Information for build selinux-policy-41.44-1.fc42

ID: 24566
Package Name: selinux-policy
Version: 41.44
Release: 1.fc42
Epoch:
Draft: False
Summary: SELinux policy configuration
Description: SELinux core policy package. Originally based off of reference policy, the policy has been adjusted to provide support for Fedora.
Built by: davidlt
State: complete
Volume: DEFAULT
Started: Thu, 10 Jul 2025 12:50:39 UTC
Completed: Thu, 10 Jul 2025 12:50:39 UTC
Tags: f42

RPMs

src:
  selinux-policy-41.44-1.fc42.src.rpm

noarch:
  selinux-policy-41.44-1.fc42.noarch.rpm
  selinux-policy-devel-41.44-1.fc42.noarch.rpm
  selinux-policy-doc-41.44-1.fc42.noarch.rpm
  selinux-policy-minimum-41.44-1.fc42.noarch.rpm
  selinux-policy-mls-41.44-1.fc42.noarch.rpm
  selinux-policy-sandbox-41.44-1.fc42.noarch.rpm
  selinux-policy-targeted-41.44-1.fc42.noarch.rpm
Changelog

* Tue Jun 17 2025 Zdenek Pytela <zpytela@redhat.com> - 41.44-1
- virt: allow QEMU use of the qgs daemon for attestation
- qgs: add contrib module for TDX "qgs" daemon
- kernel: add interfaces for using SGX enclaves
- Define file equivalency for /usr/etc
- Allow mongod to receive pressure stall information
- Dontaudit systemd_generator read sssd public files
- Allow plymouthd read/write input event devices
- Label 99-nvme-nbft-connect.sh with NetworkManager_dispatcher_nvme_script_t
- Allow systemd-user-runtime-dir sendto to syslogd
- Remove pcp module
- Update irqbalance policy for using unconfined scripts
- Allow utempter use terminal multiplexor
- Allow virtqemud execute ovs-vsctl with a domain transition
- Update the files_search_mnt() interface

* Wed Jun 04 2025 Zdenek Pytela <zpytela@redhat.com> - 41.43-1
- Allow nmbd read network sysctls
- Allow iio-sensor-proxy sendto to journald over a unix datagram socket
- Allow logrotate stop all systemd services
- systemd: rework systemd_manage_random_seed
- Allow tuned-ppd connect to sssd over a unix stream socket

* Tue Jun 03 2025 Zdenek Pytela <zpytela@redhat.com> - 41.42-1
- Drop config for /run/random-seed
- Update file location for systemd random-seed file
- Allow tomcat execute cracklib-check with a domain transition
- Allow sssd watch lib dirs
- Confine systemd-hibernate-resume
- Allow login_userdomain create /run/tlog directory with user_tmp_t
- Allow login_pgm read filesystem sysctls
- Allow gconfd connect to system dbus
- Allow NetworkManager manage NetworkManager_etc_rw_t symlinks
- Add %verify(not md5 size mtime) for customizable_types

* Mon May 26 2025 Zdenek Pytela <zpytela@redhat.com> - 41.41-1
- Allow mdadm nosuid_transition
- Label plasma user service files as xdm_unit_file_t.
- Revert "Allow systemd-homed to start services."
- Allow virtstoraged write qemu runtime files
- Allow virtqemud read/write/setattr input event devices
- Allow systemd create journal pid files
- Allow networkmanager send a general signal to iptables
- Allow syslogd watch syslog_conf_t directories
- Allow systemd-machined work with its private tmp and tmpfs files
- Allow geoclue read virt lib files
- Fix files_dontaudit_delete_all_files()
- Label /run/polkit-1 with policykit_var_run_t
- Label /dev/diag as diagnostic_device_t
- Allow systemd-homed to start services.
- Allow named_t to read NetworkManager's runtime files
- Improve README* documentation

* Tue May 13 2025 Zdenek Pytela <zpytela@redhat.com> - 41.40-1
- Add missing permissions for ftpd_anon_write to manage NFS directories
- Add missing permissions for ftpd_anon_write to manage CIFS directories
- Allow nut-upsmon write systemd inhibit pipes
- Allow systemd-user-runtime-dir connect to systemd-userdbd over a unix socket
- Remove permissive domain for systemd_vsftpd_generator_t
- Change generator-specific rules to apply to systemd_generator
- Define file equivalency for /var/etc
- Allow tuned-ppd create ppd_base_profile with a file transition
- Allow lldpd connect to systemd-homed over a unix socket
- Allow sysadm_sudo_t signal rpm script
- Fix the "/var/cache/systemd/home(/.*)?" regex

* Wed Apr 30 2025 Zdenek Pytela <zpytela@redhat.com> - 41.39-1
- Allow collectd accept and listen to tcp sockets
- Allow init_t nnp domain transition to redis_t
- Allow tlshd read network sysctls
- Allow NetworkManager create and use icmp_socket
- Allow varnishd execute the prlimit64() syscall
- Allow rhsmcertd connect to systemd-machined
- Allow virt_domain write to virt_image_t files
- Allow system-dbusd list systemd-machined directories
- Allow asterisk read network sysctls
- Allow virtstoraged fsetid capability
- Allow xdm watch a mnt_t directory
- Allow collectd bind TCP sockets to the collectd port
- Allow virtqemud relabel from tmpfs lnk files
- Allow gnome-remote-desktop additional sockets permissions
- Update insights-core policy
- Update systemd-homed policy
- Allow xenstored_t manage xend_var_lib_t files (bsc#1228540)

* Fri Apr 18 2025 Zdenek Pytela <zpytela@redhat.com> - 41.38-1
- Allow init and login_pgm connect to systemd-logind over a unix socket
- Allow login_userdomain read pressure stall information
- Allow systemd-journald create and use vsock socket
- Update systemd-pcrextend policy
- Allow systemd watch/watch_reads usb ttys
- Update coreos-installer-generator policy
- Update systemd-homed policy
- Allow systemd-user-runtime-dir get/set tmpfs quotas
- Allow systemd-rfkill read nsfs files
- Dontaudit bootc-systemd-generator search sssd lib directories
- Allow systemd-user-runtime-dir delete gnome homedir content

* Fri Apr 11 2025 Zdenek Pytela <zpytela@redhat.com> - 41.37-1
- Allow tuned-ppd read sssd public files
- Allow tuned-ppd watch_reads sysfs directories
- Confine /usr/lib/systemd/systemd-user-runtime-dir
- Revert "Dontaudit systemd-logind remove all files"
- Make bootupd use bootupd_tmp_t as its private type for files in /tmp
- Label SetroubleshootPrivileged.py with setroubleshootd_exec_t
- Allow power-profiles-daemon watch sysfs directories
- systemd: allow reading /dev/cpu/0/msr
- Update the pcmsensor policy
- Allow chronyd-restricted sendto to chronyc
- Allow system_dbusd_t r/w unix stream sockets of unconfined_service_t
- Allow dovecot-deliver read mail aliases

* Mon Apr 07 2025 Zdenek Pytela <zpytela@redhat.com> - 41.36-1
- Confine systemd-factory-reset system generator
- Allow systemd debug generator read tmpfs files
- Allow gnome-shell get attributes of systemd inhibit pipes
- Allow tuned-ppd watch sysfs directories
- Fix the storage_rw_inherited_removable_device() interface
- Allow sadc read global pressure stall information
- Allow virtqemud read sblim-gatherd process state
- Allow switcheroo-control dbus chat with xdm
- Fix typo in calling unconfined_dbus_chat for switcheroo-control
- Allow sysadm_t to write to /dev/kmsg
- Allow init_t nnp domain transition to pcscd_t
- Fix the genfscon statement for pidfs filesystem
- Allow tuned-ppd dbus chat with xdm

* Mon Mar 31 2025 Zdenek Pytela <zpytela@redhat.com> - 41.35-1
- Update INSTALL to describe necessary steps to build it
- Rename the default policy to fedora-selinux
- Update COPYING to the latest version of GPLv2
- Allow traceroute_t bind rawip sockets to unreserved ports
- Revert "Allow traceroute_t bind rawip sockets to unreserved ports"
- Change the bootc system generator name to bootc-systemd-generator
- Allow mpd use the io_uring API
- Confine tuned-ppd
- Add the switcheroo module
- Label wine's windows libraries as textrel_shlib_t
- Allow systemd domains write global pressure stall information
- Add label and interfaces for kernel PSI files
- Update bootupd policy
- Update ktls policy
- Add policy for systemd-bootc-generator
- Allow blueman the kill capability

* Fri Mar 07 2025 Zdenek Pytela <zpytela@redhat.com> - 41.34-1
- Add context for plymouth debug log files
- Allow rlimit inheritance for domains transitioning to local_login_t
- Update insights-core policy
- Allow insights-core map all non-security files
- Allow insights-core map audit config and log files
- Allow insights-client manage insights_client_var_log_t files
- Remove duplicate dev_rw_dma_dev(xdm_t)
- Allow thumbnailer read and write the dma device
- Allow named_filetrans_domain filetrans raid/mdadm named content
- Allow afterburn to mount and read config drives
- Allow mptcpd the net_admin capability

* Fri Feb 07 2025 Zdenek Pytela <zpytela@redhat.com> - 41.33-1
- Allow systemd-networkd the sys_admin capability
- Update systemd-networkd policy in systemd v257
- Separate insights-core from insights-client
- Removed unused insights_client interfaces calls from other modules
- Update policy for insights_client wrt new rules for insights_core_t
- Add policy for insights-core
- Allow systemd-networkd use its private tmpfs files
- Allow boothd connect to systemd-machined over a unix socket
- Update init_explicit_domain() interface
- Allow tlp to read/write nmi_watchdog state information
- Allow power-profiles-daemon the bpf capability
- Allow svirt_t to connect to nbdkit over a unix stream socket
- Update ktlshd policy to read /proc/keys and domain keyrings
- Allow virt_domain read hardware state information unconditionally
- Allow init mounton crypto sysctl files
- Rename winbind_rpcd_* types to samba_dcerpcd_*
- Support peer-to-peer migration of vms using ssh

* Wed Feb 05 2025 Zdenek Pytela <zpytela@redhat.com> - 41.32-1
- Allow virtqemud use hostdev usb devices conditionally
- Allow virtqemud map svirt_image_t plain files
- Allow virtqemud work with nvdimm devices
- Support saving and restoring a VM to/from a block device
- Allow virtnwfilterd dbus chat with firewalld
- Dontaudit systemd-logind remove all files
- Add the files_dontaudit_read_all_dirs() interface
- Add the files_dontaudit_delete_all_files() interface
- Allow rhsmcertd notify virt-who
- Allow irqbalance to run unconfined scripts conditionally

* Fri Jan 31 2025 Zdenek Pytela <zpytela@redhat.com> - 41.31-1
- Allow snapperd execute systemctl in the caller domain
- Allow svirt_tcg_t to connect to nbdkit over a unix stream socket
- Allow iio-sensor-proxy read iio devices
- Label /dev/iio:device[0-9]+ devices
- Allow systemd-coredump the sys_admin capability
- Allow apcupsd's apccontrol to send messages using wall
- contrib/thumb: also allow per-user thumbnailers
- contrib/thumb: fix thunar thumbnailer (rhbz#2315893)
- Allow virt_domain to use pulseaudio - conditional
- Allow pcmsensor read nmi_watchdog state information
- Allow init_t nnp domain transition to gssproxy_t

* Mon Jan 27 2025 Zdenek Pytela <zpytela@redhat.com> - 41.30-1
- Allow systemd-generator connect to syslog over a unix stream socket
- Allow virtqemud manage fixed disk device nodes
- Allow iio-sensor-proxy connect to syslog over a unix stream socket
- Allow virtstoraged write to sysfs files
- Allow power-profiles-daemon write sysfs files
- Update iiosensorproxy policy
- Allow pcmsensor write nmi_watchdog state information
- Label /proc/sys/kernel/nmi_watchdog with sysctl_nmi_watchdog_t
- Allow virtnodedev create /etc/mdevctl.d/scripts.d with bin_t type
- Add the gpg_read_user_secrets() interface
- Allow gnome-remote-desktop read resolv.conf
- Update switcheroo policy
- Allow nfsidmap connect to systemd-homed over a unix socket
- Add the auth_write_motd_var_run_files() interface
- Add the bind_exec_named_checkconf() interface
- Add the virt_exec_virsh() interface

* Wed Jan 15 2025 Zdenek Pytela <zpytela@redhat.com> - 41.29-1
- Allow virtqemud domain transition to nbdkit
- Add nbdkit interfaces defined conditionally
- Allow samba-bgqd connect to cupsd over an unix domain stream socket
- Confine the switcheroo-control service
- Allow svirt_t read sysfs files
- Add rhsmcertd interfaces
- Add the ssh_exec_sshd() interface
- Add the gpg_domtrans_agent() interface
- Label /usr/bin/dnf5 with rpm_exec_t
- Label /dev/pmem[0-9]+ with fixed_disk_device_t
- allow kdm to create /root/.kde/ with correct label
- Change /usr/sbin entries to use /usr/bin or remove them
- Allow systemd-homed get filesystem quotas
- Allow login_userdomain getattr nsfs files
- Allow virtqemud send a generic signal to the ssh client domain
- Dontaudit request-key read /etc/passwd

* Fri Jan 03 2025 Zdenek Pytela <zpytela@redhat.com> - 41.28-1
- Update virtqemud policy regarding the svirt_tcg_t domain
- Allow virtqemud domain transition on numad execution
- Support virt live migration using ssh
- Allow virtqemud permissions needed for live migration
- Allow virtqemud the getpgid process permission
- Allow virtqemud manage nfs dirs when virt_use_nfs boolean is on
- Allow virtqemud relabelfrom virt_log_t files
- Allow virtqemud relabel tun_socket
- Add policy for systemd-import-generator
- Confine vsftpd systemd system generator
- Allow virtqemud read and write sgx_vepc devices
- Allow systemd-networkd list cgroup directories
- Allow xdm dbus chat with power-profiles-daemon
- Allow ssh_t read systemd config files
- Add Valkey rules to Redis module

* Tue Dec 17 2024 Zdenek Pytela <zpytela@redhat.com> - 41.27-1
- Update ktlsh policy
- Allow request-key to read /etc/passwd
- Allow request-key to manage all domains' keys
- Add support for the KVM guest memfd anon inodes
- Allow auditctl signal auditd
- Dontaudit systemd-coredump the sys_resource capability
- Allow traceroute_t bind rawip sockets to unreserved ports
- Fix the cups_read_pid_files() interface to use read_files_pattern
- Allow virtqemud additional permissions for tmpfs_t blk devices
- Allow virtqemud rw access to svirt_image_t chr files
- Allow virtqemud rw and setattr access to fixed block devices
- Label /etc/mdevctl.d/scripts.d with bin_t
- Allow virtqemud open svirt_devpts_t char files
- Allow virtqemud relabelfrom virt_log_t files
- Allow svirt_tcg_t read virtqemud_t fifo_files
- Allow virtqemud rw and setattr access to sev devices
- Allow virtqemud directly read and write to a fixed disk
- Allow virtqemud_t relabel virt_var_lib_t files
- Allow virtqemud_t relabel virtqemud_var_run_t sock_files
- Add gnome_filetrans_gstreamer_admin_home_content() interface
- Label /dev/swradio, /dev/v4l-subdev, /dev/v4l-touch with v4l_device_t
- Make bootupd_t permissive
- Allow init_t nnp domain transition to locate_t
- allow gdm and iiosensorproxy talk to each other via D-bus
- Allow systemd-journald getattr nsfs files
- Allow sendmail to map mail server configuration files
- Allow procmail to read mail aliases
- Allow cifs.idmap helper to set attributes on kernel keys
- Allow irqbalance setpcap capability in the user namespace
- Allow sssd_selinux_manager_t the setcap process permission
- Allow systemd-sleep manage efivarfs files
- Allow systemd-related domains getattr nsfs files
- Allow svirt_t the sys_rawio capability
- Allow alsa watch generic device directories
- Move systemd-homed interfaces to separate optional_policy block
- Update samba-bgqd policy
- Update virtlogd policy
- Allow svirt_t the sys_rawio capability
- Allow qemu-ga the dac_override and dac_read_search capabilities
- Allow bacula execute container in the container domain
- Allow httpd get attributes of dirsrv unit files
- Allow samba-bgqd read cups config files
- Add label rshim_var_run_t for /run/rshim.pid

* Mon Dec 02 2024 Petr Lautrbach <lautrbach@redhat.com> - 41.26-2
- Rebuild with SELinux Userspace 3.8

* Tue Nov 19 2024 Zdenek Pytela <zpytela@redhat.com> - 41.26-1
- [5/5][sync from 'mysql-selinux'] Add mariadb-backup
- [4/5][sync from 'mysql-selinux'] Fix regex to also match '/var/lib/mysql/mysqlx.sock'
- [3/5][sync from 'mysql-selinux'] Allow mysqld_t to read and write to the 'memory.pressure' file in cgroup2
- [2/5][sync from 'mysql-selinux'] 2nd attempt to fix rhbz#2186996 rhbz#2221433 rhbz#2245705
- [1/5][sync from 'mysql-selinux'] Allow 'mysqld' to use '/usr/bin/hostname'
- Allow systemd-networkd read mount pid files
- Update policy for samba-bgqd
- Allow chronyd read networkmanager's pid files
- Allow staff user connect to generic tcp ports
- Allow gnome-remote-desktop dbus chat with policykit
- Allow tlp the setpgid process permission
- Update the bootupd policy
- Allow sysadm_t use the io_uring API
- Allow sysadm user dbus chat with virt-dbus
- Allow virtqemud_t read virsh_t files
- Allow virt_dbus_t connect to virtd_t over a unix stream socket
- Allow systemd-tpm2-generator read hardware state information
- Allow coreos-installer-generator execute generic programs
- Allow coreos-installer domain transition on udev execution
- Revert "Allow unconfined_t execute kmod in the kmod domain"
- Allow iio-sensor-proxy create and use unix dgram socket
- Allow virtstoraged read vm sysctls
- Support ssh connections via systemd-ssh-generator
- Label all semanage store files in /etc as semanage_store_t
- Add file transition for nvidia-modeset

* Fri Oct 25 2024 Zdenek Pytela <zpytela@redhat.com> - 41.25-1
- Allow dirsrv-snmp map dirsv_tmpfs_t files
- Label /usr/lib/node_modules_22/npm/bin with bin_t
- Add policy for /usr/libexec/samba/samba-bgqd
- Allow gnome-remote-desktop watch /etc directory
- Allow rpcd read network sysctls
- Allow journalctl connect to systemd-userdbd over a unix socket
- Allow some confined users send to lldpad over a unix dgram socket
- Allow lldpad send to unconfined_t over a unix dgram socket
- Allow lldpd connect to systemd-machined over a unix socket
- Confine the ktls service

* Wed Oct 23 2024 Zdenek Pytela <zpytela@redhat.com> - 41.24-1
- Allow dirsrv read network sysctls
- Label /run/sssd with sssd_var_run_t
- Label /etc/sysctl.d and /run/sysctl.d with system_conf_t
- Allow unconfined_t execute kmod in the kmod domain
- Allow confined users r/w to screen unix stream socket
- Label /root/.screenrc and /root/.tmux.conf with screen_home_t
- Allow virtqemud read virtd_t files
- Allow ping_t read network sysctls

* Mon Oct 21 2024 Zdenek Pytela <zpytela@redhat.com> - 41.23-1
- Allow systemd-homework connect to init over a unix socket
- Fix systemd-homed blobs directory permissions
- Allow virtqemud read sgx_vepc devices
- Allow lldpad create and use netlink_generic_socket

* Wed Oct 16 2024 Zdenek Pytela <zpytela@redhat.com> - 41.22-1
- Allow systemd-homework write to init pid socket
- Allow init create /var/cache/systemd/home
- Confine the pcm service
- Allow login_userdomain read thumb tmp files
- Update power-profiles-daemon policy
- Fix the /etc/mdevctl\.d(/.*)? regexp
- Grant rhsmcertd chown capability & userdb access
- Allow iio-sensor-proxy the bpf capability
- Allow systemd-machined the kill user-namespace capability

* Fri Oct 11 2024 Zdenek Pytela <zpytela@redhat.com> - 41.21-1
- Remove the fail2ban module sources
- Remove the linuxptp module sources
- Remove legacy rules for slrnpull
- Remove the aiccu module sources
- Remove the bcfg2 module sources
- Remove the amtu module sources
- Remove the rhev module sources
- Remove all file context entries for /bin and /lib
- Allow ptp4l the sys_admin capability
- Confine power-profiles-daemon
- Label /var/cache/systemd/home with systemd_homed_cache_t
- Allow login_userdomain connect to systemd-homed over a unix socket
- Allow boothd connect to systemd-homed over a unix socket
- Allow systemd-homed get attributes of a tmpfs filesystem
- Allow abrt-dump-journal-core connect to systemd-homed over a unix socket
- Allow aide connect to systemd-homed over a unix socket
- Label /dev/hfi1_[0-9]+ devices
- Suppress semodule's stderr

* Thu Oct 03 2024 Zdenek Pytela <zpytela@redhat.com> - 41.20-1
- Remove the openct module sources
- Remove the timidity module sources
- Enable the slrn module
- Remove i18n_input module sources
- Enable the distcc module
- Remove the ddcprobe module sources
- Remove the timedatex module sources
- Remove the djbdns module sources
- Confine iio-sensor-proxy
- Allow staff user nlmsg_write
- Update policy for xdm with confined users
- Allow virtnodedev watch mdevctl config dirs
- Allow ssh watch home config dirs
- Allow ssh map home configs files
- Allow ssh read network sysctls
- Allow chronyc sendto to chronyd-restricted
- Allow cups sys_ptrace capability in the user namespace

* Tue Sep 24 2024 Zdenek Pytela <zpytela@redhat.com> - 41.19-1
- Add policy for systemd-homed
- Remove fc entry for /usr/bin/pump
- Label /usr/bin/noping and /usr/bin/oping with ping_exec_t
- Allow accountsd read gnome-initial-setup tmp files
- Allow xdm write to gnome-initial-setup fifo files
- Allow rngd read and write generic usb devices
- Allow qatlib search the content of the kernel debugging filesystem
- Allow qatlib connect to systemd-machined over a unix socket

* Wed Sep 18 2024 Petr Lautrbach <lautrbach@redhat.com> - 41.18-1
- Drop ru man pages
- mls/modules.conf - fix typo
- Allow unprivileged user watch /run/systemd
- Allow boothd connect to kernel over a unix socket

* Mon Sep 16 2024 Zdenek Pytela <zpytela@redhat.com> - 41.17-2
- Relabel /etc/mdevctl.d

* Thu Sep 12 2024 Petr Lautrbach <lautrbach@redhat.com> - 41.17-1
- Clean up and sync securetty_types
- Bring config files from dist-git into the source repo
- Confine gnome-remote-desktop
- Allow virtstoraged execute mount programs in the mount domain
- Make mdevctl_conf_t member of the file_type attribute

* Fri Sep 06 2024 Zdenek Pytela <zpytela@redhat.com> - 41.16-1
- Label /etc/mdevctl.d with mdevctl_conf_t
- Sync users with Fedora targeted users
- Update policy for rpc-virtstorage
- Allow virtstoraged get attributes of configfs dirs
- Fix SELinux policy for sandbox X server to fix 'sandbox -X' command
- Update bootupd policy when ESP is not mounted
- Allow thumb_t map dri devices
- Allow samba use the io_uring API
- Allow the sysadm user use the secretmem API
- Allow nut-upsmon read systemd-logind session files
- Allow sysadm_t to create PF_KEY sockets
- Update bootupd policy for the removing-state-file test
- Allow coreos-installer-generator manage mdadm_conf_t files

* Thu Aug 29 2024 Zdenek Pytela <zpytela@redhat.com> - 41.15-1
- Allow setsebool_t relabel selinux data files
- Allow virtqemud relabelfrom virtqemud_var_run_t dirs
- Use better escape method for "interface"
- Allow init and systemd-logind to inherit fds from sshd
- Allow systemd-ssh-generator read sysctl files
- Sync modules.conf with Fedora targeted modules
- Allow virtqemud relabel user tmp files and socket files
- Add missing sys_chroot capability to groupadd policy
- Label /run/libvirt/qemu/channel with virtqemud_var_run_t
- Allow virtqemud relabelfrom also for file and sock_file
- Add virt_create_log() and virt_write_log() interfaces
- Call binaries without full path

* Mon Aug 12 2024 Zdenek Pytela <zpytela@redhat.com> - 41.14-1
- Update libvirt policy
- Add port 80/udp and 443/udp to http_port_t definition
- Additional updates stalld policy for bpf usage
- Label systemd-pcrextend and systemd-pcrlock properly
- Allow coreos_installer_t work with partitions
- Revert "Allow coreos-installer-generator work with partitions"
- Add policy for systemd-pcrextend
- Update policy for systemd-getty-generator
- Allow ip command write to ipsec's logs
- Allow virt_driver_domain read virtd-lxc files in /proc
- Revert "Allow svirt read virtqemud fifo files"
- Update virtqemud policy for libguestfs usage
- Allow virtproxyd create and use its private tmp files
- Allow virtproxyd read network state
- Allow virt_driver_domain create and use log files in /var/log
- Allow samba-dcerpcd work with ctdb cluster

* Tue Aug 06 2024 Zdenek Pytela <zpytela@redhat.com> - 41.13-1
- Allow NetworkManager_dispatcher_t send SIGKILL to plugins
- Allow setroubleshootd execute sendmail with a domain transition
- Allow key.dns_resolve set attributes on the kernel key ring
- Update qatlib policy for v24.02 with new features
- Label /var/lib/systemd/sleep with systemd_sleep_var_lib_t
- Allow tlp status power services
- Allow virtqemud domain transition on passt execution
- Allow virt_driver_domain connect to systemd-userdbd over a unix socket
- Allow boothd connect to systemd-userdbd over a unix socket
- Update policy for awstats scripts
- Allow bitlbee execute generic programs in system bin directories
- Allow login_userdomain read aliases file
- Allow login_userdomain read ipsec config files
- Allow login_userdomain read all pid files
- Allow rsyslog read systemd-logind session files
- Allow libvirt-dbus stream connect to virtlxcd

* Wed Jul 31 2024 Zdenek Pytela <zpytela@redhat.com> - 41.12-1
- Update bootupd policy
- Allow rhsmcertd read/write access to /dev/papr-sysparm
- Label /dev/papr-sysparm and /dev/papr-vpd
- Allow abrt-dump-journal-core connect to winbindd
- Allow systemd-hostnamed shut down nscd
- Allow systemd-pstore send a message to syslogd over a unix domain
- Allow postfix_domain map postfix_etc_t files
- Allow microcode create /sys/devices/system/cpu/microcode/reload
- Allow rhsmcertd read, write, and map ica tmpfs files
- Support SGX devices
- Allow initrc_t transition to passwd_t
- Update fstab and cryptsetup generators policy
- Allow xdm_t read and write the dma device
- Update stalld policy for bpf usage
- Allow systemd_gpt_generator to getattr on DOS directories

* Thu Jul 25 2024 Zdenek Pytela <zpytela@redhat.com> - 41.11-1
- Make cgroup_memory_pressure_t a part of the file_type attribute
- Allow ssh_t to change role to system_r
- Update policy for coreos generators
- Allow init_t nnp domain transition to firewalld_t
- Label /run/modprobe.d with modules_conf_t
- Allow virtnodedevd run udev with a domain transition
- Allow virtnodedev_t create and use virtnodedev_lock_t
- Allow virtstoraged manage files with virt_content_t type
- Allow virtqemud unmount a filesystem with extended attributes
- Allow svirt_t connect to unconfined_t over a unix domain socket

* Mon Jul 22 2024 Zdenek Pytela <zpytela@redhat.com> - 41.10-1
- Update afterburn file transition policy
- Allow systemd_generator read attributes of all filesystems
- Allow fstab-generator read and write cryptsetup-generator unit file
- Allow cryptsetup-generator read and write fstab-generator unit file
- Allow systemd_generator map files in /etc
- Allow systemd_generator read init's process state
- Allow coreos-installer-generator read sssd public files
- Allow coreos-installer-generator work with partitions
- Label /etc/mdadm.conf.d with mdadm_conf_t
- Confine coreos generators
- Label /run/metadata with afterburn_runtime_t
- Allow afterburn list ssh home directory
- Label samba certificates with samba_cert_t
- Label /run/coreos-installer-reboot with coreos_installer_var_run_t
- Allow virtqemud read virt-dbus process state
- Allow staff user dbus chat with virt-dbus
- Allow staff use watch /run/systemd
- Allow systemd_generator to write kmsg

* Sat Jul 20 2024 Fedora Release Engineering <releng@fedoraproject.org> - 41.9-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_41_Mass_Rebuild

* Tue Jul 16 2024 Zdenek Pytela <zpytela@redhat.com> - 41.9-1
- Allow virtqemud connect to sanlock over a unix stream socket
- Allow virtqemud relabel virt_var_run_t directories
- Allow svirt_tcg_t read vm sysctls
- Allow virtnodedevd connect to systemd-userdbd over a unix socket
- Allow svirt read virtqemud fifo files
- Allow svirt attach_queue to a virtqemud tun_socket
- Allow virtqemud run ssh client with a transition
- Allow virt_dbus_t connect to virtqemud_t over a unix stream socket
- Update keyutils policy
- Allow sshd_keygen_t connect to userdbd over a unix stream socket
- Allow postfix-smtpd read mysql config files
- Allow locate stream connect to systemd-userdbd
- Allow the staff user use wireshark
- Allow updatedb connect to userdbd over a unix stream socket
- Allow gpg_t set attributes of public-keys.d
- Allow gpg_t get attributes of login_userdomain stream
- Allow systemd_getty_generator_t read /proc/1/environ
- Allow systemd_getty_generator_t to read and write to tty_device_t

* Thu Jul 11 2024 Petr Lautrbach <lautrbach@redhat.com> 41.8-4
- Move %postInstall to %posttrans
- Use `Requires(meta): (rpm-plugin-selinux if rpm-libs)`
- Drop obsolete modules from config
- Install dnf protected files only when policy is built

* Thu Jul 11 2024 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 41.8-3
- Relabel files under /usr/bin to fix stale context after sbin merge

* Wed Jul 10 2024 Petr Lautrbach <lautrbach@redhat.com> 41.8-2
- Merge -base and -contrib

* Wed Jul 10 2024 Zdenek Pytela <zpytela@redhat.com> - 41.8-1
- Drop publicfile module
- Remove permissive domain for systemd_nsresourced_t
- Change fs_dontaudit_write_cgroup_files() to apply to cgroup_t
- Label /usr/bin/samba-gpupdate with samba_gpupdate_exec_t
- Allow to create and delete socket files created by rhsm.service
- Allow virtnetworkd exec shell when virt_hooks_unconfined is on
- Allow unconfined_service_t transition to passwd_t
- Support /var is empty
- Allow abrt-dump-journal read all non_security socket files
- Allow timemaster write to sysfs files
- Dontaudit domain write cgroup files
- Label /usr/lib/node_modules/npm/bin with bin_t
- Allow ip the setexec permission
- Allow systemd-networkd write files in /var/lib/systemd/network
- Fix typo in systemd_nsresourced_prog_run_bpf()

* Fri Jun 28 2024 Zdenek Pytela <zpytela@redhat.com> - 41.7-1
- Confine libvirt-dbus
- Allow virtqemud the kill capability in user namespace
- Allow rshim get options of the netlink class for KOBJECT_UEVENT family
- Allow dhcpcd the kill capability
- Allow systemd-networkd list /var/lib/systemd/network
- Allow sysadm_t run systemd-nsresourced bpf programs
- Update policy for systemd generators interactions
- Allow create memory.pressure files with cgroup_memory_pressure_t
- Add support for libvirt hooks

* Wed Jun 19 2024 Zdenek Pytela <zpytela@redhat.com> - 41.6-1
- Allow certmonger read and write tpm devices
- Allow all domains to connect to systemd-nsresourced over a unix socket
- Allow systemd-machined read the vsock device
- Update policy for systemd generators
- Allow ptp4l_t request that the kernel load a kernel module
- Allow sbd to trace processes in user namespace
- Allow request-key execute scripts
- Update policy for haproxyd

* Tue Jun 18 2024 Zdenek Pytela <zpytela@redhat.com> - 41.5-1
- Update policy for systemd-nsresourced
- Correct sbin-related file context entries

* Mon Jun 17 2024 Zdenek Pytela <zpytela@redhat.com> - 41.4-1
- Allow login_userdomain execute systemd-tmpfiles in the caller domain
- Allow virt_driver_domain read files labeled unconfined_t
- Allow virt_driver_domain dbus chat with policykit
- Allow virtqemud manage nfs files when virt_use_nfs boolean is on
- Add rules for interactions between generators
- Label memory.pressure files with cgroup_memory_pressure_t
- Revert "Allow some systemd services write to cgroup files"
- Update policy for systemd-nsresourced
- Label /usr/bin/ntfsck with fsadm_exec_t
- Allow systemd_fstab_generator_t read tmpfs files
- Update policy for systemd-nsresourced
- Alias /usr/sbin to /usr/bin and change all /usr/sbin paths to /usr/bin
- Remove a few lines duplicated between {dkim,milter}.fc
- Alias /bin → /usr/bin and remove redundant paths
- Drop duplicate line for /usr/sbin/unix_chkpwd
- Drop duplicate paths for /usr/sbin

* Tue Jun 11 2024 Zdenek Pytela <zpytela@redhat.com> - 41.3-1
- Update systemd-generator policy
- Remove permissive domain for bootupd_t
- Remove permissive domain for coreos_installer_t
- Remove permissive domain for afterburn_t
- Add the sap module to modules.conf
- Move unconfined_domain(sap_unconfined_t) to an optional block
- Create the sap module
- Allow systemd-coredumpd sys_admin and sys_resource capabilities
- Allow systemd-coredump read nsfs files
- Allow generators auto file transition only for plain files
- Allow systemd-hwdb write to the kernel messages device
- Escape "interface" as a file name in a virt filetrans pattern
- Allow gnome-software work for login_userdomain
- Allow systemd-machined manage runtime sockets
- Revert "Allow systemd-machined manage runtime sockets"

* Fri Jun 07 2024 Zdenek Pytela <zpytela@redhat.com> - 41.2-1
- Allow postfix_domain connect to postgresql over a unix socket
- Dontaudit systemd-coredump sys_admin capability
- Allow all domains read and write z90crypt device
- Allow tpm2 generator setfscreate
- Allow systemd (PID 1) manage systemd conf files
- Allow pulseaudio map its runtime files
- Update policy for getty-generator
- Allow systemd-hwdb send messages to kernel unix datagram sockets
- Allow systemd-machined manage runtime sockets

* Mon Jun 03 2024 Zdenek Pytela <zpytela@redhat.com> - 41.1-1
- Allow fstab-generator create unit file symlinks
- Update policy for cryptsetup-generator
- Update policy for fstab-generator
- Allow virtqemud read vm sysctls
- Allow collectd to trace processes in user namespace
- Allow bootupd search efivarfs dirs
- Add policy for systemd-mountfsd
- Add policy for systemd-nsresourced
- Update policy generators
- Add policy for anaconda-generator
- Update policy for fstab and gpt generators
- Add policy for kdump-dep-generator