- Allowing snapper to create snapshots of /home/ subvolume/partition
- Add boolean qemu-ga to run unconfined script
- Label systemd-journald feature LogNamespace
- Add none file context for polyinstantiated tmp dirs
- Allow certmonger read the contents of the sysfs filesystem
- Add journalctl the sys_resource capability
- Allow nm-dispatcher plugins read generic files in /proc
- Add initial policy for the /usr/sbin/request-key helper
- Additional support for rpmdb_migrate
- Add the keyutils module
- Boolean: allow qemu-ga read ssh home directory
- Allow kernel_t to read/write all sockets
- Allow kernel_t to UNIX-stream connect to all domains
- Allow systemd-resolved send a datagram to journald
- Allow kernel_t to manage and have "execute" access to all files
- Fix the files_manage_all_files() interface
- Allow rshim bpf cap2 and read sssd public files
- Allow insights-client work with su and lpstat
- Allow insights-client tcp connect to all ports
- Allow nm-cloud-setup dispatcher plugin restart nm services
- Allow unconfined user filetransition for sudo log files
- Allow modemmanager create hardware state information files
- Allow ModemManager all permissions for netlink route socket
- Allow wg to send msg to kernel, write to syslog and dbus connections
- Allow hostname_t to read network sysctls.
- Dontaudit ftpd the execmem permission
- Allow svirt request the kernel to load a module
- Allow icecast rename its log files
- Allow upsd to send signal to itself
- Allow wireguard to create udp sockets and read net_conf
- Use %autosetup instead of %setup
- Pass -p 1 to %autosetup
This means that the first component of the path is stripped when
applying patches. This is needed so that patches created by git can be
applied.
Signed-off-by: Ondrej Mosnáček <omosnacek@gmail.com>
- Allow NetworkManager and wpa_supplicant the bpf capability
- Allow systemd-rfkill the bpf capability
- Allow winbind-rpcd manage samba_share_t files and dirs
- Label /var/lib/httpd/md(/.*)? with httpd_sys_rw_content_t
- Allow gpsd the sys_ptrace userns capability
- Introduce gpsd_tmp_t for sockfiles managed by gpsd_t
- Allow load_policy_t write to unallocated ttys
- Allow ndc read hardware state information
- Allow system mail service read inherited certmonger runtime files
- Add lpr_roles to system_r roles
- Revert "Allow insights-client run lpr and allow the proper role"
- Allow stalld to read /sys/kernel/security/lockdown file
- Allow keepalived to set resource limits
- Add policy for mptcpd
- Add policy for rshim
- Allow admin users to create user namespaces
- Allow journalctl relabel with var_log_t and syslogd_var_run_t files
- Do not run restorecon /etc/NetworkManager/dispatcher.d in targeted
- Trim changelog so that it starts at F35 time
- Add mptcpd and rshim modules
The changelog contains entries from 16 years ago, making the content
unwieldy. With this commit, changelog starts at the time when
F35 package version in rawhide branched off F34.
- Allow insights-client dbus chat with various services
- Allow insights-client tcp connect to various ports
- Allow insights-client run lpr and allow the proper role
- Allow insights-client work with pcp and manage user config files
- Allow redis get user names
- Allow kernel threads to use fds from all domains
- Allow systemd-modules-load load kernel modules
- Allow login_userdomain watch systemd-passwd pid dirs
- Allow insights-client dbus chat with abrt
- Grant kernel_t certain permissions in the system class
- Allow systemd-resolved watch tmpfs directories
- Allow systemd-timedated watch init runtime dir
- Make `bootc` be `install_exec_t`
- Allow systemd-coredump create user_namespace
- Allow syslog the setpcap capability
- donaudit virtlogd and dnsmasq execmem
- Don't make kernel_t an unconfined domain
- Don't allow kernel_t to execute bin_t/usr_t binaries without a transition
- Allow kernel_t to execute systemctl to do a poweroff/reboot
- Grant basic permissions to the domain created by systemd_systemctl_domain()
- Allow kernel_t to request module loading
- Allow kernel_t to do compute_create
- Allow kernel_t to manage perf events
- Grant almost all capabilities to kernel_t
- Allow kernel_t to fully manage all devices
- Revert "In domain_transition_pattern there is no permission allowing caller domain to execu_no_trans on entrypoint, this patch fixing this issue"
- Allow pulseaudio to write to session_dbusd tmp socket files
- Allow systemd and unconfined_domain_type create user_namespace
- Add the user_namespace security class
- Reuse tmpfs_t also for the ramfs filesystem
- Label udf tools with fsadm_exec_t
- Allow networkmanager_dispatcher_plugin work with nscd
- Watch_sb all file type directories.
- Allow spamc read hardware state information files
- Allow sysadm read ipmi devices
- Allow insights client communicate with cupsd, mysqld, openvswitch, redis
- Allow insights client read raw memory devices
- Allow the spamd_update_t domain get generic filesystem attributes
- Dontaudit systemd-gpt-generator the sys_admin capability
- Allow ipsec_t only read tpm devices
- Allow cups-pdf connect to the system log service
- Allow postfix/smtpd read kerberos key table
- Allow syslogd read network sysctls
- Allow cdcc mmap dcc-client-map files
- Add watch and watch_sb dosfs interface
- nut-upsd: kernel_read_system_state, fs_getattr_cgroup
- Add numad the ipc_owner capability
- Allow gst-plugin-scanner read virtual memory sysctls
- Allow init read/write inherited user fifo files
- Update dnssec-trigger policy: setsched, module_request
- added policy for systemd-socket-proxyd
- Add the new 'cmd' permission to the 'io_uring' class
- Allow winbind-rpcd read and write its key ring
- Label /run/NetworkManager/no-stub-resolv.conf net_conf_t
- blueman-mechanism can read ~/.local/lib/python*/site-packages directory
- pidof executed by abrt can readlink /proc/*/exe
- Fix typo in comment
- Do not run restorecon /etc/NetworkManager/dispatcher.d in mls and minimum
And break the dependency loop with rpm-plugin-selinux
From rpm documentation:
* meta (since rpm >= 4.16)
Denotes a “meta” dependency, which must not affect transaction
ordering. Typical use-cases would be meta-packages and sub-package
cross-dependencies whose purpose is just to ensure the sub-packages
stay on common version.
Related: https://bugzilla.redhat.com/show_bug.cgi?id=1851266
- Allow nm-dispatcher custom plugin dbus chat with nm
- Allow nm-dispatcher sendmail plugin get status of systemd services
- Allow xdm read the kernel key ring
- Allow login_userdomain check status of mount units
- Allow postfix/smtp and postfix/virtual read kerberos key table
- Allow services execute systemd-notify
- Do not allow login_userdomain use sd_notify()
- Allow launch-xenstored read filesystem sysctls
- Allow systemd-modules-load write to /dev/kmsg and send a message to syslogd
- Allow openvswitch fsetid capability
- Allow openvswitch use its private tmpfs files and dirs
- Allow openvswitch search tracefs dirs
- Allow pmdalinux read files on an nfsd filesystem
- Allow winbind-rpcd write to winbind pid files
- Allow networkmanager to signal unconfined process
- Allow systemd_hostnamed label /run/systemd/* as hostnamed_etc_t
- Allow samba-bgqd get a printer list
- fix(init.fc): Fix section description
- Allow fedora-third-party read the passwords file
- Remove permissive domain for rhcd_t
- Allow pmie read network state information and network sysctls
- Revert "Dontaudit domain the fowner capability"
- Allow sysadm_t to run bpftool on the userdomain attribute
- Add the userdom_prog_run_bpf_userdomain() interface
- Allow insights-client rpm named file transitions
- Add /var/tmp/insights-archive to insights_client_filetrans_named_content
- Allow sa-update to get init status and start systemd files
- Use insights_client_filetrans_named_content
- Make default file context match with named transitions
- Allow nm-dispatcher tlp plugin send system log messages
- Allow nm-dispatcher tlp plugin create and use unix_dgram_socket
- Add permissions to manage lnk_files into gnome_manage_home_config
- Allow rhsmcertd to read insights config files
- Label /etc/insights-client/machine-id
- fix(devices.fc): Replace single quote in comment to solve parsing issues
- Make NetworkManager_dispatcher_custom_t an unconfined domain
interface_info is generated by sepolgen-ifgen in %post. Therefore it
should not be verified as part of the package.
Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
- Allow transition to insights_client named content
- Add the insights_client_filetrans_named_content() interface
- Update policy for insights-client to run additional commands 3
- Allow dhclient manage pid files used by chronyd
- Allow stalld get scheduling policy of kernel threads
- Allow samba-dcerpcd work with sssd
- Allow dlm_controld send a null signal to a cluster daemon
- Allow ksmctl create hardware state information files
- Allow winbind_rpcd_t connect to self over a unix_stream_socket
- Update samba-dcerpcd policy for kerberos usage
- Allow insights-client execute its private memfd: objects
- Update policy for insights-client to run additional commands 2
- Use insights_client_tmp_t instead of insights_client_var_tmp_t
- Change space indentation to tab in insights-client
- Use socket permissions sets in insights-client
- Update policy for insights-client to run additional commands
- Change rpm_setattr_db_files() to use a pattern
- Allow init_t to rw insights_client unnamed pipe
- Add rpm setattr db files macro
- Fix insights client
- Update kernel_read_unix_sysctls() for sysctl_net_unix_t handling
- Allow rabbitmq to access its private memfd: objects
- Update policy for samba-dcerpcd
- Allow stalld setsched and sys_nice
Unconditional execution can make the rpm scriptlet failing:
Running scriptlet: selinux-policy-targeted-36.9-1.fc36.noarch 4/4
/usr/sbin/restorecon: SELinux: Could not get canonical path for /etc/NetworkManager/dispatcher.d restorecon: No such file or directory.
warning: %posttrans(selinux-policy-targeted-36.9-1.fc36.noarch) scriptlet failed, exit status 255
Resolves: rhbz#2082547
- Allow auditd_t noatsecure for a transition to audisp_remote_t
- Allow ctdbd nlmsg_read on netlink_tcpdiag_socket
- Allow pcp_domain execute its private memfd: objects
- Add support for samba-dcerpcd
- Add policy for wireguard
- Confine targetcli
- Allow systemd work with install_t unix stream sockets
- Allow iscsid the sys_ptrace userns capability
- Allow xdm connect to unconfined_service_t over a unix stream socket
- Use the networkmanager_dispatcher_plugin attribute in allow rules
- Make a custom nm-dispatcher plugin transition
- Label port 4784/tcp and 4784/udp with bfd_multi
- Allow systemd watch and watch_reads user ptys
- Allow sblim-gatherd the kill capability
- Label more vdsm utils with virtd_exec_t
- Add ksm service to ksmtuned
- Add rhcd policy
- Dontaudit guest attempts to dbus chat with systemd domains
- Dontaudit guest attempts to dbus chat with system bus types
- Use a named transition in systemd_hwdb_manage_config()
- Add default fc specifications for patterns in /opt
- Add the files_create_etc_files() interface
- Allow nm-dispatcher console plugin create and write files in /etc
- Allow nm-dispatcher console plugin transition to the setfiles domain
- Allow more nm-dispatcher plugins append to init stream sockets
- Allow nm-dispatcher tlp plugin dbus chat with nm
- Reorder networkmanager_dispatcher_plugin_template() calls
- Allow svirt connectto virtlogd
- Allow blueman map its private memfd: files
- Allow sysadm user execute init scripts with a transition
- Allow sblim-sfcbd connect to sblim-reposd stream
- Allow keepalived_unconfined_script_t dbus chat with init
- Run restorecon with "-i" not to report errors
The %posttrans scriptlet contains explicit call to restorecon
to restore context of files/directories which are not handled
properly on updates. When a file or directory does not exist,
an error is reported:
/usr/sbin/restorecon: lstat(/etc/NetworkManager/dispatcher.d) failed: No such file or directory
warning: %posttrans(selinux-policy-targeted-36.8-1.fc36.noarch) scriptlet failed, exit status 255
Error in POSTTRANS scriptlet in rpm package selinux-policy-targeted
With the "-i" switch, restorecon does not report an error.
Resolves: rhbz#2082547
- Allow nm-dispatcher chronyc plugin append to init stream sockets
- Allow tmpreaper the sys_ptrace userns capability
- Label /usr/libexec/vdsm/supervdsmd and vdsmd with virtd_exec_t
- Allow nm-dispatcher tlp plugin read/write the wireless device
- Allow nm-dispatcher tlp plugin append to init socket
- Allow nm-dispatcher tlp plugin be client of a system bus
- Allow nm-dispatcher list its configuration directory
- Ecryptfs-private support
- Allow colord map /var/lib directories
- Allow ntlm_auth read the network state information
- Allow insights-client search rhnsd configuration directory
- Add support for systemd-network-generator
- Add the io_uring class
- Allow nm-dispatcher dhclient plugin append to init stream sockets
- Relax the naming pattern for systemd private shared libraries
- Allow nm-dispatcher iscsid plugin append to init socket
- Add the init_append_stream_sockets() interface
- Allow nm-dispatcher dnssec-trigger script to execute pidof
- Add support for nm-dispatcher dnssec-trigger scripts
- Allow chronyd talk with unconfined user over unix domain dgram socket
- Allow fenced read kerberos key tables
- Add support for nm-dispatcher ddclient scripts
- Add systemd_getattr_generic_unit_files() interface
- Allow fprintd read and write hardware state information
- Allow exim watch generic certificate directories
- Remove duplicate fc entries for corosync and corosync-notifyd
- Label corosync-cfgtool with cluster_exec_t
- Allow qemu-kvm create and use netlink rdma sockets
- Allow logrotate a domain transition to cluster administrative domain
- Add support for nm-dispatcher console helper scripts
- Allow nm-dispatcher plugins read its directory and sysfs
- Do not let system_cronjob_t create redhat-access-insights.log with var_log_t
- devices: Add a comment about cardmgr_dev_t
- Add basic policy for BinderFS
- Label /var/run/ecblp0 pipe with cupsd_var_run_t
- Allow rpmdb create directory in /usr/lib/sysimage
- Allow rngd drop privileges via setuid/setgid/setcap
- Allow init watch and watch_reads user ttys
- Allow systemd-logind dbus chat with sosreport
- Allow chronyd send a message to sosreport over datagram socket
- Remove unnecessary /etc file transitions for insights-client
- Label all content in /var/lib/insights with insights_client_var_lib_t
- Update insights-client policy
- Update NetworkManager-dispatcher cloud and chronyc policy
- Update insights-client: fc pattern, motd, writing to etc
- Allow systemd-sysctl read the security state information
- Allow init create and mounton to support PrivateDevices
- Allow sosreport dbus chat abrt systemd timedatex
- Allow sysadm_passwd_t to relabel passwd and group files
- Allow confined sysadmin to use tool vipw
- Allow login_userdomain map /var/lib/directories
- Allow login_userdomain watch library and fonts dirs
- Allow login_userdomain watch system configuration dirs
- Allow login_userdomain read systemd runtime files
- Allow ctdb create cluster logs
- Allow alsa bind mixer controls to led triggers
- New policy for insight-client
- Add mctp_socket security class and access vectors
- Fix koji repo URL pattern
- Update chronyd_pid_filetrans() to allow create dirs
- Update NetworkManager-dispatcher policy
- Allow unconfined to run virtd bpf
- Allow nm-privhelper setsched permission and send system logs
- Add the map permission to common_anon_inode_perm permission set
- Rename userfaultfd_anon_inode_perms to common_inode_perms
- Allow confined users to use kinit,klist and etc.
- Allow rhsmcertd create rpm hawkey logs with correct label