selinux-policy-38.11-1.fc38 RPM for noarch

From Fedora 38 testing updates for armhfp / Packages / s

SELinux core policy package.
Originally based off of reference policy,
the policy has been adjusted to provide support for Fedora.

Provides

• selinux-policy
• config(selinux-policy)
• rpm_macro(_file_context_file)
• rpm_macro(_file_context_file_pre)
• rpm_macro(_file_custom_defined_booleans)
• rpm_macro(_file_custom_defined_booleans_tmp)
• rpm_macro(_selinux_policy_version)
• rpm_macro(_selinux_store_path)
• rpm_macro(_selinux_store_policy_path)
• rpm_macro(selinux_modules_install)
• rpm_macro(selinux_modules_uninstall)
• rpm_macro(selinux_relabel_post)
• rpm_macro(selinux_relabel_pre)
• rpm_macro(selinux_requires)
• rpm_macro(selinux_set_booleans)
• rpm_macro(selinux_unset_booleans)
• selinux-policy-base

Requires

• /bin/awk
• /bin/sh
• /bin/sh
• /bin/sh
• /bin/sh
• /usr/bin/sha512sum
• config(selinux-policy) = 38.11-1.fc38
• policycoreutils >= 3.4-1
• rpm-plugin-selinux
• rpmlib(CompressedFileNames) <= 3.0.4-1
• rpmlib(FileDigests) <= 4.6.0-1
• rpmlib(PayloadFilesHavePrefix) <= 4.0-1
• rpmlib(PayloadIsZstd) <= 5.4.18-1
• selinux-policy-any = 38.11-1.fc38

License

GPL-2.0-or-later

Changelog

* Mon Apr 17 2023 Zdenek Pytela <zpytela@redhat.com> - 38.11-1
  - Allow dovecot-deliver write to the main process runtime fifo files
  - Allow dmidecode write to cloud-init tmp files
  - Allow chronyd send a message to cloud-init over a datagram socket
  - Allow cloud-init domain transition to insights-client domain
  - Allow mongodb read filesystem sysctls
  - Allow mongodb read network sysctls
  - Allow accounts-daemon read generic systemd unit lnk files
  - Allow blueman watch generic device dirs
  - Allow nm-dispatcher tlp plugin create tlp dirs
  - Allow systemd-coredump mounton /usr
  - Allow rabbitmq to read network sysctls
* Tue Apr 04 2023 Zdenek Pytela <zpytela@redhat.com> - 38.10-1
  - Allow certmonger dbus chat with the cron system domain
  - Allow geoclue read network sysctls
  - Allow geoclue watch the /etc directory
  - Allow logwatch_mail_t read network sysctls
  - Allow insights-client read all sysctls
  - Allow passt manage qemu pid sock files
* Fri Mar 24 2023 Zdenek Pytela <zpytela@redhat.com> - 38.9-1
  - Allow sssd read accountsd fifo files
  - Add support for the passt_t domain
  - Allow virtd_t and svirt_t work with passt
  - Add new interfaces in the virt module
  - Add passt interfaces defined conditionally
  - Allow tshark the setsched capability
  - Allow poweroff create connections to system dbus
  - Allow wg load kernel modules, search debugfs dir
  - Boolean: allow qemu-ga manage ssh home directory
  - Label smtpd with sendmail_exec_t
  - Label msmtp and msmtpd with sendmail_exec_t
  - Allow dovecot to map files in /var/spool/dovecot
* Fri Mar 03 2023 Zdenek Pytela <zpytela@redhat.com> - 38.8-2
  - Update make-rhat-patches.sh file to use the f38 dist-git branch in F38
* Fri Mar 03 2023 Zdenek Pytela <zpytela@redhat.com> - 38.8-1
  - Confine gnome-initial-setup
  - Allow qemu-guest-agent create and use vsock socket
  - Allow login_pgm setcap permission
  - Allow chronyc read network sysctls
  - Enhancement of the /usr/sbin/request-key helper policy
  - Fix opencryptoki file names in /dev/shm
  - Allow system_cronjob_t transition to rpm_script_t
  - Revert "Allow system_cronjob_t domtrans to rpm_script_t"
  - Add tunable to allow squid bind snmp port
  - Allow staff_t getattr init pid chr & blk files and read krb5
  - Allow firewalld to rw z90crypt device
  - Allow httpd work with tokens in /dev/shm
  - Allow svirt to map svirt_image_t char files
  - Allow sysadm_t run initrc_t script and sysadm_r role access
  - Allow insights-client manage fsadm pid files
* Wed Feb 08 2023 Zdenek Pytela <zpytela@redhat.com> - 38.7-1
  - Allowing snapper to create snapshots of /home/ subvolume/partition
  - Add boolean qemu-ga to run unconfined script
  - Label systemd-journald feature LogNamespace
  - Add none file context for polyinstantiated tmp dirs
  - Allow certmonger read the contents of the sysfs filesystem
  - Add journalctl the sys_resource capability
  - Allow nm-dispatcher plugins read generic files in /proc
  - Add initial policy for the /usr/sbin/request-key helper
  - Additional support for rpmdb_migrate
  - Add the keyutils module
* Mon Jan 30 2023 Zdenek Pytela <zpytela@redhat.com> - 38.6-1
  - Boolean: allow qemu-ga read ssh home directory
  - Allow kernel_t to read/write all sockets
  - Allow kernel_t to UNIX-stream connect to all domains
  - Allow systemd-resolved send a datagram to journald
  - Allow kernel_t to manage and have "execute" access to all files
  - Fix the files_manage_all_files() interface
  - Allow rshim bpf cap2 and read sssd public files
  - Allow insights-client work with su and lpstat
  - Allow insights-client tcp connect to all ports
  - Allow nm-cloud-setup dispatcher plugin restart nm services
  - Allow unconfined user filetransition for sudo log files
  - Allow modemmanager create hardware state information files
  - Allow ModemManager all permissions for netlink route socket
  - Allow wg to send msg to kernel, write to syslog and dbus connections
  - Allow hostname_t to read network sysctls.
  - Dontaudit ftpd the execmem permission
  - Allow svirt request the kernel to load a module
  - Allow icecast rename its log files
  - Allow upsd to send signal to itself
  - Allow wireguard to create udp sockets and read net_conf
  - Use '
  %setup       -q
  
  
  ' instead of '%setup'
  - Pass -p 1 to '
  %setup       -q
  
  
  '
* Sat Jan 21 2023 Fedora Release Engineering <releng@fedoraproject.org> - 38.5-2
  - Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild
* Fri Jan 13 2023 Zdenek Pytela <zpytela@redhat.com> - 38.5-1
  - Allow insights client work with gluster and pcp
  - Add insights additional capabilities
  - Add interfaces in domain, files, and unconfined modules
  - Label fwupdoffline and fwupd-detect-cet with fwupd_exec_t
  - Allow sudodomain use sudo.log as a logfile
  - Allow pdns server map its library files and bind to unreserved ports
  - Allow sysadm_t read/write ipmi devices
  - Allow prosody manage its runtime socket files
  - Allow kernel threads manage kernel keys
  - Allow systemd-userdbd the sys_resource capability
  - Allow systemd-journal list cgroup directories
  - Allow apcupsd dbus chat with systemd-logind
  - Allow nut_domain manage also files and sock_files in /var/run
  - Allow winbind-rpcd make a TCP connection to the ldap port
  - Label /usr/lib/rpm/rpmdb_migrate with rpmdb_exec_t
  - Allow tlp read generic SSL certificates
  - Allow systemd-resolved watch tmpfs directories
  - Revert "Allow systemd-resolved watch tmpfs directories"
* Mon Dec 19 2022 Zdenek Pytela <zpytela@redhat.com> - 38.4-1
  - Allow NetworkManager and wpa_supplicant the bpf capability
  - Allow systemd-rfkill the bpf capability
  - Allow winbind-rpcd manage samba_share_t files and dirs
  - Label /var/lib/httpd/md(/.*)? with httpd_sys_rw_content_t
  - Allow gpsd the sys_ptrace userns capability
  - Introduce gpsd_tmp_t for sockfiles managed by gpsd_t
  - Allow load_policy_t write to unallocated ttys
  - Allow ndc read hardware state information
  - Allow system mail service read inherited certmonger runtime files
  - Add lpr_roles  to system_r roles
  - Revert "Allow insights-client run lpr and allow the proper role"
  - Allow stalld to read /sys/kernel/security/lockdown file
  - Allow keepalived to set resource limits
  - Add policy for mptcpd
  - Add policy for rshim
  - Allow admin users to create user namespaces
  - Allow journalctl relabel with var_log_t and syslogd_var_run_t files
  - Do not run restorecon /etc/NetworkManager/dispatcher.d in targeted
  - Trim changelog so that it starts at F35 time
  - Add mptcpd and rshim modules
* Wed Dec 14 2022 Zdenek Pytela <zpytela@redhat.com> - 38.3-1
  - Allow insights-client dbus chat with various services
  - Allow insights-client tcp connect to various ports
  - Allow insights-client run lpr and allow the proper role
  - Allow insights-client work with pcp and manage user config files
  - Allow redis get user names
  - Allow kernel threads to use fds from all domains
  - Allow systemd-modules-load load kernel modules
  - Allow login_userdomain watch systemd-passwd pid dirs
  - Allow insights-client dbus chat with abrt
  - Grant kernel_t certain permissions in the system class
  - Allow systemd-resolved watch tmpfs directories
  - Allow systemd-timedated watch init runtime dir
  - Make `bootc` be `install_exec_t`
  - Allow systemd-coredump create user_namespace
  - Allow syslog the setpcap capability
  - donaudit virtlogd and dnsmasq execmem
* Tue Dec 06 2022 Zdenek Pytela <zpytela@redhat.com> - 38.2-1
  - Don't make kernel_t an unconfined domain
  - Don't allow kernel_t to execute bin_t/usr_t binaries without a transition
  - Allow kernel_t to execute systemctl to do a poweroff/reboot
  - Grant basic permissions to the domain created by systemd_systemctl_domain()
  - Allow kernel_t to request module loading
  - Allow kernel_t to do compute_create
  - Allow kernel_t to manage perf events
  - Grant almost all capabilities to kernel_t
  - Allow kernel_t to fully manage all devices
  - Revert "In domain_transition_pattern there is no permission allowing caller domain to execu_no_trans on entrypoint, this patch fixing this issue"
  - Allow pulseaudio to write to session_dbusd tmp socket files
  - Allow systemd and unconfined_domain_type create user_namespace
  - Add the user_namespace security class
  - Reuse tmpfs_t also for the ramfs filesystem
  - Label udf tools with fsadm_exec_t
  - Allow networkmanager_dispatcher_plugin work with nscd
  - Watch_sb all file type directories.
  - Allow spamc read hardware state information files
  - Allow sysadm read ipmi devices
  - Allow insights client communicate with cupsd, mysqld, openvswitch, redis
  - Allow insights client read raw memory devices
  - Allow the spamd_update_t domain get generic filesystem attributes
  - Dontaudit systemd-gpt-generator the sys_admin capability
  - Allow ipsec_t only read tpm devices
  - Allow cups-pdf connect to the system log service
  - Allow postfix/smtpd read kerberos key table
  - Allow syslogd read network sysctls
  - Allow cdcc mmap dcc-client-map files
  - Add watch and watch_sb dosfs interface
* Mon Nov 21 2022 Zdenek Pytela <zpytela@redhat.com> - 38.1-1
  - Revert "Allow sysadm_t read raw memory devices"
  - Allow systemd-socket-proxyd get attributes of cgroup filesystems
  - Allow rpc.gssd read network sysctls
  - Allow winbind-rpcd get attributes of device and pty filesystems
  - Allow insights-client domain transition on semanage execution
  - Allow insights-client create gluster log dir with a transition
  - Allow insights-client manage generic locks
  - Allow insights-client unix_read all domain semaphores
  - Add domain_unix_read_all_semaphores() interface
  - Allow winbind-rpcd use the terminal multiplexor
  - Allow mrtg send mails
  - Allow systemd-hostnamed dbus chat with init scripts
  - Allow sssd dbus chat with system cronjobs
  - Add interface to watch all filesystems
  - Add watch_sb interfaces
  - Add watch interfaces
  - Allow dhcpd bpf capability to run bpf programs
  - Allow netutils and traceroute bpf capability to run bpf programs
  - Allow pkcs_slotd_t bpf capability to run bpf programs
  - Allow xdm bpf capability to run bpf programs
  - Allow pcscd bpf capability to run bpf programs
  - Allow lldpad bpf capability to run bpf programs
  - Allow keepalived bpf capability to run bpf programs
  - Allow ipsec bpf capability to run bpf programs
  - Allow fprintd bpf capability to run bpf programs
  - Allow systemd-socket-proxyd get filesystems attributes
  - Allow dirsrv_snmp_t to manage dirsrv_config_t & dirsrv_var_run_t files
* Mon Oct 31 2022 Zdenek Pytela <zpytela@redhat.com> - 37.14-1
  - Allow rotatelogs read httpd_log_t symlinks
  - Add winbind-rpcd to samba_enable_home_dirs boolean
  - Allow system cronjobs dbus chat with setroubleshoot
  - Allow setroubleshootd read device sysctls
  - Allow virt_domain read device sysctls
  - Allow rhcd compute selinux access vector
  - Allow insights-client manage samba var dirs
  - Label ports 10161-10162 tcp/udp with snmp
  - Allow aide to connect to systemd_machined with a unix socket.
  - Allow samba-dcerpcd use NSCD services over a unix stream socket
  - Allow vlock search the contents of the /dev/pts directory
  - Allow insights-client send null signal to rpm and system cronjob
  - Label port 15354/tcp and 15354/udp with opendnssec
  - Allow ftpd map ftpd_var_run files
  - Allow targetclid to manage tmp files
  - Allow insights-client connect to postgresql with a unix socket
  - Allow insights-client domtrans on unix_chkpwd execution
  - Add file context entries for insights-client and rhc
  - Allow pulseaudio create gnome content (~/.config)
  - Allow login_userdomain dbus chat with rhsmcertd
  - Allow sbd the sys_ptrace capability
  - Allow ptp4l_t name_bind ptp_event_port_t
* Mon Oct 03 2022 Zdenek Pytela <zpytela@redhat.com> - 37.13-1
  - Remove the ipa module
  - Allow sss daemons read/write unnamed pipes of cloud-init
  - Allow postfix_mailqueue create and use unix dgram sockets
  - Allow xdm watch user home directories
  - Allow nm-dispatcher ddclient plugin load a kernel module
  - Stop ignoring standalone interface files
  - Drop cockpit module
  - Allow init map its private tmp files
  - Allow xenstored change its hard resource limits
  - Allow system_mail-t read network sysctls
  - Add bgpd sys_chroot capability
* Thu Sep 22 2022 Zdenek Pytela <zpytela@redhat.com> - 37.12-1
  - nut-upsd: kernel_read_system_state, fs_getattr_cgroup
  - Add numad the ipc_owner capability
  - Allow gst-plugin-scanner read virtual memory sysctls
  - Allow init read/write inherited user fifo files
  - Update dnssec-trigger policy: setsched, module_request
  - added policy for systemd-socket-proxyd
  - Add the new 'cmd' permission to the 'io_uring' class
  - Allow winbind-rpcd read and write its key ring
  - Label /run/NetworkManager/no-stub-resolv.conf net_conf_t
  - blueman-mechanism can read ~/.local/lib/python*/site-packages directory
  - pidof executed by abrt can readlink /proc/*/exe
  - Fix typo in comment
  - Do not run restorecon /etc/NetworkManager/dispatcher.d in mls and minimum
* Wed Sep 14 2022 Zdenek Pytela <zpytela@redhat.com> - 37.11-1
  - Allow tor get filesystem attributes
  - Allow utempter append to login_userdomain stream
  - Allow login_userdomain accept a stream connection to XDM
  - Allow login_userdomain write to boltd named pipes
  - Allow staff_u and user_u users write to bolt pipe
  - Allow login_userdomain watch various directories
  - Update rhcd policy for executing additional commands 5
  - Update rhcd policy for executing additional commands 4
  - Allow rhcd create rpm hawkey logs with correct label
  - Allow systemd-gpt-auto-generator to check for empty dirs
  - Update rhcd policy for executing additional commands 3
  - Allow journalctl read rhcd fifo files
  - Update insights-client policy for additional commands execution 5
  - Allow init remount all file_type filesystems
  - Confine insights-client systemd unit
  - Update insights-client policy for additional commands execution 4
  - Allow pcp pmcd search tracefs and acct_data dirs
  - Allow httpd read network sysctls
  - Dontaudit domain map permission on directories
  - Revert "Allow X userdomains to mmap user_fonts_cache_t dirs"
  - Revert "Allow xdm_t domain to mmap /var/lib/gdm/.cache/fontconfig BZ(1725509)"
  - Update insights-client policy for additional commands execution 3
  - Allow systemd permissions needed for sandboxed services
  - Add rhcd module
  - Make dependency on rpm-plugin-selinux unordered
* Fri Sep 02 2022 Zdenek Pytela <zpytela@redhat.com> - 37.10-1
  - Allow ipsec_t read/write tpm devices
  - Allow rhcd execute all executables
  - Update rhcd policy for executing additional commands 2
  - Update insights-client policy for additional commands execution 2
  - Allow sysadm_t read raw memory devices
  - Allow chronyd send and receive chronyd/ntp client packets
  - Allow ssh client read kerberos homedir config files
  - Label /var/log/rhc-worker-playbook with rhcd_var_log_t
  - Update insights-client policy (auditctl, gpg, journal)
  - Allow system_cronjob_t domtrans to rpm_script_t
  - Allow smbd_t process noatsecure permission for winbind_rpcd_t
  - Update tor_bind_all_unreserved_ports interface
  - Allow chronyd bind UDP sockets to ptp_event ports.
  - Allow unconfined and sysadm users transition for /root/.gnupg
  - Add gpg_filetrans_admin_home_content() interface
  - Update rhcd policy for executing additional commands
  - Update insights-client policy for additional commands execution
  - Add userdom_view_all_users_keys() interface
  - Allow gpg read and write generic pty type
  - Allow chronyc read and write generic pty type
  - Allow system_dbusd ioctl kernel with a unix stream sockets
  - Allow samba-bgqd to read a printer list
  - Allow stalld get and set scheduling policy of all domains.
  - Allow unconfined_t transition to targetclid_home_t
* Thu Aug 11 2022 Zdenek Pytela <zpytela@redhat.com> - 37.9-1
  - Allow nm-dispatcher custom plugin dbus chat with nm
  - Allow nm-dispatcher sendmail plugin get status of systemd services
  - Allow xdm read the kernel key ring
  - Allow login_userdomain check status of mount units
  - Allow postfix/smtp and postfix/virtual read kerberos key table
  - Allow services execute systemd-notify
  - Do not allow login_userdomain use sd_notify()
  - Allow launch-xenstored read filesystem sysctls
  - Allow systemd-modules-load write to /dev/kmsg and send a message to syslogd
  - Allow openvswitch fsetid capability
  - Allow openvswitch use its private tmpfs files and dirs
  - Allow openvswitch search tracefs dirs
  - Allow pmdalinux read files on an nfsd filesystem
  - Allow winbind-rpcd write to winbind pid files
  - Allow networkmanager to signal unconfined process
  - Allow systemd_hostnamed label /run/systemd/* as hostnamed_etc_t
  - Allow samba-bgqd get a printer list
  - fix(init.fc): Fix section description
  - Allow fedora-third-party read the passwords file
  - Remove permissive domain for rhcd_t
  - Allow pmie read network state information and network sysctls
  - Revert "Dontaudit domain the fowner capability"
  - Allow sysadm_t to run bpftool on the userdomain attribute
  - Add the userdom_prog_run_bpf_userdomain() interface
  - Allow insights-client rpm named file transitions
  - Add /var/tmp/insights-archive to insights_client_filetrans_named_content
* Mon Aug 01 2022 Zdenek Pytela <zpytela@redhat.com> - 37.8-1
  - Allow sa-update to get init status and start systemd files
  - Use insights_client_filetrans_named_content
  - Make default file context match with named transitions
  - Allow nm-dispatcher tlp plugin send system log messages
  - Allow nm-dispatcher tlp plugin create and use unix_dgram_socket
  - Add permissions to manage lnk_files into gnome_manage_home_config
  - Allow rhsmcertd to read insights config files
  - Label /etc/insights-client/machine-id
  - fix(devices.fc): Replace single quote in comment to solve parsing issues
  - Make NetworkManager_dispatcher_custom_t an unconfined domain
* Sat Jul 23 2022 Fedora Release Engineering <releng@fedoraproject.org> - 37.7-2
  - Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild
* Thu Jul 14 2022 Zdenek Pytela <zpytela@redhat.com> - 37.7-1
  - Update winbind_rpcd_t
  - Allow some domains use sd_notify()
  - Revert "Allow rabbitmq to use systemd notify"
  - fix(sedoctool.py): Fix syntax warning: "is not" with a literal
  - Allow nm-dispatcher console plugin manage etc files
  - Allow networkmanager_dispatcher_plugin list NetworkManager_etc_t dirs
  - Allow nm-dispatcher console plugin setfscreate
  - Support using systemd-update-helper in rpm scriptlets
  - Allow nm-dispatcher winbind plugin read samba config files
  - Allow domain use userfaultfd over all domains
  - Allow cups-lpd read network sysctls
* Wed Jun 29 2022 Zdenek Pytela <zpytela@redhat.com> - 37.6-1
  - Allow stalld set scheduling policy of kernel threads
  - Allow targetclid read /var/target files
  - Allow targetclid read generic SSL certificates (fixed)
  - Allow firewalld read the contents of the sysfs filesystem
  - Fix file context pattern for /var/target
  - Use insights_client_etc_t in insights_search_config()
  - Allow nm-dispatcher ddclient plugin handle systemd services
  - Allow nm-dispatcher winbind plugin run smbcontrol
  - Allow nm-dispatcher custom plugin create and use unix dgram socket
  - Update samba-dcerpcd policy for kerberos usage 2
  - Allow keepalived read the contents of the sysfs filesystem
  - Allow amandad read network sysctls
  - Allow cups-lpd read network sysctls
  - Allow kpropd read network sysctls
  - Update insights_client_filetrans_named_content()
  - Allow rabbitmq to use systemd notify
  - Label /var/target with targetd_var_t
  - Allow targetclid read generic SSL certificates
  - Update rhcd policy
  - Allow rhcd search insights configuration directories
  - Add the kernel_read_proc_files() interface
  - Require policycoreutils >= 3.4-1
  - Add a script for enclosing interfaces in ifndef statements
  - Disable rpm verification on interface_info
* Wed Jun 22 2022 Zdenek Pytela <zpytela@redhat.com> - 37.5-1
  - Allow transition to insights_client named content
  - Add the insights_client_filetrans_named_content() interface
  - Update policy for insights-client to run additional commands 3
  - Allow dhclient manage pid files used by chronyd
  - Allow stalld get scheduling policy of kernel threads
  - Allow samba-dcerpcd work with sssd
  - Allow dlm_controld send a null signal to a cluster daemon
  - Allow ksmctl create hardware state information files
  - Allow winbind_rpcd_t connect to self over a unix_stream_socket
  - Update samba-dcerpcd policy for kerberos usage
  - Allow insights-client execute its private memfd: objects
  - Update policy for insights-client to run additional commands 2
  - Use insights_client_tmp_t instead of insights_client_var_tmp_t
  - Change space indentation to tab in insights-client
  - Use socket permissions sets in insights-client
  - Update policy for insights-client to run additional commands
  - Change rpm_setattr_db_files() to use a pattern
  - Allow init_t to rw insights_client unnamed pipe
  - Add rpm setattr db files macro
  - Fix insights client
  - Update kernel_read_unix_sysctls() for sysctl_net_unix_t handling
  - Allow rabbitmq to access its private memfd: objects
  - Update policy for samba-dcerpcd
  - Allow stalld setsched and sys_nice
* Tue Jun 07 2022 Zdenek Pytela <zpytela@redhat.com> - 37.4-1
  - Allow auditd_t noatsecure for a transition to audisp_remote_t
  - Allow ctdbd nlmsg_read on netlink_tcpdiag_socket
  - Allow pcp_domain execute its private memfd: objects
  - Add support for samba-dcerpcd
  - Add policy for wireguard
  - Confine targetcli
  - Allow systemd work with install_t unix stream sockets
  - Allow iscsid the sys_ptrace userns capability
  - Allow xdm connect to unconfined_service_t over a unix stream socket
* Fri May 27 2022 Zdenek Pytela <zpytela@redhat.com> - 37.3-1
  - Allow nm-dispatcher custom plugin execute systemctl
  - Allow nm-dispatcher custom plugin dbus chat with nm
  - Allow nm-dispatcher custom plugin create and use udp socket
  - Allow nm-dispatcher custom plugin create and use netlink_route_socket
  - Use create_netlink_socket_perms in netlink_route_socket class permissions
  - Add support for nm-dispatcher sendmail scripts
  - Allow sslh net_admin capability
  - Allow insights-client manage gpg admin home content
  - Add the gpg_manage_admin_home_content() interface
  - Allow rhsmcertd create generic log files
  - Update logging_create_generic_logs() to use create_files_pattern()
  - Label /var/cache/insights with insights_client_cache_t
  - Allow insights-client search gconf homedir
  - Allow insights-client create and use unix_dgram_socket
  - Allow blueman execute its private memfd: files
  - Move the chown call into make-srpm.sh
* Fri May 06 2022 Zdenek Pytela <zpytela@redhat.com> - 37.2-1
  - Use the networkmanager_dispatcher_plugin attribute in allow rules
  - Make a custom nm-dispatcher plugin transition
  - Label port 4784/tcp and 4784/udp with bfd_multi
  - Allow systemd watch and watch_reads user ptys
  - Allow sblim-gatherd the kill capability
  - Label more vdsm utils with virtd_exec_t
  - Add ksm service to ksmtuned
  - Add rhcd policy
  - Dontaudit guest attempts to dbus chat with systemd domains
  - Dontaudit guest attempts to dbus chat with system bus types
  - Use a named transition in systemd_hwdb_manage_config()
  - Add default fc specifications for patterns in /opt
  - Add the files_create_etc_files() interface
  - Allow nm-dispatcher console plugin create and write files in /etc
  - Allow nm-dispatcher console plugin transition to the setfiles domain
  - Allow more nm-dispatcher plugins append to init stream sockets
  - Allow nm-dispatcher tlp plugin dbus chat with nm
  - Reorder networkmanager_dispatcher_plugin_template() calls
  - Allow svirt connectto virtlogd
  - Allow blueman map its private memfd: files
  - Allow sysadm user execute init scripts with a transition
  - Allow sblim-sfcbd connect to sblim-reposd stream
  - Allow keepalived_unconfined_script_t dbus chat with init
  - Run restorecon with "-i" not to report errors
* Mon May 02 2022 Zdenek Pytela <zpytela@redhat.com> - 37.1-1
  - Fix users for SELinux userspace 3.4
  - Label /var/run/machine-id as machineid_t
  - Add stalld to modules.conf
  - Use files_tmpfs_file() for rhsmcertd_tmpfs_t
  - Allow blueman read/write its private memfd: objects
  - Allow insights-client read rhnsd config files
  - Allow insights-client create_socket_perms for tcp/udp sockets
* Tue Apr 26 2022 Zdenek Pytela <zpytela@redhat.com> - 36.8-1
  - Allow nm-dispatcher chronyc plugin append to init stream sockets
  - Allow tmpreaper the sys_ptrace userns capability
  - Label /usr/libexec/vdsm/supervdsmd and vdsmd with virtd_exec_t
  - Allow nm-dispatcher tlp plugin read/write the wireless device
  - Allow nm-dispatcher tlp plugin append to init socket
  - Allow nm-dispatcher tlp plugin be client of a system bus
  - Allow nm-dispatcher list its configuration directory
  - Ecryptfs-private support
  - Allow colord map /var/lib directories
  - Allow ntlm_auth read the network state information
  - Allow insights-client search rhnsd configuration directory
* Thu Apr 21 2022 Zdenek Pytela <zpytela@redhat.com> - 36.7-3
  - Add support for nm-dispatcher tlp-rdw scripts
  - Update github actions to satisfy git 2.36 stricter rules
  - New policy for stalld
  - Allow colord read generic files in /var/lib
  - Allow xdm mounton user temporary socket files
  - Allow systemd-gpt-auto-generator create and use netlink_kobject_uevent_socket
  - Allow sssd domtrans to pkcs_slotd_t
  - Allow keepalived setsched and sys_nice
  - Allow xdm map generic files in /var/lib
  - Allow xdm read generic symbolic links in /var/lib
  - Allow pppd create a file in the locks directory
  - Add file map permission to lpd_manage_spool() interface
  - Allow system dbus daemon watch generic directories in /var/lib
  - Allow pcscd the sys_ptrace userns capability
  - Add the corecmd_watch_bin_dirs() interface
* Thu Apr 21 2022 Zdenek Pytela <zpytela@redhat.com> - 36.7-2
  - Relabel explicitly some dirs in %posttrans scriptlets
* Thu Apr 21 2022 Zdenek Pytela <zpytela@redhat.com> - 36.7-1
  - Add stalld module to modules-targeted-contrib.conf
* Mon Apr 04 2022 Zdenek Pytela <zpytela@redhat.com> - 36.6-1
  - Add support for systemd-network-generator
  - Add the io_uring class
  - Allow nm-dispatcher dhclient plugin append to init stream sockets
  - Relax the naming pattern for systemd private shared libraries
  - Allow nm-dispatcher iscsid plugin append to init socket
  - Add the init_append_stream_sockets() interface
  - Allow nm-dispatcher dnssec-trigger script to execute pidof
  - Add support for nm-dispatcher dnssec-trigger scripts
  - Allow chronyd talk with unconfined user over unix domain dgram socket
  - Allow fenced read kerberos key tables
  - Add support for nm-dispatcher ddclient scripts
  - Add systemd_getattr_generic_unit_files() interface
  - Allow fprintd read and write hardware state information
  - Allow exim watch generic certificate directories
  - Remove duplicate fc entries for corosync and corosync-notifyd
  - Label corosync-cfgtool with cluster_exec_t
  - Allow qemu-kvm create and use netlink rdma sockets
  - Allow logrotate a domain transition to cluster administrative domain
* Fri Mar 18 2022 Zdenek Pytela <zpytela@redhat.com> - 36.5-1
  - Add support for nm-dispatcher console helper scripts
  - Allow nm-dispatcher plugins read its directory and sysfs
  - Do not let system_cronjob_t create redhat-access-insights.log with var_log_t
  - devices: Add a comment about cardmgr_dev_t
  - Add basic policy for BinderFS
  - Label /var/run/ecblp0 pipe with cupsd_var_run_t
  - Allow rpmdb create directory in /usr/lib/sysimage
  - Allow rngd drop privileges via setuid/setgid/setcap
  - Allow init watch and watch_reads user ttys
  - Allow systemd-logind dbus chat with sosreport
  - Allow chronyd send a message to sosreport over datagram socket
  - Remove unnecessary /etc file transitions for insights-client
  - Label all content in /var/lib/insights with insights_client_var_lib_t
  - Update insights-client policy
* Wed Feb 23 2022 Zdenek Pytela <zpytela@redhat.com> - 36.4-2
  - Add insights_client module to modules-targeted-contrib.conf
* Wed Feb 23 2022 Zdenek Pytela <zpytela@redhat.com> - 36.4-1
  - Update NetworkManager-dispatcher cloud and chronyc policy
  - Update insights-client: fc pattern, motd, writing to etc
  - Allow systemd-sysctl read the security state information
  - Allow init create and mounton to support PrivateDevices
  - Allow sosreport dbus chat abrt systemd timedatex
* Tue Feb 22 2022 Zdenek Pytela <zpytela@redhat.com> - 36.3-2
  - Update specfile to buildrequire policycoreutils-devel >= 3.3-4
  - Add modules_checksum to %files
* Thu Feb 17 2022 Zdenek Pytela <zpytela@redhat.com> - 36.3-1
  - Update NetworkManager-dispatcher policy to use scripts
  - Allow init mounton kernel messages device
  - Revert "Make dbus-broker service working on s390x arch"
  - Remove permissive domain for insights_client_t
  - Allow userdomain read symlinks in /var/lib
  - Allow iptables list cgroup directories
  - Dontaudit mdadm list dirsrv tmpfs dirs
  - Dontaudit dirsrv search filesystem sysctl directories
  - Allow chage domtrans to sssd
  - Allow postfix_domain read dovecot certificates
  - Allow systemd-networkd create and use netlink netfilter socket
  - Allow nm-dispatcher read nm-dispatcher-script symlinks
  - filesystem.te: add genfscon rule for ntfs3 filesystem
  - Allow rhsmcertd get attributes of cgroup filesystems
  - Allow sandbox_web_client_t watch various dirs
  - Exclude container.if from policy devel files
  - Run restorecon on /usr/lib/sysimage/rpm instead of /var/lib/rpm
* Fri Feb 11 2022 Zdenek Pytela <zpytela@redhat.com> - 36.2-1
  - Allow sysadm_passwd_t to relabel passwd and group files
  - Allow confined sysadmin to use tool vipw
  - Allow login_userdomain map /var/lib/directories
  - Allow login_userdomain watch library and fonts dirs
  - Allow login_userdomain watch system configuration dirs
  - Allow login_userdomain read systemd runtime files
  - Allow ctdb create cluster logs
  - Allow alsa bind mixer controls to led triggers
  - New policy for insight-client
  - Add mctp_socket security class and access vectors
  - Fix koji repo URL pattern
  - Update chronyd_pid_filetrans() to allow create dirs
  - Update NetworkManager-dispatcher policy
  - Allow unconfined to run virtd bpf
  - Allow nm-privhelper setsched permission and send system logs
  - Add the map permission to common_anon_inode_perm permission set
  - Rename userfaultfd_anon_inode_perms to common_inode_perms
  - Allow confined users to use kinit,klist and etc.
  - Allow rhsmcertd create rpm hawkey logs with correct label
* Thu Feb 03 2022 Zdenek Pytela <zpytela@redhat.com> - 36.1-1
  - Label exFAT utilities at /usr/sbin
  - policy/modules/contrib: Support /usr/lib/sysimage/rpm as the rpmdb path
  - Enable genfs_seclabel_symlinks policy capability
  - Sync policy/policy_capabilities with refpolicy
  - refpolicy: drop unused socket security classes
  - Label new utility of NetworkManager nm-priv-helper
  - Label NetworkManager-dispatcher service with separate context
  - Allow sanlock get attributes of filesystems with extended attributes
  - Associate stratisd_data_t with device filesystem
  - Allow init read stratis data symlinks
* Tue Feb 01 2022 Zdenek Pytela <zpytela@redhat.com> - 35.13-1
  - Allow systemd services watch dbusd pid directory and its parents
  - Allow ModemManager connect to the unconfined user domain
  - Label /dev/wwan.+ with modem_manager_t
  - Allow alsactl set group Process ID of a process
  - Allow domtrans to sssd_t and role access to sssd
  - Creating interface sssd_run_sssd()
  - Label utilities for exFAT filesystems with fsadm_exec_t
  - Label /dev/nvme-fabrics with fixed_disk_device_t
  - Allow init delete generic tmp named pipes
  - Allow timedatex dbus chat with xdm
* Wed Jan 26 2022 Zdenek Pytela <zpytela@redhat.com> - 35.12-1
  - Fix badly indented used interfaces
  - Allow domain transition to sssd_t
  - Dontaudit sfcbd sys_ptrace cap_userns
  - Label /var/lib/plocate with locate_var_lib_t
  - Allow hostapd talk with unconfined user over unix domain dgram socket
  - Allow NetworkManager talk with unconfined user over unix domain dgram socket
  - Allow system_mail_t read inherited apache system content rw files
  - Add apache_read_inherited_sys_content_rw_files() interface
  - Allow rhsm-service execute its private memfd: objects
  - Allow dirsrv read configfs files and directories
  - Label /run/stratisd with stratisd_var_run_t
  - Allow tumblerd write to session_dbusd tmp socket files
* Wed Jan 19 2022 Zdenek Pytela <zpytela@redhat.com> - 35.11-1
  - Revert "Label /etc/cockpit/ws-certs.d with cert_t"
  - Allow login_userdomain write to session_dbusd tmp socket files
  - Label /var/run/user/%{USERID}/dbus with session_dbusd_tmp_t
* Mon Jan 17 2022 Zdenek Pytela <zpytela@redhat.com> - 35.10-1
  - Allow login_userdomain watch systemd-machined PID directories
  - Allow login_userdomain watch systemd-logind PID directories
  - Allow login_userdomain watch accountsd lib directories
  - Allow login_userdomain watch localization directories
  - Allow login_userdomain watch various files and dirs
  - Allow login_userdomain watch generic directories in /tmp
  - Allow rhsm-service read/write its private memfd: objects
  - Allow radiusd connect to the radacct port
  - Allow systemd-io-bridge ioctl rpm_script_t
  - Allow systemd-coredump userns capabilities and root mounton
  - Allow systemd-coredump read and write usermodehelper state
  - Allow login_userdomain create session_dbusd tmp socket files
  - Allow gkeyringd_domain write to session_dbusd tmp socket files
  - Allow systemd-logind delete session_dbusd tmp socket files
  - Allow gdm-x-session write to session dbus tmp sock files
  - Label /etc/cockpit/ws-certs.d with cert_t
  - Allow kpropd get attributes of cgroup filesystems
  - Allow administrative users the bpf capability
  - Allow sysadm_t start and stop transient services
  - Connect triggerin to pcre2 instead of pcre
* Wed Jan 12 2022 Zdenek Pytela <zpytela@redhat.com> - 35.9-1
  - Allow sshd read filesystem sysctl files
  - Revert "Allow sshd read sysctl files"
  - Allow tlp read its systemd unit
  - Allow gssproxy access to various system files.
  - Allow gssproxy read, write, and map ica tmpfs files
  - Allow gssproxy read and write z90crypt device
  - Allow sssd_kcm read and write z90crypt device
  - Allow smbcontrol read the network state information
  - Allow virt_domain map vhost devices
  - Allow fcoemon request the kernel to load a module
  - Allow sshd read sysctl files
  - Ensure that `/run/systemd/*` are properly labeled
  - Allow admin userdomains use socketpair()
  - Change /run/user/[0-9]+ to /run/user/%{USERID} for proper labeling
  - Allow lldpd connect to snmpd with a unix domain stream socket
  - Dontaudit pkcsslotd sys_admin capability
* Thu Dec 23 2021 Zdenek Pytela <zpytela@redhat.com> - 35.8-1
  - Allow haproxy get attributes of filesystems with extended attributes
  - Allow haproxy get attributes of cgroup filesystems
  - Allow sysadm execute sysadmctl in sysadm_t domain using sudo
  - Allow userdomains use pam_ssh_agent_auth for passwordless sudo
  - Allow sudodomains execute passwd in the passwd domain
  - Allow braille printing in selinux
  - Allow sandbox_xserver_t map sandbox_file_t
  - Label /dev/ngXnY and /dev/nvme-subsysX with fixed_disk_device_t
  - Add hwtracing_device_t type for hardware-level tracing and debugging
  - Label port 9528/tcp with openqa_liveview
  - Label /var/lib/shorewall6-lite with shorewall_var_lib_t
  - Document Security Flask model in the policy
* Fri Dec 10 2021 Zdenek Pytela <zpytela@redhat.com> - 35.7-1
  - Allow systemd read unlabeled symbolic links
  - Label abrt-action-generate-backtrace with abrt_handle_event_exec_t
  - Allow dnsmasq watch /etc/dnsmasq.d directories
  - Allow rhsmcertd get attributes of tmpfs_t filesystems
  - Allow lldpd use an snmp subagent over a tcp socket
  - Allow xdm watch generic directories in /var/lib
  - Allow login_userdomain open/read/map system journal
  - Allow sysadm_t connect to cluster domains over a unix stream socket
  - Allow sysadm_t read/write pkcs shared memory segments
  - Allow sysadm_t connect to sanlock over a unix stream socket
  - Allow sysadm_t dbus chat with sssd
  - Allow sysadm_t set attributes on character device nodes
  - Allow sysadm_t read and write watchdog devices
  - Allow smbcontrol use additional socket types
  - Allow cloud-init dbus chat with systemd-logind
  - Allow svnserve send mail from the system
  - Update userdom_exec_user_tmp_files() with an entrypoint rule
  - Allow sudodomain send a null signal to sshd processes
* Fri Nov 19 2021 Zdenek Pytela <zpytela@redhat.com> - 35.6-1
  - Allow PID 1 and dbus-broker IPC with a systemd user session
  - Allow rpmdb read generic SSL certificates
  - Allow rpmdb read admin home config files
  - Report warning on duplicate definition of interface
  - Allow redis get attributes of filesystems with extended attributes
  - Allow sysadm_t dbus chat with realmd_t
  - Make cupsd_lpd_t a daemon
  - Allow tlp dbus-chat with NetworkManager
  - filesystem: add fs_use_trans for ramfs
  - Allow systemd-logind destroy unconfined user's IPC objects
* Thu Nov 04 2021 Zdenek Pytela <zpytela@redhat.com> - 35.5-1
  - Support sanlock VG automated recovery on storage access loss 2/2
  - Support sanlock VG automated recovery on storage access loss 1/2
  - Revert "Support sanlock VG automated recovery on storage access loss"
  - Allow tlp get service units status
  - Allow fedora-third-party manage 3rd party repos
  - Allow xdm_t nnp_transition to login_userdomain
  - Add the auth_read_passwd_file() interface
  - Allow redis-sentinel execute a notification script
  - Allow fetchmail search cgroup directories
  - Allow lvm_t to read/write devicekit disk semaphores
  - Allow devicekit_disk_t to use /dev/mapper/control
  - Allow devicekit_disk_t to get IPC info from the kernel
  - Allow devicekit_disk_t to read systemd-logind pid files
  - Allow devicekit_disk_t to mount filesystems on mnt_t directories
  - Allow devicekit_disk_t to manage mount_var_run_t files
  - Allow rasdaemon sys_admin capability to verify the CAP_SYS_ADMIN of the soft_offline_page function implemented in the kernel
  - Use $releasever in koji repo to reduce rawhide hardcoding
  - authlogin: add fcontext for tcb
  - Add erofs as a SELinux capable file system
  - Allow systemd execute user bin files
  - Support sanlock VG automated recovery on storage access loss
  - Support new PING_CHECK health checker in keepalived
* Wed Oct 20 2021 Zdenek Pytela <zpytela@redhat.com> - 35.4-1
  - Allow fedora-third-party map generic cache files
  - Add gnome_map_generic_cache_files() interface
  - Add files_manage_var_lib_dirs() interface
  - Allow fedora-third party manage gpg keys
  - Allow fedora-third-party run "flatpak remote-add --from flathub"
* Tue Oct 19 2021 Zdenek Pytela <zpytela@redhat.com> - 35.3-1
  - Allow fedora-third-party run flatpak post-install actions
  - Allow fedora-third-party set_setsched and sys_nice
* Mon Oct 18 2021 Zdenek Pytela <zpytela@redhat.com> - 35.2-1
  - Allow fedora-third-party execute "flatpak remote-add"
  - Add files_manage_var_lib_files() interface
  - Add write permisson to userfaultfd_anon_inode_perms
  - Allow proper function sosreport via iotop
  - Allow proper function sosreport in sysadmin role
  - Allow fedora-third-party to connect to the system log service
  - Allow fedora-third-party dbus chat with policykit
  - Allow chrony-wait service start with DynamicUser=yes
  - Allow management of lnk_files if similar access to regular files
  - Allow unconfined_t transition to mozilla_plugin_t with NoNewPrivileges
  - Allow systemd-resolved watch /run/systemd
  - Allow fedora-third-party create and use unix_dgram_socket
  - Removing pkcs_tmpfs_filetrans interface and edit pkcs policy files
  - Allow login_userdomain named filetrans to pkcs_slotd_tmpfs_t domain
* Thu Oct 07 2021 Zdenek Pytela <zpytela@redhat.com> - 35.1-1
  - Add fedoratp module
  - Allow xdm_t domain transition to fedoratp_t
  - Allow ModemManager create and use netlink route socket
  - Add default file context for /run/gssproxy.default.sock
  - Allow xdm_t watch fonts directories
  - Allow xdm_t watch generic directories in /lib
  - Allow xdm_t watch generic pid directories

Files

/etc/selinux
/etc/selinux/config
/etc/sysconfig/selinux
/usr/lib/rpm/macros.d/macros.selinux-policy
/usr/lib/systemd/system/selinux-check-proper-disable.service
/usr/lib/tmpfiles.d/selinux-policy.conf
/usr/share/licenses/selinux-policy
/usr/share/licenses/selinux-policy/COPYING
/usr/share/selinux
/usr/share/selinux/packages

Generated by rpm2html 1.8.1

Fabrice Bellet, Tue Apr 9 21:54:28 2024