* Tue Apr 15 2025 Zdenek Pytela <zpytela@redhat.com> - 40.13.29-1 - Revert "Dontaudit access of virt-related permissive domains" Resolves: RHEL-79833 - Remove permissive domains Resolves: RHEL-82672 * Tue Apr 08 2025 Zdenek Pytela <zpytela@redhat.com> - 40.13.28-1 - Change path of tuned and tuned-ppd to /usr/sbin Resolves: RHEL-69450 - Update the pcmsensor policy Resolves: RHEL-80452 - Allow dovecot-deliver read mail aliases Resolves: RHEL-80153 - Allow boothd connect to systemd-machined over a unix socket Resolves: RHEL-75471 - Allow chronyd-restricted sendto to chronyc Resolves: RHEL-82299 - Allow chronyc sendto to chronyd-restricted Resolves: RHEL-82299 - Allow cifs.idmap helper to set attributes on kernel keys Resolves: RHEL-83921 - Remove ktls from modules-filtered.lst Resolves: RHEL-74424 * Mon Mar 31 2025 Zdenek Pytela <zpytela@redhat.com> - 40.13.27-1 - Allow afterburn to mount and read config drives Resolves: RHEL-82120 - Update afterburn file transition policy Resolves: RHEL-82120 - Label /run/metadata with afterburn_runtime_t Resolves: RHEL-82120 - Allow afterburn list ssh home directory Resolves: RHEL-82120 - Confine tuned-ppd Resolves: RHEL-69450 - Update ktls policy Resolves: RHEL-74424 - Add the switcheroo module Resolves: RHEL-83267 - Update switcheroo policy Resolves: RHEL-83267 - Confine the switcheroo-control service Resolves: RHEL-83267 * Mon Feb 17 2025 Zdenek Pytela <zpytela@redhat.com> - 40.13.26-1 - Rename winbind_rpcd_* types to samba_dcerpcd_* Resolves: RHEL-14759 - Allow samba-dcerpcd work with ctdb cluster Resolves: RHEL-14759 - Revert "Remove socket from unconfined_domain_type allow rule" Resolves: RHEL-77327 - Dontaudit access of virt-related permissive domains Resolves: RHEL-77808 - Add selinux_requires_min macro Resolves: RHEL-54715 - Filter out EPEL related modules Resolves: RHEL-73505 * Thu Feb 06 2025 Zdenek Pytela <zpytela@redhat.com> - 40.13.25-1 - Update ktlshd policy to read /proc/keys and domain keyrings Resolves: RHEL-42672 - Allow pcmsensor read nmi_watchdog state information Resolves: RHEL-52838 - Support peer-to-peer migration of vms using ssh Resolves: RHEL-77351 - Allow virt_domain read hardware state information unconditionally Resolves: RHEL-71270 - Allow timemaster write to sysfs files Resolves: RHEL-44637 - Allow virtqemud map svirt_image_t plain files Resolves: RHEL-40080 - Allow virtqemud unmount a filesystem with extended attributes Resolves: RHEL-40080 - Allow virtqemud work with nvdimm devices Resolves: RHEL-71656 - Update virtqemud policy regarding the svirt_tcg_t domain Resolves: RHEL-71270 - Allow virtqemud use hostdev usb devices conditionally Resolves: RHEL-74230 - Support saving and restoring a VM to/from a block device Resolves: RHEL-76138 - Allow virtnwfilterd dbus chat with firewalld Resolves: RHEL-76138 - Allow virt_domain to use pulseaudio - conditional Resolves: RHEL-62763 - Allow virtstoraged write to sysfs files Resolves: RHEL-44637 - Allow irqbalance to run unconfined scripts conditionally Resolves: RHEL-54019 - Allow rhsmcertd notify virt-who Resolves: RHEL-77114 - Allow init mounton crypto sysctl files Resolves: RHEL-56250 * Mon Jan 27 2025 Zdenek Pytela <zpytela@redhat.com> - 40.13.24-1 - Allow systemd-generator connect to syslog over a unix datagram socket Resolves: RHEL-75879 - Allow ssh_t to change role to system_r Resolves: RHEL-53972 - Allow virtnodedev create /etc/mdevctl.d/scripts.d with bin_t type Resolves: RHEL-39893 - Allow virtqemud manage fixed disk device nodes Resolves: RHEL-71656 - Allow samba-bgqd connect to cupsd over an unix domain stream socket Resolves: RHEL-72861 - Allow systemd-machined read the vsock device Resolves: RHEL-74280 - Allow pcmsensor write nmi_watchdog state information Resolves: RHEL-52838 - Label /proc/sys/kernel/nmi_watchdog with sysctl_nmi_watchdog_t Resolves: RHEL-52838 * Fri Jan 24 2025 Zdenek Pytela <zpytela@redhat.com> - 40.13.23-2 - Rebuild other packages with with selinux-policy-40.13.23 Resolves: RHEL-36741 * Thu Jan 23 2025 Zdenek Pytela <zpytela@redhat.com> - 40.13.23-1 - Remove the lockdown class from the policy Resolves: RHEL-36741 - Remove socket from unconfined_domain_type allow rule Resolves: RHEL-36741 - Include key_socket in socket_class_set Resolves: RHEL-36741 * Thu Jan 16 2025 Zdenek Pytela <zpytela@redhat.com> - 40.13.22-1 - Allow staff user dbus chat with virt-dbus Resolves: RHEL-73914 - Allow virtqemud domain transition to nbdkit Resolves: RHEL-69118 - Add nbdkit interfaces defined conditionally Resolves: RHEL-69118 - Allow svirt_t read sysfs files Resolves: RHEL-71270 - Label /dev/pmem[0-9]+ with fixed_disk_device_t Resolves: RHEL-71656 - Add support for the KVM guest memfd anon inodes Resolves: RHEL-69128 - Allow sysadm user dbus chat with virt-dbus Resolves: RHEL-73914 - Allow initrc_t transition to passwd_t Resolves: RHEL-71665 - Allow unconfined_service_t transition to passwd_t Resolves: RHEL-71665 * Wed Jan 08 2025 Zdenek Pytela <zpytela@redhat.com> - 40.13.21-1 - Allow init create vsock socket for sshd Resolves: RHEL-72549 - Support ssh connections via systemd-ssh-generator Resolves: RHEL-72549 - Allow ssh generator work with systemd unit files Resolves: RHEL-72549 - Confine systemd system-ssh-generator Resolves: RHEL-72549 - Allow login_userdomain getattr nsfs files Resolves: RHEL-72549 - Allow virtqemud send a generic signal to the ssh client domain Resolves: RHEL-53972 - Add the auth_dontaudit_read_passwd_file() interface Resolves: RHEL-71490 - Dontaudit request-key read /etc/passwd Resolves: RHEL-71490 * Fri Jan 03 2025 Zdenek Pytela <zpytela@redhat.com> - 40.13.20-1 - Allow virtqemud domain transition on numad execution Resolves: RHEL-65789 - Support virt live migration using ssh Resolves: RHEL-53972 - Allow ssh_t read systemd config files Resolves: RHEL-53972 - Allow virtqemud permissions needed for live migration Resolves: RHEL-43217 - Allow virtqemud the getpgid process permission Resolves: RHEL-46357 - Allow virtqemud manage nfs dirs when virt_use_nfs boolean is on Resolves: RHEL-71068 - Allow virtqemud relabelfrom virt_log_t files Resolves: RHEL-48236 - Allow virtqemud relabel tun_socket Resolves: RHEL-71394 - Allow gnome-remote-desktop dbus chat with policykit Resolves: RHEL-35877 - Update ktlsh policy Resolves: RHEL-42672 - Confine the ktls service Resolves: RHEL-42672 - Allow request-key to read /etc/passwd Resolves: RHEL-71490 - Allow request-key to manage all domains' keys Resolves: RHEL-71490 * Fri Dec 20 2024 Petr Lautrbach <lautrbach@redhat.com> - 40.13.19-2 - Rebuild with SELinux Userspace 3.8 * Wed Dec 18 2024 Zdenek Pytela <zpytela@redhat.com> - 40.13.19-1 - Allow systemd-journald getattr nsfs files Resolves: RHEL-71803 - Allow systemd-related domains getattr nsfs files Resolves: RHEL-71803 * Fri Dec 13 2024 Zdenek Pytela <zpytela@redhat.com> - 40.13.18-1 - Sync dist/targeted/modules.conf with Fedora 42 Resolves: RHEL-70850 - Add support for sap Resolves: RHEL-70850 - Allow sssd_selinux_manager_t the setcap process permission Resolves: RHEL-70822 - Allow virtqemud open svirt_devpts_t char files Resolves: RHEL-43446 - Fix the cups_read_pid_files() interface to use read_files_pattern Resolves: RHEL-69512 * Thu Dec 12 2024 Zdenek Pytela <zpytela@redhat.com> - 40.13.17-1 - Update samba-bgqd policy Resolves: RHEL-69512 - Allow samba-bgqd read cups config files Resolves: RHEL-69512 - Allow virtqemud additional permissions for tmpfs_t blk devices Resolves: RHEL-61235 - Allow virtqemud rw access to svirt_image_t chr files Resolves: RHEL-61235 - Allow virtqemud rw and setattr access to fixed block devices Resolves: RHEL-61235 - Label /etc/mdevctl.d/scripts.d with bin_t Resolves: RHEL-39893 - Fix the /etc/mdevctl\.d(/.*)? regexp Resolves: RHEL-39893 - Allow virtnodedev watch mdevctl config dirs Resolves: RHEL-39893 - Make mdevctl_conf_t member of the file_type attribute Resolves: RHEL-39893 - Label /etc/mdevctl.d with mdevctl_conf_t Resolves: RHEL-39893 - Allow virtqemud relabelfrom virt_log_t files Resolves: RHEL-48236 - Allow virtqemud_t relabel virtqemud_var_run_t sock_files Resolves: RHEL-48236 - Allow virtqemud relabelfrom virtqemud_var_run_t dirs Resolves: RHEL-48236 - Allow svirt_tcg_t read virtqemud_t fifo_files Resolves: RHEL-48236 - Allow virtqemud rw and setattr access to sev devices Resolves: RHEL-69128 - Allow virtqemud directly read and write to a fixed disk Resolves: RHEL-61235 - Allow svirt_t the sys_rawio capability Resolves: RHEL-61235 - Allow svirt_t the sys_rawio capability Resolves: RHEL-61235 - Allow virtqemud connect to sanlock over a unix stream socket Resolves: RHEL-44352 - allow gdm and iiosensorproxy talk to each other via D-bus Resolves: RHEL-70850 - Allow sendmail to map mail server configuration files Related: RHEL-54014 - Allow procmail to read mail aliases Resolves: RHEL-54014 - Grant rhsmcertd chown capability & userdb access Resolves: RHEL-68481 * Fri Nov 29 2024 Zdenek Pytela <zpytela@redhat.com> - 40.13.16-1 - Fix the file type for /run/systemd/generator Resolves: RHEL-68313 * Thu Nov 28 2024 Zdenek Pytela <zpytela@redhat.com> - 40.13.15-1 - Allow qatlib search the content of the kernel debugging filesystem Resolves: RHEL-66334 - Allow qatlib connect to systemd-machined over a unix socket Resolves: RHEL-66334 - Update policy for samba-bgqd Resolves: RHEL-64908 - Allow httpd get attributes of dirsrv unit files Resolves: RHEL-62706 - Allow virtstoraged read vm sysctls Resolves: RHEL-61742 - Allow virtstoraged execute mount programs in the mount domain Resolves: RHEL-61742 - Update policy for rpc-virtstorage Resolves: RHEL-61742 - Allow virtstoraged get attributes of configfs dirs Resolves: RHEL-61742 - Allow virt_driver_domain read virtd-lxc files in /proc Resolves: RHEL-61742 - Allow virtstoraged manage files with virt_content_t type Resolves: RHEL-61742 - Allow virtstoraged use the io_uring API Resolves: RHEL-61742 - Allow virtstoraged execute lvm programs in the lvm domain Resolves: RHEL-61742 - Allow svirt_t connect to unconfined_t over a unix domain socket Resolves: RHEL-61246 - Label /usr/lib/node_modules_22/npm/bin with bin_t Resolves: RHEL-56350 - Allow bacula execute container in the container domain Resolves: RHEL-39529 - Label /run/systemd/generator with systemd_unit_file_t Resolves: RHEL-68313 * Tue Nov 19 2024 Zdenek Pytela <zpytela@redhat.com> - 40.13.14-1 - mls/modules.conf - fix typo - Use dist/targeted/modules.conf in build workflow - Fix default and dist config files - CI: update to actions/checkout@v4 - Clean up and sync securetty_types - Bring config files from dist-git into the source repo - Sync users with Fedora targeted users * Tue Nov 12 2024 Zdenek Pytela <zpytela@redhat.com> - 40.13.13-1 - Revert "Allow unconfined_t execute kmod in the kmod domain" Resolves: RHEL-65190 - Add policy for /usr/libexec/samba/samba-bgqd Resolves: RHEL-64908 - Label samba certificates with samba_cert_t Resolves: RHEL-64908 - Label /usr/bin/samba-gpupdate with samba_gpupdate_exec_t Resolves: RHEL-64908 - Allow rpcd read network sysctls Resolves: RHEL-64737 - Label all semanage store files in /etc as semanage_store_t Resolves: RHEL-65864 * Tue Oct 29 2024 Troy Dawson <tdawson@redhat.com> - 40.13.12-2 - Bump release for October 2024 mass rebuild: Resolves: RHEL-64018 * Thu Oct 24 2024 Zdenek Pytela <zpytela@redhat.com> - 40.13.12-1 - Dontaudit subscription manager setfscreate and read file contexts Resolves: RHEL-58009 - Allow the sysadm user use the secretmem API Resolves: RHEL-40953 - Allow sudodomain list files in /var Resolves: RHEL-58068 - Allow gnome-remote-desktop watch /etc directory Resolves: RHEL-35877 - Allow journalctl connect to systemd-userdbd over a unix socket Resolves: RHEL-58072 - systemd: allow sys_admin capability for systemd_notify_t Resolves: RHEL-58072 - Allow some confined users send to lldpad over a unix dgram socket Resolves: RHEL-61634 - Allow lldpad send to sysadm_t over a unix dgram socket Resolves: RHEL-61634 - Allow lldpd connect to systemd-machined over a unix socket Resolves: RHEL-61634 * Wed Oct 23 2024 Zdenek Pytela <zpytela@redhat.com> - 40.13.11-1 - Allow ping_t read network sysctls Resolves: RHEL-54299 - Label /usr/lib/node_modules/npm/bin with bin_t Resolves: RHEL-56350 - Label /run/sssd with sssd_var_run_t Resolves: RHEL-57065 - Allow virtqemud read virtd_t files Resolves: RHEL-57713 - Allow wdmd read hardware state information Resolves: RHEL-57982 - Allow wdmd list the contents of the sysfs directories Resolves: RHEL-57982 - Label /etc/sysctl.d and /run/sysctl.d with system_conf_t Resolves: RHEL-58380 - Allow dirsrv read network sysctls Resolves: RHEL-58381 - Allow lldpad create and use netlink_generic_socket Resolves: RHEL-61634 - Allow unconfined_t execute kmod in the kmod domain Resolves: RHEL-61755 - Confine the pcm service Resolves: RHEL-52838 - Allow iio-sensor-proxy the bpf capability Resolves: RHEL-62355 - Confine iio-sensor-proxy Resolves: RHEL-62355 * Wed Oct 16 2024 Zdenek Pytela <zpytela@redhat.com> - 40.13.10-1 - Confine gnome-remote-desktop Resolves: RHEL-35877 - Allow virtqemud get attributes of a tmpfs filesystem Resolves: RHEL-40855 - Allow virtqemud get attributes of cifs files Resolves: RHEL-40855 - Allow virtqemud get attributes of filesystems with extended attributes Resolves: RHEL-39668 - Allow virtqemud get attributes of NFS filesystems Resolves: RHEL-40855 - Add support for secretmem anon inode Resolves: RHEL-40953 - Allow systemd-sleep read raw disk data Resolves: RHEL-49600 - Allow systemd-hwdb send messages to kernel unix datagram sockets Resolves: RHEL-50810 - Label /run/modprobe.d with modules_conf_t Resolves: RHEL-54591 - Allow setsebool_t relabel selinux data files Resolves: RHEL-55412 - Don't audit crontab_domain write attempts to user home Resolves: RHEL-56349 - Differentiate between staff and sysadm when executing crontab with sudo Resolves: RHEL-56349 - Add crontab_admin_domtrans interface Resolves: RHEL-56349 - Add crontab_domtrans interface Resolves: RHEL-56349 - Allow boothd connect to kernel over a unix socket Resolves: RHEL-58060 - Fix label of pseudoterminals created from sudodomain Resolves: RHEL-58068 - systemd: allow systemd_notify_t to send data to kernel_t datagram sockets Resolves: RHEL-58072 - Allow rsyslog read systemd-logind session files Resolves: RHEL-40961 - Label /dev/mmcblk0rpmb character device with removable_device_t Resolves: RHEL-55265 - Label /dev/hfi1_[0-9]+ devices Resolves: RHEL-62836 - Label /dev/papr-sysparm and /dev/papr-vpd Resolves: RHEL-56908 - Support SGX devices Resolves: RHEL-62354 - Suppress semodule's stderr Resolves: RHEL-59192 * Mon Aug 26 2024 Zdenek Pytela <zpytela@redhat.com> - 40.13.9-1 - Allow virtqemud relabelfrom also for file and sock_file Resolves: RHEL-49763 - Allow virtqemud relabel user tmp files and socket files Resolves: RHEL-49763 - Update virtqemud policy for libguestfs usage Resolves: RHEL-49763 - Label /run/libvirt/qemu/channel with virtqemud_var_run_t Resolves: RHEL-47274 * Tue Aug 13 2024 Zdenek Pytela <zpytela@redhat.com> - 40.13.8-1 - Add virt_create_log() and virt_write_log() interfaces Resolves: RHEL-47274 - Update libvirt policy Resolves: RHEL-45464 Resolves: RHEL-49763 - Allow svirt_tcg_t map svirt_image_t files Resolves: RHEL-47274 - Allow svirt_tcg_t read vm sysctls Resolves: RHEL-47274 - Additional updates stalld policy for bpf usage Resolves: RHEL-50356 * Thu Aug 08 2024 Zdenek Pytela <zpytela@redhat.com> - 40.13.7-1 - Add the swtpm.if interface file for interactions with other domains Resolves: RHEL-47274 - Allow virtproxyd create and use its private tmp files Resolves: RHEL-40499 - Allow virtproxyd read network state Resolves: RHEL-40499 - Allow virtqemud domain transition on swtpm execution Resolves: RHEL-47274 Resolves: RHEL-49763 - Allow virtqemud relabel virt_var_run_t directories Resolves: RHEL-47274 Resolves: RHEL-45464 Resolves: RHEL-49763 - Allow virtqemud domain transition on passt execution Resolves: RHEL-45464 - Allow virt_driver_domain create and use log files in /var/log Resolves: RHEL-40239 - Allow virt_driver_domain connect to systemd-userdbd over a unix socket Resolves: RHEL-44932 Resolves: RHEL-44898 - Update stalld policy for bpf usage Resolves: RHEL-50356 - Allow boothd connect to systemd-userdbd over a unix socket Resolves: RHEL-45907 - Allow linuxptp configure phc2sys and chronyd over a unix domain socket Resolves: RHEL-46011 - Allow systemd-machined manage runtime sockets Resolves: RHEL-49567 - Allow ip command write to ipsec's logs Resolves: RHEL-41222 - Allow init_t nnp domain transition to firewalld_t Resolves: RHEL-52481 - Update qatlib policy for v24.02 with new features Resolves: RHEL-50377 - Allow postfix_domain map postfix_etc_t files Resolves: RHEL-46327 * Thu Jul 25 2024 Zdenek Pytela <zpytela@redhat.com> - 40.13.6-1 - Allow virtnodedevd run udev with a domain transition Resolves: RHEL-39890 - Allow virtnodedev_t create and use virtnodedev_lock_t Resolves: RHEL-39890 - Allow svirt attach_queue to a virtqemud tun_socket Resolves: RHEL-44312 - Label /run/systemd/machine with systemd_machined_var_run_t Resolves: RHEL-49567 - Allow to create and delete socket files created by rhsm.service * Tue Jul 16 2024 Zdenek Pytela <zpytela@redhat.com> - 40.13.5-1 - Allow to create and delete socket files created by rhsm.service Resolves: RHEL-40857 - Allow svirt read virtqemud fifo files Resolves: RHEL-40350 - Allow virt_dbus_t connect to virtqemud_t over a unix stream socket Resolves: RHEL-37822 - Allow virtqemud read virt-dbus process state Resolves: RHEL-37822 - Allow virtqemud run ssh client with a transition Resolves: RHEL-43215 - Allow virtnetworkd exec shell when virt_hooks_unconfined is on Resolves: RHEL-41168 - Allow NetworkManager the sys_ptrace capability in user namespace Resolves: RHEL-46717 - Update keyutils policy Resolves: RHEL-38920 - Allow ip the setexec permission Resolves: RHEL-41182 * Fri Jun 28 2024 Zdenek Pytela <zpytela@redhat.com> - 40.13.4-1 - Confine libvirt-dbus Resolves: RHEL-37822 - Allow sssd create and use io_uring Resolves: RHEL-43448 - Allow virtqemud the kill capability in user namespace Resolves: RHEL-44996 - Allow login_userdomain execute systemd-tmpfiles in the caller domain Resolves: RHEL-44191 - Allow virtqemud read vm sysctls Resolves: RHEL-40938 - Allow svirt_t read vm sysctls Resolves: RHEL-40938 - Allow rshim get options of the netlink class for KOBJECT_UEVENT family Resolves: RHEL-40859 - Allow systemd-hostnamed read the vsock device Resolves: RHEL-45309 - Allow systemd (PID 1) manage systemd conf files Resolves: RHEL-45304 - Allow journald read systemd config files and directories Resolves: RHEL-45304 - Allow systemd_domain read systemd_conf_t dirs Resolves: RHEL-45304 - Label systemd configuration files with systemd_conf_t Resolves: RHEL-45304 - Allow dhcpcd the kill capability Resolves: RHEL-43417 - Add support for libvirt hooks Resolves: RHEL-41168 * Mon Jun 24 2024 Troy Dawson <tdawson@redhat.com> - 40.13.3-2 - Bump release for June 2024 mass rebuild * Tue Jun 18 2024 Zdenek Pytela <zpytela@redhat.com> - 40.13.3-1 - Allow virtqemud manage nfs files when virt_use_nfs boolean is on Resolves: RHEL-40205 - Allow virt_driver_domain read files labeled unconfined_t Resolves: RHEL-40262 - Allow virt_driver_domain dbus chat with policykit Resolves: RHEL-40346 - Escape "interface" as a file name in a virt filetrans pattern Resolves: RHEL-34769 - Allow setroubleshootd get attributes of all sysctls Resolves: RHEL-40923 - Allow qemu-ga read vm sysctls Resolves: RHEL-40829 - Allow sbd to trace processes in user namespace Resolves: RHEL-39989 - Allow request-key execute scripts Resolves: RHEL-38920 - Update policy for haproxyd Resolves: RHEL-40877 * Fri Jun 07 2024 Zdenek Pytela <zpytela@redhat.com> - 40.13.2-1 - Allow all domains read and write z90crypt device Resolves: RHEL-28539 - Allow dhcpc read /run/netns files Resolves: RHEL-39510 - Allow bootupd search efivarfs dirs Resolves: RHEL-39514 * Fri May 17 2024 Zdenek Pytela <zpytela@redhat.com> - 40.13.1-1 - Allow logwatch read logind sessions files Resolves: RHEL-30441 - Allow sulogin relabel tty1 Resolves: RHEL-30440 - Dontaudit sulogin the checkpoint_restore capability Resolves: RHEL-30440 - Allow postfix smtpd map aliases file Resolves: RHEL-35544 - Ensure dbus communication is allowed bidirectionally Resolves: RHEL-35783 - Allow various services read and write z90crypt device Resolves: RHEL-28539 - Allow dhcpcd use unix_stream_socket Resolves: RHEL-33081 - Allow xdm_t to watch and watch_reads mount_var_run_t Resolves: RHEL-36073 - Allow plymouthd log during shutdown Resolves: RHEL-30455 - Update rpm configuration for the /var/run equivalency change Resolves: RHEL-36094