
selinux-policy-sandbox-38.1.63-1.el9 RPM for noarch

From CentOS Stream 9 BaseOS for s390x

Name: selinux-policy-sandbox
Distribution: CentOS
Version: 38.1.63
Vendor: CentOS
Release: 1.el9
Build date: Wed Jul 30 18:53:40 2025
Group: Unspecified
Build host: aarch64-06.stream.rdu2.redhat.com
Size: 88448
Source RPM: selinux-policy-38.1.63-1.el9.src.rpm
Packager: builder@centos.org
Url: https://github.com/fedora-selinux/selinux-policy
Summary: SELinux sandbox policy
SELinux sandbox policy for use with the sandbox utility.

Provides

Requires

License

GPLv2+

Changelog

* Wed Jul 30 2025 Zdenek Pytela <zpytela@redhat.com> - 38.1.63-1
  - Allow samba-dcerpcd send sigkills to passwd
  Resolves: RHEL-100032
  - Allow power-profiles-daemon watch sysfs directories
  Resolves: RHEL-100718
  - Allow power-profiles-daemon write sysfs files
  Resolves: RHEL-100718
  - Allow hostapd write to socket files in /tmp
  Resolves: RHEL-59683
  - Allow irqbalance search sssd lib directories
  Resolves: RHEL-1556
  - Add insights_client_delete_lib_dirs() interface
  Related: RHEL-59145
* Fri Jul 18 2025 Zdenek Pytela <zpytela@redhat.com> - 38.1.62-1
  - Allow "hostapd_cli ping" run as a systemd service
  Resolves: RHEL-59683
  - Allow systemd-timedated start/stop timemaster services
  Resolves: RHEL-95690
  - Allow lldpd connect to systemd-machined over a unix socket
  Resolves: RHEL-96167
  - Allow power-profiles-daemon get attributes of filesystems with extended attributes
  Resolves: RHEL-100718
  - Allow tuned-ppd watch_reads sysfs directories
  Resolves: RHEL-101687
  - Allow tuned-ppd watch sysfs directories
  Resolves: RHEL-101687
* Mon Jul 14 2025 Zdenek Pytela <zpytela@redhat.com> - 38.1.61-1
  - Fix incorrect /run and /usr/bin file context entries
  Resolves: SELINUX-4392
  - Dontaudit irqbalance read sssd public files
  Resolves: RHEL-1556
  - Update sssd_dontaudit_read_public_files()
  Resolves: RHEL-1556
  - Allow insights-client file transition for files in /var/tmp
  Resolves: SELINUX-4392
  - Add the virt_exec_virsh() interface
  Resolves: SELINUX-4392
  - Add the ssh_exec_sshd() interface
  Resolves: SELINUX-4392
  - Add rhsmcertd interfaces
  Resolves: SELINUX-4392
  - Add the bind_exec_named_checkconf() interface
  Resolves: SELINUX-4392
  - Add the auth_write_motd_var_run_files() interface
  Resolves: SELINUX-4392
  - Add the gpg_domtrans_agent() interface
  Resolves: SELINUX-4392
  - Add the gpg_read_user_secrets() interface
  Resolves: SELINUX-4392
  - Add policy for insights-core
  Resolves: SELINUX-4392
* Thu Jul 03 2025 Zdenek Pytela <zpytela@redhat.com> - 38.1.60-1
  - Allow irqbalance execute shell if irqbalance_run_unconfined is on
  Resolves: RHEL-1556
  - Update irqbalance policy for using unconfined scripts
  Resolves: RHEL-1556
* Tue Jul 01 2025 Zdenek Pytela <zpytela@redhat.com> - 38.1.59-1
  - virt: allow QEMU use of the qgs daemon for attestation
  Resolves: RHEL-87744
  - qgs: add contrib module for TDX "qgs" daemon
  Resolves: RHEL-87744
  - kernel: add interfaces for using SGX enclaves
  Resolves: RHEL-87744
  - Allow coreos-installer search sssd library directory
  Resolves: RHEL-95689
  - Label /dev/diag as diagnostic_device_t
  Resolves: RHEL-95342
  - Allow irqbalance execute shell if irqbalance_run_unconfined is on
  Resolves: RHEL-1556
* Mon Jun 09 2025 Zdenek Pytela <zpytela@redhat.com> - 38.1.58-1
  - Allow mptcpd the net_admin capability
  Resolves: RHEL-81729
  - Allow networkmanager send a general signal to iptables
  Resolves: RHEL-93741
  - Make bootupd use bootupd_tmp_t as its private type for files in /tmp
  Resolves: RHEL-94508
  - Update bootupd policy
  Resolves: RHEL-94508
  - Allow switcheroo-control dbus chat with xdm
  Resolves: RHEL-93335
  - Update the files_search_mnt() interface
  Resolves: RHEL-94184
* Thu May 29 2025 Zdenek Pytela <zpytela@redhat.com> - 38.1.57-1
  - Update policy for haproxyd
  Resolves: RHEL-88045
  - Allow NetworkManager manage NetworkManager_etc_rw_t symlinks
  Resolves: RHEL-86178
  - Allow lldpad connect to systemd-userdbd over a unix socket
  Resolves: RHEL-84046
  - Allow gconfd connect to system dbus
  Resolves: RHEL-77984
  - Allow login_pgm read filesystem sysctls
  Resolves: RHEL-77745
  - Allow login_userdomain create /run/tlog directory with user_tmp_t
  Resolves: RHEL-47241
* Tue May 06 2025 Zdenek Pytela <zpytela@redhat.com> - 38.1.56-1
  - Remove 3 permissive domains
  Resolves: RHEL-82674
  - Allow tuned-ppd dbus chat with xdm
  Resolves: RHEL-87203
  - Allow system-dbusd list systemd-machined directories
  Resolves: RHEL-85379
  - Allow NetworkManager create and use icmp_socket
  Resolves: RHEL-83529
  - Allow journalctl connect to systemd-userdbd over a unix socket
  Resolves: RHEL-82673
  - allow gdm and iiosensorproxy talk to each other via D-bus
  Resolves: RHEL-80697
  - Allow varnishd execute the prlimit64() syscall
  Resolves: RHEL-77995
  - Allow system_dbusd_t r/w unix stream sockets of unconfined_service_t
  Resolves: RHEL-61928
  - Add the getattr permission to 2 dontaudit interfaces
  Resolves: RHEL-59145
* Fri Apr 11 2025 Vit Mojzis <vmojzis@redhat.com> - 38.1.55-2
  - automotive: Deny unknown classes/permissions (RHEL-86827)
* Fri Apr 11 2025 Zdenek Pytela <zpytela@redhat.com> - 38.1.55-1
  - Allow tuned-ppd read sssd public files
  Resolves: RHEL-69526
  - Allow systemd-journal-upload read init pid files
  Resolves: RHEL-62196
  - Label SetroubleshootPrivileged.py with setroubleshootd_exec_t
  Resolves: RHEL-77319
  - Allow chronyd-restricted sendto to chronyc
  Resolves: RHEL-82308
  - Allow chronyc sendto to chronyd-restricted
  Resolves: RHEL-82308
* Mon Mar 31 2025 Zdenek Pytela <zpytela@redhat.com> - 38.1.54-1
  - Confine tuned-ppd
  Resolves: RHEL-69526
  - Make tuned work with mls policy
  Resolves: RHEL-69526
  - Allow afterburn to mount and read config drives
  Resolves: RHEL-79319
* Fri Mar 14 2025 Zdenek Pytela <zpytela@redhat.com> - 38.1.53-4
  - Allow afterburn to mount and read config drives
  Resolves: RHEL-82276
* Fri Feb 07 2025 Zdenek Pytela <zpytela@redhat.com> - 38.1.53-1
  - Allow svirt_t to connect to nbdkit over a unix stream socket
  Resolves: RHEL-56029
  - Allow power-profiles-daemon the bpf capability
  Resolves: RHEL-61117
  - Allow systemd-machined the kill user-namespace capability
  Resolves: RHEL-76352
* Fri Jan 31 2025 Zdenek Pytela <zpytela@redhat.com> - 38.1.52-1
  - Add the files_read_root_files() interface
  Resolves: RHEL-70849
  - Dontaudit systemd-logind remove all files
  Resolves: RHEL-59145
  - Add the files_dontaudit_read_all_dirs() interface
  Resolves: RHEL-59145
  - Add the files_dontaudit_delete_all_files() interface
  Resolves: RHEL-59145
  - Allow rhsmcertd notify virt-who
  Resolves: RHEL-77152
  - Allow irqbalance to run unconfined scripts conditionally
  Resolves: RHEL-1556
  - Backport bootupd policy from current Fedora rawhide
  Resolves: RHEL-70849
  - Support using systemd containers
  Resolves: RHEL-76352
  - Allow svirt_t connect to unconfined_t over a unix domain socket
  Resolves: RHEL-37539
  - Allow virt_domain to use pulseaudio - conditional
  Resolves: RHEL-1379
  - Allow telnetd read network sysctls
  Resolves: RHEL-58825
  - Allow alsa watch generic device directories
  Resolves: RHEL-61472
  - Update switcheroo policy
  Resolves: RHEL-24268
* Wed Jan 15 2025 Zdenek Pytela <zpytela@redhat.com> - 38.1.51-1
  - Allow rsyslog read systemd-logind session files
  Resolves: RHEL-73839
  - Allow samba-bgqd connect to cupsd over an unix domain stream socket
  Resolves: RHEL-72860
  - Allow svirt_t read sysfs files
  Resolves: RHEL-70839
  - Allow xdm dbus chat with power-profiles-daemon
  Resolves: RHEL-61117
  - Update power-profiles-daemon policy
  Resolves: RHEL-61117
  - Confine power-profiles-daemon
  Resolves: RHEL-61117
  - Allow virtqemud domain transition to nbdkit
  Resolves: RHEL-56029
  - Add nbdkit interfaces defined conditionally
  Resolves: RHEL-56029
  - Confine the switcheroo-control service
  Resolves: RHEL-24268
* Fri Dec 13 2024 Zdenek Pytela <zpytela@redhat.com> - 38.1.50-1
  - Allow auditctl signal auditd
  Resolves: RHEL-68969
  - Fix the cups_read_pid_files() interface to use read_files_pattern
  Resolves: RHEL-69517
  - Dontaudit systemd-coredump the sys_resource capability
  Resolves: RHEL-46339
  - Allow rpcd read network sysctls
  Resolves: RHEL-1558
  - Allow irqbalance setpcap capability in the user namespace
  Resolves: RHEL-69564
  - Allow traceroute_t bind rawip sockets to unreserved ports
  Resolves: RHEL-54561
  - Allow svirt_t the sys_rawio capability
  Resolves: RHEL-56955
  - Change /run/sysctl\.d(/.*)? fc entry to /var/run/sysctl\.d(/.*)?
  Resolves: RHEL-56988
  - Exclude container-selinux manpage from selinux-policy-doc
  Resolves: RHEL-69916
* Fri Dec 06 2024 Zdenek Pytela <zpytela@redhat.com> - 38.1.49-1
  - Update virtlogd policy
  Resolves: RHEL-69433
  - Allow svirt_t the sys_rawio capability
  Resolves: RHEL-56955
  - Allow qemu-ga the dac_override and dac_read_search capabilities
  Resolves: RHEL-52476
  - Allow ip the setexec permission
  Resolves: RHEL-62923
  - Allow alsa get attributes filesystems with extended attributes
  Resolves: RHEL-61472
  - Allow bacula execute container in the container domain
  Resolves: RHEL-21168
  - Allow httpd get attributes of dirsrv unit files
  Resolves: RHEL-46808
  - Update samba-bgqd policy
  Resolves: RHEL-69517
  - Allow samba-bgqd read cups config files
  Resolves: RHEL-69517
  - Update policy for samba-bgqd
  Resolves: RHEL-69517
  - Update bootupd policy for the removing-state-file test
  Resolves: RHEL-66584
  - Allow qatlib search the content of the kernel debugging filesystem
  Resolves: RHEL-53864
  - Allow qatlib connect to systemd-machined over a unix socket
  Resolves: RHEL-53864
  - Update qatlib policy for v24.02 with new features
  Resolves: RHEL-53864
* Tue Nov 12 2024 Zdenek Pytela <zpytela@redhat.com> - 38.1.48-1
  - Revert "Allow unconfined_t execute kmod in the kmod domain"
  Resolves: RHEL-65008
  - Add policy for /usr/libexec/samba/samba-bgqd
  Resolves: RHEL-53124
* Wed Oct 23 2024 Zdenek Pytela <zpytela@redhat.com> - 38.1.47-1
  - Label /etc/sysctl.d and /run/sysctl.d with system_conf_t
  Resolves: RHEL-56988
  - Allow lldpad create and use netlink_generic_socket
  Resolves: RHEL-61832
  - Allow unconfined_t execute kmod in the kmod domain
  Resolves: RHEL-54710
  - Allow confined users r/w to screen unix stream socket
  Resolves: RHEL-50379
  - Label /root/.screenrc and /root/.tmux.conf with screen_home_t
  Resolves: RHEL-50375
  - Allow iio-sensor-proxy the bpf capability
  Resolves: RHEL-17346
* Fri Oct 11 2024 Zdenek Pytela <zpytela@redhat.com> - 38.1.46-1
  - Rebuild
* Thu Oct 10 2024 Zdenek Pytela <zpytela@redhat.com> - 35.1.46-1
  - Label /run/modprobe.d with modules_conf_t
  Resolves: RHEL-61453
  - Allow boothd connect to kernel over a unix socket
  Resolves: RHEL-57104
  - Allow boothd connect to systemd-userdbd over a unix socket
  Resolves: RHEL-57104
  - Additional updates stalld policy for bpf usage
  Resolves: RHEL-57075
  - Update stalld policy for bpf usage
  Resolves: RHEL-57075
  - Allow ptp4l the sys_admin capability
  Resolves: RHEL-55133
  - Label /dev/hfi1_[0-9]+ devices
  Resolves: RHEL-54996
  - Confine iio-sensor-proxy
  Resolves: RHEL-17346
* Mon Sep 16 2024 Zdenek Pytela <zpytela@redhat.com> - 38.1.45-3
  - Rebuild
  Resolves: RHEL-55414
* Wed Sep 04 2024 Zdenek Pytela <zpytela@redhat.com> - 38.1.45-2
  - Rebuild
  Resolves: RHEL-55414
* Thu Aug 29 2024 Zdenek Pytela <zpytela@redhat.com> - 38.1.45-1
  - Allow setsebool_t relabel selinux data files
  Resolves: RHEL-55414
* Mon Aug 12 2024 Zdenek Pytela <zpytela@redhat.com> - 38.1.44-1
  - Allow coreos-installer-generator work with partitions
  Resolves: RHEL-38614
  - Label /etc/mdadm.conf.d with mdadm_conf_t
  Resolves: RHEL-38614
  - Change file context specification to /var/run/metadata
  Resolves: RHEL-49735
  - Allow initrc_t transition to passwd_t
  Resolves: RHEL-17404
  - systemd: allow systemd_notify_t to send data to kernel_t datagram sockets
  Resolves: RHEL-25514
  - systemd: allow sys_admin capability for systemd_notify_t
  Resolves: RHEL-25514
  - Change systemd-network-generator transition to include class file
  Resolves: RHEL-47033
  - Allow sshd_keygen_t connect to userdbd over a unix stream socket
  Resolves: RHEL-47033
* Wed Jul 31 2024 Zdenek Pytela <zpytela@redhat.com> - 38.1.43-1
  - Allow rhsmcertd read/write access to /dev/papr-sysparm
  Resolves: RHEL-49599
  - Label /dev/papr-sysparm and /dev/papr-vpd
  Resolves: RHEL-49599
  - Allow rhsmcertd read, write, and map ica tmpfs files
  Resolves: RHEL-50926
  - Update afterburn file transition policy
  Resolves: RHEL-49735
  - Label /run/metadata with afterburn_runtime_t
  Resolves: RHEL-49735
  - Allow afterburn list ssh home directory
  Resolves: RHEL-49735
  - Support SGX devices
  Resolves: RHEL-50922
  - Allow systemd-pstore send a message to syslogd over a unix domain
  Resolves: RHEL-45528
  - Allow postfix_domain map postfix_etc_t files
  Resolves: RHEL-46332
  - Allow microcode create /sys/devices/system/cpu/microcode/reload
  Resolves: RHEL-26821
  - Allow svirt_tcg_t map svirt_image_t files
  Resolves: RHEL-27141
  - Allow systemd-hostnamed shut down nscd
  Resolves: RHEL-45033
  - Allow postfix_domain connect to postgresql over a unix socket
  Resolves: RHEL-6776
* Thu Jul 18 2024 Zdenek Pytela <zpytela@redhat.com> - 38.1.42-1
  - Label samba certificates with samba_cert_t
  Resolves: RHEL-25724
  - Allow systemd-coredumpd the sys_chroot capability
  Resolves: RHEL-45245
  - Allow svirt_tcg_t read vm sysctls
  Resolves: RHEL-27141
  - Label /usr/sbin/samba-gpupdate with samba_gpupdate_exec_t
  Resolves: RHEL-25724
  - Label /var/run/coreos-installer-reboot with coreos_installer_var_run_t
  Resolves: RHEL-38614
  - Allow coreos-installer add systemd unit file links
  Resolves: RHEL-38614
* Sun Jul 07 2024 Zdenek Pytela <zpytela@redhat.com> - 38.1.41-1
  - Differentiate between staff and sysadm when executing crontab with sudo
  Resolves: RHEL-31888
  - Label /usr/bin/samba-gpupdate with samba_gpupdate_exec_t
  Resolves: RHEL-25724
  - Allow unconfined_service_t transition to passwd_t
  Resolves: RHEL-17404
  - Allow sbd to trace processes in user namespace
  Resolves: RHEL-44680
  - Allow systemd-coredumpd sys_admin and sys_resource capabilities
  Resolves: RHEL-45245
  - Label /usr/lib/node_modules/npm/bin with bin_t
  Resolves: RHEL-36587
  - Support /var is empty
  Resolves: RHEL-29331
  - Allow timemaster write to sysfs files
  Resolves: RHEL-28777
  - Don't audit crontab_domain write attempts to user home
  Resolves: RHEL-31888
  - Transition from sudodomains to crontab_t when executing crontab_exec_t
  Resolves: RHEL-31888
  - Fix label of pseudoterminals created from sudodomain
  Resolves: RHEL-31888
* Tue Jun 18 2024 Zdenek Pytela <zpytela@redhat.com> - 38.1.40-1
  - Allow systemd-coredump read nsfs files
  Resolves: RHEL-39937
  - Allow login_userdomain execute systemd-tmpfiles in the caller domain
  Resolves: RHEL-40374
  - Allow ptp4l_t request that the kernel load a kernel module
  Resolves: RHEL-38905
  - Allow collectd to trace processes in user namespace
  Resolves: RHEL-36293
* Thu Jun 06 2024 Zdenek Pytela <zpytela@redhat.com> - 38.1.39-1
  - Add interfaces for watching and reading ifconfig_var_run_t
  Resolves: RHEL-39408
  - Allow dhcpcd use unix_stream_socket
  Resolves: RHEL-39408
  - Allow dhcpc read /run/netns files
  Resolves: RHEL-39408
  - Allow all domains read and write z90crypt device
  Resolves: RHEL-38833
  - Allow bootupd search efivarfs dirs
  Resolves: RHEL-36289
  - Move unconfined_domain(sap_unconfined_t) to an optional block
  Resolves: RHEL-37663
* Thu May 16 2024 Zdenek Pytela <zpytela@redhat.com> - 38.1.38-1
  - Add boolean qemu-ga to run unconfined script
  Resolves: RHEL-31211
  - Ensure dbus communication is allowed bidirectionally
  Resolves: RHEL-35782
  - Allow logwatch_mail_t read network sysctls
  Resolves: RHEL-34135
  - Allow sysadm execute dmidecode using sudo
  Resolves: RHEL-16104
  - Allow sudodomain list files in /var
  Resolves: RHEL-16104
  - Allow various services read and write z90crypt device
  Resolves: RHEL-33361
  - Allow system_cronjob_t dbus chat with avahi_t
  Resolves: RHEL-32290
  - Allow setroubleshootd get attributes of all sysctls
  Resolves: RHEL-34078
  - Remove permissive domain for bootupd_t
  Resolves: RHEL-22173
* Tue May 07 2024 Zdenek Pytela <zpytela@redhat.com> - 38.1.37-1
  - Allow numad to trace processes in user namespace
  Resolves: RHEL-33994
  - Remove permissive domain for rshim_t
  Resolves: RHEL-22173
  - Remove permissive domain for mptcpd_t
  Resolves: RHEL-22173
  - Remove permissive domain for coreos_installer_t
  Resolves: RHEL-22173
  - Remove permissive domain for afterburn_t
  Resolves: RHEL-22173
  - Update afterburn policy
  Resolves: RHEL-22173
  - Allow bootupd search EFI directory
  Resolves: RHEL-22172
  - Add the bootupd module
  Resolves: RHEL-22172
  - Add policy for bootupd
  Resolves: RHEL-22172
  - Label /dev/mmcblk0rpmb character device with removable_device_t
  Resolves: RHEL-28080
  - Differentiate between staff and sysadm when executing crontab with sudo
  Resolves: RHEL-31888
  - Add crontab_admin_domtrans interface
  Resolves: RHEL-31888
  - Add crontab_domtrans interface
  Resolves: RHEL-31888
  - Allow svirt_t read vm sysctls
  Resolves: RHEL-32296
* Mon Apr 15 2024 Zdenek Pytela <zpytela@redhat.com> - 38.1.36-1
  - Allow systemd-timedated get the timemaster service status
  Resolves: RHEL-25978
  - postfix: allow qmgr to delete mails in bounce/ directory
  Resolves: RHEL-30271
  - Allow NetworkManager the sys_ptrace capability in user namespace
  Resolves: RHEL-24346
  - Label /dev/iommu with iommu_device_t
  Resolves: RHEL-22063
  - Allow qemu-ga read vm sysctls
  Resolves: RHEL-31892
  - Update repository link and branches names for c9s
  Related: RHEL-22960
* Thu Mar 14 2024 Zdenek Pytela <zpytela@redhat.com> - 38.1.35-2
  - Rebuild
  Resolves: RHEL-26663
* Fri Mar 08 2024 Zdenek Pytela <zpytela@redhat.com> - 38.1.35-1
  - Allow wdmd read hardware state information
  Resolves: RHEL-26663
* Fri Mar 08 2024 Zdenek Pytela <zpytela@redhat.com> - 38.1.34-1
  - Allow wdmd list the contents of the sysfs directories
  Resolves: RHEL-26663
  - Allow linuxptp configure phc2sys and chronyd over a unix domain socket
  Resolves: RHEL-26660
* Thu Feb 22 2024 Juraj Marcin <jmarcin@redhat.com> - 38.1.33-1
  - Allow thumb_t to watch and watch_reads mount_var_run_t
  Resolves: RHEL-26073
  - Allow opafm create NFS files and directories
  Resolves: RHEL-17820
  - Label /tmp/libdnf.* with user_tmp_t
  Resolves: RHEL-11250
* Thu Feb 15 2024 Juraj Marcin <jmarcin@redhat.com> - 38.1.32-1
  - Dontaudit subscription manager setfscreate and read file contexts
  Resolves: RHEL-21635
  - Allow xdm_t to watch and watch_reads mount_var_run_t
  Resolves: RHEL-24841
  - Allow unix dgram sendto between exim processes
  Resolves: RHEL-21902
  - Allow utempter_t use ptmx
  Resolves: RHEL-24946
  - Only allow confined user domains to login locally without unconfined_login
  Resolves: RHEL-1551
  - Add userdom_spec_domtrans_confined_admin_users interface
  Resolves: RHEL-1551
  - Only allow admindomain to execute shell via ssh with ssh_sysadm_login
  Resolves: RHEL-1551
  - Add userdom_spec_domtrans_admin_users interface
  Resolves: RHEL-1551
  - Move ssh dyntrans to unconfined inside unconfined_login tunable policy
  Resolves: RHEL-1551
* Thu Jan 25 2024 Juraj Marcin <jmarcin@redhat.com> - 38.1.31-1
  - Allow chronyd-restricted read chronyd key files
  Resolves: RHEL-18219
  - Allow conntrackd_t to use bpf capability2
  Resolves: RHEL-22277
  - Allow smbd_t to watch user_home_dir_t if samba_enable_home_dirs is on
  Resolves: RHEL-14735
  - Allow hypervkvp_t write access to NetworkManager_etc_rw_t
  Resolves: RHEL-14505
  - Add interface for write-only access to NetworkManager rw conf
  Resolves: RHEL-14505
  - Allow unconfined_domain_type use IORING_OP_URING_CMD on all device nodes
  Resolves: RHEL-11792
* Fri Jan 12 2024 Zdenek Pytela <zpytela@redhat.com> - 38.1.30-1
  - Allow sysadm execute traceroute in sysadm_t domain using sudo
  Resolves: RHEL-14077
  - Allow qatlib set attributes of vfio device files
  Resolves: RHEL-19051
  - Allow qatlib load kernel modules
  Resolves: RHEL-19051
  - Allow qatlib run lspci
  Resolves: RHEL-19051
  - Allow qatlib manage its private runtime socket files
  Resolves: RHEL-19051
  - Allow qatlib read/write vfio devices
  Resolves: RHEL-19051
  - Allow syslog to run unconfined scripts conditionally
  Resolves: RHEL-11174
  - Allow syslogd_t nnp_transition to syslogd_unconfined_script_t
  Resolves: RHEL-11174
  - Allow sendmail MTA connect to sendmail LDA
  Resolves: RHEL-15175
  - Allow sysadm execute tcpdump in sysadm_t domain using sudo
  Resolves: RHEL-15432
  - Allow opafm search nfs directories
  Resolves: RHEL-17820
  - Allow mdadm list stratisd data directories
  Resolves: RHEL-19276
  - Update cyrus_stream_connect() to use sockets in /run
  Resolves: RHEL-19282
  - Allow collectd connect to statsd port
  Resolves: RHEL-21044
  - Allow insights-client transition to sap unconfined domain
  Resolves: RHEL-21452
  - Create the sap module
  Resolves: RHEL-21452
* Thu Dec 14 2023 Juraj Marcin <jmarcin@redhat.com> - 38.1.29-1
  - Add init_explicit_domain() interface
  Resolves: RHEL-18219
  - Allow dovecot_auth_t connect to postgresql using UNIX socket
  Resolves: RHEL-16850
  - Allow keepalived_t to use sys_ptrace of cap_userns
  Resolves: RHEL-17156
  - Make `bootc` be `install_exec_t`
  Resolves: RHEL-19199
  - Add support for chronyd-restricted
  Resolves: RHEL-18219
  - Label /dev/vas with vas_device_t
  Resolves: RHEL-17336
  - Allow gpsd use /dev/gnss devices
  Resolves: RHEL-16676
  - Allow sendmail manage its runtime files
  Resolves: RHEL-15175
  - Add support for syslogd unconfined scripts
  Resolves: RHEL-11174
* Thu Nov 30 2023 Juraj Marcin <jmarcin@redhat.com> - 38.1.28-1
  - Create interface selinux_watch_config and add it to SELinux users
  Resolves: RHEL-1555
  - Allow winbind_rpcd_t processes access when samba_export_all_* is on
  Resolves: RHEL-16273
  - Allow samba-dcerpcd connect to systemd_machined over a unix socket
  Resolves: RHEL-16273
  - Allow winbind-rpcd make a TCP connection to the ldap port
  Resolves: RHEL-16273
  - Allow sudodomain read var auth files
  Resolves: RHEL-16708
  - Allow auditd read all domains process state
  Resolves: RHEL-14285
  - Allow rsync read network sysctls
  Resolves: RHEL-14638
  - Add dhcpcd bpf capability to run bpf programs
  Resolves: RHEL-15326
  - Allow systemd-localed create Xserver config dirs
  Resolves: RHEL-16716
  - Label /var/run/tmpfiles.d/static-nodes.conf with kmod_var_run_t
  Resolves: RHEL-1553
  - Update sendmail policy module for opensmtpd
  Resolves: RHEL-15175
* Tue Nov 14 2023 Juraj Marcin <jmarcin@redhat.com> - 38.1.27-1
  - Remove glusterd module
  Resolves: RHEL-1548
  - Improve default file context(None) of /var/lib/authselect/backups
  Resolves: RHEL-15220
  - Set default file context of /var/lib/authselect/backups to <<none>>
  Resolves: RHEL-15220
  - Create policy for afterburn
  Resolves: RHEL-12591
  - Allow unconfined_domain_type use io_uring cmd on domain
  Resolves: RHEL-11792
  - Add policy for coreos installer
  Resolves: RHEL-5164
  - Add policy for nvme-stas
  Resolves: RHEL-1557
  - Label /var/run/auditd.state as auditd_var_run_t
  Resolves: RHEL-14374
  - Allow ntp to bind and connect to ntske port.
  Resolves: RHEL-15085
  - Allow ip an explicit domain transition to other domains
  Resolves: RHEL-14246
  - Label /usr/libexec/selinux/selinux-autorelabel with semanage_exec_t
  Resolves: RHEL-14289
  - Allow sssd domain transition on passkey_child execution conditionally
  Resolves: RHEL-14014
  - Allow sssd use usb devices conditionally
  Resolves: RHEL-14014
  - Allow kdump create and use its memfd: objects
  Resolves: RHEL-14413
* Tue Oct 31 2023 Zdenek Pytela <zpytela@redhat.com> - 38.1.26-1
  - Allow kdump create and use its memfd: objects
  Resolves: RHEL-14413
* Fri Oct 20 2023 Zdenek Pytela <zpytela@redhat.com> - 38.1.25-1
  - Add map_read map_write to kernel_prog_run_bpf
  Resolves: RHEL-2653
  - Allow sysadm_t read nsfs files
  Resolves: RHEL-5146
  - Dontaudit keepalived setattr on keepalived_unconfined_script_exec_t
  Resolves: RHEL-14029
  - Allow system_mail_t manage exim spool files and dirs
  Resolves: RHEL-14110
  - Label /run/pcsd.socket with cluster_var_run_t
  Resolves: RHEL-1664
* Fri Sep 29 2023 Juraj Marcin <jmarcin@redhat.com> - 38.1.24-1
  - Allow cupsd_t to use bpf capability
  Resolves: RHEL-3633
  - Label /dev/gnss[0-9] with gnss_device_t
  Resolves: RHEL-9936
  - Dontaudit rhsmcertd write memory device
  Resolves: RHEL-1547
* Fri Aug 25 2023 Nikola Knazekova <nknazeko@redhat.com> - 38.1.23-1
  - Allow cups-pdf connect to the system log service
  Resolves: rhbz#2234765
  - Update policy for qatlib
  Resolves: rhbz#2080443
* Thu Aug 24 2023 Nikola Knazekova <nknazeko@redhat.com> - 38.1.22-1
  - Allow qatlib to modify hardware state information.
  Resolves: rhbz#2080443
  - Update policy for fdo
  Resolves: rhbz#2229722
  - Allow gpsd, oddjob and oddjob_mkhomedir_t write user_tty_device_t chr_file
  Resolves: rhbz#2223305
  - Allow svirt to rw /dev/udmabuf
  Resolves: rhbz#2223727
  - Allow keepalived watch var_run dirs
  Resolves: rhbz#2186759
* Thu Aug 17 2023 Nikola Knazekova <nknazeko@redhat.com> - 38.1.21-1
  - Allow logrotate_t to map generic files in /etc
  Resolves: rhbz#2231257
  - Allow insights-client manage user temporary files
  Resolves: rhbz#2224737
  - Make insights_client_t an unconfined domain
  Resolves: rhbz#2225526
* Fri Aug 11 2023 Nikola Knazekova <nknazeko@redhat.com> - 38.1.20-1
  - Allow user_u and staff_u get attributes of non-security dirs
  Resolves: rhbz#2215507
  - Allow cloud_init create dhclient var files and init_t manage net_conf_t
  Resolves: rhbz#2225418
  - Allow samba-dcerpc service manage samba tmp files
  Resolves: rhbz#2230365
  - Update samba-dcerpc policy for printing
  Resolves: rhbz#2230365
  - Allow sysadm_t run kernel bpf programs
  Resolves: rhbz#2229936
  - allow mon_procd_t self:cap_userns sys_ptrace
  Resolves: rhbz#2221986
  - Remove nsplugin_role from mozilla.if
  Resolves: rhbz#2221251
  - Allow unconfined user filetrans chrome_sandbox_home_t
  Resolves: rhbz#2187893
  - Allow pdns name_bind and name_connect all ports
  Resolves: rhbz#2047945
  - Allow insights-client read and write cluster tmpfs files
  Resolves: rhbz#2221631
  - Allow ipsec read nsfs files
  Resolves: rhbz#2230277
  - Allow upsmon execute upsmon via a helper script
  Resolves: rhbz#2228403
  - Fix labeling for no-stub-resolv.conf
  Resolves: rhbz#2148390
  - Add use_nfs_home_dirs boolean for mozilla_plugin
  Resolves: rhbz#2214298
  - Change wording in /etc/selinux/config
  Resolves: rhbz#2143153
* Thu Aug 03 2023 Nikola Knazekova <nknazeko@redhat.com> - 38.1.19-1
  - Allow qatlib to read sssd public files
  Resolves: rhbz#2080443
  - Fix location for /run/nsd
  Resolves: rhbz#2181600
  - Allow samba-rpcd work with passwords
  Resolves: rhbz#2107092
  - Allow rpcd_lsad setcap and use generic ptys
  Resolves: rhbz#2107092
  - Allow gpsd,oddjob,oddjob_mkhomedir rw user domain pty
  Resolves: rhbz#2223305
  - Allow keepalived to manage its tmp files
  Resolves: rhbz#2179212
  - Allow nscd watch system db dirs
  Resolves: rhbz#2152124

Files

/usr/share/selinux/packages/sandbox.pp


Generated by rpm2html 1.8.1

Fabrice Bellet, Tue Oct 21 04:50:20 2025