Sat, 13 Aug 2022 00:50:20 UTC | login

Information for build selinux-policy-34.1.16-1.el9

Package Nameselinux-policy
SummarySELinux policy configuration
DescriptionSELinux core policy package. Originally based off of reference policy, the policy has been adjusted to provide support for Fedora.
Built byzpytela
State complete
StartedFri, 24 Sep 2021 08:26:00 UTC
CompletedFri, 24 Sep 2021 08:33:50 UTC
Taskbuild (c9s-candidate, /redhat/centos-stream/rpms/selinux-policy:5ad9abab4336c7402925d37bf04c291f1e92ae44)
Extra{'source': {'original_url': 'git+'}}
selinux-policy-34.1.16-1.el9.src.rpm (info) (download)
selinux-policy-34.1.16-1.el9.noarch.rpm (info) (download)
selinux-policy-devel-34.1.16-1.el9.noarch.rpm (info) (download)
selinux-policy-doc-34.1.16-1.el9.noarch.rpm (info) (download)
selinux-policy-minimum-34.1.16-1.el9.noarch.rpm (info) (download)
selinux-policy-mls-34.1.16-1.el9.noarch.rpm (info) (download)
selinux-policy-sandbox-34.1.16-1.el9.noarch.rpm (info) (download)
selinux-policy-targeted-34.1.16-1.el9.noarch.rpm (info) (download)
Changelog * Thu Sep 23 2021 Zdenek Pytela <> - 34.1.16-1 - Allow fprintd install a sleep delay inhibitor Resolves: rhbz#1999537 - Update mount_manage_pid_files() to use manage_files_pattern Resolves: rhbz#1999997 - Allow gnome at-spi processes create and use stream sockets Resolves: rhbz#2004885 - Allow haproxy list the sysfs directories content Resolves: rhbz#1986823 - Allow virtlogd_t read process state of user domains Resolves: rhbz#1994592 - Support hitless reloads feature in haproxy Resolves: rhbz#1997182 - Allow firewalld load kernel modules Resolves: rhbz#1999152 - Allow communication between at-spi and gdm processes Resolves: rhbz#2003037 - Remove "ipa = module" from modules-targeted-contrib.conf Resolves: rhbz#2006039 * Mon Aug 30 2021 Zdenek Pytela <> - 34.1.15-1 - Update ica_filetrans_named_content() with create_file_perms Resolves: rhbz#1976180 - Allow various domains work with ICA crypto accelerator Resolves: rhbz#1976180 - Add ica module Resolves: rhbz#1976180 - Revert "Support using ICA crypto accelerator on s390x arch" Resolves: rhbz#1976180 - Fix the gnome_atspi_domtrans() interface summary Resolves: rhbz#1972655 - Add support for at-spi Resolves: rhbz#1972655 - Add permissions for system dbus processes Resolves: rhbz#1972655 - Allow /tmp file transition for dbus-daemon also for sock_file Resolves: rhbz#1972655 * Wed Aug 25 2021 Zdenek Pytela <> - 34.1.14-1 - Support using ICA crypto accelerator on s390x arch Resolves: rhbz#1976180 - Allow systemd delete /run/systemd/default-hostname Resolves: rhbz#1978507 - Label /usr/bin/Xwayland with xserver_exec_t Resolves: rhbz#1993151 - Label /usr/libexec/gdm-runtime-config with xdm_exec_t Resolves: rhbz#1993151 - Allow tcpdump read system state information in /proc Resolves: rhbz#1972577 - Allow firewalld drop capabilities Resolves: rhbz#1989641 * Thu Aug 12 2021 Zdenek Pytela <> - 34.1.13-1 - Add "/" at the beginning of dev/shm/var\.lib\.opencryptoki.* regexp Resolves: rhbz#1977915 - Set default file context for /sys/firmware/efi/efivars Resolves: rhbz#1972372 - Allow tcpdump run as a systemd service Resolves: rhbz#1972577 - Allow nmap create and use netlink generic socket Resolves: rhbz#1985212 - Allow nscd watch system db files in /var/db Resolves: rhbz#1989416 - Allow systemd-gpt-auto-generator read udev pid files Resolves: rhbz#1992638 * Tue Aug 10 2021 Zdenek Pytela <> - 34.1.12-1 - Revert "update libs_filetrans_named_content() to have support for /usr/lib/debug directory" Resolves: rhbz#1990813 - Label /dev/crypto/nx-gzip with accelerator_device_t Resolves: rhbz#1973953 - Label /usr/bin/qemu-storage-daemon with virtd_exec_t Resolves: rhbz#1977245 - Allow systemd-machined stop generic service units Resolves: rhbz#1979522 - Label /.k5identity file allow read of this file to rpc.gssd Resolves: rhbz#1980610 * Tue Aug 10 2021 Mohan Boddu <> - 34.1.11-2 - Rebuilt for IMA sigs, glibc 2.34, aarch64 flags Related: rhbz#1991688 * Thu Jul 29 2021 Zdenek Pytela <> - 34.1.11-1 - Allow hostapd bind UDP sockets to the dhcpd port Resolves: rhbz#1979968 - Allow mdadm read iscsi pid files Resolves: rhbz#1976073 - Unconfined domains should not be confined Resolves: rhbz#1977986 - Allow NetworkManager_t to watch /etc Resolves: rhbz#1980000 - Allow using opencryptoki for ipsec Resolves: rhbz#1977915 * Wed Jul 14 2021 Zdenek Pytela <> - 34.1.10-1 - Allow bacula get attributes of cgroup filesystems Resolves: rhbz#1976917 - Label /dev/wmi/dell-smbios as acpi_device_t Resolves: rhbz#1972382 - Add the lockdown integrity permission to dev_map_userio_dev() Resolves: rhbz#1966758 - Allow virtlogd_t to create virt_var_lockd_t dir Resolves: rhbz#1974875 * Tue Jun 22 2021 Zdenek Pytela <> - 34.1.9-1 - Allow systemd-coredump getattr nsfs files and net_admin capability Resolves: rhbz#1965372 - Label /run/libvirt/common with virt_common_var_run_t Resolves: rhbz#1969209 - Label /usr/bin/arping plain file with netutils_exec_t Resolves: rhbz#1952515 - Make usbmuxd_t a daemon Resolves: rhbz#1965411 - Allow usbmuxd get attributes of cgroup filesystems Resolves: rhbz#1965411 - Label /dev/dma_heap/* char devices with dma_device_t - Revert "Label /dev/dma_heap/* char devices with dma_device_t" - Revert "Label /dev/dma_heap with dma_device_dir_t" - Revert "Associate dma_device_dir_t with device filesystem" Resolves: rhbz#1967818 - Label /var/lib/kdump with kdump_var_lib_t Resolves: rhbz#1965989 - Allow systemd-timedated watch runtime dir and its parent Resolves: rhbz#1970865 - Label /run/fsck with fsadm_var_run_t Resolves: rhbz#1970911 * Thu Jun 10 2021 Zdenek Pytela <> - 34.1.8-1 - Associate dma_device_dir_t with device filesystem Resolves: rhbz#1954116 - Add default file context specification for dnf log files Resolves: rhbz#1955223 - Allow using opencryptoki for certmonger Resolves: rhbz#1961756 - Label var.lib.opencryptoki.* files and create pkcs_tmpfs_filetrans() Resolves: rhbz#1961756 - Allow httpd_sys_script_t read, write, and map hugetlbfs files Resolves: rhbz#1964890 - Dontaudit daemon open and read init_t file Resolves: rhbz#1965412 - Allow sanlock get attributes of cgroup filesystems Resolves: rhbz#1965217 * Tue Jun 08 2021 Zdenek Pytela <> - 34.1.7-1 - Set default file context for /var/run/systemd instead of /run/systemd Resolves: rhbz#1966492 * Mon Jun 07 2021 Zdenek Pytela <> - 34.1.6-1 - Label /dev/dma_heap with dma_device_dir_t Resolves: rhbz#1954116 - Allow pkcs-slotd create and use netlink_kobject_uevent_socket Resolves: rhbz#1963252 - Label /run/systemd/default-hostname with hostname_etc_t Resolves: rhbz#1966492 * Thu May 27 2021 Zdenek Pytela <> - 34.1.5-1 - Label /dev/trng with random_device_t Resolves: rhbz#1962260 - Label /dev/zram[0-9]+ block device files with fixed_disk_device_t Resolves: rhbz#1954116 - Label /dev/udmabuf character device with dma_device_t Resolves: rhbz#1954116 - Label /dev/dma_heap/* char devices with dma_device_t Resolves: rhbz#1954116 - Label /dev/acpi_thermal_rel char device with acpi_device_t Resolves: rhbz#1954116 - Allow fcoemon create sysfs files Resolves: rhbz#1952292 * Wed May 12 2021 Zdenek Pytela <> - 34.1.4-1 - Allow sysadm_t dbus chat with tuned Resolves: rhbz#1953643 - Allow tuned write profile files with file transition Resolves: rhbz#1953643 - Allow tuned manage perf_events Resolves: rhbz#1953643 - Make domains use kernel_write_perf_event() and kernel_manage_perf_event() Resolves: rhbz#1953643 - Add kernel_write_perf_event() and kernel_manage_perf_event() Resolves: rhbz#1953643 - Allow syslogd_t watch root and var directories Resolves: rhbz#1957792 - Allow tgtd create and use rdma socket Resolves: rhbz#1955559 - Allow aide connect to init with a unix socket Resolves: rhbz#1926343 * Wed Apr 28 2021 Zdenek Pytela <> - 34.1.3-1 - Allow domain create anonymous inodes Resolves: rhbz#1954145 - Add anon_inode class to the policy Resolves: rhbz#1954145 - Allow pluto IKEv2 / ESP over TCP Resolves: rhbz#1951471 - Add brltty new permissions required by new upstream version Resolves: rhbz#1947842 - Label /var/lib/brltty with brltty_var_lib_t Resolves: rhbz#1947842 - Allow login_userdomain create cgroup files Resolves: rhbz#1951114 - Allow aide connect to systemd-userdbd with a unix socket Resolves: rhbz#1926343 - Allow cups-lpd read its private runtime socket files Resolves: rhbz#1947397 - Label /etc/redis as redis_conf_t Resolves: rhbz#1947874 - Add file context specification for /usr/libexec/realmd Resolves: rhbz#1946495 * Thu Apr 22 2021 Zdenek Pytela <> - 34.1.2-1 - Further update for RHEL 9.0 beta - Add file context specification for /var/tmp/tmp-inst Resolves: rhbz#1924656 * Wed Apr 21 2021 Zdenek Pytela <> - 34.1.1-1 - Update selinux-policy.spec and for RHEL 9.0 beta - Allow unconfined_service_t confidentiality and integrity lockdown Resolves: rhbz#1950267 * Fri Apr 16 2021 Mohan Boddu <> - 34-2 - Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937 * Thu Apr 01 2021 Zdenek Pytela <> - 34.1-1 - Change the package versioning * Thu Apr 01 2021 Zdenek Pytela <> - 3.14.7-30 - Allow plymouthd_t exec generic program in bin directories - Allow dhcpc_t domain transition to chronyc_t - Allow login_userdomain bind xmsg port - Allow ibacm the net_raw and sys_rawio capabilities - Allow nsswitch_domain read cgroup files - Allow systemd-sleep create hardware state information files * Mon Mar 29 2021 Zdenek Pytela <> - 3.14.7-29 - Add watch_with_perm_dirs_pattern file pattern * Fri Mar 26 2021 Zdenek Pytela <> - 3.14.7-28 - Allow arpwatch_t create netlink generic socket - Allow postgrey read network state - Add watch_mount_dirs_pattern file pattern - Allow bluetooth_t dbus chat with fwupd_t - Allow xdm_t watch accountsd lib directories - Add additional interfaces for watching /boot - Allow sssd_t get attributes of tmpfs filesystems - Allow local_login_t get attributes of tmpfs filesystems * Tue Mar 23 2021 Zdenek Pytela <> - 3.14.7-27 - Dontaudit domain the fowner capability - Extend fs_manage_nfsd_fs() to allow managing dirs as well - Allow spice-vdagentd watch systemd-logind session dirs * Fri Mar 19 2021 Zdenek Pytela <> - 3.14.7-26 - Allow xdm_t watch systemd-logind session dirs - Allow xdm_t transition to system_dbusd_t - Allow confined users login into graphic session - Allow login_userdomain watch systemd login session dirs - install_t: Allow NoNewPriv transition from systemd - Remove setuid/setgid capabilities from mysqld_t - Add context for new mariadbd executable files - Allow netutils_t create netlink generic socket - Allow systemd the audit_control capability conditionally * Thu Mar 11 2021 Zdenek Pytela <> - 3.14.7-25 - Allow polkit-agent-helper-1 read logind sessions files - Allow polkit-agent-helper read init state - Allow login_userdomain watch generic device dirs - Allow login_userdomain listen on bluetooth sockets - Allow user_t and staff_t bind netlink_generic_socket - Allow login_userdomain write inaccessible nodes - Allow transition from xdm domain to unconfined_t domain. - Add 'make validate' step to CI - Disallow user_t run su/sudo and staff_t run su - Fix typo in rsyncd.conf in rsync.if - Add an alias for nvme_device_t - Allow systemd watch and watch_reads unallocated ttys * Tue Mar 02 2021 Zdenek Pytela <> - 3.14.7-24 - Allow apmd watch generic device directories - Allow kdump load a new kernel - Add confidentiality lockdown permission to kernel_read_core_if() - Allow keepalived read nsfs files - Allow local_login_t get attributes of filesystems with ext attributes - Allow keepalived read/write its private memfd: objects - Add missing declaration in rpm_named_filetrans() - Change param description in cron interfaces to userdomain_prefix * Tue Feb 23 2021 Zdenek Pytela <> - 3.14.7-23 - iptables.fc: Add missing legacy entries - iptables.fc: Remove some duplicate entries - iptables.fc: Remove duplicate file context entries - Allow libvirtd to create generic netlink sockets - Allow libvirtd the fsetid capability - Allow libvirtd to read /run/utmp - Dontaudit sys_ptrace capability when calling systemctl - Allow udisksd to read /dev/random - Allow udisksd to watch files under /run/mount - Allow udisksd to watch /etc - Allow crond to watch user_cron_spool_t directories - Allow accountsd watch xdm config directories - Label /etc/avahi with avahi_conf_t - Allow sssd get cgroup filesystems attributes and search cgroup dirs - Allow systemd-hostnamed read udev runtime data - Remove dev_getattr_sysfs_fs() interface calls for particular domains - Allow domain stat the /sys filesystem - Dontaudit NetworkManager write to initrc_tmp_t pipes - policykit.te: Clean up watch rule for policykit_auth_t - Revert further unnecessary watch rules - Revert "Allow getty watch its private runtime files" - Allow systemd watch generic /var directories - Allow init watch network config files and lnk_files * Fri Feb 19 2021 Zdenek Pytela <> - 3.14.7-22 - Allow systemd-sleep get attributes of fixed disk device nodes - Complete initial policy for systemd-coredump - Label SDC(scini) Dell Driver - Allow upowerd to send syslog messages - Remove the disk write permissions from tlp_t - Label NVMe devices as fixed_disk_device_t - Allow rhsmcertd bind tcp sockets to a generic node - Allow systemd-importd manage machines.lock file - Allow unconfined integrity lockdown permission - Relocate confidentiality lockdown rule from unconfined_domain_type to unconfined - Allow systemd-machined manage systemd-userdbd runtime sockets - Enable systemd-sysctl domtrans for udev - Introduce kernel_load_unsigned_module interface and use it for couple domains - Allow gpg watch user gpg secrets dirs - Build also the container module in CI - Remove duplicate code from kernel.te - Allow restorecond to watch all non-auth directories - Allow restorecond to watch its config file * Tue Feb 16 2021 Zdenek Pytela <> - 3.14.7-21 - Allow unconfined integrity lockdown permission - Relocate confidentiality lockdown rule from unconfined_domain_type to unconfined - Allow systemd-machined manage systemd-userdbd runtime sockets - Enable systemd-sysctl domtrans for udev - Introduce kernel_load_unsigned_module interface and use it for couple domains - Allow gpg watch user gpg secrets dirs - Build also the container module in CI - Remove duplicate code from kernel.te - Allow restorecond to watch all non-auth directories - Allow restorecond to watch its config file * Fri Feb 12 2021 Zdenek Pytela <> - 3.14.7-20 - Allow userdomain watch various filesystem objects - Allow systemd-logind and systemd-sleep integrity lockdown permission - Allow unconfined_t and kprop_t to create krb5_0.rcache2 with the right context - Allow pulseaudio watch devices and systemd-logind session dirs - Allow abrt-dump-journal-* watch generic log dirs and /run/log/journal dir - Remove duplicate files_mounton_etc(init_t) call - Add watch permissions to manage_* object permissions sets - Allow journalctl watch generic log dirs and /run/log/journal dir - Label /etc/resolv.conf as net_conf_t even when it's a symlink - Allow SSSD to watch /var/run/NetworkManager - Allow dnsmasq_t to watch /etc - Remove unnecessary lines from the new watch interfaces - Fix docstring for init_watch_dir() - Allow xdm watch its private lib dirs, /etc, /usr * Fri Feb 12 2021 Zdenek Pytela <> - 3.14.7-19 - Bump version as Fedora 34 has been branched off rawhide - Allow xdm watch its private lib dirs, /etc, /usr - Allow systemd-importd create /run/systemd/machines.lock file - Allow rhsmcertd_t read kpatch lib files - Add integrity lockdown permission into dev_read_raw_memory() - Add confidentiality lockdown permission into fs_rw_tracefs_files() - Allow gpsd read and write ptp4l_t shared memory. - Allow colord watch its private lib files and /usr - Allow init watch_reads mount PID files - Allow IPsec and Certmonger to use opencryptoki services * Sun Feb 07 2021 Zdenek Pytela <> - 3.14.7-18 - Allow lockdown confidentiality for domains using perf_event - define lockdown class and access - Add perfmon capability for all domains using perf_event - Allow ptp4l_t bpf capability to run bpf programs - Revert "Allow ptp4l_t sys_admin capability to run bpf programs" - access_vectors: Add new capabilities to cap2 - Allow systemd and systemd-resolved watch dbus pid objects - Add new watch interfaces in the base and userdomain policy - Add watch permissions for contrib packages - Allow xdm watch /usr directories - Allow getty watch its private runtime files - Add watch permissions for nscd and sssd - Add watch permissions for firewalld and NetworkManager - Add watch permissions for syslogd - Add watch permissions for systemd services - Allow restorecond watch /etc dirs - Add watch permissions for user domain types - Add watch permissions for init - Add basic watch interfaces for systemd - Add basic watch interfaces to the base module - Add additional watch object permissions sets and patterns - Allow init_t to watch localization symlinks - Allow init_t to watch mount directories - Allow init_t to watch cgroup files - Add basic watch patterns - Add new watch* permissions * Fri Feb 05 2021 Zdenek Pytela <> - 3.14.7-17 - Update .copr/ to use rawhide as DISTGIT_BRANCH - Dontaudit setsched for rndc - Allow systemd-logind destroy entries in message queue - Add userdom_destroy_unpriv_user_msgq() interface - ci: Install build dependencies from koji - Dontaudit vhostmd to write in /var/lib/rpm/ dir and allow signull rpm - Add new cmadmin port for bfdd dameon - virtiofs supports Xattrs and SELinux - Allow domain write to systemd-resolved PID socket files - Label /var/run/pcsd-ruby.socket socket with cluster_var_run_t type - Allow rhsmcertd_t domain transition to kpatch_t - Revert "Add kpatch_exec() interface" - Revert "Allow rhsmcertd execute kpatch" - Allow openvswitch create and use xfrm netlink sockets - Allow openvswitch_t perf_event write permission - Add kpatch_exec() interface - Allow rhsmcertd execute kpatch - Adds rule to allow glusterd to access RDMA socket - radius: Lexical sort of service-specific corenet rules by service name - VQP: Include IANA-assigned TCP/1589 - radius: Allow binding to the VQP port (VMPS) - radius: Allow binding to the BDF Control and Echo ports - radius: Allow binding to the DHCP client port - radius: Allow net_raw; allow binding to the DHCP server ports - Add rsync_sys_admin tunable to allow rsync sys_admin capability - Allow staff_u run pam_console_apply - Allow openvswitch_t perf_event open permission - Allow sysadm read and write /dev/rfkill - Allow certmonger fsetid capability - Allow domain read usermodehelper state information * Wed Jan 27 2021 Fedora Release Engineering <> - 3.14.7-16 - Rebuilt for * Fri Jan 22 2021 Petr Lautrbach <> - 3.14.7-15 - Update specfile to not verify md5/size/mtime for active store files - Add /var/mnt equivalency to /mnt - Rebuild with SELinux userspace 3.2-rc1 release * Fri Jan 08 2021 Zdenek Pytela <> - 3.14.7-14 - Allow domain read usermodehelper state information - Remove all kernel_read_usermodehelper_state() interface calls - .copr: improve timestamp format - Allow wireshark create and use rdma socket - Allow domain stat /proc filesystem - Remove all kernel_getattr_proc() interface calls - Revert "Allow passwd to get attributes in proc_t" - Revert "Allow dovecot_auth_t stat /proc filesystem" - Revert "Allow sssd, unix_chkpwd, groupadd stat /proc filesystem" - Allow sssd read /run/systemd directory - Label /dev/vhost-vdpa-[0-9]+ as vhost_device_t * Thu Dec 17 2020 Zdenek Pytela <> - 3.14.7-13 - Label /dev/isst_interface as cpu_device_t - Dontaudit firewalld dac_override capability - Allow ipsec set the context of a SPD entry to the default context - Build binary RPMs in CI - Add SRPM build scripts for COPR * Tue Dec 15 2020 Zdenek Pytela <> - 3.14.7-12 - Allow dovecot_auth_t stat /proc filesystem - Allow sysadm_u user and unconfined_domain_type manage perf_events - Allow pcp-pmcd manage perf_events - Add manage_perf_event_perms object permissions set - Add perf_event access vectors. - Allow sssd, unix_chkpwd, groupadd stat /proc filesystem - Allow stub-resolv.conf to be a symlink - sysnetwork.if: avoid directly referencing systemd_resolved_var_run_t - Create the systemd_dbus_chat_resolved() compatibility interface - Allow nsswitch-domain write to systemd-resolved PID socket files - Add systemd_resolved_write_pid_sock_files() interface - Add default file context for "/var/run/chrony-dhcp(/.*)?" - Allow timedatex dbus chat with cron system domain - Add cron_dbus_chat_system_job() interface - Allow systemd-logind manage init's pid files * Wed Dec 09 2020 Zdenek Pytela <> - 3.14.7-11 - Allow systemd-logind manage init's pid files - Allow tcsd the setgid capability - Allow systemd-resolved manage its private runtime symlinks - Update systemd_resolved_read_pid() to also read symlinks - Update systemd-sleep policy - Add groupadd_t fowner capability - Migrate to GitHub Actions - Update to reflect the state after contrib and base merge - Add announcing merging of selinux-policy and selinux-policy-contrib - Adapt .travis.yml to contrib merge - Merge contrib into the main repo - Prepare to merge contrib repo - Move stuff around to match the main repo * Thu Nov 26 2020 Zdenek Pytela <> - 3.14.7-10 - Allow Xephyr connect to 6000/tcp port and open user ptys - Allow kexec manage generic tmp files - Update targetd nfs & lvm - Add interface rpc_manage_exports - Merge selinux-policy and selinux-policy-contrib repos * Tue Nov 24 2020 Zdenek Pytela <> - 3.14.7-9 - Allow varnish map its private tmp files - Allow dovecot bind to smtp ports - Change fetchmail temporary files path to /var/spool/mail - Allow cups_pdf_t domain to communicate with unix_dgram_socket - Set file context for symlinks in /etc/httpd to etc_t - Allow rpmdb rw access to inherited console, ttys, and ptys - Allow dnsmasq read public files - Announce merging of selinux-policy and selinux-policy-contrib - Label /etc/resolv.conf as net_conf_t only if it is a plain file - Fix range for unreserved ports - Add files_search_non_security_dirs() interface - Introduce logging_syslogd_append_public_content tunable - Add miscfiles_append_public_files() interface * Fri Nov 13 2020 Zdenek Pytela <> - 3.14.7-8 - Set correct default file context for /usr/libexec/pcp/lib/* - Introduce rpmdb_t type - Allow slapd manage files/dirs in ldap certificates directory - Revert "Allow certmonger add new entries in a generic certificates directory" - Allow certmonger add new entries in a generic certificates directory - Allow slapd add new entries in ldap certificates directory - Remove retired PCP pmwebd and pmmgr daemons (since 5.0) - Let keepalived bind a raw socket - Add default file context for /usr/libexec/pcp/lib/* - squid: Allow net_raw capability when squid_use_tproxy is enabled - systemd: allow networkd to check namespaces - Add ability to read init_var_run_t where fs_read_efivarfs_files is allowed - Allow resolved to created varlink sockets and the domain to talk to it - selinux: tweak selinux_get_enforce_mode() to allow status page to be used - systemd: allow all systemd services to check selinux status - Set default file context for /var/lib/ipsec/nss - Allow user domains transition to rpmdb_t - Revert "Add miscfiles_add_entry_generic_cert_dirs() interface" - Revert "Add miscfiles_create_generic_cert_dirs() interface" - Update miscfiles_manage_all_certs() to include managing directories - Add miscfiles_create_generic_cert_dirs() interface - Add miscfiles_add_entry_generic_cert_dirs() interface - Revert "Label /var/run/zincati/public/motd.d/* as motd_var_run_t" * Tue Nov 03 2020 Petr Lautrbach <> - 3.14.7-7 - Rebuild with latest libsepol - Bump policy version to 33 * Thu Oct 22 2020 Zdenek Pytela <> - 3.14.7-6 - rpc.fc: Include /etc/exports.d dir & files - Create chronyd_pid_filetrans() interface - Change invalid type redisd_t to redis_t in redis_stream_connect() - Revert "Removed adding to attribute unpriv_userdomain from userdom_unpriv_type template" - Allow init dbus chat with kernel - Allow initrc_t create /run/chronyd-dhcp directory with a transition - Drop gcc from dependencies in Travis CI - Use "==" for comparing integers. - re-implement fc_sort in python - Remove invalid file context line - Drop git from dependencies in Travis CI * Tue Oct 06 2020 Zdenek Pytela <> - 3.14.7-5 - Remove empty line from rshd.fc - Allow systemd-logind read swap files - Add fstools_read_swap_files() interface - Allow dyntransition from sshd_t to unconfined_t - Removed adding to attribute unpriv_userdomain from userdom_unpriv_type template * Fri Sep 25 2020 Zdenek Pytela <> - 3.14.7-4 - Allow chronyd_t to accept and make NTS-KE connections - Allow domain write to an automount unnamed pipe - Label /var/run/zincati/public/motd.d/* as motd_var_run_t - Allow login programs to (only) read MOTD files and symlinks - Relabel /usr/sbin/charon-systemd as ipsec_exec_t - Confine systemd-sleep service - Add fstools_rw_swap_files() interface - Label 4460/tcp port as ntske_port_t - Add lvm_dbus_send_msg(), lvm_rw_var_run() interfaces * Mon Sep 21 2020 Zdenek Pytela <> - 3.14.7-3 - Check out the right -contrib branch in Travis * Fri Sep 18 2020 Zdenek Pytela <> - 3.14.7-2 - Allow openvswitch fowner capability and create netlink sockets - Allow additional permissions for gnome-initial-setup - Add to map non_security_files to the userdom_admin_user_template template - kernel/filesystem: Add exfat support (no extended attributes) * Tue Sep 08 2020 Zdenek Pytela <> - 3.14.7-1 - Bump version as Fedora 33 has been branched - Allow php-fpm write access to /var/run/redis/redis.sock - Allow journalctl to read and write to inherited user domain tty - Update rkt policy to allow rkt_t domain to read sysfs filesystem - Allow arpwatch create and use rdma socket - Allow plymouth sys_chroot capability - Allow gnome-initial-setup execute in a xdm sandbox - Add new devices and filesystem interfaces * Mon Aug 24 2020 Zdenek Pytela <> - 3.14.6-25 - Allow certmonger fowner capability - The nfsdcld service is now confined by SELinux - Change transitions for ~/.config/Yubico - Allow all users to connect to systemd-userdbd with a unix socket - Add file context for ~/.config/Yubico - Allow syslogd_t domain to read/write tmpfs systemd-bootchart files - Allow login_pgm attribute to get attributes in proc_t - Allow passwd to get attributes in proc_t - Revert "Allow passwd to get attributes in proc_t" - Revert "Allow login_pgm attribute to get attributes in proc_t" - Allow login_pgm attribute to get attributes in proc_t - Allow passwd to get attributes in proc_t - Allow traceroute_t and ping_t to bind generic nodes. - Create macro corenet_icmp_bind_generic_node() - Allow unconfined_t to node_bind icmp_sockets in node_t domain * Thu Aug 13 2020 Zdenek Pytela <> - 3.14.6-24 - Add ipa_helper_noatsecure() interface unconditionally - Conditionally allow nagios_plugin_domain dbus chat with init - Revert "Update allow rules set for nrpe_t domain" - Add ipa_helper_noatsecure() interface to ipa.if - Label /usr/libexec/qemu-pr-helper with virtd_exec_t - Allow kadmind manage kerberos host rcache - Allow nsswitch_domain to connect to systemd-machined using a unix socket - Define named file transition for sshd on /tmp/krb5_0.rcache2 - Allow systemd-machined create userdbd runtime sock files - Disable kdbus module before updating * Mon Aug 03 2020 Zdenek Pytela <> - 3.14.6-23 - Revert "Add support for /sys/fs/kdbus and allow login_pgm domain to access it." - Revert "Add interface to allow types to associate with cgroup filesystems" - Revert "kdbusfs should not be accessible for now." - Revert "kdbusfs should not be accessible for now by default for shipped policies. It should be moved to kdbus.pp" - Revert "Add kdbus.pp policy to allow access /sys/fs/kdbus. It needs to go with own module because this is workaround for now to avoid SELinux in enforcing mode." - Remove the legacy kdbus module - Remove "kdbus = module" from modules-targeted-base.conf * Thu Jul 30 2020 Zdenek Pytela <> - 3.14.6-22 - Allow virtlockd only getattr and lock block devices - Allow qemu-ga read all non security file types conditionally - Allow virtlockd manage VMs posix file locks - Allow smbd get attributes of device files labeled samba_share_t - Label /tmp/krb5_0.rcache2 with krb5_host_rcache_t - Add a new httpd_can_manage_courier_spool boolean - Create interface courier_manage_spool_sockets() in courier policy to allow to search dir and allow manage sock files - Revert "Allow qemu-kvm read and write /dev/mapper/control" - Revert "Allow qemu read and write /dev/mapper/control" - Revert "Dontaudit and disallow sys_admin capability for keepalived_t domain" - Dontaudit pcscd_t setting its process scheduling - Dontaudit thumb_t setting its process scheduling - Allow munin domain transition with NoNewPrivileges - Add dev_lock_all_blk_files() interface - Allow auditd manage kerberos host rcache files - Allow systemd-logind dbus chat with fwupd * Wed Jul 29 2020 Fedora Release Engineering <> - 3.14.6-21 - Rebuilt for * Mon Jul 13 2020 Lukas Vrabec <> - 3.14.6-20 - Align gen_tunable() syntax with sepolgen * Fri Jul 10 2020 Zdenek Pytela <> - 3.14.6-19 - Additional support for keepalived running in a namespace - Remove systemd_dbus_chat_resolved(pcp_pmie_t) - virt: remove the libvirt qmf rules - Allow certmonger manage dirsrv services - Run ipa_helper_noatsecure(oddjob_t) only if the interface exists - Allow domain dbus chat with systemd-resolved - Define file context for /var/run/netns directory only - Revert "Add support for fuse.glusterfs" * Tue Jul 07 2020 Zdenek Pytela <> - 3.14.6-18 - Allow oddjob_t process noatsecure permission for ipa_helper_t - Allow keepalived manage its private type runtime directories - Update irqbalance runtime directory file context - Allow irqbalance file transition for pid sock_files and directories - Allow systemd_private_tmp(dirsrv_tmp_t) instead of dirsrv_t - Allow virtlogd_t manage virt lib files - Allow systemd set efivarfs files attributes - Support systemctl --user in machinectl - Allow chkpwd_t read and write systemd-machined devpts character nodes - Allow init_t write to inherited systemd-logind sessions pipes * Fri Jun 26 2020 Zdenek Pytela <> - 3.14.6-17 - Allow pdns server to read system state - Allow irqbalance nnp_transition - Fix description tag for the sssd_connect_all_unreserved_ports tunable - Allow journalctl process set its resource limits - Add sssd_access_kernel_keys tunable to conditionally access kernel keys - Make keepalived work with network namespaces - Create sssd_connect_all_unreserved_ports boolean - Allow hypervkvpd to request kernel to load a module - Allow systemd_private_tmp(dirsrv_tmp_t) - Allow microcode_ctl get attributes of sysfs directories - Remove duplicate files_dontaudit_list_tmp(radiusd_t) line - Allow radiusd connect to gssproxy over unix domain stream socket - Add fwupd_cache_t file context for '/var/cache/fwupd(/.*)?' - Allow qemu read and write /dev/mapper/control - Allow tlp_t can_exec() tlp_exec_t - Dontaudit vpnc_t setting its process scheduling - Remove files_mmap_usr_files() call for particular domains - Allow dirsrv_t list cgroup directories - Crete the kerberos_write_kadmind_tmp_files() interface - Allow realmd_t dbus chat with accountsd_t - Label systemd-growfs and systemd-makefs as fsadm_exec_t - Allow staff_u and user_u setattr generic usb devices - Allow sysadm_t dbus chat with accountsd - Modify kernel_rw_key() not to include append permission - Add kernel_rw_key() interface to access to kernel keyrings - Modify systemd_delete_private_tmp() to use delete_*_pattern macros - Allow systemd-modules to load kernel modules - Add cachefiles_dev_t as a typealias to cachefiles_device_t - Allow libkrb5 lib read client keytabs - Allow domain mmap usr_t files - Remove files_mmap_usr_files() call for systemd domains - Allow sshd write to kadmind temporary files - Do not audit staff_t and user_t attempts to manage boot_t entries - Add files_dontaudit_manage_boot_dirs() interface - Allow systemd-tty-ask-password-agent read efivarfs files * Thu Jun 25 2020 Adam Williamson <> - 3.14.6-16 - Fix scriptlets when /etc/selinux/config does not exist * Thu Jun 04 2020 Zdenek Pytela <> - 3.14.6-15 - Add fetchmail_uidl_cache_t type for /var/mail/ - Support multiple ways of tlp invocation - Allow qemu-kvm read and write /dev/mapper/control - Introduce logrotate_use_cifs boolean - Allow ptp4l_t sys_admin capability to run bpf programs - Allow to getattr files on an nsfs filesystem - httpd: Allow NoNewPriv transition from systemd - Allow rhsmd read process state of all domains and kernel threads - Allow rhsmd mmap /etc/passwd - Allow systemd-logind manage efivarfs files - Allow initrc_t tlp_filetrans_named_content() - Allow systemd_resolved_t to read efivarfs - Allow systemd_modules_load_t to read efivarfs - Introduce systemd_read_efivarfs_type attribute - Allow named transition for /run/tlp from a user shell - Allow ipsec_mgmt_t mmap ipsec_conf_file_t files - Add file context for /sys/kernel/tracing * Tue May 19 2020 Zdenek Pytela <> - 3.14.6-14 - Allow chronyc_t domain to use nsswitch - Allow nscd_socket_use() for domains in nscd_use() unconditionally - Add allow rules for lttng-sessiond domain - Label dirsrv systemd unit files and add dirsrv_systemctl() - Allow gluster geo-replication in rsync mode - Allow nagios_plugin_domain execute programs in bin directories - Allow sys_admin capability for domain labeled systemd_bootchart_t - Split the arping path regexp to 2 lines to prevent from relabeling - Allow tcpdump sniffing offloaded (RDMA) traffic - Revert "Change arping path regexp to work around fixfiles incorrect handling" - Change arping path regexp to work around fixfiles incorrect handling - Allow read efivarfs_t files by domains executing systemctl file * Wed Apr 29 2020 Zdenek Pytela <> - 3.14.6-13 - Update networkmanager_read_pid_files() to allow also list_dir_perms - Update policy for NetworkManager_ssh_t - Allow glusterd synchronize between master and slave - Allow spamc_t domain to read network state - Allow strongswan use tun/tap devices and keys - Allow systemd_userdbd_t domain logging to journal * Tue Apr 14 2020 Zdenek Pytela <> - 3.14.6-12 - Allow rngd create netlink_kobject_uevent_socket and read udev runtime files - Allow ssh-keygen create file in /var/lib/glusterd - Update ctdbd_manage_lib_files() to also allow mmap ctdbd_var_lib_t files - Merge ipa and ipa_custodia modules - Allow NetworkManager_ssh_t to execute_no_trans for binary ssh_exec_t - Introduce daemons_dontaudit_scheduling boolean - Modify path for arping in netutils.fc to match both bin and sbin - Change file context for /var/run/pam_ssh to match file transition - Add file context entry and file transition for /var/run/pam_timestamp * Tue Mar 31 2020 Zdenek Pytela <> - 3.14.6-11 - Allow NetworkManager manage dhcpd unit files - Update ninfod policy to add nnp transition from systemd to ninfod - Remove container interface calling by named_filetrans_domain. * Wed Mar 25 2020 Zdenek Pytela <> - 3.14.6-10 - Allow openfortivpn exec shell - Remove label session_dbusd_tmp_t for /run/user/USERID/systemd - Add ibacm_t ipc_lock capability - Allow ipsec_t connectto ipsec_mgmt_t - Remove ipa_custodia - Allow systemd-journald to read user_tmp_t symlinks * Wed Mar 18 2020 Zdenek Pytela <> - 3.14.6-9 - Allow zabbix_t manage and filetrans temporary socket files - Makefile: fix tmp/%.mod.fc target * Fri Mar 13 2020 Zdenek Pytela <> - 3.14.6-8 - Allow NetworkManager read its unit files and manage services - Add init_daemon_domain() for geoclue_t - Allow to use nnp_transition in pulseaudio_role - Allow pdns_t domain to map files in /usr. - Label all NetworkManager fortisslvpn plugins as openfortivpn_exec_t - Allow login_pgm create and bind on netlink_selinux_socket * Mon Mar 09 2020 Zdenek Pytela <> - 3.14.6-7 - Allow sssd read systemd-resolved runtime directory - Allow sssd read NetworkManager's runtime directory - Mark nm-cloud-setup systemd units as NetworkManager_unit_file_t - Allow system_mail_t to signull pcscd_t - Create interface pcscd_signull - Allow auditd poweroff or switch to single mode * Fri Feb 28 2020 Lukas Vrabec <> - 3.14.6-6 - Allow postfix stream connect to cyrus through runtime socket - Dontaudit daemons to set and get scheduling policy/parameters * Sat Feb 22 2020 Lukas Vrabec <> - 3.14.6-5 - Allow certmonger_t domain to read pkcs_slotd lock files - Allow httpd_t domain to mmap own var_lib_t files BZ(1804853) - Allow ipda_custodia_t to create udp_socket and added permission nlmsg_read for netlink_route_sockets - Make file context more variable for /usr/bin/fusermount and /bin/fusermount - Allow local_login_t domain to getattr cgroup filesystem - Allow systemd_logind_t domain to manage user_tmp_t char and block devices * Tue Feb 18 2020 Lukas Vrabec <> - 3.14.6-4 - Update virt_read_qemu_pid_files inteface - Allow systemd_logind_t domain to getattr cgroup filesystem - Allow systemd_logind_t domain to manage user_tmp_t char and block devices - Allow nsswitch_domain attribute to stream connect to systemd process * Sun Feb 16 2020 Lukas Vrabec <> - 3.14.6-3 - Allow systemd labeled as init_t to manage systemd_userdbd_runtime_t symlinks - Allow systemd_userdbd_t domain to read efivarfs files * Sat Feb 15 2020 Lukas Vrabec <> - 3.14.6-2 - Allow vhostmd communication with hosted virtual machines - Add and update virt interfaces - Update radiusd policy - Allow systemd_private_tmp(named_tmp_t) - Allow bacula dac_override capability - Allow systemd_networkd_t to read efivarfs - Add support for systemd-userdbd - Allow systemd system services read efivarfs files * Sat Feb 15 2020 Lukas Vrabec <> - 3.14.6-1 - Bump version to 3.14.6 because fedora 32 was branched * Fri Feb 07 2020 Zdenek Pytela <> - 3.14.5-24 - Allow ptp4l_t create and use packet_socket sockets - Allow ipa_custodia_t create and use netlink_route_socket sockets. - Allow networkmanager_t transition to setfiles_t - Create init_create_dirs boolean to allow init create directories * Fri Jan 31 2020 Zdenek Pytela <> - 3.14.5-23 - Allow thumb_t connect to system_dbusd_t BZ(1795044) - Allow saslauthd_t filetrans variable files for /tmp directory - Added apache create log dirs macro - Tiny documentation fix - Allow openfortivpn_t to manage net_conf_t files. - Introduce boolean openfortivpn_can_network_connect. - Dontaudit domain chronyd_t to list in user home dirs. - Allow init_t to create apache log dirs. - Add file transition for /dev/nvidia-uvm BZ(1770588) - Allow syslog_t to read efivarfs_t files - Add ioctl to term_dontaudit_use_ptmx macro - Update xserver_rw_session macro * Thu Jan 30 2020 Fedora Release Engineering <> - 3.14.5-22 - Rebuilt for * Fri Jan 24 2020 Zdenek Pytela <> - 3.14.5-21 - Dontaudit timedatex_t read file_contexts_t and validate security contexts - Make stratisd_t domain unconfined for now. - stratisd_t policy updates. - Label /var/spool/plymouth/boot.log as plymouthd_var_log_t - Label /stratis as stratisd_data_t - Allow opafm_t to create and use netlink rdma sockets. - Allow stratisd_t domain to read/write fixed disk devices and removable devices. - Added macro for stratisd to chat over dbus - Add dac_override capability to stratisd_t domain - Allow init_t set the nice level of all domains BZ(1778088) - Allow userdomain to chat with stratisd over dbus. * Mon Jan 13 2020 Lukas Vrabec <> - 3.14.5-20 - Fix typo in anaconda SELinux module - Allow rtkit_t domain to control scheduling for your install_t processes - Boolean: rngd_t to use executable memory - Allow rngd_t domain to use nsswitch BZ(1787661) - Allow exim to execute bin_t without domain trans - Allow create udp sockets for abrt_upload_watch_t domains - Drop label zebra_t for frr binaries - Allow NetworkManager_t domain to get status of samba services - Update milter policy to allow use sendmail - Modify file context for .local directory to match exactly BZ(1637401) - Allow init_t domain to create own socket files in /tmp - Allow ipsec_mgmt_t domain to mmap ipsec_conf_file_t files - Create files_create_non_security_dirs() interface * Fri Dec 20 2019 Zdenek Pytela <> - 3.14.5-19 - Allow init_t nnp domain transition to kmod_t - Allow userdomain dbus chat with systemd_resolved_t - Allow init_t read and setattr on /var/lib/fprintd - Allow sysadm_t dbus chat with colord_t - Allow confined users run fwupdmgr - Allow confined users run machinectl - Allow systemd labeled as init_t domain to create dirs labeled as var_t - Allow systemd labeled as init_t do read/write tpm_device_t chr files BZ(1778079) - Add new file context rabbitmq_conf_t. - Allow journalctl read init state BZ(1731753) - Add fprintd_read_var_lib_dir and fprintd_setattr_var_lib_dir interfaces - Allow pulseaudio create .config and dgram sendto to unpriv_userdomain - Change type in transition for /var/cache/{dnf,yum} directory - Allow cockpit_ws_t read efivarfs_t BZ(1777085) - Allow abrt_dump_oops_t domain to create udp sockets BZ(1778030) - Allow named_t domain to mmap named_zone_t files BZ(1647493) - Make boinc_var_lib_t label system mountdir attribute - Allow stratis_t domain to request load modules - Update fail2ban policy - Allow spamd_update_t access antivirus_unit_file_t BZ(1774092) - Allow uuidd_t Domain trasition from sytemd into confined domain with NoNewPrivileges Systemd Security feature. - Allow rdisc_t Domain trasition from sytemd into confined domain with NoNewPrivileges Systemd Security feature. * Thu Nov 28 2019 Lukas Vrabec <> - 3.14.5-18 - Allow systemd to read all proc - Introduce new type pdns_var_lib_t - Allow zebra_t domain to read files labled as nsfs_t. - Allow systemd to setattr on all device_nodes - Allow systemd to mounton and list all proc types * Wed Nov 27 2019 Lukas Vrabec <> - 3.14.5-17 - Fix nonexisting types in rtas_errd_rw_lock interface - Allow snmpd_t domain to trace processes in user namespace - Allow timedatex_t domain to read relatime clock and adjtime_t files - Allow zebra_t domain to execute zebra binaries - Label /usr/lib/NetworkManager/dispatcher as NetworkManager_initrc_exec_t - Allow ksmtuned_t domain to trace processes in user namespace - Allow systemd to read symlinks in /var/lib - Update dev_mounton_all_device_nodes() interface - Add the miscfiles_map_generic_certs macro to the sysnet_dns_name_resolve macro. - Allow systemd_domain to map files in /usr. - Allow strongswan start using swanctl method BZ(1773381) - Dontaudit systemd_tmpfiles_t getattr of all file types BZ(1772976) * Thu Nov 21 2019 Zdenek Pytela <> - 3.14.5-16 - Allow timedatex_t domain dbus chat with both confined and unconfined users - Allow timedatex_t domain dbus chat with unconfined users - Allow NetworkManager_t manage dhcpc_state_t BZ(1770698) - Make unconfined domains part of domain_named_attribute - Label tcp ports 24816,24817 as pulp_port_t - Remove duplicate entries for initrc_t in init.te * Thu Nov 14 2019 Lukas Vrabec <> - 3.14.5-15 - Increase SELinux userspace version which should be required. * Wed Nov 13 2019 Lukas Vrabec <> - 3.14.5-14 - Increase version of kernel compiled binary policy to 32 because of new SELinux userspace v3.0 * Wed Nov 13 2019 Lukas Vrabec <> - 3.14.5-13 - Fix typo bugs in rtas_errd_read_lock() interface - cockpit: Drop cockpit-cert-session - Allow timedatex_t domain to systemctl chronyd domains - Allow ipa_helper_t to read kr5_keytab_t files - cockpit: Allow cockpit-session to read cockpit-tls state directory - Allow stratisd_t domain to read nvme and fixed disk devices - Update lldpad_t policy module - Dontaudit tmpreaper_t getting attributes from sysctl_type files - cockpit: Support https instance factory - Added macro for timedatex to chat over dbus. - Fix typo in dev_filetrans_all_named_dev() - Update files_manage_etc_runtime_files() interface to allow manage also dirs - Fix typo in cachefiles device - Dontaudit sys_admin capability for auditd_t domains - Allow x_userdomain to read adjtime_t files - Allow users using template userdom_unpriv_user_template() to run bpf tool - Allow x_userdomain to dbus_chat with timedatex. * Sun Nov 03 2019 Lukas Vrabec <> - 3.14.5-12 - Label /var/cache/nginx as httpd_cache_t - Allow abrt_upload_watch_t domain to send dgram msgs to kernel processes and stream connect to journald - Created dnsmasq_use_ipset boolean - Allow capability dac_override in logwatch_mail_t domain - Allow automount_t domain to execute ping in own SELinux domain (ping_t) - Allow tmpreaper_t domain to getattr files labeled as mtrr_device_t - Allow collectd_t domain to create netlink_generic_socket sockets - Allow rhsmcertd_t domain to read/write rtas_errd_var_lock_t files - Allow tmpwatch process labeled as tmpreaper_t domain to execute fuser command. - Label /etc/postfix/chroot-update as postfix_exec_t - Update tmpreaper_t policy due to fuser command - Allow kdump_t domain to create netlink_route and udp sockets - Allow stratisd to connect to dbus - Allow fail2ban_t domain to create netlink netfilter sockets. - Allow dovecot get filesystem quotas - Allow networkmanager_t domain to execute chronyd binary in chronyd_t domain. BZ(1765689) - Allow systemd-tmpfiles processes to set rlimit information - Allow cephfs to use xattrs for storing contexts - Update files_filetrans_named_content() interface to allow caller domain to create /oldroot /.profile with correct label etc_runtime_t * Fri Oct 25 2019 Lukas Vrabec <> - 3.14.5-11 - Allow confined users to run newaliases - Add interface mysql_dontaudit_rw_db() - Label /var/lib/xfsdump/inventory as amanda_var_lib_t - Allow tmpreaper_t domain to read all domains state - Make httpd_var_lib_t label system mountdir attribute - Update cockpit policy - Update timedatex policy to add macros, more detail below - Allow nagios_script_t domain list files labled sysfs_t. - Allow jetty_t domain search and read cgroup_t files. - Donaudit ifconfig_t domain to read/write mysqld_db_t files - Dontaudit domains read/write leaked pipes * Tue Oct 22 2019 Lukas Vrabec <> - 3.14.5-10 - Update timedatex policy to add macros, more detail below - Allow nagios_script_t domain list files labled sysfs_t. - Allow jetty_t domain search and read cgroup_t files. - Allow Gluster mount client to mount files_type - Dontaudit and disallow sys_admin capability for keepalived_t domain - Update numad policy to allow signull, kill, nice and trace processes - Allow ipmievd_t to RW watchdog devices - Allow ldconfig_t domain to manage initrc_tmp_t link files Allow netutils_t domain to write to initrc_tmp_t fifo files - Allow user domains to manage user session services - Allow staff and user users to get status of user systemd session - Update sudo_role_template() to allow caller domain to read syslog pid files * Fri Oct 11 2019 Lukas Vrabec <> - 3.14.5-9 - Allow networkmanager_t domain domain transition to chronyc_t domain BZ(1760226) * Wed Oct 09 2019 Lukas Vrabec <> - 3.14.5-8 - Update apache and pkcs policies to make active opencryptoki rules - Allow ipa_ods_exporter_t domain to read krb5_keytab files BZ(1759884) * Wed Oct 09 2019 Lukas Vrabec <> - 3.14.5-7 - Revert "nova.fc: fix duplicated slash" - Introduce new bolean httpd_use_opencryptoki - Add new interface apache_read_state() - Allow setroubleshoot_fixit_t to read random_device_t - Label /etc/named direcotory as named_conf_t BZ(1759495) - nova.fc: fix duplicated slash - Allow dkim to execute sendmail - Update virt_read_content interface to allow caller domain mmap virt_content_t block devices and files - Update aide_t domain to allow this tool to analyze also /dev filesystem - Update interface modutils_read_module_deps to allow caller domain also mmap modules_dep_t files BZ(1758634) - Allow avahi_t to send msg to xdm_t - Allow systemd_logind to read dosfs files & dirs Allow systemd-logind - a system service that manages user logins, to read files and list dirs on a DOS filesystem - Update dev_manage_sysfs() to support managing also lnk files BZ(1759019) - Allow systemd_logind_t domain to read blk_files in domain removable_device_t - Add new interface udev_getattr_rules_chr_files() * Fri Oct 04 2019 Lukas Vrabec <> - 3.14.5-6 - Update aide_t domain to allow this tool to analyze also /dev filesystem - Allow bitlbee_t domain map files in /usr - Allow stratisd to getattr of fixed disk device nodes - Add net_broadcast capability to openvswitch_t domain BZ(1716044) - Allow exim_t to read mysqld conf files if exim_can_connect_db is enabled. BZ(1756973) - Allow cobblerd_t domain search apache configuration dirs - Dontaudit NetworkManager_t domain to write to kdump temp pipies BZ(1750428) - Label /var/log/collectd.log as collectd_log_t - Allow boltd_t domain to manage sysfs files and dirs BZ(1754360) - Add fowner capability to the pcp_pmlogger_t domain BZ(1754767) - networkmanager: allow NetworkManager_t to create bluetooth_socket - Fix ipa_custodia_stream_connect interface - Add new interface udev_getattr_rules_chr_files() - Make dbus-broker service working on s390x arch - Add new interface dev_mounton_all_device_nodes() - Add new interface dev_create_all_files() - Allow systemd(init_t) to load kernel modules - Allow ldconfig_t domain to manage initrc_tmp_t objects - Add new interface init_write_initrc_tmp_pipes() - Add new interface init_manage_script_tmp_files() - Allow xdm_t setpcap capability in user namespace BZ(1756790) - Allow x_userdomain to mmap generic SSL certificates - Allow xdm_t domain to user netlink_route sockets BZ(1756791) - Update files_create_var_lib_dirs() interface to allow caller domain also set attributes of var_lib_t directory BZ(1754245) - Allow sudo userdomain to run rpm related commands - Add sys_admin capability for ipsec_t domain - Allow systemd_modules_load_t domain to read systemd pid files - Add new interface init_read_pid_files() - Allow systemd labeled as init_t domain to manage faillog_t objects - Add file context ipsec_var_run_t for /var/run/charon\.dck to ipsec.fc - Make ipa_custodia policy active