- Change file transition for systemd-network-generator
- Additional support for gnome-initial-setup
- Update gnome-initial-setup policy for geoclue
- Allow openconnect vpn open vhost net device
- Allow cifs.upcall to connect to SSSD also through the /var/run socket
- Grant cifs.upcall more required capabilities
- Allow xenstored map xenfs files
- Update policy for fdo
- Allow keepalived watch var_run dirs
- Allow svirt to rw /dev/udmabuf
- Allow qatlib to modify hardware state information.
- Allow key.dns_resolve connect to avahi over a unix stream socket
- Allow key.dns_resolve create and use unix datagram socket
- Use quay.io as the container image source for CI
- Allow rhsmcertd dbus chat with policykit
- Allow polkitd execute pkla-check-authorization with nnp transition
- Allow user_u and staff_u get attributes of non-security dirs
- Allow unconfined user filetrans chrome_sandbox_home_t
- Allow svnserve execute postdrop with a transition
- Do not make postfix_postdrop_t type an MTA executable file
- Allow samba-dcerpc service manage samba tmp files
- Add use_nfs_home_dirs boolean for mozilla_plugin
- Fix labeling for no-stub-resolv.conf
- Allow systemd-network-generator send system log messages
- Dontaudit the execute permission on sock_file globally
- Allow fsadm_t the file mounton permission
- Allow named and ndc the io_uring sqpoll permission
- Allow sssd io_uring sqpoll permission
- Fix location for /run/nsd
- Allow qemu-ga get fixed disk devices attributes
- Update bitlbee policy
- Label /usr/sbin/sos with sosreport_exec_t
- Update policy for the sblim-sfcb service
- Add the files_getattr_non_auth_dirs() interface
- Fix the CI to work with DNF5
- Make systemd_tmpfiles_t MLS trusted for lowering the level of files
- Revert "Allow insights client map cache_home_t"
- Allow nfsidmapd connect to systemd-machined over a unix socket
- Allow snapperd connect to kernel over a unix domain stream socket
- Allow virt_qemu_ga_t create .ssh dir with correct label
- Allow targetd read network sysctls
- Set the abrt_handle_event boolean to on
- Permit kernel_t to change the user identity in object contexts
- Allow insights client map cache_home_t
- Label /usr/sbin/mariadbd with mysqld_exec_t
- Trim changelog so that it starts at F37 time
- Define equivalency for /run/systemd/generator.early
Default file context specification for /run/systemd/generator.early
has been set as an equivalency to /usr/lib/systemd/system,
similar to existing entries for generator and generator.late.
- Change init_audit_control default value to true
- Allow nfsidmapd connect to systemd-userdbd with a unix socket
- Add the qatlib module
- Add the fdo module
- Add the bootupd module
- Set default ports for keylime policy
- Create policy for qatlib
- Add policy for FIDO Device Onboard
- Add policy for bootupd
- Add the qatlib module
- Add the fdo module
- Add the bootupd module
- Add support for kafs-dns requested by keyutils
- Allow insights-client execmem
- Add support for chronyd-restricted
- Add init_explicit_domain() interface
- Allow fsadm_t to get attributes of cgroup filesystems
- Add list_dir_perms to kerberos_read_keytab
- Label /var/run/tmpfiles.d/static-nodes.conf with kmod_var_run_t
- Allow sendmail manage its runtime files
- Allow keyutils_dns_resolver_exec_t be an entrypoint
- Allow collectd_t read network state symlinks
- Revert "Allow collectd_t read proc_net link files"
- Allow nfsd_t to list exports_t dirs
- Allow cupsd dbus chat with xdm
- Allow haproxy read hardware state information
- Add the kafs module
The container_selinux.8 manpage is a part of the upstream
container-selinux package and it should rather be a part
of container-selinux.
Resolves: rhbz#2209120
- Add support for the systemd-pstore service
- Allow kdumpctl_t to execmem
- Update sendmail policy module for opensmtpd
- Allow nagios-mail-plugin exec postfix master
- Allow subscription-manager execute ip
- Allow ssh client connect with a user dbus instance
- Add support for ksshaskpass
- Allow rhsmcertd file transition in /run also for socket files
- Allow keyutils_dns_resolver_t execute keyutils_dns_resolver_exec_t
- Allow plymouthd read/write X server miscellaneous devices
- Allow systemd-sleep read udev pid files
- Allow exim read network sysctls
- Allow sendmail request load module
- Allow named map its conf files
- Allow squid map its cache files
- Allow NetworkManager_dispatcher_dhclient_t to execute shells without a domain transition
- Add initial policy for cifs-helper
- Label key.dns_resolver with keyutils_dns_resolver_exec_t
- Allow unconfined_service_t to create .gnupg labeled as gpg_secret_t
- Allow some systemd services write to cgroup files
- Allow NetworkManager_dispatcher_dhclient_t to read the DHCP configuration files
- Allow systemd resolved to bind to arbitrary nodes
- Allow plymouthd_t bpf capability to run bpf programs
- Allow cupsd to create samba_var_t files
- Allow rhsmcert request the kernel to load a module
- Allow virsh name_connect virt_port_t
- Allow certmonger manage cluster library files
- Allow plymouthd read init process state
- Add chromium_sandbox_t setcap capability
- Allow snmpd read raw disk data
- Allow samba-rpcd work with passwords
- Allow unconfined service inherit signal state from init
- Allow cloud-init manage gpg admin home content
- Allow cluster_t dbus chat with various services
- Allow nfsidmapd work with systemd-userdbd and sssd
- Allow unconfined_domain_type use IORING_OP_URING_CMD on all device nodes
- Allow plymouthd map dri and framebuffer devices
- Allow rpmdb_migrate execute rpmdb
- Allow logrotate dbus chat with systemd-hostnamed
- Allow icecast connect to kernel using a unix stream socket
- Allow lldpad connect to systemd-userdbd over a unix socket
- Allow journalctl open user domain ptys and ttys
- Allow keepalived to manage its tmp files
- Allow ftpd read network sysctls
- Label /run/bgpd with zebra_var_run_t
- Allow gssproxy read network sysctls
- Add the cifsutils module
- Allow sssd read accountsd fifo files
- Add support for the passt_t domain
- Allow virtd_t and svirt_t work with passt
- Add new interfaces in the virt module
- Add passt interfaces defined conditionally
- Allow tshark the setsched capability
- Allow poweroff create connections to system dbus
- Allow wg load kernel modules, search debugfs dir
- Boolean: allow qemu-ga manage ssh home directory
- Label smtpd with sendmail_exec_t
- Label msmtp and msmtpd with sendmail_exec_t
- Allow dovecot to map files in /var/spool/dovecot
- Allowing snapper to create snapshots of /home/ subvolume/partition
- Add boolean qemu-ga to run unconfined script
- Label systemd-journald feature LogNamespace
- Add none file context for polyinstantiated tmp dirs
- Allow certmonger read the contents of the sysfs filesystem
- Add journalctl the sys_resource capability
- Allow nm-dispatcher plugins read generic files in /proc
- Add initial policy for the /usr/sbin/request-key helper
- Additional support for rpmdb_migrate
- Add the keyutils module
- Boolean: allow qemu-ga read ssh home directory
- Allow kernel_t to read/write all sockets
- Allow kernel_t to UNIX-stream connect to all domains
- Allow systemd-resolved send a datagram to journald
- Allow kernel_t to manage and have "execute" access to all files
- Fix the files_manage_all_files() interface
- Allow rshim bpf cap2 and read sssd public files
- Allow insights-client work with su and lpstat
- Allow insights-client tcp connect to all ports
- Allow nm-cloud-setup dispatcher plugin restart nm services
- Allow unconfined user filetransition for sudo log files
- Allow modemmanager create hardware state information files
- Allow ModemManager all permissions for netlink route socket
- Allow wg to send msg to kernel, write to syslog and dbus connections
- Allow hostname_t to read network sysctls.
- Dontaudit ftpd the execmem permission
- Allow svirt request the kernel to load a module
- Allow icecast rename its log files
- Allow upsd to send signal to itself
- Allow wireguard to create udp sockets and read net_conf
- Use %autosetup instead of %setup
- Pass -p 1 to %autosetup
This means that the first component of the path is stripped when
applying patches. This is needed so that patches created by git can be
applied.
Signed-off-by: Ondrej Mosnáček <omosnacek@gmail.com>
- Allow NetworkManager and wpa_supplicant the bpf capability
- Allow systemd-rfkill the bpf capability
- Allow winbind-rpcd manage samba_share_t files and dirs
- Label /var/lib/httpd/md(/.*)? with httpd_sys_rw_content_t
- Allow gpsd the sys_ptrace userns capability
- Introduce gpsd_tmp_t for sockfiles managed by gpsd_t
- Allow load_policy_t write to unallocated ttys
- Allow ndc read hardware state information
- Allow system mail service read inherited certmonger runtime files
- Add lpr_roles to system_r roles
- Revert "Allow insights-client run lpr and allow the proper role"
- Allow stalld to read /sys/kernel/security/lockdown file
- Allow keepalived to set resource limits
- Add policy for mptcpd
- Add policy for rshim
- Allow admin users to create user namespaces
- Allow journalctl relabel with var_log_t and syslogd_var_run_t files
- Do not run restorecon /etc/NetworkManager/dispatcher.d in targeted
- Trim changelog so that it starts at F35 time
- Add mptcpd and rshim modules
The changelog contains entries from 16 years ago, making the content
unwieldy. With this commit, changelog starts at the time when
F35 package version in rawhide branched off F34.
- Allow insights-client dbus chat with various services
- Allow insights-client tcp connect to various ports
- Allow insights-client run lpr and allow the proper role
- Allow insights-client work with pcp and manage user config files
- Allow redis get user names
- Allow kernel threads to use fds from all domains
- Allow systemd-modules-load load kernel modules
- Allow login_userdomain watch systemd-passwd pid dirs
- Allow insights-client dbus chat with abrt
- Grant kernel_t certain permissions in the system class
- Allow systemd-resolved watch tmpfs directories
- Allow systemd-timedated watch init runtime dir
- Make `bootc` be `install_exec_t`
- Allow systemd-coredump create user_namespace
- Allow syslog the setpcap capability
- donaudit virtlogd and dnsmasq execmem
- Don't make kernel_t an unconfined domain
- Don't allow kernel_t to execute bin_t/usr_t binaries without a transition
- Allow kernel_t to execute systemctl to do a poweroff/reboot
- Grant basic permissions to the domain created by systemd_systemctl_domain()
- Allow kernel_t to request module loading
- Allow kernel_t to do compute_create
- Allow kernel_t to manage perf events
- Grant almost all capabilities to kernel_t
- Allow kernel_t to fully manage all devices
- Revert "In domain_transition_pattern there is no permission allowing caller domain to execu_no_trans on entrypoint, this patch fixing this issue"
- Allow pulseaudio to write to session_dbusd tmp socket files
- Allow systemd and unconfined_domain_type create user_namespace
- Add the user_namespace security class
- Reuse tmpfs_t also for the ramfs filesystem
- Label udf tools with fsadm_exec_t
- Allow networkmanager_dispatcher_plugin work with nscd
- Watch_sb all file type directories.
- Allow spamc read hardware state information files
- Allow sysadm read ipmi devices
- Allow insights client communicate with cupsd, mysqld, openvswitch, redis
- Allow insights client read raw memory devices
- Allow the spamd_update_t domain get generic filesystem attributes
- Dontaudit systemd-gpt-generator the sys_admin capability
- Allow ipsec_t only read tpm devices
- Allow cups-pdf connect to the system log service
- Allow postfix/smtpd read kerberos key table
- Allow syslogd read network sysctls
- Allow cdcc mmap dcc-client-map files
- Add watch and watch_sb dosfs interface
- nut-upsd: kernel_read_system_state, fs_getattr_cgroup
- Add numad the ipc_owner capability
- Allow gst-plugin-scanner read virtual memory sysctls
- Allow init read/write inherited user fifo files
- Update dnssec-trigger policy: setsched, module_request
- added policy for systemd-socket-proxyd
- Add the new 'cmd' permission to the 'io_uring' class
- Allow winbind-rpcd read and write its key ring
- Label /run/NetworkManager/no-stub-resolv.conf net_conf_t
- blueman-mechanism can read ~/.local/lib/python*/site-packages directory
- pidof executed by abrt can readlink /proc/*/exe
- Fix typo in comment
- Do not run restorecon /etc/NetworkManager/dispatcher.d in mls and minimum
And break the dependency loop with rpm-plugin-selinux
From rpm documentation:
* meta (since rpm >= 4.16)
Denotes a “meta” dependency, which must not affect transaction
ordering. Typical use-cases would be meta-packages and sub-package
cross-dependencies whose purpose is just to ensure the sub-packages
stay on common version.
Related: https://bugzilla.redhat.com/show_bug.cgi?id=1851266
