Information for build selinux-policy-38.1.8-1.el9

ID: 25046
Package Name: selinux-policy
Version: 38.1.8
Release: 1.el9
Epoch:
Draft: False
Source: selinux-policy-38.1.8-1.el9.src.rpm
Summary: SELinux policy configuration
Description: SELinux core policy package. Originally based off of reference policy, the policy has been adjusted to provide support for Fedora.
Built by: circlekoji
State: complete
Volume: DEFAULT
Started: Sun, 14 May 2023 13:32:55 CST
Completed: Sun, 14 May 2023 13:37:32 CST
Task: build (dist-circle9, selinux-policy-38.1.8-1.el9.src.rpm)
Extra: {'source': {'original_url': 'selinux-policy-38.1.8-1.el9.src.rpm'}}
Tags: dist-circle9

RPMs:
  src:
    selinux-policy-38.1.8-1.el9.src.rpm
  noarch:
    selinux-policy-38.1.8-1.el9.noarch.rpm
    selinux-policy-devel-38.1.8-1.el9.noarch.rpm
    selinux-policy-doc-38.1.8-1.el9.noarch.rpm
    selinux-policy-minimum-38.1.8-1.el9.noarch.rpm
    selinux-policy-mls-38.1.8-1.el9.noarch.rpm
    selinux-policy-sandbox-38.1.8-1.el9.noarch.rpm
    selinux-policy-targeted-38.1.8-1.el9.noarch.rpm

Logs:
  noarch:
    build.log
    hw_info.log
    installed_pkgs.log
    mock_output.log
    noarch_rpmdiff.json
    root.log
    state.log
Changelog:

* Thu Feb 16 2023 Nikola Knazekova <nknazeko@redhat.com> - 38.1.8-1
- Allow svirt to map svirt_image_t char files
Resolves: rhbz#2170482
- Fix opencryptoki file names in /dev/shm
Resolves: rhbz#2166283

* Wed Feb 15 2023 Nikola Knazekova <nknazeko@redhat.com> - 38.1.7-1
- Allow staff_t getattr init pid chr & blk files and read krb5
Resolves: rhbz#2112729
- Allow firewalld to rw z90crypt device
Resolves: rhbz#2166877
- Allow httpd work with tokens in /dev/shm
Resolves: rhbz#2166283

* Thu Feb 09 2023 Nikola Knazekova <nknazeko@redhat.com> - 38.1.6-1
- Allow modemmanager create hardware state information files
Resolves: rhbz#2149560
- Dontaudit ftpd the execmem permission
Resolves: rhbz#2164434
- Allow nm-dispatcher plugins read generic files in /proc
Resolves: rhbz#2164845
- Label systemd-journald feature LogNamespace
Resolves: rhbz#2124797
- Boolean: allow qemu-ga read ssh home directory
Resolves: rhbz#1917024

* Thu Jan 26 2023 Nikola Knazekova <nknazeko@redhat.com> - 38.1.5-1
- Reuse tmpfs_t also for the ramfs filesystem
Resolves: rhbz#2160391
- Allow systemd-resolved watch tmpfs directories
Resolves: rhbz#2160391
- Allow hostname_t to read network sysctls.
Resolves: rhbz#2161958
- Allow ModemManager all permissions for netlink route socket
Resolves: rhbz#2149560
- Allow unconfined user filetransition for sudo log files
Resolves: rhbz#2160388
- Allow sudodomain use sudo.log as a logfile
Resolves: rhbz#2160388
- Allow nm-cloud-setup dispatcher plugin restart nm services
Resolves: rhbz#2154414
- Allow wg to send msg to kernel, write to syslog and dbus connections
Resolves: rhbz#2149452
- Allow rshim bpf cap2 and read sssd public files
Resolves: rhbz#2080439
- Allow svirt request the kernel to load a module
Resolves: rhbz#2144735
- Rebase selinux-policy to the latest one in rawhide
Resolves: rhbz#2014606

* Thu Jan 12 2023 Nikola Knazekova <nknazeko@redhat.com> - 38.1.4-1
- Add lpr_roles to system_r roles
Resolves: rhbz#2152150
- Allow insights client work with gluster and pcp
Resolves: rhbz#2152150
- Add interfaces in domain, files, and unconfined modules
Resolves: rhbz#2152150
- Label fwupdoffline and fwupd-detect-cet with fwupd_exec_t
Resolves: rhbz#2152150
- Add insights additional capabilities
Resolves: rhbz#2152150
- Revert "Allow insights-client run lpr and allow the proper role"
Resolves: rhbz#2152150
- Allow prosody manage its runtime socket files
Resolves: rhbz#2157891
- Allow syslogd read network sysctls
Resolves: rhbz#2156068
- Allow NetworkManager and wpa_supplicant the bpf capability
Resolves: rhbz#2137085
- Allow sysadm_t read/write ipmi devices
Resolves: rhbz#2158419
- Allow wireguard to create udp sockets and read net_conf
Resolves: rhbz#2149452
- Allow systemd-rfkill the bpf capability
Resolves: rhbz#2149390
- Allow load_policy_t write to unallocated ttys
Resolves: rhbz#2145181
- Allow winbind-rpcd manage samba_share_t files and dirs
Resolves: rhbz#2150680

* Thu Dec 15 2022 Nikola Knazekova <nknazeko@redhat.com> - 38.1.3-1
- Allow stalld to read /sys/kernel/security/lockdown file
Resolves: rhbz#2140673
- Allow syslog the setpcap capability
Resolves: rhbz#2151841
- Allow pulseaudio to write to session_dbusd tmp socket files
Resolves: rhbz#2132942
- Allow keepalived to set resource limits
Resolves: rhbz#2151212
- Add policy for mptcpd
Resolves: bz#1972222
- Add policy for rshim
Resolves: rhbz#2080439
- Allow insights-client dbus chat with abrt
Resolves: rhbz#2152166
- Allow insights-client work with pcp and manage user config files
Resolves: rhbz#2152150
- Allow insights-client run lpr and allow the proper role
Resolves: rhbz#2152150
- Allow insights-client tcp connect to various ports
Resolves: rhbz#2152150
- Allow insights-client dbus chat with various services
Resolves: rhbz#2152150
- Allow journalctl relabel with var_log_t and syslogd_var_run_t files
Resolves: rhbz#2152823

* Wed Nov 30 2022 Zdenek Pytela <zpytela@redhat.com> - 38.1.2-1
- Allow insights client communicate with cupsd, mysqld, openvswitch, redis
Resolves: rhbz#2124549
- Allow insights client read raw memory devices
Resolves: rhbz#2124549
- Allow networkmanager_dispatcher_plugin work with nscd
Resolves: rhbz#2149317
- Allow ipsec_t only read tpm devices
Resolves: rhbz#2147380
- Watch_sb all file type directories.
Resolves: rhbz#2139363
- Add watch and watch_sb dosfs interface
Resolves: rhbz#2139363
- Revert "define lockdown class and access"
Resolves: rhbz#2145266
- Allow postfix/smtpd read kerberos key table
Resolves: rhbz#2145266
- Remove the lockdown class from the policy
Resolves: rhbz#2145266
- Remove label for /usr/sbin/bgpd
Resolves: rhbz#2145266
- Revert "refpolicy: drop unused socket security classes"
Resolves: rhbz#2145266

* Mon Nov 21 2022 Zdenek Pytela <zpytela@redhat.com> - 38.1.1-1
- Rebase selinux-policy to the latest one in rawhide
Resolves: rhbz#2082524

* Wed Nov 16 2022 Zdenek Pytela <zpytela@redhat.com> - 34.1.47-1
- Add domain_unix_read_all_semaphores() interface
Resolves: rhbz#2123358
- Allow chronyd talk with unconfined user over unix domain dgram socket
Resolves: rhbz#2141255
- Allow unbound connectto unix_stream_socket
Resolves: rhbz#2141236
- added policy for systemd-socket-proxyd
Resolves: rhbz#2141606
- Allow samba-dcerpcd use NSCD services over a unix stream socket
Resolves: rhbz#2121729
- Allow insights-client unix_read all domain semaphores
Resolves: rhbz#2123358
- Allow insights-client manage generic locks
Resolves: rhbz#2123358
- Allow insights-client create gluster log dir with a transition
Resolves: rhbz#2123358
- Allow insights-client domain transition on semanage execution
Resolves: rhbz#2123358
- Disable rpm verification on interface_info
Resolves: rhbz#2134515

* Fri Nov 04 2022 Nikola Knazekova <nknazeko@redhat.com> - 34.1.46-1
- new version
Resolves: rhbz#2134827

* Thu Nov 03 2022 Nikola Knazekova <nknazeko@redhat.com> - 34.1.45-1
- Add watch_sb interfaces
Resolves: rhbz#2139363
- Add watch interfaces
Resolves: rhbz#2139363
- Allow dhcpd bpf capability to run bpf programs
Resolves: rhbz#2134827
- Allow netutils and traceroute bpf capability to run bpf programs
Resolves: rhbz#2134827
- Allow pkcs_slotd_t bpf capability to run bpf programs
Resolves: rhbz#2134827
- Allow xdm bpf capability to run bpf programs
Resolves: rhbz#2134827
- Allow pcscd bpf capability to run bpf programs
Resolves: rhbz#2134827
- Allow lldpad bpf capability to run bpf programs
Resolves: rhbz#2134827
- Allow keepalived bpf capability to run bpf programs
Resolves: rhbz#2134827
- Allow ipsec bpf capability to run bpf programs
Resolves: rhbz#2134827
- Allow fprintd bpf capability to run bpf programs
Resolves: rhbz#2134827
- Allow iptables list cgroup directories
Resolves: rhbz#2134829
- Allow dirsrv_snmp_t to manage dirsrv_config_t & dirsrv_var_run_t files
Resolves: rhbz#2042515
- Dontaudit dirsrv search filesystem sysctl directories
Resolves: rhbz#2134726

* Thu Oct 13 2022 Nikola Knazekova <nknazeko@redhat.com> - 34.1.44-1
- Allow insights-client domtrans on unix_chkpwd execution
Resolves: rhbz#2126091
- Allow insights-client connect to postgresql with a unix socket
Resolves: rhbz#2126091
- Allow insights-client send null signal to rpm and system cronjob
Resolves: rhbz#2126091
- Allow insights-client manage samba var dirs
Resolves: rhbz#2126091
- Allow rhcd compute selinux access vector
Resolves: rhbz#2126091
- Add file context entries for insights-client and rhc
Resolves: rhbz#2126161
- Allow pulseaudio create gnome content (~/.config)
Resolves: rhbz#2132942
- Allow rhsmcertd execute gpg
Resolves: rhbz#2130204
- Label ports 10161-10162 tcp/udp with snmp
Resolves: rhbz#2133221
- Allow lldpad send to unconfined_t over a unix dgram socket
Resolves: rhbz#2112044
- Label port 15354/tcp and 15354/udp with opendnssec
Resolves: rhbz#2057501
- Allow aide to connect to systemd_machined with a unix socket.
Resolves: bz#2062936
- Allow ftpd map ftpd_var_run files
Resolves: bz#2124943
- Allow ptp4l respond to pmc
Resolves: rhbz#2131689
- Allow radiusd connect to the radacct port
Resolves: rhbz#2132424
- Allow xdm execute gnome-atspi services
Resolves: rhbz#2132244
- Allow ptp4l_t name_bind ptp_event_port_t
Resolves: rhbz#2130170
- Allow targetclid to manage tmp files
Resolves: rhbz#2127408
- Allow sbd the sys_ptrace capability
Resolves: rhbz#2124695

* Thu Sep 08 2022 Zdenek Pytela <zpytela@redhat.com> - 34.1.43-1
- Update rhcd policy for executing additional commands 5
Resolves: rhbz#2119351
- Update rhcd policy for executing additional commands 4
Resolves: rhbz#2119351
- Allow rhcd create rpm hawkey logs with correct label
Resolves: rhbz#2119351
- Update rhcd policy for executing additional commands 3
Resolves: rhbz#2119351
- Allow sssd to set samba setting
Resolves: rhbz#2121125
- Allow journalctl read rhcd fifo files
Resolves: rhbz#2119351
- Update insights-client policy for additional commands execution 5
Resolves: rhbz#2121125
- Confine insights-client systemd unit
Resolves: rhbz#2121125
- Update insights-client policy for additional commands execution 4
Resolves: rhbz#2121125
- Update insights-client policy for additional commands execution 3
Resolves: rhbz#2121125
- Allow rhcd execute all executables
Resolves: rhbz#2119351
- Update rhcd policy for executing additional commands 2
Resolves: rhbz#2119351
- Update insights-client policy for additional commands execution 2
Resolves: rhbz#2121125

* Mon Aug 29 2022 Zdenek Pytela <zpytela@redhat.com> - 34.1.42-1
- Label /var/log/rhc-worker-playbook with rhcd_var_log_t
Resolves: rhbz#2119351
- Update insights-client policy (auditctl, gpg, journal)
Resolves: rhbz#2107363

* Thu Aug 25 2022 Nikola Knazekova <nknazeko@redhat.com> - 34.1.41-1
- Allow unconfined domains to bpf all other domains
Resolves: RHBZ#2112014
- Allow stalld get and set scheduling policy of all domains.
Resolves: rhbz#2105038
- Allow unconfined_t transition to targetclid_home_t
Resolves: RHBZ#2106360
- Allow samba-bgqd to read a printer list
Resolves: rhbz#2118977
- Allow system_dbusd ioctl kernel with a unix stream sockets
Resolves: rhbz#2085392
- Allow chronyd bind UDP sockets to ptp_event ports.
Resolves: RHBZ#2118631
- Update tor_bind_all_unreserved_ports interface
Resolves: RHBZ#2089486
- Remove permissive domain for rhcd_t
Resolves: rhbz#2119351
- Allow unconfined and sysadm users transition for /root/.gnupg
Resolves: rhbz#2121125
- Add gpg_filetrans_admin_home_content() interface
Resolves: rhbz#2121125
- Update rhcd policy for executing additional commands
Resolves: rhbz#2119351
- Update insights-client policy for additional commands execution
Resolves: rhbz#2119507
- Add rpm setattr db files macro
Resolves: rhbz#2119507
- Add userdom_view_all_users_keys() interface
Resolves: rhbz#2119507
- Allow gpg read and write generic pty type
Resolves: rhbz#2119507
- Allow chronyc read and write generic pty type
Resolves: rhbz#2119507

* Wed Aug 10 2022 Nikola Knazekova <nknazeko@redhat.com> - 34.1.40-1
- Allow systemd-modules-load write to /dev/kmsg and send a message to syslogd
Resolves: RHBZ#2088257
- Allow systemd_hostnamed label /run/systemd/* as hostnamed_etc_t
Resolves: RHBZ#1976684
- Allow samba-bgqd get a printer list
Resolves: rhbz#2112395
- Allow networkmanager to signal unconfined process
Resolves: RHBZ#2074414
- Update NetworkManager-dispatcher policy
Resolves: RHBZ#2101910
- Allow openvswitch search tracefs dirs
Resolves: rhbz#1988164
- Allow openvswitch use its private tmpfs files and dirs
Resolves: rhbz#1988164
- Allow openvswitch fsetid capability
Resolves: rhbz#1988164

* Tue Aug 02 2022 Nikola Knazekova <nknazeko@redhat.com> - 34.1.39-1
- Add support for systemd-network-generator
Resolves: RHBZ#2111069
- Allow systemd work with install_t unix stream sockets
Resolves: rhbz#2111206
- Allow sa-update to get init status and start systemd files
Resolves: RHBZ#2061844

* Fri Jul 15 2022 Nikola Knazekova <nknazeko@redhat.com> - 34.1.38-1
- Allow some domains use sd_notify()
Resolves: rhbz#2056565
- Revert "Allow rabbitmq to use systemd notify"
Resolves: rhbz#2056565
- Update winbind_rpcd_t
Resolves: rhbz#2102084
- Update chronyd_pid_filetrans() to allow create dirs
Resolves: rhbz#2101910
- Allow keepalived read the contents of the sysfs filesystem
Resolves: rhbz#2098130
- Define LIBSEPOL version 3.4-1
Resolves: rhbz#2095688

* Wed Jun 29 2022 Zdenek Pytela <zpytela@redhat.com> - 34.1.37-1
- Allow targetclid read /var/target files
Resolves: rhbz#2020169
- Update samba-dcerpcd policy for kerberos usage 2
Resolves: rhbz#2096521
- Allow samba-dcerpcd work with sssd
Resolves: rhbz#2096521
- Allow stalld set scheduling policy of kernel threads
Resolves: rhbz#2102224

* Tue Jun 28 2022 Zdenek Pytela <zpytela@redhat.com> - 34.1.36-1
- Allow targetclid read generic SSL certificates (fixed)
Resolves: rhbz#2020169
- Fix file context pattern for /var/target
Resolves: rhbz#2020169
- Use insights_client_etc_t in insights_search_config()
Resolves: rhbz#1965013

* Fri Jun 24 2022 Zdenek Pytela <zpytela@redhat.com> - 34.1.35-1
- Add the corecmd_watch_bin_dirs() interface
Resolves: rhbz#1965013
- Update rhcd policy
Resolves: rhbz#1965013
- Allow rhcd search insights configuration directories
Resolves: rhbz#1965013
- Add the kernel_read_proc_files() interface
Resolves: rhbz#1965013
- Update insights_client_filetrans_named_content()
Resolves: rhbz#2081425
- Allow transition to insights_client named content
Resolves: rhbz#2081425
- Add the insights_client_filetrans_named_content() interface
Resolves: rhbz#2081425
- Update policy for insights-client to run additional commands 3
Resolves: rhbz#2081425
- Allow insights-client execute its private memfd: objects
Resolves: rhbz#2081425
- Update policy for insights-client to run additional commands 2
Resolves: rhbz#2081425
- Use insights_client_tmp_t instead of insights_client_var_tmp_t
Resolves: rhbz#2081425
- Change space indentation to tab in insights-client
Resolves: rhbz#2081425
- Use socket permissions sets in insights-client
Resolves: rhbz#2081425
- Update policy for insights-client to run additional commands
Resolves: rhbz#2081425
- Allow init_t to rw insights_client unnamed pipe
Resolves: rhbz#2081425
- Fix insights client
Resolves: rhbz#2081425
- Update kernel_read_unix_sysctls() for sysctl_net_unix_t handling
Resolves: rhbz#2081425
- Do not let system_cronjob_t create redhat-access-insights.log with var_log_t
Resolves: rhbz#2081425
- Allow stalld get scheduling policy of kernel threads
Resolves: rhbz#2096776
- Update samba-dcerpcd policy for kerberos usage
Resolves: rhbz#2096521
- Allow winbind_rpcd_t connect to self over a unix_stream_socket
Resolves: rhbz#2096255
- Allow dlm_controld send a null signal to a cluster daemon
Resolves: rhbz#2095884
- Allow dhclient manage pid files used by chronyd The chronyd_manage_pid_files() interface was added.
- Resolves: rhbz#2094155 Allow install_t nnp_domtrans to setfiles_mac_t
- Resolves: rhbz#2073010
- Allow rabbitmq to use systemd notify
Resolves: rhbz#2056565
- Allow ksmctl create hardware state information files
Resolves: rhbz#2021131
- Label /var/target with targetd_var_t
Resolves: rhbz#2020169
- Allow targetclid read generic SSL certificates
Resolves: rhbz#2020169

* Thu Jun 09 2022 Zdenek Pytela <zpytela@redhat.com> - 34.1.34-1
- Allow stalld setsched and sys_nice
Resolves: rhbz#2092864
- Allow rhsmcertd to create cache file in /var/cache/cloud-what
Resolves: rhbz#2092333
- Update policy for samba-dcerpcd
Resolves: rhbz#2083509
- Add support for samba-dcerpcd
Resolves: rhbz#2083509
- Allow rabbitmq to access its private memfd: objects
Resolves: rhbz#2056565
- Confine targetcli
Resolves: rhbz#2020169
- Add policy for wireguard
Resolves: 1964862
- Label /var/cache/insights with insights_client_cache_t
Resolves: rhbz#2062136
- Allow ctdbd nlmsg_read on netlink_tcpdiag_socket
Resolves: rhbz#2094489
- Allow auditd_t noatsecure for a transition to audisp_remote_t
Resolves: rhbz#2081907

* Fri May 27 2022 Zdenek Pytela <zpytela@redhat.com> - 34.1.33-1
- Allow insights-client manage gpg admin home content
Resolves: rhbz#2062136
- Add the gpg_manage_admin_home_content() interface
Resolves: rhbz#2062136
- Add rhcd policy
Resolves: bz#1965013
- Allow svirt connectto virtlogd
Resolves: rhbz#2000881
- Add ksm service to ksmtuned
Resolves: rhbz#2021131
- Allow nm-privhelper setsched permission and send system logs
Resolves: rhbz#2053639
- Update the policy for systemd-journal-upload
Resolves: rhbz#2085369
- Allow systemd-journal-upload watch logs and journal
Resolves: rhbz#2085369
- Create a policy for systemd-journal-upload
Resolves: rhbz#2085369
- Allow insights-client create and use unix_dgram_socket
Resolves: rhbz#2087765
- Allow insights-client search gconf homedir
Resolves: rhbz#2087765

* Wed May 11 2022 Zdenek Pytela <zpytela@redhat.com> - 34.1.32-1
- Dontaudit guest attempts to dbus chat with systemd domains
Resolves: rhbz#2062740
- Dontaudit guest attempts to dbus chat with system bus types
Resolves: rhbz#2062740
- Fix users for SELinux userspace 3.4
Resolves: rhbz#2079290
- Removed adding to attribute unpriv_userdomain from userdom_unpriv_type template
Resolves: rhbz#2076681
- Allow systemd-sleep get removable devices attributes
Resolves: rhbz#2082404
- Allow systemd-sleep tlp_filetrans_named_content()
Resolves: rhbz#2082404
- Allow systemd-sleep execute generic programs
Resolves: rhbz#2082404
- Allow systemd-sleep execute shell
Resolves: rhbz#2082404
- Allow systemd-sleep transition to sysstat_t
Resolves: rhbz#2082404
- Allow systemd-sleep transition to tlp_t
Resolves: rhbz#2082404
- Allow systemd-sleep transition to unconfined_service_t on bin_t executables
Resolves: rhbz#2082404
- allow systemd-sleep to set timer for suspend-then-hibernate
Resolves: rhbz#2082404
- Add default fc specifications for patterns in /opt
Resolves: rhbz#2081059
- Use a named transition in systemd_hwdb_manage_config()
Resolves: rhbz#2061725

* Wed May 04 2022 Nikola Knazekova <nknazeko@redhat.com> - 34.1.31-2
- Remove "v" from the package version

* Mon May 02 2022 Nikola Knazekova <nknazeko@redhat.com> - v34.1.31-1
- Label /var/run/machine-id as machineid_t
Resolves: rhbz#2061680
- Allow insights-client create_socket_perms for tcp/udp sockets
Resolves: rhbz#2077377
- Allow insights-client read rhnsd config files
Resolves: rhbz#2077377
- Allow rngd drop privileges via setuid/setgid/setcap
Resolves: rhbz#2076642
- Allow tmpreaper the sys_ptrace userns capability
Resolves: rhbz#2062823
- Add stalld to modules.conf
Resolves: rhbz#2042614
- New policy for stalld
Resolves: rhbz#2042614
- Label new utility of NetworkManager nm-priv-helper
Resolves: rhbz#2053639
- Exclude container.if from selinux-policy-devel
Resolves: rhbz#1861968

* Tue Apr 19 2022 Zdenek Pytela <zpytela@redhat.com> - 34.1.30-2
- Update source branches to build a new package for RHEL 9.1.0

* Tue Apr 12 2022 Nikola Knazekova <nknazeko@redhat.com> - 34.1.30-1
- Allow administrative users the bpf capability
Resolves: RHBZ#2070982
- Allow NetworkManager talk with unconfined user over unix domain dgram socket
Resolves: rhbz#2064688
- Allow hostapd talk with unconfined user over unix domain dgram socket
Resolves: rhbz#2064688
- Allow fprintd read and write hardware state information
Resolves: rhbz#2062911
- Allow fenced read kerberos key tables
Resolves: RHBZ#2060722
- Allow init watch and watch_reads user ttys
Resolves: rhbz#2060289
- Allow systemd watch and watch_reads console devices
Resolves: rhbz#2060289
- Allow nmap create and use rdma socket
Resolves: RHBZ#2059603

* Thu Mar 31 2022 Zdenek Pytela <zpytela@redhat.com> - 34.1.29-1
- Allow qemu-kvm create and use netlink rdma sockets
Resolves: rhbz#2063612
- Label corosync-cfgtool with cluster_exec_t
Resolves: rhbz#2061277

* Thu Mar 24 2022 Zdenek Pytela <zpytela@redhat.com> - 34.1.28-1
- Allow logrotate a domain transition to cluster administrative domain
Resolves: rhbz#2061277
- Change the selinuxuser_execstack boolean value to true
Resolves: rhbz#2064274

* Thu Feb 24 2022 Zdenek Pytela <zpytela@redhat.com> - 34.1.27-1
- Allow ModemManager connect to the unconfined user domain
Resolves: rhbz#2000196
- Label /dev/wwan.+ with modem_manager_t
Resolves: rhbz#2000196
- Allow systemd-coredump userns capabilities and root mounton
Resolves: rhbz#2057435
- Allow systemd-coredump read and write usermodehelper state
Resolves: rhbz#2057435
- Allow sysadm_passwd_t to relabel passwd and group files
Resolves: rhbz#2053458
- Allow systemd-sysctl read the security state information
Resolves: rhbz#2056999
- Remove unnecessary /etc file transitions for insights-client
Resolves: rhbz#2055823
- Label all content in /var/lib/insights with insights_client_var_lib_t
Resolves: rhbz#2055823
- Update insights-client policy
Resolves: rhbz#2055823
- Update insights-client: fc pattern, motd, writing to etc
Resolves: rhbz#2055823
- Update specfile to buildrequire policycoreutils-devel >= 3.3-5
- Add modules_checksum to %files

* Thu Feb 17 2022 Zdenek Pytela <zpytela@redhat.com> - 34.1.26-1
- Remove permissive domain for insights_client_t
Resolves: rhbz#2055823
- New policy for insight-client
Resolves: rhbz#2055823
- Allow confined sysadmin to use tool vipw
Resolves: rhbz#2053458
- Allow chage domtrans to sssd
Resolves: rhbz#2054657
- Remove label for /usr/sbin/bgpd
Resolves: rhbz#2055578
- Dontaudit pkcsslotd sys_admin capability
Resolves: rhbz#2055639
- Do not change selinuxuser_execmod and selinuxuser_execstack
Resolves: rhbz#2055822
- Allow tuned to read rhsmcertd config files
Resolves: rhbz#2055823

* Mon Feb 14 2022 Zdenek Pytela <zpytela@redhat.com> - 34.1.25-1
- Allow systemd watch unallocated ttys
Resolves: rhbz#2054150
- Allow alsa bind mixer controls to led triggers
Resolves: rhbz#2049732
- Allow alsactl set group Process ID of a process
Resolves: rhbz#2049732
- Allow unconfined to run virtd bpf
Resolves: rhbz#2033504

* Fri Feb 04 2022 Zdenek Pytela <zpytela@redhat.com> - 34.1.24-1
- Allow tumblerd write to session_dbusd tmp socket files
Resolves: rhbz#2000039
- Allow login_userdomain write to session_dbusd tmp socket files
Resolves: rhbz#2000039
- Allow login_userdomain create session_dbusd tmp socket files
Resolves: rhbz#2000039
- Allow gkeyringd_domain write to session_dbusd tmp socket files
Resolves: rhbz#2000039
- Allow systemd-logind delete session_dbusd tmp socket files
Resolves: rhbz#2000039
- Allow gdm-x-session write to session dbus tmp sock files
Resolves: rhbz#2000039
- Allow sysadm_t nnp_domtrans to systemd_tmpfiles_t
Resolves: rhbz#2039453
- Label exFAT utilities at /usr/sbin
Resolves: rhbz#1972225

* Wed Feb 02 2022 Zdenek Pytela <zpytela@redhat.com> - 34.1.23-1
- Allow systemd nnp_transition to login_userdomain
Resolves: rhbz#2039453
- Label /var/run/user/%{USERID}/dbus with session_dbusd_tmp_t
Resolves: rhbz#2000039
- Change /run/user/[0-9]+ to /run/user/%{USERID} for proper labeling
Resolves: rhbz#2000039
- Allow scripts to enter LUKS password
Resolves: rhbz#2048521
- Allow system_mail_t read inherited apache system content rw files
Resolves: rhbz#2049372
- Add apache_read_inherited_sys_content_rw_files() interface
Related: rhbz#2049372
- Allow sanlock get attributes of filesystems with extended attributes
Resolves: rhbz#2047811
- Associate stratisd_data_t with device filesystem
Resolves: rhbz#2039974
- Allow init read stratis data symlinks
Resolves: rhbz#2039974
- Label /run/stratisd with stratisd_var_run_t
Resolves: rhbz#2039974
- Allow domtrans to sssd_t and role access to sssd
Resolves: rhbz#2039757
- Creating interface sssd_run_sssd()
Resolves: rhbz#2039757
- Fix badly indented used interfaces
Resolves: rhbz#2039757
- Allow domain transition to sssd_t
Resolves: rhbz#2039757
- Label /dev/nvme-fabrics with fixed_disk_device_t
Resolves: rhbz#2039759
- Allow local_login_t nnp_transition to login_userdomain
Resolves: rhbz#2039453
- Allow xdm_t nnp_transition to login_userdomain
Resolves: rhbz#2039453
- Make cupsd_lpd_t a daemon
Resolves: rhbz#2039449
- Label utilities for exFAT filesystems with fsadm_exec_t
Resolves: rhbz#1972225
- Dontaudit sfcbd sys_ptrace cap_userns
Resolves: rhbz#2040311

* Tue Jan 11 2022 Zdenek Pytela <zpytela@redhat.com> - 34.1.22-1
- Allow sshd read filesystem sysctl files
Resolves: rhbz#2036585
- Revert "Allow sshd read sysctl files"
Resolves: rhbz#2036585

* Mon Jan 10 2022 Zdenek Pytela <zpytela@redhat.com> - 34.1.21-1
- Remove the lockdown class from the policy
Resolves: rhbz#2017848
- Revert "define lockdown class and access"
Resolves: rhbz#2017848
- Allow gssproxy access to various system files.
Resolves: rhbz#2026974
- Allow gssproxy read, write, and map ica tmpfs files
Resolves: rhbz#2026974
- Allow gssproxy read and write z90crypt device
Resolves: rhbz#2026974
- Allow sssd_kcm read and write z90crypt device
Resolves: rhbz#2026974
- Allow abrt_domain read and write z90crypt device
Resolves: rhbz#2026974
- Allow NetworkManager read and write z90crypt device
Resolves: rhbz#2026974
- Allow smbcontrol read the network state information
Resolves: rhbz#2038157
- Allow virt_domain map vhost devices
Resolves: rhbz#2035702
- Allow fcoemon request the kernel to load a module
Resolves: rhbz#2034463
- Allow lldpd connect to snmpd with a unix domain stream socket
Resolves: rhbz#2033315
- Allow ModemManager create a qipcrtr socket
Resolves: rhbz#2036582
- Allow ModemManager request to load a kernel module
Resolves: rhbz#2036582
- Allow sshd read sysctl files
Resolves: rhbz#2036585

* Wed Dec 15 2021 Zdenek Pytela <zpytela@redhat.com> - 34.1.20-1
- Allow dnsmasq watch /etc/dnsmasq.d directories
Resolves: rhbz#2029866
- Label /usr/lib/pcs/pcs_snmp_agent with cluster_exec_t
Resolves: rhbz#2029316
- Allow lldpd use an snmp subagent over a tcp socket
Resolves: rhbz#2028561
- Allow smbcontrol use additional socket types
Resolves: rhbz#2027751
- Add write permisson to userfaultfd_anon_inode_perms
Resolves: rhbz#2027660
- Allow xdm_t watch generic directories in /lib
Resolves: rhbz#1960010
- Allow xdm_t watch fonts directories
Resolves: rhbz#1960010
- Label /dev/ngXnY and /dev/nvme-subsysX with fixed_disk_device_t
Resolves: rhbz#2027994
- Add hwtracing_device_t type for hardware-level tracing and debugging
Resolves: rhbz#2029392
- Change dev_getattr_infiniband_dev() to use getattr_chr_files_pattern()
Resolves: rhbz#2028791
- Allow arpwatch get attributes of infiniband_device_t devices
Resolves: rhbz#2028791
- Allow tcpdump and nmap get attributes of infiniband_device_t
Resolves: rhbz#2028791

* Mon Nov 29 2021 Zdenek Pytela <zpytela@redhat.com> - 34.1.19-1
- Allow redis get attributes of filesystems with extended attributes
Resolves: rhbz#2014611
- Allow dirsrv read slapd tmpfs files
Resolves: rhbz#2015928
- Revert "Label /dev/shm/dirsrv/ with dirsrv_tmpfs_t label"
Resolves: rhbz#2015928
- Allow login_userdomain open/read/map system journal
Resolves: rhbz#2017838
- Allow login_userdomain read and map /var/lib/systemd files
Resolves: rhbz#2017838
- Allow nftables read NetworkManager unnamed pipes
Resolves: rhbz#2023456
- Allow xdm watch generic directories in /var/lib
Resolves: rhbz#1960010
- Allow xdm_t watch generic pid directories
Resolves: rhbz#1960010

* Mon Nov 01 2021 Zdenek Pytela <zpytela@redhat.com> - 34.1.18-1
- Allow fetchmail search cgroup directories
Resolves: rhbz#2015118
- Add the auth_read_passwd_file() interface
Resolves: rhbz#2014611
- Allow redis-sentinel execute a notification script
Resolves: rhbz#2014611
- Support new PING_CHECK health checker in keepalived
Resolves: rhbz#2014423

* Thu Oct 14 2021 Zdenek Pytela <zpytela@redhat.com> - 34.1.17-1
- Label /usr/sbin/virtproxyd as virtd_exec_t
Resolves: rhbz#2002143
- Allow at-spi-bus-launcher read and map xdm pid files
Resolves: rhbz#2011772
- Remove references to init_watch_path_type attribute
Resolves: rhbz#2007960
- Remove all redundant watch permissions for systemd
Resolves: rhbz#2007960
- Allow systemd watch non_security_file_type dirs, files, lnk_files
Resolves: rhbz#2007960
- Allow systemd-resolved watch /run/systemd
Resolves: rhbz#1992461
- Allow sssd watch /run/systemd
Resolves: rhbz#1992461

* Thu Sep 23 2021 Zdenek Pytela <zpytela@redhat.com> - 34.1.16-1
- Allow fprintd install a sleep delay inhibitor
Resolves: rhbz#1999537
- Update mount_manage_pid_files() to use manage_files_pattern
Resolves: rhbz#1999997
- Allow gnome at-spi processes create and use stream sockets
Resolves: rhbz#2004885
- Allow haproxy list the sysfs directories content
Resolves: rhbz#1986823
- Allow virtlogd_t read process state of user domains
Resolves: rhbz#1994592
- Support hitless reloads feature in haproxy
Resolves: rhbz#1997182
- Allow firewalld load kernel modules
Resolves: rhbz#1999152
- Allow communication between at-spi and gdm processes
Resolves: rhbz#2003037
- Remove "ipa = module" from modules-targeted-contrib.conf
Resolves: rhbz#2006039

* Mon Aug 30 2021 Zdenek Pytela <zpytela@redhat.com> - 34.1.15-1
- Update ica_filetrans_named_content() with create_file_perms
Resolves: rhbz#1976180
- Allow various domains work with ICA crypto accelerator
Resolves: rhbz#1976180
- Add ica module
Resolves: rhbz#1976180
- Revert "Support using ICA crypto accelerator on s390x arch"
Resolves: rhbz#1976180
- Fix the gnome_atspi_domtrans() interface summary
Resolves: rhbz#1972655
- Add support for at-spi
Resolves: rhbz#1972655
- Add permissions for system dbus processes
Resolves: rhbz#1972655
- Allow /tmp file transition for dbus-daemon also for sock_file
Resolves: rhbz#1972655

* Wed Aug 25 2021 Zdenek Pytela <zpytela@redhat.com> - 34.1.14-1
- Support using ICA crypto accelerator on s390x arch
Resolves: rhbz#1976180
- Allow systemd delete /run/systemd/default-hostname
Resolves: rhbz#1978507
- Label /usr/bin/Xwayland with xserver_exec_t
Resolves: rhbz#1993151
- Label /usr/libexec/gdm-runtime-config with xdm_exec_t
Resolves: rhbz#1993151
- Allow tcpdump read system state information in /proc
Resolves: rhbz#1972577
- Allow firewalld drop capabilities
Resolves: rhbz#1989641

* Thu Aug 12 2021 Zdenek Pytela <zpytela@redhat.com> - 34.1.13-1
- Add "/" at the beginning of dev/shm/var\.lib\.opencryptoki.* regexp
Resolves: rhbz#1977915
- Set default file context for /sys/firmware/efi/efivars
Resolves: rhbz#1972372
- Allow tcpdump run as a systemd service
Resolves: rhbz#1972577
- Allow nmap create and use netlink generic socket
Resolves: rhbz#1985212
- Allow nscd watch system db files in /var/db
Resolves: rhbz#1989416
- Allow systemd-gpt-auto-generator read udev pid files
Resolves: rhbz#1992638

* Tue Aug 10 2021 Zdenek Pytela <zpytela@redhat.com> - 34.1.12-1
- Revert "update libs_filetrans_named_content() to have support for /usr/lib/debug directory"
Resolves: rhbz#1990813
- Label /dev/crypto/nx-gzip with accelerator_device_t
Resolves: rhbz#1973953
- Label /usr/bin/qemu-storage-daemon with virtd_exec_t
Resolves: rhbz#1977245
- Allow systemd-machined stop generic service units
Resolves: rhbz#1979522
- Label /.k5identity file allow read of this file to rpc.gssd
Resolves: rhbz#1980610

* Tue Aug 10 2021 Mohan Boddu <mboddu@redhat.com> - 34.1.11-2
- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
Related: rhbz#1991688

* Thu Jul 29 2021 Zdenek Pytela <zpytela@redhat.com> - 34.1.11-1
- Allow hostapd bind UDP sockets to the dhcpd port
Resolves: rhbz#1979968
- Allow mdadm read iscsi pid files
Resolves: rhbz#1976073
- Unconfined domains should not be confined
Resolves: rhbz#1977986
- Allow NetworkManager_t to watch /etc
Resolves: rhbz#1980000
- Allow using opencryptoki for ipsec
Resolves: rhbz#1977915

* Wed Jul 14 2021 Zdenek Pytela <zpytela@redhat.com> - 34.1.10-1
- Allow bacula get attributes of cgroup filesystems
Resolves: rhbz#1976917
- Label /dev/wmi/dell-smbios as acpi_device_t
Resolves: rhbz#1972382
- Add the lockdown integrity permission to dev_map_userio_dev()
Resolves: rhbz#1966758
- Allow virtlogd_t to create virt_var_lockd_t dir
Resolves: rhbz#1974875

* Tue Jun 22 2021 Zdenek Pytela <zpytela@redhat.com> - 34.1.9-1
- Allow systemd-coredump getattr nsfs files and net_admin capability
Resolves: rhbz#1965372
- Label /run/libvirt/common with virt_common_var_run_t
Resolves: rhbz#1969209
- Label /usr/bin/arping plain file with netutils_exec_t
Resolves: rhbz#1952515
- Make usbmuxd_t a daemon
Resolves: rhbz#1965411
- Allow usbmuxd get attributes of cgroup filesystems
Resolves: rhbz#1965411
- Label /dev/dma_heap/* char devices with dma_device_t
- Revert "Label /dev/dma_heap/* char devices with dma_device_t"
- Revert "Label /dev/dma_heap with dma_device_dir_t"
- Revert "Associate dma_device_dir_t with device filesystem"
Resolves: rhbz#1967818
- Label /var/lib/kdump with kdump_var_lib_t
Resolves: rhbz#1965989
- Allow systemd-timedated watch runtime dir and its parent
Resolves: rhbz#1970865
- Label /run/fsck with fsadm_var_run_t
Resolves: rhbz#1970911

* Thu Jun 10 2021 Zdenek Pytela <zpytela@redhat.com> - 34.1.8-1
- Associate dma_device_dir_t with device filesystem
Resolves: rhbz#1954116
- Add default file context specification for dnf log files
Resolves: rhbz#1955223
- Allow using opencryptoki for certmonger
Resolves: rhbz#1961756
- Label var.lib.opencryptoki.* files and create pkcs_tmpfs_filetrans()
Resolves: rhbz#1961756
- Allow httpd_sys_script_t read, write, and map hugetlbfs files
Resolves: rhbz#1964890
- Dontaudit daemon open and read init_t file
Resolves: rhbz#1965412
- Allow sanlock get attributes of cgroup filesystems
Resolves: rhbz#1965217

* Tue Jun 08 2021 Zdenek Pytela <zpytela@redhat.com> - 34.1.7-1
- Set default file context for /var/run/systemd instead of /run/systemd
Resolves: rhbz#1966492

* Mon Jun 07 2021 Zdenek Pytela <zpytela@redhat.com> - 34.1.6-1
- Label /dev/dma_heap with dma_device_dir_t
Resolves: rhbz#1954116
- Allow pkcs-slotd create and use netlink_kobject_uevent_socket
Resolves: rhbz#1963252
- Label /run/systemd/default-hostname with hostname_etc_t
Resolves: rhbz#1966492 * Thu May 27 2021 Zdenek Pytela <zpytela@redhat.com> - 34.1.5-1 - Label /dev/trng with random_device_t Resolves: rhbz#1962260 - Label /dev/zram[0-9]+ block device files with fixed_disk_device_t Resolves: rhbz#1954116 - Label /dev/udmabuf character device with dma_device_t Resolves: rhbz#1954116 - Label /dev/dma_heap/* char devices with dma_device_t Resolves: rhbz#1954116 - Label /dev/acpi_thermal_rel char device with acpi_device_t Resolves: rhbz#1954116 - Allow fcoemon create sysfs files Resolves: rhbz#1952292 * Wed May 12 2021 Zdenek Pytela <zpytela@redhat.com> - 34.1.4-1 - Allow sysadm_t dbus chat with tuned Resolves: rhbz#1953643 - Allow tuned write profile files with file transition Resolves: rhbz#1953643 - Allow tuned manage perf_events Resolves: rhbz#1953643 - Make domains use kernel_write_perf_event() and kernel_manage_perf_event() Resolves: rhbz#1953643 - Add kernel_write_perf_event() and kernel_manage_perf_event() Resolves: rhbz#1953643 - Allow syslogd_t watch root and var directories Resolves: rhbz#1957792 - Allow tgtd create and use rdma socket Resolves: rhbz#1955559 - Allow aide connect to init with a unix socket Resolves: rhbz#1926343 * Wed Apr 28 2021 Zdenek Pytela <zpytela@redhat.com> - 34.1.3-1 - Allow domain create anonymous inodes Resolves: rhbz#1954145 - Add anon_inode class to the policy Resolves: rhbz#1954145 - Allow pluto IKEv2 / ESP over TCP Resolves: rhbz#1951471 - Add brltty new permissions required by new upstream version Resolves: rhbz#1947842 - Label /var/lib/brltty with brltty_var_lib_t Resolves: rhbz#1947842 - Allow login_userdomain create cgroup files Resolves: rhbz#1951114 - Allow aide connect to systemd-userdbd with a unix socket Resolves: rhbz#1926343 - Allow cups-lpd read its private runtime socket files Resolves: rhbz#1947397 - Label /etc/redis as redis_conf_t Resolves: rhbz#1947874 - Add file context specification for /usr/libexec/realmd Resolves: rhbz#1946495 * Thu Apr 22 2021 Zdenek Pytela 
<zpytela@redhat.com> - 34.1.2-1 - Further update make-rhat-patches.sh for RHEL 9.0 beta - Add file context specification for /var/tmp/tmp-inst Resolves: rhbz#1924656 * Wed Apr 21 2021 Zdenek Pytela <zpytela@redhat.com> - 34.1.1-1 - Update selinux-policy.spec and make-rhat-patches.sh for RHEL 9.0 beta - Allow unconfined_service_t confidentiality and integrity lockdown Resolves: rhbz#1950267 * Fri Apr 16 2021 Mohan Boddu <mboddu@redhat.com> - 34-2 - Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937