Trim changelog so that it starts at F37 time
parent 1ade1aa864
commit 59a0d615a7
@ -1451,318 +1451,3 @@ exit 0
|
||||
- Allow blueman read/write its private memfd: objects
|
||||
- Allow insights-client read rhnsd config files
|
||||
- Allow insights-client create_socket_perms for tcp/udp sockets
|
||||
|
||||
* Tue Apr 26 2022 Zdenek Pytela <zpytela@redhat.com> - 36.8-1
|
||||
- Allow nm-dispatcher chronyc plugin append to init stream sockets
|
||||
- Allow tmpreaper the sys_ptrace userns capability
|
||||
- Label /usr/libexec/vdsm/supervdsmd and vdsmd with virtd_exec_t
|
||||
- Allow nm-dispatcher tlp plugin read/write the wireless device
|
||||
- Allow nm-dispatcher tlp plugin append to init socket
|
||||
- Allow nm-dispatcher tlp plugin be client of a system bus
|
||||
- Allow nm-dispatcher list its configuration directory
|
||||
- Ecryptfs-private support
|
||||
- Allow colord map /var/lib directories
|
||||
- Allow ntlm_auth read the network state information
|
||||
- Allow insights-client search rhnsd configuration directory
|
||||
|
||||
* Thu Apr 21 2022 Zdenek Pytela <zpytela@redhat.com> - 36.7-3
|
||||
- Add support for nm-dispatcher tlp-rdw scripts
|
||||
- Update github actions to satisfy git 2.36 stricter rules
|
||||
- New policy for stalld
|
||||
- Allow colord read generic files in /var/lib
|
||||
- Allow xdm mounton user temporary socket files
|
||||
- Allow systemd-gpt-auto-generator create and use netlink_kobject_uevent_socket
|
||||
- Allow sssd domtrans to pkcs_slotd_t
|
||||
- Allow keepalived setsched and sys_nice
|
||||
- Allow xdm map generic files in /var/lib
|
||||
- Allow xdm read generic symbolic links in /var/lib
|
||||
- Allow pppd create a file in the locks directory
|
||||
- Add file map permission to lpd_manage_spool() interface
|
||||
- Allow system dbus daemon watch generic directories in /var/lib
|
||||
- Allow pcscd the sys_ptrace userns capability
|
||||
- Add the corecmd_watch_bin_dirs() interface
|
||||
|
||||
* Thu Apr 21 2022 Zdenek Pytela <zpytela@redhat.com> - 36.7-2
|
||||
- Relabel explicitly some dirs in %posttrans scriptlets
|
||||
|
||||
* Thu Apr 21 2022 Zdenek Pytela <zpytela@redhat.com> - 36.7-1
|
||||
- Add stalld module to modules-targeted-contrib.conf
|
||||
|
||||
* Mon Apr 04 2022 Zdenek Pytela <zpytela@redhat.com> - 36.6-1
|
||||
- Add support for systemd-network-generator
|
||||
- Add the io_uring class
|
||||
- Allow nm-dispatcher dhclient plugin append to init stream sockets
|
||||
- Relax the naming pattern for systemd private shared libraries
|
||||
- Allow nm-dispatcher iscsid plugin append to init socket
|
||||
- Add the init_append_stream_sockets() interface
|
||||
- Allow nm-dispatcher dnssec-trigger script to execute pidof
|
||||
- Add support for nm-dispatcher dnssec-trigger scripts
|
||||
- Allow chronyd talk with unconfined user over unix domain dgram socket
|
||||
- Allow fenced read kerberos key tables
|
||||
- Add support for nm-dispatcher ddclient scripts
|
||||
- Add systemd_getattr_generic_unit_files() interface
|
||||
- Allow fprintd read and write hardware state information
|
||||
- Allow exim watch generic certificate directories
|
||||
- Remove duplicate fc entries for corosync and corosync-notifyd
|
||||
- Label corosync-cfgtool with cluster_exec_t
|
||||
- Allow qemu-kvm create and use netlink rdma sockets
|
||||
- Allow logrotate a domain transition to cluster administrative domain
|
||||
|
||||
* Fri Mar 18 2022 Zdenek Pytela <zpytela@redhat.com> - 36.5-1
|
||||
- Add support for nm-dispatcher console helper scripts
|
||||
- Allow nm-dispatcher plugins read its directory and sysfs
|
||||
- Do not let system_cronjob_t create redhat-access-insights.log with var_log_t
|
||||
- devices: Add a comment about cardmgr_dev_t
|
||||
- Add basic policy for BinderFS
|
||||
- Label /var/run/ecblp0 pipe with cupsd_var_run_t
|
||||
- Allow rpmdb create directory in /usr/lib/sysimage
|
||||
- Allow rngd drop privileges via setuid/setgid/setcap
|
||||
- Allow init watch and watch_reads user ttys
|
||||
- Allow systemd-logind dbus chat with sosreport
|
||||
- Allow chronyd send a message to sosreport over datagram socket
|
||||
- Remove unnecessary /etc file transitions for insights-client
|
||||
- Label all content in /var/lib/insights with insights_client_var_lib_t
|
||||
- Update insights-client policy
|
||||
|
||||
* Wed Feb 23 2022 Zdenek Pytela <zpytela@redhat.com> - 36.4-2
|
||||
- Add insights_client module to modules-targeted-contrib.conf
|
||||
|
||||
* Wed Feb 23 2022 Zdenek Pytela <zpytela@redhat.com> - 36.4-1
|
||||
- Update NetworkManager-dispatcher cloud and chronyc policy
|
||||
- Update insights-client: fc pattern, motd, writing to etc
|
||||
- Allow systemd-sysctl read the security state information
|
||||
- Allow init create and mounton to support PrivateDevices
|
||||
- Allow sosreport dbus chat abrt systemd timedatex
|
||||
|
||||
* Tue Feb 22 2022 Zdenek Pytela <zpytela@redhat.com> - 36.3-2
|
||||
- Update specfile to buildrequire policycoreutils-devel >= 3.3-4
|
||||
- Add modules_checksum to %files
|
||||
|
||||
* Thu Feb 17 2022 Zdenek Pytela <zpytela@redhat.com> - 36.3-1
|
||||
- Update NetworkManager-dispatcher policy to use scripts
|
||||
- Allow init mounton kernel messages device
|
||||
- Revert "Make dbus-broker service working on s390x arch"
|
||||
- Remove permissive domain for insights_client_t
|
||||
- Allow userdomain read symlinks in /var/lib
|
||||
- Allow iptables list cgroup directories
|
||||
- Dontaudit mdadm list dirsrv tmpfs dirs
|
||||
- Dontaudit dirsrv search filesystem sysctl directories
|
||||
- Allow chage domtrans to sssd
|
||||
- Allow postfix_domain read dovecot certificates
|
||||
- Allow systemd-networkd create and use netlink netfilter socket
|
||||
- Allow nm-dispatcher read nm-dispatcher-script symlinks
|
||||
- filesystem.te: add genfscon rule for ntfs3 filesystem
|
||||
- Allow rhsmcertd get attributes of cgroup filesystems
|
||||
- Allow sandbox_web_client_t watch various dirs
|
||||
- Exclude container.if from policy devel files
|
||||
- Run restorecon on /usr/lib/sysimage/rpm instead of /var/lib/rpm
|
||||
|
||||
* Fri Feb 11 2022 Zdenek Pytela <zpytela@redhat.com> - 36.2-1
|
||||
- Allow sysadm_passwd_t to relabel passwd and group files
|
||||
- Allow confined sysadmin to use tool vipw
|
||||
- Allow login_userdomain map /var/lib/directories
|
||||
- Allow login_userdomain watch library and fonts dirs
|
||||
- Allow login_userdomain watch system configuration dirs
|
||||
- Allow login_userdomain read systemd runtime files
|
||||
- Allow ctdb create cluster logs
|
||||
- Allow alsa bind mixer controls to led triggers
|
||||
- New policy for insight-client
|
||||
- Add mctp_socket security class and access vectors
|
||||
- Fix koji repo URL pattern
|
||||
- Update chronyd_pid_filetrans() to allow create dirs
|
||||
- Update NetworkManager-dispatcher policy
|
||||
- Allow unconfined to run virtd bpf
|
||||
- Allow nm-privhelper setsched permission and send system logs
|
||||
- Add the map permission to common_anon_inode_perm permission set
|
||||
- Rename userfaultfd_anon_inode_perms to common_inode_perms
|
||||
- Allow confined users to use kinit,klist and etc.
|
||||
- Allow rhsmcertd create rpm hawkey logs with correct label
|
||||
|
||||
* Thu Feb 03 2022 Zdenek Pytela <zpytela@redhat.com> - 36.1-1
|
||||
- Label exFAT utilities at /usr/sbin
|
||||
- policy/modules/contrib: Support /usr/lib/sysimage/rpm as the rpmdb path
|
||||
- Enable genfs_seclabel_symlinks policy capability
|
||||
- Sync policy/policy_capabilities with refpolicy
|
||||
- refpolicy: drop unused socket security classes
|
||||
- Label new utility of NetworkManager nm-priv-helper
|
||||
- Label NetworkManager-dispatcher service with separate context
|
||||
- Allow sanlock get attributes of filesystems with extended attributes
|
||||
- Associate stratisd_data_t with device filesystem
|
||||
- Allow init read stratis data symlinks
|
||||
|
||||
* Tue Feb 01 2022 Zdenek Pytela <zpytela@redhat.com> - 35.13-1
|
||||
- Allow systemd services watch dbusd pid directory and its parents
|
||||
- Allow ModemManager connect to the unconfined user domain
|
||||
- Label /dev/wwan.+ with modem_manager_t
|
||||
- Allow alsactl set group Process ID of a process
|
||||
- Allow domtrans to sssd_t and role access to sssd
|
||||
- Creating interface sssd_run_sssd()
|
||||
- Label utilities for exFAT filesystems with fsadm_exec_t
|
||||
- Label /dev/nvme-fabrics with fixed_disk_device_t
|
||||
- Allow init delete generic tmp named pipes
|
||||
- Allow timedatex dbus chat with xdm
|
||||
|
||||
* Wed Jan 26 2022 Zdenek Pytela <zpytela@redhat.com> - 35.12-1
|
||||
- Fix badly indented used interfaces
|
||||
- Allow domain transition to sssd_t
|
||||
- Dontaudit sfcbd sys_ptrace cap_userns
|
||||
- Label /var/lib/plocate with locate_var_lib_t
|
||||
- Allow hostapd talk with unconfined user over unix domain dgram socket
|
||||
- Allow NetworkManager talk with unconfined user over unix domain dgram socket
|
||||
- Allow system_mail_t read inherited apache system content rw files
|
||||
- Add apache_read_inherited_sys_content_rw_files() interface
|
||||
- Allow rhsm-service execute its private memfd: objects
|
||||
- Allow dirsrv read configfs files and directories
|
||||
- Label /run/stratisd with stratisd_var_run_t
|
||||
- Allow tumblerd write to session_dbusd tmp socket files
|
||||
|
||||
* Wed Jan 19 2022 Zdenek Pytela <zpytela@redhat.com> - 35.11-1
|
||||
- Revert "Label /etc/cockpit/ws-certs.d with cert_t"
|
||||
- Allow login_userdomain write to session_dbusd tmp socket files
|
||||
- Label /var/run/user/%{USERID}/dbus with session_dbusd_tmp_t
|
||||
|
||||
* Mon Jan 17 2022 Zdenek Pytela <zpytela@redhat.com> - 35.10-1
|
||||
- Allow login_userdomain watch systemd-machined PID directories
|
||||
- Allow login_userdomain watch systemd-logind PID directories
|
||||
- Allow login_userdomain watch accountsd lib directories
|
||||
- Allow login_userdomain watch localization directories
|
||||
- Allow login_userdomain watch various files and dirs
|
||||
- Allow login_userdomain watch generic directories in /tmp
|
||||
- Allow rhsm-service read/write its private memfd: objects
|
||||
- Allow radiusd connect to the radacct port
|
||||
- Allow systemd-io-bridge ioctl rpm_script_t
|
||||
- Allow systemd-coredump userns capabilities and root mounton
|
||||
- Allow systemd-coredump read and write usermodehelper state
|
||||
- Allow login_userdomain create session_dbusd tmp socket files
|
||||
- Allow gkeyringd_domain write to session_dbusd tmp socket files
|
||||
- Allow systemd-logind delete session_dbusd tmp socket files
|
||||
- Allow gdm-x-session write to session dbus tmp sock files
|
||||
- Label /etc/cockpit/ws-certs.d with cert_t
|
||||
- Allow kpropd get attributes of cgroup filesystems
|
||||
- Allow administrative users the bpf capability
|
||||
- Allow sysadm_t start and stop transient services
|
||||
- Connect triggerin to pcre2 instead of pcre
|
||||
|
||||
* Wed Jan 12 2022 Zdenek Pytela <zpytela@redhat.com> - 35.9-1
|
||||
- Allow sshd read filesystem sysctl files
|
||||
- Revert "Allow sshd read sysctl files"
|
||||
- Allow tlp read its systemd unit
|
||||
- Allow gssproxy access to various system files.
|
||||
- Allow gssproxy read, write, and map ica tmpfs files
|
||||
- Allow gssproxy read and write z90crypt device
|
||||
- Allow sssd_kcm read and write z90crypt device
|
||||
- Allow smbcontrol read the network state information
|
||||
- Allow virt_domain map vhost devices
|
||||
- Allow fcoemon request the kernel to load a module
|
||||
- Allow sshd read sysctl files
|
||||
- Ensure that `/run/systemd/*` are properly labeled
|
||||
- Allow admin userdomains use socketpair()
|
||||
- Change /run/user/[0-9]+ to /run/user/%{USERID} for proper labeling
|
||||
- Allow lldpd connect to snmpd with a unix domain stream socket
|
||||
- Dontaudit pkcsslotd sys_admin capability
|
||||
|
||||
* Thu Dec 23 2021 Zdenek Pytela <zpytela@redhat.com> - 35.8-1
|
||||
- Allow haproxy get attributes of filesystems with extended attributes
|
||||
- Allow haproxy get attributes of cgroup filesystems
|
||||
- Allow sysadm execute sysadmctl in sysadm_t domain using sudo
|
||||
- Allow userdomains use pam_ssh_agent_auth for passwordless sudo
|
||||
- Allow sudodomains execute passwd in the passwd domain
|
||||
- Allow braille printing in selinux
|
||||
- Allow sandbox_xserver_t map sandbox_file_t
|
||||
- Label /dev/ngXnY and /dev/nvme-subsysX with fixed_disk_device_t
|
||||
- Add hwtracing_device_t type for hardware-level tracing and debugging
|
||||
- Label port 9528/tcp with openqa_liveview
|
||||
- Label /var/lib/shorewall6-lite with shorewall_var_lib_t
|
||||
- Document Security Flask model in the policy
|
||||
|
||||
* Fri Dec 10 2021 Zdenek Pytela <zpytela@redhat.com> - 35.7-1
|
||||
- Allow systemd read unlabeled symbolic links
|
||||
- Label abrt-action-generate-backtrace with abrt_handle_event_exec_t
|
||||
- Allow dnsmasq watch /etc/dnsmasq.d directories
|
||||
- Allow rhsmcertd get attributes of tmpfs_t filesystems
|
||||
- Allow lldpd use an snmp subagent over a tcp socket
|
||||
- Allow xdm watch generic directories in /var/lib
|
||||
- Allow login_userdomain open/read/map system journal
|
||||
- Allow sysadm_t connect to cluster domains over a unix stream socket
|
||||
- Allow sysadm_t read/write pkcs shared memory segments
|
||||
- Allow sysadm_t connect to sanlock over a unix stream socket
|
||||
- Allow sysadm_t dbus chat with sssd
|
||||
- Allow sysadm_t set attributes on character device nodes
|
||||
- Allow sysadm_t read and write watchdog devices
|
||||
- Allow smbcontrol use additional socket types
|
||||
- Allow cloud-init dbus chat with systemd-logind
|
||||
- Allow svnserve send mail from the system
|
||||
- Update userdom_exec_user_tmp_files() with an entrypoint rule
|
||||
- Allow sudodomain send a null signal to sshd processes
|
||||
|
||||
* Fri Nov 19 2021 Zdenek Pytela <zpytela@redhat.com> - 35.6-1
|
||||
- Allow PID 1 and dbus-broker IPC with a systemd user session
|
||||
- Allow rpmdb read generic SSL certificates
|
||||
- Allow rpmdb read admin home config files
|
||||
- Report warning on duplicate definition of interface
|
||||
- Allow redis get attributes of filesystems with extended attributes
|
||||
- Allow sysadm_t dbus chat with realmd_t
|
||||
- Make cupsd_lpd_t a daemon
|
||||
- Allow tlp dbus-chat with NetworkManager
|
||||
- filesystem: add fs_use_trans for ramfs
|
||||
- Allow systemd-logind destroy unconfined user's IPC objects
|
||||
|
||||
* Thu Nov 04 2021 Zdenek Pytela <zpytela@redhat.com> - 35.5-1
|
||||
- Support sanlock VG automated recovery on storage access loss 2/2
|
||||
- Support sanlock VG automated recovery on storage access loss 1/2
|
||||
- Revert "Support sanlock VG automated recovery on storage access loss"
|
||||
- Allow tlp get service units status
|
||||
- Allow fedora-third-party manage 3rd party repos
|
||||
- Allow xdm_t nnp_transition to login_userdomain
|
||||
- Add the auth_read_passwd_file() interface
|
||||
- Allow redis-sentinel execute a notification script
|
||||
- Allow fetchmail search cgroup directories
|
||||
- Allow lvm_t to read/write devicekit disk semaphores
|
||||
- Allow devicekit_disk_t to use /dev/mapper/control
|
||||
- Allow devicekit_disk_t to get IPC info from the kernel
|
||||
- Allow devicekit_disk_t to read systemd-logind pid files
|
||||
- Allow devicekit_disk_t to mount filesystems on mnt_t directories
|
||||
- Allow devicekit_disk_t to manage mount_var_run_t files
|
||||
- Allow rasdaemon sys_admin capability to verify the CAP_SYS_ADMIN of the soft_offline_page function implemented in the kernel
|
||||
- Use $releasever in koji repo to reduce rawhide hardcoding
|
||||
- authlogin: add fcontext for tcb
|
||||
- Add erofs as a SELinux capable file system
|
||||
- Allow systemd execute user bin files
|
||||
- Support sanlock VG automated recovery on storage access loss
|
||||
- Support new PING_CHECK health checker in keepalived
|
||||
|
||||
* Wed Oct 20 2021 Zdenek Pytela <zpytela@redhat.com> - 35.4-1
|
||||
- Allow fedora-third-party map generic cache files
|
||||
- Add gnome_map_generic_cache_files() interface
|
||||
- Add files_manage_var_lib_dirs() interface
|
||||
- Allow fedora-third party manage gpg keys
|
||||
- Allow fedora-third-party run "flatpak remote-add --from flathub"
|
||||
|
||||
* Tue Oct 19 2021 Zdenek Pytela <zpytela@redhat.com> - 35.3-1
|
||||
- Allow fedora-third-party run flatpak post-install actions
|
||||
- Allow fedora-third-party set_setsched and sys_nice
|
||||
|
||||
* Mon Oct 18 2021 Zdenek Pytela <zpytela@redhat.com> - 35.2-1
|
||||
- Allow fedora-third-party execute "flatpak remote-add"
|
||||
- Add files_manage_var_lib_files() interface
|
||||
- Add write permisson to userfaultfd_anon_inode_perms
|
||||
- Allow proper function sosreport via iotop
|
||||
- Allow proper function sosreport in sysadmin role
|
||||
- Allow fedora-third-party to connect to the system log service
|
||||
- Allow fedora-third-party dbus chat with policykit
|
||||
- Allow chrony-wait service start with DynamicUser=yes
|
||||
- Allow management of lnk_files if similar access to regular files
|
||||
- Allow unconfined_t transition to mozilla_plugin_t with NoNewPrivileges
|
||||
- Allow systemd-resolved watch /run/systemd
|
||||
- Allow fedora-third-party create and use unix_dgram_socket
|
||||
- Removing pkcs_tmpfs_filetrans interface and edit pkcs policy files
|
||||
- Allow login_userdomain named filetrans to pkcs_slotd_tmpfs_t domain
|
||||
|
||||
* Thu Oct 07 2021 Zdenek Pytela <zpytela@redhat.com> - 35.1-1
|
||||
- Add fedoratp module
|
||||
- Allow xdm_t domain transition to fedoratp_t
|
||||
- Allow ModemManager create and use netlink route socket
|
||||
- Add default file context for /run/gssproxy.default.sock
|
||||
- Allow xdm_t watch fonts directories
|
||||
- Allow xdm_t watch generic directories in /lib
|
||||
- Allow xdm_t watch generic pid directories
|
||||
|
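Review bot: the removed range, from the 36.8-1 entry (Tue Apr 26 2022) back to the 35.1-1 entry (Thu Oct 07 2021) at the end of the hunk, leaves no pointer to where the older history can still be read, and the commit message gives the cut-off only as "F37 time" without naming the version or date of the first retained entry. The dropped entries include policy changes that people look up when auditing what a given package build allows, for example "Remove permissive domain for insights_client_t", "Allow administrative users the bpf capability" and "Add the io_uring class", and after this change `rpm -q --changelog` on the built package no longer shows them. I would add a closing changelog line saying that entries older than the cut-off are kept in the repository history, and state the exact boundary (version-release and date) in the commit message so the trim can be verified against the 318-to-3 line count in the hunk header.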