Information for build selinux-policy-35.10-1.eln114

Package Nameselinux-policy
SummarySELinux policy configuration
DescriptionSELinux core policy package. Originally based off of reference policy, the policy has been adjusted to provide support for Fedora.
Built bydistrobuildsync-eln/
State complete
Volume prod
StartedTue, 18 Jan 2022 08:26:00 UTC
CompletedTue, 18 Jan 2022 08:34:31 UTC
Taskbuild (eln, /rpms/selinux-policy:b8cfdb19219950edc49ed070a652c393c346f1b5)
Extra{'source': {'original_url': 'git+'}}
Tags No tags
selinux-policy-35.10-1.eln114.src.rpm (info) (download)
selinux-policy-35.10-1.eln114.noarch.rpm (info) (download)
selinux-policy-devel-35.10-1.eln114.noarch.rpm (info) (download)
selinux-policy-doc-35.10-1.eln114.noarch.rpm (info) (download)
selinux-policy-minimum-35.10-1.eln114.noarch.rpm (info) (download)
selinux-policy-mls-35.10-1.eln114.noarch.rpm (info) (download)
selinux-policy-sandbox-35.10-1.eln114.noarch.rpm (info) (download)
selinux-policy-targeted-35.10-1.eln114.noarch.rpm (info) (download)
Changelog * Mon Jan 17 2022 Zdenek Pytela <> - 35.10-1 - Allow login_userdomain watch systemd-machined PID directories - Allow login_userdomain watch systemd-logind PID directories - Allow login_userdomain watch accountsd lib directories - Allow login_userdomain watch localization directories - Allow login_userdomain watch various files and dirs - Allow login_userdomain watch generic directories in /tmp - Allow rhsm-service read/write its private memfd: objects - Allow radiusd connect to the radacct port - Allow systemd-io-bridge ioctl rpm_script_t - Allow systemd-coredump userns capabilities and root mounton - Allow systemd-coredump read and write usermodehelper state - Allow login_userdomain create session_dbusd tmp socket files - Allow gkeyringd_domain write to session_dbusd tmp socket files - Allow systemd-logind delete session_dbusd tmp socket files - Allow gdm-x-session write to session dbus tmp sock files - Label /etc/cockpit/ws-certs.d with cert_t - Allow kpropd get attributes of cgroup filesystems - Allow administrative users the bpf capability - Allow sysadm_t start and stop transient services - Connect triggerin to pcre2 instead of pcre * Wed Jan 12 2022 Zdenek Pytela <> - 35.9-1 - Allow sshd read filesystem sysctl files - Revert "Allow sshd read sysctl files" - Allow tlp read its systemd unit - Allow gssproxy access to various system files. - Allow gssproxy read, write, and map ica tmpfs files - Allow gssproxy read and write z90crypt device - Allow sssd_kcm read and write z90crypt device - Allow smbcontrol read the network state information - Allow virt_domain map vhost devices - Allow fcoemon request the kernel to load a module - Allow sshd read sysctl files - Ensure that `/run/systemd/*` are properly labeled - Allow admin userdomains use socketpair() - Change /run/user/[0-9]+ to /run/user/%{USERID} for proper labeling - Allow lldpd connect to snmpd with a unix domain stream socket - Dontaudit pkcsslotd sys_admin capability * Thu Dec 23 2021 Zdenek Pytela <> - 35.8-1 - Allow haproxy get attributes of filesystems with extended attributes - Allow haproxy get attributes of cgroup filesystems - Allow sysadm execute sysadmctl in sysadm_t domain using sudo - Allow userdomains use pam_ssh_agent_auth for passwordless sudo - Allow sudodomains execute passwd in the passwd domain - Allow braille printing in selinux - Allow sandbox_xserver_t map sandbox_file_t - Label /dev/ngXnY and /dev/nvme-subsysX with fixed_disk_device_t - Add hwtracing_device_t type for hardware-level tracing and debugging - Label port 9528/tcp with openqa_liveview - Label /var/lib/shorewall6-lite with shorewall_var_lib_t - Document Security Flask model in the policy * Fri Dec 10 2021 Zdenek Pytela <> - 35.7-1 - Allow systemd read unlabeled symbolic links - Label abrt-action-generate-backtrace with abrt_handle_event_exec_t - Allow dnsmasq watch /etc/dnsmasq.d directories - Allow rhsmcertd get attributes of tmpfs_t filesystems - Allow lldpd use an snmp subagent over a tcp socket - Allow xdm watch generic directories in /var/lib - Allow login_userdomain open/read/map system journal - Allow sysadm_t connect to cluster domains over a unix stream socket - Allow sysadm_t read/write pkcs shared memory segments - Allow sysadm_t connect to sanlock over a unix stream socket - Allow sysadm_t dbus chat with sssd - Allow sysadm_t set attributes on character device nodes - Allow sysadm_t read and write watchdog devices - Allow smbcontrol use additional socket types - Allow cloud-init dbus chat with systemd-logind - Allow svnserve send mail from the system - Update userdom_exec_user_tmp_files() with an entrypoint rule - Allow sudodomain send a null signal to sshd processes * Fri Nov 19 2021 Zdenek Pytela <> - 35.6-1 - Allow PID 1 and dbus-broker IPC with a systemd user session - Allow rpmdb read generic SSL certificates - Allow rpmdb read admin home config files - Report warning on duplicate definition of interface - Allow redis get attributes of filesystems with extended attributes - Allow sysadm_t dbus chat with realmd_t - Make cupsd_lpd_t a daemon - Allow tlp dbus-chat with NetworkManager - filesystem: add fs_use_trans for ramfs - Allow systemd-logind destroy unconfined user's IPC objects * Thu Nov 04 2021 Zdenek Pytela <> - 35.5-1 - Support sanlock VG automated recovery on storage access loss 2/2 - Support sanlock VG automated recovery on storage access loss 1/2 - Revert "Support sanlock VG automated recovery on storage access loss" - Allow tlp get service units status - Allow fedora-third-party manage 3rd party repos - Allow xdm_t nnp_transition to login_userdomain - Add the auth_read_passwd_file() interface - Allow redis-sentinel execute a notification script - Allow fetchmail search cgroup directories - Allow lvm_t to read/write devicekit disk semaphores - Allow devicekit_disk_t to use /dev/mapper/control - Allow devicekit_disk_t to get IPC info from the kernel - Allow devicekit_disk_t to read systemd-logind pid files - Allow devicekit_disk_t to mount filesystems on mnt_t directories - Allow devicekit_disk_t to manage mount_var_run_t files - Allow rasdaemon sys_admin capability to verify the CAP_SYS_ADMIN of the soft_offline_page function implemented in the kernel - Use $releasever in koji repo to reduce rawhide hardcoding - authlogin: add fcontext for tcb - Add erofs as a SELinux capable file system - Allow systemd execute user bin files - Support sanlock VG automated recovery on storage access loss - Support new PING_CHECK health checker in keepalived * Wed Oct 20 2021 Zdenek Pytela <> - 35.4-1 - Allow fedora-third-party map generic cache files - Add gnome_map_generic_cache_files() interface - Add files_manage_var_lib_dirs() interface - Allow fedora-third party manage gpg keys - Allow fedora-third-party run "flatpak remote-add --from flathub" * Tue Oct 19 2021 Zdenek Pytela <> - 35.3-1 - Allow fedora-third-party run flatpak post-install actions - Allow fedora-third-party set_setsched and sys_nice * Mon Oct 18 2021 Zdenek Pytela <> - 35.2-1 - Allow fedora-third-party execute "flatpak remote-add" - Add files_manage_var_lib_files() interface - Add write permisson to userfaultfd_anon_inode_perms - Allow proper function sosreport via iotop - Allow proper function sosreport in sysadmin role - Allow fedora-third-party to connect to the system log service - Allow fedora-third-party dbus chat with policykit - Allow chrony-wait service start with DynamicUser=yes - Allow management of lnk_files if similar access to regular files - Allow unconfined_t transition to mozilla_plugin_t with NoNewPrivileges - Allow systemd-resolved watch /run/systemd - Allow fedora-third-party create and use unix_dgram_socket - Removing pkcs_tmpfs_filetrans interface and edit pkcs policy files - Allow login_userdomain named filetrans to pkcs_slotd_tmpfs_t domain * Thu Oct 07 2021 Zdenek Pytela <> - 35.1-1 - Add fedoratp module - Allow xdm_t domain transition to fedoratp_t - Allow ModemManager create and use netlink route socket - Add default file context for /run/gssproxy.default.sock - Allow xdm_t watch fonts directories - Allow xdm_t watch generic directories in /lib - Allow xdm_t watch generic pid directories * Thu Sep 23 2021 Zdenek Pytela <> - 34.21-1 - Add bluetooth-related permissions into a tunable block - Allow gnome at-spi processes create and use stream sockets - Allow usbmuxd get attributes of tmpfs_t filesystems - Allow fprintd install a sleep delay inhibitor - Allow collectd get attributes of infiniband devices - Allow collectd create and user netlink rdma socket - Allow collectd map packet_socket - Allow snort create and use blootooth socket - Allow systemd watch and watch_reads console devices - Allow snort create and use generic netlink socket - Allow NetworkManager dbus chat with fwupd - Allow unconfined domains read/write domain perf_events - Allow scripts to enter LUKS password - Update mount_manage_pid_files() to use manage_files_pattern - Support hitless reloads feature in haproxy - Allow haproxy list the sysfs directories content - Allow gnome at-spi processes get attributes of tmpfs filesystems - Allow unbound connectto unix_stream_socket - Allow rhsmcertd_t dbus chat with anaconda install_t * Thu Sep 16 2021 Zdenek Pytela <> - 34.20-1 - cleanup unused codes - Fix typo in the gnome_exec_atspi() interface summary - Allow xdm execute gnome-atspi services - Allow gnome at-spi processes execute dbus-daemon in caller domain - Allow xdm watch dbus configuration - Allow xdm execute dbus-daemon in the caller domain - Revert "Allow xdm_t transition to system_dbusd_t" - Allow at-spi-bus-launcher read and map xdm pid files - Allow dhcpcd set its resource limits - Allow systemd-sleep get removable devices attributes - Allow usbmuxd get attributes of fs_t filesystems * Thu Sep 09 2021 Zdenek Pytela <> - 34.19-1 - Update the dhcp client local policy - Allow firewalld load kernel modules - Allow postfix_domain to sendto unix dgram sockets. - Allow systemd watch unallocated ttys * Tue Sep 07 2021 Zdenek Pytela <> - 34.18-1 - Allow ModemManager create a qipcrtr socket - Allow ModemManager request to load a kernel module - Label /usr/sbin/virtproxyd as virtd_exec_t - Allow communication between at-spi and gdm processes - Update ica_filetrans_named_content() with create_file_perms - Fix the gnome_atspi_domtrans() interface summary * Fri Aug 27 2021 Zdenek Pytela <> - 34.17-5 - Add ica module to modules-targeted-contrib.conf * Fri Aug 27 2021 Zdenek Pytela <> - 34.17-4 - Add trailing \ to the relabel() block which is needed even in a comment * Fri Aug 27 2021 Zdenek Pytela <> - 34.17-3 - Add ica module to modules-targeted.conf * Fri Aug 27 2021 Zdenek Pytela <> - 34.17-2 - Relabel /var/lib/rpm explicitly - Revert "Relabel /dev/dma_heap explicitly" * Fri Aug 27 2021 Zdenek Pytela <> - 34.17-1 - Add support for at-spi - Add permissions for system dbus processes - Allow various domains work with ICA crypto accelerator - Add ica module - Revert "Support using ICA crypto accelerator on s390x arch" - Allow systemd to delete fwupd var cache files - Allow vmtools_unconfined_t domain transition to rpm_script_t - Allow dirsrv read slapd tmpfs files - Revert "Label /dev/shm/dirsrv/ with dirsrv_tmpfs_t label" - Rename samba_exec() to samba_exec_net() - Support using ICA crypto accelerator on s390x arch - Allow systemd delete /run/systemd/default-hostname - Allow tcpdump read system state information in /proc - Allow rhsmcertd to create cache file in /var/cache/cloud-what - Allow D-bus communication between avahi and sosreport - Label /usr/libexec/gdm-runtime-config with xdm_exec_t - Allow lldpad send to kdumpctl over a unix dgram socket - Revert "Allow lldpad send to kdump over a unix dgram socket" - Allow chronyc respond to a user chronyd instance - Allow ptp4l respond to pmc - Allow lldpad send to unconfined_t over a unix dgram socket - Allow sssd to set samba setting * Thu Aug 12 2021 Zdenek Pytela <> - 34.16-1 - Allow systemd-timesyncd watch system dbus pid socket files - Allow firewalld drop capabilities - Allow rhsmcertd execute gpg - Allow lldpad send to kdump over a unix dgram socket - Allow systemd-gpt-auto-generator read udev pid files - Set default file context for /sys/firmware/efi/efivars - Allow tcpdump run as a systemd service - Allow nmap create and use netlink generic socket - Allow nscd watch system db files in /var/db - Allow cockpit_ws_t get attributes of fs_t filesystems - Allow sysadm acces to kernel module resources - Allow sysadm to read/write scsi files and manage shadow - Allow sysadm access to files_unconfined and bind rpc ports - Allow sysadm read and view kernel keyrings - Allow journal mmap and read var lib files - Allow tuned to read rhsmcertd config files - Allow bootloader to read tuned etc files - Label /usr/bin/qemu-storage-daemon with virtd_exec_t * Fri Aug 06 2021 Zdenek Pytela <> - 34.15-1 - Disable seccomp on CI containers - Allow systemd-machined stop generic service units - Allow virtlogd_t read process state of user domains - Add "/" at the beginning of dev/shm/var\.lib\.opencryptoki.* regexp - Label /dev/crypto/nx-gzip with accelerator_device_t - Update the policy for systemd-journal-upload - Allow unconfined domains to bpf all other domains - Confine rhsm service and rhsm-facts service as rhsmcertd_t - Allow fcoemon talk with unconfined user over unix domain datagram socket - Allow abrt_domain read and write z90crypt device - Allow mdadm read iscsi pid files - Change dev_getattr_infiniband_dev() to use getattr_chr_files_pattern() - Label /usr/lib/pcs/pcs_snmp_agent with cluster_exec_t - Allow hostapd bind UDP sockets to the dhcpd port - Unconfined domains should not be confined * Fri Jul 23 2021 Fedora Release Engineering <> - 34.14-2 - Rebuilt for * Wed Jul 14 2021 Zdenek Pytela <> - 34.14-1 - Revert "update libs_filetrans_named_content() to have support for /usr/lib/debug directory" - Remove references to init_watch_path_type attribute - Remove all redundant watch permissions for systemd - Allow systemd watch non_security_file_type dirs, files, lnk_files - Removed adding to attribute unpriv_userdomain from userdom_unpriv_type template - Allow bacula get attributes of cgroup filesystems - Allow systemd-journal-upload watch logs and journal - Create a policy for systemd-journal-upload - Allow tcpdump and nmap get attributes of infiniband_device_t - Allow arpwatch get attributes of infiniband_device_t devices - Label /dev/wmi/dell-smbios as acpi_device_t * Thu Jul 01 2021 Zdenek Pytela <> - 34.13-1 - Allow radius map its library files - Allow nftables read NetworkManager unnamed pipes - Allow logrotate rotate container log files * Tue Jun 22 2021 Zdenek Pytela <> - 34.12-2 - Add a systemd service to check that SELinux is disabled properly - specfile: Add unowned dir to the macro - Relabel /dev/dma_heap explicitly * Mon Jun 21 2021 Zdenek Pytela <> - 34.12-1 - Label /dev/dma_heap/* char devices with dma_device_t - Revert "Label /dev/dma_heap/* char devices with dma_device_t" - Revert "Label /dev/dma_heap with dma_device_dir_t" - Revert "Associate dma_device_dir_t with device filesystem" - Add the lockdown integrity permission to dev_map_userio_dev() - Allow systemd-modules-load read/write tracefs files - Allow sssd watch /run/systemd - Label /usr/bin/arping plain file with netutils_exec_t - Label /run/fsck with fsadm_var_run_t - Label /usr/bin/Xwayland with xserver_exec_t - Allow systemd-timesyncd watch dbus runtime dir - Allow asterisk watch localization files - Allow iscsid read all process stat - iptables.fc: Add missing legacy-restore and legacy-save entries - Label /run/libvirt/common with virt_common_var_run_t - Label /.k5identity file allow read of this file to rpc.gssd - Make usbmuxd_t a daemon * Wed Jun 09 2021 Zdenek Pytela <> - 34.11-1 - Allow sanlock get attributes of cgroup filesystems - Associate dma_device_dir_t with device filesystem - Set default file context for /var/run/systemd instead of /run/systemd - Allow nmap create and use rdma socket - Allow pkcs-slotd create and use netlink_kobject_uevent_socket * Sun Jun 06 2021 Zdenek Pytela <> - 34.10-1 - Allow using opencryptoki for ipsec - Allow using opencryptoki for certmonger - Label var.lib.opencryptoki.* files and create pkcs_tmpfs_filetrans() - Label /dev/dma_heap with dma_device_dir_t - Allow syslogd watch non security dirs conditionally - Introduce logging_syslogd_list_non_security_dirs tunable - Remove openhpi module - Allow udev to watch fixed disk devices - Allow httpd_sys_script_t read, write, and map hugetlbfs files - Allow apcupsd get attributes of cgroup filesystems * Thu May 27 2021 Zdenek Pytela <> - 34.9-1 - Add kerberos object filetrans for nsswitchdomain - Allow fail2ban watch various log files - Add logging_watch_audit_log_files() and logging_watch_audit_log_dirs() - Remove further modules recently removed from refpolicy - Remove modules not shipped and not present in refpolicy - Revert "Add permission open to files_read_inherited_tmp_files() interface" - Revert "Allow pcp_pmlogger_t to use setrlimit BZ(1708951)" - Revert "Dontaudit logrotate to setrlimit itself. rhbz#1309604" - Revert "Allow cockpit_ws_t domain to set limits BZ(1701703)" - Dontaudit setrlimit for domains that exec systemctl - Allow kdump_t net_admin capability - Allow nsswitch_domain read init pid lnk_files - Label /dev/trng with random_device_t - Label /run/systemd/default-hostname with hostname_etc_t - Add default file context specification for dnf log files - Label /dev/zram[0-9]+ block device files with fixed_disk_device_t - Label /dev/udmabuf character device with dma_device_t - Label /dev/dma_heap/* char devices with dma_device_t - Label /dev/acpi_thermal_rel char device with acpi_device_t * Thu May 20 2021 Zdenek Pytela <> - 34.8-2 - Remove temporary explicit /dev/nvme relabeling * Thu May 20 2021 Zdenek Pytela <> - 34.8-1 - Allow local_login_t nnp_transition to login_userdomain - Allow asterisk watch localization symlinks - Allow NetworkManager_t to watch /etc - Label /var/lib/kdump with kdump_var_lib_t - Allow amanda get attributes of cgroup filesystems - Allow sysadm_t nnp_domtrans to systemd_tmpfiles_t - Allow install_t nnp_domtrans to setfiles_mac_t - Allow fcoemon create sysfs files * Thu May 13 2021 Zdenek Pytela <> - 34.7-1 - Allow tgtd read and write infiniband devices - Add a comment on virt_sandbox booleans with empty content - Deprecate duplicate dev_write_generic_sock_files() interface - Allow vnstatd_t map vnstatd_var_lib_t files - Allow privoxy execmem - Allow pmdakvm read information from the debug filesystem - Add lockdown integrity into kernel_read_debugfs() and kernel_manage_debugfs() - Add permissions to delete lnk_files into gnome_delete_home_config() - Remove rules for inotifyfs - Remove rules for anon_inodefs - Allow systemd nnp_transition to login_userdomain - Allow unconfined_t write other processes perf_event records - Allow sysadm_t dbus chat with tuned - Allow tuned write profile files with file transition - Allow tuned manage perf_events - Make domains use kernel_write_perf_event() and kernel_manage_perf_event() * Fri May 07 2021 Zdenek Pytela <> - 34.6-1 - Make domains use kernel_write_perf_event() and kernel_manage_perf_event() - Add kernel_write_perf_event() and kernel_manage_perf_event() - Allow syslogd_t watch root and var directories - Allow unconfined_t read other processes perf_event records - Allow login_userdomain read and map /var/lib/systemd files - Allow NetworkManager watch its config dir - Allow NetworkManager read and write z90crypt device - Allow tgtd create and use rdma socket - Allow aide connect to init with a unix socket * Tue May 04 2021 Zdenek Pytela <> - 34.5-1 - Grant execmem to varnishlog_t - We no longer need signull for varnishlog_t - Add map permission to varnishd_read_lib_files - Allow systemd-sleep tlp_filetrans_named_content() - Allow systemd-sleep execute generic programs - Allow systemd-sleep execute shell - Allow to sendmail read/write kerberos host rcache files - Allow freshclam get attributes of cgroup filesystems - Fix context of /run/systemd/timesync - Allow udev create /run/gdm with proper type - Allow chronyc socket file transition in user temp directory - Allow virtlogd_t to create virt_var_lockd_t dir - Allow pluto IKEv2 / ESP over TCP * Tue Apr 27 2021 Zdenek Pytela <> - 34.4-1 - Allow domain create anonymous inodes - Add anon_inode class to the policy - Allow systemd-coredump getattr nsfs files and net_admin capability - Allow systemd-sleep transition to sysstat_t - Allow systemd -sleep transition to tlp_t - Allow systemd-sleep transition to unconfined_service_t on bin_t executables - Allow systemd-timedated watch runtime dir and its parent - Allow system dbusd read /var/lib symlinks - Allow unconfined_service_t confidentiality and integrity lockdown - Label /var/lib/brltty with brltty_var_lib_t - Allow domain and unconfined_domain_type watch /proc/PID dirs - Additional permission for confined users loging into graphic session - Make for screen fsetid/setuid/setgid permission conditional - Allow for confined users acces to wtmp and run utempter * Fri Apr 09 2021 Zdenek Pytela <> - 34.3-1 - Label /etc/redis as redis_conf_t - Add brltty new permissions required by new upstream version - Allow cups-lpd read its private runtime socket files - Dontaudit daemon open and read init_t file - Add file context specification for /var/tmp/tmp-inst - Allow brltty create and use bluetooth_socket - Allow usbmuxd get attributes of cgroup filesystems * Tue Apr 06 2021 Zdenek Pytela <> - 34.2-1 - Allow usbmuxd get attributes of cgroup filesystems - Allow accounts-daemon get attributes of cgroup filesystems - Allow pool-geoclue get attributes of cgroup filesystems - allow systemd-sleep to set timer for suspend-then-hibernate - Allow aide connect to systemd-userdbd with a unix socket - Add new interfaces with watch_mount and watch_with_perm permissions - Add file context specification for /usr/libexec/realmd - Allow /tmp file transition for dbus-daemon also for sock_file - Allow login_userdomain create cgroup files - Allow plymouthd_t exec generic program in bin directories * Thu Apr 01 2021 Zdenek Pytela <> - 34.1-1 - Change the package versioning * Thu Apr 01 2021 Zdenek Pytela <> - 3.14.8-10 - Allow plymouthd_t exec generic program in bin directories - Allow dhcpc_t domain transition to chronyc_t - Allow login_userdomain bind xmsg port - Allow ibacm the net_raw and sys_rawio capabilities - Allow nsswitch_domain read cgroup files - Allow systemd-sleep create hardware state information files * Mon Mar 29 2021 Zdenek Pytela <> - 3.14.8-9 - Add watch_with_perm_dirs_pattern file pattern * Fri Mar 26 2021 Zdenek Pytela <> - 3.14.8-8 - Allow arpwatch_t create netlink generic socket - Allow postgrey read network state - Add watch_mount_dirs_pattern file pattern - Allow bluetooth_t dbus chat with fwupd_t - Allow xdm_t watch accountsd lib directories - Add additional interfaces for watching /boot - Allow sssd_t get attributes of tmpfs filesystems - Allow local_login_t get attributes of tmpfs filesystems - Dontaudit domain the fowner capability - Extend fs_manage_nfsd_fs() to allow managing dirs as well - Allow spice-vdagentd watch systemd-logind session dirs * Fri Mar 19 2021 Zdenek Pytela <> - 3.14.8-7 - Allow xdm_t watch systemd-logind session dirs - Allow xdm_t transition to system_dbusd_t - Allow confined users login into graphic session - Allow login_userdomain watch systemd login session dirs - install_t: Allow NoNewPriv transition from systemd - Remove setuid/setgid capabilities from mysqld_t - Add context for new mariadbd executable files - Allow netutils_t create netlink generic socket - Allow systemd the audit_control capability conditionally * Thu Mar 11 2021 Zdenek Pytela <> - 3.14.8-6 - Allow polkit-agent-helper-1 read logind sessions files - Allow polkit-agent-helper read init state - Allow login_userdomain watch generic device dirs - Allow login_userdomain listen on bluetooth sockets - Allow user_t and staff_t bind netlink_generic_socket - Allow login_userdomain write inaccessible nodes - Allow transition from xdm domain to unconfined_t domain. - Add 'make validate' step to CI - Disallow user_t run su/sudo and staff_t run su - Fix typo in rsyncd.conf in rsync.if - Add an alias for nvme_device_t - Allow systemd watch and watch_reads unallocated ttys * Wed Mar 03 2021 Zdenek Pytela <> - 3.14.8-5 - Allow apmd watch generic device directories - Allow kdump load a new kernel - Add confidentiality lockdown permission to kernel_read_core_if() - Allow keepalived read nsfs files - Allow local_login_t get attributes of filesystems with ext attributes - Allow keepalived read/write its private memfd: objects - Add missing declaration in rpm_named_filetrans() - Change param description in cron interfaces to userdomain_prefix * Wed Feb 24 2021 Zdenek Pytela <> - 3.14.8-4 - iptables.fc: Add missing legacy entries - iptables.fc: Remove some duplicate entries - iptables.fc: Remove duplicate file context entries - Allow libvirtd to create generic netlink sockets - Allow libvirtd the fsetid capability - Allow libvirtd to read /run/utmp - Dontaudit sys_ptrace capability when calling systemctl - Allow udisksd to read /dev/random - Allow udisksd to watch files under /run/mount - Allow udisksd to watch /etc - Allow crond to watch user_cron_spool_t directories - Allow accountsd watch xdm config directories - Label /etc/avahi with avahi_conf_t - Allow sssd get cgroup filesystems attributes and search cgroup dirs - Allow systemd-hostnamed read udev runtime data - Remove dev_getattr_sysfs_fs() interface calls for particular domains - Allow domain stat the /sys filesystem - Dontaudit NetworkManager write to initrc_tmp_t pipes - policykit.te: Clean up watch rule for policykit_auth_t - Revert further unnecessary watch rules - Revert "Allow getty watch its private runtime files" - Allow systemd watch generic /var directories - Allow init watch network config files and lnk_files - Allow systemd-sleep get attributes of fixed disk device nodes - Complete initial policy for systemd-coredump - Label SDC(scini) Dell Driver - Allow upowerd to send syslog messages - Remove the disk write permissions from tlp_t - Label NVMe devices as fixed_disk_device_t - Allow rhsmcertd bind tcp sockets to a generic node - Allow systemd-importd manage machines.lock file * Tue Feb 16 2021 Zdenek Pytela <> - 3.14.8-3 - Allow unconfined integrity lockdown permission - Relocate confidentiality lockdown rule from unconfined_domain_type to unconfined - Allow systemd-machined manage systemd-userdbd runtime sockets - Enable systemd-sysctl domtrans for udev - Introduce kernel_load_unsigned_module interface and use it for couple domains - Allow gpg watch user gpg secrets dirs - Build also the container module in CI - Remove duplicate code from kernel.te - Allow restorecond to watch all non-auth directories - Allow restorecond to watch its config file * Mon Feb 15 2021 Zdenek Pytela <> - 3.14.8-2 - Allow userdomain watch various filesystem objects - Allow systemd-logind and systemd-sleep integrity lockdown permission - Allow unconfined_t and kprop_t to create krb5_0.rcache2 with the right context - Allow pulseaudio watch devices and systemd-logind session dirs - Allow abrt-dump-journal-* watch generic log dirs and /run/log/journal dir - Remove duplicate files_mounton_etc(init_t) call - Add watch permissions to manage_* object permissions sets - Allow journalctl watch generic log dirs and /run/log/journal dir - Label /etc/resolv.conf as net_conf_t even when it's a symlink - Allow SSSD to watch /var/run/NetworkManager - Allow dnsmasq_t to watch /etc - Remove unnecessary lines from the new watch interfaces - Fix docstring for init_watch_dir() - Allow xdm watch its private lib dirs, /etc, /usr * Thu Feb 11 2021 Zdenek Pytela <> - 3.14.8-1 - Bump version as Fedora 34 has been branched off rawhide - Allow xdm watch its private lib dirs, /etc, /usr - Allow systemd-importd create /run/systemd/machines.lock file - Allow rhsmcertd_t read kpatch lib files - Add integrity lockdown permission into dev_read_raw_memory() - Add confidentiality lockdown permission into fs_rw_tracefs_files() - Allow gpsd read and write ptp4l_t shared memory. - Allow colord watch its private lib files and /usr - Allow init watch_reads mount PID files - Allow IPsec and Certmonger to use opencryptoki services * Sun Feb 07 2021 Zdenek Pytela <> - 3.14.7-18 - Allow lockdown confidentiality for domains using perf_event - define lockdown class and access - Add perfmon capability for all domains using perf_event - Allow ptp4l_t bpf capability to run bpf programs - Revert "Allow ptp4l_t sys_admin capability to run bpf programs" - access_vectors: Add new capabilities to cap2 - Allow systemd and systemd-resolved watch dbus pid objects - Add new watch interfaces in the base and userdomain policy - Add watch permissions for contrib packages - Allow xdm watch /usr directories - Allow getty watch its private runtime files - Add watch permissions for nscd and sssd - Add watch permissions for firewalld and NetworkManager - Add watch permissions for syslogd - Add watch permissions for systemd services - Allow restorecond watch /etc dirs - Add watch permissions for user domain types - Add watch permissions for init - Add basic watch interfaces for systemd - Add basic watch interfaces to the base module - Add additional watch object permissions sets and patterns - Allow init_t to watch localization symlinks - Allow init_t to watch mount directories - Allow init_t to watch cgroup files - Add basic watch patterns - Add new watch* permissions * Fri Feb 05 2021 Zdenek Pytela <> - 3.14.7-17 - Update .copr/ to use rawhide as DISTGIT_BRANCH - Dontaudit setsched for rndc - Allow systemd-logind destroy entries in message queue - Add userdom_destroy_unpriv_user_msgq() interface - ci: Install build dependencies from koji - Dontaudit vhostmd to write in /var/lib/rpm/ dir and allow signull rpm - Add new cmadmin port for bfdd dameon - virtiofs supports Xattrs and SELinux - Allow domain write to systemd-resolved PID socket files - Label /var/run/pcsd-ruby.socket socket with cluster_var_run_t type - Allow rhsmcertd_t domain transition to kpatch_t - Revert "Add kpatch_exec() interface" - Revert "Allow rhsmcertd execute kpatch" - Allow openvswitch create and use xfrm netlink sockets - Allow openvswitch_t perf_event write permission - Add kpatch_exec() interface - Allow rhsmcertd execute kpatch - Adds rule to allow glusterd to access RDMA socket - radius: Lexical sort of service-specific corenet rules by service name - VQP: Include IANA-assigned TCP/1589 - radius: Allow binding to the VQP port (VMPS) - radius: Allow binding to the BDF Control and Echo ports - radius: Allow binding to the DHCP client port - radius: Allow net_raw; allow binding to the DHCP server ports - Add rsync_sys_admin tunable to allow rsync sys_admin capability - Allow staff_u run pam_console_apply - Allow openvswitch_t perf_event open permission - Allow sysadm read and write /dev/rfkill - Allow certmonger fsetid capability - Allow domain read usermodehelper state information * Wed Jan 27 2021 Fedora Release Engineering <> - 3.14.7-16 - Rebuilt for * Fri Jan 22 2021 Petr Lautrbach <> - 3.14.7-15 - Update specfile to not verify md5/size/mtime for active store files - Add /var/mnt equivalency to /mnt - Rebuild with SELinux userspace 3.2-rc1 release * Fri Jan 08 2021 Zdenek Pytela <> - 3.14.7-14 - Allow domain read usermodehelper state information - Remove all kernel_read_usermodehelper_state() interface calls - .copr: improve timestamp format - Allow wireshark create and use rdma socket - Allow domain stat /proc filesystem - Remove all kernel_getattr_proc() interface calls - Revert "Allow passwd to get attributes in proc_t" - Revert "Allow dovecot_auth_t stat /proc filesystem" - Revert "Allow sssd, unix_chkpwd, groupadd stat /proc filesystem" - Allow sssd read /run/systemd directory - Label /dev/vhost-vdpa-[0-9]+ as vhost_device_t * Thu Dec 17 2020 Zdenek Pytela <> - 3.14.7-13 - Label /dev/isst_interface as cpu_device_t - Dontaudit firewalld dac_override capability - Allow ipsec set the context of a SPD entry to the default context - Build binary RPMs in CI - Add SRPM build scripts for COPR * Tue Dec 15 2020 Zdenek Pytela <> - 3.14.7-12 - Allow dovecot_auth_t stat /proc filesystem - Allow sysadm_u user and unconfined_domain_type manage perf_events - Allow pcp-pmcd manage perf_events - Add manage_perf_event_perms object permissions set - Add perf_event access vectors. - Allow sssd, unix_chkpwd, groupadd stat /proc filesystem - Allow stub-resolv.conf to be a symlink - sysnetwork.if: avoid directly referencing systemd_resolved_var_run_t - Create the systemd_dbus_chat_resolved() compatibility interface - Allow nsswitch-domain write to systemd-resolved PID socket files - Add systemd_resolved_write_pid_sock_files() interface - Add default file context for "/var/run/chrony-dhcp(/.*)?" - Allow timedatex dbus chat with cron system domain - Add cron_dbus_chat_system_job() interface - Allow systemd-logind manage init's pid files * Wed Dec 09 2020 Zdenek Pytela <> - 3.14.7-11 - Allow systemd-logind manage init's pid files - Allow tcsd the setgid capability - Allow systemd-resolved manage its private runtime symlinks - Update systemd_resolved_read_pid() to also read symlinks - Update systemd-sleep policy - Add groupadd_t fowner capability - Migrate to GitHub Actions - Update to reflect the state after contrib and base merge - Add announcing merging of selinux-policy and selinux-policy-contrib - Adapt .travis.yml to contrib merge - Merge contrib into the main repo - Prepare to merge contrib repo - Move stuff around to match the main repo * Thu Nov 26 2020 Zdenek Pytela <> - 3.14.7-10 - Allow Xephyr connect to 6000/tcp port and open user ptys - Allow kexec manage generic tmp files - Update targetd nfs & lvm - Add interface rpc_manage_exports - Merge selinux-policy and selinux-policy-contrib repos * Tue Nov 24 2020 Zdenek Pytela <> - 3.14.7-9 - Allow varnish map its private tmp files - Allow dovecot bind to smtp ports - Change fetchmail temporary files path to /var/spool/mail - Allow cups_pdf_t domain to communicate with unix_dgram_socket - Set file context for symlinks in /etc/httpd to etc_t - Allow rpmdb rw access to inherited console, ttys, and ptys - Allow dnsmasq read public files - Announce merging of selinux-policy and selinux-policy-contrib - Label /etc/resolv.conf as net_conf_t only if it is a plain file - Fix range for unreserved ports - Add files_search_non_security_dirs() interface - Introduce logging_syslogd_append_public_content tunable - Add miscfiles_append_public_files() interface * Fri Nov 13 2020 Zdenek Pytela <> - 3.14.7-8 - Set correct default file context for /usr/libexec/pcp/lib/* - Introduce rpmdb_t type - Allow slapd manage files/dirs in ldap certificates directory - Revert "Allow certmonger add new entries in a generic certificates directory" - Allow certmonger add new entries in a generic certificates directory - Allow slapd add new entries in ldap certificates directory - Remove retired PCP pmwebd and pmmgr daemons (since 5.0) - Let keepalived bind a raw socket - Add default file context for /usr/libexec/pcp/lib/* - squid: Allow net_raw capability when squid_use_tproxy is enabled - systemd: allow networkd to check namespaces - Add ability to read init_var_run_t where fs_read_efivarfs_files is allowed - Allow resolved to created varlink sockets and the domain to talk to it - selinux: tweak selinux_get_enforce_mode() to allow status page to be used - systemd: allow all systemd services to check selinux status - Set default file context for /var/lib/ipsec/nss - Allow user domains transition to rpmdb_t - Revert "Add miscfiles_add_entry_generic_cert_dirs() interface" - Revert "Add miscfiles_create_generic_cert_dirs() interface" - Update miscfiles_manage_all_certs() to include managing directories - Add miscfiles_create_generic_cert_dirs() interface - Add miscfiles_add_entry_generic_cert_dirs() interface - Revert "Label /var/run/zincati/public/motd.d/* as motd_var_run_t" * Tue Nov 03 2020 Petr Lautrbach <> - 3.14.7-7 - Rebuild with latest libsepol - Bump policy version to 33 * Thu Oct 22 2020 Zdenek Pytela <> - 3.14.7-6 - rpc.fc: Include /etc/exports.d dir & files - Create chronyd_pid_filetrans() interface - Change invalid type redisd_t to redis_t in redis_stream_connect() - Revert "Removed adding to attribute unpriv_userdomain from userdom_unpriv_type template" - Allow init dbus chat with kernel - Allow initrc_t create /run/chronyd-dhcp directory with a transition - Drop gcc from dependencies in Travis CI - Use "==" for comparing integers. - re-implement fc_sort in python - Remove invalid file context line - Drop git from dependencies in Travis CI * Tue Oct 06 2020 Zdenek Pytela <> - 3.14.7-5 - Remove empty line from rshd.fc - Allow systemd-logind read swap files - Add fstools_read_swap_files() interface - Allow dyntransition from sshd_t to unconfined_t - Removed adding to attribute unpriv_userdomain from userdom_unpriv_type template * Fri Sep 25 2020 Zdenek Pytela <> - 3.14.7-4 - Allow chronyd_t to accept and make NTS-KE connections - Allow domain write to an automount unnamed pipe - Label /var/run/zincati/public/motd.d/* as motd_var_run_t - Allow login programs to (only) read MOTD files and symlinks - Relabel /usr/sbin/charon-systemd as ipsec_exec_t - Confine systemd-sleep service - Add fstools_rw_swap_files() interface - Label 4460/tcp port as ntske_port_t - Add lvm_dbus_send_msg(), lvm_rw_var_run() interfaces * Mon Sep 21 2020 Zdenek Pytela <> - 3.14.7-3 - Check out the right -contrib branch in Travis * Fri Sep 18 2020 Zdenek Pytela <> - 3.14.7-2 - Allow openvswitch fowner capability and create netlink sockets - Allow additional permissions for gnome-initial-setup - Add to map non_security_files to the userdom_admin_user_template template - kernel/filesystem: Add exfat support (no extended attributes) * Tue Sep 08 2020 Zdenek Pytela <> - 3.14.7-1 - Bump version as Fedora 33 has been branched - Allow php-fpm write access to /var/run/redis/redis.sock - Allow journalctl to read and write to inherited user domain tty - Update rkt policy to allow rkt_t domain to read sysfs filesystem - Allow arpwatch create and use rdma socket - Allow plymouth sys_chroot capability - Allow gnome-initial-setup execute in a xdm sandbox - Add new devices and filesystem interfaces * Mon Aug 24 2020 Zdenek Pytela <> - 3.14.6-25 - Allow certmonger fowner capability - The nfsdcld service is now confined by SELinux - Change transitions for ~/.config/Yubico - Allow all users to connect to systemd-userdbd with a unix socket - Add file context for ~/.config/Yubico - Allow syslogd_t domain to read/write tmpfs systemd-bootchart files - Allow login_pgm attribute to get attributes in proc_t - Allow passwd to get attributes in proc_t - Revert "Allow passwd to get attributes in proc_t" - Revert "Allow login_pgm attribute to get attributes in proc_t" - Allow login_pgm attribute to get attributes in proc_t - Allow passwd to get attributes in proc_t - Allow traceroute_t and ping_t to bind generic nodes. - Create macro corenet_icmp_bind_generic_node() - Allow unconfined_t to node_bind icmp_sockets in node_t domain * Thu Aug 13 2020 Zdenek Pytela <> - 3.14.6-24 - Add ipa_helper_noatsecure() interface unconditionally - Conditionally allow nagios_plugin_domain dbus chat with init - Revert "Update allow rules set for nrpe_t domain" - Add ipa_helper_noatsecure() interface to ipa.if - Label /usr/libexec/qemu-pr-helper with virtd_exec_t - Allow kadmind manage kerberos host rcache - Allow nsswitch_domain to connect to systemd-machined using a unix socket - Define named file transition for sshd on /tmp/krb5_0.rcache2 - Allow systemd-machined create userdbd runtime sock files - Disable kdbus module before updating * Mon Aug 03 2020 Zdenek Pytela <> - 3.14.6-23 - Revert "Add support for /sys/fs/kdbus and allow login_pgm domain to access it." - Revert "Add interface to allow types to associate with cgroup filesystems" - Revert "kdbusfs should not be accessible for now." - Revert "kdbusfs should not be accessible for now by default for shipped policies. It should be moved to kdbus.pp" - Revert "Add kdbus.pp policy to allow access /sys/fs/kdbus. It needs to go with own module because this is workaround for now to avoid SELinux in enforcing mode." - Remove the legacy kdbus module - Remove "kdbus = module" from modules-targeted-base.conf * Thu Jul 30 2020 Zdenek Pytela <> - 3.14.6-22 - Allow virtlockd only getattr and lock block devices - Allow qemu-ga read all non security file types conditionally - Allow virtlockd manage VMs posix file locks - Allow smbd get attributes of device files labeled samba_share_t - Label /tmp/krb5_0.rcache2 with krb5_host_rcache_t - Add a new httpd_can_manage_courier_spool boolean - Create interface courier_manage_spool_sockets() in courier policy to allow to search dir and allow manage sock files - Revert "Allow qemu-kvm read and write /dev/mapper/control" - Revert "Allow qemu read and write /dev/mapper/control" - Revert "Dontaudit and disallow sys_admin capability for keepalived_t domain" - Dontaudit pcscd_t setting its process scheduling - Dontaudit thumb_t setting its process scheduling - Allow munin domain transition with NoNewPrivileges - Add dev_lock_all_blk_files() interface - Allow auditd manage kerberos host rcache files - Allow systemd-logind dbus chat with fwupd * Wed Jul 29 2020 Fedora Release Engineering <> - 3.14.6-21 - Rebuilt for * Mon Jul 13 2020 Lukas Vrabec <> - 3.14.6-20 - Align gen_tunable() syntax with sepolgen * Fri Jul 10 2020 Zdenek Pytela <> - 3.14.6-19 - Additional support for keepalived running in a namespace - Remove systemd_dbus_chat_resolved(pcp_pmie_t) - virt: remove the libvirt qmf rules - Allow certmonger manage dirsrv services - Run ipa_helper_noatsecure(oddjob_t) only if the interface exists - Allow domain dbus chat with systemd-resolved - Define file context for /var/run/netns directory only - Revert "Add support for fuse.glusterfs" * Tue Jul 07 2020 Zdenek Pytela <> - 3.14.6-18 - Allow oddjob_t process noatsecure permission for ipa_helper_t - Allow keepalived manage its private type runtime directories - Update irqbalance runtime directory file context - Allow irqbalance file transition for pid sock_files and directories - Allow systemd_private_tmp(dirsrv_tmp_t) instead of dirsrv_t - Allow virtlogd_t manage virt lib files - Allow systemd set efivarfs files attributes - Support systemctl --user in machinectl - Allow chkpwd_t read and write systemd-machined devpts character nodes - Allow init_t write to inherited systemd-logind sessions pipes * Fri Jun 26 2020 Zdenek Pytela <> - 3.14.6-17 - Allow pdns server to read system state - Allow irqbalance nnp_transition - Fix description tag for the sssd_connect_all_unreserved_ports tunable - Allow journalctl process set its resource limits - Add sssd_access_kernel_keys tunable to conditionally access kernel keys - Make keepalived work with network namespaces - Create sssd_connect_all_unreserved_ports boolean - Allow hypervkvpd to request kernel to load a module - Allow systemd_private_tmp(dirsrv_tmp_t) - Allow microcode_ctl get attributes of sysfs directories - Remove duplicate files_dontaudit_list_tmp(radiusd_t) line - Allow radiusd connect to gssproxy over unix domain stream socket - Add fwupd_cache_t file context for '/var/cache/fwupd(/.*)?' - Allow qemu read and write /dev/mapper/control - Allow tlp_t can_exec() tlp_exec_t - Dontaudit vpnc_t setting its process scheduling - Remove files_mmap_usr_files() call for particular domains - Allow dirsrv_t list cgroup directories - Crete the kerberos_write_kadmind_tmp_files() interface - Allow realmd_t dbus chat with accountsd_t - Label systemd-growfs and systemd-makefs as fsadm_exec_t - Allow staff_u and user_u setattr generic usb devices - Allow sysadm_t dbus chat with accountsd - Modify kernel_rw_key() not to include append permission - Add kernel_rw_key() interface to access to kernel keyrings - Modify systemd_delete_private_tmp() to use delete_*_pattern macros - Allow systemd-modules to load kernel modules - Add cachefiles_dev_t as a typealias to cachefiles_device_t - Allow libkrb5 lib read client keytabs - Allow domain mmap usr_t files - Remove files_mmap_usr_files() call for systemd domains - Allow sshd write to kadmind temporary files - Do not audit staff_t and user_t attempts to manage boot_t entries - Add files_dontaudit_manage_boot_dirs() interface - Allow systemd-tty-ask-password-agent read efivarfs files * Thu Jun 25 2020 Adam Williamson <> - 3.14.6-16 - Fix scriptlets when /etc/selinux/config does not exist * Thu Jun 04 2020 Zdenek Pytela <> - 3.14.6-15 - Add fetchmail_uidl_cache_t type for /var/mail/ - Support multiple ways of tlp invocation - Allow qemu-kvm read and write /dev/mapper/control - Introduce logrotate_use_cifs boolean - Allow ptp4l_t sys_admin capability to run bpf programs - Allow to getattr files on an nsfs filesystem - httpd: Allow NoNewPriv transition from systemd - Allow rhsmd read process state of all domains and kernel threads - Allow rhsmd mmap /etc/passwd - Allow systemd-logind manage efivarfs files - Allow initrc_t tlp_filetrans_named_content() - Allow systemd_resolved_t to read efivarfs - Allow systemd_modules_load_t to read efivarfs - Introduce systemd_read_efivarfs_type attribute - Allow named transition for /run/tlp from a user shell - Allow ipsec_mgmt_t mmap ipsec_conf_file_t files - Add file context for /sys/kernel/tracing * Tue May 19 2020 Zdenek Pytela <> - 3.14.6-14 - Allow chronyc_t domain to use nsswitch - Allow nscd_socket_use() for domains in nscd_use() unconditionally - Add allow rules for lttng-sessiond domain - Label dirsrv systemd unit files and add dirsrv_systemctl() - Allow gluster geo-replication in rsync mode - Allow nagios_plugin_domain execute programs in bin directories - Allow sys_admin capability for domain labeled systemd_bootchart_t - Split the arping path regexp to 2 lines to prevent from relabeling - Allow tcpdump sniffing offloaded (RDMA) traffic - Revert "Change arping path regexp to work around fixfiles incorrect handling" - Change arping path regexp to work around fixfiles incorrect handling - Allow read efivarfs_t files by domains executing systemctl file * Wed Apr 29 2020 Zdenek Pytela <> - 3.14.6-13 - Update networkmanager_read_pid_files() to allow also list_dir_perms - Update policy for NetworkManager_ssh_t - Allow glusterd synchronize between master and slave - Allow spamc_t domain to read network state - Allow strongswan use tun/tap devices and keys - Allow systemd_userdbd_t domain logging to journal * Tue Apr 14 2020 Zdenek Pytela <> - 3.14.6-12 - Allow rngd create netlink_kobject_uevent_socket and read udev runtime files - Allow ssh-keygen create file in /var/lib/glusterd - Update ctdbd_manage_lib_files() to also allow mmap ctdbd_var_lib_t files - Merge ipa and ipa_custodia modules - Allow NetworkManager_ssh_t to execute_no_trans for binary ssh_exec_t - Introduce daemons_dontaudit_scheduling boolean - Modify path for arping in netutils.fc to match both bin and sbin - Change file context for /var/run/pam_ssh to match file transition - Add file context entry and file transition for /var/run/pam_timestamp * Tue Mar 31 2020 Zdenek Pytela <> - 3.14.6-11 - Allow NetworkManager manage dhcpd unit files - Update ninfod policy to add nnp transition from systemd to ninfod - Remove container interface calling by named_filetrans_domain. * Wed Mar 25 2020 Zdenek Pytela <> - 3.14.6-10 - Allow openfortivpn exec shell - Remove label session_dbusd_tmp_t for /run/user/USERID/systemd - Add ibacm_t ipc_lock capability - Allow ipsec_t connectto ipsec_mgmt_t - Remove ipa_custodia - Allow systemd-journald to read user_tmp_t symlinks * Wed Mar 18 2020 Zdenek Pytela <> - 3.14.6-9 - Allow zabbix_t manage and filetrans temporary socket files - Makefile: fix tmp/%.mod.fc target * Fri Mar 13 2020 Zdenek Pytela <> - 3.14.6-8 - Allow NetworkManager read its unit files and manage services - Add init_daemon_domain() for geoclue_t - Allow to use nnp_transition in pulseaudio_role - Allow pdns_t domain to map files in /usr. - Label all NetworkManager fortisslvpn plugins as openfortivpn_exec_t - Allow login_pgm create and bind on netlink_selinux_socket * Mon Mar 09 2020 Zdenek Pytela <> - 3.14.6-7 - Allow sssd read systemd-resolved runtime directory - Allow sssd read NetworkManager's runtime directory - Mark nm-cloud-setup systemd units as NetworkManager_unit_file_t - Allow system_mail_t to signull pcscd_t - Create interface pcscd_signull - Allow auditd poweroff or switch to single mode * Fri Feb 28 2020 Lukas Vrabec <> - 3.14.6-6 - Allow postfix stream connect to cyrus through runtime socket - Dontaudit daemons to set and get scheduling policy/parameters * Sat Feb 22 2020 Lukas Vrabec <> - 3.14.6-5 - Allow certmonger_t domain to read pkcs_slotd lock files - Allow httpd_t domain to mmap own var_lib_t files BZ(1804853) - Allow ipda_custodia_t to create udp_socket and added permission nlmsg_read for netlink_route_sockets - Make file context more variable for /usr/bin/fusermount and /bin/fusermount - Allow local_login_t domain to getattr cgroup filesystem - Allow systemd_logind_t domain to manage user_tmp_t char and block devices * Tue Feb 18 2020 Lukas Vrabec <> - 3.14.6-4 - Update virt_read_qemu_pid_files inteface - Allow systemd_logind_t domain to getattr cgroup filesystem - Allow systemd_logind_t domain to manage user_tmp_t char and block devices - Allow nsswitch_domain attribute to stream connect to systemd process * Sun Feb 16 2020 Lukas Vrabec <> - 3.14.6-3 - Allow systemd labeled as init_t to manage systemd_userdbd_runtime_t symlinks - Allow systemd_userdbd_t domain to read efivarfs files * Sat Feb 15 2020 Lukas Vrabec <> - 3.14.6-2 - Allow vhostmd communication with hosted virtual machines - Add and update virt interfaces - Update radiusd policy - Allow systemd_private_tmp(named_tmp_t) - Allow bacula dac_override capability - Allow systemd_networkd_t to read efivarfs - Add support for systemd-userdbd - Allow systemd system services read efivarfs files * Sat Feb 15 2020 Lukas Vrabec <> - 3.14.6-1 - Bump version to 3.14.6 because fedora 32 was branched * Fri Feb 07 2020 Zdenek Pytela <> - 3.14.5-24 - Allow ptp4l_t create and use packet_socket sockets - Allow ipa_custodia_t create and use netlink_route_socket sockets. - Allow networkmanager_t transition to setfiles_t - Create init_create_dirs boolean to allow init create directories * Fri Jan 31 2020 Zdenek Pytela <> - 3.14.5-23 - Allow thumb_t connect to system_dbusd_t BZ(1795044) - Allow saslauthd_t filetrans variable files for /tmp directory - Added apache create log dirs macro - Tiny documentation fix - Allow openfortivpn_t to manage net_conf_t files. - Introduce boolean openfortivpn_can_network_connect. - Dontaudit domain chronyd_t to list in user home dirs. - Allow init_t to create apache log dirs. - Add file transition for /dev/nvidia-uvm BZ(1770588) - Allow syslog_t to read efivarfs_t files - Add ioctl to term_dontaudit_use_ptmx macro - Update xserver_rw_session macro * Thu Jan 30 2020 Fedora Release Engineering <> - 3.14.5-22 - Rebuilt for * Fri Jan 24 2020 Zdenek Pytela <> - 3.14.5-21 - Dontaudit timedatex_t read file_contexts_t and validate security contexts - Make stratisd_t domain unconfined for now. - stratisd_t policy updates. - Label /var/spool/plymouth/boot.log as plymouthd_var_log_t - Label /stratis as stratisd_data_t - Allow opafm_t to create and use netlink rdma sockets. - Allow stratisd_t domain to read/write fixed disk devices and removable devices. - Added macro for stratisd to chat over dbus - Add dac_override capability to stratisd_t domain - Allow init_t set the nice level of all domains BZ(1778088) - Allow userdomain to chat with stratisd over dbus.