selinux-policy-35.8-1.fc36 | Build Info

Information for build selinux-policy-35.8-1.fc36

1870000

Package Name

selinux-policy

Version

35.8

Release

1.fc36

Epoch

Source

git+https://src.fedoraproject.org/rpms/selinux-policy.git#d0828ed3ca44c4b665f805b73a40950ba507020b

Summary

SELinux policy configuration

Description

SELinux core policy package. Originally based off of reference policy, the policy has been adjusted to provide support for Fedora.

Built by

zpytela

State

complete

Volume

prod

Started

Thu, 23 Dec 2021 21:23:43 UTC

Completed

Thu, 23 Dec 2021 21:33:41 UTC

Task

build (rawhide, /rpms/selinux-policy.git:d0828ed3ca44c4b665f805b73a40950ba507020b)

Extra

{'source': {'original_url': 'git+https://src.fedoraproject.org/rpms/selinux-policy.git#d0828ed3ca44c4b665f805b73a40950ba507020b'}}

Tags

No tags

RPMs

src
	selinux-policy-35.8-1.fc36.src.rpm (info) (download)
noarch
	selinux-policy-35.8-1.fc36.noarch.rpm (info) (download)
	selinux-policy-devel-35.8-1.fc36.noarch.rpm (info) (download)
	selinux-policy-doc-35.8-1.fc36.noarch.rpm (info) (download)
	selinux-policy-minimum-35.8-1.fc36.noarch.rpm (info) (download)
	selinux-policy-mls-35.8-1.fc36.noarch.rpm (info) (download)
	selinux-policy-sandbox-35.8-1.fc36.noarch.rpm (info) (download)
	selinux-policy-targeted-35.8-1.fc36.noarch.rpm (info) (download)

Logs

noarch
	hw_info.log
	state.log
	build.log
	root.log
	mock_output.log
	noarch_rpmdiff.json

Changelog

* Thu Dec 23 2021 Zdenek Pytela <zpytela@redhat.com> - 35.8-1 - Allow haproxy get attributes of filesystems with extended attributes - Allow haproxy get attributes of cgroup filesystems - Allow sysadm execute sysadmctl in sysadm_t domain using sudo - Allow userdomains use pam_ssh_agent_auth for passwordless sudo - Allow sudodomains execute passwd in the passwd domain - Allow braille printing in selinux - Allow sandbox_xserver_t map sandbox_file_t - Label /dev/ngXnY and /dev/nvme-subsysX with fixed_disk_device_t - Add hwtracing_device_t type for hardware-level tracing and debugging - Label port 9528/tcp with openqa_liveview - Label /var/lib/shorewall6-lite with shorewall_var_lib_t - Document Security Flask model in the policy * Fri Dec 10 2021 Zdenek Pytela <zpytela@redhat.com> - 35.7-1 - Allow systemd read unlabeled symbolic links - Label abrt-action-generate-backtrace with abrt_handle_event_exec_t - Allow dnsmasq watch /etc/dnsmasq.d directories - Allow rhsmcertd get attributes of tmpfs_t filesystems - Allow lldpd use an snmp subagent over a tcp socket - Allow xdm watch generic directories in /var/lib - Allow login_userdomain open/read/map system journal - Allow sysadm_t connect to cluster domains over a unix stream socket - Allow sysadm_t read/write pkcs shared memory segments - Allow sysadm_t connect to sanlock over a unix stream socket - Allow sysadm_t dbus chat with sssd - Allow sysadm_t set attributes on character device nodes - Allow sysadm_t read and write watchdog devices - Allow smbcontrol use additional socket types - Allow cloud-init dbus chat with systemd-logind - Allow svnserve send mail from the system - Update userdom_exec_user_tmp_files() with an entrypoint rule - Allow sudodomain send a null signal to sshd processes * Fri Nov 19 2021 Zdenek Pytela <zpytela@redhat.com> - 35.6-1 - Allow PID 1 and dbus-broker IPC with a systemd user session - Allow rpmdb read generic SSL certificates - Allow rpmdb read admin home config files - Report warning on duplicate definition of interface - Allow redis get attributes of filesystems with extended attributes - Allow sysadm_t dbus chat with realmd_t - Make cupsd_lpd_t a daemon - Allow tlp dbus-chat with NetworkManager - filesystem: add fs_use_trans for ramfs - Allow systemd-logind destroy unconfined user's IPC objects * Thu Nov 04 2021 Zdenek Pytela <zpytela@redhat.com> - 35.5-1 - Support sanlock VG automated recovery on storage access loss 2/2 - Support sanlock VG automated recovery on storage access loss 1/2 - Revert "Support sanlock VG automated recovery on storage access loss" - Allow tlp get service units status - Allow fedora-third-party manage 3rd party repos - Allow xdm_t nnp_transition to login_userdomain - Add the auth_read_passwd_file() interface - Allow redis-sentinel execute a notification script - Allow fetchmail search cgroup directories - Allow lvm_t to read/write devicekit disk semaphores - Allow devicekit_disk_t to use /dev/mapper/control - Allow devicekit_disk_t to get IPC info from the kernel - Allow devicekit_disk_t to read systemd-logind pid files - Allow devicekit_disk_t to mount filesystems on mnt_t directories - Allow devicekit_disk_t to manage mount_var_run_t files - Allow rasdaemon sys_admin capability to verify the CAP_SYS_ADMIN of the soft_offline_page function implemented in the kernel - Use $releasever in koji repo to reduce rawhide hardcoding - authlogin: add fcontext for tcb - Add erofs as a SELinux capable file system - Allow systemd execute user bin files - Support sanlock VG automated recovery on storage access loss - Support new PING_CHECK health checker in keepalived * Wed Oct 20 2021 Zdenek Pytela <zpytela@redhat.com> - 35.4-1 - Allow fedora-third-party map generic cache files - Add gnome_map_generic_cache_files() interface - Add files_manage_var_lib_dirs() interface - Allow fedora-third party manage gpg keys - Allow fedora-third-party run "flatpak remote-add --from flathub" * Tue Oct 19 2021 Zdenek Pytela <zpytela@redhat.com> - 35.3-1 - Allow fedora-third-party run flatpak post-install actions - Allow fedora-third-party set_setsched and sys_nice * Mon Oct 18 2021 Zdenek Pytela <zpytela@redhat.com> - 35.2-1 - Allow fedora-third-party execute "flatpak remote-add" - Add files_manage_var_lib_files() interface - Add write permisson to userfaultfd_anon_inode_perms - Allow proper function sosreport via iotop - Allow proper function sosreport in sysadmin role - Allow fedora-third-party to connect to the system log service - Allow fedora-third-party dbus chat with policykit - Allow chrony-wait service start with DynamicUser=yes - Allow management of lnk_files if similar access to regular files - Allow unconfined_t transition to mozilla_plugin_t with NoNewPrivileges - Allow systemd-resolved watch /run/systemd - Allow fedora-third-party create and use unix_dgram_socket - Removing pkcs_tmpfs_filetrans interface and edit pkcs policy files - Allow login_userdomain named filetrans to pkcs_slotd_tmpfs_t domain * Thu Oct 07 2021 Zdenek Pytela <zpytela@redhat.com> - 35.1-1 - Add fedoratp module - Allow xdm_t domain transition to fedoratp_t - Allow ModemManager create and use netlink route socket - Add default file context for /run/gssproxy.default.sock - Allow xdm_t watch fonts directories - Allow xdm_t watch generic directories in /lib - Allow xdm_t watch generic pid directories * Thu Sep 23 2021 Zdenek Pytela <zpytela@redhat.com> - 34.21-1 - Add bluetooth-related permissions into a tunable block - Allow gnome at-spi processes create and use stream sockets - Allow usbmuxd get attributes of tmpfs_t filesystems - Allow fprintd install a sleep delay inhibitor - Allow collectd get attributes of infiniband devices - Allow collectd create and user netlink rdma socket - Allow collectd map packet_socket - Allow snort create and use blootooth socket - Allow systemd watch and watch_reads console devices - Allow snort create and use generic netlink socket - Allow NetworkManager dbus chat with fwupd - Allow unconfined domains read/write domain perf_events - Allow scripts to enter LUKS password - Update mount_manage_pid_files() to use manage_files_pattern - Support hitless reloads feature in haproxy - Allow haproxy list the sysfs directories content - Allow gnome at-spi processes get attributes of tmpfs filesystems - Allow unbound connectto unix_stream_socket - Allow rhsmcertd_t dbus chat with anaconda install_t * Thu Sep 16 2021 Zdenek Pytela <zpytela@redhat.com> - 34.20-1 - cleanup unused codes - Fix typo in the gnome_exec_atspi() interface summary - Allow xdm execute gnome-atspi services - Allow gnome at-spi processes execute dbus-daemon in caller domain - Allow xdm watch dbus configuration - Allow xdm execute dbus-daemon in the caller domain - Revert "Allow xdm_t transition to system_dbusd_t" - Allow at-spi-bus-launcher read and map xdm pid files - Allow dhcpcd set its resource limits - Allow systemd-sleep get removable devices attributes - Allow usbmuxd get attributes of fs_t filesystems * Thu Sep 09 2021 Zdenek Pytela <zpytela@redhat.com> - 34.19-1 - Update the dhcp client local policy - Allow firewalld load kernel modules - Allow postfix_domain to sendto unix dgram sockets. - Allow systemd watch unallocated ttys * Tue Sep 07 2021 Zdenek Pytela <zpytela@redhat.com> - 34.18-1 - Allow ModemManager create a qipcrtr socket - Allow ModemManager request to load a kernel module - Label /usr/sbin/virtproxyd as virtd_exec_t - Allow communication between at-spi and gdm processes - Update ica_filetrans_named_content() with create_file_perms - Fix the gnome_atspi_domtrans() interface summary * Fri Aug 27 2021 Zdenek Pytela <zpytela@redhat.com> - 34.17-5 - Add ica module to modules-targeted-contrib.conf * Fri Aug 27 2021 Zdenek Pytela <zpytela@redhat.com> - 34.17-4 - Add trailing \ to the relabel() block which is needed even in a comment * Fri Aug 27 2021 Zdenek Pytela <zpytela@redhat.com> - 34.17-3 - Add ica module to modules-targeted.conf * Fri Aug 27 2021 Zdenek Pytela <zpytela@redhat.com> - 34.17-2 - Relabel /var/lib/rpm explicitly - Revert "Relabel /dev/dma_heap explicitly" * Fri Aug 27 2021 Zdenek Pytela <zpytela@redhat.com> - 34.17-1 - Add support for at-spi - Add permissions for system dbus processes - Allow various domains work with ICA crypto accelerator - Add ica module - Revert "Support using ICA crypto accelerator on s390x arch" - Allow systemd to delete fwupd var cache files - Allow vmtools_unconfined_t domain transition to rpm_script_t - Allow dirsrv read slapd tmpfs files - Revert "Label /dev/shm/dirsrv/ with dirsrv_tmpfs_t label" - Rename samba_exec() to samba_exec_net() - Support using ICA crypto accelerator on s390x arch - Allow systemd delete /run/systemd/default-hostname - Allow tcpdump read system state information in /proc - Allow rhsmcertd to create cache file in /var/cache/cloud-what - Allow D-bus communication between avahi and sosreport - Label /usr/libexec/gdm-runtime-config with xdm_exec_t - Allow lldpad send to kdumpctl over a unix dgram socket - Revert "Allow lldpad send to kdump over a unix dgram socket" - Allow chronyc respond to a user chronyd instance - Allow ptp4l respond to pmc - Allow lldpad send to unconfined_t over a unix dgram socket - Allow sssd to set samba setting * Thu Aug 12 2021 Zdenek Pytela <zpytela@redhat.com> - 34.16-1 - Allow systemd-timesyncd watch system dbus pid socket files - Allow firewalld drop capabilities - Allow rhsmcertd execute gpg - Allow lldpad send to kdump over a unix dgram socket - Allow systemd-gpt-auto-generator read udev pid files - Set default file context for /sys/firmware/efi/efivars - Allow tcpdump run as a systemd service - Allow nmap create and use netlink generic socket - Allow nscd watch system db files in /var/db - Allow cockpit_ws_t get attributes of fs_t filesystems - Allow sysadm acces to kernel module resources - Allow sysadm to read/write scsi files and manage shadow - Allow sysadm access to files_unconfined and bind rpc ports - Allow sysadm read and view kernel keyrings - Allow journal mmap and read var lib files - Allow tuned to read rhsmcertd config files - Allow bootloader to read tuned etc files - Label /usr/bin/qemu-storage-daemon with virtd_exec_t * Fri Aug 06 2021 Zdenek Pytela <zpytela@redhat.com> - 34.15-1 - Disable seccomp on CI containers - Allow systemd-machined stop generic service units - Allow virtlogd_t read process state of user domains - Add "/" at the beginning of dev/shm/var\.lib\.opencryptoki.* regexp - Label /dev/crypto/nx-gzip with accelerator_device_t - Update the policy for systemd-journal-upload - Allow unconfined domains to bpf all other domains - Confine rhsm service and rhsm-facts service as rhsmcertd_t - Allow fcoemon talk with unconfined user over unix domain datagram socket - Allow abrt_domain read and write z90crypt device - Allow mdadm read iscsi pid files - Change dev_getattr_infiniband_dev() to use getattr_chr_files_pattern() - Label /usr/lib/pcs/pcs_snmp_agent with cluster_exec_t - Allow hostapd bind UDP sockets to the dhcpd port - Unconfined domains should not be confined * Fri Jul 23 2021 Fedora Release Engineering <releng@fedoraproject.org> - 34.14-2 - Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild * Wed Jul 14 2021 Zdenek Pytela <zpytela@redhat.com> - 34.14-1 - Revert "update libs_filetrans_named_content() to have support for /usr/lib/debug directory" - Remove references to init_watch_path_type attribute - Remove all redundant watch permissions for systemd - Allow systemd watch non_security_file_type dirs, files, lnk_files - Removed adding to attribute unpriv_userdomain from userdom_unpriv_type template - Allow bacula get attributes of cgroup filesystems - Allow systemd-journal-upload watch logs and journal - Create a policy for systemd-journal-upload - Allow tcpdump and nmap get attributes of infiniband_device_t - Allow arpwatch get attributes of infiniband_device_t devices - Label /dev/wmi/dell-smbios as acpi_device_t * Thu Jul 01 2021 Zdenek Pytela <zpytela@redhat.com> - 34.13-1 - Allow radius map its library files - Allow nftables read NetworkManager unnamed pipes - Allow logrotate rotate container log files * Tue Jun 22 2021 Zdenek Pytela <zpytela@redhat.com> - 34.12-2 - Add a systemd service to check that SELinux is disabled properly - specfile: Add unowned dir to the macro - Relabel /dev/dma_heap explicitly * Mon Jun 21 2021 Zdenek Pytela <zpytela@redhat.com> - 34.12-1 - Label /dev/dma_heap/* char devices with dma_device_t - Revert "Label /dev/dma_heap/* char devices with dma_device_t" - Revert "Label /dev/dma_heap with dma_device_dir_t" - Revert "Associate dma_device_dir_t with device filesystem" - Add the lockdown integrity permission to dev_map_userio_dev() - Allow systemd-modules-load read/write tracefs files - Allow sssd watch /run/systemd - Label /usr/bin/arping plain file with netutils_exec_t - Label /run/fsck with fsadm_var_run_t - Label /usr/bin/Xwayland with xserver_exec_t - Allow systemd-timesyncd watch dbus runtime dir - Allow asterisk watch localization files - Allow iscsid read all process stat - iptables.fc: Add missing legacy-restore and legacy-save entries - Label /run/libvirt/common with virt_common_var_run_t - Label /.k5identity file allow read of this file to rpc.gssd - Make usbmuxd_t a daemon * Wed Jun 09 2021 Zdenek Pytela <zpytela@redhat.com> - 34.11-1 - Allow sanlock get attributes of cgroup filesystems - Associate dma_device_dir_t with device filesystem - Set default file context for /var/run/systemd instead of /run/systemd - Allow nmap create and use rdma socket - Allow pkcs-slotd create and use netlink_kobject_uevent_socket * Sun Jun 06 2021 Zdenek Pytela <zpytela@redhat.com> - 34.10-1 - Allow using opencryptoki for ipsec - Allow using opencryptoki for certmonger - Label var.lib.opencryptoki.* files and create pkcs_tmpfs_filetrans() - Label /dev/dma_heap with dma_device_dir_t - Allow syslogd watch non security dirs conditionally - Introduce logging_syslogd_list_non_security_dirs tunable - Remove openhpi module - Allow udev to watch fixed disk devices - Allow httpd_sys_script_t read, write, and map hugetlbfs files - Allow apcupsd get attributes of cgroup filesystems * Thu May 27 2021 Zdenek Pytela <zpytela@redhat.com> - 34.9-1 - Add kerberos object filetrans for nsswitchdomain - Allow fail2ban watch various log files - Add logging_watch_audit_log_files() and logging_watch_audit_log_dirs() - Remove further modules recently removed from refpolicy - Remove modules not shipped and not present in refpolicy - Revert "Add permission open to files_read_inherited_tmp_files() interface" - Revert "Allow pcp_pmlogger_t to use setrlimit BZ(1708951)" - Revert "Dontaudit logrotate to setrlimit itself. rhbz#1309604" - Revert "Allow cockpit_ws_t domain to set limits BZ(1701703)" - Dontaudit setrlimit for domains that exec systemctl - Allow kdump_t net_admin capability - Allow nsswitch_domain read init pid lnk_files - Label /dev/trng with random_device_t - Label /run/systemd/default-hostname with hostname_etc_t - Add default file context specification for dnf log files - Label /dev/zram[0-9]+ block device files with fixed_disk_device_t - Label /dev/udmabuf character device with dma_device_t - Label /dev/dma_heap/* char devices with dma_device_t - Label /dev/acpi_thermal_rel char device with acpi_device_t * Thu May 20 2021 Zdenek Pytela <zpytela@redhat.com> - 34.8-2 - Remove temporary explicit /dev/nvme relabeling * Thu May 20 2021 Zdenek Pytela <zpytela@redhat.com> - 34.8-1 - Allow local_login_t nnp_transition to login_userdomain - Allow asterisk watch localization symlinks - Allow NetworkManager_t to watch /etc - Label /var/lib/kdump with kdump_var_lib_t - Allow amanda get attributes of cgroup filesystems - Allow sysadm_t nnp_domtrans to systemd_tmpfiles_t - Allow install_t nnp_domtrans to setfiles_mac_t - Allow fcoemon create sysfs files * Thu May 13 2021 Zdenek Pytela <zpytela@redhat.com> - 34.7-1 - Allow tgtd read and write infiniband devices - Add a comment on virt_sandbox booleans with empty content - Deprecate duplicate dev_write_generic_sock_files() interface - Allow vnstatd_t map vnstatd_var_lib_t files - Allow privoxy execmem - Allow pmdakvm read information from the debug filesystem - Add lockdown integrity into kernel_read_debugfs() and kernel_manage_debugfs() - Add permissions to delete lnk_files into gnome_delete_home_config() - Remove rules for inotifyfs - Remove rules for anon_inodefs - Allow systemd nnp_transition to login_userdomain - Allow unconfined_t write other processes perf_event records - Allow sysadm_t dbus chat with tuned - Allow tuned write profile files with file transition - Allow tuned manage perf_events - Make domains use kernel_write_perf_event() and kernel_manage_perf_event() * Fri May 07 2021 Zdenek Pytela <zpytela@redhat.com> - 34.6-1 - Make domains use kernel_write_perf_event() and kernel_manage_perf_event() - Add kernel_write_perf_event() and kernel_manage_perf_event() - Allow syslogd_t watch root and var directories - Allow unconfined_t read other processes perf_event records - Allow login_userdomain read and map /var/lib/systemd files - Allow NetworkManager watch its config dir - Allow NetworkManager read and write z90crypt device - Allow tgtd create and use rdma socket - Allow aide connect to init with a unix socket * Tue May 04 2021 Zdenek Pytela <zpytela@redhat.com> - 34.5-1 - Grant execmem to varnishlog_t - We no longer need signull for varnishlog_t - Add map permission to varnishd_read_lib_files - Allow systemd-sleep tlp_filetrans_named_content() - Allow systemd-sleep execute generic programs - Allow systemd-sleep execute shell - Allow to sendmail read/write kerberos host rcache files - Allow freshclam get attributes of cgroup filesystems - Fix context of /run/systemd/timesync - Allow udev create /run/gdm with proper type - Allow chronyc socket file transition in user temp directory - Allow virtlogd_t to create virt_var_lockd_t dir - Allow pluto IKEv2 / ESP over TCP * Tue Apr 27 2021 Zdenek Pytela <zpytela@redhat.com> - 34.4-1 - Allow domain create anonymous inodes - Add anon_inode class to the policy - Allow systemd-coredump getattr nsfs files and net_admin capability - Allow systemd-sleep transition to sysstat_t - Allow systemd -sleep transition to tlp_t - Allow systemd-sleep transition to unconfined_service_t on bin_t executables - Allow systemd-timedated watch runtime dir and its parent - Allow system dbusd read /var/lib symlinks - Allow unconfined_service_t confidentiality and integrity lockdown - Label /var/lib/brltty with brltty_var_lib_t - Allow domain and unconfined_domain_type watch /proc/PID dirs - Additional permission for confined users loging into graphic session - Make for screen fsetid/setuid/setgid permission conditional - Allow for confined users acces to wtmp and run utempter * Fri Apr 09 2021 Zdenek Pytela <zpytela@redhat.com> - 34.3-1 - Label /etc/redis as redis_conf_t - Add brltty new permissions required by new upstream version - Allow cups-lpd read its private runtime socket files - Dontaudit daemon open and read init_t file - Add file context specification for /var/tmp/tmp-inst - Allow brltty create and use bluetooth_socket - Allow usbmuxd get attributes of cgroup filesystems * Tue Apr 06 2021 Zdenek Pytela <zpytela@redhat.com> - 34.2-1 - Allow usbmuxd get attributes of cgroup filesystems - Allow accounts-daemon get attributes of cgroup filesystems - Allow pool-geoclue get attributes of cgroup filesystems - allow systemd-sleep to set timer for suspend-then-hibernate - Allow aide connect to systemd-userdbd with a unix socket - Add new interfaces with watch_mount and watch_with_perm permissions - Add file context specification for /usr/libexec/realmd - Allow /tmp file transition for dbus-daemon also for sock_file - Allow login_userdomain create cgroup files - Allow plymouthd_t exec generic program in bin directories * Thu Apr 01 2021 Zdenek Pytela <zpytela@redhat.com> - 34.1-1 - Change the package versioning * Thu Apr 01 2021 Zdenek Pytela <zpytela@redhat.com> - 3.14.8-10 - Allow plymouthd_t exec generic program in bin directories - Allow dhcpc_t domain transition to chronyc_t - Allow login_userdomain bind xmsg port - Allow ibacm the net_raw and sys_rawio capabilities - Allow nsswitch_domain read cgroup files - Allow systemd-sleep create hardware state information files * Mon Mar 29 2021 Zdenek Pytela <zpytela@redhat.com> - 3.14.8-9 - Add watch_with_perm_dirs_pattern file pattern * Fri Mar 26 2021 Zdenek Pytela <zpytela@redhat.com> - 3.14.8-8 - Allow arpwatch_t create netlink generic socket - Allow postgrey read network state - Add watch_mount_dirs_pattern file pattern - Allow bluetooth_t dbus chat with fwupd_t - Allow xdm_t watch accountsd lib directories - Add additional interfaces for watching /boot - Allow sssd_t get attributes of tmpfs filesystems - Allow local_login_t get attributes of tmpfs filesystems - Dontaudit domain the fowner capability - Extend fs_manage_nfsd_fs() to allow managing dirs as well - Allow spice-vdagentd watch systemd-logind session dirs * Fri Mar 19 2021 Zdenek Pytela <zpytela@redhat.com> - 3.14.8-7 - Allow xdm_t watch systemd-logind session dirs - Allow xdm_t transition to system_dbusd_t - Allow confined users login into graphic session - Allow login_userdomain watch systemd login session dirs - install_t: Allow NoNewPriv transition from systemd - Remove setuid/setgid capabilities from mysqld_t - Add context for new mariadbd executable files - Allow netutils_t create netlink generic socket - Allow systemd the audit_control capability conditionally * Thu Mar 11 2021 Zdenek Pytela <zpytela@redhat.com> - 3.14.8-6 - Allow polkit-agent-helper-1 read logind sessions files - Allow polkit-agent-helper read init state - Allow login_userdomain watch generic device dirs - Allow login_userdomain listen on bluetooth sockets - Allow user_t and staff_t bind netlink_generic_socket - Allow login_userdomain write inaccessible nodes - Allow transition from xdm domain to unconfined_t domain. - Add 'make validate' step to CI - Disallow user_t run su/sudo and staff_t run su - Fix typo in rsyncd.conf in rsync.if - Add an alias for nvme_device_t - Allow systemd watch and watch_reads unallocated ttys * Wed Mar 03 2021 Zdenek Pytela <zpytela@redhat.com> - 3.14.8-5 - Allow apmd watch generic device directories - Allow kdump load a new kernel - Add confidentiality lockdown permission to kernel_read_core_if() - Allow keepalived read nsfs files - Allow local_login_t get attributes of filesystems with ext attributes - Allow keepalived read/write its private memfd: objects - Add missing declaration in rpm_named_filetrans() - Change param description in cron interfaces to userdomain_prefix * Wed Feb 24 2021 Zdenek Pytela <zpytela@redhat.com> - 3.14.8-4 - iptables.fc: Add missing legacy entries - iptables.fc: Remove some duplicate entries - iptables.fc: Remove duplicate file context entries - Allow libvirtd to create generic netlink sockets - Allow libvirtd the fsetid capability - Allow libvirtd to read /run/utmp - Dontaudit sys_ptrace capability when calling systemctl - Allow udisksd to read /dev/random - Allow udisksd to watch files under /run/mount - Allow udisksd to watch /etc - Allow crond to watch user_cron_spool_t directories - Allow accountsd watch xdm config directories - Label /etc/avahi with avahi_conf_t - Allow sssd get cgroup filesystems attributes and search cgroup dirs - Allow systemd-hostnamed read udev runtime data - Remove dev_getattr_sysfs_fs() interface calls for particular domains - Allow domain stat the /sys filesystem - Dontaudit NetworkManager write to initrc_tmp_t pipes - policykit.te: Clean up watch rule for policykit_auth_t - Revert further unnecessary watch rules - Revert "Allow getty watch its private runtime files" - Allow systemd watch generic /var directories - Allow init watch network config files and lnk_files - Allow systemd-sleep get attributes of fixed disk device nodes - Complete initial policy for systemd-coredump - Label SDC(scini) Dell Driver - Allow upowerd to send syslog messages - Remove the disk write permissions from tlp_t - Label NVMe devices as fixed_disk_device_t - Allow rhsmcertd bind tcp sockets to a generic node - Allow systemd-importd manage machines.lock file * Tue Feb 16 2021 Zdenek Pytela <zpytela@redhat.com> - 3.14.8-3 - Allow unconfined integrity lockdown permission - Relocate confidentiality lockdown rule from unconfined_domain_type to unconfined - Allow systemd-machined manage systemd-userdbd runtime sockets - Enable systemd-sysctl domtrans for udev - Introduce kernel_load_unsigned_module interface and use it for couple domains - Allow gpg watch user gpg secrets dirs - Build also the container module in CI - Remove duplicate code from kernel.te - Allow restorecond to watch all non-auth directories - Allow restorecond to watch its config file * Mon Feb 15 2021 Zdenek Pytela <zpytela@redhat.com> - 3.14.8-2 - Allow userdomain watch various filesystem objects - Allow systemd-logind and systemd-sleep integrity lockdown permission - Allow unconfined_t and kprop_t to create krb5_0.rcache2 with the right context - Allow pulseaudio watch devices and systemd-logind session dirs - Allow abrt-dump-journal-* watch generic log dirs and /run/log/journal dir - Remove duplicate files_mounton_etc(init_t) call - Add watch permissions to manage_* object permissions sets - Allow journalctl watch generic log dirs and /run/log/journal dir - Label /etc/resolv.conf as net_conf_t even when it's a symlink - Allow SSSD to watch /var/run/NetworkManager - Allow dnsmasq_t to watch /etc - Remove unnecessary lines from the new watch interfaces - Fix docstring for init_watch_dir() - Allow xdm watch its private lib dirs, /etc, /usr * Thu Feb 11 2021 Zdenek Pytela <zpytela@redhat.com> - 3.14.8-1 - Bump version as Fedora 34 has been branched off rawhide - Allow xdm watch its private lib dirs, /etc, /usr - Allow systemd-importd create /run/systemd/machines.lock file - Allow rhsmcertd_t read kpatch lib files - Add integrity lockdown permission into dev_read_raw_memory() - Add confidentiality lockdown permission into fs_rw_tracefs_files() - Allow gpsd read and write ptp4l_t shared memory. - Allow colord watch its private lib files and /usr - Allow init watch_reads mount PID files - Allow IPsec and Certmonger to use opencryptoki services * Sun Feb 07 2021 Zdenek Pytela <zpytela@redhat.com> - 3.14.7-18 - Allow lockdown confidentiality for domains using perf_event - define lockdown class and access - Add perfmon capability for all domains using perf_event - Allow ptp4l_t bpf capability to run bpf programs - Revert "Allow ptp4l_t sys_admin capability to run bpf programs" - access_vectors: Add new capabilities to cap2 - Allow systemd and systemd-resolved watch dbus pid objects - Add new watch interfaces in the base and userdomain policy - Add watch permissions for contrib packages - Allow xdm watch /usr directories - Allow getty watch its private runtime files - Add watch permissions for nscd and sssd - Add watch permissions for firewalld and NetworkManager - Add watch permissions for syslogd - Add watch permissions for systemd services - Allow restorecond watch /etc dirs - Add watch permissions for user domain types - Add watch permissions for init - Add basic watch interfaces for systemd - Add basic watch interfaces to the base module - Add additional watch object permissions sets and patterns - Allow init_t to watch localization symlinks - Allow init_t to watch mount directories - Allow init_t to watch cgroup files - Add basic watch patterns - Add new watch* permissions * Fri Feb 05 2021 Zdenek Pytela <zpytela@redhat.com> - 3.14.7-17 - Update .copr/make-srpm.sh to use rawhide as DISTGIT_BRANCH - Dontaudit setsched for rndc - Allow systemd-logind destroy entries in message queue - Add userdom_destroy_unpriv_user_msgq() interface - ci: Install build dependencies from koji - Dontaudit vhostmd to write in /var/lib/rpm/ dir and allow signull rpm - Add new cmadmin port for bfdd dameon - virtiofs supports Xattrs and SELinux - Allow domain write to systemd-resolved PID socket files - Label /var/run/pcsd-ruby.socket socket with cluster_var_run_t type - Allow rhsmcertd_t domain transition to kpatch_t - Revert "Add kpatch_exec() interface" - Revert "Allow rhsmcertd execute kpatch" - Allow openvswitch create and use xfrm netlink sockets - Allow openvswitch_t perf_event write permission - Add kpatch_exec() interface - Allow rhsmcertd execute kpatch - Adds rule to allow glusterd to access RDMA socket - radius: Lexical sort of service-specific corenet rules by service name - VQP: Include IANA-assigned TCP/1589 - radius: Allow binding to the VQP port (VMPS) - radius: Allow binding to the BDF Control and Echo ports - radius: Allow binding to the DHCP client port - radius: Allow net_raw; allow binding to the DHCP server ports - Add rsync_sys_admin tunable to allow rsync sys_admin capability - Allow staff_u run pam_console_apply - Allow openvswitch_t perf_event open permission - Allow sysadm read and write /dev/rfkill - Allow certmonger fsetid capability - Allow domain read usermodehelper state information * Wed Jan 27 2021 Fedora Release Engineering <releng@fedoraproject.org> - 3.14.7-16 - Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild * Fri Jan 22 2021 Petr Lautrbach <plautrba@redhat.com> - 3.14.7-15 - Update specfile to not verify md5/size/mtime for active store files - Add /var/mnt equivalency to /mnt - Rebuild with SELinux userspace 3.2-rc1 release * Fri Jan 08 2021 Zdenek Pytela <zpytela@redhat.com> - 3.14.7-14 - Allow domain read usermodehelper state information - Remove all kernel_read_usermodehelper_state() interface calls - .copr: improve timestamp format - Allow wireshark create and use rdma socket - Allow domain stat /proc filesystem - Remove all kernel_getattr_proc() interface calls - Revert "Allow passwd to get attributes in proc_t" - Revert "Allow dovecot_auth_t stat /proc filesystem" - Revert "Allow sssd, unix_chkpwd, groupadd stat /proc filesystem" - Allow sssd read /run/systemd directory - Label /dev/vhost-vdpa-[0-9]+ as vhost_device_t * Thu Dec 17 2020 Zdenek Pytela <zpytela@redhat.com> - 3.14.7-13 - Label /dev/isst_interface as cpu_device_t - Dontaudit firewalld dac_override capability - Allow ipsec set the context of a SPD entry to the default context - Build binary RPMs in CI - Add SRPM build scripts for COPR * Tue Dec 15 2020 Zdenek Pytela <zpytela@redhat.com> - 3.14.7-12 - Allow dovecot_auth_t stat /proc filesystem - Allow sysadm_u user and unconfined_domain_type manage perf_events - Allow pcp-pmcd manage perf_events - Add manage_perf_event_perms object permissions set - Add perf_event access vectors. - Allow sssd, unix_chkpwd, groupadd stat /proc filesystem - Allow stub-resolv.conf to be a symlink - sysnetwork.if: avoid directly referencing systemd_resolved_var_run_t - Create the systemd_dbus_chat_resolved() compatibility interface - Allow nsswitch-domain write to systemd-resolved PID socket files - Add systemd_resolved_write_pid_sock_files() interface - Add default file context for "/var/run/chrony-dhcp(/.*)?" - Allow timedatex dbus chat with cron system domain - Add cron_dbus_chat_system_job() interface - Allow systemd-logind manage init's pid files * Wed Dec 09 2020 Zdenek Pytela <zpytela@redhat.com> - 3.14.7-11 - Allow systemd-logind manage init's pid files - Allow tcsd the setgid capability - Allow systemd-resolved manage its private runtime symlinks - Update systemd_resolved_read_pid() to also read symlinks - Update systemd-sleep policy - Add groupadd_t fowner capability - Migrate to GitHub Actions - Update README.md to reflect the state after contrib and base merge - Add README.md announcing merging of selinux-policy and selinux-policy-contrib - Adapt .travis.yml to contrib merge - Merge contrib into the main repo - Prepare to merge contrib repo - Move stuff around to match the main repo * Thu Nov 26 2020 Zdenek Pytela <zpytela@redhat.com> - 3.14.7-10 - Allow Xephyr connect to 6000/tcp port and open user ptys - Allow kexec manage generic tmp files - Update targetd nfs & lvm - Add interface rpc_manage_exports - Merge selinux-policy and selinux-policy-contrib repos * Tue Nov 24 2020 Zdenek Pytela <zpytela@redhat.com> - 3.14.7-9 - Allow varnish map its private tmp files - Allow dovecot bind to smtp ports - Change fetchmail temporary files path to /var/spool/mail - Allow cups_pdf_t domain to communicate with unix_dgram_socket - Set file context for symlinks in /etc/httpd to etc_t - Allow rpmdb rw access to inherited console, ttys, and ptys - Allow dnsmasq read public files - Announce merging of selinux-policy and selinux-policy-contrib - Label /etc/resolv.conf as net_conf_t only if it is a plain file - Fix range for unreserved ports - Add files_search_non_security_dirs() interface - Introduce logging_syslogd_append_public_content tunable - Add miscfiles_append_public_files() interface * Fri Nov 13 2020 Zdenek Pytela <zpytela@redhat.com> - 3.14.7-8 - Set correct default file context for /usr/libexec/pcp/lib/* - Introduce rpmdb_t type - Allow slapd manage files/dirs in ldap certificates directory - Revert "Allow certmonger add new entries in a generic certificates directory" - Allow certmonger add new entries in a generic certificates directory - Allow slapd add new entries in ldap certificates directory - Remove retired PCP pmwebd and pmmgr daemons (since 5.0) - Let keepalived bind a raw socket - Add default file context for /usr/libexec/pcp/lib/* - squid: Allow net_raw capability when squid_use_tproxy is enabled - systemd: allow networkd to check namespaces - Add ability to read init_var_run_t where fs_read_efivarfs_files is allowed - Allow resolved to created varlink sockets and the domain to talk to it - selinux: tweak selinux_get_enforce_mode() to allow status page to be used - systemd: allow all systemd services to check selinux status - Set default file context for /var/lib/ipsec/nss - Allow user domains transition to rpmdb_t - Revert "Add miscfiles_add_entry_generic_cert_dirs() interface" - Revert "Add miscfiles_create_generic_cert_dirs() interface" - Update miscfiles_manage_all_certs() to include managing directories - Add miscfiles_create_generic_cert_dirs() interface - Add miscfiles_add_entry_generic_cert_dirs() interface - Revert "Label /var/run/zincati/public/motd.d/* as motd_var_run_t" * Tue Nov 03 2020 Petr Lautrbach <plautrba@redhat.com> - 3.14.7-7 - Rebuild with latest libsepol - Bump policy version to 33 * Thu Oct 22 2020 Zdenek Pytela <zpytela@redhat.com> - 3.14.7-6 - rpc.fc: Include /etc/exports.d dir & files - Create chronyd_pid_filetrans() interface - Change invalid type redisd_t to redis_t in redis_stream_connect() - Revert "Removed adding to attribute unpriv_userdomain from userdom_unpriv_type template" - Allow init dbus chat with kernel - Allow initrc_t create /run/chronyd-dhcp directory with a transition - Drop gcc from dependencies in Travis CI - fc_sort.py: Use "==" for comparing integers. - re-implement fc_sort in python - Remove invalid file context line - Drop git from dependencies in Travis CI * Tue Oct 06 2020 Zdenek Pytela <zpytela@redhat.com> - 3.14.7-5 - Remove empty line from rshd.fc - Allow systemd-logind read swap files - Add fstools_read_swap_files() interface - Allow dyntransition from sshd_t to unconfined_t - Removed adding to attribute unpriv_userdomain from userdom_unpriv_type template * Fri Sep 25 2020 Zdenek Pytela <zpytela@redhat.com> - 3.14.7-4 - Allow chronyd_t to accept and make NTS-KE connections - Allow domain write to an automount unnamed pipe - Label /var/run/zincati/public/motd.d/* as motd_var_run_t - Allow login programs to (only) read MOTD files and symlinks - Relabel /usr/sbin/charon-systemd as ipsec_exec_t - Confine systemd-sleep service - Add fstools_rw_swap_files() interface - Label 4460/tcp port as ntske_port_t - Add lvm_dbus_send_msg(), lvm_rw_var_run() interfaces * Mon Sep 21 2020 Zdenek Pytela <zpytela@redhat.com> - 3.14.7-3 - Check out the right -contrib branch in Travis * Fri Sep 18 2020 Zdenek Pytela <zpytela@redhat.com> - 3.14.7-2 - Allow openvswitch fowner capability and create netlink sockets - Allow additional permissions for gnome-initial-setup - Add to map non_security_files to the userdom_admin_user_template template - kernel/filesystem: Add exfat support (no extended attributes) * Tue Sep 08 2020 Zdenek Pytela <zpytela@redhat.com> - 3.14.7-1 - Bump version as Fedora 33 has been branched - Allow php-fpm write access to /var/run/redis/redis.sock - Allow journalctl to read and write to inherited user domain tty - Update rkt policy to allow rkt_t domain to read sysfs filesystem - Allow arpwatch create and use rdma socket - Allow plymouth sys_chroot capability - Allow gnome-initial-setup execute in a xdm sandbox - Add new devices and filesystem interfaces * Mon Aug 24 2020 Zdenek Pytela <zpytela@redhat.com> - 3.14.6-25 - Allow certmonger fowner capability - The nfsdcld service is now confined by SELinux - Change transitions for ~/.config/Yubico - Allow all users to connect to systemd-userdbd with a unix socket - Add file context for ~/.config/Yubico - Allow syslogd_t domain to read/write tmpfs systemd-bootchart files - Allow login_pgm attribute to get attributes in proc_t - Allow passwd to get attributes in proc_t - Revert "Allow passwd to get attributes in proc_t" - Revert "Allow login_pgm attribute to get attributes in proc_t" - Allow login_pgm attribute to get attributes in proc_t - Allow passwd to get attributes in proc_t - Allow traceroute_t and ping_t to bind generic nodes. - Create macro corenet_icmp_bind_generic_node() - Allow unconfined_t to node_bind icmp_sockets in node_t domain * Thu Aug 13 2020 Zdenek Pytela <zpytela@redhat.com> - 3.14.6-24 - Add ipa_helper_noatsecure() interface unconditionally - Conditionally allow nagios_plugin_domain dbus chat with init - Revert "Update allow rules set for nrpe_t domain" - Add ipa_helper_noatsecure() interface to ipa.if - Label /usr/libexec/qemu-pr-helper with virtd_exec_t - Allow kadmind manage kerberos host rcache - Allow nsswitch_domain to connect to systemd-machined using a unix socket - Define named file transition for sshd on /tmp/krb5_0.rcache2 - Allow systemd-machined create userdbd runtime sock files - Disable kdbus module before updating * Mon Aug 03 2020 Zdenek Pytela <zpytela@redhat.com> - 3.14.6-23 - Revert "Add support for /sys/fs/kdbus and allow login_pgm domain to access it." - Revert "Add interface to allow types to associate with cgroup filesystems" - Revert "kdbusfs should not be accessible for now." - Revert "kdbusfs should not be accessible for now by default for shipped policies. It should be moved to kdbus.pp" - Revert "Add kdbus.pp policy to allow access /sys/fs/kdbus. It needs to go with own module because this is workaround for now to avoid SELinux in enforcing mode." - Remove the legacy kdbus module - Remove "kdbus = module" from modules-targeted-base.conf * Thu Jul 30 2020 Zdenek Pytela <zpytela@redhat.com> - 3.14.6-22 - Allow virtlockd only getattr and lock block devices - Allow qemu-ga read all non security file types conditionally - Allow virtlockd manage VMs posix file locks - Allow smbd get attributes of device files labeled samba_share_t - Label /tmp/krb5_0.rcache2 with krb5_host_rcache_t - Add a new httpd_can_manage_courier_spool boolean - Create interface courier_manage_spool_sockets() in courier policy to allow to search dir and allow manage sock files - Revert "Allow qemu-kvm read and write /dev/mapper/control" - Revert "Allow qemu read and write /dev/mapper/control" - Revert "Dontaudit and disallow sys_admin capability for keepalived_t domain" - Dontaudit pcscd_t setting its process scheduling - Dontaudit thumb_t setting its process scheduling - Allow munin domain transition with NoNewPrivileges - Add dev_lock_all_blk_files() interface - Allow auditd manage kerberos host rcache files - Allow systemd-logind dbus chat with fwupd * Wed Jul 29 2020 Fedora Release Engineering <releng@fedoraproject.org> - 3.14.6-21 - Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild * Mon Jul 13 2020 Lukas Vrabec <lvrabec@redhat.com> - 3.14.6-20 - Align gen_tunable() syntax with sepolgen * Fri Jul 10 2020 Zdenek Pytela <zpytela@redhat.com> - 3.14.6-19 - Additional support for keepalived running in a namespace - Remove systemd_dbus_chat_resolved(pcp_pmie_t) - virt: remove the libvirt qmf rules - Allow certmonger manage dirsrv services - Run ipa_helper_noatsecure(oddjob_t) only if the interface exists - Allow domain dbus chat with systemd-resolved - Define file context for /var/run/netns directory only - Revert "Add support for fuse.glusterfs" * Tue Jul 07 2020 Zdenek Pytela <zpytela@redhat.com> - 3.14.6-18 - Allow oddjob_t process noatsecure permission for ipa_helper_t - Allow keepalived manage its private type runtime directories - Update irqbalance runtime directory file context - Allow irqbalance file transition for pid sock_files and directories - Allow systemd_private_tmp(dirsrv_tmp_t) instead of dirsrv_t - Allow virtlogd_t manage virt lib files - Allow systemd set efivarfs files attributes - Support systemctl --user in machinectl - Allow chkpwd_t read and write systemd-machined devpts character nodes - Allow init_t write to inherited systemd-logind sessions pipes * Fri Jun 26 2020 Zdenek Pytela <zpytela@redhat.com> - 3.14.6-17 - Allow pdns server to read system state - Allow irqbalance nnp_transition - Fix description tag for the sssd_connect_all_unreserved_ports tunable - Allow journalctl process set its resource limits - Add sssd_access_kernel_keys tunable to conditionally access kernel keys - Make keepalived work with network namespaces - Create sssd_connect_all_unreserved_ports boolean - Allow hypervkvpd to request kernel to load a module - Allow systemd_private_tmp(dirsrv_tmp_t) - Allow microcode_ctl get attributes of sysfs directories - Remove duplicate files_dontaudit_list_tmp(radiusd_t) line - Allow radiusd connect to gssproxy over unix domain stream socket - Add fwupd_cache_t file context for '/var/cache/fwupd(/.*)?' - Allow qemu read and write /dev/mapper/control - Allow tlp_t can_exec() tlp_exec_t - Dontaudit vpnc_t setting its process scheduling - Remove files_mmap_usr_files() call for particular domains - Allow dirsrv_t list cgroup directories - Crete the kerberos_write_kadmind_tmp_files() interface - Allow realmd_t dbus chat with accountsd_t - Label systemd-growfs and systemd-makefs as fsadm_exec_t - Allow staff_u and user_u setattr generic usb devices - Allow sysadm_t dbus chat with accountsd - Modify kernel_rw_key() not to include append permission - Add kernel_rw_key() interface to access to kernel keyrings - Modify systemd_delete_private_tmp() to use delete_*_pattern macros - Allow systemd-modules to load kernel modules - Add cachefiles_dev_t as a typealias to cachefiles_device_t - Allow libkrb5 lib read client keytabs - Allow domain mmap usr_t files - Remove files_mmap_usr_files() call for systemd domains - Allow sshd write to kadmind temporary files - Do not audit staff_t and user_t attempts to manage boot_t entries - Add files_dontaudit_manage_boot_dirs() interface - Allow systemd-tty-ask-password-agent read efivarfs files * Thu Jun 25 2020 Adam Williamson <awilliam@redhat.com> - 3.14.6-16 - Fix scriptlets when /etc/selinux/config does not exist * Thu Jun 04 2020 Zdenek Pytela <zpytela@redhat.com> - 3.14.6-15 - Add fetchmail_uidl_cache_t type for /var/mail/.fetchmail.pid - Support multiple ways of tlp invocation - Allow qemu-kvm read and write /dev/mapper/control - Introduce logrotate_use_cifs boolean - Allow ptp4l_t sys_admin capability to run bpf programs - Allow to getattr files on an nsfs filesystem - httpd: Allow NoNewPriv transition from systemd - Allow rhsmd read process state of all domains and kernel threads - Allow rhsmd mmap /etc/passwd - Allow systemd-logind manage efivarfs files - Allow initrc_t tlp_filetrans_named_content() - Allow systemd_resolved_t to read efivarfs - Allow systemd_modules_load_t to read efivarfs - Introduce systemd_read_efivarfs_type attribute - Allow named transition for /run/tlp from a user shell - Allow ipsec_mgmt_t mmap ipsec_conf_file_t files - Add file context for /sys/kernel/tracing * Tue May 19 2020 Zdenek Pytela <zpytela@redhat.com> - 3.14.6-14 - Allow chronyc_t domain to use nsswitch - Allow nscd_socket_use() for domains in nscd_use() unconditionally - Add allow rules for lttng-sessiond domain - Label dirsrv systemd unit files and add dirsrv_systemctl() - Allow gluster geo-replication in rsync mode - Allow nagios_plugin_domain execute programs in bin directories - Allow sys_admin capability for domain labeled systemd_bootchart_t - Split the arping path regexp to 2 lines to prevent from relabeling - Allow tcpdump sniffing offloaded (RDMA) traffic - Revert "Change arping path regexp to work around fixfiles incorrect handling" - Change arping path regexp to work around fixfiles incorrect handling - Allow read efivarfs_t files by domains executing systemctl file * Wed Apr 29 2020 Zdenek Pytela <zpytela@redhat.com> - 3.14.6-13 - Update networkmanager_read_pid_files() to allow also list_dir_perms - Update policy for NetworkManager_ssh_t - Allow glusterd synchronize between master and slave - Allow spamc_t domain to read network state - Allow strongswan use tun/tap devices and keys - Allow systemd_userdbd_t domain logging to journal * Tue Apr 14 2020 Zdenek Pytela <zpytela@redhat.com> - 3.14.6-12 - Allow rngd create netlink_kobject_uevent_socket and read udev runtime files - Allow ssh-keygen create file in /var/lib/glusterd - Update ctdbd_manage_lib_files() to also allow mmap ctdbd_var_lib_t files - Merge ipa and ipa_custodia modules - Allow NetworkManager_ssh_t to execute_no_trans for binary ssh_exec_t - Introduce daemons_dontaudit_scheduling boolean - Modify path for arping in netutils.fc to match both bin and sbin - Change file context for /var/run/pam_ssh to match file transition - Add file context entry and file transition for /var/run/pam_timestamp * Tue Mar 31 2020 Zdenek Pytela <zpytela@redhat.com> - 3.14.6-11 - Allow NetworkManager manage dhcpd unit files - Update ninfod policy to add nnp transition from systemd to ninfod - Remove container interface calling by named_filetrans_domain. * Wed Mar 25 2020 Zdenek Pytela <zpytela@redhat.com> - 3.14.6-10 - Allow openfortivpn exec shell - Remove label session_dbusd_tmp_t for /run/user/USERID/systemd - Add ibacm_t ipc_lock capability - Allow ipsec_t connectto ipsec_mgmt_t - Remove ipa_custodia - Allow systemd-journald to read user_tmp_t symlinks * Wed Mar 18 2020 Zdenek Pytela <zpytela@redhat.com> - 3.14.6-9 - Allow zabbix_t manage and filetrans temporary socket files - Makefile: fix tmp/%.mod.fc target * Fri Mar 13 2020 Zdenek Pytela <zpytela@redhat.com> - 3.14.6-8 - Allow NetworkManager read its unit files and manage services - Add init_daemon_domain() for geoclue_t - Allow to use nnp_transition in pulseaudio_role - Allow pdns_t domain to map files in /usr. - Label all NetworkManager fortisslvpn plugins as openfortivpn_exec_t - Allow login_pgm create and bind on netlink_selinux_socket * Mon Mar 09 2020 Zdenek Pytela <zpytela@redhat.com> - 3.14.6-7 - Allow sssd read systemd-resolved runtime directory - Allow sssd read NetworkManager's runtime directory - Mark nm-cloud-setup systemd units as NetworkManager_unit_file_t - Allow system_mail_t to signull pcscd_t - Create interface pcscd_signull - Allow auditd poweroff or switch to single mode * Fri Feb 28 2020 Lukas Vrabec <lvrabec@redhat.com> - 3.14.6-6 - Allow postfix stream connect to cyrus through runtime socket - Dontaudit daemons to set and get scheduling policy/parameters * Sat Feb 22 2020 Lukas Vrabec <lvrabec@redhat.com> - 3.14.6-5 - Allow certmonger_t domain to read pkcs_slotd lock files - Allow httpd_t domain to mmap own var_lib_t files BZ(1804853) - Allow ipda_custodia_t to create udp_socket and added permission nlmsg_read for netlink_route_sockets - Make file context more variable for /usr/bin/fusermount and /bin/fusermount - Allow local_login_t domain to getattr cgroup filesystem - Allow systemd_logind_t domain to manage user_tmp_t char and block devices * Tue Feb 18 2020 Lukas Vrabec <lvrabec@redhat.com> - 3.14.6-4 - Update virt_read_qemu_pid_files inteface - Allow systemd_logind_t domain to getattr cgroup filesystem - Allow systemd_logind_t domain to manage user_tmp_t char and block devices - Allow nsswitch_domain attribute to stream connect to systemd process * Sun Feb 16 2020 Lukas Vrabec <lvrabec@redhat.com> - 3.14.6-3 - Allow systemd labeled as init_t to manage systemd_userdbd_runtime_t symlinks - Allow systemd_userdbd_t domain to read efivarfs files * Sat Feb 15 2020 Lukas Vrabec <lvrabec@redhat.com> - 3.14.6-2 - Allow vhostmd communication with hosted virtual machines - Add and update virt interfaces - Update radiusd policy - Allow systemd_private_tmp(named_tmp_t) - Allow bacula dac_override capability - Allow systemd_networkd_t to read efivarfs - Add support for systemd-userdbd - Allow systemd system services read efivarfs files * Sat Feb 15 2020 Lukas Vrabec <lvrabec@redhat.com> - 3.14.6-1 - Bump version to 3.14.6 because fedora 32 was branched * Fri Feb 07 2020 Zdenek Pytela <zpytela@redhat.com> - 3.14.5-24 - Allow ptp4l_t create and use packet_socket sockets - Allow ipa_custodia_t create and use netlink_route_socket sockets. - Allow networkmanager_t transition to setfiles_t - Create init_create_dirs boolean to allow init create directories * Fri Jan 31 2020 Zdenek Pytela <zpytela@redhat.com> - 3.14.5-23 - Allow thumb_t connect to system_dbusd_t BZ(1795044) - Allow saslauthd_t filetrans variable files for /tmp directory - Added apache create log dirs macro - Tiny documentation fix - Allow openfortivpn_t to manage net_conf_t files. - Introduce boolean openfortivpn_can_network_connect. - Dontaudit domain chronyd_t to list in user home dirs. - Allow init_t to create apache log dirs. - Add file transition for /dev/nvidia-uvm BZ(1770588) - Allow syslog_t to read efivarfs_t files - Add ioctl to term_dontaudit_use_ptmx macro - Update xserver_rw_session macro * Thu Jan 30 2020 Fedora Release Engineering <releng@fedoraproject.org> - 3.14.5-22 - Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild * Fri Jan 24 2020 Zdenek Pytela <zpytela@redhat.com> - 3.14.5-21 - Dontaudit timedatex_t read file_contexts_t and validate security contexts - Make stratisd_t domain unconfined for now. - stratisd_t policy updates. - Label /var/spool/plymouth/boot.log as plymouthd_var_log_t - Label /stratis as stratisd_data_t - Allow opafm_t to create and use netlink rdma sockets. - Allow stratisd_t domain to read/write fixed disk devices and removable devices. - Added macro for stratisd to chat over dbus - Add dac_override capability to stratisd_t domain - Allow init_t set the nice level of all domains BZ(1778088) - Allow userdomain to chat with stratisd over dbus. * Mon Jan 13 2020 Lukas Vrabec <lvrabec@redhat.com> - 3.14.5-20 - Fix typo in anaconda SELinux module - Allow rtkit_t domain to control scheduling for your install_t processes - Boolean: rngd_t to use executable memory - Allow rngd_t domain to use nsswitch BZ(1787661) - Allow exim to execute bin_t without domain trans - Allow create udp sockets for abrt_upload_watch_t domains - Drop label zebra_t for frr binaries - Allow NetworkManager_t domain to get status of samba services - Update milter policy to allow use sendmail - Modify file context for .local directory to match exactly BZ(1637401) - Allow init_t domain to create own socket files in /tmp - Allow ipsec_mgmt_t domain to mmap ipsec_conf_file_t files - Create files_create_non_security_dirs() interface