Thu, 17 Jun 2021 03:19:08 UTC

Information for build selinux-policy-34.1.8-1.el9

Package Name: selinux-policy
Summary: SELinux policy configuration
Description: SELinux core policy package. Originally based off of reference policy, the policy has been adjusted to provide support for Fedora.
Built by: zpytela
State: complete
Started: Thu, 10 Jun 2021 21:29:02 UTC
Completed: Thu, 10 Jun 2021 21:33:20 UTC
Task: build (c9s-candidate, /redhat/centos-stream/rpms/selinux-policy:042fffd52cd459f0430506b48bd221e5b5e77f8e)
Extra: {'source': {'original_url': 'git+'}}

RPMs:
selinux-policy-34.1.8-1.el9.src.rpm
selinux-policy-34.1.8-1.el9.noarch.rpm
selinux-policy-devel-34.1.8-1.el9.noarch.rpm
selinux-policy-doc-34.1.8-1.el9.noarch.rpm
selinux-policy-minimum-34.1.8-1.el9.noarch.rpm
selinux-policy-mls-34.1.8-1.el9.noarch.rpm
selinux-policy-sandbox-34.1.8-1.el9.noarch.rpm
selinux-policy-targeted-34.1.8-1.el9.noarch.rpm
Changelog

* Thu Jun 10 2021 Zdenek Pytela <> - 34.1.8-1
- Associate dma_device_dir_t with device filesystem
  Resolves: rhbz#1954116
- Add default file context specification for dnf log files
  Resolves: rhbz#1955223
- Allow using opencryptoki for certmonger
  Resolves: rhbz#1961756
- Label var.lib.opencryptoki.* files and create pkcs_tmpfs_filetrans()
  Resolves: rhbz#1961756
- Allow httpd_sys_script_t read, write, and map hugetlbfs files
  Resolves: rhbz#1964890
- Dontaudit daemon open and read init_t file
  Resolves: rhbz#1965412
- Allow sanlock get attributes of cgroup filesystems
  Resolves: rhbz#1965217

* Tue Jun 08 2021 Zdenek Pytela <> - 34.1.7-1
- Set default file context for /var/run/systemd instead of /run/systemd
  Resolves: rhbz#1966492

* Mon Jun 07 2021 Zdenek Pytela <> - 34.1.6-1
- Label /dev/dma_heap with dma_device_dir_t
  Resolves: rhbz#1954116
- Allow pkcs-slotd create and use netlink_kobject_uevent_socket
  Resolves: rhbz#1963252
- Label /run/systemd/default-hostname with hostname_etc_t
  Resolves: rhbz#1966492

* Thu May 27 2021 Zdenek Pytela <> - 34.1.5-1
- Label /dev/trng with random_device_t
  Resolves: rhbz#1962260
- Label /dev/zram[0-9]+ block device files with fixed_disk_device_t
  Resolves: rhbz#1954116
- Label /dev/udmabuf character device with dma_device_t
  Resolves: rhbz#1954116
- Label /dev/dma_heap/* char devices with dma_device_t
  Resolves: rhbz#1954116
- Label /dev/acpi_thermal_rel char device with acpi_device_t
  Resolves: rhbz#1954116
- Allow fcoemon create sysfs files
  Resolves: rhbz#1952292

* Wed May 12 2021 Zdenek Pytela <> - 34.1.4-1
- Allow sysadm_t dbus chat with tuned
  Resolves: rhbz#1953643
- Allow tuned write profile files with file transition
  Resolves: rhbz#1953643
- Allow tuned manage perf_events
  Resolves: rhbz#1953643
- Make domains use kernel_write_perf_event() and kernel_manage_perf_event()
  Resolves: rhbz#1953643
- Add kernel_write_perf_event() and kernel_manage_perf_event()
  Resolves: rhbz#1953643
- Allow syslogd_t watch root and var directories
  Resolves: rhbz#1957792
- Allow tgtd create and use rdma socket
  Resolves: rhbz#1955559
- Allow aide connect to init with a unix socket
  Resolves: rhbz#1926343

* Wed Apr 28 2021 Zdenek Pytela <> - 34.1.3-1
- Allow domain create anonymous inodes
  Resolves: rhbz#1954145
- Add anon_inode class to the policy
  Resolves: rhbz#1954145
- Allow pluto IKEv2 / ESP over TCP
  Resolves: rhbz#1951471
- Add brltty new permissions required by new upstream version
  Resolves: rhbz#1947842
- Label /var/lib/brltty with brltty_var_lib_t
  Resolves: rhbz#1947842
- Allow login_userdomain create cgroup files
  Resolves: rhbz#1951114
- Allow aide connect to systemd-userdbd with a unix socket
  Resolves: rhbz#1926343
- Allow cups-lpd read its private runtime socket files
  Resolves: rhbz#1947397
- Label /etc/redis as redis_conf_t
  Resolves: rhbz#1947874
- Add file context specification for /usr/libexec/realmd
  Resolves: rhbz#1946495

* Thu Apr 22 2021 Zdenek Pytela <> - 34.1.2-1
- Further update for RHEL 9.0 beta
- Add file context specification for /var/tmp/tmp-inst
  Resolves: rhbz#1924656

* Wed Apr 21 2021 Zdenek Pytela <> - 34.1.1-1
- Update selinux-policy.spec and for RHEL 9.0 beta
- Allow unconfined_service_t confidentiality and integrity lockdown
  Resolves: rhbz#1950267

* Fri Apr 16 2021 Mohan Boddu <> - 34-2
- Rebuilt for RHEL 9 BETA on Apr 15th 2021.
  Related: rhbz#1947937

* Thu Apr 01 2021 Zdenek Pytela <> - 34.1-1
- Change the package versioning

* Thu Apr 01 2021 Zdenek Pytela <> - 3.14.7-30
- Allow plymouthd_t exec generic program in bin directories
- Allow dhcpc_t domain transition to chronyc_t
- Allow login_userdomain bind xmsg port
- Allow ibacm the net_raw and sys_rawio capabilities
- Allow nsswitch_domain read cgroup files
- Allow systemd-sleep create hardware state information files

* Mon Mar 29 2021 Zdenek Pytela <> - 3.14.7-29
- Add watch_with_perm_dirs_pattern file pattern

* Fri Mar 26 2021 Zdenek Pytela <> - 3.14.7-28
- Allow arpwatch_t create netlink generic socket
- Allow postgrey read network state
- Add watch_mount_dirs_pattern file pattern
- Allow bluetooth_t dbus chat with fwupd_t
- Allow xdm_t watch accountsd lib directories
- Add additional interfaces for watching /boot
- Allow sssd_t get attributes of tmpfs filesystems
- Allow local_login_t get attributes of tmpfs filesystems

* Tue Mar 23 2021 Zdenek Pytela <> - 3.14.7-27
- Dontaudit domain the fowner capability
- Extend fs_manage_nfsd_fs() to allow managing dirs as well
- Allow spice-vdagentd watch systemd-logind session dirs

* Fri Mar 19 2021 Zdenek Pytela <> - 3.14.7-26
- Allow xdm_t watch systemd-logind session dirs
- Allow xdm_t transition to system_dbusd_t
- Allow confined users login into graphic session
- Allow login_userdomain watch systemd login session dirs
- install_t: Allow NoNewPriv transition from systemd
- Remove setuid/setgid capabilities from mysqld_t
- Add context for new mariadbd executable files
- Allow netutils_t create netlink generic socket
- Allow systemd the audit_control capability conditionally

* Thu Mar 11 2021 Zdenek Pytela <> - 3.14.7-25
- Allow polkit-agent-helper-1 read logind sessions files
- Allow polkit-agent-helper read init state
- Allow login_userdomain watch generic device dirs
- Allow login_userdomain listen on bluetooth sockets
- Allow user_t and staff_t bind netlink_generic_socket
- Allow login_userdomain write inaccessible nodes
- Allow transition from xdm domain to unconfined_t domain.
- Add 'make validate' step to CI
- Disallow user_t run su/sudo and staff_t run su
- Fix typo in rsyncd.conf in rsync.if
- Add an alias for nvme_device_t
- Allow systemd watch and watch_reads unallocated ttys

* Tue Mar 02 2021 Zdenek Pytela <> - 3.14.7-24
- Allow apmd watch generic device directories
- Allow kdump load a new kernel
- Add confidentiality lockdown permission to kernel_read_core_if()
- Allow keepalived read nsfs files
- Allow local_login_t get attributes of filesystems with ext attributes
- Allow keepalived read/write its private memfd: objects
- Add missing declaration in rpm_named_filetrans()
- Change param description in cron interfaces to userdomain_prefix

* Tue Feb 23 2021 Zdenek Pytela <> - 3.14.7-23
- iptables.fc: Add missing legacy entries
- iptables.fc: Remove some duplicate entries
- iptables.fc: Remove duplicate file context entries
- Allow libvirtd to create generic netlink sockets
- Allow libvirtd the fsetid capability
- Allow libvirtd to read /run/utmp
- Dontaudit sys_ptrace capability when calling systemctl
- Allow udisksd to read /dev/random
- Allow udisksd to watch files under /run/mount
- Allow udisksd to watch /etc
- Allow crond to watch user_cron_spool_t directories
- Allow accountsd watch xdm config directories
- Label /etc/avahi with avahi_conf_t
- Allow sssd get cgroup filesystems attributes and search cgroup dirs
- Allow systemd-hostnamed read udev runtime data
- Remove dev_getattr_sysfs_fs() interface calls for particular domains
- Allow domain stat the /sys filesystem
- Dontaudit NetworkManager write to initrc_tmp_t pipes
- policykit.te: Clean up watch rule for policykit_auth_t
- Revert further unnecessary watch rules
- Revert "Allow getty watch its private runtime files"
- Allow systemd watch generic /var directories
- Allow init watch network config files and lnk_files

* Fri Feb 19 2021 Zdenek Pytela <> - 3.14.7-22
- Allow systemd-sleep get attributes of fixed disk device nodes
- Complete initial policy for systemd-coredump
- Label SDC(scini) Dell Driver
- Allow upowerd to send syslog messages
- Remove the disk write permissions from tlp_t
- Label NVMe devices as fixed_disk_device_t
- Allow rhsmcertd bind tcp sockets to a generic node
- Allow systemd-importd manage machines.lock file
- Allow unconfined integrity lockdown permission
- Relocate confidentiality lockdown rule from unconfined_domain_type to unconfined
- Allow systemd-machined manage systemd-userdbd runtime sockets
- Enable systemd-sysctl domtrans for udev
- Introduce kernel_load_unsigned_module interface and use it for couple domains
- Allow gpg watch user gpg secrets dirs
- Build also the container module in CI
- Remove duplicate code from kernel.te
- Allow restorecond to watch all non-auth directories
- Allow restorecond to watch its config file

* Tue Feb 16 2021 Zdenek Pytela <> - 3.14.7-21
- Allow unconfined integrity lockdown permission
- Relocate confidentiality lockdown rule from unconfined_domain_type to unconfined
- Allow systemd-machined manage systemd-userdbd runtime sockets
- Enable systemd-sysctl domtrans for udev
- Introduce kernel_load_unsigned_module interface and use it for couple domains
- Allow gpg watch user gpg secrets dirs
- Build also the container module in CI
- Remove duplicate code from kernel.te
- Allow restorecond to watch all non-auth directories
- Allow restorecond to watch its config file

* Fri Feb 12 2021 Zdenek Pytela <> - 3.14.7-20
- Allow userdomain watch various filesystem objects
- Allow systemd-logind and systemd-sleep integrity lockdown permission
- Allow unconfined_t and kprop_t to create krb5_0.rcache2 with the right context
- Allow pulseaudio watch devices and systemd-logind session dirs
- Allow abrt-dump-journal-* watch generic log dirs and /run/log/journal dir
- Remove duplicate files_mounton_etc(init_t) call
- Add watch permissions to manage_* object permissions sets
- Allow journalctl watch generic log dirs and /run/log/journal dir
- Label /etc/resolv.conf as net_conf_t even when it's a symlink
- Allow SSSD to watch /var/run/NetworkManager
- Allow dnsmasq_t to watch /etc
- Remove unnecessary lines from the new watch interfaces
- Fix docstring for init_watch_dir()
- Allow xdm watch its private lib dirs, /etc, /usr

* Fri Feb 12 2021 Zdenek Pytela <> - 3.14.7-19
- Bump version as Fedora 34 has been branched off rawhide
- Allow xdm watch its private lib dirs, /etc, /usr
- Allow systemd-importd create /run/systemd/machines.lock file
- Allow rhsmcertd_t read kpatch lib files
- Add integrity lockdown permission into dev_read_raw_memory()
- Add confidentiality lockdown permission into fs_rw_tracefs_files()
- Allow gpsd read and write ptp4l_t shared memory.
- Allow colord watch its private lib files and /usr
- Allow init watch_reads mount PID files
- Allow IPsec and Certmonger to use opencryptoki services

* Sun Feb 07 2021 Zdenek Pytela <> - 3.14.7-18
- Allow lockdown confidentiality for domains using perf_event
- define lockdown class and access
- Add perfmon capability for all domains using perf_event
- Allow ptp4l_t bpf capability to run bpf programs
- Revert "Allow ptp4l_t sys_admin capability to run bpf programs"
- access_vectors: Add new capabilities to cap2
- Allow systemd and systemd-resolved watch dbus pid objects
- Add new watch interfaces in the base and userdomain policy
- Add watch permissions for contrib packages
- Allow xdm watch /usr directories
- Allow getty watch its private runtime files
- Add watch permissions for nscd and sssd
- Add watch permissions for firewalld and NetworkManager
- Add watch permissions for syslogd
- Add watch permissions for systemd services
- Allow restorecond watch /etc dirs
- Add watch permissions for user domain types
- Add watch permissions for init
- Add basic watch interfaces for systemd
- Add basic watch interfaces to the base module
- Add additional watch object permissions sets and patterns
- Allow init_t to watch localization symlinks
- Allow init_t to watch mount directories
- Allow init_t to watch cgroup files
- Add basic watch patterns
- Add new watch* permissions

* Fri Feb 05 2021 Zdenek Pytela <> - 3.14.7-17
- Update .copr/ to use rawhide as DISTGIT_BRANCH
- Dontaudit setsched for rndc
- Allow systemd-logind destroy entries in message queue
- Add userdom_destroy_unpriv_user_msgq() interface
- ci: Install build dependencies from koji
- Dontaudit vhostmd to write in /var/lib/rpm/ dir and allow signull rpm
- Add new cmadmin port for bfdd daemon
- virtiofs supports Xattrs and SELinux
- Allow domain write to systemd-resolved PID socket files
- Label /var/run/pcsd-ruby.socket socket with cluster_var_run_t type
- Allow rhsmcertd_t domain transition to kpatch_t
- Revert "Add kpatch_exec() interface"
- Revert "Allow rhsmcertd execute kpatch"
- Allow openvswitch create and use xfrm netlink sockets
- Allow openvswitch_t perf_event write permission
- Add kpatch_exec() interface
- Allow rhsmcertd execute kpatch
- Adds rule to allow glusterd to access RDMA socket
- radius: Lexical sort of service-specific corenet rules by service name
- VQP: Include IANA-assigned TCP/1589
- radius: Allow binding to the VQP port (VMPS)
- radius: Allow binding to the BDF Control and Echo ports
- radius: Allow binding to the DHCP client port
- radius: Allow net_raw; allow binding to the DHCP server ports
- Add rsync_sys_admin tunable to allow rsync sys_admin capability
- Allow staff_u run pam_console_apply
- Allow openvswitch_t perf_event open permission
- Allow sysadm read and write /dev/rfkill
- Allow certmonger fsetid capability
- Allow domain read usermodehelper state information

* Wed Jan 27 2021 Fedora Release Engineering <> - 3.14.7-16
- Rebuilt for

* Fri Jan 22 2021 Petr Lautrbach <> - 3.14.7-15
- Update specfile to not verify md5/size/mtime for active store files
- Add /var/mnt equivalency to /mnt
- Rebuild with SELinux userspace 3.2-rc1 release

* Fri Jan 08 2021 Zdenek Pytela <> - 3.14.7-14
- Allow domain read usermodehelper state information
- Remove all kernel_read_usermodehelper_state() interface calls
- .copr: improve timestamp format
- Allow wireshark create and use rdma socket
- Allow domain stat /proc filesystem
- Remove all kernel_getattr_proc() interface calls
- Revert "Allow passwd to get attributes in proc_t"
- Revert "Allow dovecot_auth_t stat /proc filesystem"
- Revert "Allow sssd, unix_chkpwd, groupadd stat /proc filesystem"
- Allow sssd read /run/systemd directory
- Label /dev/vhost-vdpa-[0-9]+ as vhost_device_t

* Thu Dec 17 2020 Zdenek Pytela <> - 3.14.7-13
- Label /dev/isst_interface as cpu_device_t
- Dontaudit firewalld dac_override capability
- Allow ipsec set the context of a SPD entry to the default context
- Build binary RPMs in CI
- Add SRPM build scripts for COPR

* Tue Dec 15 2020 Zdenek Pytela <> - 3.14.7-12
- Allow dovecot_auth_t stat /proc filesystem
- Allow sysadm_u user and unconfined_domain_type manage perf_events
- Allow pcp-pmcd manage perf_events
- Add manage_perf_event_perms object permissions set
- Add perf_event access vectors.
- Allow sssd, unix_chkpwd, groupadd stat /proc filesystem
- Allow stub-resolv.conf to be a symlink
- sysnetwork.if: avoid directly referencing systemd_resolved_var_run_t
- Create the systemd_dbus_chat_resolved() compatibility interface
- Allow nsswitch-domain write to systemd-resolved PID socket files
- Add systemd_resolved_write_pid_sock_files() interface
- Add default file context for "/var/run/chrony-dhcp(/.*)?"
- Allow timedatex dbus chat with cron system domain
- Add cron_dbus_chat_system_job() interface
- Allow systemd-logind manage init's pid files

* Wed Dec 09 2020 Zdenek Pytela <> - 3.14.7-11
- Allow systemd-logind manage init's pid files
- Allow tcsd the setgid capability
- Allow systemd-resolved manage its private runtime symlinks
- Update systemd_resolved_read_pid() to also read symlinks
- Update systemd-sleep policy
- Add groupadd_t fowner capability
- Migrate to GitHub Actions
- Update to reflect the state after contrib and base merge
- Add announcing merging of selinux-policy and selinux-policy-contrib
- Adapt .travis.yml to contrib merge
- Merge contrib into the main repo
- Prepare to merge contrib repo
- Move stuff around to match the main repo

* Thu Nov 26 2020 Zdenek Pytela <> - 3.14.7-10
- Allow Xephyr connect to 6000/tcp port and open user ptys
- Allow kexec manage generic tmp files
- Update targetd nfs & lvm
- Add interface rpc_manage_exports
- Merge selinux-policy and selinux-policy-contrib repos

* Tue Nov 24 2020 Zdenek Pytela <> - 3.14.7-9
- Allow varnish map its private tmp files
- Allow dovecot bind to smtp ports
- Change fetchmail temporary files path to /var/spool/mail
- Allow cups_pdf_t domain to communicate with unix_dgram_socket
- Set file context for symlinks in /etc/httpd to etc_t
- Allow rpmdb rw access to inherited console, ttys, and ptys
- Allow dnsmasq read public files
- Announce merging of selinux-policy and selinux-policy-contrib
- Label /etc/resolv.conf as net_conf_t only if it is a plain file
- Fix range for unreserved ports
- Add files_search_non_security_dirs() interface
- Introduce logging_syslogd_append_public_content tunable
- Add miscfiles_append_public_files() interface

* Fri Nov 13 2020 Zdenek Pytela <> - 3.14.7-8
- Set correct default file context for /usr/libexec/pcp/lib/*
- Introduce rpmdb_t type
- Allow slapd manage files/dirs in ldap certificates directory
- Revert "Allow certmonger add new entries in a generic certificates directory"
- Allow certmonger add new entries in a generic certificates directory
- Allow slapd add new entries in ldap certificates directory
- Remove retired PCP pmwebd and pmmgr daemons (since 5.0)
- Let keepalived bind a raw socket
- Add default file context for /usr/libexec/pcp/lib/*
- squid: Allow net_raw capability when squid_use_tproxy is enabled
- systemd: allow networkd to check namespaces
- Add ability to read init_var_run_t where fs_read_efivarfs_files is allowed
- Allow resolved to created varlink sockets and the domain to talk to it
- selinux: tweak selinux_get_enforce_mode() to allow status page to be used
- systemd: allow all systemd services to check selinux status
- Set default file context for /var/lib/ipsec/nss
- Allow user domains transition to rpmdb_t
- Revert "Add miscfiles_add_entry_generic_cert_dirs() interface"
- Revert "Add miscfiles_create_generic_cert_dirs() interface"
- Update miscfiles_manage_all_certs() to include managing directories
- Add miscfiles_create_generic_cert_dirs() interface
- Add miscfiles_add_entry_generic_cert_dirs() interface
- Revert "Label /var/run/zincati/public/motd.d/* as motd_var_run_t"

* Tue Nov 03 2020 Petr Lautrbach <> - 3.14.7-7
- Rebuild with latest libsepol
- Bump policy version to 33

* Thu Oct 22 2020 Zdenek Pytela <> - 3.14.7-6
- rpc.fc: Include /etc/exports.d dir & files
- Create chronyd_pid_filetrans() interface
- Change invalid type redisd_t to redis_t in redis_stream_connect()
- Revert "Removed adding to attribute unpriv_userdomain from userdom_unpriv_type template"
- Allow init dbus chat with kernel
- Allow initrc_t create /run/chronyd-dhcp directory with a transition
- Drop gcc from dependencies in Travis CI
- Use "==" for comparing integers.
- re-implement fc_sort in python
- Remove invalid file context line
- Drop git from dependencies in Travis CI

* Tue Oct 06 2020 Zdenek Pytela <> - 3.14.7-5
- Remove empty line from rshd.fc
- Allow systemd-logind read swap files
- Add fstools_read_swap_files() interface
- Allow dyntransition from sshd_t to unconfined_t
- Removed adding to attribute unpriv_userdomain from userdom_unpriv_type template

* Fri Sep 25 2020 Zdenek Pytela <> - 3.14.7-4
- Allow chronyd_t to accept and make NTS-KE connections
- Allow domain write to an automount unnamed pipe
- Label /var/run/zincati/public/motd.d/* as motd_var_run_t
- Allow login programs to (only) read MOTD files and symlinks
- Relabel /usr/sbin/charon-systemd as ipsec_exec_t
- Confine systemd-sleep service
- Add fstools_rw_swap_files() interface
- Label 4460/tcp port as ntske_port_t
- Add lvm_dbus_send_msg(), lvm_rw_var_run() interfaces

* Mon Sep 21 2020 Zdenek Pytela <> - 3.14.7-3
- Check out the right -contrib branch in Travis

* Fri Sep 18 2020 Zdenek Pytela <> - 3.14.7-2
- Allow openvswitch fowner capability and create netlink sockets
- Allow additional permissions for gnome-initial-setup
- Add to map non_security_files to the userdom_admin_user_template template
- kernel/filesystem: Add exfat support (no extended attributes)

* Tue Sep 08 2020 Zdenek Pytela <> - 3.14.7-1
- Bump version as Fedora 33 has been branched
- Allow php-fpm write access to /var/run/redis/redis.sock
- Allow journalctl to read and write to inherited user domain tty
- Update rkt policy to allow rkt_t domain to read sysfs filesystem
- Allow arpwatch create and use rdma socket
- Allow plymouth sys_chroot capability
- Allow gnome-initial-setup execute in a xdm sandbox
- Add new devices and filesystem interfaces

* Mon Aug 24 2020 Zdenek Pytela <> - 3.14.6-25
- Allow certmonger fowner capability
- The nfsdcld service is now confined by SELinux
- Change transitions for ~/.config/Yubico
- Allow all users to connect to systemd-userdbd with a unix socket
- Add file context for ~/.config/Yubico
- Allow syslogd_t domain to read/write tmpfs systemd-bootchart files
- Allow login_pgm attribute to get attributes in proc_t
- Allow passwd to get attributes in proc_t
- Revert "Allow passwd to get attributes in proc_t"
- Revert "Allow login_pgm attribute to get attributes in proc_t"
- Allow login_pgm attribute to get attributes in proc_t
- Allow passwd to get attributes in proc_t
- Allow traceroute_t and ping_t to bind generic nodes.
- Create macro corenet_icmp_bind_generic_node()
- Allow unconfined_t to node_bind icmp_sockets in node_t domain

* Thu Aug 13 2020 Zdenek Pytela <> - 3.14.6-24
- Add ipa_helper_noatsecure() interface unconditionally
- Conditionally allow nagios_plugin_domain dbus chat with init
- Revert "Update allow rules set for nrpe_t domain"
- Add ipa_helper_noatsecure() interface to ipa.if
- Label /usr/libexec/qemu-pr-helper with virtd_exec_t
- Allow kadmind manage kerberos host rcache
- Allow nsswitch_domain to connect to systemd-machined using a unix socket
- Define named file transition for sshd on /tmp/krb5_0.rcache2
- Allow systemd-machined create userdbd runtime sock files
- Disable kdbus module before updating

* Mon Aug 03 2020 Zdenek Pytela <> - 3.14.6-23
- Revert "Add support for /sys/fs/kdbus and allow login_pgm domain to access it."
- Revert "Add interface to allow types to associate with cgroup filesystems"
- Revert "kdbusfs should not be accessible for now."
- Revert "kdbusfs should not be accessible for now by default for shipped policies. It should be moved to kdbus.pp"
- Revert "Add kdbus.pp policy to allow access /sys/fs/kdbus. It needs to go with own module because this is workaround for now to avoid SELinux in enforcing mode."
- Remove the legacy kdbus module
- Remove "kdbus = module" from modules-targeted-base.conf

* Thu Jul 30 2020 Zdenek Pytela <> - 3.14.6-22
- Allow virtlockd only getattr and lock block devices
- Allow qemu-ga read all non security file types conditionally
- Allow virtlockd manage VMs posix file locks
- Allow smbd get attributes of device files labeled samba_share_t
- Label /tmp/krb5_0.rcache2 with krb5_host_rcache_t
- Add a new httpd_can_manage_courier_spool boolean
- Create interface courier_manage_spool_sockets() in courier policy to allow to search dir and allow manage sock files
- Revert "Allow qemu-kvm read and write /dev/mapper/control"
- Revert "Allow qemu read and write /dev/mapper/control"
- Revert "Dontaudit and disallow sys_admin capability for keepalived_t domain"
- Dontaudit pcscd_t setting its process scheduling
- Dontaudit thumb_t setting its process scheduling
- Allow munin domain transition with NoNewPrivileges
- Add dev_lock_all_blk_files() interface
- Allow auditd manage kerberos host rcache files
- Allow systemd-logind dbus chat with fwupd

* Wed Jul 29 2020 Fedora Release Engineering <> - 3.14.6-21
- Rebuilt for

* Mon Jul 13 2020 Lukas Vrabec <> - 3.14.6-20
- Align gen_tunable() syntax with sepolgen

* Fri Jul 10 2020 Zdenek Pytela <> - 3.14.6-19
- Additional support for keepalived running in a namespace
- Remove systemd_dbus_chat_resolved(pcp_pmie_t)
- virt: remove the libvirt qmf rules
- Allow certmonger manage dirsrv services
- Run ipa_helper_noatsecure(oddjob_t) only if the interface exists
- Allow domain dbus chat with systemd-resolved
- Define file context for /var/run/netns directory only
- Revert "Add support for fuse.glusterfs"

* Tue Jul 07 2020 Zdenek Pytela <> - 3.14.6-18
- Allow oddjob_t process noatsecure permission for ipa_helper_t
- Allow keepalived manage its private type runtime directories
- Update irqbalance runtime directory file context
- Allow irqbalance file transition for pid sock_files and directories
- Allow systemd_private_tmp(dirsrv_tmp_t) instead of dirsrv_t
- Allow virtlogd_t manage virt lib files
- Allow systemd set efivarfs files attributes
- Support systemctl --user in machinectl
- Allow chkpwd_t read and write systemd-machined devpts character nodes
- Allow init_t write to inherited systemd-logind sessions pipes

* Fri Jun 26 2020 Zdenek Pytela <> - 3.14.6-17
- Allow pdns server to read system state
- Allow irqbalance nnp_transition
- Fix description tag for the sssd_connect_all_unreserved_ports tunable
- Allow journalctl process set its resource limits
- Add sssd_access_kernel_keys tunable to conditionally access kernel keys
- Make keepalived work with network namespaces
- Create sssd_connect_all_unreserved_ports boolean
- Allow hypervkvpd to request kernel to load a module
- Allow systemd_private_tmp(dirsrv_tmp_t)
- Allow microcode_ctl get attributes of sysfs directories
- Remove duplicate files_dontaudit_list_tmp(radiusd_t) line
- Allow radiusd connect to gssproxy over unix domain stream socket
- Add fwupd_cache_t file context for '/var/cache/fwupd(/.*)?'
- Allow qemu read and write /dev/mapper/control
- Allow tlp_t can_exec() tlp_exec_t
- Dontaudit vpnc_t setting its process scheduling
- Remove files_mmap_usr_files() call for particular domains
- Allow dirsrv_t list cgroup directories
- Create the kerberos_write_kadmind_tmp_files() interface
- Allow realmd_t dbus chat with accountsd_t
- Label systemd-growfs and systemd-makefs as fsadm_exec_t
- Allow staff_u and user_u setattr generic usb devices
- Allow sysadm_t dbus chat with accountsd
- Modify kernel_rw_key() not to include append permission
- Add kernel_rw_key() interface to access to kernel keyrings
- Modify systemd_delete_private_tmp() to use delete_*_pattern macros
- Allow systemd-modules to load kernel modules
- Add cachefiles_dev_t as a typealias to cachefiles_device_t
- Allow libkrb5 lib read client keytabs
- Allow domain mmap usr_t files
- Remove files_mmap_usr_files() call for systemd domains
- Allow sshd write to kadmind temporary files
- Do not audit staff_t and user_t attempts to manage boot_t entries
- Add files_dontaudit_manage_boot_dirs() interface
- Allow systemd-tty-ask-password-agent read efivarfs files

* Thu Jun 25 2020 Adam Williamson <> - 3.14.6-16
- Fix scriptlets when /etc/selinux/config does not exist

* Thu Jun 04 2020 Zdenek Pytela <> - 3.14.6-15
- Add fetchmail_uidl_cache_t type for /var/mail/
- Support multiple ways of tlp invocation
- Allow qemu-kvm read and write /dev/mapper/control
- Introduce logrotate_use_cifs boolean
- Allow ptp4l_t sys_admin capability to run bpf programs
- Allow to getattr files on an nsfs filesystem
- httpd: Allow NoNewPriv transition from systemd
- Allow rhsmd read process state of all domains and kernel threads
- Allow rhsmd mmap /etc/passwd
- Allow systemd-logind manage efivarfs files
- Allow initrc_t tlp_filetrans_named_content()
- Allow systemd_resolved_t to read efivarfs
- Allow systemd_modules_load_t to read efivarfs
- Introduce systemd_read_efivarfs_type attribute
- Allow named transition for /run/tlp from a user shell
- Allow ipsec_mgmt_t mmap ipsec_conf_file_t files
- Add file context for /sys/kernel/tracing

* Tue May 19 2020 Zdenek Pytela <> - 3.14.6-14
- Allow chronyc_t domain to use nsswitch
- Allow nscd_socket_use() for domains in nscd_use() unconditionally
- Add allow rules for lttng-sessiond domain
- Label dirsrv systemd unit files and add dirsrv_systemctl()
- Allow gluster geo-replication in rsync mode
- Allow nagios_plugin_domain execute programs in bin directories
- Allow sys_admin capability for domain labeled systemd_bootchart_t
- Split the arping path regexp to 2 lines to prevent from relabeling
- Allow tcpdump sniffing offloaded (RDMA) traffic
- Revert "Change arping path regexp to work around fixfiles incorrect handling"
- Change arping path regexp to work around fixfiles incorrect handling
- Allow read efivarfs_t files by domains executing systemctl file

* Wed Apr 29 2020 Zdenek Pytela <> - 3.14.6-13
- Update networkmanager_read_pid_files() to allow also list_dir_perms
- Update policy for NetworkManager_ssh_t
- Allow glusterd synchronize between master and slave
- Allow spamc_t domain to read network state
- Allow strongswan use tun/tap devices and keys
- Allow systemd_userdbd_t domain logging to journal

* Tue Apr 14 2020 Zdenek Pytela <> - 3.14.6-12
- Allow rngd create netlink_kobject_uevent_socket and read udev runtime files
- Allow ssh-keygen create file in /var/lib/glusterd
- Update ctdbd_manage_lib_files() to also allow mmap ctdbd_var_lib_t files
- Merge ipa and ipa_custodia modules
- Allow NetworkManager_ssh_t to execute_no_trans for binary ssh_exec_t
- Introduce daemons_dontaudit_scheduling boolean
- Modify path for arping in netutils.fc to match both bin and sbin
- Change file context for /var/run/pam_ssh to match file transition
- Add file context entry and file transition for /var/run/pam_timestamp

* Tue Mar 31 2020 Zdenek Pytela <> - 3.14.6-11
- Allow NetworkManager manage dhcpd unit files
- Update ninfod policy to add nnp transition from systemd to ninfod
- Remove container interface calling by named_filetrans_domain.

* Wed Mar 25 2020 Zdenek Pytela <> - 3.14.6-10
- Allow openfortivpn exec shell
- Remove label session_dbusd_tmp_t for /run/user/USERID/systemd
- Add ibacm_t ipc_lock capability
- Allow ipsec_t connectto ipsec_mgmt_t
- Remove ipa_custodia
- Allow systemd-journald to read user_tmp_t symlinks

* Wed Mar 18 2020 Zdenek Pytela <> - 3.14.6-9
- Allow zabbix_t manage and filetrans temporary socket files
- Makefile: fix tmp/%.mod.fc target

* Fri Mar 13 2020 Zdenek Pytela <> - 3.14.6-8
- Allow NetworkManager read its unit files and manage services
- Add init_daemon_domain() for geoclue_t
- Allow to use nnp_transition in pulseaudio_role
- Allow pdns_t domain to map files in /usr.
- Label all NetworkManager fortisslvpn plugins as openfortivpn_exec_t
- Allow login_pgm create and bind on netlink_selinux_socket

* Mon Mar 09 2020 Zdenek Pytela <> - 3.14.6-7
- Allow sssd read systemd-resolved runtime directory
- Allow sssd read NetworkManager's runtime directory
- Mark nm-cloud-setup systemd units as NetworkManager_unit_file_t
- Allow system_mail_t to signull pcscd_t
- Create interface pcscd_signull
- Allow auditd poweroff or switch to single mode

* Fri Feb 28 2020 Lukas Vrabec <> - 3.14.6-6
- Allow postfix stream connect to cyrus through runtime socket
- Dontaudit daemons to set and get scheduling policy/parameters

* Sat Feb 22 2020 Lukas Vrabec <> - 3.14.6-5
- Allow certmonger_t domain to read pkcs_slotd lock files
- Allow httpd_t domain to mmap own var_lib_t files BZ(1804853)
- Allow ipda_custodia_t to create udp_socket and added permission nlmsg_read for netlink_route_sockets
- Make file context more variable for /usr/bin/fusermount and /bin/fusermount
- Allow local_login_t domain to getattr cgroup filesystem
- Allow systemd_logind_t domain to manage user_tmp_t char and block devices

* Tue Feb 18 2020 Lukas Vrabec <> - 3.14.6-4
- Update virt_read_qemu_pid_files interface
- Allow systemd_logind_t domain to getattr cgroup filesystem
- Allow systemd_logind_t domain to manage user_tmp_t char and block devices
- Allow nsswitch_domain attribute to stream connect to systemd process

* Sun Feb 16 2020 Lukas Vrabec <> - 3.14.6-3
- Allow systemd labeled as init_t to manage systemd_userdbd_runtime_t symlinks
- Allow systemd_userdbd_t domain to read efivarfs files

* Sat Feb 15 2020 Lukas Vrabec <> - 3.14.6-2
- Allow vhostmd communication with hosted virtual machines
- Add and update virt interfaces
- Update radiusd policy
- Allow systemd_private_tmp(named_tmp_t)
- Allow bacula dac_override capability
- Allow systemd_networkd_t to read efivarfs
- Add support for systemd-userdbd
- Allow systemd system services read efivarfs files

* Sat Feb 15 2020 Lukas Vrabec <> - 3.14.6-1
- Bump version to 3.14.6 because fedora 32 was branched

* Fri Feb 07 2020 Zdenek Pytela <> - 3.14.5-24
- Allow ptp4l_t create and use packet_socket sockets
- Allow ipa_custodia_t create and use netlink_route_socket sockets.
- Allow networkmanager_t transition to setfiles_t
- Create init_create_dirs boolean to allow init create directories

* Fri Jan 31 2020 Zdenek Pytela <> - 3.14.5-23
- Allow thumb_t connect to system_dbusd_t BZ(1795044)
- Allow saslauthd_t filetrans variable files for /tmp directory
- Added apache create log dirs macro
- Tiny documentation fix
- Allow openfortivpn_t to manage net_conf_t files.
- Introduce boolean openfortivpn_can_network_connect.
- Dontaudit domain chronyd_t to list in user home dirs.
- Allow init_t to create apache log dirs.
- Add file transition for /dev/nvidia-uvm BZ(1770588)
- Allow syslog_t to read efivarfs_t files
- Add ioctl to term_dontaudit_use_ptmx macro
- Update xserver_rw_session macro

* Thu Jan 30 2020 Fedora Release Engineering <> - 3.14.5-22
- Rebuilt for

* Fri Jan 24 2020 Zdenek Pytela <> - 3.14.5-21
- Dontaudit timedatex_t read file_contexts_t and validate security contexts
- Make stratisd_t domain unconfined for now.
- stratisd_t policy updates.
- Label /var/spool/plymouth/boot.log as plymouthd_var_log_t
- Label /stratis as stratisd_data_t
- Allow opafm_t to create and use netlink rdma sockets.
- Allow stratisd_t domain to read/write fixed disk devices and removable devices.
- Added macro for stratisd to chat over dbus
- Add dac_override capability to stratisd_t domain
- Allow init_t set the nice level of all domains BZ(1778088)
- Allow userdomain to chat with stratisd over dbus.

* Mon Jan 13 2020 Lukas Vrabec <> - 3.14.5-20
- Fix typo in anaconda SELinux module
- Allow rtkit_t domain to control scheduling for your install_t processes
- Boolean: rngd_t to use executable memory
- Allow rngd_t domain to use nsswitch BZ(1787661)
- Allow exim to execute bin_t without domain trans
- Allow create udp sockets for abrt_upload_watch_t domains
- Drop label zebra_t for frr binaries
- Allow NetworkManager_t domain to get status of samba services
- Update milter policy to allow use sendmail
- Modify file context for .local directory to match exactly BZ(1637401)
- Allow init_t domain to create own socket files in /tmp
- Allow ipsec_mgmt_t domain to mmap ipsec_conf_file_t files
- Create files_create_non_security_dirs() interface

* Fri Dec 20 2019 Zdenek Pytela <> - 3.14.5-19
- Allow init_t nnp domain transition to kmod_t
- Allow userdomain dbus chat with systemd_resolved_t
- Allow init_t read and setattr on /var/lib/fprintd
- Allow sysadm_t dbus chat with colord_t
- Allow confined users run fwupdmgr
- Allow confined users run machinectl
- Allow systemd labeled as init_t domain to create dirs labeled as var_t
- Allow systemd labeled as init_t do read/write tpm_device_t chr files BZ(1778079)
- Add new file context rabbitmq_conf_t.
- Allow journalctl read init state BZ(1731753) - Add fprintd_read_var_lib_dir and fprintd_setattr_var_lib_dir interfaces - Allow pulseaudio create .config and dgram sendto to unpriv_userdomain - Change type in transition for /var/cache/{dnf,yum} directory - Allow cockpit_ws_t read efivarfs_t BZ(1777085) - Allow abrt_dump_oops_t domain to create udp sockets BZ(1778030) - Allow named_t domain to mmap named_zone_t files BZ(1647493) - Make boinc_var_lib_t label system mountdir attribute - Allow stratis_t domain to request load modules - Update fail2ban policy - Allow spamd_update_t access antivirus_unit_file_t BZ(1774092) - Allow uuidd_t Domain trasition from sytemd into confined domain with NoNewPrivileges Systemd Security feature. - Allow rdisc_t Domain trasition from sytemd into confined domain with NoNewPrivileges Systemd Security feature. * Thu Nov 28 2019 Lukas Vrabec <> - 3.14.5-18 - Allow systemd to read all proc - Introduce new type pdns_var_lib_t - Allow zebra_t domain to read files labled as nsfs_t. - Allow systemd to setattr on all device_nodes - Allow systemd to mounton and list all proc types * Wed Nov 27 2019 Lukas Vrabec <> - 3.14.5-17 - Fix nonexisting types in rtas_errd_rw_lock interface - Allow snmpd_t domain to trace processes in user namespace - Allow timedatex_t domain to read relatime clock and adjtime_t files - Allow zebra_t domain to execute zebra binaries - Label /usr/lib/NetworkManager/dispatcher as NetworkManager_initrc_exec_t - Allow ksmtuned_t domain to trace processes in user namespace - Allow systemd to read symlinks in /var/lib - Update dev_mounton_all_device_nodes() interface - Add the miscfiles_map_generic_certs macro to the sysnet_dns_name_resolve macro. - Allow systemd_domain to map files in /usr. 
- Allow strongswan start using swanctl method BZ(1773381) - Dontaudit systemd_tmpfiles_t getattr of all file types BZ(1772976) * Thu Nov 21 2019 Zdenek Pytela <> - 3.14.5-16 - Allow timedatex_t domain dbus chat with both confined and unconfined users - Allow timedatex_t domain dbus chat with unconfined users - Allow NetworkManager_t manage dhcpc_state_t BZ(1770698) - Make unconfined domains part of domain_named_attribute - Label tcp ports 24816,24817 as pulp_port_t - Remove duplicate entries for initrc_t in init.te * Thu Nov 14 2019 Lukas Vrabec <> - 3.14.5-15 - Increase SELinux userspace version which should be required. * Wed Nov 13 2019 Lukas Vrabec <> - 3.14.5-14 - Increase version of kernel compiled binary policy to 32 because of new SELinux userspace v3.0 * Wed Nov 13 2019 Lukas Vrabec <> - 3.14.5-13 - Fix typo bugs in rtas_errd_read_lock() interface - cockpit: Drop cockpit-cert-session - Allow timedatex_t domain to systemctl chronyd domains - Allow ipa_helper_t to read kr5_keytab_t files - cockpit: Allow cockpit-session to read cockpit-tls state directory - Allow stratisd_t domain to read nvme and fixed disk devices - Update lldpad_t policy module - Dontaudit tmpreaper_t getting attributes from sysctl_type files - cockpit: Support https instance factory - Added macro for timedatex to chat over dbus. - Fix typo in dev_filetrans_all_named_dev() - Update files_manage_etc_runtime_files() interface to allow manage also dirs - Fix typo in cachefiles device - Dontaudit sys_admin capability for auditd_t domains - Allow x_userdomain to read adjtime_t files - Allow users using template userdom_unpriv_user_template() to run bpf tool - Allow x_userdomain to dbus_chat with timedatex. 
* Sun Nov 03 2019 Lukas Vrabec <> - 3.14.5-12 - Label /var/cache/nginx as httpd_cache_t - Allow abrt_upload_watch_t domain to send dgram msgs to kernel processes and stream connect to journald - Created dnsmasq_use_ipset boolean - Allow capability dac_override in logwatch_mail_t domain - Allow automount_t domain to execute ping in own SELinux domain (ping_t) - Allow tmpreaper_t domain to getattr files labeled as mtrr_device_t - Allow collectd_t domain to create netlink_generic_socket sockets - Allow rhsmcertd_t domain to read/write rtas_errd_var_lock_t files - Allow tmpwatch process labeled as tmpreaper_t domain to execute fuser command. - Label /etc/postfix/chroot-update as postfix_exec_t - Update tmpreaper_t policy due to fuser command - Allow kdump_t domain to create netlink_route and udp sockets - Allow stratisd to connect to dbus - Allow fail2ban_t domain to create netlink netfilter sockets. - Allow dovecot get filesystem quotas - Allow networkmanager_t domain to execute chronyd binary in chronyd_t domain. BZ(1765689) - Allow systemd-tmpfiles processes to set rlimit information - Allow cephfs to use xattrs for storing contexts - Update files_filetrans_named_content() interface to allow caller domain to create /oldroot /.profile with correct label etc_runtime_t * Fri Oct 25 2019 Lukas Vrabec <> - 3.14.5-11 - Allow confined users to run newaliases - Add interface mysql_dontaudit_rw_db() - Label /var/lib/xfsdump/inventory as amanda_var_lib_t - Allow tmpreaper_t domain to read all domains state - Make httpd_var_lib_t label system mountdir attribute - Update cockpit policy - Update timedatex policy to add macros, more detail below - Allow nagios_script_t domain list files labled sysfs_t. - Allow jetty_t domain search and read cgroup_t files. 
- Donaudit ifconfig_t domain to read/write mysqld_db_t files - Dontaudit domains read/write leaked pipes * Tue Oct 22 2019 Lukas Vrabec <> - 3.14.5-10 - Update timedatex policy to add macros, more detail below - Allow nagios_script_t domain list files labled sysfs_t. - Allow jetty_t domain search and read cgroup_t files. - Allow Gluster mount client to mount files_type - Dontaudit and disallow sys_admin capability for keepalived_t domain - Update numad policy to allow signull, kill, nice and trace processes - Allow ipmievd_t to RW watchdog devices - Allow ldconfig_t domain to manage initrc_tmp_t link files Allow netutils_t domain to write to initrc_tmp_t fifo files - Allow user domains to manage user session services - Allow staff and user users to get status of user systemd session - Update sudo_role_template() to allow caller domain to read syslog pid files * Fri Oct 11 2019 Lukas Vrabec <> - 3.14.5-9 - Allow networkmanager_t domain domain transition to chronyc_t domain BZ(1760226) * Wed Oct 09 2019 Lukas Vrabec <> - 3.14.5-8 - Update apache and pkcs policies to make active opencryptoki rules - Allow ipa_ods_exporter_t domain to read krb5_keytab files BZ(1759884) * Wed Oct 09 2019 Lukas Vrabec <> - 3.14.5-7 - Revert "nova.fc: fix duplicated slash" - Introduce new bolean httpd_use_opencryptoki - Add new interface apache_read_state() - Allow setroubleshoot_fixit_t to read random_device_t - Label /etc/named direcotory as named_conf_t BZ(1759495) - nova.fc: fix duplicated slash - Allow dkim to execute sendmail - Update virt_read_content interface to allow caller domain mmap virt_content_t block devices and files - Update aide_t domain to allow this tool to analyze also /dev filesystem - Update interface modutils_read_module_deps to allow caller domain also mmap modules_dep_t files BZ(1758634) - Allow avahi_t to send msg to xdm_t - Allow systemd_logind to read dosfs files & dirs Allow systemd-logind - a system service that manages user logins, to read files and list 
dirs on a DOS filesystem - Update dev_manage_sysfs() to support managing also lnk files BZ(1759019) - Allow systemd_logind_t domain to read blk_files in domain removable_device_t - Add new interface udev_getattr_rules_chr_files() * Fri Oct 04 2019 Lukas Vrabec <> - 3.14.5-6 - Update aide_t domain to allow this tool to analyze also /dev filesystem - Allow bitlbee_t domain map files in /usr - Allow stratisd to getattr of fixed disk device nodes - Add net_broadcast capability to openvswitch_t domain BZ(1716044) - Allow exim_t to read mysqld conf files if exim_can_connect_db is enabled. BZ(1756973) - Allow cobblerd_t domain search apache configuration dirs - Dontaudit NetworkManager_t domain to write to kdump temp pipies BZ(1750428) - Label /var/log/collectd.log as collectd_log_t - Allow boltd_t domain to manage sysfs files and dirs BZ(1754360) - Add fowner capability to the pcp_pmlogger_t domain BZ(1754767) - networkmanager: allow NetworkManager_t to create bluetooth_socket - Fix ipa_custodia_stream_connect interface - Add new interface udev_getattr_rules_chr_files() - Make dbus-broker service working on s390x arch - Add new interface dev_mounton_all_device_nodes() - Add new interface dev_create_all_files() - Allow systemd(init_t) to load kernel modules - Allow ldconfig_t domain to manage initrc_tmp_t objects - Add new interface init_write_initrc_tmp_pipes() - Add new interface init_manage_script_tmp_files() - Allow xdm_t setpcap capability in user namespace BZ(1756790) - Allow x_userdomain to mmap generic SSL certificates - Allow xdm_t domain to user netlink_route sockets BZ(1756791) - Update files_create_var_lib_dirs() interface to allow caller domain also set attributes of var_lib_t directory BZ(1754245) - Allow sudo userdomain to run rpm related commands - Add sys_admin capability for ipsec_t domain - Allow systemd_modules_load_t domain to read systemd pid files - Add new interface init_read_pid_files() - Allow systemd labeled as init_t domain to manage faillog_t 
objects - Add file context ipsec_var_run_t for /var/run/charon\.dck to ipsec.fc - Make ipa_custodia policy active * Fri Sep 20 2019 Lukas Vrabec <> - 3.14.5-5 - Fix ipa_custodia_stream_connect interface - Allow systemd_modules_load_t domain to read systemd pid files - Add new interface init_read_pid_files() - Allow systemd labeled as init_t domain to manage faillog_t objects - Add file context ipsec_var_run_t for /var/run/charon\.dck to ipsec.fc * Fri Sep 20 2019 Lukas Vrabec <> - 3.14.5-4 - Run ipa-custodia as ipa_custodia_t - Update webalizer_t SELinux policy - Dontaudit thumb_t domain to getattr of nsfs_t files BZ(1753598) - Allow rhsmcertd_t domain to read rtas_errd lock files - Add new interface rtas_errd_read_lock() - Update allow rules set for nrpe_t domain - Update timedatex SELinux policy to to sychronizate time with GNOME and add new macro chronyd_service_status to chronyd.if - Allow avahi_t to send msg to lpr_t - Label /dev/shm/dirsrv/ with dirsrv_tmpfs_t label - Allow dlm_controld_t domain to read random device - Label libvirt drivers as virtd_exec_t - Add sys_ptrace capability to pcp_pmlogger_t domain BZ(1751816) - Allow gssproxy_t domain read state of all processes on system - Add new macro systemd_timedated_status to systemd.if to get timedated service status - Introduce xdm_manage_bootloader booelan - Revert "Unconfined domains, need to create content with the correct labels" - Allow xdm_t domain to read sssd pid files BZ(1753240) - Move open, audit_access, and execmod to common file perms * Fri Sep 13 2019 Lukas Vrabec <> - 3.14.5-3 - Add sys_ptrace capability to pcp_pmlogger_t domain BZ(1751816) - Allow gssproxy_t domain read state of all processes on system - Fix typo in cachefilesd module - Allow cachefilesd_t domain to read/write cachefiles_device_t devices - Remove setting label for /dev/cachefilesd char device from cachefilesd policy. 
This should be added in base policy - Add sys_admin capability for keepalived_t labeled processes - Allow user_mail_domain attribute to manage files labeled as etc_aliases_t. - Create new type ipmievd_helper_t domain for loading kernel modules. - Run stratisd service as stratisd_t - Fix abrt_upload_watch_t in abrt policy - Update keepalived policy - Update cron_role, cron_admin_role and cron_unconfined_role to avoid *_t_t types - Revert "Create admin_crontab_t and admin_crontab_tmp_t types" - Revert "Update cron_role() template to accept third parameter with SELinux domain prefix" - Allow amanda_t to manage its var lib files and read random_device_t - Create admin_crontab_t and admin_crontab_tmp_t types - Add setgid and setuid capabilities to keepalived_t domain - Update cron_role() template to accept third parameter with SELinux domain prefix - Allow psad_t domain to create tcp diag sockets BZ(1750324) - Allow systemd to mount fwupd_cache_t BZ(1750288) - Allow chronyc_t domain to append to all non_security files - Update zebra SELinux policy to make it work also with frr service - Allow rtkit_daemon_t domain set process nice value in user namespaces BZ(1750024) - Dontaudit rhsmcertd_t to write to dirs labeled as lib_t BZ(1556763) - Label /var/run/mysql as mysqld_var_run_t - Allow chronyd_t domain to manage and create chronyd_tmp_t dirs,files,sock_file objects. - Update timedatex policy to manage localization - Allow sandbox_web_type domains to sys_ptrace and sys_chroot in user namespaces - Update gnome_dontaudit_read_config - Allow devicekit_var_lib_t dirs to be created by systemd during service startup. 
BZ(1748997) - Allow systemd labeled as init_t domain to remount rootfs filesystem - Add interface files_remount_rootfs() - Dontaudit sys_admin capability for iptables_t SELinux domain - Label /dev/cachefilesd as cachefiles_device_t - Make stratisd policy active - Allow userdomains to dbus chat with policykit daemon - Update userdomains to pass correct parametes based on updates from cron_*_role interfaces - New interface files_append_non_security_files() - Label 2618/tcp and 2618/udp as priority_e_com_port_t - Label 2616/tcp and 2616/udp as appswitch_emp_port_t - Label 2615/tcp and 2615/udp as firepower_port_t - Label 2610/tcp and 2610/udp as versa_tek_port_t - Label 2613/tcp and 2613/udp as smntubootstrap_port_t - Label 3784/tcp and 3784/udp as bfd_control_port_t - Remove rule allowing all processes to stream connect to unconfined domains * Wed Sep 04 2019 Lukas Vrabec <> - 3.14.5-2 - Allow zabbix_t domain to manage zabbix_var_lib_t sock files and connect to unix_stream_socket - Dontaudit sandbox web types to setattr lib_t dirs - Dontaudit system_mail_t domains to check for existence other applications on system BZ(1747369) - Allow haproxy_t domain to read network state of system - Allow processes labeled as keepalived_t domain to get process group - Introduce dbusd_unit_file_type - Allow pesign_t domain to read/write named cache files. - Label /var/log/hawkey.log as rpm_log_t and update rpm named filetrans interfaces. - Allow httpd_t domain to read/write named_cache_t files - Add new interface bind_rw_cache() - Allow cupsd_t domain to create directory with name ppd in dirs labeled as cupsd_etc_t with label cupsd_rw_etc_t. - Update cpucontrol_t SELinux policy - Allow pcp_pmcd_t domain to bind on udp port labeled as statsd_port_t - Run lldpd service as lldpad_t. - Allow spamd_update_t domain to create unix dgram sockets. 
- Update dbus role template for confined users to allow login into x session - Label /usr/libexec/microcode_ctl/reload_microcode as cpucontrol_exec_t - Fix typo in networkmanager_append_log() interface - Update collectd policy to allow daemon create /var/log/collectd with collectd_log_t label - Allow login user type to use systemd user session - Allow xdm_t domain to start dbusd services. - Introduce new type xdm_unit_file_t - Remove allowing all domain to communicate over pipes with all domain under rpm_transition_domain attribute - Allow systemd labeled as init_t to remove sockets with tmp_t label BZ(1745632) - Allow ipsec_t domain to read/write named cache files - Allow sysadm_t to create hawkey log file with rpm_log_t SELinux label - Allow domains systemd_networkd_t and systemd_logind_t to chat over dbus - Label udp 8125 port as statsd_port_t * Tue Aug 13 2019 Lukas Vrabec <> - 3.14.5-1 - Bump version * Tue Aug 13 2019 Lukas Vrabec <> - 3.14.4-31 - Update timedatex policy BZ(1734197) * Tue Aug 13 2019 Lukas Vrabec <> - 3.14.4-30 - cockpit: Allow cockpit-session to read cockpit-tls state - Allow zebrat_t domain to read state of NetworkManager_t processes BZ(1739983) - Allow named_t domain to read/write samba_var_t files BZ(1738794) - Dontaudit abrt_t domain to read root_t files - Allow ipa_dnskey_t domain to read kerberos keytab - Allow mongod_t domain to read cgroup_t files BZ(1739357) - Update ibacm_t policy - Allow systemd to relabel all files on system. - Revert "Add new boolean systemd_can_relabel" - Allow xdm_t domain to read kernel sysctl BZ(1740385) - Add sys_admin capability for xdm_t in user namespace. BZ(1740386) - Allow dbus communications with resolved for DNS lookups - Add new boolean systemd_can_relabel - Allow auditd_t domain to create auditd_tmp_t temporary files and dirs in /tmp or /var/tmp - Label '/var/usrlocal/(.*/)?sbin(/.*)?' 
as bin_t - Update systemd_dontaudit_read_unit_files() interface to dontaudit alos listing dirs - Run lvmdbusd service as lvm_t * Wed Aug 07 2019 Lukas Vrabec <> - 3.14.4-29 - Allow dlm_controld_t domain setgid capability - Fix SELinux modules not installing in chroots. Resolves: rhbz#1665643 * Tue Aug 06 2019 Lukas Vrabec <> - 3.14.4-28 - Allow systemd to create and bindmount dirs. BZ(1734831) * Mon Aug 05 2019 Lukas Vrabec <> - 3.14.4-27 - Allow tlp domain run tlp in trace mode BZ(1737106) - Make timedatex_t domain system dbus bus client BZ(1737239) - Allow cgdcbxd_t domain to list cgroup dirs - Allow systemd to create and bindmount dirs. BZ(1734831) * Tue Jul 30 2019 Lukas Vrabec <> - 3.14.4-26 - New policy for rrdcached - Allow dhcpd_t domain to read network sysctls. - Allow nut services to communicate with unconfined domains - Allow virt_domain to Support ecryptfs home dirs. - Allow domain transition lsmd_t to sensord_t - Allow httpd_t to signull mailman_cgi_t process - Make rrdcached policy active - Label /etc/sysconfig/ip6?tables\.save as system_conf_t Resolves: rhbz#1733542 - Allow machinectl to run pull-tar BZ(1724247) * Fri Jul 26 2019 Lukas Vrabec <> - 3.14.4-25 - Allow spamd_update_t domain to read network state of system BZ(1733172) - Allow dlm_controld_t domain to transition to the lvm_t - Allow sandbox_web_client_t domain to do sys_chroot in user namespace - Allow virtlockd process read virtlockd.conf file - Add more permissions for session dbus types to make working dbus broker with systemd user sessions - Allow sssd_t domain to read gnome config and named cache files - Allow brltty to request to load kernel module - Add svnserve_tmp_t label forl svnserve temp files to system private tmp - Allow sssd_t domain to read kernel net sysctls BZ(1732185) - Run timedatex service as timedatex_t - Allow mysqld_t domain to domtrans to ifconfig_t domain when executing ifconfig tool - Allow cyrus work with PrivateTmp - Make cgdcbxd_t domain working with SELinux 
enforcing. - Make working wireshark execute byt confined users staff_t and sysadm_t - Dontaudit virt_domain to manage ~/.cache dirs BZ(1730963) - Allow svnserve_t domain to read system state - allow named_t to map named_cache_t files - Label user cron spool file with user_cron_spool_t - Update gnome_role_template() template to allow sysadm_t confined user to login to xsession - Allow lograte_t domain to manage collect_rw_content files and dirs - Add interface collectd_manage_rw_content() - Allow ifconfig_t domain to manage vmware logs - Remove system_r role from staff_u user. - Make new timedatex policy module active - Add systemd_private_tmp_type attribute - Allow systemd to load kernel modules during boot process. - Allow sysadm_t and staff_t domains to read wireshark shared memory - Label /usr/libexec/utempter/utempter as utemper_exec_t - Allow ipsec_t domain to read/write l2tpd pipe BZ(1731197) - Allow sysadm_t domain to create netlink selinux sockets - Make cgdcbxd active in Fedora upstream sources * Wed Jul 17 2019 Lukas Vrabec <> - 3.14.4-24 - Label user cron spool file with user_cron_spool_t - Update gnome_role_template() template to allow sysadm_t confined user to login to xsession - Allow lograte_t domain to manage collect_rw_content files and dirs - Add interface collectd_manage_rw_content() - Allow systemd_hostnamed_t domain to dbus chat with sosreport_t domain - Update tomcat_can_network_connect_db boolean to allow tomcat domains also connect to redis ports - Allow mysqld_t domain to manage cluster pid files - Relabel /usr/sbin/virtlockd from virt_exec_t to virtlogd_exec_t. 
- Allow ptp4l_t domain to write to pmc socket which is created by pmc command line tool - Allow dkim-milter to send e-mails BZ(1716937) - Update spamassasin policy to make working /usr/share/spamassassin/sa-update.cron script BZ(1711799) - Update svnserve_t policy to make working svnserve hooks - Allow varnishlog_t domain to check for presence of varnishd_t domains - Update sandboxX policy to make working firefox inside SELinux sandbox - Remove allow rule from svirt_transition_svirt_sandbox interface to don't allow containers to connect to random services - Allow httpd_t domain to read /var/lib/softhsm/tokens to allow httpd daemon to use pkcs#11 devices - Allow gssd_t domain to list tmpfs_t dirs - Allow mdadm_t domain to read tmpfs_t files - Allow sbd_t domain to check presence of processes labeled as cluster_t - Dontaudit httpd_sys_script_t to read systemd unit files - Allow blkmapd_t domain to read nvme devices - Update cpucontrol_t domain to make working microcode service - Allow domain transition from logwatch_t do postfix_postqueue_t - Allow chronyc_t domain to create and write to non_security files in case when sysadmin is redirecting output to file e.g: 'chronyc -n tracking > /var/lib/test' - Allow httpd_sys_script_t domain to mmap httpcontent - Allow sbd_t to manage cgroups_t files - Update wireshark policy to make working tshar labeled as wireshark_t - Update virt_use_nfs boolean to allow svirt_t domain to mmap nfs_t files - Allow sysadm_t domain to create netlink selinux sockets - Make cgdcbxd active in Fedora upstream sources - Allow sysadm_t domain to dbus chat with rtkit daemon - Allow x_userdomains to nnp domain transition to thumb_t domain - Allow unconfined_domain_type to setattr own process lnk files. 
- Add interface files_write_generic_pid_sockets() - Dontaudit writing to user home dirs by gnome-keyring-daemon - Allow staff and admin domains to setpcap in user namespace - Allow staff and sysadm to use lockdev - Allow staff and sysadm users to run iotop. - Dontaudit traceroute_t domain require sys_admin capability - Dontaudit dbus chat between kernel_t and init_t - Allow systemd labeled as init_t to create mountpoints without any specific label as default_t * Wed Jul 10 2019 Lukas Vrabec <> - 3.14.4-23 - Update dbusd policy and netowrkmanager to allow confined users to connect to vpn over NetworkManager - Fix all interfaces which cannot by compiled because of typos - Allow X userdomains to mmap user_fonts_cache_t dirs * Mon Jul 08 2019 Lukas Vrabec <> - 3.14.4-22 - Label /var/kerberos/krb5 as krb5_keytab_t - Allow glusterd_t domain to setpgid - Allow lsmd_t domain to execute /usr/bin/debuginfo-install - Allow sbd_t domain to manage cgroup dirs - Allow opafm_t domain to modify scheduling information of another process. - Allow wireshark_t domain to create netlink netfilter sockets - Allow gpg_agent_t domain to use nsswitch - Allow httpd script types to mmap httpd rw content - Allow dkim_milter_t domain to execute shell BZ(17116937) - Allow sbd_t domain to use nsswitch - Allow rhsmcertd_t domain to send signull to all domains - Allow snort_t domain to create netlink netfilter sockets BZ(1723184) - Dontaudit blueman to read state of all domains on system BZ(1722696) - Allow boltd_t domain to use ps and get state of all domains on system. BZ(1723217) - Allow rtkit_daemon_t to uise sys_ptrace usernamespace capability BZ(1723308) - Replace "-" by "_" in types names - Change condor_domain declaration in condor_systemctl - Allow firewalld_t domain to read iptables_var_run_t files BZ(1722405) - Allow auditd_t domain to send signals to audisp_remote_t domain - Allow systemd labeled as init_t domain to read/write faillog_t. 
BZ(1723132) - Allow systemd_tmpfiles_t domain to relabel from usermodehelper_t files - Add interface kernel_relabelfrom_usermodehelper() - Dontaudit unpriv_userdomain to manage boot_t files - Allow xdm_t domain to mmap /var/lib/gdm/.cache/fontconfig BZ(1725509) - Allow systemd to execute bootloader grub2-set-bootflag BZ(1722531) - Allow associate efivarfs_t on sysfs_t * Tue Jun 18 2019 Lukas Vrabec <> - 3.14.4-21 - Add vnstatd_var_lib_t to mountpoint attribute BZ(1648864) - cockpit: Support split-out TLS proxy - Allow dkim_milter_t to use shell BZ(1716937) - Create explicit fc rule for mailman executable BZ(1666004) - Update interface networkmanager_manage_pid_files() to allow manage also dirs - Allow dhcpd_t domain to mmap dnssec_t files BZ(1718701) - Add new interface bind_map_dnssec_keys() - Update virt_use_nfs() boolean to allow virt_t to mmap nfs_t files - Allow redis_t domain to read public sssd files - Allow fetchmail_t to connect to dovecot stream sockets BZ(1715569) - Allow confined users to login via cockpit - Allow nfsd_t domain to do chroot becasue of new version of nfsd - Add gpg_agent_roles to system_r roles - Allow qpidd_t domain to getattr all fs_t filesystem and mmap usr_t files - Allow rhsmcertd_t domain to manage rpm cache - Allow sbd_t domain to read tmpfs_t symlinks - Allow ctdb_t domain to manage samba_var_t files/links/sockets and dirs - Allow kadmind_t domain to read home config data - Allow sbd_t domain to readwrite cgroups - Allow NetworkManager_t domain to read nsfs_t files BZ(1715597) - Label /var/log/pacemaker/pacemaker as cluster_var_log_t - Allow certmonger_t domain to manage named cache files/dirs - Allow pcp_pmcd_t domain to domtrans to mdadm_t domain BZ(1714800) - Allow crack_t domain read /et/passwd files - Label fontconfig cache and config files and directories BZ(1659905) - Allow dhcpc_t domain to manage network manager pid files - Label /usr/sbin/nft as iptables_exec_t - Allow userdomain attribute to manage cockpit_ws_t stream 
sockets - Allow ssh_agent_type to read/write cockpit_session_t unnamed pipes - Add interface ssh_agent_signal()