-1 - Replace init domtrans rule for confined users to allow exec init - Update dbus_role_template() to allow user service status - Allow polkit status all systemd services - Allow setroubleshootd create and use inherited io_uring - Allow load_policy read and write generic ptys - Allow gpg manage rpm cache - Allow login_userdomain name_bind to howl and xmsg udp ports - Allow rules for confined users logged in plasma - Label /dev/iommu with iommu_device_t - Remove duplicate file context entries in /run - Dontaudit getty and plymouth the checkpoint_restore capability - Allow su domains write login records - Revert "Allow su domains write login records" - Allow login_userdomain delete session dbusd tmp socket files - Allow unix dgram sendto between exim processes - Allow su domains write login records - Allow smbd_t to watch user_home_dir_t if samba_enable_home_dirs is on * Wed Jan 24 2024 Zdenek Pytela <zpytela@redhat.com> - 40.10-1 - Allow chronyd-restricted read chronyd key files - Allow conntrackd_t to use bpf capability2 - Allow systemd-networkd manage its runtime socket files - Allow init_t nnp domain transition to colord_t - Allow polkit status systemd services - nova: Fix duplicate declarations - Allow httpd work with PrivateTmp - Add interfaces for watching and reading ifconfig_var_run_t - Allow collectd read raw fixed disk device - Allow collectd read udev pid files - Set correct label on /etc/pki/pki-tomcat/kra - Allow systemd domains watch system dbus pid socket files - Allow certmonger read network sysctls - Allow mdadm list stratisd data directories - Allow syslog to run unconfined scripts conditionally - Allow syslogd_t nnp_transition to syslogd_unconfined_script_t - Allow qatlib set attributes of vfio device files * Tue Jan 09 2024 Zdenek Pytela <zpytela@redhat.com> - 40.9-1 - Allow systemd-sleep set attributes of efivarfs files - Allow samba-dcerpcd read public files - Allow spamd_update_t the sys_ptrace capability in user namespace - Allow bluetooth devices work with alsa - Allow alsa get attributes filesystems with extended attributes * Tue Jan 02 2024 Yaakov Selkowitz <yselkowi@redhat.com> - 40.8-2 - Limit %selinux_requires to version, not release * Thu Dec 21 2023 Zdenek Pytela <zpytela@redhat.com> - 40.8-1 - Allow hypervkvp_t write access to NetworkManager_etc_rw_t - Add interface for write-only access to NetworkManager rw conf - Allow systemd-sleep send a message to syslog over a unix dgram socket - Allow init create and use netlink netfilter socket - Allow qatlib load kernel modules - Allow qatlib run lspci - Allow qatlib manage its private runtime socket files - Allow qatlib read/write vfio devices - Label /etc/redis.conf with redis_conf_t - Remove the lockdown-class rules from the policy - Allow init read all non-security socket files - Replace redundant dnsmasq pattern macros - Remove unneeded symlink perms in dnsmasq.if - Add additions to dnsmasq interface - Allow nvme_stas_t create and use netlink kobject uevent socket - Allow collectd connect to statsd port - Allow keepalived_t to use sys_ptrace of cap_userns - Allow dovecot_auth_t connect to postgresql using UNIX socket * Wed Dec 13 2023 Zdenek Pytela <zpytela@redhat.com> - 40.7-1 - Make named_zone_t and named_var_run_t a part of the mountpoint attribute - Allow sysadm execute traceroute in sysadm_t domain using sudo - Allow sysadm execute tcpdump in sysadm_t domain using sudo - Allow opafm search nfs directories - Add support for syslogd unconfined scripts - Allow gpsd use /dev/gnss devices - Allow gpg read rpm cache - Allow virtqemud additional permissions - Allow virtqemud manage its private lock files - Allow virtqemud use the io_uring api - Allow ddclient send e-mail notifications - Allow postfix_master_t map postfix data files - Allow init create and use vsock sockets - Allow thumb_t append to init unix domain stream sockets - Label /dev/vas with vas_device_t - Change domain_kernel_load_modules boolean to true - Create interface selinux_watch_config and add it to SELinux users * Tue Nov 28 2023 Zdenek Pytela <zpytela@redhat.com> - 40.6-1 - Add afterburn to modules-targeted-contrib.conf - Update cifs interfaces to include fs_search_auto_mountpoints() - Allow sudodomain read var auth files - Allow spamd_update_t read hardware state information - Allow virtnetworkd domain transition on tc command execution - Allow sendmail MTA connect to sendmail LDA - Allow auditd read all domains process state - Allow rsync read network sysctls - Add dhcpcd bpf capability to run bpf programs - Dontaudit systemd-hwdb dac_override capability - Allow systemd-sleep create efivarfs files * Tue Nov 14 2023 Zdenek Pytela <zpytela@redhat.com> - 40.5-1 - Allow map xserver_tmpfs_t files when xserver_clients_write_xshm is on - Allow graphical applications work in Wayland - Allow kdump work with PrivateTmp - Allow dovecot-auth work with PrivateTmp - Allow nfsd get attributes of all filesystems - Allow unconfined_domain_type use io_uring cmd on domain - ci: Only run Rawhide revdeps tests on the rawhide branch - Label /var/run/auditd.state as auditd_var_run_t - Allow fido-device-onboard (FDO) read the crack database - Allow ip an explicit domain transition to other domains - Label /usr/libexec/selinux/selinux-autorelabel with semanage_exec_t - Allow winbind_rpcd_t processes access when samba_export_all_* is on - Enable NetworkManager and dhclient to use initramfs-configured DHCP connection - Allow ntp to bind and connect to ntske port. - Allow system_mail_t manage exim spool files and dirs - Dontaudit keepalived setattr on keepalived_unconfined_script_exec_t - Label /run/pcsd.socket with cluster_var_run_t - ci: Run cockpit tests in PRs * Thu Oct 19 2023 Zdenek Pytela <zpytela@redhat.com> - 40.4-1 - Add map_read map_write to kernel_prog_run_bpf - Allow systemd-fstab-generator read all symlinks - Allow systemd-fstab-generator the dac_override capability - Allow rpcbind read network sysctls - Support using systemd containers - Allow sysadm_t to connect to iscsid using a unix domain stream socket - Add policy for coreos installer - Add coreos_installer to modules-targeted-contrib.conf * Tue Oct 17 2023 Zdenek Pytela <zpytela@redhat.com> - 40.3-1 - Add policy for nvme-stas - Confine systemd fstab,sysv,rc-local - Label /etc/aliases.lmdb with etc_aliases_t - Create policy for afterburn - Add nvme_stas to modules-targeted-contrib.conf - Add plans/tests.fmf * Tue Oct 10 2023 Zdenek Pytela <zpytela@redhat.com> - 40.2-1 - Add the virt_supplementary module to modules-targeted-contrib.conf - Make new virt drivers permissive - Split virt policy, introduce virt_supplementary module - Allow apcupsd cgi scripts read /sys - Merge pull request #1893 from WOnder93/more-early-boot-overlay-fixes - Allow kernel_t to manage and relabel all files - Add missing optional_policy() to files_relabel_all_files() * Tue Oct 03 2023 Zdenek Pytela <zpytela@redhat.com> - 40.1-1 - Allow named and ndc use the io_uring api - Deprecate common_anon_inode_perms usage - Improve default file context(None) of /var/lib/authselect/backups - Allow udev_t to search all directories with a filesystem type - Implement proper anon_inode support - Allow targetd write to the syslog pid sock_file - Add ipa_pki_retrieve_key_exec() interface - Allow kdumpctl_t to list all directories with a filesystem type - Allow udev additional permissions - Allow udev load kernel module - Allow sysadm_t to mmap modules_object_t files - Add the unconfined_read_files() and unconfined_list_dirs() interfaces - Set default file context of HOME_DIR/tmp/.* to <<none>> - Allow kernel_generic_helper_t to execute mount(1) * Fri Sep 29 2023 Zdenek Pytela <zpytela@redhat.com> - 38.29-1 - Allow sssd send SIGKILL to passkey_child running in ipa_otpd_t - Allow systemd-localed create Xserver config dirs - Allow sssd read symlinks in /etc/sssd - Label /dev/gnss[0-9] with gnss_device_t - Allow systemd-sleep read/write efivarfs variables - ci: Fix version number of packit generated srpms - Dontaudit rhsmcertd write memory device - Allow ssh_agent_type create a sockfile in /run/user/USERID - Set default file context of /var/lib/authselect/backups to <<none>> - Allow prosody read network sysctls - Allow cupsd_t to use bpf capability * Fri Sep 15 2023 Zdenek Pytela <zpytela@redhat.com> - 38.28-1 - Allow sssd domain transition on passkey_child execution conditionally - Allow login_userdomain watch lnk_files in /usr - Allow login_userdomain watch video4linux devices - Change systemd-network-generator transition to include class file - Revert "Change file transition for systemd-network-generator" - Allow nm-dispatcher winbind plugin read/write samba var files - Allow systemd-networkd write to cgroup files - Allow kdump create and use its memfd: objects * Thu Aug 31 2023 Zdenek Pytela <zpytela@redhat.com> - 38.27-1 - Allow fedora-third-party get generic filesystem attributes - Allow sssd use usb devices conditionally - Update policy for qatlib - Allow ssh_agent_type manage generic cache home files * Thu Aug 24 2023 Zdenek Pytela <zpytela@redhat.com> - 38.26-1 - Change file transition for systemd-network-generator - Additional support for gnome-initial-setup - Update gnome-initial-setup policy for geoclue - Allow openconnect vpn open vhost net device - Allow cifs.upcall to connect to SSSD also through the /var/run socket - Grant cifs.upcall more required capabilities - Allow xenstored map xenfs files - Update policy for fdo - Allow keepalived watch var_run dirs - Allow svirt to rw /dev/udmabuf - Allow qatlib to modify hardware state information. - Allow key.dns_resolve connect to avahi over a unix stream socket - Allow key.dns_resolve create and use unix datagram socket - Use quay.io as the container image source for CI * Fri Aug 11 2023 Zdenek Pytela <zpytela@redhat.com> - 38.25-1 - ci: Move srpm/rpm build to packit - .copr: Avoid subshell and changing directory - Allow gpsd, oddjob and oddjob_mkhomedir_t write user_tty_device_t chr_file - Label /usr/libexec/openssh/ssh-pkcs11-helper with ssh_agent_exec_t - Make insights_client_t an unconfined domain - Allow insights-client manage user temporary files - Allow insights-client create all rpm logs with a correct label - Allow insights-client manage generic logs - Allow cloud_init create dhclient var files and init_t manage net_conf_t - Allow insights-client read and write cluster tmpfs files - Allow ipsec read nsfs files - Make tuned work with mls policy - Remove nsplugin_role from mozilla.if - allow mon_procd_t self:cap_userns sys_ptrace - Allow pdns name_bind and name_connect all ports - Set the MLS range of fsdaemon_t to s0 - mls_systemhigh - ci: Move to actions/checkout@v3 version - .copr: Replace chown call with standard workflow safe.directory setting - .copr: Enable `set -u` for robustness - .copr: Simplify root directory variable * Fri Aug 04 2023 Zdenek Pytela <zpytela@redhat.com> - 38.24-1 - Allow rhsmcertd dbus chat with policykit - Allow polkitd execute pkla-check-authorization with nnp transition - Allow user_u and staff_u get attributes of non-security dirs - Allow unconfined user filetrans chrome_sandbox_home_t - Allow svnserve execute postdrop with a transition - Do not make postfix_postdrop_t type an MTA executable file - Allow samba-dcerpc service manage samba tmp files - Add use_nfs_home_dirs boolean for mozilla_plugin - Fix labeling for no-stub-resolv.conf * Wed Aug 02 2023 Zdenek Pytela <zpytela@redhat.com> - 38.23-1 - Revert "Allow winbind-rpcd use its private tmp files" - Allow upsmon execute upsmon via a helper script - Allow openconnect vpn read/write inherited vhost net device - Allow winbind-rpcd use its private tmp files - Update samba-dcerpc policy for printing - Allow gpsd,oddjob,oddjob_mkhomedir rw user domain pty - Allow nscd watch system db dirs - Allow qatlib to read sssd public files - Allow fedora-third-party read /sys and proc - Allow systemd-gpt-generator mount a tmpfs filesystem - Allow journald write to cgroup files - Allow rpc.mountd read network sysctls - Allow blueman read the contents of the sysfs filesystem - Allow logrotate_t to map generic files in /etc - Boolean: Allow virt_qemu_ga create ssh directory * Tue Jul 25 2023 Zdenek Pytela <zpytela@redhat.com> - 38.22-1 - Allow systemd-network-generator send system log messages - Dontaudit the execute permission on sock_file globally - Allow fsadm_t the file mounton permission - Allow named and ndc the io_uring sqpoll permission - Allow sssd io_uring sqpoll permission - Fix location for /run/nsd - Allow qemu-ga get fixed disk devices attributes - Update bitlbee policy - Label /usr/sbin/sos with sosreport_exec_t - Update policy for the sblim-sfcb service - Add the files_getattr_non_auth_dirs() interface - Fix the CI to work with DNF5 * Sat Jul 22 2023 Fedora Release Engineering <releng@fedoraproject.org> - 38.21-2 - Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild * Thu Jul 13 2023 Zdenek Pytela <zpytela@redhat.com> - 38.21-1 - Make systemd_tmpfiles_t MLS trusted for lowering the level of files - Revert "Allow insights client map cache_home_t" - Allow nfsidmapd connect to systemd-machined over a unix socket - Allow snapperd connect to kernel over a unix domain stream socket - Allow virt_qemu_ga_t create .ssh dir with correct label - Allow targetd read network sysctls - Set the abrt_handle_event boolean to on - Permit kernel_t to change the user identity in object contexts - Allow insights client map cache_home_t - Label /usr/sbin/mariadbd with mysqld_exec_t - Trim changelog so that it starts at F37 time - Define equivalency for /run/systemd/generator.early * Thu Jun 29 2023 Zdenek Pytela <zpytela@redhat.com> - 38.20-1 - Allow httpd tcp connect to redis port conditionally - Label only /usr/sbin/ripd and ripngd with zebra_exec_t - Dontaudit aide the execmem permission - Remove permissive from fdo - Allow sa-update manage spamc home files - Allow sa-update connect to systemlog services - Label /usr/lib/systemd/system/mimedefang.service with antivirus_unit_file_t - Allow nsd_crond_t write nsd_var_run_t & connectto nsd_t - Allow bootupd search EFI directory * Tue Jun 27 2023 Zdenek Pytela <zpytela@redhat.com> - 38.19-1 - Change init_audit_control default value to true - Allow nfsidmapd connect to systemd-userdbd with a unix socket - Add the qatlib module - Add the fdo module - Add the bootupd module - Set default ports for keylime policy - Create policy for qatlib - Add policy for FIDO Device Onboard - Add policy for bootupd - Add the qatlib module - Add the fdo module - Add the bootupd module * Sun Jun 25 2023 Zdenek Pytela <zpytela@redhat.com> - 38.18-1 - Add support for kafs-dns requested by keyutils - Allow insights-client execmem - Add support for chronyd-restricted - Add init_explicit_domain() interface - Allow fsadm_t to get attributes of cgroup filesystems - Add list_dir_perms to kerberos_read_keytab - Label /var/run/tmpfiles.d/static-nodes.conf with kmod_var_run_t - Allow sendmail manage its runtime files - Allow keyutils_dns_resolver_exec_t be an entrypoint - Allow collectd_t read network state symlinks - Revert "Allow collectd_t read proc_net link files" - Allow nfsd_t to list exports_t dirs - Allow cupsd dbus chat with xdm - Allow haproxy read hardware state information - Add the kafs module * Thu Jun 15 2023 Zdenek Pytela <zpytela@redhat.com> - 38.17-1 - Label /dev/userfaultfd with userfaultfd_t - Allow blueman send general signals to unprivileged user domains - Allow dkim-milter domain transition to sendmail - Label /usr/sbin/cifs.idmap with cifs_helper_exec_t - Allow cifs-helper read sssd kerberos configuration files - Allow rpm_t sys_admin capability - Allow dovecot_deliver_t create/map dovecot_spool_t dir/file - Allow collectd_t read proc_net link files - Allow insights-client getsession process permission - Allow insights-client work with pipe and socket tmp files - Allow insights-client map generic log files - Update cyrus_stream_connect() to use sockets in /run - Allow keyutils-dns-resolver read/view kernel key ring - Label /var/log/kdump.log with kdump_log_t * Fri Jun 09 2023 Zdenek Pytela <zpytela@redhat.com> - 38.16-1 - Add support for the systemd-pstore service - Allow kdumpctl_t to execmem - Update sendmail policy module for opensmtpd - Allow nagios-mail-plugin exec postfix master - Allow subscription-manager execute ip - Allow ssh client connect with a user dbus instance - Add support for ksshaskpass - Allow rhsmcertd file transition in /run also for socket files - Allow keyutils_dns_resolver_t execute keyutils_dns_resolver_exec_t - Allow plymouthd read/write X server miscellaneous devices - Allow systemd-sleep read udev pid files - Allow exim read network sysctls - Allow sendmail request load module - Allow named map its conf files - Allow squid map its cache files - Allow NetworkManager_dispatcher_dhclient_t to execute shells without a domain transition * Tue May 30 2023 Zdenek Pytela <zpytela@redhat.com> - 38.15-1 - Update policy for systemd-sleep - Remove permissive domain for rshim_t - Remove permissive domain for mptcpd_t - Allow systemd-bootchartd the sys_ptrace userns capability - Allow sysadm_t read nsfs files - Allow sysadm_t run kernel bpf programs - Update ssh_role_template for ssh-agent - Update ssh_role_template to allow read/write unallocated ttys - Add the booth module to modules.conf - Allow firewalld rw ica_tmpfs_t files * Fri May 26 2023 Zdenek Pytela <zpytela@redhat.com> - 38.14-1 - Remove permissive domain for cifs_helper_t - Update the cifs-helper policy - Replace cifsutils_helper_domtrans() with keyutils_request_domtrans_to() - Update pkcsslotd policy for sandboxing - Allow abrt_t read kernel persistent storage files - Dontaudit targetd search httpd config dirs - Allow init_t nnp domain transition to policykit_t - Allow rpcd_lsad setcap and use generic ptys - Allow samba-dcerpcd connect to systemd_machined over a unix socket - Allow wireguard to rw network sysctls - Add policy for boothd - Allow kernel to manage its own BPF objects - Label /usr/lib/systemd/system/proftpd.* & vsftpd.* with ftpd_unit_file_t * Mon May 22 2023 Zdenek Pytela <zpytela@redhat.com> - 38.13-1 - Add initial policy for cifs-helper - Label key.dns_resolver with keyutils_dns_resolver_exec_t - Allow unconfined_service_t to create .gnupg labeled as gpg_secret_t - Allow some systemd services write to cgroup files - Allow NetworkManager_dispatcher_dhclient_t to read the DHCP configuration files - Allow systemd resolved to bind to arbitrary nodes - Allow plymouthd_t bpf capability to run bpf programs - Allow cupsd to create samba_var_t files - Allow rhsmcert request the kernel to load a module - Allow virsh name_connect virt_port_t - Allow certmonger manage cluster library files - Allow plymouthd read init process state - Add chromium_sandbox_t setcap capability - Allow snmpd read raw disk data - Allow samba-rpcd work with passwords - Allow unconfined service inherit signal state from init - Allow cloud-init manage gpg admin home content - Allow cluster_t dbus chat with various services - Allow nfsidmapd work with systemd-userdbd and sssd - Allow unconfined_domain_type use IORING_OP_URING_CMD on all device nodes - Allow plymouthd map dri and framebuffer devices - Allow rpmdb_migrate execute rpmdb - Allow logrotate dbus chat with systemd-hostnamed - Allow icecast connect to kernel using a unix stream socket - Allow lldpad connect to systemd-userdbd over a unix socket - Allow journalctl open user domain ptys and ttys - Allow keepalived to manage its tmp files - Allow ftpd read network sysctls - Label /run/bgpd with zebra_var_run_t - Allow gssproxy read network sysctls - Add the cifsutils module * Tue Apr 25 2023 Zdenek Pytela <zpytela@redhat.com> - 38.12-1 - Allow telnetd read network sysctls - Allow munin system plugin read generic SSL certificates - Allow munin system plugin create and use netlink generic socket - Allow login_userdomain create user namespaces - Allow request-key to send syslog messages - Allow request-key to read/view any key - Add fs_delete_pstore_files() interface - Allow insights-client work with teamdctl - Allow insights-client read unconfined service semaphores - Allow insights-client get quotas of all filesystems - Add fs_read_pstore_files() interface - Allow generic kernel helper to read inherited kernel pipes * Fri Apr 14 2023 Zdenek Pytela <zpytela@redhat.com> - 38.11-1 - Allow dovecot-deliver write to the main process runtime fifo files - Allow dmidecode write to cloud-init tmp files - Allow chronyd send a message to cloud-init over a datagram socket - Allow cloud-init domain transition to insights-client domain - Allow mongodb read filesystem sysctls - Allow mongodb read network sysctls - Allow accounts-daemon read generic systemd unit lnk files - Allow blueman watch generic device dirs - Allow nm-dispatcher tlp plugin create tlp dirs - Allow systemd-coredump mounton /usr - Allow rabbitmq to read network sysctls * Tue Apr 04 2023 Zdenek Pytela <zpytela@redhat.com> - 38.10-1 - Allow certmonger dbus chat with the cron system domain - Allow geoclue read network sysctls - Allow geoclue watch the /etc directory - Allow logwatch_mail_t read network sysctls - Allow insights-client read all sysctls - Allow passt manage qemu pid sock files * Fri Mar 24 2023 Zdenek Pytela <zpytela@redhat.com> - 38.9-1 - Allow sssd read accountsd fifo files - Add support for the passt_t domain - Allow virtd_t and svirt_t work with passt - Add new interfaces in the virt module - Add passt interfaces defined conditionally - Allow tshark the setsched capability - Allow poweroff create connections to system dbus - Allow wg load kernel modules, search debugfs dir - Boolean: allow qemu-ga manage ssh home directory - Label smtpd with sendmail_exec_t - Label msmtp and msmtpd with sendmail_exec_t - Allow dovecot to map files in /var/spool/dovecot * Fri Mar 03 2023 Zdenek Pytela <zpytela@redhat.com> - 38.8-1 - Confine gnome-initial-setup - Allow qemu-guest-agent create and use vsock socket - Allow login_pgm setcap permission - Allow chronyc read network sysctls - Enhancement of the /usr/sbin/request-key helper policy - Fix opencryptoki file names in /dev/shm - Allow system_cronjob_t transition to rpm_script_t - Revert "Allow system_cronjob_t domtrans to rpm_script_t" - Add tunable to allow squid bind snmp port - Allow staff_t getattr init pid chr & blk files and read krb5 - Allow firewalld to rw z90crypt device - Allow httpd work with tokens in /dev/shm - Allow svirt to map svirt_image_t char files - Allow sysadm_t run initrc_t script and sysadm_r role access - Allow insights-client manage fsadm pid files * Wed Feb 08 2023 Zdenek Pytela <zpytela@redhat.com> - 38.7-1 - Allowing snapper to create snapshots of /home/ subvolume/partition - Add boolean qemu-ga to run unconfined script - Label systemd-journald feature LogNamespace - Add none file context for polyinstantiated tmp dirs - Allow certmonger read the contents of the sysfs filesystem - Add journalctl the sys_resource capability - Allow nm-dispatcher plugins read generic files in /proc - Add initial policy for the /usr/sbin/request-key helper - Additional support for rpmdb_migrate - Add the keyutils module * Mon Jan 30 2023 Zdenek Pytela <zpytela@redhat.com> - 38.6-1 - Boolean: allow qemu-ga read ssh home directory - Allow kernel_t to read/write all sockets - Allow kernel_t to UNIX-stream connect to all domains - Allow systemd-resolved send a datagram to journald - Allow kernel_t to manage and have "execute" access to all files - Fix the files_manage_all_files() interface - Allow rshim bpf cap2 and read sssd public files - Allow insights-client work with su and lpstat - Allow insights-client tcp connect to all ports - Allow nm-cloud-setup dispatcher plugin restart nm services - Allow unconfined user filetransition for sudo log files - Allow modemmanager create hardware state information files - Allow ModemManager all permissions for netlink route socket - Allow wg to send msg to kernel, write to syslog and dbus connections - Allow hostname_t to read network sysctls. - Dontaudit ftpd the execmem permission - Allow svirt request the kernel to load a module - Allow icecast rename its log files - Allow upsd to send signal to itself - Allow wireguard to create udp sockets and read net_conf - Use ' %setup -q ' instead of '%setup' - Pass -p 1 to ' %setup -q ' * Sat Jan 21 2023 Fedora Release Engineering <releng@fedoraproject.org> - 38.5-2 - Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild * Fri Jan 13 2023 Zdenek Pytela <zpytela@redhat.com> - 38.5-1 - Allow insights client work with gluster and pcp - Add insights additional capabilities - Add interfaces in domain, files, and unconfined modules - Label fwupdoffline and fwupd-detect-cet with fwupd_exec_t - Allow sudodomain use sudo.log as a logfile - Allow pdns server map its library files and bind to unreserved ports - Allow sysadm_t read/write ipmi devices - Allow prosody manage its runtime socket files - Allow kernel threads manage kernel keys - Allow systemd-userdbd the sys_resource capability - Allow systemd-journal list cgroup directories - Allow apcupsd dbus chat with systemd-logind - Allow nut_domain manage also files and sock_files in /var/run - Allow winbind-rpcd make a TCP connection to the ldap port - Label /usr/lib/rpm/rpmdb_migrate with rpmdb_exec_t - Allow tlp read generic SSL certificates - Allow systemd-resolved watch tmpfs directories - Revert "Allow systemd-resolved watch tmpfs directories" * Mon Dec 19 2022 Zdenek Pytela <zpytela@redhat.com> - 38.4-1 - Allow NetworkManager and wpa_supplicant the bpf capability - Allow systemd-rfkill the bpf capability - Allow winbind-rpcd manage samba_share_t files and dirs - Label /var/lib/httpd/md(/.*)? with httpd_sys_rw_content_t - Allow gpsd the sys_ptrace userns capability - Introduce gpsd_tmp_t for sockfiles managed by gpsd_t - Allow load_policy_t write to unallocated ttys - Allow ndc read hardware state information - Allow system mail service read inherited certmonger runtime files - Add lpr_roles to system_r roles - Revert "Allow insights-client run lpr and allow the proper role" - Allow stalld to read /sys/kernel/security/lockdown file - Allow keepalived to set resource limits - Add policy for mptcpd - Add policy for rshim - Allow admin users to create user namespaces - Allow journalctl relabel with var_log_t and syslogd_var_run_t files - Do not run restorecon /etc/NetworkManager/dispatcher.d in targeted - Trim changelog so that it starts at F35 time - Add mptcpd and rshim modules * Wed Dec 14 2022 Zdenek Pytela <zpytela@redhat.com> - 38.3-1 - Allow insights-client dbus chat with various services - Allow insights-client tcp connect to various ports - Allow insights-client run lpr and allow the proper role - Allow insights-client work with pcp and manage user config files - Allow redis get user names - Allow kernel threads to use fds from all domains - Allow systemd-modules-load load kernel modules - Allow login_userdomain watch systemd-passwd pid dirs - Allow insights-client dbus chat with abrt - Grant kernel_t certain permissions in the system class - Allow systemd-resolved watch tmpfs directories - Allow systemd-timedated watch init runtime dir - Make `bootc` be `install_exec_t` - Allow systemd-coredump create user_namespace - Allow syslog the setpcap capability - donaudit virtlogd and dnsmasq execmem * Tue Dec 06 2022 Zdenek Pytela <zpytela@redhat.com> - 38.2-1 - Don't make kernel_t an unconfined domain - Don't allow kernel_t to execute bin_t/usr_t binaries without a transition - Allow kernel_t to execute systemctl to do a poweroff/reboot - Grant basic permissions to the domain created by systemd_systemctl_domain() - Allow kernel_t to request module loading - Allow kernel_t to do compute_create - Allow kernel_t to manage perf events - Grant almost all capabilities to kernel_t - Allow kernel_t to fully manage all devices - Revert "In domain_transition_pattern there is no permission allowing caller domain to execu_no_trans on entrypoint, this patch fixing this issue" - Allow pulseaudio to write to session_dbusd tmp socket files - Allow systemd and unconfined_domain_type create user_namespace - Add the user_namespace security class - Reuse tmpfs_t also for the ramfs filesystem - Label udf tools with fsadm_exec_t - Allow networkmanager_dispatcher_plugin work with nscd - Watch_sb all file type directories. - Allow spamc read hardware state information files - Allow sysadm read ipmi devices - Allow insights client communicate with cupsd, mysqld, openvswitch, redis - Allow insights client read raw memory devices - Allow the spamd_update_t domain get generic filesystem attributes - Dontaudit systemd-gpt-generator the sys_admin capability - Allow ipsec_t only read tpm devices - Allow cups-pdf connect to the system log service - Allow postfix/smtpd read kerberos key table - Allow syslogd read network sysctls - Allow cdcc mmap dcc-client-map files - Add watch and watch_sb dosfs interface * Mon Nov 21 2022 Zdenek Pytela <zpytela@redhat.com> - 38.1-1 - Revert "Allow sysadm_t read raw memory devices" - Allow systemd-socket-proxyd get attributes of cgroup filesystems - Allow rpc.gssd read network sysctls - Allow winbind-rpcd get attributes of device and pty filesystems - Allow insights-client domain transition on semanage execution - Allow insights-client create gluster log dir with a transition - Allow insights-client manage generic locks - Allow insights-client unix_read all domain semaphores - Add domain_unix_read_all_semaphores() interface - Allow winbind-rpcd use the terminal multiplexor - Allow mrtg send mails - Allow systemd-hostnamed dbus chat with init scripts - Allow sssd dbus chat with system cronjobs - Add interface to watch all filesystems - Add watch_sb interfaces - Add watch interfaces - Allow dhcpd bpf capability to run bpf programs - Allow netutils and traceroute bpf capability to run bpf programs - Allow pkcs_slotd_t bpf capability to run bpf programs - Allow xdm bpf capability to run bpf programs - Allow pcscd bpf capability to run bpf programs - Allow lldpad bpf capability to run bpf programs - Allow keepalived bpf capability to run bpf programs - Allow ipsec bpf capability to run bpf programs - Allow fprintd bpf capability to run bpf programs - Allow systemd-socket-proxyd get filesystems attributes - Allow dirsrv_snmp_t to manage dirsrv_config_t & dirsrv_var_run_t files