diff --git a/changelog b/changelog new file mode 100644 index 00000000..53fb3726 --- /dev/null +++ b/changelog 
@@ -0,0 +1,1233 @@ +* Tue Nov 12 2024 Zdenek Pytela - 40.13.13-1 +- Revert "Allow unconfined_t execute kmod in the kmod domain" +Resolves: RHEL-65190 +- Add policy for /usr/libexec/samba/samba-bgqd +Resolves: RHEL-64908 +- Label samba certificates with samba_cert_t +Resolves: RHEL-64908 +- Label /usr/bin/samba-gpupdate with samba_gpupdate_exec_t +Resolves: RHEL-64908 +- Allow rpcd read network sysctls +Resolves: RHEL-64737 +- Label all semanage store files in /etc as semanage_store_t +Resolves: RHEL-65864 + +* Tue Oct 29 2024 Troy Dawson - 40.13.12-2 +- Bump release for October 2024 mass rebuild: + Resolves: RHEL-64018 + +* Thu Oct 24 2024 Zdenek Pytela - 40.13.12-1 +- Dontaudit subscription manager setfscreate and read file contexts +Resolves: RHEL-58009 +- Allow the sysadm user use the secretmem API +Resolves: RHEL-40953 +- Allow sudodomain list files in /var +Resolves: RHEL-58068 +- Allow gnome-remote-desktop watch /etc directory +Resolves: RHEL-35877 +- Allow journalctl connect to systemd-userdbd over a unix socket +Resolves: RHEL-58072 +- systemd: allow sys_admin capability for systemd_notify_t +Resolves: RHEL-58072 +- Allow some confined users send to lldpad over a unix dgram socket +Resolves: RHEL-61634 +- Allow lldpad send to sysadm_t over a unix dgram socket +Resolves: RHEL-61634 +- Allow lldpd connect to systemd-machined over a unix socket +Resolves: RHEL-61634 + +* Wed Oct 23 2024 Zdenek Pytela - 40.13.11-1 +- Allow ping_t read network sysctls +Resolves: RHEL-54299 +- Label /usr/lib/node_modules/npm/bin with bin_t +Resolves: RHEL-56350 +- Label /run/sssd with sssd_var_run_t +Resolves: RHEL-57065 +- Allow virtqemud read virtd_t files +Resolves: RHEL-57713 +- Allow wdmd read hardware state information +Resolves: RHEL-57982 +- Allow wdmd list the contents of the sysfs directories +Resolves: RHEL-57982 +- Label /etc/sysctl.d and /run/sysctl.d with system_conf_t +Resolves: RHEL-58380 +- Allow dirsrv read network sysctls +Resolves: RHEL-58381 +- Allow lldpad 
create and use netlink_generic_socket +Resolves: RHEL-61634 +- Allow unconfined_t execute kmod in the kmod domain +Resolves: RHEL-61755 +- Confine the pcm service +Resolves: RHEL-52838 +- Allow iio-sensor-proxy the bpf capability +Resolves: RHEL-62355 +- Confine iio-sensor-proxy +Resolves: RHEL-62355 + +* Wed Oct 16 2024 Zdenek Pytela - 40.13.10-1 +- Confine gnome-remote-desktop +Resolves: RHEL-35877 +- Allow virtqemud get attributes of a tmpfs filesystem +Resolves: RHEL-40855 +- Allow virtqemud get attributes of cifs files +Resolves: RHEL-40855 +- Allow virtqemud get attributes of filesystems with extended attributes +Resolves: RHEL-39668 +- Allow virtqemud get attributes of NFS filesystems +Resolves: RHEL-40855 +- Add support for secretmem anon inode +Resolves: RHEL-40953 +- Allow systemd-sleep read raw disk data +Resolves: RHEL-49600 +- Allow systemd-hwdb send messages to kernel unix datagram sockets +Resolves: RHEL-50810 +- Label /run/modprobe.d with modules_conf_t +Resolves: RHEL-54591 +- Allow setsebool_t relabel selinux data files +Resolves: RHEL-55412 +- Don't audit crontab_domain write attempts to user home +Resolves: RHEL-56349 +- Differentiate between staff and sysadm when executing crontab with sudo +Resolves: RHEL-56349 +- Add crontab_admin_domtrans interface +Resolves: RHEL-56349 +- Add crontab_domtrans interface +Resolves: RHEL-56349 +- Allow boothd connect to kernel over a unix socket +Resolves: RHEL-58060 +- Fix label of pseudoterminals created from sudodomain +Resolves: RHEL-58068 +- systemd: allow systemd_notify_t to send data to kernel_t datagram sockets +Resolves: RHEL-58072 +- Allow rsyslog read systemd-logind session files +Resolves: RHEL-40961 +- Label /dev/mmcblk0rpmb character device with removable_device_t +Resolves: RHEL-55265 +- Label /dev/hfi1_[0-9]+ devices +Resolves: RHEL-62836 +- Label /dev/papr-sysparm and /dev/papr-vpd +Resolves: RHEL-56908 +- Support SGX devices +Resolves: RHEL-62354 +- Suppress semodule's stderr +Resolves: 
RHEL-59192 + +* Mon Aug 26 2024 Zdenek Pytela - 40.13.9-1 +- Allow virtqemud relabelfrom also for file and sock_file +Resolves: RHEL-49763 +- Allow virtqemud relabel user tmp files and socket files +Resolves: RHEL-49763 +- Update virtqemud policy for libguestfs usage +Resolves: RHEL-49763 +- Label /run/libvirt/qemu/channel with virtqemud_var_run_t +Resolves: RHEL-47274 + +* Tue Aug 13 2024 Zdenek Pytela - 40.13.8-1 +- Add virt_create_log() and virt_write_log() interfaces +Resolves: RHEL-47274 +- Update libvirt policy +Resolves: RHEL-45464 +Resolves: RHEL-49763 +- Allow svirt_tcg_t map svirt_image_t files +Resolves: RHEL-47274 +- Allow svirt_tcg_t read vm sysctls +Resolves: RHEL-47274 +- Additional updates stalld policy for bpf usage +Resolves: RHEL-50356 + +* Thu Aug 08 2024 Zdenek Pytela - 40.13.7-1 +- Add the swtpm.if interface file for interactions with other domains +Resolves: RHEL-47274 +- Allow virtproxyd create and use its private tmp files +Resolves: RHEL-40499 +- Allow virtproxyd read network state +Resolves: RHEL-40499 +- Allow virtqemud domain transition on swtpm execution +Resolves: RHEL-47274 +Resolves: RHEL-49763 +- Allow virtqemud relabel virt_var_run_t directories +Resolves: RHEL-47274 +Resolves: RHEL-45464 +Resolves: RHEL-49763 +- Allow virtqemud domain transition on passt execution +Resolves: RHEL-45464 +- Allow virt_driver_domain create and use log files in /var/log +Resolves: RHEL-40239 +- Allow virt_driver_domain connect to systemd-userdbd over a unix socket +Resolves: RHEL-44932 +Resolves: RHEL-44898 +- Update stalld policy for bpf usage +Resolves: RHEL-50356 +- Allow boothd connect to systemd-userdbd over a unix socket +Resolves: RHEL-45907 +- Allow linuxptp configure phc2sys and chronyd over a unix domain socket +Resolves: RHEL-46011 +- Allow systemd-machined manage runtime sockets +Resolves: RHEL-49567 +- Allow ip command write to ipsec's logs +Resolves: RHEL-41222 +- Allow init_t nnp domain transition to firewalld_t +Resolves: RHEL-52481 
+- Update qatlib policy for v24.02 with new features +Resolves: RHEL-50377 +- Allow postfix_domain map postfix_etc_t files +Resolves: RHEL-46327 + +* Thu Jul 25 2024 Zdenek Pytela - 40.13.6-1 +- Allow virtnodedevd run udev with a domain transition +Resolves: RHEL-39890 +- Allow virtnodedev_t create and use virtnodedev_lock_t +Resolves: RHEL-39890 +- Allow svirt attach_queue to a virtqemud tun_socket +Resolves: RHEL-44312 +- Label /run/systemd/machine with systemd_machined_var_run_t +Resolves: RHEL-49567 +- Allow to create and delete socket files created by rhsm.service + +* Tue Jul 16 2024 Zdenek Pytela - 40.13.5-1 +- Allow to create and delete socket files created by rhsm.service +Resolves: RHEL-40857 +- Allow svirt read virtqemud fifo files +Resolves: RHEL-40350 +- Allow virt_dbus_t connect to virtqemud_t over a unix stream socket +Resolves: RHEL-37822 +- Allow virtqemud read virt-dbus process state +Resolves: RHEL-37822 +- Allow virtqemud run ssh client with a transition +Resolves: RHEL-43215 +- Allow virtnetworkd exec shell when virt_hooks_unconfined is on +Resolves: RHEL-41168 +- Allow NetworkManager the sys_ptrace capability in user namespace +Resolves: RHEL-46717 +- Update keyutils policy +Resolves: RHEL-38920 +- Allow ip the setexec permission +Resolves: RHEL-41182 + +* Fri Jun 28 2024 Zdenek Pytela - 40.13.4-1 +- Confine libvirt-dbus +Resolves: RHEL-37822 +- Allow sssd create and use io_uring +Resolves: RHEL-43448 +- Allow virtqemud the kill capability in user namespace +Resolves: RHEL-44996 +- Allow login_userdomain execute systemd-tmpfiles in the caller domain +Resolves: RHEL-44191 +- Allow virtqemud read vm sysctls +Resolves: RHEL-40938 +- Allow svirt_t read vm sysctls +Resolves: RHEL-40938 +- Allow rshim get options of the netlink class for KOBJECT_UEVENT family +Resolves: RHEL-40859 +- Allow systemd-hostnamed read the vsock device +Resolves: RHEL-45309 +- Allow systemd (PID 1) manage systemd conf files +Resolves: RHEL-45304 +- Allow journald read 
systemd config files and directories +Resolves: RHEL-45304 +- Allow systemd_domain read systemd_conf_t dirs +Resolves: RHEL-45304 +- Label systemd configuration files with systemd_conf_t +Resolves: RHEL-45304 +- Allow dhcpcd the kill capability +Resolves: RHEL-43417 +- Add support for libvirt hooks +Resolves: RHEL-41168 + +* Mon Jun 24 2024 Troy Dawson - 40.13.3-2 +- Bump release for June 2024 mass rebuild + +* Tue Jun 18 2024 Zdenek Pytela - 40.13.3-1 +- Allow virtqemud manage nfs files when virt_use_nfs boolean is on +Resolves: RHEL-40205 +- Allow virt_driver_domain read files labeled unconfined_t +Resolves: RHEL-40262 +- Allow virt_driver_domain dbus chat with policykit +Resolves: RHEL-40346 +- Escape "interface" as a file name in a virt filetrans pattern +Resolves: RHEL-34769 +- Allow setroubleshootd get attributes of all sysctls +Resolves: RHEL-40923 +- Allow qemu-ga read vm sysctls +Resolves: RHEL-40829 +- Allow sbd to trace processes in user namespace +Resolves: RHEL-39989 +- Allow request-key execute scripts +Resolves: RHEL-38920 +- Update policy for haproxyd +Resolves: RHEL-40877 + +* Fri Jun 07 2024 Zdenek Pytela - 40.13.2-1 +- Allow all domains read and write z90crypt device +Resolves: RHEL-28539 +- Allow dhcpc read /run/netns files +Resolves: RHEL-39510 +- Allow bootupd search efivarfs dirs +Resolves: RHEL-39514 + +* Fri May 17 2024 Zdenek Pytela - 40.13.1-1 +- Allow logwatch read logind sessions files +Resolves: RHEL-30441 +- Allow sulogin relabel tty1 +Resolves: RHEL-30440 +- Dontaudit sulogin the checkpoint_restore capability +Resolves: RHEL-30440 +- Allow postfix smtpd map aliases file +Resolves: RHEL-35544 +- Ensure dbus communication is allowed bidirectionally +Resolves: RHEL-35783 +- Allow various services read and write z90crypt device +Resolves: RHEL-28539 +- Allow dhcpcd use unix_stream_socket +Resolves: RHEL-33081 +- Allow xdm_t to watch and watch_reads mount_var_run_t +Resolves: RHEL-36073 +- Allow plymouthd log during shutdown +Resolves: 
RHEL-30455 +- Update rpm configuration for the /var/run equivalency change +Resolves: RHEL-36094 + +* Mon Feb 12 2024 Zdenek Pytela - 40.13-1 +- Only allow confined user domains to login locally without unconfined_login +- Add userdom_spec_domtrans_confined_admin_users interface +- Only allow admindomain to execute shell via ssh with ssh_sysadm_login +- Add userdom_spec_domtrans_admin_users interface +- Move ssh dyntrans to unconfined inside unconfined_login tunable policy +- Update ssh_role_template() for user ssh-agent type +- Allow init to inherit system DBus file descriptors +- Allow init to inherit fds from syslogd +- Allow any domain to inherit fds from rpm-ostree +- Update afterburn policy +- Allow init_t nnp domain transition to abrtd_t + +* Tue Feb 06 2024 Zdenek Pytela - 40.12-1 +- Rename all /var/lock file context entries to /run/lock +- Rename all /var/run file context entries to /run +- Invert the "/var/run = /run" equivalency + +* Mon Feb 05 2024 Zdenek Pytela - 40.11-1 +- Replace init domtrans rule for confined users to allow exec init +- Update dbus_role_template() to allow user service status +- Allow polkit status all systemd services +- Allow setroubleshootd create and use inherited io_uring +- Allow load_policy read and write generic ptys +- Allow gpg manage rpm cache +- Allow login_userdomain name_bind to howl and xmsg udp ports +- Allow rules for confined users logged in plasma +- Label /dev/iommu with iommu_device_t +- Remove duplicate file context entries in /run +- Dontaudit getty and plymouth the checkpoint_restore capability +- Allow su domains write login records +- Revert "Allow su domains write login records" +- Allow login_userdomain delete session dbusd tmp socket files +- Allow unix dgram sendto between exim processes +- Allow su domains write login records +- Allow smbd_t to watch user_home_dir_t if samba_enable_home_dirs is on + +* Wed Jan 24 2024 Zdenek Pytela - 40.10-1 +- Allow chronyd-restricted read chronyd key files +- Allow 
conntrackd_t to use bpf capability2 +- Allow systemd-networkd manage its runtime socket files +- Allow init_t nnp domain transition to colord_t +- Allow polkit status systemd services +- nova: Fix duplicate declarations +- Allow httpd work with PrivateTmp +- Add interfaces for watching and reading ifconfig_var_run_t +- Allow collectd read raw fixed disk device +- Allow collectd read udev pid files +- Set correct label on /etc/pki/pki-tomcat/kra +- Allow systemd domains watch system dbus pid socket files +- Allow certmonger read network sysctls +- Allow mdadm list stratisd data directories +- Allow syslog to run unconfined scripts conditionally +- Allow syslogd_t nnp_transition to syslogd_unconfined_script_t +- Allow qatlib set attributes of vfio device files + +* Tue Jan 09 2024 Zdenek Pytela - 40.9-1 +- Allow systemd-sleep set attributes of efivarfs files +- Allow samba-dcerpcd read public files +- Allow spamd_update_t the sys_ptrace capability in user namespace +- Allow bluetooth devices work with alsa +- Allow alsa get attributes filesystems with extended attributes + +* Tue Jan 02 2024 Yaakov Selkowitz - 40.8-2 +- Limit %%selinux_requires to version, not release + +* Thu Dec 21 2023 Zdenek Pytela - 40.8-1 +- Allow hypervkvp_t write access to NetworkManager_etc_rw_t +- Add interface for write-only access to NetworkManager rw conf +- Allow systemd-sleep send a message to syslog over a unix dgram socket +- Allow init create and use netlink netfilter socket +- Allow qatlib load kernel modules +- Allow qatlib run lspci +- Allow qatlib manage its private runtime socket files +- Allow qatlib read/write vfio devices +- Label /etc/redis.conf with redis_conf_t +- Remove the lockdown-class rules from the policy +- Allow init read all non-security socket files +- Replace redundant dnsmasq pattern macros +- Remove unneeded symlink perms in dnsmasq.if +- Add additions to dnsmasq interface +- Allow nvme_stas_t create and use netlink kobject uevent socket +- Allow collectd 
connect to statsd port +- Allow keepalived_t to use sys_ptrace of cap_userns +- Allow dovecot_auth_t connect to postgresql using UNIX socket + +* Wed Dec 13 2023 Zdenek Pytela - 40.7-1 +- Make named_zone_t and named_var_run_t a part of the mountpoint attribute +- Allow sysadm execute traceroute in sysadm_t domain using sudo +- Allow sysadm execute tcpdump in sysadm_t domain using sudo +- Allow opafm search nfs directories +- Add support for syslogd unconfined scripts +- Allow gpsd use /dev/gnss devices +- Allow gpg read rpm cache +- Allow virtqemud additional permissions +- Allow virtqemud manage its private lock files +- Allow virtqemud use the io_uring api +- Allow ddclient send e-mail notifications +- Allow postfix_master_t map postfix data files +- Allow init create and use vsock sockets +- Allow thumb_t append to init unix domain stream sockets +- Label /dev/vas with vas_device_t +- Change domain_kernel_load_modules boolean to true +- Create interface selinux_watch_config and add it to SELinux users + +* Tue Nov 28 2023 Zdenek Pytela - 40.6-1 +- Add afterburn to modules-targeted-contrib.conf +- Update cifs interfaces to include fs_search_auto_mountpoints() +- Allow sudodomain read var auth files +- Allow spamd_update_t read hardware state information +- Allow virtnetworkd domain transition on tc command execution +- Allow sendmail MTA connect to sendmail LDA +- Allow auditd read all domains process state +- Allow rsync read network sysctls +- Add dhcpcd bpf capability to run bpf programs +- Dontaudit systemd-hwdb dac_override capability +- Allow systemd-sleep create efivarfs files + +* Tue Nov 14 2023 Zdenek Pytela - 40.5-1 +- Allow map xserver_tmpfs_t files when xserver_clients_write_xshm is on +- Allow graphical applications work in Wayland +- Allow kdump work with PrivateTmp +- Allow dovecot-auth work with PrivateTmp +- Allow nfsd get attributes of all filesystems +- Allow unconfined_domain_type use io_uring cmd on domain +- ci: Only run Rawhide revdeps 
tests on the rawhide branch +- Label /var/run/auditd.state as auditd_var_run_t +- Allow fido-device-onboard (FDO) read the crack database +- Allow ip an explicit domain transition to other domains +- Label /usr/libexec/selinux/selinux-autorelabel with semanage_exec_t +- Allow winbind_rpcd_t processes access when samba_export_all_* is on +- Enable NetworkManager and dhclient to use initramfs-configured DHCP connection +- Allow ntp to bind and connect to ntske port. +- Allow system_mail_t manage exim spool files and dirs +- Dontaudit keepalived setattr on keepalived_unconfined_script_exec_t +- Label /run/pcsd.socket with cluster_var_run_t +- ci: Run cockpit tests in PRs + +* Thu Oct 19 2023 Zdenek Pytela - 40.4-1 +- Add map_read map_write to kernel_prog_run_bpf +- Allow systemd-fstab-generator read all symlinks +- Allow systemd-fstab-generator the dac_override capability +- Allow rpcbind read network sysctls +- Support using systemd containers +- Allow sysadm_t to connect to iscsid using a unix domain stream socket +- Add policy for coreos installer +- Add coreos_installer to modules-targeted-contrib.conf + +* Tue Oct 17 2023 Zdenek Pytela - 40.3-1 +- Add policy for nvme-stas +- Confine systemd fstab,sysv,rc-local +- Label /etc/aliases.lmdb with etc_aliases_t +- Create policy for afterburn +- Add nvme_stas to modules-targeted-contrib.conf +- Add plans/tests.fmf + +* Tue Oct 10 2023 Zdenek Pytela - 40.2-1 +- Add the virt_supplementary module to modules-targeted-contrib.conf +- Make new virt drivers permissive +- Split virt policy, introduce virt_supplementary module +- Allow apcupsd cgi scripts read /sys +- Merge pull request #1893 from WOnder93/more-early-boot-overlay-fixes +- Allow kernel_t to manage and relabel all files +- Add missing optional_policy() to files_relabel_all_files() + +* Tue Oct 03 2023 Zdenek Pytela - 40.1-1 +- Allow named and ndc use the io_uring api +- Deprecate common_anon_inode_perms usage +- Improve default file context(None) of 
/var/lib/authselect/backups +- Allow udev_t to search all directories with a filesystem type +- Implement proper anon_inode support +- Allow targetd write to the syslog pid sock_file +- Add ipa_pki_retrieve_key_exec() interface +- Allow kdumpctl_t to list all directories with a filesystem type +- Allow udev additional permissions +- Allow udev load kernel module +- Allow sysadm_t to mmap modules_object_t files +- Add the unconfined_read_files() and unconfined_list_dirs() interfaces +- Set default file context of HOME_DIR/tmp/.* to <> +- Allow kernel_generic_helper_t to execute mount(1) + +* Fri Sep 29 2023 Zdenek Pytela - 38.29-1 +- Allow sssd send SIGKILL to passkey_child running in ipa_otpd_t +- Allow systemd-localed create Xserver config dirs +- Allow sssd read symlinks in /etc/sssd +- Label /dev/gnss[0-9] with gnss_device_t +- Allow systemd-sleep read/write efivarfs variables +- ci: Fix version number of packit generated srpms +- Dontaudit rhsmcertd write memory device +- Allow ssh_agent_type create a sockfile in /run/user/USERID +- Set default file context of /var/lib/authselect/backups to <> +- Allow prosody read network sysctls +- Allow cupsd_t to use bpf capability + +* Fri Sep 15 2023 Zdenek Pytela - 38.28-1 +- Allow sssd domain transition on passkey_child execution conditionally +- Allow login_userdomain watch lnk_files in /usr +- Allow login_userdomain watch video4linux devices +- Change systemd-network-generator transition to include class file +- Revert "Change file transition for systemd-network-generator" +- Allow nm-dispatcher winbind plugin read/write samba var files +- Allow systemd-networkd write to cgroup files +- Allow kdump create and use its memfd: objects + +* Thu Aug 31 2023 Zdenek Pytela - 38.27-1 +- Allow fedora-third-party get generic filesystem attributes +- Allow sssd use usb devices conditionally +- Update policy for qatlib +- Allow ssh_agent_type manage generic cache home files + +* Thu Aug 24 2023 Zdenek Pytela - 38.26-1 +- Change 
file transition for systemd-network-generator +- Additional support for gnome-initial-setup +- Update gnome-initial-setup policy for geoclue +- Allow openconnect vpn open vhost net device +- Allow cifs.upcall to connect to SSSD also through the /var/run socket +- Grant cifs.upcall more required capabilities +- Allow xenstored map xenfs files +- Update policy for fdo +- Allow keepalived watch var_run dirs +- Allow svirt to rw /dev/udmabuf +- Allow qatlib to modify hardware state information. +- Allow key.dns_resolve connect to avahi over a unix stream socket +- Allow key.dns_resolve create and use unix datagram socket +- Use quay.io as the container image source for CI + +* Fri Aug 11 2023 Zdenek Pytela - 38.25-1 +- ci: Move srpm/rpm build to packit +- .copr: Avoid subshell and changing directory +- Allow gpsd, oddjob and oddjob_mkhomedir_t write user_tty_device_t chr_file +- Label /usr/libexec/openssh/ssh-pkcs11-helper with ssh_agent_exec_t +- Make insights_client_t an unconfined domain +- Allow insights-client manage user temporary files +- Allow insights-client create all rpm logs with a correct label +- Allow insights-client manage generic logs +- Allow cloud_init create dhclient var files and init_t manage net_conf_t +- Allow insights-client read and write cluster tmpfs files +- Allow ipsec read nsfs files +- Make tuned work with mls policy +- Remove nsplugin_role from mozilla.if +- allow mon_procd_t self:cap_userns sys_ptrace +- Allow pdns name_bind and name_connect all ports +- Set the MLS range of fsdaemon_t to s0 - mls_systemhigh +- ci: Move to actions/checkout@v3 version +- .copr: Replace chown call with standard workflow safe.directory setting +- .copr: Enable `set -u` for robustness +- .copr: Simplify root directory variable + +* Fri Aug 04 2023 Zdenek Pytela - 38.24-1 +- Allow rhsmcertd dbus chat with policykit +- Allow polkitd execute pkla-check-authorization with nnp transition +- Allow user_u and staff_u get attributes of non-security dirs +- Allow 
unconfined user filetrans chrome_sandbox_home_t +- Allow svnserve execute postdrop with a transition +- Do not make postfix_postdrop_t type an MTA executable file +- Allow samba-dcerpc service manage samba tmp files +- Add use_nfs_home_dirs boolean for mozilla_plugin +- Fix labeling for no-stub-resolv.conf + +* Wed Aug 02 2023 Zdenek Pytela - 38.23-1 +- Revert "Allow winbind-rpcd use its private tmp files" +- Allow upsmon execute upsmon via a helper script +- Allow openconnect vpn read/write inherited vhost net device +- Allow winbind-rpcd use its private tmp files +- Update samba-dcerpc policy for printing +- Allow gpsd,oddjob,oddjob_mkhomedir rw user domain pty +- Allow nscd watch system db dirs +- Allow qatlib to read sssd public files +- Allow fedora-third-party read /sys and proc +- Allow systemd-gpt-generator mount a tmpfs filesystem +- Allow journald write to cgroup files +- Allow rpc.mountd read network sysctls +- Allow blueman read the contents of the sysfs filesystem +- Allow logrotate_t to map generic files in /etc +- Boolean: Allow virt_qemu_ga create ssh directory + +* Tue Jul 25 2023 Zdenek Pytela - 38.22-1 +- Allow systemd-network-generator send system log messages +- Dontaudit the execute permission on sock_file globally +- Allow fsadm_t the file mounton permission +- Allow named and ndc the io_uring sqpoll permission +- Allow sssd io_uring sqpoll permission +- Fix location for /run/nsd +- Allow qemu-ga get fixed disk devices attributes +- Update bitlbee policy +- Label /usr/sbin/sos with sosreport_exec_t +- Update policy for the sblim-sfcb service +- Add the files_getattr_non_auth_dirs() interface +- Fix the CI to work with DNF5 + +* Sat Jul 22 2023 Fedora Release Engineering - 38.21-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild + +* Thu Jul 13 2023 Zdenek Pytela - 38.21-1 +- Make systemd_tmpfiles_t MLS trusted for lowering the level of files +- Revert "Allow insights client map cache_home_t" +- Allow nfsidmapd connect to 
systemd-machined over a unix socket +- Allow snapperd connect to kernel over a unix domain stream socket +- Allow virt_qemu_ga_t create .ssh dir with correct label +- Allow targetd read network sysctls +- Set the abrt_handle_event boolean to on +- Permit kernel_t to change the user identity in object contexts +- Allow insights client map cache_home_t +- Label /usr/sbin/mariadbd with mysqld_exec_t +- Trim changelog so that it starts at F37 time +- Define equivalency for /run/systemd/generator.early + +* Thu Jun 29 2023 Zdenek Pytela - 38.20-1 +- Allow httpd tcp connect to redis port conditionally +- Label only /usr/sbin/ripd and ripngd with zebra_exec_t +- Dontaudit aide the execmem permission +- Remove permissive from fdo +- Allow sa-update manage spamc home files +- Allow sa-update connect to systemlog services +- Label /usr/lib/systemd/system/mimedefang.service with antivirus_unit_file_t +- Allow nsd_crond_t write nsd_var_run_t & connectto nsd_t +- Allow bootupd search EFI directory + +* Tue Jun 27 2023 Zdenek Pytela - 38.19-1 +- Change init_audit_control default value to true +- Allow nfsidmapd connect to systemd-userdbd with a unix socket +- Add the qatlib module +- Add the fdo module +- Add the bootupd module +- Set default ports for keylime policy +- Create policy for qatlib +- Add policy for FIDO Device Onboard +- Add policy for bootupd +- Add the qatlib module +- Add the fdo module +- Add the bootupd module + +* Sun Jun 25 2023 Zdenek Pytela - 38.18-1 +- Add support for kafs-dns requested by keyutils +- Allow insights-client execmem +- Add support for chronyd-restricted +- Add init_explicit_domain() interface +- Allow fsadm_t to get attributes of cgroup filesystems +- Add list_dir_perms to kerberos_read_keytab +- Label /var/run/tmpfiles.d/static-nodes.conf with kmod_var_run_t +- Allow sendmail manage its runtime files +- Allow keyutils_dns_resolver_exec_t be an entrypoint +- Allow collectd_t read network state symlinks +- Revert "Allow collectd_t read 
proc_net link files" +- Allow nfsd_t to list exports_t dirs +- Allow cupsd dbus chat with xdm +- Allow haproxy read hardware state information +- Add the kafs module + +* Thu Jun 15 2023 Zdenek Pytela - 38.17-1 +- Label /dev/userfaultfd with userfaultfd_t +- Allow blueman send general signals to unprivileged user domains +- Allow dkim-milter domain transition to sendmail +- Label /usr/sbin/cifs.idmap with cifs_helper_exec_t +- Allow cifs-helper read sssd kerberos configuration files +- Allow rpm_t sys_admin capability +- Allow dovecot_deliver_t create/map dovecot_spool_t dir/file +- Allow collectd_t read proc_net link files +- Allow insights-client getsession process permission +- Allow insights-client work with pipe and socket tmp files +- Allow insights-client map generic log files +- Update cyrus_stream_connect() to use sockets in /run +- Allow keyutils-dns-resolver read/view kernel key ring +- Label /var/log/kdump.log with kdump_log_t + +* Fri Jun 09 2023 Zdenek Pytela - 38.16-1 +- Add support for the systemd-pstore service +- Allow kdumpctl_t to execmem +- Update sendmail policy module for opensmtpd +- Allow nagios-mail-plugin exec postfix master +- Allow subscription-manager execute ip +- Allow ssh client connect with a user dbus instance +- Add support for ksshaskpass +- Allow rhsmcertd file transition in /run also for socket files +- Allow keyutils_dns_resolver_t execute keyutils_dns_resolver_exec_t +- Allow plymouthd read/write X server miscellaneous devices +- Allow systemd-sleep read udev pid files +- Allow exim read network sysctls +- Allow sendmail request load module +- Allow named map its conf files +- Allow squid map its cache files +- Allow NetworkManager_dispatcher_dhclient_t to execute shells without a domain transition + +* Tue May 30 2023 Zdenek Pytela - 38.15-1 +- Update policy for systemd-sleep +- Remove permissive domain for rshim_t +- Remove permissive domain for mptcpd_t +- Allow systemd-bootchartd the sys_ptrace userns capability +- Allow 
sysadm_t read nsfs files +- Allow sysadm_t run kernel bpf programs +- Update ssh_role_template for ssh-agent +- Update ssh_role_template to allow read/write unallocated ttys +- Add the booth module to modules.conf +- Allow firewalld rw ica_tmpfs_t files + +* Fri May 26 2023 Zdenek Pytela - 38.14-1 +- Remove permissive domain for cifs_helper_t +- Update the cifs-helper policy +- Replace cifsutils_helper_domtrans() with keyutils_request_domtrans_to() +- Update pkcsslotd policy for sandboxing +- Allow abrt_t read kernel persistent storage files +- Dontaudit targetd search httpd config dirs +- Allow init_t nnp domain transition to policykit_t +- Allow rpcd_lsad setcap and use generic ptys +- Allow samba-dcerpcd connect to systemd_machined over a unix socket +- Allow wireguard to rw network sysctls +- Add policy for boothd +- Allow kernel to manage its own BPF objects +- Label /usr/lib/systemd/system/proftpd.* & vsftpd.* with ftpd_unit_file_t + +* Mon May 22 2023 Zdenek Pytela - 38.13-1 +- Add initial policy for cifs-helper +- Label key.dns_resolver with keyutils_dns_resolver_exec_t +- Allow unconfined_service_t to create .gnupg labeled as gpg_secret_t +- Allow some systemd services write to cgroup files +- Allow NetworkManager_dispatcher_dhclient_t to read the DHCP configuration files +- Allow systemd resolved to bind to arbitrary nodes +- Allow plymouthd_t bpf capability to run bpf programs +- Allow cupsd to create samba_var_t files +- Allow rhsmcert request the kernel to load a module +- Allow virsh name_connect virt_port_t +- Allow certmonger manage cluster library files +- Allow plymouthd read init process state +- Add chromium_sandbox_t setcap capability +- Allow snmpd read raw disk data +- Allow samba-rpcd work with passwords +- Allow unconfined service inherit signal state from init +- Allow cloud-init manage gpg admin home content +- Allow cluster_t dbus chat with various services +- Allow nfsidmapd work with systemd-userdbd and sssd +- Allow 
unconfined_domain_type use IORING_OP_URING_CMD on all device nodes +- Allow plymouthd map dri and framebuffer devices +- Allow rpmdb_migrate execute rpmdb +- Allow logrotate dbus chat with systemd-hostnamed +- Allow icecast connect to kernel using a unix stream socket +- Allow lldpad connect to systemd-userdbd over a unix socket +- Allow journalctl open user domain ptys and ttys +- Allow keepalived to manage its tmp files +- Allow ftpd read network sysctls +- Label /run/bgpd with zebra_var_run_t +- Allow gssproxy read network sysctls +- Add the cifsutils module + +* Tue Apr 25 2023 Zdenek Pytela - 38.12-1 +- Allow telnetd read network sysctls +- Allow munin system plugin read generic SSL certificates +- Allow munin system plugin create and use netlink generic socket +- Allow login_userdomain create user namespaces +- Allow request-key to send syslog messages +- Allow request-key to read/view any key +- Add fs_delete_pstore_files() interface +- Allow insights-client work with teamdctl +- Allow insights-client read unconfined service semaphores +- Allow insights-client get quotas of all filesystems +- Add fs_read_pstore_files() interface +- Allow generic kernel helper to read inherited kernel pipes + +* Fri Apr 14 2023 Zdenek Pytela - 38.11-1 +- Allow dovecot-deliver write to the main process runtime fifo files +- Allow dmidecode write to cloud-init tmp files +- Allow chronyd send a message to cloud-init over a datagram socket +- Allow cloud-init domain transition to insights-client domain +- Allow mongodb read filesystem sysctls +- Allow mongodb read network sysctls +- Allow accounts-daemon read generic systemd unit lnk files +- Allow blueman watch generic device dirs +- Allow nm-dispatcher tlp plugin create tlp dirs +- Allow systemd-coredump mounton /usr +- Allow rabbitmq to read network sysctls + +* Tue Apr 04 2023 Zdenek Pytela - 38.10-1 +- Allow certmonger dbus chat with the cron system domain +- Allow geoclue read network sysctls +- Allow geoclue watch the /etc 
directory +- Allow logwatch_mail_t read network sysctls +- Allow insights-client read all sysctls +- Allow passt manage qemu pid sock files + +* Fri Mar 24 2023 Zdenek Pytela - 38.9-1 +- Allow sssd read accountsd fifo files +- Add support for the passt_t domain +- Allow virtd_t and svirt_t work with passt +- Add new interfaces in the virt module +- Add passt interfaces defined conditionally +- Allow tshark the setsched capability +- Allow poweroff create connections to system dbus +- Allow wg load kernel modules, search debugfs dir +- Boolean: allow qemu-ga manage ssh home directory +- Label smtpd with sendmail_exec_t +- Label msmtp and msmtpd with sendmail_exec_t +- Allow dovecot to map files in /var/spool/dovecot + +* Fri Mar 03 2023 Zdenek Pytela - 38.8-1 +- Confine gnome-initial-setup +- Allow qemu-guest-agent create and use vsock socket +- Allow login_pgm setcap permission +- Allow chronyc read network sysctls +- Enhancement of the /usr/sbin/request-key helper policy +- Fix opencryptoki file names in /dev/shm +- Allow system_cronjob_t transition to rpm_script_t +- Revert "Allow system_cronjob_t domtrans to rpm_script_t" +- Add tunable to allow squid bind snmp port +- Allow staff_t getattr init pid chr & blk files and read krb5 +- Allow firewalld to rw z90crypt device +- Allow httpd work with tokens in /dev/shm +- Allow svirt to map svirt_image_t char files +- Allow sysadm_t run initrc_t script and sysadm_r role access +- Allow insights-client manage fsadm pid files + +* Wed Feb 08 2023 Zdenek Pytela - 38.7-1 +- Allowing snapper to create snapshots of /home/ subvolume/partition +- Add boolean qemu-ga to run unconfined script +- Label systemd-journald feature LogNamespace +- Add none file context for polyinstantiated tmp dirs +- Allow certmonger read the contents of the sysfs filesystem +- Add journalctl the sys_resource capability +- Allow nm-dispatcher plugins read generic files in /proc +- Add initial policy for the /usr/sbin/request-key helper +- Additional 
support for rpmdb_migrate +- Add the keyutils module + +* Mon Jan 30 2023 Zdenek Pytela - 38.6-1 +- Boolean: allow qemu-ga read ssh home directory +- Allow kernel_t to read/write all sockets +- Allow kernel_t to UNIX-stream connect to all domains +- Allow systemd-resolved send a datagram to journald +- Allow kernel_t to manage and have "execute" access to all files +- Fix the files_manage_all_files() interface +- Allow rshim bpf cap2 and read sssd public files +- Allow insights-client work with su and lpstat +- Allow insights-client tcp connect to all ports +- Allow nm-cloud-setup dispatcher plugin restart nm services +- Allow unconfined user filetransition for sudo log files +- Allow modemmanager create hardware state information files +- Allow ModemManager all permissions for netlink route socket +- Allow wg to send msg to kernel, write to syslog and dbus connections +- Allow hostname_t to read network sysctls. +- Dontaudit ftpd the execmem permission +- Allow svirt request the kernel to load a module +- Allow icecast rename its log files +- Allow upsd to send signal to itself +- Allow wireguard to create udp sockets and read net_conf +- Use '%autosetup' instead of '%setup' +- Pass -p 1 to '%autosetup' + +* Sat Jan 21 2023 Fedora Release Engineering - 38.5-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild + +* Fri Jan 13 2023 Zdenek Pytela - 38.5-1 +- Allow insights client work with gluster and pcp +- Add insights additional capabilities +- Add interfaces in domain, files, and unconfined modules +- Label fwupdoffline and fwupd-detect-cet with fwupd_exec_t +- Allow sudodomain use sudo.log as a logfile +- Allow pdns server map its library files and bind to unreserved ports +- Allow sysadm_t read/write ipmi devices +- Allow prosody manage its runtime socket files +- Allow kernel threads manage kernel keys +- Allow systemd-userdbd the sys_resource capability +- Allow systemd-journal list cgroup directories +- Allow apcupsd dbus chat with 
systemd-logind +- Allow nut_domain manage also files and sock_files in /var/run +- Allow winbind-rpcd make a TCP connection to the ldap port +- Label /usr/lib/rpm/rpmdb_migrate with rpmdb_exec_t +- Allow tlp read generic SSL certificates +- Allow systemd-resolved watch tmpfs directories +- Revert "Allow systemd-resolved watch tmpfs directories" + +* Mon Dec 19 2022 Zdenek Pytela - 38.4-1 +- Allow NetworkManager and wpa_supplicant the bpf capability +- Allow systemd-rfkill the bpf capability +- Allow winbind-rpcd manage samba_share_t files and dirs +- Label /var/lib/httpd/md(/.*)? with httpd_sys_rw_content_t +- Allow gpsd the sys_ptrace userns capability +- Introduce gpsd_tmp_t for sockfiles managed by gpsd_t +- Allow load_policy_t write to unallocated ttys +- Allow ndc read hardware state information +- Allow system mail service read inherited certmonger runtime files +- Add lpr_roles to system_r roles +- Revert "Allow insights-client run lpr and allow the proper role" +- Allow stalld to read /sys/kernel/security/lockdown file +- Allow keepalived to set resource limits +- Add policy for mptcpd +- Add policy for rshim +- Allow admin users to create user namespaces +- Allow journalctl relabel with var_log_t and syslogd_var_run_t files +- Do not run restorecon /etc/NetworkManager/dispatcher.d in targeted +- Trim changelog so that it starts at F35 time +- Add mptcpd and rshim modules + +* Wed Dec 14 2022 Zdenek Pytela - 38.3-1 +- Allow insights-client dbus chat with various services +- Allow insights-client tcp connect to various ports +- Allow insights-client run lpr and allow the proper role +- Allow insights-client work with pcp and manage user config files +- Allow redis get user names +- Allow kernel threads to use fds from all domains +- Allow systemd-modules-load load kernel modules +- Allow login_userdomain watch systemd-passwd pid dirs +- Allow insights-client dbus chat with abrt +- Grant kernel_t certain permissions in the system class +- Allow 
systemd-resolved watch tmpfs directories +- Allow systemd-timedated watch init runtime dir +- Make `bootc` be `install_exec_t` +- Allow systemd-coredump create user_namespace +- Allow syslog the setpcap capability +- donaudit virtlogd and dnsmasq execmem + +* Tue Dec 06 2022 Zdenek Pytela - 38.2-1 +- Don't make kernel_t an unconfined domain +- Don't allow kernel_t to execute bin_t/usr_t binaries without a transition +- Allow kernel_t to execute systemctl to do a poweroff/reboot +- Grant basic permissions to the domain created by systemd_systemctl_domain() +- Allow kernel_t to request module loading +- Allow kernel_t to do compute_create +- Allow kernel_t to manage perf events +- Grant almost all capabilities to kernel_t +- Allow kernel_t to fully manage all devices +- Revert "In domain_transition_pattern there is no permission allowing caller domain to execu_no_trans on entrypoint, this patch fixing this issue" +- Allow pulseaudio to write to session_dbusd tmp socket files +- Allow systemd and unconfined_domain_type create user_namespace +- Add the user_namespace security class +- Reuse tmpfs_t also for the ramfs filesystem +- Label udf tools with fsadm_exec_t +- Allow networkmanager_dispatcher_plugin work with nscd +- Watch_sb all file type directories. 
+- Allow spamc read hardware state information files +- Allow sysadm read ipmi devices +- Allow insights client communicate with cupsd, mysqld, openvswitch, redis +- Allow insights client read raw memory devices +- Allow the spamd_update_t domain get generic filesystem attributes +- Dontaudit systemd-gpt-generator the sys_admin capability +- Allow ipsec_t only read tpm devices +- Allow cups-pdf connect to the system log service +- Allow postfix/smtpd read kerberos key table +- Allow syslogd read network sysctls +- Allow cdcc mmap dcc-client-map files +- Add watch and watch_sb dosfs interface + +* Mon Nov 21 2022 Zdenek Pytela - 38.1-1 +- Revert "Allow sysadm_t read raw memory devices" +- Allow systemd-socket-proxyd get attributes of cgroup filesystems +- Allow rpc.gssd read network sysctls +- Allow winbind-rpcd get attributes of device and pty filesystems +- Allow insights-client domain transition on semanage execution +- Allow insights-client create gluster log dir with a transition +- Allow insights-client manage generic locks +- Allow insights-client unix_read all domain semaphores +- Add domain_unix_read_all_semaphores() interface +- Allow winbind-rpcd use the terminal multiplexor +- Allow mrtg send mails +- Allow systemd-hostnamed dbus chat with init scripts +- Allow sssd dbus chat with system cronjobs +- Add interface to watch all filesystems +- Add watch_sb interfaces +- Add watch interfaces +- Allow dhcpd bpf capability to run bpf programs +- Allow netutils and traceroute bpf capability to run bpf programs +- Allow pkcs_slotd_t bpf capability to run bpf programs +- Allow xdm bpf capability to run bpf programs +- Allow pcscd bpf capability to run bpf programs +- Allow lldpad bpf capability to run bpf programs +- Allow keepalived bpf capability to run bpf programs +- Allow ipsec bpf capability to run bpf programs +- Allow fprintd bpf capability to run bpf programs +- Allow systemd-socket-proxyd get filesystems attributes +- Allow dirsrv_snmp_t to manage 
dirsrv_config_t & dirsrv_var_run_t files + +* Mon Oct 31 2022 Zdenek Pytela - 37.14-1 +- Allow rotatelogs read httpd_log_t symlinks +- Add winbind-rpcd to samba_enable_home_dirs boolean +- Allow system cronjobs dbus chat with setroubleshoot +- Allow setroubleshootd read device sysctls +- Allow virt_domain read device sysctls +- Allow rhcd compute selinux access vector +- Allow insights-client manage samba var dirs +- Label ports 10161-10162 tcp/udp with snmp +- Allow aide to connect to systemd_machined with a unix socket. +- Allow samba-dcerpcd use NSCD services over a unix stream socket +- Allow vlock search the contents of the /dev/pts directory +- Allow insights-client send null signal to rpm and system cronjob +- Label port 15354/tcp and 15354/udp with opendnssec +- Allow ftpd map ftpd_var_run files +- Allow targetclid to manage tmp files +- Allow insights-client connect to postgresql with a unix socket +- Allow insights-client domtrans on unix_chkpwd execution +- Add file context entries for insights-client and rhc +- Allow pulseaudio create gnome content (~/.config) +- Allow login_userdomain dbus chat with rhsmcertd +- Allow sbd the sys_ptrace capability +- Allow ptp4l_t name_bind ptp_event_port_t + +* Mon Oct 03 2022 Zdenek Pytela - 37.13-1 +- Remove the ipa module +- Allow sss daemons read/write unnamed pipes of cloud-init +- Allow postfix_mailqueue create and use unix dgram sockets +- Allow xdm watch user home directories +- Allow nm-dispatcher ddclient plugin load a kernel module +- Stop ignoring standalone interface files +- Drop cockpit module +- Allow init map its private tmp files +- Allow xenstored change its hard resource limits +- Allow system_mail-t read network sysctls +- Add bgpd sys_chroot capability + +* Thu Sep 22 2022 Zdenek Pytela - 37.12-1 +- nut-upsd: kernel_read_system_state, fs_getattr_cgroup +- Add numad the ipc_owner capability +- Allow gst-plugin-scanner read virtual memory sysctls +- Allow init read/write inherited user fifo files 
+- Update dnssec-trigger policy: setsched, module_request +- added policy for systemd-socket-proxyd +- Add the new 'cmd' permission to the 'io_uring' class +- Allow winbind-rpcd read and write its key ring +- Label /run/NetworkManager/no-stub-resolv.conf net_conf_t +- blueman-mechanism can read ~/.local/lib/python*/site-packages directory +- pidof executed by abrt can readlink /proc/*/exe +- Fix typo in comment +- Do not run restorecon /etc/NetworkManager/dispatcher.d in mls and minimum + +* Wed Sep 14 2022 Zdenek Pytela - 37.11-1 +- Allow tor get filesystem attributes +- Allow utempter append to login_userdomain stream +- Allow login_userdomain accept a stream connection to XDM +- Allow login_userdomain write to boltd named pipes +- Allow staff_u and user_u users write to bolt pipe +- Allow login_userdomain watch various directories +- Update rhcd policy for executing additional commands 5 +- Update rhcd policy for executing additional commands 4 +- Allow rhcd create rpm hawkey logs with correct label +- Allow systemd-gpt-auto-generator to check for empty dirs +- Update rhcd policy for executing additional commands 3 +- Allow journalctl read rhcd fifo files +- Update insights-client policy for additional commands execution 5 +- Allow init remount all file_type filesystems +- Confine insights-client systemd unit +- Update insights-client policy for additional commands execution 4 +- Allow pcp pmcd search tracefs and acct_data dirs +- Allow httpd read network sysctls +- Dontaudit domain map permission on directories +- Revert "Allow X userdomains to mmap user_fonts_cache_t dirs" +- Revert "Allow xdm_t domain to mmap /var/lib/gdm/.cache/fontconfig BZ(1725509)" +- Update insights-client policy for additional commands execution 3 +- Allow systemd permissions needed for sandboxed services +- Add rhcd module +- Make dependency on rpm-plugin-selinux unordered + +* Fri Sep 02 2022 Zdenek Pytela - 37.10-1 +- Allow ipsec_t read/write tpm devices +- Allow rhcd execute all 
executables +- Update rhcd policy for executing additional commands 2 +- Update insights-client policy for additional commands execution 2 +- Allow sysadm_t read raw memory devices +- Allow chronyd send and receive chronyd/ntp client packets +- Allow ssh client read kerberos homedir config files +- Label /var/log/rhc-worker-playbook with rhcd_var_log_t +- Update insights-client policy (auditctl, gpg, journal) +- Allow system_cronjob_t domtrans to rpm_script_t +- Allow smbd_t process noatsecure permission for winbind_rpcd_t +- Update tor_bind_all_unreserved_ports interface +- Allow chronyd bind UDP sockets to ptp_event ports. +- Allow unconfined and sysadm users transition for /root/.gnupg +- Add gpg_filetrans_admin_home_content() interface +- Update rhcd policy for executing additional commands +- Update insights-client policy for additional commands execution +- Add userdom_view_all_users_keys() interface +- Allow gpg read and write generic pty type +- Allow chronyc read and write generic pty type +- Allow system_dbusd ioctl kernel with a unix stream sockets +- Allow samba-bgqd to read a printer list +- Allow stalld get and set scheduling policy of all domains. 
+- Allow unconfined_t transition to targetclid_home_t + +* Thu Aug 11 2022 Zdenek Pytela - 37.9-1 +- Allow nm-dispatcher custom plugin dbus chat with nm +- Allow nm-dispatcher sendmail plugin get status of systemd services +- Allow xdm read the kernel key ring +- Allow login_userdomain check status of mount units +- Allow postfix/smtp and postfix/virtual read kerberos key table +- Allow services execute systemd-notify +- Do not allow login_userdomain use sd_notify() +- Allow launch-xenstored read filesystem sysctls +- Allow systemd-modules-load write to /dev/kmsg and send a message to syslogd +- Allow openvswitch fsetid capability +- Allow openvswitch use its private tmpfs files and dirs +- Allow openvswitch search tracefs dirs +- Allow pmdalinux read files on an nfsd filesystem +- Allow winbind-rpcd write to winbind pid files +- Allow networkmanager to signal unconfined process +- Allow systemd_hostnamed label /run/systemd/* as hostnamed_etc_t +- Allow samba-bgqd get a printer list +- fix(init.fc): Fix section description +- Allow fedora-third-party read the passwords file +- Remove permissive domain for rhcd_t +- Allow pmie read network state information and network sysctls +- Revert "Dontaudit domain the fowner capability" +- Allow sysadm_t to run bpftool on the userdomain attribute +- Add the userdom_prog_run_bpf_userdomain() interface +- Allow insights-client rpm named file transitions +- Add /var/tmp/insights-archive to insights_client_filetrans_named_content + +* Mon Aug 01 2022 Zdenek Pytela - 37.8-1 +- Allow sa-update to get init status and start systemd files +- Use insights_client_filetrans_named_content +- Make default file context match with named transitions +- Allow nm-dispatcher tlp plugin send system log messages +- Allow nm-dispatcher tlp plugin create and use unix_dgram_socket +- Add permissions to manage lnk_files into gnome_manage_home_config +- Allow rhsmcertd to read insights config files +- Label /etc/insights-client/machine-id +- 
fix(devices.fc): Replace single quote in comment to solve parsing issues +- Make NetworkManager_dispatcher_custom_t an unconfined domain + +* Sat Jul 23 2022 Fedora Release Engineering - 37.7-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild + +* Thu Jul 14 2022 Zdenek Pytela - 37.7-1 +- Update winbind_rpcd_t +- Allow some domains use sd_notify() +- Revert "Allow rabbitmq to use systemd notify" +- fix(sedoctool.py): Fix syntax warning: "is not" with a literal +- Allow nm-dispatcher console plugin manage etc files +- Allow networkmanager_dispatcher_plugin list NetworkManager_etc_t dirs +- Allow nm-dispatcher console plugin setfscreate +- Support using systemd-update-helper in rpm scriptlets +- Allow nm-dispatcher winbind plugin read samba config files +- Allow domain use userfaultfd over all domains +- Allow cups-lpd read network sysctls + +* Wed Jun 29 2022 Zdenek Pytela - 37.6-1 +- Allow stalld set scheduling policy of kernel threads +- Allow targetclid read /var/target files +- Allow targetclid read generic SSL certificates (fixed) +- Allow firewalld read the contents of the sysfs filesystem +- Fix file context pattern for /var/target +- Use insights_client_etc_t in insights_search_config() +- Allow nm-dispatcher ddclient plugin handle systemd services +- Allow nm-dispatcher winbind plugin run smbcontrol +- Allow nm-dispatcher custom plugin create and use unix dgram socket +- Update samba-dcerpcd policy for kerberos usage 2 +- Allow keepalived read the contents of the sysfs filesystem +- Allow amandad read network sysctls +- Allow cups-lpd read network sysctls +- Allow kpropd read network sysctls +- Update insights_client_filetrans_named_content() +- Allow rabbitmq to use systemd notify +- Label /var/target with targetd_var_t +- Allow targetclid read generic SSL certificates +- Update rhcd policy +- Allow rhcd search insights configuration directories +- Add the kernel_read_proc_files() interface +- Require policycoreutils >= 3.4-1 +- Add a 
script for enclosing interfaces in ifndef statements +- Disable rpm verification on interface_info + +* Wed Jun 22 2022 Zdenek Pytela - 37.5-1 +- Allow transition to insights_client named content +- Add the insights_client_filetrans_named_content() interface +- Update policy for insights-client to run additional commands 3 +- Allow dhclient manage pid files used by chronyd +- Allow stalld get scheduling policy of kernel threads +- Allow samba-dcerpcd work with sssd +- Allow dlm_controld send a null signal to a cluster daemon +- Allow ksmctl create hardware state information files +- Allow winbind_rpcd_t connect to self over a unix_stream_socket +- Update samba-dcerpcd policy for kerberos usage +- Allow insights-client execute its private memfd: objects +- Update policy for insights-client to run additional commands 2 +- Use insights_client_tmp_t instead of insights_client_var_tmp_t +- Change space indentation to tab in insights-client +- Use socket permissions sets in insights-client +- Update policy for insights-client to run additional commands +- Change rpm_setattr_db_files() to use a pattern +- Allow init_t to rw insights_client unnamed pipe +- Add rpm setattr db files macro +- Fix insights client +- Update kernel_read_unix_sysctls() for sysctl_net_unix_t handling +- Allow rabbitmq to access its private memfd: objects +- Update policy for samba-dcerpcd +- Allow stalld setsched and sys_nice + +* Tue Jun 07 2022 Zdenek Pytela - 37.4-1 +- Allow auditd_t noatsecure for a transition to audisp_remote_t +- Allow ctdbd nlmsg_read on netlink_tcpdiag_socket +- Allow pcp_domain execute its private memfd: objects +- Add support for samba-dcerpcd +- Add policy for wireguard +- Confine targetcli +- Allow systemd work with install_t unix stream sockets +- Allow iscsid the sys_ptrace userns capability +- Allow xdm connect to unconfined_service_t over a unix stream socket + +* Fri May 27 2022 Zdenek Pytela - 37.3-1 +- Allow nm-dispatcher custom plugin execute systemctl +- Allow 
nm-dispatcher custom plugin dbus chat with nm +- Allow nm-dispatcher custom plugin create and use udp socket +- Allow nm-dispatcher custom plugin create and use netlink_route_socket +- Use create_netlink_socket_perms in netlink_route_socket class permissions +- Add support for nm-dispatcher sendmail scripts +- Allow sslh net_admin capability +- Allow insights-client manage gpg admin home content +- Add the gpg_manage_admin_home_content() interface +- Allow rhsmcertd create generic log files +- Update logging_create_generic_logs() to use create_files_pattern() +- Label /var/cache/insights with insights_client_cache_t +- Allow insights-client search gconf homedir +- Allow insights-client create and use unix_dgram_socket +- Allow blueman execute its private memfd: files +- Move the chown call into make-srpm.sh + +* Fri May 06 2022 Zdenek Pytela - 37.2-1 +- Use the networkmanager_dispatcher_plugin attribute in allow rules +- Make a custom nm-dispatcher plugin transition +- Label port 4784/tcp and 4784/udp with bfd_multi +- Allow systemd watch and watch_reads user ptys +- Allow sblim-gatherd the kill capability +- Label more vdsm utils with virtd_exec_t +- Add ksm service to ksmtuned +- Add rhcd policy +- Dontaudit guest attempts to dbus chat with systemd domains +- Dontaudit guest attempts to dbus chat with system bus types +- Use a named transition in systemd_hwdb_manage_config() +- Add default fc specifications for patterns in /opt +- Add the files_create_etc_files() interface +- Allow nm-dispatcher console plugin create and write files in /etc +- Allow nm-dispatcher console plugin transition to the setfiles domain +- Allow more nm-dispatcher plugins append to init stream sockets +- Allow nm-dispatcher tlp plugin dbus chat with nm +- Reorder networkmanager_dispatcher_plugin_template() calls +- Allow svirt connectto virtlogd +- Allow blueman map its private memfd: files +- Allow sysadm user execute init scripts with a transition +- Allow sblim-sfcbd connect to 
sblim-reposd stream +- Allow keepalived_unconfined_script_t dbus chat with init +- Run restorecon with "-i" not to report errors + +* Mon May 02 2022 Zdenek Pytela - 37.1-1 +- Fix users for SELinux userspace 3.4 +- Label /var/run/machine-id as machineid_t +- Add stalld to modules.conf +- Use files_tmpfs_file() for rhsmcertd_tmpfs_t +- Allow blueman read/write its private memfd: objects +- Allow insights-client read rhnsd config files +- Allow insights-client create_socket_perms for tcp/udp sockets diff --git a/selinux-policy.spec b/selinux-policy.spec index e09a3c37..013267ed 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec 
@@ -871,1236 +871,4 @@ exit 0 %endif %changelog -* Tue Nov 12 2024 Zdenek Pytela - 40.13.13-1 -- Revert "Allow unconfined_t execute kmod in the kmod domain" -Resolves: RHEL-65190 -- Add policy for /usr/libexec/samba/samba-bgqd -Resolves: RHEL-64908 -- Label samba certificates with samba_cert_t -Resolves: RHEL-64908 -- Label /usr/bin/samba-gpupdate with samba_gpupdate_exec_t -Resolves: RHEL-64908 -- Allow rpcd read network sysctls -Resolves: RHEL-64737 -- Label all semanage store files in /etc as semanage_store_t -Resolves: RHEL-65864 - -* Tue Oct 29 2024 Troy Dawson - 40.13.12-2 -- Bump release for October 2024 mass rebuild: - Resolves: RHEL-64018 - -* Thu Oct 24 2024 Zdenek Pytela - 40.13.12-1 -- Dontaudit subscription manager setfscreate and read file contexts -Resolves: RHEL-58009 -- Allow the sysadm user use the secretmem API -Resolves: RHEL-40953 -- Allow sudodomain list files in /var -Resolves: RHEL-58068 -- Allow gnome-remote-desktop watch /etc directory -Resolves: RHEL-35877 -- Allow journalctl connect to systemd-userdbd over a unix socket -Resolves: RHEL-58072 -- systemd: allow sys_admin capability for systemd_notify_t -Resolves: RHEL-58072 -- Allow some confined users send to lldpad over a unix dgram socket -Resolves: RHEL-61634 -- Allow lldpad send to sysadm_t over a unix dgram socket -Resolves: RHEL-61634 -- Allow lldpd connect to systemd-machined over a unix socket -Resolves: RHEL-61634 - -* Wed Oct 23 2024 Zdenek Pytela - 40.13.11-1 -- Allow ping_t read network sysctls -Resolves: RHEL-54299 -- Label /usr/lib/node_modules/npm/bin with bin_t -Resolves: RHEL-56350 -- Label /run/sssd with sssd_var_run_t -Resolves: RHEL-57065 -- Allow virtqemud read virtd_t files -Resolves: RHEL-57713 -- Allow wdmd read hardware state information -Resolves: RHEL-57982 -- Allow wdmd list the contents of the sysfs directories -Resolves: RHEL-57982 -- Label /etc/sysctl.d and /run/sysctl.d with system_conf_t -Resolves: RHEL-58380 -- Allow dirsrv read network sysctls -Resolves: 
RHEL-58381 -- Allow lldpad create and use netlink_generic_socket -Resolves: RHEL-61634 -- Allow unconfined_t execute kmod in the kmod domain -Resolves: RHEL-61755 -- Confine the pcm service -Resolves: RHEL-52838 -- Allow iio-sensor-proxy the bpf capability -Resolves: RHEL-62355 -- Confine iio-sensor-proxy -Resolves: RHEL-62355 - -* Wed Oct 16 2024 Zdenek Pytela - 40.13.10-1 -- Confine gnome-remote-desktop -Resolves: RHEL-35877 -- Allow virtqemud get attributes of a tmpfs filesystem -Resolves: RHEL-40855 -- Allow virtqemud get attributes of cifs files -Resolves: RHEL-40855 -- Allow virtqemud get attributes of filesystems with extended attributes -Resolves: RHEL-39668 -- Allow virtqemud get attributes of NFS filesystems -Resolves: RHEL-40855 -- Add support for secretmem anon inode -Resolves: RHEL-40953 -- Allow systemd-sleep read raw disk data -Resolves: RHEL-49600 -- Allow systemd-hwdb send messages to kernel unix datagram sockets -Resolves: RHEL-50810 -- Label /run/modprobe.d with modules_conf_t -Resolves: RHEL-54591 -- Allow setsebool_t relabel selinux data files -Resolves: RHEL-55412 -- Don't audit crontab_domain write attempts to user home -Resolves: RHEL-56349 -- Differentiate between staff and sysadm when executing crontab with sudo -Resolves: RHEL-56349 -- Add crontab_admin_domtrans interface -Resolves: RHEL-56349 -- Add crontab_domtrans interface -Resolves: RHEL-56349 -- Allow boothd connect to kernel over a unix socket -Resolves: RHEL-58060 -- Fix label of pseudoterminals created from sudodomain -Resolves: RHEL-58068 -- systemd: allow systemd_notify_t to send data to kernel_t datagram sockets -Resolves: RHEL-58072 -- Allow rsyslog read systemd-logind session files -Resolves: RHEL-40961 -- Label /dev/mmcblk0rpmb character device with removable_device_t -Resolves: RHEL-55265 -- Label /dev/hfi1_[0-9]+ devices -Resolves: RHEL-62836 -- Label /dev/papr-sysparm and /dev/papr-vpd -Resolves: RHEL-56908 -- Support SGX devices -Resolves: RHEL-62354 -- Suppress 
semodule's stderr -Resolves: RHEL-59192 - -* Mon Aug 26 2024 Zdenek Pytela - 40.13.9-1 -- Allow virtqemud relabelfrom also for file and sock_file -Resolves: RHEL-49763 -- Allow virtqemud relabel user tmp files and socket files -Resolves: RHEL-49763 -- Update virtqemud policy for libguestfs usage -Resolves: RHEL-49763 -- Label /run/libvirt/qemu/channel with virtqemud_var_run_t -Resolves: RHEL-47274 - -* Tue Aug 13 2024 Zdenek Pytela - 40.13.8-1 -- Add virt_create_log() and virt_write_log() interfaces -Resolves: RHEL-47274 -- Update libvirt policy -Resolves: RHEL-45464 -Resolves: RHEL-49763 -- Allow svirt_tcg_t map svirt_image_t files -Resolves: RHEL-47274 -- Allow svirt_tcg_t read vm sysctls -Resolves: RHEL-47274 -- Additional updates stalld policy for bpf usage -Resolves: RHEL-50356 - -* Thu Aug 08 2024 Zdenek Pytela - 40.13.7-1 -- Add the swtpm.if interface file for interactions with other domains -Resolves: RHEL-47274 -- Allow virtproxyd create and use its private tmp files -Resolves: RHEL-40499 -- Allow virtproxyd read network state -Resolves: RHEL-40499 -- Allow virtqemud domain transition on swtpm execution -Resolves: RHEL-47274 -Resolves: RHEL-49763 -- Allow virtqemud relabel virt_var_run_t directories -Resolves: RHEL-47274 -Resolves: RHEL-45464 -Resolves: RHEL-49763 -- Allow virtqemud domain transition on passt execution -Resolves: RHEL-45464 -- Allow virt_driver_domain create and use log files in /var/log -Resolves: RHEL-40239 -- Allow virt_driver_domain connect to systemd-userdbd over a unix socket -Resolves: RHEL-44932 -Resolves: RHEL-44898 -- Update stalld policy for bpf usage -Resolves: RHEL-50356 -- Allow boothd connect to systemd-userdbd over a unix socket -Resolves: RHEL-45907 -- Allow linuxptp configure phc2sys and chronyd over a unix domain socket -Resolves: RHEL-46011 -- Allow systemd-machined manage runtime sockets -Resolves: RHEL-49567 -- Allow ip command write to ipsec's logs -Resolves: RHEL-41222 -- Allow init_t nnp domain transition to 
firewalld_t -Resolves: RHEL-52481 -- Update qatlib policy for v24.02 with new features -Resolves: RHEL-50377 -- Allow postfix_domain map postfix_etc_t files -Resolves: RHEL-46327 - -* Thu Jul 25 2024 Zdenek Pytela - 40.13.6-1 -- Allow virtnodedevd run udev with a domain transition -Resolves: RHEL-39890 -- Allow virtnodedev_t create and use virtnodedev_lock_t -Resolves: RHEL-39890 -- Allow svirt attach_queue to a virtqemud tun_socket -Resolves: RHEL-44312 -- Label /run/systemd/machine with systemd_machined_var_run_t -Resolves: RHEL-49567 -- Allow to create and delete socket files created by rhsm.service - -* Tue Jul 16 2024 Zdenek Pytela - 40.13.5-1 -- Allow to create and delete socket files created by rhsm.service -Resolves: RHEL-40857 -- Allow svirt read virtqemud fifo files -Resolves: RHEL-40350 -- Allow virt_dbus_t connect to virtqemud_t over a unix stream socket -Resolves: RHEL-37822 -- Allow virtqemud read virt-dbus process state -Resolves: RHEL-37822 -- Allow virtqemud run ssh client with a transition -Resolves: RHEL-43215 -- Allow virtnetworkd exec shell when virt_hooks_unconfined is on -Resolves: RHEL-41168 -- Allow NetworkManager the sys_ptrace capability in user namespace -Resolves: RHEL-46717 -- Update keyutils policy -Resolves: RHEL-38920 -- Allow ip the setexec permission -Resolves: RHEL-41182 - -* Fri Jun 28 2024 Zdenek Pytela - 40.13.4-1 -- Confine libvirt-dbus -Resolves: RHEL-37822 -- Allow sssd create and use io_uring -Resolves: RHEL-43448 -- Allow virtqemud the kill capability in user namespace -Resolves: RHEL-44996 -- Allow login_userdomain execute systemd-tmpfiles in the caller domain -Resolves: RHEL-44191 -- Allow virtqemud read vm sysctls -Resolves: RHEL-40938 -- Allow svirt_t read vm sysctls -Resolves: RHEL-40938 -- Allow rshim get options of the netlink class for KOBJECT_UEVENT family -Resolves: RHEL-40859 -- Allow systemd-hostnamed read the vsock device -Resolves: RHEL-45309 -- Allow systemd (PID 1) manage systemd conf files -Resolves: 
RHEL-45304 -- Allow journald read systemd config files and directories -Resolves: RHEL-45304 -- Allow systemd_domain read systemd_conf_t dirs -Resolves: RHEL-45304 -- Label systemd configuration files with systemd_conf_t -Resolves: RHEL-45304 -- Allow dhcpcd the kill capability -Resolves: RHEL-43417 -- Add support for libvirt hooks -Resolves: RHEL-41168 - -* Mon Jun 24 2024 Troy Dawson - 40.13.3-2 -- Bump release for June 2024 mass rebuild - -* Tue Jun 18 2024 Zdenek Pytela - 40.13.3-1 -- Allow virtqemud manage nfs files when virt_use_nfs boolean is on -Resolves: RHEL-40205 -- Allow virt_driver_domain read files labeled unconfined_t -Resolves: RHEL-40262 -- Allow virt_driver_domain dbus chat with policykit -Resolves: RHEL-40346 -- Escape "interface" as a file name in a virt filetrans pattern -Resolves: RHEL-34769 -- Allow setroubleshootd get attributes of all sysctls -Resolves: RHEL-40923 -- Allow qemu-ga read vm sysctls -Resolves: RHEL-40829 -- Allow sbd to trace processes in user namespace -Resolves: RHEL-39989 -- Allow request-key execute scripts -Resolves: RHEL-38920 -- Update policy for haproxyd -Resolves: RHEL-40877 - -* Fri Jun 07 2024 Zdenek Pytela - 40.13.2-1 -- Allow all domains read and write z90crypt device -Resolves: RHEL-28539 -- Allow dhcpc read /run/netns files -Resolves: RHEL-39510 -- Allow bootupd search efivarfs dirs -Resolves: RHEL-39514 - -* Fri May 17 2024 Zdenek Pytela - 40.13.1-1 -- Allow logwatch read logind sessions files -Resolves: RHEL-30441 -- Allow sulogin relabel tty1 -Resolves: RHEL-30440 -- Dontaudit sulogin the checkpoint_restore capability -Resolves: RHEL-30440 -- Allow postfix smtpd map aliases file -Resolves: RHEL-35544 -- Ensure dbus communication is allowed bidirectionally -Resolves: RHEL-35783 -- Allow various services read and write z90crypt device -Resolves: RHEL-28539 -- Allow dhcpcd use unix_stream_socket -Resolves: RHEL-33081 -- Allow xdm_t to watch and watch_reads mount_var_run_t -Resolves: RHEL-36073 -- Allow plymouthd 
log during shutdown -Resolves: RHEL-30455 -- Update rpm configuration for the /var/run equivalency change -Resolves: RHEL-36094 - -* Mon Feb 12 2024 Zdenek Pytela - 40.13-1 -- Only allow confined user domains to login locally without unconfined_login -- Add userdom_spec_domtrans_confined_admin_users interface -- Only allow admindomain to execute shell via ssh with ssh_sysadm_login -- Add userdom_spec_domtrans_admin_users interface -- Move ssh dyntrans to unconfined inside unconfined_login tunable policy -- Update ssh_role_template() for user ssh-agent type -- Allow init to inherit system DBus file descriptors -- Allow init to inherit fds from syslogd -- Allow any domain to inherit fds from rpm-ostree -- Update afterburn policy -- Allow init_t nnp domain transition to abrtd_t - -* Tue Feb 06 2024 Zdenek Pytela - 40.12-1 -- Rename all /var/lock file context entries to /run/lock -- Rename all /var/run file context entries to /run -- Invert the "/var/run = /run" equivalency - -* Mon Feb 05 2024 Zdenek Pytela - 40.11-1 -- Replace init domtrans rule for confined users to allow exec init -- Update dbus_role_template() to allow user service status -- Allow polkit status all systemd services -- Allow setroubleshootd create and use inherited io_uring -- Allow load_policy read and write generic ptys -- Allow gpg manage rpm cache -- Allow login_userdomain name_bind to howl and xmsg udp ports -- Allow rules for confined users logged in plasma -- Label /dev/iommu with iommu_device_t -- Remove duplicate file context entries in /run -- Dontaudit getty and plymouth the checkpoint_restore capability -- Allow su domains write login records -- Revert "Allow su domains write login records" -- Allow login_userdomain delete session dbusd tmp socket files -- Allow unix dgram sendto between exim processes -- Allow su domains write login records -- Allow smbd_t to watch user_home_dir_t if samba_enable_home_dirs is on - -* Wed Jan 24 2024 Zdenek Pytela - 40.10-1 -- Allow chronyd-restricted 
read chronyd key files -- Allow conntrackd_t to use bpf capability2 -- Allow systemd-networkd manage its runtime socket files -- Allow init_t nnp domain transition to colord_t -- Allow polkit status systemd services -- nova: Fix duplicate declarations -- Allow httpd work with PrivateTmp -- Add interfaces for watching and reading ifconfig_var_run_t -- Allow collectd read raw fixed disk device -- Allow collectd read udev pid files -- Set correct label on /etc/pki/pki-tomcat/kra -- Allow systemd domains watch system dbus pid socket files -- Allow certmonger read network sysctls -- Allow mdadm list stratisd data directories -- Allow syslog to run unconfined scripts conditionally -- Allow syslogd_t nnp_transition to syslogd_unconfined_script_t -- Allow qatlib set attributes of vfio device files - -* Tue Jan 09 2024 Zdenek Pytela - 40.9-1 -- Allow systemd-sleep set attributes of efivarfs files -- Allow samba-dcerpcd read public files -- Allow spamd_update_t the sys_ptrace capability in user namespace -- Allow bluetooth devices work with alsa -- Allow alsa get attributes filesystems with extended attributes - -* Tue Jan 02 2024 Yaakov Selkowitz - 40.8-2 -- Limit %%selinux_requires to version, not release - -* Thu Dec 21 2023 Zdenek Pytela - 40.8-1 -- Allow hypervkvp_t write access to NetworkManager_etc_rw_t -- Add interface for write-only access to NetworkManager rw conf -- Allow systemd-sleep send a message to syslog over a unix dgram socket -- Allow init create and use netlink netfilter socket -- Allow qatlib load kernel modules -- Allow qatlib run lspci -- Allow qatlib manage its private runtime socket files -- Allow qatlib read/write vfio devices -- Label /etc/redis.conf with redis_conf_t -- Remove the lockdown-class rules from the policy -- Allow init read all non-security socket files -- Replace redundant dnsmasq pattern macros -- Remove unneeded symlink perms in dnsmasq.if -- Add additions to dnsmasq interface -- Allow nvme_stas_t create and use netlink kobject 
uevent socket -- Allow collectd connect to statsd port -- Allow keepalived_t to use sys_ptrace of cap_userns -- Allow dovecot_auth_t connect to postgresql using UNIX socket - -* Wed Dec 13 2023 Zdenek Pytela - 40.7-1 -- Make named_zone_t and named_var_run_t a part of the mountpoint attribute -- Allow sysadm execute traceroute in sysadm_t domain using sudo -- Allow sysadm execute tcpdump in sysadm_t domain using sudo -- Allow opafm search nfs directories -- Add support for syslogd unconfined scripts -- Allow gpsd use /dev/gnss devices -- Allow gpg read rpm cache -- Allow virtqemud additional permissions -- Allow virtqemud manage its private lock files -- Allow virtqemud use the io_uring api -- Allow ddclient send e-mail notifications -- Allow postfix_master_t map postfix data files -- Allow init create and use vsock sockets -- Allow thumb_t append to init unix domain stream sockets -- Label /dev/vas with vas_device_t -- Change domain_kernel_load_modules boolean to true -- Create interface selinux_watch_config and add it to SELinux users - -* Tue Nov 28 2023 Zdenek Pytela - 40.6-1 -- Add afterburn to modules-targeted-contrib.conf -- Update cifs interfaces to include fs_search_auto_mountpoints() -- Allow sudodomain read var auth files -- Allow spamd_update_t read hardware state information -- Allow virtnetworkd domain transition on tc command execution -- Allow sendmail MTA connect to sendmail LDA -- Allow auditd read all domains process state -- Allow rsync read network sysctls -- Add dhcpcd bpf capability to run bpf programs -- Dontaudit systemd-hwdb dac_override capability -- Allow systemd-sleep create efivarfs files - -* Tue Nov 14 2023 Zdenek Pytela - 40.5-1 -- Allow map xserver_tmpfs_t files when xserver_clients_write_xshm is on -- Allow graphical applications work in Wayland -- Allow kdump work with PrivateTmp -- Allow dovecot-auth work with PrivateTmp -- Allow nfsd get attributes of all filesystems -- Allow unconfined_domain_type use io_uring cmd on domain -- 
ci: Only run Rawhide revdeps tests on the rawhide branch -- Label /var/run/auditd.state as auditd_var_run_t -- Allow fido-device-onboard (FDO) read the crack database -- Allow ip an explicit domain transition to other domains -- Label /usr/libexec/selinux/selinux-autorelabel with semanage_exec_t -- Allow winbind_rpcd_t processes access when samba_export_all_* is on -- Enable NetworkManager and dhclient to use initramfs-configured DHCP connection -- Allow ntp to bind and connect to ntske port. -- Allow system_mail_t manage exim spool files and dirs -- Dontaudit keepalived setattr on keepalived_unconfined_script_exec_t -- Label /run/pcsd.socket with cluster_var_run_t -- ci: Run cockpit tests in PRs - -* Thu Oct 19 2023 Zdenek Pytela - 40.4-1 -- Add map_read map_write to kernel_prog_run_bpf -- Allow systemd-fstab-generator read all symlinks -- Allow systemd-fstab-generator the dac_override capability -- Allow rpcbind read network sysctls -- Support using systemd containers -- Allow sysadm_t to connect to iscsid using a unix domain stream socket -- Add policy for coreos installer -- Add coreos_installer to modules-targeted-contrib.conf - -* Tue Oct 17 2023 Zdenek Pytela - 40.3-1 -- Add policy for nvme-stas -- Confine systemd fstab,sysv,rc-local -- Label /etc/aliases.lmdb with etc_aliases_t -- Create policy for afterburn -- Add nvme_stas to modules-targeted-contrib.conf -- Add plans/tests.fmf - -* Tue Oct 10 2023 Zdenek Pytela - 40.2-1 -- Add the virt_supplementary module to modules-targeted-contrib.conf -- Make new virt drivers permissive -- Split virt policy, introduce virt_supplementary module -- Allow apcupsd cgi scripts read /sys -- Merge pull request #1893 from WOnder93/more-early-boot-overlay-fixes -- Allow kernel_t to manage and relabel all files -- Add missing optional_policy() to files_relabel_all_files() - -* Tue Oct 03 2023 Zdenek Pytela - 40.1-1 -- Allow named and ndc use the io_uring api -- Deprecate common_anon_inode_perms usage -- Improve default file 
context(None) of /var/lib/authselect/backups -- Allow udev_t to search all directories with a filesystem type -- Implement proper anon_inode support -- Allow targetd write to the syslog pid sock_file -- Add ipa_pki_retrieve_key_exec() interface -- Allow kdumpctl_t to list all directories with a filesystem type -- Allow udev additional permissions -- Allow udev load kernel module -- Allow sysadm_t to mmap modules_object_t files -- Add the unconfined_read_files() and unconfined_list_dirs() interfaces -- Set default file context of HOME_DIR/tmp/.* to <> -- Allow kernel_generic_helper_t to execute mount(1) - -* Fri Sep 29 2023 Zdenek Pytela - 38.29-1 -- Allow sssd send SIGKILL to passkey_child running in ipa_otpd_t -- Allow systemd-localed create Xserver config dirs -- Allow sssd read symlinks in /etc/sssd -- Label /dev/gnss[0-9] with gnss_device_t -- Allow systemd-sleep read/write efivarfs variables -- ci: Fix version number of packit generated srpms -- Dontaudit rhsmcertd write memory device -- Allow ssh_agent_type create a sockfile in /run/user/USERID -- Set default file context of /var/lib/authselect/backups to <> -- Allow prosody read network sysctls -- Allow cupsd_t to use bpf capability - -* Fri Sep 15 2023 Zdenek Pytela - 38.28-1 -- Allow sssd domain transition on passkey_child execution conditionally -- Allow login_userdomain watch lnk_files in /usr -- Allow login_userdomain watch video4linux devices -- Change systemd-network-generator transition to include class file -- Revert "Change file transition for systemd-network-generator" -- Allow nm-dispatcher winbind plugin read/write samba var files -- Allow systemd-networkd write to cgroup files -- Allow kdump create and use its memfd: objects - -* Thu Aug 31 2023 Zdenek Pytela - 38.27-1 -- Allow fedora-third-party get generic filesystem attributes -- Allow sssd use usb devices conditionally -- Update policy for qatlib -- Allow ssh_agent_type manage generic cache home files - -* Thu Aug 24 2023 Zdenek Pytela - 
38.26-1 -- Change file transition for systemd-network-generator -- Additional support for gnome-initial-setup -- Update gnome-initial-setup policy for geoclue -- Allow openconnect vpn open vhost net device -- Allow cifs.upcall to connect to SSSD also through the /var/run socket -- Grant cifs.upcall more required capabilities -- Allow xenstored map xenfs files -- Update policy for fdo -- Allow keepalived watch var_run dirs -- Allow svirt to rw /dev/udmabuf -- Allow qatlib to modify hardware state information. -- Allow key.dns_resolve connect to avahi over a unix stream socket -- Allow key.dns_resolve create and use unix datagram socket -- Use quay.io as the container image source for CI - -* Fri Aug 11 2023 Zdenek Pytela - 38.25-1 -- ci: Move srpm/rpm build to packit -- .copr: Avoid subshell and changing directory -- Allow gpsd, oddjob and oddjob_mkhomedir_t write user_tty_device_t chr_file -- Label /usr/libexec/openssh/ssh-pkcs11-helper with ssh_agent_exec_t -- Make insights_client_t an unconfined domain -- Allow insights-client manage user temporary files -- Allow insights-client create all rpm logs with a correct label -- Allow insights-client manage generic logs -- Allow cloud_init create dhclient var files and init_t manage net_conf_t -- Allow insights-client read and write cluster tmpfs files -- Allow ipsec read nsfs files -- Make tuned work with mls policy -- Remove nsplugin_role from mozilla.if -- allow mon_procd_t self:cap_userns sys_ptrace -- Allow pdns name_bind and name_connect all ports -- Set the MLS range of fsdaemon_t to s0 - mls_systemhigh -- ci: Move to actions/checkout@v3 version -- .copr: Replace chown call with standard workflow safe.directory setting -- .copr: Enable `set -u` for robustness -- .copr: Simplify root directory variable - -* Fri Aug 04 2023 Zdenek Pytela - 38.24-1 -- Allow rhsmcertd dbus chat with policykit -- Allow polkitd execute pkla-check-authorization with nnp transition -- Allow user_u and staff_u get attributes of 
non-security dirs -- Allow unconfined user filetrans chrome_sandbox_home_t -- Allow svnserve execute postdrop with a transition -- Do not make postfix_postdrop_t type an MTA executable file -- Allow samba-dcerpc service manage samba tmp files -- Add use_nfs_home_dirs boolean for mozilla_plugin -- Fix labeling for no-stub-resolv.conf - -* Wed Aug 02 2023 Zdenek Pytela - 38.23-1 -- Revert "Allow winbind-rpcd use its private tmp files" -- Allow upsmon execute upsmon via a helper script -- Allow openconnect vpn read/write inherited vhost net device -- Allow winbind-rpcd use its private tmp files -- Update samba-dcerpc policy for printing -- Allow gpsd,oddjob,oddjob_mkhomedir rw user domain pty -- Allow nscd watch system db dirs -- Allow qatlib to read sssd public files -- Allow fedora-third-party read /sys and proc -- Allow systemd-gpt-generator mount a tmpfs filesystem -- Allow journald write to cgroup files -- Allow rpc.mountd read network sysctls -- Allow blueman read the contents of the sysfs filesystem -- Allow logrotate_t to map generic files in /etc -- Boolean: Allow virt_qemu_ga create ssh directory - -* Tue Jul 25 2023 Zdenek Pytela - 38.22-1 -- Allow systemd-network-generator send system log messages -- Dontaudit the execute permission on sock_file globally -- Allow fsadm_t the file mounton permission -- Allow named and ndc the io_uring sqpoll permission -- Allow sssd io_uring sqpoll permission -- Fix location for /run/nsd -- Allow qemu-ga get fixed disk devices attributes -- Update bitlbee policy -- Label /usr/sbin/sos with sosreport_exec_t -- Update policy for the sblim-sfcb service -- Add the files_getattr_non_auth_dirs() interface -- Fix the CI to work with DNF5 - -* Sat Jul 22 2023 Fedora Release Engineering - 38.21-2 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild - -* Thu Jul 13 2023 Zdenek Pytela - 38.21-1 -- Make systemd_tmpfiles_t MLS trusted for lowering the level of files -- Revert "Allow insights client map cache_home_t" -- 
Allow nfsidmapd connect to systemd-machined over a unix socket -- Allow snapperd connect to kernel over a unix domain stream socket -- Allow virt_qemu_ga_t create .ssh dir with correct label -- Allow targetd read network sysctls -- Set the abrt_handle_event boolean to on -- Permit kernel_t to change the user identity in object contexts -- Allow insights client map cache_home_t -- Label /usr/sbin/mariadbd with mysqld_exec_t -- Trim changelog so that it starts at F37 time -- Define equivalency for /run/systemd/generator.early - -* Thu Jun 29 2023 Zdenek Pytela - 38.20-1 -- Allow httpd tcp connect to redis port conditionally -- Label only /usr/sbin/ripd and ripngd with zebra_exec_t -- Dontaudit aide the execmem permission -- Remove permissive from fdo -- Allow sa-update manage spamc home files -- Allow sa-update connect to systemlog services -- Label /usr/lib/systemd/system/mimedefang.service with antivirus_unit_file_t -- Allow nsd_crond_t write nsd_var_run_t & connectto nsd_t -- Allow bootupd search EFI directory - -* Tue Jun 27 2023 Zdenek Pytela - 38.19-1 -- Change init_audit_control default value to true -- Allow nfsidmapd connect to systemd-userdbd with a unix socket -- Add the qatlib module -- Add the fdo module -- Add the bootupd module -- Set default ports for keylime policy -- Create policy for qatlib -- Add policy for FIDO Device Onboard -- Add policy for bootupd -- Add the qatlib module -- Add the fdo module -- Add the bootupd module - -* Sun Jun 25 2023 Zdenek Pytela - 38.18-1 -- Add support for kafs-dns requested by keyutils -- Allow insights-client execmem -- Add support for chronyd-restricted -- Add init_explicit_domain() interface -- Allow fsadm_t to get attributes of cgroup filesystems -- Add list_dir_perms to kerberos_read_keytab -- Label /var/run/tmpfiles.d/static-nodes.conf with kmod_var_run_t -- Allow sendmail manage its runtime files -- Allow keyutils_dns_resolver_exec_t be an entrypoint -- Allow collectd_t read network state symlinks -- Revert 
"Allow collectd_t read proc_net link files" -- Allow nfsd_t to list exports_t dirs -- Allow cupsd dbus chat with xdm -- Allow haproxy read hardware state information -- Add the kafs module - -* Thu Jun 15 2023 Zdenek Pytela - 38.17-1 -- Label /dev/userfaultfd with userfaultfd_t -- Allow blueman send general signals to unprivileged user domains -- Allow dkim-milter domain transition to sendmail -- Label /usr/sbin/cifs.idmap with cifs_helper_exec_t -- Allow cifs-helper read sssd kerberos configuration files -- Allow rpm_t sys_admin capability -- Allow dovecot_deliver_t create/map dovecot_spool_t dir/file -- Allow collectd_t read proc_net link files -- Allow insights-client getsession process permission -- Allow insights-client work with pipe and socket tmp files -- Allow insights-client map generic log files -- Update cyrus_stream_connect() to use sockets in /run -- Allow keyutils-dns-resolver read/view kernel key ring -- Label /var/log/kdump.log with kdump_log_t - -* Fri Jun 09 2023 Zdenek Pytela - 38.16-1 -- Add support for the systemd-pstore service -- Allow kdumpctl_t to execmem -- Update sendmail policy module for opensmtpd -- Allow nagios-mail-plugin exec postfix master -- Allow subscription-manager execute ip -- Allow ssh client connect with a user dbus instance -- Add support for ksshaskpass -- Allow rhsmcertd file transition in /run also for socket files -- Allow keyutils_dns_resolver_t execute keyutils_dns_resolver_exec_t -- Allow plymouthd read/write X server miscellaneous devices -- Allow systemd-sleep read udev pid files -- Allow exim read network sysctls -- Allow sendmail request load module -- Allow named map its conf files -- Allow squid map its cache files -- Allow NetworkManager_dispatcher_dhclient_t to execute shells without a domain transition - -* Tue May 30 2023 Zdenek Pytela - 38.15-1 -- Update policy for systemd-sleep -- Remove permissive domain for rshim_t -- Remove permissive domain for mptcpd_t -- Allow systemd-bootchartd the sys_ptrace 
userns capability -- Allow sysadm_t read nsfs files -- Allow sysadm_t run kernel bpf programs -- Update ssh_role_template for ssh-agent -- Update ssh_role_template to allow read/write unallocated ttys -- Add the booth module to modules.conf -- Allow firewalld rw ica_tmpfs_t files - -* Fri May 26 2023 Zdenek Pytela - 38.14-1 -- Remove permissive domain for cifs_helper_t -- Update the cifs-helper policy -- Replace cifsutils_helper_domtrans() with keyutils_request_domtrans_to() -- Update pkcsslotd policy for sandboxing -- Allow abrt_t read kernel persistent storage files -- Dontaudit targetd search httpd config dirs -- Allow init_t nnp domain transition to policykit_t -- Allow rpcd_lsad setcap and use generic ptys -- Allow samba-dcerpcd connect to systemd_machined over a unix socket -- Allow wireguard to rw network sysctls -- Add policy for boothd -- Allow kernel to manage its own BPF objects -- Label /usr/lib/systemd/system/proftpd.* & vsftpd.* with ftpd_unit_file_t - -* Mon May 22 2023 Zdenek Pytela - 38.13-1 -- Add initial policy for cifs-helper -- Label key.dns_resolver with keyutils_dns_resolver_exec_t -- Allow unconfined_service_t to create .gnupg labeled as gpg_secret_t -- Allow some systemd services write to cgroup files -- Allow NetworkManager_dispatcher_dhclient_t to read the DHCP configuration files -- Allow systemd resolved to bind to arbitrary nodes -- Allow plymouthd_t bpf capability to run bpf programs -- Allow cupsd to create samba_var_t files -- Allow rhsmcert request the kernel to load a module -- Allow virsh name_connect virt_port_t -- Allow certmonger manage cluster library files -- Allow plymouthd read init process state -- Add chromium_sandbox_t setcap capability -- Allow snmpd read raw disk data -- Allow samba-rpcd work with passwords -- Allow unconfined service inherit signal state from init -- Allow cloud-init manage gpg admin home content -- Allow cluster_t dbus chat with various services -- Allow nfsidmapd work with systemd-userdbd and sssd 
-- Allow unconfined_domain_type use IORING_OP_URING_CMD on all device nodes -- Allow plymouthd map dri and framebuffer devices -- Allow rpmdb_migrate execute rpmdb -- Allow logrotate dbus chat with systemd-hostnamed -- Allow icecast connect to kernel using a unix stream socket -- Allow lldpad connect to systemd-userdbd over a unix socket -- Allow journalctl open user domain ptys and ttys -- Allow keepalived to manage its tmp files -- Allow ftpd read network sysctls -- Label /run/bgpd with zebra_var_run_t -- Allow gssproxy read network sysctls -- Add the cifsutils module - -* Tue Apr 25 2023 Zdenek Pytela - 38.12-1 -- Allow telnetd read network sysctls -- Allow munin system plugin read generic SSL certificates -- Allow munin system plugin create and use netlink generic socket -- Allow login_userdomain create user namespaces -- Allow request-key to send syslog messages -- Allow request-key to read/view any key -- Add fs_delete_pstore_files() interface -- Allow insights-client work with teamdctl -- Allow insights-client read unconfined service semaphores -- Allow insights-client get quotas of all filesystems -- Add fs_read_pstore_files() interface -- Allow generic kernel helper to read inherited kernel pipes - -* Fri Apr 14 2023 Zdenek Pytela - 38.11-1 -- Allow dovecot-deliver write to the main process runtime fifo files -- Allow dmidecode write to cloud-init tmp files -- Allow chronyd send a message to cloud-init over a datagram socket -- Allow cloud-init domain transition to insights-client domain -- Allow mongodb read filesystem sysctls -- Allow mongodb read network sysctls -- Allow accounts-daemon read generic systemd unit lnk files -- Allow blueman watch generic device dirs -- Allow nm-dispatcher tlp plugin create tlp dirs -- Allow systemd-coredump mounton /usr -- Allow rabbitmq to read network sysctls - -* Tue Apr 04 2023 Zdenek Pytela - 38.10-1 -- Allow certmonger dbus chat with the cron system domain -- Allow geoclue read network sysctls -- Allow geoclue watch 
the /etc directory -- Allow logwatch_mail_t read network sysctls -- Allow insights-client read all sysctls -- Allow passt manage qemu pid sock files - -* Fri Mar 24 2023 Zdenek Pytela - 38.9-1 -- Allow sssd read accountsd fifo files -- Add support for the passt_t domain -- Allow virtd_t and svirt_t work with passt -- Add new interfaces in the virt module -- Add passt interfaces defined conditionally -- Allow tshark the setsched capability -- Allow poweroff create connections to system dbus -- Allow wg load kernel modules, search debugfs dir -- Boolean: allow qemu-ga manage ssh home directory -- Label smtpd with sendmail_exec_t -- Label msmtp and msmtpd with sendmail_exec_t -- Allow dovecot to map files in /var/spool/dovecot - -* Fri Mar 03 2023 Zdenek Pytela - 38.8-1 -- Confine gnome-initial-setup -- Allow qemu-guest-agent create and use vsock socket -- Allow login_pgm setcap permission -- Allow chronyc read network sysctls -- Enhancement of the /usr/sbin/request-key helper policy -- Fix opencryptoki file names in /dev/shm -- Allow system_cronjob_t transition to rpm_script_t -- Revert "Allow system_cronjob_t domtrans to rpm_script_t" -- Add tunable to allow squid bind snmp port -- Allow staff_t getattr init pid chr & blk files and read krb5 -- Allow firewalld to rw z90crypt device -- Allow httpd work with tokens in /dev/shm -- Allow svirt to map svirt_image_t char files -- Allow sysadm_t run initrc_t script and sysadm_r role access -- Allow insights-client manage fsadm pid files - -* Wed Feb 08 2023 Zdenek Pytela - 38.7-1 -- Allowing snapper to create snapshots of /home/ subvolume/partition -- Add boolean qemu-ga to run unconfined script -- Label systemd-journald feature LogNamespace -- Add none file context for polyinstantiated tmp dirs -- Allow certmonger read the contents of the sysfs filesystem -- Add journalctl the sys_resource capability -- Allow nm-dispatcher plugins read generic files in /proc -- Add initial policy for the /usr/sbin/request-key helper -- 
Additional support for rpmdb_migrate -- Add the keyutils module - -* Mon Jan 30 2023 Zdenek Pytela - 38.6-1 -- Boolean: allow qemu-ga read ssh home directory -- Allow kernel_t to read/write all sockets -- Allow kernel_t to UNIX-stream connect to all domains -- Allow systemd-resolved send a datagram to journald -- Allow kernel_t to manage and have "execute" access to all files -- Fix the files_manage_all_files() interface -- Allow rshim bpf cap2 and read sssd public files -- Allow insights-client work with su and lpstat -- Allow insights-client tcp connect to all ports -- Allow nm-cloud-setup dispatcher plugin restart nm services -- Allow unconfined user filetransition for sudo log files -- Allow modemmanager create hardware state information files -- Allow ModemManager all permissions for netlink route socket -- Allow wg to send msg to kernel, write to syslog and dbus connections -- Allow hostname_t to read network sysctls. -- Dontaudit ftpd the execmem permission -- Allow svirt request the kernel to load a module -- Allow icecast rename its log files -- Allow upsd to send signal to itself -- Allow wireguard to create udp sockets and read net_conf -- Use '%autosetup' instead of '%setup' -- Pass -p 1 to '%autosetup' - -* Sat Jan 21 2023 Fedora Release Engineering - 38.5-2 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild - -* Fri Jan 13 2023 Zdenek Pytela - 38.5-1 -- Allow insights client work with gluster and pcp -- Add insights additional capabilities -- Add interfaces in domain, files, and unconfined modules -- Label fwupdoffline and fwupd-detect-cet with fwupd_exec_t -- Allow sudodomain use sudo.log as a logfile -- Allow pdns server map its library files and bind to unreserved ports -- Allow sysadm_t read/write ipmi devices -- Allow prosody manage its runtime socket files -- Allow kernel threads manage kernel keys -- Allow systemd-userdbd the sys_resource capability -- Allow systemd-journal list cgroup directories -- Allow apcupsd dbus chat 
with systemd-logind -- Allow nut_domain manage also files and sock_files in /var/run -- Allow winbind-rpcd make a TCP connection to the ldap port -- Label /usr/lib/rpm/rpmdb_migrate with rpmdb_exec_t -- Allow tlp read generic SSL certificates -- Allow systemd-resolved watch tmpfs directories -- Revert "Allow systemd-resolved watch tmpfs directories" - -* Mon Dec 19 2022 Zdenek Pytela - 38.4-1 -- Allow NetworkManager and wpa_supplicant the bpf capability -- Allow systemd-rfkill the bpf capability -- Allow winbind-rpcd manage samba_share_t files and dirs -- Label /var/lib/httpd/md(/.*)? with httpd_sys_rw_content_t -- Allow gpsd the sys_ptrace userns capability -- Introduce gpsd_tmp_t for sockfiles managed by gpsd_t -- Allow load_policy_t write to unallocated ttys -- Allow ndc read hardware state information -- Allow system mail service read inherited certmonger runtime files -- Add lpr_roles to system_r roles -- Revert "Allow insights-client run lpr and allow the proper role" -- Allow stalld to read /sys/kernel/security/lockdown file -- Allow keepalived to set resource limits -- Add policy for mptcpd -- Add policy for rshim -- Allow admin users to create user namespaces -- Allow journalctl relabel with var_log_t and syslogd_var_run_t files -- Do not run restorecon /etc/NetworkManager/dispatcher.d in targeted -- Trim changelog so that it starts at F35 time -- Add mptcpd and rshim modules - -* Wed Dec 14 2022 Zdenek Pytela - 38.3-1 -- Allow insights-client dbus chat with various services -- Allow insights-client tcp connect to various ports -- Allow insights-client run lpr and allow the proper role -- Allow insights-client work with pcp and manage user config files -- Allow redis get user names -- Allow kernel threads to use fds from all domains -- Allow systemd-modules-load load kernel modules -- Allow login_userdomain watch systemd-passwd pid dirs -- Allow insights-client dbus chat with abrt -- Grant kernel_t certain permissions in the system class -- Allow 
systemd-resolved watch tmpfs directories -- Allow systemd-timedated watch init runtime dir -- Make `bootc` be `install_exec_t` -- Allow systemd-coredump create user_namespace -- Allow syslog the setpcap capability -- donaudit virtlogd and dnsmasq execmem - -* Tue Dec 06 2022 Zdenek Pytela - 38.2-1 -- Don't make kernel_t an unconfined domain -- Don't allow kernel_t to execute bin_t/usr_t binaries without a transition -- Allow kernel_t to execute systemctl to do a poweroff/reboot -- Grant basic permissions to the domain created by systemd_systemctl_domain() -- Allow kernel_t to request module loading -- Allow kernel_t to do compute_create -- Allow kernel_t to manage perf events -- Grant almost all capabilities to kernel_t -- Allow kernel_t to fully manage all devices -- Revert "In domain_transition_pattern there is no permission allowing caller domain to execu_no_trans on entrypoint, this patch fixing this issue" -- Allow pulseaudio to write to session_dbusd tmp socket files -- Allow systemd and unconfined_domain_type create user_namespace -- Add the user_namespace security class -- Reuse tmpfs_t also for the ramfs filesystem -- Label udf tools with fsadm_exec_t -- Allow networkmanager_dispatcher_plugin work with nscd -- Watch_sb all file type directories. 
-- Allow spamc read hardware state information files -- Allow sysadm read ipmi devices -- Allow insights client communicate with cupsd, mysqld, openvswitch, redis -- Allow insights client read raw memory devices -- Allow the spamd_update_t domain get generic filesystem attributes -- Dontaudit systemd-gpt-generator the sys_admin capability -- Allow ipsec_t only read tpm devices -- Allow cups-pdf connect to the system log service -- Allow postfix/smtpd read kerberos key table -- Allow syslogd read network sysctls -- Allow cdcc mmap dcc-client-map files -- Add watch and watch_sb dosfs interface - -* Mon Nov 21 2022 Zdenek Pytela - 38.1-1 -- Revert "Allow sysadm_t read raw memory devices" -- Allow systemd-socket-proxyd get attributes of cgroup filesystems -- Allow rpc.gssd read network sysctls -- Allow winbind-rpcd get attributes of device and pty filesystems -- Allow insights-client domain transition on semanage execution -- Allow insights-client create gluster log dir with a transition -- Allow insights-client manage generic locks -- Allow insights-client unix_read all domain semaphores -- Add domain_unix_read_all_semaphores() interface -- Allow winbind-rpcd use the terminal multiplexor -- Allow mrtg send mails -- Allow systemd-hostnamed dbus chat with init scripts -- Allow sssd dbus chat with system cronjobs -- Add interface to watch all filesystems -- Add watch_sb interfaces -- Add watch interfaces -- Allow dhcpd bpf capability to run bpf programs -- Allow netutils and traceroute bpf capability to run bpf programs -- Allow pkcs_slotd_t bpf capability to run bpf programs -- Allow xdm bpf capability to run bpf programs -- Allow pcscd bpf capability to run bpf programs -- Allow lldpad bpf capability to run bpf programs -- Allow keepalived bpf capability to run bpf programs -- Allow ipsec bpf capability to run bpf programs -- Allow fprintd bpf capability to run bpf programs -- Allow systemd-socket-proxyd get filesystems attributes -- Allow dirsrv_snmp_t to manage 
dirsrv_config_t & dirsrv_var_run_t files - -* Mon Oct 31 2022 Zdenek Pytela - 37.14-1 -- Allow rotatelogs read httpd_log_t symlinks -- Add winbind-rpcd to samba_enable_home_dirs boolean -- Allow system cronjobs dbus chat with setroubleshoot -- Allow setroubleshootd read device sysctls -- Allow virt_domain read device sysctls -- Allow rhcd compute selinux access vector -- Allow insights-client manage samba var dirs -- Label ports 10161-10162 tcp/udp with snmp -- Allow aide to connect to systemd_machined with a unix socket. -- Allow samba-dcerpcd use NSCD services over a unix stream socket -- Allow vlock search the contents of the /dev/pts directory -- Allow insights-client send null signal to rpm and system cronjob -- Label port 15354/tcp and 15354/udp with opendnssec -- Allow ftpd map ftpd_var_run files -- Allow targetclid to manage tmp files -- Allow insights-client connect to postgresql with a unix socket -- Allow insights-client domtrans on unix_chkpwd execution -- Add file context entries for insights-client and rhc -- Allow pulseaudio create gnome content (~/.config) -- Allow login_userdomain dbus chat with rhsmcertd -- Allow sbd the sys_ptrace capability -- Allow ptp4l_t name_bind ptp_event_port_t - -* Mon Oct 03 2022 Zdenek Pytela - 37.13-1 -- Remove the ipa module -- Allow sss daemons read/write unnamed pipes of cloud-init -- Allow postfix_mailqueue create and use unix dgram sockets -- Allow xdm watch user home directories -- Allow nm-dispatcher ddclient plugin load a kernel module -- Stop ignoring standalone interface files -- Drop cockpit module -- Allow init map its private tmp files -- Allow xenstored change its hard resource limits -- Allow system_mail-t read network sysctls -- Add bgpd sys_chroot capability - -* Thu Sep 22 2022 Zdenek Pytela - 37.12-1 -- nut-upsd: kernel_read_system_state, fs_getattr_cgroup -- Add numad the ipc_owner capability -- Allow gst-plugin-scanner read virtual memory sysctls -- Allow init read/write inherited user fifo files 
-- Update dnssec-trigger policy: setsched, module_request -- added policy for systemd-socket-proxyd -- Add the new 'cmd' permission to the 'io_uring' class -- Allow winbind-rpcd read and write its key ring -- Label /run/NetworkManager/no-stub-resolv.conf net_conf_t -- blueman-mechanism can read ~/.local/lib/python*/site-packages directory -- pidof executed by abrt can readlink /proc/*/exe -- Fix typo in comment -- Do not run restorecon /etc/NetworkManager/dispatcher.d in mls and minimum - -* Wed Sep 14 2022 Zdenek Pytela - 37.11-1 -- Allow tor get filesystem attributes -- Allow utempter append to login_userdomain stream -- Allow login_userdomain accept a stream connection to XDM -- Allow login_userdomain write to boltd named pipes -- Allow staff_u and user_u users write to bolt pipe -- Allow login_userdomain watch various directories -- Update rhcd policy for executing additional commands 5 -- Update rhcd policy for executing additional commands 4 -- Allow rhcd create rpm hawkey logs with correct label -- Allow systemd-gpt-auto-generator to check for empty dirs -- Update rhcd policy for executing additional commands 3 -- Allow journalctl read rhcd fifo files -- Update insights-client policy for additional commands execution 5 -- Allow init remount all file_type filesystems -- Confine insights-client systemd unit -- Update insights-client policy for additional commands execution 4 -- Allow pcp pmcd search tracefs and acct_data dirs -- Allow httpd read network sysctls -- Dontaudit domain map permission on directories -- Revert "Allow X userdomains to mmap user_fonts_cache_t dirs" -- Revert "Allow xdm_t domain to mmap /var/lib/gdm/.cache/fontconfig BZ(1725509)" -- Update insights-client policy for additional commands execution 3 -- Allow systemd permissions needed for sandboxed services -- Add rhcd module -- Make dependency on rpm-plugin-selinux unordered - -* Fri Sep 02 2022 Zdenek Pytela - 37.10-1 -- Allow ipsec_t read/write tpm devices -- Allow rhcd execute all 
executables -- Update rhcd policy for executing additional commands 2 -- Update insights-client policy for additional commands execution 2 -- Allow sysadm_t read raw memory devices -- Allow chronyd send and receive chronyd/ntp client packets -- Allow ssh client read kerberos homedir config files -- Label /var/log/rhc-worker-playbook with rhcd_var_log_t -- Update insights-client policy (auditctl, gpg, journal) -- Allow system_cronjob_t domtrans to rpm_script_t -- Allow smbd_t process noatsecure permission for winbind_rpcd_t -- Update tor_bind_all_unreserved_ports interface -- Allow chronyd bind UDP sockets to ptp_event ports. -- Allow unconfined and sysadm users transition for /root/.gnupg -- Add gpg_filetrans_admin_home_content() interface -- Update rhcd policy for executing additional commands -- Update insights-client policy for additional commands execution -- Add userdom_view_all_users_keys() interface -- Allow gpg read and write generic pty type -- Allow chronyc read and write generic pty type -- Allow system_dbusd ioctl kernel with a unix stream sockets -- Allow samba-bgqd to read a printer list -- Allow stalld get and set scheduling policy of all domains. 
-- Allow unconfined_t transition to targetclid_home_t - -* Thu Aug 11 2022 Zdenek Pytela - 37.9-1 -- Allow nm-dispatcher custom plugin dbus chat with nm -- Allow nm-dispatcher sendmail plugin get status of systemd services -- Allow xdm read the kernel key ring -- Allow login_userdomain check status of mount units -- Allow postfix/smtp and postfix/virtual read kerberos key table -- Allow services execute systemd-notify -- Do not allow login_userdomain use sd_notify() -- Allow launch-xenstored read filesystem sysctls -- Allow systemd-modules-load write to /dev/kmsg and send a message to syslogd -- Allow openvswitch fsetid capability -- Allow openvswitch use its private tmpfs files and dirs -- Allow openvswitch search tracefs dirs -- Allow pmdalinux read files on an nfsd filesystem -- Allow winbind-rpcd write to winbind pid files -- Allow networkmanager to signal unconfined process -- Allow systemd_hostnamed label /run/systemd/* as hostnamed_etc_t -- Allow samba-bgqd get a printer list -- fix(init.fc): Fix section description -- Allow fedora-third-party read the passwords file -- Remove permissive domain for rhcd_t -- Allow pmie read network state information and network sysctls -- Revert "Dontaudit domain the fowner capability" -- Allow sysadm_t to run bpftool on the userdomain attribute -- Add the userdom_prog_run_bpf_userdomain() interface -- Allow insights-client rpm named file transitions -- Add /var/tmp/insights-archive to insights_client_filetrans_named_content - -* Mon Aug 01 2022 Zdenek Pytela - 37.8-1 -- Allow sa-update to get init status and start systemd files -- Use insights_client_filetrans_named_content -- Make default file context match with named transitions -- Allow nm-dispatcher tlp plugin send system log messages -- Allow nm-dispatcher tlp plugin create and use unix_dgram_socket -- Add permissions to manage lnk_files into gnome_manage_home_config -- Allow rhsmcertd to read insights config files -- Label /etc/insights-client/machine-id -- 
fix(devices.fc): Replace single quote in comment to solve parsing issues -- Make NetworkManager_dispatcher_custom_t an unconfined domain - -* Sat Jul 23 2022 Fedora Release Engineering - 37.7-2 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild - -* Thu Jul 14 2022 Zdenek Pytela - 37.7-1 -- Update winbind_rpcd_t -- Allow some domains use sd_notify() -- Revert "Allow rabbitmq to use systemd notify" -- fix(sedoctool.py): Fix syntax warning: "is not" with a literal -- Allow nm-dispatcher console plugin manage etc files -- Allow networkmanager_dispatcher_plugin list NetworkManager_etc_t dirs -- Allow nm-dispatcher console plugin setfscreate -- Support using systemd-update-helper in rpm scriptlets -- Allow nm-dispatcher winbind plugin read samba config files -- Allow domain use userfaultfd over all domains -- Allow cups-lpd read network sysctls - -* Wed Jun 29 2022 Zdenek Pytela - 37.6-1 -- Allow stalld set scheduling policy of kernel threads -- Allow targetclid read /var/target files -- Allow targetclid read generic SSL certificates (fixed) -- Allow firewalld read the contents of the sysfs filesystem -- Fix file context pattern for /var/target -- Use insights_client_etc_t in insights_search_config() -- Allow nm-dispatcher ddclient plugin handle systemd services -- Allow nm-dispatcher winbind plugin run smbcontrol -- Allow nm-dispatcher custom plugin create and use unix dgram socket -- Update samba-dcerpcd policy for kerberos usage 2 -- Allow keepalived read the contents of the sysfs filesystem -- Allow amandad read network sysctls -- Allow cups-lpd read network sysctls -- Allow kpropd read network sysctls -- Update insights_client_filetrans_named_content() -- Allow rabbitmq to use systemd notify -- Label /var/target with targetd_var_t -- Allow targetclid read generic SSL certificates -- Update rhcd policy -- Allow rhcd search insights configuration directories -- Add the kernel_read_proc_files() interface -- Require policycoreutils >= 3.4-1 -- Add a 
script for enclosing interfaces in ifndef statements -- Disable rpm verification on interface_info - -* Wed Jun 22 2022 Zdenek Pytela - 37.5-1 -- Allow transition to insights_client named content -- Add the insights_client_filetrans_named_content() interface -- Update policy for insights-client to run additional commands 3 -- Allow dhclient manage pid files used by chronyd -- Allow stalld get scheduling policy of kernel threads -- Allow samba-dcerpcd work with sssd -- Allow dlm_controld send a null signal to a cluster daemon -- Allow ksmctl create hardware state information files -- Allow winbind_rpcd_t connect to self over a unix_stream_socket -- Update samba-dcerpcd policy for kerberos usage -- Allow insights-client execute its private memfd: objects -- Update policy for insights-client to run additional commands 2 -- Use insights_client_tmp_t instead of insights_client_var_tmp_t -- Change space indentation to tab in insights-client -- Use socket permissions sets in insights-client -- Update policy for insights-client to run additional commands -- Change rpm_setattr_db_files() to use a pattern -- Allow init_t to rw insights_client unnamed pipe -- Add rpm setattr db files macro -- Fix insights client -- Update kernel_read_unix_sysctls() for sysctl_net_unix_t handling -- Allow rabbitmq to access its private memfd: objects -- Update policy for samba-dcerpcd -- Allow stalld setsched and sys_nice - -* Tue Jun 07 2022 Zdenek Pytela - 37.4-1 -- Allow auditd_t noatsecure for a transition to audisp_remote_t -- Allow ctdbd nlmsg_read on netlink_tcpdiag_socket -- Allow pcp_domain execute its private memfd: objects -- Add support for samba-dcerpcd -- Add policy for wireguard -- Confine targetcli -- Allow systemd work with install_t unix stream sockets -- Allow iscsid the sys_ptrace userns capability -- Allow xdm connect to unconfined_service_t over a unix stream socket - -* Fri May 27 2022 Zdenek Pytela - 37.3-1 -- Allow nm-dispatcher custom plugin execute systemctl -- Allow 
nm-dispatcher custom plugin dbus chat with nm -- Allow nm-dispatcher custom plugin create and use udp socket -- Allow nm-dispatcher custom plugin create and use netlink_route_socket -- Use create_netlink_socket_perms in netlink_route_socket class permissions -- Add support for nm-dispatcher sendmail scripts -- Allow sslh net_admin capability -- Allow insights-client manage gpg admin home content -- Add the gpg_manage_admin_home_content() interface -- Allow rhsmcertd create generic log files -- Update logging_create_generic_logs() to use create_files_pattern() -- Label /var/cache/insights with insights_client_cache_t -- Allow insights-client search gconf homedir -- Allow insights-client create and use unix_dgram_socket -- Allow blueman execute its private memfd: files -- Move the chown call into make-srpm.sh - -* Fri May 06 2022 Zdenek Pytela - 37.2-1 -- Use the networkmanager_dispatcher_plugin attribute in allow rules -- Make a custom nm-dispatcher plugin transition -- Label port 4784/tcp and 4784/udp with bfd_multi -- Allow systemd watch and watch_reads user ptys -- Allow sblim-gatherd the kill capability -- Label more vdsm utils with virtd_exec_t -- Add ksm service to ksmtuned -- Add rhcd policy -- Dontaudit guest attempts to dbus chat with systemd domains -- Dontaudit guest attempts to dbus chat with system bus types -- Use a named transition in systemd_hwdb_manage_config() -- Add default fc specifications for patterns in /opt -- Add the files_create_etc_files() interface -- Allow nm-dispatcher console plugin create and write files in /etc -- Allow nm-dispatcher console plugin transition to the setfiles domain -- Allow more nm-dispatcher plugins append to init stream sockets -- Allow nm-dispatcher tlp plugin dbus chat with nm -- Reorder networkmanager_dispatcher_plugin_template() calls -- Allow svirt connectto virtlogd -- Allow blueman map its private memfd: files -- Allow sysadm user execute init scripts with a transition -- Allow sblim-sfcbd connect to 
sblim-reposd stream -- Allow keepalived_unconfined_script_t dbus chat with init -- Run restorecon with "-i" not to report errors - -* Mon May 02 2022 Zdenek Pytela - 37.1-1 -- Fix users for SELinux userspace 3.4 -- Label /var/run/machine-id as machineid_t -- Add stalld to modules.conf -- Use files_tmpfs_file() for rhsmcertd_tmpfs_t -- Allow blueman read/write its private memfd: objects -- Allow insights-client read rhnsd config files -- Allow insights-client create_socket_perms for tcp/udp sockets +%autochangelog
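Review bot: the trailing `+%autochangelog` line replaces the hand-maintained `%changelog` entries removed above (37.1-1 through 38.1-1 and later), so verify that every removed entry is carried over verbatim into the dist-git `changelog` file that rpmautospec prepends to the generated changelog; otherwise security-relevant history such as `Revert "Allow sysadm_t read raw memory devices"`, `Remove permissive domain for rhcd_t` and `Allow rhcd execute all executables` is no longer auditable from the built package. `%autochangelog` also only expands where the rpmautospec macros are present (it is normally paired with `%autorelease`), so the spec should be checked to still build in a plain rpmbuild/mock run, and the entries split across the flattened lines here (e.g. `Allow dirsrv_snmp_t to manage dirsrv_config_t & dirsrv_var_run_t files`) are worth diffing against the new file line by line.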