Using exact NVR dependencies works well within RPMS from a single SRPM,
but otherwise relies on assumptions which do not always hold out.
Because %release includes %dist, this is particularly fragile in the
context of the Rawhide->ELN->c10s build pipeline. For instance, if a
package which uses %selinux_requires gets built for ELN with the rawhide
selinux-policy, then .fcNN will be hardcoded into the ELN build, and the
ELN build with .elnNNN will never meet the condition (since f > e).
- Make named_zone_t and named_var_run_t a part of the mountpoint attribute
- Allow sysadm execute traceroute in sysadm_t domain using sudo
- Allow sysadm execute tcpdump in sysadm_t domain using sudo
- Allow opafm search nfs directories
- Add support for syslogd unconfined scripts
- Allow gpsd use /dev/gnss devices
- Allow gpg read rpm cache
- Allow virtqemud additional permissions
- Allow virtqemud manage its private lock files
- Allow virtqemud use the io_uring api
- Allow ddclient send e-mail notifications
- Allow postfix_master_t map postfix data files
- Allow init create and use vsock sockets
- Allow thumb_t append to init unix domain stream sockets
- Label /dev/vas with vas_device_t
- Change domain_kernel_load_modules boolean to true
- Create interface selinux_watch_config and add it to SELinux users
- Allow map xserver_tmpfs_t files when xserver_clients_write_xshm is on
- Allow graphical applications work in Wayland
- Allow kdump work with PrivateTmp
- Allow dovecot-auth work with PrivateTmp
- Allow nfsd get attributes of all filesystems
- Allow unconfined_domain_type use io_uring cmd on domain
- ci: Only run Rawhide revdeps tests on the rawhide branch
- Label /var/run/auditd.state as auditd_var_run_t
- Allow fido-device-onboard (FDO) read the crack database
- Allow ip an explicit domain transition to other domains
- Label /usr/libexec/selinux/selinux-autorelabel with semanage_exec_t
- Allow winbind_rpcd_t processes access when samba_export_all_* is on
- Enable NetworkManager and dhclient to use initramfs-configured DHCP connection
- Allow ntp to bind and connect to ntske port.
- Allow system_mail_t manage exim spool files and dirs
- Dontaudit keepalived setattr on keepalived_unconfined_script_exec_t
- Label /run/pcsd.socket with cluster_var_run_t
- ci: Run cockpit tests in PRs
- Add map_read map_write to kernel_prog_run_bpf
- Allow systemd-fstab-generator read all symlinks
- Allow systemd-fstab-generator the dac_override capability
- Allow rpcbind read network sysctls
- Support using systemd containers
- Allow sysadm_t to connect to iscsid using a unix domain stream socket
- Add policy for coreos installer
- Add coreos_installer to modules-targeted-contrib.conf
- Allow named and ndc use the io_uring api
- Deprecate common_anon_inode_perms usage
- Improve default file context(None) of /var/lib/authselect/backups
- Allow udev_t to search all directories with a filesystem type
- Implement proper anon_inode support
- Allow targetd write to the syslog pid sock_file
- Add ipa_pki_retrieve_key_exec() interface
- Allow kdumpctl_t to list all directories with a filesystem type
- Allow udev additional permissions
- Allow udev load kernel module
- Allow sysadm_t to mmap modules_object_t files
- Add the unconfined_read_files() and unconfined_list_dirs() interfaces
- Set default file context of HOME_DIR/tmp/.* to <<none>>
- Allow kernel_generic_helper_t to execute mount(1)
- Change file transition for systemd-network-generator
- Additional support for gnome-initial-setup
- Update gnome-initial-setup policy for geoclue
- Allow openconnect vpn open vhost net device
- Allow cifs.upcall to connect to SSSD also through the /var/run socket
- Grant cifs.upcall more required capabilities
- Allow xenstored map xenfs files
- Update policy for fdo
- Allow keepalived watch var_run dirs
- Allow svirt to rw /dev/udmabuf
- Allow qatlib to modify hardware state information.
- Allow key.dns_resolve connect to avahi over a unix stream socket
- Allow key.dns_resolve create and use unix datagram socket
- Use quay.io as the container image source for CI
- Allow rhsmcertd dbus chat with policykit
- Allow polkitd execute pkla-check-authorization with nnp transition
- Allow user_u and staff_u get attributes of non-security dirs
- Allow unconfined user filetrans chrome_sandbox_home_t
- Allow svnserve execute postdrop with a transition
- Do not make postfix_postdrop_t type an MTA executable file
- Allow samba-dcerpc service manage samba tmp files
- Add use_nfs_home_dirs boolean for mozilla_plugin
- Fix labeling for no-stub-resolv.conf
- Allow systemd-network-generator send system log messages
- Dontaudit the execute permission on sock_file globally
- Allow fsadm_t the file mounton permission
- Allow named and ndc the io_uring sqpoll permission
- Allow sssd io_uring sqpoll permission
- Fix location for /run/nsd
- Allow qemu-ga get fixed disk devices attributes
- Update bitlbee policy
- Label /usr/sbin/sos with sosreport_exec_t
- Update policy for the sblim-sfcb service
- Add the files_getattr_non_auth_dirs() interface
- Fix the CI to work with DNF5
- Make systemd_tmpfiles_t MLS trusted for lowering the level of files
- Revert "Allow insights client map cache_home_t"
- Allow nfsidmapd connect to systemd-machined over a unix socket
- Allow snapperd connect to kernel over a unix domain stream socket
- Allow virt_qemu_ga_t create .ssh dir with correct label
- Allow targetd read network sysctls
- Set the abrt_handle_event boolean to on
- Permit kernel_t to change the user identity in object contexts
- Allow insights client map cache_home_t
- Label /usr/sbin/mariadbd with mysqld_exec_t
- Trim changelog so that it starts at F37 time
- Define equivalency for /run/systemd/generator.early
- Change init_audit_control default value to true
- Allow nfsidmapd connect to systemd-userdbd with a unix socket
- Add the qatlib module
- Add the fdo module
- Add the bootupd module
- Set default ports for keylime policy
- Create policy for qatlib
- Add policy for FIDO Device Onboard
- Add policy for bootupd
- Add the qatlib module
- Add the fdo module
- Add the bootupd module
- Add support for kafs-dns requested by keyutils
- Allow insights-client execmem
- Add support for chronyd-restricted
- Add init_explicit_domain() interface
- Allow fsadm_t to get attributes of cgroup filesystems
- Add list_dir_perms to kerberos_read_keytab
- Label /var/run/tmpfiles.d/static-nodes.conf with kmod_var_run_t
- Allow sendmail manage its runtime files
- Allow keyutils_dns_resolver_exec_t be an entrypoint
- Allow collectd_t read network state symlinks
- Revert "Allow collectd_t read proc_net link files"
- Allow nfsd_t to list exports_t dirs
- Allow cupsd dbus chat with xdm
- Allow haproxy read hardware state information
- Add the kafs module
The container_selinux.8 manpage is a part of the upstream
container-selinux package and it should rather be a part
of container-selinux.
Resolves: rhbz#2209120
- Add support for the systemd-pstore service
- Allow kdumpctl_t to execmem
- Update sendmail policy module for opensmtpd
- Allow nagios-mail-plugin exec postfix master
- Allow subscription-manager execute ip
- Allow ssh client connect with a user dbus instance
- Add support for ksshaskpass
- Allow rhsmcertd file transition in /run also for socket files
- Allow keyutils_dns_resolver_t execute keyutils_dns_resolver_exec_t
- Allow plymouthd read/write X server miscellaneous devices
- Allow systemd-sleep read udev pid files
- Allow exim read network sysctls
- Allow sendmail request load module
- Allow named map its conf files
- Allow squid map its cache files
- Allow NetworkManager_dispatcher_dhclient_t to execute shells without a domain transition
- Add initial policy for cifs-helper
- Label key.dns_resolver with keyutils_dns_resolver_exec_t
- Allow unconfined_service_t to create .gnupg labeled as gpg_secret_t
- Allow some systemd services write to cgroup files
- Allow NetworkManager_dispatcher_dhclient_t to read the DHCP configuration files
- Allow systemd resolved to bind to arbitrary nodes
- Allow plymouthd_t bpf capability to run bpf programs
- Allow cupsd to create samba_var_t files
- Allow rhsmcert request the kernel to load a module
- Allow virsh name_connect virt_port_t
- Allow certmonger manage cluster library files
- Allow plymouthd read init process state
- Add chromium_sandbox_t setcap capability
- Allow snmpd read raw disk data
- Allow samba-rpcd work with passwords
- Allow unconfined service inherit signal state from init
- Allow cloud-init manage gpg admin home content
- Allow cluster_t dbus chat with various services
- Allow nfsidmapd work with systemd-userdbd and sssd
- Allow unconfined_domain_type use IORING_OP_URING_CMD on all device nodes
- Allow plymouthd map dri and framebuffer devices
- Allow rpmdb_migrate execute rpmdb
- Allow logrotate dbus chat with systemd-hostnamed
- Allow icecast connect to kernel using a unix stream socket
- Allow lldpad connect to systemd-userdbd over a unix socket
- Allow journalctl open user domain ptys and ttys
- Allow keepalived to manage its tmp files
- Allow ftpd read network sysctls
- Label /run/bgpd with zebra_var_run_t
- Allow gssproxy read network sysctls
- Add the cifsutils module
- Allow sssd read accountsd fifo files
- Add support for the passt_t domain
- Allow virtd_t and svirt_t work with passt
- Add new interfaces in the virt module
- Add passt interfaces defined conditionally
- Allow tshark the setsched capability
- Allow poweroff create connections to system dbus
- Allow wg load kernel modules, search debugfs dir
- Boolean: allow qemu-ga manage ssh home directory
- Label smtpd with sendmail_exec_t
- Label msmtp and msmtpd with sendmail_exec_t
- Allow dovecot to map files in /var/spool/dovecot
- Allowing snapper to create snapshots of /home/ subvolume/partition
- Add boolean qemu-ga to run unconfined script
- Label systemd-journald feature LogNamespace
- Add none file context for polyinstantiated tmp dirs
- Allow certmonger read the contents of the sysfs filesystem
- Add journalctl the sys_resource capability
- Allow nm-dispatcher plugins read generic files in /proc
- Add initial policy for the /usr/sbin/request-key helper
- Additional support for rpmdb_migrate
- Add the keyutils module
- Boolean: allow qemu-ga read ssh home directory
- Allow kernel_t to read/write all sockets
- Allow kernel_t to UNIX-stream connect to all domains
- Allow systemd-resolved send a datagram to journald
- Allow kernel_t to manage and have "execute" access to all files
- Fix the files_manage_all_files() interface
- Allow rshim bpf cap2 and read sssd public files
- Allow insights-client work with su and lpstat
- Allow insights-client tcp connect to all ports
- Allow nm-cloud-setup dispatcher plugin restart nm services
- Allow unconfined user filetransition for sudo log files
- Allow modemmanager create hardware state information files
- Allow ModemManager all permissions for netlink route socket
- Allow wg to send msg to kernel, write to syslog and dbus connections
- Allow hostname_t to read network sysctls.
- Dontaudit ftpd the execmem permission
- Allow svirt request the kernel to load a module
- Allow icecast rename its log files
- Allow upsd to send signal to itself
- Allow wireguard to create udp sockets and read net_conf
- Use %autosetup instead of %setup
- Pass -p 1 to %autosetup
This means that the first component of the path is stripped when
applying patches. This is needed so that patches created by git can be
applied.
Signed-off-by: Ondrej Mosnáček <omosnacek@gmail.com>
- Allow NetworkManager and wpa_supplicant the bpf capability
- Allow systemd-rfkill the bpf capability
- Allow winbind-rpcd manage samba_share_t files and dirs
- Label /var/lib/httpd/md(/.*)? with httpd_sys_rw_content_t
- Allow gpsd the sys_ptrace userns capability
- Introduce gpsd_tmp_t for sockfiles managed by gpsd_t
- Allow load_policy_t write to unallocated ttys
- Allow ndc read hardware state information
- Allow system mail service read inherited certmonger runtime files
- Add lpr_roles to system_r roles
- Revert "Allow insights-client run lpr and allow the proper role"
- Allow stalld to read /sys/kernel/security/lockdown file
- Allow keepalived to set resource limits
- Add policy for mptcpd
- Add policy for rshim
- Allow admin users to create user namespaces
- Allow journalctl relabel with var_log_t and syslogd_var_run_t files
- Do not run restorecon /etc/NetworkManager/dispatcher.d in targeted
- Trim changelog so that it starts at F35 time
- Add mptcpd and rshim modules
The changelog contains entries from 16 years ago, making the content
unwieldy. With this commit, changelog starts at the time when
F35 package version in rawhide branched off F34.
- Allow insights-client dbus chat with various services
- Allow insights-client tcp connect to various ports
- Allow insights-client run lpr and allow the proper role
- Allow insights-client work with pcp and manage user config files
- Allow redis get user names
- Allow kernel threads to use fds from all domains
- Allow systemd-modules-load load kernel modules
- Allow login_userdomain watch systemd-passwd pid dirs
- Allow insights-client dbus chat with abrt
- Grant kernel_t certain permissions in the system class
- Allow systemd-resolved watch tmpfs directories
- Allow systemd-timedated watch init runtime dir
- Make `bootc` be `install_exec_t`
- Allow systemd-coredump create user_namespace
- Allow syslog the setpcap capability
- donaudit virtlogd and dnsmasq execmem
- Don't make kernel_t an unconfined domain
- Don't allow kernel_t to execute bin_t/usr_t binaries without a transition
- Allow kernel_t to execute systemctl to do a poweroff/reboot
- Grant basic permissions to the domain created by systemd_systemctl_domain()
- Allow kernel_t to request module loading
- Allow kernel_t to do compute_create
- Allow kernel_t to manage perf events
- Grant almost all capabilities to kernel_t
- Allow kernel_t to fully manage all devices
- Revert "In domain_transition_pattern there is no permission allowing caller domain to execu_no_trans on entrypoint, this patch fixing this issue"
- Allow pulseaudio to write to session_dbusd tmp socket files
- Allow systemd and unconfined_domain_type create user_namespace
- Add the user_namespace security class
- Reuse tmpfs_t also for the ramfs filesystem
- Label udf tools with fsadm_exec_t
- Allow networkmanager_dispatcher_plugin work with nscd
- Watch_sb all file type directories.
- Allow spamc read hardware state information files
- Allow sysadm read ipmi devices
- Allow insights client communicate with cupsd, mysqld, openvswitch, redis
- Allow insights client read raw memory devices
- Allow the spamd_update_t domain get generic filesystem attributes
- Dontaudit systemd-gpt-generator the sys_admin capability
- Allow ipsec_t only read tpm devices
- Allow cups-pdf connect to the system log service
- Allow postfix/smtpd read kerberos key table
- Allow syslogd read network sysctls
- Allow cdcc mmap dcc-client-map files
- Add watch and watch_sb dosfs interface
- nut-upsd: kernel_read_system_state, fs_getattr_cgroup
- Add numad the ipc_owner capability
- Allow gst-plugin-scanner read virtual memory sysctls
- Allow init read/write inherited user fifo files
- Update dnssec-trigger policy: setsched, module_request
- added policy for systemd-socket-proxyd
- Add the new 'cmd' permission to the 'io_uring' class
- Allow winbind-rpcd read and write its key ring
- Label /run/NetworkManager/no-stub-resolv.conf net_conf_t
- blueman-mechanism can read ~/.local/lib/python*/site-packages directory
- pidof executed by abrt can readlink /proc/*/exe
- Fix typo in comment
- Do not run restorecon /etc/NetworkManager/dispatcher.d in mls and minimum
And break the dependency loop with rpm-plugin-selinux
From rpm documentation:
* meta (since rpm >= 4.16)
Denotes a “meta” dependency, which must not affect transaction
ordering. Typical use-cases would be meta-packages and sub-package
cross-dependencies whose purpose is just to ensure the sub-packages
stay on common version.
Related: https://bugzilla.redhat.com/show_bug.cgi?id=1851266
- Allow nm-dispatcher custom plugin dbus chat with nm
- Allow nm-dispatcher sendmail plugin get status of systemd services
- Allow xdm read the kernel key ring
- Allow login_userdomain check status of mount units
- Allow postfix/smtp and postfix/virtual read kerberos key table
- Allow services execute systemd-notify
- Do not allow login_userdomain use sd_notify()
- Allow launch-xenstored read filesystem sysctls
- Allow systemd-modules-load write to /dev/kmsg and send a message to syslogd
- Allow openvswitch fsetid capability
- Allow openvswitch use its private tmpfs files and dirs
- Allow openvswitch search tracefs dirs
- Allow pmdalinux read files on an nfsd filesystem
- Allow winbind-rpcd write to winbind pid files
- Allow networkmanager to signal unconfined process
- Allow systemd_hostnamed label /run/systemd/* as hostnamed_etc_t
- Allow samba-bgqd get a printer list
- fix(init.fc): Fix section description
- Allow fedora-third-party read the passwords file
- Remove permissive domain for rhcd_t
- Allow pmie read network state information and network sysctls
- Revert "Dontaudit domain the fowner capability"
- Allow sysadm_t to run bpftool on the userdomain attribute
- Add the userdom_prog_run_bpf_userdomain() interface
- Allow insights-client rpm named file transitions
- Add /var/tmp/insights-archive to insights_client_filetrans_named_content
- Allow sa-update to get init status and start systemd files
- Use insights_client_filetrans_named_content
- Make default file context match with named transitions
- Allow nm-dispatcher tlp plugin send system log messages
- Allow nm-dispatcher tlp plugin create and use unix_dgram_socket
- Add permissions to manage lnk_files into gnome_manage_home_config
- Allow rhsmcertd to read insights config files
- Label /etc/insights-client/machine-id
- fix(devices.fc): Replace single quote in comment to solve parsing issues
- Make NetworkManager_dispatcher_custom_t an unconfined domain
interface_info is generated by sepolgen-ifgen in %post. Therefore it
should not be verified as part of the package.
Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
- Allow transition to insights_client named content
- Add the insights_client_filetrans_named_content() interface
- Update policy for insights-client to run additional commands 3
- Allow dhclient manage pid files used by chronyd
- Allow stalld get scheduling policy of kernel threads
- Allow samba-dcerpcd work with sssd
- Allow dlm_controld send a null signal to a cluster daemon
- Allow ksmctl create hardware state information files
- Allow winbind_rpcd_t connect to self over a unix_stream_socket
- Update samba-dcerpcd policy for kerberos usage
- Allow insights-client execute its private memfd: objects
- Update policy for insights-client to run additional commands 2
- Use insights_client_tmp_t instead of insights_client_var_tmp_t
- Change space indentation to tab in insights-client
- Use socket permissions sets in insights-client
- Update policy for insights-client to run additional commands
- Change rpm_setattr_db_files() to use a pattern
- Allow init_t to rw insights_client unnamed pipe
- Add rpm setattr db files macro
- Fix insights client
- Update kernel_read_unix_sysctls() for sysctl_net_unix_t handling
- Allow rabbitmq to access its private memfd: objects
- Update policy for samba-dcerpcd
- Allow stalld setsched and sys_nice
Unconditional execution can make the rpm scriptlet failing:
Running scriptlet: selinux-policy-targeted-36.9-1.fc36.noarch 4/4
/usr/sbin/restorecon: SELinux: Could not get canonical path for /etc/NetworkManager/dispatcher.d restorecon: No such file or directory.
warning: %posttrans(selinux-policy-targeted-36.9-1.fc36.noarch) scriptlet failed, exit status 255
Resolves: rhbz#2082547
- Allow auditd_t noatsecure for a transition to audisp_remote_t
- Allow ctdbd nlmsg_read on netlink_tcpdiag_socket
- Allow pcp_domain execute its private memfd: objects
- Add support for samba-dcerpcd
- Add policy for wireguard
- Confine targetcli
- Allow systemd work with install_t unix stream sockets
- Allow iscsid the sys_ptrace userns capability
- Allow xdm connect to unconfined_service_t over a unix stream socket
- Use the networkmanager_dispatcher_plugin attribute in allow rules
- Make a custom nm-dispatcher plugin transition
- Label port 4784/tcp and 4784/udp with bfd_multi
- Allow systemd watch and watch_reads user ptys
- Allow sblim-gatherd the kill capability
- Label more vdsm utils with virtd_exec_t
- Add ksm service to ksmtuned
- Add rhcd policy
- Dontaudit guest attempts to dbus chat with systemd domains
- Dontaudit guest attempts to dbus chat with system bus types
- Use a named transition in systemd_hwdb_manage_config()
- Add default fc specifications for patterns in /opt
- Add the files_create_etc_files() interface
- Allow nm-dispatcher console plugin create and write files in /etc
- Allow nm-dispatcher console plugin transition to the setfiles domain
- Allow more nm-dispatcher plugins append to init stream sockets
- Allow nm-dispatcher tlp plugin dbus chat with nm
- Reorder networkmanager_dispatcher_plugin_template() calls
- Allow svirt connectto virtlogd
- Allow blueman map its private memfd: files
- Allow sysadm user execute init scripts with a transition
- Allow sblim-sfcbd connect to sblim-reposd stream
- Allow keepalived_unconfined_script_t dbus chat with init
- Run restorecon with "-i" not to report errors
The %posttrans scriptlet contains explicit call to restorecon
to restore context of files/directories which are not handled
properly on updates. When a file or directory does not exist,
an error is reported:
/usr/sbin/restorecon: lstat(/etc/NetworkManager/dispatcher.d) failed: No such file or directory
warning: %posttrans(selinux-policy-targeted-36.8-1.fc36.noarch) scriptlet failed, exit status 255
Error in POSTTRANS scriptlet in rpm package selinux-policy-targeted
With the "-i" switch, restorecon does not report an error.
Resolves: rhbz#2082547
- Allow nm-dispatcher chronyc plugin append to init stream sockets
- Allow tmpreaper the sys_ptrace userns capability
- Label /usr/libexec/vdsm/supervdsmd and vdsmd with virtd_exec_t
- Allow nm-dispatcher tlp plugin read/write the wireless device
- Allow nm-dispatcher tlp plugin append to init socket
- Allow nm-dispatcher tlp plugin be client of a system bus
- Allow nm-dispatcher list its configuration directory
- Ecryptfs-private support
- Allow colord map /var/lib directories
- Allow ntlm_auth read the network state information
- Allow insights-client search rhnsd configuration directory
- Add support for systemd-network-generator
- Add the io_uring class
- Allow nm-dispatcher dhclient plugin append to init stream sockets
- Relax the naming pattern for systemd private shared libraries
- Allow nm-dispatcher iscsid plugin append to init socket
- Add the init_append_stream_sockets() interface
- Allow nm-dispatcher dnssec-trigger script to execute pidof
- Add support for nm-dispatcher dnssec-trigger scripts
- Allow chronyd talk with unconfined user over unix domain dgram socket
- Allow fenced read kerberos key tables
- Add support for nm-dispatcher ddclient scripts
- Add systemd_getattr_generic_unit_files() interface
- Allow fprintd read and write hardware state information
- Allow exim watch generic certificate directories
- Remove duplicate fc entries for corosync and corosync-notifyd
- Label corosync-cfgtool with cluster_exec_t
- Allow qemu-kvm create and use netlink rdma sockets
- Allow logrotate a domain transition to cluster administrative domain
- Add support for nm-dispatcher console helper scripts
- Allow nm-dispatcher plugins read its directory and sysfs
- Do not let system_cronjob_t create redhat-access-insights.log with var_log_t
- devices: Add a comment about cardmgr_dev_t
- Add basic policy for BinderFS
- Label /var/run/ecblp0 pipe with cupsd_var_run_t
- Allow rpmdb create directory in /usr/lib/sysimage
- Allow rngd drop privileges via setuid/setgid/setcap
- Allow init watch and watch_reads user ttys
- Allow systemd-logind dbus chat with sosreport
- Allow chronyd send a message to sosreport over datagram socket
- Remove unnecessary /etc file transitions for insights-client
- Label all content in /var/lib/insights with insights_client_var_lib_t
- Update insights-client policy
- Update NetworkManager-dispatcher cloud and chronyc policy
- Update insights-client: fc pattern, motd, writing to etc
- Allow systemd-sysctl read the security state information
- Allow init create and mounton to support PrivateDevices
- Allow sosreport dbus chat abrt systemd timedatex
- Allow sysadm_passwd_t to relabel passwd and group files
- Allow confined sysadmin to use tool vipw
- Allow login_userdomain map /var/lib/directories
- Allow login_userdomain watch library and fonts dirs
- Allow login_userdomain watch system configuration dirs
- Allow login_userdomain read systemd runtime files
- Allow ctdb create cluster logs
- Allow alsa bind mixer controls to led triggers
- New policy for insight-client
- Add mctp_socket security class and access vectors
- Fix koji repo URL pattern
- Update chronyd_pid_filetrans() to allow create dirs
- Update NetworkManager-dispatcher policy
- Allow unconfined to run virtd bpf
- Allow nm-privhelper setsched permission and send system logs
- Add the map permission to common_anon_inode_perm permission set
- Rename userfaultfd_anon_inode_perms to common_inode_perms
- Allow confined users to use kinit,klist and etc.
- Allow rhsmcertd create rpm hawkey logs with correct label
- Label exFAT utilities at /usr/sbin
- policy/modules/contrib: Support /usr/lib/sysimage/rpm as the rpmdb path
- Enable genfs_seclabel_symlinks policy capability
- Sync policy/policy_capabilities with refpolicy
- refpolicy: drop unused socket security classes
- Label new utility of NetworkManager nm-priv-helper
- Label NetworkManager-dispatcher service with separate context
- Allow sanlock get attributes of filesystems with extended attributes
- Associate stratisd_data_t with device filesystem
- Allow init read stratis data symlinks
- Allow systemd services watch dbusd pid directory and its parents
- Allow ModemManager connect to the unconfined user domain
- Label /dev/wwan.+ with modem_manager_t
- Allow alsactl set group Process ID of a process
- Allow domtrans to sssd_t and role access to sssd
- Creating interface sssd_run_sssd()
- Label utilities for exFAT filesystems with fsadm_exec_t
- Label /dev/nvme-fabrics with fixed_disk_device_t
- Allow init delete generic tmp named pipes
- Allow timedatex dbus chat with xdm
- Allow haproxy get attributes of filesystems with extended attributes
- Allow haproxy get attributes of cgroup filesystems
- Allow sysadm execute sysadmctl in sysadm_t domain using sudo
- Allow userdomains use pam_ssh_agent_auth for passwordless sudo
- Allow sudodomains execute passwd in the passwd domain
- Allow braille printing in selinux
- Allow sandbox_xserver_t map sandbox_file_t
- Label /dev/ngXnY and /dev/nvme-subsysX with fixed_disk_device_t
- Add hwtracing_device_t type for hardware-level tracing and debugging
- Label port 9528/tcp with openqa_liveview
- Label /var/lib/shorewall6-lite with shorewall_var_lib_t
- Document Security Flask model in the policy
- Allow systemd read unlabeled symbolic links
- Label abrt-action-generate-backtrace with abrt_handle_event_exec_t
- Allow dnsmasq watch /etc/dnsmasq.d directories
- Allow rhsmcertd get attributes of tmpfs_t filesystems
- Allow lldpd use an snmp subagent over a tcp socket
- Allow xdm watch generic directories in /var/lib
- Allow login_userdomain open/read/map system journal
- Allow sysadm_t connect to cluster domains over a unix stream socket
- Allow sysadm_t read/write pkcs shared memory segments
- Allow sysadm_t connect to sanlock over a unix stream socket
- Allow sysadm_t dbus chat with sssd
- Allow sysadm_t set attributes on character device nodes
- Allow sysadm_t read and write watchdog devices
- Allow smbcontrol use additional socket types
- Allow cloud-init dbus chat with systemd-logind
- Allow svnserve send mail from the system
- Update userdom_exec_user_tmp_files() with an entrypoint rule
- Allow sudodomain send a null signal to sshd processes
- Support sanlock VG automated recovery on storage access loss 2/2
- Support sanlock VG automated recovery on storage access loss 1/2
- Revert "Support sanlock VG automated recovery on storage access loss"
- Allow tlp get service units status
- Allow fedora-third-party manage 3rd party repos
- Allow xdm_t nnp_transition to login_userdomain
- Add the auth_read_passwd_file() interface
- Allow redis-sentinel execute a notification script
- Allow fetchmail search cgroup directories
- Allow lvm_t to read/write devicekit disk semaphores
- Allow devicekit_disk_t to use /dev/mapper/control
- Allow devicekit_disk_t to get IPC info from the kernel
- Allow devicekit_disk_t to read systemd-logind pid files
- Allow devicekit_disk_t to mount filesystems on mnt_t directories
- Allow devicekit_disk_t to manage mount_var_run_t files
- Allow rasdaemon sys_admin capability to verify the CAP_SYS_ADMIN of the soft_offline_page function implemented in the kernel
- Use $releasever in koji repo to reduce rawhide hardcoding
- authlogin: add fcontext for tcb
- Add erofs as a SELinux capable file system
- Allow systemd execute user bin files
- Support sanlock VG automated recovery on storage access loss
- Support new PING_CHECK health checker in keepalived
- Allow fedora-third-party execute "flatpak remote-add"
- Add files_manage_var_lib_files() interface
- Add write permisson to userfaultfd_anon_inode_perms
- Allow proper function sosreport via iotop
- Allow proper function sosreport in sysadmin role
- Allow fedora-third-party to connect to the system log service
- Allow fedora-third-party dbus chat with policykit
- Allow chrony-wait service start with DynamicUser=yes
- Allow management of lnk_files if similar access to regular files
- Allow unconfined_t transition to mozilla_plugin_t with NoNewPrivileges
- Allow systemd-resolved watch /run/systemd
- Allow fedora-third-party create and use unix_dgram_socket
- Removing pkcs_tmpfs_filetrans interface and edit pkcs policy files
- Allow login_userdomain named filetrans to pkcs_slotd_tmpfs_t domain
- Allow ModemManager create a qipcrtr socket
- Allow ModemManager request to load a kernel module
- Label /usr/sbin/virtproxyd as virtd_exec_t
- Allow communication between at-spi and gdm processes
- Update ica_filetrans_named_content() with create_file_perms
- Fix the gnome_atspi_domtrans() interface summary