Vit Mojzis
ab34faefd5
Fri Feb 27 2026 Vit Mojzis <vmojzis@redhat.com> - 42.1.18-2
...
- Rebuild for SELinux userspace 3.10
This is needed because the policydb version was increased to 24 in the
latest userspace.
1c1631b16d
Resolves: RHEL-152308
2026-02-27 12:06:06 +01:00
Zdenek Pytela
cc5a8d52a6
* Mon Feb 23 2026 Zdenek Pytela <zpytela@redhat.com> - 42.1.18-1
...
- Allow NetworkManager list bpf directories
Resolves: RHEL-142171
- Dontaudit systemd-generator connect to sssd over a unix stream socket
Resolves: RHEL-114886
- Allow pkcsslotd read files in /proc and /sys
Resolves: RHEL-130812
- Allow pkcsslotd map its private tmpfs files
Resolves: RHEL-130812
- Allow tlshd communication to unconfined_t over a tcp socket
Resolves: RHEL-125106
- Label /run/insights-client.ppid with insights_client_run_t
Resolves: RHEL-146687
- Allow NM nvme dispatcher script start systemd services
Resolves: RHEL-140760
- Allow tlshd write generic certificate dirs
Resolves: RHEL-127023
- Allow aide get attributes of tmpfs and devtmpfs filesystems
Resolves: RHEL-121479
- Allow plasma login manager stop login services
Resolves: RHEL-140911
- Rebuild selinux policy after installation of the extra package
Resolves: RHEL-135875
Resolves: RHEL-143926
- Move triggerin scriptlets to the parent packages
Resolves: RHEL-141813
- Rebuild policy before running {binsbin|varrun}-convert.sh
Resolves: RHEL-141813
2026-02-23 18:29:17 +01:00
Vit Mojzis
e9fa604b58
Rebuild policy before running {binsbin|varrun}-convert.sh
...
Both {binsbin|varrun}-convert.sh scripts use
/etc/selinux/<policytype>/contexts/files/file_contexts file, which is
updated during policy rebuild. Therefore the policy needs to be rebuilt
before the scripts are executed in order for
%remove{Binsbin|VarRun}ModuleLua to take effect.
Without the policy rebuild, both extra_{binsbin|varrun} modules get
removed on each selinux-policy-targeted update, since
%remove{Binsbin|VarRun}ModuleLua removes the module file, but there is
no change to /contexts/files/file_contexts and
{binsbin|varrun}-convert.sh results in a noop (no module installation).
Also, fix labels of both /var/run and /usr/sbin since %relabel is
executed before the -convert scripts.
Resolves: RHEL-141813
2026-02-23 18:07:34 +01:00
Vit Mojzis
10195126e9
Move triggerin scriptlets to the parent packages
...
Most DSP packages are required by their parent package (e.g. usbguard
requires usbguard-selinux), which determines the installation order.
The -selinux package is installed first and the parent package second.
The "triggerin" scriptlets are supposed to fix labeling of the parent
package binaries, but those are not in place yet when the -selinux
package gets installed.
Targeting the parent package ensures that both the binaries and the
corresponding policy module are already in place. If selinux-policy is
not present in the system (and the -selinux package therefore does not
get installed), the scriptlet is not triggered at all.
Fixes:
$ sudo dnf install usbguard
...
Running transaction
Preparing : 1/1
Running scriptlet: usbguard-selinux-1.1.3-6.el10.noarch 1/4
Installing : usbguard-selinux-1.1.3-6.el10.noarch 1/4
Running scriptlet: usbguard-selinux-1.1.3-6.el10.noarch 1/4
/usr/sbin/restorecon: lstat(/usr/sbin/usbguard*) failed: No such file or directory
warning: %triggerin(selinux-policy-42.1.7-1.el10.noarch) scriptlet failed, exit status 255
Error in <unknown> scriptlet in rpm package usbguard-selinux
Installing : protobuf-3.19.6-11.el10.x86_64 2/4
Installing : libqb-2.0.8-6.el10.x86_64 3/4
Installing : usbguard-1.1.3-6.el10.x86_64 4/4
Running scriptlet: usbguard-1.1.3-6.el10.x86_64 4/4
Running scriptlet: usbguard-selinux-1.1.3-6.el10.noarch 4/4
Running scriptlet: usbguard-1.1.3-6.el10.x86_64 4/4
Installed products updated.
Resolves: RHEL-141813
2026-02-23 18:05:58 +01:00
Veronika Syncakova
c50b7abf33
selinux-policy-42.1.17-2
...
- Rebuild selinux policy after installation of the extra package
Resolves: RHEL-135875
2026-02-18 12:10:10 +01:00
Zdenek Pytela
5fa5440168
* Fri Feb 13 2026 Zdenek Pytela <zpytela@redhat.com> - 42.1.17-1
...
- Allow rhsmcertd read anaconda run files
Resolves: RHEL-141391
- Allow mdadm to use CAP_BPF during RAID monitoring
Resolves: RHEL-135765
- Allow mdadm the CAP_SYS_PTRACE capability
Resolves: RHEL-135765
- Allow staff and sysadm execute iotop using sudo
Resolves: RHEL-134940
- Allow kernel_t to read/write all domains' pipes
Resolves: RHEL-124442
- Allow nfsd_t domain setuid and setgid capability for rpc.mountd
Resolves: RHEL-148107
2026-02-13 14:50:23 +01:00
Zdenek Pytela
4c11bd9602
* Fri Feb 06 2026 Zdenek Pytela <zpytela@redhat.com> - 42.1.16-1
...
- Allow sshd-session inherit limits from its parent sshd process
Resolves: RHEL-136673
- Revert "Allow sshd-session inherit limits from its parent process"
Resolves: RHEL-136673
- Allow tlshd write generic certificates
Resolves: RHEL-123737
- Allow systemd-hostnamed to create its Varlink socket
Resolves: RHEL-139385
- Update gpg_role() interface with unix_stream_socket permissions
Resolves: RHEL-128555
- Label /etc/aliases.cdb with etc_aliases_t
Resolves: RHEL-109976
- Add aliases.lmdb to mta_filetrans_named_content()
Resolves: RHEL-140884
- Update policy for bootupd
Resolves: RHEL-141391
2026-02-06 17:00:59 +01:00
Vit Mojzis
0e246205f4
Macros: Require only "stable" version of selinux-policy
...
In special circumstances it is possible that selinux-policy used to
build a DSP package is later not available for installation.
Work around this problem by only recommending the latest policy version
and adding a fallback "Requires" to a hardcoded "stable" version. This
version should be updated when major policy changes take place.
Resolves: RHEL-141423
2026-01-27 11:50:02 +01:00
Zdenek Pytela
cca03a1822
* Mon Jan 26 2026 Zdenek Pytela <zpytela@redhat.com> - 42.1.15-1
...
- Allow hostapd write to socket files in /tmp
Resolves: RHEL-77047
- Allow stap server read virtual memory sysctls
Resolves: RHEL-114104
- Allow sshd-session inherit limits from its parent process
Resolves: RHEL-136673
- Allow sshd noatsecure on sshd-session execution
Resolves: RHEL-138247
- Allow sshd-net read and write to sshd vsock socket
Related: RHEL-138247
2026-01-26 17:43:03 +01:00
Zdenek Pytela
490b991228
Update specfile trigger for openwsman
...
Resolves: RHEL-133024
2026-01-09 16:53:02 +01:00
Zdenek Pytela
b2dcfa5570
* Fri Jan 09 2026 Zdenek Pytela <zpytela@redhat.com> - 42.1.14-1
...
- Update ktls policy
Resolves: RHEL-123737
- Update policy for redfish-finder
Resolves: RHEL-50299
- Allow sshd-session read, write, and map ica tmpfs files
Resolves: RHEL-138247
- Allow sshd_net_t ioctl on unix_stream_socket of sshd_session_t
Resolves: RHEL-127721
- Allow stalld map sysfs files
Resolves: RHEL-135512
- Allow aide get attributes of a filesystem with extended attributes
Resolves: RHEL-121479
- Label miscellaneous /dev/papr-* devices
Resolves: RHEL-129839
- Allow KDE Plasma Login Manager to function as a display manager
Resolves: RHEL-135676
- Update specfile trigger for openwsmand
Resolves: RHEL-133024
2026-01-09 16:48:55 +01:00
Zdenek Pytela
f864196683
* Thu Dec 11 2025 Zdenek Pytela <zpytela@redhat.com> - 42.1.13-1
...
- Add the rpm_signal() interface
Related: RHEL-107589
- Allow tuned_t use its private tmpfs files
Related: RHEL-107589
- Allow samba-bgqd send to smbd over a unix datagram socket
Resolves: RHEL-93731
- Allow kdump search kdumpctl_tmp_t directories
Resolves: RHEL-116041
- Confine redfish_finder - host api discovery service
Resolves: RHEL-50299
- Update policy for dhcpc_hook_t
Resolves: RHEL-113937
- Label /usr/libexec/dhcpcd-run-hooks with dhcpc_hook_exec_t
Resolves: RHEL-113937
- Allow systemd to map files under /sys
Resolves: RHEL-132638
2025-12-11 20:35:39 +01:00
Zdenek Pytela
4afa8953fb
Update specfile trigger for smartmontools
...
Resolves: RHEL-113167
2025-11-26 20:22:23 +01:00
Zdenek Pytela
3c0c6e4aa8
* Wed Nov 26 2025 Zdenek Pytela <zpytela@redhat.com> - 42.1.12-1
...
- Update kernel_secretmem_use()
Resolves: RHEL-116154
- Allow system_mail_t read apache system content conditionally
Resolves: RHEL-114970
- Allow create kerberos files in postgresql db home
Resolves: RHEL-119619
- Update specfile trigger for smartmontools
Resolves: RHEL-113167
2025-11-26 20:19:40 +01:00
Vit Mojzis
31b63ea738
Add missing binsbin and varrun script calls
...
Related: RHEL-116044
2025-11-13 14:04:51 +01:00
Zdenek Pytela
cc78cf0044
* Tue Nov 11 2025 Zdenek Pytela <zpytela@redhat.com> - 42.1.11-1
...
- Allow iotop stream connect to systemd-userdbd
Resolves: RHEL-105481
- Allow insights-client manage /etc symlinks
Resolves: RHEL-107589
- Allow insights-client get attributes of the rpm executable
Resolves: RHEL-124855
- Allow nfsidmapd search virt lib directories
Resolves: RHEL-68722
- Allow kdump search kdumpctl_tmp_t directories
Resolves: RHEL-116041
2025-11-11 22:21:45 +01:00
Zdenek Pytela
2ed1e92aa1
Update specfile triggers for DSP modules
...
Resolves: RHEL-116044
2025-10-28 14:59:17 +01:00
Zdenek Pytela
d386a97bbf
* Mon Oct 27 2025 Zdenek Pytela <zpytela@redhat.com> - 42.1.10-1
...
- Allow sshd-auth read generic proc files
Resolves: RHEL-107732
- Allow sshd-auth read and write user domain ptys
Resolves: RHEL-107732
- Allow sshd-session get attributes of sshd vsock socket
Resolves: RHEL-107732
- Adjust guest and xguest users policy for sshd-session
Resolves: RHEL-107732
- Update files_search_base_file_types()
Resolves: RHEL-107732
- Allow sshd-session read cockpit pid files
Resolves: RHEL-107732
- Add default contexts for sshd-session
Resolves: RHEL-107732
- Define types for new openssh executables
Resolves: RHEL-107732
- Allow ras-mc-ctl get attributes of the kmod executable
Resolves: RHEL-102535
- Define file equivalency for /var/opt
Resolves: RHEL-116512
- Update specfile triggers for DSP modules
Resolves: RHEL-116044
2025-10-28 11:52:07 +01:00
Zdenek Pytela
932ca30f2d
* Wed Oct 08 2025 Zdenek Pytela <zpytela@redhat.com> - 42.1.9-1
...
- Allow systemd-oomd watch tmpfs dirs
Resolves: RHEL-106998
- Allow systemd-oomd watch dbus pid sock files
Resolves: RHEL-106998
- Allow userdomain to connect to systemd-oomd over a unix socket
Resolves: RHEL-106998
- Allow 'oomctl dump' to interact with systemd-oomd
Resolves: RHEL-106998
- Basic functionality for systemd-oomd
Resolves: RHEL-106998
- Basic enablement for systemd-oomd
Resolves: RHEL-106998
- Remove permissive domains
Resolves: RHEL-107038
- Allow iptables manage its private fifo_files in /tmp
Resolves: RHEL-83775
- Allow ras-mc-ctl write to sysfs files
Resolves: RHEL-86926
- Allow nfs generator create and use netlink sockets
Resolves: RHEL-111556
- Revert "Allow virt_domain write to virt_image_t files"
Resolves: RHEL-93773
2025-10-08 15:45:52 +02:00
Zdenek Pytela
697ef79028
* Fri Sep 19 2025 Zdenek Pytela <zpytela@redhat.com> - 42.1.8-1
...
- Reapply "Add insights_core interfaces"
Resolves: RHEL-112368
- Reapply "Add policy for insights-core"
Resolves: RHEL-112368
2025-09-24 13:51:25 +02:00
jan janasek
29a65ab4d4
selinux-policy: eliminate overlapping test plans
...
component-filtered and tier1-filtered plans overlap for tests that have the metadata
"tier: 1" and "component:selinux-policy", therefore the condition "tier:-1" was added to the component-filtered
plan so that those tests are not run twice.
Signed-off-by: Jan Janasek <jjanasek@redhat.com>
2025-08-25 13:11:18 +02:00
Zdenek Pytela
9448d92f10
* Thu Aug 21 2025 Zdenek Pytela <zpytela@redhat.com> - 42.1.7-1
...
- Revert "Add policy for insights-core"
Resolves: RHEL-110651
- Revert "Add insights_core interfaces"
Resolves: RHEL-110651
2025-08-21 22:21:55 +02:00
Vit Mojzis
f9b8f17b4f
Add selinux-policy-automotive sub-package
...
The package is modeled after selinux-policy-minimum in that it contains
all the modules that are present in selinux-policy-targeted, but most of
them are disabled (all that are not present in modules-automotive.lst).
Requires dist/automotive directory containing config files in the
selinux-policy tar.
Resolves: RHEL-105410
2025-08-13 13:19:09 +02:00
Zdenek Pytela
e37d06d30f
Add binsbin-convert.sh script
...
After selinux-policy part of Changes/Unify_bin_and_sbin [1] has been
done, some packages shipping their own policy modules still contain
entries in /usr/sbin. For such entries not to be overridden by the
/usr/sbin=/usr/bin equivalency, this script is meant as a temporary
measure to create an extra SELinux local module with equivalent entries,
but in /usr/bin.
Debugging:
DEBUG=yes /usr/libexec/selinux/binsbin-convert.sh targeted
[1] https://fedoraproject.org/wiki/Changes/Unify_bin_and_sbin
Resolves: RHEL-69118
2025-08-12 16:21:34 +02:00
Zdenek Pytela
c4ebc6797d
* Tue Aug 12 2025 Zdenek Pytela <zpytela@redhat.com> - 42.1.6-1
...
- Apply generator template to selinux-autorelabel generator
Resolves: RHEL-107516
- Allow systemd-coredumpd capabilities in the user namespace
Resolves: RHEL-97586
- Allow virtqemud start a vm which uses nbdkit
Resolves: RHEL-69118
- Add nbdkit_signal() and nbdkit_signull() interfaces
Resolves: RHEL-69118
- Allow openvswitch read virtqemud process state
Resolves: RHEL-65322
- Add binsbin-convert.sh script
Resolves: RHEL-69118
2025-08-12 16:13:11 +02:00
Zdenek Pytela
2a666c944a
* Fri Aug 08 2025 Zdenek Pytela <zpytela@redhat.com> - 42.1.5-1
...
- Confine nfs-server generator
Resolves: RHEL-106119
- Support virtqemud handle hotplug hostdev devices
Resolves: RHEL-65266
- Allow virtstoraged create qemu /var/run files
Resolves: RHEL-104344
- Allow virtqemud write to sysfs files
Resolves: RHEL-104378
- Allow unconfined_domain_type cap2_userns capabilities
Resolves: RHEL-93656
2025-08-08 18:12:56 +02:00
Zdenek Pytela
7126ba3cdf
* Thu Jul 31 2025 Zdenek Pytela <zpytela@redhat.com> - 42.1.4-1
...
- Allow systemd-coredump the sys_chroot capability
Resolves: RHEL-97586
- Add the rhcd_rw_fifo_files() interface
Related: RHEL-99318
- Add insights_client_delete_lib_dirs() interface
Related: RHEL-99318
2025-07-31 13:35:04 +02:00
Vit Mojzis
c682b95984
Rebuild for SELinux userspace 3.9
...
Related: RHEL-104006
2025-07-23 20:07:12 +02:00
Zdenek Pytela
767de9739d
* Fri Jul 18 2025 Zdenek Pytela <zpytela@redhat.com> - 42.1.3-1
...
- Allow svirt read virtqemud fifo files
Resolves: RHEL-104069
- Allow virtqemud handle virt_content_t chr files
Resolves: RHEL-76104
- Allow "hostapd_cli ping" run as a systemd service
Resolves: RHEL-77047
- Allow sblim-sfcbd the dac_read_search capability
Resolves: RHEL-98287
- Allow sblim domain read systemd session files
Resolves: RHEL-98287
- Allow sblim-sfcbd execute dnsdomainname
Resolves: RHEL-98287
- Allow systemd-importd create and unlink init pid socket
Resolves: RHEL-98490
2025-07-18 19:29:08 +02:00
Zdenek Pytela
831808b791
* Wed Jul 16 2025 Zdenek Pytela <zpytela@redhat.com> - 42.1.2-1
...
- Remove permissive domains
Resolves: RHEL-103661
- Adjust modules list
Resolves: RHEL-103661
2025-07-16 17:05:53 +02:00
Zdenek Pytela
3c58b106cf
* Mon Jul 14 2025 Zdenek Pytela <zpytela@redhat.com> - 42.1.1-1
...
- Rebase selinux-policy to the newest one available in Fedora 42
Resolves: RHEL-54303
2025-07-14 17:07:34 +02:00
Zdenek Pytela
5f13f86c60
* Wed Jul 02 2025 Zdenek Pytela <zpytela@redhat.com> - 40.13.35-1
...
- Remove duplicate summary header
Related: RHEL-87742
- Allow irqbalance execute shell if irqbalance_run_unconfined is on
Resolves: RHEL-54019
- virt: allow QEMU use of the qgs daemon for attestation
Resolves: RHEL-87742
- qgs: add contrib module for TDX "qgs" daemon
Resolves: RHEL-87742
- kernel: add interfaces for using SGX enclaves
Resolves: RHEL-87742
2025-07-02 16:34:29 +02:00
Zdenek Pytela
a43247ed31
* Tue Jul 01 2025 Zdenek Pytela <zpytela@redhat.com> - 40.13.34-1
...
- Allow systemd-coredump the sys_admin capability
Resolves: RHEL-97586
- Dontaudit systemd-coredump the sys_resource capability
Resolves: RHEL-97586
- Allow systemd-coredumpd sys_admin and sys_resource capabilities
Resolves: RHEL-97586
- Allow systemd-coredump read nsfs files
Resolves: RHEL-97586
- Dontaudit systemd-coredump sys_admin capability
Resolves: RHEL-97586
- Allow svirt-tcg read init state
Resolves: RHEL-95725
- Allow virtqemud create and unlink files in /etc/libvirt/
Resolves: RHEL-95725
- Allow virtqemud send a generic signal to passt
Resolves: RHEL-44994
- Allow openvswitch ioctl vduse devices
Resolves: RHEL-93041
- Label /dev/vduse/control and /dev/vduse/NAME devices
Resolves: RHEL-93041
- Allow virtstoraged the sys_rawio capability
Resolves: RHEL-44639
- Allow virtstoraged fsetid capability
Resolves: RHEL-44639
- Allow virtqemud additional permissions on scsi generic chr files
Resolves: RHEL-44628
- Allow irqbalance execute shell if irqbalance_run_unconfined is on
Resolves: RHEL-54019
- Fix files_dontaudit_delete_all_files()
Resolves: RHEL-86789
- Allow virtnodedev create mdevctl config dirs
Resolves: RHEL-98559
- Allow cryptsetup-generator manage systemd unit files
Resolves: RHEL-98656
2025-07-01 17:04:08 +02:00
Zdenek Pytela
1ba9a90255
* Fri Jun 06 2025 Zdenek Pytela <zpytela@redhat.com> - 40.13.33-1
...
- Allow systemd_generator read files in /proc and /sys
Resolves: RHEL-36740
- Update irqbalance policy for using unconfined scripts
Resolves: RHEL-54019
- Allow utempter use terminal multiplexor
Resolves: RHEL-56344
- Allow virtqemud execute ovs-vsctl with a domain transition
Resolves: RHEL-65322
- Allow mptcpd the net_admin capability
Resolves: RHEL-70730
- Allow tomcat execute cracklib-check with a domain transition
Resolves: RHEL-82090
- Update the files_search_mnt() interface
Resolves: RHEL-85178
- Allow key.dns_resolve set attributes on the kernel key ring
Resolves: RHEL-91602
- Allow switcheroo-control dbus chat with xdm
Resolves: RHEL-93535
- Revert "Allow virt_domain write to virt_image_t files"
Resolves: RHEL-93773
2025-06-06 10:19:29 +02:00
Zdenek Pytela
fd51330eda
* Thu May 29 2025 Zdenek Pytela <zpytela@redhat.com> - 40.13.32-1
...
- Backport policy for additional systemd generators from rawhide
Resolves: RHEL-36740
- Allow login_userdomain create /run/tlog directory with user_tmp_t
Resolves: RHEL-56344
- Backport bootupd policy from current Fedora rawhide
Resolves: RHEL-86588
2025-05-30 15:15:52 +02:00
Petr Lautrbach
c69e93c91c
Revert "Add selinux-policy-epel test plan"
...
This reverts commit 94ea41534e.
selinux-policy-epel will be obsoleted when
redhat/centos-stream/rpms/selinux-policy!197
is merged and RHEL-89587 is resolved
Related: RHEL-89587
2025-05-21 10:03:23 +02:00
Petr Lautrbach
dbae004177
Revert "Make make-rhat-patches.sh selinux-policy-epel aware"
...
This reverts commit 61db7c0bba.
selinux-policy-epel will be obsoleted when
https://gitlab.com/redhat/centos-stream/rpms/selinux-policy/-/merge_requests/197
is merged and RHEL-89587 is resolved
Related: RHEL-89587
2025-05-21 10:03:23 +02:00
Petr Lautrbach
8dea43b936
Build selinux-policy-extra
...
In 40.13.26-1 modules related to the EPEL repository were filtered out and
shipped in selinux-policy-epel in the EPEL repository. But it was not
possible to let epel-release automatically install
selinux-policy-epel when it was enabled.
With this change:
- EPEL related modules are built in the repository again
- selinux-policy-extra is introduced to require -targeted-extra or
-mls-extra when -targeted or -mls are installed
- some modules which are related to 3rd party and which are already
dropped in selinux-policy-epel are filtered out completely
Resolves: RHEL-89587
2025-05-21 10:03:16 +02:00
Zdenek Pytela
7010f47ab1
* Tue May 20 2025 Zdenek Pytela <zpytela@redhat.com> - 40.13.31-1
...
- Label /dev/diag as diagnostic_device_t
Resolves: RHEL-89804
- Label SetroubleshootPrivileged.py with setroubleshootd_exec_t
Resolves: RHEL-87727
- Allow syslogd watch syslog_conf_t directories
Resolves: RHEL-87648
- Allow networkmanager send a general signal to iptables
Resolves: RHEL-86780
- Define file equivalency for /var/etc
Resolves: RHEL-86678
- Update bootupd policy when ESP is not mounted
Resolves: RHEL-86588
- dontaudit execmem for modemmanager
Resolves: RHEL-86176
- Allow systemd create journal pid files
Resolves: RHEL-72692
- Allow virtqemud read/write/setattr input event devices
Resolves: RHEL-46385
2025-05-20 15:22:39 +02:00
Zdenek Pytela
399d79b252
* Mon Apr 28 2025 Zdenek Pytela <zpytela@redhat.com> - 40.13.30-1
...
- Allow auditctl signal auditd
Resolves: RHEL-87418
- Update bootupd policy for the removing-state-file test
Resolves: RHEL-87372
- Allow systemd-user-runtime-dir get/set tmpfs quotas
Resolves: RHEL-86789
- Allow systemd-user-runtime-dir delete gnome homedir content
Resolves: RHEL-86789
- Confine /usr/lib/systemd/systemd-user-runtime-dir
Resolves: RHEL-86789
- Allow system-dbusd list systemd-machined directories
Resolves: RHEL-86528
- Allow NetworkManager create and use icmp_socket
Resolves: RHEL-86258
- Allow tuned-ppd dbus chat with xdm
Resolves: RHEL-85849
- Allow virt_domain write to virt_image_t files
Resolves: RHEL-85319
- Allow rhsmcertd connect to systemd-machined
Resolves: RHEL-83925
- Allow varnishd execute the prlimit64() syscall
Resolves: RHEL-77779
- Allow systemd-machined the kill user-namespace capability
Resolves: RHEL-77087
- Allow system_dbusd_t r/w unix stream sockets of unconfined_service_t
Resolves: RHEL-62185
- Allow tlshd read network sysctls
Resolves: RHEL-74424
2025-04-28 17:13:57 +02:00
Zdenek Pytela
04dfd0db74
* Tue Apr 15 2025 Zdenek Pytela <zpytela@redhat.com> - 40.13.29-1
...
- Revert "Dontaudit access of virt-related permissive domains"
Resolves: RHEL-79833
- Remove permissive domains
Resolves: RHEL-82672
2025-04-15 14:08:02 +02:00
Petr Lautrbach
94ea41534e
Add selinux-policy-epel test plan
...
- should be triggered only in CI by commit
- should check current selinux-policy version and latest
selinux-policy-epel version and fail if they're different to notify
maintainer about needed action
Related: RHEL-74424
2025-04-11 07:44:41 +02:00
Petr Lautrbach
61db7c0bba
Make make-rhat-patches.sh selinux-policy-epel aware
...
In case of a changed commit id it will warn the user to also update
selinux-policy-epel.spec
Adds the following script output:
WARNING: selinux-policy-epel needs to be updated to use 56617809a873ce441278ef56a5b7e92c3c2cb56d:
cd <selinux-policy-epel directory>
fedpkg switch-brach epel10
fedpkg new-sources /home/plautrba/devel/centos/rpms/selinux-policy/make-rhat-patches-epel/selinux-policy-5661780.tar.gz container-selinux.tgz
git apply /home/plautrba/devel/centos/rpms/selinux-policy/make-rhat-patches-epel/selinux-policy-epel-5661780.patch
Related: RHEL-74424
2025-04-11 07:44:41 +02:00
Zdenek Pytela
30a191682d
* Tue Apr 08 2025 Zdenek Pytela <zpytela@redhat.com> - 40.13.28-1
...
- Change path of tuned and tuned-ppd to /usr/sbin
Resolves: RHEL-69450
- Update the pcmsensor policy
Resolves: RHEL-80452
- Allow dovecot-deliver read mail aliases
Resolves: RHEL-80153
- Allow boothd connect to systemd-machined over a unix socket
Resolves: RHEL-75471
- Allow chronyd-restricted sendto to chronyc
Resolves: RHEL-82299
- Allow chronyc sendto to chronyd-restricted
Resolves: RHEL-82299
- Allow cifs.idmap helper to set attributes on kernel keys
Resolves: RHEL-83921
- Remove ktls from modules-filtered.lst
Resolves: RHEL-74424
2025-04-08 18:37:43 +02:00
Zdenek Pytela
fab9313c6d
Remove ktls from modules-filtered.lst
...
The module was added to RHEL 10 during RHEL 10.1 development phase.
Resolves: RHEL-74424
2025-04-08 18:33:03 +02:00
Zdenek Pytela
b148e340be
* Mon Mar 31 2025 Zdenek Pytela <zpytela@redhat.com> - 40.13.27-1
...
- Allow afterburn to mount and read config drives
Resolves: RHEL-82120
- Update afterburn file transition policy
Resolves: RHEL-82120
- Label /run/metadata with afterburn_runtime_t
Resolves: RHEL-82120
- Allow afterburn list ssh home directory
Resolves: RHEL-82120
- Confine tuned-ppd
Resolves: RHEL-69450
- Update ktls policy
Resolves: RHEL-74424
- Add the switcheroo module
Resolves: RHEL-83267
- Update switcheroo policy
Resolves: RHEL-83267
- Confine the switcheroo-control service
Resolves: RHEL-83267
2025-03-31 16:20:52 +02:00
Zdenek Pytela
09fc1276e0
* Mon Feb 17 2025 Zdenek Pytela <zpytela@redhat.com> - 40.13.26-1
...
- Rename winbind_rpcd_* types to samba_dcerpcd_*
Resolves: RHEL-14759
- Allow samba-dcerpcd work with ctdb cluster
Resolves: RHEL-14759
- Revert "Remove socket from unconfined_domain_type allow rule"
Resolves: RHEL-77327
- Dontaudit access of virt-related permissive domains
Resolves: RHEL-77808
- Add selinux_requires_min macro
Resolves: RHEL-54715
- Filter out EPEL related modules
Resolves: RHEL-73505
2025-02-17 15:35:52 +01:00
Vit Mojzis
17418f272b
Add selinux_requires_min macro
...
DSP adopters who don't set any booleans should not require
policycoreutils-python-utils.
In order not to break established packages that use the selinux_requires
macro, a new one is introduced (can be adopted over time).
Also drop policycoreutils-python, since that is only relevant for
RHEL-7 and older.
Resolves: RHEL-54715
2025-02-17 14:29:07 +01:00
Petr Lautrbach
0ebb49f063
Filter out EPEL related modules
...
Resolves: RHEL-73505
2025-02-07 17:20:00 +01:00
Zdenek Pytela
1f5673f9d0
* Thu Feb 06 2025 Zdenek Pytela <zpytela@redhat.com> - 40.13.25-1
...
- Update ktlshd policy to read /proc/keys and domain keyrings
Resolves: RHEL-42672
- Allow pcmsensor read nmi_watchdog state information
Resolves: RHEL-52838
- Support peer-to-peer migration of vms using ssh
Resolves: RHEL-77351
- Allow virt_domain read hardware state information unconditionally
Resolves: RHEL-71270
- Allow timemaster write to sysfs files
Resolves: RHEL-44637
- Allow virtqemud map svirt_image_t plain files
Resolves: RHEL-40080
- Allow virtqemud unmount a filesystem with extended attributes
Resolves: RHEL-40080
- Allow virtqemud work with nvdimm devices
Resolves: RHEL-71656
- Update virtqemud policy regarding the svirt_tcg_t domain
Resolves: RHEL-71270
- Allow virtqemud use hostdev usb devices conditionally
Resolves: RHEL-74230
- Support saving and restoring a VM to/from a block device
Resolves: RHEL-76138
- Allow virtnwfilterd dbus chat with firewalld
Resolves: RHEL-76138
- Allow virt_domain to use pulseaudio - conditional
Resolves: RHEL-62763
- Allow virtstoraged write to sysfs files
Resolves: RHEL-44637
- Allow irqbalance to run unconfined scripts conditionally
Resolves: RHEL-54019
- Allow rhsmcertd notify virt-who
Resolves: RHEL-77114
- Allow init mounton crypto sysctl files
Resolves: RHEL-56250
2025-02-07 11:54:25 +01:00