
selinux-policy-37.12-2.fc37 RPM for noarch

From Fedora 37 for s390x / s

Name: selinux-policy
Version: 37.12
Release: 2.fc37
Group: Unspecified
Size: 25743
Distribution: Fedora Project
Vendor: Fedora Project
Build date: Fri Sep 23 17:34:44 2022
Build host: buildvm-x86-16.iad2.fedoraproject.org
Source RPM: selinux-policy-37.12-2.fc37.src.rpm
Packager: Fedora Project
Url: https://github.com/fedora-selinux/selinux-policy
Summary: SELinux policy configuration
SELinux core policy package.
Originally based off of reference policy,
the policy has been adjusted to provide support for Fedora.

License

GPLv2+

Changelog

* Fri Sep 23 2022 Zdenek Pytela <zpytela@redhat.com> - 37.12-2
  - Update make-rhat-patches.sh file to use the f37 dist-git branch in F37
* Thu Sep 22 2022 Zdenek Pytela <zpytela@redhat.com> - 37.12-1
  - nut-upsd: kernel_read_system_state, fs_getattr_cgroup
  - Add numad the ipc_owner capability
  - Allow gst-plugin-scanner read virtual memory sysctls
  - Allow init read/write inherited user fifo files
  - Update dnssec-trigger policy: setsched, module_request
  - added policy for systemd-socket-proxyd
  - Add the new 'cmd' permission to the 'io_uring' class
  - Allow winbind-rpcd read and write its key ring
  - Label /run/NetworkManager/no-stub-resolv.conf net_conf_t
  - blueman-mechanism can read ~/.local/lib/python*/site-packages directory
  - pidof executed by abrt can readlink /proc/*/exe
  - Fix typo in comment
  - Do not run restorecon /etc/NetworkManager/dispatcher.d in mls and minimum
* Wed Sep 14 2022 Zdenek Pytela <zpytela@redhat.com> - 37.11-1
  - Allow tor get filesystem attributes
  - Allow utempter append to login_userdomain stream
  - Allow login_userdomain accept a stream connection to XDM
  - Allow login_userdomain write to boltd named pipes
  - Allow staff_u and user_u users write to bolt pipe
  - Allow login_userdomain watch various directories
  - Update rhcd policy for executing additional commands 5
  - Update rhcd policy for executing additional commands 4
  - Allow rhcd create rpm hawkey logs with correct label
  - Allow systemd-gpt-auto-generator to check for empty dirs
  - Update rhcd policy for executing additional commands 3
  - Allow journalctl read rhcd fifo files
  - Update insights-client policy for additional commands execution 5
  - Allow init remount all file_type filesystems
  - Confine insights-client systemd unit
  - Update insights-client policy for additional commands execution 4
  - Allow pcp pmcd search tracefs and acct_data dirs
  - Allow httpd read network sysctls
  - Dontaudit domain map permission on directories
  - Revert "Allow X userdomains to mmap user_fonts_cache_t dirs"
  - Revert "Allow xdm_t domain to mmap /var/lib/gdm/.cache/fontconfig BZ(1725509)"
  - Update insights-client policy for additional commands execution 3
  - Allow systemd permissions needed for sandboxed services
  - Add rhcd module
  - Make dependency on rpm-plugin-selinux unordered
* Fri Sep 02 2022 Zdenek Pytela <zpytela@redhat.com> - 37.10-1
  - Allow ipsec_t read/write tpm devices
  - Allow rhcd execute all executables
  - Update rhcd policy for executing additional commands 2
  - Update insights-client policy for additional commands execution 2
  - Allow sysadm_t read raw memory devices
  - Allow chronyd send and receive chronyd/ntp client packets
  - Allow ssh client read kerberos homedir config files
  - Label /var/log/rhc-worker-playbook with rhcd_var_log_t
  - Update insights-client policy (auditctl, gpg, journal)
  - Allow system_cronjob_t domtrans to rpm_script_t
  - Allow smbd_t process noatsecure permission for winbind_rpcd_t
  - Update tor_bind_all_unreserved_ports interface
  - Allow chronyd bind UDP sockets to ptp_event ports.
  - Allow unconfined and sysadm users transition for /root/.gnupg
  - Add gpg_filetrans_admin_home_content() interface
  - Update rhcd policy for executing additional commands
  - Update insights-client policy for additional commands execution
  - Add userdom_view_all_users_keys() interface
  - Allow gpg read and write generic pty type
  - Allow chronyc read and write generic pty type
  - Allow system_dbusd ioctl kernel with a unix stream sockets
  - Allow samba-bgqd to read a printer list
  - Allow stalld get and set scheduling policy of all domains.
  - Allow unconfined_t transition to targetclid_home_t
* Thu Aug 11 2022 Zdenek Pytela <zpytela@redhat.com> - 37.9-1
  - Allow nm-dispatcher custom plugin dbus chat with nm
  - Allow nm-dispatcher sendmail plugin get status of systemd services
  - Allow xdm read the kernel key ring
  - Allow login_userdomain check status of mount units
  - Allow postfix/smtp and postfix/virtual read kerberos key table
  - Allow services execute systemd-notify
  - Do not allow login_userdomain use sd_notify()
  - Allow launch-xenstored read filesystem sysctls
  - Allow systemd-modules-load write to /dev/kmsg and send a message to syslogd
  - Allow openvswitch fsetid capability
  - Allow openvswitch use its private tmpfs files and dirs
  - Allow openvswitch search tracefs dirs
  - Allow pmdalinux read files on an nfsd filesystem
  - Allow winbind-rpcd write to winbind pid files
  - Allow networkmanager to signal unconfined process
  - Allow systemd_hostnamed label /run/systemd/* as hostnamed_etc_t
  - Allow samba-bgqd get a printer list
  - fix(init.fc): Fix section description
  - Allow fedora-third-party read the passwords file
  - Remove permissive domain for rhcd_t
  - Allow pmie read network state information and network sysctls
  - Revert "Dontaudit domain the fowner capability"
  - Allow sysadm_t to run bpftool on the userdomain attribute
  - Add the userdom_prog_run_bpf_userdomain() interface
  - Allow insights-client rpm named file transitions
  - Add /var/tmp/insights-archive to insights_client_filetrans_named_content
* Mon Aug 01 2022 Zdenek Pytela <zpytela@redhat.com> - 37.8-1
  - Allow sa-update to get init status and start systemd files
  - Use insights_client_filetrans_named_content
  - Make default file context match with named transitions
  - Allow nm-dispatcher tlp plugin send system log messages
  - Allow nm-dispatcher tlp plugin create and use unix_dgram_socket
  - Add permissions to manage lnk_files into gnome_manage_home_config
  - Allow rhsmcertd to read insights config files
  - Label /etc/insights-client/machine-id
  - fix(devices.fc): Replace single quote in comment to solve parsing issues
  - Make NetworkManager_dispatcher_custom_t an unconfined domain
* Sat Jul 23 2022 Fedora Release Engineering <releng@fedoraproject.org> - 37.7-2
  - Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild
* Thu Jul 14 2022 Zdenek Pytela <zpytela@redhat.com> - 37.7-1
  - Update winbind_rpcd_t
  - Allow some domains use sd_notify()
  - Revert "Allow rabbitmq to use systemd notify"
  - fix(sedoctool.py): Fix syntax warning: "is not" with a literal
  - Allow nm-dispatcher console plugin manage etc files
  - Allow networkmanager_dispatcher_plugin list NetworkManager_etc_t dirs
  - Allow nm-dispatcher console plugin setfscreate
  - Support using systemd-update-helper in rpm scriptlets
  - Allow nm-dispatcher winbind plugin read samba config files
  - Allow domain use userfaultfd over all domains
  - Allow cups-lpd read network sysctls
* Wed Jun 29 2022 Zdenek Pytela <zpytela@redhat.com> - 37.6-1
  - Allow stalld set scheduling policy of kernel threads
  - Allow targetclid read /var/target files
  - Allow targetclid read generic SSL certificates (fixed)
  - Allow firewalld read the contents of the sysfs filesystem
  - Fix file context pattern for /var/target
  - Use insights_client_etc_t in insights_search_config()
  - Allow nm-dispatcher ddclient plugin handle systemd services
  - Allow nm-dispatcher winbind plugin run smbcontrol
  - Allow nm-dispatcher custom plugin create and use unix dgram socket
  - Update samba-dcerpcd policy for kerberos usage 2
  - Allow keepalived read the contents of the sysfs filesystem
  - Allow amandad read network sysctls
  - Allow cups-lpd read network sysctls
  - Allow kpropd read network sysctls
  - Update insights_client_filetrans_named_content()
  - Allow rabbitmq to use systemd notify
  - Label /var/target with targetd_var_t
  - Allow targetclid read generic SSL certificates
  - Update rhcd policy
  - Allow rhcd search insights configuration directories
  - Add the kernel_read_proc_files() interface
  - Require policycoreutils >= 3.4-1
  - Add a script for enclosing interfaces in ifndef statements
  - Disable rpm verification on interface_info
* Wed Jun 22 2022 Zdenek Pytela <zpytela@redhat.com> - 37.5-1
  - Allow transition to insights_client named content
  - Add the insights_client_filetrans_named_content() interface
  - Update policy for insights-client to run additional commands 3
  - Allow dhclient manage pid files used by chronyd
  - Allow stalld get scheduling policy of kernel threads
  - Allow samba-dcerpcd work with sssd
  - Allow dlm_controld send a null signal to a cluster daemon
  - Allow ksmctl create hardware state information files
  - Allow winbind_rpcd_t connect to self over a unix_stream_socket
  - Update samba-dcerpcd policy for kerberos usage
  - Allow insights-client execute its private memfd: objects
  - Update policy for insights-client to run additional commands 2
  - Use insights_client_tmp_t instead of insights_client_var_tmp_t
  - Change space indentation to tab in insights-client
  - Use socket permissions sets in insights-client
  - Update policy for insights-client to run additional commands
  - Change rpm_setattr_db_files() to use a pattern
  - Allow init_t to rw insights_client unnamed pipe
  - Add rpm setattr db files macro
  - Fix insights client
  - Update kernel_read_unix_sysctls() for sysctl_net_unix_t handling
  - Allow rabbitmq to access its private memfd: objects
  - Update policy for samba-dcerpcd
  - Allow stalld setsched and sys_nice
* Tue Jun 07 2022 Zdenek Pytela <zpytela@redhat.com> - 37.4-1
  - Allow auditd_t noatsecure for a transition to audisp_remote_t
  - Allow ctdbd nlmsg_read on netlink_tcpdiag_socket
  - Allow pcp_domain execute its private memfd: objects
  - Add support for samba-dcerpcd
  - Add policy for wireguard
  - Confine targetcli
  - Allow systemd work with install_t unix stream sockets
  - Allow iscsid the sys_ptrace userns capability
  - Allow xdm connect to unconfined_service_t over a unix stream socket
* Fri May 27 2022 Zdenek Pytela <zpytela@redhat.com> - 37.3-1
  - Allow nm-dispatcher custom plugin execute systemctl
  - Allow nm-dispatcher custom plugin dbus chat with nm
  - Allow nm-dispatcher custom plugin create and use udp socket
  - Allow nm-dispatcher custom plugin create and use netlink_route_socket
  - Use create_netlink_socket_perms in netlink_route_socket class permissions
  - Add support for nm-dispatcher sendmail scripts
  - Allow sslh net_admin capability
  - Allow insights-client manage gpg admin home content
  - Add the gpg_manage_admin_home_content() interface
  - Allow rhsmcertd create generic log files
  - Update logging_create_generic_logs() to use create_files_pattern()
  - Label /var/cache/insights with insights_client_cache_t
  - Allow insights-client search gconf homedir
  - Allow insights-client create and use unix_dgram_socket
  - Allow blueman execute its private memfd: files
  - Move the chown call into make-srpm.sh
* Fri May 06 2022 Zdenek Pytela <zpytela@redhat.com> - 37.2-1
  - Use the networkmanager_dispatcher_plugin attribute in allow rules
  - Make a custom nm-dispatcher plugin transition
  - Label port 4784/tcp and 4784/udp with bfd_multi
  - Allow systemd watch and watch_reads user ptys
  - Allow sblim-gatherd the kill capability
  - Label more vdsm utils with virtd_exec_t
  - Add ksm service to ksmtuned
  - Add rhcd policy
  - Dontaudit guest attempts to dbus chat with systemd domains
  - Dontaudit guest attempts to dbus chat with system bus types
  - Use a named transition in systemd_hwdb_manage_config()
  - Add default fc specifications for patterns in /opt
  - Add the files_create_etc_files() interface
  - Allow nm-dispatcher console plugin create and write files in /etc
  - Allow nm-dispatcher console plugin transition to the setfiles domain
  - Allow more nm-dispatcher plugins append to init stream sockets
  - Allow nm-dispatcher tlp plugin dbus chat with nm
  - Reorder networkmanager_dispatcher_plugin_template() calls
  - Allow svirt connectto virtlogd
  - Allow blueman map its private memfd: files
  - Allow sysadm user execute init scripts with a transition
  - Allow sblim-sfcbd connect to sblim-reposd stream
  - Allow keepalived_unconfined_script_t dbus chat with init
  - Run restorecon with "-i" not to report errors
* Mon May 02 2022 Zdenek Pytela <zpytela@redhat.com> - 37.1-1
  - Fix users for SELinux userspace 3.4
  - Label /var/run/machine-id as machineid_t
  - Add stalld to modules.conf
  - Use files_tmpfs_file() for rhsmcertd_tmpfs_t
  - Allow blueman read/write its private memfd: objects
  - Allow insights-client read rhnsd config files
  - Allow insights-client create_socket_perms for tcp/udp sockets
* Tue Apr 26 2022 Zdenek Pytela <zpytela@redhat.com> - 36.8-1
  - Allow nm-dispatcher chronyc plugin append to init stream sockets
  - Allow tmpreaper the sys_ptrace userns capability
  - Label /usr/libexec/vdsm/supervdsmd and vdsmd with virtd_exec_t
  - Allow nm-dispatcher tlp plugin read/write the wireless device
  - Allow nm-dispatcher tlp plugin append to init socket
  - Allow nm-dispatcher tlp plugin be client of a system bus
  - Allow nm-dispatcher list its configuration directory
  - Ecryptfs-private support
  - Allow colord map /var/lib directories
  - Allow ntlm_auth read the network state information
  - Allow insights-client search rhnsd configuration directory
* Thu Apr 21 2022 Zdenek Pytela <zpytela@redhat.com> - 36.7-3
  - Add support for nm-dispatcher tlp-rdw scripts
  - Update github actions to satisfy git 2.36 stricter rules
  - New policy for stalld
  - Allow colord read generic files in /var/lib
  - Allow xdm mounton user temporary socket files
  - Allow systemd-gpt-auto-generator create and use netlink_kobject_uevent_socket
  - Allow sssd domtrans to pkcs_slotd_t
  - Allow keepalived setsched and sys_nice
  - Allow xdm map generic files in /var/lib
  - Allow xdm read generic symbolic links in /var/lib
  - Allow pppd create a file in the locks directory
  - Add file map permission to lpd_manage_spool() interface
  - Allow system dbus daemon watch generic directories in /var/lib
  - Allow pcscd the sys_ptrace userns capability
  - Add the corecmd_watch_bin_dirs() interface
* Thu Apr 21 2022 Zdenek Pytela <zpytela@redhat.com> - 36.7-2
  - Relabel explicitly some dirs in %posttrans scriptlets
* Thu Apr 21 2022 Zdenek Pytela <zpytela@redhat.com> - 36.7-1
  - Add stalld module to modules-targeted-contrib.conf
* Mon Apr 04 2022 Zdenek Pytela <zpytela@redhat.com> - 36.6-1
  - Add support for systemd-network-generator
  - Add the io_uring class
  - Allow nm-dispatcher dhclient plugin append to init stream sockets
  - Relax the naming pattern for systemd private shared libraries
  - Allow nm-dispatcher iscsid plugin append to init socket
  - Add the init_append_stream_sockets() interface
  - Allow nm-dispatcher dnssec-trigger script to execute pidof
  - Add support for nm-dispatcher dnssec-trigger scripts
  - Allow chronyd talk with unconfined user over unix domain dgram socket
  - Allow fenced read kerberos key tables
  - Add support for nm-dispatcher ddclient scripts
  - Add systemd_getattr_generic_unit_files() interface
  - Allow fprintd read and write hardware state information
  - Allow exim watch generic certificate directories
  - Remove duplicate fc entries for corosync and corosync-notifyd
  - Label corosync-cfgtool with cluster_exec_t
  - Allow qemu-kvm create and use netlink rdma sockets
  - Allow logrotate a domain transition to cluster administrative domain
* Fri Mar 18 2022 Zdenek Pytela <zpytela@redhat.com> - 36.5-1
  - Add support for nm-dispatcher console helper scripts
  - Allow nm-dispatcher plugins read its directory and sysfs
  - Do not let system_cronjob_t create redhat-access-insights.log with var_log_t
  - devices: Add a comment about cardmgr_dev_t
  - Add basic policy for BinderFS
  - Label /var/run/ecblp0 pipe with cupsd_var_run_t
  - Allow rpmdb create directory in /usr/lib/sysimage
  - Allow rngd drop privileges via setuid/setgid/setcap
  - Allow init watch and watch_reads user ttys
  - Allow systemd-logind dbus chat with sosreport
  - Allow chronyd send a message to sosreport over datagram socket
  - Remove unnecessary /etc file transitions for insights-client
  - Label all content in /var/lib/insights with insights_client_var_lib_t
  - Update insights-client policy
* Wed Feb 23 2022 Zdenek Pytela <zpytela@redhat.com> - 36.4-2
  - Add insights_client module to modules-targeted-contrib.conf
* Wed Feb 23 2022 Zdenek Pytela <zpytela@redhat.com> - 36.4-1
  - Update NetworkManager-dispatcher cloud and chronyc policy
  - Update insights-client: fc pattern, motd, writing to etc
  - Allow systemd-sysctl read the security state information
  - Allow init create and mounton to support PrivateDevices
  - Allow sosreport dbus chat abrt systemd timedatex
* Tue Feb 22 2022 Zdenek Pytela <zpytela@redhat.com> - 36.3-2
  - Update specfile to buildrequire policycoreutils-devel >= 3.3-4
  - Add modules_checksum to %files
* Thu Feb 17 2022 Zdenek Pytela <zpytela@redhat.com> - 36.3-1
  - Update NetworkManager-dispatcher policy to use scripts
  - Allow init mounton kernel messages device
  - Revert "Make dbus-broker service working on s390x arch"
  - Remove permissive domain for insights_client_t
  - Allow userdomain read symlinks in /var/lib
  - Allow iptables list cgroup directories
  - Dontaudit mdadm list dirsrv tmpfs dirs
  - Dontaudit dirsrv search filesystem sysctl directories
  - Allow chage domtrans to sssd
  - Allow postfix_domain read dovecot certificates
  - Allow systemd-networkd create and use netlink netfilter socket
  - Allow nm-dispatcher read nm-dispatcher-script symlinks
  - filesystem.te: add genfscon rule for ntfs3 filesystem
  - Allow rhsmcertd get attributes of cgroup filesystems
  - Allow sandbox_web_client_t watch various dirs
  - Exclude container.if from policy devel files
  - Run restorecon on /usr/lib/sysimage/rpm instead of /var/lib/rpm
* Fri Feb 11 2022 Zdenek Pytela <zpytela@redhat.com> - 36.2-1
  - Allow sysadm_passwd_t to relabel passwd and group files
  - Allow confined sysadmin to use tool vipw
  - Allow login_userdomain map /var/lib/directories
  - Allow login_userdomain watch library and fonts dirs
  - Allow login_userdomain watch system configuration dirs
  - Allow login_userdomain read systemd runtime files
  - Allow ctdb create cluster logs
  - Allow alsa bind mixer controls to led triggers
  - New policy for insight-client
  - Add mctp_socket security class and access vectors
  - Fix koji repo URL pattern
  - Update chronyd_pid_filetrans() to allow create dirs
  - Update NetworkManager-dispatcher policy
  - Allow unconfined to run virtd bpf
  - Allow nm-privhelper setsched permission and send system logs
  - Add the map permission to common_anon_inode_perm permission set
  - Rename userfaultfd_anon_inode_perms to common_inode_perms
  - Allow confined users to use kinit,klist and etc.
  - Allow rhsmcertd create rpm hawkey logs with correct label
* Thu Feb 03 2022 Zdenek Pytela <zpytela@redhat.com> - 36.1-1
  - Label exFAT utilities at /usr/sbin
  - policy/modules/contrib: Support /usr/lib/sysimage/rpm as the rpmdb path
  - Enable genfs_seclabel_symlinks policy capability
  - Sync policy/policy_capabilities with refpolicy
  - refpolicy: drop unused socket security classes
  - Label new utility of NetworkManager nm-priv-helper
  - Label NetworkManager-dispatcher service with separate context
  - Allow sanlock get attributes of filesystems with extended attributes
  - Associate stratisd_data_t with device filesystem
  - Allow init read stratis data symlinks
* Tue Feb 01 2022 Zdenek Pytela <zpytela@redhat.com> - 35.13-1
  - Allow systemd services watch dbusd pid directory and its parents
  - Allow ModemManager connect to the unconfined user domain
  - Label /dev/wwan.+ with modem_manager_t
  - Allow alsactl set group Process ID of a process
  - Allow domtrans to sssd_t and role access to sssd
  - Creating interface sssd_run_sssd()
  - Label utilities for exFAT filesystems with fsadm_exec_t
  - Label /dev/nvme-fabrics with fixed_disk_device_t
  - Allow init delete generic tmp named pipes
  - Allow timedatex dbus chat with xdm
* Wed Jan 26 2022 Zdenek Pytela <zpytela@redhat.com> - 35.12-1
  - Fix badly indented used interfaces
  - Allow domain transition to sssd_t
  - Dontaudit sfcbd sys_ptrace cap_userns
  - Label /var/lib/plocate with locate_var_lib_t
  - Allow hostapd talk with unconfined user over unix domain dgram socket
  - Allow NetworkManager talk with unconfined user over unix domain dgram socket
  - Allow system_mail_t read inherited apache system content rw files
  - Add apache_read_inherited_sys_content_rw_files() interface
  - Allow rhsm-service execute its private memfd: objects
  - Allow dirsrv read configfs files and directories
  - Label /run/stratisd with stratisd_var_run_t
  - Allow tumblerd write to session_dbusd tmp socket files
* Wed Jan 19 2022 Zdenek Pytela <zpytela@redhat.com> - 35.11-1
  - Revert "Label /etc/cockpit/ws-certs.d with cert_t"
  - Allow login_userdomain write to session_dbusd tmp socket files
  - Label /var/run/user/%{USERID}/dbus with session_dbusd_tmp_t
* Mon Jan 17 2022 Zdenek Pytela <zpytela@redhat.com> - 35.10-1
  - Allow login_userdomain watch systemd-machined PID directories
  - Allow login_userdomain watch systemd-logind PID directories
  - Allow login_userdomain watch accountsd lib directories
  - Allow login_userdomain watch localization directories
  - Allow login_userdomain watch various files and dirs
  - Allow login_userdomain watch generic directories in /tmp
  - Allow rhsm-service read/write its private memfd: objects
  - Allow radiusd connect to the radacct port
  - Allow systemd-io-bridge ioctl rpm_script_t
  - Allow systemd-coredump userns capabilities and root mounton
  - Allow systemd-coredump read and write usermodehelper state
  - Allow login_userdomain create session_dbusd tmp socket files
  - Allow gkeyringd_domain write to session_dbusd tmp socket files
  - Allow systemd-logind delete session_dbusd tmp socket files
  - Allow gdm-x-session write to session dbus tmp sock files
  - Label /etc/cockpit/ws-certs.d with cert_t
  - Allow kpropd get attributes of cgroup filesystems
  - Allow administrative users the bpf capability
  - Allow sysadm_t start and stop transient services
  - Connect triggerin to pcre2 instead of pcre
* Wed Jan 12 2022 Zdenek Pytela <zpytela@redhat.com> - 35.9-1
  - Allow sshd read filesystem sysctl files
  - Revert "Allow sshd read sysctl files"
  - Allow tlp read its systemd unit
  - Allow gssproxy access to various system files.
  - Allow gssproxy read, write, and map ica tmpfs files
  - Allow gssproxy read and write z90crypt device
  - Allow sssd_kcm read and write z90crypt device
  - Allow smbcontrol read the network state information
  - Allow virt_domain map vhost devices
  - Allow fcoemon request the kernel to load a module
  - Allow sshd read sysctl files
  - Ensure that `/run/systemd/*` are properly labeled
  - Allow admin userdomains use socketpair()
  - Change /run/user/[0-9]+ to /run/user/%{USERID} for proper labeling
  - Allow lldpd connect to snmpd with a unix domain stream socket
  - Dontaudit pkcsslotd sys_admin capability
* Thu Dec 23 2021 Zdenek Pytela <zpytela@redhat.com> - 35.8-1
  - Allow haproxy get attributes of filesystems with extended attributes
  - Allow haproxy get attributes of cgroup filesystems
  - Allow sysadm execute sysadmctl in sysadm_t domain using sudo
  - Allow userdomains use pam_ssh_agent_auth for passwordless sudo
  - Allow sudodomains execute passwd in the passwd domain
  - Allow braille printing in selinux
  - Allow sandbox_xserver_t map sandbox_file_t
  - Label /dev/ngXnY and /dev/nvme-subsysX with fixed_disk_device_t
  - Add hwtracing_device_t type for hardware-level tracing and debugging
  - Label port 9528/tcp with openqa_liveview
  - Label /var/lib/shorewall6-lite with shorewall_var_lib_t
  - Document Security Flask model in the policy
* Fri Dec 10 2021 Zdenek Pytela <zpytela@redhat.com> - 35.7-1
  - Allow systemd read unlabeled symbolic links
  - Label abrt-action-generate-backtrace with abrt_handle_event_exec_t
  - Allow dnsmasq watch /etc/dnsmasq.d directories
  - Allow rhsmcertd get attributes of tmpfs_t filesystems
  - Allow lldpd use an snmp subagent over a tcp socket
  - Allow xdm watch generic directories in /var/lib
  - Allow login_userdomain open/read/map system journal
  - Allow sysadm_t connect to cluster domains over a unix stream socket
  - Allow sysadm_t read/write pkcs shared memory segments
  - Allow sysadm_t connect to sanlock over a unix stream socket
  - Allow sysadm_t dbus chat with sssd
  - Allow sysadm_t set attributes on character device nodes
  - Allow sysadm_t read and write watchdog devices
  - Allow smbcontrol use additional socket types
  - Allow cloud-init dbus chat with systemd-logind
  - Allow svnserve send mail from the system
  - Update userdom_exec_user_tmp_files() with an entrypoint rule
  - Allow sudodomain send a null signal to sshd processes
* Fri Nov 19 2021 Zdenek Pytela <zpytela@redhat.com> - 35.6-1
  - Allow PID 1 and dbus-broker IPC with a systemd user session
  - Allow rpmdb read generic SSL certificates
  - Allow rpmdb read admin home config files
  - Report warning on duplicate definition of interface
  - Allow redis get attributes of filesystems with extended attributes
  - Allow sysadm_t dbus chat with realmd_t
  - Make cupsd_lpd_t a daemon
  - Allow tlp dbus-chat with NetworkManager
  - filesystem: add fs_use_trans for ramfs
  - Allow systemd-logind destroy unconfined user's IPC objects
* Thu Nov 04 2021 Zdenek Pytela <zpytela@redhat.com> - 35.5-1
  - Support sanlock VG automated recovery on storage access loss 2/2
  - Support sanlock VG automated recovery on storage access loss 1/2
  - Revert "Support sanlock VG automated recovery on storage access loss"
  - Allow tlp get service units status
  - Allow fedora-third-party manage 3rd party repos
  - Allow xdm_t nnp_transition to login_userdomain
  - Add the auth_read_passwd_file() interface
  - Allow redis-sentinel execute a notification script
  - Allow fetchmail search cgroup directories
  - Allow lvm_t to read/write devicekit disk semaphores
  - Allow devicekit_disk_t to use /dev/mapper/control
  - Allow devicekit_disk_t to get IPC info from the kernel
  - Allow devicekit_disk_t to read systemd-logind pid files
  - Allow devicekit_disk_t to mount filesystems on mnt_t directories
  - Allow devicekit_disk_t to manage mount_var_run_t files
  - Allow rasdaemon sys_admin capability to verify the CAP_SYS_ADMIN of the soft_offline_page function implemented in the kernel
  - Use $releasever in koji repo to reduce rawhide hardcoding
  - authlogin: add fcontext for tcb
  - Add erofs as a SELinux capable file system
  - Allow systemd execute user bin files
  - Support sanlock VG automated recovery on storage access loss
  - Support new PING_CHECK health checker in keepalived
* Wed Oct 20 2021 Zdenek Pytela <zpytela@redhat.com> - 35.4-1
  - Allow fedora-third-party map generic cache files
  - Add gnome_map_generic_cache_files() interface
  - Add files_manage_var_lib_dirs() interface
  - Allow fedora-third party manage gpg keys
  - Allow fedora-third-party run "flatpak remote-add --from flathub"
* Tue Oct 19 2021 Zdenek Pytela <zpytela@redhat.com> - 35.3-1
  - Allow fedora-third-party run flatpak post-install actions
  - Allow fedora-third-party set_setsched and sys_nice
* Mon Oct 18 2021 Zdenek Pytela <zpytela@redhat.com> - 35.2-1
  - Allow fedora-third-party execute "flatpak remote-add"
  - Add files_manage_var_lib_files() interface
  - Add write permission to userfaultfd_anon_inode_perms
  - Allow proper function sosreport via iotop
  - Allow proper function sosreport in sysadmin role
  - Allow fedora-third-party to connect to the system log service
  - Allow fedora-third-party dbus chat with policykit
  - Allow chrony-wait service start with DynamicUser=yes
  - Allow management of lnk_files if similar access to regular files
  - Allow unconfined_t transition to mozilla_plugin_t with NoNewPrivileges
  - Allow systemd-resolved watch /run/systemd
  - Allow fedora-third-party create and use unix_dgram_socket
  - Removing pkcs_tmpfs_filetrans interface and edit pkcs policy files
  - Allow login_userdomain named filetrans to pkcs_slotd_tmpfs_t domain
* Thu Oct 07 2021 Zdenek Pytela <zpytela@redhat.com> - 35.1-1
  - Add fedoratp module
  - Allow xdm_t domain transition to fedoratp_t
  - Allow ModemManager create and use netlink route socket
  - Add default file context for /run/gssproxy.default.sock
  - Allow xdm_t watch fonts directories
  - Allow xdm_t watch generic directories in /lib
  - Allow xdm_t watch generic pid directories
* Thu Sep 23 2021 Zdenek Pytela <zpytela@redhat.com> - 34.21-1
  - Add bluetooth-related permissions into a tunable block
  - Allow gnome at-spi processes create and use stream sockets
  - Allow usbmuxd get attributes of tmpfs_t filesystems
  - Allow fprintd install a sleep delay inhibitor
  - Allow collectd get attributes of infiniband devices
  - Allow collectd create and use netlink rdma socket
  - Allow collectd map packet_socket
  - Allow snort create and use bluetooth socket
  - Allow systemd watch and watch_reads console devices
  - Allow snort create and use generic netlink socket
  - Allow NetworkManager dbus chat with fwupd
  - Allow unconfined domains read/write domain perf_events
  - Allow scripts to enter LUKS password
  - Update mount_manage_pid_files() to use manage_files_pattern
  - Support hitless reloads feature in haproxy
  - Allow haproxy list the sysfs directories content
  - Allow gnome at-spi processes get attributes of tmpfs filesystems
  - Allow unbound connectto unix_stream_socket
  - Allow rhsmcertd_t dbus chat with anaconda install_t
* Thu Sep 16 2021 Zdenek Pytela <zpytela@redhat.com> - 34.20-1
  - cleanup unused codes
  - Fix typo in the gnome_exec_atspi() interface summary
  - Allow xdm execute gnome-atspi services
  - Allow gnome at-spi processes execute dbus-daemon in caller domain
  - Allow xdm watch dbus configuration
  - Allow xdm execute dbus-daemon in the caller domain
  - Revert "Allow xdm_t transition to system_dbusd_t"
  - Allow at-spi-bus-launcher read and map xdm pid files
  - Allow dhcpcd set its resource limits
  - Allow systemd-sleep get removable devices attributes
  - Allow usbmuxd get attributes of fs_t filesystems
* Thu Sep 09 2021 Zdenek Pytela <zpytela@redhat.com> - 34.19-1
  - Update the dhcp client local policy
  - Allow firewalld load kernel modules
  - Allow postfix_domain to sendto unix dgram sockets.
  - Allow systemd watch unallocated ttys
* Tue Sep 07 2021 Zdenek Pytela <zpytela@redhat.com> - 34.18-1
  - Allow ModemManager create a qipcrtr socket
  - Allow ModemManager request to load a kernel module
  - Label /usr/sbin/virtproxyd as virtd_exec_t
  - Allow communication between at-spi and gdm processes
  - Update ica_filetrans_named_content() with create_file_perms
  - Fix the gnome_atspi_domtrans() interface summary
* Fri Aug 27 2021 Zdenek Pytela <zpytela@redhat.com> - 34.17-5
  - Add ica module to modules-targeted-contrib.conf
* Fri Aug 27 2021 Zdenek Pytela <zpytela@redhat.com> - 34.17-4
  - Add trailing \ to the relabel() block which is needed even in a comment
* Fri Aug 27 2021 Zdenek Pytela <zpytela@redhat.com> - 34.17-3
  - Add ica module to modules-targeted.conf
* Fri Aug 27 2021 Zdenek Pytela <zpytela@redhat.com> - 34.17-2
  - Relabel /var/lib/rpm explicitly
  - Revert "Relabel /dev/dma_heap explicitly"
* Fri Aug 27 2021 Zdenek Pytela <zpytela@redhat.com> - 34.17-1
  - Add support for at-spi
  - Add permissions for system dbus processes
  - Allow various domains work with ICA crypto accelerator
  - Add ica module
  - Revert "Support using ICA crypto accelerator on s390x arch"
  - Allow systemd to delete fwupd var cache files
  - Allow vmtools_unconfined_t domain transition to rpm_script_t
  - Allow dirsrv read slapd tmpfs files
  - Revert "Label /dev/shm/dirsrv/ with dirsrv_tmpfs_t label"
  - Rename samba_exec() to samba_exec_net()
  - Support using ICA crypto accelerator on s390x arch
  - Allow systemd delete /run/systemd/default-hostname
  - Allow tcpdump read system state information in /proc
  - Allow rhsmcertd to create cache file in /var/cache/cloud-what
  - Allow D-bus communication between avahi and sosreport
  - Label /usr/libexec/gdm-runtime-config with xdm_exec_t
  - Allow lldpad send to kdumpctl over a unix dgram socket
  - Revert "Allow lldpad send to kdump over a unix dgram socket"
  - Allow chronyc respond to a user chronyd instance
  - Allow ptp4l respond to pmc
  - Allow lldpad send to unconfined_t over a unix dgram socket
  - Allow sssd to set samba setting
* Thu Aug 12 2021 Zdenek Pytela <zpytela@redhat.com> - 34.16-1
  - Allow systemd-timesyncd watch system dbus pid socket files
  - Allow firewalld drop capabilities
  - Allow rhsmcertd execute gpg
  - Allow lldpad send to kdump over a unix dgram socket
  - Allow systemd-gpt-auto-generator read udev pid files
  - Set default file context for /sys/firmware/efi/efivars
  - Allow tcpdump run as a systemd service
  - Allow nmap create and use netlink generic socket
  - Allow nscd watch system db files in /var/db
  - Allow cockpit_ws_t get attributes of fs_t filesystems
  - Allow sysadm access to kernel module resources
  - Allow sysadm to read/write scsi files and manage shadow
  - Allow sysadm access to files_unconfined and bind rpc ports
  - Allow sysadm read and view kernel keyrings
  - Allow journal mmap and read var lib files
  - Allow tuned to read rhsmcertd config files
  - Allow bootloader to read tuned etc files
  - Label /usr/bin/qemu-storage-daemon with virtd_exec_t
* Fri Aug 06 2021 Zdenek Pytela <zpytela@redhat.com> - 34.15-1
  - Disable seccomp on CI containers
  - Allow systemd-machined stop generic service units
  - Allow virtlogd_t read process state of user domains
  - Add "/" at the beginning of dev/shm/var\.lib\.opencryptoki.* regexp
  - Label /dev/crypto/nx-gzip with accelerator_device_t
  - Update the policy for systemd-journal-upload
  - Allow unconfined domains to bpf all other domains
  - Confine rhsm service and rhsm-facts service as rhsmcertd_t
  - Allow fcoemon talk with unconfined user over unix domain datagram socket
  - Allow abrt_domain read and write z90crypt device
  - Allow mdadm read iscsi pid files
  - Change dev_getattr_infiniband_dev() to use getattr_chr_files_pattern()
  - Label /usr/lib/pcs/pcs_snmp_agent with cluster_exec_t
  - Allow hostapd bind UDP sockets to the dhcpd port
  - Unconfined domains should not be confined
* Fri Jul 23 2021 Fedora Release Engineering <releng@fedoraproject.org> - 34.14-2
  - Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild
* Wed Jul 14 2021 Zdenek Pytela <zpytela@redhat.com> - 34.14-1
  - Revert "update libs_filetrans_named_content() to have support for /usr/lib/debug directory"
  - Remove references to init_watch_path_type attribute
  - Remove all redundant watch permissions for systemd
  - Allow systemd watch non_security_file_type dirs, files, lnk_files
  - Removed adding to attribute unpriv_userdomain from userdom_unpriv_type template
  - Allow bacula get attributes of cgroup filesystems
  - Allow systemd-journal-upload watch logs and journal
  - Create a policy for systemd-journal-upload
  - Allow tcpdump and nmap get attributes of infiniband_device_t
  - Allow arpwatch get attributes of infiniband_device_t devices
  - Label /dev/wmi/dell-smbios as acpi_device_t
* Thu Jul 01 2021 Zdenek Pytela <zpytela@redhat.com> - 34.13-1
  - Allow radius map its library files
  - Allow nftables read NetworkManager unnamed pipes
  - Allow logrotate rotate container log files
* Tue Jun 22 2021 Zdenek Pytela <zpytela@redhat.com> - 34.12-2
  - Add a systemd service to check that SELinux is disabled properly
  - specfile: Add unowned dir to the macro
  - Relabel /dev/dma_heap explicitly
* Mon Jun 21 2021 Zdenek Pytela <zpytela@redhat.com> - 34.12-1
  - Label /dev/dma_heap/* char devices with dma_device_t
  - Revert "Label /dev/dma_heap/* char devices with dma_device_t"
  - Revert "Label /dev/dma_heap with dma_device_dir_t"
  - Revert "Associate dma_device_dir_t with device filesystem"
  - Add the lockdown integrity permission to dev_map_userio_dev()
  - Allow systemd-modules-load read/write tracefs files
  - Allow sssd watch /run/systemd
  - Label /usr/bin/arping plain file with netutils_exec_t
  - Label /run/fsck with fsadm_var_run_t
  - Label /usr/bin/Xwayland with xserver_exec_t
  - Allow systemd-timesyncd watch dbus runtime dir
  - Allow asterisk watch localization files
  - Allow iscsid read all process stat
  - iptables.fc: Add missing legacy-restore and legacy-save entries
  - Label /run/libvirt/common with virt_common_var_run_t
  - Label the /.k5identity file and allow rpc.gssd to read it
  - Make usbmuxd_t a daemon
* Wed Jun 09 2021 Zdenek Pytela <zpytela@redhat.com> - 34.11-1
  - Allow sanlock get attributes of cgroup filesystems
  - Associate dma_device_dir_t with device filesystem
  - Set default file context for /var/run/systemd instead of /run/systemd
  - Allow nmap create and use rdma socket
  - Allow pkcs-slotd create and use netlink_kobject_uevent_socket
* Sun Jun 06 2021 Zdenek Pytela <zpytela@redhat.com> - 34.10-1
  - Allow using opencryptoki for ipsec
  - Allow using opencryptoki for certmonger
  - Label var.lib.opencryptoki.* files and create pkcs_tmpfs_filetrans()
  - Label /dev/dma_heap with dma_device_dir_t
  - Allow syslogd watch non security dirs conditionally
  - Introduce logging_syslogd_list_non_security_dirs tunable
  - Remove openhpi module
  - Allow udev to watch fixed disk devices
  - Allow httpd_sys_script_t read, write, and map hugetlbfs files
  - Allow apcupsd get attributes of cgroup filesystems
* Thu May 27 2021 Zdenek Pytela <zpytela@redhat.com> - 34.9-1
  - Add kerberos object filetrans for nsswitchdomain
  - Allow fail2ban watch various log files
  - Add logging_watch_audit_log_files() and logging_watch_audit_log_dirs()
  - Remove further modules recently removed from refpolicy
  - Remove modules not shipped and not present in refpolicy
  - Revert "Add permission open to files_read_inherited_tmp_files() interface"
  - Revert "Allow pcp_pmlogger_t to use setrlimit BZ(1708951)"
  - Revert "Dontaudit logrotate to setrlimit itself. rhbz#1309604"
  - Revert "Allow cockpit_ws_t domain to set limits BZ(1701703)"
  - Dontaudit setrlimit for domains that exec systemctl
  - Allow kdump_t net_admin capability
  - Allow nsswitch_domain read init pid lnk_files
  - Label /dev/trng with random_device_t
  - Label /run/systemd/default-hostname with hostname_etc_t
  - Add default file context specification for dnf log files
  - Label /dev/zram[0-9]+ block device files with fixed_disk_device_t
  - Label /dev/udmabuf character device with dma_device_t
  - Label /dev/dma_heap/* char devices with dma_device_t
  - Label /dev/acpi_thermal_rel char device with acpi_device_t
* Thu May 20 2021 Zdenek Pytela <zpytela@redhat.com> - 34.8-2
  - Remove temporary explicit /dev/nvme relabeling
* Thu May 20 2021 Zdenek Pytela <zpytela@redhat.com> - 34.8-1
  - Allow local_login_t nnp_transition to login_userdomain
  - Allow asterisk watch localization symlinks
  - Allow NetworkManager_t to watch /etc
  - Label /var/lib/kdump with kdump_var_lib_t
  - Allow amanda get attributes of cgroup filesystems
  - Allow sysadm_t nnp_domtrans to systemd_tmpfiles_t
  - Allow install_t nnp_domtrans to setfiles_mac_t
  - Allow fcoemon create sysfs files
* Thu May 13 2021 Zdenek Pytela <zpytela@redhat.com> - 34.7-1
  - Allow tgtd read and write infiniband devices
  - Add a comment on virt_sandbox booleans with empty content
  - Deprecate duplicate dev_write_generic_sock_files() interface
  - Allow vnstatd_t map vnstatd_var_lib_t files
  - Allow privoxy execmem
  - Allow pmdakvm read information from the debug filesystem
  - Add lockdown integrity into kernel_read_debugfs() and kernel_manage_debugfs()
  - Add permissions to delete lnk_files into gnome_delete_home_config()
  - Remove rules for inotifyfs
  - Remove rules for anon_inodefs
  - Allow systemd nnp_transition to login_userdomain
  - Allow unconfined_t write other processes perf_event records
  - Allow sysadm_t dbus chat with tuned
  - Allow tuned write profile files with file transition
  - Allow tuned manage perf_events
  - Make domains use kernel_write_perf_event() and kernel_manage_perf_event()
* Fri May 07 2021 Zdenek Pytela <zpytela@redhat.com> - 34.6-1
  - Make domains use kernel_write_perf_event() and kernel_manage_perf_event()
  - Add kernel_write_perf_event() and kernel_manage_perf_event()
  - Allow syslogd_t watch root and var directories
  - Allow unconfined_t read other processes perf_event records
  - Allow login_userdomain read and map /var/lib/systemd files
  - Allow NetworkManager watch its config dir
  - Allow NetworkManager read and write z90crypt device
  - Allow tgtd create and use rdma socket
  - Allow aide connect to init with a unix socket
* Tue May 04 2021 Zdenek Pytela <zpytela@redhat.com> - 34.5-1
  - Grant execmem to varnishlog_t
  - We no longer need signull for varnishlog_t
  - Add map permission to varnishd_read_lib_files
  - Allow systemd-sleep tlp_filetrans_named_content()
  - Allow systemd-sleep execute generic programs
  - Allow systemd-sleep execute shell
  - Allow sendmail to read/write kerberos host rcache files
  - Allow freshclam get attributes of cgroup filesystems
  - Fix context of /run/systemd/timesync
  - Allow udev create /run/gdm with proper type
  - Allow chronyc socket file transition in user temp directory
  - Allow virtlogd_t to create virt_var_lockd_t dir
  - Allow pluto IKEv2 / ESP over TCP
* Tue Apr 27 2021 Zdenek Pytela <zpytela@redhat.com> - 34.4-1
  - Allow domain create anonymous inodes
  - Add anon_inode class to the policy
  - Allow systemd-coredump getattr nsfs files and net_admin capability
  - Allow systemd-sleep transition to sysstat_t
  - Allow systemd-sleep transition to tlp_t
  - Allow systemd-sleep transition to unconfined_service_t on bin_t executables
  - Allow systemd-timedated watch runtime dir and its parent
  - Allow system dbusd read /var/lib symlinks
  - Allow unconfined_service_t confidentiality and integrity lockdown
  - Label /var/lib/brltty with brltty_var_lib_t
  - Allow domain and unconfined_domain_type watch /proc/PID dirs
  - Additional permission for confined users logging into graphic session
  - Make screen fsetid/setuid/setgid permission conditional
  - Allow confined users access to wtmp and run utempter
* Fri Apr 09 2021 Zdenek Pytela <zpytela@redhat.com> - 34.3-1
  - Label /etc/redis as redis_conf_t
  - Add brltty new permissions required by new upstream version
  - Allow cups-lpd read its private runtime socket files
  - Dontaudit daemon open and read init_t file
  - Add file context specification for /var/tmp/tmp-inst
  - Allow brltty create and use bluetooth_socket
  - Allow usbmuxd get attributes of cgroup filesystems
* Tue Apr 06 2021 Zdenek Pytela <zpytela@redhat.com> - 34.2-1
  - Allow usbmuxd get attributes of cgroup filesystems
  - Allow accounts-daemon get attributes of cgroup filesystems
  - Allow pool-geoclue get attributes of cgroup filesystems
  - allow systemd-sleep to set timer for suspend-then-hibernate
  - Allow aide connect to systemd-userdbd with a unix socket
  - Add new interfaces with watch_mount and watch_with_perm permissions
  - Add file context specification for /usr/libexec/realmd
  - Allow /tmp file transition for dbus-daemon also for sock_file
  - Allow login_userdomain create cgroup files
  - Allow plymouthd_t exec generic program in bin directories
* Thu Apr 01 2021 Zdenek Pytela <zpytela@redhat.com> - 34.1-1
  - Change the package versioning
* Thu Apr 01 2021 Zdenek Pytela <zpytela@redhat.com> - 3.14.8-10
  - Allow plymouthd_t exec generic program in bin directories
  - Allow dhcpc_t domain transition to chronyc_t
  - Allow login_userdomain bind xmsg port
  - Allow ibacm the net_raw and sys_rawio capabilities
  - Allow nsswitch_domain read cgroup files
  - Allow systemd-sleep create hardware state information files
* Mon Mar 29 2021 Zdenek Pytela <zpytela@redhat.com> - 3.14.8-9
  - Add watch_with_perm_dirs_pattern file pattern
* Fri Mar 26 2021 Zdenek Pytela <zpytela@redhat.com> - 3.14.8-8
  - Allow arpwatch_t create netlink generic socket
  - Allow postgrey read network state
  - Add watch_mount_dirs_pattern file pattern
  - Allow bluetooth_t dbus chat with fwupd_t
  - Allow xdm_t watch accountsd lib directories
  - Add additional interfaces for watching /boot
  - Allow sssd_t get attributes of tmpfs filesystems
  - Allow local_login_t get attributes of tmpfs filesystems
  - Dontaudit domain the fowner capability
  - Extend fs_manage_nfsd_fs() to allow managing dirs as well
  - Allow spice-vdagentd watch systemd-logind session dirs
* Fri Mar 19 2021 Zdenek Pytela <zpytela@redhat.com> - 3.14.8-7
  - Allow xdm_t watch systemd-logind session dirs
  - Allow xdm_t transition to system_dbusd_t
  - Allow confined users login into graphic session
  - Allow login_userdomain watch systemd login session dirs
  - install_t: Allow NoNewPriv transition from systemd
  - Remove setuid/setgid capabilities from mysqld_t
  - Add context for new mariadbd executable files
  - Allow netutils_t create netlink generic socket
  - Allow systemd the audit_control capability conditionally
* Thu Mar 11 2021 Zdenek Pytela <zpytela@redhat.com> - 3.14.8-6
  - Allow polkit-agent-helper-1 read logind sessions files
  - Allow polkit-agent-helper read init state
  - Allow login_userdomain watch generic device dirs
  - Allow login_userdomain listen on bluetooth sockets
  - Allow user_t and staff_t bind netlink_generic_socket
  - Allow login_userdomain write inaccessible nodes
  - Allow transition from xdm domain to unconfined_t domain.
  - Add 'make validate' step to CI
  - Disallow user_t run su/sudo and staff_t run su
  - Fix typo in rsyncd.conf in rsync.if
  - Add an alias for nvme_device_t
  - Allow systemd watch and watch_reads unallocated ttys
* Wed Mar 03 2021 Zdenek Pytela <zpytela@redhat.com> - 3.14.8-5
  - Allow apmd watch generic device directories
  - Allow kdump load a new kernel
  - Add confidentiality lockdown permission to kernel_read_core_if()
  - Allow keepalived read nsfs files
  - Allow local_login_t get attributes of filesystems with ext attributes
  - Allow keepalived read/write its private memfd: objects
  - Add missing declaration in rpm_named_filetrans()
  - Change param description in cron interfaces to userdomain_prefix
* Wed Feb 24 2021 Zdenek Pytela <zpytela@redhat.com> - 3.14.8-4
  - iptables.fc: Add missing legacy entries
  - iptables.fc: Remove some duplicate entries
  - iptables.fc: Remove duplicate file context entries
  - Allow libvirtd to create generic netlink sockets
  - Allow libvirtd the fsetid capability
  - Allow libvirtd to read /run/utmp
  - Dontaudit sys_ptrace capability when calling systemctl
  - Allow udisksd to read /dev/random
  - Allow udisksd to watch files under /run/mount
  - Allow udisksd to watch /etc
  - Allow crond to watch user_cron_spool_t directories
  - Allow accountsd watch xdm config directories
  - Label /etc/avahi with avahi_conf_t
  - Allow sssd get cgroup filesystems attributes and search cgroup dirs
  - Allow systemd-hostnamed read udev runtime data
  - Remove dev_getattr_sysfs_fs() interface calls for particular domains
  - Allow domain stat the /sys filesystem
  - Dontaudit NetworkManager write to initrc_tmp_t pipes
  - policykit.te: Clean up watch rule for policykit_auth_t
  - Revert further unnecessary watch rules
  - Revert "Allow getty watch its private runtime files"
  - Allow systemd watch generic /var directories
  - Allow init watch network config files and lnk_files
  - Allow systemd-sleep get attributes of fixed disk device nodes
  - Complete initial policy for systemd-coredump
  - Label SDC(scini) Dell Driver
  - Allow upowerd to send syslog messages
  - Remove the disk write permissions from tlp_t
  - Label NVMe devices as fixed_disk_device_t
  - Allow rhsmcertd bind tcp sockets to a generic node
  - Allow systemd-importd manage machines.lock file
* Tue Feb 16 2021 Zdenek Pytela <zpytela@redhat.com> - 3.14.8-3
  - Allow unconfined integrity lockdown permission
  - Relocate confidentiality lockdown rule from unconfined_domain_type to unconfined
  - Allow systemd-machined manage systemd-userdbd runtime sockets
  - Enable systemd-sysctl domtrans for udev
  - Introduce kernel_load_unsigned_module interface and use it for couple domains
  - Allow gpg watch user gpg secrets dirs
  - Build also the container module in CI
  - Remove duplicate code from kernel.te
  - Allow restorecond to watch all non-auth directories
  - Allow restorecond to watch its config file
* Mon Feb 15 2021 Zdenek Pytela <zpytela@redhat.com> - 3.14.8-2
  - Allow userdomain watch various filesystem objects
  - Allow systemd-logind and systemd-sleep integrity lockdown permission
  - Allow unconfined_t and kprop_t to create krb5_0.rcache2 with the right context
  - Allow pulseaudio watch devices and systemd-logind session dirs
  - Allow abrt-dump-journal-* watch generic log dirs and /run/log/journal dir
  - Remove duplicate files_mounton_etc(init_t) call
  - Add watch permissions to manage_* object permissions sets
  - Allow journalctl watch generic log dirs and /run/log/journal dir
  - Label /etc/resolv.conf as net_conf_t even when it's a symlink
  - Allow SSSD to watch /var/run/NetworkManager
  - Allow dnsmasq_t to watch /etc
  - Remove unnecessary lines from the new watch interfaces
  - Fix docstring for init_watch_dir()
  - Allow xdm watch its private lib dirs, /etc, /usr
* Thu Feb 11 2021 Zdenek Pytela <zpytela@redhat.com> - 3.14.8-1
  - Bump version as Fedora 34 has been branched off rawhide
  - Allow xdm watch its private lib dirs, /etc, /usr
  - Allow systemd-importd create /run/systemd/machines.lock file
  - Allow rhsmcertd_t read kpatch lib files
  - Add integrity lockdown permission into dev_read_raw_memory()
  - Add confidentiality lockdown permission into fs_rw_tracefs_files()
  - Allow gpsd read and write ptp4l_t shared memory.
  - Allow colord watch its private lib files and /usr
  - Allow init watch_reads mount PID files
  - Allow IPsec and Certmonger to use opencryptoki services
* Sun Feb 07 2021 Zdenek Pytela <zpytela@redhat.com> - 3.14.7-18
  - Allow lockdown confidentiality for domains using perf_event
  - define lockdown class and access
  - Add perfmon capability for all domains using perf_event
  - Allow ptp4l_t bpf capability to run bpf programs
  - Revert "Allow ptp4l_t sys_admin capability to run bpf programs"
  - access_vectors: Add new capabilities to cap2
  - Allow systemd and systemd-resolved watch dbus pid objects
  - Add new watch interfaces in the base and userdomain policy
  - Add watch permissions for contrib packages
  - Allow xdm watch /usr directories
  - Allow getty watch its private runtime files
  - Add watch permissions for nscd and sssd
  - Add watch permissions for firewalld and NetworkManager
  - Add watch permissions for syslogd
  - Add watch permissions for systemd services
  - Allow restorecond watch /etc dirs
  - Add watch permissions for user domain types
  - Add watch permissions for init
  - Add basic watch interfaces for systemd
  - Add basic watch interfaces to the base module
  - Add additional watch object permissions sets and patterns
  - Allow init_t to watch localization symlinks
  - Allow init_t to watch mount directories
  - Allow init_t to watch cgroup files
  - Add basic watch patterns
  - Add new watch* permissions
* Fri Feb 05 2021 Zdenek Pytela <zpytela@redhat.com> - 3.14.7-17
  - Update .copr/make-srpm.sh to use rawhide as DISTGIT_BRANCH
  - Dontaudit setsched for rndc
  - Allow systemd-logind destroy entries in message queue
  - Add userdom_destroy_unpriv_user_msgq() interface
  - ci: Install build dependencies from koji
  - Dontaudit vhostmd to write in /var/lib/rpm/ dir and allow signull rpm
  - Add new cmadmin port for bfdd daemon
  - virtiofs supports Xattrs and SELinux
  - Allow domain write to systemd-resolved PID socket files
  - Label /var/run/pcsd-ruby.socket socket with cluster_var_run_t type
  - Allow rhsmcertd_t domain transition to kpatch_t
  - Revert "Add kpatch_exec() interface"
  - Revert "Allow rhsmcertd execute kpatch"
  - Allow openvswitch create and use xfrm netlink sockets
  - Allow openvswitch_t perf_event write permission
  - Add kpatch_exec() interface
  - Allow rhsmcertd execute kpatch
  - Adds rule to allow glusterd to access RDMA socket
  - radius: Lexical sort of service-specific corenet rules by service name
  - VQP: Include IANA-assigned TCP/1589
  - radius: Allow binding to the VQP port (VMPS)
  - radius: Allow binding to the BFD Control and Echo ports
  - radius: Allow binding to the DHCP client port
  - radius: Allow net_raw; allow binding to the DHCP server ports
  - Add rsync_sys_admin tunable to allow rsync sys_admin capability
  - Allow staff_u run pam_console_apply
  - Allow openvswitch_t perf_event open permission
  - Allow sysadm read and write /dev/rfkill
  - Allow certmonger fsetid capability
  - Allow domain read usermodehelper state information
* Wed Jan 27 2021 Fedora Release Engineering <releng@fedoraproject.org> - 3.14.7-16
  - Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
* Fri Jan 22 2021 Petr Lautrbach <plautrba@redhat.com> - 3.14.7-15
  - Update specfile to not verify md5/size/mtime for active store files
  - Add /var/mnt equivalency to /mnt
  - Rebuild with SELinux userspace 3.2-rc1 release
* Fri Jan 08 2021 Zdenek Pytela <zpytela@redhat.com> - 3.14.7-14
  - Allow domain read usermodehelper state information
  - Remove all kernel_read_usermodehelper_state() interface calls
  - .copr: improve timestamp format
  - Allow wireshark create and use rdma socket
  - Allow domain stat /proc filesystem
  - Remove all kernel_getattr_proc() interface calls
  - Revert "Allow passwd to get attributes in proc_t"
  - Revert "Allow dovecot_auth_t stat /proc filesystem"
  - Revert "Allow sssd, unix_chkpwd, groupadd stat /proc filesystem"
  - Allow sssd read /run/systemd directory
  - Label /dev/vhost-vdpa-[0-9]+ as vhost_device_t
* Thu Dec 17 2020 Zdenek Pytela <zpytela@redhat.com> - 3.14.7-13
  - Label /dev/isst_interface as cpu_device_t
  - Dontaudit firewalld dac_override capability
  - Allow ipsec set the context of a SPD entry to the default context
  - Build binary RPMs in CI
  - Add SRPM build scripts for COPR
* Tue Dec 15 2020 Zdenek Pytela <zpytela@redhat.com> - 3.14.7-12
  - Allow dovecot_auth_t stat /proc filesystem
  - Allow sysadm_u user and unconfined_domain_type manage perf_events
  - Allow pcp-pmcd manage perf_events
  - Add manage_perf_event_perms object permissions set
  - Add perf_event access vectors.
  - Allow sssd, unix_chkpwd, groupadd stat /proc filesystem
  - Allow stub-resolv.conf to be a symlink
  - sysnetwork.if: avoid directly referencing systemd_resolved_var_run_t
  - Create the systemd_dbus_chat_resolved() compatibility interface
  - Allow nsswitch-domain write to systemd-resolved PID socket files
  - Add systemd_resolved_write_pid_sock_files() interface
  - Add default file context for "/var/run/chrony-dhcp(/.*)?"
  - Allow timedatex dbus chat with cron system domain
  - Add cron_dbus_chat_system_job() interface
  - Allow systemd-logind manage init's pid files
* Wed Dec 09 2020 Zdenek Pytela <zpytela@redhat.com> - 3.14.7-11
  - Allow systemd-logind manage init's pid files
  - Allow tcsd the setgid capability
  - Allow systemd-resolved manage its private runtime symlinks
  - Update systemd_resolved_read_pid() to also read symlinks
  - Update systemd-sleep policy
  - Add groupadd_t fowner capability
  - Migrate to GitHub Actions
  - Update README.md to reflect the state after contrib and base merge
  - Add README.md announcing merging of selinux-policy and selinux-policy-contrib
  - Adapt .travis.yml to contrib merge
  - Merge contrib into the main repo
  - Prepare to merge contrib repo
  - Move stuff around to match the main repo
* Thu Nov 26 2020 Zdenek Pytela <zpytela@redhat.com> - 3.14.7-10
  - Allow Xephyr connect to 6000/tcp port and open user ptys
  - Allow kexec manage generic tmp files
  - Update targetd nfs & lvm
  - Add interface rpc_manage_exports
  - Merge selinux-policy and selinux-policy-contrib repos
* Tue Nov 24 2020 Zdenek Pytela <zpytela@redhat.com> - 3.14.7-9
  - Allow varnish map its private tmp files
  - Allow dovecot bind to smtp ports
  - Change fetchmail temporary files path to /var/spool/mail
  - Allow cups_pdf_t domain to communicate with unix_dgram_socket
  - Set file context for symlinks in /etc/httpd to etc_t
  - Allow rpmdb rw access to inherited console, ttys, and ptys
  - Allow dnsmasq read public files
  - Announce merging of selinux-policy and selinux-policy-contrib
  - Label /etc/resolv.conf as net_conf_t only if it is a plain file
  - Fix range for unreserved ports
  - Add files_search_non_security_dirs() interface
  - Introduce logging_syslogd_append_public_content tunable
  - Add miscfiles_append_public_files() interface
* Fri Nov 13 2020 Zdenek Pytela <zpytela@redhat.com> - 3.14.7-8
  - Set correct default file context for /usr/libexec/pcp/lib/*
  - Introduce rpmdb_t type
  - Allow slapd manage files/dirs in ldap certificates directory
  - Revert "Allow certmonger add new entries in a generic certificates directory"
  - Allow certmonger add new entries in a generic certificates directory
  - Allow slapd add new entries in ldap certificates directory
  - Remove retired PCP pmwebd and pmmgr daemons (since 5.0)
  - Let keepalived bind a raw socket
  - Add default file context for /usr/libexec/pcp/lib/*
  - squid: Allow net_raw capability when squid_use_tproxy is enabled
  - systemd: allow networkd to check namespaces
  - Add ability to read init_var_run_t where fs_read_efivarfs_files is allowed
  - Allow resolved to create varlink sockets and the domain to talk to it
  - selinux: tweak selinux_get_enforce_mode() to allow status page to be used
  - systemd: allow all systemd services to check selinux status
  - Set default file context for /var/lib/ipsec/nss
  - Allow user domains transition to rpmdb_t
  - Revert "Add miscfiles_add_entry_generic_cert_dirs() interface"
  - Revert "Add miscfiles_create_generic_cert_dirs() interface"
  - Update miscfiles_manage_all_certs() to include managing directories
  - Add miscfiles_create_generic_cert_dirs() interface
  - Add miscfiles_add_entry_generic_cert_dirs() interface
  - Revert "Label /var/run/zincati/public/motd.d/* as motd_var_run_t"
* Tue Nov 03 2020 Petr Lautrbach <plautrba@redhat.com> - 3.14.7-7
  - Rebuild with latest libsepol
  - Bump policy version to 33
* Thu Oct 22 2020 Zdenek Pytela <zpytela@redhat.com> - 3.14.7-6
  - rpc.fc: Include /etc/exports.d dir & files
  - Create chronyd_pid_filetrans() interface
  - Change invalid type redisd_t to redis_t in redis_stream_connect()
  - Revert "Removed adding to attribute unpriv_userdomain from userdom_unpriv_type template"
  - Allow init dbus chat with kernel
  - Allow initrc_t create /run/chronyd-dhcp directory with a transition
  - Drop gcc from dependencies in Travis CI
  - fc_sort.py: Use "==" for comparing integers.
  - re-implement fc_sort in python
  - Remove invalid file context line
  - Drop git from dependencies in Travis CI
* Tue Oct 06 2020 Zdenek Pytela <zpytela@redhat.com> - 3.14.7-5
  - Remove empty line from rshd.fc
  - Allow systemd-logind read swap files
  - Add fstools_read_swap_files() interface
  - Allow dyntransition from sshd_t to unconfined_t
  - Removed adding to attribute unpriv_userdomain from userdom_unpriv_type template
* Fri Sep 25 2020 Zdenek Pytela <zpytela@redhat.com> - 3.14.7-4
  - Allow chronyd_t to accept and make NTS-KE connections
  - Allow domain write to an automount unnamed pipe
  - Label /var/run/zincati/public/motd.d/* as motd_var_run_t
  - Allow login programs to (only) read MOTD files and symlinks
  - Relabel /usr/sbin/charon-systemd as ipsec_exec_t
  - Confine systemd-sleep service
  - Add fstools_rw_swap_files() interface
  - Label 4460/tcp port as ntske_port_t
  - Add lvm_dbus_send_msg(), lvm_rw_var_run() interfaces

Files

/etc/selinux
/etc/selinux/config
/etc/sysconfig/selinux
/usr/lib/rpm/macros.d/macros.selinux-policy
/usr/lib/systemd/system/selinux-check-proper-disable.service
/usr/lib/tmpfiles.d/selinux-policy.conf
/usr/share/licenses/selinux-policy
/usr/share/licenses/selinux-policy/COPYING
/usr/share/selinux
/usr/share/selinux/packages


Generated by rpm2html 1.8.1

Fabrice Bellet, Tue Apr 9 21:25:34 2024