* Wed Jul 10 2024 Zdenek Pytela <zpytela@redhat.com> - 41.8-1
- Drop publicfile module
- Remove permissive domain for systemd_nsresourced_t
- Change fs_dontaudit_write_cgroup_files() to apply to cgroup_t
- Label /usr/bin/samba-gpupdate with samba_gpupdate_exec_t
- Allow to create and delete socket files created by rhsm.service
- Allow virtnetworkd exec shell when virt_hooks_unconfined is on
- Allow unconfined_service_t transition to passwd_t
- Support /var is empty
- Allow abrt-dump-journal read all non_security socket files
- Allow timemaster write to sysfs files
- Dontaudit domain write cgroup files
- Label /usr/lib/node_modules/npm/bin with bin_t
- Allow ip the setexec permission
- Allow systemd-networkd write files in /var/lib/systemd/network
- Fix typo in systemd_nsresourced_prog_run_bpf()
* Fri Jun 28 2024 Zdenek Pytela <zpytela@redhat.com> - 41.7-1
- Confine libvirt-dbus
- Allow virtqemud the kill capability in user namespace
- Allow rshim get options of the netlink class for KOBJECT_UEVENT family
- Allow dhcpcd the kill capability
- Allow systemd-networkd list /var/lib/systemd/network
- Allow sysadm_t run systemd-nsresourced bpf programs
- Update policy for systemd generators interactions
- Allow create memory.pressure files with cgroup_memory_pressure_t
- Add support for libvirt hooks
* Wed Jun 19 2024 Zdenek Pytela <zpytela@redhat.com> - 41.6-1
- Allow certmonger read and write tpm devices
- Allow all domains to connect to systemd-nsresourced over a unix socket
- Allow systemd-machined read the vsock device
- Update policy for systemd generators
- Allow ptp4l_t request that the kernel load a kernel module
- Allow sbd to trace processes in user namespace
- Allow request-key execute scripts
- Update policy for haproxyd
* Tue Jun 18 2024 Zdenek Pytela <zpytela@redhat.com> - 41.5-1
- Update policy for systemd-nsresourced
- Correct sbin-related file context entries
* Mon Jun 17 2024 Zdenek Pytela <zpytela@redhat.com> - 41.4-1
- Allow login_userdomain execute systemd-tmpfiles in the caller domain
- Allow virt_driver_domain read files labeled unconfined_t
- Allow virt_driver_domain dbus chat with policykit
- Allow virtqemud manage nfs files when virt_use_nfs boolean is on
- Add rules for interactions between generators
- Label memory.pressure files with cgroup_memory_pressure_t
- Revert "Allow some systemd services write to cgroup files"
- Update policy for systemd-nsresourced
- Label /usr/bin/ntfsck with fsadm_exec_t
- Allow systemd_fstab_generator_t read tmpfs files
- Update policy for systemd-nsresourced
- Alias /usr/sbin to /usr/bin and change all /usr/sbin paths to /usr/bin
- Remove a few lines duplicated between {dkim,milter}.fc
- Alias /bin → /usr/bin and remove redundant paths
- Drop duplicate line for /usr/sbin/unix_chkpwd
- Drop duplicate paths for /usr/sbin
* Tue Jun 11 2024 Zdenek Pytela <zpytela@redhat.com> - 41.3-1
- Update systemd-generator policy
- Remove permissive domain for bootupd_t
- Remove permissive domain for coreos_installer_t
- Remove permissive domain for afterburn_t
- Add the sap module to modules.conf
- Move unconfined_domain(sap_unconfined_t) to an optional block
- Create the sap module
- Allow systemd-coredumpd sys_admin and sys_resource capabilities
- Allow systemd-coredump read nsfs files
- Allow generators auto file transition only for plain files
- Allow systemd-hwdb write to the kernel messages device
- Escape "interface" as a file name in a virt filetrans pattern
- Allow gnome-software work for login_userdomain
- Allow systemd-machined manage runtime sockets
- Revert "Allow systemd-machined manage runtime sockets"
* Fri Jun 07 2024 Zdenek Pytela <zpytela@redhat.com> - 41.2-1
- Allow postfix_domain connect to postgresql over a unix socket
- Dontaudit systemd-coredump sys_admin capability
- Allow all domains read and write z90crypt device
- Allow tpm2 generator setfscreate
- Allow systemd (PID 1) manage systemd conf files
- Allow pulseaudio map its runtime files
- Update policy for getty-generator
- Allow systemd-hwdb send messages to kernel unix datagram sockets
- Allow systemd-machined manage runtime sockets
* Mon Jun 03 2024 Zdenek Pytela <zpytela@redhat.com> - 41.1-1
- Allow fstab-generator create unit file symlinks
- Update policy for cryptsetup-generator
- Update policy for fstab-generator
- Allow virtqemud read vm sysctls
- Allow collectd to trace processes in user namespace
- Allow bootupd search efivarfs dirs
- Add policy for systemd-mountfsd
- Add policy for systemd-nsresourced
- Update policy generators
- Add policy for anaconda-generator
- Update policy for fstab and gpt generators
- Add policy for kdump-dep-generator
* Thu May 30 2024 Zdenek Pytela <zpytela@redhat.com> - 40.21-1
- Add policy for a generic generator
- Add policy for tpm2 generator
- Add policy for ssh-generator
- Add policy for second batch of generators
- Update policy for systemd generators
- ci: Adjust Cockpit test plans
* Sun May 19 2024 Zdenek Pytela <zpytela@redhat.com> - 40.20-1
- Allow journald read systemd config files and directories
- Allow systemd_domain read systemd_conf_t dirs
- Fix bad Python regexp escapes
- Allow fido services connect to postgres database
* Fri May 17 2024 Zdenek Pytela <zpytela@redhat.com> - 40.19-1
- Allow postfix smtpd map aliases file
- Ensure dbus communication is allowed bidirectionally
- Label systemd configuration files with systemd_conf_t
- Label /run/systemd/machine with systemd_machined_var_run_t
- Allow systemd-hostnamed read the vsock device
- Allow sysadm execute dmidecode using sudo
- Allow sudodomain list files in /var
- Allow setroubleshootd get attributes of all sysctls
- Allow various services read and write z90crypt device
- Allow nfsidmap connect to systemd-homed
- Allow sandbox_x_client_t dbus chat with accountsd
- Allow system_cronjob_t dbus chat with avahi_t
- Allow staff_t the io_uring sqpoll permission
- Allow staff_t use the io_uring API
- Add support for secretmem anon inode
* Thu May 16 2024 Adam Williamson <awilliam@redhat.com> - 40.18-3
- Correct some errors in the RPM macro changes from -2
* Mon May 06 2024 Zdenek Pytela <zpytela@redhat.com> - 40.18-2
- Update rpm configuration for the /var/run equivalency change
* Mon May 06 2024 Zdenek Pytela <zpytela@redhat.com> - 40.18-1
- Allow virtqemud read vfio devices
- Allow virtqemud get attributes of a tmpfs filesystem
- Allow svirt_t read vm sysctls
- Allow virtqemud create and unlink files in /etc/libvirt/
- Allow virtqemud get attributes of cifs files
- Allow virtqemud get attributes of filesystems with extended attributes
- Allow virtqemud get attributes of NFS filesystems
- Allow virt_domain read and write usb devices conditionally
- Allow virtstoraged use the io_uring API
- Allow virtstoraged execute lvm programs in the lvm domain
- Allow virtnodevd_t map /var/lib files
- Allow svirt_tcg_t map svirt_image_t files
- Allow abrt-dump-journal-core connect to systemd-homed
- Allow abrt-dump-journal-core connect to systemd-machined
- Allow sssd create and use io_uring
- Allow selinux-relabel-generator create units dir
- Allow dbus-broker read/write inherited user ttys
* Thu Apr 25 2024 Zdenek Pytela <zpytela@redhat.com> - 40.17-1
- Define transitions for /run/libvirt/common and /run/libvirt/qemu
- Allow systemd-sleep read raw disk data
- Allow numad to trace processes in user namespace
- Allow abrt-dump-journal-core connect to systemd-userdbd
- Allow plymouthd read efivarfs files
- Update the auth_dontaudit_read_passwd_file() interface
- Label /dev/mmcblk0rpmb character device with removable_device_t
- fix hibernate on btrfs swapfile (F40)
- Allow nut to statfs()
- Allow system dbusd service status systemd services
- Allow systemd-timedated get the timemaster service status
* Tue Apr 09 2024 Zdenek Pytela <zpytela@redhat.com> - 40.16-1
- Allow keyutils-dns-resolver connect to the system log service
- Allow qemu-ga read vm sysctls
- postfix: allow qmgr to delete mails in bounce/ directory
- policy: support pidfs
- Confine selinux-autorelabel-generator.sh
- Allow logwatch_mail_t read/write to init over a unix stream socket
- Allow logwatch read logind sessions files
- files_dontaudit_getattr_tmpfs_files allowed the access and didn't dontaudit it
- files_dontaudit_mounton_modules_object allowed the access and didn't dontaudit it
- Allow NetworkManager the sys_ptrace capability in user namespace
- dontaudit execmem for modemmanager
- Allow dhcpcd use unix_stream_socket
- Allow dhcpc read /run/netns files
* Fri Mar 15 2024 Zdenek Pytela <zpytela@redhat.com> - 40.15-1
- Update mmap_rw_file_perms to include the lock permission
- Allow plymouthd log during shutdown
- Add logging_watch_all_log_dirs() and logging_watch_all_log_files()
- Allow journalctl_t read filesystem sysctls
- Allow cgred_t to get attributes of cgroup filesystems
- Allow wdmd read hardware state information
- Allow wdmd list the contents of the sysfs directories
- Allow linuxptp configure phc2sys and chronyd over a unix domain socket
- Allow sulogin relabel tty1
- Dontaudit sulogin the checkpoint_restore capability
- Modify sudo_role_template() to allow getpgid
- Remove incorrect "local" usage in varrun-convert.sh
* Thu Mar 07 2024 Zdenek Pytela <zpytela@redhat.com> - 40.14-2
- Update varrun-convert.sh script to check for existing duplicate entries
* Mon Feb 26 2024 Zdenek Pytela <zpytela@redhat.com> - 40.14-1
- Allow userdomain get attributes of files on an nsfs filesystem
- Allow opafm create NFS files and directories
- Allow virtqemud create and unlink files in /etc/libvirt/
- Allow virtqemud domain transition on swtpm execution
- Add the swtpm.if interface file for interactions with other domains
- Allow samba to have dac_override capability
- systemd: allow sys_admin capability for systemd_notify_t
- systemd: allow systemd_notify_t to send data to kernel_t datagram sockets
- Allow thumb_t to watch and watch_reads mount_var_run_t
- Allow krb5kdc_t map krb5kdc_principal_t files
- Allow unprivileged confined user dbus chat with setroubleshoot
- Allow login_userdomain map files in /var
- Allow wireguard work with firewall-cmd
- Differentiate between staff and sysadm when executing crontab with sudo
- Add crontab_admin_domtrans interface
- Allow abrt_t nnp domain transition to abrt_handle_event_t
- Allow xdm_t to watch and watch_reads mount_var_run_t
- Dontaudit subscription manager setfscreate and read file contexts
- Don't audit crontab_domain write attempts to user home
- Transition from sudodomains to crontab_t when executing crontab_exec_t
- Add crontab_domtrans interface
- Fix label of pseudoterminals created from sudodomain
- Allow utempter_t use ptmx
- Dontaudit rpmdb attempts to connect to sssd over a unix stream socket
- Allow admin user read/write on fixed_disk_device_t
* Mon Feb 12 2024 Zdenek Pytela <zpytela@redhat.com> - 40.13-1
- Only allow confined user domains to login locally without unconfined_login
- Add userdom_spec_domtrans_confined_admin_users interface
- Only allow admindomain to execute shell via ssh with ssh_sysadm_login
- Add userdom_spec_domtrans_admin_users interface
- Move ssh dyntrans to unconfined inside unconfined_login tunable policy
- Update ssh_role_template() for user ssh-agent type
- Allow init to inherit system DBus file descriptors
- Allow init to inherit fds from syslogd
- Allow any domain to inherit fds from rpm-ostree
- Update afterburn policy
- Allow init_t nnp domain transition to abrtd_t
* Tue Feb 06 2024 Zdenek Pytela <zpytela@redhat.com> - 40.12-1
- Rename all /var/lock file context entries to /run/lock
- Rename all /var/run file context entries to /run
- Invert the "/var/run = /run" equivalency
* Mon Feb 05 2024 Zdenek Pytela <zpytela@redhat.com> - 40.11-1
- Replace init domtrans rule for confined users to allow exec init
- Update dbus_role_template() to allow user service status
- Allow polkit status all systemd services
- Allow setroubleshootd create and use inherited io_uring
- Allow load_policy read and write generic ptys
- Allow gpg manage rpm cache
- Allow login_userdomain name_bind to howl and xmsg udp ports
- Allow rules for confined users logged in plasma
- Label /dev/iommu with iommu_device_t
- Remove duplicate file context entries in /run
- Dontaudit getty and plymouth the checkpoint_restore capability
- Allow su domains write login records
- Revert "Allow su domains write login records"
- Allow login_userdomain delete session dbusd tmp socket files
- Allow unix dgram sendto between exim processes
- Allow su domains write login records
- Allow smbd_t to watch user_home_dir_t if samba_enable_home_dirs is on
* Wed Jan 24 2024 Zdenek Pytela <zpytela@redhat.com> - 40.10-1
- Allow chronyd-restricted read chronyd key files
- Allow conntrackd_t to use bpf capability2
- Allow systemd-networkd manage its runtime socket files
- Allow init_t nnp domain transition to colord_t
- Allow polkit status systemd services
- nova: Fix duplicate declarations
- Allow httpd work with PrivateTmp
- Add interfaces for watching and reading ifconfig_var_run_t
- Allow collectd read raw fixed disk device
- Allow collectd read udev pid files
- Set correct label on /etc/pki/pki-tomcat/kra
- Allow systemd domains watch system dbus pid socket files
- Allow certmonger read network sysctls
- Allow mdadm list stratisd data directories
- Allow syslog to run unconfined scripts conditionally
- Allow syslogd_t nnp_transition to syslogd_unconfined_script_t
- Allow qatlib set attributes of vfio device files
* Tue Jan 09 2024 Zdenek Pytela <zpytela@redhat.com> - 40.9-1
- Allow systemd-sleep set attributes of efivarfs files
- Allow samba-dcerpcd read public files
- Allow spamd_update_t the sys_ptrace capability in user namespace
- Allow bluetooth devices work with alsa
- Allow alsa get attributes filesystems with extended attributes
* Tue Jan 02 2024 Yaakov Selkowitz <yselkowi@redhat.com> - 40.8-2
- Limit %%selinux_requires to version, not release
* Thu Dec 21 2023 Zdenek Pytela <zpytela@redhat.com> - 40.8-1
- Allow hypervkvp_t write access to NetworkManager_etc_rw_t
- Add interface for write-only access to NetworkManager rw conf
- Allow systemd-sleep send a message to syslog over a unix dgram socket
- Allow init create and use netlink netfilter socket
- Allow qatlib load kernel modules
- Allow qatlib run lspci
- Allow qatlib manage its private runtime socket files
- Allow qatlib read/write vfio devices
- Label /etc/redis.conf with redis_conf_t
- Remove the lockdown-class rules from the policy
- Allow init read all non-security socket files
- Replace redundant dnsmasq pattern macros
- Remove unneeded symlink perms in dnsmasq.if
- Add additions to dnsmasq interface
- Allow nvme_stas_t create and use netlink kobject uevent socket
- Allow collectd connect to statsd port
- Allow keepalived_t to use sys_ptrace of cap_userns
- Allow dovecot_auth_t connect to postgresql using UNIX socket
* Wed Dec 13 2023 Zdenek Pytela <zpytela@redhat.com> - 40.7-1
- Make named_zone_t and named_var_run_t a part of the mountpoint attribute
- Allow sysadm execute traceroute in sysadm_t domain using sudo
- Allow sysadm execute tcpdump in sysadm_t domain using sudo
- Allow opafm search nfs directories
- Add support for syslogd unconfined scripts
- Allow gpsd use /dev/gnss devices
- Allow gpg read rpm cache
- Allow virtqemud additional permissions
- Allow virtqemud manage its private lock files
- Allow virtqemud use the io_uring api
- Allow ddclient send e-mail notifications
- Allow postfix_master_t map postfix data files
- Allow init create and use vsock sockets
- Allow thumb_t append to init unix domain stream sockets
- Label /dev/vas with vas_device_t
- Change domain_kernel_load_modules boolean to true
- Create interface selinux_watch_config and add it to SELinux users
* Tue Nov 28 2023 Zdenek Pytela <zpytela@redhat.com> - 40.6-1
- Add afterburn to modules-targeted-contrib.conf
- Update cifs interfaces to include fs_search_auto_mountpoints()
- Allow sudodomain read var auth files
- Allow spamd_update_t read hardware state information
- Allow virtnetworkd domain transition on tc command execution
- Allow sendmail MTA connect to sendmail LDA
- Allow auditd read all domains process state
- Allow rsync read network sysctls
- Add dhcpcd bpf capability to run bpf programs
- Dontaudit systemd-hwdb dac_override capability
- Allow systemd-sleep create efivarfs files
* Tue Nov 14 2023 Zdenek Pytela <zpytela@redhat.com> - 40.5-1
- Allow map xserver_tmpfs_t files when xserver_clients_write_xshm is on
- Allow graphical applications work in Wayland
- Allow kdump work with PrivateTmp
- Allow dovecot-auth work with PrivateTmp
- Allow nfsd get attributes of all filesystems
- Allow unconfined_domain_type use io_uring cmd on domain
- ci: Only run Rawhide revdeps tests on the rawhide branch
- Label /var/run/auditd.state as auditd_var_run_t
- Allow fido-device-onboard (FDO) read the crack database
- Allow ip an explicit domain transition to other domains
- Label /usr/libexec/selinux/selinux-autorelabel with semanage_exec_t
- Allow winbind_rpcd_t processes access when samba_export_all_* is on
- Enable NetworkManager and dhclient to use initramfs-configured DHCP connection
- Allow ntp to bind and connect to ntske port.
- Allow system_mail_t manage exim spool files and dirs
- Dontaudit keepalived setattr on keepalived_unconfined_script_exec_t
- Label /run/pcsd.socket with cluster_var_run_t
- ci: Run cockpit tests in PRs
* Thu Oct 19 2023 Zdenek Pytela <zpytela@redhat.com> - 40.4-1
- Add map_read map_write to kernel_prog_run_bpf
- Allow systemd-fstab-generator read all symlinks
- Allow systemd-fstab-generator the dac_override capability
- Allow rpcbind read network sysctls
- Support using systemd containers
- Allow sysadm_t to connect to iscsid using a unix domain stream socket
- Add policy for coreos installer
- Add coreos_installer to modules-targeted-contrib.conf
* Tue Oct 17 2023 Zdenek Pytela <zpytela@redhat.com> - 40.3-1
- Add policy for nvme-stas
- Confine systemd fstab,sysv,rc-local
- Label /etc/aliases.lmdb with etc_aliases_t
- Create policy for afterburn
- Add nvme_stas to modules-targeted-contrib.conf
- Add plans/tests.fmf
* Tue Oct 10 2023 Zdenek Pytela <zpytela@redhat.com> - 40.2-1
- Add the virt_supplementary module to modules-targeted-contrib.conf
- Make new virt drivers permissive
- Split virt policy, introduce virt_supplementary module
- Allow apcupsd cgi scripts read /sys
- Merge pull request #1893 from WOnder93/more-early-boot-overlay-fixes
- Allow kernel_t to manage and relabel all files
- Add missing optional_policy() to files_relabel_all_files()
* Tue Oct 03 2023 Zdenek Pytela <zpytela@redhat.com> - 40.1-1
- Allow named and ndc use the io_uring api
- Deprecate common_anon_inode_perms usage
- Improve default file context(None) of /var/lib/authselect/backups
- Allow udev_t to search all directories with a filesystem type
- Implement proper anon_inode support
- Allow targetd write to the syslog pid sock_file
- Add ipa_pki_retrieve_key_exec() interface
- Allow kdumpctl_t to list all directories with a filesystem type
- Allow udev additional permissions
- Allow udev load kernel module
- Allow sysadm_t to mmap modules_object_t files
- Add the unconfined_read_files() and unconfined_list_dirs() interfaces
- Set default file context of HOME_DIR/tmp/.* to <<none>>
- Allow kernel_generic_helper_t to execute mount(1)