| * Thu Jul 25 2024 Zdenek Pytela <zpytela@redhat.com> - 41.11-1 |
| - Make cgroup_memory_pressure_t a part of the file_type attribute |
| - Allow ssh_t to change role to system_r |
| - Update policy for coreos generators |
| - Allow init_t nnp domain transition to firewalld_t |
| - Label /run/modprobe.d with modules_conf_t |
| - Allow virtnodedevd run udev with a domain transition |
| - Allow virtnodedev_t create and use virtnodedev_lock_t |
| - Allow virtstoraged manage files with virt_content_t type |
| - Allow virtqemud unmount a filesystem with extended attributes |
| - Allow svirt_t connect to unconfined_t over a unix domain socket |
| |
| * Mon Jul 22 2024 Zdenek Pytela <zpytela@redhat.com> - 41.10-1 |
| - Update afterburn file transition policy |
| - Allow systemd_generator read attributes of all filesystems |
| - Allow fstab-generator read and write cryptsetup-generator unit file |
| - Allow cryptsetup-generator read and write fstab-generator unit file |
| - Allow systemd_generator map files in /etc |
| - Allow systemd_generator read init's process state |
| - Allow coreos-installer-generator read sssd public files |
| - Allow coreos-installer-generator work with partitions |
| - Label /etc/mdadm.conf.d with mdadm_conf_t |
| - Confine coreos generators |
| - Label /run/metadata with afterburn_runtime_t |
| - Allow afterburn list ssh home directory |
| - Label samba certificates with samba_cert_t |
| - Label /run/coreos-installer-reboot with coreos_installer_var_run_t |
| - Allow virtqemud read virt-dbus process state |
| - Allow staff user dbus chat with virt-dbus |
| - Allow staff use watch /run/systemd |
| - Allow systemd_generator to write kmsg |
| |
| * Sat Jul 20 2024 Fedora Release Engineering <releng@fedoraproject.org> - 41.9-2 |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_41_Mass_Rebuild |
| |
| * Tue Jul 16 2024 Zdenek Pytela <zpytela@redhat.com> - 41.9-1 |
| - Allow virtqemud connect to sanlock over a unix stream socket |
| - Allow virtqemud relabel virt_var_run_t directories |
| - Allow svirt_tcg_t read vm sysctls |
| - Allow virtnodedevd connect to systemd-userdbd over a unix socket |
| - Allow svirt read virtqemud fifo files |
| - Allow svirt attach_queue to a virtqemud tun_socket |
| - Allow virtqemud run ssh client with a transition |
| - Allow virt_dbus_t connect to virtqemud_t over a unix stream socket |
| - Update keyutils policy |
| - Allow sshd_keygen_t connect to userdbd over a unix stream socket |
| - Allow postfix-smtpd read mysql config files |
| - Allow locate stream connect to systemd-userdbd |
| - Allow the staff user use wireshark |
| - Allow updatedb connect to userdbd over a unix stream socket |
| - Allow gpg_t set attributes of public-keys.d |
| - Allow gpg_t get attributes of login_userdomain stream |
| - Allow systemd_getty_generator_t read /proc/1/environ |
| - Allow systemd_getty_generator_t to read and write to tty_device_t |
| |
| * Thu Jul 11 2024 Petr Lautrbach <lautrbach@redhat.com> 41.8-4 |
| - Move %%postInstall to %%posttrans |
| - Use `Requires(meta): (rpm-plugin-selinux if rpm-libs)` |
| - Drop obsolete modules from config |
| - Install dnf protected files only when policy is built |
| |
| * Thu Jul 11 2024 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 41.8-3 |
| - Relabel files under /usr/bin to fix stale context after sbin merge |
| |
| * Mon Jun 24 2024 Petr Lautrbach <lautrbach@redhat.com> 41.8-2 |
| - Merge -base and -contrib |
| |
| * Wed Jul 10 2024 Zdenek Pytela <zpytela@redhat.com> - 41.8-1 |
| - Drop publicfile module |
| - Remove permissive domain for systemd_nsresourced_t |
| - Change fs_dontaudit_write_cgroup_files() to apply to cgroup_t |
| - Label /usr/bin/samba-gpupdate with samba_gpupdate_exec_t |
| - Allow to create and delete socket files created by rhsm.service |
| - Allow virtnetworkd exec shell when virt_hooks_unconfined is on |
| - Allow unconfined_service_t transition to passwd_t |
| - Support /var is empty |
| - Allow abrt-dump-journal read all non_security socket files |
| - Allow timemaster write to sysfs files |
| - Dontaudit domain write cgroup files |
| - Label /usr/lib/node_modules/npm/bin with bin_t |
| - Allow ip the setexec permission |
| - Allow systemd-networkd write files in /var/lib/systemd/network |
| - Fix typo in systemd_nsresourced_prog_run_bpf() |
| |
| * Fri Jun 28 2024 Zdenek Pytela <zpytela@redhat.com> - 41.7-1 |
| - Confine libvirt-dbus |
| - Allow virtqemud the kill capability in user namespace |
| - Allow rshim get options of the netlink class for KOBJECT_UEVENT family |
| - Allow dhcpcd the kill capability |
| - Allow systemd-networkd list /var/lib/systemd/network |
| - Allow sysadm_t run systemd-nsresourced bpf programs |
| - Update policy for systemd generators interactions |
| - Allow create memory.pressure files with cgroup_memory_pressure_t |
| - Add support for libvirt hooks |
| |
| * Wed Jun 19 2024 Zdenek Pytela <zpytela@redhat.com> - 41.6-1 |
| - Allow certmonger read and write tpm devices |
| - Allow all domains to connect to systemd-nsresourced over a unix socket |
| - Allow systemd-machined read the vsock device |
| - Update policy for systemd generators |
| - Allow ptp4l_t request that the kernel load a kernel module |
| - Allow sbd to trace processes in user namespace |
| - Allow request-key execute scripts |
| - Update policy for haproxyd |
| |
| * Tue Jun 18 2024 Zdenek Pytela <zpytela@redhat.com> - 41.5-1 |
| - Update policy for systemd-nsresourced |
| - Correct sbin-related file context entries |
| |
| * Mon Jun 17 2024 Zdenek Pytela <zpytela@redhat.com> - 41.4-1 |
| - Allow login_userdomain execute systemd-tmpfiles in the caller domain |
| - Allow virt_driver_domain read files labeled unconfined_t |
| - Allow virt_driver_domain dbus chat with policykit |
| - Allow virtqemud manage nfs files when virt_use_nfs boolean is on |
| - Add rules for interactions between generators |
| - Label memory.pressure files with cgroup_memory_pressure_t |
| - Revert "Allow some systemd services write to cgroup files" |
| - Update policy for systemd-nsresourced |
| - Label /usr/bin/ntfsck with fsadm_exec_t |
| - Allow systemd_fstab_generator_t read tmpfs files |
| - Update policy for systemd-nsresourced |
| - Alias /usr/sbin to /usr/bin and change all /usr/sbin paths to /usr/bin |
| - Remove a few lines duplicated between {dkim,milter}.fc |
| - Alias /bin → /usr/bin and remove redundant paths |
| - Drop duplicate line for /usr/sbin/unix_chkpwd |
| - Drop duplicate paths for /usr/sbin |
| |
| * Tue Jun 11 2024 Zdenek Pytela <zpytela@redhat.com> - 41.3-1 |
| - Update systemd-generator policy |
| - Remove permissive domain for bootupd_t |
| - Remove permissive domain for coreos_installer_t |
| - Remove permissive domain for afterburn_t |
| - Add the sap module to modules.conf |
| - Move unconfined_domain(sap_unconfined_t) to an optional block |
| - Create the sap module |
| - Allow systemd-coredumpd sys_admin and sys_resource capabilities |
| - Allow systemd-coredump read nsfs files |
| - Allow generators auto file transition only for plain files |
| - Allow systemd-hwdb write to the kernel messages device |
| - Escape "interface" as a file name in a virt filetrans pattern |
| - Allow gnome-software work for login_userdomain |
| - Allow systemd-machined manage runtime sockets |
| - Revert "Allow systemd-machined manage runtime sockets" |
| |
| * Fri Jun 07 2024 Zdenek Pytela <zpytela@redhat.com> - 41.2-1 |
| - Allow postfix_domain connect to postgresql over a unix socket |
| - Dontaudit systemd-coredump sys_admin capability |
| - Allow all domains read and write z90crypt device |
| - Allow tpm2 generator setfscreate |
| - Allow systemd (PID 1) manage systemd conf files |
| - Allow pulseaudio map its runtime files |
| - Update policy for getty-generator |
| - Allow systemd-hwdb send messages to kernel unix datagram sockets |
| - Allow systemd-machined manage runtime sockets |
| |
| * Mon Jun 03 2024 Zdenek Pytela <zpytela@redhat.com> - 41.1-1 |
| - Allow fstab-generator create unit file symlinks |
| - Update policy for cryptsetup-generator |
| - Update policy for fstab-generator |
| - Allow virtqemud read vm sysctls |
| - Allow collectd to trace processes in user namespace |
| - Allow bootupd search efivarfs dirs |
| - Add policy for systemd-mountfsd |
| - Add policy for systemd-nsresourced |
| - Update policy generators |
| - Add policy for anaconda-generator |
| - Update policy for fstab and gpt generators |
| - Add policy for kdump-dep-generator |
| |
| * Thu May 30 2024 Zdenek Pytela <zpytela@redhat.com> - 40.21-1 |
| - Add policy for a generic generator |
| - Add policy for tpm2 generator |
| - Add policy for ssh-generator |
| - Add policy for second batch of generators |
| - Update policy for systemd generators |
| - ci: Adjust Cockpit test plans |
| |
| * Sun May 19 2024 Zdenek Pytela <zpytela@redhat.com> - 40.20-1 |
| - Allow journald read systemd config files and directories |
| - Allow systemd_domain read systemd_conf_t dirs |
| - Fix bad Python regexp escapes |
| - Allow fido services connect to postgres database |
| |
| * Fri May 17 2024 Zdenek Pytela <zpytela@redhat.com> - 40.19-1 |
| - Allow postfix smtpd map aliases file |
| - Ensure dbus communication is allowed bidirectionally |
| - Label systemd configuration files with systemd_conf_t |
| - Label /run/systemd/machine with systemd_machined_var_run_t |
| - Allow systemd-hostnamed read the vsock device |
| - Allow sysadm execute dmidecode using sudo |
| - Allow sudodomain list files in /var |
| - Allow setroubleshootd get attributes of all sysctls |
| - Allow various services read and write z90crypt device |
| - Allow nfsidmap connect to systemd-homed |
| - Allow sandbox_x_client_t dbus chat with accountsd |
| - Allow system_cronjob_t dbus chat with avahi_t |
| - Allow staff_t the io_uring sqpoll permission |
| - Allow staff_t use the io_uring API |
| - Add support for secretmem anon inode |
| |
| * Thu May 16 2024 Adam Williamson <awilliam@redhat.com> - 40.18-3 |
| - Correct some errors in the RPM macro changes from -2 |
| |
| * Mon May 06 2024 Zdenek Pytela <zpytela@redhat.com> - 40.18-2 |
| - Update rpm configuration for the /var/run equivalency change |
| |
| * Mon May 06 2024 Zdenek Pytela <zpytela@redhat.com> - 40.18-1 |
| - Allow virtqemud read vfio devices |
| - Allow virtqemud get attributes of a tmpfs filesystem |
| - Allow svirt_t read vm sysctls |
| - Allow virtqemud create and unlink files in /etc/libvirt/ |
| - Allow virtqemud get attributes of cifs files |
| - Allow virtqemud get attributes of filesystems with extended attributes |
| - Allow virtqemud get attributes of NFS filesystems |
| - Allow virt_domain read and write usb devices conditionally |
| - Allow virtstoraged use the io_uring API |
| - Allow virtstoraged execute lvm programs in the lvm domain |
| - Allow virtnodevd_t map /var/lib files |
| - Allow svirt_tcg_t map svirt_image_t files |
| - Allow abrt-dump-journal-core connect to systemd-homed |
| - Allow abrt-dump-journal-core connect to systemd-machined |
| - Allow sssd create and use io_uring |
| - Allow selinux-relabel-generator create units dir |
| - Allow dbus-broker read/write inherited user ttys |
| |
| * Thu Apr 25 2024 Zdenek Pytela <zpytela@redhat.com> - 40.17-1 |
| - Define transitions for /run/libvirt/common and /run/libvirt/qemu |
| - Allow systemd-sleep read raw disk data |
| - Allow numad to trace processes in user namespace |
| - Allow abrt-dump-journal-core connect to systemd-userdbd |
| - Allow plymouthd read efivarfs files |
| - Update the auth_dontaudit_read_passwd_file() interface |
| - Label /dev/mmcblk0rpmb character device with removable_device_t |
| - fix hibernate on btrfs swapfile (F40) |
| - Allow nut to statfs() |
| - Allow system dbusd service status systemd services |
| - Allow systemd-timedated get the timemaster service status |
| |
| * Tue Apr 09 2024 Zdenek Pytela <zpytela@redhat.com> - 40.16-1 |
| - Allow keyutils-dns-resolver connect to the system log service |
| - Allow qemu-ga read vm sysctls |
| - postfix: allow qmgr to delete mails in bounce/ directory |
| - policy: support pidfs |
| - Confine selinux-autorelabel-generator.sh |
| - Allow logwatch_mail_t read/write to init over a unix stream socket |
| - Allow logwatch read logind sessions files |
| - files_dontaudit_getattr_tmpfs_files allowed the access and didn't dontaudit it |
| - files_dontaudit_mounton_modules_object allowed the access and didn't dontaudit it |
| - Allow NetworkManager the sys_ptrace capability in user namespace |
| - dontaudit execmem for modemmanager |
| - Allow dhcpcd use unix_stream_socket |
| - Allow dhcpc read /run/netns files |
| |
| * Fri Mar 15 2024 Zdenek Pytela <zpytela@redhat.com> - 40.15-1 |
| - Update mmap_rw_file_perms to include the lock permission |
| - Allow plymouthd log during shutdown |
| - Add logging_watch_all_log_dirs() and logging_watch_all_log_files() |
| - Allow journalctl_t read filesystem sysctls |
| - Allow cgred_t to get attributes of cgroup filesystems |
| - Allow wdmd read hardware state information |
| - Allow wdmd list the contents of the sysfs directories |
| - Allow linuxptp configure phc2sys and chronyd over a unix domain socket |
| - Allow sulogin relabel tty1 |
| - Dontaudit sulogin the checkpoint_restore capability |
| - Modify sudo_role_template() to allow getpgid |
| - Remove incorrect "local" usage in varrun-convert.sh |
| |
| * Thu Mar 07 2024 Zdenek Pytela <zpytela@redhat.com> - 40.14-2 |
| - Update varrun-convert.sh script to check for existing duplicate entries |
| |
| * Mon Feb 26 2024 Zdenek Pytela <zpytela@redhat.com> - 40.14-1 |
| - Allow userdomain get attributes of files on an nsfs filesystem |
| - Allow opafm create NFS files and directories |
| - Allow virtqemud create and unlink files in /etc/libvirt/ |
| - Allow virtqemud domain transition on swtpm execution |
| - Add the swtpm.if interface file for interactions with other domains |
| - Allow samba to have dac_override capability |
| - systemd: allow sys_admin capability for systemd_notify_t |
| - systemd: allow systemd_notify_t to send data to kernel_t datagram sockets |
| - Allow thumb_t to watch and watch_reads mount_var_run_t |
| - Allow krb5kdc_t map krb5kdc_principal_t files |
| - Allow unprivileged confined user dbus chat with setroubleshoot |
| - Allow login_userdomain map files in /var |
| - Allow wireguard work with firewall-cmd |
| - Differentiate between staff and sysadm when executing crontab with sudo |
| - Add crontab_admin_domtrans interface |
| - Allow abrt_t nnp domain transition to abrt_handle_event_t |
| - Allow xdm_t to watch and watch_reads mount_var_run_t |
| - Dontaudit subscription manager setfscreate and read file contexts |
| - Don't audit crontab_domain write attempts to user home |
| - Transition from sudodomains to crontab_t when executing crontab_exec_t |
| - Add crontab_domtrans interface |
| - Fix label of pseudoterminals created from sudodomain |
| - Allow utempter_t use ptmx |
| - Dontaudit rpmdb attempts to connect to sssd over a unix stream socket |
| - Allow admin user read/write on fixed_disk_device_t |
| |
| * Mon Feb 12 2024 Zdenek Pytela <zpytela@redhat.com> - 40.13-1 |
| - Only allow confined user domains to login locally without unconfined_login |
| - Add userdom_spec_domtrans_confined_admin_users interface |
| - Only allow admindomain to execute shell via ssh with ssh_sysadm_login |
| - Add userdom_spec_domtrans_admin_users interface |
| - Move ssh dyntrans to unconfined inside unconfined_login tunable policy |
| - Update ssh_role_template() for user ssh-agent type |
| - Allow init to inherit system DBus file descriptors |
| - Allow init to inherit fds from syslogd |
| - Allow any domain to inherit fds from rpm-ostree |
| - Update afterburn policy |
| - Allow init_t nnp domain transition to abrtd_t |
| |
| * Tue Feb 06 2024 Zdenek Pytela <zpytela@redhat.com> - 40.12-1 |
| - Rename all /var/lock file context entries to /run/lock |
| - Rename all /var/run file context entries to /run |
| - Invert the "/var/run = /run" equivalency |
| |
| * Mon Feb 05 2024 Zdenek Pytela <zpytela@redhat.com> - 40.11-1 |
| - Replace init domtrans rule for confined users to allow exec init |
| - Update dbus_role_template() to allow user service status |
| - Allow polkit status all systemd services |
| - Allow setroubleshootd create and use inherited io_uring |
| - Allow load_policy read and write generic ptys |
| - Allow gpg manage rpm cache |
| - Allow login_userdomain name_bind to howl and xmsg udp ports |
| - Allow rules for confined users logged in plasma |
| - Label /dev/iommu with iommu_device_t |
| - Remove duplicate file context entries in /run |
| - Dontaudit getty and plymouth the checkpoint_restore capability |
| - Allow su domains write login records |
| - Revert "Allow su domains write login records" |
| - Allow login_userdomain delete session dbusd tmp socket files |
| - Allow unix dgram sendto between exim processes |
| - Allow su domains write login records |
| - Allow smbd_t to watch user_home_dir_t if samba_enable_home_dirs is on |
| |
| * Wed Jan 24 2024 Zdenek Pytela <zpytela@redhat.com> - 40.10-1 |
| - Allow chronyd-restricted read chronyd key files |
| - Allow conntrackd_t to use bpf capability2 |
| - Allow systemd-networkd manage its runtime socket files |
| - Allow init_t nnp domain transition to colord_t |
| - Allow polkit status systemd services |
| - nova: Fix duplicate declarations |
| - Allow httpd work with PrivateTmp |
| - Add interfaces for watching and reading ifconfig_var_run_t |
| - Allow collectd read raw fixed disk device |
| - Allow collectd read udev pid files |
| - Set correct label on /etc/pki/pki-tomcat/kra |
| - Allow systemd domains watch system dbus pid socket files |
| - Allow certmonger read network sysctls |
| - Allow mdadm list stratisd data directories |
| - Allow syslog to run unconfined scripts conditionally |
| - Allow syslogd_t nnp_transition to syslogd_unconfined_script_t |
| - Allow qatlib set attributes of vfio device files |
| |
| * Tue Jan 09 2024 Zdenek Pytela <zpytela@redhat.com> - 40.9-1 |
| - Allow systemd-sleep set attributes of efivarfs files |
| - Allow samba-dcerpcd read public files |
| - Allow spamd_update_t the sys_ptrace capability in user namespace |
| - Allow bluetooth devices work with alsa |
| - Allow alsa get attributes filesystems with extended attributes |
| |
| * Tue Jan 02 2024 Yaakov Selkowitz <yselkowi@redhat.com> - 40.8-2 |
| - Limit %%selinux_requires to version, not release |
| |
| * Thu Dec 21 2023 Zdenek Pytela <zpytela@redhat.com> - 40.8-1 |
| - Allow hypervkvp_t write access to NetworkManager_etc_rw_t |
| - Add interface for write-only access to NetworkManager rw conf |
| - Allow systemd-sleep send a message to syslog over a unix dgram socket |
| - Allow init create and use netlink netfilter socket |
| - Allow qatlib load kernel modules |
| - Allow qatlib run lspci |
| - Allow qatlib manage its private runtime socket files |
| - Allow qatlib read/write vfio devices |
| - Label /etc/redis.conf with redis_conf_t |
| - Remove the lockdown-class rules from the policy |
| - Allow init read all non-security socket files |
| - Replace redundant dnsmasq pattern macros |
| - Remove unneeded symlink perms in dnsmasq.if |
| - Add additions to dnsmasq interface |
| - Allow nvme_stas_t create and use netlink kobject uevent socket |
| - Allow collectd connect to statsd port |
| - Allow keepalived_t to use sys_ptrace of cap_userns |
| - Allow dovecot_auth_t connect to postgresql using UNIX socket |
| |
| * Wed Dec 13 2023 Zdenek Pytela <zpytela@redhat.com> - 40.7-1 |
| - Make named_zone_t and named_var_run_t a part of the mountpoint attribute |
| - Allow sysadm execute traceroute in sysadm_t domain using sudo |
| - Allow sysadm execute tcpdump in sysadm_t domain using sudo |
| - Allow opafm search nfs directories |
| - Add support for syslogd unconfined scripts |
| - Allow gpsd use /dev/gnss devices |
| - Allow gpg read rpm cache |
| - Allow virtqemud additional permissions |
| - Allow virtqemud manage its private lock files |
| - Allow virtqemud use the io_uring api |
| - Allow ddclient send e-mail notifications |
| - Allow postfix_master_t map postfix data files |
| - Allow init create and use vsock sockets |
| - Allow thumb_t append to init unix domain stream sockets |
| - Label /dev/vas with vas_device_t |
| - Change domain_kernel_load_modules boolean to true |
| - Create interface selinux_watch_config and add it to SELinux users |
| |
| * Tue Nov 28 2023 Zdenek Pytela <zpytela@redhat.com> - 40.6-1 |
| - Add afterburn to modules-targeted-contrib.conf |
| - Update cifs interfaces to include fs_search_auto_mountpoints() |
| - Allow sudodomain read var auth files |
| - Allow spamd_update_t read hardware state information |
| - Allow virtnetworkd domain transition on tc command execution |
| - Allow sendmail MTA connect to sendmail LDA |
| - Allow auditd read all domains process state |
| - Allow rsync read network sysctls |
| - Add dhcpcd bpf capability to run bpf programs |
| - Dontaudit systemd-hwdb dac_override capability |
| - Allow systemd-sleep create efivarfs files |
| |
| * Tue Nov 14 2023 Zdenek Pytela <zpytela@redhat.com> - 40.5-1 |
| - Allow map xserver_tmpfs_t files when xserver_clients_write_xshm is on |
| - Allow graphical applications work in Wayland |
| - Allow kdump work with PrivateTmp |
| - Allow dovecot-auth work with PrivateTmp |
| - Allow nfsd get attributes of all filesystems |
| - Allow unconfined_domain_type use io_uring cmd on domain |
| - ci: Only run Rawhide revdeps tests on the rawhide branch |
| - Label /var/run/auditd.state as auditd_var_run_t |
| - Allow fido-device-onboard (FDO) read the crack database |
| - Allow ip an explicit domain transition to other domains |
| - Label /usr/libexec/selinux/selinux-autorelabel with semanage_exec_t |
| - Allow winbind_rpcd_t processes access when samba_export_all_* is on |
| - Enable NetworkManager and dhclient to use initramfs-configured DHCP connection |
| - Allow ntp to bind and connect to ntske port. |
| - Allow system_mail_t manage exim spool files and dirs |
| - Dontaudit keepalived setattr on keepalived_unconfined_script_exec_t |
| - Label /run/pcsd.socket with cluster_var_run_t |
| - ci: Run cockpit tests in PRs |
| |
| * Thu Oct 19 2023 Zdenek Pytela <zpytela@redhat.com> - 40.4-1 |
| - Add map_read map_write to kernel_prog_run_bpf |
| - Allow systemd-fstab-generator read all symlinks |
| - Allow systemd-fstab-generator the dac_override capability |
| - Allow rpcbind read network sysctls |
| - Support using systemd containers |
| - Allow sysadm_t to connect to iscsid using a unix domain stream socket |
| - Add policy for coreos installer |
| - Add coreos_installer to modules-targeted-contrib.conf |
| |
| * Tue Oct 17 2023 Zdenek Pytela <zpytela@redhat.com> - 40.3-1 |
| - Add policy for nvme-stas |
| - Confine systemd fstab,sysv,rc-local |
| - Label /etc/aliases.lmdb with etc_aliases_t |
| - Create policy for afterburn |
| - Add nvme_stas to modules-targeted-contrib.conf |
| - Add plans/tests.fmf |
| |
| * Tue Oct 10 2023 Zdenek Pytela <zpytela@redhat.com> - 40.2-1 |
| - Add the virt_supplementary module to modules-targeted-contrib.conf |
| - Make new virt drivers permissive |
| - Split virt policy, introduce virt_supplementary module |
| - Allow apcupsd cgi scripts read /sys |
| - Merge pull request #1893 from WOnder93/more-early-boot-overlay-fixes |
| - Allow kernel_t to manage and relabel all files |
| - Add missing optional_policy() to files_relabel_all_files() |
| |
| * Tue Oct 03 2023 Zdenek Pytela <zpytela@redhat.com> - 40.1-1 |
| - Allow named and ndc use the io_uring api |
| - Deprecate common_anon_inode_perms usage |
| - Improve default file context(None) of /var/lib/authselect/backups |
| - Allow udev_t to search all directories with a filesystem type |
| - Implement proper anon_inode support |
| - Allow targetd write to the syslog pid sock_file |
| - Add ipa_pki_retrieve_key_exec() interface |
| - Allow kdumpctl_t to list all directories with a filesystem type |
| - Allow udev additional permissions |
| - Allow udev load kernel module |
| - Allow sysadm_t to mmap modules_object_t files |
| - Add the unconfined_read_files() and unconfined_list_dirs() interfaces |
| - Set default file context of HOME_DIR/tmp/.* to <<none>> |
| - Allow kernel_generic_helper_t to execute mount(1) |