* Mon Jun 03 2024 Zdenek Pytela <zpytela@redhat.com> - 41.1-1

- Allow fstab-generator create unit file symlinks

- Update policy for cryptsetup-generator

- Update policy for fstab-generator

- Allow virtqemud read vm sysctls

- Allow collectd to trace processes in user namespace

- Allow bootupd search efivarfs dirs

- Add policy for systemd-mountfsd

- Add policy for systemd-nsresourced

- Update policy generators

- Add policy for anaconda-generator

- Update policy for fstab and gpt generators

- Add policy for kdump-dep-generator

* Thu May 30 2024 Zdenek Pytela <zpytela@redhat.com> - 40.21-1

- Add policy for a generic generator

- Add policy for tpm2 generator

- Add policy for ssh-generator

- Add policy for second batch of generators

- Update policy for systemd generators

- ci: Adjust Cockpit test plans

* Sun May 19 2024 Zdenek Pytela <zpytela@redhat.com> - 40.20-1

- Allow journald read systemd config files and directories

- Allow systemd_domain read systemd_conf_t dirs

- Fix bad Python regexp escapes

- Allow fido services connect to postgres database

* Fri May 17 2024 Zdenek Pytela <zpytela@redhat.com> - 40.19-1

- Allow postfix smtpd map aliases file

- Ensure dbus communication is allowed bidirectionally

- Label systemd configuration files with systemd_conf_t

- Label /run/systemd/machine with systemd_machined_var_run_t

- Allow systemd-hostnamed read the vsock device

- Allow sysadm execute dmidecode using sudo

- Allow sudodomain list files in /var

- Allow setroubleshootd get attributes of all sysctls

- Allow various services read and write z90crypt device

- Allow nfsidmap connect to systemd-homed

- Allow sandbox_x_client_t dbus chat with accountsd

- Allow system_cronjob_t dbus chat with avahi_t

- Allow staff_t the io_uring sqpoll permission

- Allow staff_t use the io_uring API

- Add support for secretmem anon inode

* Thu May 16 2024 Adam Williamson <awilliam@redhat.com> - 40.18-3

- Correct some errors in the RPM macro changes from -2

* Mon May 06 2024 Zdenek Pytela <zpytela@redhat.com> - 40.18-2

- Update rpm configuration for the /var/run equivalency change

* Mon May 06 2024 Zdenek Pytela <zpytela@redhat.com> - 40.18-1

- Allow virtqemud read vfio devices

- Allow virtqemud get attributes of a tmpfs filesystem

- Allow svirt_t read vm sysctls

- Allow virtqemud create and unlink files in /etc/libvirt/

- Allow virtqemud get attributes of cifs files

- Allow virtqemud get attributes of filesystems with extended attributes

- Allow virtqemud get attributes of NFS filesystems

- Allow virt_domain read and write usb devices conditionally

- Allow virtstoraged use the io_uring API

- Allow virtstoraged execute lvm programs in the lvm domain

- Allow virtnodevd_t map /var/lib files

- Allow svirt_tcg_t map svirt_image_t files

- Allow abrt-dump-journal-core connect to systemd-homed

- Allow abrt-dump-journal-core connect to systemd-machined

- Allow sssd create and use io_uring

- Allow selinux-relabel-generator create units dir

- Allow dbus-broker read/write inherited user ttys

* Thu Apr 25 2024 Zdenek Pytela <zpytela@redhat.com> - 40.17-1

- Define transitions for /run/libvirt/common and /run/libvirt/qemu

- Allow systemd-sleep read raw disk data

- Allow numad to trace processes in user namespace

- Allow abrt-dump-journal-core connect to systemd-userdbd

- Allow plymouthd read efivarfs files

- Update the auth_dontaudit_read_passwd_file() interface

- Label /dev/mmcblk0rpmb character device with removable_device_t

- fix hibernate on btrfs swapfile (F40)

- Allow nut to statfs()

- Allow system dbusd service status systemd services

- Allow systemd-timedated get the timemaster service status

* Tue Apr 09 2024 Zdenek Pytela <zpytela@redhat.com> - 40.16-1

- Allow keyutils-dns-resolver connect to the system log service

- Allow qemu-ga read vm sysctls

- postfix: allow qmgr to delete mails in bounce/ directory

- policy: support pidfs

- Confine selinux-autorelabel-generator.sh

- Allow logwatch_mail_t read/write to init over a unix stream socket

- Allow logwatch read logind sessions files

- files_dontaudit_getattr_tmpfs_files allowed the access and didn't dontaudit it

- files_dontaudit_mounton_modules_object allowed the access and didn't dontaudit it

- Allow NetworkManager the sys_ptrace capability in user namespace

- dontaudit execmem for modemmanager

- Allow dhcpcd use unix_stream_socket

- Allow dhcpc read /run/netns files

* Fri Mar 15 2024 Zdenek Pytela <zpytela@redhat.com> - 40.15-1

- Update mmap_rw_file_perms to include the lock permission

- Allow plymouthd log during shutdown

- Add logging_watch_all_log_dirs() and logging_watch_all_log_files()

- Allow journalctl_t read filesystem sysctls

- Allow cgred_t to get attributes of cgroup filesystems

- Allow wdmd read hardware state information

- Allow wdmd list the contents of the sysfs directories

- Allow linuxptp configure phc2sys and chronyd over a unix domain socket

- Allow sulogin relabel tty1

- Dontaudit sulogin the checkpoint_restore capability

- Modify sudo_role_template() to allow getpgid

- Remove incorrect "local" usage in varrun-convert.sh

* Thu Mar 07 2024 Zdenek Pytela <zpytela@redhat.com> - 40.14-2

- Update varrun-convert.sh script to check for existing duplicate entries

* Mon Feb 26 2024 Zdenek Pytela <zpytela@redhat.com> - 40.14-1

- Allow userdomain get attributes of files on an nsfs filesystem

- Allow opafm create NFS files and directories

- Allow virtqemud create and unlink files in /etc/libvirt/

- Allow virtqemud domain transition on swtpm execution

- Add the swtpm.if interface file for interactions with other domains

- Allow samba to have dac_override capability

- systemd: allow sys_admin capability for systemd_notify_t

- systemd: allow systemd_notify_t to send data to kernel_t datagram sockets

- Allow thumb_t to watch and watch_reads mount_var_run_t

- Allow krb5kdc_t map krb5kdc_principal_t files

- Allow unprivileged confined user dbus chat with setroubleshoot

- Allow login_userdomain map files in /var

- Allow wireguard work with firewall-cmd

- Differentiate between staff and sysadm when executing crontab with sudo

- Add crontab_admin_domtrans interface

- Allow abrt_t nnp domain transition to abrt_handle_event_t

- Allow xdm_t to watch and watch_reads mount_var_run_t

- Dontaudit subscription manager setfscreate and read file contexts

- Don't audit crontab_domain write attempts to user home

- Transition from sudodomains to crontab_t when executing crontab_exec_t

- Add crontab_domtrans interface

- Fix label of pseudoterminals created from sudodomain

- Allow utempter_t use ptmx

- Dontaudit rpmdb attempts to connect to sssd over a unix stream socket

- Allow admin user read/write on fixed_disk_device_t

* Mon Feb 12 2024 Zdenek Pytela <zpytela@redhat.com> - 40.13-1

- Only allow confined user domains to login locally without unconfined_login

- Add userdom_spec_domtrans_confined_admin_users interface

- Only allow admindomain to execute shell via ssh with ssh_sysadm_login

- Add userdom_spec_domtrans_admin_users interface

- Move ssh dyntrans to unconfined inside unconfined_login tunable policy

- Update ssh_role_template() for user ssh-agent type

- Allow init to inherit system DBus file descriptors

- Allow init to inherit fds from syslogd

- Allow any domain to inherit fds from rpm-ostree

- Update afterburn policy

- Allow init_t nnp domain transition to abrtd_t

* Tue Feb 06 2024 Zdenek Pytela <zpytela@redhat.com> - 40.12-1

- Rename all /var/lock file context entries to /run/lock

- Rename all /var/run file context entries to /run

- Invert the "/var/run = /run" equivalency

* Mon Feb 05 2024 Zdenek Pytela <zpytela@redhat.com> - 40.11-1

- Replace init domtrans rule for confined users to allow exec init

- Update dbus_role_template() to allow user service status

- Allow polkit status all systemd services

- Allow setroubleshootd create and use inherited io_uring

- Allow load_policy read and write generic ptys

- Allow gpg manage rpm cache

- Allow login_userdomain name_bind to howl and xmsg udp ports

- Allow rules for confined users logged in plasma

- Label /dev/iommu with iommu_device_t

- Remove duplicate file context entries in /run

- Dontaudit getty and plymouth the checkpoint_restore capability

- Allow su domains write login records

- Revert "Allow su domains write login records"

- Allow login_userdomain delete session dbusd tmp socket files

- Allow unix dgram sendto between exim processes

- Allow su domains write login records

- Allow smbd_t to watch user_home_dir_t if samba_enable_home_dirs is on

* Wed Jan 24 2024 Zdenek Pytela <zpytela@redhat.com> - 40.10-1

- Allow chronyd-restricted read chronyd key files

- Allow conntrackd_t to use bpf capability2

- Allow systemd-networkd manage its runtime socket files

- Allow init_t nnp domain transition to colord_t

- Allow polkit status systemd services

- nova: Fix duplicate declarations

- Allow httpd work with PrivateTmp

- Add interfaces for watching and reading ifconfig_var_run_t

- Allow collectd read raw fixed disk device

- Allow collectd read udev pid files

- Set correct label on /etc/pki/pki-tomcat/kra

- Allow systemd domains watch system dbus pid socket files

- Allow certmonger read network sysctls

- Allow mdadm list stratisd data directories

- Allow syslog to run unconfined scripts conditionally

- Allow syslogd_t nnp_transition to syslogd_unconfined_script_t

- Allow qatlib set attributes of vfio device files

* Tue Jan 09 2024 Zdenek Pytela <zpytela@redhat.com> - 40.9-1

- Allow systemd-sleep set attributes of efivarfs files

- Allow samba-dcerpcd read public files

- Allow spamd_update_t the sys_ptrace capability in user namespace

- Allow bluetooth devices work with alsa

- Allow alsa get attributes filesystems with extended attributes

* Tue Jan 02 2024 Yaakov Selkowitz <yselkowi@redhat.com> - 40.8-2

- Limit %%selinux_requires to version, not release

* Thu Dec 21 2023 Zdenek Pytela <zpytela@redhat.com> - 40.8-1

- Allow hypervkvp_t write access to NetworkManager_etc_rw_t

- Add interface for write-only access to NetworkManager rw conf

- Allow systemd-sleep send a message to syslog over a unix dgram socket

- Allow init create and use netlink netfilter socket

- Allow qatlib load kernel modules

- Allow qatlib run lspci

- Allow qatlib manage its private runtime socket files

- Allow qatlib read/write vfio devices

- Label /etc/redis.conf with redis_conf_t

- Remove the lockdown-class rules from the policy

- Allow init read all non-security socket files

- Replace redundant dnsmasq pattern macros

- Remove unneeded symlink perms in dnsmasq.if

- Add additions to dnsmasq interface

- Allow nvme_stas_t create and use netlink kobject uevent socket

- Allow collectd connect to statsd port

- Allow keepalived_t to use sys_ptrace of cap_userns

- Allow dovecot_auth_t connect to postgresql using UNIX socket

* Wed Dec 13 2023 Zdenek Pytela <zpytela@redhat.com> - 40.7-1

- Make named_zone_t and named_var_run_t a part of the mountpoint attribute

- Allow sysadm execute traceroute in sysadm_t domain using sudo

- Allow sysadm execute tcpdump in sysadm_t domain using sudo

- Allow opafm search nfs directories

- Add support for syslogd unconfined scripts

- Allow gpsd use /dev/gnss devices

- Allow gpg read rpm cache

- Allow virtqemud additional permissions

- Allow virtqemud manage its private lock files

- Allow virtqemud use the io_uring api

- Allow ddclient send e-mail notifications

- Allow postfix_master_t map postfix data files

- Allow init create and use vsock sockets

- Allow thumb_t append to init unix domain stream sockets

- Label /dev/vas with vas_device_t

- Change domain_kernel_load_modules boolean to true

- Create interface selinux_watch_config and add it to SELinux users

* Tue Nov 28 2023 Zdenek Pytela <zpytela@redhat.com> - 40.6-1

- Add afterburn to modules-targeted-contrib.conf

- Update cifs interfaces to include fs_search_auto_mountpoints()

- Allow sudodomain read var auth files

- Allow spamd_update_t read hardware state information

- Allow virtnetworkd domain transition on tc command execution

- Allow sendmail MTA connect to sendmail LDA

- Allow auditd read all domains process state

- Allow rsync read network sysctls

- Add dhcpcd bpf capability to run bpf programs

- Dontaudit systemd-hwdb dac_override capability

- Allow systemd-sleep create efivarfs files

* Tue Nov 14 2023 Zdenek Pytela <zpytela@redhat.com> - 40.5-1

- Allow map xserver_tmpfs_t files when xserver_clients_write_xshm is on

- Allow graphical applications work in Wayland

- Allow kdump work with PrivateTmp

- Allow dovecot-auth work with PrivateTmp

- Allow nfsd get attributes of all filesystems

- Allow unconfined_domain_type use io_uring cmd on domain

- ci: Only run Rawhide revdeps tests on the rawhide branch

- Label /var/run/auditd.state as auditd_var_run_t

- Allow fido-device-onboard (FDO) read the crack database

- Allow ip an explicit domain transition to other domains

- Label /usr/libexec/selinux/selinux-autorelabel with semanage_exec_t

- Allow  winbind_rpcd_t processes access when samba_export_all_* is on

- Enable NetworkManager and dhclient to use initramfs-configured DHCP connection

- Allow ntp to bind and connect to ntske port.

- Allow system_mail_t manage exim spool files and dirs

- Dontaudit keepalived setattr on keepalived_unconfined_script_exec_t

- Label /run/pcsd.socket with cluster_var_run_t

- ci: Run cockpit tests in PRs

* Thu Oct 19 2023 Zdenek Pytela <zpytela@redhat.com> - 40.4-1

- Add map_read map_write to kernel_prog_run_bpf

- Allow systemd-fstab-generator read all symlinks

- Allow systemd-fstab-generator the dac_override capability

- Allow rpcbind read network sysctls

- Support using systemd containers

- Allow sysadm_t to connect to iscsid using a unix domain stream socket

- Add policy for coreos installer

- Add coreos_installer to modules-targeted-contrib.conf

* Tue Oct 17 2023 Zdenek Pytela <zpytela@redhat.com> - 40.3-1

- Add policy for nvme-stas

- Confine systemd fstab,sysv,rc-local

- Label /etc/aliases.lmdb with etc_aliases_t

- Create policy for afterburn

- Add nvme_stas to modules-targeted-contrib.conf

- Add plans/tests.fmf

* Tue Oct 10 2023 Zdenek Pytela <zpytela@redhat.com> - 40.2-1

- Add the virt_supplementary module to modules-targeted-contrib.conf

- Make new virt drivers permissive

- Split virt policy, introduce virt_supplementary module

- Allow apcupsd cgi scripts read /sys

- Merge pull request #1893 from WOnder93/more-early-boot-overlay-fixes

- Allow kernel_t to manage and relabel all files

- Add missing optional_policy() to files_relabel_all_files()

* Tue Oct 03 2023 Zdenek Pytela <zpytela@redhat.com> - 40.1-1

- Allow named and ndc use the io_uring api

- Deprecate common_anon_inode_perms usage

- Improve default file context(None) of /var/lib/authselect/backups

- Allow udev_t to search all directories with a filesystem type

- Implement proper anon_inode support

- Allow targetd write to the syslog pid sock_file

- Add ipa_pki_retrieve_key_exec() interface

- Allow kdumpctl_t to list all directories with a filesystem type

- Allow udev additional permissions

- Allow udev load kernel module

- Allow sysadm_t to mmap modules_object_t files

- Add the unconfined_read_files() and unconfined_list_dirs() interfaces

- Set default file context of HOME_DIR/tmp/.* to <<none>>

- Allow kernel_generic_helper_t to execute mount(1)

* Fri Sep 29 2023 Zdenek Pytela <zpytela@redhat.com> - 38.29-1

- Allow sssd send SIGKILL to passkey_child running in ipa_otpd_t

- Allow systemd-localed create Xserver config dirs

- Allow sssd read symlinks in /etc/sssd

- Label /dev/gnss[0-9] with gnss_device_t

- Allow systemd-sleep read/write efivarfs variables

- ci: Fix version number of packit generated srpms

- Dontaudit rhsmcertd write memory device

- Allow ssh_agent_type create a sockfile in /run/user/USERID

- Set default file context of /var/lib/authselect/backups to <<none>>

- Allow prosody read network sysctls

- Allow cupsd_t to use bpf capability

* Fri Sep 15 2023 Zdenek Pytela <zpytela@redhat.com> - 38.28-1

- Allow sssd domain transition on passkey_child execution conditionally

- Allow login_userdomain watch lnk_files in /usr

- Allow login_userdomain watch video4linux devices

- Change systemd-network-generator transition to include class file

- Revert "Change file transition for systemd-network-generator"

- Allow nm-dispatcher winbind plugin read/write samba var files

- Allow systemd-networkd write to cgroup files

- Allow kdump create and use its memfd: objects

* Thu Aug 31 2023 Zdenek Pytela <zpytela@redhat.com> - 38.27-1

- Allow fedora-third-party get generic filesystem attributes

- Allow sssd use usb devices conditionally

- Update policy for qatlib

- Allow ssh_agent_type manage generic cache home files

* Thu Aug 24 2023 Zdenek Pytela <zpytela@redhat.com> - 38.26-1

- Change file transition for systemd-network-generator

- Additional support for gnome-initial-setup

- Update gnome-initial-setup policy for geoclue

- Allow openconnect vpn open vhost net device

- Allow cifs.upcall to connect to SSSD also through the /var/run socket

- Grant cifs.upcall more required capabilities

- Allow xenstored map xenfs files

- Update policy for fdo

- Allow keepalived watch var_run dirs

- Allow svirt to rw /dev/udmabuf

- Allow qatlib  to modify hardware state information.

- Allow key.dns_resolve connect to avahi over a unix stream socket

- Allow key.dns_resolve create and use unix datagram socket

- Use quay.io as the container image source for CI

* Fri Aug 11 2023 Zdenek Pytela <zpytela@redhat.com> - 38.25-1

- ci: Move srpm/rpm build to packit

- .copr: Avoid subshell and changing directory

- Allow gpsd, oddjob and oddjob_mkhomedir_t write user_tty_device_t chr_file

- Label /usr/libexec/openssh/ssh-pkcs11-helper with ssh_agent_exec_t

- Make insights_client_t an unconfined domain

- Allow insights-client manage user temporary files

- Allow insights-client create all rpm logs with a correct label

- Allow insights-client manage generic logs

- Allow cloud_init create dhclient var files and init_t manage net_conf_t

- Allow insights-client read and write cluster tmpfs files

- Allow ipsec read nsfs files

- Make tuned work with mls policy

- Remove nsplugin_role from mozilla.if

- allow mon_procd_t self:cap_userns sys_ptrace

- Allow pdns name_bind and name_connect all ports

- Set the MLS range of fsdaemon_t to s0 - mls_systemhigh

- ci: Move to actions/checkout@v3 version

- .copr: Replace chown call with standard workflow safe.directory setting

- .copr: Enable `set -u` for robustness

- .copr: Simplify root directory variable

* Fri Aug 04 2023 Zdenek Pytela <zpytela@redhat.com> - 38.24-1

- Allow rhsmcertd dbus chat with policykit

- Allow polkitd execute pkla-check-authorization with nnp transition

- Allow user_u and staff_u get attributes of non-security dirs

- Allow unconfined user filetrans chrome_sandbox_home_t

- Allow svnserve execute postdrop with a transition

- Do not make postfix_postdrop_t type an MTA executable file

- Allow samba-dcerpc service manage samba tmp files

- Add use_nfs_home_dirs boolean for mozilla_plugin

- Fix labeling for no-stub-resolv.conf

* Wed Aug 02 2023 Zdenek Pytela <zpytela@redhat.com> - 38.23-1

- Revert "Allow winbind-rpcd use its private tmp files"

- Allow upsmon execute upsmon via a helper script

- Allow openconnect vpn read/write inherited vhost net device

- Allow winbind-rpcd use its private tmp files

- Update samba-dcerpc policy for printing

- Allow gpsd,oddjob,oddjob_mkhomedir rw user domain pty

- Allow nscd watch system db dirs

- Allow qatlib to read sssd public files

- Allow fedora-third-party read /sys and proc

- Allow systemd-gpt-generator mount a tmpfs filesystem

- Allow journald write to cgroup files

- Allow rpc.mountd read network sysctls

- Allow blueman read the contents of the sysfs filesystem

- Allow logrotate_t to map generic files in /etc

- Boolean: Allow virt_qemu_ga create ssh directory

* Tue Jul 25 2023 Zdenek Pytela <zpytela@redhat.com> - 38.22-1

- Allow systemd-network-generator send system log messages

- Dontaudit the execute permission on sock_file globally

- Allow fsadm_t the file mounton permission

- Allow named and ndc the io_uring sqpoll permission

- Allow sssd io_uring sqpoll permission

- Fix location for /run/nsd

- Allow qemu-ga get fixed disk devices attributes

- Update bitlbee policy

- Label /usr/sbin/sos with sosreport_exec_t

- Update policy for the sblim-sfcb service

- Add the files_getattr_non_auth_dirs() interface

- Fix the CI to work with DNF5

* Sat Jul 22 2023 Fedora Release Engineering <releng@fedoraproject.org> - 38.21-2

- Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild

* Thu Jul 13 2023 Zdenek Pytela <zpytela@redhat.com> - 38.21-1

- Make systemd_tmpfiles_t MLS trusted for lowering the level of files

- Revert "Allow insights client map cache_home_t"

- Allow nfsidmapd connect to systemd-machined over a unix socket

- Allow snapperd connect to kernel over a unix domain stream socket

- Allow virt_qemu_ga_t create .ssh dir with correct label

- Allow targetd read network sysctls

- Set the abrt_handle_event boolean to on

- Permit kernel_t to change the user identity in object contexts

- Allow insights client map cache_home_t

- Label /usr/sbin/mariadbd with mysqld_exec_t

- Trim changelog so that it starts at F37 time

- Define equivalency for /run/systemd/generator.early

* Thu Jun 29 2023 Zdenek Pytela <zpytela@redhat.com> - 38.20-1

- Allow httpd tcp connect to redis port conditionally

- Label only /usr/sbin/ripd and ripngd with zebra_exec_t

- Dontaudit aide the execmem permission

- Remove permissive from fdo

- Allow sa-update manage spamc home files

- Allow sa-update connect to systemlog services

- Label /usr/lib/systemd/system/mimedefang.service with antivirus_unit_file_t

- Allow nsd_crond_t write nsd_var_run_t & connectto nsd_t

- Allow bootupd search EFI directory

* Tue Jun 27 2023 Zdenek Pytela <zpytela@redhat.com> - 38.19-1

- Change init_audit_control default value to true

- Allow nfsidmapd connect to systemd-userdbd with a unix socket

- Add the qatlib  module

- Add the fdo module

- Add the bootupd module

- Set default ports for keylime policy

- Create policy for qatlib

- Add policy for FIDO Device Onboard

- Add policy for bootupd

- Add the qatlib module

- Add the fdo module

- Add the bootupd module

* Sun Jun 25 2023 Zdenek Pytela <zpytela@redhat.com> - 38.18-1

- Add support for kafs-dns requested by keyutils

- Allow insights-client execmem

- Add support for chronyd-restricted

- Add init_explicit_domain() interface

- Allow fsadm_t to get attributes of cgroup filesystems

- Add list_dir_perms to kerberos_read_keytab

- Label /var/run/tmpfiles.d/static-nodes.conf with kmod_var_run_t

- Allow sendmail manage its runtime files

- Allow keyutils_dns_resolver_exec_t be an entrypoint

- Allow collectd_t read network state symlinks

- Revert "Allow collectd_t read proc_net link files"

- Allow nfsd_t to list exports_t dirs

- Allow cupsd dbus chat with xdm

- Allow haproxy read hardware state information

- Add the kafs module

* Thu Jun 15 2023 Zdenek Pytela <zpytela@redhat.com> - 38.17-1

- Label /dev/userfaultfd with userfaultfd_t

- Allow blueman send general signals to unprivileged user domains

- Allow dkim-milter domain transition to sendmail

- Label /usr/sbin/cifs.idmap with cifs_helper_exec_t

- Allow cifs-helper read sssd kerberos configuration files

- Allow rpm_t sys_admin capability

- Allow dovecot_deliver_t create/map dovecot_spool_t dir/file

- Allow collectd_t read proc_net link files

- Allow insights-client getsession process permission

- Allow insights-client work with pipe and socket tmp files

- Allow insights-client map generic log files

- Update cyrus_stream_connect() to use sockets in /run

- Allow keyutils-dns-resolver read/view kernel key ring

- Label /var/log/kdump.log with kdump_log_t

* Fri Jun 09 2023 Zdenek Pytela <zpytela@redhat.com> - 38.16-1

- Add support for the systemd-pstore service

- Allow kdumpctl_t to execmem

- Update sendmail policy module for opensmtpd

- Allow nagios-mail-plugin exec postfix master

- Allow subscription-manager execute ip

- Allow ssh client connect with a user dbus instance

- Add support for ksshaskpass

- Allow rhsmcertd file transition in /run also for socket files

- Allow keyutils_dns_resolver_t execute keyutils_dns_resolver_exec_t

- Allow plymouthd read/write X server miscellaneous devices

- Allow systemd-sleep read udev pid files

- Allow exim read network sysctls

- Allow sendmail request load module

- Allow named map its conf files

- Allow squid map its cache files

- Allow NetworkManager_dispatcher_dhclient_t to execute shells without a domain transition

* Tue May 30 2023 Zdenek Pytela <zpytela@redhat.com> - 38.15-1

- Update policy for systemd-sleep

- Remove permissive domain for rshim_t

- Remove permissive domain for mptcpd_t

- Allow systemd-bootchartd the sys_ptrace userns capability

- Allow sysadm_t read nsfs files

- Allow sysadm_t run kernel bpf programs

- Update ssh_role_template for ssh-agent

- Update ssh_role_template to allow read/write unallocated ttys

- Add the booth module to modules.conf

- Allow firewalld rw ica_tmpfs_t files

* Fri May 26 2023 Zdenek Pytela <zpytela@redhat.com> - 38.14-1

- Remove permissive domain for cifs_helper_t

- Update the cifs-helper policy

- Replace cifsutils_helper_domtrans() with keyutils_request_domtrans_to()

- Update pkcsslotd policy for sandboxing

- Allow abrt_t read kernel persistent storage files

- Dontaudit targetd search httpd config dirs

- Allow init_t nnp domain transition to policykit_t

- Allow rpcd_lsad setcap and use generic ptys

- Allow samba-dcerpcd connect to systemd_machined over a unix socket

- Allow wireguard to rw network sysctls

- Add policy for boothd

- Allow kernel to manage its own BPF objects

- Label /usr/lib/systemd/system/proftpd.* & vsftpd.* with ftpd_unit_file_t

* Mon May 22 2023 Zdenek Pytela <zpytela@redhat.com> - 38.13-1

- Add initial policy for cifs-helper

- Label key.dns_resolver with keyutils_dns_resolver_exec_t

- Allow unconfined_service_t to create .gnupg labeled as gpg_secret_t

- Allow some systemd services write to cgroup files

- Allow NetworkManager_dispatcher_dhclient_t to read the DHCP configuration files

- Allow systemd resolved to bind to arbitrary nodes

- Allow plymouthd_t bpf capability to run bpf programs

- Allow cupsd to create samba_var_t files

- Allow rhsmcert request the kernel to load a module

- Allow virsh name_connect virt_port_t

- Allow certmonger manage cluster library files

- Allow plymouthd read init process state

- Add chromium_sandbox_t setcap capability

- Allow snmpd read raw disk data

- Allow samba-rpcd work with passwords

- Allow unconfined service inherit signal state from init

- Allow cloud-init manage gpg admin home content

- Allow cluster_t dbus chat with various services

- Allow nfsidmapd work with systemd-userdbd and sssd

- Allow unconfined_domain_type use IORING_OP_URING_CMD on all device nodes

- Allow plymouthd map dri and framebuffer devices

- Allow rpmdb_migrate execute rpmdb

- Allow logrotate dbus chat with systemd-hostnamed

- Allow icecast connect to kernel using a unix stream socket

- Allow lldpad connect to systemd-userdbd over a unix socket

- Allow journalctl open user domain ptys and ttys

- Allow keepalived to manage its tmp files

- Allow ftpd read network sysctls

- Label /run/bgpd with zebra_var_run_t

- Allow gssproxy read network sysctls

- Add the cifsutils module

* Tue Apr 25 2023 Zdenek Pytela <zpytela@redhat.com> - 38.12-1

- Allow telnetd read network sysctls

- Allow munin system plugin read generic SSL certificates

- Allow munin system plugin create and use netlink generic socket

- Allow login_userdomain create user namespaces

- Allow request-key to send syslog messages

- Allow request-key to read/view any key

- Add fs_delete_pstore_files() interface

- Allow insights-client work with teamdctl

- Allow insights-client read unconfined service semaphores

- Allow insights-client get quotas of all filesystems

- Add fs_read_pstore_files() interface

- Allow generic kernel helper to read inherited kernel pipes

* Fri Apr 14 2023 Zdenek Pytela <zpytela@redhat.com> - 38.11-1

- Allow dovecot-deliver write to the main process runtime fifo files

- Allow dmidecode write to cloud-init tmp files

- Allow chronyd send a message to cloud-init over a datagram socket

- Allow cloud-init domain transition to insights-client domain

- Allow mongodb read filesystem sysctls

- Allow mongodb read network sysctls

- Allow accounts-daemon read generic systemd unit lnk files

- Allow blueman watch generic device dirs

- Allow nm-dispatcher tlp plugin create tlp dirs

- Allow systemd-coredump mounton /usr

- Allow rabbitmq to read network sysctls

* Tue Apr 04 2023 Zdenek Pytela <zpytela@redhat.com> - 38.10-1

- Allow certmonger dbus chat with the cron system domain

- Allow geoclue read network sysctls

- Allow geoclue watch the /etc directory

- Allow logwatch_mail_t read network sysctls

- Allow insights-client read all sysctls

- Allow passt manage qemu pid sock files

* Fri Mar 24 2023 Zdenek Pytela <zpytela@redhat.com> - 38.9-1

- Allow sssd read accountsd fifo files

- Add support for the passt_t domain

- Allow virtd_t and svirt_t work with passt

- Add new interfaces in the virt module

- Add passt interfaces defined conditionally

- Allow tshark the setsched capability

- Allow poweroff create connections to system dbus

- Allow wg load kernel modules, search debugfs dir

- Boolean: allow qemu-ga manage ssh home directory

- Label smtpd with sendmail_exec_t

- Label msmtp and msmtpd with sendmail_exec_t

- Allow dovecot to map files in /var/spool/dovecot

* Fri Mar 03 2023 Zdenek Pytela <zpytela@redhat.com> - 38.8-1

- Confine gnome-initial-setup

- Allow qemu-guest-agent create and use vsock socket

- Allow login_pgm setcap permission

- Allow chronyc read network sysctls

- Enhancement of the /usr/sbin/request-key helper policy

- Fix opencryptoki file names in /dev/shm

- Allow system_cronjob_t transition to rpm_script_t

- Revert "Allow system_cronjob_t domtrans to rpm_script_t"

- Add tunable to allow squid bind snmp port

- Allow staff_t getattr init pid chr & blk files and read krb5

- Allow firewalld to rw z90crypt device

- Allow httpd work with tokens in /dev/shm

- Allow svirt to map svirt_image_t char files

- Allow sysadm_t run initrc_t script and sysadm_r role access

- Allow insights-client manage fsadm pid files

* Wed Feb 08 2023 Zdenek Pytela <zpytela@redhat.com> - 38.7-1

- Allowing snapper to create snapshots of /home/ subvolume/partition

- Add boolean qemu-ga to run unconfined script

- Label systemd-journald feature LogNamespace

- Add none file context for polyinstantiated tmp dirs

- Allow certmonger read the contents of the sysfs filesystem

- Add journalctl the sys_resource capability

- Allow nm-dispatcher plugins read generic files in /proc

- Add initial policy for the /usr/sbin/request-key helper

- Additional support for rpmdb_migrate

- Add the keyutils module

* Mon Jan 30 2023 Zdenek Pytela <zpytela@redhat.com> - 38.6-1

- Boolean: allow qemu-ga read ssh home directory

- Allow kernel_t to read/write all sockets

- Allow kernel_t to UNIX-stream connect to all domains

- Allow systemd-resolved send a datagram to journald

- Allow kernel_t to manage and have "execute" access to all files

- Fix the files_manage_all_files() interface

- Allow rshim bpf cap2 and read sssd public files

- Allow insights-client work with su and lpstat

- Allow insights-client tcp connect to all ports

- Allow nm-cloud-setup dispatcher plugin restart nm services

- Allow unconfined user filetransition for sudo log files

- Allow modemmanager create hardware state information files

- Allow ModemManager all permissions for netlink route socket

- Allow wg to send msg to kernel, write to syslog and dbus connections

- Allow hostname_t to read network sysctls.

- Dontaudit ftpd the execmem permission

- Allow svirt request the kernel to load a module

- Allow icecast rename its log files

- Allow upsd to send signal to itself

- Allow wireguard to create udp sockets and read net_conf

- Use '%autosetup' instead of '%setup'

- Pass -p 1 to '%autosetup'

* Sat Jan 21 2023 Fedora Release Engineering <releng@fedoraproject.org> - 38.5-2

- Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild

* Fri Jan 13 2023 Zdenek Pytela <zpytela@redhat.com> - 38.5-1

- Allow insights client work with gluster and pcp

- Add insights additional capabilities

- Add interfaces in domain, files, and unconfined modules

- Label fwupdoffline and fwupd-detect-cet with fwupd_exec_t

- Allow sudodomain use sudo.log as a logfile

- Allow pdns server map its library files and bind to unreserved ports

- Allow sysadm_t read/write ipmi devices

- Allow prosody manage its runtime socket files

- Allow kernel threads manage kernel keys

- Allow systemd-userdbd the sys_resource capability

- Allow systemd-journal list cgroup directories

- Allow apcupsd dbus chat with systemd-logind

- Allow nut_domain manage also files and sock_files in /var/run

- Allow winbind-rpcd make a TCP connection to the ldap port

- Label /usr/lib/rpm/rpmdb_migrate with rpmdb_exec_t

- Allow tlp read generic SSL certificates

- Allow systemd-resolved watch tmpfs directories

- Revert "Allow systemd-resolved watch tmpfs directories"

* Mon Dec 19 2022 Zdenek Pytela <zpytela@redhat.com> - 38.4-1

- Allow NetworkManager and wpa_supplicant the bpf capability

- Allow systemd-rfkill the bpf capability

- Allow winbind-rpcd manage samba_share_t files and dirs

- Label /var/lib/httpd/md(/.*)? with httpd_sys_rw_content_t

- Allow gpsd the sys_ptrace userns capability

- Introduce gpsd_tmp_t for sockfiles managed by gpsd_t

- Allow load_policy_t write to unallocated ttys

- Allow ndc read hardware state information

- Allow system mail service read inherited certmonger runtime files

- Add lpr_roles  to system_r roles

- Revert "Allow insights-client run lpr and allow the proper role"

- Allow stalld to read /sys/kernel/security/lockdown file

- Allow keepalived to set resource limits

- Add policy for mptcpd

- Add policy for rshim

- Allow admin users to create user namespaces

- Allow journalctl relabel with var_log_t and syslogd_var_run_t files

- Do not run restorecon /etc/NetworkManager/dispatcher.d in targeted

- Trim changelog so that it starts at F35 time

- Add mptcpd and rshim modules

* Wed Dec 14 2022 Zdenek Pytela <zpytela@redhat.com> - 38.3-1

- Allow insights-client dbus chat with various services

- Allow insights-client tcp connect to various ports

- Allow insights-client run lpr and allow the proper role

- Allow insights-client work with pcp and manage user config files

- Allow redis get user names

- Allow kernel threads to use fds from all domains

- Allow systemd-modules-load load kernel modules

- Allow login_userdomain watch systemd-passwd pid dirs

- Allow insights-client dbus chat with abrt

- Grant kernel_t certain permissions in the system class

- Allow systemd-resolved watch tmpfs directories

- Allow systemd-timedated watch init runtime dir

- Make `bootc` be `install_exec_t`

- Allow systemd-coredump create user_namespace

- Allow syslog the setpcap capability

- donaudit virtlogd and dnsmasq execmem

* Tue Dec 06 2022 Zdenek Pytela <zpytela@redhat.com> - 38.2-1

- Don't make kernel_t an unconfined domain

- Don't allow kernel_t to execute bin_t/usr_t binaries without a transition

- Allow kernel_t to execute systemctl to do a poweroff/reboot

- Grant basic permissions to the domain created by systemd_systemctl_domain()

- Allow kernel_t to request module loading

- Allow kernel_t to do compute_create

- Allow kernel_t to manage perf events

- Grant almost all capabilities to kernel_t

- Allow kernel_t to fully manage all devices

- Revert "In domain_transition_pattern there is no permission allowing caller domain to execu_no_trans on entrypoint, this patch fixing this issue"

- Allow pulseaudio to write to session_dbusd tmp socket files

- Allow systemd and unconfined_domain_type create user_namespace

- Add the user_namespace security class

- Reuse tmpfs_t also for the ramfs filesystem

- Label udf tools with fsadm_exec_t

- Allow networkmanager_dispatcher_plugin work with nscd

- Watch_sb all file type directories.

- Allow spamc read hardware state information files

- Allow sysadm read ipmi devices

- Allow insights client communicate with cupsd, mysqld, openvswitch, redis

- Allow insights client read raw memory devices

- Allow the spamd_update_t domain get generic filesystem attributes

- Dontaudit systemd-gpt-generator the sys_admin capability

- Allow ipsec_t only read tpm devices

- Allow cups-pdf connect to the system log service

- Allow postfix/smtpd read kerberos key table

- Allow syslogd read network sysctls

- Allow cdcc mmap dcc-client-map files

- Add watch and watch_sb dosfs interface

* Mon Nov 21 2022 Zdenek Pytela <zpytela@redhat.com> - 38.1-1

- Revert "Allow sysadm_t read raw memory devices"

- Allow systemd-socket-proxyd get attributes of cgroup filesystems

- Allow rpc.gssd read network sysctls

- Allow winbind-rpcd get attributes of device and pty filesystems

- Allow insights-client domain transition on semanage execution

- Allow insights-client create gluster log dir with a transition

- Allow insights-client manage generic locks

- Allow insights-client unix_read all domain semaphores

- Add domain_unix_read_all_semaphores() interface

- Allow winbind-rpcd use the terminal multiplexor

- Allow mrtg send mails

- Allow systemd-hostnamed dbus chat with init scripts

- Allow sssd dbus chat with system cronjobs

- Add interface to watch all filesystems

- Add watch_sb interfaces

- Add watch interfaces

- Allow dhcpd bpf capability to run bpf programs

- Allow netutils and traceroute bpf capability to run bpf programs

- Allow pkcs_slotd_t bpf capability to run bpf programs

- Allow xdm bpf capability to run bpf programs

- Allow pcscd bpf capability to run bpf programs

- Allow lldpad bpf capability to run bpf programs

- Allow keepalived bpf capability to run bpf programs

- Allow ipsec bpf capability to run bpf programs

- Allow fprintd bpf capability to run bpf programs

- Allow systemd-socket-proxyd get filesystems attributes

- Allow dirsrv_snmp_t to manage dirsrv_config_t & dirsrv_var_run_t files

* Mon Oct 31 2022 Zdenek Pytela <zpytela@redhat.com> - 37.14-1

- Allow rotatelogs read httpd_log_t symlinks

- Add winbind-rpcd to samba_enable_home_dirs boolean

- Allow system cronjobs dbus chat with setroubleshoot

- Allow setroubleshootd read device sysctls

- Allow virt_domain read device sysctls

- Allow rhcd compute selinux access vector

- Allow insights-client manage samba var dirs

- Label ports 10161-10162 tcp/udp with snmp

- Allow aide to connect to systemd_machined with a unix socket.

- Allow samba-dcerpcd use NSCD services over a unix stream socket

- Allow vlock search the contents of the /dev/pts directory

- Allow insights-client send null signal to rpm and system cronjob

- Label port 15354/tcp and 15354/udp with opendnssec

- Allow ftpd map ftpd_var_run files

- Allow targetclid to manage tmp files

- Allow insights-client connect to postgresql with a unix socket

- Allow insights-client domtrans on unix_chkpwd execution

- Add file context entries for insights-client and rhc

- Allow pulseaudio create gnome content (~/.config)

- Allow login_userdomain dbus chat with rhsmcertd

- Allow sbd the sys_ptrace capability

- Allow ptp4l_t name_bind ptp_event_port_t

* Mon Oct 03 2022 Zdenek Pytela <zpytela@redhat.com> - 37.13-1

- Remove the ipa module

- Allow sss daemons read/write unnamed pipes of cloud-init

- Allow postfix_mailqueue create and use unix dgram sockets

- Allow xdm watch user home directories

- Allow nm-dispatcher ddclient plugin load a kernel module

- Stop ignoring standalone interface files

- Drop cockpit module

- Allow init map its private tmp files

- Allow xenstored change its hard resource limits

- Allow system_mail-t read network sysctls

- Add bgpd sys_chroot capability

* Thu Sep 22 2022 Zdenek Pytela <zpytela@redhat.com> - 37.12-1

- nut-upsd: kernel_read_system_state, fs_getattr_cgroup

- Add numad the ipc_owner capability

- Allow gst-plugin-scanner read virtual memory sysctls

- Allow init read/write inherited user fifo files

- Update dnssec-trigger policy: setsched, module_request

- added policy for systemd-socket-proxyd

- Add the new 'cmd' permission to the 'io_uring' class

- Allow winbind-rpcd read and write its key ring

- Label /run/NetworkManager/no-stub-resolv.conf net_conf_t

- blueman-mechanism can read ~/.local/lib/python*/site-packages directory

- pidof executed by abrt can readlink /proc/*/exe

- Fix typo in comment

- Do not run restorecon /etc/NetworkManager/dispatcher.d in mls and minimum

* Wed Sep 14 2022 Zdenek Pytela <zpytela@redhat.com> - 37.11-1

- Allow tor get filesystem attributes

- Allow utempter append to login_userdomain stream

- Allow login_userdomain accept a stream connection to XDM

- Allow login_userdomain write to boltd named pipes

- Allow staff_u and user_u users write to bolt pipe

- Allow login_userdomain watch various directories

- Update rhcd policy for executing additional commands 5

- Update rhcd policy for executing additional commands 4

- Allow rhcd create rpm hawkey logs with correct label

- Allow systemd-gpt-auto-generator to check for empty dirs

- Update rhcd policy for executing additional commands 3

- Allow journalctl read rhcd fifo files

- Update insights-client policy for additional commands execution 5

- Allow init remount all file_type filesystems

- Confine insights-client systemd unit

- Update insights-client policy for additional commands execution 4