- Allow systemd read unlabeled symbolic links
- Label abrt-action-generate-backtrace with abrt_handle_event_exec_t
- Allow dnsmasq watch /etc/dnsmasq.d directories
- Allow rhsmcertd get attributes of tmpfs_t filesystems
- Allow lldpd use an snmp subagent over a tcp socket
- Allow xdm watch generic directories in /var/lib
- Allow login_userdomain open/read/map system journal
- Allow sysadm_t connect to cluster domains over a unix stream socket
- Allow sysadm_t read/write pkcs shared memory segments
- Allow sysadm_t connect to sanlock over a unix stream socket
- Allow sysadm_t dbus chat with sssd
- Allow sysadm_t set attributes on character device nodes
- Allow sysadm_t read and write watchdog devices
- Allow smbcontrol use additional socket types
- Allow cloud-init dbus chat with systemd-logind
- Allow svnserve send mail from the system
- Update userdom_exec_user_tmp_files() with an entrypoint rule
- Allow sudodomain send a null signal to sshd processes
- Support sanlock VG automated recovery on storage access loss 2/2
- Support sanlock VG automated recovery on storage access loss 1/2
- Revert "Support sanlock VG automated recovery on storage access loss"
- Allow tlp get service units status
- Allow fedora-third-party manage 3rd party repos
- Allow xdm_t nnp_transition to login_userdomain
- Add the auth_read_passwd_file() interface
- Allow redis-sentinel execute a notification script
- Allow fetchmail search cgroup directories
- Allow lvm_t to read/write devicekit disk semaphores
- Allow devicekit_disk_t to use /dev/mapper/control
- Allow devicekit_disk_t to get IPC info from the kernel
- Allow devicekit_disk_t to read systemd-logind pid files
- Allow devicekit_disk_t to mount filesystems on mnt_t directories
- Allow devicekit_disk_t to manage mount_var_run_t files
- Allow rasdaemon sys_admin capability to verify the CAP_SYS_ADMIN of the soft_offline_page function implemented in the kernel
- Use $releasever in koji repo to reduce rawhide hardcoding
- authlogin: add fcontext for tcb
- Add erofs as a SELinux capable file system
- Allow systemd execute user bin files
- Support sanlock VG automated recovery on storage access loss
- Support new PING_CHECK health checker in keepalived
- Allow fedora-third-party execute "flatpak remote-add"
- Add files_manage_var_lib_files() interface
- Add write permisson to userfaultfd_anon_inode_perms
- Allow proper function sosreport via iotop
- Allow proper function sosreport in sysadmin role
- Allow fedora-third-party to connect to the system log service
- Allow fedora-third-party dbus chat with policykit
- Allow chrony-wait service start with DynamicUser=yes
- Allow management of lnk_files if similar access to regular files
- Allow unconfined_t transition to mozilla_plugin_t with NoNewPrivileges
- Allow systemd-resolved watch /run/systemd
- Allow fedora-third-party create and use unix_dgram_socket
- Removing pkcs_tmpfs_filetrans interface and edit pkcs policy files
- Allow login_userdomain named filetrans to pkcs_slotd_tmpfs_t domain
- Allow ModemManager create a qipcrtr socket
- Allow ModemManager request to load a kernel module
- Label /usr/sbin/virtproxyd as virtd_exec_t
- Allow communication between at-spi and gdm processes
- Update ica_filetrans_named_content() with create_file_perms
- Fix the gnome_atspi_domtrans() interface summary
- Allow systemd-timesyncd watch system dbus pid socket files
- Allow firewalld drop capabilities
- Allow rhsmcertd execute gpg
- Allow lldpad send to kdump over a unix dgram socket
- Allow systemd-gpt-auto-generator read udev pid files
- Set default file context for /sys/firmware/efi/efivars
- Allow tcpdump run as a systemd service
- Allow nmap create and use netlink generic socket
- Allow nscd watch system db files in /var/db
- Allow cockpit_ws_t get attributes of fs_t filesystems
- Allow sysadm acces to kernel module resources
- Allow sysadm to read/write scsi files and manage shadow
- Allow sysadm access to files_unconfined and bind rpc ports
- Allow sysadm read and view kernel keyrings
- Allow journal mmap and read var lib files
- Allow tuned to read rhsmcertd config files
- Allow bootloader to read tuned etc files
- Label /usr/bin/qemu-storage-daemon with virtd_exec_t
- Disable seccomp on CI containers
- Allow systemd-machined stop generic service units
- Allow virtlogd_t read process state of user domains
- Add "/" at the beginning of dev/shm/var\.lib\.opencryptoki.* regexp
- Label /dev/crypto/nx-gzip with accelerator_device_t
- Update the policy for systemd-journal-upload
- Allow unconfined domains to bpf all other domains
- Confine rhsm service and rhsm-facts service as rhsmcertd_t
- Allow fcoemon talk with unconfined user over unix domain datagram socket
- Allow abrt_domain read and write z90crypt device
- Allow mdadm read iscsi pid files
- Change dev_getattr_infiniband_dev() to use getattr_chr_files_pattern()
- Label /usr/lib/pcs/pcs_snmp_agent with cluster_exec_t
- Allow hostapd bind UDP sockets to the dhcpd port
- Unconfined domains should not be confined
- Revert "update libs_filetrans_named_content() to have support for /usr/lib/debug directory"
- Remove references to init_watch_path_type attribute
- Remove all redundant watch permissions for systemd
- Allow systemd watch non_security_file_type dirs, files, lnk_files
- Removed adding to attribute unpriv_userdomain from userdom_unpriv_type template
- Allow bacula get attributes of cgroup filesystems
- Allow systemd-journal-upload watch logs and journal
- Create a policy for systemd-journal-upload
- Allow tcpdump and nmap get attributes of infiniband_device_t
- Allow arpwatch get attributes of infiniband_device_t devices
- Label /dev/wmi/dell-smbios as acpi_device_t
- Allow sanlock get attributes of cgroup filesystems
- Associate dma_device_dir_t with device filesystem
- Set default file context for /var/run/systemd instead of /run/systemd
- Allow nmap create and use rdma socket
- Allow pkcs-slotd create and use netlink_kobject_uevent_socket
- Make domains use kernel_write_perf_event() and kernel_manage_perf_event()
- Add kernel_write_perf_event() and kernel_manage_perf_event()
- Allow syslogd_t watch root and var directories
- Allow unconfined_t read other processes perf_event records
- Allow login_userdomain read and map /var/lib/systemd files
- Allow NetworkManager watch its config dir
- Allow NetworkManager read and write z90crypt device
- Allow tgtd create and use rdma socket
- Allow aide connect to init with a unix socket
- Grant execmem to varnishlog_t
- We no longer need signull for varnishlog_t
- Add map permission to varnishd_read_lib_files
- Allow systemd-sleep tlp_filetrans_named_content()
- Allow systemd-sleep execute generic programs
- Allow systemd-sleep execute shell
- Allow to sendmail read/write kerberos host rcache files
- Allow freshclam get attributes of cgroup filesystems
- Fix context of /run/systemd/timesync
- Allow udev create /run/gdm with proper type
- Allow chronyc socket file transition in user temp directory
- Allow virtlogd_t to create virt_var_lockd_t dir
- Allow pluto IKEv2 / ESP over TCP
- Allow domain create anonymous inodes
- Add anon_inode class to the policy
- Allow systemd-coredump getattr nsfs files and net_admin capability
- Allow systemd-sleep transition to sysstat_t
- Allow systemd-sleep transition to tlp_t
- Allow systemd-sleep transition to unconfined_service_t on bin_t executables
- Allow systemd-timedated watch runtime dir and its parent
- Allow system dbusd read /var/lib symlinks
- Allow unconfined_service_t confidentiality and integrity lockdown
- Label /var/lib/brltty with brltty_var_lib_t
- Allow domain and unconfined_domain_type watch /proc/PID dirs
- Additional permission for confined users loging into graphic session
- Make for screen fsetid/setuid/setgid permission conditional
- Allow for confined users acces to wtmp and run utempter
- Allow polkit-agent-helper-1 read logind sessions files
- Allow polkit-agent-helper read init state
- Allow login_userdomain watch generic device dirs
- Allow login_userdomain listen on bluetooth sockets
- Allow user_t and staff_t bind netlink_generic_socket
- Allow login_userdomain write inaccessible nodes
- Allow transition from xdm domain to unconfined_t domain.
- Add 'make validate' step to CI
- Disallow user_t run su/sudo and staff_t run su
- Fix typo in rsyncd.conf in rsync.if
- Add an alias for nvme_device_t
- Allow systemd watch and watch_reads unallocated ttys
In the 9613e80506e7ffa37e9b150f2a3f8641dd7c26ea selinux-policy commit,
the type of nvme device files has changed from nvme_device_t to
fixed_disk_device_t.
This cannot currently be resolved in specfile selinux macros as fixfiles
excludes /dev entries. For files in /dev with changed context, restorecon
needs to be run explicitly to restore the context.
This is a temporary workaround till April 2021 when the updated policy
can be considered spread enough.
- Allow unconfined integrity lockdown permission
- Relocate confidentiality lockdown rule from unconfined_domain_type to unconfined
- Allow systemd-machined manage systemd-userdbd runtime sockets
- Enable systemd-sysctl domtrans for udev
- Introduce kernel_load_unsigned_module interface and use it for couple domains
- Allow gpg watch user gpg secrets dirs
- Build also the container module in CI
- Remove duplicate code from kernel.te
- Allow restorecond to watch all non-auth directories
- Allow restorecond to watch its config file
- Allow userdomain watch various filesystem objects
- Allow systemd-logind and systemd-sleep integrity lockdown permission
- Allow unconfined_t and kprop_t to create krb5_0.rcache2 with the right context
- Allow pulseaudio watch devices and systemd-logind session dirs
- Allow abrt-dump-journal-* watch generic log dirs and /run/log/journal dir
- Remove duplicate files_mounton_etc(init_t) call
- Add watch permissions to manage_* object permissions sets
- Allow journalctl watch generic log dirs and /run/log/journal dir
- Label /etc/resolv.conf as net_conf_t even when it's a symlink
- Allow SSSD to watch /var/run/NetworkManager
- Allow dnsmasq_t to watch /etc
- Remove unnecessary lines from the new watch interfaces
- Fix docstring for init_watch_dir()
- Allow xdm watch its private lib dirs, /etc, /usr
- Allow lockdown confidentiality for domains using perf_event
- define lockdown class and access
- Add perfmon capability for all domains using perf_event
- Allow ptp4l_t bpf capability to run bpf programs
- Revert "Allow ptp4l_t sys_admin capability to run bpf programs"
- access_vectors: Add new capabilities to cap2
- Allow systemd and systemd-resolved watch dbus pid objects
- Add new watch interfaces in the base and userdomain policy
- Add watch permissions for contrib packages
- Allow xdm watch /usr directories
- Allow getty watch its private runtime files
- Add watch permissions for nscd and sssd
- Add watch permissions for firewalld and NetworkManager
- Add watch permissions for syslogd
- Add watch permissions for systemd services
- Allow restorecond watch /etc dirs
- Add watch permissions for user domain types
- Add watch permissions for init
- Add basic watch interfaces for systemd
- Add basic watch interfaces to the base module
- Add additional watch object permissions sets and patterns
- Allow init_t to watch localization symlinks
- Allow init_t to watch mount directories
- Allow init_t to watch cgroup files
- Add basic watch patterns
- Add new watch* permissions
- Update .copr/make-srpm.sh to use rawhide as DISTGIT_BRANCH
- Dontaudit setsched for rndc
- Allow systemd-logind destroy entries in message queue
- Add userdom_destroy_unpriv_user_msgq() interface
- ci: Install build dependencies from koji
- Dontaudit vhostmd to write in /var/lib/rpm/ dir and allow signull rpm
- Add new cmadmin port for bfdd dameon
- virtiofs supports Xattrs and SELinux
- Allow domain write to systemd-resolved PID socket files
- Label /var/run/pcsd-ruby.socket socket with cluster_var_run_t type
- Allow rhsmcertd_t domain transition to kpatch_t
- Revert "Add kpatch_exec() interface"
- Revert "Allow rhsmcertd execute kpatch"
- Allow openvswitch create and use xfrm netlink sockets
- Allow openvswitch_t perf_event write permission
- Add kpatch_exec() interface
- Allow rhsmcertd execute kpatch
- Adds rule to allow glusterd to access RDMA socket
- radius: Lexical sort of service-specific corenet rules by service name
- VQP: Include IANA-assigned TCP/1589
- radius: Allow binding to the VQP port (VMPS)
- radius: Allow binding to the BDF Control and Echo ports
- radius: Allow binding to the DHCP client port
- radius: Allow net_raw; allow binding to the DHCP server ports
- Add rsync_sys_admin tunable to allow rsync sys_admin capability
- Allow staff_u run pam_console_apply
- Allow openvswitch_t perf_event open permission
- Allow sysadm read and write /dev/rfkill
- Allow certmonger fsetid capability
- Allow domain read usermodehelper state information
In the src.fedoraproject.org/rpms/selinux-policy packages repository,
the default branch name has changed to "rawhide", with a symref (link)
of "main". The make-rhat-patches.sh file was updated to use "rawhide"
in the DISTGIT_BRANCH variable instead of "master".
The rpm-verify command reports changes for packaged files in the active
store (/var/lib/selinux) which are changed on the selinux-policy-*
packages updates. In order to pass the rpm verification process, the
specfile option %verify(not md5 size mtime) for each of the affected
files will prevent from reporting a failure in any of the rpm-verify
subtests:
- S file Size differs
- 5 digest (formerly MD5 sum) differs
- T mTime differs