- Add support for kafs-dns requested by keyutils
- Allow insights-client execmem
- Add support for chronyd-restricted
- Add init_explicit_domain() interface
- Allow fsadm_t to get attributes of cgroup filesystems
- Add list_dir_perms to kerberos_read_keytab
- Label /var/run/tmpfiles.d/static-nodes.conf with kmod_var_run_t
- Allow sendmail manage its runtime files
- Allow keyutils_dns_resolver_exec_t be an entrypoint
- Allow collectd_t read network state symlinks
- Revert "Allow collectd_t read proc_net link files"
- Allow nfsd_t to list exports_t dirs
- Allow cupsd dbus chat with xdm
- Allow haproxy read hardware state information
- Add the kafs module
The container_selinux.8 manpage is a part of the upstream
container-selinux package and it should rather be a part
of container-selinux.
Resolves: rhbz#2209120
- Add support for the systemd-pstore service
- Allow kdumpctl_t to execmem
- Update sendmail policy module for opensmtpd
- Allow nagios-mail-plugin exec postfix master
- Allow subscription-manager execute ip
- Allow ssh client connect with a user dbus instance
- Add support for ksshaskpass
- Allow rhsmcertd file transition in /run also for socket files
- Allow keyutils_dns_resolver_t execute keyutils_dns_resolver_exec_t
- Allow plymouthd read/write X server miscellaneous devices
- Allow systemd-sleep read udev pid files
- Allow exim read network sysctls
- Allow sendmail request load module
- Allow named map its conf files
- Allow squid map its cache files
- Allow NetworkManager_dispatcher_dhclient_t to execute shells without a domain transition
- Add initial policy for cifs-helper
- Label key.dns_resolver with keyutils_dns_resolver_exec_t
- Allow unconfined_service_t to create .gnupg labeled as gpg_secret_t
- Allow some systemd services write to cgroup files
- Allow NetworkManager_dispatcher_dhclient_t to read the DHCP configuration files
- Allow systemd resolved to bind to arbitrary nodes
- Allow plymouthd_t bpf capability to run bpf programs
- Allow cupsd to create samba_var_t files
- Allow rhsmcert request the kernel to load a module
- Allow virsh name_connect virt_port_t
- Allow certmonger manage cluster library files
- Allow plymouthd read init process state
- Add chromium_sandbox_t setcap capability
- Allow snmpd read raw disk data
- Allow samba-rpcd work with passwords
- Allow unconfined service inherit signal state from init
- Allow cloud-init manage gpg admin home content
- Allow cluster_t dbus chat with various services
- Allow nfsidmapd work with systemd-userdbd and sssd
- Allow unconfined_domain_type use IORING_OP_URING_CMD on all device nodes
- Allow plymouthd map dri and framebuffer devices
- Allow rpmdb_migrate execute rpmdb
- Allow logrotate dbus chat with systemd-hostnamed
- Allow icecast connect to kernel using a unix stream socket
- Allow lldpad connect to systemd-userdbd over a unix socket
- Allow journalctl open user domain ptys and ttys
- Allow keepalived to manage its tmp files
- Allow ftpd read network sysctls
- Label /run/bgpd with zebra_var_run_t
- Allow gssproxy read network sysctls
- Add the cifsutils module
- Allow sssd read accountsd fifo files
- Add support for the passt_t domain
- Allow virtd_t and svirt_t work with passt
- Add new interfaces in the virt module
- Add passt interfaces defined conditionally
- Allow tshark the setsched capability
- Allow poweroff create connections to system dbus
- Allow wg load kernel modules, search debugfs dir
- Boolean: allow qemu-ga manage ssh home directory
- Label smtpd with sendmail_exec_t
- Label msmtp and msmtpd with sendmail_exec_t
- Allow dovecot to map files in /var/spool/dovecot
- Allowing snapper to create snapshots of /home/ subvolume/partition
- Add boolean qemu-ga to run unconfined script
- Label systemd-journald feature LogNamespace
- Add none file context for polyinstantiated tmp dirs
- Allow certmonger read the contents of the sysfs filesystem
- Add journalctl the sys_resource capability
- Allow nm-dispatcher plugins read generic files in /proc
- Add initial policy for the /usr/sbin/request-key helper
- Additional support for rpmdb_migrate
- Add the keyutils module
- Boolean: allow qemu-ga read ssh home directory
- Allow kernel_t to read/write all sockets
- Allow kernel_t to UNIX-stream connect to all domains
- Allow systemd-resolved send a datagram to journald
- Allow kernel_t to manage and have "execute" access to all files
- Fix the files_manage_all_files() interface
- Allow rshim bpf cap2 and read sssd public files
- Allow insights-client work with su and lpstat
- Allow insights-client tcp connect to all ports
- Allow nm-cloud-setup dispatcher plugin restart nm services
- Allow unconfined user filetransition for sudo log files
- Allow modemmanager create hardware state information files
- Allow ModemManager all permissions for netlink route socket
- Allow wg to send msg to kernel, write to syslog and dbus connections
- Allow hostname_t to read network sysctls.
- Dontaudit ftpd the execmem permission
- Allow svirt request the kernel to load a module
- Allow icecast rename its log files
- Allow upsd to send signal to itself
- Allow wireguard to create udp sockets and read net_conf
- Use %autosetup instead of %setup
- Pass -p 1 to %autosetup
This means that the first component of the path is stripped when
applying patches. This is needed so that patches created by git can be
applied.
Signed-off-by: Ondrej Mosnáček <omosnacek@gmail.com>
- Allow NetworkManager and wpa_supplicant the bpf capability
- Allow systemd-rfkill the bpf capability
- Allow winbind-rpcd manage samba_share_t files and dirs
- Label /var/lib/httpd/md(/.*)? with httpd_sys_rw_content_t
- Allow gpsd the sys_ptrace userns capability
- Introduce gpsd_tmp_t for sockfiles managed by gpsd_t
- Allow load_policy_t write to unallocated ttys
- Allow ndc read hardware state information
- Allow system mail service read inherited certmonger runtime files
- Add lpr_roles to system_r roles
- Revert "Allow insights-client run lpr and allow the proper role"
- Allow stalld to read /sys/kernel/security/lockdown file
- Allow keepalived to set resource limits
- Add policy for mptcpd
- Add policy for rshim
- Allow admin users to create user namespaces
- Allow journalctl relabel with var_log_t and syslogd_var_run_t files
- Do not run restorecon /etc/NetworkManager/dispatcher.d in targeted
- Trim changelog so that it starts at F35 time
- Add mptcpd and rshim modules
The changelog contains entries from 16 years ago, making the content
unwieldy. With this commit, changelog starts at the time when
F35 package version in rawhide branched off F34.
- Allow insights-client dbus chat with various services
- Allow insights-client tcp connect to various ports
- Allow insights-client run lpr and allow the proper role
- Allow insights-client work with pcp and manage user config files
- Allow redis get user names
- Allow kernel threads to use fds from all domains
- Allow systemd-modules-load load kernel modules
- Allow login_userdomain watch systemd-passwd pid dirs
- Allow insights-client dbus chat with abrt
- Grant kernel_t certain permissions in the system class
- Allow systemd-resolved watch tmpfs directories
- Allow systemd-timedated watch init runtime dir
- Make `bootc` be `install_exec_t`
- Allow systemd-coredump create user_namespace
- Allow syslog the setpcap capability
- donaudit virtlogd and dnsmasq execmem
- Don't make kernel_t an unconfined domain
- Don't allow kernel_t to execute bin_t/usr_t binaries without a transition
- Allow kernel_t to execute systemctl to do a poweroff/reboot
- Grant basic permissions to the domain created by systemd_systemctl_domain()
- Allow kernel_t to request module loading
- Allow kernel_t to do compute_create
- Allow kernel_t to manage perf events
- Grant almost all capabilities to kernel_t
- Allow kernel_t to fully manage all devices
- Revert "In domain_transition_pattern there is no permission allowing caller domain to execu_no_trans on entrypoint, this patch fixing this issue"
- Allow pulseaudio to write to session_dbusd tmp socket files
- Allow systemd and unconfined_domain_type create user_namespace
- Add the user_namespace security class
- Reuse tmpfs_t also for the ramfs filesystem
- Label udf tools with fsadm_exec_t
- Allow networkmanager_dispatcher_plugin work with nscd
- Watch_sb all file type directories.
- Allow spamc read hardware state information files
- Allow sysadm read ipmi devices
- Allow insights client communicate with cupsd, mysqld, openvswitch, redis
- Allow insights client read raw memory devices
- Allow the spamd_update_t domain get generic filesystem attributes
- Dontaudit systemd-gpt-generator the sys_admin capability
- Allow ipsec_t only read tpm devices
- Allow cups-pdf connect to the system log service
- Allow postfix/smtpd read kerberos key table
- Allow syslogd read network sysctls
- Allow cdcc mmap dcc-client-map files
- Add watch and watch_sb dosfs interface
- nut-upsd: kernel_read_system_state, fs_getattr_cgroup
- Add numad the ipc_owner capability
- Allow gst-plugin-scanner read virtual memory sysctls
- Allow init read/write inherited user fifo files
- Update dnssec-trigger policy: setsched, module_request
- added policy for systemd-socket-proxyd
- Add the new 'cmd' permission to the 'io_uring' class
- Allow winbind-rpcd read and write its key ring
- Label /run/NetworkManager/no-stub-resolv.conf net_conf_t
- blueman-mechanism can read ~/.local/lib/python*/site-packages directory
- pidof executed by abrt can readlink /proc/*/exe
- Fix typo in comment
- Do not run restorecon /etc/NetworkManager/dispatcher.d in mls and minimum
And break the dependency loop with rpm-plugin-selinux
From rpm documentation:
* meta (since rpm >= 4.16)
Denotes a “meta” dependency, which must not affect transaction
ordering. Typical use-cases would be meta-packages and sub-package
cross-dependencies whose purpose is just to ensure the sub-packages
stay on common version.
Related: https://bugzilla.redhat.com/show_bug.cgi?id=1851266
- Allow nm-dispatcher custom plugin dbus chat with nm
- Allow nm-dispatcher sendmail plugin get status of systemd services
- Allow xdm read the kernel key ring
- Allow login_userdomain check status of mount units
- Allow postfix/smtp and postfix/virtual read kerberos key table
- Allow services execute systemd-notify
- Do not allow login_userdomain use sd_notify()
- Allow launch-xenstored read filesystem sysctls
- Allow systemd-modules-load write to /dev/kmsg and send a message to syslogd
- Allow openvswitch fsetid capability
- Allow openvswitch use its private tmpfs files and dirs
- Allow openvswitch search tracefs dirs
- Allow pmdalinux read files on an nfsd filesystem
- Allow winbind-rpcd write to winbind pid files
- Allow networkmanager to signal unconfined process
- Allow systemd_hostnamed label /run/systemd/* as hostnamed_etc_t
- Allow samba-bgqd get a printer list
- fix(init.fc): Fix section description
- Allow fedora-third-party read the passwords file
- Remove permissive domain for rhcd_t
- Allow pmie read network state information and network sysctls
- Revert "Dontaudit domain the fowner capability"
- Allow sysadm_t to run bpftool on the userdomain attribute
- Add the userdom_prog_run_bpf_userdomain() interface
- Allow insights-client rpm named file transitions
- Add /var/tmp/insights-archive to insights_client_filetrans_named_content
- Allow sa-update to get init status and start systemd files
- Use insights_client_filetrans_named_content
- Make default file context match with named transitions
- Allow nm-dispatcher tlp plugin send system log messages
- Allow nm-dispatcher tlp plugin create and use unix_dgram_socket
- Add permissions to manage lnk_files into gnome_manage_home_config
- Allow rhsmcertd to read insights config files
- Label /etc/insights-client/machine-id
- fix(devices.fc): Replace single quote in comment to solve parsing issues
- Make NetworkManager_dispatcher_custom_t an unconfined domain
interface_info is generated by sepolgen-ifgen in %post. Therefore it
should not be verified as part of the package.
Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
- Allow transition to insights_client named content
- Add the insights_client_filetrans_named_content() interface
- Update policy for insights-client to run additional commands 3
- Allow dhclient manage pid files used by chronyd
- Allow stalld get scheduling policy of kernel threads
- Allow samba-dcerpcd work with sssd
- Allow dlm_controld send a null signal to a cluster daemon
- Allow ksmctl create hardware state information files
- Allow winbind_rpcd_t connect to self over a unix_stream_socket
- Update samba-dcerpcd policy for kerberos usage
- Allow insights-client execute its private memfd: objects
- Update policy for insights-client to run additional commands 2
- Use insights_client_tmp_t instead of insights_client_var_tmp_t
- Change space indentation to tab in insights-client
- Use socket permissions sets in insights-client
- Update policy for insights-client to run additional commands
- Change rpm_setattr_db_files() to use a pattern
- Allow init_t to rw insights_client unnamed pipe
- Add rpm setattr db files macro
- Fix insights client
- Update kernel_read_unix_sysctls() for sysctl_net_unix_t handling
- Allow rabbitmq to access its private memfd: objects
- Update policy for samba-dcerpcd
- Allow stalld setsched and sys_nice
Unconditional execution can make the rpm scriptlet failing:
Running scriptlet: selinux-policy-targeted-36.9-1.fc36.noarch 4/4
/usr/sbin/restorecon: SELinux: Could not get canonical path for /etc/NetworkManager/dispatcher.d restorecon: No such file or directory.
warning: %posttrans(selinux-policy-targeted-36.9-1.fc36.noarch) scriptlet failed, exit status 255
Resolves: rhbz#2082547