* Thu Jul 25 2024 Zdenek Pytela <zpytela@redhat.com> - 41.11-1

- Make cgroup_memory_pressure_t a part of the file_type attribute

- Allow ssh_t to change role to system_r

- Update policy for coreos generators

- Allow init_t nnp domain transition to firewalld_t

- Label /run/modprobe.d with modules_conf_t

- Allow virtnodedevd run udev with a domain transition

- Allow virtnodedev_t create and use virtnodedev_lock_t

- Allow virtstoraged manage files with virt_content_t type

- Allow virtqemud unmount a filesystem with extended attributes

- Allow svirt_t connect to unconfined_t over a unix domain socket

* Mon Jul 22 2024 Zdenek Pytela <zpytela@redhat.com> - 41.10-1

- Update afterburn file transition policy

- Allow systemd_generator read attributes of all filesystems

- Allow fstab-generator read and write cryptsetup-generator unit file

- Allow cryptsetup-generator read and write fstab-generator unit file

- Allow systemd_generator map files in /etc

- Allow systemd_generator read init's process state

- Allow coreos-installer-generator read sssd public files

- Allow coreos-installer-generator work with partitions

- Label /etc/mdadm.conf.d with mdadm_conf_t

- Confine coreos generators

- Label /run/metadata with afterburn_runtime_t

- Allow afterburn list ssh home directory

- Label samba certificates with samba_cert_t

- Label /run/coreos-installer-reboot with coreos_installer_var_run_t

- Allow virtqemud read virt-dbus process state

- Allow staff user dbus chat with virt-dbus

- Allow staff use watch /run/systemd

- Allow systemd_generator to write kmsg

* Sat Jul 20 2024 Fedora Release Engineering <releng@fedoraproject.org> - 41.9-2

- Rebuilt for https://fedoraproject.org/wiki/Fedora_41_Mass_Rebuild

* Tue Jul 16 2024 Zdenek Pytela <zpytela@redhat.com> - 41.9-1

- Allow virtqemud connect to sanlock over a unix stream socket

- Allow virtqemud relabel virt_var_run_t directories

- Allow svirt_tcg_t read vm sysctls

- Allow virtnodedevd connect to systemd-userdbd over a unix socket

- Allow svirt read virtqemud fifo files

- Allow svirt attach_queue to a virtqemud tun_socket

- Allow virtqemud run ssh client with a transition

- Allow virt_dbus_t connect to virtqemud_t over a unix stream socket

- Update keyutils policy

- Allow sshd_keygen_t connect to userdbd over a unix stream socket

- Allow postfix-smtpd read mysql config files

- Allow locate stream connect to systemd-userdbd

- Allow the staff user use wireshark

- Allow updatedb connect to userdbd over a unix stream socket

- Allow gpg_t set attributes of public-keys.d

- Allow gpg_t get attributes of login_userdomain stream

- Allow systemd_getty_generator_t read /proc/1/environ

- Allow systemd_getty_generator_t to read and write to tty_device_t

* Thu Jul 11 2024 Petr Lautrbach <lautrbach@redhat.com> 41.8-4

- Move %%postInstall to %%posttrans

- Use `Requires(meta): (rpm-plugin-selinux if rpm-libs)`

- Drop obsolete modules from config

- Install dnf protected files only when policy is built

* Thu Jul 11 2024 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 41.8-3

- Relabel files under /usr/bin to fix stale context after sbin merge

* Mon Jun 24 2024 Petr Lautrbach <lautrbach@redhat.com> 41.8-2

- Merge -base and -contrib

* Wed Jul 10 2024 Zdenek Pytela <zpytela@redhat.com> - 41.8-1

- Drop publicfile module

- Remove permissive domain for systemd_nsresourced_t

- Change fs_dontaudit_write_cgroup_files() to apply to cgroup_t

- Label /usr/bin/samba-gpupdate with samba_gpupdate_exec_t

- Allow to create and delete socket files created by rhsm.service

- Allow virtnetworkd exec shell when virt_hooks_unconfined is on

- Allow unconfined_service_t transition to passwd_t

- Support /var is empty

- Allow abrt-dump-journal read all non_security socket files

- Allow timemaster write to sysfs files

- Dontaudit domain write cgroup files

- Label /usr/lib/node_modules/npm/bin with bin_t

- Allow ip the setexec permission

- Allow systemd-networkd write files in /var/lib/systemd/network

- Fix typo in systemd_nsresourced_prog_run_bpf()

* Fri Jun 28 2024 Zdenek Pytela <zpytela@redhat.com> - 41.7-1

- Confine libvirt-dbus

- Allow virtqemud the kill capability in user namespace

- Allow rshim get options of the netlink class for KOBJECT_UEVENT family

- Allow dhcpcd the kill capability

- Allow systemd-networkd list /var/lib/systemd/network

- Allow sysadm_t run systemd-nsresourced bpf programs

- Update policy for systemd generators interactions

- Allow create memory.pressure files with cgroup_memory_pressure_t

- Add support for libvirt hooks

* Wed Jun 19 2024 Zdenek Pytela <zpytela@redhat.com> - 41.6-1

- Allow certmonger read and write tpm devices

- Allow all domains to connect to systemd-nsresourced over a unix socket

- Allow systemd-machined read the vsock device

- Update policy for systemd generators

- Allow ptp4l_t request that the kernel load a kernel module

- Allow sbd to trace processes in user namespace

- Allow request-key execute scripts

- Update policy for haproxyd

* Tue Jun 18 2024 Zdenek Pytela <zpytela@redhat.com> - 41.5-1

- Update policy for systemd-nsresourced

- Correct sbin-related file context entries

* Mon Jun 17 2024 Zdenek Pytela <zpytela@redhat.com> - 41.4-1

- Allow login_userdomain execute systemd-tmpfiles in the caller domain

- Allow virt_driver_domain read files labeled unconfined_t

- Allow virt_driver_domain dbus chat with policykit

- Allow virtqemud manage nfs files when virt_use_nfs boolean is on

- Add rules for interactions between generators

- Label memory.pressure files with cgroup_memory_pressure_t

- Revert "Allow some systemd services write to cgroup files"

- Update policy for systemd-nsresourced

- Label /usr/bin/ntfsck with fsadm_exec_t

- Allow systemd_fstab_generator_t read tmpfs files

- Update policy for systemd-nsresourced

- Alias /usr/sbin to /usr/bin and change all /usr/sbin paths to /usr/bin

- Remove a few lines duplicated between {dkim,milter}.fc

- Alias /bin → /usr/bin and remove redundant paths

- Drop duplicate line for /usr/sbin/unix_chkpwd

- Drop duplicate paths for /usr/sbin

* Tue Jun 11 2024 Zdenek Pytela <zpytela@redhat.com> - 41.3-1

- Update systemd-generator policy

- Remove permissive domain for bootupd_t

- Remove permissive domain for coreos_installer_t

- Remove permissive domain for afterburn_t

- Add the sap module to modules.conf

- Move unconfined_domain(sap_unconfined_t) to an optional block

- Create the sap module

- Allow systemd-coredumpd sys_admin and sys_resource capabilities

- Allow systemd-coredump read nsfs files

- Allow generators auto file transition only for plain files

- Allow systemd-hwdb write to the kernel messages device

- Escape "interface" as a file name in a virt filetrans pattern

- Allow gnome-software work for login_userdomain

- Allow systemd-machined manage runtime sockets

- Revert "Allow systemd-machined manage runtime sockets"

* Fri Jun 07 2024 Zdenek Pytela <zpytela@redhat.com> - 41.2-1

- Allow postfix_domain connect to postgresql over a unix socket

- Dontaudit systemd-coredump sys_admin capability

- Allow all domains read and write z90crypt device

- Allow tpm2 generator setfscreate

- Allow systemd (PID 1) manage systemd conf files

- Allow pulseaudio map its runtime files

- Update policy for getty-generator

- Allow systemd-hwdb send messages to kernel unix datagram sockets

- Allow systemd-machined manage runtime sockets

* Mon Jun 03 2024 Zdenek Pytela <zpytela@redhat.com> - 41.1-1

- Allow fstab-generator create unit file symlinks

- Update policy for cryptsetup-generator

- Update policy for fstab-generator

- Allow virtqemud read vm sysctls

- Allow collectd to trace processes in user namespace

- Allow bootupd search efivarfs dirs

- Add policy for systemd-mountfsd

- Add policy for systemd-nsresourced

- Update policy generators

- Add policy for anaconda-generator

- Update policy for fstab and gpt generators

- Add policy for kdump-dep-generator

* Thu May 30 2024 Zdenek Pytela <zpytela@redhat.com> - 40.21-1

- Add policy for a generic generator

- Add policy for tpm2 generator

- Add policy for ssh-generator

- Add policy for second batch of generators

- Update policy for systemd generators

- ci: Adjust Cockpit test plans

* Sun May 19 2024 Zdenek Pytela <zpytela@redhat.com> - 40.20-1

- Allow journald read systemd config files and directories

- Allow systemd_domain read systemd_conf_t dirs

- Fix bad Python regexp escapes

- Allow fido services connect to postgres database

* Fri May 17 2024 Zdenek Pytela <zpytela@redhat.com> - 40.19-1

- Allow postfix smtpd map aliases file

- Ensure dbus communication is allowed bidirectionally

- Label systemd configuration files with systemd_conf_t

- Label /run/systemd/machine with systemd_machined_var_run_t

- Allow systemd-hostnamed read the vsock device

- Allow sysadm execute dmidecode using sudo

- Allow sudodomain list files in /var

- Allow setroubleshootd get attributes of all sysctls

- Allow various services read and write z90crypt device

- Allow nfsidmap connect to systemd-homed

- Allow sandbox_x_client_t dbus chat with accountsd

- Allow system_cronjob_t dbus chat with avahi_t

- Allow staff_t the io_uring sqpoll permission

- Allow staff_t use the io_uring API

- Add support for secretmem anon inode

* Thu May 16 2024 Adam Williamson <awilliam@redhat.com> - 40.18-3

- Correct some errors in the RPM macro changes from -2

* Mon May 06 2024 Zdenek Pytela <zpytela@redhat.com> - 40.18-2

- Update rpm configuration for the /var/run equivalency change

* Mon May 06 2024 Zdenek Pytela <zpytela@redhat.com> - 40.18-1

- Allow virtqemud read vfio devices

- Allow virtqemud get attributes of a tmpfs filesystem

- Allow svirt_t read vm sysctls

- Allow virtqemud create and unlink files in /etc/libvirt/

- Allow virtqemud get attributes of cifs files

- Allow virtqemud get attributes of filesystems with extended attributes

- Allow virtqemud get attributes of NFS filesystems

- Allow virt_domain read and write usb devices conditionally

- Allow virtstoraged use the io_uring API

- Allow virtstoraged execute lvm programs in the lvm domain

- Allow virtnodevd_t map /var/lib files

- Allow svirt_tcg_t map svirt_image_t files

- Allow abrt-dump-journal-core connect to systemd-homed

- Allow abrt-dump-journal-core connect to systemd-machined

- Allow sssd create and use io_uring

- Allow selinux-relabel-generator create units dir

- Allow dbus-broker read/write inherited user ttys

* Thu Apr 25 2024 Zdenek Pytela <zpytela@redhat.com> - 40.17-1

- Define transitions for /run/libvirt/common and /run/libvirt/qemu

- Allow systemd-sleep read raw disk data

- Allow numad to trace processes in user namespace

- Allow abrt-dump-journal-core connect to systemd-userdbd

- Allow plymouthd read efivarfs files

- Update the auth_dontaudit_read_passwd_file() interface

- Label /dev/mmcblk0rpmb character device with removable_device_t

- fix hibernate on btrfs swapfile (F40)

- Allow nut to statfs()

- Allow system dbusd service status systemd services

- Allow systemd-timedated get the timemaster service status

* Tue Apr 09 2024 Zdenek Pytela <zpytela@redhat.com> - 40.16-1

- Allow keyutils-dns-resolver connect to the system log service

- Allow qemu-ga read vm sysctls

- postfix: allow qmgr to delete mails in bounce/ directory

- policy: support pidfs

- Confine selinux-autorelabel-generator.sh

- Allow logwatch_mail_t read/write to init over a unix stream socket

- Allow logwatch read logind sessions files

- files_dontaudit_getattr_tmpfs_files allowed the access and didn't dontaudit it

- files_dontaudit_mounton_modules_object allowed the access and didn't dontaudit it

- Allow NetworkManager the sys_ptrace capability in user namespace

- dontaudit execmem for modemmanager

- Allow dhcpcd use unix_stream_socket

- Allow dhcpc read /run/netns files

* Fri Mar 15 2024 Zdenek Pytela <zpytela@redhat.com> - 40.15-1

- Update mmap_rw_file_perms to include the lock permission

- Allow plymouthd log during shutdown

- Add logging_watch_all_log_dirs() and logging_watch_all_log_files()

- Allow journalctl_t read filesystem sysctls

- Allow cgred_t to get attributes of cgroup filesystems

- Allow wdmd read hardware state information

- Allow wdmd list the contents of the sysfs directories

- Allow linuxptp configure phc2sys and chronyd over a unix domain socket

- Allow sulogin relabel tty1

- Dontaudit sulogin the checkpoint_restore capability

- Modify sudo_role_template() to allow getpgid

- Remove incorrect "local" usage in varrun-convert.sh

* Thu Mar 07 2024 Zdenek Pytela <zpytela@redhat.com> - 40.14-2

- Update varrun-convert.sh script to check for existing duplicate entries

* Mon Feb 26 2024 Zdenek Pytela <zpytela@redhat.com> - 40.14-1

- Allow userdomain get attributes of files on an nsfs filesystem

- Allow opafm create NFS files and directories

- Allow virtqemud create and unlink files in /etc/libvirt/

- Allow virtqemud domain transition on swtpm execution

- Add the swtpm.if interface file for interactions with other domains

- Allow samba to have dac_override capability

- systemd: allow sys_admin capability for systemd_notify_t

- systemd: allow systemd_notify_t to send data to kernel_t datagram sockets

- Allow thumb_t to watch and watch_reads mount_var_run_t

- Allow krb5kdc_t map krb5kdc_principal_t files

- Allow unprivileged confined user dbus chat with setroubleshoot

- Allow login_userdomain map files in /var

- Allow wireguard work with firewall-cmd

- Differentiate between staff and sysadm when executing crontab with sudo

- Add crontab_admin_domtrans interface

- Allow abrt_t nnp domain transition to abrt_handle_event_t

- Allow xdm_t to watch and watch_reads mount_var_run_t

- Dontaudit subscription manager setfscreate and read file contexts

- Don't audit crontab_domain write attempts to user home

- Transition from sudodomains to crontab_t when executing crontab_exec_t

- Add crontab_domtrans interface

- Fix label of pseudoterminals created from sudodomain

- Allow utempter_t use ptmx

- Dontaudit rpmdb attempts to connect to sssd over a unix stream socket

- Allow admin user read/write on fixed_disk_device_t

* Mon Feb 12 2024 Zdenek Pytela <zpytela@redhat.com> - 40.13-1

- Only allow confined user domains to login locally without unconfined_login

- Add userdom_spec_domtrans_confined_admin_users interface

- Only allow admindomain to execute shell via ssh with ssh_sysadm_login

- Add userdom_spec_domtrans_admin_users interface

- Move ssh dyntrans to unconfined inside unconfined_login tunable policy

- Update ssh_role_template() for user ssh-agent type

- Allow init to inherit system DBus file descriptors

- Allow init to inherit fds from syslogd

- Allow any domain to inherit fds from rpm-ostree

- Update afterburn policy

- Allow init_t nnp domain transition to abrtd_t

* Tue Feb 06 2024 Zdenek Pytela <zpytela@redhat.com> - 40.12-1

- Rename all /var/lock file context entries to /run/lock

- Rename all /var/run file context entries to /run

- Invert the "/var/run = /run" equivalency

* Mon Feb 05 2024 Zdenek Pytela <zpytela@redhat.com> - 40.11-1

- Replace init domtrans rule for confined users to allow exec init

- Update dbus_role_template() to allow user service status

- Allow polkit status all systemd services

- Allow setroubleshootd create and use inherited io_uring

- Allow load_policy read and write generic ptys

- Allow gpg manage rpm cache

- Allow login_userdomain name_bind to howl and xmsg udp ports

- Allow rules for confined users logged in plasma

- Label /dev/iommu with iommu_device_t

- Remove duplicate file context entries in /run

- Dontaudit getty and plymouth the checkpoint_restore capability

- Allow su domains write login records

- Revert "Allow su domains write login records"

- Allow login_userdomain delete session dbusd tmp socket files

- Allow unix dgram sendto between exim processes

- Allow su domains write login records

- Allow smbd_t to watch user_home_dir_t if samba_enable_home_dirs is on

* Wed Jan 24 2024 Zdenek Pytela <zpytela@redhat.com> - 40.10-1

- Allow chronyd-restricted read chronyd key files

- Allow conntrackd_t to use bpf capability2

- Allow systemd-networkd manage its runtime socket files

- Allow init_t nnp domain transition to colord_t

- Allow polkit status systemd services

- nova: Fix duplicate declarations

- Allow httpd work with PrivateTmp

- Add interfaces for watching and reading ifconfig_var_run_t

- Allow collectd read raw fixed disk device

- Allow collectd read udev pid files

- Set correct label on /etc/pki/pki-tomcat/kra

- Allow systemd domains watch system dbus pid socket files

- Allow certmonger read network sysctls

- Allow mdadm list stratisd data directories

- Allow syslog to run unconfined scripts conditionally

- Allow syslogd_t nnp_transition to syslogd_unconfined_script_t

- Allow qatlib set attributes of vfio device files

* Tue Jan 09 2024 Zdenek Pytela <zpytela@redhat.com> - 40.9-1

- Allow systemd-sleep set attributes of efivarfs files

- Allow samba-dcerpcd read public files

- Allow spamd_update_t the sys_ptrace capability in user namespace

- Allow bluetooth devices work with alsa

- Allow alsa get attributes filesystems with extended attributes

* Tue Jan 02 2024 Yaakov Selkowitz <yselkowi@redhat.com> - 40.8-2

- Limit %%selinux_requires to version, not release

* Thu Dec 21 2023 Zdenek Pytela <zpytela@redhat.com> - 40.8-1

- Allow hypervkvp_t write access to NetworkManager_etc_rw_t

- Add interface for write-only access to NetworkManager rw conf

- Allow systemd-sleep send a message to syslog over a unix dgram socket

- Allow init create and use netlink netfilter socket

- Allow qatlib load kernel modules

- Allow qatlib run lspci

- Allow qatlib manage its private runtime socket files

- Allow qatlib read/write vfio devices

- Label /etc/redis.conf with redis_conf_t

- Remove the lockdown-class rules from the policy

- Allow init read all non-security socket files

- Replace redundant dnsmasq pattern macros

- Remove unneeded symlink perms in dnsmasq.if

- Add additions to dnsmasq interface

- Allow nvme_stas_t create and use netlink kobject uevent socket

- Allow collectd connect to statsd port

- Allow keepalived_t to use sys_ptrace of cap_userns

- Allow dovecot_auth_t connect to postgresql using UNIX socket

* Wed Dec 13 2023 Zdenek Pytela <zpytela@redhat.com> - 40.7-1

- Make named_zone_t and named_var_run_t a part of the mountpoint attribute

- Allow sysadm execute traceroute in sysadm_t domain using sudo

- Allow sysadm execute tcpdump in sysadm_t domain using sudo

- Allow opafm search nfs directories

- Add support for syslogd unconfined scripts

- Allow gpsd use /dev/gnss devices

- Allow gpg read rpm cache

- Allow virtqemud additional permissions

- Allow virtqemud manage its private lock files

- Allow virtqemud use the io_uring api

- Allow ddclient send e-mail notifications

- Allow postfix_master_t map postfix data files

- Allow init create and use vsock sockets

- Allow thumb_t append to init unix domain stream sockets

- Label /dev/vas with vas_device_t

- Change domain_kernel_load_modules boolean to true

- Create interface selinux_watch_config and add it to SELinux users

* Tue Nov 28 2023 Zdenek Pytela <zpytela@redhat.com> - 40.6-1

- Add afterburn to modules-targeted-contrib.conf

- Update cifs interfaces to include fs_search_auto_mountpoints()

- Allow sudodomain read var auth files

- Allow spamd_update_t read hardware state information

- Allow virtnetworkd domain transition on tc command execution

- Allow sendmail MTA connect to sendmail LDA

- Allow auditd read all domains process state

- Allow rsync read network sysctls

- Add dhcpcd bpf capability to run bpf programs

- Dontaudit systemd-hwdb dac_override capability

- Allow systemd-sleep create efivarfs files

* Tue Nov 14 2023 Zdenek Pytela <zpytela@redhat.com> - 40.5-1

- Allow map xserver_tmpfs_t files when xserver_clients_write_xshm is on

- Allow graphical applications work in Wayland

- Allow kdump work with PrivateTmp

- Allow dovecot-auth work with PrivateTmp

- Allow nfsd get attributes of all filesystems

- Allow unconfined_domain_type use io_uring cmd on domain

- ci: Only run Rawhide revdeps tests on the rawhide branch

- Label /var/run/auditd.state as auditd_var_run_t

- Allow fido-device-onboard (FDO) read the crack database

- Allow ip an explicit domain transition to other domains

- Label /usr/libexec/selinux/selinux-autorelabel with semanage_exec_t

- Allow  winbind_rpcd_t processes access when samba_export_all_* is on

- Enable NetworkManager and dhclient to use initramfs-configured DHCP connection

- Allow ntp to bind and connect to ntske port.

- Allow system_mail_t manage exim spool files and dirs

- Dontaudit keepalived setattr on keepalived_unconfined_script_exec_t

- Label /run/pcsd.socket with cluster_var_run_t

- ci: Run cockpit tests in PRs

* Thu Oct 19 2023 Zdenek Pytela <zpytela@redhat.com> - 40.4-1

- Add map_read map_write to kernel_prog_run_bpf

- Allow systemd-fstab-generator read all symlinks

- Allow systemd-fstab-generator the dac_override capability

- Allow rpcbind read network sysctls

- Support using systemd containers

- Allow sysadm_t to connect to iscsid using a unix domain stream socket

- Add policy for coreos installer

- Add coreos_installer to modules-targeted-contrib.conf

* Tue Oct 17 2023 Zdenek Pytela <zpytela@redhat.com> - 40.3-1

- Add policy for nvme-stas

- Confine systemd fstab,sysv,rc-local

- Label /etc/aliases.lmdb with etc_aliases_t

- Create policy for afterburn

- Add nvme_stas to modules-targeted-contrib.conf

- Add plans/tests.fmf

* Tue Oct 10 2023 Zdenek Pytela <zpytela@redhat.com> - 40.2-1

- Add the virt_supplementary module to modules-targeted-contrib.conf

- Make new virt drivers permissive

- Split virt policy, introduce virt_supplementary module

- Allow apcupsd cgi scripts read /sys

- Merge pull request #1893 from WOnder93/more-early-boot-overlay-fixes

- Allow kernel_t to manage and relabel all files

- Add missing optional_policy() to files_relabel_all_files()

* Tue Oct 03 2023 Zdenek Pytela <zpytela@redhat.com> - 40.1-1

- Allow named and ndc use the io_uring api

- Deprecate common_anon_inode_perms usage

- Improve default file context(None) of /var/lib/authselect/backups

- Allow udev_t to search all directories with a filesystem type

- Implement proper anon_inode support

- Allow targetd write to the syslog pid sock_file

- Add ipa_pki_retrieve_key_exec() interface

- Allow kdumpctl_t to list all directories with a filesystem type

- Allow udev additional permissions

- Allow udev load kernel module

- Allow sysadm_t to mmap modules_object_t files

- Add the unconfined_read_files() and unconfined_list_dirs() interfaces

- Set default file context of HOME_DIR/tmp/.* to <<none>>

- Allow kernel_generic_helper_t to execute mount(1)