- Allow postfix smtpd map aliases file
- Ensure dbus communication is allowed bidirectionally
- Label systemd configuration files with systemd_conf_t
- Label /run/systemd/machine with systemd_machined_var_run_t
- Allow systemd-hostnamed read the vsock device
- Allow sysadm execute dmidecode using sudo
- Allow sudodomain list files in /var
- Allow setroubleshootd get attributes of all sysctls
- Allow various services read and write z90crypt device
- Allow nfsidmap connect to systemd-homed
- Allow sandbox_x_client_t dbus chat with accountsd
- Allow system_cronjob_t dbus chat with avahi_t
- Allow staff_t the io_uring sqpoll permission
- Allow staff_t use the io_uring API
- Add support for secretmem anon inode
- Backport /var/run change related improvements
The commands should always end || : , because by policy we should
ensure RPM scriptlets always exit 0:
https://docs.fedoraproject.org/en-US/packaging-guidelines/Scriptlets/#_syntax
Also, rm is in _bindir, not _sbindir.
This seems to have caused a failed test for an nbdkit update:
https://openqa.fedoraproject.org/tests/2628713#
the live image build failed because of a scriptlet error that
seems to be caused by this:
INFO:anaconda.modules.payloads.payload.dnf.transaction_progress:Configuring (running scriptlet for): nbdkit-selinux-1.39.6-1.fc41.noarch 1715870254 02561380439e4e22473970fa46db331b277dc254650fdcb96130a056cadaf02f
INFO:dnf.rpm:/var/tmp/rpm-tmp.ycmrWv: line 10: /usr/sbin/rm: No such file or directory
warning: %post(nbdkit-selinux-1.39.6-1.fc41.noarch) scriptlet failed, exit status 1
ERROR:dnf.rpm:Error in POSTIN scriptlet in rpm package nbdkit-selinux
Signed-off-by: Adam Williamson <awilliam@redhat.com>
Various updating and installing scenarios are now supported:
- using rpm triggers for other packages in selinux-policy
- inside the selinux_modules_install and selinux_modules_uninstall
rpm macros when selinux subpackages are being built
- Only allow confined user domains to login locally without unconfined_login
- Add userdom_spec_domtrans_confined_admin_users interface
- Only allow admindomain to execute shell via ssh with ssh_sysadm_login
- Add userdom_spec_domtrans_admin_users interface
- Move ssh dyntrans to unconfined inside unconfined_login tunable policy
- Update ssh_role_template() for user ssh-agent type
- Allow init to inherit system DBus file descriptors
- Allow init to inherit fds from syslogd
- Allow any domain to inherit fds from rpm-ostree
- Update afterburn policy
- Allow init_t nnp domain transition to abrtd_t
- Replace init domtrans rule for confined users to allow exec init
- Update dbus_role_template() to allow user service status
- Allow polkit status all systemd services
- Allow setroubleshootd create and use inherited io_uring
- Allow load_policy read and write generic ptys
- Allow gpg manage rpm cache
- Allow login_userdomain name_bind to howl and xmsg udp ports
- Allow rules for confined users logged in plasma
- Label /dev/iommu with iommu_device_t
- Remove duplicate file context entries in /run
- Dontaudit getty and plymouth the checkpoint_restore capability
- Allow su domains write login records
- Revert "Allow su domains write login records"
- Allow login_userdomain delete session dbusd tmp socket files
- Allow unix dgram sendto between exim processes
- Allow su domains write login records
- Allow smbd_t to watch user_home_dir_t if samba_enable_home_dirs is on
- Allow systemd-sleep set attributes of efivarfs files
- Allow samba-dcerpcd read public files
- Allow spamd_update_t the sys_ptrace capability in user namespace
- Allow bluetooth devices work with alsa
- Allow alsa get attributes filesystems with extended attributes
Using exact NVR dependencies works well within RPMS from a single SRPM,
but otherwise relies on assumptions which do not always hold out.
Because %release includes %dist, this is particularly fragile in the
context of the Rawhide->ELN->c10s build pipeline. For instance, if a
package which uses %selinux_requires gets built for ELN with the rawhide
selinux-policy, then .fcNN will be hardcoded into the ELN build, and the
ELN build with .elnNNN will never meet the condition (since f > e).
- Make named_zone_t and named_var_run_t a part of the mountpoint attribute
- Allow sysadm execute traceroute in sysadm_t domain using sudo
- Allow sysadm execute tcpdump in sysadm_t domain using sudo
- Allow opafm search nfs directories
- Add support for syslogd unconfined scripts
- Allow gpsd use /dev/gnss devices
- Allow gpg read rpm cache
- Allow virtqemud additional permissions
- Allow virtqemud manage its private lock files
- Allow virtqemud use the io_uring api
- Allow ddclient send e-mail notifications
- Allow postfix_master_t map postfix data files
- Allow init create and use vsock sockets
- Allow thumb_t append to init unix domain stream sockets
- Label /dev/vas with vas_device_t
- Change domain_kernel_load_modules boolean to true
- Create interface selinux_watch_config and add it to SELinux users
- Allow map xserver_tmpfs_t files when xserver_clients_write_xshm is on
- Allow graphical applications work in Wayland
- Allow kdump work with PrivateTmp
- Allow dovecot-auth work with PrivateTmp
- Allow nfsd get attributes of all filesystems
- Allow unconfined_domain_type use io_uring cmd on domain
- ci: Only run Rawhide revdeps tests on the rawhide branch
- Label /var/run/auditd.state as auditd_var_run_t
- Allow fido-device-onboard (FDO) read the crack database
- Allow ip an explicit domain transition to other domains
- Label /usr/libexec/selinux/selinux-autorelabel with semanage_exec_t
- Allow winbind_rpcd_t processes access when samba_export_all_* is on
- Enable NetworkManager and dhclient to use initramfs-configured DHCP connection
- Allow ntp to bind and connect to ntske port.
- Allow system_mail_t manage exim spool files and dirs
- Dontaudit keepalived setattr on keepalived_unconfined_script_exec_t
- Label /run/pcsd.socket with cluster_var_run_t
- ci: Run cockpit tests in PRs
- Add map_read map_write to kernel_prog_run_bpf
- Allow systemd-fstab-generator read all symlinks
- Allow systemd-fstab-generator the dac_override capability
- Allow rpcbind read network sysctls
- Support using systemd containers
- Allow sysadm_t to connect to iscsid using a unix domain stream socket
- Add policy for coreos installer
- Add coreos_installer to modules-targeted-contrib.conf
- Allow named and ndc use the io_uring api
- Deprecate common_anon_inode_perms usage
- Improve default file context(None) of /var/lib/authselect/backups
- Allow udev_t to search all directories with a filesystem type
- Implement proper anon_inode support
- Allow targetd write to the syslog pid sock_file
- Add ipa_pki_retrieve_key_exec() interface
- Allow kdumpctl_t to list all directories with a filesystem type
- Allow udev additional permissions
- Allow udev load kernel module
- Allow sysadm_t to mmap modules_object_t files
- Add the unconfined_read_files() and unconfined_list_dirs() interfaces
- Set default file context of HOME_DIR/tmp/.* to <<none>>
- Allow kernel_generic_helper_t to execute mount(1)
- Change file transition for systemd-network-generator
- Additional support for gnome-initial-setup
- Update gnome-initial-setup policy for geoclue
- Allow openconnect vpn open vhost net device
- Allow cifs.upcall to connect to SSSD also through the /var/run socket
- Grant cifs.upcall more required capabilities
- Allow xenstored map xenfs files
- Update policy for fdo
- Allow keepalived watch var_run dirs
- Allow svirt to rw /dev/udmabuf
- Allow qatlib to modify hardware state information.
- Allow key.dns_resolve connect to avahi over a unix stream socket
- Allow key.dns_resolve create and use unix datagram socket
- Use quay.io as the container image source for CI
- Allow rhsmcertd dbus chat with policykit
- Allow polkitd execute pkla-check-authorization with nnp transition
- Allow user_u and staff_u get attributes of non-security dirs
- Allow unconfined user filetrans chrome_sandbox_home_t
- Allow svnserve execute postdrop with a transition
- Do not make postfix_postdrop_t type an MTA executable file
- Allow samba-dcerpc service manage samba tmp files
- Add use_nfs_home_dirs boolean for mozilla_plugin
- Fix labeling for no-stub-resolv.conf
- Allow systemd-network-generator send system log messages
- Dontaudit the execute permission on sock_file globally
- Allow fsadm_t the file mounton permission
- Allow named and ndc the io_uring sqpoll permission
- Allow sssd io_uring sqpoll permission
- Fix location for /run/nsd
- Allow qemu-ga get fixed disk devices attributes
- Update bitlbee policy
- Label /usr/sbin/sos with sosreport_exec_t
- Update policy for the sblim-sfcb service
- Add the files_getattr_non_auth_dirs() interface
- Fix the CI to work with DNF5
- Make systemd_tmpfiles_t MLS trusted for lowering the level of files
- Revert "Allow insights client map cache_home_t"
- Allow nfsidmapd connect to systemd-machined over a unix socket
- Allow snapperd connect to kernel over a unix domain stream socket
- Allow virt_qemu_ga_t create .ssh dir with correct label
- Allow targetd read network sysctls
- Set the abrt_handle_event boolean to on
- Permit kernel_t to change the user identity in object contexts
- Allow insights client map cache_home_t
- Label /usr/sbin/mariadbd with mysqld_exec_t
- Trim changelog so that it starts at F37 time
- Define equivalency for /run/systemd/generator.early
Default file context specification for /run/systemd/generator.early
has been set as an equivalency to /usr/lib/systemd/system,
similar to existing entries for generator and generator.late.
- Change init_audit_control default value to true
- Allow nfsidmapd connect to systemd-userdbd with a unix socket
- Add the qatlib module
- Add the fdo module
- Add the bootupd module
- Set default ports for keylime policy
- Create policy for qatlib
- Add policy for FIDO Device Onboard
- Add policy for bootupd
- Add the qatlib module
- Add the fdo module
- Add the bootupd module
- Add support for kafs-dns requested by keyutils
- Allow insights-client execmem
- Add support for chronyd-restricted
- Add init_explicit_domain() interface
- Allow fsadm_t to get attributes of cgroup filesystems
- Add list_dir_perms to kerberos_read_keytab
- Label /var/run/tmpfiles.d/static-nodes.conf with kmod_var_run_t
- Allow sendmail manage its runtime files
- Allow keyutils_dns_resolver_exec_t be an entrypoint
- Allow collectd_t read network state symlinks
- Revert "Allow collectd_t read proc_net link files"
- Allow nfsd_t to list exports_t dirs
- Allow cupsd dbus chat with xdm
- Allow haproxy read hardware state information
- Add the kafs module
The container_selinux.8 manpage is a part of the upstream
container-selinux package and it should rather be a part
of container-selinux.
Resolves: rhbz#2209120
- Add support for the systemd-pstore service
- Allow kdumpctl_t to execmem
- Update sendmail policy module for opensmtpd
- Allow nagios-mail-plugin exec postfix master
- Allow subscription-manager execute ip
- Allow ssh client connect with a user dbus instance
- Add support for ksshaskpass
- Allow rhsmcertd file transition in /run also for socket files
- Allow keyutils_dns_resolver_t execute keyutils_dns_resolver_exec_t
- Allow plymouthd read/write X server miscellaneous devices
- Allow systemd-sleep read udev pid files
- Allow exim read network sysctls
- Allow sendmail request load module
- Allow named map its conf files
- Allow squid map its cache files
- Allow NetworkManager_dispatcher_dhclient_t to execute shells without a domain transition