586 lines
22 KiB
Plaintext
586 lines
22 KiB
Plaintext
* Fri Dec 20 2024 Petr Lautrbach <lautrbach@redhat.com> - 40.13.19-2
|
|
- Rebuild with SELinux Userspace 3.8
|
|
|
|
* Wed Dec 18 2024 Zdenek Pytela <zpytela@redhat.com> - 40.13.19-1
|
|
- Allow systemd-journald getattr nsfs files
|
|
Resolves: RHEL-71803
|
|
- Allow systemd-related domains getattr nsfs files
|
|
Resolves: RHEL-71803
|
|
|
|
* Fri Dec 13 2024 Zdenek Pytela <zpytela@redhat.com> - 40.13.18-1
|
|
- Sync dist/targeted/modules.conf with Fedora 42
|
|
Resolves: RHEL-70850
|
|
- Add support for sap
|
|
Resolves: RHEL-70850
|
|
- Allow sssd_selinux_manager_t the setcap process permission
|
|
Resolves: RHEL-70822
|
|
- Allow virtqemud open svirt_devpts_t char files
|
|
Resolves: RHEL-43446
|
|
- Fix the cups_read_pid_files() interface to use read_files_pattern
|
|
Resolves: RHEL-69512
|
|
|
|
* Thu Dec 12 2024 Zdenek Pytela <zpytela@redhat.com> - 40.13.17-1
|
|
- Update samba-bgqd policy
|
|
Resolves: RHEL-69512
|
|
- Allow samba-bgqd read cups config files
|
|
Resolves: RHEL-69512
|
|
- Allow virtqemud additional permissions for tmpfs_t blk devices
|
|
Resolves: RHEL-61235
|
|
- Allow virtqemud rw access to svirt_image_t chr files
|
|
Resolves: RHEL-61235
|
|
- Allow virtqemud rw and setattr access to fixed block devices
|
|
Resolves: RHEL-61235
|
|
- Label /etc/mdevctl.d/scripts.d with bin_t
|
|
Resolves: RHEL-39893
|
|
- Fix the /etc/mdevctl\.d(/.*)? regexp
|
|
Resolves: RHEL-39893
|
|
- Allow virtnodedev watch mdevctl config dirs
|
|
Resolves: RHEL-39893
|
|
- Make mdevctl_conf_t member of the file_type attribute
|
|
Resolves: RHEL-39893
|
|
- Label /etc/mdevctl.d with mdevctl_conf_t
|
|
Resolves: RHEL-39893
|
|
- Allow virtqemud relabelfrom virt_log_t files
|
|
Resolves: RHEL-48236
|
|
- Allow virtqemud_t relabel virtqemud_var_run_t sock_files
|
|
Resolves: RHEL-48236
|
|
- Allow virtqemud relabelfrom virtqemud_var_run_t dirs
|
|
Resolves: RHEL-48236
|
|
- Allow svirt_tcg_t read virtqemud_t fifo_files
|
|
Resolves: RHEL-48236
|
|
- Allow virtqemud rw and setattr access to sev devices
|
|
Resolves: RHEL-69128
|
|
- Allow virtqemud directly read and write to a fixed disk
|
|
Resolves: RHEL-61235
|
|
- Allow svirt_t the sys_rawio capability
|
|
Resolves: RHEL-61235
|
|
- Allow svirt_t the sys_rawio capability
|
|
Resolves: RHEL-61235
|
|
- Allow virtqemud connect to sanlock over a unix stream socket
|
|
Resolves: RHEL-44352
|
|
- allow gdm and iiosensorproxy talk to each other via D-bus
|
|
Resolves: RHEL-70850
|
|
- Allow sendmail to map mail server configuration files
|
|
Related: RHEL-54014
|
|
- Allow procmail to read mail aliases
|
|
Resolves: RHEL-54014
|
|
- Grant rhsmcertd chown capability & userdb access
|
|
Resolves: RHEL-68481
|
|
|
|
* Fri Nov 29 2024 Zdenek Pytela <zpytela@redhat.com> - 40.13.16-1
|
|
- Fix the file type for /run/systemd/generator
|
|
Resolves: RHEL-68313
|
|
|
|
* Thu Nov 28 2024 Zdenek Pytela <zpytela@redhat.com> - 40.13.15-1
|
|
- Allow qatlib search the content of the kernel debugging filesystem
|
|
Resolves: RHEL-66334
|
|
- Allow qatlib connect to systemd-machined over a unix socket
|
|
Resolves: RHEL-66334
|
|
- Update policy for samba-bgqd
|
|
Resolves: RHEL-64908
|
|
- Allow httpd get attributes of dirsrv unit files
|
|
Resolves: RHEL-62706
|
|
- Allow virtstoraged read vm sysctls
|
|
Resolves: RHEL-61742
|
|
- Allow virtstoraged execute mount programs in the mount domain
|
|
Resolves: RHEL-61742
|
|
- Update policy for rpc-virtstorage
|
|
Resolves: RHEL-61742
|
|
- Allow virtstoraged get attributes of configfs dirs
|
|
Resolves: RHEL-61742
|
|
- Allow virt_driver_domain read virtd-lxc files in /proc
|
|
Resolves: RHEL-61742
|
|
- Allow virtstoraged manage files with virt_content_t type
|
|
Resolves: RHEL-61742
|
|
- Allow virtstoraged use the io_uring API
|
|
Resolves: RHEL-61742
|
|
- Allow virtstoraged execute lvm programs in the lvm domain
|
|
Resolves: RHEL-61742
|
|
- Allow svirt_t connect to unconfined_t over a unix domain socket
|
|
Resolves: RHEL-61246
|
|
- Label /usr/lib/node_modules_22/npm/bin with bin_t
|
|
Resolves: RHEL-56350
|
|
- Allow bacula execute container in the container domain
|
|
Resolves: RHEL-39529
|
|
- Label /run/systemd/generator with systemd_unit_file_t
|
|
Resolves: RHEL-68313
|
|
|
|
* Tue Nov 19 2024 Zdenek Pytela <zpytela@redhat.com> - 40.13.14-1
|
|
- mls/modules.conf - fix typo
|
|
- Use dist/targeted/modules.conf in build workflow
|
|
- Fix default and dist config files
|
|
- CI: update to actions/checkout@v4
|
|
- Clean up and sync securetty_types
|
|
- Bring config files from dist-git into the source repo
|
|
- Sync users with Fedora targeted users
|
|
|
|
* Tue Nov 12 2024 Zdenek Pytela <zpytela@redhat.com> - 40.13.13-1
|
|
- Revert "Allow unconfined_t execute kmod in the kmod domain"
|
|
Resolves: RHEL-65190
|
|
- Add policy for /usr/libexec/samba/samba-bgqd
|
|
Resolves: RHEL-64908
|
|
- Label samba certificates with samba_cert_t
|
|
Resolves: RHEL-64908
|
|
- Label /usr/bin/samba-gpupdate with samba_gpupdate_exec_t
|
|
Resolves: RHEL-64908
|
|
- Allow rpcd read network sysctls
|
|
Resolves: RHEL-64737
|
|
- Label all semanage store files in /etc as semanage_store_t
|
|
Resolves: RHEL-65864
|
|
|
|
* Tue Oct 29 2024 Troy Dawson <tdawson@redhat.com> - 40.13.12-2
|
|
- Bump release for October 2024 mass rebuild:
|
|
Resolves: RHEL-64018
|
|
|
|
* Thu Oct 24 2024 Zdenek Pytela <zpytela@redhat.com> - 40.13.12-1
|
|
- Dontaudit subscription manager setfscreate and read file contexts
|
|
Resolves: RHEL-58009
|
|
- Allow the sysadm user use the secretmem API
|
|
Resolves: RHEL-40953
|
|
- Allow sudodomain list files in /var
|
|
Resolves: RHEL-58068
|
|
- Allow gnome-remote-desktop watch /etc directory
|
|
Resolves: RHEL-35877
|
|
- Allow journalctl connect to systemd-userdbd over a unix socket
|
|
Resolves: RHEL-58072
|
|
- systemd: allow sys_admin capability for systemd_notify_t
|
|
Resolves: RHEL-58072
|
|
- Allow some confined users send to lldpad over a unix dgram socket
|
|
Resolves: RHEL-61634
|
|
- Allow lldpad send to sysadm_t over a unix dgram socket
|
|
Resolves: RHEL-61634
|
|
- Allow lldpd connect to systemd-machined over a unix socket
|
|
Resolves: RHEL-61634
|
|
|
|
* Wed Oct 23 2024 Zdenek Pytela <zpytela@redhat.com> - 40.13.11-1
|
|
- Allow ping_t read network sysctls
|
|
Resolves: RHEL-54299
|
|
- Label /usr/lib/node_modules/npm/bin with bin_t
|
|
Resolves: RHEL-56350
|
|
- Label /run/sssd with sssd_var_run_t
|
|
Resolves: RHEL-57065
|
|
- Allow virtqemud read virtd_t files
|
|
Resolves: RHEL-57713
|
|
- Allow wdmd read hardware state information
|
|
Resolves: RHEL-57982
|
|
- Allow wdmd list the contents of the sysfs directories
|
|
Resolves: RHEL-57982
|
|
- Label /etc/sysctl.d and /run/sysctl.d with system_conf_t
|
|
Resolves: RHEL-58380
|
|
- Allow dirsrv read network sysctls
|
|
Resolves: RHEL-58381
|
|
- Allow lldpad create and use netlink_generic_socket
|
|
Resolves: RHEL-61634
|
|
- Allow unconfined_t execute kmod in the kmod domain
|
|
Resolves: RHEL-61755
|
|
- Confine the pcm service
|
|
Resolves: RHEL-52838
|
|
- Allow iio-sensor-proxy the bpf capability
|
|
Resolves: RHEL-62355
|
|
- Confine iio-sensor-proxy
|
|
Resolves: RHEL-62355
|
|
|
|
* Wed Oct 16 2024 Zdenek Pytela <zpytela@redhat.com> - 40.13.10-1
|
|
- Confine gnome-remote-desktop
|
|
Resolves: RHEL-35877
|
|
- Allow virtqemud get attributes of a tmpfs filesystem
|
|
Resolves: RHEL-40855
|
|
- Allow virtqemud get attributes of cifs files
|
|
Resolves: RHEL-40855
|
|
- Allow virtqemud get attributes of filesystems with extended attributes
|
|
Resolves: RHEL-39668
|
|
- Allow virtqemud get attributes of NFS filesystems
|
|
Resolves: RHEL-40855
|
|
- Add support for secretmem anon inode
|
|
Resolves: RHEL-40953
|
|
- Allow systemd-sleep read raw disk data
|
|
Resolves: RHEL-49600
|
|
- Allow systemd-hwdb send messages to kernel unix datagram sockets
|
|
Resolves: RHEL-50810
|
|
- Label /run/modprobe.d with modules_conf_t
|
|
Resolves: RHEL-54591
|
|
- Allow setsebool_t relabel selinux data files
|
|
Resolves: RHEL-55412
|
|
- Don't audit crontab_domain write attempts to user home
|
|
Resolves: RHEL-56349
|
|
- Differentiate between staff and sysadm when executing crontab with sudo
|
|
Resolves: RHEL-56349
|
|
- Add crontab_admin_domtrans interface
|
|
Resolves: RHEL-56349
|
|
- Add crontab_domtrans interface
|
|
Resolves: RHEL-56349
|
|
- Allow boothd connect to kernel over a unix socket
|
|
Resolves: RHEL-58060
|
|
- Fix label of pseudoterminals created from sudodomain
|
|
Resolves: RHEL-58068
|
|
- systemd: allow systemd_notify_t to send data to kernel_t datagram sockets
|
|
Resolves: RHEL-58072
|
|
- Allow rsyslog read systemd-logind session files
|
|
Resolves: RHEL-40961
|
|
- Label /dev/mmcblk0rpmb character device with removable_device_t
|
|
Resolves: RHEL-55265
|
|
- Label /dev/hfi1_[0-9]+ devices
|
|
Resolves: RHEL-62836
|
|
- Label /dev/papr-sysparm and /dev/papr-vpd
|
|
Resolves: RHEL-56908
|
|
- Support SGX devices
|
|
Resolves: RHEL-62354
|
|
- Suppress semodule's stderr
|
|
Resolves: RHEL-59192
|
|
|
|
* Mon Aug 26 2024 Zdenek Pytela <zpytela@redhat.com> - 40.13.9-1
|
|
- Allow virtqemud relabelfrom also for file and sock_file
|
|
Resolves: RHEL-49763
|
|
- Allow virtqemud relabel user tmp files and socket files
|
|
Resolves: RHEL-49763
|
|
- Update virtqemud policy for libguestfs usage
|
|
Resolves: RHEL-49763
|
|
- Label /run/libvirt/qemu/channel with virtqemud_var_run_t
|
|
Resolves: RHEL-47274
|
|
|
|
* Tue Aug 13 2024 Zdenek Pytela <zpytela@redhat.com> - 40.13.8-1
|
|
- Add virt_create_log() and virt_write_log() interfaces
|
|
Resolves: RHEL-47274
|
|
- Update libvirt policy
|
|
Resolves: RHEL-45464
|
|
Resolves: RHEL-49763
|
|
- Allow svirt_tcg_t map svirt_image_t files
|
|
Resolves: RHEL-47274
|
|
- Allow svirt_tcg_t read vm sysctls
|
|
Resolves: RHEL-47274
|
|
- Additional updates stalld policy for bpf usage
|
|
Resolves: RHEL-50356
|
|
|
|
* Thu Aug 08 2024 Zdenek Pytela <zpytela@redhat.com> - 40.13.7-1
|
|
- Add the swtpm.if interface file for interactions with other domains
|
|
Resolves: RHEL-47274
|
|
- Allow virtproxyd create and use its private tmp files
|
|
Resolves: RHEL-40499
|
|
- Allow virtproxyd read network state
|
|
Resolves: RHEL-40499
|
|
- Allow virtqemud domain transition on swtpm execution
|
|
Resolves: RHEL-47274
|
|
Resolves: RHEL-49763
|
|
- Allow virtqemud relabel virt_var_run_t directories
|
|
Resolves: RHEL-47274
|
|
Resolves: RHEL-45464
|
|
Resolves: RHEL-49763
|
|
- Allow virtqemud domain transition on passt execution
|
|
Resolves: RHEL-45464
|
|
- Allow virt_driver_domain create and use log files in /var/log
|
|
Resolves: RHEL-40239
|
|
- Allow virt_driver_domain connect to systemd-userdbd over a unix socket
|
|
Resolves: RHEL-44932
|
|
Resolves: RHEL-44898
|
|
- Update stalld policy for bpf usage
|
|
Resolves: RHEL-50356
|
|
- Allow boothd connect to systemd-userdbd over a unix socket
|
|
Resolves: RHEL-45907
|
|
- Allow linuxptp configure phc2sys and chronyd over a unix domain socket
|
|
Resolves: RHEL-46011
|
|
- Allow systemd-machined manage runtime sockets
|
|
Resolves: RHEL-49567
|
|
- Allow ip command write to ipsec's logs
|
|
Resolves: RHEL-41222
|
|
- Allow init_t nnp domain transition to firewalld_t
|
|
Resolves: RHEL-52481
|
|
- Update qatlib policy for v24.02 with new features
|
|
Resolves: RHEL-50377
|
|
- Allow postfix_domain map postfix_etc_t files
|
|
Resolves: RHEL-46327
|
|
|
|
* Thu Jul 25 2024 Zdenek Pytela <zpytela@redhat.com> - 40.13.6-1
|
|
- Allow virtnodedevd run udev with a domain transition
|
|
Resolves: RHEL-39890
|
|
- Allow virtnodedev_t create and use virtnodedev_lock_t
|
|
Resolves: RHEL-39890
|
|
- Allow svirt attach_queue to a virtqemud tun_socket
|
|
Resolves: RHEL-44312
|
|
- Label /run/systemd/machine with systemd_machined_var_run_t
|
|
Resolves: RHEL-49567
|
|
- Allow to create and delete socket files created by rhsm.service
|
|
|
|
* Tue Jul 16 2024 Zdenek Pytela <zpytela@redhat.com> - 40.13.5-1
|
|
- Allow to create and delete socket files created by rhsm.service
|
|
Resolves: RHEL-40857
|
|
- Allow svirt read virtqemud fifo files
|
|
Resolves: RHEL-40350
|
|
- Allow virt_dbus_t connect to virtqemud_t over a unix stream socket
|
|
Resolves: RHEL-37822
|
|
- Allow virtqemud read virt-dbus process state
|
|
Resolves: RHEL-37822
|
|
- Allow virtqemud run ssh client with a transition
|
|
Resolves: RHEL-43215
|
|
- Allow virtnetworkd exec shell when virt_hooks_unconfined is on
|
|
Resolves: RHEL-41168
|
|
- Allow NetworkManager the sys_ptrace capability in user namespace
|
|
Resolves: RHEL-46717
|
|
- Update keyutils policy
|
|
Resolves: RHEL-38920
|
|
- Allow ip the setexec permission
|
|
Resolves: RHEL-41182
|
|
|
|
* Fri Jun 28 2024 Zdenek Pytela <zpytela@redhat.com> - 40.13.4-1
|
|
- Confine libvirt-dbus
|
|
Resolves: RHEL-37822
|
|
- Allow sssd create and use io_uring
|
|
Resolves: RHEL-43448
|
|
- Allow virtqemud the kill capability in user namespace
|
|
Resolves: RHEL-44996
|
|
- Allow login_userdomain execute systemd-tmpfiles in the caller domain
|
|
Resolves: RHEL-44191
|
|
- Allow virtqemud read vm sysctls
|
|
Resolves: RHEL-40938
|
|
- Allow svirt_t read vm sysctls
|
|
Resolves: RHEL-40938
|
|
- Allow rshim get options of the netlink class for KOBJECT_UEVENT family
|
|
Resolves: RHEL-40859
|
|
- Allow systemd-hostnamed read the vsock device
|
|
Resolves: RHEL-45309
|
|
- Allow systemd (PID 1) manage systemd conf files
|
|
Resolves: RHEL-45304
|
|
- Allow journald read systemd config files and directories
|
|
Resolves: RHEL-45304
|
|
- Allow systemd_domain read systemd_conf_t dirs
|
|
Resolves: RHEL-45304
|
|
- Label systemd configuration files with systemd_conf_t
|
|
Resolves: RHEL-45304
|
|
- Allow dhcpcd the kill capability
|
|
Resolves: RHEL-43417
|
|
- Add support for libvirt hooks
|
|
Resolves: RHEL-41168
|
|
|
|
* Mon Jun 24 2024 Troy Dawson <tdawson@redhat.com> - 40.13.3-2
|
|
- Bump release for June 2024 mass rebuild
|
|
|
|
* Tue Jun 18 2024 Zdenek Pytela <zpytela@redhat.com> - 40.13.3-1
|
|
- Allow virtqemud manage nfs files when virt_use_nfs boolean is on
|
|
Resolves: RHEL-40205
|
|
- Allow virt_driver_domain read files labeled unconfined_t
|
|
Resolves: RHEL-40262
|
|
- Allow virt_driver_domain dbus chat with policykit
|
|
Resolves: RHEL-40346
|
|
- Escape "interface" as a file name in a virt filetrans pattern
|
|
Resolves: RHEL-34769
|
|
- Allow setroubleshootd get attributes of all sysctls
|
|
Resolves: RHEL-40923
|
|
- Allow qemu-ga read vm sysctls
|
|
Resolves: RHEL-40829
|
|
- Allow sbd to trace processes in user namespace
|
|
Resolves: RHEL-39989
|
|
- Allow request-key execute scripts
|
|
Resolves: RHEL-38920
|
|
- Update policy for haproxyd
|
|
Resolves: RHEL-40877
|
|
|
|
* Fri Jun 07 2024 Zdenek Pytela <zpytela@redhat.com> - 40.13.2-1
|
|
- Allow all domains read and write z90crypt device
|
|
Resolves: RHEL-28539
|
|
- Allow dhcpc read /run/netns files
|
|
Resolves: RHEL-39510
|
|
- Allow bootupd search efivarfs dirs
|
|
Resolves: RHEL-39514
|
|
|
|
* Fri May 17 2024 Zdenek Pytela <zpytela@redhat.com> - 40.13.1-1
|
|
- Allow logwatch read logind sessions files
|
|
Resolves: RHEL-30441
|
|
- Allow sulogin relabel tty1
|
|
Resolves: RHEL-30440
|
|
- Dontaudit sulogin the checkpoint_restore capability
|
|
Resolves: RHEL-30440
|
|
- Allow postfix smtpd map aliases file
|
|
Resolves: RHEL-35544
|
|
- Ensure dbus communication is allowed bidirectionally
|
|
Resolves: RHEL-35783
|
|
- Allow various services read and write z90crypt device
|
|
Resolves: RHEL-28539
|
|
- Allow dhcpcd use unix_stream_socket
|
|
Resolves: RHEL-33081
|
|
- Allow xdm_t to watch and watch_reads mount_var_run_t
|
|
Resolves: RHEL-36073
|
|
- Allow plymouthd log during shutdown
|
|
Resolves: RHEL-30455
|
|
- Update rpm configuration for the /var/run equivalency change
|
|
Resolves: RHEL-36094
|
|
|
|
* Mon Feb 12 2024 Zdenek Pytela <zpytela@redhat.com> - 40.13-1
|
|
- Only allow confined user domains to login locally without unconfined_login
|
|
- Add userdom_spec_domtrans_confined_admin_users interface
|
|
- Only allow admindomain to execute shell via ssh with ssh_sysadm_login
|
|
- Add userdom_spec_domtrans_admin_users interface
|
|
- Move ssh dyntrans to unconfined inside unconfined_login tunable policy
|
|
- Update ssh_role_template() for user ssh-agent type
|
|
- Allow init to inherit system DBus file descriptors
|
|
- Allow init to inherit fds from syslogd
|
|
- Allow any domain to inherit fds from rpm-ostree
|
|
- Update afterburn policy
|
|
- Allow init_t nnp domain transition to abrtd_t
|
|
|
|
* Tue Feb 06 2024 Zdenek Pytela <zpytela@redhat.com> - 40.12-1
|
|
- Rename all /var/lock file context entries to /run/lock
|
|
- Rename all /var/run file context entries to /run
|
|
- Invert the "/var/run = /run" equivalency
|
|
|
|
* Mon Feb 05 2024 Zdenek Pytela <zpytela@redhat.com> - 40.11-1
|
|
- Replace init domtrans rule for confined users to allow exec init
|
|
- Update dbus_role_template() to allow user service status
|
|
- Allow polkit status all systemd services
|
|
- Allow setroubleshootd create and use inherited io_uring
|
|
- Allow load_policy read and write generic ptys
|
|
- Allow gpg manage rpm cache
|
|
- Allow login_userdomain name_bind to howl and xmsg udp ports
|
|
- Allow rules for confined users logged in plasma
|
|
- Label /dev/iommu with iommu_device_t
|
|
- Remove duplicate file context entries in /run
|
|
- Dontaudit getty and plymouth the checkpoint_restore capability
|
|
- Allow su domains write login records
|
|
- Revert "Allow su domains write login records"
|
|
- Allow login_userdomain delete session dbusd tmp socket files
|
|
- Allow unix dgram sendto between exim processes
|
|
- Allow su domains write login records
|
|
- Allow smbd_t to watch user_home_dir_t if samba_enable_home_dirs is on
|
|
|
|
* Wed Jan 24 2024 Zdenek Pytela <zpytela@redhat.com> - 40.10-1
|
|
- Allow chronyd-restricted read chronyd key files
|
|
- Allow conntrackd_t to use bpf capability2
|
|
- Allow systemd-networkd manage its runtime socket files
|
|
- Allow init_t nnp domain transition to colord_t
|
|
- Allow polkit status systemd services
|
|
- nova: Fix duplicate declarations
|
|
- Allow httpd work with PrivateTmp
|
|
- Add interfaces for watching and reading ifconfig_var_run_t
|
|
- Allow collectd read raw fixed disk device
|
|
- Allow collectd read udev pid files
|
|
- Set correct label on /etc/pki/pki-tomcat/kra
|
|
- Allow systemd domains watch system dbus pid socket files
|
|
- Allow certmonger read network sysctls
|
|
- Allow mdadm list stratisd data directories
|
|
- Allow syslog to run unconfined scripts conditionally
|
|
- Allow syslogd_t nnp_transition to syslogd_unconfined_script_t
|
|
- Allow qatlib set attributes of vfio device files
|
|
|
|
* Tue Jan 09 2024 Zdenek Pytela <zpytela@redhat.com> - 40.9-1
|
|
- Allow systemd-sleep set attributes of efivarfs files
|
|
- Allow samba-dcerpcd read public files
|
|
- Allow spamd_update_t the sys_ptrace capability in user namespace
|
|
- Allow bluetooth devices work with alsa
|
|
- Allow alsa get attributes filesystems with extended attributes
|
|
|
|
* Tue Jan 02 2024 Yaakov Selkowitz <yselkowi@redhat.com> - 40.8-2
|
|
- Limit %%selinux_requires to version, not release
|
|
|
|
* Thu Dec 21 2023 Zdenek Pytela <zpytela@redhat.com> - 40.8-1
|
|
- Allow hypervkvp_t write access to NetworkManager_etc_rw_t
|
|
- Add interface for write-only access to NetworkManager rw conf
|
|
- Allow systemd-sleep send a message to syslog over a unix dgram socket
|
|
- Allow init create and use netlink netfilter socket
|
|
- Allow qatlib load kernel modules
|
|
- Allow qatlib run lspci
|
|
- Allow qatlib manage its private runtime socket files
|
|
- Allow qatlib read/write vfio devices
|
|
- Label /etc/redis.conf with redis_conf_t
|
|
- Remove the lockdown-class rules from the policy
|
|
- Allow init read all non-security socket files
|
|
- Replace redundant dnsmasq pattern macros
|
|
- Remove unneeded symlink perms in dnsmasq.if
|
|
- Add additions to dnsmasq interface
|
|
- Allow nvme_stas_t create and use netlink kobject uevent socket
|
|
- Allow collectd connect to statsd port
|
|
- Allow keepalived_t to use sys_ptrace of cap_userns
|
|
- Allow dovecot_auth_t connect to postgresql using UNIX socket
|
|
|
|
* Wed Dec 13 2023 Zdenek Pytela <zpytela@redhat.com> - 40.7-1
|
|
- Make named_zone_t and named_var_run_t a part of the mountpoint attribute
|
|
- Allow sysadm execute traceroute in sysadm_t domain using sudo
|
|
- Allow sysadm execute tcpdump in sysadm_t domain using sudo
|
|
- Allow opafm search nfs directories
|
|
- Add support for syslogd unconfined scripts
|
|
- Allow gpsd use /dev/gnss devices
|
|
- Allow gpg read rpm cache
|
|
- Allow virtqemud additional permissions
|
|
- Allow virtqemud manage its private lock files
|
|
- Allow virtqemud use the io_uring api
|
|
- Allow ddclient send e-mail notifications
|
|
- Allow postfix_master_t map postfix data files
|
|
- Allow init create and use vsock sockets
|
|
- Allow thumb_t append to init unix domain stream sockets
|
|
- Label /dev/vas with vas_device_t
|
|
- Change domain_kernel_load_modules boolean to true
|
|
- Create interface selinux_watch_config and add it to SELinux users
|
|
|
|
* Tue Nov 28 2023 Zdenek Pytela <zpytela@redhat.com> - 40.6-1
|
|
- Add afterburn to modules-targeted-contrib.conf
|
|
- Update cifs interfaces to include fs_search_auto_mountpoints()
|
|
- Allow sudodomain read var auth files
|
|
- Allow spamd_update_t read hardware state information
|
|
- Allow virtnetworkd domain transition on tc command execution
|
|
- Allow sendmail MTA connect to sendmail LDA
|
|
- Allow auditd read all domains process state
|
|
- Allow rsync read network sysctls
|
|
- Add dhcpcd bpf capability to run bpf programs
|
|
- Dontaudit systemd-hwdb dac_override capability
|
|
- Allow systemd-sleep create efivarfs files
|
|
|
|
* Tue Nov 14 2023 Zdenek Pytela <zpytela@redhat.com> - 40.5-1
|
|
- Allow map xserver_tmpfs_t files when xserver_clients_write_xshm is on
|
|
- Allow graphical applications work in Wayland
|
|
- Allow kdump work with PrivateTmp
|
|
- Allow dovecot-auth work with PrivateTmp
|
|
- Allow nfsd get attributes of all filesystems
|
|
- Allow unconfined_domain_type use io_uring cmd on domain
|
|
- ci: Only run Rawhide revdeps tests on the rawhide branch
|
|
- Label /var/run/auditd.state as auditd_var_run_t
|
|
- Allow fido-device-onboard (FDO) read the crack database
|
|
- Allow ip an explicit domain transition to other domains
|
|
- Label /usr/libexec/selinux/selinux-autorelabel with semanage_exec_t
|
|
- Allow winbind_rpcd_t processes access when samba_export_all_* is on
|
|
- Enable NetworkManager and dhclient to use initramfs-configured DHCP connection
|
|
- Allow ntp to bind and connect to ntske port.
|
|
- Allow system_mail_t manage exim spool files and dirs
|
|
- Dontaudit keepalived setattr on keepalived_unconfined_script_exec_t
|
|
- Label /run/pcsd.socket with cluster_var_run_t
|
|
- ci: Run cockpit tests in PRs
|
|
|
|
* Thu Oct 19 2023 Zdenek Pytela <zpytela@redhat.com> - 40.4-1
|
|
- Add map_read map_write to kernel_prog_run_bpf
|
|
- Allow systemd-fstab-generator read all symlinks
|
|
- Allow systemd-fstab-generator the dac_override capability
|
|
- Allow rpcbind read network sysctls
|
|
- Support using systemd containers
|
|
- Allow sysadm_t to connect to iscsid using a unix domain stream socket
|
|
- Add policy for coreos installer
|
|
- Add coreos_installer to modules-targeted-contrib.conf
|
|
|
|
* Tue Oct 17 2023 Zdenek Pytela <zpytela@redhat.com> - 40.3-1
|
|
- Add policy for nvme-stas
|
|
- Confine systemd fstab,sysv,rc-local
|
|
- Label /etc/aliases.lmdb with etc_aliases_t
|
|
- Create policy for afterburn
|
|
- Add nvme_stas to modules-targeted-contrib.conf
|
|
- Add plans/tests.fmf
|
|
|
|
* Tue Oct 10 2023 Zdenek Pytela <zpytela@redhat.com> - 40.2-1
|
|
- Add the virt_supplementary module to modules-targeted-contrib.conf
|
|
- Make new virt drivers permissive
|
|
- Split virt policy, introduce virt_supplementary module
|
|
- Allow apcupsd cgi scripts read /sys
|
|
- Merge pull request #1893 from WOnder93/more-early-boot-overlay-fixes
|
|
- Allow kernel_t to manage and relabel all files
|
|
- Add missing optional_policy() to files_relabel_all_files()
|
|
|
|
* Tue Oct 03 2023 Zdenek Pytela <zpytela@redhat.com> - 40.1-1
|
|
- Allow named and ndc use the io_uring api
|
|
- Deprecate common_anon_inode_perms usage
|
|
- Improve default file context(None) of /var/lib/authselect/backups
|
|
- Allow udev_t to search all directories with a filesystem type
|
|
- Implement proper anon_inode support
|
|
- Allow targetd write to the syslog pid sock_file
|
|
- Add ipa_pki_retrieve_key_exec() interface
|
|
- Allow kdumpctl_t to list all directories with a filesystem type
|
|
- Allow udev additional permissions
|
|
- Allow udev load kernel module
|
|
- Allow sysadm_t to mmap modules_object_t files
|
|
- Add the unconfined_read_files() and unconfined_list_dirs() interfaces
|
|
- Set default file context of HOME_DIR/tmp/.* to <<none>>
|
|
- Allow kernel_generic_helper_t to execute mount(1)
|