Commit Graph

170 Commits

Author SHA1 Message Date
Zdenek Pytela
9484341286 * Fri Dec 13 2024 Zdenek Pytela <zpytela@redhat.com> - 38.1.50-1
- Allow auditctl signal auditd
Resolves: RHEL-68969
- Fix the cups_read_pid_files() interface to use read_files_pattern
Resolves: RHEL-69517
- Dontaudit systemd-coredump the sys_resource capability
Resolves: RHEL-46339
- Allow rpcd read network sysctls
Resolves: RHEL-1558
- Allow irqbalance setpcap capability in the user namespace
Resolves: RHEL-69564
- Allow traceroute_t bind rawip sockets to unreserved ports
Resolves: RHEL-54561
- Allow svirt_t the sys_rawio capability
Resolves: RHEL-56955
- Change /run/sysctl\.d(/.*)? fc entry to /var/run/sysctl\.d(/.*)?
Resolves: RHEL-56988
- Exclude container-selinux manpage from selinux-policy-doc
Resolves: RHEL-69916
2024-12-13 15:45:13 +01:00
Zdenek Pytela
655176404c Exclude container-selinux manpage from selinux-policy-doc
The container_selinux.8 manpage is a part of the upstream
container-selinux package and it should rather be a part
of container-selinux.

Resolves: RHEL-69916
2024-12-13 14:47:24 +01:00
Zdenek Pytela
93f4aed9d6 * Fri Dec 06 2024 Zdenek Pytela <zpytela@redhat.com> - 38.1.49-1
- Update virtlogd policy
Resolves: RHEL-69433
- Allow svirt_t the sys_rawio capability
Resolves: RHEL-56955
- Allow qemu-ga the dac_override and dac_read_search capabilities
Resolves: RHEL-52476
- Allow ip the setexec permission
Resolves: RHEL-62923
- Allow alsa get attributes filesystems with extended attributes
Resolves: RHEL-61472
- Allow bacula execute container in the container domain
Resolves: RHEL-21168
- Allow httpd get attributes of dirsrv unit files
Resolves: RHEL-46808
- Update samba-bgqd policy
Resolves: RHEL-69517
- Allow samba-bgqd read cups config files
Resolves: RHEL-69517
- Update policy for samba-bgqd
Resolves: RHEL-69517
- Update bootupd policy for the removing-state-file test
Resolves: RHEL-66584
- Allow qatlib search the content of the kernel debugging filesystem
Resolves: RHEL-53864
- Allow qatlib connect to systemd-machined over a unix socket
Resolves: RHEL-53864
- Update qatlib policy for v24.02 with new features
Resolves: RHEL-53864
2024-12-06 17:19:42 +00:00
Milos Malik
29816f1443 try to enable CRB and EPEL repositories
Try to enable the following repositories:
 * EPEL
 * CRB

Do not fail when something goes wrong.
2024-12-03 15:51:58 +01:00
Zdenek Pytela
ea341191c4 * Tue Nov 12 2024 Zdenek Pytela <zpytela@redhat.com> - 38.1.48-1
- Revert "Allow unconfined_t execute kmod in the kmod domain"
Resolves: RHEL-65008
- Add policy for /usr/libexec/samba/samba-bgqd
Resolves: RHEL-53124
2024-11-12 17:57:29 +01:00
Zdenek Pytela
a79b0f387d * Wed Oct 23 2024 Zdenek Pytela <zpytela@redhat.com> - 38.1.47-1
- Label /etc/sysctl.d and /run/sysctl.d with system_conf_t
Resolves: RHEL-56988
- Allow lldpad create and use netlink_generic_socket
Resolves: RHEL-61832
- Allow unconfined_t execute kmod in the kmod domain
Resolves: RHEL-54710
- Allow confined users r/w to screen unix stream socket
Resolves: RHEL-50379
- Label /root/.screenrc and /root/.tmux.conf with screen_home_t
Resolves: RHEL-50375
- Allow iio-sensor-proxy the bpf capability
Resolves: RHEL-17346
2024-10-23 13:11:34 +02:00
Zdenek Pytela
b21b210b94 * Fri Oct 11 2024 Zdenek Pytela <zpytela@redhat.com> - 38.1.46-1
- Rebuild
2024-10-11 15:33:47 +02:00
Zdenek Pytela
93538d0a93 * Thu Oct 10 2024 Zdenek Pytela <zpytela@redhat.com> - 35.1.46-1
- Label /run/modprobe.d with modules_conf_t
Resolves: RHEL-61453
- Allow boothd connect to kernel over a unix socket
Resolves: RHEL-57104
- Allow boothd connect to systemd-userdbd over a unix socket
Resolves: RHEL-57104
- Additional updates stalld policy for bpf usage
Resolves: RHEL-57075
- Update stalld policy for bpf usage
Resolves: RHEL-57075
- Allow ptp4l the sys_admin capability
Resolves: RHEL-55133
- Label /dev/hfi1_[0-9]+ devices
Resolves: RHEL-54996
- Confine iio-sensor-proxy
Resolves: RHEL-17346
2024-10-10 21:54:48 +02:00
Zdenek Pytela
6d48c6e32c * Mon Sep 16 2024 Zdenek Pytela <zpytela@redhat.com> - 38.1.45-3
- Rebuild
Resolves: RHEL-55414
2024-09-16 17:29:25 +02:00
Zdenek Pytela
5273cf04c1 * Wed Sep 04 2024 Zdenek Pytela <zpytela@redhat.com> - 38.1.45-2
- Rebuild
Resolves: RHEL-55414
2024-09-04 12:11:27 +02:00
Zdenek Pytela
6b28f7d202 * Thu Aug 29 2024 Zdenek Pytela <zpytela@redhat.com> - 38.1.45-1
- Allow setsebool_t relabel selinux data files
Resolves: RHEL-55414
2024-08-29 14:28:06 +02:00
Zdenek Pytela
c72977faea * Mon Aug 12 2024 Zdenek Pytela <zpytela@redhat.com> - 38.1.44-1
- Allow coreos-installer-generator work with partitions
Resolves: RHEL-38614
- Label /etc/mdadm.conf.d with mdadm_conf_t
Resolves: RHEL-38614
- Change file context specification to /var/run/metadata
Resolves: RHEL-49735
- Allow initrc_t transition to passwd_t
Resolves: RHEL-17404
- systemd: allow systemd_notify_t to send data to kernel_t datagram sockets
Resolves: RHEL-25514
- systemd: allow sys_admin capability for systemd_notify_t
Resolves: RHEL-25514
- Change systemd-network-generator transition to include class file
Resolves: RHEL-47033
- Allow sshd_keygen_t connect to userdbd over a unix stream socket
Resolves: RHEL-47033
2024-08-12 22:55:56 +02:00
Zdenek Pytela
a922a23d90 * Wed Jul 31 2024 Zdenek Pytela <zpytela@redhat.com> - 38.1.43-1
- Allow rhsmcertd read/write access to /dev/papr-sysparm
Resolves: RHEL-49599
- Label /dev/papr-sysparm and /dev/papr-vpd
Resolves: RHEL-49599
- Allow rhsmcertd read, write, and map ica tmpfs files
Resolves: RHEL-50926
- Update afterburn file transition policy
Resolves: RHEL-49735
- Label /run/metadata with afterburn_runtime_t
Resolves: RHEL-49735
- Allow afterburn list ssh home directory
Resolves: RHEL-49735
- Support SGX devices
Resolves: RHEL-50922
- Allow systemd-pstore send a message to syslogd over a unix domain
Resolves: RHEL-45528
- Allow postfix_domain map postfix_etc_t files
Resolves: RHEL-46332
- Allow microcode create /sys/devices/system/cpu/microcode/reload
Resolves: RHEL-26821
- Allow svirt_tcg_t map svirt_image_t files
Resolves: RHEL-27141
- Allow systemd-hostnamed shut down nscd
Resolves: RHEL-45033
- Allow postfix_domain connect to postgresql over a unix socket
Resolves: RHEL-6776
2024-07-31 18:07:13 +02:00
Zdenek Pytela
2271084e56 * Thu Jul 18 2024 Zdenek Pytela <zpytela@redhat.com> - 38.1.42-1
- Label samba certificates with samba_cert_t
Resolves: RHEL-25724
- Allow systemd-coredumpd the sys_chroot capability
Resolves: RHEL-45245
- Allow svirt_tcg_t read vm sysctls
Resolves: RHEL-27141
- Label /usr/sbin/samba-gpupdate with samba_gpupdate_exec_t
Resolves: RHEL-25724
- Label /var/run/coreos-installer-reboot with coreos_installer_var_run_t
Resolves: RHEL-38614
- Allow coreos-installer add systemd unit file links
Resolves: RHEL-38614
2024-07-18 13:52:06 +02:00
Zdenek Pytela
c74c6d2868 * Sun Jul 07 2024 Zdenek Pytela <zpytela@redhat.com> - 38.1.41-1
- Differentiate between staff and sysadm when executing crontab with sudo
Resolves: RHEL-31888
- Label /usr/bin/samba-gpupdate with samba_gpupdate_exec_t
Resolves: RHEL-25724
- Allow unconfined_service_t transition to passwd_t
Resolves: RHEL-17404
- Allow sbd to trace processes in user namespace
Resolves: RHEL-44680
- Allow systemd-coredumpd sys_admin and sys_resource capabilities
Resolves: RHEL-45245
- Label /usr/lib/node_modules/npm/bin with bin_t
Resolves: RHEL-36587
- Support /var is empty
Resolves: RHEL-29331
- Allow timemaster write to sysfs files
Resolves: RHEL-28777
- Don't audit crontab_domain write attempts to user home
Resolves: RHEL-31888
- Transition from sudodomains to crontab_t when executing crontab_exec_t
Resolves: RHEL-31888
- Fix label of pseudoterminals created from sudodomain
Resolves: RHEL-31888
2024-07-07 22:17:56 +02:00
Zdenek Pytela
9ff33f15d5 * Tue Jun 18 2024 Zdenek Pytela <zpytela@redhat.com> - 38.1.40-1
- Allow systemd-coredump read nsfs files
Resolves: RHEL-39937
- Allow login_userdomain execute systemd-tmpfiles in the caller domain
Resolves: RHEL-40374
- Allow ptp4l_t request that the kernel load a kernel module
Resolves: RHEL-38905
- Allow collectd to trace processes in user namespace
Resolves: RHEL-36293
2024-06-18 22:32:39 +02:00
Zdenek Pytela
89ceaca299 * Thu Jun 06 2024 Zdenek Pytela <zpytela@redhat.com> - 38.1.39-1
- Add interfaces for watching and reading ifconfig_var_run_t
Resolves: RHEL-39408
- Allow dhcpcd use unix_stream_socket
Resolves: RHEL-39408
- Allow dhcpc read /run/netns files
Resolves: RHEL-39408
- Allow all domains read and write z90crypt device
Resolves: RHEL-38833
- Allow bootupd search efivarfs dirs
Resolves: RHEL-36289
- Move unconfined_domain(sap_unconfined_t) to an optional block
Resolves: RHEL-37663
2024-06-06 23:54:31 +02:00
Zdenek Pytela
df730c18c8 * Thu May 16 2024 Zdenek Pytela <zpytela@redhat.com> - 38.1.38-1
- Add boolean qemu-ga to run unconfined script
Resolves: RHEL-31211
- Ensure dbus communication is allowed bidirectionally
Resolves: RHEL-35782
- Allow logwatch_mail_t read network sysctls
Resolves: RHEL-34135
- Allow sysadm execute dmidecode using sudo
Resolves: RHEL-16104
- Allow sudodomain list files in /var
Resolves: RHEL-16104
- Allow various services read and write z90crypt device
Resolves: RHEL-33361
- Allow system_cronjob_t dbus chat with avahi_t
Resolves: RHEL-32290
- Allow setroubleshootd get attributes of all sysctls
Resolves: RHEL-34078
- Remove permissive domain for bootupd_t
Resolves: RHEL-22173
2024-05-16 18:15:13 +02:00
Zdenek Pytela
1292191ae3 * Tue May 07 2024 Zdenek Pytela <zpytela@redhat.com> - 38.1.37-1
- Allow numad to trace processes in user namespace
Resolves: RHEL-33994
- Remove permissive domain for rshim_t
Resolves: RHEL-22173
- Remove permissive domain for mptcpd_t
Resolves: RHEL-22173
- Remove permissive domain for coreos_installer_t
Resolves: RHEL-22173
- Remove permissive domain for afterburn_t
Resolves: RHEL-22173
- Update afterburn policy
Resolves: RHEL-22173
- Allow bootupd search EFI directory
Resolves: RHEL-22172
- Add the bootupd module
Resolves: RHEL-22172
- Add policy for bootupd
Resolves: RHEL-22172
- Label /dev/mmcblk0rpmb character device with removable_device_t
Resolves: RHEL-28080
- Differentiate between staff and sysadm when executing crontab with sudo
Resolves: RHEL-31888
- Add crontab_admin_domtrans interface
Resolves: RHEL-31888
- Add crontab_domtrans interface
Resolves: RHEL-31888
- Allow svirt_t read vm sysctls
Resolves: RHEL-32296
2024-05-07 22:35:20 +02:00
Zdenek Pytela
eab0528813 * Mon Apr 15 2024 Zdenek Pytela <zpytela@redhat.com> - 38.1.36-1
- Allow systemd-timedated get the timemaster service status
Resolves: RHEL-25978
- postfix: allow qmgr to delete mails in bounce/ directory
Resolves: RHEL-30271
- Allow NetworkManager the sys_ptrace capability in user namespace
Resolves: RHEL-24346
- Label /dev/iommu with iommu_device_t
Resolves: RHEL-22063
- Allow qemu-ga read vm sysctls
Resolves: RHEL-31892
- Update repository link and branches names for c9s
Related: RHEL-22960
2024-04-15 15:04:15 +02:00
Zdenek Pytela
e04ed68484 Update repository link and branches names for c9s
Now the fedora-selinux/selinux-policy repository is used for policy
sources and both git and dist-git use the c9s branch.

Related: RHEL-22960
2024-04-15 15:00:51 +02:00
Zdenek Pytela
1b5f5feb56 * Thu Mar 14 2024 Zdenek Pytela <zpytela@redhat.com> - 38.1.35-2
- Rebuild
Resolves: RHEL-26663
2024-03-14 15:02:43 +01:00
Zdenek Pytela
56acbf608d * Fri Mar 08 2024 Zdenek Pytela <zpytela@redhat.com> - 38.1.35-1
- Allow wdmd read hardware state information
Resolves: RHEL-26663
2024-03-08 18:32:26 +01:00
Zdenek Pytela
832df72f06 * Fri Mar 08 2024 Zdenek Pytela <zpytela@redhat.com> - 38.1.34-1
- Allow wdmd list the contents of the sysfs directories
Resolves: RHEL-26663
- Allow linuxptp configure phc2sys and chronyd over a unix domain socket
Resolves: RHEL-26660
2024-03-08 12:03:52 +01:00
Juraj Marcin
46be9da4df * Thu Feb 22 2024 Juraj Marcin <jmarcin@redhat.com> - 38.1.33-1
- Allow thumb_t to watch and watch_reads mount_var_run_t
Resolves: RHEL-26073
- Allow opafm create NFS files and directories
Resolves: RHEL-17820
- Label /tmp/libdnf.* with user_tmp_t
Resolves: RHEL-11250
2024-02-22 18:19:15 +01:00
Juraj Marcin
6d154864b5 * Thu Feb 15 2024 Juraj Marcin <jmarcin@redhat.com> - 38.1.32-1
- Dontaudit subscription manager setfscreate and read file contexts
Resolves: RHEL-21635
- Allow xdm_t to watch and watch_reads mount_var_run_t
Resolves: RHEL-24841
- Allow unix dgram sendto between exim processes
Resolves: RHEL-21902
- Allow utempter_t use ptmx
Resolves: RHEL-24946
- Only allow confined user domains to login locally without unconfined_login
Resolves: RHEL-1551
- Add userdom_spec_domtrans_confined_admin_users interface
Resolves: RHEL-1551
- Only allow admindomain to execute shell via ssh with ssh_sysadm_login
Resolves: RHEL-1551
- Add userdom_spec_domtrans_admin_users interface
Resolves: RHEL-1551
- Move ssh dyntrans to unconfined inside unconfined_login tunable policy
Resolves: RHEL-1551
2024-02-15 18:32:21 +01:00
Juraj Marcin
f9546d9349 * Thu Jan 25 2024 Juraj Marcin <jmarcin@redhat.com> - 38.1.31-1
- Allow chronyd-restricted read chronyd key files
Resolves: RHEL-18219
- Allow conntrackd_t to use bpf capability2
Resolves: RHEL-22277
- Allow smbd_t to watch user_home_dir_t if samba_enable_home_dirs is on
Resolves: RHEL-14735
- Allow hypervkvp_t write access to NetworkManager_etc_rw_t
Resolves: RHEL-14505
- Add interface for write-only access to NetworkManager rw conf
Resolves: RHEL-14505
- Allow unconfined_domain_type use IORING_OP_URING_CMD on all device nodes
Resolves: RHEL-11792
2024-01-25 14:18:27 +01:00
Zdenek Pytela
88b880c6c7 * Fri Jan 12 2024 Zdenek Pytela <zpytela@redhat.com> - 38.1.30-1
- Allow sysadm execute traceroute in sysadm_t domain using sudo
Resolves: RHEL-14077
- Allow qatlib set attributes of vfio device files
Resolves: RHEL-19051
- Allow qatlib load kernel modules
Resolves: RHEL-19051
- Allow qatlib run lspci
Resolves: RHEL-19051
- Allow qatlib manage its private runtime socket files
Resolves: RHEL-19051
- Allow qatlib read/write vfio devices
Resolves: RHEL-19051
- Allow syslog to run unconfined scripts conditionally
Resolves: RHEL-11174
- Allow syslogd_t nnp_transition to syslogd_unconfined_script_t
Resolves: RHEL-11174
- Allow sendmail MTA connect to sendmail LDA
Resolves: RHEL-15175
- Allow sysadm execute tcpdump in sysadm_t domain using sudo
Resolves: RHEL-15432
- Allow opafm search nfs directories
Resolves: RHEL-17820
- Allow mdadm list stratisd data directories
Resolves: RHEL-19276
- Update cyrus_stream_connect() to use sockets in /run
Resolves: RHEL-19282
- Allow collectd connect to statsd port
Resolves: RHEL-21044
- Allow insights-client transition to sap unconfined domain
Resolves: RHEL-21452
- Create the sap module
Resolves: RHEL-21452
2024-01-13 00:24:21 +01:00
Zdenek Pytela
05d668a2ce Add the sap module to modules-targeted-contrib.conf
Resolves: RHEL-21452
2024-01-12 19:14:13 +01:00
Juraj Marcin
c2074133ec * Thu Dec 14 2023 Juraj Marcin <jmarcin@redhat.com> - 38.1.29-1
- Add init_explicit_domain() interface
Resolves: RHEL-18219
- Allow dovecot_auth_t connect to postgresql using UNIX socket
Resolves: RHEL-16850
- Allow keepalived_t to use sys_ptrace of cap_userns
Resolves: RHEL-17156
- Make `bootc` be `install_exec_t`
Resolves: RHEL-19199
- Add support for chronyd-restricted
Resolves: RHEL-18219
- Label /dev/vas with vas_device_t
Resolves: RHEL-17336
- Allow gpsd use /dev/gnss devices
Resolves: RHEL-16676
- Allow sendmail manage its runtime files
Resolves: RHEL-15175
- Add support for syslogd unconfined scripts
Resolves: RHEL-11174
2023-12-14 14:17:21 +01:00
Juraj Marcin
575be8bea0 Add /bin = /usr/bin file context equivalency
Resolves: RHEL-5032
2023-12-14 14:00:17 +01:00
Juraj Marcin
a53a4197a0 * Thu Nov 30 2023 Juraj Marcin <jmarcin@redhat.com> - 38.1.28-1
- Create interface selinux_watch_config and add it to SELinux users
Resolves: RHEL-1555
- Allow winbind_rpcd_t processes access when samba_export_all_* is on
Resolves: RHEL-16273
- Allow samba-dcerpcd connect to systemd_machined over a unix socket
Resolves: RHEL-16273
- Allow winbind-rpcd make a TCP connection to the ldap port
Resolves: RHEL-16273
- Allow sudodomain read var auth files
Resolves: RHEL-16708
- Allow auditd read all domains process state
Resolves: RHEL-14285
- Allow rsync read network sysctls
Resolves: RHEL-14638
- Add dhcpcd bpf capability to run bpf programs
Resolves: RHEL-15326
- Allow systemd-localed create Xserver config dirs
Resolves: RHEL-16716
- Label /var/run/tmpfiles.d/static-nodes.conf with kmod_var_run_t
Resolves: RHEL-1553
- Update sendmail policy module for opensmtpd
Resolves: RHEL-15175
2023-11-30 11:37:06 +01:00
Juraj Marcin
4715f116ff * Tue Nov 14 2023 Juraj Marcin <jmarcin@redhat.com> - 38.1.27-1
- Remove glusterd module
Resolves: RHEL-1548
- Improve default file context(None) of /var/lib/authselect/backups
Resolves: RHEL-15220
- Set default file context of /var/lib/authselect/backups to <<none>>
Resolves: RHEL-15220
- Create policy for afterburn
Resolves: RHEL-12591
- Allow unconfined_domain_type use io_uring cmd on domain
Resolves: RHEL-11792
- Add policy for coreos installer
Resolves: RHEL-5164
- Add policy for nvme-stas
Resolves: RHEL-1557
- Label /var/run/auditd.state as auditd_var_run_t
Resolves: RHEL-14374
- Allow ntp to bind and connect to ntske port.
Resolves: RHEL-15085
- Allow ip an explicit domain transition to other domains
Resolves: RHEL-14246
- Label /usr/libexec/selinux/selinux-autorelabel with semanage_exec_t
Resolves: RHEL-14289
- Allow sssd domain transition on passkey_child execution conditionally
Resolves: RHEL-14014
- Allow sssd use usb devices conditionally
Resolves: RHEL-14014
- Allow kdump create and use its memfd: objects
Resolves: RHEL-14413
2023-11-14 20:51:42 +01:00
Juraj Marcin
dbd1e9f272 Remove glusterd from modules-targeted-*.conf
Resolves: RHEL-1548
2023-11-14 20:51:42 +01:00
Juraj Marcin
13b73ff37a Add afterburn to modules-targeted-contrib.conf
Resolves: RHEL-12591
2023-11-14 20:51:42 +01:00
Zdenek Pytela
04adb244ee Add coreos_installer to modules-targeted-contrib.conf
Resolves: RHEL-5164
2023-11-14 20:51:29 +01:00
Zdenek Pytela
eccb49870a Add nvme_stas to modules-targeted-contrib.conf
Resolves: RHEL-1557
2023-11-14 20:51:12 +01:00
Milos Malik
f8347e3b30 fix the sequence of script commands
A missing ';' character can cause an error when the script lines
get concatenated and executed on RHEL-9 machines.
2023-11-09 08:08:39 +01:00
Milos Malik
bd4dd09bb0 run relevant Tier1 tests via TMT
From now on, all relevant Tier1 tests will be executed via TMT.
2023-11-02 14:05:24 +01:00
Zdenek Pytela
78a1079d35 * Tue Oct 31 2023 Zdenek Pytela <zpytela@redhat.com> - 38.1.26-1
- Allow kdump create and use its memfd: objects
Resolves: RHEL-14413
2023-10-31 11:17:20 +01:00
Zdenek Pytela
01fb30d35f * Fri Oct 20 2023 Zdenek Pytela <zpytela@redhat.com> - 38.1.25-1
- Add map_read map_write to kernel_prog_run_bpf
Resolves: RHEL-2653
- Allow sysadm_t read nsfs files
Resolves: RHEL-5146
- Dontaudit keepalived setattr on keepalived_unconfined_script_exec_t
Resolves: RHEL-14029
- Allow system_mail_t manage exim spool files and dirs
Resolves: RHEL-14110
- Label /run/pcsd.socket with cluster_var_run_t
Resolves: RHEL-1664
2023-10-20 14:55:36 +02:00
Juraj Marcin
8f1dc2715d * Fri Sep 29 2023 Juraj Marcin <jmarcin@redhat.com> - 38.1.24-1
- Allow cupsd_t to use bpf capability
Resolves: RHEL-3633
- Label /dev/gnss[0-9] with gnss_device_t
Resolves: RHEL-9936
- Dontaudit rhsmcertd write memory device
Resolves: RHEL-1547
2023-09-29 20:24:09 +02:00
Juraj Marcin
dbf07eba2d Update source branches to build a new package for RHEL 9.4.0
Resolves: RHEL-1547
2023-09-29 20:20:48 +02:00
Nikola Knazekova
33abfa2432 * Fri Aug 25 2023 Nikola Knazekova <nknazeko@redhat.com> - 38.1.23-1
- Allow cups-pdf connect to the system log service
Resolves: rhbz#2234765
- Update policy for qatlib
Resolves: rhbz#2080443
2023-08-25 21:11:09 +02:00
Nikola Knazekova
80c07f8e7b * Thu Aug 24 2023 Nikola Knazekova <nknazeko@redhat.com> - 38.1.22-1
- Allow qatlib to modify hardware state information.
Resolves: rhbz#2080443
- Update policy for fdo
Resolves: rhbz#2229722
- Allow gpsd, oddjob and oddjob_mkhomedir_t write user_tty_device_t chr_file
Resolves: rhbz#2223305
- Allow svirt to rw /dev/udmabuf
Resolves: rhbz#2223727
- Allow keepalived watch var_run dirs
Resolves: rhbz#2186759
2023-08-24 16:07:28 +02:00
Nikola Knazekova
dfa70ba52b * Thu Aug 17 2023 Nikola Knazekova <nknazeko@redhat.com> - 38.1.21-1
- Allow logrotate_t to map generic files in /etc
Resolves: rhbz#2231257
- Allow insights-client manage user temporary files
Resolves: rhbz#2224737
- Make insights_client_t an unconfined domain
Resolves: rhbz#2225526
2023-08-17 16:29:24 +02:00
Nikola Knazekova
d504b523d0 * Fri Aug 11 2023 Nikola Knazekova <nknazeko@redhat.com> - 38.1.20-1
- Allow user_u and staff_u get attributes of non-security dirs
Resolves: rhbz#2215507
- Allow cloud_init create dhclient var files and init_t manage net_conf_t
Resolves: rhbz#2225418
- Allow samba-dcerpc service manage samba tmp files
Resolves: rhbz#2230365
- Update samba-dcerpc policy for printing
Resolves: rhbz#2230365
- Allow sysadm_t run kernel bpf programs
Resolves: rhbz#2229936
- allow mon_procd_t self:cap_userns sys_ptrace
Resolves: rhbz#2221986
- Remove nsplugin_role from mozilla.if
Resolves: rhbz#2221251
- Allow unconfined user filetrans chrome_sandbox_home_t
Resolves: rhbz#2187893
- Allow pdns name_bind and name_connect all ports
Resolves: rhbz#2047945
- Allow insights-client read and write cluster tmpfs files
Resolves: rhbz#2221631
- Allow ipsec read nsfs files
Resolves: rhbz#2230277
- Allow upsmon execute upsmon via a helper script
Resolves: rhbz#2228403
- Fix labeling for no-stub-resolv.conf
Resolves: rhbz#2148390
- Add use_nfs_home_dirs boolean for mozilla_plugin
Resolves: rhbz#2214298
- Change wording in /etc/selinux/config
Resolves: rhbz#2143153
2023-08-11 18:37:49 +02:00
Nikola Knazekova
f44c4567b9 Change wording in /etc/selinux/config
Replace "In earlier Fedora kernel builds"
with "Up to RHEL 8 release included,".

Update doc link

Resolves: rhbz#2143153
2023-08-11 18:34:53 +02:00
Nikola Knazekova
32396fb0bc * Thu Aug 03 2023 Nikola Knazekova <nknazeko@redhat.com> - 38.1.19-1
- Allow qatlib to read sssd public files
Resolves: rhbz#2080443
- Fix location for /run/nsd
Resolves: rhbz#2181600
- Allow samba-rpcd work with passwords
Resolves: rhbz#2107092
- Allow rpcd_lsad setcap and use generic ptys
Resolves: rhbz#2107092
- Allow gpsd,oddjob,oddjob_mkhomedir rw user domain pty
Resolves: rhbz#2223305
- Allow keepalived to manage its tmp files
Resolves: rhbz#2179212
- Allow nscd watch system db dirs
Resolves: rhbz#2152124
2023-08-03 20:10:18 +02:00
Nikola Knazekova
ebddc59c06 * Fri Jul 21 2023 Nikola Knazekova <nknazeko@redhat.com> - 38.1.18-1
- Boolean: Allow virt_qemu_ga create ssh directory
Resolves: rhbz#2181402
- Allow virt_qemu_ga_t create .ssh dir with correct label
Resolves: rhbz#2181402
- Set default ports for keylime policy
Resolves: RHEL-594
- Allow unconfined service inherit signal state from init
Resolves: rhbz#2186233
- Allow sa-update connect to systemlog services
Resolves: rhbz#2220643
- Allow sa-update manage spamc home files
Resolves: rhbz#2220643
- Label only /usr/sbin/ripd and ripngd with zebra_exec_t
Resolves: rhbz#2213605
- Add the files_getattr_non_auth_dirs() interface
Resolves: rhbz#2076933
- Update policy for the sblim-sfcb service
Resolves: rhbz#2076933
- Define equivalency for /run/systemd/generator.early
Resolves: rhbz#2213516
2023-07-25 15:46:54 +02:00