Information for build selinux-policy-34.1.34-1.el9

ID: 22672
Package Name: selinux-policy
Version: 34.1.34
Release: 1.el9
Epoch:
Source: git+https://gitlab.com/redhat/centos-stream/rpms/selinux-policy#14f9935fa025d5038212620ba43a161643f68d72
Summary: SELinux policy configuration
Description: SELinux core policy package. Originally based off of reference policy, the policy has been adjusted to provide support for Fedora.
Built by: zpytela
State: complete
Volume: DEFAULT
Started: Thu, 09 Jun 2022 14:57:36 UTC
Completed: Thu, 09 Jun 2022 15:01:10 UTC
Task: build (c9s-candidate, /redhat/centos-stream/rpms/selinux-policy:14f9935fa025d5038212620ba43a161643f68d72)
Extra: {'source': {'original_url': 'git+https://gitlab.com/redhat/centos-stream/rpms/selinux-policy#14f9935fa025d5038212620ba43a161643f68d72'}}
Tags: No tags

RPMs
src:
  selinux-policy-34.1.34-1.el9.src.rpm
noarch:
  selinux-policy-34.1.34-1.el9.noarch.rpm
  selinux-policy-devel-34.1.34-1.el9.noarch.rpm
  selinux-policy-doc-34.1.34-1.el9.noarch.rpm
  selinux-policy-minimum-34.1.34-1.el9.noarch.rpm
  selinux-policy-mls-34.1.34-1.el9.noarch.rpm
  selinux-policy-sandbox-34.1.34-1.el9.noarch.rpm
  selinux-policy-targeted-34.1.34-1.el9.noarch.rpm

Logs
noarch:
  build.log
  hw_info.log
  installed_pkgs.log
  mock_output.log
  noarch_rpmdiff.json
  root.log
  state.log

Changelog

* Thu Jun 09 2022 Zdenek Pytela <zpytela@redhat.com> - 34.1.34-1
- Allow stalld setsched and sys_nice
Resolves: rhbz#2092864
- Allow rhsmcertd to create cache file in /var/cache/cloud-what
Resolves: rhbz#2092333
- Update policy for samba-dcerpcd
Resolves: rhbz#2083509
- Add support for samba-dcerpcd
Resolves: rhbz#2083509
- Allow rabbitmq to access its private memfd: objects
Resolves: rhbz#2056565
- Confine targetcli
Resolves: rhbz#2020169
- Add policy for wireguard
Resolves: 1964862
- Label /var/cache/insights with insights_client_cache_t
Resolves: rhbz#2062136
- Allow ctdbd nlmsg_read on netlink_tcpdiag_socket
Resolves: rhbz#2094489
- Allow auditd_t noatsecure for a transition to audisp_remote_t
Resolves: rhbz#2081907

* Fri May 27 2022 Zdenek Pytela <zpytela@redhat.com> - 34.1.33-1
- Allow insights-client manage gpg admin home content
Resolves: rhbz#2062136
- Add the gpg_manage_admin_home_content() interface
Resolves: rhbz#2062136
- Add rhcd policy
Resolves: bz#1965013
- Allow svirt connectto virtlogd
Resolves: rhbz#2000881
- Add ksm service to ksmtuned
Resolves: rhbz#2021131
- Allow nm-privhelper setsched permission and send system logs
Resolves: rhbz#2053639
- Update the policy for systemd-journal-upload
Resolves: rhbz#2085369
- Allow systemd-journal-upload watch logs and journal
Resolves: rhbz#2085369
- Create a policy for systemd-journal-upload
Resolves: rhbz#2085369
- Allow insights-client create and use unix_dgram_socket
Resolves: rhbz#2087765
- Allow insights-client search gconf homedir
Resolves: rhbz#2087765

* Wed May 11 2022 Zdenek Pytela <zpytela@redhat.com> - 34.1.32-1
- Dontaudit guest attempts to dbus chat with systemd domains
Resolves: rhbz#2062740
- Dontaudit guest attempts to dbus chat with system bus types
Resolves: rhbz#2062740
- Fix users for SELinux userspace 3.4
Resolves: rhbz#2079290
- Removed adding to attribute unpriv_userdomain from userdom_unpriv_type template
Resolves: rhbz#2076681
- Allow systemd-sleep get removable devices attributes
Resolves: rhbz#2082404
- Allow systemd-sleep tlp_filetrans_named_content()
Resolves: rhbz#2082404
- Allow systemd-sleep execute generic programs
Resolves: rhbz#2082404
- Allow systemd-sleep execute shell
Resolves: rhbz#2082404
- Allow systemd-sleep transition to sysstat_t
Resolves: rhbz#2082404
- Allow systemd-sleep transition to tlp_t
Resolves: rhbz#2082404
- Allow systemd-sleep transition to unconfined_service_t on bin_t executables
Resolves: rhbz#2082404
- allow systemd-sleep to set timer for suspend-then-hibernate
Resolves: rhbz#2082404
- Add default fc specifications for patterns in /opt
Resolves: rhbz#2081059
- Use a named transition in systemd_hwdb_manage_config()
Resolves: rhbz#2061725

* Wed May 04 2022 Nikola Knazekova <nknazeko@redhat.com> - 34.1.31-2
- Remove "v" from the package version

* Mon May 02 2022 Nikola Knazekova <nknazeko@redhat.com> - v34.1.31-1
- Label /var/run/machine-id as machineid_t
Resolves: rhbz#2061680
- Allow insights-client create_socket_perms for tcp/udp sockets
Resolves: rhbz#2077377
- Allow insights-client read rhnsd config files
Resolves: rhbz#2077377
- Allow rngd drop privileges via setuid/setgid/setcap
Resolves: rhbz#2076642
- Allow tmpreaper the sys_ptrace userns capability
Resolves: rhbz#2062823
- Add stalld to modules.conf
Resolves: rhbz#2042614
- New policy for stalld
Resolves: rhbz#2042614
- Label new utility of NetworkManager nm-priv-helper
Resolves: rhbz#2053639
- Exclude container.if from selinux-policy-devel
Resolves: rhbz#1861968

* Tue Apr 19 2022 Zdenek Pytela <zpytela@redhat.com> - 34.1.30-2
- Update source branches to build a new package for RHEL 9.1.0

* Tue Apr 12 2022 Nikola Knazekova <nknazeko@redhat.com> - 34.1.30-1
- Allow administrative users the bpf capability
Resolves: RHBZ#2070982
- Allow NetworkManager talk with unconfined user over unix domain dgram socket
Resolves: rhbz#2064688
- Allow hostapd talk with unconfined user over unix domain dgram socket
Resolves: rhbz#2064688
- Allow fprintd read and write hardware state information
Resolves: rhbz#2062911
- Allow fenced read kerberos key tables
Resolves: RHBZ#2060722
- Allow init watch and watch_reads user ttys
Resolves: rhbz#2060289
- Allow systemd watch and watch_reads console devices
Resolves: rhbz#2060289
- Allow nmap create and use rdma socket
Resolves: RHBZ#2059603

* Thu Mar 31 2022 Zdenek Pytela <zpytela@redhat.com> - 34.1.29-1
- Allow qemu-kvm create and use netlink rdma sockets
Resolves: rhbz#2063612
- Label corosync-cfgtool with cluster_exec_t
Resolves: rhbz#2061277

* Thu Mar 24 2022 Zdenek Pytela <zpytela@redhat.com> - 34.1.28-1
- Allow logrotate a domain transition to cluster administrative domain
Resolves: rhbz#2061277
- Change the selinuxuser_execstack boolean value to true
Resolves: rhbz#2064274

* Thu Feb 24 2022 Zdenek Pytela <zpytela@redhat.com> - 34.1.27-1
- Allow ModemManager connect to the unconfined user domain
Resolves: rhbz#2000196
- Label /dev/wwan.+ with modem_manager_t
Resolves: rhbz#2000196
- Allow systemd-coredump userns capabilities and root mounton
Resolves: rhbz#2057435
- Allow systemd-coredump read and write usermodehelper state
Resolves: rhbz#2057435
- Allow sysadm_passwd_t to relabel passwd and group files
Resolves: rhbz#2053458
- Allow systemd-sysctl read the security state information
Resolves: rhbz#2056999
- Remove unnecessary /etc file transitions for insights-client
Resolves: rhbz#2055823
- Label all content in /var/lib/insights with insights_client_var_lib_t
Resolves: rhbz#2055823
- Update insights-client policy
Resolves: rhbz#2055823
- Update insights-client: fc pattern, motd, writing to etc
Resolves: rhbz#2055823
- Update specfile to buildrequire policycoreutils-devel >= 3.3-5
- Add modules_checksum to %files

* Thu Feb 17 2022 Zdenek Pytela <zpytela@redhat.com> - 34.1.26-1
- Remove permissive domain for insights_client_t
Resolves: rhbz#2055823
- New policy for insight-client
Resolves: rhbz#2055823
- Allow confined sysadmin to use tool vipw
Resolves: rhbz#2053458
- Allow chage domtrans to sssd
Resolves: rhbz#2054657
- Remove label for /usr/sbin/bgpd
Resolves: rhbz#2055578
- Dontaudit pkcsslotd sys_admin capability
Resolves: rhbz#2055639
- Do not change selinuxuser_execmod and selinuxuser_execstack
Resolves: rhbz#2055822
- Allow tuned to read rhsmcertd config files
Resolves: rhbz#2055823

* Mon Feb 14 2022 Zdenek Pytela <zpytela@redhat.com> - 34.1.25-1
- Allow systemd watch unallocated ttys
Resolves: rhbz#2054150
- Allow alsa bind mixer controls to led triggers
Resolves: rhbz#2049732
- Allow alsactl set group Process ID of a process
Resolves: rhbz#2049732
- Allow unconfined to run virtd bpf
Resolves: rhbz#2033504

* Fri Feb 04 2022 Zdenek Pytela <zpytela@redhat.com> - 34.1.24-1
- Allow tumblerd write to session_dbusd tmp socket files
Resolves: rhbz#2000039
- Allow login_userdomain write to session_dbusd tmp socket files
Resolves: rhbz#2000039
- Allow login_userdomain create session_dbusd tmp socket files
Resolves: rhbz#2000039
- Allow gkeyringd_domain write to session_dbusd tmp socket files
Resolves: rhbz#2000039
- Allow systemd-logind delete session_dbusd tmp socket files
Resolves: rhbz#2000039
- Allow gdm-x-session write to session dbus tmp sock files
Resolves: rhbz#2000039
- Allow sysadm_t nnp_domtrans to systemd_tmpfiles_t
Resolves: rhbz#2039453
- Label exFAT utilities at /usr/sbin
Resolves: rhbz#1972225

* Wed Feb 02 2022 Zdenek Pytela <zpytela@redhat.com> - 34.1.23-1
- Allow systemd nnp_transition to login_userdomain
Resolves: rhbz#2039453
- Label /var/run/user/%{USERID}/dbus with session_dbusd_tmp_t
Resolves: rhbz#2000039
- Change /run/user/[0-9]+ to /run/user/%{USERID} for proper labeling
Resolves: rhbz#2000039
- Allow scripts to enter LUKS password
Resolves: rhbz#2048521
- Allow system_mail_t read inherited apache system content rw files
Resolves: rhbz#2049372
- Add apache_read_inherited_sys_content_rw_files() interface
Related: rhbz#2049372
- Allow sanlock get attributes of filesystems with extended attributes
Resolves: rhbz#2047811
- Associate stratisd_data_t with device filesystem
Resolves: rhbz#2039974
- Allow init read stratis data symlinks
Resolves: rhbz#2039974
- Label /run/stratisd with stratisd_var_run_t
Resolves: rhbz#2039974
- Allow domtrans to sssd_t and role access to sssd
Resolves: rhbz#2039757
- Creating interface sssd_run_sssd()
Resolves: rhbz#2039757
- Fix badly indented used interfaces
Resolves: rhbz#2039757
- Allow domain transition to sssd_t
Resolves: rhbz#2039757
- Label /dev/nvme-fabrics with fixed_disk_device_t
Resolves: rhbz#2039759
- Allow local_login_t nnp_transition to login_userdomain
Resolves: rhbz#2039453
- Allow xdm_t nnp_transition to login_userdomain
Resolves: rhbz#2039453
- Make cupsd_lpd_t a daemon
Resolves: rhbz#2039449
- Label utilities for exFAT filesystems with fsadm_exec_t
Resolves: rhbz#1972225
- Dontaudit sfcbd sys_ptrace cap_userns
Resolves: rhbz#2040311

* Tue Jan 11 2022 Zdenek Pytela <zpytela@redhat.com> - 34.1.22-1
- Allow sshd read filesystem sysctl files
Resolves: rhbz#2036585
- Revert "Allow sshd read sysctl files"
Resolves: rhbz#2036585

* Mon Jan 10 2022 Zdenek Pytela <zpytela@redhat.com> - 34.1.21-1
- Remove the lockdown class from the policy
Resolves: rhbz#2017848
- Revert "define lockdown class and access"
Resolves: rhbz#2017848
- Allow gssproxy access to various system files.
Resolves: rhbz#2026974
- Allow gssproxy read, write, and map ica tmpfs files
Resolves: rhbz#2026974
- Allow gssproxy read and write z90crypt device
Resolves: rhbz#2026974
- Allow sssd_kcm read and write z90crypt device
Resolves: rhbz#2026974
- Allow abrt_domain read and write z90crypt device
Resolves: rhbz#2026974
- Allow NetworkManager read and write z90crypt device
Resolves: rhbz#2026974
- Allow smbcontrol read the network state information
Resolves: rhbz#2038157
- Allow virt_domain map vhost devices
Resolves: rhbz#2035702
- Allow fcoemon request the kernel to load a module
Resolves: rhbz#2034463
- Allow lldpd connect to snmpd with a unix domain stream socket
Resolves: rhbz#2033315
- Allow ModemManager create a qipcrtr socket
Resolves: rhbz#2036582
- Allow ModemManager request to load a kernel module
Resolves: rhbz#2036582
- Allow sshd read sysctl files
Resolves: rhbz#2036585

* Wed Dec 15 2021 Zdenek Pytela <zpytela@redhat.com> - 34.1.20-1
- Allow dnsmasq watch /etc/dnsmasq.d directories
Resolves: rhbz#2029866
- Label /usr/lib/pcs/pcs_snmp_agent with cluster_exec_t
Resolves: rhbz#2029316
- Allow lldpd use an snmp subagent over a tcp socket
Resolves: rhbz#2028561
- Allow smbcontrol use additional socket types
Resolves: rhbz#2027751
- Add write permission to userfaultfd_anon_inode_perms
Resolves: rhbz#2027660
- Allow xdm_t watch generic directories in /lib
Resolves: rhbz#1960010
- Allow xdm_t watch fonts directories
Resolves: rhbz#1960010
- Label /dev/ngXnY and /dev/nvme-subsysX with fixed_disk_device_t
Resolves: rhbz#2027994
- Add hwtracing_device_t type for hardware-level tracing and debugging
Resolves: rhbz#2029392
- Change dev_getattr_infiniband_dev() to use getattr_chr_files_pattern()
Resolves: rhbz#2028791
- Allow arpwatch get attributes of infiniband_device_t devices
Resolves: rhbz#2028791
- Allow tcpdump and nmap get attributes of infiniband_device_t
Resolves: rhbz#2028791

* Mon Nov 29 2021 Zdenek Pytela <zpytela@redhat.com> - 34.1.19-1
- Allow redis get attributes of filesystems with extended attributes
Resolves: rhbz#2014611
- Allow dirsrv read slapd tmpfs files
Resolves: rhbz#2015928
- Revert "Label /dev/shm/dirsrv/ with dirsrv_tmpfs_t label"
Resolves: rhbz#2015928
- Allow login_userdomain open/read/map system journal
Resolves: rhbz#2017838
- Allow login_userdomain read and map /var/lib/systemd files
Resolves: rhbz#2017838
- Allow nftables read NetworkManager unnamed pipes
Resolves: rhbz#2023456
- Allow xdm watch generic directories in /var/lib
Resolves: rhbz#1960010
- Allow xdm_t watch generic pid directories
Resolves: rhbz#1960010

* Mon Nov 01 2021 Zdenek Pytela <zpytela@redhat.com> - 34.1.18-1
- Allow fetchmail search cgroup directories
Resolves: rhbz#2015118
- Add the auth_read_passwd_file() interface
Resolves: rhbz#2014611
- Allow redis-sentinel execute a notification script
Resolves: rhbz#2014611
- Support new PING_CHECK health checker in keepalived
Resolves: rhbz#2014423

* Thu Oct 14 2021 Zdenek Pytela <zpytela@redhat.com> - 34.1.17-1
- Label /usr/sbin/virtproxyd as virtd_exec_t
Resolves: rhbz#2002143
- Allow at-spi-bus-launcher read and map xdm pid files
Resolves: rhbz#2011772
- Remove references to init_watch_path_type attribute
Resolves: rhbz#2007960
- Remove all redundant watch permissions for systemd
Resolves: rhbz#2007960
- Allow systemd watch non_security_file_type dirs, files, lnk_files
Resolves: rhbz#2007960
- Allow systemd-resolved watch /run/systemd
Resolves: rhbz#1992461
- Allow sssd watch /run/systemd
Resolves: rhbz#1992461

* Thu Sep 23 2021 Zdenek Pytela <zpytela@redhat.com> - 34.1.16-1
- Allow fprintd install a sleep delay inhibitor
Resolves: rhbz#1999537
- Update mount_manage_pid_files() to use manage_files_pattern
Resolves: rhbz#1999997
- Allow gnome at-spi processes create and use stream sockets
Resolves: rhbz#2004885
- Allow haproxy list the sysfs directories content
Resolves: rhbz#1986823
- Allow virtlogd_t read process state of user domains
Resolves: rhbz#1994592
- Support hitless reloads feature in haproxy
Resolves: rhbz#1997182
- Allow firewalld load kernel modules
Resolves: rhbz#1999152
- Allow communication between at-spi and gdm processes
Resolves: rhbz#2003037
- Remove "ipa = module" from modules-targeted-contrib.conf
Resolves: rhbz#2006039

* Mon Aug 30 2021 Zdenek Pytela <zpytela@redhat.com> - 34.1.15-1
- Update ica_filetrans_named_content() with create_file_perms
Resolves: rhbz#1976180
- Allow various domains work with ICA crypto accelerator
Resolves: rhbz#1976180
- Add ica module
Resolves: rhbz#1976180
- Revert "Support using ICA crypto accelerator on s390x arch"
Resolves: rhbz#1976180
- Fix the gnome_atspi_domtrans() interface summary
Resolves: rhbz#1972655
- Add support for at-spi
Resolves: rhbz#1972655
- Add permissions for system dbus processes
Resolves: rhbz#1972655
- Allow /tmp file transition for dbus-daemon also for sock_file
Resolves: rhbz#1972655

* Wed Aug 25 2021 Zdenek Pytela <zpytela@redhat.com> - 34.1.14-1
- Support using ICA crypto accelerator on s390x arch
Resolves: rhbz#1976180
- Allow systemd delete /run/systemd/default-hostname
Resolves: rhbz#1978507
- Label /usr/bin/Xwayland with xserver_exec_t
Resolves: rhbz#1993151
- Label /usr/libexec/gdm-runtime-config with xdm_exec_t
Resolves: rhbz#1993151
- Allow tcpdump read system state information in /proc
Resolves: rhbz#1972577
- Allow firewalld drop capabilities
Resolves: rhbz#1989641

* Thu Aug 12 2021 Zdenek Pytela <zpytela@redhat.com> - 34.1.13-1
- Add "/" at the beginning of dev/shm/var\.lib\.opencryptoki.* regexp
Resolves: rhbz#1977915
- Set default file context for /sys/firmware/efi/efivars
Resolves: rhbz#1972372
- Allow tcpdump run as a systemd service
Resolves: rhbz#1972577
- Allow nmap create and use netlink generic socket
Resolves: rhbz#1985212
- Allow nscd watch system db files in /var/db
Resolves: rhbz#1989416
- Allow systemd-gpt-auto-generator read udev pid files
Resolves: rhbz#1992638

* Tue Aug 10 2021 Zdenek Pytela <zpytela@redhat.com> - 34.1.12-1
- Revert "update libs_filetrans_named_content() to have support for /usr/lib/debug directory"
Resolves: rhbz#1990813
- Label /dev/crypto/nx-gzip with accelerator_device_t
Resolves: rhbz#1973953
- Label /usr/bin/qemu-storage-daemon with virtd_exec_t
Resolves: rhbz#1977245
- Allow systemd-machined stop generic service units
Resolves: rhbz#1979522
- Label /.k5identity file allow read of this file to rpc.gssd
Resolves: rhbz#1980610

* Tue Aug 10 2021 Mohan Boddu <mboddu@redhat.com> - 34.1.11-2
- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
Related: rhbz#1991688

* Thu Jul 29 2021 Zdenek Pytela <zpytela@redhat.com> - 34.1.11-1
- Allow hostapd bind UDP sockets to the dhcpd port
Resolves: rhbz#1979968
- Allow mdadm read iscsi pid files
Resolves: rhbz#1976073
- Unconfined domains should not be confined
Resolves: rhbz#1977986
- Allow NetworkManager_t to watch /etc
Resolves: rhbz#1980000
- Allow using opencryptoki for ipsec
Resolves: rhbz#1977915

* Wed Jul 14 2021 Zdenek Pytela <zpytela@redhat.com> - 34.1.10-1
- Allow bacula get attributes of cgroup filesystems
Resolves: rhbz#1976917
- Label /dev/wmi/dell-smbios as acpi_device_t
Resolves: rhbz#1972382
- Add the lockdown integrity permission to dev_map_userio_dev()
Resolves: rhbz#1966758
- Allow virtlogd_t to create virt_var_lockd_t dir
Resolves: rhbz#1974875

* Tue Jun 22 2021 Zdenek Pytela <zpytela@redhat.com> - 34.1.9-1
- Allow systemd-coredump getattr nsfs files and net_admin capability
Resolves: rhbz#1965372
- Label /run/libvirt/common with virt_common_var_run_t
Resolves: rhbz#1969209
- Label /usr/bin/arping plain file with netutils_exec_t
Resolves: rhbz#1952515
- Make usbmuxd_t a daemon
Resolves: rhbz#1965411
- Allow usbmuxd get attributes of cgroup filesystems
Resolves: rhbz#1965411
- Label /dev/dma_heap/* char devices with dma_device_t
- Revert "Label /dev/dma_heap/* char devices with dma_device_t"
- Revert "Label /dev/dma_heap with dma_device_dir_t"
- Revert "Associate dma_device_dir_t with device filesystem"
Resolves: rhbz#1967818
- Label /var/lib/kdump with kdump_var_lib_t
Resolves: rhbz#1965989
- Allow systemd-timedated watch runtime dir and its parent
Resolves: rhbz#1970865
- Label /run/fsck with fsadm_var_run_t
Resolves: rhbz#1970911

* Thu Jun 10 2021 Zdenek Pytela <zpytela@redhat.com> - 34.1.8-1
- Associate dma_device_dir_t with device filesystem
Resolves: rhbz#1954116
- Add default file context specification for dnf log files
Resolves: rhbz#1955223
- Allow using opencryptoki for certmonger
Resolves: rhbz#1961756
- Label var.lib.opencryptoki.* files and create pkcs_tmpfs_filetrans()
Resolves: rhbz#1961756
- Allow httpd_sys_script_t read, write, and map hugetlbfs files
Resolves: rhbz#1964890
- Dontaudit daemon open and read init_t file
Resolves: rhbz#1965412
- Allow sanlock get attributes of cgroup filesystems
Resolves: rhbz#1965217

* Tue Jun 08 2021 Zdenek Pytela <zpytela@redhat.com> - 34.1.7-1
- Set default file context for /var/run/systemd instead of /run/systemd
Resolves: rhbz#1966492

* Mon Jun 07 2021 Zdenek Pytela <zpytela@redhat.com> - 34.1.6-1
- Label /dev/dma_heap with dma_device_dir_t
Resolves: rhbz#1954116
- Allow pkcs-slotd create and use netlink_kobject_uevent_socket
Resolves: rhbz#1963252
- Label /run/systemd/default-hostname with hostname_etc_t
Resolves: rhbz#1966492

* Thu May 27 2021 Zdenek Pytela <zpytela@redhat.com> - 34.1.5-1
- Label /dev/trng with random_device_t
Resolves: rhbz#1962260
- Label /dev/zram[0-9]+ block device files with fixed_disk_device_t
Resolves: rhbz#1954116
- Label /dev/udmabuf character device with dma_device_t
Resolves: rhbz#1954116
- Label /dev/dma_heap/* char devices with dma_device_t
Resolves: rhbz#1954116
- Label /dev/acpi_thermal_rel char device with acpi_device_t
Resolves: rhbz#1954116
- Allow fcoemon create sysfs files
Resolves: rhbz#1952292

* Wed May 12 2021 Zdenek Pytela <zpytela@redhat.com> - 34.1.4-1
- Allow sysadm_t dbus chat with tuned
Resolves: rhbz#1953643
- Allow tuned write profile files with file transition
Resolves: rhbz#1953643
- Allow tuned manage perf_events
Resolves: rhbz#1953643
- Make domains use kernel_write_perf_event() and kernel_manage_perf_event()
Resolves: rhbz#1953643
- Add kernel_write_perf_event() and kernel_manage_perf_event()
Resolves: rhbz#1953643
- Allow syslogd_t watch root and var directories
Resolves: rhbz#1957792
- Allow tgtd create and use rdma socket
Resolves: rhbz#1955559
- Allow aide connect to init with a unix socket
Resolves: rhbz#1926343

* Wed Apr 28 2021 Zdenek Pytela <zpytela@redhat.com> - 34.1.3-1
- Allow domain create anonymous inodes
Resolves: rhbz#1954145
- Add anon_inode class to the policy
Resolves: rhbz#1954145
- Allow pluto IKEv2 / ESP over TCP
Resolves: rhbz#1951471
- Add brltty new permissions required by new upstream version
Resolves: rhbz#1947842
- Label /var/lib/brltty with brltty_var_lib_t
Resolves: rhbz#1947842
- Allow login_userdomain create cgroup files
Resolves: rhbz#1951114
- Allow aide connect to systemd-userdbd with a unix socket
Resolves: rhbz#1926343
- Allow cups-lpd read its private runtime socket files
Resolves: rhbz#1947397
- Label /etc/redis as redis_conf_t
Resolves: rhbz#1947874
- Add file context specification for /usr/libexec/realmd
Resolves: rhbz#1946495

* Thu Apr 22 2021 Zdenek Pytela <zpytela@redhat.com> - 34.1.2-1
- Further update make-rhat-patches.sh for RHEL 9.0 beta
- Add file context specification for /var/tmp/tmp-inst
Resolves: rhbz#1924656

* Wed Apr 21 2021 Zdenek Pytela <zpytela@redhat.com> - 34.1.1-1
- Update selinux-policy.spec and make-rhat-patches.sh for RHEL 9.0 beta
- Allow unconfined_service_t confidentiality and integrity lockdown
Resolves: rhbz#1950267

* Fri Apr 16 2021 Mohan Boddu <mboddu@redhat.com> - 34-2
- Rebuilt for RHEL 9 BETA on Apr 15th 2021.
Related: rhbz#1947937

* Thu Apr 01 2021 Zdenek Pytela <zpytela@redhat.com> - 34.1-1
- Change the package versioning

* Thu Apr 01 2021 Zdenek Pytela <zpytela@redhat.com> - 3.14.7-30
- Allow plymouthd_t exec generic program in bin directories
- Allow dhcpc_t domain transition to chronyc_t
- Allow login_userdomain bind xmsg port
- Allow ibacm the net_raw and sys_rawio capabilities
- Allow nsswitch_domain read cgroup files
- Allow systemd-sleep create hardware state information files

* Mon Mar 29 2021 Zdenek Pytela <zpytela@redhat.com> - 3.14.7-29
- Add watch_with_perm_dirs_pattern file pattern

* Fri Mar 26 2021 Zdenek Pytela <zpytela@redhat.com> - 3.14.7-28
- Allow arpwatch_t create netlink generic socket
- Allow postgrey read network state
- Add watch_mount_dirs_pattern file pattern
- Allow bluetooth_t dbus chat with fwupd_t
- Allow xdm_t watch accountsd lib directories
- Add additional interfaces for watching /boot
- Allow sssd_t get attributes of tmpfs filesystems
- Allow local_login_t get attributes of tmpfs filesystems

* Tue Mar 23 2021 Zdenek Pytela <zpytela@redhat.com> - 3.14.7-27
- Dontaudit domain the fowner capability
- Extend fs_manage_nfsd_fs() to allow managing dirs as well
- Allow spice-vdagentd watch systemd-logind session dirs

* Fri Mar 19 2021 Zdenek Pytela <zpytela@redhat.com> - 3.14.7-26
- Allow xdm_t watch systemd-logind session dirs
- Allow xdm_t transition to system_dbusd_t
- Allow confined users login into graphic session
- Allow login_userdomain watch systemd login session dirs
- install_t: Allow NoNewPriv transition from systemd
- Remove setuid/setgid capabilities from mysqld_t
- Add context for new mariadbd executable files
- Allow netutils_t create netlink generic socket
- Allow systemd the audit_control capability conditionally

* Thu Mar 11 2021 Zdenek Pytela <zpytela@redhat.com> - 3.14.7-25
- Allow polkit-agent-helper-1 read logind sessions files
- Allow polkit-agent-helper read init state
- Allow login_userdomain watch generic device dirs
- Allow login_userdomain listen on bluetooth sockets
- Allow user_t and staff_t bind netlink_generic_socket
- Allow login_userdomain write inaccessible nodes
- Allow transition from xdm domain to unconfined_t domain.
- Add 'make validate' step to CI
- Disallow user_t run su/sudo and staff_t run su
- Fix typo in rsyncd.conf in rsync.if
- Add an alias for nvme_device_t
- Allow systemd watch and watch_reads unallocated ttys

* Tue Mar 02 2021 Zdenek Pytela <zpytela@redhat.com> - 3.14.7-24
- Allow apmd watch generic device directories
- Allow kdump load a new kernel
- Add confidentiality lockdown permission to kernel_read_core_if()
- Allow keepalived read nsfs files
- Allow local_login_t get attributes of filesystems with ext attributes
- Allow keepalived read/write its private memfd: objects
- Add missing declaration in rpm_named_filetrans()
- Change param description in cron interfaces to userdomain_prefix

* Tue Feb 23 2021 Zdenek Pytela <zpytela@redhat.com> - 3.14.7-23
- iptables.fc: Add missing legacy entries
- iptables.fc: Remove some duplicate entries
- iptables.fc: Remove duplicate file context entries
- Allow libvirtd to create generic netlink sockets
- Allow libvirtd the fsetid capability
- Allow libvirtd to read /run/utmp
- Dontaudit sys_ptrace capability when calling systemctl
- Allow udisksd to read /dev/random
- Allow udisksd to watch files under /run/mount
- Allow udisksd to watch /etc
- Allow crond to watch user_cron_spool_t directories
- Allow accountsd watch xdm config directories
- Label /etc/avahi with avahi_conf_t
- Allow sssd get cgroup filesystems attributes and search cgroup dirs
- Allow systemd-hostnamed read udev runtime data
- Remove dev_getattr_sysfs_fs() interface calls for particular domains
- Allow domain stat the /sys filesystem
- Dontaudit NetworkManager write to initrc_tmp_t pipes
- policykit.te: Clean up watch rule for policykit_auth_t
- Revert further unnecessary watch rules
- Revert "Allow getty watch its private runtime files"
- Allow systemd watch generic /var directories
- Allow init watch network config files and lnk_files

* Fri Feb 19 2021 Zdenek Pytela <zpytela@redhat.com> - 3.14.7-22
- Allow systemd-sleep get attributes of fixed disk device nodes
- Complete initial policy for systemd-coredump
- Label SDC(scini) Dell Driver
- Allow upowerd to send syslog messages
- Remove the disk write permissions from tlp_t
- Label NVMe devices as fixed_disk_device_t
- Allow rhsmcertd bind tcp sockets to a generic node
- Allow systemd-importd manage machines.lock file
- Allow unconfined integrity lockdown permission
- Relocate confidentiality lockdown rule from unconfined_domain_type to unconfined
- Allow systemd-machined manage systemd-userdbd runtime sockets
- Enable systemd-sysctl domtrans for udev
- Introduce kernel_load_unsigned_module interface and use it for couple domains
- Allow gpg watch user gpg secrets dirs
- Build also the container module in CI
- Remove duplicate code from kernel.te
- Allow restorecond to watch all non-auth directories
- Allow restorecond to watch its config file

* Tue Feb 16 2021 Zdenek Pytela <zpytela@redhat.com> - 3.14.7-21
- Allow unconfined integrity lockdown permission
- Relocate confidentiality lockdown rule from unconfined_domain_type to unconfined
- Allow systemd-machined manage systemd-userdbd runtime sockets
- Enable systemd-sysctl domtrans for udev
- Introduce kernel_load_unsigned_module interface and use it for couple domains
- Allow gpg watch user gpg secrets dirs
- Build also the container module in CI
- Remove duplicate code from kernel.te
- Allow restorecond to watch all non-auth directories
- Allow restorecond to watch its config file

* Fri Feb 12 2021 Zdenek Pytela <zpytela@redhat.com> - 3.14.7-20
- Allow userdomain watch various filesystem objects
- Allow systemd-logind and systemd-sleep integrity lockdown permission
- Allow unconfined_t and kprop_t to create krb5_0.rcache2 with the right context
- Allow pulseaudio watch devices and systemd-logind session dirs
- Allow abrt-dump-journal-* watch generic log dirs and /run/log/journal dir
- Remove duplicate files_mounton_etc(init_t) call
- Add watch permissions to manage_* object permissions sets
- Allow journalctl watch generic log dirs and /run/log/journal dir
- Label /etc/resolv.conf as net_conf_t even when it's a symlink
- Allow SSSD to watch /var/run/NetworkManager
- Allow dnsmasq_t to watch /etc
- Remove unnecessary lines from the new watch interfaces
- Fix docstring for init_watch_dir()
- Allow xdm watch its private lib dirs, /etc, /usr

* Fri Feb 12 2021 Zdenek Pytela <zpytela@redhat.com> - 3.14.7-19
- Bump version as Fedora 34 has been branched off rawhide
- Allow xdm watch its private lib dirs, /etc, /usr
- Allow systemd-importd create /run/systemd/machines.lock file
- Allow rhsmcertd_t read kpatch lib files
- Add integrity lockdown permission into dev_read_raw_memory()
- Add confidentiality lockdown permission into fs_rw_tracefs_files()
- Allow gpsd read and write ptp4l_t shared memory.
- Allow colord watch its private lib files and /usr
- Allow init watch_reads mount PID files
- Allow IPsec and Certmonger to use opencryptoki services

* Sun Feb 07 2021 Zdenek Pytela <zpytela@redhat.com> - 3.14.7-18
- Allow lockdown confidentiality for domains using perf_event
- define lockdown class and access
- Add perfmon capability for all domains using perf_event
- Allow ptp4l_t bpf capability to run bpf programs
- Revert "Allow ptp4l_t sys_admin capability to run bpf programs"
- access_vectors: Add new capabilities to cap2
- Allow systemd and systemd-resolved watch dbus pid objects
- Add new watch interfaces in the base and userdomain policy
- Add watch permissions for contrib packages
- Allow xdm watch /usr directories
- Allow getty watch its private runtime files
- Add watch permissions for nscd and sssd
- Add watch permissions for firewalld and NetworkManager
- Add watch permissions for syslogd
- Add watch permissions for systemd services
- Allow restorecond watch /etc dirs
- Add watch permissions for user domain types
- Add watch permissions for init
- Add basic watch interfaces for systemd
- Add basic watch interfaces to the base module
- Add additional watch object permissions sets and patterns
- Allow init_t to watch localization symlinks
- Allow init_t to watch mount directories
- Allow init_t to watch cgroup files
- Add basic watch patterns
- Add new watch* permissions

* Fri Feb 05 2021 Zdenek Pytela <zpytela@redhat.com> - 3.14.7-17
- Update .copr/make-srpm.sh to use rawhide as DISTGIT_BRANCH
- Dontaudit setsched for rndc
- Allow systemd-logind destroy entries in message queue
- Add userdom_destroy_unpriv_user_msgq() interface
- ci: Install build dependencies from koji
- Dontaudit vhostmd to write in /var/lib/rpm/ dir and allow signull rpm
- Add new cmadmin port for bfdd daemon
- virtiofs supports Xattrs and SELinux
- Allow domain write to systemd-resolved PID socket files
- Label /var/run/pcsd-ruby.socket socket with cluster_var_run_t type
- Allow rhsmcertd_t domain transition to kpatch_t
- Revert "Add kpatch_exec() interface"
- Revert "Allow rhsmcertd execute kpatch"
- Allow openvswitch create and use xfrm netlink sockets
- Allow openvswitch_t perf_event write permission
- Add kpatch_exec() interface
- Allow rhsmcertd execute kpatch
- Adds rule to allow glusterd to access RDMA socket
- radius: Lexical sort of service-specific corenet rules by service name
- VQP: Include IANA-assigned TCP/1589
- radius: Allow binding to the VQP port (VMPS)
- radius: Allow binding to the BDF Control and Echo ports
- radius: Allow binding to the DHCP client port
- radius: Allow net_raw; allow binding to the DHCP server ports
- Add rsync_sys_admin tunable to allow rsync sys_admin capability
- Allow staff_u run pam_console_apply
- Allow openvswitch_t perf_event open permission
- Allow sysadm read and write /dev/rfkill
- Allow certmonger fsetid capability
- Allow domain read usermodehelper state information

* Wed Jan 27 2021 Fedora Release Engineering <releng@fedoraproject.org> - 3.14.7-16
- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild

* Fri Jan 22 2021 Petr Lautrbach <plautrba@redhat.com> - 3.14.7-15
- Update specfile to not verify md5/size/mtime for active store files
- Add /var/mnt equivalency to /mnt
- Rebuild with SELinux userspace 3.2-rc1 release

* Fri Jan 08 2021 Zdenek Pytela <zpytela@redhat.com> - 3.14.7-14
- Allow domain read usermodehelper state information
- Remove all kernel_read_usermodehelper_state() interface calls
- .copr: improve timestamp format
- Allow wireshark create and use rdma socket
- Allow domain stat /proc filesystem
- Remove all kernel_getattr_proc() interface calls
- Revert "Allow passwd to get attributes in proc_t"
- Revert "Allow dovecot_auth_t stat /proc filesystem"
- Revert "Allow sssd, unix_chkpwd, groupadd stat /proc filesystem"
- Allow sssd read /run/systemd directory
- Label /dev/vhost-vdpa-[0-9]+ as vhost_device_t

* Thu Dec 17 2020 Zdenek Pytela <zpytela@redhat.com> - 3.14.7-13
- Label /dev/isst_interface as cpu_device_t
- Dontaudit firewalld dac_override capability
- Allow ipsec set the context of a SPD entry to the default context
- Build binary RPMs in CI
- Add SRPM build scripts for COPR

* Tue Dec 15 2020 Zdenek Pytela <zpytela@redhat.com> - 3.14.7-12
- Allow dovecot_auth_t stat /proc filesystem
- Allow sysadm_u user and unconfined_domain_type manage perf_events
- Allow pcp-pmcd manage perf_events
- Add manage_perf_event_perms object permissions set
- Add perf_event access vectors.
- Allow sssd, unix_chkpwd, groupadd stat /proc filesystem
- Allow stub-resolv.conf to be a symlink
- sysnetwork.if: avoid directly referencing systemd_resolved_var_run_t
- Create the systemd_dbus_chat_resolved() compatibility interface
- Allow nsswitch-domain write to systemd-resolved PID socket files
- Add systemd_resolved_write_pid_sock_files() interface
- Add default file context for "/var/run/chrony-dhcp(/.*)?"
- Allow timedatex dbus chat with cron system domain
- Add cron_dbus_chat_system_job() interface
- Allow systemd-logind manage init's pid files

* Wed Dec 09 2020 Zdenek Pytela <zpytela@redhat.com> - 3.14.7-11
- Allow systemd-logind manage init's pid files
- Allow tcsd the setgid capability
- Allow systemd-resolved manage its private runtime symlinks
- Update systemd_resolved_read_pid() to also read symlinks
- Update systemd-sleep policy
- Add groupadd_t fowner capability
- Migrate to GitHub Actions
- Update README.md to reflect the state after contrib and base merge
- Add README.md announcing merging of selinux-policy and selinux-policy-contrib
- Adapt .travis.yml to contrib merge
- Merge contrib into the main repo
- Prepare to merge contrib repo
- Move stuff around to match the main repo

* Thu Nov 26 2020 Zdenek Pytela <zpytela@redhat.com> - 3.14.7-10
- Allow Xephyr connect to 6000/tcp port and open user ptys
- Allow kexec manage generic tmp files
- Update targetd nfs & lvm
- Add interface rpc_manage_exports
- Merge selinux-policy and selinux-policy-contrib repos

* Tue Nov 24 2020 Zdenek Pytela <zpytela@redhat.com> - 3.14.7-9
- Allow varnish map its private tmp files
- Allow dovecot bind to smtp ports
- Change fetchmail temporary files path to /var/spool/mail
- Allow cups_pdf_t domain to communicate with unix_dgram_socket
- Set file context for symlinks in /etc/httpd to etc_t
- Allow rpmdb rw access to inherited console, ttys, and ptys
- Allow dnsmasq read public files
- Announce merging of selinux-policy and selinux-policy-contrib
- Label /etc/resolv.conf as net_conf_t only if it is a plain file
- Fix range for unreserved ports
- Add files_search_non_security_dirs() interface
- Introduce logging_syslogd_append_public_content tunable
- Add miscfiles_append_public_files() interface

* Fri Nov 13 2020 Zdenek Pytela <zpytela@redhat.com> - 3.14.7-8
- Set correct default file context for /usr/libexec/pcp/lib/*
- Introduce rpmdb_t type
- Allow slapd manage files/dirs in ldap certificates directory
- Revert "Allow certmonger add new entries in a generic certificates directory"
- Allow certmonger add new entries in a generic certificates directory
- Allow slapd add new entries in ldap certificates directory
- Remove retired PCP pmwebd and pmmgr daemons (since 5.0)
- Let keepalived bind a raw socket
- Add default file context for /usr/libexec/pcp/lib/*
- squid: Allow net_raw capability when squid_use_tproxy is enabled
- systemd: allow networkd to check namespaces
- Add ability to read init_var_run_t where fs_read_efivarfs_files is allowed
- Allow resolved to created varlink sockets and the domain to talk to it
- selinux: tweak selinux_get_enforce_mode() to allow status page to be used
- systemd: allow all systemd services to check selinux status
- Set default file context for /var/lib/ipsec/nss
- Allow user domains transition to rpmdb_t
- Revert "Add miscfiles_add_entry_generic_cert_dirs() interface"
- Revert "Add miscfiles_create_generic_cert_dirs() interface"
- Update miscfiles_manage_all_certs() to
include managing directories - Add miscfiles_create_generic_cert_dirs() interface - Add miscfiles_add_entry_generic_cert_dirs() interface - Revert "Label /var/run/zincati/public/motd.d/* as motd_var_run_t" * Tue Nov 03 2020 Petr Lautrbach <plautrba@redhat.com> - 3.14.7-7 - Rebuild with latest libsepol - Bump policy version to 33 * Thu Oct 22 2020 Zdenek Pytela <zpytela@redhat.com> - 3.14.7-6 - rpc.fc: Include /etc/exports.d dir & files - Create chronyd_pid_filetrans() interface - Change invalid type redisd_t to redis_t in redis_stream_connect() - Revert "Removed adding to attribute unpriv_userdomain from userdom_unpriv_type template" - Allow init dbus chat with kernel - Allow initrc_t create /run/chronyd-dhcp directory with a transition - Drop gcc from dependencies in Travis CI - fc_sort.py: Use "==" for comparing integers. - re-implement fc_sort in python - Remove invalid file context line - Drop git from dependencies in Travis CI * Tue Oct 06 2020 Zdenek Pytela <zpytela@redhat.com> - 3.14.7-5 - Remove empty line from rshd.fc - Allow systemd-logind read swap files - Add fstools_read_swap_files() interface - Allow dyntransition from sshd_t to unconfined_t - Removed adding to attribute unpriv_userdomain from userdom_unpriv_type template * Fri Sep 25 2020 Zdenek Pytela <zpytela@redhat.com> - 3.14.7-4 - Allow chronyd_t to accept and make NTS-KE connections - Allow domain write to an automount unnamed pipe - Label /var/run/zincati/public/motd.d/* as motd_var_run_t - Allow login programs to (only) read MOTD files and symlinks - Relabel /usr/sbin/charon-systemd as ipsec_exec_t - Confine systemd-sleep service - Add fstools_rw_swap_files() interface - Label 4460/tcp port as ntske_port_t - Add lvm_dbus_send_msg(), lvm_rw_var_run() interfaces * Mon Sep 21 2020 Zdenek Pytela <zpytela@redhat.com> - 3.14.7-3 - Check out the right -contrib branch in Travis * Fri Sep 18 2020 Zdenek Pytela <zpytela@redhat.com> - 3.14.7-2 - Allow openvswitch fowner capability and create netlink 
sockets - Allow additional permissions for gnome-initial-setup - Add to map non_security_files to the userdom_admin_user_template template - kernel/filesystem: Add exfat support (no extended attributes) * Tue Sep 08 2020 Zdenek Pytela <zpytela@redhat.com> - 3.14.7-1 - Bump version as Fedora 33 has been branched - Allow php-fpm write access to /var/run/redis/redis.sock - Allow journalctl to read and write to inherited user domain tty - Update rkt policy to allow rkt_t domain to read sysfs filesystem - Allow arpwatch create and use rdma socket - Allow plymouth sys_chroot capability - Allow gnome-initial-setup execute in a xdm sandbox - Add new devices and filesystem interfaces * Mon Aug 24 2020 Zdenek Pytela <zpytela@redhat.com> - 3.14.6-25 - Allow certmonger fowner capability - The nfsdcld service is now confined by SELinux - Change transitions for ~/.config/Yubico - Allow all users to connect to systemd-userdbd with a unix socket - Add file context for ~/.config/Yubico - Allow syslogd_t domain to read/write tmpfs systemd-bootchart files - Allow login_pgm attribute to get attributes in proc_t - Allow passwd to get attributes in proc_t - Revert "Allow passwd to get attributes in proc_t" - Revert "Allow login_pgm attribute to get attributes in proc_t" - Allow login_pgm attribute to get attributes in proc_t - Allow passwd to get attributes in proc_t - Allow traceroute_t and ping_t to bind generic nodes. 
- Create macro corenet_icmp_bind_generic_node()
- Allow unconfined_t to node_bind icmp_sockets in node_t domain

* Thu Aug 13 2020 Zdenek Pytela <zpytela@redhat.com> - 3.14.6-24
- Add ipa_helper_noatsecure() interface unconditionally
- Conditionally allow nagios_plugin_domain dbus chat with init
- Revert "Update allow rules set for nrpe_t domain"
- Add ipa_helper_noatsecure() interface to ipa.if
- Label /usr/libexec/qemu-pr-helper with virtd_exec_t
- Allow kadmind manage kerberos host rcache
- Allow nsswitch_domain to connect to systemd-machined using a unix socket
- Define named file transition for sshd on /tmp/krb5_0.rcache2
- Allow systemd-machined create userdbd runtime sock files
- Disable kdbus module before updating

* Mon Aug 03 2020 Zdenek Pytela <zpytela@redhat.com> - 3.14.6-23
- Revert "Add support for /sys/fs/kdbus and allow login_pgm domain to access it."
- Revert "Add interface to allow types to associate with cgroup filesystems"
- Revert "kdbusfs should not be accessible for now."
- Revert "kdbusfs should not be accessible for now by default for shipped policies. It should be moved to kdbus.pp"
- Revert "Add kdbus.pp policy to allow access /sys/fs/kdbus. It needs to go with own module because this is workaround for now to avoid SELinux in enforcing mode."
- Remove the legacy kdbus module
- Remove "kdbus = module" from modules-targeted-base.conf

* Thu Jul 30 2020 Zdenek Pytela <zpytela@redhat.com> - 3.14.6-22
- Allow virtlockd only getattr and lock block devices
- Allow qemu-ga read all non security file types conditionally
- Allow virtlockd manage VMs posix file locks
- Allow smbd get attributes of device files labeled samba_share_t
- Label /tmp/krb5_0.rcache2 with krb5_host_rcache_t
- Add a new httpd_can_manage_courier_spool boolean
- Create interface courier_manage_spool_sockets() in courier policy to allow to search dir and allow manage sock files
- Revert "Allow qemu-kvm read and write /dev/mapper/control"
- Revert "Allow qemu read and write /dev/mapper/control"
- Revert "Dontaudit and disallow sys_admin capability for keepalived_t domain"
- Dontaudit pcscd_t setting its process scheduling
- Dontaudit thumb_t setting its process scheduling
- Allow munin domain transition with NoNewPrivileges
- Add dev_lock_all_blk_files() interface
- Allow auditd manage kerberos host rcache files
- Allow systemd-logind dbus chat with fwupd

* Wed Jul 29 2020 Fedora Release Engineering <releng@fedoraproject.org> - 3.14.6-21
- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild

* Mon Jul 13 2020 Lukas Vrabec <lvrabec@redhat.com> - 3.14.6-20
- Align gen_tunable() syntax with sepolgen

* Fri Jul 10 2020 Zdenek Pytela <zpytela@redhat.com> - 3.14.6-19
- Additional support for keepalived running in a namespace
- Remove systemd_dbus_chat_resolved(pcp_pmie_t)
- virt: remove the libvirt qmf rules
- Allow certmonger manage dirsrv services
- Run ipa_helper_noatsecure(oddjob_t) only if the interface exists
- Allow domain dbus chat with systemd-resolved
- Define file context for /var/run/netns directory only
- Revert "Add support for fuse.glusterfs"

* Tue Jul 07 2020 Zdenek Pytela <zpytela@redhat.com> - 3.14.6-18
- Allow oddjob_t process noatsecure permission for ipa_helper_t
- Allow keepalived manage its private type runtime directories
- Update irqbalance runtime directory file context
- Allow irqbalance file transition for pid sock_files and directories
- Allow systemd_private_tmp(dirsrv_tmp_t) instead of dirsrv_t
- Allow virtlogd_t manage virt lib files
- Allow systemd set efivarfs files attributes
- Support systemctl --user in machinectl
- Allow chkpwd_t read and write systemd-machined devpts character nodes
- Allow init_t write to inherited systemd-logind sessions pipes

* Fri Jun 26 2020 Zdenek Pytela <zpytela@redhat.com> - 3.14.6-17
- Allow pdns server to read system state
- Allow irqbalance nnp_transition
- Fix description tag for the sssd_connect_all_unreserved_ports tunable
- Allow journalctl process set its resource limits
- Add sssd_access_kernel_keys tunable to conditionally access kernel keys
- Make keepalived work with network namespaces
- Create sssd_connect_all_unreserved_ports boolean
- Allow hypervkvpd to request kernel to load a module
- Allow systemd_private_tmp(dirsrv_tmp_t)
- Allow microcode_ctl get attributes of sysfs directories
- Remove duplicate files_dontaudit_list_tmp(radiusd_t) line
- Allow radiusd connect to gssproxy over unix domain stream socket
- Add fwupd_cache_t file context for '/var/cache/fwupd(/.*)?'
- Allow qemu read and write /dev/mapper/control
- Allow tlp_t can_exec() tlp_exec_t
- Dontaudit vpnc_t setting its process scheduling
- Remove files_mmap_usr_files() call for particular domains
- Allow dirsrv_t list cgroup directories
- Create the kerberos_write_kadmind_tmp_files() interface
- Allow realmd_t dbus chat with accountsd_t
- Label systemd-growfs and systemd-makefs as fsadm_exec_t
- Allow staff_u and user_u setattr generic usb devices
- Allow sysadm_t dbus chat with accountsd
- Modify kernel_rw_key() not to include append permission
- Add kernel_rw_key() interface to access to kernel keyrings
- Modify systemd_delete_private_tmp() to use delete_*_pattern macros
- Allow systemd-modules to load kernel modules
- Add cachefiles_dev_t as a typealias to cachefiles_device_t
- Allow libkrb5 lib read client keytabs
- Allow domain mmap usr_t files
- Remove files_mmap_usr_files() call for systemd domains
- Allow sshd write to kadmind temporary files
- Do not audit staff_t and user_t attempts to manage boot_t entries
- Add files_dontaudit_manage_boot_dirs() interface
- Allow systemd-tty-ask-password-agent read efivarfs files

* Thu Jun 25 2020 Adam Williamson <awilliam@redhat.com> - 3.14.6-16
- Fix scriptlets when /etc/selinux/config does not exist