- Revert "Add support for /sys/fs/kdbus and allow login_pgm domain to access it."
- Revert "Add interface to allow types to associate with cgroup filesystems"
- Revert "kdbusfs should not be accessible for now."
- Revert "kdbusfs should not be accessible for now by default for shipped policies. It should be moved to kdbus.pp"
- Revert "Add kdbus.pp policy to allow access /sys/fs/kdbus. It needs to go with own module because this is workaround for now to avoid SELinux in enforcing mode."
- Remove the legacy kdbus module
- Remove "kdbus = module" from modules-targeted-base.conf
- Additional support for keepalived running in a namespace
- Remove systemd_dbus_chat_resolved(pcp_pmie_t)
- virt: remove the libvirt qmf rules
- Allow certmonger manage dirsrv services
- Run ipa_helper_noatsecure(oddjob_t) only if the interface exists
- Allow domain dbus chat with systemd-resolved
- Define file context for /var/run/netns directory only
- Revert "Add support for fuse.glusterfs"
- Allow pdns server to read system state
- Allow irqbalance nnp_transition
- Fix description tag for the sssd_connect_all_unreserved_ports tunable
- Allow journalctl process set its resource limits
- Add sssd_access_kernel_keys tunable to conditionally access kernel keys
- Make keepalived work with network namespaces
- Create sssd_connect_all_unreserved_ports boolean
- Allow hypervkvpd to request kernel to load a module
- Allow systemd_private_tmp(dirsrv_tmp_t)
- Allow microcode_ctl get attributes of sysfs directories
- Remove duplicate files_dontaudit_list_tmp(radiusd_t) line
- Allow radiusd connect to gssproxy over unix domain stream socket
- Add fwupd_cache_t file context for '/var/cache/fwupd(/.*)?'
- Allow qemu read and write /dev/mapper/control
- Allow tlp_t can_exec() tlp_exec_t
- Dontaudit vpnc_t setting its process scheduling
- Remove files_mmap_usr_files() call for particular domains
- Allow dirsrv_t list cgroup directories
- Crete the kerberos_write_kadmind_tmp_files() interface
- Allow realmd_t dbus chat with accountsd_t
- Label systemd-growfs and systemd-makefs as fsadm_exec_t
- Allow staff_u and user_u setattr generic usb devices
- Allow sysadm_t dbus chat with accountsd
- Modify kernel_rw_key() not to include append permission
- Add kernel_rw_key() interface to access to kernel keyrings
- Modify systemd_delete_private_tmp() to use delete_*_pattern macros
- Allow systemd-modules to load kernel modules
- Add cachefiles_dev_t as a typealias to cachefiles_device_t
- Allow libkrb5 lib read client keytabs
- Allow domain mmap usr_t files
- Remove files_mmap_usr_files() call for systemd domains
- Allow sshd write to kadmind temporary files
- Do not audit staff_t and user_t attempts to manage boot_t entries
- Add files_dontaudit_manage_boot_dirs() interface
- Allow systemd-tty-ask-password-agent read efivarfs files
- Add fetchmail_uidl_cache_t type for /var/mail/.fetchmail.pid
- Support multiple ways of tlp invocation
- Allow qemu-kvm read and write /dev/mapper/control
- Introduce logrotate_use_cifs boolean
- Allow ptp4l_t sys_admin capability to run bpf programs
- Allow to getattr files on an nsfs filesystem
- httpd: Allow NoNewPriv transition from systemd
- Allow rhsmd read process state of all domains and kernel threads
- Allow rhsmd mmap /etc/passwd
- Allow systemd-logind manage efivarfs files
- Allow initrc_t tlp_filetrans_named_content()
- Allow systemd_resolved_t to read efivarfs
- Allow systemd_modules_load_t to read efivarfs
- Introduce systemd_read_efivarfs_type attribute
- Allow named transition for /run/tlp from a user shell
- Allow ipsec_mgmt_t mmap ipsec_conf_file_t files
- Add file context for /sys/kernel/tracing
- Allow chronyc_t domain to use nsswitch
- Allow nscd_socket_use() for domains in nscd_use() unconditionally
- Add allow rules for lttng-sessiond domain
- Label dirsrv systemd unit files and add dirsrv_systemctl()
- Allow gluster geo-replication in rsync mode
- Allow nagios_plugin_domain execute programs in bin directories
- Allow sys_admin capability for domain labeled systemd_bootchart_t
- Split the arping path regexp to 2 lines to prevent from relabeling
- Allow tcpdump sniffing offloaded (RDMA) traffic
- Revert "Change arping path regexp to work around fixfiles incorrect handling"
- Change arping path regexp to work around fixfiles incorrect handling
- Allow read efivarfs_t files by domains executing systemctl file
- Update networkmanager_read_pid_files() to allow also list_dir_perms
- Update policy for NetworkManager_ssh_t
- Allow glusterd synchronize between master and slave
- Allow spamc_t domain to read network state
- Allow strongswan use tun/tap devices and keys
- Allow systemd_userdbd_t domain logging to journal
- Allow rngd create netlink_kobject_uevent_socket and read udev runtime files
- Allow ssh-keygen create file in /var/lib/glusterd
- Update ctdbd_manage_lib_files() to also allow mmap ctdbd_var_lib_t files
- Merge ipa and ipa_custodia modules
- Allow NetworkManager_ssh_t to execute_no_trans for binary ssh_exec_t
- Introduce daemons_dontaudit_scheduling boolean
- Modify path for arping in netutils.fc to match both bin and sbin
- Change file context for /var/run/pam_ssh to match file transition
- Add file context entry and file transition for /var/run/pam_timestamp
- Allow NetworkManager read its unit files and manage services
- Add init_daemon_domain() for geoclue_t
- Allow to use nnp_transition in pulseaudio_role
- Allow pdns_t domain to map files in /usr.
- Label all NetworkManager fortisslvpn plugins as openfortivpn_exec_t
- Allow login_pgm create and bind on netlink_selinux_socket
- Allow certmonger_t domain to read pkcs_slotd lock files
- Allow httpd_t domain to mmap own var_lib_t files BZ(1804853)
- Allow ipda_custodia_t to create udp_socket and added permission nlmsg_read for netlink_route_sockets
- Make file context more variable for /usr/bin/fusermount and /bin/fusermount
- Allow local_login_t domain to getattr cgroup filesystem
- Allow systemd_logind_t domain to manage user_tmp_t char and block devices
- Dontaudit timedatex_t read file_contexts_t and validate security contexts
- Make stratisd_t domain unconfined for now.
- stratisd_t policy updates.
- Label /var/spool/plymouth/boot.log as plymouthd_var_log_t
- Label /stratis as stratisd_data_t
- Allow opafm_t to create and use netlink rdma sockets.
- Allow stratisd_t domain to read/write fixed disk devices and removable devices.
- Added macro for stratisd to chat over dbus
- Add dac_override capability to stratisd_t domain
- Allow init_t set the nice level of all domains BZ(1778088)
- Allow userdomain to chat with stratisd over dbus.
- Fix typo in anaconda SELinux module
- Allow rtkit_t domain to control scheduling for your install_t processes
- Boolean: rngd_t to use executable memory
- Allow rngd_t domain to use nsswitch BZ(1787661)
- Allow exim to execute bin_t without domain trans
- Allow create udp sockets for abrt_upload_watch_t domains
- Drop label zebra_t for frr binaries
- Allow NetworkManager_t domain to get status of samba services
- Update milter policy to allow use sendmail
- Modify file context for .local directory to match exactly BZ(1637401)
- Allow init_t domain to create own socket files in /tmp
- Allow ipsec_mgmt_t domain to mmap ipsec_conf_file_t files
- Create files_create_non_security_dirs() interface
- Introduce new type pdns_var_lib_t
- Allow zebra_t domain to read files labled as nsfs_t.
- Allow systemd to setattr on all device_nodes
- Allow systemd to mounton and list all proc types
- Fix nonexisting types in rtas_errd_rw_lock interface
- Allow snmpd_t domain to trace processes in user namespace
- Allow timedatex_t domain to read relatime clock and adjtime_t files
- Allow zebra_t domain to execute zebra binaries
- Label /usr/lib/NetworkManager/dispatcher as NetworkManager_initrc_exec_t
- Allow ksmtuned_t domain to trace processes in user namespace
- Allow systemd to read symlinks in /var/lib
- Update dev_mounton_all_device_nodes() interface
- Add the miscfiles_map_generic_certs macro to the sysnet_dns_name_resolve macro.
- Allow systemd_domain to map files in /usr.
- Allow strongswan start using swanctl method BZ(1773381)
- Dontaudit systemd_tmpfiles_t getattr of all file types BZ(1772976)
- Allow timedatex_t domain dbus chat with both confined and unconfined users
- Allow timedatex_t domain dbus chat with unconfined users
- Allow NetworkManager_t manage dhcpc_state_t BZ(1770698)
- Make unconfined domains part of domain_named_attribute
- Label tcp ports 24816,24817 as pulp_port_t
- Remove duplicate entries for initrc_t in init.te
- Fix typo bugs in rtas_errd_read_lock() interface
- cockpit: Drop cockpit-cert-session
- Allow timedatex_t domain to systemctl chronyd domains
- Allow ipa_helper_t to read kr5_keytab_t files
- cockpit: Allow cockpit-session to read cockpit-tls state directory
- Allow stratisd_t domain to read nvme and fixed disk devices
- Update lldpad_t policy module
- Dontaudit tmpreaper_t getting attributes from sysctl_type files
- cockpit: Support https instance factory
- Added macro for timedatex to chat over dbus.
- Fix typo in dev_filetrans_all_named_dev()
- Update files_manage_etc_runtime_files() interface to allow manage also dirs
- Fix typo in cachefiles device
- Dontaudit sys_admin capability for auditd_t domains
- Allow x_userdomain to read adjtime_t files
- Allow users using template userdom_unpriv_user_template() to run bpf tool
- Allow x_userdomain to dbus_chat with timedatex.
- Label /var/cache/nginx as httpd_cache_t
- Allow abrt_upload_watch_t domain to send dgram msgs to kernel processes and stream connect to journald
- Created dnsmasq_use_ipset boolean
- Allow capability dac_override in logwatch_mail_t domain
- Allow automount_t domain to execute ping in own SELinux domain (ping_t)
- Allow tmpreaper_t domain to getattr files labeled as mtrr_device_t
- Allow collectd_t domain to create netlink_generic_socket sockets
- Allow rhsmcertd_t domain to read/write rtas_errd_var_lock_t files
- Allow tmpwatch process labeled as tmpreaper_t domain to execute fuser command.
- Label /etc/postfix/chroot-update as postfix_exec_t
- Update tmpreaper_t policy due to fuser command
- Allow kdump_t domain to create netlink_route and udp sockets
- Allow stratisd to connect to dbus
- Allow fail2ban_t domain to create netlink netfilter sockets.
- Allow dovecot get filesystem quotas
- Allow networkmanager_t domain to execute chronyd binary in chronyd_t domain. BZ(1765689)
- Allow systemd-tmpfiles processes to set rlimit information
- Allow cephfs to use xattrs for storing contexts
- Update files_filetrans_named_content() interface to allow caller domain to create /oldroot /.profile with correct label etc_runtime_t
- Allow nagios_script_t domain list files labled sysfs_t.
- Allow jetty_t domain search and read cgroup_t files.
- Allow Gluster mount client to mount files_type
- Dontaudit and disallow sys_admin capability for keepalived_t domain
- Update numad policy to allow signull, kill, nice and trace processes
- Allow ipmievd_t to RW watchdog devices
- Allow ldconfig_t domain to manage initrc_tmp_t link files Allow netutils_t domain to write to initrc_tmp_t fifo files
- Allow user domains to manage user session services
- Allow staff and user users to get status of user systemd session
- Update sudo_role_template() to allow caller domain to read syslog pid files
- Revert "nova.fc: fix duplicated slash"
- Introduce new bolean httpd_use_opencryptoki
- Add new interface apache_read_state()
- Allow setroubleshoot_fixit_t to read random_device_t
- Label /etc/named direcotory as named_conf_t BZ(1759495)
- nova.fc: fix duplicated slash
- Allow dkim to execute sendmail
- Update virt_read_content interface to allow caller domain mmap virt_content_t block devices and files
- Update aide_t domain to allow this tool to analyze also /dev filesystem
- Update interface modutils_read_module_deps to allow caller domain also mmap modules_dep_t files BZ(1758634)
- Allow avahi_t to send msg to xdm_t
- Allow systemd_logind to read dosfs files & dirs Allow systemd-logind - a system service that manages user logins, to read files and list dirs on a DOS filesystem
- Update dev_manage_sysfs() to support managing also lnk files BZ(1759019)
- Allow systemd_logind_t domain to read blk_files in domain removable_device_t
- Add new interface udev_getattr_rules_chr_files()
- Update aide_t domain to allow this tool to analyze also /dev filesystem
- Allow bitlbee_t domain map files in /usr
- Allow stratisd to getattr of fixed disk device nodes
- Add net_broadcast capability to openvswitch_t domain BZ(1716044)
- Allow exim_t to read mysqld conf files if exim_can_connect_db is enabled. BZ(1756973)
- Allow cobblerd_t domain search apache configuration dirs
- Dontaudit NetworkManager_t domain to write to kdump temp pipies BZ(1750428)
- Label /var/log/collectd.log as collectd_log_t
- Allow boltd_t domain to manage sysfs files and dirs BZ(1754360)
- Add fowner capability to the pcp_pmlogger_t domain BZ(1754767)
- networkmanager: allow NetworkManager_t to create bluetooth_socket
- Fix ipa_custodia_stream_connect interface
- Add new interface udev_getattr_rules_chr_files()
- Make dbus-broker service working on s390x arch
- Add new interface dev_mounton_all_device_nodes()
- Add new interface dev_create_all_files()
- Allow systemd(init_t) to load kernel modules
- Allow ldconfig_t domain to manage initrc_tmp_t objects
- Add new interface init_write_initrc_tmp_pipes()
- Add new interface init_manage_script_tmp_files()
- Allow xdm_t setpcap capability in user namespace BZ(1756790)
- Allow x_userdomain to mmap generic SSL certificates
- Allow xdm_t domain to user netlink_route sockets BZ(1756791)
- Update files_create_var_lib_dirs() interface to allow caller domain also set attributes of var_lib_t directory BZ(1754245)
- Allow sudo userdomain to run rpm related commands
- Add sys_admin capability for ipsec_t domain
- Allow systemd_modules_load_t domain to read systemd pid files
- Add new interface init_read_pid_files()
- Allow systemd labeled as init_t domain to manage faillog_t objects
- Add file context ipsec_var_run_t for /var/run/charon\.dck to ipsec.fc
- Make ipa_custodia policy active
- Run ipa-custodia as ipa_custodia_t
- Update webalizer_t SELinux policy
- Dontaudit thumb_t domain to getattr of nsfs_t files BZ(1753598)
- Allow rhsmcertd_t domain to read rtas_errd lock files
- Add new interface rtas_errd_read_lock()
- Update allow rules set for nrpe_t domain
- Update timedatex SELinux policy to to sychronizate time with GNOME and add new macro chronyd_service_status to chronyd.if
- Allow avahi_t to send msg to lpr_t
- Label /dev/shm/dirsrv/ with dirsrv_tmpfs_t label
- Allow dlm_controld_t domain to read random device
- Label libvirt drivers as virtd_exec_t
- Add sys_ptrace capability to pcp_pmlogger_t domain BZ(1751816)
- Allow gssproxy_t domain read state of all processes on system
- Add new macro systemd_timedated_status to systemd.if to get timedated service status
- Introduce xdm_manage_bootloader booelan
- Revert "Unconfined domains, need to create content with the correct labels"
- Allow xdm_t domain to read sssd pid files BZ(1753240)
- Move open, audit_access, and execmod to common file perms
- Add sys_ptrace capability to pcp_pmlogger_t domain BZ(1751816)
- Allow gssproxy_t domain read state of all processes on system
- Fix typo in cachefilesd module
- Allow cachefilesd_t domain to read/write cachefiles_device_t devices
- Remove setting label for /dev/cachefilesd char device from cachefilesd policy. This should be added in base policy
- Add sys_admin capability for keepalived_t labeled processes
- Allow user_mail_domain attribute to manage files labeled as etc_aliases_t.
- Create new type ipmievd_helper_t domain for loading kernel modules.
- Run stratisd service as stratisd_t
- Fix abrt_upload_watch_t in abrt policy
- Update keepalived policy
- Update cron_role, cron_admin_role and cron_unconfined_role to avoid *_t_t types
- Revert "Create admin_crontab_t and admin_crontab_tmp_t types"
- Revert "Update cron_role() template to accept third parameter with SELinux domain prefix"
- Allow amanda_t to manage its var lib files and read random_device_t
- Create admin_crontab_t and admin_crontab_tmp_t types
- Add setgid and setuid capabilities to keepalived_t domain
- Update cron_role() template to accept third parameter with SELinux domain prefix
- Allow psad_t domain to create tcp diag sockets BZ(1750324)
- Allow systemd to mount fwupd_cache_t BZ(1750288)
- Allow chronyc_t domain to append to all non_security files
- Update zebra SELinux policy to make it work also with frr service
- Allow rtkit_daemon_t domain set process nice value in user namespaces BZ(1750024)
- Dontaudit rhsmcertd_t to write to dirs labeled as lib_t BZ(1556763)
- Label /var/run/mysql as mysqld_var_run_t
- Allow chronyd_t domain to manage and create chronyd_tmp_t dirs,files,sock_file objects.
- Update timedatex policy to manage localization
- Allow sandbox_web_type domains to sys_ptrace and sys_chroot in user namespaces
- Update gnome_dontaudit_read_config
- Allow devicekit_var_lib_t dirs to be created by systemd during service startup. BZ(1748997)
- Allow systemd labeled as init_t domain to remount rootfs filesystem
- Add interface files_remount_rootfs()
- Dontaudit sys_admin capability for iptables_t SELinux domain
- Label /dev/cachefilesd as cachefiles_device_t
- Make stratisd policy active
- Allow userdomains to dbus chat with policykit daemon
- Update userdomains to pass correct parametes based on updates from cron_*_role interfaces
- New interface files_append_non_security_files()
- Label 2618/tcp and 2618/udp as priority_e_com_port_t
- Label 2616/tcp and 2616/udp as appswitch_emp_port_t
- Label 2615/tcp and 2615/udp as firepower_port_t
- Label 2610/tcp and 2610/udp as versa_tek_port_t
- Label 2613/tcp and 2613/udp as smntubootstrap_port_t
- Label 3784/tcp and 3784/udp as bfd_control_port_t
- Remove rule allowing all processes to stream connect to unconfined domains
- Allow zabbix_t domain to manage zabbix_var_lib_t sock files and connect to unix_stream_socket
- Dontaudit sandbox web types to setattr lib_t dirs
- Dontaudit system_mail_t domains to check for existence other applications on system BZ(1747369)
- Allow haproxy_t domain to read network state of system
- Allow processes labeled as keepalived_t domain to get process group
- Introduce dbusd_unit_file_type
- Allow pesign_t domain to read/write named cache files.
- Label /var/log/hawkey.log as rpm_log_t and update rpm named filetrans interfaces.
- Allow httpd_t domain to read/write named_cache_t files
- Add new interface bind_rw_cache()
- Allow cupsd_t domain to create directory with name ppd in dirs labeled as cupsd_etc_t with label cupsd_rw_etc_t.
- Update cpucontrol_t SELinux policy
- Allow pcp_pmcd_t domain to bind on udp port labeled as statsd_port_t
- Run lldpd service as lldpad_t.
- Allow spamd_update_t domain to create unix dgram sockets.
- Update dbus role template for confined users to allow login into x session
- Label /usr/libexec/microcode_ctl/reload_microcode as cpucontrol_exec_t
- Fix typo in networkmanager_append_log() interface
- Update collectd policy to allow daemon create /var/log/collectd with collectd_log_t label
- Allow login user type to use systemd user session
- Allow xdm_t domain to start dbusd services.
- Introduce new type xdm_unit_file_t
- Remove allowing all domain to communicate over pipes with all domain under rpm_transition_domain attribute
- Allow systemd labeled as init_t to remove sockets with tmp_t label BZ(1745632)
- Allow ipsec_t domain to read/write named cache files
- Allow sysadm_t to create hawkey log file with rpm_log_t SELinux label
- Allow domains systemd_networkd_t and systemd_logind_t to chat over dbus
- Label udp 8125 port as statsd_port_t
- cockpit: Allow cockpit-session to read cockpit-tls state
- Allow zebrat_t domain to read state of NetworkManager_t processes BZ(1739983)
- Allow named_t domain to read/write samba_var_t files BZ(1738794)
- Dontaudit abrt_t domain to read root_t files
- Allow ipa_dnskey_t domain to read kerberos keytab
- Allow mongod_t domain to read cgroup_t files BZ(1739357)
- Update ibacm_t policy
- Allow systemd to relabel all files on system.
- Revert "Add new boolean systemd_can_relabel"
- Allow xdm_t domain to read kernel sysctl BZ(1740385)
- Add sys_admin capability for xdm_t in user namespace. BZ(1740386)
- Allow dbus communications with resolved for DNS lookups
- Add new boolean systemd_can_relabel
- Allow auditd_t domain to create auditd_tmp_t temporary files and dirs in /tmp or /var/tmp
- Label '/var/usrlocal/(.*/)?sbin(/.*)?' as bin_t
- Update systemd_dontaudit_read_unit_files() interface to dontaudit alos listing dirs
- Run lvmdbusd service as lvm_t
- Allow tlp domain run tlp in trace mode BZ(1737106)
- Make timedatex_t domain system dbus bus client BZ(1737239)
- Allow cgdcbxd_t domain to list cgroup dirs
- Allow systemd to create and bindmount dirs. BZ(1734831)
- New policy for rrdcached
- Allow dhcpd_t domain to read network sysctls.
- Allow nut services to communicate with unconfined domains
- Allow virt_domain to Support ecryptfs home dirs.
- Allow domain transition lsmd_t to sensord_t
- Allow httpd_t to signull mailman_cgi_t process
- Make rrdcached policy active
- Label /etc/sysconfig/ip6?tables\.save as system_conf_t Resolves: rhbz#1733542
- Allow machinectl to run pull-tar BZ(1724247)
- Allow spamd_update_t domain to read network state of system BZ(1733172)
- Allow dlm_controld_t domain to transition to the lvm_t
- Allow sandbox_web_client_t domain to do sys_chroot in user namespace
- Allow virtlockd process read virtlockd.conf file
- Add more permissions for session dbus types to make working dbus broker with systemd user sessions
- Allow sssd_t domain to read gnome config and named cache files
- Allow brltty to request to load kernel module
- Add svnserve_tmp_t label forl svnserve temp files to system private tmp
- Allow sssd_t domain to read kernel net sysctls BZ(1732185)
- Run timedatex service as timedatex_t
- Allow mysqld_t domain to domtrans to ifconfig_t domain when executing ifconfig tool
- Allow cyrus work with PrivateTmp
- Make cgdcbxd_t domain working with SELinux enforcing.
- Make working wireshark execute byt confined users staff_t and sysadm_t
- Dontaudit virt_domain to manage ~/.cache dirs BZ(1730963)
- Allow svnserve_t domain to read system state
- allow named_t to map named_cache_t files
- Label user cron spool file with user_cron_spool_t
- Update gnome_role_template() template to allow sysadm_t confined user to login to xsession
- Allow lograte_t domain to manage collect_rw_content files and dirs
- Add interface collectd_manage_rw_content()
- Allow ifconfig_t domain to manage vmware logs
- Remove system_r role from staff_u user.
- Make new timedatex policy module active
- Add systemd_private_tmp_type attribute
- Allow systemd to load kernel modules during boot process.
- Allow sysadm_t and staff_t domains to read wireshark shared memory
- Label /usr/libexec/utempter/utempter as utemper_exec_t
- Allow ipsec_t domain to read/write l2tpd pipe BZ(1731197)
- Allow sysadm_t domain to create netlink selinux sockets
- Make cgdcbxd active in Fedora upstream sources