Information for build selinux-policy-35.18-1.fc35

Package Nameselinux-policy
SummarySELinux policy configuration
DescriptionSELinux core policy package. Originally based off of reference policy, the policy has been adjusted to provide support for Fedora.
Built byzpytela
State complete
Volume prod
StartedTue, 07 Jun 2022 09:03:25 UTC
CompletedTue, 07 Jun 2022 09:10:41 UTC
Taskbuild (f35-candidate, /rpms/selinux-policy.git:13c45f017c3709141446c638397aca1aab6dffb6)
Extra{'source': {'original_url': 'git+'}}
selinux-policy-35.18-1.fc35.src.rpm (info) (download)
selinux-policy-35.18-1.fc35.noarch.rpm (info) (download)
selinux-policy-devel-35.18-1.fc35.noarch.rpm (info) (download)
selinux-policy-doc-35.18-1.fc35.noarch.rpm (info) (download)
selinux-policy-minimum-35.18-1.fc35.noarch.rpm (info) (download)
selinux-policy-mls-35.18-1.fc35.noarch.rpm (info) (download)
selinux-policy-sandbox-35.18-1.fc35.noarch.rpm (info) (download)
selinux-policy-targeted-35.18-1.fc35.noarch.rpm (info) (download)
Changelog * Mon Jun 06 2022 Zdenek Pytela <> - 35.18-1 - Allow xdm connect to unconfined_service_t over a unix stream socket - Allow sslh net_admin capability - Ecryptfs-private support - Update github actions to satisfy git 2.36 stricter rules - Update chronyd_pid_filetrans() to allow create dirs - Allow systemd-gpt-auto-generator create and use netlink_kobject_uevent_socket - Allow systemd-sysctl read the security state information * Fri Apr 08 2022 Zdenek Pytela <> - 35.17-1 - Allow pppd create a file in the locks directory - Add file map permission to lpd_manage_spool() interface - Allow system dbus daemon watch generic directories in /var/lib - Remove unused security socket classes from socket_class_set * Wed Apr 06 2022 Zdenek Pytela <> - 35.16-1 - Add mctp_socket security class and access vectors - Add the io_uring class - Allow fprintd read and write hardware state information - Label /var/run/ecblp0 pipe with cupsd_var_run_t - Allow iptables list cgroup directories - Allow dhclient create /run/chrony-dhcp with chronyd_var_run_t - Allow chage domtrans to sssd * Tue Feb 15 2022 Zdenek Pytela <> - 35.15-1 - Allow systemd-networkd create and use netlink netfilter socket - Allow sandbox_web_client_t watch various dirs - filesystem.te: add genfscon rule for ntfs3 filesystem * Mon Feb 14 2022 Zdenek Pytela <> - 35.14-2 - Update file to use f35 git branch * Fri Feb 11 2022 Zdenek Pytela <> - 35.14-1 - Allow sysadm_passwd_t to relabel passwd and group files - Allow confined sysadmin to use tool vipw - Allow login_userdomain map /var/lib/directories - Allow login_userdomain watch library and fonts dirs - Allow login_userdomain watch system configuration dirs - Allow login_userdomain read systemd runtime files - Fix koji repo URL pattern - Allow alsa bind mixer controls to led triggers - Add the map permission to common_anon_inode_perm permission set - Rename userfaultfd_anon_inode_perms to common_inode_perms - Allow sanlock get attributes of filesystems with extended attributes - Associate stratisd_data_t with device filesystem - Allow init read stratis data symlinks * Wed Feb 02 2022 Patrik Koncity <> - 35.13-1 - Allow systemd services watch dbusd pid directory and its parents - Allow ModemManager connect to the unconfined user domain - Label /dev/wwan.+ with modem_manager_t - Allow alsactl set group Process ID of a process - Allow domtrans to sssd_t and role access to sssd - Creating interface sssd_run_sssd() - Label utilities for exFAT filesystems with fsadm_exec_t - Label /dev/nvme-fabrics with fixed_disk_device_t - Allow init delete generic tmp named pipes - Allow timedatex dbus chat with xdm * Thu Jan 27 2022 Patrik Koncity <> - 35.12-1 - Fix badly indented used interfaces - Allow domain transition to sssd_t - Dontaudit sfcbd sys_ptrace cap_userns - Label /var/lib/plocate with locate_var_lib_t - Allow hostapd talk with unconfined user over unix domain dgram socket - Allow NetworkManager talk with unconfined user over unix domain dgram socket - Allow system_mail_t read inherited apache system content rw files - Add apache_read_inherited_sys_content_rw_files() interface - Allow rhsm-service execute its private memfd: objects - Allow dirsrv read configfs files and directories - Label /run/stratisd with stratisd_var_run_t - Allow tumblerd write to session_dbusd tmp socket files * Wed Jan 19 2022 Zdenek Pytela <> - 35.11-1 - Revert "Label /etc/cockpit/ws-certs.d with cert_t" - Allow login_userdomain write to session_dbusd tmp socket files - Label /var/run/user/%{USERID}/dbus with session_dbusd_tmp_t * Mon Jan 17 2022 Zdenek Pytela <> - 35.10-1 - Allow login_userdomain watch systemd-machined PID directories - Allow login_userdomain watch systemd-logind PID directories - Allow login_userdomain watch accountsd lib directories - Allow login_userdomain watch localization directories - Allow login_userdomain watch various files and dirs - Allow login_userdomain watch generic directories in /tmp - Allow rhsm-service read/write its private memfd: objects - Allow radiusd connect to the radacct port - Allow systemd-io-bridge ioctl rpm_script_t - Allow systemd-coredump userns capabilities and root mounton - Allow systemd-coredump read and write usermodehelper state - Allow login_userdomain create session_dbusd tmp socket files - Allow gkeyringd_domain write to session_dbusd tmp socket files - Allow systemd-logind delete session_dbusd tmp socket files - Allow gdm-x-session write to session dbus tmp sock files - Label /etc/cockpit/ws-certs.d with cert_t - Allow kpropd get attributes of cgroup filesystems - Allow administrative users the bpf capability - Allow sysadm_t start and stop transient services - Connect triggerin to pcre2 instead of pcre * Wed Jan 12 2022 Zdenek Pytela <> - 35.9-1 - Allow sshd read filesystem sysctl files - Revert "Allow sshd read sysctl files" - Allow tlp read its systemd unit - Allow gssproxy access to various system files. - Allow gssproxy read, write, and map ica tmpfs files - Allow gssproxy read and write z90crypt device - Allow sssd_kcm read and write z90crypt device - Allow smbcontrol read the network state information - Allow virt_domain map vhost devices - Allow fcoemon request the kernel to load a module - Allow sshd read sysctl files - Ensure that `/run/systemd/*` are properly labeled - Allow admin userdomains use socketpair() - Change /run/user/[0-9]+ to /run/user/%{USERID} for proper labeling - Allow lldpd connect to snmpd with a unix domain stream socket - Dontaudit pkcsslotd sys_admin capability * Thu Dec 23 2021 Zdenek Pytela <> - 35.8-1 - Allow haproxy get attributes of filesystems with extended attributes - Allow haproxy get attributes of cgroup filesystems - Allow sysadm execute sysadmctl in sysadm_t domain using sudo - Allow userdomains use pam_ssh_agent_auth for passwordless sudo - Allow sudodomains execute passwd in the passwd domain - Allow braille printing in selinux - Allow sandbox_xserver_t map sandbox_file_t - Label /dev/ngXnY and /dev/nvme-subsysX with fixed_disk_device_t - Add hwtracing_device_t type for hardware-level tracing and debugging - Label port 9528/tcp with openqa_liveview - Label /var/lib/shorewall6-lite with shorewall_var_lib_t - Document Security Flask model in the policy * Fri Dec 10 2021 Zdenek Pytela <> - 35.7-1 - Allow systemd read unlabeled symbolic links - Label abrt-action-generate-backtrace with abrt_handle_event_exec_t - Allow dnsmasq watch /etc/dnsmasq.d directories - Allow rhsmcertd get attributes of tmpfs_t filesystems - Allow lldpd use an snmp subagent over a tcp socket - Allow xdm watch generic directories in /var/lib - Allow login_userdomain open/read/map system journal - Allow sysadm_t connect to cluster domains over a unix stream socket - Allow sysadm_t read/write pkcs shared memory segments - Allow sysadm_t connect to sanlock over a unix stream socket - Allow sysadm_t dbus chat with sssd - Allow sysadm_t set attributes on character device nodes - Allow sysadm_t read and write watchdog devices - Allow smbcontrol use additional socket types - Allow cloud-init dbus chat with systemd-logind - Allow svnserve send mail from the system - Update userdom_exec_user_tmp_files() with an entrypoint rule - Allow sudodomain send a null signal to sshd processes * Fri Nov 19 2021 Zdenek Pytela <> - 35.6-1 - Allow PID 1 and dbus-broker IPC with a systemd user session - Allow rpmdb read generic SSL certificates - Allow rpmdb read admin home config files - Report warning on duplicate definition of interface - Allow redis get attributes of filesystems with extended attributes - Allow sysadm_t dbus chat with realmd_t - Make cupsd_lpd_t a daemon - Allow tlp dbus-chat with NetworkManager - filesystem: add fs_use_trans for ramfs - Allow systemd-logind destroy unconfined user's IPC objects * Thu Nov 04 2021 Zdenek Pytela <> - 35.5-1 - Support sanlock VG automated recovery on storage access loss 2/2 - Support sanlock VG automated recovery on storage access loss 1/2 - Revert "Support sanlock VG automated recovery on storage access loss" - Allow tlp get service units status - Allow fedora-third-party manage 3rd party repos - Allow xdm_t nnp_transition to login_userdomain - Add the auth_read_passwd_file() interface - Allow redis-sentinel execute a notification script - Allow fetchmail search cgroup directories - Allow lvm_t to read/write devicekit disk semaphores - Allow devicekit_disk_t to use /dev/mapper/control - Allow devicekit_disk_t to get IPC info from the kernel - Allow devicekit_disk_t to read systemd-logind pid files - Allow devicekit_disk_t to mount filesystems on mnt_t directories - Allow devicekit_disk_t to manage mount_var_run_t files - Allow rasdaemon sys_admin capability to verify the CAP_SYS_ADMIN of the soft_offline_page function implemented in the kernel - Use $releasever in koji repo to reduce rawhide hardcoding - authlogin: add fcontext for tcb - Add erofs as a SELinux capable file system - Allow systemd execute user bin files - Support sanlock VG automated recovery on storage access loss - Support new PING_CHECK health checker in keepalived * Wed Oct 20 2021 Zdenek Pytela <> - 35.4-1 - rebuild * Tue Oct 19 2021 Adam Williamson <> - 35.3-1.20211019git94970fc - Allow fedora-third-party map generic cache files - Add gnome_map_generic_cache_files() interface - Add files_manage_var_lib_dirs() interface - Allow fedora-third party manage gpg keys - Allow fedora-third-party run "flatpak remote-add --from flathub" * Tue Oct 19 2021 Zdenek Pytela <> - 35.3-1 - Allow fedora-third-party run flatpak post-install actions - Allow fedora-third-party set_setsched and sys_nice * Mon Oct 18 2021 Zdenek Pytela <> - 35.2-1 - Allow fedora-third-party execute "flatpak remote-add" - Add files_manage_var_lib_files() interface - Add write permisson to userfaultfd_anon_inode_perms - Allow proper function sosreport via iotop - Allow proper function sosreport in sysadmin role - Allow fedora-third-party to connect to the system log service - Allow fedora-third-party dbus chat with policykit - Allow chrony-wait service start with DynamicUser=yes - Allow management of lnk_files if similar access to regular files - Allow unconfined_t transition to mozilla_plugin_t with NoNewPrivileges - Allow systemd-resolved watch /run/systemd - Allow fedora-third-party create and use unix_dgram_socket - Removing pkcs_tmpfs_filetrans interface and edit pkcs policy files - Allow login_userdomain named filetrans to pkcs_slotd_tmpfs_t domain * Thu Oct 07 2021 Zdenek Pytela <> - 35.1-1 - Add fedoratp module - Allow xdm_t domain transition to fedoratp_t - Allow ModemManager create and use netlink route socket - Add default file context for /run/gssproxy.default.sock - Allow xdm_t watch fonts directories - Allow xdm_t watch generic directories in /lib - Allow xdm_t watch generic pid directories * Thu Sep 23 2021 Zdenek Pytela <> - 34.21-1 - Add bluetooth-related permissions into a tunable block - Allow gnome at-spi processes create and use stream sockets - Allow usbmuxd get attributes of tmpfs_t filesystems - Allow fprintd install a sleep delay inhibitor - Allow collectd get attributes of infiniband devices - Allow collectd create and user netlink rdma socket - Allow collectd map packet_socket - Allow snort create and use blootooth socket - Allow systemd watch and watch_reads console devices - Allow snort create and use generic netlink socket - Allow NetworkManager dbus chat with fwupd - Allow unconfined domains read/write domain perf_events - Allow scripts to enter LUKS password - Update mount_manage_pid_files() to use manage_files_pattern - Support hitless reloads feature in haproxy - Allow haproxy list the sysfs directories content - Allow gnome at-spi processes get attributes of tmpfs filesystems - Allow unbound connectto unix_stream_socket - Allow rhsmcertd_t dbus chat with anaconda install_t * Thu Sep 16 2021 Zdenek Pytela <> - 34.20-1 - cleanup unused codes - Fix typo in the gnome_exec_atspi() interface summary - Allow xdm execute gnome-atspi services - Allow gnome at-spi processes execute dbus-daemon in caller domain - Allow xdm watch dbus configuration - Allow xdm execute dbus-daemon in the caller domain - Revert "Allow xdm_t transition to system_dbusd_t" - Allow at-spi-bus-launcher read and map xdm pid files - Allow dhcpcd set its resource limits - Allow systemd-sleep get removable devices attributes - Allow usbmuxd get attributes of fs_t filesystems * Thu Sep 09 2021 Zdenek Pytela <> - 34.19-2 - Update file to use the new f35 dist-git branch * Thu Sep 09 2021 Zdenek Pytela <> - 34.19-1 - Update the dhcp client local policy - Allow firewalld load kernel modules - Allow postfix_domain to sendto unix dgram sockets. - Allow systemd watch unallocated ttys * Tue Sep 07 2021 Zdenek Pytela <> - 34.18-1 - Allow ModemManager create a qipcrtr socket - Allow ModemManager request to load a kernel module - Label /usr/sbin/virtproxyd as virtd_exec_t - Allow communication between at-spi and gdm processes - Update ica_filetrans_named_content() with create_file_perms - Fix the gnome_atspi_domtrans() interface summary * Fri Aug 27 2021 Zdenek Pytela <> - 34.17-5 - Add ica module to modules-targeted-contrib.conf * Fri Aug 27 2021 Zdenek Pytela <> - 34.17-4 - Add trailing \ to the relabel() block which is needed even in a comment * Fri Aug 27 2021 Zdenek Pytela <> - 34.17-3 - Add ica module to modules-targeted.conf * Fri Aug 27 2021 Zdenek Pytela <> - 34.17-2 - Relabel /var/lib/rpm explicitly - Revert "Relabel /dev/dma_heap explicitly" * Fri Aug 27 2021 Zdenek Pytela <> - 34.17-1 - Add support for at-spi - Add permissions for system dbus processes - Allow various domains work with ICA crypto accelerator - Add ica module - Revert "Support using ICA crypto accelerator on s390x arch" - Allow systemd to delete fwupd var cache files - Allow vmtools_unconfined_t domain transition to rpm_script_t - Allow dirsrv read slapd tmpfs files - Revert "Label /dev/shm/dirsrv/ with dirsrv_tmpfs_t label" - Rename samba_exec() to samba_exec_net() - Support using ICA crypto accelerator on s390x arch - Allow systemd delete /run/systemd/default-hostname - Allow tcpdump read system state information in /proc - Allow rhsmcertd to create cache file in /var/cache/cloud-what - Allow D-bus communication between avahi and sosreport - Label /usr/libexec/gdm-runtime-config with xdm_exec_t - Allow lldpad send to kdumpctl over a unix dgram socket - Revert "Allow lldpad send to kdump over a unix dgram socket" - Allow chronyc respond to a user chronyd instance - Allow ptp4l respond to pmc - Allow lldpad send to unconfined_t over a unix dgram socket - Allow sssd to set samba setting * Thu Aug 12 2021 Zdenek Pytela <> - 34.16-1 - Allow systemd-timesyncd watch system dbus pid socket files - Allow firewalld drop capabilities - Allow rhsmcertd execute gpg - Allow lldpad send to kdump over a unix dgram socket - Allow systemd-gpt-auto-generator read udev pid files - Set default file context for /sys/firmware/efi/efivars - Allow tcpdump run as a systemd service - Allow nmap create and use netlink generic socket - Allow nscd watch system db files in /var/db - Allow cockpit_ws_t get attributes of fs_t filesystems - Allow sysadm acces to kernel module resources - Allow sysadm to read/write scsi files and manage shadow - Allow sysadm access to files_unconfined and bind rpc ports - Allow sysadm read and view kernel keyrings - Allow journal mmap and read var lib files - Allow tuned to read rhsmcertd config files - Allow bootloader to read tuned etc files - Label /usr/bin/qemu-storage-daemon with virtd_exec_t * Fri Aug 06 2021 Zdenek Pytela <> - 34.15-1 - Disable seccomp on CI containers - Allow systemd-machined stop generic service units - Allow virtlogd_t read process state of user domains - Add "/" at the beginning of dev/shm/var\.lib\.opencryptoki.* regexp - Label /dev/crypto/nx-gzip with accelerator_device_t - Update the policy for systemd-journal-upload - Allow unconfined domains to bpf all other domains - Confine rhsm service and rhsm-facts service as rhsmcertd_t - Allow fcoemon talk with unconfined user over unix domain datagram socket - Allow abrt_domain read and write z90crypt device - Allow mdadm read iscsi pid files - Change dev_getattr_infiniband_dev() to use getattr_chr_files_pattern() - Label /usr/lib/pcs/pcs_snmp_agent with cluster_exec_t - Allow hostapd bind UDP sockets to the dhcpd port - Unconfined domains should not be confined * Fri Jul 23 2021 Fedora Release Engineering <> - 34.14-2 - Rebuilt for * Wed Jul 14 2021 Zdenek Pytela <> - 34.14-1 - Revert "update libs_filetrans_named_content() to have support for /usr/lib/debug directory" - Remove references to init_watch_path_type attribute - Remove all redundant watch permissions for systemd - Allow systemd watch non_security_file_type dirs, files, lnk_files - Removed adding to attribute unpriv_userdomain from userdom_unpriv_type template - Allow bacula get attributes of cgroup filesystems - Allow systemd-journal-upload watch logs and journal - Create a policy for systemd-journal-upload - Allow tcpdump and nmap get attributes of infiniband_device_t - Allow arpwatch get attributes of infiniband_device_t devices - Label /dev/wmi/dell-smbios as acpi_device_t * Thu Jul 01 2021 Zdenek Pytela <> - 34.13-1 - Allow radius map its library files - Allow nftables read NetworkManager unnamed pipes - Allow logrotate rotate container log files * Tue Jun 22 2021 Zdenek Pytela <> - 34.12-2 - Add a systemd service to check that SELinux is disabled properly - specfile: Add unowned dir to the macro - Relabel /dev/dma_heap explicitly * Mon Jun 21 2021 Zdenek Pytela <> - 34.12-1 - Label /dev/dma_heap/* char devices with dma_device_t - Revert "Label /dev/dma_heap/* char devices with dma_device_t" - Revert "Label /dev/dma_heap with dma_device_dir_t" - Revert "Associate dma_device_dir_t with device filesystem" - Add the lockdown integrity permission to dev_map_userio_dev() - Allow systemd-modules-load read/write tracefs files - Allow sssd watch /run/systemd - Label /usr/bin/arping plain file with netutils_exec_t - Label /run/fsck with fsadm_var_run_t - Label /usr/bin/Xwayland with xserver_exec_t - Allow systemd-timesyncd watch dbus runtime dir - Allow asterisk watch localization files - Allow iscsid read all process stat - iptables.fc: Add missing legacy-restore and legacy-save entries - Label /run/libvirt/common with virt_common_var_run_t - Label /.k5identity file allow read of this file to rpc.gssd - Make usbmuxd_t a daemon * Wed Jun 09 2021 Zdenek Pytela <> - 34.11-1 - Allow sanlock get attributes of cgroup filesystems - Associate dma_device_dir_t with device filesystem - Set default file context for /var/run/systemd instead of /run/systemd - Allow nmap create and use rdma socket - Allow pkcs-slotd create and use netlink_kobject_uevent_socket * Sun Jun 06 2021 Zdenek Pytela <> - 34.10-1 - Allow using opencryptoki for ipsec - Allow using opencryptoki for certmonger - Label var.lib.opencryptoki.* files and create pkcs_tmpfs_filetrans() - Label /dev/dma_heap with dma_device_dir_t - Allow syslogd watch non security dirs conditionally - Introduce logging_syslogd_list_non_security_dirs tunable - Remove openhpi module - Allow udev to watch fixed disk devices - Allow httpd_sys_script_t read, write, and map hugetlbfs files - Allow apcupsd get attributes of cgroup filesystems * Thu May 27 2021 Zdenek Pytela <> - 34.9-1 - Add kerberos object filetrans for nsswitchdomain - Allow fail2ban watch various log files - Add logging_watch_audit_log_files() and logging_watch_audit_log_dirs() - Remove further modules recently removed from refpolicy - Remove modules not shipped and not present in refpolicy - Revert "Add permission open to files_read_inherited_tmp_files() interface" - Revert "Allow pcp_pmlogger_t to use setrlimit BZ(1708951)" - Revert "Dontaudit logrotate to setrlimit itself. rhbz#1309604" - Revert "Allow cockpit_ws_t domain to set limits BZ(1701703)" - Dontaudit setrlimit for domains that exec systemctl - Allow kdump_t net_admin capability - Allow nsswitch_domain read init pid lnk_files - Label /dev/trng with random_device_t - Label /run/systemd/default-hostname with hostname_etc_t - Add default file context specification for dnf log files - Label /dev/zram[0-9]+ block device files with fixed_disk_device_t - Label /dev/udmabuf character device with dma_device_t - Label /dev/dma_heap/* char devices with dma_device_t - Label /dev/acpi_thermal_rel char device with acpi_device_t * Thu May 20 2021 Zdenek Pytela <> - 34.8-2 - Remove temporary explicit /dev/nvme relabeling * Thu May 20 2021 Zdenek Pytela <> - 34.8-1 - Allow local_login_t nnp_transition to login_userdomain - Allow asterisk watch localization symlinks - Allow NetworkManager_t to watch /etc - Label /var/lib/kdump with kdump_var_lib_t - Allow amanda get attributes of cgroup filesystems - Allow sysadm_t nnp_domtrans to systemd_tmpfiles_t - Allow install_t nnp_domtrans to setfiles_mac_t - Allow fcoemon create sysfs files * Thu May 13 2021 Zdenek Pytela <> - 34.7-1 - Allow tgtd read and write infiniband devices - Add a comment on virt_sandbox booleans with empty content - Deprecate duplicate dev_write_generic_sock_files() interface - Allow vnstatd_t map vnstatd_var_lib_t files - Allow privoxy execmem - Allow pmdakvm read information from the debug filesystem - Add lockdown integrity into kernel_read_debugfs() and kernel_manage_debugfs() - Add permissions to delete lnk_files into gnome_delete_home_config() - Remove rules for inotifyfs - Remove rules for anon_inodefs - Allow systemd nnp_transition to login_userdomain - Allow unconfined_t write other processes perf_event records - Allow sysadm_t dbus chat with tuned - Allow tuned write profile files with file transition - Allow tuned manage perf_events - Make domains use kernel_write_perf_event() and kernel_manage_perf_event() * Fri May 07 2021 Zdenek Pytela <> - 34.6-1 - Make domains use kernel_write_perf_event() and kernel_manage_perf_event() - Add kernel_write_perf_event() and kernel_manage_perf_event() - Allow syslogd_t watch root and var directories - Allow unconfined_t read other processes perf_event records - Allow login_userdomain read and map /var/lib/systemd files - Allow NetworkManager watch its config dir - Allow NetworkManager read and write z90crypt device - Allow tgtd create and use rdma socket - Allow aide connect to init with a unix socket * Tue May 04 2021 Zdenek Pytela <> - 34.5-1 - Grant execmem to varnishlog_t - We no longer need signull for varnishlog_t - Add map permission to varnishd_read_lib_files - Allow systemd-sleep tlp_filetrans_named_content() - Allow systemd-sleep execute generic programs - Allow systemd-sleep execute shell - Allow to sendmail read/write kerberos host rcache files - Allow freshclam get attributes of cgroup filesystems - Fix context of /run/systemd/timesync - Allow udev create /run/gdm with proper type - Allow chronyc socket file transition in user temp directory - Allow virtlogd_t to create virt_var_lockd_t dir - Allow pluto IKEv2 / ESP over TCP * Tue Apr 27 2021 Zdenek Pytela <> - 34.4-1 - Allow domain create anonymous inodes - Add anon_inode class to the policy - Allow systemd-coredump getattr nsfs files and net_admin capability - Allow systemd-sleep transition to sysstat_t - Allow systemd -sleep transition to tlp_t - Allow systemd-sleep transition to unconfined_service_t on bin_t executables - Allow systemd-timedated watch runtime dir and its parent - Allow system dbusd read /var/lib symlinks - Allow unconfined_service_t confidentiality and integrity lockdown - Label /var/lib/brltty with brltty_var_lib_t - Allow domain and unconfined_domain_type watch /proc/PID dirs - Additional permission for confined users loging into graphic session - Make for screen fsetid/setuid/setgid permission conditional - Allow for confined users acces to wtmp and run utempter * Fri Apr 09 2021 Zdenek Pytela <> - 34.3-1 - Label /etc/redis as redis_conf_t - Add brltty new permissions required by new upstream version - Allow cups-lpd read its private runtime socket files - Dontaudit daemon open and read init_t file - Add file context specification for /var/tmp/tmp-inst - Allow brltty create and use bluetooth_socket - Allow usbmuxd get attributes of cgroup filesystems * Tue Apr 06 2021 Zdenek Pytela <> - 34.2-1 - Allow usbmuxd get attributes of cgroup filesystems - Allow accounts-daemon get attributes of cgroup filesystems - Allow pool-geoclue get attributes of cgroup filesystems - allow systemd-sleep to set timer for suspend-then-hibernate - Allow aide connect to systemd-userdbd with a unix socket - Add new interfaces with watch_mount and watch_with_perm permissions - Add file context specification for /usr/libexec/realmd - Allow /tmp file transition for dbus-daemon also for sock_file - Allow login_userdomain create cgroup files - Allow plymouthd_t exec generic program in bin directories * Thu Apr 01 2021 Zdenek Pytela <> - 34.1-1 - Change the package versioning * Thu Apr 01 2021 Zdenek Pytela <> - 3.14.8-10 - Allow plymouthd_t exec generic program in bin directories - Allow dhcpc_t domain transition to chronyc_t - Allow login_userdomain bind xmsg port - Allow ibacm the net_raw and sys_rawio capabilities - Allow nsswitch_domain read cgroup files - Allow systemd-sleep create hardware state information files * Mon Mar 29 2021 Zdenek Pytela <> - 3.14.8-9 - Add watch_with_perm_dirs_pattern file pattern * Fri Mar 26 2021 Zdenek Pytela <> - 3.14.8-8 - Allow arpwatch_t create netlink generic socket - Allow postgrey read network state - Add watch_mount_dirs_pattern file pattern - Allow bluetooth_t dbus chat with fwupd_t - Allow xdm_t watch accountsd lib directories - Add additional interfaces for watching /boot - Allow sssd_t get attributes of tmpfs filesystems - Allow local_login_t get attributes of tmpfs filesystems - Dontaudit domain the fowner capability - Extend fs_manage_nfsd_fs() to allow managing dirs as well - Allow spice-vdagentd watch systemd-logind session dirs * Fri Mar 19 2021 Zdenek Pytela <> - 3.14.8-7 - Allow xdm_t watch systemd-logind session dirs - Allow xdm_t transition to system_dbusd_t - Allow confined users login into graphic session - Allow login_userdomain watch systemd login session dirs - install_t: Allow NoNewPriv transition from systemd - Remove setuid/setgid capabilities from mysqld_t - Add context for new mariadbd executable files - Allow netutils_t create netlink generic socket - Allow systemd the audit_control capability conditionally * Thu Mar 11 2021 Zdenek Pytela <> - 3.14.8-6 - Allow polkit-agent-helper-1 read logind sessions files - Allow polkit-agent-helper read init state - Allow login_userdomain watch generic device dirs - Allow login_userdomain listen on bluetooth sockets - Allow user_t and staff_t bind netlink_generic_socket - Allow login_userdomain write inaccessible nodes - Allow transition from xdm domain to unconfined_t domain. - Add 'make validate' step to CI - Disallow user_t run su/sudo and staff_t run su - Fix typo in rsyncd.conf in rsync.if - Add an alias for nvme_device_t - Allow systemd watch and watch_reads unallocated ttys * Wed Mar 03 2021 Zdenek Pytela <> - 3.14.8-5 - Allow apmd watch generic device directories - Allow kdump load a new kernel - Add confidentiality lockdown permission to kernel_read_core_if() - Allow keepalived read nsfs files - Allow local_login_t get attributes of filesystems with ext attributes - Allow keepalived read/write its private memfd: objects - Add missing declaration in rpm_named_filetrans() - Change param description in cron interfaces to userdomain_prefix * Wed Feb 24 2021 Zdenek Pytela <> - 3.14.8-4 - iptables.fc: Add missing legacy entries - iptables.fc: Remove some duplicate entries - iptables.fc: Remove duplicate file context entries - Allow libvirtd to create generic netlink sockets - Allow libvirtd the fsetid capability - Allow libvirtd to read /run/utmp - Dontaudit sys_ptrace capability when calling systemctl - Allow udisksd to read /dev/random - Allow udisksd to watch files under /run/mount - Allow udisksd to watch /etc - Allow crond to watch user_cron_spool_t directories - Allow accountsd watch xdm config directories - Label /etc/avahi with avahi_conf_t - Allow sssd get cgroup filesystems attributes and search cgroup dirs - Allow systemd-hostnamed read udev runtime data - Remove dev_getattr_sysfs_fs() interface calls for particular domains - Allow domain stat the /sys filesystem - Dontaudit NetworkManager write to initrc_tmp_t pipes - policykit.te: Clean up watch rule for policykit_auth_t - Revert further unnecessary watch rules - Revert "Allow getty watch its private runtime files" - Allow systemd watch generic /var directories - Allow init watch network config files and lnk_files - Allow systemd-sleep get attributes of fixed disk device nodes - Complete initial policy for systemd-coredump - Label SDC(scini) Dell Driver - Allow upowerd to send syslog messages - Remove the disk write permissions from tlp_t - Label NVMe devices as fixed_disk_device_t - Allow rhsmcertd bind tcp sockets to a generic node - Allow systemd-importd manage machines.lock file * Tue Feb 16 2021 Zdenek Pytela <> - 3.14.8-3 - Allow unconfined integrity lockdown permission - Relocate confidentiality lockdown rule from unconfined_domain_type to unconfined - Allow systemd-machined manage systemd-userdbd runtime sockets - Enable systemd-sysctl domtrans for udev - Introduce kernel_load_unsigned_module interface and use it for couple domains - Allow gpg watch user gpg secrets dirs - Build also the container module in CI - Remove duplicate code from kernel.te - Allow restorecond to watch all non-auth directories - Allow restorecond to watch its config file * Mon Feb 15 2021 Zdenek Pytela <> - 3.14.8-2 - Allow userdomain watch various filesystem objects - Allow systemd-logind and systemd-sleep integrity lockdown permission - Allow unconfined_t and kprop_t to create krb5_0.rcache2 with the right context - Allow pulseaudio watch devices and systemd-logind session dirs - Allow abrt-dump-journal-* watch generic log dirs and /run/log/journal dir - Remove duplicate files_mounton_etc(init_t) call - Add watch permissions to manage_* object permissions sets - Allow journalctl watch generic log dirs and /run/log/journal dir - Label /etc/resolv.conf as net_conf_t even when it's a symlink - Allow SSSD to watch /var/run/NetworkManager - Allow dnsmasq_t to watch /etc - Remove unnecessary lines from the new watch interfaces - Fix docstring for init_watch_dir() - Allow xdm watch its private lib dirs, /etc, /usr * Thu Feb 11 2021 Zdenek Pytela <> - 3.14.8-1 - Bump version as Fedora 34 has been branched off rawhide - Allow xdm watch its private lib dirs, /etc, /usr - Allow systemd-importd create /run/systemd/machines.lock file - Allow rhsmcertd_t read kpatch lib files - Add integrity lockdown permission into dev_read_raw_memory() - Add confidentiality lockdown permission into fs_rw_tracefs_files() - Allow gpsd read and write ptp4l_t shared memory. - Allow colord watch its private lib files and /usr - Allow init watch_reads mount PID files - Allow IPsec and Certmonger to use opencryptoki services * Sun Feb 07 2021 Zdenek Pytela <> - 3.14.7-18 - Allow lockdown confidentiality for domains using perf_event - define lockdown class and access - Add perfmon capability for all domains using perf_event - Allow ptp4l_t bpf capability to run bpf programs - Revert "Allow ptp4l_t sys_admin capability to run bpf programs" - access_vectors: Add new capabilities to cap2 - Allow systemd and systemd-resolved watch dbus pid objects - Add new watch interfaces in the base and userdomain policy - Add watch permissions for contrib packages - Allow xdm watch /usr directories - Allow getty watch its private runtime files - Add watch permissions for nscd and sssd - Add watch permissions for firewalld and NetworkManager - Add watch permissions for syslogd - Add watch permissions for systemd services - Allow restorecond watch /etc dirs - Add watch permissions for user domain types - Add watch permissions for init - Add basic watch interfaces for systemd - Add basic watch interfaces to the base module - Add additional watch object permissions sets and patterns - Allow init_t to watch localization symlinks - Allow init_t to watch mount directories - Allow init_t to watch cgroup files - Add basic watch patterns - Add new watch* permissions * Fri Feb 05 2021 Zdenek Pytela <> - 3.14.7-17 - Update .copr/ to use rawhide as DISTGIT_BRANCH - Dontaudit setsched for rndc - Allow systemd-logind destroy entries in message queue - Add userdom_destroy_unpriv_user_msgq() interface - ci: Install build dependencies from koji - Dontaudit vhostmd to write in /var/lib/rpm/ dir and allow signull rpm - Add new cmadmin port for bfdd dameon - virtiofs supports Xattrs and SELinux - Allow domain write to systemd-resolved PID socket files - Label /var/run/pcsd-ruby.socket socket with cluster_var_run_t type - Allow rhsmcertd_t domain transition to kpatch_t - Revert "Add kpatch_exec() interface" - Revert "Allow rhsmcertd execute kpatch" - Allow openvswitch create and use xfrm netlink sockets - Allow openvswitch_t perf_event write permission - Add kpatch_exec() interface - Allow rhsmcertd execute kpatch - Adds rule to allow glusterd to access RDMA socket - radius: Lexical sort of service-specific corenet rules by service name - VQP: Include IANA-assigned TCP/1589 - radius: Allow binding to the VQP port (VMPS) - radius: Allow binding to the BDF Control and Echo ports - radius: Allow binding to the DHCP client port - radius: Allow net_raw; allow binding to the DHCP server ports - Add rsync_sys_admin tunable to allow rsync sys_admin capability - Allow staff_u run pam_console_apply - Allow openvswitch_t perf_event open permission - Allow sysadm read and write /dev/rfkill - Allow certmonger fsetid capability - Allow domain read usermodehelper state information * Wed Jan 27 2021 Fedora Release Engineering <> - 3.14.7-16 - Rebuilt for * Fri Jan 22 2021 Petr Lautrbach <> - 3.14.7-15 - Update specfile to not verify md5/size/mtime for active store files - Add /var/mnt equivalency to /mnt - Rebuild with SELinux userspace 3.2-rc1 release * Fri Jan 08 2021 Zdenek Pytela <> - 3.14.7-14 - Allow domain read usermodehelper state information - Remove all kernel_read_usermodehelper_state() interface calls - .copr: improve timestamp format - Allow wireshark create and use rdma socket - Allow domain stat /proc filesystem - Remove all kernel_getattr_proc() interface calls - Revert "Allow passwd to get attributes in proc_t" - Revert "Allow dovecot_auth_t stat /proc filesystem" - Revert "Allow sssd, unix_chkpwd, groupadd stat /proc filesystem" - Allow sssd read /run/systemd directory - Label /dev/vhost-vdpa-[0-9]+ as vhost_device_t * Thu Dec 17 2020 Zdenek Pytela <> - 3.14.7-13 - Label /dev/isst_interface as cpu_device_t - Dontaudit firewalld dac_override capability - Allow ipsec set the context of a SPD entry to the default context - Build binary RPMs in CI - Add SRPM build scripts for COPR * Tue Dec 15 2020 Zdenek Pytela <> - 3.14.7-12 - Allow dovecot_auth_t stat /proc filesystem - Allow sysadm_u user and unconfined_domain_type manage perf_events - Allow pcp-pmcd manage perf_events - Add manage_perf_event_perms object permissions set - Add perf_event access vectors. - Allow sssd, unix_chkpwd, groupadd stat /proc filesystem - Allow stub-resolv.conf to be a symlink - sysnetwork.if: avoid directly referencing systemd_resolved_var_run_t - Create the systemd_dbus_chat_resolved() compatibility interface - Allow nsswitch-domain write to systemd-resolved PID socket files - Add systemd_resolved_write_pid_sock_files() interface - Add default file context for "/var/run/chrony-dhcp(/.*)?" - Allow timedatex dbus chat with cron system domain - Add cron_dbus_chat_system_job() interface - Allow systemd-logind manage init's pid files * Wed Dec 09 2020 Zdenek Pytela <> - 3.14.7-11 - Allow systemd-logind manage init's pid files - Allow tcsd the setgid capability - Allow systemd-resolved manage its private runtime symlinks - Update systemd_resolved_read_pid() to also read symlinks - Update systemd-sleep policy - Add groupadd_t fowner capability - Migrate to GitHub Actions - Update to reflect the state after contrib and base merge - Add announcing merging of selinux-policy and selinux-policy-contrib - Adapt .travis.yml to contrib merge - Merge contrib into the main repo - Prepare to merge contrib repo - Move stuff around to match the main repo * Thu Nov 26 2020 Zdenek Pytela <> - 3.14.7-10 - Allow Xephyr connect to 6000/tcp port and open user ptys - Allow kexec manage generic tmp files - Update targetd nfs & lvm - Add interface rpc_manage_exports - Merge selinux-policy and selinux-policy-contrib repos * Tue Nov 24 2020 Zdenek Pytela <> - 3.14.7-9 - Allow varnish map its private tmp files - Allow dovecot bind to smtp ports - Change fetchmail temporary files path to /var/spool/mail - Allow cups_pdf_t domain to communicate with unix_dgram_socket - Set file context for symlinks in /etc/httpd to etc_t - Allow rpmdb rw access to inherited console, ttys, and ptys - Allow dnsmasq read public files - Announce merging of selinux-policy and selinux-policy-contrib - Label /etc/resolv.conf as net_conf_t only if it is a plain file - Fix range for unreserved ports - Add files_search_non_security_dirs() interface - Introduce logging_syslogd_append_public_content tunable - Add miscfiles_append_public_files() interface * Fri Nov 13 2020 Zdenek Pytela <> - 3.14.7-8 - Set correct default file context for /usr/libexec/pcp/lib/* - Introduce rpmdb_t type - Allow slapd manage files/dirs in ldap certificates directory - Revert "Allow certmonger add new entries in a generic certificates directory" - Allow certmonger add new entries in a generic certificates directory - Allow slapd add new entries in ldap certificates directory - Remove retired PCP pmwebd and pmmgr daemons (since 5.0) - Let keepalived bind a raw socket - Add default file context for /usr/libexec/pcp/lib/* - squid: Allow net_raw capability when squid_use_tproxy is enabled - systemd: allow networkd to check namespaces - Add ability to read init_var_run_t where fs_read_efivarfs_files is allowed - Allow resolved to created varlink sockets and the domain to talk to it - selinux: tweak selinux_get_enforce_mode() to allow status page to be used - systemd: allow all systemd services to check selinux status - Set default file context for /var/lib/ipsec/nss - Allow user domains transition to rpmdb_t - Revert "Add miscfiles_add_entry_generic_cert_dirs() interface" - Revert "Add miscfiles_create_generic_cert_dirs() interface" - Update miscfiles_manage_all_certs() to include managing directories - Add miscfiles_create_generic_cert_dirs() interface - Add miscfiles_add_entry_generic_cert_dirs() interface - Revert "Label /var/run/zincati/public/motd.d/* as motd_var_run_t" * Tue Nov 03 2020 Petr Lautrbach <> - 3.14.7-7 - Rebuild with latest libsepol - Bump policy version to 33 * Thu Oct 22 2020 Zdenek Pytela <> - 3.14.7-6 - rpc.fc: Include /etc/exports.d dir & files - Create chronyd_pid_filetrans() interface - Change invalid type redisd_t to redis_t in redis_stream_connect() - Revert "Removed adding to attribute unpriv_userdomain from userdom_unpriv_type template" - Allow init dbus chat with kernel - Allow initrc_t create /run/chronyd-dhcp directory with a transition - Drop gcc from dependencies in Travis CI - Use "==" for comparing integers. - re-implement fc_sort in python - Remove invalid file context line - Drop git from dependencies in Travis CI * Tue Oct 06 2020 Zdenek Pytela <> - 3.14.7-5 - Remove empty line from rshd.fc - Allow systemd-logind read swap files - Add fstools_read_swap_files() interface - Allow dyntransition from sshd_t to unconfined_t - Removed adding to attribute unpriv_userdomain from userdom_unpriv_type template * Fri Sep 25 2020 Zdenek Pytela <> - 3.14.7-4 - Allow chronyd_t to accept and make NTS-KE connections - Allow domain write to an automount unnamed pipe - Label /var/run/zincati/public/motd.d/* as motd_var_run_t - Allow login programs to (only) read MOTD files and symlinks - Relabel /usr/sbin/charon-systemd as ipsec_exec_t - Confine systemd-sleep service - Add fstools_rw_swap_files() interface - Label 4460/tcp port as ntske_port_t - Add lvm_dbus_send_msg(), lvm_rw_var_run() interfaces * Mon Sep 21 2020 Zdenek Pytela <> - 3.14.7-3 - Check out the right -contrib branch in Travis * Fri Sep 18 2020 Zdenek Pytela <> - 3.14.7-2 - Allow openvswitch fowner capability and create netlink sockets - Allow additional permissions for gnome-initial-setup - Add to map non_security_files to the userdom_admin_user_template template - kernel/filesystem: Add exfat support (no extended attributes) * Tue Sep 08 2020 Zdenek Pytela <> - 3.14.7-1 - Bump version as Fedora 33 has been branched - Allow php-fpm write access to /var/run/redis/redis.sock - Allow journalctl to read and write to inherited user domain tty - Update rkt policy to allow rkt_t domain to read sysfs filesystem - Allow arpwatch create and use rdma socket - Allow plymouth sys_chroot capability - Allow gnome-initial-setup execute in a xdm sandbox - Add new devices and filesystem interfaces * Mon Aug 24 2020 Zdenek Pytela <> - 3.14.6-25 - Allow certmonger fowner capability - The nfsdcld service is now confined by SELinux - Change transitions for ~/.config/Yubico - Allow all users to connect to systemd-userdbd with a unix socket - Add file context for ~/.config/Yubico - Allow syslogd_t domain to read/write tmpfs systemd-bootchart files - Allow login_pgm attribute to get attributes in proc_t - Allow passwd to get attributes in proc_t - Revert "Allow passwd to get attributes in proc_t" - Revert "Allow login_pgm attribute to get attributes in proc_t" - Allow login_pgm attribute to get attributes in proc_t - Allow passwd to get attributes in proc_t - Allow traceroute_t and ping_t to bind generic nodes. - Create macro corenet_icmp_bind_generic_node() - Allow unconfined_t to node_bind icmp_sockets in node_t domain * Thu Aug 13 2020 Zdenek Pytela <> - 3.14.6-24 - Add ipa_helper_noatsecure() interface unconditionally - Conditionally allow nagios_plugin_domain dbus chat with init - Revert "Update allow rules set for nrpe_t domain" - Add ipa_helper_noatsecure() interface to ipa.if - Label /usr/libexec/qemu-pr-helper with virtd_exec_t - Allow kadmind manage kerberos host rcache - Allow nsswitch_domain to connect to systemd-machined using a unix socket - Define named file transition for sshd on /tmp/krb5_0.rcache2 - Allow systemd-machined create userdbd runtime sock files - Disable kdbus module before updating * Mon Aug 03 2020 Zdenek Pytela <> - 3.14.6-23 - Revert "Add support for /sys/fs/kdbus and allow login_pgm domain to access it." - Revert "Add interface to allow types to associate with cgroup filesystems" - Revert "kdbusfs should not be accessible for now." - Revert "kdbusfs should not be accessible for now by default for shipped policies. It should be moved to kdbus.pp" - Revert "Add kdbus.pp policy to allow access /sys/fs/kdbus. It needs to go with own module because this is workaround for now to avoid SELinux in enforcing mode." - Remove the legacy kdbus module - Remove "kdbus = module" from modules-targeted-base.conf * Thu Jul 30 2020 Zdenek Pytela <> - 3.14.6-22 - Allow virtlockd only getattr and lock block devices - Allow qemu-ga read all non security file types conditionally - Allow virtlockd manage VMs posix file locks - Allow smbd get attributes of device files labeled samba_share_t - Label /tmp/krb5_0.rcache2 with krb5_host_rcache_t - Add a new httpd_can_manage_courier_spool boolean - Create interface courier_manage_spool_sockets() in courier policy to allow to search dir and allow manage sock files - Revert "Allow qemu-kvm read and write /dev/mapper/control" - Revert "Allow qemu read and write /dev/mapper/control" - Revert "Dontaudit and disallow sys_admin capability for keepalived_t domain" - Dontaudit pcscd_t setting its process scheduling - Dontaudit thumb_t setting its process scheduling - Allow munin domain transition with NoNewPrivileges - Add dev_lock_all_blk_files() interface - Allow auditd manage kerberos host rcache files - Allow systemd-logind dbus chat with fwupd * Wed Jul 29 2020 Fedora Release Engineering <> - 3.14.6-21 - Rebuilt for * Mon Jul 13 2020 Lukas Vrabec <> - 3.14.6-20 - Align gen_tunable() syntax with sepolgen * Fri Jul 10 2020 Zdenek Pytela <> - 3.14.6-19 - Additional support for keepalived running in a namespace - Remove systemd_dbus_chat_resolved(pcp_pmie_t) - virt: remove the libvirt qmf rules - Allow certmonger manage dirsrv services - Run ipa_helper_noatsecure(oddjob_t) only if the interface exists - Allow domain dbus chat with systemd-resolved - Define file context for /var/run/netns directory only - Revert "Add support for fuse.glusterfs" * Tue Jul 07 2020 Zdenek Pytela <> - 3.14.6-18 - Allow oddjob_t process noatsecure permission for ipa_helper_t - Allow keepalived manage its private type runtime directories - Update irqbalance runtime directory file context - Allow irqbalance file transition for pid sock_files and directories - Allow systemd_private_tmp(dirsrv_tmp_t) instead of dirsrv_t - Allow virtlogd_t manage virt lib files - Allow systemd set efivarfs files attributes - Support systemctl --user in machinectl - Allow chkpwd_t read and write systemd-machined devpts character nodes - Allow init_t write to inherited systemd-logind sessions pipes * Fri Jun 26 2020 Zdenek Pytela <> - 3.14.6-17 - Allow pdns server to read system state - Allow irqbalance nnp_transition - Fix description tag for the sssd_connect_all_unreserved_ports tunable - Allow journalctl process set its resource limits - Add sssd_access_kernel_keys tunable to conditionally access kernel keys - Make keepalived work with network namespaces - Create sssd_connect_all_unreserved_ports boolean - Allow hypervkvpd to request kernel to load a module - Allow systemd_private_tmp(dirsrv_tmp_t) - Allow microcode_ctl get attributes of sysfs directories - Remove duplicate files_dontaudit_list_tmp(radiusd_t) line - Allow radiusd connect to gssproxy over unix domain stream socket - Add fwupd_cache_t file context for '/var/cache/fwupd(/.*)?' - Allow qemu read and write /dev/mapper/control - Allow tlp_t can_exec() tlp_exec_t - Dontaudit vpnc_t setting its process scheduling - Remove files_mmap_usr_files() call for particular domains - Allow dirsrv_t list cgroup directories - Crete the kerberos_write_kadmind_tmp_files() interface - Allow realmd_t dbus chat with accountsd_t - Label systemd-growfs and systemd-makefs as fsadm_exec_t - Allow staff_u and user_u setattr generic usb devices - Allow sysadm_t dbus chat with accountsd - Modify kernel_rw_key() not to include append permission - Add kernel_rw_key() interface to access to kernel keyrings - Modify systemd_delete_private_tmp() to use delete_*_pattern macros - Allow systemd-modules to load kernel modules - Add cachefiles_dev_t as a typealias to cachefiles_device_t - Allow libkrb5 lib read client keytabs - Allow domain mmap usr_t files - Remove files_mmap_usr_files() call for systemd domains - Allow sshd write to kadmind temporary files - Do not audit staff_t and user_t attempts to manage boot_t entries - Add files_dontaudit_manage_boot_dirs() interface - Allow systemd-tty-ask-password-agent read efivarfs files * Thu Jun 25 2020 Adam Williamson <> - 3.14.6-16 - Fix scriptlets when /etc/selinux/config does not exist