Fri, 22 Nov 2024 04:09:22 UTC | login

Information for build selinux-policy-41.25-1.fc41

ID343524
Package Nameselinux-policy
Version41.25
Release1.fc41
Epoch
SummarySELinux policy configuration
DescriptionSELinux core policy package. Originally based off of reference policy, the policy has been adjusted to provide support for Fedora.
Built bydavidlt
State complete
Volume DEFAULT
StartedTue, 19 Nov 2024 10:00:29 UTC
CompletedTue, 19 Nov 2024 10:00:29 UTC
Tags
f41
RPMs
src
selinux-policy-41.25-1.fc41.src.rpm (info) (download)
noarch
selinux-policy-41.25-1.fc41.noarch.rpm (info) (download)
selinux-policy-devel-41.25-1.fc41.noarch.rpm (info) (download)
selinux-policy-doc-41.25-1.fc41.noarch.rpm (info) (download)
selinux-policy-minimum-41.25-1.fc41.noarch.rpm (info) (download)
selinux-policy-mls-41.25-1.fc41.noarch.rpm (info) (download)
selinux-policy-sandbox-41.25-1.fc41.noarch.rpm (info) (download)
selinux-policy-targeted-41.25-1.fc41.noarch.rpm (info) (download)
Changelog * Thu Nov 14 2024 Zdenek Pytela <zpytela@redhat.com> - 41.25-1 - Allow dirsrv-snmp map dirsv_tmpfs_t files - Label /usr/lib/node_modules_22/npm/bin with bin_t - Add policy for /usr/libexec/samba/samba-bgqd - Allow gnome-remote-desktop watch /etc directory - Allow rpcd read network sysctls - Allow journalctl connect to systemd-userdbd over a unix socket - Allow some confined users send to lldpad over a unix dgram socket - Allow lldpad send to unconfined_t over a unix dgram socket - Allow lldpd connect to systemd-machined over a unix socket - Confine the ktls service * Fri Oct 25 2024 Zdenek Pytela <zpytela@redhat.com> - 41.24-1 - Allow dirsrv read network sysctls - Label /run/sssd with sssd_var_run_t - Label /etc/sysctl.d and /run/sysctl.d with system_conf_t - Allow unconfined_t execute kmod in the kmod domain - Allow confined users r/w to screen unix stream socket - Label /root/.screenrc and /root/.tmux.conf with screen_home_t - Allow virtqemud read virtd_t files - Allow ping_t read network sysctls * Mon Oct 21 2024 Zdenek Pytela <zpytela@redhat.com> - 41.23-1 - Allow systemd-homework connect to init over a unix socket - Fix systemd-homed blobs directory permissions - Allow virtqemud read sgx_vepc devices - Allow lldpad create and use netlink_generic_socket * Wed Oct 16 2024 Zdenek Pytela <zpytela@redhat.com> - 41.22-1 - Allow systemd-homework write to init pid socket - Allow init create /var/cache/systemd/home - Confine the pcm service - Allow login_userdomain read thumb tmp files - Update power-profiles-daemon policy - Fix the /etc/mdevctl\.d(/.*)? regexp - Grant rhsmcertd chown capability & userdb access - Allow iio-sensor-proxy the bpf capability - Allow systemd-machined the kill user-namespace capability * Mon Oct 14 2024 Zdenek Pytela <zpytela@redhat.com> - 41.21-1 - Remove the fail2ban module sources - Remove the linuxptp module sources - Remove legacy rules for slrnpull - Remove the aiccu module sources - Remove the bcfg2 module sources - Remove the amtu module sources - Remove the rhev module sources - Remove all file context entries for /bin and /lib - Allow ptp4l the sys_admin capability - Confine power-profiles-daemon - Label /var/cache/systemd/home with systemd_homed_cache_t - Allow login_userdomain connect to systemd-homed over a unix socket - Allow boothd connect to systemd-homed over a unix socket - Allow systemd-homed get attributes of a tmpfs filesystem - Allow abrt-dump-journal-core connect to systemd-homed over a unix socket - Allow aide connect to systemd-homed over a unix socket - Label /dev/hfi1_[0-9]+ devices - Suppress semodule's stderr * Fri Oct 04 2024 Zdenek Pytela <zpytela@redhat.com> - 41.20-1 - Remove the openct module sources - Remove the timidity module sources - Enable the slrn module - Remove i18n_input module sources - Enable the distcc module - Remove the ddcprobe module sources - Remove the timedatex module sources - Remove the djbdns module sources - Confine iio-sensor-proxy - Allow staff user nlmsg_write - Update policy for xdm with confined users - Allow virtnodedev watch mdevctl config dirs - Allow ssh watch home config dirs - Allow ssh map home configs files - Allow ssh read network sysctls - Allow chronyc sendto to chronyd-restricted - Allow cups sys_ptrace capability in the user namespace * Wed Sep 25 2024 Zdenek Pytela <zpytela@redhat.com> - 41.19-1 - Add policy for systemd-homed - Remove fc entry for /usr/bin/pump - Label /usr/bin/noping and /usr/bin/oping with ping_exec_t - Allow accountsd read gnome-initial-setup tmp files - Allow xdm write to gnome-initial-setup fifo files - Allow rngd read and write generic usb devices - Allow qatlib search the content of the kernel debugging filesystem - Allow qatlib connect to systemd-machined over a unix socket * Wed Sep 18 2024 Petr Lautrbach <lautrbach@redhat.com> - 41.18-1 - Drop ru man pages - mls/modules.conf - fix typo - Allow unprivileged user watch /run/systemd - Allow boothd connect to kernel over a unix socket * Mon Sep 16 2024 Zdenek Pytela <zpytela@redhat.com> - 41.17-2 - Relabel /etc/mdevctl.d * Thu Sep 12 2024 Petr Lautrbach <lautrbach@redhat.com> - 41.17-1 - Clean up and sync securetty_types - Bring config files from dist-git into the source repo - Confine gnome-remote-desktop - Allow virtstoraged execute mount programs in the mount domain - Make mdevctl_conf_t member of the file_type attribute * Tue Sep 10 2024 Zdenek Pytela <zpytela@redhat.com> - 41.16-2 - Rebuild * Tue Sep 10 2024 Zdenek Pytela <zpytela@redhat.com> - 41.16-1 - Label /etc/mdevctl.d with mdevctl_conf_t - Sync users with Fedora targeted users - Update policy for rpc-virtstorage - Allow virtstoraged get attributes of configfs dirs - Fix SELinux policy for sandbox X server to fix 'sandbox -X' command - Update bootupd policy when ESP is not mounted - Allow thumb_t map dri devices - Allow samba use the io_uring API - Allow the sysadm user use the secretmem API - Allow nut-upsmon read systemd-logind session files - Allow sysadm_t to create PF_KEY sockets - Update bootupd policy for the removing-state-file test - Allow coreos-installer-generator manage mdadm_conf_t files * Thu Aug 29 2024 Zdenek Pytela <zpytela@redhat.com> - 41.15-1 - Allow setsebool_t relabel selinux data files - Allow virtqemud relabelfrom virtqemud_var_run_t dirs - Use better escape method for "interface" - Allow init and systemd-logind to inherit fds from sshd - Allow systemd-ssh-generator read sysctl files - Sync modules.conf with Fedora targeted modules - Allow virtqemud relabel user tmp files and socket files - Add missing sys_chroot capability to groupadd policy - Label /run/libvirt/qemu/channel with virtqemud_var_run_t - Allow virtqemud relabelfrom also for file and sock_file - Add virt_create_log() and virt_write_log() interfaces - Call binaries without full path * Mon Aug 12 2024 Zdenek Pytela <zpytela@redhat.com> - 41.14-1 - Update libvirt policy - Add port 80/udp and 443/udp to http_port_t definition - Additional updates stalld policy for bpf usage - Label systemd-pcrextend and systemd-pcrlock properly - Allow coreos_installer_t work with partitions - Revert "Allow coreos-installer-generator work with partitions" - Add policy for systemd-pcrextend - Update policy for systemd-getty-generator - Allow ip command write to ipsec's logs - Allow virt_driver_domain read virtd-lxc files in /proc - Revert "Allow svirt read virtqemud fifo files" - Update virtqemud policy for libguestfs usage - Allow virtproxyd create and use its private tmp files - Allow virtproxyd read network state - Allow virt_driver_domain create and use log files in /var/log - Allow samba-dcerpcd work with ctdb cluster * Tue Aug 06 2024 Zdenek Pytela <zpytela@redhat.com> - 41.13-1 - Allow NetworkManager_dispatcher_t send SIGKILL to plugins - Allow setroubleshootd execute sendmail with a domain transition - Allow key.dns_resolve set attributes on the kernel key ring - Update qatlib policy for v24.02 with new features - Label /var/lib/systemd/sleep with systemd_sleep_var_lib_t - Allow tlp status power services - Allow virtqemud domain transition on passt execution - Allow virt_driver_domain connect to systemd-userdbd over a unix socket - Allow boothd connect to systemd-userdbd over a unix socket - Update policy for awstats scripts - Allow bitlbee execute generic programs in system bin directories - Allow login_userdomain read aliases file - Allow login_userdomain read ipsec config files - Allow login_userdomain read all pid files - Allow rsyslog read systemd-logind session files - Allow libvirt-dbus stream connect to virtlxcd * Wed Jul 31 2024 Zdenek Pytela <zpytela@redhat.com> - 41.12-1 - Update bootupd policy - Allow rhsmcertd read/write access to /dev/papr-sysparm - Label /dev/papr-sysparm and /dev/papr-vpd - Allow abrt-dump-journal-core connect to winbindd - Allow systemd-hostnamed shut down nscd - Allow systemd-pstore send a message to syslogd over a unix domain - Allow postfix_domain map postfix_etc_t files - Allow microcode create /sys/devices/system/cpu/microcode/reload - Allow rhsmcertd read, write, and map ica tmpfs files - Support SGX devices - Allow initrc_t transition to passwd_t - Update fstab and cryptsetup generators policy - Allow xdm_t read and write the dma device - Update stalld policy for bpf usage - Allow systemd_gpt_generator to getattr on DOS directories * Thu Jul 25 2024 Zdenek Pytela <zpytela@redhat.com> - 41.11-1 - Make cgroup_memory_pressure_t a part of the file_type attribute - Allow ssh_t to change role to system_r - Update policy for coreos generators - Allow init_t nnp domain transition to firewalld_t - Label /run/modprobe.d with modules_conf_t - Allow virtnodedevd run udev with a domain transition - Allow virtnodedev_t create and use virtnodedev_lock_t - Allow virtstoraged manage files with virt_content_t type - Allow virtqemud unmount a filesystem with extended attributes - Allow svirt_t connect to unconfined_t over a unix domain socket * Mon Jul 22 2024 Zdenek Pytela <zpytela@redhat.com> - 41.10-1 - Update afterburn file transition policy - Allow systemd_generator read attributes of all filesystems - Allow fstab-generator read and write cryptsetup-generator unit file - Allow cryptsetup-generator read and write fstab-generator unit file - Allow systemd_generator map files in /etc - Allow systemd_generator read init's process state - Allow coreos-installer-generator read sssd public files - Allow coreos-installer-generator work with partitions - Label /etc/mdadm.conf.d with mdadm_conf_t - Confine coreos generators - Label /run/metadata with afterburn_runtime_t - Allow afterburn list ssh home directory - Label samba certificates with samba_cert_t - Label /run/coreos-installer-reboot with coreos_installer_var_run_t - Allow virtqemud read virt-dbus process state - Allow staff user dbus chat with virt-dbus - Allow staff use watch /run/systemd - Allow systemd_generator to write kmsg * Sat Jul 20 2024 Fedora Release Engineering <releng@fedoraproject.org> - 41.9-2 - Rebuilt for https://fedoraproject.org/wiki/Fedora_41_Mass_Rebuild * Tue Jul 16 2024 Zdenek Pytela <zpytela@redhat.com> - 41.9-1 - Allow virtqemud connect to sanlock over a unix stream socket - Allow virtqemud relabel virt_var_run_t directories - Allow svirt_tcg_t read vm sysctls - Allow virtnodedevd connect to systemd-userdbd over a unix socket - Allow svirt read virtqemud fifo files - Allow svirt attach_queue to a virtqemud tun_socket - Allow virtqemud run ssh client with a transition - Allow virt_dbus_t connect to virtqemud_t over a unix stream socket - Update keyutils policy - Allow sshd_keygen_t connect to userdbd over a unix stream socket - Allow postfix-smtpd read mysql config files - Allow locate stream connect to systemd-userdbd - Allow the staff user use wireshark - Allow updatedb connect to userdbd over a unix stream socket - Allow gpg_t set attributes of public-keys.d - Allow gpg_t get attributes of login_userdomain stream - Allow systemd_getty_generator_t read /proc/1/environ - Allow systemd_getty_generator_t to read and write to tty_device_t * Thu Jul 11 2024 Petr Lautrbach <lautrbach@redhat.com> 41.8-4 - Move %postInstall to %posttrans - Use `Requires(meta): (rpm-plugin-selinux if rpm-libs)` - Drop obsolete modules from config - Install dnf protected files only when policy is built * Thu Jul 11 2024 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 41.8-3 - Relabel files under /usr/bin to fix stale context after sbin merge * Wed Jul 10 2024 Petr Lautrbach <lautrbach@redhat.com> 41.8-2 - Merge -base and -contrib * Wed Jul 10 2024 Zdenek Pytela <zpytela@redhat.com> - 41.8-1 - Drop publicfile module - Remove permissive domain for systemd_nsresourced_t - Change fs_dontaudit_write_cgroup_files() to apply to cgroup_t - Label /usr/bin/samba-gpupdate with samba_gpupdate_exec_t - Allow to create and delete socket files created by rhsm.service - Allow virtnetworkd exec shell when virt_hooks_unconfined is on - Allow unconfined_service_t transition to passwd_t - Support /var is empty - Allow abrt-dump-journal read all non_security socket files - Allow timemaster write to sysfs files - Dontaudit domain write cgroup files - Label /usr/lib/node_modules/npm/bin with bin_t - Allow ip the setexec permission - Allow systemd-networkd write files in /var/lib/systemd/network - Fix typo in systemd_nsresourced_prog_run_bpf() * Fri Jun 28 2024 Zdenek Pytela <zpytela@redhat.com> - 41.7-1 - Confine libvirt-dbus - Allow virtqemud the kill capability in user namespace - Allow rshim get options of the netlink class for KOBJECT_UEVENT family - Allow dhcpcd the kill capability - Allow systemd-networkd list /var/lib/systemd/network - Allow sysadm_t run systemd-nsresourced bpf programs - Update policy for systemd generators interactions - Allow create memory.pressure files with cgroup_memory_pressure_t - Add support for libvirt hooks * Wed Jun 19 2024 Zdenek Pytela <zpytela@redhat.com> - 41.6-1 - Allow certmonger read and write tpm devices - Allow all domains to connect to systemd-nsresourced over a unix socket - Allow systemd-machined read the vsock device - Update policy for systemd generators - Allow ptp4l_t request that the kernel load a kernel module - Allow sbd to trace processes in user namespace - Allow request-key execute scripts - Update policy for haproxyd * Tue Jun 18 2024 Zdenek Pytela <zpytela@redhat.com> - 41.5-1 - Update policy for systemd-nsresourced - Correct sbin-related file context entries * Mon Jun 17 2024 Zdenek Pytela <zpytela@redhat.com> - 41.4-1 - Allow login_userdomain execute systemd-tmpfiles in the caller domain - Allow virt_driver_domain read files labeled unconfined_t - Allow virt_driver_domain dbus chat with policykit - Allow virtqemud manage nfs files when virt_use_nfs boolean is on - Add rules for interactions between generators - Label memory.pressure files with cgroup_memory_pressure_t - Revert "Allow some systemd services write to cgroup files" - Update policy for systemd-nsresourced - Label /usr/bin/ntfsck with fsadm_exec_t - Allow systemd_fstab_generator_t read tmpfs files - Update policy for systemd-nsresourced - Alias /usr/sbin to /usr/bin and change all /usr/sbin paths to /usr/bin - Remove a few lines duplicated between {dkim,milter}.fc - Alias /bin → /usr/bin and remove redundant paths - Drop duplicate line for /usr/sbin/unix_chkpwd - Drop duplicate paths for /usr/sbin * Tue Jun 11 2024 Zdenek Pytela <zpytela@redhat.com> - 41.3-1 - Update systemd-generator policy - Remove permissive domain for bootupd_t - Remove permissive domain for coreos_installer_t - Remove permissive domain for afterburn_t - Add the sap module to modules.conf - Move unconfined_domain(sap_unconfined_t) to an optional block - Create the sap module - Allow systemd-coredumpd sys_admin and sys_resource capabilities - Allow systemd-coredump read nsfs files - Allow generators auto file transition only for plain files - Allow systemd-hwdb write to the kernel messages device - Escape "interface" as a file name in a virt filetrans pattern - Allow gnome-software work for login_userdomain - Allow systemd-machined manage runtime sockets - Revert "Allow systemd-machined manage runtime sockets" * Fri Jun 07 2024 Zdenek Pytela <zpytela@redhat.com> - 41.2-1 - Allow postfix_domain connect to postgresql over a unix socket - Dontaudit systemd-coredump sys_admin capability - Allow all domains read and write z90crypt device - Allow tpm2 generator setfscreate - Allow systemd (PID 1) manage systemd conf files - Allow pulseaudio map its runtime files - Update policy for getty-generator - Allow systemd-hwdb send messages to kernel unix datagram sockets - Allow systemd-machined manage runtime sockets * Mon Jun 03 2024 Zdenek Pytela <zpytela@redhat.com> - 41.1-1 - Allow fstab-generator create unit file symlinks - Update policy for cryptsetup-generator - Update policy for fstab-generator - Allow virtqemud read vm sysctls - Allow collectd to trace processes in user namespace - Allow bootupd search efivarfs dirs - Add policy for systemd-mountfsd - Add policy for systemd-nsresourced - Update policy generators - Add policy for anaconda-generator - Update policy for fstab and gpt generators - Add policy for kdump-dep-generator * Thu May 30 2024 Zdenek Pytela <zpytela@redhat.com> - 40.21-1 - Add policy for a generic generator - Add policy for tpm2 generator - Add policy for ssh-generator - Add policy for second batch of generators - Update policy for systemd generators - ci: Adjust Cockpit test plans * Sun May 19 2024 Zdenek Pytela <zpytela@redhat.com> - 40.20-1 - Allow journald read systemd config files and directories - Allow systemd_domain read systemd_conf_t dirs - Fix bad Python regexp escapes - Allow fido services connect to postgres database * Fri May 17 2024 Zdenek Pytela <zpytela@redhat.com> - 40.19-1 - Allow postfix smtpd map aliases file - Ensure dbus communication is allowed bidirectionally - Label systemd configuration files with systemd_conf_t - Label /run/systemd/machine with systemd_machined_var_run_t - Allow systemd-hostnamed read the vsock device - Allow sysadm execute dmidecode using sudo - Allow sudodomain list files in /var - Allow setroubleshootd get attributes of all sysctls - Allow various services read and write z90crypt device - Allow nfsidmap connect to systemd-homed - Allow sandbox_x_client_t dbus chat with accountsd - Allow system_cronjob_t dbus chat with avahi_t - Allow staff_t the io_uring sqpoll permission - Allow staff_t use the io_uring API - Add support for secretmem anon inode * Thu May 16 2024 Adam Williamson <awilliam@redhat.com> - 40.18-3 - Correct some errors in the RPM macro changes from -2 * Mon May 06 2024 Zdenek Pytela <zpytela@redhat.com> - 40.18-2 - Update rpm configuration for the /var/run equivalency change * Mon May 06 2024 Zdenek Pytela <zpytela@redhat.com> - 40.18-1 - Allow virtqemud read vfio devices - Allow virtqemud get attributes of a tmpfs filesystem - Allow svirt_t read vm sysctls - Allow virtqemud create and unlink files in /etc/libvirt/ - Allow virtqemud get attributes of cifs files - Allow virtqemud get attributes of filesystems with extended attributes - Allow virtqemud get attributes of NFS filesystems - Allow virt_domain read and write usb devices conditionally - Allow virtstoraged use the io_uring API - Allow virtstoraged execute lvm programs in the lvm domain - Allow virtnodevd_t map /var/lib files - Allow svirt_tcg_t map svirt_image_t files - Allow abrt-dump-journal-core connect to systemd-homed - Allow abrt-dump-journal-core connect to systemd-machined - Allow sssd create and use io_uring - Allow selinux-relabel-generator create units dir - Allow dbus-broker read/write inherited user ttys * Thu Apr 25 2024 Zdenek Pytela <zpytela@redhat.com> - 40.17-1 - Define transitions for /run/libvirt/common and /run/libvirt/qemu - Allow systemd-sleep read raw disk data - Allow numad to trace processes in user namespace - Allow abrt-dump-journal-core connect to systemd-userdbd - Allow plymouthd read efivarfs files - Update the auth_dontaudit_read_passwd_file() interface - Label /dev/mmcblk0rpmb character device with removable_device_t - fix hibernate on btrfs swapfile (F40) - Allow nut to statfs() - Allow system dbusd service status systemd services - Allow systemd-timedated get the timemaster service status * Tue Apr 09 2024 Zdenek Pytela <zpytela@redhat.com> - 40.16-1 - Allow keyutils-dns-resolver connect to the system log service - Allow qemu-ga read vm sysctls - postfix: allow qmgr to delete mails in bounce/ directory - policy: support pidfs - Confine selinux-autorelabel-generator.sh - Allow logwatch_mail_t read/write to init over a unix stream socket - Allow logwatch read logind sessions files - files_dontaudit_getattr_tmpfs_files allowed the access and didn't dontaudit it - files_dontaudit_mounton_modules_object allowed the access and didn't dontaudit it - Allow NetworkManager the sys_ptrace capability in user namespace - dontaudit execmem for modemmanager - Allow dhcpcd use unix_stream_socket - Allow dhcpc read /run/netns files * Fri Mar 15 2024 Zdenek Pytela <zpytela@redhat.com> - 40.15-1 - Update mmap_rw_file_perms to include the lock permission - Allow plymouthd log during shutdown - Add logging_watch_all_log_dirs() and logging_watch_all_log_files() - Allow journalctl_t read filesystem sysctls - Allow cgred_t to get attributes of cgroup filesystems - Allow wdmd read hardware state information - Allow wdmd list the contents of the sysfs directories - Allow linuxptp configure phc2sys and chronyd over a unix domain socket - Allow sulogin relabel tty1 - Dontaudit sulogin the checkpoint_restore capability - Modify sudo_role_template() to allow getpgid - Remove incorrect "local" usage in varrun-convert.sh * Thu Mar 07 2024 Zdenek Pytela <zpytela@redhat.com> - 40.14-2 - Update varrun-convert.sh script to check for existing duplicate entries * Mon Feb 26 2024 Zdenek Pytela <zpytela@redhat.com> - 40.14-1 - Allow userdomain get attributes of files on an nsfs filesystem - Allow opafm create NFS files and directories - Allow virtqemud create and unlink files in /etc/libvirt/ - Allow virtqemud domain transition on swtpm execution - Add the swtpm.if interface file for interactions with other domains - Allow samba to have dac_override capability - systemd: allow sys_admin capability for systemd_notify_t - systemd: allow systemd_notify_t to send data to kernel_t datagram sockets - Allow thumb_t to watch and watch_reads mount_var_run_t - Allow krb5kdc_t map krb5kdc_principal_t files - Allow unprivileged confined user dbus chat with setroubleshoot - Allow login_userdomain map files in /var - Allow wireguard work with firewall-cmd - Differentiate between staff and sysadm when executing crontab with sudo - Add crontab_admin_domtrans interface - Allow abrt_t nnp domain transition to abrt_handle_event_t - Allow xdm_t to watch and watch_reads mount_var_run_t - Dontaudit subscription manager setfscreate and read file contexts - Don't audit crontab_domain write attempts to user home - Transition from sudodomains to crontab_t when executing crontab_exec_t - Add crontab_domtrans interface - Fix label of pseudoterminals created from sudodomain - Allow utempter_t use ptmx - Dontaudit rpmdb attempts to connect to sssd over a unix stream socket - Allow admin user read/write on fixed_disk_device_t * Mon Feb 12 2024 Zdenek Pytela <zpytela@redhat.com> - 40.13-1 - Only allow confined user domains to login locally without unconfined_login - Add userdom_spec_domtrans_confined_admin_users interface - Only allow admindomain to execute shell via ssh with ssh_sysadm_login - Add userdom_spec_domtrans_admin_users interface - Move ssh dyntrans to unconfined inside unconfined_login tunable policy - Update ssh_role_template() for user ssh-agent type - Allow init to inherit system DBus file descriptors - Allow init to inherit fds from syslogd - Allow any domain to inherit fds from rpm-ostree - Update afterburn policy - Allow init_t nnp domain transition to abrtd_t * Tue Feb 06 2024 Zdenek Pytela <zpytela@redhat.com> - 40.12-1 - Rename all /var/lock file context entries to /run/lock - Rename all /var/run file context entries to /run - Invert the "/var/run = /run" equivalency * Mon Feb 05 2024 Zdenek Pytela <zpytela@redhat.com> - 40.11-1 - Replace init domtrans rule for confined users to allow exec init - Update dbus_role_template() to allow user service status - Allow polkit status all systemd services - Allow setroubleshootd create and use inherited io_uring - Allow load_policy read and write generic ptys - Allow gpg manage rpm cache - Allow login_userdomain name_bind to howl and xmsg udp ports - Allow rules for confined users logged in plasma - Label /dev/iommu with iommu_device_t - Remove duplicate file context entries in /run - Dontaudit getty and plymouth the checkpoint_restore capability - Allow su domains write login records - Revert "Allow su domains write login records" - Allow login_userdomain delete session dbusd tmp socket files - Allow unix dgram sendto between exim processes - Allow su domains write login records - Allow smbd_t to watch user_home_dir_t if samba_enable_home_dirs is on * Wed Jan 24 2024 Zdenek Pytela <zpytela@redhat.com> - 40.10-1 - Allow chronyd-restricted read chronyd key files - Allow conntrackd_t to use bpf capability2 - Allow systemd-networkd manage its runtime socket files - Allow init_t nnp domain transition to colord_t - Allow polkit status systemd services - nova: Fix duplicate declarations - Allow httpd work with PrivateTmp - Add interfaces for watching and reading ifconfig_var_run_t - Allow collectd read raw fixed disk device - Allow collectd read udev pid files - Set correct label on /etc/pki/pki-tomcat/kra - Allow systemd domains watch system dbus pid socket files - Allow certmonger read network sysctls - Allow mdadm list stratisd data directories - Allow syslog to run unconfined scripts conditionally - Allow syslogd_t nnp_transition to syslogd_unconfined_script_t - Allow qatlib set attributes of vfio device files * Tue Jan 09 2024 Zdenek Pytela <zpytela@redhat.com> - 40.9-1 - Allow systemd-sleep set attributes of efivarfs files - Allow samba-dcerpcd read public files - Allow spamd_update_t the sys_ptrace capability in user namespace - Allow bluetooth devices work with alsa - Allow alsa get attributes filesystems with extended attributes * Tue Jan 02 2024 Yaakov Selkowitz <yselkowi@redhat.com> - 40.8-2 - Limit %selinux_requires to version, not release * Thu Dec 21 2023 Zdenek Pytela <zpytela@redhat.com> - 40.8-1 - Allow hypervkvp_t write access to NetworkManager_etc_rw_t - Add interface for write-only access to NetworkManager rw conf - Allow systemd-sleep send a message to syslog over a unix dgram socket - Allow init create and use netlink netfilter socket - Allow qatlib load kernel modules - Allow qatlib run lspci - Allow qatlib manage its private runtime socket files - Allow qatlib read/write vfio devices - Label /etc/redis.conf with redis_conf_t - Remove the lockdown-class rules from the policy - Allow init read all non-security socket files - Replace redundant dnsmasq pattern macros - Remove unneeded symlink perms in dnsmasq.if - Add additions to dnsmasq interface - Allow nvme_stas_t create and use netlink kobject uevent socket - Allow collectd connect to statsd port - Allow keepalived_t to use sys_ptrace of cap_userns - Allow dovecot_auth_t connect to postgresql using UNIX socket * Wed Dec 13 2023 Zdenek Pytela <zpytela@redhat.com> - 40.7-1 - Make named_zone_t and named_var_run_t a part of the mountpoint attribute - Allow sysadm execute traceroute in sysadm_t domain using sudo - Allow sysadm execute tcpdump in sysadm_t domain using sudo - Allow opafm search nfs directories - Add support for syslogd unconfined scripts - Allow gpsd use /dev/gnss devices - Allow gpg read rpm cache - Allow virtqemud additional permissions - Allow virtqemud manage its private lock files - Allow virtqemud use the io_uring api - Allow ddclient send e-mail notifications - Allow postfix_master_t map postfix data files - Allow init create and use vsock sockets - Allow thumb_t append to init unix domain stream sockets - Label /dev/vas with vas_device_t - Change domain_kernel_load_modules boolean to true - Create interface selinux_watch_config and add it to SELinux users * Tue Nov 28 2023 Zdenek Pytela <zpytela@redhat.com> - 40.6-1 - Add afterburn to modules-targeted-contrib.conf - Update cifs interfaces to include fs_search_auto_mountpoints() - Allow sudodomain read var auth files - Allow spamd_update_t read hardware state information - Allow virtnetworkd domain transition on tc command execution - Allow sendmail MTA connect to sendmail LDA - Allow auditd read all domains process state - Allow rsync read network sysctls - Add dhcpcd bpf capability to run bpf programs - Dontaudit systemd-hwdb dac_override capability - Allow systemd-sleep create efivarfs files * Tue Nov 14 2023 Zdenek Pytela <zpytela@redhat.com> - 40.5-1 - Allow map xserver_tmpfs_t files when xserver_clients_write_xshm is on - Allow graphical applications work in Wayland - Allow kdump work with PrivateTmp - Allow dovecot-auth work with PrivateTmp - Allow nfsd get attributes of all filesystems - Allow unconfined_domain_type use io_uring cmd on domain - ci: Only run Rawhide revdeps tests on the rawhide branch - Label /var/run/auditd.state as auditd_var_run_t - Allow fido-device-onboard (FDO) read the crack database - Allow ip an explicit domain transition to other domains - Label /usr/libexec/selinux/selinux-autorelabel with semanage_exec_t - Allow winbind_rpcd_t processes access when samba_export_all_* is on - Enable NetworkManager and dhclient to use initramfs-configured DHCP connection - Allow ntp to bind and connect to ntske port. - Allow system_mail_t manage exim spool files and dirs - Dontaudit keepalived setattr on keepalived_unconfined_script_exec_t - Label /run/pcsd.socket with cluster_var_run_t - ci: Run cockpit tests in PRs * Thu Oct 19 2023 Zdenek Pytela <zpytela@redhat.com> - 40.4-1 - Add map_read map_write to kernel_prog_run_bpf - Allow systemd-fstab-generator read all symlinks - Allow systemd-fstab-generator the dac_override capability - Allow rpcbind read network sysctls - Support using systemd containers - Allow sysadm_t to connect to iscsid using a unix domain stream socket - Add policy for coreos installer - Add coreos_installer to modules-targeted-contrib.conf * Tue Oct 17 2023 Zdenek Pytela <zpytela@redhat.com> - 40.3-1 - Add policy for nvme-stas - Confine systemd fstab,sysv,rc-local - Label /etc/aliases.lmdb with etc_aliases_t - Create policy for afterburn - Add nvme_stas to modules-targeted-contrib.conf - Add plans/tests.fmf * Tue Oct 10 2023 Zdenek Pytela <zpytela@redhat.com> - 40.2-1 - Add the virt_supplementary module to modules-targeted-contrib.conf - Make new virt drivers permissive - Split virt policy, introduce virt_supplementary module - Allow apcupsd cgi scripts read /sys - Merge pull request #1893 from WOnder93/more-early-boot-overlay-fixes - Allow kernel_t to manage and relabel all files - Add missing optional_policy() to files_relabel_all_files() * Tue Oct 03 2023 Zdenek Pytela <zpytela@redhat.com> - 40.1-1 - Allow named and ndc use the io_uring api - Deprecate common_anon_inode_perms usage - Improve default file context(None) of /var/lib/authselect/backups - Allow udev_t to search all directories with a filesystem type - Implement proper anon_inode support - Allow targetd write to the syslog pid sock_file - Add ipa_pki_retrieve_key_exec() interface - Allow kdumpctl_t to list all directories with a filesystem type - Allow udev additional permissions - Allow udev load kernel module - Allow sysadm_t to mmap modules_object_t files - Add the unconfined_read_files() and unconfined_list_dirs() interfaces - Set default file context of HOME_DIR/tmp/.* to <<none>> - Allow kernel_generic_helper_t to execute mount(1)