Sun, 29 May 2022 11:13:01 UTC

Information for build selinux-policy-34.6-1.eln110

ID1745087
Package Nameselinux-policy
Version34.6
Release1.eln110
Epoch
Sourcegit+https://src.fedoraproject.org/rpms/selinux-policy.git#4fecc6469f54df3cb510885f364f1c38c2474ee6
SummarySELinux policy configuration
DescriptionSELinux core policy package. Originally based off of reference policy, the policy has been adjusted to provide support for Fedora.
Built bybpeck/jenkins-continuous-infra.apps.ci.centos.org
State complete
Volume DEFAULT
StartedFri, 07 May 2021 21:20:09 UTC
CompletedFri, 07 May 2021 21:28:02 UTC
Taskbuild (eln, /rpms/selinux-policy.git:4fecc6469f54df3cb510885f364f1c38c2474ee6)
Extra{'source': {'original_url': 'git+https://src.fedoraproject.org/rpms/selinux-policy.git#4fecc6469f54df3cb510885f364f1c38c2474ee6'}}
Tags No tags
RPMs
src
selinux-policy-34.6-1.eln110.src.rpm (info) (download)
noarch
selinux-policy-34.6-1.eln110.noarch.rpm (info) (download)
selinux-policy-devel-34.6-1.eln110.noarch.rpm (info) (download)
selinux-policy-doc-34.6-1.eln110.noarch.rpm (info) (download)
selinux-policy-minimum-34.6-1.eln110.noarch.rpm (info) (download)
selinux-policy-mls-34.6-1.eln110.noarch.rpm (info) (download)
selinux-policy-sandbox-34.6-1.eln110.noarch.rpm (info) (download)
selinux-policy-targeted-34.6-1.eln110.noarch.rpm (info) (download)
Logs
noarch
root.log
hw_info.log
state.log
build.log
mock_output.log
noarch_rpmdiff.json
Changelog * Fri May 07 2021 Zdenek Pytela <zpytela@redhat.com> - 34.6-1 - Make domains use kernel_write_perf_event() and kernel_manage_perf_event() - Add kernel_write_perf_event() and kernel_manage_perf_event() - Allow syslogd_t watch root and var directories - Allow unconfined_t read other processes perf_event records - Allow login_userdomain read and map /var/lib/systemd files - Allow NetworkManager watch its config dir - Allow NetworkManager read and write z90crypt device - Allow tgtd create and use rdma socket - Allow aide connect to init with a unix socket * Tue May 04 2021 Zdenek Pytela <zpytela@redhat.com> - 34.5-1 - Grant execmem to varnishlog_t - We no longer need signull for varnishlog_t - Add map permission to varnishd_read_lib_files - Allow systemd-sleep tlp_filetrans_named_content() - Allow systemd-sleep execute generic programs - Allow systemd-sleep execute shell - Allow to sendmail read/write kerberos host rcache files - Allow freshclam get attributes of cgroup filesystems - Fix context of /run/systemd/timesync - Allow udev create /run/gdm with proper type - Allow chronyc socket file transition in user temp directory - Allow virtlogd_t to create virt_var_lockd_t dir - Allow pluto IKEv2 / ESP over TCP * Tue Apr 27 2021 Zdenek Pytela <zpytela@redhat.com> - 34.4-1 - Allow domain create anonymous inodes - Add anon_inode class to the policy - Allow systemd-coredump getattr nsfs files and net_admin capability - Allow systemd-sleep transition to sysstat_t - Allow systemd -sleep transition to tlp_t - Allow systemd-sleep transition to unconfined_service_t on bin_t executables - Allow systemd-timedated watch runtime dir and its parent - Allow system dbusd read /var/lib symlinks - Allow unconfined_service_t confidentiality and integrity lockdown - Label /var/lib/brltty with brltty_var_lib_t - Allow domain and unconfined_domain_type watch /proc/PID dirs - Additional permission for confined users loging into graphic session - Make for screen fsetid/setuid/setgid permission conditional - Allow for confined users acces to wtmp and run utempter * Fri Apr 09 2021 Zdenek Pytela <zpytela@redhat.com> - 34.3-1 - Label /etc/redis as redis_conf_t - Add brltty new permissions required by new upstream version - Allow cups-lpd read its private runtime socket files - Dontaudit daemon open and read init_t file - Add file context specification for /var/tmp/tmp-inst - Allow brltty create and use bluetooth_socket - Allow usbmuxd get attributes of cgroup filesystems * Tue Apr 06 2021 Zdenek Pytela <zpytela@redhat.com> - 34.2-1 - Allow usbmuxd get attributes of cgroup filesystems - Allow accounts-daemon get attributes of cgroup filesystems - Allow pool-geoclue get attributes of cgroup filesystems - allow systemd-sleep to set timer for suspend-then-hibernate - Allow aide connect to systemd-userdbd with a unix socket - Add new interfaces with watch_mount and watch_with_perm permissions - Add file context specification for /usr/libexec/realmd - Allow /tmp file transition for dbus-daemon also for sock_file - Allow login_userdomain create cgroup files - Allow plymouthd_t exec generic program in bin directories * Thu Apr 01 2021 Zdenek Pytela <zpytela@redhat.com> - 34.1-1 - Change the package versioning * Thu Apr 01 2021 Zdenek Pytela <zpytela@redhat.com> - 3.14.8-10 - Allow plymouthd_t exec generic program in bin directories - Allow dhcpc_t domain transition to chronyc_t - Allow login_userdomain bind xmsg port - Allow ibacm the net_raw and sys_rawio capabilities - Allow nsswitch_domain read cgroup files - Allow systemd-sleep create hardware state information files * Mon Mar 29 2021 Zdenek Pytela <zpytela@redhat.com> - 3.14.8-9 - Add watch_with_perm_dirs_pattern file pattern * Fri Mar 26 2021 Zdenek Pytela <zpytela@redhat.com> - 3.14.8-8 - Allow arpwatch_t create netlink generic socket - Allow postgrey read network state - Add watch_mount_dirs_pattern file pattern - Allow bluetooth_t dbus chat with fwupd_t - Allow xdm_t watch accountsd lib directories - Add additional interfaces for watching /boot - Allow sssd_t get attributes of tmpfs filesystems - Allow local_login_t get attributes of tmpfs filesystems - Dontaudit domain the fowner capability - Extend fs_manage_nfsd_fs() to allow managing dirs as well - Allow spice-vdagentd watch systemd-logind session dirs * Fri Mar 19 2021 Zdenek Pytela <zpytela@redhat.com> - 3.14.8-7 - Allow xdm_t watch systemd-logind session dirs - Allow xdm_t transition to system_dbusd_t - Allow confined users login into graphic session - Allow login_userdomain watch systemd login session dirs - install_t: Allow NoNewPriv transition from systemd - Remove setuid/setgid capabilities from mysqld_t - Add context for new mariadbd executable files - Allow netutils_t create netlink generic socket - Allow systemd the audit_control capability conditionally * Thu Mar 11 2021 Zdenek Pytela <zpytela@redhat.com> - 3.14.8-6 - Allow polkit-agent-helper-1 read logind sessions files - Allow polkit-agent-helper read init state - Allow login_userdomain watch generic device dirs - Allow login_userdomain listen on bluetooth sockets - Allow user_t and staff_t bind netlink_generic_socket - Allow login_userdomain write inaccessible nodes - Allow transition from xdm domain to unconfined_t domain. - Add 'make validate' step to CI - Disallow user_t run su/sudo and staff_t run su - Fix typo in rsyncd.conf in rsync.if - Add an alias for nvme_device_t - Allow systemd watch and watch_reads unallocated ttys * Wed Mar 03 2021 Zdenek Pytela <zpytela@redhat.com> - 3.14.8-5 - Allow apmd watch generic device directories - Allow kdump load a new kernel - Add confidentiality lockdown permission to kernel_read_core_if() - Allow keepalived read nsfs files - Allow local_login_t get attributes of filesystems with ext attributes - Allow keepalived read/write its private memfd: objects - Add missing declaration in rpm_named_filetrans() - Change param description in cron interfaces to userdomain_prefix * Wed Feb 24 2021 Zdenek Pytela <zpytela@redhat.com> - 3.14.8-4 - iptables.fc: Add missing legacy entries - iptables.fc: Remove some duplicate entries - iptables.fc: Remove duplicate file context entries - Allow libvirtd to create generic netlink sockets - Allow libvirtd the fsetid capability - Allow libvirtd to read /run/utmp - Dontaudit sys_ptrace capability when calling systemctl - Allow udisksd to read /dev/random - Allow udisksd to watch files under /run/mount - Allow udisksd to watch /etc - Allow crond to watch user_cron_spool_t directories - Allow accountsd watch xdm config directories - Label /etc/avahi with avahi_conf_t - Allow sssd get cgroup filesystems attributes and search cgroup dirs - Allow systemd-hostnamed read udev runtime data - Remove dev_getattr_sysfs_fs() interface calls for particular domains - Allow domain stat the /sys filesystem - Dontaudit NetworkManager write to initrc_tmp_t pipes - policykit.te: Clean up watch rule for policykit_auth_t - Revert further unnecessary watch rules - Revert "Allow getty watch its private runtime files" - Allow systemd watch generic /var directories - Allow init watch network config files and lnk_files - Allow systemd-sleep get attributes of fixed disk device nodes - Complete initial policy for systemd-coredump - Label SDC(scini) Dell Driver - Allow upowerd to send syslog messages - Remove the disk write permissions from tlp_t - Label NVMe devices as fixed_disk_device_t - Allow rhsmcertd bind tcp sockets to a generic node - Allow systemd-importd manage machines.lock file * Tue Feb 16 2021 Zdenek Pytela <zpytela@redhat.com> - 3.14.8-3 - Allow unconfined integrity lockdown permission - Relocate confidentiality lockdown rule from unconfined_domain_type to unconfined - Allow systemd-machined manage systemd-userdbd runtime sockets - Enable systemd-sysctl domtrans for udev - Introduce kernel_load_unsigned_module interface and use it for couple domains - Allow gpg watch user gpg secrets dirs - Build also the container module in CI - Remove duplicate code from kernel.te - Allow restorecond to watch all non-auth directories - Allow restorecond to watch its config file * Mon Feb 15 2021 Zdenek Pytela <zpytela@redhat.com> - 3.14.8-2 - Allow userdomain watch various filesystem objects - Allow systemd-logind and systemd-sleep integrity lockdown permission - Allow unconfined_t and kprop_t to create krb5_0.rcache2 with the right context - Allow pulseaudio watch devices and systemd-logind session dirs - Allow abrt-dump-journal-* watch generic log dirs and /run/log/journal dir - Remove duplicate files_mounton_etc(init_t) call - Add watch permissions to manage_* object permissions sets - Allow journalctl watch generic log dirs and /run/log/journal dir - Label /etc/resolv.conf as net_conf_t even when it's a symlink - Allow SSSD to watch /var/run/NetworkManager - Allow dnsmasq_t to watch /etc - Remove unnecessary lines from the new watch interfaces - Fix docstring for init_watch_dir() - Allow xdm watch its private lib dirs, /etc, /usr * Thu Feb 11 2021 Zdenek Pytela <zpytela@redhat.com> - 3.14.8-1 - Bump version as Fedora 34 has been branched off rawhide - Allow xdm watch its private lib dirs, /etc, /usr - Allow systemd-importd create /run/systemd/machines.lock file - Allow rhsmcertd_t read kpatch lib files - Add integrity lockdown permission into dev_read_raw_memory() - Add confidentiality lockdown permission into fs_rw_tracefs_files() - Allow gpsd read and write ptp4l_t shared memory. - Allow colord watch its private lib files and /usr - Allow init watch_reads mount PID files - Allow IPsec and Certmonger to use opencryptoki services * Sun Feb 07 2021 Zdenek Pytela <zpytela@redhat.com> - 3.14.7-18 - Allow lockdown confidentiality for domains using perf_event - define lockdown class and access - Add perfmon capability for all domains using perf_event - Allow ptp4l_t bpf capability to run bpf programs - Revert "Allow ptp4l_t sys_admin capability to run bpf programs" - access_vectors: Add new capabilities to cap2 - Allow systemd and systemd-resolved watch dbus pid objects - Add new watch interfaces in the base and userdomain policy - Add watch permissions for contrib packages - Allow xdm watch /usr directories - Allow getty watch its private runtime files - Add watch permissions for nscd and sssd - Add watch permissions for firewalld and NetworkManager - Add watch permissions for syslogd - Add watch permissions for systemd services - Allow restorecond watch /etc dirs - Add watch permissions for user domain types - Add watch permissions for init - Add basic watch interfaces for systemd - Add basic watch interfaces to the base module - Add additional watch object permissions sets and patterns - Allow init_t to watch localization symlinks - Allow init_t to watch mount directories - Allow init_t to watch cgroup files - Add basic watch patterns - Add new watch* permissions * Fri Feb 05 2021 Zdenek Pytela <zpytela@redhat.com> - 3.14.7-17 - Update .copr/make-srpm.sh to use rawhide as DISTGIT_BRANCH - Dontaudit setsched for rndc - Allow systemd-logind destroy entries in message queue - Add userdom_destroy_unpriv_user_msgq() interface - ci: Install build dependencies from koji - Dontaudit vhostmd to write in /var/lib/rpm/ dir and allow signull rpm - Add new cmadmin port for bfdd dameon - virtiofs supports Xattrs and SELinux - Allow domain write to systemd-resolved PID socket files - Label /var/run/pcsd-ruby.socket socket with cluster_var_run_t type - Allow rhsmcertd_t domain transition to kpatch_t - Revert "Add kpatch_exec() interface" - Revert "Allow rhsmcertd execute kpatch" - Allow openvswitch create and use xfrm netlink sockets - Allow openvswitch_t perf_event write permission - Add kpatch_exec() interface - Allow rhsmcertd execute kpatch - Adds rule to allow glusterd to access RDMA socket - radius: Lexical sort of service-specific corenet rules by service name - VQP: Include IANA-assigned TCP/1589 - radius: Allow binding to the VQP port (VMPS) - radius: Allow binding to the BDF Control and Echo ports - radius: Allow binding to the DHCP client port - radius: Allow net_raw; allow binding to the DHCP server ports - Add rsync_sys_admin tunable to allow rsync sys_admin capability - Allow staff_u run pam_console_apply - Allow openvswitch_t perf_event open permission - Allow sysadm read and write /dev/rfkill - Allow certmonger fsetid capability - Allow domain read usermodehelper state information * Wed Jan 27 2021 Fedora Release Engineering <releng@fedoraproject.org> - 3.14.7-16 - Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild * Fri Jan 22 2021 Petr Lautrbach <plautrba@redhat.com> - 3.14.7-15 - Update specfile to not verify md5/size/mtime for active store files - Add /var/mnt equivalency to /mnt - Rebuild with SELinux userspace 3.2-rc1 release * Fri Jan 08 2021 Zdenek Pytela <zpytela@redhat.com> - 3.14.7-14 - Allow domain read usermodehelper state information - Remove all kernel_read_usermodehelper_state() interface calls - .copr: improve timestamp format - Allow wireshark create and use rdma socket - Allow domain stat /proc filesystem - Remove all kernel_getattr_proc() interface calls - Revert "Allow passwd to get attributes in proc_t" - Revert "Allow dovecot_auth_t stat /proc filesystem" - Revert "Allow sssd, unix_chkpwd, groupadd stat /proc filesystem" - Allow sssd read /run/systemd directory - Label /dev/vhost-vdpa-[0-9]+ as vhost_device_t * Thu Dec 17 2020 Zdenek Pytela <zpytela@redhat.com> - 3.14.7-13 - Label /dev/isst_interface as cpu_device_t - Dontaudit firewalld dac_override capability - Allow ipsec set the context of a SPD entry to the default context - Build binary RPMs in CI - Add SRPM build scripts for COPR * Tue Dec 15 2020 Zdenek Pytela <zpytela@redhat.com> - 3.14.7-12 - Allow dovecot_auth_t stat /proc filesystem - Allow sysadm_u user and unconfined_domain_type manage perf_events - Allow pcp-pmcd manage perf_events - Add manage_perf_event_perms object permissions set - Add perf_event access vectors. - Allow sssd, unix_chkpwd, groupadd stat /proc filesystem - Allow stub-resolv.conf to be a symlink - sysnetwork.if: avoid directly referencing systemd_resolved_var_run_t - Create the systemd_dbus_chat_resolved() compatibility interface - Allow nsswitch-domain write to systemd-resolved PID socket files - Add systemd_resolved_write_pid_sock_files() interface - Add default file context for "/var/run/chrony-dhcp(/.*)?" - Allow timedatex dbus chat with cron system domain - Add cron_dbus_chat_system_job() interface - Allow systemd-logind manage init's pid files * Wed Dec 09 2020 Zdenek Pytela <zpytela@redhat.com> - 3.14.7-11 - Allow systemd-logind manage init's pid files - Allow tcsd the setgid capability - Allow systemd-resolved manage its private runtime symlinks - Update systemd_resolved_read_pid() to also read symlinks - Update systemd-sleep policy - Add groupadd_t fowner capability - Migrate to GitHub Actions - Update README.md to reflect the state after contrib and base merge - Add README.md announcing merging of selinux-policy and selinux-policy-contrib - Adapt .travis.yml to contrib merge - Merge contrib into the main repo - Prepare to merge contrib repo - Move stuff around to match the main repo * Thu Nov 26 2020 Zdenek Pytela <zpytela@redhat.com> - 3.14.7-10 - Allow Xephyr connect to 6000/tcp port and open user ptys - Allow kexec manage generic tmp files - Update targetd nfs & lvm - Add interface rpc_manage_exports - Merge selinux-policy and selinux-policy-contrib repos * Tue Nov 24 2020 Zdenek Pytela <zpytela@redhat.com> - 3.14.7-9 - Allow varnish map its private tmp files - Allow dovecot bind to smtp ports - Change fetchmail temporary files path to /var/spool/mail - Allow cups_pdf_t domain to communicate with unix_dgram_socket - Set file context for symlinks in /etc/httpd to etc_t - Allow rpmdb rw access to inherited console, ttys, and ptys - Allow dnsmasq read public files - Announce merging of selinux-policy and selinux-policy-contrib - Label /etc/resolv.conf as net_conf_t only if it is a plain file - Fix range for unreserved ports - Add files_search_non_security_dirs() interface - Introduce logging_syslogd_append_public_content tunable - Add miscfiles_append_public_files() interface * Fri Nov 13 2020 Zdenek Pytela <zpytela@redhat.com> - 3.14.7-8 - Set correct default file context for /usr/libexec/pcp/lib/* - Introduce rpmdb_t type - Allow slapd manage files/dirs in ldap certificates directory - Revert "Allow certmonger add new entries in a generic certificates directory" - Allow certmonger add new entries in a generic certificates directory - Allow slapd add new entries in ldap certificates directory - Remove retired PCP pmwebd and pmmgr daemons (since 5.0) - Let keepalived bind a raw socket - Add default file context for /usr/libexec/pcp/lib/* - squid: Allow net_raw capability when squid_use_tproxy is enabled - systemd: allow networkd to check namespaces - Add ability to read init_var_run_t where fs_read_efivarfs_files is allowed - Allow resolved to created varlink sockets and the domain to talk to it - selinux: tweak selinux_get_enforce_mode() to allow status page to be used - systemd: allow all systemd services to check selinux status - Set default file context for /var/lib/ipsec/nss - Allow user domains transition to rpmdb_t - Revert "Add miscfiles_add_entry_generic_cert_dirs() interface" - Revert "Add miscfiles_create_generic_cert_dirs() interface" - Update miscfiles_manage_all_certs() to include managing directories - Add miscfiles_create_generic_cert_dirs() interface - Add miscfiles_add_entry_generic_cert_dirs() interface - Revert "Label /var/run/zincati/public/motd.d/* as motd_var_run_t" * Tue Nov 03 2020 Petr Lautrbach <plautrba@redhat.com> - 3.14.7-7 - Rebuild with latest libsepol - Bump policy version to 33 * Thu Oct 22 2020 Zdenek Pytela <zpytela@redhat.com> - 3.14.7-6 - rpc.fc: Include /etc/exports.d dir & files - Create chronyd_pid_filetrans() interface - Change invalid type redisd_t to redis_t in redis_stream_connect() - Revert "Removed adding to attribute unpriv_userdomain from userdom_unpriv_type template" - Allow init dbus chat with kernel - Allow initrc_t create /run/chronyd-dhcp directory with a transition - Drop gcc from dependencies in Travis CI - fc_sort.py: Use "==" for comparing integers. - re-implement fc_sort in python - Remove invalid file context line - Drop git from dependencies in Travis CI * Tue Oct 06 2020 Zdenek Pytela <zpytela@redhat.com> - 3.14.7-5 - Remove empty line from rshd.fc - Allow systemd-logind read swap files - Add fstools_read_swap_files() interface - Allow dyntransition from sshd_t to unconfined_t - Removed adding to attribute unpriv_userdomain from userdom_unpriv_type template * Fri Sep 25 2020 Zdenek Pytela <zpytela@redhat.com> - 3.14.7-4 - Allow chronyd_t to accept and make NTS-KE connections - Allow domain write to an automount unnamed pipe - Label /var/run/zincati/public/motd.d/* as motd_var_run_t - Allow login programs to (only) read MOTD files and symlinks - Relabel /usr/sbin/charon-systemd as ipsec_exec_t - Confine systemd-sleep service - Add fstools_rw_swap_files() interface - Label 4460/tcp port as ntske_port_t - Add lvm_dbus_send_msg(), lvm_rw_var_run() interfaces * Mon Sep 21 2020 Zdenek Pytela <zpytela@redhat.com> - 3.14.7-3 - Check out the right -contrib branch in Travis * Fri Sep 18 2020 Zdenek Pytela <zpytela@redhat.com> - 3.14.7-2 - Allow openvswitch fowner capability and create netlink sockets - Allow additional permissions for gnome-initial-setup - Add to map non_security_files to the userdom_admin_user_template template - kernel/filesystem: Add exfat support (no extended attributes) * Tue Sep 08 2020 Zdenek Pytela <zpytela@redhat.com> - 3.14.7-1 - Bump version as Fedora 33 has been branched - Allow php-fpm write access to /var/run/redis/redis.sock - Allow journalctl to read and write to inherited user domain tty - Update rkt policy to allow rkt_t domain to read sysfs filesystem - Allow arpwatch create and use rdma socket - Allow plymouth sys_chroot capability - Allow gnome-initial-setup execute in a xdm sandbox - Add new devices and filesystem interfaces * Mon Aug 24 2020 Zdenek Pytela <zpytela@redhat.com> - 3.14.6-25 - Allow certmonger fowner capability - The nfsdcld service is now confined by SELinux - Change transitions for ~/.config/Yubico - Allow all users to connect to systemd-userdbd with a unix socket - Add file context for ~/.config/Yubico - Allow syslogd_t domain to read/write tmpfs systemd-bootchart files - Allow login_pgm attribute to get attributes in proc_t - Allow passwd to get attributes in proc_t - Revert "Allow passwd to get attributes in proc_t" - Revert "Allow login_pgm attribute to get attributes in proc_t" - Allow login_pgm attribute to get attributes in proc_t - Allow passwd to get attributes in proc_t - Allow traceroute_t and ping_t to bind generic nodes. - Create macro corenet_icmp_bind_generic_node() - Allow unconfined_t to node_bind icmp_sockets in node_t domain * Thu Aug 13 2020 Zdenek Pytela <zpytela@redhat.com> - 3.14.6-24 - Add ipa_helper_noatsecure() interface unconditionally - Conditionally allow nagios_plugin_domain dbus chat with init - Revert "Update allow rules set for nrpe_t domain" - Add ipa_helper_noatsecure() interface to ipa.if - Label /usr/libexec/qemu-pr-helper with virtd_exec_t - Allow kadmind manage kerberos host rcache - Allow nsswitch_domain to connect to systemd-machined using a unix socket - Define named file transition for sshd on /tmp/krb5_0.rcache2 - Allow systemd-machined create userdbd runtime sock files - Disable kdbus module before updating * Mon Aug 03 2020 Zdenek Pytela <zpytela@redhat.com> - 3.14.6-23 - Revert "Add support for /sys/fs/kdbus and allow login_pgm domain to access it." - Revert "Add interface to allow types to associate with cgroup filesystems" - Revert "kdbusfs should not be accessible for now." - Revert "kdbusfs should not be accessible for now by default for shipped policies. It should be moved to kdbus.pp" - Revert "Add kdbus.pp policy to allow access /sys/fs/kdbus. It needs to go with own module because this is workaround for now to avoid SELinux in enforcing mode." - Remove the legacy kdbus module - Remove "kdbus = module" from modules-targeted-base.conf * Thu Jul 30 2020 Zdenek Pytela <zpytela@redhat.com> - 3.14.6-22 - Allow virtlockd only getattr and lock block devices - Allow qemu-ga read all non security file types conditionally - Allow virtlockd manage VMs posix file locks - Allow smbd get attributes of device files labeled samba_share_t - Label /tmp/krb5_0.rcache2 with krb5_host_rcache_t - Add a new httpd_can_manage_courier_spool boolean - Create interface courier_manage_spool_sockets() in courier policy to allow to search dir and allow manage sock files - Revert "Allow qemu-kvm read and write /dev/mapper/control" - Revert "Allow qemu read and write /dev/mapper/control" - Revert "Dontaudit and disallow sys_admin capability for keepalived_t domain" - Dontaudit pcscd_t setting its process scheduling - Dontaudit thumb_t setting its process scheduling - Allow munin domain transition with NoNewPrivileges - Add dev_lock_all_blk_files() interface - Allow auditd manage kerberos host rcache files - Allow systemd-logind dbus chat with fwupd * Wed Jul 29 2020 Fedora Release Engineering <releng@fedoraproject.org> - 3.14.6-21 - Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild * Mon Jul 13 2020 Lukas Vrabec <lvrabec@redhat.com> - 3.14.6-20 - Align gen_tunable() syntax with sepolgen * Fri Jul 10 2020 Zdenek Pytela <zpytela@redhat.com> - 3.14.6-19 - Additional support for keepalived running in a namespace - Remove systemd_dbus_chat_resolved(pcp_pmie_t) - virt: remove the libvirt qmf rules - Allow certmonger manage dirsrv services - Run ipa_helper_noatsecure(oddjob_t) only if the interface exists - Allow domain dbus chat with systemd-resolved - Define file context for /var/run/netns directory only - Revert "Add support for fuse.glusterfs" * Tue Jul 07 2020 Zdenek Pytela <zpytela@redhat.com> - 3.14.6-18 - Allow oddjob_t process noatsecure permission for ipa_helper_t - Allow keepalived manage its private type runtime directories - Update irqbalance runtime directory file context - Allow irqbalance file transition for pid sock_files and directories - Allow systemd_private_tmp(dirsrv_tmp_t) instead of dirsrv_t - Allow virtlogd_t manage virt lib files - Allow systemd set efivarfs files attributes - Support systemctl --user in machinectl - Allow chkpwd_t read and write systemd-machined devpts character nodes - Allow init_t write to inherited systemd-logind sessions pipes * Fri Jun 26 2020 Zdenek Pytela <zpytela@redhat.com> - 3.14.6-17 - Allow pdns server to read system state - Allow irqbalance nnp_transition - Fix description tag for the sssd_connect_all_unreserved_ports tunable - Allow journalctl process set its resource limits - Add sssd_access_kernel_keys tunable to conditionally access kernel keys - Make keepalived work with network namespaces - Create sssd_connect_all_unreserved_ports boolean - Allow hypervkvpd to request kernel to load a module - Allow systemd_private_tmp(dirsrv_tmp_t) - Allow microcode_ctl get attributes of sysfs directories - Remove duplicate files_dontaudit_list_tmp(radiusd_t) line - Allow radiusd connect to gssproxy over unix domain stream socket - Add fwupd_cache_t file context for '/var/cache/fwupd(/.*)?' - Allow qemu read and write /dev/mapper/control - Allow tlp_t can_exec() tlp_exec_t - Dontaudit vpnc_t setting its process scheduling - Remove files_mmap_usr_files() call for particular domains - Allow dirsrv_t list cgroup directories - Crete the kerberos_write_kadmind_tmp_files() interface - Allow realmd_t dbus chat with accountsd_t - Label systemd-growfs and systemd-makefs as fsadm_exec_t - Allow staff_u and user_u setattr generic usb devices - Allow sysadm_t dbus chat with accountsd - Modify kernel_rw_key() not to include append permission - Add kernel_rw_key() interface to access to kernel keyrings - Modify systemd_delete_private_tmp() to use delete_*_pattern macros - Allow systemd-modules to load kernel modules - Add cachefiles_dev_t as a typealias to cachefiles_device_t - Allow libkrb5 lib read client keytabs - Allow domain mmap usr_t files - Remove files_mmap_usr_files() call for systemd domains - Allow sshd write to kadmind temporary files - Do not audit staff_t and user_t attempts to manage boot_t entries - Add files_dontaudit_manage_boot_dirs() interface - Allow systemd-tty-ask-password-agent read efivarfs files * Thu Jun 25 2020 Adam Williamson <awilliam@redhat.com> - 3.14.6-16 - Fix scriptlets when /etc/selinux/config does not exist * Thu Jun 04 2020 Zdenek Pytela <zpytela@redhat.com> - 3.14.6-15 - Add fetchmail_uidl_cache_t type for /var/mail/.fetchmail.pid - Support multiple ways of tlp invocation - Allow qemu-kvm read and write /dev/mapper/control - Introduce logrotate_use_cifs boolean - Allow ptp4l_t sys_admin capability to run bpf programs - Allow to getattr files on an nsfs filesystem - httpd: Allow NoNewPriv transition from systemd - Allow rhsmd read process state of all domains and kernel threads - Allow rhsmd mmap /etc/passwd - Allow systemd-logind manage efivarfs files - Allow initrc_t tlp_filetrans_named_content() - Allow systemd_resolved_t to read efivarfs - Allow systemd_modules_load_t to read efivarfs - Introduce systemd_read_efivarfs_type attribute - Allow named transition for /run/tlp from a user shell - Allow ipsec_mgmt_t mmap ipsec_conf_file_t files - Add file context for /sys/kernel/tracing * Tue May 19 2020 Zdenek Pytela <zpytela@redhat.com> - 3.14.6-14 - Allow chronyc_t domain to use nsswitch - Allow nscd_socket_use() for domains in nscd_use() unconditionally - Add allow rules for lttng-sessiond domain - Label dirsrv systemd unit files and add dirsrv_systemctl() - Allow gluster geo-replication in rsync mode - Allow nagios_plugin_domain execute programs in bin directories - Allow sys_admin capability for domain labeled systemd_bootchart_t - Split the arping path regexp to 2 lines to prevent from relabeling - Allow tcpdump sniffing offloaded (RDMA) traffic - Revert "Change arping path regexp to work around fixfiles incorrect handling" - Change arping path regexp to work around fixfiles incorrect handling - Allow read efivarfs_t files by domains executing systemctl file * Wed Apr 29 2020 Zdenek Pytela <zpytela@redhat.com> - 3.14.6-13 - Update networkmanager_read_pid_files() to allow also list_dir_perms - Update policy for NetworkManager_ssh_t - Allow glusterd synchronize between master and slave - Allow spamc_t domain to read network state - Allow strongswan use tun/tap devices and keys - Allow systemd_userdbd_t domain logging to journal * Tue Apr 14 2020 Zdenek Pytela <zpytela@redhat.com> - 3.14.6-12 - Allow rngd create netlink_kobject_uevent_socket and read udev runtime files - Allow ssh-keygen create file in /var/lib/glusterd - Update ctdbd_manage_lib_files() to also allow mmap ctdbd_var_lib_t files - Merge ipa and ipa_custodia modules - Allow NetworkManager_ssh_t to execute_no_trans for binary ssh_exec_t - Introduce daemons_dontaudit_scheduling boolean - Modify path for arping in netutils.fc to match both bin and sbin - Change file context for /var/run/pam_ssh to match file transition - Add file context entry and file transition for /var/run/pam_timestamp * Tue Mar 31 2020 Zdenek Pytela <zpytela@redhat.com> - 3.14.6-11 - Allow NetworkManager manage dhcpd unit files - Update ninfod policy to add nnp transition from systemd to ninfod - Remove container interface calling by named_filetrans_domain. * Wed Mar 25 2020 Zdenek Pytela <zpytela@redhat.com> - 3.14.6-10 - Allow openfortivpn exec shell - Remove label session_dbusd_tmp_t for /run/user/USERID/systemd - Add ibacm_t ipc_lock capability - Allow ipsec_t connectto ipsec_mgmt_t - Remove ipa_custodia - Allow systemd-journald to read user_tmp_t symlinks * Wed Mar 18 2020 Zdenek Pytela <zpytela@redhat.com> - 3.14.6-9 - Allow zabbix_t manage and filetrans temporary socket files - Makefile: fix tmp/%.mod.fc target * Fri Mar 13 2020 Zdenek Pytela <zpytela@redhat.com> - 3.14.6-8 - Allow NetworkManager read its unit files and manage services - Add init_daemon_domain() for geoclue_t - Allow to use nnp_transition in pulseaudio_role - Allow pdns_t domain to map files in /usr. - Label all NetworkManager fortisslvpn plugins as openfortivpn_exec_t - Allow login_pgm create and bind on netlink_selinux_socket * Mon Mar 09 2020 Zdenek Pytela <zpytela@redhat.com> - 3.14.6-7 - Allow sssd read systemd-resolved runtime directory - Allow sssd read NetworkManager's runtime directory - Mark nm-cloud-setup systemd units as NetworkManager_unit_file_t - Allow system_mail_t to signull pcscd_t - Create interface pcscd_signull - Allow auditd poweroff or switch to single mode * Fri Feb 28 2020 Lukas Vrabec <lvrabec@redhat.com> - 3.14.6-6 - Allow postfix stream connect to cyrus through runtime socket - Dontaudit daemons to set and get scheduling policy/parameters * Sat Feb 22 2020 Lukas Vrabec <lvrabec@redhat.com> - 3.14.6-5 - Allow certmonger_t domain to read pkcs_slotd lock files - Allow httpd_t domain to mmap own var_lib_t files BZ(1804853) - Allow ipda_custodia_t to create udp_socket and added permission nlmsg_read for netlink_route_sockets - Make file context more variable for /usr/bin/fusermount and /bin/fusermount - Allow local_login_t domain to getattr cgroup filesystem - Allow systemd_logind_t domain to manage user_tmp_t char and block devices * Tue Feb 18 2020 Lukas Vrabec <lvrabec@redhat.com> - 3.14.6-4 - Update virt_read_qemu_pid_files inteface - Allow systemd_logind_t domain to getattr cgroup filesystem - Allow systemd_logind_t domain to manage user_tmp_t char and block devices - Allow nsswitch_domain attribute to stream connect to systemd process * Sun Feb 16 2020 Lukas Vrabec <lvrabec@redhat.com> - 3.14.6-3 - Allow systemd labeled as init_t to manage systemd_userdbd_runtime_t symlinks - Allow systemd_userdbd_t domain to read efivarfs files * Sat Feb 15 2020 Lukas Vrabec <lvrabec@redhat.com> - 3.14.6-2 - Allow vhostmd communication with hosted virtual machines - Add and update virt interfaces - Update radiusd policy - Allow systemd_private_tmp(named_tmp_t) - Allow bacula dac_override capability - Allow systemd_networkd_t to read efivarfs - Add support for systemd-userdbd - Allow systemd system services read efivarfs files * Sat Feb 15 2020 Lukas Vrabec <lvrabec@redhat.com> - 3.14.6-1 - Bump version to 3.14.6 because fedora 32 was branched * Fri Feb 07 2020 Zdenek Pytela <zpytela@redhat.com> - 3.14.5-24 - Allow ptp4l_t create and use packet_socket sockets - Allow ipa_custodia_t create and use netlink_route_socket sockets. - Allow networkmanager_t transition to setfiles_t - Create init_create_dirs boolean to allow init create directories * Fri Jan 31 2020 Zdenek Pytela <zpytela@redhat.com> - 3.14.5-23 - Allow thumb_t connect to system_dbusd_t BZ(1795044) - Allow saslauthd_t filetrans variable files for /tmp directory - Added apache create log dirs macro - Tiny documentation fix - Allow openfortivpn_t to manage net_conf_t files. - Introduce boolean openfortivpn_can_network_connect. - Dontaudit domain chronyd_t to list in user home dirs. - Allow init_t to create apache log dirs. - Add file transition for /dev/nvidia-uvm BZ(1770588) - Allow syslog_t to read efivarfs_t files - Add ioctl to term_dontaudit_use_ptmx macro - Update xserver_rw_session macro * Thu Jan 30 2020 Fedora Release Engineering <releng@fedoraproject.org> - 3.14.5-22 - Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild * Fri Jan 24 2020 Zdenek Pytela <zpytela@redhat.com> - 3.14.5-21 - Dontaudit timedatex_t read file_contexts_t and validate security contexts - Make stratisd_t domain unconfined for now. - stratisd_t policy updates. - Label /var/spool/plymouth/boot.log as plymouthd_var_log_t - Label /stratis as stratisd_data_t - Allow opafm_t to create and use netlink rdma sockets. - Allow stratisd_t domain to read/write fixed disk devices and removable devices. - Added macro for stratisd to chat over dbus - Add dac_override capability to stratisd_t domain - Allow init_t set the nice level of all domains BZ(1778088) - Allow userdomain to chat with stratisd over dbus. * Mon Jan 13 2020 Lukas Vrabec <lvrabec@redhat.com> - 3.14.5-20 - Fix typo in anaconda SELinux module - Allow rtkit_t domain to control scheduling for your install_t processes - Boolean: rngd_t to use executable memory - Allow rngd_t domain to use nsswitch BZ(1787661) - Allow exim to execute bin_t without domain trans - Allow create udp sockets for abrt_upload_watch_t domains - Drop label zebra_t for frr binaries - Allow NetworkManager_t domain to get status of samba services - Update milter policy to allow use sendmail - Modify file context for .local directory to match exactly BZ(1637401) - Allow init_t domain to create own socket files in /tmp - Allow ipsec_mgmt_t domain to mmap ipsec_conf_file_t files - Create files_create_non_security_dirs() interface * Fri Dec 20 2019 Zdenek Pytela <zpytela@redhat.com> - 3.14.5-19 - Allow init_t nnp domain transition to kmod_t - Allow userdomain dbus chat with systemd_resolved_t - Allow init_t read and setattr on /var/lib/fprintd - Allow sysadm_t dbus chat with colord_t - Allow confined users run fwupdmgr - Allow confined users run machinectl - Allow systemd labeled as init_t domain to create dirs labeled as var_t - Allow systemd labeled as init_t do read/write tpm_device_t chr files BZ(1778079) - Add new file context rabbitmq_conf_t. - Allow journalctl read init state BZ(1731753) - Add fprintd_read_var_lib_dir and fprintd_setattr_var_lib_dir interfaces - Allow pulseaudio create .config and dgram sendto to unpriv_userdomain - Change type in transition for /var/cache/{dnf,yum} directory - Allow cockpit_ws_t read efivarfs_t BZ(1777085) - Allow abrt_dump_oops_t domain to create udp sockets BZ(1778030) - Allow named_t domain to mmap named_zone_t files BZ(1647493) - Make boinc_var_lib_t label system mountdir attribute - Allow stratis_t domain to request load modules - Update fail2ban policy - Allow spamd_update_t access antivirus_unit_file_t BZ(1774092) - Allow uuidd_t Domain trasition from sytemd into confined domain with NoNewPrivileges Systemd Security feature. - Allow rdisc_t Domain trasition from sytemd into confined domain with NoNewPrivileges Systemd Security feature. * Thu Nov 28 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.5-18 - Allow systemd to read all proc - Introduce new type pdns_var_lib_t - Allow zebra_t domain to read files labled as nsfs_t. - Allow systemd to setattr on all device_nodes - Allow systemd to mounton and list all proc types * Wed Nov 27 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.5-17 - Fix nonexisting types in rtas_errd_rw_lock interface - Allow snmpd_t domain to trace processes in user namespace - Allow timedatex_t domain to read relatime clock and adjtime_t files - Allow zebra_t domain to execute zebra binaries - Label /usr/lib/NetworkManager/dispatcher as NetworkManager_initrc_exec_t - Allow ksmtuned_t domain to trace processes in user namespace - Allow systemd to read symlinks in /var/lib - Update dev_mounton_all_device_nodes() interface - Add the miscfiles_map_generic_certs macro to the sysnet_dns_name_resolve macro. - Allow systemd_domain to map files in /usr. - Allow strongswan start using swanctl method BZ(1773381) - Dontaudit systemd_tmpfiles_t getattr of all file types BZ(1772976) * Thu Nov 21 2019 Zdenek Pytela <zpytela@redhat.com> - 3.14.5-16 - Allow timedatex_t domain dbus chat with both confined and unconfined users - Allow timedatex_t domain dbus chat with unconfined users - Allow NetworkManager_t manage dhcpc_state_t BZ(1770698) - Make unconfined domains part of domain_named_attribute - Label tcp ports 24816,24817 as pulp_port_t - Remove duplicate entries for initrc_t in init.te * Thu Nov 14 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.5-15 - Increase SELinux userspace version which should be required. * Wed Nov 13 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.5-14 - Increase version of kernel compiled binary policy to 32 because of new SELinux userspace v3.0 * Wed Nov 13 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.5-13 - Fix typo bugs in rtas_errd_read_lock() interface - cockpit: Drop cockpit-cert-session - Allow timedatex_t domain to systemctl chronyd domains - Allow ipa_helper_t to read kr5_keytab_t files - cockpit: Allow cockpit-session to read cockpit-tls state directory - Allow stratisd_t domain to read nvme and fixed disk devices - Update lldpad_t policy module - Dontaudit tmpreaper_t getting attributes from sysctl_type files - cockpit: Support https instance factory - Added macro for timedatex to chat over dbus. - Fix typo in dev_filetrans_all_named_dev() - Update files_manage_etc_runtime_files() interface to allow manage also dirs - Fix typo in cachefiles device - Dontaudit sys_admin capability for auditd_t domains - Allow x_userdomain to read adjtime_t files - Allow users using template userdom_unpriv_user_template() to run bpf tool - Allow x_userdomain to dbus_chat with timedatex. * Sun Nov 03 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.5-12 - Label /var/cache/nginx as httpd_cache_t - Allow abrt_upload_watch_t domain to send dgram msgs to kernel processes and stream connect to journald - Created dnsmasq_use_ipset boolean - Allow capability dac_override in logwatch_mail_t domain - Allow automount_t domain to execute ping in own SELinux domain (ping_t) - Allow tmpreaper_t domain to getattr files labeled as mtrr_device_t - Allow collectd_t domain to create netlink_generic_socket sockets - Allow rhsmcertd_t domain to read/write rtas_errd_var_lock_t files - Allow tmpwatch process labeled as tmpreaper_t domain to execute fuser command. - Label /etc/postfix/chroot-update as postfix_exec_t - Update tmpreaper_t policy due to fuser command - Allow kdump_t domain to create netlink_route and udp sockets - Allow stratisd to connect to dbus - Allow fail2ban_t domain to create netlink netfilter sockets. - Allow dovecot get filesystem quotas - Allow networkmanager_t domain to execute chronyd binary in chronyd_t domain. BZ(1765689) - Allow systemd-tmpfiles processes to set rlimit information - Allow cephfs to use xattrs for storing contexts - Update files_filetrans_named_content() interface to allow caller domain to create /oldroot /.profile with correct label etc_runtime_t * Fri Oct 25 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.5-11 - Allow confined users to run newaliases - Add interface mysql_dontaudit_rw_db() - Label /var/lib/xfsdump/inventory as amanda_var_lib_t - Allow tmpreaper_t domain to read all domains state - Make httpd_var_lib_t label system mountdir attribute - Update cockpit policy - Update timedatex policy to add macros, more detail below - Allow nagios_script_t domain list files labled sysfs_t. - Allow jetty_t domain search and read cgroup_t files. - Donaudit ifconfig_t domain to read/write mysqld_db_t files - Dontaudit domains read/write leaked pipes * Tue Oct 22 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.5-10 - Update timedatex policy to add macros, more detail below - Allow nagios_script_t domain list files labled sysfs_t. - Allow jetty_t domain search and read cgroup_t files. - Allow Gluster mount client to mount files_type - Dontaudit and disallow sys_admin capability for keepalived_t domain - Update numad policy to allow signull, kill, nice and trace processes - Allow ipmievd_t to RW watchdog devices - Allow ldconfig_t domain to manage initrc_tmp_t link files Allow netutils_t domain to write to initrc_tmp_t fifo files - Allow user domains to manage user session services - Allow staff and user users to get status of user systemd session - Update sudo_role_template() to allow caller domain to read syslog pid files * Fri Oct 11 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.5-9 - Allow networkmanager_t domain domain transition to chronyc_t domain BZ(1760226) * Wed Oct 09 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.5-8 - Update apache and pkcs policies to make active opencryptoki rules - Allow ipa_ods_exporter_t domain to read krb5_keytab files BZ(1759884) * Wed Oct 09 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.5-7 - Revert "nova.fc: fix duplicated slash" - Introduce new bolean httpd_use_opencryptoki - Add new interface apache_read_state() - Allow setroubleshoot_fixit_t to read random_device_t - Label /etc/named direcotory as named_conf_t BZ(1759495) - nova.fc: fix duplicated slash - Allow dkim to execute sendmail - Update virt_read_content interface to allow caller domain mmap virt_content_t block devices and files - Update aide_t domain to allow this tool to analyze also /dev filesystem - Update interface modutils_read_module_deps to allow caller domain also mmap modules_dep_t files BZ(1758634) - Allow avahi_t to send msg to xdm_t - Allow systemd_logind to read dosfs files & dirs Allow systemd-logind - a system service that manages user logins, to read files and list dirs on a DOS filesystem - Update dev_manage_sysfs() to support managing also lnk files BZ(1759019) - Allow systemd_logind_t domain to read blk_files in domain removable_device_t - Add new interface udev_getattr_rules_chr_files() * Fri Oct 04 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.5-6 - Update aide_t domain to allow this tool to analyze also /dev filesystem - Allow bitlbee_t domain map files in /usr - Allow stratisd to getattr of fixed disk device nodes - Add net_broadcast capability to openvswitch_t domain BZ(1716044) - Allow exim_t to read mysqld conf files if exim_can_connect_db is enabled. BZ(1756973) - Allow cobblerd_t domain search apache configuration dirs - Dontaudit NetworkManager_t domain to write to kdump temp pipies BZ(1750428) - Label /var/log/collectd.log as collectd_log_t - Allow boltd_t domain to manage sysfs files and dirs BZ(1754360) - Add fowner capability to the pcp_pmlogger_t domain BZ(1754767) - networkmanager: allow NetworkManager_t to create bluetooth_socket - Fix ipa_custodia_stream_connect interface - Add new interface udev_getattr_rules_chr_files() - Make dbus-broker service working on s390x arch - Add new interface dev_mounton_all_device_nodes() - Add new interface dev_create_all_files() - Allow systemd(init_t) to load kernel modules - Allow ldconfig_t domain to manage initrc_tmp_t objects - Add new interface init_write_initrc_tmp_pipes() - Add new interface init_manage_script_tmp_files() - Allow xdm_t setpcap capability in user namespace BZ(1756790) - Allow x_userdomain to mmap generic SSL certificates - Allow xdm_t domain to user netlink_route sockets BZ(1756791) - Update files_create_var_lib_dirs() interface to allow caller domain also set attributes of var_lib_t directory BZ(1754245) - Allow sudo userdomain to run rpm related commands - Add sys_admin capability for ipsec_t domain - Allow systemd_modules_load_t domain to read systemd pid files - Add new interface init_read_pid_files() - Allow systemd labeled as init_t domain to manage faillog_t objects - Add file context ipsec_var_run_t for /var/run/charon\.dck to ipsec.fc - Make ipa_custodia policy active * Fri Sep 20 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.5-5 - Fix ipa_custodia_stream_connect interface - Allow systemd_modules_load_t domain to read systemd pid files - Add new interface init_read_pid_files() - Allow systemd labeled as init_t domain to manage faillog_t objects - Add file context ipsec_var_run_t for /var/run/charon\.dck to ipsec.fc * Fri Sep 20 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.5-4 - Run ipa-custodia as ipa_custodia_t - Update webalizer_t SELinux policy - Dontaudit thumb_t domain to getattr of nsfs_t files BZ(1753598) - Allow rhsmcertd_t domain to read rtas_errd lock files - Add new interface rtas_errd_read_lock() - Update allow rules set for nrpe_t domain - Update timedatex SELinux policy to to sychronizate time with GNOME and add new macro chronyd_service_status to chronyd.if - Allow avahi_t to send msg to lpr_t - Label /dev/shm/dirsrv/ with dirsrv_tmpfs_t label - Allow dlm_controld_t domain to read random device - Label libvirt drivers as virtd_exec_t - Add sys_ptrace capability to pcp_pmlogger_t domain BZ(1751816) - Allow gssproxy_t domain read state of all processes on system - Add new macro systemd_timedated_status to systemd.if to get timedated service status - Introduce xdm_manage_bootloader booelan - Revert "Unconfined domains, need to create content with the correct labels" - Allow xdm_t domain to read sssd pid files BZ(1753240) - Move open, audit_access, and execmod to common file perms * Fri Sep 13 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.5-3 - Add sys_ptrace capability to pcp_pmlogger_t domain BZ(1751816) - Allow gssproxy_t domain read state of all processes on system - Fix typo in cachefilesd module - Allow cachefilesd_t domain to read/write cachefiles_device_t devices - Remove setting label for /dev/cachefilesd char device from cachefilesd policy. This should be added in base policy - Add sys_admin capability for keepalived_t labeled processes - Allow user_mail_domain attribute to manage files labeled as etc_aliases_t. - Create new type ipmievd_helper_t domain for loading kernel modules. - Run stratisd service as stratisd_t - Fix abrt_upload_watch_t in abrt policy - Update keepalived policy - Update cron_role, cron_admin_role and cron_unconfined_role to avoid *_t_t types - Revert "Create admin_crontab_t and admin_crontab_tmp_t types" - Revert "Update cron_role() template to accept third parameter with SELinux domain prefix" - Allow amanda_t to manage its var lib files and read random_device_t - Create admin_crontab_t and admin_crontab_tmp_t types - Add setgid and setuid capabilities to keepalived_t domain - Update cron_role() template to accept third parameter with SELinux domain prefix - Allow psad_t domain to create tcp diag sockets BZ(1750324) - Allow systemd to mount fwupd_cache_t BZ(1750288) - Allow chronyc_t domain to append to all non_security files - Update zebra SELinux policy to make it work also with frr service - Allow rtkit_daemon_t domain set process nice value in user namespaces BZ(1750024) - Dontaudit rhsmcertd_t to write to dirs labeled as lib_t BZ(1556763) - Label /var/run/mysql as mysqld_var_run_t - Allow chronyd_t domain to manage and create chronyd_tmp_t dirs,files,sock_file objects. - Update timedatex policy to manage localization - Allow sandbox_web_type domains to sys_ptrace and sys_chroot in user namespaces - Update gnome_dontaudit_read_config - Allow devicekit_var_lib_t dirs to be created by systemd during service startup. BZ(1748997) - Allow systemd labeled as init_t domain to remount rootfs filesystem - Add interface files_remount_rootfs() - Dontaudit sys_admin capability for iptables_t SELinux domain - Label /dev/cachefilesd as cachefiles_device_t - Make stratisd policy active - Allow userdomains to dbus chat with policykit daemon - Update userdomains to pass correct parametes based on updates from cron_*_role interfaces - New interface files_append_non_security_files() - Label 2618/tcp and 2618/udp as priority_e_com_port_t - Label 2616/tcp and 2616/udp as appswitch_emp_port_t - Label 2615/tcp and 2615/udp as firepower_port_t - Label 2610/tcp and 2610/udp as versa_tek_port_t - Label 2613/tcp and 2613/udp as smntubootstrap_port_t - Label 3784/tcp and 3784/udp as bfd_control_port_t - Remove rule allowing all processes to stream connect to unconfined domains * Wed Sep 04 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.5-2 - Allow zabbix_t domain to manage zabbix_var_lib_t sock files and connect to unix_stream_socket - Dontaudit sandbox web types to setattr lib_t dirs - Dontaudit system_mail_t domains to check for existence other applications on system BZ(1747369) - Allow haproxy_t domain to read network state of system - Allow processes labeled as keepalived_t domain to get process group - Introduce dbusd_unit_file_type - Allow pesign_t domain to read/write named cache files. - Label /var/log/hawkey.log as rpm_log_t and update rpm named filetrans interfaces. - Allow httpd_t domain to read/write named_cache_t files - Add new interface bind_rw_cache() - Allow cupsd_t domain to create directory with name ppd in dirs labeled as cupsd_etc_t with label cupsd_rw_etc_t. - Update cpucontrol_t SELinux policy - Allow pcp_pmcd_t domain to bind on udp port labeled as statsd_port_t - Run lldpd service as lldpad_t. - Allow spamd_update_t domain to create unix dgram sockets. - Update dbus role template for confined users to allow login into x session - Label /usr/libexec/microcode_ctl/reload_microcode as cpucontrol_exec_t - Fix typo in networkmanager_append_log() interface - Update collectd policy to allow daemon create /var/log/collectd with collectd_log_t label - Allow login user type to use systemd user session - Allow xdm_t domain to start dbusd services. - Introduce new type xdm_unit_file_t - Remove allowing all domain to communicate over pipes with all domain under rpm_transition_domain attribute - Allow systemd labeled as init_t to remove sockets with tmp_t label BZ(1745632) - Allow ipsec_t domain to read/write named cache files - Allow sysadm_t to create hawkey log file with rpm_log_t SELinux label - Allow domains systemd_networkd_t and systemd_logind_t to chat over dbus - Label udp 8125 port as statsd_port_t * Tue Aug 13 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.5-1 - Bump version * Tue Aug 13 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.4-31 - Update timedatex policy BZ(1734197) * Tue Aug 13 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.4-30 - cockpit: Allow cockpit-session to read cockpit-tls state - Allow zebrat_t domain to read state of NetworkManager_t processes BZ(1739983) - Allow named_t domain to read/write samba_var_t files BZ(1738794) - Dontaudit abrt_t domain to read root_t files - Allow ipa_dnskey_t domain to read kerberos keytab - Allow mongod_t domain to read cgroup_t files BZ(1739357) - Update ibacm_t policy - Allow systemd to relabel all files on system. - Revert "Add new boolean systemd_can_relabel" - Allow xdm_t domain to read kernel sysctl BZ(1740385) - Add sys_admin capability for xdm_t in user namespace. BZ(1740386) - Allow dbus communications with resolved for DNS lookups - Add new boolean systemd_can_relabel - Allow auditd_t domain to create auditd_tmp_t temporary files and dirs in /tmp or /var/tmp - Label '/var/usrlocal/(.*/)?sbin(/.*)?' as bin_t - Update systemd_dontaudit_read_unit_files() interface to dontaudit alos listing dirs - Run lvmdbusd service as lvm_t * Wed Aug 07 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.4-29 - Allow dlm_controld_t domain setgid capability - Fix SELinux modules not installing in chroots. Resolves: rhbz#1665643 * Tue Aug 06 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.4-28 - Allow systemd to create and bindmount dirs. BZ(1734831) * Mon Aug 05 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.4-27 - Allow tlp domain run tlp in trace mode BZ(1737106) - Make timedatex_t domain system dbus bus client BZ(1737239) - Allow cgdcbxd_t domain to list cgroup dirs - Allow systemd to create and bindmount dirs. BZ(1734831) * Tue Jul 30 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.4-26 - New policy for rrdcached - Allow dhcpd_t domain to read network sysctls. - Allow nut services to communicate with unconfined domains - Allow virt_domain to Support ecryptfs home dirs. - Allow domain transition lsmd_t to sensord_t - Allow httpd_t to signull mailman_cgi_t process - Make rrdcached policy active - Label /etc/sysconfig/ip6?tables\.save as system_conf_t Resolves: rhbz#1733542 - Allow machinectl to run pull-tar BZ(1724247) * Fri Jul 26 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.4-25 - Allow spamd_update_t domain to read network state of system BZ(1733172) - Allow dlm_controld_t domain to transition to the lvm_t - Allow sandbox_web_client_t domain to do sys_chroot in user namespace - Allow virtlockd process read virtlockd.conf file - Add more permissions for session dbus types to make working dbus broker with systemd user sessions - Allow sssd_t domain to read gnome config and named cache files - Allow brltty to request to load kernel module - Add svnserve_tmp_t label forl svnserve temp files to system private tmp - Allow sssd_t domain to read kernel net sysctls BZ(1732185) - Run timedatex service as timedatex_t - Allow mysqld_t domain to domtrans to ifconfig_t domain when executing ifconfig tool - Allow cyrus work with PrivateTmp - Make cgdcbxd_t domain working with SELinux enforcing. - Make working wireshark execute byt confined users staff_t and sysadm_t - Dontaudit virt_domain to manage ~/.cache dirs BZ(1730963) - Allow svnserve_t domain to read system state - allow named_t to map named_cache_t files - Label user cron spool file with user_cron_spool_t - Update gnome_role_template() template to allow sysadm_t confined user to login to xsession - Allow lograte_t domain to manage collect_rw_content files and dirs - Add interface collectd_manage_rw_content() - Allow ifconfig_t domain to manage vmware logs - Remove system_r role from staff_u user. - Make new timedatex policy module active - Add systemd_private_tmp_type attribute - Allow systemd to load kernel modules during boot process. - Allow sysadm_t and staff_t domains to read wireshark shared memory - Label /usr/libexec/utempter/utempter as utemper_exec_t - Allow ipsec_t domain to read/write l2tpd pipe BZ(1731197) - Allow sysadm_t domain to create netlink selinux sockets - Make cgdcbxd active in Fedora upstream sources * Wed Jul 17 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.4-24 - Label user cron spool file with user_cron_spool_t - Update gnome_role_template() template to allow sysadm_t confined user to login to xsession - Allow lograte_t domain to manage collect_rw_content files and dirs - Add interface collectd_manage_rw_content() - Allow systemd_hostnamed_t domain to dbus chat with sosreport_t domain - Update tomcat_can_network_connect_db boolean to allow tomcat domains also connect to redis ports - Allow mysqld_t domain to manage cluster pid files - Relabel /usr/sbin/virtlockd from virt_exec_t to virtlogd_exec_t. - Allow ptp4l_t domain to write to pmc socket which is created by pmc command line tool - Allow dkim-milter to send e-mails BZ(1716937) - Update spamassasin policy to make working /usr/share/spamassassin/sa-update.cron script BZ(1711799) - Update svnserve_t policy to make working svnserve hooks - Allow varnishlog_t domain to check for presence of varnishd_t domains - Update sandboxX policy to make working firefox inside SELinux sandbox - Remove allow rule from svirt_transition_svirt_sandbox interface to don't allow containers to connect to random services - Allow httpd_t domain to read /var/lib/softhsm/tokens to allow httpd daemon to use pkcs#11 devices - Allow gssd_t domain to list tmpfs_t dirs - Allow mdadm_t domain to read tmpfs_t files - Allow sbd_t domain to check presence of processes labeled as cluster_t - Dontaudit httpd_sys_script_t to read systemd unit files - Allow blkmapd_t domain to read nvme devices - Update cpucontrol_t domain to make working microcode service - Allow domain transition from logwatch_t do postfix_postqueue_t - Allow chronyc_t domain to create and write to non_security files in case when sysadmin is redirecting output to file e.g: 'chronyc -n tracking > /var/lib/test' - Allow httpd_sys_script_t domain to mmap httpcontent - Allow sbd_t to manage cgroups_t files - Update wireshark policy to make working tshar labeled as wireshark_t - Update virt_use_nfs boolean to allow svirt_t domain to mmap nfs_t files - Allow sysadm_t domain to create netlink selinux sockets - Make cgdcbxd active in Fedora upstream sources - Allow sysadm_t domain to dbus chat with rtkit daemon - Allow x_userdomains to nnp domain transition to thumb_t domain - Allow unconfined_domain_type to setattr own process lnk files. - Add interface files_write_generic_pid_sockets() - Dontaudit writing to user home dirs by gnome-keyring-daemon - Allow staff and admin domains to setpcap in user namespace - Allow staff and sysadm to use lockdev - Allow staff and sysadm users to run iotop. - Dontaudit traceroute_t domain require sys_admin capability - Dontaudit dbus chat between kernel_t and init_t - Allow systemd labeled as init_t to create mountpoints without any specific label as default_t * Wed Jul 10 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.4-23 - Update dbusd policy and netowrkmanager to allow confined users to connect to vpn over NetworkManager - Fix all interfaces which cannot by compiled because of typos - Allow X userdomains to mmap user_fonts_cache_t dirs * Mon Jul 08 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.4-22 - Label /var/kerberos/krb5 as krb5_keytab_t - Allow glusterd_t domain to setpgid - Allow lsmd_t domain to execute /usr/bin/debuginfo-install - Allow sbd_t domain to manage cgroup dirs - Allow opafm_t domain to modify scheduling information of another process. - Allow wireshark_t domain to create netlink netfilter sockets - Allow gpg_agent_t domain to use nsswitch - Allow httpd script types to mmap httpd rw content - Allow dkim_milter_t domain to execute shell BZ(17116937) - Allow sbd_t domain to use nsswitch - Allow rhsmcertd_t domain to send signull to all domains - Allow snort_t domain to create netlink netfilter sockets BZ(1723184) - Dontaudit blueman to read state of all domains on system BZ(1722696) - Allow boltd_t domain to use ps and get state of all domains on system. BZ(1723217) - Allow rtkit_daemon_t to uise sys_ptrace usernamespace capability BZ(1723308) - Replace "-" by "_" in types names - Change condor_domain declaration in condor_systemctl - Allow firewalld_t domain to read iptables_var_run_t files BZ(1722405) - Allow auditd_t domain to send signals to audisp_remote_t domain - Allow systemd labeled as init_t domain to read/write faillog_t. BZ(1723132) - Allow systemd_tmpfiles_t domain to relabel from usermodehelper_t files - Add interface kernel_relabelfrom_usermodehelper() - Dontaudit unpriv_userdomain to manage boot_t files - Allow xdm_t domain to mmap /var/lib/gdm/.cache/fontconfig BZ(1725509) - Allow systemd to execute bootloader grub2-set-bootflag BZ(1722531) - Allow associate efivarfs_t on sysfs_t * Tue Jun 18 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.4-21 - Add vnstatd_var_lib_t to mountpoint attribute BZ(1648864) - cockpit: Support split-out TLS proxy - Allow dkim_milter_t to use shell BZ(1716937) - Create explicit fc rule for mailman executable BZ(1666004) - Update interface networkmanager_manage_pid_files() to allow manage also dirs - Allow dhcpd_t domain to mmap dnssec_t files BZ(1718701) - Add new interface bind_map_dnssec_keys() - Update virt_use_nfs() boolean to allow virt_t to mmap nfs_t files - Allow redis_t domain to read public sssd files - Allow fetchmail_t to connect to dovecot stream sockets BZ(1715569) - Allow confined users to login via cockpit - Allow nfsd_t domain to do chroot becasue of new version of nfsd - Add gpg_agent_roles to system_r roles - Allow qpidd_t domain to getattr all fs_t filesystem and mmap usr_t files - Allow rhsmcertd_t domain to manage rpm cache - Allow sbd_t domain to read tmpfs_t symlinks - Allow ctdb_t domain to manage samba_var_t files/links/sockets and dirs - Allow kadmind_t domain to read home config data - Allow sbd_t domain to readwrite cgroups - Allow NetworkManager_t domain to read nsfs_t files BZ(1715597) - Label /var/log/pacemaker/pacemaker as cluster_var_log_t - Allow certmonger_t domain to manage named cache files/dirs - Allow pcp_pmcd_t domain to domtrans to mdadm_t domain BZ(1714800) - Allow crack_t domain read /et/passwd files - Label fontconfig cache and config files and directories BZ(1659905) - Allow dhcpc_t domain to manage network manager pid files - Label /usr/sbin/nft as iptables_exec_t - Allow userdomain attribute to manage cockpit_ws_t stream sockets - Allow ssh_agent_type to read/write cockpit_session_t unnamed pipes - Add interface ssh_agent_signal() * Thu May 30 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.4-20 - Allow pcp_pmcd_t domain to domtrans to mdadm_t domain BZ(1714800) - Allow spamd_update_t to exec itsef - Fix broken logwatch SELinux module - Allow logwatch_mail_t to manage logwatch cache files/dirs - Update wireshark_t domain to use several sockets - Allow sysctl_rpc_t and sysctl_irq_t to be stored on fs_t * Mon May 27 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.4-19 - Fix bind_read_cache() interface to allow only read perms to caller domains - [speech-dispatcher.if] m4 macro names can not have - in them - Grant varnishlog_t access to varnishd_etc_t - Allow nrpe_t domain to read process state of systemd_logind_t - Allow mongod_t domain to connect on https port BZ(1711922) - Allow chronyc_t domain to create own tmpfiles and allow communicate send data over unix dgram sockets - Dontaudit spamd_update_t domain to read all domains states BZ(1711799) - Allow pcp_pmie_t domain to use sys_ptrace usernamespace cap BZ(1705871) - Allow userdomains to send data over dgram sockets to userdomains dbus services BZ(1710119) - Revert "Allow userdomains to send data over dgram sockets to userdomains dbus services BZ(1710119)" - Make boinc_var_lib_t mountpoint BZ(1711682) - Allow wireshark_t domain to create fifo temp files - All NetworkManager_ssh_t rules have to be in same optional block with ssh_basic_client_template(), fixing this bug in NetworkManager policy - Allow dbus chat between NetworkManager_t and NetworkManager_ssh_t domains. BZ(1677484) - Fix typo in gpg SELinux module - Update gpg policy to make ti working with confined users - Add domain transition that systemd labeled as init_t can execute spamd_update_exec_t binary to run newly created process as spamd_update_t - Remove allow rule for virt_qemu_ga_t to write/append user_tmp_t files - Label /var/run/user/*/dbus-1 as session_dbusd_tmp_t - Add dac_override capability to namespace_init_t domain - Label /usr/sbin/corosync-qdevice as cluster_exec_t - Allow NetworkManager_ssh_t domain to open communication channel with system dbus. BZ(1677484) - Label /usr/libexec/dnf-utils as debuginfo_exec_t - Alow nrpe_t to send signull to sssd domain when nagios_run_sudo boolean is turned on - Allow nrpe_t domain to be dbus cliennt - Add interface sssd_signull() - Build in parallel on Travis - Fix parallel build of the policy - Revert "Make able deply overcloud via neutron_t to label nsfs as fs_t" - Add interface systemd_logind_read_state() - Fix find commands in Makefiles - Allow systemd-timesyncd to read network state BZ(1694272) - Update userdomains to allow confined users to create gpg keys - Allow associate all filesystem_types with fs_t - Dontaudit syslogd_t using kill in unamespaces BZ(1711122) - Allow init_t to manage session_dbusd_tmp_t dirs - Allow systemd_gpt_generator_t to read/write to clearance - Allow su_domain_type to getattr to /dev/gpmctl - Update userdom_login_user_template() template to make working systemd user session for guest and xguest SELinux users * Fri May 17 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.4-18 - Fix typo in gpg SELinux module - Update gpg policy to make ti working with confined users - Add domain transition that systemd labeled as init_t can execute spamd_update_exec_t binary to run newly created process as spamd_update_t - Remove allow rule for virt_qemu_ga_t to write/append user_tmp_t files - Label /var/run/user/*/dbus-1 as session_dbusd_tmp_t - Add dac_override capability to namespace_init_t domain - Label /usr/sbin/corosync-qdevice as cluster_exec_t - Allow NetworkManager_ssh_t domain to open communication channel with system dbus. BZ(1677484) - Label /usr/libexec/dnf-utils as debuginfo_exec_t - Alow nrpe_t to send signull to sssd domain when nagios_run_sudo boolean is turned on - Allow nrpe_t domain to be dbus cliennt - Add interface sssd_signull() - Label /usr/bin/tshark as wireshark_exec_t - Update userdomains to allow confined users to create gpg keys - Allow associate all filesystem_types with fs_t - Dontaudit syslogd_t using kill in unamespaces BZ(1711122) - Allow init_t to manage session_dbusd_tmp_t dirs - Allow systemd_gpt_generator_t to read/write to clearance - Allow su_domain_type to getattr to /dev/gpmctl - Update userdom_login_user_template() template to make working systemd user session for guest and xguest SELinux users * Fri May 17 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.4-17 - Alow nrpe_t to send signull to sssd domain when nagios_run_sudo boolean is turned on - Allow nrpe_t domain to be dbus cliennt - Add interface sssd_signull() - Label /usr/bin/tshark as wireshark_exec_t - Fix typo in dbus_role_template() - Allow userdomains to send data over dgram sockets to userdomains dbus services BZ(1710119) - Allow userdomains dbus domain to execute dbus broker. BZ(1710113) - Allow dovedot_deliver_t setuid/setgid capabilities BZ(1709572) - Allow virt domains to access xserver devices BZ(1705685) - Allow aide to be executed by systemd with correct (aide_t) domain BZ(1648512) - Dontaudit svirt_tcg_t domain to read process state of libvirt BZ(1594598) - Allow pcp_pmie_t domain to use fsetid capability BZ(1708082) - Allow pcp_pmlogger_t to use setrlimit BZ(1708951) - Allow gpsd_t domain to read udev db BZ(1709025) - Add sys_ptrace capaiblity for namespace_init_t domain - Allow systemd to execute sa-update in spamd_update_t domain BZ(1705331) - Allow rhsmcertd_t domain to read rpm cache files - Label /efi same as /boot/efi boot_t BZ(1571962) - Allow transition from udev_t to tlp_t BZ(1705246) - Remove initrc_exec_t for /usr/sbin/apachectl file