
Information for build selinux-policy-34.1.43-1.el9_1.1

ID: 24283
Package Name: selinux-policy
Version: 34.1.43
Release: 1.el9_1.1
Epoch:
Draft: False
Source: git+https://git.cclinux.org/stage/rpms/selinux-policy.git#11c4ab6f05f5581ae9c9d5ae28a7ed4ee65733d0
Summary: SELinux policy configuration
Description: SELinux core policy package. Originally based off of reference policy, the policy has been adjusted to provide support for Fedora.
Built by: distrobuild
State: complete
Volume: DEFAULT
Started: Thu, 09 Feb 2023 02:19:01 CST
Completed: Thu, 09 Feb 2023 02:23:48 CST
Task: build (dist-circle9_1-updates, /stage/rpms/selinux-policy.git:11c4ab6f05f5581ae9c9d5ae28a7ed4ee65733d0)
Extra: {'source': {'original_url': 'git+https://git.cclinux.org/stage/rpms/selinux-policy.git?#11c4ab6f05f5581ae9c9d5ae28a7ed4ee65733d0'}}
Tags: dist-circle9-compose, dist-circle9-updates

RPMs

src:
selinux-policy-34.1.43-1.el9_1.1.src.rpm

noarch:
selinux-policy-34.1.43-1.el9_1.1.noarch.rpm
selinux-policy-devel-34.1.43-1.el9_1.1.noarch.rpm
selinux-policy-doc-34.1.43-1.el9_1.1.noarch.rpm
selinux-policy-minimum-34.1.43-1.el9_1.1.noarch.rpm
selinux-policy-mls-34.1.43-1.el9_1.1.noarch.rpm
selinux-policy-sandbox-34.1.43-1.el9_1.1.noarch.rpm
selinux-policy-targeted-34.1.43-1.el9_1.1.noarch.rpm

Logs

noarch:
build.log
hw_info.log
installed_pkgs.log
mock_output.log
noarch_rpmdiff.json
root.log
state.log
Changelog

* Fri Jan 06 2023 Nikola Knazekova <nknazeko@redhat.com> - 34.1.43-1.1
- Add domain_unix_read_all_semaphores() interface Resolves: rhbz#2136760
- Allow rhcd compute selinux access vector Resolves: rhbz#2136760
- Add file context entries for insights-client and rhc Resolves: rhbz#2136760
- Revert "Allow insights-client run lpr and allow the proper role" Resolves: rhbz#2136760
- Allow insights-client dbus chat with various services Resolves: rhbz#2136760
- Allow insights-client tcp connect to various ports Resolves: rhbz#2136760
- Allow insights-client run lpr and allow the proper role Resolves: rhbz#2136760
- Allow insights-client work with pcp and manage user config files Resolves: rhbz#2136760
- Allow insights-client dbus chat with abrt Resolves: rhbz#2136760
- Allow insights client communicate with cupsd, mysqld, openvswitch, redis Resolves: rhbz#2136760
- Allow insights client read raw memory devices Resolves: rhbz#2136760
- Allow insights-client domain transition on semanage execution Resolves: rhbz#2136760
- Allow insights-client create gluster log dir with a transition Resolves: rhbz#2136760
- Allow insights-client manage generic locks Resolves: rhbz#2136760
- Allow insights-client unix_read all domain semaphores Resolves: rhbz#2136760
- Allow insights-client manage samba var dirs Resolves: rhbz#2136760
- Allow insights-client send null signal to rpm and system cronjob Resolves: rhbz#2136760
- Allow insights-client connect to postgresql with a unix socket Resolves: rhbz#2136760
- Allow insights-client domtrans on unix_chkpwd execution Resolves: rhbz#2136760

* Thu Sep 08 2022 Zdenek Pytela <zpytela@redhat.com> - 34.1.43-1
- Update rhcd policy for executing additional commands 5 Resolves: rhbz#2119351
- Update rhcd policy for executing additional commands 4 Resolves: rhbz#2119351
- Allow rhcd create rpm hawkey logs with correct label Resolves: rhbz#2119351
- Update rhcd policy for executing additional commands 3 Resolves: rhbz#2119351
- Allow sssd to set samba setting Resolves: rhbz#2121125
- Allow journalctl read rhcd fifo files Resolves: rhbz#2119351
- Update insights-client policy for additional commands execution 5 Resolves: rhbz#2121125
- Confine insights-client systemd unit Resolves: rhbz#2121125
- Update insights-client policy for additional commands execution 4 Resolves: rhbz#2121125
- Update insights-client policy for additional commands execution 3 Resolves: rhbz#2121125
- Allow rhcd execute all executables Resolves: rhbz#2119351
- Update rhcd policy for executing additional commands 2 Resolves: rhbz#2119351
- Update insights-client policy for additional commands execution 2 Resolves: rhbz#2121125

* Mon Aug 29 2022 Zdenek Pytela <zpytela@redhat.com> - 34.1.42-1
- Label /var/log/rhc-worker-playbook with rhcd_var_log_t Resolves: rhbz#2119351
- Update insights-client policy (auditctl, gpg, journal) Resolves: rhbz#2107363

* Thu Aug 25 2022 Nikola Knazekova <nknazeko@redhat.com> - 34.1.41-1
- Allow unconfined domains to bpf all other domains Resolves: RHBZ#2112014
- Allow stalld get and set scheduling policy of all domains. Resolves: rhbz#2105038
- Allow unconfined_t transition to targetclid_home_t Resolves: RHBZ#2106360
- Allow samba-bgqd to read a printer list Resolves: rhbz#2118977
- Allow system_dbusd ioctl kernel with a unix stream sockets Resolves: rhbz#2085392
- Allow chronyd bind UDP sockets to ptp_event ports. Resolves: RHBZ#2118631
- Update tor_bind_all_unreserved_ports interface Resolves: RHBZ#2089486
- Remove permissive domain for rhcd_t Resolves: rhbz#2119351
- Allow unconfined and sysadm users transition for /root/.gnupg Resolves: rhbz#2121125
- Add gpg_filetrans_admin_home_content() interface Resolves: rhbz#2121125
- Update rhcd policy for executing additional commands Resolves: rhbz#2119351
- Update insights-client policy for additional commands execution Resolves: rhbz#2119507
- Add rpm setattr db files macro Resolves: rhbz#2119507
- Add userdom_view_all_users_keys() interface Resolves: rhbz#2119507
- Allow gpg read and write generic pty type Resolves: rhbz#2119507
- Allow chronyc read and write generic pty type Resolves: rhbz#2119507

* Wed Aug 10 2022 Nikola Knazekova <nknazeko@redhat.com> - 34.1.40-1
- Allow systemd-modules-load write to /dev/kmsg and send a message to syslogd Resolves: RHBZ#2088257
- Allow systemd_hostnamed label /run/systemd/* as hostnamed_etc_t Resolves: RHBZ#1976684
- Allow samba-bgqd get a printer list Resolves: rhbz#2112395
- Allow networkmanager to signal unconfined process Resolves: RHBZ#2074414
- Update NetworkManager-dispatcher policy Resolves: RHBZ#2101910
- Allow openvswitch search tracefs dirs Resolves: rhbz#1988164
- Allow openvswitch use its private tmpfs files and dirs Resolves: rhbz#1988164
- Allow openvswitch fsetid capability Resolves: rhbz#1988164

* Tue Aug 02 2022 Nikola Knazekova <nknazeko@redhat.com> - 34.1.39-1
- Add support for systemd-network-generator Resolves: RHBZ#2111069
- Allow systemd work with install_t unix stream sockets Resolves: rhbz#2111206
- Allow sa-update to get init status and start systemd files Resolves: RHBZ#2061844

* Fri Jul 15 2022 Nikola Knazekova <nknazeko@redhat.com> - 34.1.38-1
- Allow some domains use sd_notify() Resolves: rhbz#2056565
- Revert "Allow rabbitmq to use systemd notify" Resolves: rhbz#2056565
- Update winbind_rpcd_t Resolves: rhbz#2102084
- Update chronyd_pid_filetrans() to allow create dirs Resolves: rhbz#2101910
- Allow keepalived read the contents of the sysfs filesystem Resolves: rhbz#2098130
- Define LIBSEPOL version 3.4-1 Resolves: rhbz#2095688

* Wed Jun 29 2022 Zdenek Pytela <zpytela@redhat.com> - 34.1.37-1
- Allow targetclid read /var/target files Resolves: rhbz#2020169
- Update samba-dcerpcd policy for kerberos usage 2 Resolves: rhbz#2096521
- Allow samba-dcerpcd work with sssd Resolves: rhbz#2096521
- Allow stalld set scheduling policy of kernel threads Resolves: rhbz#2102224

* Tue Jun 28 2022 Zdenek Pytela <zpytela@redhat.com> - 34.1.36-1
- Allow targetclid read generic SSL certificates (fixed) Resolves: rhbz#2020169
- Fix file context pattern for /var/target Resolves: rhbz#2020169
- Use insights_client_etc_t in insights_search_config() Resolves: rhbz#1965013

* Fri Jun 24 2022 Zdenek Pytela <zpytela@redhat.com> - 34.1.35-1
- Add the corecmd_watch_bin_dirs() interface Resolves: rhbz#1965013
- Update rhcd policy Resolves: rhbz#1965013
- Allow rhcd search insights configuration directories Resolves: rhbz#1965013
- Add the kernel_read_proc_files() interface Resolves: rhbz#1965013
- Update insights_client_filetrans_named_content() Resolves: rhbz#2081425
- Allow transition to insights_client named content Resolves: rhbz#2081425
- Add the insights_client_filetrans_named_content() interface Resolves: rhbz#2081425
- Update policy for insights-client to run additional commands 3 Resolves: rhbz#2081425
- Allow insights-client execute its private memfd: objects Resolves: rhbz#2081425
- Update policy for insights-client to run additional commands 2 Resolves: rhbz#2081425
- Use insights_client_tmp_t instead of insights_client_var_tmp_t Resolves: rhbz#2081425
- Change space indentation to tab in insights-client Resolves: rhbz#2081425
- Use socket permissions sets in insights-client Resolves: rhbz#2081425
- Update policy for insights-client to run additional commands Resolves: rhbz#2081425
- Allow init_t to rw insights_client unnamed pipe Resolves: rhbz#2081425
- Fix insights client Resolves: rhbz#2081425
- Update kernel_read_unix_sysctls() for sysctl_net_unix_t handling Resolves: rhbz#2081425
- Do not let system_cronjob_t create redhat-access-insights.log with var_log_t Resolves: rhbz#2081425
- Allow stalld get scheduling policy of kernel threads Resolves: rhbz#2096776
- Update samba-dcerpcd policy for kerberos usage Resolves: rhbz#2096521
- Allow winbind_rpcd_t connect to self over a unix_stream_socket Resolves: rhbz#2096255
- Allow dlm_controld send a null signal to a cluster daemon Resolves: rhbz#2095884
- Allow dhclient manage pid files used by chronyd The chronyd_manage_pid_files() interface was added.
- Resolves: rhbz#2094155 Allow install_t nnp_domtrans to setfiles_mac_t
- Resolves: rhbz#2073010
- Allow rabbitmq to use systemd notify Resolves: rhbz#2056565
- Allow ksmctl create hardware state information files Resolves: rhbz#2021131
- Label /var/target with targetd_var_t Resolves: rhbz#2020169
- Allow targetclid read generic SSL certificates Resolves: rhbz#2020169

* Thu Jun 09 2022 Zdenek Pytela <zpytela@redhat.com> - 34.1.34-1
- Allow stalld setsched and sys_nice Resolves: rhbz#2092864
- Allow rhsmcertd to create cache file in /var/cache/cloud-what Resolves: rhbz#2092333
- Update policy for samba-dcerpcd Resolves: rhbz#2083509
- Add support for samba-dcerpcd Resolves: rhbz#2083509
- Allow rabbitmq to access its private memfd: objects Resolves: rhbz#2056565
- Confine targetcli Resolves: rhbz#2020169
- Add policy for wireguard Resolves: 1964862
- Label /var/cache/insights with insights_client_cache_t Resolves: rhbz#2062136
- Allow ctdbd nlmsg_read on netlink_tcpdiag_socket Resolves: rhbz#2094489
- Allow auditd_t noatsecure for a transition to audisp_remote_t Resolves: rhbz#2081907

* Fri May 27 2022 Zdenek Pytela <zpytela@redhat.com> - 34.1.33-1
- Allow insights-client manage gpg admin home content Resolves: rhbz#2062136
- Add the gpg_manage_admin_home_content() interface Resolves: rhbz#2062136
- Add rhcd policy Resolves: bz#1965013
- Allow svirt connectto virtlogd Resolves: rhbz#2000881
- Add ksm service to ksmtuned Resolves: rhbz#2021131
- Allow nm-privhelper setsched permission and send system logs Resolves: rhbz#2053639
- Update the policy for systemd-journal-upload Resolves: rhbz#2085369
- Allow systemd-journal-upload watch logs and journal Resolves: rhbz#2085369
- Create a policy for systemd-journal-upload Resolves: rhbz#2085369
- Allow insights-client create and use unix_dgram_socket Resolves: rhbz#2087765
- Allow insights-client search gconf homedir Resolves: rhbz#2087765

* Wed May 11 2022 Zdenek Pytela <zpytela@redhat.com> - 34.1.32-1
- Dontaudit guest attempts to dbus chat with systemd domains Resolves: rhbz#2062740
- Dontaudit guest attempts to dbus chat with system bus types Resolves: rhbz#2062740
- Fix users for SELinux userspace 3.4 Resolves: rhbz#2079290
- Removed adding to attribute unpriv_userdomain from userdom_unpriv_type template Resolves: rhbz#2076681
- Allow systemd-sleep get removable devices attributes Resolves: rhbz#2082404
- Allow systemd-sleep tlp_filetrans_named_content() Resolves: rhbz#2082404
- Allow systemd-sleep execute generic programs Resolves: rhbz#2082404
- Allow systemd-sleep execute shell Resolves: rhbz#2082404
- Allow systemd-sleep transition to sysstat_t Resolves: rhbz#2082404
- Allow systemd-sleep transition to tlp_t Resolves: rhbz#2082404
- Allow systemd-sleep transition to unconfined_service_t on bin_t executables Resolves: rhbz#2082404
- allow systemd-sleep to set timer for suspend-then-hibernate Resolves: rhbz#2082404
- Add default fc specifications for patterns in /opt Resolves: rhbz#2081059
- Use a named transition in systemd_hwdb_manage_config() Resolves: rhbz#2061725

* Wed May 04 2022 Nikola Knazekova <nknazeko@redhat.com> - 34.1.31-2
- Remove "v" from the package version

* Mon May 02 2022 Nikola Knazekova <nknazeko@redhat.com> - v34.1.31-1
- Label /var/run/machine-id as machineid_t Resolves: rhbz#2061680
- Allow insights-client create_socket_perms for tcp/udp sockets Resolves: rhbz#2077377
- Allow insights-client read rhnsd config files Resolves: rhbz#2077377
- Allow rngd drop privileges via setuid/setgid/setcap Resolves: rhbz#2076642
- Allow tmpreaper the sys_ptrace userns capability Resolves: rhbz#2062823
- Add stalld to modules.conf Resolves: rhbz#2042614
- New policy for stalld Resolves: rhbz#2042614
- Label new utility of NetworkManager nm-priv-helper Resolves: rhbz#2053639
- Exclude container.if from selinux-policy-devel Resolves: rhbz#1861968

* Tue Apr 19 2022 Zdenek Pytela <zpytela@redhat.com> - 34.1.30-2
- Update source branches to build a new package for RHEL 9.1.0

* Tue Apr 12 2022 Nikola Knazekova <nknazeko@redhat.com> - 34.1.30-1
- Allow administrative users the bpf capability Resolves: RHBZ#2070982
- Allow NetworkManager talk with unconfined user over unix domain dgram socket Resolves: rhbz#2064688
- Allow hostapd talk with unconfined user over unix domain dgram socket Resolves: rhbz#2064688
- Allow fprintd read and write hardware state information Resolves: rhbz#2062911
- Allow fenced read kerberos key tables Resolves: RHBZ#2060722
- Allow init watch and watch_reads user ttys Resolves: rhbz#2060289
- Allow systemd watch and watch_reads console devices Resolves: rhbz#2060289
- Allow nmap create and use rdma socket Resolves: RHBZ#2059603

* Thu Mar 31 2022 Zdenek Pytela <zpytela@redhat.com> - 34.1.29-1
- Allow qemu-kvm create and use netlink rdma sockets Resolves: rhbz#2063612
- Label corosync-cfgtool with cluster_exec_t Resolves: rhbz#2061277

* Thu Mar 24 2022 Zdenek Pytela <zpytela@redhat.com> - 34.1.28-1
- Allow logrotate a domain transition to cluster administrative domain Resolves: rhbz#2061277
- Change the selinuxuser_execstack boolean value to true Resolves: rhbz#2064274

* Thu Feb 24 2022 Zdenek Pytela <zpytela@redhat.com> - 34.1.27-1
- Allow ModemManager connect to the unconfined user domain Resolves: rhbz#2000196
- Label /dev/wwan.+ with modem_manager_t Resolves: rhbz#2000196
- Allow systemd-coredump userns capabilities and root mounton Resolves: rhbz#2057435
- Allow systemd-coredump read and write usermodehelper state Resolves: rhbz#2057435
- Allow sysadm_passwd_t to relabel passwd and group files Resolves: rhbz#2053458
- Allow systemd-sysctl read the security state information Resolves: rhbz#2056999
- Remove unnecessary /etc file transitions for insights-client Resolves: rhbz#2055823
- Label all content in /var/lib/insights with insights_client_var_lib_t Resolves: rhbz#2055823
- Update insights-client policy Resolves: rhbz#2055823
- Update insights-client: fc pattern, motd, writing to etc Resolves: rhbz#2055823
- Update specfile to buildrequire policycoreutils-devel >= 3.3-5
- Add modules_checksum to %files

* Thu Feb 17 2022 Zdenek Pytela <zpytela@redhat.com> - 34.1.26-1
- Remove permissive domain for insights_client_t Resolves: rhbz#2055823
- New policy for insight-client Resolves: rhbz#2055823
- Allow confined sysadmin to use tool vipw Resolves: rhbz#2053458
- Allow chage domtrans to sssd Resolves: rhbz#2054657
- Remove label for /usr/sbin/bgpd Resolves: rhbz#2055578
- Dontaudit pkcsslotd sys_admin capability Resolves: rhbz#2055639
- Do not change selinuxuser_execmod and selinuxuser_execstack Resolves: rhbz#2055822
- Allow tuned to read rhsmcertd config files Resolves: rhbz#2055823

* Mon Feb 14 2022 Zdenek Pytela <zpytela@redhat.com> - 34.1.25-1
- Allow systemd watch unallocated ttys Resolves: rhbz#2054150
- Allow alsa bind mixer controls to led triggers Resolves: rhbz#2049732
- Allow alsactl set group Process ID of a process Resolves: rhbz#2049732
- Allow unconfined to run virtd bpf Resolves: rhbz#2033504

* Fri Feb 04 2022 Zdenek Pytela <zpytela@redhat.com> - 34.1.24-1
- Allow tumblerd write to session_dbusd tmp socket files Resolves: rhbz#2000039
- Allow login_userdomain write to session_dbusd tmp socket files Resolves: rhbz#2000039
- Allow login_userdomain create session_dbusd tmp socket files Resolves: rhbz#2000039
- Allow gkeyringd_domain write to session_dbusd tmp socket files Resolves: rhbz#2000039
- Allow systemd-logind delete session_dbusd tmp socket files Resolves: rhbz#2000039
- Allow gdm-x-session write to session dbus tmp sock files Resolves: rhbz#2000039
- Allow sysadm_t nnp_domtrans to systemd_tmpfiles_t Resolves: rhbz#2039453
- Label exFAT utilities at /usr/sbin Resolves: rhbz#1972225

* Wed Feb 02 2022 Zdenek Pytela <zpytela@redhat.com> - 34.1.23-1
- Allow systemd nnp_transition to login_userdomain Resolves: rhbz#2039453
- Label /var/run/user/%{USERID}/dbus with session_dbusd_tmp_t Resolves: rhbz#2000039
- Change /run/user/[0-9]+ to /run/user/%{USERID} for proper labeling Resolves: rhbz#2000039
- Allow scripts to enter LUKS password Resolves: rhbz#2048521
- Allow system_mail_t read inherited apache system content rw files Resolves: rhbz#2049372
- Add apache_read_inherited_sys_content_rw_files() interface Related: rhbz#2049372
- Allow sanlock get attributes of filesystems with extended attributes Resolves: rhbz#2047811
- Associate stratisd_data_t with device filesystem Resolves: rhbz#2039974
- Allow init read stratis data symlinks Resolves: rhbz#2039974
- Label /run/stratisd with stratisd_var_run_t Resolves: rhbz#2039974
- Allow domtrans to sssd_t and role access to sssd Resolves: rhbz#2039757
- Creating interface sssd_run_sssd() Resolves: rhbz#2039757
- Fix badly indented used interfaces Resolves: rhbz#2039757
- Allow domain transition to sssd_t Resolves: rhbz#2039757
- Label /dev/nvme-fabrics with fixed_disk_device_t Resolves: rhbz#2039759
- Allow local_login_t nnp_transition to login_userdomain Resolves: rhbz#2039453
- Allow xdm_t nnp_transition to login_userdomain Resolves: rhbz#2039453
- Make cupsd_lpd_t a daemon Resolves: rhbz#2039449
- Label utilities for exFAT filesystems with fsadm_exec_t Resolves: rhbz#1972225
- Dontaudit sfcbd sys_ptrace cap_userns Resolves: rhbz#2040311

* Tue Jan 11 2022 Zdenek Pytela <zpytela@redhat.com> - 34.1.22-1
- Allow sshd read filesystem sysctl files Resolves: rhbz#2036585
- Revert "Allow sshd read sysctl files" Resolves: rhbz#2036585

* Mon Jan 10 2022 Zdenek Pytela <zpytela@redhat.com> - 34.1.21-1
- Remove the lockdown class from the policy Resolves: rhbz#2017848
- Revert "define lockdown class and access" Resolves: rhbz#2017848
- Allow gssproxy access to various system files. Resolves: rhbz#2026974
- Allow gssproxy read, write, and map ica tmpfs files Resolves: rhbz#2026974
- Allow gssproxy read and write z90crypt device Resolves: rhbz#2026974
- Allow sssd_kcm read and write z90crypt device Resolves: rhbz#2026974
- Allow abrt_domain read and write z90crypt device Resolves: rhbz#2026974
- Allow NetworkManager read and write z90crypt device Resolves: rhbz#2026974
- Allow smbcontrol read the network state information Resolves: rhbz#2038157
- Allow virt_domain map vhost devices Resolves: rhbz#2035702
- Allow fcoemon request the kernel to load a module Resolves: rhbz#2034463
- Allow lldpd connect to snmpd with a unix domain stream socket Resolves: rhbz#2033315
- Allow ModemManager create a qipcrtr socket Resolves: rhbz#2036582
- Allow ModemManager request to load a kernel module Resolves: rhbz#2036582
- Allow sshd read sysctl files Resolves: rhbz#2036585

* Wed Dec 15 2021 Zdenek Pytela <zpytela@redhat.com> - 34.1.20-1
- Allow dnsmasq watch /etc/dnsmasq.d directories Resolves: rhbz#2029866
- Label /usr/lib/pcs/pcs_snmp_agent with cluster_exec_t Resolves: rhbz#2029316
- Allow lldpd use an snmp subagent over a tcp socket Resolves: rhbz#2028561
- Allow smbcontrol use additional socket types Resolves: rhbz#2027751
- Add write permission to userfaultfd_anon_inode_perms Resolves: rhbz#2027660
- Allow xdm_t watch generic directories in /lib Resolves: rhbz#1960010
- Allow xdm_t watch fonts directories Resolves: rhbz#1960010
- Label /dev/ngXnY and /dev/nvme-subsysX with fixed_disk_device_t Resolves: rhbz#2027994
- Add hwtracing_device_t type for hardware-level tracing and debugging Resolves: rhbz#2029392
- Change dev_getattr_infiniband_dev() to use getattr_chr_files_pattern() Resolves: rhbz#2028791
- Allow arpwatch get attributes of infiniband_device_t devices Resolves: rhbz#2028791
- Allow tcpdump and nmap get attributes of infiniband_device_t Resolves: rhbz#2028791

* Mon Nov 29 2021 Zdenek Pytela <zpytela@redhat.com> - 34.1.19-1
- Allow redis get attributes of filesystems with extended attributes Resolves: rhbz#2014611
- Allow dirsrv read slapd tmpfs files Resolves: rhbz#2015928
- Revert "Label /dev/shm/dirsrv/ with dirsrv_tmpfs_t label" Resolves: rhbz#2015928
- Allow login_userdomain open/read/map system journal Resolves: rhbz#2017838
- Allow login_userdomain read and map /var/lib/systemd files Resolves: rhbz#2017838
- Allow nftables read NetworkManager unnamed pipes Resolves: rhbz#2023456
- Allow xdm watch generic directories in /var/lib Resolves: rhbz#1960010
- Allow xdm_t watch generic pid directories Resolves: rhbz#1960010

* Mon Nov 01 2021 Zdenek Pytela <zpytela@redhat.com> - 34.1.18-1
- Allow fetchmail search cgroup directories Resolves: rhbz#2015118
- Add the auth_read_passwd_file() interface Resolves: rhbz#2014611
- Allow redis-sentinel execute a notification script Resolves: rhbz#2014611
- Support new PING_CHECK health checker in keepalived Resolves: rhbz#2014423

* Thu Oct 14 2021 Zdenek Pytela <zpytela@redhat.com> - 34.1.17-1
- Label /usr/sbin/virtproxyd as virtd_exec_t Resolves: rhbz#2002143
- Allow at-spi-bus-launcher read and map xdm pid files Resolves: rhbz#2011772
- Remove references to init_watch_path_type attribute Resolves: rhbz#2007960
- Remove all redundant watch permissions for systemd Resolves: rhbz#2007960
- Allow systemd watch non_security_file_type dirs, files, lnk_files Resolves: rhbz#2007960
- Allow systemd-resolved watch /run/systemd Resolves: rhbz#1992461
- Allow sssd watch /run/systemd Resolves: rhbz#1992461

* Thu Sep 23 2021 Zdenek Pytela <zpytela@redhat.com> - 34.1.16-1
- Allow fprintd install a sleep delay inhibitor Resolves: rhbz#1999537
- Update mount_manage_pid_files() to use manage_files_pattern Resolves: rhbz#1999997
- Allow gnome at-spi processes create and use stream sockets Resolves: rhbz#2004885
- Allow haproxy list the sysfs directories content Resolves: rhbz#1986823
- Allow virtlogd_t read process state of user domains Resolves: rhbz#1994592
- Support hitless reloads feature in haproxy Resolves: rhbz#1997182
- Allow firewalld load kernel modules Resolves: rhbz#1999152
- Allow communication between at-spi and gdm processes Resolves: rhbz#2003037
- Remove "ipa = module" from modules-targeted-contrib.conf Resolves: rhbz#2006039

* Mon Aug 30 2021 Zdenek Pytela <zpytela@redhat.com> - 34.1.15-1
- Update ica_filetrans_named_content() with create_file_perms Resolves: rhbz#1976180
- Allow various domains work with ICA crypto accelerator Resolves: rhbz#1976180
- Add ica module Resolves: rhbz#1976180
- Revert "Support using ICA crypto accelerator on s390x arch" Resolves: rhbz#1976180
- Fix the gnome_atspi_domtrans() interface summary Resolves: rhbz#1972655
- Add support for at-spi Resolves: rhbz#1972655
- Add permissions for system dbus processes Resolves: rhbz#1972655
- Allow /tmp file transition for dbus-daemon also for sock_file Resolves: rhbz#1972655

* Wed Aug 25 2021 Zdenek Pytela <zpytela@redhat.com> - 34.1.14-1
- Support using ICA crypto accelerator on s390x arch Resolves: rhbz#1976180
- Allow systemd delete /run/systemd/default-hostname Resolves: rhbz#1978507
- Label /usr/bin/Xwayland with xserver_exec_t Resolves: rhbz#1993151
- Label /usr/libexec/gdm-runtime-config with xdm_exec_t Resolves: rhbz#1993151
- Allow tcpdump read system state information in /proc Resolves: rhbz#1972577
- Allow firewalld drop capabilities Resolves: rhbz#1989641

* Thu Aug 12 2021 Zdenek Pytela <zpytela@redhat.com> - 34.1.13-1
- Add "/" at the beginning of dev/shm/var\.lib\.opencryptoki.* regexp Resolves: rhbz#1977915
- Set default file context for /sys/firmware/efi/efivars Resolves: rhbz#1972372
- Allow tcpdump run as a systemd service Resolves: rhbz#1972577
- Allow nmap create and use netlink generic socket Resolves: rhbz#1985212
- Allow nscd watch system db files in /var/db Resolves: rhbz#1989416
- Allow systemd-gpt-auto-generator read udev pid files Resolves: rhbz#1992638

* Tue Aug 10 2021 Zdenek Pytela <zpytela@redhat.com> - 34.1.12-1
- Revert "update libs_filetrans_named_content() to have support for /usr/lib/debug directory" Resolves: rhbz#1990813
- Label /dev/crypto/nx-gzip with accelerator_device_t Resolves: rhbz#1973953
- Label /usr/bin/qemu-storage-daemon with virtd_exec_t Resolves: rhbz#1977245
- Allow systemd-machined stop generic service units Resolves: rhbz#1979522
- Label /.k5identity file allow read of this file to rpc.gssd Resolves: rhbz#1980610

* Tue Aug 10 2021 Mohan Boddu <mboddu@redhat.com> - 34.1.11-2
- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags Related: rhbz#1991688

* Thu Jul 29 2021 Zdenek Pytela <zpytela@redhat.com> - 34.1.11-1
- Allow hostapd bind UDP sockets to the dhcpd port Resolves: rhbz#1979968
- Allow mdadm read iscsi pid files Resolves: rhbz#1976073
- Unconfined domains should not be confined Resolves: rhbz#1977986
- Allow NetworkManager_t to watch /etc Resolves: rhbz#1980000
- Allow using opencryptoki for ipsec Resolves: rhbz#1977915

* Wed Jul 14 2021 Zdenek Pytela <zpytela@redhat.com> - 34.1.10-1
- Allow bacula get attributes of cgroup filesystems Resolves: rhbz#1976917
- Label /dev/wmi/dell-smbios as acpi_device_t Resolves: rhbz#1972382
- Add the lockdown integrity permission to dev_map_userio_dev() Resolves: rhbz#1966758
- Allow virtlogd_t to create virt_var_lockd_t dir Resolves: rhbz#1974875

* Tue Jun 22 2021 Zdenek Pytela <zpytela@redhat.com> - 34.1.9-1
- Allow systemd-coredump getattr nsfs files and net_admin capability Resolves: rhbz#1965372
- Label /run/libvirt/common with virt_common_var_run_t Resolves: rhbz#1969209
- Label /usr/bin/arping plain file with netutils_exec_t Resolves: rhbz#1952515
- Make usbmuxd_t a daemon Resolves: rhbz#1965411
- Allow usbmuxd get attributes of cgroup filesystems Resolves: rhbz#1965411
- Label /dev/dma_heap/* char devices with dma_device_t
- Revert "Label /dev/dma_heap/* char devices with dma_device_t"
- Revert "Label /dev/dma_heap with dma_device_dir_t"
- Revert "Associate dma_device_dir_t with device filesystem" Resolves: rhbz#1967818
- Label /var/lib/kdump with kdump_var_lib_t Resolves: rhbz#1965989
- Allow systemd-timedated watch runtime dir and its parent Resolves: rhbz#1970865
- Label /run/fsck with fsadm_var_run_t Resolves: rhbz#1970911

* Thu Jun 10 2021 Zdenek Pytela <zpytela@redhat.com> - 34.1.8-1
- Associate dma_device_dir_t with device filesystem Resolves: rhbz#1954116
- Add default file context specification for dnf log files Resolves: rhbz#1955223
- Allow using opencryptoki for certmonger Resolves: rhbz#1961756
- Label var.lib.opencryptoki.* files and create pkcs_tmpfs_filetrans() Resolves: rhbz#1961756
- Allow httpd_sys_script_t read, write, and map hugetlbfs files Resolves: rhbz#1964890
- Dontaudit daemon open and read init_t file Resolves: rhbz#1965412
- Allow sanlock get attributes of cgroup filesystems Resolves: rhbz#1965217

* Tue Jun 08 2021 Zdenek Pytela <zpytela@redhat.com> - 34.1.7-1
- Set default file context for /var/run/systemd instead of /run/systemd Resolves: rhbz#1966492

* Mon Jun 07 2021 Zdenek Pytela <zpytela@redhat.com> - 34.1.6-1
- Label /dev/dma_heap with dma_device_dir_t Resolves: rhbz#1954116
- Allow pkcs-slotd create and use netlink_kobject_uevent_socket Resolves: rhbz#1963252
- Label /run/systemd/default-hostname with hostname_etc_t Resolves: rhbz#1966492

* Thu May 27 2021 Zdenek Pytela <zpytela@redhat.com> - 34.1.5-1
- Label /dev/trng with random_device_t Resolves: rhbz#1962260
- Label /dev/zram[0-9]+ block device files with fixed_disk_device_t Resolves: rhbz#1954116
- Label /dev/udmabuf character device with dma_device_t Resolves: rhbz#1954116
- Label /dev/dma_heap/* char devices with dma_device_t Resolves: rhbz#1954116
- Label /dev/acpi_thermal_rel char device with acpi_device_t Resolves: rhbz#1954116
- Allow fcoemon create sysfs files Resolves: rhbz#1952292

* Wed May 12 2021 Zdenek Pytela <zpytela@redhat.com> - 34.1.4-1
- Allow sysadm_t dbus chat with tuned Resolves: rhbz#1953643
- Allow tuned write profile files with file transition Resolves: rhbz#1953643
- Allow tuned manage perf_events Resolves: rhbz#1953643
- Make domains use kernel_write_perf_event() and kernel_manage_perf_event() Resolves: rhbz#1953643
- Add kernel_write_perf_event() and kernel_manage_perf_event() Resolves: rhbz#1953643
- Allow syslogd_t watch root and var directories Resolves: rhbz#1957792
- Allow tgtd create and use rdma socket Resolves: rhbz#1955559
- Allow aide connect to init with a unix socket Resolves: rhbz#1926343

* Wed Apr 28 2021 Zdenek Pytela <zpytela@redhat.com> - 34.1.3-1
- Allow domain create anonymous inodes Resolves: rhbz#1954145
- Add anon_inode class to the policy Resolves: rhbz#1954145
- Allow pluto IKEv2 / ESP over TCP Resolves: rhbz#1951471
- Add brltty new permissions required by new upstream version Resolves: rhbz#1947842
- Label /var/lib/brltty with brltty_var_lib_t Resolves: rhbz#1947842
- Allow login_userdomain create cgroup files Resolves: rhbz#1951114
- Allow aide connect to systemd-userdbd with a unix socket Resolves: rhbz#1926343
- Allow cups-lpd read its private runtime socket files Resolves: rhbz#1947397
- Label /etc/redis as redis_conf_t Resolves: rhbz#1947874
- Add file context specification for /usr/libexec/realmd Resolves: rhbz#1946495

* Thu Apr 22 2021 Zdenek Pytela <zpytela@redhat.com> - 34.1.2-1
- Further update make-rhat-patches.sh for RHEL 9.0 beta
- Add file context specification for /var/tmp/tmp-inst Resolves: rhbz#1924656

* Wed Apr 21 2021 Zdenek Pytela <zpytela@redhat.com> - 34.1.1-1
- Update selinux-policy.spec and make-rhat-patches.sh for RHEL 9.0 beta
- Allow unconfined_service_t confidentiality and integrity lockdown Resolves: rhbz#1950267

* Fri Apr 16 2021 Mohan Boddu <mboddu@redhat.com> - 34-2
- Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937

* Thu Apr 01 2021 Zdenek Pytela <zpytela@redhat.com> - 34.1-1
- Change the package versioning

* Thu Apr 01 2021 Zdenek Pytela <zpytela@redhat.com> - 3.14.7-30
- Allow plymouthd_t exec generic program in bin directories
- Allow dhcpc_t domain transition to chronyc_t
- Allow login_userdomain bind xmsg port
- Allow ibacm the net_raw and sys_rawio capabilities
- Allow nsswitch_domain read cgroup files
- Allow systemd-sleep create hardware state information files

* Mon Mar 29 2021 Zdenek Pytela <zpytela@redhat.com> - 3.14.7-29
- Add watch_with_perm_dirs_pattern file pattern

* Fri Mar 26 2021 Zdenek Pytela <zpytela@redhat.com> - 3.14.7-28
- Allow arpwatch_t create netlink generic socket
- Allow postgrey read network state
- Add watch_mount_dirs_pattern file pattern
- Allow bluetooth_t dbus chat with fwupd_t
- Allow xdm_t watch accountsd lib directories
- Add additional interfaces for watching /boot
- Allow sssd_t get attributes of tmpfs filesystems
- Allow local_login_t get attributes of tmpfs filesystems

* Tue Mar 23 2021 Zdenek Pytela <zpytela@redhat.com> - 3.14.7-27
- Dontaudit domain the fowner capability
- Extend fs_manage_nfsd_fs() to allow managing dirs as well
- Allow spice-vdagentd watch systemd-logind session dirs

* Fri Mar 19 2021 Zdenek Pytela <zpytela@redhat.com> - 3.14.7-26
- Allow xdm_t watch systemd-logind session dirs
- Allow xdm_t transition to system_dbusd_t
- Allow confined users login into graphic session
- Allow login_userdomain watch systemd login session dirs
- install_t: Allow NoNewPriv transition from systemd
- Remove setuid/setgid capabilities from mysqld_t
- Add context for new mariadbd executable files
- Allow netutils_t create netlink generic socket
- Allow systemd the audit_control capability conditionally

* Thu Mar 11 2021 Zdenek Pytela <zpytela@redhat.com> - 3.14.7-25
- Allow polkit-agent-helper-1 read logind sessions files
- Allow polkit-agent-helper read init state
- Allow login_userdomain watch generic device dirs
- Allow login_userdomain listen on bluetooth sockets
- Allow user_t and staff_t bind netlink_generic_socket
- Allow login_userdomain write inaccessible nodes
- Allow transition from xdm domain to unconfined_t domain.
- Add 'make validate' step to CI
- Disallow user_t run su/sudo and staff_t run su
- Fix typo in rsyncd.conf in rsync.if
- Add an alias for nvme_device_t
- Allow systemd watch and watch_reads unallocated ttys

* Tue Mar 02 2021 Zdenek Pytela <zpytela@redhat.com> - 3.14.7-24
- Allow apmd watch generic device directories
- Allow kdump load a new kernel
- Add confidentiality lockdown permission to kernel_read_core_if()
- Allow keepalived read nsfs files
- Allow local_login_t get attributes of filesystems with ext attributes
- Allow keepalived read/write its private memfd: objects
- Add missing declaration in rpm_named_filetrans()
- Change param description in cron interfaces to userdomain_prefix

* Tue Feb 23 2021 Zdenek Pytela <zpytela@redhat.com> - 3.14.7-23
- iptables.fc: Add missing legacy entries
- iptables.fc: Remove some duplicate entries
- iptables.fc: Remove duplicate file context entries
- Allow libvirtd to create generic netlink sockets
- Allow libvirtd the fsetid capability
- Allow libvirtd to read /run/utmp
- Dontaudit sys_ptrace capability when calling systemctl
- Allow udisksd to read /dev/random
- Allow udisksd to watch files under /run/mount
- Allow udisksd to watch /etc
- Allow crond to watch user_cron_spool_t directories
- Allow accountsd watch xdm config directories
- Label /etc/avahi with avahi_conf_t
- Allow sssd get cgroup filesystems attributes and search cgroup dirs
- Allow systemd-hostnamed read udev runtime data
- Remove dev_getattr_sysfs_fs() interface calls for particular domains
- Allow domain stat the /sys filesystem
- Dontaudit NetworkManager write to initrc_tmp_t pipes
- policykit.te: Clean up watch rule for policykit_auth_t
- Revert further unnecessary watch rules
- Revert "Allow getty watch its private runtime files"
- Allow systemd watch generic /var directories
- Allow init watch network config files and lnk_files

* Fri Feb 19 2021 Zdenek Pytela <zpytela@redhat.com> - 3.14.7-22
- Allow systemd-sleep get attributes of fixed disk device nodes
- Complete initial policy for systemd-coredump
- Label SDC(scini) Dell Driver
- Allow upowerd to send syslog messages
- Remove the disk write permissions from tlp_t
- Label NVMe devices as fixed_disk_device_t
- Allow rhsmcertd bind tcp sockets to a generic node
- Allow systemd-importd manage machines.lock file
- Allow unconfined integrity lockdown permission
- Relocate confidentiality lockdown rule from unconfined_domain_type to unconfined
- Allow systemd-machined manage systemd-userdbd runtime sockets
- Enable systemd-sysctl domtrans for udev
- Introduce kernel_load_unsigned_module interface and use it for couple domains
- Allow gpg watch user gpg secrets dirs
- Build also the container module in CI
- Remove duplicate code from kernel.te
- Allow restorecond to watch all non-auth directories
- Allow restorecond to watch its config file

* Tue Feb 16 2021 Zdenek Pytela <zpytela@redhat.com> - 3.14.7-21
- Allow unconfined integrity lockdown permission
- Relocate confidentiality lockdown rule from unconfined_domain_type to unconfined
- Allow systemd-machined manage systemd-userdbd runtime sockets
- Enable systemd-sysctl domtrans for udev
- Introduce kernel_load_unsigned_module interface and use it for couple domains
- Allow gpg watch user gpg secrets dirs
- Build also the container module in CI
- Remove duplicate code from kernel.te
- Allow restorecond to watch all non-auth directories
- Allow restorecond to watch its config file

* Fri Feb 12 2021 Zdenek Pytela <zpytela@redhat.com> - 3.14.7-20
- Allow userdomain watch various filesystem objects
- Allow systemd-logind
and systemd-sleep integrity lockdown permission - Allow unconfined_t and kprop_t to create krb5_0.rcache2 with the right context - Allow pulseaudio watch devices and systemd-logind session dirs - Allow abrt-dump-journal-* watch generic log dirs and /run/log/journal dir - Remove duplicate files_mounton_etc(init_t) call - Add watch permissions to manage_* object permissions sets - Allow journalctl watch generic log dirs and /run/log/journal dir - Label /etc/resolv.conf as net_conf_t even when it's a symlink - Allow SSSD to watch /var/run/NetworkManager - Allow dnsmasq_t to watch /etc - Remove unnecessary lines from the new watch interfaces - Fix docstring for init_watch_dir() - Allow xdm watch its private lib dirs, /etc, /usr * Fri Feb 12 2021 Zdenek Pytela <zpytela@redhat.com> - 3.14.7-19 - Bump version as Fedora 34 has been branched off rawhide - Allow xdm watch its private lib dirs, /etc, /usr - Allow systemd-importd create /run/systemd/machines.lock file - Allow rhsmcertd_t read kpatch lib files - Add integrity lockdown permission into dev_read_raw_memory() - Add confidentiality lockdown permission into fs_rw_tracefs_files() - Allow gpsd read and write ptp4l_t shared memory. 
- Allow colord watch its private lib files and /usr - Allow init watch_reads mount PID files - Allow IPsec and Certmonger to use opencryptoki services * Sun Feb 07 2021 Zdenek Pytela <zpytela@redhat.com> - 3.14.7-18 - Allow lockdown confidentiality for domains using perf_event - define lockdown class and access - Add perfmon capability for all domains using perf_event - Allow ptp4l_t bpf capability to run bpf programs - Revert "Allow ptp4l_t sys_admin capability to run bpf programs" - access_vectors: Add new capabilities to cap2 - Allow systemd and systemd-resolved watch dbus pid objects - Add new watch interfaces in the base and userdomain policy - Add watch permissions for contrib packages - Allow xdm watch /usr directories - Allow getty watch its private runtime files - Add watch permissions for nscd and sssd - Add watch permissions for firewalld and NetworkManager - Add watch permissions for syslogd - Add watch permissions for systemd services - Allow restorecond watch /etc dirs - Add watch permissions for user domain types - Add watch permissions for init - Add basic watch interfaces for systemd - Add basic watch interfaces to the base module - Add additional watch object permissions sets and patterns - Allow init_t to watch localization symlinks - Allow init_t to watch mount directories - Allow init_t to watch cgroup files - Add basic watch patterns - Add new watch* permissions * Fri Feb 05 2021 Zdenek Pytela <zpytela@redhat.com> - 3.14.7-17 - Update .copr/make-srpm.sh to use rawhide as DISTGIT_BRANCH - Dontaudit setsched for rndc - Allow systemd-logind destroy entries in message queue - Add userdom_destroy_unpriv_user_msgq() interface - ci: Install build dependencies from koji - Dontaudit vhostmd to write in /var/lib/rpm/ dir and allow signull rpm - Add new cmadmin port for bfdd dameon - virtiofs supports Xattrs and SELinux - Allow domain write to systemd-resolved PID socket files - Label /var/run/pcsd-ruby.socket socket with cluster_var_run_t type - Allow 
rhsmcertd_t domain transition to kpatch_t - Revert "Add kpatch_exec() interface" - Revert "Allow rhsmcertd execute kpatch" - Allow openvswitch create and use xfrm netlink sockets - Allow openvswitch_t perf_event write permission - Add kpatch_exec() interface - Allow rhsmcertd execute kpatch - Adds rule to allow glusterd to access RDMA socket - radius: Lexical sort of service-specific corenet rules by service name - VQP: Include IANA-assigned TCP/1589 - radius: Allow binding to the VQP port (VMPS) - radius: Allow binding to the BDF Control and Echo ports - radius: Allow binding to the DHCP client port - radius: Allow net_raw; allow binding to the DHCP server ports - Add rsync_sys_admin tunable to allow rsync sys_admin capability - Allow staff_u run pam_console_apply - Allow openvswitch_t perf_event open permission - Allow sysadm read and write /dev/rfkill - Allow certmonger fsetid capability - Allow domain read usermodehelper state information * Wed Jan 27 2021 Fedora Release Engineering <releng@fedoraproject.org> - 3.14.7-16 - Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild * Fri Jan 22 2021 Petr Lautrbach <plautrba@redhat.com> - 3.14.7-15 - Update specfile to not verify md5/size/mtime for active store files - Add /var/mnt equivalency to /mnt - Rebuild with SELinux userspace 3.2-rc1 release * Sat Jan 09 2021 Zdenek Pytela <zpytela@redhat.com> - 3.14.7-14 - Allow domain read usermodehelper state information - Remove all kernel_read_usermodehelper_state() interface calls - .copr: improve timestamp format - Allow wireshark create and use rdma socket - Allow domain stat /proc filesystem - Remove all kernel_getattr_proc() interface calls - Revert "Allow passwd to get attributes in proc_t" - Revert "Allow dovecot_auth_t stat /proc filesystem" - Revert "Allow sssd, unix_chkpwd, groupadd stat /proc filesystem" - Allow sssd read /run/systemd directory - Label /dev/vhost-vdpa-[0-9]+ as vhost_device_t