8ab4e101e9Limit %selinux_requires to version, not release
Zdenek Pytela
2024-02-14 09:31:56 +0100
0a14f83579* Mon Feb 12 2024 Zdenek Pytela <zpytela@redhat.com> - 40.13-1 - Only allow confined user domains to login locally without unconfined_login - Add userdom_spec_domtrans_confined_admin_users interface - Only allow admindomain to execute shell via ssh with ssh_sysadm_login - Add userdom_spec_domtrans_admin_users interface - Move ssh dyntrans to unconfined inside unconfined_login tunable policy - Update ssh_role_template() for user ssh-agent type - Allow init to inherit system DBus file descriptors - Allow init to inherit fds from syslogd - Allow any domain to inherit fds from rpm-ostree - Update afterburn policy - Allow init_t nnp domain transition to abrtd_t
Zdenek Pytela
2024-02-12 12:26:33 +0100
6dd5c78a95* Tue Feb 06 2024 Zdenek Pytela <zpytela@redhat.com> - 40.12-1 - Rename all /var/lock file context entries to /run/lock - Rename all /var/run file context entries to /run - Invert the "/var/run = /run" equivalency
Zdenek Pytela
2024-02-06 14:20:25 +0100
0ec128677b* Mon Feb 05 2024 Zdenek Pytela <zpytela@redhat.com> - 40.11-1 - Replace init domtrans rule for confined users to allow exec init - Update dbus_role_template() to allow user service status - Allow polkit status all systemd services - Allow setroubleshootd create and use inherited io_uring - Allow load_policy read and write generic ptys - Allow gpg manage rpm cache - Allow login_userdomain name_bind to howl and xmsg udp ports - Allow rules for confined users logged in plasma - Label /dev/iommu with iommu_device_t - Remove duplicate file context entries in /run - Dontaudit getty and plymouth the checkpoint_restore capability - Allow su domains write login records - Revert "Allow su domains write login records" - Allow login_userdomain delete session dbusd tmp socket files - Allow unix dgram sendto between exim processes - Allow su domains write login records - Allow smbd_t to watch user_home_dir_t if samba_enable_home_dirs is on
Zdenek Pytela
2024-02-05 16:57:20 +0100
d620ca1705* Fri Jan 26 2024 Zdenek Pytela <zpytela@redhat.com> - 3.14.3-135 - Label /tmp/libdnf.* with user_tmp_t Resolves: RHEL-11249 - Allow su domains write login records Resolves: RHEL-2606 - Allow gpg read rpm cache Resolves: RHEL-11249 - Allow unix dgram sendto between exim processes Resolves: RHEL-21903 - Allow hypervkvp_t write access to NetworkManager_etc_rw_t Resolves: RHEL-17687 - Add interface for write-only access to NetworkManager rw conf Resolves: RHEL-17687 - Allow conntrackd_t to use sys_admin capability Resolves: RHEL-22276
Zdenek Pytela
2024-01-26 17:47:29 +0100
f9546d9349* Thu Jan 25 2024 Juraj Marcin <jmarcin@redhat.com> - 38.1.31-1 - Allow chronyd-restricted read chronyd key files Resolves: RHEL-18219 - Allow conntrackd_t to use bpf capability2 Resolves: RHEL-22277 - Allow smbd_t to watch user_home_dir_t if samba_enable_home_dirs is on Resolves: RHEL-14735 - Allow hypervkvp_t write access to NetworkManager_etc_rw_t Resolves: RHEL-14505 - Add interface for write-only access to NetworkManager rw conf Resolves: RHEL-14505 - Allow unconfined_domain_type use IORING_OP_URING_CMD on all device nodes Resolves: RHEL-11792
Juraj Marcin
2024-01-25 13:44:44 +0100
443b716de1* Tue Jan 09 2024 Zdenek Pytela <zpytela@redhat.com> - 40.9-1 - Allow systemd-sleep set attributes of efivarfs files - Allow samba-dcerpcd read public files - Allow spamd_update_t the sys_ptrace capability in user namespace - Allow bluetooth devices work with alsa - Allow alsa get attributes filesystems with extended attributes
Zdenek Pytela
2024-01-09 20:59:16 +0100
e46b929e63Limit %selinux_requires to version, not release
Yaakov Selkowitz
2024-01-02 11:15:16 -0500
68923ff3dd* Thu Dec 21 2023 Zdenek Pytela <zpytela@redhat.com> - 40.8-1 - Allow hypervkvp_t write access to NetworkManager_etc_rw_t - Add interface for write-only access to NetworkManager rw conf - Allow systemd-sleep send a message to syslog over a unix dgram socket - Allow init create and use netlink netfilter socket - Allow qatlib load kernel modules - Allow qatlib run lspci - Allow qatlib manage its private runtime socket files - Allow qatlib read/write vfio devices - Label /etc/redis.conf with redis_conf_t - Remove the lockdown-class rules from the policy - Allow init read all non-security socket files - Replace redundant dnsmasq pattern macros - Remove unneeded symlink perms in dnsmasq.if - Add additions to dnsmasq interface - Allow nvme_stas_t create and use netlink kobject uevent socket - Allow collectd connect to statsd port - Allow keepalived_t to use sys_ptrace of cap_userns - Allow dovecot_auth_t connect to postgresql using UNIX socket
Zdenek Pytela
2023-12-21 17:03:58 +0100
c2074133ec* Thu Dec 14 2023 Juraj Marcin <jmarcin@redhat.com> - 38.1.29-1 - Add init_explicit_domain() interface Resolves: RHEL-18219 - Allow dovecot_auth_t connect to postgresql using UNIX socket Resolves: RHEL-16850 - Allow keepalived_t to use sys_ptrace of cap_userns Resolves: RHEL-17156 - Make bootc be install_exec_t Resolves: RHEL-19199 - Add support for chronyd-restricted Resolves: RHEL-18219 - Label /dev/vas with vas_device_t Resolves: RHEL-17336 - Allow gpsd use /dev/gnss devices Resolves: RHEL-16676 - Allow sendmail manage its runtime files Resolves: RHEL-15175 - Add support for syslogd unconfined scripts Resolves: RHEL-11174
Juraj Marcin
2023-12-14 14:17:21 +0100
575be8bea0Add /bin = /usr/bin file context equivalency
Juraj Marcin
2023-12-13 15:26:43 +0100
701a31705cAdd /bin = /usr/bin file context equivalency
Juraj Marcin
2023-12-13 15:26:43 +0100
bbcf1324a4* Wed Dec 13 2023 Zdenek Pytela <zpytela@redhat.com> - 3.14.3-133 - Label /dev/acpi_thermal_rel char device with acpi_device_t Resolves: RHEL-18027 - Allow sysadm execute traceroute in sysadm_t domain using sudo Resolves: RHEL-9947 - Allow sysadm execute tcpdump in sysadm_t domain using sudo Resolves: RHEL-15398 - Add support for syslogd unconfined scripts Resolves: RHEL-10087 - Label /dev/wmi/dell-smbios as acpi_device_t Resolves: RHEL-18027 - Make named_zone_t and named_var_run_t a part of the mountpoint attribute Resolves: RHEL-1954 - Dontaudit rhsmcertd write memory device Resolves: RHEL-17721
Zdenek Pytela
2023-12-13 16:34:09 +0100
df4c66da89* Wed Dec 13 2023 Zdenek Pytela <zpytela@redhat.com> - 40.7-1 - Make named_zone_t and named_var_run_t a part of the mountpoint attribute - Allow sysadm execute traceroute in sysadm_t domain using sudo - Allow sysadm execute tcpdump in sysadm_t domain using sudo - Allow opafm search nfs directories - Add support for syslogd unconfined scripts - Allow gpsd use /dev/gnss devices - Allow gpg read rpm cache - Allow virtqemud additional permissions - Allow virtqemud manage its private lock files - Allow virtqemud use the io_uring api - Allow ddclient send e-mail notifications - Allow postfix_master_t map postfix data files - Allow init create and use vsock sockets - Allow thumb_t append to init unix domain stream sockets - Label /dev/vas with vas_device_t - Change domain_kernel_load_modules boolean to true - Create interface selinux_watch_config and add it to SELinux users
Zdenek Pytela
2023-12-13 16:42:42 +0100
a53a4197a0* Thu Nov 30 2023 Juraj Marcin <jmarcin@redhat.com> - 38.1.28-1 - Create interface selinux_watch_config and add it to SELinux users Resolves: RHEL-1555 - Allow winbind_rpcd_t processes access when samba_export_all_* is on Resolves: RHEL-16273 - Allow samba-dcerpcd connect to systemd_machined over a unix socket Resolves: RHEL-16273 - Allow winbind-rpcd make a TCP connection to the ldap port Resolves: RHEL-16273 - Allow sudodomain read var auth files Resolves: RHEL-16708 - Allow auditd read all domains process state Resolves: RHEL-14285 - Allow rsync read network sysctls Resolves: RHEL-14638 - Add dhcpcd bpf capability to run bpf programs Resolves: RHEL-15326 - Allow systemd-localed create Xserver config dirs Resolves: RHEL-16716 - Label /var/run/tmpfiles.d/static-nodes.conf with kmod_var_run_t Resolves: RHEL-1553 - Update sendmail policy module for opensmtpd Resolves: RHEL-15175
Juraj Marcin
2023-11-30 11:37:06 +0100
83b950022b* Tue Nov 28 2023 Zdenek Pytela <zpytela@redhat.com> - 3.14.3-132 - Allow sudodomain read var auth files Resolves: RHEL-16567 - Update cifs interfaces to include fs_search_auto_mountpoints() Resolves: RHEL-14072 - Allow systemd-localed create Xserver config dirs Resolves: RHEL-16715 - Label /var/run/auditd.state as auditd_var_run_t Resolves: RHEL-14376 - Allow auditd read all domains process state Resolves: RHEL-14471 - Allow sudo userdomain to run rpm related commands Resolves: RHEL-1679 - Remove insights_client_watch_lib_dirs() interface Resolves: RHEL-16185
Zdenek Pytela
2023-11-28 14:43:30 +0100
ce3921683b* Tue Nov 28 2023 Zdenek Pytela <zpytela@redhat.com> - 40.6-1 - Add afterburn to modules-targeted-contrib.conf - Update cifs interfaces to include fs_search_auto_mountpoints() - Allow sudodomain read var auth files - Allow spamd_update_t read hardware state information - Allow virtnetworkd domain transition on tc command execution - Allow sendmail MTA connect to sendmail LDA - Allow auditd read all domains process state - Allow rsync read network sysctls - Add dhcpcd bpf capability to run bpf programs - Dontaudit systemd-hwdb dac_override capability - Allow systemd-sleep create efivarfs files
Zdenek Pytela
2023-11-28 15:43:25 +0100
bced996a06Add afterburn to modules-targeted-contrib.conf
Juraj Marcin
2023-11-14 14:03:04 +0100
4715f116ff* Tue Nov 14 2023 Juraj Marcin <jmarcin@redhat.com> - 38.1.27-1 - Remove glusterd module Resolves: RHEL-1548 - Improve default file context(None) of /var/lib/authselect/backups Resolves: RHEL-15220 - Set default file context of /var/lib/authselect/backups to <<none>> Resolves: RHEL-15220 - Create policy for afterburn Resolves: RHEL-12591 - Allow unconfined_domain_type use io_uring cmd on domain Resolves: RHEL-11792 - Add policy for coreos installer Resovles: RHEL-5164 - Add policy for nvme-stas Resolves: RHEL-1557 - Label /var/run/auditd.state as auditd_var_run_t Resolves: RHEL-14374 - Allow ntp to bind and connect to ntske port. Resolves: RHEL-15085 - Allow ip an explicit domain transition to other domains Resolves: RHEL-14246 - Label /usr/libexec/selinux/selinux-autorelabel with semanage_exec_t Resolves: RHEL-14289 - Allow sssd domain transition on passkey_child execution conditionally Resolves: RHEL-14014 - Allow sssd use usb devices conditionally Resolves: RHEL-14014 - Allow kdump create and use its memfd: objects Resolves: RHEL-14413
Juraj Marcin
2023-11-14 19:35:13 +0100
dbd1e9f272Remove glusterd from modules-targeted-*.conf
Juraj Marcin
2023-11-14 19:25:45 +0100
13b73ff37aAdd afterburn to modules-targeted-contrib.conf
Juraj Marcin
2023-11-14 14:03:04 +0100
04adb244eeAdd coreos_installer to modules-targeted-contrib.conf
Zdenek Pytela
2023-10-18 11:41:18 +0200
eccb49870aAdd nvme_stas to modules-targeted-contrib.conf
Zdenek Pytela
2023-10-17 20:58:06 +0200
648853f428* Tue Nov 14 2023 Zdenek Pytela <zpytela@redhat.com> - 40.5-1 - Allow map xserver_tmpfs_t files when xserver_clients_write_xshm is on - Allow graphical applications work in Wayland - Allow kdump work with PrivateTmp - Allow dovecot-auth work with PrivateTmp - Allow nfsd get attributes of all filesystems - Allow unconfined_domain_type use io_uring cmd on domain - ci: Only run Rawhide revdeps tests on the rawhide branch - Label /var/run/auditd.state as auditd_var_run_t - Allow fido-device-onboard (FDO) read the crack database - Allow ip an explicit domain transition to other domains - Label /usr/libexec/selinux/selinux-autorelabel with semanage_exec_t - Allow winbind_rpcd_t processes access when samba_export_all_* is on - Enable NetworkManager and dhclient to use initramfs-configured DHCP connection - Allow ntp to bind and connect to ntske port. - Allow system_mail_t manage exim spool files and dirs - Dontaudit keepalived setattr on keepalived_unconfined_script_exec_t - Label /run/pcsd.socket with cluster_var_run_t - ci: Run cockpit tests in PRs
Zdenek Pytela
2023-11-14 20:38:51 +0100
f8347e3b30fix the sequence of script commands
Milos Malik
2023-11-09 08:08:39 +0100
5db7d069a4fix the sequence of script commands
Milos Malik
2023-11-09 07:00:01 +0100
e756dec2b1* Wed Nov 08 2023 Zdenek Pytela <zpytela@redhat.com> - 3.14.3-131 - Additional permissions for ip-vrf Resolves: RHEL-9981 - Allow ip an explicit domain transition to other domains Resolves: RHEL-9981 - Allow winbind_rpcd_t processes access when samba_export_all_* is on Resolves: RHEL-5845 - Allow system_mail_t manage exim spool files and dirs Resolves: RHEL-14186
Zdenek Pytela
2023-11-08 12:13:14 +0100
6fbdf6352dAdd the virt_supplementary module to modules-targeted-contrib.conf
Zdenek Pytela
2023-10-10 10:48:45 +0200
2bde33920c* Tue Oct 10 2023 Zdenek Pytela <zpytela@redhat.com> - 40.2-1 - Make new virt drivers permissive - Split virt policy, introduce virt_supplementary module - Allow apcupsd cgi scripts read /sys - Merge pull request #1893 from WOnder93/more-early-boot-overlay-fixes - Allow kernel_t to manage and relabel all files - Add missing optional_policy() to files_relabel_all_files()
Zdenek Pytela
2023-10-10 10:47:42 +0200
995481ca80* Tue Oct 03 2023 Zdenek Pytela <zpytela@redhat.com> - 40.1-1 - Allow named and ndc use the io_uring api - Deprecate common_anon_inode_perms usage - Improve default file context(None) of /var/lib/authselect/backups - Allow udev_t to search all directories with a filesystem type - Implement proper anon_inode support - Allow targetd write to the syslog pid sock_file - Add ipa_pki_retrieve_key_exec() interface - Allow kdumpctl_t to list all directories with a filesystem type - Allow udev additional permissions - Allow udev load kernel module - Allow sysadm_t to mmap modules_object_t files - Add the unconfined_read_files() and unconfined_list_dirs() interfaces - Set default file context of HOME_DIR/tmp/.* to <<none>> - Allow kernel_generic_helper_t to execute mount(1)
Zdenek Pytela
2023-10-03 21:48:58 +0200
1826d51b0d* Wed Oct 04 2023 Lukas Vrabec <lvrabec@redhat.com> - 3.14.3-130 - Label msmtp and msmtpd with sendmail_exec_t Resolves: RHEL-1678 - Set default file context of HOME_DIR/tmp/.* to <<none>> Resolves: RHEL-1099 - Improve default file context(None) of /var/lib/authselect/backups Resolves: RHEL-3539
Lukas Vrabec
2023-10-04 13:12:59 +0200
11c92f5ea8* Fri Sep 29 2023 Zdenek Pytela <zpytela@redhat.com> - 38.29-1 - Allow sssd send SIGKILL to passkey_child running in ipa_otpd_t - Allow systemd-localed create Xserver config dirs - Allow sssd read symlinks in /etc/sssd - Label /dev/gnss[0-9] with gnss_device_t - Allow systemd-sleep read/write efivarfs variables - ci: Fix version number of packit generated srpms - Dontaudit rhsmcertd write memory device - Allow ssh_agent_type create a sockfile in /run/user/USERID - Set default file context of /var/lib/authselect/backups to <<none>> - Allow prosody read network sysctls - Allow cupsd_t to use bpf capability
Zdenek Pytela
2023-09-29 20:49:14 +0200
728deb0464* Fri Sep 29 2023 Lukas Vrabec <lvrabec@redhat.com> - 3.14.3-129 - Set default file context of /var/lib/authselect/backups to <<none>> Resolves: RHEL-3539 - Add file context specification for /usr/libexec/realmd Resolves: RHEL-2147 - Add numad the ipc_owner capability Resolves: RHEL-2415
Lukas Vrabec
2023-09-29 14:50:40 +0200
8f1dc2715d* Fri Sep 29 2023 Juraj Marcin <jmarcin@redhat.com> - 38.1.24-1 - Allow cupsd_t to use bpf capability Resolves: RHEL-3633 - Label /dev/gnss[0-9] with gnss_device_t Resolves: RHEL-9936 - Dontaudit rhsmcertd write memory device Resolves: RHEL-1547
Juraj Marcin
2023-09-29 16:03:24 +0200
dbf07eba2dUpdate source branches to build a new package for RHEL 9.4.0 Resolves: RHEL-1547
Juraj Marcin
2023-09-29 20:20:48 +0200
16fcf3610b* Thu Aug 31 2023 Zdenek Pytela <zpytela@redhat.com> - 38.27-1 - Allow fedora-third-party get generic filesystem attributes - Allow sssd use usb devices conditionally - Update policy for qatlib - Allow ssh_agent_type manage generic cache home files
Zdenek Pytela
2023-08-31 22:03:34 +0200
33abfa2432* Fri Aug 25 2023 Nikola Knazekova <nknazeko@redhat.com> - 38.1.23-1 - Allow cups-pdf connect to the system log service Resolves: rhbz#2234765 - Update policy for qatlib Resolves: rhbz#2080443
Nikola Knazekova
2023-08-25 21:11:09 +0200
42961943f5* Thu Aug 24 2023 Zdenek Pytela <zpytela@redhat.com> - 38.26-1 - Change file transition for systemd-network-generator - Additional support for gnome-initial-setup - Update gnome-initial-setup policy for geoclue - Allow openconnect vpn open vhost net device - Allow cifs.upcall to connect to SSSD also through the /var/run socket - Grant cifs.upcall more required capabilities - Allow xenstored map xenfs files - Update policy for fdo - Allow keepalived watch var_run dirs - Allow svirt to rw /dev/udmabuf - Allow qatlib to modify hardware state information. - Allow key.dns_resolve connect to avahi over a unix stream socket - Allow key.dns_resolve create and use unix datagram socket - Use quay.io as the container image source for CI
Zdenek Pytela
2023-08-24 21:17:38 +0200
80c07f8e7b* Thu Aug 24 2023 Nikola Knazekova <nknazeko@redhat.com> - 38.1.22-1 - Allow qatlib to modify hardware state information. Resolves: rhbz#2080443 - Update policy for fdo Resolves: rhbz#2229722 - Allow gpsd, oddjob and oddjob_mkhomedir_t write user_tty_device_t chr_file Resolves: rhbz#2223305 - Allow svirt to rw /dev/udmabuf Resolves: rhbz#2223727 - Allow keepalived watch var_run dirs Resolves: rhbz#2186759
Nikola Knazekova
2023-08-24 16:07:28 +0200
dfa70ba52b* Thu Aug 17 2023 Nikola Knazekova <nknazeko@redhat.com> - 38.1.21-1 - Allow logrotate_t to map generic files in /etc Resolves: rhbz#2231257 - Allow insights-client manage user temporary files Resolves: rhbz#2224737 - Make insights_client_t an unconfined domain Resolves: rhbz#2225526
Nikola Knazekova
2023-08-17 16:29:24 +0200
ef4e39e85f* Thu Aug 17 2023 Zdenek Pytela <zpytela@redhat.com> - 3.14.3-127 - Allow cloud_init create dhclient var files and init_t manage net_conf_t 3 Resolves: rhbz#2229726
Zdenek Pytela
2023-08-17 13:47:08 +0200
314088eca9* Fri Aug 11 2023 Zdenek Pytela <zpytela@redhat.com> - 38.25-1 - ci: Move srpm/rpm build to packit - .copr: Avoid subshell and changing directory - Allow gpsd, oddjob and oddjob_mkhomedir_t write user_tty_device_t chr_file - Label /usr/libexec/openssh/ssh-pkcs11-helper with ssh_agent_exec_t - Make insights_client_t an unconfined domain - Allow insights-client manage user temporary files - Allow insights-client create all rpm logs with a correct label - Allow insights-client manage generic logs - Allow cloud_init create dhclient var files and init_t manage net_conf_t - Allow insights-client read and write cluster tmpfs files - Allow ipsec read nsfs files - Make tuned work with mls policy - Remove nsplugin_role from mozilla.if - allow mon_procd_t self:cap_userns sys_ptrace - Allow pdns name_bind and name_connect all ports - Set the MLS range of fsdaemon_t to s0 - mls_systemhigh - ci: Move to actions/checkout@v3 version - .copr: Replace chown call with standard workflow safe.directory setting - .copr: Enable set -u for robustness - .copr: Simplify root directory variable
Zdenek Pytela
2023-08-11 23:48:28 +0200
29d572116d* Fri Aug 11 2023 Zdenek Pytela <zpytela@redhat.com> - 3.14.3-126 - Allow cloud_init create dhclient var files and init_t manage net_conf_t 1/2 Resolves: rhbz#2229726 - Label /usr/libexec/openssh/ssh-pkcs11-helper with ssh_agent_exec_t Resolves: rhbz#2177704 - Allow cloud_init create dhclient var files and init_t manage net_conf_t 2/2 Resolves: rhbz#2229726 - Make insights_client_t an unconfined domain Resolves: rhbz#2225527 - Allow insights-client create all rpm logs with a correct label Resolves: rhbz#2229559 - Allow insights-client manage generic logs Resolves: rhbz#2229559
Zdenek Pytela
2023-08-11 20:39:42 +0200
d504b523d0* Fri Aug 11 2023 Nikola Knazekova <nknazeko@redhat.com> - 38.1.20-1 - Allow user_u and staff_u get attributes of non-security dirs Resolves: rhbz#2215507 - Allow cloud_init create dhclient var files and init_t manage net_conf_t Resolves: rhbz#2225418 - Allow samba-dcerpc service manage samba tmp files Resolves: rhbz#2230365 - Update samba-dcerpc policy for printing Resolves: rhbz#2230365 - Allow sysadm_t run kernel bpf programs Resolves: rhbz#2229936 - allow mon_procd_t self:cap_userns sys_ptrace Resolves: rhbz#2221986 - Remove nsplugin_role from mozilla.if Resolves: rhbz#2221251 - Allow unconfined user filetrans chrome_sandbox_home_t Resolves: rhbz#2187893 - Allow pdns name_bind and name_connect all ports Resolves: rhbz#2047945 - Allow insights-client read and write cluster tmpfs files Resolves: rhbz#2221631 - Allow ipsec read nsfs files Resolves: rhbz#2230277 - Allow upsmon execute upsmon via a helper script Resolves: rhbz#2228403 - Fix labeling for no-stub-resolv.conf Resolves: rhbz#2148390 - Add use_nfs_home_dirs boolean for mozilla_plugin Resolves: rhbz#2214298 - Change wording in /etc/selinux/config Resolves: rhbz#2143153
Nikola Knazekova
2023-08-11 18:37:49 +0200
f44c4567b9Change wording in /etc/selinux/config
Nikola Knazekova
2023-08-11 18:32:54 +0200
02754e0832* Fri Aug 04 2023 Zdenek Pytela <zpytela@redhat.com> - 38.24-1 - Allow rhsmcertd dbus chat with policykit - Allow polkitd execute pkla-check-authorization with nnp transition - Allow user_u and staff_u get attributes of non-security dirs - Allow unconfined user filetrans chrome_sandbox_home_t - Allow svnserve execute postdrop with a transition - Do not make postfix_postdrop_t type an MTA executable file - Allow samba-dcerpc service manage samba tmp files - Add use_nfs_home_dirs boolean for mozilla_plugin - Fix labeling for no-stub-resolv.conf
Zdenek Pytela
2023-08-04 19:48:49 +0200
1b1eb8edb4* Fri Aug 04 2023 Zdenek Pytela <zpytela@redhat.com> - 3.14.3-125 - Allow user_u and staff_u get attributes of non-security dirs Resolves: rhbz#2216151 - Allow unconfined user filetrans chrome_sandbox_home_t 1/2 Resolves: rhbz#2221573 - Allow unconfined user filetrans chrome_sandbox_home_t 2/2 Resolves: rhbz#2221573 - Allow insights-client execmem Resolves: rhbz#2225233 - Allow svnserve execute postdrop with a transition Resolves: rhbz#2004843 - Do not make postfix_postdrop_t type an MTA executable file Resolves: rhbz#2004843 - Allow samba-dcerpc service manage samba tmp files Resolves: rhbz#2210771 - Update samba-dcerpc policy for printing Resolves: rhbz#2210771
Zdenek Pytela
2023-08-04 16:16:26 +0200
32396fb0bc* Thu Aug 03 2023 Nikola Knazekova <nknazeko@redhat.com> - 38.1.19-1 - Allow qatlib to read sssd public files Resolves: rhbz#2080443 - Fix location for /run/nsd Resolves: rhbz#2181600 - Allow samba-rpcd work with passwords Resolves: rhbz#2107092 - Allow rpcd_lsad setcap and use generic ptys Resolves: rhbz#2107092 - Allow gpsd,oddjob,oddjob_mkhomedir rw user domain pty Resolves: rhbz#2223305 - Allow keepalived to manage its tmp files Resolves: rhbz#2179212 - Allow nscd watch system db dirs Resolves: rhbz#2152124
Nikola Knazekova
2023-08-03 20:10:18 +0200
c618bb9f5d* Wed Aug 02 2023 Zdenek Pytela <zpytela@redhat.com> - 38.23-1 - Revert "Allow winbind-rpcd use its private tmp files" - Allow upsmon execute upsmon via a helper script - Allow openconnect vpn read/write inherited vhost net device - Allow winbind-rpcd use its private tmp files - Update samba-dcerpc policy for printing - Allow gpsd,oddjob,oddjob_mkhomedir rw user domain pty - Allow nscd watch system db dirs - Allow qatlib to read sssd public files - Allow fedora-third-party read /sys and proc - Allow systemd-gpt-generator mount a tmpfs filesystem - Allow journald write to cgroup files - Allow rpc.mountd read network sysctls - Allow blueman read the contents of the sysfs filesystem - Allow logrotate_t to map generic files in /etc - Boolean: Allow virt_qemu_ga create ssh directory
Zdenek Pytela
2023-08-02 21:26:24 +0200
1969a71055* Fri Jul 21 2023 Zdenek Pytela <zpytela@redhat.com> - 38.22-1 - Allow systemd-network-generator send system log messages - Dontaudit the execute permission on sock_file globally - Allow fsadm_t the file mounton permission - Allow named and ndc the io_uring sqpoll permission - Allow sssd io_uring sqpoll permission - Fix location for /run/nsd - Allow qemu-ga get fixed disk devices attributes - Update bitlbee policy - Label /usr/sbin/sos with sosreport_exec_t - Update policy for the sblim-sfcb service - Add the files_getattr_non_auth_dirs() interface - Fix the CI to work with DNF5
Zdenek Pytela
2023-07-21 18:02:15 +0200
ebddc59c06* Fri Jul 21 2023 Nikola Knazekova <nknazeko@redhat.com> - 38.1.18-1 - Boolean: Allow virt_qemu_ga create ssh directory Resolves: rhbz#2181402 - Allow virt_qemu_ga_t create .ssh dir with correct label Resolves: rhbz#2181402 - Set default ports for keylime policy Resolves: RHEL-594 - Allow unconfined service inherit signal state from init Resolves: rhbz#2186233 - Allow sa-update connect to systemlog services Resolves: rhbz#2220643 - Allow sa-update manage spamc home files Resolves: rhbz#2220643 - Label only /usr/sbin/ripd and ripngd with zebra_exec_t Resolves: rhbz#2213605 - Add the files_getattr_non_auth_dirs() interface Resolves: rhbz#2076933 - Update policy for the sblim-sfcb service Resolves: rhbz#2076933 - Define equivalency for /run/systemd/generator.early Resolves: rhbz#2213516
Nikola Knazekova
2023-07-21 16:40:49 +0200
4004f169e9Define equivalency for /run/systemd/generator.early
Zdenek Pytela
2023-07-13 21:41:25 +0200
edd3ad31f7* Thu Jul 20 2023 Zdenek Pytela <zpytela@redhat.com> - 3.14.3-124 - Add the files_getattr_non_auth_dirs() interface Resolves: rhbz#2076937 - Update policy for the sblim-sfcb service Resolves: rhbz#2076937 - Dontaudit sfcbd sys_ptrace cap_userns Resolves: rhbz#2076937 - Label /usr/sbin/sos with sosreport_exec_t Resolves: rhbz#2167731 - Allow sa-update manage spamc home files Resolves: rhbz#2222200 - Allow sa-update connect to systemlog services Resolves: rhbz#2222200 - Label /usr/lib/systemd/system/mimedefang.service with antivirus_unit_file_t Resolves: rhbz#2222200
Zdenek Pytela
2023-07-20 17:52:48 +0200
3861cc6854* Thu Jul 13 2023 Zdenek Pytela <zpytela@redhat.com> - 38.21-1 - Make systemd_tmpfiles_t MLS trusted for lowering the level of files - Revert "Allow insights client map cache_home_t" - Allow nfsidmapd connect to systemd-machined over a unix socket - Allow snapperd connect to kernel over a unix domain stream socket - Allow virt_qemu_ga_t create .ssh dir with correct label - Allow targetd read network sysctls - Set the abrt_handle_event boolean to on - Permit kernel_t to change the user identity in object contexts - Allow insights client map cache_home_t - Label /usr/sbin/mariadbd with mysqld_exec_t - Trim changelog so that it starts at F37 time - Define equivalency for /run/systemd/generator.early
Zdenek Pytela
2023-07-13 22:29:20 +0200
59a0d615a7Trim changelog so that it starts at F37 time
Zdenek Pytela
2023-07-13 21:43:45 +0200
1ade1aa864Define equivalency for /run/systemd/generator.early
Zdenek Pytela
2023-07-13 21:41:25 +0200
914941a2d8* Thu Jun 29 2023 Nikola Knazekova <nknazeko@redhat.com> - 38.1.17-1 - Add the qatlib module Resolves: rhbz#2080443 - Add the fdo module Resolves: rhbz#2026795 - Add the booth module to modules.conf Resolves: rhbz#2128833
Nikola Knazekova
2023-06-29 16:21:48 +0200
d02fad6b26Add the qatlib module
Zdenek Pytela
2023-06-27 15:26:02 +0200
30ffa3999cAdd the fdo module
Zdenek Pytela
2023-06-27 15:23:13 +0200
17816ad3ccAdd the booth module to modules.conf
Zdenek Pytela
2023-05-26 22:23:01 +0200
01e007e93dExclude container-selinux manpage from selinux-policy-doc
Zdenek Pytela
2023-06-29 00:18:35 +0200
23e1dd29b9* Thu Jun 29 2023 Zdenek Pytela <zpytela@redhat.com> - 3.14.3-123 - Label only /usr/sbin/ripd and ripngd with zebra_exec_t Resolves: rhbz#2213606 - Allow httpd tcp connect to redis port conditionally Resolves: rhbz#2213965 - Exclude container-selinux manpage from selinux-policy-doc Resolves: rhbz#2218362
Zdenek Pytela
2023-06-29 12:37:59 +0200
3217953fb6* Thu Jun 29 2023 Zdenek Pytela <zpytela@redhat.com> - 38.20-1 - Allow httpd tcp connect to redis port conditionally - Label only /usr/sbin/ripd and ripngd with zebra_exec_t - Dontaudit aide the execmem permission - Remove permissive from fdo - Allow sa-update manage spamc home files - Allow sa-update connect to systemlog services - Label /usr/lib/systemd/system/mimedefang.service with antivirus_unit_file_t - Allow nsd_crond_t write nsd_var_run_t & connectto nsd_t - Allow bootupd search EFI directory
Zdenek Pytela
2023-06-29 11:47:37 +0200
1e0560a070* Thu Jun 29 2023 Nikola Knazekova <nknazeko@redhat.com> - 38.1.16-1 - Remove permissive from fdo Resolves: rhbz#2026795 - Add the qatlib module Resolves: rhbz#2080443 - Add the fdo module Resolves: rhbz#2026795 - Add the booth module to modules.conf Resolves: rhbz#2128833 - Add policy for FIDO Device Onboard Resolves: rhbz#2026795 - Create policy for qatlib Resolves: rhbz#2080443 - Add policy for boothd Resolves: rhbz#2128833 - Add list_dir_perms to kerberos_read_keytab Resolves: rhbz#2112729 - Allow nsd_crond_t write nsd_var_run_t & connectto nsd_t Resolves: rhbz#2209973 - Allow collectd_t read network state symlinks Resolves: rhbz#2209650 - Revert "Allow collectd_t read proc_net link files" Resolves: rhbz#2209650 - Allow insights-client execmem Resolves: rhbz#2207894 - Label udf tools with fsadm_exec_t Resolves: rhbz#2039774
Nikola Knazekova
2023-06-29 11:15:17 +0200
0a1d561fed* Tue Jun 27 2023 Zdenek Pytela <zpytela@redhat.com> - 38.19-1 - Change init_audit_control default value to true - Allow nfsidmapd connect to systemd-userdbd with a unix socket - Add the qatlib module - Add the fdo module - Add the bootupd module - Set default ports for keylime policy - Create policy for qatlib - Add policy for FIDO Device Onboard - Add policy for bootupd - Add the qatlib module - Add the fdo module - Add the bootupd module
Zdenek Pytela
2023-06-27 20:40:11 +0200
33df875935Add the qatlib module
Zdenek Pytela
2023-06-27 15:28:13 +0200
1726cd56f8Add the fdo module
Zdenek Pytela
2023-06-27 15:27:59 +0200
fcf01bf48fAdd the bootupd module
Zdenek Pytela
2023-06-27 15:27:42 +0200
ca2263f358* Sun Jun 25 2023 Zdenek Pytela <zpytela@redhat.com> - 38.18-1 - Add support for kafs-dns requested by keyutils - Allow insights-client execmem - Add support for chronyd-restricted - Add init_explicit_domain() interface - Allow fsadm_t to get attributes of cgroup filesystems - Add list_dir_perms to kerberos_read_keytab - Label /var/run/tmpfiles.d/static-nodes.conf with kmod_var_run_t - Allow sendmail manage its runtime files - Allow keyutils_dns_resolver_exec_t be an entrypoint - Allow collectd_t read network state symlinks - Revert "Allow collectd_t read proc_net link files" - Allow nfsd_t to list exports_t dirs - Allow cupsd dbus chat with xdm - Allow haproxy read hardware state information - Add the kafs module
Zdenek Pytela
2023-06-25 13:08:51 +0200
d71412e8adAdd the kafs module
Zdenek Pytela
2023-06-23 17:09:10 +0200
ca4271f5cc* Thu Jun 15 2023 Zdenek Pytela <zpytela@redhat.com> - 38.1.15-1 - Add fs_delete_pstore_files() interface Resolves: rhbz#2181565 - Add fs_read_pstore_files() interface Resolves: rhbz#2181565 - Allow insights-client getsession process permission Resolves: rhbz#2214581 - Allow insights-client work with pipe and socket tmp files Resolves: rhbz#2214581 - Allow insights-client map generic log files Resolves: rhbz#2214581 - Allow insights-client read unconfined service semaphores Resolves: rhbz#2214581 - Allow insights-client get quotas of all filesystems Resolves: rhbz#2214581 - Allow haproxy read hardware state information Resolves: rhbz#2164691 - Allow cupsd dbus chat with xdm Resolves: rhbz#2143641 - Allow dovecot_deliver_t create/map dovecot_spool_t dir/file Resolves: rhbz#2165863 - Add none file context for polyinstantiated tmp dirs Resolves: rhbz#2099194 - Add support for the systemd-pstore service Resolves: rhbz#2181565 - Label /dev/userfaultfd with userfaultfd_t Resolves: rhbz#2175290 - Allow collectd_t read proc_net link files Resolves: rhbz#2209650 - Label smtpd with sendmail_exec_t Resolves: rhbz#2213573 - Label msmtp and msmtpd with sendmail_exec_t Resolves: rhbz#2213573 - Allow dovecot-deliver write to the main process runtime fifo files Resolves: rhbz#2211787 - Allow subscription-manager execute ip Resolves: rhbz#2211566 - Allow ftpd read network sysctls Resolves: rhbz#2175856
Zdenek Pytela
2023-06-15 21:48:19 +0200
289f477398* Thu Jun 15 2023 Nikola Knazekova <nknazeko@redhat.com> - 3.14.3-122 - Update cyrus_stream_connect() to use sockets in /run Resolves: rhbz#2165752 - Allow insights-client map generic log files Resolves: rhbz#2214572 - Allow insights-client work with pipe and socket tmp files Resolves: rhbz#2207819 - Allow insights-client getsession process permission Resolves: rhbz#2207819 - Allow keepalived to manage its tmp files Resolves: rhbz#2179335
Nikola Knazekova
2023-06-15 19:06:04 +0200
38fd9a9006* Thu Jun 15 2023 Zdenek Pytela <zpytela@redhat.com> - 38.17-1 - Label /dev/userfaultfd with userfaultfd_t - Allow blueman send general signals to unprivileged user domains - Allow dkim-milter domain transition to sendmail - Label /usr/sbin/cifs.idmap with cifs_helper_exec_t - Allow cifs-helper read sssd kerberos configuration files - Allow rpm_t sys_admin capability - Allow dovecot_deliver_t create/map dovecot_spool_t dir/file - Allow collectd_t read proc_net link files - Allow insights-client getsession process permission - Allow insights-client work with pipe and socket tmp files - Allow insights-client map generic log files - Update cyrus_stream_connect() to use sockets in /run - Allow keyutils-dns-resolver read/view kernel key ring - Label /var/log/kdump.log with kdump_log_t
Zdenek Pytela
2023-06-15 11:13:58 +0200
Zdenek Pytela
eabdullin
Juraj Marcin
Yaakov Selkowitz
Juraj Marcin
Milos Malik
Lukas Vrabec
Nikola Knazekova
Fedora Release Engineering
Andrew Lukoshko