rpms
/
selinux-policy
7
0
Fork 0
Code Issues Pull Requests Releases Activity

Commit Graph

  • b6e9c86706 import UBI selinux-policy-38.1.35-2.el9_4.2 imports/c9/selinux-policy-38.1.35-2.el9_4.2 c9 eabdullin 2024-06-18 20:29:33 +0000
  • 9ff33f15d5 * Tue Jun 18 2024 Zdenek Pytela <zpytela@redhat.com> - 38.1.40-1 - Allow systemd-coredump read nsfs files Resolves: RHEL-39937 - Allow login_userdomain execute systemd-tmpfiles in the caller domain Resolves: RHEL-40374 - Allow ptp4l_t request that the kernel load a kernel module Resolves: RHEL-38905 - Allow collectd to trace processes in user namespace Resolves: RHEL-36293 c9s Zdenek Pytela 2024-06-18 22:32:39 +0200
  • b2c25500b4 * Tue Jun 18 2024 Zdenek Pytela <zpytela@redhat.com> - 40.13.3-1 - Allow virtqemud manage nfs files when virt_use_nfs boolean is on Resolves: RHEL-40205 - Allow virt_driver_domain read files labeled unconfined_t Resolves: RHEL-40262 - Allow virt_driver_domain dbus chat with policykit Resolves: RHEL-40346 - Escape "interface" as a file name in a virt filetrans pattern Resolves: RHEL-34769 - Allow setroubleshootd get attributes of all sysctls Resolves: RHEL-40923 - Allow qemu-ga read vm sysctls Resolves: RHEL-40829 - Allow sbd to trace processes in user namespace Resolves: RHEL-39989 - Allow request-key execute scripts Resolves: RHEL-38920 - Update policy for haproxyd Resolves: RHEL-40877 c10s Zdenek Pytela 2024-06-18 17:27:30 +0200
  • 1dacbf26a9 * Fri Jun 07 2024 Zdenek Pytela <zpytela@redhat.com> - 40.13.2-1 - Allow all domains read and write z90crypt device Resolves: RHEL-28539 - Allow dhcpc read /run/netns files Resolves: RHEL-39510 - Allow bootupd search efivarfs dirs Resolves: RHEL-39514 Zdenek Pytela 2024-06-07 20:10:33 +0200
  • 89ceaca299 * Thu Jun 06 2024 Zdenek Pytela <zpytela@redhat.com> - 38.1.39-1 - Add interfaces for watching and reading ifconfig_var_run_t Resolves: RHEL-39408 - Allow dhcpcd use unix_stream_socket Resolves: RHEL-39408 - Allow dhcpc read /run/netns files Resolves: RHEL-39408 - Allow all domains read and write z90crypt device Resolves: RHEL-38833 - Allow bootupd search efivarfs dirs Resolves: RHEL-36289 - Move unconfined_domain(sap_unconfined_t) to an optional block Resolves: RHEL-37663 Zdenek Pytela 2024-06-06 22:43:44 +0200
  • 4365f770e2 import CS selinux-policy-3.14.3-139.el8 c8 imports/c8/selinux-policy-3.14.3-139.el8_10 eabdullin 2024-05-22 10:47:43 +0000
  • 51ba4f33dc Drop baseos-ci gating Petr Lautrbach 2024-05-21 11:02:06 +0200
  • 9359be591b * Fri May 17 2024 Zdenek Pytela <zpytela@redhat.com> - 40.19-1 - Allow postfix smtpd map aliases file - Ensure dbus communication is allowed bidirectionally - Label systemd configuration files with systemd_conf_t - Label /run/systemd/machine with systemd_machined_var_run_t - Allow systemd-hostnamed read the vsock device - Allow sysadm execute dmidecode using sudo - Allow sudodomain list files in /var - Allow setroubleshootd get attributes of all sysctls - Allow various services read and write z90crypt device - Allow nfsidmap connect to systemd-homed - Allow sandbox_x_client_t dbus chat with accountsd - Allow system_cronjob_t dbus chat with avahi_t - Allow staff_t the io_uring sqpoll permission - Allow staff_t use the io_uring API - Add support for secretmem anon inode - Backport /var/run change related improvements Zdenek Pytela 2024-05-18 00:46:09 +0200
  • fd660a4dde Correct some errors in the RPM macro changes from -2 Zdenek Pytela 2024-05-17 22:13:06 +0200
  • befd3d6c81 Update rpm configuration for the /var/run equivalency change Zdenek Pytela 2024-05-17 22:09:34 +0200
  • f05cd533e6 Update repository link and branches names for c10s Zdenek Pytela 2024-05-17 21:47:38 +0200
  • df730c18c8 * Thu May 16 2024 Zdenek Pytela <zpytela@redhat.com> - 38.1.38-1 - Add boolean qemu-ga to run unconfined script Resolves: RHEL-31211 - Ensure dbus communication is allowed bidirectionally Resolves: RHEL-35782 - Allow logwatch_mail_t read network sysctls Resolves: RHEL-34135 - Allow sysadm execute dmidecode using sudo Resolves: RHEL-16104 - Allow sudodomain list files in /var Resolves: RHEL-16104 - Allow various services read and write z90crypt device Resolves: RHEL-33361 - Allow system_cronjob_t dbus chat with avahi_t Resolves: RHEL-32290 - Allow setroubleshootd get attributes of all sysctls Resolves: RHEL-34078 - Remove permissive domain for bootupd_t Resolves: RHEL-22173 Zdenek Pytela 2024-05-16 18:15:13 +0200
  • 1292191ae3 * Tue May 07 2024 Zdenek Pytela <zpytela@redhat.com> - 38.1.37-1 - Allow numad to trace processes in user namespace Resolves: RHEL-33994 - Remove permissive domain for rshim_t Resolves: RHEL-22173 - Remove permissive domain for mptcpd_t Resolves: RHEL-22173 - Remove permissive domain for coreos_installer_t Resolves: RHEL-22173 - Remove permissive domain for afterburn_t Resolves: RHEL-22173 - Update afterburn policy Resolves: RHEL-22173 - Allow bootupd search EFI directory Resolves: RHEL-22172 - Add the bootupd module Resolves: RHEL-22172 - Add policy for bootupd Resolves: RHEL-22172 - Label /dev/mmcblk0rpmb character device with removable_device_t Resolves: RHEL-28080 - Differentiate between staff and sysadm when executing crontab with sudo Resolves: RHEL-31888 - Add crontab_admin_domtrans interface Resolves: RHEL-31888 - Add crontab_domtrans interface Resolves: RHEL-31888 - Allow svirt_t read vm sysctls Resolves: RHEL-32296 Zdenek Pytela 2024-05-07 22:23:57 +0200
  • 52c9844480 import CS selinux-policy-38.1.35-2.el9_3 imports/c9/selinux-policy-38.1.35-2.el9_4 eabdullin 2024-04-30 11:41:37 +0000
  • eab0528813 * Mon Apr 15 2024 Zdenek Pytela <zpytela@redhat.com> - 38.1.36-1 - Allow systemd-timedated get the timemaster service status Resolves: RHEL-25978 - postfix: allow qmgr to delete mails in bounce/ directory Resolves: RHEL-30271 - Allow NetworkManager the sys_ptrace capability in user namespace Resolves: RHEL-24346 - Label /dev/iommu with iommu_device_t Resolves: RHEL-22063 - Allow qemu-ga read vm sysctls Resolves: RHEL-31892 - Update repository link and branches names for c9s Related: RHEL-22960 Zdenek Pytela 2024-04-15 15:04:15 +0200
  • e04ed68484 Update repository link and branches names for c9s Zdenek Pytela 2024-04-15 14:52:52 +0200
  • 2a0889385e Import 135 released from CS c8-beta-135 eabdullin 2024-04-11 12:07:58 +0300
  • 7cad329921 enable the gating Milos Malik 2024-04-10 08:27:53 +0200
  • b7711cdc83 import CS selinux-policy-38.1.33-1.el9 imports/c9-beta/selinux-policy-38.1.33-1.el9 c9-beta eabdullin 2024-03-28 11:48:22 +0000
  • afa009bf11 import CS selinux-policy-3.14.3-137.el8 imports/c8-beta/selinux-policy-3.14.3-137.el8 c8-beta eabdullin 2024-03-27 20:29:59 +0000
  • 1b5f5feb56 * Thu Mar 14 2024 Zdenek Pytela <zpytela@redhat.com> - 38.1.35-2 - Rebuild Resolves: RHEL-26663 Zdenek Pytela 2024-03-14 15:02:43 +0100
  • 0853e85626 * Fri Mar 08 2024 Zdenek Pytela <zpytela@redhat.com> - 3.14.3-139 - Allow wdmd read hardware state information Resolves: RHEL-27507 c8s Zdenek Pytela 2024-03-08 18:57:11 +0100
  • 56acbf608d * Fri Mar 08 2024 Zdenek Pytela <zpytela@redhat.com> - 38.1.35-1 - Allow wdmd read hardware state information Resolves: RHEL-26663 Zdenek Pytela 2024-03-08 18:32:26 +0100
  • 832df72f06 * Fri Mar 08 2024 Zdenek Pytela <zpytela@redhat.com> - 38.1.34-1 - Allow wdmd list the contents of the sysfs directories Resolves: RHEL-26663 - Allow linuxptp configure phc2sys and chronyd over a unix domain socket Resolves: RHEL-26660 Zdenek Pytela 2024-03-08 12:03:52 +0100
  • fe855b4c90 * Fri Mar 08 2024 Zdenek Pytela <zpytela@redhat.com> - 3.14.3-138 - Allow wdmd list the contents of the sysfs directories Resolves: RHEL-27507 - Allow linuxptp configure phc2sys and chronyd over a unix domain socket Resolves: RHEL-27394 Zdenek Pytela 2024-03-08 10:25:36 +0100
  • 46be9da4df * Thu Feb 22 2024 Juraj Marcin <jmarcin@redhat.com> - 38.1.33-1 - Allow thumb_t to watch and watch_reads mount_var_run_t Resolves: RHEL-26073 - Allow opafm create NFS files and directories Resolves: RHEL-17820 - Label /tmp/libdnf.* with user_tmp_t Resolves: RHEL-11250 Juraj Marcin 2024-02-22 18:19:15 +0100
  • 66e607f19e * Thu Feb 22 2024 Zdenek Pytela <zpytela@redhat.com> - 3.14.3-137 - Differentiate between staff and sysadm when executing crontab with sudo Resolves: RHEL-1388 - Allow su domains write login records Resolves: RHEL-2606 - Revert "Allow su domains write login records" Resolves: RHEL-2606 - Add crontab_admin_domtrans interface Resolves: RHEL-1388 - Allow gpg manage rpm cache Resolves: RHEL-11249 Zdenek Pytela 2024-02-22 17:27:43 +0100
  • 6d154864b5 * Thu Feb 15 2024 Juraj Marcin <jmarcin@redhat.com> - 38.1.32-1 - Dontaudit subscription manager setfscreate and read file contexts Resolves: RHEL-21635 - Allow xdm_t to watch and watch_reads mount_var_run_t Resolves: RHEL-24841 - Allow unix dgram sendto between exim processes Resolves: RHEL-21902 - Allow utempter_t use ptmx Resolves: RHEL-24946 - Only allow confined user domains to login locally without unconfined_login Resolves: RHEL-1551 - Add userdom_spec_domtrans_confined_admin_users interface Resolves: RHEL-1551 - Only allow admindomain to execute shell via ssh with ssh_sysadm_login Resolves: RHEL-1551 - Add userdom_spec_domtrans_admin_users interface Resolves: RHEL-1551 - Move ssh dyntrans to unconfined inside unconfined_login tunable policy Resolves: RHEL-1551 Juraj Marcin 2024-02-15 17:11:49 +0100
  • 72be2b6d57 * Thu Feb 15 2024 Zdenek Pytela <zpytela@redhat.com> - 3.14.3-136 - Transition from sudodomains to crontab_t when executing crontab_exec_t Resolves: RHEL-1388 - Fix label of pseudoterminals created from sudodomain Resolves: RHEL-1388 - Allow login_userdomain to manage session_dbusd_tmp_t dirs/files Resolves: RHEL-22500 - Label /dev/ngXnY and /dev/nvme-subsysX with nvme_device_t Resolves: RHEL-23442 - Allow admin user read/write on fixed_disk_device_t Resolves: RHEL-23434 - Only allow confined user domains to login locally without unconfined_login Resolves: RHEL-1628 - Add userdom_spec_domtrans_confined_admin_users interface Resolves: RHEL-1628 - Only allow admindomain to execute shell via ssh with ssh_sysadm_login Resolves: RHEL-1628 - Add userdom_spec_domtrans_admin_users interface Resolves: RHEL-1628 - Move ssh dyntrans to unconfined inside unconfined_login tunable policy Resolves: RHEL-1628 - Allow utempter_t use ptmx Resolves: RHEL-25002 - Dontaudit subscription manager setfscreate and read file contexts Resolves: RHEL-21639 - Don't audit crontab_domain write attempts to user home Resolves: RHEL-1388 - Add crontab_domtrans interface Resolves: RHEL-1388 - Add dbus_manage_session_tmp_files interface Resolves: RHEL-22500 - Allow httpd read network sysctls Resolves: RHEL-22748 - Allow keepalived_unconfined_script_t dbus chat with init Resolves: RHEL-22843 Zdenek Pytela 2024-02-15 18:25:24 +0100
  • 8ab4e101e9 Limit %selinux_requires to version, not release Zdenek Pytela 2024-02-14 09:31:56 +0100
  • 0a14f83579 * Mon Feb 12 2024 Zdenek Pytela <zpytela@redhat.com> - 40.13-1 - Only allow confined user domains to login locally without unconfined_login - Add userdom_spec_domtrans_confined_admin_users interface - Only allow admindomain to execute shell via ssh with ssh_sysadm_login - Add userdom_spec_domtrans_admin_users interface - Move ssh dyntrans to unconfined inside unconfined_login tunable policy - Update ssh_role_template() for user ssh-agent type - Allow init to inherit system DBus file descriptors - Allow init to inherit fds from syslogd - Allow any domain to inherit fds from rpm-ostree - Update afterburn policy - Allow init_t nnp domain transition to abrtd_t Zdenek Pytela 2024-02-12 12:26:33 +0100
  • fa31a515e6 import UBI selinux-policy-38.1.23-1.el9_3.2 imports/c9/selinux-policy-38.1.23-1.el9_3.2 eabdullin 2024-02-12 08:55:25 +0000
  • 6dd5c78a95 * Tue Feb 06 2024 Zdenek Pytela <zpytela@redhat.com> - 40.12-1 - Rename all /var/lock file context entries to /run/lock - Rename all /var/run file context entries to /run - Invert the "/var/run = /run" equivalency Zdenek Pytela 2024-02-06 14:20:25 +0100
  • 0ec128677b * Mon Feb 05 2024 Zdenek Pytela <zpytela@redhat.com> - 40.11-1 - Replace init domtrans rule for confined users to allow exec init - Update dbus_role_template() to allow user service status - Allow polkit status all systemd services - Allow setroubleshootd create and use inherited io_uring - Allow load_policy read and write generic ptys - Allow gpg manage rpm cache - Allow login_userdomain name_bind to howl and xmsg udp ports - Allow rules for confined users logged in plasma - Label /dev/iommu with iommu_device_t - Remove duplicate file context entries in /run - Dontaudit getty and plymouth the checkpoint_restore capability - Allow su domains write login records - Revert "Allow su domains write login records" - Allow login_userdomain delete session dbusd tmp socket files - Allow unix dgram sendto between exim processes - Allow su domains write login records - Allow smbd_t to watch user_home_dir_t if samba_enable_home_dirs is on Zdenek Pytela 2024-02-05 16:57:20 +0100
  • d620ca1705 * Fri Jan 26 2024 Zdenek Pytela <zpytela@redhat.com> - 3.14.3-135 - Label /tmp/libdnf.* with user_tmp_t Resolves: RHEL-11249 - Allow su domains write login records Resolves: RHEL-2606 - Allow gpg read rpm cache Resolves: RHEL-11249 - Allow unix dgram sendto between exim processes Resolves: RHEL-21903 - Allow hypervkvp_t write access to NetworkManager_etc_rw_t Resolves: RHEL-17687 - Add interface for write-only access to NetworkManager rw conf Resolves: RHEL-17687 - Allow conntrackd_t to use sys_admin capability Resolves: RHEL-22276 Zdenek Pytela 2024-01-26 17:47:29 +0100
  • f9546d9349 * Thu Jan 25 2024 Juraj Marcin <jmarcin@redhat.com> - 38.1.31-1 - Allow chronyd-restricted read chronyd key files Resolves: RHEL-18219 - Allow conntrackd_t to use bpf capability2 Resolves: RHEL-22277 - Allow smbd_t to watch user_home_dir_t if samba_enable_home_dirs is on Resolves: RHEL-14735 - Allow hypervkvp_t write access to NetworkManager_etc_rw_t Resolves: RHEL-14505 - Add interface for write-only access to NetworkManager rw conf Resolves: RHEL-14505 - Allow unconfined_domain_type use IORING_OP_URING_CMD on all device nodes Resolves: RHEL-11792 Juraj Marcin 2024-01-25 13:44:44 +0100
  • 59b137280d import UBI selinux-policy-38.1.23-1.el9_3.1 imports/c9/selinux-policy-38.1.23-1.el9_3.1 eabdullin 2024-01-24 21:04:40 +0000
  • ac73b2b07b * Wed Jan 24 2024 Zdenek Pytela <zpytela@redhat.com> - 40.10-1 - Allow chronyd-restricted read chronyd key files - Allow conntrackd_t to use bpf capability2 - Allow systemd-networkd manage its runtime socket files - Allow init_t nnp domain transition to colord_t - Allow polkit status systemd services - nova: Fix duplicate declarations - Allow httpd work with PrivateTmp - Add interfaces for watching and reading ifconfig_var_run_t - Allow collectd read raw fixed disk device - Allow collectd read udev pid files - Set correct label on /etc/pki/pki-tomcat/kra - Allow systemd domains watch system dbus pid socket files - Allow certmonger read network sysctls - Allow mdadm list stratisd data directories - Allow syslog to run unconfined scripts conditionally - Allow syslogd_t nnp_transition to syslogd_unconfined_script_t - Allow qatlib set attributes of vfio device files Zdenek Pytela 2024-01-24 21:28:05 +0100
  • 88b880c6c7 * Fri Jan 12 2024 Zdenek Pytela <zpytela@redhat.com> - 38.1.30-1 - Allow sysadm execute traceroute in sysadm_t domain using sudo Resolves: RHEL-14077 - Allow qatlib set attributes of vfio device files Resolves: RHEL-19051 - Allow qatlib load kernel modules Resolves: RHEL-19051 - Allow qatlib run lspci Resolves: RHEL-19051 - Allow qatlib manage its private runtime socket files Resolves: RHEL-19051 - Allow qatlib read/write vfio devices Resolves: RHEL-19051 - Allow syslog to run unconfined scripts conditionally Resolves: RHEL-11174 - Allow syslogd_t nnp_transition to syslogd_unconfined_script_t Resolves: RHEL-11174 - Allow sendmail MTA connect to sendmail LDA Resolves: RHEL-15175 - Allow sysadm execute tcpdump in sysadm_t domain using sudo Resolves: RHEL-15432 - Allow opafm search nfs directories Resolves: RHEL-17820 - Allow mdadm list stratisd data directories Resolves: RHEL-19276 - Update cyrus_stream_connect() to use sockets in /run Resolves: RHEL-19282 - Allow collectd connect to statsd port Resolves: RHEL-21044 - Allow insights-client transition to sap unconfined domain Resolves: RHEL-21452 - Create the sap module Resolves: RHEL-21452 Zdenek Pytela 2024-01-13 00:24:21 +0100
  • 05d668a2ce Add the sap module to modules-targeted-contrib.conf Zdenek Pytela 2024-01-12 19:14:13 +0100
  • a99bd017ea * Fri Jan 12 2024 Zdenek Pytela <zpytela@redhat.com> - 3.14.3-134 - Allow syslog to run unconfined scripts conditionally Resolves: RHEL-10087 - Allow syslogd_t nnp_transition to syslogd_unconfined_script_t Resolves: RHEL-10087 - Allow collectd connect to statsd port Resolves: RHEL-19482 - Allow collectd_t read network state symlinks Resolves: RHEL-19482 - Allow collectd_t domain to create netlink_generic_socket sockets Resolves: RHEL-19482 - Allow opafm search nfs directories Resolves: RHEL-19426 - Allow mdadm list stratisd data directories Resolves: RHEL-21374 Zdenek Pytela 2024-01-12 16:52:31 +0100
  • 7815a6c36b import UBI selinux-policy-3.14.3-128.el8_9.1 imports/c8/selinux-policy-3.14.3-128.el8_9.1 eabdullin 2024-01-10 13:23:18 +0000
  • 443b716de1 * Tue Jan 09 2024 Zdenek Pytela <zpytela@redhat.com> - 40.9-1 - Allow systemd-sleep set attributes of efivarfs files - Allow samba-dcerpcd read public files - Allow spamd_update_t the sys_ptrace capability in user namespace - Allow bluetooth devices work with alsa - Allow alsa get attributes filesystems with extended attributes Zdenek Pytela 2024-01-09 20:59:16 +0100
  • e46b929e63 Limit %selinux_requires to version, not release Yaakov Selkowitz 2024-01-02 11:15:16 -0500
  • 68923ff3dd * Thu Dec 21 2023 Zdenek Pytela <zpytela@redhat.com> - 40.8-1 - Allow hypervkvp_t write access to NetworkManager_etc_rw_t - Add interface for write-only access to NetworkManager rw conf - Allow systemd-sleep send a message to syslog over a unix dgram socket - Allow init create and use netlink netfilter socket - Allow qatlib load kernel modules - Allow qatlib run lspci - Allow qatlib manage its private runtime socket files - Allow qatlib read/write vfio devices - Label /etc/redis.conf with redis_conf_t - Remove the lockdown-class rules from the policy - Allow init read all non-security socket files - Replace redundant dnsmasq pattern macros - Remove unneeded symlink perms in dnsmasq.if - Add additions to dnsmasq interface - Allow nvme_stas_t create and use netlink kobject uevent socket - Allow collectd connect to statsd port - Allow keepalived_t to use sys_ptrace of cap_userns - Allow dovecot_auth_t connect to postgresql using UNIX socket Zdenek Pytela 2023-12-21 17:03:58 +0100
  • c2074133ec * Thu Dec 14 2023 Juraj Marcin <jmarcin@redhat.com> - 38.1.29-1 - Add init_explicit_domain() interface Resolves: RHEL-18219 - Allow dovecot_auth_t connect to postgresql using UNIX socket Resolves: RHEL-16850 - Allow keepalived_t to use sys_ptrace of cap_userns Resolves: RHEL-17156 - Make `bootc` be `install_exec_t` Resolves: RHEL-19199 - Add support for chronyd-restricted Resolves: RHEL-18219 - Label /dev/vas with vas_device_t Resolves: RHEL-17336 - Allow gpsd use /dev/gnss devices Resolves: RHEL-16676 - Allow sendmail manage its runtime files Resolves: RHEL-15175 - Add support for syslogd unconfined scripts Resolves: RHEL-11174 Juraj Marcin 2023-12-14 14:17:21 +0100
  • 575be8bea0 Add /bin = /usr/bin file context equivalency Juraj Marcin 2023-12-13 15:26:43 +0100
  • 701a31705c Add /bin = /usr/bin file context equivalency Juraj Marcin 2023-12-13 15:26:43 +0100
  • bbcf1324a4 * Wed Dec 13 2023 Zdenek Pytela <zpytela@redhat.com> - 3.14.3-133 - Label /dev/acpi_thermal_rel char device with acpi_device_t Resolves: RHEL-18027 - Allow sysadm execute traceroute in sysadm_t domain using sudo Resolves: RHEL-9947 - Allow sysadm execute tcpdump in sysadm_t domain using sudo Resolves: RHEL-15398 - Add support for syslogd unconfined scripts Resolves: RHEL-10087 - Label /dev/wmi/dell-smbios as acpi_device_t Resolves: RHEL-18027 - Make named_zone_t and named_var_run_t a part of the mountpoint attribute Resolves: RHEL-1954 - Dontaudit rhsmcertd write memory device Resolves: RHEL-17721 Zdenek Pytela 2023-12-13 16:34:09 +0100
  • df4c66da89 * Wed Dec 13 2023 Zdenek Pytela <zpytela@redhat.com> - 40.7-1 - Make named_zone_t and named_var_run_t a part of the mountpoint attribute - Allow sysadm execute traceroute in sysadm_t domain using sudo - Allow sysadm execute tcpdump in sysadm_t domain using sudo - Allow opafm search nfs directories - Add support for syslogd unconfined scripts - Allow gpsd use /dev/gnss devices - Allow gpg read rpm cache - Allow virtqemud additional permissions - Allow virtqemud manage its private lock files - Allow virtqemud use the io_uring api - Allow ddclient send e-mail notifications - Allow postfix_master_t map postfix data files - Allow init create and use vsock sockets - Allow thumb_t append to init unix domain stream sockets - Label /dev/vas with vas_device_t - Change domain_kernel_load_modules boolean to true - Create interface selinux_watch_config and add it to SELinux users Zdenek Pytela 2023-12-13 16:42:42 +0100
  • a53a4197a0 * Thu Nov 30 2023 Juraj Marcin <jmarcin@redhat.com> - 38.1.28-1 - Create interface selinux_watch_config and add it to SELinux users Resolves: RHEL-1555 - Allow winbind_rpcd_t processes access when samba_export_all_* is on Resolves: RHEL-16273 - Allow samba-dcerpcd connect to systemd_machined over a unix socket Resolves: RHEL-16273 - Allow winbind-rpcd make a TCP connection to the ldap port Resolves: RHEL-16273 - Allow sudodomain read var auth files Resolves: RHEL-16708 - Allow auditd read all domains process state Resolves: RHEL-14285 - Allow rsync read network sysctls Resolves: RHEL-14638 - Add dhcpcd bpf capability to run bpf programs Resolves: RHEL-15326 - Allow systemd-localed create Xserver config dirs Resolves: RHEL-16716 - Label /var/run/tmpfiles.d/static-nodes.conf with kmod_var_run_t Resolves: RHEL-1553 - Update sendmail policy module for opensmtpd Resolves: RHEL-15175 Juraj Marcin 2023-11-30 11:37:06 +0100
  • 83b950022b * Tue Nov 28 2023 Zdenek Pytela <zpytela@redhat.com> - 3.14.3-132 - Allow sudodomain read var auth files Resolves: RHEL-16567 - Update cifs interfaces to include fs_search_auto_mountpoints() Resolves: RHEL-14072 - Allow systemd-localed create Xserver config dirs Resolves: RHEL-16715 - Label /var/run/auditd.state as auditd_var_run_t Resolves: RHEL-14376 - Allow auditd read all domains process state Resolves: RHEL-14471 - Allow sudo userdomain to run rpm related commands Resolves: RHEL-1679 - Remove insights_client_watch_lib_dirs() interface Resolves: RHEL-16185 Zdenek Pytela 2023-11-28 14:43:30 +0100
  • ce3921683b * Tue Nov 28 2023 Zdenek Pytela <zpytela@redhat.com> - 40.6-1 - Add afterburn to modules-targeted-contrib.conf - Update cifs interfaces to include fs_search_auto_mountpoints() - Allow sudodomain read var auth files - Allow spamd_update_t read hardware state information - Allow virtnetworkd domain transition on tc command execution - Allow sendmail MTA connect to sendmail LDA - Allow auditd read all domains process state - Allow rsync read network sysctls - Add dhcpcd bpf capability to run bpf programs - Dontaudit systemd-hwdb dac_override capability - Allow systemd-sleep create efivarfs files Zdenek Pytela 2023-11-28 15:43:25 +0100
  • bced996a06 Add afterburn to modules-targeted-contrib.conf Juraj Marcin 2023-11-14 14:03:04 +0100
  • 4715f116ff * Tue Nov 14 2023 Juraj Marcin <jmarcin@redhat.com> - 38.1.27-1 - Remove glusterd module Resolves: RHEL-1548 - Improve default file context(None) of /var/lib/authselect/backups Resolves: RHEL-15220 - Set default file context of /var/lib/authselect/backups to <<none>> Resolves: RHEL-15220 - Create policy for afterburn Resolves: RHEL-12591 - Allow unconfined_domain_type use io_uring cmd on domain Resolves: RHEL-11792 - Add policy for coreos installer Resovles: RHEL-5164 - Add policy for nvme-stas Resolves: RHEL-1557 - Label /var/run/auditd.state as auditd_var_run_t Resolves: RHEL-14374 - Allow ntp to bind and connect to ntske port. Resolves: RHEL-15085 - Allow ip an explicit domain transition to other domains Resolves: RHEL-14246 - Label /usr/libexec/selinux/selinux-autorelabel with semanage_exec_t Resolves: RHEL-14289 - Allow sssd domain transition on passkey_child execution conditionally Resolves: RHEL-14014 - Allow sssd use usb devices conditionally Resolves: RHEL-14014 - Allow kdump create and use its memfd: objects Resolves: RHEL-14413 Juraj Marcin 2023-11-14 19:35:13 +0100
  • dbd1e9f272 Remove glusterd from modules-targeted-*.conf Juraj Marcin 2023-11-14 19:25:45 +0100
  • 13b73ff37a Add afterburn to modules-targeted-contrib.conf Juraj Marcin 2023-11-14 14:03:04 +0100
  • 04adb244ee Add coreos_installer to modules-targeted-contrib.conf Zdenek Pytela 2023-10-18 11:41:18 +0200
  • eccb49870a Add nvme_stas to modules-targeted-contrib.conf Zdenek Pytela 2023-10-17 20:58:06 +0200
  • 5e3d4c805f import UBI selinux-policy-3.14.3-128.el8 imports/c8/selinux-policy-3.14.3-128.el8 eabdullin 2023-11-14 18:50:07 +0000
  • 648853f428 * Tue Nov 14 2023 Zdenek Pytela <zpytela@redhat.com> - 40.5-1 - Allow map xserver_tmpfs_t files when xserver_clients_write_xshm is on - Allow graphical applications work in Wayland - Allow kdump work with PrivateTmp - Allow dovecot-auth work with PrivateTmp - Allow nfsd get attributes of all filesystems - Allow unconfined_domain_type use io_uring cmd on domain - ci: Only run Rawhide revdeps tests on the rawhide branch - Label /var/run/auditd.state as auditd_var_run_t - Allow fido-device-onboard (FDO) read the crack database - Allow ip an explicit domain transition to other domains - Label /usr/libexec/selinux/selinux-autorelabel with semanage_exec_t - Allow winbind_rpcd_t processes access when samba_export_all_* is on - Enable NetworkManager and dhclient to use initramfs-configured DHCP connection - Allow ntp to bind and connect to ntske port. - Allow system_mail_t manage exim spool files and dirs - Dontaudit keepalived setattr on keepalived_unconfined_script_exec_t - Label /run/pcsd.socket with cluster_var_run_t - ci: Run cockpit tests in PRs Zdenek Pytela 2023-11-14 20:38:51 +0100
  • f8347e3b30 fix the sequence of script commands Milos Malik 2023-11-09 08:08:39 +0100
  • 5db7d069a4 fix the sequence of script commands Milos Malik 2023-11-09 07:00:01 +0100
  • e756dec2b1 * Wed Nov 08 2023 Zdenek Pytela <zpytela@redhat.com> - 3.14.3-131 - Additional permissions for ip-vrf Resolves: RHEL-9981 - Allow ip an explicit domain transition to other domains Resolves: RHEL-9981 - Allow winbind_rpcd_t processes access when samba_export_all_* is on Resolves: RHEL-5845 - Allow system_mail_t manage exim spool files and dirs Resolves: RHEL-14186 Zdenek Pytela 2023-11-08 12:13:14 +0100
  • ef87d821a3 import UBI selinux-policy-38.1.23-1.el9 imports/c9/selinux-policy-38.1.23-1.el9 eabdullin 2023-11-07 11:24:37 +0000
  • 95f948b470 improve the Tier1 test plan Milos Malik 2023-11-03 09:02:07 +0100
  • bd4dd09bb0 run relevant Tier1 tests via TMT Milos Malik 2023-11-01 15:04:17 +0100
  • 78a1079d35 * Tue Oct 31 2023 Zdenek Pytela <zpytela@redhat.com> - 38.1.26-1 - Allow kdump create and use its memfd: objects Resolves: RHEL-14413 Zdenek Pytela 2023-10-31 11:17:20 +0100
  • 01fb30d35f * Fri Oct 20 2023 Zdenek Pytela <zpytela@redhat.com> - 38.1.25-1 - Add map_read map_write to kernel_prog_run_bpf Resolves: RHEL-2653 - Allow sysadm_t read nsfs files Resolves: RHEL-5146 - Dontaudit keepalived setattr on keepalived_unconfined_script_exec_t Resolves: RHEL-14029 - Allow system_mail_t manage exim spool files and dirs Resolves: RHEL-14110 - Label /run/pcsd.socket with cluster_var_run_t Resolves: RHEL-1664 Zdenek Pytela 2023-10-20 14:55:36 +0200
  • 2d11fcc9ab * Thu Oct 19 2023 Zdenek Pytela <zpytela@redhat.com> - 40.4-1 - Add map_read map_write to kernel_prog_run_bpf - Allow systemd-fstab-generator read all symlinks - Allow systemd-fstab-generator the dac_override capability - Allow rpcbind read network sysctls - Support using systemd containers - Allow sysadm_t to connect to iscsid using a unix domain stream socket - Add policy for coreos installer - Add coreos_installer to modules-targeted-contrib.conf Zdenek Pytela 2023-10-19 17:45:01 +0200
  • 8c0b466d95 Add coreos_installer to modules-targeted-contrib.conf Zdenek Pytela 2023-10-18 11:41:18 +0200
  • 1cd26ed671 * Tue Oct 17 2023 Zdenek Pytela <zpytela@redhat.com> - 40.3-1 - Add policy for nvme-stas - Confine systemd fstab,sysv,rc-local - Label /etc/aliases.lmdb with etc_aliases_t - Create policy for afterburn Zdenek Pytela 2023-10-17 22:01:25 +0200
  • 583057eb53 Add nvme_stas to modules-targeted-contrib.conf Zdenek Pytela 2023-10-17 20:58:06 +0200
  • 83b7e2bd35 Add plans/tests.fmf Zdenek Pytela 2023-10-11 10:44:14 +0200
  • 6fbdf6352d Add the virt_supplementary module to modules-targeted-contrib.conf Zdenek Pytela 2023-10-10 10:48:45 +0200
  • 2bde33920c * Tue Oct 10 2023 Zdenek Pytela <zpytela@redhat.com> - 40.2-1 - Make new virt drivers permissive - Split virt policy, introduce virt_supplementary module - Allow apcupsd cgi scripts read /sys - Merge pull request #1893 from WOnder93/more-early-boot-overlay-fixes - Allow kernel_t to manage and relabel all files - Add missing optional_policy() to files_relabel_all_files() Zdenek Pytela 2023-10-10 10:47:42 +0200
  • 995481ca80 * Tue Oct 03 2023 Zdenek Pytela <zpytela@redhat.com> - 40.1-1 - Allow named and ndc use the io_uring api - Deprecate common_anon_inode_perms usage - Improve default file context(None) of /var/lib/authselect/backups - Allow udev_t to search all directories with a filesystem type - Implement proper anon_inode support - Allow targetd write to the syslog pid sock_file - Add ipa_pki_retrieve_key_exec() interface - Allow kdumpctl_t to list all directories with a filesystem type - Allow udev additional permissions - Allow udev load kernel module - Allow sysadm_t to mmap modules_object_t files - Add the unconfined_read_files() and unconfined_list_dirs() interfaces - Set default file context of HOME_DIR/tmp/.* to <<none>> - Allow kernel_generic_helper_t to execute mount(1) Zdenek Pytela 2023-10-03 21:48:58 +0200
  • 1826d51b0d * Wed Oct 04 2023 Lukas Vrabec <lvrabec@redhat.com> - 3.14.3-130 - Label msmtp and msmtpd with sendmail_exec_t Resolves: RHEL-1678 - Set default file context of HOME_DIR/tmp/.* to <<none>> Resolves: RHEL-1099 - Improve default file context(None) of /var/lib/authselect/backups Resolves: RHEL-3539 Lukas Vrabec 2023-10-04 13:12:59 +0200
  • 11c92f5ea8 * Fri Sep 29 2023 Zdenek Pytela <zpytela@redhat.com> - 38.29-1 - Allow sssd send SIGKILL to passkey_child running in ipa_otpd_t - Allow systemd-localed create Xserver config dirs - Allow sssd read symlinks in /etc/sssd - Label /dev/gnss[0-9] with gnss_device_t - Allow systemd-sleep read/write efivarfs variables - ci: Fix version number of packit generated srpms - Dontaudit rhsmcertd write memory device - Allow ssh_agent_type create a sockfile in /run/user/USERID - Set default file context of /var/lib/authselect/backups to <<none>> - Allow prosody read network sysctls - Allow cupsd_t to use bpf capability Zdenek Pytela 2023-09-29 20:49:14 +0200
  • 728deb0464 * Fri Sep 29 2023 Lukas Vrabec <lvrabec@redhat.com> - 3.14.3-129 - Set default file context of /var/lib/authselect/backups to <<none>> Resolves: RHEL-3539 - Add file context specification for /usr/libexec/realmd Resolves: RHEL-2147 - Add numad the ipc_owner capability Resolves: RHEL-2415 Lukas Vrabec 2023-09-29 14:50:40 +0200
  • 8f1dc2715d * Fri Sep 29 2023 Juraj Marcin <jmarcin@redhat.com> - 38.1.24-1 - Allow cupsd_t to use bpf capability Resolves: RHEL-3633 - Label /dev/gnss[0-9] with gnss_device_t Resolves: RHEL-9936 - Dontaudit rhsmcertd write memory device Resolves: RHEL-1547 Juraj Marcin 2023-09-29 16:03:24 +0200
  • dbf07eba2d Update source branches to build a new package for RHEL 9.4.0 Resolves: RHEL-1547 Juraj Marcin 2023-09-29 20:20:48 +0200
  • 64c741479f import CS selinux-policy-3.14.3-128.el8 imports/c8-beta/selinux-policy-3.14.3-128.el8 eabdullin 2023-09-27 14:11:30 +0000
  • 81fc94fa79 import CS selinux-policy-38.1.23-1.el9 imports/c9-beta/selinux-policy-38.1.23-1.el9 eabdullin 2023-09-21 20:25:40 +0000
  • fd4ae372bc import UBI selinux-policy-3.14.3-117.el8_8.3 imports/c8/selinux-policy-3.14.3-117.el8_8.3 eabdullin 2023-09-21 07:45:03 +0000
  • 4beb93659f * Fri Sep 15 2023 Zdenek Pytela <zpytela@redhat.com> - 38.28-1 - Allow sssd domain transition on passkey_child execution conditionally - Allow login_userdomain watch lnk_files in /usr - Allow login_userdomain watch video4linux devices - Change systemd-network-generator transition to include class file - Revert "Change file transition for systemd-network-generator" - Allow nm-dispatcher winbind plugin read/write samba var files - Allow systemd-networkd write to cgroup files - Allow kdump create and use its memfd: objects Zdenek Pytela 2023-09-15 14:49:49 +0200
  • 973e5990a6 import UBI selinux-policy-38.1.11-2.el9_2.4 imports/c9/selinux-policy-38.1.11-2.el9_2.4 eabdullin 2023-09-12 09:43:36 +0000
  • 16fcf3610b * Thu Aug 31 2023 Zdenek Pytela <zpytela@redhat.com> - 38.27-1 - Allow fedora-third-party get generic filesystem attributes - Allow sssd use usb devices conditionally - Update policy for qatlib - Allow ssh_agent_type manage generic cache home files Zdenek Pytela 2023-08-31 22:03:34 +0200
  • 33abfa2432 * Fri Aug 25 2023 Nikola Knazekova <nknazeko@redhat.com> - 38.1.23-1 - Allow cups-pdf connect to the system log service Resolves: rhbz#2234765 - Update policy for qatlib Resolves: rhbz#2080443 Nikola Knazekova 2023-08-25 21:11:09 +0200
  • d3c8942890 * Fri Aug 25 2023 Zdenek Pytela <zpytela@redhat.com> - 3.14.3-128 - Allow ssh_agent_type manage generic cache home files Resolves: rhbz#2177704 - Add chromium_sandbox_t setcap capability Resolves: rhbz#2221573 Zdenek Pytela 2023-08-25 14:02:35 +0200
  • 42961943f5 * Thu Aug 24 2023 Zdenek Pytela <zpytela@redhat.com> - 38.26-1 - Change file transition for systemd-network-generator - Additional support for gnome-initial-setup - Update gnome-initial-setup policy for geoclue - Allow openconnect vpn open vhost net device - Allow cifs.upcall to connect to SSSD also through the /var/run socket - Grant cifs.upcall more required capabilities - Allow xenstored map xenfs files - Update policy for fdo - Allow keepalived watch var_run dirs - Allow svirt to rw /dev/udmabuf - Allow qatlib to modify hardware state information. - Allow key.dns_resolve connect to avahi over a unix stream socket - Allow key.dns_resolve create and use unix datagram socket - Use quay.io as the container image source for CI Zdenek Pytela 2023-08-24 21:17:38 +0200
  • 80c07f8e7b * Thu Aug 24 2023 Nikola Knazekova <nknazeko@redhat.com> - 38.1.22-1 - Allow qatlib to modify hardware state information. Resolves: rhbz#2080443 - Update policy for fdo Resolves: rhbz#2229722 - Allow gpsd, oddjob and oddjob_mkhomedir_t write user_tty_device_t chr_file Resolves: rhbz#2223305 - Allow svirt to rw /dev/udmabuf Resolves: rhbz#2223727 - Allow keepalived watch var_run dirs Resolves: rhbz#2186759 Nikola Knazekova 2023-08-24 16:07:28 +0200
  • dfa70ba52b * Thu Aug 17 2023 Nikola Knazekova <nknazeko@redhat.com> - 38.1.21-1 - Allow logrotate_t to map generic files in /etc Resolves: rhbz#2231257 - Allow insights-client manage user temporary files Resolves: rhbz#2224737 - Make insights_client_t an unconfined domain Resolves: rhbz#2225526 Nikola Knazekova 2023-08-17 16:29:24 +0200
  • ef4e39e85f * Thu Aug 17 2023 Zdenek Pytela <zpytela@redhat.com> - 3.14.3-127 - Allow cloud_init create dhclient var files and init_t manage net_conf_t 3 Resolves: rhbz#2229726 Zdenek Pytela 2023-08-17 13:47:08 +0200
  • 314088eca9 * Fri Aug 11 2023 Zdenek Pytela <zpytela@redhat.com> - 38.25-1 - ci: Move srpm/rpm build to packit - .copr: Avoid subshell and changing directory - Allow gpsd, oddjob and oddjob_mkhomedir_t write user_tty_device_t chr_file - Label /usr/libexec/openssh/ssh-pkcs11-helper with ssh_agent_exec_t - Make insights_client_t an unconfined domain - Allow insights-client manage user temporary files - Allow insights-client create all rpm logs with a correct label - Allow insights-client manage generic logs - Allow cloud_init create dhclient var files and init_t manage net_conf_t - Allow insights-client read and write cluster tmpfs files - Allow ipsec read nsfs files - Make tuned work with mls policy - Remove nsplugin_role from mozilla.if - allow mon_procd_t self:cap_userns sys_ptrace - Allow pdns name_bind and name_connect all ports - Set the MLS range of fsdaemon_t to s0 - mls_systemhigh - ci: Move to actions/checkout@v3 version - .copr: Replace chown call with standard workflow safe.directory setting - .copr: Enable `set -u` for robustness - .copr: Simplify root directory variable Zdenek Pytela 2023-08-11 23:48:28 +0200
  • 29d572116d * Fri Aug 11 2023 Zdenek Pytela <zpytela@redhat.com> - 3.14.3-126 - Allow cloud_init create dhclient var files and init_t manage net_conf_t 1/2 Resolves: rhbz#2229726 - Label /usr/libexec/openssh/ssh-pkcs11-helper with ssh_agent_exec_t Resolves: rhbz#2177704 - Allow cloud_init create dhclient var files and init_t manage net_conf_t 2/2 Resolves: rhbz#2229726 - Make insights_client_t an unconfined domain Resolves: rhbz#2225527 - Allow insights-client create all rpm logs with a correct label Resolves: rhbz#2229559 - Allow insights-client manage generic logs Resolves: rhbz#2229559 Zdenek Pytela 2023-08-11 20:39:42 +0200
  • d504b523d0 * Fri Aug 11 2023 Nikola Knazekova <nknazeko@redhat.com> - 38.1.20-1 - Allow user_u and staff_u get attributes of non-security dirs Resolves: rhbz#2215507 - Allow cloud_init create dhclient var files and init_t manage net_conf_t Resolves: rhbz#2225418 - Allow samba-dcerpc service manage samba tmp files Resolves: rhbz#2230365 - Update samba-dcerpc policy for printing Resolves: rhbz#2230365 - Allow sysadm_t run kernel bpf programs Resolves: rhbz#2229936 - allow mon_procd_t self:cap_userns sys_ptrace Resolves: rhbz#2221986 - Remove nsplugin_role from mozilla.if Resolves: rhbz#2221251 - Allow unconfined user filetrans chrome_sandbox_home_t Resolves: rhbz#2187893 - Allow pdns name_bind and name_connect all ports Resolves: rhbz#2047945 - Allow insights-client read and write cluster tmpfs files Resolves: rhbz#2221631 - Allow ipsec read nsfs files Resolves: rhbz#2230277 - Allow upsmon execute upsmon via a helper script Resolves: rhbz#2228403 - Fix labeling for no-stub-resolv.conf Resolves: rhbz#2148390 - Add use_nfs_home_dirs boolean for mozilla_plugin Resolves: rhbz#2214298 - Change wording in /etc/selinux/config Resolves: rhbz#2143153 Nikola Knazekova 2023-08-11 18:37:49 +0200
  • f44c4567b9 Change wording in /etc/selinux/config Nikola Knazekova 2023-08-11 18:32:54 +0200
  • 02754e0832 * Fri Aug 04 2023 Zdenek Pytela <zpytela@redhat.com> - 38.24-1 - Allow rhsmcertd dbus chat with policykit - Allow polkitd execute pkla-check-authorization with nnp transition - Allow user_u and staff_u get attributes of non-security dirs - Allow unconfined user filetrans chrome_sandbox_home_t - Allow svnserve execute postdrop with a transition - Do not make postfix_postdrop_t type an MTA executable file - Allow samba-dcerpc service manage samba tmp files - Add use_nfs_home_dirs boolean for mozilla_plugin - Fix labeling for no-stub-resolv.conf Zdenek Pytela 2023-08-04 19:48:49 +0200
  • 1b1eb8edb4 * Fri Aug 04 2023 Zdenek Pytela <zpytela@redhat.com> - 3.14.3-125 - Allow user_u and staff_u get attributes of non-security dirs Resolves: rhbz#2216151 - Allow unconfined user filetrans chrome_sandbox_home_t 1/2 Resolves: rhbz#2221573 - Allow unconfined user filetrans chrome_sandbox_home_t 2/2 Resolves: rhbz#2221573 - Allow insights-client execmem Resolves: rhbz#2225233 - Allow svnserve execute postdrop with a transition Resolves: rhbz#2004843 - Do not make postfix_postdrop_t type an MTA executable file Resolves: rhbz#2004843 - Allow samba-dcerpc service manage samba tmp files Resolves: rhbz#2210771 - Update samba-dcerpc policy for printing Resolves: rhbz#2210771 Zdenek Pytela 2023-08-04 16:16:26 +0200