ID | 24283 |
Package Name | selinux-policy |
Version | 34.1.43 |
Release | 1.el9_1.1 |
Epoch | |
Draft | False |
Source | git+https://git.cclinux.org/stage/rpms/selinux-policy.git#11c4ab6f05f5581ae9c9d5ae28a7ed4ee65733d0 |
Summary |
Description |
Built by | distrobuild |
State |
complete
|
Volume |
DEFAULT |
Started | Thu, 09 Feb 2023 02:19:01 CST |
Completed | Thu, 09 Feb 2023 02:23:48 CST |
Task | build (dist-circle9_1-updates, /stage/rpms/selinux-policy.git:11c4ab6f05f5581ae9c9d5ae28a7ed4ee65733d0) |
Extra | {'source': {'original_url': 'git+https://git.cclinux.org/stage/rpms/selinux-policy.git?#11c4ab6f05f5581ae9c9d5ae28a7ed4ee65733d0'}} |
Tags |
|
RPMs |
src | |
|
selinux-policy-34.1.43-1.el9_1.1.src.rpm (info) (download) |
noarch |
|
selinux-policy-34.1.43-1.el9_1.1.noarch.rpm (info) (download)
|
|
selinux-policy-devel-34.1.43-1.el9_1.1.noarch.rpm (info) (download)
|
|
selinux-policy-doc-34.1.43-1.el9_1.1.noarch.rpm (info) (download)
|
|
selinux-policy-minimum-34.1.43-1.el9_1.1.noarch.rpm (info) (download)
|
|
selinux-policy-mls-34.1.43-1.el9_1.1.noarch.rpm (info) (download)
|
|
selinux-policy-sandbox-34.1.43-1.el9_1.1.noarch.rpm (info) (download)
|
|
selinux-policy-targeted-34.1.43-1.el9_1.1.noarch.rpm (info) (download)
|
|
Logs |
|
Changelog |
* Fri Jan 06 2023 Nikola Knazekova <nknazeko@redhat.com> - 34.1.43-1.1
- Add domain_unix_read_all_semaphores() interface
Resolves: rhbz#2136760
- Allow rhcd compute selinux access vector
Resolves: rhbz#2136760
- Add file context entries for insights-client and rhc
Resolves: rhbz#2136760
- Revert "Allow insights-client run lpr and allow the proper role"
Resolves: rhbz#2136760
- Allow insights-client dbus chat with various services
Resolves: rhbz#2136760
- Allow insights-client tcp connect to various ports
Resolves: rhbz#2136760
- Allow insights-client run lpr and allow the proper role
Resolves: rhbz#2136760
- Allow insights-client work with pcp and manage user config files
Resolves: rhbz#2136760
- Allow insights-client dbus chat with abrt
Resolves: rhbz#2136760
- Allow insights client communicate with cupsd, mysqld, openvswitch, redis
Resolves: rhbz#2136760
- Allow insights client read raw memory devices
Resolves: rhbz#2136760
- Allow insights-client domain transition on semanage execution
Resolves: rhbz#2136760
- Allow insights-client create gluster log dir with a transition
Resolves: rhbz#2136760
- Allow insights-client manage generic locks
Resolves: rhbz#2136760
- Allow insights-client unix_read all domain semaphores
Resolves: rhbz#2136760
- Allow insights-client manage samba var dirs
Resolves: rhbz#2136760
- Allow insights-client send null signal to rpm and system cronjob
Resolves: rhbz#2136760
- Allow insights-client connect to postgresql with a unix socket
Resolves: rhbz#2136760
- Allow insights-client domtrans on unix_chkpwd execution
Resolves: rhbz#2136760
* Thu Sep 08 2022 Zdenek Pytela <zpytela@redhat.com> - 34.1.43-1
- Update rhcd policy for executing additional commands 5
Resolves: rhbz#2119351
- Update rhcd policy for executing additional commands 4
Resolves: rhbz#2119351
- Allow rhcd create rpm hawkey logs with correct label
Resolves: rhbz#2119351
- Update rhcd policy for executing additional commands 3
Resolves: rhbz#2119351
- Allow sssd to set samba setting
Resolves: rhbz#2121125
- Allow journalctl read rhcd fifo files
Resolves: rhbz#2119351
- Update insights-client policy for additional commands execution 5
Resolves: rhbz#2121125
- Confine insights-client systemd unit
Resolves: rhbz#2121125
- Update insights-client policy for additional commands execution 4
Resolves: rhbz#2121125
- Update insights-client policy for additional commands execution 3
Resolves: rhbz#2121125
- Allow rhcd execute all executables
Resolves: rhbz#2119351
- Update rhcd policy for executing additional commands 2
Resolves: rhbz#2119351
- Update insights-client policy for additional commands execution 2
Resolves: rhbz#2121125
* Mon Aug 29 2022 Zdenek Pytela <zpytela@redhat.com> - 34.1.42-1
- Label /var/log/rhc-worker-playbook with rhcd_var_log_t
Resolves: rhbz#2119351
- Update insights-client policy (auditctl, gpg, journal)
Resolves: rhbz#2107363
* Thu Aug 25 2022 Nikola Knazekova <nknazeko@redhat.com> - 34.1.41-1
- Allow unconfined domains to bpf all other domains
Resolves: RHBZ#2112014
- Allow stalld get and set scheduling policy of all domains.
Resolves: rhbz#2105038
- Allow unconfined_t transition to targetclid_home_t
Resolves: RHBZ#2106360
- Allow samba-bgqd to read a printer list
Resolves: rhbz#2118977
- Allow system_dbusd ioctl kernel with a unix stream sockets
Resolves: rhbz#2085392
- Allow chronyd bind UDP sockets to ptp_event ports.
Resolves: RHBZ#2118631
- Update tor_bind_all_unreserved_ports interface
Resolves: RHBZ#2089486
- Remove permissive domain for rhcd_t
Resolves: rhbz#2119351
- Allow unconfined and sysadm users transition for /root/.gnupg
Resolves: rhbz#2121125
- Add gpg_filetrans_admin_home_content() interface
Resolves: rhbz#2121125
- Update rhcd policy for executing additional commands
Resolves: rhbz#2119351
- Update insights-client policy for additional commands execution
Resolves: rhbz#2119507
- Add rpm setattr db files macro
Resolves: rhbz#2119507
- Add userdom_view_all_users_keys() interface
Resolves: rhbz#2119507
- Allow gpg read and write generic pty type
Resolves: rhbz#2119507
- Allow chronyc read and write generic pty type
Resolves: rhbz#2119507
* Wed Aug 10 2022 Nikola Knazekova <nknazeko@redhat.com> - 34.1.40-1
- Allow systemd-modules-load write to /dev/kmsg and send a message to syslogd
Resolves: RHBZ#2088257
- Allow systemd_hostnamed label /run/systemd/* as hostnamed_etc_t
Resolves: RHBZ#1976684
- Allow samba-bgqd get a printer list
Resolves: rhbz#2112395
- Allow networkmanager to signal unconfined process
Resolves: RHBZ#2074414
- Update NetworkManager-dispatcher policy
Resolves: RHBZ#2101910
- Allow openvswitch search tracefs dirs
Resolves: rhbz#1988164
- Allow openvswitch use its private tmpfs files and dirs
Resolves: rhbz#1988164
- Allow openvswitch fsetid capability
Resolves: rhbz#1988164
* Tue Aug 02 2022 Nikola Knazekova <nknazeko@redhat.com> - 34.1.39-1
- Add support for systemd-network-generator
Resolves: RHBZ#2111069
- Allow systemd work with install_t unix stream sockets
Resolves: rhbz#2111206
- Allow sa-update to get init status and start systemd files
Resolves: RHBZ#2061844
* Fri Jul 15 2022 Nikola Knazekova <nknazeko@redhat.com> - 34.1.38-1
- Allow some domains use sd_notify()
Resolves: rhbz#2056565
- Revert "Allow rabbitmq to use systemd notify"
Resolves: rhbz#2056565
- Update winbind_rpcd_t
Resolves: rhbz#2102084
- Update chronyd_pid_filetrans() to allow create dirs
Resolves: rhbz#2101910
- Allow keepalived read the contents of the sysfs filesystem
Resolves: rhbz#2098130
- Define LIBSEPOL version 3.4-1
Resolves: rhbz#2095688
* Wed Jun 29 2022 Zdenek Pytela <zpytela@redhat.com> - 34.1.37-1
- Allow targetclid read /var/target files
Resolves: rhbz#2020169
- Update samba-dcerpcd policy for kerberos usage 2
Resolves: rhbz#2096521
- Allow samba-dcerpcd work with sssd
Resolves: rhbz#2096521
- Allow stalld set scheduling policy of kernel threads
Resolves: rhbz#2102224
* Tue Jun 28 2022 Zdenek Pytela <zpytela@redhat.com> - 34.1.36-1
- Allow targetclid read generic SSL certificates (fixed)
Resolves: rhbz#2020169
- Fix file context pattern for /var/target
Resolves: rhbz#2020169
- Use insights_client_etc_t in insights_search_config()
Resolves: rhbz#1965013
* Fri Jun 24 2022 Zdenek Pytela <zpytela@redhat.com> - 34.1.35-1
-Add the corecmd_watch_bin_dirs() interface
Resolves: rhbz#1965013
- Update rhcd policy
Resolves: rhbz#1965013
- Allow rhcd search insights configuration directories
Resolves: rhbz#1965013
- Add the kernel_read_proc_files() interface
Resolves: rhbz#1965013
- Update insights_client_filetrans_named_content()
Resolves: rhbz#2081425
- Allow transition to insights_client named content
Resolves: rhbz#2081425
- Add the insights_client_filetrans_named_content() interface
Resolves: rhbz#2081425
- Update policy for insights-client to run additional commands 3
Resolves: rhbz#2081425
- Allow insights-client execute its private memfd: objects
Resolves: rhbz#2081425
- Update policy for insights-client to run additional commands 2
Resolves: rhbz#2081425
- Use insights_client_tmp_t instead of insights_client_var_tmp_t
Resolves: rhbz#2081425
- Change space indentation to tab in insights-client
Resolves: rhbz#2081425
- Use socket permissions sets in insights-client
Resolves: rhbz#2081425
- Update policy for insights-client to run additional commands
Resolves: rhbz#2081425
- Allow init_t to rw insights_client unnamed pipe
Resolves: rhbz#2081425
- Fix insights client
Resolves: rhbz#2081425
- Update kernel_read_unix_sysctls() for sysctl_net_unix_t handling
Resolves: rhbz#2081425
- Do not let system_cronjob_t create redhat-access-insights.log with var_log_t
Resolves: rhbz#2081425
- Allow stalld get scheduling policy of kernel threads
Resolves: rhbz#2096776
- Update samba-dcerpcd policy for kerberos usage
Resolves: rhbz#2096521
- Allow winbind_rpcd_t connect to self over a unix_stream_socket
Resolves: rhbz#2096255
- Allow dlm_controld send a null signal to a cluster daemon
Resolves: rhbz#2095884
- Allow dhclient manage pid files used by chronyd
The chronyd_manage_pid_files() interface was added.
- Resolves: rhbz#2094155
Allow install_t nnp_domtrans to setfiles_mac_t
- Resolves: rhbz#2073010
- Allow rabbitmq to use systemd notify
Resolves: rhbz#2056565
- Allow ksmctl create hardware state information files
Resolves: rhbz#2021131
- Label /var/target with targetd_var_t
Resolves: rhbz#2020169
- Allow targetclid read generic SSL certificates
Resolves: rhbz#2020169
* Thu Jun 09 2022 Zdenek Pytela <zpytela@redhat.com> - 34.1.34-1
- Allow stalld setsched and sys_nice
Resolves: rhbz#2092864
- Allow rhsmcertd to create cache file in /var/cache/cloud-what
Resolves: rhbz#2092333
- Update policy for samba-dcerpcd
Resolves: rhbz#2083509
- Add support for samba-dcerpcd
Resolves: rhbz#2083509
- Allow rabbitmq to access its private memfd: objects
Resolves: rhbz#2056565
- Confine targetcli
Resolves: rhbz#2020169
- Add policy for wireguard
Resolves: 1964862
- Label /var/cache/insights with insights_client_cache_t
Resolves: rhbz#2062136
- Allow ctdbd nlmsg_read on netlink_tcpdiag_socket
Resolves: rhbz#2094489
- Allow auditd_t noatsecure for a transition to audisp_remote_t
Resolves: rhbz#2081907
* Fri May 27 2022 Zdenek Pytela <zpytela@redhat.com> - 34.1.33-1
- Allow insights-client manage gpg admin home content
Resolves: rhbz#2062136
- Add the gpg_manage_admin_home_content() interface
Resolves: rhbz#2062136
- Add rhcd policy
Resolves: bz#1965013
- Allow svirt connectto virtlogd
Resolves: rhbz#2000881
- Add ksm service to ksmtuned
Resolves: rhbz#2021131
- Allow nm-privhelper setsched permission and send system logs
Resolves: rhbz#2053639
- Update the policy for systemd-journal-upload
Resolves: rhbz#2085369
- Allow systemd-journal-upload watch logs and journal
Resolves: rhbz#2085369
- Create a policy for systemd-journal-upload
Resolves: rhbz#2085369
- Allow insights-client create and use unix_dgram_socket
Resolves: rhbz#2087765
- Allow insights-client search gconf homedir
Resolves: rhbz#2087765
* Wed May 11 2022 Zdenek Pytela <zpytela@redhat.com> - 34.1.32-1
- Dontaudit guest attempts to dbus chat with systemd domains
Resolves: rhbz#2062740
- Dontaudit guest attempts to dbus chat with system bus types
Resolves: rhbz#2062740
- Fix users for SELinux userspace 3.4
Resolves: rhbz#2079290
- Removed adding to attribute unpriv_userdomain from userdom_unpriv_type template
Resolves: rhbz#2076681
- Allow systemd-sleep get removable devices attributes
Resolves: rhbz#2082404
- Allow systemd-sleep tlp_filetrans_named_content()
Resolves: rhbz#2082404
- Allow systemd-sleep execute generic programs
Resolves: rhbz#2082404
- Allow systemd-sleep execute shell
Resolves: rhbz#2082404
- Allow systemd-sleep transition to sysstat_t
Resolves: rhbz#2082404
- Allow systemd-sleep transition to tlp_t
Resolves: rhbz#2082404
- Allow systemd-sleep transition to unconfined_service_t on bin_t executables
Resolves: rhbz#2082404
- allow systemd-sleep to set timer for suspend-then-hibernate
Resolves: rhbz#2082404
- Add default fc specifications for patterns in /opt
Resolves: rhbz#2081059
- Use a named transition in systemd_hwdb_manage_config()
Resolves: rhbz#2061725
* Wed May 04 2022 Nikola Knazekova <nknazeko@redhat.com> - 34.1.31-2
- Remove "v" from the package version
* Mon May 02 2022 Nikola Knazekova <nknazeko@redhat.com> - v34.1.31-1
- Label /var/run/machine-id as machineid_t
Resolves: rhbz#2061680
- Allow insights-client create_socket_perms for tcp/udp sockets
Resolves: rhbz#2077377
- Allow insights-client read rhnsd config files
Resolves: rhbz#2077377
- Allow rngd drop privileges via setuid/setgid/setcap
Resolves: rhbz#2076642
- Allow tmpreaper the sys_ptrace userns capability
Resolves: rhbz#2062823
- Add stalld to modules.conf
Resolves: rhbz#2042614
- New policy for stalld
Resolves: rhbz#2042614
- Label new utility of NetworkManager nm-priv-helper
Resolves: rhbz#2053639
- Exclude container.if from selinux-policy-devel
Resolves: rhbz#1861968
* Tue Apr 19 2022 Zdenek Pytela <zpytela@redhat.com> - 34.1.30-2
- Update source branches to build a new package for RHEL 9.1.0
* Tue Apr 12 2022 Nikola Knazekova <nknazeko@redhat.com> - 34.1.30-1
- Allow administrative users the bpf capability
Resolves: RHBZ#2070982
- Allow NetworkManager talk with unconfined user over unix domain dgram socket
Resolves: rhbz#2064688
- Allow hostapd talk with unconfined user over unix domain dgram socket
Resolves: rhbz#2064688
- Allow fprintd read and write hardware state information
Resolves: rhbz#2062911
- Allow fenced read kerberos key tables
Resolves: RHBZ#2060722
- Allow init watch and watch_reads user ttys
Resolves: rhbz#2060289
- Allow systemd watch and watch_reads console devices
Resolves: rhbz#2060289
- Allow nmap create and use rdma socket
Resolves: RHBZ#2059603
* Thu Mar 31 2022 Zdenek Pytela <zpytela@redhat.com> - 34.1.29-1
- Allow qemu-kvm create and use netlink rdma sockets
Resolves: rhbz#2063612
- Label corosync-cfgtool with cluster_exec_t
Resolves: rhbz#2061277
* Thu Mar 24 2022 Zdenek Pytela <zpytela@redhat.com> - 34.1.28-1
- Allow logrotate a domain transition to cluster administrative domain
Resolves: rhbz#2061277
- Change the selinuxuser_execstack boolean value to true
Resolves: rhbz#2064274
* Thu Feb 24 2022 Zdenek Pytela <zpytela@redhat.com> - 34.1.27-1
- Allow ModemManager connect to the unconfined user domain
Resolves: rhbz#2000196
- Label /dev/wwan.+ with modem_manager_t
Resolves: rhbz#2000196
- Allow systemd-coredump userns capabilities and root mounton
Resolves: rhbz#2057435
- Allow systemd-coredump read and write usermodehelper state
Resolves: rhbz#2057435
- Allow sysadm_passwd_t to relabel passwd and group files
Resolves: rhbz#2053458
- Allow systemd-sysctl read the security state information
Resolves: rhbz#2056999
- Remove unnecessary /etc file transitions for insights-client
Resolves: rhbz#2055823
- Label all content in /var/lib/insights with insights_client_var_lib_t
Resolves: rhbz#2055823
- Update insights-client policy
Resolves: rhbz#2055823
- Update insights-client: fc pattern, motd, writing to etc
Resolves: rhbz#2055823
- Update specfile to buildrequire policycoreutils-devel >= 3.3-5
- Add modules_checksum to %files
* Thu Feb 17 2022 Zdenek Pytela <zpytela@redhat.com> - 34.1.26-1
- Remove permissive domain for insights_client_t
Resolves: rhbz#2055823
- New policy for insight-client
Resolves: rhbz#2055823
- Allow confined sysadmin to use tool vipw
Resolves: rhbz#2053458
- Allow chage domtrans to sssd
Resolves: rhbz#2054657
- Remove label for /usr/sbin/bgpd
Resolves: rhbz#2055578
- Dontaudit pkcsslotd sys_admin capability
Resolves: rhbz#2055639
- Do not change selinuxuser_execmod and selinuxuser_execstack
Resolves: rhbz#2055822
- Allow tuned to read rhsmcertd config files
Resolves: rhbz#2055823
* Mon Feb 14 2022 Zdenek Pytela <zpytela@redhat.com> - 34.1.25-1
- Allow systemd watch unallocated ttys
Resolves: rhbz#2054150
- Allow alsa bind mixer controls to led triggers
Resolves: rhbz#2049732
- Allow alsactl set group Process ID of a process
Resolves: rhbz#2049732
- Allow unconfined to run virtd bpf
Resolves: rhbz#2033504
* Fri Feb 04 2022 Zdenek Pytela <zpytela@redhat.com> - 34.1.24-1
- Allow tumblerd write to session_dbusd tmp socket files
Resolves: rhbz#2000039
- Allow login_userdomain write to session_dbusd tmp socket files
Resolves: rhbz#2000039
- Allow login_userdomain create session_dbusd tmp socket files
Resolves: rhbz#2000039
- Allow gkeyringd_domain write to session_dbusd tmp socket files
Resolves: rhbz#2000039
- Allow systemd-logind delete session_dbusd tmp socket files
Resolves: rhbz#2000039
- Allow gdm-x-session write to session dbus tmp sock files
Resolves: rhbz#2000039
- Allow sysadm_t nnp_domtrans to systemd_tmpfiles_t
Resolves: rhbz#2039453
- Label exFAT utilities at /usr/sbin
Resolves: rhbz#1972225
* Wed Feb 02 2022 Zdenek Pytela <zpytela@redhat.com> - 34.1.23-1
- Allow systemd nnp_transition to login_userdomain
Resolves: rhbz#2039453
- Label /var/run/user/%{USERID}/dbus with session_dbusd_tmp_t
Resolves: rhbz#2000039
- Change /run/user/[0-9]+ to /run/user/%{USERID} for proper labeling
Resolves: rhbz#2000039
- Allow scripts to enter LUKS password
Resolves: rhbz#2048521
- Allow system_mail_t read inherited apache system content rw files
Resolves: rhbz#2049372
- Add apache_read_inherited_sys_content_rw_files() interface
Related: rhbz#2049372
- Allow sanlock get attributes of filesystems with extended attributes
Resolves: rhbz#2047811
- Associate stratisd_data_t with device filesystem
Resolves: rhbz#2039974
- Allow init read stratis data symlinks
Resolves: rhbz#2039974
- Label /run/stratisd with stratisd_var_run_t
Resolves: rhbz#2039974
- Allow domtrans to sssd_t and role access to sssd
Resolves: rhbz#2039757
- Creating interface sssd_run_sssd()
Resolves: rhbz#2039757
- Fix badly indented used interfaces
Resolves: rhbz#2039757
- Allow domain transition to sssd_t
Resolves: rhbz#2039757
- Label /dev/nvme-fabrics with fixed_disk_device_t
Resolves: rhbz#2039759
- Allow local_login_t nnp_transition to login_userdomain
Resolves: rhbz#2039453
- Allow xdm_t nnp_transition to login_userdomain
Resolves: rhbz#2039453
- Make cupsd_lpd_t a daemon
Resolves: rhbz#2039449
- Label utilities for exFAT filesystems with fsadm_exec_t
Resolves: rhbz#1972225
- Dontaudit sfcbd sys_ptrace cap_userns
Resolves: rhbz#2040311
* Tue Jan 11 2022 Zdenek Pytela <zpytela@redhat.com> - 34.1.22-1
- Allow sshd read filesystem sysctl files
Resolves: rhbz#2036585
- Revert "Allow sshd read sysctl files"
Resolves: rhbz#2036585
* Mon Jan 10 2022 Zdenek Pytela <zpytela@redhat.com> - 34.1.21-1
- Remove the lockdown class from the policy
Resolves: rhbz#2017848
- Revert "define lockdown class and access"
Resolves: rhbz#2017848
- Allow gssproxy access to various system files.
Resolves: rhbz#2026974
- Allow gssproxy read, write, and map ica tmpfs files
Resolves: rhbz#2026974
- Allow gssproxy read and write z90crypt device
Resolves: rhbz#2026974
- Allow sssd_kcm read and write z90crypt device
Resolves: rhbz#2026974
- Allow abrt_domain read and write z90crypt device
Resolves: rhbz#2026974
- Allow NetworkManager read and write z90crypt device
Resolves: rhbz#2026974
- Allow smbcontrol read the network state information
Resolves: rhbz#2038157
- Allow virt_domain map vhost devices
Resolves: rhbz#2035702
- Allow fcoemon request the kernel to load a module
Resolves: rhbz#2034463
- Allow lldpd connect to snmpd with a unix domain stream socket
Resolves: rhbz#2033315
- Allow ModemManager create a qipcrtr socket
Resolves: rhbz#2036582
- Allow ModemManager request to load a kernel module
Resolves: rhbz#2036582
- Allow sshd read sysctl files
Resolves: rhbz#2036585
* Wed Dec 15 2021 Zdenek Pytela <zpytela@redhat.com> - 34.1.20-1
- Allow dnsmasq watch /etc/dnsmasq.d directories
Resolves: rhbz#2029866
- Label /usr/lib/pcs/pcs_snmp_agent with cluster_exec_t
Resolves: rhbz#2029316
- Allow lldpd use an snmp subagent over a tcp socket
Resolves: rhbz#2028561
- Allow smbcontrol use additional socket types
Resolves: rhbz#2027751
- Add write permisson to userfaultfd_anon_inode_perms
Resolves: rhbz#2027660
- Allow xdm_t watch generic directories in /lib
Resolves: rhbz#1960010
- Allow xdm_t watch fonts directories
Resolves: rhbz#1960010
- Label /dev/ngXnY and /dev/nvme-subsysX with fixed_disk_device_t
Resolves: rhbz#2027994
- Add hwtracing_device_t type for hardware-level tracing and debugging
Resolves: rhbz#2029392
- Change dev_getattr_infiniband_dev() to use getattr_chr_files_pattern()
Resolves: rhbz#2028791
- Allow arpwatch get attributes of infiniband_device_t devices
Resolves: rhbz#2028791
- Allow tcpdump and nmap get attributes of infiniband_device_t
Resolves: rhbz#2028791
* Mon Nov 29 2021 Zdenek Pytela <zpytela@redhat.com> - 34.1.19-1
- Allow redis get attributes of filesystems with extended attributes
Resolves: rhbz#2014611
- Allow dirsrv read slapd tmpfs files
Resolves: rhbz#2015928
- Revert "Label /dev/shm/dirsrv/ with dirsrv_tmpfs_t label"
Resolves: rhbz#2015928
- Allow login_userdomain open/read/map system journal
Resolves: rhbz#2017838
- Allow login_userdomain read and map /var/lib/systemd files
Resolves: rhbz#2017838
- Allow nftables read NetworkManager unnamed pipes
Resolves: rhbz#2023456
- Allow xdm watch generic directories in /var/lib
Resolves: rhbz#1960010
- Allow xdm_t watch generic pid directories
Resolves: rhbz#1960010
* Mon Nov 01 2021 Zdenek Pytela <zpytela@redhat.com> - 34.1.18-1
- Allow fetchmail search cgroup directories
Resolves: rhbz#2015118
- Add the auth_read_passwd_file() interface
Resolves: rhbz#2014611
- Allow redis-sentinel execute a notification script
Resolves: rhbz#2014611
- Support new PING_CHECK health checker in keepalived
Resolves: rhbz#2014423
* Thu Oct 14 2021 Zdenek Pytela <zpytela@redhat.com> - 34.1.17-1
- Label /usr/sbin/virtproxyd as virtd_exec_t
Resolves: rhbz#2002143
- Allow at-spi-bus-launcher read and map xdm pid files
Resolves: rhbz#2011772
- Remove references to init_watch_path_type attribute
Resolves: rhbz#2007960
- Remove all redundant watch permissions for systemd
Resolves: rhbz#2007960
- Allow systemd watch non_security_file_type dirs, files, lnk_files
Resolves: rhbz#2007960
- Allow systemd-resolved watch /run/systemd
Resolves: rhbz#1992461
- Allow sssd watch /run/systemd
Resolves: rhbz#1992461
* Thu Sep 23 2021 Zdenek Pytela <zpytela@redhat.com> - 34.1.16-1
- Allow fprintd install a sleep delay inhibitor
Resolves: rhbz#1999537
- Update mount_manage_pid_files() to use manage_files_pattern
Resolves: rhbz#1999997
- Allow gnome at-spi processes create and use stream sockets
Resolves: rhbz#2004885
- Allow haproxy list the sysfs directories content
Resolves: rhbz#1986823
- Allow virtlogd_t read process state of user domains
Resolves: rhbz#1994592
- Support hitless reloads feature in haproxy
Resolves: rhbz#1997182
- Allow firewalld load kernel modules
Resolves: rhbz#1999152
- Allow communication between at-spi and gdm processes
Resolves: rhbz#2003037
- Remove "ipa = module" from modules-targeted-contrib.conf
Resolves: rhbz#2006039
* Mon Aug 30 2021 Zdenek Pytela <zpytela@redhat.com> - 34.1.15-1
- Update ica_filetrans_named_content() with create_file_perms
Resolves: rhbz#1976180
- Allow various domains work with ICA crypto accelerator
Resolves: rhbz#1976180
- Add ica module
Resolves: rhbz#1976180
- Revert "Support using ICA crypto accelerator on s390x arch"
Resolves: rhbz#1976180
- Fix the gnome_atspi_domtrans() interface summary
Resolves: rhbz#1972655
- Add support for at-spi
Resolves: rhbz#1972655
- Add permissions for system dbus processes
Resolves: rhbz#1972655
- Allow /tmp file transition for dbus-daemon also for sock_file
Resolves: rhbz#1972655
* Wed Aug 25 2021 Zdenek Pytela <zpytela@redhat.com> - 34.1.14-1
- Support using ICA crypto accelerator on s390x arch
Resolves: rhbz#1976180
- Allow systemd delete /run/systemd/default-hostname
Resolves: rhbz#1978507
- Label /usr/bin/Xwayland with xserver_exec_t
Resolves: rhbz#1993151
- Label /usr/libexec/gdm-runtime-config with xdm_exec_t
Resolves: rhbz#1993151
- Allow tcpdump read system state information in /proc
Resolves: rhbz#1972577
- Allow firewalld drop capabilities
Resolves: rhbz#1989641
* Thu Aug 12 2021 Zdenek Pytela <zpytela@redhat.com> - 34.1.13-1
- Add "/" at the beginning of dev/shm/var\.lib\.opencryptoki.* regexp
Resolves: rhbz#1977915
- Set default file context for /sys/firmware/efi/efivars
Resolves: rhbz#1972372
- Allow tcpdump run as a systemd service
Resolves: rhbz#1972577
- Allow nmap create and use netlink generic socket
Resolves: rhbz#1985212
- Allow nscd watch system db files in /var/db
Resolves: rhbz#1989416
- Allow systemd-gpt-auto-generator read udev pid files
Resolves: rhbz#1992638
* Tue Aug 10 2021 Zdenek Pytela <zpytela@redhat.com> - 34.1.12-1
- Revert "update libs_filetrans_named_content() to have support for /usr/lib/debug directory"
Resolves: rhbz#1990813
- Label /dev/crypto/nx-gzip with accelerator_device_t
Resolves: rhbz#1973953
- Label /usr/bin/qemu-storage-daemon with virtd_exec_t
Resolves: rhbz#1977245
- Allow systemd-machined stop generic service units
Resolves: rhbz#1979522
- Label /.k5identity file allow read of this file to rpc.gssd
Resolves: rhbz#1980610
* Tue Aug 10 2021 Mohan Boddu <mboddu@redhat.com> - 34.1.11-2
- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
Related: rhbz#1991688
* Thu Jul 29 2021 Zdenek Pytela <zpytela@redhat.com> - 34.1.11-1
- Allow hostapd bind UDP sockets to the dhcpd port
Resolves: rhbz#1979968
- Allow mdadm read iscsi pid files
Resolves: rhbz#1976073
- Unconfined domains should not be confined
Resolves: rhbz#1977986
- Allow NetworkManager_t to watch /etc
Resolves: rhbz#1980000
- Allow using opencryptoki for ipsec
Resolves: rhbz#1977915
* Wed Jul 14 2021 Zdenek Pytela <zpytela@redhat.com> - 34.1.10-1
- Allow bacula get attributes of cgroup filesystems
Resolves: rhbz#1976917
- Label /dev/wmi/dell-smbios as acpi_device_t
Resolves: rhbz#1972382
- Add the lockdown integrity permission to dev_map_userio_dev()
Resolves: rhbz#1966758
- Allow virtlogd_t to create virt_var_lockd_t dir
Resolves: rhbz#1974875
* Tue Jun 22 2021 Zdenek Pytela <zpytela@redhat.com> - 34.1.9-1
- Allow systemd-coredump getattr nsfs files and net_admin capability
Resolves: rhbz#1965372
- Label /run/libvirt/common with virt_common_var_run_t
Resolves: rhbz#1969209
- Label /usr/bin/arping plain file with netutils_exec_t
Resolves: rhbz#1952515
- Make usbmuxd_t a daemon
Resolves: rhbz#1965411
- Allow usbmuxd get attributes of cgroup filesystems
Resolves: rhbz#1965411
- Label /dev/dma_heap/* char devices with dma_device_t
- Revert "Label /dev/dma_heap/* char devices with dma_device_t"
- Revert "Label /dev/dma_heap with dma_device_dir_t"
- Revert "Associate dma_device_dir_t with device filesystem"
Resolves: rhbz#1967818
- Label /var/lib/kdump with kdump_var_lib_t
Resolves: rhbz#1965989
- Allow systemd-timedated watch runtime dir and its parent
Resolves: rhbz#1970865
- Label /run/fsck with fsadm_var_run_t
Resolves: rhbz#1970911
* Thu Jun 10 2021 Zdenek Pytela <zpytela@redhat.com> - 34.1.8-1
- Associate dma_device_dir_t with device filesystem
Resolves: rhbz#1954116
- Add default file context specification for dnf log files
Resolves: rhbz#1955223
- Allow using opencryptoki for certmonger
Resolves: rhbz#1961756
- Label var.lib.opencryptoki.* files and create pkcs_tmpfs_filetrans()
Resolves: rhbz#1961756
- Allow httpd_sys_script_t read, write, and map hugetlbfs files
Resolves: rhbz#1964890
- Dontaudit daemon open and read init_t file
Resolves: rhbz#1965412
- Allow sanlock get attributes of cgroup filesystems
Resolves: rhbz#1965217
* Tue Jun 08 2021 Zdenek Pytela <zpytela@redhat.com> - 34.1.7-1
- Set default file context for /var/run/systemd instead of /run/systemd
Resolves: rhbz#1966492
* Mon Jun 07 2021 Zdenek Pytela <zpytela@redhat.com> - 34.1.6-1
- Label /dev/dma_heap with dma_device_dir_t
Resolves: rhbz#1954116
- Allow pkcs-slotd create and use netlink_kobject_uevent_socket
Resolves: rhbz#1963252
- Label /run/systemd/default-hostname with hostname_etc_t
Resolves: rhbz#1966492
* Thu May 27 2021 Zdenek Pytela <zpytela@redhat.com> - 34.1.5-1
- Label /dev/trng with random_device_t
Resolves: rhbz#1962260
- Label /dev/zram[0-9]+ block device files with fixed_disk_device_t
Resolves: rhbz#1954116
- Label /dev/udmabuf character device with dma_device_t
Resolves: rhbz#1954116
- Label /dev/dma_heap/* char devices with dma_device_t
Resolves: rhbz#1954116
- Label /dev/acpi_thermal_rel char device with acpi_device_t
Resolves: rhbz#1954116
- Allow fcoemon create sysfs files
Resolves: rhbz#1952292
* Wed May 12 2021 Zdenek Pytela <zpytela@redhat.com> - 34.1.4-1
- Allow sysadm_t dbus chat with tuned
Resolves: rhbz#1953643
- Allow tuned write profile files with file transition
Resolves: rhbz#1953643
- Allow tuned manage perf_events
Resolves: rhbz#1953643
- Make domains use kernel_write_perf_event() and kernel_manage_perf_event()
Resolves: rhbz#1953643
- Add kernel_write_perf_event() and kernel_manage_perf_event()
Resolves: rhbz#1953643
- Allow syslogd_t watch root and var directories
Resolves: rhbz#1957792
- Allow tgtd create and use rdma socket
Resolves: rhbz#1955559
- Allow aide connect to init with a unix socket
Resolves: rhbz#1926343
* Wed Apr 28 2021 Zdenek Pytela <zpytela@redhat.com> - 34.1.3-1
- Allow domain create anonymous inodes
Resolves: rhbz#1954145
- Add anon_inode class to the policy
Resolves: rhbz#1954145
- Allow pluto IKEv2 / ESP over TCP
Resolves: rhbz#1951471
- Add brltty new permissions required by new upstream version
Resolves: rhbz#1947842
- Label /var/lib/brltty with brltty_var_lib_t
Resolves: rhbz#1947842
- Allow login_userdomain create cgroup files
Resolves: rhbz#1951114
- Allow aide connect to systemd-userdbd with a unix socket
Resolves: rhbz#1926343
- Allow cups-lpd read its private runtime socket files
Resolves: rhbz#1947397
- Label /etc/redis as redis_conf_t
Resolves: rhbz#1947874
- Add file context specification for /usr/libexec/realmd
Resolves: rhbz#1946495
* Thu Apr 22 2021 Zdenek Pytela <zpytela@redhat.com> - 34.1.2-1
- Further update make-rhat-patches.sh for RHEL 9.0 beta
- Add file context specification for /var/tmp/tmp-inst
Resolves: rhbz#1924656
* Wed Apr 21 2021 Zdenek Pytela <zpytela@redhat.com> - 34.1.1-1
- Update selinux-policy.spec and make-rhat-patches.sh for RHEL 9.0 beta
- Allow unconfined_service_t confidentiality and integrity lockdown
Resolves: rhbz#1950267
* Fri Apr 16 2021 Mohan Boddu <mboddu@redhat.com> - 34-2
- Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937
* Thu Apr 01 2021 Zdenek Pytela <zpytela@redhat.com> - 34.1-1
- Change the package versioning
* Thu Apr 01 2021 Zdenek Pytela <zpytela@redhat.com> - 3.14.7-30
- Allow plymouthd_t exec generic program in bin directories
- Allow dhcpc_t domain transition to chronyc_t
- Allow login_userdomain bind xmsg port
- Allow ibacm the net_raw and sys_rawio capabilities
- Allow nsswitch_domain read cgroup files
- Allow systemd-sleep create hardware state information files
* Mon Mar 29 2021 Zdenek Pytela <zpytela@redhat.com> - 3.14.7-29
- Add watch_with_perm_dirs_pattern file pattern
* Fri Mar 26 2021 Zdenek Pytela <zpytela@redhat.com> - 3.14.7-28
- Allow arpwatch_t create netlink generic socket
- Allow postgrey read network state
- Add watch_mount_dirs_pattern file pattern
- Allow bluetooth_t dbus chat with fwupd_t
- Allow xdm_t watch accountsd lib directories
- Add additional interfaces for watching /boot
- Allow sssd_t get attributes of tmpfs filesystems
- Allow local_login_t get attributes of tmpfs filesystems
* Tue Mar 23 2021 Zdenek Pytela <zpytela@redhat.com> - 3.14.7-27
- Dontaudit domain the fowner capability
- Extend fs_manage_nfsd_fs() to allow managing dirs as well
- Allow spice-vdagentd watch systemd-logind session dirs
* Fri Mar 19 2021 Zdenek Pytela <zpytela@redhat.com> - 3.14.7-26
- Allow xdm_t watch systemd-logind session dirs
- Allow xdm_t transition to system_dbusd_t
- Allow confined users login into graphic session
- Allow login_userdomain watch systemd login session dirs
- install_t: Allow NoNewPriv transition from systemd
- Remove setuid/setgid capabilities from mysqld_t
- Add context for new mariadbd executable files
- Allow netutils_t create netlink generic socket
- Allow systemd the audit_control capability conditionally
* Thu Mar 11 2021 Zdenek Pytela <zpytela@redhat.com> - 3.14.7-25
- Allow polkit-agent-helper-1 read logind sessions files
- Allow polkit-agent-helper read init state
- Allow login_userdomain watch generic device dirs
- Allow login_userdomain listen on bluetooth sockets
- Allow user_t and staff_t bind netlink_generic_socket
- Allow login_userdomain write inaccessible nodes
- Allow transition from xdm domain to unconfined_t domain.
- Add 'make validate' step to CI
- Disallow user_t run su/sudo and staff_t run su
- Fix typo in rsyncd.conf in rsync.if
- Add an alias for nvme_device_t
- Allow systemd watch and watch_reads unallocated ttys
* Tue Mar 02 2021 Zdenek Pytela <zpytela@redhat.com> - 3.14.7-24
- Allow apmd watch generic device directories
- Allow kdump load a new kernel
- Add confidentiality lockdown permission to kernel_read_core_if()
- Allow keepalived read nsfs files
- Allow local_login_t get attributes of filesystems with ext attributes
- Allow keepalived read/write its private memfd: objects
- Add missing declaration in rpm_named_filetrans()
- Change param description in cron interfaces to userdomain_prefix
* Tue Feb 23 2021 Zdenek Pytela <zpytela@redhat.com> - 3.14.7-23
- iptables.fc: Add missing legacy entries
- iptables.fc: Remove some duplicate entries
- iptables.fc: Remove duplicate file context entries
- Allow libvirtd to create generic netlink sockets
- Allow libvirtd the fsetid capability
- Allow libvirtd to read /run/utmp
- Dontaudit sys_ptrace capability when calling systemctl
- Allow udisksd to read /dev/random
- Allow udisksd to watch files under /run/mount
- Allow udisksd to watch /etc
- Allow crond to watch user_cron_spool_t directories
- Allow accountsd watch xdm config directories
- Label /etc/avahi with avahi_conf_t
- Allow sssd get cgroup filesystems attributes and search cgroup dirs
- Allow systemd-hostnamed read udev runtime data
- Remove dev_getattr_sysfs_fs() interface calls for particular domains
- Allow domain stat the /sys filesystem
- Dontaudit NetworkManager write to initrc_tmp_t pipes
- policykit.te: Clean up watch rule for policykit_auth_t
- Revert further unnecessary watch rules
- Revert "Allow getty watch its private runtime files"
- Allow systemd watch generic /var directories
- Allow init watch network config files and lnk_files
* Fri Feb 19 2021 Zdenek Pytela <zpytela@redhat.com> - 3.14.7-22
- Allow systemd-sleep get attributes of fixed disk device nodes
- Complete initial policy for systemd-coredump
- Label SDC(scini) Dell Driver
- Allow upowerd to send syslog messages
- Remove the disk write permissions from tlp_t
- Label NVMe devices as fixed_disk_device_t
- Allow rhsmcertd bind tcp sockets to a generic node
- Allow systemd-importd manage machines.lock file
- Allow unconfined integrity lockdown permission
- Relocate confidentiality lockdown rule from unconfined_domain_type to unconfined
- Allow systemd-machined manage systemd-userdbd runtime sockets
- Enable systemd-sysctl domtrans for udev
- Introduce kernel_load_unsigned_module interface and use it for couple domains
- Allow gpg watch user gpg secrets dirs
- Build also the container module in CI
- Remove duplicate code from kernel.te
- Allow restorecond to watch all non-auth directories
- Allow restorecond to watch its config file
* Tue Feb 16 2021 Zdenek Pytela <zpytela@redhat.com> - 3.14.7-21
- Allow unconfined integrity lockdown permission
- Relocate confidentiality lockdown rule from unconfined_domain_type to unconfined
- Allow systemd-machined manage systemd-userdbd runtime sockets
- Enable systemd-sysctl domtrans for udev
- Introduce kernel_load_unsigned_module interface and use it for couple domains
- Allow gpg watch user gpg secrets dirs
- Build also the container module in CI
- Remove duplicate code from kernel.te
- Allow restorecond to watch all non-auth directories
- Allow restorecond to watch its config file
* Fri Feb 12 2021 Zdenek Pytela <zpytela@redhat.com> - 3.14.7-20
- Allow userdomain watch various filesystem objects
- Allow systemd-logind and systemd-sleep integrity lockdown permission
- Allow unconfined_t and kprop_t to create krb5_0.rcache2 with the right context
- Allow pulseaudio watch devices and systemd-logind session dirs
- Allow abrt-dump-journal-* watch generic log dirs and /run/log/journal dir
- Remove duplicate files_mounton_etc(init_t) call
- Add watch permissions to manage_* object permissions sets
- Allow journalctl watch generic log dirs and /run/log/journal dir
- Label /etc/resolv.conf as net_conf_t even when it's a symlink
- Allow SSSD to watch /var/run/NetworkManager
- Allow dnsmasq_t to watch /etc
- Remove unnecessary lines from the new watch interfaces
- Fix docstring for init_watch_dir()
- Allow xdm watch its private lib dirs, /etc, /usr
* Fri Feb 12 2021 Zdenek Pytela <zpytela@redhat.com> - 3.14.7-19
- Bump version as Fedora 34 has been branched off rawhide
- Allow xdm watch its private lib dirs, /etc, /usr
- Allow systemd-importd create /run/systemd/machines.lock file
- Allow rhsmcertd_t read kpatch lib files
- Add integrity lockdown permission into dev_read_raw_memory()
- Add confidentiality lockdown permission into fs_rw_tracefs_files()
- Allow gpsd read and write ptp4l_t shared memory.
- Allow colord watch its private lib files and /usr
- Allow init watch_reads mount PID files
- Allow IPsec and Certmonger to use opencryptoki services
* Sun Feb 07 2021 Zdenek Pytela <zpytela@redhat.com> - 3.14.7-18
- Allow lockdown confidentiality for domains using perf_event
- define lockdown class and access
- Add perfmon capability for all domains using perf_event
- Allow ptp4l_t bpf capability to run bpf programs
- Revert "Allow ptp4l_t sys_admin capability to run bpf programs"
- access_vectors: Add new capabilities to cap2
- Allow systemd and systemd-resolved watch dbus pid objects
- Add new watch interfaces in the base and userdomain policy
- Add watch permissions for contrib packages
- Allow xdm watch /usr directories
- Allow getty watch its private runtime files
- Add watch permissions for nscd and sssd
- Add watch permissions for firewalld and NetworkManager
- Add watch permissions for syslogd
- Add watch permissions for systemd services
- Allow restorecond watch /etc dirs
- Add watch permissions for user domain types
- Add watch permissions for init
- Add basic watch interfaces for systemd
- Add basic watch interfaces to the base module
- Add additional watch object permissions sets and patterns
- Allow init_t to watch localization symlinks
- Allow init_t to watch mount directories
- Allow init_t to watch cgroup files
- Add basic watch patterns
- Add new watch* permissions
* Fri Feb 05 2021 Zdenek Pytela <zpytela@redhat.com> - 3.14.7-17
- Update .copr/make-srpm.sh to use rawhide as DISTGIT_BRANCH
- Dontaudit setsched for rndc
- Allow systemd-logind destroy entries in message queue
- Add userdom_destroy_unpriv_user_msgq() interface
- ci: Install build dependencies from koji
- Dontaudit vhostmd to write in /var/lib/rpm/ dir and allow signull rpm
- Add new cmadmin port for bfdd dameon
- virtiofs supports Xattrs and SELinux
- Allow domain write to systemd-resolved PID socket files
- Label /var/run/pcsd-ruby.socket socket with cluster_var_run_t type
- Allow rhsmcertd_t domain transition to kpatch_t
- Revert "Add kpatch_exec() interface"
- Revert "Allow rhsmcertd execute kpatch"
- Allow openvswitch create and use xfrm netlink sockets
- Allow openvswitch_t perf_event write permission
- Add kpatch_exec() interface
- Allow rhsmcertd execute kpatch
- Adds rule to allow glusterd to access RDMA socket
- radius: Lexical sort of service-specific corenet rules by service name
- VQP: Include IANA-assigned TCP/1589
- radius: Allow binding to the VQP port (VMPS)
- radius: Allow binding to the BDF Control and Echo ports
- radius: Allow binding to the DHCP client port
- radius: Allow net_raw; allow binding to the DHCP server ports
- Add rsync_sys_admin tunable to allow rsync sys_admin capability
- Allow staff_u run pam_console_apply
- Allow openvswitch_t perf_event open permission
- Allow sysadm read and write /dev/rfkill
- Allow certmonger fsetid capability
- Allow domain read usermodehelper state information
* Wed Jan 27 2021 Fedora Release Engineering <releng@fedoraproject.org> - 3.14.7-16
- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
* Fri Jan 22 2021 Petr Lautrbach <plautrba@redhat.com> - 3.14.7-15
- Update specfile to not verify md5/size/mtime for active store files
- Add /var/mnt equivalency to /mnt
- Rebuild with SELinux userspace 3.2-rc1 release
* Sat Jan 09 2021 Zdenek Pytela <zpytela@redhat.com> - 3.14.7-14
- Allow domain read usermodehelper state information
- Remove all kernel_read_usermodehelper_state() interface calls
- .copr: improve timestamp format
- Allow wireshark create and use rdma socket
- Allow domain stat /proc filesystem
- Remove all kernel_getattr_proc() interface calls
- Revert "Allow passwd to get attributes in proc_t"
- Revert "Allow dovecot_auth_t stat /proc filesystem"
- Revert "Allow sssd, unix_chkpwd, groupadd stat /proc filesystem"
- Allow sssd read /run/systemd directory
- Label /dev/vhost-vdpa-[0-9]+ as vhost_device_t
|