46be9da4df * Thu Feb 22 2024 Juraj Marcin <jmarcin@redhat.com> - 38.1.33-1 - Allow thumb_t to watch and watch_reads mount_var_run_t Resolves: RHEL-26073 - Allow opafm create NFS files and directories Resolves: RHEL-17820 - Label /tmp/libdnf.* with user_tmp_t Resolves: RHEL-11250
c9s
Juraj Marcin
2024-02-22 18:19:15 +0100
6d154864b5 * Thu Feb 15 2024 Juraj Marcin <jmarcin@redhat.com> - 38.1.32-1 - Dontaudit subscription manager setfscreate and read file contexts Resolves: RHEL-21635 - Allow xdm_t to watch and watch_reads mount_var_run_t Resolves: RHEL-24841 - Allow unix dgram sendto between exim processes Resolves: RHEL-21902 - Allow utempter_t use ptmx Resolves: RHEL-24946 - Only allow confined user domains to login locally without unconfined_login Resolves: RHEL-1551 - Add userdom_spec_domtrans_confined_admin_users interface Resolves: RHEL-1551 - Only allow admindomain to execute shell via ssh with ssh_sysadm_login Resolves: RHEL-1551 - Add userdom_spec_domtrans_admin_users interface Resolves: RHEL-1551 - Move ssh dyntrans to unconfined inside unconfined_login tunable policy Resolves: RHEL-1551
Juraj Marcin
2024-02-15 17:11:49 +0100
f9546d9349 * Thu Jan 25 2024 Juraj Marcin <jmarcin@redhat.com> - 38.1.31-1 - Allow chronyd-restricted read chronyd key files Resolves: RHEL-18219 - Allow conntrackd_t to use bpf capability2 Resolves: RHEL-22277 - Allow smbd_t to watch user_home_dir_t if samba_enable_home_dirs is on Resolves: RHEL-14735 - Allow hypervkvp_t write access to NetworkManager_etc_rw_t Resolves: RHEL-14505 - Add interface for write-only access to NetworkManager rw conf Resolves: RHEL-14505 - Allow unconfined_domain_type use IORING_OP_URING_CMD on all device nodes Resolves: RHEL-11792
Juraj Marcin
2024-01-25 13:44:44 +0100
c2074133ec * Thu Dec 14 2023 Juraj Marcin <jmarcin@redhat.com> - 38.1.29-1 - Add init_explicit_domain() interface Resolves: RHEL-18219 - Allow dovecot_auth_t connect to postgresql using UNIX socket Resolves: RHEL-16850 - Allow keepalived_t to use sys_ptrace of cap_userns Resolves: RHEL-17156 - Make `bootc` be `install_exec_t` Resolves: RHEL-19199 - Add support for chronyd-restricted Resolves: RHEL-18219 - Label /dev/vas with vas_device_t Resolves: RHEL-17336 - Allow gpsd use /dev/gnss devices Resolves: RHEL-16676 - Allow sendmail manage its runtime files Resolves: RHEL-15175 - Add support for syslogd unconfined scripts Resolves: RHEL-11174
Juraj Marcin
2023-12-14 14:17:21 +0100
575be8bea0 Add /bin = /usr/bin file context equivalency
Juraj Marcin
2023-12-13 15:26:43 +0100
a53a4197a0 * Thu Nov 30 2023 Juraj Marcin <jmarcin@redhat.com> - 38.1.28-1 - Create interface selinux_watch_config and add it to SELinux users Resolves: RHEL-1555 - Allow winbind_rpcd_t processes access when samba_export_all_* is on Resolves: RHEL-16273 - Allow samba-dcerpcd connect to systemd_machined over a unix socket Resolves: RHEL-16273 - Allow winbind-rpcd make a TCP connection to the ldap port Resolves: RHEL-16273 - Allow sudodomain read var auth files Resolves: RHEL-16708 - Allow auditd read all domains process state Resolves: RHEL-14285 - Allow rsync read network sysctls Resolves: RHEL-14638 - Add dhcpcd bpf capability to run bpf programs Resolves: RHEL-15326 - Allow systemd-localed create Xserver config dirs Resolves: RHEL-16716 - Label /var/run/tmpfiles.d/static-nodes.conf with kmod_var_run_t Resolves: RHEL-1553 - Update sendmail policy module for opensmtpd Resolves: RHEL-15175
Juraj Marcin
2023-11-30 11:37:06 +0100
4715f116ff * Tue Nov 14 2023 Juraj Marcin <jmarcin@redhat.com> - 38.1.27-1 - Remove glusterd module Resolves: RHEL-1548 - Improve default file context(None) of /var/lib/authselect/backups Resolves: RHEL-15220 - Set default file context of /var/lib/authselect/backups to <<none>> Resolves: RHEL-15220 - Create policy for afterburn Resolves: RHEL-12591 - Allow unconfined_domain_type use io_uring cmd on domain Resolves: RHEL-11792 - Add policy for coreos installer Resolves: RHEL-5164 - Add policy for nvme-stas Resolves: RHEL-1557 - Label /var/run/auditd.state as auditd_var_run_t Resolves: RHEL-14374 - Allow ntp to bind and connect to ntske port. Resolves: RHEL-15085 - Allow ip an explicit domain transition to other domains Resolves: RHEL-14246 - Label /usr/libexec/selinux/selinux-autorelabel with semanage_exec_t Resolves: RHEL-14289 - Allow sssd domain transition on passkey_child execution conditionally Resolves: RHEL-14014 - Allow sssd use usb devices conditionally Resolves: RHEL-14014 - Allow kdump create and use its memfd: objects Resolves: RHEL-14413
Juraj Marcin
2023-11-14 19:35:13 +0100
dbd1e9f272 Remove glusterd from modules-targeted-*.conf
Juraj Marcin
2023-11-14 19:25:45 +0100
13b73ff37a Add afterburn to modules-targeted-contrib.conf
Juraj Marcin
2023-11-14 14:03:04 +0100
04adb244ee Add coreos_installer to modules-targeted-contrib.conf
Zdenek Pytela
2023-10-18 11:41:18 +0200
eccb49870a Add nvme_stas to modules-targeted-contrib.conf
Zdenek Pytela
2023-10-17 20:58:06 +0200
33abfa2432 * Fri Aug 25 2023 Nikola Knazekova <nknazeko@redhat.com> - 38.1.23-1 - Allow cups-pdf connect to the system log service Resolves: rhbz#2234765 - Update policy for qatlib Resolves: rhbz#2080443
Nikola Knazekova
2023-08-25 21:11:09 +0200
80c07f8e7b * Thu Aug 24 2023 Nikola Knazekova <nknazeko@redhat.com> - 38.1.22-1 - Allow qatlib to modify hardware state information. Resolves: rhbz#2080443 - Update policy for fdo Resolves: rhbz#2229722 - Allow gpsd, oddjob and oddjob_mkhomedir_t write user_tty_device_t chr_file Resolves: rhbz#2223305 - Allow svirt to rw /dev/udmabuf Resolves: rhbz#2223727 - Allow keepalived watch var_run dirs Resolves: rhbz#2186759
Nikola Knazekova
2023-08-24 16:07:28 +0200
dfa70ba52b * Thu Aug 17 2023 Nikola Knazekova <nknazeko@redhat.com> - 38.1.21-1 - Allow logrotate_t to map generic files in /etc Resolves: rhbz#2231257 - Allow insights-client manage user temporary files Resolves: rhbz#2224737 - Make insights_client_t an unconfined domain Resolves: rhbz#2225526
Nikola Knazekova
2023-08-17 16:29:24 +0200
d504b523d0 * Fri Aug 11 2023 Nikola Knazekova <nknazeko@redhat.com> - 38.1.20-1 - Allow user_u and staff_u get attributes of non-security dirs Resolves: rhbz#2215507 - Allow cloud_init create dhclient var files and init_t manage net_conf_t Resolves: rhbz#2225418 - Allow samba-dcerpc service manage samba tmp files Resolves: rhbz#2230365 - Update samba-dcerpc policy for printing Resolves: rhbz#2230365 - Allow sysadm_t run kernel bpf programs Resolves: rhbz#2229936 - allow mon_procd_t self:cap_userns sys_ptrace Resolves: rhbz#2221986 - Remove nsplugin_role from mozilla.if Resolves: rhbz#2221251 - Allow unconfined user filetrans chrome_sandbox_home_t Resolves: rhbz#2187893 - Allow pdns name_bind and name_connect all ports Resolves: rhbz#2047945 - Allow insights-client read and write cluster tmpfs files Resolves: rhbz#2221631 - Allow ipsec read nsfs files Resolves: rhbz#2230277 - Allow upsmon execute upsmon via a helper script Resolves: rhbz#2228403 - Fix labeling for no-stub-resolv.conf Resolves: rhbz#2148390 - Add use_nfs_home_dirs boolean for mozilla_plugin Resolves: rhbz#2214298 - Change wording in /etc/selinux/config Resolves: rhbz#2143153
Nikola Knazekova
2023-08-11 18:37:49 +0200
f44c4567b9 Change wording in /etc/selinux/config
Nikola Knazekova
2023-08-11 18:32:54 +0200
32396fb0bc * Thu Aug 03 2023 Nikola Knazekova <nknazeko@redhat.com> - 38.1.19-1 - Allow qatlib to read sssd public files Resolves: rhbz#2080443 - Fix location for /run/nsd Resolves: rhbz#2181600 - Allow samba-rpcd work with passwords Resolves: rhbz#2107092 - Allow rpcd_lsad setcap and use generic ptys Resolves: rhbz#2107092 - Allow gpsd,oddjob,oddjob_mkhomedir rw user domain pty Resolves: rhbz#2223305 - Allow keepalived to manage its tmp files Resolves: rhbz#2179212 - Allow nscd watch system db dirs Resolves: rhbz#2152124
Nikola Knazekova
2023-08-03 20:10:18 +0200
ebddc59c06 * Fri Jul 21 2023 Nikola Knazekova <nknazeko@redhat.com> - 38.1.18-1 - Boolean: Allow virt_qemu_ga create ssh directory Resolves: rhbz#2181402 - Allow virt_qemu_ga_t create .ssh dir with correct label Resolves: rhbz#2181402 - Set default ports for keylime policy Resolves: RHEL-594 - Allow unconfined service inherit signal state from init Resolves: rhbz#2186233 - Allow sa-update connect to systemlog services Resolves: rhbz#2220643 - Allow sa-update manage spamc home files Resolves: rhbz#2220643 - Label only /usr/sbin/ripd and ripngd with zebra_exec_t Resolves: rhbz#2213605 - Add the files_getattr_non_auth_dirs() interface Resolves: rhbz#2076933 - Update policy for the sblim-sfcb service Resolves: rhbz#2076933 - Define equivalency for /run/systemd/generator.early Resolves: rhbz#2213516
Nikola Knazekova
2023-07-21 16:40:49 +0200
4004f169e9 Define equivalency for /run/systemd/generator.early
Zdenek Pytela
2023-07-13 21:41:25 +0200
2d6e758511 * Tue Mar 28 2023 Nikola Knazekova <nknazeko@redhat.com> - 38.1.11-2 - rebuilt Resolves: rhbz#2172268
Nikola Knazekova
2023-03-28 14:38:51 +0200
33e3d41b2a * Mon Mar 27 2023 Nikola Knazekova <nknazeko@redhat.com> - 38.1.11-1 - Allow passt manage qemu pid sock files Resolves: rhbz#2172268 - Exclude passt.if from selinux-policy-devel Resolves: rhbz#2172268
Nikola Knazekova
2023-03-27 18:35:13 +0200
71d7401739 Exclude passt.if from selinux-policy-devel
Nikola Knazekova
2023-03-27 18:25:56 +0200
2c29fc7c57 * Fri Mar 24 2023 Nikola Knazekova <nknazeko@redhat.com> - 38.1.10-1 - Add support for the passt_t domain Resolves: rhbz#2172268 - Allow virtd_t and svirt_t work with passt Resolves: rhbz#2172268 - Add new interfaces in the virt module Resolves: rhbz#2172268 - Add passt interfaces defined conditionally Resolves: rhbz#2172268
Nikola Knazekova
2023-03-24 19:20:55 +0100
72e4cffc96 * Thu Mar 16 2023 Nikola Knazekova <nknazeko@redhat.com> - 38.1.9-1 - Boolean: allow qemu-ga manage ssh home directory Resolves: rhbz#2178612 - Allow wg load kernel modules, search debugfs dir Resolves: rhbz#2176487
Nikola Knazekova
2023-03-16 14:46:03 +0100
f7cdf9eba8 * Thu Jan 26 2023 Nikola Knazekova <nknazeko@redhat.com> - 38.1.5-1 - Reuse tmpfs_t also for the ramfs filesystem Resolves: rhbz#2160391 - Allow systemd-resolved watch tmpfs directories Resolves: rhbz#2160391 - Allow hostname_t to read network sysctls. Resolves: rhbz#2161958 - Allow ModemManager all permissions for netlink route socket Resolves: rhbz#2149560 - Allow unconfined user filetransition for sudo log files Resolves: rhbz#2160388 - Allow sudodomain use sudo.log as a logfile Resolves: rhbz#2160388 - Allow nm-cloud-setup dispatcher plugin restart nm services Resolves: rhbz#2154414 - Allow wg to send msg to kernel, write to syslog and dbus connections Resolves: rhbz#2149452 - Allow rshim bpf cap2 and read sssd public files Resolves: rhbz#2080439 - Allow svirt request the kernel to load a module Resolves: rhbz#2144735 - Rebase selinux-policy to the latest one in rawhide Resolves: rhbz#2014606
Nikola Knazekova
2023-01-26 18:00:30 +0100
9caf659df2 * Mon Nov 21 2022 Zdenek Pytela <zpytela@redhat.com> - 38.1.1-1 - Rebase selinux-policy to the latest one in rawhide Resolves: rhbz#2082524
Zdenek Pytela
2022-11-22 10:46:45 +0100
08558d4729 Change %{_usr}/share to %{_datadir} in specfile %exclude
Zdenek Pytela
2022-11-22 10:44:46 +0100